Cyber security of the smart grid control systems: intrusion detection in IEC 61850 communication networks


Information and Communication Technologies have been pervading Industrial Automation and Control Systems (IACS) for a few decades now. Initially, IACS ran proprietary protocols on closed networks, thus ensuring some level of security through obscurity and isolation. Technologies and usages have evolved, though, and today this intrinsic security no longer exists. This transition is in progress in the electricity domain, where the power infrastructure is turning into the "smart grid". The IEC 61850 standard is key to the smart grid development. It is aimed at making interoperability possible in "Communication networks and systems for power utility automation". It thus defines a common data object model and a stack of protocols answering different purposes. Although the cyber risk in IACS is now widely acknowledged, IEC 61850 does not address cyber security in any way whatsoever. This work tackles the question of cyber security through network intrusion detection in IEC 61850 networks, and more specifically in real-time GOOSE communications. The idea is to get the most out of the protocol specifications and system configuration while developing a tailored NIDS, which makes accurate detection possible.
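As an added illustration of the approach the abstract describes (a NIDS that draws on both the protocol specification and the system configuration), the Python below runs two families of checks over a constructed GOOSE trace: static identifiers compared against what the configuration says each publisher should send, and the stNum/sqNum counters compared against the retransmission rules of the protocol. It is not code from the thesis: the header field names and counter rules follow IEC 61850-8-1, while the publisher table (standing in for values that would be read from the SCL file), the `GooseMonitor` class, the `analyse` function and every sample frame are assumptions made for this example.

```python
"""Configuration- and specification-based anomaly checks for IEC 61850 GOOSE frames.
Added example, not code from the thesis: field names and counter rules follow
IEC 61850-8-1; the publisher table, the monitor API and the trace are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UINT32 = 0xFFFFFFFF


@dataclass(frozen=True)
class GooseHeader:
    """Decoded header of one GOOSE frame (data values omitted)."""
    appid: int      # APPID from the Ethertype PDU
    gocb_ref: str   # gocbRef
    go_id: str      # goID
    dat_set: str    # datSet
    conf_rev: int   # confRev
    st_num: int     # stNum: incremented on every data change
    sq_num: int     # sqNum: 0 on a data change, then +1 per retransmission
    ttl_ms: int     # timeAllowedToLive (ms)
    ts_ms: int      # capture time in ms (constructed)


@dataclass(frozen=True)
class PublisherSpec:
    """Static values for one publisher, as they would be read from the SCL file."""
    gocb_ref: str
    go_id: str
    dat_set: str
    conf_rev: int
    max_ttl_ms: int


class GooseMonitor:
    """Checks static fields against the configuration and counters against the protocol."""

    def __init__(self, publishers: Dict[int, PublisherSpec]):
        self.publishers = publishers
        self.last: Dict[int, GooseHeader] = {}   # last frame seen per APPID

    def check(self, h: GooseHeader) -> List[str]:
        tag = f"appid=0x{h.appid:04x}"
        spec = self.publishers.get(h.appid)
        if spec is None:
            return [f"{tag}: publisher not in configuration"]
        alerts: List[str] = []
        # Configuration-derived checks: these fields are fixed by the SCL file.
        for name, got, want in (("gocbRef", h.gocb_ref, spec.gocb_ref), ("goID", h.go_id, spec.go_id),
                                ("datSet", h.dat_set, spec.dat_set), ("confRev", h.conf_rev, spec.conf_rev)):
            if got != want:
                alerts.append(f"{tag}: {name}={got!r} differs from configured {want!r}")
        if h.ttl_ms > spec.max_ttl_ms:
            alerts.append(f"{tag}: timeAllowedToLive={h.ttl_ms} exceeds configured {spec.max_ttl_ms}")
        prev = self.last.get(h.appid)
        if prev is not None:
            alerts.extend(self._check_counters(tag, h, prev))
            gap = h.ts_ms - prev.ts_ms
            if gap > prev.ttl_ms:  # a subscriber would declare the publisher lost here
                alerts.append(f"{tag}: {gap} ms silence exceeds timeAllowedToLive={prev.ttl_ms}")
        self.last[h.appid] = h
        return alerts

    @staticmethod
    def _check_counters(tag: str, h: GooseHeader, prev: GooseHeader) -> List[str]:
        # Protocol-derived checks on the stNum/sqNum state machine (32-bit wrap to 0 assumed).
        if h.st_num == prev.st_num:
            if h.sq_num != (prev.sq_num + 1) & UINT32:
                return [f"{tag}: sqNum {prev.sq_num} -> {h.sq_num} is not a single increment"]
            return []
        if h.st_num == (prev.st_num + 1) & UINT32:
            return [] if h.sq_num == 0 else [f"{tag}: stNum changed but sqNum={h.sq_num} did not reset to 0"]
        if h.st_num < prev.st_num:
            return [f"{tag}: stNum went backwards {prev.st_num} -> {h.st_num} (stale or replayed state)"]
        return [f"{tag}: stNum jumped {prev.st_num} -> {h.st_num} (more than one state change)"]


def analyse(trace: List[GooseHeader], publishers: Dict[int, PublisherSpec]) -> List[Tuple[int, List[str]]]:
    """Run the monitor over a trace; return (frame index, alerts) for frames that raised alerts."""
    mon = GooseMonitor(publishers)
    return [(i, a) for i, h in enumerate(trace) if (a := mon.check(h))]


# Constructed configuration and trace for one trip-signal publisher (names are made up).
PUBLISHERS = {0x0001: PublisherSpec("IED1PROT/LLN0$GO$gcbTrip", "IED1_Trip", "IED1PROT/LLN0$Trip", 1, 2000)}


def frame(st: int, sq: int, ttl: int, ts: int, appid: int = 0x0001, conf_rev: int = 1) -> GooseHeader:
    return GooseHeader(appid, "IED1PROT/LLN0$GO$gcbTrip", "IED1_Trip", "IED1PROT/LLN0$Trip", conf_rev, st, sq, ttl, ts)


SAMPLE_TRACE = [
    frame(5, 0, 4, 0),                    # 0  data change, fast retransmissions follow
    frame(5, 1, 8, 2),                    # 1
    frame(5, 2, 2000, 6),                 # 2  back to the heartbeat interval
    frame(5, 3, 2000, 1006),              # 3
    frame(5, 4, 2000, 2006),              # 4
    frame(6, 0, 4, 2500),                 # 5  genuine data change
    frame(9, 0, 4, 2502),                 # 6  stNum jumps by three: not a single state change
    frame(6, 1, 8, 2504),                 # 7  the real publisher now looks stale against the 9
    frame(6, 2, 2000, 2508, conf_rev=2),  # 8  confRev differs from the SCL value
    frame(1, 0, 2000, 2510, appid=0xA0),  # 9  APPID absent from the configuration
]

if __name__ == "__main__":
    for idx, alerts in analyse(SAMPLE_TRACE, PUBLISHERS):
        for a in alerts:
            print(f"frame {idx}: {a}")
```

The monitor deliberately adopts every frame it sees as the new baseline, so a frame with an out-of-sequence stNum produces an alert on itself and again when the legitimate publisher's next frame arrives; a deployment would decide whether the baseline should instead only follow frames that passed every check. The `max_ttl_ms` bound and the silence check are what let a monitor tell a publisher that has gone quiet (or is being suppressed) from one that is simply on its long heartbeat interval.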


... As information technology spreads into ever new domains, trends like the Industrial Internet of Things (IIoT) lead to a diversification of the traditional TCP/IP-based protocol stack [7,46]. For example, numerous works that address security in production [10,47,45,32] or energy systems [25,4] show the large demand for deep packet inspection (DPI) of non-IP protocol stacks. This need is also unabated with regard to the proliferation of machine learning, as it has been shown that the knowledge of protocol semantics has a higher influence on the quality of trained models than the applied algorithm [3]. ...
... The need for visibility into GOOSE communication is well recognized. Kabir-Querrec already extended Zeek to parse GOOSE messages [25]. Recently, another patch has been released by the ResiGate project of the Advanced Digital Sciences Center (ADSC) [8]. ...
... Due to the limited practical feasibility of mechanisms to secure GOOSE communication, a lot of recent research particularly addresses attack detection [23,25,4]. For example, Bohara et al. discuss a so-called poisoning attack [4]: During normal operation, GOOSE endpoints regularly send messages announcing their current state. ...
With information technology entering new fields and levels of deployment, e.g., in areas of energy, mobility, and production, network security monitoring needs to be able to cope with those environments and their evolution. However, state-of-the-art Network Security Monitors (NSMs) typically lack the necessary flexibility to handle the diversity of the packet-oriented layers below the abstraction of TCP/IP connections. In this work, we advance the software architecture of a network security monitor to facilitate the flexible integration of lower-layer protocol dissectors while maintaining required performance levels. We proceed in three steps: First, we identify the challenges for modular packet-level analysis, present a refined NSM architecture to address them and specify requirements for its implementation. Second, we evaluate the performance of data structures to be used for protocol dispatching, implement the proposed design into the popular open-source NSM Zeek and assess its impact on the monitor performance. Our experiments show that hash-based data structures for dispatching introduce a significant overhead while array-based approaches qualify for practical application. Finally, we demonstrate the benefits of the proposed architecture and implementation by migrating Zeek's previously hard-coded stack of link and internet layer protocols to the new interface. Furthermore, we implement dissectors for non-IP based industrial communication protocols and leverage them to realize attack detection strategies from recent applied research. We integrate the proposed architecture into the Zeek open-source project and publish the implementation to support the scientific community as well as practitioners, promoting the transfer of research into practice.
... Most of the risk management includes risk assessment. The risk assessment is the "key component", which provides sufficient knowledge, awareness, and understanding of the risks for justifying security measures to reduce the risks [83] in the risk management process. The risk assessment consists of the risk identification step, the risk analysis step, and the risk evaluation step: ...
... The context establishment aims to prepare all necessary input information (such as information on the operation, system, setting risk evaluation criteria, risk acceptance criteria, etc.) for the risk assessment (see Figure 2.1). The context establishment is considered a critical activity influencing the final result [83], [88]. Risk treatment refers to reducing the risks after the risk assessment by implementing different treatment options. ...
... This standard provides processes and best practices to develop, integrate, and assess components with regard to the cybersecurity threat. The IEC 62443 is built on the concepts of the ISO 27005 series and refines them to adapt to the differences between Operational Technology (OT) and Information Technology (IT) [83]. However, the integration of Internet of Things (IoT) devices into IACS has accelerated the convergence of OT and IT and resulted in new cyber-security threats for IACS. ...
Nowadays, the increasing number of Unmanned Aircraft System (UAS) operations raises public concerns on cybersecurity issues. Therefore, methodologies are required to address these issues during UAS development. This is the focal point of our research. This thesis has two significant contributions. Firstly, we propose a system-centric methodology to reinforce the cybersecurity of an existing (or designed) UAS. This methodology provides the user with a workflow to analyze the UAS, identify the possible attack scenarios, and identify suitable countermeasures. We call this methodology "System cybersecurity risk management". Secondly, we propose an operation-centric methodology that considers the cybersecurity issues in the early phase of UAS development (before the UAS is designed). This methodology is an extended version of the Specific Operation Risk assessment methodology (SORA). The SORA is a widely known methodology to assess the risks of UAS operations under the "Specific" category. However, the current stage of the SORA methodology focuses only on safety but ignores cybersecurity. Our extension modules fulfill this missing part. We call our extension methodology Specific Operation Risk assessment for Safety and Cybersecurity (SORA-C2S). Based on this methodology, we built a web-based tool that helps the user perform the risk assessment semi-automatically. This thesis is part of the cooperation between the SOGILIS Company and the GIPSA lab.
... The testbed is used for teaching automation, supervisory control, communication networks, cybersecurity and for research. It was used for the experimental validation of three PhD theses [11,14,3] and as a demonstrator for the Grenoble Alpes Cybersecurity Institute and Nanoelec Research Technological Institute. ...
... Our smart-grid cybersecurity studies were targeted to the triggering of protection functions either by injection of false sampled measures in the SMV flow (a false electrical flow) or by injecting false controller state events (a false command sent to a protection relay via GOOSE protocol). We were also able to inhibit legitimate trip signals via GOOSE protocol corruption. Results on GOOSE protocol were published in [11][12][13]. The SMV attack part together with the datasets will be soon available. ...
Conference Paper
Industrial control systems have been targeted by cyberattacks since Stuxnet in 2010, and attacks have increased in the past years with respect to interconnection with IT systems. Due to their contact with the real world, industrial systems must be protected and engineers must be trained accordingly. In this paper, we present a scalable physical process virtualization platform for cybersecurity study of SCADA systems. Our virtualization platform includes electronic interfaces and a software physical processes simulator, directly connected with the input/output cards of industrial control system hardware. Our system is entirely open source, including electronic card schematics, printed circuit boards, embedded software and physical process simulation software, and provides a reasonable real-time performance.
... This protocol-based approach is often called rule-based, model-based, or specification-based anomaly detection. The papers [42][43][44][45][46][47][48][49] derive the profile regarding IEC 61850 protocols, and the paper [50] proposes an IDS based on the IEC 60870-5-104 and DNP3.0 protocols. The paper [51] proposes an IDS relating to the Modbus protocol, and the paper [52] proposes a framework to generate dynamic rules for multiple protocols. ...
Cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems are becoming more complex and more intelligent. Currently proposed security measures for SCADA systems come under three categories: physical/logical network separation, communication message security, and security monitoring. However, the recent malware which was used successfully to disrupt critical systems shows that these security strategies are necessary, but not sufficient to defend against it. Malware attacks on the SCADA system exploit weaknesses of the host system software environment and take over control of host processes in the SCADA system. In this paper, we explain how the malware interferes in the important process logic and invades the SCADA host process by using Dynamic Link Library (DLL) Injection. As a security measure, we propose an algorithm to block DLL Injection efficiently, and show its effectiveness in defending against real-world malware using the DLL Injection technique by implementing it as a library and testing it against several DLL Injection scenarios. It is expected that this approach can prevent all the hosts in the SCADA system from being taken over by this kind of malicious attack, consequently keeping its sanity all the time.
... In all cases, very little information is given about the experimental conditions. As explained by Kabir-Querrec [Kabir-Querrec, 2017], this shows the lack of maturity of the field and the importance of improving the methods for assessing computer-security risks on industrial systems. One can also note that the approaches take into account either the topology of the system, by looking at the attackers' position and capabilities, or the application logic of the process, but very rarely consider these two aspects together. ...
Industrial systems, often called SCADA (Supervisory Control and Data Acquisition) systems, have been the target of cyber attacks since Stuxnet in 2010. Because of the criticality of their interactions with the real world, they can represent a threat to the environment and to humans. As these systems were physically isolated from the rest of the world in the past, they have mostly been protected against failures and errors (what is called safety). Computer security differs from safety in that an attacker will actively seek to defeat the system and will gain in power over time. One of the challenges in industrial system security is making security properties coexist with the business constraints of the system. We address this question along three research axes. First, we propose a filter dedicated to industrial system communications, allowing properties to be expressed at the application level. Next, we look at the verification of cryptographic protocols applied to industrial protocols such as MODBUS or OPC-UA. Using standard tools of the field, we model the protocols in order to check whether they guarantee confidentiality, authentication and integrity properties. Finally, we propose an approach, named ASPICS (Applicative Attack Scenarios Production for Industrial Control Systems), to check whether safety properties (similar to those checked by the filter) can be defeated by attackers depending on their position and capabilities. We implement this analysis in the UPPAAL model checker and apply it to an example.
Security monitoring is a viable solution to enhance the security capability of the current power control Supervisory Control and Data Acquisition (SCADA) system, and more broadly of Industrial Control Systems (ICS), since the intrusion detection system, as the main tool for monitoring, can be easily deployed without any change to the SCADA configuration. We explain how to design a SCADA domain-specific network security monitoring system that reflects the semantics of the target SCADA network. However, the attack vectors of the recent attacks on SCADA/ICS systems are vulnerabilities of the software underlying the host systems. In this respect, we need security monitoring running on host systems which can provide process and memory protection. Furthermore, network and system management (NMS), which incorporates traditional network management into the power control system, can not only help to manage and maintain the IT/OT (information technology and operational technology) systems in a unified way, but also enhance the security capability of the SCADA system in collaboration with network and host security monitoring.