
1540-7977/12/$31.00©2012 IEEE 58 IEEE power & energy magazine january/february 2012

Intruders in the Grid

Cybervulnerability and Mitigation Studies Using a SCADA Test Bed

By Chen-Ching Liu, Alexandru Stefanov, Junho Hong, and Patrick Panciatici

A power grid is a critical infrastructure that relies on supervisory control and data acquisition (SCADA) systems for monitoring, control, and operation. On top of the power infrastructure reside layers of information and communications technology (ICT) that are interconnected with electric grids. The cyber and power infrastructures together constitute a large, complex cyberphysical system. ICTs on the power grids have evolved from isolated structures into open and networked environments based on TCP/IP and Ethernet. The technology is known to be vulnerable with respect to cyberintrusions. As ICTs of the power infrastructure have evolved into highly connected network environments, the use of firewalls has become a widely adopted access control method against intruders. Firewalls do not guarantee cybersecurity, however. The misconfiguration of company firewalls has been reported. Even if the configuration of a firewall is correct, it is still vulnerable because firewalls are not able to detect insider attacks and connections from the trusted side. Hence, solutions based solely on firewalls can be inadequate.

International Electrotechnical Commission (IEC) Technical Committee (TC) 57 has developed international standard protocols for power system data communication. These protocols, e.g., Distributed Network Protocol (DNP) 3.0, IEC 60870-5, IEC 60870-6, and IEC 61850, are widely used in power equipment, energy management system (EMS), SCADA, and distribution automation applications. These standard protocols have vulnerabilities, however, and open standards can be easy to access.

Protective relays in the substations are critical devices for system protection. Conventional relays have only local remote access using a serial cable connection. As ICTs evolve, remote access is often enabled for Ethernet-based networks, letting site engineers, operators, and vendor personnel access them remotely. Accessing intelligent electronic devices (IEDs) remotely from within a substation, corporate office, or locations external to the grid has become a common practice for maintenance purposes. Dial-up, virtual private network (VPN), and wireless technologies are all available mechanisms for connecting remote access points to the substation local area network (LAN). These access points are potential sources of cybervulnerabilities for the substations.

Digital Object Identifier 10.1109/MPE.2011.943114 Date of publication: 13 December 2011

Cyberintrusions

The Idaho National Laboratory of the U.S. Department of Energy (DOE) conducted a demonstration of a targeted cyberattack in March 2007 for its Aurora project. The attack was launched remotely against the control system of an electric generator, forcing the generator out of control; it then began shaking and smoking. The project demonstrated how a cyberattack can cause damage to physical devices. The latest widely publicized cyberattack on industrial control systems was the Stuxnet worm, a piece of malware that targeted SCADA systems. The objective was to corrupt a specific type of programmable logic controller (PLC) by rewriting parts of the code and turning it into the attacker's agent. Some media outlets suggested that Stuxnet's targets were nuclear plants. With modifications, it could become a serious threat to power grids. In February 2011, McAfee published a white paper, "Global Energy Cyber Attacks: Night Dragon," stating that targeted cyberattacks have been launched against energy, oil, and petrochemical corporations by the use of remote administration tools (RATs) and special network techniques. The attacks were conducted from several countries, security was breached, and proprietary and confidential information was accessed.

  • 60 IEEE power & energy magazine january/february 2012

Defense Against Cyberattacks

A research program at University College Dublin (UCD), sponsored by Science Foundation Ireland (SFI), is intended to develop the mathematical and computational foundations for vulnerability assessment and mitigation of the ICTs for critical infrastructures. Although cybersecurity issues are well known and new security technologies are available, research on the interdependency between ICT and physical systems for critical infrastructures is just emerging. In this project, analytical concepts, methods, and algorithms for the integrated ICT-physical system are being developed. The cybersecurity framework for SCADA systems, illustrated in Figure 1, consists of four major tasks: real-time monitoring, anomaly detection, impact analysis, and mitigation. This research program is intended to heighten the capacity for vigilance against cyberattacks by correlating events from various sources.

Anomaly detection requires a detailed analysis of data logs and correlation of detected anomalous events. Intrusion detection techniques are developed for the identification of unauthorized activities and event correlation based on data and information. Correlations can be based on spatial or temporal relationships. Algorithms are available for the correlation of events. An example of an anomaly detection method is looking for unauthorized changes made to critical parameters and/or files by intruders. A change is a variation over time. For practical applications to large-scale systems, however, the complexity of an attack scenario requires a large number of data sources spanning different locations and time durations. Coordinated, simultaneous attacks are such examples. The detection algorithm must be able to meet certain accuracy and performance requirements in order to permit timely mitigation.

Impact analysis is intended to analyze intrusions and determine the consequences of a cyberattack on the cyberphysical system. A useful vulnerability index is the loss of load caused by a cyberattack. A risk assessment approach that captures both power system vulnerabilities and the resulting impact on the real-time operation is desirable. The methodology has four key steps: modeling of the cyber power system, simulation of the physical behaviors of a power grid, development of a vulnerability index for the cyberphysical system, and mitigation measures. The cybernet model should incorporate the cybersystem configurations, authentication, and firewall/password models.

Mitigation actions can be conducted on the ICT side and the power grid side. On the ICT side, mitigation using dynamic and other enhanced firewall architectures is a natural extension of current industry practice. A preventive mitigation action is performed in real time to alleviate the threat in a cybersystem. For a firewall, this can be achieved by dynamic rejection rules or by delaying access through the firewall, thereby providing additional time to defeat an attack. Mitigation can also be performed as a remedial action. Computational algorithms for power systems have been used to determine power grid reconfiguration plans when an attack is encountered. Reconfiguration plans can incorporate control and protection techniques such as wide area protection and control, controlled islanding, power flow readjustment, and voltage controls. The ICT and power system mitigation strategies can be implemented and tested on the SCADA test bed. Different cyberattacks can be performed, and the effectiveness of the proposed cyberphysical system security techniques can be analyzed in a realistic environment.

[Figure 1. The SFI cybersecurity program for power grids: real-time monitoring, anomaly detection, impact analysis, and mitigation, spanning control centers, substations, ICT, and power grids.]

[Figure 2. Cybersecurity test bed at UCD. Control Center A and Control Center B each have a user interface, a SCADA network, a router/firewall, and an ICCP server; the control centers exchange data over ICCP and share a dispatcher training simulator. A power system simulation feeds an OPC server read by OPC clients. Substation A and Substation B each have a router/firewall, a substation network carrying IEC 61850-8-1 MMS and IEC 61850-7-2 GOOSE at station level and bay level, a protocol gateway, an IDS, IEDs, and a user interface; control centers and substations communicate over DNP 3.0. Remote access points A1, A2, and A3 (dial-up, VPN, or wireless, to/from the corporate network, used by vendor personnel or site engineers and reachable by intruders) and the substation user interface A4 are the intrusion origins; T1 (router/firewall), T2 (protocol gateway), T3 (IEDs), and T4 (substation network) are the targets. Abbreviations: SCADA, supervisory control and data acquisition; ICCP, Inter-Control Center Communications Protocol; DNP, Distributed Network Protocol; VPN, virtual private network; MMS, Manufacturing Message Specification; GOOSE, Generic Object Oriented Substation Events; IDS, intrusion detection system; OPC, OLE for Process Control; IED, intelligent electronic device.]

A SCADA test bed is a critical facility for testing a broad range of cyberattacks and developing real-time defense strategies to mitigate their effects on a power system's operating condition. Encryption and authentication techniques are required to secure the point-to-point communication. The interactions between the cybersystem and the electric grid have to be modeled to be able to evaluate the impact of cybervulnerability.

SCADA Test Bed Architecture and Simulation Scenarios

Efforts have been made internationally to develop SCADA test beds for cybersecurity assessment, among which are the DOE's national SCADA test bed program and Italy's RSE laboratory test bed. The proposed test bed at UCD includes two control centers and two substations, as shown in Figure 2. Two protocols are used for control centers, DNP 3.0 over TCP/IP and Inter-Control Center Communications Protocol (ICCP). DNP 3.0 is used for controls and measurements between control centers and substations, while ICCP is used for data exchange between control centers. In the future, ICCP will be connected to Iowa State University for information exchange. A dispatcher training simulator (DTS) is used for training of operators and simulation of system operation, control, and restoration scenarios. In the substation, IEC 61850-based communication is used between IEDs and the user interface. The user interface is able to acquire monitored data generated by power system simulation tools through Object Linking and Embedding for Process Control (OPC) communication. There are remote access points using dial-up, VPN, or wireless technology, which can serve as intrusion paths. Although the IEEE 39-bus system is the currently available test model, the test bed has the ability to model large, interconnected systems with thousands of buses. This test bed provides a powerful tool for studying vulnerabilities of the SCADA and substation communication networks and identifying the needed security enhancements.

    In the SCADA test bed environment illustrated in Figure 2, it is possible for the following intrusions to originate from remote access connections to a substation communication network:

✔ outside a substation network: from one of the remote access points (A1, A2, or A3) to the substation router and firewall (T1); or to the router and firewall, the substation network, and the protocol gateway (T1-T4-T2); or to the router and firewall, the substation network, and the IEDs (T1-T4-T3)

✔ inside a substation network: from the user interface (A4) to the protocol gateway (T2); or to the substation network and the router and firewall (T4-T1); or to the substation network and the IEDs (T4-T3).

Thus, intrusions from outside a substation network via dial-up, VPN, or wireless technology to the substation ICT network may target firewalls, the substation user interface, or IEDs. Intrusions from inside a substation network can also target these facilities.

The substation user interface has a human-machine interface (HMI) that enables an operator to control and monitor the substation facilities. If an attacker successfully compromises the user interface with a high access privilege, the attacker is able to access critical information and control circuit breakers and/or transformer taps, causing severe damage to the grid operation. IEDs are connected to circuit breakers; switching commands go through the IEDs, and the IEDs contain critical system information.

As depicted in Figure 3, an intrusion detection system (IDS) is installed on the user interface computer in the cybersecurity test bed. The IDS is a mitigation technology against intrusions. When the computer logs generated from the user interface, IEDs, and firewall are transmitted to the IDS database, an IDS algorithm searches for any anomalies. If the IDS detects an anomaly, it will send disconnect control commands to the firewall and block the intruder's connection.
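The log correlation just described, and the "unauthorized change to critical parameters and/or files" check from the anomaly detection section above, as an added Python example that is not the test bed's IDS code: it ingests constructed firewall, HMI and IED log lines keyed by a session id, applies three constructed rules (a critical file whose hash no longer matches an approved baseline, a switching command issued over a remote-access session, and a burst of switching commands), and returns the deny rule it would push to the substation firewall. The log format, field names, hashes, thresholds and the policy that remote sessions are maintenance-only are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from the three sources the IDS database
# collects: firewall, substation user interface (hmi) and IEDs. One simplified
# format for all three: "<source> <timestamp> <EVENT> key=value ...".
SAMPLE_LOGS = [
    "firewall 2011-12-13T02:10:05 ACCEPT path=vpn sid=77 ip=203.0.113.9 dst=10.1.1.20",
    "hmi 2011-12-13T02:10:31 LOGIN user=engineer sid=77",
    "hmi 2011-12-13T02:11:02 FILE_WRITE user=engineer sid=77 file=relay_settings.cfg sha256=deadbeef",
    "ied 2011-12-13T02:11:40 CONTROL target=CB-2 action=OPEN sid=77",
    "ied 2011-12-13T02:11:44 CONTROL target=CB-3 action=OPEN sid=77",
    "hmi 2011-12-13T09:00:12 LOGIN user=operator sid=78",
    "ied 2011-12-13T09:05:00 CONTROL target=CB-1 action=CLOSE sid=78",
]

# Approved baseline hashes of critical files (constructed values).
BASELINE = {"relay_settings.cfg": "c0ffee00"}

# Remote access paths (A1-A3 in Figure 2); assumed policy: maintenance only.
REMOTE_PATHS = {"dialup", "vpn", "wireless"}

LINE_RE = re.compile(r"^(?P<source>\w+) (?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \S+=\S+)*)$")


def parse(line):
    """Turn one log line into a dict; key=value pairs become fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"source": m["source"], "ts": datetime.fromisoformat(m["ts"]), "event": m["event"]}
    rec.update(pair.split("=", 1) for pair in m["kv"].split())
    return rec


def correlate(lines, burst_window=timedelta(seconds=60), burst_limit=2):
    """Correlate firewall, HMI and IED events by session id (sid).

    Returns (alerts, firewall_actions): alerts is a list of (sid, reason);
    firewall_actions is the list of deny rules the IDS would send to the
    substation firewall to disconnect the offending session."""
    records = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    remote = {}                   # sid -> source IP admitted via a remote path
    controls = defaultdict(list)  # sid -> timestamps of control commands
    alerts, actions = [], []

    def raise_alert(sid, reason):
        alerts.append((sid, reason))
        if sid in remote:  # we know the firewall session: block it
            rule = f"DENY ip={remote[sid]} sid={sid}"
            if rule not in actions:
                actions.append(rule)

    for r in records:
        sid, ev = r.get("sid"), r["event"]
        if r["source"] == "firewall" and ev == "ACCEPT" and r.get("path") in REMOTE_PATHS:
            remote[sid] = r["ip"]
        elif ev == "FILE_WRITE":
            # Rule 1: a critical file whose hash differs from the approved baseline.
            name = r["file"]
            if name in BASELINE and r.get("sha256") != BASELINE[name]:
                raise_alert(sid, f"unauthorized change to critical file {name}")
        elif ev == "CONTROL":
            what = f"{r['target']} {r['action']}"
            # Rule 2: a switching command issued over a remote-access session.
            if sid in remote:
                raise_alert(sid, f"control command {what} over remote access session")
            # Rule 3: a burst of switching commands inside a short window.
            ts = r["ts"]
            controls[sid] = [t for t in controls[sid] if ts - t <= burst_window] + [ts]
            if len(controls[sid]) == burst_limit:
                raise_alert(sid, f"{burst_limit} control commands within "
                                 f"{burst_window.total_seconds():.0f} s")
    return alerts, actions


if __name__ == "__main__":
    found, rules = correlate(SAMPLE_LOGS)
    for sid, reason in found:
        print(f"sid={sid}: {reason}")
    print("firewall actions:", rules)
```

Session 78 (a local operator login followed by one breaker command) produces nothing; session 77 trips all three rules and yields a single deny rule, which is the disconnect command the paragraph above describes the IDS sending to the firewall.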

[Figure 3. Proposed IDS in the test bed: logs from the user interface, the IEDs, and the firewall/router flow into the intrusion detection system database; the IDS returns reconfiguration/disconnect commands to the firewall/router that faces the intruders.]

Impact Analysis and Mitigation

The impact of cyberattacks on power systems can be analyzed by means of computer simulations of system dynamics to quantify how seriously affected the system's operating condition will be. To this end, it is necessary to model the electric grid and simulate the response due to cyberintrusions. A simple test power system has been built using commercially available, industrial-grade simulation software, as shown in Figure 4. The demo system consists of three hydroelectric power plants (150 MW each), six transmission lines (110 kV), and six loads. Power system dynamics are computed using a time-domain simulation tool. Simulated real-time measurements are created and sent to the OPC server. The substation HMI connects as an OPC client using a default user ID and password and acquires data from the simulated electric grid and from the substation IED. All data items are sent through the DNP 3.0 protocol to a control center that monitors and controls the system. The operator's decisions are sent via the SCADA system to the power system simulation software, which computes the dynamics in real time and reports back the changes in the system's operating condition. Figure 5 shows the one-line diagram of the SCADA system displayed on the operator's console. Substations 2 and 3 correspond to substations A and B, respectively, shown in the test bed configuration (Figure 2).

[Figure 4. Four-bus demo power system: buses B110_1 to B110_4, generators SM1, SM2, and SM4 (G~), loads Ld_1, Ld_2, Ld_3a, Ld_3b, Ld_3c, and Ld_4, and lines L12a, L12b, L14a, L14b, L23, and L43.]

[Figure 5. Control center one-line SCADA display: generators Gen 1, Gen 2, and Gen 4; loads 1, 2, 3a, 3b, 3c, and 4; Substations 1 to 4; Lines 12a, 12b, 14a, 14b, 23, and 43, with active/reactive power flows (MW/MVar) and bus voltages of about 109 to 110 kV in the normal operating condition.]

The SCADA test bed is used to investigate the potential impact of cyberintrusions in different scenarios. Attack models were created and tested. For each scenario, details of the impact on the power grid were evaluated. Mitigation methods to stop the attack and disconnect the intruder were evaluated. Beyond firewall and anomaly detection issues, the purpose of the power system mitigation strategy is to avoid cascading failures following cyberattacks and to restore normal operating conditions.

Scenario 1

The fictitious intruder compromises the site engineer's computer and obtains the user IDs and passwords needed for VPN and substation HMI remote desktop connection. The substation firewall views the connection as legitimate, and the attacker gains access to the network. Using an IP- and port-scanning tool, the intruder finds the substation user interface computer and accesses the HMI. The attacks are initiated from the substation user interface, using the OPC client-server communication between the HMI and the power system simulation software. Targeted cyberattacks are launched at multiple locations (substations 2 and 3 and hydroelectric power plant 2). The attacks trigger opening of a circuit breaker at substation 2 and another at substation 3, which disconnects two transmission lines and damages the generator. The results of the attacks are reported to the control center via DNP 3.0 communication. Operations at the control center are disrupted by a series of alarms, indicating major disturbances have occurred in the system (see Figure 6).

[Figure 6. Test system after cyberattacks: the same one-line display as Figure 5, with lines 12b and 43 showing zero flow and bus voltages reduced to about 104 to 108 kV.]

[Figure 7. Frequency after cyberattacks: B110_1 electrical frequency in Hz, 48 to 51 Hz over roughly 12.7 to 22.7 s.]

[Figure 8. Bus voltages after mitigation: B110_1 to B110_4 line-line voltage magnitude in kV, 99 to 114 kV over 0 to 100 s.]

The attacks have a severe impact on the system condition. A generator is damaged and loads have to be dropped. Since lines 43 and 12b are disconnected, the only path to supply loads 2, 3a, 3b, and 3c is through line 12a. Under this condition, the system almost reaches its transfer capability. The remaining power plants are generating at full capacity, but there is not sufficient generation to supply all the loads. As a result, the frequency is falling (to below 48 Hz), as shown in Figure 7.

Intruders are disconnected by means of collaboration between the IDS and the firewall in the substation network, and emergency control actions are taken to mitigate the effects of the cyberattacks as an attempt to restore a normal condition. The mitigation strategy here is to use the optimal power flow (OPF) algorithm with an objective function that minimizes load shedding.

The OPF results show that loads 1 and 2 should be shed by 100% and 71%, respectively. Figures 8 and 9 indicate that the bus voltages and frequency can recover. Figure 9 illustrates how frequency varies after 15 s, at which time the circuit breakers are operated. After another 5 s, the attack on the generator is initiated (which leads to the sharp frequency decline). Before frequency reaches 49.4 Hz, the loads are shed and lines 12b and 43 are reconnected at 60 and 65 s, respectively. The system is steered to a stable operating point; however, hydroelectric power plant 2 is damaged, and there are unserved loads.

[Figure 9. Frequency after mitigation: B110_1 electrical frequency in Hz, 49 to 51.5 Hz over 0 to 100 s.]

[Figure 10. Bus voltages in the second attack scenario: B110_1 (buses 1, 2, 4) and B110_2 (bus 3) voltages in kV, 70 to 120 kV over 0 to 10 s.]

[Figure 11. Reactive power loads during the second attack scenario: Ld_1 (loads 1, 2, 4), Ld_3a (loads 3a, 3b), and Ld_3c (load 3c) reactive power in MVar, 0 to 25 MVar over 0 to 10 s.]

Scenario 2

In a second scenario, the intruder installs a wiretap on one of the communication wires between the substations and the control center. It monitors the traffic and captures measurement packets. The contents are modified, and the attacker sends fabricated information to the state estimation module. Consequently, a false operating condition is now presented to the operators. In this scenario, system operators are misguided and decide to take control actions to restore a normal operating condition. Unfortunately, their logical response drives the system into an emergency operating state. Specifically, an intruder sends falsified voltage data—135 kV—for all four buses, while the actual value is 110 kV. Three substations represent generator buses, and the voltages can be controlled and are normally set to 1 p.u. In response, operators have power plants generate less reactive power and decrease the voltage level by 22.7%. The actual bus voltages are now reduced to an abnormal value of 85 kV, which may further trigger voltage-related relay tripping actions. The simulation result is shown in Figure 10.

A polynomial model is used to represent the load characteristics and, as a result, the active and reactive powers vary with the bus voltages. Due to the low voltages, the load demand has also decreased, as indicated in Figure 11. At this moment the system finds itself in an emergency operating state and a cascading sequence of events is likely to follow.
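The arithmetic of Scenario 2 (a trusted but falsified 135 kV reading, the operator's proportional correction of 22.7%, the resulting 85 kV, and the polynomial load model's response), together with the kind of plausibility screen a control center can place in front of the state estimator, as an added Python example. It is not the article's simulation: the ZIP coefficients, the screening thresholds and the scan sequence are constructed, and the screen is a first line of defense, not a substitute for the encryption and authentication the article calls for on the substation-to-control-center link.

```python
NOMINAL_KV = 110.0  # actual bus voltage in the scenario (1 p.u.)
FALSE_KV = 135.0    # value substituted into the measurement packets


def operator_correction(reported_kv, setpoint_kv=NOMINAL_KV):
    """Fraction by which an operator who trusts reported_kv lowers the
    voltage to bring it back to the set point: (135 - 110) / 110 = 22.7%."""
    return (reported_kv - setpoint_kv) / setpoint_kv


def actual_after_correction(actual_kv, reported_kv, setpoint_kv=NOMINAL_KV):
    """The real voltage once that correction acts on the real, unseen value."""
    return actual_kv * (1.0 - operator_correction(reported_kv, setpoint_kv))


def zip_load(p0_mw, q0_mvar, v_kv, v0_kv=NOMINAL_KV,
             zp=(0.4, 0.3, 0.3), zq=(0.6, 0.2, 0.2)):
    """Polynomial (ZIP) load model: constant-impedance, constant-current and
    constant-power shares. Coefficients are constructed; each triple sums to 1
    so the load equals (p0, q0) at nominal voltage."""
    x = v_kv / v0_kv
    p = p0_mw * (zp[0] * x ** 2 + zp[1] * x + zp[2])
    q = q0_mvar * (zq[0] * x ** 2 + zq[1] * x + zq[2])
    return p, q


def screen_measurements(scans_kv, nominal_kv=NOMINAL_KV, band=0.10, max_step=0.05):
    """Plausibility screen on successive telemetered voltages for one bus.

    Flags a value outside +/-band of nominal, or a jump between consecutive
    scans larger than max_step of the previous value, which a bus voltage does
    not do without a matching event elsewhere in the telemetry. Returns a list
    of (scan index, reason) for the operator or state estimator to hold back."""
    flagged, prev = [], None
    for i, v in enumerate(scans_kv):
        reasons = []
        if abs(v - nominal_kv) > band * nominal_kv:
            reasons.append("outside operating band")
        if prev is not None and abs(v - prev) > max_step * prev:
            reasons.append("implausible step between scans")
        if reasons:
            flagged.append((i, "; ".join(reasons)))
        prev = v
    return flagged


if __name__ == "__main__":
    cut = operator_correction(FALSE_KV)
    real = actual_after_correction(NOMINAL_KV, FALSE_KV)
    print(f"operator lowers voltage by {100 * cut:.1f}%, real bus voltage becomes {real:.1f} kV")
    p_n, q_n = zip_load(50.0, 17.0, NOMINAL_KV)
    p_l, q_l = zip_load(50.0, 17.0, real)
    print(f"load at nominal: {p_n:.1f} MW {q_n:.1f} MVar; at {real:.0f} kV: {p_l:.1f} MW {q_l:.1f} MVar")
    # Constructed scan sequence: three honest readings, then the injected value.
    for idx, why in screen_measurements([110.1, 110.0, 110.2, 135.0, 135.0]):
        print(f"scan {idx}: {why}")
```

The screen catches the injected reading twice over (it leaves the operating band and jumps 22% in one scan), which is enough to withhold it from the display and raise an alarm; an attacker who ramps the value slowly would defeat the step check, which is why the band check and, ultimately, authenticated telemetry are still needed.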

Importance to Industry

An objective of the so-called "smart grid" is to use more information in a smarter way to optimize power systems. The EMSs and SCADA systems and protection and control systems in substations become less and less isolated from the ICT system in order to take advantage of new measurements and control actions. To facilitate communications between different entities while exchanging more and more information and to reduce costs, standardized protocols based on TCP/IP communication networks and Ethernet technologies are deployed. Most such protocols do not implement security technologies. Intruders can modify data so as to disturb the observability and controllability of the system. Intrusions into power companies' private networks let attackers infect the machines with worms and viruses, which can launch denial-of-service (DoS) attacks.

The future challenge is to find the right balance between the security and fluidity of information exchanges, which would bring a real added value. Intrusion-detection systems, intrusion-prevention systems, and highly effective firewalls are examples of what is needed to enhance the cybersecurity of the power system infrastructure and advance the state of the art, which generally proposes—unrealistically—to close "all the doors" using very simple firewalls. The objective is to develop new technology, both hardware and software, for EMSs and SCADA systems. Many major transmission grids around the world are operated through SCADA systems. For example, Réseau de Transport d'Electricité (RTE), responsible for France's high-voltage transmission grid, includes 100,000 km of power lines, 250,000 transmission towers, and more than 2,400 customer delivery points. To remotely supervise and control such a large-scale power grid, it is conceivable that the grid will have to have its own private telecom network that meets a very high cybersecurity requirement. Ongoing research on cyberphysical system security is expected to help RTE and other major transmission grids prevent cyberattacks and develop solutions capable of detecting anomalies and intrusions and mitigating their effects.

Acknowledgments

The authors acknowledge the support received from Science Foundation Ireland for a Principal Investigator Award at UCD. They are grateful for the collaborations with Dr. P. Gladyshev at UCD, Prof. M. Govindarasu at Iowa State University, and advisors from EirGrid (Ireland), Intel (Ireland), RSE (Italy), and RTE (France).


Biographies

Chen-Ching Liu is with Washington State University, Pullman, and University College Dublin, Ireland.

Alexandru Stefanov is pursuing his Ph.D. at University College Dublin, Ireland.

Junho Hong is pursuing his Ph.D. at Washington State University, Pullman, USA.

Patrick Panciatici is with RTE, France.
