RE3- Transmission Grid Technologies.pdf
Mirpur University of Science and Technology
Transmission Grid Technologies
Dr. Anwar Ul Haq
Week 4
Department of Electrical Engineering

Monitoring & Measurement Technologies
• These components will provide the data necessary for monitoring the grid and the power market.
• With regard to metering and measurement:
– new digital technologies using two-way communications
– a variety of inputs (pricing signals, time-of-day tariff)
– a variety of outputs (real-time consumption data, power quality, electric parameters), the ability to connect/disconnect, and interfaces with generators, grid operators, and customer portals to enhance power measurement.
Renewable Energy Systems (EE-48E6) | Dr. Anwar Ul Haq

Wide Area Monitoring Systems (WAMS)
• Facilitated by the increased utilization of
– digital electronics for metering and measurements,
– advancement of the electric meter at the customer level, and
– installation of wide area monitoring systems (WAMS) for advanced utility monitoring and protection.

WAMS Advantages
• WAMS are designed by the utilities for
– optimal capacity of the transmission grid, and
– to prevent the spread of disturbances
• by providing real-time information on stability and operating safety margins.
• WAMS give early warnings of system disturbances for the prevention and mitigation of system-wide blackouts.

WAMS Operation
• WAMS utilize sensors distributed throughout the network in conjunction with GPS satellites for precise time stamping of measurements during transmission.
• The integrated sensors will interface with the communication network.
• This connection can be provided by SCADA systems.
• Phasor measurements are a current technology that is a component of most smart grid designs.

Grid Evolution
• Traditionally power delivery was unsophisticated
– Generation localised around communities
– Simple consumption (e.g. lights)
– Consumer billed monthly
• System relied on consumer phone calls for fault notifications
• Ground crews dispatched to fix problems
• Time-consuming process

Grid Evolution
• EPUs (Electric Power Utilities) became more sophisticated to meet energy demands
• Complex generation systems
• Longer interconnected transmission lines
• Complex distribution systems
• Automation systems
• Communication became necessary

Grid Automation
• Grid evolution
– from manned substations to remotely monitored and controlled systems
– from electromechanical systems to dial-up/IP-based systems
– from unsophisticated one-way communication to two-way communication
• Automation became integrated with preventative/predictive maintenance
• Need computers to process the grid's operational and non-operational data
• Achieved through automation called SCADA

Smart Grid Review
• Supports sophisticated two-way communication
• Allows efficient power dispatch
• Easy to integrate with other sources, e.g. green energy
• Supports smart metering
• Can coordinate with home area networks (HANs) for efficient consumption
• Supports efficient self-healing after faults

SCADA Definition
• Supervisory Control And Data Acquisition
• A complex computer-based system that uses modern applications to analyse the electric power grid system to acquire data, monitor and control facilities and processes.
• SCADA applications can support dispatchers, operators, engineers, managers, etc. with tools to predict, control, visualize, optimise, and automate the EPU.

Summary of SCADA History
• Originally EPUs used electro-mechanical automation
• In the 1970s computer-based SCADA commenced
• Dial-up modems used for remote access
• Suppliers (e.g. IBM, Siemens, GE) supplied complete proprietary systems
• More advanced with client-server computers
• Advanced functions became common (e.g. EMS, load forecasting, dispatch, protection engineering, regulatory reporting, etc.)
• Communication links evolved from noisy narrow-bandwidth telephone lines to SONET, microwave, radio, power line carrier, and cellular networks

Traditional SCADA Components
• SCADA Master Terminal Unit (MTU): the server that acts as the SCADA system
• RTU (remote terminal unit): remote telemetry data acquisition units located at remote stations
• IED (intelligent electronic device): smart sensors/actuators with intelligence to acquire data, process it, and communicate
• HMI (human-machine interface): software to provide for visualisation and interaction with SCADA

Overall SCADA System Architecture
• Can be broken down into 3 categories
– Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs)
– Communications network
– SCADA host software at the control center

Control Center
• Provides for real-time grid management
• SCADA server
– Also known as the MTU (master terminal unit)
• HMI for visualisation and human interaction
• Data historian: database storage for operational activities
• Control server: hosts software to communicate with lower-level control devices
• Communication routers
• Could be connected to other regional control centers (desired for large networks)

Implementation Examples
• Many possible topologies
• Direct connection
• Connection with slave
• Other; see IEEE C37.1

Protocols and Standards
• MODBUS: master-slave application-layer protocol
– Attackers with IP access can run a Modbus client simulator to effect many types of attacks.
• DNP3: Distributed Network Protocol is a set of open communication protocols
– IEEE recommended for RTU-to-IED messages
– Has no built-in security: messages can be intercepted, modified and fabricated.
• IEC 60870 suite:
– Substation control centre communication (IEC 60870-5-101/104)
– Communication with protection equipment (IEC 60870-5-103)
– IEC 62351 intends to implement security (end-to-end encryption; vendors reluctant to implement due to complexity)
• Other proprietary protocols

Field Components
• Acquire telemetry and relay data from the system
• Convert it to digital signals if necessary
• Send data to the MTU or engineering stations
• Receive control, settings, and resets from the MTU
[Figure: field component (telemetry meters, relays, etc.) sends telemetry to the SCADA MTU, which returns control and settings via the device ports]

Field Components: RTU
• Reads status and alarms through relay and control circuit auxiliary contacts.
• Manual/remote control, e.g. activate alarm. RTU control outputs connected to control relays
• No data storage
• Some PLCs equipped to be RTUs
• Either open standard or proprietary
– Modbus, DNP3, IEC 60870-5-101/104
• Serial communication
– RS232, RS485

Field Components: IED
• Similar to an RTU, is open or proprietary based
• Acquires data from electrical devices, e.g. relay or circuit breaker status, switch position.
• DAQ and control (sensor and actuator)
• Some modern meters have IED capabilities; they can communicate their readings with the RTU or MTU.
• Newer substations only use modern IEDs
• IEDs can support horizontal communication

SCADA and Internet

SCADA Vulnerabilities
• Vulnerabilities are weaknesses in the cyber system that threats (actors) exploit to carry out attacks
• Examples of forms of vulnerabilities:
– Technical
  • Hardware
  • Software and protocol
  • Network
– Policy

SCADA Security Holes
• Increased automation widens the SCADA network's attack surface

Vulnerability Examples
• CVE-2015-1179: Allows remote attackers to inject arbitrary web script; found in Mango Automation systems
• CVE-2015-0981: Allows remote attackers to bypass authentication and read/write to arbitrary database fields via unspecified vectors.
• CVE-2015-0096 (MS15-018): Stuxnet, a worm targeting ICSs such as SCADA.
• Other examples from 2014: CVE-2014-8652, CVE-2014-5429
• GE Energy's XA/21: 2003 flaw responsible for alarm system failure at FirstEnergy's Akron, Ohio control center

Attack Examples
• Stuxnet: Intercepts and makes changes to data read from and written to a PLC. Believed to be developed to damage Iran's nuclear plants
• Night Dragon: Suspected SCADA data exfiltration from Exxon, Shell and BP
• Others: Havex (Trojan targeting industrial control systems and SCADA), Blacken (targets users of the SCADA software Simplicity)
• Many others targeting the PCs used in SCADA.

Securing SCADA
• Define a SCADA security networking policy
– Access control
– Identify all SCADA assets and their connectivity
– Schedule regular vulnerability assessments
• User training and awareness (e.g. what to do when you pick up a USB stick in the parking lot)
• Technical
– Isolate SCADA from the internet as much as possible
– Encryption of data
– Implement strict firewall rules between the SCADA network and all other networks.
– Perform anomaly detection
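As an added illustration of the "strict firewall rules" and "anomaly detection" items above (example code, not from the slides), the Python below parses the Modbus/TCP MBAP header of captured master-to-slave frames and labels each frame against an allow-list of the MTU and its RTUs. The addresses, the function-code sets and the sample frames are constructed assumptions.

```python
import struct

# Constructed policy (assumption): the SCADA MTU is the only legitimate Modbus
# master, and these are the RTU/IED slaves it is allowed to address.
ALLOWED_MASTERS = {"10.0.1.10"}
RTUS = {"10.0.2.21", "10.0.2.22"}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # function codes that change device state
READ_FUNCTIONS = {1, 2, 3, 4}              # plain polling of coils/inputs/registers

def parse_mbap(payload):
    """Return (unit_id, function_code), or None if the MBAP header is inconsistent."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def classify(src, dst, payload):
    """Label one master->slave frame under the allow-list policy above."""
    parsed = parse_mbap(payload)
    if parsed is None:
        return "malformed"
    fc = parsed[1]
    if dst not in RTUS:
        return "unknown-target"
    if src not in ALLOWED_MASTERS:
        return "unauthorised-master"   # the firewall rule should already have dropped this
    if fc in WRITE_FUNCTIONS:
        return "control-write"         # legitimate, but every write deserves an audit entry
    if fc in READ_FUNCTIONS:
        return "poll"
    return "unexpected-function"

def mb(tid, unit, pdu):
    """Build a Modbus/TCP frame (7-byte MBAP header + PDU) for the constructed samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed traffic: MTU poll, MTU write, a rogue engineering laptop writing, a bad header.
SAMPLE = [
    ("10.0.1.10", "10.0.2.21", mb(1, 1, b"\x03\x00\x00\x00\x0a")),   # read 10 holding registers
    ("10.0.1.10", "10.0.2.21", mb(2, 1, b"\x05\x00\x01\xff\x00")),   # write single coil ON
    ("10.0.5.77", "10.0.2.22", mb(9, 1, b"\x06\x00\x10\x00\x01")),   # write single register
    ("10.0.1.10", "10.0.2.22", struct.pack(">HHHB", 3, 7, 6, 1) + b"\x03\x00\x00\x00\x01"),
]
def audit(frames):
    """Return (src, dst, label) per frame; anything other than 'poll' is worth a SOC look."""
    return [(src, dst, classify(src, dst, p)) for src, dst, p in frames]
```

Because Modbus carries no authentication, the source address and function code are the only signals available, which is why the slides pair this kind of monitoring with network isolation rather than relying on it alone.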

Phasor Measurement Units (PMU)
• Phasor Measurement Units or Synchrophasors give operators a time-stamped snapshot of the power system.
• Phasor measurements are taken with high precision from different points of the power system (usually power stations) at the same instant, allowing an operator to visualize the exact angular difference between different locations
• Can also measure system frequency
• Generate 30-60 measurements per second, as compared to traditional SCADA producing a measurement every 2-4 seconds

Phasor Measurement Units (PMU)
• PMUs are equipped with GPS receivers which allow synchronization of readings taken at distant points.
• This helps with quick recognition of the current network situation (network disturbances)
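To make the time-stamped snapshot concrete, here is an added example (not from the slides) that estimates a phasor with a one-cycle DFT, takes the angular difference between two GPS-synchronised locations, and goes one step beyond the slides by deriving system frequency from how fast the phasor angle drifts between two windows. The 60 Hz nominal frequency, the 1440 samples/s rate and the waveforms are constructed assumptions.

```python
import cmath
import math

F0 = 60.0                 # nominal system frequency, Hz (assumption: 60 Hz grid)
FS = 1440                 # sampling rate, samples/s (assumption: 24 samples per cycle)
N = round(FS / F0)        # samples in one nominal cycle

def waveform(amplitude, freq, phase_deg, seconds):
    """Constructed voltage samples amplitude*cos(2*pi*f*t + phase), t counted from the GPS second mark."""
    phi = math.radians(phase_deg)
    return [amplitude * math.cos(2 * math.pi * freq * k / FS + phi)
            for k in range(int(FS * seconds))]

def phasor(samples, start):
    """One-cycle DFT at F0 over samples[start:start+N]; returns (rms, angle_deg).
    The angle is measured against a cos(2*pi*F0*t) reference at the window start,
    which is the same GPS-disciplined instant for every PMU in the system."""
    acc = sum(x * cmath.exp(-2j * math.pi * k / N)
              for k, x in enumerate(samples[start:start + N]))
    ph = acc * math.sqrt(2) / N
    return abs(ph), math.degrees(cmath.phase(ph))

def angle_difference(samples_a, samples_b, start):
    """Angular separation in degrees, wrapped to (-180, 180], between two locations
    whose measurement windows begin at the same time-stamped sample index."""
    _, a = phasor(samples_a, start)
    _, b = phasor(samples_b, start)
    return (a - b + 180.0) % 360.0 - 180.0

def frequency(samples, start, gap):
    """Estimate frequency from phasor rotation over `gap` samples: an off-nominal
    signal's angle drifts by 2*pi*(f - F0)*gap/FS between the two windows."""
    _, t0 = phasor(samples, start)
    _, t1 = phasor(samples, start + gap)
    drift = math.radians((t1 - t0 + 180.0) % 360.0 - 180.0)
    return F0 + drift * FS / (2 * math.pi * gap)

# Constructed scenario: two substations at nominal frequency, the receiving end
# lagging by 12 degrees; a third record running slightly over-frequency at 60.2 Hz.
SENDING = waveform(math.sqrt(2) * 230.0, F0, 0.0, 0.5)
RECEIVING = waveform(math.sqrt(2) * 225.0, F0, -12.0, 0.5)
OVER_FREQ = waveform(math.sqrt(2) * 230.0, 60.2, 0.0, 0.5)
```

The frequency estimate carries a small spectral-leakage error because the one-cycle window is tuned to F0, which is why the example measures drift over six cycles (gap = 144 samples) rather than one.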

PMU Components
https://www.researchgate.net/figure/Diagram-of-the-our-implementation-of-the-single-phase-PMU-structure_fig5_268237618

GIS and Google Mapping Tools
• GIS stands for Geographic Information System
• GIS is useful for managing traditional electric transmission, distribution and telecom networks.
• It can also help to manage information about utility assets for data collection and maintenance.
• Google's free downloadable Google Earth software offers geographical contextual information in an updated user-friendly platform that facilitates inquiry-based study and analysis.
• Users can create and share many types of dynamically updating data over the Internet.

GIS and Google Mapping Tools
• Keyhole Markup Language (KML) allows users to overlay basic data types such as images, lines, and polygons.
• Through satellite imagery, maps are available from space to street level.
• Provides partial context to operators and planners, e.g., real-time sensors that collect the data needed to reconfigure networks for reducing outages and equipment failures.
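An added example (not from the slides) of the KML overlay described above: it writes substation points and the transmission line joining them as KML Placemarks using Python's standard library, then reads them back so an operator tool can check what it is about to share. The substation names, the line label and the coordinates are constructed.

```python
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed asset register (assumption): two substations and the line between
# them, as (name, longitude, latitude) in WGS84 decimal degrees, KML's convention.
SUBSTATIONS = [("Substation A", 73.75, 33.15), ("Substation B", 73.90, 33.05)]

def build_kml(substations, line_name="132 kV line"):
    """Return a KML document with one Point Placemark per substation and one
    LineString Placemark tracing the transmission line through them in order."""
    ET.register_namespace("", KML_NS)          # emit KML as the default namespace
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    for name, lon, lat in substations:
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = name
        pt = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        # KML coordinate order is longitude,latitude[,altitude], not lat/lon
        ET.SubElement(pt, f"{{{KML_NS}}}coordinates").text = f"{lon},{lat},0"
    pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
    ET.SubElement(pm, f"{{{KML_NS}}}name").text = line_name
    ls = ET.SubElement(pm, f"{{{KML_NS}}}LineString")
    ET.SubElement(ls, f"{{{KML_NS}}}coordinates").text = " ".join(
        f"{lon},{lat},0" for _, lon, lat in substations)
    return ET.tostring(kml, encoding="unicode")

def read_placemarks(kml_text):
    """Parse KML back into {name: [(lon, lat), ...]}: a shared overlay is data
    that flows into planning tools, so validate it on the way in, not just out."""
    ns = {"k": KML_NS}
    out = {}
    for pm in ET.fromstring(kml_text).iterfind(".//k:Placemark", ns):
        name = pm.findtext("k:name", namespaces=ns)
        coords = pm.findtext(".//k:coordinates", namespaces=ns)
        out[name] = [tuple(float(v) for v in c.split(",")[:2]) for c in coords.split()]
    return out
```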

GIS and Google Mapping Tools
• The integration of GIS with Google Earth/OpenStreetMap will aid in understanding the relationship of the grid network to its surroundings, for example, determining the optimal location of rights of way and the placement of sensors/poles.

References
• IEEE Standard for SCADA and Automation Systems, C37.1, 2007
• IEC 61850, Communication networks and systems in substations
• Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security, NIST, 2007
• G. Clarke and D. Reynders, Practical Modern SCADA Protocols, Elsevier, 2004