1 / 27

Application-Aware Secure Multicast for Power Grid Communications

Application-Aware Secure Multicast for Power Grid Communications. Jianqing Zhang * and Carl A. Gunter University of Illinois at Urbana-Champaign. * Now working at Energy Systems Research Lab, Intel Labs. Outline. Motivation Introduction Formal Model for Multicast

jack
Download Presentation

Application-Aware Secure Multicast for Power Grid Communications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Application-Aware Secure Multicast for Power Grid Communications Jianqing Zhang* and Carl A. Gunter University of Illinois at Urbana-Champaign * Now working at Energy Systems Research Lab, Intel Labs

  2. Outline • Motivation • Introduction • Formal Model for Multicast • Data Model and Publish-Subscribe Model • Multicast Configuration Anomaly • Implementation: SecureSCL • Performance Analysis of IPsec Based Multicast • Conclusion

  3. Multicast in Power Grid Systems Substation Networks DNP3 PMUs PMU: Phasor Measurement Unit

  4. IEC 61850 Substation Network Abstract Communication Service Interface (ACSI) Generic Object Oriented Substation Event (GOOSE) • Substation Bus * Ethernet Process Bus Sampled Measured Value (SMV) • Data objects model • Communication protocols suite • Link layer multicast • Substation Configuration Language (SCL) • IEC: International Electrotechnical Commission • HMI: Human Machine Interface • PMU: Phasor Measurement Unit * Based on Baigent, D. et. al. IEC 61850 Communication Networks and Systems in Substations: An Overview for Users

  5. Cyber Security Threats to Substation Networks • Integrity • Tampered power grid status data • Faked control commands • Confidentiality • Valuable raw data • Availability • Data packets flood Cryptographically Secured Protocols?

  6. Challenges:Manageable Configuration • Complex and error-prone configuration for current systems • Intricate system designs • Changing specifications during design phases • Large and hardly auditable configuration files • TVA Bradley Substation: 7.4Mbytes and 98K lines XML files • Proprietary configuration tools from multiple vendors • Complexity of current off-the-shelf security protocols and tools • Security vulnerabilities due to incorrect system configuration

  7. Challenges: Latency Requirements • Timing requirements for real-time operations* • PMU: 30 times per second • Substation: event notification for protection e.g. GOOSE, 2-10ms • VT: Volt Transformer • CT: Current Transformer * IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation

  8. Challenges: Efficient Group Key Management & Configuration • Integration with power grid systems • How to partition multicast groups in a particular domain, like a power substation? • What’s the role of each control device in a group? • How to distribute group keys? • Standardized security protocols • How to integrate group key management with secure multicast protocols?

  9. Approach: Application-Aware Secure Multicast • Derive group membership by application data dependency in system functional configurations • Observation: data dependency determines publish-subscribe relationships and group memberships

  10. Data Dependency in Substation Configuration Language (SCL) <IED name=“IED2” desc=“Switchgear (subsriber) ” > … <LN desc="CircuitBreaker" inst="1" …> <Inputs> <ExtRefdaName="general" doName="Tr" iedName="IED1" …/> <ExtRefdaName="q" doName="Tr" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> </Inputs> </LN> </IED> … <IED name=“IED3” desc=“Switchgear (subsriber)” > … <LN desc="CircuitBreaker" inst=“2" …> <Inputs> <ExtRefdaName="general" doName="Tr" iedName="IED1" …/> <ExtRefdaName="q" doName="Tr" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> <ExtRefdaName="general" doName="Op" iedName="IED1" …/> <ExtRefdaName="q" doName="Op" iedName="IED1" …/> </Inputs> </LN> </IED> <IED name="IED1" desc=“Protective relay (publisher)"> … <GSE cbName="gcbTrip" ldInst="PROT"> … <Address>… <P type="MAC-Address">01-0C-CD-01-01-46</P> </Address> </GSE> <DataSet name="dsTripLogic"> <FCDA daName="general" doName="Tr" …/> <FCDA daName="q" doName="Tr“ …/> <FCDA daName="general" doName="Op" …/> <FCDA daName="q" doName="Op" …/> <FCDA daName="general" doName="Op …/> <FCDA daName="q" doName="Op" …/> </DataSet> … </IED> Trip command

  11. Approach: Application-Aware Secure Multicast • Derive group membership by application data dependency in system functional configuration • Detect inconsistent configurations automatically • Configure group key management system based on the derived group memberships and extended configuration files • Raise the link layer multicast to the network layer and secure multicast traffic using IPsec

  12. A Formal Multicast Model: Components • D, the set of data objects • E, the entities which have relationships with data objects • O, the set of data owners • C, the set of data consumer • P, the set of publishers • S, the set of subscribers • G, the set of group controllers

  13. A Formal Multicast Model:Publish-Subscribe Model

  14. Publish-Subscribe Model in SCL:Ownership & Publication <IED name="IED1" type="SecureIED" desc="Protective Relay"> ... <LDeviceinst="PROT"> <LN0 lnClass="LLN0" lnType="IED1-LLN0-Type"> <DataSet name="dsTripLogic"> <FCDA daName="general" doName="Tr" ... ldInst="PROT" lnInst="1"/> <FCDA daName="general" doName="Op" ... ldInst="PROT" lnInst="1"/> ... </DataSet> <GSEControlappID="TripGoose" datSet="dsTripLogic" name="gcbTrip".../> </LN0> ... <LN inst="1" lnClass="PTRC" lnType="IED1-PTRC-Type"/> </LDevice> ... </IED> ... <DataTypeTemplates> <LNodeType id="IED1_PTRC_Type" lnClass="PTRC"> <DO name="Tr" type="tPTRC_TrOp"/> <DO name="Op" type="tPTRC_TrOp"/> </LNodeType> </DataTypeTemplates>

  15. Publish-Subscribe Model in SCL:Consumption & Subscription <IED name="IED2" desc="Switchgear" type="SecureIED"> ... <LDevice inst="CTRL"> <LN desc="CircuitBreaker" inst="1" lnClass="XCBR" lnType="IED2-CTRL-XCBR"> <Inputs> <ExtRef doName="Tr" ldInst="PROT”, iedName="IED1".../> <ExtRef doName="Op" ldInst="PROT”, iedName="IED1".../> </Inputs> </LN> <\LDevice> <\IED>

  16. Multicast Configuration Anomaly:Publication Anomaly

  17. Multicast Configuration Anomaly:Subscription Anomaly

  18. Architecture of SecureSCL

  19. Benefits of IPsec Based Multicast in Power Grid Networks • Preserves a variety of security properties, proved by a degree of formal analysis • Supports wide area multicast, important to inter-substation communications and PMU networks • Obtains strong support from security communities • Capable of addressing latency constraints in medium scale networks

  20. Performance Analysis of IPsec Based Multicast • Test Bed Setup • Hardware • Deterlab: 8, 16, 32, 64-node scenarios • Xeon Quad 3.00GHz PCs • Software • Platform: Ubuntu 8.04 • Process Control Emulation System* • Measure round trip latency * Credits to Chris Grier and Sam King

  21. Performance of IPsec Multicast

  22. Conclusion • Application-aware secure multicast is an efficient solution for multicast in power grid systems • Automate group configuration and minimize errors • Integrate security configurations with functional configurations • IPsec is a promising solution for secure multicast in power grid systems • Future work • WAN or Inter-substation network multicast communication and configuration • Dynamic group management

  23. Questions?http://seclab.illinois.edu/web/ Dr. Jianqing Zhang Intel Labs, RNB6-61 2200 Mission College Blvd. Santa Clara, CA 94054 Tel: (408)653-5461 Email: jianqing.zhang@intel.com Professor Carl A. Gunter 4304 Siebel Center for Computer Science 201 N. Goodwin Ave. Urbana, IL 61801 Tel: (217)244-1982 Email: cgunter@cs.illinois.edu

  24. Contributions • Propose a formal multicast data model and a publish-subscribe model depicting the publish-subscribe relationships • Classify a number of configuration anomalies in multicast systems • Design algorithms detecting the anomalies • Design a multicast and group key management architecture • Develop a prototype system, SecureSCL • Provide a case study of secure GOOSE in IEC 61850 substations • Evaluate the performance of IPsec based multicast

  25. Related Work • IEC 62351: sign each GOOSE frame using RSA • Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data Dissemination Framework for the Power Grid, IEEE Transactions on Power Delivery, Jan. 2009 • Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004 CRC Authentication Value Header GOOSE PDU Length

  26. System Working Phases

  27. GDOI Based Group Key Management Architecture • Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast IKEv1 Phase1: Reg. SA Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs

More Related