
24th International Conference on Electricity Distribution, Glasgow, 12-15 June 2017, Paper 0936

CYBER SECURITY - SECURITY STRATEGY FOR DISTRIBUTION MANAGEMENT SYSTEM AND SECURITY ARCHITECTURE CONSIDERATIONS

Sukumara T, ABB Inc. – USA, sukumara.t@us.abb.com
Sudarsan SD, ABB Corporate Research - India
Janne Starck, ABB Oy
Timothy R. Vittor, ABB Inc. - USA, timothy.r.vittor@us.abb.com

ABSTRACT

We cover practices and methods for creating effective cyber security architectures for substation and distribution automation systems and products: architectures robust enough to withstand cyber-attacks, resilient enough to recover in the event of a security compromise, and able to keep the device functional and executing its core functionality even during an attack. This is achieved by a defense-in-depth strategy that starts from product design and continues through a dedicated security test center, secure system architecture, patch management and security audits. Understanding these practices and processes helps in handling cyber security in a holistic manner with an explicit focus on operational performance.

INTRODUCTION

The recent cyber-attack on the power grid in Ukraine left half the homes in the Ivano-Frankivsk region, which has a population of 1.4 million, without electricity, reportedly for 6 hours. Reports say that on December 23, 2015, the Kyivoblenergo utility company provided public updates to customers indicating an unauthorized intrusion that disconnected 7 transmission substations (110 kV) and 23 distribution substations (35 kV), leading to an outage for more than 80,000 customers [4].

The attack was conducted mainly through distribution SCADA system computers, along with a denial of service attack on the phone systems. Computers running the SCADA HMI software and related SCADA servers, mainly based on the Windows operating system, were infected using booby-trapped macro functions and malware embedded in Microsoft Office documents. The industrial control systems used to supply power to millions of people could be infected using a simple social-engineering ploy: tricking users into clicking on attachments. In this case, the utility operators resorted to switching the system to “Manual mode” of operation in order to restore the power system.

Another suspected cyber security incident in Ukraine was reported on 19th December 2016, this time on a transmission level substation.

Cyber security, once considered a non-issue, has gained traction and become mainstream as Information Technology (IT) networks get integrated with Operational Technology (OT) networks. This is highlighted by several cyber security incidents, including the one mentioned above.

Concepts such as remote configuration/parameterization, monitoring, remote SCADA communication, remote diagnostics and firmware updates are becoming important requirements for relays and control systems. This leads to inherent requirements for the integration of IT and OT networks, which in turn necessitates “Availability”, “Integrity” and “Confidentiality” of information and data in Substation Automation systems and Distribution Automation networks.

Electric utility systems and processes responsible for creating and maintaining secure power system networks have consistently provided some of the highest levels of reliability and security in the world, by virtue of being isolated stand-alone networks that are often proprietary, which limits interoperability. Performance-based standards like NERC CIP, IEC 62443, ISO 27000 and the EU NIS Directive require utilities and end-users to implement a comprehensive security program and submit to regular compliance audits; it is only the power utilities and other end users who have to be NERC CIP compliant. Vendors can provide technical features that support utilities and end-users in becoming NERC CIP compliant, help them understand how to secure their devices optimally by adopting best practices, and build up awareness. The key challenge is in our ability to support end users in creating a converged IT-OT network without compromising on security aspects.

CHALLENGES RELATED TO SECURITY MEASURES FOR DISTRIBUTION SYSTEM

The Internet of Things (IoT), coupled with the integration of IT-OT networks, is changing the landscape, utilities included. Utilities are currently installing large numbers of modern relays in their substations, not only to replace legacy protective relays but also for metering and equipment monitoring. These devices provide valuable information that can be put to use to improve reliability and reduce operating costs, while throwing up new cyber security challenges.

At the outset, systems are becoming cyber-physical. Isolated systems with controlled physical access can now be controlled using logical access from cyber-space. Substation and feeder equipment like protection, automation and control relays, and smart meters, are being deployed with advanced communications networks, which make them more vulnerable to cyber threats. Threat landscaping and identifying threat vectors is a key challenge that has to be dealt with in order to provide appropriate logical access control mechanisms.

Modern protection and control relays/sensors are the first-level intelligent devices close to the primary equipment, playing a critical role in substation protection, control and monitoring functionalities. Relays sit at the bottom of the hierarchical communication network and have first-hand access to the power system; they not only isolate the faulty section of a subsystem from the rest of the grid but also play an active role in post-fault power restoration and self-healing with the help of the supporting communication network. Yet these systems have limited resources and are hence the most vulnerable in a connected world, especially relays in distribution systems, unlike relays placed in secured networks inside substations and generation plants. For example, most recloser relays are installed on poles near residential neighborhoods but exchange data with the remote substation or distribution management system (DMS).

Security standards applicable to such relays, like NERC CIP, IEC 62351, ISO 27000 etc., are still evolving. Gaps in these standards from a cyber security perspective are continuously being understood and addressed. Even when identified issues are addressed, their adoption takes time.

STANDARDIZATION AND ITS IMPACT ON POWER SYSTEM

The cyber security standards for the power system domain are continuously evolving. Many standardization activities are on-going and cyber security groups are set up to strengthen the security capabilities of critical power infrastructure, e.g., IEC 62351, NERC CIP regulations, IEEE 1686, National Institute of Standards and Technology (NIST) 7628 Guidelines for Smart Grid Cybersecurity, Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), ISO 27000, EU NIS Directive etc. Part of these standards define the cyber security capabilities to be adopted by relays in substation and distribution systems. These standards also enable utilities to effectively and consistently evaluate and benchmark the cyber security capabilities of the system/devices.

As per NERC CIP V6, the first step in any security program is the development of a security policy that forms the basis for any technical, procedural, or organizational security mechanism. Creating, communicating, and enforcing a security policy is a mandated management responsibility. The next step is to build processes that help establish and enforce the security policy, which include a documented plan for employee hiring and separation, incident handling and disaster recovery.

Though NERC CIP (CIP-002) stresses the bulk electric system, covering mostly transmission, sub-transmission and large control centers as high-critical cyber assets to be protected for reliable power system operation, many times a cyber-attack on a connected distribution system would have a cascading effect with massive impact on power system reliability.

MANAGING SYSTEM RESOURCES: SECURITY VS PERFORMANCE

Figure 1: Confidentiality vs Availability prioritization in different networks

Moving from a controlled intranet to open IT-OT networks cannot always guarantee things like timely delivery, reliability, and access control. Even with no malicious intent, not being able to deliver payloads within time limits can bring down services. Malicious intent adds to the complication. Integration of IT-OT networks, at … confidentiality, integrity and availability. In fact, IT networks prioritize confidentiality over availability, while in OT networks availability is paramount over confidentiality. Once integrated, we need mechanisms that support both confidentiality and availability on an equal footing, as shown in figure 1.

The core function of relays is executing protection and control algorithms, with other functions, e.g., SCADA communication, tool interface etc., being support functions.

Figure 2: Constituents or resources of a typical Protection and Control relay architecture (panel labels recovered: Storage, Network Interface)

Resource consumption by support functions, in terms of processing power and memory, is a concern that should be addressed by an appropriate architecture, as in figure 2, by assigning the highest priority to the protection modules. Hacking attempts like Denial of Service, fuzzing, eavesdropping, spoofing, man-in-the-middle, malformed packets sent through SCADA protocols etc. should not affect the execution of the core protection and control algorithm.

The relay architecture design needs to assign the highest priority to its core protection functions, to ensure that the relay is functional and executing its core protection functionality during the attack period, while other functions may recover at a later time.

Relay manufacturers need to test this behavior, and the relay's ability to maintain proper operation, extensively through cyber security evaluation tests as part of device robustness testing. These tests are to be carried out preferably during the product development life cycle and mandatorily before … appropriately. Our experience shows that a focus on vulnerability assessment or threat modeling and robustness testing, done using a combination of proven commercial, open-source and proprietary security tools in a dedicated device security assurance center during product development and release cycles, helps in creating a robust device architecture.

DEFENSE-IN-DEPTH APPROACH

Cyber security threats can be either Internal (an insider with possible privileged access) or External, both capable of causing huge damage to the power system.

Figure 3: A typical substation automation setup with security mechanisms

The most important principle for any security architecture is defense-in-depth, with several layers to avoid a single point of failure. At the least, the most sensitive parts of the system are to be protected by multiple rings of defense, as in figure 3 [1]. In addition to protection mechanisms, means of detecting attacks are required, including both technical measures, such as intrusion detection systems, and procedural measures, such as review of log files or access rights.

SECURITY CONTROL MEASURES FOR POWER DISTRIBUTION SYSTEM

The cyber security architecture of a substation, and of the devices in the substation or power distribution system, should have the following security considerations, along with strong security policies, as part of a defense-in-depth approach that supports the overall security posture of the device/system: Physical Security, Access Management, Audit Trail, Network Separation, Communication Security, System Hardening, Application Security, Secure Storage.

Physical Security

Physical perimeter protection is a critical requirement in the line of defense for cyber security. NERC CIP-006 requires operational or procedural controls to restrict physical access. Physical protection includes setting up physical boundaries, e.g. a fence, a closed control house, locked cabinets, or installing video cameras for monitoring purposes. Tight security management, with up-to-date asset registers, regular site surveys and audits, can help identify rogue devices and personnel and give an early warning of intrusion attempts.

Access Management

An important security principle to follow is the principle of “least privilege”. The RBAC (Role Based Access Control) principle needs to be adopted to provide the right person with the right privileges to operate/work on substation operation and control. No user or process should be able to do more in the system than what is needed for a given job and role. This principle helps prevent malicious attacks and accidents. Devices should enforce minimum password complexity and a password protection mechanism.

NERC CIP (CIP-005) Electronic Perimeter Security requires monitoring and updating of access management credentials on a continuous basis. The relay shall be able to detect and alert on attempted or actual unauthorized accesses and provide an access log for review.

Audit trail

Logs record events and enable monitoring of the operations.
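Logs support monitoring only if someone actually reviews them. The script below is an added example and not part of the paper: it scans constructed relay audit records (the record format, user names and role table are assumptions made for the example) for bursts of failed logins, a successful login right after such a burst, and control or configuration operations that the user's role does not permit, and tallies privilege use per user.

```python
"""Review a relay audit trail for security-relevant events.
Added example, not part of the CIRED paper. The record format
(timestamp;relay;user;event;detail), the user names and the role table are
constructed for illustration; a real relay's audit log will differ."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Event names follow the kinds of activity the
# paper says a relay must record: logins, configuration changes, control
# operations (breaker open/close) and administrative tasks.
SAMPLE_LOG = """\
2017-06-12T08:00:05;IED-A;op1;LOGIN_OK;hmi
2017-06-12T08:02:10;IED-A;op1;CONTROL;CB1 OPEN
2017-06-12T08:15:00;IED-A;eng2;LOGIN_OK;config-tool
2017-06-12T08:16:30;IED-A;eng2;CONFIG_CHANGE;OC1 pickup 1.2->1.5
2017-06-12T09:00:01;IED-A;viewer9;LOGIN_FAILED;hmi
2017-06-12T09:00:03;IED-A;viewer9;LOGIN_FAILED;hmi
2017-06-12T09:00:06;IED-A;viewer9;LOGIN_FAILED;hmi
2017-06-12T09:00:08;IED-A;viewer9;LOGIN_FAILED;hmi
2017-06-12T09:00:20;IED-A;viewer9;LOGIN_OK;hmi
2017-06-12T09:01:00;IED-A;viewer9;CONTROL;CB1 CLOSE
2017-06-12T10:30:00;IED-A;op1;LOGOUT;hmi
"""

# Constructed RBAC table (hypothetical roles): which privileged event types
# each role may legitimately generate.
ROLE_OF = {"op1": "operator", "eng2": "engineer", "viewer9": "viewer"}
ALLOWED = {"operator": {"CONTROL"}, "engineer": {"CONFIG_CHANGE", "ADMIN"},
           "viewer": set()}
PRIVILEGED = {"CONTROL", "CONFIG_CHANGE", "ADMIN"}
FAIL_THRESHOLD = 3                  # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window raise a finding

def parse(log_text):
    """Parse records into dicts; a malformed line is skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        parts = line.split(";", 4)
        if len(parts) != 5:
            continue
        ts, relay, user, event, detail = parts
        records.append({"ts": datetime.fromisoformat(ts), "relay": relay,
                        "user": user, "event": event, "detail": detail})
    return records

def review(records):
    """Return (findings, usage): findings are (kind, user, detail, ts) tuples
    in time order; usage counts privileged events per user."""
    findings, usage = [], defaultdict(Counter)
    failures = defaultdict(list)  # (relay, user) -> recent failed-login times
    for r in sorted(records, key=lambda r: r["ts"]):
        key, ev = (r["relay"], r["user"]), r["event"]
        if ev in PRIVILEGED:
            # Track usage of privileges and flag use outside the user's role.
            usage[r["user"]][ev] += 1
            if ev not in ALLOWED.get(ROLE_OF.get(r["user"]), set()):
                findings.append(("PRIVILEGE_VIOLATION", r["user"],
                                 f"{ev} {r['detail']}", r["ts"]))
        if ev == "LOGIN_FAILED":
            # Sliding window of failures: a burst suggests an attempt to get
            # past the access control mechanism by guessing credentials.
            window = failures[key]
            window.append(r["ts"])
            while r["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:
                findings.append(("REPEATED_LOGIN_FAILURE", r["user"],
                                 f"{len(window)} failures via {r['detail']}", r["ts"]))
        elif ev == "LOGIN_OK" and len(failures[key]) >= FAIL_THRESHOLD:
            # A success right after a burst of failures deserves a human look.
            findings.append(("LOGIN_AFTER_FAILURES", r["user"],
                             f"success after {len(failures[key])} failures", r["ts"]))
            failures[key].clear()
    return findings, usage

if __name__ == "__main__":
    for kind, user, detail, ts in review(parse(SAMPLE_LOG))[0]:
        print(ts.isoformat(), kind, user, detail)
```

On the constructed records the review yields three findings, all for viewer9: the burst of failed logins, the login that followed it, and a breaker operation that the viewer role is not allowed to perform.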
Protection and control relays in power transmission and distribution systems must have the capability to record user activities associated with relay configuration, monitoring and control, as per NERC CIP (CIP-007), including failed login/logout, object access, configuration changes, control operations like breaker closing and opening, and administrative tasks. The EU NIS Directive also focuses primarily on the obligation of Critical Infrastructure to report cyber security incidents, making security event logging particularly relevant. The audit trail can be used to:

- Review security-critical events
- Discover attempts to bypass security mechanisms
- Track usage of privileges by users
- Provide a deterrent against attempted attacks
- Perform forensic analysis

Network separation

The network should be divided into different zones depending on the criticality of the nodes within each zone. In a typical substation automation environment, separation could be based on bay and station level devices and computers, depending on the size of the substation. Zones should be separated by appropriate security mechanisms.

The substation network must be separated from any external network. To authenticate accessing entities, the combination of a firewall with a VPN (virtual private network) gateway is a good option. A more secure architecture is to work with a DMZ (demilitarized zone), a zone that serves as a proxy between external networks and the control system. The single electronic security perimeter required by NERC CIP will often not be enough, and is a good example of why security for compliance's sake is not sufficient. Security zones that separate systems based on their communication and protection needs minimize security risks and provide a defense-in-depth architecture.

Secure communications

Figure 4: Secure communication through Public Network (panel labels recovered: Network Control Monitoring & Engineering Centre; Public network / Internet; VPN Tunnel; Substation A with Ethernet Network, IED A and IED B; Workstation with Configuration Tool, SCADA and Web HMI; Secured Communication with IED A (HTTPS, FTPS, other protocols); Security parameter status: Enabled, Secured Access; an intruder sniffing IED data will not be able to understand the information)

The main idea of secure communication is to create a secure channel over an unsecure network. This ensures protection from eavesdroppers and man-in-the-middle attacks by using appropriate cipher suites and trusted digital certificates. As in figure 4, for external connections the use of a VPN is recommended for operational, maintenance and engineering connections alike [2].

Using Internet of Things (IoT) technology to retrieve data and provide information for decision making through advanced analytics can help utilities improve the operational efficiency of the power system network. IoT-based concepts like Microsoft's Azure and “ABB Ability” support advanced analytics of data gathered through networked devices and sensors. E.g., the IoT-based “ABB Ability” concept is being used for monitoring 20,000 substation transformers and breakers in the network of American Electric Power, with an Asset Health Center to analyze asset health, recommend maintenance actions and prioritize replacements [5]. The key factor here is to secure the transfer of information or data to remote control and monitoring centers.

System hardening & Robustness

Relying on network separation and protected/secured communication is to be augmented by protecting each individual system component, which includes system hardening. As in NERC CIP (CIP-007), every single device or computer within the substation must be hardened to minimize its attack surface. As in figure 5, hardening includes restricting applications, open ports and services to an absolute minimum, following the least privilege principle. This step is best done from vendor-provided information on the ports or applications necessary for normal operation, as well as the security hardening guidelines for their products and systems.

Figure 5: General system hardening and robustness test process

Harden the system by removing or deactivating all unused processes, communication ports and services. It should be possible to open or close all physical ports dedicated to station bus communication in the relay configuration. The relay manufacturer must state, in a cyber security deployment guideline or document, the IP ports which are open by default as part of the factory configuration and the other ports available for configuration, in order to set up the IP firewall for the station gateway.

System hardening is a continuous activity that starts from installation and commissioning and continues during the system's lifetime. While system-level vendors can at best provide some guidelines, it is the responsibility of the plant owner to decide the security mechanisms and the appropriate level of hardening. Services like fingerprinting and patch management, as well as vulnerability assessment and penetration testing, are key.

The robustness of the communication protocol needs to be tested. A robust implementation allows the device to recover from attacks. E.g., if a protocol is not implemented as per the RFC, then the device may fail or restart when a specific packet sequence is not followed. Robustness testing and analysis identifies such cases and forces the device manufacturer to fix these issues before offering the device to the customer. While robustness may not be able to stop cyber-attacks, due to the lack of authentication and crypto mechanisms in the protocols themselves, it does ensure recovery post attack. This increases the availability of the device, which is the primary need in an OT environment.

Application Security

SCADA systems in the substation include relays, gateways and HMIs, which use many custom and generic

applications, databases etc. to receive, store and process the information for decision making. Applications like web servers, event handlers, fault data recorders etc. communicate and exchange data with other parts of the system or with external programs or users. These applications must perform proper data validation before exchanging the information. Applications should use proper defenses to prevent any kind of cyber-attack or hacking, so as to prevent or limit information leakage. Robustness analysis of the applications is as valid as the communication robustness analysis.

Secure Storage & portable media

Securing sensitive data and operational information is necessary, and relevant files are to be encrypted. An alternative to this would be applying strict access control and generating alerts when this data is accessed. Besides static connections between the substation and external networks, there exist temporary, indirect connections, e.g., mobile devices connected to a relay/computer, that are often overlooked when securing substation systems.

PATCH MANAGEMENT AND HANDLING FIRMWARE UPDATES

Cyber security updates and software improvements drive relay manufacturers to release firmware updates occasionally, if not regularly. Firmware patch management is usually a cumbersome effort for relay manufacturers as well as utilities. Relays are pure embedded devices with a life cycle of 20 years. Once in service on a critical feeder or primary equipment, it is very difficult to obtain a shutdown in order to update firmware at the customer site/field. It is also very important to retain or restore the customer's own customized configuration and protection settings after the completion of the firmware update process. For remote firmware updates, the prerequisite is that the communication link must be secured. Updates on relays installed in the field may have to be done through dial-up connections over VPN links.

SECURITY CONSIDERATIONS FOR RELAYS CONNECTED VIA WIRELESS

In distribution automation, relays like recloser protection and feeder protection relays are often outside in the field, mounted on a pole or fitted in field marshalling boxes, and connected to the main substation through wireless media. Only secure wireless communication with appropriate configuration is to be used, as wireless traffic can be easily intercepted and manipulated by attackers. Access points should be positioned and arranged such that the useful signal strength is limited as far as possible to within the physically secured perimeter, e.g. by the use of directional antennas. Since wireless communication can be jammed, the overall system should be designed to react safely to the loss of any wireless connection. In case of cyber attacks, relays should still be able to perform their core protection functions and recover their communication capability as soon as the attack vectors diminish; secure log events also need to be generated to provide clues about the security breach incidents.

CONCLUSION

The cyber security environment is very dynamic. Relays and SCADA systems are key elements in the distributed power system network. In order to reap the benefits promised by the Smart Grid, continuous improvements are needed for these devices and systems to be secure.

The security architecture in the relays needs to evolve continuously to keep the power system network robust enough to handle cyber security threats effectively. We need to ensure that modern communications technology can continue to be used to retrieve the data provided by the thousands of relays in the power system network. It is always essential to do robustness analysis to ensure recovery from attacks and increase availability. It is important to adopt secure product development practices, including security assessment, in order to create a robust device architecture. The defense-in-depth principle demands protecting each individual system component in the power system network.

REFERENCES

[1] Markus Braendle, Steven A. Kunsman, “Balancing the Demands of Reliability and Security: Cyber Security for Substation Automation, Protection and Control Systems”, ABB white paper.
[2] Sukumara T, Janne Starck, Kishan SG, Harish G, Eashwar Kumar, 2013, “Cyber Security – Secure Communication design for protection and control IEDs in sub-station”, CIGRE D2 Colloquium, Mysore.
[3] Sukumara T, Eashwar Kumar, Niko Lehtonen, Janne Starck, Fabrizio Commuzi, 2015, “Handling Cyber security updates for protection and control IEDs in substation during product's life cycle”, CIRED 23rd International Conference on Electricity Distribution, Lyon, France, 15-18 June 2015.
[4] SANS ICS, “Confirmation of a Coordinated Attack on the Ukrainian Power Grid”.
[5] ABB, “ABB drives the Internet of Things and …”, Hannover Messe 2016, IoTSP positioning paper (PDF).
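The protocol robustness testing described under System hardening & Robustness and the data validation called for under Application Security, as an added example that is not part of the paper: a constructed toy frame format (not IEC 60870-5-104, DNP3 or any other real SCADA protocol) is parsed once the way a first implementation often does and once defensively, and a small mutation fuzzer counts how often each parser would have "restarted" the device on malformed traffic.

```python
"""Protocol robustness: naive vs. robust frame parser under malformed input.
Added example, not from the CIRED paper. The frame layout is a constructed toy
format (not IEC 60870-5-104, DNP3 or any real SCADA protocol):
START(0x68) LEN SEQ FC PAYLOAD[LEN] CKSUM, CKSUM = sum(LEN..PAYLOAD) % 256,
SEQ increments by 1 per frame."""
import random

START = 0x68
MAX_LEN = 64  # largest payload the (hypothetical) device buffer is sized for

def build_frame(seq, fc, payload):
    """Encode one well-formed frame; used to construct test traffic."""
    body = bytes([len(payload), seq & 0xFF, fc]) + payload
    return bytes([START]) + body + bytes([sum(body) & 0xFF])

def parse_naive(stream):
    """Trusts LEN and SEQ as a first implementation often does: a truncated frame
    raises IndexError, a skipped SEQ raises AssertionError (a device fault/restart)."""
    frames, i, expected = [], 0, None
    while i < len(stream):
        assert stream[i] == START, "lost framing"
        length, seq, fc = stream[i + 1], stream[i + 2], stream[i + 3]
        cksum = stream[i + 4 + length]  # read, never verified; IndexError if short
        assert expected is None or seq == expected, "sequence error"
        frames.append((seq, fc, stream[i + 4:i + 4 + length]))
        expected, i = (seq + 1) & 0xFF, i + 5 + length
    return frames

def parse_robust(stream):
    """Validates every field, resynchronises on the next START byte and reports a
    sequence gap instead of stopping. Never raises; returns (frames, events)."""
    frames, events, i, expected, n = [], [], 0, None, len(stream)
    while i < n:
        if stream[i] != START:
            i += 1  # resync: discard one byte, look for the next START
            continue
        if i + 4 > n:
            events.append("truncated header")
            break
        length, seq, fc = stream[i + 1], stream[i + 2], stream[i + 3]
        end = i + 4 + length  # index of CKSUM
        if length > MAX_LEN or end >= n:
            events.append(f"bad length {length}")
            i += 1
            continue
        if sum(stream[i + 1:end]) & 0xFF != stream[end]:
            events.append("checksum mismatch")
            i += 1
            continue
        if expected is not None and seq != expected:
            events.append(f"sequence gap: expected {expected}, got {seq}")
        frames.append((seq, fc, bytes(stream[i + 4:end])))
        expected, i = (seq + 1) & 0xFF, end + 1
    return frames, events

def good_stream():
    """Three well-formed frames, as the device sees in normal traffic."""
    return b"".join(build_frame(s, 0x01, bytes([s]) * 3) for s in range(3))

def fuzz(parser, rounds=500, seed=7):
    """Mutate good traffic (bit flips, dropped and inserted bytes) and count how
    often the parser raises, i.e. how often the device would 'restart'."""
    rng, crashes = random.Random(seed), 0
    for _ in range(rounds):
        data = bytearray(good_stream())
        for _ in range(rng.randint(1, 4)):
            op, pos = rng.choice(["flip", "drop", "insert"]), rng.randrange(len(data))
            if op == "flip":
                data[pos] ^= 1 << rng.randrange(8)
            elif op == "drop":
                del data[pos]
            else:
                data.insert(pos, rng.randrange(256))
        try:
            parser(bytes(data))
        except Exception:  # the naive parser's equivalent of a device restart
            crashes += 1
    return crashes
```

fuzz(parse_naive) reports a non-zero crash count over 500 mutated streams while fuzz(parse_robust) reports none; the events list returned by the robust parser is the log evidence of rejected traffic that the paper asks relays to provide.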
