WO2021177899A1 - Power system security enhancement - Google Patents

Power system security enhancement

Info

Publication number
WO2021177899A1
Authority: WO (WIPO (PCT))
Prior art keywords: network, devices, system network, security, agent
Application number: PCT/SG2021/050109
Other languages: French (fr)
Inventors: Nandha Kumar KANDASAMY, Jit Biswas
Original assignee: Singapore University Of Technology And Design
Application filed by: Singapore University Of Technology And Design
Publication: WO2021177899A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2127: Bluffing
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the present invention relates, in general terms, to a system and method for enhancing security of a system network.
  • the present invention relates to, but is not limited to, enhancing security of substation automation systems.
  • Electric power supply is an essential component for several sectors. Interruptions in power supply can greatly impact the overall operation of power systems including those in commercial, residential and industrial applications. The impact of power supply interruption attacks has been experienced through many incidents, one of the more prominent ones being the Ukraine power blackout that affected over 200,000 civilians.
  • PDSs, such as modern substations
  • SAS: Substation Automation System
  • Protocols in scope: Modbus, DNP3, IEC61850, TCP/IP and associated protocols
  • SST: trusted secondary source of truth
  • the SST allows a SAS to deal with several attacks that may be experienced by modern substations.
  • a network of devices is proposed as an augmentation to an existing substation. In some cases, the network of devices runs side-by-side the substation network and uses the same resources as devices of the substation network.
  • the devices in the proposed network of devices together act as a friendly agent, cooperating with the substation control systems in ways designed to detect anomalies, contain malicious agents, raise alerts, and other purposes.
  • a method for enhancing security of a system network comprising one or more devices, the method comprising: building an agent network comprising one or more security devices, the one or more security devices being designed to: appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network; and provide one or more enhanced security operations; and connecting the agent network to the system network thereby incorporating the enhanced security operations into the system network.
  • an "enhanced security operation" is a security operation not afforded by the existing devices on the system network.
  • Connecting the agent network to the system network may comprise operating the agent network parallel to the system network, using existing network and communication infrastructure of the system network.
  • Connecting the agent network to the system network may comprise deploying the agent network on independent network and communication infrastructure, and connecting the independent network and communication infrastructure with infrastructure of the system network. Connecting the agent network to the system network may comprise connecting the agent network to receive signals received by the system network.
  • the one or more security devices may analyse the signals to determine whether one or more of said signals is an abnormal signal.
  • the one or more security devices may be configured to validate legitimacy of control and data packets.
  • the one or more security devices may monitor operation of the one or more devices of the system network in response to signals received by the system network.
  • the one or more security devices may determine whether the one or more devices of the system network are operating as expected and, if not, raise an alarm.
  • the agent network may act on behalf of the system network by incorporating additional protocols into the system network without modifying operation of the one or more devices of the system network.
  • the one or more security devices may validate the legitimacy of control and data packets by: selecting consistency criteria based on physical layer invariants; and comparing the control and data packets to the physical layer invariants.
  • a system for enhancing security of a system network comprising one or more devices, comprising: an agent network comprising one or more security devices, the one or more security devices being designed to: appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network; and provide one or more enhanced security operations; wherein the agent network is connected to the system network thereby incorporating the enhanced security operations into the system network.
  • Connecting the agent network to the system network may comprise operating the agent network parallel to the system network, using existing network and communication infrastructure of the system network.
  • Connecting the agent network to the system network may comprise deploying the agent network on independent network and communication infrastructure, and connecting the independent network and communication infrastructure with infrastructure of the system network.
  • Connecting the agent network to the system network may comprise connecting the agent network to receive signals received by the system network.
  • the one or more security devices may analyse the signals to determine whether one or more of said signals is an abnormal signal.
  • the one or more security devices may be configured to validate the legitimacy of control and data packets.
  • the one or more security devices may monitor operation of the one or more devices of the system network in response to signals received by the system network.
  • the one or more security devices may determine whether the one or more devices of the system network are operating as expected and, if not, raise an alarm.
  • the agent network may act on behalf of the system network by incorporating additional protocols into the system network without modifying operation of the one or more devices of the system network.
  • the one or more security devices validate the legitimacy of control and data packets by: selecting consistency criteria based on physical layer invariants; and comparing the control and data packets to the physical layer invariants.
  • a power generation system comprising a system as described above, and the system network the security of which is enhanced by said system.
  • embodiments of the present invention can detect anomalies in the operation of substation plant, control signals delivered to substation plant and can contain malicious agents.
  • embodiments of the systems taught herein particularly those referred to as a secondary source of truth network (SSTNet) provide an orthogonal method of obtaining information in distributed power systems connected by a network.
  • the SSTNet may not be limited by computation or time constraints.
  • embodiments of the present system involve friendly agents that are unknown to, or unidentifiable by, potential threat agents. This provides a reliable and trusted mechanism for detecting malevolent events of compromise in distributed power system generation, transmission and distribution.
  • Figure 1 schematically depicts the position of devices of a trusted secondary source of truth network (SSTNet) of devices at the physical layer of a SAS;
  • Figure 2 shows experimental or simulated results of a normal synchronization process of two generators
  • Figure 3 shows experimental results on the synchronisation of the same two generators the normal (i.e. without attack) response for which is illustrated in Figure 2, after launch of a synchronisation attack;
  • Figure 4 shows implementation of SSTnet Device in a network fragment of an electric power and intelligent control (EPIC) testbed designed for improving defense against synchronization attacks;
  • Figure 5 shows apparent power during load sharing between two generators - G1 and G2;
  • Figure 6 illustrates a method implemented by the SSTNet.
  • a network of devices that act as a friendly agent on behalf of the substation.
  • the devices are positioned side by side with devices in the substation, either physically or in terms of communication pathways, such that the friendly devices receive the same signals as the devices of the substation.
  • the friendly devices are indistinguishable from devices of the substation, making it possible for attempts to be made to directly alter the behaviour of the friendly devices. Such attempted alterations in behaviour can be directly recognised and the attacker contained.
  • FIG. 1 shows a power generation system 100.
  • the power generation system 100 includes a system 102 (e.g. SSTNet as it will hereinafter be interchangeably referred to) for enhancing security of a system network 104 (e.g. SAS) in accordance with present teachings, along with the network of SAS devices 104 itself.
  • the system network 104 will comprise multiple devices Si ... Sm as shown though, at its most granular conceptual level, the present teachings can be used to enhance security of a single device Si.
  • the system 102 consists of a network of friendly agents (devices Ti ... Tn) that act on behalf of the substation, i.e. system network 104, by participating in security protocols that are beyond the scope of the production intelligent electronic devices (IEDs) and programmable logic controllers (PLCs), or in which the suppliers of those devices are unwilling to participate.
  • Devices Si ... Sm are, for example, IEDs and PLCs used to operate and control the substation or system network 104. It is normally expected that n will be much smaller than m. Both networks 102, 104 contain network elements such as switches (not shown) that are inherent to proper functioning of the network. Devices Ti ... Tn are, incorporate, or connect to sensors that report observations about the substation through the SST network 102, which operates parallel to the substation automation system (SAS) network, i.e. system network 104.
  • the system 102 therefore produces an output that represents a true state of the system network 104. This prevents an attack being made where behaviour of the system network 104 is altered but the substation or system operator remains unaware due to the attacker spoofing messages that would be expected to be received from devices of the system network 104 during normal operation. Instead, the system 102 provides a check. If the system 102 itself detects an anomaly, or if there is disagreement between the output of system 102 and system network 104, then an alarm can be raised.
  • the system 102 comprises an agent network comprising one or more security devices labelled Ti ... T n . While, in its broadest sense, the system 102 may comprise only a single security device Ti, the present embodiments will be described with reference to single or multiple such devices purely for context. In each case, it will be understood that the singular can imply the plural and vice versa.
  • Each security device Ti ... T n is designed to be undetectable to an external party. Being undetectable may mean that each security device Ti ... T n is hidden on the network or is otherwise indistinguishable from the devices of the system network 104.
  • each security device Ti ... T n provides one or more enhanced security operations.
  • the agent network can be connected to (i.e. incorporated into) the system network to incorporate the enhanced security operations into the system network 104. This means the system network 104 obtains the enhanced security operations (i.e. security functions, for example, for detecting anomalous operation of devices Si ... Sm) without yielding access to the devices Si ... Sm.
  • the security of the system network 104 can be updated without physically updating the system network 104 or even updating the software of devices Si ... Sm.
  • the enhanced security operations of devices Ti ... T n can be updated to incorporate new security functionality into the system 100.
  • the agent network 102 can be connected to the system network 104 in a variety of ways.
  • the agent network 102 is connected such that it operates parallel to the system network 104, using existing network and communication infrastructure of the system network 104.
  • the devices Ti ... Tn may be physically connected into the system network 104, in parallel with devices Si ... Sm.
  • the agent network 102 is deployed on independent network and communication infrastructure, and the independent network and communication infrastructure is connected to infrastructure of the system network 104. This avoids resource sharing and reduces the installation time. In each case, the operation of the devices Si ... Sm is undisturbed, thereby removing the need to modify or reacquire certifications for those devices Si ... Sm.
  • the agent network 102 is connected to the system network 104 in a manner that it can receive signals received by the system network 104.
  • the agent network 102 can therefore test the authenticity of those signals prior to implementation thereof by the system network 104, if there is sufficient time for that test. For time critical processes, the agent network 102 can still rapidly identify malicious signals (e.g. commands sent to devices Si ... Sm) and halt incorrect behaviour early.
  • the individual devices Ti ... T n of the SST network 102 may have any structure.
  • the devices Ti ... T n were composed of single board computers that run the SST system software (enhanced security operations) and operate within a substation (system 100) along with the SAS (system network 104).
  • the SAS devices Si ... Sm do not run SST system software and are only accessed by means of agreed upon substation automation protocols such as IEC61850.
  • Substation operators select consistency criteria based on physical layer invariants, e.g. receiving a circuit breaker 'close' command when the upstream breakers are open, in order to validate control commands received at the SAS devices Si ... Sm. Detected anomalies are flagged as intrusions and can be reported as alerts or prevented from execution depending on the severity of the attack.
  • the system 102 was developed in view of a gap between the provision of security for cyber physical systems in general and power systems in particular. This gap arises from the fact that intrusions go undetected and intrusive behaviour also goes undetected. Since all information for perceived health of a system arrives via a single source of truth, namely the interconnected network of substation devices, it is not possible to deal with this gap. Instead, information from the interconnected network of substation devices is taken at face value. Further, conventional security measures such as authentication and encryption may result in the time critical functions being delayed beyond the limits allowed by the standards such as IEC61850. In other words, it is not practical to implement them. For example, circuit breakers need to be able to operate in an emergency to cut off power. Signals causing power to be cut off therefore cannot await verification of the network and the performance of other security processes, before implementing the command to cut power.
  • the present system 102 provides a secondary source of truth, i.e. a source other than the system network 104 itself. It does so by looking into physical layer invariants that must exist in order for any system to operate in accordance with its specifications. If there is a difference between the SSTNet provided information and the information provided by the substation monitoring network, it is immediate cause to raise an alarm, or even to take pre-emptive control action.
  • SSTNets 102 are able to make use of a variety of protocols from different layers of the substation network or levels of the substation automation system - i.e. of the system network 104.
  • an SSTNet 102 carries out network-wide (which may incorporate multiple substations and other facilities) and substation-wide surveillance. It does so by incorporating measures (enhanced security operations) that are known to work against intruders: identification (through fingerprinting techniques), location of inconsistent behaviour (for example through invariants), or isolation by means of direct participation in the monitoring protocol itself, as in the case of IEC61850.
  • An SSTNet 102 may or may not share the same physical resources as the rest of the substation.
  • SSTNet 102, based on physical invariants, can leverage the direct measurements at the sensor and actuator level (e.g. current/voltage transformers and circuit breakers respectively) and deploy an independent and trusted communication network for implementing the SST.
  • the system 102 utilizes the existing network and communication infrastructure of system network 104.
  • Most devices Si ... Sm that belong to a Substation Automation System (SAS) support the use of computer networks to a certain extent, along with protocols such as Modbus, DNP3 and the IEC61850 protocol suite.
  • Standard vendor-provided devices often do not support incremental control and management software development, whether because the manufacturer refuses to provide access or because the internal configuration is fixed.
  • the devices Si ... Sm need to have interfaces that allow programmability.
  • networked agents such as publishers and subscribers, clients and servers must support key introduction, distribution and protocols for revocation of keys and other security features, from time to time. Devices that provide this programmability are therefore also vulnerable to attacks.
  • with the added devices Ti ... Tn it is possible to detect attackers and observe anomalies.
  • while the real devices Si ... Sm are easy to compromise because of the lack of security features, the added devices Ti ... Tn belonging to SSTNet cannot be compromised. Instead, they provide an effective mechanism to detect and isolate attackers and also to validate the legitimacy of control and data packets in the SAS network.
  • the attack vectors include a wide variety of sources, such as in-device vulnerabilities of OT devices, vulnerabilities of the IT devices and network vulnerabilities. Some of these attacks seek to affect synchronisation of generators or load balancing between generators, or produce parallel control commands and signals. These attacks can be very difficult to identify. However, the present system 102 facilitates identification of these attacks and defense against them.
  • the attacker seeks to prevent or delay synchronisation of generators. Synchronization is an important process for connecting the individual generators to the rest of the grid. Attack vectors such as Stuxnet and PLC/controller root-kits attack the target by maliciously modifying the underlying physical process. To perform this attack, the control logic of PLCs (of devices Si ... Sm) may be modified; this can be achieved by exploiting the remote access vulnerability of Wago PLCs, i.e. 'CVE-2012-6068'. In one example attack, during normal operation an incoming generator is accelerated to 1500.4 RPM to facilitate synchronization. The attacker modifies the relevant line in the code to 1500 RPM. Theoretically, the generators should not synchronize.
  • the proposed defense for the synchronisation attack is referred to herein as Level 0-1 security. This is because the device from Ti ... T n involved in detection of the attack is located one layer above physical layer security (process based in-device defense).
  • SSTnet 102 implements the security for attacks against synchronization of generators.
  • the SSTNet 102 measured or obtained measurements of the actual performance of the generators during synchronisation. These measurements differed from those outputted from the IED intended to control behaviour of the generators. The discrepancy gave rise to an alert.
  • the proposed defense was able to detect the attack within 10-20 seconds. This is well within the time taken for the normal synchronization process. Once the anomaly is detected, SSTNet device Ti ... T n displays a message that an attack has been detected.
  • the defense was implemented on an SBC (Raspberry Pi) using a C program and the LibIEC61850 library to detect such attacks on the synchronization process. If an anomaly is detected, the system 100 or system 102 may display a message that an attack has been detected.
  • the experimental setup 400 is shown in Figure 4.
  • the setup 400 forms a fragment of a larger network 412.
  • generators 402 and 404 are controlled via operation of switch or IED 406.
  • the circuit between the generators is closed through the switch or IED 406 and connection 408.
  • the switch or IED 406 receives the erroneous synchronisation command from a spoofed or compromised device from Si ... Sm (410).
  • the switch or IED 406 accurately measures performance of the generators 402, 404 but cannot, under normal conditions, receive an update command if the response from the switch or IED 406 is also being compromised through device 410 - i.e. the output of the device 410 is spoofed to suggest that synchronisation is proceeding as normal.
  • the SST device from Ti ... Tn (414) also receives the output from the switch or IED 406.
  • the device 414 may analyse the output, or pass it to a remote server for analysis, to detect the abnormal behaviour. This detection can be performed using machine learning techniques trained to distinguish between normal behaviour and abnormal behaviour (i.e. behaviour indicative of an attack or malfunction).
  • the device 414 analyses the signals from the device 406 to determine whether one or more of the signals from that device 406 is an abnormal signal - i.e. indicative of abnormal behaviour. In this way, the device 414 monitors operation of the generators 402, 404 of the system network in response to signals received by the system network - i.e. the signal from the compromised or spoofed device 410. In other embodiments, the device 414 may intercept or receive a signal from device 410 and determine that the signal itself is abnormal - e.g. likely to trigger abnormal behaviour in the generators.
  • the security devices Ti ... T n can be configured such that one of their security enhancement operations is to validate the legitimacy of control and data packets.
  • Validation can be performed by selecting consistency criteria based on physical layer invariants and comparing the control and data packets to the physical layer invariants. In this manner devices Ti ... T n can pre-emptively identify attacks based on anomalous control signals, as well as detect attacks in progress based on sensor measurements.
  • the device 414 can raise an alarm to alert the substation operator of the anomaly. Therefore, without impacting or modifying operation of components of the system network 412, the device 414 acts on behalf of the system network 412 by incorporating additional protocols into the system network 412.
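The comparison that device 414 performs, worked through as an added Python example (it is not code from the patent or from the authors' LibIEC61850 implementation): two views of the incoming generator's speed reach the SST device, the value reported by the production IED (which a compromised device 410 may spoof) and the value the SST device measures itself. The monitor alarms when the two disagree for a sustained period, and independently when the measured speed never leaves synchronous speed, so no slip builds up and synchronisation cannot complete. The 1500.4 RPM setpoint is the figure from the description; the synchronous speed, tolerances, timeouts and the sample traces are constructed assumptions.

```python
"""Secondary-source-of-truth check on a generator synchronisation sequence.

Constructed example: the SST device compares the IED's reported speed of the
incoming generator with its own independent measurement, and also checks that
the machine is really being driven above synchronous speed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SYNC_RPM = 1500.0          # synchronous speed of the machine (assumed)
TARGET_RPM = 1500.4        # setpoint the synchroniser should command (from the description)
RPM_TOLERANCE = 0.1        # allowed disagreement between IED report and SST measurement (assumed)
DISAGREE_SECONDS = 10.0    # sustained disagreement before alarming (assumed)
NO_SLIP_SECONDS = 20.0     # zero slip tolerated this long after sync was commanded (assumed)


@dataclass
class SpeedSample:
    t: float        # seconds since synchronisation was commanded
    ied_rpm: float  # incoming generator speed as reported by the production IED
    sst_rpm: float  # the same quantity as measured independently by the SST device


@dataclass
class SyncMonitor:
    disagree_since: Optional[float] = None
    alarms: List[str] = field(default_factory=list)

    def observe(self, s: SpeedSample) -> Optional[str]:
        """Return an alarm message for this sample, or None if it looks normal."""
        # Check 1: the IED's report must agree with the independent measurement.
        if abs(s.ied_rpm - s.sst_rpm) > RPM_TOLERANCE:
            if self.disagree_since is None:
                self.disagree_since = s.t
            elif s.t - self.disagree_since >= DISAGREE_SECONDS:
                return self._alarm(
                    f"t={s.t:.0f}s: IED reports {s.ied_rpm} RPM but SST measures {s.sst_rpm} RPM")
        else:
            self.disagree_since = None
        # Check 2: the machine must actually be driven off synchronous speed.
        if s.t >= NO_SLIP_SECONDS and abs(s.sst_rpm - SYNC_RPM) <= RPM_TOLERANCE:
            return self._alarm(
                f"t={s.t:.0f}s: no slip after {NO_SLIP_SECONDS:.0f}s, measured {s.sst_rpm} RPM")
        return None

    def _alarm(self, msg: str) -> str:
        self.alarms.append(msg)
        return msg


def first_alarm_time(trace: List[SpeedSample]) -> Optional[float]:
    """Run a monitor over a trace and return the time of the first alarm, if any."""
    mon = SyncMonitor()
    for s in trace:
        if mon.observe(s) is not None:
            return s.t
    return None


def normal_trace() -> List[SpeedSample]:
    """Constructed: both sources show the machine ramped to 1500.4 RPM and held there."""
    return [SpeedSample(0.0, 1499.0, 1499.0)] + [
        SpeedSample(float(t), TARGET_RPM, TARGET_RPM) for t in range(5, 65, 5)]


def attack_trace() -> List[SpeedSample]:
    """Constructed: setpoint tampered to 1500 RPM while the IED report is spoofed to 1500.4."""
    return [SpeedSample(float(t), TARGET_RPM, SYNC_RPM) for t in range(0, 65, 5)]


if __name__ == "__main__":
    print(first_alarm_time(normal_trace()), first_alarm_time(attack_trace()))
```

The second check matters because it does not depend on the IED at all: even if the attacker spoofs the IED report perfectly, the independently measured speed sitting at synchronous speed is itself inconsistent with a synchronisation that is supposedly in progress.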
  • A malicious power generation attack is a special class of attack, defined as an attack that affects the normal operation of power generation by a given set of generators in such a manner that the balance is affected in multiple aspects. For example, if two generators are designed to supply equal power, the attack can aim to modify the balance, say to 75%:25%. In doing so, the attacker can increase the losses (as higher current is flowing in one generator), increase the aging factor of the overloaded generator, increase the wear and tear of the overloaded generator and hence the maintenance schedule, and create an unexpected trip (power supply interruption) during peak load conditions.
  • the control logic of the PLC can be modified by exploiting the same remote access vulnerability mentioned above.
  • generators G1 and G2 will share the power equally when supplying power to loads.
  • the smart home PLC (SPLC) has the control code that issues a subsequent command to the variable speed drives (VSDs) to run at a specific speed (1500 RPM in this case), for enabling equal power-sharing among the two generators.
  • the normal operation is shown in Figure 5 from time 0 seconds up to around time 2000 seconds, and operation remains normal until briefly after the attack up to around time point 2380 seconds. During this period, the apparent power generation is equally shared between the generators and marked as normal.
  • SSTNet 102 was implemented to defend against malicious power generation attacks for generators connected in parallel.
  • This defense can involve detecting performance of the generators and determining, using the abovementioned machine learning model for distinguishing between (i.e. categorising) normal and anomalous behaviour, that the behaviour is anomalous.
  • anomalous behaviour in response to one control command may initially look like normal behaviour in response to another control command - e.g. intentional shutdown of one generator would result in unbalanced power generation - the SSTNet 102 or devices Ti ... T n may analyse the behaviour of the devices Si ...
  • SSTNet 102 would rapidly identify behaviour as anomalous if it did not move towards a balanced loading condition or did not move towards that condition as quickly as would be expected.
  • the defense to the load balancing attack was implemented on an SBC (Raspberry Pi) using a C program and the LibIEC61850 library.
  • The experimental setup is similar to the setup shown in Figure 4, only the position of the SSTnet device shifts from the network fragment onto the rest of the network 412; see device 416.
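The load-sharing check described in the preceding items, as an added Python example that is not the patent's or the authors' code. The design invariant from the description is equal sharing of apparent power between G1 and G2, and the attack case is a split pushed towards 75%:25%. Because a legitimate command (an operator taking one generator off line) also unbalances the split, the monitor takes the currently expected share as an input and alarms only when a deviation neither clears nor at least halves within a settling window, which is the "does not move towards balance as quickly as expected" condition above. The tolerance, the window, the kVA values and the timeline (balanced until about 2380 s, following Figure 5) are constructed assumptions.

```python
"""Load-sharing invariant check for two generators operating in parallel.

Constructed example: the expected G1 share is supplied by the operator context
(0.5 for equal sharing, 1.0 after G2 has been intentionally shut down), so an
intentional shutdown is not mistaken for an attack.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHARE_TOLERANCE = 0.05   # 5 percentage points off the expected share still counts as balanced (assumed)
SETTLE_SECONDS = 60.0    # the deviation must at least halve within this window (assumed)


@dataclass
class LoadShareMonitor:
    deviation_since: Optional[float] = None
    initial_deviation: float = 0.0

    def observe(self, t: float, g1_kva: float, g2_kva: float,
                expected_g1_share: float = 0.5) -> Optional[str]:
        """Return an alarm message, or None if the split is balanced or recovering."""
        total = g1_kva + g2_kva
        if total <= 0:
            return None  # nothing being generated; there is no sharing to judge
        deviation = abs(g1_kva / total - expected_g1_share)
        if deviation <= SHARE_TOLERANCE:
            self.deviation_since = None
            return None
        if self.deviation_since is None:
            self.deviation_since = t
            self.initial_deviation = deviation
            return None
        elapsed = t - self.deviation_since
        if elapsed >= SETTLE_SECONDS and deviation > 0.5 * self.initial_deviation:
            return (f"t={t:.0f}s: G1 share {g1_kva / total:.2f} vs expected "
                    f"{expected_g1_share:.2f} for {elapsed:.0f}s without recovering")
        return None


def first_alarm_time(trace: List[Tuple[float, float, float]],
                     expected_g1_share: float = 0.5) -> Optional[float]:
    """Run a monitor over (t, G1 kVA, G2 kVA) samples; return the first alarm time."""
    mon = LoadShareMonitor()
    for t, g1, g2 in trace:
        if mon.observe(t, g1, g2, expected_g1_share) is not None:
            return t
    return None


def attack_trace() -> List[Tuple[float, float, float]]:
    """Constructed around Figure 5's timeline: balanced until ~2380 s, then 75:25."""
    return ([(float(t), 50.0, 50.0) for t in range(2300, 2380, 20)]
            + [(float(t), 75.0, 25.0) for t in range(2380, 2600, 20)])


def transient_trace() -> List[Tuple[float, float, float]]:
    """Constructed: a load step unbalances the split briefly and the governors recover."""
    return [(0.0, 50.0, 50.0), (20.0, 65.0, 35.0), (40.0, 58.0, 42.0),
            (60.0, 52.0, 48.0), (80.0, 50.0, 50.0)]


def shutdown_trace() -> List[Tuple[float, float, float]]:
    """Constructed: G2 was intentionally taken off line, so G1 is expected to carry everything."""
    return [(float(t), 100.0, 0.0) for t in range(0, 200, 20)]


if __name__ == "__main__":
    print(first_alarm_time(attack_trace()),          # alarms 60 s after the split shifts
          first_alarm_time(transient_trace()),       # recovering transient: no alarm
          first_alarm_time(shutdown_trace(), 1.0),   # expected share updated: no alarm
          first_alarm_time(shutdown_trace()))        # same data, stale expectation: alarm
```

The last two calls illustrate the point made above about an intentional shutdown: the same measurements are anomalous or normal depending on which control command the operator actually issued, so the expected share has to come from a trusted source rather than from the device under suspicion.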
  • the attacker sends parallel commands to alter behaviour of components on a substation. In some cases, the behaviour must be implemented rapidly, without sufficient time to verify the authenticity of control commands.
  • the SST device T performed physical invariant validation on the control signal.
  • the device T was a single board computer (SBC) that implemented physical invariant validation for one specific command i.e., open circuit breaker, using the measurement from the corresponding IED.
  • the present communication channel used Modbus over TCP/IP for command validation - this mode is only an example, and the method can be implemented using any other form such as physical contacts and other secured network protocols.
  • the experimental setup is similar to the setup shown in Figure 4, only the position of the SSTnet device is different; its location will be similar to, or the same as, that of device 416.
  • the proposed defense prohibited oscillation between open and closed states of the breaker, which can otherwise cause significant stress on the generators.
  • the proposed defense prohibited the command from being executed as well as avoiding chattering attacks. In other words, the defense was pre-emptive and the attack was not implemented.
  • the security device T analysed the control data packet and gave the system network device a command to skip the packet - i.e. no anomaly or alarm is raised in this scenario, and the PLC is instead given command by the SSTNet device to skip the command. Therefore, the security devices Ti ... T n do not raise an alarm in all instances of a detected anomaly.
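The pre-emptive command validation of the preceding items (physical-invariant checks on a breaker command, the anti-chattering rule, and the "skip the packet, no alarm" outcome), as an added Python example that is not the patent's or the authors' code. The invariant that a 'close' must not arrive while the upstream breakers are open is taken from the description. The dwell-time rule used to block oscillation, the fault-current threshold, and the rule that opening a breaker under normal load requires an approved switching order are assumptions made for this example, as are the command and state formats; the Modbus/TCP transport the authors used is not modelled.

```python
"""Physical-invariant validation of circuit-breaker commands.

Constructed example of the guard an SST device places in front of a control
command before the SAS executes it. Outcomes: EXECUTE (consistent with the
measured state), SKIP (tell the PLC to drop the packet, no alarm) and ALARM
(the command contradicts a physical-layer invariant).
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Set

MIN_DWELL_SECONDS = 5.0   # a breaker may not change state again within this time (assumed)
FAULT_CURRENT_A = 2000.0  # above this current an 'open' is treated as protection action (assumed)


class Verdict(Enum):
    EXECUTE = "execute"
    SKIP = "skip"
    ALARM = "alarm"


@dataclass
class BreakerState:
    closed: bool            # current position, from the IED measurement
    current_a: float        # measured line current through the breaker
    upstream_closed: bool   # whether the upstream breakers are closed
    last_change_t: float    # time of the last state change


@dataclass
class Command:
    t: float
    op: str                 # "open" or "close"
    order_id: str = ""      # switching-order reference carried by the packet (assumed field)


def validate(cmd: Command, state: BreakerState, approved_orders: Set[str]) -> Verdict:
    if cmd.op not in ("open", "close"):
        return Verdict.ALARM
    # Invariant from the description: closing onto an open upstream circuit is never legitimate.
    if cmd.op == "close" and not state.upstream_closed:
        return Verdict.ALARM
    # A command asking for the position the breaker is already in is dropped.
    wants_closed = cmd.op == "close"
    if wants_closed == state.closed:
        return Verdict.SKIP
    # Anti-chatter: refuse a second change inside the dwell window.
    if cmd.t - state.last_change_t < MIN_DWELL_SECONDS:
        return Verdict.SKIP
    # Assumed rule: opening a breaker that carries normal load needs an approved order,
    # unless the measured current indicates a fault that protection must clear.
    if (cmd.op == "open" and 0 < state.current_a < FAULT_CURRENT_A
            and cmd.order_id not in approved_orders):
        return Verdict.SKIP
    return Verdict.EXECUTE


def process_sequence(cmds: List[Command], state: BreakerState,
                     approved_orders: Set[str]) -> List[Verdict]:
    """Validate each command in turn, applying only the executed ones to the state."""
    verdicts = []
    for cmd in cmds:
        v = validate(cmd, state, approved_orders)
        if v is Verdict.EXECUTE:
            state.closed = cmd.op == "close"
            state.last_change_t = cmd.t
            state.current_a = 120.0 if state.closed else 0.0  # constructed load current
        verdicts.append(v)
    return verdicts


def chatter_demo() -> List[str]:
    """Constructed sequence: an approved open followed by rapid close/open toggles."""
    state = BreakerState(closed=True, current_a=120.0, upstream_closed=True, last_change_t=-60.0)
    cmds = [Command(0.0, "open", "SO-1"), Command(1.0, "close"),
            Command(2.0, "open"), Command(10.0, "close")]
    return [v.value for v in process_sequence(cmds, state, {"SO-1"})]


if __name__ == "__main__":
    print(chatter_demo())
```

Note that the chattering sequence produces two SKIP verdicts and no alarm, matching the behaviour described above where the SSTNet device instructs the PLC to skip the packet rather than raising an alarm; only the close-onto-open-upstream case, which cannot be explained by any legitimate operation, is escalated.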
  • the present teachings provide a trusted approach using system 102 that aids the SASs to deal with several attack vectors and attack goals.
  • the network of devices proposed as an augmentation to an existing SAS device has proved to be minimally invasive and versatile.
  • the SSTNet devices can either run side-by-side on the substation network using the same resources, or can form a standalone trusted network.
  • the proposed system when combined with physical invariants-based anomaly detection could be an effective solution for defending SAS operations.
  • the present system 102 can be incorporated into existing systems such as: energy storage systems for smaller standalone systems or grid connected systems; Power Generation Company (Genco) operated substations with distinct interfaces facing the grid and the substation - operations management may want to put in place their own set of criteria which may or may not include vendor provided monitoring systems and, in this case, the secondary source of truth (SST) is a strong validation of the reliability of a system and its components; power systems, to detect control packet injection, which is a threat to all substations; and SAS devices, to enhance the security functionalities of those devices without affecting the time critical operations and with absolutely no intrusion into the device hardware/software.
  • the present system 102 and method described below with reference to Figure 6 creates a methodology to put in place guards that provide additional checks based on physical layer invariants, before carrying out a control action in a substation.
  • the system 102 employs a method for enhancing security of a system network, such as method 600 of Figure 6.
  • the method 600 broadly comprises:
  • Step 602 building an agent network
  • Step 604 connecting the agent network to the system network.
  • Step 602 involves building an agent network comprising one or more security devices Ti ... Tn.
  • the one or more security devices Ti ... Tn are designed to appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network.
  • the devices Ti ... Tn are also designed to provide one or more enhanced security operations.
  • the agent network is then connected, per step 604, to the system network to incorporate the enhanced security operations into the system network.
  • the various connection schema are described with reference to Figure 1.

Abstract

Disclosed is a method for enhancing security of a system network. The system network includes one or more devices. The method involves building an agent network comprising one or more security devices. The one or more security devices are designed to appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network, and to provide one or more enhanced security operations. The method also involves connecting the agent network to the system network thereby incorporating the enhanced security operations into the system network.

Description

POWER SYSTEM SECURITY ENHANCEMENT
Technical Field
The present invention relates, in general terms, to a system and method for enhancing security of a system network. In particular, the present invention relates to, but is not limited to, enhancing security of substation automation systems.
Background
Electric power supply is an essential component for several sectors. Interruptions in power supply can greatly impact the overall operation of power systems including those in commercial, residential and industrial applications. The impact of power supply interruption attacks has been experienced through many incidents, one of the more prominent ones being the Ukraine power blackout that affected over 200,000 civilians.
Previously reported attacks tend to focus on traditional generation systems, transmission systems and loss of a line. Little attention has been given to power distribution systems (PDSs) or the individual components that are more vulnerable to attacks than the highly secured transmission systems.
To facilitate remote control and monitoring, PDSs, such as modern substations, are typically internet-enabled. With the extensive use and availability of Ethernet, modern Substation Automation Systems (SAS) employ various protocols to monitor and control devices. Some examples are Modbus, DNP3 and IEC61850, many of which use TCP/IP and associated protocols. This has made access to the substation available to malicious agents via the SAS. Skilled attackers may gain access to control signals, network structure and other information that can be used or manipulated to hinder power system operation - e.g. power generation. It would be desirable to overcome or ameliorate at least one of the above-described problems, namely the rapid identification of attackers or the effects of their attacks, or at least to provide a useful alternative.
Summary
Disclosed are methods and systems that make use of a trusted secondary source of truth (SST) to enhance system network security. The SST allows a SAS to deal with several attacks that may be experienced by modern substations. A network of devices is proposed as an augmentation to an existing substation. In some cases, the network of devices runs side-by-side with the substation network and uses the same resources as devices of the substation network. The devices in the proposed network of devices together act as a friendly agent, cooperating with the substation control systems in ways designed to detect anomalies, contain malicious agents, raise alerts, and for other purposes.
In general, if there is disagreement between the information gathered by the network of proposed devices and the substation network, then analysis is conducted to determine if that disagreement is the result of an attack.
Disclosed herein is a method for enhancing security of a system network, the system network comprising one or more devices, the method comprising: building an agent network comprising one or more security devices, the one or more security devices being designed to: appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network; and provide one or more enhanced security operations; and connecting the agent network to the system network thereby incorporating the enhanced security operations into the system network. In the present context, an "enhanced security operation" is a security operation not afforded by the existing devices on the system network.
Connecting the agent network to the system network may comprise operating the agent network parallel to the system network, using existing network and communication infrastructure of the system network.
Connecting the agent network to the system network may comprise deploying the agent network on independent network and communication infrastructure, and connecting the independent network and communication infrastructure with infrastructure of the system network. Connecting the agent network to the system network may comprise connecting the agent network to receive signals received by the system network. The one or more security devices may analyse the signals to determine whether one or more of said signals is an abnormal signal. The one or more security devices may be configured to validate the legitimacy of control and data packets.
The one or more security devices may monitor operation of the one or more devices of the system network in response to signals received by the system network. The one or more security devices may determine whether the one or more devices of the system network are operating as expected and, if not, raise an alarm.
The agent network may act on behalf of the system network by incorporating additional protocols into the system network without modifying operation of the one or more devices of the system network.
The one or more security devices may validate the legitimacy of control and data packets by: selecting consistency criteria based on physical layer invariants; and comparing the control and data packets to the physical layer invariants.
Also disclosed herein is a system for enhancing security of a system network, the system network comprising one or more devices, comprising: an agent network comprising one or more security devices, the one or more security devices being designed to: appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network; and provide one or more enhanced security operations; wherein the agent network is connected to the system network thereby incorporating the enhanced security operations into the system network.
Connecting the agent network to the system network may comprise operating the agent network parallel to the system network, using existing network and communication infrastructure of the system network.
Connecting the agent network to the system network may comprise deploying the agent network on independent network and communication infrastructure, and connecting the independent network and communication infrastructure with infrastructure of the system network.
Connecting the agent network to the system network may comprise connecting the agent network to receive signals received by the system network. The one or more security devices may analyse the signals to determine whether one or more of said signals is an abnormal signal. The one or more security devices may be configured to validate the legitimacy of control and data packets.
The one or more security devices may monitor operation of the one or more devices of the system network in response to signals received by the system network. The one or more security devices may determine whether the one or more devices of the system network are operating as expected and, if not, raise an alarm. The agent network may act on behalf of the system network by incorporating additional protocols into the system network without modifying operation of the one or more devices of the system network.
The one or more security devices validate the legitimacy of control and data packets by: selecting consistency criteria based on physical layer invariants; and comparing the control and data packets to the physical layer invariants.
Also disclosed herein is a power generation system comprising a system as described above, and the system network the security of which is enhanced by said system. Advantageously, embodiments of the present invention can detect anomalies in the operation of substation plant, control signals delivered to substation plant and can contain malicious agents.
Advantageously, embodiments of the systems taught herein, particularly those referred to as a secondary source of truth network (SSTNet), provide an orthogonal method of obtaining information in distributed power systems connected by a network.
Advantageously, unlike the devices in typical power control systems, the SSTNet may not be limited by computation or time constraints.
Advantageously, embodiments of the present system involve friendly agents that are unknown to, or unidentifiable by, potential threat agents. This provides a reliable and trusted mechanism for detecting malevolent events of compromise in distributed power system generation, transmission and distribution.
Brief description of the drawings
Embodiments of the present invention will now be described, by way of non-limiting example, with reference to the drawings in which:
Figure 1 schematically depicts the position of devices of a trusted secondary source of truth network (SSTNet) of devices at the physical layer of a SAS;
Figure 2 shows experimental or simulated results of a normal synchronization process of two generators;
Figure 3 shows experimental results on the synchronisation of the same two generators, the normal (i.e. without attack) response for which is illustrated in Figure 2, after launch of a synchronisation attack;
Figure 4 shows implementation of an SSTnet device in a network fragment of an electric power and intelligent control (EPIC) testbed designed for improving defense against synchronization attacks;
Figure 5 shows apparent power during load sharing between two generators - G1 and G2; and
Figure 6 illustrates a method implemented by the SSTNet.
Detailed description
Presently disclosed is a network of devices that act as a friendly agent on behalf of the substation. The devices are positioned side-by-side with devices in the substation - either physically or in terms of communication pathways - such that the friendly devices receive the same signals as the devices of the substation. Moreover, in some embodiments the friendly devices are indistinguishable from devices of the substation, making it possible for attempts to be made to directly alter the behaviour of the friendly devices. Such attempted alterations in behaviour can be directly recognised and the attacker contained.
Figure 1 shows a power generation system 100. The power generation system 100 includes a system 102 (e.g. SSTNet as it will hereinafter be interchangeably referred to) for enhancing security of a system network 104 (e.g. SAS) in accordance with present teachings, along with the network of SAS devices 104 itself. In general, the system network 104 will comprise multiple devices Si ... Sm as shown though, at its most granular conceptual level, the present teachings can be used to enhance security of a single device Si.
The system 102 consists of a network of friendly agents (devices Ti ... Tn) that act on behalf of the substation - i.e. system network 104 - by participating in security protocols that are beyond the scope of the production intelligent electronic devices (IEDs) and programmable logic controllers (PLCs), or in which the suppliers of those devices are unwilling to participate.
Devices Si ... Sm are, for example, IEDs and PLCs used to operate and control the substation or system network 104. It is normally expected that n will be much smaller than m. Both networks 102, 104 contain network elements such as switches (not shown), that are inherent to proper functioning of the network. Devices Ti ... Tn are, incorporate, or connect to sensors that report observations about the substation through the SST network 102, which operates parallel to the substation automation system (SAS) network, i.e. system network 104.
The system 102 therefore produces an output that represents a true state of the system network 104. This prevents an attack being made where behaviour of the system network 104 is altered but the substation or system operator remains unaware due to the attacker spoofing messages that would be expected to be received from devices of the system network 104 during normal operation. Instead, the system 102 provides a check. If the system 102 itself detects an anomaly, or if there is disagreement between the output of system 102 and system network 104, then an alarm can be raised.
The system 102 comprises an agent network comprising one or more security devices labelled Ti ... Tn. While, in its broadest sense, the system 102 may comprise only a single security device Ti, the present embodiments will be described with reference to single or multiple such devices purely for context. In each case, it will be understood that the singular can imply the plural and vice versa.
Each security device Ti ... Tn is designed to be undetectable to an external party. Being undetectable may mean that each security device Ti ... Tn is hidden on the network or is otherwise indistinguishable from the devices of the system network 104. In addition, each security device Ti ... Tn provides one or more enhanced security operations. Using this strategy, the agent network can be connected to (i.e. incorporated into) the system network to incorporate the enhanced security operations into the system network 104. This means the system network 104 obtains the enhanced security operations (i.e. security functions, for example, for detecting anomalous operation of devices Si ... Sm) without yielding access to the devices Si ... Sm.
In addition, this means the security of the system network 104 can be updated without physically updating the system network 104 or even updating the software of devices Si ... Sm. Instead, the enhanced security operations of devices Ti ... Tn can be updated to incorporate new security functionality into the system 100.
The agent network 102 can be connected to the system network 104 in a variety of ways. In some embodiments, the agent network 102 is connected such that it operates parallel to the system network 104, using existing network and communication infrastructure of the system network 104. For example, the devices Ti ... Tn may be physically connected into the system network 104, in parallel with devices Si ... Sm. In other embodiments, the agent network 102 is deployed on independent network and communication infrastructure, and the independent network and communication infrastructure is connected to infrastructure of the system network 104. This avoids resource sharing and reduces the installation time. In each case, the operation of the devices Si ... Sm is undisturbed, thereby removing the need to modify or reacquire certifications for those devices Si ... Sm.
In each case, the agent network 102 is connected to the system network 104 in a manner that it can receive signals received by the system network 104. The agent network 102 can therefore test the authenticity of those signals prior to implementation thereof by the system network 104, if there is sufficient time for that test. For time critical processes, the agent network 102 can still rapidly identify malicious signals (e.g. commands sent to devices Si ... Sm) and halt incorrect behaviour early.
Leveraging off the above concept, the present teachings provide a method and a system for intrusion detection. The individual devices Ti ... Tn of the SST network 102 may have any structure. In testing, the devices Ti ... Tn were composed of single board computers that run the SST system software (enhanced security operations) and operate within a substation (system 100) along with the SAS (system network 104). The SAS devices Si ... Sm do not run SST system software and are only accessed by means of agreed upon substation automation protocols such as IEC61850. Substation operators select consistency criteria based on physical layer invariants - e.g. receiving a circuit breaker 'close' command when the upstream breakers are opened - in order to validate control commands received at the SAS devices Si ... Sm. Detected anomalies are flagged as intrusions and can be reported as alerts or prevented from execution depending on the severity of the attack.
The system 102 was developed in view of a gap between the provision of security for cyber physical systems in general and power systems in particular. This gap arises from the fact that intrusions go undetected and intrusive behaviour also goes undetected. Since all information for perceived health of a system arrives via a single source of truth, namely the interconnected network of substation devices, it is not possible to deal with this gap. Instead, information from the interconnected network of substation devices is taken at face value. Further, conventional security measures such as authentication and encryption may result in the time critical functions being delayed beyond the limits allowed by the standards such as IEC61850. In other words, it is not practical to implement them. For example, circuit breakers need to be able to operate in an emergency to cut off power. Signals causing power to be cut off therefore cannot await verification of the network and the performance of other security processes, before implementing the command to cut power.
The present system 102 provides a secondary source of truth - i.e. a source other than the system network 104 itself. It does so by looking into physical layer invariants that must exist in order for any system to operate in accordance with its specifications. If there is a difference between the SSTNet-provided information and the information provided by the substation monitoring network, it is immediate cause to raise an alarm, or even to take pre-emptive control action.
SSTNets 102 are able to make use of a variety of protocols from different layers of the substation network or levels of the substation automation system - i.e. of the system network 104. In some embodiments, a SSTNet 102 carries out network wide (which may incorporate multiple substations and other facilities) or sub-station wide surveillance. It does so incorporating measures (enhanced security operations) that are known to work against intruders by identification (through fingerprinting techniques), or location of inconsistent behaviour (for example through invariants) or through isolation by means of direct participation in the monitoring protocol itself, as in the case of IEC61850. An SSTNet 102 may or may not share the same physical resources as the rest of the substation. Where it does not, it provides for a completely separate path for communication between entities in the system, and also avoids burdening the computation and communication resources of the substation. Accordingly, SSTNet 102, based on physical invariants, can leverage on the direct measurements at the sensor and actuator level (e.g. current/voltage transformers and circuit breakers respectively) and deploy an independent and trusted communication network for implementing the SST. In other embodiments, the system 102 utilizes the existing network and communication infrastructure of system network 104. Most devices Si ... Sm that belong to a Substation Automation System (SAS) support the use of computer networks to a certain extent, along with protocols such as Modbus, DNP3 and the IEC61850 protocol suite. Standard vendor-provided devices often do not support incremental control and management software development, whether because the manufacturer refuses to provide access or because the device has a fixed internal configuration. To support the security (meaning confidentiality, authentication and integrity and other properties) of networked environments the devices Si ... Sm need to have interfaces that allow programmability. For example, in order to secure protocols such as GOOSE and MMS, networked agents such as publishers and subscribers, clients and servers must support key introduction, distribution and protocols for revocation of keys and other security features, from time to time. Devices that provide this programmability are also therefore vulnerable to attacks.
To reduce the impact of attacks, networked devices Ti ... Tn are introduced side-by-side with the SAS devices Si ... Sm in such a manner that, from the perspective of the attacker, it is difficult to tell which device is a fake and which is a real component of the SAS 104. Substation configuration description language (SCL) files are used to list the devices in the network 104. The SAS 104 creates the SCL files. It is therefore possible to modify SCL files to introduce the additional devices Ti ... Tn. Therefore, even if an attacker obtains the entire directory of the substation 104, they will be unaware of the presence of the added devices Ti ... Tn which have added security algorithms built in. Connecting the system 102 to the system network 104 may therefore involve updating a directory of system network 104 to include the devices Ti ... Tn.
Through the added devices Ti ... Tn it is possible to detect attackers and observe anomalies. Though the real devices Si ... Sm are easy to compromise because of the lack of security features, the added devices Ti ... Tn belonging to SSTNet cannot be compromised. Instead, they provide an effective mechanism to detect and isolate attackers and also to validate the legitimacy of control and data packets in the SAS network.
The attack vectors include a wide variety of actors such as in-device vulnerabilities of OT devices, vulnerabilities of the IT devices and network vulnerabilities. Some of these attacks seek to affect synchronisation of generators or load balancing between generators, or produce parallel control commands and signals. These attacks can be very difficult to identify. However, the present system 102 facilitates identification of these attacks and defense against them.
In one form of attack, the attacker seeks to prevent or delay synchronisation of generators. Synchronization is an important process for connecting the individual generators to the rest of the grid. Attack vectors such as Stuxnet and PLC/controller root-kits attack the target by maliciously modifying the underlying physical process. To perform this attack, the control logic of the PLCs (of devices Si ... Sm) may be modified - this can be achieved by exploiting the remote access vulnerability of Wago PLCs, i.e. 'CVE-2012-6068'. In one example attack, during normal operation an incoming generator is accelerated to 1500.4 RPM to facilitate synchronization. The attacker modifies the relevant line in the code to 1500 RPM. Theoretically, the generators should not synchronize. However, in practice they nevertheless synchronize due to imperfections in the proportional-integral-derivative (PID) control of the generators, as shown in Figure 2. Notably, skilled attackers will also carry out adequate spoofing on the monitoring system to postpone detection. In Figure 2, synchronisation is achieved when the angle (e.g. between generators) reaches 0°. Notably, the angle changes from -180° to 180° at a significantly slower pace when compared to Figure 3, which represents synchronisation under normal conditions. The breaker is closed when the generators are synchronized - this took more than 5200 seconds (nearly 1.5 hours) in the case of the attack, whereas usually synchronization took an average of around 200 seconds in the absence of an attack.
The proposed defense for the synchronisation attack is referred to herein as Level 0-1 security. This is because the device from Ti ... Tn involved in detection of the attack is located one layer above physical layer security (process based in-device defense). SSTnet 102 implements the security for attacks against synchronization of generators. The SSTNet 102 measured or obtained measurements of the actual performance of the generators during synchronisation. These measurements differed from those outputted from the IED intended to control behaviour of the generators. The discrepancy gave rise to an alert. The proposed defense was able to detect the attack within 10-20 seconds. This is well within the time taken for the normal synchronization process. Once the anomaly is detected, SSTNet device Ti ... Tn displays a message that an attack has been detected.
The defense was implemented on an SBC (Raspberry Pi) using a C program and the LibIEC61850 library to detect such attacks on the synchronization process. If an anomaly is detected, the system 100 or system 102 may display a message that an attack has been detected.
The experimental setup 400 is shown in Figure 4. The setup 400 forms a fragment of a larger network 412. Here, generators 402 and 404 are controlled via operation of switch or IED 406. The circuit between the generators is closed through the switch or IED 406 and connection 408. The switch or IED 406 receives the erroneous synchronisation command from a spoofed or compromised device from Si ... Sm (410). The switch or IED 406 accurately measures performance of the generators 402, 404 but cannot, under normal conditions, receive an update command if the response from the switch or IED 406 is also being compromised through device 410 - i.e. the output of the device 410 is spoofed to suggest that synchronisation is proceeding as normal. In contrast, the SST device from Ti ... Tn (414) also receives the output from the switch or IED 406. The device 414 may analyse the output, or pass it to a remote server for analysis, to detect the abnormal behaviour. This detection can be performed using machine learning techniques trained to distinguish between normal behaviour and abnormal behaviour (i.e. behaviour indicative of an attack or malfunction).
Therefore, the device 414 analyses the signals from the device 406 to determine whether one or more of the signals from that device 406 is an abnormal signal - i.e. indicative of abnormal behaviour. In this way, the device 414 monitors operation of the generators 402, 404 of the system network in response to signals received by the system network - i.e. the signal from the compromised or spoofed device 410. In other embodiments, the device 414 may intercept or receive a signal from device 410 and determine that the signal itself is abnormal - e.g. likely to trigger abnormal behaviour in the generators. To this end, the security devices Ti ... Tn can be configured such that one of their security enhancement operations is to validate the legitimacy of control and data packets. Validation can be performed by selecting consistency criteria based on physical layer invariants and comparing the control and data packets to the physical layer invariants. In this manner devices Ti ... Tn can pre-emptively identify attacks based on anomalous control signals, as well as detect attacks in progress based on sensor measurements.
On detection of an anomaly either in the control and data packets, or in the operation of the generators 402, 404, the device 414 can raise an alarm to alert the substation operator of the anomaly. Therefore, without impacting or modifying operation of components of the system network 412, the device 414 acts on behalf of the system network 412 by incorporating additional protocols into the system network 412.
In another form of attack, the attacker seeks to affect load balancing between generators. A malicious power generation attack is a special class of attack, defined as an attack that affects the normal operation of power generation by a given set of generators in such a manner that the balance is affected in multiple aspects. For example, if two generators are designed to supply equal power, the attack can aim to modify the balance, say to 75%:25%. In doing so, the attacker can increase the losses (as a higher current flows in one generator), increase the aging factor of the overloaded generator, increase the wear and tear of the overloaded generator and hence affect the maintenance schedule, and create an unexpected trip (power supply interruption) during peak load conditions.
To realize the attack, the control logic of the PLC can be modified by exploiting the same remote access vulnerability mentioned above. During normal operation, generators G1 and G2 will share the power equally when supplying power to loads. The smart home PLC (SPLC) has the control code that issues a subsequent command to the variable speed drives (VSDs) to run at a specific speed (1500RPM in this case), for enabling equal power-sharing among the two generators. The normal operation is shown in Figure 5 from time 0 seconds up to around time 2000 seconds, and operation remains normal until briefly after the attack up to around time point 2380 seconds. During this period, the apparent power generation is equally shared between the generators and marked as normal.
After the attack was launched on generator G1 as indicated in Figure 5 at around 2000 seconds, the speed of the prime mover of G2 is reduced to 1500 RPM when generator G1 is supplying more power. Thus, the power-sharing process is disabled. As indicated in Figure 5, after the attack, whenever G2 is supplying more power than Gl, G1 takes over until equal power is shared among the two generators G1 and G2. However, when G1 is supplying more power, G2 fails to take over even after synchronization. This results in G1 supplying more power under scenarios where G2 is synchronized as the second generator. This can result in premature wear of G1 which, when out of action, can result in greater power demand and wear of G2.
The proposed defense was able to detect the attack within 10-20 seconds, once the anomaly is detected, SSTNet device displays a message that an attack has been detected. In particular, SSTnet 102 was implemented to defend against malicious power generation attacks for generators connected in parallel. This defense can involve detecting performance of the generators and determining, using the abovementioned machine learning model for distinguishing between (i.e. categorising) normal and anomalous behaviour, that the behaviour is anomalous. Given that anomalous behaviour in response to one control command may initially look like normal behaviour in response to another control command - e.g. intentional shutdown of one generator would result in unbalanced power generation - the SSTNet 102 or devices Ti ... Tn may analyse the behaviour of the devices Si ... S against the control command to more rapidly identify behaviour as anomalous. For example, in receiving a load balancing control signal, SSTNet 102 would rapidly identify behaviour as anomalous if it did not move towards a balanced loading condition or did not move towards that condition as quickly as would be expected.
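The two SSTNet checks described for the synchronisation and load-sharing attacks can be written as one routine, shown here as an added example that is not the patent's SBC implementation: the residual the SST measures after a control command (phase angle for synchronisation, apparent-power imbalance for load sharing) is compared with the trajectory expected from normal runs, and the SST's own measurement is separately compared with what the SAS device reports. The expected durations, the slack and the linear model of normal progress are assumptions chosen for illustration, and the sample trajectories are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Sample = Tuple[float, float]   # (seconds since the command, measured residual)


@dataclass
class Verdict:
    anomalous: bool
    reason: str
    detected_at_s: Optional[float]   # time after the command when flagged


def expected_residual_fraction(t: float, t_expected: float) -> float:
    """Fraction of the initial residual still expected at time t.

    Assumption for this example: a normal run closes the gap roughly
    linearly over t_expected seconds.  A curve learnt from normal runs
    (the text mentions a trained model) could replace it."""
    return max(0.0, 1.0 - t / t_expected)


def check_convergence(samples: Sequence[Sample], t_expected: float,
                      slack: float = 0.05, confirm: int = 3) -> Verdict:
    """Flag the process when the measured residual lags the expected
    trajectory by more than `slack` for `confirm` consecutive samples,
    so a single noisy sample does not raise an alert."""
    if not samples or samples[0][1] <= 0:
        return Verdict(False, "no residual to track", None)
    r0 = samples[0][1]
    lagging = 0
    for t, r in samples:
        measured = r / r0
        expected = expected_residual_fraction(t, t_expected)
        if measured > expected + slack:
            lagging += 1
            if lagging >= confirm:
                return Verdict(True, f"{measured:.2f} of the initial residual "
                                     f"left at {t:.0f}s, expected {expected:.2f}", t)
        else:
            lagging = 0
    return Verdict(False, "converging as expected", None)


def check_agreement(sst: Sequence[Sample], reported: Sequence[Sample],
                    tolerance: float) -> Verdict:
    """Secondary-source-of-truth check: the SST's own measurement must agree
    with the value the SAS device reports for the same instant.  A gap wider
    than `tolerance` means the monitoring path is spoofed or faulty."""
    for (t, mine), (_, theirs) in zip(sst, reported):
        if abs(mine - theirs) > tolerance:
            return Verdict(True, f"SST measured {mine:.1f} but the device "
                                 f"reported {theirs:.1f} at {t:.0f}s", t)
    return Verdict(False, "sources agree", None)


def linear_run(r0: float, t_total: float, t_end: float, step: float) -> List[Sample]:
    """Constructed trajectory: residual falls linearly from r0 to 0 over t_total."""
    n = int(t_end / step) + 1
    return [(i * step, max(0.0, r0 * (1.0 - i * step / t_total))) for i in range(n)]


# Constructed sample data (assumed figures, not the patent's measurements).
SYNC_T_EXPECTED = 200.0          # assumed normal time for the angle to reach 0
SYNC_NORMAL = linear_run(180.0, 200.0, 60.0, 2.0)    # angle 180 -> 0 in 200 s
SYNC_ATTACK = linear_run(180.0, 5200.0, 60.0, 2.0)   # same gap closed far slower
LOAD_T_EXPECTED = 60.0           # assumed time to restore equal sharing
LOAD_NORMAL = linear_run(0.5, 60.0, 60.0, 2.0)       # imbalance 75:25 -> 50:50
LOAD_ATTACK = [(t, 0.5) for t, _ in LOAD_NORMAL]     # G2 never takes over


if __name__ == "__main__":
    for name, data, t_exp in (("sync/normal", SYNC_NORMAL, SYNC_T_EXPECTED),
                              ("sync/attack", SYNC_ATTACK, SYNC_T_EXPECTED),
                              ("load/normal", LOAD_NORMAL, LOAD_T_EXPECTED),
                              ("load/attack", LOAD_ATTACK, LOAD_T_EXPECTED)):
        print(name, check_convergence(data, t_exp))
    # The monitoring path is spoofed to look like a normal run while the SST
    # measures the slow one: the two sources disagree.
    print("spoofed report", check_agreement(SYNC_ATTACK, SYNC_NORMAL, tolerance=10.0))
```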
As with the defense to the synchronisation attack, the defense to the load balancing attack was implemented on an SBC (Raspberry Pi) using a C program and the libIEC61850 library. The experimental setup is similar to that shown in Figure 4, except that the SSTNet device is moved from the network fragment onto the rest of the network 412 - see device 416. In another form of attack, the attacker sends parallel commands to alter the behaviour of components in a substation. In some cases, the behaviour must be implemented rapidly, without sufficient time to verify the authenticity of the control commands.
In the simulated example, parallel command validation was implemented for opening of the circuit breakers. Owing to the time sensitive nature of some operations by substation devices and the network, network authentication may not be feasible under all scenarios. Even when such authentication is feasible, network-based authentication cannot protect the system from attacks that originate from an authentic OT device (e.g. a device compromised by malware).
In this defense, the SST device Ti performed physical invariant validation on the control signal. The device Ti was a single board computer (SBC) that implemented physical invariant validation for one specific command, i.e. open circuit breaker, using the measurement from the corresponding IED. The communication channel used Modbus over TCP/IP for command validation - this mode is only an example, and the method can be implemented using any other form, such as physical contacts or other secured network protocols. The experimental setup is similar to that shown in Figure 4, only the position of the SSTNet device is different - its location will be similar to, or the same as, that of device 416.
The proposed defense prohibited oscillation between the open and closed states of the breaker, which can otherwise cause significant stress on the generators. The proposed defense prevented the command from being executed and thereby also avoided chattering attacks. In other words, the defense was pre-emptive and the attack was never carried out. In this case, the security device Ti analysed the control data packet and gave the system network device a command to skip the packet - i.e. no anomaly or alarm is raised in this scenario; instead, the PLC is commanded by the SSTNet device to skip the command. Therefore, the security devices Ti ... Tn do not raise an alarm in all instances of a detected anomaly. The present teachings provide a trusted approach, using system 102, that aids SASs in dealing with several attack vectors and attack goals. The network of devices (SSTNet) proposed as an augmentation to an existing SAS device has been shown to be minimally invasive and versatile. The SSTNet devices can either run side-by-side with the substation network using the same resources, or form a standalone trusted network. The proposed system, when combined with physical-invariant-based anomaly detection, could be an effective solution for defending SAS operations.
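An added example, not the patent's own code (which runs on the SBC over libIEC61850 and Modbus), of the physical-invariant validation and skip decision for an "open circuit breaker" command, including the chattering case above in which the command is skipped rather than alarmed. The Breaker and Policy types, the thresholds and the constructed command sequence are assumptions made for this illustration.

```c
#define MAX_OPS 8
/* Breaker as the SBC sees it through the IED measurements (constructed model). */
typedef struct {
    int closed; double current_a;  /* IED position (1 closed, 0 open) and line current, A */
    double op_t[MAX_OPS];          /* ring of recent operation times, seconds */
    int nops;                      /* operations recorded so far */
} Breaker;

typedef struct {
    double leak_a;       /* current above which a reportedly open breaker is implausible */
    double min_dwell_s;  /* minimum rest time between two operations */
    double window_s;     /* window over which operations are counted */
    int max_ops;         /* operations allowed inside window_s */
} Policy;

typedef enum { EXECUTE = 0, SKIP_INCONSISTENT, SKIP_ALREADY_OPEN, SKIP_CHATTER } Decision;

/* Physical-invariant validation of one "open circuit breaker" command. */
Decision validate_open(const Breaker *b, const Policy *p, double now) {
    /* Invariant 1: an open breaker carries no current; current through a breaker
       the IED reports as open means the reported state cannot be trusted. */
    if (!b->closed && b->current_a > p->leak_a) return SKIP_INCONSISTENT;
    /* Invariant 2: opening a breaker that is already open has no physical meaning. */
    if (!b->closed) return SKIP_ALREADY_OPEN;
    /* Invariant 3: a breaker is not legitimately cycled faster than its dwell time
       nor more than max_ops times per window; that pattern is chattering. */
    int n = b->nops < MAX_OPS ? b->nops : MAX_OPS, recent = 0;
    for (int i = 0; i < n; i++) {
        if (now - b->op_t[i] < p->min_dwell_s) return SKIP_CHATTER;
        if (b->op_t[i] >= now - p->window_s) recent++;
    }
    return recent >= p->max_ops ? SKIP_CHATTER : EXECUTE;
}

/* Record an operation the IED has confirmed (an executed open or close). */
void record_op(Breaker *b, double t, int closed, double current_a) {
    b->op_t[b->nops++ % MAX_OPS] = t;
    b->closed = closed;
    b->current_a = current_a;
}

/* Constructed chattering attack: an open command every second, each followed by a close
   0.15 s later whenever the open went through. Returns how many opens were skipped. */
int chatter_scenario(void) {
    Breaker b = { 1, 120.0, {0}, 0 };
    Policy p = { 1.0, 0.5, 10.0, 4 };
    int skipped = 0;
    for (int i = 0; i < 6; i++) {
        double t = 1.0 + i;
        if (validate_open(&b, &p, t) != EXECUTE) { skipped++; continue; }
        record_op(&b, t, 0, 0.0);
        record_op(&b, t + 0.15, 1, 120.0);
    }
    return skipped;
}
```

In the constructed sequence the first two opens pass, after which the four operations inside the window exceed the policy and every further open is skipped without an alarm, which is the pre-emptive behaviour described above.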
The present system 102 can be incorporated into existing systems such as: energy storage systems, for smaller standalone systems or grid-connected systems; Power Generation Company (Genco) operated substations with distinct interfaces facing the grid and the substation, where operations management may want to put in place their own set of criteria, which may or may not include vendor-provided monitoring systems, and in this case the secondary source of truth (SST) is a strong validation of the reliability of a system and its components; power systems, to detect control packet injection, which is a threat to all substations; and SAS devices, to enhance the security functionalities of those devices without affecting time-critical operations and with absolutely no intrusion into the device hardware/software. In general, the present system 102 and the method described below with reference to Figure 6 create a methodology to put in place guards that provide additional checks, based on physical layer invariants, before carrying out a control action in a substation. The system 102 employs a method for enhancing security of a system network, such as method 600 of Figure 6. To implement the system 102, the method 600 broadly comprises:
Step 602: building an agent network; and
Step 604: connecting the agent network to the system network.
Step 602 involves building an agent network comprising one or more security devices Ti ... Tn. As described above, the one or more security devices Ti ... Tn are designed to appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network. The devices Ti ... Tn are also designed to provide one or more enhanced security operations.
The agent network is then connected, per step 604, to the system network to incorporate the enhanced security operations into the system network. The various connection schema are described with reference to Figure 1.
It will be appreciated that many further modifications and permutations of various aspects of the described embodiments are possible. Accordingly, the described aspects are intended to embrace all such alterations, modifications, and variations that fall within the spirit and scope of the appended claims.
Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" and "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps but not the exclusion of any other integer or step or group of integers or steps.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

Claims
1. A method for enhancing security of a system network, the system network comprising one or more devices, the method comprising: building an agent network comprising one or more security devices, the one or more security devices being designed to: appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network; and provide one or more enhanced security operations; and connecting the agent network to the system network thereby incorporating the enhanced security operations into the system network.
2. The method of 1, wherein connecting the agent network to the system network comprises operating the agent network parallel to the system network, using existing network and communication infrastructure of the system network.
3. The method of 1, wherein connecting the agent network to the system network comprises deploying the agent network on independent network and communication infrastructure, and connecting the independent network and communication infrastructure with infrastructure of the system network.
4. The method of 2 or 3, wherein connecting the agent network to the system network comprises connecting the agent network to receive signals received by the system network.
5. The method of 4, wherein the one or more security devices analyse the signals to determine whether one or more of said signals is an abnormal signal.
6. The method of 4 or 5, wherein the one or more security devices are configured to validate legitimacy of control and data packets.
7. The method of any one of 1 to 3, wherein the one or more security devices monitor operation of the one or more devices of the system network in response to signals received by the system network.
8. The method of 7, wherein the one or more security devices determine whether the one or more devices of the system network are operating as expected and, if not, raise an alarm.
9. The method of any one of 1 to 8, wherein the agent network acts on behalf of the system network by incorporating additional protocols into the system network without modifying operation of the one or more devices of the system network.
10. The method of 6, wherein the one or more security devices validate the legitimacy of control and data packets by: selecting consistency criteria based on physical layer invariants; and comparing the control and data packets to the physical layer invariants.
11. A system for enhancing security of a system network, the system network comprising one or more devices, comprising: an agent network comprising one or more security devices, the one or more security devices being designed to: appear to an external party as at least one of hidden and indistinguishable from the one or more devices of the system network; and provide one or more enhanced security operations; wherein the agent network is connected to the system network thereby incorporating the enhanced security operations into the system network.
12. The system of 11, wherein connecting the agent network to the system network comprises operating the agent network parallel to the system network, using existing network and communication infrastructure of the system network.
13. The system of 11, wherein connecting the agent network to the system network comprises deploying the agent network on independent network and communication infrastructure, and connecting the independent network and communication infrastructure with infrastructure of the system network.
14. The system of 12 or 13, wherein connecting the agent network to the system network comprises connecting the agent network to receive signals received by the system network.
15. The system of 14, wherein the one or more security devices analyse the signals to determine whether one or more of said signals is an abnormal signal.
16. The system of 14 or 15, wherein the one or more security devices are configured to validate the legitimacy of control and data packets.
17. The system of any one of 11 to 13, wherein the one or more security devices monitor operation of the one or more devices of the system network in response to signals received by the system network.
18. The system of 17, wherein the one or more security devices determine whether the one or more devices of the system network are operating as expected and, if not, raise an alarm.
19. The system of any one of 11 to 18, wherein the agent network acts on behalf of the system network by incorporating additional protocols into the system network without modifying operation of the one or more devices of the system network.
20. The system of 16, wherein the one or more security devices validate the legitimacy of control and data packets by: selecting consistency criteria based on physical layer invariants; and comparing the control and data packets to the physical layer invariants.
21. A power generation system comprising a system according to any one of claims 11 to 20, and the system network the security of which is enhanced by said system.
PCT/SG2021/050109 2020-03-05 2021-03-04 Power system security enhancement WO2021177899A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG10202002020Q 2020-03-05

Publications (1)

Publication Number Publication Date
WO2021177899A1 true WO2021177899A1 (en) 2021-09-10

Family

ID=77614510

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2021/050109 WO2021177899A1 (en) 2020-03-05 2021-03-04 Power system security enhancement

Country Status (1)

Country Link
WO (1) WO2021177899A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21764494

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.12.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 21764494

Country of ref document: EP

Kind code of ref document: A1