
Cyber Security in communication of SCADA systems using IEC 61850

Robert CZECHOWSKI*, Paweł WICHER*, Bernard WIECHA*
Department of Electrical Power Engineering, Wroclaw University of Technology, Wroclaw, Poland
robert.czechowski@pwr.edu.pl, pawel.wicher@pwr.edu.pl, bernard.wiecha@pwr.edu.pl

Abstract - Supervisory Control and Data Acquisition (SCADA) systems play the most important role in remote surveillance. The development of communication systems for new substations (renewable energy sources, smart grid houses, new energy sources in the power network) increases the number of nodes in the data communications network, and with it the number of possible ways to connect to the SCADA system. When a new substation is designed, the aspect of cyber security is not taken into account; the design is limited to choosing the mode of communication within the station and the method of communication with the SCADA system. Communication projects are mostly based on the IEC 60870-5 [1], DNP3 [2] and IEC 61850 [3] protocols at substation (SS) level; the connection to SCADA mostly works with the IEC 60870-5-104 [4] transmission protocol or DNP3.0. IEC 60870-5-104 provides network access for IEC 60870-5-101 [5] based on the Transmission Control Protocol/Internet Protocol (TCP/IP), and can be utilized for basic telecontrol tasks in SCADA systems. However, the IEC 60870-5-104 protocol transmits messages in clear text without any authentication mechanism. Furthermore, the IEC 60870-5-104 protocol is based on TCP/IP, which has cyber-security issues of its own. (IEC/104 is used as the notation instead of IEC 60870-5-104 in the remainder of the paper.)

Keywords: cyber security, smart power grid, internet protocol, digital communication.

I. INTRODUCTION

The most common external threats that we encounter on a daily basis are automated attacks through viruses, Trojans and software vulnerabilities on the victim workstation. Often, the main purpose of such attacks is to add workstations to a botnet (a network of infected computers forming a group over which control is exercised by the creator of the malicious software). These risks are relatively easy to detect and remove through the use of up-to-date software, a virus definition subscription and anti-spyware tools. It should however be borne in mind that many viruses can also lead to an unstable operating system, and even to loss of data integrity on an infected machine.

Another type of external threat is the coordinated direct attack aimed at the acquisition or modification of data on the victim machine. These attacks are usually performed using 0-day vulnerabilities (i.e. newly disclosed information about a vulnerability) and gaps caused by incorrect configuration. To a greater extent they concern machines available at public IP addresses, such as servers.

Fig. 1. Digital communication in Power Line network as OSI model conception.

This paper was realized within NCBR project: ERA-NET, No 1/SMARTGRIDS/2014, acronym SALVAGE. "Cyber-Physical Security for the Low-Voltage Grids".

From the perspective of digital station technology, a particular threat is the combination of a direct and an automatic type of attack. An example of such a threat is the Stuxnet worm, discovered in 2009 in Iranian nuclear power plants. After infecting a machine, this worm tries to access and modify the PLC software of a specific manufacturer's SCADA system. It is an example of both an automatic threat, difficult for antivirus software to detect because of its narrow specialization, and a direct one, because it takes into account known weaknesses of the affected system (in this case, the default password left in place for PLC configuration). Despite the fact that creating such a worm requires a significant financial effort, this type of threat should be taken into consideration. The basic tools used to protect against attacks are:

Antivirus software - can run in monitor mode (automatic, ongoing checking of processed files) and scan mode (searching disks on request). Its effectiveness depends primarily on how current the signatures of known viruses are. In some cases the AV can identify malicious software by heuristic methods; in that case the flagged files are actually harmful only with a certain probability. As a result, the AV can detect not only known malicious software but also suspicious program code.

Firewall - software, or hardware with dedicated software, that filters network traffic so that only traffic complying with certain rules is passed. It is most often associated with blocking access from the external network to the internal network or local workstation. Another important function, but one often
overlooked because of its cumbersome configuration, is blocking outgoing traffic. This protects data before it leaves the local area network or workstation. A very important function is monitoring and recording the most important events in a log. A correctly configured firewall makes it possible to repel known types of attack.

Software patches - corrections made available by the software or operating system manufacturer. It is very important to keep the system and programs at the most current possible versions. Significant gaps are of the 0-day type, which are not widely known. With time, however, knowledge of how to exploit such a gap becomes easy to obtain, and a PC running an outdated version can easily become the victim of an attack.

Encryption of connections - to ensure the confidentiality of information transmitted over computer networks, it is recommended to use encryption algorithms. In a client-server architecture, data is transferred in the form of ciphertext, illegible to anyone other than the transmission endpoints. Encryption is especially recommended during authentication, so that the username and password are not sent over the network in clear text. Optionally, one can also use intrusion detection systems (IDS) operating on the basis of signatures (searching packets for data strings typical of attacks) or heuristics (analyzing headers and protocols) on reassembled, i.e. combined, packets. Because of the delay it introduces, reassembly can be used only in those parts of the network where such delays are acceptable. More elaborate systems allow intrusion prevention (Intrusion Prevention System, IPS) by responding to abnormal behavior in the network. Signature-based operation requires live signature updates.

II. PRESENT PROBLEMS IN SMART COMMUNICATION

At substation (SS) level the standard protocol is IEC 103 or DNP 3. Each protection manufacturer has its own implementation of the standard, which is not always compatible with SCADA or RTU manufacturers. IEC 61850 was developed by IEC Technical Committee 57 by a group of manufacturers (ABB, Alstom, Schneider, SEL, Siemens, Toshiba, etc.) and electrical utilities (Electricité de France, Iberdrola, Hydro-Québec, etc.) with the target of improving the interoperability of equipment [6]. IEC 61850 is completely different from all the protocols we have been using in substations, and it changes everything: it describes how the connection should work (the exchange of information between RTU and IED) (Fig. 2). In IEC 61850, data object modelling replaces addresses that carry no meaning. Modelling is based on Logical Nodes (LN), a named grouping of data and associated services, everything of which relates to a protection or control function. For example, PTOC represents overcurrent protection, while measurements are in the LN MMXU, from which we can read power, voltages, currents, etc. The protocol works over standard TCP/IP, i.e. over a standard network connection like the one at home. It has more advantages than defects. Ethernet protocols are easy to implement, and for cybersecurity we can use the same algorithms as in banking or standard Ethernet networks (Fig. 1).

Security threats concerning connection to the substation system can be divided into two parts, based on physical and cyber assets. Physical assets are hardware like GSM modems, wireless routers and Bluetooth sticks, and also IEDs connected somewhere in the substation. Cyber assets are software, gates in the firewall and open ports. These gates help an intruder connect at substation level. With the IEC 103, DNP and MODBUS protocols the way in is, of course, somewhat easier at substation level.

Fig. 2. Communication in Ethernet network based on IEC 61850.

III. PRESENT PROBLEMS IN SMART COMMUNICATION

The first problem for an intruder is how and where to connect. Someone who connects between RTU and IED gets access to only one bay. The potential place of attack is between SCADA and the substation: someone who installs a converter in the telecommunication room, or connects between SCADA and RTU, gets access to all devices. In these protocols, when a command is sent nothing is left in the history (maybe only a trip in the system). Serial protocol implementations lack both the confidentiality and the strong integrity guarantees that would prevent attacks on the wire. An attacker who connects to these protocols is able to send commands, read values and send data to SCADA, causing disruption. The current state of security of these SCADA protocols encourages an attacker to try connecting to some object. In a power station or industrial SCADA, the best security is an isolated network that prevents such a situation (Fig. 3). No one checks what is connected in the telecommunication room, so serial protocols are quite easy to attack, and it is really hard to identify whether there was an attack or not.

Things are different when TCP/IP communication is used. The IEC 62351 standard defines security for the TC57 protocols that work over TCP/IP. A connection over Ethernet is more secure because communication takes place between a client and a server; the first problem for an attacker is to connect to the RTU as a server. However, the SAS allows remote access, since in the substation a separate channel is used for various purposes; it is used to remotely access and manage data or to correct settings.
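The logical-node naming and the IEC 62351 role-based security mentioned in this section, as an added example (not code from the paper or from any IED or SCADA product): a parser for IEC 61850 object references such as PTOC1.Op.general, an access check that refuses requests that make no sense for the logical node (writing a measurement in MMXU) or that the caller's role does not permit, and a decision log giving the history this section says the serial protocols lack. The role names, the permission tables, the CSWI/XCBR entries and the sample references are assumptions.

```python
"""IEC 61850 object references with IEC 62351-style role checks and an audit trail.
Added example, not code from the paper or from any IED/SCADA vendor. It models the
naming this section describes (logical device / logical node / data object / data
attribute, e.g. PTOC for overcurrent protection, MMXU for measurements). Role names
follow IEC 62351-8 loosely; the permission tables, the CSWI/XCBR entries and the
sample requests are assumptions made for the example."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# LDName/[Prefix]LNClass[Inst].DO[.SDO...].DA   e.g. "SubA_PROT1/PTOC1.Op.general"
_REF_RE = re.compile(
    r"^(?P<ld>[A-Za-z][A-Za-z0-9_]*)/"
    r"(?P<prefix>[A-Za-z0-9_]*?)(?P<lnclass>[A-Z]{4})(?P<inst>\d*)"
    r"\.(?P<path>[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)$"
)


@dataclass(frozen=True)
class ObjectRef:
    ld: str                  # logical device, e.g. SubA_PROT1
    prefix: str              # optional LN prefix, e.g. Q1
    ln_class: str            # four-letter logical node class, e.g. PTOC
    ln_inst: str             # LN instance number as written, e.g. "1"
    path: Tuple[str, ...]    # data object / attribute path, e.g. ("Op", "general")


def parse_ref(ref: str) -> ObjectRef:
    """Split an object reference into its IEC 61850 naming parts."""
    m = _REF_RE.match(ref)
    if m is None:
        raise ValueError(f"not an IEC 61850 object reference: {ref!r}")
    return ObjectRef(m["ld"], m["prefix"], m["lnclass"], m["inst"], tuple(m["path"].split(".")))


# Services that make sense per logical node class (assumed table).
# "write" changes a setting such as PTOC1.StrVal; "operate" issues a control.
LN_SERVICES = {
    "PTOC": frozenset({"read", "write"}),    # overcurrent protection: readable, settable
    "MMXU": frozenset({"read"}),             # measurements: never writable or operable
    "CSWI": frozenset({"read", "operate"}),  # switch controller (assumed entry)
    "XCBR": frozenset({"read", "operate"}),  # circuit breaker (assumed entry)
}
# Role -> permitted services, loosely after IEC 62351-8 (assumed table).
ROLE_SERVICES = {
    "VIEWER": frozenset({"read"}),
    "OPERATOR": frozenset({"read", "operate"}),
    "ENGINEER": frozenset({"read", "write"}),
}


@dataclass
class AccessController:
    """Decides each request and records it: the history that serial links leave no trace of."""
    audit: List[str] = field(default_factory=list)

    def authorize(self, user: str, role: str, service: str, ref: str) -> bool:
        try:
            obj = parse_ref(ref)
        except ValueError as exc:
            return self._log(user, role, service, ref, False, str(exc))
        if obj.ln_class not in LN_SERVICES:
            return self._log(user, role, service, ref, False, f"unknown LN class {obj.ln_class}")
        if service not in LN_SERVICES[obj.ln_class]:
            return self._log(user, role, service, ref, False, f"{service} not valid for {obj.ln_class}")
        if service not in ROLE_SERVICES.get(role, frozenset()):
            return self._log(user, role, service, ref, False, f"role {role} lacks {service}")
        return self._log(user, role, service, ref, True, "ok")

    def _log(self, user, role, service, ref, allowed, reason) -> bool:
        verdict = "ALL0W".replace("0", "O") if allowed else "DENY"
        self.audit.append(f"{verdict} user={user} role={role} {service} {ref} ({reason})")
        return allowed


if __name__ == "__main__":
    ac = AccessController()
    # Constructed requests: a viewer reading a measurement, an operator trying to change
    # a protection setting, an engineer changing it, a switch operation, a bad reference.
    ac.authorize("anna", "VIEWER", "read", "SubA_MEAS1/MMXU1.TotW.mag.f")
    ac.authorize("bob", "OPERATOR", "write", "SubA_PROT1/PTOC1.StrVal.setMag.f")
    ac.authorize("eve", "ENGINEER", "write", "SubA_PROT1/PTOC1.StrVal.setMag.f")
    ac.authorize("bob", "OPERATOR", "operate", "SubA_CTRL1/Q1CSWI2.Pos.ctlVal")
    ac.authorize("mallory", "VIEWER", "operate", "not a reference")
    print("\n".join(ac.audit))
```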
Access to the substation via the engineering channel is less secure, because this network is mostly not isolated and is even connected to the standard industrial network with limited access. Existing remote access to IEDs offers a password, but in most substations it is the same, like 000000, AAAA, aaaa or 1234, and in most companies the password is well known to everyone. The only way to disable access for certain individuals is to change the password periodically.

Most IEDs/RTUs use role-based authentication. In conclusion, when we use protocols working on the IEC 62351 security standard, we have many options to secure access, such as Active Directory rights and user authentication. An intruder will mostly try to connect over the serial protocols (Fig. 4) or over the remote maintenance connection, which is mostly less secure, and employees do not care who has access.

IV. SAFETY FEATURES AND DETECTION OF ATTACKS

Increased automation and communication within smart grids certainly comes with many benefits, but it is not devoid of flaws either: with the arrival of ICT technology in a new branch of industry hitherto unknown to such solutions, there will surely be individuals willing to test their skills and abilities, which translates into increased vulnerability of these grids to attacks. Ensuring years of proper functionality of such grids, their safety and their protection from cyber-criminals or hacker attacks becomes a serious problem [7]. Resources protected in smart power grids are: access to management software, inventory of computer equipment, company data, personnel (including a list of ICT/AMI specialists), documentation of metering equipment, e.g. access to the ERP (Enterprise Resource Planning) system and the company's critical data: data concerning contractors, commercial information, data endangering the positive image, ways of unauthorized access, the so-called Information Security Policy [8].

Fig. 3. Example diagram of information flow in SCADA systems using IEC 61850.

In summary, attacks on smart power grids can be divided as follows:
a) by the attack location in the power supplier infrastructure:
- attack on AMI devices (main meters),
- attack on the data transmission medium and intermediate devices (active and passive),
- attack on the operator's datacenter (extortion of passwords and access to services by use of various techniques, even bordering on social engineering; attack on access control servers, databases, warehouses and permissions);
b) by the target and scale of a potential attack:
- attack on a single client [9],
- attack on the functionality of the entire system or its significant portion [10].

Transformation of the current grid structure into a smart grid necessitates a series of novel security solutions borrowed from already used ones. Typical problems of modern computing include hacking, data theft and even cyberterrorism, which will sooner or later also affect power grids. The introduction of smart power grids through the installation of remote reading meters and electronic grid elements, and the construction of new information systems holding data on energy usage, causes many new security-related problems for power engineers.

A complex multi-layered security system requires an overall concept of providing information security. Security in the smart grid can be divided into three groups:
a) by the continuity and security of services:
- ensuring continued electrical energy supply at a contractually guaranteed level, binding the supplier and customer (this also concerns cases of bidirectional energy transfer in smart grids with the participation of
prosumers),
- ensuring confidentiality of information on clients and security of the statistical data generated by them, such as the amount consumed, the time of greatest energy demand or of its total absence,
- security of the energy distribution management process, and telemetry and personal data protection in datacenters;
b) by security class:
- protection from unauthorized access to digital data transmission media and physical security of devices in intermediate stations,
- protection of end-use telemetric devices from unauthorized access, transmission disruption or complete lock of their activities,
- analytical optimization models and decision-making processes;
c) by policy:
- data access policy: user authorization, permission management,
- management security policy: investment processes, principles and rules,
- system security policy: reaction to incidents, managing confidential information like passwords and cryptographic keys.

Making an ICT power grid available for the needs of external users is a potential source of threat. It is necessary to separate information transferred for the needs of the power sector from external traffic. Moreover, administrative and office traffic should also be separated from traffic related to remote supervision of energy facilities. The most commonly encountered problems related to incorrect grid architecture design and its management are:
- lack of proper security architecture,
- errors in information security management,
- software errors,
- human errors and intentional actions,
- insufficient security monitoring.

The most common threats to information systems include:
- blocking access to a service,
- hacking into an information system's infrastructure,
- data loss,
- data theft,
- confidential data disclosure,
- information falsification,
- software code theft,
- hardware theft,
- damage to computer systems [11].

Fig. 5. Exchange communication in SNMP version no 3.

V. GOOD PRACTICES IN SECURING LOW/MEDIUM VOLTAGE POWERLINE NETWORKS

In order to ensure safety, monitoring of network traffic must be taken into account in the policy. For this purpose one can use the event logs obtained from the firewall described earlier. More complex and better filtered information is available from an intrusion detection system (IDS), which greatly facilitates the observation of anomalies in network traffic. In the case of active network devices, i.e. network switches, solutions with trouble-reporting software should be used; this facilitates diagnosis in case of incorrect operation of the network and significantly reduces the time needed to solve the problem.

In order to verify the proper operation of the above-mentioned mechanisms, penetration tests involving the simulation of attacks and system errors should be performed periodically. In this way one obtains information on whether all known methods of attack are captured by the network protection mechanisms.
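The traffic monitoring described above applied to the IEC/104 protocol the abstract singles out, as an added example (not code from the paper or from any SCADA product): a passive decoder for IEC 60870-5-104 APDUs that records every control command it sees and alerts when a command comes from a host outside the expected SCADA masters, which is all a monitor can verify since the protocol carries no authentication. The frames, IP addresses and allowed-master list are constructed for the example.

```python
"""Passive IEC 60870-5-104 (IEC/104) monitor: added example, not from the paper or any product.
IEC/104 carries commands in clear text without authentication, so a monitor can only decode
what it sees and check where it came from; this one logs every control command and alerts on
commands from a host that is not an expected SCADA master. Frames and addresses are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TYPE_NAMES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
              100: "C_IC_NA_1 interrogation command"}
COMMAND_TYPES = set(TYPE_NAMES)       # ASDU types treated as control actions
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             20: "interrogated by station interrogation"}
U_NAMES = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
ALLOWED_MASTERS = {"10.10.1.10"}      # constructed: front-ends allowed to send commands

@dataclass
class Apdu:
    fmt: str                          # "I" information, "S" supervisory, "U" unnumbered
    send_seq: Optional[int] = None
    recv_seq: Optional[int] = None
    type_id: Optional[int] = None
    cot: Optional[int] = None         # cause of transmission
    common_addr: Optional[int] = None # common address of ASDU (the station)
    ioa: Optional[int] = None         # information object address
    detail: str = ""

def decode_apdu(raw: bytes) -> Apdu:
    """Decode one APDU: start byte 0x68, length, four control octets, then the ASDU."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC/104 APDU")
    if raw[1] != len(raw) - 2:
        raise ValueError("APDU length field does not match frame size")
    c1, c2, c3, c4 = raw[2:6]
    if c1 & 0x01 == 0:                # I-format: numbered frame carrying an ASDU
        apdu = Apdu("I", send_seq=(c1 >> 1) | (c2 << 7), recv_seq=(c3 >> 1) | (c4 << 7))
        _decode_asdu(apdu, raw[6:])
        return apdu
    if c1 & 0x03 == 0x01:             # S-format: acknowledges received I-frames
        return Apdu("S", recv_seq=(c3 >> 1) | (c4 << 7))
    return Apdu("U", detail=U_NAMES.get(c1, "unknown U-frame"))

def _decode_asdu(apdu: Apdu, asdu: bytes) -> None:
    """Fill in the ASDU header and the first information object only."""
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    apdu.type_id, _vsq, cot, _orig, apdu.common_addr = struct.unpack("<BBBBH", asdu[:6])
    apdu.cot = cot & 0x3F             # bits 6 and 7 are the test and negative-confirm flags
    apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    body = asdu[9:]
    if not body:
        return
    sel = "select" if body[0] & 0x80 else "execute"
    if apdu.type_id == 45:            # SCO: bit 0 = state, bit 7 = select/execute
        apdu.detail = f"{'ON' if body[0] & 1 else 'OFF'} {sel}"
    elif apdu.type_id == 46:          # DCO: bits 0-1 = 1 OFF, 2 ON
        state = {1: "OFF", 2: "ON"}.get(body[0] & 0x03, "invalid")
        apdu.detail = f"{state} {sel}"
    elif apdu.type_id == 100:         # QOI: 20 = station interrogation
        apdu.detail = f"QOI={body[0]}"

def monitor(frames: List[Tuple[str, str, bytes]]) -> Tuple[List[str], List[str]]:
    """Return (command history, alerts) for captured (src_ip, dst_ip, apdu) triples."""
    history, alerts = [], []
    for src, dst, raw in frames:
        try:
            apdu = decode_apdu(raw)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: undecodable frame ({exc})")
            continue
        if apdu.fmt != "I" or apdu.type_id not in COMMAND_TYPES:
            continue                  # measurements and link-control frames are not logged
        entry = (f"{src}->{dst} CA={apdu.common_addr} IOA={apdu.ioa} {TYPE_NAMES[apdu.type_id]} "
                 f"{apdu.detail} COT={COT_NAMES.get(apdu.cot, apdu.cot)}")
        history.append(entry)
        if src not in ALLOWED_MASTERS:
            alerts.append(f"command from unexpected host: {entry}")
    return history, alerts

# Constructed capture: one legitimate master session plus a command from a rogue host.
SAMPLE_FRAMES = [
    ("10.10.1.10", "10.10.2.20", bytes.fromhex("68 04 07 00 00 00")),                              # STARTDT act
    ("10.10.1.10", "10.10.2.20", bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),  # interrogation
    ("10.10.2.20", "10.10.1.10", bytes.fromhex("68 0e 00 00 02 00 01 01 14 00 01 00 01 10 00 01")),  # point reply
    ("10.10.1.10", "10.10.2.20", bytes.fromhex("68 0e 02 00 02 00 2d 01 06 00 01 00 01 10 00 01")),  # C_SC ON
    ("10.10.9.99", "10.10.2.20", bytes.fromhex("68 0e 00 00 00 00 2e 01 06 00 01 00 02 10 00 81")),  # rogue C_DC
]

if __name__ == "__main__":
    history, alerts = monitor(SAMPLE_FRAMES)
    print("\n".join(history + alerts))
```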
Fig. 4. Communication via RS485.

Fig. 6. ITC security functional diagram of Smart Grid.

SNMP assumes the existence of two types of devices in a managed network: managing and managed. A device (computer) is a manager (called NMS, Network Management Station) when it runs the appropriate SNMP manager program. A device is managed if it runs an SNMP agent program. Advantages and disadvantages: SNMP is currently the most popular protocol for managing networks (Fig. 5). Its popularity is due to the following advantages:

- relatively small additional load on the network generated by the protocol itself,
- a small set of commands, which lowers the cost of devices supporting it,
- low cost of implementation and operation.

The main disadvantage of SNMP is its inability to ensure the security of transmitted data (SNMP versions 1 and 2). Below are listed the main safety functions of telecommunication devices for digital communications that use SNMP and are compatible with IEC 61850 (IEC 61850-3, IEEE 1613) [12]:
- Protection: mis-wiring avoidance, repowered auto ring restore (node failure protection), loop protection.
- System Log: support for system log records and a remote system log server.
- DHCP: DHCP client / DHCP server / DHCP Option 82 / port-based and VLAN-based DHCP distribution (DHCP relay agent). MAC-based DHCP server: assigns IP addresses by MAC, which allows a dumb switch to be included in the DHCP network.
- DNS: DNS client feature with support for primary and secondary DNS servers.
- GOOSE monitoring: shows individual GOOSE TX/RX counters (IEC packets).
- Environmental monitoring: internal sensors detect temperature, voltage, current and total PoE budget (IPGS-5400-2P-PT) and send SNMP traps and e-mails on any abnormal event.
- Factory reset button and watchdog design: the factory reset button restores the factory default settings; the watchdog can reboot the switch automatically under certain circumstances.
- Configuration backup and restore: supports text-editable configuration files for quick system installation, backup and restore.

With knowledge of ICT network administration, a bit of time and the desire to do so, in a few steps we can definitely increase the security of our own network. The basic functions and mechanisms of defense against intruders (Fig. 6, red padlock) can be the following:

Default Username and Password: the default username/password set by the manufacturer, allowing access to the router configuration, should be changed and set strong enough to prevent unauthorized access to our home network. An attacker will first attempt to enter the default password for our model, and then the passwords used in other models or similar devices of its class.

SSID: the default Service Set Identifier (SSID) is the name of the network; it uniquely identifies a particular network, and wireless devices must know the SSID of a wireless network to connect to it. Manufacturers set a default SSID that identifies the device (and the name betrays its potential default passwords). The SSID is sent in plain text, so it can easily be overheard with sniffers, and therefore cannot be treated as network protection. Some believe that SSID broadcasting should be disabled to impede unauthorized use of the network. However, this does not improve the security of the network, because the SSID is sent by any authorized station when connecting to an access point, and can then be eavesdropped. Moreover, when SSID broadcasting is turned off, the network is vulnerable to a person with evil intentions masquerading as the access point, so that the data of the network's users may be in danger [13].

Wireless Security: there are three types of wireless security on routers or access points:
- WEP (Wired Equivalent Privacy),
- WPA (Wi-Fi Protected Access),
- WPA2 (Wi-Fi Protected Access 2).
It is always advisable to use WPA2 encryption with CCMP/AES, which is the safest option. If WPA2 is not supported by the router, WPA with TKIP/RC4 is an alternative, but WEP is the least secure option and should be avoided because it is easy to break. WPA may use the following modes:
- Enterprise uses a RADIUS server (for business use), which assigns keys to the right users;
- Personal does not assign keys to individual users; all connected stations use a shared key, the PSK (Pre-Shared Key). It is used e.g. in the HAN or home Wi-Fi.

Limit Network Coverage: it is always advisable to limit the broadcast coverage of a network to prevent intruders from gaining access to a home network.

Disable Remote Management: this feature should be disabled on the router to prevent intruders from accessing and changing the router configuration. If remote administration is necessary, it should be realized via non-standard ports.

Firmware Update: one should check whether a new firmware version is available for the router. After the security configuration of the router, one should make a copy of the settings and store it in a safe place in case of a forced reset of the device settings.

Static DHCP reserved IP addresses: since a router assigns a private IP address to each device sharing the Internet connection via DHCP, the pool of assignable addresses should be limited so that the router cannot assign an IP address to a device trying to gain unauthorized access to the home network; the number of reserved addresses should equal the number of devices needing internet access within the home network. An additional difficulty for an intruder is a change from classic Class C addressing to Class A or B with an unusual subnet mask, initial and final subnet address and broadcast address.

Network Filter: enabling Media Access Control (MAC) address filtering in the router prevents an unauthorized client from getting a valid IP address and joining the network. Devices whose addresses are not included in the filter list will be dropped, and a device that wants to establish a connection cannot access the transmission medium. In addition, this information and the MAC address of the device, along with the date and result of the event, will be saved in the router logs.

Universal Plug and Play (UPnP): this feature allows network devices to discover and establish communication with each other on the network. It makes initial network configuration easy, but it should be disabled when not needed, because malware within the network could use UPnP to open a loophole in the router firewall to let intruders in.

Turn On the Firewall: a router has a built-in firewall which should be activated and configured properly to allow authorized users to access the home network; it is advisable to create a black list of unauthorized websites, services, etc. A firewall should also be configured not to reply to ping requests, to avoid exposing the home network to intruders; thus the firewall should be used to control both incoming and outgoing traffic.

Network Management Tool: an efficient network management tool can be used to monitor and manage a network and prevent intruders from gaining unauthorized access to it. Other advisable security measures are disabling remote upgrade, unnecessary services and the Demilitarized Zone (DMZ) feature of the router. One should change passwords frequently on all networking devices and make them strong enough that they cannot easily be guessed by an intruder [14].

In order to maintain a high level of security, it is necessary to observe predefined procedures and security policies. A grid of meters and concentrators starts to look more and more like a traditional corporate network, which means that similar security measures can be put in place, including systems for intruder detection, access control and event monitoring. Especially vulnerable to packet data attacks are concentrators which, connected to Ethernet switches, utilize the commonly used TCP/IP protocol [15].

V. CONCLUSION

It is quite a challenge to protect each and every one of the extensive distribution systems, with cyberterrorism becoming a

Fig. 7. Substation automation architecture with possibility of access.


particularly serious problem. These days, destroying important objects (factories and power plants, but also computer databases) does not require significant power or resources. Examples show that a single person with the proper knowledge and access to computer technology is able to perform a successful attack on a power grid. Additionally, cyberterrorism is cheap, it does not put the perpetrator in immediate danger, and it can be catastrophic in its results. By disrupting the operation of banking computer systems, a cyberterrorist could cause a collapse of the world economy. By introducing false data into systems managing military, power and fuel infrastructure, they could initiate explosions of pipelines, demolition of water intakes and destruction of nuclear power plants [16].

In the future, an important role in this area will be played by the realization of infrastructure and the delivery of preconfigured devices by Internet Service Providers. With time, we can expect more auto-configuring devices, which at least in part allow simple configurations. Unfortunately, in many cases this solution will not provide an adequate level of security. There are many methods to ensure safety. Even very simple solutions, such as changing the default password or hiding the name of the wireless network, are able to fend off the novice attacker. On the other hand, we cannot require every user to be a specialist in telecommunications or computer science. Thus, in the next ten years, electricity suppliers will need specialists who possess practical skills and IT knowledge that can be used in the energy sector. Smart Grid ICT specialists will take care not only of home device configuration or of running such systems in Local Area Networks, but also of broadly understood security of information transmission in the Metropolitan Area Network or Wide Area Network. A separate group will specialise in databases, computer networks, business analysis layers and complex Enterprise Resource Planning systems.

Moreover, it is becoming increasingly important to ensure data verification, reliability and security. In order to decrease the amount of incorrect data, grids are secured against hacker attacks. Security policy procedures that hamper the work of normal application users are constantly being added. It is not difficult to predict the consequences of such security policies.

The network or system project can be divided into three stages: design, implementation and use. For each of them there is a recommendation consistent with a high grade of safety.

In the design stage, be sure to use only the required hardware and software. Redundancy (except for redundant links, used to provide high availability and reliability) promotes the formation of additional security vulnerabilities in the system. Unused services should remain disabled or blocked by a firewall. User rights should be reduced to a minimum when assigned. In addition, the network should be designed to limit the ability to connect foreign devices, e.g. by disabling unused ports on network switches and requiring authorization to change the above-mentioned settings. Similarly, in the case of workstations and servers, turn off all unused interfaces that can facilitate intrusion: USB, FireWire or Bluetooth. Network monitoring mechanisms, such as the aforementioned firewall, intrusion detection, etc., should be included at the design stage. Access to services should also be limited to only those parts of the network where it is necessary (Fig. 7). Likewise, services should be started with the lowest possible privileges. A common mistake is to run all services with administrator privileges even when not required. A very important aspect of security is structuring it so that it is convenient for the user and does not encourage them to bypass security by "going for shortcuts". The implementation phase should be carried out as far as possible in accordance with the project documentation, and in the event of any discrepancy the changes must be documented and included in the policy.

Frequently overlooked and forgotten in the use phase is the continuous updating of documentation and the security policy. The operating stage, beyond the use of computer systems and networks, should take into account the aforementioned network monitoring and tracking of anomalies, including conducting periodic penetration testing to find gaps an attacker could use.

REFERENCES

[1] G. Clarke, D. Reynders, Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems. Newnes, pp. 47-51.
[2] IEEE 1815-2012, IEEE Standard for Electric Power Systems Communications - Distributed Network Protocol (DNP3), 2012.
[3] Core IEC standards, IEC 61850: Power Utility Automation; IEC 62351: Security. Available: http://www.iec.ch/smartgrid/standards/
[4] Telecontrol Equipment and Systems - Part 5-104: Transmission Protocols - Network Access for IEC 60870-5-101 Using Standard Transport Profiles, IEC Standard 60870, 2006.
[5] IEC Telecontrol Equipment and Systems - Part 5-101: Transmission Protocols - Companion Standard for Basic Telecontrol Tasks, IEC Standard 60870, 2003.
[6] IEC Standard TC57. [Online]. Available: www.tc57.iec.ch
[7] C. Xavier, Power Line Communications in Practice, Artech House, 2006.
[8] K. Billewicz, Problematyka bezpieczeństwa informatycznego w inteligentnych sieciach, Instytut Energoelektryki Politechnika Wrocławska, 2012.
[9] A.T. Kearney GmbH, Raport Technologiczny, Infrastruktura Sieci Domowej (ISD) w ramach Inteligentnych Sieci / HAN within Smart Grids, 2012.
[10] M. J. Cronin, Smart Products, Smarter Services. Strategies for Embedded Control, Cambridge University Press, 2010.
[11] K. Billewicz, Smart Metering. Inteligentny system pomiarowy, Instytut Energoelektryki Politechnika Wrocławska, Wydawnictwo Naukowe PWN, 2012.
[12] Lantech documentation of Industrial IEC 61850-3 Switches, http://www.lantechcom.tw/global/eng/IGS-5400-2P-PT.html
[13] W. Lewis, LAN Switching and Wireless: CCNA Exploration Companion Guide (Cisco Networking Academy Program), Cisco Press, 2008.
[14] R.C. Parks, Advanced Metering Infrastructure Security Considerations, Sandia Report, Sandia National Laboratories, November 2007.
[15] T. Flick, J. Morehouse, Securing the Smart Grid. Next Generation Power Grid Security, Elsevier Inc., 2011.
[16] A. Fronczak, P. Fronczak, Świat sieci złożonych. Od fizyki do Internetu, Wydawnictwo PWN, 2009.