NERC-CIP’s most recent release, version 5, focuses primarily on BES substations and their critical Cyber Assets (CA), by establishing an Electronic Security Perimeter (ESP) around the substation’s control system. RAD’s Megaplex, a major building block in RAD’s Service Assured Networking (SAN) solutions for power utilities, is strategically located to manage all electronic access to the substation and to protect the cyber assets within it from external and internal attacks.
This paper reviews Megaplex’s 3-tier ESP protection and outlines how it helps power utilities boost their compliance with NERC CIP 005 and 007 requirements.
4. Boosting NERC-CIP Compliance
1 Introduction
The North American Electric Reliability Corporation (NERC) is a regulatory authority whose mission is to assure
the reliability of the bulk electric system (BES) in North America. Its Critical Infrastructure Protection (CIP)
standards deal with both physical and cyber security aspects. With regard to cyber security, NERC-CIP’s most
recent release, version 5, focuses primarily on BES substations and their critical Cyber Assets (CA), by
establishing an Electronic Security Perimeter (ESP) around the substation’s control system.
For over 30 years, RAD has been a supplier to the power utility industry, providing multiservice aggregation and,
more recently, 10 Gbps access/core networks, with its Megaplex line of networking platforms. RAD’s Megaplex, a
major building block in RAD’s Service Assured Networking (SAN) solutions for power utilities, is strategically
located to manage all electronic access to the substation and the cyber assets within it. It has therefore been
enhanced with Cyber Attack Prevention (CAP) capabilities to support the efforts of power utilities to achieve
NERC-CIP compliance for their BES.
Figure 1. RAD’s solutions for power grid control
1. The multiservice aggregation function combines all serial, Ethernet and analog substation traffic (voice,
video, data, automation, and Teleprotection) onto the WAN, for delivery to multiple users outside the
ESP.
2. The 10 Gbps access/core network builder establishes multiple Ethernet rings, allowing wide area
communications with fully redundant channels.
3. Three-layer CAP (Cyber Attack Prevention), allowing device connection control within the ESP,
SCADA-aware security for all substation devices and Man in the Middle (MitM) attack prevention.
2 Multiservice Aggregation and 10 Gbps Access/Core Platform
The Megaplex provides a single point of communications entry (or fallback redundancy) to the substation’s ESP.
It performs multiservice aggregation for the substation’s intelligent electronic devices (IED), Teleprotection
communications, voice and video, remote terminal unit (RTU) communications, etc. In addition, the Megaplex
acts as a 10 Gbps access/core network builder.
The field-proven Megaplex has been widely deployed in substations worldwide, delivering robust communications
that meet power utilities’ exacting requirements, including sub-3-millisecond signaling latency for Teleprotection
between nearby substations.
Figure 2: Multiservice Aggregation and 10 Gbps Access/Core Network with Megaplex
3 Cyber Attack Prevention (CAP)
Unprotected or low-security communication networks for ESPs jeopardize the reliable operations of power
utilities’ BES facilities. Primarily, security measures for critical infrastructure focus on assuring safety and
reliability.
Substation IEDs typically utilize serial or TCP-based protocols such as DNP3, IEC 60870-5-101/104, and IEC 61850.
Secure operation can be significantly enhanced by monitoring the two-way data exchange between these IEDs
and the substation RTU or the aggregation unit, and intervening as necessary.
The CAP shown in Figure 3 below is deployed as an ultimate shield for the substation ESP, protecting its secure
operation from internal or external cyber attacks. Each IED, RTU or other device is separately connected to the
Megaplex, allowing port-specific protection mechanisms to be defined. Under normal operating conditions, each
device communicates through the Megaplex and only safe commands are allowed to reach the IED, e.g., “send
buffer data” or “get time synchronization”. Under no circumstances can the IED be reconfigured or reset to
factory default.
Figure 3: CAP security procedures offered by the Megaplex
Device Connection Control (DCC): The role of this function (marked as A) is to provide a single point of access
control through the Megaplex to each IED (or other device) operating within the ESP. Each communication
session traversing the Megaplex (to access the IED, RTU, or other device) is authenticated using a RADIUS or
TACACS server, and Role-Based Access Control (RBAC) is enabled. This permits only authorized functions to
access only specific devices and only during predefined time periods. Each device and each port in the
substation is monitored, and any connection, disconnection or reconnection is recorded.
SCADA-aware security layer: This function (marked as B) is performed by an embedded processing unit and
operates as an application-specific firewall, controlling all connections within the substation ESP. In addition to
typical firewall functionality, it may perform anomaly detection to prevent external cyber attacks.
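
The per-port rule described above, where only safe commands reach the IED, can be illustrated for DNP3 as a default-deny filter on the application function code. This is an added example, not RAD’s code or the Megaplex rule set; the allowlist contents and the names `decide`, `user_data` and `build` are assumptions, and only single-segment requests are handled.

```python
import struct

# Assumed per-port allowlist of DNP3 (IEEE 1815) application function codes.
ALLOWED = {0x00: "CONFIRM", 0x01: "READ",
           0x17: "DELAY_MEASURE", 0x18: "RECORD_CURRENT_TIME"}

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def user_data(frame: bytes) -> bytes:
    """Verify every CRC block of one link frame and return its user data."""
    if frame[:2] != b"\x05\x64" or len(frame) < 10 or frame[2] < 5:
        raise ValueError("not a DNP3 link frame")
    n, pos, out = frame[2] - 5, 0, []      # length field counts 5 header bytes
    for size in [8] + [16] * (n // 16) + ([n % 16] if n % 16 else []):
        body, crc = frame[pos:pos + size], frame[pos + size:pos + size + 2]
        if len(crc) != 2 or int.from_bytes(crc, "little") != crc_dnp(body):
            raise ValueError("bad or truncated CRC block")
        out.append(body)
        pos += size + 2
    return b"".join(out[1:])               # out[0] is the 8-byte link header

def decide(frame: bytes) -> str:
    """Default deny: forward only intact frames with an allowlisted function."""
    try:
        data = user_data(frame)
    except ValueError as err:
        return f"DROP ({err})"
    # data = transport header (0x40: first segment), app control, function.
    if len(data) < 3 or not data[0] & 0x40:
        return "DROP (no application header)"
    name = ALLOWED.get(data[2])
    return f"FORWARD {name}" if name else f"DROP (function 0x{data[2]:02X})"

def build(app: bytes, dest: int = 10, src: int = 1) -> bytes:
    """Constructed sample input: wrap an application fragment in a link frame."""
    data = b"\xC0" + app                   # transport header: FIR|FIN, seq 0
    head = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(data), 0xC4, dest, src)
    parts = [head] + [data[i:i + 16] for i in range(0, len(data), 16)]
    return b"".join(p + struct.pack("<H", crc_dnp(p)) for p in parts)

if __name__ == "__main__":
    for app in (b"\xC0\x01\x3C\x01\x06", b"\xC0\x0D"):   # READ, COLD_RESTART
        print(decide(build(app)))
```

Frames that fail a CRC or carry a function code outside the allowlist (WRITE, COLD_RESTART and so on) are dropped, which is the log event an operator would want recorded per port.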
Man in the Middle (MitM) attack prevention: IEEE 802.1AE (MACsec) integrity and confidentiality mechanisms
(marked as C) operate at Layer 2 (the Link Layer) of the OSI stack, thus securing all communications to and from
the substation, to prevent MitM attacks. MACsec is agnostic to higher-layer protocols (such as DNP3,
IEC 60870-5-104, IEC 61850, Mirror Bit, etc.), and thus allows them to securely flow across the network.
With MACsec, each data packet is forwarded on a hop-by-hop basis, i.e., at each node the packet is
authenticated and checked for tampering (and if encryption is employed, decrypted and re-encrypted) using AES
with a 128- or 256-bit key. This guarantees a high level of data security by mitigating source spoofing, session
hijacking, MitM interventions, Denial of Service (DoS), and Distributed DoS (DDoS) attacks.
4 Supporting NERC-CIP Compliance
NERC-CIP compliance is an important challenge for power utilities. The requirements in the latest NERC-CIP
release (version 5, sections 002 to 011) provide best practices for ensuring secure operations. These, together
with physical and organizational measures, are required to be audited annually. The following table outlines how
RAD’s solutions promote compliance with the relevant NERC-CIP requirements.
NERC CIP 5 Section 005

| Requirement | NERC-CIP text | Megaplex support |
|---|---|---|
| R 1.3 | Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default. | The Megaplex provides the required security measures by communicating with an authentication server to ensure that inbound/outbound communications are authorized and to prevent unauthorized reconfiguration. |
| R 1.5 | Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. | The Megaplex includes a hosting processor that enables deployment of customer-specific applications, such as SCADA firewall and anomaly detection for malicious traffic and other unusual streams. IEEE 802.1AE provides authentication, source address verification, data integrity verification, and optionally encryption (if required for the used application). |
| R 2.1 | Utilize an intermediate system such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset. | The Megaplex provides the necessary security using IEEE 802.1AE encryption and 802.1X authorization, and prevents Interactive Remote Access to Cyber Assets within the ESP. A customer-specific SCADA firewall can be deployed to filter incoming data according to IP address and data payload. |
| R 2.2 | For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. | The Megaplex security procedure terminates all encryption processes at the entry point. This allows inspection of the data and blocking of unwanted data and messages, as well as prevention of unauthorized applications. |
| R 2.3 | Require Multifactor Authentication for all Remote Access sessions. | Multifactor authentication can be achieved by strengthening physical security to the facility and the use of a separate login password for all Remote Access sessions. |

NERC CIP 5 Section 007

| Requirement | NERC-CIP text | Megaplex support |
|---|---|---|
| R5.1, R5.2 | Enforce Authentication of interactive user access where technically feasible. | The Megaplex utilizes IEEE 802.1X based authentication. Access Control, user authentication and privilege-level associations for local and remote access are provided using Secure Shell (SSH) via TACACS or RADIUS-type servers. |
5 Why Select RAD’s Megaplex
RAD has more than 30 years of proven experience, a significant worldwide presence in more than 150 countries,
and an installed base of more than 13 million units. RAD is a member of the US$ 1.2 billion RAD Group of
companies, a world leader in communications solutions.
RAD’s SAN solutions ensure high reliability, smooth migration and cyber security for power utilities. The Megaplex
is an “all-in-one” platform, providing secure multiservice aggregation for substation IEDs, Teleprotection
communications, voice and video, RTU communications, etc. It delivers effective protection for BES and cyber
assets protected by the ESP. These and additional cyber defense measures support the efforts of power utilities
to comply with NERC CIP standards.
The Megaplex also acts as a 10 Gbps access/core network builder. Upgrading the core communications network to
PSN and carrier-grade Ethernet allows the deployment of stronger defense measures to protect the power grid
from vulnerabilities and the risk of cyber attacks.