
Case Study: Cybersecure Railway Substation Networks

6th Annual Rail Cybersecurity Europe Conference 2021


Andreas Klien, OMICRON, Austria
About OMICRON

- Innovative power system testing and cybersecurity solutions
- Focus on innovation, customer support and knowledge provision
- Social and ecological responsibility is one of our core values
- 800+ employees FTE
- 24 offices worldwide
- Customers in more than 160 countries
- R&D quota > 15 % of OI

Case study: Secure Substation Architecture

- This presentation is based on a case study:
  - New secure substation network architecture by the Swiss system operator CKW
  - Commissioning of first substation started 2019
  - See paper here.
- They implemented many security measures without compromising efficiency.

Source: Centralschweizer Kraftwerke AG (CKW), Switzerland


Basis: NIST Security Framework

- Basis for Swiss OT security guideline
  - Many EU member states also align their EU-NIS Directive implementation on it
- Cyber security seen as process:
  - Identify assets and attack vectors
  - Protect against the vectors with highest risk
  - Detect attacks/threats as they occur
  - Respond to detected threats to minimize damage and to learn
  - Recover affected services


Attack vectors of traction substations

How hard is it to attack a protective relay?

- Well known vulnerability, a single UDP packet required to exploit it (Source: exploit-db.com)
- Freezes whole relay until next reboot
  - Disables communication
  - Disables protective functions
  - "Denial of OT-Service"
- Security patch for this relay has been available since 2015
- Included in Metasploit by default...

Source: Skipshearer, CC BY-SA-3.0


Case study: Secure Substation Architecture at CKW

Measures implemented:

1. Secure remote access
2. Multiple firewall zones on process level
3. Role-Based Access Control for all activity
4. MAC Auth. Bypass, prepared for 802.1X
5. Intrusion Detection System (IDS)

Source: Centralschweizer Kraftwerke AG (CKW), Switzerland


Secure Remote Access (Case Study Ctd.)

- Attack vector with highest risk: Connection to corporate IT
- No permanent connections to external networks, all services replicated locally
- Remote connection must be enabled by control center (4-eye principle)
- Engineering stations are virtual machines in the DMZ


Secure Local Access (Case Study Ctd.)

- Can't plug in engineering laptops to station network
- Local access = remote access: using the engineering VM in DMZ
- Role-Based Access Control, even for manual operation on display
- Local Active Directory and RADIUS server, synchronized with remote servers

Limiting Attack Surface (Case Study Ctd.)

- Separate VLANs for management and process: two physical Ethernet ports on the devices
- Multiple firewall zones on the process level, with extended ACLs for the protocol level
- Only certain protocols are allowed between the zones
- Important attack vectors still remained.
  → Decision for IDS at substation level

Problems of current IDS in substations

- Signature-based deny list
  - PC virus scanner approach
  - Very few exploits/attacks known for our niche
- Baseline method, "learning-based"
  - Many false alarms: switching, maintenance, routine testing, ...
  - Complex alerts, because the IDS doesn't know what is going on in the substation
  - Black box
  - Difficult to analyze, even for experts

StationGuard Approach

- Substations are quite predictable
- Machine-readable documentation available: IEC 61850 SCL files describe whole system behavior
- StationGuard knows the substation
- Substation lifecycle considered:
  - Maintenance activities
  - Switching operations
  - ...
- Verifies all packets against a system model of the substation

(Figure: System model / allow list)

Functional Monitoring

- Detects IED configuration changes: monitoring of configuration revision fields in messages
- Continuous GOOSE transmission time measurements, to detect failures in IED, network, and time sync.
- Logging of critical events:
  - Control commands on switchgear, tap changers, etc.
  - Monitoring and logging of all file transfers

What about other protocols?

- Modern substations: 98% of traffic is IEC 61850 protocols, so the system model approach is possible
- Other protocols: DNP3, IEC 60870-5-104, Modbus, FTP, HTTP ...: deep packet inspection, baseline approach
- In general: all connections must be allowed in the system model
  - Src./dest. MAC + src./dest. IP + VLAN + port number + application
- Proprietary protocols protected by Maintenance Mode

(Figure: System model / allow list)
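The allow-list verification described on the "StationGuard Approach" and "What about other protocols?" slides, together with the configuration-revision monitoring from "Functional Monitoring", as an added example written for this page (it is not StationGuard's or CKW's code). Packets are plain dicts carrying the slide's tuple (src/dst MAC, src/dst IP, VLAN, port, application); all addresses, the "VENDOR-ENG" protocol name and the goCbRef strings are constructed, and in practice the model entries would be derived from the SCL files.

```python
# Constructed system model: every permitted connection. None = field not
# applicable (GOOSE is layer-2 multicast, so it has no IP or port).
SYSTEM_MODEL = [
    {"src_mac": "00:11:22:33:44:01", "dst_mac": "01:0c:cd:01:00:01",
     "src_ip": None, "dst_ip": None, "vlan": 10, "port": None, "app": "GOOSE"},
    {"src_mac": "00:11:22:33:44:10", "dst_mac": "00:11:22:33:44:01",
     "src_ip": "10.0.10.100", "dst_ip": "10.0.10.1", "vlan": 10,
     "port": 102, "app": "MMS"},
]
# Proprietary engineering protocols are tolerated only while a maintenance
# window has been declared (the slides' "Maintenance Mode"). Hypothetical name.
PROPRIETARY = {"VENDOR-ENG"}
KEYS = ("src_mac", "dst_mac", "src_ip", "dst_ip", "vlan", "port", "app")


def check_packet(pkt, model=SYSTEM_MODEL, maintenance=False):
    """Return 'allowed' if pkt matches a model entry on every field, else alert text."""
    for entry in model:
        if all(pkt.get(k) == entry[k] for k in KEYS):
            return "allowed"
    if pkt.get("app") in PROPRIETARY and maintenance:
        return "allowed"  # covered by the declared maintenance window
    # Anything not in the model is an alert: unknown device, wrong VLAN,
    # unexpected protocol between two known devices, and so on.
    return (f"alert: {pkt.get('app')} {pkt.get('src_mac')} -> {pkt.get('dst_mac')} "
            f"vlan {pkt.get('vlan')} not in system model")


class ConfRevMonitor:
    """Functional monitoring: report when a GOOSE control block's confRev
    changes, which indicates the sending IED's configuration was modified."""

    def __init__(self):
        self.seen = {}  # (src_mac, goCbRef) -> last confRev observed

    def observe(self, src_mac, go_cb_ref, conf_rev):
        key = (src_mac, go_cb_ref)
        previous = self.seen.get(key)
        self.seen[key] = conf_rev
        if previous is not None and previous != conf_rev:
            return f"event: {go_cb_ref} confRev changed {previous} -> {conf_rev}"
        return None  # first sighting or unchanged: nothing to report
```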
You need to work together with the OT engineers

- OT engineers need to participate in alert analysis
- User interface should allow OT engineers and security officers to analyze the cause together

Asset Inventory Discovery & Export

- Information combined from
  - Passive asset discovery
  - Engineering files (SCL)
  - Active device interrogation (separate tool)

Conclusion

- Many attack vectors exist for traction substations
- Security solutions must speak the language of OT engineers
- Tailor-made IDS solutions available

Thank you for your attention!

Andreas Klien
andreas.klien@omicronenergy.com
www.stationguard.com
