Power System Reliability Evaluation With SCADA Cybersecurity Considerations

IEEE TRANSACTIONS ON SMART GRID, VOL. 6, NO.
4, JULY 2015 1707
Power System Reliability Evaluation With

SCADA Cybersecurity Considerations
Yichi Zhang, Student Member, IEEE, Lingfeng Wang, Member, IEEE, Yingmeng Xiang, Student Member, IEEE,
and Chee-Wooi Ten, Senior Member, IEEE
Abstract—As information and communication networks are concerning the SCADA system is of vital importance [2].
highly interconnected with the power grid, cyber security of As the open Transmission Control Protocol/Internet
the supervisory control and data acquisition (SCADA) system Protocol (TCP/IP)-based protocol is being developed
has become a critical issue in the electric power sector. By
exploiting the vulnerabilities in cyber components and intruding and deployed between the SCADA and other networks of
into the local area networks of the control center, corporation, the power system, more effective cybersecurity policies are
substations, or by injecting false information into communica- urgently needed. For instance, secure tunnels are required for
tion links, the attackers are able to eavesdrop critical data, power utilities, which are responsible for providing secure
reconfigure devices, and send trip commands to the intelligent control and management to their substation automation
electronic devices that control the system breakers. Reliability
of the power system can thus be impacted by various cyber systems [3]. However, improvement of the cybersecurity
attacks. In this paper, four attack scenarios for cyber compo- is a challenging task. The power system is composed of
nents in networks of the SCADA system are considered, which complicated physical components, and the ICT in power
may trip breakers of physical components. Two Bayesian attack systems has evolved into a highly intertwined network, which
graph models are built to illustrate the attack procedures and is remote access enabled and Ethernet-based. In addition,
to evaluate the probabilities of successful cyber attacks. A mean
time-to-compromise model is modified and adopted considering a number of vulnerabilities can be found in the standard
the known and zero-day vulnerabilities on the cyber compo- communication protocols of the power system, including
nents, and the frequencies of intrusions through various paths distributed network protocol (DNP) 3.0 and International
are estimated. With increased breaker trips resulting from the Electrotechnical Commission (IEC) 61850 [4].
cyber attacks, the loss of load probabilities in the IEEE reliability The security of the cyber networks is severely threatened
test system 79 are estimated. The simulation results demonstrate
that the power system becomes less reliable as the frequency of by vulnerabilities in the cyber components [5]. By exploiting
successful attacks on the cyber components increases and the either known or zero-day vulnerabilities [6] of cyber com-
skill levels of attackers increase. ponents in networks such as local area networks (LANs) of
Index Terms—Bayesian attack graph model, critical the SCADA control center, corporation, substation automa-
infrastructure protection, cyber-physical systems, cyber tion systems, or communication links between the control
security, power system reliability, supervisory control and center and substations, critical cyber components in the net-
data acquisition (SCADA) system. works can be manipulated. For instance, the root control
of the human machine interface (HMI) in the substation
I. I NTRODUCTION LAN can be gained by remotely penetrating into a substa-
HE INFORMATION and communication technol- tion LAN. Intruders may also inject false data into or modify
T ogy (ICT) is being more widely deployed by the
modern power grid [1]. Since the power system relies on
data on the communication links. The unauthorized trip signals
and reconfiguration messages can be specified on the intruded
the control and monitoring functions of the supervisory components, which may then isolate corresponding transmis-
control and data acquisition (SCADA) system, cybersecurity sion lines and generators [7], [8]. The complicated cascading
events may thereafter be triggered and exacerbate the opera-
Manuscript received April 14, 2014; revised August 28, 2014 and tion of power systems [9]. Thus, it is of importance to evaluate
December 18, 2014; accepted January 20, 2015. Date of publication the impact of cyber attacks on the power systems.
February 16, 2015; date of current version June 18, 2015. This work was
supported by the National Science Foundation under Award ECCS1128594 Vulnerabilities of cyber networks in the power system are
and Award ECCS1128512. Paper no. TSG-00320-2014. being evaluated for quantifying their impact. Petri nets are
Y. Zhang is with the Department of Electrical Engineering and Computer used in [10] and [11] for the vulnerability evaluation. In [10],
Science, University of Toledo, Toledo, OH 43606 USA.
L. Wang and Y. Xiang were with the Department of Electrical Engineering a vulnerability assessment framework is proposed by utilizing
and Computer Science, University of Toledo, Toledo, OH 43606 USA. They the Petri net-based firewall and password models as protec-
are now with the Department of Electrical Engineering and Computer Science, tion schemes. In [11], cyber-physical attacks against the smart
University of Wisconsin–Milwaukee, Milwaukee, WI 53211 USA (e-mail:
l.f.wang@ieee.org). grid are modeled using a hierarchical method, which com-
C.-W. Ten is with the Department of Electrical and Computer Engineering, bines several small Petri nets of cyber and physical domains.
Michigan Technological University, Houghton, MI 49931 USA. In [8], by constructing a cyber-to-physical bridge, the cyber
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org. attack vectors and the reliability effects on the power grid are
Digital Object Identifier 10.1109/TSG.2015.2396994 quantified and examined.
1949-3053 c 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Università Bocconi. Downloaded on June 02,2023 at 21:28:13 UTC from IEEE Xplore. Restrictions apply.
1708 IEEE TRANSACTIONS ON SMART GRID, VOL. 6, NO. 4, JULY 2015
Several metrics have been proposed to quantify the impacts attack paths on the cyber networks of the SCADA system
of cyber attacks on the SCADA system. For instance, in [12], are discussed in Section II. In Section III, the background
an attack tree model is built, and potential attack scenarios knowledge on the MTTC model is briefly reviewed. In
are constituted by combining different attack leaves. In [13], Sections IV and V, two modified Bayesian attack graph mod-
a strategy of the quantitative risk reduction estimation was els and the MTTC models are described and analyzed. In
performed for the CS60 SCADA control system. The risk is Section VI, by using the attack graph and MTTC models, the
assessed by evaluating the mean time needed for a successful time intervals of successful attacks targeting various cyber net-
cyber attack on the SCADA system, and the risk is reduced works are calculated. Also, the loss of load probability (LOLP)
by patching the components and decreasing the number of values for IEEE reliability test system 79 (RTS79) [19] are
vulnerabilities. In [3], a testbed is built by simulating the pro- derived based on the MCS with the updated available inter-
cesses of cyber attacks in the control center and substations. vals of physical components, and this paper is concluded in
And by assigning various ratios to the cyber and power risk, Section VII.
a risk metric is defined to evaluate the relationship between
the occurrence of cyber attacks and the resulting impact on
II. C YBER ATTACK S CENARIOS IN P OWER S YSTEMS
the power service.
Cyber attacks have brought severe impacts to the power A. Architecture of the Cyber Network in the SCADA System
system. As a result, there are more uncertain factors which Fig. 1 illustrates a defense-in-depth security architecture of
may affect the reliability of the cyber-physical power system. cyber networks in the SCADA system.
For instance, the change of the network topology of the The SCADA system in the power system is used to monitor
power system will impact the flow, and the risk of the sys- and control distributed components from the control center to
tem may be increased [14]. A number of evaluations have substations. At the same time, the status information measured
been performed based on the characteristics of the physical from the substations is transmitted to the control center. By
system, but very limited quantitative work has been conducted collecting the field information, transferring it to the central
on the impacts brought by the cyber attacks on the power computer facility, and displaying the information to the opera-
system. In this paper, a mean time-to-compromise (MTTC) tor through the HMI, the SCADA system enables the operator
model [15] is extended and used to estimate the time inter- to monitor or control the entire power system in the control
vals for successfully intruding cyber components in control center.
networks. Breakers in the substations are then randomly The SCADA system is composed of both hardware and soft-
tripped when the false commands are sent by the penetrated ware. Typical hardware is known as components in the control
cyber components. In order to depict different attack paths, center, such as front end processors (FEP), engineering work-
Bayesian networks (BN) are used for modeling all potential stations, and various servers which can store and process the
attack steps in a network [16]. Two Bayesian attack graph data. The hardware also includes communication equipment
models [17], [18] are modified and used to quantify various such as radio, telephone line, and cable, which can be used as
attack scenarios in the cyber networks of the power system. the communication channels. And the distributed field devices
The first model is suitable for LANs of the control center, reside in the substations, which consist of the remote terminal
corporation, and substations. It is adopted to estimate the prob- units (RTU) and the programmable logic controller (PLC). The
abilities of successful vulnerability exploits to gain the root servers and FEP store and process the information sent from
privileges of control components. Various MTTCs consumed and to the RTUs; and the RTU or PLC controls the process
by execution of exploits are calculated by considering the of the field devices. The communication hardware allows the
ratio of exploits. The second attack graph model is applied information to transmit between the control center and substa-
to evaluate the probability of successful attacks on the com- tions. The software is able to tell the system about the time and
munication links between the control center and substations. information to be monitored, as well as the acceptable range
This model decomposes a man-in-the-middle (MITM) attack of the parameter. The intelligent electronic devices (IEDs) in
against the communication links into multiple sub-processes. the substation communicate with the control center. They can
Security countermeasures are implemented in the model to also be polled by the local RTUs, and the collected data from
mitigate the damaging impacts of cyber attacks. And combina- IEDs can be transmitted to the control center [20].
tions of the MTTC consumed in exploiting the vulnerabilities The communication protocols used in the SCADA sys-
of each countermeasure are the time interval of cyber attack tem are different from those in the corporation network.
on the links. Bayesian attack graph models and MTTC model The SCADA system protocols include the Modbus/TCP,
are used to quantitatively estimate the probabilities and aver- EtherNet/IP, and DNP 3.0, and they are widely used in com-
age frequencies of the successful attacks on the target cyber munications between most control devices. However, these
components of the SCADA system. With cyber attacks occur- protocols are designed without adequate security considera-
ring on different scenarios, system breakers are forced to trip, tions. For instance, severe security vulnerabilities are found in
which leads to the prolonged outage of physical components. the Modbus/TCP protocol, and malicious codes such as worms
And the reliability analysis of the power system is performed can be installed in the network if no firewall is considered [20].
using the Monte Carlo simulation (MCS). Thus, these protocols are only allowed to be used within the
The remainder of this paper is organized as follows. networks of the control center and substations, and they are
A SCADA system network architecture and four types of not allowed to cross into the corporation network.
ZHANG et al.: POWER SYSTEM RELIABILITY EVALUATION WITH SCADA CYBERSECURITY CONSIDERATIONS 1709
Fig. 1. Representative SCADA system architecture.
In Fig. 1, cyber networks are constituted by the corpora- A hardware firewall is used with an isolated DMZ. The
tion network, primary and backup control center networks, authentication server and the security server are combined in
and 24 substation networks with different degrees of automa- the DMZ of the control center. The authentication server is
tion which are able to communicate with each other. The installed, and this is because separate authentication mech-
control center controls and monitors the operations of a num- anisms should be provided to users of the corporation and
ber of transmission or distribution substations. Intercontrol control center network. Due to the limited security in the
center communication protocols (ICCP) is implemented as communication protocols in the SCADA, authentication is
the communication protocol between two control centers [1]. always forbidden in the remote commands [20]. To resume
DNP 3.0 over TCP/IP is used for communicating control the authentication mechanism in the SCADA system, the
commands and measurements between control centers and authentication server is added, and the process of verifying
substations. The protocol used in the substation is IEC 61850. the user identity is provided for the remote access control.
The cyber security strategy includes policies of firewalls, the The security server is the one with the patch and antivirus
generation of demilitarized zones (DMZ), and the allocation of management [20]. With the security managements in the seg-
intrusion detection systems (IDS) along with effective security mented DMZ, the controlled and secure updates of the traffic
policies [20]. The policies of the firewalls in this architecture can be provided to the control center. The malware which
are strict to both communications in and out of the control attempts to intrude into the control centers may be dif-
system. For instance, inbound information to the control center ferent from those in the corporation network, and efficient
should be blocked, and all communications to the devices in antivirus products can be selected for the control center
the control center should go through the DMZ. Also, outbound protection.
communication through the firewall should be limited to the The equipment in the DMZ such as DNS servers and web
crucial information. As security requirement is the highest on servers are able to receive requests from external networks,
the control center network, countermeasures with the highest while the firewall of the corporation LAN allows the network
strength are taken within it. to receive only requested data from the external networks.
Fig. 2. Cyber attacks on the control center LAN.
Fig. 3. Cyber attacks on the corporation LAN.
Substations with different structures feature various automa-

tion and security levels.
Although firewall or even IDS are applied as security coun- the ICCP servers [21]. The intruder may send the trip com-
termeasures in each network, a large number of vulnerabilities mands to the RTUs in different substations. By obtaining the
such as remote access points are available to the intruders for root privilege of the application server, trip commands can
launching the cyber attacks. be directly sent to the IED relays in one substation through
the FEP. The FEP is a server that translates the protocols with-
out checking the authority if the commands are sent from the
B. Cyber Attack Scenarios and Attack Paths to IED Control applications server, and the commands are directly forwarded
By exploiting the vulnerabilities of the power system cyber to remote devices in substations [21].
networks, attacks are initiated from access points of different 2) Intrusion in Corporation LAN: Due to the complicated
LANs of the SCADA system. Attack scenarios through these communication links between the intruders and some sub-
four types of access points are discussed in the following, station networks, the attackers may first gain access to the
which illustrate how adversaries can successfully penetrate corporation LAN via the internet. Available access points and
into various networks and send trip signals to protective target components to the corporation LAN can be found in
relays for tripping breakers of generators, transmission lines, Fig. 3 [22]. The inconvenience of the intrusion into the sub-
and loads. station network can be significantly decreased by obtaining
Cyber attacks against the SCADA system may be motivated confidential inside data or substation login information from
by financial gain or terrorism. But in order to impact the reli- the corporation database server. The attacker is able to access
ability of the power system, cyber attacks that can manipulate the corporation network when the firewall is bypassed. The
the messages or signals will be selected as the attack scenarios. attacker may first start from the web server and the FTP server,
Only by sending the false commands or status signals, the which have more communications with outside components.
breakers of the generators, transmission lines, and the loads When the servers connected with database server are breached,
can be abnormally tripped. And eventually, the reliability of the database server installed in the inner zone of the corpora-
the power system can be affected. The tasks of four attack sce- tion network can be achieved. With the inside data, the intruder
narios all enable the attackers to send the false messages or will be able to access the HMI in substations and send trip
signals, by improving privileges or inserting the manipulated commands with a permitted identity.
messages. 3) Attacks Against Substation Networks: Taking advantage
1) Attacks on Control Center LAN: Although it is diffi- of a port-scanning tool or a war-dialer, an intruder identifies
cult to intrude into the control center, attacks on the control active system ports and IP addresses of one substation. He
center LAN are considered here since they may occur in prac- logs on one router using the brute-force password attack, and
tical environments. In Fig. 2, a simplified control center LAN bypasses the firewall successfully. As the adversary has gained
is illustrated. After bypassing the hardware firewall with the access to the network of the substation, the IP scanning tool
advanced intrusion strategy without violating the firewall rules, is deployed again for the different component user interface
the intruder is able to gain access to the switch with the port intrusions. Unauthorized operations such as trip commands are
scanning approach. When the attacker successfully intrudes sent to one or several relays. Since the automation and security
into the LAN, he is able to scan the hosts and services of the levels of the substation LANs differ from each other, various
network by intruding into the historian server without trigger- architectures of the substation networks exist.
ing alarms of the IDS. Since the application server is able Three substation LANs with different automation stages and
to transmit the commands directly to the other devices, it is network architectures are considered and illustrated through
selected as the target of the cyber intrusion. The application Figs. 4–6. Substation LAN 1 is composed of the sim-
server is used to store the point data and send the updated plest automation stage and the architecture [7]. Since it only
data to other clients, such as the HMI, data historian, and deploys the firewall as the countermeasure, the attacker is able
switch is used to control the communication between VLANs,

and two switches are used to control communication between
devices. In order to communicate with the devices in the Bay
VLAN, the attackers should also gain the access to the shared
server. This indicates attackers should intrude at least two
VLANs divided by switches so that the substation HMI can
be reached. Unwanted data traffic can be filtered by VLANs,
thus this architecture of the substation network is more secure
than the architecture of the substation LAN 1.
Substation LAN 3 is a network with higher automation,
which comprises a local SCADA for more convenient local
Fig. 4. Cyber attacks on the substation LAN 1. or remote control [7]. The local SCADA of the substation
is a modular system for communication and control of each
component in the substation. It enables the authorized interac-
tions between panels of the substation with specific network
protocols or standard industrial network protocols, such as
IEC6185, IEC61870, and Modbus/TCP [24]. In this network,
the local SCADA is the only component which can be con-
nected to other networks, and the HMI is prevented from
directly connecting to the components of the other networks. In
order to send malicious commands from the HMI, the attacker
needs to first breach the local SCADA and obtain the user priv-
ilege, then he is able to intrude into the HMI through the local
SCADA.
4) MITM Attack on Communication Links Between the
Control Center and Substations: By accessing the commu-
nication links between the control center and the substations,
the intruder may install the eavesdropping equipment either in
the wired or wireless network [18]. In order to inject the false
data into the communication link, the traffic can be monitored
Fig. 5. Cyber attacks on the substation LAN 2.
by the intruder. A number of messages in the SCADA commu-
nications are plain text, which are easy to be understood by the
attackers. If the message is encrypted, the attacker may first
eavesdrop the message and look for an appropriate decoding
approach, so that the information can be analyzed. This may
be used in traffic analysis for understanding the traffic patterns
in the networks [18]. The measurements or the state data pack-
ets are intercepted during the transmission. The intruder then
replaces some actual state data with the fabricated data. These
false data are sent to the state estimation modules. When the
false operating conditions are finally presented to the opera-
tors, some operators may be misguided and send the incorrect
trip commands to the relays.
Fig. 6. Cyber attacks on the substation LAN 3.
III. P RELIMINARIES
to intrude into the HMI and obtain its root privilege if he A. BN and Attack Graph
is able to successfully intrude into the substation LAN 1. Attack graphs represent the dependences among vulnerabil-
The HMI provides the operation and supervision of the ities and potential sequences of attacks [17]. It is a directed
substation [23], thus the attacker is able to directly send the graph composed of predefined nodes as vertices, and the
trip commands to the IEDs when the HMI is controlled. Some directed relationships as edges. The BN are widely used to
malicious data traffic can be prevented from flowing into the model the attack graphs in a probabilistic manner, which
substation LAN if the firewall is well configured. However, is effective in quantifying the process and impacts of cyber
malicious packets disguised as regular packets are allowed to attacks [18]. BN is composed of a pair G, N, where G rep-
flow into the network by following the firewall rules. resents a direct graph, N is a set of parameters in the network.
LAN 2 deploys a more complicated and secure architec- ai and aj , which are nodes in the networks, are connected
ture by separating the substation network into two virtual by a directed edge. It indicates the value of aj is influenced
LAN (VLAN)-based substation networks [22]. An Ethernet by the value of ai . It is considered ai is the parent of aj .
The probability of each ai is thus associated with conditional

probability table (CPT) in N. The unique joint distribution of
ai is denoted as

n
P (a1 , . . . , an ) = P(ai |parents(ai )). (1)
i=1
B. Common Vulnerability Scoring System

The vulnerability of the cyber network of the power system
is evaluated by scoring the system security [17]. The Common
Vulnerability Scoring System (CVSS) is used to score the vul-
nerabilities as the probabilities of successful exploits on hosts
or devices [18]. CVSS is widely utilized for scoring the vul-
nerabilities and their relative severity in the networks, and
CVSS scores can be calculated via the public vulnerability Fig. 7. Bayesian attack graph model of vulnerabilities.
databases [23]. By assigning various levels to the vectors such
as the access vector (AV), and confidentiality impact (CI) in
the base scores (BS) equation, fundamental characteristics of are exploits to vulnerabilities V and component condi-
the vulnerabilities can be quantified by values 0–10. A higher tions C. The sequence of the exploits composes a minimal
score implies more severe vulnerability of the component, i.e., attack sequence, which means the attacker is efficient on
the component has a higher probability of being intruded. BS the vulnerabilities and takes no unnecessary effort on the
can be adjusted to the temporal score (TS) and environmental path to the target [17]. It is assumed that all preconditions
score (ES) by considering additional time and environmental of an exploit are either the initial condition or the post-
vectors. The threat of the vulnerabilities to the components conditions of some exploits which have occurred before
may vary with time due to the upgrade of countermeasures, it. The conditions are distinguished as service (S), which
while the environment is not specific to the users. Thus, the is shown as service(host); connection (N) represented as
TS is adopted to evaluate the impact of the vulnerabilities. <source host, destination host>; and privilege (L) denoted as
privilege(host). The conditions are either satisfied as initial
C. Mean Time to Compromise conditions or as post-conditions [17]. The post-conditions will
Similar to the mean time to failure (MTTF) of the com- be satisfied when any vulnerability is exploited. Fig. 7 illus-
ponents in the power system, the MTTC is modeled. It is trates a Bayesian attack graph model of vulnerabilities in
used to estimate the average frequency of the cyber attacks on the control center LAN, which describes the minimal attack
the components of the power systems [15]. The MTTC mea- sequence to obtain the root privilege of the application server.
sures the efforts (represented by time) spent by an attacker for Vulnerabilities are illustrated by ovals with white or light
a successful attack in the statistical form. The concept of the blue colors representing the known or zero-day vulnerabil-
minimal attack sequence is used, which assumes the attack ities, respectively. One vulnerability can be exploited when
does not consume unnecessary efforts on the attacks [17]. As its Si , Ni , and Li are satisfied. For instance, Dos, 0, 1
the MTTC increases, the likelihood and frequency of the suc- represents the zero-day exploit of the vulnerability found
cessful attack will decrease. With the attack graph and the BN, in the historian server. Before exploiting vulnerabilities of
the MTTC for a state (or condition) is used to reflect the aver- the server, intruder host user(0) should exist and be con-
age time required by the attacker to reach the condition [17]. nected to the historian server. This means that the privilege
In this paper, the increased privilege is considered as the post user(0) and the connection <0, 1> should be satisfied. At
condition. In order to reach these conditions, several vulnera- the same time, Dos(1) and Exec(1), which are two ser-
bilities should be exploited. The overall MTTC is the mean of vices of the historian server, should be available to the
the sum of MTTCs of the exploits in this paper. The MTTC intruder. By exploiting two zero-day vulnerabilities of the
can be influenced by different features of the attack scenarios, historian server, the intruder is able to obtain the user priv-
such as different attack paths, cyber networks, vulnerabilities ilege user(1) of the historian server. He then obtains the user
of the components, and levels of attackers. privilege user(2) of the application server by exploiting the
zero-day vulnerability of the ssh service ssh, 1, 2. Finally,
the goal privilege root 2 is reached from the user privilege
IV. ATTACK G RAPH M ODEL U SING BN S
user(2) in the application server by exploiting the known
A. Bayesian Attack Graph Model of Vulnerabilities vulnerability bof, 2, 2.
In this paper, two Bayesian attack graph models are The goal of using the Bayesian attack graph model is to
considered. The first one is the attack graph of vulnera- determine the probabilities that an intruder will successfully
bilities, which describes the probability of successful root reach the given target condition, which is the post-condition.
privilege acquisition through LANs of the control cen- Three steps are needed to fulfill the task for calculating the
ter, corporation, and substations. Given an attack graph probabilities that attackers are able to successfully reach each
G(V ∪ C) possessing two types of nodes as vertices, which post-condition. The first step is the estimation of probability
TABLE I
that an attacker is able to execute each exploit independently, CPT TABLES OF THE E XPLOIT AND THE C ONDITION
and it is denoted as p(vi |Si = T, Ni = T, Li = T) [17].
For the known vulnerabilities, p(vi |Si = T, Ni = T, Li = T)
denotes the probability of the successful execute on each
exploit when preconditions are satisfied. Since this probability
requires the intrinsic difficulty of exploiting the vulnerability,
CVSS scores are used to reflect the nature severity levels of the
vulnerabilities [25]. Since the CVSS score ranges from 0 to 10,
in order to normalize the values of the probabilities, it is
assumed that the probability of successful independent exploit
is obtained by
CVSS(vi )
p(vi |Si = T, Ni = T, Li = T) = (2)
10
where CVSS(vi ) is the score of the vulnerability which
evaluates different configurations of the network.
Since various services are available to the communication
among components in the LANs of SCADA system, it is
assumed that the scores of known vulnerabilities are ran-
domly distributed, which implies a random CVSS(vi ) score
is calculated and given to p(vi |Si = T, Ni = T, Li = T).
Although they are discovered by cyber attackers, zero-day
exploits are executed on vulnerabilities not publicly known,
thus it is difficult to find the differences between zero-day
vulnerabilities. With the specific configuration of CVSS met-
rics and scores, a zero-day vulnerability is considered as a spe- achievability of the privilege. These probabilities are randomly
cial vulnerability with an unavailable remediation level, an assigned with values between 0.8 and 1.
unconfirmed report confidence, and the zero-day vulnerability Also, “OR” relationships should be satisfied when the nodes
has neither high nor functional exploitability metric [17]. And are privileges or connection conditions as their preconditions
based on the characteristics of the zero-day vulnerabilities, are one or several vulnerabilities. This relationship is satisfied
the vulnerability metrics are assumed as local AV, high access because privileges or successful connections can be gained
complexity, and multiple authentications [17], the BS of the if any related vulnerabilities are exploited. For instance, the
CVSS is calculated as 0.8. Thus, the exploit of zero-day vul- condition user(1) is reached through the disjunction over the
nerability is assigned with a fixed nominal probability, which exploits Dos, 0, 1 and Exec, 0, 1. With the probability of
is the BS over 10. The probability of successful exploit on successful exploit of each vulnerability leading to its goal
a zero-day vulnerability is condition, the probability that the attacker can successfully
reach the target condition p(c) is calculated with the overall
p vi |Si = T, Ni = T, Li = T = 0.08. (3) probability formula
Preconditions of the vulnerability are considered in the sec-
n

ond step. The BN-based attack graph is built. Except for the p (ci ) = p ci = T vj · p vj (6)
node representing an initial condition of the graph, a CPT is j=1
developed for each node of the graph and the post-probability
where n indicates the number of the vulnerabilities leading to
is calculated accounting for the CPT [16]. Table I repre-
one target condition ci , which represents a higher privilege in
sents the CPT tables of the condition user(1) and the exploit
the following analysis.
ssh, 1, 2. Since one exploit is able to be executed only if all
In the third step, the probability of a successful exploit
preconditions are satisfied, the “AND” relationships should be
leading to its goal condition is calculated. Each exploit to
satisfied if the node is the exploit to the vulnerability. Thus, the
the vulnerability in the minimal attack sequences is denoted
exploit ssh, 1, 2 is reached by the conjunction over the con-
as p(vi ∧ c), where c is the goal condition. With the total
ditions <1, 2>, user(1), and ssh(2). The probability of known
probability of successful exploit to vulnerability leading to
vulnerability p(vi = T) (or p(vi )) and zero-day vulnerability
the goal condition, a backward traversal is performed from
p(vi ) by considering preconditions are denoted as
the target condition to its preconditions, and the probabili-
CVSS(e) ties of the preconditions (i.e., p(vi )) are estimated. The ratio
p(vi ) = × p(Si ) × p(Ni ) × p(Li ) (4) of each prevulnerability to the target vulnerability is rep-
10
p vi = 0.08 × p (Si ) × p (Ni ) × p (Li ) (5) resented by assuming the attacker will always choose the
easiest exploit [15]. In this assumption, the probabilities of
where p(Si ), p(Ni ), and p(Li ) indicate the probabilities of avail- n prevulnerabilities to the target vulnerability are sorted in
ability of service, successful connection of two devices, and a descending order. Each probability of the successful exploit
TABLE II
C OUNTERMEASURES , S UB -G OALS , AND OVERALL G OALS
Fig. 8. Bayesian attack graph model of communication link.
to the target vulnerability is denoted as
⎧
⎨p (vi = T) × p
(c = T | vi = T), i=1
p (vi ∧ c) = p (vi = T) × i−1j=1 p vj = F
⎩
× p (c = T | vi = T, v1 . . . vi−1 = F), 2≤i≤n
(7) The probabilities of successfully achieving the sub-goals
and overall goals also depend on the implementation of secu-
where i indicates different numbers of the prevulnerabili- rity countermeasures. The difficulty of achieving the sub-goals
ties leading to the target vulnerability. Prevulnerabilities that is influenced by the strength of countermeasures Aj . It is
are easier to exploit will have higher probabilities of being applied on various sub-goals Bi on the communication links.
reached. Reaching a sub-goal with the influences of countermeasures
can be quantified as a CPT. It is assumed that known and
B. Bayesian Attack Graph Model of Communication Links zero-day vulnerabilities are randomly given on each coun-
termeasure Aj denoted using blue and red colors. When the
The second Bayesian attack graph model estimates the prob-
conditional probability of the successful attack on the sub-
ability of successful intrusion on communication links [18].
goal is denoted as p(Bi = T|A1, A2 , . . . , An ), the probability
MITM attack is launched to the communication link, thus no
of the successful attack on the sub-goal Bi influenced by its
privilege of the device is needed to reach it. The model is
security countermeasures is
illustrated in Fig. 8 and is composed of three layers. The first
layer is composed of the countermeasures, which is denoted
n

by Aj . The second layer represents the sub-goals Bi , which p (Bi ) = p Bi = T Aj · p Aj . (9)
j=1
are denoted by circle nodes. By bypassing or defeating corre-
sponding countermeasures Aj , the sub-goals are to be reached. It should be noticed that the success of sub-goal Bi is not
The overall goals are composed of the third layer. The sub- only influenced by exploiting vulnerabilities on the counter-
goals Bi leading to their corresponding overall goals need measures Aj , but some sub-goals Bi are also influenced by
to be all successfully reached, so that the overall goal can the success of overall goals Cm . For instance, the sub-goal
be achieved by the intruders. Circle nodes labeled as Cm B7 (i.e., generating a valid new message) is influenced by the
represent the overall goals, which can be quantified as the usages of countermeasures A7 (i.e., signature cryptography)
probability of successful unauthorized operations on the target and A9 (i.e., remote password), as well as the success of over-
communication link. all goal C1 (i.e., eavesdrop messages). This is because the
The middle layer depicts the sub-goals of the attacks, which new information may not be generated correctly if the con-
are composed of sub-processes of the attacks such as accessing tents of messages being transmitted are not eavesdropped and
the network and intercepting the message. The connections analyzed.
between goals and sub-goals are expressed by AND or OR The nodes representing countermeasures, sub-goals, and
relationships. In this model, the overall goal Cm is achieved overall goals are listed in Table II.
through an AND relationship of its sub-goals from B1 to Bn . Only if cyber attacks disrupt the integrity of the data trans-
This is because all sub-goals should be achieved so that the mitted to the IED relays, it may lead to faulty operations of
connected overall goal can be reached. For instance, in order to the system breakers and impact the reliability of the power
achieve C2 , both B2 and B3 should be reached. The probability system. Since eavesdropping and traffic analysis are primar-
of Cm is denoted as follows: ily related to the activities which support the faulty operations

n on the devices rather than the operations for tripping break-
p (Cm = T) = p (Bi = T). (8) ers directly, they are not considered as the ultimate goal of
i=1 the cyber attacks against the communication links. While the
faulty operations that manipulate state data and reconfigure of vulnerabilities and exploits
the relays are able to trip the circuit breakers, C3 , C4 , and C5 E
are considered as the overall goals of the attack targeting the P 1 = 1 − e−V × S . (11)
communication links.
Since it is assumed that the attackers are familiar with at
least one available exploit and vulnerability, the time con-
V. MTTC E STIMATION OF C YBER ATTACKS ON P OWER sumed by compromising the familiar vulnerability is similar
S YSTEM AND R ELIABILITY A NALYSIS for attackers with different skill levels [15]. As at least one
A. Compromise Time Model of Vulnerabilities exploit of the zero-day vulnerability is directly available to
By considering the severity of the cyber vulnerabilities, the the attackers, the mean time for exploiting the zero-day
modified MTTC model in [15] is applied to estimate the aver- vulnerabilities in the process 1 is also 1 day.
age time interval that one vulnerability can be exploited by Since processes 1 and 2 are mutually exclusive, the proba-
attackers. The actions of intruders can be divided into three bilities that the attacker in process 2 are 1 − P1 and 1 − P1 ,
statistical processes. Process 1 illustrates that the attacker has respectively when the vulnerabilities are known and zero-day
found one or several exploits to one or several identified types. The mean time consumed in process 2 is estimated as
vulnerabilities. In process 2, no exploits are available to the 5.8 days for one attempt of exploit [15], so the mean time in
attacker, although one or several vulnerabilities are identified. process 2 is
It can be found that processes 1 and 2 are mutually exclusive. t2 = 5.8 × ET (12)
In process 3, the attacker found neither vulnerabilities nor
exploits, thus vulnerabilities or exploits are probed in this where ET is the expected frequency of attempts to search
process by attackers. Although process 3 is parallel to the for new exploits, which is influenced by the skill levels of
previous two processes and runs continuously in reality, it is attackers. The expected number of attempts is
assumed that this process occurs when processes 1 and 2 are ⎧ ⎡ ⎤⎫
⎨
V−AM+1 i ⎬
unsuccessful. ⎣i × V − AM − j + 2 ⎦
ET = k × 1 +
In [15], the probability that an attack is in the process 1, ⎩ V −j+1 ⎭
i=2 j=2
which is represented as P1 , is estimated by the search the-
ory. The search theory has been used in the physical security (13)
systems [26]. The probability that an attack is in process 1 is where AM is the average number of the vulnerabilities needed
estimated as follows: to create or find one exploit. k is the skill level factor, which
P1 = 1 − e−V×E/S (10) is k = AM/V. The proof of (13) can be found in [15], which
identifies ET as a statistical frequency of the exploit attempts.
where V is the number of known vulnerabilities in the compo- A larger value of the skill level factor implies that more vul-
nent being examined. It is assumed that one vulnerability exists nerabilities are exploitable by the attackers. When k becomes
in one service entity, thus the number of reachable services is larger, the associated frequency will decrease. That is because
also V. E is the number of available exploits, it is influenced as k increases, the number of vulnerabilities on the component
by the skill levels of attackers, values of E are set as 50, 150, of interest V is fixed, the average number of the vulnerabili-
250, and 360 when the levels of attackers are novice, beginner, ties needed to create or find one exploit AM will be increased.
intermediate, and expert. These values of E are given to indi- In (13), the value of the vulnerabilities that will not be used
cate the different attack levels, and various values of E may V − AM will be decreased, which makes the number of iter-
be given if more detailed attack levels are needed. S is the ations in (13) decreased dramatically, so that less mean time
total number of vulnerabilities in the target cyber network. will be consumed in the attempts of exploit searching.
Since information on the vulnerabilities in cyber networks In process 2, the time of the successful exploit develop-
of power system is limited, the value of S is hypothesized ment is only influenced by skill levels of attackers. Whether
based on the national vulnerability database. In this paper, S is this vulnerability is known or zero day has no impact on the
assumed to be 7000, which can be updated when the vulner- number of attempts because vulnerabilities are known by the
ability database of power system network becomes available attacker in the process.
with the wider smart grid practices. The mean time of exploit Process 3 continues until new vulnerabilities or exploits
consumed in process 1 is estimated as 1 day in [15] since both are searched. In [15], the occurrence of new vulnerabili-
vulnerabilities and exploits are available. ties or exploits is considered as a constant rate, and the
If no known vulnerabilities are found on the component, mean time between vulnerabilities (MTBV) is estimated as
zero-day vulnerabilities will be searched or exploited by the 30.42 days. Since different types of vulnerabilities are consid-
attacker to access the target device. S indicates the properties ered in this paper, two MTBV values are assumed. The MTBV
of components and database, and the numbers of zero-day of the known vulnerabilities is specified to be 30.42 days
vulnerabilities and exploits are denoted as V and E , respec- and 5.8 days as time intervals of vulnerability and cor-
tively. Since 491 zero-day vulnerabilities are found in [27], responding exploits announcements. More time is needed
with the same skill levels of attackers, values of E are set for discovering zero-day vulnerabilities. Since it is found
as 55, 164, 273, and 393. The probability of exploiting the that the average lifetime of zero-day vulnerabilities is about
zero-day vulnerability is calculated by changing the numbers 130 days, and about half of its lifetime is needed to discover
new vulnerabilities [15]. Thus, the MTBV of the zero-day sum of portioned MTTC of each exploit leading to the goal
vulnerabilities is extended as 65 days. Since about one month post-condition.
is needed to sell one zero-day vulnerability with correspond- Given the attack graph G(V C) and one goal condition c,
ing proof-of-concept exploit, the mean time of creating an the MTTC of this goal condition is
exploit of zero-day vulnerability is extended to 32 days [17].
vi ∈V T(vi ) · p(vi ∧ c)
Thus, the lifetime of the known vulnerabilities in process 3 is MTTC (c) = (20)
estimated as follows: p(c)

1 where T(vi ) is the MTTC needed on exploiting the vulnera-
t3 = − 0.5 × 30.42 + 5.8. (14) bility vi . p(vi ∧ c) is the probability of successful vulnerability
k
exploit leading to the goal condition, which is calculated
While the lifetime of zero-day vulnerabilities in process 3 is by (7). p(c) represents the probability that the goal condition

1 is reached successfully [17].
t3 = − 0.5 × 65 + 32 (15) For the LANs of the control center, corporation, and sub-
k
stations, the MTTC of intruding into the network is the sum
where 1/k indicates the vulnerability rate, which is scaled by
of all MTTCs of goal conditions. Suppose n − 1 goal condi-
V/AM based on the portion of the vulnerability/exploit pairs
tions are needed before the final condition (root privilege) is
used by the attack level [15]. The MTBV is multiplied by 1/k,
reached, the total time needed to control the target component
and subtracted by half in (14) and (15). This is because the
is represented as
fault cycle often starts at its midpoint. And a complete lifetime
of the process 3 is satisfied by adding the mean time to create
n

the exploit, which are 5.8 days and 32 days for known and MTTC = MTTC cj . (21)
j=1
zero-day vulnerabilities.
The overall compromise time is estimated by considering For the attack graph model of the communication links,
the time consumed by all three processes. The time T indi- the MTTC is calculated with a similar approach. In order
cates the average time interval that one known vulnerability is to calculate the MTTC of intrusion targeting the commu-
exploited nication links, the ratio of each exploit to vulnerability on
the countermeasures is also needed. The ratio calculation fol-
T = t1 P1 + t2 (1 − P1 ) (1 − u) + t3 u(1 − P1 ) (16)
lows (9) by substituting vi and c into Aj and Bi . Since the
where t1 , t2 , and t3 are the average values of the processes 1–3. sub-goal Bi is achieved by exploiting vulnerabilities on the
P1 is the probability that the attacker is in process 1. countermeasure Aj , the MTTC for realizing the sub-goal is
u indicates the probability of the unsuccessful process 2. It is
vi ∈V T Aj · p Aj ∧ Bi
denoted as follows: MTTC (Bi ) = (22)
p(Bi )
(1 − k)V V ≥ 1
u= (17) where T(Aj ) is the MTTC of exploiting the known or zero days
1 V=0
vulnerability on the countermeasure Aj . Based on the AND
where V is the number of the known vulnerabilities in the relationship of sub-target Bi and Cm , attackers may reach Cm
examined component, and k is the skill level factor. by exploiting n connected sub-target Bi one-by-one, thus the
The average time interval to exploit one zero vulnerability MTTC of each overall goal is denoted as
is represented as

n
T = t1 P 1 + t2 1 − P 1 (1 − u) + t3 u 1 − P1 (18) MTTC (Cm ) = MTTC (Bi ). (23)
j=1
P
where 1 indicates the probability that the attacker is in pro-
cess 1 as the vulnerability is the zero-day vulnerability. u is Since any of C3 , C4 , and C5 is able to realize the injection
denoted as of control commands to the substations [18], the least time
spent in reaching one overall goal is used as the MTTC of the
(1 − k)V V ≥ 1
u = (19) attack on communication links.
1 V = 0
where V is the number of the zero-day vulnerabilities in the C. Reliability Analysis
examined component of the network. If cyber attacks successfully intrude into the cyber compo-
nents of the SCADA system, such as HMI in the control center
B. MTTC of Attack Paths in the SCADA System or substations, trip commands can be sent by intruders to IEDs
With the models of MTTC of each vulnerability exploit and in substations and severe impacts may be resulted in, includ-
the attack graph, the MTTCs of the goal conditions in various ing unauthorized or faulty tripping of generators, transmission
networks or links are calculated. Since the initial conditions are lines, and loads. Further, considering the random behavior of
preconditions that have no vulnerabilities to exploit, the MTTC the intruder and the potential isolation action of IDSs, the
of an initial condition is set as zero. The post-conditions are consequence of each cyber attack can be stochastic. In order
goal conditions that can be reached by exploiting correspond- to represent this stochastic consequence, a random number of
ing vulnerabilities, thus the MTTC of a post-condition is the breakers in the target substation are assumed to be tripped
after each successful cyber attack. In the SCADA networks

such as substation LANs, the process LAN and Dual-LAN
networks, the data acquisition units (DAUs) can be used [28].
Different DAUs may be installed in the yard, and data from
voltage transformers, current transformers, and status infor-
mation will be collected by the DAUs. The transformers are
controlled by different breakers. The DAUs in the substation
will collect the signals at an agreed and synchronized rate. At
the same time, each IED relay is able to acquire data from Fig. 9. Bayesian attack graph of the control center.
multiple DAUs, the data can be processed automatically by
the IEDs. The DAUs are also able to receive the protection
commands from various IEDs on the other direction, and the 7) If the stopping criterion is met, calculate the final reli-
protection devices can be opened or closed. Since one IED ability index; otherwise go to step 3. In this paper, the
relay controls several breakers, the breakers in the substations simulation duration is specified as 30 years, and it is
can be randomly controlled when one IED is controlled. sufficient long for the result to converge.
After each successful cyber attack, the associated physi- In power system reliability assessment, the random failures
cal components will go through a restoration process. The of physical components could be modeled by MTTF. The time
basic idea of calculating reliability index proposed is that cyber to failure is random and varying as it is primarily determined
attacks are constantly launched and if the attack is successful, by the aging process of the physical components, and this
the repair process would begin. This matches the real practice random nature is modeled by MTTF. Similarly, the time to
as in real scenarios the cyber attacks against power systems compromise refers to the time required to launch a successful
are constantly launched, and they will become more frequent cyber attack, and it is random and varying as it is determined
in the envisioned smart grid environment. In [29], many elec- by various attack and defense factors. In a same manner, we
tric power companies were interviewed and they responded model the random nature of the time to compromise by MTTC
that the power system was under constant cyber attacks. It as shown in Section V.
is found that a number of utilities reported daily or frequent The LOLP used in this paper features the same physical
attempted cyber-attacks ranging from phishing to malware significance as that used in the conventional power system reli-
infection to unfriendly probes. Thus, this assumption is valid ability assessment. The concept of reliability most often refers
considering the fact that electric power systems are in actuality to the system adequacy in the context of probabilistic reliabil-
under constant cyber attacks. The repair time mainly consists ity evaluation. It is defined as the ability of the power system
of the cyber forensics time and physical restoration time [8]. to supply the aggregate electric power to the consumers dur-
The mean time-to-repair is denoted as the MTTR. Thus, the ing the observation period, taking into account the scheduled
probability of a cyber attack is and unscheduled component outages [31]. From this defini-
tion, the reliability index, such as LOLP, is an estimation of
MTTR
pa = . (24) the inherent adequacy of the power system. The system ade-
MTTR + MTTC quacy evaluation does not specify that the power outages are
The reliability evaluation process considering both physi- only caused by the physical failures. Rather, the reliability
cal failures and cyber attacks based on MCS is proposed as index is independent of the outage causes, and it is desirable
follows. to include more uncertain factors for achieving a more com-
1) Model the reliability of physical components, includ- prehensive evaluation. While in conventional power system
ing the generators, transmission lines, and loads. In this reliability assessment most work is only associated with the
paper, the simulation step is 1 h. physical failures, the cyber attack may also a significant factor
2) Model the MTTCs based on the attack type, cyber struc- for causing the power outages, especially in the cyber-physical
ture of the SCADA system, attack path, and attack skills, power grids. So it should be incorporated in the reliability
etc. In this paper, the MTTR is assumed to be a constant. evaluation of next generation power grids. Our work here is
3) Randomly select a physical system state based on to incorporate the uncertainties from cyber attacks into the
MCS. This can be accomplished using a random number conventional reliability assessment framework, and the signif-
generator. icance of the commonly used reliability indices, such as LOLP,
4) Check whether there is a successful cyber attack. This remains unchanged.
step is conducted by generating a random number within
[0, 1] and comparing it with pa . If there is no successful
VI. S IMULATION R ESULTS AND A NALYSIS
cyber attack, go to step 6; otherwise, go to the next step.
5) Update the statuses of the physical components affected A. Bayesian Attack Graphs and MTTCs of Targets
by the cyber attacks. For example, if a generator is suc- By omitting the nodes which represent service (S) and
cessfully tripped, its status will be changed from up connection (N), and only remaining the most crucial nodes
to down. privilege (L) and exploits to vulnerabilities V, Fig. 9 illus-
6) Evaluate the physical system state with optimal power trates the simplified Bayesian attack graph of the control
flow analysis [30]. center LAN with the minimal sequence of vulnerabilities to be
Fig. 10. Bayesian attack graph of the corporation.
exploited. The attack path between the intruder (host(0)) and Fig. 11. MTTC of attack on the LAN of the control center.
the application server (host(2)) shows the processes to gain
the root privilege of the application server in the control cen-
ter LAN. Since it is the attack on the control center, zero day
exploits are preferred to prevent being detected. It is assumed
that two zero-day vulnerabilities are exploited in the histo-
rian (host(1)), which are <Dos, 0, 1> and <Exec, 0, 1>. And
one zero-day vulnerability <ssh, 1, 2> is found in the appli-
cation server. The root privileges of the application server can
be obtained by exploiting the vulnerability <bot, 2, 2> to ele-
vated from the user privilege. It is assumed that the exploit
<bot, 2, 2> of the application server is a known vulnerability.
The Bayesian attack graph of the corporation LAN is illus-
trated in Fig. 10. Due to the configuration of the firewall,
the direct communication from the external networks is only
available to the web server (host(1)), thus the attacker should
first execute the exploit <http, 0, 1> on the web server. Then, Fig. 12. MTTC of attack on the LAN of the corporation.
by exploiting the FTP vulnerability, the attacker is able to
breach the FTP server, and access to the database server from
the FTP server. If the second firewall is not well config-
ured, the attacker is able to intrude into the database server
through the web server by exploiting the zero-day database
vulnerability. Thus, there are two paths from the web server
to reach the database server. By calculating the probability
that each exploit (<ftp, 1, 2>, <DB, 2, 3>, and <DB, 1, 3>)
is successfully executed, the MTTC of the intrusion into
the database server user(3) can be estimated. In the attack
sequence, only vulnerability of the database server is assumed
as the zero-day vulnerability, it is because the database server Fig. 13. Bayesian attack graph of substation LAN1.
is isolated and protected, the attacker should look for the
advanced vulnerability to prevent the detection.
The MTTCs taken in reaching the target components of different levels, which are all less than attack intervals on the
the control center and the corporation are illustrated in control center. Although the total number of the exploits of the
Figs. 11 and 12, respectively. In Fig. 11, it is found that attack- corporation LAN is more than exploits in the control center
ers with four levels (novice, beginner, intermediate, and expert) LAN, only a single type of zero-day vulnerability needs to
take about 1039, 401, 163.5, and 44 days in attacking the be exploited. The total MTTC consumed in controlling the
control center LAN. It is observed that as the skill levels of database server is still less than that needed for intruding the
intruders increase, less MTTC of the attack is needed to gain target component of the control center LAN.
access to the root privilege of the application server. The Bayesian attack graph of the substation LAN 1 is illus-
MTTCs of gaining the control privilege with four skill levels trated in Fig. 13. The user privilege can be gained by bypassing
on the database server are illustrated in Fig. 12. Compared one firewall and executing two exploits of the vulnerabilities
with the MTTCs of exploiting the control center LAN, the on the targeted HMI. It is assumed that the executed exploits
MTTCs of intrusion to the corporation are about 734, 289.6, in the HMI are one zero-day exploit < ssh, 0, 1 > and one
120, and 39.3 days respectively needed by attackers of four known day exploit <ftp, 0, 1> respectively.
Fig. 14. Bayesian attack graph of substation LAN2. Fig. 16. MTTC of attacks on 24 substation LANs.
Fig. 15. Bayesian attack graph of substation LAN3.
The attack graph of the substation LAN 2 is shown in

Fig. 14. Although a shared server is installed to increase the Fig. 17. MTTC of attacks on 24 communication links.
security, it can be reached by the attacker by bypassing the
firewall and the switches. And due to the frequent commu-
nications between the station VLAN and the Bay VLAN, LAN 1 is the least compared with that of attacks on substation
known vulnerabilities can be found in the shared server. LANs 2 and 3. The attacker may take about half a month to
The attacker may first breach the server and obtain the user control the HMI if his level is the expert. This is due to the
privilege by executing the exploit <DB, 0, 1>, and he will simplest network structure of the LAN 1. It is also found that
exploit two vulnerabilities in the HMI, which are <ftp, 1, 2> MTTC of attacks on substation LAN 2 is slightly higher than
and <ssh, 1, 2>, and gain the user privilege of the target that of substation LAN 1, although more exploits are avail-
component. Also, he may gain the user privilege by executing able in LAN 2. This is caused by the multiple attack paths
the exploits <ssh, 0, 2> and <ftp, 0, 2> in the HMI directly. brought by the shared server and the availability of the com-
Fig. 15 represents the attack graph of the substation LAN 3. munication to the HMI. The MTTC of the LAN 2 is about
The attack sequence is similar to that of the corporation 1.1 times of that of the LAN 1. Also, due to its higher isolat-
LAN. Since the local SCADA is the only component that ing graph structure, largest MTTCs of the substation LAN 3
can be remotely monitored or controlled by the operator from are calculated even though its vulnerabilities are less than the
the outside network, the intruder can only access the local vulnerabilities in the substation LAN 2. The MTTCs of the
SCADA. He is then able to intrude into the HMI while the successful intrusion on the target component in the LAN 3
local SCADA is compromised. It is assumed that when one may be 1.5 times larger than MTTCs taken on the LAN 1.
known vulnerability <http, 0, 1> is exploited in the local Fig. 17 illustrates the MTTCs taken on 24 links between
SCADA, the exploits of the HMI can be executed. the control center and the substations by attackers with four
MTTCs of gaining the control privilege on HMIs through skill levels. Since the known and zero-day vulnerabilities are
three substation LANs are shown in Fig. 16. For the randomly assigned to the countermeasures of 24 links, the
24 substations, it is assumed that 12 substations use the net- MTTCs needed to achieve the same sub-goal in the attack
work of substation LAN 1, eight substations use substation model can be different among 24 links. However, it is still
LAN 2, and four substations use substation LAN 3. It can found that the smallest MTTC of injecting the faulty data to
be found that MTTCs needed for the intrusion into substation the links is caused by the attacker at the expert level.
TABLE III
ATTACK S CENARIOS ON D IFFERENT N ETWORKS larger than those resulted from attackers with lower skill levels.
It is illustrated in Fig. 18 that all LOLP values represented by
the green line are larger than those represented by the yellow
line. This indicates that attackers with higher skill levels will
bring higher risks to the power system. It can also be seen
that LOLP values of the fourth scenario are larger than the
previous three scenarios, which is due to the small MTTCs of
the substations.
VII. C ONCLUSION
In this paper, two modified BN-based attack graph models
are utilized to evaluate the probabilities of successful attacks
on the power system. By considering different cyber attack
paths and skill levels of attackers, MTTCs of successful attacks
against various cyber networks or communication links are
evaluated. It is found that as more known vulnerabilities are
exploited, smaller MTTC is resulted in. Also, less attack time
is needed for attackers with higher skill level. The LOLP
values are simulated by applying the MCS in IEEE RTS79,
where the trips of generators, transmission lines, and loads
are increased due to the influence of increased probabilities of
successful attacks. It can be seen that as a smaller MTTC of
the attack on the target cyber component is needed, the power
system becomes less reliable.
In the future research, more cyber-attack scenarios in the
cyber-physical power system will be considered and analyzed.
More attack targets and countermeasures such as IDS will be
incorporated into the Bayesian and MTTC models and the
integrity of the model will be improved. A more comprehen-
sive and realistic probabilistic model describing the impacts
of cyber attacks will be investigated. Additionally, other fac-
tors that may affect the reliability of the power system will be
analyzed along with the cyber attacks, and their impacts on
the overall system reliability will be evaluated.
R EFERENCES
Fig. 18. LOLP curves of four-level attackers for the IEEE RTS79. [1] C.-C. Liu, A. Stefanov, J. Hong, and P. Panciatici, “Intruders in the grid,”
IEEE Power Energy Mag., vol. 10, no. 1, pp. 58–66, Jan./Feb. 2012.
[2] B. Zhu, A. Joseph, and S. Sastry, “A taxonomy of cyber attacks on
SCADA systems,” in Proc. Int. Conf. 4th Int. Conf. Cyber Phys. Soc.
B. LOLP Curves for IEEE RTS79 Comput. Internet Things (iThings/CPSCom), Dalian, China, Oct. 2011,
The test system used for reliability study is the IEEE RTS79, pp. 380–388.
[3] G. Dondossola, F. Garrone, and J. Szanto, “Cyber risk assessment of
and the MTTR is assumed to be 4 h. LOLP values of the power power control systems—A metrics weighed by attack experiments,”
system are calculated by considering impacts of 14 combi- in Proc. IEEE Power Energy Soc. Gen. Meeting, San Diego, CA, USA,
nations of attack scenarios. LOLP values are calculated in Jul. 2011, pp. 1–9.
[4] R. E. Mackiewicz, “Overview of IEC 61850 and benefits,” in Proc.
different attack scenarios, and the combinations of attacks on IEEE Power Energy Soc. Gen. Meeting, Montreal, QC, Canada, 2006,
different networks are listed in Table III. The LOLP curves pp. 623–630.
are illustrated in Fig. 18. [5] J. Eom, Y.-J. Han, S.-H. Park, and T.-M. Chung, “Active cyber attack
model for network system’s vulnerability assessment,” in Proc. Int. Conf.
It is found that the LOLP values are largely influenced Inf. Sci. Security (ICISS), Seoul, Korea, Jan. 2008, pp. 153–158.
by the probability of successful cyber attacks pa on the tar- [6] L. Wang, S. Jajodia, A. Singhal, P. Cheng, and S. Noel, “k-zero day
get components, which are represented by the values of the safety: A network security metric for measuring the risk of unknown
vulnerabilities,” IEEE Trans. Depend. Sec. Comput., vol. 11, no. 1,
MTTCs for various cyber networks. As the MTTC of the pp. 30–44, Jan./Feb. 2014.
attack decreases, larger pa and LOLP values will be obtained [7] B. Johnson and K. Barnes, “National SCADA test bed substation
accordingly. It indicates as the probability of successful cyber automation evaluation report,” Idaho Nat. Lab., Idaho Falls, ID, USA,
attacks on the networks in the SCADA system increases, more Tech. Rep. INL/EXT-09-15321, Oct. 2009.
[8] J. Stamp, A. McIntyre, and B. Ricardson, “Reliability impacts from
severe impact may be brought to the power system. It rep- cyber attack on electric power systems,” in Proc. IEEE/PES Power Syst.
resents all LOLP values caused by higher level attackers are Conf. Expo. (PSCE), Seattle, WA, USA, Mar. 2009, pp. 1–8.
[9] C.-W. Ten, J. Hong, and C.-C. Liu, “Anomaly detection for cybersecurity Yichi Zhang (S’10) received the B.E. degree in
of the substations,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 865–873, electronics information engineering from Yanshan
Dec. 2011. University, Qinhuangdao, China, and the M.S.
[10] C.-W. Ten, C.-C. Liu, and G. Manimaran, “Vulnerability assessment of degree in electrical engineering from the University
cybersecurity for SCADA systems,” IEEE Trans. Power Syst., vol. 23, of Toledo, Toledo, OH, USA, in 2009 and 2011,
no. 4, pp. 1836–1846, Nov. 2008. respectively, where she is currently pursuing the
[11] M. Chen, J. C. Sanchez-Aarnoutse, and J. Buford, “Petri net modeling Ph.D. degree.
of cyber-physical attacks on smart grid,” IEEE Trans. Smart Grid, vol. 2, Her current research interests include cyber secu-
no. 4, pp. 741–749, Dec. 2011. rity of smart grid.
[12] C.-W. Ten, C.-C. Liu, and M. Govindarasu, “Vulnerability assessment
of cybersecurity for SCADA systems using attack trees,” in Proc. IEEE
Power Eng. Soc. Gen. Meeting, Tampa, FL, USA, Jun. 2007, pp. 1–8.
[13] M. A. McQueen, W. F. Boyer, M. A. Flynn, and G. A. Beitel,
“Quantitative cyber risk reduction estimation methodology for a small
SCADA control system,” in Proc. 39th Annu. Hawaii Int. Conf. Syst.
Sci. (HICSS), Jan. 2006, p. 226. Lingfeng Wang (S’02–M’09) received the B.E.
[14] W. Li, J. Zhou, K. Xie, and X. Xiong, “Non-coherence in transmission degree in measurement and instrumentation from
line arrangements,” in Proc. Int. Conf. Power Syst. Technol. (PowerCon), Zhejiang University, Hangzhou, China; the M.S.
Chongqing, China, Oct. 2006, pp. 1–6. degree in electrical and computer engineering from
[15] M. A. McQueen, W. F. Boyer, M. A. Flynn, and G. A. Beitel, the National University of Singapore, Singapore;
“Time-to-compromise model for cyber risk reduction estimation,” and the Ph.D. degree from the Electrical and
in Proc. 1st Workshop Qual. Prot., Milan, Italy, Sep. 2005, pp. 49–64. Computer Engineering Department, Texas A&M
[16] M. Frigault and L. Wang, “Measuring network security using University, College Station, TX, USA, in 2008.
Bayesian network-based attack graphs,” in Proc. 32nd Annu. IEEE Int. He is currently an Associate Professor with the
Comput. Softw. Appl. Conf. (COMPSAC), Turku, Finland, Aug. 2008, Department of Electrical Engineering and Computer
pp. 698–703. Science, University of Wisconsin–Milwaukee,
[17] W. Nzoukou, L. Wang, S. Jajodia, and A. Singhal, “A unified framework Milwaukee, WI, USA. He was an Assistant Professor at the University
for measuring a network’s mean time-to-compromise,” in Proc. IEEE of Toledo, Toledo, OH, USA, and an Associate Transmission Planner
32nd Int. Symp. Reliable Distrib. Syst., 2013, pp. 215–224. at the California Independent System Operator, Folsom, CA, USA. His
[18] T. Sommestad, M. Ekstedt, and L. Nordström, “Modeling security current research interests include power system reliability and cybersecurity,
of power communication systems using defense graphs and influence renewable energy integration, intelligent and energy-efficient buildings,
diagrams,” IEEE Trans. Power Del., vol. 24, no. 4, pp. 1801–1808, electric vehicles integration, and cyber-physical systems.
Oct. 2009. Prof. Wang is an Editor of the IEEE T RANSACTIONS ON S MART G RID.
[19] P. M. Subcommittee, “IEEE reliability test system,” IEEE Trans. Power He also serves on the Steering Committee of the IEEE T RANSACTIONS ON
App. Syst., vol. PAS-98, no. 6, pp. 2047–2054, Nov. 1979. C LOUD C OMPUTING.
[20] K. Stouffer, J. Falco, and K. Kent, Guide to Supervisory Control and
Data Acquisition (SCADA) and Industrial Control Systems Security—
Recommendations of the National Institute of Standards and Technology,
NIST Standard Special Publication 800-82, Sep. 2006.
[21] J. Verba and M. Milvich, “Idaho national laboratory supervisory control
and data acquisition intrusion detection system (SCADA IDS),” in Proc. Yingmeng Xiang (S’11) received the B.S.
IEEE Conf. Technol. Homeland Security, 2008, pp. 469–473. degree from Chongqing University, Chongqing,
[22] (Mar. 18, 2014). U.S. Cert. Control Systems Security Program China, and the M.S. degree from the Huazhong
CSSP: Overview of Cyber Vulnerabilities. [Online]. Available: University of Science and Technology, Wuhan,
http://ics-cert.us-cert.gov/ content/overview-cyber-vulnerabilities China, in 2010 and 2013, respectively, both in
[23] H. Hajian-Hoseinabadi, “Reliability and component importance analysis electrical engineering. He is currently pursuing the
of substation automation systems,” Int. J. Elect. Power Energy Syst., Ph.D. degree in electrical engineering from the
vol. 49, pp. 455–463, Jul. 2013. Department of Electrical Engineering and Computer
[24] Secheron. (2007). Control Command and Local Scada. [Online]. Science, University of Wisconsin–Milwaukee,
Available: http://www.secheron.com/Products/Control-command-and- Milwaukee, WI, USA.
supervision His current research interests include power
[25] P. Mell, K. Scarfone, and S. Romanosky, “Common vulnerability scoring system adequacy evaluation, cyber-physical system modeling, and power
system,” IEEE Security Privacy, vol. 4, no. 6, pp. 85–89, Nov. 2006. system operations.
[26] J. A. Major, “Advanced techniques for modeling terrorism risk,” J. Risk
Finance, vol. 4, no. 1, pp. 15–24, Dec. 2002.
[27] M. A. McQueen, T. A. McQueen, W. F. Boyer, and M. R. Chaffin,
“Empirical estimates and observations of 0day vulnerabilities,” in Proc.
42nd Hawaii Int. Conf. Syst. Sci. (HICSS), Jan. 2009, pp. 1–12. Chee-Wooi Ten (S’06–M’10–SM’11) received the
[28] M. Shen, F. Chan, R. Laprise, and L. Lu, “A fully integrated substation B.S.E.E. and M.S.E.E. degrees in electrical engineer-
LAN network for protection, control and data acquisition,” in Proc. IEEE ing from Iowa State University, Ames, IA, USA, in
Power Energy Soc. Gen. Meeting (PES), Calgary, AB, Canada, Jul. 2009, 1999 and 2001, respectively, and the Ph.D. degree in
pp. 1–6. power systems engineering from University College
[29] E. J. Markey and H. A. Waxman. (May 2013). Electric Grid Dublin—National University of Ireland, Dublin,
Vulnerability. [Online]. Available: http://democrats.energycommerce. Ireland, in 2009.
house.gov/sites/default/files/documents/Report-Electric-Grid- From 2002 to 2006, he was an Application
Vulnerability-2013-5-21.pdf Engineer with Siemens Energy Management and
[30] R. Billinton and W. Li, Reliability Assessment of Electric Power Systems Information System, Singapore. He is currently an
Using Monte Carlo Methods. New York, NY, USA: Plenum, 1994. Assistant Professor with Michigan Technological
[31] NERC. (Dec. 2007). Definition of Adequate Level of Reliability. University, Houghton, MI, USA. His current research interests include
[Online]. Available: http://www.nerc.com/docs/pc/Definition-of-ALR- modeling for critical cyberinfrastructures and supervisory control and data
approved-at-Dec-07-OC-PC-mtgs.pdf acquisition (SCADA) automation applications for power grids.

Power System Reliability Evaluation With SCADA Cybersecurity Considerations

Uploaded by

Copyright:

Available Formats

Power System Reliability Evaluation With SCADA Cybersecurity Considerations

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Power System Reliability Evaluation With SCADA Cybersecurity Considerations

Uploaded by

Copyright:

Available Formats

IEEE TRANSACTIONS ON SMART GRID, VOL. 6, NO.

4, JULY 2015 1707

Power System Reliability Evaluation With

Fig. 1. Representative SCADA system architecture.

Fig. 2. Cyber attacks on the control center LAN.

Fig. 3. Cyber attacks on the corporation LAN.

Substations with different structures feature various automa-

switch is used to control the communication between VLANs,

The probability of each ai is thus associated with conditional

B. Common Vulnerability Scoring System

Fig. 8. Bayesian attack graph model of communication link.

to the target vulnerability is denoted as

after each successful cyber attack. In the SCADA networks

Fig. 10. Bayesian attack graph of the corporation.

Fig. 15. Bayesian attack graph of substation LAN3.

The attack graph of the substation LAN 2 is shown in

You might also like