Smart Grids and Control System Security
INSE 6640 - Smart Grid: Network Architecture (Part 1)
(Lecture 2)

Prof. Walter Lucia


Lecture Outline
• Recap: Introduction to Smart Grids
• Generation Architecture
• Types of electrical generation systems
• Critical subsystems
• SCADA systems
• Network vulnerabilities
• Cyber-attacks involving generation facilities
• Transmission Architecture
• Local T-SCADA, Gateway, Centralized T-SCADA
• Targets of substation cyber-attacks
• Remote communications, Cyber-security concerns
Recap: How is the Smart Grid architected?
• A Smart Grid is not a single, easily defined system
• A Smart Grid is the complex interconnection of multiple systems. Each
system is built upon newer and more intelligent components for efficient and
reliable:
• Generation of energy
• Transmission of energy
• Distribution of energy
• Metering

Recap: How is the Smart Grid architected?

• Architecturally, a Smart Grid has mostly the same components as an
old energy distribution system (unchanged for decades!!)
• With the Smart Grid, components can provide information about their
tasks to other subsystems. A centralized unit can collect all this
information to improve reliability and efficiency
• Understanding each component and how they are interconnected is
fundamental to evaluating the Smart Grid's vulnerabilities
Recap: How is the Smart Grid architected?

• A Smart Grid, equipped with sensing and communication capability, can
be viewed in human terms
• Monitoring and sensing = eyes, ears, nose and sensory receptors of the brain
• Communication system = mouth, vocal cords and the ears
• Automation system = arms, hands, motor function of the brain

• Manipulation of any one of these capabilities can affect the entire Grid

Recap: Risks and Malicious Attackers

• Risk examples:
• A manipulated reading of a Phasor Measurement Unit might initiate an
unnecessary load shedding (load reduction) to protect the electric power
system from a total blackout
• The interruption of the metering network might prevent an end user from
being billed
• The manipulation of automation systems within a substation might cause a
loss of service to an entire community.

Distributed Generation Architecture

Distributed Generation Architecture

• The first key element in the Smart Grid is the energy generation system
• Energy generation systems are part of the Smart Grid. A Smart Grid is not only
Transmission (T) and Distribution (D)
• There is a tight interconnection with T&D: e.g. the demand-response system
• Nowadays, the generation system is distributed, and it should support energy
generation at a micro level:
• In-home generation systems
• Power from small wind and solar farms
Types of Electrical Generation
• Electric generation sources are classified according to their fuel:
• Hydro-electric, using water
• Nuclear, using controlled nuclear fission
• Fossil fuel
• Natural gas
• Solar, using the power of the sun
• Wind farms, exploiting wind
• The energy generation systems are subject to specific vulnerabilities
and security challenges (later we will see common components and
related security concerns)
Fossil fuel generation system
• Process: fossil fuel into the burner, combustion, steam, turbine → energy (in
alternating current (AC) form)
• The condenser recycles the steam as water for the boiler

Solar generation system
• Sunlight, photoelectric cells, electricity (in the form of Direct Current
(DC)), converter (DC-AC) → electricity in AC form
• Solar power can also be used to power boilers for steam generation,
replacing coal fuel and burners with solar energy

Why a Converter? Why the Transformer?
• Energy is historically transmitted in Alternating Current (AC)
form. The converter transforms Direct Current (DC) into Alternating
Current (AC).
• Once we have AC current, we can reduce the energy loss during
transmission by using a voltage step-up transformer.
Slide formulas: current (i), voltage (v) and power (p) at the input (primary side);
current, voltage and power at the output (secondary side); energy loss after the
transformer, with N > 1 for an ideal step-up transformer.

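The step-up argument worked through in code, as an added example that is not part of the lecture slides: it uses the slide's i, v, p notation, assumes an ideal transformer with turns ratio N and a line modelled as a pure series resistance r_line (a constructed simplification), and shows that the ohmic loss falls by 1/N^2.

```python
"""Added example (not from the lecture): line loss with and without a
step-up transformer, using the lecture's i, v, p notation.

Assumptions (constructed for the demo): an ideal transformer with turns
ratio N, a line modelled as a pure series resistance r_line (reactance
ignored), and the generator delivering a fixed power p at voltage v_p.
"""


def secondary_side(i_p: float, v_p: float, n: float) -> tuple:
    """Ideal step-up transformer (N > 1): v_s = N*v_p, i_s = i_p/N,
    so the power p = i*v is conserved across the transformer."""
    v_s = n * v_p
    i_s = i_p / n
    return i_s, v_s, i_s * v_s


def line_loss(i: float, r_line: float) -> float:
    """Ohmic loss dissipated on the line: p_loss = i^2 * r_line."""
    return i * i * r_line


def loss_with_step_up(p: float, v_p: float, n: float, r_line: float) -> float:
    """Loss on the line when power p generated at voltage v_p is stepped up
    by N before transmission. n = 1 means no transformer at all."""
    i_p = p / v_p
    i_s, _, _ = secondary_side(i_p, v_p, n)
    return line_loss(i_s, r_line)


def loss_reduction_factor(n: float) -> float:
    """Ratio loss(with step-up) / loss(without): 1/N^2, since i_s = i_p/N."""
    return 1.0 / (n * n)


if __name__ == "__main__":
    # Constructed numbers: 10 MW generated at 10 kV over a 1 ohm line.
    p, v_p, r = 10e6, 10e3, 1.0
    for n in (1, 10, 100):
        loss = loss_with_step_up(p, v_p, n, r)
        print(f"N={n:>3}: loss={loss:>10.0f} W ({100 * loss / p:.3f}% of p)")
```

With the constructed numbers, sending 10 MW without a transformer would dissipate 1 MW (10%) on the line, while a step-up by N=10 brings that down to 10 kW.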
Wind Turbines generation system
• Kinetic energy of the wind, turbine → electricity (wind turbines are
a simple electric generation system!!)

Hydro-electric generation system
• Kinetic energy of the water, turbine → electricity

General process to produce electricity

• Most energy generation systems exploit the same general process:
• Fuel is utilized to create “kinetic” energy
• Raw “kinetic” energy is converted to electricity (turbine, photoelectric cells)
• The electricity is conditioned for transmission and distribution (T&D) (e.g. DC-AC
conversion and step-up transformers) or stored (in DC form for batteries)

Renewable energy
• Advantages
• Clean energy, no waste material
• The energy generation system is very simple

• Disadvantages
• A small solar photovoltaic (PV) system can produce 3 kW (the watt (W) is the unit
of measure of power) while a single nuclear reactor can produce at least 1000
MW

General System Architecture
• Regardless of the type of generation, there are subsystems and
automation systems that are common to all the energy generation
systems
• Starting from common components we can identify critical
subsystems that might be attacked or manipulated by malicious
actors
• Basically, any system that is controlled by a microprocessor or devices
with an operating system can be compromised, in principle, by a
malicious actor

Automation in the Fossil Fuel Generation System
Automation:
• The temperature control system that
regulates the rate of combustion and
steam pressure
• The intake valve control system that
regulates the flow of steam
• Turbine generator control system
• Converters (DC/DC, DC/AC)

Manipulating one of the above control
systems will affect the whole energy
generation process
Fossil Fuel Generation – Components and
Terminology (1)
• Subsystems (plant): Hopper, conveyor
mechanism, burner, turbine, coolant
system
• Sensor measurements (y(t)):
available fuel, speed of the conveyor,
fuel in the burner, pressure of the
steam, turbine speed, etc…
• Controlled devices/variables (u(t)):
fuel pulverization motors, fuel
conveyor speed, valves and pumps
Fossil Fuel Generation – Components and
Terminology (2)
• Specific logic is used to automate
each process (subsystem).
• Supervisory Control and Data
Acquisition (SCADA) systems
• An architecture that uses computers,
networked data communications and
graphical user interfaces for high-level
process supervisory management
• It uses peripheral devices such as
programmable logic controllers (PLC) to
control a process
• The operator can monitor the plant’s status
by means of Human Machine Interfaces
(HMI)
Fossil Fuel Generation – Components and
Terminology (3)
• Programmable logic controller (PLC)
• I/O to the process devices (to acquire
measurements and send command
inputs)
• A processing module containing the
controller logic (nowadays with
capabilities equivalent to a desktop
computer/workstation)
• Network interface to connect the PLC
with the SCADA network and HMI

Fossil Fuel Generation – Security concerns
• A PLC may be manipulated by overwriting the legitimate
control application with new code designed for a
malicious purpose.
• An HMI could be used to establish a way to control the
process from outside of the control room (e.g.
backdoors). This can enable data theft and/or remote
attacks (changing PLC logic, overriding operations, etc.)
• A man-in-the-middle attack on the Ethernet network
could alter I/O variables for the HMI and PLC

Attack Consequences

• Steal data about the production
• Slowing or interrupting the supply of fuel
• Increasing the supply of fuel, causing over-firing
• Limit the flow of the steam, increasing pressure and damaging pumps and
boiler
• Alter the measurements viewed by the operator, inducing him/her to take
incorrect actions
• Crash the HMI, creating a loss-of-view and effectively disabling basic control
within the plant
• Crash the PLC, creating a loss-of-control situation that disables supervisory
control while locking the process in its current state (open-loop situation).
Exploiting the Controller for Attacks

Exploiting the Controllers (1)
• Controller modules like PLCs usually consist of I/O devices, network
interfaces and automated control logic
• Controllers usually run on common hardware and commercially available
operating systems (e.g. Windows, embedded Windows, VxWorks (a real-time
operating system))
• Network connectivity to the SCADA server relies on Ethernet and TCP/IP
• PLCs are potentially vulnerable because of:
• Many network interfaces
• Commercial OS
• An attacker can in theory gain access to the PLC via the network and exploit an
OS vulnerability to launch an attack

Exploiting the Controllers (2)
• Threats involving the controller try to alter at least one of the
following:
• the control logic (the code to be executed in the control block),
• the desired output (reference signals),
• the sensor measurements

Example: Steam Generation Process (1)

• PLC 1 logic:
When there is a demand for fuel, the PLC activates
the fuel pulverizing process and the conveyor. Both
systems work at a rate established by the control
logic in a coordinated fashion

Example: Steam Generation Process (2)
• Manipulation of the PLC 1 control logic: effects
• Introduction of unsuitable fuel onto the conveyor
• Too quick or too slow delivery of fuel into the burner
(raising the pressure too much or making it too
weak)
• The plant might be locked into an unwanted state
(idle, for instance)
• If the SCADA connectivity is manipulated, this
can prevent remote management and remediation
of abnormal behaviors

Example: Steam Generation Process (3)

• PLC 2 logic:
The burner combusts fuel to reach the optimum
temperature to boil water; water is pumped
into the boiler as needed to produce steam; a
controlled valve regulates the velocity of the
steam driving the turbine

Example: Steam Generation Process (4)
• Manipulation of the PLC 2 control logic: effects
• Manipulation of temperature readings causes under-
or over-burning
• Manipulation of pressure readings causes unsafe
steam pressure levels
• Manipulation of the available water causes failures
in the boiler or turbine
• Malware can misrepresent input or output values
to the HMI and SCADA. This can trigger wrong
operator actions or prevent SCADA remote
management and remediation

Exploiting the Controller: Stuxnet Example
• In 2010 the famous malware Stuxnet was used to target a critical
Iranian uranium enrichment facility by specifically exploiting its PLC
controllers.
• The control logic (PLC logic) was altered
• The communication with the HMI was altered
• Stuxnet effectively increased centrifuge pressures, causing them to
spin in an erratic fashion, which caused plant damage.
• Malware affecting PLCs can:
• Manipulate the process behavior in order to reduce its performance
• Bypass security checks, safety control steps and so on

Network Vulnerabilities of Industrial Control Systems

Network Vulnerabilities of Industrial Control
Systems (1)
• Industrial control environments have many network-based
vulnerabilities
• Industrial control systems use fieldbus protocols (e.g. DNP3,
Modbus, PROFIBUS, PROFINET, CIP)
• Fieldbus is the name of a family of industrial computer network
protocols used for real-time distributed control. They work on serial
or Ethernet communication channels and exploit master-slave
schemes.
• E.g. the HMI is the master and the PLC is the slave. The HMI can force the PLC to read
measurements or impose a control action on the plant
• Because these industrial protocols lack authentication, encryption
and basic security measures, they represent a security risk.
Network Vulnerabilities of Industrial Control
Systems (2)

• A malicious actor can exploit the “request and respond” way of
working of master-slave protocols for “command and control” of the
industrial control system
• Malformed packets or excessive latency can cause protocol failures
• Protocol commands can force the slave into inoperable states, including
powering-off, disabling alarms, restarting communications and interrupting
processes
• Protocol commands are capable of erasing or resetting diagnostic information
or requesting sensitive information about the controller and its configuration

Network Vulnerabilities of Industrial Control
Systems (3)

• Since most protocols are application layer protocols transported over TCP, it is
easy to transport commands over non-standard ports or inject commands
into authorized traffic flows
• Protocol commands can list all the available function codes (i.e. function scan)
• Protocol commands may be capable of broadcasting messages to many
devices at once (i.e. creating a potential DoS)

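A defender-side check on Modbus/TCP requests, as an added example that is not part of the lecture: it parses the MBAP header and function code of each request and flags the command classes the last two slides describe (diagnostic resets and restarts, broadcasts, write commands from a host that is not the master, and function scans). The sample frames are constructed; the master address, the broadcast convention and the scan threshold are assumptions for the demo.

```python
"""Added example (not from the lecture): passive Modbus/TCP request monitor.

Assumptions (constructed): the only legitimate master is 10.0.0.10,
unit id 0 is treated as broadcast, and more than 4 distinct function
codes from one source counts as a function scan. Frame layout used:
MBAP header = transaction id (2 bytes), protocol id (2 bytes, 0 for
Modbus), length (2 bytes), unit id (1 byte), then the PDU whose first
byte is the function code.
"""
import struct
from collections import defaultdict

AUTHORIZED_MASTERS = {"10.0.0.10"}
WRITE_CODES = {5, 6, 15, 16}       # write single/multiple coils and registers
DIAGNOSTICS = 8                    # function code 08: diagnostics
DIAG_RESTART_COMMS = 0x0001        # sub-function 01: restart communications option
DIAG_CLEAR_COUNTERS = 0x000A       # sub-function 0A: clear counters and diagnostic registers
SCAN_THRESHOLD = 4


def parse_request(frame: bytes) -> dict:
    """Split a Modbus/TCP request into header fields, function code and data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


class ModbusMonitor:
    def __init__(self, authorized=AUTHORIZED_MASTERS):
        self.authorized = set(authorized)
        self.codes_seen = defaultdict(set)   # source ip -> function codes observed

    def inspect(self, src_ip: str, frame: bytes) -> list:
        """Return the list of alerts raised by one request frame."""
        req = parse_request(frame)
        fc, unit, data = req["fc"], req["unit"], req["data"]
        alerts = []
        if src_ip not in self.authorized and (fc in WRITE_CODES or fc == DIAGNOSTICS):
            alerts.append(f"write/diagnostic fc {fc} from unauthorized master {src_ip}")
        if unit == 0:
            alerts.append(f"broadcast (unit id 0) fc {fc} from {src_ip}")
        if fc == DIAGNOSTICS and len(data) >= 2:
            sub = struct.unpack(">H", data[:2])[0]
            if sub == DIAG_RESTART_COMMS:
                alerts.append(f"restart-communications request from {src_ip}")
            elif sub == DIAG_CLEAR_COUNTERS:
                alerts.append(f"clear-counters/diagnostics request from {src_ip}")
        self.codes_seen[src_ip].add(fc)
        if len(self.codes_seen[src_ip]) > SCAN_THRESHOLD:
            alerts.append(f"possible function scan from {src_ip}")
        return alerts


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a sample frame for the demo (MBAP length = unit id + fc + data)."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data


if __name__ == "__main__":
    mon = ModbusMonitor()
    # Constructed traffic: a legitimate register read, then a rogue restart broadcast.
    print(mon.inspect("10.0.0.10", build_request(1, 1, 3, b"\x00\x00\x00\x0a")))
    print(mon.inspect("10.0.0.99", build_request(2, 0, 8, b"\x00\x01\x00\x00")))
```

Because the protocol itself carries no authentication, the source address is the only handle this kind of monitor has, so it complements rather than replaces network segmentation.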
Network Attacks on Industrial Control Systems
• The protocol vulnerabilities make network-based attacks very
feasible:
• Injection of malicious commands can provide control over the target process
• Man-in-the-middle attacks can both take control of the plant and
misrepresent results to the operator console.

• If the network is not properly protected, the attacks become trivial
to perform!!!
• e.g. the network should never be connected to a public network like the Internet

Data Manipulation

Data Manipulation
• “Data” plays an important role in the automation process of
generation facilities. Manipulation of the inputs and outputs of the PLC, HMI
and SCADA can either directly or indirectly manipulate the process.
• Showing the operator misleading values through the HMI:
• The operator overrides the automation logic trying to fix the problem (the operator is
induced to perform undesired actions!!)
• Manipulation of values used by the controller logic
• It can avoid triggering temperature protection systems (e.g. the boiler has a temperature
of 500°F but the protection system sees only 400°F)
• Many other induced misbehaviors
• The Stuxnet worm affected PLC, SCADA and communication data as well
• Specific centrifuges used in the enrichment of uranium were altered to spin at
widely varying frequencies (PLC logic changed)
• SCADA communications were altered to avoid anomaly detection
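One way the protection logic can catch the 500°F-reported-as-400°F case above, as an added example that is not part of the lecture: a model-based plausibility check that compares the reported temperature y(t) with what the commanded fuel rate u(t) should produce. The first-order thermal model, its parameters and the residual threshold are constructed for the demo; only the 500°F/400°F values come from the slide.

```python
"""Added example (not from the lecture): model-based plausibility check on the
boiler temperature reading y(t) seen by the protection logic, using the
commanded fuel rate u(t) as an independent reference.

Assumptions (constructed): a first-order thermal model
T[k+1] = T[k] + (dt/tau) * (t_amb + gain*u[k] - T[k]) with gain, tau and a
60°F residual threshold chosen for the demo. At full fuel rate the model
settles at 70 + 430 = 500°F, the value on the slide.
"""
from dataclasses import dataclass


@dataclass
class BoilerModel:
    t_amb: float = 70.0     # °F, ambient temperature
    gain: float = 430.0     # °F rise per unit of fuel rate at steady state
    tau: float = 20.0       # s, thermal time constant
    dt: float = 1.0         # s, sample period
    temp: float = 70.0      # current temperature estimate

    def step(self, u: float) -> float:
        """Advance the model one sample with fuel rate u in [0, 1]."""
        target = self.t_amb + self.gain * u
        self.temp += (self.dt / self.tau) * (target - self.temp)
        return self.temp


@dataclass
class ResidualDetector:
    model: BoilerModel
    threshold: float = 60.0   # °F; must absorb model error in a real plant
    patience: int = 3         # consecutive bad samples before alerting
    strikes: int = 0

    def check(self, u: float, y_reported: float) -> bool:
        """True when the reported temperature disagrees with the model prediction."""
        predicted = self.model.step(u)
        self.strikes = self.strikes + 1 if abs(y_reported - predicted) > self.threshold else 0
        return self.strikes >= self.patience


def run_scenario(spoof_from: int, spoofed_value: float, n: int = 200):
    """Simulate the boiler at full fuel rate. From sample `spoof_from` on, the
    reading handed to the protection logic is frozen at `spoofed_value`.
    Returns the index of the first alert, or None if none was raised."""
    plant = BoilerModel()
    detector = ResidualDetector(BoilerModel())
    for k in range(n):
        true_temp = plant.step(1.0)          # real T(t) climbs towards 500°F
        reported = spoofed_value if k >= spoof_from else true_temp
        if detector.check(1.0, reported):
            return k
    return None


if __name__ == "__main__":
    print("no spoofing:", run_scenario(10**9, 0.0))
    print("reading frozen at 400°F once the boiler is hot:", run_scenario(150, 400.0))
```

A spoofed value close to the true one (say 480°F against 500°F) stays under the 60°F threshold, so the threshold is a trade-off between tolerating model error and detecting small offsets.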
Transmission architecture

Transmission and Distribution (T&D) Architecture

• Transmission and Distribution:
• Transmission occurs at high voltage (115 kV or above)
• Distribution occurs at a lower voltage
• After the energy is generated, it must first be “stepped up” for efficient
Transmission (do you remember why?) and then “stepped down” for
Distribution and use by the final consumer
Transmission Architecture
• Transmission architecture begins where generation ends
• It uses Substation Automation Systems (SAS) for energy conditioning,
protection and management
• Risks:
• Unlike generation systems,
transmission systems are often
physically accessible
• Substations may have physical security
controls, but remote substations still
have physical access risks
• Transmission requires wide-area
communication technology to support
real-time measurements
• Both cyber and physical attacks are,
in principle, possible
Transmission Architecture
• Modernization of transmission focuses on adding intelligence and
automation in order to:
• Make energy transmission more efficient (through grid optimization of
dynamic load management)
• More reliable (resilient to physical/cyber anomalies/attacks and capable of
quick recovery from unexpected events)
• More flexible (to support distributed generation)

• Modernization brings with it cyber-security challenges because it
enables new attack surfaces that expose transmission to a variety of
cyber threats.

Transmission SCADAs and substation automation
• Transmission SCADAs (T-SCADAs) play the same role as the SCADA systems
used for energy generation (G-SCADAs)
• T-SCADAs oversee and control automated substation processes
• T-SCADAs are often distinguished into “local gateway T-SCADA” and “centralized
T-SCADA” (or Energy Management System (EMS))

Transmission Gateway
• The substation gateway is the connection point between a substation and
the rest of the grid
• A gateway is a server, a computing platform that executes process automation logic
(like PLC for G-SCADA)
• It collects measurements and messages generated in the substation and from field
devices (e.g. PMU)
• It allows communication from/to the control room (centralized T-SCADA)

Substation Targets for cyber-attacks
• Manipulation of transmission
systems
• PMU measurements
• Power conditioning/protection
systems

• Manipulation of T-SCADA
• Gateway
• Communication between local
T-SCADA and central T-SCADA

Gateways

• Gateways are crucial in transmission systems
• Perfectly positioned within the transmission system for cyber-attacks
• Reachable via both the wide area network (TCP/IP) and the device network (serial
bus protocols)
• They support the control and data acquisition aspects of SCADA
• They are responsible for the communication with the central control room
• They run (typically) a commercially available OS
Gateways and Cyber Security Concerns
• Almost all gateways share the following
capabilities/features:
• Time synchronization via the network time protocol (NTP) and/or
IRIG-B.
• Web-based data viewing via HTTPS.
• Event logging via Syslog.
• Remote shell access via SSH (with SCP).
• Remote file transfer via FTP or SFTP.
• USB ports for data extraction.
• Multiple Ethernet interfaces.
• Multiple serial interfaces.
• A local console/HMI.
• A terminal server (for connection to the gateway and/or to devices
inside the substation).
• Support for common SCADA and automation protocols including IEC
61850, IEC 60870, DNP3 (serial and TCP), and Modbus (serial and TCP).
• All these features result in a series of open ports and
services that, if not properly protected, pave the way to
potential attacks
Compromising the wide area network (WAN)
• WAN connections between substations and the control room are crucial
• Luckily, at least some degree of secure connectivity is offered
• SSL or TLS
• However, vulnerabilities still exist
• Man-in-the-middle attacks can break some SSL connections
• DoS attacks on an SSL server can shut off the ability to communicate on the network
by causing a storm of SSL renegotiations
• Older TLS versions are susceptible to toolkit-based attacks
• Summary: broader defensive strategies than TLS alone are needed
• A significant security concern is the use of e-mail and web services
• An attacker can exploit open ports (often open TCP ports) and services to perform
man-in-the-middle attacks, DoS, manipulation of TCP/IP communication channels
and so on

Compromise of the Substation Gateway and
T-SCADA
• Breaking the gateway is equivalent to taking complete control over the
transmission subsystems and T-SCADA automation systems (step-up/step-down
systems, protection/breaker devices, load adjustment systems and
so on)
• Communication with the centralized server can be compromised or
altered
• Even if SSL or TLS mechanisms are employed, an attacker (from the inside) can
compromise an authorized device and establish communications that appear legitimate
• By compromising an authorized device, the secure wide-area
communications are also compromised

Phasor measurement unit (PMU)
https://tinyurl.com/y6yj4txd

• A PMU is a device that measures electrical parameters and sends them back
to a phasor data concentrator (PDC) and ultimately to the T-systems
• The grid exploits distributed and synchronized PMUs to measure the
quality of transmission in the grid (each measurement is typically
synchronized to a common GPS-based time source)
• The information is essential to provide efficient and reliable transmission
• Each line can transmit its current power level
• Surges and ebbs can be reduced or eliminated
• PMUs support remote management and control, enabling transmission
quality management to be automated
• This exposes PMUs to the same vulnerabilities as other SCADA system components
Compromise of the PMU infrastructure
If a PMU is compromised, the damage can range from the loss of
transmission efficiency up to the disruption of service.
Examples:
• Disabling a PMU or PDC could stall line condition monitoring and any
automation process that depends upon it.
• Manipulating a PMU or its phasor measurements could cause erroneous load
condition reports that could lead to improper load management.
• Manipulating phasor measurements could result in erroneous fault indicators,
resulting in unnecessary recovery actions.
• Manipulating process logic on a PMU or PDC could result in improper
operations and inaccurate phasor measurements (e.g. altering the
measurement synchronization).
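A PDC-side sanity check that addresses the last two bullets above (manipulated phasor measurements and altered measurement synchronization), as an added example that is not part of the lecture: it flags a PMU whose timestamps disagree with the PDC's own GPS clock and a PMU whose frequency disagrees with the majority of its peers. The frame fields, the tolerances and the sample frames are constructed for the demo, not taken from IEEE C37.118 or any vendor.

```python
"""Added example (not from the lecture): PDC-side sanity check on PMU frames.

Assumptions (constructed): each frame carries a GPS-disciplined timestamp,
a frequency and a voltage angle; tolerances of 50 ms time skew and 0.05 Hz
deviation from the peer median are chosen for the demo.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class PmuFrame:
    pmu_id: str
    timestamp: float     # seconds, expected to be GPS-synchronized
    freq_hz: float
    angle_deg: float


MAX_SKEW_S = 0.050
MAX_FREQ_DEV_HZ = 0.05


def check_time_sync(frames, pdc_time: float) -> set:
    """PMUs whose timestamp is further than MAX_SKEW_S from the PDC's clock
    (a symptom of a spoofed or drifting synchronization source)."""
    return {f.pmu_id for f in frames if abs(f.timestamp - pdc_time) > MAX_SKEW_S}


def check_peer_consistency(frames) -> set:
    """PMUs whose frequency deviates from the median of all PMUs in the slot.
    Grid frequency is a system-wide quantity, so a lone outlier is suspicious."""
    if len(frames) < 3:
        return set()            # not enough peers to form a majority
    med = median(f.freq_hz for f in frames)
    return {f.pmu_id for f in frames if abs(f.freq_hz - med) > MAX_FREQ_DEV_HZ}


def quarantine(frames, pdc_time: float):
    """Return (accepted frames, flagged PMU ids) for one PDC time slot."""
    flagged = check_time_sync(frames, pdc_time) | check_peer_consistency(frames)
    return [f for f in frames if f.pmu_id not in flagged], flagged


def sample_slot():
    """Constructed frames for one slot: three healthy PMUs, one with a skewed
    clock, one reporting an implausible frequency."""
    return [
        PmuFrame("PMU-A", 1700000000.000, 60.01, 12.0),
        PmuFrame("PMU-B", 1700000000.010, 59.99, 11.8),
        PmuFrame("PMU-C", 1700000000.020, 60.00, 12.1),
        PmuFrame("PMU-D", 1700000000.900, 60.00, 12.0),   # clock off by 0.9 s
        PmuFrame("PMU-E", 1700000000.005, 60.40, 12.0),   # frequency outlier
    ]


if __name__ == "__main__":
    accepted, flagged = quarantine(sample_slot(), 1700000000.000)
    print("flagged:", sorted(flagged), "accepted:", [f.pmu_id for f in accepted])
```

The peer check only works while the majority of PMUs in a slot is honest; it is a consistency test, not a substitute for authenticating the PMU-to-PDC link.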
Line Protection and Monitoring Systems

• Line Protection Systems are in charge of preventing undercurrent and
overcurrent conditions
• Breakers are triggered to prevent potentially hazardous faults
• Sophisticated protection mechanisms combine line monitoring with
automation logic to allow efficient response to a variety of line conditions
• Line Protection Systems heavily rely on PMU capabilities
• Line monitoring is also used to detect anomalous working conditions and
equipment failures
Transformers

• We have already seen what they do…right?
• Transformers usually communicate with protection systems and substations
• Usually they are considered an attack-safe component of the transmission (in a
direct sense):
• Very few network communications (protected by the IEC 61850 standard)
• There are no SCADA or controller functions
• No web-based consoles or interfaces, or remote consoles using common protocols
• Transformers are usually not directly attacked. They are affected only once the
attacker has gained access to the transmission system through another
component
• Attack consequences:
• Transforming electricity to a non-optimal voltage, causing unsafe operating conditions for
the downstream line
Distribution Architecture
(next lecture)

Thank you!
