Key Issues in Designing Cyber Security Proxy Gateways For Digital Substation Non-Immune Bay Layers
Abstract—Protective relay and measurement-control devices in digital substation bay layers are two core IEDs at the bottom of the power grid control system which can directly open or close circuit breakers. At present, the bay layer is the layer most vulnerable to cyber-attack, as both IEDs lack any anti-cyber-attack measures. A novel scheme of cyber security proxy gateways is proposed in this paper, in which an upper cyber security proxy gateway is implemented in the station control layer and a lower one in the station process layer, such that the bay layer is immune from cyber-attack. Key issues and the detailed design are discussed.

Keywords—digital substation; protective relay; non-immune; cyber security; proxy gateway

I. INTRODUCTION

The bay layer is the most fragile and deadly place for cyber-attack if it has no cyber security measures, because two critical IEDs, i.e., the protective relay (Protect IED) and the measurement-control device (M&C IED), have the capability to open or close the circuit breaker according to a presupposed scheme or after receiving a command from the master station. Taking the protective relay as an example, its basic operation rule is very simple: in case some electrical values exceed the pre-stored setting point, commands to open the corresponding circuit breakers are automatically issued to isolate the faulty apparatus from the power system. In a digital substation, the measured electrical values come from the Merging Unit (MU) in the process layer in a Multicast Sampled Value (SMV) message, and the setting point values can be changed by a message from the station layer or from the master station in the control center in the format of MMS (Manufacturing Message Specification). Nowadays, no

to detect incursion; a scheme based on A-codes (authentication codes), called unconditionally secure authentication codes, in order to defend against an attacker with infinite computing power, is described in [2]; paper [3] assumes that all devices have redundant CT/PT, and when the redundant measurements differ in the same bay, it proposes a novel fusion algorithm based on the measurement data of other intervals' CTs/PTs, in order to determine whether the fault really occurred in the bay, but it still has uncertain intervals. The results of [2], [3] are all based on simulation.

As for measurement and control messages, possible attack strategies for false data injection are discussed in [4-8] from the perspective of the attacker. The attack model is described in [9] based on graph theory and a polynomial-time method, and it uses the generalized likelihood ratio test to detect the attack. In [10], by scanning multiple key IEDs at the same time, an inference algorithm is used to detect potential invasion events and to ensure that the IEDs have a secure network environment. However, these strategies all ignore the real-time transmission requirement of the messages, as well as the real-time requirement of the detection.

All the above studies are preliminary, with no application in practice. In this paper, we propose two-layered cyber security gateways as a proxy to protect the non-immune protection relays from cyber-attack.

II. PROPOSED PROXY GATEWAYS IN DIGITAL SUBSTATION

[Fig. 1 (residue; image not reproduced): station layer network with Workstation 1 and a remote workstation.]
Authorized licensed use limited to: Birla Inst of Technology and Science Pilani Dubai. Downloaded on November 02,2023 at 17:02:12 UTC from IEEE Xplore. Restrictions apply.
B. SMV Detection and Protection Module of LCP

The LCP performs the following operations on the message:

(1) If the MU sends a digitally signed SMV message, then:

1) The LCP verifies the integrity and signature of the message. If the message passes the integrity verification, the SVED sends the message to the IEDs through a specific authorized port; otherwise the message is discarded, a warning is generated, and the warning event is written to the warning log.

2) An SMV message that has passed the integrity verification is sent to the SMV filtering module. After analysis in the SMV message analysis module, the message enters the specification-based intrusion detection module, which detects intrusions such as DoS attacks and generates warnings, and also detects logical exceptions in the message sequence number.

3) If the message passes the intrusion detection, it is then checked against historical events. Otherwise the message is recorded and reported to the master station; at the same time, the message is stored on the spot, waiting for the call from the master station.

(2) If the MU sends an SMV message without a digital signature, the SMV message skips the verification and goes on to the detection items. If the message passes the detection, it is sent to the IEDs through a specific authorized port, and the total detection time is limited to within 4 ms. Otherwise, the message is recorded and reported to the master station; at the same time, the message is stored on the spot, waiting for the call from the master station.

C. Design of the Lower Cyber Proxy Gateway

The detection algorithm of the lower cyber proxy gateway is based on predefined specifications. The main principle is to actively recognize behavior that does not conform to the predefined logic, and then judge it. All correct behavior rules are added to a whitelist, which can be enriched by training on correct behavior data. Data that does not meet the whitelist rules after training is added to a blacklist. The six key modules of the lower proxy gateway are as follows:

(1) Message decryption module: verify the digital signature of the SMV message from the MU, and decrypt the message according to the encryption and decryption rules.

(2) Message filtering module: because GOOSE/SMV messages have a high real-time requirement, they are transmitted directly from the application layer to the data link layer without using the UDP/TCP/IP protocols. Therefore, it is necessary to filter SMV messages according to their different MAC addresses.

(3) Message analysis module: analyze the MAC address and protocol of the message, extract the data in the message, and send the MAC address as well as the data to the message anomaly detection module.

(4) MAC address anomaly detection: all MAC addresses arriving at the intrusion detection module must strictly abide by the predefined address receiving table. Once there is a MAC address that does not match the table, the detection indicator J_MAC is set to true, and the data is discarded with a warning sent immediately.

(5) Specification-based intrusion detection module: perform detections such as triggering trip data, bad data, violation logic, overflow threshold warnings and so on.

(6) Data detection based on historical events: detect whether the current sampling data match the trigger conditions of historical events, such as over-current, over-voltage and so on; if so, set the historical fault indicator J_lsft to true. Then detect whether this sampling data match those of a historical attack; if so, set the historical intrusion indicator J_lsit to true.

The final result is written to the event log and the warning log respectively, according to the indicator Q_n, which is used to assess the abnormality. Warnings, intrusion data and the indicator Q_n are sent to the master station or displayed on the spot.

If there is an abnormal detection result, the corresponding indicator is set to true and the anomaly evaluation index Q_n becomes 1, which means the intrusion detection module has detected abnormal intrusion events, and the LCP shows a warning to the master station. On the contrary, a value of Q_n of 0 means there is no intrusion.

V. AUTHENTICATION AND ENCRYPTION/DECRYPTION OF SMV MESSAGE

A. Authentication and Encryption/Decryption Algorithm

[Fig. 2 (residue; image not reproduced). Sending side (MU): the message M waiting for transfer is hashed by the SM3 algorithm to give the hash value SM of M; SM is encrypted with the SM2 secret key of the MU to give the digital signature SSM; M and SSM are transferred together. Receiving side (SVDE): the received message M is hashed by the SM3 verification algorithm to give SM1; the received SSM is decrypted with the SM2 public key of the MU to give SM2; if (SM1 == SM2) { SMV = true; } else if (SM1 != SM2) { SMV = false; }.]

Fig. 2 The authentication of integrity and digital signature for SMV message

Encryption/decryption of the SMV message and the digital signature can ensure the integrity of the data transmission, authenticate the identity of the sender and avoid repudiation in the data exchange; however, both real-time performance and security must be taken into account. In this section, we select a suitable encryption/decryption method and algorithm for the MU as well as for the lower proxy gateway.

The core data of the SMV message, which is also the data most wanted by an attacker, is the 4-byte (4B) data in front of each electric quantity in the DataSet field, in the second half of each application service data unit (ASDU). As long as the confidentiality of this part of the data is ensured, the actual content of the SMV message will not be disclosed.
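As an added illustration (not part of the paper), the following Python models the LCP handling of one SMV frame as described in Sections IV.B and IV.C together with the verification half of Fig. 2; HMAC-SHA256 stands in for the SM3 digest sealed with SM2 because Python's standard library has neither, and the address table, thresholds and sample frames are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins, not the paper's code or parameters. Fig. 2 signs an SM3
# digest with SM2 under the MU's key; Python's standard library has neither, so
# HMAC-SHA256 over the frame plays the "sign digest / verify digest" role here.
MU_KEY = b"constructed-mu-key"
ADDRESS_TABLE = {"01:0c:cd:04:00:01"}   # predefined address receiving table (whitelist)
OVERFLOW_LEVEL = 4000                   # spec-based over-flow threshold (constructed units)
HIST_FAULT_LEVEL = 3000                 # trigger condition of a historical over-current event
HIST_ATTACK_SEQ_JUMP = 5                # a historical attack showed this sequence-number jump

def frame_bytes(frame):
    # M: the SMV content the MU hashes, in a canonical text form (constructed)
    vals = ",".join(str(v) for v in frame["values"])
    return f"{frame['src']}|{frame['seq']}|{vals}".encode()

def mu_sign(frame):
    # Sending side of Fig. 2: hash M and seal the digest under the MU key -> SSM
    return hmac.new(MU_KEY, frame_bytes(frame), hashlib.sha256).digest()

def lcp_inspect(frame, last_seq=None):
    """Model the LCP steps of Sec. IV.B/C: indicators, Q_n and the forwarding decision."""
    ind = {"sig_fail": False, "J_MAC": False, "J_lsft": False, "J_lsit": False}
    # Step (1): a signed message must pass verification, else discard with a warning
    if frame.get("ssm") is not None:
        if not hmac.compare_digest(frame["ssm"], mu_sign(frame)):
            ind["sig_fail"] = True
            return {**ind, "Q_n": 1, "forward": None}
    # Modules (2)-(4): the source address must appear in the receiving table
    ind["J_MAC"] = frame["src"] not in ADDRESS_TABLE
    # Module (5): specification checks, over-flow threshold and sequence-number logic
    overflow = any(v > OVERFLOW_LEVEL for v in frame["values"])
    seq_jump = 0 if last_seq is None else frame["seq"] - last_seq
    seq_bad = last_seq is not None and seq_jump != 1
    # Module (6): match against trigger conditions of historical faults and attacks
    ind["J_lsft"] = any(v > HIST_FAULT_LEVEL for v in frame["values"])
    ind["J_lsit"] = seq_jump == HIST_ATTACK_SEQ_JUMP
    # Q_n = 1 when any detector raised an indicator, 0 means no intrusion
    q_n = int(ind["J_MAC"] or overflow or seq_bad or ind["J_lsft"] or ind["J_lsit"])
    # Only a clean frame is forwarded, as the original message with the signature removed
    forward = None if q_n else {k: v for k, v in frame.items() if k != "ssm"}
    return {**ind, "Q_n": q_n, "forward": forward}

# Constructed sample frames: four sampled values (two ASDUs' worth), clean and tampered
GOOD = {"src": "01:0c:cd:04:00:01", "seq": 7, "values": [1200, 1190, 1210, 1205]}
GOOD["ssm"] = mu_sign(GOOD)
TAMPERED = dict(GOOD, values=[1200, 1190, 9999, 1205])   # payload altered after signing
```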
Therefore, the real-time transmission can be improved by encrypting the key data of the SMV message.

The SM2 cryptosystem is not described here. Fig. 2 shows the detailed implementation process of the SM2 cryptosystem.

B. Time-critical Simulation

The following is the analysis of the time cost of secure transmission of SMV messages. Taking the protection from the MU to the bus as an example, the total delay time of SMV message transmission is T, and timing starts from the MU's digital signature processing until the protective relays remove the data message from their transmission stack. That is:

$T = t_1 + t_2 + t_3 + t_4$ (1)

1) The digital signature processing time is denoted by t_1. Taking the HUADA INFOSEC SSM0901 encryption chip [18] as an example, the processing speed of the SM3 algorithm to generate a 256-bit hash digest is 290 Mbit/s, according to the SSM0901 module performance indicators. The SMV message from the MU to the bus IED is 113 B, including two ASDU data units, and the key message content is 8 B; therefore the hash time is 0.00006 ms. Meanwhile, the SM2 encryption time for a 256-bit message is 0.438 ms. Finally, the MU digital signature time is t_1 = 0.43806 ms.

2) The delay before the message is delivered to the LCP digital signature verification process is denoted by t_2. We simulated the star communication network and the ring communication network of a typical T-1 substation on OPNET. The simulation result shows that the delays of the star and ring communication networks are 0.034 ms and 0.052 ms, respectively.

3) The time cost of LCP digital signature verification is denoted by t_3. The SM2 signature verification time is 0.713 ms according to the SSM0901 module performance index, and the SM3 hash time is 0.00006 ms. Therefore, the LCP digital signature verification time is t_3 = 0.71306 ms.

4) The transmission time of the SMV message, sent to the protective relays in the form of the original message after the signature digest section has been removed, is denoted by t_4. The OPNET simulated delays t_4 of the star and ring communication networks are 0.044 ms and 0.075 ms, respectively.

In conclusion, the total transmission delay T of the SMV message in the star/ring network substation is 1.229 ms and 1.278 ms, respectively, both satisfying the real-time requirement that the transmission delay be less than 4 ms.

VI. CONCLUSION

In this paper, a novel scheme of cyber security proxy gateways in the digital substation is proposed, with an upper cyber security proxy gateway implemented in the station layer and a lower one in the process layer, such that the bay layer is free from cyber-attack. Such a strategy is completely independent of the existing non-cyber-security-immune IEDs in the most fragile and deadly bay layer, so it avoids the replacement or upgrade of existing protective relays and control devices in operational substations as well as those on the market.

ACKNOWLEDGMENT

This work is supported by China National Natural Science Foundation NSFC51677047 and State Grid Zhejiang Electric Power Company Sci. & Tech. Program ZBGW15-011-007-83.

REFERENCES

[1] S. Sheng, W. L. Chan, K. K. Li, et al. Context information-based cyber security defense of protection system [J]. IEEE Transactions on Power Delivery, 2007, 22(3): 1477-1481.
[2] T. Matsumoto, T. Kobayashi, S. Katayama, et al. Protection relay systems employing unconditionally secure authentication codes [C]. IEEE PowerTech, June 28 - July 2, Bucharest, Romania, 2009: 1-6.
[3] L. Zhu, D. Shi, X. Duan. Evidence theory-based fake measurement identification and fault-tolerant protection in digital substations [J]. IET Generation, Transmission & Distribution, 2011, 5(1): 119-126.
[4] L. Yao, M. K. Reiter, N. Peng. False data injection attacks against state estimation in electric power grids [C]. Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, USA, 2009: 21-23.
[5] O. Kosut, L. Jia, J. R. Thomas, et al. On malicious data attacks on power system state estimation [C]. 2010 45th International Universities Power Engineering Conference (UPEC), Aug. 31 - Sept. 3, 2010, Cardiff, United Kingdom.
[6] H. Sandberg, A. Teixeira, K. H. Johansson. On security indices for state estimators in power networks [C]. Proceedings of the First Workshop on Secure Control Systems, CPSWEEK 2010, Stockholm, Sweden: IEEE, 2010.
[7] G. Dan, H. Sandberg. Stealth attacks and protection schemes for state estimators in power systems [C]. Proceedings of the 1st IEEE International Conference on Smart Grid Communications, MD, USA: IEEE, 2010.
[8] A. Abdallah, X. S. Shen. Efficient prevention technique for false data injection attack in smart grid [C]. IEEE International Conference on Communications, IEEE, 2016: 1-6.
[9] O. Kosut, L. Jia, J. R. Thomas, et al. Malicious data attacks on smart grid state estimation: attack strategies and countermeasures [C]. Proceedings of the 1st IEEE International Conference on Smart Grid Communications, MD, USA, 2010.
[10] C. W. Ten, J. H. Hong. Anomaly detection for cyber security of the substations [J]. IEEE Transactions on Smart Grid, 2012: 865-873.
[11] IEC 62351-6. Power systems management and associated information exchange - data and communication security: Part 6, security for IEC 61850 [S]. 2007.
[12] XML Signature Syntax and Processing (Second Edition) [EB/OL]. https://www.w3.org/TR/xmldsig-core/
[13] XML Encryption Syntax and Processing [EB/OL]. https://www.w3.org/TR/xmldsig-core/
[14] P. Gaborit, M. Girault. Lightweight code-based identification and signature [C]. IEEE International Symposium on Information Theory, IEEE Xplore, 2007: 191-195.
[15] X. Y. Tong. Proactive defense strategies for wide-area protection and substation communication based on trusted computing [J]. Automation of Electric Power Systems, 2011, 35(20): 53-58.
[16] Z. Wang, G. Wang, Y. Li, et al. An encryption method for IEC 61850-9-2LE packet based on tiny encryption algorithm [J]. Automation of Electric Power Systems, 2016, 40(4): 121-127.
[17] N. Hong, X. Zheng. A security framework for internet of things based on SM2 cipher algorithm [C]. International Conference on Computational and Information Sciences, IEEE Computer Society, 2013: 13-16.
[18] ISECMM1256E module [EB/OL]. http://www.istecc.com/productzz.asp?id=10.