Cyber Storyboards


This is a simple exercise that involves scanning for vulnerable nodes in a network. In this experiment, we can learn how an attacker uses port scanning to gather information that can be used later for an attack. We will also be able to discover which hosts are alive on a network and what services are running on them.

Port Scanning is the process of making connection attempts to another networked computing device in order to gain information about what services are running on the machine.

The most common tool to perform this operation is called Nmap. Nmap, and its graphical counterpart Zenmap, allow an individual to scan vast networks and to discover what machines are on the network and what services are being offered.

This experiment is designed to show the importance of discovering system vulnerabilities using detailed scans. We can analyze the severity of their impacts and potential solutions to patch critical vulnerabilities.

Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware.

This experiment lets us gain a basic understanding of how packet sniffing tools can be used to understand traffic patterns and data formats. It also lets us understand the basics of how captured traffic can be used to replay command packets to create unintended effects on protective relays.

In this experiment, we will use a packet capturing tool called Wireshark, capture some packets between the Control Center and the substation and replay some of the packets to create a disturbance in the system.

This experiment is an extension of the previous one. In this experiment, we will learn to configure firewall rules to meet certain security requirements. In addition, we will also learn how to restrict access to the various connected devices according to those requirements.

This experiment also involves Wireshark packet capture, scripting, and a replay attack. We then configure the firewall so that this kind of attack can no longer succeed in the system.

The attacker gains physical access to the process WAN, on which he is able to obtain a network address. As the data flows between the RTUs and the SCADA system are not encrypted, the attacker is able to read any transmitted data in clear text. The attacker uses this opportunity to perform an ARP spoofing attack and position himself between an RTU and the PCU (i.e., a man-in-the-middle attack).

As such, the attacker is able both to send malicious requests to the RTU and to hide the real events from the operator. The attacker uses this for an unauthorized opening of a distribution feeder breaker feeding a major manufacturing industry connected directly at the 40 kV level. The attacker's intention is to create a power outage that will severely disturb or stop production in a continuously operated plant in order to cause economic and/or physical damage.

ICS Storyboards


This experiment is based on attack modelling and a defense method for the power system protection scheme known as a Remedial Action Scheme (RAS). Typically, a RAS is implemented to take specific corrective actions to prevent widespread outages during disturbances in the power system. The attacker initiates the coordinated attack by performing malicious line tripping through a data integrity attack on the unencrypted communication between the substation and the control center. Eventually, the attacker also blocks the RAS communication through a targeted Denial of Service (DoS) attack on one of the protection controllers.

This prevents the successful operation of the RAS and in turn causes thermal overloading on other transmission lines. As a result of these coordinated attacks, the overall system stability is affected, as they cause the islanding of a generator from the rest of the system.

The attack involves a stealthy manipulation of the measurements and controls used in the Automatic Generation Control (AGC) algorithm to destabilize and affect the frequency of the power grid. This attack is a version of the classic Man-in-the-Middle attack, where the attacker intercepts the communication between the control center and the remote substations and chooses to stealthily modify either the frequency and tie-line measurements going to the control center, or the AGC control commands going to the generating stations.

This is achieved by first executing an ARP poisoning attack, which tricks the remote substation into forwarding the data to the attacker before it is sent to the external gateway. The attacker then selects the information to be replaced, modifies it using custom attack scripts, and forwards it to the external gateway.

As a result of this manipulation, there is a steady frequency deviation in the system. Eventually, this frequency deviation causes load in the system to be shed in an attempt to restore the frequency. A sustained attack could potentially leave a major portion of the load in the power system unserved.

The attacker has physical access to the RTU communication network and as such is able to connect his own equipment to the network using a switch in an unmanned substation. From this point the attacker floods a number of logical connections with a continuous stream of packets, which creates an overload in the Front-End applications and blinds the operators to what is happening in the grid.

The attacker has chosen a time for the attack when a severe snow and ice storm is expected and the control operators are unable to counteract the loss of physical devices caused by the storm. This leads to an overload of the power lines feeding the capital city, which also goes unnoticed in the control centre. The blinded SCADA system severely delays the power restoration efforts to reenergize the capital city.

An uninformed operator in the control room connects his workstation to the Internet during a night shift. Having done so, he finds a mail from the IT team telling him to configure his VPN correctly. The attacker uses this to send him a link that supposedly configures the VPN properly. Without becoming suspicious, the operator clicks on the link and gives the attacker access to his control room workstation.

The attacker is now able to connect remotely to this system and can open a shell with root privileges on the compromised system. From his own location the attacker is now able to open SCADA displays containing real-time information from the grid and to execute commands. He uses this to open HV breakers in the power grid, which leads to cascading events that cause a total blackout of the high voltage grid.

The attacker is an employee of the attacked utility and has access to substations and to substation engineering tools. He uses the engineering tools for the substation protection devices to set the line protection parameters to their default values. The default values in the protection devices are defined at such low limits that the protection devices will trip all power lines even in the normal operating state. The attack is carried out in a central HV/MV substation on the MV side and it will cause a total blackout in the capital city.