CHPCOM project
Combined Heat and Power Communication
CHPCOM: IEC 61850-based data communication in a Danish context
Securing Critical Infrastructure Communication
Søren Peter Nielsen – Rump session at Modern Identity Management Solutions, 2 December 2014
• Securing Critical Infrastructure Communication
  – Context
• Moving from software to cyber-physical systems
  – Examples of things that are different
Danish Electricity Producers with growing communications demands
[Diagram: the Danish CHP landscape today. Labels: balance responsible generator; power plant control; power sale / power buy; power market; TSO; Internet; accumulator; electric boiler; district heat; solar heat; measurement data; supply of services, i.e. supplying the grid with ancillary services; market control; "New Role".]
CHPCOM Concept
[Diagram: the CHPCOM concept adds a DSO/DNO, a flexibility market with an aggregator performing technical control, and local resources for local grid management, with measurement data carried over the open standard IEC 61850. Labels: balance responsible generator; power plant control; power sale / power buy; power market; TSO; DSO/DNO; Internet; accumulator; electric boiler; district heat; solar heat; measurement; data; open standard IEC 61850; supply of services, i.e. supplying the grid with ancillary services; market control; flexibility market; aggregator; technical control; local resources for local grid management; "New COM".]
The SKIES landscape
[Diagram: components of the SKIES landscape. Plain MMS is used inside each site (RTU, SCADA, SCADA frontend, DB, 61850 DB, 61850 GW); between sites the "SecureMMSKomponent" (secure MMS component) carries s/MMS across the Internet and the firewalls, with RBAC enforced there. PKI components: CA, RA, Directory.]
The SKIES landscape – Basic flow
[Diagram: basic flow. A server security gateway and a client security gateway exchange s/MMS; both are provisioned through the RA and the CA.]
Special CIP requirements in relation to PKI
• Safety considerations
  – A Smart Grid PKI must consider the risk associated with a security protocol failing. This can include protocols such as password lockouts, certificate expiration, or time-stamp mismatch. The PKI should still notify operators of these failures, but it may not be appropriate to fail the protocol, especially for critical power grid equipment.
• High availability
  – The PKI should avoid having a single point of failure.
  – The various components of the PKI must also be able to operate independently for extended lengths of time when regular communications are disrupted.
  – E.g. a local cache of authentication information will allow the PKI to operate disconnected from the authentication server for an extended period of time.
• Real-time operation
  – Security protocol behaviours should be defined for the event that the system does not meet a real-time requirement.
  – The PKI needs to be designed with local information stores and use of caching.
• Upgradeable
  – It must be possible to update the technologies used in the PKI with minimal impact on the (long-life HW) system.
Source: "Adapting PKI for the Smart Grid" by Todd Baumeister, 2011
One implication
– Examples of failures that must NOT be met with a HARD STOP in this case:
  • Unable to build a trust path to a trusted root CA
  • Certificate not yet valid or expired
  • Certificate revoked
  • Certificate or subject in certificate not on trusted whitelist
  • Missing mandatory certificate extensions
  • Invalid certificate extension (e.g. CA=false in the basicConstraints extension of an intermediate certificate)
  • Unknown or wrong CP reference in certificate
  • Unknown critical extensions
  • Unaccepted use of cryptographic algorithms (e.g. small RSA key pairs, MD5 hashing)
Roles
• Communication is from machine to machine
• The IEC standard says: use RBAC with predefined roles on the server side to supply privileges to the client
Roles
• Ways to transfer client role info:
  – Embedded in the client M2M certificate
  – Embedded in a separate attribute certificate transferred together with the client M2M certificate
Roles
• HMM?
  – No (SAML-like) envelope to transfer role info in?
  – Every time a role assignment is updated, new certificates must be issued?
  – Mixing authentication and authorization!
Roles
• WELL
  – The role is not attached to a person but to a device in an organisation, a much more stable assignment
  – Of the predefined roles only two are relevant for the operations communication, a manageable granularity:
    • Viewer – read
    • Operator – read/write
  – High availability is required. If role info is transferred via an alternate channel and this is not available, what to do?
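The three slides above fit together in one access decision for an incoming s/MMS session: the "no hard stop" list from the "One implication" slide becomes a policy parameter that is empty for critical infrastructure, the local cache of authentication information from the CIP requirements slide answers the "alternate channel unavailable" question, and Viewer/Operator are the only outcomes. Note that "no hard stop" never means "silent": every finding still produces an operator notification, as the CIP requirements slide demands. The Python below is an added illustration written for this page, not CHPCOM or SKIES project code. The Finding values mirror the slide, but the data structures, the assumption that an X.509 path validator has already produced the findings, the seven-day cache horizon, the read-only fallback role and the device names are assumptions.

```python
"""Fail-operational access decision for an incoming s/MMS client session.

Added illustration modelled on the CHPCOM/SKIES talk, not project code.
Assumed: findings come from an X.509 path validator run earlier; a role is
either embedded in the client's M2M certificate or fetched from the PKI
directory; the 7-day cache horizon and read-only fallback are policy choices.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
import time


class Finding(Enum):
    """Validation failures the talk lists as 'must NOT be a hard stop'."""
    NO_TRUST_PATH = "unable to build trust path to a trusted root CA"
    NOT_VALID_NOW = "certificate not yet valid or expired"
    REVOKED = "certificate revoked"
    NOT_WHITELISTED = "certificate or subject not on trusted whitelist"
    MISSING_MANDATORY_EXT = "missing mandatory certificate extension"
    INVALID_EXT = "invalid extension (e.g. CA=false on an intermediate)"
    UNKNOWN_CP = "unknown or wrong certificate policy reference"
    UNKNOWN_CRITICAL_EXT = "unknown critical extension"
    WEAK_CRYPTO = "unaccepted algorithm (small RSA key, MD5 hash)"


class Role(Enum):
    VIEWER = "viewer"      # read
    OPERATOR = "operator"  # read/write


@dataclass(frozen=True)
class Policy:
    # Findings allowed to abort the session: empty for critical infrastructure
    # (every failure is alerted instead); an IT-style policy lists all of them.
    hard_stop: frozenset = frozenset()
    # Assumed: a cached role may be reused this long while the directory is down.
    max_role_age_s: float = 7 * 24 * 3600
    # Assumed: grant read-only rather than nothing when no role info is obtainable.
    fallback_role: Role | None = Role.VIEWER


@dataclass
class Decision:
    allowed: bool
    role: Role | None
    alerts: list = field(default_factory=list)   # operator notifications


class RoleCache:
    """Device -> role store, refreshed from the directory whenever it is reachable."""

    def __init__(self, directory: dict | None):
        self.directory = directory   # None models 'directory unreachable'
        self._cache: dict = {}       # device -> (role, fetched_at)

    def lookup(self, device: str, now: float, policy: Policy):
        """Return (role or None, alert or None)."""
        if self.directory is not None:
            role = self.directory.get(device)
            if role is not None:
                self._cache[device] = (role, now)
                return role, None
            return None, f"{device}: no role assignment in directory"
        cached = self._cache.get(device)
        if cached is None:
            return None, f"{device}: directory unreachable and no cached role"
        role, fetched = cached
        age = now - fetched
        if age > policy.max_role_age_s:
            return None, f"{device}: cached role is {age / 86400:.1f} days old, beyond policy"
        return role, f"{device}: directory unreachable, using cached role ({age / 3600:.1f} h old)"


def decide(device: str, findings: list, cert_role: Role | None,
           cache: RoleCache, policy: Policy, now: float | None = None) -> Decision:
    """Authenticate on the validator's findings, then authorise to one of two roles."""
    now = time.time() if now is None else now
    d = Decision(allowed=True, role=None)
    d.alerts.extend(f"{device}: {f.value}" for f in findings)   # always notify
    if policy.hard_stop & set(findings):
        d.allowed = False          # only reachable under a non-CIP policy
        return d
    if cert_role is not None:      # role embedded in the M2M certificate
        d.role = cert_role
        return d
    role, alert = cache.lookup(device, now, policy)   # role via alternate channel
    if alert:
        d.alerts.append(alert)
    d.role = role if role is not None else policy.fallback_role
    if role is None and d.role is not None:
        d.alerts.append(f"{device}: granted fallback role '{d.role.value}'")
    return d


if __name__ == "__main__":
    # Constructed sample: one plant, directory reachable, then the link is lost.
    cip, t0 = Policy(), 1_700_000_000.0
    cache = RoleCache({"chp-plant-07": Role.OPERATOR})
    print(decide("chp-plant-07", [Finding.REVOKED], None, cache, cip, t0))
    cache.directory = None
    print(decide("chp-plant-07", [], None, cache, cip, t0 + 3600))
    print(decide("chp-plant-07", [], None, cache, cip, t0 + 8 * 86400))
    print(decide("chp-plant-07", [Finding.REVOKED], None, cache,
                 Policy(hard_stop=frozenset(Finding)), t0))
```

The design point is that rejection is data, not code: the same decide() serves an IT deployment with Policy(hard_stop=frozenset(Finding)) and a critical-infrastructure deployment with the default empty set, and in both cases the alert list is what the operator sees. The stale-cache horizon and the Viewer fallback are the two places where a real deployment must make the choice the last slide leaves open.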
• Think different about
  – PKI requirements
  – Role based access control
• when dealing with critical cyber-physical infrastructure

Contact info:
Søren Peter Nielsen
dk.linkedin.com/in/sorenp
twitter.com/sorenp