1KHA001149 en Cyber Security for Substation Automation Systems by ABB
Cyber security for substation automation systems by ABB
ABB addresses cyber security in every respect
The electric power grid has evolved significantly over the past decade thanks to many technological advancements and breakthroughs. As a result, the emerging “Smart Grid” is quickly becoming a reality. At the heart of these intelligent advancements are specialized IT systems – various control and automation solutions such as substation automation systems. To provide end users with comprehensive real-time information and allow for higher reliability and greater level of control, these systems have become more and more interconnected.
The new generation of automation systems utilizes open standards such as IEC 60870-5-104, DNP 3.0 and IEC 61850 and commercial technologies, in particular Ethernet and TCP/IP based communication protocols. They also enable connectivity to external networks, such as office intranet and internet. These changes in technology have brought huge benefits from an operational perspective, but they have also introduced cyber security concerns previously known only from office or enterprise IT systems. Cyber security risks were inherited by adopting open IT standards, but fortunately, so were the cyber security mechanisms that have been developed in a large number of enterprise environments to address these risks. These mechanisms allow for the design and development of cyber security solutions specifically for control systems – such as substation automation systems – utilizing proven technology.
ABB fully understands the importance of cyber security and its role in advancing the security of substation automation systems. As our customer investing in new ABB technologies, you can rely on system solutions where reliability and security have the highest priority.
[Figure: System architecture for substation automation system. Elements shown: Main Control Center, Remote Access, Office Access; links via DNP 3.0 via Ethernet and IEC 60870-5-104; station-level options MicroSCADA Pro SYS600C Communication Gateway, RTU560 Communication Gateway, Redundant Communication Gateway with Integrated Control System HMI (MicroSCADA Pro SYS600C), and Communication Gateway and Control System HMI (MicroSCADA Pro SYS600C); IEC 61850 towards the bay level.]
Systematic approach to ensure cyber security
Over the last couple of years, the global power industry has steadily increased focus on cyber security for control and automation systems. As a result, many different drivers and trends have emerged. ABB has identified cyber security as a key requirement and is committed to providing our customers with products, systems and services that clearly address this issue. ABB takes a systematic approach to cyber security through its operations on a global level. For instance, ABB has established the Power Systems Security Council to keep track of the global needs and requirements concerning cyber security. The mandate of the council is to ensure that products and solutions used in power systems meet the expectations of customers. Besides continuously adapting security requirements to keep up with the changing demand, the Security Council drives proactive R&D efforts to support future trends, and ensures fast and efficient security improvements.
ABB also recognizes the importance of cyber security standards and is an active member and driver of various industry initiatives, including active involvement within IEEE and IEC. This involvement also allows the Security Council to ensure that ABB’s products and systems are compliant with and support all industry standards and regulations related to cyber security.
Standard                    Main Focus
NIST SGIP-CSWG              Smart Grid Interoperability Panel – Cyber Security Working Group
NERC CIP                    Cyber Security regulation for North American power utilities
IEC 62351                   Data and Communications Security
IEEE PSRC/H13 & SUB/C10     Cyber Security Requirements for Substation Automation, Protection and Control Systems
IEEE 1686                   IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
ISA S99                     Industrial Automation and Control System Security
Key Cyber-Security initiatives driven or supported by ABB
Cyber security embedded
Cyber security is embedded in ABB’s product lifecycle, and addressing cyber security is an integral part of our substation automation products and system solutions. This means that cyber security is addressed in every phase from design and development, to maintenance of the products in our portfolio. Threat modeling and security design reviews, security training of software developers as well as in-house and external security testing as part of quality assurance processes are examples of numerous actions ABB is taking to ensure reliable and secure solutions for its customers. Individual user accounts or detailed security event logs are just two examples of built-in security features available in our products. ABB’s substation automation systems can be offered with firewalls and pre-defined antivirus software, and the system deliveries follow our strict guidelines concerning handling cyber security.
Cyber security without compromises
Evolving technologies like Ethernet and industry specific standards such as IEC 61850 are enablers for information exchange that support higher system reliability. Additionally, it is important to safeguard interoperability, which allows information exchange between different vendors’ IEC 61850 compliant products and systems. Ensuring reliability and interoperability are two of the main goals when designing and engineering IEC 61850-based substation automation systems. Supporting availability, reliability and interoperability, while at the same time addressing cyber security, is a challenging task. ABB is committed to working towards providing our customers with solutions that address all these aspects without compromise.
Cyber security - Addressed throughout the system life cycle
ABB aims to provide products and solutions that enable substation automation customers to fulfill the requirements of cyber security standards, such as NERC CIP. We view cyber security not only as a single, one-time activity, but as an integrated part of different phases of the product and system life cycle – from early design and development, to testing and commissioning, as well as to processes supporting products and systems in operation both now and in the future. One key element of this process is our independent robustness test center, where all our products are tested using current state-of-the-art security testing tools.
A centralized security testing process applying up-to-date and rigorous test procedures guarantees a common and best practice approach. The test center conducts regular regression tests on ABB products and systems to warrant a high level of robustness against cyber security attacks. ABB is also constantly extending and improving security-related organizational processes such as those handling vulnerabilities. The proper and timely handling of software vulnerabilities is an important factor in helping our customers to minimize their risk exposure to cyber security threats.
Cyber security on system level
Interactions between the substation automation system, corporate networks and the outside world are usually handled on the station level, which means that ensuring a high level of security on the station level is vital to the security of the SA system itself. Therefore, ABB uses best-in-class firewalls, intrusion detection or prevention systems, or VPN technology. All communication from the outside world to a substation can, for instance, be protected by using a firewall and/or VPN-enabled communication. Systems can additionally be divided into multiple security zones as needed to further improve security.
The key requirements that need to be covered by a secure substation automation system are:
- Availability: avoid denial of service
- Integrity: avoid unauthorized modification
- Confidentiality: avoid disclosure
- Authentication: avoid spoofing / forgery
- Authorization: avoid unauthorized usage
- Auditability: avoid hiding of attacks
[Figure: Secure architecture for MicroSCADA Pro based solution. Elements shown: Remote Control Center, Maintenance Center with workstation and antivirus, Security Zones 1 to 4, encrypted communication through Firewall / Router / VPN, Station LAN with MicroSCADA Pro SYS600 / SYS600C and antivirus, IEC 61850-8-1 Station Bus, Control and Protection IEDs, Perimeter Protection.]
Cyber security features in station level products
ABB is addressing cyber security requirements both on a system as well as on a product level. Verified antivirus software is supported to protect the station computers from attacks and viruses. Cyber security can, for instance, be further improved by limiting the use of removable media in the station computers. Additionally, ABB has built security mechanisms such as advanced account management and detailed security audit trails into its RTU560 and MicroSCADA Pro products. ABB’s product security approach is completed by robust bay level devices supporting many security features. ABB’s station-level products MicroSCADA Pro and RTU560 have been designed with cyber security in mind and thus provide state-of-the-art functionality in this regard. This allows our customers to easily address NERC CIP requirements and maintain compliance according to the standards and beyond.
Overview of security features
- Individual user accounts
- Role based access control
- Enforced password policies
- Session management
- Detailed audit trails
- Secure remote management connection
- Built-in firewall
- Built-in VPN capabilities
- Support for antivirus solutions
- Disabled unused ports and services
Authentication and authorization
Both MicroSCADA Pro and RTU560 support user authentication and authorization on an individual user level. User authentication is required and authorization is enforced for all interactive access to the products. Customers can manage user accounts freely, allowing them to create, edit and delete user accounts, and define usernames and passwords according to their policies. User rights can be managed completely by either assigning access permissions to accounts directly or by using roles (Role Based Access Control). To support NERC CIP and IEEE 1686 requirements, both MicroSCADA Pro and RTU560 support password policies that allow customers to specify minimum password length as well as password complexity. Passwords are case sensitive and support alphanumeric and special characters.
[Figure: Secure architecture for RTU 560 based solution. Elements shown: Remote Control Center (Security Zone 3), encrypted communication through Firewall / Router / VPN, Security Zone 2 with RTU560 and integrated HMI, Modbus and DNP 3.0 links, IEC 61850-8-1 Station Bus, I/O, Protection and Control IEDs in Security Zone 1, Perimeter Protection.]
Auditability and logging
ABB substation automation devices create audit trails (log files) of all security relevant user activity. Security events that are being logged include user log-in, log-out, change of parameters or configurations, and updates to software or firmware. For each event, the date and time, user, event ID, outcome and source of the event are logged. Access to the audit trail is available to authorized users only.
Product and system hardening
The robustness of a product can be significantly improved by closing all the ports and services that are not used. MicroSCADA Pro and RTU560 have been systematically hardened. For example, unused services have been removed and unused ports closed, and the products have been thoroughly tested at ABB’s dedicated, independent security test center using state-of-the-art commercial and open source security testing tools. Hardening steps as well as the resulting configurations, such as open ports and services, are documented in detail. Only ports and services for normal operation are enabled in ABB devices by default.
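The hardening text above says the resulting open ports and services are documented; one way to check a station computer against such a document is sketched here as an added example (not ABB tooling and not part of the brochure). The baseline assumes the registered default TCP ports of the protocols the brochure names (102 for IEC 61850-8-1 MMS, 2404 for IEC 60870-5-104, 20000 for DNP 3.0), and the `netstat -an` style listing is constructed.

```python
# Added example. BASELINE is an assumption built from registered default
# ports, not ABB's documented configuration; SAMPLE_LISTING is constructed.
BASELINE = {
    ("tcp", 102): "IEC 61850-8-1 MMS",
    ("tcp", 2404): "IEC 60870-5-104",
    ("tcp", 20000): "DNP 3.0 via Ethernet",
}

SAMPLE_LISTING = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:102            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2404           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:2404          10.0.0.9:51514         ESTABLISHED
  TCP    [::]:102               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
"""


def parse_listeners(listing):
    """Return {(proto, port): {local addresses}} for listening sockets."""
    listeners = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() not in ("tcp", "udp"):
            continue  # header or blank line
        proto = fields[0].lower()
        # TCP rows carry a state column; only listening rows are open services.
        if proto == "tcp" and fields[-1].upper() not in ("LISTENING", "LISTEN"):
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[1].rpartition(":")
        if port.isdigit():
            listeners.setdefault((proto, int(port)), set()).add(addr)
    return listeners


def audit_ports(listing, baseline):
    """Compare observed listeners with the documented baseline."""
    observed = parse_listeners(listing)
    return {
        # Listening but not in the hardening document: close or document.
        "undocumented": sorted(k for k in observed if k not in baseline),
        # Documented but not listening: the document or the system drifted.
        "missing": sorted(k for k in baseline if k not in observed),
    }


if __name__ == "__main__":
    print(audit_ports(SAMPLE_LISTING, BASELINE))
```

Run against a fresh listing after every patch or configuration change, a non-empty `undocumented` list is the signal to investigate before the system returns to service.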
ABB Switzerland Ltd Power Systems Bruggerstrasse 72 CH-5400 Baden, Switzerland Phone: +41 58 585 77 44 Fax: +41 58 585 55 77 ABB Oy Substation Automation Products P.O. Box 699 FI-65101 Vaasa, Finland Phone: +358 10 22 11 Fax: +358 10 22 41094 ABB AG Power Systems Division P.O. Box 10 03 51 DE-68128 Mannheim, Germany Phone: +49 621 381 3000 Fax: +49 621 381 7662
ABB AB Substation Automation Products SE-72159 Västerås, Sweden Phone: +46 21 32 50 00 Fax: +46 21 14 69 18 www.abb.com/substationautomation
1KHA - 001 149, - SEN 1000 - 12.10 - Printed in Switzerland © ABB Switzerland Ltd, December 2010. The right to modifications or deviations due to technical progress is reserved.