Security Analysis of Power Control Systems : Emerging Standards and Methodological Issues

Publication REE REE 2005-8
contenu protégé  Document accessible sous conditions - vous devez vous connecter ou vous enregistrer pour accéder à ou acquérir ce document.
- Accès libre pour les ayants-droit


Security Analysis of Power Control Systems : Emerging Standards and Methodological Issues


2.15 Mo


Creative Commons Aucune (Tous droits réservés)
<resource  xmlns:xsi=""
        <identifier identifierType="DOI">10.23723/1301:2005-8/20230</identifier><creators><creator><creatorName>Giovanna Dondossola</creatorName></creator><creator><creatorName>Oliver Lamguet</creatorName></creator><creator><creatorName>Marcello Masera</creatorName></creator></creators><titles>
            <title>Security Analysis of Power Control Systems : Emerging Standards and Methodological Issues</title></titles>
        <resourceType resourceTypeGeneral="Text">Text</resourceType><dates>
	    <date dateType="Created">Wed 11 Oct 2017</date>
	    <date dateType="Updated">Wed 11 Oct 2017</date>
            <date dateType="Submitted">Sun 24 Mar 2019</date>
	    <alternateIdentifier alternateIdentifierType="bitstream">b5b375b4ae7faab29358f6bc3f4a266a535b41eb</alternateIdentifier>
            <description descriptionType="Abstract"></description>

Dossier INFRASTRUCTURES CRITIQUES Security Analysis of Power m Control Systems : Emerging Standards and Methodological Issues Mots clés Security, Monitoring Systems, Standards, Electric Power Systems, Risks Evaluation Par Giovanna DONDOSSOLA', Oliver LAMGUET', Marcelo MASERA 1 CESI - Centro Elettrotecnico Sperimentale Italiano, Italy 1 JRC - Joint ResearchCentreof the European Commission, Italy 1 The evolution of control systems put them at risk of malicious security attacks. Existing standards haven't considered the potential problems. The paper presents a review of standard initiatives, and a security assessment. Introduction Security issues deriving from the massive usage of information and communication devices are an unavoi- dable concern of modern infrastructures. There is a gene- ralized perception (although no major related catastrophe has happened yet) that the probability and potential impact of security breaches have grown heavily in recent years due to the increasing interconnectedness among systems and organisations. It is also recognised that potential chains of events, concatenated across interlin- ked infrastructures, could propagate magnifying the effects of perhaps minor triggering glitches. The primary role played by electric energy and the highly dynamic context that characterises the new econo- mie and organisational models of national deregulated energy markets, put highly critical security issues on the power systems. This requires on the one hand robust technologies and architectures, and on the other effective methodologies for the assessment of the security risks. The importance of the security aspects in the electric power field is confirmed by the constitution of security working groups by standard organisations, such as the Working Group 15 "Data and communication security " (WG15) inside the Technical Committee No. 57 " Power system control and associated coiitîiunications Il of the IEC - International Electro-technical Commission (IEC TC57). IEC TC57 WG15 has published a Technical Report 62210 " Pou,er ssteiii control and associated cotiiiîîtini- cations - Data and communication security " [1] which represents a valuable approach for introducing security in power system control. In this paper we present a contribution to the security analysis of power systems. Section 2 describes and com- ments on the IEC TR 62210 report ; section 3 illustrates key aspects of our methodology under development. A more detailed version of this paper was presented in the -2 "'International Conference on Critical Infrastructures -29ÀIM Les systèmesélectriques utilisentde plusen plus lestechnologies de l'information et de la communication, en particulier pour le contrôle à distance des installations.Cette tendance permet le développement des capacités fonctionnelles et opérationnelles des systèmes, mais s'accompagneégalement d'une augmenta- tion des risques liés à la sécurité informatique des installations. Les organismes de standardisationtravaillent à l'élaboration de nouvellesnormes capablesde faire face à ces problèmes. Il exis- te cependant un besoin pressant de méthodologies spécifiques d'évaluation des risques qui permettent une meilleure compré- hension des systèmes, de leur vulnérabilité, des menaces qui pèsent sur eux et des attaquespotentiellesqu'ils pourraientsubir. SYNOPSIS Electricpower systems are making intensive use of information and communicationtechnologies, including theremote control of installations.The expansionof functional and operationalcapabili- ties is accompaniedby an increaseon security risks. New stan- dards are emerging for coping with this situation. But proper assessmentmethodologiesarerequiredfor understanding the vul- nerabilities,threats and potentialattacksto the systems. REE No 8 Septembre 2005 Dossier INFRASTRUCTURES CRITIQUES organised by the International Institute for Critical Infrastructures (CRIS, http ://, October 25-27, 2004, Grenoble. For information on the conference see the site : http :// 2. Security analysis of Power Systems : The work of emerging standards The application of computer and communication sys- tems for the control and protection of power installations requires the assurance that, in addition to their intended operation, they will not induce failures or allow the intru- sion of malicious agents (e.g. hackers, virus). In this contexte until recently information and communication security analyses were concentrated on internal causes (technical components and human operators), and almost exclusively on accidental faults. The increasing use of public information networks requires the systematic consideration of deliberate threats, and as a consequence a more comprehensive view of security encompassing ail relevant elements (organisational, technical, etc.) of an electric utility. The new risks that can be incurred due to the poten- tial violation of the integrity, confidentiality and availabi- lity of information, need to be analysed for ensuring pro- per countermeasures. These analyses need to examine : . The stakeholders involved in the business and technical processes, and the business processes that interconnect them . The physical and logical assets to be assured . The threats that might produce the risks. A threat is as la potential cause of an unwanted incident which iiia result in harm to a systein or organisa- tion " [2]. A thorough analysis need to consider ail potential threats : from terrorists to hackers, from business espionage to unfaithful employees, from failures in own equipment to failures in public infrastructures . The vulnerabilities of the system, which are the faults that might result in accidental events or that might give place to the materialization of the threats. An attack is the malicious exploitation of vulnerabilities for provoking a deliberate failure . The loss that can be produced by the occurrence of accidental or malicious threats. Losses manifest as direct consequences on the technical system, or as secondary effects at the business level (including e.g. financial losses) . The security actions and counternieaslires put in place for protecting the system. These issues, which are normal elements in the secu- rity analysis of information systems, have not been typi- cally applied in industrial settings - therefore the need to develop specific methodologies that could provide appro- priate answers. In the power sector, WG15 specifically addresses those needs. In IEC TR 62210, WG15 proposes an approach for the security analysis with special focus on the communi- cation protocols defined by that committee, including the series IEC 60870-5 (transmission protocols)/-6 (telecon- trol protocols compatible with ISO standards and ITU-T recommendations), IEC 61334 (distribution automation using distribution line carrier systems), and IEC 61850 (communication networks and systems in substations). Having developed a conceptual framework and a methodology for the security analysis of power control systems [5], we carried out a constructive review of that report. The comments proposed in this section should be intended as a contribution for a mutual enhancement of both approaches. The expected result is to support the attainment of the best possible standards linked to appro- priate security analysis methodologies. 2.1. Comments and suggestions The report IEC TR 62210, issued in May 2003, applies to computerised supervision, control, metering, and protection systems in electrical utilities. It deals with the security aspects related to communication protocols used within and between such systems, the access to, and use of the systems. The report is intended to present recommendations to IEC TC57 and, consequently ail its WGs, but clearly indicates that the work is not complete and should be viewed as the foundation for future work. From the conceptual side, the start point is that secu- rity is an integral part of corporate processes, and that the security processes of an electric utility " involves the cor- porate security policy, the communication network secu- rity and the (ead-to-end) application security ". Therefore, the results of a security analysis have an influence on ail elements of what is called the " Corporate security process ". This goes beyond the company's boundaries, as it also includes, for instance, the developers and vendors of computing and network components. The reference to the corporate security policy exceeds the normal contents of this kind of technical standards- related report. But the loop between policy decisions (e.g. acceptable residual security risks, threats considered, assignments and responsibilities, etc.) and technical deci- sions (means for restricting access to hosts, authentica- tion, etc.) cannot be ignored. There is a strong mutual influence that is decisive for the resultant security, influence that is evident, for instance, in the privileges for remotely accessing applications. About information network topologies and architec- tures, whose weaknesses relates to the main malicious REE N 8 Septembre 2005 Security Analysis of Power Control Systems : Emerging Standards and Methodologicallssues and accidental threats, it asserts that " at the highest level, any interface point... between business entities oftèrs a high probability for a sectiriry-related event to occur ". This further expands the context of the security conside- rations, taking into account the relationships between the utility control functions and the utility business functions, and their links with customers (for business and technical activities) and third parties (e.g. power brokers, metering services). This point, crucial for the future power indus- try, has to be the object of further detailed considerations. The approach to analysis of security is denominated " user consequence based ". This is explained on the basis that the importance of security risks, and therefore the effort and resources that a corporation will invest for countering them, is proportional to the consequences that they might cause to the users'business or related inter- ests. Although this statement is irrefutable, we consider that an analysis "based upon stakeholders and conse- qttences ", has to be completed with a consideration of the vulnerabilities of organisational and technical systems. 3. CESI-JRC approach The methodological approach presented hereafter is a revision of a previous work [5, 61, takiner up ideas expres- sed in the technical report IEC TR 62210, and taking into account the more commonly applied security standards : Common Criteria [3] and ISO/IEC 17799 [2]. Our methodological approach aims at setting a solid conceptual framework for the security assessment of power systems. At the same time it is methodologically- oriented, as the final objective is to develop techniques and procedures for the analysis of security vulnerabilities and threats, and the evaluation of potential consequences and losses caused by security breaches. The methodolo- gy applied to a particular system produces a list of system failures and aims at the definition of security require- ments which could prevent the system from security breaches. The object of our approach is power systems as users of information and communication technologies. In a first phase, we are concentrating our effort on SCADA and Distribution Management Systems. 3.1. A risk-oriented view The main motivation for power companies being concerned with security events is that information-related breaches could bring about intolerable risks such as safe- ty-related accidents, or damages to business elements (properties, image, customer relations). A second reason is that some of those events could yield negative conse- quences to society at large, in which case governments will require an adequate protection as for other major hazard risks. Risk assessment can provide a systematic way for understanding ail the factors that might contribute to an unacceptable failure, and the consequences that might be engendered. Risk can be defined as "An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerabi/ity with a particular harmful result " [14]. The scope for a security risk analysis in the energy sector is inadequately understood. Currently there is no standard of reference for dealing with this situation, and practices that are normal in the field of information sys- tems cannot be fully extrapolated to cover the technical part. There are many differences that demand a specific treatment : functional and safety concerns, continuity of operations, IT practice (e.g. with respect to patching), etc. t Therefore there is the need to link the corporate secu- rity policy with the security of the technical components, by considering both the electric power security [8] and the electronic security, [5], [6], [7], [9], [10], [11]. The framework for this can be given by the standard ISO 17799 [2], vastly used for information systems. According to this standard, the links between securi- ty policy, security management and risk assessment are represented in Figure 1. C'orporatc policics amiculture Contracts Legal requirements Security Policy Risk Assessment i Poenuat IOSS -. ! css loss Policy evaiuauon Securitv Management Technicaand ornanisationa) 1 measures ITl ( ;i1S171-OS Event prubabilily TliieLits Figure 1. Security Polic3, Maiiagenieiit and Risk Assessnient. For the technical components, the more convenient frame of reference is offered by the Common Criteria - CC standard [3], which sets principles for the security evaluation in the light of systems procurement. It requires the identification of threats and risks but does not give a precise definition of these concepts. It characterises a threat in terms of a threat agent, a presumed attack method, any vulnerabilities that are the foundation for the attack, and the identification of the asset under attack. Figure 2 illustrates the position of our approach with respect to the standard security analysis process, and the links with the standards 17799 and Common Criteria. REE N 8 Septembre 2005 Dossier INFRASTRUCTURES CRITIQUES The approach considers potential risky situations affec- ting the system under study and derives the security fai- lures that are significant. This is a central step required by both standards. Our risk-oriented approach consents to deal concur- rently with both safety and security concerns. Six risk attributes are proposed to be used for guiding the risk analysis. The three traditional security attributes availabi- lity, confidentiality and integrity are amended with the attributes privacy and accountability plus safety, provi- ding a comprehensive view of dependability issues [4] : . Availability : Readiness for usage of the assets . Confidentiality : Avoidance of disclosure of assets to unauthorised persons or systems . Integrity : Avoidance of malicious or other inad- vertent modification or destruction of assets by unauthorised persons, programs or systems . Privacy : Avoidance of abuse of personal informa- tion of a single individual . Accountability : Avoidance of the denial of res- ponsibilities for tasks or actions on assets . Safety : Avoidance of physical harm to persons. Assets Vulnerabilities Threats Loss Security Failures Security Objectives & Requirements System Architecture -rabilities/f_ \=J Data Sources Sourccs Corporate Attacks Security Policy (7799) I I rcs Security [71 M. WILIKENS, M. MASERA, A. EL ABJANI, " Phase 2 : Security technologies ", Attachment to the Report " Infrastrutture di Prova per le Funzioni di Affidabilità e Sicurezza " of the Project COMUNICA, COMUNICA/VUL- NERA/2003/04, June 30, 2003, Ricerca di Sistema [8] G. VIMERCATI " Identificazione di eventi e fenomeni critici per la sicurezza della rete : strategie di controllo del sistema elettrico nel contesto del/'accesso liberallzzato alla rete di trasmissione ", Report of the Project SICURE (in Italianl, SICURE/SICURE/2002/14, June 30, 2003., Ricerca di Sistema [9] R. CARLSON " Sandia SCADA Program High-Security SCADA LDRD Final Report " Sandia National Laboratones Report SAND2002-0729, April 2002. [101 A. RISLEY, J. ROBERTS, P. LADOW, " Electronicsecurityof real-time protection and SCADA communications ", Schweitzer Engineering Laboratories, SEL 2003 Inc. Pullman WA USA. [111 J. FALCO, K. STOUFFER, A. WAVERING, F. PROCTOR Security for Industrial Control Systems " Intelligent Systems Division, National Institute of Standards and Technology (N ! ST) Gaithersburg, MD, ln coordination with the Process Control Security Requirements Forum (PCSRF) http :// R. SHIREY, " Internet Security Glossary ", RFC 2828, The Internet Society (http ://www.isoc.orgl, 2000. Ei Ed L'I Giovanna Dondossola is senior researcher at the Automation and Information Department of CESI, Milan, Italy. Since 90 she has been working for research companies of the ENEL group in the field of specification and development of advanced control systems for power stations. Currently she leads European Projects and National activities on dependability and cyber secu- rity of power network control Systems. She is author of about 30 papers published in international conferences proceedings. She is member of the Cigré Working Group D2/B3/C2-01 on Security for Information Systems and Intraneis in Electric Power Systems. Olivier Lamquet received the French Certified Engineer degree from ENSMN, Mines de Nancy, in 1998. Formerly R&D Engineer in a French Electric company, he was interested in the develop- ment of models to simulate processes and controls of large power plant. He joined CESI in 2001 as an external consultani in processes and controls In 2004 he was inserted into CESI orga- nisation in the Automation & Information Technology Department. His current interest is for renewable energy sys- tems, distributed generation and storage, methodologies for electric infrastructure security analysis. Marcelo Masera is a research officer of the European Commission, working for the Institute for the Security and Protection of the Citizen of the Joint Research Centre, Ispra, Italy, since November 2000. His background is on Electrical and Electronics Engineering, and he has 25 years of professional experience in dependability engineering. REE Nn 8 Septembre2005