Analysis of Cyber-Attacks on IEC 61850 Networks
Conference Paper · September 2017
DOI: 10.1109/ICAICT.2017.8686894
All content following this page was uploaded by Mohammed Elmusrati on 20 December 2019.
Analysis of Cyber-Attacks on IEC 61850 Networks
Ahmed Elgargouri Department of Computer Science
University of Vaasa Vaasa, Finland [email protected]
Mohammed Elmusrati Department of Computer Science
University of Vaasa Vaasa, Finland [email protected]
Abstract—Information security risks and hazards of IEC 61850-based power control grids are now under close consideration. Future electric substations are expected to depend heavily on intelligent electronic devices (IEDs), which run over communication protocols such as IEEE 802.3 (Ethernet)-based IEC 61850. So far, most IEC 61850 networks are LAN-connected, i.e. secure by the nature of LANs, yet mapping over a few web applications such as Devices Profile for Web Services (DPWS) opens the door for common cyber-attacks on the substation’s LAN. In addition, the upcoming extension of IEC 61850 part 9 contains specifications of routable GOOSE and SV for IEC 61850 WANs, which will make it possible for attackers to use e.g. packet sniffers. One accepted security solution for increasing the security of these networks is the Intrusion Detection System (IDS). This paper presents a performance analysis of IDS against a list of cyber-attacks on an IEC 61850-based network.
Keywords— Cyber Attacks; IDS; IEC 61850; Security;
I. INTRODUCTION
IEC 61850 is a worldwide-acknowledged Ethernet-based standard for substation communication. It is considered the optimum solution for IED (Intelligent Electronic Device) interoperability problems [1]. The standard’s main features are its comprehensive object-oriented data model and its use of Ethernet technology, which brings a significant drop in configuration and maintenance costs.
When the International Electrotechnical Commission’s (IEC) Technical Committee 57 (TC57) established IEC 61850 in 2003, the standard’s documents contained no cyber security definitions, as these were left to be defined later in another standard (IEC 62351) [2]. The best scenario for secure IEC 61850-based electric substations would be to implement IEC 62351 within the same environment. The problem with such a solution is that many IEDs from different manufacturers still do not support IEC 62351 [1]. Hence, alternative security solutions, such as Intrusion Detection Systems (IDS), are needed in order to prevent possible attacks on current IEC 61850-based networks [3].
The expected deep dependency on IEDs in future substation automation and smart grids makes their security very critical, and cyber-attacks might cause significant technical and financial damage.
II. CYBER ATTACKS ON IEC 61850 NETWORKS
A. Types of Attacks
Listed below are the possible attacks on IEDs in current IEC 61850 local area networks [3]:
• Unauthorized Access (UA): the IED is edited so that it issues an incorrect command, its default settings are changed, or sensitive data is accessed.
• Denial of service (DoS): the IED is disconnected from the grid by disabling it.
• Spoofing (SP): the IED is spoofed (physically or logically) in order to mislead other IEDs.
• Data interception (DI): critical data is intercepted.
• Stepping stone (SS): one or more IEDs are compromised and then used to launch a logical attack on another device.
• Man-in-the-middle (MITM) attack: the attacker forwards the traffic between the monitoring system and the IED to an external destination (e.g. the attacker’s laptop).
• Configuration Tampering (CT): the threat actor has interfered with the Configured IED Description (CID) file in a protection relay, so the relay operates incorrectly in case of network faults.
• Operating System Attack (OSA): the operating system is exploited through its vulnerabilities.
There are two methods, based on two different locations, for launching these attacks: directly manipulating the IED from within the local-area network (LAN), or over a wide-area network (WAN). In both cases, a user in the network might attempt these attacks, or that user might be used as a bridge by an external user. The next table summarizes these types of attacks launched from different locations and the possible protection against them.
TABLE I. CYBER-ATTACKS ON IEC 61850 NETWORKS [3]
(Protection listed per attack; the original table splits these by attack location: Direct, LAN, WAN.)
UA: Access Control, Physical Protection, MAC Address Control, Firewall, IDS
DoS: Access Control, Physical Protection, MAC Address Control, Anti-Malware, Firewall, IDS
SP: Physical Protection, MAC Address Control, Anti-Malware, Firewall, IDS
DI: Access Control, Physical Protection, MAC Address Control, IDS, Firewall
SS: Access Control, Physical Protection, MAC Address Control, IDS, Patches, Firewall
MITM: Access Control, Physical Protection, MAC Address Control, IDS, Patches, Firewall
CT: Access Control, MAC Address Control, IDS, Firewall
OSA: Access Control, MAC Address Control, IDS, Firewall
Access control, physical protection, MAC address control, anti-malware, firewalls and patches are well-known security solutions that have been tested and acknowledged as successful methods across all types of network architectures. They are included in the software at both station and bay level. The method to be investigated here, for how its performance might guarantee more secure IEC 61850 networks, is IDS. Sections III and IV give an introduction to IDS and analyse the system’s performance when this solution is used against cyber-attacks in IEC 61850 networks.
B. Attacking Scenarios
There are three possible attacking scenarios in an IEC 61850 LAN. They are listed as follows:
• An unauthorized user/device attempts to access the network by connecting to switches or by establishing a direct physical connection to IEDs in the network (shown in Fig. 1 with the letter ‘A’).
• An infected USB drive (shown in Fig. 1 with the letter ‘B’).
• A client in the network creates a bridge by connecting to web services at either the substation level or the bay level.
Fig. 1. Attacking Scenarios on a smart substation [4]
The first two scenarios can be prevented by using traditional hardware and software protection, such as security cameras, firewalls, anti-virus and anti-malware. The third scenario remains the challenging one, because in this case the device used to perform the attack is authorized to access the network data.
C. Impact of Cyber-Attacks
The attacks listed in Section II may have several impacts on the smart substation, which are expected to cause different types of damage to the network. The most common impacts caused by the different cyber-attacks are listed below, ordered by the number of attacks that can cause them [4]:
• Denial of service from control system
• Interruption of protection communication
• Interruption of monitoring system
• Network interruption
• Blocking protection
• Protection tripping failure
• Undesirable protection operation
• Erroneous post analysis
The first three impacts can result from any of the previously listed cyber-attacks, whereas the remaining impacts might be caused by two or three of these attacks. These impacts are serious hazards to both networks and human lives. This means that even if these attacks rarely occur in a LAN, their impact must be taken seriously and prevention methods must be implemented.
III. INTRUSION DETECTION SYSTEMS (IDS)
Intrusion Detection (ID) is the mechanism by which several functions are implemented to detect attacks before and/or after logging on to a secure network. A typical Intrusion Detection System is included in the gateway [3], yet there are frequently newly defined types of IDS, such as Host-Based IDS and Anti-ARP IDS. However, the simplest known approach for an IEC 61850-based network is to include it in the gateway.
ID systems are commonly used in a wide range of applications due to their simplicity. One well-known application that relies heavily on IDS is near field communication (e.g. the security of RFID applications).
Nevertheless, ID is not an optimum solution. Its main drawback is the extra time taken by the detection process, which causes delays that could be in the attacker’s favor: any extra delay increases the probability of a successful attack. One possible solution in this case is an enhanced handshake protocol that decreases this processing delay in order to minimize the risk.
Fig. 2. Gateway-Based IDS
IDS come in two different classes. The classification is done based on the detection functionality:
• Rule/signature based;
• Anomaly detection based.
When a defined attack has a clearly recognizable signature, such as unauthorized admission to sensitive data, a rule-based IDS is preferable.
Anomaly detection based IDS is implemented in systems that attract users who attempt to act as genuine users in order to invade the system [5]. This class is expected to be combined with artificial intelligence and machine learning in order to adapt to the varied behaviors of attackers and develop more reliable detection capabilities [6].
Moreover, IDS can be categorized as host-based or distributed. A host-based IDS functions by analyzing system calls and responding to suspicious system requests, while a distributed IDS works throughout an entire grid (centralized or decentralized).
Each category has pros and cons. However, it is possible to create a hybrid system of the two types, combining the pros (and cons) of both. This might be considered a third category [7].
IV. PERFORMANCE ANALYSIS OF IDS IN IEC 61850 NETWORK
Based on packet switching theory, transmission delay is defined as the time required to push all of the bits of a packet into the transmission medium. The relation between transmission delay and bit rate is given by:
Transmission delay = N ⁄ R (1)
where N is the size of the packet (number of bits) and R is the transmission rate in bps.
In order to compare system performance when IDS is used, an example of IEC 61850 traffic is given here. The example is the traffic calculation of a three-networks-in-one merging unit based on IEC 61850 (part 9), assuming 80 sample points per cycle for sampled values, with one frame carrying one sample point (12 analogue quantity channels). The SMV data traffic of a merging unit is then computed as follows:
S = (170 bytes/frame) × (8 bits/byte) × (50 cycles/s) × (80 frames/cycle) = 5.44 Mbit/s.
The resulting figure shows that the communication traffic of a merging unit consumes 5.44% of a 100M port. Using equation (1), the delay can be computed as follows:
Transmission delay = 8 Kbit ⁄ (5.44 × 10^6 bit/s) = 1.47 ms
Now take the same example, but this time with a packet carrying IDS overhead. In this case the packet size is 12 Kbits instead of 8. Using the same formula, the delay is computed as follows:
Transmission delay = 12 Kbit ⁄ (5.44 × 10^6 bit/s) = 2.205 ms
It is clear that using IDS adds a significant delay, yet this delay is still acceptable, since the most critical operation in the network (the protection relay) may accept a delay of up to 4 ms.
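The delay model of equation (1), carried through with the paper’s own figures (170-byte frames, 50 cycles/s, 80 frames/cycle, 8 Kbit and 12 Kbit packets, 4 ms relay tolerance), as an added worked example that is not code from the paper. Function names, the 100 Mbit/s port figure taken from the text, and the helper that computes the largest packet still within the 4 ms budget are assumptions made here.

```python
# Added worked example (not code from the paper): the transmission-delay model of
# Section IV, Eq. (1), carried through with the paper's own figures. Function
# names and the 100 Mbit/s port figure are assumptions taken from the text.

PROTECTION_LIMIT_MS = 4.0  # tolerance the paper states for the protection relay


def smv_traffic_bps(bytes_per_frame=170, cycles_per_s=50, frames_per_cycle=80):
    """Sampled-value (SMV) traffic of one merging unit, in bit/s.
    Defaults are the paper's example: 170-byte frames, 50 Hz, 80 frames/cycle."""
    return bytes_per_frame * 8 * cycles_per_s * frames_per_cycle


def port_utilisation_pct(traffic_bps, port_bps=100_000_000):
    """Share of a 100 Mbit/s port consumed by the traffic."""
    return 100.0 * traffic_bps / port_bps


def transmission_delay_ms(packet_bits, rate_bps):
    """Eq. (1): transmission delay = N / R, returned in milliseconds."""
    return 1000.0 * packet_bits / rate_bps


def max_packet_bits_within_limit(rate_bps, limit_ms=PROTECTION_LIMIT_MS):
    """Largest packet (in bits) whose transmission delay still meets the limit
    (assumed helper: inverts Eq. (1) for the 4 ms relay budget)."""
    return rate_bps * limit_ms / 1000.0


def ids_delay_budget(plain_bits, ids_bits, rate_bps, limit_ms=PROTECTION_LIMIT_MS):
    """Compare the delay of a plain packet with that of an IDS-framed packet.
    Returns (delay_plain_ms, delay_ids_ms, added_ms, within_limit)."""
    d_plain = transmission_delay_ms(plain_bits, rate_bps)
    d_ids = transmission_delay_ms(ids_bits, rate_bps)
    return d_plain, d_ids, d_ids - d_plain, d_ids <= limit_ms


if __name__ == "__main__":
    rate = smv_traffic_bps()  # 5.44 Mbit/s, the paper's merging-unit traffic
    print(f"SMV traffic: {rate / 1e6:.2f} Mbit/s "
          f"({port_utilisation_pct(rate):.2f}% of a 100M port)")
    d_plain, d_ids, added, ok = ids_delay_budget(8_000, 12_000, rate)
    print(f"delay without IDS: {d_plain:.3f} ms, with IDS: {d_ids:.3f} ms, "
          f"added: {added:.3f} ms, within {PROTECTION_LIMIT_MS} ms: {ok}")
    print(f"largest packet within budget: {max_packet_bits_within_limit(rate):.0f} bits")
```

The last helper makes the budget argument explicit: at the paper’s 5.44 Mbit/s rate, any packet up to about 21.8 Kbit still transmits within 4 ms, so the 12 Kbit IDS packet fits but a second IDS stage that doubled the framing again would not.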
V. SIMULATED ATTACKS AND RESULTS
In this part, different simulated attacks are implemented, and the simulated IDS is set to detect any packet larger than 12 kB, which is the largest size of a regular substation packet with IDS.
(Fig. 2 components: SCADA, Gateway, IDS, Switch, IEC 61850 System)
The results of the simulated attacks are shown in the table below.
TABLE II. ATTACKS AND RESULTS USING IDS
Attack | IDS packet size (kB) | Blocked data (%) | Connection status
DoS | 64 | 99% | No connection
MITM | 32 | 97% | No connection
SP | 20 | 94% | No connection
No attack | 12 | 0% | Slow connection
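The size-threshold rule of Section V, applied to a constructed packet trace, as an added example rather than the paper’s simulator. The trace (a merging unit sending regular 12 kB packets and a second host sending larger ones), the host labels and the function names are assumptions made here; the blocked-data percentage and per-source connection status mimic the columns of Table II but are computed on the constructed trace, not reproduced from the paper’s results.

```python
# Added example (not the paper's simulator): the Section V IDS rule, "drop any
# packet larger than the regular 12 kB IDS packet", run over a constructed
# trace. Host labels, trace contents and function names are assumptions.
from dataclasses import dataclass

THRESHOLD_KB = 12  # Section V: largest regular substation packet with IDS overhead


@dataclass(frozen=True)
class Packet:
    src: str       # constructed host label
    size_kb: int   # packet size in kB, as in Table II


def is_oversized(pkt, threshold_kb=THRESHOLD_KB):
    """Rule-based check: anything above the regular IDS packet size is dropped."""
    return pkt.size_kb > threshold_kb


def make_trace(attack_size_kb=None, n_normal=4, n_attack=4):
    """Constructed trace: merging unit 'mu1' sends regular 12 kB packets; an
    optional second host 'host2' sends n_attack packets of attack_size_kb."""
    trace = [Packet("mu1", THRESHOLD_KB) for _ in range(n_normal)]
    if attack_size_kb is not None:
        trace += [Packet("host2", attack_size_kb) for _ in range(n_attack)]
    return trace


def filter_trace(trace, threshold_kb=THRESHOLD_KB):
    """Split a trace into (passed, blocked) according to the size rule."""
    passed = [p for p in trace if not is_oversized(p, threshold_kb)]
    blocked = [p for p in trace if is_oversized(p, threshold_kb)]
    return passed, blocked


def blocked_pct(trace, threshold_kb=THRESHOLD_KB):
    """Share of the trace's bytes dropped by the rule (Table II's 'Blocked data')."""
    total = sum(p.size_kb for p in trace)
    dropped = sum(p.size_kb for p in trace if is_oversized(p, threshold_kb))
    return 100.0 * dropped / total if total else 0.0


def source_status(trace, threshold_kb=THRESHOLD_KB):
    """Per-source verdict: a source that sent any oversized packet is cut off
    ('No connection'); an unflagged source only pays the IDS inspection delay
    ('Slow connection')."""
    status = {}
    for p in trace:
        if is_oversized(p, threshold_kb):
            status[p.src] = "No connection"
        else:
            status.setdefault(p.src, "Slow connection")
    return status


def summarize(scenarios):
    """Rows shaped like Table II for a dict of {name: attack_size_kb or None}."""
    rows = []
    for name, size in scenarios.items():
        trace = make_trace(size)
        rows.append((name, size if size is not None else THRESHOLD_KB,
                     round(blocked_pct(trace), 1), source_status(trace)))
    return rows


if __name__ == "__main__":
    # Constructed scenarios using the packet sizes from Table II.
    for row in summarize({"DoS": 64, "MITM": 32, "SP": 20, "No attack": None}):
        print(row)
```

Because the rule only inspects size, a sender that stays at or below 12 kB is never flagged; the example makes that edge explicit (a 12 kB packet from the second host passes), which is why the paper pairs IDS with access control and MAC address control rather than relying on it alone.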
VI. CONCLUSION
Current IEC 61850-based networks are secure by nature. However, more challenges will arise when the real implementation of routable GOOSE starts.
Further challenges include physical attacks, such as Ethernet jamming attacks. Physical attacks are the main threat to current IEC 61850 networks, yet researchers should also be aware of all possible cyber-attacks, even though these rarely happen in the case of LANs.
IDS is not a model solution for IEC 61850 security drawbacks, due to the added delay, yet the results show that IDS is able to detect any unusual packets and block the connection before the attack reaches the network.
Referring to Fig. 2, it is recommended to add another IDS after the switch in order to reduce the risk of direct attacks on the switches as well as malware from e.g. an infected USB drive, but this solution adds extra delay that might exceed the limit of 4 ms.
REFERENCES
[1] U. Carmo, D.H. Sadok and Judith Kelner, “IEC 61850 Traffic Analysis in Electrical Automation Networks,” 2015 IEEE International Conference on Smart Grid Communications (SmartGridComm): Communications and Networks to Enable the Smart Grid, Miami, FL, USA, November 2015.
[2] IEC 62351, Part 6: Data and communication security - Security for IEC 61850, 2007-01.
[3] U.K. Premaratne, J. Samarabandu, T.S. Sidhu, R. Beresh, T. Jian-Cheng Tan, “An Intrusion Detection System for IEC61850 Automated Substations,” IEEE Transactions on Power Delivery, Vol. 25, Issue 4, pp. 2376–2383, October 2010.
[4] Y. Yang, H. T. Jiang, K. McLaughlin, L. Gao, Y.B. Yuan, W. Huang and S. Sezer, “Cybersecurity Test-Bed for IEC 61850 based Smart Substations,” Power & Energy Society General Meeting, 2015 IEEE, Denver, CO, USA, October 2015.
[5] M. Schonlau and M. Theus, “Detecting masquerades in intrusion detection based on unpopular commands,” Inf. Process. Lett., vol. 76, no. 1–2, pp. 33–38, Nov. 2000.
[6] R. Maxion and T. Townsend, “Masquerade Detection Augmented with Error Analysis,” IEEE Trans. Rel., vol. 53, no. 1, pp. 124–147, Mar 2004.
[7] W. DuMouchel, “Computer intrusion detection based on bayes factors for comparing command transition probabilities,” Tech. Rep. 91, 1999.