This scenario tackled the detection of different cyber-attacks on the inverters of a PV plant. The attacker's main aim is to send Modbus commands to one of the inverters in order to read and change its working point, eventually altering the power profile. This could cause power to be delivered to the grid, at which point the Anti-Dumping System could open the generation breaker. The scenario was carried out at AYESA's building, where the PV plant was installed and in operation. A lab was arranged to host the required hardware for the SDN-µSENSE tools, deployed locally and connected to the control LAN of the PV plant.
The tools that integrate the SDN-µSENSE platform and participate in this scenario are: SDN-Controller, Modbus Honeypot, Honeypot Manager, Enhanced Suricata, L-ADS, XL-SIEM, S-RAF, AIDB, Local ARIEC and Global ARIEC.
To better understand the behavior of the scenario, it helps to follow each tool in order of appearance. The L-ADS, a machine learning-based tool, and Enhanced Suricata, which detects suspicious packets by matching them against signatures, both monitor the network traffic of the target infrastructure to detect anomalous behavior. These tools inspect the traffic and transmit the corresponding logs to the XL-SIEM, which generates security alerts. These alerts are sent to the Honeypot Manager, which checks the availability of the Modbus Honeypot and sends the SDN-Controller a command to forward all traffic from the attacker to the Modbus Honeypot. At the same time, S-RAF is informed and re-calculates the risk level of the assets. Then AIDB reflects the S-RAF risk assessment and, finally, Local and Global ARIEC register the events.
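The signature-based part of this detection chain comes down to recognizing state-changing Modbus requests from hosts that should only be reading. The following is an added example, not code from the SDN-µSENSE project or from Enhanced Suricata: it parses Modbus/TCP frames (MBAP header plus PDU, as defined in the Modbus specification), flags write function codes from sources outside a hypothetical allow-list, and runs over constructed sample traffic. The IP addresses, the allow-list and the register addresses are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that modify device state; these are what an attacker
# uses to change an inverter's working point. Values come from the Modbus spec.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Hypothetical allow-list: only the plant SCADA host may write to inverters.
AUTHORIZED_WRITERS = {"10.0.0.10"}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The MBAP length field counts the unit id plus the PDU bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src_ip, tid, unit_id, frame[7], frame[8:])


def inspect(src_ip: str, frame: bytes):
    """Return an alert for a write request from an unauthorized host, else None."""
    req = parse_modbus_tcp(src_ip, frame)
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name is None or req.src_ip in AUTHORIZED_WRITERS:
        return None
    detail = ""
    if req.function_code == 6 and len(req.payload) >= 4:
        addr, value = struct.unpack(">HH", req.payload[:4])
        detail = f" register={addr} value={value}"
    return (f"ALERT unauthorized Modbus write from {req.src_ip}: "
            f"fc={req.function_code} ({name}) unit={req.unit_id}{detail}")


def build_frame(tid: int, unit_id: int, fc: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP ADU; used only to construct the sample traffic below."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic (not captured from the real plant). 10.0.0.77 is
# the hypothetical attacker; register 0x0010 stands for a setpoint register.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", build_frame(1, 1, 3, struct.pack(">HH", 0x0000, 10))),   # SCADA reads: fine
    ("10.0.0.10", build_frame(2, 1, 6, struct.pack(">HH", 0x0010, 100))),  # SCADA writes: allowed
    ("10.0.0.77", build_frame(3, 1, 3, struct.pack(">HH", 0x0000, 10))),   # attacker reads: recon only
    ("10.0.0.77", build_frame(4, 1, 6, struct.pack(">HH", 0x0010, 0))),    # attacker zeroes setpoint
    ("10.0.0.77", build_frame(5, 1, 16, struct.pack(">HHB", 0x0010, 2, 4)
                                          + struct.pack(">HH", 0, 0))),    # attacker bulk write
]


def run(traffic=SAMPLE_TRAFFIC):
    """Inspect every frame and return the list of alerts raised."""
    return [a for a in (inspect(ip, f) for ip, f in traffic) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Reads from the attacker deliberately raise nothing here, since the scenario's damage comes from writes; a deployment that also wants to catch reconnaissance would alert on any Modbus request from a host outside the allow-list.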
This scenario focused on a DoS attack against the SDN-µSENSE enabled RTU and IED. Here the attacker follows a pattern similar to that of scenario 1: the main aim is to gain access to the substation workstation and launch a DoS attack against the RTU, thereby denying communication between the RTU and the SCADA. The attack was carried out in a real environment involving several ANELL substations and Tecnalia's Laboratory.
Hence, the tools that integrate the SDN-µSENSE platform and participate in this scenario are EDAE and SDN-Controllers + SCS, AIDB and an emulated deployment of S-RAF, leaving aside the full cooperation of tools such as XL-SIEM, S-RAF, EDAE-Dashboard and ARIEC.
Taking the case of scenario 2, during the DoS attack the IDS Suricata, which monitors the packet traffic between the interconnected devices of the SDN network, detects all the events and logs them. When the detected events are abnormal, Suricata generates an alert log showing that a DoS attack is occurring. Once the attack is detected, S-RAF, which calculates the level of risk by categorizing and identifying the vulnerability, sends the detected-attack message to EDAE with all the parameters needed to carry out the mitigation workflow. EDAE, a Decision Support System (DSS) responsible for rearranging the network paths so as to recover and/or maximize observability and QoS, then applies traffic-blocking rules (DROP) in the SDN-Controllers + SCS against the origin of the DoS attack (the attacker's IP). Finally, once traffic from the attacker's IP is blocked, Tecnalia's SCADA resumes normal reception of the measurements from the RTU and Concentrator 1, without hardware failures or communications saturation.
Similarly, and as an extension of scenario 2, this scenario addresses a DoS attack against the SDN-µSENSE enabled RTU and IED by denying the service of one concentrator. In this case, however, the scenario addresses the mitigation of the attack and the reconfiguration of the RTUs through different paths.
The tools that integrate the SDN-µSENSE platform and participate in this scenario are EDAE and SDN-Controllers + SCS.
To better understand the behavior of the scenario: the attacker connects to the SDN network and launches a DoS attack directed at Concentrator 1. As a result, the SCADA loses the reception of measurements from Concentrator 1 and, consequently, from all devices connected through it. During the DoS attack, and as in scenario 2, the IDS Suricata monitors the packet traffic between the interconnected devices of the SDN network and generates a log of warnings or alarms showing that a DoS attack is occurring. These attacks are categorized by S-RAF and sent to the EDAE tool with all the parameters needed to carry out the observability workflow. EDAE then runs the workflow called Observability and applies traffic-blocking rules (DROP) in the SDN-Controllers + SCS, isolating the attacked Concentrator 1 and allowing the operation of Concentrator 2, which now forwards the RTU measurement data to the SCADA. With this, the data flow is redirected and the SCADA recovers observability and the measurements from the RTU and Concentrator 2 normally.
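The two workflows just described (scenario 2: drop the attacker's source; scenario 3: also isolate the flooded concentrator and serve the RTU through the other one) share the same input, a rate-based flood detection over per-flow packet counts. The following is an added example, not code from EDAE, S-RAF or the SDN-µSENSE project: it aggregates constructed flow records over a short window, flags source/destination pairs whose packet rate exceeds a threshold, and derives controller rules in the spirit of both workflows. The addresses, the threshold, the window, the concentrator backup mapping and the rule dictionary layout are all assumptions; a real controller would translate each rule into its own flow-table entry.

```python
from collections import defaultdict

# Constructed flow records (src, dst, timestamp_s, packets); not captured from
# the real substations. 10.0.1.50 is the hypothetical attacker, 10.0.1.10 is
# Concentrator 1, 10.0.1.11 is Concentrator 2 and 10.0.1.100 is the SCADA.
# Normal SCADA polling is a few packets per second; the flood is thousands.
SAMPLE_RECORDS = [
    ("10.0.1.100", "10.0.1.10", 0, 3), ("10.0.1.100", "10.0.1.11", 0, 3),
    ("10.0.1.50",  "10.0.1.10", 0, 4000),
    ("10.0.1.100", "10.0.1.10", 1, 3), ("10.0.1.100", "10.0.1.11", 1, 3),
    ("10.0.1.50",  "10.0.1.10", 1, 4500),
    ("10.0.1.100", "10.0.1.10", 2, 2), ("10.0.1.100", "10.0.1.11", 2, 3),
    ("10.0.1.50",  "10.0.1.10", 2, 5000),
]

CONCENTRATORS = {"10.0.1.10", "10.0.1.11"}
# Assumed redundancy: each concentrator can be replaced by the other one.
BACKUP_CONCENTRATOR = {"10.0.1.10": "10.0.1.11", "10.0.1.11": "10.0.1.10"}
PPS_THRESHOLD = 1000   # assumed tuning value, packets/s per (src, dst) pair
WINDOW_S = 3           # seconds of records aggregated per decision


def detect_flood(records, threshold=PPS_THRESHOLD, window=WINDOW_S):
    """Return {(src, dst): average_pps} for pairs exceeding the threshold over the window."""
    totals = defaultdict(int)
    for src, dst, ts, pkts in records:
        if 0 <= ts < window:
            totals[(src, dst)] += pkts
    return {pair: total / window for pair, total in totals.items()
            if total / window > threshold}


def mitigation_rules(floods, concentrators=CONCENTRATORS, backups=BACKUP_CONCENTRATOR):
    """Derive controller rules from the detected floods.

    Scenario 2 behaviour: DROP everything from the attacking source.
    Scenario 3 behaviour: if the victim is a concentrator, also isolate it and
    explicitly permit the path through its backup so measurements keep flowing.
    Higher priority wins, as in an OpenFlow-style table.
    """
    rules = []
    for (src, dst), pps in sorted(floods.items()):
        rules.append({"priority": 300, "match": {"nw_src": src}, "action": "DROP",
                      "reason": f"{pps:.0f} pps towards {dst}"})
        if dst in concentrators and dst in backups:
            rules.append({"priority": 200, "match": {"nw_dst": dst}, "action": "DROP",
                          "reason": "isolate attacked concentrator"})
            rules.append({"priority": 100, "match": {"nw_dst": backups[dst]}, "action": "FORWARD",
                          "reason": "RTU measurements via backup concentrator"})
    return rules


def run(records=SAMPLE_RECORDS):
    """Detect floods in the records and return the rules the workflow would push."""
    return mitigation_rules(detect_flood(records))


if __name__ == "__main__":
    for rule in run():
        print(rule)
```

The window matters in practice: a threshold applied per individual record would also fire on a single burst of legitimate polling, while the 3-second average above ignores it and still catches the sustained flood.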
Lluís Cànaves Navarro