Experimental evaluation of cyber intrusions into Highly Critical Power Control Systems
G. Dondossola, F. Garrone, J. Szanto
RSE
• Research context
• Test bed architecture
• Attack model
• Attack experiments
• Cyber-power risk evaluation
DONDOSSOLA – IT – S3 – 0440
Context
• Cyber-power risk assessment
• Critical communication and control systems in the power grid operation
• Cyber threats are increasing with the deployment of technologies relying on standard units and protocols
• Sample attack experiments produce inputs to the calculation of the cyber-power risk index
• Complex intrusion scenarios involving inter-operator communications
Test bed architecture
• Interconnected HV/MV distribution networks
• Substation automation networks
• Control centre networks
• ICT management networks
• Technical security measures
• Experiments on cyber threats to critical assets of the grid control network
Attack model (I)
• Possible attack scenarios vary depending on which nodes of the network topology are compromised
• A full set of compromise paths may be derived from the topological analysis of the grid control network
• An attack process is composed of intrusion steps along a given compromise path
• Transition times from one step to the next vary with the step and with the technique used
• The malware development may last several months, depending on the difficulty of the attack
Attack model (II) [diagram slide]
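As an added illustration of the path-based attack model and of how experiment results can feed a risk index (this is example code, not the RSE test bed's own tooling), the following Python enumerates every simple compromise path through a zone graph of the grid control network, accumulates the per-step transition times and success probabilities, and derives a risk figure. The zone names, the step durations, the probabilities, the 80 MW impact and the index formula itself are all constructed assumptions for the example; the deck does not publish its own numbers or formula.

```python
"""Compromise-path enumeration and a simple cyber-power risk index.

Added illustration, not the RSE test bed's own tooling. Zone names, step
durations, success probabilities and the impact figure are constructed for
this example, and the risk formula is an assumption.
"""
from typing import Dict, List, Tuple

# Directed graph of the grid control network: zone -> [(next_zone, days, p_success)]
# Edge values are constructed estimates of the "step and technique" transition
# times and success chances the attack model talks about.
TOPOLOGY: Dict[str, List[Tuple[str, float, float]]] = {
    "ICT management": [
        ("Control centre workstation", 5.0, 0.6),
        ("Substation gateway", 20.0, 0.2),       # direct remote access to the gateway
    ],
    "Control centre workstation": [
        ("Substation gateway", 10.0, 0.5),
        ("DSO centre SCADA", 7.0, 0.4),
    ],
    "DSO centre SCADA": [("Process nodes", 12.0, 0.3)],
    "Substation gateway": [("Process nodes", 15.0, 0.7)],
    "Process nodes": [],
}


def compromise_paths(topology, entry, target):
    """Return every simple path from entry to target as
    (zones, total_days, p_success), sorted by decreasing probability."""
    results = []

    def walk(node, visited, days, prob):
        if node == target:
            results.append((list(visited), days, prob))
            return
        for nxt, step_days, step_p in topology.get(node, []):
            if nxt in visited:
                continue  # simple paths only: never revisit a zone
            walk(nxt, visited + [nxt], days + step_days, prob * step_p)

    walk(entry, [entry], 0.0, 1.0)
    results.sort(key=lambda r: r[2], reverse=True)
    return results


def risk_index(paths, impact):
    """Assumed index: success probability of the most likely compromise path
    times the impact at the target (e.g. MW of load tripped)."""
    if not paths:
        return 0.0
    return max(p for _, _, p in paths) * impact


def time_to_compromise(paths):
    """Shortest expected intrusion time over all paths, in days (assumed metric)."""
    return min(d for _, d, _ in paths) if paths else float("inf")


if __name__ == "__main__":
    paths = compromise_paths(TOPOLOGY, "ICT management", "Process nodes")
    for zones, days, p in paths:
        print(f"{' -> '.join(zones)}: {days:.0f} days, p={p:.3f}")
    print("risk index:", risk_index(paths, impact=80.0))  # 80 MW is a constructed impact
```

The sorted path list is the useful output for a defender: the highest-probability path through the control centre workstation is where access controls and authentication on the management-to-centre boundary pay off first, which is the conclusion the deck draws.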
Attack experiments (I)
• Target: the information exchanged by an emergency control procedure for automatic load shedding (Italian grid code)
• The procedure is based on
  • standard IEC 60870-5-104/TCP communications for the arming requests between the TSO/DSO centres
  • UDP multicast for the trip commands between the TSO/DSO substations
• Attacked networks
  • DSO substation networks
  • DSO centre networks
  • TSO centre/substation networks
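Because the arming requests travel over IEC 60870-5-104, a boundary monitor at the DSO centre can decode the control-direction frames and raise a warning when a process command arrives from an unexpected peer or targets an information object that is not part of the arming procedure. The following Python is an added example (not part of the RSE test bed or its operator interface): it decodes the APCI and ASDU headers of IEC 104 APDUs and applies that rule. The sample frame, the peer address 10.1.1.10 and the arming IOA 100 are constructed values.

```python
"""Minimal IEC 60870-5-104 APDU decoder with a boundary-monitoring rule.

Added example, not part of the RSE test bed. It decodes APCI/ASDU headers
and flags process-command ASDUs (the class the arming requests belong to)
that arrive from a source outside the expected TSO/DSO centre peers.
Frames, addresses and the peer list are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

COT_ACTIVATION = 6
# Control-direction process commands: C_SC_NA_1 (45) .. C_SE_TC_1 (64)
COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65))
# Information-element size (bytes) per type id, for the types this demo parses
ELEMENT_SIZE = {1: 1, 45: 1, 46: 1, 47: 1, 100: 1}
TYPE_NAMES = {1: "M_SP_NA_1", 45: "C_SC_NA_1", 46: "C_DC_NA_1",
              47: "C_RC_NA_1", 100: "C_IC_NA_1"}


@dataclass
class Apdu:
    fmt: str                      # "I", "S" or "U"
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioas: List[int] = field(default_factory=list)


def parse_apdu(frame: bytes) -> Apdu:
    """Decode one APDU (APCI + optional ASDU); raise ValueError on malformed input."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("missing 0x68 start byte or frame too short")
    if frame[1] != len(frame) - 2:
        raise ValueError("APCI length field does not match frame length")
    ctrl0 = frame[2]
    if ctrl0 & 0x01 == 0:
        fmt = "I"
    elif ctrl0 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt=fmt)          # S/U frames carry no ASDU

    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    sq, count = asdu[1] >> 7, asdu[1] & 0x7F
    cot = asdu[2] & 0x3F              # drop the P/N and test bits
    common_addr = asdu[4] | (asdu[5] << 8)
    size = ELEMENT_SIZE.get(type_id)
    if size is None:
        raise ValueError(f"unsupported type id {type_id}")

    body, ioas = asdu[6:], []
    if sq == 0:                       # each object carries its own 3-byte IOA
        if len(body) != count * (3 + size):
            raise ValueError("object block length mismatch")
        for i in range(count):
            off = i * (3 + size)
            ioas.append(body[off] | (body[off + 1] << 8) | (body[off + 2] << 16))
    else:                             # one IOA, then `count` consecutive elements
        if len(body) != 3 + count * size:
            raise ValueError("sequence block length mismatch")
        first = body[0] | (body[1] << 8) | (body[2] << 16)
        ioas = [first + i for i in range(count)]
    return Apdu("I", type_id, cot, common_addr, ioas)


def check_command(src_ip: str, frame: bytes, allowed_peers: Set[str],
                  arming_ioas: Set[int]) -> List[str]:
    """Monitoring rule for the DSO centre boundary: return alert strings."""
    apdu = parse_apdu(frame)
    alerts: List[str] = []
    if apdu.fmt != "I" or apdu.type_id not in COMMAND_TYPES:
        return alerts                 # only control-direction commands are policed here
    name = TYPE_NAMES.get(apdu.type_id, str(apdu.type_id))
    if src_ip not in allowed_peers:
        alerts.append(f"{name} from unexpected peer {src_ip}")
    if apdu.cot == COT_ACTIVATION and not set(apdu.ioas) <= arming_ioas:
        extra = sorted(set(apdu.ioas) - arming_ioas)
        alerts.append(f"{name} activation on non-arming IOA(s) {extra}")
    return alerts


# Constructed sample: I-frame, C_SC_NA_1, COT=activation, CA=1, IOA=100, SCO=ON
ARMING_REQUEST = bytes.fromhex("680e02000200" "2d0106000100" "640000" "01")
STARTDT_ACT = bytes.fromhex("680407000000")          # U-frame, no ASDU
TSO_PEERS = {"10.1.1.10"}                            # constructed TSO centre front-end

if __name__ == "__main__":
    print(parse_apdu(ARMING_REQUEST))
    print(check_command("10.9.9.9", ARMING_REQUEST, TSO_PEERS, {100}))
```

The decoder deliberately rejects type ids it has no element size for rather than guessing: an IEC 104 monitor that silently skips unknown ASDUs would miss exactly the traffic a manipulated gateway might introduce. The same peer and IOA allow-lists are what the deck's "network access controls" would enforce at the firewall; the monitor gives the operator the warning when they are bypassed.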
Attack experiments (II)
• A malicious insider in the ICT management network identifies the process networks, their interconnection gateways, nodes and services
• s/he compromises a workstation to gain unauthorised remote access to the substation gateway
• s/he accesses the process nodes and decides to compromise the substation gateway
• s/he develops malware interfering with the IEC 60870-5-104 TCP/IP communications
• causing the arbitrary trip of the power substation
Operator’s Interface – warnings [screenshot slide]
Performance measures [chart slide]
Conclusions
• Topological analysis of the grid control network identifies the possible compromise paths
• ICT management networks and remote accesses are the entry points for serious attacks
• Network access controls and user authentication mechanisms
• Advanced security architectures
• Results from experiments feed the calculation of the cyber-power risk
• Analysis tools increase the security capabilities in the operation of the power grid
Power Grid Security
• Flexible/Integrated Multiple-Operated Defence Plans
• Power Grid Operation Risk Management
• Stratified Defence Lines
• In-depth Security
• ICT Protections
Thank you
Contact Point: Giovanna.Dondossola@rse-web.it
Do not miss the Poster Session, Wednesday, 8 June 2011