Towards a Secure and Resilient Industrial Control System Using Software-Defined Networking
Dong (Kevin) Jin
Who am I?
• CS faculty, Ph.D., University of Illinois at Urbana-Champaign (UIUC), http://cs.iit.edu/~djin/
• Research: cyber-security, networking, cyber-physical system security, simulation & modeling
• Industrial experience at Los Alamos National Lab, IBM, Motorola
• I like designing/building/deploying large-scale software systems that are grounded in strong theoretical principles
Master of Cyber Security Program
New CS master's degree, started in Fall 2019
• What is unique?
  – From theory to practice
  – Data and information security
  – Network and system security
  – Software security
• Why join us?
  – IIT is a Center of Academic Excellence in Information Assurance Education (CAE/IAE) designated by the National Security Agency
  – CS: multi-million-dollar federal/industrial research grants in cyber security
  – A very strong team in cyber security research and education
• How to join?
  – https://science.iit.edu/programs/graduate/master-cybersecurity-mcybcode
  – Also available to co-terminal students
Master of Cyber Security Program
(Photo: Illinois Tech team at HackIllinois 2019 @ UIUC)
Research Areas and Projects
Looking for strong and self-motivated students to work together!
More Details: http://cs.iit.edu/~djin/research/index.html
How to Get Involved in Our Research
• For all students, excellent performance in
  – CS 458 Information Security
  – CS 558 Advanced Computer Security (semester-long project)
  – CSP 544 System and Network Security (hands-on labs) – new in Spring 2020
• Master students
  – CS 597 (Research Project), semester-long projects for credits
  – CS 591 (Master thesis), typically a two-semester commitment
• Undergraduate students
  – CS 497 (undergraduate research) with me, semester-long projects for credits
More Details: http://cs.iit.edu/~djin/research/opening.html
Industrial Control Systems (ICS)
• Control many critical infrastructures
• Modern ICSes increasingly adopt Internet technology to boost control efficiency
(Figure: Next Generation of Power Grid – generation, transmission, substation, distribution, transformer, distribution sites, loads)
More Efficient or More Vulnerable?
(Figure: NIST smart grid conceptual model – communication paths among the Markets, Operations, Service Providers, Bulk Generation, Transmission, Distribution and Customer domains, many of them crossing the Internet / e-business network)
Picture source: NIST Framework and Roadmap for Smart Grid Interoperability Standards
Cyber Threats in Power Grids
• 245 incidents, reported by ICS-CERT
• 32% in energy sector
Ukraine Power Grid Cyber Attack
• 230,000 residents in western Ukraine
• 6 hours, 73 MW power lost in Dec 2015
Picture source:
1. National Cybersecurity and Communications Integration Center (NCCIC). ICS-CERT Monitor Sep 2014 – Feb 2015
2. http://dailysignal.com/2016/01/13/ukraine-goes-dark-russia-attributed-hackers-take-down-power-grid/
Protection of Industrial Control Systems
• Commercial off-the-shelf products
  – e.g., firewalls, anti-virus software
  – fine-grained protection at a single device only
• How to check system-wide requirements?
  – Security (e.g., access control)
  – Performance (e.g., end-to-end delay)
• How to safely incorporate existing networking technologies into control systems?
  – Real-time operations
  – Large-scale networks
  – Lack of a real testbed (unlike the Internet)
Our Work: Enable a Secure and Resilient ICS in Microgrid with SDN
Contribution I: A novel SDN architecture in microgrid
Layers (top to bottom):
• Control Management Application Monitoring Layer
• SDN Control Layer
• Communication Network Layer
• Power Network Layer
• Power Grid Component Layer
ICS – industrial control system; SDN – software-defined networking
Transition to an SDN-Enabled Microgrid
• Facility Communication Networks
• DOE-funded IIT Microgrid
  – First Cluster of Microgrids in US
  – SDN deployment
• Big data available
  – Processing
  – Storage
  – Analytics
(Figure: IIT campus microgrid map – control center with the existing master controller, SDN master controller, microgrid app, network app and local controllers 1..n; PMU, smart building and sensors; solar PV, gas generator, wind turbine, battery storage and charging station; fiber optic infrastructure forming an SDN ring with major distribution points, fed from the ComEd Fisk and Pershing substations at 12.47 kV)
Simulation Testbed -> Living Lab
In-house research idea -> Real system deployment
Our Work: Enable a Secure and Resilient ICS in Microgrid with SDN
Contribution II: Innovative SDN-based security applications (IDS, verification, self-healing) in the control management application monitoring layer, on top of the SDN control layer
Layers (top to bottom):
• Control Management Application Monitoring Layer – network layer SDN applications: IDS, Verification, Self-healing
• SDN Control Layer
• Communication Network Layer
• Power Network Layer
• Power Grid Component Layer
ICS – industrial control system; SDN – software-defined networking
Our Work: Enable a Secure and Resilient ICS in Microgrid with SDN
Contribution III: SDN-enabled microgrid testbed
• Parallel simulation (scalability)
• Virtual-machine-based emulation (fidelity)
Layers (top to bottom):
• Control Management Application Monitoring Layer – network layer SDN applications: IDS, Verification, Self-healing
• SDN Control Layer
• Communication Network Layer
• Power Network Layer
• Power Grid Component Layer
ICS – industrial control system; SDN – software-defined networking
Outline
• SDN Background
• Applications
  – Network Verification [1]
  – Self-healing PMU system [2]
• Testing and Evaluation Platform [3]
[1] Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, and Brighten Godfrey. "Enforcing Customizable Consistency Properties in Software-Defined Networks." USENIX NSDI
[2] Dong Jin, Zhiyi Li, Christopher Hannon, Chen Chen, Jianhui Wang, Mohammad Shahidehpour and Cheol Won Lee. "Towards a Cyber Resilient and Secure Microgrid Using Software-Defined Networking." IEEE Transactions on Smart Grid
[3] Christopher Hannon, Jiaqi Yan and Dong Jin. "DSSnet: A Smart Grid Modeling Platform Combining Electrical Power Distribution System Simulation and Software Defined Networking Emulation." ACM SIGSIM-PADS (Best Paper Finalist)
SDN Background
(Figure: traditional networking vs. SDN)
• Traditional: specialized features, specialized control plane, specialized hardware; closed, proprietary; slow innovation
• SDN: apps over an open interface, control plane over an open interface, merchant switching chips; open interfaces; rapid innovation
Picture Source: Nick McKeown, Open Networking Summit 2012
Software Defined Networks
• control plane: distributed algorithms
• data plane: packet processing
SDN decouples the control and data planes by providing an open standard API.
(Logically) Centralized Controller
• Controller Platform
Protocols → Applications
• Controller Application, running on the Controller Platform
SDN Architecture
• Application Plane: App 1, App 2, …, App n
• Control Plane: receives updates from the applications; a Network Verifier checks them before they reach the data plane
• Data Plane
Properties:
• Logically centralized control
• Global view
• Direct network control
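The verifier sitting between the application plane and the control plane in the architecture above checks each proposed update against network-wide properties before any switch is reprogrammed, which is also how the system-wide security and performance requirements from the "Protection of Industrial Control Systems" slide can be enforced. The following is an added illustration, not the paper's implementation; the toy topology, host names, flow rules and the two invariants are all constructed here.

```python
from copy import deepcopy
# Constructed toy topology: host -> attached switch; switch -> {port: neighbour}
HOSTS = {"pmu": "s1", "control_center": "s3", "building": "s2"}
LINKS = {"s1": {1: "pmu", 2: "s2"},
         "s2": {1: "building", 2: "s1", 3: "s3"},
         "s3": {1: "control_center", 2: "s2"}}
# Installed flow tables: switch -> [(priority, match, out_port)]; highest-priority
# match wins, no match means drop. Initially only PMU -> control center is forwarded.
FLOWS = {"s1": [(10, {"src": "pmu", "dst": "control_center"}, 2)],
         "s2": [(10, {"src": "pmu", "dst": "control_center"}, 3)],
         "s3": [(10, {"src": "pmu", "dst": "control_center"}, 1)]}

def lookup(table, pkt):
    """Output port of the highest-priority rule matching pkt, or None (drop)."""
    best = None
    for prio, match, port in table:
        if all(pkt.get(k) == v for k, v in match.items()):
            if best is None or prio > best[0]:
                best = (prio, port)
    return None if best is None else best[1]

def reaches(flows, src, dst, max_hops=10):
    """Walk a src->dst packet through the flow tables; True if dst receives it."""
    pkt, node = {"src": src, "dst": dst}, HOSTS[src]
    for _ in range(max_hops):
        port = lookup(flows.get(node, []), pkt)
        if port is None:
            return False          # dropped at a switch
        nxt = LINKS[node][port]
        if nxt == dst:
            return True
        if nxt in HOSTS:
            return False          # delivered to the wrong host
        node = nxt
    return False                  # forwarding loop

# Network-wide invariants: an availability one and an access-control one
INVARIANTS = [
    ("pmu data must reach the control center", lambda f: reaches(f, "pmu", "control_center")),
    ("building tenants must not reach the PMU", lambda f: not reaches(f, "building", "pmu")),
]

def verify_update(flows, updates):
    """Stage (switch, rule) additions on a copy of the state; ok only if every invariant holds."""
    candidate = deepcopy(flows)
    for switch, rule in updates:
        candidate.setdefault(switch, []).append(rule)
    violated = [name for name, check in INVARIANTS if not check(candidate)]
    return (not violated, violated)
```

A rejected batch is never installed, so a buggy or compromised application cannot silently cut the PMU off from the control center or open a path from the building network to the PMU.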