
Intelligent Electronic Device Security

2.4 Substation Security

2.4.3 Intelligent Electronic Device Security

The introduction of a wide range of embedded devices into the substation environment brings with it an increase in attack surfaces and vectors. It is often the case that deployed IEDs are not updated and run code that contains known vulnerabilities [56]. These devices are networked so that they can be remotely controlled, which opens up a wide range of attacks such as spoofing, command injection and malicious firmware updates [57]. They are susceptible to malware [58], some of which can even be pre-installed on deployed devices [59]. Furthermore, they sometimes have no authentication at all [60], which allows malicious entities or employees to manipulate the devices [56]. Clearly, it is often the case that the security concerns of IEDs are barely taken into account [61].

In light of this information and the critical nature of the smart grid, it is essential to mitigate the aforementioned security vulnerabilities. Solutions must place an emphasis on ensuring proper authentication, authorization and integrity schemes [56]. One proposed approach is to design and implement secure deployment architectures that are tamper resistant, remotely recoverable and securely updatable [57]. LeMay et al. [62] propose an example of such an architecture that can be applied to the IED context. Dubbed the cumulative attestation kernel, it aims to provide a firmware auditing structure that operates remotely and securely [57]. It is, however, extremely difficult to develop blanket solutions that can ensure the security of IEDs and other embedded devices [63]. This is primarily due to the complexity and diversity of deployments. Contributing factors include device diversity (e.g., vendors, functionality, implementations), implementation constraints imposed by requirements [64], and scalability [63]. As a result, a wide range of specialized analysis techniques exist that can be used to improve IED security. It is possible to analyze a device's firmware in order to identify the weaknesses it contains. A recent example of such an attempt is by Kwon et al. [13], who search for known vulnerabilities in smart grid devices. Such an approach is, however, not prevalent due to its high degree of difficulty [65]. Pour et al. [66] suggest the use of an IED-specific rule-based IDS built on the IEC 61850 standard. Another possibility is to diversify the range of deployed device manufacturers and firmware in order to complicate large-scale attacks [56]. This solution is unfortunately often too expensive and time consuming to implement.

Another critical aspect is to secure all communication channels. In order to exchange information, IEDs leverage the previously discussed substation communication protocols. Several research proposals have examined the weaknesses in such communication mechanisms. Kush et al. [52] demonstrate a GOOSE-based DoS attack against IEDs, which they call GOOSE poisoning. This attack utilizes malicious GOOSE packets whose status numbers are manipulated so that they are higher than those of current non-malicious packets. This tricks the IED into dropping all packets (including valid ones) whose sequence numbers are lower than those of the malicious packets. This basic principle is used to implement two further attack variations, namely a high-rate flooding attack and a semantic attack. Valdes et al. [54] focus on the abuse of protective relay IEDs. Under normal circumstances, these relays are configured to detect faults and react to them by tripping the appropriate breakers. The authors' intent is to create malicious GOOSE or SV packets, either from the ground up or by modifying intercepted ones. These packets can then be injected back into the network and used to trick the system into believing there is a fault. Such an attack will result in the triggering of protective relays, which can potentially lead to power outages. If such an attack is carefully designed to concurrently target multiple critical protective relay IEDs, it could result in large-scale power outages. Very similarly, Hong et al. [55] take advantage of IEDs and circuit breakers by sending them crafted commands. This is achieved by exploiting, once again, the fact that the SV and GOOSE protocols have no integrity or replay prevention capabilities. Thus, they are able to perform replay attacks that maliciously open circuit breakers. If well coordinated, a large-scale attack that leverages this approach could lead to massive power outages.
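The GOOSE poisoning and replay attacks described above all manifest as anomalies in the two counters every GOOSE publisher carries: stNum (incremented when the published data set changes) and sqNum (incremented per retransmission of the same state and restarted after a state change). The following added example, which is not from the original text or from any of the cited papers, is a passive monitor in the spirit of the rule-based IDS proposed by Pour et al.: it tracks those counters per publisher and raises an alert when a message jumps far ahead (poisoning), goes backwards (replay), fails to restart sqNum after a state change, or arrives at a flooding rate. The message records, the gocbRef strings, the rate threshold and the rule names are all constructed for the example; the monitor assumes sqNum restarts at 0 after a state change and ignores 32-bit counter wrap-around.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Simplified view of the GOOSE header fields that matter for counter checks.
# This is a constructed record, not a parser for real Ethernet/GOOSE frames.
@dataclass(frozen=True)
class GooseMsg:
    t_ms: int      # capture timestamp in milliseconds
    gocb_ref: str  # GOOSE control block reference (identifies the publisher)
    st_num: int    # state number: +1 whenever the data set changes
    sq_num: int    # sequence number: +1 per retransmission, restarts at 0 on a state change


@dataclass
class PublisherState:
    st_num: int = -1                                  # last accepted stNum (-1 = none yet)
    sq_num: int = -1                                  # last accepted sqNum
    window: List[int] = field(default_factory=list)   # timestamps seen in the last second


class GooseMonitor:
    """Stateful, per-publisher counter checks (rule names are this example's own).

    STNUM_JUMP    stNum increased by more than 1: a 'far ahead' state number as in GOOSE poisoning
    STNUM_REGRESS stNum went backwards: a replayed old message
    SQNUM_NORESET stNum advanced but sqNum did not restart at 0
    SQNUM_REGRESS sqNum did not increase within the same state: duplicate or replay
    FLOOD         more than rate_limit messages from one publisher within one second
    """

    def __init__(self, rate_limit: int = 20):
        self.rate_limit = rate_limit
        self.publishers: Dict[str, PublisherState] = {}

    def observe(self, m: GooseMsg) -> List[str]:
        alerts: List[str] = []
        st = self.publishers.setdefault(m.gocb_ref, PublisherState())

        if st.st_num >= 0:  # skip counter rules for the first message of a publisher
            if m.st_num > st.st_num + 1:
                alerts.append("STNUM_JUMP")
            elif m.st_num < st.st_num:
                alerts.append("STNUM_REGRESS")
            elif m.st_num == st.st_num + 1 and m.sq_num != 0:
                alerts.append("SQNUM_NORESET")
            elif m.st_num == st.st_num and m.sq_num <= st.sq_num:
                alerts.append("SQNUM_REGRESS")

        # Sliding one-second window for the rate rule; every message counts.
        st.window = [t for t in st.window if m.t_ms - t < 1000]
        st.window.append(m.t_ms)
        if len(st.window) > self.rate_limit:
            alerts.append("FLOOD")

        # Advance the tracked counters only for plausible messages, so one forged
        # message cannot poison the monitor's own baseline the way it poisons an IED.
        if not alerts or alerts == ["FLOOD"]:
            st.st_num, st.sq_num = m.st_num, m.sq_num
        return alerts


def run_sample() -> List[List[str]]:
    """Constructed trace: legitimate traffic, a poisoned stNum, a replay, a duplicate, a bad reset."""
    ref = "IED1/LLN0$GO$gcb1"  # constructed gocbRef
    trace = [
        GooseMsg(0, ref, 5, 0), GooseMsg(500, ref, 5, 1),      # normal retransmissions
        GooseMsg(1200, ref, 6, 0), GooseMsg(1210, ref, 6, 1),  # legitimate state change
        GooseMsg(1250, ref, 999, 0),                           # forged: stNum far ahead
        GooseMsg(1300, ref, 6, 2),                             # legitimate traffic continues
        GooseMsg(1400, ref, 5, 1),                             # replayed old message
        GooseMsg(1500, ref, 6, 2),                             # duplicate of an accepted message
        GooseMsg(1600, ref, 7, 5),                             # state change without sqNum restart
    ]
    mon = GooseMonitor(rate_limit=20)
    return [mon.observe(m) for m in trace]


def run_flood_sample() -> int:
    """Constructed burst: 30 otherwise well-formed messages in 300 ms; returns flood alert count."""
    ref = "IED2/LLN0$GO$gcb1"  # constructed gocbRef
    mon = GooseMonitor(rate_limit=20)
    burst = [GooseMsg(t, ref, 1, i) for i, t in enumerate(range(0, 300, 10))]
    return sum("FLOOD" in mon.observe(m) for m in burst)


if __name__ == "__main__":
    for i, a in enumerate(run_sample()):
        print(i, a or "ok")
    print("flood alerts:", run_flood_sample())
```

The monitor deliberately does not learn from a message it has flagged; otherwise a single poisoned stNum would raise every subsequent legitimate message as a regression, which is exactly the effect the attack has on a subscribing IED. In a deployment the alerts would be forwarded to the supervising system rather than printed, and the per-publisher baseline would be seeded from the substation configuration (SCD) rather than from the first observed frame.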

These concerns have been taken into account by standardization bodies, which have produced more specialized IED cyber security standards. These are presented and discussed in Table 8. The most relevant of these in the current context is IEEE 1686-2013 [67]. It describes IED-specific cyber security requirements and is divided into seven sections, each of which is discussed in Table 9.

Table 8: Relevant Smart Grid IED Security Standards

Name: IEEE 1402-2000: Guide for Electric Power Substation Physical and Electronic Security [68]
Description:
• Highlights that all physical devices in substations, including IEDs, are vulnerable to physical and cyber intrusions
• Proposes different security procedures to assist in mitigating these
• Evaluates the effectiveness of the proposed mitigations

Name: IEEE 1686-2013: Standard for Intelligent Electronic Devices Cyber Security Capabilities [67]
Description:
• Provides all implementation details necessary to conform to NERC CIP IED security requirements [44]
• Designed to be generic and applicable to any IED
• Covers topics such as IED access, operation, configuration, firmware revision and communication

Table 9: IEEE 1686-2013 Parts

Part: Electronic Access Control
Description:
• Defines mandatory and uncircumventable device user identification and password requirements
• Mandates the use of RBAC to manage individual user capabilities
• Defines a set of sensitive operations that require specific RBAC roles to perform

Part: Audit Trail
Description:
• Mandates that certain system events must be recorded
• Provides event storage format and integrity requirements
• Defines a set of system events that must be logged

Part: Supervisory Monitoring and Control
Description:
• Mandates that IEDs report events (authorized activities) and alarms (unauthorized activities) to their supervising system
• Defines a set of events and alarms, along with how to group them
• Defines how a supervising system can control IEDs, along with the permissions required to do so

Part: IED Cyber Security Features
Description:
• Defines which protocols should be used to enable IED network communications
• Enforces the use of current NIST cryptographic requirements
• Enforces the use of encryption as defined in IEEE 1711

Part: IED Configuration Software
Description:
• Enforces the use and validation of digital signatures for all configuration files and firmware updates
• Defines two configuration viewing and modification modes that require the proper privileges to access
• Defines four roles that have varying configuration modification privileges

Part: Communications Port Access
Description:
• States that all ports can be enabled or disabled via configuration
• Stipulates that disabled ports must ignore all communications
• Stipulates that all unused ports must be disabled

Part: Firmware Quality Assurance
Description:
• Enforces the use of firmware quality assurance as defined in IEEE C37.231
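The Audit Trail part of IEEE 1686-2013 in Table 9 requires an event storage format with integrity properties, and the Supervisory Monitoring and Control part requires events and alarms to be reported to a supervising system. The added example below, which is not from the standard or from the original text, shows one way to satisfy both with a hash-chained audit log: each record commits to the SHA-256 of its predecessor, so modifying or deleting an entry breaks the chain, and reporting the current head hash to the supervisor makes silent truncation of the tail detectable as well. The sample events, field names and timestamps are constructed; the chaining scheme is this example's own choice, not something the standard prescribes.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value of the very first record


def _digest(prev_hash: str, seq: int, event: Dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so that the same event
    # always produces the same digest regardless of how it was serialised.
    payload = json.dumps({"seq": seq, "event": event, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    """Append-only event log in which every record commits to its predecessor."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, event: Dict) -> Dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "event": event, "prev": prev, "hash": _digest(prev, seq, event)}
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """The value an IED would report to its supervising system after each append."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first record that fails.

    If expected_head (the last hash reported to the supervisor) is given, a chain that
    is internally consistent but stops short of it is reported as failing at len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(prev, i, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def demo() -> Tuple[Optional[int], Optional[int], Optional[int], Optional[int]]:
    """Build a constructed trail, then check it intact, modified, with a deletion, and truncated."""
    trail = AuditTrail()
    # Constructed sample events covering both authorized and unauthorized activity.
    trail.append({"t": "2024-01-01T10:00:00Z", "user": "tech1", "type": "login_success"})
    trail.append({"t": "2024-01-01T10:02:13Z", "user": "tech1", "type": "setting_change",
                  "detail": "relay51.pickup=1.2"})
    trail.append({"t": "2024-01-01T10:05:40Z", "user": "unknown", "type": "login_failure"})
    reported_head = trail.head()  # what the supervising system holds

    intact = verify(trail.records, reported_head)

    modified = copy.deepcopy(trail.records)
    modified[1]["event"]["detail"] = "relay51.pickup=5.0"  # tamper with a stored setting change

    deleted = copy.deepcopy(trail.records)
    del deleted[1]  # remove the setting change entirely

    truncated = copy.deepcopy(trail.records)[:2]  # drop the failed-login record at the tail

    return intact, verify(modified), verify(deleted), verify(truncated, reported_head)


if __name__ == "__main__":
    print("intact, modified, deleted, truncated ->", demo())
```

A hash chain on its own only makes tampering evident to a verifier who holds a trustworthy head; an attacker with write access to the whole log could recompute every hash. Reporting the head to the supervising system after each append, or signing it with a device key, is what turns the chain into an integrity control rather than a checksum.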