Challenges in Power System Information Security

György Dán, Henrik Sandberg, Gunnar Björkman, Mathias Ekstedt
Abstract
The transition from today’s power systems to the smart grid will be a long evolutionary
process. While it might introduce new vulnerabilities, it will also open up for opportunities for
improving system security. In this article we consider various facets of power system security. We
discuss the difficulty of achieving all-encompassing component level security in power system IT
infrastructures due to its cost and potential performance implications. We outline a framework for
modeling system-wide security, which facilitates the assessment of the system’s security despite
its complexity by capturing the interaction between system components. We use the example
of power system state estimation to illustrate how the security of the system can potentially be
improved by leveraging the knowledge of the physical processes and the significant amount of
redundant information. Finally, we touch upon the problem of information availability, a key
security requirement in power system control and operation systems.
Index Terms
System-wide security, SCADA communications, State estimation, Information availability
I. INTRODUCTION
The vision of the smart grid brings along challenges for both the power engineering and the IT
community. From a power engineering perspective the challenges are mainly in how to integrate
distributed generation and renewable energy sources with large-scale central power generation and
demand side management, without losing operational efficiency and power system reliability.
The solution to this challenge seems to lie in a tighter integration of the power system with
information technology (IT). Tighter integration unavoidably means that the proper operation of the
future power grid will rely increasingly on the reliable and secure operation of the communication
and IT infrastructure.
Reliability and performance have traditionally been key design goals for the IT infrastructure used
in power systems, and only in recent years has security also received attention. One main reason
why security has only recently become a concern is that the power system IT infrastructure used
to be an isolated, stand-alone system. Power system IT infrastructures are, however, increasingly
integrated with other IT infrastructures at the power utilities, including public infrastructures. The
primary reasons for IT integration are increased business efficiency and effectiveness, as well as
reduced operational costs by for instance allowing corporate decision makers to obtain instant
access to critical data about the status of their operating assets. Information flow across system
boundaries is expected to increase in the future, among others, in order to enable the vision of the
smart grid.
G. Björkman is with ABB AG, Mannheim, Germany. E-mail: gunnar.bjoerkman@de.abb.com
G. Dán, H. Sandberg and M. Ekstedt are with the School of Electrical Engineering, KTH, Royal Institute of Technology,
Stockholm, Sweden. E-mail: {gyuri,hsan,mathias.ekstedt}@ee.kth.se
Corresponding author: György Dán, Osquldas väg 10, 10044 Stockholm, Sweden.

The integration of the power system IT infrastructure with other IT infrastructures and the need
to access information across system boundaries increases the exposure of the power system IT
infrastructure to attacks, and hence security will be of increasing importance in the future. When
designing the security solutions for future power systems, we should, however, make use of the
lessons learnt from securing the existing infrastructure for a number of reasons.
First, the way to the smart grid of the future will be a long evolutionary process starting from
today’s power grid, both in terms of technology and in terms of organizational structures. The new
deployments will have to coexist and interoperate with old, legacy equipment and will have to fit
into the current organizational structures and security practices.
Second, the communication and IT infrastructure of today’s power systems have to satisfy
very diverse application requirements. At one extreme, in the case of management information
exchanged between utilities, data is transferred in batches with very loose delay constraints, and
standard cryptographic protocols like TLS can be used to provide authentication and confidentiality.
At the other extreme, in the case of substation automation and inter-substation protection, the
communication delays must be kept in the order of a few milliseconds, so that the delay introduced
by encryption algorithms can already be critical for proper system operation. Thus, security solutions
might have to be tailor-made for the specific application scenarios.
Third, the power system’s communication and IT infrastructure already consist of a vast number
of components. The cost of securing the millions of components of a continent-wide infrastructure
can be prohibitive, and therefore it is important to understand how the security of individual system
components contributes to and affects the secure operation of the power grid. Also, in addition to the
traditional IT and communication infrastructure security solutions and practices, in a cyber-physical
system models of the physical process can often be leveraged to improve system security.
In this article we survey some recent results related to power system information security. To
illustrate the main ideas, we give examples from three areas with a focus on system level security,
i.e., proper system operation despite attacks. In Section II, we outline the current role of SCADA
systems in power system operation, we discuss important aspects of their operational security and
outline a framework for modeling and analyzing the system-wide security with a focus on network
induced security threats. In Section III, we summarize some recent results from power system
state monitoring. This example illustrates how knowledge of the physical process can be used to
improve system security in spite of unsecure communication networks and protocols. In Section IV,
we discuss the communication and security aspects of interconnecting the control systems operated
by different actors of the power market. Section V concludes the paper.
II. COMPONENT-LEVEL VS. SYSTEM-LEVEL SCADA SECURITY
At the heart of the IT infrastructure for power system control and operation there are one or
several so called Supervisory Control And Data Acquisition (SCADA) systems. Apart from the
remote collection of vast amounts of real-time process measurements taken from the grid, e.g., in
transformer stations, SCADA systems include functions for the remote control of process devices
like breakers and tap changers. The acquired data are presented to the operators in the central control
room via an advanced graphical user interface, among others equipped with alarming features to
alert the operators to changing operating conditions. Many SCADA systems include computerized
models of the supervised process (i.e., the power system). The models enable simulation of alternative
process states parallel to the physical process, which can be used for optimization and
contingency analysis, as further discussed in Section III.
In addition to the centralized control managed by the SCADA systems, there are also a large
number of local control systems in the transformer substations. The intelligence in those distributed
local systems varies from data acquisition units with simple logic to advanced control systems.
The functions in the local control systems, such as protection and interlocks, have very stringent
performance requirements on the underlying communication infrastructure. Altogether, the central
SCADA systems, the distributed substation automation systems, and the communication between
them constitute a very complex "system of systems", which we refer to as the power system control
and operation system. A schematic figure of a power system control and operation system is shown
in Fig. 1.

Fig. 1. Simplified architecture of a power system control and operation system. The central SCADA systems, the
distributed substation automation systems, and the communication between them constitute a very complex "system of
systems".
A. Performance, reliability and security in a slowly evolving complex system
A particular challenge when studying the security of power system control and operation systems
is the mix of modern and legacy system components that are in operation. The typical life time of
a power system control and operation system component is often very long. Especially equipment
located in the primary substations tends to have a considerable age due to the cost and the difficulty
of replacement: it is not uncommon to have 30-year-old equipment, e.g., Remote Terminal Units
(RTUs), with similarly old proprietary communication protocols. At the same time, the central
system at the control room can be relatively modern and can consist of a variety of third party
products, like relational databases and power applications from a specific vendor.
With a history of proprietary system components from specialized vendors, the trend today is to
rely increasingly on off-the-shelf products, both for hardware and for software, when developing
and upgrading power system control and operation systems. This trend makes the development and
maintenance cheaper but it also increases the systems’ vulnerability, since the vendors no longer
have full control of all system components. Another trend is the use of standard communication
interfaces to ensure interoperability between components from different vendors. Standardized
protocols for RTU communication like IEC60870-5-101 and -104 have been in use for a long
time and, in the same way, control center to control center communication nowadays uses the
standard protocol ICCP or IEC 60870-6/TASE.2. The standardization efforts today focus mainly
on power system models like the Common Information Model (CIM) with the goal to ease the
exchange of engineering data between and within utilities.

| Application | Distance [km] | Latency [s] | Throughput [1/sec] | Confidentiality | Integrity / Authenticity | Availability |
|---|---|---|---|---|---|---|
| S2CC, SCADA: Data acquisition | 1000 | 1-10 | 5000 meas | Medium | High | High |
| S2CC, SCADA: Commands | 1000 | 1 | 0.1 command | High | High | High |
| S2CC, SCADA: Alarms and events | 1000 | 1 | 500 events | Medium | High | High |
| S2CC: PMU data for WAMS | 1000 | 2×10^-2 | 18 meas/PMU | Medium | High | High |
| Substation automation (intra-substation) | 0.5 | 1 | 200 meas | Medium | High | High |
| Line protection (inter-substation) | 50 | 10^-3 | 2 meas | Low | High | High |

TABLE I. Approximate performance and security requirements of substation to control-center (S2CC), intra-substation and inter-substation communication for various applications. A high level of integrity and availability has to be provided while satisfying very diverse performance requirements.
Achieving security in slowly evolving power system control and operation systems is a complex
problem. Simply adding state-of-the-art security solutions and mechanisms to existing systems is
often not feasible: security solutions can violate requirements on performance and reliability, which
continue to have highest priority. Some security solutions would probably meet the requirements
if completely new systems and architectures were deployed, but today as well as in the future we
have to live with a large share of legacy equipment. Thus, in practice the challenge of security
design in power system control and operation systems implies finding a proper level of trade-off
between security, system properties like performance and reliability, and cost. Table I illustrates the
heterogeneity of the performance and the security requirements of some power system applications.
The next challenge of securing evolving power system control and operation systems is that
security itself is an area with many facets. The list of security mechanisms or practices can be
made long; firewalls, access control, authentication mechanisms, hardened operating systems, secure
communication, intrusion detection systems, just to mention a few. All of these are good practices
for improving system security. On top of these the overall security is, of course, also dependent on
organizational issues, such as security awareness among staff so that passwords are not revealed
or that USB sticks are not introduced without proper precautions, etc.
There exist a number of standards and reference reports that cover several aspects of system
security, some with a focus on industrial control systems. One of the more extensive works for
power systems is found in NIST’s reports on smart grid security [1]. Nevertheless, a great challenge
when designing system security solutions is to comprehend how all the implementable security
measures affect and depend on each other: while some measures might complement each other,
others might be counterproductive. It is often said that the security of a system is not better than its
weakest link. A few advanced security solutions will not increase the system’s security if there are
poor security solutions elsewhere in the system architecture or its surrounding organization. As a
simple example in Fig. 1, securing the substation to control center communication is of little benefit
if access to the SCADA LAN is possible from the office LAN, which in turn can be accessed from
the Internet if the firewalls are not properly configured. To complicate matters even more, security
is a moving target. What was considered secure yesterday can become an open hole overnight if
a severe vulnerability is discovered in a software component, like an operating system.
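The weakest-link argument above can be checked mechanically. The following Python script is an added example, not code from the paper or the VIKING project: it summarizes the firewall policy of the Fig. 1 architecture as zone-to-zone rules (the zone names and rules are constructed for illustration) and searches for any chain of allowed flows from an untrusted zone to the SCADA LAN, so that an explicit Internet-to-SCADA deny rule is not mistaken for isolation when the office LAN provides a detour. The hardened ruleset is an assumed design in which the office side reads a replica of the process data in a separate historian zone instead of reaching the SCADA LAN.

```python
from collections import deque
from typing import Dict, List, Optional, Sequence, Tuple

Rule = Tuple[str, str, str]   # (source zone, destination zone, "allow" or "deny")

# Constructed ruleset (not from the paper): zone-level view of the Fig. 1 architecture.
# An explicit Internet-to-SCADA deny exists, but the office LAN provides a detour.
WEAK_RULES: List[Rule] = [
    ("internet", "dmz", "allow"),             # public-facing services and remote-access gateway
    ("dmz", "office_lan", "allow"),           # remote users land on office desktops
    ("office_lan", "scada_lan", "allow"),     # decision makers query SCADA data directly
    ("scada_lan", "substations", "allow"),    # RTU polling
    ("internet", "scada_lan", "deny"),
]

# Hardened variant (assumed design): the office LAN reads a replica of the process data in a
# separate historian zone and has no flow into the SCADA LAN; the DMZ cannot reach the office LAN.
HARDENED_RULES: List[Rule] = [
    ("internet", "dmz", "allow"),
    ("dmz", "office_lan", "deny"),
    ("office_lan", "scada_lan", "deny"),
    ("scada_lan", "historian_dmz", "allow"),   # one-way export of process data
    ("office_lan", "historian_dmz", "allow"),  # office reads the replica only
    ("scada_lan", "substations", "allow"),
    ("internet", "scada_lan", "deny"),
]


def allowed_flows(rules: Sequence[Rule]) -> Dict[str, List[str]]:
    """Adjacency of permitted zone-to-zone flows. First matching rule wins; unmatched pairs are denied."""
    decided: Dict[Tuple[str, str], str] = {}
    for src, dst, action in rules:
        decided.setdefault((src, dst), action)
    graph: Dict[str, List[str]] = {}
    for (src, dst), action in decided.items():
        if action == "allow":
            graph.setdefault(src, []).append(dst)
    return graph


def reachable_path(rules: Sequence[Rule], src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of allowed hops from src to dst (breadth-first search), or None if unreachable."""
    graph = allowed_flows(rules)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit_exposure(rules: Sequence[Rule], protected: str = "scada_lan",
                   untrusted: Sequence[str] = ("internet", "office_lan")) -> Dict[str, Optional[List[str]]]:
    """For each untrusted zone, the hop chain that reaches the protected zone, or None if it is isolated."""
    return {zone: reachable_path(rules, zone, protected) for zone in untrusted}


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for zone, path in audit_exposure(rules).items():
            verdict = " -> ".join(path) if path else "no path"
            print(f"{label:8s} {zone:10s} -> scada_lan: {verdict}")
```

The model is deliberately coarse: it ignores ports, directions of TCP sessions and the strength of any authentication on the way, so a reported chain means "connectivity exists", which is exactly the condition under which securing the substation-to-control-center link alone buys little.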
B. System-wide security analysis
The complexity of the problem calls for a system-wide conceptual framework. In the VIKING
project we have developed a system architecture modeling language for modeling and analyzing
security in power system control and operation systems. An important requirement for this modeling
language is that the assessment delivered by it should take a holistic approach to cyber security.
However, when looking at security from a system-wide perspective the amount of detailed parameters
influencing system security is enormous. All parameters are simply impossible to survey
in a consistent manner in practice. One way to manage the overwhelming complexity is to use
a 'top-down' approach. This raises the level of abstraction, so that a deductive and deterministic
approach must be abandoned in favor of an indicative and probabilistic one. The developed analysis
mechanism is based on attack graphs, but due to the system-level of abstraction the graphs are
not deterministic as originally suggested by [2], but instead they are implemented in Bayesian
networks. Bayesian networks quantify conditional dependencies between random variables, which
represent security states of the system. By combining the Bayesian attack graphs with a system
architecture modeling language one can achieve an integrated security analysis mechanism for
system architecture models. The resulting security estimates are thus probabilities that attacks will
be successful, rather than formally proven statements that the systems are in a secure or insecure
state. The first version of the modeling language following these ideas was presented in [3]. More
detailed attack graphs require quantified conditional probabilities, which is an important area of
ongoing work with some initial results in, e.g., [4].
Fig. 2 illustrates the concept of attack graphs. In this simple example the goal is to gain access
to the SCADA server, which can be achieved for example through a man-in-the-middle attack. The
success of the attack depends on how well the communication links are protected and on the strength
of the authentication protocol used to communicate with the SCADA system. By comparing the
likelihood of different attack paths it is possible for industrial decision makers to prioritize among
the possible countermeasures and choose what equipment to upgrade or install first. This model
based and top-down approach thus supports rational decision making for improving cyber security
in large and complex legacy system architectures.
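To make the Bayesian attack graph idea concrete, the following Python script is an added example; it is not the VIKING modeling language or its tooling. It encodes a small attack graph shaped after the Fig. 2 labels (man-in-the-middle, unknown network connection, firewall reconfiguration, buffer overflow) as a Bayesian network over Boolean nodes, with conditional probabilities and countermeasure effectiveness values that are constructed for illustration, performs exact inference by enumeration, and ranks the undeployed countermeasures by how much each would lower the probability that the SCADA server is reached, which is the prioritization described above.

```python
from itertools import product
from typing import Callable, Dict, List, Tuple

Assignment = Dict[str, bool]
ProbFn = Callable[[Assignment], float]   # P(node is True | parent states)


class BayesianAttackGraph:
    """Minimal Bayesian network over Boolean nodes with exact inference by enumeration (illustrative)."""

    def __init__(self) -> None:
        self.parents: Dict[str, List[str]] = {}
        self.prob: Dict[str, ProbFn] = {}
        self.order: List[str] = []          # nodes are added parents-first

    def add(self, name: str, parents: List[str], prob: ProbFn) -> None:
        self.parents[name] = parents
        self.prob[name] = prob
        self.order.append(name)

    def joint(self, a: Assignment) -> float:
        """Chain rule: product of each node's conditional probability given its parents."""
        p = 1.0
        for n in self.order:
            p_true = self.prob[n]({q: a[q] for q in self.parents[n]})
            p *= p_true if a[n] else 1.0 - p_true
        return p

    def marginal(self, name: str) -> float:
        """P(name = True), summed over all 2^N assignments; fine for a dozen nodes."""
        total = 0.0
        for values in product((False, True), repeat=len(self.order)):
            a = dict(zip(self.order, values))
            if a[name]:
                total += self.joint(a)
        return total


def attack_step(base: float, residual: Dict[str, float]) -> ProbFn:
    """Success probability of an attack step: a base rate, scaled down by each countermeasure in place."""
    def fn(parents: Assignment) -> float:
        p = base
        for cm, factor in residual.items():
            if parents[cm]:
                p *= factor
        return p
    return fn


def any_of(parents: Assignment) -> float:
    """OR node: reached with certainty if at least one parent step succeeded."""
    return 1.0 if any(parents.values()) else 0.0


# Constructed values: probability that a deployed countermeasure is actually effective.
EFFECTIVENESS: Dict[str, float] = {
    "message_authentication": 0.95,
    "link_physically_protected": 0.80,
    "asset_inventory": 0.70,
    "network_access_control": 0.90,
    "firewall_config_protected": 0.90,
}


def build_graph(deployed: Dict[str, bool]) -> BayesianAttackGraph:
    g = BayesianAttackGraph()
    for cm, eff in EFFECTIVENESS.items():
        p_on = eff if deployed.get(cm, False) else 0.0
        g.add(cm, [], lambda _parents, p=p_on: p)
    # Attack steps and their residual success factors are constructed, loosely following Fig. 2.
    g.add("mitm", ["message_authentication", "link_physically_protected"],
          attack_step(0.6, {"message_authentication": 0.05, "link_physically_protected": 0.2}))
    g.add("unknown_connection", ["asset_inventory", "network_access_control"],
          attack_step(0.5, {"asset_inventory": 0.3, "network_access_control": 0.1}))
    g.add("reconfigure_firewall", ["firewall_config_protected"],
          attack_step(0.3, {"firewall_config_protected": 0.1}))
    g.add("bypass_firewall", ["unknown_connection", "reconfigure_firewall"], any_of)
    g.add("buffer_overflow", [], attack_step(0.1, {}))   # assumed exposure of an unpatched service
    g.add("scada_access", ["mitm", "bypass_firewall", "buffer_overflow"], any_of)
    return g


def attack_success_probability(deployed: Dict[str, bool]) -> float:
    return build_graph(deployed).marginal("scada_access")


def path_probabilities(deployed: Dict[str, bool]) -> Dict[str, float]:
    g = build_graph(deployed)
    return {step: g.marginal(step) for step in ("mitm", "bypass_firewall", "buffer_overflow")}


def rank_countermeasures(deployed: Dict[str, bool]) -> List[Tuple[str, float]]:
    """P(SCADA access) after adding each single missing countermeasure, most effective first."""
    trials = []
    for cm in EFFECTIVENESS:
        if not deployed.get(cm, False):
            trials.append((cm, attack_success_probability({**deployed, cm: True})))
    return sorted(trials, key=lambda t: t[1])


if __name__ == "__main__":
    baseline: Dict[str, bool] = {}
    print(f"P(SCADA access) with no countermeasures: {attack_success_probability(baseline):.3f}")
    for step, p in path_probabilities(baseline).items():
        print(f"  path {step:20s} {p:.3f}")
    for cm, p in rank_countermeasures(baseline):
        print(f"  deploy {cm:28s} -> {p:.3f}")
```

The output is a probability of attack success rather than a proof, as the text says; the ranking changes with the conditional probabilities, which is why quantifying them is the open problem referred to in [4].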
III. MODEL BASED SECURE STATE ESTIMATION
The modeling language outlined above provides a high-level estimate of the security of the ICT
infrastructure, but disregards the inherent resilience of certain SCADA system functionalities. One
[Fig. 2 (attack tree, image not reproduced). Nodes: Exploit buffer overflow; Man-in-the-middle attack; Message authentication; Comm. link physically protected; Bypass firewall; Use unknown connection; Asset inventory; Network access control; Install backdoor in network; Reconfigure firewall; Firewall configuration protected.]
Fig. 2. A simple attack tree illustrating some possibilities for getting access to the SCADA server.

Figures
Citations
More filters
Journal ArticleDOI

Integrated Anomaly Detection for Cyber Security of the Substations

TL;DR: An integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations and the proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substation and their locations.
Proceedings ArticleDOI

Intrusion detection in SCADA systems using machine learning techniques

TL;DR: A intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system and communicates with the other parts of the system by the exchange of IDMEF messages that carry information about the source of the incident, the time and a classification of the alarm.
Journal ArticleDOI

Smart grid sensor data collection, communication, and networking: a tutorial

TL;DR: This article presents a tutorial on the sensor data collection, communications, and networking issues for the smart grid and outlines the standardization activities and use cases related to data sensing and communications.
Journal ArticleDOI

A Cybersecurity Detection Framework for Supervisory Control and Data Acquisition Systems

TL;DR: The architecture of the DIDS was designed to address the specific characteristics and requirements for SCADA cybersecurity that cannot be adequately fulfilled by techniques from the information technology world, thus requiring a domain-specific approach.
Journal ArticleDOI

Security Challenges in Control Network Protocols: A Survey

TL;DR: A comprehensive survey on the security of the most important control system communication protocols, namely Modbus, OPC UA, TASE is performed and a common test methodology based on attacks exploiting well-known control system protocol vulnerabilities is created for all protocols.
References
More filters
BookDOI

Power System State Estimation : Theory and Implementation

TL;DR: In this paper, Peters and Wilkinson this paper proposed a WLS state estimation algorithm based on the Nodal Variable Formulation (NVF) and the Branch Variable Factorization (BVF).
Journal ArticleDOI

False data injection attacks against state estimation in electric power grids

TL;DR: In this article, a new class of attacks, called false data injection attacks, against state estimation in electric power grids is presented and analyzed, under the assumption that the attacker can access the current power system configuration information and manipulate the measurements of meters at physically protected locations such as substations.
Proceedings ArticleDOI

Stealth Attacks and Protection Schemes for State Estimators in Power Systems

TL;DR: This work proposes two algorithms to place encrypted devices in the system such as to maximize their utility in terms of increased system security, and illustrates the effectiveness of these algorithms on two IEEE benchmark power networks under two attack and protection cost models.
Related Papers (5)
Frequently Asked Questions (17)
Q1. What are the contributions in "Challenges in power system information security" ?

In this article the authors consider various facets of power system security. The authors discuss the difficulty of achieving all-encompassing component level security in power system IT infrastructures due to its cost and potential performance implications. The authors use the example of power system state estimation to illustrate how the security of the system can potentially be improved by leveraging the knowledge of the physical processes and the significant amount of redundant information. 

By combining the Bayesian attack graphs with a system architecture modeling language one can achieve an integrated security analysis mechanism for system architecture models. 

ICCP can operate on top of a variety of transport layer protocols, both connectionless and connection oriented, but most often it is used on top of TCP/IP. 

The standardization efforts today focus mainly on power system models like the Common Information Model (CIM) with the goal to ease the exchange of engineering data between and within utilities. 

One possible solution to mitigate the attacks even in the presence of compromised control centers is to use anonymity networks to establish overlay routing paths among the control centers. 

The rationale for maintaining several associations is that the service level requirements of the information exchanged between two nodes spans a wide range, from realtime data exchange with stringent delay requirements to the bulk exchange of planning data and schedules. 

More detailed attack graphs require quantified conditional probabilities, which is an important area of ongoing work with some initial results in, e.g., [4]. 

An important requirement for this modeling language is that the assessment delivered by it should take a holistic approach to cyber security. 

Motivated by the increased use of shared communication channels and the spread of unmanned substations, security extensions that provide confidentiality, integrity and authentication were standardized for these protocols recently, such as the IEC62351-5 for IEC60870-5. 

An attacker that monitors the data traffic of encrypted ICCP associations can use traffic analysis to extract information from the traffic patterns, e.g., it can detect the increase of data rates, which is typically a sign of abnormal system state, and can disable communications when it is most needed. 

Through the example of power system state estimation the authors showed how the deployment of new equipment can be leveraged to improve system security. 

The list of security mechanisms or practices can be made long; firewalls, access control, authentication mechanisms, hardened operating systems, secure communication, intrusion detection systems, just to mention a few. 

in practice the challenge of security design in power system control and operation systems implies finding a proper level of trade-off between security, system properties like performance and reliability, and cost. 

Another trend is the use of standard communication interfaces to ensure interoperability between components from different vendors. 

A schematic figure of a power system control and operation system is shown in Fig. 1.A particular challenge when studying the security of power system control and operation systems is the mix of modern and legacy system components that are in operation. 

There exist a number of standards and reference reports that cover several aspects of system security, some with a focus on industrial control systems. 

a great challenge when designing system security solutions is to comprehend how all the implementable security measures affect and depend on each other: while some measures might complement each other, others might be counterproductive.