1805 TiSafe Class 2018-Rev0


JULIO OLIVEIRA, ABB POWER GRIDS – GRID AUTOMATION, MAY 15TH

Cyber security for digital substations: Protection and control systems


CLASS 2018 – 3ª Conferência Latino Americana de Segurança em SCADA

Current challenges and changes facing utilities

Aging infrastructure
Legacy systems with static or electromechanical relays, and even first microprocessor based relays.

Workforce in transition
Maintenance and operation engineering group members eligible for retirement in the next few years.

Reliability
There's increasing pressure to continually improve reliability and customer satisfaction.

Training
Computer networks and their protocols, topologies and communication redundancy.

Disruptive technologies
Digitalization techniques for substation automation via IEC 61850, and concerns about cyber security and asset management, demand attention on the utilities' part.

Spending justification
Revenue challenges and regulatory inspection will drive the costs/expenditure.

Changes in business model
New players are entering the energy market, and among them are investors who are non-utility companies. This group will be responsible for 20% of transmission and distribution around the world by 2020.

Cyber security
Attacks on critical infrastructure are increasing in terms of regularity and sophistication.

[Central graphic labels: Risks, Costs, Performance; Avoid, Manage, Minimize, Optimize, Exceed, Meet or beat]

July 27, 2018 Slide 2



Meet the standards
Beyond the redundancy, synch and performance …
Features and resources included

July 27, 2018 Slide 3



Cyber security for digital substations
Agenda

Digital substations concepts


What´s cyber security for utilities and its impacts growing?
A substation automation system risks
IEC 61850-9-2LE: Actions taken for process bus hardening
Protection and control cyber security features

July 27, 2018 Slide 4



Cyber security for digital substations
Digital substations concepts

Digital substation concepts and scenarios
How the digitalization is understood by the utilities

“A digitalized substation (not a digital substation) doesn't consider the gray areas!”

[Figure: digital substation architecture with numbered callouts 1 to 7. Labels: Network control center, SCADA NCC, PMU and PDCs, Super PDC, PMUs, Disturbance records, Asset Management, Ability, CALM, Platform, Control room perimeter, WiFi Industrial, SCADA Level 2, Teleprotection over MPLS with FOX615, RTU, Gateway Level 2, Intelligent substation, SDM600 Data manager, HMI, Operation, Station bus, Cyber security, Primary apparatus sensing, Process bus, Merging units, Mobile workforce management]

Opportunities to explore with digital substations
- Process bus
- Cyber security
- MPLS/TP teleprotection
- PMUs
- Asset management
- MESH industrial Wifi communication
- Primary apparatus sensing

July 27, 2018 Slide 6



Cyber security for digital substations
What´s cyber security for utilities and its impacts growing?

What´s cyber security for utilities and its impacts growing?
Definition and vulnerabilities

Cyber security
“Measures taken to protect substation automation systems and communication networks against unauthorized access, attacks, disruption or loss”

Vulnerabilities
Vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability or confidentiality of that product.
Examples:
• allows an attacker to execute commands as another user and conduct a denial of service
• allows an attacker to access data from another user or pose as another entity

User accounts in industrial environments

The heterogeneous nature of SAS networks has complicated tasks such as:
• revoking staff credentials and changing default passwords
Factory default accounts often remain unchanged after handover from manufacturer to customer.
• may even remain unchanged for their entire lifetime
Unchanged factory default accounts make it easy for an attacker to access devices in a short time.
• without the need for any special skills and special knowledge

July 27, 2018 Slide 8



What´s cyber security for utilities and its impacts growing?
Legal and illegal penetration tools – the risks of not being up to date

The increasing risks

– Legal and illegal penetration and hacking tools are freely available today
– Penetration testing software
– Vulnerability scanner
– Network discovery and security auditing
– Internet of Things (IoT)
– You can even buy malware as a service!

Penetration tools

[Logos shown: NMAP, Metasploit, Shodan, Nessus]

July 27, 2018 Slide 9



What´s cyber security for utilities and its impacts growing?
Vulnerabilities in protection and control systems

ICS vulnerability – disclosures by year

[Figure: chart of ICS vulnerability disclosures by year]

Source: https://scadahacker.com/
Source: 2016 ICS vulnerability trend report by FireEye

July 27, 2018 Slide 10



What´s cyber security for utilities and its impacts growing?
Grid automation cyber security approach

Defence in depth
– Secure system architecture
– Product and system hardening
– Service offering to keep the cyber security over the lifetime

July 27, 2018 Slide 11



Cyber security for digital substations
A substation automation system risks

A substation automation system risks
Threats and substation control layers

July 27, 2018 Slide 13



A substation automation system risks
Layered architecture

[Figure: layered architecture diagram. Labels: Maintenance Center, Network Control Center, Enterprise Network, Remote Support, Service PC, www, Secure SW/FW; multi-technology based operational utility core network; redundant & reliable clock & time distribution (not only GPS); core network element (PDH, SDH, Optical, MPLS, L2 optical / el., Radio, Wi-Fi, PLC); any substation, control center, power plant, down to private consumer]

Security measures shown in the diagram:
– Individual user accounts
– Removable media / USB access
– Disable ports / services
– Malware protection
– Patch management
– Firewall
– Local security logging
– Central security logging / account management (SDM600)
– Secure communication
– DMZ
– IDS

July 27, 2018 Slide 14



Cyber security for digital substations
IEC 61850-9-2LE: Actions taken for process bus hardening

IEC 61850-9-2LE: Actions taken for process bus hardening
Protocols allocation over Ethernet: IEC 61850-8-1 and 9-2 together

Protocols and services

The station and process bus together offer the following services, using the 7 OSI layers:

1 Vertical communication over MMS: data exchange among IEDs and supervisory system;
2 Horizontal communication with GSE messages: information between the IEDs;
3 Process communication: GSE for binary signals between the IEDs and the merging units, SMV messages for analogs such as currents and voltages;
4 IEEE 1588 (PTP) for devices synchronism, accuracy around 1 µs;

Network redundancy in IEC 62439-3 standard (PRP and HSR).

[Figure: station computer and gateway on the station bus (GOOSE); Prot & Ctrl devices between station bus and process bus (SV, GOOSE); SAM600 merging units on the process bus; Bay 1 to Bay n]

July 27, 2018 Slide 16 Sources: ABB



IEC 61850-9-2LE: Actions taken for process bus hardening
The sampled values in process bus

Merging units and SMV according to IEC 61850-9-2LE

Which signals are transmitted in a SMV frame?
Four currents, four voltages and their quality information.

[Figure: SMV frame captured with the IEC 61850 state-of-the-art testing tool ITT600]

984 bits
This is the size of a typical SMV frame

4800
It's the number of samples in one second at a 60 Hz frequency rate

5Mb/s
It's the Ethernet network bandwidth allocated for a single SMV frame
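
An added example, not part of the original slides: a minimal Python decoder for the sampled-value frame described above, plus a passive check that flags malformed frames, unexpected svID values and breaks in the sample counter, which wraps at the 4800 samples per second quoted on the slide. The tag values follow the IEC 61850-9-2 savPdu layout; the svID TESTMU0101, the MAC addresses and the sample values are constructed, and one ASDU per frame is assumed.

```python
import struct

def tlvs(buf):
    """Yield (tag, value) from BER data (single-octet tags, definite lengths)."""
    i = 0
    while i + 2 <= len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: the next (n & 0x7F) octets hold the length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated TLV")
        yield tag, buf[i:i + n]
        i += n

def parse_sv(frame):
    """Decode one sampled-value frame (Ethernet frame without FCS, one ASDU)."""
    off = 16 if frame[12:14] == b"\x81\x00" else 12  # skip optional 802.1Q tag
    if frame[off:off + 2] != b"\x88\xba":  # Ethertype of sampled values
        raise ValueError("not a sampled-value frame")
    length = struct.unpack_from(">H", frame, off + 4)[0]  # counted from APPID
    tag, pdu = next(tlvs(frame[off + 10:off + 2 + length]))  # APDU after 8-octet header
    if tag != 0x60:
        raise ValueError("savPdu expected")
    asdu = dict(tlvs(next(tlvs(dict(tlvs(pdu))[0xA2]))[1]))  # first ASDU in the sequence
    vals = struct.unpack(">" + "iI" * 8, asdu[0x87])  # 8 x (int32 sample, 32-bit quality)
    return {"svID": asdu[0x80].decode("ascii"), "smpCnt": int.from_bytes(asdu[0x82], "big"),
            "currents": vals[0:8:2], "voltages": vals[8:16:2], "quality": vals[1::2]}

def check_stream(frames, expected_svid, rate=4800):
    """Return (index, reason) alerts; smpCnt must step by 1 and wrap at `rate`."""
    alerts, prev = [], None
    for n, raw in enumerate(frames):
        try:
            sv = parse_sv(raw)
        except (ValueError, KeyError, StopIteration, struct.error) as exc:
            alerts.append((n, "malformed: %r" % (exc,)))
            continue
        if sv["svID"] != expected_svid:
            alerts.append((n, "unexpected svID " + sv["svID"]))
            continue
        if prev is not None and sv["smpCnt"] != (prev + 1) % rate:
            alerts.append((n, "smpCnt jump %d -> %d" % (prev, sv["smpCnt"])))
        prev = sv["smpCnt"]
    return alerts

# Constructed sample frame (not a capture): svID TESTMU0101, smpCnt 4798, all samples 1000
SAMPLE = bytes.fromhex("010ccd040001" "020000000001" "88ba" "4000006c00000000" "6062" "800101"
                       "a25d" "305b" "800a544553544d5530313031" "820212be" "830400000001"
                       "850101" "8740") + struct.pack(">iI", 1000, 0) * 8
```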

July 27, 2018 Slide 17 Sources: ABB



IEC 61850-9-2LE: Actions taken for process bus hardening
Application of HSR protocol for the switchyard network

No switches required, no access point, no point of failures

July 27, 2018 Slide 18 Sources: ABB



Cyber security for digital substations
Protection and control cyber security features

Protection and control cyber security features
Features overview

Protocol hardening
- Fuzz testing all protocols
- Security development life cycle
- Protocol conformance
- Device security testing
- Extensive service and port configuration
- Flooding protection

Account management
- Local users created in the device
- PCM600 used to manage users
- Removal of default users and passwords
- Central account management – IEC 62351 with LDAP

Security event logging
- Audit trail
- Reporting on IEC 61850
- Syslog
- Offline log in every IED

Role based account control
- User roles
- User rights
- IEC 62351 part 8

Certificates
- Self signed certificates
- Customer signed certificates
- Encryption of communication

Supervision and configuration
- Self supervision of hardware and software
- Denial of Service protection
- Extensive configuration possibilities
- Maintenance menu

July 27, 2018 Slide 20



Protection and control cyber security features
Protocol hardening

Reduce your attack surface

Robustness
- All protocols in the IED are checked for protocol conformance
- Fuzz testing is used to make sure we withstand possible attack points
- All developers follow ABB's security development life cycle process

Only use required services
- To reduce the attack surface of the IED we have added the possibility to enable/disable protocols and services per physical interface
- Configure only the services you need

July 27, 2018 Slide 21



Protection and control cyber security features
Troubleshooting

With hints and undo possibilities

To help the user with common configuration mistakes and to give solutions to common problems, the IED now has a Hints menu
– Typical hints can be
• Incorrect configuration of time synchronization
• Invalid reference channel detected
• IEC/UCA 61850-9-2LE data is substituted

Before doing a major change of your configuration, save a restore point of your IED's state. This possibility is now added to the Maintenance menu of the IED.
- Store up to two restore points

July 27, 2018 Slide 22



FOX615 and XMC20 Multiplexers
Encryption card

July 27, 2018 Slide 23



Cyber security for digital substations
Cyber security deployment guidelines

Cyber security deployment guidelines
Instructions for hardening

Where to find how to configure security?

The cyber security deployment guideline contains information on how to configure the security for the Relion® 670 and 650 series IEDs.
It covers
- System setup
- Account management (local / centralized)
- Activity logging
- Local HMI usage (incl. Maintenance menu)
- Standard compliance statement
