DOI:10.1145/ 2602575
CyberPhysical
Testbeds
on the quality and
reliability of the services provided by networked
critical infrastructures (NCIs). Physical
infrastructures, including transportation systems,
electricity grids, and telecommunication networks,
deliver fundamental services for the smooth
functioning of the economy and for the lives of all
citizens. Accidental or intentional failure represents
one of the most important risks faced today.
The past few years have seen a dramatic increase
in the use of the information and communication
technologies (ICTs) within NCIs. The motivation for
companies was mainly to reduce the cost of industrial
installations and implement new services (such as
remote monitoring and maintenance of infrastructures,
MODER N SOCIETI E S D E PE ND
64
COMMUNICATIO NS O F TH E AC M
| J U NE 201 4 | VO L . 5 7 | NO. 6
key insights
E PIC supports execution of scientifically
rigorous cyber-physical security experiments, ensuring fidelity, repeatability, measurement accuracy, and safe execution.
instrumentcyber-physical testbeds
suitable for testing the effects of cyberattacks, validating novel countermeasures,
and training users in scenarios involving
a range of infrastructures, from local physical
processes (such as power plants) to
national grids and transportation systems.
JU N E 2 0 1 4 | VO L. 57 | N O. 6 | C OM M U N IC AT ION S OF T HE ACM
65
contributed articles
Table 1. Testbed features and cost-effectiveness compared: = strong support; = moderate support; and = weak support for
a specific feature.
Fidelity
Cyber Physical
Repeatability
Cyber Physical
Measurement
Accuracy
Cyber Physical
Safety
Cyber Physical
Cost
Multiple Critical
Effectiveness Infrastructures
ENEL-JRC15
DEFT25 (DETER+VPST)
PowerCyber11
HLA16
66
Objective
Nodes
Attack
Type
Evaluate effect of
network parameters
delay, packet loss,
and segmentation
on cyber attacks
targeting NCIs
615
Spoofing
Validate novel
approach for
anomaly detection
in cyber-physical
systems
21
DDoS and
spoofing
Power grid
Evaluate effect
of operational
decisions and
their cascading
effects on
interdependent
NCIs
12
Coordinated attack
Power grid
and railroad
transportation
Analyze effect
of operator reactions
and coordination in
well-known (YouTube)
BGP route hijacking
incidents
32
Hijacking
and manin-themiddle
COMMUNICATIO NS O F TH E AC M
Physical Process
| J U NE 201 4 | VO L . 5 7 | NO. 6
Outcome
contributed articles
the reaction of human operators to the
changes in the state of some physical
process. EPIC thus brings an important development in experimentation
testbeds through accurate experiments
that are closer to real NCI operation.
Testbed requirements. A cyberphysical testbed must be compatible
with and actively support the scientific
method, enabling researchers to apply
rigorous scientific methods by ensuring the fidelity, repeatability, measurement accuracy, and safe execution of
experiments:20
Fidelity. Experimentation testbeds
must be able to reproduce as accurately as possible the real system under
study. However, in many cases reproducing all details of a real system in an
absolute way might not be necessary
or even possible. It is thus preferable
for an experimental platform to offer
an adjustable level of realism, meaning researchers can use the level of detail that is sufficient to test the experimental hypothesis; for example, one
experiment might need to reproduce a
network at the physical layer using real
routers, while for another a software
router might be enough. The concept
of an adjustable level of realism means
having the option of using real hardware when really needed or emulators,
simulators, or other abstractions when
not needed.
Repeatability. This requirement reflects the need to repeat an experiment
and obtain the same or statistically
consistent results. Repeatable experiments require a controlled environment, but to achieve them researchers
must first define the experiments initial and final state, as well as all events
in between. To reproduce a previously
stored experiment scenario researchers must be able to set up the experimental platform in the initial state and
trigger all necessary events in the right
order and time of occurrence.
Measurement accuracy. Experiments
should be monitored but not interfere
with the experiment in a way that might
alter its outcome. Needed therefore are
separation of control, measurement,
and experiment processes.
Safe execution. In most cases security experiments assume the presence
of adversaries employing malicious
software to achieve their goals. The effect of the software is often unpredict-
Before choosing
the simulation step,
EPIC researchers
must verify
the output of
real-time
simulation
reproduces as
accurately as
possible
its counterpart
real-world process.
JU N E 2 0 1 4 | VO L. 57 | N O. 6 | C OM M U N IC AT ION S OF T HE ACM
67
contributed articles
in cyber-physical experimentation.
Within the DEFT consortium DETER
was interconnected25 in 2009 with
the Virtual Power System Testbed
(VPST) developed by the University
of Illinois.3 VPST provides simulation capabilities for electricity grids
through real-time simulators (such
as PowerWorld, a proprietary powersystem simulator), extending DETER
capabilities to experimentation with
cyber-physical systems.
The key difference between EPIC
and DEFT is EPIC provides a scalable
cost-effective solution for experimenting with multi-domain heterogeneous
physical processes (through its software simulators), while DEFT is more
focused on a specific infrastructure
(such as the power grid). EPIC can also
be viewed as complementary to the
DEFT initiative since the software simulators developed for EPIC are easily
reused through DETER.
The PowerCyber testbed developed
at Iowa State University11 in 2013 integrates SCADA-specific hardware and
software with real-time digital simulators to simulate electrical grids.
It uses virtualization techniques to
address scalability and cost and the
Internet-Scale Event and Attack Generation Environment project also developed at Iowa State University for
wide-area network emulation. The
testbed further provides non-real-time
simulation capabilities, primarily for
simulating larger systems and for performing state estimation and contingency analysis.
An approach using real components
for the physical dimension and partly
simulated components for the cyber
dimension comes from the Tsinghua
University of Beijing,8 using real SCADA
control servers and the NS-2 network
simulator combined with real control
hardware and field devices. This testbed was designed to determine the
effect of cyberattacks on the SCADA
system, including packet forging, compromised access-control mechanisms,
and compromised SCADA servers. Although it provides reliable experimental data, since almost everything in it
is real, it is unable to support tests on
large infrastructures (such as a national electric grid).
Sandia National Laboratory developed the Virtual Control System Envi68
COMMUNICATIO NS O F TH E AC M
| J U NE 201 4 | VO L . 5 7 | NO. 6
contributed articles
cal layer, since it provides an efficient,
safe, low-cost approach with fast, accurate analysis capabilities. Although it
weakens the fidelity requirement, software simulation enables disruptive experiments on multiple heterogeneous
physical processes. Moreover, we find
complex models of several physical systems in the literature, and the behavior
of real physical systems can be reproduced accurately by integrating them
into software simulators; one example
is the energy sector, where simulation
is so accurate and trusted it is commonly used to aid decision making by
operators of transmission systems.
Recreating cyber systems. Emulab24 is an advanced software suite for
emulation testbeds, with many private
installations worldwide and support
from multiple universities. In 2009, we
developed our first installation using
the Emulab architecture and software,
now under continuous development
and expansion through the Emulab
architecture and software (see Figure
1a). Adopting Emulab in EPIC, we automatically and dynamically map physical components (such as servers and
switches) to a virtual topology; that is,
Emulab software configures physical
topology to emulate the virtual topology as transparently as possible. The
basic Emulab architecture consists of
two control servers: a pool of physical
resources used as experimental nodes
(such as generic PCs and routers) and
a set of switches interconnecting the
nodes. Emulab software provides a
Web interface to describe the steps
that define the experiment life cycle
within the EPIC testbed:
Virtual network topology. EPIC researchers must first create a detailed
description of the virtual network topology, the experiment script; using a formal language for experiment
setup eases recreation of a similar arrangement by other researchers who
might want to reproduce our results;
Emulab software. Experiments are
instantiated through Emulab software,
which automatically reserves and allocates the physical resources needed
from the pool of available components;
Experimental nodes. The software
configures network switches to recreate virtual topology by connecting experimental nodes through multiple
virtual local-area networks, then con-
Figure 1. EPIC testbed architecture: (a) overview and experimentation steps; and
(b) software modules, including SSims and proxy units.
User provides
experiment
description
ns
Software
simulator
Proxy
Virtual topology
Proxy
Software
simulator
Servers running Emulab
software (boss and ops)
Pool of available resources
Switches
Routers
(a)
Simulink
Models
OS-level shared
memory regions
Real-world applications
(generic software, malware)
Internal
Memory
Write
Model Input
Read/Write Model
Outputs/Inputs
Read Model
Output
Proxy
.NET RPC Interface
Industrial protocol
(Modbus, DNP3)
(b)
JU N E 2 0 1 4 | VO L. 57 | N O. 6 | C OM M U N IC AT ION S OF T HE ACM
69
contributed articles
Figure 2. Execution time on a 2.8GHz CPU and limitations of various models; EPIC enables
experimentation with power plants, chemical plants, railway systems, and power grid
models from a suite of standard IEEE models.
The red line on the IEEE 118 bus model highlights real-time simulation requirements are not met since
model execution time exceeds the maximum simulation step, or the model-specific time interval or
granularity in which the model must run at least once, as allowed by model dynamics.
Model limitation
1000
1s
1s
100
155
24ms
24ms
24ms
10
7.12
2.98
1ms
24ms
0.62
0.27
0.25
0.1
0.023
0.01
Power
plant
Chemical
plant
Railway
System
IEEE 9
Bus Grid
IEEE 30
Bus Grid
IEEE 39
Bus Grid
IEEE 118
Bus Grid
Model
COMMUNICATIO NS O F TH E ACM
| J U NE 201 4 | VO L . 5 7 | NO. 6
contributed articles
This is a well-known limitation of
real-time software simulation but can
be addressed in several ways; for instance, researchers can leverage parallel processing techniques (such as GPU
computing) or dedicated hardware
simulators that are more powerful and
specifically designed for simulations.
However, these approaches are still
quite expensive and, in a multi-model
environment, could render the cost of
the cyber-physical testbed prohibitive.
Implementation details. Installation of EPIC at the European Commissions Joint Research Centre in Ispra,
Italy, consists of 120 PCs and approximately 100 virtual machines massively
interconnected through two stacks of
network switches. In addition, carrier-grade routers (such as Cisco 6503)
and industrial-control hardware and
software (such as ABB AC 800M control hardware, including Modbus interfaces with control server and humanmachine interface software from ABB)
are available as experimental resources.
We have also developed software
units (such as SSim and Proxy) in C#
and ported and tested them on Unixbased systems with the help of the
Mono platform, enabling cross-platform deployment of C# applications.
Scalability and Applicability
EPICs ability to recreate both the cyber and the physical dimensions of
NCIs provides a spectrum of experimentation options addressing critical infrastructures. Here, we offer an
overview of typical experiments conducted with EPIC, along with a full experimental scenario:
Typical experiments. EPIC is used
concurrently by many researchers for
developing, testing, and validating
a range of concepts, prototypes, and
tools (see Table 2); see also scientific
reports and papers on the EPIC website
http:// ipsc.jrc.ec.europa.eu/?id=693.
The first experiment covered in this
article weighed the effect of network
parameters on cyberattacks targeting
NCIs. We looked into network delay,
packet loss, background traffic, and
network segmentation on a spoofing cyberattack consisting of an adversary able to send legitimate commands to process controllers. We
showed that while communications
parameters have an insignificant ef-
As a general rule,
if the models
execution time
exceeds its
simulation step,
real-time simulation
is not possible.
JU N E 2 0 1 4 | VO L. 57 | N O. 6 | C OM M U N IC AT ION S OF T HE ACM
71
contributed articles
preparedness activities (such as an environment for cybersecurity exercises).
Illustrative experiment. Here, we
illustrate EPIC applicability by exploring the consequences ICT disruptions
can have on a critical infrastructure
(such as a national power grid). We
consider the hypothetical scenario of
a cyberattackspecifically a DDoS attackcausing significant telecommunication service degradation propagating across critical infrastructures.
Experiment setup. We thus recreated a typical architecture in which
the power grid is controlled remotely
(see Figure 3a). Site A located on the
operators premises runs a simplified
model of an energy-management system (EMS)21 to ensure voltage stability. The EMS continuously monitors
and adjusts the operational parameters of the power grid model running
Energy Management
Energy
Management
System
Simulator
System Simulator
Regular Industrial
Regular
Industrial
Customer
Traffic
Customer Traffic
Telecom operator
Telecom
MPLS operator
cloud
MPLS cloud
Gigabit
Gigabit
Gigabit
Gigabit
Industrial customer
Industrial
Sitecustomer
B
Site B
Gigabit
Daily Load Simulator
Gigabit
Daily Load Simulator
Attack Target
Attack Target
Industrial customer
Industrial
Sitecustomer
A
Site A
VPN 1
VPN 1
VPN 2
VPN 2
Gigabit
Gigabit
Public Internet Traffic
Public Internet Traffic
Bus
voltage
(p.u.)
Bus
voltage
(p.u.)
Public Internet
Public
Internet
Region
1
Region 1
72
1.4
1.4
1.2
1.2
1
1
0.8
0.8
0.6
0.6
0.4
0.4
0.2
0.2
0
0
Gigabit
Gigabit
Public Internet
Public
Internet
Region
2
Region 2
(a)
(a)
0
0
3
3
6
6
10
10
COMMUNICATIO NS O F TH E AC M
13
13
Voltage collapse
Voltage collapse
16
20
23
16
20
23
Time (minutes)
Time (minutes)
(b)
(b)
| J U NE 201 4 | VO L . 5 7 | NO. 6
26
26
30
30
33
33
36
36
contributed articles
the cyber-physical testbed through
real physical devices, assuming it is
feasible, economically cost effective,
and safe.
A look at reality. Most telecom
operators limit the interference between separate VPNs; for example,
with deployment of quality of service
(QoS) in the MPLS network an attack
on the public Internet barely affects
the private traffic of other telecom
customers. We validated this claim
by running our EMS-related experiment after activating QoS with packet
prioritization (a feature also used to
implement packet prioritization in
industrial communications) in the
MPLS cloud. The only measurable
effect was a slight increase of packet
round-trip times (by 1ms2ms), a
tolerable delay if we apply the IEEE
1646-2004 standard for communication delays in substation automation,
meaning high-speed messages must
be delivered in the 2ms10ms range.
However, such measures, delivered through policies and regulation,
are not compulsory. Our EMS-related
experiment demonstrated the severe
risk if the measures are not implemented, highlighting the potential
effect of ICT disruption on a range
of physical systems. Moreover, by designing and conducting experiments
based on real incidents we were
able to explore a number of what-if
scenarios. For example, we investigated a 2004 incident that affected
Romes remotely controlled power
grid managed through a public telecommunications network.4 Communications between remote sites was
disrupted due to a broken water pipe
flooding the server room of a telecom operator, short-circuiting critical hardware. Power-grid operators
were unable to monitor or control
the remote site. Fortunately, none
of the disturbances was harmful, so
the grid was stable. Nevertheless, as
shown in our experiments on EPIC, a
change in the balance between generated and consumed energy would
have serious consequences on the
electrical grid. In Rome, with a population of 2.5 million in 2004, it could
have caused blackouts throughout
the city and affected other critical infrastructure (such as transportation
and health care).
Conclusion
Combining an Emulab-based testbed with real-time software simulators, EPIC takes a novel approach to
cybersecurity studies involving multiple heterogeneous NCIs. EPIC can be
viewed as an instance of a new class of
scientific instrumentcyber-physical
testbedssuitable for assessing cyberthreats against physical infrastructures. It supports interesting studies
in many interdependent critical infrastructure sectors with heterogeneous
systems (such as transportation, chemical manufacturing, and power grids);
to explore several, see http://ipsc.jrc.
ec.europa.eu/?id=691.
References
1. Bell, R. and strm, K. Dynamic Models for BoilerTurbine Alternator Units: Data Logs and Parameter
Estimation for a 160MW Unit. Technical Report
TFRT3192. Lund Institute of Technology, Lund,
Sweden, 1987.
2. Benzel, T., Braden, R., Kim, D., Neuman, C., Joseph, A.,
Sklower, K., Ostrenga, R., and Schwab, S. Experience
with DETER: A testbed for security research.
In Proceedings of the International Conference
on Testbeds and Research Infrastructures for
the Development of Networks and Communities
(Barcelona, Mar. 13). IEEE, New York, 2006,
379388.
3. Bergman, D.C., Jin, D., Nicol, D.M., and Yardley, T.
The virtual power system testbed and inter-testbed
integration. In Proceedings of the Second Conference on
Cyber Security Experimentation and Test (Montreal, Aug.
1014). USENIX Association, Berkeley, CA, 2009, 55.
4. Bobbio, A., Bonanni, G., Ciancamerla, E., Clemente,
R., Iacomini, A., Minichino, M., Scarlatti, A., Terruggia,
R., and Zendri, E. Unavailability of critical SCADA
communication links interconnecting a power grid and
a telco network. Reliability Engineering and System
Safety 95, 12 (Dec. 2010), 13451357.
5. Charette, R. IT Hiccups of the week: Southwest
Airlines computer failure grounded all flights. IEEE
Spectrum Risk Factor Blog (June 2013); http://
spectrum.ieee.org/riskfactor/computing/it/it-hiccupsof-the-week-southwest-airlines-computer-failuregrounded-all-flights
6. Chen, T. and Abu-Nimeh, S. Lessons from Stuxnet.
Computer 44, 4 (Apr. 2011), 9193.
7. Chertov, R., Fahmy, S., and Shro, N.B. Fidelity of
network simulation and emulation: A case study
of TCP-targeted denial-of-service attacks. ACM
Transactions on Modeling and Computer Simulation
19, 1 (Jan. 2009), 4:14:29.
8. Chunlei, W., Lan, F., and Yiqi, D. A simulation
environment for SCADA security analysis and
assessment. In Proceedings of the 2010 International
Conference on Measuring Technology and
Mechatronics Automation (Changsha City, China, Mar.
1314). IEEE, New York, 2010, 342347.
9. Downs, J. and Vogel, E. A plantwide industrial process
control problem. Computers & Chemical Engineering
17, 3 (Mar. 1993), 245255.
10. Duggan, D. Penetration Testing of Industrial Control
Systems. Technical Report SAND2005-2846P. Sandia
National Laboratories, Albuquerque, NM, 2005.
11. Hahn, A., Ashok, A., Sridhar, S., and Govindarasu, M.
Cyber-physical security testbeds: Architecture,
application, and evaluation for smart grid. IEEE
Transactions on the Smart Grid 4, 2 (June 2013), 847855.
12. IBM and Cisco. Cisco and IBM provide highvoltage grid operator with increased reliability and
manageability of its telecommunication infrastructure.
IBM Case Studies, 2007; https://www.cisco.com/
web/partners/pr67/downloads/756/partnership/ibm/
success/terna_success_story.pdf
13. Manera, M. and Marzullo, A. Modelling the load curve
of aggregate electricity consumption using principal
components. Environmental Modeling Software 20, 11
(Nov. 2005), 13891400.
JU N E 2 0 1 4 | VO L. 57 | N O. 6 | C OM M U N IC AT ION S OF T HE ACM
73