Cybersecurity Challenges of Implementing IEC-61850 for Automation Between the Smart Distribution
Control Center and the Substation
Authors/Presenters:
J. Matt Cole, PE (Presenter) – Sargent & Lundy, LLC
Raymond Arnold (Presenter) – Sargent & Lundy, LLC
Matt LaCourt – Sargent & Lundy, LLC
Date: October 24, 2017
Main Benefits of Using IEC-61850
IEC-61850 Benefits
• Widely used protocol in Europe & US for P&C and Substation Automation
• Eliminates hard wiring (uses less copper)
• Provides cost savings for substation designs, installations, commissioning and operations
• Easier to implement (ease of use compared to other protocols)
• Smooth data exchanges with multi-vendor devices
• Eliminates the need for special vendor proprietary protocol converters
• Provides reliable, high priority network messaging (GOOSE, GSE)
• Capable of providing real-time data and control between control centers and substations
• Uses an object oriented data hierarchy
Paper Focus
• Everything is getting hacked
  – WannaCry Ransomware
    • PCs infected in over 150 countries
    • Files encrypted and ransomed for bitcoins
    • Worst attack in 2017
  – Ukraine Cyber Attacks (2015 & 2016)
    • Adversaries gained full control of SCADA & control room functions
    • Interrupted power to several customers in both attacks
    • Implemented a telephone DoS, UPS shutdown & KillDisk
This paper focuses on the cybersecurity vulnerabilities that distribution utilities face when using IEC-61850 protocol communications outside the substation for SA or SCADA. Improvements are recommended to minimize these security risks.
Cybersecurity Concerns Using IEC-61850
• Widely used by both transmission & distribution (T&D) utilities (if not the most widely used)
  – NERC & other entities do not govern cybersecurity protection for distribution utilities (vulnerable)
• Heavily used in Substation Automation (SA) and Distribution Automation (DA) applications
  – Exchange of data between multi-vendor devices (IEDs, SCADA, HMI, Metering, etc.)
  – Requiring more real-time data functionality (Control Data functions are unprotected)
• Utilities using 61850 for communications outside the substations
  – 61850 communicating from substation to substation or substation to control center (IEDs, SCADA, etc.)
  – Man-in-the-middle (MITM) attacks
Cybersecurity Concerns Using IEC-61850 (cont.)
• Utilities using 61850 for communications outside the substations
  – Using the utility's own communications path (authentication and/or encryption recommended)
    • Fiber, copper, radio or wireless (WiFi)
    • Man-in-the-middle (MITM) attacks
  – Using a 3rd party communications path / leased line (unprotected)
    • Authentication and/or encryption recommended
    • Fiber, copper, radio or wireless (WiFi)
    • Man-in-the-middle (MITM) attacks
SMART Distribution Control Center (SDCC)
[Figure: SDCC architecture diagram; link label: IEC-61850 Protocol. Source: NIST’s Guideline for Smart Grid Cybersecurity]
State Laws Passed Enforcing Cybersecurity
• 48 States have embraced and enforced cybersecurity laws
  – Imposing security breach notification obligations on all entities that own and process personal data
    • Including Distribution Utilities
• Alabama & South Dakota have not passed such laws yet
NERC CIP versus NIST (IEC-61850)
• NERC CIP only governs transmission voltage levels
  – Distribution Utilities are excluded by NERC CIP
• NERC CIP views IEC-61850 today as not in scope
  – IEC 61850 is an Ethernet-based standard for the design of electrical substation automation
    • Abstract data models can be mapped to a number of protocols, including: MMS, GOOSE, Web Services
  – IEC 61850 is not a data link or network layer protocol
    • Declaring IEC 61850 to be a routable or non-routable protocol is not appropriate
    • Time critical messages (GOOSE) run over flat Layer 2 (i.e. not routable)
    • Non-time critical (MMS, web services) run over Layer 3 (i.e. routable)
NERC CIP versus NIST (IEC-61850) – cont.
NERC CIP views continued
• Registered entity should evaluate the communication environment supporting the IEC 61850 data protocol to determine if routable communication exists
• If the IEC 61850 data is being communicated over a TCP/IP network, then that network connectivity is considered routable and should be protected per the CIP Standards accordingly
NISTIR 7628
• NIST Guideline for Smart Grid Cyber Security has defined IEC 61850 as an insecure protocol
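The routability evaluation above (GOOSE on flat Layer 2 versus MMS and web services on Layer 3, with anything over TCP/IP treated as routable and in scope) can be turned into a mechanical check over captured traffic. The following is an added example written for this transcript, not a tool from the paper or from Sargent & Lundy. It assumes the well-known identifiers for the IEC 61850 mappings (GOOSE EtherType 0x88B8, Sampled Values 0x88BA, MMS on ISO-TSAP TCP port 102, secure MMS per IEC 62351-4 on TCP port 3782, web services over TLS on 443) and a constructed substation LAN range standing in for the Electronic Security Perimeter; the frame summaries are constructed, not captured from a real substation.

```python
"""Sort IEC 61850 frame summaries into routable / non-routable traffic and flag
what the slides say needs CIP-style protection or is at risk when it leaves the
substation. Added example; the frame dicts are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Well-known identifiers for the mappings the slides name.
ETHERTYPE_GOOSE = 0x88B8   # IEC 61850-8-1 GOOSE: Layer 2 only, never routed
ETHERTYPE_SV = 0x88BA      # IEC 61850-9-2 Sampled Values: Layer 2 only
ETHERTYPE_IPV4 = 0x0800
TCP_PORT_MMS = 102         # ISO-TSAP: MMS over TCP/IP, cleartext
TCP_PORT_MMS_TLS = 3782    # ISO-TSAP over TLS (IEC 62351-4 secure MMS)
TCP_PORT_HTTPS = 443       # web services over TLS

# Constructed address range of the substation LAN (inside the ESP): an assumption.
SUBSTATION_LAN = ipaddress.ip_network("10.10.0.0/24")


@dataclass(frozen=True)
class Finding:
    protocol: str
    is_61850: bool
    routable: bool      # carried over Layer 3, i.e. hits the slide's CIP routability test
    encrypted: bool
    leaves_esp: bool    # destination is outside the substation LAN


def classify(frame):
    """Map one frame summary to a Finding, following the slide's L2/L3 split."""
    et = frame["ethertype"]
    if et == ETHERTYPE_GOOSE:
        return Finding("GOOSE", True, False, False, False)
    if et == ETHERTYPE_SV:
        return Finding("SV", True, False, False, False)
    if et != ETHERTYPE_IPV4:
        return Finding("other-l2", False, False, False, False)

    proto, dport = frame.get("proto"), frame.get("dport")
    if proto == "tcp" and dport == TCP_PORT_MMS:
        protocol, is_61850, encrypted = "MMS", True, False
    elif proto == "tcp" and dport == TCP_PORT_MMS_TLS:
        protocol, is_61850, encrypted = "MMS/TLS", True, True
    elif proto == "tcp" and dport == TCP_PORT_HTTPS:
        protocol, is_61850, encrypted = "web-services/TLS", True, True
    else:
        protocol, is_61850, encrypted = "other-ip", False, False
    leaves_esp = ipaddress.ip_address(frame["dst"]) not in SUBSTATION_LAN
    return Finding(protocol, is_61850, True, encrypted, leaves_esp)


def needs_cip_review(f):
    """Slide rule: 61850 data over TCP/IP is routable connectivity to protect per CIP."""
    return f.is_61850 and f.routable


def at_risk(f):
    """Conclusion slide: unencrypted 61850 data leaving the substation is at risk."""
    return f.is_61850 and f.routable and f.leaves_esp and not f.encrypted


def summarize(frames):
    """Counts an assessor would put in a risk-assessment table."""
    findings = [classify(fr) for fr in frames]
    return {
        "cip_review": sum(needs_cip_review(f) for f in findings),
        "at_risk": sum(at_risk(f) for f in findings),
        "l2_only": sum(f.is_61850 and not f.routable for f in findings),
    }


# Constructed sample frames: one GOOSE multicast, cleartext MMS inside the LAN,
# cleartext MMS to a control center, and secure MMS to the same control center.
SAMPLE_FRAMES = [
    {"ethertype": ETHERTYPE_GOOSE, "src_mac": "01:0c:cd:01:00:01"},
    {"ethertype": ETHERTYPE_IPV4, "proto": "tcp", "dport": 102,
     "src": "10.10.0.5", "dst": "10.10.0.7"},
    {"ethertype": ETHERTYPE_IPV4, "proto": "tcp", "dport": 102,
     "src": "10.10.0.5", "dst": "10.20.0.2"},
    {"ethertype": ETHERTYPE_IPV4, "proto": "tcp", "dport": 3782,
     "src": "10.10.0.5", "dst": "10.20.0.2"},
]

if __name__ == "__main__":
    for fr in SAMPLE_FRAMES:
        print(classify(fr))
    print(summarize(SAMPLE_FRAMES))
```

Only the third sample frame is both routable and unencrypted on its way out of the constructed LAN, which is exactly the case the conclusions single out; the GOOSE frame never enters the routability test because it has no IP layer to route.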
Enhancing IEC-61850 for Cyber Resiliency
• Technologies
  – TLS Encryption
    • Prevents eavesdropping by adversary
    • Most effective when enabled between end devices
  – Multifactor Authentication
    • Applies to users and devices
    • Prevents unauthorized access/modification of data
    • Holds users accountable for actions
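One way to get both bullets at once between end devices is mutual TLS, where each IED or gateway presents a certificate issued by the utility's own CA, so the session is encrypted and the peer device is authenticated before any MMS data flows. The following is an added example written for this transcript, not code from the paper; reading mutual TLS as the device-authentication mechanism is this example's interpretation of the slides. It assumes the operator runs its own CA and issues per-device certificates; the peer-certificate dictionary is constructed in the shape Python's `getpeercert()` returns, and the device names are made up.

```python
"""Mutual TLS contexts for IEC 61850 end devices, the weak setting beside the
hardened one, plus per-device authorization after the handshake. Added example;
file paths, device names and the sample certificate are assumptions."""
import ssl
import time


def device_tls_context(role, ca_file=None, cert_file=None, key_file=None):
    """Build a context that both encrypts and authenticates the peer device.

    role is "server" (listening IED/gateway) or "client" (polling master).
    File arguments are optional so the policy can be inspected without key
    material; a real deployment always supplies all three.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if role == "server" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    # Require a certificate from the peer in BOTH directions: the IED must not
    # answer an unknown master, and the master must not trust an unknown IED.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trust the utility's CA only
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def eavesdroppable_context():
    """The weak setting by contrast: encryption with no idea who the peer is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # any device, or a man in the middle, is accepted
    return ctx


def describe(ctx):
    """Plain summary of a context's policy, for audits and assertions."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


def device_identity(peercert):
    """Extract the commonName from an SSLSocket.getpeercert() style dict."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize_device(peercert, allowed_ids, now=None):
    """Per-device authorization once the handshake has verified the chain:
    the certificate must be unexpired and name a device on the allow-list."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not_after <= now:
        return False
    return device_identity(peercert) in allowed_ids


# Constructed peer certificate dict (assumption) in getpeercert() shape.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Utility"),),
                (("commonName", "IED-FEEDER-07"),)),
    "notAfter": "Oct 24 00:00:00 2037 GMT",
}
ALLOWED_DEVICES = {"IED-FEEDER-07", "GATEWAY-SUB-A"}

if __name__ == "__main__":
    print(describe(device_tls_context("server")))
    print(describe(eavesdroppable_context()))
    print(device_identity(SAMPLE_PEERCERT), authorize_device(SAMPLE_PEERCERT, ALLOWED_DEVICES))
```

The allow-list step matters because a valid certificate from the utility's CA proves the peer is some device the utility issued, not that this particular IED may talk to this particular master; the identity check after the handshake is what ties the session to an accountable device.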
Enhancing IEC-61850 for Cyber Resiliency (cont.)
• Devices
  – Firewalls/Gateways/DMZs
    • Define the Electronic Security Perimeter
    • Provide encryption and authentication
    • Configure to deny all unanticipated traffic by default
  – Intrusion Detection Systems (IDS)
    • Monitor network traffic
    • Log unexpected traffic
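The "deny all unanticipated traffic by default" and "log unexpected traffic" bullets describe one policy seen from two devices: an allow-list at the perimeter, and an alert for every flow that misses it. The following is an added example written for this transcript, not a configuration from the paper or any vendor. The zones, allow rules and flow records are constructed assumptions for a single substation talking to one control center over the utility's own WAN, with anything from an unknown address (such as a third-party leased line) treated as untrusted; secure MMS on TCP port 3782 per IEC 62351-4 is the only 61850 channel the policy anticipates.

```python
"""Deny-by-default Electronic Security Perimeter policy with IDS-style logging of
everything the allow-list does not anticipate. Added example; zones, rules and
the flow records are constructed sample data."""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "name src dst proto dport")

# Constructed zones (assumptions): substation LAN inside the ESP and the
# control-center SCADA network on the far side of the utility's WAN.
ZONES = {
    "substation": ipaddress.ip_network("10.10.0.0/24"),
    "control_center": ipaddress.ip_network("10.20.0.0/24"),
}

# The allow-list. Anything not matched here is dropped AND logged.
ALLOW_RULES = [
    Rule("secure-mms-poll", "control_center", "substation", "tcp", 3782),  # IEC 62351-4
    Rule("ntp", "substation", "control_center", "udp", 123),
    Rule("syslog-to-ids", "substation", "control_center", "udp", 514),
]

# Flow-record format used by this example (constructed, not a vendor format).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable flow record: %r" % line)
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    return d


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"   # unknown address, e.g. arriving over a 3rd-party leased line


def decide(flow, rules=ALLOW_RULES):
    """Return the name of the first matching allow rule, or None (deny by default)."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    for r in rules:
        if (r.src, r.dst, r.proto, r.dport) == (src_zone, dst_zone, flow["proto"], flow["dport"]):
            return r.name
    return None


def audit(lines, rules=ALLOW_RULES):
    """IDS-style pass over flow records: returns (allowed_count, alert_lines)."""
    allowed, alerts = 0, []
    for line in lines:
        flow = parse_flow(line)
        if decide(flow, rules) is None:
            alerts.append("%s DENY unexpected %s/%d %s(%s) -> %s(%s)" % (
                flow["ts"], flow["proto"], flow["dport"],
                flow["src"], zone_of(flow["src"]), flow["dst"], zone_of(flow["dst"])))
        else:
            allowed += 1
    return allowed, alerts


# Constructed flow records (not from a real device).
SAMPLE_FLOWS = [
    "2017-10-24T10:00:01 src=10.20.0.2 dst=10.10.0.5 proto=tcp dport=3782",    # secure MMS poll
    "2017-10-24T10:00:02 src=10.20.0.2 dst=10.10.0.5 proto=tcp dport=102",     # cleartext MMS: not anticipated
    "2017-10-24T10:00:03 src=10.10.0.5 dst=10.20.0.9 proto=udp dport=123",     # NTP
    "2017-10-24T10:00:04 src=198.51.100.7 dst=10.10.0.5 proto=tcp dport=102",  # from a leased line
    "2017-10-24T10:00:05 src=10.10.0.9 dst=10.10.0.5 proto=tcp dport=23",      # telnet inside the LAN
]

if __name__ == "__main__":
    allowed, alerts = audit(SAMPLE_FLOWS)
    print("allowed:", allowed)
    for a in alerts:
        print(a)
```

Note that the cleartext MMS poll from the control center is denied even though it comes from a trusted zone: the allow-list names the secure port only, so an operator who forgets to enable TLS on a new master sees the failure as an alert rather than as silently unprotected traffic.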
Recommended Substation Protections
[Figure: Recommended Substation Protections. Source: IEC-62351]
Conclusions
• When using the 61850 protocol for SA and SCADA communications outside the substation – all unencrypted data is at risk
• Substation LANs are vulnerable – if no firewalls, IPS/IDS, data gateways or DMZs are implemented
• If the utility is relying on others for outside communications or outside the ESP – all data is vulnerable
• Perform security risk assessments of all data entering or leaving the substation to determine if encryption is feasible
  – Add authentication at a minimum
• The cost of doing nothing can be considered immeasurable – if attacked by a cyber intrusion
Conclusions (cont.)
• Exercise caution and thorough testing – before selecting a vendor to supply smart substation devices
• Test all security updates and patches – within a lab or testing environment before pushing onto the live system
• Ensure vendors or suppliers are providing timely updates if there is a potential vulnerability or threat
Future Research/Discussions
• Likelihood of NERC CIP being applied to distribution systems?
• Vulnerable access points under current versions of NERC CIP need further review:
  – Smart meter/AMI system
  – Leased lines through telcos
  – Shared access points at jointly owned stations that are currently NOT defined as CIP sites
Questions?
J. Matt Cole, PE (Presenter) – Sargent & Lundy, LLC
Ray Arnold (Presenter) – Sargent & Lundy, LLC
Matt LaCourt – Sargent & Lundy, LLC
“There are three power grids that generate and distribute electricity throughout the United States, and taking down all or any part of a grid would scatter millions of Americans in a desperate search for light, while those unable to travel would tumble back into something approximating the mid-nineteenth century.”
– Ted Koppel, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath