
Cyber Security – An industrial View on the Interplay of Standards, Regulations, and Guidelines on the Example of the Digital Grid

Darmstadt, January 11th, 2017

Siemens Corporate Technology Unrestricted © Siemens AG 2017

Page 2

Outline

1 Introduction
2 Cyber security implications for the Digital Grid
3 A bird's-eye view on standardization, guidelines and regulation
4 Deep dive examples
• Security parameter management
• Securing the substation process bus (GOOSE)
• Integration of decentralized energy resources (DER)
5 Application examples & Conclusions

Page 3

Our milestones – Across 170 years of history

Werner von Siemens (1816-1892): Company founder, visionary and inventor

• 1847: Pointer telegraph
• 1866: Dynamo
• 1925: Electrification of Ireland with hydropower
• 1959: SIMATIC controller
• 1975: High-voltage direct-current (HVDC) transmission
• 1983: Magnetic resonance tomograph
• 2010: TIA Portal for automation
• 2012: Field testing of world's largest rotor at an offshore wind farm
• 2016: MindSphere introduced as the digitalization platform for all industries

Siemens innovations over 168 years

1 Introduction

Page 4

Our innovative power in figures – Siemens as a whole and Corporate Technology

Expenditures for research and development
• €4.7 billion: Expenditures for R&D in fiscal 2016
• 33,000: R&D employees (1)

Inventions and patents – securing our future
• 7,500: inventions (1)
• 3,500: patent applications

University cooperations – our knowledge edge
• 9: CKI universities (2)
• 16: principal partner universities

Corporate Technology – our competence center for innovation and business excellence (3)
• 7,400: employees worldwide
• 4,800: software developers
• 1,600: researchers
• 400: patent experts

(1) In fiscal 2016 (2) Centers of Knowledge Interchange (3) Employee figures: Status Sept. 30, 2016

Page 5

Our organization – Corporate Technology at a glance

Corporate Technology (CT) CTO – Dr. Roland Busch

Business Excellence and Quality Management
‒ Project Business@Siemens
‒ Quality Management
‒ Operational Excellence

Corporate Intellectual Property
‒ Protection, use and defense of intellectual property
‒ Patent and brand protection law

Development and Digital Platforms
‒ Competence center for horizontal and vertical product-and-system integration as well as software, firmware, and hardware engineering

Research in Digitalization and Automation
‒ Research activities covering all relevant areas in digitalization and automation for Siemens

next47
‒ Promoting disruptive ideas and driving new technologies for Siemens
‒ Exploiting the next step of digital intelligence in innovation fields

University Relations
‒ Global access to the academic world
‒ Top positioning in terms of university cooperations

Technology and Innovation Management
‒ Siemens’ technology and innovation agenda
‒ Standardization, positioning regarding research policy
‒ Provision of publications relating to R&D

Research in Energy and Electronics
‒ Research activities relating to energy and electrification, electronics, new materials and innovative manufacturing methods

Page 6

Our industrial society confesses a growing demand for IT-Security

IT Security trends are determined by drivers such as
• Changes in industrial infrastructures (Digitalization)
• Increasing use of networked embedded systems
• Increasing device-to-device communication
• Need to manage intellectual property

and changing boundary conditions
• Increasing international organized crime
• Privacy
• Compliance enforcement
• Cyber warfare
• Cloud/Virtualization
• Data mining and smart data analytics
• Smart mobile devices
• ….

Page 7

Increasing intelligence and open communication drive security requirements in various industrial environments

• Building Automation
• Digital Energy Grid
• Factory Automation
• Urban Infrastructures
• Mobility Systems
• Process Automation

2 Cyber security implications for the Digital Grid

Page 8

The threat level is rising – Attackers are targeting critical infrastructures

Evolution of attacker motives, vulnerabilities and exploits

[Figure: timeline 2002 to 2015 showing # of published exploits, # of new malware samples and # of published vulnerabilities]

Eras: The Age of Computerworms; Cybercrime and Financial Interests; Politics and Critical Infrastructure; Hacking against physical assets

Motives: "Hacking for fun"; "Hacking for money"; "Hacking for political and economic gains"

Attackers: States, Criminals, Hobbyists, Organized Criminals, Hacktivists, State sponsored Actors, Terrorists, Activists

Examples named on the timeline: Code Red, Slammer, Blaster, Zeus, SpyEye, Rustock, Aurora, Nitro, Stuxnet

Further labels: Backdoors, Worms, Anti-Virus, Hackers, BlackHat, Viruses, Responsible Disclosure, Credit Card Fraud, Botnets, Banker Trojans, Phishing, SPAM, Adware, WebSite Hacking, Anonymous, SCADA, RSA Breach, DigiNotar, APT, Targeted Attacks, Sony Hack, Cyber war, Hacking against critical infrastructure, Identity theft, Major loss of privacy, "Transparent citizen on the net" ("Gläserner Bürger im Netz"), Ransomware

Data sources: IBM X-Force Trend and Risk Report, HP Cyber Risk Report, Symantec Intelligence Report

Page 9

What makes security in the Digital Grid so important?

The Energy Sector is a Prime Target!

Source: ICS Report: Year in review 2015. Numbers represent responses out of 295 participants.

Security incidents can affect target solution and connected (critical) assets
• Performance degradation
• Loss of system availability & control
• Loss of privacy
• Capturing, modification or loss of data
• Reputation (company image)
• Environmental impact
• Financial loss
• Loss of health/life

Cyber Security ensures reliable operation of critical infrastructures like the Digital Grid

Page 10

Digital Grid systems vs. Office IT – Protection targets for security

Office IT: Protection of IT-Infrastructure
Lifetime 3-5 years

Digital Grid Systems: Protection of generation, transmission, and distribution
Lifetime up to 20 years and more

Page 11

Digital Grid systems and Office IT have different management & operational characteristics

• Protection target for security. Office IT: IT-Infrastructure. Digital Grid: Generation, transmission, distribution.
• Component Lifetime. Office IT: 3-5 years. Digital Grid: Up to 20 years.
• Real time requirement. Office IT: Delays accepted. Digital Grid: Can be critical.
• Application of patches. Office IT: Regular / scheduled. Digital Grid: Slow.
• Availability requirement. Office IT: Medium, delays accepted. Digital Grid: Very high.
• Security testing / audit. Office IT: Scheduled and mandated. Digital Grid: Increasing.
• Physical Security. Office IT: High (for IT Service Centers). Digital Grid: Very much varying.
• Anti-virus. Office IT: Common / widely used. Digital Grid: Uncommon, hard to deploy, white listing.

Page 12

Digital Grid systems and Office IT have different functional security requirements

• Security Awareness. Office IT: High. Digital Grid: Increasing.
• Security Standards. Office IT: Existing. Digital Grid: Under development, regulation.
• Confidentiality (Data). Office IT: High. Digital Grid: Low – medium.
• Integrity (Data). Office IT: Medium. Digital Grid: High.
• Availability / Reliability (System). Office IT: Medium, delays accepted. Digital Grid: 24 x 365 x …
• Non-Repudiation. Office IT: Medium. Digital Grid: Medium to High.

“Office” security concepts and solutions are not directly applicable for Digital Grid systems

Page 13

Digital Grid systems as critical infrastructure have an influence on safety
Security-by-Design is different from Safety-by-Design

[Diagram labels: Technical System; Humans / Environment]

Safety: Prevention of threats to humans and environment caused by technical systems

IT Security: Prevention of consequences of threats to a system (intentionally) caused by humans and/or environment

Despite different design goals, the interrelationship between IT security and safety needs to be observed during system design to prevent consequences of accidental and intentional threats.

Page 14

Digital Grid – a critical infrastructure
Power system value chain and use case examples

Value chain: Transmission; Rail & Microgrids; Distribution; Generation; Consumer / Prosumer

Voltage levels
• High Voltage: ≥ 100kV
• Medium Voltage: 20kV … 100kV
• Low Voltage: ≤ 400V

Substations: Transmission Substation; Distribution Substation

Use case examples
• Power Quality Monitoring
• Network Optimization
• Substation Automation
• Inter Control Center Communication
• Remote Maintenance and Service
• DER Integration (Metering & Control)
• Remote Services
• Connecting Electric Vehicles to the Charging Infrastructure

Page 15

Changes to substation automation and protection over time
Evolving threat landscape (tomorrow today...)

[Figure: three generations of substation automation. Recoverable labels:]

• 1st generation: Standard cabling (Ancient past). Labels: Bay, Parallel wiring, Fault recorder, Protection, RTU, Mimic board
• 2nd generation: Point-to-point connections since 1985 ... (Recent past). Labels: Other bays, Serial connection, Parallel wiring, Bay, Substation controller, HMI
• 3rd generation: Digital Substation with Ethernet, Serial, and IP connections. Labels: Local HMI, Substation Controller, IEDs, field devices, Firewall, Remote Access, Control Center, Untrusted Network, Terminal Server, Application Servers, DMZ; levels: Operation Level, Station Level, Field Level

Page 16

Digital Grid masterplan architecture

[Figure: masterplan architecture. Recoverable labels:]

• Electrification, Automation, Digitalization
• Smart transmission; Smart distribution; Smart consumption and microgrids
• Enterprise IT: IVR, GIS, Network planning, Asset management, WMS/mobile, Weather Forecasting, Web portals, CIS/CRM, Billing
• Enterprise Service Bus
• Market driven applications; Grid control applications; CIM; Cloud enabled Applications
• Global Interoperability: IEC 61850 & 60870, DNP3, OpenADR, DLMS, …
• Cyber Security

CIM – Common Information Model (IEC 61970)

Page 17

Cyber Security is an integral part of Digital Grids to ensure reliable operation

[Figure: masterplan architecture with Cyber Security highlighted. Recoverable labels:]

• Electrification, Automation, Digitalization
• Smart transmission; Smart distribution; Smart consumption and microgrids
• Enterprise IT: IVR, GIS, Network planning, Asset management, WMS/mobile, Weather Forecasting, Web portals, CIS/CRM, Billing
• Enterprise Service Bus
• Market driven applications; Grid control applications; CIM; Cloud enabled Applications
• Global Interoperability: IEC 61850 & 60870, DNP3, OpenADR, DLMS, …
• Cyber Security: Appropriate security

CIM – Common Information Model (IEC 61970)

Page 18

Typical data exchanged in Digital Grid applications and their security impact

Each entry gives the information asset, its description and potential content, and what its security relates to.

• Customer ID and location data
  Description: Customer name, identification number, schedule information, location data
  Security relation to: customer privacy

• Meter Data
  Description: Meter readings that allow calculation of the quantity of electricity consumed or supplied over a time period and may be used for controlling energy loads but also for interactions with an electricity market.
  Security relation to: system control and billing

• Control Commands
  Description: Actions requested by one component of other components via control commands. These commands may also include Inquiries, Alarms, Events, and Notifications.
  Security relation to: system stability and reliability and also safety

• Configuration Data
  Description: Configuration data (system operational settings and security credentials but also thresholds for alarms, task schedules, policies, grouping information, etc.) influence the behavior of a component and may need to be updated remotely.
  Security relation to: system stability and reliability and also safety

• Time, Clock Setting
  Description: Time is used in records sent to other entities. Phasor measurement directly relates to system control actions. Moreover, time is also needed to use tariff information optimally. It is also used in security protocols, e.g., when verifying the validity of using certificates.
  Security relation to: system control (stability and reliability and also safety) and billing

• Access Control Policies
  Description: Components need to determine whether a communication partner is entitled to send and receive commands and data. Such policies may consist of lists of permitted communication partners, their credentials, and their roles.
  Security relation to: system control and influences system stability, reliability, and also safety

• Firmware, Software, and Drivers
  Description: Software packages installed in components may be updated remotely. Updates may be provided by the utility (e.g., for charge spot firmware), the car manufacturer, or another OEM. Their correctness is critical for the functioning of these components.
  Security relation to: system stability and reliability and also safety

• Tariff Data
  Description: Utilities or other energy providers may inform consumers of new or temporary tariffs as a basis for purchase decisions.
  Security relation to: customer privacy and also competition

Page 19

How to provide appropriate security?
Cyber security needs a holistic methodology

Based on NIST Cyber Security Framework

Technology, People, Process

• Identify: Understanding the business context, the resources that support critical functions and the related cyber security risks.
• Protect: Protection of critical infrastructure service, e.g., energy supply by safeguarding the overall system.
• Detect: Rapid identification of the occurrence of a cyber security related event.
• Respond: Taking action against detected cyber security related events. Supports the ability to contain the impact of a potential event.
• Recover: Creating plans for resilience and restoration of any capabilities or services that were impaired due to a cyber security related event.

Page 20

Defining & Maintaining secure products and solutions requires an accompanying lifecycle process

Security activities (according to “Security by Design with CMMI® for Development”)

Lifecycle phases: Plan, Realize, Define, Operate

• Security Objectives & Business Impact
• Security Requirements
• Secure Supplier & Component Selection
• Secure Configuration & Hardening
• Security Services and Support
• Security Threat & Risk Analysis
• Secure Architecture & Design
• Secure Coding
• Security Incident & Vulnerability Management
• Security Testing

Page 21

Evaluation of the risk from security threats to products, solutions or services as one starting point for the derivation of security requirements

[Figure labels: Intended operational environment; Product / solution; Asset; Threat; Attacker (adversarial / accidental); Likelihood rating; Impact rating; Impact categories; Risk level plotted over Likelihood and Impact]

• Threat and risk analysis to
  • identify security weaknesses and vulnerabilities
  • analyze threats that might exploit these weaknesses or vulnerabilities
  • evaluate the resulting risks.
  Supports
  • derivation of counter measures
  • check the effectiveness of planned or implemented counter measures.
• Different methods exist, e.g.,
  • SGIS Toolbox
  • NIST Guide for Risk Assessments
  • Cyber Security Capability Model
  • BSI-Standard 100-3 Risikoanalyse

Safety, Availability, Legal and Contractual Requirements, Intellectual Property, Repudiation

Page 22

3 A bird's-eye view on standardization, guidelines and regulation

Managing cyber security in Digital Grids through Guidelines / Standards / Regulation

Note: the stated organizations and standards are just examples and are not complete

Smart Energy Grid Coordination Group
• SGAM – Smart Grid Architecture Model with integrated security

• IEC 62351 Security for power systems management and information exchange
• IEC 62443 Security in Industrial Process Measurement, Control and Automation
• ISO/IEC 15118 Secure Vehicle to Grid communication

• ISO 27001 – Information Security Management (ISMS) - Requirements
• ISO 27002 – ISMS Code of Practice
• ISO 27019 – SMS for systems used in the energy utility industry on the basis of ISO/IEC 27002

Smart Grid Interoperability Panel, Cyber Security WG
• NIST IR 7628
• Cyber Security Framework

• Critical Infrastructure Protection CIP 001-014

• Critical Infrastructure Protection, Certification and Key Measures

BDEW White Paper
• Requirements for Secure Control and Telecommunication Systems

• IEEE 1686 – Intelligent Electronic Devices Cyber Security Capabilities
• IEEE 1588 – Precision Clock Synchronization Protocol for Networked Measurement and Control Systems

• IT Security Act
• BNetzA Security Catalogue

• Executive Order EO 13636 Improving Critical

Page 23

Digital Grid security involves vendors, integrators, and operators

• Standards have different importance for
  • Product and system vendor
  • Integrator
  • Operator
  as they target
  • specific technical means ensuring interoperability
  • procedural requirements
  • addressing risk based security requirements
  • auditability of actions

Page 24

Standards and Regulations
ISO/IEC 270xx Series – Information Security Management System (ISMS)

ISMS Family of standards

Vocabulary standard
• 27000: Overview and vocabulary

Requirement standards
• 27001: ISMS – Requirements
• 27006: Requirements for bodies providing audit and certification of ISMS

Guideline standards
• 27002: Code of practice for information security controls
• 27003: ISMS – Implementation guidance
• 27004: ISMS – Measurement
• 27005: Information security risk management
• 27007: Guideline for ISMS auditing

Sector-specific guideline standard
• 27019: ISMS – Guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

Addresses specifically
• Security Policies
• Organization and information security
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System and Application
• Supplier Relationship
• Incident Management
• Business Continuity
• Compliance

Domain specific standards augment ISO 27002 according to the target environment

Page 25

Information Security Management – Application of the ISO 270xx series targets Digital Grid specific security controls in ISO 27019

[Figure: scopes of the standards]
• Communication Network: Scope of ISO 27011
• Smart Grid Nodes (Home Automation, Smart Appliances, E-Mobility, Industry, Controllable Loads, Small scale generation) and Market & Services (Marketplace Applications, Billing / Contracts, Energy Services): Scope of ISO 27002
• Energy Control Systems (Generation, Storage, Transmission, Distribution): Scope of ISO TR 27019

• ISO TR 27019 targets
  • Process control systems [..] for controlling and monitoring the generation, transmission, storage and distribution of electric power, gas and heat in combination with the control of supporting processes
• Augments ISO 27002, examples:
  • Physical security
    • Control centers and PCS equipment rooms
    • Peripheral sites, e.g. substations or distributed storage and generation sites
  • Communications and operations management
    • Treatment of potentially insecure legacy systems
    • Malware protection and patch management for critical systems
    • Securing process control data communication
  • Access control
    • Special requirements for group accounts, session timeouts etc.

Page 26

IEC 62443 a framework specifying security requirements for industrial automation control systems (IACS)

• Addresses organizational and technical requirements
• Supports purpose fit security solutions by supporting security features with different strength
• Used for certification of security processes and security capabilities of the solution

[Figure: roles and what they contribute. Recoverable labels:]

Independent of IACS environment
• Product Supplier: develops components, develops control systems
• Control System as a combination of components: Host devices, Network components, Applications, Embedded devices
• is the base for

IACS environment / project specific
• System Integrator: designs and deploys
• Asset Owner / Operator: operates and maintains
• Industrial Automation and Control System (IACS): Operational policies and procedures, Maintenance policies and procedures + Automation solution
• Automation solution: Basic Process Control System (BPCS), Safety Instrumented System (SIS), Complementary Hardware and Software

Every participant can create weaknesses

Example: User Identification and Authentication
• Hard coded passwords
• Elevation of privileges
• Default passwords not changed
• Temporary accounts not deleted
• Non confidential passwords
• Passwords not renewed
• Invalid accounts not deleted

Page 27

IEC 62443 addresses the complete value chain from product to service

• Addresses
  • Operator
  • Integrator
  • Product Supplier
• in terms of
  • processes and
  • security capabilities
• and allows for
  • certification

Page 28

IEC 62443 as standard for industrial security enables a graded security approach to achieve appropriate protection

• 3-3 System Security Req.
• 2-4 Req. for IACS Supplier

Page 30

Core communication standards for Digital Grids
IEC TC57 reference architecture with domain-specific cyber security

[Figure: IEC TC57 reference architecture. Recoverable labels:]

• Systems: Back Office; Market System; EMS Apps.; DMS Apps.; SCADA; Communication Bus; RTUs; Substation Automation Systems; Protection, Control, Metering; Switchgear, Transformers, Instrumental Transformers; PMUs; Electric Vehicle
• Sites: Control Center A; Control Center B; Substations / Field Devices; Distributed Energy Resources (DER) with DER Generator and DER Storage; Hydroelectric/ Gas Turbine Power Plants with Turbine and electric systems and Hydro systems
• Interfaces: IEC 61970; IEC 61968; IEC 60870-6 TASE.2/ICCP; IEC 60870-5-102; 60870-5-101/104; IEC 60870-5-103; SS-CC; SS-SS; IEC 61850; IEC 62325; IEC 61850-90-5; IEC 61850-90-7, 8, 9, 10, 15; IEC 61850-7-420; IEC 61850-7-410; IEEE 1815 (DNP3); GOOSE, SV
• IEC 62351 Cybersecurity

Legend
• IEC 61970 / 61968 Common Information Model (CIM)
• IEC 62325 Market Communication using CIM
• IEC 61850 Substation, Distribution, DER Automation
• IEC 60870 Telecontrol Protocols (serial/TCP)
• IEC 62351 Security for Power Systems

Page 31

Cyber security in Digital Grids
IEC 62351 provides technical security measures and guidelines

Security means defined for
• Authentication and authorization (RBAC)
• Secure IP-based and serial communication
• Secure application level exchanges
• Security monitoring and eventing
• Test case definition

Guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations

Page 32

Security has to be suitable for the addressed environment

Awareness and Acceptance

Since security is not just a technical solution, which can be incorporated transparently, we need to consider how humans can get along with this issue.

This needs, especially for automation environments, actions for:
• awareness trainings
• help people to understand security measures and processes
• provide user friendly interfaces and processes

Page 33

4 Deep Dive Examples: Security parameter management

Mutual trust based on X.509 key material – A key element in power system security

• Key material in terms of certificates and corresponding private keys as well as the managing infrastructure has been standardized by the ITU-T in X.509. It was also published by the IETF as RFC 5280.
• Based on a key pair, for which the public key has been certified by a trusted third party.
• The certificate binds the identity of the owner to the public key.
• A certificate has a limited lifetime.

Comparable with :

Public Key Certificate
• Subject: Entity’s unique name
• Validity: Period of validity
• Serial Number: 12345
• Subject Public Key
• Extensions: Extended Information
• Issuer: Name of the trust center
• Signature: Signature of trust center

Certificate has one corresponding private key. Its secrecy has to be protected separately.

[Figure labels: entity; entity's identity; goal; public key (Public); private key (Private)]
• A trusted party certifies the connection of an entity identifier and public key
• Cryptography connects the public and the private key
• The entity protects its private key against unauthorized usage by secure storage

Page 34

Handling of X.509 key material through a Public Key Infrastructure (PKI)

Registration & Enrollment | Certification & Revocation | Distribution & Fetching

Diagram labels: Registration Authority (RA); Local Registration Authority (LRA); Certification Authority (CA); Key Generation; Revocation Lists; Key Distribution; Repository / Public Directory

(L)RA
• Registration per ID card through the applying person
• Registration of a device series or single devices through the vendor

Note: Key generation is ideally done on devices

Realization examples

Enrollment
• manual
• automated (SCEP, EST, CMP, CMC)

Revocation
• manual (CRL)
• automated (CRL, OCSP, SCVP)

Fetching
• manual (configuration)
• automated (LDAP, HTTP)

Page 35

Security bootstrapping requires procedural and technical means
and needs to be considered during product design and commissioning

Offline parameter distribution
Engineering tools with security parameter sets directly connected to the device or via a separate network

In-band parameter distribution
Distribution using the same communication channels as used during regular operation, based on pre-configured device identifiers, manufacturer installed security credentials or even liaison devices.

Out-of-band parameter distribution
Separate logical communication channel used to configure security parameters. Devices may already possess a cryptographic credential, which can be provided by the device manufacturer.

Security parameters are the basis for ensuring appropriate protection of communication between different entities as well as services like licensing or anti-counterfeiting.

Setting up security parameters securely is crucial!

Page 36

Application of security parameter on the example of Role Based Access Control (RBAC) for operator and maintainer in power system management

IEC 62351-8 Role-based access control for power system management

There are two mappings to be configured by an administrator:
• Subject-to-role
• Role-to-right

Page 37

Considering the embedding environment during the design of security measures is essential – Example GOOSE

4 Deep Dive Examples: Securing the substation process bus (GOOSE)

Diagram labels: Conventional Wiring; Wiring with IEC 61850; Local HMI; Substation Controller; IEDs, field devices; Firewall; Terminal Server; Application Servers; Station Level; Field Level; DMZ

• Conventional wiring is replaced by Ethernet-based communication using IEC 61850 with Generic Object Oriented Substation Events (GOOSE) and Sampled Values (SV)
• Control model mechanism in which any format of data (status, value) is grouped into a data set and transmitted as a set of substation events, such as commands, alarms, or indications.
• Usage of multicast transfer (device local subscription for events)
• Security requirement: source authentication and message integrity

First solution approach
• Digital signatures of the messages by the sender
• Verification at subscriber / receiver site

BUT
• High performance requirements, e.g., a sample rate of 80 samples per cycle sums up to 4000 packets per second for the common frequency of 50 Hz
• Field tests have shown that the performance of typical field devices does not cope with the signature generation and verification

Page 38

Considering the embedding environment during the design of security measures is essential – Example GOOSE (cont.)

Different cryptographic techniques to achieve
• authentication,
• data integrity, and
• data confidentiality

These techniques differ in
• applicable use cases
• performance
• implementation (HW/SW)
• bootstrapping and impact on deployment environment
• connected processes for key lifecycle handling

Diagram, security services: Data Confidentiality; Data Integrity, Data Origin Authentication; Entity/Source Authentication

Diagram, techniques: One Way Functions (Hash); Symmetric Encryption; Asymmetric Encryption; Symmetric Authentication; Asymmetric Authentication; Key Transport / Key Establishment; MAC: Message Authentication Code; Digital Signatures

Page 39

Considering the embedding environment during the design of security measures is essential – Example GOOSE (cont.)

Second solution approach: Group security
• Rely on entity certificates and digital signatures for the initial key management and utilize a symmetric key for integrity protection in the operational phase
• Key management based on Group Domain of Interpretation (GDOI, RFC 6407)
• IEDs authenticate towards the KDC using IED-specific certificates and corresponding private keys
• Integrity protection by using keyed hashes or symmetric algorithms in MAC mode (e.g., AES-GMAC)
• Copes with performance requirements
• Source authentication during KDC subscription phase
• Communication cannot be traced back to an individual IED

Key Distribution Center (KDC)
• configured data stream related IED access list
• generates data stream related (group) keys GK
• may be collocated with a distinct IED

Message flow (diagram):
• IED A → KDC: SUBSCRIBE {IED-ID_A, Stream-ID, Cert_A} Sig_A
• KDC → IED A: PUBLISH {Stream-ID, Key-ID, GK, Lifetime} Cert_A
• IED B → KDC: SUBSCRIBE {IED-ID_B, Stream-ID, Cert_B} Sig_B
• KDC → IED B: PUBLISH {Stream-ID, Key-ID, GK, Lifetime} Cert_B
• IED A ↔ IED B: Group Data Exchange, MAC with GK
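The group-security scheme of this slide, reduced to its operational phase, as an added example that is not from the original slides: a KDC hands the same group key GK to every IED on a stream's access list, and frames are protected with a keyed hash (HMAC-SHA256 here). Assumptions: the certificate-based SUBSCRIBE authentication and the protected delivery of GK are taken as already done, and the frame layout, class names and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

@dataclass(frozen=True)
class GroupKey:
    stream_id: str
    key_id: int
    gk: bytes
    not_after: float  # end of the key lifetime (epoch seconds)

class KDC:
    """Key Distribution Center with a per-stream IED access list."""

    def __init__(self, access_list, lifetime_s):
        self.access_list = access_list  # stream_id -> set of IED identifiers
        self.lifetime_s = lifetime_s
        self.keys = {}  # stream_id -> current GroupKey

    def subscribe(self, ied_id, stream_id, now):
        # Assumption: the SUBSCRIBE signature was already verified against
        # the IED certificate; only the access-list decision is shown here.
        if ied_id not in self.access_list.get(stream_id, set()):
            raise PermissionError(f"{ied_id} is not on the access list of {stream_id}")
        key = self.keys.get(stream_id)
        if key is None or now >= key.not_after:  # first request, or rekey
            key_id = key.key_id + 1 if key else 1
            key = GroupKey(stream_id, key_id, os.urandom(32), now + self.lifetime_s)
            self.keys[stream_id] = key
        return key

def _tag(key, kid, payload):
    return hmac.new(key.gk, key.stream_id.encode() + kid + payload, hashlib.sha256).digest()

def protect(key, payload):
    """Publisher: payload || Key-ID (4 bytes) || MAC computed with GK."""
    kid = key.key_id.to_bytes(4, "big")
    return payload + kid + _tag(key, kid, payload)

def verify(key, frame, now):
    """Subscriber: return the payload, or None if the frame is rejected."""
    if now >= key.not_after or len(frame) < 4 + TAG_LEN:
        return None
    payload, kid, tag = frame[:-4 - TAG_LEN], frame[-4 - TAG_LEN:-TAG_LEN], frame[-TAG_LEN:]
    if int.from_bytes(kid, "big") != key.key_id:
        return None
    return payload if hmac.compare_digest(tag, _tag(key, kid, payload)) else None

if __name__ == "__main__":
    kdc = KDC({"stream-1": {"IED-A", "IED-B"}}, lifetime_s=60.0)  # constructed names
    key_a = kdc.subscribe("IED-A", "stream-1", now=1000.0)
    key_b = kdc.subscribe("IED-B", "stream-1", now=1001.0)
    frame = protect(key_a, b"breaker=open")  # constructed payload
    print(verify(key_b, frame, now=1002.0))             # accepted
    print(verify(key_b, b"X" + frame[1:], now=1002.0))  # altered frame is rejected
    print(verify(key_a, protect(key_b, b"trip"), now=1002.0))  # B's frame verifies like A's
```

Because every subscriber holds the same GK, a valid MAC proves group membership only, which is the trade-off behind the statement that communication cannot be traced back to an individual IED.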

Page 40

Integration of Distributed Energy Resources (DER) into Grid Control via XMPP influences security requirements

4 Deep Dive Examples: Integration of decentralized energy resources (DER)

Starting point: power system automation using IEC 61850
• Support time critical and non-critical transmissions also over public networks
• Utilize existing IEC 61850 data and communication model from substation automation domain

Diagram labels: Local HMI; Substation Controller; IEDs, field devices; Firewall; Remote Access; Control Center; Untrusted Network; Terminal Server; Application Servers; Operation Level; Station Level; Field Level; DMZ

Enhancements through DER integration
• XMPP selected as transport (in contrast to TCP/IP)
• Data transmitted in XML encoded format instead of ASN.1
• Support of service discovery and presence monitoring
• Firewall friendly

Security enhancements of existing standard necessary, as
• the trust model has changed compared to substation automation:
  - DER is in control of the DER owner
  - XMPP server may be operated by a 3rd party; access to end-to-end data not always wanted!
• currently applied hop-to-hop security through TLS is not sufficient
• end-to-end security is necessary on application layer

Page 41

Integration of Distributed Energy Resources (DER) into Grid Control via XMPP

• Mutual end-to-middle authentication, session integrity and confidentiality of XMPP client – XMPP server or XMPP server – XMPP server communication: Utilize TLS as specified in RFC 6120 for XMPP with the TLS profile defined in IEC 62351-3
• End-to-end authentication and message integrity on application layer using the MMS secure session concept defined in IEC 62351-4: Signed Diffie Hellman Key Agreement and application of negotiated key in MAC calculation and/or data encryption

Message flow (diagram) between Control and Field Device / DER across an Intermediate Node:
• Session Initiate: InitiateRequest enhanced with token, signed
• InitiateResponse enhanced with token, signed
• Request enhanced with token, MAC protected
• Response enhanced with token, MAC protected
• ...

Calculation of session master key based DHSecret based on dhSet parameter and derivation of separate keys for integrity and confidentiality protection

Message structure (diagram): MMS Messages; Crypto Token; SIG/MAC; TCP; IP; (P) S
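The end-to-end part of this slide as an added example, not code from the original slides or from IEC 62351-4: both ends derive a session master key from a Diffie-Hellman secret, split it into separate integrity and confidentiality keys, and MAC-protect a request that crosses an intermediate node. Assumptions: the toy DH group, the HKDF-style derivation, HMAC-SHA256 and all names are chosen for illustration, and the signature over the Initiate tokens that authenticates the DH public values is not shown.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (Mersenne prime 2**521 - 1, base 3) so the example
# needs only the standard library. It is NOT a parameter set for real use.
P = 2**521 - 1
G = 3

def dh_keypair():
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def session_keys(private, peer_public):
    """Session master key from the DH secret, then one key per purpose."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate DH public value")
    dh_secret = pow(peer_public, private, P).to_bytes(66, "big")
    master = hmac.new(b"\x00" * 32, dh_secret, hashlib.sha256).digest()  # HKDF-Extract
    def expand(label):  # HKDF-Expand, one output block
        return hmac.new(master, label + b"\x01", hashlib.sha256).digest()
    return {"integrity": expand(b"integrity"), "confidentiality": expand(b"confidentiality")}

def protect(keys, pdu):
    """Sender: append the MAC computed with the integrity key."""
    return pdu + hmac.new(keys["integrity"], pdu, hashlib.sha256).digest()

def accept(keys, message):
    """Receiver: return the PDU, or None if the MAC does not verify."""
    pdu, tag = message[:-32], message[-32:]
    good = hmac.new(keys["integrity"], pdu, hashlib.sha256).digest()
    return pdu if hmac.compare_digest(tag, good) else None

def intermediate_node(message, old=b"", new=b""):
    """XMPP server after TLS termination: relays, and may alter, the message."""
    return message.replace(old, new, 1) if old else message

if __name__ == "__main__":
    ctl_priv, ctl_pub = dh_keypair()  # control side
    der_priv, der_pub = dh_keypair()  # field device / DER side
    ctl_keys = session_keys(ctl_priv, der_pub)
    der_keys = session_keys(der_priv, ctl_pub)
    request = protect(ctl_keys, b"setpoint=40")  # constructed payload
    print(accept(der_keys, intermediate_node(request)))                # relayed unchanged
    print(accept(der_keys, intermediate_node(request, b"40", b"90")))  # altered in transit
```

Hop-by-hop TLS would not flag the altered request, since the intermediate node terminates both TLS sessions; only the MAC keyed with the end-to-end integrity key exposes the change.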

Page 42

Application of standards and guidelines
Enhancing IEDs in digital substations with cyber security

5 Application Example & Conclusions

• Secure communication (mutual authentication and encryption) between Engineering (DIGSI5) and the IED (SIPROTEC 5)
• Secure maintenance
• Patch management
• Antivirus compatibility
• Connection password according to Regulations and Standards
• Recording of access attempts in a non-volatile security log and IEC 61850 messaging
• Confirmation codes for safety-critical operations
• Product Hardening
• Independent testing
• Secure development
• Digitally signed firmware
• Separation of process and management communication
• Internal firewall
• Crypto-chip for secure information storage

Page 43

Application of standards and guidelines: The transition from digital substations to secure digital substation addresses multiple aspects

Diagram labels: Digital Substation; Secure Digital Substation

Page 44

Siemens Cyber Security Framework –
Defined security measures covering all security aspects

Organizational Security & Processes (People, Policies, Processes, Governance)
• Organizational Preparedness
• Secure Development
• Secure Integration and Service
• Vulnerability and Incident Handling

Products & Systems (Common security technologies need to be implemented and contribute to the overall secure architecture)
• Secure System Architecture
• System Hardening
• Access Control and Account Management
• Security Logging & Monitoring
• Malware Protection
• Backup and Restore
• Secure Remote Access
• Data Protection and Integrity
• Privacy
• Security Patch Management

Energy Management uses these security measures to define security controls based on identified risks

Page 45

Conclusions

• Machine-2-Machine connectivity down to field devices is a major driver for the Digital Grid
• The threat level for critical infrastructures like the Digital Grid is rising and requires appropriate means
• Cyber security has been acknowledged as a prerequisite for limiting risks in, and for supporting, a reliable Digital Grid
• Standardization and guideline activities support the alignment of approaches and support interoperability
• Regulation fosters adoption of security by domain specific requirements (e.g., German IT-Security Law)
• Security-by-Design is essential to provide appropriate security features from the ground up
• Cyber security needs a holistic approach – collaboration between vendors, integrators and operators; taking into account people, processes, and products in the specific domain
• Still, some challenges remain, like the migration from existing, more closed environments to an open environment featuring appropriate cyber security measures

Page 48

Contact Information

Siemens AG
Steffen Fries
Principal Key Expert
CT RDA ITS
Otto-Hahn-Ring 6
81739 Munich
Germany

E-mail: [email protected]
Internet: siemens.com/corporate-technology
Digital Grid: siemens.com/digitalgrid