Abstract

New technologies, including microprocessor-based Intelligent Electronic Devices (IEDs), standardized protocols, and TCP/IP over wide area networks (WANs), are widely adopted in substations. Remote access to IEDs or user interfaces in a substation for maintenance purposes is a common practice. However, there are potential cyber-physical system vulnerabilities in a substation, e.g., unsecured standard protocols, remotely controllable IEDs, and unauthorized remote access to substation IEDs. In addition, some substation IEDs and user interfaces have a web server, which may allow remote configuration changes and control using default passwords. Even if firewalls and cryptography schemes are used for cyber security, weak cryptographic key management and misconfigured firewalls still leave the substation exposed to intruders. From an IT point of view, cyber security issues are well known and new security technologies are available. However, security research on the integration of IT and physical power systems for critical infrastructures is still an emerging area. Intruders' behavior will generate logs across all substation-level networks, e.g., IEDs, firewalls, and user interfaces. For instance, the steps of the Stuxnet attack are based on: (1) intrusion attempts, (2) change of the file system, (3) change of the target system's settings, and (4) change of the target system's status. Therefore, anomaly detection is performed based on logs of intruders' footprints. A temporal anomaly can be determined from discrepancies between event logs from two different time periods. In the proposed anomaly index, a value of 0 implies no difference, whereas 1 indicates the maximal discrepancy [1]. In order to identify the impact of substation cyber intrusions on the power grid, cyber intrusion scenarios have been conducted on the substation IT network using a SCADA testbed at University College Dublin (UCD). The first intrusion scenario involves a compromised substation gateway. A false signal is generated and an open circuit breaker (CB) command is sent to the substation CBs. The second scenario is to generate forged CB status at the gateway. As a result of this attack, control center operators will observe fake data about the CB status, while the actual status of the substation CBs has not changed. The third scenario is to generate fabricated analogue values for a control center using a man-in-the-middle attack. Once an intruder successfully compromises the substation LAN, (s)he is able to monitor and capture all measured data coming from the power grid. If attackers send fabricated data to the control center and the data pass through the state estimation filter, control center operators will observe an operational emergency. As a result, the operators may take emergency control actions, such as reducing the generation voltage or reactive power, while the power system is actually in a normal condition. There is a possibility that these (logical) actions based on fabricated data will drive the system into a sequence of cascading events, leading to a power outage. Mitigation actions are conducted on both the substation IT network and the power grid. For IT mitigation, an intrusion detection system (IDS) that uses an anomaly detection algorithm based on temporal event construction has been used in a substation network. For power system mitigation, an Optimal Power Flow (OPF) algorithm with an objective function that minimizes load shedding in the grid is used. The proposed collaboration scheme between the IDS and the firewall is able to disconnect intruders in the substation network. Emergency control actions are taken to mitigate the effects of cyber intrusions in an attempt to restore the system to a normal condition.
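The temporal comparison described in the abstract can be sketched as follows. This is an added example, not code from the paper: the abstract does not give the index formula, so a normalized Hamming distance over the four indicator classes is assumed, and the log wording, regexes, window size, and function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# The four indicator classes named in the abstract. The regexes and the log
# wording they match are assumptions made for this example.
INDICATORS = {
    "intrusion_attempt": re.compile(r"login failed|denied", re.I),
    "file_system_change": re.compile(r"file (created|modified|deleted)", re.I),
    "setting_change": re.compile(r"setting changed", re.I),
    "status_change": re.compile(r"status changed", re.I),
}

def indicator_vector(lines):
    """One bit per class: 1 if any log line in the period matches it."""
    return [int(any(rx.search(l) for l in lines)) for rx in INDICATORS.values()]

def anomaly_index(period_a, period_b):
    """Assumed index: normalized Hamming distance between the two periods'
    indicator vectors. 0.0 = no difference, 1.0 = maximal discrepancy."""
    a, b = indicator_vector(period_a), indicator_vector(period_b)
    return sum(x != y for x, y in zip(a, b)) / len(INDICATORS)

def windowed_anomalies(log_lines, window_s=600):
    """Bucket lines by their HH:MM:SS prefix into fixed windows and compare
    each non-empty window with the previous non-empty one."""
    buckets = defaultdict(list)
    for line in log_lines:
        h, m, s = map(int, line[:8].split(":"))
        buckets[(h * 3600 + m * 60 + s) // window_s].append(line)
    keys = sorted(buckets)
    return [anomaly_index(buckets[p], buckets[c]) for p, c in zip(keys, keys[1:])]

# Constructed sample log merged from firewall, HMI, and IED sources
# (not data from the UCD testbed).
LOG = [
    "10:00:01 firewall ACCEPT 10.0.0.5 -> 10.0.1.20:2404",
    "10:00:07 hmi operator login ok",
    "10:10:02 firewall DENIED 203.0.113.9 -> 10.0.1.20:80",
    "10:10:05 ied-3 web login failed user=admin",
    "10:10:40 hmi file modified /opt/hmi/config.xml",
    "10:11:12 ied-3 setting changed: overcurrent pickup",
    "10:11:30 ied-3 status changed: CB1 OPEN",
    "10:20:05 firewall DENIED 203.0.113.9 -> 10.0.1.20:80",
]

if __name__ == "__main__":
    print(windowed_anomalies(LOG))  # one index per consecutive window pair
```

A high index between consecutive windows, especially when the later classes (setting and status changes) appear, is the kind of signal an IDS could use to trigger a firewall rule update as in the collaboration scheme the abstract mentions.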
