Montreal, Canada
Abstract—Network and system management (NSM) plays an important role in ensuring end-to-end security of power systems. As defined in IEC 62351-7, NSM provides system security awareness through the collection of a large amount of data in order to monitor the power grid operational environments. In this paper, we follow the IEC 62351-7 guidelines to develop an NSM platform for IEC 61850 substations. Then, on top of the developed platform, we build a hybrid, deep learning and rule-based, anomaly detection system. Furthermore, considering IEC 61850 protocols, we develop a list of potential cyber attacks on the substation that are likely to impact the power grid availability. The effectiveness of the proposed anomaly detection system against the identified attacks is confirmed by testing it on an IEEE 8-Bus system in the presence of NSM using a smart grid testbed.

Index Terms—Anomaly detection, rule-based detection, network and system management, NSM, IEC 61850, IEC 62351-7, smart grid, security

I. INTRODUCTION

The introduction of Information and Communication Technologies (ICT) into the power grid is reshaping the grid as we know it by developing an advanced monitoring and control infrastructure to create a more reliable grid, the smart grid. This reformation spans across the different grid domains, establishing digital substations, investing in wide area monitoring systems, and deploying advanced metering infrastructure among others. Along with this reformation of the grid, working groups have been developing standards that guide the grid's transformation. This includes digital substation automation standards, namely IEC 61850 [1], and data and communication security standards, namely IEC 62351 [2].

Working Group 15 of the IEC TC57 addresses the end-to-end security requirements of the grid through the different parts of IEC 62351, and focuses on the management of the information infrastructure through part 7 [3]. Indeed, the management of the grid's information infrastructure is crucial to providing the necessary high levels of security and reliability in power system operations [4]. This includes the definition of Network and System Management (NSM) data objects that reflect which information is needed to manage the information infrastructure [4]. However, IEC 62351 does not address the use of the defined objects, how they can be leveraged to provide insights about the system security, or what solutions can be developed on top of the collected information to detect and mitigate cyber attacks targeting the smart grid.

In this paper, we adopt the security recommendations provided by IEC 62351-7 edition 2017 to develop a hybrid anomaly detection system on top of the NSM data objects. In particular, we design and implement an NSM platform for IEC 61850 substations including the NSM data objects defined by IEC 62351-7 [3]. The NSM data collected by the platform is used by a combined deep learning and rule-based anomaly detection system to detect the occurrence of cyber attacks. The developed approach is evaluated using real time co-simulation with hardware-in-the-loop capability. The outcome of the performed experiments demonstrates the need for such a system and its usefulness in providing a more secure and reliable smart grid infrastructure.

The main contributions of this paper can be summarized as follows:

1) Design and implementation of IEC 62351-7 [3] compliant NSM monitoring and data collection platform.
2) Presentation of a methodology to elaborate Denial of Service (DoS) attacks on IEC 61850 communication protocols.
3) Development of a deep learning and rule-based anomaly detection system on top of the developed NSM platform.

The rest of the paper is structured as follows. Section II introduces our system model. The NSM platform architecture and design are outlined in section III. Section IV presents the cyberattack elaboration methodology on IEC 61850 system. Our anomaly detection scheme is introduced in section V and section VI presents the experimentation results. Section VII

1 The research reported in this article has been supported by the NSERC/Hydro-Québec Thales Senior Industrial Research Chair in Smart Grid Security.

978-1-5386-8099-5/19/$31.00 ©2019 IEEE
IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)
using RNN, GRU and LSTM, and compared their performance in terms of learning speed and accuracy.

As expected, RNN, being the simplest sequence model, was the fastest to train, followed by GRU, then LSTM. LSTM experienced the longest training time due to its complexity. In terms of prediction accuracy, LSTM and GRU show a slightly better accuracy than RNN. It should be noted however that all models successfully predicted the input signal. On the other hand, LSTM and GRU were more accurate. The R² (coefficient of determination) and root mean square (RMS) used to measure the accuracy of prediction are shown in Table III. As an outcome of this comparison, we decided to use LSTM rather than GRU and RNN.

[Fig. 4. IEEE 8-Bus system schema.]

[Fig. 5. The communication schema of the IEC 61850 substation with NSM. Figure labels: Station Level, Bay Level, Process Level, Station Bus switch, Process Bus switch.]

B. Rule based anomaly detection approach

The rule based anomaly detection approach aims at complementing the learning based part by enforcing rules to detect anomalies directly on the snapshots as they are fed to the detection engine. We use simple rules to check whether a certain MIB value is within a certain range or whether it has been changed. An example of such a rule: a change to the MIB object "iEDConfigurationVersion 0", which reports configuration changes, is an anomaly if the change is not scheduled. Moreover, we define more complicated rules that involve
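The simple rules of subsection B, sketched as an added Python example (not the paper's implementation): a range rule and a change rule evaluated over polled snapshots, where a change is accepted only inside a scheduled maintenance window. The `.0` instance suffix, the `exampleCpuLoadPercent` object, the timestamps and the window are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RangeRule:
    obj: str      # MIB object name
    lo: float
    hi: float
    def check(self, last, cur, ts, windows):
        v = cur.get(self.obj)
        ok = v is None or self.lo <= v <= self.hi
        return None if ok else f"{self.obj}={v} outside [{self.lo}, {self.hi}]"

@dataclass(frozen=True)
class ChangeRule:
    obj: str
    def check(self, last, cur, ts, windows):
        if self.obj not in cur or self.obj not in last:
            return None                      # nothing to compare against
        old, new = last[self.obj], cur[self.obj]
        if old == new or any(s <= ts <= e for s, e in windows):
            return None                      # unchanged, or a scheduled change
        return f"{self.obj} changed {old} -> {new} outside schedule"

def detect(snapshots, rules, windows):
    """Return [(timestamp, message)] for each rule a snapshot violates."""
    alerts, last = [], {}
    for ts, values in snapshots:
        for rule in rules:
            msg = rule.check(last, values, ts, windows)
            if msg:
                alerts.append((ts, msg))
        last.update(values)  # last-known values survive a missed poll
    return alerts

# Constructed sample data (object instance names, times, window are assumptions).
CFG, CPU = "iEDConfigurationVersion.0", "exampleCpuLoadPercent"
RULES = [ChangeRule(CFG), RangeRule(CPU, 0, 90)]
MAINTENANCE = [(100, 200)]           # scheduled change window, in seconds
SNAPSHOTS = [
    (10,  {CFG: 3, CPU: 20}),
    (150, {CFG: 4, CPU: 25}),        # change inside the window: allowed
    (300, {CFG: 5, CPU: 97}),        # unscheduled change and load out of range
    (310, {CPU: 30}),                # CFG missing from this poll
    (320, {CFG: 6, CPU: 31}),        # compared against last-known value 5
]

if __name__ == "__main__":
    for ts, msg in detect(SNAPSHOTS, RULES, MAINTENANCE):
        print(ts, msg)
```

Keeping last-known values rather than only the previous snapshot means a dropped poll does not hide a configuration change that happened while the object was unreadable.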
NSM DOs are implemented as SNMP MIBs, much like other existing MIBs such as TCP-MIB [22]. In the literature, we can find research that proposes attack detection mechanisms based on data from SNMP MIBs. However, unlike our work, none of them applies these techniques to the smart grid context or relies on the NSM DOs of IEC 62351-7.

Yu et al. propose a mechanism to detect flooding attacks based on data collected using SNMP and machine learning with Support Vector Machine (SVM) [23]. This work suggests that Intrusion Detection Systems (IDS) can benefit from information available in SNMP MIBs, but there is insufficient integration between the two to enable this to happen. In a further work by Yu et al. [24], an improved system is proposed where the C4.5 algorithm is used instead of SVM. Additionally, using association rule mining, this system can extract the rules used to classify flooding attacks into the three different types.

In a similar vein to the above, Priya et al. propose a Protocol Independent Detection and Classification (PIDC) system to detect Distributed Reflection Denial of Service (DRDoS) attacks using SNMP MIB data [25]. The intention is to classify TCP and Domain Name System (DNS) DRDoS attacks respectively. Much like the work by Yu et al. [23], this research only attempts to detect one kind of attack, namely DRDoS.

VIII. CONCLUSION AND FUTURE WORK

The secure operation of the substation is a cornerstone for end-to-end security of the smart grid. Recently, network and system management at the substation has been standardized in IEC 62351-7 to provide an additional layer of security. In this paper, we presented an implementation of an NSM platform for the IEC 61850 substations that complies with the IEC 62351-7 specifications. Furthermore, we defined a methodology for the elaboration of attacks on the communication protocols used in the substation. In addition, we built an anomaly detection system on top of the data collected through NSM. The developed system uses statistical data as well as values reported by the NSM data objects to detect cyber attacks on the substation. Finally, we concluded our study with testing the developed approach on different types of attacks, and its effectiveness was evaluated.

As a continuation of this work, we intend to enhance our NSM-based anomaly detection approach by considering further NSM objects and to complement this approach with deep packet inspection of the exchanged traffic. This is expected to improve our attack detection capabilities, and harden the security of the substation.

REFERENCES

[1] International Electrotechnical Commission, “IEC 61850 communication networks and systems for power utility automation,” International Electrotechnical Commission Std, 2010.
[2] International Electrotechnical Commission and others, “Power systems management and associated information exchange - Data and Communication Security,” IEC62351.
[3] IEC/TS 62351-7, “Power systems management and associated information exchange data and communications security part 7: Network and system management (NSM) data object models,” 2017.
[4] F. Cleveland, “Enhancing the reliability and security of the information infrastructure used to manage the power system,” in 2007 IEEE Power Engineering Society General Meeting, June 2007, pp. 1–8.
[5] W. Stallings, SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley Longman Publishing Co., Inc., 1998.
[6] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on information theory, vol. 29, no. 2, pp. 198–208, 1983.
[7] IEC/TS 62351-6, “Power systems management and associated information exchange data and communications security part 6: Security for IEC 61850.”
[8] N. Kush, E. Ahmed, M. Branagan, and E. Foo, “Poisoned goose: exploiting the goose protocol,” in Proceedings of the Twelfth Australasian Information Security Conference-Volume 149. Australian Computer Society, Inc., 2014, pp. 17–22.
[9] M. Strobel, N. Wiedermann, and C. Eckert, “Novel weaknesses in iec 62351 protected smart grid control systems,” in Smart Grid Communications (SmartGridComm), 2016 IEEE International Conference on. IEEE, 2016, pp. 266–270.
[10] “IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems,” IEEE Std 1588-2008 (Revision of IEEE Std 1588-2002), pp. 1–269, July 2008.
[11] B. Moussa et al., “Security Assessment of Time Synchronization Mechanisms for the Smart Grid,” IEEE ComST, vol. 18, no. 3, 2016.
[12] A. Albarakati et al., “OpenStack based evaluation framework for smart grid cyber security,” in 2018 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm) (IEEE SmartGridComm’18), Aalborg, Denmark, Oct. 2018.
[13] G. E. Box, G. M. Jenkins, G. C. Reinsel, and G. M. Ljung, Time series analysis: forecasting and control. John Wiley & Sons, 2015.
[14] I. H. Witten, E. Frank, M. A. Hall, and C. J. Pal, Data Mining: Practical machine learning tools and techniques. Morgan Kaufmann, 2016.
[15] Y. LeCun, Y. Bengio, and G. Hinton, “Deep learning,” Nature, vol. 521, no. 7553, p. 436, 2015.
[16] N. K. Ahmed, A. F. Atiya, N. E. Gayar, and H. El-Shishiny, “An empirical comparison of machine learning models for time series forecasting,” Econometric Reviews, vol. 29, no. 5-6, pp. 594–621, 2010.
[17] A. K. Palit and D. Popovic, Computational intelligence in time series forecasting: theory and engineering applications. Springer Science & Business Media, 2006.
[18] G. Bontempi, S. B. Taieb, and Y.-A. Le Borgne, “Machine learning strategies for time series forecasting,” in European business intelligence summer school. Springer, 2012, pp. 62–77.
[19] A. Sfetsos and A. Coonick, “Univariate and multivariate forecasting of hourly solar radiation with artificial intelligence techniques,” Solar Energy, vol. 68, no. 2, pp. 169–178, 2000.
[20] S. McNally, J. Roche, and S. Caton, “Predicting the price of bitcoin using machine learning,” in 2018 26th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP). IEEE, 2018, pp. 339–343.
[21] I. Goodfellow, Y. Bengio, and A. Courville, Deep Learning. MIT Press, 2016, http://www.deeplearningbook.org.
[22] R. Raghunarayan, “Management information base for the transmission control protocol (tcp),” Tech. Rep., 2005.
[23] J. Yu, H. Lee, M.-S. Kim, and D. Park, “Traffic flooding attack detection with snmp mib using svm,” Computer Communications, vol. 31, no. 17, pp. 4212–4219, 2008.
[24] J. Yu, H. Kang, D. Park, H.-C. Bang, and D. W. Kang, “An in-depth analysis on traffic flooding attacks detection and system using data mining techniques,” Journal of Systems Architecture, vol. 59, no. 10, pp. 1005–1012, 2013.
[25] P. M. Priya, V. Akilandeswari, S. M. Shalinie, V. Lavanya, and M. S. Priya, “The protocol independent detection and classification (pidc) system for drdos attack,” in 2014 International Conference on Recent Trends in Information Technology. IEEE, 2014, pp. 1–7.