Network And System Management Using IEC 62351-7 In IEC .


Network and System Management using IEC 62351-7 in IEC 61850 Substations: Design and Implementation
Chantale Robillard
A Thesis in The Department of Concordia Institute for Information Systems Engineering (CIISE)
Presented in Partial Fulfillment of the Requirements for the Degree of Master of Applied Science (Information Systems Security) at Concordia University
Montréal, Québec, Canada
December 2018
© Chantale Robillard, 2018

CONCORDIA UNIVERSITY
School of Graduate Studies
This is to certify that the thesis prepared
By: Chantale Robillard
Entitled: Network and System Management using IEC 62351-7 in IEC 61850 Substations: Design and Implementation
and submitted in partial fulfillment of the requirements for the degree of
Master of Applied Science (Information Systems Security)
complies with the regulations of this University and meets the accepted standards with respect to originality and quality.
Signed by the Final Examining Committee:
Chair: Dr. Jun Yan
External Examiner: Dr. Yan Liu
Examiner: Dr. Chadi Assi
Supervisor: Dr. Mourad Debbabi
Co-supervisor: Dr. Aiman Hanna
Approved by Abdessamad Ben Hamza, Director
Concordia Institute for Information Systems Engineering (CIISE)
2019
Amir Asif, Dean
Gina Cody School of Engineering and Computer Science

Abstract
Network and System Management using IEC 62351-7 in IEC 61850 Substations: Design and Implementation
Chantale Robillard
Substations are a prime target for threat agents aiming to disrupt the power grid’s operation. With the advent of the smart grid, the power infrastructure is increasingly being coupled with an Information and Communication Technologies (ICT) infrastructure needed to manage it, exposing it to potential cyberattacks. In order to secure the smart grid, the IEC 62351 specifies how to provide cybersecurity to such an environment. Among its specifications, IEC 62351-7 states to use Network and System Management (NSM) to monitor and manage the operation of power systems. In this research, we aim to design, implement, and study NSM in a digital substation as per the specifications of IEC 62351-7. The substation is one that conforms to the IEC 61850 standard, which defines how to design a substation leveraging ICT. Our contributions are as follows. We contribute to the design and implementation of NSM in a smart grid security co-simulation testbed. We design a methodology to elaborate cyberattacks targeting IEC 61850 substations specifically. We elaborate detection algorithms that leverage the NSM Data Objects (NSM DOs) of IEC 62351-7 to detect the attacks designed using our method. We validate these experimentally using our testbed. From this work, we can provide an initial assessment of NSM within the context of digital substations.

Acknowledgments
I would like to thank my supervisors Dr. Mourad Debbabi and Dr. Aiman Hanna for giving me the opportunity to work on this master’s degree. I have learned much about cybersecurity and academic research from them and am forever grateful. I would also like to thank Dr. Marthe Kassouf from the Hydro-Québec Research Institute for her guidance during my research on topics such as the security monitoring of digital substations, as well as the design and implementation of NSM and IEC 62351-7.
I also want to thank everyone that helped me while working on this thesis. This includes everyone at the cybersecurity lab. Special thanks go to Mark Karanfil, Abdullah Albarakati, and Dr. Rachid Hadjidj for their help with building and using NSM in the co-simulation testbed. This work would not have been complete without it. I would like to express my gratitude to Dr. Alf Zugenmaier, as our initial discussions inspired me in elaborating the methodology I propose in this thesis, and to Suo Tan, for providing an easy-to-use template to write the thesis itself.
Finally, I would like to thank my family and my partner for their support while working on my degree. I especially wish to thank my parents, who have always encouraged me to study my passion in computer science.

Contents
List of Figures
List of Tables
List of Acronyms
1 Introduction
  1.1 Motivations
  1.2 Contributions
  1.3 Thesis Organization
2 Background
  2.1 Cybersecurity Goals and Cyberattacks
    2.1.1 Authentication
    2.1.2 Authorization
    2.1.3 Confidentiality
    2.1.4 Integrity
    2.1.5 Availability
    2.1.6 Non-repudiation
  2.2 Smart Grid and Potential Threats
    2.2.1 Overview of the Smart Grid
    2.2.2 Threats to the Smart Grid
  2.3 IEC 61850: Standard for the Digital Substation
    2.3.1 Substation Architecture
    2.3.2 Information Model and Abstract Communication Service Interface
    2.3.3 Application Protocols and Specific Communication Service Mapping
  2.4 Simple Network Management Protocol
    2.4.1 Management Information Bases and Objects
    2.4.2 Messages Available
    2.4.3 Security
  2.5 IEC 62351: Standard for Cybersecurity of Power Systems
    2.5.1 IEC 62351-1: Introduction to the Cybersecurity Standard
    2.5.2 IEC 62351-3: Security for TCP Using Transport Layer Security
    2.5.3 IEC 62351-4: Security Extensions for MMS T-Profile and A-Profile
    2.5.4 IEC 62351-6: Security Extensions for GOOSE and SV
  2.6 IEC 62351-7: Network and System Management (NSM)
    2.6.1 Objectives of IEC 62351-7
    2.6.2 Differences between Editions
    2.6.3 NSM Data Objects Overview
    2.6.4 NSM Data Objects as SNMP MIBs
3 Related Work
  3.1 Security Assessment of IEC Standards
    3.1.1 Known Attacks on IEC 61850 Substations without IEC 62351
    3.1.2 Security Evaluation of IEC 62351
  3.2 Automated Protocol Analysis
    3.2.1 Fuzz Testing
    3.2.2 Formal Methods
  3.3 Study of Network and System Management and IEC 62351-7
    3.3.1 Design of Network and System Management Solution
    3.3.2 Implementations and Applications of Network and System Management
  3.4 Smart Grid Models and Testbeds
    3.4.1 Network Simulation Tools
    3.4.2 Co-simulation Testbeds
  3.5 Intrusion Detection Techniques
    3.5.1 Detection Using Simple Network Management Protocol
    3.5.2 Detection Using IEC 61850 or Industrial Control Systems Traffic
4 Network and System Management in the Digital Substation
  4.1 Overview of Network and System Management and IEC 62351-7
    4.1.1 Objectives of IEC 62351-7
    4.1.2 Capabilities in IEC 61850 Substation
  4.2 Design of Network and System Management
    4.2.1 Protocol Selection
    4.2.2 Addition of Components
  4.3 Implementation in Co-simulation Testbed
    4.3.1 Co-simulation Smart Grid Security Testbed
    4.3.2 Components for Network and System Management
  4.4 Real-time Data Collection and Detection
    4.4.1 Updating Data in NSM Agents
    4.4.2 NSM Manager Polling
    4.4.3 Detection Engine
5 Security Assessment of Network and System Management
  5.1 Classification of Cyberattacks Targeting Substation
    5.1.1 Definition of Attacker’s Objective
    5.1.2 Elaboration of Capabilities Available to Attacker
    5.1.3 Study of Denial-of-Service Attacks
    5.1.4 Denial-of-Service Attacks in IEC 61850 Substation
  5.2 Elaboration of Attack Trees for IEC 61850 Substation
    5.2.1 Description of Target Substation
    5.2.2 Description of Attack Trees
    5.2.3 Attack Tree: Prevent Tripping Breakers to Damage Equipment
    5.2.4 Attack Tree: Tripping Breakers Unnecessarily to Cause Blackout
    5.2.5 Sub-trees
  5.3 Design of Attacks on GOOSE, SV and MMS Protocols
    5.3.1 Overall Methodology to Design Cyberattacks on Communication Protocols
    5.3.2 Methodology to Design DoS Attacks on GOOSE and SV Protocols
    5.3.3 Design of Attacks on GOOSE Protocol
    5.3.4 Design of Attacks on SV Protocol
    5.3.5 Design of Attacks on IEC 61850 MMS Protocol
  5.4 Attack Execution in Co-simulation Testbed
    5.4.1 Selection of Attacks to Execute
    5.4.2 Execution of Attack in Testbed
  5.5 Detection of Attack Using NSM Data Objects
    5.5.1 Rule-based Detection for GOOSE and SV
    5.5.2 Anomaly Detection for GOOSE and SV
    5.5.3 Detection for MMS
    5.5.4 Attacks without Relevant NSM Data Objects
  5.6 Results
    5.6.1 Attacks Detected
    5.6.2 Attacks Not Detected
    5.6.3 Discussion
  5.7 Recommendations for Network and System Management
    5.7.1 Addition of Select NSM Data Objects
    5.7.2 Limitations of NSM Solution
6 Conclusion
  6.1 Limitations and Future Work
Bibliography

List of Figures
Figure 2.1 Example substation D2-1 according to IEC 61850 [20]
Figure 2.2 Example substation D2-1 with communication network [21]
Figure 2.3 Example communication network for simplified substation D2-1 with distinct station and process buses
Figure 2.4 Application protocols used in IEC 61850 and their related standards
Figure 2.5 UML packages for NSM DOs defined by IEC 62351-7
Figure 2.6 SNMP OIDs for the packages defined for IEC 62351-7 NSM DOs
Figure 3.1 Overview of topics covered in related work
Figure 3.2 Security monitoring architecture with NSM according to IEC 62351-7 [8]
Figure 3.3 Overview of existing work done on NSM and IEC 62351-7
Figure 4.1 Overall design of NSM
Figure 4.2 Example communication network for simplified substation D2-1 with NSM components
Figure 4.3 Transmission system line diagram as shown in HYPERSIM
Figure 4.4 Zoom in on IEDs of interest as shown in HYPERSIM interface
Figure 4.5 OpenStack network used for communications in HYPERSIM
Figure 4.6 HYPERSIM interface to view status of breakers during a simulation
Figure 4.7 HYPERSIM interface to view stNum and sqNum values during a simulation
Figure 4.8 Design of proxy NSM agent
Figure 4.9 Kibana interface used to view anomaly alerts from NSM
Figure 5.1 Categories of DoS attacks.
Figure 5.2 Substation architecture considered when constructing attack trees
Figure 5.3 Attack tree to damage equipment by preventing trip commands from reaching CBs
Figure 5.4 Attack tree to cause a blackout by tripping CBs unnecessarily.
Figure 5.5 Attack tree to gain access to the substation network.
Figure 5.6 Web application used to toggle attacks in MitM switch
Figure 5.7 HYPERSIM interface showing divergence of sqNum values during GOOSE delay attack (G14)
Figure 5.8 HYPERSIM interface showing physical impact of GOOSE delay attack (G14)

List of Tables
Table 2.1 Message types defined in IEC 61850
Table 2.2 Types of traffic usually found in IEC 61850 substation
Table 2.3 Fields in GOOSE PDUs and their meaning
Table 2.4 Fields in SV PDUs and their meaning
Table 2.5 Fields in SV ASDUs and their meaning
Table 3.1 Vulnerabilities and issues in IEC 61850 and IEC 62351 identified in previous work
Table 3.2 Comparison of previous work on detection techniques
Table 4.1 NSM capabilities for monitoring GOOSE
Table 4.2 NSM capabilities for monitoring SV
Table 4.3 NSM capabilities for monitoring MMS
Table 4.4 NSM DOs of IEC 62351-7 implemented for the devices on the testbed
Table 4.5 MIBs outside of IEC 62351-7 implemented for the devices on the testbed
Table 5.1 Attacker capabilities on hosts and networks
Table 5.2 Cyberattacks against network communications and what they affect
Table 5.3 DoS conditions for GOOSE based on IEC standards
Table 5.4 Variables used in DoS conditions for GOOSE
Table 5.5 DoS attacks on GOOSE and their requirements
Table 5.6 DoS conditions for SV based on IEC standards
Table 5.7 Variables used in DoS conditions for SV
Table 5.8 DoS attacks on SV and their requirements
Table 5.9 General attacks on MMS and their requirements
Table 5.10 Results of tests on GOOSE ran on testbed
Table 5.11 Results of tests on SV ran on testbed
Table 5.12 DoS conditions for GOOSE and their applicability to the testbed
Table 5.13 DoS conditions for SV and their applicability to the testbed
Table 5.14 NSM DOs to be used to detect attacks on MMS
Table 5.15 Attacks on GOOSE and SV to run on the testbed

List of Acronyms
ACSE Association Control Service Element
ACSI Abstract Communication Service Interface
AES Advanced Encryption Standard
AMI Advanced Metering Infrastructure
APDU Application Protocol Data Unit
ARP Address Resolution Protocol
ASDU Application Service Data Unit
ASN.1 Abstract Syntax Notation One
BER Basic Encoding Rules
CAM Content Addressable Memory
CB Circuit Breaker
CBC Cipher Block Chaining
CFS Correlation based Feature Selection
CNN Convolution Neural Network
CNN-LSTM Convolutional Neural Network-Long Short-Term Memory
CPN Colored Petri Net
CPU Central Processing Unit
CRL Certificate Revocation List
CT Current Transformer
DA Data Attribute
DCU Data Concentrator Unit
DGM Distribution Grid Management
DER Distributed Energy Resource
DES Data Encryption Standard
DES Discrete Event Simulation
DMS Distribution Management System
DNP3 Distributed Network Protocol
DNP3-SA DNP3 Secure Authentication
DNS Domain Name System
DO Data Object
DoS Denial-of-Service
DDoS Distributed Denial-of-Service
DPI Deep Packet Inspection
DHE Diffie-Hellman Ephemeral
DRDoS Distributed Reflected Denial-of-Service
DHCP Dynamic Host Configuration Protocol
EM Expectation Maximization
EOL end-of-life
EPRI Electric Power Research Institute
FTP File Transfer Protocol
GOOSE Generic Object Oriented Substation Event
GPS Global Positioning System
GRU Gated Recurrent Units
GSE Generic Substation Event
GSSE Generic Substation State Event
HMAC Hashed Message Authentication Code
HSR High-availability Seamless Redundancy
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
ICS Industrial Control System
ICT Information and Communication Technologies
ID Intrusion Detection
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IED Intelligent Electronic Device
IEEE Institute of Electrical and Electronics Engineers
IoT Internet of Things
IP Internet Protocol
I-RNN Identity-Recurrent Neural Network
ISEAGE Internet-Scale Event and Attack Generation Environment
ISO International Organization for Standardization
IT Information Technology
LAN Local Area Network
LD Logical Device
LN Logical Node
LOF Local Outlier Factor
LPT Large Power Transformer
LSTM Long Short-Term Memory
MAC Media Access Control
MAC Message Authentication Code
MBR Master Boot Record
MD5 Message Digest 5
MIB Management Information Base
MitM Man-in-the-Middle
MMS Manufacturing Message Specification
MU Merging Unit
NSTB National SCADA Testbed
NERC North American Electric Reliability Corporation
NESCOR National Electric Sector Cybersecurity Organization Resource
NIST National Institute of Standards and Technology
NMS Network Management Station
NSM Network and System Management
NSM DO NSM Data Object
OCSP Online Certificate Status Protocol
OID Object Identifier
OS Operating System
OSI Open Systems Interconnection
OT Operations Technology
OWASP Open Web Application Security Project
P2P peer-to-peer
PMU Phasor Measurement Unit
P&C Protection and
