Cyber-Vulnerability of Power Grid Monitoring and Control Systems

Chee-Wooi Ten, Iowa State University, 2215 Coover Hall, Ames, IA 50011, +1 (515) 294-9338
Chen-Ching Liu, Iowa State University, 1117 Coover Hall, Ames, IA 50011, +1 (515) 294-4763
Manimaran Govindarasu, Iowa State University, 3219 Coover Hall, Ames, IA 50011, +1 (515) 294-9175
ABSTRACT

In this paper, a methodology is proposed for evaluating the impact of cyber attacks on the power grid. It is a systematic approach to evaluating the vulnerabilities of a SCADA system at three levels, i.e., system, scenario, and access points. The impact of a potential intrusion is evaluated based on the power flow solution. The cause-effect analysis in the proposed method determines the likelihood of the consequence, which is evaluated based on a substation outage. An IEEE 30 bus system is used to build a test case for the proposed method.

Keywords: Cyber-Vulnerability, Dependability Measures, and Power Automation.
1. INTRODUCTION

Technological innovation over the last decade has enabled communication protocols to become more flexible and accommodating to industry's needs for interoperability and maintainability in an open architecture environment [1], [2]. By introducing standard protocols based on TCP/IP, the innovation also raises concerns about cyber-related issues [3], [4]. These concerns include large-scale interdependencies between computer, communication, and power infrastructures due to the complexity of the required compliance [5]. Although the complex infrastructure provides the capabilities for operation, control, business, and analysis, it also increases the security risks, including cybersecurity threats and vulnerabilities. Future needs for overcoming deficiencies of the communication architecture are discussed in [6].

The drawback of technological innovation includes security breaches that may lead to electronic intrusions. A successful intrusion into the control networks can lead to undesirable switching operations executed by attackers, resulting in widespread power outages. Three modes of malicious attacks on the power infrastructure are (i) attack upon the system, (ii) attack by the system, and (iii) attack through the system [7]. The American Gas Association (AGA) 12 task group established protection guidelines for gas SCADA systems that also apply to water and electricity SCADA systems because of their technical and operational similarity [8]. The compliance mandated by NERC CIP has established policies for all utilities in the U.S. that are intended to reduce the risks from the compromise of critical cyber assets [9]. Furthermore, the International Electrotechnical Commission Technical Council (IEC TC 57), power systems management and associated information exchange, has advanced the security of the standard communication protocols in IEC 62351, improving the authentication mechanisms with stronger encryption [10]. This also assures a higher security level for access to sensitive power equipment, with audit capabilities.

The high-speed communication of a fully automated substation system based on IEC 61850 provides comprehensive application usage for control and data acquisition through an Ethernet-based network. Its distributed applications, such as GOOSE or GSSE messages, which relate to the main functions of integrated protection, control, monitoring, and archiving, can be configured through the local user interface. The use of the Ethernet-based substation automation system (SAS) raises cybersecurity issues for power automation [11]. Regardless of the password strength, malicious intrusion attempts remain a potential threat. A typical intrusion involves the following steps: (i) identification of access points, (ii) penetration of the networks through the access points, (iii) determination of the targeted systems and learning to launch an attack, and (iv) termination by executing the attack. Although conducting a cyber-attack depends on an individual's motivation, the irregularity of routine maintenance on a SAS may make it prone to attacks. Attacks, such as disabling or changing the functionality of relay settings, can be made through the user interface of the SAS where it is linked to the intelligent electronic devices (IEDs) [12], [13]. This modification can be accomplished by accessing the web server of the SAS through the web-based user interface. Such modifications may not be noticed, since auditing of unmanned substations is not conducted frequently.

Conducting a cyber-attack that may lead to equipment damage requires planning and in-depth knowledge. Compliance with NERC's cybersecurity standards has become increasingly challenging due to the complexity of the interdependencies between the computer communication system and the physical infrastructure. This research proposes a methodology to study the impact of a cyber attack on supervisory control and data acquisition (SCADA) systems at three levels: system, scenarios, and access points. The method embeds firewall and password models, which are the primary modes of protection in the power industry today. A test case based on the IEEE 30 bus system is formulated to evaluate the impact of attacks launched from outside or within the substation networks [14-16].
2. MODELING FOR CYBER-VULNERABILITY

The methodology is to model intrusions and evaluate the consequences of a cyber-attack on the SCADA system. The proposed method is used to assess the vulnerability of computer networks and the potential loss of load in a power system as a result of a cyber attack. Fig. 1 shows the relationship between cyber attacks and the resulting impact on a power system. It is composed of two aspects: (1) a cyber-net model, and (2) power flow simulation. A cyber-net defines the intrusion scenarios together with their events and status. Power flow simulation determines the steady-state operating condition of a power system. The integration of these two models makes it possible to quantify the impact caused by a potential cyber attack.

Fig. 1. Cyber-Attack upon Power Systems

The proposed methodology can be used to:
1. Model the access points of control networks with a cyber-net model based on the firewall and password models.
2. Simulate the resulting impact based on power flow simulations.
3. Improve the cybersecurity of the SCADA system in accordance with the vulnerability assessment results.

The proposed vulnerability assessment method is performed at three levels: system, scenarios, and access points. Fig. 2 demonstrates a scenario consisting of the access points that are embedded with firewall and password models. The system vulnerability is the maximum value among all the substations.

A case study using the IEEE 30 bus test system has been set up with 24 substations. To validate the analytical approach, attacks launched from different locations are formulated. Two cases for vulnerability evaluation are considered:
1) An attack from outside the substation-level networks
2) An attack from within the substation networks

To formulate a realistic case, actual logon data from the Iowa State University information technology division was observed. The sample data is approximately 3 million records captured from the Kerberos authentication system for all users, which has been randomly generated within the range of 1e-5 to .005. This is used to calculate the probability set for the firewall and password models. The rates are assumed to be constant for all computer systems and firewalls. Table I shows the vulnerability level for each substation. The highlight indicates the bottleneck of system vulnerability.

TABLE I. VULNERABILITY ASSESSMENT FOR OUTSIDE AND INSIDE THREATS

| Sub. | From Outside: Existing | From Outside: Improved | Within Control Networks: Existing | Within Control Networks: Improved |
|---|---|---|---|---|
| 1 | 0.1513 | 0.0313 | 0.923 | 0.3176 |
| 2 | 0.2944 | 0.1154 | 0.8857 | 0.3007 |
| 3 | 0.1173 | 0.022 | 0.7486 | 0.5167 |
| 4 | 0.4437 | 0.093 | 1.1019 | 0.2613 |
| 5 | 0.2798 | 0.0628 | 1.2137 | 0.344 |
| 6 | 0.5386 | 0.2938 | 1.03 | 0.2719 |
| 7 | 0.5054 | 0.1128 | 1.0216 | 0.2803 |
| 8 | 0.4173 | 0.0939 | 1.082 | 0.2647 |
| 9 | 0.3126 | 0.0671 | 1.0702 | 0.3213 |
| 10 | 0.5218 | 0.1057 | 0.6861 | 0.2295 |
| 11 | 0.7225 | 0.2236 | 1.3175 | 0.523 |
| 12 | 0.5594 | 0.0964 | 0.8999 | 0.2244 |
| 13 | 0.3007 | 0.0687 | 0.9506 | 0.2761 |
| 14 | 1.1402 | 0.3625 | 1.4858 | 0.524 |
| 15 | 0.6633 | 0.1553 | 1.1364 | 0.3189 |
| 16 | 0.8287 | 0.1546 | 1.2061 | 0.2486 |
| 17 | 0.7949 | 0.2618 | 1.3743 | 0.4959 |
| 18 | 0.1745 | 0.0301 | 0.6885 | 0.418 |
| 19 | 0.2798 | 0.0371 | 0.8495 | 0.236 |
| 20 | 0.4075 | 0.0777 | 1.1085 | 0.2872 |
| 21 | 1.0377 | 0.3158 | 1.4457 | 0.4915 |
| 22 | 0.2329 | 0.0833 | 0.6731 | 0.2949 |
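As an added illustration, not code from the paper, the following Python transcribes Table I and applies the paper's system-level rule (the system vulnerability is the maximum over all substations) to locate the bottleneck substation, rank hardening priorities and quantify what the "Improved" configuration buys; the acceptance threshold used by `still_above` is an assumption for illustration, the paper sets none.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SubstationRow:
    """One row of Table I: vulnerability level of a substation per threat/configuration."""
    sub: int
    outside_existing: float
    outside_improved: float
    within_existing: float
    within_improved: float


# Table I transcribed: (substation, outside existing, outside improved, within existing, within improved).
TABLE_I = [SubstationRow(*row) for row in [
    (1, 0.1513, 0.0313, 0.923, 0.3176), (2, 0.2944, 0.1154, 0.8857, 0.3007),
    (3, 0.1173, 0.022, 0.7486, 0.5167), (4, 0.4437, 0.093, 1.1019, 0.2613),
    (5, 0.2798, 0.0628, 1.2137, 0.344), (6, 0.5386, 0.2938, 1.03, 0.2719),
    (7, 0.5054, 0.1128, 1.0216, 0.2803), (8, 0.4173, 0.0939, 1.082, 0.2647),
    (9, 0.3126, 0.0671, 1.0702, 0.3213), (10, 0.5218, 0.1057, 0.6861, 0.2295),
    (11, 0.7225, 0.2236, 1.3175, 0.523), (12, 0.5594, 0.0964, 0.8999, 0.2244),
    (13, 0.3007, 0.0687, 0.9506, 0.2761), (14, 1.1402, 0.3625, 1.4858, 0.524),
    (15, 0.6633, 0.1553, 1.1364, 0.3189), (16, 0.8287, 0.1546, 1.2061, 0.2486),
    (17, 0.7949, 0.2618, 1.3743, 0.4959), (18, 0.1745, 0.0301, 0.6885, 0.418),
    (19, 0.2798, 0.0371, 0.8495, 0.236), (20, 0.4075, 0.0777, 1.1085, 0.2872),
    (21, 1.0377, 0.3158, 1.4457, 0.4915), (22, 0.2329, 0.0833, 0.6731, 0.2949),
]]


def system_vulnerability(rows, column):
    """Paper's system-level rule: the system vulnerability is the maximum over all
    substations. Returns (value, id of the bottleneck substation)."""
    worst = max(rows, key=lambda r: getattr(r, column))
    return getattr(worst, column), worst.sub


def ranked_bottlenecks(rows, column, top=3):
    """Substation ids from most to least vulnerable: hardening these first is what
    actually lowers the system-level figure, since it is a maximum."""
    ordered = sorted(rows, key=lambda r: getattr(r, column), reverse=True)
    return [r.sub for r in ordered[:top]]


def improvement_ratio(rows, threat):
    """Relative reduction of the system vulnerability achieved by the 'Improved'
    configuration for a threat model ('outside' or 'within')."""
    before, _ = system_vulnerability(rows, f"{threat}_existing")
    after, _ = system_vulnerability(rows, f"{threat}_improved")
    return 1 - after / before


def still_above(rows, column, threshold):
    """Substations whose level stays above an acceptance threshold (assumed, not from the paper)."""
    return [r.sub for r in rows if getattr(r, column) > threshold]
```

Substation 14 is the bottleneck under all four columns, so the "Improved" system-level figure is set entirely by that one substation.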
3. CONCLUSION AND FUTURE WORK

A comprehensive cybersecurity framework for critical infrastructure systems is needed. This paper introduces a procedure for assessing cyber-based (electronic) intrusion attacks on a power system control network.

Fig. 2. Combination of a Firewall with n Rules and n Computers

The proposed approach opens up several opportunities for future research:
1. Extending the proposed risk modeling approach with comprehensive economic and intrusion models.
2. Extending the proposed risk modeling to model DoS attacks and their resulting consequences on the power system.
3. Developing offline and online mitigation strategies to minimize the cyber-associated risks of the power control network.
4. Developing visualization techniques to deliver the vast and relevant information from geographically dispersed substations, in order to show the outcome of the risk analysis.

4. ACKNOWLEDGMENTS

The authors gratefully acknowledge the support of the Electric Power Research Center (EPRC), Iowa State University.

5. REFERENCES

[1] A. G. Bruce and R. Lee, "A framework for the specification of SCADA data links," IEEE Trans. Power Syst., vol. 9, no. 1, pp. 560–564, Feb. 1994.
[2] M. Adamiak and W. Premerlani, "The role of utility communications in a deregulated environment," in Proc. 32nd Annual Hawaii Intl. Conf. on System Sciences (HICSS-32), Track 3, pp. 3026–2032, 1999.
[3] Supervisory control and data acquisition (SCADA) systems. National Communications System, Technical Information Bulletin 04-1, Oct. 2004. [Online]. Available: http://www.ncs.gov/library/techbulletins/2004/tib 04-1.pdf
[4] R. L. Krutz, Securing SCADA Systems, 1st ed. Wiley Pub., Nov. 28, 2005.
[5] M. Amin and B. F. Wollenberg, "Toward a smart grid: Power delivery for the 21st century," IEEE Power & Energy Mag., vol. 3, no. 5, pp. 34–41, Sep. 2005.
[6] F. F. Wu, K. Moslehi, and A. Bose, "Power system control centers: Past, present, and future," Proc. IEEE, vol. 93, no. 11, pp. 1890–1908, Nov. 2005.
[7] M. Amin, "Security challenges for the electricity infrastructure," IEEE Security & Privacy, vol. 35, no. 4, pp. 8–10, Apr. 2002.
[8] F. T. Sheldon, S. G. Batsell, P. S. J., and M. A. Langston, "Cryptographic protection of SCADA communications – part 1: Background, policies and test plan," prepared by AGA 12 task group, Draft 6, no. 12, Sep. 7, 2003.
[9] "User manual for the workshop," in Cybersecurity Standards Workshop, North American Electric Reliability Council (NERC), Minneapolis, MN, Sep. 2006.
[10] F. Cleveland, "IEC TC57 security standards for power systems information infrastructure - beyond simple encryption," in Proc. IEEE Power Engineering Society General Meeting, Tampa, FL, Jun. 24-28, 2007.
[11] S. Su, W.-L. Chan, K.-K. Li, X. Duan, and X. Zeng, "Context information-based cybersecurity defense of protection system," IEEE Trans. Power Del., vol. 22, no. 3, pp. 1477–1481, Jul. 2007.
[12] M. Naedele, D. Dzung, and M. Stanimirov, "Network security for substation automation systems," in U. Voges (Ed.), SAFECOMP 2001, LNCS 2187, Springer-Verlag, Berlin/Heidelberg, 2001, pp. 25–34.
[13] R. Mackiewicz, Benefits of IEC61850 networking. Technical report, UCA User Group by Sisco. [Online]. Available: http://www.ucausersgroup.org/
[14] C.-W. Ten, C.-C. Liu, and M. Govindarasu, "Vulnerability assessment of cybersecurity for SCADA systems," to appear in IEEE Trans. Power Syst.
[15] C.-W. Ten, C.-C. Liu, and M. Govindarasu, "Vulnerability assessment of cybersecurity for SCADA systems using attack trees," in Proc. IEEE Power Engineering Society General Meeting, Tampa, FL, Jun. 24-28, 2007.
[16] C.-W. Ten, M. Govindarasu, and C.-C. Liu, "Cybersecurity for electric power control and automation systems," in Proc. eNetworks Cyberengineering Workshop, IEEE Syst., Man, and Cybernetics 2007, Montreal, Canada.