
IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 2, APRIL 2011

Asset Analysis of Risk Assessment for IEC 61850-Based Power Control Systems, Part II: Application in Substation
Nian Liu, Jianhua Zhang, Member, IEEE, and Xu Wu
Abstract: The information security risk assessment of IEC 61850-based power control systems is currently an unsolved problem. One of the reasons is a lack of methodology for asset analysis, which is an important process of risk assessment. In the companion paper (Part I), a specific methodology of asset analysis for IEC 61850-based power control systems is introduced. To explain and verify the proposed methodology, substation automation systems are selected as a typical application field. Before the case study, a basic principle for value assignment in a specific qualitative scale is proposed as a foundation for asset valuation. Then, an instance system based on IEC 61850 is introduced to apply the methodology. The overall procedures of asset identification and asset valuation are presented step by step. The results of the application show that the methodology can meet the requirements of risk assessment.

Index Terms: Asset identification, asset valuation, cybersecurity, risk assessment, substation automation system.

Manuscript received January 29, 2010; revised September 21, 2010; accepted October 26, 2010. Date of publication December 17, 2010; date of current version March 25, 2011. This work was supported in part by the National Natural Science Foundation of China (No. 50877026 and No. 51007022) and in part by the Fundamental Research Funds for the Central Universities (No. 09QG03). Paper no. TPWRD-00073-2010. The authors are with the School of Electric and Electronic Engineering, North China Electric Power University, Beijing 102206, China (e-mail: nian_liu@163.com). Digital Object Identifier 10.1109/TPWRD.2010.2090951

0885-8977/$26.00 © 2010 IEEE

I. INTRODUCTION

Toward the asset analysis of risk assessment (RA) for IEC 61850-based power control systems (PCSs), the first part of this joint paper introduced the methodology, which comprises asset identification and asset valuation. The usefulness of the methodology should be tested through applications. For a specific system, it is important to determine whether the results of the application can meet the requirements of RA. In asset identification, the results should provide classified assets and business processes at a suitable level of detail, and describe the relationships between assets and business processes. In asset valuation, the results at the three levels of value should objectively reflect the consequence incurred by the loss of security properties. To achieve the purpose of asset valuation, the basic principle for value assignment should be provided in a specific qualitative scale.

The IEC 61850 series was originally published for substation automation systems (SASs), and has gradually been extended to many other fields of PCSs [1], [2]. Therefore, we choose SASs as the application instance to explain and verify the methodology.

The content of this paper is organized as follows. Section II provides a basic principle for value assignment in a specific qualitative scale. Section III introduces an IEC 61850-based SAS for a case study. Sections IV and V present the procedures of asset identification and asset valuation, respectively. Finally, conclusions are given in Section VI.

II. BASIC PRINCIPLE FOR THE VALUE ASSIGNMENT IN A SPECIFIC QUALITATIVE SCALE

A. Purpose

To calculate the value of an information exchange, a principle for value assignment of each security property is needed. According to the methodology, the qualitative form is chosen for valuation; therefore, a qualitative scale should also be provided. In practice, the principle and the scale ought to be set up by electric power utilities (EPUs) according to the demands, experience, or features of their systems. To test the usefulness of the methodology, we propose a basic principle for value assignment in a specific qualitative scale, based on the instructions of IEC 61850 and IEC 62351. These can also serve as a reference for EPUs to develop their own principles and scales.

B. Process to Assign the Value of Security Properties

The security properties of each piece of information for communication (PICOM) always include confidentiality, integrity, and availability. IEC 61850 defines thousands of PICOMs, which have many similarities in their attributes. Therefore, these PICOMs are further classified into seven types of messages, according to the performance requirements of communications [3]. Since the PICOMs of the same type have common requirements, the principles for value assignment of the security properties can also be defined per type.

To describe the principles more conveniently, the seven types of PICOM are briefly introduced first:
Type 1) fast messages (subdivided into Type 1A, trip, and Type 1B, others);
Type 2) medium-speed messages;
Type 3) low-speed messages;
Type 4) raw data messages (subdivided into Type 4A, raw data for protection and control, and Type 4B, raw data for metering);
Type 5) file transfer functions;
Type 6) time synchronization messages;
Type 7) command messages with access control.
For more detail about these types, the definitions can be found in IEC 61850-5 [3].


For each security property of the PICOM types, the qualitative scale of value has five levels, from 1 to 5, meaning negligible, low, medium, high, and crucial. The principles for value assignment in this five-level qualitative scale are introduced as follows.

1) Confidentiality: The value assignment of confidentiality depends on the consequences incurred by the disclosure of information to unauthorized individuals, processes, or other entities.
Value 5 (Crucial): the information contains the most important secret of an organization (e.g., an EPU), which has crucial impacts on the business process (function). If the secret is disclosed, it will cause catastrophic failure.
Value 4 (High): the information contains an important secret of an organization. Its disclosure will cause serious damage.
Value 3 (Medium): the information contains a general secret of an organization. Its disclosure will cause damage.
Value 2 (Low): the information can only be opened inside an organization; its disclosure could cause slight damage.
Value 1 (Negligible): the information can be opened publicly without adverse impact.

Types 1 and 4 are the messages that are critical in transmission time (at the millisecond level). The communication models of these two types are generic object oriented substation events (GOOSE) and sampled measured values (SMV), respectively [4]. According to IEC 62351-1, the security measures for GOOSE and SMV do not include encryption, since it adds too many bytes to messages for which encryption has not been considered necessary; encryption might be considered only if hardware encryption is in future able to meet the time requirements [5]. Encryption is the security measure used for the confidentiality of information, so the confidentiality of these types is not required, although it can be applied once the time requirements are met. Thus, value 2 of confidentiality is assigned to Type 1 and Type 4.

According to IEC 61850, manufacturing message specification (MMS) messages based on the transmission control protocol/internet protocol (TCP/IP) are used as the protocol for the medium- and low-speed messages (Types 2 and 3). IEC 62351-3 and IEC 62351-4 recommend transport layer security (TLS) to ensure the confidentiality of these messages [6], [7]. These messages are mainly transmitted locally (e.g., within a substation), and the data size of a single message is relatively small, so value 3 of confidentiality is assigned to Type 2 and Type 3.

Type 5 is the file transfer messages, which are used for the transmission of large amounts of data with remote access, such as recordings, settings, etc. Type 7 is the command messages with access control, which may also be available through remote access. According to IEC 62351-3 and IEC 62351-4, TLS together with virtual private networks (VPNs) is recommended to ensure the confidentiality of these messages, because of the large data size and remote access. Therefore, value 4 of confidentiality is assigned to Type 5 and Type 7.

Type 6 is the time synchronization messages, which are used to synchronize the internal clocks among intelligent electronic devices (IEDs). This type of message has no requirement on confidentiality at all, so value 1 is assigned.

2) Integrity: The value assignment of integrity depends on the consequences incurred by the unauthorized modification or undetected errors of information.
Value 5 (Crucial): unauthorized modification or undetected errors will result in a significant or unacceptable influence on the organization. These can cause serious disruption of the business process and are very difficult to compensate.
Value 4 (High): unauthorized modification or undetected errors will result in a significant influence on the organization. These can cause a serious impact on the business process and are difficult to compensate.
Value 3 (Medium): unauthorized modification or undetected errors will result in an influence on the organization. These can cause an obvious impact on the business process, but are possible to compensate.
Value 2 (Low): unauthorized modification or undetected errors will result in a slight influence on the organization. These can cause a minor impact on the business process, but are easy to compensate.
Value 1 (Negligible): the influence of unauthorized modification or undetected errors on the organization and business process is negligible.

There are two definitions of integrity, in IEC 61850-5 and IEC 62351-1. In IEC 61850-5, integrity means that, for a given background noise, the resulting errors are below a certain acceptable limit [3]. In IEC 62351-1, the purpose of integrity is to prevent the unauthorized modification or theft of information [5]. Comparing the two meanings of integrity, the cause differs, but the consequence incurred by the loss of integrity is consistent. As described in IEC 61850-5, all safety-related messages, such as commands and trips with a direct impact on the process, shall have the highest integrity class; all other messages may be transmitted with lower data integrity, but not lower than the medium class [3].

Taking the description of IEC 61850-5 as a basis, we can further assign the value of integrity for each message type. The messages with a direct impact on the process include Type 1, Type 4A, Type 6, and Type 7. The value of integrity for these four types should be greater than or equal to 4. Type 1A, Type 4A, and Type 7 are directly associated with the IEDs of protection or the circuit breaker (CB). The loss of integrity may cause tripping or even power outages, so value 5 is assigned to them. For Type 1B and Type 6, value 4 is assigned since the integrity requirements are slightly lower. The integrity of the other messages, such as Type 2, Type 3, and Type 4B, is not lower than the medium class, so value 3 is assigned.

3) Availability: The value assignment of availability depends on the consequences incurred by denial of service and the prevention of authorized access to information.
Value 5 (Crucial): availability of the service is more than 99.9% per year, or interruption is not allowed in the system.
Value 4 (High): availability of the service is more than 90% per day, or the permissible interruption time is less than 10 min.
Value 3 (Medium): availability of the service is more than 70% during normal working hours, or the permissible interruption time is less than 30 min.


Value 2 (Low): availability of the service is more than 25% during normal working hours, or the permissible interruption time is less than 60 min.
Value 1 (Negligible): availability of the service is less than 25% during normal working hours.

IEC 61850-5 provides specific time requirements for all types of messages. For Types 1A and 4A, the required transmission time of a message is less than 4 ms, which means that for these two types the system does not allow any interruption. The time requirement of Type 6 has to be one order of magnitude better than that requested by the functional requirements [3]; hence the availability of Type 6 is crucial to all functions. Therefore, value 5 of availability is assigned to Type 1A, Type 4A, and Type 6. The time requirement of Type 5 is the lowest of all message types, but considering the importance of SASs, the assignment of value 3 is necessary. For the remaining types of messages, value 4 of availability is assigned because of their time requirements.

C. Values of Security Properties Per Types of PICOM

Based on the discussion above, the values of confidentiality, integrity, and availability for the seven types of PICOM are summarized in Table I. In applications, these values can be used as a basic principle for value assignment.

TABLE I
VALUE ASSIGNMENT OF SECURITY PROPERTIES PER TYPES OF PICOM
(values as assigned in Section II-B; C = confidentiality, I = integrity, A = availability)

  Type   C   I   A
  1A     2   5   5
  1B     2   4   4
  2      3   3   4
  3      3   3   4
  4A     2   5   5
  4B     2   3   4
  5      4   3   3
  6      1   4   5
  7      4   5   4

III. INSTANCE SYSTEM FOR CASE STUDY

The study system for asset analysis is selected from a part of an SAS. Taking the IEDs with functions of basic protection, control, and metering into account, the related logical nodes of the IEDs in a bay are modeled, as shown in Fig. 1. There are seven IEDs in the system: E1Q1KA1, E1Q1KA2, E1Q1KA3, E1Q1KA4, E1Q1KA5, AA1KA1, and AA1KA2. WX01 and WX02 are the communication buses of the process level and station level, respectively. The logical nodes include XSWI, XCBR, TVTR, TCTR, MMXU, MMTR, RFLO, PDIS, RREC, PDIR, RPSB, PTRC, CILO, CSWI, IARC, IHMI, and CALH. The actual meanings of these logical nodes can be found in IEC 61850-5 or IEC 61850-7-4 [8].

IV. ASSET IDENTIFICATION OF THE INSTANCE SYSTEM

Fig. 1. Instance substation automation system.

A. Preparation

The asset list of the instance system is established and shown in Table II. The functions include measuring and metering, switch control, and distance protection, and can be implemented by the assets in Table II. Furthermore, the functions and the involved logical nodes are listed in Table III.

TABLE II ASSET LIST OF THE INSTANCE SYSTEM

TABLE III FUNCTION LIST OF THE INSTANCE SYSTEM

B. Structured Asset Model

According to Definition 1 and Definition 2, the assets and the information exchanges of the instance system are identified, respectively.


Assets:

Information exchanges:

C. Function-Oriented Business Process Model

According to Definition 3, the set of functions is described as follows:

Then the function graphs are constructed by Definition 4. For example, the function graph of can be described as follows (see Fig. 2):

Fig. 2. Function graph of f.

Similarly, the function graphs of and are shown in Figs. 3 and 4.

V. ASSET VALUATION OF THE INSTANCE SYSTEM

To explain the process of asset valuation in detail, we take the assets involved in function as an example.

A. Valuation of Information Exchange

From the function graph of , the information exchanges include to . Based on the aforementioned principles of value assignment and the 1-5 qualitative scale, the values of the security properties can be derived by type of PICOM. Then, the value of each information exchange can be calculated by Definition 6. The results are
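The valuation step just described, as an added Python example (not the paper's own code or results): the (C, I, A) tuples are the Section II-B assignments, while Definition 6 itself is given in Part I and not reproduced here, so the aggregation used, log2 of the mean of 2^x over all property values, is an assumption, chosen because it reproduces both values reported in Section VI-A (3.2224 for a Type 4B exchange, 3.4150 for a Types 3 and 5 exchange) and always lies between their average and their maximum. It also adds a check of the IEC 61850-5 integrity minima quoted in Section II-B, which a utility editing the table for its own system can rerun.

```python
"""Value of an information exchange from the per-type value assignment.

Added example, not code from the paper. TABLE_I holds the (C, I, A) values
assigned in Section II-B. Definition 6 is in Part I and not on this page; the
aggregation in exchange_value() is an ASSUMPTION that reproduces the two values
reported in Section VI-A (3.2224 and 3.4150).
"""
import math
from typing import Dict, Iterable, List, Tuple

Triple = Tuple[int, int, int]  # (confidentiality, integrity, availability), scale 1..5

# Values of the security properties per type of PICOM, as assigned in Section II-B.
TABLE_I: Dict[str, Triple] = {
    "1A": (2, 5, 5), "1B": (2, 4, 4),
    "2": (3, 3, 4), "3": (3, 3, 4),
    "4A": (2, 5, 5), "4B": (2, 3, 4),
    "5": (4, 3, 3), "6": (1, 4, 5), "7": (4, 5, 4),
}

# Types with a direct impact on the process (IEC 61850-5 as quoted in Section II-B):
# highest integrity class (value >= 4); all other types at least medium (>= 3).
DIRECT_IMPACT_TYPES = {"1A", "1B", "4A", "6", "7"}


def property_values(picom_types: Iterable[str], table: Dict[str, Triple] = TABLE_I) -> List[int]:
    """All C/I/A values carried by one exchange made up of the given PICOM types."""
    values = [x for t in picom_types for x in table[t]]
    if not values:
        raise ValueError("an information exchange must carry at least one PICOM type")
    return values


def exchange_value(picom_types: Iterable[str], table: Dict[str, Triple] = TABLE_I) -> float:
    """ASSUMED form of Definition 6: exponential mean on the 1..5 scale.

    v = log2(mean(2**x)). Equal inputs give v == x; otherwise, by convexity of
    2**x, mean(x) < v < max(x), so one crucial property pulls the value up
    without hiding the others, which is the behaviour Section VI-A describes.
    """
    xs = property_values(picom_types, table)
    return math.log2(sum(2.0 ** x for x in xs) / len(xs))


def value_bounds(picom_types: Iterable[str], table: Dict[str, Triple] = TABLE_I) -> Tuple[float, int]:
    """(average, maximum) of the property values, the two quantities Section VI-A compares against."""
    xs = property_values(picom_types, table)
    return sum(xs) / len(xs), max(xs)


def integrity_violations(table: Dict[str, Triple] = TABLE_I) -> List[str]:
    """PICOM types whose integrity value is below the IEC 61850-5 minimum class."""
    bad = []
    for t, (_conf, integrity, _avail) in sorted(table.items()):
        minimum = 4 if t in DIRECT_IMPACT_TYPES else 3
        if integrity < minimum:
            bad.append(t)
    return bad


if __name__ == "__main__":
    for kinds in (["4B"], ["3", "5"], ["1A"]):
        avg, mx = value_bounds(kinds)
        print(f"types {kinds}: value {exchange_value(kinds):.4f} (average {avg:.2f}, maximum {mx})")
    print("integrity violations in Table I:", integrity_violations())
```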

B. Asset Valuation of the Function Level

Prior to calculating the asset value of the function level, it is necessary to initialize the values of the information exchanges associated with the asset. First, according to Step 1, obtain the

Second, following Step 2 and Step 3, the results are:

Third, the asset values of the function level are calculated by Definition 7:

Similarly, the asset values of the function level for and can also be calculated. The results are shown in Table IV.

TABLE IV RESULT OF THE ASSET VALUATION OF THE FUNCTION LEVEL

C. Asset Valuation of the System Level

To further calculate the asset value of the system level, the impact factors of the functions should be determined first. For testing the methodology, the values 0.7, 0.8, and 0.9 are selected for , , and , respectively. (Note: the values of the impact factors selected here are only used to explain the methodology, and may not reflect the importance of the functions to the electric power system very accurately.) Taking the asset as an example, the asset value of the system level is

Similarly, the asset values of the system level for to are shown in Table V.

TABLE V ASSET VALUE OF THE SYSTEM LEVEL

Fig. 3. Function graph of f.

Fig. 4. Function graph of f.

VI. ANALYSIS

A. Analysis for the Value of Information Exchange

For to , the messages belong to Type 4B, and the values of the security properties are (2, 3, 4). Then, the value of to is 3.2224, which is smaller than the maximum value of the security properties (availability, 4) but larger than their average value (3). For to , the messages belong to Types 3 and 5, and the values of the security properties are (3, 3, 4) and (4, 3, 3), respectively. Then, the value of to is 3.4150, which is also between the maximum value (4) and the average value (3.33) of the security properties. From the results, we find that the value of an information exchange is decided by the message type, and is affected by the maximum value and the average value of the security properties.

B. Analysis for the Asset Value of the Function Level

From the results, we find that the asset values mostly depend on the maximum value of the related information exchanges. For example, the asset values of and are larger than the asset value of , because of the maximum values of their related information exchanges. The number of information exchanges related to an asset can also affect the asset values. For example, in , the maximum value of the information exchanges related to , , and is 3.4150, but the number of information exchanges related to


is more than the other two, so the asset value of is larger than and .

C. Analysis for the Asset Value of the System Level

From the results, the asset value of the system level is not only determined by the asset value of the function level, but is also affected by the importance of the functions to the electric power system. Taking the asset as an example, the asset value of the system level is lower than the maximum value of the function level, since the impact factor takes effect.

VII. CONCLUSION

In asset identification, the assets are classified by IEDs, and the detail of each IED is provided by a structured asset model, which includes the logical nodes of the IEDs and the information exchanges between them. Furthermore, the function-oriented business process model uses a function graph to establish the relationships among functions, assets, and information exchanges. These two parts not only determine the specific objects of assets, but also provide enough detail and relations for asset valuation.

In asset valuation, the value of an information exchange is determined by the message types and the values of the security properties. For a specific function, the asset value of the function level mostly depends on the maximum value of the related information exchanges, and it is also affected by the number of these information exchanges. For a specific system, the asset value of the system level is determined by the asset value of the function level and the impact of the functions on the electric power system. From these three levels of asset valuation, the factors for evaluating the consequences incurred by the loss of security properties are taken into consideration step by step.

There is still a problem that needs further consideration: how to choose the values of the impact factors for functions. The importance of functions in PCSs is affected by many aspects, such as substation capacity, voltage level, the task of the function, the time frame of performance, etc. Perhaps multiple criteria decision making (MCDM) is a possible solution.

REFERENCES
[1] Communication networks and systems in substations, All parts, IEC 61850-SER ed1.0, Mar. 2009.
[2] Communication networks and systems for power utilities automation, Part 7-420: Basic communication structure, distributed energy resources logical nodes, IEC 61850-7-420, Mar. 2009.
[3] Communication networks and systems in substations, Part 5: Communication requirements for functions and device models, IEC 61850-5, 2003.
[4] Communication networks and systems in substations, Part 7-2: Basic communication structure for substation and feeder equipment, abstract communication service interface (ACSI), IEC 61850-7-2, 2003.
[5] Power systems management and associated information exchange, data and communications security, Part 1: Communication network and system security, introduction to security issues, IEC TS 62351-1, May 2007.
[6] Power systems management and associated information exchange, data and communications security, Part 3: Communication network and system security, profiles including TCP/IP, IEC TS 62351-3, Jun. 2007.
[7] Power systems management and associated information exchange, data and communications security, Part 4: Communication network and system security, profiles including MMS, IEC TS 62351-4, Jun. 2007.
[8] Communication networks and systems in substations, Part 7-4: Basic communication structure for substation and feeder equipment, compatible logical node classes and data classes, IEC 61850-7-4, 2003.

Nian Liu received the B.S. and M.S. degrees in electric engineering from Xiangtan University, Hunan, China, in 2003 and 2006, respectively, and the Ph.D. degree in electrical engineering from North China Electrical Power University, Beijing, China, in 2009. Currently, he is a Lecturer in the School of Electrical and Electronic Engineering of North China Electrical Power University. His research interests are power system management and associated information exchange, monitoring and control of new energy sources, communication systems of substation automation system, and power system security assessment.

Jianhua Zhang (M'04) was born in Beijing, China, in 1952. He received the M.S. degree in electrical engineering from North China Electric Power University, Beijing, China, in 1984. He was a Visiting Scholar with Queen's University, Belfast, U.K., from 1991 to 1992, and was a Multimedia Engineer of Electric Power Training with CORYS T.E.S.S., France, from 1997 to 1998. Currently, he is a Professor and Head of the Transmission and Distribution Research Institute, North China Electric Power University. He is also a Consultant Expert of the National 973 Planning of the Ministry of Science and Technology. His research interests are in power system security assessment, operation and planning, and emergency management. Mr. Zhang is an IET Fellow and a member of several technical committees.

Xu Wu received the B.S. and M.S. degrees in electric engineering from North China Electrical Power University, Beijing, China, in 2007 and 2009, respectively, where he is currently pursuing the Ph.D. degree. His research interest is the security assessment of power systems.
