
A Study on State Estimation Based Intrusion Detection in Power Control Systems Using DNP3 over TCP/IP

  • Hyeonho Choi (Korea University);
  • Junghee Lee (Korea University)
  • Submitted: 2024.04.30
  • Reviewed: 2024.06.05
  • Published: 2024.08.31

Abstract

With the evolution of power systems and advancements in IT technology, there is an increasing demand to shift from serial-based communication to TCP/IP-based communication. However, TCP/IP communication entails a wider range of security threats, and therefore needs extensive consideration from an information security perspective. Security measures such as authentication and encryption cannot be applied in the short term because of issues such as the replacement of Remote Terminal Units (RTUs) and the performance requirements of cryptographic algorithms. In this context, this paper proposes a state estimation-based intrusion detection model that identifies and effectively detects threats to power control systems. In addition to signature-based detection, the proposed model verifies the validity of the acquired data, which enables it to detect attacks such as data tampering that are difficult to identify with conventional methods.
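The data-validity check that the abstract describes, shown as an added example that is not part of the paper and is not the authors' model or code: it uses the textbook weighted-least-squares (WLS) state estimation with a chi-square test on the objective and a largest-normalized-residual test, which this page does not specify, on a constructed 3-bus DC network with an assumed measurement noise of 0.01 p.u. A measurement that is consistent with the rest of the acquired data passes; a tampered line-flow reading is rejected and the state is re-estimated from the remaining data.

```python
"""Added illustration: state-estimation based validity check of acquired data.

Constructed 3-bus DC example with textbook WLS bad-data detection; not the
paper's detection model, whose details this page does not give."""
from math import sqrt

# Constructed network: per-unit line reactances keyed by (from_bus, to_bus).
LINES = {(1, 2): 0.1, (1, 3): 0.2, (2, 3): 0.1}
STATE_BUSES = [2, 3]           # unknown angles; bus 1 is the angle reference (0 rad)
SIGMA = 0.01                   # assumed std. dev. of every measurement (p.u.)
CHI2_99 = {1: 6.635, 2: 9.210, 3: 11.345, 4: 13.277}  # chi-square, alpha = 0.01
NORM_RESIDUAL_LIMIT = 3.0      # assumed threshold for a normalized residual


def flow_row(i, j):
    """Row of H for the DC flow P_ij = (theta_i - theta_j) / x_ij."""
    x = LINES.get((i, j)) or LINES[(j, i)]
    row = [0.0] * len(STATE_BUSES)
    for k, bus in enumerate(STATE_BUSES):
        if bus == i:
            row[k] += 1.0 / x
        if bus == j:
            row[k] -= 1.0 / x
    return row


def injection_row(i):
    """Row of H for the net injection P_i = sum of flows leaving bus i."""
    row = [0.0] * len(STATE_BUSES)
    for a, b in LINES:
        if i in (a, b):
            row = [u + v for u, v in zip(row, flow_row(i, b if a == i else a))]
    return row


def invert(m):
    """Gauss-Jordan inverse of a small square matrix (list of lists)."""
    n = len(m)
    a = [r[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, r in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [v / piv for v in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0.0:
                f = a[r][c]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [r[n:] for r in a]


def wls_estimate(H, z, sigma=SIGMA):
    """WLS estimate x = (H^T W H)^-1 H^T W z with W = I / sigma^2.
    Returns (x, residuals r = z - Hx, objective J, normalized residuals)."""
    m, n = len(H), len(H[0])
    w = 1.0 / sigma ** 2
    G = [[w * sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    b = [w * sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    Ginv = invert(G)
    x = [sum(Ginv[i][j] * b[j] for j in range(n)) for i in range(n)]
    r = [z[k] - sum(H[k][j] * x[j] for j in range(n)) for k in range(m)]
    J = w * sum(v * v for v in r)
    rN = []
    for k in range(m):
        # Residual covariance Omega_kk = R_kk - (H G^-1 H^T)_kk. A critical
        # measurement has Omega ~ 0 and its error is invisible: report 0.
        omega = sigma ** 2 - sum(H[k][i] * Ginv[i][j] * H[k][j]
                                 for i in range(n) for j in range(n))
        rN.append(abs(r[k]) / sqrt(omega) if omega > 1e-12 * sigma ** 2 else 0.0)
    return x, r, J, rN


def validate(measurements, z):
    """Chi-square test on J; while it fails, reject the measurement with the
    largest normalized residual and re-estimate. Returns (state, rejected names)."""
    names = [name for name, _ in measurements]
    H = [row for _, row in measurements]
    z, rejected = list(z), []
    while True:
        x, _, J, rN = wls_estimate(H, z)
        dof = len(H) - len(H[0])            # table above covers this example's dof
        if dof <= 0 or J <= CHI2_99[dof]:
            return x, rejected
        k = max(range(len(rN)), key=lambda i: rN[i])
        if rN[k] < NORM_RESIDUAL_LIMIT:
            return x, rejected
        rejected.append(names[k])
        del names[k], H[k], z[k]


# Constructed measurement set: three line flows and three bus injections.
MEASUREMENTS = [
    ("P_12", flow_row(1, 2)), ("P_13", flow_row(1, 3)), ("P_23", flow_row(2, 3)),
    ("P_1", injection_row(1)), ("P_2", injection_row(2)), ("P_3", injection_row(3)),
]
TRUE_STATE = [-0.05, -0.10]    # constructed true angles of buses 2 and 3 (rad)


def true_measurements():
    """Noise-free readings consistent with TRUE_STATE."""
    return [sum(h * s for h, s in zip(row, TRUE_STATE)) for _, row in MEASUREMENTS]


def tampered_measurements():
    """Constructed tampering scenario: the reported P_23 flow is shifted by +1.0 p.u."""
    z = true_measurements()
    z[2] += 1.0
    return z


if __name__ == "__main__":
    for label, z in (("clean", true_measurements()), ("tampered", tampered_measurements())):
        x, rejected = validate(MEASUREMENTS, z)
        print(f"{label}: state={[round(v, 4) for v in x]} rejected={rejected}")
```

In the tampered case the objective J is far above the chi-square limit, and several normalized residuals exceed 3 because the bad reading spreads into neighbouring residuals; the check therefore removes only the largest one per pass and re-estimates instead of flagging every measurement above the limit, after which the remaining five readings reproduce the true state exactly.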

Keywords
