Development of a Testbed for Process Control System Cybersecurity Research

3rd International Conference on Electric and Electronics (EEIC 2013)

Dongqing Chen, Yong Peng
China Information Technology Security Evaluation Center
Beijing 100085, China
e-mail: [email protected], [email protected]

Huazhong Wang
Department of Automation, East China University of Science and Technology
Shanghai 200237, China
e-mail: [email protected]

Abstract: A testbed plays an important role in the cybersecurity research of process control systems. It helps us design and test solutions to various attacks against control systems. A hybrid-structure process control testbed, combining programmable logic controllers and other real process control systems with a simulated Tennessee-Eastman process, is proposed in this paper. Principles and details of the testbed are described. A cybersecurity scenario on the testbed, a Modbus worm attack, was implemented to show the adverse impact on the process control system and on the industrial process being controlled.

Keywords: testbed; process control; cybersecurity; TE process

I. INTRODUCTION

Industrial control systems, especially the distributed control systems (DCS) used in the process industry, play very important roles in many critical infrastructures, e.g. power generation, water and wastewater treatment, oil mining and refining, and so on. With the wide use of modern information technology in process control systems, the traditionally isolated control system has been turned into a networked system. Although many benefits are achieved with such technical innovation, the side effect is also obvious: it exposes the process control system to various cyber attacks, which threatens the security of critical infrastructures. The Stuxnet attack on the Iranian nuclear power facilities brought the cybersecurity issue to an alarming stage[1]. It happened even though the facilities and their control system were highly secured, located underground and electromagnetically isolated from insecure networks.

Securing industrial control systems is a complex and even very difficult task because little attention was paid to it in the past. In light of the growing prevalence of cyber attacks on computer networks and systems in various infrastructures worldwide, study of the cybersecurity of industrial control systems, especially those used in critical infrastructures, is of great importance.

Because of the differences between industrial control systems and the IT systems used in business applications, it is difficult to apply the available IT cybersecurity techniques directly to the problems within industrial control systems. For example, an industrial control system may work continuously for as long as several years; any modification or update to the on-line control system may cause unexpected damage to the process and equipment. Countermeasures to mitigate the control system risk should therefore be tested carefully before they are put into use. Therefore, it is important to develop a testbed, instead of using the real industrial process, for the study of process control system cybersecurity.

A cybersecurity testbed is used to identify existing industrial control system vulnerabilities, to develop vulnerability taxonomies that identify common cybersecurity deficiencies in need of solutions, and to serve as a platform for validating cybersecurity research solutions which serve industry and government[2]. A testbed offers a low-cost means to model industrial control systems and the effects of cyber security attacks on such systems. Testbeds have recently become a hot topic within the process control system cybersecurity research community.

The Idaho National Labs (INL) National SCADA Testbed, supported by the Department of Energy, USA, is a large-scale testbed dedicated to control system cybersecurity assessment, standards improvement, outreach, and training[3]. The British Columbia Institute of Technology (BCIT) houses a process control system testbed known as the Industrial Instrumentation Process Laboratory. The BCIT lab includes a fully operational distillation column, an evaporator, a batch pulp digester, a chemical blending reaction process, and a power boiler. It also includes a variety of SCADA equipment, including Emerson DeltaV and Provox distributed control systems, F&P MC5000 controllers, Foxboro I/A digital control systems, Rockwell PLC-5s, Schneider 984 and Quantum programmable logic controllers, Honeywell TDC 3000 distributed control systems, the Bailey Net90 distributed control system, GE/Fanuc Series 90/70 and Series 90/30 programmable logic controllers with Genius I/O, and other field devices such as valves and measurement instrumentation[4].

Although there has been much cybersecurity research on industrial control systems in the past decade, only a few studies focus on the control equipment itself, and even fewer conclusions are made public. In this paper, we present the design and development of a process control testbed for control system security studies. Since we are eager to investigate the cybersecurity of widely used control systems, several different programmable logic controllers and a distributed control system are adopted in the testbed. Because the focus of this research is on the real cyber layer, and because of the advantages associated with a simulated process, the simulated Tennessee-Eastman process is adopted in this study.

© 2013. The authors - Published by Atlantis Press

The rest of the paper is organized as follows. Section II analyzes and summarizes the issues with control system testbeds for cybersecurity research. Section III presents the details of the development of the control system testbed. The cybersecurity study on the testbed is shown in Section IV. Finally, conclusions are drawn in Section V.

II. CONTROL SYSTEM TESTBED FOR CYBERSECURITY

A process control system, which can be regarded as a cyber-physical system (CPS), consists of a cyber layer, including the control system hardware and software and the control and communication network, and a physical layer, i.e. the industrial process itself. Therefore, a control system testbed also consists of a cyber layer and a physical layer. Since the cyber layer and the physical layer of a testbed can each be either real or simulated components, it is reasonable to classify testbeds on that basis. In this sense, three categories of cyber layer and two categories of physical layer implementations can be identified so far. For cyber layer implementations the following approaches were found: only real components[5]; hybrid, i.e. real components combined with simulated ones[6]; and only simulated components[7]. For physical layer implementations, two categories can be found: only real components[8]; and only simulated components[9].

The different approaches possess advantages and disadvantages. For example, a testbed in which the cyber layer consists exclusively of real components provides few experiment management capabilities and is dedicated to a specific process, but it displays the results intuitively when the control system is under attack and can be connected to the control system easily. Furthermore, the cybersecurity problems associated with intelligent field devices, such as measurement instruments and valves, can also be tackled: the field bus used in the plant layer can be accessed by an invader, and through it an attack on the control system is possible. The hybrid cyber layer proposals, which combine multiple simulation models together with real components, increase the functionality and flexibility of the testbed, but they are mainly targeted at a specific domain such as power transmission and distribution. For the approaches that use simulators for both cyber and physical layers without any real components, functionality is limited due to the diversity and complexity of protocols, systems and architectures. Besides, for process control system cybersecurity research, investigating the vulnerabilities inherent in the real control components and control system architectures

distributed framework for simulation was proposed. For example, the high level architecture (HLA), defined in the IEEE 1516 standard, is widely used in the development of a variety of testbeds.

III. DEVELOPMENT OF TESTBEDS FOR PROCESS CONTROL SYSTEM CYBERSECURITY RESEARCH

A. Description of Tennessee-Eastman Process

The Tennessee-Eastman (TE) chemical process is a testbed widely used in plant-wide control strategy design, multivariable control, optimization, predictive control, estimation/adaptive control, nonlinear control, process diagnostics and education. Its complexity also makes it suitable for cyber-physical security related studies[10]. The TE chemical plant is a process with 41 measured parameters and 12 manipulated variables. The manipulated variables are the control actions, based on the measured parameters, that maintain certain operational goals such as a constant reactor temperature. The architecture of the TE process includes five main units: a two-phase reactor, a product condenser, a recycle compressor, a vapor/liquid separator and a product stripper. More details on the TE process can be found in the original paper by Downs and Vogel[11].

B. Structure of Testbed based on TE Process

[Figure: structure of the testbed based on the TE process. Components shown: an Engineering Station, an HMI Station and a Cybersecurity Test Machine connected over Ethernet through a Switch to a Centum VP DCS, a Schneider Quantum PLC, an A-B ControlLogix PLC and a Siemens S7-300 PLC (the hybrid cyber layer); these are wired to the Process Input/Output Interface, which connects to the Virtual Measurement Instruments and Actuators and the TE Process Simulation Model.]
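An added example, not code from the paper, of the process input/output interface that sits between the real controllers and the virtual actuators in the structure above: it exposes the simulated TE measurements as Modbus input registers and validates every Modbus write of a manipulated variable before the virtual actuator moves, counting rejected writes as a simple indicator for experiments such as the Modbus worm scenario mentioned in the abstract. The register layout, the percent scaling, the class and function names and the sample values are my assumptions, not the paper's.

```python
import struct

# Added example, not the paper's code; the register map below is my assumption:
# XMEAS -> input registers 0..40, XMV -> holding registers 0..11, percent * 100.
N_XMEAS, N_XMV, SCALE = 41, 12, 100
FC_WRITE_MULTIPLE = 0x10
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS, EXC_ILLEGAL_VALUE = 0x01, 0x02, 0x03
SAMPLE_XMEAS = [round(20.0 + 0.5 * i, 2) for i in range(N_XMEAS)]  # constructed
SAMPLE_XMV = [50.0] * N_XMV  # constructed sample state, not TE base-case values


def build_write_pdu(start, percents):
    """FC16 PDU a controller or HMI sends to set manipulated variables."""
    regs = [int(round(p * SCALE)) for p in percents]
    n = len(regs)
    return bytes([FC_WRITE_MULTIPLE]) + struct.pack(">HHB%dH" % n, start, n, 2 * n, *regs)


class ProcessIOInterface:
    """Bridges the simulated TE process to the PLCs' Modbus register view."""

    def __init__(self, xmeas, xmv):
        assert len(xmeas) == N_XMEAS and len(xmv) == N_XMV
        self.xmeas, self.xmv = list(xmeas), list(xmv)
        self.rejected = 0  # refused writes: a cheap indicator during attack experiments

    def read_input_registers(self, start, count):
        """Measurements the controllers poll, as scaled 16-bit registers."""
        if start < 0 or count < 1 or start + count > N_XMEAS:
            return None
        return [int(round(v * SCALE)) for v in self.xmeas[start:start + count]]

    def _reject(self, fc, code):
        self.rejected += 1
        return bytes([fc | 0x80, code])  # Modbus exception response

    def write_holding_registers(self, pdu):
        """Validate an FC16 PDU before it reaches the virtual actuators."""
        fc = pdu[0] if pdu else 0
        if fc != FC_WRITE_MULTIPLE:
            return self._reject(fc, EXC_ILLEGAL_FUNCTION)
        # a truncated header is zero-padded so the length checks below reject it
        start, qty, nbytes = struct.unpack(">HHB", pdu[1:6].ljust(5, b"\0"))
        values = pdu[6:]
        if not 1 <= qty <= 123 or nbytes != 2 * qty or len(values) != nbytes:
            return self._reject(fc, EXC_ILLEGAL_VALUE)
        if start + qty > N_XMV:  # beyond the 12 exposed actuators
            return self._reject(fc, EXC_ILLEGAL_ADDRESS)
        regs = struct.unpack(">%dH" % qty, values)
        if any(r > 100 * SCALE for r in regs):  # a setpoint above 100 % is invalid
            return self._reject(fc, EXC_ILLEGAL_VALUE)
        for i, r in enumerate(regs):
            self.xmv[start + i] = r / SCALE
        return pdu[:5]  # normal response echoes function code, address, quantity
```

A real Modbus/TCP front end would strip the 7-byte MBAP header before handing the PDU to write_holding_registers.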
