Application-Aware Secure Multicast for Power Grid Communications
description
Transcript of Application-Aware Secure Multicast for Power Grid Communications
Application-Aware Secure Multicast for Power Grid Communications
Jianqing Zhang* and Carl A. Gunter
University of Illinois at Urbana-Champaign
* Now working at Energy Systems Research Lab, Intel Labs
• Motivation• Introduction• Formal Model for Multicast
– Data Model and Publish-Subscribe Model– Multicast Configuration Anomaly
• Implementation: SecureSCL• Performance Analysis of IPsec Based Multicast• Conclusion
Outline
2
Multicast in Power Grid Systems
Substation Networks
PMU: Phasor Measurement Unit PMUs
DNP3
3
IEC 61850 Substation Network
* Based on Baigent, D. et. al. IEC 61850 Communication Networks and Systems in Substations: An Overview for Users
Generic Object Oriented Substation Event (GOOSE)
Sampled Measured Value (SMV)• Data objects model
• Communication protocols suite• Link layer multicast
• Substation Configuration Language (SCL)
• IEC: International Electrotechnical Commission
• HMI: Human Machine Interface• PMU: Phasor Measurement Unit
Abstract Communication Service Interface (ACSI)
Substation Bus
Process Bus
Ethernet
*
4
Cyber Security Threats to Substation Networks
• Integrity– Tampered power grid status data– Faked control commands
• Confidentiality– Valuable raw data
• Availability– Data packets flood
Cryptographically Secured Protocols?
5
Challenges:Manageable Configuration
• Complex and error-prone configuration for current systems– Intricate system designs– Changing specifications during design phases– Large and hardly auditable configuration files
• TVA Bradley Substation: 7.4Mbytes and 98K lines XML files
– Proprietary configuration tools from multiple vendors– Complexity of current off-the-shelf security protocols and tools
• Security vulnerabilities due to incorrect system configuration
6
• Timing requirements for real-time operations*– PMU: 30 times per second– Substation: event notification for protection
e.g. GOOSE, 2-10ms
Challenges: Latency Requirements
* IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation
• VT: Volt Transformer• CT: Current
Transformer 7
• Integration with power grid systems– How to partition multicast groups in a particular
domain, like a power substation? – What’s the role of each control device in a group?– How to distribute group keys?
• Standardized security protocols– How to integrate group key management with secure
multicast protocols?
Challenges: Efficient Group Key Management & Configuration
8
• Derive group membership by application data dependency in system functional configurations– Observation: data dependency determines publish-
subscribe relationships and group memberships
Approach: Application-Aware Secure Multicast
9
<IED name=“IED2” desc=“Switchgear (subsriber) ” >… <LN desc="CircuitBreaker" inst="1" …> <Inputs> <ExtRef daName="general" doName="Tr" iedName="IED1" …/> <ExtRef daName="q" doName="Tr" iedName="IED1" …/> <ExtRef daName="general" doName="Op" iedName="IED1" …/> <ExtRef daName="q" doName="Op" iedName="IED1" …/> <ExtRef daName="general" doName="Op" iedName="IED1" …/> <ExtRef daName="q" doName="Op" iedName="IED1" …/> </Inputs> </LN></IED>…<IED name=“IED3” desc=“Switchgear (subsriber)” >… <LN desc="CircuitBreaker" inst=“2" …> <Inputs> <ExtRef daName="general" doName="Tr" iedName="IED1" …/> <ExtRef daName="q" doName="Tr" iedName="IED1" …/> <ExtRef daName="general" doName="Op" iedName="IED1" …/> <ExtRef daName="q" doName="Op" iedName="IED1" …/> <ExtRef daName="general" doName="Op" iedName="IED1" …/> <ExtRef daName="q" doName="Op" iedName="IED1" …/> </Inputs> </LN></IED>
<IED name="IED1" desc=“Protective relay (publisher)">… <GSE cbName="gcbTrip" ldInst="PROT">… <Address>… <P type="MAC-Address">01-0C-CD-01-01-46</P> </Address> </GSE> <DataSet name="dsTripLogic"> <FCDA daName="general" doName="Tr" …/> <FCDA daName="q" doName="Tr“ …/> <FCDA daName="general" doName="Op" …/> <FCDA daName="q" doName="Op" …/> <FCDA daName="general" doName="Op …/> <FCDA daName="q" doName="Op" …/> </DataSet>…</IED>
Data Dependency in Substation Configuration Language (SCL)
Trip command
10
• Derive group membership by application data dependency in system functional configuration
• Detect inconsistent configurations automatically
• Configure group key management system based on the derived group memberships and extended configuration files
• Raise the link layer multicast to the network layer and secure multicast traffic using IPsec
Approach: Application-Aware Secure Multicast
11
• D, the set of data objects• E, the entities which have relationships with data
objects– O, the set of data owners– C, the set of data consumer– P, the set of publishers– S, the set of subscribers
• G, the set of group controllers
A Formal Multicast Model: Components
12
A Formal Multicast Model:Publish-Subscribe Model
13
<IED name="IED1" type="SecureIED" desc="Protective Relay">... <LDevice inst="PROT"> <LN0 lnClass="LLN0" lnType="IED1-LLN0-Type"> <DataSet name="dsTripLogic">
<FCDA daName="general" doName="Tr" ... ldInst="PROT" lnInst="1"/><FCDA daName="general" doName="Op" ... ldInst="PROT" lnInst="1"/>...
</DataSet> <GSEControl appID="TripGoose" datSet="dsTripLogic" name="gcbTrip".../> </LN0> ... <LN inst="1" lnClass="PTRC" lnType="IED1-PTRC-Type"/> </LDevice>...</IED>...<DataTypeTemplates> <LNodeType id="IED1_PTRC_Type" lnClass="PTRC"> <DO name="Tr" type="tPTRC_TrOp"/> <DO name="Op" type="tPTRC_TrOp"/> </LNodeType></DataTypeTemplates>
Publish-Subscribe Model in SCL:Ownership & Publication
𝑅𝑜𝑤𝑛 ( 𝐼𝐸𝐷1 ,𝑇𝑟 ) ,𝑅𝑜𝑤𝑛 ( 𝐼𝐸𝐷1 ,𝑂𝑝 )
𝑅𝑝𝑢𝑏 ( 𝐼𝐸𝐷1 ,𝑇𝑟 ) ,𝑅𝑝𝑢𝑏 ( 𝐼𝐸𝐷1,𝑂𝑝 )
14
<IED name="IED2" desc="Switchgear" type="SecureIED">... <LDevice inst="CTRL"> <LN desc="CircuitBreaker" inst="1" lnClass="XCBR" lnType="IED2-CTRL-XCBR"> <Inputs> <ExtRef doName="Tr" ldInst="PROT”, iedName="IED1".../> <ExtRef doName="Op" ldInst="PROT”, iedName="IED1".../> </Inputs> </LN> <\LDevice><\IED>
Publish-Subscribe Model in SCL:Consumption & Subscription
𝑅𝑐𝑜𝑛 ( 𝐼𝐸𝐷 2 ,𝑇𝑟 ) ,𝑅𝑐𝑜𝑛 ( 𝐼𝐸𝐷2 ,𝑂𝑝 )
𝑅𝑠𝑢𝑏 ( 𝐼𝐸𝐷2 , 𝐼𝐸𝐷1 ,𝑇𝑟 ) ,𝑅𝑠𝑢𝑏 ( 𝐼𝐸𝐷 2 , 𝐼𝐸𝐷1,𝑂𝑝 )
15
• Ownership Anomaly: a publisher publishes data objects which are not owned by it
• Publication Redundancy: – Full redundancy: No data object is consumed
– Partial redundancy: some data objects are not consumed
Multicast Configuration Anomaly:Publication Anomaly
16
• Source Anomaly: a subscriber subscribes data from a “non-existent” publisher
• Data Dissatisfaction – “Hard” data dissatisfaction: some data objects are not
published by
– “Soft” data dissatisfaction: some data objects are published by another publication
Multicast Configuration Anomaly:Subscription Anomaly
17
Architecture of SecureSCL
18
• Preserves a variety of security properties, proved by a degree of formal analysis
• Supports wide area multicast, important to inter-substation communications and PMU networks
• Obtains strong support from security communities
• Capable of addressing latency constraints in medium scale networks
Benefits of IPsec Based Multicast in Power Grid Networks
19
• Test Bed Setup – Hardware
• Deterlab: 8, 16, 32, 64-node scenarios• Xeon Quad 3.00GHz PCs
– Software• Platform: Ubuntu 8.04• Process Control Emulation System*
– Measure round trip latency
Performance Analysis of IPsec Based Multicast
* Credits to Chris Grier and Sam King 20
Performance of IPsec Multicast
21
• Application-aware secure multicast is an efficient solution for multicast in power grid systems– Automate group configuration and minimize errors– Integrate security configurations with functional configurations
• IPsec is a promising solution for secure multicast in power grid systems
• Future work– WAN or Inter-substation network multicast communication
and configuration– Dynamic group management
Conclusion
22
Questions?http://seclab.illinois.edu/web/
Dr. Jianqing ZhangIntel Labs, RNB6-612200 Mission College Blvd.Santa Clara, CA 94054Tel: (408)653-5461Email: [email protected]
Professor Carl A. Gunter4304 Siebel Center for Computer Science201 N. Goodwin Ave.Urbana, IL 61801Tel: (217)244-1982 Email: [email protected]
1. Propose a formal multicast data model and a publish-subscribe model depicting the publish-subscribe relationships
2. Classify a number of configuration anomalies in multicast systems
3. Design algorithms detecting the anomalies
4. Design a multicast and group key management architecture
5. Develop a prototype system, SecureSCL
6. Provide a case study of secure GOOSE in IEC 61850 substations
7. Evaluate the performance of IPsec based multicast
Contributions
24
• IEC 62351: sign each GOOSE frame using RSA
• Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data
Dissemination Framework for the Power Grid, IEEE Transactions on
Power Delivery, Jan. 2009
• Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls.
INFOCOM 2004
Related Work
Header Authentication Value GOOSE PDU
Length
CRC
25
System Working Phases
26
• Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast
GDOI Based Group Key Management Architecture
1. IKEv1 Phase1: Reg. SA2. Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA3. GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs
27