Motivation Security in Smart Grid
Security is an essential way to promote safety, protection and data privacy. Security in Critical Infrastructure is about making data availability only to authorized and authenticated users and ensuring reliability of system’s operation with confidentiality and integrity. It is a balance between having the right mix of policies, strategies and tools to secure the environment. In our research we will introduce smart-grid as part of the critical infrastructure of the energy sector and we will assess various smart-grid vulnerabilities and provide better understanding to threats associated with them. By using DETER network testbed and virtualization environments we will perform cyberattack scenarios and evaluate various vulnerabilities of smart-grid protocols. Defense-in-depth security model will be highly required for Critical Infrastructure Protection (CIP) and we need to ensure protection is enforced in all layers of the model. Detection and mitigation techniques will be adopted using theoretical modeling and analysis.
Today’s critical infrastructure involves both cyber and physical components, integrated using legacy systems and new technologies working together over TCP/IP platform. Legacy “Supervisory Control and Data Acquisition” (SCADA) systems were initially designed to be isolated systems that had dedicated and separate communication links and therefore cyber and physical security threats were never considered to be an issue. High availability, controllability, and maintainability requirements of today’s systems demand a much higher level ofcommunication to exist among various smart-grid automation components, like Intelligent Electronic Devices (2IED’s). Specifically, IED’s are designed to automate protection, control, monitoring and metering of the smart grid system in both peer-to-peer and client server implementation that communicate directly to SCADA supervisory and control system.
Security, especially data integrity in communication protocols is one of the most challenging research area involving smart grids. Communication is not just about data transfer, it is about ensuring accuracy, integrity and confidentiality to critical data. Smart-grid systems are complex environment that facilitate an improved and an efficient two-way path of communication and power handling capabilities. This involves up to date technologies in areas such as power, communication, and renewable energy resources in order to achieve highly secure, reliable, economic, and environmentally friendly electric power system.
The cyber and physical components are integrated to provide critical services to various elements of the smart grid. Measurements data are being collected by the SCADA control center and then being analyzed to ensure that proper control messages are being transmitted to the remote devices. The integration has promoted risk associated with the potential of security breaching to the infrastructure by intruders trying to manipulate and invoke manipulated messages and commands that can have severe impact to the functionality of the grid and to some extent can lead to blackout scenario.
Interruption or blackout of the services related to the power grid can be due to natural causes like hurricane or deliberately executed by human intervention which in both cases can lead to catastrophic and disastrous situation. Attacking the grid can be initiated either internally as an insider type of attack or externally from the outside boundary of the internal network. The attack may follow different methods or approaches including malware injection like viruses or worms, denial of service attack (DoS) for the purpose of causing service interruption, distributed denial of service (DDoS) where multiple users attack the same target or system to prevent it from running the necessary services. Man-In-The-Middle (MITM) is another serious internal attack that can lead to complete penetration and data manipulation to the command messages in SCADA environment.
There are several intrusion incidents that were publically reported and documented in the literature related to cyber-attacks to the SCADA and other critical infrastructure facilities. One example to mention here is the recent cyber incident occurred on Dec 30th 2016 targeting Burlington Electrical Department in Vermont. According to many resources including, a code with Russian hacking campaign signature was discovered on a laptop related to the electric utility. Fortunately the laptop was not connected to the grid and no penetration occurred. Even though this incident was not directly linked to Russian hackers but it is still considered to be an alarming incident that can expose critical infrastructure to potential intrusion.
Another recent attack incident to the power grid was initiated on December 23, 2015 where one of the Ukrainian regional electricity distribution company reported interruption to their services. It was due to illegal hacking activities to their SCADA operation causing substations disconnection and distribution grid malfunctioning and hence outages and loss of power to approximately 225,000 customers. The outages was discovered to be related to a cyber-attack conducted remotely by the Russian security services who were able to control SCADA distribution management system of the distribution company. To accomplish such a sophisticated attack the adversaries used several tools and techniques to control the SCADA operation system. Some of the technical components that allowed the intruders to gain access to the network included spear phishing using emails, variation of BlackEnergy 3 malware, Virtual Private Network (VPN) access through credential theft and writing scripts to control field devices at the substations.
In June 2010, a major attack, as our third example, was launched to infect several SCADA based operations in multiple industrial sites in Iran. The attack was attributed to the “Stuxnet” worm, a malware code that infect software and requires to be planted on the system which can then spread to the entire network on its own. The worm was crafted intelligently and attacks the system in three phases, infecting and replicating itself to other computers in the network as the first phase, then it attacks industrial control system related applications which operate and control equipment and in the final phase it will compromise the Programmable Logic Controllers (PLCs) or the Remote Terminal Units (RTUs) that can cause commands to be changed and manipulated that can lead to equipment malfunctioning.
Once the attack is successful, the attacker can have full control over the accessed information including operation details, system architecture, devices and network topology and critical control data. In fact, the entire grid can be infiltrated that can lead to complete shutdown of the power grid infrastructure. Now, in order to overcome illegitimate hacking and intrusion to network operation facilities and to provide protection to critical infrastructure, many devices, techniques and tools were built including anti-virus utilities, proxies, firewalls and intrusion detection systems. Some of the tools can be effective but others like the firewall can’t detect insider type of attacks. Security tools work closely with various communication protocols to enhance and to harden their capabilities running in SCADA environment. Therefore more effective detection and mitigation techniques can be considered to improve the security of the smart grid.
Several standards were developed over the years to provide communication within SCADA, such as MODBUS, DNP3, PROFIBUS, ICCP, and the latest, IEC 61850. Distributed Network Protocol Version 3 (DNP3) is our main focus in this research experimentally and theoretically.
DNP3 is an IEEE-1815 standard and the primary protocol being deployed in smart-grids system and other utility providers. It is considered to be the predominant SCADA protocol in the US energy sector. In DNP3, the delivery of measurement data from an outstation or slave located in the field to a utility master operating in the control center is one activity that is established when control requests are made from the master to outstations by an operator or by using an automated process. Time synchronization, file transfer and other related tasks between the master and the outstation occur and therefore, it is very critical to study its behavior and application in real-time implementation.
In , 28 security threats and vulnerabilities were identified and classified according to the target and the threat categories. Additional examples of possible threats and vulnerabilities are highlighted here as follows:
DNP3 operates as an open standard communication protocol. It allows IED’s to communicate using many different protocols like TCP, UDP, HTTP etc.. This will lead to having more threats and vulnerabilities in the smart grid environment.
DNP3 promotes an architecture which supports remote network access for all types of data within the IED. The system depends on remote access point, which is a logical location to implement security function (i.e. authentication, encryption.). This means that communication within IED’s are clear text and vulnerable.
Current deployments of DNP3 are with or without the secure authentication (DNP3-SA) which can still lead to having a system with mixed protocols, thus increasing the risk and potential for penetration due to having devices running DNP3 without the authentication.
DNP3 does not define any security mechanism for IED’s, and the only security measure for remote access authentication is username and password available only to DNP3 version with Secure Authentication. Due to system limitations, most IED’s come with factory defined usernames and passwords. This means that any adversary (an insider or outsider) who can infiltrate the network access point, can easily attack the smart grid system by using dictionary attacks on IED’s to gain access.
The protocol allows remote client to IED’s to download IED Configuration Definition files which allows interoperability, and it also allows transfer of other files, remote control of IED, reconfiguration of IED, restarting the IED, logging etc. So, any adversary who successfully infiltrates an IED, is able to reconfigure the IED for malicious purposes, render IED inaccessible, or worse, use the IED as a stepping stone to discover connectivity graph, pinpoint other IED’s that might possibly have bigger impact on the overall system by downloading Configuration Definition file which contains all necessary information about substation network such as network diagram, IED composition, etc. and cause expensive and irreversible damage to the power grid.