Risk Assessment for Cyber Attacks in Feeder Automation System
Qiangsheng Dai, Libao Shi, Yixin Ni
National Key Laboratory of Power Systems in Shenzhen,
Graduate School at Shenzhen, Tsinghua University, Shenzhen, 518055, China
shilb@sz.tsinghua.edu.cn
Abstract—The operating conditions of a distribution system can be perceived and optimized rapidly and effectively with the help of information and communication technology. However, some potential cybersecurity risks deserve sufficient attention. In this paper, a novel and practical cyber-attack method targeting the remote terminal unit (RTU) is first proposed. Given the enormous number of cyber-physical devices in a distribution system and the high maintenance costs, this paper also introduces a risk index to identify the vulnerability of the studied distribution system under cyber-attack. A Bayesian attack graph model is applied to quantify the probability of successfully exploiting known and zero-day vulnerabilities, and the relationship between the attack behavior and the feeder automation action is further analyzed. Simulation results demonstrate the effectiveness and validity of the proposed model and method.
Index Terms--Cyber-physical system, cyber security, feeder
automation, Bayesian attack graph, risk assessment.
I. INTRODUCTION
In a distribution network, safe, reliable and cost-effective power supply cannot be separated from the supervisory control and data acquisition (SCADA) system. It is known that the SCADA system relies heavily on the integration of cyber and physical elements, and the SCADA system is also one of the most important components for implementing feeder automation (FA), which can protect the electricity infrastructure and quickly restore service to outage areas. However, the deficiencies and vulnerabilities existing in the cyber surveillance system and the cyber-physical elements have posed severe threats to the distribution system (DS). Recently, some electric utilities in China have found that potential weaknesses of the distribution automation (DA) communication system and the distribution terminal units (DTUs) could be utilized to compromise the security of the DS.
In recent years, due to the emergence of cyber-attacks, there have been extensive investigations attempting to assess the DS from different viewpoints involving security and vulnerability [1-3]. Most of the existing research achievements focus on a hypothetical scene in which the DA system, the protection system or the distributed energy resources are damaged by a cyber-attack, and the corresponding assessment methods mostly use game theory and Monte Carlo simulation, which are very difficult to realize in practical applications. In particular, zero-day vulnerabilities cannot be analyzed quantitatively. On the other hand, several cyber-attack detection methods have been developed to identify anomalous or malicious activities [4]. The corresponding protection schemes and possible communication risk mitigation mechanisms have also been proposed [5][6]. In addition, some scholars have tried to discover the cyber-physical interdependencies by setting up a co-simulator of the communication network and the distribution network [7].
All in all, this paper aims to study the vulnerability of the DS according to a proposed cyber-attack approach and a risk index. Moreover, the likelihood of a successful cyber-attack is also quantified by applying the Bayesian attack graph (BAG), and the FA mechanism is considered in the analysis of attack behavior.
II. PROBLEM FORMULATION
Fig. 1 shows a typical structure of a distribution network. The top two layers (layer 1 and layer 2) represent the cyber system, and the bottom two layers (layer 3 and layer 4) represent the physical system. The electric power supplied from the substation is distributed to the users in layer 4 via the main feeders, consisting of cables and overhead power lines located in layer 3. For reliability of power supply, the cables and overhead power lines are segmented by ring main units (RMUs) and pole-mounted switches, respectively. The open-close statuses of the circuit breakers within each RMU and the operating conditions of the DS are gathered by the DTUs located in layer 2 and uploaded to the master station in layer 1 for further analysis. The DTUs also transmit the system operator's control commands to the corresponding breakers. The communication function for a pole-mounted switch is realized by feeder terminal units (FTUs).
Figure 1. Cyber-physical DS structure.
By directly releasing computer viruses and malware into the SCADA system or transmitting them from a communication device, an attacker can control the master station of the DS in order to cause an instantaneous power outage or even a cascading blackout. Such cases have always been the focus of most studies. However, as the bi-directional firewall can block any executable code, and the safety supervision mechanism of the master station system will prevent any intrusion, this kind of attack scenario rarely happens.
This work was supported in part by the National Basic Research Program of China, 973 program (2013CB228203)
978-1-5386-7703-2/18/$31.00 ©2018 IEEE
Authorized licensed use limited to: Tsinghua University. Downloaded on March 01,2023 at 06:24:29 UTC from IEEE Xplore. Restrictions apply.
In fact, for the sake of the city's appearance, the DTUs are often installed in inconspicuous areas. The FTUs, mounted on the distribution line poles, are usually about 3 meters above the ground according to China's national standards. Therefore, these two kinds of unattended and widely used remote terminal units (RTUs) are liable to be attacked. This paper aims to investigate the corresponding consequences of cyber-attacks against the RTUs. Here, the following risk assessment index (RI) is introduced to evaluate the cyber-attack effects:
=∗ (1)
where denotes the probability of the vulnerability being used to initiate a successful attack, and denotes the consequences caused by the attack. Here, the vulnerabilities of RTUs will be analyzed by using the BAG and the conditional probability table (CPT). In response to the cyber-attack, the FA system will operate to locate and isolate the fake "failure", and finally restore service to the unaffected users.
III. SOLUTION METHOD
A. Bayesian Attack Graph Model
In this paper, the deliberate cyber-attacks take advantage of the vulnerabilities of RTUs to control a local device or tamper with the messages being sent to the master station or to other cyber devices. Fig. 2 shows the cyber system of DTU1 as illustrated in Fig. 1. There are three cyber components of circuit breakers and two cyber components of instrument transformers, and each component corresponds to a physical device in the RMU. The micro control unit (MCU) keeps polling the operating statuses of the components under abnormal conditions and uploads them periodically via the optical network unit (ONU). The MCU can be reconfigured by the DS infrastructure maintainer via the debug interface when updating software or adjusting the profile. In some cases, this debug interface could also be used by an attacker when the RTU is accessible.
Figure 2. Cyber system of DTU1 located in layer 2.
According to a cybersecurity inspection report issued by a Chinese electric utility, most installed RTUs have unnecessary open network and remote operation services (ROS), such as Telnet, SSH, FTP and SNMP. On the other hand, a large number of these services can be accessed using weak passwords. Accordingly, an attacker can easily access the DTUs from the ONU once connected to the communication network. Besides, most RTUs have opened up a web service that can be used to bypass the login mechanism and access the privilege management page directly.
In this paper, the BAG model is applied to illustrate the dependencies among vulnerabilities and the potential attack paths quantitatively [8]. The BAG is expressed as a pair < , >, where is a directed graph composed of nodes and their relationships. The nodes represent the vulnerabilities and their execution conditions, and denotes the set of probabilities of passing through each node. A node pointing to node means that the value of depends on the value of , which is expressed as the parent of . Each node in the graph is associated with a CPT constituted by . The corresponding unique joint distribution can be described as follows:
( , …, ) = ∏ ( | ( )) (2)
Figure 3. BAG model for the risk assessment of RTU.
Fig. 3 shows the BAG model for the risk assessment of the RTU described in Fig. 2. This model aims to obtain the privilege of user(4), who can change the communication data. In Fig. 3, the item inside a rectangle denotes the operating conditions for exploiting the corresponding vulnerability. The conditions include privilege (host), service (host) and connection (source host, destination host), respectively [9]. The item inside an oval denotes the vulnerability (service name, source host, destination host); the oval marked in blue denotes the zero-day vulnerability. It should be noted that a vulnerability can be exploited only when all of the operating conditions mentioned above are satisfied simultaneously. In Fig. 3, <ssh,1,2> is the zero-day vulnerability existing in the ROS, and <debug,1,2> is the known flaw that these RTUs can be modified via the debug interface. In order to access these RTUs, the services ssh(1) and debug(1) must be available in advance. After connecting to the services via <1,2>, the intercommunication privilege of user(2) can be achieved by exploiting either of the two vulnerabilities. Then, by utilizing the vulnerability <login,2,3>, which can be found in the login authorization mechanism or a weak password, the control and parameter setting privilege of user(3) can be obtained. Meanwhile, the known vulnerability <web,1,3> directly yields the control privilege. Finally, by exploiting the known vulnerability <protocol,3,4> existing in the communication protocol, the packet change privilege can be obtained.
In order to calculate the probability of the final privilege being successfully achieved, the probability of exploiting each vulnerability independently, without considering the preconditions, should be calculated first. Such a probability can be estimated through the common vulnerability scoring system (CVSS), which produces a numerical score according to the principal characteristics of a vulnerability, such as attack vector, attack complexity, privileges required and user interaction [10]. As illustrated in [8], the CVSS score of the zero-day vulnerability is set to 0.8 in this paper.
TABLE I. CPT TABLE OF THE VULNERABILITY AND THE CONDITION

Condition user(3):

<login,2,3>  <web,1,3>  |  T  F
     T           T      |  1  0
     T           F      |  1  0
     F           T      |  1  0
     F           F      |  0  1

(The CPT of the vulnerability <login,2,3>, the other half of Table I, appears in Section III.C.)
Next, according to the BAG, a CPT is built to calculate the posterior probability with consideration of the preconditions. Table I shows the CPT for the vulnerability <login,2,3> and the condition user(3) shown in Fig. 3. It can be seen from Table I that the vulnerability can be exploited only when all of its preconditions are satisfied, and the condition can be attained when any one of the vulnerabilities is exploited. Then the probabilities of the vulnerability (vul ) and the condition ( ) can be calculated as follows:
(vul ) = ( ) ∗ ∏ con , con ∈ (3)
( ) = (1 − ∏ vul ) ∗ ( ), vul ∈ (4)
where and are the set of conditions of the vulnerability vul and the set of vulnerabilities preceding the condition , respectively. As the CVSS score ranges from 0 to 10, the score is divided by 10 for normalization.
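As an added illustration of the propagation in (3) and (4) over the graph of Fig. 3 (this code is not part of the paper), the following Python script builds the BAG of the RTU with the CVSS scores given in the case study (1.7, 2.9, 5.3 and 8, with 0.8 for the zero-day <ssh,1,2>) and computes the probability of reaching user(2), user(3) and user(4). The 0.9 probability assigned to every leaf condition, the preconditions assumed for <web,1,3> (web(1), <1,3>) and <protocol,3,4> (protocol(3), <3,4>), and the noisy-OR form used for condition nodes are assumptions, chosen to match the AND/OR behaviour that Table I states.

```python
"""Bayesian attack graph (BAG) propagation over the RTU model of Fig. 3.

Added example written for this page, not the paper's code. It follows eqs.
(3)-(4) as the text and Table I describe them: a vulnerability is exploitable
only when all of its preconditions hold (CVSS/10 times the product of their
probabilities), and a condition is attained when any of its parent
vulnerabilities is exploited (noisy-OR over them). The 0.9 leaf probability
and the preconditions of <web,1,3> and <protocol,3,4> are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vulnerability:
    name: str
    cvss: float                    # base score on the 0-10 scale
    preconds: tuple = ()           # condition names, all required (AND)


@dataclass
class Condition:
    name: str
    parents: tuple = ()            # vulnerability names, any suffices (OR)
    prior: Optional[float] = None  # leaf condition: assigned probability


class AttackGraph:
    def __init__(self):
        self.vulns = {}
        self.conds = {}

    def add(self, node):
        (self.vulns if isinstance(node, Vulnerability) else self.conds)[node.name] = node
        return self

    def p_vulnerability(self, name):
        """Eq. (3): CVSS/10 times the product of the precondition probabilities."""
        v = self.vulns[name]
        p = v.cvss / 10.0
        for c in v.preconds:
            p *= self.p_condition(c)
        return p

    def p_condition(self, name):
        """Eq. (4): leaf prior, or 1 - prod(1 - P(vul)) over the parent vulnerabilities."""
        c = self.conds[name]
        if c.prior is not None:
            return c.prior
        miss = 1.0
        for v in c.parents:
            miss *= 1.0 - self.p_vulnerability(v)
        return 1.0 - miss


def build_rtu_graph(leaf_p=0.9):
    """Topology of Fig. 3; leaf_p is the assumed probability of each leaf condition."""
    g = AttackGraph()
    for leaf in ("ssh(1)", "debug(1)", "<1,2>", "login(2)", "<2,3>",
                 "web(1)", "<1,3>", "protocol(3)", "<3,4>"):
        g.add(Condition(leaf, prior=leaf_p))
    g.add(Vulnerability("<ssh,1,2>", 8.0, ("ssh(1)", "<1,2>")))          # zero-day, 0.8 per [8]
    g.add(Vulnerability("<debug,1,2>", 1.7, ("debug(1)", "<1,2>")))
    g.add(Condition("user(2)", ("<ssh,1,2>", "<debug,1,2>")))
    g.add(Vulnerability("<login,2,3>", 5.3, ("<2,3>", "user(2)", "login(2)")))  # Table I
    g.add(Vulnerability("<web,1,3>", 2.9, ("web(1)", "<1,3>")))                 # assumed preconditions
    g.add(Condition("user(3)", ("<login,2,3>", "<web,1,3>")))                   # Table I
    g.add(Vulnerability("<protocol,3,4>", 8.0, ("user(3)", "protocol(3)", "<3,4>")))  # assumed preconditions
    g.add(Condition("user(4)", ("<protocol,3,4>",)))
    return g


def rtu_exploit_probabilities(leaf_p=0.9):
    """Probability of reaching each privilege level, rounded to 4 decimals."""
    g = build_rtu_graph(leaf_p)
    return {n: round(g.p_condition(n), 4) for n in ("user(2)", "user(3)", "user(4)")}


if __name__ == "__main__":
    for level, p in rtu_exploit_probabilities().items():
        print(f"P({level}) = {p}")
```

Note that the product form of (3) treats a condition shared by two vulnerabilities, such as <1,2> feeding both <ssh,1,2> and <debug,1,2>, as if it were sampled independently for each; this mirrors the paper's equations but slightly overstates the reach of user(2) compared with exact inference on the joint distribution (2).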
B. GOOSE-based Intelligent Distributed Approach
Relying on the communication of fault information and refusing-action information among adjacent RTUs and on the mutual collaboration between them, the intelligent FA system can realize the fault location, isolation and service restoration (FLISR) function. Based on the generic object oriented substation event (GOOSE) communication mechanism stated in the IEC 61850 standard, the communication delay should be less than 4 ms. After restoring the power supply, all the RTUs upload the fault information and the final fault processing results to the main station. The 10 kV circuit breakers located at the outlet of the substation use time-delayed overcurrent protection as the general backup protection to isolate the fault current. This function can also protect the physical devices from overload operation.
As shown in Fig. 4, the feeder can be divided into several power supply areas according to the breakers. Different feeders are interconnected by the tie line breaker. The intelligent distributed approach judges that a fault has occurred in the mth feeder and the kth power supply area , when the only upstream breaker reports a fault signal ( , , ). This signal can be obtained when the following is satisfied:
⋀( , , ) ⋀( , , ), ∈ Ν , , ∈ Μ , (5)
where Ν , and Μ , are the sets of all downstream breakers and upstream breakers in , , respectively. (⋅) denotes a non-fault signal. It should be noted that , is restricted to non-terminal power supply areas, because a terminal area has no downstream breaker. In our work, a virtual breaker signal for the terminal power supply area, such as , , which always reports a non-fault signal by default, is applied during analysis. It is known that the distribution network is generally designed with the closed-loop idea and operated in an open-loop topology, i.e. every area has only one upstream breaker. Given that the communication system in distributed FA is very reliable, the fault signal from one feeder must be continuous. In other words, the fault area can be confirmed under the condition that the breaker before must report the fault message , .
Figure 4. A typical DS with open-loop dual-feeder configuration.
According to (5), the non-tie-line breaker will be switched off automatically when its adjacent downstream breaker , and upstream breaker , satisfy the following condition:
((∧ , ∧( )∧ , )∨(∧ , ∧( )∧ , , , ∈ , , ∈ . (6)
where and are the sets of all downstream and upstream breakers pertinent to breaker . If this breaker cannot be tripped immediately, it reports a refusing action signal to the adjacent breaker. Then the adjacent normal breaker will operate to cut off the fault current, which may extend the blackout range.
Here, () denotes the off position state of the tie line breaker , and () denotes the on position state. The tie line breaker will be switched off to restore the power supply under the following condition:
(⋁( )) ⋀ • , ∈ Ο (7)
where Ο is the set of breakers between the substation and the tie line on the mth main feeder. After finishing the restoration service according to the proposed method, the circuit breakers located at the outlet of the substation may be tripped after a certain time delay when the main feeder current exceeds the relay setting of the backup protection, as described in the following:
, > , (8)
The power outage will cause long-term power loss when the power supply area is separated from the feeder. Furthermore, it will also cause short-term power loss during FA.
C. Attack Scenario
TABLE I (continued). CPT of the vulnerability <login,2,3>:

<2,3>  user(2)  login(2)  |   T     F
  T       T        T      |  0.8   0.2
  F       T        T      |   0     1
  T       F        T      |   0     1
  T       T        F      |   0     1
  F       F        T      |   0     1
  F       T        F      |   0     1
  T       F        F      |   0     1
  F       F        F      |   0     1

Regarding the realistic cyber-attacks that have happened before, the two most likely attack scenarios, namely 1) tampering with the fault message and 2) tampering with the fault message and the refusing action message (RAM), are proposed in this paper. It should be noted that the proposed attack scenarios are subject to the following premises (assumptions):
a) The substation is under strict monitoring. Hence, the RTUs located inside the substation are free from any attacks.
b) The cyber-attacker is familiar with information and communication technology (ICT) but has little technical background in power systems. Hence, the attacker can make the cyber-attack look effortless.
c) The cyber-attacker does not know the geographical wiring diagram of the DS. Therefore, the probability is the same for attacking any RTU.
d) In order to implement a successful attack, the tampered message MUST be sent to the correct communication channel via GOOSE.
1) Scenario 1: Tamper the fault message
Taking (5) and (6) into consideration, the FA will operate to isolate the power supply area located downstream of when the attacker fabricates the following signals simultaneously:
a) The fault signal ( ) of .
b) The fault message , received from the upstream breaker of . Here, as the fault signal is continuous, , makes the RTU of mistakenly believe that the fault happens in the downstream area and that the automation system is running well.
c) The non-fault message sent to the breakers ∈ Ν , ∪ Μ , located in the upstream power supply area , of .
Taking the system shown in Fig. 4 as an example, the messages ( , , ), , , , and ( , , , ) are elaborately created for . Then all the other breakers will report a non-fault signal ( ). The is the transmitted fault message, and the ones marked in red denote the modified messages. As a result, we can get
( , , )⋀( , , )
( , , )⋀( , , )⋀( , , )
( , , )⋀( , , )
( , , , )⋀( , , ) . (9)
It can be seen that only , satisfies (5), and it will lead to a power outage between and based on (6). Furthermore, this attack method will always cause a power outage in the downstream power supply area of the attacked breaker.
2) Scenario 2: Tamper the fault message and RAM
Combined with the aforementioned fault messages, the attacker can additionally set the RAM. The FA mechanism will cut off the adjacent breakers to isolate the "fault", which actually cannot be isolated. This may cause more severe power outages with little effort.
Regarding the vulnerabilities given in Fig. 3, the fault signal and the refusing action signal can be generated by exploiting the privilege user(3). The communication information between adjacent RTUs can be tampered with by utilizing the privilege user(4). Here, the information transmitted and received between a pair of breakers uses <protocol,3,4> once, due to the service and connection. This vulnerability has to be considered again when facing another pair of breakers.
D. Assessment procedure
Figure 5. Risk assessment considering FA cybersecurity.
Fig. 5 shows the flowchart of the proposed method. The solution procedure mainly involves the system initialization, the GOOSE-based intelligent distributed FA strategy, the relay protection technique and the calculation of the risk index considering the total number of scenarios (marked with the symbol S). In this paper, the consequences are represented by monetary losses, which are calculated based on the sector customer damage function (SCDF) according to the power outage time and the type of power consumer [11]. In our work, the short-term outage duration is taken as 1 minute and the long-term duration as 120 minutes during analysis.
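To make the sequence of (5)-(8), the two attack scenarios and the risk index of (1) concrete, the following Python example (added here; it is not the paper's code) simulates the FA response of a constructed open-loop dual-feeder pair: fault location from the breaker signals, isolation by the two bounding breakers with refusing-action handling, tie-line transfer of the downstream areas, the backup overcurrent trip of (8), and RI = P × C with the paper's 1-minute and 120-minute outage durations. The topology, loads, relay settings, per-minute damage costs and the attack probability are constructed values; the plausibility check that discards a fault report from a breaker carrying no current reflects the observation in Section IV that such reports are treated as misinformation.

```python
"""FLISR response to breaker signals and the resulting risk index (eqs. 1, 5-8).

Added example written for this page; it is not the paper's code. Breaker i is
the upstream breaker of area i of a radial feeder; the last breaker is the
normally open tie line to the neighbouring feeder. Topology, loads, relay
settings, damage costs and the attack probability are constructed values."""
from dataclasses import dataclass

SHORT_TERM_MIN = 1     # outage during FA switching (paper's short-term measure)
LONG_TERM_MIN = 120    # outage until repair (paper's long-term measure)


@dataclass(frozen=True)
class Area:
    name: str
    load_ka: float       # load current drawn by the area, kA
    loss_per_min: float  # SCDF-style damage cost per minute of interruption


@dataclass(frozen=True)
class Feeder:
    name: str
    relay_ka: float      # backup overcurrent setting of the outlet breaker, kA
    areas: tuple         # Area objects ordered from the substation outward


def plausible_signals(signals, currents_ka):
    """Discard fault reports from breakers carrying no current (e.g. the open tie
    line); Section IV treats such reports as misinformation."""
    return [s and c > 0.0 for s, c in zip(signals, currents_ka)]


def locate_fault(signals):
    """Eq. (5): the faulted area is the last one whose upstream breaker reports a
    fault; the fault signal must be continuous from the substation to it and every
    breaker downstream must report non-fault, otherwise no area is confirmed."""
    if not any(signals):
        return None
    k = max(i for i, s in enumerate(signals) if s)
    return k if all(signals[:k + 1]) else None


def flisr_outage(feeder, neighbour, signals, currents_ka, refusing=()):
    """Return {area name: outage minutes} after FA acts on the reported signals.
    `refusing` lists breaker indices that fail to trip (scenario 2)."""
    n = len(feeder.areas)
    outage = {a.name: 0 for a in feeder.areas + neighbour.areas}
    k = locate_fault(plausible_signals(signals, currents_ka))
    if k is None or k >= n:           # no consistent fault, or report from the tie line
        return outage
    lo, hi = k, k + 1                 # eq. (6): the two breakers bounding area k trip
    while lo in refusing and lo > 0:  # a refusing breaker hands the trip to its neighbour
        lo -= 1
    while hi in refusing and hi < n:
        hi += 1
    for a in feeder.areas[lo:hi]:     # isolated until repair
        outage[a.name] = LONG_TERM_MIN
    transferred = feeder.areas[hi:]   # eq. (7): resupplied through the tie line
    for a in transferred:
        outage[a.name] = SHORT_TERM_MIN
    # eq. (8): backup overcurrent protection at the neighbour's outlet breaker
    if transferred and sum(a.load_ka for a in neighbour.areas + transferred) > neighbour.relay_ka:
        for a in neighbour.areas + transferred:
            outage[a.name] = LONG_TERM_MIN
    return outage


def consequence(outage, *feeders):
    """Monetary loss C: damage cost per minute times outage minutes, summed."""
    cost = {a.name: a.loss_per_min for f in feeders for a in f.areas}
    return sum(cost[name] * minutes for name, minutes in outage.items())


def risk_index(p_attack, outage, *feeders):
    """Eq. (1): RI = probability of a successful attack x consequence."""
    return p_attack * consequence(outage, *feeders)


# Constructed sample system: feeder A (four areas) tied to feeder B (two areas)
FEEDER_A = Feeder("A", 1.0, (Area("A1", 0.30, 50.0), Area("A2", 0.20, 20.0),
                             Area("A3", 0.25, 80.0), Area("A4", 0.25, 40.0)))
FEEDER_B = Feeder("B", 1.0, (Area("B1", 0.40, 30.0), Area("B2", 0.30, 10.0)))
CURRENTS_A = [1.0, 0.70, 0.50, 0.25, 0.0]   # breakers 0-3 carry load; breaker 4 is the open tie line


def demo(p_attack=0.30):
    """RI for four signal patterns seen by feeder A's FA logic."""
    cases = {
        "genuine_fault_A3": ([True, True, True, False, False], ()),      # real fault in A3
        "tampered_breaker1": ([True, True, False, False, False], ()),    # scenario 1 at breaker 1
        "tampered_A3_refusing3": ([True, True, True, False, False], (3,)),  # scenario 2
        "tie_line_report": ([False, False, False, False, True], ()),     # rejected as implausible
    }
    return {name: risk_index(p_attack, flisr_outage(FEEDER_A, FEEDER_B, sig, CURRENTS_A, refusing),
                             FEEDER_A, FEEDER_B)
            for name, (sig, refusing) in cases.items()}


if __name__ == "__main__":
    for name, ri in demo().items():
        print(f"{name:24s} RI = {ri:8.1f}")
```

The genuine fault and the scenario 1 pattern produce exactly the same isolation from the FA logic's point of view, which is the paper's point; the difference in RI between them comes from which areas end up transferred to feeder B and whether that transfer trips B's backup protection, as happens to feeder S1 in the case study.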
IV. CASE STUDY
A modified three-feeder DS with hand-in-hand mode, as shown in Fig. 6, is studied to validate the effectiveness of the proposed method. All the main distribution lines consist of electric cables. Hence, there are 13 RMUs, marked by DTU* or FTU*, to control the relevant breakers. One of the outlet lines in DTU4 is connected to the overhead power line that delivers electricity to a remote place via FTU1. The detailed system data can be found in [12]. The categories of power consumers are listed in Table II.
All DTUs and FTUs are controlled by the GOOSE-based technique. The probabilities of the preconditions are assigned values between 0.8 and 1 as suggested in [9]. According to the practical FA projects built in China, the CVSS scores of <debug,1,2>, <web,1,3>, <login,2,3> and <protocol,3,4> are set to 1.7, 2.9, 5.3 and 8 (the details can be found in [10]), respectively. Hence, the posterior probability of successfully exploiting an individual RTU can be calculated. The backup relay threshold settings for the three main feeder breakers are given as follows: , = 1.1 kA, , = 1.6 kA, , = 0.7 kA.
Fig. 7 shows the RI values of different breakers under the two aforementioned attack scenarios, considering the skill level of the attackers. It can be seen that the highest RI corresponds to D53. The main reason is that the current of main feeder S1 exceeds the relay setting threshold after FLISR, resulting in the loss of all consumers supplied by S1. The risks pertinent to D41, D61 and D101 are 0, which means that the proposed attack strategy is invalid for the tie line breakers. This is reasonable, since a fault signal sent from a tie line breaker will be considered as misinformation because no current flows through the breaker during normal operation.
Figure 6. Three-feeder DS with hand-in-hand mode.
TABLE II. CATEGORIES OF POWER CONSUMERS

Category          Power Supply Area
Small industry    DTU1, DTU4
Business          DTU2, DTU11, DTU5, DTU6
Residence         DTU12, DTU3, DTU7, DTU10, FTU1
Important users   DTU8
Government        DTU9
Figure 7. RI indices of individual breakers under attack.
Figure 8. RI indices of RTUs under attack.
The RI values of the DTUs that control all the breakers located at the same RMU are shown in Fig. 8. The RI values of DTU 3, DTU 6 and FTU1 are very low no matter how high the skill level of an attacker is. This is because these consumers are connected at the end of the feeder, so the FA will not affect other users. Besides, the low SCDF values of the power consumers supplied by DTU 7, DTU 9 and DTU 12 make their RI values relatively low, whereas the high SCDF values of the consumers supplied by DTU 4 and DTU 8 make their RI values extremely high. What makes the RI value of DTU 5 the highest is that the backup protection of DTU S1 sheds the consumers transferred from the neighboring area together with those supplied by DTU S1 itself.
Figure 9. The proportion of RI of different kinds of breakers under attack: (a) Method 1 (Normal); (b) Method 2 (Normal).
In Fig. 9, the RI values of breakers located at the same DTU under cyber-attack are compared according to the types of breakers. Generally, the inlet breaker causes more severe consequences under cyber-attack.
V. CONCLUSION
The potential risks in a GOOSE-based intelligent distributed automation system under the two most likely cyber-attack scenarios are elaborately studied in this paper. The probability of a successful attack is calculated by using the BAG and the CPT. The simulation results demonstrate that not all cyber assets are equally important. More capital should be invested in the assets with higher RI values and in the protection of inlet breakers. It should be noted that the categories of power consumers, the topology of the test system, the protection settings and the maintenance time contribute greatly to the RI.
REFERENCES
[1] D. Shelar and S. Amin, "Security Assessment of Electricity
Distribution Networks Under DER Node Compromises," IEEE
Transactions on Control of Network Systems, vol. 4, pp. 23-36, 2017.
[2] X. D. Liu, M. Shahidehpour, Z. Y. Li, X. Liu, Y. J. Cao, and Z. Y. Li,
"Power System Risk Assessment in Cyber Attacks Considering the
Role of Protection Systems," IEEE Transactions on Smart Grid, vol. 8,
pp. 572-580, Mar 2017.
[3] X. M. Ye, J. H. Zhao, Y. Zhang, and F. S. Wen, "Quantitative
Vulnerability Assessment of Cyber Security for Distribution
Automation Systems," Energies, vol. 8, pp. 5266-5286, Jun 2015.
[4] C. Wang, C. W. Ten, Y. H. Hou, and A. Ginter, "Cyber Inference
System for Substation Anomalies Against Alter-and-Hide Attacks,"
IEEE Transactions on Power Systems, vol. 32, pp. 896-909, Mar 2017.
[5] M. S. Rahman, M. A. Mahmud, A. M. T. Oo, and H. R. Pota, "Multi-
Agent Approach for Enhancing Security of Protection Schemes in
Cyber-Physical Energy Systems," IEEE Transactions on Industrial
Informatics, vol. 13, pp. 436-447, Apr 2017.
[6] E. Bou-Harb, C. Fachkha, M. Pourzandi, M. Debbabi, and C. Assi,
"Communication Security for Smart Grid Distribution Networks,"
IEEE Communications Magazine, vol. 51, pp. 42-49, Jan 2013.
[7] M. Levesque, D. Q. Xu, G. Joos, and M. Maier, "Communications and
power distribution network co-simulation for multidisciplinary smart
grid experimentations," in 45th Annual Simulation Symp., pp. 55-61.
[8] W. Nzoukou, L. Wang, S. Jajodia, and A. Singhal, "A Unified
Framework for Measuring a Network's Mean Time-to-Compromise,"
in 2013 IEEE 32nd International Symposium on Reliable Distributed
Systems, pp. 215-224.
[9] Y. C. Zhang, L. F. Wang, Y. M. Xiang, and C. W. Ten, "Power System
Reliability Evaluation With SCADA Cybersecurity Considerations,"
IEEE Transactions on Smart Grid, vol. 6, pp. 1707-1721, Jul 2015.
[10] P. Mell, K. Scarfone, and S. Romanosky, "Common vulnerability,
scoring system," IEEE Security & Privacy, vol. 4, pp. 85-89, Nov
2006.
[11] R. Li, Y. Li, J. Su, X. Bu, and Y. Hou, "Power supply interruption cost
of important power consumers in distribution network and its
emergency management," Power System Technology, vol. 35, pp. 170-
176, 2011.
[12] A. C. Santos, A. C. B. Delbem, J. B. A. London, and N. G. Bretas,
"Node-Depth Encoding and Multiobjective Evolutionary Algorithm
Applied to Large-Scale Distribution System Reconfiguration," IEEE
Transactions on Power Systems, vol. 25, pp. 1254-1265, 2010.