Information Security

WiseOwl^™
The Secure Automation Developer's Resource

Substation Information Security

Dennis K. Holstein, Publisher
May 2000

Substation information security has been a hot topic at the last several IEEE Power Engineering Society meetings in the Substations Committee and the Power System Relaying Committee. Both of the project teams developing IEEE 1525 and its companion standard IEEE C37.115 continue to debate the implications of an "open information system" in terms of changes to utility operating practice and vendor requirements for providing security functions in their intelligent electronic devices (IEDs). The purpose of this newsletter is to engage our readers in this debate, and in turn bring their concerns to the table in the IEEE venues.

We all know what "hackers" can do on the internet. Either by intent, or just having nothing else to do, the same malicious pests can cause a great deal of trouble by accessing the information in the intelligent electronic devices that control power delivery. Access to substation information could be used to significantly disrupt network operations by planting a "Trojan Horse" in the Substation Information System that will cause serious failures in control functions.

Unauthorized access to substation metering and load data can be used to unfairly compete in the power brokering market place. This would of course have serious impact on the economics that we hope will drive down the cost of electricity to the end user.

A reference architecture shown below provides a graphical view of the access interfaces of particular concern for analysis of information security. The box containing the substation LAN, router, firewall, local HMI, Database Server, Remote Terminal Unit (RTU), Relay IED, and other IEDs represent the information components inside the substation. External to the substation is the Remote SCADA that interfaces to the substation by either a dedicated channel or over the Utility WAN.

Distribution and energy management system (DMS & EMS) network operations also interface to the substation over the WAN, and have access to the substation information. These systems could also have dedicated channels to the substation, but they are not shown in the figure for graphical simplicity. Furthermore in the new "open access" environment, a Utility's WAN may be connected to other WANs owned by other businesses brokering power to their customers. And to exacerbate the information security problem, the Utility WAN and the Other WAN may be connected to the Internet.

Access from the Internet, Other WAN, and DMS/EMS network operation functions over the Utility WAN represents opportunities for information security threats that must be countered. Thus information security for SCADA and automation systems requires the specification of Discretionary Access Control, Object Reuse, Identification and Authentication, and Audit requirements.

Before discussing the details of these requirements, a point needs to be made about where in the substation communication architecture the firewall should be placed. The reference architecture used for information security analysis shows the firewall installed between the substation router and the substation LAN. The firewall should not be installed between the Utility WAN and the Substation router because this will not protect against "backdoor" access through dedicated channels into the router; e.g., remote SCADA to the substation (not shown in the figure).

However, a common practice is to use dedicated channels between the remote SCADA and an RTU as shown in the figure. This is an obvious "backdoor" to the substation IEDs and their information, and of course the firewall will not provide any security protection for this communication channel.

Now some food-for-thought! Lets look at some of the information security requirements that must be implemented to counter the threats and provide a reasonable level of substation information security. I will focus on discretionary access control and identification & authentication in this note. At a later time I will discuss object reuse and audit requirements.

Discretionary Access Control

SCADA and automation systems shall define and control access between named users and named objects (e.g., files, programs, and peripherals) in the substation automation system (SAS).
SAS security shall include an enforcement mechanism (e.g., self/group/public controls) that allows users to specify and control sharing of those objects by named individuals or defined groups of individuals, or both.
SAS security shall include an enforcement mechanism that limits the propagation of access rights.
SAS security shall include controls that protect objects from unauthorized access to the granularity of a single user.
SAS security shall only permit authorized users to assign access permission to an object by users not already possessing access permission.

Identification & Authentication

SAS security shall use the combination of user identification (userID) for an individual user and a password known only to that user.

SAS security shall provide the Utility IT System Administrator (UITSA) the capability to create their own superuserID and deactivate the vendor-provided default superuserIDs.

SAS security shall provide the UITSA the capability to assign access to user resources based on the principle of least privilege.

SAS security shall be able to verify and require that passwords are at least six characters in length, alphanumeric, a mixture of upper and lower case, and include at least one number and one letter.

SAS security shall provide the capability to apply Utility-approved alternative means of positive identification to components, which lack password capabilities.

SAS security shall permit both the UITSA to generate and assign passwords and the individual user to generate their own passwords.

SAS security shall disallow a new password, which duplicates the old password.

SAS security shall invalidate passwords after 90 days.

SAS security shall protect password files so that users can only access their own password.

SAS security shall provide only the UITSA deletion and modification rights to password files and their contents.

SAS security shall prevent users from changing their passwords more frequently than every 10 days.

SAS security shall provide only the UITSA the capability to immediately expire and invalidate passwords.

SAS security shall require that only the UITSA can reset expired passwords.

Once the UITSA has reset a password, SAS security shall require the user to enter a new password.

SAS security shall limit the number of consecutive incorrect access attempts by a userID to no more than three.

SAS security shall automatically deactivate the user ID after the third unsuccessful logon attempt.

	This deactivation attempt shall affect only that userID.
	This deactivation shall not disable or otherwise affect the terminal, workstation, IED, etc.
	This deactivation shall not affect any other userID subsequently attempting to use the terminal, workstation, IED, etc.

SAS security shall reset the number of unsuccessful attempts for that userID to zero only after a successful login.

Now its your turn to talk back.

As a utility, consultant, or system integrator what is your opinion of these requirements? What has been left unsaid or left unclear? From the IED vendors, what is the implication of implementing these security functions in the IED software to provide substation information security? And last, do you think these requirements should be included in substation automation standards?

Please use the reply block below to respond. Be sure to include your EMAIL address so you can participate in the dialog.

Where do you want to go now?

Send mail to postmaster@opusss.com with questions or comments about this web site.

OPUS Publishing and OPUS Subscription Service are trademarks of OPUS Publishing. All other products mentioned are registered trademarks or trademarks of their respective companies.
Copyright © 2001 OPUS Publishing. All rights reserved.
Last modified: Sunday August 01, 2004 .