
A Collaborative Defense for Securing Protective Relay Settings in Electrical Cyber Physical Systems

Reynaldo Nuqui, Junho Hong, Anil Kondabathini, Dmitry Ishchenko, David Coats
ABB, US Corporate Research Center, Raleigh, NC, USA
Reynaldo.nuqui@us.abb.com

This project was funded in part by the US Department of Energy's Cybersecurity for Energy Delivery Systems (CEDS) program under Award No. DE-OE0000674.

978-1-5386-6913-6/18/$31.00 ©2018 IEEE

Abstract— Modern power systems today are protected and controlled increasingly by embedded systems of computing technologies with a great degree of collaboration enabled by communication. Energy cyber-physical systems such as power system infrastructures are increasingly vulnerable to cyber-attacks on the protection and control layer. We present a method of securing protective relays from malicious changes in protective relay settings via collaboration of devices. Each device checks the proposed setting changes of its neighboring devices for consistency and coordination with its own settings, using setting rules based on relay coordination principles. The method is enabled via peer-to-peer communication between IEDs. It is validated in a cyber-physical test bed containing a real time digital simulator and actual relays that communicate via IEC 61850 GOOSE messages. Test results showed improvement in cyber physical security by using domain based rules to block malicious changes in protection settings caused by simulated cyber-attacks. The method promotes the use of defense systems that are aware of the physical systems which they are designed to secure.

Keywords— critical infrastructure protection; cyber-physical systems; cyber-attack; cyber security; relay coordination; protection and control; IEC 61850

I. INTRODUCTION

Modern power systems are protected and controlled increasingly by embedded systems of computing technologies with a great degree of collaboration enabled by communication. In view of these developments, power system infrastructure is increasingly becoming vulnerable to cyber-attacks on the protection and control layer. In the past, substations usually had limited connectivity with other systems; now, however, most substations incorporate advanced technologies including Intelligent Electronic Devices (IEDs), standardized protocols, Ethernet based communication and remote access controls, which bring benefits for both operations and engineering. However, these new technologies expose new system vulnerabilities such as unauthorized remote access to substations; misconfigured security devices (e.g., firewalls) could result in security breaches by cyber intruders. Successful attacks on substations may trip circuit breakers and could trigger cascaded sequences of events that could impact the power system. In the worst scenario, it could lead to blackouts with severe economic consequences. In order to address these problems, the North American Electric Reliability Corporation (NERC) has mandated Critical Infrastructure Protection (CIP) standards for the bulk power system that cover the security of critical cyber assets, physical and cyber security, electronic security perimeters as well as personnel training and security management. Similarly, International Electrotechnical Commission (IEC) Technical Committee (TC) working group 15 has also released the IEC 62351 standard to secure industrial communication protocols, particularly IEC 61850.

Fig. 1. An attack on the sensor network is an attack on the power system

An attack on the power system's sensor network is an attack on the system itself (Fig. 1), and security measures need to be in place to secure the sensor network. Most existing cyber security techniques against cyber-attacks on protection and control devices of power grids are performed at the ICT (Information and Communication Technology) layer. Several key issues are attendant to ICT layer based mitigations: (1) they result in an unacceptable false positive/negative ratio, (2) they can be compromised by new types of cyber-attacks, and (3) they need constant system updates or patches when new versions of OS and ICT are available. This paper proposes a defense against malicious setting changes on protection relays based on domain principles of relay coordination, and is intended to enhance the cyber physical security of protection devices in general.

II. THREAT MODEL

In order to be able to design an efficient mitigation scheme, it is first necessary to understand the approaches by which relay settings can be changed maliciously. The key is gaining access to the utility network, which puts an adversary in a position to make changes to the protective relay settings. The adversary could be an outsider who stole a user ID and password and/or successfully hacked into the system. Inside the network the attacker can subsequently determine the communication parameters of a relay, conduct an investigation of the device configuration, and finally initiate protective relay setting changes. Similarly, it is also possible that an authorized user by accident deploys the wrong settings in the relay. Fig. 2 shows a high level attack tree showing the different avenues by which relay settings may be maliciously changed.

One credible threat from an adversary could be to extend the reach of distance protection with the malicious intent to mis-coordinate two adjacent relays. Fig. 3 illustrates how an attacker could change the Zone 1 settings of a distance relay IED1 to overreach into the Zone 1 setting of the next relay IED2. When the fault happens in Line 2 as indicated in the shaded region, circuit breaker CB3 will trip normally, but CB1 is also forced to trip incorrectly. The action of distance protection in this case results in more line outages than necessary. In high voltage power systems, additional outages have the potential to weaken the system in terms of its ability to hold the voltage level or provide a path for new power flow patterns. Sometimes multiple outages could result in cascading failures which could lead to system collapse.

The same threat can be carried out on all settings of the distance relay, that is, zone 2, zone 3, etc. Fig. 4 shows for example an attack on the zone 2 setting of IED1 resulting in overreaching into the zone 2 setting of the next line relay, IED2. When a fault happens again in the shaded region, the attacker would succeed in falsely tripping circuit breaker CB1. Note that this concept is easily adapted to other types of distance relays, such as reactance type, impedance type or quadrilateral type.

Fig. 2. A high level attack tree leading to a malicious change in relay setting (tree nodes: Malicious change in IED setting; Unauthorized access to IED; Authorized access to IED; Stolen user ID and PW; IT security breach; Disgruntled employee)

Fig. 3. Conceptual threat to miscoordinate distance relays, zone 1 case

Fig. 4. Conceptual threat for zone 2 miscoordination of distance relays

Compromised settings are like failures that can be exposed when a fault occurs. We can define a region of vulnerability that corresponds to the condition in which the impedance distance to the fault calculated by the compromised relay will result in incorrect tripping. It is illustrated as the shaded regions in Fig. 5 and Fig. 6, where the characteristics of the two adjacent distance relays are overlaid in the R-X diagram. Note that the adversary can also change the time delay settings of zone 2 and zone 3, resulting in further mis-coordination of the zonal protections. For example, in this case and as indicated in the shaded region in Fig. 6, zone 2 of the target relay can also mis-coordinate with zone 1 of the next relay. In view of the nature of the mho relay, even a fault with impedance can fall within the regions of vulnerability.

Fig. 5. Region of vulnerability between two mho distance relays caused by malicious changes in zone 1 relay settings

As long as access to the relay is established, any kind of settable parameter can be compromised. The threat described here is also applicable to other relays such as overcurrent protection [1]. The attack goal is to miscoordinate a relay with its neighbors.

Fig. 6. Region of vulnerability between two mho distance relays caused by malicious changes in zone 2 relay settings

III. DISTRIBUTED SECURITY LAYER

Security against cyber-attacks can be realized by distributing the defense across all intelligent electronic devices. This makes each device aware of attacks on its neighbors and arms the system with mitigation schemes to block such attacks. The scheme is inherently distributed among all the intelligent components of the system.
A. Peer-to-Peer IED Collaboration

The basic defense methodology proposed in this paper requires that protective relays collaborate in determining the consistency of the new relay settings. It requires protective relays to communicate with each relay in their neighborhood. With this scheme security is distributed, making it hard for an attacker to realize a successful attack (success here can only be achieved if all the relays are attacked). The relays could be located within a substation or across different substations. The collaboration requires each relay to store information regarding its neighbors' settings and also information on the impedances of all lines around it. Fig. 7 illustrates this concept of a distributed architecture for collaboration between the relays. Information is freely transferred from one relay to the other using local substation or inter-substation communication. For example, IEC 61850-90-1 and IEC 61850-90-5 allow for communication between substations.

Fig. 7. Distributed architecture of protective relays for collaborative defense

B. Rule Based Algorithm

The methodology is based on relay coordination principles. In the system shown in Fig. 3, for example, each relay's firmware can be updated to host the relay coordination check logic. The following relay setting changes are considered suspicious and should be invalidated: a) if the zone 1 setting of IED 1, Zone1IED1, exceeds the line 1 impedance, ZLINE1; b) if the zone 2 setting of IED 1, Zone2IED1, overreaches into the zone 2 setting of IED 2, Zone2IED2; and c) if the zone 3 setting of IED 1 overreaches into the zone 3 setting of IED 2. The cases mentioned correspond to mis-coordinated zone 1, zone 2, and zone 3 respectively of IED 1 and IED 2. These conditions can be formally stated as in Fig. 8. When satisfied, the conditions result in the target relay's attempted changes not being confirmed by neighboring relay(s).

Condition 1: If Zone1IED1 ≥ ZLINE1
Condition 2: If Zone2IED1 ≥ ZLINE1 + Zone1IED2
Condition 3: If Zone3IED1 ≥ ZLINE1 + ZLINE2

Fig. 8. Simple Coordination Rules for Distance Protection

The aforementioned conditions are by no means comprehensive. For example, another set of conditions can be stated for overcurrent relays [1]. They are stated to give a flavor of the nature of the security algorithms within each of the relays.

C. Relay Coordination Principles in each Device

The rules of relay coordination, such as the ones mentioned above, are deployed in each device. The method requires each device to have a database of at least the line impedances of each of the lines behind it, that is, lines in which a fault would not by design trip this relay. Each device will make an independent assessment of the proposed changes in settings and can independently decide whether the proposed settings of its neighboring relays are coordinated with its own settings. If at least one device does not confirm the setting change, the attempted changes will not be finalized. The non-conforming relay will issue a non-conforming signal that is received by the target relay, blocking the attempted relay setting changes. The basic algorithm for the collaborative defense among the relays or IEDs is shown in Fig. 9.

1. Attacker writes proposed settings to a relay.
2. The relay (requesting relay) sends the proposed settings to the neighboring relays.
3. Each neighboring relay checks if the proposed settings are coordinated with its own settings.
4. Each neighboring relay sends either a confirmation or non-confirmation signal to the requesting relay.
5. The requesting relay receives a confirmation or non-confirmation from each neighboring relay.
6. If at least one relay issues a non-conforming signal, then the proposed settings will not be activated.

Fig. 9. Collaborative defense algorithm for securing relay settings

The suggested approach will make setting changes more secure. Fig. 10 shows an updated attack tree with this collaborative defense by the IEDs, illustrated here as the IED setting change request layer. It shows that the attempted changes will only be finalized if all the IEDs send a confirmation signal. The extra check by the neighboring relays will greatly enhance the security of relay settings against cyber-attacks. It is worth mentioning that authorized correct settings will pass through this layer. Nonetheless, an alarm is always issued by the relay in case the attacker inputs correct settings that pass the relay coordination check.
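The rules of Fig. 8 and the six steps of Fig. 9, as an added worked example that is not code from the paper or from ABB: each polled neighbor applies the three conditions to the requester's proposed reaches and answers confirm or non-confirm, and the requester activates the change only when every neighbor confirms, recording an operator alarm either way. GOOSE transport is replaced by direct method calls. The relay names, the line impedances (10 Ω and 12 Ω), the zone 3 values and the assumption that IED C protects a second line leaving the same bus as IED B are all constructed; only the 85 % and 140 % zone 1 and zone 2 reaches follow Section V.A.

```python
"""Collaborative relay-setting check: an added worked example of the rules of
Fig. 8 and the algorithm of Fig. 9. Written for this page; not the paper's or
ABB's implementation. Relay names, impedances and message shapes are
constructed, and GOOSE transport is replaced by direct method calls."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Settings:
    """Distance reach settings in ohms (constructed units; only ratios matter)."""
    zone1: float
    zone2: float
    zone3: float


class Relay:
    """One IED: its active settings, the impedance of the line it protects and a
    small database of the lines behind it (the database of Section III.C)."""

    def __init__(self, name: str, settings: Settings, z_line: float,
                 lines_behind: Dict[str, float]) -> None:
        self.name = name
        self.settings = settings
        self.z_line = z_line                # Z of the line this relay protects
        self.lines_behind = lines_behind    # requester name -> Z of the requester's line
        self.neighbors: List["Relay"] = []  # peers polled on every change request
        self.alarms: List[str] = []         # what an operator would see

    def evaluate(self, requester: str, proposed: Settings) -> Tuple[bool, List[str]]:
        """Neighbor side (steps 3-4 of Fig. 9): apply the three conditions of
        Fig. 8 with this relay as IED2 and the requester as IED1. Any condition
        that holds is a coordination violation, so the answer is non-confirmation."""
        z_line1 = self.lines_behind[requester]
        violations = []
        if proposed.zone1 >= z_line1:  # condition 1: zone 1 leaves the requester's own line
            exposed = (proposed.zone1 - z_line1) / self.z_line  # share of our line overreached
            violations.append(f"cond1: zone1 {proposed.zone1:g} >= Z_LINE1 {z_line1:g} "
                              f"(covers {exposed:.0%} of {self.name}'s line)")
        if proposed.zone2 >= z_line1 + self.settings.zone1:  # condition 2: into our zone 1
            violations.append(f"cond2: zone2 {proposed.zone2:g} >= Z_LINE1 + Zone1 "
                              f"{z_line1 + self.settings.zone1:g}")
        if proposed.zone3 >= z_line1 + self.z_line:  # condition 3: past the end of our line
            violations.append(f"cond3: zone3 {proposed.zone3:g} >= Z_LINE1 + Z_LINE2 "
                              f"{z_line1 + self.z_line:g}")
        return (not violations, violations)

    def request_change(self, proposed: Settings) -> Tuple[bool, Dict[str, List[str]]]:
        """Requesting side (steps 2, 5 and 6 of Fig. 9): send the proposal to every
        neighbor; a single non-confirmation blocks it and the old settings stay.
        An alarm is recorded either way, as Section III requires even for changes
        that pass the check."""
        verdicts = {n.name: n.evaluate(self.name, proposed) for n in self.neighbors}
        rejections = {name: why for name, (ok, why) in verdicts.items() if not ok}
        if rejections:
            self.alarms.append(f"BLOCKED {proposed}: {rejections}")
            return False, rejections
        self.settings = proposed
        self.alarms.append(f"APPLIED {proposed}, confirmed by {sorted(verdicts)}")
        return True, {}


def build_testbed() -> Relay:
    """Constructed chain in the spirit of Fig. 3 and Fig. 12: IED A protects line A
    (10 ohm) and IED B protects line B (10 ohm) beyond it; IED C is assumed to
    protect a second line (12 ohm) leaving the same bus as IED B. Zone 1 = 85 %
    and zone 2 = 140 % of the own line as in Section V.A; zone 3 is set just under
    the two-line sum (constructed) because Fig. 8 tests with >=."""
    ied_b = Relay("IED B", Settings(8.5, 14.0, 19.0), 10.0, {"IED A": 10.0})
    ied_c = Relay("IED C", Settings(10.2, 16.8, 21.0), 12.0, {"IED A": 10.0})
    ied_a = Relay("IED A", Settings(8.5, 14.0, 19.0), 10.0, {})
    ied_a.neighbors = [ied_b, ied_c]
    return ied_a


def run_scenarios() -> Dict[str, bool]:
    """Replay Section V: the two overreaching proposals of Fig. 12(b)/(c) and one
    legitimate trim. Returns whether each proposal was activated."""
    ied_a = build_testbed()
    return {
        # (b): zone 1 pushed past the end of line A into zone 1 of IED B
        "zone1_overreach": ied_a.request_change(Settings(12.0, 14.0, 19.0))[0],
        # (c): zone 2 pushed past line A + zone 1 of IED B (IED C alone would accept it)
        "zone2_overreach": ied_a.request_change(Settings(8.5, 19.0, 19.0))[0],
        # authorized change that stays coordinated: applied, but still alarmed
        "authorized_trim": ied_a.request_change(Settings(8.0, 13.5, 19.0))[0],
    }


if __name__ == "__main__":
    ied_a = build_testbed()
    for label, proposal in [("zone 1 attack", Settings(12.0, 14.0, 19.0)),
                            ("zone 2 attack", Settings(8.5, 19.0, 19.0)),
                            ("authorized", Settings(8.0, 13.5, 19.0))]:
        ok, why = ied_a.request_change(proposal)
        print(f"{label}: {'APPLIED' if ok else 'BLOCKED'} {why}")
    print("active settings:", ied_a.settings)
```

Two details worth noticing when deploying rules of this kind. First, the zone 2 attack is caught by IED B alone while IED C confirms it, which is exactly why step 6 of Fig. 9 blocks on a single non-confirmation rather than a majority. Second, Fig. 8 tests with ≥, so a zone 3 reach set exactly to ZLINE1 + ZLINE2 (the "fully back up the next line" setting of Section V.A) would be flagged by condition 3 as written; the constructed zone 3 values stay just under that sum, and a real deployment would need to decide whether the boundary case is a violation.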

Fig. 10. A high level attack tree with IED distributed setting change request security layer (tree nodes: Malicious change in IED setting; IED setting change request layer with branches All IEDs approve change and At least one IED disapproving; Setting change request; Unauthorized access to IED; Authorized access to IED; Stolen user ID and PW; IT security breach; Disgruntled employee)

IV. CYBER-PHYSICAL TEST BED

To bring the proposed concept closer to practice it is necessary to validate the collaborative defense of the protective devices in a hardware-in-the-loop system. This cyber-physical test bed is necessary to validate the credibility of the threats, and also to validate that mitigation concepts will work in the real world. This test bed is composed of a cyber and a physical system together [2],[3]. The physical system model is based on a substation with ring bus topology connected to two other substations via 500 kV transmission lines. It is simulated using a real time digital simulator, which is important to capture potentially sudden changes to relay setting groups arising from loss of generation, line faults, and service restoration efforts [4]. The digital simulator allows the relays to receive measurement signals from the power system model in real time. The cyber-physical system test bed is also used to assess the severity of an attack on the power system. The cyber system is composed of various ICT devices such as gateways, protective IEDs, and a user interface. The cyber physical system interacts using IEC 61850.

Fig. 11 shows the cyber-physical test bed with all the components used to test the concept presented in this paper.

Fig. 11. A cyber physical test bed and its components (diagram labels: cyber system: user-interface, gateway, firewall, security filter, GPS, station bus, process bus, protective IEDs, DI/O, RTDS, attackers (MU and CB); physical system: target substation with ring bus, disconnect switch, 500 kV and 161 kV lines, transformer, circuit breakers CB1-1, CB1-2, CB1-3, CB2-1, CB2-2, CB2-3, CB2-4, buses A1, A2, A3, generator G, IED A through IED E, power system modeling in RTDS; legend: HMI: Human Machine Interface, IED: Intelligent Electronic Device, DI/O: Digital Input / Output, MU: Merging Unit, CB: Circuit Breaker, RTDS: Real Time Digital Simulator)

A. IEC 61850 - Enabler for Peer-to-Peer Communication

The adoption of IEC 61850 standards has brought many benefits such as: (1) reduced engineering effort and costs, (2) resolved interoperability problems between different vendors, and (3) enhanced reliability of substation operation. IEC 61850 is one communication medium by which distributed security can be enabled. The standard is flexible enough to allow communication between IEDs within a substation and also between substations. In the cyber physical set up the relays were made to communicate with each other using GOOSE messages. GOOSE is used to transfer the proposed relay setting changes from the target relay. GOOSE is also used to communicate the decision made by the polled relays on whether they agree to the attempted changes or not.

B. Real Time Digital Simulator

Real time simulation of the power system and related protection equipment was modeled using a real time digital simulator (RTDS), and the model is used as a basis for validating the protective schemes employed by the relays. It is to be noted that the core functionality of the relays is to protect the system equipment against external events like faults. It is crucial to demonstrate that the mitigation features employed using these relays do not compromise their primary protection function during real time operation. The RTDS provides this very important simulation environment to test the performance requirements of developed methods applicable to power system operation.

The RTDS simulator represents a physical model of a power system in real time and provides interfaces to the protection devices through Sampled Value streams (for measuring voltage/current signals) and GOOSE messages (for status signals). The RTDS has the capability to provide a real time communication link between simulator and protection relays via Ethernet using the Giga-Transceiver Network Communication Card (GTNET). The GTNET card with GTNET-GSE configuration implements the GOOSE interface and the GTNET-SV configuration implements the IEC 61850-9-2 Sampled Values interface to communicate with the protective relays. The information received by the relays is utilized to continuously estimate the power system states in real time, and the same information in conjunction with the peer-to-peer communication between the relays is also used to assess the severity of an attack on the power system.

C. The Power System Model

The single line diagram of the network and substation configuration is shown in Fig. 11. The power system network consists of source models and simple load equivalents connected through 500 kV and 161 kV transmission lines. The network and substation components are modeled using standard power system libraries available through the RTDS/RSCAD platform. To demonstrate the threat model and collaborative defense method, the protection coordination was implemented on a 500 kV network using physical IEDs (IED A through IED E of Fig. 12), which are configured as distance relays for Zone 1 and Zone 2 protection of their respective transmission lines. The breaker control IEDs are modeled using a combination of physical IEDs and RSCAD library models. The substation model incorporates the IEC 61850-8-1 station bus standard with GOOSE messaging for protection signals and the IEC 61850-9-2 process bus standard for voltage/current Sampled Values streams.

V. TESTING RESULTS

A. Threat Evaluation

Cyber attacks on protective IED settings have been conducted to validate the proposed threat and mitigation models. A cyber attack module intrudes into the substation communication network via a remote access point and compromises the user interface that contains an IED engineering tool. Then the cyber attacker gains access to the IED engineering tool using the operator's login credentials (e.g., ID and password). In order to execute a stealthy attack, the cyber attacker analyzes the current settings of the distance protection. As Fig. 12(a) illustrates, the current zone 1 setting of IED A is 85% of the line whereas the zone 2 setting of IED A is 140% of the transmission line A length. Similarly, the current zone 1 setting of IED B is 85% of the line whereas the zone 2 setting of IED B is 140% of the transmission line B length. Zone 3 was set to fully back up the next transmission line. Based on these protection coordination settings, IED A provides the main (primary) protection to line A and back-up (secondary) protection to line B, and the same holds for IED B for line B. For instance, when a fault occurs at 30% of line B, IED B will be the main protection device that should detect and clear the fault. However, if IED B has a malfunction and cannot clear the fault, the zone 2 protection of IED A will detect and clear the fault as back-up protection in order to minimize the outage area.

The first attack is initiated by changing the zone 1 setting of IED A so as to overreach into zone 1 of IED B, a clear violation of distance protection coordination as shown in Fig. 12(b). Next a fault located at the beginning of line B is simulated in RTDS. It is seen by zone 1 of IED B, resulting in correct tripping of circuit breaker B; the relay at the other end of the line (IED E) also tripped in this case. Additionally, the compromised settings in IED A also resulted in the unwanted tripping of CB A. Similarly, the second attack is initiated by changing the zone 2 setting of IED A so as to overreach into zone 2 of IED B, another clear violation of distance protection coordination as shown in Fig. 12(c). Next a fault located in the overlapped region of line B is simulated in RTDS. It is seen by zone 2 of IED B, resulting in correct tripping of circuit breaker B; the relay at the other end of the line (IED E) also tripped in this additional scenario. Additionally, the compromised settings in IED A also resulted in the unwanted tripping of CB A.

In the real world, the consequence of this attack and/or human error is extended line outages or potential customer interruptions. Another potential though unintended disturbance may arise from mis-configuration by a protection engineer. This situation could potentially happen when electric utilities are building a new substation or transmission line and protection engineers need to configure the existing and new protective relays' settings. It is also possible when protection engineers need to change settings due to changes in system conditions such as retirement of a transmission line or generator. Even after successful calculation of correct settings, a protection engineer or technician could key in the wrong protection settings into the relays.

Fig. 12. Configuration Change (CC) Attack (three time-versus-distance panels along Line A and Line B with relays IED A, IED D, IED B, IED E, IED C, IED F; zones shown: Z1, Z2 and Z3 of IED A, Z1 and Z2 of IED B; (a) Normal configuration; (b) Zone 1 setting change attack, with the zone 1 setting of IED A changed by cyber attack and the overlapped region due to the cyber attack marked; (c) Zone 2 setting change attack, with the zone 2 setting of IED A changed by cyber attack and the overlapped region due to the cyber attack marked)

B. Mitigation

The collaborative defense method described in Fig. 9 was implemented in each of the relays in the test bed. Simulating an attacker, IED A gets a configuration change request, which results in IED A issuing a GOOSE message containing the proposed settings to each of the neighboring relays, IED B and IED C. The message contains (1) the current setting of the IED and (2) the requested setting change of IED A. In the real world, the communication between relays at different substations can be done by routable GOOSE carrying analog setting values (defined in IEC 61850-90-1 and 90-5). Once the adjacent IEDs have received the setting confirmation request, both evaluate the proposed settings for coordination using the rules indicated in Fig. 8.

Note that if there is no loss of coordination, the adjacent IEDs are programmed to send a true response via GOOSE to the target IED. Otherwise, a false response is sent. The target IED (i.e., IED A) will make a decision based on the responses from the adjacent IEDs. If any of the neighbor IEDs sends a false response, the target IED will discard/block the setting change request, keep the original setting values, and then send an alarm to operators to report the attempted change. For the simulated test, IED B sent out a false response, thereby blocking the attempted unauthorized setting changes to IED A due to the protection coordination violation. This mitigation could be particularly useful in systems with subsections undergoing frequent setting changes, such as in the case of integrated distributed energy resources with different modes (for example grid connected versus islanded) [5],[6].

VI. CONCLUSIONS

This paper has presented a novel method of securing configuration changes of protective relays. It is based on a collaborative defense action of these devices enabled by peer-to-peer communication. The architecture distributes the security to each of the devices, virtually blocking malicious intent to mis-coordinate relays during an actual fault. The method also minimizes the impact of incorrect settings caused by unintended human errors. Testing the method in a simulated IEC 61850 digital substation has validated the concept. The method promotes the use of defense systems that are aware of the physical system which they are designed to secure.

VII. REFERENCES

[1] R. Nuqui and L. Tang, "Collaborative Defense of Energy Distribution Protection and Control Devices," US Patent 9,755,896, granted September 5, 2017.
[2] J. Hong, R. Nuqui, D. Ishchenko, Z. Wang, T. Cui, A. Kondabathini, D. Coats, and S. Kunsman, "Cyber-Physical Security Test Bed: A Platform for Enabling Collaborative Cyber Defense Methods," in PACWorld Americas, 2015.
[3] A. Martin, R. Nuqui, J. Hong, A. Kondabathini, W. Rees, and D. Ishchenko, "Collaborative Defense of Transmission and Distribution Protection and Control of Devices against Cyber Attacks (CoDef)," Western Protection Relay Conference, October 2016.
[4] V. Madani, E. Taylor, D. Erwin, A. Meklin, and M. Adamiak, "High-Speed Control Scheme to Prevent Instability of A Large Multi-Unit Power Plant," 2007 60th Annual Conference for Protective Relay Engineers, College Station, TX, 2007, pp. 271-282.
[5] M. Singh, T. Vishnuvardhan, and S. G. Srivani, "Adaptive protection coordination scheme for power networks under penetration of distributed energy resources," IET Generation, Transmission & Distribution, vol. 10, no. 15, pp. 3919-3929, 17 Nov. 2016.
[6] H. F. Habib, C. R. Lashway, and O. A. Mohammed, "A Review of Communication Failure Impacts on Adaptive Microgrid Protection Schemes and the Use of Energy Storage as a Contingency," IEEE Transactions on Industry Applications, vol. 54, no. 2, pp. 1194-1207, March-April 2018.

DISCLAIMER

This paper was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.
