Using Existing IEC 61850 GOOSE and Sampled Values Features for Intrusion Detection
Cyber security has been one of the main concerns of our industry for more than a decade as a result of the increased dependence of protection, automation and control systems on communications. With the trend to transition into fully digital substations in the future, all functions in the substation may become targets of cyber-attacks. The recently released information about extremely sophisticated malware, probably developed by nations and not hackers and targeting critical infrastructures, requires a look into our abilities to detect intrusions and prevent undesired operation of substation equipment based on the functionality of IEC 61850 based digital substations and the proper processing of GOOSE and sampled values messages. The paper first analyses possible actions of a cyber-attacker who may have been able to penetrate the cyber protection. Considering the use of multicast filtering required by the standard and the configuration of the communications between the IEDs based on an engineering process using substation configuration language files, the paper analyses what possibilities the cyber-attacker has without access to any of the configuration files.
The following threats are considered:
· Blocked or delayed flow of information through substation protection, automation and control system networks (SPACS), which could disrupt its operation
· Unauthorized changes to settings, commands, or alarm thresholds, which could damage, disable, or shut down substation equipment, create environmental impacts, and/or endanger human life
· Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects on the electric power system
· SPACS software or configuration settings modified, or software infected with malware, which could have various negative effects
· Interference with the operation of safety systems, which could endanger human life.
Then it discusses the features of IEC 61850 GOOSE and sampled values messages from the point of view of how they can be used to support the ability to detect intrusions and prevent any of the above listed threats. The mechanisms for processing of GOOSE messages are discussed with special attention given to the state numbers, sequence numbers and the time stamp. The impact of the transfer time from the attacker’s computer to the substation IED is also analyzed. The need for processing of all relevant information by the multifunctional IEC 61850 based IED in order to prevent an undesired operation is discussed. The possibility for implementation of IEC 61850 GOOSE based intrusion detection functions in a substation level monitoring application is later described. The impact of the substation communications architecture and the use of multicast filtering on such implementation is then analyzed. The mechanisms for processing of sampled values messages are later discussed with special attention given to the sample counter values. The impact of the transfer time from the attacker’s computer to the substation IED is also analyzed.
Alexander Apostolov
OMICRON electronics USA
International conference
Annual Meeting and Colloquium of the CIGRE Study Committee on Protection and Automation
Nanjing
English
1-11
2015-09-20 (date first posted online on the Wanfang platform; does not represent the paper's publication date)