Presentation

Report
ITU Workshop on “ICT Security Standardization
for Developing Countries”
(Geneva, Switzerland, 15-16 September 2014)
Smart Grid cyber security
within IEC TC57 WG15
Fernando Alvarez,
Cyber Security Technical PM
ABB Switzerland
Geneva, Switzerland, 15-16 September 2014
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
2
Cyber Security – Essentials
without / before IEC 62351
Physical perimeter protection
Fences, gates, motion sensors, cameras
Electronic perimeter protection
Firewalls, VPN
Antivirus and IDS
Unused ports & services disabled
Debug services, USB ports, etc.
Robustness tested releases
No device crashes due DOS attacks
Geneva, Switzerland, 15-16 September 2014
3
Cyber Security – Essentials
Is all this enough?
Geneva, Switzerland, 15-16 September 2014
4
IEC 62351 – Even more essential
Geneva, Switzerland, 15-16 September 2014
5
IEC 62351 – Even more essential
Secure the protocols w/authentication+
Distributed Energy
Resources (DER)
Electric Vehicle
Back Office
Market System
DER Generator
IEC 61850-7-420
DMS
EMS
Apps.
Apps.
IEC 61970
IEC 61968
Communication Bus
IEC 61970
IEC 60870-6
TASE.2/ICCP
IEC 62351
Cybersecurity
SS-CC
IEC 61850
60870-5-101/104
IEEE 1815 (DNP3)
IEC 60870-5-102
IEC 61850-7-410
SCADA
Hydro systems
Hydroelectric/ Gas
Turbine Power Plants
Substations / Field Devices
IEC 6185090-5
Turbine and
electric systems
IEC 61850
Control Center B
IEC 61968
DER Storage
Control Center A
IEC 62325
IEC 61850-90-7, 8,
9, 10, 15
RTUs
Substation
Automation Systems
IEC 60870-5-103
PMUs
IEC 61850
Protection, Control, Metering
SS-SS
IEC 61850
GOOSE, SV
IEC 61850
Switchgear, Transformers,
Instrumental Transformers
Geneva, Switzerland, 15-16 September 2014
6
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
7
Mission and Scope of
TC57 WG15 on Cyber Security
Undertake the development of standards for
security of the communication protocols
defined by the IEC TC 57
Specifically the IEC 60870-5 series, the IEC 60870-6
series, the IEC 61850 series, the IEC 61970 series,
and the IEC 61968 series.
Undertake the development of standards
and/or technical reports on
end-to-end security issues.
IEC 62351
Geneva, Switzerland, 15-16 September 2014
8
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
9
TC57 WG15 Members
76 members
Participants from 22 countries
Argentina
Canada
China
Croatia
Czech Republic
Denmark
Finland
France
Germany
Great Britain
India
Japan
Geneva, Switzerland, 15-16 September 2014
10
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
11
Mapping of TC57 Communication Standards
to IEC 62351 Security Standards
IEC TC57 Communication Standards
IEC 62351 Security Standards
IEC 62351 Part 1: Introduction
IEC 62351 Part 2: Glossary
IEC 62351 Part 4: Profiles
including MMS
IEC 61850 over MMS
IEC 62351 Part 5: IEC 60870-5
& Derivatives
IEC 61850 GOOSE & SV
IEC 62351 Part 6: IEC 61850
Profiles
IEC 61970 & IEC 61968 CIM
IEC 62351 Part 9: Cybersecurity
Key Management
IEC 60870-5-101 & Serial
DNP3
IEC 62351 Part 8: Role-Based
Access Control (RBAC)
IEC 60870-5-104 & DNP3
IEC 62351 Part 7 Object Models for
Network Management
IEC 62351 Part 3: Profiles
including TCP/IP
IEC 62351 Part 11: Security for XML
Files
IEC 60870-6: TASE.2 (ICCP)
IEC 62351 Part10: Security Architecture Guidelines for TC57 Systems
Geneva, Switzerland, 15-16 September 2014
12
IEC 62351 Parts & Status
IEC 62351 Part
Released
Activities (by May 2014)
IEC/TS 62351-1: Introduction
IEC/TS 62351-2: Glossary of terms
2007
2008
Review Report pending
IEC/TS 62351-3: Security for
profiles including TCP/IP
IEC/TS 62351-4: Security for
profiles including MMS
2007
Ed. 2: Responses to Comments on CDV
being developed
Starting Edition 2
After amendment process was rejected,
the decision was made to start Edition 2
IEC/TS 62351-5: Security for IEC
60870-5 and derivatives
2009
IEC/TS 62351-6: Security for IEC
61850 profiles: GOOSE & SV
2007
IEC/TS 62351-7: Objects for
Network Management
IEC/TS 62351-8: Role-Based Access
Control : RBAC
IEC/TS 62351-9:
Key Management
2010
IEC/TR 62351-10:
Security Architecture
IEC/TS 62351-11:
Security for XML Files
PWI: Resiliency and Security for
power systems with DER
PWI: Conformance Testing for IEC
62351
2007
2011
Pending
2012
Pending
DC Pending
NWIP
Pending
PWI: IEC 62351-90-1: Guidelines
TR Pending
Geneva, Switzerland, 15-16 September 2014
for Using Part 8 RBAC
Ed. 2 released April 2013
Ed. 2 planed: Updates underway, based
on security requirements in
IEC 61850-90-5
Working on Ed. 2: Responded to
comments on RR changing TS to IS
Working on Ed. 2: Discussions on
developing categories of roles
Working on Ed. 1: 1st CD issued August
2013; Responses submitted Feb 2014. 2 nd
CD planned
TR published Oct 2012
No further work planed.
Working on Ed. 1: Developing CD for
WG15 review by May 2014
Need broader review by WG17 & 21
before submittal as TR as 62351-12
Pending
Work in progress
Planned Release
Pending
Submitted as CDV by Dec 2012,
FDIS Dec 2013, IS Ed. 2 by 2014?
Comments on Q rec’d Dec 2013
Ed. 2: CD 6/2015, CDV 3/2016,
FDIS 6/2016, IS Jun 2017
TS Released April 2013
Possible clarifications
RR to be issued mid-2014, to be
released in parallel with Part 4
CD 9/2014, CDV 6/2015, FDIS
3/2016, IS 9/2016
Planning IS in 2014/15 after
TR 90-1 issued
2nd CD August 2014, CDV in (early)
2015 and IS in (late) 2015
Done
CD 6/2014, CDV 2/2015, FDIS
12/2015, IS 6/2016
Review in WG17 and WG21,
Circulated in WG19 early 2014
Pending
Pending
13
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
14
TC57 Security (IEC 62351) Roadmap
Completed
• Ed. 1 of Parts:
1, 2, 3, 4, 5, 6,
7, 8, and 10 –
finalized as TRs
or TS
• Ed. 2 of Part 5
Updates in Process
Potential New Work
• Part 2 Glossary: adding amendments
probably update in 2014
• Part 3 Security using TLS: Submitted as
FDIS Dec 2013 as IS by 2014
• Part 4 Security for MMS: Edition 2 started
• Part 6 on IEC 61850: GOOSE & SVs.
Updates to equivalent to IEC 61850-90-5
• Part 7 Network and System Management:
update process to Ed 2 started in 2013
• Part 8 developing TR 62351-90-1 as
Guidelines for using RBAC
• Part 9 Key Management: CD issued in
August 2013; comments being addressed
• Part 11 Security for XML Files: in progress
• Resilience and Security for DER systems
and other field devices (collaborate with
WG17 and WG21 as appropriate)
• Conformance Testing
TR
Geneva, Switzerland, 15-16 September 2014
• Profiles for web
services including
XMPP (once the
requirements are
determined in the IEC
61850-8-2
development)
• Metering (collaborate
with TC13)
• Explore customer
premises security
issues with WG21
15
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
16
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
17
IEC 62351-7 ~ Standardized
Network and System Management
Network and system management
(NSM) data object models
Using Simple Network Management
Protocol (SNMP)
Coherent status and monitoring data
of the power infrastructure/grid
Different grid areas, diff. comm. channels,
network segments, different protocols, etc.
Geneva, Switzerland, 15-16 September 2014
18
IEC 62351-7
Network and System Management
S e c u r ity M o n ito r in g A r c h ite c tu r e , U s in g N S M D a ta O b je c ts
C o n tro l C e n te r
T A S E . 2 lin k t o
E x te rn a l S y s te m s
E n g in e e r in g
S y s te m s
H is t o r ic a l D a t a b a s e
a n d D a ta In te rfa c e
ID S
F ir e w a ll
F ir e w a ll
S e c u r it y
C lie n t
O p e ra to r U s e r
In te rfa c e
S C A D A S y s te m
ID S
W AN
Legend:
S u b s t a t io n
F ir e w a ll
C lie n t s
ID S
S e c u r it y
S e rv e r
S e rv e rs
S u b s t a t io n
M a s te r
C a p a c it o r B a n k
C o n t r o lle r
O th e r
F ir e w a ll
PT
N S M D a t a O b je c t s
C ir c u it
B re a k e r
I n t r u s io n D e t e c t io n
S y s te m (ID S )
Geneva, Switzerland, 15-16 September 2014
CT
P r o t e c t io n
R e la y
Load Tap
C hanger
A u to m a te d
S w it c h
V o lt a g e
R e g u la t o r
F e e d e rs
19
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
20
IEC 62351-8 ~ Standardized
Role-Based Access Control
Standardized Central User Account
Management in the automation,
industrial, embedded world
Standardized RBAC (Role Based Access
Control)
User tokens : X.509 certificates
User certificates specify user’s roles,
roles grouped in AoRs
Pull (e.g. LDAP) &
Push (e.g. SmartCards) methods supported
Geneva, Switzerland, 15-16 September 2014
21
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
22
IEC 62351-9 ~ Standardized
Key Management Methods
Device/user X.509 digital certificates
PKI methods and protocols
Full key life cycle : from
Creation until the end-of-life
GDOI (distribution of symmetrical keys)
Geneva, Switzerland, 15-16 September 2014
23
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
24
Liaisons with Other Security
Activities
Liaison with ISO JTC 1 / SC 27 IT Security:
WG15 has provided lists of Smart Grid security standards & documents to SC27.
WG15 has reviewed documents of the 270xx series on general cyber security.
WG15 welcomes the publication of ISO/IEC TR 27019.
SC27 liaison : SC27 expects to attend additional WG15 meetings
Liaison D with M/490 SGIS:
WG15 is exchanging information with SGIS
Liaison D with UCAIug:
Discussions with SG-Security in UCAIug are underway.
Liaison A with IEC TC65C which is standardizing the work of the
ISA SP99 Security Standards.
Some WG15 members have reviewed and commented on IEC 62443 drafts
Liaison D with the IEEE PES PSCC Security Subcommittee
Working with IEEE Substations on Cybersecurity Standard IEEE 1686
Geneva, Switzerland, 15-16 September 2014
25
Coordination with Security Groups
Coordination mostly through common membership:
NIST’s Smart Grid Interoperability Panel (SGIP) Smart
Grid Cybersecurity Committee (SGCC) (used to be called
CSWG)
SGIS
NERC CIPs
Cigré D2.34
MultiSpeak Security / Security for Web Services
(e.g. WS-Security)
NESCOR
IEC TC13
ITU-T
Geneva, Switzerland, 15-16 September 2014
26
Topics
Industrial Cyber Security Essentials
Mission and Scope of TC57 WG15
Members
IEC 62351 Parts & Status
IEC 62351 Roadmap
About IEC 62351 Parts 7, 8 and 9
Liaisons and Coordination
Standardization Issues
Geneva, Switzerland, 15-16 September 2014
27
Cyber Security Standardization Issues
Although we have cybersecurity experts, they are very busy
Cybersecurity is a very dynamic, rapidly changing field
which is quite new for the power & automation industries
Need to coordinate with other industries and
standards groups
Need rapid development of new standards and updates
to existing standards
Need guidelines for end-to-end security, but only for
very specific aspects
Need both standards and technical reports
Need input from power system domain experts on
security requirements
Need conformance and/or interoperability testing for
IEC 62351
Abstract conformance test cases should be in each Part,
with IEC 61850-10 providing specifics for 61850
Interoperability testing?
Geneva, Switzerland, 15-16 September 2014
28
Questions? Comments?
Geneva, Switzerland, 15-16 September 2014
29
Thanks
Geneva, Switzerland, 15-16 September 2014
30
Geneva, Switzerland, 15-16 September 2014
31

similar documents