Network and System Management Using IEC 62351-7 in IEC 61850 Substations: Design and Implementation

Chantale Robillard

A Thesis in The Department of Concordia Institute for Information Systems Engineering (CIISE)

Presented in Partial Fulfillment of the Requirements for the Degree of Master of Applied Science (Information Systems Security) at Concordia University, Montréal, Québec, Canada

December 2018

© Chantale Robillard, 2018

CONCORDIA UNIVERSITY
School of Graduate Studies

This is to certify that the thesis prepared

By: Chantale Robillard
Entitled: Network and System Management using IEC 62351-7 in IEC 61850 Substations: Design and Implementation

and submitted in partial fulfillment of the requirements for the degree of Master of Applied Science (Information Systems Security) complies with the regulations of this University and meets the accepted standards with respect to originality and quality.

Signed by the Final Examining Committee:

  • Chair: Dr. Jun Yan
  • External Examiner: Dr. Yan Liu
  • Examiner: Dr. Chadi Assi
  • Supervisor: Dr. Mourad Debbabi
  • Co-supervisor: Dr. Aiman Hanna

Approved by Abdessamad Ben Hamza, Director, Concordia Institute for Information Systems Engineering (CIISE)

2019, Amir Asif, Dean, Gina Cody School of Engineering and Computer Science

Abstract

Substations are a prime target for threat agents aiming to disrupt the power grid’s operation. With the advent of the smart grid, the power infrastructure is increasingly being coupled with an Information and Communication Technologies (ICT) infrastructure needed to manage it, exposing it to potential cyberattacks. In order to secure the smart grid, the IEC 62351 specifies how to provide cybersecurity to such an environment. Among its specifications, IEC 62351-7 states to use Network and System Management (NSM) to monitor and manage the operation of power systems.

In this research, we aim to design, implement, and study NSM in a digital substation as per the specifications of IEC 62351-7. The substation is one that conforms to the IEC 61850 standard, which defines how to design a substation leveraging ICT. Our contributions are as follows. We contribute to the design and implementation of NSM in a smart grid security co-simulation testbed. We design a methodology to elaborate cyberattacks targeting IEC 61850 substations specifically. We elaborate detection algorithms that leverage the NSM Data Objects (NSM DOs) of IEC 62351-7 to detect the attacks designed using our method. We validate these experimentally using our testbed. From this work, we can provide an initial assessment of NSM within the context of digital substations.

Acknowledgments

I would like to thank my supervisors Dr. Mourad Debbabi and Dr. Aiman Hanna for giving me the opportunity to work on this master’s degree. I have learned much about cybersecurity and academic research from them and am forever grateful. I would also like to thank Dr. Marthe Kassouf from the Hydro-Québec Research Institute for her guidance during my research on topics such as the security monitoring of digital substations, as well as the design and implementation of NSM and IEC 62351-7.

I also want to thank everyone that helped me while working on this thesis. This includes everyone at the cybersecurity lab. Special thanks go to Mark Karanfil, Abdullah Albarakati, and Dr. Rachid Hadjidj for their help with building and using NSM in the co-simulation testbed. This work would not have been complete without it. I would like to express my gratitude to Dr. Alf Zugenmaier, as our initial discussions inspired me in elaborating the methodology I propose in this thesis, and to Suo Tan, for providing an easy-to-use template to write the thesis itself.

Finally, I would like to thank my family and my partner for their support while working on my degree. I especially wish to thank my parents, who have always encouraged me to study my passion in computer science.

Contents

List of Figures
List of Tables
List of Acronyms

1 Introduction
  1.1 Motivations
  1.2 Contributions
  1.3 Thesis Organization

2 Background
  2.1 Cybersecurity Goals and Cyberattacks
    2.1.1 Authentication
    2.1.2 Authorization
    2.1.3 Confidentiality
    2.1.4 Integrity
    2.1.5 Availability
    2.1.6 Non-repudiation
  2.2 Smart Grid and Potential Threats
    2.2.1 Overview of the Smart Grid
    2.2.2 Threats to the Smart Grid
  2.3 IEC 61850: Standard for the Digital Substation
    2.3.1 Substation Architecture
    2.3.2 Information Model and Abstract Communication Service Interface
    2.3.3 Application Protocols and Specific Communication Service Mapping
  2.4 Simple Network Management Protocol
    2.4.1 Management Information Bases and Objects
    2.4.2 Messages Available
    2.4.3 Security
  2.5 IEC 62351: Standard for Cybersecurity of Power Systems
    2.5.1 IEC 62351-1: Introduction to the Cybersecurity Standard
    2.5.2 IEC 62351-3: Security for TCP Using Transport Layer Security
    2.5.3 IEC 62351-4: Security Extensions for MMS T-Profile and A-Profile
    2.5.4 IEC 62351-6: Security Extensions for GOOSE and SV
  2.6 IEC 62351-7: Network and System Management (NSM)
    2.6.1 Objectives of IEC 62351-7
    2.6.2 Differences between Editions
    2.6.3 NSM Data Objects Overview
    2.6.4 NSM Data Objects as SNMP MIBs

3 Related Work
  3.1 Security Assessment of IEC Standards
    3.1.1 Known Attacks on IEC 61850 Substations without IEC 62351
    3.1.2 Security Evaluation of IEC 62351
  3.2 Automated Protocol Analysis
    3.2.1 Fuzz Testing
    3.2.2 Formal Methods
  3.3 Study of Network and System Management and IEC 62351-7
    3.3.1 Design of Network and System Management Solution
    3.3.2 Implementations and Applications of Network and System Management
  3.4 Smart Grid Models and Testbeds
    3.4.1 Network Simulation Tools
    3.4.2 Co-simulation Testbeds
  3.5 Intrusion Detection Techniques
    3.5.1 Detection Using Simple Network Management Protocol
    3.5.2 Detection Using IEC 61850 or Industrial Control Systems Traffic

4 Network and System Management in the Digital Substation
  4.1 Overview of Network and System Management and IEC 62351-7
    4.1.1 Objectives of IEC 62351-7
    4.1.2 Capabilities in IEC 61850 Substation
  4.2 Design of Network and System Management
    4.2.1 Protocol Selection
    4.2.2 Addition of Components
  4.3 Implementation in Co-simulation Testbed
    4.3.1 Co-simulation Smart Grid Security Testbed
    4.3.2 Components for Network and System Management
  4.4 Real-time Data Collection and Detection
    4.4.1 Updating Data in NSM Agents
    4.4.2 NSM Manager Polling
    4.4.3 Detection Engine

5 Security Assessment of Network and System Management
  5.1 Classification of Cyberattacks Targeting Substation
    5.1.1 Definition of Attacker’s Objective
    5.1.2 Elaboration of Capabilities Available to Attacker
    5.1.3 Study of Denial-of-Service Attacks
    5.1.4 Denial-of-Service Attacks in IEC 61850 Substation
  5.2 Elaboration of Attack Trees for IEC 61850 Substation
    5.2.1 Description of Target Substation
    5.2.2 Description of Attack Trees
    5.2.3 Attack Tree: Prevent Tripping Breakers to Damage Equipment
    5.2.4 Attack Tree: Tripping Breakers Unnecessarily to Cause Blackout
    5.2.5 Sub-trees
  5.3 Design of Attacks on GOOSE, SV and MMS Protocols
    5.3.1 Overall Methodology to Design Cyberattacks on Communication Protocols
    5.3.2 Methodology to Design DoS Attacks on GOOSE and SV Protocols
    5.3.3 Design of Attacks on GOOSE Protocol
    5.3.4 Design of Attacks on SV Protocol
    5.3.5 Design of Attacks on IEC 61850 MMS Protocol
  5.4 Attack Execution in Co-simulation Testbed
    5.4.1 Selection of Attacks to Execute
    5.4.2 Execution of Attack in Testbed
  5.5 Detection of Attack Using NSM Data Objects
    5.5.1 Rule-based Detection for GOOSE and SV
    5.5.2 Anomaly Detection for GOOSE and SV
    5.5.3 Detection for MMS
    5.5.4 Attacks without Relevant NSM Data Objects
  5.6 Results
    5.6.1 Attacks Detected
    5.6.2 Attacks Not Detected
