Cyber Security in Substation Automation (IEC 61850)

Transcript
Page 1: Cyber Security in Substation Automation (IEC 61850)

CYBER SECURITY IN SUBSTATION AUTOMATION

(IEC 61850)

Braguta M.V., Nikandrov M.V., August 2014

Page 2: Cyber Security in Substation Automation (IEC 61850)

Modern Control Systems: Trends and Risks

• Recent trend: Migration to Ethernet/IP network protocols

• High density of Intelligent Electronic Devices (IEDs) per controlled unit

• Real-time telemetry transmission is in high demand

• Lack of security at the control device level; common practice of using default access parameters

• Lack of Cyber Security knowledge and incident readiness

Major Risks:

- Unauthorized remote access to control room, devices, manufacturing process
- Information theft, modification, altering network data
- Possible denial of service, sabotage of the manufacturing process

Page 3: Cyber Security in Substation Automation (IEC 61850)

Industry Incidents by Verticals


Energy sector is the most affected industry

Page 4: Cyber Security in Substation Automation (IEC 61850)

The Attack Vectors

[Diagram: substation network. Labels: internet; corporate network; control center; routers; switches; Ethernet networks; operator workstations 1 and 2; engineering workstations; redundant server station; object management; relay protection terminals; 220 kV overhead line W2E with equipment designators K2E, QW2E, QS2, QS3, QSG 2, QSG3.1, QSG3.2]

Page 5: Cyber Security in Substation Automation (IEC 61850)

Information Disclosure: public websites

Page 6: Cyber Security in Substation Automation (IEC 61850)

Social Networks Risks

[Screenshot annotations: (company), (belgorodenergo), (JSC MRSK-Centra belgorodenergo), (Alexander has 516 friends)]

Page 7: Cyber Security in Substation Automation (IEC 61850)

USB devices: Major source of infection


Page 8: Cyber Security in Substation Automation (IEC 61850)

Ransom Blockers at Control Room


Page 9: Cyber Security in Substation Automation (IEC 61850)

IEC 61850 Capabilities

Advantages:

- Promotion of high interoperability between systems from different vendors
- Definition of basic services

Main protocols: MMS and GOOSE

Page 10: Cyber Security in Substation Automation (IEC 61850)

1. Spoofing of MMS

Sending false positioning control data to SCADA system

• Record network traffic

• Analyze transferred data

• Construct message

• Send to SCADA


Page 11: Cyber Security in Substation Automation (IEC 61850)

Constructing Message


Page 12: Cyber Security in Substation Automation (IEC 61850)

Sending to SCADA

http://youtu.be/MbxRhQP42N0

Page 13: Cyber Security in Substation Automation (IEC 61850)

2. Spoofing MMS

Sending the false position of the breaker to relay protection terminal

• Record network traffic

• Analyze transferred data

• Construct message

• Send to Relay Terminal


Page 14: Cyber Security in Substation Automation (IEC 61850)

Sending to Relay Terminal

http://youtu.be/oh5IAN3euK4

Page 15: Cyber Security in Substation Automation (IEC 61850)

RESULT OF UNAUTHORIZED COMMAND


Page 16: Cyber Security in Substation Automation (IEC 61850)

3. GOOSE spoofing - easy!

Sending false commands to the relay terminal from another relay terminal

• Record network traffic

• Analyze transferred data

• Edit message

• Publish the message

Page 17: Cyber Security in Substation Automation (IEC 61850)

Edit the Message


Page 18: Cyber Security in Substation Automation (IEC 61850)

Sending False GOOSE Message

http://youtu.be/fdnPkqIUWfA

Page 19: Cyber Security in Substation Automation (IEC 61850)

Result of the Spoofing

GOOSE spoofing can be applied to all relay terminals certified by "Rosseti" (Russian power company)

Page 20: Cyber Security in Substation Automation (IEC 61850)

Prevention and Protection

The IEC 61850 standard supports RSA digital signatures.

However, NONE of the IED relays available on the market offer support for digital signatures.

Page 21: Cyber Security in Substation Automation (IEC 61850)

Antivirus Issue: False Positive is quite dangerous


Page 22: Cyber Security in Substation Automation (IEC 61850)

Suggestions

Short-term goals:

• Stop ignoring the problem;

• Allocate Cyber Security Personnel Education & Awareness time in the Security Policy. Cover Basic Cyber Security and Social Engineering at least 1-2 times per year;

• Reduce the attack surface and mitigate attack vectors using available methods and security standards;

Long-term goals:

• Deploy Industrial Antivirus solutions certified for the manufacturing zone;

• Use Intrusion Detection and Deep Packet Inspection systems;

• Add an Integrity control system to protect manufacturing zone subnets and network assets. Detect unknown or unauthorized assets in the network perimeter;

• Be able to isolate and manage device firmware and detect unauthorized access or modifications;

• Plan to migrate to encrypted network communications in the manufacturing zone.
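An added example, not from the original slides: one deep-packet-inspection check of the kind the long-term goals call for, aimed at the GOOSE spoofing shown earlier. It parses GOOSE frames (EtherType 0x88B8) and flags a control block that is published from an unexpected source MAC or whose stNum/sqNum counters repeat, go backwards or jump. The publisher allowlist, the alert names and `sample_frame` (which builds constructed test frames) are assumptions made for illustration.

```python
GOOSE_ETHERTYPE = b"\x88\xb8"  # EtherType assigned to IEC 61850 GOOSE
def _ber_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index of first value byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_goose(frame):
    """Return (src_mac, gocbRef, stNum, sqNum), or None if not parseable GOOSE."""
    off = 16 if frame[12:14] == b"\x81\x00" else 12   # skip an 802.1Q VLAN tag
    pdu = frame[off + 10:]    # past EtherType, APPID, Length, Reserved1, Reserved2
    try:
        if frame[off:off + 2] != GOOSE_ETHERTYPE or pdu[0] != 0x61:
            return None
        fields, i = {}, _ber_len(pdu, 1)[1]
        while i < len(pdu):   # context tags: 0x80 gocbRef, 0x85 stNum, 0x86 sqNum
            tag, (n, i) = pdu[i], _ber_len(pdu, i + 1)
            fields[tag] = pdu[i:i + n]
            i += n
        return (frame[6:12].hex(":"), fields[0x80].decode("ascii"),
                int.from_bytes(fields[0x85], "big"), int.from_bytes(fields[0x86], "big"))
    except (IndexError, KeyError, UnicodeDecodeError):
        return None

def audit(frames, publishers):
    """Return [(frame index, alert)]; publishers maps gocbRef -> expected source MAC."""
    last, alerts = {}, []     # last: gocbRef -> last accepted (stNum, sqNum)
    for idx, frame in enumerate(frames):
        msg = parse_goose(frame)
        if msg is None:
            continue
        src, ref, st, sq = msg
        pst, psq = last.get(ref, (st, sq - 1))
        if publishers.get(ref) != src:
            alerts.append((idx, "unexpected-publisher"))
        elif st < pst or (st == pst and sq <= psq):
            alerts.append((idx, "stale-or-replayed"))
        elif st > pst + 1:
            alerts.append((idx, "stnum-jump"))
        else:
            last[ref] = (st, sq)   # only clean frames advance the baseline
    return alerts

def sample_frame(src, ref, st, sq):
    """Constructed test frame (not a capture) carrying only gocbRef, stNum, sqNum."""
    body = bytes([0x80, len(ref)]) + ref.encode() + bytes([0x85, 1, st, 0x86, 1, sq])
    head = bytes.fromhex("010ccd010001" + src.replace(":", "")) + GOOSE_ETHERTYPE
    return head + bytes([0, 1, 0, 10 + len(body), 0, 0, 0, 0, 0x61, len(body)]) + body
```

A publisher reboot resets stNum and keeps raising stale alerts until the baseline is cleared. A frame that forges the source MAC and continues the sequence passes on its own, but the genuine publisher's next retransmission then collides with it and is flagged.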

Page 23: Cyber Security in Substation Automation (IEC 61850)

Conclusions

• Power Control Systems need a special, carefully designed Cyber Security Policy;

• The overall state of the Organization's Cyber Security Policy is poor and demands immediate attention;

• The Organization's Cyber Security Policy must be reconsidered in general with respect to the latest Local and International standards and advisories, the growing danger of ICS threats and the lack of personnel readiness to detect threats;

• Power Control Systems require a Security Audit of all facilities as well as Compliance with modern Cyber Security standards and practices (local and international);

• Cyber Security requirements must be considered during the design and implementation stages for all new objects and facilities;

• All Cyber Security systems must go through extensive testing before being installed in the Control room or connected to power equipment. The testing should be done at the manufacturing level as well as at the Organization's testing facilities in a close-to-real-world environment.

Page 24: Cyber Security in Substation Automation (IEC 61850)

Thank you for your time!

Nikandrov

Special appreciation to «Kaspersky Lab»
