INSE 6640 - Smart Grid: Network Architecture (Part 1)
(Lecture 2)
Recap: How is the Smart Grid architected?
• Manipulation of any one of these capabilities can affect the entire Grid
Recap: Risks and Malicious Attackers
• Risk examples:
• A manipulated reading of a Phasor Measurement Unit might initiate an
unnecessary load shedding (load reduction) to protect the electric power
system from a total blackout
• The interruption of the metering network might prevent an end user from
being billed
• The manipulation of automation systems within a substation might cause a
loss of service to an entire community.
Distributed Generation Architecture
• The first key element in the Smart Grid is the energy generation system
• Energy generation systems are part of the Smart Grid. A Smart Grid is not only
Transmission (T) and Distribution (D)
• There is a tight interconnection with T&D: e.g. the demand response system
• Nowadays, the generation system is distributed, and it should support energy
generation at a micro level:
• In-home generation systems
• Power from small wind and solar farms
Types of Electrical Generation
• Electric generation sources are classified according to the different
fuels:
• Hydro-electric, using water
• Nuclear, using controlled nuclear fission
• Fossil fuel
• Natural gas
• Solar, using the power of the sun
• Wind farms, exploiting wind
• The energy generation systems are subject to specific vulnerabilities
and security challenges (later we will see common components and
related security concerns)
Fossil fuel generation system
• Process: fossil fuel into the burner → combustion → steam → turbine →
electrical energy (in alternating current (AC) form)
• The condenser recycles the steam as water for the boiler
Solar generation system
• Sunlight → photoelectric cells → electricity (in the form of Direct Current
(DC)) → converter (DC-AC) → electricity in AC form
• Solar power can also be used to power boilers for steam generation,
replacing coal fuel and burners with solar energy
Why a Converter? Why the Transformer?
• Energy has historically been transmitted in Alternating Current (AC)
form. The converter transforms Direct Current (DC) into Alternating
Current (AC).
• Once we have AC, we can reduce the energy loss during transmission by
using a voltage step-up transformer.
[Figure: current (i), voltage (v) and power (p) at the input (primary side);
energy loss after the transformer; current, voltage and power at the output
(secondary side)]
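As an added worked derivation (not from the lecture slides), using the slide's $i$, $v$, $p$ for the primary side and primes for the secondary side, and assuming an ideal transformer with turns ratio $n$ and a transmission line of resistance $R$ (both assumed symbols):

$$p = v\,i, \qquad v' = n\,v, \qquad i' = \frac{i}{n}, \qquad p' = v'\,i' = p$$

$$p_{\text{loss}} = (i')^2 R = \frac{i^2 R}{n^2}$$

Stepping the voltage up by a factor $n$ leaves the delivered power unchanged but divides the resistive line loss by $n^2$, which is why transmission is done at high voltage.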
Hydro-electric generation system
• Kinetic energy of the water → turbine → electricity
General process to produce electricity
Renewable energy
• Advantages
• Clean energy, no waste material
• The energy generation system is very simple
• Disadvantages
• A small solar Photovoltaic (PV) system can produce 3 kW (the watt (W) is the
unit of power) while a single nuclear reactor can produce at least 1000 MW
General System Architecture
• Regardless of the type of generation, there are subsystems and
automation systems that are common to all the energy generation
systems
• Starting from common components we can identify critical
subsystems that might be attacked or manipulated by malicious
actors
• Basically, any system controlled by a microprocessor, or any device with an
operating system, can in principle be compromised by a malicious actor
Automation in the Fossil Fuel Generation System
Automation:
• The temperature control system that
regulates the rate of combustion and
steam pressure
• The intake valve control system that
regulates the flow of steam
• Turbine generator control system
• Converters (DC/DC, DC/AC)
Fossil Fuel Generation – Security concerns
• A PLC may be manipulated by overwriting the legitimate
control application with new code designed for a
malicious purpose.
• The HMI could be used to establish a way to control the
process from outside of the control room (e.g.
backdoors). This can enable data theft and/or remote
attacks (changing PLC logic, overriding operations, etc.)
• A man-in-the-middle attack on the Ethernet network
could alter I/O variables for the HMI and PLC
Attacks Consequences
Exploiting the Controllers (1)
• Controller modules like PLCs usually consist of I/O devices, network
interfaces and automated control logic
• Controllers usually run on common hardware and commercially available
operating systems (e.g. Windows, embedded Windows, VxWorks (a real-time
operating system))
• Network connectivity to the SCADA server uses Ethernet and TCP/IP
• PLCs are potentially vulnerable because of:
• Many network interfaces
• Commercial OS
• An attacker can in theory gain access to a PLC via the network and exploit an
OS vulnerability to launch an attack
Exploiting the Controllers (2)
• Threats involving the controller try to alter at least one of the
following:
• the control logic (the code to be executed in the control block),
• the desired output (reference signals),
• the sensor measurements
Example: Steam Generation Process (1)
• PLC 1 logic:
When there is a demand for fuel, the PLC activates
the fuel pulverizing process and the conveyor. Both
systems work at a rate established by the control
logic in a coordinated fashion
Example: Steam Generation Process (2)
• Manipulation of the PLC 1 control logic: effects
• Introduction of unsuitable fuel onto the conveyor
• Too quick or too slow delivery of fuel into the burner
(raising the pressure too high or letting it drop too
low)
• The plant might be locked into an unwanted state
(idle, for instance)
• If the SCADA connectivity is manipulated, this can
prevent remote management and remediation of
abnormal behaviors
Example: Steam Generation Process (3)
• PLC 2 logic:
The burner combusts fuel to reach the optimum
temperature to boil water; water is pumped
into the boiler as needed to produce steam; a
controlled valve regulates the velocity of the
steam driving the turbine
Example: Steam Generation Process (4)
• Manipulation of the PLC 2 control logic: effects
• Manipulation of temperature readings causes under-
or over-burning
• Manipulation of pressure readings causes unsafe
steam pressure levels
• Manipulation of the available water causes failures
in the boiler or turbine
• Malware can misrepresent input or output values
to the HMI and SCADA. This can trigger wrong
operator actions or prevent SCADA remote
management and remediation
Exploiting the Controller: Stuxnet Example
• In 2010 the famous malware Stuxnet was used to target a critical
Iranian uranium enrichment facility by specifically exploiting its PLC
controllers.
• The control logic (PLC logic) was altered
• The communication with the HMI was altered
• Stuxnet effectively increased centrifuge pressures, causing them to
spin in an erratic fashion, which caused plant damage.
• Malware affecting PLCs can:
• Manipulate the process behavior in order to reduce its performance
• Bypass security checks, safety control steps and so on
Network Vulnerabilities of Industrial Control Systems
Network Vulnerabilities of Industrial Control Systems (1)
• Industrial control environments have many network-based
vulnerabilities
• Industrial control systems use fieldbus protocols (e.g. DNP3,
Modbus, PROFIBUS, PROFINET, CIP)
• Fieldbus is the name of a family of industrial computer network
protocols used for real-time distributed control. They work on serial
or Ethernet communication channels and use master-slave
schemes.
• E.g. the HMI is the master and the PLC is the slave. The HMI can force the PLC to
read measurements or impose a control action on the plant
• Because these industrial protocols lack authentication, encryption
and basic security measures, they represent a security risk.
Network Vulnerabilities of Industrial Control Systems (2)
Network Vulnerabilities of Industrial Control Systems (3)
• Since most protocols are application layer protocols transported over TCP, it is
easy to transport commands over non-standard ports or inject commands
into authorized traffic flows
• Protocol commands can list all the available function codes (i.e. function scan)
• Protocol command may be capable of broadcasting messages to many
devices at once (i.e. creating potential DoS)
Network Attacks on Industrial Control Systems
• These protocol vulnerabilities make network-based attacks very
feasible:
• Injection of malicious commands can provide control over the target process
• Man-in-the-middle attacks can both take control of the plant and
misrepresent results to the operator console.
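An added example (not from the lecture) of the kind of passive monitoring a defender can put on a fieldbus segment: it parses Modbus/TCP frames (MBAP header plus PDU), flags write function codes that do not come from an allowlisted HMI/SCADA master, and flags a host that issues many distinct function codes (a function scan). The master address, the scan threshold and the sample capture are constructed for the example.

```python
import struct
from collections import defaultdict

# Modbus function codes that change controller state (coil/register writes).
WRITE_CODES = {5, 6, 15, 16, 22, 23}
# Hypothetical allowlist of HMI/SCADA masters for this plant segment.
AUTHORIZED_MASTERS = {"10.0.5.10"}
# This many distinct function codes from one source counts as a function scan.
SCAN_THRESHOLD = 4

def parse_modbus_tcp(frame: bytes):
    """Parse MBAP header + PDU; return a dict, or None if the frame is malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; length counts unit id + PDU bytes.
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def inspect(capture):
    """capture: list of (timestamp, src_ip, frame). Returns (ts, src, reason) alerts."""
    alerts, seen_codes = [], defaultdict(set)
    for ts, src, frame in capture:
        pdu = parse_modbus_tcp(frame)
        if pdu is None:
            alerts.append((ts, src, "malformed Modbus/TCP frame"))
            continue
        if pdu["fc"] in WRITE_CODES and src not in AUTHORIZED_MASTERS:
            alerts.append((ts, src, f"write FC {pdu['fc']} from unauthorized master"))
        seen_codes[src].add(pdu["fc"])
        if len(seen_codes[src]) == SCAN_THRESHOLD:
            alerts.append((ts, src, "function scan (many distinct FCs)"))
    return alerts

def frame(tid, unit, fc, data=b""):
    """Build a Modbus/TCP frame; used only to construct sample data here."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data

# Constructed sample capture: the legitimate HMI polls and writes, then an
# unknown host walks through function codes and writes a holding register.
SAMPLE = [
    (1.0, "10.0.5.10", frame(1, 1, 3, b"\x00\x00\x00\x0a")),            # read regs
    (1.5, "10.0.5.10", frame(2, 1, 16, b"\x00\x10\x00\x01\x02\x01\xf4")),
    (2.0, "10.0.5.77", frame(1, 1, 1, b"\x00\x00\x00\x08")),
    (2.1, "10.0.5.77", frame(2, 1, 2, b"\x00\x00\x00\x08")),
    (2.2, "10.0.5.77", frame(3, 1, 4, b"\x00\x00\x00\x01")),
    (2.3, "10.0.5.77", frame(4, 1, 43, b"\x0e\x01\x00")),
    (2.4, "10.0.5.77", frame(5, 1, 6, b"\x00\x10\x01\x90")),            # write reg 16
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```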
Data Manipulation
• Data play an important role in the automation process of
generation facilities. Manipulation of the inputs and outputs of the PLC, HMI
and SCADA can either directly or indirectly manipulate the process.
• Showing the operator misleading values through the HMI:
• The operator overrides the automation logic trying to fix the problem (the operator is
induced to perform undesired actions!!)
• Manipulation of values used by the controller logic:
• It can avoid triggering temperature protection systems (e.g. the boiler has a temperature
of 500°F but the protection system sees only 400°F)
• Many other induced misbehaviors
• The Stuxnet worm affected PLC, SCADA and communication data as well:
• Specific centrifuges used in the enrichment of uranium were altered to spin at
widely varying frequencies (PLC logic changed)
• SCADA communications were altered to avoid anomaly detection
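An added example (not from the lecture) of the defensive idea behind the 500°F/400°F case: a protection function that trips on an independent safety sensor rather than on the value reported through the controller, and that alarms when the two channels disagree or a reading changes implausibly fast. The set points and the two time series are constructed for the example.

```python
# Constructed time series (one sample per second, °F). The controller-reported
# channel is held at 400°F while the independent safety sensor keeps rising.
REPORTED    = [380, 390, 400, 400, 400, 400, 400]
INDEPENDENT = [380, 391, 402, 430, 470, 500, 520]

TRIP_TEMP = 480          # protection set point (assumed value)
MAX_DISCREPANCY = 15     # tolerated °F difference between the two channels
MAX_STEP = 50            # largest plausible change between consecutive samples

def check_sample(reported, independent, prev_independent):
    """Return the findings for one sample; the trip decision never uses 'reported'."""
    findings = []
    if abs(reported - independent) > MAX_DISCREPANCY:
        findings.append("channel discrepancy")
    if prev_independent is not None and abs(independent - prev_independent) > MAX_STEP:
        findings.append("implausible rate of change")
    if independent >= TRIP_TEMP:
        findings.append("trip")
    return findings

def run_protection(reported, independent):
    """Replay both channels; return (index of first trip or None, [(index, findings)])."""
    trip_at, alerts, prev = None, [], None
    for k, (r, s) in enumerate(zip(reported, independent)):
        findings = check_sample(r, s, prev)
        if findings:
            alerts.append((k, findings))
        if "trip" in findings and trip_at is None:
            trip_at = k
        prev = s
    return trip_at, alerts

if __name__ == "__main__":
    trip, alerts = run_protection(REPORTED, INDEPENDENT)
    print("trip at sample", trip)
    for k, findings in alerts:
        print(k, REPORTED[k], INDEPENDENT[k], findings)
    # A protection scheme fed only the reported channel would never trip here.
    print("max reported:", max(REPORTED), "< set point", TRIP_TEMP)
```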
Transmission architecture
Transmission and Distribution (T&D) Architecture
Transmission SCADAs and substation automation
• Transmission SCADAs (T-SCADAs) play the same role as the SCADA systems
used for energy Generation (G-SCADAs)
• T-SCADAs oversee and control automated substation processes
• T-SCADAs are often distinguished into "local gateway T-SCADA" and "centralized
T-SCADA" (or Energy Management System (EMS))
Transmission Gateway
• The substation gateway is the connection point between a substation and
the rest of the grid
• A gateway is a server, a computing platform that executes process automation logic
(like the PLC for G-SCADA)
• It collects measurements and messages generated in the substation and from field
devices (e.g. PMUs)
• It allows communication from/to the control room (centralized T-SCADA)
Substation Targets for cyber-attacks
• Manipulation of transmission systems
• PMU measurements
• Power conditioning/protection systems
• Manipulation of T-SCADA
• Gateway
• Communication between local T-SCADA and central T-SCADA
Gateways
Compromising the Substation Gateway and T-SCADA
• Breaking the gateway is equivalent to taking complete control over the
transmission subsystems and T-SCADA automation systems (step-up/step-
down systems, protection/breaker devices, load adjustment systems and
so on)
• Communication with the centralized server can be compromised or
altered
• Even if SSL or TLS mechanisms are employed, an attacker (from the inside) can
compromise an authorized device and establish appropriate communications
• By compromising an authorized device, the secure wide-area
communications are also compromised
Phasor measurement unit (PMU)
https://tinyurl.com/y6yj4txd
• A PMU is a device that measures electrical parameters and sends them back
to a phasor data concentrator (PDC) and ultimately to the T-systems
• The grid uses distributed and synchronized PMUs to measure the
quality of transmission in the grid (each measurement is typically
synchronized to a common GPS-based time source)
• The information is essential to provide efficient and reliable transmission
• Each line can transmit its current power level
• Surges and ebbs can be reduced or eliminated
• PMUs support remote management and control, enabling transmission
quality control to be automated
• This exposes PMUs to the same vulnerabilities as other SCADA system components
Compromise of the PMU infrastructure
If a PMU is compromised, the damage can range from the loss of
transmission efficiency up to the disruption of service.
Examples:
• Disabling a PMU or PDC could stall line condition monitoring and any
automation process that depends upon it.
• Manipulating a PMU or its phasor measurements could cause erroneous load
condition reports that could lead to improper load management.
• Manipulating phasor measurements could result in erroneous fault indicators,
resulting in unnecessary recovery actions.
• Manipulating process logic on a PMU or PDC could result in improper
operations and inaccurate phasor measurements (e.g. altering the
measurement synchronization).
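An added example (not from the lecture) of a PDC-side sanity check against the last bullet, manipulated measurement synchronization: every PMU frame carries the GPS timestamp it was stamped with, and the PDC compares that against its own GPS-disciplined clock at arrival and against the configured reporting rate. A frame stamped in the future, or a stream whose intervals no longer match the rate, marks that PMU as suspect. The reporting rate, tolerances, frame layout and the two PMU streams are constructed for the example.

```python
from collections import defaultdict

REPORT_RATE_HZ = 30          # configured PMU reporting rate (assumed)
INTERVAL = 1.0 / REPORT_RATE_HZ
MAX_LATENCY = 0.050          # seconds: tolerated PMU->PDC network delay (assumed)

def check_stream(frames):
    """frames: list of (pmu_id, pmu_timestamp, pdc_arrival_time), both in GPS seconds.
    Returns {pmu_id: [alert, ...]} for PMUs whose timing looks wrong."""
    alerts, last_ts = defaultdict(list), {}
    for pmu, ts, arrival in frames:
        delay = arrival - ts
        # A frame must be stamped before it arrives and not too long before it.
        if delay < 0 or delay > MAX_LATENCY:
            alerts[pmu].append(f"timestamp skew {delay:+.3f}s at t={ts:.3f}")
        if pmu in last_ts:
            gap = ts - last_ts[pmu]
            if abs(gap - INTERVAL) > INTERVAL / 2:   # dropped frames or wrong rate
                alerts[pmu].append(f"irregular interval {gap:.3f}s at t={ts:.3f}")
        last_ts[pmu] = ts
    return dict(alerts)

def make_frames():
    """Constructed capture: PMU-A is healthy; PMU-B's time base jumps 200 ms
    ahead from its 4th frame on (the manipulated-synchronization case)."""
    frames = []
    for k in range(6):
        ts = 1000.0 + k * INTERVAL
        frames.append(("PMU-A", ts, ts + 0.010))
        offset = 0.200 if k >= 3 else 0.0
        frames.append(("PMU-B", ts + offset, ts + 0.010))
    return frames

if __name__ == "__main__":
    for pmu, found in check_stream(make_frames()).items():
        print(pmu, *found, sep="\n  ")
```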
Line Protection and Monitoring Systems
Thank you!