Information from Alectrix –
Substation installations offer several potential attack vectors for cyber-attacks. Effective cyber-security measures therefore must be implemented in the substation itself, not just in the control centre. The Austrian supplier OMICRON has been studying this requirement for many years and in 2015 added the DANEO 400 analysis device to its portfolio as a decentralised and hybrid solution for the continuous monitoring of sampled values, GOOSE and PTP time synchronisation.
“It so happened that we were approached by engineers from the Centralschweizer Kraftwerke AG (CKW), who were looking for an appropriate solution for their substation installations”, says Andreas Klien, head of the power utility communications division at OMICRON. A period of close cooperation with the protection and process control engineers at CKW followed this enquiry and led to the development of StationGuard, the functional security monitoring system. Experience from several proof-of-concept installations at other energy suppliers around the world has since been fed into the development process. With StationGuard, OMICRON has introduced an innovative approach for IEC 61850 installations.
Essentially, the package uses substation configuration language (SCL) files, in which the entire automation system, with all its devices, data models, and the communication parameters of the IEC 61850 installations, is described in a standardised format. These files also contain information about the primary equipment and in many cases even the single-line equivalent circuit diagram for the substation.
“This information can be used to develop a completely new approach to the detection of cyber-attacks”, explains Klien. The monitoring system can create a complete model of the automation system and the substation and compare every single packet in the network with the live system model. Even the data contained in the protocol messages, be they GOOSE (Generic Object Oriented Substation Event), MMS (Manufacturing Message Specification), or SV (Sampled Values) can be assessed based on what the system model is expecting.
“This process requires no learning phase and is only possible because of the configuration of the SCL”, stresses Klien.
To detect cyber threats in the network, StationGuard carries out a highly detailed functional verification of all data traffic. It holds a detailed model of all anticipated communication, against which it compares every network packet. Because the data traffic is monitored continuously, threats to IT security, such as unauthorised packets and control operations, can be identified. Communication faults, problems with time synchronisation and the various types of malfunction that can occur in the substation are also detected.
“If the system has access to the installation’s circuit diagram and is able to monitor the measured values in the MMS communication, then there are practically no limits to what we can monitor”, explains Klien and cites, as an example, the 33 different alarm codes that StationGuard maintains just for GOOSE – from simple status and sequence number faults to more complex problems, such as unusually long message transmission times. The latter are detected by the precise measurement of the difference between the EntryTime stamp in the message and its actual arrival time.
If the network transfer time of a GOOSE message exceeds 3 ms (the limit given in IEC 61850-5), this indicates a problem in the transmitting IED, in the network or, at the very least, in the time synchronisation. The concept can also be applied to MMS communication. The system model shows which logical nodes are controlling which items of primary equipment. This makes it possible to distinguish correct from incorrect (or critical from non-critical) actions.
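The GOOSE checks described above (unexpected publisher, stNum/sqNum sequence faults, and a transfer time above the 3 ms budget measured as arrival time minus the message timestamp) as an added illustration in Python; this is not StationGuard's code, and the control-block references, MAC addresses and APPIDs in the model are constructed sample values of the kind an SCD file would supply:

```python
from dataclasses import dataclass

# Expected GOOSE publishers as they would be derived from the substation's SCD file.
# Constructed sample values: control-block references, multicast MACs and APPIDs.
SCL_MODEL = {
    "E1Q1SB1CTRL/LLN0$GO$gcb01": {"src_mac": "01:0c:cd:01:00:01", "appid": 0x0001},
    "E1Q2SB1CTRL/LLN0$GO$gcb02": {"src_mac": "01:0c:cd:01:00:02", "appid": 0x0002},
}
MAX_TRANSFER_TIME_S = 0.003  # IEC 61850-5 budget quoted in the article

@dataclass
class GooseMsg:
    gocb_ref: str
    src_mac: str
    appid: int
    st_num: int
    sq_num: int
    entry_time: float    # timestamp carried in the message (seconds since epoch)
    arrival_time: float  # capture timestamp on the monitoring port

class GooseMonitor:
    def __init__(self, model):
        self.model = model
        self.last = {}  # gocb_ref -> (st_num, sq_num) of the previous message

    def check(self, m):
        """Return the list of alarm codes raised by one decoded GOOSE message."""
        expected = self.model.get(m.gocb_ref)
        if expected is None:
            return ["UNKNOWN_GOOSE_CONTROL_BLOCK"]  # publisher not in the SCD model
        alarms = []
        if expected["src_mac"] != m.src_mac or expected["appid"] != m.appid:
            alarms.append("GOOSE_SOURCE_MISMATCH")
        prev = self.last.get(m.gocb_ref)
        if prev is not None:
            p_st, p_sq = prev
            if m.st_num < p_st:
                alarms.append("STNUM_DECREASED")   # replayed message or device restart
            elif m.st_num == p_st and m.sq_num != p_sq + 1:
                alarms.append("SQNUM_GAP")         # lost or injected retransmission
            elif m.st_num > p_st and m.sq_num != 0:
                alarms.append("SQNUM_NOT_RESET")   # a state change restarts sqNum at 0
        self.last[m.gocb_ref] = (m.st_num, m.sq_num)
        # The timestamp refers to the last state change, so the transfer-time
        # check is only meaningful on the first message after a change (sqNum 0).
        if m.sq_num == 0 and m.arrival_time - m.entry_time > MAX_TRANSFER_TIME_S:
            alarms.append("TRANSFER_TIME_EXCEEDED")
        return alarms
```

Feeding decoded messages from a capture into `GooseMonitor.check` in arrival order yields one alarm list per message; sqNum wrap-around at the 32-bit limit is not handled here.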
“The same sequence in the MMS protocol is used whenever a circuit breaker trips, or IEC 61850 test mode is activated. The effect in the installation is however markedly different in each case”, says Klien. “If a test PC switches the IEC 61850 test mode of a relay, this may well be a justified action as part of a protection test. However, what would most likely not be permitted is if the test PC were to trip a breaker.”
Besides avoiding false alarms, it is also vital that the displayed alarm messages are easily understood by protection and process control engineers alike. This not only speeds up response times, it also means that IT security experts and the protection and process control engineers can work closely together. To enable alarms to be allocated more accurately to bays and devices, they are represented in StationGuard not just as an alarm list that a firewall might provide, but are also displayed graphically in a zero-line diagram – an overview display introduced with OMICRON StationScout.
To reduce false alarms even further, the routine testing and maintenance operations are also represented in the system model of the installation in StationGuard. This means that the system model can also contain the testing equipment, including the protection test sets.
Configuring the IDS system
“Monitoring begins as soon as the device is switched on and cannot, for security reasons, be disabled”, says Klien. All IEDs are shown as unknown devices until the installation’s SCD file is loaded, after which the IEDs and the structure of the installation are displayed in the zero-line diagram. “The configuration can also be prepared in the office and quickly installed on site”, says Klien. In situations where the SCD file does not contain all the IEDs, additional ones can be imported individually. After importing, the user can then assign roles such as “test PC” or “engineering PC”, and so on, to the remaining unknown devices.
If an action is “not permitted”, an alarm is raised. This alarm can be passed to the control centre via the gateway/RTU (Remote Terminal Unit). Alternatively, alarms can be sent to a separate Security Information and Event Management (SIEM) system, which collates security warnings. Depending on the hardware version in use, binary outputs are available that pass alarms to an RTU directly. In this case, alarm messaging takes place without any network communication and the alarms can be integrated into the signal list of the control centre just like any other hard-wired signal.
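The role-based evaluation of MMS actions described above and in Klien's test-PC example (test mode may be set, a breaker trip is not permitted) as an added illustration in Python; this is not StationGuard's code, and the device addresses, roles, object references and permission table are constructed assumptions standing in for what the SCD import and manual role assignment would provide:

```python
from dataclasses import dataclass
from typing import Optional

# Device roles after the SCD import and manual assignment (constructed sample addresses).
DEVICE_ROLES = {
    "192.0.2.10": "IED",             # E1Q1 protection relay, taken from the SCD file
    "192.0.2.50": "control_centre",  # gateway/RTU
    "192.0.2.80": "test_pc",         # role assigned by the user after import
    "192.0.2.90": "engineering_pc",
}
# Which logical node controls which item of primary equipment, per bay
# (the information the SCD single-line data provides).
LN_TO_EQUIPMENT = {
    "E1Q1SB1CTRL/CSWI1.Pos": ("E1Q1", "QA1 circuit breaker"),
    "E1Q1SB1CTRL/LLN0.Mod":  ("E1Q1", "IEC 61850 test mode"),
}
# Permitted actions per role (assumed policy); anything else raises an alarm.
POLICY = {
    "control_centre": {"read", "report", "operate"},
    "engineering_pc": {"read", "report"},
    "test_pc":        {"read", "report", "set_mode"},  # test mode yes, breaker trip no
    "IED":            {"read", "report", "operate"},
}

@dataclass
class Alarm:
    bay: str        # lets the alarm be placed on the bay in the zero-line diagram
    device: str
    role: str
    action: str
    equipment: str

def classify(service: str, obj_ref: str) -> str:
    """Map the raw MMS service to what it does in the installation."""
    if service == "write" and obj_ref.endswith("LLN0.Mod"):
        return "set_mode"   # same write sequence, but it only changes the relay's mode
    return service          # "operate" on a CSWI Pos control is a switching command

def evaluate(src_ip: str, service: str, obj_ref: str) -> Optional[Alarm]:
    """Return None if the action is permitted for the sender's role, else an Alarm."""
    role = DEVICE_ROLES.get(src_ip, "unknown")  # unknown devices have no permissions
    action = classify(service, obj_ref)
    bay, equipment = LN_TO_EQUIPMENT.get(obj_ref, ("?", obj_ref))
    if action in POLICY.get(role, set()):
        return None
    return Alarm(bay, src_ip, role, action, equipment)
```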
Cyber security of the IDS
“We’ve all seen it in Hollywood films: the intruders always go for the alarm system first”, says Klien. An important security feature of StationGuard is that it runs on autonomous, secure hardware rather than in a virtual machine. Both hardware versions of StationGuard, the 19” version (RBX1) for permanent installation in substation systems and the mobile version (MBX1), are hardened to the same extent and use a secure cryptographic chip which conforms to ISO/IEC 11889. This ensures that the cryptographic keys are not stored in flash memory but on a separate chip which is protected against manipulation. The OMICRON certificates are installed on this chip during production to provide a secure, mutually verifiable boot chain: at every stage of the firmware boot process the signature of the next module or driver to be loaded is checked, so only software carrying an OMICRON signature can be installed and executed. The device’s memory is encrypted using a key that is unique to this hardware and is protected on the cryptographic chip. Additional mechanisms ensure that the processes on the device cannot be attacked or misused; the philosophy of “defense in depth” thus extends deep into the software running on the device.
Contact Andre Huddlestone, Alectrix, Tel 021 790-1665, firstname.lastname@example.org