Int
ern
at
i
onal
Journ
al of Ele
ctrical
an
d
Co
mput
er
En
gin
eeri
ng
(IJ
E
C
E)
Vo
l.
8
,
No.
6
,
D
ece
m
ber
201
8
, pp.
4423
~
44
31
IS
S
N:
20
88
-
8708
,
DOI: 10
.11
591/
ijece
.
v
8
i
6
.
pp
4423
-
44
31
4423
Journ
al h
om
e
page
:
http:
//
ia
es
core
.c
om/
journa
ls
/i
ndex.
ph
p/IJECE
A Defense
-
in
-
de
pth
Cyber
securit
y for Sm
art Sub
stat
i
ons
M.
N. D
az
ah
r
a
,
F. Elm
aria
mi
,
A
. Belfqih
, J. B
ou
khe
ro
uaa
Depa
rtment
o
f
E
le
c
tri
c
al Net
wor
ks a
nd
Sta
ti
c
Co
nver
te
rs,
Nat
ion
al
super
ior
Scho
ol
of El
ec
tr
ic
i
t
y
and
Mec
h
anics,
Morocc
o
Art
ic
le
In
f
o
ABSTR
A
CT
Art
ic
le
history:
Re
cei
ved
Ma
r 27
, 201
8
Re
vised
Ma
y
27
, 2
01
8
Accepte
d
J
un
10
, 201
8
The
inc
r
ea
se
of
c
y
b
er
-
a
tt
a
cks
on
industri
al
and
p
ower
sy
st
ems
in
the
rec
en
t
y
e
ars
m
ake
the
c
y
ber
s
ec
uri
t
y
of
supervisor
y
cont
r
ol
and
da
ta
a
cqu
isit
ion
an
d
subs
ta
ti
on
au
to
m
at
ion
s
y
st
ems
a
high
important
engi
ne
eri
ng
issu
e.
Th
is
pape
r
proposes
a
def
e
nse
in
dept
h
c
yber
sec
uri
t
y
solu
t
ion
for
sm
art
su
bstat
ions
in
diffe
ren
t
lay
e
rs
of
the
subs
ta
tion
aut
om
at
ion
s
y
stem.
In
fa
ct
,
it
pre
sent
s
poss
ibl
e
vulne
r
a
bil
ities
in
the
subs
ta
ti
on
aut
om
at
ion
s
y
stem
an
d
propose
a
m
ult
ipl
e
lay
e
r
soluti
on
base
d
o
n
best
pra
ct
i
ce
i
n
c
y
be
r
s
ec
urity
such
as
the
har
deni
ng
ofd
evi
c
es,
white
l
i
sting,
net
work
conf
igura
t
ion,
net
work
segm
ent
at
ion
,
role
-
base
d
a
ccount
m
ana
gement
and
c
y
be
r
sec
ur
i
t
y
m
ana
gement and
depl
o
y
emen
t.
Ke
yw
or
d:
Cy
ber
sec
ur
it
y
Def
e
ns
e i
n dept
h
IEC6
1850
Sm
art su
bs
ta
ti
on
Substat
ion
aut
om
ation
Copyright
©
201
8
Instit
ut
e
o
f Ad
vanc
ed
Engi
n
ee
r
ing
and
S
cienc
e
.
Al
l
rights re
serv
ed
.
Corres
pond
in
g
Aut
h
or
:
Dazah
ra M
oh
a
m
ed
N
ouh,
Dep
a
rtm
ent o
f El
ect
rical
N
et
works a
nd Stat
ic
Conver
te
rs,
Nati
on
al
superi
or Sc
hool
of
Ele
ct
rici
ty
an
d
M
echan
ic
s
,
Road
El Ja
did
a
, K
m
7
, B
P: 8
1
18, Oasi
s
–
Ca
s
ablanca,
Mo
rocco.
Em
a
il
:
m
.n
.d
azahra
@g
m
ai
l.com
1.
INTROD
U
CTION
The
po
wer
gr
i
d
is
a
national
crit
ic
al
infr
ast
r
uctu
re
that
pla
ys
an
i
m
po
rtan
t
pill
ar
fo
r
the
dev
el
op
m
ent
of
a
nation,
w
hen
el
ect
rici
ty
stop
s
e
ver
yt
hi
ng
sto
p.
T
he
gr
ow
t
h
of
pow
er
gr
id
a
nd
the
use
of
c
omm
un
i
cat
ion
te
chnolo
gies
m
ake
it
vu
l
ner
a
bl
e
to
cy
be
r
-
at
ta
cks,
te
rror
ist
at
ta
cks,
va
nd
al
is
m
and
ot
her
t
hreat
s.
Accor
din
g
to
Nati
on
al
I
ns
ti
tute
of
Sta
ndar
ds
a
nd
Tec
hnol
og
y
NI
S
T
the
threats
of
cy
be
r
-
a
tt
acks
on
Super
visory
c
on
tr
ol
an
d
data acq
uisit
io
n
SC
ADA has
increase
d four
tim
es in th
e las
t y
ears.
The
fi
rst
at
ta
ck
on
a
powe
r
gr
i
d
was
t
he
at
ta
ck
on
a
Ukra
inian
util
it
y
(Ivano
-
Fr
a
nkivs
k)
SCA
DA
i
n
Decem
ber
2015.
Fi
rst,
the
ha
cker
got
acce
s
s
to
the
SCA
D
A
an
d
sta
rted
disablin
g
the
powe
r
backu
p
s
yst
e
m
.
The
n,
he
blo
c
ked
the
c
us
to
m
er
cal
l
centre
s.
Finall
y,
he
s
ta
rted
ope
ning
ci
rcu
it
brea
ke
rs
a
nd
delet
in
g
us
e
r’
s
accounts w
hich
pr
e
ve
nt
the operat
or
s
f
ro
m
cl
os
in
g
the
ci
rc
uit
breake
rs
t
o
resto
re n
orm
al
sta
te
.
the
dam
a
ges
of
these
at
ta
ck
w
ere
a
disc
onne
ct
ion
of
30
substat
ion
s
w
hich
im
pacted
225
00
0
cu
stom
ers
f
or
3
hour
s
[1]
.
The
im
pact o
f
this att
ack s
ho
ws
th
e
necessit
y of t
akin
g
act
i
on
s
to
secu
re t
he powe
r gr
id
against cy
ber
-
a
tt
acks.
Substat
ion
s a
re
the h
earth
of
t
he
powe
r
gri
d,
and
the sec
uri
ty
o
f
the pow
e
r
gr
i
d
nee
ds
to
be
d
one first
at
the
substat
ion
s
le
vel.
As
new
m
od
er
n
s
ub
sta
ti
ons
or
s
m
art
su
bs
ta
ti
ons
a
re
based
on
I
EC6
1850
st
and
a
r
ds
and
Et
hernet
com
m
un
ic
at
ion
;
al
so
,
they
are
connecte
d
to
S
CAD
A
an
d
co
rpor
at
e
n
et
wor
k,
w
hich
m
ake
the
m
m
or
e
vu
lne
rab
l
e
to
cy
ber
-
at
ta
cks
[
2].
Re
cent
ly
,
the
cy
ber
s
ecur
it
y
in
subs
ta
ti
on
s
has
rec
ei
ved
m
or
e
an
d
m
or
e
at
te
ntion
[3
]
-
[4]
.
Ther
e
ha
ve
be
en
m
any
research
es
a
nd
act
ion
s
on
the
c
ybersec
ur
it
y
of
substat
io
ns
.
In
fact,
the
Tech
nical
Com
m
i
tt
ee
Nu
m
ber
57
TC5
7
of
the
I
nternat
ion
al
Ele
ct
r
otechn
ic
al
Com
m
issi
on
I
EC
has
al
ready
dev
el
op
e
d
se
ve
ral
sta
ndar
ds
to
so
l
ve
sec
ur
i
ty
pr
oble
m
s
in
the
aut
om
ation
syst
em
IEC
62351
sta
ndar
ds
f
or
Power
syst
em
s
m
anag
e
m
ent
and
a
s
so
ci
at
ed
i
nfor
m
at
ion
exc
hange
-
d
at
a
a
nd
com
m
un
ic
at
ions
secur
it
y
[
5
]
-
[
6
]
.
T
he
I
EC
62
443
sta
ndar
d
de
fines
secu
rity
f
or
in
du
st
rial
co
ntr
ol
syst
em
s
of
the
po
wer
syst
e
m
s.
These
sta
ndar
ds gi
ve
a
guideli
ne on h
ow to
a
pp
ly
cybe
rsec
uri
ty
in
operati
on a
nd m
ai
ntenan
ce
[
7
]
.
Evaluation Warning : The document was created with Spire.PDF for Python.
IS
S
N
:
2088
-
87
08
In
t J
Elec
&
C
om
p
En
g,
V
ol.
8
, N
o.
6
,
Dece
m
ber
201
8
:
4423
-
4431
4424
More
resea
rches
ha
ve
be
e
n
done
on
t
he
cy
ber
sec
uri
ty
of
the
subst
at
ion
s.
I
n
[
8
]
-
[
10
]
aut
hors
pr
ese
nted
s
olu
t
ion
s
f
or
intrusi
on
detect
ion
ba
sed
on
IEC
61
850
pr
oto
c
ol.
I
n
[
8
]
-
[1
1
]
so
m
e
cy
ber
sec
ur
it
y
te
st
-
bed
w
he
re
pr
e
sented
to
te
st
and
detect
vulnera
bili
ti
es
in
the
S
ubsta
ti
on
A
uto
m
a
ti
on
S
yst
e
m
SA
S
ba
sed
on
fu
zzy
te
st.
S
om
e
research
e
s p
rese
nted
phys
ic
al
secur
it
y
usi
ng
unidirecti
onal
gate
ways
[
1
2
]
, while
oth
e
rs
we
re
interest
ed
i
n
a
ddin
g
e
ncr
y
ptio
n
to
pr
oto
c
ol [1
3
].
Howe
ver,
thes
e
work
s
sta
y
in
su
f
fici
ent
f
or
c
ybersec
ur
it
y
of
SA
S
becau
se
i
t
will
be
too
la
te
to
detect
an
intr
us
io
n
if
it
is
no
t
sto
pped
at
first
place
because
unti
l
the
zer
o
day
at
ta
ck
the
hac
ker
ca
n
ca
us
e
seve
r
e
dam
ages
on
th
e
substat
ion.
More
ov
e
r,
t
he
sta
nd
a
r
ds
have
not
bee
n
im
plem
ented
by
m
anu
fact
ur
es
because
they
are
f
oc
u
si
ng
on
op
e
rati
on
m
or
e
tha
n
se
cur
it
y,
f
or
exa
m
ple
the
app
li
cat
ion
of
t
he
e
ncr
y
ption
pro
pose
d
in
sta
nd
a
rds
IEC
62351
-
5
cause
d
a
tim
e
delay
to
the
pac
ket
s
wh
ic
h
is
not
acce
pted
in
t
he
ope
rati
on
of
SAS.
The
pr
opos
e
d
so
luti
ons
in
li
te
ratur
e
f
or
cy
be
rsecurit
y
i
n
su
bs
ta
ti
on
are
i
n
m
os
t
tim
e
no
t
pr
act
ic
al
or
c
om
plex
to
be
im
ple
m
e
nted
in
the
SAS.
Most
resea
r
ches
f
oc
us
ed
on
exter
nal
at
ta
cks
but
not
m
u
ch
on
ho
w
to
preve
nt
from
internal
at
ta
cks.
In
reali
ty
,
there
is
m
or
e
requirem
ents
of
in
-
de
pth
in
vestigat
io
n,
an
al
ysi
s
and
pr
ac
ti
cal
so
luti
on
f
or
c
ybersec
ur
it
y.
To
this
en
d,
this
pap
e
r
pro
po
s
es
a
reali
sti
c
def
ense
in
dep
th
s
olu
ti
on
f
or
cy
ber
sec
ur
it
y
in
sm
art
su
bs
ta
ti
on
s
base
d
on
best
pr
act
ic
es
in
cy
ber
secu
ri
ty
in
or
der
to
pr
e
ve
nt
interna
l
and
exter
nal treat
s
of cy
ber
-
at
t
ack
s at dif
fer
e
nt le
vels
of
t
he
S
A
S.
The
rem
ai
nd
er
of
this
pap
e
r
is
or
ga
nized
a
s
fo
ll
ow.
Sect
ion
2
pr
es
ents
the
arch
it
ect
ur
e
of
sm
ar
t
su
bst
at
ion
s
with
the
IEC6
1850
pr
oto
c
ol.
Sect
ion
3
giv
es
an
ov
e
rv
i
ew
of
the
cy
ber
vu
l
ner
a
bili
ti
es
in
su
bst
at
ion
a
ut
om
ation
syst
e
m
s
and
their
i
m
pact
on
s
ubsta
ti
on
opera
ti
on
.
Ba
se
d
on
the
vulne
ra
bili
ti
es
pr
ese
nted
in
s
ect
ion
2,
sect
i
on
4
pr
e
sents
a
fr
am
ewo
r
k
of
cy
ber
sec
uri
ty
fo
r
substat
io
n.
Fi
nally
,
sec
ti
on
5
con
cl
ud
e
s this
pap
e
r
a
nd s
ugge
sts f
utu
re
r
ese
arch w
ork.
2.
SU
BST
ATIO
N A
UTO
M
A
TION
SYST
EM
ARCHITE
CTU
RE
The
s
ubsta
ti
on
autom
at
ion
s
yst
e
m
in
s
m
art
su
bs
ta
ti
on
use
s
a
three
-
la
ye
r
arc
hitec
ture
form
ed
of
su
bst
at
ion
le
ve
l,
bay
le
vel
and
proces
s
le
ve
l.
The
substat
ion
le
vel
c
on
ta
i
ns
H
um
an
Mach
ine
I
nter
face
s
that
disp
la
ys
t
he
st
at
us
of
I
E
Ds,
bay
c
on
tr
oller
an
d
oth
e
r
de
vices,
it
al
lo
w
s
operat
or
s
to
co
ntr
ol
the
pri
m
ary
equ
i
pm
ent
su
ch
as
ci
rc
uit
breake
rs
a
nd
di
sconnecto
rs.
The
s
ub
sta
ti
on
le
vel
co
ntains
al
so
e
ngin
eerin
g
workst
at
ion
t
ha
t
al
lows
co
nfi
gurati
on
a
nd
set
ti
ng
s
of
a
ll
dev
ic
es
in
the
substat
io
n.
The
s
ubsta
ti
on
is
m
on
it
or
ed
rem
otely
by
co
ntr
ol
centre
c
onnec
te
d
via
a
gate
way,
a
nd
the
c
omm
un
ic
at
ion
is
ens
ur
e
d
acc
ordi
ng
to
so
m
e
protoc
ols
su
c
h
as
IE
C
60870
-
5
-
104,
IEC
60
870
-
5
-
101,
D
NP3
or
t
he
ne
w
pro
tocol
I
EC6
1850
-
90
-
2
[14]
-
[
15]
.
The
bay
le
vel
com
pr
ise
s
In
te
ll
igent
Ele
ct
ronic
De
vices
IE
D
su
c
h
as
num
eric
protect
ive
relay
s,
bay
con
t
ro
ll
ers
an
d
netw
ork
a
naly
ser.
T
he
proce
ss
le
vel
c
on
ta
i
ns
m
arg
in
unit
that
sen
ds
per
i
od
ic
al
sam
pled
value
of
th
ree
ph
a
se
s
cur
re
nt
an
d
vo
lt
age
us
in
g
the
Sam
pled
M
easur
e
Values
SMV;
al
so
,
th
e
pr
oce
ss
com
pr
ise
s
intel
li
gen
t
ci
rcu
it
br
ea
ker
tha
t
con
tr
olled
by
Gen
e
ric
Obje
ct
-
Or
ie
nted
S
ubsta
ti
on
E
ven
t
GOOSE
[
16]
-
[17].
The
i
nterf
ace
s
betwee
n
the
se
three le
vels are
two net
wor
ks
.
The
substat
io
n
networ
k
co
nnect
s
equ
ip
m
ents
in
su
bs
ta
ti
on
le
vel
with
de
vices
in
bay
le
vel.
I
n
the
su
bst
at
ion
net
work
the
Ma
nufactu
rin
g
Me
ssage
Sp
ec
ific
at
ion
MM
S
is
a
dopted
f
or
t
he
cl
ie
nt/serve
r
com
m
un
ic
at
ion
,
the
Pr
eci
si
on
Tim
e
Pr
oto
c
ol
PTP
def
i
ne
d
in
IEEE
15
88
is
us
e
d
f
or
high
preci
sio
n
tim
e
synch
ronisat
io
n
f
or
the
S
AS
[18],
ot
her
pro
tocols
s
uc
h
as
Si
m
ple
Netw
ork
Ma
nagem
ent
Pr
ot
oco
l
S
N
PM
is
us
e
d
f
or
Ma
na
gem
ent
of
S
AS
netw
ork,
File
Transfe
r
Proto
col
FTP
is use
d
to
tra
nsfer
se
tt
ing
to
I
EDs
a
nd
The
Hype
rtext
T
ra
ns
fe
r
P
r
oto
c
ol
is
us
e
d
to
ge
t
acce
s
s
to
e
m
bed
ded
we
b
ser
ver
i
n
s
om
e
IED
s.
T
he
process
netw
ork
c
onne
ct
s
the
bay
le
ve
l
and
the
pr
oc
ess
le
vel,
w
hile
G
OOSE
a
nd
SMV
a
re
a
dopt
ed
f
or
real
tim
e
hi
gh
sp
ee
d
c
omm
un
ic
at
ion
.
Fi
gure
1 pr
ese
nts t
he a
rch
it
ect
ure
of
a sm
art su
bs
ta
ti
on
.
3.
SU
BST
ATIO
N
AU
TO
M
A
TION
SYST
EMV
ULNE
R
A
BIL
ITIE
S
The
s
ubsta
ti
on
is expose
d
to
wide ran
ge of
cy
ber
th
reats, t
hese threat
s ca
n
be
ex
te
rn
al
t
hr
eat
s s
uc
h
as
te
rr
ori
st,
sp
yi
ng
or
hack
e
rs
;
al
so
,
they
can
be
inter
nal
threats
inten
ded
by
disgruntl
ed
em
plo
ye
es
or
inad
ver
te
ntly
t
hr
eat
s
ca
us
ed
i
n
m
ai
ntenan
ce
ph
a
ses.
Fig
ure
2
de
pict
the
sever
al
points
f
r
om
wh
ere
an
i
ntrude
r
can
get access
to the SA
S.
Evaluation Warning : The document was created with Spire.PDF for Python.
In
t J
Elec
&
C
om
p
En
g
IS
S
N:
20
88
-
8708
A D
ef
e
ns
e
-
in
-
de
pth
Cy
bersec
ur
it
y for
….
(
D
az
ahr
a
M
oham
ed
N
ouh
)
4425
Figure
1
.
Sm
art substat
ion
a
rc
hitec
ture
Figure
2
.
Vuln
erab
le
points i
n
a
sm
art
su
bs
t
at
ion
The
si
gn
i
ficat
ion an
d
t
he
im
pact o
f
the i
ntr
uder
in
eac
h p
oin
t f
ro
m
Figure
2
is
desc
ribe
d belo
w.
a.
Po
int
1: C
on
tr
ol cen
t
re
If
th
e
intr
uder
get
acce
ss
to
th
e
co
ntro
l
ce
ntr
e,
he
ca
n
se
nd
con
t
ro
l
orders
to
the
s
ubsta
ti
on
’s
pri
m
ary
equ
i
pm
ents, which
will
cause
a d
ist
urban
ce
or a
black
ou
t t
o
the
po
wer sy
stem
.
Evaluation Warning : The document was created with Spire.PDF for Python.
IS
S
N
:
2088
-
87
08
In
t J
Elec
&
C
om
p
En
g,
V
ol.
8
, N
o.
6
,
Dece
m
ber
201
8
:
4423
-
4431
4426
b.
Po
int
2: C
orporate Net
work
If
the
int
rude
r
get
acce
ss
to
the
enter
pri
se
corp
or
at
e
net
work,
he
ca
n
get
data
that
are
c
onfide
ntial
from
the substati
on
s
uc
h
as
r
eal
en
er
gy c
onsu
m
ption
.
c.
Po
int
3:
Gat
ew
ay
f
or c
omm
un
ic
at
ion
w
it
h
c
ontr
ol cen
tr
e
The
i
ntr
ud
e
r
c
an
do
a
n
at
ta
ck
in
t
wo
w
ay
s.
First,
a
m
al
war
e
in
US
B
key
because
gatew
ay
s
oft
en
use
an
em
bed
de
d
op
e
rati
ng
syst
e
m
wh
ic
h
will
m
ake
it
easi
ly
i
m
ple
m
ented.
The
m
al
war
e
c
an
se
nd
false
data
t
o
con
t
ro
l
cent
re
and
co
ntr
ol
orde
rs
to
the
prim
ary
equ
ipm
ents.
Seco
nd,
the
intruder
c
an
pr
et
e
nd
to
be
the
gateway
by
usi
ng
a
sim
ulator
of
le
gacy
protoc
ol
su
c
h
as
IEC6
0870
-
5
-
101,
IEC
6087
0
-
5
-
104
or
D
NP3
a
nd
sen
d
false
m
easur
em
ents
an
d
da
ta
to
the
con
t
ro
l
ce
ntre,
wh
ic
h
ca
n
af
f
ect
app
li
cat
ions
instal
le
d
in
con
t
rol
centre
t
hat
us
e
these
data
s
uc
h
as
ene
r
gy
m
anag
em
ent
sys
tem
or
distrib
ut
ion
m
anag
em
ent
syst
em
.
Also
,
the
intruder
s
can
interr
upt
con
t
rol
or
de
rs
f
ro
m
con
t
ro
l
cent
re
and
se
nd
false
feedback
,
w
hi
ch
can
distu
r
b
the
pow
e
r
syst
em
f
or exam
ple in t
he
case
of is
olati
ng
a
hea
vy lo
ad.
d.
Po
int
4:
Gatew
ay
f
or c
omm
un
ic
at
ion
w
it
h
e
nt
erp
rise
The
sam
e
case
at
point
3,
the
intr
ud
e
r
ca
n
pret
en
d
to
be
th
is
gateway
an
d
sen
d
false
m
easur
em
ents
wh
ic
h wil
l affe
ct
r
ep
or
ts
u
se
d by the e
nter
pr
i
se or in
fect t
he
g
at
eway
by
U
SB k
ey
m
al
war
e.
e.
Po
int
5:
Hu
m
an
Ma
c
hin
e
In
te
rf
ace
The
HMI
is
one
of
the
cr
ucial
point
t
o
be
protect
ed
i
n
a
substat
ion
beca
use
it
co
ntains
i
nterf
ace
s
t
o
con
t
ro
l
t
he
pr
i
m
ary
equ
i
pm
e
nt
a
nd
ha
ve
m
any
vu
l
ner
a
bili
ti
es.
I
n
fact,
t
he
in
tr
ud
e
r
c
an
do
se
ver
al
at
ta
cks
i
n
the
HM
I,
f
or
i
ns
ta
nce
,
he
can
crack
the
pass
word
of
the
use
r’
s
acc
ounts
a
nd
sta
rts
e
xecut
ing
c
on
tr
ol
order
s
t
o
sh
ut
down
t
he
su
bst
at
ion
;
al
so
,
he
ca
n
us
e
a
fak
e
IEC
61850
cl
ie
nt
an
d
s
end
c
on
t
ro
ls
to
diff
e
ren
t
IEC
6185
0
serv
e
r
s.
Besi
de
s,
he
ca
n delet
e arc
hiv
es a
nd
use
r’
s
acco
unts
or in
j
ect
a m
alw
are
v
ia
a
US
B key.
f.
Po
int
6: E
ngin
eerin
g Work
st
at
ion
The
E
WS
is
oft
en
us
e
d
to
cha
ng
e
the
set
ti
ng
and
pa
ram
et
er
s
of
protect
ive
relay
s,
bay
cont
ro
ll
er
an
d
gateways.
I
f
t
he
intr
ud
e
r
get
a
ccess
to
the
E
WS,
he
ca
n
se
nd
false
set
ti
ng
to
relay
s
w
hich
will
cause
trips
or
can
c
hange
c
omm
un
ic
at
ion
par
am
et
ers
f
or
t
he
c
omm
u
nicat
ion
with
con
t
ro
l
ce
ntre
wh
ic
h
will
le
ad
to
com
m
un
ic
at
ion
inte
rrup
ti
on.
Also
,
he
ca
n
c
hange
t
he
S
ubs
ta
ti
on
Co
nf
i
gu
rati
on
La
ngua
ge
of
I
EDs
w
hic
h
wil
l
disturb t
he whole
S
AS
.
g.
Po
int
7: stat
io
n b
us
If
t
he
i
ntr
ud
e
rs
get
acce
ss
to
t
he
sta
ti
on
bus
switc
hes
he
ca
n
us
e
a
n
IEC
6185
0
sim
ulator
in
orde
r
to
interr
up
t,
ta
m
per
,
pret
en
d
an
d
rep
la
y
the
MM
S,
SN
MP
or
PTP
et
hernet
pack
et
s
w
hich
can
le
ad
to
trips,
Den
ia
l
of ser
vi
ce D
oS
by
pac
ket sto
rm
o
r
er
rone
ou
s
sync
hron
isa
ti
on
for
t
he
en
ti
re s
yst
em
.
h.
Po
int
8:
IED
The
intr
ud
e
r
can
get
acce
ss
to
the
IE
D
dire
ct
ly
fr
om
the
c
omm
un
ic
at
ion
fron
t
port,
a
vaila
ble
in
the
total
it
y of
I
E
D
s,
by
us
i
ng uns
ecur
e
c
omm
un
ic
at
ion
pr
oto
c
ol
su
c
h
as tel
ne
t.
The
intr
uder
c
an
cha
ng
e
t
he
set
ti
ng
,
pa
ram
et
ers
or
update
fau
lt
y
firm
wa
re
to
the
IE
D
wh
ic
h
will
cau
se
an
equ
i
pm
ent f
ai
lure
or tri
ps
of
ci
rcu
it
brea
kers.
i.
Po
int
9: P
r
oces
s bus
If
t
he
i
ntr
ud
e
rs
get
acc
ess
t
o
the
process
b
us
switc
hes
he
can
i
nterru
pt,
t
a
m
per
,
pret
en
d
an
d
re
play
the GO
OS
ES
a
nd S
V
m
essages which
can
lead to
trips
, Do
S.
j.
Po
int
10: IE
D C
B
As
the
c
ontrol
of
IE
D
CB
is
connecte
d
t
o
th
e
process
bus
by
Ether
net,
t
he
intruder
ca
n
pr
et
e
nd
t
o
be
the
IE
D
of
a
ci
rcu
it
bre
a
ker
an
d
se
nd
fals
e
posit
ion
w
hi
ch
will
cause
pro
blem
s
to
t
he
op
e
rati
on
of
th
e
su
bst
at
ion
a
nd
the po
wer sy
stem
.
k.
Po
int
11: M
er
gi
n
U
nit
The
i
ntr
ud
e
r
c
an
pr
et
e
nd
to
be
t
he
MU
a
nd
se
nd
false
m
easur
em
ents
of
c
urren
t
an
d
vo
lt
a
ge
to
protect
ive
relay
s w
hic
h wil
l
cause tri
ps
.
In
a
dd
it
io
n
to
these
points,
t
her
e
sti
ll
oth
e
r
inad
ver
te
ntly
threats
tha
n
ca
n
af
fect
the
se
cur
it
y
of
t
he
su
bst
at
ion
s
s
uc
h
as
eq
ui
pm
ent
fail
ur
e,
disco
nn
ect
io
n
of
e
quipm
ent’s,
los
s
of
se
r
ver
s
or
m
isc
on
fig
urat
ion
of
IED w
hich
m
us
t be ta
ken in c
on
si
der
at
io
n o
f
cybersec
uri
ty
o
f
substat
io
n.
4.
DEFENSE
IN DEPTH
SOL
UTIO
N
Def
e
ns
e
i
n
de
pt
h
is
a
c
oncept
insp
ire
d
from
the
m
il
i
ta
ry
where
a
n
e
nem
y
c
annot
def
eat
e
f
fortl
essly
a
com
po
und
a
nd
m
ulti
-
la
ye
red
def
i
nes
syst
em
tha
n
to
punctu
re
a
sin
gle
fe
nc
e.
T
he
sam
e
P
rinciple
is
a
pp
l
ie
d
i
n
the
dom
ai
n
of
inf
or
m
at
ion
syst
e
m
s
by
the
use
of
m
ulti
ple
secur
it
y
co
unte
rm
easur
es
to
protect
the
i
nteg
rity
of
the in
form
at
io
n netw
ork.
Def
e
ns
e
i
n
de
pth
re
du
ce
th
e
pro
ba
bili
ty
t
hat
a
n
intr
ude
r
ca
n
s
uccee
d
to
pe
netrate
the
syst
em
.
De
fe
ns
e in d
e
pt
h
can also
hel
p
to iden
ti
fy in
tru
der
s wh
o
at
tem
pt to
the sys
tem
. I
f
an
intruder
gai
ns
acces
s to
a
syst
e
m
,
def
ens
e
in
de
pth
reduce
the
har
m
fu
l
i
m
pact
and
giv
es
a
dm
inistr
at
ors
an
d
e
ngineers
ti
m
e
to
updat
e
Evaluation Warning : The document was created with Spire.PDF for Python.
In
t J
Elec
&
C
om
p
En
g
IS
S
N:
20
88
-
8708
A D
ef
e
ns
e
-
in
-
de
pth
Cy
bersec
ur
it
y for
….
(
D
az
ahr
a
M
oham
ed
N
ouh
)
4427
counterm
easure
s
and
pr
e
ven
t
fu
tu
re
at
ta
c
ks.
In
this
pa
pe
r
,
we
pro
pose
a
def
e
ns
e
in
de
pth
s
olu
ti
on
f
or
the
cy
ber
sec
ur
it
y
of
s
ubsta
ti
on
a
uto
m
at
ion
syst
e
m
in
s
m
art
su
bs
ta
ti
on.
Fig
ure
3
de
pict
the
pro
po
se
d
de
fe
ns
e
in
dep
t
h
s
olu
ti
on.
The
d
if
fer
e
nt l
ay
ers
of t
his d
e
fen
se
in de
pth
are e
xp
la
ine
d
i
n
Fi
gure
3.
Figure
3
.
D
e
fe
ns
e i
n dep
t
h
s
ol
ution
4
.
1.
Archi
tect
ure
The
loss
of
a
GOOSE
or
S
V
in
the
case
of
com
m
un
ic
at
ion
cable
fail
ur
e
ca
n
le
ad
to
disastr
ous
dam
ages
to
the
su
bst
at
ion
.
As
a
m
itigati
on
to
this
pro
blem
,
we
enc
o
ur
a
ge
the
us
e
of
redu
nd
a
ncy
arc
hitec
ture
for
the
SAS.
F
or
the
pr
ocess
bu
s,
it
is
recom
m
end
ed
to
use
High
a
vaila
bili
ty
sea
m
le
ss
red
un
da
ncy
(H
SR
)
protoc
ol
an
d
f
or
the
substat
io
n
netw
ork
,
it
is
reco
m
m
end
ed
to
us
e
the
Par
al
le
l
Re
du
nd
a
nc
y
Pr
oto
c
ol
(PR
P)
as
desc
ri
bed in
IE
C 624
39
-
3
sta
ndar
ds
[19]. T
he
se two seam
le
s
s pro
t
oco
ls
off
er m
or
e sec
ur
it
y t
o
the
SAS a
s any
loss
of
G
OOS
E or SV
pac
kets can
b
e
r
ec
ov
e
red in
0m
s.
Secu
rity
of
protect
ive
relay
s
can
be
e
nhan
ced
us
in
g
lo
ca
l
backu
p
prote
ct
ion
as
prese
nted
i
n
[
20]
wh
ic
h
offer
a
backu
p
of
prot
ect
ive
relay
in
case
of
t
heir
f
ai
lure
or
a
trip
fail
ur
e
.
Also
,
we
e
ncourage
to
us
e
PTP
for
sy
nchr
on
isa
ti
on
as
it
offer
s
a
bette
r
synch
ronisat
io
n
acc
ur
acy
of
1u
s
c
om
par
ing
to
IRI
G
wh
ic
h
offe
rs
a sync
hron
isa
ti
on accu
racy
of
1m
s.
4.2. Ne
twork
Segme
ntati
on
We
pro
po
se
to
segm
ents
the
netw
ork
of
s
ubsta
ti
on
to
t
hree
zo
nes
s
epa
r
at
ed
by
fire
wa
ll
s
as
it
will
offer
m
or
e
sec
ur
it
y
beca
us
e
if
a
n
int
rude
r
c
om
pr
om
ise
the
pe
rim
e
te
r
zo
ne
he
m
us
t
co
m
pr
omi
se
the
oth
e
r
zon
e
s
beh
i
nd it
to get co
ntr
ol
of physi
cal
equ
ipm
ent. Th
ese
zon
e
s ar
e
prese
nted
i
n
F
i
gure
4.
Figure
4
.
N
et
w
ork
se
gm
entat
i
o
n i
n sm
art su
bst
at
ion
Evaluation Warning : The document was created with Spire.PDF for Python.
IS
S
N
:
2088
-
87
08
In
t J
Elec
&
C
om
p
En
g,
V
ol.
8
, N
o.
6
,
Dece
m
ber
201
8
:
4423
-
4431
4428
Zo
ne
3:
Is
a
D
e
m
ilit
arized
Zon
e
wh
ic
h
co
nt
ai
ns
the
gate
w
ay
fo
r
c
omm
un
ic
at
ion
with
en
te
rp
rise
netw
ork,
an
d
it
sh
ould
b
e
v
ia
a V
i
rtual P
riva
te
N
et
w
ork.
Zo
ne 2:
Co
ntains t
he
E
WS, L
og serve
rs,
H
MI and
gatewa
y for c
omm
un
i
cat
ion
with t
he
contr
ol cen
t
re
.
Zo
ne 1:
C
onta
ins t
he
sta
ti
on bus
a
nd the
pro
c
ess bus
with
MU, IE
D
a
nd Ci
r
cuit b
reak
e
r
.
4.3. Fi
rew
alls
Firewall
m
us
t
be
config
ur
e
d
to
auth
or
ise
on
ly
need
e
d
serv
ic
es
or
pr
oto
c
ols
for
co
m
m
un
ic
at
ion
betwee
n
the
th
ree se
gm
ented z
on
e
s.
T
hese
wi
ll
h
ide the
n
et
work str
uctu
re
and d
e
vices
fro
m
o
utside v
ie
w
.
4.4. Secure
Pr
otoc
ols
All
unsec
ur
e
prot
oco
l
or
cl
ea
r
te
xt
prot
oco
l
s
m
us
t
be
disabled
beca
us
e
da
ta
su
c
h
as
use
rn
am
e
an
d
pass
word
are
t
r
ansf
e
rr
e
d
with
ou
t
e
ncr
y
ption and
a
sim
ple
sn
iffi
ng
can g
et
them
.
we
encour
a
ge
to
us
e
on
ly
the
secur
e
ver
si
on
for
exam
ple.
Fo
r
the
netw
ork
m
anag
em
ent
t
he
us
e
of
Sim
ple
Netw
ork
Ma
nag
em
ent
Pr
ot
oco
l
V3
SN
MP
v3
i
ns
te
ad
of
S
N
MPv1
or
v2.
Fo
r
file
tra
ns
f
er
the
us
e
of
Secu
re
Fil
e
Tr
ansf
e
r
P
ro
t
oc
ol
SFTP
instea
d
of
FTP
.
For
web
ser
ve
r
the
us
e
of
t
he
sec
ur
e
Hyp
ertext
Tra
nsfer
Protoc
ol
HT
T
PS
instea
d
of
HTTP.
Fo
r
device
c
on
fig
ur
at
io
n
t
he use
of SS
H Se
cur
e
S
hel
l i
ns
t
ead
of Telnet
.
4.5. Har
denin
g
Dev
ic
es
On
e
of
best
sol
ution
a
gainst
inter
nal
at
ta
ck
is
harde
ning
de
vices
in
s
ub
sta
ti
on
s
.
Harde
nin
g
de
vice
s
m
ean
that
al
l
unus
e
d
ports,
protoc
ols
or
s
e
rv
ic
es
i
n
a
de
vice
m
us
t
be
disable
d.
F
or
each
e
qu
i
pm
e
nt
in
t
he
arch
i
te
ct
ure
w
e
propose
s
ome
act
ion
s
to
be
ta
ken
.
S
witc
he
s:
The
first
ac
ti
on
is
to
disab
le
the
def
ault
a
dm
in
account
an
d
cr
eat
e
new
acc
ount
wit
h
com
plex
pass
w
ord.
The
sec
ond
act
ion
2
is
to
disa
ble
unus
e
d
por
ts
fo
r
com
m
un
ic
at
ion
.
T
he
thi
rd
ac
ti
on
is
to
e
na
ble
se
cur
e
prot
oc
ol
an
d
disable
unsecu
re
protoco
ls
s
uc
h
as
HTTP,
FTP
an
d
Tel
ne
t.
Be
sides,
w
e
su
ggest
to
a
sso
ci
at
e
ports
with
m
edia
acce
ss
co
ntr
ol
(
MAC)
ad
dress
for
al
l
dev
ic
es
i
n
the
SA
S
.
I
n
this
c
ase,
If
t
he
intr
ud
e
r
trie
s
to
c
onnect
a
dev
ic
e
into
a
port
that
i
s
assigne
d
to
MAC
address
the
por
t wil
l be
disabl
ed pre
ve
nting
acce
ss to
t
he n
et
work.
Com
pu
te
rs:
G
at
eways
an
d
HMI
a
re
in
dustria
l
com
pu
te
rs
that
ar
e
r
unning
on
wind
ows
op
e
rati
ng
syst
e
m
.
The
first
act
ion
is
to
be
sure
t
hat
the
op
e
rati
ng
s
yst
e
m
is
installed
f
ro
m
trust
ed
a
nd
certi
fie
d
C
D
because
en
gine
ers
of
te
n
inst
al
l
wind
ows
f
or
m
m
a
te
rial
s
dow
nlo
a
ded
from
the
interne
t,
so
these
m
a
te
rial
s
cou
l
d
be
i
nf
ec
te
d
or
ha
ve
s
om
e
vu
lne
rab
il
it
ie
s.
The
sec
ond
act
io
n
is
to
instal
l
the
la
t
est
updates
f
rom
the
op
e
rati
ng
syst
e
m
pr
ov
i
der
tha
t
correct
al
l
vu
lnera
bili
ti
es
detect
ed
in
pr
e
vi
ou
s
ver
si
on.
T
he
thi
rd
Acti
on
is
t
o
disable
al
l
U
S
B
port
as
m
alw
ares
an
d
vir
us
can
be
i
nj
ect
ed
via
U
SB
ke
y
dr
ive
rs.
Acti
on
4
is
to
disa
ble
al
l
unus
e
d
se
r
vices,
a
pp
li
cat
ion
or
ports
in
t
he
com
pu
te
r.
IE
D:
f
or
the
bay
co
ntr
ollers
or
num
eric
protect
ive
relay
s w
e
sug
ge
st t
o delet
e d
e
fau
lt
us
er
and
pass
word a
nd
us
e m
or
e c
om
plex
pa
sswo
rd.
4.6
.
Access
C
ontr
ol Man
age
ment
Anothe
r
so
l
ution
for
protect
ion
a
gainst
in
te
rn
al
treat
s
can
be
done
by
us
ing
acce
s
s
con
tr
ol
m
anag
em
ent.
Fo
r
t
his
aim
we
su
ggest
to
ap
ply
the
reco
m
m
end
at
ion
of
pa
rt
8
f
or
m
IEC623
51,
w
hich
i
s
Role
-
base
d
acce
ss
con
t
ro
l.
F
or
eve
ry
dev
ic
e
in
th
e
su
bs
ta
ti
on
the
RB
AC
sh
ou
l
d
be
de
plo
ye
d,
so
for
ever
y
use
r
in
the
substat
io
n
acce
ss
sho
uld
be
grun
te
d
on
l
y
for
ob
j
ect
c
on
ce
r
ning
this
us
e
r
ope
rati
on.
for
e
xam
ple,
so
m
e
op
e
rato
r
will
hav
e
acce
ss
only
to
op
en
or
cl
os
e
pri
m
ary
eq
uip
m
ent
bu
t
will
no
t
hav
e
acc
ess
to
change
s
et
ti
ng
of
relay
set
ti
ngs.
The
RB
AC
al
lows
to
di
vide
acce
ss
by
areas
of
ex
pe
rtise
wh
ic
h
pr
e
ve
nt
from
un
intenti
on
a
l
op
e
rati
on
fau
lt
an
d
from
disg
r
untl
ed
em
plo
ye
es.
For
c
om
pu
te
rs
base
d
on
wind
ow
s
op
e
rati
ng
syst
e
m
,
we
su
ggest
t
o use
a dom
ai
n
con
tr
oller to
secu
re
authe
ntica
ti
on
requests
.
4.7
.
M
on
it
or
Tr
affic
The
Mo
nitor
i
ng
of
lo
ggin
g
act
ivit
ie
s
and
un
s
uccess
fu
l
lo
gin
at
tem
pts
can
giv
e
an
idea
ab
out
the
way
us
er
a
re
op
e
rat
ing
the
SAS.
F
or
t
his
ai
m
,
we
sugg
est
to
de
pl
oy
log
s
syst
e
m
m
anag
er
w
hi
ch
will
colle
ct
log
s
from
all
dev
ic
es
us
in
g
Sysl
og
pr
oto
c
ol
fo
ll
ow
i
ng
sta
ndar
d
RFC
31
64
a
nd
R
FC
5424.
This
will
gi
ve
the
po
s
sibil
it
y t
o
c
reate hist
ori
cal
audit
trail
s of i
nd
i
vidual u
ser a
ccount acce
s
s
acti
vity
.
4.8. Whi
te
-
li
st
ing
In
a
ddit
ion
t
o
the
antivir
us
t
hat
sho
uld
be
instal
le
d
on
c
om
pu
te
r
we
s
uggest
to
a
dd
a
wh
it
e
li
sti
ng
pro
gr
am
,
this
will
al
low
only
tr
us
te
d
a
ppli
cat
ion
s
a
nd
se
r
vi
ces
declare
d
i
n
th
e
li
st
to
be
execu
te
d,
w
hic
h
will
Bl
ock
s a
ny m
a
li
ci
ou
s s
of
t
ware, eve
n
i
f
it
is
unknow
n.
4.9.
B
ackup &
R
es
to
re
On
e
way
t
o
e
nh
a
nce
t
he
S
A
S
secu
rity
fro
m
equ
ipm
ent’s
fail
ur
e
is
to
hav
e
a
backu
p
an
d
re
store
po
li
cy
.
T
he
ba
ckup
a
nd
resto
re
of
com
pu
te
r
s
will
be
aut
om
at
ic
us
ing
de
dicat
ed
s
oft
wa
re.
In
the
case
IE
D
Evaluation Warning : The document was created with Spire.PDF for Python.
In
t J
Elec
&
C
om
p
En
g
IS
S
N:
20
88
-
8708
A D
ef
e
ns
e
-
in
-
de
pth
Cy
bersec
ur
it
y for
….
(
D
az
ahr
a
M
oham
ed
N
ouh
)
44
29
set
ti
ng
are
store
d
in their in
te
rn
al
m
e
m
or
y, s
o
the b
ac
kup
w
il
l be
m
anu
al
ly
b
y t
aking
a copy of
the last
k
now
n
validat
ed
set
ti
ngs.
In
t
he
case
of
a
n
eq
uip
m
ent
fail
ur
e
,
f
or
e
xam
ple,
a
com
pu
te
r
or
a
IE
D
dam
aged
due
to
an
ov
e
r
vo
lt
age
i
n
the
au
xili
ary
powe
r
sup
ply,
the
m
ai
ntenan
ce
te
am
can
change
t
he
eq
uip
m
ent
and
i
nj
ect
t
o
backu
p
set
ti
ng
w
hich
will
off
er
them
bette
r
tim
e
in
com
par
iso
n
to
the
ca
se
if
they
don’
t
hav
e
a
backu
p
a
nd
sh
oul
d
c
onfig
ure it
fro
m
zero.
4.10
.
Cyberse
curi
ty M
ana
ge
ment
Cy
ber
sec
ur
it
y i
s an
on
go
i
ng
process t
hat enc
om
passes
pro
cedures,
poli
ci
es, softwa
re,
a
nd
ha
rdware
.
We
sugg
e
st
to
i
m
ple
m
ent
a
plan
for
m
a
nag
i
ng
inci
de
nce
res
pons
e
in
case
of
an
y
extern
al
or
internal
vu
l
ner
a
bili
ty
r
eported
fro
m
the v
e
ndor
on any
d
evice i
n
t
he SAS
.
Fi
gure
5 pr
ese
nts t
he pr
opos
e
p
la
n
.
Figure
5
.
Cy
be
rsecurit
y m
ana
gem
ent p
la
n
First,
if
a
detect
ion
of
a
vu
l
ne
rab
il
it
y
occu
r
s,
an
im
pact
a
naly
sis
on
the
SA
S
s
hould
be
carry
ou
t.
The
n,
a
Patc
h
to
fix
t
he
vuln
erab
il
it
y
sh
oul
d
be
f
ound
an
d
te
ste
d
befo
re
bein
g
ap
plied
t
o
the
S
AS.
Fin
al
ly
,
a
repor
t
a
bout
t
he
vu
l
ner
a
bili
ty
sh
ould
be
s
har
e
d
with
othe
r
ve
ndors.
Cy
ber
sec
uri
ty
procedu
res
a
nd
po
li
ci
e
s
sh
oul
d
ha
ve
a
pp
li
ed
i
n
earl
y
ph
ase
of
S
AS
proj
e
ct
fo
l
lowing
the
cy
ber
se
c
uri
ty
lif
e
cy
cl
e
pr
ese
nted
in
F
igure
6
.
Figure
6
.
Cy
be
rsecurit
y l
ife c
yc
le
The
fi
rst
ste
p
is
to
determ
ine
baseli
ne
risk
and
secu
rity
le
vels.
T
he
sec
ond
ste
p
is
to
desig
n
the
syst
e
m
us
ing
the
ap
pro
pr
ia
te
secur
it
y
m
easur
em
ents
as
we
reco
m
m
end
ed.
The
thir
d
ste
p
is
to
i
m
ple
m
e
nt
the
secur
it
y
m
easur
em
ents
and
proce
dures
with
the
pur
pose
to
obta
in
the
m
ini
m
al
i
m
pact
on
t
he
ope
rati
on
of
su
bst
at
ion
.
Fin
al
ly
, th
e cy
bers
ecur
it
y sh
ould
be
m
anag
ed
b
y
an
i
ncide
nce
r
esp
on
se
p
la
n.
Disco
ver
vu
lnerabilities
Impa
ct
Analysis
Disco
ver
&
Test
P
atc
h
Applay
P
atc
h
Share
repo
rt
•
D
et
er
mine
r
i
sk
Ev
al
u
ate
•
Secu
r
i
t
y
M
eas
u
r
es
De
sign
•
Implem
en
t
se
c
u
r
i
t
y
M
eas
u
r
es
Ap
p
ly
•
ma
nage
Cybe
r
Sec
u
rity
Control
Evaluation Warning : The document was created with Spire.PDF for Python.
IS
S
N
:
2088
-
87
08
In
t J
Elec
&
C
om
p
En
g,
V
ol.
8
, N
o.
6
,
Dece
m
ber
201
8
:
4423
-
4431
4430
5.
CONCL
US
ION
Althou
gh
th
e
f
act
that
the
defense
in
de
pth
c
om
es
into
sight
to
be
a
com
p
le
x
an
d
fati
guing
s
olu
ti
on
to
im
ple
m
ent
i
n
s
ubsta
ti
on
au
tom
a
ti
on
syst
e
m
s,
it
is
m
and
at
or
y
to
a
pp
ly
i
t
on
powe
r
gr
i
ds
beca
us
e
the
c
yber
-
at
ta
cks
bec
ome
da
ng
e
rous
to
substat
ion
s;
al
so
,
t
he
m
ulti
ple
la
ye
rs
of
sec
ur
it
y
is
an
e
f
fici
ent
way
to
preve
nt
from
extern
al
at
ta
cks
and
es
pe
ci
al
ly
fr
om
int
ern
al
treat
s
tha
t
are
har
d
to b
e
detect
ed
or
p
r
even
te
d
as
the
m
ajo
r
el
e
m
ent in in
te
rn
al
treat
s
are
hu
m
an
w
hethe
r
at
ta
cks
a
re i
ntend
e
d o
r un
i
ntention
al
w
ron
g o
per
at
io
ns
.
In
t
his
pap
e
r,
first,
we
pr
es
e
nt
the
sm
art
s
ub
sta
ti
on
a
rch
i
te
ct
ur
e
based
on
the
IEC
61850
prot
oc
ol.
Seco
nd,
we
pr
esent
diff
e
re
nt
vu
lne
rab
le
po
int
in
the
s
ub
s
ta
ti
on
autom
ation
syst
em
of
a
s
m
art
su
bs
ta
ti
on
.
Finall
y,
we
pr
e
sent
the
def
e
nse
in
dep
th
s
olut
ion
.
I
n
the
f
utu
re
,
the
de
velo
pm
ent
of
intel
l
igent
crypt
ogra
ph
i
c
al
gorithm
s
wil
l
m
ake
the
app
li
cat
ion
of
IEC
62351
sta
nda
r
ds
easi
er
an
d
will
giv
e
m
or
e
secur
it
y
to
su
bs
ta
ti
on
autom
at
ion
syst
e
m
s.
REFERE
NCE
S
[1]
“
Anal
y
sis of
the
C
y
ber
At
tack
o
n
the Ukrai
n
ia
n
Pow
er
Grid”
,
De
fen
se
Us
e
C
ase
,
Marc
h
18,
2016
.
[2]
H
y
unguk
Yoo,
Ta
eshik
Shon,
C
hal
l
enge
s
and
r
e
sea
rch
dir
ection
s
for
het
ero
gen
e
ous
c
y
b
er
–
ph
y
s
i
ca
l
s
y
s
te
m
base
d
on
IEC
61850:
Vulner
abilities,
sec
urity
req
uir
e
m
ent
s,
and
se
cu
rity
a
rch
i
te
c
ture,
In
Future
G
enerat
ion
Com
put
er
S
y
stems
,
Volum
e
61,
2016,
Page
s 128
-
136,
ISS
N 0167
-
739X.
[3]
J.
Cai
,
Y.
Zhe
n
g
and
Z.
Zhou,
"Revi
ew
of
c
y
ber
-
sec
uri
t
y
challe
ng
es
and
m
ea
sures
in
s
m
art
s
u
bstat
ion"
,
2016
Inte
rna
ti
ona
l
Co
nfe
ren
c
e
on
Sm
art
Grid
and
C
lea
n
Ene
rg
y
T
ec
hn
ologi
es
(ICSG
CE),
Ch
engdu, 20
16,
pp
.
65
-
69
.
[4]
R.
Doroth
y
,
Sa
sila
tha,
"S
m
art
Grid
S
y
stems
Based
Surve
y
o
n
C
y
ber
Secur
i
t
y
Iss
ues",
Bull
e
ti
n
of
E
le
c
tri
c
al
Engi
ne
eri
ng
and
Inform
at
ic
s
,
Vo
l.
6
,
No
.
4
,
De
cem
ber
2017,
pp
.
3
37~342
.
[5]
Rom
an
Schle
ge
l,
Sebast
ia
n
Ob
ermei
er
,
Johann
es
Schnei
der
,
A
sec
urity
evalua
ti
on
of
IEC
62
351,
Journal
of
Inform
at
ion
Se
c
urity
and
Appli
c
at
ions,
Volum
e 34,
Part
2,
2017,
P
age
s 197
-
204
,
ISS
N 2214
-
2126
.
[6]
Cle
veland
F.
IE
C
62351
sec
urity
stand
ard
s
for
the
power
s
y
ste
m
informati
on
infra
struct
ur
e.
W
hit
e
pap
er,
ver
.
14.
Inte
rna
ti
ona
l El
e
ct
rot
ec
hni
ca
l
Co
m
m
is
sion;
June
2012
.
[7]
Industria
l
Com
muni
cation
Ne
tworks
-
Network an
d
S
y
stem Se
cur
ity
,
IEC
Std.
6244
3.
[8]
Yi
Yang,
K.
McLa
ughli
n
,
Lei
Gao,
S.
Seze
r
,
Yubo
Yuan
and
Yanfe
ng
Gong,
"Intrusion
det
e
ct
ion
sy
st
em
for
IE
C
61850
base
d
smart
subs
ta
ti
ons
"
,
2016
IEE
E
Pow
er
and
Ene
rg
y
Societ
y
Gen
era
l
Mee
ti
ng
(PESG
M),
Boston,
M
A,
2016,
pp
.
1
-
5.
[9]
U.
Prem
ara
tne
,
C.
Li
ng,
J.
Sam
ara
bandu
and
T
.
Sidhu
,
"P
oss
ib
il
isti
c
dec
ision
t
ree
s
for
Intrusion
Dete
ct
ion
in
IEC61850
aut
o
m
at
ed
subs
ta
ti
o
ns"
,
2009
Inte
rna
ti
on
al
Confer
en
ce
on
Industria
l
and
Inform
at
ion
Sy
st
ems
(ICIIS
),
Sri L
ank
a, 2009, pp. 204
-
209.
[10]
U.K.
Prem
ara
tn
e,
J.
Sam
ar
aba
n
du,
T
.
S.
Sidhu,
R.
Ber
esh
an
d
J.C.
T
an,
"A
n
Intrusion
Det
e
ct
ion
S
y
s
te
m
fo
r
IEC61850
Auto
m
at
ed
Subs
ta
ti
o
ns
"
,
in
IE
EE
Tr
ansa
ctions
on
Pow
er
Deli
v
er
y
,
vol.
25
,
no.
4,
p
p.
2376
-
2383,
Oct
.
2010.
[11]
Y.
Yang
et
al.,
"C
y
ber
se
cur
ity
t
est
-
bed
for
I
EC
61850
base
d
sm
art
subs
ta
ti
ons
"
,
2015
IEEE
Pow
e
r
&
Ener
g
y
Socie
t
y
G
ene
r
al
Mee
ti
ng
,
Denv
er
,
CO,
2015,
pp.
1
-
5.
[12]
Introduc
t
ion
to
wate
rfa
ll
unidi
r
e
ct
ion
al
sec
uri
t
y
gat
ewa
y
s:
tru
e
unidi
re
ct
ion
al
i
t
y,
true
sec
uri
t
y
.
Te
chn
ic
a
l
rep
ort
.
W
at
erf
all
Se
cur
i
t
y
Soluti
ons
Lt
d
.
;
Augus
t
2012.
[13]
Naia
ra
More
ira
,
El
ía
s
Molina
,
Jesús
Lá
za
ro,
E
duar
do
Jac
ob,
Arm
ando
As
ta
rloa
,
C
y
ber
-
se
cur
ity
in
subs
ta
ti
o
n
aut
om
at
ion
s
y
st
e
m
s,
In
Rene
wab
l
e
and
Sus
ta
in
able
En
erg
y
R
evi
e
ws
,
Volum
e
54,
2016,
Pages
155
2
-
1562
[14]
IEC
61850
-
1
S
ta
ndar
d
ed2
.
0.
Com
m
unic
at
ion
net
works
and
s
y
stems
for
po
wer
utilit
y
aut
o
m
at
ion
—
Part
1
:
Introduc
t
ion
and
over
vi
ew;
Mar
c
h
2013.
[15]
IEC
61850
-
90
-
2
Standa
rd
ed1.
0
.
Comm
unic
at
ion
net
works
and
s
y
stems
for
power
uti
li
t
y
aut
om
ation
—
Part
90
-
4:
Network
engi
n
e
eri
ng
gu
ide
l
ine
s;
Augus
t
2013.
[16]
IEC
61850
-
8
-
1
Standa
rd
ed2
.
0.
Com
m
unic
at
io
n
ne
tworks
and
s
y
stems
for
po
wer
uti
l
ity
aut
o
m
at
ion
—
Part
8
-
1:
Speci
fi
c
comm
unic
a
ti
on
servi
ce
m
appi
ng
(SCSM)
—
m
appi
ngs
to
MM
S
(IS
O
9506
-
1
and
ISO
9506
-
2)
and
to
ISO
/IE
C
8802
-
3;
June
2011
.
[17]
IEC
61850
-
9
-
2
Standa
rd
ed2
.
0.
Com
m
unic
at
ion
net
works
and
s
y
stems
for
po
w
er
uti
l
ity
aut
o
m
at
ion
—
Part
9
-
2:
Speci
fi
c
comm
unic
a
ti
on
serv
ice m
appi
ng
(SCS
M
)
—
sam
ple
d
val
u
es
over
ISO
/IE
C
8802
-
3;
Sep
te
m
ber
2011.
[18]
IEE
E
C37.
238
-
2
011.
Standa
rd
pr
ofil
e
for
use
of
IEE
E
1588
pre
c
i
sion
ti
m
e
protocol
in
power
sy
st
em
appl
ic
a
ti
ons;
Jul
y
2011
.
[19]
IEC
62439
-
3
ed
2.
0.
Industri
al
c
om
m
unic
at
ion
n
et
works
—
high
a
vai
l
abi
lit
y
au
to
m
at
ion
net
works
—
Part
3:
Para
llel
red
undancy
prot
ocol
(PRP
)
and
higha
va
il
ab
il
i
t
y
sea
m
le
ss
red
und
ancy
(HS
R);
July
2012
[20]
M.N.
Daz
ahr
a
,
F.
El
m
ariam
i,
A.
Bel
fq
ih,
J.
Boukherou
aa
.
"S
m
art
Local
Bac
kup
Prot
e
ct
ion
for
Sm
art
Subs
ta
ti
on",Inter
nat
ion
al
Journa
l of E
l
ec
tr
ical and
Com
pute
r
Eng
i
nee
ring
(IJECE)
,
Vol
7
,
No 5
Evaluation Warning : The document was created with Spire.PDF for Python.
In
t J
Elec
&
C
om
p
En
g
IS
S
N:
20
88
-
8708
A D
ef
e
ns
e
-
in
-
de
pth
Cy
bersec
ur
it
y for
….
(
D
az
ahr
a
M
oham
ed
N
ouh
)
4431
BIOGR
AP
H
I
ES
OF
A
UTH
ORS
Daz
ahr
a
Moham
ed
Nouh
has
obt
ai
ned
it
s
state
elec
tr
ic
i
t
y
engi
ne
e
ring
degr
ee
in
2
012
from
the
superior
Nat
ional
School
of
elec
t
ric
ity
and
M
ec
h
ani
cs
(
ENSEM).
Curre
ntly
D
aza
hra
is
pursuing
his
Ph.D.
Degre
e
progra
m
m
e
in
El
e
ct
ri
cal
Pow
e
r
Engi
ne
eri
ng
at
ENSEM.
He
is
a
m
ember
of
La
bora
tor
y
of
El
e
ct
ri
ca
l
Ne
tworks
and
Stat
ic
Convert
ers
in
ENSEM.
His
rese
arc
h
intere
sts
inc
lud
e
power
sy
stems
stab
il
i
t
y
using FACTS,
Sm
art
Grid
and
S
m
art
subs
ta
ti
on
.
El
m
ari
ami
Fa
issal
Profess
or
at
the
Super
ior
Nati
ona
l
School
of
elec
tri
c
ity
and
m
ec
han
ic
s
Casabl
an
ca,
elec
tri
c
al
eng
ineeri
n
g
depa
rtment
.
M
ember
of
the
stu
d
y
t
ea
m
"El
ec
tr
i
ca
l
Ne
tworks
and
Sta
ti
c
Conv
ert
ers".
He
work
s ont
he
st
abi
l
ity
of
the electri
ci
t
y
net
work a
nd
sm
art
gr
ids
Bel
fqih
Abde
laziz
Profess
or
a
t
the
Na
ti
on
al
High
School
of
El
e
ct
ri
cit
y
a
nd
Mec
hanics
(Unive
rsit
y
Has
san
II
of
Casab
l
anc
a
-
Morocc
o
).
PhD
,
Engi
n
eer
and
hold
er
of
the
Univer
si
t
y
Habil
itati
on
se
a
rch
es
(HD
R).
Hea
d
of
the
re
sea
rch
t
ea
m
"Ele
c
tri
c
al
Networ
ks
and
Stat
ic
Convert
ers. “
Teac
her
rese
arc
h
er
cur
ren
t
l
y
workin
g
on
e
lectr
i
ci
t
y
n
et
work a
nd
sm
art
grids
Boukheroua
a
Ja
m
al
Profess
or
A
bil
ity
to
Dire
c
t
Resea
rch
at
th
e
Nati
ona
l
School
of
El
ectri
ci
t
y
and
Mec
han
ic
s
(
ENSEM
-
Hass
a
n
II
Univer
sit
y
of
Casabl
an
ca
)
.
Doctor
Engi
n
ee
r
and
holde
r
of
HD
R.
RECS Res
ea
rch
Team
Leade
r. Curre
n
tly
working
on
high
-
fre
quency
sta
ti
c
conve
r
te
rs.
Evaluation Warning : The document was created with Spire.PDF for Python.