Prelim Slides - Illinois Security Lab - University of Illinois at Urbana


Application-Aware Secure
Multicast for Power Grid
Communications
Jianqing Zhang* and Carl A. Gunter
University of Illinois at Urbana-Champaign
* Now working at Energy Systems Research Lab, Intel Labs
Outline
• Motivation
• Introduction
• Formal Model for Multicast
– Data Model and Publish-Subscribe Model
– Multicast Configuration Anomaly
• Implementation: SecureSCL
• Performance Analysis of IPsec Based Multicast
• Conclusion
2
Multicast in Power Grid Systems
[Figure labels: Substation Networks, DNP3, PMUs]
PMU: Phasor Measurement Unit
3
IEC 61850 Substation Network
[Figure* labels: Abstract Communication Service Interface (ACSI), Substation Bus, Generic Object Oriented Substation Event (GOOSE), Ethernet, Process Bus, Sampled Measured Value (SMV)]
• Data objects model
• Communication protocols suite
• Link layer multicast
• Substation Configuration Language (SCL)
• IEC: International Electrotechnical Commission
• HMI: Human Machine Interface
• PMU: Phasor Measurement Unit
* Based on Baigent, D. et al. IEC 61850 Communication Networks and Systems in Substations: An Overview for Users
4
Cyber Security Threats to
Substation Networks
• Integrity
– Tampered power grid status data
– Faked control commands
• Confidentiality
– Valuable raw data
• Availability
– Data packets flood
Cryptographically Secured Protocols?
5
Challenges:
Manageable Configuration
• Complex and error-prone configuration for current
systems
– Intricate system designs
– Changing specifications during design phases
– Large and hardly auditable configuration files
• TVA Bradley Substation: 7.4Mbytes and 98K lines XML files
– Proprietary configuration tools from multiple vendors
– Complexity of current off-the-shelf security protocols and
tools
• Security vulnerabilities due to incorrect system
configuration
6
Challenges: Latency Requirements
• Timing requirements for real-time operations*
– PMU: 30 times per second
– Substation: event notification for protection
e.g. GOOSE, 2-10ms
• VT: Voltage Transformer
• CT: Current Transformer
* IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation
7
Challenges: Efficient Group Key
Management & Configuration
• Integration with power grid systems
– How to partition multicast groups in a particular
domain, like a power substation?
– What’s the role of each control device in a group?
– How to distribute group keys?
• Standardized security protocols
– How to integrate group key management with secure
multicast protocols?
8
Approach: Application-Aware
Secure Multicast
• Derive group membership by application data
dependency in system functional configurations
– Observation: data dependency determines publish-subscribe relationships and group memberships
9
Data Dependency in Substation
Configuration Language (SCL)
<IED name="IED1" desc="Protective relay (publisher)">
…
<GSE cbName="gcbTrip" ldInst="PROT">
…
<Address>…
<P type="MAC-Address">01-0C-CD-01-01-46</P>
</Address>
</GSE>
<DataSet name="dsTripLogic">
<FCDA daName="general" doName="Tr" …/>
<FCDA daName="q" doName="Tr" …/>
<FCDA daName="general" doName="Op" …/>
<FCDA daName="q" doName="Op" …/>
<FCDA daName="general" doName="Op" …/>
<FCDA daName="q" doName="Op" …/>
</DataSet>
…
</IED>
Trip command
<IED name="IED2" desc="Switchgear (subscriber)">
…
<LN desc="CircuitBreaker" inst="1" …>
<Inputs>
<ExtRef daName="general" doName="Tr" iedName="IED1" …/>
<ExtRef daName="q" doName="Tr" iedName="IED1" …/>
<ExtRef daName="general" doName="Op" iedName="IED1" …/>
<ExtRef daName="q" doName="Op" iedName="IED1" …/>
<ExtRef daName="general" doName="Op" iedName="IED1" …/>
<ExtRef daName="q" doName="Op" iedName="IED1" …/>
</Inputs>
</LN>
</IED>
…
<IED name="IED3" desc="Switchgear (subscriber)">
…
<LN desc="CircuitBreaker" inst="2" …>
<Inputs>
<ExtRef daName="general" doName="Tr" iedName="IED1" …/>
<ExtRef daName="q" doName="Tr" iedName="IED1" …/>
<ExtRef daName="general" doName="Op" iedName="IED1" …/>
<ExtRef daName="q" doName="Op" iedName="IED1" …/>
<ExtRef daName="general" doName="Op" iedName="IED1" …/>
<ExtRef daName="q" doName="Op" iedName="IED1" …/>
</Inputs>
</LN>
</IED>
10
Approach: Application-Aware
Secure Multicast
• Derive group membership by application data dependency in
system functional configuration
• Detect inconsistent configurations automatically
• Configure group key management system based on the derived
group memberships and extended configuration files
• Raise the link layer multicast to the network layer and secure
multicast traffic using IPsec
11
A Formal Multicast Model:
Components
• D, the set of data objects
• E, the entities which have relationships with data
objects
– O, the set of data owners
– C, the set of data consumers
– P, the set of publishers
– S, the set of subscribers
• G, the set of group controllers
12
A Formal Multicast Model:
Publish-Subscribe Model
13
Publish-Subscribe Model in SCL:
Ownership & Publication
<IED name="IED1" type="SecureIED" desc="Protective Relay">
...
<LDevice inst="PROT">
<LN0 lnClass="LLN0" lnType="IED1-LLN0-Type">
<DataSet name="dsTripLogic">
<FCDA daName="general" doName="Tr" ... ldInst="PROT" lnInst="1"/>
<FCDA daName="general" doName="Op" ... ldInst="PROT" lnInst="1"/>
...
</DataSet>
<GSEControl appID="TripGoose" datSet="dsTripLogic" name="gcbTrip".../>
</LN0>
...
<LN inst="1" lnClass="PTRC" lnType="IED1-PTRC-Type"/>
</LDevice>
...
</IED>
...
<DataTypeTemplates>
<LNodeType id="IED1-PTRC-Type" lnClass="PTRC">
<DO name="Tr" type="tPTRC_TrOp"/>
<DO name="Op" type="tPTRC_TrOp"/>
</LNodeType>
</DataTypeTemplates>
14
Publish-Subscribe Model in SCL:
Consumption & Subscription
<IED name="IED2" desc="Switchgear" type="SecureIED">
...
<LDevice inst="CTRL">
<LN desc="CircuitBreaker" inst="1" lnClass="XCBR" lnType="IED2-CTRL-XCBR">
<Inputs>
<ExtRef doName="Tr" ldInst="PROT" iedName="IED1" .../>
<ExtRef doName="Op" ldInst="PROT" iedName="IED1" .../>
</Inputs>
</LN>
</LDevice>
</IED>
15
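The derivation described on the preceding slides, as an added example (not SecureSCL code or the authors' algorithm): each GSEControl block becomes a multicast group, its members are the IEDs whose ExtRef inputs name data in that control block's DataSet, and references matching no published data are reported. The SCL fragment is constructed and namespace-free, the names data_key and derive_groups are hypothetical, and the two consistency checks are illustrative assumptions rather than the anomaly definitions of the formal model.

```python
import xml.etree.ElementTree as ET

# Constructed SCL fragment modelled on the slides; real SCL files declare an
# XML namespace, so tag names there need the namespace prefix.
SCL = """<SCL>
 <IED name="IED1"><LDevice inst="PROT"><LN0 lnClass="LLN0">
  <DataSet name="dsTripLogic">
   <FCDA ldInst="PROT" doName="Tr" daName="general"/>
   <FCDA ldInst="PROT" doName="Op" daName="general"/>
  </DataSet>
  <GSEControl name="gcbTrip" datSet="dsTripLogic" appID="TripGoose"/>
 </LN0></LDevice></IED>
 <IED name="IED2"><LDevice inst="CTRL"><LN lnClass="XCBR" inst="1"><Inputs>
  <ExtRef iedName="IED1" ldInst="PROT" doName="Tr" daName="general"/>
 </Inputs></LN></LDevice></IED>
 <IED name="IED3"><LDevice inst="CTRL"><LN lnClass="XCBR" inst="2"><Inputs>
  <ExtRef iedName="IED1" ldInst="PROT" doName="Tr" daName="general"/>
  <ExtRef iedName="IED1" ldInst="PROT" doName="Blk" daName="general"/>
 </Inputs></LN></LDevice></IED>
</SCL>"""

def data_key(owner, el):
    """Identify a data attribute by owning IED, logical device, DO and DA."""
    return (owner, el.get("ldInst"), el.get("doName"), el.get("daName"))

def derive_groups(scl_text):
    """Return (groups, dangling, empty) derived from publish/subscribe data."""
    root = ET.fromstring(scl_text)
    published, groups = {}, {}
    # Publication: every GSEControl publishes the FCDA entries of its DataSet.
    for ied in root.iter("IED"):
        for ln0 in ied.iter("LN0"):
            datasets = {d.get("name"): d for d in ln0.iter("DataSet")}
            for gcb in ln0.iter("GSEControl"):
                gid = (ied.get("name"), gcb.get("name"))
                groups[gid] = set()
                ds = datasets.get(gcb.get("datSet"))
                for fcda in ([] if ds is None else ds.iter("FCDA")):
                    published[data_key(ied.get("name"), fcda)] = gid
    # Subscription: an ExtRef joins its IED to the group carrying that data.
    dangling = []
    for ied in root.iter("IED"):
        for ref in ied.iter("ExtRef"):
            k = data_key(ref.get("iedName"), ref)
            if k in published:
                groups[published[k]].add(ied.get("name"))
            else:
                dangling.append((ied.get("name"), k))  # no group carries it
    empty = [g for g, members in groups.items() if not members]
    return groups, dangling, empty
```

The derived member sets are the input a group key management system would be configured from; a dangling reference marks a device that expects data for which no group, and therefore no group key, exists.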
Multicast Configuration Anomaly:
Publication Anomaly
16
Multicast Configuration Anomaly:
Subscription Anomaly
17
Architecture of SecureSCL
18
Benefits of IPsec Based Multicast
in Power Grid Networks
• Preserves a variety of security properties, proved by
a degree of formal analysis
• Supports wide area multicast, important to inter-substation communications and PMU networks
• Obtains strong support from security communities
• Capable of addressing latency constraints in medium
scale networks
19
Performance Analysis of IPsec
Based Multicast
• Test Bed Setup
– Hardware
• Deterlab: 8, 16, 32, 64-node scenarios
• Xeon Quad 3.00GHz PCs
– Software
• Platform: Ubuntu 8.04
• Process Control Emulation System*
– Measure round trip latency
* Credits to Chris Grier and Sam King
20
Performance of IPsec Multicast
21
Conclusion
• Application-aware secure multicast is an efficient
solution for multicast in power grid systems
– Automate group configuration and minimize errors
– Integrate security configurations with functional
configurations
• IPsec is a promising solution for secure multicast in
power grid systems
• Future work
– WAN or Inter-substation network multicast
communication and configuration
– Dynamic group management
22
Questions?
http://seclab.illinois.edu/web/
Dr. Jianqing Zhang
Intel Labs, RNB6-61
2200 Mission College Blvd.
Santa Clara, CA 94054
Tel: (408)653-5461
Professor Carl A. Gunter
4304 Siebel Center for Computer Science
201 N. Goodwin Ave.
Urbana, IL 61801
Tel: (217)244-1982
Contributions
1. Propose a formal multicast data model and a publish-subscribe model depicting the publish-subscribe relationships
2. Classify a number of configuration anomalies in multicast
systems
3. Design algorithms detecting the anomalies
4. Design a multicast and group key management architecture
5. Develop a prototype system, SecureSCL
6. Provide a case study of secure GOOSE in IEC 61850
substations
7. Evaluate the performance of IPsec based multicast
24
Related Work
• IEC 62351: sign each GOOSE frame using RSA
[Figure labels (frame fields): CRC, Header, GOOSE PDU, Authentication Value, Length]
• Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data
Dissemination Framework for the Power Grid, IEEE Transactions on
Power Delivery, Jan. 2009
• Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls.
INFOCOM 2004
25
System Working Phases
26
GDOI Based Group Key Management
Architecture
• Group Domain of Interpretation (GDOI, RFC 3547): IKEv1
based group key management protocol for IPsec multicast
1. IKEv1 Phase1: Reg. SA
2. Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA
3. GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs
27