White Paper - Multi-layer Security Architecture for Electrical Substatio...


  • 8/12/2019 White Paper - Multi-layer Security Architecture for Electrical Substatio...


    connectivity to field area networks, metering networks, and home area networks (at the distribution level). Secure transport of data from substations to their multiple peers poses significant challenges to the operator. Today, automation and control systems within the substations are built on open standards such as IEC 61850, IEC 60870-5-104, and DNP 3.0 by using communication based on Ethernet and IP. The most important international standard in this regard is IEC 61850, which comprises an extensive and extensible data model, a flexible configuration language as well as various communication services.

    From the security perspective, the status of today's substations is fragmented and comes along with a couple of challenges. It is essential to point out that certain specifics determine the development and roll-out of comprehensive security solutions. The subsequent bullets list some of them:

    - Availability and integrity are the major security objectives. The ultimate task is to protect the functionalities of the primary substation equipment in order to deliver power without any interruption. Confidentiality and privacy come into play when AMI systems are getting integrated.

    - The integration of so-called legacy devices is a big challenge for all stakeholders. Security has not been a major requirement for this type of equipment in the past. The majority of these devices comes with weak or even no authentication, shared user accounts, unencrypted credential storage - just to name a few of the weaknesses. On the other hand, a long lifetime in operation (often longer than 15 years) is a given.

    - Co-existence and integration of vulnerable protocols (with no or weak security mechanisms) is a realistic use case scenario.

    - Substation installations are complex and often in remote facilities, sometimes in extreme environments.

    - Remote access solutions based on insecure dial-up connections as well as connectivity to the Enterprise-LAN have been introduced mostly for convenience.

    - The adoption of so-called Commercial Off the Shelf (COTS) software as well as standard hardware components introduces a lot of new challenges like the need for an extensive patch management or the operation of anti-malware protection. And, because of standard hardware and software, no special hacking know-how is required anymore.

    - Safety has always been a major concern in the environments of substations. This must be addressed when security measures get defined.

    Typical substation threats

    Based on the specifics of electrical substations in terms of installations and deployment of field devices, various threat vectors exist. Table 01 lists the most prominent attack scenarios.

    Table 01: Typical substation threats (route of entry / scenario, with description)

    1. From Control Center into the Substation
       Various links could be used to access the critical assets within the substation:
       - Database connections
       - Application access connections
       - Backup systems
       - Patch management, anti-malware updates
       - Parallel links (VPN) from the Office-LAN

    2. From a 3rd party through a Control Center into the Substation
       Routed vendor patches and updates are typical issues.

    3. From a peer substation into the substation
       Substation-to-substation communication links without adequate protection.

    4. Remote access
       The classical route of entry. Various options exist:
       - Remote engineering
       - Remote vendor maintenance and support
       - Direct access from the Office-LAN

    5. From Control Center or other external peers to the field equipment
       Direct access to communication equipment and field devices routed through the substation network exposes the Substation Automation Solution (SAS) to big risks.

    6. From the field devices into the substation network
       Unintended access using communication links from the field equipment into the substation network.

    7. Substation internal threats
       Direct access to the substation network:
       - Using malware-infested laptops
       - Provisioning of unintended wireless access
       - Weak access control of systems and devices (e.g.: shared accounts)
       - Disgruntled employees

    All scenarios listed in table 01 as well as possible pathways are depicted in figure 01.

    Figure 01: Substation threats and pathways


    Motivations to attack an electrical substation can be manifold. Substations are a core building block of utility power delivery networks. Possible threats and actors comprise vandalism, cyber hackers, terrorism, theft, malware, industrial espionage, and disgruntled employees. The consequences of a successful attack could be severe, with impact on the electrical grid and far beyond:

    - Loss of energy supply
    - Loss of life
    - Penalties and lawsuits
    - Loss of public trust
    - Environmental damage
    - Damage to reputation

    Regulations and standards

    Regulations in many countries already address the criticality of electrical substations as an essential part of the critical infrastructure. They mandate strict security measures in order to safeguard installations. The NERC CIP standards in North America are the most prominent example. They focus on so-called Critical Cyber Assets (CCAs) that need to be protected by Physical Security Perimeters (PSP) and Electronic Security Perimeters (ESP). Compliance is the objective of audits, gap analysis and mitigation steps. Standards are not an end in themselves. Technical standards are a means to achieve interoperability between systems and devices. This is true for communication as well as for security, especially in an end-to-end scenario. Further on, standards are the opposite of proprietary technologies, which are prone to security flaws and vulnerabilities. The following list comprises the most important regulations and recommendations as well as standards with impact on substation security:

    - NERC Critical Infrastructure Protection (CIP) Standards (for North America) [5]
    - NIST Interagency or Internal Reports (NISTIR) 7628 - Guidelines for Smart Grid Cyber Security [2]
    - DHS - Cyber Security Procurement Language for Control Systems (for North America)
    - BDEW Whitepaper Requirements for Secure Control and Telecommunication Systems (for Germany and Austria)
    - ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements

    The most relevant standards to protect communication links are defined within the network security domain. RFC 6272 (Internet Protocols for the Smart Grid) [1] covers communication and security standards relevant for the Smart Grid, in which substations are an essential component. It is important to emphasize that these standards are already implemented in large industrial installations as well as in other critical industries. They are proven technologies that are providing scalability and accompanying technologies for management and monitoring. In this context, the following standards should be highlighted because of their importance for network and protocol security:

    - IPsec [covered by the relevant RFCs]
    - Authentication, Authorization, and Accounting (AAA) as in RFC 4962
    - IEEE 802.1AE (MAC security)
    - IEEE 802.1X (Port Based Network Access Control)
    - Transport Layer Security (TLS) [RFC 5246]
    - Extensible Authentication Protocol (EAP) [RFC 5247]
    - IEEE 802.1AR (secure device identity)
    - Group Domain of Interpretation (GDOI) [RFC 6407]

    Standard IEC 62351: within TC 57 (Technical Committee 57, Power Systems and associated information exchange), working group 15 is responsible for a series of standards with the objective to define adequate security for the protocols used in TC 57 and to strive for end-to-end security. Currently, IEC 62351 comprises 10 parts; 1 additional part is in the pipeline. Table 02 provides a concise overview on the content of the standard parts. [7],[8]

    The Technical Recommendation (TR) IEC 61850-90-5 defines the data exchange between PMU, Phasor Data Concentrator (PDC) and WAMPAC applications. It enhances the IEC 61850 standard with routable profiles for other IEC 61850 protocols like the Generic Object Oriented Substation Event (GOOSE) protection messaging and the Sampled Value (SV) process bus messaging (IEC 61850-9-2) and enables these protocols to be transported over WAN connections. The TR contains a security model definition in order to safeguard synchrophasor data communication. The routable profiles for GOOSE and Sampled Values as well as the security model will be integrated into the corresponding standards within the IEC 61850 and IEC 62351 series: IEC 61850-8-1, IEC 61850-9-2, IEC 62351-6, and IEC 62351-9.

    Table 02: Parts of IEC 62351 and their content

    Part 1 - Introduction and Overview: contains general aspects like security threats, vulnerabilities, requirements, attacks, and countermeasures typical for a substation environment as well as basic concepts for protection
    Part 2 - Glossary: contains key terms and definitions used in the scope of IEC 62351
    Part 3 - Profiles including TCP/IP - applies to: [IEC 60870-6 TASE.2, IEC 61850 over MMS, IEC 60870-5-104 & DNP3]
    Part 4 - Profiles including MMS - applies to: [IEC 60870-6 TASE.2, IEC 61850 over MMS]
    Part 5 - IEC 60870-5 & Derivatives - applies to: [IEC 60870-5-104 & DNP3, IEC 60870-5-101, 102, 103 & Serial DNP]
    Part 6 - Security for IEC 61850 - applies to: [IEC 61850 over MMS, IEC 61850 GOOSE, SV]
    Part 7 - Network and system management (NSM) data object models: defines NSM data objects specific for power system operations; uses naming conventions of IEC 61850
    Part 8 - Role Based Access Control (RBAC) for power system management: specifies mandatory roles for TC 57 domains like substation automation based on IEC 61850; covers a PUSH and PULL model; defines credential (security token) and transport profiles
    Part 9 - Cyber Security Key Management for power system equipment (not finalized yet)
    Part 10 - Security Architecture Guidelines: describes guidelines for the security of power systems based on essential security controls

    Substation Security

    Any development of an architecture and solution starts with requirements. In terms of substation security, the following are essential:

    - Meet regulatory requirements - the most important ones are listed above. Regulations are strong drivers for security. It is a wise approach to meet them completely, but not just with a checklist mentality.

    - Customer requirements are the source for functional and non-functional security requirements. Non-functional ones are often implicit and need to be derived from best practice and from extensive analysis processes.

    - A flexible and extensible architectural framework is an important non-functional requirement which addresses complexity, long lifetime and new challenges and threats in this industry domain. Standards are the foundation to accomplish this. The layered IP network architecture offers a scalable, robust and open architecture as well as other essential quality attributes.

    The ultimate goal is to protect critical assets against cyber attacks and insider threats. This objective can be transformed into the following security principles: integrity, availability, confidentiality, non-repudiation, and accountability. Security experts are familiar with the CIA (Confidentiality, Integrity, and Availability) triad. In the power automation domain, the order has to be changed to AIC.

    Security Controls

    In order to safeguard a substation adequately, a variety of security controls must be implemented. Security controls are means to protect critical assets in a preventive, detective and corrective way. In the security domain, such controls are categorized as listed by the subsequent bullets:

    - Administrative controls (e.g.: policies, guidelines, security training)
    - Physical controls (e.g.: locks, security fencing, adequate security lighting, video surveillance, access card systems)
    - Technical controls (e.g.: access control, encryption, electronic signatures)

    It is important to emphasize that all of these categories must be addressed properly in order to protect a substation (or any other given system). It is true that security is only as strong as the weakest link. This is the problem of the defender: the defender needs to plan for everything, whereas the attacker just needs to find and hit a weak point in the system. Given the nature of this white paper, the focus of this document is on the technical controls, though physical controls in particular are getting more and more tightly integrated with technical controls.

    Security Architecture

    The most effective way to combine and integrate technical security controls is a security architecture. It provides an excellent tool to foster common understanding between all stakeholders and delivers a solid foundation for further development and implementation. The security architecture described in this paper is based on a reference substation and the connected peers as depicted in figure 02.


    Figure 02: Substation Automation (basic architecture)

    This reference is the foundation to define and apply the appropriate security controls. The core part is the substation automation network itself, which can be divided into the following six segments as listed in table 03. It must be added that the segmentation depends on the substation-specific setup and can differ in implementation and content (systems and devices within a segment).

    Table 03: Segments / security zones of the substation automation network, with description

    Protection and control
    This is the process network in a substation. Typical components are (digital) protection relays, IEDs, RTUs, and PMUs. Within the process network, further segmentation might be applied depending on the technologies and protocols used in this area. In IEC 61850, station and process bus are typical sub-segments.

    Engineering and administration
    The segment contains substation controller, Human Machine Interface (HMI) and Historian.

    Multi-services
    Based on the capabilities of the IP protocol, additional services are used in a substation such as IP telephony, video as well as remote workforce management. A tight integration with physical security, including video surveillance and access control for establishing and protecting the physical security perimeter, is another important feature.

    Distributed security services
    This segment addresses the specifics of a substation in terms of remote facilities and the requirement to have important security services available at any time. It might contain key server as well as directory services.

    FAN / AMI aggregation
    Typical systems are data concentrator applications operated on specific devices (field area router) that connect to Field Area Networks (FANs) based on wired, wireless and power-line technologies.

    DMZ (Demilitarized Zone)
    A DMZ is not a must and might contain terminal or remote access server. It is not depicted in figure 02.

    The other peers that a substation and its components typically communicate with, via private and public WAN links, are:

    1. Control Center - typical components are SCADA applications, Data Historians, Energy Management System (EMS), application server and workstations; in addition, EMS / Control System Training LANs and a number of DMZs are part of the overall installation
    2. Data Center - runs enterprise applications, operates databases and workstations
    3. Other Substation(s) - with a similar setup as specified in table 03
    4. Network Operation Center (NOC) - hosts systems for network and security management, monitoring and control. It may or may not be physically located with the control center.
    5. Peers with external access over public networks (remote engineering)
    6. Centralized (Inter-utility) Security Services for PMU networks (see figure 05)

    This overall context is depicted in figure 02. On the perimeter, a dedicated Substation Automation Router (SAR) provides communication and security services. The SAR is the key device for establishing and protecting the Electronic Security Perimeter (ESP). The strict segmentation allows the implementation of a layered security architecture based on the defence in depth paradigm. In the following, the main building blocks based on dedicated security services will be explained in more detail. Because of the nature of security appliances, security services typically interact with each other and cannot be seen as isolated functionalities.

    Traffic segregation within the substation

    Within the substation automation network, Virtual Local Area Networks (VLANs) are used to segregate traffic between the segments (security zones) listed in table 03. Moreover, it is possible to segregate traffic within a zone of the substation (e.g.: to segregate phasor measurement data from data sent by digital protection relays, or to implement process and station bus according to IEC 61850 recommendations). It is good security practice to assign all unused ports to a so-called Blackhole-VLAN. In the context of the overall architecture, each VLAN typically matches the traffic from a corresponding WAN segment. In correlation with access control, only authenticated users should be assigned to the respective VLANs. Network engineering should strive to limit flooding domains in the phase of network definition. Beside logical segmentation, physically redundant switches should be used for mission critical equipment.

    WAN network segmentation

    WAN network segmentation is a strong means to separate traffic based on application classes, e.g. Tele-Protection, SCADA, Engineering, Physical Security, and PMU data (see figure 03: SCADA VRF, PMU VRF, etc.). Multiprotocol Label Switching (MPLS) VPN technology is recommended for the communication between the substations and the other peers. VRF (Virtual Routing and Forwarding) based on MPLS VPN is the key technology to implement the logical segmentation. In addition, Quality of Service policies can be applied discretely. VRF segments typically have corresponding VLANs within the substation.

    Strong perimeter security is a foundation for the zone-based concept and is enforced by firewalling provided by the Substation Automation Router (SAR). Traffic between zones must be permitted explicitly by rule definitions. Invalid-access alarms integrate the firewall capabilities with the event management provided by the Security Information and Event Manager (SIEM). The implemented security zones typically match corresponding VRF segments on the WAN side and VLANs on the substation network side. In general, the substation automation network must be separated strictly from enterprise networks. Figure 03 depicts these concepts within the overall context.

    Figure 03: Overview on Segmentation, Threat Detection and Mitigation
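    The explicit-permit, default-deny zone policy just described can be illustrated in code. The following Python evaluator is an added example, not code from the paper or from any vendor product: zones correspond to WAN VRFs and substation VLANs from table 03, only explicitly listed flows are permitted, and every denied flow yields an invalid-access event of the kind the SAR would forward to the SIEM. Zone names, address ranges and the sample rule set are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Well-known TCP ports of the substation protocols the paper names.
MMS_PORT = 102       # IEC 61850-8-1 MMS over ISO transport (RFC 1006)
IEC104_PORT = 2404   # IEC 60870-5-104
DNP3_PORT = 20000    # DNP3 over TCP


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_ports: frozenset
    purpose: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


# Constructed addressing: WAN VRFs and substation VLANs (table 03); all values are assumptions.
ZONES = {
    "scada-vrf":          [ip_network("10.0.0.0/24")],      # control center SCADA VRF
    "engineering-vrf":    [ip_network("10.0.1.0/24")],      # remote engineering VRF
    "protection-control": [ip_network("192.168.10.0/24")],  # relays, IEDs, RTUs
    "engineering-admin":  [ip_network("192.168.20.0/24")],  # HMI, historian, controller
    "office-lan":         [ip_network("172.16.0.0/16")],    # enterprise network, never permitted
}

# Explicit permits only; anything not listed is dropped and reported.
RULES = [
    Rule("scada-vrf", "protection-control", "tcp",
         frozenset({IEC104_PORT, DNP3_PORT}), "telecontrol polling from the control center"),
    Rule("engineering-admin", "protection-control", "tcp",
         frozenset({MMS_PORT}), "local HMI reads IEDs via IEC 61850 MMS"),
    Rule("engineering-vrf", "engineering-admin", "tcp",
         frozenset({MMS_PORT}), "remote engineering reaches the HMI segment only"),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its security zone; None means outside every known zone."""
    ip = ip_address(addr)
    for name, prefixes in ZONES.items():
        if any(ip in prefix for prefix in prefixes):
            return name
    return None


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, Optional[Dict]]:
    """Default deny between zones: return ('permit', None) or ('deny', event)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is not None and src_zone == dst_zone:
        return "permit", None  # intra-zone traffic never crosses the perimeter
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == flow.proto and flow.dst_port in rule.dst_ports):
            return "permit", None
    event = {
        "type": "invalid_access",
        "src": flow.src, "src_zone": src_zone or "unknown",
        "dst": flow.dst, "dst_zone": dst_zone or "unknown",
        "proto": flow.proto, "dst_port": flow.dst_port,
    }
    return "deny", event


def to_syslog(event: Dict) -> str:
    """Render a deny event as the line the SAR would forward to the SIEM."""
    return ("SAR-FW-DENY zone={src_zone}->{dst_zone} {proto} {src} -> {dst}:{dst_port}"
            .format(**event))


def run_sample() -> List[Tuple[Flow, str]]:
    """Constructed flows matching several routes of entry from table 01."""
    flows = [
        Flow("10.0.0.5", "192.168.10.20", "tcp", IEC104_PORT),   # #1 control center telecontrol
        Flow("172.16.4.9", "192.168.10.20", "tcp", MMS_PORT),     # #4 direct access from Office-LAN
        Flow("10.0.0.5", "192.168.10.20", "tcp", 22),             # SSH from SCADA zone to a relay
        Flow("192.168.20.11", "192.168.10.20", "tcp", MMS_PORT),  # local HMI polls an IED
        Flow("203.0.113.7", "192.168.20.11", "tcp", MMS_PORT),    # source in no known zone
    ]
    return [(flow, evaluate(flow)[0]) for flow in flows]
```

    Denied flows from the Office-LAN or from unknown address space are the ones the SIEM should alert on; permits are deliberately few and tied to one protocol each.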

    Access control

    Access control provides the necessary services for authentication, authorization and accountability within and to the substation. The ultimate goal is to ensure that only authorized peers (devices and personnel) access the network and the components connected to it. This can be implemented on different levels. On the network level, user authentication can be implemented based on IEEE 802.1X functionality. Substation switches should come with rich port security features (802.1X) to support local security and remote workforce management. Secure device identity can be achieved via X.509 certificates. Strong user identities with Role-Based Access Control (RBAC) ensure that only entitled personnel connects to the substation and the components. Multiple user groups with different access permissions to substation devices (like IEDs) are a typical setup. RADIUS and TACACS+ are the preferred protocols that provide Authentication, Authorization and Accounting (AAA) for users and devices. Central and Distributed Authentication Services, located in the NOC and in the Distributed Service Segment, ensure high availability of these crucial services. In addition to network-based access control, parts of the standard IEC 62351 address authentication needs on the application layer. As an example, IEC 62351-4 defines mutual authentication for profiles including MMS, which applies in the substation context to IEC 61850-8-1. Furthermore, some devices might implement RBAC based on IEC 62351-8 in the future.

    Data security, confidentiality, and privacy

    Data confidentiality and integrity for operational and control data used in substation automation and WAMS is a must. All traffic between the substation automation network and the connected peers like control center or other substations should be encrypted. VPN topologies such as Dynamic Multipoint VPN (DMVPN) and (GET)VPN are technologies to ensure confidentiality, data integrity, and authentication.

    - DMVPN is a tunnel-based encryption solution for public networks. It provides overlay routing and peer-to-peer protection based on point-to-point IPsec to secure the tunnels. DMVPN can be used as an overlay with a Multi-VRF topology.

    - Group Encrypted Transport (GETVPN) is a tunnel-less VPN technology that provides end-to-end security for network traffic in a native mode while maintaining a fully meshed topology. Key management is based on groups. It is targeted at securing an existing VPN and cannot be used across public address space.

    In general, network and link-layer encryption preserves data visibility at intermediate hops and allows the use of IP services (QoS, etc.). Furthermore, network-based VPNs can scale and leverage the PKI capabilities of network platforms such as routers or firewalls. TLS-based VPNs provide flexible solutions to protect remote-engineering connections. In addition to these strong network-based means, the security capabilities of devices (like IEDs) implementing IEC 62351 (e.g.: IEC 62351 Part 6 to protect IEC 61850 communication) can be used to achieve security-in-depth.

    Figure 04: Overview on Data Confidentiality and Privacy

    Security for Phasor Measurement Unit (PMU) data networks for Wide Area Measurement Systems (WAMS) extends the already described scenarios in terms of involved peers and participants. Figure 05 shows the basic architecture of such an installation. IP Multicast enables efficient transmission of PMU data, provides resource efficiency and supports a large number of receivers. Data transport security can be implemented using GETVPN in a scalable manner. Another peer external to the substation needs to be part of this setup: an inter-utility Security Service for PMU registration and cryptographic key management based on GDOI (Group Domain of Interpretation).

    In addition, IEC/TR 61850-90-5 (Use of IEC 61850 to transmit synchrophasor information according to IEEE C37.118) specifies a security model with the following definitions: information authentication and integrity are mandatory, confidentiality is optional. GDOI for key management is used in this TR as well. Both options, GETVPN and the IEC/TR 61850-90-5 basic security model, can be extended by using IEC 62351-6:2007 implemented by the publishers and subscribers of GOOSE messages and SV data. IEC 62351-6:2007 provides cryptographic integrity for IEC 61850-8-1 GOOSE and IEC 61850-9-2 SV (Sampled Values). This approach supports all scenarios where perimeters are defined in an end-to-end scenario.

    But security for all relevant data in motion is not enough in such a sensitive environment. Data encryption is also needed for stored data like configuration and engineering files and, of course, security credentials such as keys and certificates. The best way to achieve secure generation and storage of keys is a hardware-based solution. A flexible and reliable key management solution is the foundation for all technical security controls based on cryptographic keys, symmetric and asymmetric ones. Key servers are typically located in the NOC as well as in the distributed service segment within the substation automation network. Scalable key management protocols like GDOI (RFC 6407) are the basis for the handling of cryptographic keys at scale. For asymmetric cryptography based on a Public Key Infrastructure (PKI), essential services can be provided centrally and locally within the substation automation network.

    Figure 05: PMU Network Security (basic architecture)

    Threat detection and mitigation

    Visibility and monitoring are important principles in order to support detective security controls. IP networks inherently support maximized visibility into the whole network environment, including all connected systems, devices and events. Network intrusions can be detected through the use of IPS (Intrusion Prevention Systems) at critical points in the substation network. This is typically combined with perimeter security and provided by the SAR. IPS modules for malware detection and prevention can be updated based on the availability of SCADA IPS signatures. Integrated IPS functionality stops attacks at the entry point to the substations and protects the router and the network from DoS attacks. Responses are necessary in real time through alarms and further actions. Logging of security events is a crucial requirement in many regulations like NERC CIP. Time-stamped logs should be provided across devices (see figure 03). A dedicated appliance for security event management and audit logging, the Security Information and Event Manager (SIEM), provides this functionality and is typically located in the NOC. Furthermore, it enables incident reporting through log correlation and alerts to identify security incidents. In general, it is good security practice to monitor and correlate perimeter and inside events.


    Host security is especially important for substation components based on standard hardware and software such as substation controllers or data historians. Consistent hardening is good security practice. This comprises an approach where a minimum of services and applications is running, along with a well-defined patch management process. Patching control systems and embedded field devices has many pitfalls. Long lifetime of components and mission-critical tasks with zero downtime requirements are just two examples to highlight the complexity. Whitelisting, to allow only dedicated applications or services to be executed, complements these measures. Furthermore, all ports that are not needed must be shut down. No engineering ports must be allowed. In many devices, integrated web servers provide engineering capabilities based on the Hypertext Transfer Protocol (HTTP) in order to support browser-based applications. Such interfaces must be protected particularly because of the risks related to web applications. Anti-virus and anti-malware protection is especially important on systems and devices that are operated on standard operating systems and frameworks. On the other hand, scanning procedures must not interfere with critical processes of the systems. For mission-critical devices like digital protection relays, strong authentication is needed. Local HMIs and interfaces must be protected to prevent misuse. Shared user accounts are a threat to the whole substation installation. In general, host security already starts with the development of those critical components.

    Inherent network security

    Unified LAN and WAN design based on standards, incorporating security, resilience, and intelligence between substations and from the substation to the control center, is an essential success factor for effective substation security. IP networks as the underlying platform support main security paradigms and principles that are essential for an overall and end-to-end security. With IEC 61850-90-5, routable profiles for IEC 61850-8-1 GOOSE and IEC 61850-9-2 SV packets exist. This new option will help to exploit the benefits of IP networks for GOOSE and SV messages in future. In contrast to tunnelling solutions, large fault domains in which substation network faults are spread can be avoided. Beside dedicated security measures, network capabilities offer pervasive visibility and control, reduce complexity and increase protection. As an example, QoS (Quality of Service) policies can help to detect traffic abnormalities and offer Denial-of-Service (DoS) prevention. Within the substation automation network, the following Layer-2 security mechanisms should be enabled:

    - Strict port security on all switches [prevents MAC address flooding]
    - DHCP Snooping [eliminates rogue devices from behaving as the DHCP server]
    - Dynamic Address Resolution Protocol (ARP) Inspection (DAI) [to mitigate ARP spoofing or ARP poisoning attacks]
    - IP Source Guard [helps to prevent snooping of data or anonymous launching of attacks]
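    The four Layer-2 mechanisms listed above are not independent: DHCP snooping builds a binding table from leases answered through a trusted port, and Dynamic ARP Inspection and IP Source Guard consult that table for ARP and IP packets arriving on untrusted ports, while port security caps the MACs per access port. The following Python model is an added example (not from the paper or any switch vendor) that shows this interplay on constructed traffic; port names, VLAN, MAC and IP addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """DHCP snooping binding: which MAC/IP is legitimately behind which port."""
    mac: str
    ip: str
    vlan: int
    port: str


class SubstationSwitch:
    """Constructed model of an access switch with the four Layer-2 controls enabled."""

    def __init__(self, trusted_ports: Set[str], max_macs_per_port: int = 1):
        self.trusted = set(trusted_ports)            # uplink towards the SAR and DHCP server
        self.max_macs = max_macs_per_port            # port-security limit per access port
        self.learned: Dict[str, Set[str]] = {}       # port -> source MACs seen
        self.errdisabled: Set[str] = set()           # ports shut down by port security
        self.pending: Dict[Tuple[int, str], str] = {}        # (vlan, mac) -> client port
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, ip) -> binding
        self.events: List[str] = []                  # log lines destined for the SIEM

    # Port security: bound the number of source MACs per access port (anti MAC flooding).
    def frame_in(self, port: str, src_mac: str) -> bool:
        if port in self.errdisabled:
            return False
        if port in self.trusted:
            return True
        macs = self.learned.setdefault(port, set())
        if src_mac not in macs and len(macs) >= self.max_macs:
            self.errdisabled.add(port)
            self.events.append(f"PORT-SECURITY violation on {port}: {src_mac} exceeds MAC limit, port err-disabled")
            return False
        macs.add(src_mac)
        return True

    # DHCP snooping: remember on which port a client asked for a lease...
    def dhcp_client_request(self, port: str, vlan: int, mac: str) -> bool:
        if not self.frame_in(port, mac):
            return False
        self.pending[(vlan, mac)] = port
        return True

    # ...and accept server replies only from trusted ports, building the binding table.
    def dhcp_server_reply(self, port: str, vlan: int, client_mac: str, ip: str) -> bool:
        if port not in self.trusted:
            self.events.append(f"DHCP-SNOOPING dropped server reply on untrusted {port} (rogue DHCP server)")
            return False
        client_port = self.pending.pop((vlan, client_mac), None)
        if client_port is None:
            self.events.append(f"DHCP-SNOOPING dropped reply for client {client_mac} without request")
            return False
        self.bindings[(vlan, ip)] = Binding(client_mac, ip, vlan, client_port)
        return True

    def _bound(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    # Dynamic ARP Inspection: ARP on untrusted ports must match a snooping binding.
    def arp_in(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        if not self.frame_in(port, sender_mac):
            return False
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        self.events.append(f"DAI dropped ARP on {port}: {sender_ip} is-at {sender_mac} has no binding")
        return False

    # IP Source Guard: IP packets on untrusted ports must match a snooping binding.
    def ip_in(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        if not self.frame_in(port, src_mac):
            return False
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return True
        self.events.append(f"IPSG dropped IP packet on {port}: {src_ip}/{src_mac} not in binding table")
        return False


def run_scenario() -> SubstationSwitch:
    """Constructed traffic: a legitimate HMI, a rogue DHCP server and a spoofing host."""
    sw = SubstationSwitch(trusted_ports={"Gi1/0/48"})         # hypothetical uplink to the SAR
    hmi = "00:11:22:33:44:01"
    sw.dhcp_client_request("Gi1/0/1", 20, hmi)                  # HMI asks for a lease
    sw.dhcp_server_reply("Gi1/0/48", 20, hmi, "192.168.20.10")  # real server via trusted uplink
    sw.dhcp_server_reply("Gi1/0/2", 20, hmi, "192.168.20.99")   # rogue server on an access port
    sw.arp_in("Gi1/0/1", 20, hmi, "192.168.20.10")              # HMI's own ARP passes DAI
    sw.ip_in("Gi1/0/1", 20, hmi, "192.168.20.10")               # and its IP traffic passes IPSG
    rogue = "aa:bb:cc:dd:ee:02"
    sw.arp_in("Gi1/0/2", 20, rogue, "192.168.20.10")            # claims the HMI's IP: dropped by DAI
    sw.ip_in("Gi1/0/2", 20, rogue, "192.168.20.10")             # spoofed source IP: dropped by IPSG
    sw.ip_in("Gi1/0/2", 20, "aa:bb:cc:dd:ee:03", "192.168.20.11")  # second MAC trips port security
    return sw
```

    Every drop leaves an event line, which is what the paper's SIEM-side correlation of inside events relies on.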

    Security management

    Complex security services need to be managed efficiently. As briefly described in table 03, security management is located in the NOC and, if a distributed scenario is implemented, within the multi-service segment of the substation. Typical components are:

    - Network Management System (NMS) - responsible for network Fault, Configuration, Accounting, Performance, and Security (FCAPS) management. In terms of security, an NMS performs the processes of controlling access to assets in the network.

    - AAA-Server - provides network authentication, authorization, and accounting.

    - Identity Service Engine and Directory Services - provide information on users, devices, and network services. They support consistent policies across the whole installation and can be tightly integrated with an AAA-Server.

    - Certificate Authority (CA) and PKI Services - support the utilization of public key cryptography (e.g.: X.509 certificates) for many security services and protocols. Compromised and revoked certificates must be managed (e.g.: by Certificate Revocation List (CRL) or by Online Certificate Status Protocol (OCSP) based solutions) in order to prevent any misuse.

    - Key-Server (for centralized key management) - the availability of a key server (often called Key Distribution Server (KDS)) is an important requirement. The option to run a key server in a centralized and decentralized scenario accomplishes this in a scalable manner.

    - Security Information and Event Manager (SIEM) - provides real-time analysis of security alerts generated by network appliances and applications.

    Beyond substation security

    In order to achieve sustainable and comprehensive substation security, all components used within must be developed based on detailed security requirements, using a development process which takes security seriously. Secure coding guidelines and accompanying training are efficient measures for development teams. Security principles like defence in depth, least privilege or plan-for-failure are good paradigms for architecture and design. Code reviews and intense testing complete the development efforts. Back doors and undocumented features are severe vulnerabilities, especially in a substation environment. Attacks on hardware and software must be taken into account and addressed by threat modelling. Anti-counterfeit hardware detection and tampered software detection are essential requirements for mission-critical components. For critical communication appliances like the Substation Automation Router (SAR), purpose-built hardware and hardened firmware and software are a must. Device and platform integrity of all components is an essential precondition to achieve security-in-depth for electrical substations.

    Conclusion

    A comprehensive architectural approach is needed to secure electrical substations adequately. Strong security measures provided by the network infrastructure are the foundation to protect substations in a scalable and efficient way. Existing network security appliances and technologies are in place to deliver all services needed to ensure that critical substation components can fulfil their core functionalities at any time. In order to apply layered security, additional safeguards are recommended. Emerging security standards for the power systems domain like the IEC 62351 series are helpful to achieve security in depth. According to the approach of separation of concerns, security features should never interfere with critical automation and protection functions. A good example to illustrate this are the challenges to secure IEC 61850-8-1 GOOSE and IEC 61850-9-2 SV (Sampled Values) data. Tough performance requirements and high message rates raise the bar for security implementations of IEDs or other devices in charge of protection and control. Furthermore, any encryption on the application layer has an impact on the security services provided by firewalls, IDS and IPS, where, for instance, packet inspection is an important countermeasure. Finally, all security implementations based on keys, certificates or any other type of credentials need an infrastructure for management and monitoring. This should be considered thoroughly, especially when such an infrastructure is already in place for network security. To exploit the capabilities of network security as much as possible is a good design paradigm to cope with conflicting requirements.

    Outlook

    With the modernization of the power grid and the advent of Smart Grids, the complexity of power system installations will increase. New devices will be introduced and integrated in order to provide more distributed intelligence. In parallel, many more inter-connected systems will be rolled out and operated. This raises the bar for adequate substation security as well. Resilience and survivability are important quality attributes for mission-critical installations. Insufficient efforts to adapt electrical substations to the changing threats and vulnerabilities of the cyber world expose the operator to the very real possibility of a disastrous event. This must be addressed by ongoing efforts to improve and maintain substation security. It is still true - security is always a journey, not a destination.
