NETWORK SEGREGATION IN THE DIGITAL SUBSTATION
As the substation moves closer to a virtual world and utilities' communication networks improve, new kinds of communication to the substation LAN become possible (including remote access for maintenance), bringing opportunities for savings but also security threats.
Network segregation is one part of the defence-in-depth approach to protecting the substation. Network segregation and the use of DMZs (demilitarized zones) have long been an essential part of IT security, but how do they integrate into the OT world?
After a brief introduction to the threat landscape and the generic security approach, the principles of network segregation are described, along with the necessary hardware and software. Management constraints and costs are highlighted.
The only communication link to a substation used to be the tele-control bus. To improve network operation and reduce cost at the same time, utilities installed a second communication link used to download disturbance recording files and upload relay settings. Once this remote access is established, it opens a whole new world of possibilities: supervision, asset management, troubleshooting… but it also opens new doors for attacks.
Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, accidents, natural disasters, etc. In the past, the goals of viruses and worms ranged from simply destroying their host to turning their host into a spam or DoS attack bot. But in the last few years, new stealth malware has appeared that specifically targets Industrial Control Systems, including Stuxnet, Flame and Havex, making the threat more real.
Consequently, utilities and vendors now face the burden of securing the substation from a cyber-security perspective. Over the years, regulations such as NERC CIP, standards bodies such as IEEE and IEC, and working groups have published requirements, standards and guidelines to achieve better security.
The chosen solutions must therefore restrict remote access to the substation to authorised users and deny malware propagation without changing the substation automation software, while at the same time minimising the management overhead. This can be achieved with a series of security layers that combine into a ‘defence-in-depth’ approach. This layered arsenal is able to withstand or minimise the impact of a failure in any one layer. System hardening, AAA (Authentication, Authorisation, Accounting), malware prevention, user training, use of secure protocols and network segregation provide multiple layers of protection, just as moats, high walls, secondary fortifications and a donjon shield a castle.
Network Segregation and Segmentation
Information systems need to talk with one another: substation, SCADA control centre, network operation centre and corporate site are interconnected, usually sharing a common infrastructure, for efficient operation. All these systems collaborate but must also be protected from one another. Network segmentation, as its name implies, consists in keeping different systems in different networks (LANs), so that they cannot communicate with one another. Network segregation adds rules to control and monitor the communication exchanges. Network segregation is critical to limit network propagation, or lateral movement, after a first element of the system is compromised. When a piece of malware penetrates a system, it scans the network looking for other targets to compromise, jumping from host to host towards its final objective or simply trying to replicate itself as much as possible. An example of real network propagation by a bug in software is given in: the Slammer worm “(…) did apparently migrate through the corporate networks until it eventually reached the critical SCADA network via a remote computer through a VPN connection. The worm propagated, blocking SCADA traffic”. Network segregation largely reduces the number of devices that can be reached and the protocols that can be used to communicate with them.
A variety of technologies are available to achieve segregation:
• Physical separation of hardware and cables
• Separation of hardware and data
• Virtual LANs (VLANs) and Private VLANs
• Network Access Control
• Tunnels (GRE, VPN, IPSec)
• Network firewalls
• Host-based firewalls
• Application firewalls and intrusion prevention systems (IPS)
Network Segmentation for S/S Boundaries
Network segmentation between different types of traffic (remote maintenance, SCADA, video surveillance…) is achieved using virtual private networks (VPNs) over a number of technologies (BGP/MPLS, IPsec, GRE, …) that require specific hardware and networking expertise. This type of segmentation typically ends at the substation edge. Another type of segregation can be achieved by using the Remote Desktop Protocol (RDP) to remotely access a PC inside the substation. This achieves separation of hardware and data: the remote PC is effectively only a remote keyboard/display and neither hosts nor shares any software or data used inside the substation perimeter.
Network Segregation inside the Substation
Inside the substation, the LAN is divided into different “zones”. Communication between zones is controlled at several levels:
• Network access control: an access control list (ACL) is assigned to users or devices based on authentication;
• The router authorizes communication based on the ACL: which IP addresses (OSI layer 3) and VLANs (OSI layer 2) can be reached;
• The network firewall further authorizes communication based on the protocols and ports (OSI layer 4);
• The application firewall (IPS) authorizes communication based on the payload content (OSI layer 7). The application firewall understands the application protocol.
Note the use of “authorize” rather than “restrict”. A good practice is to enforce a default “deny all” rule and whitelist only the known traffic. Also note that segregation takes place at different levels of the OSI model for extra resilience.
The usual zones in the substation LAN are:
• DMZ for remote access
• Protection and control LAN
• Physical security, video surveillance
All communications initiated from outside the substation must be routed to the DMZ only. Communication to the protection and control LAN must be authorized only from the DMZ.
Network segregation can be further refined within the PAC LAN. For example, a SCADA local operator interface PC and an IED should only talk using the IEC 61850 protocol and do not need to see each other’s maintenance or time synchronization ports. By putting the PCs and IEDs in separate zones (or VLANs), they are better protected from each other.
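The layered, default-deny zone policy described above, together with the single rule set that an identical address plan makes possible (see Scalability and Cost), modelled as an added Python example that is not part of the original article: zone membership is decided at layer 3, the whitelist at layer 4, everything else falls to default deny, and an audit function checks the rule list against the two invariants stated above (external traffic lands only in the DMZ; only the DMZ reaches the PAC LAN). The address plan, zone names and port numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan, one /24 per zone. Because every substation uses the
# same plan, rules are written against zone names and deploy unchanged everywhere.
ZONES = {
    "DMZ":   ipaddress.ip_network("10.1.1.0/24"),  # remote-access landing zone
    "PAC":   ipaddress.ip_network("10.1.2.0/24"),  # protection and control LAN
    "VIDEO": ipaddress.ip_network("10.1.3.0/24"),  # physical security / video
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# Whitelist; anything not listed falls through to the default "deny all".
# Port numbers are assumptions for this example (RDP 3389, IEC 61850 MMS 102).
RULES = [
    Rule("OUTSIDE", "DMZ", "tcp", 3389),  # maintenance engineer -> DMZ jump host
    Rule("DMZ", "PAC", "tcp", 102),       # jump host -> IED over IEC 61850-8-1 MMS
]

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is OUTSIDE."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "OUTSIDE")

def authorize(src_ip, dst_ip, proto, dport):
    """Layer 3 (zone) then layer 4 (proto/port) check; returns (allowed, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True, f"intra-zone traffic in {src}; does not cross the firewall"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return True, f"whitelisted: {src} -> {dst} {proto}/{dport}"
    return False, f"default deny: {src} -> {dst} {proto}/{dport}"

def audit_rules(rules):
    """Flag whitelist entries that contradict the zone architecture in the text."""
    findings = []
    for r in rules:
        if r.src_zone == "OUTSIDE" and r.dst_zone != "DMZ":
            findings.append((r, "external access must terminate in the DMZ"))
        if r.dst_zone == "PAC" and r.src_zone != "DMZ":
            findings.append((r, "only the DMZ may initiate towards the PAC LAN"))
    return findings
```

Running `audit_rules` before deploying an edited rule list catches an entry such as a direct OUTSIDE to PAC rule that would silently bypass the DMZ.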
IEC 61850, HSR, PRP, IEEE1588
IEC 61850-8-1 GOOSE and IEC 61850-9-2 Sampled Values messages are non-routable, which means that they are confined to a single LAN (or VLAN), so devices that depend on these messages must be within the same network segment. IEC 61850-90-5 opens the way to routable GOOSE, which would relieve that constraint and allow PMU and tele-protection applications to be secured.
At the time of writing, there are no PRP/HSR-compliant routers/firewalls on the market. This means that redboxes are needed, introducing more complexity in the topology.
In addition, VLAN management in HSR is cumbersome as configuration must be done on each HSR device. IEEE 1588 (and time synchronization in general) is a service that must access all network segments because it is critical that all devices on the network be synchronized from a single source. This makes the time server a priority target for attackers.
Network Monitoring Centre
All devices that take part in network security will generate logs, in particular alarms when traffic attempts to violate a rule. It is essential that the alarm be received by a network monitoring centre where a security team can then respond to it. Too often, this team does not exist and the utility forwards the alarm to the SCADA, typically using an SNMP to IEC 61850 converter. This is bad practice, as it breaks the segmentation between security and operation. In addition, a dispatcher may not be a security specialist and may respond to an alarm inappropriately.
Scalability and Cost
The illustrations above show a network topology in which the router, firewall (usually a single appliance) and redboxes are in the substation. For availability reasons, all are doubled. A large TSO with 1 000 substations would then need to deploy and maintain 8 000 devices.
With 10 protocols and ports and multiple destinations (SCADA, maintenance centre, network operation centre, …), the number of rules can explode into the thousands.
This does not scale very well. Some techniques can be used to simplify the system’s management:
• substations can be designed so that the same rules apply to all of them: identical zones, identical IP address plan. This allows a single set of rules to be maintained and deployed on all firewalls.
• firewalls can be centralized in a hub-and-spoke architecture. Zones must be carefully designed so that a loss of communication to the firewall does not result in a loss of local protection and control availability. This typically requires that a router with simple ACLs be installed in the substation.
Whatever the architecture, the problem size is large and can only be addressed by designing a global solution upfront. A substation-by-substation solution will not scale.
Network segregation is vital to protect different areas of responsibility and to prevent malware propagation and espionage activity. It must be implemented not only at the substation boundaries but also inside the substation. Implementation requires a high level of networking expertise, specific hardware and heavy configuration. The technology is mature, but the real constraint is financial and cultural: the cost to implement security increases proportionally with each substation, and the substation operator must accept that an IT specialist manages its network.