
Detection of Cyber Intrusions Using Network-Based Multicast Messages for Substation Automation

Junho Hong*, Student Member, IEEE, Chen-Ching Liu*+, Fellow, IEEE, Manimaran Govindarasu#, Senior Member, IEEE

* Washington State University, + University College Dublin, # Iowa State University

Abstract — This paper proposes a new network-based cyber intrusion detection system (NIDS) using multicast messages in substation automation systems (SASs). The proposed network-based intrusion detection system monitors anomalies and malicious activities of multicast messages based on IEC 61850, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Value (SV). The NIDS detects anomalies and intrusions that violate predefined security rules using a specification-based algorithm. Performance tests have been conducted for different cyber intrusion scenarios (e.g., packet modification, replay and denial-of-service attacks) using a cyber security testbed. The IEEE 39-bus system model has been used to test the proposed intrusion detection method against simultaneous cyber attacks. The false negative ratio (FNR) is the number of misclassified abnormal packets divided by the total number of abnormal packets. The results demonstrate that the proposed NIDS achieves a low false negative ratio.

Index Terms — Cyber Security of Substations, Intrusion Detection System, Network Security, GOOSE and SV.

I. INTRODUCTION

A BLACKOUT of a power grid has a significant impact on society and the economy. These catastrophic outages can be caused by human errors, equipment failures and natural disasters [1]. Research has been conducted on the mitigation of these outages, e.g., methods to identify and isolate the faulted area(s) and restore unaffected areas by self-healing technologies [2]. With the increasing deployment of information and communications technology (ICT), power grids need to treat cyber intrusion as a major threat, since well organized cyber attacks at multiple substations may trigger a sequence of cascading events leading to a blackout [3-4]. It is important to model the cyber-power system as one integrated complex structure. For instance, what are the consequences and impact of a cyber attack on the information and communications technology of a power system? The work of [5] explains the concept of cyber-physical security in four steps: (1) modeling of the cyber-net, (2) simulation of the physical behaviors of a power grid, (3) development of a vulnerability index for the cyber-physical system, and (4) determination of mitigation measures.

This research is sponsored by U.S. National Science Foundation, “Collaborative Research: Resiliency Against Coordinated Cyber Attacks on Power Grid.” EECS-1202229. J. Hong is with the School of Electrical Engineering and Computer Science (EECS), Washington State University (WSU), Pullman, WA (e-mail: [email protected]). C.-C. Liu is with EECS, WSU, Pullman, and School of Mechanical and Materials Engineering, University College Dublin, Ireland (email: [email protected]). M. Govindarasu is with Iowa State University, Ames, IA (e-mail: [email protected]).

978-1-4799-3653-3/14/$31.00 ©2014 IEEE

Substation automation based on IEC 61850 is a key element to achieve interoperability in a smart grid [6]. The concept of IEC 61850 is adopted in distribution automation and the deployment of distributed energy resources (DERs). Cyber-physical security of substations is a critical issue for the smart grid, as substations play an important role in monitoring and control of the power grid. However, the substation automation standard, IEC 61850, does not include cyber and information security features for substations, so a cyber security standard for substations is needed. IEC technical committee (TC) 57 published the cyber security standards, IEC 62351, for power systems management and associated information exchange [7]. The IEC 62351 standards proposed an authentication method as the primary security measure for GOOSE and sampled value messages, since these messages require fast transmission times (less than 4 ms). However, performance testing of the authentication method applied to GOOSE and SV is at an early stage. Cyber intrusions related to these protocols may cause serious damage to a power grid. Intruder(s) may modify GOOSE control messages and operate circuit breakers in a substation. They can also send fabricated (and improper) protection coordination messages to other substations. An SV message attack can deliver fabricated analog values to a control center, leading to undesirable operations. In order to mitigate cyber attacks related to substation automation, an intrusion detection system for IEC 61850 based substation automation systems was proposed [8]. The work of [9] proposed a retrofit data logger solution and an intrusion detection system for serial communication based MODBUS and DNP3 in substations. Temporal anomaly detection in a substation has been developed in the authors' previous work [10]. However, none of these works proposed cyber security measures to detect cyber threats against substation multicast protocols such as GOOSE and SV.

Therefore, technologies to detect anomalies and intrusions in multicast messages of substation automation protocols are critically needed. This paper proposes a network-based intrusion detection system for substations. The network-based intrusion detection is focused on multicast messages in a substation network, e.g., GOOSE and SV. It also detects, in a real-time environment, anomalies that exhibit abnormal behaviors. The main contribution of this paper is a new methodology for a network-based intrusion detection system that can be used to detect the anomalous behaviors and malicious activities of substation multicast messages. The analytical foundation of the proposed substation intrusion detection is reported in [11]. This paper extends the method by incorporating communication delays and evaluates the method at the system level.


In order to validate the proposed network-based intrusion detection system, a cyber-physical testbed is used. Cyber attacks are simulated on the testbed. The test results show that the proposed specification-based detection algorithms are effective for the detection of multicast message anomalies and simulated attacks on substation networks. In the remainder of this paper, Section II describes the substation automation system and its vulnerabilities. Section III explains the multicast messages in IEC 61850. Section IV presents the specification-based algorithm for network-based intrusion detection. Section V describes the cyber security testbed and provides the test results of the proposed network-based IDS. The conclusions and recommendations for future work are given in Section VI.

II. SUBSTATION AUTOMATION SYSTEM AND VULNERABILITIES

IEC TC 57 published the IEC 61850 standards for the design of electrical substation automation. The main goals of the substation automation standards are: (1) interoperability, (2) simplified configuration, and (3) long-term stability. Interoperability enables substations to accommodate intelligent electronic devices (IEDs) from different vendors; IEDs from different manufacturers can exchange information and maintain general system properties [12]. Simplified configuration replaces hardwired connections (from current transformers (CTs) and voltage transformers (VTs) to protection relays) with Ethernet-based communication using IEC 61850 based protocols, which reduces engineering effort and cost significantly. The evolving cycle of ICT is much faster than that of power substation functions; long-term stability ensures that upgrading the ICT does not require re-engineering of the entire substation system.

As shown in Fig. 1, the devices of a substation automation system can be organized in three levels, i.e., the station, bay and process levels. At the station level, a user-interface system with database, server, workstation and engineering facilities is installed. The protection and control (P&C) IEDs and phasor measurement units (PMUs) are installed at the bay level. Process level devices include the sensors, CTs, VTs, circuit breakers (CBs) and merging units (MUs). IEC 61850 based protocols are used by substation automation facilities, e.g., GOOSE, SMV and MMS. GOOSE is used to send tripping signals from IEDs to circuit breakers. Sampled measured voltage and current values are sent from an MU to an IED. Many devices are synchronized by GPS. The Manufacturing Message Specification (MMS) is used for monitoring, control and reporting between the user-interface system and IEDs. Potential cyber security vulnerabilities in the substation automation network, as illustrated in Fig. 1, include:

A1: Compromise user-interface
A2: Interrupt time synchronization
A3: Compromise station level communication bus
A4: Gain access to bay level devices
A5: Change protective device settings
A6: Capture and modify GOOSE message
A7: Compromise process level communication bus
A8: Generate fabricated analog values (SV)
A9: Compromise firewall and gain access to substation

Fig. 1. Potential Cyber Threats in a Substation Automation System. (Station level: user-interface, firewall, remote access, GPS and station bus; bay level: IED, relay and PMU; process level: process bus, actuator, circuit breaker, merging unit, CT and VT.)

It is crucial to protect the substation automation ICT against cyber intrusions, as a successful cyber attack can cause significant damage to the power grid. For instance, cyber attack A2 can disrupt time synchronization in the substation ICT network, and the operator(s) will lose the availability of substation communications. This paper is focused on cyber intrusions related to the multicast messages.

III. MULTICAST MESSAGES IN IEC 61850

Due to the real-time requirement of multicast messages in IEC 61850, e.g., GOOSE and SV, there are three communication stacks, i.e., the physical, data link and application layers. The Media Access Control (MAC) address is used for multicast messages [13]. GOOSE uses a re-transmission scheme (no response from the receiver) to achieve the appropriate level of communication speed and reliability. When a GOOSE server generates a "SendGOOSE Message" request, the current data set values are encoded in a GOOSE message and transmitted with varying time intervals. However, GOOSE re-transmission times differ between vendors, since the specific re-transmission interval is not defined in the IEC 61850 standards [14]. The GOOSE scheme uses recommended MAC addresses starting from 01-0C-CD-01-00-00. The sampled value messages are used for transmitting measured current and voltage values from a merging unit to protection IEDs. The resolution (bits) amplitude of SV for protection and control is defined in IEC 61850-5, e.g., 8 bits (P1 class), 16 bits (P2 class) and 32 bits (P3 class) [15]. The SV message counter is incremented each time a new SV packet is published. The SV scheme uses MAC addresses starting from 01-0C-CD-04-00-00.

IV. NETWORK-BASED INTRUSION DETECTION SYSTEM

A specification-based detection algorithm is used for the proposed network-based intrusion detection system. Specification-based detection refers to the identification of deviations from a correct behavior profile using predefined logical specifications. A specification-based IDS uses a whitelist approach. Training a whitelist-based IDS requires the identification of system data corresponding to normal or correct behaviors. The specification-based IDS then monitors the system activities to check for any violation that escapes the predefined system boundaries. A specification-based IDS is normally more accurate than other IDS algorithms, e.g., signature-based. However, a specification-based (whitelist) IDS has limitations. That is, it is often more difficult to train the system, relative to a blacklist-based IDS, as it requires a high-level understanding to define the logical specifications [16].

Fig. 3. Testbed for Cyber Security of the Substations.

Fig. 2. Specification-Based IDS Modules. (Network data from the substation ICT network enters the packet filtering module (GOOSE, SV), then the packet parser module, then the specification-based IDS module, which applies predefined logics, security constraints and alarm data; normal operation is written to event logs, violations to alarm logs, and IDS data (data violations, detected intrusions, event data) to shared memory, which the human machine interface (HMI) module reads.)

The proposed method provides a network-based anomaly detection algorithm for multicast messages in the substation automation network. Fig. 2 is an illustration of the proposed IDS. The packet filtering module receives all substation network packets from the ICT network. The filter only passes GOOSE and SV messages, so that the processing burden is reduced and the system performance increases. The packet parser module extracts the three communication stacks, i.e., physical, data link and application layer, of GOOSE and SV packets, and stores all extracted GOOSE and SV packets. They are sent to the main IDS module. The IDS module is used to find violations based on predefined rules and logic. After the intrusion detection module is completed, a network-based substation vulnerability index $V_n$ is defined by:

$$V_n = \begin{cases} 1, & \text{if } \beta_G = \text{true} \\ 1, & \text{if } \beta_{SV} = \text{true} \\ 0, & \text{otherwise,} \end{cases} \qquad (1)$$
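The packet filtering and packet parser modules above decide, from the link-layer header alone, whether a frame is GOOSE, SV or something to discard. The following is an added example (not the paper's C implementation) that shows that first stage: it keeps only frames whose destination MAC falls in the multicast ranges named in Section III (01-0C-CD-01-xx-xx for GOOSE, 01-0C-CD-04-xx-xx for SV) and pulls out the IEC 61850 header fields that the later rules consume. The EtherType values 0x88B8 (GOOSE) and 0x88BA (SV), the optional 802.1Q VLAN tag and the 8-byte APPID/Length/Reserved header layout are taken from IEC 61850-8-1 and 9-2, not from this page; all frames in the block are constructed test data, and a frame whose Length field claims more bytes than were captured is rejected rather than trusted.

```python
"""Packet filtering and header parsing for IEC 61850 multicast frames.

Added example, not code from the paper. Models the packet filtering and
packet parser modules of Fig. 2 for the link-layer part of the job.
EtherTypes, VLAN handling and the APPID/Length header layout are
assumptions from IEC 61850-8-1 / 9-2; the sample frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GOOSE_MAC_PREFIX = bytes.fromhex("010ccd01")  # 01-0C-CD-01-xx-xx (Section III)
SV_MAC_PREFIX = bytes.fromhex("010ccd04")     # 01-0C-CD-04-xx-xx (Section III)
ETHERTYPE_GOOSE = 0x88B8  # assumption: IEC 61850-8-1 EtherType, not stated on the page
ETHERTYPE_SV = 0x88BA     # assumption: IEC 61850-9-2 EtherType, not stated on the page
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag


@dataclass
class MulticastHeader:
    kind: str             # "GOOSE" or "SV"
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]
    appid: int
    length: int           # IEC 61850 Length field: APPID through end of APDU
    apdu: bytes           # application-layer PDU handed to the next stage


def _mac(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def parse_multicast_frame(frame: bytes) -> Optional[MulticastHeader]:
    """Return a MulticastHeader for a GOOSE or SV frame, None for anything else."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:          # skip an 802.1Q tag if present
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    # filter step: both the reserved multicast MAC range and the EtherType must agree
    if dst.startswith(GOOSE_MAC_PREFIX) and ethertype == ETHERTYPE_GOOSE:
        kind = "GOOSE"
    elif dst.startswith(SV_MAC_PREFIX) and ethertype == ETHERTYPE_SV:
        kind = "SV"
    else:
        return None
    if len(frame) < offset + 8:
        return None
    appid, length, _res1, _res2 = struct.unpack("!HHHH", frame[offset:offset + 8])
    # Length counts from APPID to the end of the APDU; a value larger than the
    # captured frame means a truncated or forged header, so drop the frame
    if length < 8 or offset + length > len(frame):
        return None
    apdu = frame[offset + 8:offset + length]
    return MulticastHeader(kind, _mac(dst), _mac(src), vlan_id, appid, length, apdu)


def filter_multicast(frames):
    """Packet filtering module: keep only parsable GOOSE/SV frames, in order."""
    return [h for h in (parse_multicast_frame(f) for f in frames) if h is not None]


def build_frame(dst, src, ethertype, appid, apdu, vlan_id=None):
    """Test helper that constructs a frame; not part of the IDS."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    hdr += struct.pack("!H", ethertype)
    return hdr + struct.pack("!HHHH", appid, 8 + len(apdu), 0, 0) + apdu


# constructed sample traffic: one GOOSE frame, one VLAN-tagged SV frame, one
# broadcast frame that must be filtered out, and one GOOSE frame cut short so
# that its Length field no longer matches the captured bytes
SRC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_frame(bytes.fromhex("010ccd010001"), SRC, ETHERTYPE_GOOSE, 0x0001, b"\x61\x02\x80\x00"),
    build_frame(bytes.fromhex("010ccd040002"), SRC, ETHERTYPE_SV, 0x4000, b"\x60\x02\x80\x00", vlan_id=5),
    build_frame(bytes.fromhex("ffffffffffff"), SRC, 0x0806, 0, b"\x00" * 4),
    build_frame(bytes.fromhex("010ccd010003"), SRC, ETHERTYPE_GOOSE, 0x0003, b"\x61\x02\x80\x00")[:-2],
]

if __name__ == "__main__":
    for h in filter_multicast(SAMPLE_FRAMES):
        print(h.kind, h.dst_mac, f"APPID=0x{h.appid:04X}", "vlan", h.vlan_id, "apdu", h.apdu.hex())
```

Checking the MAC range and the EtherType together matters: a frame that carries a GOOSE EtherType to a unicast or arbitrary multicast address, or the reserved GOOSE address with a different EtherType, is not a well-formed multicast message and should never reach the rule engine.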

where $\beta_G$ and $\beta_{SV}$ are the GOOSE network-based intrusion indicator and the SV network-based intrusion indicator, respectively. If any violation of GOOSE or SV security is detected, the corresponding intrusion indicator $\beta_G$ or $\beta_{SV}$ is set to true. Therefore, $V_n = 1$ indicates the existence of an intrusion based on GOOSE and SMV messages, whereas $V_n = 0$ indicates that there is no evidence of a multicast message based cyber intrusion. Table I gives example (predefined) security rules for the proposed network-based IDS. Based on IEC 61850 [15], the GOOSE state number $\alpha^G_{st,i}$ increases and the sequence number $\alpha^G_{sq,i}$ is set to 0 when the data status changes, where $i$ is the index of the captured message whose state and sequence numbers are compared in rule A of Table I. Hence, if the sequence number of a captured GOOSE message is not set to zero after the state has changed, the IDS detects an anomaly that is likely to be a packet modification or injection into the substation network by intruders. The GOOSE data violation indicator $\pi^G_{data}$ is then changed from 0 to 1. As explained in Section III, SV messages use different resolution (bits) amplitudes. As shown in rule B of Table I, if the total number $N^{SV}_{pkt,1sec}$ of SV packets within one second is higher than the SV threshold $\alpha^{SV}_{th}$, the IDS detects an anomaly that appears to be caused by a DoS attack on the substation network. The SV threshold violation indicator $\pi^{SV}_{th}$ is then changed from 0 to 1. The SV threshold is calculated by

$$\alpha^{SV}_{th} = \Big(\sum_{j=1}^{m} \alpha^{SV}_{sr,j} \times f_j\Big) \times \big(1 + \delta^{SV}_{me}\big), \qquad (2)$$


where $m$ is the total number of merging units, $\alpha^{SV}_{sr,j}$ is the resolution (bits) amplitude and $f_j$ is the frequency of the $j$-th merging unit, and $\delta^{SV}_{me}$ is a margin of error. In this study, $\delta^{SV}_{me}$ has been set to 20%. For instance, if there are 2 types of merging units using 60 Hz (e.g., P2 and P3 class), then the SV threshold $\alpha^{SV}_{th}$ is 3456. After all predefined logic and security constraints are considered, the IDS module reports normal operations to event logs, violations to alarm logs and all data to shared memory. A security operator can monitor IDS behaviors and activities using the HMI in a real-time environment.

TABLE I
EXAMPLES OF PREDEFINED SECURITY RULES FOR IDS

Type: GOOSE, rule (A), violation indicator $\pi^G_{data}$:
  if $\alpha^G_{data,i} \neq \alpha^G_{data,i+1}$ then
    if $\neg\big((\alpha^G_{st,i+1} > \alpha^G_{st,i}) \wedge (\alpha^G_{sq,i+1} == 0)\big)$ then
      $\pi^G_{data} = 1$; return
    else
      $\pi^G_{data} = 0$;
    end if
  end if

Type: SV, rule (B), violation indicator $\pi^{SV}_{th}$:
  if $N^{SV}_{pkt,1sec} > \alpha^{SV}_{th}$ then
    $\pi^{SV}_{th} = 1$; return
  else
    $\pi^{SV}_{th} = 0$;
  end if
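The two rules of Table I, the threshold of eq. (2) and the vulnerability index of eq. (1) are small enough to be implemented end to end. The block below is an added example, not the paper's C implementation: it assumes a parser has already decoded each GOOSE message into its data set values, state number and sequence number (the field names dataset, st_num and sq_num are the example's own), counts SV packets in a sliding one-second window, and reproduces the 3456 threshold for one P2 and one P3 merging unit at 60 Hz. The GOOSE stream and the SV timestamps are constructed: a legitimate state change (stNum 1 to 2 with sqNum reset) followed by a data change that keeps stNum and does not reset sqNum, and 3000 regularly spaced SV packets per second with a burst of 600 more squeezed into the same second.

```python
"""Rules A and B of Table I, eq. (2) and eq. (1) over decoded captures.

Added example, not the paper's implementation. Input records are assumed to
be already decoded by a packet parser; field names and sample data are
constructed for this example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class GooseRecord:
    dataset: tuple   # decoded data set values, alpha^G_data
    st_num: int      # state number, alpha^G_st
    sq_num: int      # sequence number, alpha^G_sq


def goose_rule_a(prev: GooseRecord, cur: GooseRecord) -> int:
    """Rule A: when the data set changes, stNum must increase and sqNum must
    restart at 0. Returns the violation indicator pi^G_data (1 = violation)."""
    if prev.dataset == cur.dataset:
        return 0
    consistent = cur.st_num > prev.st_num and cur.sq_num == 0
    return 0 if consistent else 1


def sv_threshold(merging_units: Iterable[Tuple[int, float]], margin_of_error: float = 0.20) -> float:
    """Eq. (2): alpha^SV_th = (sum_j alpha^SV_sr,j * f_j) * (1 + delta^SV_me).
    merging_units is a list of (resolution_bits, frequency_hz) pairs."""
    return sum(bits * freq for bits, freq in merging_units) * (1.0 + margin_of_error)


class SvRateMonitor:
    """Rule B: count SV packets seen in the last one second and compare the
    count against the threshold. feed() returns pi^SV_th for the packet just seen."""

    def __init__(self, threshold: float, window_s: float = 1.0):
        self.threshold = threshold
        self.window_s = window_s
        self._times: deque = deque()   # timestamps inside the current window

    def feed(self, t: float) -> int:
        self._times.append(t)
        while self._times and t - self._times[0] >= self.window_s:
            self._times.popleft()
        return 1 if len(self._times) > self.threshold else 0


def vulnerability_index(beta_g: bool, beta_sv: bool) -> int:
    """Eq. (1): V_n = 1 if either intrusion indicator is true, otherwise 0."""
    return 1 if (beta_g or beta_sv) else 0


def evaluate(goose_stream: List[GooseRecord], sv_times: List[float], threshold: float):
    """Run both rules over a capture; return (V_n, GOOSE violation indices,
    SV violation indices) so an operator can see which packets triggered."""
    goose_violations = [i for i in range(1, len(goose_stream))
                        if goose_rule_a(goose_stream[i - 1], goose_stream[i]) == 1]
    monitor = SvRateMonitor(threshold)
    sv_violations = [i for i, t in enumerate(sv_times) if monitor.feed(t) == 1]
    return (vulnerability_index(bool(goose_violations), bool(sv_violations)),
            goose_violations, sv_violations)


# constructed GOOSE capture: retransmissions, a legitimate trip (stNum 1 -> 2,
# sqNum reset to 0), then a data change without the reset (packet modification)
GOOSE_STREAM = [
    GooseRecord((False,), 1, 0), GooseRecord((False,), 1, 1), GooseRecord((False,), 1, 2),
    GooseRecord((True,), 2, 0),    # legitimate state change
    GooseRecord((True,), 2, 1),
    GooseRecord((False,), 2, 2),   # data changed, stNum unchanged, sqNum not reset
]

# constructed SV timing: 3000 evenly spaced packets in one second plus a burst of
# 600 packets one microsecond apart starting at t = 0.5 s (DoS-like)
SV_TIMES = sorted([i / 3000.0 for i in range(3000)] + [0.5 + i * 1e-6 for i in range(600)])

if __name__ == "__main__":
    th = sv_threshold([(16, 60), (32, 60)])   # P2 and P3 class MU at 60 Hz -> 3456
    v_n, goose_hits, sv_hits = evaluate(GOOSE_STREAM, SV_TIMES, th)
    print("SV threshold:", th)
    print("V_n =", v_n, "GOOSE violations at", goose_hits, "SV violations from index", sv_hits[:1])
```

The sliding window is what makes rule B usable on a live capture: a fixed one-second bucket would let a burst straddling a bucket boundary stay under the threshold in both buckets, while the window counts every packet of the last second regardless of where the burst starts.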

V. SIMULATION RESULTS

A. Testbed

A testbed has been developed at WSU to perform different types of cyber intrusions and analyze the effectiveness of the proposed detection and mitigation techniques in a realistic substation environment. The testbed is illustrated in Fig. 3. In this paper, several types of cyber attacks have been generated on the testbed for validation of the proposed anomaly detection algorithms, e.g., replay, packet modification, injection, generation and DoS.

Fig. 4. Network-Based Intrusion Detection System.

B. Network-Based Intrusion Detection Results

The proposed network-based intrusion detection algorithms are implemented in the C language. C++ has been used for the IDS HMI in order to test real-time intrusion detection and alarms to the substation operator. As shown in Fig. 4, the circuit breaker subscribes to GOOSE messages generated from the IEDs. IED C subscribes to SV messages from the merging unit IED. Freely available software tools are used for all intrusion processes, e.g., Wireshark, Colasoft Packet Builder, and Nmap. Table II shows the consequences of GOOSE and SV based attacks without an IDS.

TABLE II
CONSEQUENCE OF GOOSE AND SV BASED MALICIOUS BEHAVIORS WITHOUT AN INTRUSION DETECTION SYSTEM

| Protocol | Intrusions                    | Results                   |
|----------|-------------------------------|---------------------------|
| GOOSE    | Replay attack                 | Open CB                   |
| GOOSE    | Modify transferred time       | Warning occurred at CB    |
| GOOSE    | Modify GOOSE control data     | Open CB                   |
| GOOSE    | Denial of Service attack      | Lost availability of IED  |
| GOOSE    | Generate GOOSE control data   | Open CB                   |
| SV       | Increase measured values      | Open CB                   |
| SV       | Modify SMV dataset            | Warning occurred at IED   |
| SV       | Denial of Service attack      | Lost availability of IED  |
| SV       | Generate SMV data             | Open CB                   |

Table II shows the different types of GOOSE and SV based attacks that are simulated in this study. A P2 class (16 bits) merging unit has been used, and simulated data from power system simulation tools are used as input to the merging unit. The simulation is performed under different packet delays, e.g., 1, 10, 20 and 30 [msec], since the delay between SV packets of a P2 class merging unit is approximately 1 [msec]. The false negative ratio (FNR) is defined as the number of misclassified abnormal packets divided by the total number of abnormal packets. Fig. 5 shows the mean value of FNR for each test case: (a) 1 ms: $7.72 \times 10^{-4}$, (b) 10 ms: $5.91 \times 10^{-4}$, (c) 20 ms: $3.05 \times 10^{-4}$ and (d) 30 ms: $2.29 \times 10^{-4}$, respectively. The FNR performance of the proposed network-based intrusion detection system depends on the delay between packets. This is due to the fact that the IDS may lose packets when the interval between packets is too small.

Fig. 5. False Negative Ratio (FNR) with Different Packet Delays: (a) 1 [msec], (b) 10 [msec], (c) 20 [msec], (d) 30 [msec].

The false positive ratio (FPR) is defined as the number of misclassified normal packets divided by the total number of normal packets. As shown in Fig. 6, the mean values of FPR for each test case are (e) 1 ms: $4.66 \times 10^{-4}$, (f) 10 ms: $3.64 \times 10^{-4}$, (g) 20 ms: $2.0 \times 10^{-4}$ and (h) 30 ms: $1.61 \times 10^{-4}$, respectively.


Fig. 6. False Positive Ratio (FPR) with Different Packet Delays: (a) 1 [msec], (b) 10 [msec], (c) 20 [msec], (d) 30 [msec].

The IEEE 39-bus system is used to evaluate detection of simultaneous attacks at multiple substations. The simulation starts at time 0 with a normal operating condition. Then cyber attacks are carried out at times 5, 10 and 15 with different attack methods and locations, respectively.

TABLE III
SIMULTANEOUS ATTACK RESULT TO IEEE 39 BUS SYSTEM

| Time (second) | Target substations | Attack method                        | IDS operation result               |
|---------------|--------------------|--------------------------------------|------------------------------------|
| 5             | 2, 25, 30, 37      | GOOSE packet replay                  | Detected/Alarm (trip)              |
| 10            | 24, 28             | Generate SMV packets                 | Detected/Alarm (high current value)|
| 15            | 29, 38             | Generate GOOSE control data packets  | Detected/Alarm                     |

The proposed IDS successfully identifies the location of targeted substations and type of attack methods as shown in Table III.

VI. CONCLUSION

This paper provides a network-based intrusion detection system for a single substation, and simultaneous intrusion detection at multiple substations. The proposed IDS can detect malicious behaviors that are related to multicast messages in the substation network. The simultaneous intrusion detection monitoring method is able to detect the same type of attacks on multiple substations and their locations. The methods have been validated with realistic intrusion scenarios using the testbed, e.g., replay, modification, man-in-the-middle, generation, and DoS. For future work, the network-based anomaly detection algorithm needs to be updated periodically, since it is not able to detect unknown attacks that are not defined in the algorithm. Also, it will be useful to include more substation automation communication protocols, e.g., MMS and SNTP based anomalies.

VII. REFERENCES

[1] CRO Forum, "Power Blackout Risks: Risk Management Options," Emerging Risk Initiative - Position Paper, Nov. 2011. [Online]. Available: https://www.allianz.com/v_1339677769000/media/responsibility/documents/position_paper_power_blackout_risks.pdf
[2] M. Kezunovic, "Smart Fault Location for Smart Grids," IEEE Trans. Smart Grid, vol. 2, no. 1, pp. 11-22, Mar. 2011.
[3] J.-W. Wang and L.-L. Rong, "Cascade-Based Attack Vulnerability on the US Power Grid," Safety Science, vol. 47, no. 10, pp. 1332-1336, Dec. 2009.
[4] S. Sridhar, A. Hahn, and M. Govindarasu, "Cyber-Physical System Security for the Electric Power Grid," IEEE Proc., vol. 100, no. 1, pp. 210-224, Jan. 2012.
[5] C.-C. Liu, A. Stefanov, J. Hong, and P. Panciatici, "Intruders in the Grid," IEEE Power Energy Magazine, vol. 10, no. 1, pp. 58-66, Jan. 2012.
[6] J. McGhee and M. Goraj, "Smart High Voltage Substation Based on IEC 61850 Process Bus and IEEE 1588 Time Synchronization," IEEE Smart Grid Communications (SmartGridComm), pp. 489-494, Oct. 2010.
[7] Power Systems Management and Associated Information Exchange - Data and Communications Security, IEC TS 62351-1 Standard, Part 1: Communication Network and System Security - Introduction to Security Issues, May 2007, 1st ed.
[8] U.-K. Premaratne, J. Samarabandu, T.-S. Sidhu, R. Beresh, and J.-C. Tan, "An Intrusion Detection System for IEC 61850 Automated Substations," IEEE Trans. Power Del., vol. 25, no. 4, pp. 2376-2383, Oct. 2010.
[9] T. Morris and K. Pavurapu, "A Retrofit Network Transaction Data Logger and Intrusion Detection System for Transmission and Distribution Substations," IEEE International Conference on Power and Energy (PECon), pp. 958-963, Nov. 2010.
[10] C.-W. Ten, J. Hong, and C.-C. Liu, "Anomaly Detection for Cybersecurity of the Substations," IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 865-873, Dec. 2011.
[11] J. Hong, C.-C. Liu, and M. Govindarasu, "Integrated Anomaly Detection for Cyber Security of the Substations," approved for publication in IEEE Trans. Smart Grid, 2013.
[12] Communication Networks and Systems in Substations, IEC 61850-1 Standard: Introduction and Overview, Apr. 2003, 1st ed.
[13] Specific Communication Service Mapping (SCSM), IEC 61850-9-2 Standard: Sampled Values over ISO/IEC 8802-3, Apr. 2004, 1st ed.
[14] Specific Communication Service Mapping (SCSM), IEC 61850-8-1 Standard: Mapping to MMS (ISO/IEC 9506-1 and ISO/IEC 9506-2), May 2004, 1st ed.
[15] Communication Networks and Systems in Substations, IEC 61850-5 Standard: Communication Requirements for Functions and Device Models, July 2003, 1st ed.
[16] R. Berthier, W. H. Sanders, and H. Khurana, "Intrusion Detection for Advanced Metering Infrastructures: Requirements and Architectural Directions," IEEE International Conference on Smart Grid Communications (SmartGridComm), pp. 350-355, Oct. 2010.

VIII. BIOGRAPHIES

Junho Hong (S'08) received his BSEE and MSEE from Myongji University, Korea, in 2008 and 2010, respectively. He is pursuing his Ph.D. at Washington State University. His research interests include cyber-physical security of EMS/DMS/AMI systems, substation automation, and power system restoration.

Chen-Ching Liu (F'94) is Boeing Distinguished Professor at Washington State University and Professor of Power Systems at University College Dublin, Ireland. He was Palmer Chair Professor at Iowa State University and a Professor of EE at the University of Washington. Dr. Liu served as Chair of the IEEE PES Technical Committee on Power System Analysis, Computing and Economics (PSACE). He is a Fellow of the IEEE.

Manimaran Govindarasu (SM'10) is a Professor in Electrical and Computer Engineering at Iowa State University. His expertise is in the areas of real-time systems, cyber security, and cyber-physical systems security of power grids. He co-authored "Resource Management in Real-Time Systems and Networks," MIT Press, 2001. He is chairing the Cyber Security Task Force of the IEEE PES CAMS Subcommittee.