The evolution of the electric distribution network towards the smart grid introduces new control elements and devices. This progress allows for greater communication and supervision capacities among control centres, substations and end users.
The smart grid’s value chain is quite extensive and includes all types of communication devices and protocols at different levels:
- At the field (or substation) level: we can find sensors, actuators, Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), etc.
- At the administrative (control centre) level: we can find IT devices such as computers, servers, databases, WEB applications, desktop applications, etc.
Protecting a smart grid is a complex task that requires a great deal of effort and a sustained commitment. In these infrastructures it is common to find obsolete devices that were designed at a time when security was not a concern. In addition, many players are involved: manufacturers, installation technicians, integrators, consultants, etc. All of them form part of the value chain, and security must be present at every link of it.
Smart grid cybersecurity should be applied from the devices at the end of the chain all the way up to the control centres, so that the entire system is covered. Keep in mind that the security of the whole is only as strong as its weakest component: if a new device, an RTU for instance, is configured incorrectly in an infrastructure where other security measures are already in place, that single device can become the entry point through which the whole infrastructure is compromised.
- Network architecture for an electric distribution network -
Security configuration in smart grid systems
A key element which is often overlooked in the security of any industrial control system is the correct configuration of every component that makes it up. Device configuration is therefore a key element of cybersecurity. In an electric substation, where all the control equipment is found, security configuration must be organised systematically and must bear in mind the following points:
- Physical access: In order to reduce system exposure, critical system devices must receive adequate physical protection, thus limiting access to them.
- Network access: Network identification (addressing and naming) must be specific to each system/infrastructure, and only the ports actually needed by each service should be reachable. There are specific guides for assigning ports to services; an example of a recommended guide is shown below.
*Statuses may vary depending on the project and system status
- Access: Replace plain FTP with FTP over SSL/TLS (FTPS), so credentials and files are not transferred in clear text.
- Encryption: Use TLS with AES, with 128- to 256-bit keys.
- Status monitoring: Functions for measuring the status of the system's process resources.
- Certificates: Management of the certificate authority (CA) and of any self-signed certificates in use (issuance, distribution to clients, renewal and revocation).
Configuration of IEDs
The specific security configuration aspects for Intelligent Electronic Devices are based on the following checkpoints, in accordance with the IEEE 1686 standard:
- Electronic access control: Access can be remote or local (in situ, at the device). Local access is the recommended method.
- User accounts: The device supports a certain number of user accounts for access and control. The number depends on the service and control needs, that is, on the user profiles essential for proper administration.
- Password policy: This policy defines criteria such as password length, uppercase/lowercase sensitivity, use of numeric and special characters, etc.
- Access to data: Controlled per individual user account, depending on its role.
- Access to configuration settings: Controlled per individual user account; only privileged accounts may change settings.
- Force values (integrity): Controlled per individual user account.
- Firmware change/update: Controlled per individual user account; only privileged accounts may update firmware.
- Password supervision: Passwords are always stored in protected form (hashed or encrypted with a strong algorithm), never in clear text.
- ID/password management: Controlled per individual user account; only privileged accounts may manage identifiers and passwords.
- Access time-out: An inactivity time-out can be enabled and configured for each individual user account.
- Events: Logging of cybersecurity-related events, with event logging profiles defining which events are recorded.
- Alarms: Activated. Device alarms report suspicious or dangerous events (for example, a client connecting without a digital certificate, or the device detecting a data overload on its connectivity).
Configuration of RTUs
The RTU is another device that plays a central role in smart grids, as it acquires, links and retransmits data.
The RTU uses protocols such as IEC 60870-5-101 and -104, Modbus or DNP3, and makes increasing use of Ethernet and TCP/IP. Manufacturers of these devices are developing new security classifications in accordance with the NERC CIP and IEEE 1686 standards. Below we discuss the recommended default configuration settings for an RTU in an electric substation:
- Authorisation system: A system based on roles (RBAC, Role Based Access Control), with a minimum of 4 roles (deployer, configurator, admin and operator). The exact role set varies depending on the project.
- User access control: Configuration based on profiles with different privileges for accessing RTU services and resources. Authentication is required and authorisation is enforced for each individual user account.
- Password complexity:
- Minimum password length: 8 characters
- Maximum password lifetime: varies depending on the project
- Use of alphanumeric and special characters: Activated
- Uppercase/lowercase sensitivity: Activated
- HTTPS support: Acceptance of self-signed digital certificates, properly managed and implemented. Because a self-signed certificate is not backed by a CA, its fingerprint must be distributed to (or pinned in) the clients that connect to the RTU; otherwise those clients cannot distinguish the RTU from an impostor.
- VPN functionality: Optional function for remote management. The tunnel runs between the RTU and the substation router using the IPsec protocol. If authentication is configured it uses pre-shared keys, which must be long, random and unique per device.
- Security event audits: At the local level they must at least record the following events:
- Parameter change
- Configuration change
- Firmware updates
- Security alarms: The capacity to group a set of security events under a single alarm that is meaningful for the HMI. Activated.
- System hardening: Depends on the project. Minimum privileges and minimum services policy: only the required ports and services are opened and the rest are closed. Access is additionally restricted by the authorisation system at the operating system level, depending on the user account.
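The IED checkpoints and the RTU default settings above describe what a correct configuration looks like, but in practice the check is done against a configuration export. The following added example (not code from the original article or from any vendor) audits a constructed RTU configuration against those points: password policy, the four-role RBAC minimum, inactivity time-out, the three mandatory audit events, security alarms, the minimum-services rule, self-signed certificate handling and the IPsec pre-shared key. The export format, the field names and the per-project service whitelist are assumptions made for the example; real devices export configuration in their own formats.

```python
"""Audit an RTU/IED configuration export against the smart grid checkpoints.

The dictionaries below are constructed sample exports in an assumed format;
a real audit would parse the vendor's own configuration file first.
"""
import re

# Checkpoints from the article: 4 roles minimum, 3 audited events minimum.
REQUIRED_ROLES = {"deployer", "configurator", "admin", "operator"}
REQUIRED_AUDIT_EVENTS = {"parameter_change", "configuration_change", "firmware_update"}
# Per-project whitelist (assumed): only these services may be open on the RTU.
REQUIRED_SERVICES = {"https", "iec104"}
MIN_PSK_LEN = 20  # assumed project threshold for IPsec pre-shared keys

WEAK_RTU = {  # constructed: a factory-style configuration
    "password_policy": {"min_length": 6, "alnum_and_special": False,
                        "case_sensitive": False, "max_lifetime_days": None},
    "roles": {"admin", "operator"},
    "session_timeout_min": 0,
    "audit_events": {"configuration_change"},
    "security_alarms": False,
    "services": {"https": 443, "ftp": 21, "telnet": 23, "iec104": 2404},
    "https": {"enabled": True, "self_signed": True, "fingerprint_distributed": False},
    "vpn": {"enabled": True, "auth": "psk", "psk_len": 8},
}

HARDENED_RTU = {  # constructed: the same device after applying the guidelines
    "password_policy": {"min_length": 12, "alnum_and_special": True,
                        "case_sensitive": True, "max_lifetime_days": 180},
    "roles": {"deployer", "configurator", "admin", "operator"},
    "session_timeout_min": 10,
    "audit_events": {"parameter_change", "configuration_change", "firmware_update"},
    "security_alarms": True,
    "services": {"https": 443, "iec104": 2404},
    "https": {"enabled": True, "self_signed": True, "fingerprint_distributed": True},
    "vpn": {"enabled": True, "auth": "psk", "psk_len": 32},
}


def password_meets_policy(pw: str, policy: dict) -> bool:
    """Check one candidate password against the device's password policy.

    When case sensitivity is enabled we also require mixed case, so that the
    setting actually adds entropy instead of only changing the comparison.
    """
    if len(pw) < policy["min_length"]:
        return False
    if policy["alnum_and_special"]:
        if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)
                and re.search(r"[^A-Za-z0-9]", pw)):
            return False
    if policy["case_sensitive"]:
        if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
            return False
    return True


def audit_rtu(cfg: dict) -> list:
    """Return a list of findings; an empty list means every checkpoint passed."""
    findings = []
    pp = cfg["password_policy"]
    if pp["min_length"] < 8:
        findings.append("password: minimum length below 8 characters")
    if not pp["alnum_and_special"]:
        findings.append("password: alphanumeric and special characters not enforced")
    if not pp["case_sensitive"]:
        findings.append("password: uppercase/lowercase sensitivity disabled")
    if pp["max_lifetime_days"] is None:
        findings.append("password: no maximum lifetime configured")
    missing_roles = REQUIRED_ROLES - {r.lower() for r in cfg["roles"]}
    if missing_roles:
        findings.append("rbac: missing roles %s" % sorted(missing_roles))
    if cfg["session_timeout_min"] <= 0:
        findings.append("access: inactivity time-out disabled")
    missing_events = REQUIRED_AUDIT_EVENTS - set(cfg["audit_events"])
    if missing_events:
        findings.append("audit: events not logged %s" % sorted(missing_events))
    if not cfg["security_alarms"]:
        findings.append("alarms: security alarms not activated")
    extra = set(cfg["services"]) - REQUIRED_SERVICES
    if extra:  # minimum services: anything outside the whitelist must be closed
        findings.append("hardening: unneeded services open %s" % sorted(extra))
    https = cfg["https"]
    if not https["enabled"]:
        findings.append("https: not enabled")
    elif https["self_signed"] and not https["fingerprint_distributed"]:
        findings.append("https: self-signed certificate fingerprint not distributed to clients")
    vpn = cfg["vpn"]
    if vpn["enabled"] and vpn["auth"] == "psk" and vpn["psk_len"] < MIN_PSK_LEN:
        findings.append("vpn: IPsec pre-shared key shorter than %d characters" % MIN_PSK_LEN)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_RTU), ("hardened", HARDENED_RTU)):
        print(name, audit_rtu(cfg) or "OK")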
Once devices are configured it is good practice to run a security test in order to fine-tune the configuration and check whether the parameters set actually deliver the required security level. It is advisable to test all of the devices that will be installed in the field, both individually and when operating together. This measure cannot stop every attack on industrial control systems, but it is especially effective against the vulnerabilities that require little technical expertise to exploit, such as insecure or default passwords, trivial SSH access, etc. According to ICS-CERT, the vulnerabilities found in industrial control systems break down as shown in the image below:
- Vulnerabilities in industrial control systems -
As the breakdown shows, only 6% of the vulnerabilities relate to security and maintenance configuration; this is, however, the only part that the product consumer can improve directly. The remaining problems detected depend directly on the manufacturer.
There are automated tools that can run security tests to verify configurations. One option is Nessus which, using the audit files (compliance checks) designed specifically for control systems by the Bandolier Project, verifies whether a device's configuration matches a known-good baseline. These configuration templates were developed with the help of manufacturers, vendors and consumers.
Performing security analyses with these automated tools also helps to meet some of the requirements of industry standards, such as NERC CIP-007 R8, which calls for a cyber vulnerability assessment at least once a year.
- Bandolier project functioning -
Checkpoints for security configurations
Generally speaking, and based on the information discussed in this article, the key points to review in the configuration of smart grid devices can be summarised as follows: physical and network access restrictions; role-based authorisation with individual, authenticated user accounts; a password policy (length, complexity, case sensitivity, lifetime) with protected password storage; an inactivity time-out; encryption of management traffic (TLS, FTPS, IPsec) with properly managed certificates and keys; logging of security events (parameter, configuration and firmware changes) and active security alarms; hardening to the minimum set of services and privileges; and a security test of every device, alone and in combination, before it goes into service.
Security in a smart grid is an issue for which all the players involved (manufacturers, distributors and consumers) must be accountable, and each of them must take the appropriate measures to improve the protection of the system.