<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Dynamics of SCADA System Malware: Impacts on Smart Grid Electricity Networks and Countermeasures</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Adeyinka A. Falaye</string-name>
          <email>falaye.adeyinka@futminna.edu.ng</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Oluwafemi Osho</string-name>
          <email>femi.osho@futminna.edu.ng</email>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Maxwell I. Emehian</string-name>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Seun Ale</string-name>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Department of Computer Science, Federal University of Technology</institution>
          ,
          <addr-line>Minna</addr-line>
          ,
          <country country="NG">Nigeria</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Department of Cyber Security Science, Federal University of Technology</institution>
          ,
          <addr-line>Minna</addr-line>
          ,
          <country country="NG">Nigeria</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Federal University of Technology</institution>
          ,
          <addr-line>Minna</addr-line>
          ,
          <country country="NG">Nigeria</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2016</year>
      </pub-date>
      <fpage>139</fpage>
      <lpage>145</lpage>
      <abstract>
        <p>Supervisory Control and Data Acquisition (SCADA) system malware has contributed to the degradation of most critical installations across the globe, especially the power grids. This study seeks to investigate the dynamics of spread of malware targeted at SCADA systems on smart-grid electricity networks. We develop a mathematical model for the propagation of SCADA malware. The infectious-free and endemic equilibria are obtained, with the former tested and found to be locally asymptotically stable. We investigate, using numerical simulations, the effects of antivirus, and the combination of vulnerability scanning and security patches. Our results emphasize the importance of the proposed countermeasures in reducing or eliminating the risks posed by SCADA system malware.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <p>Keywords – SCADA; Smart Grid; Reproduction Number;
Local Stability; Programmable logic controller</p>
      <p>I. INTRODUCTION</p>
      <p>
        According to the 2016 Digital Cyber Crime Unit of
Microsoft Corporation, malware attacks cost the global economy
an estimated 3 trillion US Dollars annually [
        <xref ref-type="bibr" rid="ref5">1</xref>
        ]. This is higher
than the entire GDP estimate of Africa in 2015 [2], [3], and
approximately the external reserve of the People’s Republic
of China, which stood at about 3.17 trillion US Dollars as at
September 2016 [4].
      </p>
      <p>In this modern era, there is increasing dependence on the
effectiveness and efficiency of a well-structured electric power
system, a major infrastructure in the economic development of a
country or society and also a backbone to the proper functioning
of other critical infrastructures, which need electric power to
function at full capacity. These include infrastructures such
as telecommunications, internet, water, air traffic control and
transportation [5]. Though these infrastructures can operate
without main power supply for a short period of time, longer and
larger power outages may put them in jeopardy and, as a result,
have a crippling effect on the economy. These power outages can
result from technical and/or operational faults. However, over
the years, they have also been caused by targeted malware attacks
on the Supervisory Control and Data Acquisition (SCADA)
systems, which control the flow of data and information on
most modern power grids.</p>
      <p>Control systems such as SCADA systems are structured
to achieve and maintain set goals by reducing the probability of
unwanted behavior, to meet the demand of the critical
infrastructure the system is controlling, and to obtain
maximum production profit. SCADA systems are mostly
found in critical national infrastructures such as the electric
power grid, transportation systems and oil and gas
distribution. Because of their critical nature, these SCADA
systems remain at high risk of attack from a rapidly growing
set of attackers, who are highly skilled and motivated. SCADA
systems consist of several components including programmable
logic controllers (PLCs)/remote terminal units, which
communicate with the SCADA servers and perform most of the
supervisory and overriding controls, such as controlling
continuous flow of signals, and providing enabling conditions
for fault detection.</p>
      <p>To effectively run a functional power grid, there is a
strong dependency on SCADA systems. Keeping the systems secure
and immune to malware attacks from external forces, as well as
internally generated errors, is essential in avoiding outages.
This is a massive challenge because of the complexity of the
SCADA systems and their real-time operation, as well as their
connectivity to the internet, all of which enable the systems
to perform their various duties.</p>
      <p>Malware attacks have over time evolved from the more
common internet worm and virus attacks to more precise
attacks on target systems. While internet worms and viruses
have caused significant damage, the present set of malware is
designed specifically to steal information considered
confidential, take control of systems for malicious purposes,
create pathways (backdoors) through which other attacks can be
launched, or cause complete breakdown of targeted
infrastructures. A typical example of such malware is
Stuxnet [6].</p>
      <p>Malware attacks on SCADA systems vary from less
invasive forms (e.g. to steal confidential information or to
analyze the traffic of power supply by the system) to more
invasive forms (e.g. to take control of the system or to cause
a disruption in the normal functions of the systems) [7].
Figure 1 depicts a SCADA system malware attack.</p>
      <p>In this paper, we investigate the effectiveness of existing
control strategies for SCADA system malware, specifically,
the use of antivirus signatures, and also propose a new
control strategy, which combines vulnerability scanning and
implementation of security patches.</p>
      <p>The ensuing contents of this paper are organized thus:
Section II describes related works. Section III introduces the
proposed model, as well as its variables and parameters. In
Section IV, the equilibrium points, effective reproduction
number and the local stability of the infectious-free
equilibrium point are presented. Section V presents the
numerical simulations and analysis of obtained results. The
study is finally concluded in Section VI.</p>
      <p>II. RELATED WORKS</p>
      <p>The need to fully grasp the dynamics of the spread of
various malware has over the years necessitated the
formulation of various models. The use of epidemiology in
many of the models has been inspired by the close
similarities which the spread of malware shares with that of
biological viruses [8]. Mathematically, epidemiology has
developed quite rapidly since the mid 20th century [9].</p>
      <p>One main procedure used in epidemiology is application
of a compartmental model, where the population is divided
into various sectors according to their epidemic status.
Another important procedure entails the use of a system of
differential equations.</p>
      <p>
        Many existing models of malware propagation find their
root in some classic epidemiology models including
[
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]–[
        <xref ref-type="bibr" rid="ref13">13</xref>
        ], and often consider malware attacks on computer
systems. For instance, [9] developed an SIR model to
determine the dynamics of malware attacks on computer
networks. Misra, Verma and Sharma [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] also focused on
computer network. Their model considered two states:
infected and susceptible. The effect of anti-malware was
equally investigated. Liu, Liu, Liu, Cui, and Huang [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]
proposed a new compartmental model. They however
investigated the effect of heterogeneous immunization on the
spread of the malware. Piqueira, Vasconcelos, Gabriel and
Araujo [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ], on their part, considered more states.
Specifically, using simple systems identification techniques,
they developed a model named SAIC (Susceptible,
Antidotal, Infectious, Contaminated), based on the SIR
model [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]–[
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. In [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ], the SIS model was modified to
include what was termed a re-introduction parameter, which
represents the re-introduction of an existing computer virus
or the introduction of a new virus.
      </p>
      <p>
        Few studies have considered spread of malware on other
systems. One of these is the work of [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]. They combined
generic epidemiological models with graph theory to model
and monitor the evolution of malware that target telephony
networks, specifically, the Private Branch eXchanges (PBX).
      </p>
      <p>In modeling attacks on SCADA systems, studies have
considered different SCADA systems, and focused on
various attacks. While many have modeled other attacks, few
studies have attempted to model malware attacks on SCADA
networks.</p>
      <p>
        On smart-grid/electric power systems, [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ] presented a
framework that models a category of cyber-physical
switching vulnerabilities. Chopade, Bikdash, and Kateeb
[
        <xref ref-type="bibr" rid="ref20">20</xref>
        ] proposed a flexible and extensible framework for
survivability of smart-grid and SCADA systems. They
considered survival under severe emergencies, vulnerabilities
and WMD attacks. The work of [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ] focused on the
development of a novel hierarchical method applied to Petri
nets to model coordinated attacks on smart grid, while that of
[
        <xref ref-type="bibr" rid="ref22">22</xref>
        ] entailed the simulation and evaluation of the impacts of
data integrity attacks on automatic generation control.
      </p>
      <p>
        Regarding other SCADA systems, [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ], focusing on
stealthy deception attacks, proposed some enhanced
hydrodynamic models which were used for detection of
physical faults and cyber attacks to automated canal systems;
while an aspect-oriented model for evaluating the security of
automotive cyber-physical systems was proposed by [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ].
They focused on four attacks: man-in-the-middle, fuzz,
interruption and replay attacks.
      </p>
      <p>
        On the other hand, in modeling attacks that affect any
type of SCADA system, [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ] and [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ] proposed models for
intrusion detection. While in the former, the models were
Modbus/TCP-based, in the latter study, behavioral modeling
was applied. Another study, by [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ], entails a SCADA
security framework which includes real-time monitoring,
anomaly detection, impact analysis, and mitigation
strategies, and the proposal and evaluation of a new
algorithm which considers both password policies and port
auditing for evaluating cybersecurity.
      </p>
      <p>
        One of the few studies, however, that considered
malware propagation on SCADA networks is [
        <xref ref-type="bibr" rid="ref28">28</xref>
        ]. The
authors modeled Stuxnet attack using Boolean Logic Driven
Markov Processes (BDMP).
      </p>
      <p>III. FORMULATION OF MODEL</p>
      <p>
        A model formulation involves a process whereby the
basic assumptions of the model are clearly stated while
relating these assumptions from the real world to the
mathematical model [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. The assumptions of the proposed
model include:
• The entire population is divided into four (4) states, i.e. the Vulnerable Class, the Infectious Class, the Immune Class and the Recovered Class, all based on their epidemiological status.
• Every new PLC added to the network is considered to be vulnerable, while a few of them are considered to be infected.
• The rate at which new PLCs are added to the network and existing ones which die due to non-infectious reason is assumed to be constant.
• The active population includes all the PLCs.
• There is a vertical transmission into the infectious class as a result of connectivity to the internet.
• It is assumed that there is an external factor, i.e. a Universal Serial Bus (USB) device that can be introduced into the smart grid network, as mountable devices, to transfer and copy files.
• All model parameters are constant.
• All interactions within the network occur homogeneously.
      </p>
      <p>Another basic procedure of modelling is the description
of the various notations, as well as the parameters used in the
formulation of the model.</p>
      <p>The various notations are described below:</p>
      <p>V(t), which represents the number of vulnerable SCADA PLCs/software-based remote terminal units (RTUs) within each substation over an electric smart grid network at time, t, after connection has been established.</p>
      <p>I(t), which represents the number of infectious SCADA PLCs/RTUs within each substation over an electric smart-grid network at time, t, after connection has been established.</p>
      <p>IMUN(t), which represents the number of immune SCADA PLCs/RTUs within each substation over an electric smart grid network at time, t, after connection has been established.</p>
      <p>R(t), which represents the number of recovered SCADA PLCs/RTUs within each substation over an electric smart grid network at time, t, after connection has been established.</p>
      <p>USB(t), which represents the number of Universal Serial Bus (USB) devices used by employees on any of the substations within an electric smart grid network at time, t, after connection has been established.</p>
      <p>The following are the parameters used in the model:</p>
      <p>N(t), which represents the total number of SCADA PLCs/RTUs within each substation over an electric smart grid network at time, t, after connection has been established.</p>
      <p> is the constant rate at which new PLCs are, on the average, added to the electric smart grid network.</p>
      <p> is the probability of recruiting PLCs from  number of PLCs.</p>
      <p>β is the constant rate of interaction of the vulnerable class with the infectious class.</p>
      <p> is the natural death rate or death due to non-infectious reason.</p>
      <p> 1 is the proportion of time of scanning due to implementation of vulnerability scanning of the network.</p>
      <p> 2 is the rate of the effectiveness of detection of vulnerabilities due to vulnerability scanning of the network.</p>
      <p> 3 is the rate of removal of vulnerabilities due to implementation of security patches on the network.</p>
      <p> is the rate of vertical transmission of infected PLCs into the network.</p>
      <p> is the rate of recovery due to application of antivirus.</p>
    </sec>
    <sec id="sec-2">
      <p>=   −      −    −  1 2 3 ( )
=     −      −    −    −   
     ( )
 
  ( )</p>
      <p>( )</p>
      <p>( )
 
=  1 2 3 ( ) −      
=    −   
(1)
=      −     
=  −   −  −    ( )</p>
    </sec>
    <sec id="sec-3">
      <title>An external factor</title>
      <p>was also considered but does not
constitute part of the population of the entire system, i.e.</p>
      <p>Thus, the total population of SCADA system PLCs is
given as</p>
      <p>  is the death rate due to SCADA malware attack on
the electric smart grid network.</p>
      <p>  is the rate of natural recruitment of Universal
Serial Bus (USB) devices into the network.</p>
      <p>A VIMR (Vulnerable Class, Infectious Class, Immune
Class and Recovered Class) model, depicted in Figure 2, is
proposed to explain the dynamics of spread of malicious
codes. The total size of the population is N, where N = V + I
+ M + R, and varies with time.</p>
    </sec>
    <sec id="sec-4">
      <title>Letting</title>
      <p>     =   ;     =   ;     1 2 3 = </p>
      <p>The system in (1) above as well as the external factor
becomes</p>
      <p>=   −      −    −   ( )
 
 
  ( )</p>
      <p>( )</p>
      <p>=    +   −  −  −   ( )</p>
      <p>=   ( ) −   
=    −   
(2)
  ( )</p>
      <p>=  −   </p>
      <p>IV. INFECTIOUS-FREE AND ENDEMIC EQUILIBRIUM POINTS AND EFFECTIVE REPRODUCTION NUMBER</p>
      <p>Points whereby the SCADA systems and electric smart
grid configuration do not change with time or when no force
is acting on the system, are known as the equilibrium points.</p>
    </sec>
    <sec id="sec-5">
      <title>We obtained the equilibrium points and also tested for stability of the equilibrium points.</title>
      <p>A. Equilibrium Points</p>
    </sec>
    <sec id="sec-6">
      <title>For equilibrium points, we have that</title>
      <p>We obtain Infectious-Free Equilibrium
  ( )   ( )   ( )   ( )
 
=
 
=
=
 
= 0
 0 =</p>
      <p>, 
 +  +  −    +    −  −  −  −   
  +  +  −  
 +    −  −  −  −   
  −  −  −  
   −  −  −  

=
</p>
      <p>B. Effective Reproduction Number and Local Stability</p>
      <p>A major quantity in modeling the dynamics of malware
is the effective reproduction number, denoted by  0; it
also helps in predicting the part of the population which will
not be infected.</p>
      <p>System (2) has an infectious-free equilibrium whereby
the infective part of the population is zero while the
vulnerable and immune remain positive, denoted by
 0 =  ,  = 0,  ,  = 0 </p>
      <p>Thus, analyzing the local stability of the infectious-free
equilibrium gives the endemic point whereby there will be a
rise or reduction to zero when a small number of infectious
PLCs are brought into a highly vulnerable population.</p>
      <p>Eliminating R, system (2) reduces to
=   −     
−   
−   ( )
=   
+   −  −  − 
 
(3)</p>
      <p>We obtain the effective reproduction number  0 by
investigating the local stability of the infectious-free
equilibrium.</p>
    </sec>
    <sec id="sec-7">
      <title>Theorem 1:</title>
      <p>The infectious-free equilibrium is locally
asymptotically stable whenever  0 &lt; 1</p>
      <p>We obtain the Jacobian of system (3) at infectious-free
equilibrium
 =
−( +  )
0</p>
      <p>−  ( )
  
+ [  −  −  −  ]
</p>
      <p>Reducing the matrix to an upper triangular matrix, we
have a characteristic equation as
− −   −    −    +   +   +   +   +  2 +  
−  
− −   −    −    +   +   +   +   +  2 +</p>
      <p>Since  0 &lt; 1, thus we have a local stability, which
implies that the malware can be curtailed through appropriate
corresponding countermeasure parameters.</p>
      <p>Similarly, population-dependent parameter values usually
have to be inputted based on computer malware
epidemiology and population data. We set out in Table II
parameters and corresponding values.</p>
      <p>application of anti-virus signatures with time i.e. ( =
0.1, 0.5, 0.9), we discovered that if the anti-virus is used at
the rate of 10% (i.e. on 1 out of 10 systems), the infectious
class of PLCs continues to increase instantaneously from the
initial population of 5,000 to above 15,000 in the first two
days of interaction with the vulnerable class. The instant
increase then tends to stabilize a bit, mostly due to the little
effect of the disinfected PLCs. It then rises instantaneously,
and after the next 5 days, rises to above 25,000. At 50% (i.e.
on 2 out of 10 systems) it increases to about 10,000 in the
next one and a half days due to interaction with the vulnerable
class of PLCs, before it starts decreasing gradually in the
next two to five days to a little below 5,000, mostly due to the
positive effect of the anti-virus signatures; though this
happens with a possibility of re-infection. But at 90% (i.e. on
9 out of every 10), the infectious population of PLCs
increases minimally to about 7,000 in the first day due to the
interaction with the vulnerable class before it gradually
decreases, mainly due to the very high effect of the antivirus
signatures, and the infectious population of PLCs will
continually decline till it goes into extinction after 5 days.</p>
      <p>Figure 4 shows the variation in the rate of natural
recruitment of the USB devices into the network. At 10%
usage of USB devices for transfer and copying of files, there
is an instant increase in the population of infectious PLCs
from the initial 5,000 to above 10,000 after just one and a half
days due to interaction between the vulnerable class and the
USB devices plugged into the system, some of which, of course,
are infected. But the population of the infectious PLCs then
stabilizes, mostly due to the implementation of anti-virus
signatures, which at this point gradually detect infected USB
devices. After the second day, the population of the
infectious PLCs begins a rapid decline due to the disinfection
of the infected USB devices by the anti-virus signatures, until
it goes into extinction totally after five days.</p>
      <p>0
=
=
− − </p>
      <p>[Table residue; layout lost in extraction. Entries: V, I, M, R, B, a. Values: Varies, 2, 0.1, 0.1, Varies, Varies, 0.2, 0.1. Source: Assumed for every row.]</p>
      <p>Figure 5 shows the variation in the rate of vulnerability
scanning, detection of vulnerability and implementation of
security patches. At 10% vulnerability scanning, detection of
vulnerability and implementation of security patches, the
infectious population of PLCs increases from the initial
5,000 to above 14,000 in one and a half days due to the
interaction with the vulnerable class, then it stabilizes a bit
and decreases gradually to about 7,000 due to the
implementation of the security patches. At 50% vulnerability
scanning, detection of vulnerability and implementation of
security patches, the population of the infectious PLCs
increases to about 11,000 in one and a half days due to the
interaction with the vulnerable class but stabilizes and then
decreases gradually to about 5,000 (the initial population)
mainly due to the detection and implementation of the
security patches. But at 90% vulnerability scanning,
detection of vulnerability and implementation of security
patches, the population of the infectious PLCs increases from
the initial 5,000 to almost 10,000 in the first day mainly due
to the interaction with the vulnerable class, then stabilizes a
bit and gradually declines until it goes into extinction in the
next 5 days, mainly due to the effect of the vulnerability
scanning, detection of vulnerability and implementation of
security patches.</p>
      <p>From Figures 3, 4 &amp; 5, it was discovered that there is
always an instantaneous increase in the infectious class of
the PLCs due to their interaction with the vulnerable class of
the PLCs; and the consequences of this initial increase
include power outages, damage to equipment, as well as
financial losses. These are mainly due to the fact that these
infectious PLCs can be used by interest groups or syndicates
to carry out their agenda before such infections are detected
and mitigated.</p>
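      <p>The stability threshold of Section IV and the countermeasure comparison of Section V can be explored numerically. The Python code below is an added example, not the authors' code: because the printed equations and symbols did not survive on this page, it assumes a VIMR system of the form given in its docstring, derives the threshold from that assumed system, omits the USB compartment, and uses constructed parameter names and values.</p>
      <preformat><![CDATA[
```python
"""Added example: an assumed VIMR compartment model for PLC malware.

Assumed system (names are this example's; the paper's symbols are lost):
  dV/dt = recruit - beta*V*I - (mu + eps)*V
  dI/dt = beta*V*I + (vertical - mu - malware_death - antivirus)*I
  dM/dt = eps*V - mu*M
  dR/dt = antivirus*I - mu*R
with eps = scan * detect * patch (the three control parameters combined).
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Params:
    # All values are constructed for illustration (rates per day).
    recruit: float = 2000.0       # new PLCs joining the network
    beta: float = 4e-5            # vulnerable/infectious contact rate
    mu: float = 0.1               # removal for non-infectious reasons
    malware_death: float = 0.1    # PLCs lost to the malware itself
    vertical: float = 0.05        # infected PLCs arriving via the internet
    antivirus: float = 0.1        # recovery rate from antivirus signatures
    scan: float = 0.1             # proportion of time spent scanning
    detect: float = 0.1           # effectiveness of vulnerability detection
    patch: float = 0.1            # rate of patching detected vulnerabilities

    @property
    def eps(self) -> float:
        return self.scan * self.detect * self.patch

def derivatives(state, p):
    v, i, m, r = state
    new_infections = p.beta * v * i
    return (
        p.recruit - new_infections - (p.mu + p.eps) * v,
        new_infections + (p.vertical - p.mu - p.malware_death - p.antivirus) * i,
        p.eps * v - p.mu * m,
        p.antivirus * i - p.mu * r,
    )

def infection_free_equilibrium(p):
    """State with I = 0 at which every derivative vanishes."""
    v0 = p.recruit / (p.mu + p.eps)
    return (v0, 0.0, p.eps * v0 / p.mu, 0.0)

def effective_reproduction_number(p):
    """The I-row eigenvalue of the Jacobian at the infection-free point is
    beta*V0 + vertical - (mu + malware_death + antivirus); it is negative
    exactly when this ratio is below 1."""
    v0 = infection_free_equilibrium(p)[0]
    return (p.beta * v0 + p.vertical) / (p.mu + p.malware_death + p.antivirus)

def rk4_step(state, p, dt):
    def shifted(base, slope, h):
        return tuple(b + h * s for b, s in zip(base, slope))
    k1 = derivatives(state, p)
    k2 = derivatives(shifted(state, k1, dt / 2), p)
    k3 = derivatives(shifted(state, k2, dt / 2), p)
    k4 = derivatives(shifted(state, k3, dt), p)
    return tuple(
        s + dt / 6 * (a + 2 * b + 2 * c + d)
        for s, a, b, c, d in zip(state, k1, k2, k3, k4)
    )

def simulate(p, initial=(20000.0, 5000.0, 0.0, 0.0), days=120, dt=0.01):
    """Integrate the system; return peak infectious count and final state."""
    state, peak = initial, initial[1]
    for _ in range(round(days / dt)):
        state = rk4_step(state, p, dt)
        peak = max(peak, state[1])
    return {"peak_infectious": peak, "final": state}

def countermeasure_sweep(levels=(0.1, 0.5, 0.9)):
    """Vary antivirus alone, then scan/detect/patch together."""
    base, rows = Params(), []
    for level in levels:
        scenarios = {
            "antivirus": replace(base, antivirus=level),
            "scan+detect+patch": replace(base, scan=level, detect=level, patch=level),
        }
        for name, p in scenarios.items():
            run = simulate(p)
            rows.append({
                "control": name,
                "level": level,
                "r_eff": effective_reproduction_number(p),
                "peak_infectious": run["peak_infectious"],
                "final_infectious": run["final"][1],
            })
    return rows

if __name__ == "__main__":
    for row in countermeasure_sweep():
        print("{control:>18} {level:.1f}  R_eff={r_eff:5.2f}  "
              "peak I={peak_infectious:8.0f}  I(120 d)={final_infectious:8.2f}".format(**row))
```
]]></preformat>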
      <p>VI. CONCLUSION</p>
      <p>We developed a model for the dynamics of SCADA
system malware on smart-grid electricity networks for a
population consisting of the Vulnerable, Infected, Immune
and Recovered classes of PLCs or Remote Terminal Units.
We also incorporated an external factor, the Universal Serial
Bus (USB), and considered three control parameters:
vulnerability scanning, detection from vulnerability scanning
and the implementation of security patches.</p>
      <p>Our findings highlight the necessity of control strategies,
viz. antivirus, vulnerability scanning, and application of
security patches, in mitigating malware spread on SCADA
systems.</p>
      <p>Future studies could consider other parameters including
human behavior. Many studies have confirmed that many
security breaches are the result of non-technical factors. In
this study, the propagation was considered as a function of
time. Propagation as a function of geographical spread and
cost should be explored.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          <string-name>
            <surname>Microsoft</surname>
          </string-name>
          , “Digital Crimes Unit Fact Sheet.” Knoema, “IMF World Economic Outlook (WEO),
          <year>October 2015</year>
          .” [Online]. Available: https://knoema.com/IMFWEO2015Oct/imfworld-economic
          <article-title>-outlook-weo-october-</article-title>
          <year>2015</year>
          . [Accessed:
          <fpage>22</fpage>
          -
          <lpage>Oct2016</lpage>
          ].
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          <string-name>
            <surname>Knoema</surname>
          </string-name>
          , “
          <source>World GDP Ranking</source>
          <year>2016</year>
          |
          <article-title>Data</article-title>
          and Charts | Forecast.” [Online]. Available: https://knoema.com/nwnfkne/world-gdpranking
          <article-title>-2016-data-and-charts-forecast</article-title>
          . [Accessed:
          <fpage>22</fpage>
          -Oct-2016].
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          <string-name>
            <given-names>Trading</given-names>
            <surname>Economics</surname>
          </string-name>
          , “
          <source>China Foreign Exchange Reserves</source>
          <year>1980</year>
          -
          <year>2016</year>
          .” [Online]. Available: http://www.tradingeconomics.com/china/foreign-exchange-reserves.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [Accessed:
          <fpage>21</fpage>
          -Oct-2016].
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          1, no.
          <issue>3</issue>
          , pp.
          <fpage>2</fpage>
          -
          <lpage>10</lpage>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          <string-name>
            <given-names>A.</given-names>
            <surname>Teixeira</surname>
          </string-name>
          , G. Dán,
          <string-name>
            <given-names>H.</given-names>
            <surname>Sandberg</surname>
          </string-name>
          , and
          <string-name>
            <given-names>K. H.</given-names>
            <surname>Johansson</surname>
          </string-name>
          , “
          <article-title>A cyber security study of a SCADA energy management system: Stealthy deception attacks on the state estimator,”</article-title>
          <source>IFAC Proc</source>
          . Vol., vol.
          <volume>18</volume>
          , no.
          <source>PART 1</source>
          , pp.
          <fpage>11271</fpage>
          -
          <lpage>11277</lpage>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          <string-name>
            <given-names>O.</given-names>
            <surname>Gervasi</surname>
          </string-name>
          , “
          <article-title>Encryption Scheme for Secured Communication of Web Based Control Systems</article-title>
          ,” pp.
          <fpage>609</fpage>
          -
          <lpage>618</lpage>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          <string-name>
            <surname>M. H. R. Khouzani</surname>
            and
            <given-names>S.</given-names>
          </string-name>
          <string-name>
            <surname>Sarkar</surname>
          </string-name>
          , “
          <article-title>Dynamic malware attack in energy-constrained mobile wireless networks,” in 2010 Information Theory</article-title>
          and Applications Workshop, ITA 2010 - Conference Proceedings,
          <year>2010</year>
          , pp.
          <fpage>408</fpage>
          -
          <lpage>418</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          <string-name>
            <given-names>B. K.</given-names>
            <surname>Mishra</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Prajapati</surname>
          </string-name>
          , “
          <article-title>Dynamic Model on the Transmission of Malicious Codes in Network,”</article-title>
          <string-name>
            <surname>Int. J. Comput. Netw. Inf. Secur.</surname>
          </string-name>
          , vol.
          <volume>10</volume>
          , pp.
          <fpage>17</fpage>
          -
          <lpage>23</lpage>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>W. O.</given-names>
            <surname>Kermack</surname>
          </string-name>
          and
          <string-name>
            <surname>A. G.</surname>
          </string-name>
          <article-title>McKendrick, “A Contribution to the Mathematical Theory of Epidemics,”</article-title>
          <source>Proc. R. Soc. London. Ser. A, Contain. Pap. a Math. Phys. Character</source>
          , vol.
          <volume>115</volume>
          , no.
          <issue>772</issue>
          , pp.
          <fpage>700</fpage>
          -
          <lpage>721</lpage>
          ,
          <year>1927</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>W. O.</given-names>
            <surname>Kermack</surname>
          </string-name>
          and
          <string-name>
            <given-names>A. G.</given-names>
            <surname>McKendrick</surname>
          </string-name>
          , “
          <article-title>Contributions to the mathematical theory of epidemics-III. Further studies of the problem of endemicity</article-title>
          ,”
          <source>Proc. R. Soc. London. Ser. A, Contain. Pap. a Math. Phys. Character</source>
          , vol.
          <volume>141</volume>
          , no.
          <issue>843</issue>
          , pp.
          <fpage>94</fpage>
          -
          <lpage>122</lpage>
          ,
          <year>1933</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>W. O.</given-names>
            <surname>Kermack</surname>
          </string-name>
          and
          <string-name>
            <given-names>A. G.</given-names>
            <surname>McKendrick</surname>
          </string-name>
          , “
          <article-title>Contribution to the Mathematical Theory of Epidemics. II. The Problem of Endemicity,”</article-title>
          <source>Proc. R. Soc. London. Ser. A, Contain. Pap. a Math. Phys. Character</source>
          , vol.
          <volume>138</volume>
          , no.
          <issue>834</issue>
          , pp.
          <fpage>55</fpage>
          -
          <lpage>83</lpage>
          ,
          <year>1932</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>N. T. J.</given-names>
            <surname>Bailey</surname>
          </string-name>
          ,
          <source>The Mathematical Theory of Infectious Diseases</source>
          , 2nd ed. New York: Hafner Press,
          <year>1975</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>A. K.</given-names>
            <surname>Misra</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Verma</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Sharma</surname>
          </string-name>
          , “
          <article-title>Capturing the interplay between malware and anti-malware in a computer network</article-title>
          ,”
          <source>Appl. Math. Comput.</source>
          , vol.
          <volume>229</volume>
          , pp.
          <fpage>340</fpage>
          -
          <lpage>349</lpage>
          ,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>W.</given-names>
            <surname>Liu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Liu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Liu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Cui</surname>
          </string-name>
          , and
          <string-name>
            <given-names>X.</given-names>
            <surname>Huang</surname>
          </string-name>
          , “
          <article-title>Modeling the spread of malware with the influence of heterogeneous immunization</article-title>
          ,”
          <source>Appl. Math. Model.</source>
          , vol.
          <volume>40</volume>
          , pp.
          <fpage>3141</fpage>
          -
          <lpage>3152</lpage>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>J. R. C.</given-names>
            <surname>Piqueira</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. A.</given-names>
            <surname>De Vasconcelos</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C. E. C. J.</given-names>
            <surname>Gabriel</surname>
          </string-name>
          , and
          <string-name>
            <given-names>V. O.</given-names>
            <surname>Araujo</surname>
          </string-name>
          , “
          <article-title>Dynamic models for computer viruses</article-title>
          ,”
          <source>Comput. Secur.</source>
          , vol.
          <volume>27</volume>
          , pp.
          <fpage>355</fpage>
          -
          <lpage>359</lpage>
          ,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>J. C.</given-names>
            <surname>Wierman</surname>
          </string-name>
          and
          <string-name>
            <given-names>D. J.</given-names>
            <surname>Marchette</surname>
          </string-name>
          , “
          <article-title>Modeling computer virus prevalence with a susceptible-infected-susceptible model with reintroduction</article-title>
          ,”
          <source>Comput. Stat. Data Anal.</source>
          , vol.
          <volume>45</volume>
          , pp.
          <fpage>3</fpage>
          -
          <lpage>23</lpage>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>I.</given-names>
            <surname>Androulidakis</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Huerta</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Vlachos</surname>
          </string-name>
          ,
          and
          <string-name>
            <given-names>I.</given-names>
            <surname>Santos</surname>
          </string-name>
          , “
          <article-title>Epidemic Model for Malware Targeting Telephony Networks,”</article-title>
          in
          <source>IEEE 23rd International Conference on Telecommunications</source>
          ,
          <year>2016</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>5</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>S.</given-names>
            <surname>Liu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Mashayekh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Kundur</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Zourntos</surname>
          </string-name>
          , and
          <string-name>
            <given-names>K.</given-names>
            <surname>Butler-Purry</surname>
          </string-name>
          , “
          <article-title>A framework for modeling cyber-physical switching attacks in smart grid</article-title>
          ,”
          <source>IEEE Trans. Emerg. Top. Comput.</source>
          , vol.
          <volume>1</volume>
          , no.
          <issue>2</issue>
          , pp.
          <fpage>273</fpage>
          -
          <lpage>285</lpage>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>P.</given-names>
            <surname>Chopade</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Bikdash</surname>
          </string-name>
          ,
          and
          <string-name>
            <given-names>I.</given-names>
            <surname>Kateeb</surname>
          </string-name>
          , “
          <article-title>Interdependency Modeling for Survivability of Smart Grid and SCADA network under severe emergencies, vulnerability and WMD attacks</article-title>
          ,”
          <source>Southeastcon, 2013 Proc. IEEE</source>
          , no. April
          , pp.
          <fpage>1</fpage>
          -
          <lpage>7</lpage>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>T. M.</given-names>
            <surname>Chen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. C.</given-names>
            <surname>Sanchez-Aarnoutse</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Buford</surname>
          </string-name>
          , “
          <article-title>Petri net modeling of cyber-physical attacks on smart grid,”</article-title>
          <source>IEEE Trans. Smart Grid</source>
          , vol.
          <volume>2</volume>
          , no.
          <issue>4</issue>
          , pp.
          <fpage>741</fpage>
          -
          <lpage>749</lpage>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <given-names>S.</given-names>
            <surname>Sridhar</surname>
          </string-name>
          and
          <string-name>
            <given-names>G.</given-names>
            <surname>Manimaran</surname>
          </string-name>
          , “
          <article-title>Data integrity attacks and their impacts on SCADA control system</article-title>
          ,”
          <source>IEEE PES Gen. Meet. PES 2010</source>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>6</lpage>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>S.</given-names>
            <surname>Amin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Litrico</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. S.</given-names>
            <surname>Sastry</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A. M.</given-names>
            <surname>Bayen</surname>
          </string-name>
          , “
          <article-title>Cyber security of water scada systems-part II: Attack detection using enhanced hydrodynamic models</article-title>
          ,”
          <source>IEEE Trans. Control Syst. Technol.</source>
          , vol.
          <volume>21</volume>
          , no.
          <issue>5</issue>
          , pp.
          <fpage>1679</fpage>
          -
          <lpage>1693</lpage>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>A.</given-names>
            <surname>Wasicek</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Derler</surname>
          </string-name>
          , and
          <string-name>
            <given-names>E. A.</given-names>
            <surname>Lee</surname>
          </string-name>
          , “
          <article-title>Aspect-oriented Modeling of Attacks in Automotive Cyber-Physical Systems</article-title>
          ,” in
          <source>2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC)</source>
          ,
          <year>2014</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>6</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>N.</given-names>
            <surname>Goldenberg</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Wool</surname>
          </string-name>
          , “
          <article-title>Accurate modeling of Modbus / TCP for intrusion detection in SCADA systems,”</article-title>
          <source>Int. J. Crit. Infrastruct. Prot.</source>
          , vol.
          <volume>6</volume>
          , no.
          <issue>2</issue>
          , pp.
          <fpage>63</fpage>
          -
          <lpage>75</lpage>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <string-name>
            <given-names>A.</given-names>
            <surname>Dolgikh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Nykodym</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Skormin</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Z.</given-names>
            <surname>Birnbaum</surname>
          </string-name>
          , “
          <article-title>Using behavioral modeling and customized normalcy profiles as protection against targeted cyber-attacks,”</article-title>
          in
          <source>International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security</source>
          ,
          <year>2012</year>
          , pp.
          <fpage>191</fpage>
          -
          <lpage>202</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <given-names>C. W.</given-names>
            <surname>Ten</surname>
          </string-name>
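          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Manimaran</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C. C.</given-names>
            <surname>Liu</surname>
          </string-name>
          , “
          <article-title>Cybersecurity for critical infrastructures: Attack and defense modeling,”</article-title>
          <source>IEEE Trans. Syst. Man, Cybern. Part A Systems Humans</source>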
          , vol.
          <volume>40</volume>
          , no.
          <issue>4</issue>
          , pp.
          <fpage>853</fpage>
          -
          <lpage>865</lpage>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <string-name>
            <given-names>S.</given-names>
            <surname>Kriaa</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Bouissou</surname>
          </string-name>
          , and
          <string-name>
            <given-names>L.</given-names>
            <surname>Piètre-Cambacédès</surname>
          </string-name>
          , “
          <article-title>Modeling the Stuxnet attack with BDMP: Towards more formal risk assessments</article-title>
          ,” in
          <source>7th International Conference on Risks and Security of Internet and Systems, CRiSIS 2012</source>
          ,
          <year>2012</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>8</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>