DOCSLIB.ORG

Secure ICCP Integration Considerations and Recommendations

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Secure ICCP Integration Considerations and Recommendations SANDIA REPORT SAND2007-3345 Unlimited Release Printed June 2007 Secure ICCP Integration Considerations and Recommendations John T. Michalski, Andrew Lanzone, Jason Trent, and Sammy Smith Prepared by Sandia National Laboratories Albuquerque, New Mexico 87185 and Livermore, California 94550 Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under Contract DE-AC04-94AL85000. Approved for public release; further dissemination unlimited. Secure ICCP Integration Considerations and Recommendations Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof, or any of their contractors. Printed in the United States of America. This report has been reproduced directly from the best available copy. Available to DOE and DOE contractors from U.S. Department of Energy Office of Scientific and Technical Information P.O. Box 62 Oak Ridge, TN 37831 Telephone: (865) 576-8401 Facsimile: (865) 576-5728 E-Mail: [email protected] Online ordering: http://www.osti.gov/bridge Available to the public from U.S. Department of Commerce National Technical Information Service 5285 Port Royal Rd. Springfield, VA 22161 Telephone: (800) 553-6847 Facsimile: (703) 605-6900 E-Mail: [email protected] Online order: http://www.ntis.gov/help/ordermethods.asp?loc=7-4-0#online 2 Secure ICCP Integration Considerations and Recommendations SAND3345 Unlimited Release Secure ICCP Integration Considerations and Recommendations John Michalski, Jason Trent, and Sammy Smith Critical Infrastructure Systems Andrew Lanzone Cryptography and Information Systems Surety Sandia National Laboratories P.O. Box 5800 Albuquerque, New Mexico 87185-0672 Abstract The goal of this report is to identify the operation and implementation issues associated with the introduction of the secure form of the Inter-control Center Communications Protocol, or ICCP, formally referred to as IEC 60870-6-TASE.2, into the utility infrastructure. The report provides considerations and recommendations to assist a utility owner to advance the security of the utility’s data exchange operations. The report starts with a description of information assurance, and then discusses end node authentication and Public Key Infrastructures (PKI) using Certificate Authority (CA) certificates. Network infrastructures and protocols associated with ICCP are reviewed, assessed, and modeled to identify the impact of these structures and protocols to the efficient delivery of ICCP data. The report highlights certificate management and implementation issues and discusses some of the transitional issues and strategies to overcome security limitations during the introduction phase of Secure ICCP. Finally the report provides some performance measurement data of the configuration impacts of using security layers to provide Secure ICCP implementations. 3 Secure ICCP Integration Considerations and Recommendations Acknowledgements The author would like to acknowledge that the work that produced the results presented in this paper was funded by the U.S. Department of Energy/Office of Electricity Delivery and Energy Reliability (DOE/OE) as part of the National SCADA Test Bed (NSTB) Program. 4 Secure ICCP Integration Considerations and Recommendations Executive Summary The Inter-control Center Communications Protocol (ICCP) was developed to enable data exchange over Wide Area Networks between utility control centers, Independent System Operators (ISOs), Regional Transmission Operators (RTOs), and other Generators. This document describes the intent, operation, and behavior of the ICCP and technological means by which ICCP transmission can be secured, discussing both the built-in protection of Secure ICCP (a version of ICCP that has some built-in security elements) and several independent technologies that can be added to ICCP, such as Internet Protocol Security (IPSec). Recommendations for using the ICCP are provided throughout, especially regarding effective use of its secure form. This document also describes the impact of Wide Area Network (WAN) design on the transport of ICCP data streams. The importance of using appropriate quality of service (QoS) on the supporting WAN links is demonstrated by including the results of the modeling and simulation of WAN link congestion. Overall, using Secure ICCP and other secure protocols has minimal effect on end-to-end performance, although certain situations with respect to traffic congestion described within the report can cause exceptional delays and should be avoided. Also management complexity increases with each layer of protection added to the ICCP environment. The primary objectives of the research activity described in this report were to provide insight into the security enhancements of the new ICCP protocol and to identify the integration impact of this emerging standard when implemented within the utility industry infrastructure control system. These were accomplished by investigating and interpreting documentation of ICCP, Secure ICCP, and related technology including relevant standards, implementation guidelines, and descriptive material; and by implementing and performance testing a Secure ICCP testbed. Section 4 of this report provides the observations and conclusions of the investigation. Section 5 is a summary of recommendations that appear throughout the report on introducing Secure ICCP into Utilities networks. These recommendations include: • Network administrators should negotiate Service-Level Agreements (SLAs) that provide appropriate Quality of Service (QoS) for ICCP data streams. • Utility sites that will not transition rapidly to Secure ICCP should consider using OpenSSL, IPSec, and data link encryption to provide inter-node data security for standard ICCP communication. • Use a flat PKI Certificate Heirarchy for single-company domains and a tiered hierarchy for multiple-company domains. 5 Secure ICCP Integration Considerations and Recommendations Table of Contents 1 Introduction..........................................................................................................................9 1.1 Background...................................................................................................................9 1.1.1 Description........................................................................................................9 1.1.2 Historical Information ......................................................................................9 1.1.3 Significance ......................................................................................................9 1.1.4 Literature Review...........................................................................................10 1.2 Purpose .......................................................................................................................10 1.2.1 Reason for Investigation.................................................................................10 1.2.2 Roadmap Challenges......................................................................................10 1.2.3 Audience.........................................................................................................11 1.2.4 Desired Response............................................................................................11 1.3 Scope...........................................................................................................................11 1.3.1 Extent and Limits of Investigation .................................................................11 1.3.2 Goals...............................................................................................................11 1.3.3 Objectives .......................................................................................................12 1.3.4 Organization ...................................................................................................12 2 Approach............................................................................................................................13 2.1 Methods ......................................................................................................................13 2.2 Assumptions ...............................................................................................................13 2.3 Procedures...................................................................................................................13 3
Load more

Recommended publications
  • Enhanced Fast Rerouting Mechanisms for Protected Traffic in Mpls Networks
    ENHANCED FAST REROUTING MECHANISMS FOR PROTECTED TRAFFIC IN MPLS NETWORKS Lemma Hundessa Gonfa UPC. Universitat Polit`ecnica de Catalunya Barcelona (Spain). February, 2003 Thesis Advisor: Prof. Jordi Domingo-Pascual A THESIS SUBMITTED IN FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE Doctor en Inform`atica ENHANCED FAST REROUTING MECHANISMS FOR PROTECTED TRAFFIC IN MPLS NETWORKS Lemma Hundessa Gonfa Thesis Advisor: Prof. Jordi Domingo-Pascual vi To my wife Dr. Truwork whose patience, love, support and encouragement enabled me to complete this thesis and was of great help in difficult times. To my parents for their interest and encouragement of my academic success since a very early age. Finally, to great Samson Gobena and Begashaw, in memory. viii ABSTRACT Multiprotocol Label Switching (MPLS) fuses the intelligence of routing with the per- formance of switching and provides significant benefits to networks with a pure IP architecture as well as those with IP and ATM or a mix of other Layer 2 technologies. MPLS technology is key to scalable virtual private networks (VPNs) and end-to-end quality of service (QoS), enabling efficient utilization of existing networks to meet future growth. The technology also helps to deliver highly scalable, differentiated end-to-end IP services with simpler configuration, management, and provisioning for both Internet providers and end-users. However, MPLS is a connection-oriented ar- chitecture. In case of failure MPLS first has to establish a new label switched path (LSP) and then forward the packets to the newly established LSP. For this reason MPLS has a slow restoration response to a link or node failure on the LSP.
    [Show full text]
  • MPLS Traffic Engineering Path, Link, and Node Protection Configuration Guide, Cisco IOS Release 12.4T
    MPLS Traffic Engineering Path, Link, and Node Protection Configuration Guide, Cisco IOS Release 12.4T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • MPLS Traffic Engineering Path Link and Node Protection Configuration Guide, Cisco IOS XE Release 3S First Published: 2014-03-28
    MPLS Traffic Engineering Path Link and Node Protection Configuration Guide, Cisco IOS XE Release 3S First Published: 2014-03-28 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Packet-Optical the Infinera Way Ebook
    PACKET-OPTICAL THE INFINERA WAY INFINERA 1 OPTICAL FIBER PROVIDES almost lossless telephone service) to cover a wide range of We hope you find Packet-Optical the PREFACE transmission of signals at an ultra-wide solutions and networks with varying degrees Infinera Way informative and useful, whether range of frequencies. Packet switching, of capabilities and functionality. you use it to research a particular subject or implemented using the Ethernet family read the complete volume from beginning Packet-optical integration has some great of protocols and interfaces, offers one of to end. advantages in terms of cost and service the most efficient ways to sort and direct differentiation. Infinera´s technologies take The descriptions are kept independent streams of digital data. Packet-optical this one step further, with benefits including of product releases as much as possible. networking combines these two outstanding reduced equipment, lower operational costs Current details of the Infinera product technologies, positioning them to dominate and key capabilities such as low latency portfolio are available at www.infinera.com. the next generation of transport networks. and excellent synchronization, outlined Packet-Optical the Infinera Way was written in Chapter 2. Chapter 3 describes how Features of Infinera’s packet-optical solutions to help Infinera’s customers, prospects packet-optical networks are best managed that we believe to be unique are highlighted and partners, and anyone else who needs and how to take advantage of current and with this marker throughout the text. to have a better understanding of the future software-defined networking (SDN) packet-optical world. This book focuses on developments.
    [Show full text]
  • Improving Double Link Failure Tolerance in Optical Networks Using P-Cycles
    Improving Double Link Failure Tolerance in Optical Networks using p-Cycles A Thesis Submitted in Partial Fulfilment of the Requirements for the Degree of DOCTOR OF PHILOSOPHY by PALLAVI ATHE to the DEPARTMENT OF ELECTRICAL ENGINEERING INDIAN INSTITUTE OF TECHNOLOGY KANPUR January, 2018 CERTIFICATE It is certified that the work contained in the thesis entitled " Improving Double Link Failure Tolerance in Optical Networks using p-Cycles,, being submitted by Pallavi Athe has been carried out under my supervision. In my opinion, the thesis has reached the standard fulfilling the requirement of regulation of the Ph.D. degree. The results embodied in this thesis have not been submitted elsewhere for the award of any degree or diploma. Professor Department of Electrical Engineering Indian Institute of Technology Kanpur January,2018 Kanpur, INDIA Synopsis Name of the Student : Pallavi Athe Roll Number : 10204070 Degree for which submitted : Ph.D. Department : Electrical Engineering Thesis Title : Improving Double Link Failure Tolerance in Optical Networks using p-Cycles Thesis Supervisor : Dr. Yatindra Nath Singh Month and year of submission : Jan, 2018 Optical networks are high speed networks, built using fiber optic communication systems and dense wave division multiplexing(DWDM) technology and are capable of using huge bandwidth available in optical fiber. Optical network forms the major part of Internet backbone and carries enormous information. A link or node failure even for a few minutes can cause huge loss of data and hence the revenue. After such failure, the ability of network to maintain service is known as its survivability. Designing a sur- vivable optical network having fast recovery from failures with least possible redundant resources has been an area of extensive research.
    [Show full text]