Cyber intrusions into substations of a power grid and proposed security framework

Vulnerabilities & Intrusion Scenarios

The cyber security of power substations has been recognized as a critical issue, since a substation consists of various types of critical physical and cyber devices. These devices can be physically or electrically connected, e.g., a protection and control unit of a transformer is connected to the user-interface via the substation local area network.

Cyber intrusions into substations of a power grid

Remote access to substation networks, e.g., to an IED or the user-interface, is a common way to maintain substation facilities. However, it raises many potential cyber security issues, such as:

  1. Well-trained intruder(s) compromise the remote access points for cyber attacks,
  2. Standardized communication protocols allow intruders to analyze the substation communications,
  3. Multicast messages (e.g., GOOSE and SMV) that cannot be encrypted due to the performance requirements,
  4. Misconfigured firewalls, and
  5. IEDs and user-interfaces with default passwords.

Power Substation Vulnerabilities

Unsecured Industrial Protocols

The communication protocol is an important element for the operation of a power grid. Protocol messages must not be modified, fabricated or monitored except by system operators.

Despite their importance, cyber security features are not included in most industrial protocols since cyber security was not a major concern when industrial communication protocols were published, e.g., DNP 3.0, IEC 61850, IEC 60870-5 and Inter-Control Centre Communication Protocol (ICCP).

Therefore, IEC TC 57 WG 15 established the IEC 62351 standard. The primary objective is to develop standards for security of the communication protocols defined by IEC TC 57.

The GOOSE and SMV messages contain critical information and use the multicast scheme. The multicast scheme has potential cyber vulnerabilities, e.g., group access control and group center trust.

 Overview of substation ICT network diagram and security threats

Most encryption schemes or other cyber security features that delay transmission are not applicable to these protocols, since the performance requirement for GOOSE and SMV messages is within 4 ms.

Therefore, IEC 62351 standard recommends an authentication scheme with a digital signature using Hash-based Message Authentication Code (HMAC) for GOOSE and SMV.

However, the performance test to apply the authentication scheme to GOOSE and SMV is yet to be performed. Existing intrusion and anomaly detection systems do not normally support IEC 61850 based protocols, since they are more focused on general cyber intrusions such as Distributed Denial of Service (DDoS) attacks.
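The following added example (not code from the dissertation or from IEC 62351) shows HMAC-based authentication of a multicast payload and measures its cost against the 4 ms requirement. The key, the truncated tag length and the text payload are constructed assumptions, and timing on a workstation says nothing about an IED's processor.

```python
import hashlib
import hmac
import time

TAG_LEN = 16            # assumption: tag truncated to 128 bits
BUDGET_S = 0.004        # the 4 ms GOOSE/SMV requirement quoted above
KEY = bytes(range(32))  # constructed demo key; real keys come from key management
# Constructed stand-in for a GOOSE payload (real frames are ASN.1 BER encoded).
SAMPLE = b"gocbRef=SUB1/LLN0$GO$trip;stNum=7;sqNum=0;trip=1"


def protect(key: bytes, payload: bytes) -> bytes:
    """Publisher side: append a truncated HMAC-SHA256 tag to the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def verify(key: bytes, frame: bytes):
    """Subscriber side: return the payload if the tag is valid, else None."""
    if len(frame) <= TAG_LEN:
        return None
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(tag, expected) else None


def mean_cost(key: bytes, payload: bytes, rounds: int = 2000) -> float:
    """Average seconds for one protect+verify round trip on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify(key, protect(key, payload))
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    frame = protect(KEY, SAMPLE)
    tampered = frame.replace(b"trip=1", b"trip=0")
    print("valid frame accepted:", verify(KEY, frame) == SAMPLE)
    print("tampered frame accepted:", verify(KEY, tampered) is not None)
    cost = mean_cost(KEY, SAMPLE)
    print(f"mean cost {cost * 1e6:.1f} us = {cost / BUDGET_S:.2%} of the 4 ms budget")
    # Note: a replayed valid frame still verifies; freshness needs a separate
    # check, and every holder of the group key can produce valid tags.
```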

In order to mitigate the communication based cyber attacks to substation automation networks, the work of [11] proposed an Intrusion Detection System (IDS) for IEC 61850 based substation automation system.

Attack tree diagram for substation automation systems

Objectives and Contributions

This dissertation is concerned with anomaly detection at a substation. An integrated method for host-based and network-based anomaly detection schemes is proposed.

The host-based anomaly detection uses a systematic extraction technique for intrusion footprints that can be used to identify credible intrusion events within a substation, e.g., firewall, user-interface, IEDs, and circuit breakers. The network-based anomaly detection is focused on multicast messages in a substation network. It also detects, in a real-time environment, anomalies that demonstrate abnormal behaviors.

The main contributions of this dissertation are:

  1. An integrated anomaly detection system for protection of IEC 61850 based substation automation systems, e.g., IEDs, user-interface and firewall,
  2. A network-based anomaly detection algorithm that can be used to detect malicious activities of IEC 61850 based multicast protocols, e.g., GOOSE and SMV, across the substation network,
  3. An impact evaluation method based on the detected anomalies, and
  4. Simultaneous anomaly detection among multiple substations using anomaly detection system data.

Anomaly detection for multicast messages in a substation automation network is a new field of research for the power grids. In this research, a cyber security testbed has been developed and used to validate the proposed anomaly detection algorithms.
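As an added illustration of network-based anomaly detection on GOOSE (this is not the dissertation's algorithm, which this page does not describe), the sketch below checks the stNum and sqNum counters of the GOOSE PDU for consistency per stream. The class, rule names and sample frames are constructed, and counter rollover is not handled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Goose:
    gocb_ref: str   # control block reference identifying the stream
    st_num: int     # state number: +1 on every data change
    sq_num: int     # sequence number: restarts at 0 on a new state, +1 per repeat
    data: tuple     # decoded dataset values


def check_stream(messages):
    """Return (index, rule) alerts for frames that break the counter rules."""
    last, alerts = {}, []
    for i, m in enumerate(messages):
        prev = last.get(m.gocb_ref)
        if prev is not None:
            if m.st_num < prev.st_num:
                alerts.append((i, "ST_BACKWARDS"))   # stale or replayed state
                continue                             # keep tracking the newer state
            if m.st_num == prev.st_num:
                if m.sq_num <= prev.sq_num:
                    alerts.append((i, "SQ_REPLAY"))  # duplicate or replayed repeat
                    continue
                if m.data != prev.data:
                    alerts.append((i, "DATA_CHANGED"))  # data changed, stNum did not
                elif m.sq_num > prev.sq_num + 1:
                    alerts.append((i, "SQ_GAP"))     # repeats lost on the network
            elif m.st_num > prev.st_num + 1:
                alerts.append((i, "ST_JUMP"))        # states skipped
            elif m.sq_num != 0:
                alerts.append((i, "SQ_NOT_RESET"))   # new state must restart at 0
        last[m.gocb_ref] = m
    return alerts


REF = "SUB1/LLN0$GO$trip"   # constructed control block reference
SAMPLE_STREAM = [           # constructed frames, not captured traffic
    Goose(REF, 5, 0, (False,)), Goose(REF, 5, 1, (False,)),
    Goose(REF, 5, 2, (False,)), Goose(REF, 5, 1, (False,)),
    Goose(REF, 5, 3, (True,)), Goose(REF, 6, 0, (True,)),
    Goose(REF, 40, 0, (False,)), Goose(REF, 6, 1, (True,)),
]

if __name__ == "__main__":
    for index, rule in check_stream(SAMPLE_STREAM):
        print(index, rule, SAMPLE_STREAM[index])
```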

Cyber intrusions are simulated using the testbed, which includes protective IEDs. The test results demonstrate that the proposed anomaly detection algorithms are effective for the detection of simulated attacks.

Title: Cyber security of substation automation systems – JUNHO HONG – A dissertation submitted in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY at WASHINGTON STATE UNIVERSITY School of Electrical Engineering and Computer Science
Size: 1.4 MB

One Comment

    Jan 28, 2020

    Hope more papers on the issue to come from different study centers and experts. If anyone can advise what precautions to be provided in your local substations and user end facilities, please share in my mail
    Thank you all
