CHPCOM
project
CHPCOM
Combined Heat and Power Communication
IEC 61850 baseret datakommunikation
i dansk kontekst
Securing Critical Infrastructure Communication
Søren Peter Nielsen – Rump session at
Modern Identity Management Solutions 2. december 2014
2. december 2014
Modern Identity Management Solutions
1
Søren Peter Nielsen – Rump session – 2. december 2014
CHPCOM
• Securing Critical Infrastructure
Communication
– Context
• Moving from software to cyber-physical
systems
– Examples of things that are different
2. december 2014
Modern Identity Management Solutions
2
Danish Electricity Producers with
growing communications demands
2. december 2014
Modern Identity Management
Solutions
3
CHPCOM
Solar heat
Accumulator
Electric Boiler
Power
Power plant
~ 

Power
sale
2. december 2014
buy
TSO
Supply of services
Balance responsible
Control
Data
Generator
Power Market
District heat
Data
Internet
Supplying the grid
with ancillary
services
Modern Identity Management Solutions
4
CHPCOM Concept
CHPCOM
Solar heat
Accumulator
Electric Boiler
~ 

Power
sale
2. december 2014
Supply of services
buy
Balance responsible
Control
Supplying the grid
with ancillary
services
Data
Generator
TSO
Power
Power plant
Power Market
District heat
Data
Internet
Measurement
Technical control
Open standard
IEC 61850
New COM
Flexibility Market
Aggregator
Local resources for
local grid management
DSO/DNO
New Role
Modern Identity Management Solutions
5
The SKIES landscape
CHPCOM
SCADA
PKI
Components
SCADA
CA
61850 GW
SCADA
DB
61850
DB
Directory
SCADA
frontend
RA
RTU
MMS
MMS
”SecureMMS
Komponent”
RBAC
s/MMS
Firewall
INTERNET
s/MMS
2. december 2014
Modern Identity Management Solutions
s/MMS
6
The SKIES landscape – Basic flow
CHPCOM
RA
CA
Server security gateway
2. december 2014
s/MMS
s/MMS
Modern Identity Management Solutions
Client security gateway
7
Special CIP requirements in relation to PKI
•
Safety considerations
•
High Availability
•
Real-Time Operation
•
Upgradeable
CHPCOM
– Smart Grid PKI must consider the risk associated with a security
protocol failing. This can include protocols such as password lockouts,
certificate expiration, or time-stamp mismatch. The PKI should still
notify operators of these failures, but it may not be appropriate to fail
the protocol, especially for critical power grid equipment.
– PKI should avoid having a single point of failure
– The various components of the PKI must also be able to operate
independently for extended lengths of time when regular
communications are disrupted.
– E.g. a local cache of authentication information will allow the PKI to
operate disconnected from the authentication server for an extended
period of time
– Security protocol behaviors should be defined in the event that the
system does not meet a real-time requirement
– need to be designed with local information stores and use of caching
– must be able to update the technologies used in the PKI with minimal
impact on the (long life HW) system
Source: “Adapting PKI for the Smart Grid” by Todd Baumeister, 2011
2. december 2014
Modern Identity Management Solutions
8
One implication
CHPCOM
– Examples of failures that must NOT be met with a HARD
STOP in this case
Unable to build trust path to a trusted root CA
Certificate not yet valid or expired
Certificate revoked
Certificate or subject in certificate not on trusted whitelist
Missing mandatory certificate extensions
Invalid certificate extension (e.g. CA=false in
basicConstraints-extension of a intermediate certificate)
• Unknown or wrong CP reference in certificate
• Unknown critical extensions
• Unaccepted use of cryptographic algorithms (e.g. small
RSA pairs, MD5 hashing)
•
•
•
•
•
•
2. december 2014
Modern Identity Management Solutions
9
Roles
CHPCOM
• Communication is from machine to machine
• IEC standard says use RBAC with predefined
roles on server side to supply privileges to
client
2. december 2014
Modern Identity Management Solutions
10
Roles
CHPCOM
• Ways to transfer client role info:
– Embedded in Client M2M certificate
– Embedded in separate Attribute Certificate to be
transferred together with Client M2M certificate
2. december 2014
Modern Identity Management Solutions
11
Roles
CHPCOM
• Ways to transfer client role info:
– Embedded in Client M2M certificate
– Embedded in separate Attribute Certificate to be
transferred together with Client M2M certificate
• HMM?
– No (SAML-like) envelope to transfer role info in?
– Every time a role assignment is updated new certificates
must be issued?
– Mixing Authentication and Authorization !
2. december 2014
Modern Identity Management Solutions
12
Roles
CHPCOM
• WELL
– Role is not attached to a person, but to a Device in an
Organisation – much more stable assignment
– Of the predefined roles only two are relevant for the
Operations communication – manageable granularity
• Viewer – Read
• Operator – Read/Write
– High Availability is required – If role info is transferred
via an alternate channel and this is not available what to
do?
2. december 2014
Modern Identity Management Solutions
13
Søren Peter Nielsen – Rump session – 2. december 2014
CHPCOM
• Think different about
– PKI requirements
– Role based access control
• When dealing with critical cyber-physical
infrastructure
Contact info:
Søren Peter Nielsen
dk.linkedin.com/in/sorenp
twitter.com/sorenp
spn@nine.dk
2. december 2014
Modern Identity Management Solutions
14