Presentation is loading. Please wait.

Presentation is loading. Please wait.

CHPCOM project Combined Heat and Power Communication CHPCOM IEC 61850 baseret datakommunikation i dansk kontekst Securing Critical Infrastructure Communication.

Published byBertha Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "CHPCOM project Combined Heat and Power Communication CHPCOM IEC 61850 baseret datakommunikation i dansk kontekst Securing Critical Infrastructure Communication."— Presentation transcript:

1 CHPCOM project Combined Heat and Power Communication CHPCOM IEC 61850 baseret datakommunikation i dansk kontekst Securing Critical Infrastructure Communication Søren Peter Nielsen – Rump session at Modern Identity Management Solutions 2. december 2014  2. december 2014  Modern Identity Management Solutions 11

2 CHPCOM  2. december 2014  Modern Identity Management Solutions 22 Securing Critical Infrastructure Communication – Context Moving from software to cyber-physical systems – Examples of things that are different Søren Peter Nielsen – Rump session – 2. december 2014

3 Danish Electricity Producers with growing communications demands  2. december 2014  Modern Identity Management Solutions 33

4 CHPCOM 2. december 2014Modern Identity Management Solutions4 Balance responsible Generator Power plant Control Power sale Power buy  ~   Internet Accumulator Electric Boiler Power Market Data Measurement Supply of services Supplying the grid with ancillary services Market control Data District heat Solar heat TSO

5 CHPCOM New Role 2. december 2014Modern Identity Management Solutions5 CHPCOM Concept DSO/DNO Balance responsible Generator Power plant Control Power sale Power buy  ~   Internet Accumulator Electric Boiler Power Market TSO Data Measurement Open standard IEC 61850 Supply of services Supplying the grid with ancillary services Market control Measurement Data Flexibility Market Aggregator Technical control Local resources for local grid management Measurement District heat Solar heat New COM

6 CHPCOM 6 The SKIES landscape RBAC s/MMS 61850 GW 61850 DB SCADA DB RTU MMS SCADA s/MMS ”SecureMMS Komponent” SCADA SCADA frontend MMS INTERNET Firewall PKI Components 2. december 2014Modern Identity Management Solutions CA RA Directory

7 CHPCOM 7 The SKIES landscape – Basic flow 2. december 2014Modern Identity Management Solutions s/MMS Server security gateway Client security gateway RA CA

8 CHPCOM  2. december 2014  Modern Identity Management Solutions 88 Safety considerations – Smart Grid PKI must consider the risk associated with a security protocol failing. This can include protocols such as password lockouts, certificate expiration, or time-stamp mismatch. The PKI should still notify operators of these failures, but it may not be appropriate to fail the protocol, especially for critical power grid equipment. High Availability – PKI should avoid having a single point of failure – The various components of the PKI must also be able to operate independently for extended lengths of time when regular communications are disrupted. – E.g. a local cache of authentication information will allow the PKI to operate disconnected from the authentication server for an extended period of time Real-Time Operation – Security protocol behaviors should be defined in the event that the system does not meet a real-time requirement – need to be designed with local information stores and use of caching Upgradeable – must be able to update the technologies used in the PKI with minimal impact on the (long life HW) system Special CIP requirements in relation to PKI Source: “Adapting PKI for the Smart Grid” by Todd Baumeister, 2011

9 CHPCOM  2. december 2014  Modern Identity Management Solutions 99 – Examples of failures that must NOT be met with a HARD STOP in this case Unable to build trust path to a trusted root CA Certificate not yet valid or expired Certificate revoked Certificate or subject in certificate not on trusted whitelist Missing mandatory certificate extensions Invalid certificate extension (e.g. CA=false in basicConstraints-extension of a intermediate certificate) Unknown or wrong CP reference in certificate Unknown critical extensions Unaccepted use of cryptographic algorithms (e.g. small RSA pairs, MD5 hashing) One implication

10 CHPCOM  2. december 2014  Modern Identity Management Solutions  10 Communication is from machine to machine IEC standard says use RBAC with predefined roles on server side to supply privileges to client Roles

11 CHPCOM  2. december 2014  Modern Identity Management Solutions  11 Ways to transfer client role info: – Embedded in Client M2M certificate – Embedded in separate Attribute Certificate to be transferred together with Client M2M certificate Roles

12 CHPCOM  2. december 2014  Modern Identity Management Solutions  12 Ways to transfer client role info: – Embedded in Client M2M certificate – Embedded in separate Attribute Certificate to be transferred together with Client M2M certificate HMM? – No (SAML-like) envelope to transfer role info in? – Every time a role assignment is updated new certificates must be issued? – Mixing Authentication and Authorization ! Roles

13 CHPCOM  2. december 2014  Modern Identity Management Solutions  13 WELL – Role is not attached to a person, but to a Device in an Organisation – much more stable assignment – Of the predefined roles only two are relevant for the Operations communication – manageable granularity Viewer – Read Operator – Read/Write – High Availability is required – If role info is transferred via an alternate channel and this is not available what to do? Roles

14 CHPCOM  2. december 2014  Modern Identity Management Solutions  14 Think different about – PKI requirements – Role based access control When dealing with critical cyber-physical infrastructure Contact info: Søren Peter Nielsen dk.linkedin.com/in/sorenp twitter.com/sorenp spn@nine.dk Søren Peter Nielsen – Rump session – 2. december 2014

Download ppt "CHPCOM project Combined Heat and Power Communication CHPCOM IEC 61850 baseret datakommunikation i dansk kontekst Securing Critical Infrastructure Communication."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Geneva, Switzerland, 15-16 September 2014 Security by Design in Smart Grids A Need to Rethink ICT in Power System Controls Carsten Strunge, Senior Development.

Geneva, Switzerland, September 2014 Security by Design in Smart Grids A Need to Rethink ICT in Power System Controls Carsten Strunge, Senior Development.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Civil Registry Agency of the Ministry of Justice, Georgia Digital Signature Services in Georgia Mikheil Kapanadze.

Civil Registry Agency of the Ministry of Justice, Georgia Digital Signature Services in Georgia Mikheil Kapanadze.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Similar presentations

Ads by Google