1KHA001149 en Cyber Security for Substation Automation Systems by ABB

October 7, 2017 | Author: Bharadwaj_Vasu_7233 | Category: Online Safety & Privacy, Computer Security, Virtual Private Network, Smart Grid, Automation



Cyber security for substation automation systems by ABB

ABB addresses cyber security in every respect

The electric power grid has evolved significantly over the past decade thanks to many technological advancements and breakthroughs. As a result, the emerging “Smart Grid” is quickly becoming a reality. At the heart of these intelligent advancements are specialized IT systems – various control and automation solutions such as substation automation systems. To provide end users with comprehensive real-time information and allow for higher reliability and greater level of control, these systems have become more and more interconnected.

The new generation of automation systems utilizes open standards such as IEC 60870-5-104, DNP 3.0 and IEC 61850 and commercial technologies, in particular Ethernet and TCP/IP based communication protocols. They also enable connectivity to external networks, such as office intranet and internet. These changes in technology have brought huge benefits from an operational perspective, but they have also introduced cyber security concerns previously known only from office or enterprise IT systems. Cyber security risks were inherited by adopting open IT standards, but fortunately, so were the cyber security mechanisms that have been developed in a large number of enterprise environments to address these risks. These mechanisms allow for the design and development of cyber security solutions specifically for control systems – such as substation automation systems – utilizing proven technology.

ABB fully understands the importance of cyber security and its role in advancing the security of substation automation systems. As our customer investing in new ABB technologies, you can rely on system solutions where reliability and security have the highest priority.

[Figure: System architecture for substation automation system. Labelled elements: Main Control Center, Remote Access, Office Access, MicroSCADA Pro SYS600C, Communication Gateway, Redundant Communication Gateway with Integrated Control System HMI, RTU560; links labelled DNP 3.0 via Ethernet, IEC 60870-5-104 and IEC 61850.]

Systematic approach to ensure cyber security

Over the last couple of years, the global power industry has steadily increased focus on cyber security for control and automation systems. As a result, many different drivers and trends have emerged. ABB has identified cyber security as a key requirement and is committed to providing our customers with products, systems and services that clearly address this issue.

ABB takes a systematic approach to cyber security through its operations on a global level. For instance, ABB has established the Power Systems Security Council to keep track of the global needs and requirements concerning cyber security. The mandate of the council is to ensure that products and solutions used in power systems meet the expectations of customers. Besides continuously adapting security requirements to keep up with the changing demand, the Security Council drives proactive R&D efforts to support future trends, and ensures fast and efficient security improvements.

ABB also recognizes the importance of cyber security standards and is an active member and driver of various industry initiatives, including active involvement within IEEE and IEC. This involvement also allows the Security Council to ensure that ABB’s products and systems are compliant with and support all industry standards and regulations related to cyber security.

Key Cyber-Security initiatives driven or supported by ABB (Standard: Main Focus)

- NIST SGIP-CSWG: Smart Grid Interoperability Panel – Cyber Security Working Group
- NERC CIP: Cyber Security regulation for North American power utilities
- IEC 62351: Data and Communications Security
- IEEE PSRC/H13 & SUB/C10: Cyber Security Requirements for Substation Automation, Protection and Control Systems
- IEEE 1686: IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
- ISA S99: Industrial Automation and Control System Security

Cyber security embedded

Cyber security is embedded in ABB’s product lifecycle, and addressing cyber security is an integral part of our substation automation products and system solutions. This means that cyber security is addressed in every phase from design and development, to maintenance of the products in our portfolio. Threat modeling and security design reviews, security training of software developers as well as in-house and external security testing as part of quality assurance processes are examples of numerous actions ABB is taking to ensure reliable and secure solutions for its customers.

Individual user accounts or detailed security event logs are just two examples of built-in security features available in our products. ABB’s substation automation systems can be offered with firewalls and pre-defined antivirus software, and the system deliveries follow our strict guidelines concerning handling cyber security.

Cyber security without compromises

Evolving technologies like Ethernet and industry specific standards such as IEC 61850 are enablers for information exchange that support higher system reliability. Additionally, it is important to safeguard interoperability, which allows information exchange between different vendors’ IEC 61850 compliant products and systems. Ensuring reliability and interoperability are two of the main goals when designing and engineering IEC 61850-based substation automation systems. Supporting availability, reliability and interoperability, while at the same time addressing cyber security, is a challenging task. ABB is committed to working towards providing our customers with solutions that address all these aspects without compromise.

Cyber security - Addressed throughout the system life cycle

ABB aims to provide products and solutions that enable substation automation customers to fulfill the requirements of cyber security standards, such as NERC CIP. We view cyber security not only as a single, one-time activity, but as an integrated part of different phases of the product and system life cycle – from early design and development, to testing and commissioning, as well as to processes supporting products and systems in operation both now and in the future. One key element of this process is our independent robustness test center, where all our products are tested using current state-of-the-art security testing tools.

A centralized security testing process applying up-to-date and rigorous test procedures guarantees a common and best practice approach. The test center conducts regular regression tests on ABB products and systems to warrant a high level of robustness against cyber security attacks. ABB is also constantly extending and improving security-related organizational processes such as those handling vulnerabilities. The proper and timely handling of software vulnerabilities is an important factor in helping our customers to minimize their risk exposure to cyber security threats.


Cyber security on system level

Interactions between the substation automation system, corporate networks and the outside world are usually handled on the station level, which means that ensuring a high level of security on the station level is vital to the security of the SA system itself. Therefore, ABB uses best-in-class firewalls, intrusion detection or prevention systems, or VPN technology. All communication from the outside world to a substation can, for instance, be protected by using a firewall and/or VPN-enabled communication. Systems can additionally be divided into multiple security zones as needed to further improve security.

The key requirements that need to be covered by a secure substation automation system are:

- Availability: avoid denial of service
- Integrity: avoid unauthorized modification
- Confidentiality: avoid disclosure
- Authentication: avoid spoofing / forgery
- Authorization: avoid unauthorized usage
- Auditability: avoid hiding of attacks

[Figure: Secure architecture for MicroSCADA Pro based solution. Labelled elements: Remote Control Center (Security Zone 3) and Maintenance Center (Security Zone 4), each reached over encrypted communication through a Firewall / Router / VPN; Security Zone 2 with workstation and MicroSCADA Pro SYS600 (antivirus), Station LAN and MicroSCADA Pro SYS600C; Security Zone 1 with control and protection IEDs on the IEC 61850-8-1 station bus; perimeter protection.]

Cyber security features in station level products

ABB is addressing cyber security requirements both on a system as well as on a product level. Verified antivirus software is supported to protect the station computers from attacks and viruses. Cyber security can be further improved, for instance, by limiting the use of removable media in the station computers. Additionally, ABB has built security mechanisms such as advanced account management and detailed security audit trails into its RTU560 and MicroSCADA Pro products. ABB’s product security approach is completed by robust bay level devices supporting many security features.

ABB’s station-level products MicroSCADA Pro and RTU560 have been designed with cyber security in mind and thus provide state-of-the-art functionality in this regard. This allows our customers to easily address NERC CIP requirements and maintain compliance according to the standards and beyond.

Overview of security features

- Individual user accounts
- Role based access control
- Enforced password policies
- Session management
- Detailed audit trails
- Secure remote management connection
- Built-in firewall
- Built-in VPN capabilities
- Support for antivirus solutions
- Disabled unused ports and services

Authentication and authorization

Both MicroSCADA Pro and RTU560 support user authentication and authorization on an individual user level. User authentication is required and authorization is enforced for all interactive access to the products. Customers can manage user accounts freely, allowing them to create, edit and delete user accounts, and define usernames and passwords according to their policies. User rights can be managed completely by either assigning access permissions to accounts directly or by using roles (Role Based Access Control).

To support NERC CIP and IEEE 1686 requirements, both MicroSCADA Pro and RTU560 support password policies that allow customers to specify minimum password length as well as password complexity. Passwords are case sensitive and support alphanumeric and special characters.

[Figure: Secure architecture for RTU 560 based solution. Labelled elements: Remote Control Center (Security Zone 3) reached over encrypted communication through a Firewall / Router / VPN; Security Zone 2 with RTU560 and integrated Web HMI (Modbus, DNP 3.0); Security Zone 1 with protection and control IEDs and I/O on the IEC 61850-8-1 station bus; perimeter protection.]

Auditability and logging

ABB substation automation devices create audit trails (log files) of all security relevant user activity. Security events that are being logged include user log-in, log-out, change of parameters or configurations, and updates to software or firmware. For each event, the date and time, user, event ID, outcome and source of the event are logged. Access to the audit trail is available to authorized users only.

Product and system hardening

The robustness of a product can be significantly improved by closing all the ports and services that are not used. MicroSCADA Pro and RTU560 have been systematically hardened. For example, unused services have been removed and unused ports closed, and the products have been thoroughly tested at ABB’s dedicated, independent security test center using state-of-the-art commercial and open source security testing tools. Hardening steps as well as the resulting configurations, such as open ports and services, are documented in detail. Only ports and services for normal operation are enabled in ABB devices by default.
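One way to verify a station computer against its documented list of open ports and services, as the hardening paragraph implies an operator should be able to. This is an added example, not ABB code or an ABB-published port list: the baseline, the sample text in the layout of `ss -tulnH` output, and all function names are constructed assumptions.

```python
import ipaddress

# Hypothetical documented baseline for one gateway: (protocol, port) pairs that
# normal operation needs. 102 = IEC 61850 MMS, 2404 = IEC 60870-5-104,
# 443 = assumed HTTPS web HMI.
BASELINE = {("tcp", 102), ("tcp", 2404), ("tcp", 443)}

# Constructed sample in the layout of `ss -tulnH` output (not from a real device).
SAMPLE = """\
tcp LISTEN 0 128 0.0.0.0:102    0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:2404   0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 128 [::]:23        [::]:*
udp UNCONN 0 0   0.0.0.0:161    0.0.0.0:*
"""

def is_loopback(addr):
    """True if the bind address is reachable only from the host itself."""
    try:
        return ipaddress.ip_address(addr.strip("[]").split("%")[0]).is_loopback
    except ValueError:          # '*' and other wildcards bind every interface
        return False

def parse_listeners(text):
    """Return (proto, bind_address, port) for each listening socket line."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue            # skip blank or truncated lines
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            out.append((fields[0], addr, int(port)))
    return out

def compare_to_baseline(listeners, baseline):
    """Report undocumented exposed sockets, absent services, local-only sockets."""
    exposed = {(p, port) for p, addr, port in listeners if not is_loopback(addr)}
    local = {(p, port) for p, addr, port in listeners if is_loopback(addr)}
    return {
        "unexpected": sorted(exposed - baseline),   # open but undocumented
        "missing": sorted(baseline - exposed),      # documented but not listening
        "loopback_only": sorted(local - baseline),  # not network-reachable; review
    }

if __name__ == "__main__":
    for key, items in compare_to_baseline(parse_listeners(SAMPLE), BASELINE).items():
        print(key, items)
```

On the constructed sample, Telnet (tcp/23) and SNMP (udp/161) are reported as undocumented listeners, while the database socket bound to 127.0.0.1 is listed separately because it is not reachable from the station LAN.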


Contact us

ABB Switzerland Ltd, Power Systems
Bruggerstrasse 72, CH-5400 Baden, Switzerland
Phone: +41 58 585 77 44
Fax: +41 58 585 55 77

ABB Oy, Substation Automation Products
P.O. Box 699, FI-65101 Vaasa, Finland
Phone: +358 10 22 11
Fax: +358 10 22 41094

ABB AG, Power Systems Division
P.O. Box 10 03 51, DE-68128 Mannheim, Germany
Phone: +49 621 381 3000
Fax: +49 621 381 7662

ABB AB, Substation Automation Products
SE-72159 Västerås, Sweden
Phone: +46 21 32 50 00
Fax: +46 21 14 69 18

www.abb.com/substationautomation

1KHA - 001 149, - SEN 1000 - 12.10 - Printed in Switzerland © ABB Switzerland Ltd, December 2010. The right to modifications or deviations due to technical progress is reserved.
