The use of protective relays as an attack vector – the cyber vulnerability of the electric grid

Protective relays are used to protect electric equipment such as motors and generators from electric faults. As an analogy, they are the circuit breakers in your house. Compared to the older electromechanical protective relays, digital protective relays provide a higher level of reliability, more functionality, and the ability to integrate directly with multiple devices, including SCADA. Consequently, digital protective relays are an integral part of Smart Grid, grid modernization, use of renewables, etc.

When a relay fails to operate as designed, major equipment damage or failure can occur with little opportunity to prevent the event, because it was the protection itself that was compromised. Aurora was an example of using the relays as the attack vector to damage all alternating current (AC) equipment connected to the substation through those relays. Because of the importance of digital protective relays, DOE has spent large sums of money on R&D to make digital protective relays more cyber secure.

Mission Secure, Inc. (MSI) is working with a number of control systems and devices to understand their cyber vulnerabilities in order to develop appropriate mitigation. When looking at the electric grid, MSI recognized that a weak link was the protective relays. Consequently, MSI procured a modern digital protective relay to analyze. They chose an SEL relay (in this case, the SEL-751A) because SEL relays are prevalent throughout the US electric system and other industries, and because SEL relays have very powerful computational capability, including the ability to program the relays. The SEL-751A is a feeder protection relay that is also used for Aurora protection. While the SEL-751A is a well-designed piece of equipment and important across the power sector and beyond, it was not designed to defend against a cyber attack. The members of the MSI attack team were neither nation-state actors nor even familiar with electric grid operations or protective relays. Yet, within a short period of time, MSI was able to take complete control of the HMI, the box, etc. MSI developed a variety of attack scenarios, including locking out the operators and administrators, removing the ability to trip, removing the ability to use any of the buttons as a manual override, and more. MSI did this to show how these devices, as with almost all control devices, are not designed for cyber threats and can be easily compromised. MSI demonstrated these various attacks at an electric industry conference in early July. It garnered great interest from various people in the utility space.


The implications of the cyber vulnerabilities of digital protective relays have great importance for Smart Grid, grid modernization, NERC CIP, large plant electric equipment protection, and even nuclear plant safety. There will be a discussion of the ease of hacking relays and potential mitigation at the October ICS Cyber Security Conference in Atlanta. Full disclosure: I am on MSI’s Technical Advisory Board.

Joe Weiss

Comments

  • I can confirm most of the attacks are possible with other, older relays. I don't know how MSI did it, but one way to lock out operators' and administrators' access that works with most IEDs is to simply change the listening port from the default. Programming and HMI software is not able to adapt to that and the only resolution is to have a technician scan the IP interface of the device. Older devices are configured via serial link or telnet - I'm not familiar enough with the 751 but it appears to be remotely configurable either through a custom protocol, 61850, 60870, telnet, or possibly http.


  • If you build a house and you don't fit locks to the doors, don't blame the house if bad people get in. If you don't lock your door when you leave the house, don't blame the design of the house if bad people get in. Perhaps this might be a weird thought ... but just perhaps it might be a good idea to make sure your relay selections have some form of password controls AND they are implemented. IEEE 1686 is a reasonably comprehensive Standard for applying passwords to IEDs such as relays ... maybe, just maybe, procurement specs should include such requirements, and perhaps they should be implemented ... no point in leaving the default manufacturer's password, yet few utilities actually change them :( OK – that is a first layer. But then you should consider how the baddies got access to the device in the first place!! Getting on the LAN is the first part of breaking into the relay (regardless of whether default passwords are changed or not)! Perhaps (??) securing the remote engineering access is also a good idea as a means to fit the equivalent of the door locks to the system! Just perhaps (??).. Systems like the Siemens Ruggedcom Crossbow http://w3.siemens.com/mcms/industrial-communication/en/rugged-communication/products/software/pages/crossbow.aspx are quite comprehensive solutions (and I still like them even though I don’t work for them anymore …)

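
The two comments above describe, from the defender's side, the same two controls: knowing which management services each relay is approved to expose (so that a moved listening port or a newly responding host stands out), and verifying that vendor default passwords have been replaced and per-user access control enabled. The following script is an added example, not code from the post, from MSI or from any relay vendor; the asset inventory, the scan results, the host names and the IP addresses are all constructed, and the port numbers are only illustrative. It compares a periodic scan of the engineering network against an inventory baseline and reports drift, alongside a credential-hygiene check over the same inventory.

```python
"""Baseline audit for protective relays (IEDs) on an engineering network.

Added example, not from the original post. All inventory and scan data below
is constructed for illustration; the IPs, ports and asset names are not real.
"""
from typing import Dict, List, Set, Tuple

# A finding is (asset name or IP, severity, message).
Finding = Tuple[str, str, str]

# Constructed asset inventory: the TCP ports each relay is approved to listen
# on, whether the vendor default password was changed, and whether per-user
# access control (the kind of control IEEE 1686 describes) is switched on.
BASELINE: Dict[str, dict] = {
    "feeder-relay-01": {"ip": "10.10.5.11", "ports": {102, 23},
                        "default_password_changed": True,
                        "access_control_enabled": True},
    "feeder-relay-02": {"ip": "10.10.5.12", "ports": {102},
                        "default_password_changed": False,
                        "access_control_enabled": True},
    "feeder-relay-03": {"ip": "10.10.5.13", "ports": {102, 80},
                        "default_password_changed": True,
                        "access_control_enabled": False},
}

# Constructed result of a scheduled scan of the engineering LAN: the set of
# open TCP ports seen on each responding host. Not real scanner output.
OBSERVED: Dict[str, Set[int]] = {
    "10.10.5.11": {102, 2323},   # approved port 23 gone, unapproved 2323 open
    "10.10.5.12": {102},         # matches baseline
    "10.10.5.13": {102, 80},     # matches baseline
    "10.10.5.14": {23},          # host that is not in the inventory at all
}


def check_port_drift(baseline: Dict[str, dict],
                     observed: Dict[str, Set[int]]) -> List[Finding]:
    """Report approved services that vanished, unapproved services that
    appeared, unreachable inventoried relays and uninventoried hosts."""
    findings: List[Finding] = []
    ip_to_asset = {asset["ip"]: name for name, asset in baseline.items()}

    for name, asset in baseline.items():
        seen = observed.get(asset["ip"])
        if seen is None:
            findings.append((name, "HIGH",
                             "host did not respond to scan; verify reachability"))
            continue
        for port in sorted(asset["ports"] - seen):
            findings.append((name, "HIGH",
                             f"approved service on port {port} is no longer listening"))
        for port in sorted(seen - asset["ports"]):
            findings.append((name, "HIGH",
                             f"unapproved service listening on port {port}"))

    for ip in sorted(observed):
        if ip not in ip_to_asset:
            findings.append((ip, "MEDIUM",
                             "responding host is not in the asset inventory"))
    return findings


def check_credential_hygiene(baseline: Dict[str, dict]) -> List[Finding]:
    """Flag relays still on the vendor default password or without
    per-user access control, based on the inventory's recorded state."""
    findings: List[Finding] = []
    for name, asset in baseline.items():
        if not asset["default_password_changed"]:
            findings.append((name, "HIGH", "vendor default password still in use"))
        if not asset["access_control_enabled"]:
            findings.append((name, "MEDIUM", "no per-user access control configured"))
    return findings


def audit(baseline: Dict[str, dict],
          observed: Dict[str, Set[int]]) -> List[Finding]:
    """Run both checks and return every finding, highest severity first."""
    rank = {"HIGH": 0, "MEDIUM": 1}
    all_findings = check_port_drift(baseline, observed) + \
        check_credential_hygiene(baseline)
    return sorted(all_findings, key=lambda f: (rank[f[1]], f[0]))


if __name__ == "__main__":
    for asset, severity, message in audit(BASELINE, OBSERVED):
        print(f"[{severity}] {asset}: {message}")
```

On the constructed data the port check flags the relay whose telnet service moved off its approved port (both the missing port and the new one), plus a host that answers on the LAN but is not in the inventory; the credential check flags one relay on its default password and one without per-user access control. The value of the port check is that it runs against a baseline the utility maintains, so it does not matter which of the protocols the first commenter lists (custom, 61850, 60870, telnet, http) a given relay uses; any change from what was approved is what gets reported.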

  • Question: Was access to the SEL relay gained by exploiting a new vulnerability (discovered by MSI) in the firmware? Was it reported to SEL? @CRMunoz27 (on Twitter)

