As SCADA systems move to use IP networks to take advantage of their cost benefits and implement smart-grid capabilities, the traditional assumptions that these systems are air-gapped and inaccessible to outside attackers no longer hold. While existing fault-tolerant SCADA architectures provide sufficient resilience to overcome benign failures, they are not adequate to cope with the hostile environments that SCADA systems are now being exposed to.
To address this problem, we present Spire, the first intrusion-tolerant SCADA system that is resilient to both system-level compromises and sophisticated network-level attacks and compromises.
In this talk, we will describe our experience developing the open-source Spire system and the intrusion-tolerance techniques Spire uses to maintain correct operation (and performance guarantees) even while under a successful attack. Specifically, at the system level, Spire replicates the SCADA master, running multiple copies in parallel, and uses a voting protocol to ensure that the system continues to operate correctly even if one of the SCADA master replicas is under the control of a sophisticated attacker. At the network level, an intrusion-tolerant network service provides authentication, encryption, and fairness, and limits the attack surface of system endpoints by forcing their network communication through secure proxies. Spire uses diversity and proactive recovery to present a dynamically changing attack surface for each SCADA master replica, so that no single exploit can take over the system and a successful attacker can lurk in the system only for a limited time.
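The following Python voter is an added illustration of the system-level replication-and-voting idea described above; it is example code written for this page, not Spire's implementation, and Spire's actual replication protocol, replica counts and message formats are not reproduced here. It assumes n >= 2f+1 SCADA master replicas, accepts a command only once f+1 distinct known replicas agree on it, and otherwise issues nothing. The Command schema, replica names and breaker identifier are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Command:
    """One SCADA master decision for a field device (hypothetical schema)."""
    seq: int        # sequence number the replicas agreed on
    device: str     # target device id (constructed for the example)
    action: str     # e.g. "open" or "close"


def quorum_size(f: int) -> int:
    """f+1 matching responses outnumber the f replicas an attacker may control."""
    return f + 1


def vote(responses: Iterable[Tuple[str, Command]], f: int,
         replicas: Set[str]) -> Optional[Command]:
    """Return the command backed by at least f+1 distinct, known replicas.

    Returns None (fail-safe: issue nothing to the field) when no command
    reaches quorum.  Assumes len(replicas) >= 2f+1, so the f+1 correct
    replicas can always outvote the f compromised ones.  Each replica is
    counted at most once, so a compromised replica cannot stuff the ballot
    by repeating itself, and messages from unknown senders are ignored.
    """
    if len(replicas) < 2 * f + 1:
        raise ValueError("need at least 2f+1 replicas to tolerate f compromises")
    first_from: Dict[str, Command] = {}
    for replica_id, cmd in responses:
        if replica_id not in replicas:          # unauthenticated / unknown sender
            continue
        first_from.setdefault(replica_id, cmd)  # later messages from the same replica ignored
    tally = Counter(first_from.values())
    winners = [cmd for cmd, votes in tally.items() if votes >= quorum_size(f)]
    # Two different commands each reaching f+1 votes would mean correct
    # replicas disagreed, i.e. agreement itself failed: act on nothing.
    return winners[0] if len(winners) == 1 else None


def demo() -> Dict[str, Optional[Command]]:
    """Three constructed scenarios with f=1 and n=3 replicas m1, m2, m3."""
    f = 1
    replicas = {"m1", "m2", "m3"}
    close = Command(seq=17, device="breaker-7", action="close")
    open_ = Command(seq=17, device="breaker-7", action="open")
    return {
        # m3 is compromised and votes to open the breaker; m1/m2 say close.
        "one_compromised": vote(
            [("m1", close), ("m2", close), ("m3", open_)], f, replicas),
        # m3 repeats its vote and spoofs a non-existent m4; still outvoted.
        "ballot_stuffing": vote(
            [("m1", close), ("m3", open_), ("m3", open_), ("m4", open_), ("m2", close)],
            f, replicas),
        # m2 is down and m3 is compromised: only one honest vote, no quorum.
        "no_quorum": vote([("m1", close), ("m3", open_)], f, replicas),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.action if result else 'no command issued'}")
```

The fail-safe branch matters as much as the majority branch: when a replica is down and another is compromised, the voter cannot distinguish honest from malicious input, so it issues nothing rather than guessing.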
We will also discuss two deployment experiences: a red team experiment conducted at Pacific Northwest National Lab in 2017 and a test deployment at Hawaiian Electric's (HECO) mothballed Honolulu power plant in 2018. During the red team experiment, a group of expert hackers from Sandia National Labs attacked both a standard commercial SCADA system set up according to recommended best practices and our Spire system. During the test deployment, Spire managed a small power topology, meeting performance requirements without interfering with existing plant systems. We will conclude by describing an incremental path toward realizing the goal of a fully intrusion-tolerant power grid.