Mohamed F. Elrawy,Camilla Fioravanti,Gabriele Oliva,Maria K. Michael,Roberto Setola

DOI: https://doi.org/10.1109/access.2024.3361753

IF: 3.9

2024-02-10

IEEE Access

Abstract:Smart grid technology drives economic and social development but raises vulnerability to cyber threats due to digital substations' growing reliance. To counter these risks, recent updates to communication standards, including encryption and authentication processes, have been integrated into the infrastructure. Notably, adhering to the IEC 62351 standard governing the GOOSE protocol for substation communication faces practical challenges due to conflicting time requirements with traditional security procedures. In this paper, we present an innovative geometric approach for GOOSE message authentication and encryption. Utilizing vector coordinate shifts, our method exhibits efficiency and speed of implementation, ensuring compliance with the protocol's stringent time constraints. Importantly, unlike other approaches in the literature, our technique has the potential to be easily applicable and effective for a wide range of infrastructures without requiring the use or addition of specific hardware components or changes to the GOOSE message format, while guaranteeing high performances and computational simplicity. The paper is complemented by a simulation campaign on a digital substation model, assessing the approach's performance and its efficacy in countering cyber threats.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mansi Girdhar,Junho Hong,Wencong Su,Akila Herath,Chen-Ching Liu

2024-03-08

Abstract:In recent years, critical infrastructure and power grids have experienced a series of cyber-attacks, leading to temporary, widespread blackouts of considerable magnitude. Since most substations are unmanned and have limited physical security protection, cyber breaches into power grid substations present a risk. Nowadays, software-defined network (SDN), a popular virtual network technology based on the OpenFlow protocol is being widely used in the substation automation system. However, the susceptibility of SDN architecture to cyber-attacks has exhibited a notable increase in recent years, as indicated by research findings. This suggests a growing concern regarding the potential for cybersecurity breaches within the SDN framework. In this paper, we propose a hybrid intrusion detection system (IDS)-integrated SDN architecture for detecting and preventing the injection of malicious IEC 61850-based generic object-oriented substation event (GOOSE) messages in a digital substation. Additionally, this program locates the fault's location and, as a form of mitigation, disables a certain port. Furthermore, implementation examples are demonstrated and verified using a hardware-in-the-loop (HIL) testbed that mimics the functioning of a digital substation.

Cryptography and Security,Computers and Society

Suleman Ashraf,Mohammad H Shawon,Haris M Khalid,S M Muyeen

DOI: https://doi.org/10.3390/s21196415

2021-09-26

Abstract:The generation of the mix-based expansion of modern power grids has urged the utilization of digital infrastructures. The introduction of Substation Automation Systems (SAS), advanced networks and communication technologies have drastically increased the complexity of the power system, which could prone the entire power network to hackers. The exploitation of the cyber security vulnerabilities by an attacker may result in devastating consequences and can leave millions of people in severe power outage. To resolve this issue, this paper presents a network model developed in OPNET that has been subjected to various Denial of Service (DoS) attacks to demonstrate cyber security aspect of an international electrotechnical commission (IEC) 61850 based digital substations. The attack scenarios have exhibited significant increases in the system delay and the prevention of messages, i.e., Generic Object-Oriented Substation Events (GOOSE) and Sampled Measured Values (SMV), from being transmitted within an acceptable time frame. In addition to that, it may cause malfunction of the devices such as unresponsiveness of Intelligent Electronic Devices (IEDs), which could eventually lead to catastrophic scenarios, especially under different fault conditions. The simulation results of this work focus on the DoS attack made on SAS. A detailed set of rigorous case studies have been conducted to demonstrate the effects of these attacks.

Ghada Elbez,Klara Nahrstedt,Veit Hagenmeyer

DOI: https://doi.org/10.1109/tsg.2023.3272749

IF: 10.275

2024-01-01

IEEE Transactions on Smart Grid

Abstract:The requirements for the security of the network communication in critical infrastructures have been more focused on the availability of the data rather than the integrity and the confidentiality. The availability of communication in IEC 61850 substations can be hindered by Generic Object Oriented Substation Event (GOOSE) poisoning attacks that might result in threats such as Denial of Service (DoS) or flooding attacks. In order to accurately detect similar attacks, a novel method for the Early Detection of Attacks for GOOSE Network Traffic (EDA4GNeT) is developed in the present work. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. A mathematical modeling of GOOSE network traffic is adopted for the anomaly detection based on statistical hypothesis testing. The developed mathematical model of the communication traffic can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with related works found in the literature, a simulation of a DoS attack against a 66/11kV substation with several experiments is used as a case study.

engineering, electrical & electronic

Longhua Guo,Mianxiong Dong,Kaoru Ota,Jun Wu,Jianhua Li

DOI: https://doi.org/10.1109/GLOCOM.2016.7841519

2016-01-01

Abstract:With the rapid growth of the Internet, the current TCP/IP based network cannot well satisfy the requirements such as scalable content distribution, mobility, security and so on. The new networking architectures which aren't based on TCP/IP have been a trade of next generation networking such as Information-Centric Networking (ICN). In smart grid, parts of communication protocol in IEC 61850 are also not based on TCP/IP architecture such as Sampled Value (SV) and Generic Object-Oriented Substation Event (GOOSE). IEC 61850 based smart substation employing wireless network has significantly improved the interoperability and interconnection of substation devices. However, with the amount and openness growth of Intelligent Electronic Devices (IED) nodes, these changes introduce new efficiency, reliability and security challenges especially in wireless network. The strict time requirement has limited the use of heavyweight security protocols to fight against cyber-attacks. To address these issues, a name-based security mechanism using ICN is proposed for the non TCP/IP based SV and GOOSE communication. Publish/subscribe (pub/sub) based access control and lightweight encryption algorithm are utilized to secure the decentralized large-scale smart grid data sharing. The results show the proposed mechanism is secure and efficient for IEC 61850 communication employing wireless network.

Oscar A. Tobar-Rosero,Omar A. Roa-Romero,Germán D. Rueda-Carvajal,Alexánder Leal-Piedrahita,Juan F. Botero-Vega,Sergio A. Gutierrez-Betancur,John W. Branch-Bedoya,Germán D. Zapata-Madrigal

DOI: https://doi.org/10.3390/en17236098

IF: 3.2

2024-12-04

Energies

Abstract:Cybersecurity in Critical Infrastructures, especially Digital Substations, has garnered significant attention from both the industrial and academic sectors. A commonly adopted approach to support research in this area involves the use of datasets, which consist of network traffic samples gathered during the operation of an infrastructure. However, creating such datasets from real-world electrical systems presents some challenges: (i) These datasets are often generated under controlled or idealized conditions, potentially overlooking the complexities of real-world operations within a digital substation; (ii) the captured data frequently contain sensitive information, making it difficult to share openly within the research community. This paper presents the creation of a new dataset aimed at advancing cybersecurity research, specifically focused on GOOSE spoofing attacks, given the crucial role of the GOOSE protocol in managing operational and control tasks within Digital Substations. The dataset highlights the real-world impacts of these attacks, demonstrating the execution of unintended operations under different operational scenarios, including both stable conditions and situations involving system failures. The data were collected from a laboratory testbed that replicates the actual functioning of a real digital substation with two bays. The experiments provided insights into key characteristics of GOOSE protocol traffic and the vulnerability of DS infrastructure to Spoofing Attacks.

energy & fuels

Ömer Sen,Dennis van der Velde,Sebastian N. Peters,Martin Henze

DOI: https://doi.org/10.48550/arXiv.2110.02040

2021-10-05

Abstract:While the digitization of power distribution grids brings many benefits, it also introduces new vulnerabilities for cyber-attacks. To maintain secure operations in the emerging threat landscape, detecting and implementing countermeasures against cyber-attacks are paramount. However, due to the lack of publicly available attack data against Smart Grids (SGs) for countermeasure development, simulation-based data generation approaches offer the potential to provide the needed data foundation. Therefore, our proposed approach provides flexible and scalable replication of multi-staged cyber-attacks in an SG Co-Simulation Environment (COSE). The COSE consists of an energy grid simulator, simulators for Operation Technology (OT) devices, and a network emulator for realistic IT process networks. Focusing on defensive and offensive use cases in COSE, our simulated attacker can perform network scans, find vulnerabilities, exploit them, gain administrative privileges, and execute malicious commands on OT devices. As an exemplary countermeasure, we present a built-in Intrusion Detection System (IDS) that analyzes generated network traffic using anomaly detection with Machine Learning (ML) approaches. In this work, we provide an overview of the SG COSE, present a multi-stage attack model with the potential to disrupt grid operations, and show exemplary performance evaluations of the IDS in specific scenarios.

Cryptography and Security,Networking and Internet Architecture,Systems and Control

Mansi Girdhar,Kuchan Park,Wencong Su,Junho Hong,Akila Herath,Chen-Ching Liu

2024-11-12

Abstract:In recent years, critical infrastructure and power grids have increasingly been targets of cyber-attacks, causing widespread and extended blackouts. Digital substations are particularly vulnerable to such cyber incursions, jeopardizing grid stability. This paper addresses these risks by proposing a cybersecurity framework that leverages software-defined networking (SDN) to bolster the resilience of substations based on the IEC-61850 standard. The research introduces a strategy involving smart cyber switching (SCS) for mitigation and concurrent intelligent electronic device (CIED) for restoration, ensuring ongoing operational integrity and cybersecurity within a substation. The SCS framework improves the physical network's behavior (i.e., leveraging commercial SDN capabilities) by incorporating an adaptive port controller (APC) module for dynamic port management and an intrusion detection system (IDS) to detect and counteract malicious IEC-61850-based sampled value (SV) and generic object-oriented system event (GOOSE) messages within the substation's communication network. The framework's effectiveness is validated through comprehensive simulations and a hardware-in-the-loop (HIL) testbed, demonstrating its ability to sustain substation operations during cyber-attacks and significantly improve the overall resilience of the power grid.

Cryptography and Security,Emerging Technologies

Mengxiang Liu,Zexuan Jin,Jinhui Xia,Mingyang Sun,Ruilong Deng,Peng Cheng

DOI: https://doi.org/10.1109/infocomwkshps51825.2021.9484453

2021-01-01

Abstract:In DC microgrids (DCmGs), distributed control is becoming a promising framework due to prominent scalability and efficiency. To transmit essential data and information for system control, various communication network topologies and protocols have been employed in modern DCmGs. However, such communication also exposes the DCmG to unexpected cyber attacks. In this demo, a scalable cyber security testbed is established for conducting hardware-in-the-loop (HIL) exper-iments and comprehensively investigating the security impact on DCmGs. Specifically, the testbed employs a Typhoon HIL 602+ emulator, which is professional in power electronics system emulation, to demonstrate four (12 at most) distributed energy resources (DERs). The communication network is implemented through the self-loop RS-232 interface. Based on the testbed, we systematically investigate the impact of two kinds of typical cyber attacks (i.e., false data injection and replay attacks). Experimental results show that both attacks will deteriorate the point-of-common coupling (PCC) voltages of the DERs and jeopardize the stability of the whole DCmG.

Lianquan Hou,Jianmin Zhang,Naizheng Jin,Ma Zhu,Yong Li

DOI: https://doi.org/10.1109/ccdc.2016.7531789

2016-01-01

Abstract:Cyber security is a major issue and a hard work for digital substation who uses Ethernet communication network and open IEC 61850 communication protocol. Based on message type and data stream analysis of digital substation communication, the cyber security threats faced by digital substation have been classified and analyzed at first; knowing the performance of a cyber-attack is the first step for latter attack detection and defense, for which simulation is a better choice; in this paper, the most malicious and harmful SYN-Flood attack has been taken as a simulation case by OPNET platform, and from which the performance of SYN-Flood attack has been observed and analyzed for further attack detection and defense.

Aydin Zaboli,Seong Lok Choi,Tai-Jin Song,Junho Hong

2024-02-26

Abstract:Cybersecurity breaches targeting electrical substations constitute a significant threat to the integrity of the power grid, necessitating comprehensive defense and mitigation strategies. Any anomaly in information and communication technology (ICT) should be detected for secure communications between devices in digital substations. This paper proposes large language models (LLM), e.g., ChatGPT, for the cybersecurity of IEC 61850-based digital substation communications. Multicast messages such as generic object oriented system event (GOOSE) and sampled value (SV) are used for case studies. The proposed LLM-based cybersecurity framework includes, for the first time, data pre-processing of communication systems and human-in-the-loop (HITL) training (considering the cybersecurity guidelines recommended by humans). The results show a comparative analysis of detected anomaly data carried out based on the performance evaluation metrics for different LLMs. A hardware-in-the-loop (HIL) testbed is used to generate and extract dataset of IEC 61850 communications.

Cryptography and Security,Systems and Control

O. V. Gnana Swathika,Aayush Karthikeyan,Kreet Rout,Shreyash Hatkar

DOI: https://doi.org/10.1109/access.2024.3443312

IF: 3.9

2024-08-25

IEEE Access

Abstract:Soaring energy demand in power sector demands an intelligent electricity grid which is able to meet the energy requirements of consumers with higher efficiency and reliability. This paper discusses about how Smart Grid (SG) is the solution for such requirements in the energy sector. SG constitutes of three main components: Information Technology (IT), Operational Technology (OT), and Advanced Metering Infrastructure (AMI). It is important to synchronize these three components in order to seamlessly deliver electricity to the consumers connected to the electric network. Cyberattack is increasing sharply in the SG infrastructure and triggers disrupting or malicious manipulation of entire electricity network. It is crucial to maintain the data traffic, power transmission and distribution with high reliability. This paper aims at arriving at the taxonomy of attacks that are subjected to IT, OT and AMI components of SG. This exhaustive taxonomy further opens avenues to evolve mitigation strategies for these attacks which will eventually aid in SG protection. Elaborate discussion about various mitigation strategies for various types of attacks is performed. The systematic approach of methods and techniques along with the type of solution it provides to SG applications is discussed. It is evident from literature that Machine Learning (ML), Deep Learning (DL) and signal processing techniques are very efficient and robust in attack detection and retaliating in SG. ML model pro. Hence the importance of framework and tools in SG environment is analyzed. A case study is also presented that emphasizes on SG Attacks on the specific system and its mitigation strategies.

computer science, information systems,telecommunications,engineering, electrical & electronic

Y. Yang,H. T. Jiang,K. McLaughlin,L. Gao,Y. B. Yuan,W. Huang,S. Sezer

DOI: https://doi.org/10.1109/pesgm.2015.7286357

2015-01-01

Abstract:With the development and deployment of IEC 61850 based smart substations, cybersecurity vulnerabilities of supervisory control and data acquisition (SCADA) systems are increasingly emerging. In response to the emergence of cybersecurity vulnerabilities in smart substations, a test-bed is indispensable to enable cybersecurity experimentation. In this paper, a comprehensive and realistic cyber-physical test-bed has been built to investigate potential cybersecurity vulnerabilities and the impact of cyber-attacks on IEC 61850 based smart substations. This test-bed is close to a real production type environment, and has the ability to carry out end-to-end testing of cyber-attacks and physical consequences. A fuzz testing approach is proposed for detecting IEC 61850 based intelligent electronic devices (IEDs) and validated in the proposed test-bed.

Onur Duman,Azadeh Tabiban,Lingyu Wang,Mourad Debbabi

DOI: https://doi.org/10.1109/tim.2024.3400328

IF: 5.6

2024-05-24

IEEE Transactions on Instrumentation and Measurement

Abstract:The measurement of security is essential for defending critical infrastructures such as smart grid substations against emerging threats of supply chain attacks. However, security measurement in general is still in its infancy and especially lacks tool support. In particular, supply chain attacks exploit vulnerabilities injected into devices before their shipment or during firmware updates and represent a significant security threat to substations. Preventing such attacks through the naïve solution of purchasing devices only from trusted vendors may not always be feasible (e.g., due to operational constraints of an operator being bound to particular vendors). Furthermore, in many cases, the effectiveness of applying ad hoc hardening options can be limited, while it may not be feasible to deploy all possible security mechanisms due to budget constraints. Finally, manually assessing and applying different hardening options while respecting a given budget is usually very challenging for system operators and can be prone to human error. In this article, we develop a hardening system, namely, hardening framework for substations (HFS), to measure and optimally improve the security posture of substations against supply chain attacks. First, HFS provides a hardening mechanism for securing substations while considering the budget and operational constraints. Second, HFS provides a visual framework that allows operators to generate attack graphs and manually experiment with various hardening options. We validate the effectiveness of HFS based on several scenarios, including the case in which supply chain attacks are mitigated by fixing nonsupply chain vulnerabilities. Our simulation results demonstrate that HFS improves the security postures of substations against supply chain attacks even with limited supply chain-related hardening options by reducing the number of successful supply chain attackers. Finally, we discuss how our work may be improved through leveraging existing concepts and techniques from instrumentation and measurement.

engineering, electrical & electronic,instruments & instrumentation

Aydin Zaboli,Seong Lok Choi,Tai-Jin Song,Junho Hong

2024-06-08

Abstract:Cybersecurity breaches in digital substations can pose significant challenges to the stability and reliability of power system operations. To address these challenges, defense and mitigation techniques are required. Identifying and detecting anomalies in information and communication technology (ICT) is crucial to ensure secure device interactions within digital substations. This paper proposes a task-oriented dialogue (ToD) system for anomaly detection (AD) in datasets of multicast messages e.g., generic object oriented substation event (GOOSE) and sampled value (SV) in digital substations using large language models (LLMs). This model has a lower potential error and better scalability and adaptability than a process that considers the cybersecurity guidelines recommended by humans, known as the human-in-the-loop (HITL) process. Also, this methodology significantly reduces the effort required when addressing new cyber threats or anomalies compared with machine learning (ML) techniques, since it leaves the models complexity and precision unaffected and offers a faster implementation. These findings present a comparative assessment, conducted utilizing standard and advanced performance evaluation metrics for the proposed AD framework and the HITL process. To generate and extract datasets of IEC 61850 communications, a hardware-in-the-loop (HIL) testbed was employed.

Cryptography and Security,Systems and Control

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tcsii.2022.3181827

2022-01-01

Abstract:In cyber-physical power systems (CPPSs), false data injection attack (FDIA) has drawn much attention due to its stealthiness. It is of great importance to investigate the potential behaviors of attackers to improve the cyber-security of CPPSs. However, most FDIA models are often constructed separately on the effect of attackers or the impact of attacks. Accordingly, this brief proposes a multi-objective stealthy FDIA scheme in AC grid model. The attack model is described as a multi-objective optimization problem, where minimization of contaminated measurements and maximization of the attack impact are considered as two objectives while remaining stealthy. To deal with the established attack model, a non-dominated sorting genetic algorithm II (NSGAII) is introduced as the solver. To improve the efficiency of generating attack vector, a new representation mechanism is proposed to describe locations and values of injected states. Additionally, during the evolutionary process, we propose a mutation operation to balance the sparsity and impact of FDIA. Simulation results on the IEEE 14-bus, 30-bus, and 118-bus systems demonstrate the feasibility of the NSGAII-based FDIA model.

Kwasi Boakye-Boateng,Ali A. Ghorbani,Arash Habibi Lashkari

DOI: https://doi.org/10.3390/smartcities7010005

2023-12-30

Smart Cities

Abstract:The Smart Grid is a cyber-integrated power grid that manages electricity generation, transmission, and distribution to consumers and central to its functioning is the substation. However, integrating cyber-infrastructure into the substation has increased its attack surface. Notably, sophisticated attacks such as the PipeDream APT exploit multiple device protocols, such as Modbus, DNP3, and IEC61850. The substation’s constraints pose challenges for implementing security measures such as encryption and intrusion detection systems. To address this, we propose a comprehensive trust-based framework aimed at enhancing substation security. The framework comprises a trust model, a risk posture model, and a trust transferability model. The trust model detects protocol-based attacks on Intelligent Electronic Devices and SCADA HMI systems, while the risk posture model dynamically assesses the substation’s risk posture. The trust transferability model evaluates the feasibility of transferring and integrating a device and its trust capabilities into a different substation. The practical substation emulation involves a Docker-based testbed, employing a multi-agent architecture with a real-time Security Operations Center-influenced dashboard. Assessment involves testing against attacks guided by the MITRE ICS ATT&CK framework. Our framework displays resilience against diverse attacks, identifies malicious behavior, and rewards trustworthy devices.

Zhigang Chu,Andrea Pinceti,Ramin Kaviani,Roozbeh Khodadadeh,Xingpeng Li,Jiazi Zhang,Karthik Saikumar,Mostafa Sahraei-Ardakani,Christopher Mosier,Robin Podmore,Kory Hedman,Oliver Kosut,Lalitha Sankar

DOI: https://doi.org/10.48550/arXiv.2104.13908

2021-04-29

Abstract:In this paper, we investigate the feasibility and physical consequences of cyber attacks against energy management systems (EMS). Within this framework, we have designed a complete simulation platform to emulate realistic EMS operations: it includes state estimation (SE), real-time contingency analysis (RTCA), and security constrained economic dispatch (SCED). This software platform allowed us to achieve two main objectives: 1) to study the cyber vulnerabilities of an EMS and understand their consequences on the system, and 2) to formulate and implement countermeasures against cyber-attacks exploiting these vulnerabilities. Our results show that the false data injection attacks against state estimation described in the literature do not easily cause base-case overflows because of the conservatism introduced by RTCA. For a successful attack, a more sophisticated model that includes all of the EMS blocks is needed; even in this scenario, only post-contingency violations can be achieved. Nonetheless, we propose several countermeasures that can detect changes due to cyber-attacks and limit their impact on the system.

Systems and Control

Filip Holik,Sule Yildirim Yayilgan,Guro Bråten Olsborg

DOI: https://doi.org/10.3390/electronics13122318

IF: 2.9

2024-06-14

Electronics

Abstract:Increasing power consumption and reliance on non-predictable renewable power generation is pushing the transition from analog to digital power grid substations forward. Grid digitalization helps to reduce substation complexity and therefore costs, and improves observability and management, but introduces new cyber security issues. To make the digital substations secure, cyber security awareness and efficient personnel training is one of the most important research areas as the power grid is a part of critical infrastructure. In our previous work, we have proposed an approach for analyzing cyber security threats and attacks in digital substations based on a case study from Norway. In this article, we present how we developed a tool for emulation of digital substation communication for cyber security awareness based on experiences from the case study. We present technical details of the tool—called the SGSim—so the community can easily replicate the process or only the selected parts. We also freely provide source code on GitHub and distribution in the form of a virtual machine on request. Finally, we validate the tool performance in several scenarios and evaluate its usability on a survey conducted among a wide range of professionals.

engineering, electrical & electronic,physics, applied,computer science, information systems

John E. Efiong,Abiodun Akinwale,B. O. Akinyemi,Emmanuel Olajubu,Sola Aderounmu

DOI: https://doi.org/10.1080/23335777.2024.2350004

2024-05-05

Cyber-Physical Systems

Abstract:A cyber range provides a controlled environment for simulating mission-critical systems for cybersecurity research following the high risks involved in conducting experiments in real-life systems. Existing cyber ranges do not provide close emulation of Cyber-Physical Systems (CPS) in the Smart Grid Networks (SGNs), with emphasis on industry-based proprietary and IED protocols. This paper presents CyberGrid Testbed – a virtual Cyber-Range developed by the CyberSCADA Research Laboratory at Obafemi Awolowo University, Ile-Ife, Nigeria, which emulates Substation Automation processes with IEC61850 and Modbus/TCP protocols and support for MMS, and IED. This was built on OpenPLC6185, simulating Twelve attack patterns, and four attack types.