Making the most out of substation IEDs in a secure, NERC compliant manner

Transcription

1 Making the most out of substation IEDs in a secure, NERC compliant manner Jacques Benoit, Product Marketing Manager, Cybectec Inc. Jean-Louis Pâquet, Chief of Technology, Cybectec Inc. Abstract An increasing number of sophisticated electronic devices are finding their way to the substation. These include traditional devices such as RTUs, DFRs and SERs, as well as newer devices such as PLCs, protection relays, equipment monitoring devices, metering devices and power quality meters. Utilities are just beginning to appreciate the value of the information these Intelligent Electronic Devices (IED) can provide. The benefits that can be achieved by implementing an integration solution that provides immediate access to operational and non-operational data have been described at length in previous articles and presentations. So has the interest of providing remote access to devices for maintenance and configuration. However, many of these IEDs must now be considered critical cyber-assets and must be secured in compliance with NERC CIP through CIP Cyber Security Standards (formerly 1300). While the easiest way to achieve NERC compliance is to isolate IEDs from the outside world and operate them in standalone mode, this option is increasingly unattractive for the reasons mentioned above. Utilities that wish to achieve secure access to their substation devices will need to confront numerous technologies traditionally reserved for corporate Information Technology (IT) applications. Because of conflicting goals and requirements, the results of the confrontation between automation and control engineers, vendors, and security experts from corporate IT groups can easily result in less than perfect solutions that fail to meet the potential benefits. This presentation will discuss strategies now being implemented by major utilities in order to achieve the benefits of IED integration, while meeting NERC Cyber Security Standards. For each major NERC requirement, we will discuss the benefits and tradeoffs of various solutions at the IED level, the substation level and the enterprise level. 1 Introduction Utilities are currently installing a large number of new IEDs for protection and equipment monitoring purposes. In many cases, the IEDs are installed in a standalone manner, preventing the utility from benefiting from all the capabilities of these devices. New protection relays can provide data such as events and waveforms that can be quite valuable for protection engineers and outage management groups. Equipment monitoring devices produce data, such as gas concentration trends, that can be quite valuable for asset management, engineering and maintenance groups. Thus, the goal of IED integration solutions is therefore to make the substation data available to all interested parties. To meet this goal, many utilities are working with their Information Technology (IT) group to extend or replace the existing SCADA architecture with a new modern communications infrastructure based on standard networking technology. While such new architectures promise to provide unlimited connectivity, we will see that if they are not correctly applied, the result is a more complex system that does not bring the expected

2 benefits. Furthermore, networking technologies extend the security weaknesses of the corporate network to the control network. 1 Corporate networks and their technologies are based on the premise that performance is paramount and outages, while undesirable, are acceptable. This is clearly not true for a control system. Even where security is well defined, the primary goal in the corporate network is to protect the central server and not the edge client. In process control, the edge device, such as the PLC or smart drive controller, is considered far more important than a central host such as a data historian server. 2 SCADA vulnerabilities Up to now, the SCADA architecture had been considered secure because it used dedicated communication lines and proprietary technologies. The threats were mostly internal, with accidents, inappropriate employee activity, and disgruntled employees accounting for most of the documented problems. However, this situation is changing with the increased use of IT solutions in the field of process control. A report by the British Columbia Institute of Technology (BCIT) 2 indicates that from 2001 to 2003, the source of 70% of incidents was external. The BCIT analysis of the SQL Slammer Worm incident identifies the infiltration paths of this threat in control systems, some of which were in the power sector 3 : The Davis-Besse nuclear power plant process computer and safety parameter display systems were infected via a contractor s T1 line A power SCADA system was infected via a VPN A petroleum control system was infected via a laptop A paper machine HMI was infected via a dial-up modem Even if the Slammer worm was not targeted specifically at SCADA, it resulted in the complete paralysis of the affected control networks. The SCADA architecture was designed to provide safe and reliable process control, without any consideration for cyber security. The protocols used in the power industry include a number of features such as data quality, timestamps, and select-before-operate command functions that ensure the safety of the network and its operators. However, SCADA protocols are quite vulnerable to attack. If an attacker can gain access to the process network, it is a rather simple feat to disable a device or even to perform illegitimate control operations 4. The vulnerabilities of the power network were highlighted by the August 2003 blackout. While the blackout was not caused by a cyber incident, it clearly demonstrated what the results of an attack could be, prompting regulatory agencies to implement drastic measures to ensure the security of the network. In August 2003, the North American Electric Reliability Council (NERC) issued the NERC 1200 Urgent Action Cyber Security Standard in order "To reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets (computers, software and communication networks) that support those systems."

3 The NERC 1200 standard evolved into NERC 1300, and is now known as NERC CIP to CIP Cyber Security Standards. These standards describe measures that utilities will have to implement, as well as a strict timeline for implementation. 3 NERC Cyber Security Standards The NERC Critical Infrastructure Protection standards require utilities to define critical assets in general, and critical cyber-assets in particular. Utilities must also implement a complete security policy that will protect these assets from different types of potential attacks. The standard is subdivided into 8 sub-standards that are labeled CIP to CIP CIP Critical Cyber-Assets Utilities must define, maintain and document a list of all critical assets in general, and of all critical cyber-assets in particular. Critical cyber-assets are defined as being cyber-assets that are directly or indirectly accessible via routable protocols (networks) or via dial-up mechanisms (modems). Many, if not most, of the new IEDs now being installed must be considered critical cyber-assets. CIP Security Management Controls Utilities must have a master plan to manage all security related aspects of all critical assets, as defined in part CIP CIP Personnel and Training All persons having access to critical assets shall be assessed for risk, properly trained to be aware of the risks, and familiar with the security policies that have been put in place. CIP Electronic Security Utilities must define, implement, document and manage: Electronic security perimeters around critical cyber-assets Effective Access Control mechanisms at all access points to the perimeters Strong procedural or technical controls to ensure authenticity of the accessing party Controls for logging authorized access, detecting unauthorized access (intrusions), and attempts at unauthorized access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. Of all the NERC CIP sub-standards, Electronic Security is the one that most directly addresses substation integration and automation systems. CIP Physical Security Utilities must define, implement, document and manage: Physical security perimeters around all critical assets Physical Access control mechanisms at all physical access points Processes and tools to monitor accesses to the perimeter CIP Systems Security Management Utilities must define, implement, document and manage an overall System Security Management Program. The objective is to prevent, or at least minimize, the risk of failure or compromise from misuse or malicious cyber activity. Elements of compliance include account and password management, security patch management, access log management, test procedures, access reviews, integrity software, identification and documentation of vulnerabilities, change control and configuration management, backup and recovery tools, status monitoring tools, and so on. CIP-008 Incident Response Planning This part of the standard specifies that utilities must have established mechanisms for dealing with security related incidents. Incidents must be

4 monitored, classified, logged and reported. Actions must be taken to prevent similar incidents in the future. Roles and responsibilities related to these issues must be defined within the organization. It is considered that compliance with this requirement could be quite expensive and requires the hiring of full-time security analysts, or the use of external MSSP (managed security service provider) services 5. CIP-009 Recovery Plans - Utilities shall have appropriate recovery plans for all critical cyberassets and shall exercise these plans at least annually. Such plans must be defined, documented, tested, maintained up to date, and communicated to all personnel responsible for the operation of the critical Cyber assets. In the sections that follow we will describe how substation devices are being integrated and the vulnerabilities in the solutions being applied. We will also outline strategies for dealing with these vulnerabilities. 4 Integrating Substation Devices There are two important aspects to integrating a device. First, its information should be made available to all interested parties throughout the organization. Second, the device should be accessible locally and remotely for maintenance and configuration. As we have already mentioned, some data is used by SCADA. However, the greatest benefit is realized when the other types of data, such as event recordings, are made available to the parties that are best equipped to put the data to good use. Substation integration brings the following technical challenges There is a large variety of devices, produced by different manufacturers Substation devices use a variety of communication links: TCP/IP, RS-232, RS-422 or RS-485 Each device typically uses a proprietary communications protocol Typical devices use one communications port for data, and a separate port for maintenance and access to non-operational data Most devices support a single data link and cannot connect to multiple clients There are numerous parties interested in substation data: SCADA, EMS, OMS, maintenance, engineering, and asset management, to name the most common. There are two major approaches to device integration. The first approach uses traditional IT networking solutions. In this approach, all substation devices are connected to a port switch, terminal server or Frame Relay Access Device (FRAD). These devices provide the ability to connect a serial device to a TCP/IP network and make it accessible to any computer on the corporate network.

5 Figure 1: Integrating devices using a port switch Port switches provide a cost effective way to access remote serial devices from the enterprise level. However, this architecture has a number of limitations Typical port switches are designed for office environments and are not substation-grade equipment. Each device still only supports a single connection. Data cannot be distributed simultaneously to a number of interested parties. In effect, the port switch extends the cable from the device to a remote computer. Each application on each remote computer must be able to handle the variety of protocols used by the substation devices. While it is conceivable that a port switch could manage authentication through the use of a password, it will not manage access permissions. The user will have to know the access password for each remote device. A second approach to device integration is based on the use of an intelligent substation gateway that acts as a front-end processor and effectively processes and concentrates the data at the substation level. Since there is no equivalent off-the-shelf IT technology, intelligent substation gateways are generally provided by manufacturers of substation equipment or by specialized vendors.

6 Figure 2: Integrating devices using an intelligent gateway Intelligent substation gateways typically provide the following functions Connect serial devices using RS-232, RS-422 or RS-485, to a TCP/IP LAN. Poll each connected device using the device's own protocol, at the most appropriate rate, and store the data in the internal database. Perform data normalization. Convert data in proprietary formats to standard formats. Let remote systems access data from the gateway's internal database, at the most appropriate rate, using the most appropriate protocol. Make device data available simultaneously to multiple systems. Act as a port server and let remote users access any connected device for maintenance and engineering purposes. As we will see in the sections that follow, intelligent substation gateways can be used to solve many of the integration challenges, including enforcing security at the substation level. 4.1 Accessing Substation Devices Typical IEDs support two types of connections. The first is used by SCADA to retrieve data and perform control functions. The second is the device maintenance port used to configure the device and retrieve data, such as waveforms, that is not supported by the SCADA architecture. The maintenance port is most often accessed directly, using a laptop computer, or indirectly using a dialup modem. Most gateways implement a passthru capability to provide remote device access to corporate users.

7 USER 5 REMOTE ACCESS THROUGH CORPORATE LAN USER 6 REMOTE MODEM ACCESS TO CORPORATE LAN USER 7 REMOTE ACCESS THROUGH INTERNET INTERNET CORPORATE LAN WAN SUBSTATION LAN USER 4 REMOTE MODEM ACCESS TO GATEWAY USER 3 REMOTE ACCESS THROUGH SUBSTATION LAN USER 2 REMOTE MODEM ACCESS TO DEVICE USER 1 DIRECT ACCESS THROUGH DEVICE MAINTENANCE PORT Figure 3: Device access scenarios The figure above represents 7 different device access scenarios User 1 is in the substation and connects directly to the IED. In this scenario, the user has been granted access to the physical perimeter, but the electronic perimeter must be implemented by the device itself. In many cases, this will not be sufficient to meet NERC requirements. In the subsequent sections, we will discuss how this scenario should be replaced by the User 3 scenario. User 2 is outside the substation and uses a dialup modem to connect to the IED. This scenario is the most vulnerable. NERC recommends that modem access be disabled by default. User 3 is in the substation, connected to the LAN, and uses the gateway passthru capability to connect to the device. At first glance, this scenario is similar to the User 1 scenario. However, if the gateway implements true authentication, access control, logging and auditing, an electronic perimeter is effectively created, protecting all the devices connected to the gateway. User 4 is outside the substation and connects to the gateway using a dialup modem. As in scenario 3, the gateway implements an effective electronic perimeter. Furthermore, it can secure the modem access by performing caller ID validation, encrypting the communications link, and implementing SCADA-controlled modem enabling and disabling.

8 User 5 is connected to the corporate LAN. This type of connection is similar to scenario 3, except that the connection is from outside the substation. The gateway can enforce authentication and use a VPN to encrypt the communications link. Firewalls, routers and managed switches can be used to restrict access to certain computers only. However, we will show later on how this type of access can be eliminated almost completely by implementing an enterprise gateway. Users 6 and 7 are connected to the corporate LAN via a MODEM or Internet connection. These scenarios are extensions of scenario 5. Standard IT solutions are available to implement secure remote access for roaming employees. 4.2 IED Vulnerabilties Operating IED outputs, changing IED protection settings, or modifying IED control logic can have disastrous consequences when performed by unauthorized personnel. Yet, existing IEDs have very few, if any, inherent security related capabilities Data links are not encrypted and are vulnerable. Unauthorized parties can eavesdrop on data exchanges, disable devices or perform control functions. No support for true user authentication. Passwords are used to control access to different configuration levels, but do not identify the user accessing the device. No logging of successful and failed access attempts. At best, there is an alarm output and lockout capability when unsuccessful access attempts are detected. Maintenance and configuration functions are performed using vendor specific tools, through an unencrypted LAN or serial connection. In many cases, all data is exchanged in clear, using a terminal emulation program and a simple ASCII command language. The large number of devices being installed also introduces numerous organizational challenges Many IEDs are considered critical cyber-assets. To meet NERC CIP requirements, these devices must be identified, managed and secured. It is impossible for anyone to remember a different address and password for each IED in each substation. As a result, passwords tend to be the same for all IEDs. Anybody who knows one password knows them all. It is virtually impossible to change all the passwords in all the IEDs at any given time to revoke access for a single user. In the next section, we will describe how an intelligent substation gateway can be used to overcome most of these difficulties. 4.3 Using an Intelligent Substation Gateway to Secure IEDs Since it is impossible to secure each individual IED, we suggest using an intelligent gateway to manage all data and maintenance communication with the IED. As we mentioned previously, IEDs usually provide separate data and maintenance communication links. Both of these links are connected to the gateway, which then becomes the single point of access to the device Connect each IED to the gateway only. Block access to all other IED ports via appropriate IED configuration. Block any other features that are not required (IED control operations are a good example).

9 If it is deemed necessary, use a serial link encryption device to protect data exchanges between the IED and the gateway. Give each IED a unique and strong password. Further on, we will see how the gateway can be used to manage the passwords. Eliminate the need for users to connect to the IED. Use the gateway to collect all IED information that may be needed by external users or applications, including both operational and non-operational information. Channel remaining IED access requirements through the gateway s passthru mechanisms. Do not let users connect directly to the IED for maintenance. Most of the benefits of the above solution are derived from the additional intelligence that can be provided by an intelligent gateway. In the subsequent sections, we will analyze the functions that a gateway must support in order to make this possible. 4.4 Required Substation Gateway Capabilities In order to secure access to the substation IEDs, the gateway must effectively create an electronic perimeter that protects all included devices. To create this perimeter, the gateway needs to implement the following capabilities Perform true authentication with user names and passwords. Set up true authorization by assigning users to groups with well-defined privileges. Provide passthru connections to and from any IED for maintenance and configuration. These connections can be used locally in the substation, or remotely through the WAN or dial-up connection to the intelligent gateway. Grant passthru connection rights to authorized users only. Log all successful or failed passthru attempts in a tamper-proof log. Manage the passwords of all connected devices. Reveal the passwords to authorized users only. Whenever possible, automatically manage the login without revealing the password. Encrypt all passthru connections that span the WAN and/or dial-up connection. If required, encrypt all data communications with SCADA or other control centers. Provide the SCADA with internal data points to indicate the state of passthru connections, globally or to any specific IED. Provide the SCADA with internal control points to enable or disable passthru access, globally or to any specific IED. Provide the SCADA with the state of each device link, to detect device failure or tampering. Monitor passthru connections and block specific IED commands to unauthorized users, if possible. Log all operations performed using passthru connections. With these capabilities, the gateway becomes the single point of access for substation devices. In the next section, we will see how the gateway implements these capabilities.

10 4.4.1 Authentication As we have mentioned, most IEDs offer only a limited form of authentication using passwords. However, this is not sufficient to meet NERC CIP accountability requirements. If the gateway is to effectively limit access to authorized users and maintain a comprehensive log of all operations, each person or system accessing the gateway, or one of the connected IEDs, must be unambiguously identified. Users identify themselves uniquely by producing credentials that consist of something Only they know a secret password Only they have a smart-card, a token, a certificate, etc. Only they are a face, an iris, a fingerprint, etc. The gateway can validate the provided credentials in different ways. Decentralized (or distributed) authentication The simplest solution, adequate for small networks, is to store a list of all users in the gateway itself. This is the same type of security that is used when you set up user accounts on a home computer. However, this approach has serious limitations when there are multiple gateways to manage When a change occurs, each gateway must be updated. Unless an automatic synchronization mechanism is available, it is very difficult to remove or change a user within a limited time period. NERC CIP requires that access be revoked within 24 hours for any personnel terminated for cause. The fact that each computer must be updated whenever a change occurs generally precludes the possibility of using individual user accounts and of letting users change their own passwords. As we will see, even with these limitations, decentralized (or distributed) authentication is often the only feasible approach. Centralized authentication Centralized authentication removes the limitations mentioned above. In this type of authentication, the gateway connects to a trusted authentication server to validate the user credentials. This is the type of security implemented in corporate environments. The main advantage of centralized authentication is, of course, that the user list is managed in a single central location, often managed by the IT group. Changes to the user list become effective immediately, or at least the next time the gateway validates user credentials. With this approach, users can have a single corporate account that they can use to log in to all systems to which they have been granted access. However, there are difficulties with this approach Each gateway needs to establish an initial trust relationship with the authentication server. This process is usually supported by the operating system and must be performed by a person with network administrative privileges.

11 Each gateway needs to maintain access to the central authentication server to validate credentials. Access to an authentication server, such as Windows Active Directory, may require opening a large number of ports in firewalls, thereby increasing other vulnerabilities. Local access is not possible if contact is lost with the authentication server. While the application server can maintain a cache of valid credentials, the validity of this information must be limited in time to prevent unauthorized access by a user whose access has been revoked. An alternate means of authentication must be provided to ensure local access in the event of network loss. Since centralized authentication is part of all standard PC operating systems such as Windows XP or Linux, it is tempting to use these systems in the substation. However, hackers are constantly looking for new vulnerabilities in these systems, potentially making them more vulnerable to virus or worm attacks. Centralized authentication is the logical choice for services implemented at the enterprise level. In most utilities, network security is already implemented by the IT group, and users already have logins to access their files and mail. As we have seen, there still remain technical challenges to extending this solution to the substation Authorization Authorization consists of granting well-defined privileges to users that have been previously authenticated, and ensuring that all implicated parties know and enforce these privileges. To simplify management, privileges are usually assigned to groups. Users are then assigned to these groups, which define their privileges. For instance, users could be assigned to groups such as System Management manage all device configuration settings, including hardware configuration, networking, etc. Security Management manage device security settings Configuration Management manage device settings Device Maintenance view system logs and statistics Monitoring view real-time data Operation perform control operations Remote Access access device remotely using dialup modem or passthru connections As with authentication, groups and privileges are best managed in a centralized manner. The user provides credentials, and the authentication server responds with the group memberships, which define permissions. However, centralized authorization is subject to the same technical difficulties as those described for centralized authentication.

12 4.4.3 Encryption We mentioned previously that all communications between the IEDs and the gateway, as well as between the gateway and the control centers, are vulnerable. Encryption ensures the confidentiality of data exchanges, and up to a certain point, their integrity. If necessary, data exchanged on a serial link between the IEDs and the gateway can be secured by encryption devices. To secure data exchanges with control centers and remote users, the substation gateway will use two forms of encryption SSL (Secure Socket Layer) is an encryption technology used to create a secure communication channel between two systems. IEC TC57 Working Group 15 is currently defining standards for the security of the protocols used in the power industry. While they consider that it does not offer complete protection, they recommend using SSL to encrypt data exchanges 6. VPN (Virtual Private Network) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level. 4.5 Securing the Network All the benefits of IED integration are made possible by the TCP/IP networks being installed to connect the substation to the enterprise. The network and external modems are the privileged intrusion paths through which substation devices can be compromised. The network must be carefully designed to protect the gateway and other network devices. Industry best practices must be understood and applied 7. Firewalls and routers should be used to isolate devices. Managed switches should be used to set up VLANs and filter network traffic so that data can only be exchanged among authorized devices. The gateway should have a built-in firewall that limits access to only those ports required for connecting to control centers, and managing the gateway itself. Whenever possible, the use of standard TCP/IP services (FTP, TFTP, SNMP, HTTP, SMTP) should be avoided since they are often the source of vulnerabilities. If necessary, these services can be accessed through a secure VPN tunnel. The combination of an intelligent gateway and networking best practices can help put together a secure substation integration system that meets NERC CIP requirements. However, as long as users can access devices, there still remain some difficulties. In the next sections, we will see how we can set up services at the enterprise level to improve security and facilitate the management of the large number of IEDs installed in utilities. 5 Providing Enterprise-Wide Access to Substation Data The goal of substation integration is to make device data available to all interested parties throughout the organization. However, it is simply not practical to provide every single user and computer application with access to every single field device. Besides being incredibly insecure, the applications resulting from such a solution would be unwieldy and unmanageable.

13 But, do users really need to access IEDs? In many cases, users are connecting to devices to retrieve data that is not otherwise available. We mentioned earlier that new IEDs can produce data types such as waveform recordings, sequence of events and transformer oil analysis data, that cannot be handled by the existing SCADA architecture. Often, the only way to retrieve this type of data is by connecting to the IED maintenance port. To surmount this difficulty, the substation gateway should be capable of retrieving all the data types produced by the devices in the substation. Very few standard protocols support the retrieval of event files. The gateway manufacturer should go beyond simply supporting protocols, and provide complete data retrieval capability for all supported devices. With such capability, the substation gateway truly becomes the single access point to the substation. It then becomes possible to apply at the enterprise level, the strategy that was applied at the substation level. That is, as the substation gateway concentrates and processes data from all connected devices, the enterprise gateway could concentrate and process all substation data produced by all the substation gateways. The enterprise gateway would then become the single point of access at the enterprise level. The enterprise gateway could also be used to manage remote access to the substation gateways, when required for maintenance and configuration. Figure 4: Proposed enterprise architecture 5.1 Enterprise Gateway Functions In most utilities, there already exists a network infrastructure that provides secure access to corporate data and shared services such as . The security of this network is already assured by a central authentication and authorization service, such as Active Directory. An enterprise gateway service integrates into the corporate information infrastructure and provides the following services

14 Act as a front-end processor and manage communication with all substation gateways, using a variety of communication links. Some substations may be connected to the enterprise with high-bandwidth fiber connections, while remote substations may only be accessible through on-demand dialup access. The enterprise gateway must ensure reliable data exchange for all enterprise applications, whatever the communications link. Retrieve data from the substation gateways and make it available to various enterprise applications. Real-time data may be retrieved by continuous polling or by scheduled connections. Substation gateways may be configured to push up event files as soon as they are available. Perform data normalization. Most data produced by substation devices is in proprietary format. The substation and enterprise gateways convert data to standard formats. For instance, event files can be made available in industry-standard COMTRADE format. Retrieve gateway security logs and make them available for further analysis. Provide authorized users with passthru access to substation devices. 5.2 Enterprise Applications By providing enterprise-level access to substation data, the enterprise gateway becomes the infrastructure on which high-level enterprise applications can be developed. The following applications come to mind An event management application would use the enterprise gateway to retrieve files from protection relays, Digital Fault Recorders (DFR) and Sequence of Event Recorders (SER). The application could manage a database of events, notify the appropriate users when an event occurs, and make the data easily available through web-based access. A historian application or service would use the enterprise gateway to retrieve metering and state information from all substations, without any of the usual device interfacing and protocol conversion difficulties. Such an application would manage a historical database and would be useful for energy management, asset management and maintenance. An IED management application would use the enterprise gateway to manage all substation devices. The application could provide a central repository of device settings, software versions, and passwords, helping to meet NERC CIP requirements. The application could also maintain a history of version changes and offer a dashboard-like functionality, providing a high-level view of the state of all connected devices. A passthru application would provide authorized users with the ability to connect to any substation device for maintenance and configuration, in a secure, encrypted, manner. Lastly, the enterprise gateway would provide corporate and third-party application developers with an open, secure and well-documented interface to substation data. 6 Conclusion As we have seen, utilities can benefit by making better use of the data that is available in the new devices being installed in substations. However, providing access to these devices exposes

15 them to an unacceptable level of risk. NERC has recognized this situation and established guidelines to protect critical cyber-assets. In this paper, we have exposed a strategy for providing secure access to substation data. In short, the strategy consists of providing a technological infrastructure to retrieve substation data, with a minimum of human intervention. Intelligent gateways are used at the substation and enterprise levels to perform data acquisition and normalization. The substation network infrastructure can be secured and communication limited to machine-to-machine data exchanges through encrypted channels. Data is made available at the corporate level through enterprise applications. These applications can directly benefit from the secure infrastructure already deployed by IT departments in most utilities. 1 Common vulnerabilities in critical infrastructure control systems, Jason Stamp, John Dillinger, William Young, Jennifer DePoy, Sandia National Laboratories, 2 nd Edition, revised November 11, 2003, 2 The Myths and Facts behind Cyber Security Risks for Industrial Control Systems Eric Byres, British Columbia Institute of Technology, Justin Lowe, PA Consulting Group, 3 "SQL Slammer Worm Lessons Learned For Consideration By The Electricity Sector", North American Electric Reliability Council, Princeton NJ, June 20, SCADA Exposed, Mark Grimes, ToorCon 7 Conference, 5 The Compliance Cost of NERC Attack Prevention Standards, By Doug Howard, Counterpane Internet Security, and Dale G. Peterson, Digital Bond Inc., New Power Executive, May 2, 2005, 6 IEC TC57 Security Standards for the Power System s Information Infrastructure Beyond Simple Encryption, Frances Cleveland, Xanthus Consulting International, er%205.pdf 7 NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, British Columbia Institute of Technology,