Experimental evaluation of cyber intrusions into Highly Critical Power Control Systems

G. Dondossola, F. Garrone, J. Szanto

RSE

Frankfurt (Germany), 6-9 June 2011

DONDOSSOLA – IT – S3 – 0440

Research context

Test bed architecture

Attack model

Attack experiments

Cyber-power risk evaluation


Context

Cyber-power risk assessment

Critical communication and control systems in the power grid operation

Cyber threats are increasing with the deployment of technologies relying on standard units and protocols

Sample attack experiments produce inputs to the calculation of the cyber-power risk index

Complex intrusion scenarios involving inter-operator communications


Test bed architecture

Interconnected HV/MV distribution networks

Substation automation networks

Control centre networks

ICT management networks

Technical security measures

Experiments of cyber threats to critical assets of the grid control network


Attack model (I)

Possible attack scenarios vary depending on the compromised nodes of the network topology

A full set of compromise paths may be derived from the topological analysis of the grid control network

An attack process is composed of intrusion steps along a given compromise path

Transition times from one step to the next vary by step and technique

Malware development may last several months, depending on the degree of difficulty of the attack
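
The compromise-path model described on this slide, as an added example (not code from the presentation): it enumerates loop-free paths through a control-network topology, sums per-step transition times, and shows how removing one node changes the fastest path. The node names, links and hour values are constructed assumptions, not measurements from the test bed.

```python
from collections import Counter

# Constructed topology (assumption): edge weight = transition time in hours
# for the intrusion step from one node to the next.
TOPOLOGY = {
    "ict_mgmt_ws": {"remote_access_srv": 8, "dso_centre_scada": 40},
    "remote_access_srv": {"substation_gw": 24},
    "dso_centre_scada": {"substation_gw": 16, "tso_centre": 72},
    "tso_centre": {"substation_gw": 48},
    "substation_gw": {},
}

def compromise_paths(graph, entry, target):
    """Enumerate every simple (loop-free) path from entry to target."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, {}):
            if nxt not in path:          # never revisit a node
                stack.append((nxt, path + [nxt]))
    return paths

def time_to_compromise(graph, path):
    """Sum the transition times of the intrusion steps along one path."""
    return sum(graph[a][b] for a, b in zip(path, path[1:]))

def rank_paths(graph, entry, target):
    """Paths sorted by total time, fastest first (highest defensive priority)."""
    return sorted((time_to_compromise(graph, p), p)
                  for p in compromise_paths(graph, entry, target))

def node_exposure(graph, entry, target):
    """Count how many compromise paths cross each intermediate node."""
    return Counter(n for p in compromise_paths(graph, entry, target)
                   for n in p[1:-1])

def remove_node(graph, node):
    """Topology with one node isolated, e.g. by a network access control."""
    return {n: {m: t for m, t in edges.items() if m != node}
            for n, edges in graph.items() if n != node}

if __name__ == "__main__":
    for hours, path in rank_paths(TOPOLOGY, "ict_mgmt_ws", "substation_gw"):
        print(f"{hours:4d} h  " + " -> ".join(path))
    print(node_exposure(TOPOLOGY, "ict_mgmt_ws", "substation_gw"))
    hardened = remove_node(TOPOLOGY, "remote_access_srv")
    print(rank_paths(hardened, "ict_mgmt_ws", "substation_gw")[0])
```
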


Attack model (II)


Attack experiments (I)

Target information exchanged by an emergency control procedure for automatic load shedding

Italian grid code

The procedure is based on standard IEC 60870-5-104/TCP communications for the arming requests between the TSO/DSO centres

UDP multicast for the trip commands between the TSO/DSO substations

Attacked networks

DSO substations networks

DSO centre networks

TSO centre/substation networks


Attack experiments (II)

A malicious insider in the ICT management network identifies the process networks, their interconnection gateways, nodes and services

s/he compromises a workstation to gain unauthorised remote access to the substation gateway

s/he accesses the process nodes and decides to compromise the substation gateway

s/he develops malware code interfering with the IEC 60870-5-104 TCP/IP communications, causing the arbitrary trip of the power substation


Performance measures

Operator’s Interface - warnings


Conclusions

Topological analysis of the grid control network possible compromise paths

ICT management and remote accesses Serious attacks

Network access controls and user authentication mechanisms Advanced security architectures

Results from experiments feed the calculation of the cyber-power risk

Analysis tools increasing the security capabilities in the operation of the power grid


Power Grid Security Flexible/Integrated Multiple-Operated

Defence Plans Power Grid Operation

Risk Management

Stratified Defence Lines

In-depth Security ICT Protections

Contact Point: [email protected]

Do not miss the Poster Session

Wednesday, 8 June 2011