Application of Monitoring Standards for enhancing Energy System Security
G. DONDOSSOLA*, R. TERRUGGIA*, P. WYLACH*, G. PUGNI**, F. BELLIO***
RSE SpA*, Enel SpA**, Enel Produzione SpA*** (Italy)
About RSE Applied research on the electro-energetic sector, experimental activities including Cyber Security experimental assessment
Cigré Session 2016, Paper D2_204_2016: Security communication assessment over heterogeneous networks
- Laboratory testbed of the Medium Voltage control cyber infrastructure for distribution grids connecting Distributed Energy Resources (DER)
- Field testbed of a real cyber-physical Hydro Power Plant (HPP) telecontrol infrastructure
- Ethernet; Mobile technologies (2G, 3G, 4G) at 0.5/6.77/40 Mbps; dedicated Frame Relay-CDN lines with a speed of 32/64 Kbps
- IEC 61850/MMS, IEC 60870-5-104, IEC 62351-4, IEC 62351-5
Outline
- Technical context: Motivation and goal; Methodology; IEC 62351
- Smart Energy Systems functions and architectures: Distribution Grids connecting DER; Medium Voltage (MV) Control Infrastructure
Outline
- IEC 62351 performance assessment: MV Control, IEC 61850-8-1 communications secured with IEC 62351-4/3; communication performance assessment using cellular networks
- Security Monitoring: Overview of IEC 62351-7; Security Monitoring Framework in the MV Control setup
- Wrap-up and Key lessons
Motivation and goal
- Smart energy systems deploy open ICT infrastructures exposed to a dynamic cyber threat environment
- Need to address the cyber security requirements of the power generation, distribution and DER domains by combining preventive measures with defensive actions
- Twofold focus: security of communication protocols; monitoring of information flows in system operation
- The complementary role of preventive measures and continuous monitoring is shown through the performance assessment of secure communications during attack scenarios
Methodology
- A common assessment methodology is used to evaluate the application of IEC 62351 security standards for protecting IEC 61850 and IEC 60870-5-104 communications of renewable DER and Hydro Power Plants over heterogeneous technologies
- Communication integrity and confidentiality are provided by authentication mechanisms and encryption algorithms at the application and transport layers
- Ongoing anomalies and cyber attacks on energy systems are detected by a monitoring infrastructure supporting fast reactions and continuous defense enforcement
Methodology
- The distinguishing aspect of the assessment methodology is the definition of performance measures specific to the energy applications and to the communication/security protocols
- An analysis tool calculates the measures of interest from network traces, performs the statistical analysis of the data collected during security/technology/attack tests, and feeds the results into the agent data of the SNMP monitoring infrastructure
- The energy system monitoring collects data objects from IEDs and RTUs according to IEC 62351-7, and combines them with the IETF data objects available in commercial network devices
IEC 62351 - overview
Security means defined for:
- Authentication and authorization (RBAC)
- Secure IP-based and serial communications
- Secure application level exchanges
- Key management
- Security monitoring and event logging
- Conformance test cases
- Guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations
IEC TC57 Power System Communication Standards and IEC 62351 Secure Control protocols
- IEC 62351-1: Introduction
- IEC 62351-2: Glossary
- IEC 62351-3: Profiles including TCP/IP
- IEC 62351-4: Profiles including MMS and similar payloads; for securing MMS based applications (e.g. IEC 61850-8-1, IEC 60870-6)
- IEC 62351-5: IEC 60870-5 and derivates; for securing IEC 60870-5 (Transmission protocols in Telecontrol equipment and systems), DNP3 and serial versions
- IEC 62351-6: IEC 61850 profiles; for securing applications using GOOSE and IEC 61850-9-2, requiring 4 ms response times
- IEC 62351-7: Objects for Network Management
- IEC 62351-8: Role based Access Control
- IEC 62351-9: Key Management
- IEC 62351-10: Security architecture guidelines for TC 57 systems
- IEC 62351-11: Security for XML Files
- IEC 62351-12: Resilience and Security Recommendations for Power Systems with DER
- IEC 62351-13: What Security Topics Should Be Covered in Standards and Specifications
- IEC 62351-14: Cyber Security Event Logging
- IEC 62351-90-1: RBAC Guidelines
- IEC 62351-90-2: Deep Packet Inspection
- IEC 62351-100: Conformance Testing; IEC 62351-100-1: IEC 60870-5-7 (Part 3/5)
The diagram distinguishes application profiles from transport profiles (use of TLS, specified by Part 3).
TC57 protocols covered: IEC 60870-6 TASE.2 (ICCP); IEC 60870-5-104 & DNP3; IEC 60870-5-101 & serial DNP3; IEC 61850-8-1 MMS; IEC 61850-8-1 GOOSE and SV; IEC 61850-8-2 MMS over XMPP; IEC 61970 & IEC 61968 CIM
IEC 62351 for MV Control and for HPP: the same set of security means applies to both the MV Control and the HPP setups (authentication and authorization (RBAC); secure IP-based and serial communications; secure application level exchanges; key management; security monitoring and event logging; conformance test cases; guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations)
IEC 62351-4: Profiles including MMS
IEC 62351 Part 4 (TS 2007) specifies procedures, protocol enhancements and algorithms targeting MMS security.
MMS Security Profiles:
- A-Profile: Application Layer Security
- T-Profile: Transport Layer Security (see Part 3), with mandatory and recommended TLS options
IEC 62351-4 (2): figure showing the A-Profile (Application Layer Security) and the T-Profile (Transport Layer Security)
IEC 62351-3: Communication network and system security - Profiles including TCP/IP
IEC 62351 Part 3 (IS 2014) specifies how to provide security for TCP/IP-based SCADA and telecontrol protocols.
Constraints on Transport Layer Security (TLS) for end-to-end security:
- TLS version
- Deprecated cipher suites, interoperability
- Bi-directional certificate exchange and validation is mandatory (mutual authentication)
- Session key update
- Session renegotiation time
- Session resumption time
- Certificate management
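The constraints above are configuration decisions on each MMS/TCP endpoint, so a practical check is to audit the TLS context an application actually builds. The following is an added example (not code from the paper or the RSE testbed) using Python's standard ssl module: a hardened context next to the kind of weak one the constraints rule out, and an audit function that flags missing mutual authentication, a protocol floor below the policy minimum, and deprecated cipher suites. The TLS 1.2 floor and the list of deprecated-suite markers are assumptions for this example, not the normative text of IEC 62351-3; certificate and CA file paths are hypothetical and supplied by the caller.

```python
import ssl

# Illustrative policy reflecting the IEC 62351-3 constraints listed on the slide
# (TLS version floor, no deprecated cipher suites, mandatory mutual authentication).
# The version floor and the marker list are assumptions for this example.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
DEPRECATED_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "ANON")


def build_hardened_context(server=False, certfile=None, keyfile=None, cafile=None):
    """TLS context for an IEC 61850/MMS endpoint: TLS >= 1.2, AEAD suites with
    forward secrecy, and a peer certificate required in both directions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED                # mutual authentication
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")     # TLS 1.2 suites; TLS 1.3 suites are separate
    if certfile:                                       # own identity (hypothetical paths from the caller)
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:                                         # trust anchor used to validate the peer
        ctx.load_verify_locations(cafile)
    return ctx


def build_weak_context():
    """The kind of configuration the slide's constraints rule out: the peer is
    never authenticated and the protocol floor is lowered below the policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1   # some OpenSSL builds refuse this
    except ValueError:
        pass
    return ctx


def audit_context(ctx):
    """Return the list of constraint violations found in a TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: mutual authentication is missing")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(f"minimum TLS version below {MIN_TLS_VERSION.name}")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"].upper() for marker in DEPRECATED_MARKERS)]
    if weak:
        findings.append("deprecated cipher suites enabled: " + ", ".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_hardened_context()), ("weak", build_weak_context())):
        print(label, audit_context(ctx) or ["conforms to the checked constraints"])
```

The audit only inspects local configuration; the session key update and renegotiation/resumption timing constraints on the slide have to be verified from traffic, which is what the QoS indicators later in the deck measure.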
IEC 62351-7: Network and System Management (NSM) data object models
IEC 62351 Part 7 (IS 2017) specifies data object models to monitor the health and the condition of the power system components and communications.
Monitoring for security purposes, enabling anomaly detection and recovery functions.
Monitoring of network and IED devices, and correlation of information from IEC 62351-7 data objects (OT devices) and IETF data objects (OT/IT devices).
IEC 62351-7 (2): figure of the monitoring objects covering the Information Infrastructure and the Power System Infrastructure
IEC 62351-7 (3): figure of the monitoring object categories: Environment, IED, Application, Protocol, Interfaces, Clock
Integrated monitoring: figure of the analysis of the Clock, Environment, IED, Application, Protocol and Interfaces objects
IEC 62351-7 (4): from the IEC 62351-7 IS abstract UML model to the SNMP protocol MIB implementation
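The methodology slide and the IEC 62351-7 slides describe a monitoring infrastructure that correlates IED security objects with the IETF objects of the network devices carrying the traffic, and the key lessons attribute better attack detection to exactly this correlation. As an added example (not code from the paper or the RSE monitoring framework), the following Python shows one such correlation rule over SNMP counter polls: a rise in session failures on a healthy link is treated differently from the same rise accompanied by link errors. The IED-side object names (tlsHandshakeFailures, mmsAssocFailures) are hypothetical stand-ins for IEC 62351-7 security counters; ifInErrors, ifInDiscards and ifOperStatus are real IETF IF-MIB objects; all poll values and thresholds are constructed.

```python
COUNTER32_WRAP = 2 ** 32   # SNMP Counter32 objects wrap at 2^32

# Constructed samples: two consecutive SNMP polls of an IED and of the network
# device on its path. IED object names are hypothetical stand-ins for IEC 62351-7
# counters; the network-side names are IETF IF-MIB objects.
SCENARIOS = {
    "handshake_failures_on_clean_link": {
        "ied_prev": {"tlsHandshakeFailures": 12, "mmsAssocFailures": 3},
        "ied_curr": {"tlsHandshakeFailures": 40, "mmsAssocFailures": 9},
        "net_prev": {"ifInErrors": 100, "ifInDiscards": 5, "ifOperStatus": 1},
        "net_curr": {"ifInErrors": 101, "ifInDiscards": 5, "ifOperStatus": 1},
    },
    "handshake_failures_with_link_errors": {
        "ied_prev": {"tlsHandshakeFailures": 40, "mmsAssocFailures": 9},
        "ied_curr": {"tlsHandshakeFailures": 55, "mmsAssocFailures": 12},
        "net_prev": {"ifInErrors": 101, "ifInDiscards": 5, "ifOperStatus": 1},
        "net_curr": {"ifInErrors": 180, "ifInDiscards": 40, "ifOperStatus": 1},
    },
    "counter_wrap_on_router": {
        "ied_prev": {"tlsHandshakeFailures": 55, "mmsAssocFailures": 12},
        "ied_curr": {"tlsHandshakeFailures": 55, "mmsAssocFailures": 12},
        "net_prev": {"ifInErrors": 4294967290, "ifInDiscards": 7, "ifOperStatus": 1},
        "net_curr": {"ifInErrors": 4, "ifInDiscards": 7, "ifOperStatus": 1},
    },
}


def counter_delta(prev, curr, name):
    """Increase of a cumulative counter between two polls, tolerant of a 32-bit wrap."""
    return (curr[name] - prev[name]) % COUNTER32_WRAP


def correlate(ied_prev, ied_curr, net_prev, net_curr, fail_threshold=5, error_threshold=10):
    """Combine the IED security counters with the link counters of the network
    device that carries its traffic, and classify the poll interval."""
    ied_failures = (counter_delta(ied_prev, ied_curr, "tlsHandshakeFailures")
                    + counter_delta(ied_prev, ied_curr, "mmsAssocFailures"))
    net_errors = (counter_delta(net_prev, net_curr, "ifInErrors")
                  + counter_delta(net_prev, net_curr, "ifInDiscards"))
    link_down = net_curr["ifOperStatus"] != 1          # IF-MIB ifOperStatus: up(1)
    network_fault = net_errors >= error_threshold or link_down

    if ied_failures >= fail_threshold and not network_fault:
        verdict = "security-anomaly"     # sessions fail while the link is healthy: investigate the peer
    elif ied_failures >= fail_threshold:
        verdict = "link-degradation"     # failures explained by a degraded or down link
    elif network_fault:
        verdict = "network-fault"        # link trouble that has not yet affected the control sessions
    else:
        verdict = "nominal"
    return {"verdict": verdict, "ied_failures": ied_failures,
            "net_errors": net_errors, "link_down": link_down}


def evaluate_all(scenarios=SCENARIOS):
    """Run the correlation rule over every scenario and map scenario name to verdict."""
    return {name: correlate(**polls)["verdict"] for name, polls in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name}: {verdict}")
```

The third scenario is included because Counter32 wrap is a common source of false alarms in hand-written correlation logic: without the modulo the delta would be a large negative number and the link fault would be missed.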
PCS ResTest activity: Grid and ICT Control Centres, Substation Control, DER Control
QoS Assessment: figure showing Technology Tests and Security Tests producing Test Traces, which the SG QoS Analyser processes into QoS Measures
Test Cases
- Technology Tests: impact analysis of cellular technologies on IEC 61850/MMS control flows; Ethernet as baseline (switched Ethernet VLAN); mobile access networks: 4G, 3G and 2G
- Security Tests: impact analysis of security technologies on IEC 61850/MMS control flows; Plain Security (IP tunneling and ACL); Standard Security (TLS as add-on to Plain Security)
QoS Indicators
- TCP/TLS Handshake Time: handshake duration for the TCP connection / TLS session
- MMS Handshake Time: time required for the establishment of the MMS session
- MMS Profile Exchange Time: exchange duration of the MMS profile between client and server
- TLS renegotiation/resumption Time: time required for renegotiation/resumption operations
- RTT-Report (Round Trip Time): time interval between the output of a report and the reception of the corresponding TCP ack by the MMS server
- RTT-Setpoint: time interval between the output of a setpoint request and the reception of the corresponding TCP ack by the MMS client
- TCP connection active time: ratio between the TCP connection time available for transmitting control traffic and the total test duration
- Retransmissions: number of TCP retransmissions; number of report/setpoint retransmissions
- # of TCP/TLS/MMS sessions: number of correct establishments of TCP, TLS and MMS sessions; number of failed establishments of TCP, TLS and MMS sessions
- Session Overhead Rate: time taken for session setup and restoration; time not available for power grid control activities over the total time
- Report/Setpoint Losses: number (percentage) of lost reports/setpoints
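The methodology slide says an analysis tool computes these measures from network traces; the following Python is an added example of that computation (it is not the SG QoS Analyser or any code from the paper). It takes a constructed event list standing in for a decoded capture of one IEC 61850/MMS-over-TLS session, with a retransmitted report, a lost report and a reconnection attempt that never completes, and derives the handshake times, RTT-Report/RTT-Setpoint, retransmissions, losses, session counts and session overhead rate defined above. Event kinds, timestamps and the matching of a data PDU to its TCP ack by an id are assumptions of this example; the overhead rate is computed as session setup time over total capture duration, one reading of the slide's definition.

```python
from statistics import mean

# Constructed trace of one IEC 61850/MMS session over TLS: a list of events with a
# timestamp in seconds. A real analyser would derive these from a packet capture.
TRACE = [
    {"t": 0.000, "kind": "SYN"},
    {"t": 0.045, "kind": "SYN-ACK"},
    {"t": 0.090, "kind": "ACK"},                   # TCP connection established
    {"t": 0.100, "kind": "ClientHello"},
    {"t": 0.400, "kind": "TLS-Finished"},          # TLS session established
    {"t": 0.420, "kind": "MMS-Initiate"},
    {"t": 0.520, "kind": "MMS-InitiateResp"},      # MMS session established
    {"t": 1.000, "kind": "Report", "id": 1},       # server -> client report
    {"t": 1.060, "kind": "TCP-Ack", "id": 1},
    {"t": 2.000, "kind": "Report", "id": 2},
    {"t": 2.300, "kind": "Report", "id": 2, "retrans": True},
    {"t": 2.340, "kind": "TCP-Ack", "id": 2},
    {"t": 3.000, "kind": "Report", "id": 3},       # never acknowledged: a lost report
    {"t": 3.500, "kind": "Setpoint", "id": 10},    # client -> server setpoint
    {"t": 3.580, "kind": "TCP-Ack", "id": 10},
    {"t": 4.000, "kind": "SYN"},                   # reconnection attempt that never completes
    {"t": 5.000, "kind": "END"},                   # end of the capture
]


def handshake_times(trace, start_kind, end_kind):
    """Durations of every completed start->end exchange, plus the number of
    attempts that started but never completed (failed session establishments)."""
    durations, failed, start = [], 0, None
    for ev in trace:
        if ev["kind"] == start_kind:
            if start is not None:
                failed += 1                        # previous attempt superseded before completing
            start = ev["t"]
        elif ev["kind"] == end_kind and start is not None:
            durations.append(ev["t"] - start)
            start = None
    if start is not None:
        failed += 1
    return durations, failed


def rtt_and_losses(trace, data_kind):
    """RTT of each data PDU (first transmission to its TCP ack) and the number of
    PDUs never acknowledged within the trace."""
    first_tx, rtts = {}, {}
    for ev in trace:
        if ev["kind"] == data_kind:
            first_tx.setdefault(ev["id"], ev["t"])  # a retransmission keeps the first timestamp
        elif ev["kind"] == "TCP-Ack" and ev["id"] in first_tx and ev["id"] not in rtts:
            rtts[ev["id"]] = ev["t"] - first_tx[ev["id"]]
    return list(rtts.values()), len(first_tx) - len(rtts)


def analyse(trace):
    """Compute the slide's QoS indicators for a single trace."""
    total = trace[-1]["t"] - trace[0]["t"]
    tcp, tcp_failed = handshake_times(trace, "SYN", "ACK")
    tls, tls_failed = handshake_times(trace, "ClientHello", "TLS-Finished")
    mms, mms_failed = handshake_times(trace, "MMS-Initiate", "MMS-InitiateResp")
    rtt_report, report_losses = rtt_and_losses(trace, "Report")
    rtt_setpoint, setpoint_losses = rtt_and_losses(trace, "Setpoint")
    setup_time = sum(tcp) + sum(tls) + sum(mms)    # time not available for control traffic
    return {
        "tcp_handshake_time": tcp,
        "tls_handshake_time": tls,
        "mms_handshake_time": mms,
        "rtt_report_mean": mean(rtt_report) if rtt_report else None,
        "rtt_setpoint_mean": mean(rtt_setpoint) if rtt_setpoint else None,
        "retransmissions": sum(1 for ev in trace if ev.get("retrans")),
        "report_losses": report_losses,
        "setpoint_losses": setpoint_losses,
        "sessions_ok": {"tcp": len(tcp), "tls": len(tls), "mms": len(mms)},
        "sessions_failed": {"tcp": tcp_failed, "tls": tls_failed, "mms": mms_failed},
        "session_overhead_rate": setup_time / total if total else None,
    }


if __name__ == "__main__":
    for name, value in analyse(TRACE).items():
        print(f"{name}: {value}")
```

Measuring RTT from the first transmission rather than the retransmission is what makes retransmissions visible in the RTT figures as well as in the retransmission count, which is the behaviour one wants when comparing the cellular and wired runs of the technology tests.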
Experimental results (figure slide)
Wrap-up: Experimental platforms
- The work presents an experimental framework to assess the performance of security solutions in energy control systems and to evaluate new functionality for the timely management of residual risks
- A common security assessment methodology is used to evaluate the application of IEC 62351 security standards for protecting IEC 61850 and IEC 60870-5-104 communications of renewable DER and hydro power plants over heterogeneous technologies in lab and field testbeds
- The distinguishing aspect of the assessment methodology is the definition of performance measures specific to the energy applications and to the communication/security protocols
- Heterogeneous communication networks: mobile networks, wired links
Wrap-up: Cyber Security measures
- End-to-end security conforming to IEC 62351-4/5: communication integrity and confidentiality are provided by authentication mechanisms and encryption algorithms at the application and transport layers
- Security monitoring conforming to IEC 62351-7: ongoing anomalies and cyber attacks on energy systems are detected by a monitoring infrastructure supporting fast reactions and continuous defense enforcement
- The energy system monitoring collects data objects from IEDs according to IEC 62351-7, and combines them with the IETF data objects available in commercial network devices
Key lessons: Results
- The IEC 62351 implementation in the IEC 60870-5-104 and IEC 61850 protocols results in good performance of end-to-end communications in all the tested technologies, provided that the connection is stable
- The dependency of performance values on the packet size is clearly visible in both wired and wireless technologies
- The security profile configuration influences the transport handshake times, and the influence is stronger with low speed links
- Measures from field tests gave useful feedback on technological improvements of the HPP telecontrol infrastructure
- The performance assessment methodology allows specifying Quality of Service requirements that cover security extensions, useful for SLAs with telco operators
Key lessons: Results
- Results from monitoring tests contributed to the specification of IEC 62351-7 data objects
- The implementation of a monitoring infrastructure able to correlate the performance indicators from IED and network devices increases the effectiveness of attack detection and mitigation
Thank you! Contact: Giovanna.Dondossola@rse-web.it