ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, 15-16 September 2014) Smart Grid cyber security within IEC TC57 WG15 Fernando Alvarez, Cyber Security Technical PM ABB Switzerland Geneva, Switzerland, 15-16 September 2014 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 2 Cyber Security – Essentials without / before IEC 62351 Physical perimeter protection Fences, gates, motion sensors, cameras Electronic perimeter protection Firewalls, VPN Antivirus and IDS Unused ports & services disabled Debug services, USB ports, etc. Robustness tested releases No device crashes due DOS attacks Geneva, Switzerland, 15-16 September 2014 3 Cyber Security – Essentials Is all this enough? Geneva, Switzerland, 15-16 September 2014 4 IEC 62351 – Even more essential Geneva, Switzerland, 15-16 September 2014 5 IEC 62351 – Even more essential Secure the protocols w/authentication+ Distributed Energy Resources (DER) Electric Vehicle Back Office Market System DER Generator IEC 61850-7-420 DMS EMS Apps. Apps. IEC 61970 IEC 61968 Communication Bus IEC 61970 IEC 60870-6 TASE.2/ICCP IEC 62351 Cybersecurity SS-CC IEC 61850 60870-5-101/104 IEEE 1815 (DNP3) IEC 60870-5-102 IEC 61850-7-410 SCADA Hydro systems Hydroelectric/ Gas Turbine Power Plants Substations / Field Devices IEC 6185090-5 Turbine and electric systems IEC 61850 Control Center B IEC 61968 DER Storage Control Center A IEC 62325 IEC 61850-90-7, 8, 9, 10, 15 RTUs Substation Automation Systems IEC 60870-5-103 PMUs IEC 61850 Protection, Control, Metering SS-SS IEC 61850 GOOSE, SV IEC 61850 Switchgear, Transformers, Instrumental Transformers Geneva, Switzerland, 15-16 September 2014 6 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 7 Mission and Scope of TC57 WG15 on Cyber Security Undertake the development of standards for security of the communication protocols defined by the IEC TC 57 Specifically the IEC 60870-5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series, and the IEC 61968 series. Undertake the development of standards and/or technical reports on end-to-end security issues. IEC 62351 Geneva, Switzerland, 15-16 September 2014 8 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 9 TC57 WG15 Members 76 members Participants from 22 countries Argentina Canada China Croatia Czech Republic Denmark Finland France Germany Great Britain India Japan Geneva, Switzerland, 15-16 September 2014 10 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 11 Mapping of TC57 Communication Standards to IEC 62351 Security Standards IEC TC57 Communication Standards IEC 62351 Security Standards IEC 62351 Part 1: Introduction IEC 62351 Part 2: Glossary IEC 62351 Part 4: Profiles including MMS IEC 61850 over MMS IEC 62351 Part 5: IEC 60870-5 & Derivatives IEC 61850 GOOSE & SV IEC 62351 Part 6: IEC 61850 Profiles IEC 61970 & IEC 61968 CIM IEC 62351 Part 9: Cybersecurity Key Management IEC 60870-5-101 & Serial DNP3 IEC 62351 Part 8: Role-Based Access Control (RBAC) IEC 60870-5-104 & DNP3 IEC 62351 Part 7 Object Models for Network Management IEC 62351 Part 3: Profiles including TCP/IP IEC 62351 Part 11: Security for XML Files IEC 60870-6: TASE.2 (ICCP) IEC 62351 Part10: Security Architecture Guidelines for TC57 Systems Geneva, Switzerland, 15-16 September 2014 12 IEC 62351 Parts & Status IEC 62351 Part Released Activities (by May 2014) IEC/TS 62351-1: Introduction IEC/TS 62351-2: Glossary of terms 2007 2008 Review Report pending IEC/TS 62351-3: Security for profiles including TCP/IP IEC/TS 62351-4: Security for profiles including MMS 2007 Ed. 2: Responses to Comments on CDV being developed Starting Edition 2 After amendment process was rejected, the decision was made to start Edition 2 IEC/TS 62351-5: Security for IEC 60870-5 and derivatives 2009 IEC/TS 62351-6: Security for IEC 61850 profiles: GOOSE & SV 2007 IEC/TS 62351-7: Objects for Network Management IEC/TS 62351-8: Role-Based Access Control : RBAC IEC/TS 62351-9: Key Management 2010 IEC/TR 62351-10: Security Architecture IEC/TS 62351-11: Security for XML Files PWI: Resiliency and Security for power systems with DER PWI: Conformance Testing for IEC 62351 2007 2011 Pending 2012 Pending DC Pending NWIP Pending PWI: IEC 62351-90-1: Guidelines TR Pending Geneva, Switzerland, 15-16 September 2014 for Using Part 8 RBAC Ed. 2 released April 2013 Ed. 2 planed: Updates underway, based on security requirements in IEC 61850-90-5 Working on Ed. 2: Responded to comments on RR changing TS to IS Working on Ed. 2: Discussions on developing categories of roles Working on Ed. 1: 1st CD issued August 2013; Responses submitted Feb 2014. 2 nd CD planned TR published Oct 2012 No further work planed. Working on Ed. 1: Developing CD for WG15 review by May 2014 Need broader review by WG17 & 21 before submittal as TR as 62351-12 Pending Work in progress Planned Release Pending Submitted as CDV by Dec 2012, FDIS Dec 2013, IS Ed. 2 by 2014? Comments on Q rec’d Dec 2013 Ed. 2: CD 6/2015, CDV 3/2016, FDIS 6/2016, IS Jun 2017 TS Released April 2013 Possible clarifications RR to be issued mid-2014, to be released in parallel with Part 4 CD 9/2014, CDV 6/2015, FDIS 3/2016, IS 9/2016 Planning IS in 2014/15 after TR 90-1 issued 2nd CD August 2014, CDV in (early) 2015 and IS in (late) 2015 Done CD 6/2014, CDV 2/2015, FDIS 12/2015, IS 6/2016 Review in WG17 and WG21, Circulated in WG19 early 2014 Pending Pending 13 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 14 TC57 Security (IEC 62351) Roadmap Completed • Ed. 1 of Parts: 1, 2, 3, 4, 5, 6, 7, 8, and 10 – finalized as TRs or TS • Ed. 2 of Part 5 Updates in Process Potential New Work • Part 2 Glossary: adding amendments probably update in 2014 • Part 3 Security using TLS: Submitted as FDIS Dec 2013 as IS by 2014 • Part 4 Security for MMS: Edition 2 started • Part 6 on IEC 61850: GOOSE & SVs. Updates to equivalent to IEC 61850-90-5 • Part 7 Network and System Management: update process to Ed 2 started in 2013 • Part 8 developing TR 62351-90-1 as Guidelines for using RBAC • Part 9 Key Management: CD issued in August 2013; comments being addressed • Part 11 Security for XML Files: in progress • Resilience and Security for DER systems and other field devices (collaborate with WG17 and WG21 as appropriate) • Conformance Testing TR Geneva, Switzerland, 15-16 September 2014 • Profiles for web services including XMPP (once the requirements are determined in the IEC 61850-8-2 development) • Metering (collaborate with TC13) • Explore customer premises security issues with WG21 15 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 16 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 17 IEC 62351-7 ~ Standardized Network and System Management Network and system management (NSM) data object models Using Simple Network Management Protocol (SNMP) Coherent status and monitoring data of the power infrastructure/grid Different grid areas, diff. comm. channels, network segments, different protocols, etc. Geneva, Switzerland, 15-16 September 2014 18 IEC 62351-7 Network and System Management S e c u r ity M o n ito r in g A r c h ite c tu r e , U s in g N S M D a ta O b je c ts C o n tro l C e n te r T A S E . 2 lin k t o E x te rn a l S y s te m s E n g in e e r in g S y s te m s H is t o r ic a l D a t a b a s e a n d D a ta In te rfa c e ID S F ir e w a ll F ir e w a ll S e c u r it y C lie n t O p e ra to r U s e r In te rfa c e S C A D A S y s te m ID S W AN Legend: S u b s t a t io n F ir e w a ll C lie n t s ID S S e c u r it y S e rv e r S e rv e rs S u b s t a t io n M a s te r C a p a c it o r B a n k C o n t r o lle r O th e r F ir e w a ll PT N S M D a t a O b je c t s C ir c u it B re a k e r I n t r u s io n D e t e c t io n S y s te m (ID S ) Geneva, Switzerland, 15-16 September 2014 CT P r o t e c t io n R e la y Load Tap C hanger A u to m a te d S w it c h V o lt a g e R e g u la t o r F e e d e rs 19 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 20 IEC 62351-8 ~ Standardized Role-Based Access Control Standardized Central User Account Management in the automation, industrial, embedded world Standardized RBAC (Role Based Access Control) User tokens : X.509 certificates User certificates specify user’s roles, roles grouped in AoRs Pull (e.g. LDAP) & Push (e.g. SmartCards) methods supported Geneva, Switzerland, 15-16 September 2014 21 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 22 IEC 62351-9 ~ Standardized Key Management Methods Device/user X.509 digital certificates PKI methods and protocols Full key life cycle : from Creation until the end-of-life GDOI (distribution of symmetrical keys) Geneva, Switzerland, 15-16 September 2014 23 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 24 Liaisons with Other Security Activities Liaison with ISO JTC 1 / SC 27 IT Security: WG15 has provided lists of Smart Grid security standards & documents to SC27. WG15 has reviewed documents of the 270xx series on general cyber security. WG15 welcomes the publication of ISO/IEC TR 27019. SC27 liaison : SC27 expects to attend additional WG15 meetings Liaison D with M/490 SGIS: WG15 is exchanging information with SGIS Liaison D with UCAIug: Discussions with SG-Security in UCAIug are underway. Liaison A with IEC TC65C which is standardizing the work of the ISA SP99 Security Standards. Some WG15 members have reviewed and commented on IEC 62443 drafts Liaison D with the IEEE PES PSCC Security Subcommittee Working with IEEE Substations on Cybersecurity Standard IEEE 1686 Geneva, Switzerland, 15-16 September 2014 25 Coordination with Security Groups Coordination mostly through common membership: NIST’s Smart Grid Interoperability Panel (SGIP) Smart Grid Cybersecurity Committee (SGCC) (used to be called CSWG) SGIS NERC CIPs Cigré D2.34 MultiSpeak Security / Security for Web Services (e.g. WS-Security) NESCOR IEC TC13 ITU-T Geneva, Switzerland, 15-16 September 2014 26 Topics Industrial Cyber Security Essentials Mission and Scope of TC57 WG15 Members IEC 62351 Parts & Status IEC 62351 Roadmap About IEC 62351 Parts 7, 8 and 9 Liaisons and Coordination Standardization Issues Geneva, Switzerland, 15-16 September 2014 27 Cyber Security Standardization Issues Although we have cybersecurity experts, they are very busy Cybersecurity is a very dynamic, rapidly changing field which is quite new for the power & automation industries Need to coordinate with other industries and standards groups Need rapid development of new standards and updates to existing standards Need guidelines for end-to-end security, but only for very specific aspects Need both standards and technical reports Need input from power system domain experts on security requirements Need conformance and/or interoperability testing for IEC 62351 Abstract conformance test cases should be in each Part, with IEC 61850-10 providing specifics for 61850 Interoperability testing? Geneva, Switzerland, 15-16 September 2014 28 Questions? Comments? Geneva, Switzerland, 15-16 September 2014 29 Thanks Geneva, Switzerland, 15-16 September 2014 30 Geneva, Switzerland, 15-16 September 2014 31