Andreas Klien, OMICRON, Austria
CYBERSECURE SUBSTATION NETWORKS
How to Protect Modern Substations Against Cyberattacks?
About OMICRON
> Innovative power system testing and cybersecurity solutions
> Focus on innovation, customer support and knowledge provision
> Social and ecological responsibility is one of our core values
> 800+ employees
> 24 offices worldwide
> Customers in more than 160 countries
> R&D quota > 15 % of OI
Page 3 © OMICRON
Case study: Secure Substation Architecture
> This presentation is based on a case study:
> New secure substation network architecture by the Swiss generation and distribution utility CKW
> Commissioning of the first substation started in 2019 (see the paper)
> They implemented many security measures without compromising efficiency.
Source: Centralschweizer Kraftwerke AG
Basis: NIST Security Framework
> Basis for Swiss OT security guideline
> Assumption: There is no 100% protection; attacks can always come through
> Cybersecurity seen as process:
> Identify assets and attack vectors
> Protect against the vectors with highest risk
> Detect attacks/threats as they occur
> Respond to detected threats to minimize damage and to learn
> Recover affected services
Substation Attack Vectors
How hard is it to attack a relay?
> Well-known vulnerability; a single packet is required to exploit it
> Freezes whole relay until next reboot
> No communication
> No protection
> “Denial of Service”
> Security patch for this relay has been available since 2015
Source: exploit-db.com
Case study: Secure Substation Architecture at CKW
Measures implemented
> Secure remote access
> Multiple firewall zones on station bus
> Role-Based Access Control for all activity
> Switch port access control
> Intrusion Detection System (IDS)
Source: Centralschweizer Kraftwerke AG (CKW), Switzerland
Secure Remote Access (Case Study Ctd.)
Connection to corporate IT or DMZ is the attack vector with the highest risk
> No permanent connections to external networks; all services replicated locally
> Remote connection must be enabled by the control center (4-eye principle)
> Engineering stations are virtual machines in the DMZ
Secure Local Access (Case Study Ctd.)
> Can’t plug engineering laptops into the station network
> Local access is remote access: using the engineering VM in the DMZ
> Role-Based Access Control, even for manual operation on the display
> Local Active Directory and RADIUS server, synchronized with remote servers
Limiting Attack Surface (Case Study Ctd.)
> Separate VLANs for management and process
> Two physical Ethernet ports on the devices
> Multiple firewall zones on the process level
> Extended ACLs on protocol level
> Only certain protocols are allowed between the zones
Still, important attack vectors remained.
→ IDS at substation level
Substation IDS Hardware Requirements
> Monitor 8+ separate networks simultaneously
> 8x Gigabit fiber Ethernet ports
> Binary I/Os for alarms and fault signal contact
> For integration into SCADA signal list
> DC supply, redundant
> Rugged and fan-less design, IEC 61850-3 compliant
> Cybersecurity features in hardware
Problems of Current IDS in Substations
1. Signature-based
> PC virus scanner approach
> Very few exploits/attacks known for substations
2. Learning-based
> Many false alarms: switching, maintenance, routine testing, ...
> Complex alerts: IDS doesn’t know what happens in the substation
(Diagram labels: Deny list; Black box; Difficult to analyze, even for experts)
The StationGuard approach
StationGuard knows the substation
> System model created from SCL
> Each packet evaluated against live system model: alarm / no alarm
> Maintenance and testing is part of the system model
> Detailed verification of whole communication
> Detects not just cyber threats, but also malfunctions
(Diagram labels: System model / allow list; Functional security monitoring)
Functional Monitoring
> Detects IED configuration changes
> Monitors configuration revision fields in messages
> Continuous GOOSE transmission time measurements
> To detect failures in IED, network, and time sync
> Logging of critical events:
> Control commands on switchgear, tap changers, etc.
> Monitoring and logging of all file transfers
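The two checks on this slide, configuration-revision monitoring and continuous GOOSE transmission-time measurement, as an added example that is not OMICRON's or StationGuard's code: a small Python monitor that tracks every GOOSE control block by destination MAC and APPID, reports a confRev change, a heartbeat gap that exceeds MaxTime, lost frames within one state, and a publisher that has gone silent. The MaxTime of 1000 ms, the 20 % tolerance and the frame sequence are constructed for the example; in a deployment MaxTime would come from the `<MaxTime>` element of each GSE block in the SCL file.

```python
from dataclasses import dataclass

# Constructed per-control-block limit (ms); a real tool reads it from the
# <MaxTime> element of the GSE block in the SCL file.
MAX_TIME_MS = {("01:0c:cd:01:00:01", 0x0001): 1000}
TOLERANCE = 0.2   # assumed 20 % margin on MaxTime before a late heartbeat is reported


@dataclass(frozen=True)
class GooseFrame:
    """The GOOSE PDU fields the monitor needs, plus the capture timestamp."""
    t_ms: int        # capture time in ms (constructed values in the sample below)
    dst_mac: str
    appid: int
    conf_rev: int    # confRev: changes when the publisher's dataset/configuration changes
    st_num: int      # stNum: increments on every state change
    sq_num: int      # sqNum: increments on every retransmission of the same state


class GooseMonitor:
    """Tracks every GOOSE control block seen on the wire (keyed by dst MAC + APPID)
    and reports configuration changes and transmission-time anomalies."""

    def __init__(self, max_time_ms, tolerance=TOLERANCE):
        self.max_time_ms = max_time_ms
        self.tolerance = tolerance
        self.last = {}       # key -> last GooseFrame seen
        self.events = []

    def _limit(self, key):
        limit = self.max_time_ms.get(key)
        return None if limit is None else limit * (1 + self.tolerance)

    def observe(self, frame):
        key = (frame.dst_mac.lower(), frame.appid)
        prev = self.last.get(key)
        self.last[key] = frame
        if prev is None:
            return
        # 1. Configuration change: confRev must stay constant outside engineering sessions.
        if frame.conf_rev != prev.conf_rev:
            self.events.append(f"{key}: confRev changed {prev.conf_rev} -> {frame.conf_rev}")
        # 2. Transmission time: the gap between two frames of one control block must never
        #    exceed MaxTime; a longer gap points at the IED or the network.
        gap = frame.t_ms - prev.t_ms
        limit = self._limit(key)
        if limit is not None and gap > limit:
            self.events.append(f"{key}: gap {gap} ms exceeds MaxTime {self.max_time_ms[key]} ms")
        # 3. Lost frames: within one state (same stNum) sqNum increments by exactly one;
        #    after a state change sqNum restarts at 0, so that case is not a gap.
        if frame.st_num == prev.st_num and frame.sq_num != prev.sq_num + 1:
            self.events.append(f"{key}: sqNum {prev.sq_num} -> {frame.sq_num}, frames lost")
        elif frame.st_num != prev.st_num and frame.sq_num != 0:
            self.events.append(f"{key}: stNum changed but sqNum={frame.sq_num}, expected 0")

    def check_silence(self, now_ms):
        """Run periodically: a publisher that stopped sending never reaches observe()."""
        for key, prev in self.last.items():
            limit = self._limit(key)
            if limit is not None and now_ms - prev.t_ms > limit:
                self.events.append(f"{key}: no GOOSE for {now_ms - prev.t_ms} ms (publisher silent)")
        return self.events


def run_sample():
    """Constructed capture: steady 1 s heartbeat, then a late frame, a confRev change,
    a lost frame, a genuine state change, and finally silence."""
    mac = "01:0c:cd:01:00:01"
    frames = [
        GooseFrame(0,    mac, 1, conf_rev=1, st_num=1, sq_num=0),
        GooseFrame(1000, mac, 1, conf_rev=1, st_num=1, sq_num=1),
        GooseFrame(2000, mac, 1, conf_rev=1, st_num=1, sq_num=2),
        GooseFrame(3500, mac, 1, conf_rev=1, st_num=1, sq_num=3),   # 1500 ms gap: late
        GooseFrame(4500, mac, 1, conf_rev=2, st_num=1, sq_num=4),   # IED reconfigured
        GooseFrame(5500, mac, 1, conf_rev=2, st_num=2 - 1, sq_num=6),   # sqNum 5 missing
        GooseFrame(5510, mac, 1, conf_rev=2, st_num=2, sq_num=0),   # real state change: fine
    ]
    mon = GooseMonitor(MAX_TIME_MS)
    for f in frames:
        mon.observe(f)
    return mon.check_silence(now_ms=8000)        # nothing received since 5510 ms


if __name__ == "__main__":
    for e in run_sample():
        print(e)
```

Each event carries the control block it belongs to and the measured value, which is what a protection engineer needs to decide whether a gap is a network problem, an IED fault, or a planned engineering change.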
What about other protocols?
> General: All connections must be allowed, otherwise alarm
> IEC 61850 protocols: 98% of the traffic in modern substations
> Analyzed down to the smallest detail
> DNP3, IEC-104, Modbus, FTP, HTTP, ...
> Deep packet inspection for dozens of protocols
> Proprietary vendor protocols additionally protected by Maintenance Mode
Allow-list key: src./dest. MAC + src./dest. IP + VLAN + port number + application
System model / allow-list, minimum: asset inventory export
Information combined from:
1. Passive asset discovery
2. Engineering files (SCL)
3. Active device interrogation (StationScout)
Understandable alarms
> Security systems must be usable for protection and control engineers
> Supports collaboration between security officers and PAC engineers
How do I configure it?
1. Import the SCL file of the substation
> Possible to capture SCL from the live system
2. Assign roles to remaining devices
> “RTUs may perform control commands on bay controllers.”
> “Engineering PCs may use vendor protocol X during maintenance.”
> “Fault Record Collectors may download disturbance records from relays.”
3. Add additional permissions based on alerts
> “Allow X for all Engineering PCs”
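The three configuration steps above, together with the allow-list key from the earlier slide (MAC + IP + VLAN + port number + application) and the maintenance-mode rule for vendor protocols, as an added Python example that is not StationGuard's code: it imports a constructed SCD excerpt, derives the GOOSE allow-list from the GSE addresses, gives every IED a generic role, assigns roles to the remaining devices, adds role rules in the form the slide quotes, and evaluates constructed packet descriptors. Device names, IP addresses, role names and the application labels (`MMS`, `VENDOR-X`, `HTTP`) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SCL_NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed minimal SCD excerpt for this example; not a real utility's file.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Communication><SubNetwork name="StationBus">
  <ConnectedAP iedName="PROT_E1Q1" apName="P1"><Address><P type="IP">10.0.1.11</P></Address>
    <GSE ldInst="CTRL" cbName="gcb01"><Address><P type="MAC-Address">01-0C-CD-01-00-01</P>
      <P type="APPID">0001</P><P type="VLAN-ID">005</P></Address></GSE>
  </ConnectedAP>
  <ConnectedAP iedName="BAYC_E1Q1" apName="P1"><Address><P type="IP">10.0.1.12</P></Address></ConnectedAP>
  <ConnectedAP iedName="RTU1" apName="P1"><Address><P type="IP">10.0.1.50</P></Address></ConnectedAP>
</SubNetwork></Communication></SCL>"""

def norm_mac(mac):
    return mac.replace("-", ":").lower()

@dataclass(frozen=True)
class Packet:
    """Fields the allow-list key is built from: MAC, IP, VLAN, port number and application
    (a real DPI engine derives `app` from port and payload; the sample sets it directly)."""
    app: str
    dst_mac: str = ""
    src_ip: str = ""
    dst_ip: str = ""
    vlan: int = 0
    dst_port: int = 0
    appid: int = 0

class SystemModel:
    """Allow-list built from SCL plus role rules; anything not modelled is an alarm."""

    def __init__(self):
        self.ip_to_device = {}   # IP -> device name
        self.roles = {}          # device name -> role
        self.goose = set()       # (dst MAC, VLAN, APPID) of each GOOSE control block in the SCL
        self.rules = []          # (src role, dst role, app, maintenance_only)
        self.maintenance_mode = False

    @classmethod
    def from_scl(cls, scl_text):
        model = cls()
        for ap in ET.fromstring(scl_text).iterfind(".//scl:ConnectedAP", SCL_NS):
            ip = ap.findtext("scl:Address/scl:P[@type='IP']", namespaces=SCL_NS)
            if ip:
                model.add_device(ap.get("iedName"), ip, "IED")  # generic role until step 2
            for gse in ap.iterfind("scl:GSE", SCL_NS):
                p = lambda t: gse.findtext(f"scl:Address/scl:P[@type='{t}']", namespaces=SCL_NS)
                # APPID and VLAN-ID are hexadecimal strings in SCL
                model.goose.add((norm_mac(p("MAC-Address")), int(p("VLAN-ID"), 16), int(p("APPID"), 16)))
        return model

    def add_device(self, name, ip, role):
        self.ip_to_device[ip] = name
        self.roles[name] = role

    def allow(self, src_role, dst_role, app, maintenance_only=False):
        self.rules.append((src_role, dst_role, app, maintenance_only))

    def evaluate(self, pkt):
        if pkt.app == "GOOSE":
            key = (norm_mac(pkt.dst_mac), pkt.vlan, pkt.appid)
            return ("ok", "GOOSE control block in SCL") if key in self.goose else ("alarm", f"GOOSE not in SCL: {key}")
        src, dst = self.ip_to_device.get(pkt.src_ip), self.ip_to_device.get(pkt.dst_ip)
        if src is None or dst is None:
            return "alarm", f"unknown device {pkt.src_ip if src is None else pkt.dst_ip}"
        for src_role, dst_role, app, maint_only in self.rules:
            if (src_role, app) == (self.roles[src], pkt.app) and dst_role in ("*", self.roles[dst]):
                if maint_only and not self.maintenance_mode:
                    return "alarm", f"{app} from {src} only allowed in maintenance mode"
                return "ok", f"{src} -> {dst} {app} permitted by role rule"
        return "alarm", f"no rule for {src} -> {dst} {pkt.app}"

def build_model():
    model = SystemModel.from_scl(SAMPLE_SCD)                      # step 1: import the SCL file
    model.roles["RTU1"] = "RTU"                                   # step 2: roles for remaining devices
    model.add_device("ENG_PC1", "10.0.1.200", "ENG_PC")
    model.allow("RTU", "IED", "MMS")                              # "RTUs may perform control commands ..."
    model.allow("ENG_PC", "IED", "VENDOR-X", maintenance_only=True)
    model.allow("ENG_PC", "*", "HTTP")                            # step 3: "Allow X for all Engineering PCs"
    return model

def run_sample():
    """Constructed packet descriptors; returns the verdict ("ok"/"alarm") for each in order."""
    model = build_model()
    pkts = [
        Packet("GOOSE", dst_mac="01:0c:cd:01:00:01", vlan=5, appid=0x0001),    # configured publisher
        Packet("GOOSE", dst_mac="01:0c:cd:01:00:99", vlan=5, appid=0x0099),    # not in the SCL
        Packet("MMS", src_ip="10.0.1.50", dst_ip="10.0.1.12", dst_port=102),   # RTU -> bay controller
        Packet("MMS", src_ip="10.0.1.200", dst_ip="10.0.1.12", dst_port=102),  # engineering PC, no MMS rule
        Packet("VENDOR-X", src_ip="10.0.1.200", dst_ip="10.0.1.11"),           # outside maintenance mode
        Packet("MMS", src_ip="10.0.1.99", dst_ip="10.0.1.12", dst_port=102),   # source not in the model
    ]
    verdicts = [model.evaluate(p)[0] for p in pkts]
    model.maintenance_mode = True                                  # same vendor traffic during maintenance
    verdicts.append(model.evaluate(pkts[4])[0])
    return verdicts
```

Everything the model does not explicitly cover ends as an alarm, which is the "all connections must be allowed, otherwise alarm" rule from the earlier slide; the reason string names the devices and roles involved, which is what makes the alarm readable for a PAC engineer rather than a raw signature id.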
How they integrated the IDS (Case Study Ctd.)
> StationGuard Dashboard in Security Operations Center (SOC)
> StationGuard client on local HMI PC to collaborate on alerts locally
> Binary outputs → RTU → Control Center
> SCADA signal: “Unacknowledged IDS alert”
> Syslog for Security Information and Event Management (SIEM) integration
> StationGuard Splunk™ App
Security systems must consider the special requirements of substations
Intrusion detection systems should speak the language of protection and control engineers
Engineering file import (SCL) enables low-effort configuration and more accurate results
Thank you for your attention!
Andreas [email protected]
www.omicronenergy.com/stationguard