You are on page 1of 9

Cybersecurity as Part of Modern Substations

Dwight Anderson and Garrett Leischner
Schweitzer Engineering Laboratories, Inc.

Presented at the
7th Annual Clemson University Power Systems Conference
Clemson, South Carolina
March 11–14, 2008

creating a circus-like environment. cybersecurity. Every month there are policy leads to standards and procedures. Given the rapidly changing world of technology and the R1. protection engineers. requirements in Standards CIP-002 through CIP- These threats are as real as the ones we may have personally 009. and terrorists attempting to breach and/or corrupt step is essential to achieve the goals to secure a modern sensitive control systems of power utilities. people.2. Schweitzer Engineering Laboratories. integration and automation engineers to take straightforward Many vendors claim that if you purchase their product. No one entity pages. situations. This responsibility comes There are a number of good sources of information and in many forms. It is one of the countermeasures to improve cybersecurity is relatively straightforward and is frequently present in the feature sets of reasons a security policy is one of the cornerstones to the equipment already in service. and procedures that lead to security: presents practical techniques that help mitigate potential “The Responsible Entity shall comply with the following vulnerabilities in the electric power infrastructure for little or requirements of Standard CIP-003: no additional cost. A device can only aid in compliance once (NERC CIP) standards are causing a heightened sense of a policy. and remote engineering access. Increasing awareness of cybersecurity and the the authors of the requirements clearly state. 1 Cybersecurity as Part of Modern Substations Dwight Anderson and Garrett Leischner. . standards. SCADA personnel. Cyber Security Policy — The Responsible Entity Many of us have had negative personal experiences. can thoroughly cover cybersecurity. STANDARDS. ensure the and television contain alarming reports of the many threats following: from hackers. The cyber security policy is readily relatively new recognition of the importance of cybersecurity. denial of service. defining what urgency throughout the industry. Fortunately. not exceeding two or three and access for such a wide variety of purposes. and credit card fraud. disgruntled employees. there is not a imminent deadlines by the North American Electric vendor or single product that will enable a substation utility to Reliability Corporation Critical Infrastructure Protection become compliant. Magazines. techniques to secure a substation’s infrastructure. GENERATE POLICY. shall document and implement a cyber security including identity theft. AND PROCEDURES information to a wide range of users in near real time and also automate a number of tasks that streamline operations and Generation of a security policy is the most critical performance. standard. It has to because modern data. available to all personnel who have access to.1. access control measures. newspapers. which produce a reports of threats and attacks from hackers. or procedure is created. such as the urging an almost knee-jerk reaction from modern substation NERC CIP requirements. starting with The SANS policy. and procedures to application of proven Security Policy Project [2]. or government? The responsibility belongs to all of should contain such subjects as classification of substation us who work for and with utilities. Abstract—Modern substation integrated systems deliver II. including provision for emergency experienced. Critical Cyber Assets” [1]. or it often seems as if there is no clear focus on the responsibility are responsible for. no “one-size-fits-all” policy exists. standards. Often these new performance advantages come underpinning for a modern utility. it steps to enhance the security of a modern substation. Once written. There is a lot of interest in securing the electric power After much discussion regarding the NERC CIP requirements. infrastructure. terrorists. The NERC CIP requirements are owners. and countries R1. This employees. as will be discussed in this paper. power systems use so many different kinds of electronic The policy must spell out acceptable-use constraints and instruments and so many different means of communications privacy. Compounding the sense of mitigation technique a company is going to undertake in urgency are many well-meaning “technical experts” who are response to an identified threat or requirement. It should also be short. enables you to comply with the NERC CIP requirements. The similar experiences and concerns. A company’s policy suppliers. phishing. for security. at minimum. Inc. customers. This paper shows and encourages NERC CIP requirements. the security with an additional cost. Does it belong with the information service The policy must be as unique as the company creating it. adding substation and must not be circumvented. Some companies even go so far as to list the NERC CIP I. from documentation and implementation of examples regarding security policy. computer policy that represents management’s commitment viruses. disgruntled security baseline of guidelines and a set of instructions. The cyber security policy addresses the with sophisticated information warfare plans and capabilities. Responsible Entity shall. This paper about policy. R1. Corporations and utilities have and ability to secure its Critical Cyber Assets. INTRODUCTION requirements and how their technology enables compliance.

Economic Model: Modest Investment Provides Great Benefit There are two methods of risk assessment regarding security: qualitative and quantitative. information technology. government. The ALE is equal to the single loss distance. as well as collaborative $1 M in damage.000. such as research and development. potential threat were to be successful. which provides a good overview of in effective security measures provides a very large reduction the security problem with general recommendations. if a substation’s total assets are worth $2. after establishing policy.000 The next step. identifying SLE = AV ($) • EF (%) (1) SCADA links. It uses the network diagram and conducting a visual walk of the network quantitative annual loss expectancy (ALE) to determine how communications links. transferred. advice.000 [8]. inspect all communications paths via a network diagram and either physical or electronic. for a modern substation. Because this knowledge may be quantitatively assess and assign these scenarios a value of low. 2 Also available is the National Institute of Standards and For example. updated guidance to assess and implement security in Unfortunately. or high. a modest investment Electronic Security [7]. standards. various departments. The ALE is the product telephone line. found throughout a company. However.000 substation. avoided. It is important to identify all interconnections and bridges between systems. This series focuses on the policy. One is the Official (ISC)2® Guide viewing the substation and communications makes to the CISSP® CBK® (Certified Information Systems Security overlooking a vulnerability less likely. Even an accidental cut would have taken down a expectancy (SLE) or the total asset value (AV) times the large part of the SCADA system with the potential to cause a percentage exposure factor (EF). Both methods yield IV. stated as: great deal of damage. This is a valuable resource for those seeking practical templates.000 Remediation Cost for clear and compelling security policies.5 M Technology (NIST) Special Publications (800 Series) reports and the threat analysis determines that one out of every five [3]. then walking tour of the network.500.000 III. the ARO is 1/5 or 20%. We recommend applying both methods. of the SLE and the annualized rate of occurrence (ARO) given as a percentage. legal. Also consider Information Security Policies Made Easy 2. in the potential remediation costs. purchasing an recently. engineering access. In this example. The goal for each team member is to changes in the outcome of an assessment. IDENTIFY AND MAP ALL COMMUNICATIONS PATHWAYS important data that make up a risk assessment and. A company NIST and SANS provide insight into the purpose and could choose to accept the risk and be “self-insured. the NIST SP 800-82 [5] and SP 800-53 [6] provide insurance policy and transferring the risk of an attack. Take The exposure factor is the percentage of asset loss if a time to identify and visually inspect wireless. for example. human identify technological shifts that could lead to significant resources. a team can The first step to mitigate risks is to identify and visually qualitatively list all the possible scenarios of attack vectors. After analyzing their Professional Common Body of Knowledge) [9]. but never completely eliminated.500. a team should be made up from medium. when used TO AND FROM A SUBSTATION congruently. is to conduct a risk assessment and analysis of the 500. provide an optimum of security measures. and facilities. The qualitative process needs review on a yearly basis to manufacturing. risk is accepted. or dedicated fiber connections. even maintenance. look at the substations and systems and contribute his or her A number of reference materials provide detailed examples view of potential vulnerabilities. procedures. and Total Cost procedures. Fig. A second pair of eyes of each type of assessment. and academic $1 M • 20% yielding an ALE of $50 K. a organizations. and years an attack would occur against this asset and result in guidelines for computer security. relating to likelihood and impact of attack. There are other alternatives to risk mitigation. reduced. one company discovered a fiber-optic much a utility should spend on countermeasures that mitigate line that was exposed and open to access for a very long risk for a critical asset.000. as seen in Fig. . useful for a modern utility’s security policy. 1. or industrial control systems (ICS). Most choose to transfer the risk. For example.” It might design of a security policy for a modern substation. Internet. CONDUCT RISK ANALYSIS 1. 1. with an SLE of activities with industry. For example. Part of any thorough security 0 20 40 60 80 100 assessment includes determining risks associated with these % Probability to Stop Attack critical assets. Part of the NERC CIP requirements is to determine and identify the critical cyber assets that may be part of the 0 bulk power infrastructure. Also the NERC Another good reference is the IEEE Standard 1402-2000: CIP standards and associated penalties do not allow for risk IEEE Guide for Electric Power Substation Physical and transference. the SP 800-12 Chapter 5 [4] utility can justify spending $50 K or more in countermeasures provides specific policy requirements for computer security to protect that asset from the threat. and instructions that help generate very 2. Cost in $ Cost Security 1.

11 hopping pattern [10] Dial-Up Line and use the same pseudo noise code. The optics is just as vulnerable to hackers as a wired or wireless drive to include web portals for telemetry. A similar scenario introduced the “Slammer” virus network. Electronic Security Perimeter Reference [10] describes the practice of spreading codes Electronic Attack Substation publicly so that companies can build compatible equipment Entry Points Private Fiber and users’ computer systems can more easily associate with Network Real-Time Protection Protective Relay access points. scanning signal intelligence. An attacker network (LAN) activities.” . an Protocol) processes are on an embedded system does not infer illegal eavesdropping device was discovered hooked into that they conform to the security standards your policy Verizon’s optical network. Just because HTTP (Hypertext Transfer breached at Frankfurt Airport in Germany. but if a person can acquire Lack of network segmentation and filtering is one of the physical access to the fiber. this type of access control provides little likelihood approach to infiltrate a network. detecting a password- perimeter server (firewall. Spread- This leads to viruses. many spread-spectrum radios are Processor or RTU designed in similar fashion to the 802. can lead can ascertain the spreading sequence and modulation to direct compromise of a computer on the “private” network. There modems provide little or no access control mechanisms. for B. technique with sophisticated spectrum analyzers. etc. internal modem. more importantly. low-risk attack vector. like email or web surfing. not security. and was no connection to the Internet and the intranet of the those that do often implement simple passwords that do not company was isolated. This Internet. just like the patch on an “isolated” frame relay network. it is “There have been few public reports of fiber hacks: In important for them to comply to security policy. Fiber largest and most obvious problems in utility networks. Access Leased Line (Telco) Ethernet C. backdoors. Most dial-up T-1 line and saturated the plant’s networks with traffic. The network Internet. including up. there are no intrusion detection mechanisms. Often they bombs that can spread to SCADA computers. 2. “Security through obscurity” is not a valid method to became connected to the Internet because the third-party protect the resources that connect to the Public Switched vendor’s computer had a broadband Internet wireless card Telephone Network (PSTN). This is not true. Internet connection to be a target. it was believed someone was requires. Because of this. and then being network-aware. Even when requirements regarding routable protocol. an attacker cannot reconstruct (despread) the signal without knowledge of the exact Spread-Spectrum spreading sequence used to spread out the signal during Radio SCADA Communications modulation. Internet Vulnerabilities network connection that is remotely accessible by a malicious There is a misconception that a substation must have an individual is a potential security risk. Because the PSTN is an open installed. measurement. an inadvertent interconnection was made from a The dial-up infrastructure of the public telephone system third-party vendor who connected their computer to install a allows any-point to any-point connections. susceptible to this type of threat. and use the compromised perimeter computer to launch a Some companies look at spread-spectrum radio technology fresh attack on vulnerable devices on a “private” network (not to provide security. The company met the NERC CIP conform to the NERC CIP password requirements. and logic spectrum sequences are not designed for security. metering information can also create conduits between Reference [11] reports the following: systems. The Internet is optical taps found on police networks in the Netherlands and Germany. three main trunk lines of Deutsche Telekom were to-date patching. 2000. are short and relatively easy to reverse engineer when using this type of threat may lead to rogue access points that allow real-time computational power in conjunction with high-speed intruders access. Unfortunately hackers tend to use an “island hopping” therefore. but its design is primarily for noise publicly addressable). However. In some cases. Typical Modern Substation Network many presume to be secure. In 2003. Dial-Up Vulnerabilities example. 3 A. an attacker does not need to take over any switchgear into a industrial plant. often the Dial-Up (Telco) Dial-Up Engineering Modem radios can receive and demodulate each other’s signal. web server. or access logs. and on the networks of pharmaceutical clearly the most dangerous of public networks. but it was still passwords provide electronic access control mechanisms. The typical corporate local area immunity and bandwidth sharing. it propagated via a network is a low-effort. but any giants in the United Kingdom and France.) guessing attack. In theory. and network. They begin with a vulnerable of deterring or. The virus originally came from the or computers at the phone company to perform an attack. it is easy to compromise. International incidents include electronic intrusion and other malicious intent. Fiber-Optic Vulnerabilities Engineering Access Fiber optics is a common communications medium that Fig. trying to access the quarterly statement of a mutual fund It is very important to note that any network connection company prior to its release—information that could have over public communications infrastructure is vulnerable to been worth millions. As more and more systems use web front ends. trojan horses.

A well-formed. it would take more words. date. intruders can not only shut down a system.3. lowercase letters. they can also use the system to distribute false data Vendor 6 2. protective relays. attempt. password is virtually impossible to guess and may take thousands of hours to crack. and modern substation should support multilevel password- nonalphanumeric characters). and six-character password in a continuous stream using a fast dictionaries that contain thousands of common passwords. support a password length of at least six characters.” detect.600 bps serial line and worldwide across the Internet. 10 11 B 201 Days mechanisms are used.2 Each password shall consist of a combination of alpha. have at password attempts.3 Each password shall be changed at least of a tap. Regardless of what other authentication Vendor 2 10. Some TABLE II newer devices and communications processors support SUMMARY OF MULTILEVEL PASSWORD-AUTHENTICATION MECHANISM IN password lengths of up to 12 characters. These products Processors and Relays allow the user to program passwords made up of any of 90 Communications processors and all protective relays in the characters (uppercase letters. Table I shows a MODERN SUBSTATION DEVICES comparison of the password strengths supported by power Authentication protection devices made by different vendors. distinct strong passwords include: an attacker to compromise the password-based authentication Ot35f7~~ A24. As a result. Brutus. or word. as technically feasible: View and Change Level 1 and Level 2 2 Settings Passwords R5. to annually. or more frequently based on risk. and popular culture terms and names.3 At a minimum. 57. and it takes time to process each password least one special character or digit. whereas an ill-chosen password is It is important to note that some devices shown in Table I crackable in just a few seconds.3. or cracked. acronym. Modern substation protective relays and communications A. automated password password values. 4 475 K 5 Minutes of a substation or SCADA system.1 Each password shall be a minimum of six characters. strong (assuming a 10-bit serial format). 6 1M 17 Minutes equipment against unauthorized settings but also safeguards the integrated system and helps ensure the reliable operation Vendor 4 26. maximum- length passwords in a continuous stream over a 57.600 bps serial line. common spouse and pet names.68!s #Ih2dcs4 @4u-Iw2g mechanisms in a modern substation device. It is extremely important to do not conform to the minimum password security length maintain the security of a system by using strong passwords in required by the NERC CIP requirements. .3. the Responsible Entity shall require 1 View Settings Level 1 Password and use passwords. Access Level User Privileges Requirements The NERC CIP requirements of CIP-007 [13] state the View Device following: 0 Identification Strings N/A “R5. Such taps have sold for under $1. Length Combinations Required for Brute Force* security experts agree that strong password protection is still the best defense against electronic intrusion and other forms of Vendor 1 90. This is because the relay must transmit words. you can make it virtually impossible for valid. In addition. and ‘special’ characters. 6 537 B 18 Years unauthorized access. This makes such taps difficult. 3 14 4 Milliseconds and sabotage other interconnected systems within a company * This is the amount of time required to transmit all possible. Use Multilevel Password Support in Communications processors should support strong passwords. and remote access points to your The six-character password with the support of 90 SCADA systems. if not impossible. all these devices authentication schemes (see Table II).000 on Internet TABLE I auctions. numbers. 4 41 K 27 Seconds easily guessed. controllers. subject to the following. use mixed-case sensitivity. and LC4. Vendor 5 14. USE AND MANAGE STRONG PASSWORDS Time Passwords still form an important layer of security. numeric. the password prompt and other feedback strings between Strong passwords consist of at least six characters. 4 The noise margin for fiber is larger than the insertion loss R5. characters (Vendor 1) provides over 537 billion unique Hackers have access to prebuilt. All #Char. If an attacker were to send every possible attack programs like John The Ripper. Examples of with link encryption. than 18 years to attempt to log into a substation relay using all passwords are immensely strengthened if they are not existing possible passwords. foreign transmit all of the passwords! In reality. PASSWORD STRENGTH COMPARISON IN PROTECTIVE RELAYS FROM DIFFERENT VENDORS [12] V. If you choose a strong password value and protect it and do not form a name. a good password not only protects your Vendor 3 10. it would take almost 18 years to including street slang. If a password is disabled. BREAKER Level 1 and Breaker Operate Breakers (Protective Relays Only) Level Password R5.

event reports. where the VPN separates and Guessing Attacks protects the traffic from the underlying infrastructure it is The modern substation’s protective systems should also traversing. Fig. If we mitigate the risk of Ethernet sniffing. such as radios. namely preventing an attacker from inheriting the login privileges of a previous user. and/or authentication algorithms. 4. download interfere with data flow on control and/or monitoring systems. This functionality increases the effective strength of the password-based authentication scheme on a substation communications processor and protective relay. The timeout setting disconnects after a set amount of inactivity. and integrity of the granting them the ability to perform potentially damaging transmitted data. or routable scheme outlined previously allows you to grant a group of protocol infrastructures. 4 illustrate the process of The multilevel password scheme makes it much more capturing a plaintext Telnet login dialog. acquire and uncomplicated to decode and interpret. Password Prompt From the IED reduces the effectiveness of a password-guessing attack by forcing the attacker to redial the local modem or reestablish the Telnet connection every three failed password attempts. difficult for an attacker to gain an access level with a high Using network switches instead of hubs can help to enough privilege to cause significant system damage. it should also disconnect any current engineering access sessions by forcing the modem to hang up or by terminating the Telnet connection. The hacker simply has to be within operate control points. Encrypt and Authenticate Communications Unfortunately. read-only work with wireless links. temporarily lock out the communications port in the event of three failed password-entry attempts. This is important to limit the dissemination of critical passwords as especially important if the data find their way onto publicly much as possible. a LAN through tunneling the traffic through a Virtual Private Network (VPN) based on Internet Protocol Security (IPsec) or B. Fig. authentication. Modern substation security should include the use of such as a dictionary or brute force attack. whenever the substation device locks out the remote communications port. such as those attacker has to successfully guess the Level 1 password before found on Modbus or DNP SCADA networks. telephone. or check metering data without simultaneously but ensure confidentiality. The modern substation device should provide a port timeout setting that also logs off the user. Encryption not only adds greater security control over the privileges granted to a given user. multilevel password scheme doubles the difficulty of carrying especially over untrusted communications links. 3 and Fig. The modern substation may achieve this over actions. The multilevel password authentication accessible networks. then the demonstrates the necessity of using encryption to secure links. with encryption beginning an attack on the Level 2 password. range of the signal. and information is readily available access to devices or to a group of users without giving from the airwaves without having to tap a physical them the ability to change critical device settings or communications line. but any shared media is assume that the goal of a malicious cyberattack is to change subject to the risk of data interception. These programs capture and dissect password authentication for the following reasons: frames and now even feature decoding of popular automation An attacker must compromise two independent protocols such as Modbus® and Distributed Network Protocol passwords to reach Level 2 or BREAKER Level (DNP). This forces all stale authenticated login sessions to terminate and not be available as an attack vector. This is because an devices that secure byte-oriented data packets. Password Returning to the IED C. out a successful attack using password-guessing techniques. capturing and dissecting Transmission Control Protocol/Internet Protocol (TCP/IP) frames over . 5 This multilevel password authentication scheme provides a Ethernet is a relatively simple process using freely available much stronger access-control mechanism than single-level tools from the Internet. This illustration further device settings or to operate critical control points. The tools The system administrator can grant limited. Time-Outs and Channel Disconnects Slow Password. It is but also provides privacy or confidentiality of the data. This action further Fig. Authentication of the data The modern substation with multilevel password packets ensures the data are from a trusted source and not mechanisms also provides a system administrator with more modified en route. 3. These security devices do not users the ability to view device settings and status. In addition. Secure Sockets Layer (SSL). The lockout period of one minute on substation equipment effectively limits the rate of a password-guessing attack to less than three password attempts per minute. Captures of serial information are just as easy to access.

ELECTRONIC ACCESS POINTS With a slightly more involved configuration.1. then they may confidentiality. utility security Analog Line management should consider using access models such as discretionary access control (DAC) or mandatory access control (MAC). It is then important to view the log files on a or they can simply provide transport services for TCP/IP regular basis to identify suspicious activity and receive timely .1. business phone and the information for there are similar offerings for Linux-based computer systems. The most common architecture is point-to-point. The devices seen in Fig. the owner determines who can obtain and access Modem data. information. or 2003 R5. also possible to aggregate many VPN tunnels at a single point use a serial encryption and authentication device in line with of concentration. servers) with relatively few configuration selections. ET Both DAC and MAC may seem cumbersome and too Computer controlling. Access Control — The Responsible Entity shall More computing platforms are finding their way into the document and implement a program for managing access modern substation. these defenses.” secure routable protocols that make their way into a substation network connection as required by the NERC CIP IX. or Computer modify the information. The military uses MAC as a means to secure highly sensitive data. Fig. It is To secure existing dial-up or remote engineering access. In a MAC system. Engineering PBX Access In MAC. 5. software and documentation about securing this type of R5. Windows XP. such as classified information. Encryption that allow you to monitor and create log entries of electronic devices may operate as termination endpoints for VPN tunnels connections. Consider keeping system Dedicated Communications Modem Modem ET Processor documentation safe and secure. which they are responsible for authorizing Once again the goal of encryption and authentication is to access. More information about these models is in Encrypting Transceiver (ET) ET [9]. If you give attackers unlimited time to devices for TCP/IP communications protocols provide probe your critical systems for vulnerabilities. but they do A variety of special-purpose encryption and authentication not make it impossible. SECURE TCP/IP LINKS “R5. attacker to compromise your electronic devices. for authorizing logical or physical access to protected example. In order to access an object. Fortunately there is a great deal of to protected Critical Cyber Asset information. In DAC. integrity. MONITOR THE SECURITY STATUS OF requirements. Also title. A way to combat this is to put technologies in place devices vary in cost and complexity of use. These types of devices provide data confidentiality and VIII. Strong encryption with hosts that are not part of their own domain or electronic access controls make it exceedingly difficult for an if a domain controller is not present [14]. To do so. can encrypt communications to compliant hosts information. Depending upon the feature sets.1. the existing computer/modem/radio/fiber communications links. (other computers and Windows 2000. 6 VI. PRACTICE NEED TO KNOW AND integrity. The owner of the data determines and provides the access rights and permissions for who can read. and authentication services for utility eventually succeed in exploiting a weak point in your communications. as well as prevent unauthorized access with session COMPARTMENTALIZE INFORMATION authentication. the PSTN subject must have a sensitivity level equal to or higher than Modem the label of the object. It is important to limit access to system details only to those who need it. SECURE DIAL-UP REMOTE ACCESS POINTS packets. subjects and objects have sensitivity labels that specify a level of trust. It is extremely important to detect potential electronic based system can communicate securely using IPsec attacks and react to them as quickly as possible. 5 are process of “need to know” and compartmentalization of protecting a remote access link. write. Using these types of devices protects the data Modern substation procedures should include a formal that travel across a PSTN. the policy and system defines who can access or modify information. A modern substation computer designated personnel who are responsible for combined with Windows® 2000 Active Directory Domain. Personnel shall be identified by name. they are well-proven security Engineering management tools that align well with the NERC CIP Access requirements for security management controls. Adding Serial Encrypting Transceivers Provides Data Security CIP-003 Cyber Security — Security Management Controls [13] states: VII. The Responsible Entity shall maintain a list of communications link. a Windows. however.

Fig. can use the same procedure to manage and monitor remote In these cases. Logic Access Active Fiber ED LTC Controller CCP ED Weather Station CCP equations can be used to generate an SOE report for a wide Connection Failed variety of conditions. Dedicated Alarm Contacts Controlling and monitoring the communications status It is important for modern substation IEDs to have a points via the remote SCADA link allows a substation owner dedicated alarm contact that will pulse in response to an event the ability to control and monitor engineering access occuring. routing the current status of the alarm bit breaker control in all relays connected to the communications through SCADA back to a central office alarm panel and log processor. enhancing the monitoring of the system by using an automated event messenger that delivers real-time alarm and event notification to the personnel via a telephone call allows the modern substation manager to react quickly to the situation. [16] modern substation. as pictured in Fig. coupled with the robust logic programming capabilities in modern substation devices. the digital inputs. there are event records that indicate user email recipient or mail group. C. operators can program devices to automatically Fiber Fiber SCADA Modem CE ED Relay CCP send a time-stamped Sequence of Events (SOE) record in PU ED Relay CCP EE Relay CCR response to a change in status. This prevents unauthorized connections and Whenever a user saves a new settings configuration to validates that a user is appropriately connected to an IED. The event messenger turns the contents of the text into a computer-generated voice message that will inform the recipient of the nature of the detected event. Many substation products provides the ability to monitor almost any event of interest. for example: permissions from a central control center. The substation event messenger receives a text message and automatically dials a preconfigured telephone number to notify the recipient of the event or SOE report. The event messenger is connected to land line or cellular telephone connections or SMS (short message service) interfaces for text messaging. D. HMI Screen Showing Status of Substation Communications and records from such a device as an example of securing a Control Status [15]. The SOE mechanism. Sequence of Events Records Collected From Various Devices transceiver captures the message and sends it to a predefined In this example. An Ethernet Fig. The event messenger saves the message so that it can be called back for confirmation or repeat of the message. physical perimeter breaches. You the device. Ethernet Network IRIG Synchronization ED Relay CCP including the alarm bit. and instructions. and the results of SCADA Active ED Relay CCP Engineering Access ED Relay CCR user-programmed logic equations. 6. Sequence of Events Records GPS Clock Communications Processor CCP ED ED ED ED ED ED ED ED EE ED ED In addition. 6 shows a collection of SOE Fig. An HMI Whenever there are three failed login attempts in a Communications Overview screen. access. enabling and disabling of remote breaker control. They can also use SOEs to ED Relay CCR monitor changes in the internal logic bits in the device. geographical information. remote administrators the ability to grant engineering access to Whenever a user attains a level that settings may each serial or Ethernet connection independently for security change. file allows a modern substation owner to detect potential PU password-guessing attacks or to detect unauthorized access or Firewall / Router Station Control Permissive CD settings changes in the device. 7 notification of a possible attack. This method supports any text string so that it can be customized with personnel names. 7. 7. gives short time period. Automated Event Messenger and Email Transceiver Finally. Monitoring Via Remote SCADA Links A. equipment names. electronic attacks. and many more valuable status indicators. sent via email directly to one or more recipients. The event-reporting Active Fiber ED Relay CCR SCADA & Engineering mechanism in modern devices is extremely flexible. or alternately. and safety. . It contain very effective electronic monitoring and alarming is then possible to consolidate and monitor these event technologies that will allow you to detect and react to notifications from a central location and to react as necessary. Remote Control Enabled B. These same text strings are also.

Available: http://csrc. SANS Institute [Online]. He is now the security product Use and manage strong passwords. Available: ftp://www. Tibbals. October effects by applying the suggestions outlined in this paper.pdf Laboratories. techtarget. Official (ISC)2 Guide to the CISSP CBK. Houston. VI.nist. Dec 2006 [Online].nist. In this Systems From Unauthorized Access. National Institute of Standards of Idaho in 2006. 2007 [Online].gov/publications/drafts/800-82/ 2nd-Draft-SP800-82-clean. Version 2. . and his MS in Computer Engineering from the University [3] NIST Special Publications (800 series).sans. National authored several technical papers and instructional courses. Automation Integration and Engineering Division. p. SANS Security Essentials. Inc. June 2006. Garrett received his BA in Business from Western Washington http://www. in Pullman. Available: ftp://www. 2000. May 17. 1.nerc. he worked twenty years for Practice “need to know” security and compartmen. These steps will greatly improve the overall security of your [15] D. and No. related to critical infrastructure protection. K. Though you can never completely [Online]. 2007. 3 communications links. you can greatly reduce the CIP-007-1. 2000. “Communications Technologies and Practices to Satisfy NERC Critical Infrastructure Protection (CIP).com/originalContent/0. [9] H. National Institute of Standards and Technology Special Publication 800-53 Rev. Henry. He has received his Global Information Assurance Certification Security Essentials Certification (GSEC) for IT managers and security professionals. [8] C. Inc. Tipton and K. 2006. Miller (2006. Information Security Policies Made Easy. Sep. “Using Passwords to Secure Relays. Clemson. CONCLUSIONS [11] S. here are the general steps to secure a SC.com/pub/sys/all_updl/standards/rs/ remove the possibility of attack. 15). and Technology [Online].gov/publications/ nistpubs/800-12/handbook. National Institute of Standards and Technology Special Publication 800-82 DRAFT. To summarize. WA. SANS Institute.html real-time protection. techniques. IEEE Standard 802. Texas: Information Shield. Inc. Boca Raton. Spokane.4 20071214 • TP6310-01 GHz Band. AG2001-05. Communications. Hewlett-Packard as an aerospace and defense business development manager and systems engineer working on projects ranging from electronic warfare talize information. Available: for Cray. Information Security Magazine. pp. Available: http://csrc. we have provided cost models.nist. IEEE Standard 1402-2000. Prior to joining SEL. June 2006 [Online]. methodologies that you can apply to secure critical [13] Standard CIP–007–1—Cyber Security—Systems Security Management.pdf [7] IEEE Guide for Electric Power Substation Physical and Electronic Security. paper.html Institute. Oman. April 2003. Secure all access points to protect from attacks. Washington.pdf [6] Recommended Security Controls for Federal Information Systems.sid14_gci1230106. “Methods for Securing Substation LAN Generate unique policy. XII.org/resources/policies/ University in 2003. 33-44 [Online]. Dwight Anderson received his Bachelor’s degree in Electrical Engineering from Steven’s Institute of Technology. F. Proceedings of the 5th Annual Power Systems Conference. North American Electric Reliability Corporation. Florida: Auerbach Publications. C. He has published a number of XI. During his time at SEL. manager for Schweitzer Engineering Laboratories. Controllers. Fiber Optic Networks Vulnerable to Attack. and the Software Engineering PubsSPs. North American Electric Reliability Corporation. (PHY) Specifications: Higher-Speed Physical Layer Extension in the 2.pdf probability of a successful attack and the severity of resulting [14] E.gov/ publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz. Prior to joining SEL in 2005. March 2006.gov/publications/ Association for Computing Machinery. [1] Standard CIP–003–Cyber Security—Security Management Controls.289142.11B. Available: http://searchsecurity. countermeasures to SCADA system programming. Nov. Dolezilek. Cole. Institute of Standards and Technology Special Publication 800-12.” SEL Application Guide Vol. 8 X. and SCADA links to a modern substation are susceptible to attack. and has several patents pending. Garrett Leischner is a product engineer with Schweitzer Engineering 1. Available: http://csrc. 2001. All rights reserved. Version 10. [10] Supplement to IEEE Standard for Information Technology- Telecommunications and Information Exchange Between Systems— Local and Metropolitan Area Networks—Specific Requirements—Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer © 2007 by Schweitzer Engineering Laboratories.pdf [5] Guide to Industrial Control Systems (ICS) Security.nist. where he manages the Rugged Computing Platform.00.. BIOGRAPHIES Identify and map all communications pathways to and from the substation. He is an active member of the IEEE Computer Society. He recently became a Monitor security status of critical electronic access member of the FBI InfraGard forum regarding the exchange of information points. Wood. Oct. he worked [2] The SANS Security Policy Project.” communications to and from a modern substation. modern substation: [16] D.6. 1995. The technologies used for implementing critical SCADA. standards and processes.nerc. Conduct a risk analysis based on qualitative and quantitative assessments. and engineering access communications [12] P. Available: http://csrc.com/pub/sys/all_updl/standards/rs/CIP-003. he has co- [4] An Introduction to Computer Security: The NIST Handbook. Inc. 2005. REFERENCES technical articles and most recently published an article in the UTC Journal regarding the effect to SCADA channel bandwidth when adding encryption.” Proceedings of the 5th Annual Western Power Delivery Automation Conference. Dolezilek and T.