Power system reliability has gained higher priority in equipment implementation in the power industry over the years. Since the August 14, 2003 blackout, the industry has paid far more attention to the information infrastructure that supports monitoring and control of the power system. Although the 2003 blackout began with a power equipment problem, the ongoing and cascading failures were due to failures in getting the right information to the right place at the right time.
Communication protocols are among the most critical parts of power system operations, since they carry the data exchanged between equipment and the commands that control it. These protocols rarely incorporated any security measures, because they were highly specialized. "Security by obscurity" was the primary approach: only operators were expected to control breakers, and only from a highly protected control center. With the growth of the electricity market, security by obscurity is no longer a valid concept. The market pressures participants to gain any edge they can, since it is all about winning and losing bids. At the same time, the older proprietary protocols are being replaced by standardized, well-documented protocols that are easier for attackers to study and abuse. Since a power system failure has far greater scope and cost than most IT failures, security in the power system is a crucial factor.
There are now two infrastructures to be managed in the power system: the power system infrastructure itself and the information infrastructure. Any unreliability in the information infrastructure can make the power system unreliable, so the information system has to provide the reliability level that the power system requires.
The International Electrotechnical Commission (IEC) Technical Committee (TC) 57, Power Systems Management and Associated Information Exchange, is responsible for developing international standards for power system data communication protocols. IEC TC 57 is the source of IEC 61850 and of the widely accepted IEC 60870-5 and IEC 60870-6 (TASE.2/ICCP) protocols; DNP 3.0 is a derivative of the IEC 60870-5 work.
IEC 61850 protocol security
IEC 61850 is an Ethernet (IEEE 802.3) based communication standard used for control and automation of electric substations built from microprocessor-based Intelligent Electronic Devices (IEDs). It was developed by IEC TC 57, building on the earlier EPRI/IEEE Utility Communication Architecture (UCA 2.0) work, with the aim of providing a flexible and interoperable communication system that can be integrated into the infrastructure of existing substations.
In a substation automated with IEC 61850, the IEDs communicate with each other using this standard. An IED is any microprocessor-based device in the substation: a protection relay, a bay controller, or a merging unit that digitizes the outputs of a current transformer or voltage transformer. IEDs communicate peer-to-peer via multicast messages and in a client/server fashion. For example, when a protection relay detects an overcurrent on a line, it multicasts the event so that the other protection and control devices can act accordingly.
The IED network within a substation contains two main buses, the process bus and the station bus:
- Process bus: transfers unprocessed power system information (sampled current and voltage values, breaker status and commands) between the primary equipment and the processing IEDs
- Station bus: connects the IEDs of all bays together and provides the interface to external networks. Human Machine Interfaces (HMI) are connected to the station bus.
IEC 61850 was designed with the security of the communication in mind, but the security mechanisms themselves are specified separately, in the IEC 62351 series (mainly IEC 62351-3, IEC 62351-4 and IEC 62351-6).
These include:
- IEC 62351-3 and IEC 62351-4 specify the use of Transport Layer Security (TLS), including the permitted cipher suites, for the IEC 61850 profiles that run over TCP/IP (the MMS-based client/server profile). IEC 62351-6 covers the profiles that do not run over TCP/IP (GOOSE, SMV and SNTP).
- Security for IEC 61850 profiles using VLANs. Partitioning the network into VLANs prevents devices outside the designated VLAN from receiving or injecting the multicast traffic of the IEDs inside it (the limits of this are discussed in the section on VLAN vulnerabilities below).
- Security for the Simple Network Time Protocol (SNTP) via mandatory use of the authentication fields of RFC 2030. This prevents tampering via false time stamp packets.
- Explicit countering of man-in-the-middle attacks and tampering using the Message Authentication Code (MAC) or digital signature defined in IEC 62351-6.
- Explicit countering of replay attacks via the processing state machines specified in IEC 62351-4 (the GOOSE state and sequence numbers serve the same purpose for GOOSE messages).
IEC 62351 - Data and communication security
IEC has published a standard for data and communication security in power systems as IEC 62351, whose first seven parts are listed below (Part 8, on role-based access control, is covered further down):
· IEC 62351-1: Data and Communication Security – Introduction
· IEC 62351-2: Data and Communication Security – Glossary of Terms
· IEC 62351-3: Data and Communication Security – Profiles Including TCP/IP
· IEC 62351-4: Data and Communication Security – Profiles Including MMS
· IEC 62351-5: Data and Communication Security – Security for IEC 60870-5 and Derivatives (i.e. DNP 3.0)
· IEC 62351-6: Data and Communication Security – Security for IEC 61850 Profiles
· IEC 62351-7: Data and Communication Security – Security Through Network and System Management
IEC 61850 profiles that run over TCP/IP use IEC 62351-3, whose primary security measures are TLS and, at the network layer, IPsec. TLS is widely used on the Internet for secure interactions and covers authentication, confidentiality and integrity; IEC 62351-3 requires both ends of the connection to authenticate with X.509 certificates. IEC 62351-4 builds on it to secure the profiles that include the Manufacturing Message Specification (MMS), adding authentication at the MMS association level on top of TLS.
IEC 61850 also contains three message types (GOOSE, GSSE and SMV) that are multicast Ethernet datagrams and not routable, designed to run on a substation LAN or another non-routed network. The main one, GOOSE, is designed for protective relaying, where a message must reach the peer IED within about 4 milliseconds. Encryption or any other security measure that would affect the transmission time is not acceptable here, so message authentication is the only security measure that fits, and IEC 62351-6 provides a mechanism by which these profiles carry a digital signature in an extension to the message.
IEC 62351 Part 5 covers IEC 60870-5 and its derivatives (such as DNP 3.0), including their serial links, where additional measures are defined to protect the integrity and authenticity of the connection; this part also specifies the key management needed by those measures. Part 7 defines security-related data objects for end-to-end network and system management (NSM) and for detecting security problems; these objects support the secure monitoring and control of dedicated parts of the energy automation network. Part 8 addresses the integration of role-based access control (RBAC) into the whole domain of power systems.
Security in power system operation
The security requirements of power systems differ from those of other industries; the Internet environment, for instance, is vastly different from the power system environment. It is therefore critical to understand both the security requirements and the potential impact of the security measures on the communication requirements of power system operations.
Most security services were developed for industries that do not have the strict performance and high reliability requirements of the power industry:
- Denial of service has far more impact in the power industry than on typical Internet transactions. Preventing an authorized dispatcher from accessing substation controls has far more serious consequences than preventing a customer from accessing his bank account.
- Many communication channels used in the power system are narrowband and cannot afford the overhead needed for encryption and key exchange.
- Some substations and equipment are located in unmanned remote areas, which makes many security measures difficult to implement.
- Wireless communication is coming into use for many applications, but it must be implemented with more care in power systems because of the noisy electrical environment in substations.
Because the power system uses a large variety of communication methods with different performance characteristics, a single security measure cannot counter all the threats. For instance, a VPN only secures the network and transport layers between two endpoints, so additional measures are needed to authenticate the application-level protocol and the actions carried in it. In power system communication, authentication plays the larger role among the security measures, because authenticating a control action is far more important than hiding data through encryption. Security is truly an "end-to-end" requirement: authenticated access to sensitive power system equipment, reliable and timely information on equipment functioning and failures, backup of critical systems, and audit capabilities that permit reconstruction of crucial events.
GOOSE/SMV protection
GOOSE stands for Generic Object Oriented Substation Event. Using GOOSE over the station bus aims to replace the conventional hardwired logic needed for inter-relay coordination. When an IED detects an event, it multicasts the new values to notify the devices that subscribe to that data. Because this information is time critical, the performance requirements are stringent: no more than 4 ms may elapse from the moment an event occurs to the transmission of the message. To replace the conventional contacts and wires, the transfer time of a GOOSE message should be less than 3 ms for a Trip GOOSE command and 20 ms for a Block GOOSE command, as specified in IEC 61850-5 'Communication requirements for functions and device models'. The amount of data generated after an event depends on the network topology, the number of IEDs in the network and the type of event. Since GOOSE frames are unacknowledged multicast frames that can be lost or delayed under load, each IED retransmits every message several times, with the interval between repetitions growing from a few milliseconds right after the event to a slow heartbeat in steady state. The GOOSE model groups data values into data sets to be published, and the message header carries several attributes that control and track the publishing process: a state number (stNum) that increments on each new event, a sequence number (sqNum) that increments on each retransmission of the same state, and a time-allowed-to-live value after which the subscriber must treat the data as stale.
GOOSE messaging is very important for multi-vendor interoperability. The purpose and advantages of GOOSE:
- Only a single LAN cable or fibre is required instead of conventional metallic wiring between protection devices, or between protection devices and primary equipment. This reduces the total cost of building a substation system.
- Multi-vendor interoperability: connections between IEDs from different vendors are much easier to achieve.
- Modifying or adding data communication between IEDs is easily achieved by reconfiguring the IEDs' GOOSE settings, rather than by complex metallic wiring.
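As an added example (not code from the original post or from any IED vendor), the following Python models a publisher's retransmission burst and the subscriber-side checks on the GOOSE header attributes just described. It also addresses the replay attacks mentioned in the list of IEC 62351 mechanisms above: a subscriber that tracks the last accepted stNum/sqNum per control block rejects a recorded frame that is injected again, and treats the data as stale once timeAllowedtoLive has expired. The message is represented as a plain dict rather than the real BER-encoded APDU, and the retransmission intervals, control block name and data values are assumptions made for the example.

```python
"""Subscriber-side plausibility checks on GOOSE header attributes.

Added example, not from the original post or any standard text: the
message is a dict holding only the header fields relevant here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Retransmission schedule of the constructed publisher (ms after the event).
# Real IEDs use a similar "fast, then slowing to a heartbeat" pattern;
# these exact values are an assumption for this example.
RETRANSMIT_MS = [0, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1000]


def publish_event(gocb: str, st_num: int, data: dict, t0_ms: int) -> List[dict]:
    """Frames a publisher emits for one state change.

    stNum is bumped once per new event; sqNum restarts at 0 and increases
    with every repetition of the same state. timeAllowedtoLive covers the
    gap to the next repetition with a 2x margin.
    """
    frames = []
    for i, offset in enumerate(RETRANSMIT_MS):
        last = i + 1 == len(RETRANSMIT_MS)
        next_gap = RETRANSMIT_MS[-1] if last else RETRANSMIT_MS[i + 1] - offset
        frames.append({
            "gocbRef": gocb,
            "stNum": st_num,
            "sqNum": i,
            "t": t0_ms,                    # event timestamp (ms)
            "sent_ms": t0_ms + offset,     # wire time of this repetition
            "timeAllowedtoLive": 2 * next_gap,
            "allData": dict(data),
        })
    return frames


@dataclass
class GooseSubscriber:
    """Tracks the last accepted (stNum, sqNum) per GOOSE control block."""
    last_st: Dict[str, int] = field(default_factory=dict)
    last_sq: Dict[str, int] = field(default_factory=dict)
    expires_ms: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def receive(self, f: dict, now_ms: int) -> str:
        ref, st, sq = f["gocbRef"], f["stNum"], f["sqNum"]
        prev_st = self.last_st.get(ref)
        prev_sq = self.last_sq.get(ref, -1)
        if prev_st is None:
            verdict = "FIRST"
        elif st > prev_st:
            verdict = "NEW_EVENT"
        elif st == prev_st and sq > prev_sq:
            verdict = "RETRANSMIT"        # same state, later repetition
        else:
            # stNum went backwards, or sqNum repeated/decreased for the same
            # stNum: a recorded frame injected again (replay) or a duplicate.
            self.log.append(f"{ref}: rejected stNum={st} sqNum={sq} "
                            f"(last accepted {prev_st}/{prev_sq})")
            return "REPLAY"
        self.last_st[ref] = st
        self.last_sq[ref] = sq
        self.expires_ms[ref] = now_ms + f["timeAllowedtoLive"]
        return verdict

    def is_stale(self, ref: str, now_ms: int) -> bool:
        """True once timeAllowedtoLive of the last accepted frame has elapsed."""
        return ref in self.expires_ms and now_ms > self.expires_ms[ref]


def demo() -> dict:
    """Normal burst, then a replayed frame, then a staleness check."""
    ref = "RelayA/LLN0$GO$gcb01"                     # constructed gocbRef
    sub = GooseSubscriber()
    burst = publish_event(ref, st_num=7, data={"Trip": True}, t0_ms=1000)
    verdicts = [sub.receive(f, now_ms=f["sent_ms"]) for f in burst]
    # An attacker replays the first frame of the burst 5 s later.
    replay = sub.receive(burst[0], now_ms=6000)
    # With no further traffic, the data must count as stale after TAL expires.
    stale = sub.is_stale(ref, now_ms=burst[-1]["sent_ms"] + 5000)
    return {"verdicts": verdicts, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Note that the replayed frame is rejected purely on its sequence numbers, without any cryptography; this is why the stNum/sqNum tracking complements, rather than replaces, the authentication value that IEC 62351-6 adds to the frame.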
Virtual LAN vulnerabilities
In the power industry VLANs are used for layer 2 separation. Virtual LAN (VLAN) technology creates logically separate LANs on the same physical switch: each port of the switch is assigned to a VLAN, and frames carry an IEEE 802.1Q tag that identifies the VLAN when they cross trunk links between switches.
A VLAN alone is not secure enough for GOOSE and SMV messages. VLANs have security weaknesses, and VLAN separation by itself is not sufficient protection for GOOSE/SMV communication. VLAN switch implementations have been susceptible to a variety of denial-of-service attacks, including traffic flooding, MAC flooding and CAM table poisoning (CAM refers to the Content Addressable Memory that maps MAC addresses to the switch port through which they are reachable; once the table overflows, the switch floods frames to every port of the VLAN and effectively degrades into a hub).
VLAN switch configurations and deployments have also been vulnerable to a number of spoofing and man-in-the-middle attacks. The best-known ones include the following. (Links at the end of this article lead to detailed descriptions.)
- MAC address spoofing
- VLAN tag spoofing (where the attacking computer falsely identifies itself as a member of a VLAN by spoofing the IEEE 802.1Q tag, or hops into another VLAN by sending double-tagged frames through a trunk port)
- ARP cache poisoning
- Connection hijacking following a successful ARP attack
- Multicast Brute Force Attack
- Random Frame Stress Attack
- Private VLAN Attack
The power industry has paid more attention to the information infrastructure that supports monitoring and control of the power system. Communication protocols are among the most critical parts of power system operations, responsible for communication between equipment and for controlling it. The security mechanisms for IEC 61850, the standard used for control and automation of substations, are specified in the IEC 62351 series. The security requirements of power systems differ from those of other industries. To maintain security in power systems, constant vigilance and monitoring are needed, together with adaptation to changes in the overall power system; the main purpose of the security protection is to detect an attack and eliminate it from the system. Since the power system uses a large variety of communication methods and performance characteristics, no single security measure can counter all the threats. IEC 61850 uses mainly five message types, sampled measured values, GOOSE, MMS, GSSE and time synchronization, exchanged through four kinds of service: client/server services, GOOSE/GSE management services, GSSE services and time-sync exchange. The profiles that run over TCP/IP use the network- and transport-layer measures IPsec and TLS; client/server exchange, which uses MMS over TCP/IP, relies on those measures to secure the connection. Given the stringent performance requirements of GOOSE and SMV communication, encryption or any other measure that would significantly affect transmission time is not acceptable, so authentication is the primary security measure for GOOSE and SMV. VLANs have security weaknesses, and VLAN separation alone is not enough for GOOSE/SMV communication.
Further research is needed on an authentication scheme that matches the substation communication requirements, so that the resulting authentication value can be carried as an extension to the GOOSE message.
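As an added example that is neither code from the original post nor the encoding defined in IEC 62351-6, the Python below shows the two kinds of check a GOOSE subscriber (or a monitor on the station bus) can apply to raw frames: the VLAN-level checks motivated by the attacks listed in the VLAN section (a second 802.1Q tag nested in the first, i.e. double-tagging VLAN hopping; a frame arriving on the wrong VLAN; a source MAC that is not a known IED), and a keyed authentication value carried after the APDU, which is the kind of GOOSE extension the conclusion calls for. The frame layout (Ethernet header, optional 802.1Q tag, Ethertype 0x88B8, APPID, Length, two reserved words, APDU) follows IEC 61850-8-1; placing an HMAC-SHA256 tag after the APDU and using the first reserved word to carry its length are simplifying assumptions of this example, as are the key, MAC addresses, policy and APDU bytes, which are all constructed. The last case shows that a frame with a spoofed IED source MAC passes every VLAN check and is caught only by the authentication value.

```python
"""GOOSE frame checks: VLAN sanity plus an authentication extension.

Added example. Frame layout per IEC 61850-8-1; the HMAC tag trailing the
APDU and Reserved1 carrying its length are simplifications for this example,
not the IEC 62351-6 encoding. Keys, MACs and APDU bytes are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, List

ETH_P_8021Q = 0x8100
ETH_P_GOOSE = 0x88B8
TAG_LEN = 32  # HMAC-SHA256 output size


def _auth_input(dst: bytes, src: bytes, appid_to_apdu: bytes) -> bytes:
    # The 802.1Q tag is left out of the authenticated data: access ports
    # strip it, so the VLAN is checked separately against the switch policy.
    return dst + src + appid_to_apdu


def build_goose_frame(dst: bytes, src: bytes, vlan_id: int, pcp: int,
                      appid: int, apdu: bytes, key: bytes) -> bytes:
    """Publisher side: 802.1Q-tagged GOOSE frame with a trailing HMAC tag."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    length = 8 + len(apdu)                        # APPID..end of APDU
    body = struct.pack("!HHHH", appid, length, TAG_LEN, 0) + apdu
    tag = hmac.new(key, _auth_input(dst, src, body), hashlib.sha256).digest()
    return (dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_GOOSE)
            + body + tag)


def check_goose_frame(frame: bytes, policy: Dict, key: bytes) -> Dict:
    """Subscriber side: list the problems found (empty list = accept)."""
    problems: List[str] = []
    dst, src = frame[:6], frame[6:12]
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan_id = pcp = None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        off += 4
        vlan_id, pcp = tci & 0x0FFF, tci >> 13
        if ethertype == ETH_P_8021Q:
            # Second tag nested in the first: double-tagging VLAN hopping.
            return {"ok": False, "problems": ["DOUBLE_TAG"], "vlan": vlan_id}
    if ethertype != ETH_P_GOOSE:
        return {"ok": False, "problems": ["NOT_GOOSE"], "vlan": vlan_id}
    if vlan_id != policy["goose_vlan"]:
        problems.append("WRONG_VLAN")
    if src not in policy["ied_macs"]:
        problems.append("UNKNOWN_SRC")
    appid, length, tag_len, _ = struct.unpack_from("!HHHH", frame, off)
    body = frame[off:off + length]
    tag = frame[off + length:off + length + tag_len]
    expected = hmac.new(key, _auth_input(dst, src, body), hashlib.sha256).digest()
    if tag_len != TAG_LEN or not hmac.compare_digest(tag, expected):
        problems.append("BAD_MAC")
    return {"ok": not problems, "problems": problems, "vlan": vlan_id,
            "pcp": pcp, "appid": appid, "apdu": body[8:]}


def demo() -> Dict[str, List[str]]:
    """One genuine frame and three hostile variants (all constructed)."""
    key = b"constructed-demo-key"                   # assumed shared key
    relay_mac = bytes.fromhex("0011aabb0001")       # constructed IED MAC
    goose_dst = bytes.fromhex("010ccd010001")       # GOOSE multicast range
    # Minimal BER-style APDU: GOOSE PDU [APPLICATION 1] with stNum=7, sqNum=0.
    apdu = bytes.fromhex("6106850107860100")
    policy = {"goose_vlan": 10, "ied_macs": {relay_mac}}

    good = build_goose_frame(goose_dst, relay_mac, 10, 4, 0x0001, apdu, key)
    # Man-in-the-middle flips the last APDU byte (sqNum) in transit.
    tampered = bytearray(good)
    tampered[-TAG_LEN - 1] ^= 0x01
    # Double-tagged frame: outer tag VLAN 1 (attacker's access VLAN) wrapped
    # around the genuine tagged frame, the classic VLAN hopping trick.
    hop = good[:12] + struct.pack("!HH", ETH_P_8021Q, 1) + good[12:]
    # Attacker spoofs the relay's MAC on the right VLAN but has no key.
    spoofed = build_goose_frame(goose_dst, relay_mac, 10, 4, 0x0001,
                                bytes.fromhex("6106850108860100"), b"no-key")
    return {name: check_goose_frame(f, policy, key)["problems"]
            for name, f in [("good", good), ("tampered", bytes(tampered)),
                            ("hop", hop), ("spoofed", spoofed)]}


if __name__ == "__main__":
    print(demo())
```

The HMAC check costs one SHA-256 pass over a frame of a few hundred bytes, which fits the GOOSE timing budget far better than encryption would; what remains as an engineering problem, and is outside this example, is distributing and rotating the shared key across every publisher and subscriber in the substation.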
1 comment:
Thanks for the post. It was really interesting and knowledgeable information, as well as really helpful for my Substation Automation Market research and development.