Resilient operation of the communication networks in smart grid critical infrastructure is essential to sustaining network availability.
Cyber threats in Wide Area Monitoring System
It is almost impossible to ensure that every part or node of the smart grid is invulnerable to network attacks. The smart grid must be resilient to cyber and physical attacks through the use of smart grid security protocols, and the smart grid network must have the self-healing ability to continue network operations in the presence of attacks. Since WAMS is an integral part of the smart grid, it is crucial to ensure the availability and integrity of the data it carries and of the communication and computation infrastructure involved. The WAMS is expected to operate over large, scattered geographical areas, which makes the security aspect more complex [16]. The security risk grows as the deployment of PMUs becomes more widespread.
To ensure secure and reliable operation, it is essential to understand what the security objectives and requirements are before providing a comprehensive treatment of cyber security in the context of data delivery and management. The cyber security objectives and requirements for PMU communication in WAMS are discussed as follows.
Smart Grid Security Objectives
Considering the crucial role of synchronized measurements in achieving a smart grid, various groups and organizations are working on developing security standards and recommendations for WAMS. The NISTIR 7628 [www.nist.gov/itl/upload/discussion-draft_preliminary-cybersecurity-framework, August 28, 2013] standard, 'Guidelines for Cyber Security in the Smart Grid', provides a comprehensive set of guidelines for designing cyber-security mechanisms or systems for the smart grid. The standard proposes methods for assessing risks in the smart grid, and then identifies and applies appropriate security requirements to mitigate these risks. NIST has also released a draft Cyber Security Framework for critical infrastructure. The IEC 62351 standard series [IEC 62351 Security Standards for the Power System Information Infrastructure, 2012], developed by WG15 of IEC TC57, defines security mechanisms to protect communication protocols for substation systems, in particular IEC 60870 and IEC 61850. The primary focus of this standardization is to provide end-to-end security. The Critical Infrastructure Protection (CIP) set of standards [North American Electric Reliability Corporation, Critical Infrastructure Protection (CIP) Reliability Standards, 2009] developed by the North American Electric Reliability Corporation (NERC) aims at introducing compliance requirements to enforce baseline cyber-security efforts throughout the bulk power system (transmission). IEC 61850-90-5 is a communication standard currently in preparation that allows transmission of synchrophasor data; it includes a digital signature to provide authentication and tamper detection and optionally provides encryption for confidentiality. Table 1 provides a summary of these initiatives.
Table 1. Research initiatives on security challenges to WAMS.
Initiative        | Research direction
IEC 62351         | Describes recommended security profiles for various communications media and protocols
NERC CIP 002-009  | Deals with cyber-security standards
IEEE 1686-2007    | Describes security measures from the perspective of an IED
IEEE C37.118      | The communications protocol for PMU communications
NISTIR            | Guidelines for smart grid security
IEC 61850-90-5    | Security issues
In [58, 59, 21, 60], the smart grid is defined as a cyber-physical system (CPS), and unique security challenges and issues encountered in such systems that are not prevalent in traditional IT security are identified. These works also discuss security solutions to address these unique challenges. Reference [61] proposes a layered security framework for protecting power grid automation systems against cyber attacks. The security framework satisfies the desired performance in terms of modularity, scalability, extendibility, and manageability, and protects the smart grid against attacks from either the Internet or the internal network by integrating security agents, security switches and security management.
There are three high-level security objectives of a synchrophasor system, as shown in Fig. 2. According to [17], availability and integrity are crucial for such systems, whereas data confidentiality is less important because no customers' private information is involved.
Fig. 2. Objectives of a secure synchrophasor system
Availability:
Availability ensures uninterrupted, reliable and timely access to data and resources for authorized users. It applies to the network, communication infrastructure, systems, applications, databases, and supporting infrastructure. Services must be available to authorized users. Availability also works in parallel with confidentiality and integrity.
Ensuring timely and reliable access to and use of PMU synchrophasor information is of the utmost importance in the WAMS. A loss of availability is the disruption of access to or use of information, which may further undermine power delivery.
Integrity:
The integrity of the data transferred in communication should be guaranteed so that any modification of the data can be detected. Data integrity protects against unauthorized modification and destruction of information, either within the system or while it is transmitted across the LAN/WAN. Integrity also supports the non-repudiation and authenticity of information. Integrity can be classified as system integrity and data integrity. System integrity deals with the protection of systems such as PMUs, IEDs, relays, and PDCs. Integrity can be achieved through hash verification, input/output checksums, stringent access and authentication systems, and well-designed security policies. A loss of integrity is the unauthorized modification or destruction of information and can further induce incorrect decisions regarding power management.
Confidentiality:
Data confidentiality in transmission should be protected. Otherwise, utility consumption values will be known by attackers, which will leak much information about consumers' behavior. Confidentiality ensures the prevention of illicit revelation or disclosure of data [19]. Confidentiality prevents exposure of stored data, data processed within the system, and data in transit across the LAN/WAN. Confidentiality can be breached either through well-coordinated attacks or through unauthorized disclosure. Confidentiality can be achieved through data encryption, access control, training and awareness, and data classification. Along with availability, integrity, and confidentiality, other objectives such as authentication and authorization, accountability, non-repudiation, and auditing are presented in [2]. In general, the primary security objective for control systems is availability, with integrity second and confidentiality third.
Security Requirements in Wide Area Monitoring System
Prior to the installation of a synchrophasor system, a set of cyber security requirements must be developed, new devices must undergo vulnerability testing, and proper security controls must be designed to protect the synchrophasor system from unauthorized access. The cyber security requirements may be based on the availability, integrity, and confidentiality of the system, data, and processes.
Availability
The availability cyber security requirements assure that the PMUs and PDC network servers remain available to perform their primary functions in a timely manner. An attacker normally creates situations that can lead to the unavailability of the data. Attacks such as denial of service can cause instability of the system and can have an adverse effect on the applications.
Integrity
Integrity is also one of the important security requirements for the synchrophasor system in WAMS. This requirement ensures that network traffic sent to and from PMUs and the PDC is unaltered, validates the identity of communicating parties and devices, and ensures that logged records are unaltered. Modification of PMU data can cause the control center or the operators to take inappropriate actions. For example, an attacker could modify the voltage angles fed into a wide area synchronism-check system by adding pi radians to the real value. This could close the breaker while systems are out of synchronism and cause significant damage to the power system equipment. So modification of data or unauthorized access to synchrophasor data can make the system vulnerable to the attacker, which can lead to heavy damage to the reliability of the system [Johan Stewart].
Confidentiality
The transfer of information between different components of the synchrophasor system in WAMS, such as the PMU, PDU, GPS, control center and applications, must be confidential. The confidentiality cyber security requirements are limited for PMUs and PDCs. Generally, utilities do not consider PMU and PDC synchrophasor measurements, commands, and settings to be confidential information. The confidentiality of user credentials is the only exception. These confidentiality requirements extend to the network transmission of passwords for remote access and the safe storage of passwords within a device. A symmetric or asymmetric cipher should also not be used to protect password confidentiality [TM Morris].
Identification, authentication and access control
This is one of the important requirements for maintaining the security of the system. PMU data authentication and authorization are critical security services for a WAMS. Nowadays, PMU data is transmitted over public networks, so it is easy for an adversary to manipulate the PMU data without device authentication. A failure of authentication can allow the attacker to modify the data or gain access to the PMU or PDC devices, and thereby unauthorized access to the system. Identification and authentication is the key process of verifying the identity of a device or user as a prerequisite for granting access to resources in the WAMS information system. The focus of access control is to ensure that resources are accessed only by the appropriate personnel who are correctly identified. Strict access control must be enforced to prevent unauthorized users from accessing sensitive information and controlling critical infrastructure. To meet these requirements, each network in the WAMS must have at least basic cryptographic functions, such as symmetric and asymmetric cryptographic primitives, to perform data encryption and authentication.
Secure and efficient substation and communication protocols
One of the security requirements for the synchrophasor system is a secure substation. The smart grid comprises different types of critical components, such as PMUs, PDCs and database servers, and different users, such as grid engineers, support staff, system engineers and security analysts. Attacks can take place directly on the substation, which can affect the efficiency and reliability of the synchrophasor system. Moreover, it can also lead to the malfunction of the system. Access points in the synchrophasor system that are connected to the substation as well as to other systems in the power network should be secured. These are the access points from which an attack on the substation is most likely to come. One of these access points is the PMU. Normally the PMUs and PDC are present within a perimeter network. Accessing the PMU settings remotely through an unsecured protocol such as Telnet may pose cyber threats. Telnet transmits data in clear text format. This can lead to many vulnerabilities, as PMU settings and login information are exposed on the network. A secure channel such as Secure Shell (SSH) should be used for remote access [Johan Stewart]. A security gateway device separates the substation LAN and the perimeter network.
The majority of protocols used by a WAMS, however, do not include security mechanisms in their specifications.
Based on the recommendations of various studies, the requirements of cyber security measures for a WAMS are []:
1) The security measures adopted should not in any way hamper the primary objective of the WAMS.
2) The access to every PMU or PDC of a utility should be through an authentication procedure.
3) The system should accept only authenticated and authorized changes in the configuration of the network.
4) Accountability must be achieved through the implementation of authorization, authentication, auditing, and non-repudiation.
5) There should be a proper mechanism to validate the integrity of the data exchanged.
6) The system should continue to perform essential functions in case of loss of synchronized measurements.
7) The security mechanism should be able to minimize the impact of abnormalities on the performance of WAMS.
Type of Cyber Attacks at WAMS Communication network
There are two main vulnerable points in WAMS where data can be intercepted and manipulated: the substation level (PMUs) and the control center level, as shown in the figure. However, a cyber attacker can attack at any level, i.e., component-wise, protocol-wise, or topology-wise [20].
Several modes of attack can take place to tamper with the WAMS, ranging from physical attacks to remote access attacks. Cyber attackers reconnoiter a system before attacking. It is highly crucial to prevent these attacks for the proper functioning of the WAMS. The current attacks that threaten PMU networks are Denial of Service (DoS), physical, man-in-the-middle, packet analysis, malicious code injection, and data spoofing attacks [13].
Physical Attack
A PMU can be isolated from the substation network using physical attacks that damage hardware or infrastructure. This includes cutting a network connection between the PMU and PDC or sabotaging the PMU. Limiting access to critical infrastructure can mitigate this type of attack [13].
Access Attacks
Access attacks such as masquerading, session hijacking and repudiation can affect the integrity, confidentiality and availability of the system. In access attacks, the attacker attempts to gain access to the network and its resources. The attacker can gain unauthorized access and modify PMU information and user information. Manipulation of PMU information can affect the financial aspect, power usage, and the monitoring and control information.
An adversary who gains local or remote access to a field device such as a PMU can reconfigure it so that it behaves in an undesirable way. After gaining access to a PMU or PDC, the attacker may change PMU and PDC settings, e.g., the number of samples per second, the number and types of measurements, interpolation settings, and missing-data settings; settings also include security-related items such as changing the password, changing the minimum number of failed password attempts that trigger a lockout, and changing the lockout duration. This can lead to improper actions being carried out by the control center.
Eavesdropping attack
In an eavesdropping attack, the messages exchanged between different devices in the system are leaked to an intruder without the consent of the system. Normally the kind of information exchanged in the WAMS contains data such as power measurements from the power system, time tag information from GPS, etc. Attackers can also collect traffic data that indirectly leads them to guess the information being exchanged. This attack can cause much more damage if the information exchanged consists of secret keys that should be known only to the concerned parties.
Modification attack
In a modification attack, false messages are delivered to the substation or to other entities in the system such as a PMU after altering the contents of the messages exchanged between the different entities in the system. These false messages can make the system unstable, as the modified message can affect the quality of the electricity delivered by the utilities.
An example of a modification attack is malicious code injection. In malicious code injection, the attacker inserts new instructions into code to alter its execution. One common modification attack is Structured Query Language (SQL) injection. SQL is a standardized language for managing databases. Commonly, SQL injection attacks occur when queries are generated using user input [64].
Because PMU data sent to the PDC is stored in a database, PMUs are particularly susceptible to SQL injection attacks [49]. Before measurements are sent, the PMU sends a configuration message to the PDC to specify the data table structure to be defined in the database [55]. The PDC does not authenticate the configuration message. Instead, it creates the new tables specified in the configuration message. This leaves the system vulnerable to code injection.
The SQL injection vulnerability most frequently arises when queries are formulated from user input that is not properly validated before inclusion in an SQL query [50]. The attacker can make the transmission system state appear to be the opposite of reality. For example, if there is an issue with a transmission bus or line, an attacker can modify measurements to indicate that it is normal, which could put the power system at risk of an outage. The researchers in [51] describe two insertion attacks: code injection and return-oriented programming. In code injection, the attacker directly inserts shellcode (a set of malicious instructions) into the program. Return-oriented programming reuses binary code already present in the system as shellcode. Shellcode is the software exploit payload. Either attack can send malicious instructions to the database management system to add, delete, or modify the database, or to take control of the system.
The authors of [52] show a security gateway using encryption and decryption to send packets across the Internet. One security gateway encrypts measurement packets from the PMU. The other security gateway decrypts them before sending them to the PDC. Since packets are encrypted before crossing the network, the attacker should be unable to decipher them. In modern operating systems, code injection is made difficult by randomizing the system address space, separating code and data, and monitoring the stack to detect buffer overflows [53]. The PMU and PDC should use operating systems that have these countermeasures.
To counteract SQL injection attacks, either check inputs for characters that can be abused, or use parameterized statements that force user inputs to follow a static template [8]. These templates only allow certain inputs to be translated into queries. For further prevention, databases should also have strict access controls governing which users may modify or manipulate data [53]. The authors of [54] also discuss using static analysis and run-time monitoring, proxy filters, intrusion detection systems, and encapsulating database queries to provide safe and effective ways to access databases.
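The two countermeasures above (input checking and parameterized statements) side by side with the weak pattern, as an added example that is not code from the paper or from any PDC product. It models a PDC registering a PMU from a constructed configuration message; the station-name allowlist, the table layout and the sample input are assumptions made for the illustration.

```python
import re
import sqlite3

# Added example, not from the paper. A PMU configuration message carries a
# station name that the PDC uses when populating its database; that name is
# attacker-influenced input, which is the injection path the text describes.

# Assumption: station names are short ASCII identifiers. Anything outside this
# allowlist is treated as tampering ("check inputs for characters that can be abused").
STATION_NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{1,16}$")


def open_db():
    """In-memory table that a PDC would populate from PMU configuration messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pmu_config (idcode INTEGER PRIMARY KEY, station TEXT, data_rate INTEGER)"
    )
    return conn


def register_pmu_vulnerable(conn, idcode, station, data_rate):
    """Weak pattern: the station name is spliced into SQL text and can rewrite the query."""
    sql = f"INSERT INTO pmu_config VALUES ({idcode}, '{station}', {data_rate})"
    conn.execute(sql)
    conn.commit()


def register_pmu_parameterized(conn, idcode, station, data_rate):
    """Static template with bound values: the input is stored as data, never parsed as SQL."""
    conn.execute(
        "INSERT INTO pmu_config VALUES (?, ?, ?)", (int(idcode), str(station), int(data_rate))
    )
    conn.commit()


def validate_station_name(station):
    """Allowlist check applied before the configuration message is trusted at all."""
    return STATION_NAME_RE.match(station) is not None


def stored_station(conn, idcode):
    row = conn.execute("SELECT station FROM pmu_config WHERE idcode = ?", (idcode,)).fetchone()
    return row[0] if row else None


def demo(station):
    """Run one station name through both code paths and report what each stored."""
    result = {"validator_accepts": validate_station_name(station)}
    vuln = open_db()
    try:
        register_pmu_vulnerable(vuln, 1, station, 30)
        result["vulnerable_stored"] = stored_station(vuln, 1)
    except sqlite3.Error as exc:
        result["vulnerable_stored"] = f"error: {exc}"
    safe = open_db()
    register_pmu_parameterized(safe, 1, station, 30)
    result["parameterized_stored"] = stored_station(safe, 1)
    return result


if __name__ == "__main__":
    # Constructed input: a closing quote followed by SQL's concatenation operator.
    # In the string-built query it becomes part of the SQL ('BUS7' || 'X'), so the
    # database stores BUS7X; the parameterized path stores the text verbatim, and
    # the validator rejects the name outright.
    print(demo("BUS7' || 'X"))
    print(demo("BUS7"))
```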
The packets containing the measurements can also be modified and resent at a later time, which is called a replay attack. Replay attacks consist of taking data from a system and then resubmitting it at a time of the attacker's choosing. This is problematic for PMU networks since the measurements are vital to the stability of the system.
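One receive-side check for the replay scenario above, as an added example that is not code from the paper: a PDC classifies each incoming data frame by its time tag, so a captured frame resubmitted later is flagged instead of being merged into the measurement stream. Assumptions: frames carry (idcode, soc, fracsec) as in IEEE C37.118 data frames, fracsec is in microseconds, and the window and skew tolerances are illustrative.

```python
from collections import deque

# Added example, not from the paper. Assumption: FRACSEC is expressed in
# microseconds (TIME_BASE = 1e6) and the receiver has a trustworthy clock.
TIME_BASE = 1_000_000


def frame_time_us(soc, fracsec):
    """Absolute frame time in microseconds from second-of-century and fraction."""
    return soc * TIME_BASE + fracsec


class ReplayGuard:
    """Per-PMU time-tag tracking: duplicates, stale frames and future frames are flagged."""

    def __init__(self, window_frames=120, max_future_us=200_000):
        self.window_frames = window_frames   # recent accepted tags remembered per PMU
        self.max_future_us = max_future_us   # tolerated clock skew ahead of the receiver
        self.recent = {}                     # idcode -> deque of accepted tags
        self.last_accepted = {}              # idcode -> newest accepted tag

    def check(self, idcode, soc, fracsec, receiver_now_us):
        t = frame_time_us(soc, fracsec)
        if t - receiver_now_us > self.max_future_us:
            return "future"                  # tag ahead of our clock: reject
        seen = self.recent.setdefault(idcode, deque(maxlen=self.window_frames))
        if t in seen:
            return "replay"                  # exact tag already accepted: resubmission
        last = self.last_accepted.get(idcode)
        if last is not None and t <= last:
            return "late"                    # older than newest accepted, never seen: delayed
        seen.append(t)
        self.last_accepted[idcode] = t
        return "accept"


def classify_stream(frames):
    """frames: list of (idcode, soc, fracsec, receiver_now_us); one verdict per frame."""
    guard = ReplayGuard()
    return [guard.check(*frame) for frame in frames]


def constructed_stream():
    """Constructed 30 fps stream from PMU 7, then three anomalous frames."""
    soc = 1_700_000_000
    period = TIME_BASE // 30
    # Each genuine frame arrives 20 ms after its time tag.
    frames = [(7, soc, k * period, soc * TIME_BASE + k * period + 20_000) for k in range(5)]
    now = frames[-1][3]
    frames.append((7, soc, 2 * period, now + 50_000))    # exact copy of frame 2: replay
    frames.append((7, soc, period // 2, now + 60_000))   # older, unseen tag: late
    frames.append((7, soc + 5, 0, now + 70_000))         # five seconds ahead: future
    return frames


if __name__ == "__main__":
    for frame, verdict in zip(constructed_stream(), classify_stream(constructed_stream())):
        print(frame[:3], verdict)
```

A PDC that also waits for late streams (as described later in the text) would hold "late" frames for its alignment window rather than discarding them; only "replay" and "future" are outright rejections here.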
Data manipulation attacks
In data manipulation attacks, the attacker may corrupt data in three possible ways: by attacking PMUs, by tampering with the communication network, or by breaking into the synchrophasor system through the control center LAN. If an adversary is able to fake PMU data, biasing the power system state estimates without being detected, the operator may take erroneous control actions that are detrimental to the system. This can cause uneconomic dispatch choices, congestion, failure of generators, failures of transmission lines, as well as cascading failures leading to blackout [44].
Denial of Service (DoS)
In a DoS attack, the attacker attempts to deny legitimate users access to a particular resource or, at the very least, to reduce the quality of service of a resource. It is one of the most common threats to synchrophasor systems. An attacker who manages to gain access to the communication infrastructure can launch a Denial-of-Service (DoS) attack by flooding a critical link with bogus traffic or by saturating the computing resources of a critical network device such as a router or metering field device. Such an attack causes real-time measurement data from field devices to be delayed or, at worst, dropped. A DoS attack can also delay or drop critical control signals from a controller.
At the substation, a DoS attacker does not need to completely shut down network access by extreme means (e.g., all-time jamming); instead, it may launch weaker versions of attacks to intentionally delay the transmission of a time-critical message so that its timing requirement is violated. This can also be catastrophic for power infrastructures. Therefore, the goals of DoS attacks on the WAMS infrastructure include not only disrupting resource access but also violating the timing requirements of critical message exchanges.
The threat of large-scale DoS attacks that overwhelm a substation network is mainly from the outside of a substation. In this regard, the substation computer (the network gateway of the substation) becomes the primary target of TCP/IP DoS attacks. In other words, substation gateways must enforce strong access control and filtering policies for incoming communication flows. Furthermore, when wireless technologies are adopted in a substation, jamming attacks may become a primary security threat. Therefore, anti-jamming technologies need to be used to protect wireless communication in substations.
A PDC holds data from on-time PMUs while waiting for data packets from late-arriving PMU streams. A denial of service attack can have a persistent effect if the attacked PMU's data stream becomes consistently late after the attack. The PDC eventually drops old data packets and begins to interpolate. PMUs and PDCs that recover from a denial of service attack should clear their transmit queues to avoid the aforementioned effects.
Denial of Service attacks against synchrophasor systems can cause a loss of system visibility.
Spoofing
In a spoofing attack, the attacker can make the system act in a malicious way by sending illegal messages to the different components and devices in the system. The attacker can act as the server or can intercept the communication channel in the form of a man-in-the-middle attack. This can lead to instability or malfunction of the system, depending on the wrong information sent by the attacker.
In this single-hop network, spoofing attacks can lead to loss of both availability and integrity. In particular, spoofing attacks targeting the protection system should be a primary focus. For example, switches are used to protect power infrastructures in substations: when an IED detects an abnormal status (e.g., high current), it sends close/open messages to switches to balance the power load (or simply break the circuit for protection) [28]. If a spoofing attacker successfully masquerades as a monitoring IED, it could send false close/open messages to switches and drive the protection system into an inconsistent state, resulting in potential loss of power supply for customers. Therefore, strong point-to-point authentication schemes should be enforced to prevent such spoofing attacks in substations.
The PMU GPS receiver provides the one-pulse-per-second signal for synchronizing the sampling clock, and the second-of-century counter for packaging actual time values into the sampled data. The task of a GPS spoofer is to mislead the GPS receiver into acquiring a fake signal. If the spoofer generates a new signal that has a higher signal-to-noise ratio (SNR) and a higher correlation peak, the GPS receiver will track the fake signal once it loses track because of intentional signal interference. After that, the timing information calculated by the victim receiver has been manipulated by the spoofer [43]. Humphreys et al. [65] demonstrated a spoofing attack against a GPS time reference receiver installed in a PMU.
Data spoofing occurs when attackers falsify data. The PMUs continuously send data to the PDC. Instructions on how to set up database tables are included [13]. If the PDC does not authenticate PMU connections, the PDC may accept fabricated data. PMU data gives operators information so that they can be aware of the condition of the electric grid, so data accuracy is important. Data spoofing gives the program forged data instead of actual data. This can be detrimental to grid stability and reliability [13]. In [21], researchers inject false data into the system; this data can be either PMU measurements or time stamps. In [22], the authors spoof GPS measurement time stamps. Altering measurement times can render measurements useless. For example, readings can be reordered to make a capacity reduction seem to be a capacity increase, etc. Data spoofing has little effect when it is limited to a single data feed [23].
To mitigate data spoofing, the grid can use multiple PMUs to monitor the same transmission bus or line, which makes spoofing more complicated. The use of redundant measuring devices is suggested in [24], where the authors use redundant smart meters. The same idea is relevant to PMUs.
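The redundancy idea above carried into a concrete consistency check, as an added example that is not code from the paper or from [24]: two PMUs observing the same bus should report the same voltage phasor, so time-aligned disagreement beyond a tolerance marks the pair as suspect. Assumptions: samples are (time_tag, magnitude_pu, angle_deg) tuples and the tolerances are illustrative values, not figures from the paper.

```python
# Added example, not from the paper. Cross-checks two feeds that claim to
# measure the same bus; a spoofed or manipulated feed shows up as a sustained
# disagreement that a single feed could never reveal on its own.


def angle_delta_deg(a, b):
    """Smallest signed difference between two angles, handling the +/-180 degree wrap."""
    return (a - b + 180.0) % 360.0 - 180.0


def cross_check(feed_a, feed_b, mag_tol=0.02, ang_tol=2.0):
    """Return (flagged, unmatched) time tags.

    flagged:   tags where both feeds have a sample but the phasors disagree
    unmatched: tags present in feed_a only, which cannot be cross-checked
    Tolerances are assumptions: 0.02 pu on magnitude, 2 degrees on angle.
    """
    by_tag_b = {t: (mag, ang) for t, mag, ang in feed_b}
    flagged, unmatched = [], []
    for t, mag_a, ang_a in feed_a:
        if t not in by_tag_b:
            unmatched.append(t)
            continue
        mag_b, ang_b = by_tag_b[t]
        if abs(mag_a - mag_b) > mag_tol or abs(angle_delta_deg(ang_a, ang_b)) > ang_tol:
            flagged.append(t)
    return flagged, unmatched


def constructed_feeds():
    """Two constructed feeds for one bus near the +/-180 degree boundary.

    Feed B's sample at tag 103 carries an injected +180 degree offset (the
    "adding pi radians" manipulation described earlier in the text); tag 104
    exists only in feed A.
    """
    feed_a = [(100, 1.01, 178.5), (101, 1.01, 179.6), (102, 1.00, -179.4),
              (103, 1.00, -178.3), (104, 1.00, -177.0)]
    feed_b = [(100, 1.00, 178.9), (101, 1.01, -179.9), (102, 1.00, -179.0),
              (103, 1.00, 1.7)]
    return feed_a, feed_b


if __name__ == "__main__":
    flagged, unmatched = cross_check(*constructed_feeds())
    print("disagreeing tags:", flagged)     # [103]
    print("uncheckable tags:", unmatched)   # [104]
```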
There are some techniques that could be employed in the data authentication, such as secret password and cryptographic technology, symmetric key based scheme, tokens, etc.
Another problem with using PMUs to realize wide area synchronization is that the GPS signal receiver is the only source of precise time. The GPS signal may become unreliable due to weather changes, solar activity, intentional or unintentional jamming, or, even worse, the Department of Defense (DoD) changing the GPS accuracy or turning off the civilian signal in some emergency cases. If that happens, the entire power grid system will be paralyzed, and the security of power operation will be precarious. Therefore, an alternative wide area synchronization mechanism should be considered [43].
Man-in-the-Middle Attacks
An attacker who intrudes in the communication channel of a distribution network can launch a man-in-the-middle attack by selectively dropping or modifying sensor data (control signals) sent from a field device (controller), thus compromising the availability and/or integrity of message exchanges. A replay attack is another form of the man-in-the-middle attack: an attacker sniffing the communication channel can copy measurement data or control commands and forward them later on. Replay attacks can have catastrophic consequences especially when applied to control signals. The man-in-the-middle attacks on measurement data are effective mainly if the attack is persistent. This is because the system is a dynamic system, i.e., measurement data are continuously refreshed by a new set of measurements. Thus the effect of a single man-in-the-middle attack is negligible, especially for synchrophasor measurements that are refreshed several times per second. On the contrary, a single attack on control signals can be catastrophic.
In a PMU network, the man-in-the-middle attack occurs between the PMU and the PDC. The attacker poses as the PDC to the PMU and as the PMU to the PDC. Man-in-the-middle attacks can use route table poisoning and compromised certificates [13]. The researchers in [25] discuss using false certificates to conduct a man-in-the-middle attack. The paper discusses the false certificate vulnerability for an HTTPS connection, but this method could be used in any system that uses certificates to secure connections. If the PDC uses X.509 certificates for authentication, then a man-in-the-middle attack between the PDC and the PMU would be possible [13]. To prevent this type of attack, clients need to authenticate the server they connect to [26].
Packet Analysis
The contents of PMU TCP/IP packets are susceptible to packet analysis (sniffing). Programs such as Wireshark [62] allow attackers to look at traffic sent across the network. If encryption is not used, all information communicated can be seen by the attacker. In [55], researchers used Wireshark [http://www.wireshark.org/] to analyze a synchrophasor network. They found that the packets were in clear text. This makes it possible for an attacker to obtain passwords and other information sent across the network. To further evaluate the network, the researchers [55] added a security gateway to the network. The packets are then sent through a virtual private network (VPN) tunnel. Since all of the packets are sent over a VPN, the traffic is encrypted. VPNs create a virtual network that connects two trusted sub-networks. The packets sent within the VPN travel in a secure tunnel between clients. To secure communications, VPN tunnels commonly use the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) or Secure Shell (SSH) protocols. To ensure a secure connection, the parties on the network use X.509 certificates to authenticate users and then exchange symmetric keys. This process is supposed to provide the system with security, but it may have implementation and design errors. Known attacks on SSL/TLS include [64]:
- DNS cache poisoning, where the attacker sends spoofed responses to the DNS server instead of the user. This causes the DNS server to retain faulty information and return wrong IP addresses when queried.
- ARP poisoning, where the attacker broadcasts an ARP packet containing the desired IP address and their own MAC address. Computers then cache that IP address against the attacker's MAC address, and all information sent to the desired IP address is routed through the attacker's computer.
- Man-in-the-middle attacks, which occur when attackers make independent connections with victims and relay messages between them.
- TLS/SSL certificate attacks, which occur when attackers authenticate themselves on the network using compromised or faulty certificates.
VPNs are essential for securing traffic, but they need to be carefully implemented and their security verified. These attacks have been shown to work on networks; research still needs to be conducted to see their impact on PMU networks.
In general, existing DoS attacks can happen at a variety of communication layers in the Smart Grid, as shown in Table 1. DoS attacks also attempt to delay, block or corrupt communication in the WAMS.
Table. Denial of service attacks in power system
Communication layer | Attacks in power system
Application layer   | –
Network layer       | Traffic flooding
Transport layer     | Buffer flooding
MAC layer           | ARP spoofing
Physical layer      | Jamming in substation
Channel jamming (e.g., [29, 30]) is one of the most efficient ways to launch physical layer DoS attacks, especially against wireless communications. Since intruders only need to connect to communication channels rather than to authenticated networks, it is very easy for them to launch DoS attacks at the physical layer. A recent work [31] has shown that jamming attacks can lead to a wide range of damage to the network performance of power substation systems, from delayed delivery of time-critical messages to complete denial of service.
The MAC layer is responsible for reliable point-to-point communication as well as fairness. An attacker (e.g., a compromised device) may deliberately modify its MAC parameters (e.g., backoff parameters [32]) to gain better opportunities to access the network at the cost of performance degradation for the others sharing the same communication channel. Therefore, MAC layer misbehavior can lead to a weak version of DoS attacks. In the Smart Grid, spoofing is a relatively harmful threat at the MAC layer because it targets both availability and integrity. A spoofing attacker, by taking advantage of the openness of the address fields in a MAC frame, can masquerade as another device to send fake information to other devices. For example, in a power substation network, a malicious node can broadcast forged Address Resolution Protocol (ARP) packets to shut down the connections of all IEDs to the substation gateway node [33].
Network and transport layers
According to the TCP/IP protocol model, these two layers need to provide reliability control for information delivery over multi-hop communication networks. DoS attacks at both layers, such as distributed traffic flooding and worm propagation attacks on the Internet [34, 35], can severely degrade end-to-end communication performance.
Recently, a few studies [36, 37] have evaluated the impact of network/transport-layer DoS attacks on the network performance of power systems. For example, a recent study investigated the impact of a buffer-flooding attack on a DNP3-based SCADA network with real SCADA system hardware and software, and showed that the current SCADA system is quite vulnerable to this DoS attack [37].
Application layer.
Lower-layer attacks focus mainly on transmission bandwidth in communication channels, computers or routers. Application-layer DoS attacks, however, aim to exhaust the resources of a computer, such as CPU or I/O bandwidth. As shown in [38], application-layer attacks can easily overwhelm a computer with limited computing resources by flooding it with computationally intensive requests. Since millions of computing and communication devices in the Smart Grid have limited computational ability, they are potential victims of application-layer DoS attacks.
In general, DoS attackers attempt to consume system resources, such as bandwidth, to prevent legitimate users from accessing the system. One common type is the Internet Control Message Protocol (ICMP) Smurf attack: the attacker sends an ICMP echo request to a network's broadcast address with the source address forged to be the victim's IP address, so every host that accepts the request sends its echo reply to the victim [39]. While DoS attacks on traditional IP networks are well studied, DoS attacks can also be performed on PMU networks. Researchers in [40] tested DoS attacks such as network-layer attacks, ICMP attacks, transport-layer attacks, Local Area Network Denial (LAND) attacks and teardrop attacks against a PMU network. These attacks take advantage of weaknesses in network protocols, and the dependence of PMU networks on real-time measurement data makes them particularly vulnerable. If an attacker targets multiple PMUs, all measurements from those PMUs would be dropped or delayed. This could cause inaccurate estimates of the state of the transmission system, delayed mitigation of power system problems, or total failure of measurement devices along the network.
One possible defense against DoS attacks on PMU networks is an 'air gap', which physically isolates the network: an air-gapped network has no physical connection to the larger internet. This isolation is costly, and it only helps against attacks that originate outside the isolated network; a compromised device inside it can still flood the others. Other common DoS countermeasures are large-bandwidth connections, to ensure the network can absorb the traffic, and distributed or redundant infrastructure, so that no single link or server becomes the bottleneck.
The denial of service (DoS) attack is a common attack method in computer networks. It attempts to prevent a provider from supplying its resources and functions to its users. In communication networks, the main targets of DoS attacks are popular website servers, data centers, wireless communication base stations, and so on. The consequences of a DoS attack include:
- The computational or communication resources of the target are exhausted, leaving nothing to supply normal services.
- System configuration information, such as packet routing information, is disrupted, so that information cannot reach its destination properly.
- Packet state information is tampered with, so that the system executes a wrong operation.
- Physical damage is done to the service provider or the communication medium, so that no connection is available between the users and the provider.
There are dozens of DoS attack methods in cyber networks. Among them, the flooding DoS attack is one of the most common: it saturates the network channel or the server by repeatedly sending packets that the server must process, so that the server has no time to respond to other requests; ICMP floods and TCP synchronize (SYN) floods are typical examples. For some time-critical applications, the required end-to-end delay is less than 50 ms [41], so these applications are especially vulnerable to DoS attack.
Defenses against DoS attacks usually involve firewalls that detect the attacks, or routers configured to classify traffic and block illegitimate flows. The researchers in [42] ran experiments to evaluate the impact of DoS attacks on the transmission delay of a smart grid communication network.
Different protocols can be vulnerable to DoS attacks. As IEC 61850 is based on Ethernet and TCP/IP [27], IEDs in a substation can become targets of DoS attacks such as traffic flooding and TCP SYN floods.
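The two flood signatures discussed above, the ICMP Smurf reflection and the TCP SYN flood, can be picked out of packet or flow logs by per-destination counting within a short time window. The following Python is an added example, not part of the original essay or of any product; the traffic records, the addresses (10.1.1.10 standing for a PDC, 10.1.1.20 for a PMU) and the thresholds are constructed for illustration.

```python
"""Flood detection over constructed per-packet records (added example)."""
from collections import defaultdict


def make_sample():
    """Constructed traffic: (t_seconds, src, dst, proto, info). Not captured data."""
    recs = []
    # Benign: PDC 10.1.1.10 opens a C37.118 TCP session to PMU 10.1.1.20 and pings it once.
    recs.append((0.00, "10.1.1.10", "10.1.1.20", "tcp", "SYN"))
    recs.append((0.01, "10.1.1.20", "10.1.1.10", "tcp", "SYN-ACK"))
    recs.append((0.02, "10.1.1.10", "10.1.1.20", "tcp", "ACK"))
    recs.append((0.50, "10.1.1.10", "10.1.1.20", "icmp", "echo-request"))
    recs.append((0.51, "10.1.1.20", "10.1.1.10", "icmp", "echo-reply"))
    # Smurf: 60 hosts on an amplifier LAN answer a broadcast echo request whose
    # source address was forged to the PDC, so every reply lands on the PDC.
    for i in range(60):
        recs.append((5.0 + i * 0.001, f"192.0.2.{i + 1}", "10.1.1.10", "icmp", "echo-reply"))
    # SYN flood: 30 forged sources half-open connections to the PMU and never ACK.
    for i in range(30):
        recs.append((9.0 + i * 0.002, f"198.51.100.{i + 1}", "10.1.1.20", "tcp", "SYN"))
    return recs


def detect_floods(records, window=1.0, icmp_threshold=50, syn_threshold=20):
    """Return (kind, victim, count) alerts.

    Smurf signature: a host receives far more ICMP echo replies inside one
    window than the echo requests it sent itself.
    SYN-flood signature: a host receives SYNs from many sources that never
    complete the handshake with an ACK inside the same window.
    """
    buckets = defaultdict(lambda: {"reply": 0, "req_out": 0, "syn": set(), "ack": set()})
    for t, src, dst, proto, info in records:
        b = int(t // window)                     # fixed time bucket
        if proto == "icmp":
            if info == "echo-reply":
                buckets[(b, dst)]["reply"] += 1
            elif info == "echo-request":
                buckets[(b, src)]["req_out"] += 1   # requests the host itself sent
        elif proto == "tcp":
            if info == "SYN":
                buckets[(b, dst)]["syn"].add(src)
            elif info == "ACK":
                buckets[(b, dst)]["ack"].add(src)
    alerts = []
    for (b, host), c in sorted(buckets.items()):
        unsolicited = c["reply"] - c["req_out"]
        if unsolicited >= icmp_threshold:
            alerts.append(("smurf", host, unsolicited))
        half_open = c["syn"] - c["ack"]
        if len(half_open) >= syn_threshold:
            alerts.append(("syn_flood", host, len(half_open)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample()):
        print(alert)
```

The benign session produces no alert because its SYN is matched by an ACK from the same source and the single echo reply is matched by an outbound request; the thresholds have to be tuned to the real polling rate of the PDC, since a legitimate PDC that polls many PMUs also generates many SYNs.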
Attacks targeting integrity and confidentiality
Unlike DoS attacks, which can be launched at various layers, attacks targeting integrity and confidentiality generally occur at the application layer, since they attempt to acquire or manipulate data in the WAMS. Attacks targeting data integrity are less brute-force yet more sophisticated than DoS attacks: they attempt to stealthily modify data in order to corrupt critical information exchange in the WAMS. The target can be either customers' information (e.g., pricing information and account balances) or status values of the power system (e.g., voltage readings and device running status). Because such information is valuable to both end users and utility companies, fault-tolerant and integrity-check methods are deployed in power systems to protect data integrity [45]. Note, however, that plain checksums and CRCs only detect accidental corruption, since a deliberate modifier can recompute them; the risk of integrity attacks is therefore real unless a keyed integrity check is used.
Packet Injection Attacks
Packet injection can be classified into two subgroups: sensor measurement injection and command injection [18]. Sensor measurement injection attacks inject false sensor measurement data into a control system, which attackers can use to make control algorithms take misinformed decisions. Command injection attacks inject false control commands into a control system.
Synchrophasor System Security Measures
The Synchrophasor system security measures are divided into two groups
1) Substation Security Measures
2) Information Security Measures
Substation Security Measures
Security Gateway
One of the main security concerns in a synchrophasor system is attack on the substation network and the cyber assets within it. PMUs and PDCs need to be shielded from the larger network. One way to protect the substation from external cyber attack is to secure its access points and limit their exposure to the outside world. Attacks on the substation will most likely come through these access points, since they connect the substation to other systems. As shown in the figure, PMUs that send data outside the substation sit behind a security gateway device. Such security gateways combine the roles of a firewall and a Virtual Private Network (VPN) endpoint.
The security gateway provides the interface between the critical network components and the internet, and gives the network a firewall [55]. In [56] the authors suggest that a firewall should have three main properties: all traffic must pass through it, only trusted traffic may pass, and the firewall itself is immune to penetration. All traffic from the PMU to the PDC, or from the PDC to the PMU, must pass through the security gateway. The gateway generally uses a deny-by-default approach (also known as a white-list or allow-list) to filter traffic: if the host trying to reach the PMU or PDC is not on the gateway's trusted list, its packets are not allowed through. So, if the security gateway is configured correctly, only traffic from the trusted list may pass. Although this provides some security, data spoofing remains a threat, since an address-based allow-list cannot tell a forged source address from a genuine one.
Figure Security Gateway as a Firewall
The figure shows the PMU and PDC being shielded from the wider network by the security gateway; the protected side is typically a substation local area network behind the gateway. The other job of the security gateway is to establish a VPN. Establishing a VPN between substations allows measurement and configuration data to be sent securely between them.
The security gateway uses the IPsec protocol to establish VPN connections. IPsec uses the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols to secure data [57]. Once the payload is encrypted, it is sent across the network. When it reaches the designated security gateway, that gateway checks the anti-replay sequence numbers to reject replayed or excessively delayed packets, verifies their integrity and decrypts them [57]. The measurements are then recorded in the PDC's database.
Firewalls:
Firewalls are like virtual walls that restrict the entry and exit of information, i.e. incoming and outgoing network traffic, according to the rules and policies defined by the users. A white-list approach is recommended for substation security when setting the firewall rules and policies: all traffic is blocked and only data explicitly permitted by the rules is allowed to pass. With the white-list approach, only the data that must be delivered to the client outside the substation is allowed out. Moreover, gateway devices make the access points behind them, such as PMU devices, invisible to entities outside the gateway; they are visible only to the clients to whom the data is delivered. Figure 4-5 shows an example of a firewall and where it is normally positioned in the security architecture [55].
Virtual Private Network (VPN):
A VPN is normally used to encrypt the synchrophasor data and separate it from other traffic in the network. The termination points of the VPN tunnel are the security gateway device of the substation and a device that supports the same VPN protocol at the control center. Thus synchrophasor data flow across the untrusted network in encrypted form and are decrypted at the other termination point, which then delivers them to the client. The main advantage of this arrangement is that the client, PMU or PDC devices do not themselves have to support any encryption to protect the data from an attacker; the corresponding caveat is that the data are in the clear on the substation and control-center LANs on either side of the tunnel. Figure 4-6 shows an example of the VPN working together with the firewall [55].
In this multilayer architecture, the PDC can act as an additional layer that avoids direct access to the PMU: the client receives data from the PDC instead of directly from the PMU. This minimizes the need for the client to access PMU settings directly. For example, if the IP settings of the control center change, it is sufficient to change the settings of the PDC by remote access instead of changing the settings of every individual PMU.
Even with the multilayer architecture, the synchrophasor traffic still has to cross the untrusted network. For this, unidirectional synchrophasor streams, normally known as UDP Secure (UDP_S), can be used. Because the stream is unidirectional, UDP_S allows simpler and more restrictive firewall rules: the only traffic allowed is UDP datagrams from the server to a given destination endpoint, and all other incoming and outgoing traffic is blocked. Since the server sends the datagrams spontaneously rather than in response to client requests, the client does not need to be addressable on the network and can be made invisible to it. UDP_S is also secure against spoofing attacks, because the server does not accept command frames such as the 'stop transmission' command over this stream [55].
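To make the deny-by-default gateway and the UDP_S rule concrete, the following Python is an added example, not code from the essay or from any vendor's gateway. It builds and parses minimal IEEE C37.118.2-style frames using the layout as I understand it from the standard (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, body, CRC-CCITT check), then applies the gateway policy: in bidirectional mode a client may send command frames to the PMU, in UDP_S mode nothing addressed to the PMU passes. The addresses and the UDP port 4713 (the default suggested by C37.118.2; sites may differ) are assumptions.

```python
"""Substation gateway allow-list with and without UDP_S (added example)."""
import struct

SYNC_FIRST = 0xAA
FRAME_TYPES = {0: "data", 1: "header", 2: "cfg1", 3: "cfg2", 4: "command", 5: "cfg3"}
CMD_STOP, CMD_START = 1, 2          # C37.118.2 command codes: transmission off / on

# Assumed for the example: PMU and client addresses, C37.118.2 default UDP port.
PMU_ADDR, CLIENT_ADDR, C37118_UDP_PORT = "10.1.1.20", "10.1.1.10", 4713


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT (poly 0x1021, init 0xFFFF, no final XOR) as used for the CHK field."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(ftype: int, idcode: int, soc: int, fracsec: int, body: bytes, version: int = 1) -> bytes:
    """SYNC(2) FRAMESIZE(2) IDCODE(2) SOC(4) FRACSEC(4) body CHK(2), all big-endian."""
    sync = bytes([SYNC_FIRST, (ftype << 4) | version])
    size = 14 + len(body) + 2
    frame = sync + struct.pack(">HHII", size, idcode, soc, fracsec) + body
    return frame + struct.pack(">H", crc_ccitt(frame))


def parse_frame(frame: bytes) -> dict:
    """Validate SYNC, FRAMESIZE and CHK, then classify the frame."""
    if len(frame) < 16 or frame[0] != SYNC_FIRST:
        raise ValueError("not a C37.118 frame")
    size, idcode, soc, fracsec = struct.unpack(">HHII", frame[2:14])
    if size != len(frame):
        raise ValueError("FRAMESIZE mismatch")
    if crc_ccitt(frame[:-2]) != struct.unpack(">H", frame[-2:])[0]:
        raise ValueError("CHK mismatch")
    info = {"type": FRAME_TYPES.get((frame[1] >> 4) & 0x7, "reserved"),
            "idcode": idcode, "soc": soc, "fracsec": fracsec}
    if info["type"] == "command":
        info["cmd"] = struct.unpack(">H", frame[14:16])[0]
    return info


def gateway_decision(pkt: dict, unidirectional: bool) -> tuple:
    """Allow-list filter at the substation gateway; pkt has src, dst, dport, payload.

    Bidirectional mode: PMU -> client streams and client -> PMU commands both pass.
    UDP_S mode: only PMU -> client datagrams pass; anything addressed to the PMU,
    including a well-formed 'stop transmission' command, is dropped unseen.
    """
    if pkt["dport"] != C37118_UDP_PORT:
        return ("drop", "port not on allow-list")
    if pkt["src"] == PMU_ADDR and pkt["dst"] == CLIENT_ADDR:
        direction = "outbound"
    elif pkt["src"] == CLIENT_ADDR and pkt["dst"] == PMU_ADDR:
        if unidirectional:
            return ("drop", "UDP_S: no inbound traffic to the PMU")
        direction = "inbound"
    else:
        return ("drop", "endpoint pair not on allow-list")
    try:
        info = parse_frame(pkt["payload"])
    except ValueError as err:
        return ("drop", f"malformed frame: {err}")
    return ("allow", f"{direction} {info['type']} frame")


def demo() -> dict:
    """Forged STOP command (valid CRC, spoofed client address) against both gateway modes."""
    stop = build_frame(4, 7, 1_700_000_000, 0, struct.pack(">H", CMD_STOP))
    forged = {"src": CLIENT_ADDR, "dst": PMU_ADDR, "dport": C37118_UDP_PORT, "payload": stop}
    data = build_frame(0, 7, 1_700_000_000, 0, b"\x00\x00" + b"\x42" * 8)   # constructed body
    stream = {"src": PMU_ADDR, "dst": CLIENT_ADDR, "dport": C37118_UDP_PORT, "payload": data}
    corrupt = dict(stream, payload=data[:20] + bytes([data[20] ^ 0xFF]) + data[21:])
    return {
        "forged_stop_bidirectional": gateway_decision(forged, unidirectional=False),
        "forged_stop_udp_s": gateway_decision(forged, unidirectional=True),
        "stream_udp_s": gateway_decision(stream, unidirectional=True),
        "corrupt_stream_udp_s": gateway_decision(corrupt, unidirectional=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The point of the demo is that the forged STOP command is accepted in bidirectional mode: the CRC is not a security check (the attacker simply computes it) and the source address is whatever the attacker writes into the packet, so an address-based allow-list cannot reject it. UDP_S removes the inbound path entirely, so the PMU never sees the command; the corrupted stream is dropped only because of the CHK mismatch, which catches accidental damage, not deliberate modification.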
Four primary tunneling protocols are currently relevant to VPNs:
- Layer 2 Tunneling Protocol (L2TP) tunnel
- Layer 2 Forwarding (L2F) tunnel
- IP Security (IPsec) tunnel
- Generic Routing Encapsulation (GRE) tunnel
IP Security
IPsec can be used in conjunction with IEEE C37.118 communication to provide security services such as access control, data integrity, authentication, confidentiality (encryption) and replay protection at the IP layer and for the layers above it [55]. IPsec combines several cryptographic services and works at the network layer of the Open Systems Interconnection (OSI) model to provide confidentiality, integrity, authentication and access control. IPsec is an open IETF standard rather than a proprietary protocol, and can be configured for different WAMS applications. It can be implemented through the IPsec services provided by operating systems, or through hardware devices such as routers, firewalls and VPN concentrators.
IPsec is the de facto VPN protocol for securing WAMS traffic across a WAN. It can operate in two modes, tunnel mode and transport mode. Tunnel mode encapsulates entire IP packets; transport mode protects primarily the upper-layer protocols. Which mode is used depends on the requirements and on how IPsec is deployed: transport mode is used for end-to-end communication when the PMU (or PDC) and the control-center host are themselves the IPsec endpoints, whereas gateway-to-gateway VPNs use tunnel mode.
In tunnel mode, the entire original IP packet is protected by IPsec: IPsec wraps the original packet, encrypts it, adds a new outer IP header and sends it to the other side of the VPN tunnel. Tunneling therefore increases the length of IP packets. In transport mode, by contrast, the IPsec header (AH or ESP) is inserted between the original IP header and the upper-layer protocol, and only the payload is protected. Of AH and ESP, ESP is the one most commonly used in IPsec VPN tunnel configurations.
When IPsec is implemented as part of the WAMS application or in the operating system, transport mode can be used, where only the payload of the Internet Protocol (IP) packet is encrypted. When IPsec is implemented in a hardware gateway, tunnel mode is used, where the whole packet is encrypted and encapsulated into a new packet with a new IP header. IPsec supports two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication, message integrity (covering the immutable fields of the IP header as well) and anti-replay protection but no confidentiality, whereas ESP provides confidentiality, authentication, integrity and anti-replay protection. Because AH authenticates the IP header it does not survive network address translation, which is a further reason ESP is normally preferred.
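Both the gateway's check for replayed packets described under Security Gateway and the anti-replay service of ESP and AH just mentioned rest on the same mechanism: a per-security-association sliding window over the 32-bit sequence numbers. The following Python is an added example modelled on the algorithm in RFC 4303 Appendix A; it is not code from the essay or from any IPsec implementation, and the window size of 64 is the customary default rather than anything the essay specifies.

```python
"""IPsec-style anti-replay window (added example, after RFC 4303 Appendix A)."""


class ReplayWindow:
    """Sliding anti-replay window over monotonically increasing sequence numbers.

    A packet is accepted if its number is newer than anything seen so far, or
    if it lies inside the window and has not been seen; it is rejected if it is
    older than the window's left edge or already recorded. The integrity check
    (ESP/AH ICV) must pass BEFORE the window is updated, otherwise forged
    packets could advance the window and lock out genuine ones.
    """

    MIN_SIZE = 32      # RFC 4303 requires at least 32; 64 is the usual default

    def __init__(self, size: int = 64):
        if size < self.MIN_SIZE:
            raise ValueError("window smaller than the RFC 4303 minimum")
        self.size = size
        self.last = 0          # highest sequence number accepted so far
        self.bitmap = 0        # bit i set  <=>  sequence number (last - i) was received

    def check(self, seq: int) -> bool:
        """Return True and record seq if acceptable; False (no state change) otherwise."""
        if seq == 0:
            return False                     # ESP sequence numbers start at 1
        if seq > self.last:                  # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.last)) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                     # older than the window: too late, reject
        if self.bitmap & (1 << diff):
            return False                     # already received: replay
        self.bitmap |= 1 << diff             # late but unseen: accept and record
        return True


def replay_verdicts(seqs, size: int = 64) -> list:
    """Feed received sequence numbers through one window and return accept/reject flags."""
    window = ReplayWindow(size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: mild reordering (3 before 2) is tolerated, a duplicate
    # and a packet older than the window are rejected.
    seqs = [1, 3, 2, 2, 100, 36, 37, 0]
    for seq, ok in zip(seqs, replay_verdicts(seqs)):
        print(f"seq {seq:4d}: {'accept' if ok else 'reject'}")
```

A delayed packet is therefore only "too late" once more than 64 newer packets have arrived; for a 30 or 60 frames-per-second synchrophasor stream that is a window of one or two seconds, which is the reason the gateway can treat excessively delayed datagrams the same way as replays.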
Information Security Measures
A cyber attack is not limited to the substation; it may also target the data coming out of the substation. Security requirements such as confidentiality, integrity, availability and authentication should be maintained end-to-end in the synchrophasor system, all the way from the PMU devices and substations across the wide-area networks (WANs) to the end-user application. As synchrophasor data are used in power system monitoring and control, a successful attack on these data can be dangerous. In this section, best practices for information security in the synchrophasor system are discussed [55].
Data Transmission
To ensure the integrity and authenticity of messages, mutual authentication should be used between substations and clients, and the data should carry an integrity check. The information in the synchrophasor system must be encrypted to provide data confidentiality. Synchrophasor systems use a VPN for this: the data are encrypted at one VPN endpoint, cross the network in encrypted form, and are decrypted at the other endpoint and delivered to the client.
Data Handling Practices
In a synchrophasor system, data are exchanged not only between the substation and the utilities but also between the substation and third-party contractors. Reuse or disclosure of data by third parties could affect the operation and reliability of the power system and the quality of the delivered energy. Data transmission must therefore be secured so that only authorized entities can access the data, and only the necessary information is exchanged with outside entities.
Encryption
Encryption is an elementary cryptographic method for achieving secure communication and information protection in any information system. Well-designed encryption schemes are the essential mechanism for protecting data confidentiality in the synchrophasor system; integrity additionally requires an authentication mechanism (a message authentication code or a digital signature), since encryption alone does not stop an attacker from altering the ciphertext.
Data in a synchrophasor system are mainly transmitted over IP networks or direct serial links. Communication links connect the various substations to one another and to control centers. These links cannot be trusted, as they may pass through untrusted networks, which exposes the synchrophasor data to many threats and attacks if confidentiality and integrity are not maintained. One solution is to encrypt the data at the link layer or at the IP layer while they cross these untrusted networks.
Encryption schemes can be based on symmetric-key cryptography (e.g., AES; DES is obsolete and should no longer be deployed) or asymmetric-key cryptography (e.g., RSA). Symmetric-key cryptography uses the same key for encryption and decryption. Asymmetric or public-key cryptography uses a public key to encrypt and the corresponding private key to decrypt. Many works in the literature [] have provided comprehensive comparisons of symmetric and asymmetric schemes for network protocol design.
Asymmetric-key cryptography requires considerably more computation than symmetric-key cryptography, and the cost grows with key size (strong security means long keys). Symmetric-key cryptography requires approximately constant computational resources regardless of key size; however, it requires secure exchange and update of secret keys among network nodes, which complicates key management.
Authentication is a crucial process for defeating attacks on data integrity. In a message authentication code (MAC) based protocol, a MAC is generated with a keyed hash function and appended to the message. The MAC is redundancy with respect to the information the message carries, making the message longer to transmit, but it establishes the authenticity of the source: the longer the MAC, the harder it is to forge. Hence a good trade-off between redundancy and security is always desirable.
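As an added example that is not part of the essay, the following Python shows a keyed-hash MAC (HMAC-SHA256) appended to a frame, the truncation trade-off the paragraph describes, and the receiver's verification check. The key and the frame bytes are constructed placeholders; a real deployment would derive the key per link from the key-management scheme discussed further below.

```python
"""Keyed-hash message authentication with a length/security trade-off (added example)."""
import hashlib
import hmac


def make_tag(key: bytes, message: bytes, tag_len: int = 32) -> bytes:
    """HMAC-SHA256 over the message, truncated to tag_len bytes (8..32)."""
    if not 8 <= tag_len <= 32:
        raise ValueError("tag length must be between 8 and 32 bytes")
    return hmac.new(key, message, hashlib.sha256).digest()[:tag_len]


def protect(key: bytes, message: bytes, tag_len: int = 32) -> bytes:
    """Sender side: transmit message || tag."""
    return message + make_tag(key, message, tag_len)


def verify(key: bytes, blob: bytes, tag_len: int = 32):
    """Receiver side: return the message if its tag is valid, else None.

    compare_digest runs in constant time, so the reply does not leak how many
    leading tag bytes were correct (a byte-at-a-time forgery would otherwise
    need only 256 * tag_len guesses instead of 256 ** tag_len).
    """
    if len(blob) <= tag_len:
        return None
    message, tag = blob[:-tag_len], blob[-tag_len:]
    if hmac.compare_digest(make_tag(key, message, tag_len), tag):
        return message
    return None


def forgery_work(tag_len: int) -> int:
    """Expected number of blind guesses to forge a tag of tag_len bytes."""
    return 2 ** (8 * tag_len)


def demo() -> dict:
    """Constructed key and frame: acceptance, tamper detection, and overhead per tag size."""
    key = bytes(range(32))                                  # placeholder key, NOT for real use
    frame = b"PMU-7 SOC=1700000000 FRACSEC=0 V=132.4kV ANG=-12.7"   # constructed payload
    results = {}
    for tag_len in (8, 16, 32):
        blob = protect(key, frame, tag_len)
        tampered = bytearray(blob)
        tampered[30] ^= 0x01                                # flip one bit of the voltage, tag untouched
        results[tag_len] = {
            "overhead_bytes": len(blob) - len(frame),
            "genuine_accepted": verify(key, blob, tag_len) == frame,
            "tampered_accepted": verify(key, bytes(tampered), tag_len) is not None,
            "wrong_key_accepted": verify(bytes(32), blob, tag_len) is not None,
            "forgery_guesses": forgery_work(tag_len),
        }
    return results


if __name__ == "__main__":
    for tag_len, r in demo().items():
        print(f"tag {tag_len:2d} bytes: +{r['overhead_bytes']} bytes, "
              f"forgery ~2^{8 * tag_len}, tampered accepted={r['tampered_accepted']}")
```

Unlike the CRC carried in a C37.118 frame, the tag cannot be recomputed by someone who lacks the key, so a single flipped bit is detected whatever the tag length; what the tag length changes is the cost of a blind forgery, from about 2^64 attempts at 8 bytes to 2^256 at the full 32, against an extra 8 to 32 bytes on every frame.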
The computation involved in authentication (e.g., digital signing and verification) must be fast enough to meet the timing requirements of messages in the Smart Grid. In public-key based multicast authentication, all receivers hold the public key of the sender. The sender signs a message with its own private key, and each receiver uses the sender's public key to verify the message.
Key management is another critical process to ensure the secure operation of the Smart Grid. Based on cryptographic primitives, key management can be also classified into public key infrastructure and symmetric key management.
Public key infrastructure (PKI). PKI binds public keys to unique user identities through a certificate authority (CA). Users obtain the certified public keys of their counterparts from the CA before initiating secure and trustworthy communication with each other. Metke et al. in [62] propose a security solution for the smart grid utilizing PKI together with trusted computing.
Symmetric key management. This is the key management scheme for symmetric cryptography, which includes key generation, key distribution, key storage, and key update. Accordingly, it requires more coordination and interaction between two or more entities than PKI. However, the advantage of symmetric key cryptography is the efficiency for large amounts of data.
Key management for conventional computer networks has been well categorized and summarized in several survey papers []. As key management is a critical mechanism for Smart Grid security, the NIST report has made considerable efforts to discuss the security issues associated with key management in the Smart Grid.
Link Layer Encryption:
Link layer encryption takes place at the data link level between the two ends of each transmission link in the network, where the communication link cannot be trusted. The plaintext is encrypted by the source and sent to the far end of the link, where it is decrypted; that end may be the final destination or an intermediate access point, in which case the data are encrypted again and sent on to the next hop. This continues until the data reach their destination. Each link can use a different encryption algorithm, or the same algorithm with a different key. Note that with link encryption the data are in plaintext inside every intermediate node, so those nodes must be trusted. Various encryption methods are available at the link layer, depending on the communication link used. For example, a serial link encryptor can be inserted on an EIA-232 (RS-232) serial line, and a SONET multiplexer with built-in encryption can provide security similar to end-to-end encryption but at much higher data rates.
The list of security concerns for synchrophasor systems and the best practices to deal with them is shown in the table below.

Table: Security Concerns and their Solutions [55]

Concern                                       Solution
External attack on PMU /                      Multilayered security architecture;
unauthorized access to substations            firewalls and VPNs; UDP_S;
                                              disable unused ports and devices
Traffic flowing through an untrusted network  UDP_S
Spoofing                                      UDP_S
Confidentiality                               VPNs or link encryption
Integrity                                     VPNs or link encryption
Availability                                  Limited exposure of communication link
Real-time status and notification             Logic checks for data availability and validity
Denial of Service (DoS) attack                Firewalls
Source: Essay Sauce, Cyber threats in Wide Area Monitoring System (Information technology essays), published 15 October 2015, last modified 23 July 2024. Available from: <https://www.essaysauce.com/information-technology-essays/essay-cyber-threats-in-wide-area-monitoring-system/>