Cybersecurity Challenges of Implementing IEC-61850 for Automation Between the Smart Distribution Control Center and the Substation

Authors/Presenters:
J. Matt Cole, PE (Presenter) – Sargent & Lundy, LLC
Raymond Arnold (Presenter) – Sargent & Lundy, LLC
Matt LaCourt – Sargent & Lundy, LLC

Date: October 24, 2017


Main Benefits of Using IEC-61850

IEC-61850 Benefits

Widely used protocol in Europe & US for P&C and Substation Automation

Eliminates hard wiring (uses less copper)

Provides cost savings for substation designs, installations, commissioning and operations

Easier to implement (ease of use compared to other protocols)

Smooth data exchanges with multi-vendor devices

Eliminates the need for special vendor proprietary protocol converters

Provides reliable, high priority network messaging (GOOSE, GSE)

Capable of providing real-time data and control between control centers and substations

Uses an object oriented data hierarchy


Paper Focus

• Everything is getting hacked
  – WannaCry Ransomware
    • PCs infected in over 150 countries
    • Files encrypted and ransomed for bitcoins
    • Worst attack in 2017
• Ukraine Cyber Attacks (2015 & 2016)
  – Adversaries gained full control of SCADA & control room functions
    • Interrupted power to several customers on both attacks
    • Implemented a telephone DoS, UPS shutdown & Killdisk

This paper focuses on the cybersecurity vulnerabilities that distribution utilities face when using IEC-61850 protocol communications outside the substation for SA or SCADA. Improvements are recommended to minimize these security risks.


Cybersecurity Concerns Using IEC-61850

• Widely used by both transmission & distribution (T&D) utilities (if not most widely used)
  – NERC & other entities not governing cybersecurity protection for distribution utilities (vulnerable)
• Heavily used in Substation Automation (SA) and Distribution Automation (DA) applications
  – Exchange of data between multi-vendor devices (IEDs, SCADA, HMI, Metering, etc.)
  – Requiring more real-time data functionality (Control Data functions are unprotected)
• Utilities using 61850 for communications outside the substations
  – 61850 communicating from substation to substation or substation to control center (IEDs, SCADA, etc.)
  – Man-in-the-middle (MITM) attacks


Cybersecurity Concerns Using IEC-61850

• Utilities using 61850 for communications outside the substations
  – Using a utility's communications path (authentication and/or encryption recommended)
    • Fiber, copper, radio or wireless (WIFI)
    • Man-in-the-middle (MITM) attacks
  – Using a 3rd party communications path / leased line (unprotected)
    • Authentication and/or encryption recommended
    • Fiber, copper, radio or wireless (WIFI)
    • Man-in-the-middle (MITM) attacks


SMART Distribution Control Center (SDCC)

[Figure: SMART Distribution Control Center (SDCC) diagram, labeled "IEC-61850 Protocol". Source: NIST’s Guideline for Smart Grid Cybersecurity]


State Laws Passed Enforcing Cybersecurity

• 48 States have embraced and enforced cybersecurity laws
  – Imposing security breach notification obligations on all entities that own and process personal data
    • Including Distribution Utilities
• Alabama & South Dakota have not passed such laws yet


NERC CIP versus NIST (IEC-61850)

• NERC CIP only governs transmission voltage levels
  – Distribution Utilities are excluded by NERC CIP
• NERC CIP views IEC-61850 today as not in scope
  – IEC 61850 is an Ethernet-based standard for the design of electrical substation automation
    • Abstract data models can be mapped to a number of protocols, including: MMS, GOOSE, Web Services
  – IEC 61850 is not a data link or network layer protocol
    • Declaring IEC 61850 to be a routable or non-routable protocol is not appropriate
    • Time critical messages (GOOSE) run over flat Layer 2 (i.e. not routable)
    • Non-time critical (MMS, web services) run over Layer 3 (i.e. routable)


NERC CIP versus NIST (IEC-61850) – cont.

NERC CIP views continued
• Registered entity should evaluate the communication environment supporting the IEC 61850 data protocol to determine if routable communication exists
• If the IEC 61850 data is being communicated over a TCP/IP network, then that network connectivity is considered routable and should be protected per the CIP Standards accordingly

NISTIR 7628
• NIST Guideline for Smart Grid Cyber Security has defined IEC 61850 as an insecure protocol
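One way to carry out the routable/non-routable evaluation described on the two NERC CIP slides above, as an added Python example that is not part of the original presentation: it classifies raw Ethernet frames as Layer 2 IEC 61850 services or as MMS over TCP/IP. The EtherTypes (0x88B8, 0x88B9, 0x88BA) and TCP port 102 are the standard assignments and do not appear on the slides; MMS is recognised by port number only, and the sample frames are constructed, not captured.

```python
import struct

# EtherTypes of the IEC 61850 Layer 2 services, the 802.1Q tag, and the MMS TCP port.
L2_SERVICES = {0x88B8: "GOOSE", 0x88B9: "GSE management", 0x88BA: "Sampled Values"}
VLAN_TAG, IPV4, TCP, MMS_PORT = 0x8100, 0x0800, 6, 102

def classify_frame(frame: bytes) -> tuple:
    """Return (service, routable) for one raw Ethernet frame; routable is None if unknown."""
    if len(frame) < 14:
        return ("truncated", None)
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    while ethertype == VLAN_TAG:  # GOOSE is normally sent 802.1Q priority-tagged
        if len(frame) < offset + 4:
            return ("truncated", None)
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype in L2_SERVICES:  # no IP header at all: flat Layer 2, not routable
        return (L2_SERVICES[ethertype], False)
    if ethertype != IPV4:
        return ("other", None)
    if len(frame) < offset + 20:
        return ("truncated", None)
    ihl = (frame[offset] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(frame) < offset + ihl + 4:
        return ("truncated", None)
    if frame[offset + 9] != TCP:
        return ("other IP", True)
    sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
    return ("MMS" if MMS_PORT in (sport, dport) else "other TCP", True)

def routable_61850(frames) -> list:
    """Indexes of frames carrying 61850 (MMS) over TCP/IP, i.e. the routable ones."""
    return [i for i, f in enumerate(frames) if classify_frame(f) == ("MMS", True)]

# Constructed sample frames (not captured traffic); IP addresses are documentation values.
_SRC = bytes.fromhex("020000000001")
GOOSE_TAGGED = (bytes.fromhex("010ccd010001") + _SRC
                + struct.pack("!HHH", VLAN_TAG, 0x8001, 0x88B8) + bytes(8))
_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                  bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
MMS_FRAME = (bytes.fromhex("020000000002") + _SRC + struct.pack("!H", IPV4)
             + _IP + struct.pack("!HH", 49152, MMS_PORT) + bytes(16))
SAMPLES = [GOOSE_TAGGED, MMS_FRAME, MMS_FRAME[:20]]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLES):
        print(i, classify_frame(frame))
```

Any index returned by `routable_61850` marks traffic that, by the slide's reading of NERC CIP, rides on routable connectivity and should be protected accordingly.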


Enhancing IEC-61850 for Cyber Resiliency

• Technologies
  – TLS Encryption
    • Prevents eavesdropping by adversary
    • Most effective when enabled between end devices
  – Multifactor Authentication
    • Applies to users and devices
    • Prevents unauthorized access/modification of data
    • Holds users accountable for actions


Enhancing IEC-61850 for Cyber Resiliency (cont.)

• Devices
  – Firewalls/Gateways/DMZs
    • Defines Electronic Security Perimeter
    • Provides encryption and authentication
    • Configure to deny all unanticipated traffic by default
  – Intrusion Detection Systems (IDS)
    • Monitors network traffic
    • Logs unexpected traffic


Recommended Substation Protections

[Figure: recommended substation protections diagram. Source: IEC-62351 Recommended Substation Protections]


Conclusions

When using 61850 protocol for SA and SCADA communications outside the substation – all unencrypted data is at risk

Substation LANs are vulnerable – if no firewalls, IPS/IDS, data gateways or DMZs are implemented

If the utility is relying on others for outside communications or outside the ESP – all data is vulnerable

Perform security risk assessments of all data entering or leaving the substation to determine if encryption is feasible
• Add authentication at a minimum

The cost of doing nothing can be considered immeasurable – if attacked by a cyber intrusion


Conclusions (cont.)

Exercise caution and thorough testing - before selecting a vendor to supply smart substation devices

Test all security updates and patches – within a lab or testing environment before pushing onto the live system

Ensure vendors or suppliers are providing timely updates if there is a potential vulnerability or threat


Future Research/Discussions

Likelihood of NERC CIP being applied to distribution systems?

Vulnerable access points from current versions of NERC CIP need further review:
• Smart meter/AMI system
• Leased lines through telcos
• Shared access points at jointly owned stations that are currently NOT defined as CIP sites


Questions?


“There are three power grids that generate and distribute electricity throughout the United States, and taking down all or any part of a grid would scatter millions of Americans in a desperate search for light, while those unable to travel would tumble back into something approximating the mid-nineteenth century.”
Ted Koppel, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath