Cybersécurité des sous-stations électriques IEC 61850 Thèse CIFRE Maëlle Kabir-Querrec
Content • Introduction & Objectives • Context: the IEC 61850 standard • IDS for ICS: State of the art • IEC 61850 specification of an intrusion detection function • A rule-based implementation • Conclusion gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 2 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Introduction ICS are part of SAS (Substation Automation System) Proprietary protocols Closed networks Security through obscurity Security through isolation Aspirations for interoperability & ever growing Interconnection with more global and open complexity of technologies networks IEC 61850 – Communication networks and systems Exposure to cyber vulnerabilities & threats for power utility automation Needs of dedicated digital security measures gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 3 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion PhD research project • CIFRE convention GIPSA-lab + Euro-System (nov. 2013 � nov. 2016) • Cybersecurity of smart-grid control systems Specify an IEC 61850 intrusion detection function for o IEDs (Intelligent Electronic Devices) Implement and test it o Propose other cybersecurity functionalities o gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 4 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Context: IEC 61850 standard “ Communication networks and systems for power utility automation” • Substation Automation Systems (SAS) are key to S MART -G RID the grid protection. Power grid • Intelligent Electronic Devices (IED) IEC61850 Automa- ICT tion gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 5 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Context: IEC 61850 standard “ Communication networks and systems for power utility automation” The IEC 61850 standard specifies communication in terms of Syntax - Semantics - Performance IEC 61850 communication architecture OSI mapping of IEC 61850 protocols gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 6 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Context: IEC 61850 standard “ Communication networks and systems for power utility automation” IED services are based on an object-oriented model for data and functions. IEC 61850 data object modeling gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 7 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion State of the art IDS for ICS IDS: Monitoring a network or a system activity to detect attempts to gain unauthorized access or to cause damages. • Host-based or network-based • Signature-based/Blacklisting or Anomaly-based/Whitelisting gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 8 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion State of the art Anomaly-based IDS for ICS (1) • State approach Fovino I. N, Coletta A., Carcano A., Masera M. 2012. Critical State-Based Filtering System for Securing SCADA Network Protocols . Jin X., Bigham J., Rodaway J., Gamez D., Phillips C. 2006. Anomaly detection in electricity cyber infrastructures. • Communication approach • Rules Premaratne U., Samarabandu J., Sidhu T., Beresh R., Tan J.-C. 2010. An Intrusion Detection System for IEC 61850 Automated Substations. • Statistical models Sekar R., Gupta A. K., Frullo J., Shanbhag T., Tiwari A., Yang H., Zhou S. 2002. Specification-based anomaly detection: A new approach for detecting network intrusions. Cheung S., Dutertre B., Fong M., Lindqvist U., Skinner K., Valdes A. 2007. Using model-based intrusion detection for SCADA networks. • Implementation as a dedicated device gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 9 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion State of the art Anomaly-based IDS for ICS (2) SAS specificities to be used to design a tailored IDS: • Embedded systems • Real-time constraints • Dedicated communication protocols Fixed network topology & known mechanisms • Diallo D., Feuillet M. (ANSSI) 2014. Détection d'intrusion dans les systèmes industriels: Suricata et le cas de Modbus. Hong J., Liu C.-C., Govindarasu M. 2014. Integrated Anomaly Detection for Cyber Security of the Substations. � Network-based anomaly detection function relevant for broadcast packets gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 10 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Specification of an IEC 61850 intrusion detection function Building new functionalities must follow rules to ensure the interoperability the IEC 61850 standard aims at. � The new IDS function specification… … compatible with the IEC 61850 standard IEC 61850 IDS model gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 11 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Implementation of this IEC 61850 IDS • Using an open source rule- based NIDS, Suricata • Automatic rule generation Source address is not in the accepted list. For a given GoID, the sequence number of the received GOOSE message has not been incremented compared to the previous one. • Run and test it on our G- ICS platform, dedicated to G-ICS (GreEn-ER Industrial Control systems Sandbox) cybersecurity and interoperability of ICS gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 12 / 14
Introduction IEC61850 standard State of the art Spec of IDS Implementation Conclusion Conclusion & perspectives • IEC 61850 specification of an intrusion detection function • Implementation of a rule-based intrusion detection module + automatic rule generation • Further work: other cybersecurity functions such as mapping of the communication architecture, resource availability, encryption… gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 13 / 14
Questions & comments gipsa -lab RESSI 2015 21/05/2015 Maëlle Kabir-Querrec 14 / 14
Recommend
More recommend
