Two-stage advanced persistent threat (APT) attack on an IEC 61850 power grid substation

IF 2.4 4区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Information Security Pub Date : 2024-05-14 DOI:10.1007/s10207-024-00856-6

Aida Akbarzadeh, Laszlo Erdodi, Siv Hilde Houmb, Tore Geir Soltvedt

{"title":"Two-stage advanced persistent threat (APT) attack on an IEC 61850 power grid substation","authors":"Aida Akbarzadeh, Laszlo Erdodi, Siv Hilde Houmb, Tore Geir Soltvedt","doi":"10.1007/s10207-024-00856-6","DOIUrl":null,"url":null,"abstract":"<p>Advanced Persistent Threats (APTs) are stealthy, multi-step attacks tailored to a specific target. Often described as ’low and slow’, APTs remain undetected until the consequences of the cyber-attack become evident, usually in the form of damage to the physical world, as seen with the Stuxnet attack, or manipulation of an industrial process, as was the case in the Ukraine Power Grid attacks. Given the increasing sophistication and targeted nature of cyber-attacks, especially APTs, this paper delves into the substantial threats APTs pose to critical infrastructures, focusing on power grid substations. Through a detailed case study, we present and explore a 2-stage APT attack on an IEC 61850 power grid substation, employing a Hardware-in-the-Loop (HIL) testbed to simulate real-world conditions. More specifically, this paper discusses two significant experiments conducted to assess vulnerabilities in the control protocols used in IEC 61850 substations: IEC 60870-5-104 and IEC 61850. The integration of findings from these experiments revealed a number of previously undiscussed potential threats to power grid infrastructure that could arise from attacking one or more substations. To better address these potential threats, the paper proposes an extension to the Industrial Control System (ICS) kill chain that explicitly accounts for the consequences of attacks on the physical aspects of Cyber-Physical Systems (CPSs).</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"155 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00856-6","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Advanced Persistent Threats (APTs) are stealthy, multi-step attacks tailored to a specific target. Often described as ’low and slow’, APTs remain undetected until the consequences of the cyber-attack become evident, usually in the form of damage to the physical world, as seen with the Stuxnet attack, or manipulation of an industrial process, as was the case in the Ukraine Power Grid attacks. Given the increasing sophistication and targeted nature of cyber-attacks, especially APTs, this paper delves into the substantial threats APTs pose to critical infrastructures, focusing on power grid substations. Through a detailed case study, we present and explore a 2-stage APT attack on an IEC 61850 power grid substation, employing a Hardware-in-the-Loop (HIL) testbed to simulate real-world conditions. More specifically, this paper discusses two significant experiments conducted to assess vulnerabilities in the control protocols used in IEC 61850 substations: IEC 60870-5-104 and IEC 61850. The integration of findings from these experiments revealed a number of previously undiscussed potential threats to power grid infrastructure that could arise from attacking one or more substations. To better address these potential threats, the paper proposes an extension to the Industrial Control System (ICS) kill chain that explicitly accounts for the consequences of attacks on the physical aspects of Cyber-Physical Systems (CPSs).

Abstract Image

查看原文本刊更多论文

针对 IEC 61850 电网变电站的两阶段高级持续性威胁 (APT) 攻击

高级持续性威胁（APT）是针对特定目标的隐蔽、多步骤攻击。APT 通常被描述为 "低速而缓慢"，在网络攻击的后果显现之前一直未被发现，通常表现为对物理世界的破坏（如 Stuxnet 攻击）或对工业流程的操纵（如乌克兰电网攻击）。鉴于网络攻击（尤其是 APT）的复杂性和针对性日益增强，本文将以电网变电站为重点，深入探讨 APT 对关键基础设施构成的重大威胁。通过详细的案例研究，我们介绍并探讨了针对 IEC 61850 电网变电站的两阶段 APT 攻击，采用了硬件在环 (HIL) 测试平台来模拟真实世界的条件。更具体地说，本文讨论了为评估 IEC 61850 变电站使用的控制协议中的漏洞而进行的两项重要实验：IEC 60870-5-104 和 IEC 61850。这些实验结果的整合揭示了许多以前未曾讨论过的潜在威胁，攻击一个或多个变电站可能会对电网基础设施造成威胁。为了更好地应对这些潜在威胁，本文提出了对工业控制系统 (ICS) 杀伤链的扩展，明确说明了对网络物理系统 (CPS) 物理方面的攻击所造成的后果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Information Security 工程技术-计算机：理论方法

CiteScore

6.30

自引率

3.10%

发文量

审稿时长

12 months

期刊介绍： The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.