Abstract
The modern world is becoming increasingly dependent on computing and communication technology to function, but unfortunately its application and impact on areas such as critical infrastructure and industrial control system (ICS) networks remain to be thoroughly studied. Significant research has been conducted to address the myriad security concerns in these areas, but it is virtually all based on artificial testbeds or simulations designed on assumptions about their behavior drawn either from knowledge of traditional IT networking or from basic principles of ICS operation. In this work, we provide the most detailed characterization of an example ICS to date in order to determine whether these common assumptions hold true. A live power distribution substation is observed over the course of two and a half years to measure its behavior and evolution over time. Then, a horizontal study is conducted that compares this behavior with that of three other substations from the same company. Although most predictions were found to be correct, some unexpected behavior was observed that highlights the fundamental differences between ICS and IT networks, including round trip times dominated by processing speed as opposed to network delay, several well-known TCP features being largely irrelevant, and surprisingly large jitter from devices running real-time operating systems. The impact of these observations is discussed in terms of generality to other embedded networks, network security applications, and the suitability of the TCP protocol for this environment.
A Case Study in Power Substation Network Dynamics
SIGMETRICS '17 Abstracts: Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems; also appears in Performance Evaluation Review.