eScholarship
Open Access Publications from the University of California

UC Santa Cruz Electronic Theses and Dissertations

Network Measurement & Security for Substation Networks

Abstract

Electrical substations are critical components of the power grid, facilitating electricity generation, transmission, and distribution. Over the past twenty years these substations have been upgraded from analog components to fully digital equipment built on modern computer devices and networks. While this modernization has increased their automation and efficiency, it also introduces a new attack surface that adversaries can exploit to cause blackouts, as the Industroyer malware did in Ukraine in recent years. In this dissertation, our goal is to better understand modern substation networks and improve their security.

Despite their vital importance, substation networks remain under-researched in real-world settings because of operational restrictions and limited access to such systems, which leads most studies to rely on simulations and testbeds. Our first step is to develop the first in-depth study of the operation of a large (500 kV) real-world substation automation network. We provide a view of how these critical networks operate using packet captures and a Substation Configuration Description (SCD) file. We discuss the challenges we overcame to reconstruct a network with redundant paths, gateways, serial legacy devices, and sophisticated intelligent electronic devices (IEDs). Our work provides a deep-dive discussion of these critical networks in a real-world system and sheds light on their operation, configuration, and security.

Our second effort is a detailed analysis of the IEC 61850 protocol, including its role in facilitating the Industroyer malware attacks on the Ukrainian power grid. To achieve this, we created a custom-developed sandbox that emulates network and device characteristics, enabling an in-depth exploration of malware behavior. The study identifies previously undocumented features, such as the MMS protocol payload algorithm, and maps the actions the malware could execute on substation equipment. The analysis also provides insights into the potential effects of similar malware on future systems and into how to mitigate future malware attacks that target the power grid.

Our final effort focuses on helping other researchers use realistic substation network traffic under benign and malicious conditions. To achieve this, we generate synthetic network traffic datasets to overcome the limited access to real-world operational datasets that other researchers face. These synthetic datasets are modeled on real-world traffic to replicate various substation network scenarios using a stable diffusion model and artificial intelligence technologies.

Our research helps advance the science of industrial network security by providing real-world baselines of normal and attack scenarios and generating synthetic data that can be shared with the larger research community.
