Smart Substation Security




Slide 1: Smart Substation Security
SmartSec Europe 2014, Amsterdam, 29/01/2014

Slide 2: Agenda
- Context: Elia
- Introduction to the substation environment in Elia
- Security design and measures in the substation
- Near and far future

Slide 3: About the Elia Group (Introduction)
- Among the five largest transmission system operators in Europe
- Frontrunner in grid integration of renewables since incorporation in 2001
- Listed on the stock exchange since 2005
- 1,950 employees
- 380 kV and 220 kV (down to 30 kV in Belgium)
- 870 substations
- Fully unbundled
- World experience in RES integration

Slide 4: About Elia Belgium
- Customers: 130 direct customers (connected to Elia's network), over 25 Distribution System Operators
- 1,250 employees
- 11 sites in Belgium
- 800 HV substations
- Network: mostly owned or leased copper and fibre (Cu, FO); some leased lines (local telecom provider); tests with satellite communication

Slide 5: General concept: Defence in Depth
Defence in depth principle: security threats are not mitigated by a single countermeasure only, but by implementing several complementary security techniques at multiple levels.

Slide 6: What has changed the world (of the substations)?
Security (the old world):
- Point-to-point connections
- Old access network technology with TDM, SDH
- Low bandwidth needs
- No need for online access to information
- Only telephony needed
- Assets maintained locally, with limited information about their state
Business (the new needs):
- A lot of interaction between devices
- Need for IP and more mainstream technologies (MPLS)
- High bandwidth needs
- Technicians in the field need online access to office space and online access to information
- Assets maintained remotely from a normal PC

Slide 7: Example: old situation (diagram; RTU with point-to-point connections)

Slide 8: Today: connections based on IEC 104 (IP) over MPLS (diagram)

Slide 9: Example: Asset Control Center (diagram)

Slide 10: Steps in the design exercise with impact on security
- Step 1: inventory of data flows and protocols and their criticality
- Step 2: architectural design of network and channels (VPN/VLAN)
- Step 3: cyber risk identification and mitigation (acceptance or compensating controls)

Slide 11: Needs: generality of data flows
- Remote reading and data management: metering, power quality files
- Remote monitoring: equipment status (alarms, events, ...)
- Remote maintenance: action on equipment (parameterization, ...)
- Remote control: action on HV substation (RTU)
- Others: telephony, cameras, ...

Slide 12: Some results of this exercise
- LAN and WAN high-level design
- Hub and spoke model
- Jumpserver (gateway functionality)
- Network authentication and port security in the substation

Slide 13: LAN and WAN high-level design: SAS LAN
- SAS LAN based on 2 physically independent LANs: GLAN and SLAN
- GLAN for general applications of the HV substation
- SLAN for protection, control and automation => IEC 61850 (> 2018)
Why?
- High cyber-security level of protection = segregation
- General applications require medium and low level performance and are not critical for protection and control of the HV substation
- Protection, control and automation applications require high level performance and are critical for protection and control of the HV substation

Slide 14: LAN and WAN high-level design: VLANs (diagram)
Diagram elements: substation LAN switches (SBUS-LAN and G-LAN VLANs), WAN routers, IP/MPLS WAN, VPN tunnels, central firewall, SCADA, office network.
VLANs in the substation:
- Network management (SBUS-LAN and G-LAN)
- Telephony
- Data Elia Wi-Fi and guest Wi-Fi
- Data Elia wired
- Video surveillance, access control
- SBUS-LAN: electricity management (RTU, ...)
- G-LAN: electricity management (Perturbo, Counter, Qwave, ...)

Slide 15: LAN and WAN high-level design: IP address plan
- IP address plan reflecting the functional communication planes
- Allows easy configuration of firewalls based on L3 IP addresses
- Configuration based on L2 MAC addresses is not manageable
- Prioritisation of traffic / QoS / classification

Slide 16: Hub and spoke model (diagram: substation 1 and substation 2 connect over the IP/MPLS WAN through a central firewall)
+ Manageability
+ Easy to change technology
+ Logging
- Agree to possibly lose a complete substation
- Single point of failure?
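As an added example (not Elia's code or configuration) of how the address plan of slide 15 and the central firewall of slide 16 work together: when each functional plane of each substation has its own prefix, the plane and site of any address can be derived from the address itself, and the hub's policy becomes a short list of plane-pair rules instead of per-device MAC entries. Only the plane names (SBUS-LAN, G-LAN, management, telephony, video surveillance) and the jumpserver role come from the slides; every prefix, site number, port and rule is an assumption constructed for this example.

```python
"""Address-plan-driven central firewall policy (added example; not Elia's code).

Constructed plan: substation <site>, plane <p> lives in 10.<site>.<p>.0/24, and
the central hub zones (SCADA, jumpserver, office) have their own prefixes.
All substation traffic crosses the central firewall (hub and spoke), so the
policy below is evaluated there, per functional plane rather than per device.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Third octet identifies the functional plane (constructed values).
PLANE_OCTET = {
    "sbus": 10,  # SBUS-LAN: electricity management (RTU, ...), critical
    "glan": 20,  # G-LAN: general applications (Perturbo, Counter, Qwave, ...)
    "mgmt": 30,  # network management (SBUS-LAN and G-LAN switches)
    "voip": 40,  # telephony
    "cctv": 50,  # video surveillance, access control
}
# Central side of the hub-and-spoke design (constructed prefixes).
CENTRAL = {
    "scada": ip_network("10.250.10.0/24"),
    "jump": ip_network("10.250.20.0/24"),   # substation gateway / jumpserver
    "office": ip_network("10.251.0.0/16"),
}


@dataclass(frozen=True)
class Endpoint:
    plane: str
    site: Optional[int]  # None for central zones


def substation_prefix(site: int, plane: str) -> IPv4Network:
    """The prefix the plan assigns to one plane of one substation."""
    return ip_network(f"10.{site}.{PLANE_OCTET[plane]}.0/24")


def classify(addr: str) -> Endpoint:
    """Derive (plane, site) from the address alone: the plan makes it computable."""
    ip: IPv4Address = ip_address(addr)
    for zone, net in CENTRAL.items():
        if ip in net:
            return Endpoint(zone, None)
    first, site, plane_octet, _ = ip.packed
    if first == 10 and 1 <= site <= 249:
        for plane, octet in PLANE_OCTET.items():
            if octet == plane_octet:
                return Endpoint(plane, site)
    return Endpoint("unknown", None)


# Plane-pair rules: (src plane, dst plane, protocol, dst port, action).
# "*" matches anything; first match wins; anything unmatched is denied.
# Because every rule names planes, adding a substation adds no rules.
RULES = [
    ("scada", "sbus", "tcp", 2404, "allow"),   # IEC 60870-5-104 to the RTU
    ("office", "jump", "tcp", 3389, "allow"),  # technicians reach the jumpserver
    ("jump", "sbus", "*", "*", "allow"),       # engineering access only via jumpserver
    ("jump", "glan", "*", "*", "allow"),
    ("office", "sbus", "*", "*", "deny"),      # no direct office access to OT planes
    ("office", "glan", "*", "*", "deny"),
    ("voip", "voip", "*", "*", "allow"),       # telephony between sites via the hub
]


def evaluate(src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (action, reason) for one flow as seen at the central firewall."""
    s, d = classify(src), classify(dst)
    if "unknown" in (s.plane, d.plane):
        return "deny", "address outside the plan"
    for rs, rd, rp, rport, action in RULES:
        if rs == s.plane and rd == d.plane \
                and rp in ("*", proto) and rport in ("*", port):
            return action, f"rule {rs}->{rd} {rp}/{rport}"
    # Substation-to-substation traffic lands here unless a plane pair
    # (such as voip->voip) is explicitly allowed: hub and spoke, no lateral paths.
    return "deny", "default deny"


# Constructed sample of flows as the central firewall would log them.
SAMPLE_FLOWS = [
    ("10.250.10.5", "10.1.10.20", "tcp", 2404),  # SCADA -> site 1 RTU
    ("10.251.3.7", "10.1.10.20", "tcp", 2404),   # office PC straight to the RTU
    ("10.251.3.7", "10.250.20.9", "tcp", 3389),  # office PC -> jumpserver
    ("10.250.20.9", "10.2.20.15", "tcp", 443),   # jumpserver -> site 2 G-LAN
    ("10.1.10.20", "10.2.10.20", "tcp", 2404),   # site 1 RTU -> site 2 RTU
    ("10.1.40.3", "10.2.40.3", "udp", 5060),     # telephony between sites
    ("192.168.9.9", "10.1.10.20", "tcp", 2404),  # address not in the plan
]


def audit(flows=SAMPLE_FLOWS) -> dict:
    """Count allow/deny decisions; the denies are what central logging surfaces."""
    counts = {"allow": 0, "deny": 0}
    for src, dst, proto, port in flows:
        action, reason = evaluate(src, dst, proto, port)
        counts[action] += 1
        print(f"{action:5} {src:>13} -> {dst:<13} {proto}/{port}  ({reason})")
    return counts


if __name__ == "__main__":
    audit()
```

The `classify` step is the whole point of the address plan: the firewall never needs a table of devices, and a new substation or a replaced IED falls into the right plane automatically, which is what makes the L3 approach manageable where a MAC-based one is not.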

Slide 17: Jumpserver: access to devices in the substation (diagram: office LAN -> router -> WAN -> router -> substation gateway/jumpserver -> SBUSLAN switch and GLAN switch)
- Access to applications based on Active Directory groups

Slide 18: Network authentication and port security
- First choice: network authentication, 802.1X (mostly GLAN)
- Second choice: port security (based on MAC)
- BUT: difficult to find IEDs that support proper network authentication

Slide 19: Specific constraints in the TSO world
- Long lifetime of electricity assets: we don't trust the embedded security features for the moment and choose to bolt on security where possible
- Harsh environment (ruggedized equipment): mainstream security equipment is not always suited
- Long decision process with European tenders for frame agreements: not easy to make quick choices (long time between writing a tender and the decision)
- Availability is still the number 1 priority for some devices: stopping a false positive can do more damage than letting through a potential attack

Slide 20: What's still on our roadmap?
Short term:
- Blackbox implementations based on common mainstream technology (e.g. Windows Embedded: no antivirus, no patching, local admin, no lockdown)
- Blackout mitigation, out-of-design scenario: emergency preparedness exercise, cyberattack on the realtime environment
- Regular contact with vendors, SPOC for security, security roadmaps
Mid term:
- Establishment of a 24/7 Security Operation Center
- Next-gen industrial firewalls in monitoring mode
Longer term:
- Next-gen industrial firewalls in blocking mode, based on business transaction monitoring?
- Embedded security in devices? IEC 62351?

Slide 21: Questions?
kris.hallaert@elia.be