Cyber-Vulnerability of Power Grid Monitoring and Control Systems

Chee-Wooi Ten, Iowa State University, 2215 Coover Hall, Ames, IA 50011, +1 (515) 294-9338, [email protected]
Chen-Ching Liu, Iowa State University, 1117 Coover Hall, Ames, IA 50011, +1 (515) 294-4763, [email protected]
Manimaran Govindarasu, Iowa State University, 3219 Coover Hall, Ames, IA 50011, +1 (515) 294-9175, [email protected]

ABSTRACT

In this paper, a methodology is proposed for the evaluation of the impact of cyber attacks on the power grid. This is a systematic approach to evaluate the vulnerabilities of a SCADA system at three levels, i.e., system, scenario, and access points. The impact of a potential intrusion is evaluated based on the power flow solution. The cause-effect analysis in the proposed method determines the likelihood of the consequence, which is evaluated in terms of a substation outage. An IEEE 30 bus system is used to build a test case for the proposed method.

Keywords
Cyber-Vulnerability, Dependability Measures, and Power Automation.

1. INTRODUCTION

Technological innovation over the last decade has enabled communication protocols to become more flexible and accommodating to industry's needs for the purpose of interoperability and maintainability in an open architecture environment [1], [2]. By introducing standard protocols using TCP/IP, the innovation also raises concerns about cyber-related issues [3], [4]. These concerns include large scale interdependencies between computers, communication, and power infrastructures due to the complexity of required compliances [5]. Although the complex infrastructure provides the capabilities for operation, control, business, and analysis, it also increases the security risks, including threats and vulnerabilities of cybersecurity. The future needs to overcome deficiencies of the communication architecture are discussed in [6]. The drawback of technological innovations includes security breaches that may lead to electronic intrusions. A successful intrusion into the control networks can lead to undesirable switching operations executed by attackers, resulting in widespread power outages. Three modes of malicious attacks on the power infrastructure are (i) attack upon the system, (ii) attack by the system, and (iii) attack through the system [7].

The American Gas Association (AGA) 12 task group established protection guidelines for gas SCADA systems that can also apply to water and electricity SCADA systems due to the technical and operational similarity [8]. The compliance mandated by NERC CIP has established the policies for all utilities in the U.S. that are intended to reduce the risks from the compromise of critical cyber assets [9]. Furthermore, the International Electrotechnical Commission Technical Committee 57 (IEC TC 57), power systems management and associated information exchange, has advanced the security of the standard communication protocols in IEC62351, improving the authentication mechanisms with stronger encryption [10]. This also assures a higher security level for access to sensitive power equipment, with audit capabilities.

The high speed communication of a fully automated substation system based on IEC61850 provides comprehensive application usages for control and data acquisition through an Ethernet-based network. Its distributed applications, such as GOOSE or GSSE messages, relate to the main functions of protection, control, monitoring, and archiving, and can be configured through the local user interface. The use of the Ethernet-based substation automation system (SAS) leads to cybersecurity issues for power automation [11]. Regardless of the password strength, malicious intrusion attempts remain a potential threat. A typical intrusion involves the following steps: (i) identification of access points, (ii) penetration into the networks through the access points, (iii) determination of the targeted systems and learning how to launch an attack, and (iv) termination by executing the attack. Although whether a cyber-attack is conducted depends on an individual's motivation, irregular routine maintenance of a SAS may leave it prone to attacks. Attacks such as disabling or changing the functionality of relay settings can be made through the user interface in the SAS where it is linked to the intelligent electronic devices (IEDs) [12], [13]. This modification can be accomplished by accessing the web server of the SAS through the web-based user interface. Such modifications may not be noticed, since auditing of unmanned substations is not conducted frequently.

Conducting a cyber-attack that may lead to equipment damage requires planning and in-depth knowledge. Compliance with NERC's cybersecurity standards has become increasingly challenging due to the complexity of interdependencies between the computer communication system and the physical infrastructure. This research proposes a methodology to study the impact of a cyber attack on supervisory control and data acquisition (SCADA) systems at three levels: system, scenarios, and access points. The method is embedded with firewall and password models, which are the primary mode of protection in the power industry today. A test case based on the IEEE 30 bus system is formulated to evaluate the impact of attacks launched from outside or within the substation networks [14-16].

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CSIIRW '08, May 12-14, Oak Ridge, Tennessee, USA
Copyright © 2008 ACM 978-1-60558-098-2 ... $5.

2. MODELING FOR CYBER-VULNERABILITY

The methodology is to model intrusions and evaluate the consequences of a cyber-attack on the SCADA system. The proposed method is used to assess the vulnerability of computer networks and the potential loss of load in a power system as a result of a cyber attack. Fig. 1 shows the relationship between the cyber attacks and the resulting impact on a power system. It is composed of two aspects: 1. a cyber-net model, and 2. power flow simulation. A cyber-net defines the intrusion scenarios with their events and status. Power flow simulation determines the steady state operating condition of a power system. The integration of these two models makes it possible to quantify the impact caused by a potential cyber attack.

Fig. 1. Cyber-Attack upon Power Systems

The proposed methodology can be used to:
1. Model the access points of control networks with a cyber-net model based on the firewall and password models.
2. Simulate the resulting impact based on power flow simulations.
3. Improve the cybersecurity of the SCADA system in accordance with the vulnerability assessment results.

The proposed vulnerability assessment method is performed at three levels: system, scenarios, and access points. Fig. 2 demonstrates a scenario consisting of the access points that are embedded with firewall and password models. The system vulnerability is the maximum value among all the substations.

Fig. 2. Combination of a Firewall with n Rules and n Computers

A case study using the IEEE 30 bus test system has been set up with 24 substations. To validate the analytical approach, attacks launched from different locations are formulated. Two cases for vulnerability evaluation are considered:
1) An attack from outside the substation-level networks
2) An attack from within the substation networks

To formulate a realistic case, actual logon data from the Iowa State University information technology division was observed. The sample data comprise approximately 3 million records captured from the Kerberos authentication system for all users; from these, rates have been randomly generated in the range 1e-5 to 0.005 and used to calculate the probability set for the firewall and password models. The rates are assumed to be constant for all computer systems and firewalls. Table I shows the vulnerability level for each substation for the existing and the improved configuration. The highlighted row (substation 14, which has the maximum value in every column) indicates the bottleneck of system vulnerability.
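The three-level assessment described above, as an added example in Python (not the authors' code, and not a reproduction of their cyber-net or power-flow models): each access point carries a firewall model and a password model, a scenario is a chain of access points, and the system vulnerability is the maximum over all substations, as the paper defines it. The per-rule firewall probabilities, the "both firewall and password must be defeated" rule, the clamping of logon-derived rates to the paper's stated range [1e-5, 0.005], and all sample data are assumptions made for illustration; the figures it prints are not those of Table I.

```python
"""Toy version of the system / scenario / access-point assessment.

Added example, not the authors' code. Only two things are taken from the
paper: system vulnerability = max over substations, and the rate range
[1e-5, 0.005]. Everything else is an assumption for illustration:
  - an access point is defeated when its firewall AND its password fall;
  - a scenario is a chain of access points that must all be defeated;
  - attacks from outside traverse a control-centre access point first,
    attacks from within the substation network start at the substation;
  - a firewall with n permissive rules admits a malicious packet if any
    one rule does (independent per-rule probabilities).
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod

RATE_MIN, RATE_MAX = 1e-5, 0.005  # range quoted in the paper for the rates


def password_rate(failures: int, total: int) -> float:
    """Password-model probability from logon statistics: share of failed
    logons among all attempts, clamped to the paper's stated range."""
    if total <= 0:
        raise ValueError("no logon records")
    return min(RATE_MAX, max(RATE_MIN, failures / total))


def firewall_bypass(rule_probs: list[float]) -> float:
    """Probability that a malicious packet passes a firewall with n rules,
    each rule independently admitting it with the given probability."""
    for p in rule_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"bad rule probability {p}")
    return 1.0 - prod(1.0 - p for p in rule_probs)  # no rules -> 0.0


@dataclass(frozen=True)
class AccessPoint:
    name: str
    rule_probs: tuple[float, ...]  # one entry per permissive firewall rule
    pw_failures: int
    pw_total: int

    def vulnerability(self) -> float:
        fw = firewall_bypass(list(self.rule_probs))
        return fw * password_rate(self.pw_failures, self.pw_total)


def scenario_vulnerability(path: list[AccessPoint]) -> float:
    """Chain of access points that must all be defeated (independence assumed)."""
    return prod(ap.vulnerability() for ap in path)


def assess(control_centre: AccessPoint, substations: dict[int, AccessPoint]):
    """Return {sub: (from_outside, from_within)} and the system vulnerability,
    i.e. the maximum over all substations."""
    table = {}
    for sub, ap in substations.items():
        outside = scenario_vulnerability([control_centre, ap])
        within = scenario_vulnerability([ap])
        table[sub] = (outside, within)
    system = max(max(v) for v in table.values())
    return table, system


def harden(ap: AccessPoint, keep_rules: int, pw_failures: int) -> AccessPoint:
    """'Improved' configuration: keep only the least permissive rules and
    assume a password policy that drives the failed-logon count down."""
    kept = tuple(sorted(ap.rule_probs)[:keep_rules])
    return AccessPoint(ap.name, kept, pw_failures, ap.pw_total)


# Constructed sample data (hypothetical rule probabilities and logon counts).
CONTROL_CENTRE = AccessPoint("control-centre", (0.02, 0.05), 40, 200_000)
SUBSTATIONS = {
    1: AccessPoint("sub-1", (0.05, 0.10, 0.30), 12, 4_000),
    2: AccessPoint("sub-2", (0.05,), 3, 9_000),
    3: AccessPoint("sub-3", (0.10, 0.40, 0.50, 0.60), 25, 3_000),
}


def existing_vs_improved():
    """Run the assessment for the existing and the hardened configuration."""
    existing, sys_e = assess(CONTROL_CENTRE, SUBSTATIONS)
    improved_subs = {s: harden(ap, 1, 1) for s, ap in SUBSTATIONS.items()}
    improved, sys_i = assess(harden(CONTROL_CENTRE, 1, 1), improved_subs)
    return existing, sys_e, improved, sys_i


if __name__ == "__main__":
    existing, sys_e, improved, sys_i = existing_vs_improved()
    print(f"{'Sub.':>4} {'outside':>10} {'within':>10} | {'outside*':>10} {'within*':>10}")
    for s in sorted(existing):
        e, i = existing[s], improved[s]
        print(f"{s:>4} {e[0]:10.2e} {e[1]:10.2e} | {i[0]:10.2e} {i[1]:10.2e}")
    print(f"system vulnerability: existing {sys_e:.2e}, improved {sys_i:.2e}  (* = improved)")
```

The substation with the most permissive rule set and the weakest logon statistics (sub-3 in the constructed data) sets the system value, which is the "bottleneck" reading of Table I; an attack from within is always at least as likely as one from outside because it skips the control-centre access point.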
TABLE I
VULNERABILITY ASSESSMENT FOR OUTSIDE AND INSIDE THREATS

Sub.   From Outside             Within Control Networks
       Existing   Improved      Existing   Improved
 1     0.1513     0.0313        0.923      0.3176
 2     0.2944     0.1154        0.8857     0.3007
 3     0.1173     0.022         0.7486     0.5167
 4     0.4437     0.093         1.1019     0.2613
 5     0.2798     0.0628        1.2137     0.344
 6     0.5386     0.2938        1.03       0.2719
 7     0.5054     0.1128        1.0216     0.2803
 8     0.4173     0.0939        1.082      0.2647
 9     0.3126     0.0671        1.0702     0.3213
10     0.5218     0.1057        0.6861     0.2295
11     0.7225     0.2236        1.3175     0.523
12     0.5594     0.0964        0.8999     0.2244
13     0.3007     0.0687        0.9506     0.2761
14     1.1402     0.3625        1.4858     0.524
15     0.6633     0.1553        1.1364     0.3189
16     0.8287     0.1546        1.2061     0.2486
17     0.7949     0.2618        1.3743     0.4959
18     0.1745     0.0301        0.6885     0.418
19     0.2798     0.0371        0.8495     0.236
20     0.4075     0.0777        1.1085     0.2872
21     1.0377     0.3158        1.4457     0.4915
22     0.2329     0.0833        0.6731     0.2949

3. CONCLUSION AND FUTURE WORK

A comprehensive cybersecurity framework for critical infrastructure systems is needed. This paper introduces a procedure for evaluating cyber-based (electronic) intrusion attacks on a power system control network. The proposed approach opens up several opportunities for future research:
1. Extending the proposed risk modeling approach with comprehensive economic and intrusion models.
2. Extending the proposed risk modeling to model DoS attacks and their resulting consequences on the power system.
3. Developing offline and online mitigation strategies to minimize the cyber-associated risks of the power control network.
4. Developing visualization techniques to deliver the vast and relevant information from geographically dispersed substations, which is needed to show the outcome of the risk analysis.

4. ACKNOWLEDGMENTS

The authors gratefully acknowledge the support of the Electric Power Research Center (EPRC), Iowa State University.

5. REFERENCES

[1] A. G. Bruce and R. Lee, "A framework for the specification of SCADA data links," IEEE Trans. Power Syst., vol. 9, no. 1, pp. 560–564, Feb. 1994.
[2] M. Adamiak and W. Premerlani, "The role of utility communications in a deregulated environment," in Proc. 32nd Annual Hawaii Intl. Conf. on System Sciences (HICSS-32), vol. Track 3, pp. 3026–2032, 1999.
[3] "Supervisory control and data acquisition (SCADA) systems," National Communications System, Technical Information Bulletin 04-1, Oct. 2004. [Online]. Available: http://www.ncs.gov/library/techbulletins/2004/tib 04-1.pdf.
[4] R. L. Krutz, Securing SCADA Systems, 1st ed. Wiley Pub., Nov. 28, 2005.
[5] M. Amin and B. F. Wollenberg, "Toward a smart grid: Power delivery for the 21st century," IEEE Power & Energy Mag., vol. 3, no. 5, pp. 34–41, Sep. 2005.
[6] F. F. Wu, K. Moslehi, and A. Bose, "Power system control centers: Past, present, and future," Proc. IEEE, vol. 93, no. 11, pp. 1890–1908, Nov. 2005.
[7] M. Amin, "Security challenges for the electricity infrastructure," IEEE Security & Privacy, vol. 35, no. 4, pp. 8–10, Apr. 2002.
[8] F. T. Sheldon, S. G. Batsell, P. S. J., and M. A. Langston, "Cryptographic protection of SCADA communications – part 1: Background, policies and test plan," prepared by AGA 12 task group, Draft 6, no. 12, Sep. 7, 2003.
[9] "User manual for the workshop," in Cybersecurity Standards Workshop, North American Electric Reliability Council (NERC), Minneapolis, MN, Sep. 2006.
[10] F. Cleveland, "IEC TC57 security standards for power systems information infrastructure - beyond simple encryption," in Proc. IEEE Power Engineering Society General Meeting, Tampa, FL, Jun. 24–28, 2007.
[11] S. Su, W.-L. Chan, K.-K. Li, X. Duan, and X. Zeng, "Context information-based cybersecurity defense of protection system," IEEE Trans. Power Del., vol. 22, no. 3, pp. 1477–1481, Jul. 2007.
[12] M. Naedele, D. Dzung, and M. Stanimirov, "Network security for substation automation systems," in SAFECOMP 2001, U. Voges (Ed.), LNCS 2187, Springer-Verlag, Berlin, Heidelberg, 2001, pp. 25–34.
[13] R. Mackiewicz, "Benefits of IEC61850 networking," technical report, UCA User Group by SISCO. [Online]. Available: http://www.ucausersgroup.org/.
[14] C.-W. Ten, C.-C. Liu, and M. Govindarasu, "Vulnerability assessment of cybersecurity for SCADA systems," to appear in IEEE Trans. Power Syst.
[15] C.-W. Ten, C.-C. Liu, and M. Govindarasu, "Vulnerability assessment of cybersecurity for SCADA systems using attack trees," in Proc. IEEE Power Engineering Society General Meeting, Tampa, FL, Jun. 24–28, 2007.
[16] C.-W. Ten, M. Govindarasu, and C.-C. Liu, "Cybersecurity for electric power control and automation systems," in Proc. eNetworks Cyberengineering Workshop, IEEE Int. Conf. on Systems, Man, and Cybernetics 2007, Montreal, Canada.
