Application-Aware Secure Multicast for Power Grid Communications Jianqing Zhang* and Carl A. Gunter University of Illinois at Urbana-Champaign * Now working at Energy Systems Research Lab, Intel Labs
Outline • Motivation • Introduction • Formal Model for Multicast • Data Model and Publish-Subscribe Model • Multicast Configuration Anomaly • Implementation: SecureSCL • Performance Analysis of IPsec Based Multicast • Conclusion
Multicast in Power Grid Systems [figure: substation networks using DNP3, and PMU networks] • PMU: Phasor Measurement Unit
IEC 61850 Substation Network [figure*: station bus (Ethernet) carrying the Abstract Communication Service Interface (ACSI) and Generic Object Oriented Substation Event (GOOSE) messages; process bus carrying Sampled Measured Values (SMV)] • Data objects model • Communication protocols suite • Link layer multicast • Substation Configuration Language (SCL) • IEC: International Electrotechnical Commission • HMI: Human Machine Interface • PMU: Phasor Measurement Unit * Based on Baigent, D. et al. IEC 61850 Communication Networks and Systems in Substations: An Overview for Users
Cyber Security Threats to Substation Networks • Integrity • Tampered power grid status data • Forged control commands • Confidentiality • Valuable raw data • Availability • Data packet floods Cryptographically secured protocols?
Challenges: Manageable Configuration • Complex and error-prone configuration for current systems • Intricate system designs • Changing specifications during design phases • Large and hardly auditable configuration files • TVA Bradley Substation: 7.4 MB, 98K-line XML files • Proprietary configuration tools from multiple vendors • Complexity of current off-the-shelf security protocols and tools • Security vulnerabilities due to incorrect system configuration
Challenges: Latency Requirements • Timing requirements for real-time operations* • PMU: 30 times per second • Substation: event notification for protection, e.g. GOOSE: 2-10 ms • VT: Voltage Transformer • CT: Current Transformer * IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation
Challenges: Efficient Group Key Management & Configuration • Integration with power grid systems • How to partition multicast groups in a particular domain, like a power substation? • What’s the role of each control device in a group? • How to distribute group keys? • Standardized security protocols • How to integrate group key management with secure multicast protocols?
Approach: Application-Aware Secure Multicast • Derive group membership by application data dependency in system functional configurations • Observation: data dependency determines publish-subscribe relationships and group memberships
Data Dependency in Substation Configuration Language (SCL)
  <IED name="IED2" desc="Switchgear (subscriber)">
    …
    <LN desc="CircuitBreaker" inst="1" …>
      <Inputs>
        <ExtRef daName="general" doName="Tr" iedName="IED1" …/>
        <ExtRef daName="q" doName="Tr" iedName="IED1" …/>
        <ExtRef daName="general" doName="Op" iedName="IED1" …/>
        <ExtRef daName="q" doName="Op" iedName="IED1" …/>
        <ExtRef daName="general" doName="Op" iedName="IED1" …/>
        <ExtRef daName="q" doName="Op" iedName="IED1" …/>
      </Inputs>
    </LN>
  </IED>
  …
  <IED name="IED3" desc="Switchgear (subscriber)">
    …
    <LN desc="CircuitBreaker" inst="2" …>
      <Inputs>
        <ExtRef daName="general" doName="Tr" iedName="IED1" …/>
        <ExtRef daName="q" doName="Tr" iedName="IED1" …/>
        <ExtRef daName="general" doName="Op" iedName="IED1" …/>
        <ExtRef daName="q" doName="Op" iedName="IED1" …/>
        <ExtRef daName="general" doName="Op" iedName="IED1" …/>
        <ExtRef daName="q" doName="Op" iedName="IED1" …/>
      </Inputs>
    </LN>
  </IED>
  <IED name="IED1" desc="Protective relay (publisher)">
    …
    <GSE cbName="gcbTrip" ldInst="PROT">
      …
      <Address>…
        <P type="MAC-Address">01-0C-CD-01-01-46</P>
      </Address>
    </GSE>
    <DataSet name="dsTripLogic">
      <FCDA daName="general" doName="Tr" …/>
      <FCDA daName="q" doName="Tr" …/>
      <FCDA daName="general" doName="Op" …/>
      <FCDA daName="q" doName="Op" …/>
      <FCDA daName="general" doName="Op" …/>
      <FCDA daName="q" doName="Op" …/>
    </DataSet>
    …
  </IED>
  [figure annotation: "Trip command" flows from IED1's dsTripLogic to the Inputs of IED2 and IED3]
Approach: Application-Aware Secure Multicast • Derive group membership by application data dependency in system functional configuration • Detect inconsistent configurations automatically • Configure group key management system based on the derived group memberships and extended configuration files • Raise the link layer multicast to the network layer and secure multicast traffic using IPsec
A Formal Multicast Model: Components • D, the set of data objects • E, the entities which have relationships with data objects • O, the set of data owners • C, the set of data consumers • P, the set of publishers • S, the set of subscribers • G, the set of group controllers
Publish-Subscribe Model in SCL: Ownership & Publication
  <IED name="IED1" type="SecureIED" desc="Protective Relay">
    ...
    <LDevice inst="PROT">
      <LN0 lnClass="LLN0" lnType="IED1-LLN0-Type">
        <DataSet name="dsTripLogic">
          <FCDA daName="general" doName="Tr" ... ldInst="PROT" lnInst="1"/>
          <FCDA daName="general" doName="Op" ... ldInst="PROT" lnInst="1"/>
          ...
        </DataSet>
        <GSEControl appID="TripGoose" datSet="dsTripLogic" name="gcbTrip" .../>
      </LN0>
      ...
      <LN inst="1" lnClass="PTRC" lnType="IED1-PTRC-Type"/>
    </LDevice>
    ...
  </IED>
  ...
  <DataTypeTemplates>
    <LNodeType id="IED1_PTRC_Type" lnClass="PTRC">
      <DO name="Tr" type="tPTRC_TrOp"/>
      <DO name="Op" type="tPTRC_TrOp"/>
    </LNodeType>
  </DataTypeTemplates>
Publish-Subscribe Model in SCL: Consumption & Subscription
  <IED name="IED2" desc="Switchgear" type="SecureIED">
    ...
    <LDevice inst="CTRL">
      <LN desc="CircuitBreaker" inst="1" lnClass="XCBR" lnType="IED2-CTRL-XCBR">
        <Inputs>
          <ExtRef doName="Tr" ldInst="PROT" iedName="IED1" .../>
          <ExtRef doName="Op" ldInst="PROT" iedName="IED1" .../>
        </Inputs>
      </LN>
    </LDevice>
  </IED>
Multicast Configuration Anomaly: Publication Anomaly • Ownership Anomaly: a publisher publishes data objects that it does not own • Publication Redundancy: • Full redundancy: no data object is consumed • Partial redundancy: some data objects are not consumed
Multicast Configuration Anomaly: Subscription Anomaly • Source Anomaly: a subscriber subscribes to data from a “non-existent” publisher • Data Dissatisfaction • “Hard” data dissatisfaction: some data objects are not published by • “Soft” data dissatisfaction: some data objects are published by another publication
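As an added example (not the authors' SecureSCL code), the group derivation and anomaly checks of the preceding slides in Python, run over a constructed, simplified SCL fragment: element and attribute names follow the SCL excerpts above, while the anomaly wording, the data set contents and the seeded faults are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed SCL fragment (not from the slides), seeded with anomalies: IED1 publishes Mod (not
# owned by its PTRC node, consumed by nobody); IED3 subscribes to IED9 (no such IED) and to IED1's Alm (unpublished).
SCL = """<SCL>
 <IED name="IED1"><LDevice inst="PROT"><LN0 lnClass="LLN0"><DataSet name="dsTripLogic">
   <FCDA ldInst="PROT" doName="Tr" daName="general"/>
   <FCDA ldInst="PROT" doName="Op" daName="general"/>
   <FCDA ldInst="PROT" doName="Mod" daName="stVal"/></DataSet>
  <GSEControl name="gcbTrip" datSet="dsTripLogic"/></LN0><LN lnClass="PTRC" inst="1" lnType="T_PTRC"/></LDevice></IED>
 <IED name="IED2"><LDevice inst="CTRL"><LN lnClass="XCBR" inst="1"><Inputs>
   <ExtRef iedName="IED1" ldInst="PROT" doName="Tr" daName="general"/>
   <ExtRef iedName="IED1" ldInst="PROT" doName="Op" daName="general"/></Inputs></LN></LDevice></IED>
 <IED name="IED3"><LDevice inst="CTRL"><LN lnClass="XCBR" inst="2"><Inputs>
   <ExtRef iedName="IED9" ldInst="PROT" doName="Op" daName="general"/>
   <ExtRef iedName="IED1" ldInst="PROT" doName="Alm" daName="general"/></Inputs></LN></LDevice></IED>
 <DataTypeTemplates><LNodeType id="T_PTRC"><DO name="Tr"/><DO name="Op"/></LNodeType></DataTypeTemplates>
</SCL>"""

def analyze(scl_text):
    root = ET.fromstring(scl_text)
    do_of = {t.get("id"): {d.get("name") for d in t.findall("DO")} for t in root.iter("LNodeType")}
    ieds, owned, pubs, subs, groups, anomalies = set(), defaultdict(set), {}, defaultdict(set), defaultdict(set), []
    for ied in root.iter("IED"):
        ieds.add(name := ied.get("name"))
        for ld in ied.iter("LDevice"):
            for ln in ld.findall("LN"):        # ownership (O): DOs declared by the LN's type template
                owned[name] |= {(ld.get("inst"), d) for d in do_of.get(ln.get("lnType"), ())}
            for cb in ld.iter("GSEControl"):   # publication (P): data set bound to a GOOSE control block
                ds = ld.find(f".//DataSet[@name='{cb.get('datSet')}']")
                pubs[(name, cb.get("name"))] = {(f.get("ldInst"), f.get("doName"), f.get("daName")) for f in ds}
            for r in ld.iter("ExtRef"):        # subscription (S): references to other IEDs' data objects
                subs[name].add((r.get("iedName"), r.get("ldInst"), r.get("doName"), r.get("daName")))
    for (ied, cb), objs in pubs.items():
        for ld, do, da in objs:
            if (ld, do) not in owned[ied]:
                anomalies.append(f"ownership anomaly: {ied}/{cb} publishes {ld}.{do} it does not own")
        unused = {o for o in objs if not any((ied,) + o in refs for refs in subs.values())}
        if unused:  # full redundancy if nothing is consumed, partial if only some objects are
            anomalies.append(f"{'full' if unused == objs else 'partial'} publication redundancy: {ied}/{cb} {sorted(unused)}")
    for sub, refs in subs.items():
        for src, ld, do, da in refs:
            matching = [k for k, objs in pubs.items() if k[0] == src and (ld, do, da) in objs]
            if src not in ieds:
                anomalies.append(f"source anomaly: {sub} subscribes to non-existent IED {src}")
            elif not matching:
                anomalies.append(f"hard data dissatisfaction: {src}:{ld}.{do}.{da} wanted by {sub} is not published")
            for k in matching:  # a satisfied subscription puts the subscriber in that publication's group
                groups[k].add(sub)
    return dict(groups), anomalies
```

The derived group (publication to subscriber set) is what a group controller would use to provision keys; each anomaly is a configuration fault to fix before any key material is issued.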
Benefits of IPsec Based Multicast in Power Grid Networks • Preserves a variety of security properties, proved by a degree of formal analysis • Supports wide area multicast, important to inter-substation communications and PMU networks • Obtains strong support from security communities • Capable of addressing latency constraints in medium scale networks
Performance Analysis of IPsec Based Multicast • Test Bed Setup • Hardware • Deterlab: 8, 16, 32, 64-node scenarios • Xeon Quad 3.00GHz PCs • Software • Platform: Ubuntu 8.04 • Process Control Emulation System* • Measure round trip latency * Credits to Chris Grier and Sam King
Conclusion • Application-aware secure multicast is an efficient solution for multicast in power grid systems • Automate group configuration and minimize errors • Integrate security configurations with functional configurations • IPsec is a promising solution for secure multicast in power grid systems • Future work • WAN or Inter-substation network multicast communication and configuration • Dynamic group management
Questions? http://seclab.illinois.edu/web/ • Dr. Jianqing Zhang, Intel Labs, RNB6-61, 2200 Mission College Blvd., Santa Clara, CA 94054, Tel: (408) 653-5461, Email: jianqing.zhang@intel.com • Professor Carl A. Gunter, 4304 Siebel Center for Computer Science, 201 N. Goodwin Ave., Urbana, IL 61801, Tel: (217) 244-1982, Email: cgunter@cs.illinois.edu
Contributions • Propose a formal multicast data model and a publish-subscribe model depicting the publish-subscribe relationships • Classify a number of configuration anomalies in multicast systems • Design algorithms detecting the anomalies • Design a multicast and group key management architecture • Develop a prototype system, SecureSCL • Provide a case study of secure GOOSE in IEC 61850 substations • Evaluate the performance of IPsec based multicast
Related Work • IEC 62351: sign each GOOSE frame using RSA [figure: IEC 62351 GOOSE frame layout with Header, GOOSE PDU, Authentication Value, Length and CRC fields] • Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data Dissemination Framework for the Power Grid, IEEE Transactions on Power Delivery, Jan. 2009 • Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004
GDOI Based Group Key Management Architecture • Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast • IKEv1 Phase 1: registration SA • Phase 2, GROUPKEY-PULL: (first) Rekey SA and Data SA • GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs