CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS. Massimo Petrini (*), Emiliano Casale TERNA S.p.A.


21, rue d'Artois, F PARIS   D2-102   CIGRE 2012   http://

CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS

Massimo Petrini (*), Emiliano Casale, TERNA S.p.A.
Fouad Benlamkaddem, Andrea Faija, Paolo Grillo, Rosario Gulino, Federico Ridolfo, COL Giovanni Paolo S.p.A.
ITALY

SUMMARY

The electric power grid has evolved over the past decade with the introduction of digital technologies, such as Intelligent Electronic Devices (IEDs), and digital communication. As a result, Digital Substation Automation Systems (DSAS) are a reality. One of the main features of these systems is the high level of interconnection between devices, both at bay and at substation level, aimed at providing real-time information and allowing strong reliability and a high level of control. In this context, the new generation of automation systems adopts international standards, such as IEC 61850, IEC , SNMP and OPC, using industrial Ethernet and mainly TCP/IP-based communication protocols. Modern DSAS have to provide connectivity to external networks, such as the central office intranet, for real-time and off-line operation and management, including remote testing, maintenance and data retrieval for monitoring and supervision (such as sequence of events (SOE) records and oscilloperturbography, i.e. disturbance recording). These changes in technology have brought huge benefits from an operational perspective, but they have also introduced cyber security concerns that were previously confined to office or enterprise IT systems. Cyber security risks are mainly due to the adoption of open IT standards, to the high level of network interconnection and complexity, to the lack of antivirus suites on SCADA systems and to the use of commodity operating systems for automation and control.
The risks are inherited from the enterprise environment, but the solutions can be found by means of technologies coming from other environments: security can be guaranteed thanks to networking devices and services such as routers, firewalls, managed switches, antivirus, secure authentication, and so on. The security goals proposed by IEC TC57 WG15 and IEC include authentication of data transfers by means of digital signatures, granting access only to authenticated users (preventing spoofing), and intrusion detection.

(*) massimo.petrini@terna.it

Utilities, manufacturers and system integrators should consider the importance of cyber security and its role in enhancing the security of DSAS, in order to avoid loss of control of the process system. Each DSAS architecture should provide various methods for user authentication and secure access to the different substation IEDs, including relays, meters, RTUs, PLCs and substation servers. Configuration access, maintenance access and manual and automatic retrieval of fault data have to be considered. Some threats may come from hackers, vandals and terrorists, but also from an authorized operator, who may act carelessly due to a lack of specific operating rules. This paper shows several possible methods to reduce or eliminate damage to DSASs, dealing with software, hardware, network configuration and operating procedures in a typical DSAS scenario. Mainly, it proposes a secure architecture able to provide useful additional services, such as monitoring or configuration of devices. These goals are reached by means of the configuration of existing network devices (i.e. L2 managed switches) and the addition of a redundant firewall (verifying the use of CARP, the Common Address Redundancy Protocol). The introduction of this service architecture must not impact the performance and reliability of the process control system.

KEYWORDS
Cyber Security, Firewall, Monitoring, VLAN, ACL, Antivirus, Sniffing.

1. INTRODUCTION

Cyber security standards and procedures have reached a state of maturity in the sector of office or enterprise IT. The growing diffusion of digital technology and open standards in the automation of electric substations requires utilities, system integrators and SAS vendors to face cyber security issues in this field too [1]. Unfortunately, standards and methods developed for traditional IT do not apply to digital SAS (DSAS) as they are, because in the SAS case the balance between security requirements and reliability requirements is particularly critical: tools normally used to protect IT systems from cyber threats, such as antivirus software, can significantly affect the performance of a digital SAS if they involve components performing real-time functions. So far, the main requirement of a SAS has been reliability; therefore the components of the first generation of DSAS are not yet ready to fully meet the cyber security requirements arising from the international standards and working groups dedicated to this scope (an overview of these initiatives is available in [2]). Protection of DSASs has been limited to the isolation of the local network from the corporate network by means of firewalls, while physical access to the substation is controlled by means of video surveillance. However, findings from different risk assessment activities, such as those reported in [3], show that cyber threats to DSAS can arise not only from hackers or people not authorized to access the substation, but also from regular company operators who can unintentionally infect the system with malicious software. The introduction of appropriate countermeasures for DSASs is needed, but it requires a gradual approach: it is necessary to start from the definition of solutions that apply to DSASs already in operation, thus limiting the impact on their components.
In order to describe and analyze the problem, a typical DSAS architecture based on the IEC 61850 standard is considered (Figure 1); the two issues treated are:
o intra-bay and inter-bay network traffic analysis during normal operating mode;
o retrieval of data stored in the Station Computer, and policies for the Access Control System.

Figure 1 : Typical DSAS architecture

2. BAY NETWORK ANALYSIS IN OPERATING MODE

In this application, the bay is considered the minimum network unit. A typical bay is shown in Figure 2: it consists of IEDs and a switch that guarantees the interconnection with the whole DSAS. The transport of information between bay and substation level uses MMS messages over TCP/IP, whereas GOOSE messages, based on connectionless multicast communication, are used for the peer-to-peer interface at bay level. The GOOSE service replaces physical I/O in order to reduce cabling between IEDs; for this purpose it must fulfil real-time requirements, with transmission times of the order of a few milliseconds. During the operation of the system or during testing activities, it may be necessary to analyze the behaviour of this multicast messaging by means of a network traffic sniffer [4]. The analysis should neither affect system performance nor open a breach (a "Trojan" entry point) for typical IT attacks (denial of service, data flooding). An improper or inadequate configuration of the bay switch can be the source of undesired behaviour and possible security breaches. An example of network interconnection at bay level is shown in Figure 2.

Figure 2 : Typical connections at bay level
o Ports 1, 2, 3 are dedicated to the IEDs.
o Ports 7, 8 provide the interconnection with the rest of the DSAS.
o Ports 4, 5 must be disabled because they are not used.
o Port 6, the monitoring port, is used to connect a notebook performing network traffic sniffing.

It is important to highlight that this notebook could be infected by viruses and worms, so it is necessary to add appropriate protection to the DSAS. The proposed solution consists in configuring the bay switch so that frames entering from the port used by the operator for network traffic monitoring never reach the process network; this switch (typically a Layer 2 switch) is capable of grouping subsets of its ports into virtual broadcast domains isolated from each other. These domains are commonly known as virtual LANs (VLANs). In our case study we use VLAN tagging. Calling VLAN M the tag used for the data flow dedicated to the monitoring analysis, appropriate protection of the system is obtained with the VLAN configuration shown in Table 1. In this way the traffic sniffing activity does not introduce any system vulnerability, because all inbound traffic from the monitoring port is tagged as VLAN M by the switch, and this VLAN is forbidden on all the other ports. Therefore the injection of any data packet into the network from the monitoring port is inhibited. For this to hold, port 6 must behave as an access port of VLAN M: untagged frames are assigned to VLAN M on ingress, and frames that already carry an 802.1Q tag must be dropped rather than honoured, otherwise the notebook could tag its own frames into the bay VLAN. As a consequence, the configuration of IEDs will not be possible through the bay switch, but this is not a real problem because IEDs are normally equipped with a configuration port on the front panel. The capture of the whole bay traffic from the monitoring port is possible by means of the port mirroring mechanism. However, this can introduce packet duplication at the output of the monitoring port (a frame mirrored both where it enters and where it leaves the switch is delivered twice); an appropriate selection of the mirrored ports and direction, depending on the analysis needs, reduces the impact of this issue.

Table 1 : VLAN configuration for safe monitoring at bay level

PORT    STATE     NATIVE VLAN    FORBIDDEN VLAN   MIRROR
1,2,3   ENABLED   NO             VLAN M           -
4,5     DISABLED  NO             VLAN M           -
6       ENABLED   YES (VLAN M)   -                1,2,3,7,8
7,8     ENABLED   NO             VLAN M           -

(NATIVE VLAN: whether VLAN M is the port's native, i.e. untagged, VLAN; MIRROR: the ports whose traffic is copied to this port.)

3. RETRIEVAL OF DATA STORED IN THE SUBSTATION COMPUTER

As already mentioned, the local network dedicated to the DSAS has to be segregated from the corporate network; the only point of access to the substation system from the remote centre is an RTU using standard protocols such as IEC . This kind of access reduces the number of available services and network paths, but guarantees a high security level, confining the point of exposure to the RTU itself.
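The VLAN and mirroring rules of Table 1 (Section 2), as a runnable model added here; this is not code from the paper. It assumes hypothetical VLAN ids (10 for the bay VLAN, 99 for VLAN M), an example IEC 61850 GOOSE multicast destination address, and a simplified learning switch in which port 6 is an access port of VLAN M (tagged frames from the notebook are dropped) and ports 7 and 8 are trunks that forbid VLAN M. It also contrasts Table 1 with the weak configuration where the monitoring port is left in the bay VLAN, and shows the packet duplication caused by mirroring both directions of every port.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Hypothetical VLAN ids: the paper names the monitoring VLAN "VLAN M" but gives no numbers.
VLAN_BAY = 10
VLAN_M = 99
GOOSE_MAC = "01:0c:cd:01:00:01"   # example IEC 61850 GOOSE multicast destination


@dataclass(frozen=True)
class Port:
    enabled: bool = True
    native_vlan: int = VLAN_BAY              # VLAN assigned to untagged ingress frames
    trunk_vlans: frozenset = frozenset()     # tags honoured on ingress; empty = access port
    forbidden: frozenset = frozenset()       # VLANs that must never leave this port
    mirror: frozenset = frozenset()          # (source_port, "rx" | "both") copied to this port


@dataclass(frozen=True)
class Frame:
    src_port: int
    dst_mac: str
    vlan: Optional[int] = None               # 802.1Q tag as received; None = untagged


class BaySwitch:
    """Minimal VLAN-aware learning switch with port mirroring."""

    def __init__(self, ports: dict[int, Port]):
        self.ports = ports
        self.mac_table: dict[str, int] = {}  # learned unicast MAC -> port

    def ingress_vlan(self, f: Frame) -> Optional[int]:
        p = self.ports.get(f.src_port)
        if p is None or not p.enabled:
            return None
        if f.vlan is None:
            return p.native_vlan
        # a tag supplied by the sender is honoured only on a trunk carrying that VLAN
        return f.vlan if f.vlan in p.trunk_vlans else None

    def member(self, pid: int, vlan: int) -> bool:
        p = self.ports[pid]
        return p.enabled and vlan not in p.forbidden and (
            vlan == p.native_vlan or vlan in p.trunk_vlans)

    def forward(self, f: Frame, src_mac: str = "") -> dict[int, int]:
        """Return {egress_port: copies} produced by one ingress frame."""
        out: dict[int, int] = {}
        vlan = self.ingress_vlan(f)
        if vlan is None:
            return out                       # dropped at ingress
        if src_mac:
            self.mac_table[src_mac] = f.src_port
        known = self.mac_table.get(f.dst_mac)
        if known is not None and known != f.src_port and self.member(known, vlan):
            egress = [known]
        else:                                # multicast / unknown unicast: flood within the VLAN
            egress = [pid for pid in self.ports if pid != f.src_port and self.member(pid, vlan)]
        for pid in egress:
            out[pid] = out.get(pid, 0) + 1
        # mirroring copies frames to the monitoring port regardless of VLAN membership
        for pid, p in self.ports.items():
            for src, direction in p.mirror:
                if src == f.src_port:
                    out[pid] = out.get(pid, 0) + 1       # copy of the ingress frame
                if direction == "both" and src in egress:
                    out[pid] = out.get(pid, 0) + 1       # copy of the egress frame
        return out


def table1_switch(mirror_direction: str = "rx") -> BaySwitch:
    """Bay switch configured as in Table 1; the mirror direction is a parameter."""
    ied = Port(forbidden=frozenset({VLAN_M}))
    unused = Port(enabled=False, forbidden=frozenset({VLAN_M}))
    uplink = Port(trunk_vlans=frozenset({VLAN_BAY}), forbidden=frozenset({VLAN_M}))
    monitor = Port(native_vlan=VLAN_M,
                   mirror=frozenset((src, mirror_direction) for src in (1, 2, 3, 7, 8)))
    return BaySwitch({1: ied, 2: ied, 3: ied, 4: unused, 5: unused,
                      6: monitor, 7: uplink, 8: uplink})


def weak_switch() -> BaySwitch:
    """Same switch with the monitoring port left in the bay VLAN: the unsafe setting."""
    sw = table1_switch()
    sw.ports[6] = Port(mirror=sw.ports[6].mirror)     # native VLAN defaults to VLAN_BAY
    return sw


if __name__ == "__main__":
    safe, weak = table1_switch(), weak_switch()
    print("notebook injects on port 6, Table 1:", safe.forward(Frame(6, GOOSE_MAC)))
    print("notebook injects on port 6, weak   :", weak.forward(Frame(6, GOOSE_MAC)))
    print("GOOSE from IED on port 1, rx mirror:", safe.forward(Frame(1, GOOSE_MAC)))
    print("GOOSE from IED on port 1, both dirs:", table1_switch("both").forward(Frame(1, GOOSE_MAC)))
```

With Table 1 applied, a frame injected on port 6 (untagged, or tagged with the bay VLAN) reaches no port at all, while a GOOSE frame from an IED is flooded to the other bay ports and copied once to port 6. Mirroring both directions of ports 1, 2, 3, 7 and 8 delivers the same GOOSE frame five times to the notebook, which is the duplication the text warns about; mirroring ingress only is the selection that avoids it.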
On the other hand, data stored in the Substation Computer (oscilloperturbographies, event lists, alarm lists, etc.) are often analyzed outside the substation; it is therefore necessary to retrieve data from the Substation Computer both locally and remotely. This means that there is a growing need for:
o local safe USB data storage;
o remote and local read-only FTP and web access.

A new and more secure approach is now necessary, but it is important to keep in mind that:
o in the case of local access, direct connection of removable devices, such as USB storage devices, to the Substation Computer could cause viral infections, as on any IT system;
o in the case of remote access the threat exposure is far greater.

Furthermore, the addition of firewall and antivirus services to the Substation Computer is not possible, because it would cause an overload and consequently a serious risk of loss of performance.

A possible solution consists in the introduction of a dedicated device implementing a redundant firewall, topologically located between the routers and the Substation Computer. This solution allows to:
o control local access to the Substation Computer from USB data storages;
o create a new obligatory network path for remote access to the DSAS.

The device consists of two industrial embedded computers, each equipped with:
o 3 Ethernet ports;
o 1 USB port;
o a Unix-based operating system;
o an Access Control System;
o antivirus;
o a redundancy protocol (CARP);
o an optional mail service to send data backups.

The insertion of the device in the DSAS is illustrated in Figure 3.

Figure 3 : Redundant Firewall in DSAS

The direct connection of removable devices to the Substation Computer or to other devices belonging to the DSAS must be forbidden. For local access to the Substation Computer, the operator has to insert the removable storage unit into the dedicated USB port of the firewall. The firewall scans the USB drive for viruses and accepts only clean removable media. The result of the scanning procedure is the activation of a red LED if the device is infected, otherwise the activation of a green LED if the device is clean; only in the latter case is the drive mapped as a network resource. After that, the operator can access this network resource from the Substation Computer or from other workstations belonging to the DSAS. A push button on the proposed firewall has to be pressed to safely remove the USB data storage. Moreover, the firewall provides a secure Ethernet port to connect other devices used by an operator at substation level, such as a notebook, to use FTP and web access locally. Once the notebook is plugged into the Ethernet port, it is necessary to open a web browser; the firewall then activates a captive portal for the authentication of the operator. Only authenticated operators can access the FTP service available on the Substation Computer. The FTP resources must, obviously, be configured as read-only. Note that plain FTP carries credentials and data in clear: the captive-portal authentication and the read-only configuration bound what an operator account can do on the Substation Computer, not the confidentiality of the session on the operator segment.

4. CONCLUSIONS

The described solutions are transparent towards a DSAS based on switched LANs and IEDs; the higher level of security does not affect the standard performance of any part of the system. Safe monitoring at bay level is performed by means of a proper configuration of the bay switches. The addition of local and remote services is provided by new devices without any network reconfiguration, either logical or physical. In order to guarantee an efficient security system, it is important to develop a maintenance strategy (e.g. antivirus updates and application of security patches): this is possible in the two following ways:
o definition of a local procedure to be applied by a specialized IT operator;
o definition of a remote procedure to be applied by the remote centre.

The next step towards a more secure DSAS consists in the development of DSAS components that are even more secure, starting from their design phase.

BIBLIOGRAPHY

[1] M. Petrini, C. Sabelli, E. Casale, "New requirements for substation automation systems", 2010 CIGRE Session, SC B5 Protection and Automation, Paper 113.
[2] M. Braendle, S. A. Kunsman, "Balancing the Demands of Reliability and Security - Cyber Security for Substation Automation, Protection and Control Systems", ABB White Paper.
[3] Idaho National Laboratory, "National SCADA Testbed substation automation evaluation report", October 2009.
[4] B. Vandiver, A. Apostolov, "Functional Testing of IEC Based Substation Automation Systems", 2005 CIGRE SC B5 Colloquium, Calgary, CA, Paper 215.
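A worked example for the USB intake procedure of Section 3 (the scan-then-export gate of the redundant firewall), added here and not part of the paper. It assumes the firewall is a Unix host that mounts the operator's drive with the read-only options in SAFE_MOUNT_OPTS and calls ClamAV's clamscan (a real command, with its documented exit codes 0 = clean, 1 = infected); the red/green LED, the network share and the push button are represented by the returned verdict, and a hash-blocklist scanner stands in for the antivirus engine so the example runs offline on a constructed drive image. It also covers a case the paper does not discuss: if the scanner itself is missing, crashes or times out, the drive is refused rather than exported (fail closed).

```python
from __future__ import annotations

import hashlib
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Iterable

# Mount options assumed for the operator's drive on the firewall: read-only, no device
# nodes, no set-uid binaries, nothing executable from the drive itself.
SAFE_MOUNT_OPTS = "ro,nodev,nosuid,noexec"


@dataclass(frozen=True)
class Verdict:
    led: str                      # "green": clean, export as share; "red": refuse the drive
    exportable: bool
    reason: str
    findings: tuple[str, ...] = ()


# A scanner returns (exit_code, findings) following clamscan's convention:
# 0 = clean, 1 = infected, any other code = the scanner itself failed.
Scanner = Callable[[Path], tuple[int, list[str]]]


def clamscan(mountpoint: Path) -> tuple[int, list[str]]:
    """Adapter for ClamAV's clamscan (real command, not exercised by the offline test)."""
    proc = subprocess.run(
        ["clamscan", "-r", "--infected", "--no-summary", str(mountpoint)],
        capture_output=True, text=True, timeout=600)
    return proc.returncode, [ln for ln in proc.stdout.splitlines() if ln.endswith("FOUND")]


def hash_blocklist_scanner(bad_sha256: Iterable[str]) -> Scanner:
    """Stand-in engine for testing: flags files whose SHA-256 is on a blocklist."""
    bad = set(bad_sha256)

    def scan(mountpoint: Path) -> tuple[int, list[str]]:
        findings = []
        for path in sorted(mountpoint.rglob("*")):
            if path.is_symlink() or not path.is_file():
                continue                       # never follow links off the drive
            if hashlib.sha256(path.read_bytes()).hexdigest() in bad:
                findings.append(f"{path.relative_to(mountpoint)}: blocklisted FOUND")
        return (1 if findings else 0), findings

    return scan


def intake_decision(mountpoint: Path, scanner: Scanner = clamscan) -> Verdict:
    """Gate a removable drive: export it as a share only if a scan ran and found nothing."""
    try:
        code, findings = scanner(mountpoint)
    except (OSError, subprocess.SubprocessError) as exc:
        # engine missing, crashed or timed out: fail closed, never export an unscanned drive
        return Verdict("red", False, f"scanner failed: {exc}")
    if code == 0 and not findings:
        return Verdict("green", True, "clean")
    if code == 1 or findings:
        return Verdict("red", False, "infected", tuple(findings))
    return Verdict("red", False, f"scanner error (exit {code})")


def demo() -> dict[str, Verdict]:
    """Run the gate on a constructed drive image (temporary directory), three cases."""
    results: dict[str, Verdict] = {}
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "events").mkdir()
        (drive / "events" / "SOE_2012.csv").write_text("ts,event\n1,CB_OPEN\n")
        dropper = drive / "tool.exe"
        dropper.write_bytes(b"MZ constructed sample, not a real binary")
        blocklist = [hashlib.sha256(dropper.read_bytes()).hexdigest()]
        results["infected"] = intake_decision(drive, hash_blocklist_scanner(blocklist))
        dropper.unlink()
        results["clean"] = intake_decision(drive, hash_blocklist_scanner(blocklist))

        def missing_engine(_: Path) -> tuple[int, list[str]]:
            raise FileNotFoundError("clamscan: command not found")

        results["no_scanner"] = intake_decision(drive, missing_engine)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>10}: LED {verdict.led:5} export={verdict.exportable} ({verdict.reason})")
```

The design point is that the share is exported only on an explicit "clean" result from a scanner that actually ran; an absent engine, a non-zero error code or a timeout all yield the red LED, so an outdated or broken antivirus installation (the maintenance issue raised in the conclusions) degrades to "no USB access" instead of "unscanned USB access".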