Attacking Power Grid Substations: An Experiment Demonstrating How to Attack the SCADA Protocol IEC 60870-5-104

Research article, open access. DOI: 10.1145/3538969.3544475

Published: 23 August 2022

Abstract

The smart grid brings advantages such as increased automation in decision making, tighter coupling between production and consumption, and increased digitalization. Because the smart grid changes the power grid, a critical infrastructure, in many ways, cyber security and robust resilience against cyberattacks are essential. With an increased number of attack interfaces and more use of IP-enabled communication, digital stations (IEC 61850 substations) need to operate according to a zero-trust security model, and cyber resilience needs to be an integrated part of the substation and its components. This paper presents an experiment utilizing a Hardware-In-the-Loop (HIL) Digital Station environment (enclave), where the focus is on attacking the SCADA protocol IEC 60870-5-104. We implemented 14 attacks; each attack is described in detail, including the result of each attack action. Furthermore, the paper discusses the implications of the findings in the experiment and what power grid asset owners can do to protect their substations as part of their digitizing efforts.



Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022, 1371 pages
ISBN: 9781450396707
DOI: 10.1145/3538969
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Cyber Security
  2. Digital Station
  3. DoS attack
  4. IEC 60870-5-104
  5. Man in the Middle (MITM) attack
  6. Replay attack
  7. SCADA security
  8. Smart Grid security
  9. Substations

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%


Cited By

  • Ensuring cybersecurity for industrial networks: A solution for ARP-based MITM attacks. Journal of Computer Security, 1–29 (1 Feb 2024). DOI: 10.3233/JCS-230023
  • Towards the Design of Grid Cyber-Physical Integrated Security Operations Center Visualizations. 2024 IEEE Kansas Power and Energy Conference (KPEC), 1–6 (25 Apr 2024). DOI: 10.1109/KPEC61529.2024.10676242
  • Two-stage advanced persistent threat (APT) attack on an IEC 61850 power grid substation. International Journal of Information Security 23(4), 2739–2758 (14 May 2024). DOI: 10.1007/s10207-024-00856-6
  • Testing Commercial Intrusion Detection Systems for Industrial Control Systems in a Substation Hardware in the Loop Testlab. Electronics 13(1), 60 (21 Dec 2023). DOI: 10.3390/electronics13010060
  • Attacking IEC 61850 Substations by Targeting the PTP Protocol. Electronics 12(12), 2596 (8 Jun 2023). DOI: 10.3390/electronics12122596
  • Double-Edged Defense: Thwarting Cyber Attacks and Adversarial Machine Learning in IEC 60870-5-104 Smart Grids. IEEE Open Journal of the Industrial Electronics Society 4, 629–642 (2023). DOI: 10.1109/OJIES.2023.3336234
  • Bespoke Weighting Schema and Sequence of Transformations for Enhanced Insight into Prospective False Command Injection Attacks. 2023 International Conference On Cyber Management And Engineering (CyMaEn), 230–239 (26 Jan 2023). DOI: 10.1109/CyMaEn57228.2023.10051057
