Abstract
Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators up to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite system) signals, common practice, and its codification in the ISO/IEC 60870-5-104 protocol widely used in the power control domain, calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns that allow the undetected partial replay of legitimate messages and the injection of messages, even in the presence of ISO/IEC 62351 protective measures, in a multi-stage attack targeting time synchronisation protocols and specifically NTP, resulting in a desynchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.
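A defender-side check for the desynchronisation the abstract describes, written here as an added example (not code from the paper or its co-emulation environment): it flags NTP offset steps on an RTU clock that exceed plausible oscillator drift, and 60870-5-104 event timestamps that run backwards or diverge from master time. The thresholds, the sample data and the field layout are assumptions.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the paper.
MAX_DRIFT_PPM = 100.0   # drift a healthy RTU crystal could plausibly show
MAX_NTP_STEP_S = 0.128  # offset jump treated as a clock step
MAX_RTU_SKEW_S = 1.0    # tolerated RTU-vs-master skew on event timestamps


@dataclass(frozen=True)
class NtpSample:
    t: float       # master-side time when the RTU's NTP offset was sampled
    offset: float  # offset the RTU's NTP client reported (seconds)


def ntp_steps(samples):
    """Return (t, delta) for consecutive samples whose offset change exceeds
    both the drift the polling interval allows and the step threshold."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        allowed = (cur.t - prev.t) * MAX_DRIFT_PPM * 1e-6
        delta = abs(cur.offset - prev.offset)
        if delta > max(allowed, MAX_NTP_STEP_S):
            alerts.append((cur.t, round(delta, 3)))
    return alerts


def rtu_time_anomalies(events):
    """events: (master_recv_time, rtu_timestamp) per 60870-5-104 event.
    Flags timestamps that run backwards (consistent with replayed messages)
    or that sit further from master time than the RTU clock should be."""
    alerts, last_ts = [], None
    for recv, ts in events:
        if last_ts is not None and ts < last_ts:
            alerts.append(("backwards", recv))
        elif abs(ts - recv) > MAX_RTU_SKEW_S:
            alerts.append(("skew", recv))
        last_ts = ts if last_ts is None else max(ts, last_ts)
    return alerts


# Constructed sample data: a clean period, then a sudden offset jump,
# then an event stream containing an old timestamp and a skewed one.
NTP_LOG = [NtpSample(0, 0.001), NtpSample(64, 0.002), NtpSample(128, 0.003),
           NtpSample(192, -2.400)]
EVENTS = [(100.0, 100.01), (101.0, 101.02), (102.0, 99.5), (103.0, 103.0),
          (104.0, 110.2)]

if __name__ == "__main__":
    print("NTP steps:", ntp_steps(NTP_LOG))
    print("RTU anomalies:", rtu_time_anomalies(EVENTS))
```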
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference |
| Publisher | IEEE Press |
| Pages | 1-6 |
| Number of pages | 6 |
| ISBN (Electronic) | 978-1-5386-4505-5 |
| DOIs | |
| Publication status | Published - 2018 |