Vulnerabilities & Intrusion Scenarios
The cyber security of power substations has been recognized as a critical issue because a substation consists of various types of critical physical and cyber devices. These devices can be physically or electrically connected, e.g., a protection and control unit of a transformer is connected to the user-interface via the substation local area network.
Remote access to substation networks, e.g., to an IED or user-interface, is a common way to maintain the substation facilities. However, there are many potential cyber security issues, such as:
- Well-trained intruder(s) compromise the remote access points for cyber attacks,
- Standardized communication protocols allow intruders to analyze the substation communications,
- Multicast messages (e.g., GOOSE and SMV) that cannot be encrypted due to the performance requirements,
- Misconfigured firewalls, and
- IEDs and user-interfaces with default passwords.
Power Substation Vulnerabilities
Unsecured Industrial Protocols
Communication protocols are an important element for the operation of a power grid. Protocol messages must not be modified, fabricated or monitored except by system operators.
Therefore, IEC TC 57 WG 15 established the IEC 62351 standard. The primary objective is to develop standards for security of the communication protocols defined by IEC TC 57.
The GOOSE and SMV messages contain critical information and use the multicast scheme. The multicast scheme has potential cyber vulnerabilities, e.g., group access control and group center trust.
Most encryption schemes or other cyber security features that delay the transmission time are not applicable for these protocols since the performance requirement of GOOSE and SMV messages is within 4 [msec].
Therefore, the IEC 62351 standard recommends an authentication scheme with a digital signature using Hash-based Message Authentication Code (HMAC) for GOOSE and SMV.
However, the performance test to apply the authentication scheme to GOOSE and SMV is yet to be performed. The existing intrusion and anomaly detection systems do not normally support IEC 61850-based protocols since they are more focused on general cyber intrusions such as Distributed Denial of Service (DDoS) attacks.
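The HMAC approach and the 4 msec requirement described above, as an added example (not code from the dissertation or from IEC 62351): it tags and verifies a GOOSE-like payload with HMAC-SHA256 and times the computation on the host that runs it. The payload text, the key and the function names are constructed for illustration, and the framing is not the IEC 62351 wire format.

```python
import hashlib
import hmac
import time

TAG_LEN = 32        # length of a full HMAC-SHA256 tag in bytes
BUDGET_S = 0.004    # the 4 msec GOOSE/SMV requirement stated in the text

# Constructed sample values: a demo key and a text stand-in for a GOOSE payload.
KEY = bytes(range(32))
SAMPLE = b"gocbRef=IED1/LLN0$GO$trip;stNum=7;sqNum=0;data=breaker_open"


def protect(key: bytes, payload: bytes) -> bytes:
    """Publisher side: append an HMAC-SHA256 tag to the payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, frame: bytes):
    """Subscriber side: return the payload if the tag is valid, else None."""
    if len(frame) < TAG_LEN:
        return None  # too short to carry a tag at all
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(tag, expected) else None


def mean_cost_seconds(key: bytes, payload: bytes, rounds: int = 2000) -> float:
    """Mean time for one tag-and-verify round trip on this host.

    This measures computation only; network transfer and the slower
    processor of a real IED are outside what it can show.
    """
    start = time.perf_counter()
    for _ in range(rounds):
        verify(key, protect(key, payload))
    return (time.perf_counter() - start) / rounds


def fits_budget(cost_s: float, budget_s: float = BUDGET_S) -> bool:
    """True if the measured cost leaves room inside the transfer budget."""
    return cost_s < budget_s


if __name__ == "__main__":
    cost = mean_cost_seconds(KEY, SAMPLE)
    print(f"mean tag+verify cost: {cost * 1e6:.1f} us, fits 4 msec: {fits_budget(cost)}")
    tampered = bytearray(protect(KEY, SAMPLE))
    tampered[10] ^= 0x01  # a single flipped bit in the payload
    print("tampered frame accepted:", verify(KEY, bytes(tampered)) is not None)
```
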
In order to mitigate the communication based cyber attacks to substation automation networks, the work of  proposed an Intrusion Detection System (IDS) for IEC 61850 based substation automation system.
Objectives and Contributions
This dissertation is concerned with anomaly detection at a substation. An integrated method for host-based and network-based anomaly detection schemes is proposed.
The main contribution of this dissertation is a new method for:
- An integrated anomaly detection system for protection of IEC 61850 based substation automation system, e.g., IEDs, user-interface and firewall,
- A network-based anomaly detection algorithm that can be used to detect malicious activities of IEC 61850 based multicast protocols, e.g., GOOSE and SMV, across the substation network,
- An impact evaluation method based on the detected anomalies, and
- Simultaneous anomaly detection among multiple substations using anomaly detection system data.
Anomaly detection for multicast messages in a substation automation network is a new field of research for power grids. In this research, a cyber security testbed has been developed and used to validate the proposed anomaly detection algorithms.
Cyber intrusions are simulated using the testbed, which includes protective IEDs. The test results demonstrate that the proposed anomaly detection algorithms are effective for the detection of simulated attacks.
Title: Cyber security of substation automation systems – JUNHO HONG – A dissertation submitted in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY at WASHINGTON STATE UNIVERSITY School of Electrical Engineering and Computer Science