Application of Monitoring Standards for enhancing Energy System Security

Transcription

1 Application of Monitoring Standards for enhancing Energy System Security G. DONDOSSOLA*, R. TERRUGGIA*, P. WYLACH*, G. PUGNI**, F. BELLIO*** RSE SpA*, Enel SpA**, Enel Produzione SpA*** Italy

2 About RSE Applied research on the electro-energetic sector, experimental activities including Cyber Security experimental assessment

3 Cigré Session 2016 Paper D2_204_2016 Security communication assessment over heterogeneous networks Laboratory testbed of Medium Voltage control cyber infrastructure for distribution grids connecting Distributed Energy Resources (DER) Field testbed of a real cyber-physical Hydro Power Plant (HPP) telecontrol infrastructure Ethernet, Mobile technologies (2G,3G,4G) 0.5/6.77/40 Mbps Dedicated Frame Relay-CDN lines with a speed of 32/64 Kbps IEC 61850/MMS IEC IEC IEC

4 Outline Technical context Motivation and goal Methodology IEC Smart Energy Systems functions and architectures Distribution Grids connecting DER Medium Voltage (MV) Control Infrastructure

5 Outline IEC performance assessment MV Control: IEC communications secured with IEC /3 communication performance assessment using cellular networks Security Monitoring Overview of IEC Security Monitoring Framework in the MV Control setup Wrap-up and Key lessons

6 Motivation and goal Smart energy systems deploy open ICT infrastructures exposed to a dynamic cyber threat environment Need to address cyber security requirements of power generation, distribution and DER domains by combining preventive measures with defensive actions Twofold focus security of communication protocols monitoring of information flows in system operation The complementary role of preventive measures and continuous monitoring is shown through the performance assessment of secure communications during attack scenarios

7 Methodology A common assessment methodology is used to evaluate the application of IEC security standards for protecting IEC and IEC communications of renewable DER and Hydro Power Plants over heterogeneous technologies Communication integrity and confidentiality are provided by authentication mechanisms and encryption algorithms at application and transport layers Ongoing anomalies and cyber attacks to energy systems are detected by a monitoring infrastructure supporting fast reactions and continuous defense enforcement

8 Methodology The distinguishing aspect of the assessment methodology is the definition of performance measures specific for the energy applications and communication/security protocols An analysis tool calculates the measures of interest from network traces, performs the statistical analysis of data collected during security/technology/attack tests, feeds in the agent data of the SNMP monitoring infrastructure The energy system monitoring collects data objects from IEDs and RTUs according to IEC , and combine them with IETF data objects available in commercial network devices

9 IEC overview Security means defined for Authentication and authorization (RBAC) Secure IP- based and serial communications Secure application level exchanges Key management Security monitoring and event logging Conformance test cases Guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations 9

10 IEC TC57 Power System Communication Standards IEC Secure Control protocols IEC : Introduction IEC TASE.2 (ICCP) IEC & DNP3 IEC & Serial DNP3 IEC MMS IEC GOOSE and SV IEC MMS over XMPP IEC & IEC CIM IEC : Profiles including TCP/IP IEC : Profiles including MMS and similar Payloads IEC : IEC and Derivates IEC : IEC Profiles IEC : Security for XML Files IEC : Glossary IEC : Objects for Network Management IEC : Role based Access Control IEC :Key Management IEC : Cyber Security Event Logging IEC for securing MMS based applications (e.g. IEC , IEC ) IEC Conformance Testing application profiles IEC : IEC (Part 3/5) transport profiles (use of TLS, specified by Part 3) IEC : RBAC Guidelines IEC : Deep Packet Inspection IEC : Security architecture guidelines for TC 57 systems IEC for securing IEC (Transmission protocols in Telecontrol equipment and systems), DNP3 and serial verisons IEC : Resilience and Security Recommendations for Power Systems with DER IEC for securing application s using GOOSE and IEC , requiring 4 ms response times IEC : What Security Topics Should Be Covered in Standards and Specifications 10

11 IEC MV Control Security means defined for Authentication and authorization (RBAC) Secure IP- based and serial communications Secure application level exchanges Key management Security monitoring and event logging Conformance test cases Guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations 11

12 IEC HPP Security means defined for Authentication and authorization (RBAC) Secure IP- based and serial communications Secure application level exchanges Key management Security monitoring and event logging Conformance test cases Guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations 12

13 IEC Profiles including MMS IEC Part 4 (TS 2007) specifies procedures, protocol enhancements and algorithms targeting MMS security MMS Security Profiles A-Profile Application Layer Security T-Profile Transport Layer Security-> Part 3 Mandatory and recommended TLS options 13

14 IEC (2) A-Profile Application Layer Security T-Profile Transport Layer Security 14

15 IEC : Communication network and system security Profile including TCP/IP IEC Part 3 (IS 2014) specifies how provide security for TCP/IP-based SCADA and telecontrol protocols Constraints on Transport Layer Security (TLS) for end to end security TLS Version Deprecated cyber suites, interoperability Bi-directional certificate exchange and validation is mandatory (mutual authentication) Session key update Session renegotiation time Session resumption time Certificate management 15

16 IEC : Network and System Management (NSM) data object models IEC Part 7 (IS 2017) specifies data object models to monitor the health and the condition of the power system components/communications Monitoring for security purpose, enabling anomaly detection and recovery functions Monitoring network and IED devices and correlation of information from IEC data objects (OT devices) IETF data objects (OT/IT devises) 16

17 IEC (2) Information Infrastructure Power System Infrastructure Monitoring objects 17

18 IEC (3) Environment IED Application Protocol Interfaces Clock 18

19 Integrated monitoring Analysis Cloc k Enviromen t IED Applicati on Protocol Interfac es 19

20 IEC (4) IEC IS Abstract UML Model SNMP protocol MIB implementation 20

21 PCS ResTest activity Grid and ICT Control Centres Substation Control DER Control

22 QoS Assessment Technology Tests Security Tests Test Traces SG QoS Analyser QoS Measures SG QoS Analyser 22

23 Tests Cases Technology Tests Impact analysis of cellular technologies on IEC 61850/MMS control flows Ethernet as baseline (Switched Eth VLAN) Mobile access networks: 4G, 3G and 2G Security Tests Impact analysis of security technologies on IEC 61850/MMS control flows Plain Security (IP tunneling and ACL) Standard Security (TLS as add-on to Plain Security)

24 QoS Indicators TCP/TLS Handshake Time Handshake duration for TCP connection/tls session MMS HandshakeTime Time required for the establishment of the MMS session MMS Profile Exchange Time TLS renegotiation/resumption Time RTT (Round Trip Time)-Report RTT-Setpoint TCP connection active time Retransmissions # of TCP/TLS/MMS sessions Session Overhead Rate Report/Setpoint Losses Exchange duration of the MMS profile between client and server Time required for renegotiation/resumption operations Time interval between the output of a report and the reception of the corresponding TCP ack by the MMS server Time interval between the output of a setpoint request and the reception of the corresponding TCP ack by the MMS client A ratio between the TCP connection time available for transmitting control traffic over the total test duration Number of TCP Retransmissions Number of reports/setpoints retransmissions Number of correct establishment of TCP, TLS and MMS sessions Number of failed establishment of TCP, TLS and MMS sessions Time taken for session setup and restoration. Time not available for power grid control activities over the total time Number (Percentage) of lost reports/setpoints 24

25 Experimental results 25

26 Wrap-up Experimental platforms The work presents an experimental framework to assess the performance of security solutions in energy control systems and evaluate new functionality for the timely management of residual risks A common security assessment methodology is used to evaluate the application of IEC security standards for protecting IEC and IEC communications of renewable DER and hydro power plants over heterogeneous technologies in lab and field testbeds The distinguishing aspect of the assessment methodology is the definition of performance measures specific for the energy applications and communication/ security protocols Heterogeneous communication networks mobile networks wired links

27 Wrap-up Cyber Security measures End-to-end security conforming to IEC /5 Communication integrity and confidentiality are provided by authentication mechanisms and encryption algorithms at application and transport layers Security monitoring conforming to IEC Ongoing anomalies and cyber attacks to energy systems are detected by a monitoring infrastructure supporting fast reactions and continuous defense enforcement The energy system monitoring collects data objects from IEDs according to IEC , and combine them with IETF data objects available in commercial network devices

28 Key lessons Results The IEC implementation in IEC and IEC protocols results in good performances of end-to-end communications in all the tested technologies provided that the connection is stable The dependency of performance values on the packet size is clearly visible in both wired and wireless technologies The security profile configuration influences the transport handshake times, and the influence is stronger with low speed links Measures from field tests gave useful feedbacks on technological improvements of the HPP telecontrol infrastructure The performance assessment methodology allows specifying Quality of Service requirements that cover security extensions, useful for SLA with telco operators

29 Key lessons Results Results from monitoring tests contributed to the specification of IEC data objects The implementation of a monitoring infrastructure able to correlate the performance indicators from IED and network devices increases the effectiveness of attack detection and mitigation

30 Thank you! Contact: