CHPCOM project
CHPCOM Combined Heat and Power Communication
IEC 61850-based data communication in a Danish context

Securing Critical Infrastructure Communication
Søren Peter Nielsen – Rump session at Modern Identity Management Solutions, 2. december 2014
2. december 2014 Modern Identity Management Solutions 1

• Securing Critical Infrastructure Communication
  – Context
• Moving from software to cyber-physical systems
  – Examples of things that are different

Danish Electricity Producers with growing communications demands
[Figure: a Danish CHP producer's environment. Elements shown: Solar heat, Accumulator, Electric Boiler, Power plant, Generator, District heat, Power sale / buy, Power Market, TSO (supply of services), Balance responsible, Control, Data, Internet; "Supplying the grid with ancillary services".]

CHPCOM Concept
[Figure: the same environment with the CHPCOM additions: Measurement, Technical control, Open standard IEC 61850, New COM, Flexibility Market, Aggregator, Local resources for local grid management, DSO/DNO as a new role.]

The SKIES landscape
[Figure: SCADA side (SCADA, SCADA frontend, SCADA DB, 61850 GW, 61850 DB, RTU) and PKI components (CA, RA, Directory). MMS traffic passes through a "SecureMMS Component" providing RBAC and s/MMS, then through a Firewall to the INTERNET as s/MMS.]

The SKIES landscape – Basic flow
[Figure: RA, CA, Server security gateway and Client security gateway exchanging s/MMS.]
Special CIP requirements in relation to PKI
• Safety considerations
  – Smart Grid PKI must consider the risk associated with a security protocol failing. This can include protocols such as password lockouts, certificate expiration, or time-stamp mismatch. The PKI should still notify operators of these failures, but it may not be appropriate to fail the protocol, especially for critical power grid equipment.
• High Availability
  – PKI should avoid having a single point of failure
  – The various components of the PKI must also be able to operate independently for extended lengths of time when regular communications are disrupted.
  – E.g. a local cache of authentication information will allow the PKI to operate disconnected from the authentication server for an extended period of time
• Real-Time Operation
  – Security protocol behaviors should be defined in the event that the system does not meet a real-time requirement
  – need to be designed with local information stores and use of caching
• Upgradeable
  – must be able to update the technologies used in the PKI with minimal impact on the (long life HW) system
Source: "Adapting PKI for the Smart Grid" by Todd Baumeister, 2011

One implication
– Examples of failures that must NOT be met with a HARD STOP in this case
• Unable to build trust path to a trusted root CA
• Certificate not yet valid or expired
• Certificate revoked
• Certificate or subject in certificate not on trusted whitelist
• Missing mandatory certificate extensions
• Invalid certificate extension (e.g. CA=false in the basicConstraints extension of an intermediate certificate)
• Unknown or wrong CP reference in certificate
• Unknown critical extensions
• Unaccepted use of cryptographic algorithms (e.g. small RSA key pairs, MD5 hashing)
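As an added illustration (example code, not from the slides or the CHPCOM project), the Python below runs the checks in this list over a constructed summary of what a chain validator found and contrasts the classic PKI verdict with the CIP-mode verdict: every finding still reaches the operators, but in CIP mode it does not tear the session down. The dict field names and the accepted CP OID are this example's own placeholders.

```python
from datetime import datetime, timezone

ACCEPTED_CP_OIDS = {"1.2.3.4.5.6.7"}  # placeholder CP OID, not a real policy

def check_certificate(c: dict, now: datetime) -> list:
    """Run the checks from the slide over a (constructed) dict of facts a
    chain validator would produce; return the list of failures found."""
    f = []
    if not c["chain_to_trusted_root"]:
        f.append("unable to build trust path to a trusted root CA")
    if not (c["not_before"] <= now <= c["not_after"]):
        f.append("certificate not yet valid or expired")
    if c["revoked"]:
        f.append("certificate revoked")
    if not c["on_whitelist"]:
        f.append("certificate or subject not on trusted whitelist")
    if c["missing_mandatory_extensions"]:
        f.append("missing mandatory certificate extensions")
    if c["is_intermediate"] and not c["basic_constraints_ca"]:
        f.append("invalid basicConstraints: CA=false on an intermediate")
    if c["policy_oid"] not in ACCEPTED_CP_OIDS:
        f.append("unknown or wrong CP reference in certificate")
    f += ["unknown critical extension " + e for e in c["unknown_critical_exts"]]
    if c["rsa_bits"] < 2048 or c["sig_hash"].lower() == "md5":
        f.append("unaccepted cryptographic algorithm (small RSA key or MD5)")
    return f

def decide(findings: list, cip_mode: bool) -> tuple:
    """Classic PKI: any finding is a hard stop. CIP mode: keep the session
    up but raise an operator alert for every finding (the slide's point)."""
    if not findings:
        return "ACCEPT", []
    if cip_mode:
        return "ACCEPT_WITH_ALERTS", ["OPERATOR ALERT: " + x for x in findings]
    return "REJECT", findings

# Constructed sample: an expired, MD5-signed client certificate that is
# otherwise in order. Field names are this example's own.
NOW = datetime(2014, 12, 2, tzinfo=timezone.utc)
SAMPLE = {
    "chain_to_trusted_root": True, "revoked": False, "on_whitelist": True,
    "not_before": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2014, 1, 1, tzinfo=timezone.utc),
    "missing_mandatory_extensions": False, "is_intermediate": False,
    "basic_constraints_ca": False, "policy_oid": "1.2.3.4.5.6.7",
    "unknown_critical_exts": [], "rsa_bits": 2048, "sig_hash": "md5",
}

if __name__ == "__main__":
    verdict, alerts = decide(check_certificate(SAMPLE, NOW), cip_mode=True)
    print(verdict, *alerts, sep="\n")
```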
Roles
• Communication is from machine to machine
• IEC standard says use RBAC with predefined roles on server side to supply privileges to client

Roles
• Ways to transfer client role info:
  – Embedded in Client M2M certificate
  – Embedded in separate Attribute Certificate to be transferred together with Client M2M certificate
• HMM?
  – No (SAML-like) envelope to transfer role info in?
  – Every time a role assignment is updated new certificates must be issued?
  – Mixing Authentication and Authorization!

Roles
• WELL
  – Role is not attached to a person, but to a Device in an Organisation – much more stable assignment
  – Of the predefined roles only two are relevant for the Operations communication – manageable granularity
    • Viewer – Read
    • Operator – Read/Write
  – High Availability is required
    – If role info is transferred via an alternate channel and this is not available what to do?

• Think different about
  – PKI requirements
  – Role based access control
• When dealing with critical cyber-physical infrastructure

Contact info: Søren Peter Nielsen
dk.linkedin.com/in/sorenp
twitter.com/sorenp
spn@nine.dk
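The two ways of carrying client role information from the Roles slides, and the open question of what to do when the alternate channel for an attribute certificate is unavailable, worked as added example code (not from the slides or CHPCOM). The `role` attribute name, the fetch stubs and the cache-with-TTL fallback are this example's own assumptions; the fallback follows the "local cache" idea from the CIP requirements slide rather than any stated CHPCOM decision.

```python
# The two predefined roles the slides single out for operations communication.
ROLE_RIGHTS = {"Viewer": {"read"}, "Operator": {"read", "write"}}

# Local store of the last role seen per client subject: (role, time seen).
# Assumed design for this example; times are plain seconds.
_role_cache = {}

def role_from_client_cert(subject_attrs: dict):
    """Way 1: role carried inside the client M2M certificate itself.
    'role' is an assumed attribute name for this example."""
    return subject_attrs.get("role")

def role_from_attribute_cert(fetch_ac, subject: str, now: float, ttl: float):
    """Way 2: role carried in a separate attribute certificate fetched over
    an alternate channel. If that channel is down, reuse the cached
    assignment while it is younger than ttl seconds; otherwise no role."""
    try:
        role = fetch_ac(subject)
        _role_cache[subject] = (role, now)
        return role, "live"
    except ConnectionError:
        cached = _role_cache.get(subject)
        if cached and now - cached[1] <= ttl:
            return cached[0], "cached"
        return None, "unavailable"

def authorize(role, operation: str) -> bool:
    """Server-side RBAC check: the predefined role grants the MMS operation
    (read/write) or it does not; a missing or unknown role grants nothing."""
    return operation in ROLE_RIGHTS.get(role, set())

# Constructed stand-ins for the attribute-certificate channel.
def fetch_ac_live(subject):   # channel up: the AC says this device is an Operator
    return "Operator"

def fetch_ac_down(subject):   # channel down
    raise ConnectionError("attribute certificate service unreachable")

def resolve(fetch_ac, subject: str, now: float, ttl: float, operation: str):
    """Resolve the role over the AC channel (with cache fallback), then decide.
    Returns (where the role came from, whether the operation is allowed)."""
    role, source = role_from_attribute_cert(fetch_ac, subject, now, ttl)
    return source, authorize(role, operation)

if __name__ == "__main__":
    print(resolve(fetch_ac_live, "plant-01", 1000.0, 3600.0, "write"))
    print(resolve(fetch_ac_down, "plant-01", 2000.0, 3600.0, "write"))
    print(resolve(fetch_ac_down, "plant-01", 9000.0, 3600.0, "write"))
```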