The present invention relates generally to systems, apparatus, and methods for recording network events associated with a power generation system or a power delivery grid, and more particularly to (1) systems, apparatus, and methods for recording, on an intelligent electronic device coupled to a power generation or delivery system which includes power protection, network packets that are communicated before, during, and after an internally detected event, and (2) systems, apparatus, and methods for recording, on a network device coupled to a network associated with one or more intelligent electronic device, network packets that are communicated before, during, and after an event detected by an intelligent electronic device, and (3) methods for recording, on an intelligent electronic device coupled to a power generation or delivery system, network packets that are communicated before, during, and after an event is detected by a different intelligent electronic device.
Power protection devices, such as relays and other intelligent electronic devices (“IEDs”), maintain a record of many protection events. For example, a relay typically includes an event recorder that records information before, during, and after a protection event. This information may include, but is not limited to, measured line current, measured line voltage, phasor information, the result of certain internal logic functions, and other protection and automation information. When a system event occurs and causes a protection or automation event operation within an IED, an event report is generated including pertinent information for a particular time period before and after the IED event operation. Appropriate personnel can access this event report at a later time and determine if the IED acted appropriately or whether troubleshooting of the device is required.
Data networking has become an important element for protecting, controlling, and automating the power grid. Before data networking was used to communicate system parameters, a physical measurement had to be made for each monitored parameter. For example, each device that needed to monitor a particular voltage required its own instrument transformer and data acquisition board. While networking has allowed numerous advances and improvements over older, non-networked power protection systems, the networked nature of the power grid also provides an additional point of failure and attack. Indeed, network communications can even cause a power protection event, as detailed in U.S. Pat. No. 5,793,750, which is assigned to Schweitzer Engineering Laboratories, Inc., and hereby incorporated by reference in its entirety. However, network communications are not included in event reports generated by prior art power protection devices. One reason for this is that power generation and delivery systems typically have not used standard networking technologies. For example, power system devices communicate among themselves using specialized protocols such as MirroredBits®, a proprietary high-performance protocol used by equipment manufactured by Schweitzer Engineering Laboratories, Inc., and IEC 61850, an open-standard power protection networking protocol. In addition, while Ethernet may be used, certain power-system-specific modifications are typically required. The use of non-standard networking technologies makes the use of off-the-shelf recording solutions problematic.
It is also known to examine network traffic and classify packets as being associated with a particular application. This aids in reviewing network traffic by allowing a reviewer to focus on a particular type of packet. For example, packets associated with a file transfer protocol (“FTP”) operation can be marked by a network monitor as “FTP packets.” Further, a “sliding window” is a known mechanism whereby network traffic is stored for a limited period of time unless an external trigger causes it to be stored indefinitely. The stored network traffic can then be examined for occurrences of interest, such as potential intrusion attempts. The article “Mnemosyne: Designing and Implementing Network Short-Term Memory,” by Giovanni Vigna and Andrew Mitchell, hereby incorporated by reference in its entirety, describes one such system. Nonetheless, while logging network communications is known in other fields, it is not presently practiced within the field of power generation and delivery; nor is such logging triggered by actions within IEDs (as opposed to by the network traffic itself), nor coordinated among multiple IEDs.
According to the Central Intelligence Agency of the United States government, several attempts have been made by criminal elements to sabotage the power grids of various states for the purpose of extorting money or concessions. One way that security has been improved in other areas is by recording network events. While recording an event may not directly improve security, it does allow experts to review the event after the fact, identify any particular problems, and correct them with, for example, software upgrades or device replacement. In addition, network recorders are often used to troubleshoot problems with a network, such as outages and other problematic conditions, as they are occurring. Generally, a network recorder is triggered manually and then stops recording on a secondary trigger, such as the number of packets recorded, the amount of time elapsed, or an additional manual trigger. Selective network recorders, meaning those that record only a subset of all messages, are also known in the art. For example, World Intellectual Property Organization Publication WO 2005/086418, titled “DATA STORAGE AND PROCESSING SYSTEMS,” and hereby incorporated by reference in its entirety, discloses a network recorder that can “cull” irrelevant messages from the recorded messages, thereby lowering the time and processing power required to analyze them. Other technological areas likewise use different methods to cull inappropriate information from log files. For example, U.S. Pat. No. 6,539,341, titled “METHOD AND APPARATUS FOR LOG INFORMATION MANAGEMENT AND REPORTING,” and hereby incorporated by reference in its entirety, discloses a general logging system that allows a user to specify multiple levels of log granularity, with higher levels of granularity resulting in a greater number of log entries.
Firewalls are commonly used network protection devices. A firewall is generally placed between a protected network and any external networks, so that any packet seeking to reach a device coupled to the protected network must pass through the firewall. Generally, firewalls examine network traffic and look for problematic occurrences, such as packets from a banned address or a stream of packets indicative of a denial-of-service attack. When a problematic occurrence is identified, the packet or packets embodying the occurrence are isolated and not allowed to reach their intended destination device. Over time, firewalls have accumulated numerous indicators of potential network problems, including those caused by intruders. Examples of firewall technology can be found in U.S. Pat. Nos. 5,623,601, 5,826,014, and 5,898,830, all of which are hereby incorporated by reference. The use of firewalls within power protection networks is also known in the art; see U.S. Pat. No. 6,751,562, hereby incorporated by reference.
Accordingly, it is an object of this invention to provide a network recorder within an intelligent electronic device, so that network traffic surrounding an event will automatically be recorded.
Another object of this invention is to combine into the network event report recorded network traffic and traditionally recorded information which may include, but is not limited to, measured line current, measured line voltage, phasor information, the result of certain internal logic functions, and other protection and automation information.
Another object of this invention is to provide a stand-alone network recorder adapted for use in power generation and delivery systems, so that network traffic surrounding an event-triggered operation can be independently recorded.
Another object of this invention is to provide a method within the IEDs and the network recorder to trigger recording of network traffic surrounding an event in other IEDs or network recorders.
Another object of this invention is to provide an event report including network packets communicated temporally coincident with an event that can be reviewed after an operation to verify correct action or troubleshoot any problems relating to the operation, including any potential security vulnerabilities.
Another object of this invention is to provide evidence of a network attack on a power protection system that can be used by law enforcement to identify and apprehend malicious parties.
Other advantages of the disclosed invention will be clear to a person of ordinary skill in the art. It should be understood, however, that a system, method, or apparatus could practice the disclosed invention while not achieving all of the enumerated advantages, and that the protected invention is defined by the claims.
The disclosed invention achieves these objectives by providing a network recorder adapted for use in a networked power generation and delivery system. The network recorder itself comprises a network port coupled to the communications network utilized by the power generation and delivery system and a storage device for storing packets that are communicated on the communications network. Further, the network recorder includes a processor that generates an event report on reception of a trigger, where a trigger can be any external event, such as the operation of a relay contact or the occurrence of a packet or sequence of packets indicating a protection or automation operation by an IED within the power generation and delivery system.
In one embodiment, the network recorder is provided as a standalone device. In an alternative embodiment, the network recorder is integrated into an intelligent electronic device operating within the power protection system. Both embodiments may use a mechanism to trigger other IEDs or network recorders to act so that a collection of devices record in a synchronized manner.
In either embodiment, the storage device may store packets permanently, using a suitable storage solution, or it may store packets in a first-in first-out manner, i.e., a fixed amount of space is dedicated to storing packets, and, when that space becomes full, the oldest packets are overwritten. Further, the event report may include packets that are communicated on the network temporally coincident with the trigger. In particular, the event report may include packets starting with those that were stored a first time period before the occurrence of the trigger until a second time period after the occurrence of the trigger.
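The first-in first-out storage and the two time windows described above can be modeled directly. The following is an added illustration, not code from the patent or from Schweitzer Engineering Laboratories: a fixed-capacity ring buffer of packets, a trigger that copies the packets from a first period before the trigger into an open report and keeps appending packets until a second period after the trigger has elapsed, and a measurements field so that one report carries both the packets and the traditionally recorded values (current, voltage, phasors). The packet fields, the window lengths, and the sample traffic are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured frame. The fields are an assumption for this example:
    capture time in seconds, sending device name, and the raw bytes."""
    ts: float
    src: str
    payload: bytes


class NetworkRecorder:
    """Sliding-window packet recorder with pre- and post-trigger windows.

    Packets are held first-in first-out in a fixed-size buffer: once it is
    full, each new arrival overwrites the oldest packet.  A trigger copies the
    packets from `pre_window` seconds before the trigger time into an open
    event report; packets that arrive during the following `post_window`
    seconds are appended, after which the report is closed.  Several reports
    may be open at once if triggers arrive close together.
    """

    def __init__(self, capacity, pre_window, post_window):
        self.buffer = deque(maxlen=capacity)  # deque discards the oldest entry itself
        self.pre_window = pre_window
        self.post_window = post_window
        self.open_reports = []
        self.closed_reports = []

    def on_packet(self, pkt):
        """Store a packet and append it to every report whose post window it falls in."""
        self.buffer.append(pkt)
        self._close_expired(pkt.ts)
        for report in self.open_reports:
            report["packets"].append(pkt)

    def trigger(self, trigger_ts, reason, measurements=None):
        """Open an event report for a trigger observed at `trigger_ts`.

        `measurements` carries the traditionally recorded values (line current,
        line voltage, phasors, logic results) so that one report holds both the
        electrical record and the packets surrounding the event.
        """
        start = trigger_ts - self.pre_window
        report = {
            "trigger_ts": trigger_ts,
            "reason": reason,
            "measurements": dict(measurements or {}),
            # Pre-trigger packets come from the ring buffer.  A packet older than
            # the buffer's reach is already gone; that is the cost of FIFO storage.
            "packets": [p for p in self.buffer if start <= p.ts <= trigger_ts],
        }
        self.open_reports.append(report)
        return report

    def _close_expired(self, now):
        """Move reports whose post window ended before `now` to the closed list."""
        still_open = []
        for report in self.open_reports:
            if now > report["trigger_ts"] + self.post_window:
                self.closed_reports.append(report)
            else:
                still_open.append(report)
        self.open_reports = still_open

    def flush(self, now):
        """Close reports whose post window has elapsed even if no packet arrived."""
        self._close_expired(now)
        return list(self.closed_reports)


def demo():
    """Constructed traffic: one packet per second from a relay, capacity 8,
    3 s before / 2 s after the trigger.  Returns the single closed report."""
    rec = NetworkRecorder(capacity=8, pre_window=3.0, post_window=2.0)
    for t in range(11):                       # t = 0 .. 10; buffer keeps 3 .. 10
        rec.on_packet(Packet(float(t), "relay1", b"\x00\x01\x00"))
    rec.trigger(10.0, "trip: 52A opened", {"Ia": 3120.5, "Va": 0.0})
    for t in (11, 12, 13):                    # 11 and 12 fall in the post window; 13 closes it
        rec.on_packet(Packet(float(t), "relay1", b"\x00\x01\x00"))
    return rec.flush(20.0)[0]
```

Sizing note: with a fixed buffer the pre-trigger window is bounded by capacity divided by packet rate, so a burst of traffic (for instance the flood that precedes a denial-of-service event) shortens the history actually available; a practitioner choosing the buffer size should size it for the worst-case rate, not the average.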
Although the characteristic features of this invention will be particularly pointed out in the claims, the invention itself, and the manner in which it may be made and used, may be better understood by referring to the following description taken in connection with the accompanying drawings forming a part hereof, wherein like reference numerals refer to like parts throughout the several views and in which:
Turning to the Figures, and to
In accordance with one embodiment of the disclosed invention, a network control station 120 is coupled to the networking medium 112. The network control station 120 includes a network recorder 122. In addition, the network control station 120 may optionally include a firewall 124 and a connection to an external network 130. Note that the firewall is not an essential element of the system, and is only present to provide security additional to that already within the different networked devices. The network recorder 122 records packets that are communicated on the network that it monitors. In
In one embodiment of the disclosed invention, the network recorder 122 is responsive to one or more triggers. A trigger is any external stimulus, and can include, without limitation, an external signal, such as a relay contact, or a particular sequence of packets, such as a sequence of packets indicating that a protection operation has occurred, a trip command sent by an IED to a breaker, recloser, switchgear, or other IED, a sequence of packets signaling the loss of communication with a particular IED, a packet indicating that a certain status bit of an IED has been set, a sequence of packets indicating the occurrence of a local or wide area power system anomaly from a local or remote source, a sequence of packets indicating an abnormality in the communications network, a packet indicating that the receiving device should generate an event report, or the reception of a packet implementing a particular network command. In this embodiment of the invention, when a trigger occurs, the network recorder will generate an event report including packets that were communicated on the monitored network for some period of time before and after the triggering event, as well as during the event. One such sequence of packets is depicted in
As outlined above, an event report may be triggered by the network recorder 122 noting an abnormality in the communications network. Such an abnormality may include, for example, one or more packets indicating a denial of service attack is occurring, one or more improperly formatted packets, one or more packets with improper MIME headers, a long period of time without any packets being transmitted by a particular device, the failure of a device to respond to a query packet, or some other network abnormality.
The embodiments of
Further, after a particular device notes the occurrence of an event or some other trigger, that device may generate one or more packets causing other devices to generate event reports, thereby guaranteeing that more complete data is available for review. For example, the network recorder 122 of
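The cross-triggering described in this paragraph raises two practical questions the text leaves open: how a device avoids re-triggering on its own request as it is forwarded around the network, and how it stops an outsider from sending "generate an event report" packets to exhaust every recorder's storage. The following is an added example, not code from the patent or from any vendor: a report-request packet carrying the originator's trigger timestamp (so that all devices window the same instant rather than their individual reception times), a (origin, timestamp) loop guard with a hop limit, and an HMAC-SHA256 tag under an assumed pre-shared key so that unauthenticated requests are dropped. The packet format, key, magic prefix, and device names are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumed pre-shared key and framing for this example only.  Without a MAC,
# anyone on the network could make every recorder burn storage on demand.
SHARED_KEY = b"example-key-not-for-production"
MAGIC = b"EVTREQ1"


def encode_request(origin, trigger_ts, reason, ttl, key=SHARED_KEY):
    """Build a report-request packet: magic, 2-byte length, JSON body, HMAC-SHA256 tag."""
    body = json.dumps({"origin": origin, "trigger_ts": trigger_ts,
                       "reason": reason, "ttl": ttl}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return MAGIC + len(body).to_bytes(2, "big") + body + tag


def decode_request(raw, key=SHARED_KEY):
    """Return the request dict, or None if this is not a well-formed, authentic request."""
    head = len(MAGIC) + 2
    if not raw.startswith(MAGIC) or len(raw) < head:
        return None
    n = int.from_bytes(raw[len(MAGIC):head], "big")
    body, tag = raw[head:head + n], raw[head + n:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(body) != n or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Bus:
    """Shared broadcast medium: every node except the sender sees each packet."""

    def __init__(self):
        self.nodes = []
        self.sent = 0

    def broadcast(self, sender, raw):
        self.sent += 1
        for node in self.nodes:
            if node is not sender:
                node.on_packet(raw)


class CoordinatedRecorder:
    """One IED or stand-alone recorder.  On a local trigger it records and asks
    its peers to record the same instant; on a peer's request it records once
    and forwards the request once, so the collection records in step."""

    def __init__(self, name, bus):
        self.name = name
        self.bus = bus
        bus.nodes.append(self)
        self.seen = set()      # (origin, trigger_ts) already acted on: loop guard
        self.reports = []      # (trigger_ts, origin, reason); stands in for a full report

    def local_trigger(self, trigger_ts, reason):
        self.seen.add((self.name, trigger_ts))
        self.reports.append((trigger_ts, self.name, reason))
        self.bus.broadcast(self, encode_request(self.name, trigger_ts, reason, ttl=2))

    def on_packet(self, raw):
        req = decode_request(raw)
        if req is None:
            return                      # ordinary traffic, or a forged request: ignore
        key = (req["origin"], req["trigger_ts"])
        if key in self.seen:
            return                      # already handled; this is what stops forwarding loops
        self.seen.add(key)
        # Record against the originator's trigger time, not the arrival time,
        # so every device's pre/post window is centred on the same event.
        self.reports.append((req["trigger_ts"], req["origin"], req["reason"]))
        if req["ttl"] > 0:
            self.bus.broadcast(self, encode_request(req["origin"], req["trigger_ts"],
                                                    req["reason"], req["ttl"] - 1))


def demo():
    """Three devices on one bus; relay1 trips and the other two record the same instant."""
    bus = Bus()
    nodes = [CoordinatedRecorder(n, bus) for n in ("relay1", "relay2", "recorder")]
    nodes[0].local_trigger(10.0, "trip: 52A opened")
    return bus, nodes
```

With three devices the request is transmitted exactly three times (once by the originator and once by each peer as it forwards) and every device ends up with one report for the same trigger time; a request built under the wrong key is rejected before it can open a report. The MAC does not stop a legitimate but compromised device from flooding requests, so a rate limit per origin is the next check a practitioner would add.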
The foregoing description of the invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or to limit the invention to the precise form disclosed. The description was selected to best explain the principles of the invention and practical application of these principles to enable others skilled in the art to best utilize the invention in various embodiments and various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention not be limited by the specification, but be defined by the claims set forth below.