IEC TC57 WG15 - Security Status & Roadmap, July 2008

Frances Cleveland, Convenor WG15

Upload: tambre

Post on 13-Jan-2016


Page 1: IEC TC57 WG15 - Security Status & Roadmap, July 2008

Frances Cleveland

Convenor WG15

Page 2: Scope of WG15 on Security

WG15 Status October 2007

Undertake the development of standards for security of the communication protocols defined by the IEC TC 57, specifically the IEC 60870-5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series, and the IEC 61968 series.

Undertake the development of standards and/or technical reports on end-to-end security issues.

Page 3: Security Functions vs. Threats

[Figure: the four security functions, the threat each one counters, and the individual attacks behind those threats. The assignment of attacks to threats is not recoverable from the extracted text.]

Security functions and the threats they counter:

• Confidentiality: Unauthorized Access to Information
• Integrity: Unauthorized Modification or Theft of Information
• Availability: Denial of Service or Prevention of Authorized Access
• Non-Repudiation: Denial of Action that took place, or Claim of Action that did not take place

Attack labels in the figure: Resource Exhaustion, Integrity Violation, Planted in System, Virus/Worms, Trojan Horse, Trapdoor, Service Spoofing, Stolen/Altered, Eavesdropping, Traffic Analysis, EM/RF Interception, Indiscretions by Personnel, Media Scavenging, Listening, After-the-Fact, Denial of Service, Interactions, Masquerade, Bypassing Controls, Authorization Violation, Physical Intrusion, Man-in-the-Middle, Theft, Replay, Intercept/Alter, Repudiation, Modification.

Legend: Actively Being Addressed; Desired

Page 4: Security Functions, Threats, and WG15 Work Pattern

[Figure: layered diagram relating threats and security functions to the measures that support them. The layering is not recoverable from the extracted text; the labels are listed below in the order they appear.]

Threats and security functions:

• Unauthorized Modification or Theft of Information: Integrity
• Unauthorized Access to Information: Confidentiality
• Denial of Service or Prevention of Authorized Access: Availability
• Denial of Action that took place, or Claim of Action that did not take place: Non-Repudiation

Labels in the figure:

• Corporate Security Policy and Management
• Cigre, Utilities
• Security Management
• Security Testing, Monitoring, Change Control, and Updating
• Security Compliance Reporting
• Security Risk Assessment of Assets
• Security Policy Exchange
• Security Attack Litigation
• During-Attack Coping and Post-Attack Recovery
• Security Incident and Vulnerability Reporting
• Firewalls with Access Control Lists (ACL)
• Intrusion Detection Systems (IDS)
• Audit Logging
• Anti-Virus/Spy-ware
• IEC62351 Security for TASE.2, DNP, 61850
• Public Key Infrastructure (PKI)
• Transport Level Security (TLS)
• Virtual Private Network (VPN)
• AGA 12-1 “bump-in-the-wire”
• WPA2/802.11i for wireless
• Digital Signatures
• CRC
• Symmetric and Asymmetric Encryption (AES, DES)
• Network and System Management (NSM)
• Credential Establishment, Conversion, and Renewal
• Certificates
• Passwords
• Authentication
• Data Backup
• Identity Establishment, Quality, and Mapping
• Role-Based Access Control
• Certificate and Key Management
• Tele-comm

Legend: Being Addressed by many other bodies; New Work

Page 5: Status of Security Documents, May 2007

IEC 62351: Data and Communications Security

• Part 1: Introduction
• Part 2: Glossary
• Part 3: Security for profiles including TCP/IP
• Part 4: Security for profiles including MMS
• Part 5: Security for IEC 60870-5 and derivatives
• Part 6: Security for IEC 61850 profiles
• Part 7: Objects for Network Management

Submitted as Technical Specifications in Dec 2006, being finalized by IEC

Submitted as DTS ver 2 January 2007. Comments being awaited

Issued as CD, (NWIP)

Page 6: For increased power system reliability and security in the future, the two closely intertwined infrastructures must be designed, implemented, and managed as a whole …

[Figure: two infrastructures, labelled "1. Power System Infrastructure" and "2. Information Infrastructure". Labelled elements: Central Generating Plant, Step-Up Transformer, Transmission Substation, Distribution Substation, Commercial, Industrial, Residential, Gas Turbine, Diesel Engine, Cogeneration, Fuel cell, Micro-turbine, Wind, Photovoltaics, Batteries, Data Concentrator, Control Center, Operators, Engineers, & Other Users.]

Page 7: Security Monitoring Architecture Using NSM

[Figure: Security Monitoring Architecture, Using NSM Data Objects. Labelled elements: Control Center, Historical Database and Data Interface, TASE.2 link to External Systems, Operator User Interface, Engineering Systems, SCADA System, Other, WAN, Substation, Substation Master, Circuit Breaker, Protection Relay, Load Tap Changer, CT, PT, Automated Switch, Voltage Regulator, Capacitor Bank Controller, Feeders, Firewall, Intrusion Detection System (IDS), Security Server, Security Client, NSM Data Objects. Legend: Clients, Servers.]

Page 8: NERC’s Top Ten Vulnerabilities for Control Systems

1. Inadequate policies, procedures, and culture that govern control system security.

2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms.

3. Remote access to the control system without appropriate access control.

4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained.

5. Use of inadequately secured WiFi wireless communication for control.

6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes.

7. Insufficient application of tools to detect and report on anomalous or inappropriate activity.

8. Unauthorized or inappropriate applications or devices on control system networks.

9. Control systems command and control data not authenticated.

10. Inadequately managed, designed, or implemented critical support infrastructure

Page 9: Format of Normative Clauses of Part 7 – Using 61850 Naming and Style

| Object | Data Type | Definition | Access | M/O |
|---|---|---|---|---|
| Configuration Settings | | | | |
| EndLst | OI List | List of end systems connected in network. | r-w | O |
| NodLst | OI List | List of intermediate network nodes, such as routers, bridges, gateways, etc. | r-w | O |
| PthLst | OI List | List of paths in network | r-w | O |
| ACLLst | OI List | Set or update the Access Control List, based on the list of Object Identifiers | r-w | O |
| PthRoutLst | OI List | List of path routes and routing priorities to end devices | r-w | O |
| ActSet | VS List | Set action steps for equipment failures, such as switch to backup | r-w | O |
| Alarms | | | | |
| EndDct | Alarm | Detection of a new end device in the network | r-o | O |
| NodDct | Alarm | Detection of a new network node | r-o | O |
| PthDct | Alarm | Detection of a new path | r-o | O |
| EndLos | Alarm | Loss of connection with end device | r-o | O |
| NodLos | Alarm | Loss of connection with network node | r-o | O |
| PthLos | Alarm | Loss of path | r-o | O |
| Values | | | | |
| | | | r-o | O |
| Controls | | | | |
| HrdPwr | Control Hardware | Switch power on or off of a specified piece of hardware – hard disconnect from power | w-o | O |
| NodRs | Control Software | Reset node through software capabilities | w-o | O |
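The access modes and alarm objects in the Part 7 table, exercised in an added Python sketch (not code from the presentation or from IEC 62351-7): an agent enforces r-w / r-o / w-o per object and derives EndDct and EndLos by comparing each poll with EndLst. The NsmAgent class, its poll method and the device identifiers are assumptions constructed for illustration.

```python
# Access modes copied from the Part 7 table (r-w, r-o, w-o).
ACCESS = {
    **dict.fromkeys(("EndLst", "NodLst", "PthLst", "ACLLst", "PthRoutLst", "ActSet"), "r-w"),
    **dict.fromkeys(("EndDct", "NodDct", "PthDct", "EndLos", "NodLos", "PthLos"), "r-o"),
    **dict.fromkeys(("HrdPwr", "NodRs"), "w-o"),
}

class AccessDenied(Exception):
    """Operation not permitted by the object's access mode."""

class NsmAgent:
    """Hypothetical in-memory agent (an assumption, not the IEC 62351-7 encoding)."""
    def __init__(self, end_lst=(), nod_lst=()):
        self.store = {"EndLst": set(end_lst), "NodLst": set(nod_lst)}
        self.up = {"End": set(), "Nod": set()}        # configured and connected
        self.reported = {"End": set(), "Nod": set()}  # unknowns already alarmed
        self.alarms, self.commands = [], []

    def _check(self, obj, allowed):
        if ACCESS.get(obj) not in allowed:            # unknown objects are denied too
            raise AccessDenied(obj)

    def read(self, obj):
        self._check(obj, ("r-w", "r-o"))
        if ACCESS[obj] == "r-o":                      # alarms: derived, read-only
            return [ident for name, ident in self.alarms if name == obj]
        return sorted(self.store.get(obj, ()))

    def write(self, obj, value):
        self._check(obj, ("r-w", "w-o"))
        if ACCESS[obj] == "w-o":                      # controls: accepted, never readable
            self.commands.append((obj, value))
        else:
            self.store[obj] = set(value)

    def poll(self, kind, seen):
        """Compare one poll ("End" or "Nod") with the configured list."""
        seen, known = set(seen), self.store[kind + "Lst"]
        raised = [(kind + "Dct", i) for i in sorted(seen - known - self.reported[kind])]
        raised += [(kind + "Los", i) for i in sorted(self.up[kind] - seen)]
        self.reported[kind] |= seen - known
        self.up[kind] = seen & known
        self.alarms.extend(raised)
        return raised

def demo():
    agent = NsmAgent(end_lst=["rtu-01", "rtu-02"])    # constructed identifiers
    first = agent.poll("End", ["rtu-01", "rtu-02"])
    return first, agent.poll("End", ["rtu-01", "laptop-x"]), agent.read("EndDct")
```

An unconfigured device raises EndDct once and stays alarmed until an operator adds it to EndLst; a configured device that was connected and then disappears raises EndLos.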

Page 10: TC57 Security (62351) Roadmap As of July 2008

Current Work (Activities by 2008)

• Parts 1, 3, 4, 6 – Finalized as TS Standards
• Part 2: Glossary – CDV
• Part 5: Security for IEC 60870-5 Protocols – CDV
• Part 7: Network and System Management /MIBs as CD
• Part 8: Role-Based Access Control

NWIPs to be Issued (To be issued 2008)

• Remote Changing of Update Keys for IEC 60870-5
• Implementation Specification for IEC 60870-5
• Conformance testing and interoperability testing
• Security for Access to CIM (Interfaces and RBAC)
• Security Architecture

On-Going Coordination (Current and Future)

• IEC TC65C WG10
• ISA, CIGRE D2.22
• EPRI, NERC, PCSF
• National Labs
• IEEE PSRC
• IEEE Security P1711, P1686, P1689
• TC57 WG03
• TC57 WG07?

Page 11: Role-Based Access Control

The scope of the proposed work is to define a specification for the use of Role Based Access Control not only in field devices but also for a whole system, consisting of field devices, station control and network control – the complete pyramid, in order to support end to end security. The specification will refer to the standards IEC 61970 CIM, IEC 61850 and IEC 62351 and also to ANSI INCITS 359-2004.