
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/316460531

Detecting Data Manipulation Attacks on IEC61850-Based Substation Interlocking Function Using Direct Power Feedback

Conference Paper · March 2017

3 authors, including: Eniye Tebekaemi (George Mason University) and Duminda Wijesekera (George Mason University)

All content following this page was uploaded by Eniye Tebekaemi on 25 April 2017.


Chapter 1

DETECTING DATA MANIPULATION ATTACKS ON IEC61850-BASED SUBSTATION INTERLOCKING FUNCTION USING DIRECT POWER FEEDBACK

Eniye Tebekaemi, Edward Colbert and Duminda Wijesekera

Abstract  Any form of deliberate activity (physical or cyber) that attempts to undermine the control mechanisms that maintain the reliability, efficiency, and safety of a physical system can be considered an attack on the system. Such attacks can be as subtle as configuration changes that prevent the optimal operation of the power system through data modification. In this work, we introduce a system that enhances the security of the interlocking functions in power distribution substations by using the power flow behavior of the physical system during switching events as direct power feedback. The solution detects potential over-the-network data modification attacks on the interlocking function by using out-of-bounds sensor measurements as direct power feedback. This direct power feedback adds an extra layer of security and redundancy to any existing security mechanisms of power substation interlocking.

Keywords: Cyber-Physical Security, Smart Grid, Smart Power Systems, Intrusion Detection, Cyber Attacks, IEC-61850 standard.

1. Introduction
In the age of smart grids, power substations will be expected to support bidirectional power flows between distributed energy sources, storage facilities, and power consumers. Substations use switchgears to maintain the appropriate flow of power, protect equipment, and provide redundancy during power source or equipment failures. Interlocking functions in the substations prevent mal-operation of switchgears by keeping information about the operational state of the switchgear and the permissible transitions from the current state to the next state. Doing so ensures correct switching sequences and prevents any switch operation that could violate the integrity of a substation. Because of the significant role interlocking functions play in the safe and reliable operation of power systems, any attack that compromises the state information or the state transition integrity of the interlocking function can have disastrous consequences for a power system.

Interlocking functions implemented as IEDs in IEC61850-based power substations rely exclusively on the Generic Object Oriented Substation Event (GOOSE) status messages exchanged among switchgear controllers to maintain the state information of all switchgears in the substation, as shown in Fig. 1. Relying solely on GOOSE status messages results in a single point of failure for the interlocking function and fails to provide the resiliency required of a substation under cyber-physical attack. In this paper, we explore the characteristic physical system behavior in response to switchgear events, extract from it the system behavioral attributes needed to develop a method that uniquely identifies switchgear events, and design a cyber-physical security solution that integrates these observations into traditional cyber security controls. The physical system behavior is an important but often neglected part of cyber-physical security research; understanding the physical behavior of power substation systems plays a significant role in the design of any resilient security solution.

2. Related Work
Using extraneous peripheral information from sensor measurements in physical systems to observe system behavior and state is common in cyber-physical systems. However, there has been little effort to integrate this information into intrusion detection systems for cyber-physical systems. An example is the work of Colbert et al. [1], who developed a process-oriented intrusion detection method for use on industrial control systems (iPoid). In their system, data from critical elements of the physical system are collected by sensors and used by an intrusion detection system (IDS) to estimate the state of the system. Control operations sent over the network are intercepted by the IDS and evaluated against the estimated system state and the system guard conditions. Alerts are raised if a network-controlled operation violates the guard conditions given the estimated system state.

Koutsandria et al. [2] proposed the hybrid control network intrusion detection system (HC-NIDS). Using the expected communication patterns and the physical limitations of the physical system, they developed an intrusion detection system that leverages the physical part of the system and is able to detect a wide range of attack scenarios. Their work was limited to protective digital relays for power transmission grids and focused primarily on attack detection using the packet sequence, the time gap between packets, and the current measured by the relays. They evaluate each packet and communication flow against the expected packet sequence, the maximum allowed time delay, and the relay's current measurement, and detect an attack if any of these constraints is violated or if a circuit breaker activation request is received when the measured current is below the cut-off current.

Mitchell et al. [3] created a behavior-rule-based IDS for unmanned air vehicles (BRUIDS). BRUIDS is an adaptive intrusion detection mechanism for unmanned air vehicles that uses behavior rule specifications. They use a set of physical behavioral rules and system state transformation rules to identify attacks. Their system consists of monitor nodes (sensors and actuators) monitoring other nodes (sensors and actuators), or of a neighbor system (UAV) monitoring another trusted system (UAV). The monitoring system evaluates the monitored system's behavior against a set of predefined behavioral and transition rules and identifies any violation as an attack.

Sawada et al. [4] and Harshe et al. [5] propose a solution to the cyber-physical security problem that uses local (backup) controllers which kick in when the remote (central) controller becomes compromised or unavailable. The central controller usually optimizes the networked control system (NCS) for high performance, while the local controller guarantees the minimum performance requirement of the logical subsystem. Their system continuously evaluates the control signals received from the central controller against the physical system and switches to the backup controller if a violation is observed.

For cyber-physical systems, security solutions must be designed to understand the physical system's unique process behavior. The solutions discussed above do not directly address data manipulation attacks on the substation interlocking process, but they provide a useful starting point for reasoning about the security of cyber-physical systems.

3. Substation Interlocking
Switchgears implement protection and control functions that are triggered in response to system guard conditions, by automation and optimization functions, or by human intervention. Substations are equipped with switchgear devices that are independently controlled and perform functions such as fault isolation, sectionalization, and overcurrent and overvoltage protection. Types of switchgear used in substations include isolator switches, contactor switches, earthing switches, and circuit breakers.

Figure 1. IEC-61850 CILO Controlled Switchgear Operation [6]

3.1 Substation Switching


The IEC61850 standard recommends that switchgears be triggered by IEDs that implement the circuit breaker (XCBR) or circuit switch (XSWI) logical nodes at the process level. In turn, the XCBR and XSWI logical nodes are controlled by IEDs that implement protection and control functions such as time over-voltage protection (PTOV), instantaneous over-current protection (PIOC) and the switch controller (CSWI). The first letter of a logical node name is a group identifier for logical nodes with similar functions. For example, the "I" in "IHMI" (human machine interface) identifies IHMI as belonging to the interface group I.
A typical example of the operation sequence of the IEC61850 substation interlocking function, discussed in Pan et al. [6], is shown in Figure 1. Human experts create interlocking rules and feed them to the system through the human machine interface (IHMI). In message 1, the interlocking function (CILO) imports the rules, validates the state of all the switchgear devices (messages 3, 4, and 8), and waits for a request from the switch controller (CSWI). In message 2, the human operator issues a switch OPEN command to the CSWI and, in turn, the CSWI asks the CILO to verify whether executing the command would violate any interlocking rule. In message 6, the CILO responds with an allow if no rule is violated or a forbid otherwise. In message 7, the CSWI proceeds with the switch OPEN command if an allow response was received, by instructing the XCBR/XSWI to OPEN. In message 9, the XCBR or XSWI notifies the CSWI of the failure or success of the operation and, in turn, the CSWI notifies the IHMI of the success or failure. Finally, the XCBR notifies the CILO of the state change, if any, in message 8. In Pan et al. [6], the GOOSE update messages are protected with a keyed-hash message authentication code (HMAC). From time to time the XCBR and XSWI are expected to send status messages to the CILO to ensure that the state information maintained by the CILO correctly reflects that of the physical switchgears.

3.2 Interlocking Function Operation


The IEC 61850 standard implements substation automation functions as logical nodes. The CILO logical node (LN) is implemented at the station level or the bay level and contains the set of rules governing all valid switchgear configurations, the current state of each switchgear, and the transition sequences. From the interlocking rules imported from the IHMI, the CILO generates the valid configurations table and the transition sequences. In our testbed, we implement a single-bay substation with two separate power sources. The testbed consists of five switchgears: one earthing switch (ES), two contactor switches (CS1 and CS2), one isolator switch (IS) and one circuit breaker (CB). We also implemented an interlocking logical node (CILO) containing the eleven valid switchgear configurations shown in Table 1. A zero (0) indicates that the switchgear is in the OPEN position and a one (1) indicates that it is in the CLOSED position.

Algorithm 1 Validate CSWI Request

1:  procedure validateCSWIRequest(request)
2:      temp = FALSE
3:      if request ≠ NULL then
4:          n = getNoSwitch(request)
5:          curConfig = getCurConfig()
6:          newConfig = getNewConfig(request)
7:          temp = isValid(newConfig, validConfigTable)
8:          if n == 1 then
9:              RETURN temp
10:         CALL transSeqFn(request, curConfig)
11:     RETURN temp

The behavior of the CILO is described by the validate CSWI request algorithm (Algorithm 1), which is called whenever a new request is received. In line 4, the CILO determines the number of switchgears that would be affected by the request, obtains the current switchgear configuration in line 5, and the new configuration resulting from the change request in line 6. In line 7, the CILO checks that the new configuration does not violate any interlocking rule and records true or false. If no more than one switchgear is affected by the request and the new configuration is valid, the CILO returns true to the CSWI, meaning the change is allowed. If more than one switchgear is affected by the request, the algorithm proceeds to line 10 and calls the transition sequence function. The transition sequence specifies the order in which the switchgear operations of the change request should be executed. Usually, an execution interval of between 1 ms and 10 ms is allowed for concurrent switchgear operations.

Table 1. Valid configurations table of switchgears in the testbed

Config.  CS1  CS2  CB  IS  ES
1         0    0    0   0   0
2         0    1    0   0   0
3         0    1    1   0   0
4         0    1    1   1   0
5         0    0    0   0   1
6         0    0    0   1   1
7         0    0    1   0   1
8         0    0    1   1   1
9         1    0    0   0   0
10        1    0    1   0   0
11        1    0    1   1   0

3.3 Substation Communication Protocols


IEC 61850 specifies the Sampled Values (SV) and Generic Object Oriented Substation Event (GOOSE) communication protocols for power substation communications. GOOSE and SV are fast data transfer protocols that run directly on the data link layer and are used on the process local area network (LAN) to control, report events, and transmit measured values.

3.3.1 The GOOSE Protocol. The GOOSE protocol, specified in the IEC 61850-8-1 standard, is a multicast/broadcast protocol that uses a publisher-subscriber communication model to send and receive data between IEDs. Bay-level IEDs use the GOOSE protocol to report switch state changes (ON and OFF). The GOOSE protocol uses the status number (StNum) and the sequence number (SqNum) to distinguish between state change events and retransmissions. StNum starts from 1 and is incremented for every state change (OPEN or CLOSE) event. SqNum, starting from zero, indicates retransmissions of a previous notification. For example, the first status change in the switchgear will have StNum=1 and SqNum=0. The switchgear keeps broadcasting its state information at time intervals of less than 60 s until a new state is recorded. For each retransmission, the StNum remains the same but the SqNum is incremented.
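The StNum/SqNum bookkeeping described above, written out as an added Python example (not code from the paper): a subscriber-side tracker that labels each message from one publisher as a new event, a retransmission, or a sequence inconsistency worth flagging. The message dicts are constructed rather than captured traffic, the field names follow the GOOSE PDU (stNum, sqNum, stVal, plus a receive time t), and the single-value dataset and the lack of counter wrap-around handling are simplifications of this example.

```python
"""GOOSE StNum/SqNum bookkeeping on the subscriber side: label each status
message from one publisher as a new event, a retransmission, or a sequence
inconsistency worth flagging. Added example, not code from the paper; the
messages below are constructed, not captured traffic."""

# Constructed stream from one XCBR publisher (stVal: 0 = OPEN, 1 = CLOSED,
# t in seconds). The comments state what a careful subscriber should conclude.
SAMPLE_STREAM = [
    {"stNum": 1, "sqNum": 0, "stVal": 0, "t": 0.000},  # first message seen
    {"stNum": 1, "sqNum": 1, "stVal": 0, "t": 0.004},  # retransmission
    {"stNum": 1, "sqNum": 2, "stVal": 0, "t": 0.012},  # retransmission
    {"stNum": 2, "sqNum": 0, "stVal": 1, "t": 0.530},  # genuine state change
    {"stNum": 2, "sqNum": 1, "stVal": 1, "t": 0.534},  # retransmission
    {"stNum": 2, "sqNum": 3, "stVal": 1, "t": 0.550},  # sqNum 2 missing
    {"stNum": 1, "sqNum": 0, "stVal": 0, "t": 0.560},  # replay of the old state
    {"stNum": 3, "sqNum": 0, "stVal": 1, "t": 0.600},  # new stNum, nothing changed
]


class GooseTracker:
    """Per-publisher tracker. Simplifications of this example: the dataset
    carries a single status value (so a stNum increment without a stVal
    change is suspicious) and 32-bit counter wrap-around is not handled."""

    MAX_RETRANS_INTERVAL = 60.0  # s; Section 3.3.1: retransmit at intervals < 60 s

    def __init__(self):
        self.last = None  # last message accepted as describing the current state

    def classify(self, msg):
        verdict = self._verdict(msg)
        # Never let a replayed older state become the baseline.
        if self.last is None or msg["stNum"] >= self.last["stNum"]:
            self.last = msg
        return verdict

    def _verdict(self, msg):
        last = self.last
        if last is None:
            return "new_event"                        # first message: take as baseline
        if msg["stNum"] < last["stNum"]:
            return "suspicious:stNum_went_backwards"  # replayed old notification
        if msg["stNum"] == last["stNum"]:             # claims to be a retransmission
            if msg["sqNum"] != last["sqNum"] + 1:
                return "suspicious:sqNum_gap"
            if msg["stVal"] != last["stVal"]:
                return "suspicious:stVal_changed_without_stNum"
            if msg["t"] - last["t"] >= self.MAX_RETRANS_INTERVAL:
                return "suspicious:retransmission_overdue"
            return "retransmission"
        if msg["stNum"] != last["stNum"] + 1 or msg["sqNum"] != 0:
            return "suspicious:stNum_skipped_or_sqNum_not_reset"
        if msg["stVal"] == last["stVal"]:
            return "suspicious:new_stNum_without_state_change"
        return "new_event"


def classify_stream(messages):
    """Run one tracker over a publisher's messages; returns the verdicts."""
    tracker = GooseTracker()
    return [tracker.classify(m) for m in messages]
```

A single sqNum gap is also what one lost multicast frame looks like, so it is a signal to correlate with other evidence (such as the power feedback of Section 5) rather than an alarm on its own; a stNum that goes backwards or a state value that changes without a new stNum has no benign explanation in a correctly behaving publisher.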

3.3.2 The SV Protocol. The SV communication protocol, defined in IEC 61850-9-2, is a multicast/broadcast protocol that uses a publisher-subscriber communication model to send and receive streams of sampled values from sensors in the substation. The SV protocol uses the sample count (SmpCnt) field in the SV protocol data unit to indicate every new sample and the sample rate (SmpRate) to specify the number of samples per second. SmpCnt is incremented for every new sample and there are no retransmissions. The substation uses the SV protocol primarily to send voltage and current measurements obtained from current and voltage sensors to all subscribing IEDs.

4. Attack Description
The CILO translates switchgear configuration rules into a valid configuration table, as shown in Table 1. A valid configuration is a vector that indicates the permitted state of all the switchgear devices at any given instant. The valid configuration table is the collection of all possible valid configurations. Let $s$ be the number of switchgear devices in the substation; then every possible switchgear configuration is $\vec{C} \in \{0, 1\}^s$. Let $\vec{C}'$ denote a valid configuration and $n$ the total number of valid configurations; we define the valid configuration table as the set $T = \{\vec{C}'_1, \vec{C}'_2, \dots, \vec{C}'_n\}$. A state change request $\tau_{i+1}$ can therefore only be allowed to change the CILO's current configuration state from $\vec{C}'_i$ to $\vec{C}'_j$ if and only if $F : \vec{C}'_i \times \tau_{i+1} \Rightarrow \vec{C}'_j \in T$, where $F$ is the transition mapping function and $1 \le i, j \le n$, $i \ne j$. Whenever a change request is successfully executed by the XCBR or XSWI, a status update message is sent to the CILO, and the CILO updates its current configuration state from $\vec{C}'_i$ to $\vec{C}'_j$.
Process level communications are time critical, as IEC 61850 requires a delay of not more than 4 ms in the transmission of GOOSE and SV messages. This requirement makes implementing encryption-based security solutions difficult. IEC 61850 does not recommend the encryption of SV and GOOSE messages and says that cryptographic message integrity checks can be used for GOOSE only if they meet the 4 ms time requirement. IEDs in the process LAN depend on the timestamps, StNum, and SqNum of GOOSE messages and on the SmpCnt of SV messages to detect data manipulation. Tebekaemi et al. [7] demonstrate successful GOOSE attacks when the attacker has physical access to the process LAN. Attacks on SV messages are more difficult to detect, especially at high SmpRate values, as it becomes harder to predict the next SmpCnt value.

4.1 Scenario 1: Dropped Update Message


We assume the attacker has physical access to the process LAN at the substation and is able to block GOOSE update messages to the CILO. When a status change request is received by the CSWI, the CSWI queries the CILO to validate the request. The CILO validates the request against the system's current state $\vec{C}'_i$ and the XSWI is instructed to execute the request. The XSWI executes the request and broadcasts its new status, which is blocked by the attacker. Since no update message is received by the CILO, the CILO still believes the system is in state $\vec{C}'_i$ instead of the new state $\vec{C}'_j$. The current state of the CILO no longer reflects the actual state of the physical system. Although the CILO and the physical system may each still be in a valid configuration, any new change request will cause $F$ to use the wrong input $\vec{C}'_i$ instead of $\vec{C}'_j$.

4.2 Scenario 2: Corrupt Update Message


We assume the attacker has access to the process LAN and modifies GOOSE update messages, injects new GOOSE packets, or sends arbitrary GOOSE update messages. The attacker may be able to deceive the CILO into believing that an update has occurred and that its current state should be updated, causing the CILO to update its current state to $\vec{C}'_j$ while the system remains in $\vec{C}'_i$.

Both scenarios have the same impact of poisoning the CILO configuration state. If the malicious update is a valid configuration state, no flag is raised and the attack goes unnoticed by the IED. If an attacker is able to put the CILO into an invalid state, the result could be disastrous. For example, from Table 1 we know that CS1 and CS2 cannot be closed at the same time. Assume we want to disconnect the bay for maintenance autonomously: both CS1 and CS2 need to be open before ES closes. If the CILO configuration state is poisoned so that it believes both CS1 and CS2 are open, it validates an ES close request while either CS1 or CS2 is in fact closed. Executing the request raises the current astronomically (since the voltage is suddenly reduced to approximately 0), which could damage equipment and cause fatal accidents. In Table 2, row 14, we see that executing such a request raised the current to 850 times the nominal current.

Table 2. Voltage and Current Measurements in p.u. During ON/OFF Switchgear Operations.

Device  Position  Type  Sensor 1  Sensor 2  Sensor 3
CS      ON        V     1.001     1.001     0.465
CS      ON        A     0.528     0.525     1.229
CS      OFF       V     0.195     0.195     0.09
CS      OFF       A     0.103     0.102     0.24
CB      ON        V     1.001     1.001     0.465
CB      ON        A     0.529     0.525     1.229
CB      OFF       V     1         0.102     0.047
CB      OFF       A     0.107     0.053     0.125
IS      ON        V     1.001     1.001     0.465
IS      ON        A     0.528     0.525     1.229
IS      OFF       V     1         1         0.009
IS      OFF       A     0.066     0.012     0.023
ES      ON        V     0         0         0
ES      ON        A     850       0         0
ES      OFF       V     1.001     1.001     0.465
ES      OFF       A     0.528     0.525     1.229

Table 3. Switchgear Event Truth Table.

Close  Open  Type  Sensor 1  Sensor 2  Sensor 3
       CS    V     0         0         0
       CS    A     0         0         0
CS     CB    V     1         0         0
CS     CB    A     0         0         0
CB     IS    V     1         1         0
CB     IS    A     0         0         0
IS           V     1         1         1
IS           A     1         1         1
ES           V     0         0         0
ES           A     1         0         0
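Algorithm 1 over the Table 1 configuration table, followed by the two poisoning scenarios, as an added Python example (not the paper's testbed code). The breadth-first search in transition_sequence() is an assumed realisation of the paper's unspecified transSeqFn; configurations are tuples in the Table 1 column order CS1, CS2, CB, IS, ES.

```python
"""Algorithm 1 (CILO request validation against Table 1) and the CILO
state-poisoning attacks of Scenarios 1 and 2. Added example, not the
paper's testbed code; transition_sequence() is an assumed realisation
of the paper's unspecified transSeqFn."""
from collections import deque

SWITCHES = ("CS1", "CS2", "CB", "IS", "ES")          # column order of Table 1

# Valid configuration table T (Table 1): 1 = CLOSED, 0 = OPEN.
VALID_CONFIGS = frozenset({
    (0, 0, 0, 0, 0), (0, 1, 0, 0, 0), (0, 1, 1, 0, 0), (0, 1, 1, 1, 0),
    (0, 0, 0, 0, 1), (0, 0, 0, 1, 1), (0, 0, 1, 0, 1), (0, 0, 1, 1, 1),
    (1, 0, 0, 0, 0), (1, 0, 1, 0, 0), (1, 0, 1, 1, 0),
})


def apply_request(config, request):
    """F(C_i, tau): the configuration reached by applying request
    (a dict switch -> 0/1) to config, before any validity check."""
    new = list(config)
    for name, value in request.items():
        new[SWITCHES.index(name)] = value
    return tuple(new)


def transition_sequence(cur, new):
    """Order the operations of a multi-switch request so that every
    intermediate configuration is in T (breadth-first search over
    single-switch steps). Returns [(switch, value), ...] or None when
    no valid order exists. Assumed realisation of the paper's transSeqFn."""
    pending = [i for i in range(len(SWITCHES)) if cur[i] != new[i]]
    queue, seen = deque([(cur, [])]), {cur}
    while queue:
        cfg, path = queue.popleft()
        if cfg == new:
            return path
        for i in pending:
            if cfg[i] == new[i]:
                continue
            nxt = cfg[:i] + (new[i],) + cfg[i + 1:]
            if nxt in VALID_CONFIGS and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(SWITCHES[i], new[i])]))
    return None


class CILO:
    """Interlocking logical node: holds the configuration it believes the
    bay is in (learned from GOOSE status updates) and validates CSWI requests."""

    def __init__(self, config=(0, 0, 0, 0, 0)):
        assert config in VALID_CONFIGS
        self.config = config

    def validate_cswi_request(self, request):
        """Algorithm 1. Returns (allowed, sequence of operations)."""
        if not request:
            return False, None
        new = apply_request(self.config, request)
        if new not in VALID_CONFIGS:                   # isValid(newConfig, T)
            return False, None
        if sum(a != b for a, b in zip(self.config, new)) <= 1:
            return True, list(request.items())
        seq = transition_sequence(self.config, new)    # transSeqFn
        return (seq is not None), seq

    def on_goose_update(self, switch, value):
        """Status update from XCBR/XSWI: the CILO trusts it and moves C_i -> C_j."""
        self.config = apply_request(self.config, {switch: value})


def scenario_dropped_update():
    """Scenario 1: CS1 really closes, but its GOOSE update is blocked.
    Returns (CILO verdict on a later ES close, physical config, is it in T)."""
    cilo, physical = CILO(), (0, 0, 0, 0, 0)
    cilo.validate_cswi_request({"CS1": 1})              # config 1 -> 9: allowed
    physical = apply_request(physical, {"CS1": 1})      # the XSWI closes CS1 ...
    # ... and its status update never reaches the CILO (no on_goose_update call).
    allowed_es, _ = cilo.validate_cswi_request({"ES": 1})  # CILO sees 1 -> 5: allowed
    physical = apply_request(physical, {"ES": 1})          # reality: CS1 and ES closed
    return allowed_es, physical, physical in VALID_CONFIGS


def scenario_corrupt_update():
    """Scenario 2: CS1 is closed (config 9); an injected GOOSE message claims
    it opened. Same poisoned state as Scenario 1, reached from the other side."""
    cilo, physical = CILO((1, 0, 0, 0, 0)), (1, 0, 0, 0, 0)
    cilo.on_goose_update("CS1", 0)                         # forged update accepted
    allowed_es, _ = cilo.validate_cswi_request({"ES": 1})
    physical = apply_request(physical, {"ES": 1})
    return allowed_es, physical, physical in VALID_CONFIGS
```

Both scenario functions return the same triple: the CILO allows the ES close, the bay ends in (1, 0, 0, 0, 1), and that configuration is not in T. Note also that a multi-switch request whose end configuration is in T can still be denied: moving from configuration 4 to configuration 11 (swapping CS2 for CS1 with CB and IS closed) has no single-switch ordering that stays inside T, which is what the transition sequence check exists to catch.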

5. Proposed Solution
Electrical equipment and appliances exhibit unique physical properties when triggered by ON/OFF commands, which can be seen as transients, steady-state changes, and amplitude and frequency changes in the voltage and current waveforms. These properties can be used to provide direct power feedback on physically and cyber-controlled events by observing disturbances in the voltage and current waveforms. It is possible to monitor and detect such turn ON or OFF events of electrical equipment and trace them to the originating equipment using the transient state, steady state, or frequency changes of the measured voltage and current [8, 9]. Similar techniques have been used to detect and locate faults in power systems [10, 11, 13].

Figure 2. Transient and steady state voltage behavior during switch close operation (p.u. = measured value / nominal value)
Current and voltage sensors are used in substations to provide information about the voltage and current of the supplied electric power, which drives substation functions such as voltage/volt-ampere reactive (VAR) control, frequency control, power quality control, and over-voltage and over-current protection. Current and voltage sensors indicate which part of the system is energized. IEDs can use this information to determine the switchgear position (OPEN or CLOSE) at any given instant. Switchgear events are also observable through the electrical waveforms they generate, as switching ON or OFF produces transients, seen as spikes in the waveforms, and steady-state amplitude changes, as seen in Figure 2. Monitoring these events can provide useful information about the time an event occurs and the originating switchgear, which can be used to detect illegal switchgear manipulations.

5.1 Switchgear Event Detection


Event detection algorithms compare measured values of a signal to a reference value and, if there is a significant difference, declare that an event of interest has occurred. To increase event detection accuracy in power signals, the change event is computed on properties of the signal over a time frame usually called the event detection window. This helps to reduce the effects of noise in the signal and lowers the false event detection ratio. In our initial simulated testbed, the electrical noise is normally distributed, which may not be the case for an actual substation. The detection algorithm is a simple mean change detector that compares the detection window $w_i$ to the pre-event window $w_{i-1}$. If $n = |w|$, $w_i = x_1, x_2, \dots, x_n$ and $w_{i-1} = y_1, y_2, \dots, y_n$, then

$$\left| \frac{\sum_{i=1}^{n} x_i - \sum_{i=1}^{n} y_i}{n} \right| = \left| \mu(w_i) - \mu(w_{i-1}) \right| > \xi$$

indicates the occurrence of an event, where $\mu$ is the mean value, $x_i$ and $y_i$ represent sample points of the DC component of the signal, and $\xi$ is a predetermined threshold value.

5.1.1 Event Detection under Electrical Noise. Voltage and current signals usually contain noise caused by imperfections in electrical equipment and devices, thermal conditions, electrostatic interference, electromagnetic interference, radio frequency interference, and cross-talk. Noise in measured signals can cause detection systems to produce more false positives or to miss an event altogether. To address the effect of noise, the sensitivity of the detection system (the threshold) needs to be set so that we attain a high detection rate (ideally 100%) given the noise level, with the lowest possible false positive rate in an acceptable response time. A more sensitive threshold makes the system detect smaller events and respond more quickly but with less accuracy, while a less sensitive threshold makes the system miss smaller events and respond more slowly but with better accuracy. In this work, we considered environments where the measured voltage and current signals contain noise and used the change detection method discussed in Jin et al. [8]. We assume the noise $e_i$ is a continuous white Gaussian process, so that $x'_i = x_i + e_i$ and $y'_i = y_i + e_i$. The detection threshold $\xi = \chi^2_{\alpha, k-1}$ is taken from a chi-square goodness-of-fit test with a confidence level of $(100 - \alpha)\%$ and a detection sensitivity factor of $k$. An event is detected when

$$\sum_{i=1}^{n} \frac{(x'_i - y'_i)^2}{y'_i} > \xi .$$

The detection threshold can be pre-computed and fixed if the noise level is expected to stay the same, or computed dynamically during system operation if we expect the noise level to change.
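The mean-change detector of Section 5.1 and the chi-square statistic of Section 5.1.1, applied to a constructed current stream, as an added Python example (not the paper's code). The stream uses the Sensor 1 current levels of Table 2 (0.528 p.u. with the contactor closed, 0.103 p.u. with it open) on an assumed 1000 A base with seeded Gaussian noise; the window length, the mean-change threshold and the use of the 0.95 chi-square quantile for df = n - 1 are choices of the example.

```python
"""Switchgear event detection on a sampled current stream: the windowed
mean-change detector of Section 5.1 and the chi-square style statistic of
Section 5.1.1. Added example, not the paper's code. The stream is
constructed: Sensor 1 current from Table 2 (CS ON 0.528 p.u., CS OFF
0.103 p.u.) on an assumed 1000 A base, with seeded Gaussian noise."""
import random

NOMINAL_A = 1000.0           # assumed current base for the p.u. values of Table 2
N = 20                       # event detection window length |w| (assumption)
XI_MEAN = 0.05 * NOMINAL_A   # mean-change threshold xi: 0.05 p.u. (assumption)
# 0.95 quantiles of the chi-square distribution for df = n - 1 (standard table).
CHI2_95 = {9: 16.919, 19: 30.144, 29: 42.557}


def make_stream(event_at=200, total=400, sigma=2.0, seed=7):
    """Constructed Sensor 1 current: contactor closed, then opened at event_at."""
    rng = random.Random(seed)
    pre, post = 0.528 * NOMINAL_A, 0.103 * NOMINAL_A
    return [(pre if i < event_at else post) + rng.gauss(0.0, sigma)
            for i in range(total)]


def mean_change(window, prev_window):
    """|mu(w_i) - mu(w_{i-1})| of Section 5.1 for two equal-length windows."""
    return abs(sum(window) - sum(prev_window)) / len(window)


def chi_square_stat(window, prev_window):
    """sum_i (x'_i - y'_i)^2 / y'_i of Section 5.1.1, y' = pre-event window."""
    return sum((x - y) ** 2 / y for x, y in zip(window, prev_window))


def detect_events(samples, n=N, xi_mean=XI_MEAN, xi_chi=None):
    """Slide non-overlapping windows of n samples and compare each window
    with the one before it. Returns {"mean": [...], "chi": [...]} holding
    the index of the first sample of every window in which a detector fired.
    xi_chi defaults to the 0.95 chi-square quantile for df = n - 1."""
    if xi_chi is None:
        xi_chi = CHI2_95[n - 1]
    hits = {"mean": [], "chi": []}
    for start in range(n, len(samples) - n + 1, n):
        prev = samples[start - n:start]
        cur = samples[start:start + n]
        if mean_change(cur, prev) > xi_mean:
            hits["mean"].append(start)
        if chi_square_stat(cur, prev) > xi_chi:
            hits["chi"].append(start)
    return hits
```

On the stream in amperes both detectors fire exactly once, at the window starting at sample 200. Running detect_events on the same stream expressed in p.u. (divide every sample by NOMINAL_A and use xi_mean = 0.05) still fires the mean detector but not the chi-square one: the statistic is not scale-free, so its threshold has to be calibrated to the units and noise level of the measurements, which is one reason the text allows the threshold to be recomputed dynamically.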

5.2 Switchgear State Identification


The switchgear state identification process determines which sections of the bay are energized based on the sensor measurements. The sensor measurements are mapped using the switchgear state truth table (Table 3) to identify which switchgear devices may be CLOSED or OPEN. The switchgear truth table is preconfigured and contains the combinations of high and low voltage and current values measured by all the sensors in the testbed that map to an ON or OFF state of the switchgears in the substation. The switchgear state identification serves two purposes: first, to attribute a detected event to the originating switchgear, and second, to validate the state of the physical system during the CILO request validation operation. Table 2 shows the measured values of each switch when it is CLOSED and OPEN. The information in Table 2 is used to generate the switchgear event truth table in Table 3, which is used to predict which switchgear is OPEN or CLOSED based on sensor meas
urements. In Table 3, a "0" indicates that the measured value from a given sensor is low and a "1" indicates that it is high.

5.3 CILO Security Controller


Switchgear status update information is sent from the XCBR or XSWI to the CILO over the process LAN as GOOSE packets. The IEC-61850 standard also supports sending sampled voltage and current measurements from the merging units to IEDs over the process LAN as sampled values (SV) packets. Using the SV messages, the CILO security controller can detect changes in the waveforms and obtain direct power feedback for any switchgear event. The CILO security controller thus uses GOOSE and SV messages, two independent sources, to validate the correct state of the switchgears in the system. The following algorithms describe the high-level behavior of the proposed CILO security controller.

Algorithm 2 Check for modified GOOSE updates

1: procedure isMessageModified(updateMsg)
2:     if stNumChange(updateMsg) then
3:         powFeedback = getPowFeedback()
4:         if updateMsg.stVal == powFeedback.val then
5:             if updateMsg.time ≈ powFeedback.time then
6:                 return FALSE
7:     return TRUE

Algorithm 2 is called whenever a GOOSE update message (updateMsg) is received from a switchgear (XCBR or XSWI). The security controller first checks in line 2 whether the update message is a retransmission or a new event notification. If it is a new event notification, the security controller obtains the power feedback information from the SV messages in line 3: the most recent sensor measurements are used to estimate the current state of the switchgears. In lines 4 and 5, the GOOSE update message and the power feedback information are compared to check that the reported event is consistent and falls within the same time frame. The GOOSE update and the SV feedback will arrive at the interlocking function at slightly different times, so we approximate the time values and check whether both messages arrive within an acceptable time frame. If any inconsistency is found in the reported event or the time frame, there is a high probability that the GOOSE update message has been modified.

Algorithm 3 Check for missing GOOSE updates

1: procedure isUpdateMissing
2:     while TRUE do
3:         if eventDetected() then
4:             powFeedback = getPowFeedback()
5:             if stChange(powFeedback) == TRUE then
6:                 return TRUE

Algorithm 3 runs continuously as a background process and checks for changes in the voltage and current waveforms obtained from the SV messages. If a significant change is detected in line 3, the security controller obtains the change information in line 4. The reported change is checked in line 5 to ascertain whether the event is the result of a state change, and the procedure returns TRUE if the event was caused by a switchgear. If the event is the result of a switchgear operation and no GOOSE update message is received, there is a high probability that the update message has been blocked.
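Section 5.2's truth-table state identification together with Algorithms 2 and 3, as an added Python example (not the paper's code). The per-sensor high/low thresholds, the stage names, the 20 ms GOOSE/SV skew window and the three-valued verdict of is_message_modified are assumptions of the example; the sensor readings are rows of Table 2 and the messages are constructed.

```python
"""CILO security controller (Section 5.3): switchgear state identification
from sensor levels via the event truth table (Table 3) and the GOOSE/SV
cross-checks of Algorithms 2 and 3. Added example, not the paper's code;
sensor readings are the Table 2 levels and the messages are constructed."""

# Per-sensor "high" thresholds in p.u., placed between the high and low
# readings of Table 2 (assumption of this example).
V_HIGH = (0.5, 0.5, 0.25)
A_HIGH = (0.3, 0.3, 0.6)

# Table 3: (V pattern, A pattern) -> how far the bay is energised.
TRUTH_TABLE = {
    ((0, 0, 0), (0, 0, 0)): "DEAD",       # contactors open
    ((1, 0, 0), (0, 0, 0)): "CS_CLOSED",  # a contactor closed, CB open
    ((1, 1, 0), (0, 0, 0)): "CB_CLOSED",  # CB closed, IS open
    ((1, 1, 1), (1, 1, 1)): "IS_CLOSED",  # IS closed, load current flowing
    ((0, 0, 0), (1, 0, 0)): "ES_CLOSED",  # earthing switch closed, fault current
}

# Switch positions implied by each stage (1 = CLOSED, 0 = OPEN). CS_ANY = at
# least one of CS1/CS2 is closed; the sensors cannot tell which.
STAGE_IMPLIES = {
    "DEAD":      {"CS1": 0, "CS2": 0, "ES": 0},
    "CS_CLOSED": {"CS_ANY": 1, "CB": 0, "ES": 0},
    "CB_CLOSED": {"CS_ANY": 1, "CB": 1, "IS": 0, "ES": 0},
    "IS_CLOSED": {"CS_ANY": 1, "CB": 1, "IS": 1, "ES": 0},
    "ES_CLOSED": {"ES": 1},
}


def estimate_stage(volts, amps):
    """Threshold the three sensors and look the pattern up in Table 3."""
    v = tuple(int(x > t) for x, t in zip(volts, V_HIGH))
    a = tuple(int(x > t) for x, t in zip(amps, A_HIGH))
    return TRUTH_TABLE.get((v, a), "UNKNOWN")


def feedback_supports(stage, switch, st_val):
    """True if the power feedback agrees that `switch` is in position st_val,
    False if it contradicts it, None if the feedback cannot decide."""
    implied = STAGE_IMPLIES.get(stage, {})
    if switch in implied:
        return implied[switch] == st_val
    if switch in ("CS1", "CS2") and implied.get("CS_ANY") == 1:
        return True if st_val == 1 else None   # the closed one may be the other CS
    return None


def is_message_modified(update, feedback, last_st_num, max_skew=0.020):
    """Algorithm 2. update = {"switch", "stVal", "stNum", "t"}; feedback =
    {"stage", "t"} from the latest SV samples. Returns False (consistent),
    True (contradicted by the physics or outside the time window) or
    "unverifiable" (this example's refinement of the paper's boolean)."""
    if update["stNum"] == last_st_num:
        return False                              # retransmission, already checked
    support = feedback_supports(feedback["stage"], update["switch"], update["stVal"])
    if support is None:
        return "unverifiable"
    return not (support and abs(update["t"] - feedback["t"]) <= max_skew)


def is_update_missing(prev_stage, new_stage, event_t, updates, last_st_num,
                      max_delay=0.020):
    """Algorithm 3. A stage change seen in the SV stream at event_t must be
    matched by a GOOSE update carrying a new stNum within max_delay seconds."""
    if prev_stage == new_stage:
        return False                              # transient, no state change
    return not any(u["stNum"] != last_st_num and 0 <= u["t"] - event_t <= max_delay
                   for u in updates)


def demo():
    """The same update message judged in two physical contexts (Scenario 2
    versus a genuine operation), then Scenario 1 (dropped update), all on
    Table 2 readings. Returns the three verdicts."""
    dead = estimate_stage((0.195, 0.195, 0.09), (0.103, 0.102, 0.24))    # CS OFF row
    cs_on = estimate_stage((1.0, 0.102, 0.047), (0.107, 0.053, 0.125))   # CB OFF row
    update = {"switch": "CS1", "stVal": 1, "stNum": 2, "t": 1.003}
    # Scenario 2: the bay is dead, so a "CS1 CLOSED" update must be forged.
    forged = is_message_modified(update, {"stage": dead, "t": 1.000}, last_st_num=1)
    # Genuine: the sensors saw the contactor close 3 ms before the update arrived.
    genuine = is_message_modified(update, {"stage": cs_on, "t": 1.000}, last_st_num=1)
    # Scenario 1: DEAD -> CS_CLOSED was seen at t = 1.000 but only a
    # retransmission of the old status (stNum 1) arrived afterwards.
    missing = is_update_missing(dead, cs_on, 1.000, [{"stNum": 1, "t": 1.004}],
                                last_st_num=1)
    return forged, genuine, missing
```

The "unverifiable" outcome is the price of using sensor patterns rather than per-device position contacts: a "CS1 OPEN" update while the bay is energised through a contactor cannot be refuted, because CS2 may be the closed one. A deployment would either add sensors that separate the two contactor paths or treat unverifiable updates as accepted but logged, rather than collapsing them into the paper's TRUE.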

6. Implementation and Results


Power substations consist of bays that connect feeders to power sources, and each bay contains switchgears that implement the bay-level protection and control functions. IEC61850 expresses no preference as to where the interlocking function should be implemented (the station level or the bay level); it leaves this to the substation designer. At the station level, the interlocking function has to keep the state and configuration information of the switchgears from all the bays in the substation. Thus, for a substation with $n$ bays and $x$ switchgears per bay, the interlocking function keeps $n \cdot x$ switchgear states with $(2^x)^n$ possible switchgear configurations. The configuration table grows rapidly as $x$ and $n$ increase and can easily overwhelm the IED. Also, our proposed solution relies on SV messages obtained from the merging units by the interlocking function. SV messages are a continuous stream of currents and voltages sampled at high rates and transmitted as multicast packets. For a multi-bay substation, the interlocking function would need to process the continuous multicast streams from all the merging units distributed across the bays in the substation. This would overburden the station LAN, causing network congestion, and may also lead to the failure of the interlocking function IED's network interface controller. For these reasons, we recommend that the interlocking function be implemented at the bay level, and our proposed solution is designed for a bay-level interlocking function.

6.1 Implementation Details


In our earlier work [7], we designed and implemented a substation simulation testbed. Some modifications were made to the initial testbed to support the substation interlocking function discussed in this paper. The modified testbed is implemented as shown in Figure 3, using three virtual machines (VMs) running on a VMware ESXi server and a MacBook Pro computer.

6.1.1 Power System (VM1). The substation is simulated on the MacBook Pro computer (Intel Core i7, 2.5 GHz, 16 GB of RAM, 512 GB SSD). The substation is a single-bay step-down station designed in Matlab/Simulink and consists of contactor switches (CS1 and CS2), a grounding/earthing switch (ES), an isolator switch (IS) and a circuit breaker (CB). Voltage and current measurements are obtained from sensor 1, sensor 2, and sensor 3, installed at different locations along the bay.

6.1.2 Virtual IEDs.

Merging Unit and Switchgear Controller (VM1): The merging unit and
switchgear controller are both implemented as standalone C/C++
applications based on the IEC 61850 standard. These applications
also run on VM1 (Ubuntu 14.04.4 LTS, 2 GB RAM, 2-core processor,
20 GB HDD). The merging unit and switchgear controller communicate
with the simulated substation over UDP ports. The merging unit
collects sampled measurements from all three sensors, timestamps them
and multicasts the values using the SV protocol. The switchgear
controller relays OPEN/CLOSE GOOSE commands from the bay controller
to the appropriate switchgear.
Bay Controller IED (VM2): The bay controller IED is implemented as
a C/C++ application based on the IEC 61850 standard and runs on
VM2 (Ubuntu 14.04.4 LTS, 2 GB RAM, 2-core processor, 20 GB HDD).
The bay controller IED consists of five switch controller logical
nodes (CSWI CS1, CSWI CS2, CSWI ES, CSWI CB and CSWI IS), each
corresponding to a switchgear device in the substation.

Tebekaemi, Colbert & Wijesekera 15

Figure 3. Implementation Schematics of the Substation Testbed

Interlocking IED (VM2): The interlocking IED consists of five CILO
logical nodes (CILO CS1, CILO CS2, CILO ES, CILO CB and CILO IS),
each of which maintains the state information of the corresponding
switchgear device in the testbed. The interlocking IED runs the data
manipulation detection algorithms and maintains the switchgear
configuration and transition rules. We derived the following
interlocking rules (Algorithm 4) for the interlocking IED from Table 1.

Algorithm 4 Interlocking Rules


1: if CS2==CLOSE then DENY CS1 Close
2: if CS1==CLOSE then DENY CS2 Close
3: if ES==CLOSE then DENY CS1 Close
4: if ES==CLOSE then DENY CS2 Close
5: if CS1==CLOSE then DENY ES Close
6: if CS2==CLOSE then DENY ES Close
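Algorithm 4 as a running CILO permission check, written here as an added example (it is not the testbed's C/C++ code). The device names follow the paper and the rule table is transcribed line by line from Algorithm 4; since the algorithm constrains CLOSE requests for CS1, CS2 and ES only, CB and IS are never denied. The example also enumerates the configurations the six rules leave reachable from the all-open bay, which illustrates the earlier (2^x)^n discussion: of the 2^5 = 32 configurations of the five devices, the interlock permits 16 (at most one of CS1, CS2 and ES closed, CB and IS free).

```python
"""Algorithm 4 as a CILO permission check and an enumeration of the
switchgear configurations it leaves reachable.

Added example, not the testbed's C/C++ code. The device names follow the
paper; the rule table is transcribed from Algorithm 4, which constrains
CLOSE requests for CS1, CS2 and ES only, so CB and IS are never denied here.
"""

OPEN, CLOSE = "OPEN", "CLOSE"
DEVICES = ("CS1", "CS2", "ES", "CB", "IS")

# (blocker, target): while blocker is CLOSE, a CLOSE request for target is denied.
INTERLOCK_RULES = (
    ("CS2", "CS1"),  # 1: if CS2==CLOSE then DENY CS1 Close
    ("CS1", "CS2"),  # 2: if CS1==CLOSE then DENY CS2 Close
    ("ES", "CS1"),   # 3: if ES==CLOSE  then DENY CS1 Close
    ("ES", "CS2"),   # 4: if ES==CLOSE  then DENY CS2 Close
    ("CS1", "ES"),   # 5: if CS1==CLOSE then DENY ES Close
    ("CS2", "ES"),   # 6: if CS2==CLOSE then DENY ES Close
)


def check(states, device, op):
    """CILO verdict for a CSWI request: (permitted, reason_if_denied)."""
    if device not in states:
        return False, "unknown device %s" % device
    if op == OPEN:                      # Algorithm 4 constrains CLOSE requests only
        return True, None
    for blocker, target in INTERLOCK_RULES:
        if target == device and states[blocker] == CLOSE:
            return False, "%s is CLOSE" % blocker
    return True, None


def apply_request(states, device, op):
    """New configuration after the request, or the unchanged one if the interlock denies it."""
    permitted, _ = check(states, device, op)
    if not permitted:
        return states
    new = dict(states)
    new[device] = op
    return new


def _key(states):
    return tuple(states[d] for d in DEVICES)


def reachable_configurations(start=None):
    """Breadth-first enumeration of every configuration the interlock lets the bay reach."""
    start = start or {d: OPEN for d in DEVICES}
    seen = {_key(start): start}
    frontier = [start]
    while frontier:
        nxt = []
        for s in frontier:
            for d in DEVICES:
                for op in (OPEN, CLOSE):
                    n = apply_request(s, d, op)
                    if _key(n) not in seen:
                        seen[_key(n)] = n
                        nxt.append(n)
        frontier = nxt
    return list(seen.values())


def rule_table_is_symmetric():
    """Every pairwise exclusion of Algorithm 4 is written in both directions."""
    pairs = set(INTERLOCK_RULES)
    return all((b, a) in pairs for a, b in pairs)


if __name__ == "__main__":
    s = apply_request({d: OPEN for d in DEVICES}, "CS1", CLOSE)
    print(check(s, "CS2", CLOSE))                       # (False, 'CS1 is CLOSE')
    print(len(reachable_configurations()), "of", 2 ** len(DEVICES))
```

The symmetry check is the kind of sanity test worth running on any rule table before it is loaded into an IED: a mutual exclusion that is written in only one direction lets an attacker (or an operator) reach a forbidden configuration simply by ordering the two CLOSE requests the other way round.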

6.1.3 Attacks.

Blocked GOOSE Update: We assume that the attacker has access to the
process LAN and blocks the sending of GOOSE update messages. To
simulate this we configured the controllers not to send update
messages after a state-change operation.

Modified GOOSE Update: We assume that the attacker has access to the
process LAN. GOOSE update messages are broadcast in plain text to all
subscriber IEDs. Using tcpdump (a network traffic capture tool) we
captured network traffic and replayed it either unmodified using
tcpreplay (a network traffic replay tool) or modified using Scapy (a
packet manipulation tool).

6.2 Results
The simulation was first run with the CILO security controller
deactivated. The interlocking IED used the GOOSE stNum, sqNum and
timestamp fields to detect replay attacks. However, when the stNum,
sqNum and timestamp were modified to mimic a new update message, we
were able to modify the interlock configuration state. For missing or
blocked update messages, the interlocking IED had no way of detecting
such events and easily entered an inconsistent state. When the security
controller was activated, both the modified replay attacks and the
missing update messages were detected. The security controller always
validates a GOOSE update message against the power feedback carried in
the SV messages to ensure that the update is genuine. Also, by
continuously listening for changes in the physical system, the security
controller can detect configuration changes observed in the power
feedback SV messages but not reported by any GOOSE update message.
Table 4 summarizes the performance of the interlocking function with
and without the security controller. The time (ms) is the time in
milliseconds from when the control operation is initiated by the switch
controller (CSWI) to when the interlocking IED updates its configuration
state.
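The two layers of checking described above, as an added example that is not the paper's testbed code: a security controller that first applies the stNum/sqNum/timestamp checks (which alone stop only an unmodified replay), then validates each claimed state change against the SV current feedback, and finally scans the SV stream for transitions that no accepted GOOSE update explains (the blocked-update case). The assumptions are constructed for the example and not taken from the paper: one SV current channel per switchgear, a CLOSE must raise that current above I_MIN and an OPEN must drop it below I_MIN inside a window around the reported switching time, and the thresholds, windows, message layouts and the sample stream are chosen for illustration only.

```python
"""Security controller for the bay-level CILO: validate GOOSE state updates
against SV current feedback and flag transitions the SV stream shows but no
GOOSE update reported. Added example, not the paper's testbed code; the
I_MIN/WINDOW/MAX_AGE values, the channel-to-device mapping, the message
layouts and the sample stream are constructed for illustration only.
"""
from dataclasses import dataclass
from statistics import mean

I_MIN = 5.0      # A: separates "no load current" from "carrying load current"
WINDOW = 0.010   # s: SV window inspected on each side of a reported transition
MAX_AGE = 0.100  # s: oldest GOOSE timestamp still accepted as fresh

@dataclass(frozen=True)
class GooseUpdate:
    device: str
    state: str    # "OPEN" or "CLOSE"
    st_num: int   # GOOSE stNum: increments on every state change
    sq_num: int   # GOOSE sqNum: increments on every retransmission of the same state
    t: float      # sender timestamp, seconds

@dataclass(frozen=True)
class SvSample:
    t: float
    device: str   # constructed mapping from sensor channel to the switchgear it monitors
    i_rms: float  # A

def make_sv(device, steps, dt=0.001, duration=0.1):
    """Construct an SV stream; steps=[(t, i_rms), ...] gives the current from each t onward."""
    out = []
    for k in range(int(round(duration / dt))):
        t = round(k * dt, 6)
        out.append(SvSample(t, device, [i for ts, i in steps if ts <= t][-1]))
    return out

def transitions(sv, device):
    """(time, implied state) wherever the feedback current crosses I_MIN."""
    s = sorted((x for x in sv if x.device == device), key=lambda x: x.t)
    found = []
    for a, b in zip(s, s[1:]):
        if a.i_rms < I_MIN <= b.i_rms:
            found.append((b.t, "CLOSE"))
        elif b.i_rms < I_MIN <= a.i_rms:
            found.append((b.t, "OPEN"))
    return found

class SecurityController:
    def __init__(self):
        self.last_seq = {}   # device -> (st_num, sq_num) of the last accepted message
        self.state = {}      # device -> state established by validated updates
        self.accepted = []   # (device, t, state) of validated state changes

    def validate(self, msg, sv, now):
        """Verdict for one GOOSE update, given the SV stream and the receive time."""
        st, sq = self.last_seq.get(msg.device, (-1, -1))
        if msg.st_num < st or (msg.st_num == st and msg.sq_num <= sq):
            return "REPLAY"                  # caught by stNum/sqNum alone
        if now - msg.t > MAX_AGE:
            return "STALE"
        if msg.st_num == st:                 # retransmission of the current state
            if msg.state != self.state.get(msg.device):
                return "MISMATCH"
            self.last_seq[msg.device] = (st, msg.sq_num)
            return "REPEAT"
        before = [x.i_rms for x in sv if x.device == msg.device and msg.t - WINDOW <= x.t < msg.t]
        after = [x.i_rms for x in sv if x.device == msg.device and msg.t <= x.t < msg.t + WINDOW]
        if not before or not after:
            return "NO_FEEDBACK"             # cannot validate, so the state is not updated
        was_closed, is_closed = mean(before) >= I_MIN, mean(after) >= I_MIN
        if is_closed == was_closed or is_closed != (msg.state == "CLOSE"):
            return "MISMATCH"                # the power feedback disagrees with the claim
        self.last_seq[msg.device] = (msg.st_num, msg.sq_num)
        self.state[msg.device] = msg.state
        self.accepted.append((msg.device, msg.t, msg.state))
        return "ACCEPT"

    def unreported(self, sv, device):
        """Transitions visible in the SV feedback that no accepted GOOSE update explains."""
        return [(t, s) for t, s in transitions(sv, device)
                if not any(d == device and s == sa and abs(t - ta) <= WINDOW
                           for d, ta, sa in self.accepted)]

def demo():
    """Constructed scenario: CB closes at 0.050 s and is opened again at 0.080 s."""
    sv = make_sv("CB", [(0.0, 0.0), (0.050, 120.0), (0.080, 0.0)])
    sc = SecurityController()
    verdicts = [
        sc.validate(GooseUpdate("CB", "CLOSE", 1, 0, 0.050), sv, now=0.052),  # genuine update
        sc.validate(GooseUpdate("CB", "CLOSE", 1, 0, 0.050), sv, now=0.060),  # unmodified replay
        sc.validate(GooseUpdate("CB", "OPEN", 2, 0, 0.065), sv, now=0.067),   # modified replay
    ]
    # The real OPEN at 0.080 s had its GOOSE update blocked; only the feedback shows it.
    return verdicts, sc.unreported(sv, "CB")
```

The modified replay in demo() carries a fresh stNum, sqNum and timestamp, so the sequence checks pass and only the feedback comparison rejects it; the blocked update is caught the other way round, by a current step in the SV stream with no accepted message within WINDOW of it. A message that arrives without enough SV samples around its timestamp is deliberately not applied: an interlock that updates state it cannot verify is exactly the inconsistent state the paper observed without the security controller.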

Table 4. Comparison of the Interlocking Function with and without Security.

                   No Security    Security (no noise)   Security (noise)
  Replay           detected       detected              detected
  Modified Replay  not detected   detected              detected
  Missing Update   not detected   detected              detected
  Time (ms)        1.351          1.446                 57.955

7. Conclusion
Interlocking is a critical substation automation function that ensures
the safety of lives and equipment and the reliability and resiliency of
power systems. Failure of an interlocking function could result in loss
of lives and property, and interlocking is therefore a high-value target
for malicious attackers. Power systems have very constraining time
requirements which make the use of cryptographic techniques and tools
to protect data undesirable at present speeds. Therefore, other methods
for securing the operation of power systems should be exploited.
In this work, we present a novel method to detect data manipulation
attacks using the behavior of the physical system and integrate it into
conventional intrusion detection mechanisms. The approach described
in this paper is applicable to other areas of power systems where
automated switching functions are desired, such as distribution bus
networks and ship power systems. As this work shows, integrating the
physical behavior of a cyber-physical system into its cyber security
controls is vital if the system is to operate resiliently.

References
[1] E. Colbert, D. Sullivan, S. Hutchinson, K. Renard, and S. Smith,
A process-oriented intrusion detection method for industrial control
systems, International Conference on Cyber Warfare and Security,
Academic Conferences International Limited, p. 497, 2016.
[2] G. Koutsandria, V. Muthukumar, M. Parvania, S. Peisert, C. McParland,
and A. Scaglione, A hybrid network IDS for protective digital relays in
the power transmission grid, 2014 IEEE International Conference on
Smart Grid Communications (SmartGridComm), pp. 908-913, 2014.
[3] R. Mitchell and R. Chen, Adaptive intrusion detection of malicious
unmanned air vehicles using behavior rule specifications, IEEE
Transactions on Systems, Man, and Cybernetics: Systems, vol. 44(5),
pp. 593-604, 2014.
[4] K. Sawada, T. Sasaki, S. Shin, and S. Hosokawa, A fallback control
study of networked control systems for cybersecurity, 2015 10th Asian
Control Conference (ASCC), pp. 1-6, 2015.
[5] O. A. Harshe, N. T. Chiluvuri, C. D. Patterson, and W. T. Baumann,
Design and implementation of a security framework for industrial
control systems, 2015 International Conference on Industrial
Instrumentation and Control (ICIC), pp. 127-132, 2015.
[6] J. Pan, B. Duan, C. Qiu, and G. Li, Research on interlocking CILO
based on IEC 61499/62351, 2012 Asia-Pacific Power and Energy
Engineering Conference, pp. 1-4, 2012.
[7] E. Tebekaemi and D. Wijesekera, Designing an IEC 61850 based
power distribution substation simulation/emulation testbed for
cyber-physical security studies, CYBER 2016, The First International
Conference on Cyber-Technologies and Cyber-Systems, International
Academy, Research, and Industry Association (IARIA), pp. 41-49, 2016.
[8] Y. Jin, E. Tebekaemi, M. Berges, and L. Soibelman, Robust adaptive
event detection in non-intrusive load monitoring for energy aware
smart facilities, 2011 IEEE International Conference on Acoustics,
Speech and Signal Processing (ICASSP), pp. 4340-4343, 2011.
[9] A. R. Rababaah and E. Tebekaemi, Electric load monitoring of
residential buildings using goodness of fit and multi-layer perceptron
neural networks, 2012 IEEE International Conference on Computer
Science and Automation Engineering (CSAE), vol. 2, pp. 733-737, 2012.
[10] A. Al-Mohammed and M. Abido, An adaptive fault location algorithm
for power system networks based on synchrophasor measurements,
Electric Power Systems Research, vol. 108, pp. 153-163, 2014.
[11] P. K. Nayak, A. K. Pradhan, and P. Bajpai, A fault detection
technique for the series-compensated line during power swing, IEEE
Transactions on Power Delivery, vol. 28(2), pp. 714-722, 2013.
[12] R. Liu, C. Vellaithurai, S. S. Biswas, T. T. Gamage, and A. K.
Srivastava, Analyzing the cyber-physical impact of cyber events on
the power grid, IEEE Transactions on Smart Grid, vol. 6(5),
pp. 2444-2453, 2015.
[13] M. Riera-Guasp, J. A. Antonino-Daviu, and G. A. Capolino, Advances
in electrical machine, power electronic, and drive condition monitoring
and fault detection: State of the art, IEEE Transactions on Industrial
Electronics, vol. 62(3), pp. 1746-1759, 2015.
