Cyber Security in communication of SCADA systems using IEC 61850


Robert CZECHOWSKI*, Paweł WICHER*, Bernard WIECHA*

Department of Electrical Power Engineering, Wroclaw University of Technology, Wroclaw, Poland

[email protected], [email protected], [email protected]

Abstract - Supervisory Control and Data Acquisition (SCADA) systems play the most important role in remote surveillance systems. The development of the communication systems of new substations, such as renewable energy sources, smart grid houses and new energy sources in the power network, increases the number of nodes in the data communications network, which increases the number of possible ways to connect to the SCADA system. When designing a new substation, no one takes the aspect of cyber security into account; the design is limited to choosing the mode of communication within the station and the method of communication to the SCADA system. In a project, the major communication on the substation (SS) level is based on the IEC 60870-5 [1], DNP3 [2] or IEC 61850 [3] protocols, and the connection to SCADA mostly works with the IEC 60870-5-104 [4] transmission protocol or DNP3.0. IEC 60870-5-104 provides network access for IEC 60870-5-101 [5] based on Transmission Control Protocol/Internet Protocol (TCP/IP), which can be utilized for basic telecontrol tasks in SCADA systems. However, the IEC 60870-5-104 protocol transmits messages in clear text without any authentication mechanism. Furthermore, the IEC 60870-5-104 protocol is based on TCP/IP, which also has cyber-security issues itself. (IEC/104 is used as the notation, instead of IEC 60870-5-104, in the remainder of the paper.)

Keywords: cyber security, smart power grid, internet protocol, digital communication.

I. INTRODUCTION

The most common external threats that we encounter on a daily basis are automated attacks through viruses, Trojans and software vulnerabilities on the victim workstation. Often the main purpose of such attacks is to enlarge a botnet (a network of infected computers forming a group controlled by the creator of the malicious software) by another workstation. These risks are relatively easy to detect and dispose of through the use of current software, a virus definition subscription and anti-spyware. It should however be borne in mind that many viruses can also lead to an unstable operating system, and even to loss of data integrity on the infected machine.

Another type of external threat is coordinated direct attacks aimed at the acquisition or modification of the data on the victim machine. These attacks are usually performed using security vulnerabilities of the 0-day type (i.e. newly disclosed information about a vulnerability) and gaps caused by incorrect configuration. They relate to a greater extent to machines available at public IP addresses, such as servers.

From the perspective of the technology of digital stations, a particular threat can be a combination of the direct and the automatic type of attack. An example of such a threat is the Stuxnet worm, discovered in 2009 in Iranian nuclear power plants. This virus, after infecting a machine, tries to access and modify the PLC software of a specific manufacturer's SCADA system. This is an example both of an automatic threat that is difficult for antivirus software to detect because of its narrow specialization, and of a direct threat that takes into account known weaknesses of the affected system (in this case, leaving the default password for configuring the PLC). Despite the fact that the creation of such a worm requires a significant financial effort, this type of threat should be taken into consideration. The basic tools used to protect against attacks are:

Antivirus software - can run in monitor mode (automatic, ongoing checks of processed files) and scan mode (searching disks on request). Its effectiveness depends primarily on up-to-date signatures of known viruses. In some cases, the AV allows identification of malicious software based on heuristic methods; in this case, the infected files are actually harmful only with a certain probability. As a result, the AV can detect not only known malicious software, but also suspicious software code.

Firewall - software, or hardware with dedicated software, that filters network traffic so that only traffic complying with certain rules is passed. It is most often associated with blocking access from the external network to the internal network or local workstation. Another important, but often overlooked (because of the cumbersome configuration) function is blocking outgoing traffic, which protects data before it leaves the local area network or workstation. A very important function is monitoring and recording the most important events in a log. A correctly configured firewall makes it possible to repel the known types of attacks.

This paper was realized within NCBR project: ERA-NET, No 1/SMARTGRIDS/2014, acronym SALVAGE. "Cyber-Physical Security for the Low-Voltage Grids".

Fig. 1. Digital communication in Power Line network as OSI model conception.

Software patches (called patches) - corrections made available by the software or operating system manufacturer. It is very important to keep the system and programs in the most up-to-date versions possible. Significant gaps are of the 0-day type, which are not yet widely known. With time, however, knowledge of how to exploit such a gap becomes easy to obtain, and an outdated PC can easily become the victim of an attack.

Encryption of connections - to ensure the confidentiality of information transmitted over computer networks, it is recommended to use encryption algorithms. In the client-server architecture, data is transferred in the form of ciphertext, illegible to anyone other than the transmission endpoints. Encryption is especially recommended during authentication, so that the username and password are not sent over the network in clear text. Optionally, you can also use intrusion detection systems (Intrusion Detection System, IDS) operating on the basis of signatures (by searching packets for data strings typical of attacks) or heuristics (by analyzing headers and protocols) on defragmented, i.e. reassembled, packets. Because of the delays associated with defragmentation, it can be used only in those parts of the network where such delays are acceptable. More elaborate systems allow intrusion prevention (Intrusion Prevention System, IPS) by responding to abnormal behaviour in the network. Systems operating on the basis of signatures require live updates of those signatures.

II. PRESENT PROBLEMS IN SMART COMMUNICATION

On the SS level the standard protocol is IEC 103 or DNP 3. Each protection manufacturer has its own implementation of this standard, which is not always compatible with the SCADA RTUs or with other manufacturers. IEC 61850 was developed by the IEC Technical Committee 57 by a group of manufacturers (ABB, Alstom, Schneider, SEL, Siemens, Toshiba, etc.) and electrical utilities (Electricité de France, Iberdrola, Hydro-Quebec, etc.) with the target of improving the interoperability of equipment [6]. IEC 61850 is completely different from all the protocols we are using on SSs, and it changes everything. IEC 61850 describes how the connection should work (exchange of information between RTU and IED) (Fig. 2). In IEC 61850 we use data object modelling to replace addresses that carry no meaning. Modelling is based on Logical Nodes (LN), a named grouping of data and associated services, where everything relates to a protection function or a control function. For example, PTOC represents overcurrent protection, and measurements are in the LN MMXU, where we can read power, voltages, currents etc. The protocol works on the standard TCP/IP protocol, so on a standard network connection like the one at home. It has more advantages than defects: Ethernet protocols are easy to implement, and for cybersecurity we can use algorithms like those in banks or standard Ethernet networks (Fig. 1).
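To make the object model described above concrete, here is an added example (not code from the paper) that parses IEC 61850 object references of the form LDName/LNName.DOName.DAName into logical device, logical node class (e.g. PTOC, MMXU) and data attributes, and flags references that address the control model (SBO, SBOw, Oper, Cancel) so that commands can be logged; the sample references and the log line format are constructed assumptions.

```python
"""Parse IEC 61850 object references and flag control-service writes.

Added example, not the paper's code. The reference layout and the
control-model attribute names follow IEC 61850-7-2/7-4; the sample
references below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# IEC 61850-7-4 logical-node groups, keyed by the first letter of the LN class.
LN_GROUPS = {
    "A": "automatic control", "C": "control", "G": "generic",
    "I": "interfacing/archiving", "L": "system", "M": "metering/measurement",
    "P": "protection", "R": "protection related", "S": "supervision/monitoring",
    "T": "instrument transformer", "X": "switchgear", "Y": "power transformer",
    "Z": "further power system equipment",
}

# Data attributes that belong to the control model: a write to one is a command.
CONTROL_SERVICES = {"SBO", "SBOw", "Oper", "Cancel"}

# LN name = optional prefix + 4-letter class + optional instance number,
# e.g. "PhPTOC1" -> prefix "Ph", class "PTOC", instance "1".
_LN_RE = re.compile(r"^([A-Za-z0-9_]*?)([A-Z]{4})([0-9]*)$")


@dataclass
class ObjectReference:
    logical_device: str
    prefix: str
    ln_class: str
    instance: str
    data_object: str
    attributes: List[str]   # remaining path, e.g. ["Oper", "ctlVal"]

    @property
    def group(self) -> str:
        return LN_GROUPS.get(self.ln_class[0], "unknown")

    @property
    def is_control_command(self) -> bool:
        return any(attr in CONTROL_SERVICES for attr in self.attributes)


def parse_reference(ref: str) -> ObjectReference:
    """Split 'LD/LN.DO.DA...' into its components; raise ValueError if malformed."""
    if ref.count("/") != 1:
        raise ValueError(f"expected exactly one '/' in {ref!r}")
    ld, path = ref.split("/")
    parts = path.split(".")
    if len(parts) < 2 or not ld or not all(parts):
        raise ValueError(f"expected at least LN.DO after the logical device in {ref!r}")
    ln_name, do_name, *attrs = parts
    if ln_name == "LLN0":                      # the LD-level node has no instance digit
        prefix, ln_class, instance = "", "LLN0", ""
    else:
        m = _LN_RE.match(ln_name)
        if not m:
            raise ValueError(f"{ln_name!r} is not a valid logical node name")
        prefix, ln_class, instance = m.groups()
    return ObjectReference(ld, prefix, ln_class, instance, do_name, attrs)


def audit_writes(references: List[str]) -> List[str]:
    """Return a log line for every reference that is a control command, so that
    commands leave a history (constructed log format)."""
    log = []
    for ref in references:
        obj = parse_reference(ref)
        if obj.is_control_command:
            log.append(f"CONTROL {ref}: {obj.group} LN {obj.ln_class}{obj.instance} "
                       f"in LD {obj.logical_device}")
    return log


if __name__ == "__main__":
    # Constructed sample references for one feeder bay.
    SAMPLES = [
        "MEAS/MMXU1.A.phsA.cVal.mag.f",     # phase A current measurement (read)
        "PROT1/PhPTOC1.Op.general",         # overcurrent trip status (read)
        "CTRL/CSWI1.Pos.Oper.ctlVal",       # breaker operate command (write)
        "CTRL/CSWI1.Pos.SBOw.ctlVal",       # select-before-operate (write)
    ]
    for line in audit_writes(SAMPLES):
        print(line)
```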

Security threats to connecting into the substation system can be divided into two parts, based on physical and cyber assets. Physical assets are hardware like GSM modems, wireless routers and Bluetooth sticks, as well as IEDs connected somewhere on the SS. Cyber assets are software, gates in the firewall and open ports. These gates help an intruder to connect into the SS level. Using the IEC 103, DNP and MODBUS protocols there is, of course, a somewhat easier way to connect on the SS.

III. PRESENT PROBLEMS IN SMART COMMUNICATION

The first problem for an intruder is the FO: how to connect and where. If someone connects between the RTU and an IED, the only access is to one bay. The potential place of attack is between SCADA and the substation: if someone installs a converter in the telecommunication room or connects between SCADA and the RTU, they get access to all devices. In those protocols, when we send a command, nothing is left in the history (maybe only a trip in the system). Serial protocol implementations lack both confidentiality and strong integrity guarantees to prevent possible attacks on the wire. An attacker who connects to these protocols is able to send commands, read values, send something to SCADA and cause disruption. The current state of security of these SCADA protocols spurs attackers to try to connect to some object. On a power station or industrial SCADA, the best security is an isolated network that prevents such a situation (Fig. 3). No one is checking what is connected in the telecommunication room, so serial protocols are quite easy to attack and it is really hard to identify whether there was an attack or not.

It is different when we use TCP/IP communication. The IEC 62351 standard defines security for the TC57 protocols that work on TCP/IP. Connection over Ethernet is more secure because communication is between a client and a server. The first problem for an attacker is connecting to the RTU as a server would, but the SAS allows remote access, since on the substation we use a separate channel for various purposes. It is used to remotely access and manage data or to correct settings.

Fig. 2. Communication in Ethernet network based on IEC 61850.


Access to the substation via the engineering channel is less secure because this network is mostly not isolated, and it is even connected to the standard industry network with limited access. For existing remote access, IEDs offer a password, but on most substations it is the same, like "000000, AAAA, aaaa, 1234". In most companies the password is well known to everyone. The only way to disable access for some individuals is to change the password periodically.

Most IEDs/RTUs use role-based authentication. In conclusion, when we use protocols working on the IEC 62351 standard, we have many possibilities to secure access, such as Active Directory rights and user authentication. An intruder will mostly try to connect over serial protocols (Fig. 4) or use the remote maintenance connection, which is mostly less secure, and employees do not care who has access.

IV. SAFETY FEATURES AND DETECTION OF ATTACKS

Increased automation and communication within smart grids certainly comes with many benefits, but it is not devoid of flaws either: due to the availability of ICT technology in a new, hitherto unknown (for such solutions) branch of industry, there will surely be individuals willing to test their skills and abilities, which will translate into these grids' increased vulnerability to attacks. Ensuring years of proper functionality of such grids, their safety and protection from cyber-criminals' or hackers' attacks becomes a serious problem [7]. Resources protected in smart power grids are: access to management software, inventory of computer equipment, the company's data, personnel (including a list of ICT/AMI specialists), documentation of metering equipment, e.g. access to the ERP (Enterprise Resource Planning) system, and the company's critical data: data concerning contractors, commercial information, data endangering the positive image, ways of unauthorized access, the so-called Information Security Policy [8]. In summary, attacks on smart power grids can be divided as follows:

a) by the attack location in the power supplier infrastructure:

• attack on AMI devices (main meters),
• attack on the data transmission medium, intermediate devices (active and passive),
• attack on the operator's datacenter (extortion of passwords and access to services by use of various techniques, even bordering on social engineering, attack on access control servers, databases, warehouses and permissions).

b) by the target and scale of a potential attack:

• attack on a single client [9],
• attack on the functionality of the entire system or its significant portion [10].

Transformation of the current grid structure into a smart grid necessitates a series of novel security solutions, borrowed from already used ones. Typical problems of modern computing include hacking, data theft and even cyberterrorism, which will sooner or later also affect power grids. The introduction of smart power grids, through installation of remotely read meters, electronic grid elements and construction of new information systems containing data on energy usage, causes power engineers many new security-related problems.

A complex multi-layered security system requires an overall concept of providing information security. Security in the Smart Grid can be divided into three groups:

a) by the continuity and security of services:

• ensuring continued electrical energy supply at a contractually guaranteed level binding the supplier and customer (it also concerns cases of bidirectional energy transfer, i.e. smart grids with the participation of prosumers),
• ensuring confidentiality of information on clients and security of statistical data generated by them, such as consumption amount, time of the greatest energy demand or its total absence,
• security related to the energy distribution management process, and telemetry and personal data protection in datacenters,

b) by security class:

• protection from unauthorized access to digital data transmission media and physical security of devices in intermediate stations,
• protection of end-use telemetric devices from unauthorized access, transmission disruption or complete lock of their activities,
• analytical optimization models and decision-making processes,

c) by policy:

• data access policy: user authorization, permission management,
• management security policy: investment processes' principles and rules,
• system security policy: reaction to incidents, managing confidential information like passwords and cryptographic keys.

Fig. 3. Example diagram of information flow in SCADA systems using IEC 61850.

Making the ICT power grid available to external users is a potential source of threat. It is necessary to separate information transferred for the needs of the power sector from external traffic. Moreover, administrative and office traffic should also be separated from traffic related to remote supervision of energy facilities. The most commonly encountered problems related to incorrect grid architecture design and its management are:

• lack of proper security architecture,
• errors in information security management,
• software errors,
• human errors and intentional actions,
• insufficient security monitoring.

The most common threats to information systems include:

• blocking access to a service,
• hacking into an information system's infrastructure,
• data loss,
• data theft,
• confidential data disclosure,
• information falsification,
• software code theft,
• hardware theft,
• damage to computer systems [11].

V. GOOD PRACTICES IN SECURING THE LOW/MEDIUM VOLTAGE POWERLINE NETWORK

In order to ensure safety, monitoring of network traffic must be taken into account in the policy. For this purpose, you can use the event logs obtained from the previously described firewall. More complex and better filtered information is available through an intrusion detection system (IDS), which greatly facilitates the observation of anomalies in network traffic. In the case of active network devices, i.e. network switches, you should use solutions with trouble-reporting software. This facilitates diagnosis in case of incorrect operation of the network and significantly reduces the time needed to solve the problem.

In order to verify the proper operation of the above mechanisms, penetration tests should be performed periodically, involving the simulation of attacks and system errors. In this way, you can find out whether all known methods of attack are captured by the network protection mechanisms.

SNMP assumes the existence of two types of devices in a managed network: managing and managed. A device (computer) is a manager (called NMS, Network Management Station) when it runs the appropriate SNMP manager program. A device is managed if it runs an SNMP agent program.

Advantages and disadvantages. SNMP is currently the most popular protocol for managing networks (Fig. 5). Its popularity is due to the following advantages:

• a relatively small additional load on the network generated by the protocol itself,
• a small number of custom commands, which lowers the cost of devices supporting it,
• low costs of implementation and operation.

The main disadvantage of SNMP is the inability to ensure the security of transmitted data (SNMP versions 1 and 2).

Fig. 4. Communication via RS485.

Fig. 5. Exchange of communication in SNMP version 3.
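As an added example (not from the paper) of the disadvantage just noted, the Python below decodes only the BER header of captured SNMP messages and reports whether a v1/v2c community string travels in clear text, or which security level (msgFlags, RFC 3412) a v3 message uses; the sample messages are constructed inline and the verdict strings are my own.

```python
"""Classify captured SNMP messages by version and security level.

Added example, not the paper's code. Only the header fields needed for the
verdict are decoded: version, the v1/v2c community string and the v3
msgFlags. All sample messages are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one short-form BER TLV (content < 128 bytes) for the samples."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpSummary:
    version: str                  # "v1", "v2c" or "v3"
    community: Optional[str]      # only v1/v2c carry a community string
    auth: bool
    priv: bool
    verdict: str


def classify_snmp(msg: bytes) -> SnmpSummary:
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big", signed=True)
    if version in (0, 1):                   # SNMPv1 = 0, SNMPv2c = 1
        name = "v1" if version == 0 else "v2c"
        tag, comm, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        community = comm.decode("latin-1")
        return SnmpSummary(name, community, False, False,
                           f"INSECURE: SNMP{name} community {community!r} in clear text")
    if version == 3:
        tag, global_data, _ = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("msgGlobalData SEQUENCE missing")
        p = 0
        _, _, p = _read_tlv(global_data, p)      # msgID
        _, _, p = _read_tlv(global_data, p)      # msgMaxSize
        tag, flags, _ = _read_tlv(global_data, p)
        if tag != 0x04 or len(flags) != 1:
            raise ValueError("msgFlags OCTET STRING missing")
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        if priv and not auth:
            verdict = "MALFORMED: SNMPv3 priv without auth is not allowed"
        elif auth and priv:
            verdict = "OK: SNMPv3 authPriv (integrity and confidentiality)"
        elif auth:
            verdict = "WEAK: SNMPv3 authNoPriv (payload readable on the wire)"
        else:
            verdict = "INSECURE: SNMPv3 noAuthNoPriv"
        return SnmpSummary("v3", None, auth, priv, verdict)
    raise ValueError(f"unsupported SNMP version field {version}")


# Constructed samples: a GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0).
_VARBIND = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010100")) + _tlv(0x05, b""))
_GET_PDU = _tlv(0xA0, _tlv(0x02, b"\x00\x00\x00\x2a") + _tlv(0x02, b"\x00") * 2
                + _tlv(0x30, _VARBIND))
SAMPLE_V1 = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"public") + _GET_PDU)
SAMPLE_V2C = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"private") + _GET_PDU)


def _v3(flags: int, msg_data: bytes) -> bytes:
    global_data = (_tlv(0x02, b"\x00\x00\x00\x01") + _tlv(0x02, b"\x05\xdc")
                   + _tlv(0x04, bytes([flags])) + _tlv(0x02, b"\x03"))
    sec_params = _tlv(0x04, _tlv(0x30, b""))      # USM parameters left empty
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, global_data) + sec_params + msg_data)


# authPriv: msgData is an encrypted OCTET STRING; noAuthNoPriv: plaintext scopedPDU.
SAMPLE_V3_AUTHPRIV = _v3(0x07, _tlv(0x04, bytes.fromhex("deadbeef")))
SAMPLE_V3_NOAUTH = _v3(0x04, _tlv(0x30, _tlv(0x04, b"") + _tlv(0x04, b"") + _GET_PDU))


def audit(messages: List[bytes]) -> List[str]:
    """One verdict per message; anything not starting with 'OK' needs attention."""
    return [classify_snmp(m).verdict for m in messages]


if __name__ == "__main__":
    for line in audit([SAMPLE_V1, SAMPLE_V2C, SAMPLE_V3_AUTHPRIV, SAMPLE_V3_NOAUTH]):
        print(line)
```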

Below are listed the main safety functions of telecommunication devices in digital communications using SNMP, compatible with IEC 61850 (IEC 61850-3, IEEE 1613) [12]:

• Protection - mis-wiring avoidance, re-powered auto ring restore (node failure protection), loop protection.
• System log - support for system log records and a remote system log server.
• DHCP - DHCP client / DHCP server / DHCP Option 82 / port-based and VLAN-based DHCP distribution (DHCP relay agent).
• MAC-based DHCP server - assigns IP addresses by MAC address, so that a dumb switch can be included in the DHCP network.
• DNS - DNS client feature with support for primary and secondary DNS servers.
• GOOSE monitoring - shows individual GOOSE TX/RX counters (IEC packets).
• Environmental monitoring - internal sensors detect temperature, voltage, current and total PoE budget (IPGS-5400-2P-PT) and send SNMP traps and emails on any abnormal event.
• Factory reset button and watchdog design - the factory reset button restores the factory default settings; the watchdog can reboot the switch automatically under certain circumstances.
• Configuration backup and restore - supports text-editable configuration files for quick system installation, backup and restore.

With knowledge of ICT network administration, a bit of time and willingness, in a few steps we can definitely increase the security of our own network. The basic functions, and also the mechanisms of defence against intruders (Fig. 6, red padlock), can be the following:

Default Username and Password: the default username/password set by the manufacturer, allowing access to the router configuration, should be changed and set strong enough to prevent unauthorized access to our home network. The attacker will first attempt to enter the default password for our model, and then the passwords used in other models or similar devices in its class.

SSID: the Service Set Identifier (SSID) is the name of the network; it uniquely identifies a particular network, and wireless devices must know the SSID of a wireless network to connect to it. Manufacturers set a default SSID that identifies the device (the name betrays its potential default password). The SSID is sent in plain text, so it can be easily overheard using sniffers; therefore the SSID cannot be treated as a protection of the network. Some believe that SSID broadcasting should be disabled to impede unauthorized users of the network. However, this does not improve the security of the network, because the SSID is sent by any authorized station when connecting to an access point and can then be eavesdropped. Not only that: with SSID broadcasting off, the network is vulnerable to a person with evil intentions masquerading as an access point, so that the data of the network's users may be in danger [13].

Wireless Security: there are three types of wireless security on routers or access points:

• WEP (Wired Equivalent Privacy),
• WPA (Wi-Fi Protected Access),
• WPA2 (Wi-Fi Protected Access 2).

Fig. 6. ITC security functional diagram of Smart Grid.


It is always advisable to use WPA2 encryption with CCMP/AES, which is the safest option. If WPA2 is not supported by the router, WPA with TKIP/RC4 is an alternative, but WEP is the least secure option and should be avoided because it is easy to break. WPA may use the following modes:

• Enterprise – uses a RADIUS server (for business use), which assigns the keys to the right users,

• Personal – does not assign keys to individual users; all connected stations use a shared key, the PSK (Pre-Shared Key). It is used e.g. in the HAN or Wi-Fi.

Limit Network Coverage: it is always advisable to limit the broadcast coverage of a network to prevent the intruders from gaining access to a home network.

Disable Remote Management: this feature should be disabled on the router to prevent intruders from accessing and changing the configuration of the router. If remote administration is necessary, it should be realized via non-standard ports.

Firmware Update: one should check to see if there is a new firmware version for the router. After the security configuration in the router, one should make a copy of the settings and store it in a safe place in case of a forced device settings reset.

Static DHCP reserved IP addresses: since a router assigns a private IP address to a particular device to share the Internet connection using DHCP, the pool of reserved IP addresses should be limited, so that the router cannot assign an IP address to a device trying to get unauthorized access to the home network; the number of IP addresses reserved should equal the number of devices needing Internet access within the home network. An additional difficulty for an intruder is a change from classic Class C addressing to Class A or B with a very unusual subnet mask, and thus unusual initial and final subnet addresses and broadcast address.

Network Filter: enabling Media Access Control (MAC) address filtering in a router prevents an unauthorized client from getting an IP address and joining the network. Devices with addresses that are not included in the filter list will be dropped, and a device that wants to establish a connection cannot access the transmission medium. In addition, this information and the MAC address of the device, along with the date and the result of the event, will be saved in the router's logs.

Universal Plug and Play (UPnP): this feature allows network devices to discover and establish communication with each other on the network. It makes the initial network configuration easy, but it should be disabled when not needed, because malware within the network could use UPnP to open a hole in the router firewall to let intruders in.

Turn On Firewall: a router has an inbuilt firewall which should be activated and configured properly to allow only authorized users to access the home network; it is advisable to create a black list of unauthorized websites, services etc. The firewall should also be configured not to reply to ping requests, to avoid exposing the home network to intruders, and it should be used to control both incoming and outgoing traffic.

Network Management Tool: an efficient network management tool can be used to monitor and manage a network and prevent intruders from gaining unauthorized access to it. Other advisable security measures are disabling remote upgrade, unnecessary services and the Demilitarized Zone (DMZ) feature of a router. One should change passwords frequently on all networking devices and make them strong enough that they cannot be easily guessed by an intruder [14].

In order to maintain a high level of security, it is necessary to observe predefined procedures and security policies. A grid of meters and concentrators starts to look more and more like a traditional corporate network, which means that similar security measures can be put in place, including systems for intruder detection, access control and event monitoring. Especially vulnerable to packet data attacks are concentrators which, connected to Ethernet switches, utilize the commonly used TCP/IP protocol [15].

VI. CONCLUSION

It is quite a challenge to protect each and every one of the extensive distribution systems, with cyberterrorism becoming a particularly serious problem. These days, destroying important objects (factories and power plants, but also computer databases) does not require significant power or resources. Examples show that a single person with proper knowledge and access to computer technology is able to perform a successful attack on a power grid. Additionally, cyberterrorism is cheap, does not put the perpetrator in immediate danger and can be catastrophic in its results. By disrupting the operation of banking computer systems, a cyberterrorist could cause a collapse of the world economy. By introducing false data into systems managing military, power and fuel infrastructure, they could initiate explosions of pipelines, demolition of water intakes and destruction of nuclear power plants [16].

Fig. 7. Substation automation architecture with possibility of access.

In the future, an important role in this area will be played by the realization of infrastructure and the delivery of preconfigured devices by Internet Service Providers. With time, we can expect more auto-configuring devices, which at least in part allow simple configurations. Unfortunately, in many cases this solution will not provide an adequate level of security. There are many methods to ensure safety. Even very simple solutions, such as changing the default password or hiding the name of the wireless network, are able to fend off a novice attacker. On the other hand, we cannot require that each user be a specialist in telecommunications or computer science. Thus, in the next ten years, electricity suppliers will need specialists who possess the practical skills and IT knowledge that may be used in the energy sector. Smart Grid ICT specialists will take care not only of home device configuration or running such systems in Local Area Networks, but also of broadly understood security of information transmission in Metropolitan Area Networks or Wide Area Networks. A separate group will specialise in databases, computer networks, business analysis layers and complex Enterprise Resource Planning systems.

Moreover, it is becoming increasingly important to ensure data verification, reliability and security. In order to decrease the amount of incorrect data, grids are secured from hacker attacks. Security policy procedures that hamper the work of normal application users are constantly being added. It is not difficult to predict the consequences of such security policies.

A network or system project can be divided into three stages: design, implementation and use. For each of them there is a recommendation consistent with a high grade of safety.

In the design stage, be sure to use only the required hardware and software. Redundancy (except for redundant links, used to provide high availability and reliability) promotes the formation of additional security vulnerabilities in the system. Unused services should remain disabled or blocked by a firewall. Assigned user rights should be reduced to a minimum. In addition, the network should be designed to limit the ability to connect foreign devices, e.g. by disabling unused ports on network switches and requiring authorization to change the above-mentioned settings. Similarly, in the case of workstations and servers, turn off all unused interfaces that can facilitate an intrusion, such as USB, FireWire or Bluetooth. At the design stage, network monitoring mechanisms, such as the aforementioned firewall, intrusion detection, etc., should be included. Access to services should also be limited to only those parts of the network where it is necessary (Fig. 7). The services themselves should be started with the lowest possible privileges. A common mistake is to run all services with administrator privileges, even when it is not required. A very important aspect of security is structuring it so that it is convenient for the user and does not encourage him to bypass security to "take shortcuts". The implementation phase should, as far as possible, be carried out in accordance with the project documentation, and in the event of any discrepancy, any changes must be documented and included in the policy.

Frequently overlooked and forgotten in the use phase is the continuous updating of documentation and the security policy. The operating stage, beyond the use of computer systems and networks, should take into account the aforementioned network monitoring and tracking of anomalies, including periodic penetration testing to find possible gaps an attacker could use.

REFERENCES

[1] G. Clarke, D. Reynders, "Practical Modern Scada Protocols: Dnp3, 60870.5 and Related Systems," Newnes, pp. 47–51.
[2] 1815-2012 – IEEE Standard for Electric Power Systems Communications – Distributed Network Protocol (DNP3), 2012.
[3] Core IEC standards, IEC 61850: Power Utility Automation, IEC 62351: Security. Available: http://www.iec.ch/smartgrid/standards/
[4] Telecontrol Equipment and Systems – Part 5-104: Transmission Protocols – Network Access for IEC 60870-5-101 Using Standard Transport Profiles, IEC Standard 60870, 2006.
[5] IEC Telecontrol Equipment and Systems – Part 5-101: Transmission Protocols – Companion Standard for Basic Telecontrol Tasks, IEC Standard 60870, 2003.
[6] IEC Standard TC57. [Online]. Available: www.tc57.iec.ch
[7] C. Xavier, "Power Line Communications in Practice," Artech House, 2006.
[8] K. Billewicz, "Problematyka bezpieczeństwa informatycznego w inteligentnych sieciach," Instytut Energoelektryki Politechnika Wrocławska, 2012.
[9] A.T. Kearney GmbH, "Raport Technologiczny, Infrastruktura Sieci Domowej (ISD) w ramach Inteligentnych Sieci / HAN within Smart Grids," 2012.
[10] M. J. Cronin, "Smart Products, Smarter Services. Strategies for Embedded Control," Cambridge University Press, 2010.
[11] K. Billewicz, "Smart Metering. Inteligentny system pomiarowy," Instytut Energoelektryki Politechnika Wrocławska, Wydawnictwo Naukowe PWN, 2012.
[12] Lantech documentation of Industrial IEC 61850-3 Switches. Available: http://www.lantechcom.tw/global/eng/IGS-5400-2P-PT.html
[13] W. Lewis, "LAN Switching and Wireless: CCNA Exploration Companion Guide (Cisco Networking Academy Program)," Cisco Press, 2008.
[14] R.C. Parks, "Advanced Metering Infrastructure – Security Considerations," Sandia Report, Sandia National Laboratories, November 2007.
[15] T. Flick, J. Morehouse, "Securing the Smart Grid. Next Generation Power Grid Security," Elsevier Inc., 2011.
[16] A. Fronczak, P. Fronczak, "Świat sieci złożonych. Od fizyki do Internetu," Wydawnictwo PWN, 2009.