LICSTER -- A Low-cost ICS Security Testbed for Education and Research

Unnoticed by most people, Industrial Control Systems (ICSs) control entire productions and critical infrastructures such as water distribution, smart grid and automotive manufacturing. Due to the ongoing digitalization, these systems are becoming more and more connected in order to enable remote control and monitoring. However, this shift bears significant risks, namely a larger attack surface, which can be exploited by attackers. In order to make these systems more secure, it takes research, which is, however, difficult to conduct on productive systems, since these often have to operate twenty-four-seven. Testbeds are mostly very expensive or based on simulation with no real-world physical process. In this paper, we introduce LICSTER, an open-source low-cost ICS testbed, which enables researchers and students to get hands-on experience with industrial security for about 500 Euro. We provide all necessary material to quickly start ICS hacking, with the focus on low-cost and open-source for education and research.


Introduction
New concepts brought by industry 4.0 start to drastically change the requirements for industrial plants. Predictive maintenance for example, a concept where machines get serviced before they fail based on collected usage data, demand for a high amount of data sources and pervasive communications. Industrial Control System (ICS) devices such as Human Machine Interfaces (HMIs) or Supervisory Control and Data Acquisition (SCADA) systems gather the data within these environments, e.g. from sensors and actors. Nowadays, most ICS devices communicate via TCP/IP protocols with each other. The rise in connected devices inherently increases the attack surface of a network and thus the systems within it. To keep the evermore complex ICSs secure, it takes trained and well educated personnel as well as substantial research in this area. However, it is risky to conduct research and training on productive plants, as minor disturbances can quickly lead to costly incidents. Due to this reason, testbeds for research and education are essential.
In principle, there are three types of testbeds: Virtualized, real-world and hybrid approaches. Just as there are different types, there are different tasks for which a testbed can be used. For security scenarios and attacks on an ICS in particular, a real-world testbed incorporating a physical process is preferred to wholly understanding the effects and attack vectors in a production environment. Unfortunately, purchasing real industrial hardware for a testbed is very expensive and particularly for education and research often not affordable. Additionally, the proprietary devices prevent pervasive changes, which makes research partly difficult. arXiv:1910.00303v1 [cs.CR] 1 Oct 2019 In this paper, we present LICSTER, an open-source, low-cost ICS testbed with the following contributions: • Testbed components for about 500 Euro, which is affordable by most researchers and students.
• A real-world physical process controlled by an ICS, which enables to demonstrate and analyze the impacts of cyber attacks in the real-world.
• The feasibility of the testbed is shown and ideas for research are discussed.
• The components are open-source and open-hardware, as far as possible. This allows a wide range of further research.
• We provide attacker models and attacks to understand threat scenarios in industrial environments.
The paper is structured as follows: In Section 2, the concept of LICSTER is presented. Section 3 describes the proposed implementation of the components. The paper continuous with an evaluation in Section 4, with a discussion about further training and research questions. Eventually, Section 5 concludes this work.

ICS Testbed
Setting up a testbed is mostly not the final goal, but simply a tool to achieve a bigger objective. That makes it crucial to have a clear understanding of that objective and its constraints before beginning to design a testbed. Especially for an ICS security testbed for education and research, having clear attacker models and a prepared list of attack scenarios is valuable.

ICS Basics
The International Electrotechnical Commission and others (2003)   Enterprise Resource Planning (ERP) stands for the entrepreneurial task of planning and controlling resources such as capital, personnel, operating resources and materials in a timely and appropriate manner. A Manufacturing Execution System (MES) refers to a process-related level of a multi-layered manufacturing management system. SCADA defines a system for monitoring and controlling of technical processes by a computer system. A HMI resides on level one of the Industrial Automation Pyramid and allows an operator to interact with a machine or plant. A Historian is a computer on level two, where conditions, input and output information is stored for long term analysis. A Programmable Logic Controller (PLC) is a device that is used to control a machine or plant and that is digitally programmed. Remote input/output (IO) devices read inputs and write outputs over a field-bus or network connection.

Testbed Requirements
As Green et al. (2017) concluded, a testbed, sophisticated and versatile as it may be, has little use unless it is broadly accessible. Additionally, many scenarios should be able to be covered with LICSTER, resulting in the following requirements: • In order to make the testbed affordable for teaching and research, it must be designed for low-cost.
• A physical process must be represented to study consequences of cyber attacks on ICSs.
• In order to obtain repeatable results, the entire process must be reproducible.
• The testbed must be portable, e.g. for teaching and demonstration to gain awareness. Furthermore, a small footprint is easier to handle, e.g. when modifying components.
• By using open-source software and hardware, research on components is feasible. • The testbed implementation should cover level 0 to level 2 of a common ICS, focusing on the physical process and SCADA environment.

Related Work
Due to the ongoing interests in ICS security a lot of testbeds were created around the world in the past years. Holm et al. (2015) Green et al. (2017) describe ten lessons learned by setting-up an ICS testbed. They built up a huge testbed, but also concluded that local access and e.g. a mobile demo unit are essential. McLaughlin et al. (2016) summarize the ICS landscape and also describe the requirement of testbeds. They highlight the need for real-world physical consequences and their monitoring. LICSTER matches these requirements and additionally enables monitoring the physical process. Maynard et al. (2018) and also Formby et al. (2018) introduced an open framework for SCADA virtualization and simulation. However, a pure simulation or virtualization does not fulfill our requirements. Nevertheless, this could be taken into consideration as an expansion. Foley et al. (2018) use a Fischertechnik simulation model for cyber security science hackathons. The basic idea is similar, but they are proprietary components and the testbed is significantly more expensive.

Attacker Modeling
There is no single defense mechanism to mitigate all threats to a digital system. Depending on the nature and origin of an attacker, some defenses might be less useful than others. Therefore, before defining the possible attack scenarios against LICSTER, the potential attackers must be defined.
The remote attacker has network access to the ICS through a router. That means that the attacker can reach the system only via its Internet Protocol (IP) address and thus preventing attacks below the OSI network layer three (Day & Zimmermann (1983)). This replicates the scenario of exposed control systems (Durumeric et al. (2015)), as for example, when devices are connected to the Internet for e.g. maintenance reasons.
In contrast to the capabilities of the remote attacker, the local attacker has direct access to the ICS. Being present at the plant site allows on the one hand the possibility for physical attacks on the individual ICS components. On the other hand, the direct access to the network switch where ICS components are connected to. This enables an attacker to perform Address Resolution Protocol (ARP) spoofing and all the attacks that rely on it.

Attack Scenarios
A central distinction between traditional office networks and production networks is, that ICS networks has to manage the transition to physical processes. That makes it all the more important for a relevant ICS testbed to incorporate a physical process, as it allows attacks on the system from an entirely different perspective. With LICSTER various attack scenarios on the ICS levels zero to two are possible.
The act of network sniffing can be separated into two methods. The first is a passive approach. An attacker can utilize a mirror port or network tap to capture the traffic or simply receive and read broadcast messages. The second method of network sniffing is an active technique, where traffic is redirected over the host of the attacker by manipulation on the Media Access Control (MAC) layer through e.g. ARP poisoning.
More uncomplicated is the DoS attack, where the target is flooded by network packages it needs to react to. Is the amount of requests high enough, the accumulated network and/or Central Processing Unit (CPU) load of reacting to each and every package eventually causes the regular execution of the target to slow down or stop completely.
With a Man in the Middle (MitM) attack, an intruder manages to place himself between two communication partners through manipulation of routing information on the IP layer or MAC layer. There the attacker is able to capture and/or manipulate the exchanged packages.
Additionally, a manipulation over the network of ICS components is possible, as e.g. shown by Niedermaier et al. (2017) where the network interface of a PLC is fuzzed to manipulated the PLC.
Apart from network based attack vectors, a culprit with physical access has a wide range of attacks at his disposal such as manipulating devices, e.g. sensors, plug-and unplugging systems and straightforward destroying components of the ICS. Following comes a certainly not comprehensive list of possible attacks mapped to the ICS levels:  Figure 2: System view of LICSTER.
Attacks on level 0 (process level): • Manipulating the physical process for example by removing the commodity • Physically damage machines so that the process is not performed properly, e.g. with raw violence Attacks on level 1 (field level): • DoS attack on e.g. sensors or actuators • Interfering with availability by disconnecting the network or power plug • Manipulating a sensor physically so it transmits spoofed values • MitM to manipulate the values between the PLC and remote IO Attacks on level 1 (control level): • DoS attack on the PLC or HMI • Sniffing network traffic, e.g. to get sensitive production information • MitM to manipulate the values of the PLC or HMI • Physical access to the HMI, e.g. to stop the process Attacks on level 2 (process control level): • DoS attack on the SCADA and historian systems • Sniffing network traffic, e.g. to get sensitive process details • MitM to manipulating the values of the SCADA or historian server • Manipulating the state of the SCADA system, e.g. to reduce the daily order count Attacks in the various ICS levels require different access rights and tools, which are described in detail in Section 4 of the evaluation of LICSTER.

Testbed Implementation
The testbed presented in this paper handles the physical, field, control and supervisory level of the Industrial Automation Pyramid as described in Figure 2. The implementation of the testbed is designed in a way to allow for industry 4.0 scenarios as well as the more traditional ICS cases. That means that the entire communication between the PLC, the HMI and even the remote IOs is based on TCP/IP protocols, namely Modbus/TCP. The sensors themselves communicate with the remote IOs on a fieldbus protocol, for which Modbus/TCP was chosen which is broadly used in the industry. An overview of the devices in the testbed is given in Table 1 and described in detail in the upcoming sections (Section 3.2 to Section 3.4). The total amount of 577.-Euro is not necessarily the cheapest choice, because it depends on the prices of the distributor.

PLC
As PLC the open-source solution OpenPLC from Alves et al. (2014) is used. It is a soft PLC, which means that it can be run on various operating systems and on hardware with and also without IOs. Within LICSTER OpenPLC runs on a Raspberry Pi, with our PLC procedure programmed in Structured Text (ST) which is uploaded to the PLC over its own web portal.
The program contains a simple, repeatable process which can be triggered and monitored by the HMI as shown in Figure 4. The process consists of five stages in which it moves and processes a plastic cylinder as an workpiece example.  Figure 4: Program sequence of the process implemented on the PLC.
1 Before starting, the initial conditions must be fulfilled with everything at rest and the cylinder at its place. 2 The conveyor belt moves the plastic cylinder to the punching machine and stops right underneath it. 3 The punching machine moves downwards until its lower limit switch is triggered, 4 then continues to move up again until its upper limit switch is triggered. 5 Finally, the conveyor belt moves the plastic cylinder away from the punching machine, back to its origin and then stops. 6 If an detectable error (e) occurs or the emergency stop is pressed, the machine goes in an error state, by stopping every movement. This can be reset on the HMI.

Human Machine Interface (HMI)
The HMI is provided by a webserver which runs on a dedicated Raspberry Pi attached to a touch-screen. The web application is split into three areas -view, order and control -where the user has the possibility to monitor the process, place orders and thus trigger the described process, and to manually control the conveyor belt and the punching machine via the touch panel. This behaviour resembles a real HMI. Figure 5 shows a screenshot of the HMI, where the process is observed. Through this functionality and usage, authentic attack scenarios can be set up. To base the HMI on a webserver has several perks: Firstly, it reflects the change of technology introduced by industry 4.0. Companies like Siemens are already pursuing this approach with their WinCC/Web Navigator 1 . Secondly, knowledge about web-technologies is wide-spread and conveniently accessible, making this HMI easy to understand, extend and exploit. And thirdly, with small modifications, such as introducing Wi-Fi to the Raspberry Pi, the HMI can be effortlessly ported to tablets or smartphones, which introduces new attack vectors and, again, represents the shift to contemporary technologies. Additionally to monitoring the process, orders can be placed and the controller can be set in a manual mode, where the process is controlled by the operator. This also brings the human component into play in the testbed.

Remote IO
The remote IOs are self-developed, open-source solutions based on a development board from STMicroelectronics. The base board is a STM32F767ZI 2 with an Arduino Uno V3 header, where our custom add-on board is connected to. Using the Arduino Uno V3 header for the custom Printed Circuit Board (PCB) allows the underlying prototyping board to be changed easily with other compatible boards. This is relevant, for example, if higher performance, an energy-saving solution or cheaper hardware is needed.

Transistors LEDs Network
Display IOs Custom PCB STM32 development board USB Figure 6: PCB of the remote IOs.
The Universal Serial Bus (USB) connector for programming and power is placed on the left side of the development board. The RJ45 Ethernet connector for networking is mounted on the right side. The custom PCB is mainly necessary to convert the 24V of the physical process to the 3.3V of the STM32 development board. Additionally, each remote IO is connected to a display as illustrated in Figure 7. There the operator can monitor the current state of the Modbus/TCP inputs registers and coils. Applying displays to field level components is a trend that can also be seen by real-world components. In larger plants and systems, it simplifies identifying erroneous devices for the operator. What is more, these devices often allow a simple on-site basic configuration during commissioning.

Physical Process (Fischertechnik)
One of the main requirements is to use a real physical process so that impacts are directly visible. However, in order to keep the necessary skills low, an affordable as well as manageable solution is used in our testbed. Another requirement to the process is, that it should be automatically repeatable without the need for human interaction. That way the researcher or student has enough time to execute his attacks and to observe the effects. The selected device is a Fischertechnik punching machine 96785 sim 3 , as shown in Figure 8  The Fischertechnik system consists out of a conveyor belt, two light-barrier, two limit-switches and two motors. The light-barriers are placed at each end of the conveyor belt and the limit-switches control the upper and lower limit of the punching machine. One electric motor drives the conveyor belt clockwise and counterclockwise and the other electric motor lifts and lowers the punching machine from and to the conveyor belt.

SCADA/Historian
The software used as SCADA system for our testbed is Scada-LTS 4 . It is an open-source solution which supports Modbus/TCP and is entirely web-based. It also represents the shift to contemporary technologies in industry 4.0. The software runs on a Raspberry Pi. Its webpage can be accessed by any system within the network.

Necessary Skills
Although the testbed is designed to keep the entry hurdle for new students as low as possible, basic knowledge about the following three aspects is necessary. 1 Basic electric knowledge is required to safely connect a few wires to the system. However, this is very limited, since only four sensors and two motors must be connected. 2 When the STM32-based remote IOs should be used, soldering skills and a soldering iron are necessary. This can be avoided by e.g. using Raspberry Pis with 24V IOs as recommended by the OpenPLC project, but this results in a smaller testbed and also a more expensive price. 3 Basic Linux skills are of benefit to set-up the Raspberry Pis and use the attacking tools. However, we provide necessary material and guides to setup the testbed, which reduce the initial hurdles to a minimum.

Evaluation and Benchmarking of the Testbed
The evaluation of our testbed consists of three tiers. At first it is assured that the overall concept is viable and the communication between the components works as expected. Secondly, the previously identified attacks are systematically applied to the testbed and evaluated for their feasibility and effects to the system. Finally, it is evaluated what open research questions could be assessed with the help of the proposed testbed.

Evaluation of the Implementation
For some research questions and learning content, network traffic is a critical element. For example, intrusion detection can be configured and evaluated based on the network traffic captures of executed attacks. Figure 9 shows the density distribution of outgoing packets per second per component during a one minute capture while the testbed was running its process.
It clearly shows that the amount of packets per second differs, depending on the device. The PLC (192.168.0.30), which contains most of the logic and therefore is the most communicative component with about 110 packets per second. This is because the PLC polls the remote IOs every 100 ms while simultaneously being polled by the SCADA and HMI. In comparison, the communication of the HMI, which updates the values only once every 500 ms, amounts to significantly less traffic. Either remote IOs takes about 55 packets per second to communicate, which is mostly due to the constant polling of the PLC. The similar behaviour of the remote IOs leads to a correlative density representation. Lastly, the SCADA system, which has no hard timing requirements, only amounts to about 20 packets per second.  Table 2 shows an overview of selected attacks performed on the testbed. In order to correlate the attacks with the ICS levels 1 , the first column enumerates the levels zero to two of the Industrial Automation Pyramid. The second column Attack description 2 of the table contains a list of attacks derived from Section 2.5. These are the scenarios for a potential attacker. The three basic protection goals of IT-Security are Confidentiality, Integrity and Availability. Therefore, the third column, CIA 3 , maps each attack to the protection goals it compromises. The STRIDE 4 threat model by Kohnfelder & Garg (1999) in the fourth column uses the indicators Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege as a more detailed threat mapping. Next, the column five maps the attacker model 5 introduced in Section 2.4 to each attack, to clarify which attacks actually need physical access and which do not. Column 6 contains Tools 6 which are used to evaluate and perform attacks on the testbed are. Where viable ready-made and open-source solutions are preferred. Additionally, customized scripts are provided to execute attacks where no ready to use tools is available. Here is a brief overview over the tools and the corresponding attacks:

Attack Validation within the Testbed
• Network scanning is done with nmap by Lyon (2009). The specific Modbus/TCP Nmap Scripting Engine (NSE) script 5 is used to identify Modbus/TCP devices. • For network sniffing the Linux tool tcpdump (Jacobson et al. (1989)) and wireshark (Combs et al. (2008)) is used. Wireshark, a software for traffic capture and protocol dissection for various protocols including Modbus/TCP, allows for easy package analysis. • For flooding and DoS attacks the tool hping3 (Sanfilippo (2005)) is used. It supports a multitude of protocols and configurations to perform different forms of DoS attacks. • For MitM attacks a custom python script for easy editing is used, based on the libraries pymodbus and scapy (Biondi et al. (2011)). • For active manipulation of values in the Modbus/TCP communication, a custom python script or interactive python shell with pymodbus is employed.
The seventh column, Skill level 7 , refers to the knowledge required by the attacker to achieve his malicious goals. Each attack scenario is rated from low, medium and high which primarily represents the amount of system specific insight an attacker needs to follow through with his attack. Other aspects, such as the basic technical knowledge and the expertise in available tools do not weigh in the rating quite as much since most tools and relevant documentation are freely and sufficiently available. To measure the Impact 8 in column eight, again a rating from low, over medium to high is used to reflect the consequences to the system and the physical process of each attack. The severity of the rating depends on factors such as whether or not the plant can be damaged as a direct or indirect result of the attack, e.g. when the punching machine does not stop at the limit switch and crashes into the ground. Finally, the Detection difficulty 9 is assessed in column nine in the three levels low, medium high, as mentioned previously. It represents a rough estimation of the likelihood of successful detection of an attack by defensive mechanisms, e.g. an Intrusion Detection System (IDS). The skill level, impact and detection difficulty are rated in three levels. Attacks in real scenarios depend on many circumstances and can vary heavily when compared with each other. This is why the table can only give a tendency, which should be taken with a grain of salt.
With this evaluation, we have shown that even low-cost testbeds offer many possibilities of attacks. It is important to see direct effects for new researchers and students, such as the physical process. This shows ICS specifics, as digital devices interacts with the real world and attacks on network devices can have an impact on a process.

Discussion of Extensions and Research Questions
This section elaborates on how LICSTER's functionality can be enhanced by extensions and what research questions could be assessed on the foundation of our testbed. Also the research ideas introduced by Cárdenas et al. (2008) are picked up in this paper as well. This demonstrates how adaptive LICSTER really is and how much room for research and discussion it provides, despite its simplicity. In fact, it is this very simplicity that makes this testbed so easy to use and promising for students and beginners.

Extensions
LICSTER can easily be extended, for example by virtual ICS components (Antonioli & Tippenhauer (2015)) or standard office clients in virtual machines. The extensibility of our testbed allows for the simulation of potentially huge environments, always with the physical process integrated. Apart from enhancing LICSTER by further components and clients, its communication capabilities can be extended by additional protocols such as, for example, OPC UA. That way LICSTER can be used as platform to evaluate the security aspects of upcoming ICS protocols (Renjie et al. (2010)). Evaluations like these could lead to the establishment of requirements for secure protocols in ICSs. One topic that is being discussed, e.g. by Givehchi et al. (2014) is to operate parts of an ICS, like PLCs, in the cloud or fog. It is interesting to examine further security research in addition to the evaluation of availability and control timings. All what is necessary is to move the OpenPLC, which runs on any Linux-based computer, into the cloud or fog.

Offense Scenarios
Morris & Gao (2013) presented 17 attacks against ICSs which use the same Modbus/TCP protocol as LICSTER.
Hence, these attacks can be executed on our testbed and evaluated with the real world impacts on the physical process.
One of the most serious dangers to critical infrastructures is an Advanced Persistent Threat (APT), as explained, among others, by Gouglidis et al. (2018). LICSTER provides an elementary but sufficient platform to further investigate these types of attacks, since it provides all of the relevant components of an ICS including the physical process.

Defense Mechanisms
A protection mechanism often used for ICSs is network monitoring (Zhu & Sastry (2010)). Due to the fact that LICSTER spans over multiple ICS layers, it incorporates various types of network communication, as can be seen in Section 4.1. For example, the communication between the PLC and the remote IOs shows clear timing criticality while the traffic between the SCADA system and the PLC does not. With these distinctive communication characteristics, LICSTER can be used to evaluate IDS implementations and to test their detection mechanisms. Also the remote IO, can be programmed with custom firmware, which is mostly not possible when proprietary hardware is used. With this, intelligent Industrial Internet of Things (IIoT) edge nodes, e.g. for intrusion detection, can be placed into the testbed. This small selection of selected topics shows that it is often not the size that counts, but it is more important to map an entire industrial process within a testbed. This allows a simple demonstration of impacts in the physical world caused by cyber attacks. Particularly for learning purposes, it is important to have simple tools to assess complex topics.

Conclusion
In this paper, we presented LICSTER, an open-source, low-cost ICS testbed for education and research. We have shown, that the concept can be and set-up for about 500 Euro, This way we lower the entry barrier so that more people can get hands-on experience with ICSs. To enhance the learning experience of how the physical world interacts with the digital environment, we introduced suitable attacker models and possible attacks. With these measures we intent to provide easy access to more students and researchers to the topic of ICS security.
Furthermore, even with a testbed as elementary as LICSTER, current and relevant research questions can be assessed, due to the open-source nature of the project and its components. With LICSTER offensive as well as defensive techniques can be tested and evaluated on different ICS levels. The physical process is a key segment of LICSTER, which allows for a haptic understanding of the effects of cyber attacks on ICSs.