CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids Grid Automation - ABB Brasil)

—JULIO OLIVEIRA, ABB POWER GRIDS – GRID AUTOMATION, MAY 15TH
Cyber security for digital substations: Protection and control systems
CLASS 2018 – 3ª Conferência Latino Americana de Segurança em SCADA

—
Current challenges and changes facing utilities
May 14, 2018 Slide 2
Aging infrastructure
Legacy systems with static or
eletromechanical relays, and even
first microprocessor based relays
Workforce in transition
Maintenance and operation
engineering groups members
elegible for retirement in next few
years.
Reliability
There´s increasing pressure to
continually improve reliability
and customer satisfaction.
Spending justification
Revenue challenges and regulatory
inspection will drive the
costs/expenditure.
Cyber security
Attacks on critical infrastructure are
increasing in terms of regularity and
sophistication.
Disruptive technologies
Digitalization techniques for
substation automation via IEC
61850, concerns about cyber security
and asset management demands
attention by the utilities part.
Changes in business model
New players are entering in energy
market, and among them are investors
who are non-utilities companies. This
group will be responsible by 20% of
transmission and distribution around the
world until 2020.
Training
Network computers and its
protocols, topologies and
communication redundancy.
Costs
Minimize→ Optimize
Performance
Exceed→ Meet or beat
Risks
Avoid → Manage
$

—
Beyond the redundancy, synch and performance …
Meet the standards
Features and resources included

—
Digital substations concepts
What´s cyber security for utilities and its impacts growing?
A substation automation system risks
IEC 61850-9-2LE: Actions taken for process bus hardening
Protection and control cyber security features
Cyber security for digital substations
Agenda

—
Digital substations concepts

—
Intelligent
substation
HMI
SDM600
Data
manager
How the digitalization is understood by the utilities
Digital substation concepts and scenarios
Station bus
Process bus
Mobile workforce
management
CALM
Platform
SCADA NCC
Disturbanc
e records
Operation
Network control center
Super PDC
PMUs
SCADA Level 2
RTU Gateway Level 2
Cyber security
Merging
units
Ability
Primary apparatus sensing
Control room perimeter
Teleprotection over
MPLS with FOX615
1
2
3
4
7
x
Opportunities to explore with digital substations
- Process bus
- Cyber security
- MPLS/TP teleprotection
- PMUs
- Asset management
- MESH industrial Wifi communication
- Primary apparatus sensing
“A digitalized substation (no digital substation) doesn´t considers the gray areas!”
Asset Management
PMU and PDCs
WiFi Industrial
6
5

—

—
Definition and vulnerabilities
“Measures taken to protect substation automation systems and communication networks against unauthorized access, attacks, disruption or loss”
Cyber security
Vulnerabilities
Vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability or confidentiality of that product.
Examples:
• allows an attacker to execute commands as another user and conduct a denial service
• allows an attacker to access data from a other user or pose as another entity
Heterogeneous nature of SAS nets has complicated tasks such as:
• revoking staff credentials and changing default passwords
Factory default accounts often remain unchanged after handover from manufacturer to customer.
• may even remain unchanged for their entire lifetime
Unchanged factory default accounts make it easy for an attacker to access devices in a short time.
• without the need for any special skills and special knowledge
User accounts in industrial enviroments

—
Legal and illegal penetration tools – the risks of not being up to date
– Legal and illegal penetration and hacking tools are freely
available today
– Penetration testing software
– Vulnerability Scanner
– Network discovery and security auditing
– Internet of Things (IoT)
– You can even buy Malware as a service !
The increasing risks Penetration tools
NMAP Metasploit
Shodan Nessus

—
Vulnerabilities in protection and control systems
May 14, 2018 Slide 10
ICS vulnerability – disclosures by year
Source: https://scadahacker.com/
Source: 2016 ICS vulnerability trend report
By FireEye

—
Grid automation cyber security approach
May 14, 2018 Slide 11
– Secure system architecture
– Product and system hardening
– Service offering to keep the cyber security over
the lifetime
Defence in depth

—

—
May 14, 2018 Slide 13
Threats and substation control layers

—
May 14, 2018 Slide 14
Layered architecture
Enterprise NetworkNetwork Control CenterMaintenance Center
Service PC
www.
Secure
SW/FW
Multi – technology
based
operational utility
core network
Core network element
PDH,, SDH Optical,
MPLS, L2 optical / el.
Radio; Wi-Fi, PLC
Any Substation,
Control-Center;
Power-Plant
down to private
consumer
DMZ
Individual User Accounts
Removable Media
Access
Disable Ports /
services
Malware Protection
Patch management
Firewall
Secure
Communication
Local security logging
Central security
logging /Account
Management
IDS
USB
SDM
600
Redundant &
reliable clock &
time
distribution
(not only GPS)
Remote
Support

—

—
Protocols alloacation over Ethernet: IEC 61850-8-1 and 9-2 togheter
May 14, 2018 Sources: ABBSlide 16
The station and process bus togheter offers the following
services. using the 7 OSI layers:
Vertical communication over MMS: Data exchange among
IEDs and supervisory system;
Horizontal communication with GSE messages: Information
between the IEDs;
Process communication: GSE for binary signals between the
IEDs and the merging units, SMV messages for analogs such
as currents and voltages;
IEEE 1588 (PTP) for devices synchronism, accuracy around 1
µs;
Network redundancy in IEC 62439-3 standard (PRP and HSR).
Protocols and services
1
2
3
GOOSE
SV,
GOOSE
Bay 1
Process
bus
Station bus
Merging
Unit
Prot &
Ctrl
Devices
Station
Computer
Gateway
Bay n
SAM600SAM600
4

—
The sampled values in process bus
Which signals are transmitted in a SMV frame?
Four currents, four voltages and their quality information.
Merging units and SMV according IEC 61850-
9-2LE
1
984 bits
This is the size of a
typical SMV frame
4800
It´s the number
of samples in one
second in a 60Hz
frequency rate
5Mb/s
It´s the Ethernet
network
bandwidth
allocated for a
single SMV frame
SMV frame captured with the IEC
61850 State of art testing tool
ITT600

—
Application of HSR protocol for the switchyard network
No switches required, no access point, no point of failures

—

—
May 14, 2018 Slide 20
Protocol hardening Account management Security event logging
Role based account control Certificates Supervision and configuration
- Fuzz testing all protocols
- Security development life cycle
- Protocol conformance
- Device security testing
- Extensive service and port configuration
- Flooding protection
- Local users created in the device
- PCM600 used to manage users
- Removal of default users and passwords
- Central account management –
IEC 62351 with LDAP
- Audit trail
- Reporting on IEC 61850
- Syslog
- Offline log in every IED
- User roles
- User rights
- IEC 62351 part 8
- Self signed certificates
- Customer signed certificates
- Encryption of communication
- Self supervision of hardware and software
- Denial of Service protection
- Extensive configuration possibilities
- Maintenance menu
Features overview

—
Reduce your attack surface Robustness
Only use required services
- All protocol in the IED is checked for protocol conformance
- Fuzz testing is used to make sure we withstand against
possible attack points
- All developers follow ABB’s security development life cycle
process
May 14, 2018 Slide 21
- To reduce the attack surface of the IED we have added
possibility to enable/disable protocols and services per
physical interface
- Configure only the services you need
Protocol hardening

—
Troubleshooting
May 14, 2018 Slide 22
To help the user with common configuration mistakes and to
give solutions to common problems, the IED now have a Hints
menu
– Typical hints can be
• Incorrect configuration of time synchronization
• Invalid reference channel detected
• IEC/UCA 61850-9-2LE data is substituted
Before doing a major change of your configuration, save a restore
point of your IEDs state. This possibility is now added to the
Maintenance menu of the IED.
- Store up to two restore points
With hints and undo possibilities

—
Encryption card
FOX615 and XMC20 Multiplexers
May 14, 2018 Slide 23

—
Cyber security deployment guidelines

—
Cyber security deployment guidelines
Where to find how to configure security?
In the cyber security deployment guideline there are available info
on how to configure the security for the Relion® 670 and 650
series IEDs
It covers
- System setup
- Account management (local / centralized)
- Activity logging
- Local HMI usage (incl. Maintenance menu)
- Standard compliance statement
Instructions for hardening

CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids Grid Automation - ABB Brasil)

CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids Grid Automation - ABB Brasil)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids Grid Automation - ABB Brasil)

Similar to CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids Grid Automation - ABB Brasil) (20)

More from TI Safe

More from TI Safe (20)

Recently uploaded

Recently uploaded (20)

CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids Grid Automation - ABB Brasil)