In today’s utility industry, smart grids are a key topic, with most utilities having already migrated, or being in the process of migrating over to a distributed Ethernet network to interconnect various remote sites and control rooms into a single system. Before looking at the security requirements, we need to understand what a smart grid is.
Concept definition
A smart grid is a modernised utility grid that uses communications networks and information technology to gather and act on information in an automated fashion. This is done in order to improve efficiency, reliability, economics, and sustainability of the production and distribution of electricity. Generally smart grids use an Ethernet-based communication network to interlink all substations, control rooms, and other major generation, transmission and distribution sites across a wide area, such as a state or country-wide network. Using the distributed communications technology of Ethernet allows two-way communication between all devices connected to the network, and provides smart control of the entire grid, from generation all the way to the end user meters.
The benefits that a smart grid provide are numerous, and include a large saving of both time and money as much remote maintenance and data gathering can be performed without the need to send an engineer or technician out to site (Which can often turn out to be a full day’s work with travelling). However, moving to a smart grid solution does create more security concerns that need to be addressed. Using the correct policies, planning and setup these security concerns can be dealt with, leading to the knowledge that your smart grid is running in a secure and reliable fashion.
Security concerns
Security on these critical networks is in place to stop two kinds of threats. The first is an actively malicious user, who wishes to intentionally cause harm to the grid. This type of threat will generally originate externally to the local network (e.g. a hacker gaining access through a WAN interface to a public network). This is generally the more dangerous security threat, as they have a goal in mind and are more focused in their attacks. The second type of threat is a user who could unintentionally cause damage to the grid and communications network, which generally originates from within the local network. This could be a user that logs onto the wrong device to change its configuration, or a user who is not sure of what they are doing when configuring a device. Either of these can cause serious harm to the network and grid, and often can cause problems that are not as easily identifiable as those left by someone with a clear goal in mind.
Security can broadly be divided into two topics, namely physical and logical security. Physical security relates to preventing unwanted users from gaining physical access to premises or a device, where they could potentially change the configuration, depower or damage the device, or change communication links in such a way as to cause communications failures between critical parts of the network, which in turn can lead to major damage to utility hardware or loss of production for extended periods of time.
Having gate guards at large sites can provide the access control to the site, however one would need a veritable army of gate guards in order to provide access control at every site, and if 24 hour access is required multiple guards would be needed to take shifts. Physical security is greatly facilitated by the Ethernet communications network, allowing much more remote access control, which can be managed by a single operator from a central location. Using an IP based camera solution, the operator can get a visual confirmation of who is trying to access the site, and if necessary a VoIP (Voice over IP) solution can allow the operator to communicate to the user wishing to gain entry, even in the case that little or no cellular signal exists at the remote site.
Biometric access control is another option that can be added to the system to further automate the access control aspect of the solution. Ethernet ready biometric hardware will be able to plug into the network and communicate directly with a main controller in the central control room. This means that even if a user does not currently have access to the site, their details can be added to the system remotely to give them access. Once again this saves time and money as an administrator does not have to travel to the remote site in order to provide access for the user.
Logical security is the next aspect that needs to be discussed, and is generally more critical than physical security. This is due to the fact that by using a distributed communications network to link all remote sites together, we are potentially allowing any user who can access the network, to access any critical part of the network. For this reason we need to make sure that strong logical security is in place to restrict users’ access to devices that are directly related to their work, and also to block access for any outside, unauthorised user.
Ethernet does cater for various security mechanisms and solutions; however these must be properly planned and implemented to make sure that the system is properly secure. One of the base components for security in an Ethernet network are the firewalls that control access between various sections of the network. A firewall can be setup to monitor and control traffic based on various aspects, such as protocol type, source or destination IP address and more. This gives a high level of granular control over the communications that are allowed to pass through the router. Firewalls must be extensively planned and tested, and it is recommended to start with a policy of “no data gets through unless specifically allowed”. This means that if a rule for particular access has not been created, then this will be easily noticed (As the data will be blocked) and can be quickly rectified. However, a default policy allowing all data through, with specific rules to block certain data streams, means that if a rule is not configured it will not be easily noticed until it causes a problem due to someone accessing a device they should not be able to access.
Secure access management solutions
Another important form of security, especially in larger smart grid networks, is a SAM (secure access management) solution. A SAM solution will act as a master server to control access to end devices on the network. Rather than logging directly into an end device, a user will instead log into the SAM server with their unique username and password. Once they have access to the SAM server, they will be presented with a list of devices they are authorised to access. Upon selecting a device they will be asked to confirm details such as which application they wish to use for connection to the device, as well as the level of access they want (Again this will be restricted to the access levels they are authorised for). Once confirming these details the SAM server will log the user into the end device automatically, in such a way that details such as username and password for the end device are unknown by the user.
SAM solutions will also generally have options to add extra functionality such as password management or data retrieval. These options will allow the SAM server to automate process such as changing passwords on end devices according to a schedule, or downloading relevant files and data from end devices. SAM solutions will often also provide mechanisms to automatically produce reports required for various standard compliance, such as NERC CIP (North American Electrical Reliability Corporation – Critical Infrastructure Protection). In addition, they will generally have features to allow automatic checking of device configuration and firmware against a ‘master’ version, allowing for a more pro-active approach to network maintenance.
SAM servers simplify device and user management, and allow this to all be controlled from a central location. If a new employee or outside contractor needs access to a specific device, a SAM operator can add their details from the control room and allow them the required access within minutes. All user activity is monitored and logged, and often SAM solutions will provide even more control over what users can manipulate on a device using command blocking. Command blocking involves banning certain users from entering specified text strings into devices. If the user does try to enter a blocked command, a notification can be generated to an administrator and to the user, and the command will not go through to the device. SAM servers will also often have the ability to be integrated with an authorisation server, such as RADIUS or Active Directory, adding a further level of security to the system.
SAM solutions not only add to the access control management and security of a smart grid, they also facilitate quick troubleshooting and maintenance, as they will automate many day-to-day tasks, and will allow a high level of traceability in the event that a problem on the network is detected. Their benefit on a smart grid system should not be overlooked or underestimated.
Malware
Another big concern to network security, especially when the network is linked to a corporate site or the public Internet, is a potential virus/Trojan infection. General viruses can cause havoc by rendering end devices non-functional, or by corrupting data or applications running on devices and servers on the network. More specific viruses can even specifically target a certain site, company or device type. An example of this is the Stuxnet virus, an online weapon that was used to damage and destroy uranium enrichment facilities in Iran. By changing PLC output data before it was sent to the scada, this virus was able to slowly change PLC configurations to a point that machinery started having critical failures, whilst keeping scada operators blissfully ignorant to this fact. Although targeted viruses like these are rare, they must still be protected against as a precaution.
Protecting against virus infection on a network takes many different aspects, but again can be broadly divided into physical and logical aspects. The physical side of virus protection involves preventing users from bringing in their own piece of potentially infected hardware and connecting this to the network. Policies should be in place to prevent or restrict the use of USB flash drives and other external storage devices or cater for more secure forms of file transmission, such as FTP (file transfer protocol). USB ports on servers can be disabled, meaning that even if a device is plugged in the virus will not transfer to the network. If a user needs some data off a USB drive, policies should exist to make sure the device is properly virus scanned before being connected to any critical hardware.
Other potential virus carriers that must be taken into account are personal devices bought onto site by engineers, technicians and other workers on the site. With the proliferation of smart phones and tablets these days, many users will have devices with network interfaces (generally Wi-Fi, although some tablets do provide wired Ethernet interfaces). Policies should be in place to restrict or prohibit the use of BYOD (bring your own device) hardware on critical sites, as well as protecting wireless APs etc. with passwords and encryption so as to prevent unwanted users from connecting to them. This is even more important when users could potentially connect to the local network and a public cloud (such as the Internet). These could provide potential incursion points for malicious users. Also, protecting wireless access points correctly will prevent outside users from gaining network access from outside the physical sites.
Anti-virus programs are also essential on these critical networks, and it is crucial to make sure these anti-viruses are fully up to date at any time, and are actively checking devices and communications for possible viruses. However, it is important to fully test any anti-virus on your systems, to make sure that they do not induce any unacceptable delays to the communications. The SAM solutions mentioned earlier can also facilitate the discovery of some virus. Any virus that works by changing the configuration of an end device (such as Stuxnet did) can be discovered when the SAM performs an automated configuration compare on that unit. A notification will be sent to relevant administrators about this fact, which will prompt them to investigate the change and discover that no user initiated the change. This would be an indicator that an outside force (In this case the virus) changed the configuration without any user knowledge.
So as we can see, planning for and implementing security on a communications network for a smart grid system is a large task, but is absolutely crucial to having a secure, stable smart grid system. This process must not be underestimated or rushed, and the security system should be fully tested before implementing it on a live system. Security on these networks is critical, and should be undertaken with the assistance of a team who is well versed on Ethernet and security, and can help provide a solution that gives peace of mind while increasing productivity and savings.
| Tel: | +27 11 454 6025 |
| Fax: | +27 11 454 6024 |
| Email: | [email protected] |
| www: | www.h3isquared.com |
| Articles: | More information and articles about H3iSquared |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version