Cybervulnerability and Mitigation Studies Using a SCADA Test Bed
A power grid is a critical infrastructure that relies on supervisory control and data acquisition (SCADA) systems for monitoring, control, and operation. On top of the power infrastructure reside layers of information and communications technology (ICT) that are interconnected with electric grids. The cyber and power infrastructures together constitute a large, complex cyberphysical system. ICTs on the power grids have evolved from isolated structures into open and networked environments based on TCP/IP and Ethernet. The technology is known to be vulnerable with respect to cyberintrusions. As ICTs of the power infrastructure have evolved into highly connected network environments, the use of firewalls has become a widely adopted access control method against intruders. Firewalls do not guarantee cybersecurity, however. The misconfiguration of company firewalls has been reported. Even if the configuration of a firewall is correct, it is still vulnerable because firewalls are not able to detect insider attacks and connections from the trusted side. Hence, solutions based solely on firewalls can be inadequate.
International Electrotechnical Commission (IEC) Technical Committee (TC) 57 has developed international standard protocols for power system data communication. These protocols, e.g., Distributed Network Protocol (DNP) 3.0, IEC 60870-5, IEC 60870-6, and IEC 61850, are widely used in power equipment, energy management system (EMS), SCADA, and distribution automation applications. These standard protocols have vulnerabilities, however, and open standards can be easy to access.
Protective relays in the substations are critical devices for system protection. Conventional relays offer only local access, through a serial cable connection. As ICTs evolve, remote access is often enabled for Ethernet-based networks, letting site engineers, operators, and vendor personnel access them remotely. Accessing intelligent electronic devices (IEDs) remotely from within a substation, corporate office, or locations external to the grid has become a common practice for maintenance purposes. Dial-up, virtual private network (VPN), and wireless technologies are all available mechanisms for connecting remote access points to the substation local area network (LAN). These access points are potential sources of cybervulnerabilities for the substations.
The Idaho National Laboratory of the U.S. Department of Energy (DOE) conducted a demonstration of a targeted cyberattack in March 2007 for its Aurora project. The attack was launched remotely against the control system of an electric generator, forcing the generator out of control; it then began shaking and smoking. The project demonstrated how a cyberattack can cause damage to physical devices. The latest widely publicized cyberattack on industrial control systems was the Stuxnet worm, a piece of malware that targeted SCADA systems. The objective was to corrupt a specific type of programmable logic controller (PLC) by rewriting parts of the code and turning it into the attacker’s agent. Some media outlets suggested that Stuxnet’s targets were nuclear plants. With modifications, it could become a serious threat to power grids. In February 2011, McAfee published a white paper, “Global Energy Cyber Attacks: Night Dragon,” stating that targeted cyberattacks have been launched against energy, oil, and petrochemical corporations by the use of remote administration tools (RATs) and special network techniques. The attacks were conducted from several countries, security was breached, and proprietary and confidential information was accessed.
Defense Against Cyberattacks
A research program at University College Dublin (UCD), sponsored by Science Foundation Ireland (SFI), is intended to develop the mathematical and computational foundations for vulnerability assessment and mitigation of the ICTs for critical infrastructures. Although cybersecurity issues are well known and new security technologies are available, research on the interdependency between ICT and physical systems for critical infrastructures is just emerging. In this project, analytical concepts, methods, and algorithms for the integrated ICT-physical system are being developed. The cybersecurity framework for SCADA systems, illustrated in Figure 1, consists of four major tasks: real-time monitoring, anomaly detection, impact analysis, and mitigation. This research program is intended to heighten the capacity for vigilance against cyberattacks by correlating events from various sources.
Anomaly detection requires a detailed analysis of data logs and correlation of the detected anomalous events. Intrusion detection techniques are developed for the identification of unauthorized activities and for event correlation based on data and information. Correlations can be based on spatial or temporal relationships, and algorithms are available for correlating events. An example of an anomaly detection method is looking for unauthorized changes made to critical parameters and/or files by intruders, where a change is a variation over time. For practical applications to large-scale systems, however, the complexity of an attack scenario requires a large number of data sources spanning different locations and time durations; coordinated, simultaneous attacks are one such example. The detection algorithm must meet certain accuracy and performance requirements in order to permit timely mitigation.
Impact analysis is intended to analyze intrusions and determine the consequences of a cyberattack on the cyberphysical system. A useful vulnerability index is the loss of load caused by a cyberattack. A risk assessment approach that captures both power system vulnerabilities and the resulting impact on the real-time operation is desirable. The methodology has four key steps: modeling of the cyber power system, simulation of the physical behaviors of a power grid, development of a vulnerability index for the cyberphysical system, and mitigation measures. The cybernet model should incorporate the cybersystem configurations, authentication, and firewall/password models.
Mitigation actions can be conducted on the ICT side and the power grid side. On the ICT side, mitigation using dynamic and other enhanced firewall architectures is a natural extension of current industry practice. A preventive mitigation action is performed in real time to alleviate the threat in a cybersystem. For a firewall, this can be achieved by dynamic rejection rules or by delaying access through the firewall, thereby providing additional time to defeat an attack. Mitigation can also be performed as a remedial action. Computational algorithms for power systems have been used to determine power grid reconfiguration plans when an attack is encountered. Reconfiguration plans can incorporate control and protection techniques such as wide area protection and control, controlled islanding, power flow readjustment, and voltage controls. The ICT and power system mitigation strategies can be implemented and tested on the SCADA test bed. Different cyberattacks can be performed, and the effectiveness of the proposed cyberphysical system security techniques can be analyzed in a realistic environment.
A SCADA test bed is a critical facility for testing a broad range of cyberattacks and developing real-time defense strategies to mitigate their effects on a power system’s operating condition. Encryption and authentication techniques are required to secure the point-to-point communication. The interactions between the cybersystem and the electric grid have to be modeled to be able to evaluate the impact of cybervulnerability.
SCADA Test Bed Architecture and Simulation Scenarios
Efforts have been made internationally to develop SCADA test beds for cybersecurity assessment, among which are the DOE’s national SCADA test bed program and Italy’s RSE laboratory test bed. The proposed test bed at UCD includes two control centers and two substations, as shown in Figure 2. Two protocols are used for control centers, DNP 3.0 over TCP/IP and Inter-Control Center Communications Protocol (ICCP). DNP 3.0 is used for controls and measurements between control centers and substations, while ICCP is used for data exchange between control centers. In the future, ICCP will be connected to Iowa State University for information exchange. A dispatcher training simulator (DTS) is used for training of operators and simulation of system operation, control, and restoration scenarios. In the substation, IEC 61850–based communication is used between IEDs and the user interface. The user interface is able to acquire monitored data generated by power system simulation tools through Object Linking and Embedding for Process Control (OPC) communication. There are remote access points using dial-up, VPN, or wireless technology, which can serve as intrusion paths. Although the IEEE 39–bus system is the currently available test model, the test bed has the ability to model large, interconnected systems with thousands of buses. This test bed provides a powerful tool for studying vulnerabilities of the SCADA and substation communication networks and identifying the needed security enhancements.
In the SCADA test bed environment illustrated in Figure 2, it is possible for the following intrusions to originate from remote access connections to a substation communication network:
- outside a substation network: from one of the remote access points (A1, A2, or A3) to the substation router and firewall (T1); or to the router and firewall, the substation network, and the protocol gateway (T1-T4-T2); or to the router and firewall, the substation network, and the IEDs (T1-T4-T3)
- inside a substation network: from the user interface (A4) to the protocol gateway (T2); or to the substation network and the router and firewall (T4-T1); or to the substation network and the IEDs (T4-T3).
Thus, intrusions from outside a substation network via dial-up, VPN, or wireless technology to the substation ICT network may target firewalls, the substation user interface, or IEDs. Intrusions from inside a substation network can also target these facilities.
The substation user interface has a human-machine interface (HMI) that enables an operator to control and monitor the substation facilities. If an attacker successfully compromises the user interface with a high access privilege, the attacker is able to access critical information and control circuit breakers and/or transformer taps, causing severe damage to the grid operation. IEDs are connected to circuit breakers; switching commands pass through the IEDs, which also hold critical system information.
As depicted in Figure 3, an intrusion detection system (IDS) is installed on the user interface computer in the cybersecurity test bed. The IDS is a mitigation technology against intrusions. When the computer logs generated from the user interface, IEDs, and firewall are transmitted to the IDS database, an IDS algorithm searches for any anomalies. If the IDS detects an anomaly, it will send disconnect control commands to the firewall and block the intruder’s connection.
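As an added illustration of the log correlation just described (not code from the UCD test bed), the following Python sketch ingests constructed firewall, HMI and IED log lines, correlates them per source address, and emits a disconnect command for the firewall only when two independent indicators coincide, since a single VPN session or a single control write can be legitimate maintenance; the log format, tag names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not captured from the test bed). One event per line:
# timestamp|source|event|key=value ...   sources: firewall (T1), hmi (A4/T2), ied (T3)
SAMPLE_LOGS = """\
2011-03-01T10:00:05|firewall|vpn_login|user=engineer src=203.0.113.7
2011-03-01T10:00:20|firewall|conn_attempt|src=203.0.113.7 dst=192.168.10.20 port=22
2011-03-01T10:00:21|firewall|conn_attempt|src=203.0.113.7 dst=192.168.10.20 port=135
2011-03-01T10:00:22|firewall|conn_attempt|src=203.0.113.7 dst=192.168.10.20 port=502
2011-03-01T10:00:23|firewall|conn_attempt|src=203.0.113.7 dst=192.168.10.20 port=3389
2011-03-01T10:00:24|firewall|conn_attempt|src=203.0.113.7 dst=192.168.10.20 port=20000
2011-03-01T10:00:40|hmi|rdp_logon|user=engineer src=203.0.113.7
2011-03-01T10:01:10|hmi|opc_write|tag=CB_SUB2_L43 value=OPEN src=203.0.113.7
2011-03-01T10:01:12|ied|breaker_cmd|device=SUB2_CB43 action=OPEN
2011-03-01T10:05:00|hmi|opc_write|tag=CB_SUB3_L12B value=CLOSE src=192.168.10.5
"""

def parse_line(line):
    """Split one log line into a dict: parsed timestamp, source, event and key=value fields."""
    ts, source, event, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), source=source, event=event)
    return fields

def detect(log_text, scan_ports=5, window=timedelta(seconds=120), confirm=timedelta(seconds=5)):
    """Correlate firewall, HMI and IED events per source address and return
    firewall disconnect commands for sources showing at least two indicators."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    remote = set()                 # addresses that entered through the VPN access point
    attempts = defaultdict(list)   # src -> [(ts, "dst:port")] connection attempts seen by T1
    pending = {}                   # src -> time of its last remote breaker write
    reasons = defaultdict(list)
    for e in events:
        src = e.get("src")
        if e["event"] == "vpn_login":
            remote.add(src)
        elif e["event"] == "conn_attempt":
            attempts[src].append((e["ts"], e["dst"] + ":" + e["port"]))
            recent = {p for t, p in attempts[src] if e["ts"] - t <= window}
            if len(recent) >= scan_ports and "port scan" not in reasons[src]:
                reasons[src].append("port scan")
        elif e["event"] == "opc_write" and src in remote:
            # Control action issued through the HMI by a session that came in remotely
            reasons[src].append("remote control write to " + e["tag"])
            pending[src] = e["ts"]
        elif e["event"] == "breaker_cmd":
            # Temporal correlation: the IED acted shortly after a remote write
            for s, t in list(pending.items()):
                if e["ts"] - t <= confirm:
                    reasons[s][-1] += " (confirmed by IED " + e["device"] + ")"
                    del pending[s]
    return [{"action": "block", "src": s, "reasons": r}
            for s, r in reasons.items() if len(r) >= 2]
```

The local operator at 192.168.10.5 is never blocked, and raising `scan_ports` above the number of probed ports leaves the remote write as a single indicator, so no command is issued.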
Impact Analysis and Mitigation
The impact of cyberattacks on power systems can be analyzed by means of computer simulations of system dynamics to quantify how seriously affected the system’s operating condition will be. To this end, it is necessary to model the electric grid and simulate the response due to cyberintrusions. A simple test power system has been built using commercially available, industrial-grade simulation software, as shown in Figure 4. The demo system consists of three hydroelectric power plants (150 MW each), six transmission lines (110 kV), and six loads. Power system dynamics are computed using a time-domain simulation tool. Simulated real-time measurements are created and sent to the OPC server. The substation HMI connects as an OPC client using a default user ID and password and acquires data from the simulated electric grid and from the substation IED. All data items are sent through the DNP 3.0 protocol to a control center that monitors and controls the system. The operator’s decisions are sent via the SCADA system to the power system simulation software, which computes the dynamics in real time and reports back the changes in the system’s operating condition. Figure 5 shows the one-line diagram of the SCADA system displayed on the operator’s console. Substations 2 and 3 correspond to substations A and B, respectively, shown in the test bed configuration (Figure 2).
The SCADA test bed is used to investigate the potential impact of cyberintrusions in different scenarios. Attack models were created and tested. For each scenario, details of the impact on the power grid were evaluated. Mitigation methods to stop the attack and disconnect the intruder were evaluated. Beyond firewall and anomaly detection issues, the purpose of the power system mitigation strategy is to avoid cascading failures following cyberattacks and to restore normal operating conditions.
The fictitious intruder compromises the site engineer’s computer and obtains the user IDs and passwords needed for VPN and substation HMI remote desktop connection. The substation firewall views the connection as legitimate, and the attacker gains access to the network. Using an IP and port-scanning tool, the intruder finds the substation user interface computer and accesses the HMI. The attacks are initiated from the substation user interface, using the OPC client-server communication between the HMI and the power system simulation software. Targeted cyberattacks are launched at multiple locations (substations 2 and 3 and hydroelectric power plant 2). The attacks trigger opening of a circuit breaker at substation 2 and another at substation 3, which disconnects two transmission lines and damages the generator. The results of the attacks are reported to the control center via DNP 3.0 communication. Operations at the control center are disrupted by a series of alarms, indicating major disturbances have occurred in the system (see Figure 6).
The attacks have a severe impact on the system condition. A generator is damaged and loads have to be dropped. Since lines 43 and 12b are disconnected, the only path to supply loads 2, 3a, 3b, and 3c is through line 12a. Under this condition, the system almost reaches its transfer capability. The remaining power plants are generating at full capacity, but there is not sufficient generation to supply all the loads. As a result, the frequency is falling (to below 48 Hz), as shown in Figure 7.
Intruders are disconnected by means of collaboration between the IDS and the firewall in the substation network, and emergency control actions are taken to mitigate the effects of the cyberattacks as an attempt to restore a normal condition. The mitigation strategy here is to use the optimal power flow (OPF) algorithm with an objective function that minimizes load shedding.
The OPF results show that loads 1 and 2 should be shed by 100% and 71%, respectively. Figures 8 and 9 indicate that the bus voltages and frequency can recover. Figure 9 illustrates how frequency varies after 15 s, at which time the circuit breakers are operated. After another 5 s, the attack on the generator is initiated (which leads to the sharp frequency decline). Before frequency reaches 49.4 Hz, the loads are shed and lines 12b and 43 are reconnected at 60 and 65 s, respectively. The system is steered to a stable operating point; however, hydroelectric power plant 2 is damaged, and there are unserved loads.
In a second scenario, the intruder installs a wiretap on one of the communication wires between the substations and the control center. It monitors the traffic and captures measurement packets. The contents are modified, and the attacker sends fabricated information to the state estimation module. Consequently, a false operating condition is now presented to the operators. In this scenario, system operators are misguided and decide to take control actions to restore a normal operating condition. Unfortunately, their logical response drives the system into an emergency operating state. Specifically, an intruder sends falsified voltage data—135 kV—for all four buses, while the actual value is 110 kV. Three substations represent generator buses, and the voltages can be controlled and are normally set to 1 p.u. In response, operators have power plants generate less reactive power and decrease the voltage level by 22.7%. The actual bus voltages are now reduced to an abnormal value of 85 kV, which may further trigger voltage-related relay tripping actions. The simulation result is shown in Figure 10.
A polynomial model is used to represent the load characteristics and, as a result, the active and reactive powers vary with the bus voltages. Due to the low voltages, the load demand has also decreased, as indicated in Figure 11. At this moment the system finds itself in an emergency operating state and a cascading sequence of events is likely to follow.
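An added example (not the test bed's own code) that covers both the point-to-point authentication called for earlier and the wiretap scenario just described: each measurement packet carries an HMAC-SHA256 tag computed with a key the wiretap does not hold, so a modified voltage reading is rejected before it reaches state estimation, and two small helpers reproduce the 22.7% correction and 85 kV outcome that trusting the falsified 135 kV reading would cause; the key, packet format and bus names are assumptions.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"ucd-testbed-demo-key"   # constructed; each link would carry its own provisioned key
NOMINAL_KV = 110.0                   # nominal bus voltage of the demo system (1 p.u.)

def build_measurement(bus, kv, key=DEMO_KEY):
    """Substation side: serialise a voltage reading and append an HMAC-SHA256 tag."""
    body = json.dumps({"bus": bus, "kv": kv}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def verify_measurement(packet, key=DEMO_KEY):
    """Control-center side: return the reading as a dict, or None if the tag does not match."""
    body, sep, tag = packet.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None

def state_estimator_input(packets):
    """Feed only authenticated readings to state estimation; return (accepted, rejected)."""
    accepted, rejected = [], []
    for packet in packets:
        reading = verify_measurement(packet)
        if reading is None:
            rejected.append(packet)      # a modified body no longer matches its tag
        else:
            accepted.append(reading)
    return accepted, rejected

def operator_correction(reported_kv, nominal_kv=NOMINAL_KV):
    """Fraction of nominal by which an operator lowers voltage to bring the reported value to 1 p.u."""
    return reported_kv / nominal_kv - 1.0

def actual_voltage_after(actual_kv, correction):
    """Real bus voltage once that correction is applied to a grid that was already at nominal."""
    return actual_kv * (1.0 - correction)

if __name__ == "__main__":
    genuine = build_measurement("bus1", 110.0)
    # Constructed wiretap modification: the body is changed, but the tag cannot be recomputed without the key
    tampered = genuine.replace(b"110.0", b"135.0")
    accepted, rejected = state_estimator_input([genuine, tampered])
    print("accepted:", accepted, "rejected:", len(rejected))
    c = operator_correction(135.0)   # 0.227: the correction trusting the falsified reading would cause
    print("correction %.1f%% -> actual %.1f kV" % (100 * c, actual_voltage_after(110.0, c)))
```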
Importance to Industry
An objective of the so-called “smart grid” is to use more information in a smarter way to optimize power systems. The EMSs and SCADA systems and protection and control systems in substations become less and less isolated from the ICT system in order to take advantage of new measurements and control actions. To facilitate communications between different entities while exchanging more and more information and to reduce costs, standardized protocols based on TCP/IP communication networks and Ethernet technologies are deployed. Most such protocols do not implement security technologies. Intruders can modify data so as to disturb the observability and controllability of the system. Intrusions into power companies’ private networks let attackers infect the machines with worms and viruses, which can launch denial-of-service (DoS) attacks.
The future challenge is to find the right balance between the security and fluidity of information exchanges, which would bring a real added value. Intrusion-detection systems, intrusion-prevention systems, and highly effective firewalls are examples of what is needed to enhance the cybersecurity of the power system infrastructure and advance the state of the art, which generally proposes—unrealistically—to close “all the doors” using very simple firewalls. The objective is to develop new technology, both hardware and software, for EMSs and SCADA systems. Many major transmission grids around the world are operated through SCADA systems. For example, Réseau de Transport d’Electricité (RTE), responsible for France’s high-voltage transmission grid, includes 100,000 km of power lines, 250,000 transmission towers, and more than 2,400 customer delivery points. To remotely supervise and control such a large-scale power grid, it is conceivable that the grid will have to have its own private telecom network that meets a very high cybersecurity requirement. Ongoing research on cyberphysical system security is expected to help RTE and other major transmission grids prevent cyberattacks and develop solutions capable of detecting anomalies and intrusions and mitigating their effects.
The authors acknowledge the support received from Science Foundation Ireland for a Principal Investigator Award at UCD. They are grateful for the collaborations with Dr. P. Gladyshev at UCD, Prof. M. Govindarasu at Iowa State University, and advisers from EirGrid (Ireland), Intel (Ireland), RSE (Italy), and RTE (France).
Chen-Ching Liu is with Washington State University, Pullman, and University College Dublin, Ireland.
Alexandru Stefanov is pursuing his Ph.D. at University College Dublin, Ireland.
Junho Hong is pursuing his Ph.D. at Washington State University, Pullman, USA.
Patrick Panciatici is with RTE, France.