Slide transcript, source: critis08.dia.uniroma3.it/pdf/critis_08_28.pdf
Testbeds for assessing critical scenarios
in Power Control Systems
Contact information
Name: DONDOSSOLA Giovanna
Phone: +39-02-3992 5779
Fax: +39-02-3992 5557
e-mail: [email protected]
CESI RICERCA
Name: DECONINCK Geert
Phone: +32-16-31 11 26
Fax: +32-16-32 19 85
e-mail: [email protected]
G. Dondossola (1), G. Deconinck (2), F. Garrone (1), H. Beithollahi (2)
(1) Power System Development, CESI RICERCA, Milan, Italy
(2) ESAT/Electa, Katholieke Universiteit Leuven, Belgium
CRITIS 2008, Rome, Italy, October 13-15, 2008, CESI RICERCA
[Figure: CRUTIAL project structure, tasks T1.1 to T5.3 grouped under Power control infrastructures, Models, Architectures and Evaluations]
Table of Contents
• Testbed activity in CRUTIAL WP3
• Control system scenarios
• T1 – Hierarchical Teleoperation of Macrogrids with Bulk Generation
• Architecture, control scenarios, test plan
• T2 – Distributed Control of Microgrid with Distributed Generation
• Architecture, control scenarios, test plan
• Conclusions
Testbed activity in CRUTIAL
• CESI RICERCA Grid teleoperation testbed (T1): power substation controllers on real-time control networks, interconnected to control centre operation networks, which are in turn connected to corporate networks
• K.U.Leuven Microgrid testbed (T2): power electronic converters controlled from PCs interconnected over an open communication network
• Aims
• identify critical aspects of power-ICT dependencies
• assess the ICT infrastructure vulnerability to plausible cyber attacks
• assess the severity of potential damages
• evaluate the resiliency of possible architectures/mechanisms/solutions to cyber threats
Control system scenarios
• Scenario 1: DSO teleoperation
  – use of an IP backbone for DSO supervision and control
  – assess redundant communication architecture
  – assess vulnerabilities of standard protocols and their impact on control functions
• Scenario 2: interaction between TSO/DSO in emergency
  – assess defence plan actuation (automatic load shedding)
  – assess security of the TSO-DSO communications
  – evaluate the impact of attacks in emergency conditions
• Scenario 3: ICT-driven decentralised control algorithms in microgrids with Distributed Energy Resources
  – evaluate the impact of network latency, packet loss, network unavailability, DoS attacks on overlay networks, and incorrect values on tertiary (economic) and secondary (voltage) control
[Figure: T1 Grid Teleoperation testbed network: TSO control centre (remote SCADA operator workstation, UPDM simulator, gateway), DSO control centre (remote SCADA, telecontrol database, web server, corporate network, DMZ, grid maintenance, central firewall), Substation 1 and Substation 2 (IED master, IED slaves, IED simulator, station computer with local HMI, demo controller, gateway), DSO ICT monitoring centre, department office development stations (Linux, Windows HMI, IED, automation), maintenance mobile workstation, telecommunication service provider network, Internet, PSTN, CESI RICERCA LAN, and attacker positions A1 and A2]
T1: Grid teleoperation
• The Grid Teleoperation testbed implements a scaled down power control platform with its integrated ICT infrastructure for testing the cyber security of SCADA, substation automation and communication systems
[Figure: reference power and ICT architecture: Substation 1 single-line diagram (transformers, breaker, bus-bars, line, switch, voltage and current meters, LV loads); substation station and bay levels (IEDs on a local station bus, MCD-TU, router, firewall/gateway); Distribution System Operator with area, regional and national control centres (ATS, RTS, NTS, EMS, state estimator, web servers, video surveillance, VoIP, LV/MV and EHV-HV maintenance); Transmission System Operator; ICT national control centre and national communication network control centre (NNM, CNM); telco operators and communication networks; corporate intranet and control network VPNs; Internet access point]
T1: Grid teleoperation
• Aims
  – to improve the security know-how in power control
  – to mitigate the vulnerabilities of the standard protocols (e.g. IEC 60870-6, IEC 60870-5-104, IEC 61850)
  – to assess the capability of secure and redundant architectures to tolerate the threat hypotheses
  – to offer a testing infrastructure for SCADA and automation system properties that are difficult to reproduce in real infrastructures
  – to facilitate the development of cyber security standards, guidelines and practices for industrial usage (e.g. NERC, IEC, IEEE, NIST, ISA)
  – to support risk assessment and model-based evaluation with statistics from experiments
T1: power infrastructure
• The Electric Infrastructure is currently simulated through pre-compiled input sequences
  – EHV-HV Grid
  – Substations HV/MV
  – MV Grid
T1: functional components
• The laboratory architecture is based on building blocks implementing functional components
  – Grid Control Centres, control devices, substations, ICT Control Centres
Laboratory: building blocks
• The ICT components are related to these functions
  – Automation
  – Communication
  – SCADA
  – HMI
• The ICT components are developed as prototypes to easily produce logs
• Automation relevant aspects
  – Automatic code generation (bug free)
  – Distributed architectures (IEC 61850)
  – Fault tolerant architectures
Laboratory: building blocks
• Communication relevant aspects
  – Open transport/network layer standard protocols (TCP/IP, UDP/IP)
  – Power domain application layer standard protocols (IEC 60870-5-104)
  – Security standard protocols (IPsec, VPN)
• SCADA relevant aspects
  – Standard DBMS
  – Standard Web servers
  – Process vs corporate network separation
• HMI
  – Both Power and ICT views
  – Both Power and ICT alarm warnings
  – To increase operators' awareness of the ICT infrastructure status
Laboratory: software components
• The testbed software components layout
[Figure: software component layout: Maintenance web client, DBMS, Area Control Centre web server, Corporate Maintenance web server, Telecontrol SCADA, DB process data loader, IEC 60870-5-104 Slave, Gateway/Firewall/VPN, Substation SCADA & Local GUI (socket application), Central Firewall, IEC 60870-5-104 Master, Demo Controller / Field Simulation, Distributed Automation]
Threats
• DoS attacks to the teleoperation communications, generated by enemies located on the Telecom IP backbone
• Intrusions into the Centre/Substation communication flow, possibly followed by the execution of faked commands
• Authentication violations of a Substation Computer on the process control LAN through hostile use of maintenance activities
Grid Teleoperation: Scenario 1
DoS attack to Centre/Substation communications
• Attack to a Substation router/gateway by TSP insider
  1 - TSP insider starts attack
  2 - Communication bandwidth reduction
  3 - Communication backup line (Backup Channel)
  4 - Loss of remote control functions of a Substation
Grid Teleoperation: Scenario 1
DoS attack to Centre/Substation communications
• Attack to Centre router/gateway by TSP insider
  1 - TSP insider starts attack
  2 - Communication bandwidth reduction
  3 - Loss of a Centre's remote control functions of a group of Substations (Backup Channel)
  4 - Loss of remote control functions of a group of Substations
DoS Attack: Simulation
• Simulation of DoS attack processes to IEC 60870-5-104 communications
  – Based on standard TCP/IPsec communication
• Attack phases
  – Pre-attack phase
    • TSP scanning/sniffing/dump activities
  – Attack execution
    • Message flooding: SYN packets
    • Message flooding: ICMP packets
    • Message flooding: UDP packets
    • TCP replay: ICMP, TCP, ESP
  – Attack monitoring
    • Firewall logs
    • IPsec logs
    • Tcpdump
    • Communication sniffing
    • IEC 60870-5-104 communication logs
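The detection side of the attack-monitoring step above, as an added example that is not code from the CRUTIAL testbed: a log-analysis routine that counts SYN, ICMP and UDP packets per source and second over constructed firewall-style records for an IEC 60870-5-104 link and flags a flooding source. The log format, the addresses and the alert threshold are assumptions.

```python
"""Flood detection over firewall-style log lines for an IEC 60870-5-104 link.

Added example for the DoS monitoring step above; it is not code from the
CRUTIAL testbed.  The log format, addresses and threshold are constructed
for illustration.  TCP port 2404 is the registered IEC 60870-5-104 port.
"""
from collections import Counter

IEC104_PORT = 2404

# Constructed log, one record per line:
#   "<second> <src_ip> <dst_ip> <proto> <tcp_flags or -> <dst_port>"
# Normal traffic: SCADA master 10.1.1.5 talking to substation gateway 10.2.0.10.
NORMAL_LINES = [
    "0 10.1.1.5 10.2.0.10 tcp S 2404",    # master opens the IEC 104 connection
    "0 10.2.0.10 10.1.1.5 tcp SA 41000",  # gateway answers
    "0 10.1.1.5 10.2.0.10 tcp A 2404",
    "3 10.1.1.5 10.2.0.10 tcp PA 2404",   # STARTDT and I-format traffic
    "7 10.2.0.10 10.1.1.5 tcp PA 41000",
]
# Burst from a host on the telecom backbone (constructed attacker address).
FLOOD_LINES = (["5 198.51.100.7 10.2.0.10 tcp S 2404"] * 40
               + ["6 198.51.100.7 10.2.0.10 icmp - 0"] * 30)
SAMPLE_LOG = "\n".join(NORMAL_LINES + FLOOD_LINES)


def parse_log(text):
    """Parse log lines into (second, src, dst, proto, flags, dport) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the analysis
        sec, src, dst, proto, flags, dport = parts
        records.append((int(sec), src, dst, proto, flags, int(dport)))
    return records


def classify(proto, flags, dport):
    """Map one record to a flood class from the test plan, or None."""
    if proto == "tcp" and flags == "S" and dport == IEC104_PORT:
        return "tcp-syn"   # half-open connection attempts at the IEC 104 port
    if proto == "icmp":
        return "icmp"
    if proto == "udp":
        return "udp"
    return None


def flood_alerts(records, threshold, window=1):
    """Return sorted (window_start, src, class, count) for every source whose
    count of one flood class within a window of 'window' seconds exceeds threshold."""
    counts = Counter()
    for sec, src, _dst, proto, flags, dport in records:
        cls = classify(proto, flags, dport)
        if cls is not None:
            counts[(sec // window * window, src, cls)] += 1
    return sorted((w, src, cls, n) for (w, src, cls), n in counts.items()
                  if n > threshold)
```

The legitimate master-to-gateway exchange stays below the threshold while the burst is reported per class, so the same counters can be compared against the fault-free reference run of the evaluation plan.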
Grid Teleoperation: evaluation plan
– Scenario 1: manual teleoperations
  • fault-free (reference TCP/IP / overhead of VPN)
    – for different VPN configurations
  • Threats: DoS, authentication violation, viral infection
  • Measures: delayed packets, lost packets, time to failure
  • Consequences: grid supervision, preventive maintenance, normal operation, pre-emergency operation
– Scenario 2: automatic teleoperations
  • fault-free (reference / overhead of VPN)
    – for different VPN configurations
  • Threats: DoS, intrusion
  • Measures: delayed packets, lost packets, time to failure
  • Consequences: grid supervision, emergency operation
T2: Distributed microgrid control
• dispersed energy resources (DER)
  – at distribution level (MV, LV)
  – renewable sources
    • PV, CHP, wind, fuel cell, etc.
  – storage systems
    • supercaps, fuel cells, UPS, …
  – intelligent loads
• IEDs (intelligent electronic devices)
  – connected to grid via power electronics
    • inverter front-ends
  – interconnected via communication network
Distributed control systems
• distributed control of DER
  – optimize voltage level (secondary control)
  – optimize production costs (tertiary control)
  – data aggregation, system monitoring etc.
• layout of communication architecture
  – point-to-point infrastructure vs. overlay network
  – distributed agents vs. centralised control
    • + small capital investment
    • + no single point of failure
    • - security more difficult
ICT threat assessment in distributed microgrid applications
• accidental fault scenarios
  – network delays/packet loss → slower convergence of secondary/tertiary control loops
  – communication failure; soft-/hardware crash → overlay network can manage dynamism, if available
• malicious fault scenarios
  – denial-of-service attacks → similar, not critical
  – intrusions on control PCs
    • attacks on middleware level → critical
      – e.g. influence overlay topology
    • attacks at application level → critical
      – e.g. tampering with tertiary control (financial gain)
      – e.g. tampering with secondary control (voltage profile disturbance)
Microgrid simulation model
• low voltage power distribution segment
  – grid connected
  – high DG penetration
  – variable loads
• agents
  – form overlay network
  – control power output
    • primary, secondary, tertiary control
• many scenarios (ICT fault EPS)
Overlay topology attack (1)
• overlay networks dynamically constructed
  – here: neighbour choice based on node description
• malicious node sends wrong descriptions
  – other nodes choose it as a direct neighbour
Overlay topology attack (2)
• malicious node more powerful
  – e.g. network partitioning
    • disable secondary/tertiary control
  – leads to non-optimal behaviour
Secondary control attack (1)
• secondary control = voltage profile management
• uses distributed averaging primitive
  – = averages system-wide divergence from optimal voltage level
• malicious node injecting false values
  – false values aggregate
  – leading to system-wide power output increase
Secondary control attack (2)
[Figure: DER increases active power output]
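The two attacks above (a false node description that attracts neighbours, then false values fed into the averaging primitive) worked through in one added simulation, which is not code from the CRUTIAL or Agora implementation: the node names, the capacity-based neighbour choice, the Metropolis gossip weights, the secondary-control gain and the plausibility bound used as a mitigation are all assumptions.

```python
"""Overlay neighbour choice and secondary-control averaging with one malicious node.
Added example for the overlay-topology and secondary-control attacks above, not code
from the CRUTIAL/Agora testbed.  Node names, the advertised capacity used as node
description, the Metropolis gossip weights, the control gain and the plausibility
bound are assumptions.  Deviations are per unit (p.u.); a negative grid-wide
average makes every DER raise its active power output."""

# Constructed 4-IED microgrid: name -> (advertised capacity, measured deviation)
HONEST = {"pv": (3, 0.02), "chp": (5, -0.01), "battery": (8, 0.00), "load": (4, -0.01)}
K = 2          # every node links to the K peers with the best description
GAIN = 50.0    # assumed secondary gain: kW of extra output per p.u. below setpoint
BOUND = 0.10   # assumed plausibility bound on any reported deviation, p.u.

def choose_neighbours(descriptions, k):
    """Every node picks the k peers with the highest advertised capacity.  Returns
    the undirected links and how many times each node was picked as neighbour."""
    links = {n: set() for n in descriptions}
    chosen_by = {n: 0 for n in descriptions}
    for n in descriptions:
        ranked = sorted((c, m) for m, c in descriptions.items() if m != n)
        for _c, m in ranked[-k:]:
            links[n].add(m)
            links[m].add(n)
            chosen_by[m] += 1
    return links, chosen_by

def gossip_average(links, values, stubborn=(), rounds=60, bound=None):
    """Metropolis-weight averaging (w_ij = 1/(1+max(d_i, d_j))): exact mean when all
    nodes are honest.  Stubborn nodes never update (malicious node re-injecting its
    value).  With a bound, a node clips what it hears from a neighbour to +-bound."""
    x = dict(values)
    for _ in range(rounds):
        new = {}
        for i, nbrs in links.items():
            if i in stubborn:
                new[i] = x[i]
                continue
            total, w_self = 0.0, 1.0
            for j in nbrs:
                w = 1.0 / (1 + max(len(nbrs), len(links[j])))
                heard = x[j] if bound is None else max(-bound, min(bound, x[j]))
                total += w * heard
                w_self -= w
            new[i] = w_self * x[i] + total
        x = new
    return x

def run(malicious_capacity=None, malicious_value=-0.5, bound=None):
    """Build the overlay, average, return (chosen_by, kW correction per honest DER).
    Without a malicious node this is the fault-free reference: all corrections 0."""
    descriptions = {n: c for n, (c, _v) in HONEST.items()}
    values = {n: v for n, (_c, v) in HONEST.items()}
    stubborn = set()
    if malicious_capacity is not None:   # "mal" joins advertising this capacity
        descriptions["mal"], values["mal"] = malicious_capacity, malicious_value
        stubborn.add("mal")
    links, chosen_by = choose_neighbours(descriptions, K)
    est = gossip_average(links, values, stubborn, bound=bound)
    return chosen_by, {n: round(-GAIN * est[n], 2) for n in HONEST}
```

With every node honest the corrections are zero; when the malicious node advertises the best description all four DERs pick it and converge to its injected value (+25 kW each), and clipping heard values to the bound limits the swing to +5 kW but does not remove it, because a stubborn node still drives the consensus.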
Rapid prototyping platform
• modular rapid prototyping platform
  – reconfigurable
  – scalable
  – 1-4 phases
  – different types of power stages
• transparent programming
• fast protection
• EMC mitigation
[Figure: platform blocks: measurement/acquisition, inverter/actuator, processing & control, host/monitoring/communication]
Microgrid test set-up
[Figure: electricity grid and communication network]
• power electronics, electrically connected
  – controlled via inverter-server
  – Matlab interface on user PC
    • algorithm design and compilation
    • for setting parameters and reading measurement data
    • link to inter-inverter communication
• microgrid algorithm
  – operating several inverters in parallel
  – primary control: no communication needed
  – secondary and tertiary control
    • via TCP/IP network
    • link into CRUTIAL building blocks
Microgrid control: experimental results
• primary + secondary + tertiary control
  – distributed, decentralised
• 4 IEDs, with specific cost functions
  – photovoltaic (PV) unit (0-3 kW)
  – coupled heat power (CHP) unit
  – battery
  – intelligent load
  – + dummy load changing
• interconnected by an Agora overlay network
  – subject to a mix of load and supply variations
Microgrid control: reference control scenario
• t = 0 to 100 s: demand is very low
  – IEDs & primary control
    • battery nearly full, no CHP
    • PV unit provides little electricity (cloudy)
    • intelligent load is fully activated
  – small excess power is absorbed by battery
  – marginal cost is about 40 €/MWh
    • determined by most expensive activated unit (in this case the battery)
• at t = 100 s: load increases to 1.3 kW
  – primary control: battery at full output and CHP at partial output
  – tertiary control equalises marginal costs at 100 €/MWh
• from t = 200 to 300 s: load increases further to 2.3 kW
  – battery gets empty, its marginal cost rises and the battery lowers generation
  – CHP compensates by increasing output
  – and intelligent load reduces demand
  – marginal cost rises to 165 €/MWh
• at t = 300 s
  – battery empty, cost increases further, battery halts generation
  – CHP takes over partially and intelligent load further decreases demand
  – marginal cost increases further to about 167 €/MWh
• etc.
Microgrid control: test plan
– scenario point-to-point communication
  • fault-free (reference)
  • influence of delayed packets
  • influence of lost packets
  • influence of DoS attack
– scenario overlay communication
  • fault-free (overhead of overlay)
    – for different overlay sizes / configurations
  • influence of lost packets
  • influence of DDoS attack
– integrate CRUTIAL building blocks
  • re-assess
Conclusions
• Current developments
  – Testbed evaluation frameworks
  – Execution of attack experiments
  – Collection of data statistics from experiments
  – Evaluation of collected data
• Possible future developments
  – Integrate a power system simulator into the testbed
  – Develop other CRUTIAL scenarios involving GENCO
  – Integrate Macrogrid Teleoperation and Microgrid Control -> towards SmartGrids
CRUTIAL Testbeds: Deliverables
• D2 Analysis of new control applications
• D24 Testbeds deployment of representative control algorithms – Interim Report
• D9 Testbed deployment of representative control algorithms
• D14 Architectural patterns evaluated on the testbeds
• D17 On EPS-ICT interdependencies in the testbeds
CRUTIAL is an RTD Project in the area of Critical Information Infrastructure Protection launched by the European Union under the Information Society Technologies priority of the Sixth Framework Programme.
The project addresses new networked ICT systems for the management of the electric power grid, in which artefacts controlling the physical process of electricity transportation need to be connected with information infrastructures, through corporate networks (intranets), which are in turn connected to the Internet.
CESI RICERCA
[Figure: electricity grid and communication network]
Critical Utility InfrastructurAL Resilience, FP6-2004-IST-4-027513, http://crutial.cesiricerca.it
CRUTIAL's innovative approach resides in modelling interdependent infrastructures resilient to both accidental failures and malicious attacks, attempting at casting them into new architectural patterns.
Objectives
• Investigation of models and architectures that cope with the openness, heterogeneity and evolvability endured by electrical utilities infrastructures
• Analysis of critical scenarios in which ICT faults provoke serious impact on the controlled electric power infrastructures
• Evaluation of distributed architectures enabling dependable control and management of the power grid
Work Packages
WP1 Identification and description of Control System Scenarios
WP2 Interdependencies modelling
WP3 Testbed development
WP4 Architectural solutions
WP5 Analysis and evaluation of Control System Scenarios
WP6 Dissemination
WP7 Management