Centralized cyber security management and monitoring applications based on open standards


Michael Obrist, Frank Hohlbaum
michael.obrist@ch.abb.com
ABB Switzerland, Ltd

Steven Kunsman, José Ruiz, Bharadwaj Vasudevan
ABB Substation Automation
Raleigh, NC

Summary

With the introduction of Ethernet based communication protocols in Substation Automation Systems (SAS), cyber security aspects became an additional part of the SAS design. Today cyber security related requirements are part of customer specifications and need to be considered during the complete life cycle of the SAS.

Applying cyber security to any system has to be treated as a continuous process. Protecting a system against attacks, managing the system to ensure long term stability and monitoring the system are the focus areas of the described cyber security process.

Protecting a SAS starts by using only components that are designed to be cyber security compliant. Extensive testing of cyber security relevant aspects during the development cycles of all system components such as IEDs is essential. But hardening the individual component is not enough: adequate levels of cyber security protection also have to be applied in the system design. The required protection level can be different for individual stations and should be based on a risk assessment or threat analysis, international standards as well as best practices.

Security management can become complex, therefore security managers need software applications to be efficient. A Role Based Access Control (RBAC) system is such an application. It allows users and their roles to be managed from a central point, even for many substations in different locations.

Last but not least, access and other user activity in the different system components need to be monitored. Central user activity logging will collect cyber security related events from the equipment and present this information to the responsible personnel. An efficient and user friendly approach is the key feature of a monitoring application as well.

Tracking the deployed software versions is not only a maintenance or asset management issue but also an additional way to detect potential attacks. A firmware version of an embedded device should not change without one of the service engineers having been assigned a task to do this. Being able to retrieve such version information automatically improves the overall efficiency of cyber security management.

This paper describes the benefits of centralized cyber security related functions such as Role Based Access Control (RBAC), User Activity Logging (UAL) and software version tracking. The paper also highlights how these new tasks can be implemented in an interoperable and user friendly way.

Introduction

With the introduction of mainstream communication means like Ethernet based communication protocols in Substation Automation Systems (SAS), cyber security aspects became an additional part of the SAS design. Today cyber security related applications and functionalities are part of customer specifications and have to be considered during the design of the SAS. Cyber security is not a static one time installation of a product, but needs to be followed up on a regular basis during the complete life cycle of the SAS.

Cyber security process

Applying cyber security to any system has to be treated as a continuous process. Protecting the SA system against an attack, managing the system to ensure long term stability and monitoring security related events in the system are the focus areas of the described cyber security process.

Figure 1: The described cyber security process

Protect

Protecting a SAS starts by using only components that are designed to be cyber security compliant. Extensive testing of security relevant aspects during the development cycles of all system components such as IEDs is essential. But hardening the individual component is not enough: adequate levels of cyber security protection also have to be applied in the system design. The required protection level may be different for individual substations and should be based on a risk assessment and threat analysis referring to international standards as well as to best practices.

Manage

The protected system needs to be managed to ensure a sustainable solution. Managing a system means keeping its protection always up to date. The management of cyber security aspects can become complex, therefore security managers need support from software applications to be efficient. A Role Based Access Control (RBAC) system is such an application. It allows the responsible person to manage users and their roles consistently from a central point, even for many substations in different locations.

Monitor

Finally, security related events like access and other user activities in the different system components need to be monitored to identify potential attacks and to optimize the protection. Central user activity logging will collect cyber security related events from the equipment and present the information to the responsible personnel. An efficient and user friendly approach, such as automatically recognizing event patterns and bursts, is a key feature of such a monitoring application.

Multi-vendor environments

To ensure consistent cyber security related functionality and protection in heterogeneous installations it is fundamental to follow international standards as much as possible. Only by implementing and using standardized mechanisms can the same level of protection be achieved for many SAS systems, even when delivered by different vendors.

Cyber security standards and regulations relevant for SAS

In addition to government driven efforts, the increased importance of cyber security for power systems has also led to various standards bodies and working groups taking on this challenging topic. The standards produced vary widely in focus, level of detail and maturity. Each of them covers and focuses on different areas or parts of the overall system, thus leaving many gaps in between. The following picture shows an overview of standards and regulations relevant for substation automation systems and products:

Figure 2: Cyber security standards relevant for substation automation

NERC CIP

The NERC CIP regulations have had the biggest impact on electric utilities so far and have been the focal point of most security programs. The regulation makes a clear statement that the main responsibility for securing the electric grid lies with the utilities and that it is not just about technology but also about processes. There are some shortcomings in the current version, e.g. the exclusion of serial protocols or the focus on a single electronic security perimeter. An additional area for improvement is the definition of critical assets and critical cyber assets. While the definition of what is deemed critical and what is not has been made a bit clearer with version 4, protection of critical (cyber) assets is still done in an all or nothing fashion. If a cyber asset is classified as critical, all NERC CIP requirements apply; if it is not classified as critical, it does not have to be protected at all (unless it is within the electronic security perimeter). This all or nothing approach does not take into account different levels of criticality and does not allow for different levels of security, which is a common best practice for security of computer based systems. However, the current ongoing revision is looking at different levels of criticality, which will hopefully lead to a more realistic and more granular approach to cyber security.

ISA/IEC-62443 (formerly ISA-99)

ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems. All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, and Component.

1. The first category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
3. The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core to this is the zone and conduit design model.
4. The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.

IEEE C37.240

Developed jointly within IEEE PES Substations and PSRC, this standard is based on the applicability and the technical implementation of the NERC CIP and NIST Smart Grid security efforts for substation automation, protection and control systems. The standard on Cyber Security Requirements for Substation Automation, Protection and Control Systems provides technical requirements for substation cyber security. It presents sound engineering practices that can be applied to achieve high levels of cyber security of automation, protection and control systems independent of voltage level or criticality of cyber assets. Cyber security includes trust and assurance of data in motion, data at rest and incident response.

IEC 62351

IEC 62351 is a technical security standard that aims to secure power system specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the standard were released in 2009, more work is needed before systems compliant with IEC 62351 can be put on the market. First of all the affected communication standards must be changed to support IEC 62351.
In addition there are some technical challenges with securing real time traffic that must be addressed by the working group of IEC 62351.

IEEE 1686

Security of intelligent electronic devices is the scope of IEEE 1686. The document defines in technical detail security requirements for IEDs, e.g. for user authentication or security event logging. The standard very nicely points out that a) adherence to the standard does not ensure adequate cyber security, i.e. that adherence to the standard is only one piece in the overall puzzle, and that b) adherence to every clause in the standard may not be required for every cyber security program. With this the standard gives vendors clear technical requirements for product features but at the same time leaves room for specific, tailored system solutions at the customer site.

The standards applicable to substation automation systems consist of different parts, which are in different phases. Some parts have been finalized and are released, some are still under development. For instance, the IEC 62351 standard, which secures all TC 57 protocols, has many parts which are still under development.

Part 8 of IEC 62351 [3] is finalized and was published in 2013. It defines role-based access control (RBAC) for power systems. This is not a new concept; it is in fact part of best practices in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users, such that they only have the permissions they need to perform their duties. This reduces the risk to the power system as permissions are only assigned when they are actually needed, according to the principle of least privilege. The standard also defines a list of pre-defined roles (e.g., VIEWER, OPERATOR, etc.), and of pre-defined rights (e.g., View, Read, Control, etc.). In addition, the standard also defines two different models (i.e., push and pull) for authorization mechanisms, and provides more information on how to handle sessions.

Other IEC 62351 parts are being revised because implementations based on the first versions have turned out to be difficult. The published IEC 62351 Part 6 has been proven not to be feasible for practical implementation and a second edition is under preparation. Work on several important areas, like security for XML files or key handling, has just been started and needs some time until it is finalized.

One important part of standardisation is interoperability.
IEC 62351 has just started to address this topic and is going to extend each part with conformance testing. As long as conformance testing is not introduced, interoperability cannot be guaranteed.

Centralized cyber security management and monitoring applications

Role Based Access Control

Not everybody needs to be a system administrator. A common sense approach in cyber security management is to grant the least possible privileges to every user. Managing users and their privileges individually on a per device basis is error prone and very inefficient. Using a centralized Role Based Access Control (RBAC) system according to IEC 62351-8 allows the person responsible for security in a company to manage users and assign roles to those users at a central level.

The installed devices within various substations may be of different ages, hence another key aspect is the ability to integrate IEDs and network equipment with different capabilities. Modern, new IEDs might support centralized RBAC out of the box, but legacy devices lack this functionality. Access to those IEDs can be restricted by applying configuration policies on the computer hosting their configuration software. Either the software provides the functionality to restrict access to certain functions based on user authentication (login), or the computer operating system has to be configured in such a way that only certain users have access or are allowed to start the configuration software. Adding features to the configuration software can generally be expected to be easier than updating the firmware of many IEDs. Updating or changing the configuration of an IED usually results in re-testing of the main functionality (e.g. protection or control).

Assuming that the access control is applied, the central RBAC server can easily be used for adding or removing users, or changing the role of a specific user. Removing a user takes effect immediately, since the authentication is done on the server.
The proposed design assumes that at least one RBAC server is available in each substation to guarantee high availability. To complement the RBAC system, a master server is required at a higher level to allow the utility to consistently manage its users for all substations from the same place.

RBAC is not just a vendor initiative. It could be a very useful way to comply with current regulations. As an example, the North American Electric Reliability Corporation (NERC) has taken this into consideration in the standard CIP-003-3.

Figure 3: Simple role based access control (RBAC)

Event logging

The security of a system cannot be optimized without knowing what is going on. Two potential strategies for obtaining the information exist: first, receiving the information spontaneously from the devices, or second, polling the devices for the information. The optimal solution is a combination of both: collect the information online from the devices and, in case of re-initialization after a communication breakdown, poll the devices for historical events that are stored in their internal memory. In both cases the security related events always have to be time tagged.

The memory in the devices is limited, therefore communication (or reachability) supervision is essential. Once the communication to a device is interrupted, maintenance personnel have to check the situation on site and re-establish the communication.

When polling the IEDs, the central cyber security logging application has to ensure that events are not duplicated. In other words, the application has to ignore security related and all other events in the local storage that have already been transferred to its database. The integrity of the data retrieved from the IED has to be validated and, in case of suspicious data, a user, usually the person responsible for cyber security, has to be alerted. The identification of suspicious data can be based on received events, or on the fact that expected events are missing.

A common problem in logging is that there are currently no international standards describing the semantics of the individual events. The Syslog protocol [4] describes a way to exchange notification messages in a more or less free-form way, which makes it hard to identify semantically equal messages. For example, one device could send "User Bob successfully logged in" whereas another device would send "User: Bob; Log-In; OK". Both events mean the same and it is relatively easy for a human to interpret them in this way. But this approach is not optimal for an application that has to process all cyber security events automatically and derive statistical information from them. Hence the central logging application needs a standardized event definition into which all non-standardized incoming events are translated. In the previous example both incoming syslog messages would be translated into Event:ID=1110, UserInformation:Name=Bob. The application has to save both the original message and the translated one in its storage, to ensure that original firsthand information is not lost. To make this translation more efficient it is desirable that a common standardized message format with semantics will be based on international standards in the future.
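The translation, duplicate suppression and missing-event check described above, as an added example that is not part of the original paper. The event ID 1110 and the two login messages come from the text; the ID 1130, the device names, the per-device record counter `seq` and all sample events are constructed assumptions.

```python
"""Central security-event log: translate vendor syslog text to a common format."""
import re
from dataclasses import dataclass, field

# Translation rules: vendor-specific text -> common event ID.
# 1110 (successful login) is the ID used in the text; 1130 is a constructed ID.
RULES = [
    (re.compile(r"User (?P<user>\w+) successfully logged in"), 1110),
    (re.compile(r"User: (?P<user>\w+); Log-In; OK"), 1110),
    (re.compile(r"User: (?P<user>\w+); Log-In; FAILED"), 1130),
]


@dataclass(frozen=True)
class DeviceEvent:
    device: str     # name of the reporting IED
    seq: int        # record counter in the IED's local log (assumed to exist)
    time_tag: str   # time tag assigned by the device
    text: str       # original free-form message


def translate(text):
    """Return (event_id, user) for a known message, or (None, None)."""
    for pattern, event_id in RULES:
        match = pattern.fullmatch(text.strip())
        if match:
            return event_id, match.group("user")
    return None, None


@dataclass
class CentralLog:
    records: list = field(default_factory=list)    # stored events
    unmapped: list = field(default_factory=list)   # texts still needing a rule
    seen: dict = field(default_factory=dict)       # device -> set of stored seq

    def ingest(self, ev):
        """Store one event; return False if it is already in the database."""
        stored = self.seen.setdefault(ev.device, set())
        if ev.seq in stored:
            return False                  # already transferred: ignore it
        stored.add(ev.seq)
        event_id, user = translate(ev.text)
        if event_id is None:
            self.unmapped.append(ev.text)
        # Keep the original text next to the translated form.
        self.records.append({
            "device": ev.device, "seq": ev.seq, "time_tag": ev.time_tag,
            "original": ev.text, "event_id": event_id, "user": user,
        })
        return True

    def poll(self, device_history):
        """Ingest a device's stored history after a reconnect; return new count."""
        return sum(self.ingest(ev) for ev in device_history)

    def missing(self, device):
        """Record numbers expected between the first and last stored event."""
        stored = self.seen.get(device, set())
        if not stored:
            return []
        return [n for n in range(min(stored), max(stored) + 1) if n not in stored]


# Constructed sample: events received spontaneously before a communication loss.
SPONTANEOUS = [
    DeviceEvent("IED-A", 1, "2015-03-02T08:15:04Z", "User Bob successfully logged in"),
    DeviceEvent("IED-B", 1, "2015-03-02T08:16:40Z", "User: Bob; Log-In; OK"),
]
# Constructed sample: history polled from IED-A after the link is restored.
IED_A_HISTORY = [
    SPONTANEOUS[0],
    DeviceEvent("IED-A", 2, "2015-03-02T09:01:11Z", "User Alice successfully logged in"),
    DeviceEvent("IED-A", 4, "2015-03-02T09:05:37Z", "Setting group changed"),
]


def run_sample():
    """Replay the constructed events; return the log and the number of new events."""
    log = CentralLog()
    for ev in SPONTANEOUS:
        log.ingest(ev)
    return log, log.poll(IED_A_HISTORY)


if __name__ == "__main__":
    log, new = run_sample()
    print(new, "new events;", "missing on IED-A:", log.missing("IED-A"))
    print("unmapped:", log.unmapped)
```
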

The security events exposed to users are always the translated events, which as an additional benefit can also easily be localized. Of course all derived functions like statistics, evaluations and interpretations are based on this common format.

Syslog does not allow a device to be queried for all possible messages, thus a logging system cannot be considered maintenance free. Event texts that have never been received by the system have to be translated into the common format over time. This translation or event mapping is not a hard requirement; as a first step one could also use the raw original event data for monitoring.

The amount of security related events can become huge. Providing efficient management of this data requires automatic pre-processing and categorization. A central security logging application has to relieve the user of time consuming filtering and searching for specific events. Rather, it shall help the user to identify certain patterns that need to be analyzed more closely. Such patterns shall trigger an internal alarm, and subscribed users shall automatically be notified.

Figure 4: Central cyber security event logging

Version Tracking

Knowing what software and configuration versions are used within the system is an important monitoring task, not only for maintenance and asset management but also for cyber security. Even hardened components might become vulnerable to newly discovered or exposed attacks. Vendors publish device vulnerabilities and firmware patches on their websites, but without a time consuming manual inventory of the system it is impossible to identify where and which devices require new firmware patches. Sometimes it is enough to update the device configuration to eliminate a certain vulnerability. As a consequence, configuration updates also need to be documented manually. Therefore, a centralized version tracking system can assist end users to easily accomplish this task in an automated way, especially if the NERC CIP-007-5 requirements are taken into consideration.

Devices implementing IEC 61850 [5] provide access to firmware, software and configuration version information based on a standardized and therefore interoperable data model. As an example, the IEC 61850-7-3 standard, in its withdrawn edition 1 [6] and current edition 2 [7], treats as mandatory, denoted by M in the tables below, the IED vendor name and software version (swrev) on the logical node name plate.

Logical node name plate (LPL) common data class specification:

Attribute    M/O/C
vendor       M
swrev        M
d
du
configrev    AC_LN0_M
ldns         AC_LN0_EX
lnns         AC_DLD_M
cdcns        AC_DLNDA_M
cdcname      AC_DLNDA_M
datans       AC_DLN_M

Table 1: LPL from IEC61850-7-3 Ed.1

Attribute    M/O/C
vendor       M
swrev        M
d
du
configrev    AC_LN0_M
paramrev
valrev
ldns         AC_LN0_EX
lnns         AC_DLD_M
cdcns        AC_DLNDA_M
cdcname      AC_DLNDA_M
datans       AC_DLN_M

Table 2: LPL from IEC61850-7-3 Ed.2

But the amount of information that can be retrieved from an IED for tracking purposes is not limited to the two tables above. IEC 61850-7-3 leaves some optional information to be included on the device name plate by the IED vendors, such as the relay serial number (sernum), model, and so on.

Device name plate (DPL) common data class specification:

Attribute    M/O/C
vendor
hwrev
swrev
sernum
model
location
cdcns        AC_DLNDA_M
cdcname      AC_DLNDA_M
datans       AC_DLN_M

Table 3: LPL from IEC61850-7-3 Ed.1

Attribute    M/O/C
vendor
hwrev
swrev
sernum
model
location
name
owner
epsname
primeper
secondper
latitude
longitude
altitude
mrid
d
du
cdcns        AC_DLNDA_M
cdcname      AC_DLNDA_M
datans       AC_DLN_M

Table 4: LPL from IEC61850-7-3 Ed.2

This allows central applications to collect and track this kind of information automatically. Such automatic version tracking allows the end user to locate the equipment that requires a firmware patch released by a vendor much more efficiently. Only such devices have a future in SAS.
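A sketch of the automatic version tracking described above, as an added example that is not part of the original paper: it compares name plate readings against the last approved baseline, separates changes covered by a service task from those that are not, and lists devices running a version named in a vendor advisory. The attribute names vendor, swrev, configrev and sernum come from the tables; the device names, vendor names, version strings, work orders and the advisory are constructed, and the readings are embedded rather than fetched over IEC 61850.

```python
"""Version tracking from name plate data (vendor, swrev, configrev, sernum)."""
from dataclasses import dataclass

TRACKED = ("vendor", "swrev", "configrev", "sernum")


@dataclass(frozen=True)
class Finding:
    device: str
    attribute: str
    old: str
    new: str
    authorized: bool   # True when an assigned service task covers the change


def compare(baseline, snapshot, work_orders):
    """Return every difference between the approved baseline and a new reading."""
    findings = []
    for device in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(device), snapshot.get(device)
        if old is None or new is None:
            # A device that appeared, or one whose name plate could not be read.
            findings.append(Finding(device, "presence",
                                    "known" if old else "unknown",
                                    "read" if new else "unreadable", False))
            continue
        for attr in TRACKED:
            if old.get(attr) != new.get(attr):
                findings.append(Finding(device, attr, str(old.get(attr)),
                                        str(new.get(attr)),
                                        (device, attr) in work_orders))
    return findings


def unauthorized(findings):
    """Changes nobody was assigned to make: candidates for investigation."""
    return [f for f in findings if not f.authorized]


def needs_patch(snapshot, advisory):
    """Devices whose vendor and swrev match a published advisory."""
    return sorted(
        device for device, plate in snapshot.items()
        if plate.get("vendor") == advisory["vendor"]
        and plate.get("swrev") in advisory["affected_swrev"]
    )


# Constructed data: last approved state of three IEDs.
BASELINE = {
    "IED-A": {"vendor": "VendorA", "swrev": "2.1.0", "configrev": "2015-01-10", "sernum": "SN1001"},
    "IED-B": {"vendor": "VendorB", "swrev": "1.4.2", "configrev": "2014-11-03", "sernum": "SN2001"},
    "IED-C": {"vendor": "VendorA", "swrev": "2.1.0", "configrev": "2015-01-12", "sernum": "SN1002"},
}
# Constructed data: name plates as read during the latest collection run.
SNAPSHOT = {
    "IED-A": {"vendor": "VendorA", "swrev": "2.2.0", "configrev": "2015-01-10", "sernum": "SN1001"},
    "IED-B": {"vendor": "VendorB", "swrev": "1.4.3", "configrev": "2014-11-03", "sernum": "SN2001"},
    "IED-C": {"vendor": "VendorA", "swrev": "2.1.0", "configrev": "2015-01-12", "sernum": "SN1002"},
}
# Constructed data: a service engineer was assigned the IED-A firmware update only.
WORK_ORDERS = {("IED-A", "swrev")}
# Constructed advisory: VendorA firmware 2.1.0 needs a patch.
ADVISORY = {"vendor": "VendorA", "affected_swrev": {"2.1.0"}}

if __name__ == "__main__":
    for f in compare(BASELINE, SNAPSHOT, WORK_ORDERS):
        state = "authorized" if f.authorized else "UNAUTHORIZED"
        print(f"{f.device} {f.attribute}: {f.old} -> {f.new} [{state}]")
    print("needs patch:", needs_patch(SNAPSHOT, ADVISORY))
```
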

The NERC CIP group of standards provides a framework for the entitled utility to identify and protect its critical cyber assets to support reliable operation of its bulk electric system. The standards provide a general guideline for utilities to document and monitor these assets [7]. NERC CIP-003-3 [7] sets out the basic requirements for security management controls for critical assets. The need for a cyber security policy, information protection and access control is part of this standard. Adherence and compliance to these NERC CIP requirements has always been a challenge, which requires continuous auditing and documentation. To achieve maximum compliance at minimal effort, utilities will have to take a holistic approach to a solution. A tool based approach, such as enterprise level software that can perform a range of security related management tasks like access control, asset management etc., provides a standard platform for adhering to the NERC CIP requirements. In addition to this, new strict policies are to be implemented to secure and maintain all critical cyber assets. One advantage of using standards based tools is that they provide a methodology to create these policies. For example, today's tools can provide a platform to implement a 90-day automatic password change policy. Awareness of security risks, strong policy implementation, asset monitoring and maximum visibility of the installed base are the driving forces for meeting NERC CIP compliance requirements.

Conclusion

When we look at the organizations involved in maintaining utility system security (vendors, integrators, end users) it is fair to say that security is everybody's business. To the extent these groups cooperate with one another throughout the system lifecycle, security will be enhanced. At the same time, perhaps the most important aspect of security for the various players to keep in mind is that it is a journey and not a destination. There will always be new threats. Likewise, there will be new methods and technologies for meeting those threats. Vigilance, cooperation and technical expertise, when applied in unison, offer the best defense.

Fear usually results from a lack of information or even misinformation, compounded by the massive liability of non-compliance, and this supports our human tendency to resist. The main motivation is to embrace the cyber security requirements as enablers that make available critical data which can help higher level control systems have situational awareness and proactively make decisions. Information being available at a mouse click facilitates reliability improvements and contingency / scenario engagement. If the fear of cyber security prevents this real time information access from our data sources in the substations, then we have failed. Technology advances require infrastructure changes, and the faster we embrace and enable them, the quicker we will realize the untapped potential of modern systems.

Central cyber security applications are key functions to efficiently manage and monitor modern protected Substation Automation Systems (SAS). They provide users with at-a-glance status reports and highlight important events without losing crucial details needed to make correct decisions. Releasing users from cumbersome and error prone manual tasks allows them to focus on further optimization of cyber security. Proprietary cyber security implementations should be avoided for seamless integration of multi-vendor systems, even if some aspects are not properly addressed by individual standards today. IEC 61850 based substation automation systems make these tasks much easier.

References

[1] Cigré SC B5 Colloquium Nanjing 2015, Paper PS1-105, Centralized cyber security management and monitoring applications
[2] PacWorld Americas 2014, Replacing Fear with Knowledge - Cyber Security for Substation Automation, Protection and Control Systems
[3] IEC 62351-8, Power systems management and associated information exchange - Data and communications security - Role-based access control
[4] RFC 5424, The Syslog Protocol
[5] IEC 61850, Communication networks and systems for power utility automation
[6] IEC 61850-7-3 Edition 1.0: Basic communication structure for substation and feeder equipment - Common data classes
[7] IEC 61850-7-3 Edition 2.0: Basic communication structure for substation and feeder equipment - Common data classes
[8] NERC CIP Standards (http://www.nerc.com/pa/stand/pages/cipstandards.aspx)

Authors Information

Michael Obrist - Global Product Manager, ABB Switzerland Ltd. - Substation Automation Products
Michael is working for ABB's Power Systems - Network Manager Business Unit based in Baden, Switzerland. At ABB, Michael is a Product Manager and responsible for Software Products in the IEC 61850 domain. He spent nearly 20 years at ABB working across commissioning, R&D and Product Management within Substation Automation. Michael holds a PET degree in information technology and a master of advanced studies in software engineering. He is a member of the Cigré WG B5.51.

Frank Hohlbaum - Global Security Manager, ABB Switzerland Ltd. - Substation Automation
Frank is globally responsible for all aspects of cyber security within ABB's Substation Automation System and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Substations Automation. Frank Hohlbaum joined ABB Inc. in 1996 and has 19 years of experience in Substation Automation. He graduated from University in Furtwangen (Germany) with a Bachelor of Sciences concentrated in software and electrical technologies. Additionally, he did post graduate studies in business administration at the University in Zurich (Switzerland).

Steven A. Kunsman - Vice-President Business Development and Marketing, ABB Power Systems - Substation Automation North America
Steve joined ABB Inc. in 1984 and has 31 years of experience in Substation Automation, Protection and Control. He graduated from Lafayette College with a BS in Electrical Engineering and Lehigh University with an MBA concentrated in Management of Technology. Today, Steve is responsible for ABB North American Power Systems Substation Automation business. He is an active member of the IEEE Power Engineering Society PSRC including working group chairperson for H13, an IEC TC57 US delegate in the development of the IEC61850 communication standard and UCA International Users Group Executive Committee co-chairperson.

Jose L. Ruiz - Protection Application Engineer, ABB Power Systems - Substation Automation North America
Jose joined ABB as a post graduate student. During his graduate study, he learned and tested IEC 61850 with different vendor relays. In his current role with ABB, Jose shares his expertise in IEC 61850 with customers in the power industry in trainings, projects, and providing technical support. Jose received his M.S. degree (2012) in Electrical Engineering from the University of Tennessee at Chattanooga. He is a member of the IEEE PES.

Bharadwaj Vasudevan - Application Engineer, ABB Power Systems - Substation Automation North America
Bharadwaj graduated from North Carolina State University with a Master of Science degree in Electrical Engineering. During his school days, he worked as a Research Assistant in the FREEDM Systems Center, designing and maintaining the lab's automation infrastructure. He began his career with Areva T&D Ltd in New Delhi, India as a Power Systems Engineer. He has worked on various EHV substation design projects throughout India. Bharadwaj started at ABB as a consulting engineer for the Power Systems group. With a strong background in real-time power system modelling, he worked on developing transient system models for a couple of transmission planning projects under the group. He is currently working as an application engineer with the Power Systems Automation group for the North America market. He supports all transmission level Relion relay products from Raleigh, NC. He is a member of the IEEE power system relay committee and contributes to various working groups in the relay communications subcommittees.