2009 International Conference on Web Information Systems and Mining
Hacking Risk Analysis of Web Trojan in Electric Power System
Yong Wang1,2 Dawu Gu1
1. Dept. of computer Science and Engineering
Shanghai Jiao Tong University
Shanghai, China
wy616@126.com
Abstract—The threat from web Trojan in electric power
systems (EPS) is complex, which perhaps infects computers,
damage SCADA system, or even cause electricity fail. The
paper presents the potential Trojan attack risks of EPS by
analyzing the security architecture of power systems, such as
firewall, intrusion detection system and intrusion prevention
system. The paper analyzed some possible attack methods
from web Trojan and Botnet. In order to find or track the
possible Trojan attacks, the detection and defense methods in
virtual power system surroundings, such as web-based SCADA
system, VMware station, honeynet, anti-Trojan software and
operation system security, are presented.
Keywords-power system; security; Trojan; web
I. INTRODUCTION
Power systems security is very important issue. The
remote control and electric transport system may give
hackers opportunities to intrude the systems by Cyber.
Studies commissioned by the White House, FBI, and North
American Electric Reliability Council (NERC) have
identified several factors that increase the probability of an
electronic, computer-based attack being launched against a
substation, causing regional and possibly widespread power
outage[2,3]. Hacking risk from internet or in web server is
very huge, though there are lots of Intrusion Detection
System and Firewalls in power systems.
Once Trojan or virus from cyber damage or change some
parameters of the Supervisory Control and Data Acquisition
(SCADA), the electric power systems will suddenly collapse
for self-safe function. SCADA does not implement adequate
security measures in their products [10]. Power systems
consists of SCADA, electric power communication and
power data networks. SCADA is widely used in industrial
infrastructures such as railways and electricity grid, and
managed remotely using communication networks.
New SCADA system is designed in the power system of
Montenegro with ICCP/TASE.2 and web-based real-time
electricity demand metering extensions [11]. IEEE P1547.6
draft recommended practice for interconnecting distributed
resources with electric power systems distribution secondary
networks. This standard establishes recommended criteria,
requirements and tests, and provides guidance for
interconnection of distribution secondary network system
types of area electric power systems (AEPS) with distributed
resources (DR) providing electric power generation in local
electric power systems (Local EPS).
978-0-7695-3817-4/09 $26.00 © 2009 IEEE
DOI 10.1109/WISM.2009.109
Jianping Xu2 Haizhou Du2
2. Dept. of computer Science and Technology
Shanghai University of Electric Power
Shanghai, China
Further, this standard identifies communication and
control recommendations and provides guidance on
considerations that will have to be addressed for such DR
interconnections. The network control center in one AEPS
domain operates as an administrator of all its local EPS
domains and communicates with users in other AEPS
domains. The International Electro technical Commission
(IEC) has recently published a substation automation system
communication standard - IEC61850 [1]. The SCADA and
AEPS both need computers to control EPS in different
networks. Trojan can now control remote computers without
detection of anti-virus software and firewall. Once Trojan
attack EPS through cyber, the EPS will face to great
dangerous status. Vulnerability assessment is a requirement
of cyber security standards for electric power systems. It is
required to study the impact of a cyber attack on SCADA
systems [6].
We will analysis the potential web Trojan attack risks of
EPS. Through analyzing the security architecture of power
systems by firewall, intrusion detection system and intrusion
prevention system, we will find out some possible attack
methods from Trojan and Botnet in virtual power system
surroundings, such as web-based SCANDA system,
VMware station, Honeynet, anti-Trojan software and
operation system security.
II. SECURITY ARCHITECTURE OF POWER SYSTEMS
A. IEEE Standards of Power Systems Security
The IEEE defines electronic intrusions as: Entry into the
substation via telephone lines or other electronic-based
media for the manipulation or disturbance of electronic
devices. These devices include digital relays, fault recorders,
equipment diagnostic packages, automation equipment,
computers, programmable logic controllers, and
communication interfaces.[1]
The IEEE standards show that during operational stage,
intrusions can affect the integrity of the electric power
supply and the reliability of the transmission and distribution
grid, if the intrusion results in power interruptions. Examples
include projectiles, poles, or kites that come in contact with
energized parts and electronic interference with relaying and
control circuits. Intruders have been known to open valves,
push buttons, and operate circuit breakers, reclosers and
switches [1].
510
 The IEEE 1547 family of standards gives utilities a
technical framework to integrate power from diverse local
sources by considering such topics as operation, testing,
interconnection, safety, maintenance, interoperability, design,
engineering, installation and certification. IEEE 1547
standards are sponsored by the IEEE Standards Coordinating
Committee 21 for Fuel Cells, Photovoltaics, Dispersed
Generation, and Energy Storage.
IEEE P1547.6, "Recommended Practice for
Interconnecting Distributed Resources with Electric Power
Systems Distribution Secondary Networks", will overcome
this deficiency by recommending technical criteria,
requirements and tests relevant to the performance, operation,
testing, safety and maintenance for interconnecting DR on
such networks. It will consider the needs of local and area
electric power systems so as to serve owners, operators,
manufacturers, system integrators, regulators and other
constituencies.
B. Web-based SCADA System
IntegraXor is architect based on web technologies,
IntegraXor server is indeed a standard compliant web server
that added with HMI/SCADA requirements. A complete
IntegraXor system always accomplished with at least another
client, which runs on web browser, either locally or remotely.
IntegraXor was developed based on open web standard as
much as possible, as advocated by World Wide Web
Consortium, W3C, hence reduced the learning curve of the
system, especially when the documentation is widely
available for non-proprietary system. The real time alarms
and event log of simulate SCADA in web is as Figure 1:
Figure 1. Real time alarms and event log of simulate SCADA in web.
C. Firewall of Power Systems
The UK government’s National Infrastructure Security
Coordination Center (NISCC) recently released its
guidelines for effective use of firewalls in SCADA networks
(NISCC, 2005) [5]. Firewall of power systems can detect
network communication protocol, Denial of Service (DOS)
attack and other attacks. Some firewall equipments are used
in EPS.
The FortiGate-5000 Series addresses this problem by
tightly integrating multi-threat protection into a purpose-built
platform to effectively block today’s file-based threats and
network-based threats. Examples of critical threats that are
blocked by the FortiGate include: viruses, Trojans, worms,
phishing schemes, intrusion attempts, denial of service (DoS)
511
attacks and an ever increasing number of attacks that use
blended threat vectors.
SunScreen 3.1 firewall with the full-feature version is
used in power system. Which is a versatile stateful, packet-
filtering firewall that is used to control access, authenticate
users, and encrypt network data and that operates in either
routing or stealth mode. The SunScreen 3.1 installation guide
covers installation overview and considerations, installing in
routing mode with local and remote Administration Stations,
installing in stealth mode, installing on Trusted Solaris,
upgrading from the SunScreen EFS and SPF firewalls,
converting from Checkpoint's Firewall1, removing the
SunScreen software, command-line installation, and
upgrading cryptographic modules.
D. Power Intrusion Detection and Intrusion Prevention
System
Intrusion detection system (IDS) of power system can
detect virus attack and detect malicious code through
network communications. Some antivirus software can be
installed in power system information area.
The British Columbia Institute of Technology (BCIT) is
one of a few groups to track industrial cyber security
incidents. The BCIT Industrial security Incident Database
(ISID) contains information regarding security related
attacks on process control and industrial networked systems
[12].
AVG Anti-Virus SBS protect for Microsoft Windows
Small Business Server network. The function includes
protection against viruses, worms, Trojans, against spyware,
adware, identity-theft, against hidden threats rootkits, web
Shield, against malicious websites.
ZoneAlarm Pro provides you with advanced firewall
with identity and privacy protection against spyware, hackers
and identity thieves.
FortiGuard Antivirus Service prevents both new and
evolving virus, spyware and malware threats and
vulnerabilities from gaining access to your network and its
valuable applications or data assets by preventing and
responding to today's fast-spreading attacks. FortiGuard
Antivirus Service employs the most advanced virus, spyware,
and heuristic detection engines to provide comprehensive
protection against all the content level threats.
Intrusion Prevention Service (IPS) of FortiGuard
provides alerts based on a customizable database of more
than 4000 known attack signatures. This enables FortiGate
Security Systems to stop attacks that evade conventional
host-based antivirus systems, and provides immediate
response to fast spreading threats. Fortinet 's worldwide IPS
engineering teams "follow the sun" allowing Fortinet to
provide customers with real-time attack signatures. Using the
global FortiGuard Distribution Network, FortiGate systems
stop the most damaging attacks at the network border
regardless of whether the network is a wired, wireless,
partner extranet or branch office network connection.
Furthermore Fortinet's unique technology also supports
behavior-based heuristics adding valuable recognition
capabilities beyond simply matching content against known
signatures.
 III. POSSIBLE ATTACK METHODS OF POWER SYSTEM
A. Possible Hacking Vulnerabilities of Power Systems
Paul w. Oman research on the power system security of
possible attacks from internet and defend tools. Portions of
his work were funded by the U.S. Department of Commerce
National Institute of Standards and Technology Critical
Infrastructure Protection Grant. The Figure 2 is shown in his
paper.
Figure 2. Electronic access vulnerabilities[4].
1. Modem access via telecommunications providers.
2. Public network access via the Internet.
3. Wireless network access.
4. Long-run private network lines.
5. Leased network lines (e.g., ATM or Frame-Relay
connections) using telecommunications providers. [4]
We focus attention to electronic access and discussion
with anatomy of a cyber attack, like gaining access to the
inside of substation and changing settings. The web hacking
vulnerabilities of power systems is shown as Figure 3:
Figure 3. Web hacking vulnerabilities of power systems.
B. Firewall Hacking by Web Trojan
Firewall is an integrated collection of security measures
designed to prevent unauthorized electronic access to a
networked computer system, designed to prevent
512
unauthorized access to or from a private network. Firewalls
can be implemented in both hardware and software, or a
combination of both. Firewalls are frequently used to prevent
unauthorized Internet users from accessing private networks
connected to the Internet, especially intranets. All messages
entering or leaving the intranet pass through the firewall,
which examines each message and blocks those that do not
meet the specified security criteria.
Trojan horse, at first glance will appear to be useful
software but will actually do damage once installed or run on
your computer. Bifrost would bypass many software
firewalls back then, and now being better at bypassing
firewalls.
Web shell Trojan can hide their server in any picture.
Once the picture with Trojan was upload the web server, the
hacker can get administrator privilege by improve privilege
tools by the picture. The web Trojan can control the web
server as their own computer, such as download files, upload
files, record password even format the server disk. They can
cause serious damage by deleting files and destroying
information on your system.
Trojans in local network can download virus from
outside web. Once one computer is hacked, all the other
computers in local network will face on hacking risk.
C. Trojan anti-Intrusion detection system methods
Firewalls work well in conjunction with Intrusion
Detection Systems (IDS). Similar to firewalls, the problem
with IDS for SCADA networks is that most commercial IDS
are not capable of monitoring SCADA protocols for
suspicious behaviors (Pollet, 2002; Stamp et al., 2004) [5].
Current IDS technology is not suited to be widely deployed
inside SCADA environment [6].
Rootkits Trojan can hide its own process by inserting
remote thread into other process, hook the interrupt descript
table (IDT) to change the interrupt. Besides the IDT hoking,
there are many kernel mode hooks such as system enter
hooks, system service dispatch table (SSDT) hooks, code
patching hooks, layered driver hooks and driver hooks [4].
The kernel lever IDT hooks Trojan threaten the operating
system security. The vista has better security rule than
Winxp, many rootkit Trojan can’t work properly under this
operating system. It dose not mean the system is perfect,
which still has lots of security bug.
Besides kernel hooks Trojan there are many user hooking
processes such as Import Address Table (IAT) hooking.
When an application uses a function in another binary, the
application must import the address of the function. Most
applications that use the Win32 API could pass through an
IAT, so the Trojan can use the IAT hooks technology.
Inline function hooks Trojan are much more powerful
than IAT hooks. They do not suffer from the problems
associated with the binding time of the DLL.
Injecting DLL Trojan is more popular, which can use two
methods to inject. Injecting a DLL using Windows Hooks:
Applications receive event messages for many events in the
computer that relate to the application. Injecting a DLL using
Remote Threads: Another way to load your Rootkit DLL
into the target process is to create a remote thread in that
process.
We test some hooks Trojans which can work in vista
operating system, pass through IDS and control remote
computers without detection of many virus software. It
seems that there are lots of things to do to enhance the
security of operating system.
D. Distributed Deny of Service Attack of Botnet
Online criminals can use a virus to take control of large
numbers of computers at a time, and turn them into
"zombies" that can work together as a powerful "botnet" to
perform malicious tasks. Botnets, which can control huge
number of zombie computers, can distribute spam e-mail,
spread viruses, attack other computers and servers, and
commit other kinds of crime and fraud. According to a report
from Russian-based Kaspersky Labs, botnets currently pose
the biggest threat to the Internet.
The computers that form a botnet can be programmed to
redirect transmissions to a specific computer, such as a Web
site that can be closed down by having to handle too much
traffic - a distributed denial-of-service (DDoS) attack.
Agobot3 is a modular IRC bot for Win32 or Linux. The
Agobot family quickly grew larger than other bot families.
Other bots in the Agobot family are: Forbot, Phatbot, Urxbot,
Rxbot, Rbot. Agobot now has several thousand variants. The
majority of the development force behind Agobot is
targeting the Microsoft Windows platform; as a result the
vast majority of the variants are not Linux compatible. In
fact the majority of modern Agobot strains must be built
with Visual Studio due to its reliance on Visual Studio's
SDK and Processor Pack.
The web server in power systems needs to defense the
DDOS attack. Actually the risk of DDOS in power systems
is not as high as single Trojan. Because the EPS will deny
any other IP range except their own IP range. The ARP
Trojan would damage the whole power systems information
web, even though only one computer is once hacked.
IV. DETECTION AND DEFENSE METHODS IN VIRTUAL
POWER SYSTEMS
A. Virtual SCADA
With the recent development of industrial computing
systems and human machine interface software packages,
power systems research and development engineers ceased
the opportunity to come up with virtual simulation tools to
emulate the operation of power systems. The paper describes
the development of a virtual SCADA (V-SCADA) system
tool for IDS test [9]. PC based simulator for SCADA system
which can be used for analysis of distribution networks. The
system consists of one PC representing the master station
connected through a physical RS 232 link to another PC,
which represents the RTU networks. The master station is
equipped with all standard SCADA modules such as network
analysis functions, data acquisition applications,
communication protocols and HMI. The RTU station
simulates field data acquisition and data transfer to the
master station [8].
513
B. Virtual Intrusion Detection Architecture
Because we can’t test the Trojan in real network of
power system, so we had to build a virtual experimental
environment. The virtualization is a proven software
technology that can build the virtual power system.
VMware scales across hundreds of interconnected
physical computers and storage devices to form an entire
virtual infrastructure. You don’t need to assign servers,
storage, or network bandwidth permanently to each
application. Instead, your hardware resources are
dynamically allocated when and where they’re needed. In
VMware station, you need a minimum of two Network
Interface Cards, one connected to the internal, Honeynet
network and one connected to the external network or
internet. You need three cards if you want the ability for
remote management or remote logging, including the use of
the Walleye interface.
The Honeynet Project is an international, non-profit
research organization dedicated to improving the security of
the Internet at no cost to the public. Honeywall CDROM is
primary high-interaction tool for capturing, control and
analyzing attacks. It creates an architecture that allows you to
deploy both low-interaction and high-interaction Honeypots,
but is designed primarily for high-interaction. Know Your
Enemy: Honeynets: the paper can help you familiarize with
the concepts of a Honeynet, especially the risks and legal
issues involved. The Web Interface is the interface to
administering the Honeywall. It allows you to remotely
administrate your system and analyze the data collected by
Honeynet from Trojan intrusion.
C. Iris Capture Packets from SCADA Network
Iris eEye Digital Security is committed to bringing
visibility and control over computer and application
vulnerabilities, and providing a means to mitigate attacks
before they compromise sensitive information or critical
computing devices.
The tools can capture web SCADA packets from the
current network segment, decode many types of trace files
containing IP packets, reconstructs the TCP sessions and
shows the Emails, web pages, ftp sessions and everything
that goes unencrypted in your network. Iris lets you search
for certain words through captured sessions (web pages,
emails, instant messages, etc) .
With Iris tools you can Log Network Wide Foreign
Connection Attempts. Iris can watch over your office and
alarm you when someone from the outside tries to connect to
your computers. The details are as Figure 4:
Figure 4. Capture packets from SCADA.
D. Web Trojan Hacking Detection
Web Trojan hacking detection of power systems is
compost of four components, analysis of power systems
safety devices features, analysis of hiding features of Trojan,
analysis of intrude method of Trojan and intrusion detection
in power system.
Power systems safety devices have two kinds of features,
read features and write features. Read features stands the
information from SCADA to outside. Write features stand
the information from outside to SCADA.
Hiding features of Trojan includes process hiding, files
hiding, port hiding and so on. The intrusion methods of
Trojan are anti virus detection and firewall detection in
power system.
After analysis three features, the last component is
intrusion detection, which is composed of memory detection,
files detection and behavior detection. Web Trojan hacking
detection architecture is as Figure 5:
Figure 5. Web Trojan hacking detection of power systems.
V. DISCUSSION
We have analysis the potential web Trojan attack risks of
EPS through analyzing the security architecture of power
systems by firewall, intrusion detection system and intrusion
prevention system. We find out some possible attack
methods from Trojan and Botnet in virtual power system
surroundings, such as web-based SCANDA system,
VMware station, Honeynet, anti-trojan software and
operation system security.
We test some hooks Trojans which can work in windows
xp and vista operating system, pass through firewall and
514
control remote computers without detection of many virus
software. The Trojan hacking risk exist in power systems. It
seems that there are lots of things to do to enhance the
security of power system.
ACKNOWLEDGMENT
The paper is supported by National hi-tech research and
development project No.2006AA01Z405. Supported by
Shanghai Postdoctoral Scientific Program (No.08R214131).
Supported Innovation Program of Shanghai Municipal
Education Commission (No. 09YZ346).
REFERENCES
[1] IEEE Power Engineering Society, IEEE Standard 1402-2000: IEEE
Guide for Electric Power Substation Physical and Electronic Security,
IEEE, New York, NY, April 4, 2000.
[2] Paul Oman, Edmund O. Schweitzer, III, and Jeff Roberts,
“Safeguarding IEDS, substations, and SCADA systems against
electronic intrusions” , pp. 1-18.
[3] Paul W. Oman, Allen D. Risley, Jeff Roberts, and Edmund O.
Schweitzer, III, “Attack and defend tools for remotely accessible
control and protection equipment in electric power systems”, pp.1-26.
[4] Paul Oman and Edmund O. Schweitzer, III and Deborah Frincke,
“Concerns about intrusions into remotely accessible substion
controllers and SCADA systems”, pp.1-16.
[5] Vinay M. Igure, Sean A. Laughter, and Ronald D. Williams,
“Security issues in SCADA networks” , computers & security 25
(2006), pp.498-506.
[6] Chee-Wooi Ten, Chen-Ching Liu and Manimaran G., “Vulnerability
assessment of cybersecurity for SCADA systems power systems”,
IEEE Transactions on Volume 23, Issue 4, Nov. 2008 pp.1836-1846.
[7] Verba, J., Milvich, M., “Idaho national laboratory supervisory control
and data acquisition intrusion detection system (SCADA IDS)”,
Technologies for Homeland Security, 2008 IEEE Conference on 12-
13 May 2008 , pp.469-473.
[8] Awad, M., Ibrahim, A.I., “PC-Based SCADA simulator for
distribution system analysis”, Innovations in Information Technology,
2007. Innovations '07, 4th International Conference on18-20 Nov.
2007, pp.332-337.
[9] Darwish, K.W., Al Ali, A.R. and Dhaouadi, R., “Virtual SCADA
simulation system for power substation innovations in information
technology”, 2007 Innovations '07. 4th International Conference on
18-20 Nov. 2007 , pp.:322-326.
[10] Chikuni, E., Dondo, M., “Investigating the security of electrical
power systems SCADA” ,AFRICON 2007 26-28 Sept. 2007 ,pp.1-7.
[11] Stojkovic, B., Vukasovic, M., “new SCADA system design in the
power system of Montenegro - ICCP/TASE.2 and web-based real-
time electricity demand metering extensions”, Power Systems
Conference and Exposition, 2006. PSCE '06. 2006 IEEE PES ct. 29
2006-Nov. 1 2006 pp.2194 - 2199
[12] Creery, A.; Byres, E.J., “Industrial cyber security for power system
and SCADA networks”, Petroleum and Chemical Industry
Conference, 2005. Industry Applications Society 52nd Annual 12-14
Sept. 2005, pp.:303-309.