1 / 27

Application-Aware Secure Multicast for Power Grid Communications

This paper presents an innovative application-aware secure multicast solution tailored for power grid communications. It addresses the growing cybersecurity threats faced by substations by establishing a formal model for multicast communication. The proposed SecureSCL implementation enhances data dependency management, addressing extensive configuration challenges within substations. Through performance analysis and key management strategies integrated with secure multicast protocols, this approach ensures confidentiality, integrity, and availability of critical power grid data.

nevina
Télécharger la présentation

Application-Aware Secure Multicast for Power Grid Communications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Application-Aware Secure Multicast for Power Grid Communications Jianqing Zhang* and Carl A. Gunter University of Illinois at Urbana-Champaign * Now working at Energy Systems Research Lab, Intel Labs

  2. Outline • Motivation • Introduction • Formal Model for Multicast • Data Model and Publish-Subscribe Model • Multicast Configuration Anomaly • Implementation: SecureSCL • Performance Analysis of IPsec Based Multicast • Conclusion

  3. Multicast in Power Grid Systems Substation Networks DNP3 PMUs PMU: Phasor Measurement Unit

  4. IEC 61850 Substation Network Abstract Communication Service Interface (ACSI) Generic Object Oriented Substation Event (GOOSE) • Substation Bus * Ethernet Process Bus Sampled Measured Value (SMV) • Data objects model • Communication protocols suite • Link layer multicast • Substation Configuration Language (SCL) • IEC: International Electrotechnical Commission • HMI: Human Machine Interface • PMU: Phasor Measurement Unit * Based on Baigent, D. et. al. IEC 61850 Communication Networks and Systems in Substations: An Overview for Users

  5. Cyber Security Threats to Substation Networks • Integrity • Tampered power grid status data • Faked control commands • Confidentiality • Valuable raw data • Availability • Data packets flood Cryptographically Secured Protocols?

  6. Challenges:Manageable Configuration • Complex and error-prone configuration for current systems • Intricate system designs • Changing specifications during design phases • Large and hardly auditable configuration files • TVA Bradley Substation: 7.4Mbytes and 98K lines XML files • Proprietary configuration tools from multiple vendors • Complexity of current off-the-shelf security protocols and tools • Security vulnerabilities due to incorrect system configuration

  7. Challenges: Latency Requirements • Timing requirements for real-time operations* • PMU: 30 times per second • Substation: event notification for protection e.g. GOOSE, 2-10ms • VT: Volt Transformer • CT: Current Transformer * IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation

  8. Challenges: Efficient Group Key Management & Configuration • Integration with power grid systems • How to partition multicast groups in a particular domain, like a power substation? • What’s the role of each control device in a group? • How to distribute group keys? • Standardized security protocols • How to integrate group key management with secure multicast protocols?

  9. Approach: Application-Aware Secure Multicast • Derive group membership by application data dependency in system functional configurations • Observation: data dependency determines publish-subscribe relationships and group memberships

  10. Data Dependency in Substation Configuration Language (SCL) <IED name=“IED2” desc=“Switchgear (subsriber) ” > … <LN desc="CircuitBreaker" inst="1" …> <Inputs> <ExtRefdaName="general" doName="Tr" iedName="IED1" …/> <ExtRefdaName="q" doName="Tr" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> </Inputs> </LN> </IED> … <IED name=“IED3” desc=“Switchgear (subsriber)” > … <LN desc="CircuitBreaker" inst=“2" …> <Inputs> <ExtRefdaName="general" doName="Tr" iedName="IED1" …/> <ExtRefdaName="q" doName="Tr" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> </Inputs> </LN> </IED> <IED name="IED1" desc=“Protective relay (publisher)"> … <GSE cbName="gcbTrip" ldInst="PROT"> … <Address>… <P type="MAC-Address">01-0C-CD-01-01-46</P> </Address> </GSE> <DataSet name="dsTripLogic"> <FCDA daName="general" doName="Tr" …/> <FCDA daName="q" doName="Tr“ …/> <FCDA daName="general" doName="Op" …/> <FCDA daName="q" doName="Op" …/> <FCDA daName="general" doName="Op …/> <FCDA daName="q" doName="Op" …/> </DataSet> … </IED> Trip command

  11. Approach: Application-Aware Secure Multicast • Derive group membership by application data dependency in system functional configuration • Detect inconsistent configurations automatically • Configure group key management system based on the derived group memberships and extended configuration files • Raise the link layer multicast to the network layer and secure multicast traffic using IPsec

  12. A Formal Multicast Model: Components • D, the set of data objects • E, the entities which have relationships with data objects • O, the set of data owners • C, the set of data consumer • P, the set of publishers • S, the set of subscribers • G, the set of group controllers

  13. A Formal Multicast Model:Publish-Subscribe Model

  14. Publish-Subscribe Model in SCL:Ownership & Publication <IED name="IED1" type="SecureIED" desc="Protective Relay"> ... <LDeviceinst="PROT"> <LN0 lnClass="LLN0" lnType="IED1-LLN0-Type"> <DataSet name="dsTripLogic"> <FCDA daName="general" doName="Tr" ... ldInst="PROT" lnInst="1"/> <FCDA daName="general" doName="Op" ... ldInst="PROT" lnInst="1"/> ... </DataSet> <GSEControlappID="TripGoose" datSet="dsTripLogic" name="gcbTrip".../> </LN0> ... <LN inst="1" lnClass="PTRC" lnType="IED1-PTRC-Type"/> </LDevice> ... </IED> ... <DataTypeTemplates> <LNodeType id="IED1_PTRC_Type" lnClass="PTRC"> <DO name="Tr" type="tPTRC_TrOp"/> <DO name="Op" type="tPTRC_TrOp"/> </LNodeType> </DataTypeTemplates>

  15. Publish-Subscribe Model in SCL:Consumption & Subscription <IED name="IED2" desc="Switchgear" type="SecureIED"> ... <LDeviceinst="CTRL"> <LN desc="CircuitBreaker" inst="1" lnClass="XCBR" lnType="IED2-CTRL-XCBR"> <Inputs> <ExtRefdoName="Tr" ldInst="PROT”, iedName="IED1".../> <ExtRefdoName="Op" ldInst="PROT”, iedName="IED1".../> </Inputs> </LN> <\LDevice> <\IED>

  16. Multicast Configuration Anomaly:Publication Anomaly • Ownership Anomaly: a publisher publishes data objects which are not owned by it • Publication Redundancy: • Full redundancy: No data object is consumed • Partial redundancy: some data objects are not consumed

  17. Multicast Configuration Anomaly:Subscription Anomaly • Source Anomaly: a subscriber subscribes data from a “non-existent” publisher • Data Dissatisfaction • “Hard” data dissatisfaction: some data objects are not published by • “Soft” data dissatisfaction: some data objects are published by another publication

  18. Architecture of SecureSCL

  19. Benefits of IPsec Based Multicast in Power Grid Networks • Preserves a variety of security properties, proved by a degree of formal analysis • Supports wide area multicast, important to inter-substation communications and PMU networks • Obtains strong support from security communities • Capable of addressing latency constraints in medium scale networks

  20. Performance Analysis of IPsec Based Multicast • Test Bed Setup • Hardware • Deterlab: 8, 16, 32, 64-node scenarios • Xeon Quad 3.00GHz PCs • Software • Platform: Ubuntu 8.04 • Process Control Emulation System* • Measure round trip latency * Credits to Chris Grier and Sam King

  21. Performance of IPsec Multicast

  22. Conclusion • Application-aware secure multicast is an efficient solution for multicast in power grid systems • Automate group configuration and minimize errors • Integrate security configurations with functional configurations • IPsec is a promising solution for secure multicast in power grid systems • Future work • WAN or Inter-substation network multicast communication and configuration • Dynamic group management

  23. Questions?http://seclab.illinois.edu/web/ Dr. Jianqing Zhang Intel Labs, RNB6-61 2200 Mission College Blvd. Santa Clara, CA 94054 Tel: (408)653-5461 Email: jianqing.zhang@intel.com Professor Carl A. Gunter • 4304 Siebel Center for Computer Science 201 N. Goodwin Ave. Urbana, IL 61801 • Tel: (217)244-1982 Email: cgunter@cs.illinois.edu

  24. Contributions • Propose a formal multicast data model and a publish-subscribe model depicting the publish-subscribe relationships • Classify a number of configuration anomalies in multicast systems • Design algorithms detecting the anomalies • Design a multicast and group key management architecture • Develop a prototype system, SecureSCL • Provide a case study of secure GOOSE in IEC 61850 substations • Evaluate the performance of IPsec based multicast

  25. Related Work • IEC 62351: sign each GOOSE frame using RSA • Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data Dissemination Framework for the Power Grid, IEEE Transactions on Power Delivery, Jan. 2009 • EhabS. et al. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004 CRC Header GOOSE PDU Authentication Value Length

  26. System Working Phases

  27. GDOI Based Group Key Management Architecture • Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast IKEv1 Phase1: Reg. SA Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs

More Related