1540-7977/12/$31.00 ©2012 IEEE
58 IEEE power & energy magazine january/february 2012

Intruders in the Grid
By Chen-Ching Liu, Alexandru Stefanov, Junho Hong, and Patrick Panciatici
A power grid is a critical infrastructure that relies on supervisory control and data acquisition (SCADA) systems for monitoring, control, and operation. On top of the power infrastructure reside layers of information and communications technology (ICT) that are interconnected with electric grids. The cyber and power infrastructures together constitute a large, complex cyberphysical system. ICTs on the power grids have evolved from isolated structures into open and networked environments based on TCP/IP and Ethernet. The technology is known to be vulnerable with respect to cyberintrusions. As ICTs of the power infrastructure have evolved into highly connected network environments, the use of firewalls has become a widely adopted access control method against intruders. Firewalls do not guarantee cybersecurity, however. The misconfiguration of company firewalls has been reported. Even if the configuration of a firewall is correct, it is still vulnerable because firewalls are not able to detect insider attacks and connections from the trusted side. Hence, solutions based solely on firewalls can be inadequate.

International Electrotechnical Commission (IEC) Technical Committee (TC) 57 has developed international standard protocols for power system data communication. These protocols, e.g., Distributed Network Protocol (DNP) 3.0, IEC 60870-5, IEC 60870-6, and IEC 61850, are widely used in power equipment, energy management system (EMS), SCADA, and distribution automation applications. These standard protocols have vulnerabilities, however, and open standards can be easy to access.

Protective relays in the substations are critical devices for system protection. Conventional relays have only local remote access using a serial cable connection. As ICTs evolve, remote access is often enabled for Ethernet-based networks, letting site engineers, operators, and vendor personnel access them remotely. Accessing intelligent electronic devices (IEDs) remotely from within a substation, corporate office, or locations external to the grid has become a common practice for maintenance purposes. Dial-up, virtual private network (VPN), and wireless technologies are all available mechanisms for connecting remote access points to the substation local area network (LAN). These access points are potential sources of cybervulnerabilities for the substations.

Digital Object Identifier 10.1109/MPE.2011.943114. Date of publication: 13 December 2011.
Cybervulnerability and Mitigation Studies Using a SCADA Test Bed
Cyberintrusions

The Idaho National Laboratory of the U.S. Department of Energy (DOE) conducted a demonstration of a targeted cyberattack in March 2007 for its Aurora project. The attack was launched remotely against the control system of an electric generator, forcing the generator out of control; it then began shaking and smoking. The project demonstrated how a cyberattack can cause damage to physical devices. The latest widely publicized cyberattack on industrial control systems was the Stuxnet worm, a piece of malware that targeted SCADA systems. The objective was to corrupt a specific type of programmable logic controller (PLC) by rewriting parts of the code and turning it into the attacker’s agent. Some media outlets suggested that Stuxnet’s targets were nuclear plants. With modifications, it could become a serious threat to power grids. In February 2011, McAfee published a white paper, “Global Energy Cyber Attacks: Night Dragon,” stating that targeted cyberattacks have been launched against energy, oil, and petrochemical corporations by the use of remote administration tools (RATs) and special network techniques. The attacks were conducted from several countries, security was breached, and proprietary and confidential information was accessed.
Defense Against Cyberattacks

A research program at University College Dublin (UCD), sponsored by Science Foundation Ireland (SFI), is intended to develop the mathematical and computational foundations for vulnerability assessment and mitigation of the ICTs for critical infrastructures. Although cybersecurity issues are well known and new security technologies are available, research on the interdependency between ICT and physical systems for critical infrastructures is just emerging. In this project, analytical concepts, methods, and algorithms for the integrated ICT-physical system are being developed. The cybersecurity framework for SCADA systems, illustrated in Figure 1, consists of four major tasks: real-time monitoring, anomaly detection, impact analysis, and mitigation. This research program is intended to heighten the capacity for vigilance against cyberattacks by correlating events from various sources.
Anomaly detection requires a detailed analysis of data logs and correlation of the detected anomalous events. Intrusion detection techniques are developed for the identification of unauthorized activities and event correlation based on data and information. Correlations can be based on spatial or temporal relationships. Algorithms are available for the correlation of events. An example of an anomaly detection method is looking for unauthorized changes made to critical parameters and/or files by intruders. A change is a variation over time. For practical applications to large-scale systems, however, the complexity of an attack scenario requires a large number of data sources spanning different locations and time durations. Coordinated, simultaneous attacks are such examples. The detection algorithm must be able to meet certain accuracy and performance requirements in order to permit timely mitigation.
Impact analysis is intended to analyze intrusions and determine the consequences of a cyberattack on the cyberphysical system. A useful vulnerability index is the loss of load caused by a cyberattack. A risk assessment approach that captures both power system vulnerabilities and the resulting impact on the real-time operation is desirable. The methodology has four key steps: modeling of the cyber power system, simulation of the physical behaviors of a power grid, development of a vulnerability index for the cyberphysical system, and mitigation measures. The cybernet model should incorporate the cybersystem configurations, authentication, and firewall/password models.
Mitigation actions can be conducted on the ICT side and the power grid side. On the ICT side, mitigation using dynamic and other enhanced firewall architectures is a natural extension of current industry practice. A preventive mitigation action is performed in real time to alleviate the threat in a cybersystem. For a firewall, this can be achieved by dynamic rejection rules or by delaying access through the firewall, thereby providing additional time to defeat an attack. Mitigation can also be performed as a remedial action. Computational algorithms for power systems have been used to determine power grid reconfiguration plans when an attack is encountered. Reconfiguration plans can incorporate control and protection techniques such as wide area protection and control, controlled islanding, power flow readjustment, and voltage controls. The ICT and power system mitigation strategies can be implemented and tested on the SCADA test bed. Different cyberattacks can be performed, and the effectiveness of the proposed cyberphysical system security techniques can be analyzed in a realistic environment.

figure 1. The SFI cybersecurity program for power grids. (Figure not reproduced; its blocks are labeled Real-Time Monitoring, Anomaly Detection, Impact Analysis, and Mitigation, spanning ICT, Control Centers, Substations, and Power Grids.)

figure 2. Cybersecurity test bed at UCD. (Figure not reproduced; labels recoverable from it: Control Center A and Control Center B, each shown with a user interface, SCADA network, router/firewall, dispatcher training simulator, and ICCP server; Substation A and Substation B, each shown with a router/firewall, substation network, protocol gateway, IDS, user interface, OPC client, and IEDs at station level and bay level, with IEC 61850-8-1: MMS and IEC 61850-7-2: GOOSE; a power system simulation with an OPC server; ICCP between the control centers and DNP 3.0 between control centers and substations; remote access points A1, A2, and A3 via dial-up, VPN, or wireless, used by vendor personnel or site engineers and by intruders; access point A4 at the substation user interface; targets T1 (router/firewall), T2 (protocol gateway), T3 (IEDs), and T4 (substation network); a link to/from the corporate network. Legend: SCADA, Supervisory Control and Data Acquisition; ICCP, Intercontrol Center Communications Protocol; DNP, Distributed Network Protocol; VPN, Virtual Private Network; MMS, Manufacturing Message Specification; GOOSE, Generic Object Oriented Substation Events; IDS, Intrusion Detection System; OPC, OLE for Process Control; IED, Intelligent Electronic Device.)
A SCADA test bed is a critical facility for testing a broad range of cyberattacks and developing real-time defense strategies to mitigate their effects on a power system’s operating condition. Encryption and authentication techniques are required to secure the point-to-point communication. The interactions between the cybersystem and the electric grid have to be modeled to be able to evaluate the impact of cybervulnerability.

SCADA Test Bed Architecture and Simulation Scenarios

Efforts have been made internationally to develop SCADA test beds for cybersecurity assessment, among which are the DOE’s national SCADA test bed program and Italy’s RSE laboratory test bed. The proposed test bed at UCD includes two control centers and two substations, as shown in Figure 2. Two protocols are used for control centers, DNP 3.0 over TCP/IP and Inter-Control Center Communications Protocol (ICCP). DNP 3.0 is used for controls and measurements between control centers and substations, while ICCP is used for data exchange between control centers. In the future, ICCP will be connected to Iowa State University for information exchange. A dispatcher training simulator (DTS) is used for training of operators and simulation of system operation, control, and restoration scenarios. In the substation, IEC 61850–based communication is used between IEDs and the user interface. The user interface is able to acquire monitored data generated by power system simulation tools through Object Linking and Embedding for Process Control (OPC) communication. There are remote access points using dial-up, VPN, or wireless technology, which can serve as intrusion paths. Although the IEEE 39–bus system is the currently available test model, the test bed has the ability to model large, interconnected systems with thousands of buses. This test bed provides a powerful tool for studying vulnerabilities of the SCADA and substation communication networks and identifying the needed security enhancements.
In the SCADA test bed environment illustrated in Figure 2, it is possible for the following intrusions to originate from remote access connections to a substation communication network:
✔ outside a substation network: from one of the remote access points (A1, A2, or A3) to the substation router and firewall (T1); or to the router and firewall, the substation network, and the protocol gateway (T1-T4-T2); or to the router and firewall, the substation network, and the IEDs (T1-T4-T3)
✔ inside a substation network: from the user interface (A4) to the protocol gateway (T2); or to the substation network and the router and firewall (T4-T1); or to the substation network and the IEDs (T4-T3).
Thus, intrusions from outside a substation network via dial-up, VPN, or wireless technology to the substation ICT network may target firewalls, the substation user interface, or IEDs. Intrusions from inside a substation network can also target these facilities.
The substation user interface has a human-machine interface (HMI) that enables an operator to control and monitor the substation facilities. If an attacker successfully compromises the user interface with a high access privilege, the attacker is able to access critical information and control circuit breakers and/or transformer taps, causing severe damage to the grid operation. IEDs are connected to the circuit breakers; switching commands pass through the IEDs, which also hold critical system information.
As depicted in Figure 3, an intrusion detection system (IDS) is installed on the user interface computer in the cybersecurity test bed. The IDS is a mitigation technology against intrusions. When the computer logs generated from the user interface, IEDs, and firewall are transmitted to the IDS database, an IDS algorithm searches for any anomalies. If the IDS detects an anomaly, it will send disconnect control commands to the firewall and block the intruder’s connection.
Impact Analysis and Mitigation

The impact of cyberattacks on power systems can be analyzed by means of computer simulations of system dynamics to quantify how seriously affected the system’s operating condition will be. To this end, it is necessary to model the electric grid and simulate the response due to cyberintrusions. A simple test power system has been built using commercially available, industrial-grade simulation software, as shown in Figure 4. The demo system consists of three hydroelectric power plants (150 MW each), six transmission lines (110 kV), and six loads. Power system dynamics are computed using a time-domain simulation tool. Simulated real-time measurements are created and sent to the OPC server. The substation HMI connects as an OPC client using a default user ID and password and acquires data from the simulated electric grid and from the substation IED. All data items are sent through the DNP 3.0 protocol to a control center that monitors and controls the system. The operator’s decisions are sent via the SCADA system to the power system simulation software, which computes the dynamics in real time and reports back the changes in the system’s operating condition. Figure 5 shows the one-line diagram of the SCADA system displayed on the operator’s console. Substations 2 and 3 correspond to substations A and B, respectively, shown in the test bed configuration (Figure 2).

figure 3. Proposed IDS in the test bed. (Figure not reproduced; its elements are the user interface, IED, firewall router, and intruders, with logs from the user interface, IED, and firewall flowing to the intrusion detection system and its database, and a reconfiguration/disconnect command from the IDS back to the firewall router.)
figure 4. Four-bus demo power system. (Figure not reproduced; its elements are buses B110_1, B110_2, B110_3, and B110_4; generators SM1, SM2, and SM4; loads Ld_1, Ld_2, Ld_3a, Ld_3b, Ld_3c, and Ld_4; and lines L12a, L12b, L14a, L14b, L23, and L43.)

figure 5. Control center one-line SCADA display. (Figure not reproduced; it shows Substations 1 through 4; Gen 1, Gen 2, and Gen 4; Loads 1, 2, 3a, 3b, 3c, and 4; Lines 12a, 12b, 23, 14a, 14b, and 43, with MW and MVar readings, and bus voltages of 110.23 kV and 109.24 kV.)
The SCADA test bed is used to investigate the potential impact of cyberintrusions in different scenarios. Attack models were created and tested. For each scenario, details of the impact on the power grid were evaluated. Mitigation methods to stop the attack and disconnect the intruder were evaluated. Beyond firewall and anomaly detection issues, the purpose of the power system mitigation strategy is to avoid cascading failures following cyberattacks and to restore normal operating conditions.

Scenario 1

The fictitious intruder compromises the site engineer’s computer and obtains the user IDs and passwords needed for VPN and substation HMI remote desktop connection. The substation firewall views the connection as legitimate, and the attacker gains access to the network. Using an IP- and port-scanning tool, the intruder finds the substation user interface computer and accesses the HMI. The attacks are initiated from the substation user interface, using the OPC client-server communication between the HMI and the power system simulation software. Targeted cyberattacks are launched at multiple locations (substations 2 and 3 and hydroelectric power plant 2). The attacks trigger opening of a circuit breaker at substation 2 and another at substation 3, which disconnects two transmission lines and damages the generator. The results of the attacks are reported to the control center via DNP 3.0 communication. Operations at the control center are disrupted by a series of alarms, indicating major disturbances have occurred in the system (see Figure 6).

figure 6. Test system after cyberattacks. (Figure not reproduced; the same one-line display as Figure 5, now with several readings of 0.00 MW on the affected lines and bus voltages of 108.23 kV, 104.23 kV, and 106.22 kV.)

figure 7. Frequency after cyberattacks. (Figure not reproduced; a plot of B110_1 electrical frequency in Hz, 48 to 51 Hz, against time, 12.71 to 22.71 s.)

figure 8. Bus voltages after mitigation. (Figure not reproduced; a plot of the B110_1 through B110_4 line-line voltage magnitudes in kV, 99 to 114 kV, against time, 0 to 100 s.)
The attacks have a severe impact on the system condition. A generator is damaged and loads have to be dropped. Since lines 43 and 12b are disconnected, the only path to supply loads 2, 3a, 3b, and 3c is through line 12a. Under this condition, the system almost reaches its transfer capability. The remaining power plants are generating at full capacity, but there is not sufficient generation to supply all the loads. As a result, the frequency is falling (to below 48 Hz), as shown in Figure 7.
Intruders are disconnected by means of collaboration between the IDS and the firewall in the substation network, and emergency control actions are taken to mitigate the effects of the cyberattacks as an attempt to restore a normal condition. The mitigation strategy here is to use the optimal power flow (OPF) algorithm with an objective function that minimizes load shedding.
The OPF results show that loads 1 and 2 should be shed by 100% and 71%, respectively. Figures 8 and 9 indicate that the bus voltages and frequency can recover. Figure 9 illustrates how frequency varies after 15 s, at which time the circuit breakers are operated. After another 5 s, the attack on the generator is initiated (which leads to the sharp frequency decline). Before frequency reaches 49.4 Hz, the loads are shed and lines 12b and 43 are reconnected at 60 and 65 s, respectively. The system is steered to a stable operating point; however, hydroelectric power plant 2 is damaged, and there are unserved loads.
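As an added example (not code from the article or from the UCD test bed), the following Python script sketches the IDS role of Figure 3 against the Scenario 1 intrusion path: it correlates constructed firewall, HMI, and IED log lines by time and source, flags a scan from a remote access point, coordinated breaker-open commands from a VPN-originated user, and an IED state change with no matching HMI command, and returns the disconnect order the IDS would send to the firewall. The log format, addresses, user names, breaker identifiers, and thresholds are all assumptions.

```python
"""Correlate firewall, HMI (user-interface) and IED logs; emit firewall disconnect orders.
Log format (constructed for this example): <source> <ISO timestamp> <event> key=value ...
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample resembling the Scenario 1 path: VPN login with stolen
# credentials, a scan of the substation LAN, then breaker-open commands from
# the HMI at two substations. Addresses, users and device names are made up.
SAMPLE_LOGS = """\
firewall 2012-01-10T10:00:05 vpn-login user=site_eng src=203.0.113.7
firewall 2012-01-10T10:00:40 conn src=203.0.113.7 dst=10.1.1.10 dport=135
firewall 2012-01-10T10:00:40 conn src=203.0.113.7 dst=10.1.1.10 dport=445
firewall 2012-01-10T10:00:41 conn src=203.0.113.7 dst=10.1.1.10 dport=3389
firewall 2012-01-10T10:00:41 conn src=203.0.113.7 dst=10.1.1.11 dport=102
firewall 2012-01-10T10:00:42 conn src=203.0.113.7 dst=10.1.1.12 dport=20000
ui 2012-01-10T10:02:10 rdp-login user=site_eng src=203.0.113.7
ui 2012-01-10T10:03:00 hmi-command user=site_eng target=CB_S2_L12b action=open
ied 2012-01-10T10:03:01 breaker-state breaker=CB_S2_L12b state=open origin=hmi
ui 2012-01-10T10:03:05 hmi-command user=site_eng target=CB_S3_L43 action=open
ied 2012-01-10T10:03:06 breaker-state breaker=CB_S3_L43 state=open origin=hmi
ied 2012-01-10T10:03:30 breaker-state breaker=CB_S2_L23 state=open origin=local
"""

def parse_line(line):
    """Split one record into a dict: source, ts, event, plus its key=value fields."""
    source, stamp, event, *fields = line.split()
    rec = {"source": source, "ts": datetime.fromisoformat(stamp), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def analyze(log_text, scan_threshold=5, scan_window=30.0, switch_window=60.0):
    """Return (alerts, firewall_actions) after correlating the three log sources.
    Rule 1: >= scan_threshold distinct host:port pairs from one source within scan_window s.
    Rule 2: a VPN-originated user opens >= 2 distinct breakers within switch_window s.
    Rule 3: an IED reports a breaker open with no HMI command for it within switch_window s.
    Rules 1 and 2 order the firewall to disconnect the source (once per source).
    """
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    remote_users = {}          # user -> source address of the VPN session
    conns = defaultdict(list)  # src -> [(ts, "dst:port")]
    opens = defaultdict(list)  # user -> [(ts, breaker)]
    commanded = {}             # breaker -> ts of the last HMI open command
    alerts, actions, blocked = [], [], set()

    def disconnect(src, reason):
        alerts.append(reason)
        if src not in blocked:  # one disconnect order per source is enough
            blocked.add(src)
            actions.append({"action": "disconnect", "src": src, "reason": reason})

    for r in records:
        now = r["ts"]
        if r["source"] == "firewall" and r["event"] == "vpn-login":
            remote_users[r["user"]] = r["src"]
        elif r["source"] == "firewall" and r["event"] == "conn":
            conns[r["src"]].append((now, f'{r["dst"]}:{r["dport"]}'))
            recent = {t for ts, t in conns[r["src"]]
                      if (now - ts).total_seconds() <= scan_window}
            if len(recent) >= scan_threshold:
                disconnect(r["src"], f'scan: {r["src"]} reached {len(recent)} host:port pairs')
        elif r["source"] == "ui" and r["event"] == "hmi-command" and r.get("action") == "open":
            commanded[r["target"]] = now
            opens[r["user"]].append((now, r["target"]))
            recent = {b for ts, b in opens[r["user"]]
                      if (now - ts).total_seconds() <= switch_window}
            if r["user"] in remote_users and len(recent) >= 2:
                disconnect(remote_users[r["user"]],
                           f'remote user {r["user"]} opened {sorted(recent)}')
        elif r["source"] == "ied" and r["event"] == "breaker-state" and r.get("state") == "open":
            cmd_ts = commanded.get(r["breaker"])
            if cmd_ts is None or (now - cmd_ts).total_seconds() > switch_window:
                alerts.append(f'IED {r["breaker"]} opened without a matching HMI command')
    return alerts, actions
```

On the sample, the scan rule fires first and produces the single disconnect order for 203.0.113.7; the later switching and IED rules add alerts without repeating the order.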
figure 9. Frequency after mitigation. (Figure not reproduced; a plot of B110_1 electrical frequency in Hz, 49 to 51.5 Hz, against time, 0 to 100 s.)

figure 10. Bus voltages in the second attack scenario. (Figure not reproduced; a plot of the bus 1, 2, and 4 voltages (B110_1) and the bus 3 voltage (B110_2) in kV, 70 to 120 kV, against time, 0 to 10 s.)

figure 11. Reactive power loads during the second attack scenario. (Figure not reproduced; a plot of reactive power in MVar for loads 1, 2, and 4 (Ld_1), loads 3a and 3b (Ld_3a), and load 3c (Ld_3c), 0 to 25 MVar, against time, 0 to 10 s.)
Scenario 2

In a second scenario, the intruder installs a wiretap on one of the communication wires between the substations and the control center. It monitors the traffic and captures measurement packets. The contents are modified, and the attacker sends fabricated information to the state estimation module. Consequently, a false operating condition is now presented to the operators. In this scenario, system operators are misguided and decide to take control actions to restore a normal operating condition. Unfortunately, their logical response drives the system into an emergency operating state. Specifically, an intruder sends falsified voltage data—135 kV—for all four buses, while the actual value is 110 kV. Three substations represent generator buses, and the voltages can be controlled and are normally set to 1 p.u. In response, operators have power plants generate less reactive power and decrease the voltage level by 22.7%. The actual bus voltages are now reduced to an abnormal value of 85 kV, which may further trigger voltage-related relay tripping actions. The simulation result is shown in Figure 10.
A polynomial model is used to represent the load characteristics and, as a result, the active and reactive powers vary with the bus voltages. Due to the low voltages, the load demand has also decreased, as indicated in Figure 11. At this moment the system finds itself in an emergency operating state and a cascading sequence of events is likely to follow.
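As an added example (not from the article), this Python code carries the Scenario 2 numbers through a polynomial (ZIP) load model of the kind the text says drives the load response, and shows a plausibility check that a state estimator front end could apply to the forged telemetry frame: a reported voltage outside a band around nominal, and a reported reactive load that does not agree with the load model at the reported voltage. The ZIP coefficients, the tolerance values, and the per-bus telemetry values are assumptions.

```python
"""Polynomial (ZIP) load model and plausibility checks on reported bus voltages.

Constructed for the Scenario 2 discussion. The ZIP coefficients, the tolerance
values and the sample telemetry frame are assumptions, not article data.
"""

V_NOMINAL_KV = 110.0        # actual bus voltage in the scenario
V_INJECTED_KV = 135.0       # voltage the intruder reports for all four buses
OPERATOR_REDUCTION = 0.227  # the 22.7% set-point decrease the misled operators apply

# Assumed ZIP shares (constant impedance, constant current, constant power)
# for active and reactive power; each triple sums to 1.
ZIP_P = (0.4, 0.3, 0.3)
ZIP_Q = (0.6, 0.2, 0.2)


def zip_load(p0, q0, v_kv, v0_kv=V_NOMINAL_KV, zp=ZIP_P, zq=ZIP_Q):
    """(P, Q) drawn at v_kv by a load that draws (p0, q0) at v0_kv."""
    x = v_kv / v0_kv
    p = p0 * (zp[0] * x * x + zp[1] * x + zp[2])
    q = q0 * (zq[0] * x * x + zq[1] * x + zq[2])
    return p, q


def voltage_after_setpoint_cut(v_actual_kv, fraction=OPERATOR_REDUCTION):
    """Actual bus voltage once generator set-points are lowered by `fraction`."""
    return v_actual_kv * (1.0 - fraction)


def check_bus_telemetry(reported, v0_kv=V_NOMINAL_KV, band=0.10, tol=0.10):
    """Plausibility checks on one telemetry frame before it reaches state estimation.

    reported: bus -> {"v_kv": reported voltage, "q_mvar": reported reactive load,
                      "q0_mvar": reactive load expected at nominal voltage}
    Check 1: the reported voltage lies outside +/-band of nominal.
    Check 2: the reported reactive load disagrees (beyond tol) with what the ZIP
             model predicts at the reported voltage; a forged V next to an
             untouched Q fails this even when V itself looks acceptable.
    Returns bus -> list of findings; {} means the frame passed both checks.
    """
    findings = {}
    for bus, m in reported.items():
        notes = []
        v, q, q0 = m["v_kv"], m["q_mvar"], m["q0_mvar"]
        if abs(v - v0_kv) / v0_kv > band:
            notes.append(f"voltage {v:.1f} kV outside +/-{band:.0%} of {v0_kv:.0f} kV")
        _, q_expected = zip_load(0.0, q0, v, v0_kv)
        if abs(q - q_expected) > tol * max(abs(q_expected), 1e-9):
            notes.append(f"Q={q:.2f} MVar inconsistent with {q_expected:.2f} MVar "
                         f"expected at {v:.1f} kV")
        if notes:
            findings[bus] = notes
    return findings


# Constructed frame after the wiretap: V forged to 135 kV on every bus while
# the reactive loads are still those measured at 110 kV (q0 values made up).
FORGED_FRAME = {
    "B110_1": {"v_kv": V_INJECTED_KV, "q_mvar": 9.02, "q0_mvar": 9.02},
    "B110_2": {"v_kv": V_INJECTED_KV, "q_mvar": 17.04, "q0_mvar": 17.04},
    "B110_3": {"v_kv": V_INJECTED_KV, "q_mvar": 13.03, "q0_mvar": 13.03},
    "B110_4": {"v_kv": V_INJECTED_KV, "q_mvar": 23.05, "q0_mvar": 23.05},
}
```

With these coefficients the 22.7% set-point cut takes the actual voltage to 85.03 kV and the reactive load to about 71% of its nominal value, matching the drop the text attributes to the polynomial load model.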
Importance to Industry

An objective of the so-called “smart grid” is to use more information in a smarter way to optimize power systems. The EMSs and SCADA systems and protection and control systems in substations become less and less isolated from the ICT system in order to take advantage of new measurements and control actions. To facilitate communications between different entities while exchanging more and more information and to reduce costs, standardized protocols based on TCP/IP communication networks and Ethernet technologies are deployed. Most such protocols do not implement security technologies. Intruders can modify data so as to disturb the observability and controllability of the system. Intrusions into power companies’ private networks let attackers infect the machines with worms and viruses, which can launch denial-of-service (DoS) attacks.
The future challenge is to find the right balance between the security and fluidity of information exchanges, which would bring a real added value. Intrusion-detection systems, intrusion-prevention systems, and highly effective firewalls are examples of what is needed to enhance the cybersecurity of the power system infrastructure and advance the state of the art, which generally proposes—unrealistically—to close “all the doors” using very simple firewalls. The objective is to develop new technology, both hardware and software, for EMSs and SCADA systems. Many major transmission grids around the world are operated through SCADA systems. For example, Réseau de Transport d’Electricité (RTE), responsible for France’s high-voltage transmission grid, includes 100,000 km of power lines, 250,000 transmission towers, and more than 2,400 customer delivery points. To remotely supervise and control such a large-scale power grid, it is conceivable that the grid will have to have its own private telecom network that meets a very high cybersecurity requirement. Ongoing research on cyberphysical system security is expected to help RTE and other major transmission grids prevent cyberattacks and develop solutions capable of detecting anomalies and intrusions and mitigating their effects.
Acknowledgments

The authors acknowledge the support received from Science Foundation Ireland for a Principal Investigator Award at UCD. They are grateful for the collaborations with Dr. P. Gladyshev at UCD, Prof. M. Govindarasu at Iowa State University, and advisors from EirGrid (Ireland), Intel (Ireland), RSE (Italy), and RTE (France).

For Further Reading

C.-W. Ten, C.-C. Liu, and G. Manimaran, “Vulnerability assessment of cyber security for SCADA systems,” IEEE Trans. Power Syst., vol. 23, pp. 1836–1846, Nov. 2008.

A. Hahn, G. Manimaran, S. Sridhar, B. Kregel, M. Higdon, R. Adnan, and J. Fitzpatrick, “Development of the powercyber SCADA cyber security testbed,” in Proc. Cyber Security and Information Intelligence Research Workshop, Oak Ridge National Lab (ORNL), pp. 21:1–21:4, Apr. 2010.

Biographies

Chen-Ching Liu is with Washington State University, Pullman, and University College Dublin, Ireland.

Alexandru Stefanov is pursuing his Ph.D. at University College Dublin, Ireland.

Junho Hong is pursuing his Ph.D. at Washington State University, Pullman, USA.

Patrick Panciatici is with RTE, France.