Access Control and Availability Vulnerabilities in the ISO/IEC 61850 Substation Automation Protocol

  • James G. Wright
  • Stephen D. Wolthusen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10242)


The ISO/IEC 61850 protocol for substation automation is a key component for the safe and efficient operation of smart grids, whilst offering a substantial range of functions. While extension standards, particularly ISO/IEC 62351, provide further security controls, the baseline protocol itself offers the assurances of access control and availability. In this paper a systematic study of selected aspects of the basic ISO/IEC 61850 protocol demonstrates that protocol-level vulnerabilities exist. The main finding is the development of a credential interception attack that allows an adversary without credentials to hijack a session during an initial association; the feasibility of this attack is proven using a formal language representation. A second attack, a workflow amplification attack, relies on the assumptions in the protocol’s substation event model; it is independent of layered security controls and relies only on the protocol’s communication patterns.


Keywords: Smart grid, ISO/IEC 61850, Access control, Amplification attack, Substation automation protocol



This work is supported by an EPSRC Academic Centres of Excellence in Cyber Security Research PhD grant.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. School of Mathematics and Information Security, Royal Holloway, University of London, Egham, UK
  2. Norwegian Information Security Laboratory, Norwegian University of Science and Technology, Trondheim, Norway
