Smart substation security Kris Hallaert
Transcript of Smart substation security Kris Hallaert
Smart Substation Security
SmartSec Europe 2014
Amsterdam 29/01/2014
Agenda
Context Elia Introduction to the substation environment in Elia Security design and measures in the substation Near and far future
29/01/2014 SmartSec Europe 2014 2
29/01/2014 SmartSec Europe 2014 3
• Among the five largest transmission system operators in Europe
• Frontrunner in grid integration of renewables since incorporation in 2001
• Listed on Stock Exchange since 2005
• 1,950 employees
• 380 kV and 220kV (down to 30kV in Be)
• 870 substations
• Fully unbundled
• World experience in RES integration
About the Elia GroupIntroduction
About Elia Belgium
29/01/2014 SmartSec Europe 2014 4
• Customers: • 130 direct customers (connected to ELIA’s net) • Over 25 Distribution System Operators…
• 1.250 employees
• 11 sites in Belgium
• 800 HV Substations
• Network : Mostly owned or leased Cu, Fo Some Leased Lines (local telecom provider) Tests with satellite communication
General Concept : Defence in Depth
29/01/2014 5
“Defense in depth“ principle: Security threats are not mitigated by a single counter measure only but by implementing several complementary security techniques at multiple levels
SmartSec Europe 2014
What has changed the world (of the substations)?
Point to point connections Old Access network technology with TDM, SDH Low bandwidth needs No online access needs to information Only telephony needed Assets maintained locally and limited information about their state
A lot of interaction between devices Need for IP and more mainstream technologies (MPLS) High bandwidth needs Technicians on the field need online access to office space online access to information Assets maintained remotely from a normal PC
29/01/2014 6
Security Business
SmartSec Europe 2014
Example : Old situation RTU
29/01/2014 7SmartSec Europe 2014
Today : connections based on IEC104 (IP)
29/01/2014 8
MPLS
SmartSec Europe 2014
Example : Asset Control Center
929/01/2014 SmartSec Europe 2014
Steps in the design exercise with impact on security
1029/01/2014 SmartSec Europe 2014
Step 1• inventory of data flows and protocols and their criticality
Step 2• Architectural design of network and channels (VPN/VLAN)
Step 3• cyber risk identification and mitigation
(acceptance or compensating controls)
NEEDSGENERALITY – DATA FLOWS
11
Remote-reading & data management : Metering, power quality files
Remote-monitoring :equipment status (alarms, events, …)
Remote-maintenance : action on equipment (parameterization, …)
Remote-control : action on HV substation (RTU)
Others : telephony, cameras, …
SmartSec Europe 201429/01/2014
Some results of this excercise
12SmartSec Europe 201429/01/2014
LAN and WAN high
level designHub and
spoke model
Jumpserver(gateway
functionality)
Network authentication
and port security in the
substation
LAN and WAN high level design
SAS LAN based on 2 physical independent LANs
GLAN for “general applications” of HV substation SLAN for “protection, control and automation” => IEC61850 (> 2018)
Why ? High cyber-security level protection = segregation General applications require medium and low level
performances and are not critical for protection & control of HV Substation Protection, control and automation applications require
high level performances and are critical for protection & control of HV substation
1329/01/2014 SmartSec Europe 2014
SASLAN
SLANGLAN
LAN and WAN high level design
14
GLAN
SBUSLAN
Router WAN
Switch LAN
Switch LAN Router WAN
SCADA
FirewallVPN tunnels
Office network
VLAN
VLANVLAN
VLAN
VLANVLAN
IP/MPLS WAN
Network Management SBUS-LAN and G-LAN Telephony Data ELIA/Wifi and guest wifi Data Elia wired Videosurveillance, access control SBUS-LAN Electricity Management (RTU, …) G-LAN Electricity Management (Perturbo, Counter, Qwave, …)
29/01/2014 SmartSec Europe 2014
15
LAN and WAN high level design
• IP address plan reflecting functional communication planes
• Allows easy configuration of firewalls based on L3 IP address
• Configuration based on L2 MAC addresses is not manageable
•Prioritisation of traffic / QOS / Classification
SmartSec Europe 201429/01/2014
Hub and spoke model
Substation
16
Substation 1
WAN IP/MPLS
Central firewall
substation 2
X
+ Manageability+ “Easy“ to change technology+ Logging- Agree to possibly lose a complete substation- Single point of failure ?
SmartSec Europe 201429/01/2014
Jumpserver : Access to devices in the substation
Substation
17
GLAN
SBUSLAN
WAN
Substationgateway/Jumpserver
Router Router
switch
switch
Office LAN
29/01/2014 SmartSec Europe 2014
access to applications based on Active Directory groups
Network authentication and port security
• First choice : network authentication 802.1x (mostly GLAN)
• Second choice : port security (based on MAC)
BUT : Difficult to find IED’s that support proper network authentication
1829/01/2014 SmartSec Europe 2014
Specific constraints in TSO world
Long lifetime of “electricity” assetsWe don’t trust the embedded security features for the moment and choose to bolt on security where possible
Harsh environment (ruggedized equipment)mainstream security equipment is not always suited
Long decision process with European Tender for frame agreementsNot easy to make quick choices (long time between writing a tender and decision)
Availability is still number 1 priority for some devicesstopping a false positive can do more damage than letting through a potential attack
1929/01/2014 SmartSec Europe 2014
What’s still on our roadmap?
20
shortterm
• “blackbox” implementations based on common mainstream technology : (e.g. windows embedded no antivirus, no patching, local admin, no lockdown)
• Blackout mitigation out of design scenario : Emergency preparedness exercise “Cyberattack on realtime environment“
• Regular contact with vendors, SPOC for security, security roadmaps
Midterm• Establishment of 24/7 Security Operation Center• Next-gen industrial firewalls in monitoring mode
longer
• Next gen industrial firewalls in blocking mode based on business transaction monitoring?
• Embedded security in devices?, IEC 62351?
SmartSec Europe 201429/01/2014