Application-Aware Secure Multicast for Power Grid Communications
![Page 1: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/1.jpg)
Application-Aware Secure Multicast for Power Grid Communications
Jianqing Zhang* and Carl A. Gunter
University of Illinois at Urbana-Champaign
* Now working at Energy Systems Research Lab, Intel Labs
![Page 2: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/2.jpg)
Outline
• Motivation
• Introduction
• Formal Model for Multicast
  – Data Model and Publish-Subscribe Model
  – Multicast Configuration Anomaly
• Implementation: SecureSCL
• Performance Analysis of IPsec Based Multicast
• Conclusion
![Page 3: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/3.jpg)
Multicast in Power Grid Systems
Substation Networks
PMUs (PMU: Phasor Measurement Unit)
DNP3
![Page 4: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/4.jpg)
IEC 61850 Substation Network
• Data objects model
• Communication protocols suite
• Link layer multicast
• Substation Configuration Language (SCL)
Figure labels*: Generic Object Oriented Substation Event (GOOSE), Sampled Measured Value (SMV), Abstract Communication Service Interface (ACSI), Substation Bus, Process Bus, Ethernet
• IEC: International Electrotechnical Commission
• HMI: Human Machine Interface
• PMU: Phasor Measurement Unit
* Based on Baigent, D. et al. IEC 61850 Communication Networks and Systems in Substations: An Overview for Users
![Page 5: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/5.jpg)
Cyber Security Threats to Substation Networks
• Integrity
  – Tampered power grid status data
  – Faked control commands
• Confidentiality
  – Valuable raw data
• Availability
  – Data packets flood
Cryptographically Secured Protocols?
![Page 6: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/6.jpg)
Challenges: Manageable Configuration
• Complex and error-prone configuration for current systems
  – Intricate system designs
  – Changing specifications during design phases
  – Large and hardly auditable configuration files
    • TVA Bradley Substation: 7.4Mbytes and 98K lines XML files
  – Proprietary configuration tools from multiple vendors
  – Complexity of current off-the-shelf security protocols and tools
• Security vulnerabilities due to incorrect system configuration
![Page 7: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/7.jpg)
Challenges: Latency Requirements
• Timing requirements for real-time operations*
  – PMU: 30 times per second
  – Substation: event notification for protection, e.g. GOOSE, 2-10ms
* IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation
• VT: Volt Transformer
• CT: Current Transformer
![Page 8: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/8.jpg)
Challenges: Efficient Group Key Management & Configuration
• Integration with power grid systems
  – How to partition multicast groups in a particular domain, like a power substation?
  – What’s the role of each control device in a group?
  – How to distribute group keys?
• Standardized security protocols
  – How to integrate group key management with secure multicast protocols?
![Page 9: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/9.jpg)
Approach: Application-Aware Secure Multicast
• Derive group membership by application data dependency in system functional configurations
  – Observation: data dependency determines publish-subscribe relationships and group memberships
![Page 10: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/10.jpg)
Data Dependency in Substation Configuration Language (SCL)

```xml
<IED name="IED2" desc="Switchgear (subscriber)">
  …
  <LN desc="CircuitBreaker" inst="1" …>
    <Inputs>
      <ExtRef daName="general" doName="Tr" iedName="IED1" …/>
      <ExtRef daName="q" doName="Tr" iedName="IED1" …/>
      <ExtRef daName="general" doName="Op" iedName="IED1" …/>
      <ExtRef daName="q" doName="Op" iedName="IED1" …/>
      <ExtRef daName="general" doName="Op" iedName="IED1" …/>
      <ExtRef daName="q" doName="Op" iedName="IED1" …/>
    </Inputs>
  </LN>
</IED>
…
<IED name="IED3" desc="Switchgear (subscriber)">
  …
  <LN desc="CircuitBreaker" inst="2" …>
    <Inputs>
      <ExtRef daName="general" doName="Tr" iedName="IED1" …/>
      <ExtRef daName="q" doName="Tr" iedName="IED1" …/>
      <ExtRef daName="general" doName="Op" iedName="IED1" …/>
      <ExtRef daName="q" doName="Op" iedName="IED1" …/>
      <ExtRef daName="general" doName="Op" iedName="IED1" …/>
      <ExtRef daName="q" doName="Op" iedName="IED1" …/>
    </Inputs>
  </LN>
</IED>
```

```xml
<IED name="IED1" desc="Protective relay (publisher)">
  …
  <GSE cbName="gcbTrip" ldInst="PROT">
    …
    <Address>
      …
      <P type="MAC-Address">01-0C-CD-01-01-46</P>
    </Address>
  </GSE>
  <DataSet name="dsTripLogic">
    <FCDA daName="general" doName="Tr" …/>
    <FCDA daName="q" doName="Tr" …/>
    <FCDA daName="general" doName="Op" …/>
    <FCDA daName="q" doName="Op" …/>
    <FCDA daName="general" doName="Op" …/>
    <FCDA daName="q" doName="Op" …/>
  </DataSet>
  …
</IED>
```

Trip command
![Page 11: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/11.jpg)
Approach: Application-Aware Secure Multicast
• Derive group membership by application data dependency in system functional configuration
• Detect inconsistent configurations automatically
• Configure group key management system based on the derived group memberships and extended configuration files
• Raise the link layer multicast to the network layer and secure multicast traffic using IPsec
![Page 12: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/12.jpg)
A Formal Multicast Model: Components
• D, the set of data objects
• E, the entities which have relationships with data objects
  – O, the set of data owners
  – C, the set of data consumers
  – P, the set of publishers
  – S, the set of subscribers
• G, the set of group controllers
![Page 13: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/13.jpg)
A Formal Multicast Model: Publish-Subscribe Model
![Page 14: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/14.jpg)
Publish-Subscribe Model in SCL: Ownership & Publication

```xml
<IED name="IED1" type="SecureIED" desc="Protective Relay">
  ...
  <LDevice inst="PROT">
    <LN0 lnClass="LLN0" lnType="IED1-LLN0-Type">
      <DataSet name="dsTripLogic">
        <FCDA daName="general" doName="Tr" ... ldInst="PROT" lnInst="1"/>
        <FCDA daName="general" doName="Op" ... ldInst="PROT" lnInst="1"/>
        ...
      </DataSet>
      <GSEControl appID="TripGoose" datSet="dsTripLogic" name="gcbTrip".../>
    </LN0>
    ...
    <LN inst="1" lnClass="PTRC" lnType="IED1-PTRC-Type"/>
  </LDevice>
  ...
</IED>
...
<DataTypeTemplates>
  <LNodeType id="IED1_PTRC_Type" lnClass="PTRC">
    <DO name="Tr" type="tPTRC_TrOp"/>
    <DO name="Op" type="tPTRC_TrOp"/>
  </LNodeType>
</DataTypeTemplates>
```

$R_{own}(IED1, Tr),\ R_{own}(IED1, Op)$
$R_{pub}(IED1, Tr),\ R_{pub}(IED1, Op)$
![Page 15: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/15.jpg)
Publish-Subscribe Model in SCL: Consumption & Subscription

```xml
<IED name="IED2" desc="Switchgear" type="SecureIED">
  ...
  <LDevice inst="CTRL">
    <LN desc="CircuitBreaker" inst="1" lnClass="XCBR" lnType="IED2-CTRL-XCBR">
      <Inputs>
        <ExtRef doName="Tr" ldInst="PROT" iedName="IED1".../>
        <ExtRef doName="Op" ldInst="PROT" iedName="IED1".../>
      </Inputs>
    </LN>
  </LDevice>
</IED>
```

$R_{con}(IED2, Tr),\ R_{con}(IED2, Op)$
$R_{sub}(IED2, IED1, Tr),\ R_{sub}(IED2, IED1, Op)$
![Page 16: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/16.jpg)
Multicast Configuration Anomaly: Publication Anomaly
• Ownership Anomaly: a publisher publishes data objects which are not owned by it
• Publication Redundancy:
  – Full redundancy: No data object is consumed
  – Partial redundancy: some data objects are not consumed
![Page 17: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/17.jpg)
Multicast Configuration Anomaly: Subscription Anomaly
• Source Anomaly: a subscriber subscribes to data from a “non-existent” publisher
• Data Dissatisfaction
  – “Hard” data dissatisfaction: some data objects are not published by
  – “Soft” data dissatisfaction: some data objects are published by another publication
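An added example (not from the slides and not SecureSCL code) of checking the publication and subscription anomalies listed on the two preceding slides, once the ownership, publication and subscription relations have been extracted from an SCL file. The SCL fragment is constructed and simplified, the function names are hypothetical, and the hard/soft split is an assumed reading of the slide: soft when another publisher carries the object, hard when none does.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified SCL (no namespace, flattened); not from the slides.
SCL = """<SCL>
 <IED name="IED1"><LN lnType="T1"/><DataSet name="dsTripLogic">
   <FCDA doName="Tr"/><FCDA doName="Op"/><FCDA doName="Str"/></DataSet></IED>
 <IED name="IED3"><LN lnType="T3"/><DataSet name="dsPos">
   <FCDA doName="Pos"/></DataSet></IED>
 <IED name="IED2"><Inputs>
   <ExtRef doName="Tr" iedName="IED1"/><ExtRef doName="Pos" iedName="IED1"/>
   <ExtRef doName="Blk" iedName="IED1"/><ExtRef doName="Op" iedName="IED9"/>
 </Inputs></IED>
 <LNodeType id="T1"><DO name="Tr"/><DO name="Op"/></LNodeType>
 <LNodeType id="T3"><DO name="Pos"/></LNodeType>
</SCL>"""

def relations(scl_text):
    """Return (own, pub, sub) as sets of tuples derived from the SCL text."""
    root = ET.fromstring(scl_text)
    types = {t.get("id"): {d.get("name") for d in t.iter("DO")}
             for t in root.iter("LNodeType")}
    own, pub, sub = set(), set(), set()
    for ied in root.iter("IED"):
        name = ied.get("name")
        for ln in ied.iter("LN"):  # ownership: DOs of the logical node's type
            own |= {(name, d) for d in types.get(ln.get("lnType"), ())}
        pub |= {(name, f.get("doName")) for f in ied.iter("FCDA")}
        sub |= {(name, e.get("iedName"), e.get("doName"))
                for e in ied.iter("ExtRef")}
    return own, pub, sub

def anomalies(own, pub, sub):
    """Classify anomalies; keys mirror the anomaly names on the slides."""
    publishers = {p for p, _ in pub}
    wanted = {(p, d) for _, p, d in sub}
    found = {"ownership": sorted(pub - own), "redundancy": {},
             "source": sorted(t for t in sub if t[1] not in publishers),
             "hard": [], "soft": []}
    for p in sorted(publishers):
        mine = sorted(d for q, d in pub if q == p)
        unused = [d for d in mine if (p, d) not in wanted]
        if unused:
            found["redundancy"][p] = ("full" if unused == mine else "partial", unused)
    for s, p, d in sorted(sub):  # publisher exists but does not publish d
        if p in publishers and (p, d) not in pub:
            # Assumption: "soft" = some other publisher carries d; else "hard".
            kind = "soft" if any(x == d for _, x in pub) else "hard"
            found[kind].append((s, p, d))
    return found

REPORT = anomalies(*relations(SCL))
```

Each finding maps to a group-membership decision: an ownership or redundancy finding means a publisher's group carries data it should not or need not send, and a source or dissatisfaction finding means a subscriber would be keyed into a group that cannot deliver what it expects.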
![Page 18: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/18.jpg)
Architecture of SecureSCL
![Page 19: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/19.jpg)
Benefits of IPsec Based Multicast in Power Grid Networks
• Preserves a variety of security properties, proved by a degree of formal analysis
• Supports wide area multicast, important to inter-substation communications and PMU networks
• Obtains strong support from security communities
• Capable of addressing latency constraints in medium scale networks
![Page 20: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/20.jpg)
Performance Analysis of IPsec Based Multicast
• Test Bed Setup
  – Hardware
    • Deterlab: 8, 16, 32, 64-node scenarios
    • Xeon Quad 3.00GHz PCs
  – Software
    • Platform: Ubuntu 8.04
    • Process Control Emulation System*
  – Measure round trip latency
* Credits to Chris Grier and Sam King
![Page 21: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/21.jpg)
Performance of IPsec Multicast
![Page 22: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/22.jpg)
Conclusion
• Application-aware secure multicast is an efficient solution for multicast in power grid systems
  – Automate group configuration and minimize errors
  – Integrate security configurations with functional configurations
• IPsec is a promising solution for secure multicast in power grid systems
• Future work
  – WAN or Inter-substation network multicast communication and configuration
  – Dynamic group management
![Page 23: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/23.jpg)
Questions?
http://seclab.illinois.edu/web/

Dr. Jianqing Zhang
Intel Labs, RNB6-61
2200 Mission College Blvd.
Santa Clara, CA 94054
Tel: (408)653-5461
Email: [email protected]

Professor Carl A. Gunter
4304 Siebel Center for Computer Science
201 N. Goodwin Ave.
Urbana, IL 61801
Tel: (217)244-1982
Email: [email protected]
![Page 24: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/24.jpg)
Contributions
1. Propose a formal multicast data model and a publish-subscribe model depicting the publish-subscribe relationships
2. Classify a number of configuration anomalies in multicast systems
3. Design algorithms detecting the anomalies
4. Design a multicast and group key management architecture
5. Develop a prototype system, SecureSCL
6. Provide a case study of secure GOOSE in IEC 61850 substations
7. Evaluate the performance of IPsec based multicast
![Page 25: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/25.jpg)
Related Work
• IEC 62351: sign each GOOSE frame using RSA
  Figure labels: Header, Authentication Value, GOOSE PDU, Length, CRC
• Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data Dissemination Framework for the Power Grid, IEEE Transactions on Power Delivery, Jan. 2009
• Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004
![Page 26: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/26.jpg)
System Working Phases
![Page 27: Application-Aware Secure Multicast for Power Grid Communications](https://reader035.vdocument.in/reader035/viewer/2022062310/568164c2550346895dd6d6fa/html5/thumbnails/27.jpg)
GDOI Based Group Key Management Architecture
• Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast
1. IKEv1 Phase1: Reg. SA
2. Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA
3. GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs