Threat model for IEC 61850 based substation automation system

IF 5.3; Zone 3, Engineering Technology; Q1, COMPUTER SCIENCE, INFORMATION SYSTEMS
Mihael Marović, Ante Đerek, Stjepan Groš, Ivan Kovačević
Journal: International Journal of Critical Infrastructure Protection, volume 51, Article 100789
Publication date: 2025-08-23
Publication type: Journal Article
DOI: 10.1016/j.ijcip.2025.100789
URL: https://www.sciencedirect.com/science/article/pii/S1874548225000502
Citations: 0

Abstract

Threat models have major importance in the area of computer systems security, as they can help identify oversights in the security requirements of a system and influence the design of protection mechanisms. The objective of this paper is to improve the understanding of threats specific to the substation automation system based on the IEC 61850 standard. This would make the discussion and understanding of the protection mechanisms for IEC 61850 more fruitful. So, in this paper, we have developed a detailed threat model for a substation automation system based on the IEC 61850 standard. The developed threat model is based on attack trees and provides a visual and comprehensive overview of potential attack scenarios. The construction of the attack tree follows a top-down approach, starting with the attacker’s goal and encompassing all potential sequences of steps to achieve this goal. When considering possible ways to achieve a goal, we utilise the MITRE ATT&CK framework and take the specifics of the IEC 61850 substation automation system model into account. We used the threat model to discuss the effect of applying communication protection mechanisms to protect an IEC 61850 substation automation system (SAS). While a few other threat models exist for IEC 61850 substation automation systems, the model we presented here is significantly more comprehensive; it is adaptable and based on a novel threat modelling method that incorporates the MITRE attack pattern in the process of constructing an attack tree. One of the key findings of this article is the identification of the four fundamentally different ways to sabotage an IEC 61850 SAS. Other findings are related to the adaptivity of the attack tree, limitations of the attack tree, and mapping of known attacks on IEC 61850 SAS onto the attack tree.
Source journal

International Journal of Critical Infrastructure Protection
Categories: COMPUTER SCIENCE, INFORMATION SYSTEMS; ENGINEERING, MULTIDISCIPLINARY
CiteScore: 8.90
Self-citation rate: 5.60%
Articles published: 46
Review time: >12 weeks

Journal description: The International Journal of Critical Infrastructure Protection (IJCIP) was launched in 2008, with the primary aim of publishing scholarly papers of the highest quality in all areas of critical infrastructure protection. Of particular interest are articles that weave science, technology, law and policy to craft sophisticated yet practical solutions for securing assets in the various critical infrastructure sectors. These critical infrastructure sectors include: information technology, telecommunications, energy, banking and finance, transportation systems, chemicals, critical manufacturing, agriculture and food, defense industrial base, public health and health care, national monuments and icons, drinking water and water treatment systems, commercial facilities, dams, emergency services, nuclear reactors, materials and waste, postal and shipping, and government facilities. Protecting and ensuring the continuity of operation of critical infrastructure assets are vital to national security, public health and safety, economic vitality, and societal wellbeing. The scope of the journal includes, but is not limited to:
1. Analysis of security challenges that are unique or common to the various infrastructure sectors.
2. Identification of core security principles and techniques that can be applied to critical infrastructure protection.
3. Elucidation of the dependencies and interdependencies existing between infrastructure sectors and techniques for mitigating the devastating effects of cascading failures.
4. Creation of sophisticated, yet practical, solutions, for critical infrastructure protection that involve mathematical, scientific and engineering techniques, economic and social science methods, and/or legal and public policy constructs.