Cyber Security in all details

Holistic solution for Energy Automation Systems with SIPROTEC and SICAM

Technical Article
A holistic approach to cyber security

Consistent cyber security in energy

automation for critical infrastructures
Cyber attacks on critical infrastructures are real and are regularly reported in the media. The risks
for critical infrastructures are also at the center of the German government's cyber security
legislation, which have been released on June 12, 2015 by the German Federal Parliament [1].
The government's cyber security bill obliges counteracting the real threats of a approach to determining and dealing with
the operators of critical infrastructures to potential attack and satisfying the legal the risks.This includes implementation of
protect their IT infrastructures against cyber requirements stipulated by the cyber a "management system for cyber security"
attacks. The definition of critical infrastructures security law. and appropriate protective measures
will follow in a subsequent ordinance. against threats to telecommunication
A holistic approach systems and electronic data processing
The operators of energy automation systems systems [1].
have to reconcile the goals of reaching their The legislative body is asking operators of
business targets, critical infrastructures to provide a holistic Product and system vendors of energy
automation systems also have to take a
holistic view of cyber security including
processes, communication, employees
and technologies. The first step is to root
cyber security in the organization by
defining the corresponding roles,
guidelines and processes.
This process has to be implemented by
corporate management. Next comes the
secure product development that satisfies
the most stringent demands on cyber
security and incorporates a secure
product architecture.
Product development includes the secure
implementation of software and
performing systematic cyber security
tests. Cyber security of the product
suppliers' infrastructure also plays a major
role. Internal design documentation and
the source code have to be protected
against unauthorized access and
tampering and the integrity needs to be
assured by means of revision control.
Processes ensuring the integrity of
Figure 1. challenge triangle of the operator non-proprietary software components
such as Open Source have to be in place.
The system integrator is responsible for
integrating products in a secure way.
This task, too, requires dedicated process
descriptions, guidelines and technical
Organizational Secure Secure Vulnerability descriptions to ensure secure integration.
Preparedness Development Integration and and Incident The system configuration is subsequently
Service Handling carried out according to the technical
descriptions. Security measures are
validated during the FAT (Factory
Secure System System Access Control Security Acceptance Test) and SAT (Site
Architecture Hardening and Account Logging/ Acceptance Test) based on defined test
cases.
Management Monitoring The system supplier's IT infrastructure has
to protect the project documentation and
Security Malware Backup and Secure Remote configuration data against unauthorized
Patching Protection Restore Access access. Secure processes need to be in
place to hand over the project
Data Privacy documentation, initial user names and
Protection and passwords to the operator.
Integrity
Figure 2. categorization of the cyber security aspects

Cyber Security with SIPROTEC and SICAM / Energy Automation – 08-2015

User manuals have to make sure that
systems can be operated securely. But
the responsibility of product and system
supplier extends beyond handing over
of the system to the operator. For the
operator, in order to keep the system
secure, the supplier has to provide a
vulnerability management solution for
its products and deliver security patches.
Ideally, the supplier has its own CERT
(Computer Emergency Response Team)
to discuss cyber security issues, publish
current warnings and inform about
vulnerabilities and upgrades of products
and solutions.
The task of cyber security not only falls
to a few specialists within product and
system suppliers. Rather, the integrated
approach calls for an awareness of cyber
security concerns by all employees in a
company. Among others, this also
requires role-specific training in
companies. The following technical
aspects are of key importance:
 Secure System Architecture
 System Hardening
 Access Control and Account
Management
 Security Logging/Monitoring
 Security Patching
 Malware Protection
 Backup and Restore
 Secure Remote Access.
Products
Secure energy automation products are
the foundation of a secure energy
automation system. Cyber security
requirements for the products depend
on various factors including the
intended function (protection, control,
operation and monitoring) and the
spatial layout of the products.
Security functions in modern energy
automation products follow the general
goals of cyber security: availability,
integrity and confidentiality.
State-of-the-art protection devices are
capable of satisfying these needs.
Secure communication between the
operating software and the device
comes first. The encrypted connection is
only established after mutual
authentication. A connection password
is used and managed in this process that
complies with the BDEW Whitepaper and
NERC CIP recommendations (North
American Electric Reliability Corporation
- Critical Infrastructure Protection) [2].
All security-relevant events are logged in
a non-erasable security log.
The protection device is equipped with a
crypto chip that assures the
cryptographic functions including an
integrity check of the device firmware.

https
IPSec-enabled router
IEC 60870-5-104
IEC 61850 Encryption
with IPSec
GPRS modem
serial WIFI https
 
Figure 3. example for a secure tele communication
During production, the firmware is fitted with The investment security of products is
a digital signature which the device uses to another key aspect.Product suppliers need to
authenticate. The device enables a physical assure that state-of-the-art security features
separation of process and management can be retrofitted for a long period of time by
communication. Moreover, devices means of software updates.
communicating outside of a physically
protected zone have to satisfy higher Migration strategy
communication security requirements than
devices communicating within a physically A great part of the existing energy
protected area. automation systems and facilities are
End-to-site or end-to-end encryption is potentially insecure and have to be
mandatory in these cases with the device overhauled to meet cyber security standards.
presenting the terminal point of the Since a complete and immediate overhaul is
encryption chain. The product supplier has to not advantageous economically, a migration
make sure that regular installations of OS strategy has to be adopted in order to make
security patches and virus patterns do not systems secure.
affect the availability of energy automation
functions.
Secure development
Encryption of the communication line
Patch management
between DIGSI 5 and the SIPROTEC 5 device
Antivirus compatibility
Connection password according to
NERC-CIP and BDEW White Paper
Recording of access attempts in a non-volatile
security log and IEC 61850 messaging
Confirmation codes for
safety-critical operations
Independent testing
Secure development
Digitally signed firmware
Internal firewall
Separation of process and
management communication
Crypto-chip for secure information storage
Figure 4. security features of a state of the art protection device
Cyber Security with SIPROTEC and SICAM / Energy Automation – 08-2015
 Legend
Account Mgmt.
RBAC (Roll based
Access Control)
Control Center
Level Malware Protection

VPN

Remote Access Zone

Firewall

Trusted Zone

Station Level
DMZ

Service PC Untrusted Network

Switch

Substation Control
Router with Firewall
Zone I

IEDs
(Protection Devices,
Substation Control Field Devices)
Zone II
Station Controller

Field Level
PC

Control Center

Hardening Measures

Figure 5. topology of a secure substation

The migration strategy must
account for the special boundary
conditions that apply to the
operation of energy automation
systems. Availability is the top goal
for protecting energy automation
systems. The system's uninterrupted
operation is expected 24/7. The
components used combine
Windows or Linux based systems
and proprietary systems. There are
links to insecure networks and to the
operator's office IT. Some older
components are still in use that
cannot be replaced yet due to
economical and functional aspects.
Additionally, proprietary
technologies are part of the mix.
Hence, an energy automation
system is frequently made up of
various components from different
vendors, different technologies and
different technological generations.
Many of the established office IT
measures prioritize protection goals
differently or inadequately account
for the special boundary conditions.
This calls for the implementation of
strategies tailored to the needs of
energy automation.
The first step of migration is to take
stock of all assets of the system. The
architecture of the communication
network and the physical expansion
of the system are documented. The
status quo then becomes the basis
of a risk assessment carried out in
collaboration with the plant
operator.
The analysis accounts for the impact
of damages of critical operating
information and of the protection
requirements of the corresponding
IT assets. Also, the analysis has to
allow for the functional
requirements of the operator and
the local regulatory stipulations.
A secure system architecture is the
basis of all subsequent cyber
security measures. The secure
architecture splits the system into
secure zones with identical
protection requirements. A
particularly secure zone can be used
to continue operating technically
outdated products for a certain
period of time without reducing the
level of protection of the other
zones. A demilitarized zone (DMZ) is
set up that accommodates all
engineering tools required for the
components inside the secure zone.
These zones are protected by
firewalls. The cyber security
measures are implemented on top
of this. The boundary conditions
described above have to be
observed in the process. For
instance, this means that
components from third-party
vendors have to be hardened. All
cyber security measures basically
follow the design principles of
defense-in-depth and need-to-know.
[2].
Outlook
The threat posed by cyber attacks and regulatory
requirements will have operators of critical infrastructures
deal intensively with the necessary security precautions
and processes and install them. Secure products and
solutions will be used on a wide scale. Operators will
establish these measures as crucial constituents of their
quality process to be free to deal with their actual core
business.
References
[1] Entwurf eines Gesetzes zur Erhöhung der Sicherheit
informationstechnischer Systeme (IT-Sicherheitsgesetz).
http://dip21.bundestag.de/dip21/btd/18/040/1804096.pdf
[2] Bundesverband der Energie- und Wasserwirtschaft e. V. (BDEW):
Whitepaper-Anforderungen an sichere Steuerungs und
Telekommunikationssysteme. Überarbeitete Version 1.1, März
2015, www.bdew.de
Authors
Dipl. Inf.
Chaitanya Bisale,
Product Lifecycle Manager,
Cyber Securtiy & Substation Automation,
Energy Management Division,
Energy Automation,
Siemens AG, Nuremberg
Dipl. Ing. Andreas Kohl,
Lifecycle Manager Cyber Securtiy,
Energy Management Division,
Energy Autoamtion,
Siemens AG, Nuremberg

Cyber Security with SIPROTEC and SICAM / Energy Automation – 08-2015