
IEEE ISGT Asia 2013 1569806151

Cyber Security Solution for Wide Area Measurement Systems in Wind Connected Electric Grid

Kiran Gajrani, Annapurna Bhargava and Krishan Gopal Sharma
Department of Electrical Engineering
Rajasthan Technical University
Kota, India

Ramesh Bansal
Department of Electrical, Electronic and Computer Engineering
University of Pretoria
Pretoria, South Africa

Abstract--Wind energy is considered the most promising, cost-effective, and green energy among the prevailing renewable energy sources. The integration of wind power with the conventional electric grid poses challenges related to power system dynamics due to its intermittent nature. This necessitates real time monitoring of the electric grid, which can be achieved through Wide Area Measurement Systems (WAMS). Real time control operations require cost effective, high speed, and secure communication infrastructure. The modern electric grid has become an integration of WAMS, communication systems, and information technology infrastructure; hence, cyber security issues arise. New cyber security challenges need to be addressed adequately. This paper proposes a cyber security architecture for the electrical grid and discusses the functioning of its various parts. We have simulated the proposed architecture to check the impact on latency of introducing IPSec to secure data while it is transmitted over the communication channel.

Index Terms--Cyber Security; IPSec; PMU; WAMS; Wind Farm

I. INTRODUCTION

Although the integration of geographically scattered wind farms has a number of advantages, such as voltage and peak load demand support, reduction of power losses, and the opportunity to utilize local wind energy resources, it may lead to stability problems due to its inherent random and intermittent nature. This restructuring of the power system poses new challenges for the stability, operation, and control of power systems. A possible solution is Wide Area Measurement Systems (WAMS), which monitor the power system in real time to avoid major blackouts/outages. Synchronized data from geographically scattered Phasor Measurement Units (PMUs) are analyzed in the control center and used for various applications such as wide area monitoring, control, and protection, and also for post term analysis of any disturbance/outage. The successful implementation of time critical WAMS applications requires cost effective, high speed, reliable, and secure communication infrastructure. Utilities have been either laying their own fiber optical network, along with transmission and distribution assets, or depending on telecom service providers to obtain greater visibility over a larger area of the grid, thereby providing better monitoring and control. The electric grid has become an integration of WAMS, communication systems, and IT infrastructure; hence, cyber security issues arise. It is also evident that attacks against the electric grid are now more sophisticated and articulated, with malicious intentions such as interrupting power grid services or gaining confidential/proprietary data. One recent example is the cyber security attack on Telvent, the smart grid giant owned by Schneider Electric, where hackers were able to access the critical Supervisory Control and Data Acquisition (SCADA) system, which is used to control power grid, oil, and gas pipeline systems. Hackers were able to install malicious software and access project files of SCADA systems [1]. North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) was developed to address the risks and vulnerabilities associated with WAMS by designing and enforcing various standards and regulations [2].

The paper [3] provides a brief introduction to cyber security concepts and issues related to the emerging modern electric grid. The paper [4] addresses cyber security and power system communication as a smart grid solution. It also highlights access points in a substation. The author of [5] evaluates vulnerabilities of SCADA systems at three levels: system, scenarios, and access points.

Although previously proposed cyber security architectures provide protection against cyber threats, none has addressed the impact on the latency of real time applications. To the best of our knowledge, this aspect has neither been attempted nor been documented. This paper proposes an architecture that will protect the WAMS based modern electric grid from prevailing cyber security threats. The complete cyber security solution is discussed in detail. Secured communication based on Internet Protocol Security (IPSec) is simulated in OPNET to check its impact on latency, which is critical for real time monitoring, protection, and control of the electric grid.

This paper is organized as follows. Section II deals with the wind farm virtual architecture. Section III provides an overview of WAMS technology. Section IV deals with the fundamentals of cyber security. Section V proposes the cyber security architecture in detail. Simulation and results are presented in Section VI, and the paper is concluded in Section VII.

II. WIND FARM VIRTUAL ARCHITECTURE

A wind farm consists of clusters of Wind Turbines (WTs), which are connected in different configurations. The real physical components of a WT can be represented using the IEC 61400-25 standard [6], which is based on the concept of virtualization. According to the IEC 61400-25 standard, the explicit function of the various components of a real physical WT can be mapped into logical nodes. This standard focuses on the communication between wind farm components such as WTs and actors such as SCADA systems.

A WT can be represented by nine logical nodes, as shown in Figure 1. Each logical node is defined as a class, which consists of various attributes and is categorized into different types such as status, analogue, and control information. The status and analogue information can be further divided based on critical parameters. These parameters require real time monitoring for safe and optimized working of the WT.

III. OVERVIEW OF WAMS TECHNOLOGY

The synchronized measurements are used in WAMS to provide the dynamic situation of the grid and hence can be used as a powerful tool [8] for real time monitoring and control of the grid. Figure 2 depicts the architecture of a WAMS based electric grid integrated with a wind farm. It consists of substations, wind farms, a communication channel, and a control center. Substations are equipped with PMUs, relays, and Intelligent Electronic Devices (IEDs). Communication within the substation takes place through a Local Area Network (LAN), where Ethernet is generally used. The data from geographically scattered PMUs are transmitted to the Super Phasor Data Concentrator (SPDC) at the control center. The PDC realigns the data, which are then used for various applications such as real time visualization, monitoring, control, protection, and alarms for critical situations. The large amount of stored data is utilized for post term analysis of blackouts/critical events.

Figure 2. Architecture of WAMS
[Diagram labels: Substation, PMU, IEDs, Relays, Wind Farm (WT1 to WT5), Communication Channel (WAN), Control Center, SPDC, Database, Real Time Monitor, Analysis and Control, Users]

WAMS requires high performance communication infrastructure to transfer data from substations to the control center or vice versa. Bandwidth, reliability, and throughput (packets/sec) are the primary factors in choosing the communication channel for WAMS.

To facilitate synchronized phasor measurements in the electric grid, the IEEE C37.118 standard was developed. The standard was later divided into two parts: IEEE C37.118.1-2011 deals with measurement, whereas IEEE C37.118.2-2011 deals with data transfer. The IEEE C37.118.2-2011 standard [9] specifies message formats for data, configuration, header, and command, but does not specify the communication medium. The first three message types are transmitted from the PMU/PDC that serves as the data source, and the last is received by the PMU/PDC when a control signal is issued by the control center.

The implementation of WAMS requires grid communication technologies to migrate from proprietary technologies to open standards. This has resulted in the migration of closed loop control systems to open systems such as the internet and makes the modern grid vulnerable to cyber security threats [10]. A cyber threat can exploit vulnerabilities that already exist in open system standards in order to launch cyber attacks against the modern grid. These vulnerabilities may result in catastrophic disruptions. It is important to understand the concepts of cyber security before designing and implementing the architecture of WAMS; these are discussed in the following section.
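The four IEEE C37.118.2 message types and the direction rule described above, sketched as a frame validator. This is an added example, not code from the paper: the common header layout and CRC-CCITT parameters follow the published standard, while the function names, the sender labels and the sample frames are constructed for illustration.

```python
import struct

# SYNC byte 2, bits 6-4: frame type (IEEE C37.118.2-2011)
FRAME_TYPES = {0: "data", 1: "header", 2: "cfg1", 3: "cfg2", 4: "command", 5: "cfg3"}
# CMD word values carried by a command frame
COMMANDS = {1: "data off", 2: "data on", 3: "send header",
            4: "send cfg1", 5: "send cfg2", 6: "send cfg3", 8: "extended"}
HEADER = struct.Struct(">BBHHII")  # SYNC(2) FRAMESIZE IDCODE SOC FRACSEC = 14 bytes


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used for CHK: polynomial 0x1021, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(ftype: int, idcode: int, soc: int, fracsec: int, body: bytes = b"") -> bytes:
    """Assemble a version-2 frame around an opaque body (used for the samples)."""
    size = HEADER.size + len(body) + 2
    frame = HEADER.pack(0xAA, (ftype << 4) | 0x02, size, idcode, soc, fracsec) + body
    return frame + struct.pack(">H", crc_ccitt(frame))


def parse_frame(raw: bytes) -> dict:
    """Validate framing and CHK, then return the common header fields."""
    if len(raw) < HEADER.size + 2:
        raise ValueError("truncated frame")
    lead, sync2, size, idcode, soc, fracsec = HEADER.unpack_from(raw)
    if lead != 0xAA:
        raise ValueError("bad SYNC byte")
    if size != len(raw):
        raise ValueError("FRAMESIZE disagrees with received length")
    if crc_ccitt(raw[:-2]) != struct.unpack(">H", raw[-2:])[0]:
        raise ValueError("CHK mismatch")
    ftype = FRAME_TYPES.get((sync2 >> 4) & 0x07)
    if ftype is None:
        raise ValueError("reserved frame type")
    frame = {"type": ftype, "version": sync2 & 0x0F, "idcode": idcode,
             "soc": soc, "fracsec": fracsec}
    if ftype == "command":
        if size < HEADER.size + 4:
            raise ValueError("command frame without CMD word")
        cmd = struct.unpack_from(">H", raw, HEADER.size)[0]
        frame["command"] = COMMANDS.get(cmd, "unknown 0x%04x" % cmd)
    return frame


def direction_ok(frame: dict, sender: str) -> bool:
    """sender is 'source' (PMU/PDC) or 'control_center' (hypothetical labels)."""
    expected = "control_center" if frame["type"] == "command" else "source"
    return sender == expected


# Constructed samples: a 38-byte data frame (16 bytes of framing + 22 opaque
# body bytes) and a "data off" command addressed to the same IDCODE.
DATA_FRAME = build_frame(0, idcode=7, soc=1_370_000_000, fracsec=0, body=bytes(22))
CMD_FRAME = build_frame(4, idcode=7, soc=1_370_000_001, fracsec=0,
                        body=struct.pack(">H", 1))

if __name__ == "__main__":
    for raw, sender in [(DATA_FRAME, "source"), (CMD_FRAME, "control_center"),
                        (CMD_FRAME, "source")]:
        parsed = parse_frame(raw)
        print(parsed["type"], len(raw), parsed.get("command"),
              "sender:", sender, "direction ok:", direction_ok(parsed, sender))
```

CHK is an unkeyed CRC: it catches transmission errors, but anyone able to rewrite a frame can also recompute it, so origin authentication has to come from the layer below, which is the role the paper gives to IPSec.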

Figure 1. WT virtual model [7]

IV. FUNDAMENTALS OF CYBER SECURITY

The three main pillars of cyber security are confidentiality, integrity, and availability, which are represented by the CIA triad and are the fundamental concepts of information security [11]. Cyber security is required for the electric grid, as it is a critical element of our economic and social infrastructure. Other security related aspects such as identification, authentication, authorization, accountability, auditing, nonrepudiation, and privacy must be taken into account for complete cyber security of the electrical grid. Implementation of security controls implies mitigation of vulnerabilities, risks, and threats.

A. Confidentiality
Confidentiality ensures prevention of illicit revelation or disclosure of data [12]. Confidentiality prevents exposure of stored data, data processed within the system, and data transmitted through the LAN/Wide Area Network (WAN). Confidentiality can be breached either through well coordinated attacks or through unauthorized disclosure of. Confidentiality can be achieved through data encryption, access control, training & awareness, and data classification.

B. Integrity
Integrity prevents unauthorized modification and destruction of information, and ensures nonrepudiation and authenticity of information. Integrity can be classified as system integrity and data integrity. System integrity deals with the protection of systems such as PMUs, IEDs, relays, wind controllers, and PDCs. Data integrity protects against unauthorized modification of data either within the system or while it is transmitted across the LAN/WAN. Integrity can be achieved through hash verifications, input/output checksums, stringent access and authentication systems, and well designed security policies.

C. Availability
Availability ensures uninterrupted, reliable, and timely access to data and resources for authorized users. It applies to the network, communication infrastructure, systems, applications, databases, and supporting infrastructure. Availability also works in parallel with confidentiality and integrity. Availability can be achieved through proper segregation of the network using routers, switches, firewalls, Intrusion Detection Systems (IDS), Security Incident & Event Management (SIEM) tools, effective access control systems, and a proper backup and recovery strategy.

D. Authentication and Authorization
The electric grid comprises various critical systems and users. A user, program, system, or process must prove its legal identity to the grid system before actual data transmission takes place through authentication, authorization, and accountability. After authentication, authorization takes place, which determines the access rights of an entity. The electric grid comprises different types of critical components such as PMUs, PDCs, and database servers, and different users such as grid engineers, support staff, system engineers, and security analysts. A security analyst does not need access to PMUs and PDCs, as he does not have to perform any action on these devices. The security analyst's role is to maintain security, and his access should be limited to security devices. In the same way, a grid engineer's access must be limited to their respective PMUs and PDCs. WAMS can develop its own access control systems, but it is preferable to use third party services such as Kerberos [13] or Secure European System for Applications in a Multi-vendor Environment (SESAME) [14].

E. Accountability
The electrical grid is very complex in nature, so various job roles and profiles must be defined for efficient functioning of the grid. Everyone must be accountable for one's own work. If a PMU is malfunctioning and the monitoring team at the control center has not observed it, which in turn leads to a major blackout, the monitoring team is accountable for the failure. The team must be liable for any legal action or termination. Grid security can only be enforced if accountability is maintained and entities are held responsible for their activities. Accountability can be achieved through implementation of authorization, authentication, auditing, and nonrepudiation.

F. Nonrepudiation
WAMS technology operates in a heterogeneous environment where different vendors and applications depend on each other for data inputs and decisions. In the electrical grid it is very important to ensure that the sender of particular data does not have any option to refuse or refute that the data were sent by him. Nonrepudiation ensures that the source of an event cannot deny that the event has occurred. Accountability depends on nonrepudiation to make an entity accountable for its actions. Nonrepudiation can be achieved through digital certificates, audit trails, and access control systems.

G. Auditing
Auditing is an important aspect of grid cyber security, as it keeps track of activities and logs as and when they occur. It tracks all the logs generated within PDCs, PMUs, servers, security devices, and communication devices. The audit trail keeps all the information about an event, such as when it occurred and what type of event it was, who caused it, and how and when it was detected. Audit activities help to identify any critical changes. SIEM tools such as RSA Envision [15] and ArcSight [16] are used for real time monitoring and logging of events.

V. CYBER SECURITY ARCHITECTURE

The cyber security architecture of the electric grid is shown in Figure 3. The architecture comprises security components, communication networks, and application servers, in addition to the WAMS architecture shown in Figure 2. This architecture is based on a defense in depth approach, where an attack on or failure of one security component will not lead to failure of the complete electric grid. This approach divides the network into various sub networks, and security is implemented on each sub network. The electric grid cyber security architecture is divided into four parts: substation network, wind farm, control center, and communication channel. Implementing security on each part leads to an overall cyber security solution. The security components used in the substation network and wind farm are mainly routers, firewalls, Ethernet switches, and IDS. A firewall is a network layer device, which allows only authorized traffic and blocks malicious traffic between substations, wind farms, and the control center. The IDS persistently scans logs generated in the network to detect any malicious or anomalous traffic and generates real time alerts. Communication other than WAMS, to and from a substation, is processed via the control center only. To log in remotely to any substation, a user should first dial in through a Virtual Private Network (VPN) to the control center and will get access to the substation via the control center. The substation perimeter is protected by a firewall, and traffic across the substation is monitored through the IDS, which sends alerts to the SIEM tool at the control center.

The control center is further divided into an internal network, a De-Militarized Zone (DMZ), and a user network. All the sub networks are protected and segregated through firewalls, where only necessary and minimal ports/services are allowed to communicate. The internal network contains servers pertaining to WAMS technology only. Authorized WAMS ports are allowed to communicate with substations and other control centers. WAMS management and monitoring ports shall only be allowed to the user network, and the management port is allowed to the DMZ only for limited systems such as remote logins through dial up VPNs. The DMZ consists of servers required for communication other than WAMS. It contains, but is not limited to, an email server, a proxy server for web access, remote access for dial up VPN connections, an antivirus server, and a SIEM server. The internet facing firewall in the DMZ should allow only limited ports, such as port 80 for HTTP traffic to the proxy server. Any port that is used for WAMS applications should not be left open. The user network contains a number of workstations used for administration and real time monitoring of the electric grid. IDS are placed at strategic locations to detect any anomalous and malicious traffic within the electric grid. For example, an IDS placed on the internal network will generate an alert if it detects traffic on ports other than WAMS ports. The proxy server in the control center will govern and regulate the flow of web traffic from the electric grid to the internet. This will protect users visiting malicious sites. The antivirus server is used to deploy the latest signatures to the servers and workstations to detect and protect against any malicious activity. All the logs and alerts generated from various security devices, network devices, servers, and workstations are collected, aggregated, and correlated through the SIEM tool, and used for real time monitoring and auditing.

Electrical utilities depend on service providers for a cost effective, high speed, and reliable communication channel. As the communication network is shared by various customers, protection against man-in-the-middle attacks cannot be guaranteed. VPN protocols are used to secure data across the WAN. IPSec is the de facto VPN protocol, which can be used for securing WAMS across the WAN.

Figure 3. Architecture of WAMS from cyber security point of view

IPSec is a combination of various cryptographic services and works at the network layer of the Open Systems Interconnection (OSI) model to provide confidentiality, integrity, authentication, and access control. IPSec is an open source protocol and can be easily configured for different WAMS applications. It can also be implemented through IPSec services provided by operating systems, or through hardware devices such as routers, firewalls, and VPN concentrators. IPSec works in two modes: tunnel mode and transport mode. When IPSec is implemented as a part of WAMS applications or on the operating system, transport mode can be used, where the payload of the Internet Protocol (IP) packet is encrypted. When IPSec is implemented as hardware, tunnel mode is used, where it encrypts the whole packet and encapsulates it into a new packet with a new IP header. IPSec supports two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH supports authentication and message integrity, whereas ESP supports confidentiality, authentication, integrity, and anti-replay protection.

Electric grids are distributed across cities, villages, and remote places. It is not possible to have one service provider or the same type of communication network across the electrical grid. The electric grid communication network is a combination of many service providers and different technologies that work coherently to provide reliable and secure communication. Figure 4 shows the flowchart for choosing the modes and protocols of IPSec.

[Flowchart: Does WAMS support IPSec? NO: Tunnel Mode; YES: Transport Mode. Is confidentiality required? NO: IPSec AH; YES: IPSec ESP.]
Figure 4: Flowchart for mode and protocol selection

VI. SIMULATION AND RESULTS

We simulated the proposed architecture in OPNET, which is a tool to simulate different applications and network architectures. Substations are connected to the control center via a Point-to-Point Protocol (PPP) E1 (2 Mbps) link. The wind farm is connected to the control center via an Optical Carrier (OC12) (594.43 Mbps) link. The simulated network diagram is shown in Figure 5. The simulation was performed for 150 seconds. The PMU application generates 30 packets per second, each of 38 bytes, destined to the PDC at the control center using User Datagram Protocol (UDP). The control center server sends control commands in case of emergency situations. A similar scenario was simulated by a command signal of size 100 bytes sent using Transmission Control Protocol (TCP) to a relay at the substation, which the relay acknowledges with a 10 byte signal. IPSec transport mode is used for secured communication between PMUs and the control center. The wind farm comprises two clusters; each cluster includes ten WTs. A WT generates 29 status signals, 51 mechanical signals, and 36
electrical signals. The total data generated by status signals, mechanical signals, and electrical signals are 29 bytes/sec (29*1*1), 2550 bytes/sec (51*25*2), and 3600 bytes/sec (36*50*2) respectively. The cumulative traffic generated by the wind farm is 123580 bytes/sec. IPSec tunnel mode is used for secured communication between the wind farm and the control center.

Figure 5: Simulated network diagram in OPNET

Figure 6 shows that the latency of traffic between PMU and PDC is 0.49 ms without cyber security protection, whereas it is 0.73 ms with IPSec. Figure 7 shows that the latency of traffic between the wind farm and the control center is 2.5 ms without cyber security protection and 3.4 ms with IPSec. Latency is high with wind farm traffic since a large amount of data is transmitted to the control center for proper functioning of the WTs. Figure 8 shows the control signal latency from the control center to the relay, which is 0.09 ms without cyber security protection and 0.14 ms with IPSec.

Figure 6. Latency of traffic from PMU to PDC

Figure 7. Latency of traffic from wind farm to control center

Figure 8. Latency of control command from control center to relay

It is observed that latency has increased by almost 50% due to IPSec and the firewalls deployed in the proposed architecture. However, the increased latency is still under the limit of 4 ms [17], which is a prerequisite for real time monitoring of critical WAMS.

VII. CONCLUSION
Cyber security has become a vital element of WAMS technology in the electric grid. The move from legacy proprietary systems to open system standards has accelerated the cyber risk associated with the electric grid. Cyber security requires a holistic approach to deal with the vulnerabilities and threats associated with the grid. This paper discussed the concepts of cyber security in detail and proposed a cyber security architecture to mitigate such risks. This paper has discussed security over data exchange and can be used as a guideline to assist VPN technologies for grid communication. This paper also examined the impact of incorporating the cyber security architecture on real time applications of WAMS in terms of latency. The architecture provides detailed insight into the security requirements of the electric grid; however, it does not guarantee complete security, as vulnerabilities are also evolving with the advancement of information & communication technologies.

REFERENCES
[1] [Online]. Available: http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/.
[2] [Online]. Available: http://www.nerc.com/pa/Stand/Standards/Appendix_3A_StandardsProcessesManual_20120131.pdf.
[3] J. Hull, H. Khurana, T. Markham, and K. Staggs, "Staying in control: cybersecurity and the modern electric grid," IEEE Power & Energy Magazine, vol. 10, no. 1, pp. 41-48, Feb. 2012.
[4] G. N. Ericsson, "Cyber security and power system communication: essential parts of a smart grid infrastructure," IEEE Trans. Power Delivery, vol. 25, no. 3, pp. 1501-1507, Jul. 2010.
[5] C. W. Ten, C. C. Liu, and G. Manimaran, "Vulnerability assessment of cybersecurity for SCADA systems," IEEE Trans. Power Systems, vol. 23, no. 4, pp. 1836-1846, Nov. 2008.
[6] Communication for Monitoring and Control of Wind Power Plants: Information Models, International standard IEC 61400-25-2, 2006.
[7] K. Gajrani, K. G. Sharma, and A. Bhargava, "Resiliency in offshore wind farm communication networks," Journal of Renewable and Sustainable Energy, vol. 5, no. 2, pp. 2-11, Apr. 2013.
[8] J. D. L. Ree, V. Centeno, J. S. Thorp, and A. G. Phadke, "Synchronized phasor measurement applications in power system," IEEE Trans. Smart Grid, vol. 1, no. 1, pp. 20-27, Jun. 2010.
[9] IEEE Standard for Synchrophasor Data Transfer for Power Systems, IEEE Std C37.118.2™, 2011.
[10] Y. Yang, T. Littler, S. Sezer, K. McLaughlin, and H. F. Wang, "Impact of cyber-security issues on smart grid," in Proc. 2011 Innovative Smart Grid Technologies (ISGT Europe) Conf., pp. 1-7.
[11] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, "A survey on cyber security for smart grid communications," IEEE Communications Surveys and Tutorials, vol. 14, no. 4, pp. 998-1010, Jan. 2012.
[12] R. B. Bobba, J. Dagle, H. Khurana, W. H. Sanders, P. Sauer, and T. Yardley, "Enhancing grid measurement: wide area measurement systems, NASPInet, and security," IEEE Power & Energy Magazine, vol. 10, no. 1, pp. 67-73, Feb. 2012.
[13] [Online]. Available: http://web.mit.edu/kerberos.
[14] [Online]. Available: http://www.cosic.esat.kuleuven.be/sesame/html/sesame_what.html.
[15] [Online]. Available: http://www.rsa.com/products/envision/datasheets/9245_h9037-3in1-ds-0112.pdf.
[16] [Online]. Available: http://www8.hp.com/us/en/software-solutions/software.html?compURI=1340477.
[17] M. Wei and Z. Chen, "Study of LANs access technologies in wind power system," in Proc. 2010 IEEE Power and Energy Society General Meeting Conf., pp. 1-6.
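
Worked numbers for Sections V and VI, added here as an example and not taken from the paper: Figure 4's mode and protocol choice applied to the simulated PMU stream (38-byte UDP packets, 30 per second), with the packet size each combination puts on the 2 Mbps E1 link, plus the wind farm traffic total. The transform sizes (AES-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV, IPv4 without options) are assumptions, since the paper does not say which algorithms were simulated, and link-layer framing is ignored.

```python
import math

IPV4_HDR = 20       # assumption: IPv4 header without options
UDP_HDR = 8
AH_LEN = 24         # 12 fixed bytes + 12-byte ICV (assumed HMAC-SHA1-96)
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # assumed AES-CBC
ESP_BLOCK = 16      # AES block size; ESP pads the ciphertext to a multiple of it
ESP_ICV = 12        # assumed HMAC-SHA1-96
E1_BPS = 2_000_000  # substation link rate quoted in the paper


def select_ipsec(wams_supports_ipsec: bool, confidentiality_required: bool):
    """Figure 4: the first decision picks the mode, the second the protocol."""
    mode = "transport" if wams_supports_ipsec else "tunnel"
    protocol = "ESP" if confidentiality_required else "AH"
    return mode, protocol


def packet_size(app_bytes: int, mode=None, protocol=None, l4_hdr: int = UDP_HDR) -> int:
    """IP packet size in bytes; mode=None means no IPSec."""
    inner = l4_hdr + app_bytes
    if mode is None:
        return IPV4_HDR + inner
    if mode not in ("transport", "tunnel") or protocol not in ("AH", "ESP"):
        raise ValueError("unknown mode or protocol")
    if mode == "tunnel":
        inner += IPV4_HDR  # the original IP header is protected as well
    if protocol == "AH":
        return IPV4_HDR + AH_LEN + inner
    # The ESP trailer adds pad-length and next-header bytes before block alignment.
    ciphertext = math.ceil((inner + 2) / ESP_BLOCK) * ESP_BLOCK
    return IPV4_HDR + ESP_HDR + ESP_IV + ciphertext + ESP_ICV


def serialization_ms(size_bytes: int, link_bps: int) -> float:
    """Time to clock one packet onto the link, in milliseconds."""
    return size_bytes * 8 * 1000 / link_bps


def wind_farm_bytes_per_sec(clusters: int = 2, wts_per_cluster: int = 10) -> int:
    """Per-WT products exactly as given in Section VI, summed over all WTs."""
    per_wt = 29 * 1 * 1 + 51 * 25 * 2 + 36 * 50 * 2
    return per_wt * clusters * wts_per_cluster


def pmu_stream(app_bytes: int = 38, packets_per_sec: int = 30) -> list:
    """Size, bandwidth and E1 serialization time for each IPSec combination."""
    rows = []
    for mode, protocol in [(None, None), ("transport", "AH"), ("transport", "ESP"),
                           ("tunnel", "AH"), ("tunnel", "ESP")]:
        size = packet_size(app_bytes, mode, protocol)
        rows.append({"mode": mode, "protocol": protocol, "bytes": size,
                     "bps": size * 8 * packets_per_sec,
                     "e1_ms": serialization_ms(size, E1_BPS)})
    return rows


if __name__ == "__main__":
    print("PMU to control center:", select_ipsec(True, True))
    for row in pmu_stream():
        print(row)
    print("wind farm bytes/sec:", wind_farm_bytes_per_sec())
```

These figures cover header overhead and serialization only; they do not model the cryptographic processing or firewall delay that also contribute to the latencies reported from the simulation.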
