Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, 14.11.2013 Cyber Security - Secure communication design for.

Published byYolanda Ortega Villalba Modified over 5 years ago

Similar presentations

Presentation on theme: "Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, 14.11.2013 Cyber Security - Secure communication design for."— Presentation transcript:

1 Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, Cyber Security - Secure communication design for protection & control IEDs in sub-stations D2-02_17 November 21, 2018

2 Table of contents Introduction Network Communication and Protocols
Communication Security Security Architecture Design in IED Conclusion November 21, 2018

3 Introduction November 21, 2018

4 Introduction Substation as a Energy and Information Hub
Sub-station not just delivers energy at certain voltage level, it also transfers the information for effective monitoring and control of power system November 21, 2018

5 Introduction Numerical Relay(IED)s essential part of power system
IEDs are first level intelligent devices in substations/power system network. IEDs not just perform protection, control & monitoring of power system but also play crucial role in post- fault power restoration and self-healing network with the help of supported communication network which is an integral part of smart grid vision and framework. November 21, 2018

6 Introduction IED’s communication environment
IED’s communication environment include SCADA Communication for local/remote monitoring and control, Operational data to remote control centers, Bay level and Process level data exchange between IEDs, Remote Configuration & Firmware update, Fault/Disturbance analysis data for maintenance centers etc.. November 21, 2018

7 Introduction Information Security in IEDs
Avoid denial of responsibility Non-repudiation Avoid denial of Service Availability Avoid unauthorized modification Integrity Avoid disclosure Confidentiality Avoid spoofing / forgery Authentication Avoid unauthorized usage Authorization Avoid hiding of attacks Auditability Security is not Just Antivirus Firewall November 21, 2018

8 Network Communication and Protocols
November 21, 2018

9 Network Communication and Protocols
Network Communication Architecture in IED IEDs in Substation and Distribution Automation System communicate with remote gateways and controllers mostly through Ethernet and TCP/IP based communication protocols these days. Some of these protocols are power system domain specific and some are generic protocols. November 21, 2018

10 Network Communication and Protocols
Operational & Engineering/ Configuration Protocols From Power system network communication perspective, Operational protocols exchange real-time information for monitoring and control purposes continuously and consistently through-out. Ex: , , TCP, etc.. Engineering/ configuration protocols used in retrieving data like historical events, fault/disturbance records for analysis, device health/ prognosis parameters, IED parameterization/configuration data, firmware loading, some basic monitoring for certain period of time etc.. Ex: FTP, HTTP ,ODBC etc… For example Web server support in IED shall use HTTP protocol when communicating with remote web clients like Internet Explorer, Firefox or chrome browsers for monitoring and some basic configuration purposes. They also enable connectivity to external networks such as office intranet and internet November 21, 2018

11 Communication Security
November 21, 2018

12 Communication Security Securing Substation Communication network
The main idea of communication security is to create a secure channel over an unsecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks. Designing robust security architecture in the IED should also be complemented with robust and secured network setup when we are connecting our substation system to external internet network November 21, 2018

13 Communication Security
Defense-In-Depth Approach Substation network architecture must be based on the approach of “defense-in-depth” which advocates the use of multiple layers of protection to guard against failure of single security component and secure communication is just one part of this approach.. November 21, 2018

14 Communication Security Standards and Regulations
November 21, 2018

15 Communication Security
Security Protocols ( SSL/TLS Vs. IPsec) Securing data over the network involves ensuring CIA triad (Confidentiality, Integrity and Availability) requires a strong Authentication and encryption algorithm. Most famous and widely deployed security tools are “SSL/TLS” (Secure Socket Layer/Transport Layer Security) and “IPsec”. “SSL/TLS” is implemented at application level (between application and transport layer). TLS protocol based systems are more interoperable compared to IPSec based secured devices. Since interoperability is a critical requirement in substation automation domain, TLS based secure communication design is better option for IEDs in power system domain. November 21, 2018

16 Communication Security SSL and application protocols in IED
Secure socket layer introduced between traditional application layer protocols in the power system domain and TCP/IP layer in the network layer architecture. In implementation, there will be a common wrapper for SSL stack with a set of common interfaces to provide transparent access to SSL layer. This wrapper can be extended to support the security of other protocols. This approach enables to adapt the solution in future depending on IEC standard. November 21, 2018

17 Security Architecture Design in IED
November 21, 2018

18 Security Architecture Design in IED
SSL Layer adaptation in IED Architecture From the perspective of information exchange over Ethernet network, IEDs in the substation are the source of information. IEDs provide real time data to local and remote clients like SCADA systems, Control Centers, web clients etc. So naturally from network socket communication perspective, IEDs act as socket servers and remote systems are socket clients. Enabling/Disabling Secure Communication option locally in IED provides local control and decides on data exchange mode. Input Validation at the first entry point of application layer protocols level is critical in Secure IED design November 21, 2018

19 Security Architecture Design in IED SSL handshaking process
The exchange of information like SSL version support, cipher suite selection, key exchange and certification handling are part of this handshaking process. Once successful handshaking is done, a valid and secure session is created for further data exchange. The SSL handshaking process is an independent activity and each application module/session will have a separate handshaking process with in the IED. November 21, 2018

20 Security Architecture Design in IED Secured IED Configuration and Monitoring
IEDs support FTP protocol mainly for transferring device configuration information, transferring disturbance record data, trend/load profile data, history log and operation events information. IEDs also support basic parameterization, control and monitoring through web-clients using HTTP protocol. Concepts like remote diagnostics, configuration and maintenance services are catching-up in power systems automation domain. Hence It is essential to secure these protocols used for above purposes. November 21, 2018

21 Security Architecture Design in IED Secure Certificates
In a substation automation/ power system network, before an IED makes a secure connection to another system over a network, a valid SSL certificate must be installed/ available in the IED. An SSL certificate can be either self-signed certificate or a trusted CA certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides. The IED could generate its own self signed certificate or the trusted static CA certificate could be ported / stored in the IED’s flash memory. November 21, 2018

22 Security Architecture Design in IED
FTPS November 21, 2018

23 Security Architecture Design in IED
HTTPS November 21, 2018

24 Security Architecture Design in IED
Managing System Resources: Security Vs Performance The IED architecture design needs to consider how many secure application protocol sessions can be supported with available system resources like runtime memory and CPU processing capability, network bandwidth etc. Cyber security feature takes considerable system resources like CPU power, memory, bandwidth etc. The IED architecture needs to consider these characteristics and constraints and optimize the design such that the system performance, availability and reliability are maintained while supporting the cyber security features. CPU Processing Runtime Memory Network Storage November 21, 2018

25 Conclusion Cyber security environment is most dynamic and development efforts should be constantly vigilant and check for technology trend and re- build strong security mechanism. The secured communication mechanism can be developed using available security technologies and seamlessly integrate it to IED architecture to realize certain cyber security requirements. Security Architecture should adapt “defense- in-depth” strategy where each system component is an active participant in the creation of secured system in order to over- come the threats to make strong and robust power system networks. November 21, 2018

26

Download ppt "Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, 14.11.2013 Cyber Security - Secure communication design for."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Chapter 8 Web Security.

Chapter 8 Web Security.
Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.

Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Enabling Embedded Systems to access Internet Resources.

Enabling Embedded Systems to access Internet Resources.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.

Web Security : Secure Socket Layer Secure Electronic Transaction.
Cryptography and Network Security (SSL)

Cryptography and Network Security (SSL)

Similar presentations

Ads by Google