Cyber Security in Substation Automation (IEC 61850)

Cyber Security in Substation Automation(IEC 61850)

1

Braguta M.V., Nikandrov M.V.

August 2014 .

.

. .

. .

( , )

, .

, - . , - .

,

: , .

.

1

Recent trend: Migration to Ethernet/IP network protocols

High density of Electronic Intelligent Devices (IED) per controlled unit

Real time telemetry transmission is highly demanded

Lack of Security at the control device level, common practices of using default access parameters

Lack of Cyber Security knowledge and incident readiness

Modern Control Systems:

Trend and Risks

Major Risks:

Unauthorized remote access to control room, devices, manufacturing process,

Information theft, modification, altering network data,

Possible denial of service, sabotage of the manufacturing process

2

, , .

, , . .

2

Industry Incidents by Verticals

3

Energy

Energy sector is the most affected industry

3

The Attack Vectors

4

4

Information Disclosure:public websites

5

5

Social Networks Risks

6

(company)

(belgorodenergo)

(JSC MRSK-Centra belgorodenergo)

(Alexander has 516 friends)

USB devices: Major source of infection

7

7

Ransom Blockers at Control Room

8

IEC 61850 Capabilities

9

Advantage:

Promotion of high interoperability between systems from different vendors

Definition of basic services

Main protocols:

MMS and GOOSE

was

was

evolved

evolved

9

1. Spoofing of MMS

Sending false positioning control data to SCADA system

Record network traffic

Analyze transferred data

Construct message

Send to SCADA

10

10

Constructing Message

11

11

Sending to SCADA

http://youtu.be/MbxRhQP42N0

12

12

2. Spoofing MMS

Sending the false position of the breaker to relay protection terminal

Record network traffic

Analyze transferred data

Construct message

Send to Relay Terminal

13

13

Sending to Relay Terminal

http://youtu.be/oh5IAN3euK4

14

14

Result of unauthorized command

15

15

3. GOOSE spoofing - easy!

Record network traffic

Analyze transferred data

Edit message

Publish the message

16

Sending false commands to the relay terminal from another relay terminal

16

Edit the Message

17

17

Sending False GOOSE Message

http://youtu.be/fdnPkqIUWfA

18

18

Result of the Spoofing

19

GOOSE spoofing can applied to all relay terminals

certified by"Rosseti (Russian Power Company)

19

The IEC61850 standard supports RSA digital sign

Prevention and Protection

20

However, NONE of available IED Relays on market offer support for digital sign

20

Antivirus Issue: False Positive is quite dangerous

21

Suggestions

Short-term goals:

Stop ignoring the problem;

Allocate Cyber Security Personnel Education & Awareness time in Security Policy. Cover Basic Cyber Security and Social Engineering at least 1-2 per year;

Reduce attack surface and mitigate attack vectors using available methods and security standards;

Long-term goals:

Deploy Industrial Antivirus solutions certified for manufacturing zone;

Use Intrusion Detection and Deep packet inspection systems;

Add Integrity control system to protect manufacturing zone subnets and network assets. Detect unknown or unauthorized assets in the network perimeter;

Be able to isolate and manage devices firmware and detect unauthorized access or modifications;

Plan to migrate to encrypted network communications in manufacturing zone.

22

Conclusions

Power Control Systems need special, carefully designed Cyber Security Policy;

Overall state of Organization Cyber Security Policy is poor and demands immediate attention;

The Organization Cyber Security Policy must be reconsidered in general with respect of latest Local and International standards and advisories, the growing danger of ICS threats and lack of personnel readiness to detect threats;

The Power Control Systems requires Security Audit to all facilities as well as Compliance with modern Cyber Security standards and practices (local and international);

The Cyber Security requirements must be considered during design and implementation stages for all new objects and facilities;

All Cyber Security systems must go through extensive testing before to be installed into Control room or connected to power equipment. The testing should be done at manufacturing level as well as at Organization testing facilities in close to real world environment.

23

Thank you for your time!

Nikandrov Maksim

nixmak@mail.ru

Special appreciation to Kaspersky Lab

24