
State of Security in IEC 61850 Substations


Nik Urlaub

Abstract: An examination of the security issues and current best practice associated with the deployment of IEC 61850 in a substation. This will cover vulnerabilities and attacks that could be used in a 61850 substation, the role of an IDS, and IEC 62351.

Index Terms: Cyber Security of Substations, Network Security, IEC 61850, IEC 62351, GOOSE, SMV, MMS, intrusion detection

1 INTRODUCTION

OVER the last forty years there has been a move towards greater connectivity in the substation. The latest step in this process has been IEC 61850. One of the unique aspects of the protocols associated with IEC 61850 is that they were designed natively for an Ethernet based network [1], unlike the legacy protocols DNP3 and MODBUS, which were originally serial protocols that were recast as IP based protocols after the fact. This is important because the initial description of IEC 61850 did not include any security features.

This demonstrates the lack of security consciousness in the field of power systems, something that the unveiling of Stuxnet in 2010 showed to be a flaw in the thought process of the power industry. This paper will examine vulnerabilities and attacks that could be found in or used against a 61850 substation. It will touch on the limits of the security that IEC 62351 might provide for IEC 61850. Finally, it will discuss how an IDS may be used to provide protection against some of these attacks.

2 ATTACKS AND VULNERABILITIES IN A 61850 SUBSTATION

2.1 Network Attacks
According to Rashid et al. [2], there are three types of network based security attacks: a Denial of Service (DoS) attack, a password cracking attack, and a packet sniffing attack.

A DoS attack, as the name implies, is based around the idea of denying access to a service. The first type of DoS attack described is a SYN flood attack. This functions by continuously sending spoofed SYN packets to an IED. This leads to numerous half-open TCP requests; eventually this exhausts resources on the IED and makes the IED unable to maintain an Ethernet connection. Another idea discussed was to take advantage of services on the devices. These include File Transfer Protocol (FTP) and Telnet. The idea is to continuously open new connections to each until you have exhausted all resources or the device has no more room for remote connections. I am suspicious of whether the second one would be very effective. Most IEDs I have seen have an upper limit on the number of connections to services like FTP and Telnet. So, at most you might stop remote access. The SYN flood is likely to completely stop Ethernet communication on the device.

They also describe another DoS attack that involves transmitting malicious code with oversized data that would lead to a buffer overflow due to an unchecked boundary in the IED. This would be the most dangerous of the DoS attacks since it is the only attack that is likely to create issues for the actual function of the device itself. This could also allow for more than just a DoS on the device, since it could lead to execution of the attacker's code on the IED. It should also be noted that this would be the most specific DoS attack since it would need to be tailored to the IED type and potentially the firmware version.

The second type of network attack is a password cracking attack. This involves trying to guess the password to the IED. There are two ways to do this. The first is a brute force attack. It involves just guessing every single possible option until you find the correct one. The second is a dictionary attack. This means going through a list of predetermined likely passwords until you find the correct one. These may be just words out of the dictionary or some other list of options. The attacks are made possible by the fact that some IEDs do not lock you out after a number of bad password attempts or do not have the option turned on by default. This would allow you to log into the box and change settings or potentially open/close a breaker. In some cases an attack like this may not even be required since I have seen a number of companies that keep default passwords on their IEDs.

The third type of network attack is a packet sniffing attack. The idea here is to find a way to eavesdrop on the packets other connections are sending out. Under normal operation this is not possible unless a hub is being used to communicate, and this is very unlikely. I have never heard of or seen a hub used in a substation. This is because a switch will pass a packet along only to the device that has a MAC address matching the destination of the packet. So, in order to do this you have to force the switch either to send those packets to the sniffing device instead or to send those packets to everyone. Rashid et al. [2] discuss three options for this. The first is an ARP poisoning attack. ARP is the protocol used to convert an IP address to a MAC address. An ARP poisoning attack tricks the source into associating the IP address with an incorrect MAC address. This is done by sending out ARP packets with incorrect information. Since most hosts learn MAC to IP address mappings based on ARP traffic, it is possible to trick the host this way. From here it is possible to collect the desired information from the packets or move on to something more complicated like a man-in-the-middle attack. The second method of a packet sniffing attack is a CAM table overflow. The CAM table is the table used to store the address information learned from the ARP protocol. If a device manages to overflow the CAM table in the switch, the switch may start sending those packets to everyone, basically functioning like a hub. At this point you again can collect the desired information. The third option is switch port stealing. This is similar to ARP poisoning, but instead of focusing on the source it targets the switch, so the switch associates the wrong MAC address with the IP in question. With these techniques you could potentially see passwords or other important information since unencrypted protocols are currently the norm for communication in a substation.

It should be noted that all of the techniques described here could be used in any substation, but an IEC 61850 substation is much more likely to have communication between the devices, potentially making it more susceptible to them and making the results of such an attack potentially more damaging.
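The ARP poisoning, switch port stealing and CAM table overflow techniques above all leave a footprint that a network monitor on a mirror port can check for: an IP address that suddenly answers from a different MAC address or switch port, and a single port that sources an implausible number of distinct MAC addresses in a short window. The following Python is an added illustration of such a monitor, not code from this paper or from Rashid et al.; the event records, addresses and thresholds are constructed for the example, and the assumption that each event carries the switch port it arrived on reflects what a port-mirroring or switch-log feed would typically provide.

```python
"""Monitor for ARP rebinding and source-MAC churn in a substation LAN.

Added example; not code from the paper. Event records are constructed.
Each event is (timestamp_s, kind, switch_port, src_mac, sender_ip):
  kind == "arp_reply": an ARP reply claiming sender_ip is at src_mac
  kind == "frame":     any other frame seen from src_mac on switch_port
"""
from collections import defaultdict, deque

# Constructed sample feed: two legitimate devices, then an ARP reply that
# rebinds the relay's IP to an unknown MAC on another port, then a burst of
# distinct source MACs on that same port (what a CAM overflow looks like).
SAMPLE_EVENTS = [
    (0.0, "arp_reply", 1, "00:11:22:33:44:01", "10.0.0.10"),   # protection relay
    (0.5, "arp_reply", 2, "00:11:22:33:44:02", "10.0.0.20"),   # station HMI
    (1.0, "frame",     1, "00:11:22:33:44:01", ""),
    (2.0, "arp_reply", 5, "de:ad:be:ef:00:05", "10.0.0.10"),   # relay's IP rebound elsewhere
] + [
    (3.0 + i * 0.01, "frame", 5, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), "")
    for i in range(120)
]


class ArpMonitor:
    """Specification-style check: bindings are learned once and must not move."""

    def __init__(self, churn_window_s=1.0, churn_threshold=50):
        self.bindings = {}                   # sender_ip -> (mac, port) as first learned
        self.port_macs = defaultdict(deque)  # port -> deque of (timestamp, mac)
        self.churn_window_s = churn_window_s
        self.churn_threshold = churn_threshold
        self.churn_reported = set()          # ports already alerted for churn
        self.alerts = []

    def observe(self, ts, kind, port, mac, ip):
        """Feed one event; appends to self.alerts when a rule fires."""
        if kind == "arp_reply" and ip:
            known = self.bindings.get(ip)
            if known is None:
                self.bindings[ip] = (mac, port)      # first sighting: learn it
            elif known != (mac, port):
                # The same IP is now claimed from a different MAC or port:
                # the footprint of ARP poisoning or switch port stealing.
                self.alerts.append({
                    "type": "arp_rebinding", "ts": ts, "ip": ip,
                    "known_mac": known[0], "known_port": known[1],
                    "new_mac": mac, "new_port": port,
                })
        # Sliding-window count of distinct source MACs per port. An access
        # port in a substation normally sources one or a handful of addresses.
        window = self.port_macs[port]
        window.append((ts, mac))
        while window and ts - window[0][0] > self.churn_window_s:
            window.popleft()
        distinct = {m for _, m in window}
        if len(distinct) >= self.churn_threshold and port not in self.churn_reported:
            self.churn_reported.add(port)
            self.alerts.append({
                "type": "mac_churn", "ts": ts, "port": port,
                "distinct_macs": len(distinct), "window_s": self.churn_window_s,
            })


def run_monitor(events, **kwargs):
    """Replay a list of events through a fresh monitor and return its alerts."""
    mon = ArpMonitor(**kwargs)
    for ev in events:
        mon.observe(*ev)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS):
        print(alert)
```

Because a substation inventory is static, the first-seen binding is a reasonable baseline here; in practice the `bindings` table would be pre-loaded from the engineering documentation so that even the first sighting of an unexpected address is reported.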

2.2 IEC 61850 Protocol Attacks

Rashid et al. describe three classes of attacks that exploit GOOSE and SV messages [2]. These protocols are unique among industrial control system (ICS) communication protocols because they are multicast messages using a publish-subscribe methodology. This means they are sent out to all hosts on the broadcast domain instead of, like DNP, MODBUS or MMS, being sent to a single host. This is something that substation networks have not had to deal with yet.

The first described attack class is a modification attack [2]. This is accomplished by listening for packets to be sent out on the network from a device that is either providing control or important data. The attacker copies this packet and then makes any desired changes, for example changing close breaker to open or increasing the current reported to a very high or low value. Rashid et al. describe two papers that present these attacks. They are largely the same except that one took this a step further and wrote malware to perform this task.

Hoyos et al. performed this attack with the GOOSE protocol and demonstrated that this could be done fairly easily [4]. They used the Scapy Python library to watch for packets it identified as GOOSE packets through the GOOSE Ethertype. It then decoded the GOOSE message looking for the status number, sequence number, and the Boolean value. This test had only a single publisher and only one command, so it did not need to determine context, but the descriptive nature of IEC 61850 would make this something that could be accomplished. Scapy then incremented the status number and sequence number, changed the Boolean value and sent this message. This led to an output on their test relay asserting. This would have tripped the breaker [4].

The second described attack class is a DoS attack [2]. The concept of this is similar to the one described in the previous section except that this DoS functions on the SV and GOOSE protocols. The simplest way would be to just spam SV or GOOSE packets until there is no remaining bandwidth available. A more complex version of this is the GOOSE poisoning attack. This version was examined by Kush et al. [3]. There are three variants of this attack described. The first is a high status number attack. This sends a single packet with a very high status number. The status number changes each time the contents of a message change, so an IED knows if the values being sent are different. This means the other IEDs will ignore future messages from the targeted IED since they think the messages being sent are old messages. The second variant is a high rate flood attack. Here they spam packets with increasing status values, again until you pass the target IED's current status value. The third attack is a semantic attack. This involves watching the GOOSE messages from the target until you have found the rate of change, then sending out messages so as to keep ahead of the targeted IED. All of these will prevent legitimate GOOSE traffic from being processed.

The third described attack class is a replay attack [3]. As the name implies, you are capturing traffic and then replaying it to get the desired result. This could be replaying the GOOSE messages of a trip to trip the breaker later, or replaying the SV results of a trip to again trip the breaker, or possibly to avoid tripping the breaker and cause more damage. There are some issues with the replay attack on GOOSE due to the status value discussed above.

3 SECURITY OPTIONS FOR IEC 61850

3.1 IEC 62351
The original version of IEC 61850 had no security built into the protocols. At the time it was not considered a significant issue. Substations were largely considered to be more or less isolated networks [4]. In 2007, the IEC's TC 57 released a new standard, IEC 62351, to address security for substation communications. IEC 62351 focused primarily on how to authenticate and encrypt messages [5]. It talked about the uses of both symmetric and asymmetric encryption, how to apply the current web standard of TLS to a substation, and how PKI may be implemented in a substation. While these methods would stop almost all of the potential GOOSE attacks discussed above [3], there is an issue. The computational overhead of the methods cannot currently be accommodated within the 4 ms delay envelope that IEC 61850 lays down for GOOSE messages related to breaker tripping [4]. Hoyos et al. cite a 2010 study from ABB showing that even the use of a Message Authentication Code (MAC) could not be done within this response limit [4].
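To make the 4 ms argument concrete, the following Python is an added example, not code from this paper, from Hoyos et al., or the IEC 62351-6 message format, that appends a keyed message authentication code to a GOOSE-like PDU, verifies it, and reports how long one sign-plus-verify takes on the machine it runs on. The field layout, key, control block name and values are constructed for the illustration. It shows two things the text relies on: a received message whose Boolean or counters were altered in flight fails verification, and the cost of the check is a number that has to be measured on the relay's processor, not on a workstation, before it can be set against the 4 ms budget.

```python
"""Keyed-MAC integrity check on a GOOSE-like PDU, timed against a 4 ms budget.

Added illustration, not IEC 62351-6's actual message format. Field layout,
key and sample values are constructed for the example.
"""
import hashlib
import hmac
import struct
import time

TAG_LEN = 32                 # HMAC-SHA256 output length in bytes
BUDGET_MS = 4.0              # GOOSE trip-message delay envelope cited in the text
DEMO_KEY = bytes(range(32))  # constructed key for the example only


def encode_pdu(gocb_ref: str, st_num: int, sq_num: int, trip: bool, t_ms: int) -> bytes:
    """Pack the fields the section 2.2 modification attack targets into a fixed layout."""
    ref = gocb_ref.encode("ascii")
    return struct.pack("!H", len(ref)) + ref + struct.pack("!IIBQ", st_num, sq_num, int(trip), t_ms)


def trip_offset(gocb_ref: str) -> int:
    """Byte offset of the Boolean inside a PDU built by encode_pdu."""
    return 2 + len(gocb_ref.encode("ascii")) + 4 + 4


def sign(pdu: bytes, key: bytes) -> bytes:
    """Return pdu || HMAC-SHA256(key, pdu); the tag covers counters and timestamp too."""
    return pdu + hmac.new(key, pdu, hashlib.sha256).digest()


def verify(frame: bytes, key: bytes) -> bool:
    """Recompute the tag over everything before it and compare in constant time."""
    if len(frame) <= TAG_LEN:
        return False
    pdu, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, pdu, hashlib.sha256).digest())


def flip_trip_bit(frame: bytes, gocb_ref: str) -> bytes:
    """Simulate an in-flight change of the Boolean so the verifier's rejection can be shown."""
    off = trip_offset(gocb_ref)
    return frame[:off] + bytes([frame[off] ^ 1]) + frame[off + 1:]


def sign_verify_cost_ms(key: bytes, pdu: bytes, rounds: int = 2000) -> float:
    """Average wall-clock cost of one sign + one verify, in milliseconds."""
    start = time.perf_counter()
    for _ in range(rounds):
        if not verify(sign(pdu, key), key):
            raise RuntimeError("self-check failed")
    return (time.perf_counter() - start) * 1000.0 / rounds


def demo():
    """Genuine, tampered and wrong-key frames, plus the measured cost on this host."""
    ref = "IED1/LLN0$GO$GoCB01"          # constructed control block reference
    pdu = encode_pdu(ref, st_num=4, sq_num=0, trip=True, t_ms=1_700_000_000_000)
    frame = sign(pdu, DEMO_KEY)
    results = {
        "genuine": verify(frame, DEMO_KEY),
        "tampered": verify(flip_trip_bit(frame, ref), DEMO_KEY),
        "wrong_key": verify(frame, bytes(32)),
        "cost_ms": sign_verify_cost_ms(DEMO_KEY, pdu),
    }
    results["within_budget"] = results["cost_ms"] < BUDGET_MS
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats belong with this. A MAC alone does not stop replay; it only guarantees that the counters and timestamp it covers were not altered, so the subscriber still has to check them. And because the tag is keyed, every subscriber on the multicast domain needs the key, which is the key distribution problem IEC 62351 addresses with PKI and is a second source of overhead beyond the per-message cost measured here.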

3.2 Intrusion Detection System

Intrusion detection is the process of detecting a malicious intruder while they are attempting to enter, or after they have entered, a secure system. An intrusion detection system (IDS) is a system to aid in this process. There are three kinds of IDS: signature, behavioral, and specification [6] [7]. A signature based IDS scans traffic and looks for results that match a signature in its database. While this allows users to tune the IDS toward their own areas of concern, it has the problem of being unable to detect intrusions that are not included in its database of signatures. A behavioral IDS is built around the idea of learning what traffic seems normal, then raising a red flag when it encounters traffic it sees as unusual. The issue with a behavioral IDS is that it can lead to a very high rate of false positives unless it is well tuned [6]. A specification (white list) IDS is built around training the correct behavior of the system into it. This is trickier than the other two kinds of IDS because it requires knowledge at the application level. This means there has to be more knowledge built into the system at that level.

The concept of an intrusion prevention system (IPS) should also be mentioned here. An IPS is largely the same as an IDS except that it is in-line with the communication and can decide to block certain communications. I am hesitant to place an IPS in a substation due to the potential effect of a false positive. The difference between a host based IDS (HIDS) and a network based IDS (NIDS) should also be mentioned. The names are largely self-explanatory.

A HIDS lives on a single host and performs the IDS functionality on it [6], while a NIDS performs the IDS functionality on a network. A HIDS can have more detail about the host but is confined to only it, while the NIDS can take advantage of seeing the whole network. It should also be noted that the computational power of most devices in a substation is rather limited, making a HIDS problematic to implement.

Huang et al. and Premaratne et al. both implemented IDSs designed to handle issues in IEC 61850 substations [6] [7]. Premaratne's IDS was a signature based IDS using SNORT. It was designed around stopping the network attacks discussed in section 2.1 [6]. The tests performed showed it has a high rate of success detecting the issues it was designed to stop. Huang's IDS was a specification IDS built around a number of free tools and some C++ code [7]. It was designed around stopping attacks against multicast protocols and was successful in stopping versions of the three attack classes discussed in section 2.2 [7].
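The GOOSE poisoning and replay attacks of section 2.2 all disturb the relationship between the status number (stNum), the sequence number (sqNum) and the data set that a correctly behaving publisher maintains, and that relationship is exactly the kind of application-level rule a specification (white list) IDS of the sort just described encodes. The following Python is an added example of such a check, not code from this paper or from the Huang or Premaratne IDSs; the message stream, control block name and rate threshold are constructed, and it assumes the usual publisher behaviour of stNum increasing by one on a data change with sqNum restarting at 0 and then incrementing on each retransmission (stacks that restart sqNum at 1 need the one constant changed). A flagged message never moves the monitor's baseline, so a single poisoned high status number does not blind it to the legitimate publisher afterwards. Note also what it cannot catch: a spoofed message that bumps stNum by exactly one and carries a plausible new value, the Hoyos et al. case, is indistinguishable from a real state change at this level and needs message authentication or a plausibility check on the data itself.

```python
"""Specification-style monitor for GOOSE stNum/sqNum/data consistency.

Added example; not code from the paper or the IDSs it cites. Messages are
constructed dicts with the fields a GOOSE decoder would hand over:
  t (seconds), goid (control block reference), stNum, sqNum, data (tuple).
Assumed publisher behaviour: stNum += 1 on a data change with sqNum reset
to SQ_FIRST, otherwise stNum unchanged and sqNum += 1 per retransmission.
"""
from collections import defaultdict, deque

SQ_FIRST = 0  # first sqNum after a state change; some stacks use 1


def msg(t, st, sq, data, goid="IED1/LLN0$GO$GoCB01"):
    """Build one constructed GOOSE-like message record."""
    return {"t": t, "goid": goid, "stNum": st, "sqNum": sq, "data": data}


# Constructed stream: steady state, a genuine trip, a poisoned high stNum,
# a replayed frame, a well-formed spoof (not detectable here), then a flood.
SAMPLE_STREAM = [
    msg(0.000, 3, 0, (False,)), msg(0.010, 3, 1, (False,)),
    msg(0.100, 3, 2, (False,)), msg(1.100, 3, 3, (False,)),
    msg(1.200, 4, 0, (True,)),                  # genuine state change (trip)
    msg(1.210, 4, 1, (True,)), msg(1.300, 4, 2, (True,)),
    msg(1.310, 900, 0, (True,)),                # high status number attack
    msg(1.500, 4, 3, (True,)),                  # publisher continues normally
    msg(1.600, 4, 1, (True,)),                  # replay of an earlier frame
    msg(1.700, 4, 4, (True,)),
    msg(1.800, 5, 0, (False,)),                 # plausible spoof: passes counter checks
] + [msg(3.0 + i * 0.005, 6 + i, 0, (False,)) for i in range(30)]  # high rate flood


class GooseMonitor:
    def __init__(self, rate_window_s=1.0, max_per_window=20):
        self.baseline = {}                 # goid -> last accepted message
        self.recent = defaultdict(deque)   # goid -> timestamps inside the window
        self.rate_reported = set()
        self.rate_window_s = rate_window_s
        self.max_per_window = max_per_window

    def check(self, m):
        """Return the list of rule names this message violates (empty if none)."""
        found = []
        prev = self.baseline.get(m["goid"])
        if prev is not None:
            st, sq, data = m["stNum"], m["sqNum"], m["data"]
            if st < prev["stNum"]:
                found.append("stnum_regression")           # stale or replayed state
            elif st > prev["stNum"] + 1:
                found.append("stnum_jump")                 # poisoned high status number
            elif st == prev["stNum"] + 1:
                if sq != SQ_FIRST:
                    found.append("sqnum_not_reset")
                elif data == prev["data"]:
                    found.append("spurious_state_change")  # stNum moved, data did not
            else:                                          # same state as baseline
                if data != prev["data"]:
                    found.append("data_change_without_stnum")
                elif sq <= prev["sqNum"]:
                    found.append("sqnum_replay")           # repeated retransmission
                elif sq > prev["sqNum"] + 1:
                    found.append("sqnum_gap")              # loss, or injected frames
        # Rate rule, independent of the counters: a flood shows up here even
        # if every frame is individually well formed.
        window = self.recent[m["goid"]]
        window.append(m["t"])
        while window and m["t"] - window[0] > self.rate_window_s:
            window.popleft()
        if len(window) > self.max_per_window and m["goid"] not in self.rate_reported:
            self.rate_reported.add(m["goid"])
            found.append("rate_flood")
        if not found:
            self.baseline[m["goid"]] = m   # only clean messages advance the baseline
        return found


def run_monitor(stream, **kwargs):
    """Return (index, rule) pairs for every violation in the stream."""
    mon = GooseMonitor(**kwargs)
    return [(i, rule) for i, m in enumerate(stream) for rule in mon.check(m)]


def summarize(alerts):
    """Count alerts per rule name."""
    counts = {}
    for _, rule in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    alerts = run_monitor(SAMPLE_STREAM)
    print(summarize(alerts))
```

On the constructed stream the high status number, the replay and the flood are all reported, the flood under both the counter rule and the rate rule, while the well-formed spoof at index 11 passes untouched, which is the gap IEC 62351 authentication is meant to close.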

4 CONCLUSION
The intent of this paper was to show that while there is solid potential for IEC 61850, the increased connectivity it brings has a number of vulnerabilities inherent to connectivity and to the design of the protocols themselves. While IEC 62351 has solutions to a majority of these issues, there are problems with the implementation of IEC 62351 due to the 4 ms requirement on certain GOOSE messages and the lack of computational power available in the substation. We also briefly touched on the IDS as a potential mitigation of these issues.

Areas of future research would be developing either new methods of encryption and authentication or more powerful devices for the substation in order to be able to properly implement IEC 62351. I would also be interested to see how an IDS would perform in a real substation environment, especially since the new version of CIP includes a requirement to use an IDS at certain places in the system.

REFERENCES
[1] R. E. Mackiewicz, "Overview of IEC 61850 and Benefits," Transmission and Distribution Conference and Exhibition, 2005/2006 IEEE PES, 21-24 May 2006, pp. 376-383, doi:
[2] M. T. A. Rashid, S. Yussof, Y. Yusoff, R. Ismail, "A review of security attacks on IEC61850 substation automation system network," Information Technology and Multimedia (ICIMU), 2014 International Conference on, pp. 5-10, 18-20 Nov. 2014, doi: 10.1109/ICIMU.2014.7066594.
[3] N. Kush, E. Ahmed, M. Branagan, E. Foo, "Poisoned GOOSE: Exploiting the GOOSE Protocol," Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), vol. 149, pp. 17-22, 2014.
[4] J. Hoyos, M. Dehus, T. X. Brown, "Exploiting the GOOSE protocol: A practical attack on cyber-infrastructure," Globecom Workshops (GC Wkshps), 2012 IEEE, pp. 1508-1513, 3-7 Dec. 2012, doi: 10.1109/GLOCOMW.2012.6477809.
[5] S. Fries, H. J. Hof, M. Seewald, "Enhancing IEC 62351 to Improve Security for Energy Automation in Smart Grid Environments," Internet and Web Applications and Services (ICIW), 2010 Fifth International Conference on, pp. 135-142, 9-15 May 2010, doi: 10.1109/ICIW.2010.28.
[6] U. K. Premaratne, J. Samarabandu, T. S. Sidhu, R. Beresh, Jian-Cheng Tan, "An Intrusion Detection System for IEC61850 Automated Substations," IEEE Transactions on Power Delivery, vol. 25, no. 4, pp. 2376-2383, Oct. 2010, doi: 10.1109/TPWRD.2010.2050076.
[7] Junho Hong, Chen-Ching Liu, M. Govindarasu, "Detection of cyber intrusions using network-based multicast messages for substation automation," Innovative Smart Grid Technologies Conference (ISGT), 2014 IEEE PES, pp. 1-5, 19-22 Feb. 2014, doi: 10.1109/ISGT.2014.6816375.
