Application-Aware Secure Multicast for Power Grid Communications Jianqing Zhang* and Carl A. Gunter University of Illinois at Urbana-Champaign * Now working at Energy Systems Research Lab, Intel Labs
Motivation Introduction Formal Model for Multicast – Data Model and Publish-Subscribe Model – Multicast Configuration Anomaly Implementation: SecureSCL Performance Analysis of IPsec Based Multicast Conclusion Outline 2
Multicast in Power Grid Systems Substation Networks PMU: Phasor Measurement Unit PMUs DNP3 3
IEC Substation Network * Based on Baigent, D. et. al. IEC Communication Networks and Systems in Substations: An Overview for Users Generic Object Oriented Substation Event (GOOSE) Sampled Measured Value (SMV) Data objects model Communication protocols suite Link layer multicast Substation Configuration Language (SCL) IEC: International Electrotechnical Commission HMI: Human Machine Interface PMU: Phasor Measurement Unit Abstract Communication Service Interface (ACSI) Substation Bus Process Bus Ethernet * 4
Cyber Security Threats to Substation Networks Integrity – Tampered power grid status data – Faked control commands Confidentiality – Valuable raw data Availability – Data packets flood Cryptographically Secured Protocols? 5
Challenges: Manageable Configuration Complex and error-prone configuration for current systems – Intricate system designs – Changing specifications during design phases – Large and hardly auditable configuration files TVA Bradley Substation: 7.4Mbytes and 98K lines XML files – Proprietary configuration tools from multiple vendors – Complexity of current off-the-shelf security protocols and tools Security vulnerabilities due to incorrect system configuration 6
Timing requirements for real-time operations* – PMU: 30 times per second – Substation: event notification for protection e.g. GOOSE, 2-10ms Challenges: Latency Requirements * IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation VT: Volt Transformer CT: Current Transformer 7
Integration with power grid systems – How to partition multicast groups in a particular domain, like a power substation? – What’s the role of each control device in a group? – How to distribute group keys? Standardized security protocols – How to integrate group key management with secure multicast protocols? Challenges: Efficient Group Key Management & Configuration 8
Derive group membership by application data dependency in system functional configurations – Observation: data dependency determines publish- subscribe relationships and group memberships Approach: Application-Aware Secure Multicast 9
… … … … … 01-0C-CD … Data Dependency in Substation Configuration Language (SCL) Trip command 10
Derive group membership by application data dependency in system functional configuration Detect inconsistent configurations automatically Configure group key management system based on the derived group memberships and extended configuration files Raise the link layer multicast to the network layer and secure multicast traffic using IPsec Approach: Application-Aware Secure Multicast 11
D, the set of data objects E, the entities which have relationships with data objects – O, the set of data owners – C, the set of data consumer – P, the set of publishers – S, the set of subscribers G, the set of group controllers A Formal Multicast Model: Components 12
A Formal Multicast Model: Publish-Subscribe Model 13
Publish-Subscribe Model in SCL: Ownership & Publication 14
... Publish-Subscribe Model in SCL: Consumption & Subscription 15
Multicast Configuration Anomaly: Publication Anomaly 16
Multicast Configuration Anomaly: Subscription Anomaly 17
Architecture of SecureSCL 18
Preserves a variety of security properties, proved by a degree of formal analysis Supports wide area multicast, important to inter- substation communications and PMU networks Obtains strong support from security communities Capable of addressing latency constraints in medium scale networks Benefits of IPsec Based Multicast in Power Grid Networks 19
Test Bed Setup – Hardware Deterlab: 8, 16, 32, 64-node scenarios Xeon Quad 3.00GHz PCs – Software Platform: Ubuntu 8.04 Process Control Emulation System* – Measure round trip latency Performance Analysis of IPsec Based Multicast * Credits to Chris Grier and Sam King 20
Performance of IPsec Multicast 21
Application-aware secure multicast is an efficient solution for multicast in power grid systems – Automate group configuration and minimize errors – Integrate security configurations with functional configurations IPsec is a promising solution for secure multicast in power grid systems Future work – WAN or Inter-substation network multicast communication and configuration – Dynamic group management Conclusion 22
Questions? Dr. Jianqing Zhang Intel Labs, RNB Mission College Blvd. Santa Clara, CA Tel: (408) Professor Carl A. Gunter 4304 Siebel Center for Computer Science 201 N. Goodwin Ave. Urbana, IL Tel: (217)
1.Propose a formal multicast data model and a publish- subscribe model depicting the publish-subscribe relationships 2.Classify a number of configuration anomalies in multicast systems 3.Design algorithms detecting the anomalies 4.Design a multicast and group key management architecture 5.Develop a prototype system, SecureSCL 6.Provide a case study of secure GOOSE in IEC substations 7.Evaluate the performance of IPsec based multicast Contributions 24
IEC 62351: sign each GOOSE frame using RSA Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data Dissemination Framework for the Power Grid, IEEE Transactions on Power Delivery, Jan Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004 Related Work Header Authentication Value GOOSE PDU Length CRC 25
System Working Phases 26
Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast GDOI Based Group Key Management Architecture 1.IKEv1 Phase1: Reg. SA 2.Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA 3.GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs 27