Substation Cyber Security
 

Like this? Share it with your network

Share

Substation Cyber Security

on

  • 1,618 views

The electric power grid has changed significantly over the past decade and continues to change as technology evolves. More and more, new-generation substation control systems are based on open ...

The electric power grid has changed significantly over the past decade and continues to change as technology evolves. More and more, new-generation substation control systems are based on open standards and commercial technology, including Ethernet and TCP/IP based communication protocols such as IEC 60870-5-104, DNP 3.0 or IEC 61850. While this change in technology has brought about huge operational benefits, it has introduced cyber security concerns and a potential challenge to network reliability. Electronic intrusion into a substation can misdirect or terminate service, and this intrusion can be from internal individuals or external hackers or organizations.

Many substation control and diagnostic systems in deployment were not designed for real-time security functionality and centralized system administration with robust access control. Utilities must implement policies to protect their substation systems against intrusion from within and from outside the corporate network. Further, they must be able to detect intrusion when it does occur to eliminate future untoward effects. Finally, they need to be prepared with planned response and restoration that not only returns targeted functionality but can improve system security.

The global power industry has stepped up its focus on cyber security for control and automation systems, and standards are in place identifying the functionalities required for secure substation operation. Utilities looking to protect against cyber attack on their substation automation systems must implement the SCADA, RTU and IED solutions that incorporate proven-technology and the security mechanisms meeting these standards.

Statistics

Views

Total Views
1,618
Views on SlideShare
1,605
Embed Views
13

Actions

Likes
1
Downloads
40
Comments
0

1 Embed 13

https://twitter.com 13

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Substation Cyber Security Document Transcript

  • 1. Substation Cyber SecurityProtecting the automated control systemJune 2012Make the most of your energy SM
  • 2. SummaryExecutive Summary . ................................................................................... p 1Introduction ................................................................................................. p 2Substation systems: security threat targets................................................... p 4Vulnerability of the substation automation system ........................................ p 6Measures to enhance substation automation system.................................... p 9Addressing cyber security for the substation automation system . ................ p 13Conclusion................................................................................................... p 15
  • 3. Substation Cyber SecurityExecutive summaryThe electric power grid has changed significantly over the past decade andcontinues to change as technology evolves. More and more, new-generationsubstation control systems are based on open standards and commercialtechnology, including Ethernet and TCP/IP based communication protocols suchas IEC 60870-5-104, DNP 3.0 or IEC 61850. While this change in technologyhas brought about huge operational benefits, it has introduced cyber securityconcerns and a potential challenge to network reliability. Electronic intrusion intoa substation can misdirect or terminate service, and this intrusion can be frominternal individuals or external hackers or organizations.Many substation control and diagnostic systems in deployment were not designedfor real-time security functionality and centralized system administration withrobust access control. Utilities must implement policies to protect their substationsystems against intrusion from within and from outside the corporate network.Further, they must be able to detect intrusion when it does occur to eliminatefuture untoward effects. Finally, they need to be prepared with planned responseand restoration that not only returns targeted functionality but can improve systemsecurity.The global power industry has stepped up its focus on cyber security for controland automation systems, and standards are in place identifying the functionalitiesrequired for secure substation operation. Utilities looking to protect against cyberattack on their substation automation systems must implement the SCADA,RTU and IED solutions that incorporate proven-technology and the securitymechanisms meeting these standards. White paper | 01
  • 4. Substation Cyber SecurityIntroductionTraditionally, an electric utility’s concerns regarding substation asset securitycentered on physical threats, both natural and human. In locations other thanthose experiencing civil strife, the primary human threat was considered to bea single, disgruntled employee; an angry customer; or a politically motivatedvandal. In any of these cases, the malfeasant had to be within, or physicallyclose to, the substation to cause damage. To protect assets from these humanthreats, the utility used fences, locked gates, security cameras, SCADA-monitored intrusion alarms and occasional onsite monitoring visits by utilitysecurity staff.More recently, both the nature and magnitude of the threat to substation assetshave changed. Now, the equipment for monitoring and controlling substationdevices is usually connected by communication lines to wide-area networkspotentially accessible by the general public. Consequently, an individual seekingto damage utility assets can do so from places hundreds or thousands ofkilometers distant and potentially impact multiple substations simultaneously.The magnitude of the threat also has changed. Organized and well-fundedgroups have publicly stated their goal of damaging key elements of society’scritical infrastructure. Evidence shows that some organizations have beengathering information about public utilities and investigating the electronicdefenses of corporate computing networks. Probes specifically targeting thebusiness systems of electric utilities have been documented. However, becausesubstations generally do not have firewalls or intrusion detection systems, it isnot possible to know if they are being targeted.This paper addresses the nature of cyber threats, their potential to damage utilityassets and the means to detect and recover from them. White paper | 02
  • 5. Substation Cyber Security
  • 6. Substation Cyber SecuritySubstation systems: security threat targetsThe IEEE 1402 standard refers to cyber intrusions as‘electronic intrusions’ and defines them as “Entry intothe substation via telephone lines or other electronic-based media for the manipulation or disturbanceof electronic devices. These devices include digitalrelays, fault recorders, equipment diagnosticpackages, automation equipment, computers,programmable logic controllers, and communicationinterfaces.”Power substation security threats are primarilyrelated to the ability to remotely access protection,control, automation and SCADA equipment. Througha power substation’s communications vulnerability,an electronic intruder could access the substationSCADA system. Inappropriate circuit breaker other utilities, as well as industry equipment suppliers,operation sequence would result in an electric arc contractors and consultants, are well acquaintedbetween the contacts of the disconnector and high- with the hardware, software, architecture andrate optic and acoustic phenomena. Manifesting as communication protocols implemented in substationan explosion, the event would spray melted metal operations. Often, the suppliers of hardware,and result in an inter-phase short circuit. software, and services to the utility industry are granted the same level of trust and access as theSuch a failure would lead to complete destruction of utility individuals themselves – making the definition ofthe disconnector and partial or complete destruction an ‘insider’ much more broad.of other components in the substation, along withdisturbance in substation operation and interruption Further, a utility employee who has access keysof energy supply to consumers. Personnel can be and passwords can be motivated by the prospectseriously injured. Depending on the state of the of financial gain from making that informationpower system at the moment of switching operation, available. Computer-based systems at substationsthe incorrect switching sequence could also cause contain data of value to a utility’s competitors asa large power system failure and compromise the well as information – such as the electric load of asafety of the electric power system. customer industrial plant – that might be of value to that customer’s competitors. Certainly, corporateInternal attackers. Investigations of threats to employees are approached to provide interestedcorporate computer hardware and software systems parties with valuable information; it can’t be ruledtypically reveal that the majority of attacks come from out that a similar situation could occur with utilityinternal sources. Substation control systems and employees who have access to substation systems.intelligent electronic devices (IEDs) are different from Further, the possibility exists of an employee beingthose at work in corporations, in that information bribed or blackmailed to cause physical damage orabout their computer hardware and software systems to disclose privileged information that would enableis not well known to the general public. However, other parties to cause damage. White paper | 04
  • 7. Substation Cyber SecuritySuppliers. A potential threat exists with employees Terrorists. The most serious security concern isof substation equipment suppliers, who also have with those antagonists, domestic or foreign, whoaccess to – or the knowledge that enables access have the resources to mount a serious attack. Theyto or damage of – substation assets. One access can be quite knowledgeable, since the computer-path is through the diagnostic port of the substation based systems that outfit a substation are sold withmonitoring and control equipment. It is common minimal export restrictions worldwide – complete withthat the manufacturer of a substation device has documentation and operational training. The dangerthe ability to establish an Internet link or telephone from an attack mounted by an organized hostileconnection with the device for the purpose of power is increased by the fact it can occur in manyperforming diagnostics. An unscrupulous employee places simultaneously and would likely be coupledof the manufacturer could use this link to cause with other cyber, physical, or biological attacks aimeddamage or gather confidential information, as has at crippling response capabilities.happened many times in other industries. Employeesof the utility or equipment supplier also can illicitlyaccess computer-based substation equipment via thecommunications paths into the substation.Hackers. Other potential intruders include the hackerwho is simply browsing and probing for weak links topenetrate corporate defenses and the individual whois motivated to cause damage by a grievance againstthe utility or against society in general.Criminals. Another potential security problemlies with those who threaten to do damage, in theattempt to extort money, or attempt to accessconfidential corporate records, such as the customerdatabase, for sale or use. White paper | 05
  • 8. Substation Cyber SecurityVulnerability of the substation automationsystemConventional computer systems have always beensusceptible to those exploiting programming errorsin operating systems and application software;cracking user passwords; taking advantage ofsystem installations that leave extraneous servicesand open ports susceptible; and penetratingimproperly configured firewalls that do guard againstunauthorized communications.In addition to these common vulnerabilities, thecontrol and diagnostic systems in substationshave a number of system-related cyber securityvulnerabilities –Slow processorsOne way to strengthen the privacy and authenticity The remote terminal units (RTUs) and IEDs in someof messages transmitted across insecure channels substation systems use early microprocessoris to use encryption. However, encryption technique technology. They have limited memory and oftenoften is too resource-intensive for most current IEDs have to meet stringent time constraints on theirand many existing substation automation systems. communications. With microprocessors that do notFurther, many substation communications channels have the processing capability to support additionaldo not have sufficient bandwidth for the transmission computational burden, it is not feasible to enhanceof longer, block-encrypted messages. communications security through data message encryption.Real-time operating systemsDesign of the real-time operating systems embeddedwithin many IEDs poses another security risk. Somesuppliers of these embedded operating systemshave not had to meet the requirements for securecommunications. Their software systems weredesigned to operate in an environment focusing ondeterministic response to events; information securitywas a lower priority. White paper | 06
  • 9. Substation Cyber SecurityCommunications mediaThe data messages that substation IEDs exchange In addition, much of the data traffic to and from awith the outside world are often transmitted over substation travels over wireless networks. Intrudersmedia that are potentially open to eavesdropping with the proper equipment can record and interpretor active intrusion. Dial-in lines are common, and data exchanges and can insert their own messagesthe IED will accept phone calls from anyone who to control power system devices.knows its phone number. Many IEDs are IP (Internetprotocol)-enabled, which means they can beaddressed by computers connected to the Internet.Open protocolsMany protocols have been used for communications An RTU test set usually involves a portable devicebetween the substation and the utility control center. and communications port with a user interface thatIn the past, these protocols typically were vendor- interprets the messages being sent to and from thespecific and proprietary. However, in recent years RTU or IED, allowing the user to define and issuethe majority of communications implementations commands to the substation device. An intruderhave been executed to the IEC 60870-5 standard can patch into the communications channel to a(in Europe), the DNP3 standard (in North America), substation and use a test set to operate devices ator – to much less extent – the IEC 60870-6 TASE.2 the substation.standard, also called ICCP. These protocols are non-proprietary, well documented and available to thegeneral public. When these protocols were designed,security was not a key issue.Lack of authenticationCommunication protocols in current use do notprovide a means for confirming each other’s identityand securing data exchange. An intruder with accessto a communications line to a controllable devicecan execute a control in the same manner as anauthorized user. Intruders can also mimic a datasource and substitute invalid data. In most cases,the program receiving the data does not performvalidation that would detect this kind of interference. White paper | 07
  • 10. Substation Cyber SecurityLack of centralized system administrationUnlike the IT domain, where there is a central system personnel who have no reason for access. They wouldadministrator to designate and track authorized users, be able to perform critical functions such as assigningsubstation automation system users often are their passwords, assigning log-in IDs, configuring theown system administrators and have the authority to system and adding or deleting software.perform all security functions. This situation can makeaccess to substation automation systems available toLarge numbers of remote devicesA typical utility has from several dozen to severalhundred substations at geographically dispersedlocations, and each automated substation typicallyhas many IEDs. Therefore, there is a high cost toimplement any solution that requires upgrading,reprogramming or replacing the IEDs. White paper | 08
  • 11. Substation Cyber SecurityAddressing cyber security for the substationautomation systemThe strategies for enhancing cyber security of control and diagnostic systems at substations are the same asthose that would be applied for other corporate computer systems: (1) prevent cyber intrusion where possible;(2) detect intrusion where it could not be prevented; (3) recover from an intrusion after detection; and (4) usethe experience to improve preventive measures.Protecting Substation SystemsIntrusion from inside the corporate network. Withsubstation control and monitoring systems connectedto the utility’s corporate wide-area network, alarge potential threat to these systems exists fromunauthorized users on that corporate network. Thecorporate network should be made as secure aspossible –•  he most important measure is one of the simplest: T ensuring that all default passwords have been removed from all substation systems and that there are no accounts without any password.•  ser passwords should not be simplistic. U However, passwords that are difficult to guess are also difficult to remember. Procedures should discourage users from posting their passwords on the terminal of the system being protected.•  asswords should be immediately terminated as P soon as its owner leaves employment or changes job assignments. Intrusion from outside the corporate network.•  ifferent sets of privileges should be established for D The possibility of intrusion by outsiders who have different classes of users. For example, some users gained direct access to substation devices through should be allowed only to view historical substation unprotected communications channels poses data. Other users might be permitted to view only new challenges to the cyber security of substation real-time data. Operators should be given only systems. control privileges, and relay engineers’ authority The SCADA communication line links the utility should be limited to changing relay settings. control center and the substation. This line carries White paper | 09
  • 12. Substation Cyber Securityreal-time data from substation devices todispatchers at the control center and controlsmessages from the dispatchers back to thesubstation. In the case of substation automation, adata concentrator or a substation automation hostprocessor serves as the RTU in sending substationdata to the control center and in responding to thedispatcher’s control commands.A variety of media, such as power line, leasedlines, microwave, multiple-address radio, satellite-based communications, fiber optic cable andothers, are used to connect the substationRTU with the control center. It is quite commonfor communications from control center tosubstation to use different media along different There are two lines of defense that a utility cansegments of the path. Some of these media, take –especially the wireless ones, are subject toeavesdropping or active intrusion. At least one •  trengthening the authentication of the user Scase has been reported in which an intruder confirms the identity of the prospective IED user.used radio technology to commandeer SCADA As the very first step, the utility should ensurecommunications and sabotage the system. Of that the default passwords originally suppliedthe many alternatives, using fiber optics offers the with the IEDs are changed and that a set ofmost security against SCADA communications strong passwords are implemented.intrusion. • Encrypting communications between the In substation integration and automation user and the IED to ensure that only users insystems, IEDs intrinsically support two-way possession of the secret key would be ablecommunications. Once the user has logged on to to interpret data from the IED and change IEDthe IED, the user can use the connection to: parameters.• Acquire data that the IED has stored Note: once the industry has agreed on a standard technique for encrypting messages,•  hange the parameters of the IED, such as the C IED manufacturers can plan for economies of settings of a protective relay scale. If there is a demand for encryption of IED communications, and industry-wide consensus• Perform diagnostics on the IED on the approach, IED manufacturers will develop an effective way to embed the algorithm in the•  ontrol the power system device connected to C processor of IEDs at little incremental cost. the IED; that is, operate a circuit breaker White paper | 10
  • 13. Substation Cyber SecurityDetecting IntrusionWhile it is extremely important to prevent intrusions to a security breach instead of some other failureinto one’s systems and databases, an axiom of cyber such as a voltage transient, relay failure or softwaresecurity is that any intrusions must be detected, bug.because an intruder who gains control of a substationcomputer can gather data – including the log-on For these reasons, it is important to make everypasswords of legitimate users – and use that data at effort to detect intrusions when they occur and deraila later time to operate power system devices. Further, future data manipulation by the intruder. To thisthe intruder can set up a mechanism, sometimes end, a number of IT security system manufacturersreferred to as a ‘backdoor’, that will allow easy have developed intrusion detection systems (IDS).access at a future time. These systems are designed to recognize intrusions, based on parameters such as communicationsIf no obvious damage was done at the time of the attempted from unauthorized or unusual addressesintrusion, it can be very difficult to detect that the and an unusual pattern of activity, and generate logssoftware has been modified. For example, if the goal of suspicious events. This response allows systemof the intrusion was to gain unauthorized access administrators, control engineers and operatorsto utility data, the fact that another party is reading to apply solutions powered by security eventconfidential data might never be noticed. Even when management technology to quickly recognize andthe intrusion does intentionally open a circuit breaker respond to events impacting security, complianceon a critical circuit or cause other damage, it might and operational efficiency.not be at all obvious that the false operation was dueResponding to IntrusionThe ‘three Rs’ of response to cyber intrusion are as evidence in court in the event the intruder isrecording, reporting, and restoring – apprehended. However, due to the high frequency of SCADA communications, the low cost of substationTheoretically, it would be desirable to record all communications equipment, and the fact thatdata communications into and out of all substation substations are distant from corporate security staff,devices. If an intruder successfully attacks the it might be impractical to record all communications.system, the recordings could be used to determine System owners will probably defer any attemptswhat technique the intruder used to modify the to record substation data communications untilsystem and then close that particular vulnerability. (a) storage media are developed that are fast, voluminous and inexpensive, or (b) SCADA-orientedRecording would be invaluable in helping identify intrusion detection systems are developed that canthe intruder. Further, a recording made in a way filter out usual traffic and record only the deviantthat is demonstrably inalterable can be admissible patterns. White paper | 11
  • 14. Substation Cyber SecurityBut even if the communications sequenceresponsible for an intrusion is neither detectednor recorded when it occurs, it is essential thatprocedures be developed for the restoration ofservice after a cyber attack. It is extremely importantthat the utility maintain backups of the software of allprogrammable substation units and documentation ofall IED standard parameters and settings.After the utility suspects an intrusion or determinesthat a particular programmable device has beencompromised, the software should be reloadedfrom the secure backup. If the settings on an IEDhad been illicitly changed, the original settings mustbe restored. Unless the nature of the breach ofsecurity is known and can be repaired, the utilityshould seriously consider taking the device off line orotherwise making it inaccessible to prevent a futureexploitation of the same vulnerability. White paper | 12
  • 15. Substation Cyber SecurityAddressing cyber security for the substationautomation systemCyber security risks were inherited when open ITstandards were adopted. Fortunately, this movementalso inspired the development of cyber securitymechanisms in a large number of enterpriseenvironments to address these risks. Substationautomation system providers are taking a systematic,global approach, continuously adapting to meetchanging demand through standardization andproactive R&D efforts.Standards activity addresses cyber securityrequirements both at the system level and theproduct level and includes –•  IST SGIP-CSWG Smart Grid Interoperability Panel N – Cyber Security Working Group•  ERC CIP Cyber Security regulation for North N Security mechanisms designed and developed American power utilities specifically for substation automation systems use proven technology to support advanced account• EC 62351 Data and Communications Security I management and detailed security audit trails in RTUs/IEDs and SCADA. Utilities should look for cyber• EEE PSRC/H13 Cyber Security Requirements for I security solutions that enable: Substation & SUB/C10 Automation, Protection and Control Systems •  ser account management – Supports user U authentication and authorization at the individual-• EEE 1686 IEEE Standard for Substation I user level. User authentication is required and Intelligent Electronic Devices (IEDs) Cyber Security authorization is enforced for all interactive access to Capabilities the device.• SA S99 Industrial Automation and Control System I •  ser accounts – Allows full management of user U Security accounts, including creating, editing and deleting. User names and passwords can be configuredVerified antivirus software protects station according to user‘s requirements.computers from attacks and viruses. Cyber securityalso can be improved by limiting the use of removablemedia in the station computers. White paper | 13
  • 16. Substation Cyber Security• Role-based access control – Enables each  • External security clients – Sends security  user account to be assigned a specific role, and events to external security log clients such user roles can be added, removed and changed as the Security Event Manager, which uses a as needed. monitoring and response device for visibility of real time security events.•  assword complexity – Enforces password P policies with minimum password length, •  ecurity events to control system – Sends S maximum password lifetime and use of security events and alarms via host protocol to lower case, upper case, numeric and special the control systems. User configures settings for characters. security alarms.• HTTPS support – Permits encrypted  • VPN function – Offers one encrypted channel  communication between the web browser and between the SCADA or RTU and the IPsec the RTU. A standard browser can be utilized Router on the user’s side. The VPN tunnel such as Internet Explorer or Firefox. In addition, provides confidentiality, integrity and authenticity. self-signed certificates, pre-installed at web A secure communication via public networks client, can be used. with fixed IP addresses is possible. The authentication is managed with pre-shared keys.•  ocal logging – Creates audit trails (log files) L of all security-relevant user activities. Security events logged include user login, logout, change of parameters, configurations and updates of firmware. For each event, the date and time, user, event ID, outcome and source of event is logged. Access to the audit trail is available to authorized users only. White paper | 14
  • 17. Substation Cyber SecurityConclusionThe electric utility’s concern about cyber security of its substation automationsystems is well founded. These systems are, in several ways, even more subjectto intrusion than conventional computer systems. Yet, the utility has many optionsfor preventing and detecting electronic intrusion from within its organization andfrom outside the corporate network. Substation automation system providers haveidentified cyber security as a key requirement and are designing and developingsolutions, using proven technology, to provide advanced account managementand detailed security audit trails for their network RTUs, IEDs and SCADA. White paper | 15
  • 18. ©2012 Schneider Electric. All rights reserved.Schneider Electric USA, Inc. 4701 Royal Vista Circle Fort Collins, CO 80528 Phone:  -866-537-1091 1 + (34) 9-17-14-70-02 Fax: 1-970-223-5577 www.schneider-electric.com/us July 2012