Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, 14.11.2013
Cyber Security: Secure communication design for protection & control IEDs in sub-stations
D2-02_17
© ABB
July 18, 2015
| Slide 1
Table of contents
Introduction
Network Communication and Protocols
Communication Security
Security Architecture Design in IED
Conclusion
| Slide 2
Introduction
| Slide 3
Introduction
Substation as an Energy and Information Hub
A substation not only delivers energy at a given voltage level; it also transfers the information needed for effective monitoring and control of the power system.
| Slide 4
Introduction
Numerical relays (IEDs): an essential part of the power system
IEDs are the first level of intelligent devices in substations and the power system network. They not only perform protection, control and monitoring of the power system but also play a crucial role in post-fault power restoration and the self-healing network, with the help of the supporting communication network, which is an integral part of the smart grid vision and framework.
| Slide 5
Introduction
IED communication environment
The IED's communication environment includes SCADA communication for local/remote monitoring and control, operational data to remote control centers, bay-level and process-level data exchange between IEDs, remote configuration and firmware update, and fault/disturbance analysis data for maintenance centers.
| Slide 6
Introduction
Information Security in IEDs
Security is not just antivirus and firewall. The properties an IED must provide:
• Availability: avoid denial of service
• Integrity: avoid unauthorized modification
• Confidentiality: avoid disclosure
• Authentication: avoid spoofing / forgery
• Authorization: avoid unauthorized usage
• Auditability: avoid hiding of attacks
• Nonrepudiation: avoid denial of responsibility
| Slide 7
Network Communication and Protocols
| Slide 8
Network Communication and Protocols
Network Communication Architecture in IED
[Figure: IED protocol stack. Application layer: HTTP, FTP, DNP, IEC 61850, IEC 104, on top of sockets. Network layer: TCP/IP over Ethernet.]
IEDs in substation and distribution automation systems today communicate with remote gateways and controllers mostly through Ethernet and TCP/IP-based communication protocols. Some of these protocols are power-system specific and some are generic.
| Slide 9
Network Communication and Protocols
Operational & Engineering/Configuration Protocols
From the power system network communication perspective, operational protocols exchange real-time information for monitoring and control purposes continuously and consistently throughout. Ex: IEC 61850, DNP 3.0, -TCP, IEC 60870-5-104 etc.
Engineering/configuration protocols are used to retrieve data such as historical events, fault/disturbance records for analysis, device health/prognosis parameters, IED parameterization/configuration data, firmware loading, and some basic monitoring for a certain period of time. Ex: FTP, HTTP, ODBC etc.
For example, web server support in the IED uses the HTTP protocol when communicating with remote web clients such as Internet Explorer, Firefox or Chrome for monitoring and some basic configuration. These protocols also enable connectivity to external networks such as the office intranet and the internet.
| Slide 10
Communication Security
| Slide 11
Communication Security
Securing Substation Communication network
• The main idea of communication security is to create a secure channel over an insecure network. This gives reasonable protection from eavesdroppers and man-in-the-middle attacks.
• Designing a robust security architecture in the IED must be complemented by a robust and secured network setup when the substation system is connected to an external network such as the internet.
| Slide 12
Communication Security
Defense-in-Depth Approach
The substation network architecture must follow the "defense-in-depth" approach, which uses multiple layers of protection so that the failure of a single security component does not compromise the system. Secure communication is only one part of this approach.
| Slide 13
Communication Security
Standards and Regulations
| Slide 14
Communication Security
Security Protocols (SSL/TLS vs. IPsec)
• Securing data over the network means ensuring the CIA triad (confidentiality, integrity and availability), which requires strong authentication and encryption algorithms.
• The most widely deployed security protocols are SSL/TLS (Secure Sockets Layer / Transport Layer Security) and IPsec.
• SSL/TLS is implemented at application level, between the application and the transport layer; IPsec works at the internet (IP) layer below transport, so it protects traffic without the application being aware of it.
• TLS-based systems are more interoperable than IPsec-based secured devices.
• Since interoperability is a critical requirement in the substation automation domain, TLS-based secure communication design is the better option for IEDs in the power system domain.
[Figure: protocol stacks. Left: Application / Transport / Internet / Network. Middle: Application / SSL-TLS / Transport / Internet / Network. Right: inside TLS, the Record Layer carries the Handshake, Change Cipher Spec, Alert and Application protocols and provides fragmentation, compression, authentication and encryption, above Transport / Internet / Network.]
| Slide 15
Communication Security
SSL and application protocols in IED
[Figure: IED protocol stack with a Secure Socket Layer inserted. Application layer: HTTP, FTP, DNP, IEC 61850, IEC 104 on SSL sockets; SSL on plain sockets; network layer: TCP/IP over Ethernet.]
A secure socket layer is introduced between the traditional application layer protocols of the power system domain and the TCP/IP layer of the network architecture.
In the implementation there is a common wrapper around the SSL stack, with a set of common interfaces that give the protocol modules transparent access to the SSL layer. The wrapper can be extended to secure further protocols, so the solution can be adapted later to the IEC 62351 standard.
Caveat: the SSL protocol versions themselves (SSLv2, SSLv3) are obsolete and insecure; an implementation built today should negotiate TLS 1.2 or later and reject SSL, even where "SSL" is used as the generic name for the layer.
| Slide 16
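The common wrapper described on this slide, as an added example in Python that is not part of the ABB presentation: one hardened TLS context is built once, and every protocol module obtains its channel through open_channel(), which returns the plain socket when the local security parameter is disabled and a TLS-wrapped socket when it is enabled. The certificate paths in flash, the cipher list and the function names are assumptions; the API used is Python's standard ssl module.

```python
"""Transparent secure-socket wrapper between the IED's application protocols and TCP/IP.

Added example, not ABB code. Each protocol module (FTP, HTTP, DNP, IEC 104, ...)
hands its accepted TCP socket to open_channel() and gets back a socket-like
object; whether that object encrypts is decided by the IED's local security
parameter, so the protocol code never touches the TLS layer directly.
Certificate paths in flash and the cipher list are assumptions.
"""
import socket
import ssl

# Assumed locations of the IED certificate, key and trusted CA in flash memory.
IED_CERT_FILE = "/flash/security/ied_cert.pem"
IED_KEY_FILE = "/flash/security/ied_key.pem"
TRUSTED_CA_FILE = "/flash/security/trusted_ca.pem"


def build_ied_tls_context(server_side, cert_file=None, key_file=None, ca_file=None):
    """One hardened TLS context shared by every protocol wrapper on the IED.

    The deck says "SSL"; a current build must not speak SSLv2/SSLv3 or
    TLS 1.0/1.1, so the floor is TLS 1.2. Compression is disabled and a
    peer certificate is required in both directions (mutual TLS): the IED
    proves its identity to the client and the client proves its own to the IED.
    """
    protocol = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION        # no TLS-level compression (CRIME)
    ctx.verify_mode = ssl.CERT_REQUIRED         # reject peers without a certificate
    # Forward-secret AEAD suites only; NULL, export, RC4 and MD5 suites are excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)   # the IED's own identity
    if ca_file:
        ctx.load_verify_locations(ca_file)         # CA that issues the peer certificates
    return ctx


def open_channel(sock, security_enabled, ctx, server_side, server_hostname=None):
    """Common interface for all protocol modules.

    With the security parameter disabled the plain socket is returned
    unchanged (legacy cleartext mode, chosen locally on the IED). With it
    enabled the socket is wrapped and the TLS handshake runs on first use.
    A client-side wrap needs server_hostname, because the client context
    verifies the IED's certificate against that name.
    """
    if not security_enabled:
        return sock
    if server_side:
        return ctx.wrap_socket(sock, server_side=True)
    return ctx.wrap_socket(sock, server_side=False, server_hostname=server_hostname)


def channel_policy(ctx):
    """Summarise the policy a context enforces (for self-checks and the audit log)."""
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def passthrough_is_transparent():
    """Self-check: with security disabled the wrapper returns the very same socket."""
    a, b = socket.socketpair()
    try:
        return open_channel(a, False, None, True) is a
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    server_ctx = build_ied_tls_context(server_side=True)
    print("policy:", channel_policy(server_ctx))
    print("cleartext passthrough transparent:", passthrough_is_transparent())
```

With security enabled the handshake is run by the wrapped socket on first read or write, so the FTP or HTTP code above it is unchanged. Requiring a client certificate (CERT_REQUIRED) means the server context must also be loaded with the CA that issues client certificates, otherwise every handshake fails; that is the right default for an IED that should only talk to enrolled clients.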
Security Architecture Design in IED
| Slide 17
Security Architecture Design in IED
SSL Layer adaptation in IED Architecture
• From the perspective of information exchange over the Ethernet network, the IEDs in the substation are the source of information: they provide real-time data to local and remote clients such as SCADA systems, control centers and web clients. From the network socket perspective, therefore, IEDs act as socket servers and the remote systems as socket clients.
• An Enable/Disable Secure Communication option set locally on the IED gives local control and decides the data exchange mode.
• Input validation at the first entry point of the application layer protocols is critical in a secure IED design.
| Slide 18
Security Architecture Design in IED
SSL handshaking process
[Figure: FTPS and HTTPS handshake sequence between the IED (server side: FTPS and web server, security parameter: Enabled) and the client side (FTPS clients, web clients), reproduced as a message list.]
FTPS part:
FTPS client -> IED: connect to FTP (FTP/FTPS sockets bound to and listening on ports 20 and 21)
IED -> FTPS client: 220 Connection successful (FTP connection accepted)
FTPS client -> IED: AUTH TLS
IED -> FTPS client: 234 Start negotiation/handshake (the original slide prints 238; 234 is the reply RFC 4217 defines for a successful AUTH TLS)
HTTPS part:
Web client -> IED: connect to HTTPS (HTTP/HTTPS sockets bound to and listening on ports 80 and 443)
IED -> web client: connection successful (HTTPS connection accepted)
TLS handshake sequence, common to FTPS and HTTPS (handshake message type numbers in parentheses):
Client -> IED: Client Hello (1)
IED -> Client: Server Hello (2), Certificate (11), Server Key Exchange (12), Client Certificate Request (13), Server Hello Done (14)
Client -> IED: Client Certificate (11), Client Key Exchange (16), Change Cipher Spec, Finished (encrypted) (20)
IED -> Client: Change Cipher Spec, Finished (encrypted) (20)
Both directions: Application Data (encrypted) (23), i.e. the encrypted FTPS/HTTPS application data exchange
The Certificate Request / Client Certificate pair makes this a mutually authenticated handshake: the client proves its identity with a certificate as well, not only the IED.
• The exchange of information such as SSL/TLS version support, cipher suite selection, key exchange and certificate handling is part of this handshaking process.
• Once the handshake succeeds, a valid and secure session exists for further data exchange.
• The SSL handshaking process is an independent activity; each application module/session has its own handshake within the IED.
| Slide 19
Security Architecture Design in IED
Secured IED Configuration and Monitoring
• IEDs support the FTP protocol mainly for transferring device configuration information, disturbance record data, trend/load profile data, history logs and operation event information.
• IEDs also support basic parameterization, control and monitoring through web clients using the HTTP protocol.
• Concepts such as remote diagnostics, configuration and maintenance services are catching on in the power systems automation domain. Hence it is essential to secure the protocols used for these purposes.
| Slide 20
Security Architecture Design in IED
Secure Certificates
In a substation automation/power system network, before an IED makes a secure connection to another system over the network, a valid SSL certificate must be installed or available in the IED.
An SSL certificate can be either a self-signed certificate or a certificate issued by a trusted CA. A self-signed certificate is created and signed by the system on which it resides. The IED can generate its own self-signed certificate, or a certificate from a trusted static CA (together with the CA certificate) can be ported to and stored in the IED's flash memory.
Caveat: a self-signed certificate only authenticates the IED if each client has been provisioned with (pinned to) that exact certificate; a client that accepts any certificate is open to a man-in-the-middle presenting its own self-signed certificate. A CA-issued certificate lets clients verify the IED by trusting the CA alone.
| Slide 21
Security Architecture Design in IED
FTPS
[Figure: FTPS server flowchart, reproduced as steps]
1. Start. Wait for an FTP control connection; if none is received, keep waiting.
2. Once a connection is received, wait for a command. If the FTP timeout expires before a command arrives, close the FTP control connection and go back to step 1.
3. If the command received is the AUTH command: start the SSL negotiation on the control connection and set the mode to FTPS. Otherwise process the command.
4. If the command needs a data connection: open the data socket and connect (active mode), or open it and wait for the incoming connection (passive mode).
5. If the session is in FTP secured mode: negotiate SSL on the data connection, read/write the data through the SSL connection, then close the SSL connection. Otherwise read/write the data in the clear.
6. Close the data socket, send the command response and return to step 2 to wait for the next command.
| Slide 22
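The control-channel side of the FTPS handshake on slide 19 and the flowchart above, as an added Python example that is not ABB code: a state machine that answers each client command, refuses everything but AUTH TLS on a cleartext control connection while security is enabled, and requires PBSZ 0 / PROT P before a transfer so that the data connection is negotiated under TLS as well. The TLS negotiation itself is left to the transport (ssl.SSLContext.wrap_socket, for instance), which reports its result through complete_tls(); the demo credential, the exportable file names and the 534 policy replies are assumptions, while the 234 reply and the PBSZ/PROT sequence follow RFC 4217.

```python
"""Explicit FTPS (AUTH TLS) control-channel state machine for an IED FTP server.

Added example, not ABB code. The client connects in the clear, sends AUTH TLS,
the server replies 234 and the transport wraps the control socket in TLS; a
transfer then also needs PBSZ 0 / PROT P so the data connection is negotiated
under TLS (RFC 4217). Demo credential, file names and policy replies are assumed.
"""
import hashlib
import hmac
import re

_SALT = b"ied-demo-salt"   # constructed


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


_USERS = {"admin": _hash("Ied#2013")}                  # constructed demo credential
_DUMMY_HASH = _hash("no-such-user")                    # used for unknown user names
_EXPORTABLE = {"DR0001.CFG", "DR0001.DAT", "EVENTLOG.TXT"}   # assumed export files
_NAME_RE = re.compile(r"^[A-Z0-9_]{1,8}\.[A-Z]{3}$")   # 8.3 names, no path separators
_PRE_TLS_OK = {"AUTH", "QUIT"}    # the only commands accepted before TLS when security is on


class FtpsControlSession:
    """Per-connection state; handle() returns the reply line for one client command."""

    def __init__(self, security_enabled):
        self.security_enabled = security_enabled   # the IED's local security parameter
        self.secured = False          # control connection is inside TLS
        self.pending_tls = False      # 234 sent; the transport must now run the handshake
        self.pbsz_done = False
        self.prot_private = False     # PROT P: data connections go through TLS as well
        self.user = None
        self.logged_in = False
        self.closed = False

    def complete_tls(self, ok):
        """Called by the transport once the control-connection handshake has finished."""
        self.pending_tls = False
        self.secured = ok
        self.closed = self.closed or not ok   # a failed handshake drops the connection

    def handle(self, line):
        # Entry-point input validation (slide 18): bounded length, printable ASCII only.
        if len(line) > 512 or not all(0x20 <= ord(c) < 0x7F for c in line):
            return "500 Syntax error, command unrecognized"
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if self.security_enabled and not self.secured and cmd not in _PRE_TLS_OK:
            return "530 Secure connection required: send AUTH TLS first"   # not even USER in clear
        if cmd == "AUTH":
            if arg.upper() != "TLS":
                return "504 Only AUTH TLS is supported"
            if self.secured:
                return "503 Control connection is already secured"
            self.pending_tls = True
            return "234 AUTH TLS OK, starting TLS negotiation"
        if cmd == "QUIT":
            self.closed = True
            return "221 Goodbye"
        if cmd == "USER":
            self.user, self.logged_in = arg, False
            return "331 Password required"
        if cmd == "PASS":
            # Always hash and compare in constant time, even for unknown users,
            # so response timing does not reveal which user names exist.
            expected = _USERS.get(self.user, _DUMMY_HASH)
            if hmac.compare_digest(expected, _hash(arg)) and self.user in _USERS:
                self.logged_in = True
                return "230 User logged in"
            return "530 Login incorrect"
        if cmd == "PBSZ":
            self.pbsz_done = True
            return "200 PBSZ=0"
        if cmd == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            if arg.upper() == "P":
                self.prot_private = True
                return "200 Protection level set to P"
            return "534 Request denied for policy reasons: PROT P required"
        if not self.logged_in:
            return "530 Please log in first"
        if cmd == "RETR":
            if self.secured and not self.prot_private:
                return "534 Data connection must be protected: send PBSZ 0 and PROT P"
            if not _NAME_RE.match(arg) or arg not in _EXPORTABLE:
                return "550 File unavailable"     # no path traversal, no directory walk
            # The transport now opens the data socket and, in secured mode, runs the
            # data-connection TLS negotiation before streaming the file.
            return "150 Opening data connection for " + arg
        return "502 Command not implemented"


if __name__ == "__main__":
    session = FtpsControlSession(security_enabled=True)
    for line in ["USER admin", "AUTH TLS", "USER admin", "PASS Ied#2013", "RETR DR0001.CFG",
                 "PBSZ 0", "PROT P", "RETR ../config.bin", "RETR DR0001.CFG", "QUIT"]:
        print("C:", line, "\nS:", session.handle(line))
        if session.pending_tls:
            session.complete_tls(True)    # the transport's handshake result
```

Two details matter beyond the flowchart: USER/PASS are refused until the control connection is under TLS, so the password never crosses the wire in the clear, and a 234 reply is only a promise, the session is not marked secure until the transport confirms the handshake through complete_tls(). This is the TLS 1.2-style explicit FTPS of the deck; the same state machine works unchanged when the transport negotiates TLS 1.3.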
Security Architecture Design in IED
HTTPS
[Figure: web server flowchart, reproduced as steps]
1. Start: the web server listens on HTTP port 80 and HTTPS port 443.
2. If the security parameter is "Enabled":
   a. The user types "http://<IP address>": the request comes to HTTP port 80 of the server; the server sends a redirection response to the web client so that the request is re-sent to HTTPS port 443.
   b. The user types "https://<IP address>": the request comes directly to HTTPS port 443.
   c. In both cases perform the HTTPS handshake. If it is not successful, show the relevant SSL error code in the client. If it is successful, show the username and password prompt to the user and start the HTTPS session if the user is authenticated.
3. If the security parameter is not enabled:
   a. The user types "http://<IP address>": show the username and password prompt and start an HTTP session if the user is authenticated (credentials and data then travel in the clear).
   b. The user types "https://<IP address>": the request comes to HTTPS port 443 and proceeds as in 2c.
4. End.
| Slide 23
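The decision logic of the flowchart above, as an added Python example that is not ABB code, also covering the entry-point input validation called for on slide 18: handle_http_request() validates the raw request (size, request line, header syntax and a character whitelist for the Host value, which is echoed back in the redirect), then either redirects port-80 requests to https://<host>/<path> when the security parameter is enabled or prompts for credentials. The authenticate() callback, the realm name and the size limit are assumptions.

```python
"""Front door of the IED web server: the HTTP/HTTPS decision of slide 23.

Added example, not ABB code. handle_http_request() is the first thing the
embedded web server does with a raw request: validate it at the entry point,
then, with the security parameter enabled, redirect anything that arrived on
port 80 to https://<host>/<path> and prompt for credentials only on the TLS
side; with it disabled, serve plain HTTP as the flowchart shows. The realm,
size limit and the authenticate() callback are assumptions.
"""
import base64

MAX_REQUEST_BYTES = 4096
_METHODS = {"GET", "HEAD", "POST"}
_HOST_CHARS = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:[]")
_TARGET_CHARS = frozenset(chr(c) for c in range(0x21, 0x7F))   # printable ASCII, no space


def _response(status, headers, body=b""):
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    lines += [f"Content-Length: {len(body)}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii") + body


def parse_request(raw):
    """Entry-point validation: returns (method, target, headers) or None if malformed."""
    if len(raw) > MAX_REQUEST_BYTES:
        return None
    try:
        head, sep, _ = raw.decode("ascii").partition("\r\n\r\n")
    except UnicodeDecodeError:
        return None
    if not sep:
        return None                                   # header block never terminated
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in _METHODS or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    method, target, _ = parts
    if not target.startswith("/") or not all(c in _TARGET_CHARS for c in target):
        return None
    headers = {}
    for field in lines[1:]:
        name, colon, value = field.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    # The Host value is echoed in the Location header, so it is whitelisted
    # character by character (no CR/LF, no spaces: no header injection).
    if not host or not all(c in _HOST_CHARS for c in host):
        return None
    return method, target, headers


def basic_auth_header(user, password):
    """Value of the Authorization header a browser sends after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _credentials(headers):
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def handle_http_request(raw, security_enabled, arrived_on_tls, authenticate):
    """arrived_on_tls: True when the request came in through port 443's TLS handshake."""
    parsed = parse_request(raw)
    if parsed is None:
        return _response("400 Bad Request", {})
    method, target, headers = parsed
    if security_enabled and not arrived_on_tls:
        # Flowchart branch "security Enabled, user typed http://": redirect to
        # port 443. No login prompt is ever shown on the cleartext side.
        return _response("301 Moved Permanently", {"Location": f"https://{headers['host']}{target}"})
    creds = _credentials(headers)
    if creds is None or not authenticate(*creds):
        return _response("401 Unauthorized", {"WWW-Authenticate": 'Basic realm="IED"'})
    extra = {"Content-Type": "text/plain"}
    if arrived_on_tls:
        extra["Strict-Transport-Security"] = "max-age=31536000"   # keeps browsers on HTTPS
    body = b"" if method == "HEAD" else b"IED web session started\n"
    return _response("200 OK", extra, body)


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"
    print(handle_http_request(req, True, False, lambda u, p: False).decode())
```

The redirect only ever points at the same host, taken from a validated Host header, so it cannot be turned into an open redirect or a header-injection vector. When the security parameter is disabled the function still prompts for credentials over plain HTTP, exactly as the flowchart allows; that mode exists for legacy clients and should be switched off once every client can speak TLS.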
Security Architecture Design in IED
Managing System Resources: Security Vs Performance
• The IED architecture design must consider how many secure application protocol sessions can be supported with the available system resources: runtime memory, CPU processing capability, network bandwidth, etc.
• Cyber security features take considerable system resources (CPU power, memory, bandwidth). The IED architecture must take these characteristics and constraints into account and optimize the design so that system performance, availability and reliability are maintained while the cyber security features are supported.
[Figure: the resources involved: CPU processing, runtime memory, storage memory, network.]
| Slide 24
Conclusion
| Slide 25
• The cyber security environment is highly dynamic; development efforts must stay vigilant, follow technology trends and keep rebuilding strong security mechanisms.
• A secured communication mechanism can be developed from available security technologies and integrated seamlessly into the IED architecture to meet specific cyber security requirements.
• The security architecture should adopt the "defense-in-depth" strategy, in which every system component is an active participant in creating a secured system, in order to overcome threats and build strong and robust power system networks.