Issues in Designing Cyber Security Proxy Gateways for Digital Substation Non-immune Bay Layers

Bay layer is the most fragile and deadly place for cyberattack if it has no cyber security features, due to the fact two crucial IEDs, i.E., protective relay (Protect IED) and measurementcontrol device (M&C IED), have the capability to open or close the circuit breaker in keeping with the presupposed scheme or after receiving a command from master station. Taking shielding relay as an example, its fundamental operation rule may be very simple, in case some electrical values are over the pre-stored setting point, commands of starting corresponding circuit breakers will be automatically issued to isolate the faulty equipment from the power system. In digital substation, the measured electric values are from Merging Unit (MU) in method layer in a message of Multicast Sampled Value (SMV), and the setting factor values can be changed by a message from station layer or master station in control center within the format of MMS (Manufacturing Message Specification).Nowadays, no cyber security features are applied on protective relays, i.E., protecting relays do now not have immune capability from cyberattack, therefore, in case of malicious tampering, false data injection, or replay attack of SMV messages or setting price focused MMS, a super possibility of malfunctions would show up which might cause major safety incident. Similarly, SMV messages are the main records for the SCADA/EMS for nation estimation and decision making, malicious tampering, false records injection, or replay attack of SMV messages can even lead SCADA/EMS to make a risky selection.

As for protection SMV messages, proposes an method to discover false facts primarily based on context information, along with voltage and current, of the same substation. Through gathering all records flowing in substation, include false facts, to enhance PNNs (probabilistic neural networks), after which use it to locate incursion; A scheme based totally on A-codes (authentication codes), known as unconditionally stable authentication codes, with the intention to guard the assault with infinite computer power is described, assumes that all devices have redundant CT/PT, and when redundant size is different in the identical bay, it proposes a singular fusion algorithm based on other c program languageperiod CTs/PTs dimension records, in order to determine whether the fault is really passed off within the bay, however it still has unsure intervals.

As for measuring and manage message, the possible attack method about false records injection is discussed in, from the angle of attacker. The attack module is described in [9] primarily based on graph theory and polynomial time complexity method, and it uses generalized likelihood ratio test method to come across the attack. In, through scanning a couple of key IEDs at the equal time, inference algorithm is used to come across the capability invasion event, and make sure that IEDs have a safety network environment. However, these techniques all forget about the real-time transmission requirement of message, in addition to the real-time of detection. All above research are initial with no application in practice. In this paper, we advise a two-layered cyber safety gateways as the proxy to prevent the non-immune safety relays from the cyber-assault.

Proposed Proxy Gateways in Digital Substations

According to IEC61850 standard, a digital substation can be divided into 3 layers from backside to top: manner layer, bay layer and station layer. Only the protective relays and measuring & manipulate IEDs within the bay layer have the electricity to trip the breakers. Therefore, ensuring of bay stage loose from cyber-attack is crucial. Fig.1 indicates the proposed framework of proxy gateways in the digital substation, an higher cyber proxy (UCP) can be implemented within the station layer, and decrease cyber proxy (LCP) inside the manner layer. According to IEC61850 standard, a digital substation can be divided into 3 layers from backside to top: procedure layer, bay layer and station layer. Only the protecting relays and measuring& manipulate IEDs within the bay layer have the energy to ride the breakers. Therefore, making sure of bay level free from cyber-assault is crucial. Fig.1 indicates the proposed framework of proxy gateways inside the virtual substation, an higher cyber proxy (UCP) could be implemented inside the station layer, and lower cyber proxy (LCP) inside the technique layer.


Downward command and Upward Message

All the downward command from notebook at station layer of substation, or from faraway manage center pc, will paintings on the IEDs at bay layer, i.E., protecting relays or M&C IEDs, through subsystem or RTU at station layer, this means that those bay layer IEDs are handiest operable via subsystem in substation layer. The implementation of UCP will make the bay layer free from cyber-assault originating from substation master station or from work stations at faraway manage middle.

Time-vital Control Command Secure Transmission

According to IEC62351-6, the cyber security prevention measures are in particular in two ways, i.E., authentication and encryption, authentication may be accomplished by way of digital signature. SCADA will difficulty a quick breaker control command to M&C IED to open or near the corresponding breaker, although such command will bypass through UCP and RTU to M&C, the steady transmission of such message have to meet the real-time requirement, which is similar just like the SMV secure transmission.

Non-time Critical Remote Operation

We anticipate that each one the non time-important far off operation of IEDs in bay layer from substation master station or from work stations at far off manipulate center can be in a layout of operation-order-sheet (OOS), and the model of OOS is just like the substation SCL XML description, however incorporates all the essential command and follows XML Security standards[12- 13] developed by W3C(World Wide Web Consortium) and IETF(Internet Engineering Task Force).

Digital Signature and Encryption of OOS

Digital signature use public key password system; each person has a private key that is held by himself for decryption and signatures, and has a public key this is publicly available for encryption and verification of signatures; while signing a report or message, the signer use signature characteristic to calculate the precise message digest, and then use his non-public key to translate it into digital signature, and the acquired digital signature is specific to the signed information, as well as the private key used to create the digital signature.

MMS Trnasmission of XML

The transmission is carried out the usage of the IEC61580 record transmission model within the shape of MMS message, and it makes use of the upper cyber proxy gateways because the server and far off computing device as a client.

Decryption and Signature Verification of XML

UCP will firstly read the sender’s public key, and use the important thing to verify the digital signature for affirm the record from sender, whilst it gets the encrypted XML file through the method of MMS ObtainFile; then use the irreversible set of rules to create new message digest of received document, and examine it with unique message digest, if they’re the equal, meaning the record has no longer been subject to any exchange after virtual signature; in any other case, the document is changed. And we can determine whether or not the file is modified by using this manner.

The operation of Upper Cyber Proxy Gateways

As a client, UCP will whole the operation together with set the constant value of protective relays, exchange the constant setting place and reset signal etc., in step with IEC 61850MMS; as for fixed periodic verification, it may additionally use the corresponding protocol to question the current constant cost and whole fixed periodic verification, after which go back the outcomes to the master station in the form of record.


Cyber-attack from Process Layer and its Defense Strategy

The main shape of method layer cyber-assault is procedure layer send fake or tampered SMV message to protecting relays of the bay degree. The conspiracy of assault is as follows: (1) Upload the fault modern-day while no fault happen; (2) Upload the fault-unfastened contemporary while fault happen; (3) Change the sample cost randomly. SMV message of manner layer belongs to rapid message[14], therefore it has a high real-time requirement (less than 4ms), and there are some light-weight encryption methods. An encryption method has been proposed in, which aim at a type of wide-vicinity protection system, and by way of Data Encryption Algorithm (DES) and Public Key Encryption (RSA), the check end result shows that DES can meet the safety necessities of wide-region safety and substation automation system. However, the message duration used in paper is 8B, which could’t reflect the real-time data that transmit in actual strength system. Similarly, an encryption method primarily based on tiny encryption set of rules (TEA) has been described, which most effective encrypt the key content material of SMV message (including electric powered values) so that it could avoid the large time consuming for the direct encryption of the complete message, the check end result, verified by the typical embedded hardware platform, shows that the encryption time is most effective zero.181ms, which can satisfies the real-time requirement; a safety framework proposed, which integrate with the SM2 password system.

SMV Detection and Protection

Module of LCP LCP will carry out the following operations at the message:

(1) If MU sends a digitally signed SMV message, then:

1) LCP will verify the integrity and signature of the message. And if the message passes the integrity verification, the SVED sends the message to IEDs thru a selected legal port, otherwise the message is discarded and a caution is generated, after which, the caution occasion is written to the warning log.

2) the SMV message surpassed the integrity verification will be ship to the SMV filtering module. And after reading in SMV message analysis module, the message will come into the specification-primarily based intrusion detection module which detects intrusion such as Dos attacks and generates warning, as well as discover the logical exception of message series number.

3) if the message passes the intrusion detection, then check it primarily based on historical events. Otherwise report the message, and file to grasp station; at the identical time, the message can be saved at the spot, waiting for the decision from grasp station.

(2) if MU sends a SMV message with out a virtual signature, then the SMV message will bypass the verification and go on the detection items. If the message passes the detection, it will be despatched to IEDs thru a specific legal port. And the whole time of detection is restricted inside 4ms. Otherwise, record the message, and document to grasp station, at the equal time, the message might be saved on the spot, waiting for the call from master station.

Design of the Lower Cyber Proxy Gateway

The detection algorithm of the lower cyber proxy gateway is primarily based on predefined specifications. The main precept is actively recognize the behavior that does not conform to the predefined logic, after which decide it. All the best conduct policies may be delivered right into a whitelist, and it is able to be enriched by means of schooling on the perfect behavior facts. And the statistics, which does now not meet the whitelist policies after education, could be added right into a blacklist. Six key modules of the decrease proxy gateway are as follows:

(1) message decryption module: confirm the digital signature of the SMV message that from MU, and decrypt the message in step with the encryption and decryption policies.

(2) message filtering module: due to GOOSE/SMV message having a excessive real-time requirement, GOOSE/SMV message is transmitted at once from application level to facts link stage, which does not use UDP/TCP/IP protocol. Therefore, it’s miles necessary to filter out SMV message in step with the special MVC star address.

(3) message analysis module: analyze the MAC address protocol of the message, extract the information inside the message, and send MAC address as well as information to the module of message anomaly detection.

(4) MAC cope with anomaly detection: all MAC cope with arriving at intrusion detection module ought to strictly abide via the predefined cope with receiving table. Once there’s a MAC deal with that does not in shape the table, the detection indicator MAC J is about to true, and the records is discarded with warning despatched immediately.

(5) specification-based totally intrusion detection module: carry out detection consisting of triggering trip facts, bad records, violation logic, over flow threshold caution and so on.

(6) facts detection based on historical events: locate whether or not the modern-day sampling statistics healthy the trigger situations of historic events, along with over contemporary, overvoltage and so on. And if it’s far confirmed, set the historic fault indicator lsft J to be true. Then, locate whether this sampling facts in shape the one of ancient attack, if it’s far confirmed, set the historical intrusion indicator lsit J to be true.

The remaining result may be respectively written to event log and warning log, consistent with the indicatorQ n that’s used to assess the strange. Warning, intrusion facts and indictorQ n might be send to grasp station, or displayed at the spot. If there is an ordinary detection end result, then the corresponding indicator is set to true, and the anomaly evaluation indexQ n turns into to 1, this means that intrusion detection module has ordinary intrusion events. And LCP will shows warning to the grasp station. On the contrary, the fee of Q n is 0 means there’s no intrusion.

Authentication and Encryption /Decryption Algorithm

Encryption/decryption of the SMV message, and virtual signature can make sure the integrity of statistics transmission, authenticate the identification of sender and keep away from the repudiation in facts exchange, however, it should consider each realtime and security. In this section, we will pick out a appropriate encryption /decryption approach and set of rules for MU as well as for decrease proxy gateway.

Because the core records, in addition to the maximum wanted facts to attacker, of the SMV message is the 4B information in front of every electric amount in DataSet field, that is in second half of every application service statistics unit (ASDU). As long as make certain the confidentiality of this a part of facts, the natural content material of SMV message will not be disclosed. Therefore, it could enhance the real-time transmission via encrypting the key data of SMV message. The description of the SM2 password system is now not brought indicates the special implementation procedure of SM2 password system.

Leave a comment

You must be logged in to post a comment.