INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT



Similar documents
Manage Utility IEDs Remotely while Complying with NERC CIP

Wireless Field Data Backhaul

DIGITAL CONTROL SYSTEM PRODUCT SOLUTIONS

RuggedCom Solutions for

future data and infrastructure

Cisco Smart Grid: Substation Automation Solutions for Utility Operations

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Symphony Plus Cyber security for the power and water industries

How To Extend Security Policies To Public Clouds

Challenges and Opportunities for Aligning the Power System Cybersecurity and Reliability Objectives

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

ABB North America. Substation Automation Systems Innovative solutions for reliable and optimized power delivery

GE DigitalEnergy. Integrated Substation Control System (iscs) IEC based Substation Automation Solutions

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Cisco Nexus Planning and Design Service

CG Automation Solutions USA

John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

RUGGEDCOM CROSSBOW. Secure Access Management Solution. siemens.com/ruggedcom. Edition 10/2014. Brochure

Cisco Integrated Video Surveillance Solution: Expand the Capabilities and Value of Physical Security Investments

Industrial Security Solutions

NERC CIP VERSION 5 COMPLIANCE

Document ID. Cyber security for substation automation products and systems

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

Cisco Outdoor Wireless Network Serves Up Automatic Meter Reading

Remote Management Services Portfolio Overview

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

THE FUTURE OF SMART GRID COMMUNICATIONS

Exam Name: Cisco Sales Associate Exam Exam Type: Cisco Exam Code: Doc Type: Q & A with Explanations Total Questions: 50

Cyber Security and Privacy - Program 183

How To Create A Large Enterprise Cloud Storage System From A Large Server (Cisco Mds 9000) Family 2 (Cio) 2 (Mds) 2) (Cisa) 2-Year-Old (Cica) 2.5

Testing Intelligent Device Communications in a Distributed System

Technology Spotlight on Cellular Data Networking for SCADA system networks. Presented by Teamwork Solutions, Inc.

Silver Peak s Virtual Acceleration Open Architecture (VXOA)

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Tufin Orchestration Suite

Policy Management: The Avenda Approach To An Essential Network Service

Cisco Unified Computing. Optimization Service

Open Enterprise Architectures for a Substation Password Management System

Optimally Manage the Data Center Using Systems Management Tools from Cisco and Microsoft

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Cisco Network Optimization Service

Network Management System (NMS) FAQ

IBM Tivoli Netcool network management solutions for enterprise

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment

Best Practices for deploying unified communications together with SIP trunking connectivity

Payment Card Industry Data Security Standard

Securing Distribution Automation

Page 1 of 5. IS 335: Information Technology in Business Lecture Outline Computer Technology: Your Need to Know

GE Digital Energy. Digital Energy. Modular Substation Automation Systems Overview. gimagination at work. imagination at work

IT Security and OT Security. Understanding the Challenges

Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Configuration Management: Best Practices White Paper

GE Measurement & Control. Cyber Security for NEI 08-09

Cisco Advanced Services for Network Security

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

Redesigning automation network security

5 Key Reasons to Migrate from Cisco ACE to F5 BIG-IP

Cisco Change Management: Best Practices White Paper

Visualization, Management, and Control for Cisco IWAN

Cyber Security Management for Utility Operations by Dennis K. Holstein (Opus Publishing) and Jose Diaz (Thales esecurity)

Cisco Virtual Network Management Center

Cyber Security. Smart Grid

SDN and NFV in the WAN

ISACA rudens konference

Infoblox vnios Software for CISCO AXP

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Alcatel-Lucent Services

Transform Your Business and Protect Your Cisco Nexus Investment While Adopting Cisco Application Centric Infrastructure

Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments

Cisco Certified Security Professional (CCSP)

HBA Virtualization Technologies for Windows OS Environments

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Unlocking the Full Value of Your Meter Data

Extreme Networks Solutions for Microsoft Skype for Business Deployments SOLUTION BRIEF

CCNA Security 2.0 Scope and Sequence

Cisco Application Networking for BEA WebLogic

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008

Waterfall for NERC-CIP Compliance

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

The Importance of Cybersecurity Monitoring for Utilities

Smart Substation Security

HP Private Cloud Solutions

EMC IONIX FOR SMART GRID VISIBILITY AND INTELLIGENCE

Secure Substation Automation for Operations & Maintenance

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

TRIPWIRE NERC SOLUTION SUITE

Supporting Municipal Business Models with Cisco Outdoor Wireless Solutions

Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Cisco Unified Communications Remote Management Services

Transcription:

Utilities WHITE PAPER May 2013 INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Table of Contents Introduction...3 Problem Statement...4 Solution Requirements...5 Components of an Integrated Solution...6 Integrated Remote Access Management...6 Integrated Password Management...7 Integrated Configuration Management...7 Integrated Visualization and SCADA Control...8 Complete Substation Security Designs...10 Other Benefits of the Joint Solution...11 Operations Center Integration and Applications Deployment...11 Certified Interoperability...11 Conclusion...12 About Cisco Products...13 About SUBNET Solutions Inc. Products...14 For More Information...15

3 Introduction Introduction Today s modern substation architecture requires information technology (IT) devices just as much as it requires operational technology (OT) devices. The design and operation of the substation networks play a part in the reliability and control of the power grid. IT and OT technology has traditionally been managed separately, meaning that utilities stand up separate solutions for the different types of devices. These solutions include securing remote access, adhering to NERC/CIP regulations, providing status reporting through SCADA, and providing local substation situational awareness through graphical visualizations. But implementing separate IT and OT solutions imposes higher costs in capital expense; training, operating, and maintaining separate networks; and guaranteeing security. In this paper, Cisco and SUBNET Solutions Inc. (SUBNET) present several techniques that will help utilities solve the problem of requiring multiple device access and management solutions for their substation devices and specifically focuses on integrating the device access and management of substation IT and OT devices. The net results are an up-front savings in infrastructure costs, a continual savings in operations and maintenance costs, and easier access to information, with security and scalability to grow as needed.

4 Problem Statement Problem Statement Traditional substation architectures demonstrate levels of discontinuity between device functions and business systems. This has mainly risen from vendor-specific device functions being aligned with the vendor-specific business systems as well as the use of serial-based point-to-point connectivity to integrate the devices within the substation. This is true for OT devices, and is more-so true when IT devices are part of the substation architecture. This leads to duplicate systems being installed, one for each vendor type. The resulting system is fragmented, complex, and requires significant up-front and operations and maintenance investment to maintain. Figure 1 illustrates the typical situation today. Figure 1. Traditional Substation and Business System Architectures As shown in Figure 2, modern substation architectures using networking technology, physical and cyber-security infrastructure, and standards-based interoperability are able to normalize the environment and make sure the device and business system integration is consistent, does not require duplication, and is more cost-effective.

5 Problem Statement Figure 2. Modern Substation and Business System Architectures Solution Requirements Any solution to this problem must include the following elements: Centralized and in-the-field visualization of the system as a whole and all of its components. Multiple, disparate visualization systems can be confusing, require more training, and might lead to operator errors. Remote engineering access to the substation devices. Once the problem is consistently visualized, implementing a solution in a timely and costeffective manner is the next challenge. Remote access from the operations center reduces truck rolls and cuts to the time to rectify a problem. Strong security. Remote access and visibility without adequate cyber security can be disastrous if the communications network does not effectively mitigate the ever-present threat from hackers and coordinated attackers.

6 Components of an Integrated Solution Components of an Integrated Solution Integrated Remote Access Management SUBNET s PowerSYSTEM Center manages access to IEDs, allowing utilities to securely perform a broad range of operational, maintenance, and asset management tasks remotely. Through its single-sign-on capability, role-based access control is based on the user s IT username and password. Instead of having to know specific connection and password information for every different IED in the system, users need only know their existing IT username and password; the IED management system manages user access rights based on these credentials. (See Figure 3.) Figure 3. Integrated Remote Access Management This capability is also used to provide access to Cisco 2500 Series Connected Grid Switches and the Cisco 2010 Connected Grid Router (CGR 2010). When integrated with PowerSYSTEM Center, utility personnel manage access to the IT devices in the substation in the same manner as they manage the access to their OT devices. Role-based access control can make sure that only qualified personnel are allowed access to the Cisco equipment. Among the many benefits of remote access: Remote access avoids truck rolls, saving on the utility s operating costs Remote access leads to faster response times. Faster completion of work orders means: o Better operational efficiency o Improved CAIDI/SAIDI Remote access means less on-site human presence in the substation, enhancing worker safety Remote access usually leads to centralized, unified access with a common set of tools, reducing training costs PowerSystem Center provides interleaved SCADA control with remote access on a serial link, using existing substation cabling to provide remote access

7 Components of an Integrated Solution Integrated Password Management SUBNET s PowerSYSTEM Center automates the password management process for all IEDs, including the communications network, all of which are needed for compliance with NERC CIP. It becomes the secure password vault and repository for all IED passwords. More than that, however, administrators can make password changes at prescheduled times, while preserving the ability to make password changes on demand or manually, as required. They can grant and control local IED access without additional hardware at the substation. NERC/CIP requires devices to have their passwords rolled every so often. And critical infrastructure includes the communications network equipment in the substation. PowerSYSTEM Center provides this functionality. It can be a password vault solution for Cisco Connected Grid routers and switches. By providing role-based access control and comprehensive password management functionality, the SUBNET IED and substation device Management Solution PowerSYSTEM Center facilitates NERC CIP compliance and is a key part of a comprehensive solution needed for full compliance. It simplifies and facilitates NERC CIP audits by delivering easily maintained and accessible audit records. And, of course, it lowers security risk. The solution allows employees to better focus on their job function. It minimizes labor required to perform password changes by simplifying the password maintenance process. As a result, it lowers risk and increases reliability for both IEDs and networking equipment in the substation. Integrated Configuration Management The Configuration Management aspects of PowerSYSTEM Center are provided with the My Settings module. This module integrates Power- SYSTEM Center s native Data Model with SharePoint s Document Library infrastructure. This allows for the full search capabilities as defined by the Data Model metadata along with the full archiving and version control management capabilities of SharePoint s Document Libraries.

8 Components of an Integrated Solution Integrated Visualization and SCADA Control Most utilities today manage substation devices (IEDs and RTUs) using SCADA systems at the headend. Toolsets have been created using SCADA protocols. To enable use of this investment in management systems and personnel training and expertise, Cisco s substation switches report status via SCADA. This means that a management system such as PowerSystem Center can give unified access to both operational as well as IT equipment deployed in the substation. Modbus allows for the substation switches also be integrated into the SubSTATION Explorer HMI for local situational awareness and control. This aids in on-site diagnostics and troubleshooting and reduces the time it takes to determine errors and validate function. Visualization of Cisco substation switches is quickly realized in SubSTATION Explorer through the use of prebuilt templates. Figure 4 illustrates how this looks to an operator.

9 Components of an Integrated Solution Figure 4. Examples of centralized management of substation devices While command line interfaces and SCADA protocols are the norm for utility operations and control, many utilities are investing in the tools and protocols used in traditional IT network management such as SNMP and Cisco- Works NMS. Together, these tools smooth the path to integration of IT and OT by extending the view of the substation devices into the traditional IT network view, while extending the view of the substation LAN devices into the traditional SCADA-based HMI and visualization.

10 Complete Substation Security Designs Complete Substation Security Designs Moving beyond password security and into the realm of network security, the CGR 2010 helps to maintain a secure perimeter and access around the substation network. In conjunction with SUBNET s SubSTATION Server, the electronic security perimeter can be preserved through the security posturing within the router while working in combination with SUBNET s secure IED access features. Specific routing policies and firewall capabilities can be employed on the router and network to create and restrict all logical paths to IEDs to transit through the SubSTATION Server. Other functionality can also be deployed on the CGR 2010 to provide additional security aspects for the Substation Data Gateway. Data Confidentiality for all SCADA traffic can use the on board hardware acceleration within the CGR 2010 for increased encryption performance. Advanced VPN functionality within the router will also help integrate further with the network to provide greater end-to-end flexibility for the Substation Data Gateway. As mentioned previously, the Cisco IOS Firewall is a zone-based stateful firewall built into Cisco IOS Software that makes the CGR 2010 an ideal security and routing solution in one device for protecting the WAN entry point to the substation data gateway and associated IEDs. The Zone-based firewall capability provides segmentation while providing traffic inspection. Cisco can provide additional functionality for SCADA protocols like Firewall, Intrusion prevention, Data classification for Quality of Service (QoS) and Segmentation to bind the substation gateway and the network gateway more closely together.

11 Other Benefits of the Joint Solution Other Benefits of the Joint Solution Operations Center Integration and Applications Deployment Cisco s powerful and cost effective Cisco Unified Computing System (Cisco UCS ) servers can host PowerSYSTEM Center and other SUB- NET applications in a native or virtualized environment. Integrating and consolidating multiple management applications systems as VMs on a single Cisco UCS rack mount server can reduce the capital cost of operations center server infrastructure, and save on maintenance and enhancement costs, while providing scalability and future growth. Certified Interoperability SUBNET Solutions Inc. is a member of the Cisco Developer Network (CDN) for Connected Grid. Solutions described above have been jointly designed by Cisco and SUBNET, verified to be interoperable, and certified as Cisco Compatible. The certification helps ensure the customer that the joint solutions can be easily and cost-effectively deployed, avoiding time-consuming integration and testing at each site.

12 Conclusion Conclusion Cisco and SUBNET are partnering to enable an easier transition from traditional substation architectures to an integrated and secure substation architecture. Multiple devices, access technologies and vendors need to be accommodated during this evolution. As shown in this paper, SUBNET and Cisco provide real solutions for this integration by using networking technology, physical and cyber-security, and standards-based interoperability. The net result to the utility company is operational cost savings, improved reliability and safety, and improved security of the substation and power system infrastructure.

13 About Cisco Products About Cisco Products The Cisco Connected Grid portfolio of solutions is designed specifically for the harsh, rugged environments often found in the energy and utility industries. These solutions include the CGR 2010 and the Cisco 2520 Connected Grid Switch (CGS 2520), which have been designed to support the communications infrastructure needs of the energy delivery infrastructure across the generation, transmission, and distribution sectors. Designed for highly secure, reliable, and scalable infrastructure, the CGR 2010 and CGS 2520 are an ideal platform to support the Smart Grid and other energy delivery infrastructure needs of customers. These ruggedized products have been extensively tested and are KEMA certified to meet challenging substation compliance standards, including IEEE 1613 and IEC 61850-3. In addition, Cisco s Physical Security and Mobility products help monitor the substations while allowing secure and auditable access to maintenance personnel. Cisco s best-in-class WAN infrastructure products help to connect the substation and the operations center together seamlessly and securely. Finally, Cisco brings the highly scalable and cost-effective Cisco UCS platforms and associated data center products for hosting applications to the table. The SUBNET portfolio of solutions is designed specifically to provide utilities with multi-vendor compatibility for substation operational and non-operational data access, local substation data visualization, secure remote device access, automated password management, and configuration management. These solutions include SubSTATION Server, SubSTA- TION Explorer, and PowerSYSTEM Center.

14 About SUBNET Solutions Inc. Products About SUBNET Solutions Inc. Products SubSTATION Server is a multi-function software application that performs data concentration, protocol translation, automation logic, event file collection and enterprise connectivity. It replaces outdated RTU data concentrators, relay communication processors and other legacy integration devices and enables utilities to get more out of existing IED investments by helping them avoid unnecessary IED upgrades and replacements just to add new IED communication or security functionality. SubSTATION Explorer is an HMI that revolutionizes the way electrical utility substations are maintained and operated today while transforming these traditional substations into tomorrow s smart substations. For personnel who manage electrical utility substations, SubSTATION Explorer is a software application that enables you safely, securely and reliably view and control all of your critical substation data. PowerSYSTEM Center is a powerful multi-vendor, multi-function IED management solution. With PowerSYSTEM Center utilities are able to securely and centrally manage their large install base of many different intelligent electronic devices (meters, relays, RTUs, etc) deployed throughout their entire transmission and distribution system. Used by dozens of the largest T&D companies in North America for NERC CIP IED access control, PowerSYSTEM Center is a multi-function IED management solution that supports several additional functions including: unified relay event file collection and archiving, unified password management, unified asset monitoring and unified data historian interfaces.

15 For More Information For More Information For more information on the Cisco Connected Grid portfolio of products, visit www.cisco.com/web/strategy/energy/external_utilities.html. For more information on SUBNET s portfolio of products, visit www.subnet.com. 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco s trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information