

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 25, NO. 4, OCTOBER 2010

Security Analysis and Auditing of IEC61850-Based Automated Substations
Upeka Premaratne, Jagath Samarabandu, Member, IEEE, Tarlochan Sidhu, Fellow, IEEE, Robert Beresh, Senior Member, IEEE, and Jian-Cheng Tan, Member, IEEE
Abstract—This paper proposes a scheme for auditing the security of an IEC61850-based network based upon a novel security metric for intelligent electronic devices (IEDs). A detailed security analysis of an IEC61850 automated substation is performed initially with a focus on the possible goals of the attacker. This is followed by the development of a scheme to audit the security of such a network. Security metrics are considered since they provide a tangible means of quantifying the security of a network. The proposed auditing scheme is tested by using it to audit the security of an IEC61850 network. The results are then compared with two other metric schemes—the mean time to compromise (MTTC) metric and the VEA-bility metric, which are used for auditing conventional computer networks. The input data for both metrics are obtained by using a network security tool to scan the IEDs of the network. The impact of using high-traffic-generating network security tools on a time-critical IEC61850 network is also investigated.

Index Terms—IEC61850, information security, security analysis, security auditing, security metrics, security tools, substation automation.

II. SECURITY ANALYSIS

The purpose of security analysis is to identify the possible threats to an IEC61850 automated substation. Numerous schemes exist for the identification of various aspects of information and network security. These schemes can be separated into two main categories: 1) identification from the perspective of a defender or 2) identification from the perspective of an attacker.

A. Defender Perspective
Security analysis from the perspective of the defender involves looking at the security requirements of the defender. This leads to a security policy which, in turn, requires security mechanisms to enforce it [2]. The enforceability of a security policy depends on the mechanisms used [3], which should be selected in a manner that they do not compromise the performance of the system [4], [5]. The report of the Power System Relaying Committee of the IEEE Power and Energy Society [6], [7] provides a comprehensive listing of security mechanisms applicable to IEDs.

B. Attacker Perspective
The other method of security design involves looking at the problem from the perspective of the attacker [8]. Intuitively, this perspective is more effective because an attacker is always motivated to achieve the set goal. Research in this context is more realistic, because realistic data can be obtained through simulated attacks [9] and bait networks known as honeypots [10]. In a honeypot, a network is set up with the intent of luring and recording the behavior of real attackers.

C. Threat Identification
The next step is to apply the analysis technique to the IEC61850-based system. In this context, two main attacker goals can be identified by using the attacker perspective approach [8]. These are:
1) disruption of the utility service (attack on availability);
2) gaining access to confidential information for malicious purposes, such as unfair competition, blackmail, etc. (attack on confidentiality).
Only two of the four types of attacks listed by Stallings [11] are listed. In, for example, a financial institution, modification and fabrication would be the likely goals of the attacker. However, in a substation both modification and fabrication would be used as techniques to fulfill the two main goals. For example, an attacker may send false information or modify existing information to confuse and shut down a substation (goal of disrupting service) or obtain confidential information [12]. These two goals can then be analyzed in detail to identify the methods an attacker

I. INTRODUCTION

IEC61850 is an Ethernet (IEEE 802.3)-based communication standard proposed for the control and automation of electric substations. It was developed jointly by the International Electrotechnical Commission (IEC) and IEEE with the aim of providing a flexible and interpretable communication system which could be easily integrated into the infrastructure of existing substations [1]. Electric substations are critical installations in the electric power grid and, hence, a prime target for malicious activity. This paper focuses on a novel method to assess and audit the security of an IEC61850-based network. This paper commences with a security analysis of electric substations (Section II). This is followed by an introduction to the proposed auditing scheme (Section III). Section IV introduces the novel metric for IEDs. The impact of security tools on the network is investigated in Section V. Section VI details the results of the sample audit using the scheme.

Manuscript received January 15, 2009; revised April 29, 2009. First published April 19, 2010; current version published September 22, 2010. This work was supported by Kinectrics. Paper no. TPWRD-00043-2009. U. Premaratne, J. Samarabandu, and T. Sidhu are with the Department of Electrical and Computer Engineering, University of Western Ontario, London, ON N6A 3K7, Canada (e-mail: upremara@uwo.ca; jagath@uwo.ca; sidhu@eng.uwo.ca). R. Beresh and J. C. Tan are with Kinectrics, Inc., Toronto, ON M8Z 6C4, Canada (e-mail: bob.beresh@kinectrics.com; jian-cheng.tan@kinectrics.com). Digital Object Identifier 10.1109/TPWRD.2010.2043122

0885-8977/$26.00 © 2010 IEEE


TABLE I ATTACKS ON CONFIDENTIALITY

TABLE II DISRUPTION OF SERVICE

can use to achieve them. Such generic attacks along with their possible countermeasures can be identified using the approach of Ohta and Chikaraishi [13], as shown in Tables I and II.

D. IEC61850 Security Mechanisms
The existing security mechanisms of IEC61850 are specified in IEC62351-4 and IEC62351-6 [14]. These include:
1) IEC62351-4 specifies the ciphers used by IEC61850 for encryption. In addition, IEC62351-6 specifies the use of transport layer security (TLS).
2) Security for IEC61850 profiles using VLANs. Partitioning the network into VLANs prevents unauthorized access to IEDs outside the designated VLAN.
3) Security for the simple network time protocol (SNTP) via the mandatory use of the authentication algorithms of RFC2030. This prevents tampering via false time-stamp packets.
4) Explicit countering of man-in-the-middle attacks and tampering using the message authentication code (MAC) of IEC62351-6.
5) Explicit countering of replay attacks via the specialized processing state machines mentioned in IEC62351-4.
In addition, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard for the protection of critical cyber assets requires the incorporation of firewalls and anti-malware for compliance [15]. These security mechanisms are capable of countering a significant number of the security threats listed in Tables I and II. However, a determined attacker is bound to innovate new methods over time to compromise these existing security mechanisms.

III. PROPOSED SECURITY AUDITING SCHEME

Security auditing is the process of assessing the security of a computer system and making recommendations to the client. The IEC61850 network to be audited consists of the IEDs, switches, routers, firewall/gateway, HMI, and servers. The proposed audit scheme consists of the following stages:
1) preliminary survey of the network to identify its components, topologies, etc.;
2) security assessment of the hosts of the network (e.g., IEDs, gateway, HMI, and servers) and other components (e.g., switches and routers);
3) disclosing the results and recommendations to the client;
4) verification of the implementation of the recommendations.
Out of these stages, the focus of this paper is on the security assessment of the hosts. This stage consists of:
1) a security tool assessment to uncover potential vulnerabilities of the entire network that may be visible to an attacker;
2) an IED assessment to unravel the vulnerabilities of each IED and calculate the proposed IED metric from the obtained results.
The scope of this auditing scheme is focused on the network infrastructure and can be integrated into organization-wide security audits, such as ISO/IEC27001 [16].

IV. NOVEL IED SECURITY METRIC

The main motivation behind research into obtaining metrics for network security is to provide a tangible means of measuring the security of a network [17]. Due to the technical difference between an IED and a standard computer, applying the common vulnerability scoring system (CVSS), which is used by the National Institute of Standards and Technology (NIST) [18], to threats can only be accomplished for the computer-based nodes of an IEC61850 network, such as database servers, engineering stations, HMIs, and gateways. Hence, it is necessary to come up with an entirely new metric scheme for IEDs. This new metric scheme is compared with security metrics developed for conventional computers. These include the mean time to compromise (MTTC), proposed by Leversage and Byres and by McQueen et al. [20], and the VEA-bility metric proposed by Tupper and Zincir-Heywood. When looking at an IED from an attacker's perspective, different categories of IEDs will have different levels of importance depending on the goal of the attacker. For example, an attacker hoping to sabotage the grid may focus on tripping a relay


while someone seeking confidential information may target a data logging unit. Also, depending on their importance, different units will have different levels of security. Therefore, a security metric for IEDs should have the following properties:
• the ability to quantify the threat to the IED based upon the goal of the attacker;
• it should quantify the vulnerability of an IED based upon its security features;
• it should be capable of contrasting between a secure and an insecure network, similar to the VEA-bility metric.

A. Threat Identification
The first step is to identify the threats to different categories of IEDs. This is accomplished by taking categories of IEDs according to their designated function and identifying the possible attack scenarios, both physical and logical. In addition, hidden security threats due to the use of insecure protocols (e.g., ftp, telnet) or security vulnerabilities in the operating systems can be identified by the scan done by the security tool. When taken into broad categories, the possible scenarios include:
1) unauthorized access (UA)—the IED is accessed in order to give a false command, change the settings, or access sensitive data;
2) denial of service (DoS)—knocking the IED out of the network by disabling it or overwhelming it;
3) spoof (SP)—the IED is spoofed either physically or logically to mislead other devices;
4) data interception (DI)—sensitive data are intercepted;
5) stepping stone (SS)—the IED can be logically used as a stepping stone to launch an attack on another target.

B. Countermeasure Identification
Once the threats to an IED have been identified, it is possible to check whether the device has the appropriate security countermeasures. These are determined by:
1) scrutinizing the security features of the IED as specified by the manufacturer (e.g., encryption of data, use of secure protocols);
2) examining the security mechanisms of the network infrastructure (e.g., MAC address restriction by the switches to counter a DoS or ARP sniffer attack);
3) in case the device has vulnerabilities in its software or operating system, checking for available countermeasures in vulnerability repositories, such as the common vulnerabilities and exposures (CVE) database.
If a particular threat has the appropriate countermeasures, it can be nulled (i.e., eliminated) from the threat list.

C. Susceptibility
Each threat can also be adjusted according to its relative susceptibility. For example, in order to spoof a particular IED, it may be required to physically manipulate the device. Hence, this attack can be considered unlikely. On the other hand, the same device may be susceptible to remote false commands or false inputs, which are far more likely. This parameter defines the relative risk or likelihood of the attack based upon the location of the attacker.

D. Metric Formula and Calculation
From this, it is possible to come up with a formula to quantify the security of an IED and the IEC61850 network. The procedure for calculation involves:
1) prior identification of all known threats to each individual IED ( threats);
2) identification of the available countermeasures for each threat (where ). If a particular threat has one or more countermeasures, its countermeasure factor is set to one. The value of is set to zero if no countermeasures exist;
3) identification of the susceptibility of each threat, where
a) if the attack can be executed on the IED remotely from a WAN connected to the IEC61850 network, the value is 1;
b) if it has to be executed from within the IEC61850 network [local-area network (LAN)], the value is 0.2;
c) if physical manipulation is needed for launching the attack, the value is 0.1.
The values are selected so that the relative risks of a node-, LAN-, or wide-area network (WAN)-based attack are contrasted based upon their likelihood. The most likely type of attack is a remote attack launched from a distant location, while the least likely is an attack involving physical manipulation of a device, where there is a high risk of the attacker being detected.
4) based on this, a score can be calculated for each threat;
5) from this, the score for each IED can be calculated;
6) finally, the score for the entire network can be obtained.
To calculate the score for a particular threat based upon its susceptibility and countermeasure factor

(1)

The score for the th IED with the threats would hence be

(2)

Finally, the overall score of the network with IEDs can be calculated from

(3)

E. Compliance Threshold
Based on the final score , it is possible to define a compliance threshold. For example, the network can be considered secure if and only if the score R exceeds 9. In this case:
• a minor vulnerability where the attack needs to be executed by directly manipulating the IED or over the LAN would bring down the score to 9.9 or 9.8, respectively;
• if the network has a serious vulnerability where an attack can be launched over the WAN, the score would become 9, so the network will be vulnerable and noncompliant;


TABLE III SECURITY TOOL TRAFFIC STATISTICS

TABLE IV SECURITY TOOL HIGH-TRAFFIC LOADING TIME (APPROXIMATE)

Fig. 1. Typical traffic generated by Nessus 3.2.1 (Windows).

Fig. 2. Typical traffic generated by NMap 4.68 (Windows).

Fig. 3. Traffic generated by Nessus 3.2.1 (Linux) for a parallel host scan.

Fig. 4. NS-2 logical model.

Fig. 5. Physical and logical connection of a bay network.

Fig. 6. Topology of the entire substation network.

• if there are a small number of serious vulnerabilities or a large number of minor vulnerabilities, the score will tend toward 0 and indicate a highly insecure network.
Due to this, normalization of the result according to the size of the network or considering the geographical spread is not needed.

V. SECURITY TOOL TRAFFIC ANALYSIS

The delivery time for certain packets of IEC61850 is critical. The proposed security auditing scheme relies heavily on data obtained from scans of the IEDs using security tools. Therefore, it is necessary to assess the impact of the traffic generated by the security tool used on the network. This requires data collection, simulation, and testing of available network security tools, and weighing them against their benefits.

A. Data Collection
Data are collected using Ethereal, an open source network analyzer available on both Windows and Linux platforms. While Ethereal is running, each security tool is used to scan a target machine. The resulting traffic is then captured and used for analysis. A total of 10 target machines are tested, of which 5 have Windows-based operating systems and the rest have Linux-based operating systems. The network tools tested were Nessus 3.2.1 and NMap 4.68. Both tools were tested on Windows and Linux platforms. NMap 4.68 is a tool capable of identifying the operating system and listing a limited number of vulnerabilities. Nessus 3.2.1 is the most advanced tool, capable of giving a comprehensive list of vulnerabilities which can be used to calculate the VEA-bility metric. The main disadvantage of Nessus 3.2.1 is that, unlike its open source counterpart, the tests performed by the tool are not listed, and its comprehensive assessment generates a large amount of traffic.

B. Data Analysis
The collected data are then analyzed using MATLAB. The instantaneous traffic rate in packets per second for each scan is first calculated. If the instantaneous traffic rate is greater than 100 packets/s, it is considered high and, based on this, the time during which the generated traffic is high is obtained. From this, the average time during which the security tool generates high traffic can be obtained. Table III gives the traffic statistics for each tool for a particular host platform. According to it, Nessus, which does a more comprehensive set of tests, takes longer to assess a Windows machine than a Linux machine. The same can be said of NMap. Figs. 1 and 2 show typical security tool traffic profiles for computers. The important factor to be considered is the time during which the tool generates high traffic. Table IV shows the summary of high loading for different tools and target machines, approximated to the nearest multiple of 5 for convenience. Further study on the impact of security tools is done via simulations.

C. Parallel Scans
Nessus 3.2.1 allows multiple hosts to be scanned in parallel. Fig. 3 shows the traffic generated when five hosts are scanned in parallel. The scan time is approximately 140 s, but the average traffic is around 3000 packets/s, which is nearly 5 times greater than the maximum value for a single host (Table III). For nearly 80% of the scan time (110 s), the traffic is significantly greater than 100 packets/s.

D. Simulation
The simulation of the effect of the security tool is performed by using the open source simulator called the Network Simulator 2.33 (NS 2.33). Using the simulation, the delay and drop rate of packets are analyzed and compared to the standards of IEC61850-5.
1) IED Model: NS-2 logically abstracts a network node (Fig. 4) into a node which contains the data link and physical layers of the OSI model. The network and transport layers are handled by an entity known as an agent, while the application layer is handled by an application. Connection elements are used to connect nodes together. In order for two nodes to communicate, the sending node should have the relevant source agent to transmit the data according to the required protocol and application. The receiving node must have a sink agent. When modeling an IED using NS-2, it is possible to model a packet that bypasses the TCP/IP stack as a UDP agent with constant bit rate (CBR) traffic. Other packets, which use the TCP/IP protocol stack, can be modeled by using different TCP agents.
2) Substation Network: For simulation, the IEDs corresponding to a transformer bay and a feeder bay have to be constructed. A feeder bay would consist of a merging unit (MU) taking raw data samples, two protection and control relays (PC) to monitor the raw data, and a circuit breaker (CB) to act according to the fault. The transformer bay would consist of an MU, two PCs, and two CBs. All of the IEDs of a particular bay will be connected to a single switch. Fig. 5 shows the physical and logical connection of a bay network. Each bay switch will, in turn, be connected to the central station switch. The server collecting data from the substation and the HMI would also be connected to this switch. The entire topology of the station network is shown in Fig. 6. For the simulation, substations consisting of two transformer bays and two to six transformer bays are used. Each MU is assumed to take 1920 raw data samples per second to achieve class P3 protection [22]. During a fault, the PC IEDs send GOOSE

packets to the CB while the CB returns a reply to confirm reception. Four packets are exchanged each way. A fault is simulated every 0.5 s. In addition, each PC IED uploads a 2-kb status report to the server every 2 s.
3) Security Tool Model: The next stage of the simulation involves developing a model for the security tool. It is assumed that during a security audit, it will be connected to the station switch via a laptop. The security tool is modeled as a burst of high traffic lasting the duration of the load time (Table IV). Due to constraints of simulation time, and in order to generalize the situation, the burst duration is restricted to 10 s, during which a traffic of 1000 packets per second is generated. A UDP agent with Pareto traffic is used to produce the traffic of the security tool.
4) Results: Table V shows the results of the simulation for 10-Mb/s and 100-Mb/s Ethernet, respectively, in terms of the packet delay and drop rate. The simulation is performed for the following scenarios:
1) nothing (only sample values);
2) system with ftp transfers;
3) system with security tool running;
4) both ftp transfers and security tool running;
5) system with fault;
6) fault with ftp transfers;
7) fault with security tool running;
8) fault with both ftp transfers and security tool running.
The results clearly show that whenever the tool is in use, there is a significant increase in the packet drop rate. The effect on packet delay does not appear to be significant. Despite that, the safety of the network is still affected because, during the use of the security tool, a critical packet (e.g., a GOOSE packet) can get dropped.

VI. SAMPLE AUDIT

This section details a sample audit done on an IEC61850 network. The network contained the IEDs given in Table VI. Model and manufacturer details of all IEDs are withheld for confidentiality reasons. The groups IED1-IED4 (GROUP2), IED5-IED6 (GROUP1) and IED7 (GROUP3) come from three different manufacturers and tend to have common characteristics. The network switches come in two models, SWITCH1 and SWITCH2, from the same manufacturer.
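The following Python script is an added example, not the paper's MATLAB analysis: it carries out the Section V-B computation (instantaneous rate per second, time above 100 packets/s, rounding to the nearest multiple of 5 s as in Table IV) and the single-host versus parallel-scan comparison of Section V-C over constructed packet timestamps. The burst profiles are constructed to resemble Figs. 1 and 3 and are assumptions, not the captured data behind Tables III and IV.

```python
"""Section V-B traffic analysis over a CONSTRUCTED packet capture.

Input: packet arrival timestamps in seconds, as a capture tool such as
Ethereal would export them. Output: the instantaneous rate per 1-s bin,
the time during which the rate exceeds 100 packets/s, and that time
approximated to the nearest multiple of 5 s (the convention of Table IV).
"""
import math
from collections import Counter

HIGH_TRAFFIC_THRESHOLD = 100  # packets/s; Section V-B calls rates above this "high"


def make_capture(schedule):
    """CONSTRUCTED capture: schedule is a list of (duration_s, packets_per_s)
    segments; packets are spread evenly within each segment."""
    timestamps, t0 = [], 0.0
    for duration, rate in schedule:
        timestamps.extend(t0 + k / rate for k in range(int(duration * rate)))
        t0 += duration
    return timestamps


def packets_per_second(timestamps):
    """Instantaneous traffic rate: packet count per 1-s bin from the first
    packet to the last (empty bins count as 0)."""
    if not timestamps:
        return []
    start, end = math.floor(timestamps[0]), math.floor(timestamps[-1])
    counts = Counter(math.floor(t) - start for t in timestamps)
    return [counts.get(i, 0) for i in range(end - start + 1)]


def high_traffic_time(rates, threshold=HIGH_TRAFFIC_THRESHOLD):
    """Seconds during which the tool loads the network above the threshold."""
    return sum(1 for r in rates if r > threshold)


def round_to_5(seconds):
    """Table IV convention: approximate to the nearest multiple of 5 (half up)."""
    return int(seconds / 5 + 0.5) * 5


def summarize_scan(timestamps):
    """Per-scan statistics in the spirit of Tables III and IV."""
    rates = packets_per_second(timestamps)
    high = high_traffic_time(rates)
    return {
        "scan_time_s": len(rates),
        "avg_rate": round(sum(rates) / len(rates), 1),
        "peak_rate": max(rates),
        "high_time_s": high,
        "high_time_table_iv": round_to_5(high),
        "high_fraction": round(high / len(rates), 2),
    }


# CONSTRUCTED profiles: a single-host scan with a 12-s burst (cf. Fig. 1) and a
# five-host parallel scan whose burst covers most of the scan (cf. Fig. 3).
SINGLE_HOST_SCAN = make_capture([(2, 20), (12, 500), (3, 60)])
PARALLEL_SCAN = make_capture([(15, 80), (110, 3000), (15, 90)])


def parallel_load_ratio(parallel_ts, single_ts):
    """Section V-C compares the parallel scan's average rate with the maximum
    rate of a single-host scan (roughly 5x for five hosts in the paper)."""
    return round(summarize_scan(parallel_ts)["avg_rate"]
                 / summarize_scan(single_ts)["peak_rate"], 1)


if __name__ == "__main__":
    for name, ts in (("single host", SINGLE_HOST_SCAN), ("parallel", PARALLEL_SCAN)):
        print(name, summarize_scan(ts))
    print("parallel avg / single peak:",
          parallel_load_ratio(PARALLEL_SCAN, SINGLE_HOST_SCAN))
```

Replacing `make_capture` with timestamps read from a real capture gives the high-loading time an auditor should expect before connecting a scanner to a station switch (Section V-D3 models that burst in NS-2).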


TABLE V NETWORK SIMULATION RESULTS

TABLE VI SAMPLE IEC61850 NETWORK DEVICES

TABLE VIII SECURITY TOOL TRAFFIC STATISTICS—NESSUS 3.2.1

TABLE VII SECURITY TOOL SCAN RESULTS—OPEN PORTS

TABLE IX SECURITY TOOL TRAFFIC STATISTICS—NMAP 4.68

A. Security Tool Scan Results
The security tools reveal the open ports and services of each IED during the scan. When looking at the results (Table VII), it becomes apparent that Nessus 3.2.1 has a better capability of identifying open ports and services, such as modbus, ntp, and tftp. NMap 4.68, on the other hand, can identify most key ports and services but fails to identify the critical protocol modbus as well as udp-based services. Despite identifying more vulnerabilities, Nessus takes a long time to scan a single device when compared to NMap. It was also observed that Nessus would take an excessive amount of time when scanning tcp ports 102 and 502. However, when compared to a computer (Table III), the time during which the security tool loads the network with more than 100 packets/s is much less for either security tool. On average, for Nessus (Table VIII) it is just around 0.5 s, and for NMap (Table IX) it is around 0.15 s.

B. MTTC Calculation
Table X shows the MTTC for the hosts of the network based upon individual vulnerabilities. The MTTC for the entire network is 1.8806 days. However, none of the vulnerabilities can


TABLE X SAMPLE NETWORK HOST VULNERABILITIES

TABLE XIII COUNTERMEASURES FOR GROUP1 DEVICES

TABLE XI SAMPLE NETWORK HOST VULNERABILITY CVSS SCORES

TABLE XII SAMPLE NETWORK VEA-BILITY SCORE

be mitigated unless services such as telnet are completely disabled. This is not feasible. Hence, the MTTC of the network will not change.

C. VEA-Bility Calculation
The VEA-bility score of the network is obtained from the common vulnerabilities and exposures (CVEs) of the network. Table XI gives the CVEs of devices in the network uncovered by Nessus. The individual scores of attackability, exploitability, and vulnerability are then obtained for each device. Since the device has a firewall, the attackability score is zero for all devices. The individual score is then multiplied by the number of devices to get the VEA-bility score of the entire network (Table XII). The final score of 3.333 indicates a highly insecure network.

D. IED Assessment—GROUP1
The devices of GROUP1 are used for line protection and control. The settings of either device can be set via the front panel, via RS232, or via TCP/IP. The software provided by the manufacturer can be used as a graphical user interface (GUI)-based HMI for it.
1) Packet Sniffing: This device uses the ftp and telnet protocols. Both of these protocols have serious security vulnerabilities. In both protocols, passwords and data are unencrypted and, hence, vulnerable to an eavesdropping attack. In this attack scenario, the attacker would be able to obtain the passwords for the ftp or telnet protocol and launch an attack using them. With the use of switches that match different Ethernet speeds and reduced use of network hubs, the risk of a direct packet sniffing attack is reduced. This is because multi-speed switches

do not simply send the packet to all ports unless it is a broadcast packet. This makes an eavesdropping attack difficult but not impossible. According to Spangler [23], the three possible methods of attack are:
1) ARP cache poisoning;
2) CAM table flooding;
3) switch port stealing.
Nevertheless, it should be remembered that in order to launch a packet sniffing attack, the attacker would have to either compromise a machine within the IEC61850 network or have physical access to the network infrastructure.
2) Protocol Password Crack: The ftp and telnet protocols used by the relay can also be subjected to a password crack attack. Similar to the relay passwords, a brute force attempt may take too long, and a dictionary attack may be more likely. When telnet is used, access to these devices is trivial and the passwords are prompted. Since telnet transmits character by character, an automated brute force attack would be a non-trivial job for an attacker. Transmitting a single character at a time would also generate an abnormal amount of telnet packets with a single-character payload, which can be detected by an IDS. In the case of the ftp server, a brute force attack can be launched from a password cracker. For such an attack, the only thing the attacker needs to know is the user names for the ftp server of the IED, which can be found by consulting the manual.
3) Denial of Service Attacks: There are two possible scenarios of an attacker launching a DoS attack on these devices. The first scenario is an attacker explicitly targeting one of the services of the device, either ftp (port 21) or telnet (port 23), by opening idle connections. In the second scenario, the attacker launches a generic DoS by overwhelming the device and network by generating unwanted traffic.
4) Countermeasures: Table XIII shows the countermeasures for the possible attacks on GROUP1 devices. When calculating the metric for this device, it is necessary to find out if at least one of the required countermeasures is implemented within the network.

E. IED Assessment—GROUP2
The devices are mainly protection relays. They can be accessed via the front panel, RS232, or TCP/IP. The manufacturer provides a software suite to manipulate the settings via a GUI-based HMI.
1) Packet Sniffing: The software communicates with the relay via the http and Modbus protocols. The Modbus protocol


TABLE XIV COUNTERMEASURES FOR GROUP2 DEVICES

TABLE XV COUNTERMEASURES FOR THE GROUP3 DEVICE

G. Firewall is widely used in SCADA systems via TCP or RS232 and has no security mechanisms [24]. Similarly, http also has no security mechanisms and is used when information of the relay is viewed via a web browser. Thus, both of these protocols are vulnerable to a packet snif?ng attack since all of the data they transfer are unencrypted. The attack scenarios are similar to those of Section VI-DI. 2) Relay and Protocol Password Crack: Relays of this group use a 10 digit number as the password. Hence, a brute force password crack would require combinations. Such a crack would therefore take a signi?cant amount of time, hence detectable. The main advantage of using only digits is that a dictionary attack is infeasible. Hence, it can be considered to be more secure than devices of GROUP1. In order to crack the password, the Modbus protocol has to be used. 3) Denial of Service Attacks: Both Modbus and http are protocols designed for handling multiple clients or slaves. Hence, launching a DoS attack is non-trivial, especially for http since it is a stateless protocol. However, a DoS attack by overwhelming the client via fake traf?c is highly realistic. 4) Generic Unauthorized Access: In order to counter the possibility of unauthorized access, these devices have a security feature known where a command or change of setting requires con?rmation from the user and the supervisory control and data-acquisition (SCADA) operator. 5) Countermeasures: Table XIV gives the countermeasures for the possible threats for all GROUP2 devices. F. IED Assessment—GROUP3 The IED7 is a differential protection relay which can be accessed by its front panel, RS323, or TCP/IP using the software suite provided by the manufacturer. The possible attacks on this device include: ? The software uses the http and ftp protocols for communication, both are insecure and unencrypted. Therefore, this device is vulnerable to the same packet snif?ng attack scenario (Section VI-D-I ) as the former two. ? 
Both http and ftp protocols are vulnerable to protocol password crack attacks. ? It is also vulnerable to a ICMP DoS attack. Table XV lists the countermeasures for possible attacks on the device. The gateway/?rewall runs Windows XP and connects the IEC61850 network to external TCP/IP or DNP3 networks. This device runs the anti-malware software hence protects the network from such threats. It has both secure https and NERC CIP-compliant VPN support for security. This device can be the target of a stepping stone attack where an outside attacker can execute arbitrary code on the machine in order to compromise the security of the network. However, during the security tool scan of the device no such vulnerabilities were uncovered. H. Database Server The database server runs Microsoft SQL Server on Windows XP. It has no explicit secure protocols such as ssh or https because of the security implemented by MS SQL server itself. These services should however be properly enabled for optimum security. Similar to the Firewall, this device can also be used as a stepping stone by executing arbitrary code on it. Again, such vulnerabilities were not revealed during the security tool scan. I. Switches The network switches have a high number of security features implemented within them. These security features are implemented via secure protocols running on operating system within the switch. The security features can be categorized for switch management and network security. The protocols telnet, rsh, ssh, http, and https are used for switch management. Out of these, ssh and https are highly secure. In order to guarantee proper security, the remaining insecure protocols (telnet, http and rsh) have to be disabled. This device allows MAC address-based ?ltering, including associating single or multiple addresses to a single port. This security feature is vital in countering a number of possible threats, such as general unauthorized access and ARP-based packet snif?ng. J. 
J. IED Metric Calculation
In order to calculate the IED metric for the entire network, the score for each threat is evaluated using (1) from the data of Tables XVI–XVIII. Since most threats have the appropriate countermeasures, their respective threat scores are zero. The only threats with nonzero scores are the DoS attacks which can be launched from a remote location across a WAN. This is because, despite having a firewall which can block unwanted hosts, there is the possibility of an attacker using a legitimate host allowed by the firewall to launch the attack. Only an IDS would be able to detect such an attack. Based on this, the total threat score for each IED is calculated using (2) (Table XIX). The metric for the entire network is obtained from (3). It is calculated assuming that the network is either limited to a single LAN or interconnected to a WAN.

TABLE XVI METRIC CALCULATION FOR GROUP1 DEVICES

TABLE XVII METRIC CALCULATION FOR GROUP2 DEVICES

TABLE XVIII METRIC CALCULATION FOR THE GROUP3 DEVICE

TABLE XIX NETWORK METRIC CALCULATION

TABLE XX NETWORK METRIC SCORES

K. Audit Results
Table XX compares the score of the network under the three metric schemes used. All three metric schemes are consistent in indicating the weak security of the network when it is connected to a WAN. Should the network be limited to a single LAN, the existing security measures would be sufficient to protect it from all foreseeable threats that can be launched from within the LAN. However, if the network is connected to a WAN, it is highly insecure, because an attacker can trivially launch ICMP or protocol DoS attacks against almost all IEDs, and the protocol passwords of most IEDs can easily be subjected to the password crack attack. These attacks can only be effectively countered by an IDS, which is not present on the network. Another notable fact is that the VEA-bility metric indicates that the network is insecure based on the CVEs of the database server and network switches. Despite using highly insecure protocols, there are no host CVEs for the IEDs themselves. The IED metric obtained using (3), however, indicates the poor security of the network based on the vulnerabilities of the IEDs themselves.

VII. CONCLUSIONS

Electric substations are prime targets for malicious attackers. Hence, being able to assess the information security of electric substations is an essential need, especially with increased interconnection over insecure public networks. The novel metric scheme introduced in this paper shows promise when used to perform a security audit on a sample IEC61850 network. In order to perform security audits, it is necessary to use network security tools. Tests on personal computers and simulations reveal that these tools have a high impact in terms of introduced traffic, which results in high network load and high packet drop rates. However, the tests on IEDs show that the periods during which the tools introduce high volumes of traffic are substantially shorter than for personal computers. In general, most IEDs still use highly insecure protocols which require specialized countermeasures. These specialized countermeasures may turn out to be costly in the long run. Therefore, it would be necessary for IED manufacturers to collectively phase out such insecure protocols and keep pace with the state of the art in network security. During the course of the research, it was found that intrusion detection at the network and host level can be considered a viable security countermeasure for IEC61850 networks. Future work would consist of investigating this further.
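The audit results and the conclusion both single out an IDS as the only effective countermeasure against the two threats that remain scored when the network is reachable from a WAN: protocol password cracking and DoS launched through a host the firewall permits. The detector below is an added example, not code from the paper or from any product used in the audit; it shows the rate-based logic such an IDS needs. The log record layout, the IP addresses, the thresholds and the window sizes are assumptions chosen for the example, and the sample event stream is constructed.

```python
"""Rate-based detection of password cracking and ICMP flooding against IEDs.

Added example, not code from the paper or the audited network. Records are
(ts_seconds, src_ip, dst_ip, proto, event) with event one of "auth_fail",
"auth_ok", "icmp_echo" or "modbus_req"; the layout and all addresses are assumed.
"""
from collections import defaultdict, deque

# Policy values are assumptions; tune them against the network's normal traffic.
AUTH_FAIL_THRESHOLD = 5     # failed logins per (src, dst, proto) inside AUTH_WINDOW
AUTH_WINDOW = 60.0          # seconds
SUCCESS_AFTER_FAILS = 3     # a login that follows this many recent failures is suspect
ICMP_THRESHOLD = 50         # echo requests to one destination inside ICMP_WINDOW
ICMP_WINDOW = 1.0           # seconds


class SubstationIDS:
    """Keys on behaviour rather than on source address, so a host the firewall
    legitimately permits is still caught once it starts guessing or flooding."""

    def __init__(self):
        self._auth_fail = defaultdict(deque)  # (src, dst, proto) -> failure timestamps
        self._icmp = defaultdict(deque)       # dst -> echo-request timestamps
        self.alerts = []
        self._raised = set()                  # (kind, key) already reported

    @staticmethod
    def _window_count(dq, ts, window):
        """Append ts, drop entries older than the window, return the count."""
        dq.append(ts)
        while dq and ts - dq[0] > window:
            dq.popleft()
        return len(dq)

    def _alert(self, kind, key, detail):
        if (kind, key) not in self._raised:   # one alert per attack, not per packet
            self._raised.add((kind, key))
            self.alerts.append({"kind": kind, "key": key, "detail": detail})

    def feed(self, ts, src, dst, proto, event):
        if event == "auth_fail":
            key = (src, dst, proto)
            n = self._window_count(self._auth_fail[key], ts, AUTH_WINDOW)
            if n >= AUTH_FAIL_THRESHOLD:
                self._alert("password_crack", key,
                            f"{n} failed {proto} logins within {AUTH_WINDOW:.0f}s")
        elif event == "auth_ok":
            # A success right after a burst of failures is the crack completing.
            key = (src, dst, proto)
            recent = sum(1 for t in self._auth_fail.get(key, ()) if ts - t <= AUTH_WINDOW)
            if recent >= SUCCESS_AFTER_FAILS:
                self._alert("password_crack_success", key,
                            f"login succeeded after {recent} recent failures")
        elif event == "icmp_echo":
            n = self._window_count(self._icmp[dst], ts, ICMP_WINDOW)
            if n >= ICMP_THRESHOLD:
                self._alert("icmp_flood", dst,
                            f"{n} echo requests within {ICMP_WINDOW:.0f}s")
        # "modbus_req" and any other event is ordinary traffic for this detector.


def sample_events():
    """Constructed log: 10.0.0.5 (a host the firewall allows) guesses the ftp
    password of IED7 at 192.168.1.17 once every 5 s and then logs in; 10.0.0.9
    floods the IED at 192.168.1.12 with echo requests; 10.0.0.2 is the SCADA master."""
    events = []
    for i in range(8):
        events.append((100.0 + 5 * i, "10.0.0.5", "192.168.1.17", "ftp", "auth_fail"))
    events.append((140.0, "10.0.0.5", "192.168.1.17", "ftp", "auth_ok"))
    for i in range(120):
        events.append((200.0 + i * 0.005, "10.0.0.9", "192.168.1.12", "icmp", "icmp_echo"))
    events.append((205.0, "10.0.0.2", "192.168.1.12", "modbus", "modbus_req"))
    events.sort(key=lambda e: e[0])
    return events


def run(events):
    """Feed a time-ordered event list through the detector and return its alerts."""
    ids = SubstationIDS()
    for ev in events:
        ids.feed(*ev)
    return ids.alerts


if __name__ == "__main__":
    for a in run(sample_events()):
        print(a["kind"], a["key"], a["detail"])
```

On the constructed stream the password-crack alert fires after the fifth failure, 20 s into an attempt that would need roughly 1600 years to exhaust a 10-digit numeric password at one guess every 5 s, which is the sense in which the paper calls such a crack detectable; the success-after-failures alert then reports the login at 140 s, and the flood is reported on the fiftieth echo request. Because the keys are behavioural, neither alert depends on the attacking host being outside the firewall's allow list.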


ACKNOWLEDGMENT
The authors would like to thank H. Ou for his assistance during the sample audit.

REFERENCES
[1] R. E. Mackiewicz, "Overview of IEC61850 and benefits," in Proc. IEEE Power Eng. Soc. General Meeting, Jun. 18–22, 2006, pp. 1–8.
[2] M. Bishop, "What is computer security?," IEEE Security Privacy, vol. 1, no. 1, pp. 67–69, Jan./Feb. 2003.
[3] F. B. Schneider, "Enforceable security policies," ACM Trans. Inf. Syst. Security, vol. 3, no. 1, pp. 30–50, Feb. 2000.
[4] S. Hariri, Q. Guangzhi, T. Dharmagadda, M. Ramkishore, and C. Raghavendra, "Impact analysis of faults and attacks in large-scale networks," IEEE Security Privacy, vol. 1, no. 5, pp. 49–54, Sep./Oct. 2003.
[5] K. P. Yee, "Aligning security and usability," IEEE Security Privacy, vol. 2, no. 5, pp. 48–55, Sep./Oct. 2004.
[6] C1 Working Group Members of Power System Relaying Committee, "Cyber security issues for protective relays," in Proc. IEEE Power Eng. Soc. General Meeting, 2007, pp. 1–8.
[7] C1 Working Group Members of Power System Relaying Committee, Cyber Security Issues for Protective Relays, accessed Dec. 4, 2008. [Online]. Available: http://www.pes-psrc.org/Reports/Cyber Security Issues for Protective Relays.pdf
[8] S. Evans and J. Wallner, "Risk-based security engineering through the eyes of the adversary," in Proc. IEEE Workshop on Information Assurance and Security, 2005, pp. 158–165.
[9] E. Jonsson and T. Olovsson, "A quantitative model of the security intrusion process based on attacker behavior," IEEE Trans. Softw. Eng., vol. 23, no. 4, pp. 235–245, Apr. 1997.
[10] Honeynet Project, Honeynet attack data, accessed Jun. 30, 2008. [Online]. Available: http://www.honeynet.org
[11] W. Stallings, Cryptography and Network Security: Principles and Practice. Upper Saddle River, NJ: Prentice-Hall, 1998.
[12] U. Premaratne, J. Samarabandu, T. Sidhu, B. Beresh, and J. C. Tan, "Evidence theory based decision fusion for masquerade detection in IEC61850 automated substations," in Proc. Int. Conf. Information and Automation for Sustainability, 2008, pp. 194–199.
[13] T. Ohta and T. Chikaraishi, "Network security model," in Proc. IEEE Singapore Int. Conf. Networks, Sep. 6–11, 1993, pp. 507–511.
[14] IEC Technical Committee Number 57 (TC57), IEC62351 Std., 2007.
[15] NERC CIP Standards, Std. no. CIP-007-1, accessed Apr. 17, 2008. [Online]. Available: http://www.nerc.com/files/CIP-007-1.pdf
[16] ISO/IEC Joint Technical Committee Number 1 (JTC1), ISO/IEC27001 Std., 2005.
[17] Nat. Inst. Standards Technol., Security Metrics Guide for Information Technology, accessed Jun. 21, 2008. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
[18] CVSS Team, Common Vulnerability Scoring System, accessed Jun. 16, 2008. [Online]. Available: http://www.first.org/cvss/v1/guide.html
[19] D. J. Leversage and E. J. Byres, "Estimating a system's mean time to compromise," IEEE Security Privacy, vol. 6, no. 1, pp. 52–60, Jan./Feb. 2008.
[20] D. J. Leversage and E. James, "Estimating a system's mean time-to-compromise," IEEE Security Privacy Mag., vol. 6, no. 1, pp. 52–60, Jan./Feb. 2008.
[21] M. Tupper and A. N. Zincir-Heywood, "VEA-bility security metric: A network security analysis tool," in Proc. 3rd Int. Conf. Availability, Reliability and Security, 2008, pp. 950–957.
[22] IEC Technical Committee Number 57 (TC57), IEC61850 Std., 2003.
[23] R. Spangler, Packet Sniffing on Layer 2 Switched Local Area Networks, accessed Oct. 3, 2008. [Online]. Available: http://www.packetwatch.net/documents/papers/layer2sniffing.pdf
[24] G. Y. Liao, Y. J. Chen, W. C. Lu, and T. C. Cheng, "Toward authenticating the master in the Modbus protocol," IEEE Trans. Power Del., vol. 23, no. 4, pp. 2628–2629, Oct. 2008.

Upeka Premaratne received the B.Sc.Eng. degree in electronic and telecommunication engineering from the University of Moratuwa, Sri Lanka, in 2005 and is currently pursuing the M.E.Sc. degree in electrical and computer engineering at the University of Western Ontario, London, ON, Canada.

Jagath Samarabandu (M’92) is an Associate Professor in the Department of Electrical and Computer Engineering at the University of Western Ontario, London, ON, Canada.

Tarlochan Sidhu (M’90–SM’94–F’04) is a Professor and the Chair of the Department of Electrical and Computer Engineering at the University of Western Ontario, London, ON, Canada.

Robert Beresh (M’80–SM’02) is the Service Line Leader (Protection and Control) of Kinectrics, Inc.

Jian-Cheng Tan (M’96) is the Principal Engineer of the Kinectrics Interoperability Testing Lab.

