James G. Wright

Security protocol researcher

Curriculum Vitae


My academic CV can be downloaded here, and my professional CV here.


Positions


2020

Researcher

Centre for Cyber and Information Security

Supervisor: Prof. Stephen D. Wolthusen

Norwegian University of Science and Technology

Norway


Developed a taxonomy of attack vectors and disruptions in grid-level energy storage systems, within modified IEC27005 and FAIR risk frameworks.

Developed a research and development plan of technical countermeasures.

Communicated a development plan to academic and industrial stakeholders.



2013

Accelerator physicist

Cockcroft Institute

Science and Technology Facilities Council

Supervisor: James Jones

UK


Built software that interfaced the Versatile Electron Linear Accelerator’s control with a particle physics simulation package in Python.

Deployed a MySQL database to back up and restore experiment data.



Education


2015-2020

PhD. Information Security

Information Security Group

Royal Holloway, University of London

Thesis: On the Use of Queuing Networks to Test the Robustness of Security Protocols:

An Analysis of the Security Vulnerabilities of IEC61850 & IEC62351

Advisor: Prof. Stephen D. Wolthusen

Published [1]

Developed and implemented a probabilistic formal method for verifying security protocols against DoS and de-synchronisation attacks in MATLAB.

Deployed the implementation against the Smart Grid protocols IEC61850 and IEC60870. Discovered flaws in the multicast messaging services that allow low packet frequency denial of service attacks, and a de-synchronisation attack against the protocol’s control systems.

Created an abstract model to calculate the probability of success of injection attacks against a device.



2010-2015

MPhys Physics with Theoretical Physics - 2:1

Physics department

University of Manchester

Thesis: A Comparison of the Capabilities of the Plasma Accelerator Research Station at the

Proposed Compact Linear Accelerator for Research and Applications facility with linear limit of Plasma Wakefield theory

Advisor: Dr. Guoxing Xia


Prizes, Awards, and Fellowships


2017

Young CRITIS Award - Third place


Won for the paper 'De-synchronisation Attack Modelling in Real-Time Protocols using Queue Networks: Attacking the ISO/IEC 61850 Substation Automation Protocol.'



2013

University of California Education Abroad Program


Publications


J. G. Wright and S. D. Wolthusen

A Formal Method for Discerning the Functional Limits of Security Protocols in the Face of Disruptive Adversaries.

Unpublished Manuscript


J. G. Wright and S. D. Wolthusen

Time Accuracy De-Synchronisation Attacks Against IEC 60870-5-104 and IEC 61850 Protocols.

In 2019 IEEE Power Energy Society Innovative Smart Grid Technologies Conference (ISGT),

pages 1–5, 2019.


Accurate time synchronisation is a key requirement for control and automation protocols with (near) real time requirements such as the IEC 60870-5-104 and 61850 family of standards relying on IP transport, and also represents an attractive attack vector against power systems. We propose a modelling and analytical technique based on queueing theory and study model the behaviour of both protocol standard families for deliberately limited, weak adversaries. We demonstrate the efficacy of the model by identifying a way of undermining measurement and control signal QoS whilst remaining compliant with standards merely by varying inter-arrival rates of legitimate traffic, resulting in de-synchronisation.



J. G. Wright and S. D. Wolthusen

De-synchronisation Attack Modelling in Real-Time Protocols using Queue Networks: Attacking the ISO/IEC 61850 Substation Automation Protocol.

In Critical Information Infrastructures Security,

pages 131–143, 2018.


Applications developed for Supervisory Control And Data Acquisition (SCADA) protocols in several domains, particularly the energy sector, must satisfy hard real-time constraints to ensure the safety of the systems they are deployed on. These systems are highly sensitive to Quality of Service (QoS) violations, but it is not always clear whether a compliant implementation will satisfy the stated QoS of the standard. This paper proposes a framework for studying a protocol’s QoS properties based on a queuing network approach that offers a number of advantages over state machine or model-checking approaches.


The authors describe the framework as an instance of a network of M/M/1/K queues with the block-after-service discipline, to allow for the analysis of probabilistic packet flows in valid protocol runs. This framework allows for the study of denial of service (DoS), performance degradation, and de-synchronisation attacks. The model is validated by a tool allowing automation of queue network analysis, and is used to demonstrate a possible breach of the QoS guarantees of the ISO/IEC 61850-7-2 substation automation standard with a de-synchronisation attack.



J. G. Wright and S. D. Wolthusen

Stealthy Injection Attacks Against IEC61850’s GOOSE Messaging Service.

In 2018 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe),

pages 1–6, 2018.


IEC61850 and IEC62351 combined provide a set of security promises for the communications channels that are used to run a substation automation system (SAS), that use IEC61850 based technologies. However, one area that is largely untouched by these security promises is the generic object oriented substation events (GOOSE) messaging service. GOOSE is designed to multicast commands and data across a substation within hard real time quality of service (QoS) requirements. This means that GOOSE is unable to implement the required security technologies as the added latency to any message would violate the QoS.



J. G. Wright and S. D. Wolthusen

Access Control and Availability Vulnerabilities in the ISO/IEC 61850 Substation Automation Protocol.

In Critical Information Infrastructures Security,

pages 239–251, 2017.


The ISO/IEC 61850 protocol for substation automation is a key component for the safe and efficient operation of smart grids, whilst offering a substantial range of functions. While extension standards, particularly ISO/IEC 62351 provide further security controls, the baseline protocol offers the assurances of access control and availability. In this paper a systematic study of selected aspects of the basic ISO/IEC 61850 protocol demonstrates that protocol-level vulnerabilities exist. The main finding is the development of a credential interception attack allowing an adversary, without credentials, to hijack a session during an initial association; the feasibility of this attack is proven using a formal language representation. A second attack based on a workflow amplification attack which relies on the assumptions in the protocol’s substation event model, which is independent of layered security controls and only relies on the protocol’s communication patterns is shown.



J. G. Wright and S. D. Wolthusen

Limitations of IEC62351-3’s Public Key Management.

In 2016 IEEE 24th International Conference on Network Protocols (ICNP),

pages 1–6, 2016.


The ISO/IEC 62351 standard provides a set of security controls and protocols for communications in smart grids based on the ISO/IEC 60870, 61850, and DNP3 standards. It offers the protection goals of confidentiality, integrity, and authentication. In this paper we perform a systematic study of the ISO/IEC 62351-3 standard regarding the use of public key infrastructure in smart grid communication. We show that the standard at present does not align with the quality of service requirements for performance and interoperability in the ISO/IEC 61850 standard and thereby may jeopardise effective operations. We demonstrate that it is possible to claim conformance with the ISO/IEC 62351-3 standard but be vulnerable to denial of service attacks arising from insufficiently specified behaviour for public key certificate validation and revocation. Further issues can give rise to downgrade attacks against cipher suites and protocols used, allowing man-in-the-middle attacks contrary to the standard's claims.



G. Xia, Y. Nie, O. Mete, K. Hanahoe, M. Dover, M. Wigram, J. G. Wright, J. Zhang, J. Smith, T. Pacey, Y. Li, Y. Wei, and C. Welsch.

Plasma Wakefield Acceleration at CLARA Facility in Daresbury Laboratory

In Nuclear Instruments and Methods in Physics Research Section A: Accelerators, Spectrometers, Detectors and Associated Equipment,

829:43–49, 2016.


A plasma accelerator research station (PARS) has been proposed to study the key issues in electron driven plasma wakefield acceleration at CLARA facility in Daresbury Laboratory. In this paper, the quasi-nonlinear regime of beam driven plasma wakefield acceleration is analysed. The wakefield excited by various CLARA beam settings are simulated by using a 2D particle-in-cell (PIC) code. For a single drive beam, an accelerating gradient up to 3 GV/m can be achieved. For a two bunch acceleration scenario, simulation shows that a witness bunch can achieve a significant energy gain in a 10–50 cm long plasma cell.



G. Xia, Y. Nie, O. Mete, K. Hanahoe, M. Dover, M. Wigram, J. G. Wright, J. Zhang, J. Smith, T. Pacey, Y. Li, Y. Wei, and C. Welsch.

Design Studies and Commissioning Plans for PARS Experimental Program.

In 6th International Particle Accelerator Conference,

page WEPWA048, 2015.


PARS (Plasma Acceleration Research Station) is an electron beam driven plasma wakefield acceleration test stand proposed for VELA/CLARA facility in Daresbury Laboratory. In order to optimise various operational configurations, 2D numerical studies were performed by using VSIM for a range of parameters such as bunch length, radius, plasma density and positioning of the bunches with respect to each other for the two-beam acceleration scheme. In this paper, some of these numerical studies and considered measurement methods are presented.



G. Xia, Y. Nie, O. Mete, K. Hanahoe, M. Dover, M. Wigram, J. G. Wright, J. Zhang, J. Smith, T. Pacey, Y. Li, Y. Wei, and C. Welsch.

Design Studies and Commissioning Plans for PARS Experimental Program.

In Physics of Plasmas,

22(10):103117, 2015.


Plasma acceleration research station is an electron beam driven plasma wakefield acceleration test stand proposed for CLARA facility in Daresbury Laboratory. In this paper, the interaction between the electron beam and the plasma is numerically characterised via 2D numerical studies by using VSIM code. The wakefields induced by a single bunch travelling through the plasma were found to vary from 200 MV/m to 3 GV/m for a range of bunch length, bunch radius, and plasma densities. Energy gain for the particles populating the bunch tail through the wakefields driven by the head of the bunch was demonstrated. After determining the achievable field for various beams and plasma configurations, a reference setting was determined for further studies. Considering this reference setting, the beam quality studies were performed for a two-bunch acceleration case. The maximum energy gain as well as the energy spread mitigation by benefiting from the beam loading was investigated by positioning the witness and driver bunches with respect to each other. Emittance growth mechanisms were studied considering the beam-plasma and beam-wakefield interactions. Eventually, regarding the findings, the initial commissioning plans and the aims for the later stages were summarised.



Invited Talks


2020 - The Reflective Mathematician

Cambridge Ethics in Mathematics Society


2018 - Over the Mountain of Abstraction

The First Meeting on Ethics in Mathematics


2018 - The Dangers of Researching in STEM

Cambridge Ethics in Mathematics Society


2017 - Helper

Queen Mary, University of London’s Intersections Cryptoparty


Scientific Activity


2015-2019

Member

RHUL ISG and Maths Staff Student Committee

Royal Holloway, University of London


Mediated conflicts between staff and students within the department

Led a survey on desk usage within the department



2016-2017

Founder and Organiser

RHUL Security Ethics Discussion Group

Royal Holloway, University of London


Led a weekly discussion group on the implications of cyber-security technologies.



2014-2015

Representative

UoM Physics Department Staff Student Committee

University of Manchester


Lobbied to overturn the department’s policy to ban calculators in exams.



Other Experience


2014

Intern

University of Manchester’s Mathematical Physics group

University of Manchester

UK


Created a software package, using Python and the Mayavi graphing library, to model and visualise the motion of groups of vortices on different.



2012

Intern

UoM Quantum Chemical Topology

Supervisor: Prof. Paul Popelier

University of Manchester

UK


Analysed a simulation package, written in Fortran 90, to document the underlying mathematics.

Improved the simulation by implementing a more physically realistic algorithm.