March 29, 2018 | Cyber Security | prorelay.tamu.edu/wp-content/uploads/sites/3/2018/...domain and tcp/ip...
TRANSCRIPT
—
MARCH 2018
71ST ANNUAL CONFERENCE FOR PROTECTIVE RELAY ENGINEERS, MARCH 26 – MARCH 29, 2018
Cyber Security – Securing the protection and control relay communication in Substation
Jay Vellore, ABB Inc.
—
Slide 2. Table of Contents (March 29, 2018)
• Introduction
• Network Communication and Protocols
• Communication Security
• Security Architecture Design in relays
• Conclusion
—
Slide 3. INTRODUCTION: Substation as an Energy and Information Hub
A substation not only delivers energy at a given voltage level; it also carries the information needed for effective monitoring and control of the power system.
—
Slide 4. INTRODUCTION: Protective relays are an essential part of the power system
Protective relays are the first level of intelligent devices in substations and in the power system network. They do not just perform protection, control and monitoring of the power system; they also play a crucial role in post-fault power restoration and in the self-healing network, with the help of the supporting communication network, which is an integral part of the smart grid vision and framework.
—
Slide 5. INTRODUCTION: Communication environment for protective relays
The communication environment of protective relays includes SCADA communication for local/remote monitoring and control, operational data sent to remote control centers, bay-level and process-level data exchange between relays, remote configuration and firmware update, fault/disturbance analysis data for maintenance centers, and other functions.
—
Slide 6. INTRODUCTION: Information Security in protective relays
• Non-repudiation: avoid denial of responsibility
• Availability: avoid denial of service
• Integrity: avoid unauthorized modification
• Confidentiality: avoid disclosure
• Authentication: avoid spoofing / forgery
• Authorization: avoid unauthorized usage
• Auditability: avoid hiding of attacks
Security is not just antivirus and firewall.
—
Slide 7. NETWORK COMMUNICATIONS AND PROTOCOLS: Network communication architecture in relays
Protective relays in substation and distribution automation systems today communicate with remote gateways and controllers mostly over Ethernet and TCP/IP-based protocols. Some of these protocols are specific to the power system domain (DNP, IEC 61850, IEC 104) and some are generic (HTTP, FTP).
[Figure: protocol stack of an IED. Application layer: HTTP, FTP, DNP, IEC61850, IEC104 on top of Sockets; Network layer: TCP/IP over Ethernet.]
—
Slide 8. NETWORK COMMUNICATIONS AND PROTOCOLS: Operational & Engineering / Configuration Protocols
From the power system network communication perspective, operational protocols exchange real-time information for monitoring and control purposes continuously and consistently. Ex: IEC 61850, DNP 3.0, -TCP, IEC 60870-5-104.
Engineering / configuration protocols are used to retrieve data such as historical events, fault/disturbance records for analysis, device health / prognosis parameters and IED parameterization/configuration data, for firmware loading, and for some basic monitoring over a limited period. Ex: FTP, HTTP, ODBC.
For example, the web server in a relay uses HTTP when communicating with remote web clients such as the Internet Explorer, Firefox or Chrome browsers for monitoring and basic configuration. These protocols also open connectivity to external networks such as the office intranet and the Internet.
—
Slide 9. COMMUNICATION SECURITY: Securing the Substation Communication network
• The main idea of communication security is to create a secure channel over an insecure network. This gives reasonable protection against eavesdroppers and man-in-the-middle attacks.
• A robust security architecture inside the protective relays must be complemented by a robust and secured network setup whenever the substation system is connected to an external network such as the Internet.
—
Slide 10. COMMUNICATION SECURITY: Defense-In-Depth Approach
The substation network architecture must follow the "defense-in-depth" approach, which advocates multiple layers of protection so that the failure of any single security component does not compromise the system. Secure communication is just one part of this approach.
—
Slide 11. COMMUNICATION SECURITY: Standards and Regulations
—
Slide 12. COMMUNICATION SECURITY: Security Protocols (SSL/TLS vs IPsec)
• Securing data over the network means ensuring the CIA triad (Confidentiality, Integrity and Availability). This requires strong authentication and strong encryption algorithms.
• The most widely deployed security protocols are "SSL/TLS" (Secure Sockets Layer / Transport Layer Security) and "IPsec".
• "SSL/TLS" is implemented at the application level (between the application and transport layers); IPsec operates at the Internet (IP) layer.
• TLS-based systems are more interoperable than IPsec-based secured devices.
• Since interoperability is a critical requirement in the substation automation domain, TLS-based secure communication is the better option for IEDs in the power system domain.
[Figure: placement of SSL/TLS in the TCP/IP stack (Application, Transport, Internet, Network). SSL/TLS sits between the Application and Transport layers and consists of a Handshake layer (Handshake, Change Cipher Spec and Alert protocols) and a Record layer (Fragmentation, Compression, Authentication, Encryption).]
—
Slide 13. COMMUNICATION SECURITY: SSL and application protocols in relays
A secure socket layer is introduced between the traditional application-layer protocols of the power system domain and the TCP/IP layer of the network architecture.
In the implementation there is a common wrapper around the SSL stack with a set of common interfaces that gives the application protocols transparent access to the SSL layer. The wrapper can be extended to secure further protocols, which allows the solution to be adapted in the future to support the IEC 62351 standard. Note that "SSL" is used here as the generic name of the layer: SSL 2.0 and 3.0 themselves are prohibited (RFC 6176, RFC 7568) and TLS 1.0/1.1 are deprecated (RFC 8996), so the wrapper should negotiate TLS 1.2 or later.
[Figure: the IED protocol stack with the SSL layer inserted. Application layer: HTTP, FTP, DNP, IEC61850, IEC104 over SSL Sockets or plain Sockets; Secure Socket Layer (SSL) above the TCP/IP layer; Ethernet below.]
—
Slide 14. SECURITY ARCHITECTURE DESIGN IN RELAYS: SSL Layer adaptation in relay architecture
• From the perspective of information exchange over the Ethernet network, the relays in the substation are the source of information. Relays provide real-time data to local and remote clients such as SCADA systems, control centers and web clients. So, from the network socket perspective, relays naturally act as socket servers and the remote systems as socket clients.
• Enabling or disabling the Secure Communication option locally in the relay gives local control and decides the data exchange mode.
• Input validation at the first entry point, the application-layer protocol parsers, is critical in a secure relay design.
—
Slide 15. SECURITY ARCHITECTURE DESIGN IN RELAYS: SSL handshaking process
• The exchange of information such as the supported SSL/TLS versions, cipher suite selection, key exchange and certificate handling is part of this handshaking process.
• Once the handshake completes successfully, a valid and secure session exists for further data exchange.
• The SSL handshake is an independent activity: each application module/session has its own handshake within the relay.
Handshake message sequence (handshake message types in parentheses; 23 is the application data record type):
Client → Server: Client Hello (1)
Server → Client: Server Hello (2), Certificate (11), Server Key Exchange (12), Client Certificate Request (13), Server Hello Done (14)
Client → Server: Client Certificate (11), Client Key Exchange (16), Change Cipher Spec, Finished (encrypted) (20)
Server → Client: Change Cipher Spec, Finished (encrypted) (20)
Both directions: Application Data (encrypted) (23)
Connection sequence with the Security parameter Enabled:
Server side (FTPS & Web server): FTP/FTPS sockets bound to and listening on ports 20 and 21; HTTP/HTTPS sockets bound to and listening on ports 80 and 443.
Client side (FTPS clients, Web clients):
FTPS: Connect to FTP → Accept FTP connection → "220 Connection successful" → client sends "AUTH TLS" → "234 Start negotiation/handshake" (RFC 4217) → TLS handshake sequence → encrypted application data (FTPS) exchange.
HTTPS: Connect to HTTPS → Accept HTTPS connection → Connection successful → TLS handshake sequence → encrypted application data (HTTPS) exchange.
—
Slide 16. SECURITY ARCHITECTURE DESIGN IN RELAYS: Secured relay Configuration and Monitoring
• Relays support the FTP protocol mainly for transferring device configuration, disturbance records, trend/load profile data, history logs and operation event information.
• Relays also support basic parameterization, control and monitoring through web clients using the HTTP protocol.
• Concepts like remote diagnostics, configuration and maintenance services are catching on in the power systems automation domain. Hence it is essential to secure the protocols used for these purposes.
—
Slide 17. SECURITY ARCHITECTURE DESIGN IN RELAYS: Secure Certificates
In a substation automation / power system network, before a relay can accept or make a secure connection to another system over the network, a valid SSL (X.509) certificate must be installed in, or available to, the relay.
The certificate can be either self-signed or issued by a trusted CA. A self-signed certificate is created and signed by the system on which it resides, so the only party vouching for it is that system. The relay can generate its own self-signed certificate, or a certificate from a trusted CA can be provisioned into the relay's flash memory. With a self-signed certificate the clients (FTPS clients, browsers, SCADA gateways) must have that exact certificate imported or pinned; otherwise every connection either fails verification or trains operators to click through certificate warnings.
—
Slide 18. SECURITY ARCHITECTURE DESIGN IN RELAYS: FTPS
[Flowchart: FTPS control and data connection handling]
Start → Is an FTP connection received? If no, keep waiting.
Yes → Wait for a command. Is a command received?
  No → Has the FTP timeout expired? If yes, close the FTP control connection; if no, keep waiting for the command.
  Yes → Is it the AUTH command?
    Yes → Start SSL negotiation on the control connection and set the mode to FTPS; send the command response.
    No → Process the command. Is a data connection required?
      No → Send the command response.
      Yes → Open the data socket and connect, or open it and wait for the connection. Is the session in FTP secured mode?
        Yes → SSL negotiation on the data connection; read/write data over the SSL connection; close the SSL connection.
        No → Read/write data in the clear.
      Close the data socket and send the command response.
After each response, return to waiting for the next command.
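The FTPS flow of this slide, together with the SSL-wrapper idea of slides 13 and 14, the handshake of slide 15 and the self-signed certificate of slide 17, as an added Go example (not code from the presentation or from ABB): a relay-side control connection that stays in clear text only until the client's AUTH TLS and then wraps the same socket in TLS, plus a client that pins the relay's self-signed certificate and issues one command inside the secured channel. Go's crypto/tls stands in for the relay's SSL stack, an ephemeral loopback port stands in for port 21, and the command allow-list, the reply strings and the 5-second timeout are assumptions constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// relayCert mints the relay's own self-signed certificate (slide 17); cert.Leaf is what clients pin.
func relayCert(ip string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(24 * time.Hour), IPAddresses: []net.IP{net.ParseIP(ip)}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, err
}

var allowed = map[string]bool{"AUTH": true, "USER": true, "PASS": true, "NOOP": true} // verb allow-list (constructed): input validation at the first entry point, slide 14

// serveControl is the control connection of slide 18 with the security parameter enabled: clear text until AUTH TLS (RFC 4217), then TLS on the same socket.
func serveControl(conn net.Conn, cfg *tls.Config) (secured bool) {
	defer conn.Close()
	rw := bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
	reply := func(s string) { rw.WriteString(s + "\r\n"); rw.Flush() }
	reply("220 Connection successful")
	for {
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // the "FTP timeout" branch of the flowchart
		raw, err := rw.ReadSlice('\n')                     // 4 KiB bound: an over-long line errors out instead of growing memory
		if err != nil {
			return secured
		}
		verb, arg, _ := strings.Cut(strings.TrimRight(string(raw), "\r\n"), " ")
		switch verb = strings.ToUpper(verb); {
		case !allowed[verb] || verb == "AUTH" && secured:
			reply("500 Command not permitted")
		case verb == "AUTH" && strings.EqualFold(arg, "TLS"):
			reply("234 Start negotiation/handshake")
			tc := tls.Server(conn, cfg)
			if tc.Handshake() != nil {
				return false
			}
			conn, secured = tc, true
			rw = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
		case !secured:
			reply("530 Secure the control connection with AUTH TLS first")
		default:
			reply("200 OK") // NOOP; a real relay dispatches USER/PASS and the rest here
		}
	}
}

// Demo: relay and client on loopback (ephemeral port instead of 21); the client upgrades with AUTH TLS, pins the relay certificate and sends NOOP inside TLS.
func Demo() (version uint16, reply string, err error) {
	cert, err := relayCert("127.0.0.1")
	if err != nil {
		return
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return
	}
	go func() {
		if c, err := ln.Accept(); err == nil {
			serveControl(c, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return
	}
	defer conn.Close()
	r := bufio.NewReader(conn)
	r.ReadString('\n') // 220 banner
	fmt.Fprint(conn, "AUTH TLS\r\n")
	if line, _ := r.ReadString('\n'); !strings.HasPrefix(line, "234") {
		return 0, "", fmt.Errorf("AUTH TLS refused: %q", strings.TrimSpace(line))
	}
	pool := x509.NewCertPool() // trust exactly the relay's certificate, not the system roots
	pool.AddCert(cert.Leaf)
	tc := tls.Client(conn, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12})
	fmt.Fprint(tc, "NOOP\r\n") // the first write runs the handshake of slide 15; nothing leaves in the clear
	reply, err = bufio.NewReader(tc).ReadString('\n')
	return tc.ConnectionState().Version, strings.TrimSpace(reply), err
}

func main() { fmt.Println(Demo()) }
```

Two points the flowchart leaves implicit. First, the upgrade reuses the socket, so the server must not read ahead on the plain connection: RFC 4217 guarantees that nothing follows AUTH TLS except the client's ClientHello, which is why the buffered reader can be discarded and rebuilt on the TLS connection. Second, the server refuses every command other than AUTH before the upgrade (the 530 reply), so with the security parameter enabled credentials can never travel in the clear; the data connection of the flowchart's "FTP secured mode" branch needs the same wrapping, which the client requests with PROT P. A real relay keeps the certificate in flash (slide 17) instead of minting one per start, so that clients can pin a stable value.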
—
Slide 19. SECURITY ARCHITECTURE DESIGN IN RELAYS: HTTPS
[Flowchart: web server listening on HTTP port 80 and HTTPS port 443]
Start → Is the Security parameter "Enabled"?
YES:
  User types "http://IP Address" → 1. The request comes to HTTP port 80 of the server. 2. The server sends a redirection response to the web client so that the request is re-sent to HTTPS port 443 of the server.
  User types "https://IP Address" → The request comes to HTTPS port 443 directly.
  Perform the HTTPS handshake. Is the handshake successful?
    NO → Show the relevant SSL error code in the client. End.
    YES → Show the username and password prompt to the user and start the HTTPS session if authenticated. End.
NO:
  User types "http://IP Address" → Show the username and password prompt to the user and start the HTTP session if authenticated. End.
  User types "https://IP Address" → The request comes to HTTPS port 443.
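The "Enabled" branch of this flowchart as an added Go example (not code from the presentation): the plain port only answers with a redirection to HTTPS, the HTTPS port presents the username/password prompt as HTTP Basic authentication, and a client that was never given the relay's certificate fails the handshake, which is the "SSL error" branch. Go's httptest supplies a self-signed localhost certificate in place of the relay's certificate, ephemeral loopback ports stand in for 80 and 443, and the account "engineer" / "relay-demo-pw" and the choice of a 301 redirect are assumptions constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// relayWeb is the web server of slide 19 with the security parameter enabled:
// a plain HTTP port that only redirects, and an HTTPS port behind a login prompt.
type relayWeb struct {
	plain, secure *httptest.Server // loopback stand-ins for ports 80 and 443
}

// checkCreds compares against a demo account constructed for this example (a real
// relay consults its user database), in constant time so timing does not leak matches.
func checkCreds(user, pass string) bool {
	u := subtle.ConstantTimeCompare([]byte(user), []byte("engineer"))
	p := subtle.ConstantTimeCompare([]byte(pass), []byte("relay-demo-pw"))
	return u&p == 1
}

func newRelayWeb() *relayWeb {
	ui := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if user, pass, ok := r.BasicAuth(); !ok || !checkCreds(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="relay"`) // the username/password prompt
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		fmt.Fprintln(w, "relay web UI")
	})
	secure := httptest.NewUnstartedServer(ui)
	secure.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	secure.StartTLS() // httptest supplies a self-signed localhost certificate in place of the relay's
	httpsHost := strings.TrimPrefix(secure.URL, "https://")
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Flowchart step 2: the HTTP port never serves the UI, it only sends the client to HTTPS.
		target := url.URL{Scheme: "https", Host: httpsHost, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
		http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
	}))
	return &relayWeb{plain: plain, secure: secure}
}

func (rw *relayWeb) Close() { rw.plain.Close(); rw.secure.Close() }

// fetchPlain requests the HTTP port without following redirects and returns the
// status and Location header a browser would act on.
func (rw *relayWeb) fetchPlain(path string) (int, string, error) {
	c := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := c.Get(rw.plain.URL + path)
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

// fetchSecure requests the HTTPS port. With pin=true the client trusts exactly the
// relay's certificate; with pin=false it has only the system roots, the situation of
// a browser that was never given the relay's self-signed certificate.
func (rw *relayWeb) fetchSecure(path, user, pass string, pin bool) (int, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if pin {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(rw.secure.Certificate())
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, err := http.NewRequest(http.MethodGet, rw.secure.URL+path, nil)
	if err != nil {
		return 0, err
	}
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, err // e.g. "x509: certificate signed by unknown authority": the "SSL error" branch
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	rw := newRelayWeb()
	defer rw.Close()
	fmt.Println(rw.fetchPlain("/"))
	fmt.Println(rw.fetchSecure("/", "engineer", "relay-demo-pw", true))
}
```

The redirect means the very first request to "http://IP Address" still crosses the network in clear text, including the path and query string, so the plain handler must never ask for credentials and the Strict-Transport-Security header tells the browser not to repeat the plain request later. Because the login prompt lives only behind the TLS listener, a password can reach the relay only after the handshake of slide 15 has succeeded; a client without the relay's certificate never gets that far.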
—
Slide 20. SECURITY ARCHITECTURE DESIGN IN RELAYS: Managing System Resources: Security vs Performance
• The relay architecture design needs to consider how many secure application-protocol sessions can be supported with the available system resources: runtime memory, CPU processing capability, network bandwidth, etc.
• Cyber security features consume considerable system resources (CPU power, memory, bandwidth). The relay architecture needs to take these constraints into account and optimize the design so that system performance, availability and reliability are maintained while the security features are supported. In practice this means an upper bound on concurrent TLS sessions and on the handshake rate: every handshake costs an asymmetric operation, and an unbounded accept loop is itself a denial-of-service path against the protection function.
[Figure: shared system resources: Runtime memory, Software / Applications, Network Interface, Storage, CPU processing.]
—
Slide 21. CONCLUSION
• The cyber security environment is highly dynamic; development efforts must remain vigilant, track technology trends and keep rebuilding strong security mechanisms.
• A secured communication mechanism can be developed from available security technologies and integrated seamlessly into the relay architecture to realize specific cyber security requirements.
• The security architecture should adopt the "defense-in-depth" strategy, in which every system component actively participates in creating a secured system, in order to overcome the threats and build strong and robust power system networks.
—
Slide 22. QUESTIONS?