U of Alabama in Huntsville: SCADA Cybersecurity Lab Exercises via Online Portal

University of Alabama in Huntsville
Undergraduate (Two Year and Four Year) level.
“SCADA Cybersecurity Lab Exercises via Online Portal.”

The course materials described below are available via the Cyber Curriculum Library online portal.

Topics and Subtopics include:

The lab exercises call for certain tasks to be completed at the two year level and additional tasks to be completed at the four year level. More details are forthcoming.

“Introduction to SCADA Control Systems” with emphasis on common components of a control system, physical system background, and ladder logic. The lab exercises call for the following tasks to be completed at the two year level: logging into the lab, using small gas pipeline, water storage tank, and large gas pipeline systems, changing set points, observing behaviors, and using manual and automatic modes, as well as configuring SCADA systems for unsafe operation. The tasks to be completed at the four year level are all the two year objectives, with the addition of updating ladder logic for the small gas pipeline, and adding a PID controller.

“Networking in SCADA Control Systems” with emphasis on common network protocols, and common network architecture. The lab exercises call for the following tasks to be completed at the two year level: observing network traffic with Wireshark, using small gas and large gas pipeline, and using small water storage tank. The tasks to be completed at the four year level are all the two year objectives, with the addition of writing a Python script to open a network socket and send fake Modbus/TCP queries and responses to clients and servers.

“SCADA Control System Risk Assessment” with emphasis on what risk assessment is, risk management framework, National Electric Reliability Corporation Critical Infrastructure Protection standards, and vulnerability testing for SCADA control systems. The lab exercises call for the following tasks to be completed at the two year level: using NMAP/Zenmap to scan IP addresses in a system for network devices with service on common SCADA IANA port numbers, using NMAP to guess OS, manufacturer, and model of identified systems, and using Low Orbit Cannon to perform a denial of service attack against identified nodes. The tasks to be completed at the four year level are all the two year objectives, with the addition of: writing a Python program to conduct a LAND attack.

“Applying Cybersecurity Principles to SCADA” with emphasis on availability, integrity, confidentiality triad, fail safe versus fail secure for SCADA, and security at rest, layering, minimization, modularity, open design, simplicity, and usability. The lab exercises call for the following tasks to be completed at the two year level: using Ettercap to initiate man-in-the-middle attacks, altering Modbus/TCP Query (Command) Packet, altering Modbus/TCP Response (Sensor Data, Error) Packet, using Simply Modbus TCP Client to initiate an extra Modbus/TCP session with the PLC, injecting Modbus/TCP Query (Command) Packet, and changing PLC register values. The tasks to be completed at the four year level are all the two year objectives, with the addition of: writing Ettercap scripts to alter all Modbus/TCP queries to change specific bytes, altering all sensor measurements to add a fixed value to pipeline pressure, and to drop all Modbus/TCP traffic.

“Threats and Vulnerabilities for SCADA Control Systems” with emphasis on SCADA control system vulnerability taxonomies, SCADA control system kill chain, and case studies of known attacks against SCADA control systems and the Internet of Things. The lab exercises call for the following tasks to be completed at the two year level: configuring Snort to monitor SCADA Local Area Network traffic, using provided signatures to detect Ettercap man-in-the-middle initiation, writing Snort rules to detect Modbus/TCP traffic, copying rules and editing to detect non-Modbus/TCP traffic, and writing rules to use packet arrival timing to detect Denial of Service. The tasks to be completed at the four year level are all the two year objectives, with the addition of: writing Snort rules to whitelist Modbus/TCP clients and servers, limiting traffic to defined sets of clients and servers communications, writing stateful Snort rules to detect NMAP scans, and writing Snort rules to detect invalid set points (command injection).

And “Defending SCADA Control Systems” with emphasis on common defense in depth approaches for SCADA, firewall access control lists for SCADA, signature, anomaly, and specification based intrusion detection for SCADA, data diodes, encryption and authentication in SCADA networks, and access control for SCADA. The lab exercises call for the following tasks to be completed at the two year level: creating two Linux VMs and inserting them as BITW nodes, enabling IPSEC transport mode, enabling IPSEC tunnel mode, and using Wireshark to observe locations of confidential and non-confidential traffic. The tasks to be completed at the four year level are all the two year objectives, with the addition of: writing a Python script to parse PCAP files from Wireshark to measure client to server packet transport time for each mode, measuring client to server packet transport time during key change, and plotting transport times with and without encryption in Excel.

NCWF Categories included:

 

NCWF Specialty Areas included:

 

NCWF KSAs included:

K0001: Knowledge of computer networking concepts and protocols, and network security methodologies.

K0002: Knowledge of risk management processes.

K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.

K0004: Knowledge of cybersecurity and privacy principles.

K0005: Knowledge of cyber threats and vulnerabilities.

Summary:

Six total modules, with corresponding lab components. Lecture materials, homework, exam problems, lab exercises, and Virtual SCADA test beds are included in this curriculum. The Virtual SCADA test beds will be hosted on University of Alabama at Huntsville servers, or colleges and universities may deploy the UAH Virtual SCADA test beds locally on their own equipment. This curriculum is applicable at both two year and four year colleges.