Cyberscurit des sous-stations lectriques IEC 61850 Thse CIFRE - - PowerPoint PPT Presentation

cybers curit des sous stations lectriques iec 61850
SMART_READER_LITE
LIVE PREVIEW

Cyberscurit des sous-stations lectriques IEC 61850 Thse CIFRE - - PowerPoint PPT Presentation

Sep 18, 2023 533 likes •702 views

Cyberscurit des sous-stations lectriques IEC 61850 Thse CIFRE Malle Kabir-Querrec Content Introduction & Objectives Context: the IEC 61850 standard IDS for ICS: State of the art IEC 61850 specification of an

slide-1
SLIDE 1

Cybersécurité des sous-stations électriques IEC 61850

Thèse CIFRE Maëlle Kabir-Querrec

slide-2
SLIDE 2

gipsa-lab

Content

  • Introduction & Objectives
  • Context: the IEC 61850 standard
  • IDS for ICS: State of the art
  • IEC 61850 specification of an intrusion detection

function

  • A rule-based implementation
  • Conclusion

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 2 / 14

slide-3
SLIDE 3

gipsa-lab

Interconnection with more global and open networks Exposure to cyber vulnerabilities & threats

Needs of dedicated digital security measures

Closed networks

Security through isolation

ICS are part of SAS (Substation Automation System)

Introduction

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 3 / 14

Aspirations for interoperability & ever growing complexity of technologies IEC 61850 – Communication networks and systems for power utility automation Proprietary protocols

Security through obscurity

Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-4
SLIDE 4

gipsa-lab

PhD research project

  • CIFRE convention GIPSA-lab + Euro-System (nov.

2013 nov. 2016)

  • Cybersecurity of smart-grid control systems
  • Specify an IEC 61850 intrusion detection function for

IEDs (Intelligent Electronic Devices)

  • Implement and test it
  • Propose other cybersecurity functionalities

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 4 / 14 Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-5
SLIDE 5

gipsa-lab

Context: IEC 61850 standard “Communication networks and systems for power utility

automation”

  • Substation Automation

Systems (SAS) are key to the grid protection.

  • Intelligent Electronic

Devices (IED)

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 5 / 14 Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

Automa- tion ICT IEC61850 Power grid SMART-GRID

slide-6
SLIDE 6

gipsa-lab

Context: IEC 61850 standard “Communication networks and systems for power utility

automation” The IEC 61850 standard specifies communication in terms of Syntax - Semantics - Performance

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 6 / 14

OSI mapping of IEC 61850 protocols IEC 61850 communication architecture

Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-7
SLIDE 7

gipsa-lab

Context: IEC 61850 standard “Communication networks and systems for power utility

automation” IED services are based on an

  • bject-oriented model for

data and functions.

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 7 / 14

IEC 61850 data object modeling

Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-8
SLIDE 8

gipsa-lab

State of the art

IDS for ICS

IDS: Monitoring a network or a system activity to detect attempts to gain unauthorized access or to cause damages.

  • Host-based or network-based
  • Signature-based/Blacklisting or Anomaly-based/Whitelisting

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 8 / 14 Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-9
SLIDE 9

gipsa-lab

State of the art

Anomaly-based IDS for ICS (1)

  • State approach

Fovino I. N, Coletta A., Carcano A., Masera M. 2012. Critical State-Based Filtering System for Securing SCADA Network Protocols. Jin X., Bigham J., Rodaway J., Gamez D., Phillips C. 2006. Anomaly detection in electricity cyber infrastructures.

  • Communication approach
  • Rules

Premaratne U., Samarabandu J., Sidhu T., Beresh R., Tan J.-C. 2010. An Intrusion Detection System for IEC 61850 Automated Substations.

  • Statistical models

Sekar R., Gupta A. K., Frullo J., Shanbhag T., Tiwari A., Yang H., Zhou S. 2002. Specification-based anomaly detection: A new approach for detecting network intrusions. Cheung S., Dutertre B., Fong M., Lindqvist U., Skinner K., Valdes A. 2007. Using model-based intrusion detection for SCADA networks.

  • Implementation as a dedicated device

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 9 / 14 Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-10
SLIDE 10

gipsa-lab

State of the art

Anomaly-based IDS for ICS (2)

SAS specificities to be used to design a tailored IDS:

  • Embedded systems
  • Real-time constraints
  • Dedicated communication protocols
  • Fixed network topology & known mechanisms

Diallo D., Feuillet M. (ANSSI) 2014. Détection d'intrusion dans les systèmes industriels: Suricata et le cas de Modbus. Hong J., Liu C.-C., Govindarasu M. 2014. Integrated Anomaly Detection for Cyber Security of the Substations.

Network-based anomaly detection function relevant for broadcast packets

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 10 / 14 Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-11
SLIDE 11

gipsa-lab

Specification of an IEC 61850 intrusion detection function

Building new functionalities must follow rules to ensure the interoperability the IEC 61850 standard aims at. The new IDS function specification… … compatible with the IEC 61850 standard

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 11 / 14

IEC 61850 IDS model

Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-12
SLIDE 12

gipsa-lab

Implementation of this IEC 61850 IDS

  • Using an open source rule-

based NIDS, Suricata

  • Automatic rule generation

Source address is not in the accepted list. For a given GoID, the sequence number of the received GOOSE message has not been incremented compared to the previous one.

  • Run and test it on our G-

ICS platform, dedicated to cybersecurity and interoperability of ICS

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 12 / 14

G-ICS (GreEn-ER Industrial Control systems Sandbox)

Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-13
SLIDE 13

gipsa-lab

Conclusion & perspectives

  • IEC 61850 specification of an intrusion detection

function

  • Implementation of a rule-based intrusion detection

module + automatic rule generation

  • Further work: other cybersecurity functions such as

mapping of the communication architecture, resource availability, encryption…

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 13 / 14 Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion

slide-14
SLIDE 14

gipsa-lab

Questions & comments

RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 14 / 14