Network Security in Power Systems

Transcript of Network Security in Power Systems (23 slides)

8/6/2019 Network Security in Power Systems

1/23

Network Security in Power Systems

Maja Knezev and Zarko Djekic

Outline

• Introduction
• Protection control
• EMS, SCADA, RTU, PLC
• Attacks using the power system
• Vulnerabilities
• Solutions
• Conclusion

Introduction

[Figure: generator supplying a user through the power system]

• Provide electrical energy in the power system at minimal cost, with due regard for safety and reliability.

Protective control

• Protective relays are designed to respond to system faults such as short circuits.
• Transmission relaying must locate and isolate a fault quickly enough to preserve stability, to reduce fault damage and to minimize the impact on the rest of the system.

[Figure: generators and loads joined by a transmission network; a protective relay trips a circuit breaker]

• Relays should respond when a fault occurs, but they should not respond in any other situation.

EMS (Energy Management System)

• CONSISTS OF computers, display devices, software, communication channels and remote terminal units; it is connected to the RTUs and control actuators in power plants and substations.
• PURPOSE: to manage the production, purchase, transmission, distribution and sale of electrical energy in the power system. It presents the status of a very large area to the operator, who makes the decisions, and it is also capable of making decisions automatically by itself.

SCADA (Supervisory Control And Data Acquisition)

• CONSISTS OF one or more computers with appropriate application software, connected by a communications system to a number of RTUs placed at various locations to collect data. Communication protocols differ from substation to substation.
• PURPOSE: provides three critical functions
  - Data acquisition
  - Supervisory control
  - Alarm display and control
• Supports operator control of remote (or local) equipment

• RTU (Remote Terminal Unit)
  RTUs are microprocessor-based computers which contain ADCs and DACs, digital inputs for status and digital outputs for control.
• PLC (Programmable Logic Controller)
  PLCs have extended I/O, and their control outputs can be driven by software residing in the PLC as well as by remote commands from a SCADA system. The PLC user can change that software without major hardware or software changes.
• Both have many real-time communication links inside and outside the substation or plant.

Attacks using the power system

• Attacks upon the power system
  Attacking two substations simultaneously in order to cause a blackout.
• Attacks by the power system
  Using the dangerous nature of power plants to generate an attack (chemical, biological agents).
• Attacks through the power system
  Using installations of the power system to attack civil infrastructure. For example, by coupling an electromagnetic pulse through the grid, computer and telecommunications infrastructure could be damaged.

SCADA system attacks

• On the Ohio Davis-Besse nuclear power plant process computer, a 2003 Slammer worm infection disabled a nuclear safety monitoring system for about five hours.
• A wireless link to the SCADA system of the Maroochy Shire (Queensland, Australia) sewage control system was exploited in 2000 by one Vitek Boden. The attack caused millions of gallons of sewage to be dumped into Maroochy waterways over a four-month period.
• Security consultant Paul Blomgren and his associates were hired to assess SCADA vulnerabilities at a large southwestern power utility; they were able to penetrate the power station's operational control network and computer systems through wireless connections from laptops in a vehicle parked outside the plant.

SCADA/EMS vulnerabilities

• Network architecture vulnerabilities
• Physical connection vulnerabilities
• RTU and IED (Intelligent Electronic Device) vulnerabilities
• Protocol vulnerabilities

Network architecture vulnerabilities

• 20 years ago: separate administrative and control networks
• Today the networks are tightly coupled
• Connections between SCADA and other corporate networks are not protected by strong access controls

Physical connection vulnerabilities

• Internet connections between remote devices and the control center, used to avoid more expensive private lines
• Wireless connections
• Dial-up telephone lines

RTU and IED vulnerabilities

• Physical security
• Many RTUs and IEDs have no password protection
• Many actuators (breakers, pumps) have their own network connection

Protocol vulnerabilities

• Many plain-text SCADA protocols were developed for private serial networks in the 60s and 70s, and today they have been adapted to run over TCP/IP (MODBUS, FIELDBUS, DNP3). They carry no authentication, authorization or integrity check, so any host that can reach the port can read process data and issue control commands.
• Standard wireless protocol vulnerabilities (IEEE 802.11b, whose WEP encryption is broken)
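To make the protocol point concrete, here is an added example (not code from the slides or from any of the cited references) that encodes and decodes Modbus/TCP requests. Every field in the frame is visible in the code: a transaction id, a protocol id, a length, a unit id and the function code with its data. There is no field a receiver could use to check who sent the frame or whether it was altered in transit, so a read poll from the SCADA master and a coil write from a laptop on the same segment are indistinguishable to the RTU. The unit id, register addresses and the assumption that coil 7 drives a breaker trip output are illustrative and not from the slides.

```python
"""Added example (not from the slides): decode Modbus/TCP requests and show that
nothing in the frame authenticates the sender or protects it from tampering.
Unit ids, addresses and the coil-to-breaker mapping are illustrative assumptions."""
import struct

# Function codes that change process state; any host that reaches TCP/502 can send them.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


def build_request(transaction_id, unit_id, function_code, data):
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    pdu = struct.pack(">B", function_code) + data
    # The length field counts the unit id plus the PDU; there is no auth or MAC field at all.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id, unit_id, start, quantity):
    return build_request(transaction_id, unit_id, 3, struct.pack(">HH", start, quantity))


def write_single_coil(transaction_id, unit_id, address, on):
    # Modbus encodes coil ON as 0xFF00 and OFF as 0x0000.
    return build_request(transaction_id, unit_id, 5, struct.pack(">HH", address, 0xFF00 if on else 0))


def parse_frame(frame):
    """Decode one request; raise ValueError when the header is inconsistent with the bytes."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match %d bytes on the wire" % (length, len(frame) - 6))
    decoded = {"transaction_id": transaction_id, "unit_id": unit_id,
               "function_code": frame[7], "data": frame[8:]}
    if decoded["function_code"] in (1, 2, 3, 4, 5, 6) and len(decoded["data"]) >= 4:
        first, second = struct.unpack(">HH", decoded["data"][:4])
        decoded["address"] = first
        # Reads carry a quantity after the address; single writes carry the value.
        decoded["quantity" if decoded["function_code"] <= 4 else "value"] = second
    return decoded


def classify(decoded):
    """Return ('control-write' | 'read' | 'other', function name)."""
    fc = decoded["function_code"]
    if fc in WRITE_FUNCTION_CODES:
        return "control-write", WRITE_FUNCTION_CODES[fc]
    if fc in READ_FUNCTION_CODES:
        return "read", READ_FUNCTION_CODES[fc]
    return "other", "function code %d" % fc


# Constructed traffic: a routine poll, then an unsolicited write that (by assumption)
# drives the coil wired to a breaker trip output. Both look the same to the RTU.
SAMPLE_FRAMES = [
    read_holding_registers(1, 1, 0, 10),
    write_single_coil(2, 1, 7, True),
]


def audit(frames):
    """Classify each frame; control writes are what an intrawall IDS should alert on."""
    return [classify(parse_frame(f)) for f in frames]


if __name__ == "__main__":
    for frame, (kind, name) in zip(SAMPLE_FRAMES, audit(SAMPLE_FRAMES)):
        print(frame.hex(), kind, name)
```

Because the protocol itself cannot distinguish the two frames, the only places to enforce who may write are outside it: the network path (who can reach port 502 at all) and monitoring that alerts on write function codes from anything other than the master.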

Solutions

Physical network insulation

• Physically separate the intranet (SCADA/EMS) network from the external network

[Figure: SCADA/EMS network with its external links cut, Ref. [5]]

Firewall technique

• Firewalls - between the enterprise network and the Internet
• Intrawalls - between the enterprise and process control networks

NISCC, BCIT; Firewall Deployment for SCADA and Process Control Networks, February 2005 (Ref. [9])
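As an added example of what an intrawall policy looks like in practice (this is not code from the slides or from ref. [9]), the block below checks connection records against a deny-by-default zone policy: enterprise users may reach only a historian in a DMZ, the SCADA master is the only host allowed to speak Modbus/TCP or DNP3 to field devices, and nothing else is permitted. Every denied record is a candidate alert, which is how the same rules double as a simple intrusion detector when fed the flow log from a substation switch or firewall. The zone address ranges, the master's address, the historian port and the log lines are all constructed assumptions.

```python
"""Added example (not from the slides or from ref. [9]): a deny-by-default zone policy
for the intrawall between enterprise and process-control networks, applied to
connection records. Zones, addresses, ports and log lines are illustrative assumptions."""
import ipaddress

ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),  # office users, mail, web
    "dmz": ipaddress.ip_network("10.2.0.0/24"),         # historian replica read by the enterprise
    "control": ipaddress.ip_network("10.3.0.0/16"),     # SCADA master, RTUs, PLCs, IEDs
}
SCADA_MASTER = ipaddress.ip_address("10.3.0.10")

# Ports of field protocols that carry control commands in the clear.
FIELD_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}

# Explicit allow rules: (source zone, destination zone, destination port). Anything
# not listed is denied, so no path from the enterprise zone reaches a field device.
ALLOW_RULES = [
    ("enterprise", "dmz", 443),    # operators read reports from the historian over TLS
    ("control", "dmz", 5432),      # master replicates process data outward (assumed DB port)
    ("control", "control", 502),   # master polls and commands RTUs
    ("control", "control", 20000),
]


def zone_of(address):
    for name, network in ZONES.items():
        if address in network:
            return name
    return None


def evaluate(src, dst, port):
    """Return (verdict, reason) for one connection attempt given as address strings."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if port in FIELD_PROTOCOL_PORTS and src != SCADA_MASTER:
        # The protocol cannot tell a rogue laptop from the master, so the network must.
        return "deny", "%s from non-master host %s" % (FIELD_PROTOCOL_PORTS[port], src)
    if (src_zone, dst_zone, port) in ALLOW_RULES:
        return "allow", "rule %s->%s:%d" % (src_zone, dst_zone, port)
    return "deny", "no matching rule (default deny)"


# Constructed flow log, one connection per line: timestamp source destination port.
SAMPLE_LOG = """\
2005-02-10T08:01:02 10.1.5.20 10.2.0.11 443
2005-02-10T08:01:09 10.1.5.20 10.3.0.41 502
2005-02-10T08:02:15 10.3.0.10 10.3.0.41 502
2005-02-10T08:03:40 10.3.2.77 10.3.0.41 502
2005-02-10T08:04:01 192.0.2.9 10.3.0.41 23
"""


def audit_log(text):
    """Evaluate each record; every 'deny' is a candidate intrusion-detection alert."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, src, dst, port = line.split()
        verdict, reason = evaluate(src, dst, int(port))
        results.append((timestamp, src, dst, int(port), verdict, reason))
    return results


if __name__ == "__main__":
    for record in audit_log(SAMPLE_LOG):
        print("%s %s -> %s:%d %s (%s)" % record)
```

The fourth sample line is the case the wireless incidents on the earlier slide describe: a host inside the control zone that is not the master. A zone-to-zone rule alone would pass it, which is why the policy also pins the field-protocol ports to one source address.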

Physical connections

• Private lines
• Dial-back modems
• Private wireless protocols
• VPN (Virtual Private Network)
  - IPsec
  - PPTP (Point-to-Point Tunneling Protocol); its MS-CHAPv2 authentication is known to be weak, so IPsec is the safer choice

RTUs and IEDs

• Assure physical security of all remote sites connected to the network
• Do not leave live network access points at remote, unguarded sites
• Disable all unnecessary connections to RTUs, IEDs and actuators
• Update firmware

RTUs and IEDs

• Interface between the network and the devices

Security policies

• Password policy
• Identification and authentication of users
• Secure e-mail (PGP, PEM)
• Intrusion detection
• System redundancy
• System backup and recovery plan

Conclusion

• SCADA/EMS networks were initially designed to maximize functionality and reliability, with little attention paid to security.
• SCADA/EMS networks can be very vulnerable, and that could result in huge consequences for public safety and disruptions to the nation's critical infrastructure.
• There is no single, complete solution: every network is different and requires a custom solution.

References

[1] Ronald L. Krutz; Securing SCADA Systems; Wiley Publishing, Inc., 2006
[2] George D. Jelatis; Information Security Primer; EPRI, 2000
[3] 21 Steps to Improve Cyber Security of SCADA Networks; President's Critical Infrastructure Protection Board, U.S. Dept. of Energy, 2002
[4] A. Creery, E. J. Byres; Industrial Cybersecurity for Power System and SCADA Networks; IEEE Paper No. PCIC-2005-34
[5] M. T. O. Amanullah, A. Kalam, A. Zayegh; Network Security Vulnerabilities in SCADA and EMS; IEEE/PES 2005
[6] Yongli Zhu, Baoyi Wang, Shaomin Zhang; The Analysis and Design of Network and Information Security of Electric Power System; IEEE/PES 2005
[7] Göran N. Ericsson; On Requirements Specifications for a Power System Communications System; IEEE Transactions on Power Delivery, Vol. 20, No. 2, April 2005
[8] Alan S. Brown; SCADA vs. the Hackers; Mechanical Engineering, Dec. 2002
[9] NISCC, BCIT; Firewall Deployment for SCADA and Process Control Networks; February 2005