Team of ISU researchers combats cyber warfare

Kaleb Warnock

ISU students are developing cyber attacks in order to learn how to fix them when they pop up in real time.

Electrical and computer engineering students have designed a SCADA test bed in order to simulate and study cyber attacks and to study methods of protecting critical infrastructures from cyber attacks.

“The idea is to try to create cyber attacks before the actor does it and see invulnerabilities and how to fix them. Basically what this test bed allows us to do is a risk assessment. What we try to do is to emulate what happens in the real world,” said Manimaran Govindarasu, associate professor of electrical and computer engineering.

Funded in part by the National Science Foundation, the project is designed to find vulnerabilities in supervisory control and data acquisition (SCADA) systems and in the strategies used to defend them. To address those vulnerabilities, the team is developing software models, testing attack and defense strategies for critical infrastructures, and trying to determine how well these systems can recover from, and survive, an attack.

Critical infrastructures are assets essential for a population to function and survive: electric power grids, telecommunications, water production, transportation and financial services, along with defense systems such as those operated by the Department of Defense (DOD).

An attack on one of these assets could cause a catastrophic failure of the system and a breakdown of society. The ensuing chaos could leave the population open to kinetic, or direct military, attack, as was portrayed in the recent film Live Free or Die Hard.

Other attacks, dangerous though nonviolent, could cause blackouts and telecommunication failures. An attack on the New York Stock Exchange that corrupted data or shut down servers, for example, could lead to a collapse of the U.S. stock market with global ramifications.

Accordingly, ISU researchers are finding new ways to examine and test defensive strategies in order to protect these assets.

The SCADA test bed is intended to expose the security vulnerabilities of SCADA systems and their defense strategies, to develop models of defense mechanisms and software models of the systems themselves, and to test attack and defense strategies against them.

“Attacks may generally be different, like, between different SCADA subsystems or control subsystems, but general themes or the idea of what could happen … is still there,” said Adam Hahn, graduate student in electrical and computer engineering.

The multidisciplinary team of Ph.D. candidates is examining power systems and their ability to withstand different kinds of cyber attack. Two primary kinds of attack are studied: a distributed denial-of-service (DDoS) attack, and a direct attack by an individual or team of hackers to corrupt or remove data.

A DDoS is an attack in which “An Internet site, a server or router is flooded with more requests for data than the site can respond to or process,” as Richard Clarke defines it in his book, “Cyber War.” Essentially, a DDoS attacker takes control of many compromised “zombie” computers and uses them together to bog down a system until it is completely unable to function.
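The defining feature of a DDoS, as the definition above puts it, is volume beyond what the target can process, spread across many sources. The following Python is an added illustration, not code from the ISU test bed or from Clarke's book: it counts requests per one-second window over constructed web-server log lines (the addresses and timestamps are made up), flags windows whose volume exceeds an assumed serving capacity, and distinguishes a distributed flood from a single-source one, which matters because a per-IP rate limit stops the latter but not the former.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not from the article or any real incident), one
# request per line: "timestamp source_ip method path". The first lines are
# ordinary traffic from a few clients; then 60 distinct hosts each send one
# request in the same second (a distributed flood); then a single host sends
# 30 requests in one second (a single-source flood).
SAMPLE_LOG = (
    "2010-12-08T10:00:00 198.51.100.10 GET /index.html\n"
    "2010-12-08T10:00:00 198.51.100.11 GET /status\n"
    "2010-12-08T10:00:01 198.51.100.10 GET /about.html\n"
    "2010-12-08T10:00:02 198.51.100.12 GET /index.html\n"
    + "".join(f"2010-12-08T10:00:05 203.0.113.{i} GET /index.html\n"
              for i in range(1, 61))
    + "".join("2010-12-08T10:00:09 192.0.2.7 GET /index.html\n"
              for _ in range(30))
)

# Assumed serving capacity of the target host, in requests per second.
CAPACITY_PER_SECOND = 20


def parse_line(line):
    """Split one log line into (timestamp, source address, request path)."""
    ts, src, _method, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, path


def detect_floods(log_text, capacity=CAPACITY_PER_SECOND, window_seconds=1):
    """Bucket requests into fixed windows (window_seconds must divide 60) and
    return one summary dict per window whose volume exceeds capacity."""
    per_window = defaultdict(Counter)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, _path = parse_line(raw)
        start_sec = ts.second - ts.second % window_seconds
        bucket = ts.replace(second=start_sec, microsecond=0)
        per_window[bucket][src] += 1

    floods = []
    for bucket in sorted(per_window):
        sources = per_window[bucket]
        total = sum(sources.values())
        if total > capacity:
            floods.append({
                "window_start": bucket.isoformat(),
                "requests": total,
                "distinct_sources": len(sources),
                # Share of the window's traffic sent by the busiest source.
                "top_source_share": max(sources.values()) / total,
            })
    return floods


def classify(flood):
    """Label a flagged window. Many sources with no dominant sender is the
    distributed pattern; otherwise a per-source rate limit would suffice."""
    if flood["distinct_sources"] >= 10 and flood["top_source_share"] < 0.2:
        return "distributed"
    return "single-source"


if __name__ == "__main__":
    for flood in detect_floods(SAMPLE_LOG):
        print(flood["window_start"], flood["requests"], "requests from",
              flood["distinct_sources"], "sources:", classify(flood))
```

The two thresholds in `classify` and the capacity figure are assumptions for the example; on a real system they would come from load testing the host and from the normal distribution of per-client traffic.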

Hackers have used DDoS attacks in cases like the 2007 attacks against Estonia, widely attributed to Russia, and more recently against companies like Mastercard and Amazon in defense of Julian Assange, the founder of WikiLeaks.

An individual or team of hackers could also directly infiltrate a system and corrupt data, leading to failure or malfunction. The electric power system’s three-part structure of generation, transmission and distribution is almost completely automated, and so is open to attack at every level of the system.

There are many other methods of attack and many targets within the United States. Legislation is only beginning to emerge as attacks and incidents increase. Although lawmakers are slowly becoming more aware of the potential ramifications of a large-scale attack, the federal government has made little effort to regulate the cyber defenses of critical infrastructure assets.

The DOD, for its part, has classified cyberspace as a new domain of warfare that must be controlled and defended. U.S. Cyber Command, which became operational in 2010, was created to defend one set of critical networks: those of the Department of Defense itself.

Experts like counterterrorism specialist Clarke are critical of the federal government’s actions because few policies or regulations are in place to protect private companies. In “Cyber War,” Clarke argues that the government is not adequately defending the nation’s infrastructures and is leaving the United States open to attack.

The federal government has set few security standards for privately owned critical infrastructures like the power grid or telecommunications (the mandatory NERC critical infrastructure protection standards, which cover only the bulk power system, are the main exception), and current law gives it little authority to regulate their security.

“There is definitely movement,” Govindarasu said in regard to government regulation. “But there is not enough.”