Abstract - Supervisory Control and Data Acquisition (SCADA) systems play the most important role in remote surveillance systems. The development of the communication systems of new substations, such as renewable energy sources, smart grid houses and new energy sources in the power network, increases the number of nodes in the data communications network, which in turn increases the number of possible ways to connect to the SCADA system. When designing a new substation, nobody takes the aspect of cyber security into account; the design is limited to choosing the mode of communication within the station and the method of communication with the SCADA system. Major communication projects are prepared on the basis of the IEC 60870-5 [1], DNP3 [2] and IEC 61850 [3] protocols at the SS level, and the connection to SCADA mostly works with the IEC 60870-5-104 [4] transmission protocol or DNP3.0. IEC 60870-5-104 provides network access for IEC 60870-5-101 [5] based on Transmission Control Protocol/Internet Protocol (TCP/IP), which can be utilized for basic telecontrol tasks in SCADA systems. However, the IEC 60870-5-104 protocol transmits messages in clear text without any authentication mechanism. Furthermore, the IEC 60870-5-104 protocol is based on TCP/IP, which has cyber-security issues of its own. (IEC/104 is used as the notation instead of IEC 60870-5-104 in the remainder of the paper.)

Keywords: cyber security, smart power grid, internet protocol, digital communication.

I. INTRODUCTION
The most common external threats that we encounter on a daily basis are automated attacks through viruses, Trojans and software vulnerabilities on the victim workstation. Often, the main purpose of such attacks is to enlarge a botnet with further workstations (a botnet being a network of infected computers forming a group over which control is exercised by the creator of the malicious software). These risks are relatively easy to detect and dispose of through the use of up-to-date software, a virus definition subscription and anti-spyware. It should however be borne in mind that many viruses can also lead to an unstable operating system, and even to loss of data integrity on the infected machine.
Another type of external threat is coordinated direct attacks aimed at the acquisition or modification of data on the victim machine. These attacks are usually performed using 0-day security vulnerabilities (i.e. newly disclosed information about a vulnerability open to attack) and gaps caused by incorrect configuration. They concern to a greater extent machines available at public IP addresses, such as servers. From the perspective of the technology of digital stations, a particular threat can be a combination of the direct and automatic types of attack. An example of such a threat is the Stuxnet worm, discovered in 2009 in Iranian nuclear power plants. This virus, after infecting a machine, tries to access and modify the PLC software of a SCADA system from a specific manufacturer. This is an example of both an automatic threat, difficult to detect by antivirus software because of its narrow specialization, and a direct one, since it takes into account known weaknesses of the affected system (in this case, leaving the default password used to configure the PLC). Despite the fact that the creation of such a worm requires a significant financial effort, this type of threat should be taken into consideration. The basic tools used to protect against attacks are:
Antivirus software - can run in monitor mode (automatic, ongoing checking of processed files) and scan mode (searching disks on request). Its effectiveness depends primarily on up-to-date signatures of known viruses. In some cases the AV allows identification of malicious software based on heuristic methods; in this case the files reported as infected are actually harmful only with a certain probability. As a result, the AV can detect not only known malicious software but also suspicious software code.
The Firewall - software, or hardware with dedicated software. It allows filtering so that only network traffic complying with certain rules passes. Most often it is associated with blocking access from the external network to the internal network or local workstation. Another important function, often overlooked because of its cumbersome configuration, is blocking outgoing traffic. It allows you to protect data before it leaves the local area network / workstation. A very important
Fig. 1. Digital communication in Power Line network as OSI model conception.
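The abstract's point that IEC/104 carries no authentication is easiest to see on the wire. The decoder below is an added example written for this page (not code from the paper or from any IEC/104 implementation): it parses the 6-byte APCI and the ASDU header of a frame, shows that nothing in the frame identifies or authenticates the sender, and flags process control commands (ASDU types 45-51 and 58-64, as defined in IEC 60870-5-101) that arrive from a master not on an allow-list, which is the only handle a passive monitor has. The sample frame, the peer addresses and the allow-list are constructed for the demonstration.

```python
"""Minimal IEC 60870-5-104 APDU decoder with a control-command alert."""
from dataclasses import dataclass
from typing import Optional, Set

START_BYTE = 0x68

# ASDU type identifiers (IEC 60870-5-101) that carry process control commands;
# a monitor should treat these as high-value traffic.
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1",
                 51: "C_BO_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1",
                 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
                 63: "C_SE_TC_1", 64: "C_BO_TA_1"}

@dataclass
class Apdu:
    fmt: str                      # "I", "S" or "U"
    send_seq: Optional[int] = None
    recv_seq: Optional[int] = None
    type_id: Optional[int] = None
    num_objects: Optional[int] = None
    cot: Optional[int] = None     # cause of transmission
    originator: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None     # information object address
    payload: bytes = b""

def parse_apdu(frame: bytes) -> Apdu:
    """Decode the APCI (start byte, length, 4 control bytes) and, for
    I-format frames, the ASDU header. Note the absence of any sender
    identity, MAC or signature field anywhere in the layout."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC/104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("length field does not match frame size")
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:              # I-format: numbered information transfer
        apdu = Apdu("I", send_seq=(c1 >> 1) | (c2 << 7),
                    recv_seq=(c3 >> 1) | (c4 << 7))
        asdu = frame[6:]
        if len(asdu) < 6:
            raise ValueError("truncated ASDU header")
        apdu.type_id = asdu[0]
        apdu.num_objects = asdu[1] & 0x7F          # VSQ without the SQ bit
        apdu.cot = asdu[2] & 0x3F                  # COT without P/N and T bits
        apdu.originator = asdu[3]
        apdu.common_addr = asdu[4] | (asdu[5] << 8)
        if len(asdu) >= 9:                         # first object: 3-byte IOA
            apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
            apdu.payload = asdu[9:]
        return apdu
    if c1 & 0x03 == 0x01:           # S-format: supervisory acknowledgement
        return Apdu("S", recv_seq=(c3 >> 1) | (c4 << 7))
    return Apdu("U", payload=bytes([c1]))  # U-format: STARTDT/STOPDT/TESTFR

def classify(apdu: Apdu, src_ip: str, allowed_masters: Set[str]) -> Optional[str]:
    """Return an alert for a control command from a source not on the list.
    The frame itself cannot prove who sent it, so the IP address is the only
    attribution a passive monitor can make; that is the weakness discussed."""
    if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPES:
        return None
    if src_ip in allowed_masters:
        return None
    return (f"ALERT: {CONTROL_TYPES[apdu.type_id]} (type {apdu.type_id}) "
            f"COT={apdu.cot} to IOA {apdu.ioa} from unlisted master {src_ip}")

# Constructed sample: single command C_SC_NA_1, activation (COT=6),
# common address 1, IOA 0x001001, SCO = 0x01 (execute, switch ON).
SAMPLE_FRAME = bytes([
    0x68, 0x0E,                 # start byte, APDU length = 14
    0x00, 0x00, 0x00, 0x00,     # I-format, send seq 0, receive seq 0
    0x2D, 0x01,                 # type 45 (C_SC_NA_1), one information object
    0x06, 0x00,                 # COT = activation, originator address 0
    0x01, 0x00,                 # common address of ASDU = 1
    0x01, 0x10, 0x00,           # IOA = 0x001001 = 4097
    0x01,                       # SCO: select/execute = execute, SCS = ON
])

if __name__ == "__main__":
    decoded = parse_apdu(SAMPLE_FRAME)
    print(decoded)
    print(classify(decoded, "10.0.0.99", {"10.0.0.10"}))
```

Running the block decodes the constructed frame as a C_SC_NA_1 activation to IOA 4097 and raises the alert because the (constructed) source 10.0.0.99 is not the listed master; the same frame from 10.0.0.10 passes silently, which is exactly why an allow-list based on addresses is a mitigation and not a substitute for authentication at the protocol level.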
Modern Electric Power Systems 2015 – MEPS’15 Wroclaw, Poland – July 6-9, 2015
www.meps15.pwr.edu.pl
Fig. 3. Example diagram of information flow in SCADA systems using IEC 61850.
b) by security class:
• protection from unauthorized access to digital data transmission media and physical security of devices in intermediate stations,
• protection of end-use telemetric devices from unauthorized access, transmission disruption or complete lock of their activities,
• analytical optimization models and decision-making processes,
c) by policy:
• data access policy – user authorization, permission management,
• management security policy – investment processes' principles and rules,
• system security policy – reaction to incidents, managing confidential information like passwords, cryptographic keys.
Making an ICT power grid available for the needs of external users is a potential source of threat. It is necessary to separate information transferred for the needs of the power sector from external traffic. Moreover, administrative and office traffic should also be separated from traffic related to remote supervision of energy facilities. The most commonly encountered problems related to incorrect grid architecture design and its management are:
• lack of proper security architecture,
• errors in information security management,
• software errors,
• human errors and intentional actions,
• insufficient security monitoring.
The most common threats to information systems include:
• blocking access to a service,
• hacking into an information system's infrastructure,
• data loss,
• data theft,
• confidential data disclosure,
• information falsification,
• software code theft,
• hardware theft,
• damage to computer systems [11].
Fig. 5. Exchange communication in SNMP version no 3.

V. GOOD PRACTICES IN SECURING LOW/MEDIUM VOLTAGE POWERLINE NETWORKS
In order to ensure safety, monitoring of network traffic must be taken into account in the policy. For this purpose, you can use the event logs obtained from the previously described firewall. More complex and better filtered information is available through an intrusion detection system (IDS), which greatly facilitates the observation of anomalies in network traffic.
In the case of active network devices, i.e. network switches, you should use solutions with divisions and with trouble-reporting software. This facilitates diagnosis in case of incorrect operation of the network and significantly reduces the time needed to solve the problem.
In order to verify the proper operation of the above-mentioned mechanisms, penetration tests involving the simulation of attacks and system errors should be performed periodically. In this way you can find out whether all known methods of attack are captured by the network protection mechanisms.
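Two requirements stated on this page combine naturally into one check that can run over firewall event logs: the separation of supervision traffic from office and external traffic, and the introduction's point that blocking outgoing traffic is an important but often overlooked firewall function. The script below is an added example written for this page, not code from the paper: it parses log lines in the style of Linux iptables LOG messages and reports flows that cross the office/OT boundary, leave the OT networks for an outside address, or open IEC/104 (TCP 2404) to the RTU network from a host not listed as a SCADA master. The address plan, the master list and the log lines are all constructed for the demonstration.

```python
"""Policy check over firewall event logs for a SCADA/office split network."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed address plan (hypothetical, for the demonstration only).
SCADA_NET = ipaddress.ip_network("10.10.0.0/16")     # SCADA servers / HMI
RTU_NET = ipaddress.ip_network("10.20.0.0/16")       # substation RTUs / IEDs
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")  # administrative LAN
INTERNAL_NETS = (SCADA_NET, RTU_NET, OFFICE_NET)
SCADA_MASTERS = {ipaddress.ip_address("10.10.0.10")}  # hosts allowed to speak IEC/104
IEC104_PORT = 2404

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Optional[dict]:
    """Pull SRC/DST/PROTO/DPT out of an iptables-style LOG line."""
    fields = dict(KV.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }

def check(flow: dict) -> Optional[str]:
    """Return a reason string if the flow violates the segregation policy."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    in_ot = src in SCADA_NET or src in RTU_NET
    external = not any(dst in net for net in INTERNAL_NETS)
    # 1. OT hosts must never initiate connections to the outside world.
    if in_ot and external:
        return f"OT host {src} initiating outbound connection to external {dst}"
    # 2. Office and OT networks stay separated in both directions.
    if (src in OFFICE_NET and (dst in SCADA_NET or dst in RTU_NET)) or \
       (in_ot and dst in OFFICE_NET):
        return f"office/OT boundary crossed: {src} -> {dst}"
    # 3. IEC/104 has no authentication of its own, so only listed masters
    #    may open TCP 2404 towards the RTU network.
    if dport == IEC104_PORT and dst in RTU_NET and src not in SCADA_MASTERS:
        return f"IEC/104 session to {dst} from unlisted master {src}"
    return None

def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp/host prefix, reason) for every violating log line."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        reason = check(flow)
        if reason:
            findings.append((line.split("kernel:")[0].strip(), reason))
    return findings

# Constructed sample log (not real traffic); 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    "Jul  6 10:01:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.0.10 DST=10.20.0.5 PROTO=TCP SPT=51000 DPT=2404",
    "Jul  6 10:01:05 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.0.77 DST=10.20.0.5 PROTO=TCP SPT=51001 DPT=2404",
    "Jul  6 10:02:11 fw kernel: IN=eth3 OUT=eth1 SRC=192.168.1.20 DST=10.10.0.10 PROTO=TCP SPT=40000 DPT=445",
    "Jul  6 10:03:40 fw kernel: IN=eth2 OUT=eth0 SRC=10.20.0.5 DST=203.0.113.9 PROTO=TCP SPT=33000 DPT=443",
    "Jul  6 10:04:00 fw kernel: IN=eth3 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=443",
]

if __name__ == "__main__":
    for when, why in audit(SAMPLE_LOG):
        print(when, "-", why)
```

Of the five constructed lines, only the legitimate master's IEC/104 session and the office workstation's own web traffic pass; the other three are reported. The "outbound" rule is the one the introduction describes as cumbersome and often skipped: it is the check that catches an RTU or concentrator talking to an outside address, which no inbound-only rule set would ever log.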
SNMP assumes the existence of two types of devices in a managed network: managing and managed. A device (computer) is a manager (called NMS - Network Management Station) when it is running the appropriate manager program (SNMP manager). A device is managed if it runs an SNMP agent. Advantages and disadvantages: SNMP is currently the most popular protocol for managing networks (Fig. 5).
Its popularity is due to the following advantages:
• relatively small additional load on the network
generated by the protocol itself,
Fig. 4. Communication via RS485.
Fig. 6. ITC security functional diagram of Smart Grid.
• a small set of custom commands lowers the cost of devices supporting it,
• low cost of implementation and operation.
The main disadvantage of SNMP is its inability to ensure the security of transmitted data (SNMP versions 1 and 2).
Below are listed the main safety functions of telecommunication devices used in digital communications, SNMP-capable and compatible with IEC 61850 (IEC 61850-3, IEEE 1613) [12]: Protection - mis-wiring avoidance, repowered auto ring restore (node failure protection), loop protection. System Log - support for system log records and a remote system log server. DHCP - provides DHCP Client / DHCP Server / DHCP Option 82 / port-based & VLAN-based DHCP distribution (DHCP relay agent). MAC-based DHCP Server - assigns IP addresses by MAC, which allows a dumb switch to be included in the DHCP network. DNS - provides a DNS client feature and supports primary and secondary DNS servers. GOOSE monitoring - shows individual GOOSE TX / RX counters (IEC packets). Environmental Monitoring - internal sensors detect temperature, voltage, current and total PoE budget (IPGS-5400-2P-PT) and send SNMP traps and emails on any abnormal events. Factory reset button & watchdog design - a factory reset button restores the factory default settings, and the watchdog design can reboot the switch automatically under certain circumstances. Configuration backup and restore - supports text-editable configuration files for quick system installation, backup and restore.

With knowledge of ICT network administration, a bit of time and desire, in a few steps we can definitely increase the security of our own network. The basic functions and mechanisms of defence against intruders (Fig. 6, red padlock) can be the following:
Default Username and Password: the default username/password set by the manufacturer, allowing access to the router configuration, should be changed and set strong enough to prevent unauthorized access to our home. An attacker will first attempt to enter the default password for our model, and in turn will try the passwords used in other models or similar devices of its class.
SSID: the default Service Set Identifier (SSID) is the name of the network and uniquely identifies a particular network; wireless devices must know the SSID of a wireless network to connect to it. Manufacturers set a default SSID that identifies the device (the name betrays its potentially default passwords). The SSID is sent in plain text, so it can easily be overheard using sniffers; therefore the SSID cannot be treated as protection of the network. Some believe that SSID broadcasting should be switched off to impede unauthorized users of the network. However, this does not improve the security of the network, because the SSID is sent by any authorized station when connecting to an access point, and can then be eavesdropped. Not only that: when SSID broadcasting is off, the network is vulnerable to a person with evil intentions masquerading as an access point, so that the data of the network's users may be in danger [13].
Wireless Security: there are three types of wireless security on routers or access points:
• WEP (Wired Equivalent Privacy),
• WPA (Wi-Fi Protected Access),
• WPA2 (Wi-Fi Protected Access 2).
It is always advisable to use WPA2 encryption with CCMP/AES, which is the safest option. If WPA2 is not supported by the router, WPA with TKIP/RC4 is an alternative, but WEP is the least secure option and should be avoided because it is easy to break. WPA may use the following modes:
• Enterprise – uses a RADIUS server (for business use), which assigns the keys to the right users,
• Personal – does not distribute keys to individual users; all connected stations use a shared key, the PSK (Pre-Shared Key) – used e.g. in the HAN or Wi-Fi.
Limit Network Coverage: it is always advisable to limit the broadcast coverage of a network to prevent intruders from gaining access to a home network.
Disable Remote Management: this feature should be disabled on the router to prevent intruders from accessing and changing the configuration of the router. If remote administration is necessary, it should be realized via non-standard ports.
Firmware Update: one should check whether there is a new firmware version for the router. After the security configuration of the router, one should make a copy of the settings and store it in a safe place in case of a forced reset of the device settings.
Static DHCP reserved IP addresses: since a router assigns a private IP address to a particular device to share the Internet connection using DHCP, the reserved IP address range should be limited so that the router cannot assign an IP address to any device that tries to get unauthorized access to the home network; the number of IP addresses reserved should be as many as the number of devices needing Internet access within the home network. An additional obstacle can be created by changing from the classic Class C network addressing to Class A or B with a very unusual subnet mask, and hence unusual first and last subnet addresses and broadcast address.
Network Filter: enabling Media Access Control (MAC) address filtering in a router prevents unauthorized clients from getting a valid IP address and joining the network. Devices with addresses that are not included in the filter list will be dropped, and a device that wants to establish a connection cannot access the transmission medium. In addition, this information and the MAC address of the device, along with the date and result of the event, will be saved in the router's logs.
Universal Plug and Play (UPnP): this feature allows network devices to discover and establish communication with each other on the network. It makes the initial network configuration easy, but it should be disabled when not needed, because malware within the network could use UPnP to open a loophole in the router firewall to let intruders in.
Turn On Firewall: a router has an inbuilt firewall which should be activated and configured properly to allow authorized users to access the home network; it is advisable to create a blacklist of unauthorized websites, services etc. Also, the firewall should be configured not to reply to ping requests, to prevent exposing the home network to intruders; thus the firewall should be used to control both incoming and outgoing traffic.
Network Management Tool: an efficient network management tool can be used to monitor and manage a network and prevent intruders from gaining unauthorized access to it. Some other advisable security measures are to disable remote upgrade, unnecessary services and Demilitarized Zone (DMZ) features in a router. One should change passwords frequently on all networking devices and make them strong enough that they cannot be easily guessed by an intruder [14].
In order to maintain a high level of security, it is necessary to observe predefined procedures and security policies. A grid of meters and concentrators starts to look more and more like a traditional corporate network, which means that similar security measures can be put in place, including systems for intruder detection, access control and event monitoring. Especially vulnerable to packet data attacks are concentrators which, connected to Ethernet switches, utilize the commonly used TCP/IP protocol [15].
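The paper's section on SNMP names the protocol's main disadvantage in one sentence: versions 1 and 2 cannot secure the transmitted data, which is why Fig. 5 shows version 3. What that means concretely is that the community string, the only "credential" in an SNMPv1/v2c message, travels as a plain BER octet string that any sniffer on the substation LAN can read. The decoder below is an added example written for this page (not code from the paper or from any SNMP library): a small BER walker for the subset of ASN.1 that SNMP uses, applied to a constructed SNMPv1 GetRequest for sysName.0 with community "public". The helper `exposes_credentials` is the check a monitoring tool on an IEC 61850-3 switch network could run to flag v1/v2c managers that should have been migrated to v3.

```python
"""Decode an SNMPv1/v2c message to show the community string on the wire."""
from typing import List, Tuple

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA8: "InformRequest"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for one BER TLV."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed element into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        out.append((tag, child))
    return out

def decode_oid(value: bytes) -> str:
    """Base-128 OID decoding; the first byte packs the first two arcs."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_snmp(pkt: bytes) -> dict:
    """Decode the message header and, for v1/v2c, the community and PDU."""
    tag, body, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    children = read_children(body)
    version = int.from_bytes(children[0][1], "big")
    if version == 3:
        # v3 carries msgGlobalData and security parameters instead of a
        # community string, and with authPriv the PDU itself is encrypted.
        return {"version": "SNMPv3", "community": None}
    community = children[1][1].decode("ascii", "replace")  # sent in clear
    pdu_tag, pdu = children[2]
    pdu_fields = read_children(pdu)        # request-id, error-status, error-index, varbinds
    request_id = int.from_bytes(pdu_fields[0][1], "big")
    oids = [decode_oid(read_children(vb)[0][1])
            for _, vb in read_children(pdu_fields[3][1])]
    return {"version": VERSION_NAMES.get(version, f"v{version}"),
            "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": request_id, "oids": oids}

def exposes_credentials(pkt: bytes) -> bool:
    """True when the message carries its credential in clear text (v1/v2c)."""
    return parse_snmp(pkt)["community"] is not None

# Constructed packet: SNMPv1 GetRequest, community "public", sysName.0.
SAMPLE_GET = bytes.fromhex(
    "30 26 "                   # SEQUENCE, 38 bytes
    "02 01 00 "                # version = 0 (SNMPv1)
    "04 06 70 75 62 6c 69 63 " # community "public"
    "a0 19 "                   # GetRequest-PDU, 25 bytes
    "02 01 01 "                # request-id = 1
    "02 01 00 "                # error-status = 0
    "02 01 00 "                # error-index = 0
    "30 0e "                   # VarBindList
    "30 0c "                   # VarBind
    "06 08 2b 06 01 02 01 01 05 00 "  # OID 1.3.6.1.2.1.1.5.0 (sysName.0)
    "05 00"                    # NULL value
)

if __name__ == "__main__":
    print(parse_snmp(SAMPLE_GET))
    print("clear-text credential:", exposes_credentials(SAMPLE_GET))
```

The decoded result names the version, the community string, the PDU type and the requested OID, all recovered from the raw bytes without any key. A SetRequest (tag 0xA3) carrying the same community would be accepted by a v1/v2c agent on a switch or concentrator, so on the networks described in this section the practical mitigations are to run SNMPv3 with authentication and privacy, and, where legacy v1/v2c devices remain, to confine them to a management VLAN and alert on any v1/v2c packet seen elsewhere.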