Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, 14.11.2013 Cyber Security - Secure communication design for.

Presentation transcript:

Sukumara T, Janne S, Kishan SG, Harish G, Eashwar / Presented to CIGRE Colloquium, Mysore, 14.11.2013 Cyber Security - Secure communication design for protection & control IEDs in sub-stations D2-02_17 November 21, 2018

Table of contents
Introduction
Network Communication and Protocols
Communication Security
Security Architecture Design in IED
Conclusion

Introduction

Introduction: Substation as an Energy and Information Hub
A substation does not just deliver energy at a certain voltage level; it also transfers the information needed for effective monitoring and control of the power system.

Introduction: Numerical Relays (IEDs), an essential part of the power system
IEDs are the first-level intelligent devices in a substation or power system network. IEDs not only perform protection, control and monitoring of the power system but also play a crucial role in post-fault power restoration and self-healing networks, with the help of the supporting communication network, which is an integral part of the smart grid vision and framework.

Introduction: IED’s communication environment
The IED’s communication environment includes SCADA communication for local/remote monitoring and control, operational data to remote control centers, bay-level and process-level data exchange between IEDs, remote configuration and firmware update, fault/disturbance analysis data for maintenance centers, etc.

Introduction: Information Security in IEDs
Avoid denial of responsibility: Non-repudiation
Avoid denial of service: Availability
Avoid unauthorized modification: Integrity
Avoid disclosure: Confidentiality
Avoid spoofing / forgery: Authentication
Avoid unauthorized usage: Authorization
Avoid hiding of attacks: Auditability
Security is not just Antivirus / Firewall

Network Communication and Protocols

Network Communication and Protocols: Network Communication Architecture in IED
IEDs in Substation and Distribution Automation Systems communicate with remote gateways and controllers mostly through Ethernet and TCP/IP based communication protocols these days. Some of these protocols are specific to the power system domain and some are generic protocols.

Network Communication and Protocols: Operational & Engineering/Configuration Protocols
From a power system network communication perspective, operational protocols exchange real-time information for monitoring and control purposes continuously and consistently throughout. Ex: 61850, 3.0, -TCP, 60870-5-104 etc.
Engineering/configuration protocols are used for retrieving data such as historical events, fault/disturbance records for analysis, device health/prognosis parameters, IED parameterization/configuration data, firmware loading, some basic monitoring for a certain period of time, etc. Ex: FTP, HTTP, ODBC etc.
For example, web server support in an IED shall use the HTTP protocol when communicating with remote web clients such as Internet Explorer, Firefox or Chrome browsers for monitoring and some basic configuration purposes. They also enable connectivity to external networks such as the office intranet and the internet.

Communication Security

Communication Security: Securing the Substation Communication Network
The main idea of communication security is to create a secure channel over an unsecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks. Designing a robust security architecture in the IED should also be complemented with a robust and secured network setup when we are connecting our substation system to an external internet network.

Communication Security: Defense-in-Depth Approach
Substation network architecture must be based on the approach of “defense-in-depth”, which advocates the use of multiple layers of protection to guard against the failure of a single security component. Secure communication is just one part of this approach.

Communication Security: Standards and Regulations

Communication Security: Security Protocols (SSL/TLS vs. IPsec)
Securing data over the network involves ensuring the CIA triad (Confidentiality, Integrity and Availability), which requires a strong authentication and encryption algorithm. The most famous and widely deployed security tools are “SSL/TLS” (Secure Socket Layer/Transport Layer Security) and “IPsec”. “SSL/TLS” is implemented at application level (between the application and transport layers). TLS-based systems are more interoperable than IPsec-based secured devices. Since interoperability is a critical requirement in the substation automation domain, a TLS-based secure communication design is the better option for IEDs in the power system domain.

Communication Security: SSL and application protocols in IED
A secure socket layer is introduced between the traditional application layer protocols of the power system domain and the TCP/IP layer in the network layer architecture. In implementation, there will be a common wrapper for the SSL stack with a set of common interfaces to provide transparent access to the SSL layer. This wrapper can be extended to support the security of other protocols. This approach makes it possible to adapt the solution in future depending on the IEC 62351 standard.

Security Architecture Design in IED

Security Architecture Design in IED: SSL Layer adaptation in IED Architecture
From the perspective of information exchange over an Ethernet network, IEDs in the substation are the source of information. IEDs provide real-time data to local and remote clients such as SCADA systems, control centers, web clients etc. So, from a network socket communication perspective, IEDs naturally act as socket servers and remote systems are socket clients.
Enabling/disabling the secure communication option locally in the IED provides local control and decides the data exchange mode.
Input validation at the first entry point of the application layer protocols is critical in secure IED design.

Security Architecture Design in IED: SSL handshaking process
The exchange of information such as SSL version support, cipher suite selection, key exchange and certificate handling is part of this handshaking process. Once handshaking has completed successfully, a valid and secure session is created for further data exchange. The SSL handshaking process is an independent activity, and each application module/session will have a separate handshaking process within the IED.
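
Added example (not part of the original presentation): the version and cipher suite step of the handshake described above, written in Python as a server-side check on an incoming ClientHello, with the length validation a first entry point needs. The minimum version, the suite allow-list and all function names are assumptions for illustration; the sample messages are constructed by build_client_hello.

```python
import struct

# Assumed IED policy (not from the slides): refuse anything below TLS 1.2 and
# accept only suites on this allow-list (IANA cipher suite ids).
MIN_VERSION = 0x0303
ALLOWED = {0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
           0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
           0xC030: "ECDHE-RSA-AES256-GCM-SHA384"}

def parse_client_hello(record: bytes):
    """Return (client_version, [suite ids]); raise ValueError on malformed input."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if ctype != 22 or rec_len != len(body):
        raise ValueError("not one complete handshake record")
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:]
    if int.from_bytes(body[1:4], "big") != len(hello) or len(hello) < 35:
        raise ValueError("bad ClientHello length")
    version = int.from_bytes(hello[:2], "big")   # stays 0x0303 for TLS 1.3 clients
    pos = 35 + hello[34]                         # skip 32-byte random + session id
    if hello[34] > 32 or pos + 2 > len(hello):
        raise ValueError("bad session id")
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher suite list")
    suites = list(struct.unpack(f"!{cs_len // 2}H", hello[pos:pos + cs_len]))
    return version, suites

def negotiate(record: bytes):
    """Decision for one ClientHello: ("accept", suite) or ("reject", reason)."""
    version, suites = parse_client_hello(record)
    if version < MIN_VERSION:
        return ("reject", "protocol version below TLS 1.2")
    for suite in suites:                         # honour client preference order
        if suite in ALLOWED:
            return ("accept", ALLOWED[suite])
    return ("reject", "no acceptable cipher suite")

def build_client_hello(version: int, suites):
    """Constructed sample input: minimal ClientHello, zero random, no extensions."""
    hello = struct.pack("!H32sB", version, bytes(32), 0)
    hello += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```

A client offering SSL 3.0 (0x0300), or only RC4/3DES suites (0x0005, 0x000A), is rejected before any session state is created.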

Security Architecture Design in IED: Secured IED Configuration and Monitoring
IEDs support the FTP protocol mainly for transferring device configuration information, disturbance record data, trend/load profile data, history logs and operation event information. IEDs also support basic parameterization, control and monitoring through web clients using the HTTP protocol. Concepts like remote diagnostics, configuration and maintenance services are catching up in the power systems automation domain. Hence it is essential to secure the protocols used for the above purposes.

Security Architecture Design in IED: Secure Certificates
In a substation automation/power system network, before an IED makes a secure connection to another system over a network, a valid SSL certificate must be installed/available in the IED. An SSL certificate can be either a self-signed certificate or a trusted CA certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides. The IED could generate its own self-signed certificate, or the trusted static CA certificate could be ported to/stored in the IED’s flash memory.

Security Architecture Design in IED: FTPS

Security Architecture Design in IED: HTTPS

Security Architecture Design in IED: Managing System Resources: Security vs. Performance
The IED architecture design needs to consider how many secure application protocol sessions can be supported with the available system resources such as runtime memory, CPU processing capability, network bandwidth etc. Cyber security features take considerable system resources such as CPU power, memory, bandwidth etc. The IED architecture needs to consider these characteristics and constraints and optimize the design so that system performance, availability and reliability are maintained while supporting the cyber security features.
CPU Processing Runtime Memory Network Storage

Conclusion
The cyber security environment is highly dynamic; development efforts should be constantly vigilant, check for technology trends and rebuild strong security mechanisms. The secured communication mechanism can be developed using available security technologies and seamlessly integrated into the IED architecture to realize certain cyber security requirements. The security architecture should adopt a “defense-in-depth” strategy, where each system component is an active participant in the creation of a secured system, in order to overcome the threats and build strong and robust power system networks.