IEEE ITOEC (ISSN: 2693-289X) 2023 IEEE 7th Information Technology and Mechatronics Engineering Conference (ITOEC) | 979-8-3503-3421-0/23/$31.00 ©2023 IEEE | DOI: 10.1109/ITOEC57671.2023.10291726

Three-level Vertical Cyber Security Protection Architecture Based on Power Grid Node Grading

Hai Lin1,4, Hongyu Zhu1,4, Weiqiang Luo3, Jianwei Tian1,4, Mingguang Li2, Yixiong Tang1, Zhibang Yang5

1. State Grid Hunan Electric Power Company Limited Information and Communication Company, Changsha, China
2. Hunan University, Changsha, China
3. State Grid Hunan Electric Power Co., Ltd., Changsha, China
4. Hunan Key Laboratory for Internet of Things in Electricity, Changsha, China
5. Hunan Province Key Laboratory of Industrial Internet Technology and Security, Changsha University, Changsha, China

linh@hn.sgcc.com.cn, 602983840@qq.com, luowq@hn.sgcc.com.cn
Corresponding Author: Hongyu Zhu, Email: 602983840@qq.com

Abstract—As the interconnectivity of the power grid increases, risks in every layer of the overall defense system, including network boundary protection, entity (self) security protection, and core application protection, threaten network security. Existing solutions mainly deploy boundary protection devices, identify entity vulnerabilities, and detect abnormal application activity, but they lack sufficiently differentiated security protection measures and blocking capabilities. This paper therefore proposes a power node grading method that divides nodes into levels according to their importance and applies differentiated defense measures to each level. On this basis a three-level vertical defense system built on differential defense proposals, namely "boundary defense, self protection, application monitoring", is constructed.
The solution implements fine-grained differential defense measures based on node grading: general defense strategies are formulated for low-level nodes and customized defense measures are executed for high-level nodes. This makes the allocation of defense resources more reasonable, ensures the security of power nodes, and improves the security defense capabilities of the power supervision and control system.

Keywords—node grading; cyber security protection; power supervision and control system

I. INTRODUCTION

As the distributed access scale of new energy grows rapidly, the interconnectivity of the power grid is further enhanced and the network security boundary and attack surface expand, so the network security protection of the electric power system faces a series of challenges [1,2]. In terms of the overall defense system, the current grid-based cyber security protection architecture lacks flexibility and application relevance. In terms of network boundary protection, misconfigured boundary protection equipment or its inherent vulnerabilities pose critical risks to the protection system [3,4]. In terms of self security protection, the general vulnerability library used for self vulnerability investigation is neither deep nor widely applicable, and there is no means of correlating vulnerability intelligence with the assets that carry the hidden dangers and closing the loop on their remediation, so the latest vulnerability intelligence cannot be tracked automatically [5]. In terms of core application protection, current monitoring methods are weakly tied to the application and offer weak protection against customized attacks that exploit power application logic vulnerabilities.

Various solutions have been proposed to address the challenges faced by the power supervision and control system.
In terms of boundary risk prevention and control, the main solution is to streamline the network topology, determine the industrial control network boundary, and deploy boundary protection devices [6]. In terms of self security protection, vulnerability discovery technologies mainly include manual testing, fuzzing [7], diff and binary diff techniques [8], static analysis [9] and dynamic analysis [10]. In terms of abnormal behavior detection for power systems, intrusion detection products from Qihoo 360, Green Alliance and others currently cope with general network attacks. However, the above solutions give no in-depth consideration to the core control applications in the production control zone, make no fine-grained division of power applications, and establish no differentiated protection strategies for different core applications.

Therefore, we propose a scientific grading method for power network nodes that reflects the integration of the primary and secondary power networks, and adopt differentiated defense measures to achieve differential protection for power network nodes of different security levels. The "boundary-ontology-application" three-level vertical defense concept is established, and a three-level vertical defense system based on differential defense proposals is built to strengthen the resistance of power control systems against high-intensity network attacks.

II. THREE-LEVEL VERTICAL DEFENSE SYSTEM BASED ON DIFFERENTIAL DEFENSE PROPOSALS

The core idea of the security defense measures in the existing power supervision and control system is "security zoning, dedicated network, lateral isolation, vertical authentication" [11], but it lacks fine-grained differentiated defense measures.
Therefore, a defense-in-depth system based on differential defense proposals is proposed. It first divides power nodes into levels according to their importance, using information-physical (cyber-physical) fusion, and then refines the defense measures according to the level differences between nodes. The system allocates defense resources rationally so as to strengthen the security defense capabilities of the power system.

A. Three-level Vertical Defense System Based on Differential Defense Proposals

To enhance the security defense capabilities of the power supervision and control system, we propose a differential security protection approach based on node importance. It addresses the insufficient differentiation of protection and the lack of blocking measures in existing power supervision and control system defenses. A three-level vertical defense system, "boundary defense, self protection, application monitoring", is established to improve the effectiveness of security protection for power monitoring systems. The system architecture is shown in Figure 1.

The first level of defense is boundary defense, which mainly uses network boundary devices to strengthen the security of network access. A secure and reliable boundary defense system is set up with boundary protection technologies such as firewalls, network isolation devices and intrusion detection systems; it accurately identifies intruders' access attempts against internal computers and isolates them, preventing external attackers from illegally entering the internal network and keeping network attackers "out of the door".

The second level of defense is self protection, which uses vulnerability mining, host hardening, configuration optimization and other technologies to enhance the security of the system itself. Vulnerability scanning systems are deployed to identify security vulnerabilities and potential attack paths; based on the scan results, security administrators harden the system in advance and establish a hierarchical power information network security threat assessment and situational awareness model. This model refines the indicator information of the various security events, evaluates the current security situation of the entire system, and predicts future security situations, so as to effectively guide operation and maintenance personnel in hardening the system.

The third level of defense is application monitoring, which is mainly customized defense for the power core applications. Boundary defense and entity protection can only defend against common network attack events; they cannot detect customized attacks on the application-layer data and control instructions of power core applications, so it is difficult for them to prevent advanced attacks such as malicious data injection and control instruction tampering. Therefore, the third level of defense establishes pre-attack behavior monitoring methods for the different power core applications, mid-attack risk warning and multi-level instruction interception mechanisms, and post-attack security operation self-healing mechanisms, to ensure that power core applications are not subjected to network attacks or are able to recover to normal operation after being attacked.

Fig. 1. Architecture diagram of the three-tiered defense-in-depth system.

B. Power Grid Node Grading Methods

In the traditional security defense system of power control systems, the coarse-grained division of power nodes has resulted in inadequate defense measures for some nodes and redundant defense measures for others during implementation. Therefore, we propose a scientific power network node classification method that reflects the fusion of the primary and secondary power networks; it divides power nodes according to their importance and provides an important reference for defense resource allocation.
The specific method of power node grading is as follows.

Firstly, classify the power nodes. According to their level, all nodes are divided into station-level nodes and equipment-level nodes. Station-level nodes are further divided into power plant nodes and substation nodes, and equipment-level nodes are divided into information domain nodes and physical domain nodes according to their respective domains. Physical domain nodes are primary and secondary equipment such as transformers and relay protection devices in substations and power plants, while information domain nodes are communication equipment and station security defense equipment.

Secondly, calculate the importance of the nodes. The importance of each category of power node is evaluated with category-specific indicators, as shown in Table I. The importance evaluation indicators for station-level nodes are node attribute degree, node topology importance degree, and node flow importance degree. Among them, the attribute degree indicators for power plant nodes are power plant type, rated capacity, and actual annual power generation, while the attribute degree indicators for substation nodes are substation type, voltage level, operating mode, rated capacity, and load importance degree. The importance evaluation indicators for equipment-level physical domain nodes are flow importance degree, load loss amount, and equipment classification score, while the indicators for equipment-level information domain nodes are node bearing application importance degree and attack impact value.

TABLE I. THE IMPORTANCE EVALUATION INDICATORS OF NODES

  Nodes                                      | Importance Evaluation Indicators
  -------------------------------------------|----------------------------------------------------------------------
  station-level substation nodes             | node attribute degree (substation type, voltage level, operating mode,
                                             | rated capacity, load importance degree), node topology importance
                                             | degree, flow importance degree
  station-level power plant nodes            | node attribute degree (power plant type, rated capacity, actual annual
                                             | power generation), node topology importance degree, node flow
                                             | importance degree
  equipment-level physical domain nodes      | flow importance degree, load loss amount, equipment classification score
  equipment-level information domain nodes   | node bearing application importance degree, attack impact value

Thirdly, determine the levels of the nodes. The calculated node importance degree ranges from 0 to 10, and nodes are classified into levels according to this value. Specifically, nodes with an importance degree between 0 and 4 are classified as ordinary nodes, those between 4 and 6 as secondary nodes, those between 6 and 8 as important nodes, and those between 8 and 10 as extremely important nodes.

C. Differential Defense Measures

To enhance the security of the defense system, differentiated defense measures are implemented according to the level of each power node. For ordinary nodes, only basic boundary network security defense and ontology (self) system defense are employed, enough to keep the related applications running normally. For secondary nodes, security defense measures are selected according to the node's actual importance degree score. For important and extremely important nodes, strict three-level defense measures are adopted to block the intrusion of malicious software and to promptly discover any maliciously injected data in the application data that may affect the information communication and control process. The differentiated defense measures cover the following seven aspects.
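Before the seven aspects are detailed, the grading step and the per-level posture of Section II.C can be written down as a small policy function. This is an added example, not code from the paper; the interval boundary handling (each interval includes its lower bound), the treatment of the score as an already computed importance degree, and the cutoff of 5.0 for "high-scoring secondary nodes" (used for attack-trapping placement in aspect 4) are assumptions, not values given by the authors.

```python
"""Node grading and differentiated defense-measure selection.

Added example (not from the paper). Encodes the 0..10 importance
degree -> four-level mapping of Section II.B and the per-level rules
stated in Section II.C. The importance degree is taken as an input;
how the Table I indicators are weighted into it is not specified by
the paper, so it is not modelled here.
"""
from dataclasses import dataclass
from enum import Enum


class Level(str, Enum):
    ORDINARY = "ordinary"                         # importance in [0, 4)
    SECONDARY = "secondary"                       # importance in [4, 6)
    IMPORTANT = "important"                       # importance in [6, 8)
    EXTREMELY_IMPORTANT = "extremely important"   # importance in [8, 10]


def grade_node(importance: float) -> Level:
    """Map an importance degree (0..10) to one of the four node levels.

    Assumption: each interval includes its lower bound, so exactly 4.0 is
    a secondary node. Scores outside 0..10 are rejected as invalid input.
    """
    if not 0.0 <= importance <= 10.0:
        raise ValueError(f"importance degree out of range: {importance}")
    if importance < 4.0:
        return Level.ORDINARY
    if importance < 6.0:
        return Level.SECONDARY
    if importance < 8.0:
        return Level.IMPORTANT
    return Level.EXTREMELY_IMPORTANT


@dataclass
class DefensePlan:
    level: Level
    tiers: tuple                 # defense tiers applied to this node
    ids_blocking: bool           # IDS/audit with blocking capability at the node
    malware_control_at_node: bool  # trusted anti-malware at the node itself
    patch_policy: str            # "real-time" or "situation-dependent"
    backup_scope: tuple          # data objects backed up
    backup_offsite: bool         # local + off-site, or local only
    trap_candidate: bool         # eligible host for attack-trapping devices


def plan_for(importance: float, trap_cutoff: float = 5.0) -> DefensePlan:
    """Derive the differentiated measures for one node from its score."""
    level = grade_node(importance)
    high = level in (Level.IMPORTANT, Level.EXTREMELY_IMPORTANT)
    backup_scope = {
        Level.EXTREMELY_IMPORTANT: ("real-time data",
                                    "supervision and control system",
                                    "real-time application"),
        Level.IMPORTANT: ("real-time data", "supervision and control system"),
        Level.SECONDARY: ("real-time data",),
        Level.ORDINARY: ("important application data",),
    }[level]
    return DefensePlan(
        level=level,
        # II.C intro: ordinary/secondary get boundary + self defense only,
        # important and above get the strict three-level defense.
        tiers=("boundary", "self", "application") if high else ("boundary", "self"),
        # Aspect 1: blocking-capable IDS/audit only where false positives
        # are worth the dispatchers' attention, i.e. important and above.
        ids_blocking=high,
        # Aspect 3: trusted anti-malware at the node for high levels; lower
        # levels rely on controls at the superior dispatching center.
        malware_control_at_node=high,
        # Aspect 4: patches installed in real time as released for high levels.
        patch_policy="real-time" if high else "situation-dependent",
        # Aspect 5: backup scope and off-site requirement by level.
        backup_scope=backup_scope,
        backup_offsite=high,
        # Aspect 4: trapping devices only on high-scoring secondary nodes
        # (cutoff is an assumption, the paper gives no number).
        trap_candidate=(level is Level.SECONDARY and importance >= trap_cutoff),
    )
```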
1) Intrusion detection and security audit. Different intrusion detection and security audit measures are adopted according to the node grading. On one hand, attacks on ordinary and secondary nodes do not affect the normal operation of the system, while important and extremely important nodes are prone to cause system crashes and are the main targets of attackers. Therefore, ordinary and secondary nodes are deployed with intrusion detection and security audit measures at the ordinary level, while important and extremely important nodes are equipped with intrusion detection and security audit measures that can detect new types of attacks. On the other hand, because existing blocking technology is immature, blocking measures carry a certain false positive rate. If a large number of ordinary and secondary nodes adopted intrusion detection measures with blocking capabilities, the number of false alarms in the system would rise and interfere with the dispatching personnel's analysis and judgment of the current situation. Therefore, intrusion detection and security audit measures with blocking capabilities are deployed only at important and extremely important nodes.

2) Isolation. Different intrusion detection and security audit measures are adopted according to the node grading. On one hand, attacks on ordinary and secondary nodes do not affect the normal operation of the system, while important and extremely important nodes are prone to cause system crashes and are the main targets of attackers. Therefore, ordinary and secondary nodes are deployed with intrusion detection and security audit measures at the ordinary level, while important and extremely important nodes are equipped with intrusion detection and security audit measures that can detect new types of attacks. On the other hand, because existing blocking technology is immature, blocking measures carry a certain false positive rate. If a large number of ordinary and secondary nodes adopted intrusion detection measures with blocking capabilities, the number of false alarms in the system would rise and interfere with the dispatching personnel's analysis and judgment of the current situation. Therefore, intrusion detection and security audit measures with blocking capabilities are deployed only at important and extremely important nodes.

3) Malware prevention. For the nodes that need to be protected, different measures against malicious code are selected according to their level, and the update interval of the malicious code library is specified. High-level nodes store a large amount of important data, and their failure has a greater impact on the safe and stable operation of the entire system; therefore trust-based measures against malicious code should be adopted for high-level nodes. Conversely, most of the data held by ordinary and secondary nodes is non-critical, and even if they are attacked by malicious code the safe and stable operation of the entire system is not affected. It is therefore unnecessary to deploy anti-malware measures at every such node. Instead, trust-based anti-malware measures should be set up in the higher-level dispatching centers corresponding to the ordinary and secondary nodes, to prevent the reverse transmission of malicious code and reduce the infection area. The malicious code library of important and extremely important nodes should be updated at the same frequency as the virus forecasts of the "National Computer Emergency Response Center"; the update frequency for ordinary and secondary nodes depends on the specific situation.

4) Self security reinforcement.
Different host hardening strengths are selected according to the node grading, and the nodes on which attack trapping measures are deployed are specified. Currently, 0-day attacks [12] are among the common attack methods: they are simple to exploit but cause great harm. To reduce the impact of 0-day attacks on the power supervision and control system, the installation time of vulnerability patches for nodes of different levels should be specified. Extremely important and important nodes have a wide control range, and the system may suffer irreparable effects or even collapse if nodes under their control are attacked; for these two types of nodes, vulnerability patches are installed at the same frequency as they are released on the vendor's official website, i.e. in real time. The control authority of secondary and ordinary nodes, on the other hand, is much smaller than that of the first two types, and the impact of an attack on them is relatively small, so the frequency and timeliness of software upgrades and patch installation are determined according to the specific situation. When deploying attack trapping measures, placing them on important or extremely important nodes risks the penetration of production systems, while placing them on low-scoring ordinary or secondary nodes makes the traps easier for attackers to recognize. Therefore, attack trapping measures should be deployed on high-scoring secondary nodes, to keep the trapping devices concealed and prevent attacks from penetrating into higher-level nodes.

5) Standby and disaster recovery. The data backup objects are determined by the importance of station-level nodes, as follows: for extremely important nodes, local and off-site backups are implemented at three levels, covering real-time data, the power supervision and control system, and real-time applications. For important nodes, local and off-site backups are implemented for real-time data and the power supervision and control system. For secondary nodes, local backups are implemented for real-time data, and for ordinary nodes, local backups are implemented for the important application data within the station.

6) Internal network security monitoring. Existing network attacks against power supervision and control systems target a specific application system in order to cause a misoperation of the devices it controls, leading to a large-scale power outage [13,14]. Internal network security monitoring measures are therefore crucial [15]. The internal network security monitoring measures of this plan are divided into communication (general) application security and specialized application security. The general application security measures have four functions: first, verifying the authenticity and integrity of telemetry and telecontrol data; second, recovering important telemetry and telecontrol data that has been tampered with; third, detecting and blocking high-risk telecontrol and teleadjustment commands; fourth, recovering data that has been tampered with. The specialized application security measures have three functions: first, verifying the authenticity of the settings of relay protection devices; second, verifying the controllability of loads in the existing system, to avoid incorrect execution of load reduction schemes by low-frequency load shedding devices; third, formulating offline decision tables for the system and combining them with the uncontrollability of generators and load nodes under network attack, to avoid control decision matching errors.

7) Fault emergency control.
In the emergency fault control measures, the operational and attack situation of the nodes is predicted and emergency control measures are taken to prevent an initial fault from developing into a large-scale power outage, thereby fundamentally addressing the problem that defense lags behind attack. The emergency control strategy for key nodes accommodates the characteristics of an incomplete communication system, invisible telemetry and telecontrol data, and uncontrollable generators and load nodes under network attack. In addition, control equipment such as relay protection, self-rescue systems and low-frequency load shedding is linked with security equipment such as firewalls and intrusion detection to achieve collaborative emergency control across the information and physical domains. The emergency fault control measures also have a self-learning ability: based on the behavioral characteristics of the network attacks the power supervision and control system is currently suffering and on the current running status and trends of the system, the emergency control strategy library is updated automatically, so that the emergency control strategies remain applicable to network attack scenarios in real time.

III. SUMMARY

The traditional security defense system of power industrial control systems divides the node importance of the protected objects only into rough levels, which leaves some nodes under-defended and others with redundant defense measures during implementation. In response, a three-level defense-in-depth system based on differentiated protection recommendations is proposed. First, nodes are graded according to the importance of the power nodes; on this basis, a defense-in-depth system based on differentiated protection
recommendations is proposed in seven aspects, including intrusion monitoring and auditing, isolation, and host security reinforcement. The system implements sufficiently differentiated defense measures based on node grading, which improves the security defense capability of the power supervision and control system.

ACKNOWLEDGMENT

This work is supported by State Grid Hunan Electric Power Co., Ltd research project No. 5216A6210076 and Hunan Key Laboratory for Internet of Things in Electricity, P.R. China, No. 2019TP1016.

REFERENCES

[1] Z.Q. Li, "Security risks and prevention strategies faced by smart grids," Popular Utilization of Electricity, vol. 38, issue 3, pp. 52-54, 2023.
[2] Y. Wang, B. Zhang, W. Lin and T. Zhang, "Smart grid information security - a research on standards," International Conference on Advanced Power System Automation and Protection, pp. 1188-1194, 2011.
[3] Y. Cao, X. Li, J. Liu, J. Yan, J. Zhao and H. Li, "Research on interacted response technology of cyber security protection devices based on deep reinforcement learning oriented to new generation of power system," International Conference on Electrical Engineering and Control Science (IC2ECS), pp. 377-381, 2022.
[4] Y. Cao, X. Li, J. Liu, C. Li, J. Yan and J. Zhao, "Research on intelligent cyber security protection for electric power dispatching and control system," International Conference on Machine Learning, Big Data and Business Intelligence (MLBDBI), pp. 540-543, 2020.
[5] S. Su, G. Wang, L. Liu, Q.Q. Chen and K. Wang, "Review on Security of Power Internet of Things Terminals," High Voltage Engineering, vol. 48, issue 2, pp. 513-525, 2022.
[6] S.Y. Ye, "Research on Boundary Security Protection of Information Intranet," Power & Energy, vol. 42, issue 1, pp. 123-126, 2021.
[7] S.J. Niu, P. Li and Y.J. Zhang, "Survey on fuzzy testing technologies," Computer Engineering & Science, vol. 44, issue 12, pp. 2173-2186, 2022.
[8] S.J. Wu, T. Guo, G.W. Dong and P.H. Zhang, Software vulnerability analysis techniques, Shanghai, Science Press, 2014.
[9] Y.W. Zheng, H. Wen, K. Cheng, Z.W. Song and H.S. Zhu, "A Survey of IoT Device Vulnerability Mining Techniques," Journal of Cyber Security, vol. 4, issue 5, pp. 61-75, 2019.
[10] Z. Wang, Z. Tang, K. Zhou, R. Zhang, Z. Qi and H. Guan, "DsVD: An Effective Low-Overhead Dynamic Software Vulnerability Discoverer," Tenth International Symposium on Autonomous Decentralized Systems, pp. 372-377, 2011.
[11] National Development and Reform Commission, Safety protection regulations for power monitoring systems [EB/OL]. http://www.gov.cn/gongbao/content/2014/content_2758709.htm
[12] Ning Zhang, Hong Chen, Yu Wang, Shi-Jun Cheng and Ming-Feng Xiong, "Odaies: ontology-driven adaptive Web information extraction system," IEEE/WIC International Conference on Intelligent Agent Technology, pp. 454-460, 2003.
[13] D. Buddhi, P. A, A. A. Hamad, A. Sarojwal, J. Alanya-Beltran and M. K. Chakravarthi, "Power System Monitoring, Control and protection using IoT and cyber security," International Conference on Innovative Computing, Intelligent Communication and Smart Electrical Systems (ICSES), pp. 1-5, 2022.
[14] M. Ni, A. K. Srivastava, R. Bo and J. Yan, "Design of A Game Theory Based Defense System for Power System Cyber Security," IEEE 7th Annual International Conference on CYBER Technology in Automation, Control, and Intelligent Systems, pp. 1049-1054, 2017.
[15] A. Xu, Y. Jiang, Y. Zhang, C. Hong and X. Cai, "A Double-Layer Cyber Physical Cooperative Emergency Control Strategy Modification Method for Cyber-Attacks Against Power System," 2020 12th IEEE PES Asia-Pacific Power and Energy Engineering Conference, pp. 1-5, 2020.