A BEHAVIOR-BASED METHOD FOR THREAT DETECTION AND PREVENTION IN ENERGY AUTOMATION SYSTEMS

IP.com Disclosure Number: IPCOM000246409D
Publication Date: 2016-Jun-06
Document File: 4 page(s) / 133K

Publishing Venue

The IP.com Prior Art Database

Related People

Maik Seewald: AUTHOR

Abstract

Presented herein is a threat detection and prevention method for electrical substations. It relies on detecting deviations and anomalies from the expected behavior of an IEC 61850 based substation, and it keeps that behavior model current by "learning" the normal behavior of each component of each individual substation.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 4

A BEHAVIOR-BASED METHOD FOR THREAT DETECTION AND PREVENTION IN ENERGY AUTOMATION SYSTEMS

 AUTHOR: Maik Seewald

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    Electrical substations are a key component of a nation's power grid and critical infrastructure. Because of this importance they are at high risk of attacks on both primary and secondary substation equipment, where the malicious intent is to take over or power down the grid. The well-known power grid attack patterns have recently been overshadowed by newer, more sophisticated threats. Such threats can be based on the modification of devices and protocols, or simply on the misuse of legitimate functions in order to trigger disastrous events, whereas past attacks relied on the exploitation of network flaws and heavy use of "standardized scripts and packets."

    Traditional network-based Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) methods are designed to detect known signatures or code patterns and cannot detect or prevent such attacks. In order to counteract these new threats, the security measures need to act as a system that "monitors the behavior of the actors" and compares it to a "normal" behavior model for that substation.

    The solution presented herein is a method that uses domain-specific information derived from an extensive data model in order to configure security appliances, such as firewalls with IPS/IDS functionality, within an electrical substation. This enables the security appliances to establish and perform behavior-based threat detection, mitigation and prevention. Today's electrical substations are increasingly built on the international standard IEC 61850. IEC 61850 comprises three main building blocks: an object model, communication mappings and a configuration language. The configuration of Intelligent Electronic Devices (IEDs), as well as of the entire substation automation system, is defined in specific configuration files based on the Substation Configuration Language (SCL).

Copyright 2016 Cisco Systems, Inc.

    The system and method presented herein make use of the domain-specific engineering data used within the components of a given substation, such as the Substation Automation System (SAS) and the IEDs, in order to identify misuse, malicious modifications and the threats that result from them. From the SCL files, the security appliance (e.g., firewall) learns the...
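The following is an added example, not code from the disclosure or from Cisco, illustrating the idea in the two preceding paragraphs: the engineering data in an SCL file already names every IED, its station-bus address and its GOOSE control blocks, so a security appliance can derive an allow-list from it and flag traffic that does not match. The SCL element names (Communication, SubNetwork, ConnectedAP, Address/P, GSE) and the namespace follow the IEC 61850-6 schema, and TCP/102 is the port used for IEC 61850-8-1 MMS; the SCL fragment, the addresses, the observed flows and the specific allow-list policy in the classify_* functions are constructed assumptions for this example and are not the disclosure's method.

```python
"""Derive a per-substation behaviour model from IEC 61850 SCL engineering data
and check observed station-bus traffic against it.

Added example, not the disclosure's code. The SCL fragment, addresses and
observed flows below are constructed; the allow-list policy is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}
MMS_PORT = 102  # IEC 61850-8-1 MMS runs over ISO transport on TCP/102

# Constructed SCL fragment: two IEDs on one station bus, one GOOSE control block.
SAMPLE_SCL = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Header id="DemoSubstation"/>
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT1" apName="AP1">
        <Address>
          <P type="IP">10.10.1.11</P>
          <P type="IP-SUBNET">255.255.255.0</P>
        </Address>
        <GSE ldInst="LD0" cbName="gcb1">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="APPID">0001</P>
            <P type="VLAN-ID">005</P>
          </Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="CTRL1" apName="AP1">
        <Address>
          <P type="IP">10.10.1.12</P>
        </Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT1" manufacturer="Example"/>
  <IED name="CTRL1" manufacturer="Example"/>
</SCL>
"""


@dataclass
class Model:
    ied_ips: dict = field(default_factory=dict)  # IED name -> engineered IP
    goose: set = field(default_factory=set)      # (publisher, dst MAC, APPID)


def load_model(scl_text: str) -> Model:
    """Extract engineered endpoints and GOOSE streams from an SCL document."""
    # SCL received from an untrusted source should be parsed with defusedxml.
    root = ET.fromstring(scl_text)
    model = Model()
    for ap in root.findall(".//scl:Communication//scl:ConnectedAP", NS):
        ied = ap.get("iedName")
        ip = ap.findtext("scl:Address/scl:P[@type='IP']", namespaces=NS)
        if ip:  # process-bus-only access points carry no IP address
            model.ied_ips[ied] = ip.strip()
        for gse in ap.findall("scl:GSE", NS):
            mac = gse.findtext("scl:Address/scl:P[@type='MAC-Address']", namespaces=NS)
            appid = gse.findtext("scl:Address/scl:P[@type='APPID']", namespaces=NS)
            if mac and appid:  # APPID is engineered as a hex string
                model.goose.add((ied, mac.strip().lower(), int(appid, 16)))
    return model


def classify_ip_flow(model: Model, src_ip: str, dst_ip: str, dst_port: int) -> tuple:
    """Verdict for one observed TCP flow as ("ok" | "alert", reason)."""
    engineered = set(model.ied_ips.values())
    if src_ip not in engineered or dst_ip not in engineered:
        return ("alert", "endpoint not engineered in SCL")
    if dst_port != MMS_PORT:
        return ("alert", f"unexpected service tcp/{dst_port} between engineered IEDs")
    return ("ok", "MMS between engineered IEDs")


def classify_goose(model: Model, dst_mac: str, appid: int) -> tuple:
    """Verdict for one observed GOOSE frame, keyed on multicast MAC and APPID."""
    if any(mac == dst_mac.lower() and a == appid for _, mac, a in model.goose):
        return ("ok", "engineered GOOSE control block")
    return ("alert", "GOOSE stream not present in SCL")


if __name__ == "__main__":
    m = load_model(SAMPLE_SCL)
    # Constructed observations: a legitimate MMS session, a rogue host,
    # the engineered GOOSE stream, and a frame with a spoofed APPID.
    print(classify_ip_flow(m, "10.10.1.12", "10.10.1.11", 102))
    print(classify_ip_flow(m, "10.10.1.99", "10.10.1.11", 102))
    print(classify_goose(m, "01-0C-CD-01-00-01", 0x0001))
    print(classify_goose(m, "01-0C-CD-01-00-01", 0x0BAD))
```

The point of the example is that nothing here depends on an attack signature: the allow-list is a pure function of the substation's own engineering file, so a flow from an address that was never engineered, or a GOOSE stream whose APPID does not appear in any GSE block, is flagged regardless of payload. A real deployment would extend the model with the remaining SCL information (report and sampled-value control blocks, the logical-node data model, which clients may write to which controllable objects) and would re-derive it whenever the SCL is changed through the normal engineering process.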