CHPCOM project

Combined Heat and Power Communication

IEC 61850-based data communication in a Danish context

Securing Critical Infrastructure Communication
Søren Peter Nielsen – Rump session at Modern Identity Management Solutions, 2 December 2014

• Securing Critical Infrastructure Communication
  – Context
• Moving from software to cyber-physical systems
  – Examples of things that are different

Danish Electricity Producers with growing communications demands


[Diagram labels: Balance responsible, Generator, Power plant control, Power sale, Power buy, Internet, Accumulator, Electric boiler, Power market, TSO, Data, Measurement, Supply of services, Supplying the grid with ancillary services, Market control, District heat, Solar heat]

CHPCOM Concept

[Diagram labels: New Role, DSO/DNO, Balance responsible, Generator, Power plant control, Power sale, Power buy, Internet, Accumulator, Electric boiler, Power market, TSO, Data, Measurement, Open standard IEC 61850, Supply of services, Supplying the grid with ancillary services, Market control, Flexibility Market, Aggregator, Technical control, Local resources for local grid management, District heat, Solar heat, New COM]

The SKIES landscape

[Diagram labels: RBAC, s/MMS, MMS, 61850 GW, 61850 DB, DB, RTU, SCADA, SCADA frontend, ”SecureMMSKomponent”, Internet, Firewall, PKI components (CA, RA, Directory)]

The SKIES landscape – Basic flow

[Diagram labels: s/MMS, Server security gateway, Client security gateway, RA, CA]

Special CIP requirements in relation to PKI

• Safety considerations
  – Smart Grid PKI must consider the risk associated with a security protocol failing. This can include protocols such as password lockouts, certificate expiration, or time-stamp mismatch. The PKI should still notify operators of these failures, but it may not be appropriate to fail the protocol, especially for critical power grid equipment.
• High Availability
  – PKI should avoid having a single point of failure
  – The various components of the PKI must also be able to operate independently for extended lengths of time when regular communications are disrupted.
  – E.g. a local cache of authentication information will allow the PKI to operate disconnected from the authentication server for an extended period of time
• Real-Time Operation
  – Security protocol behaviors should be defined in the event that the system does not meet a real-time requirement
  – Need to be designed with local information stores and use of caching
• Upgradeable
  – Must be able to update the technologies used in the PKI with minimal impact on the (long life HW) system

Source: “Adapting PKI for the Smart Grid” by Todd Baumeister, 2011

One implication

– Examples of failures that must NOT be met with a HARD STOP in this case
  • Unable to build trust path to a trusted root CA
  • Certificate not yet valid or expired
  • Certificate revoked
  • Certificate or subject in certificate not on trusted whitelist
  • Missing mandatory certificate extensions
  • Invalid certificate extension (e.g. CA=false in basicConstraints-extension of an intermediate certificate)
  • Unknown or wrong CP reference in certificate
  • Unknown critical extensions
  • Unaccepted use of cryptographic algorithms (e.g. small RSA pairs, MD5 hashing)
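
The policy on this slide, with detection of a certificate problem kept separate from the decision to drop the session, as an added example that is not from the talk or the CHPCOM project. `Cert`, `Policy`, the alarm codes, the key-size and hash thresholds and the `hard_stop` set (which goes beyond the slide to cover links where a hard stop is acceptable) are assumptions; the records are constructed and no signature verification is done.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Cert:  # constructed stand-in for fields of a parsed X.509 certificate
    subject: str
    issuer: str
    not_after: datetime
    serial: int
    rsa_bits: int = 2048
    sig_hash: str = "sha256"
    is_ca: bool = False

@dataclass
class Policy:  # hypothetical local store, usable while the CA/RA is unreachable
    trusted_roots: set
    revoked_serials: set  # cached copy of the last revocation list received
    whitelist: set
    hard_stop: set = field(default_factory=set)  # left empty on critical links

def validate(chain, policy, now):
    """Check a leaf-first chain; return (session_allowed, alarms for operators)."""
    alarms = []
    linked = all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))
    if not linked or chain[-1].issuer not in policy.trusted_roots:
        alarms.append(("NO_TRUST_PATH", chain[0].subject))
    for i, c in enumerate(chain):
        if now > c.not_after:
            alarms.append(("EXPIRED", c.subject))
        if c.serial in policy.revoked_serials:
            alarms.append(("REVOKED", c.subject))
        if c.rsa_bits < 2048 or c.sig_hash == "md5":  # assumed thresholds
            alarms.append(("WEAK_CRYPTO", c.subject))
        if i > 0 and not c.is_ca:
            alarms.append(("CA_FALSE_INTERMEDIATE", c.subject))
    if chain[0].subject not in policy.whitelist:
        alarms.append(("NOT_WHITELISTED", chain[0].subject))
    # Every check runs and is reported; only codes in hard_stop end the session.
    allowed = not any(code in policy.hard_stop for code, _ in alarms)
    return allowed, alarms

# Constructed sample: expired, revoked leaf under an MD5-signed CA=false intermediate.
NOW = datetime(2014, 12, 2, tzinfo=timezone.utc)
LEAF = Cert("plant-gw-01", "Sub CA", datetime(2014, 11, 1, tzinfo=timezone.utc), 77)
SUB = Cert("Sub CA", "Root CA", NOW.replace(year=2020), 5, sig_hash="md5")
CRITICAL = Policy({"Root CA"}, {77}, {"plant-gw-01"})
OFFICE = Policy({"Root CA"}, {77}, {"plant-gw-01"}, hard_stop={"REVOKED", "EXPIRED"})

RESULTS = [validate([LEAF, SUB], p, NOW) for p in (CRITICAL, OFFICE)]
```

Both policies produce the same four alarms for the operators; only the `OFFICE` policy closes the session.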

Roles

• Communication is from machine to machine
• IEC standard says use RBAC with predefined roles on server side to supply privileges to client

• Ways to transfer client role info:
  – Embedded in Client M2M certificate
  – Embedded in separate Attribute Certificate to be transferred together with Client M2M certificate

• HMM?
  – No (SAML-like) envelope to transfer role info in?
  – Every time a role assignment is updated new certificates must be issued?
  – Mixing Authentication and Authorization!

• WELL
  – Role is not attached to a person, but to a Device in an Organisation – much more stable assignment
  – Of the predefined roles only two are relevant for the Operations communication – manageable granularity
    • Viewer – Read
    • Operator – Read/Write
  – High Availability is required – If role info is transferred via an alternate channel and this is not available what to do?

• Think different about
  – PKI requirements
  – Role based access control
• When dealing with critical cyber-physical infrastructure

Contact info:

Søren Peter Nielsen

dk.linkedin.com/in/sorenp

twitter.com/sorenp
