Using IEC 62351 to Secure IEC 61850

Kudrat Kaur, SunSpec Alliance, presenter Ifeoma Onunkwo, Sandia, “Data In Flight” task co-leader Nicolas Manka, GridSME, “Data In Flight” task co-leader Tom Tansy, SunSpec Alliance, moderator

SunSpec/Sandia Cybersecurity Workgroup June 6, 2019 SunSpec/Sandia Cybersecurity Workgroup Charter

• Bring together DER interoperability and cybersecurity experts to discuss security for DER devices, gateways, aggregators, utilities and the US power system

• Primary goal: generate a collection of best practices that act as basis for national or international DER cyber security standards

• Secondary goal: facilitate DER cyber security discussions between stakeholders to exchange perspectives and gain broad buy-in from the industry

June 06 2019 Copyright SunSpec Alliance 2019 Slide 2 Antitrust and Intellectual Property

• All SunSpec meetings are conducted in accordance with the SunSpec Antitrust Policy and Intellectual Property Provisions defined in the SunSpec Member Agreement. This agreement can be found at https://sunspec.org/sunspec- membership-agreement/

• SunSpec strictly prohibits market participants, and their employees who participate in SunSpec activities, from using their participation in these activities as a forum for engaging in practices or communications that violate antitrust laws

• Confidential or proprietary information should not be discussed in open session. Please contact SunSpec management if you have any questions

June 06 2019 Copyright SunSpec Alliance 2019 Slide 3 Housekeeping

• Slides will be sent to you • Ask questions any time in the chat window • Mute yourself if not speaking • Please consider joining this workgroup

https://sunspec.org/sunspec-cybersecurity-workgroup/

June 06 2019 Copyright SunSpec Alliance 2019 Slide 4 SunSpec/Sandia DER Cybersecurity Workgroup

Sign up at http://sunspec.org/sunspec-cybersecurity-workgroup/

June 06 2019 Copyright SunSpec Alliance 2019 Slide 5 Today’s Agenda

• “Using IEC 62351 to Secure IEC 61850 Communications in Distributed Energy Resources”

• Questions and answers

• Upcoming DER cybersecurity events and programs

June 06 2019 Copyright SunSpec Alliance 2019 Slide 6 Using IEC 62351 to Secure IEC 61850 Communications in Distributed Energy Resources

Kudrat Kaur, SunSpec Alliance June 6, 2019 IEC 62351

• IEC 62351 is a standard created by the WG 15 (Data & Communication Security) of IEC TC57. This standard is responsible to provide security to the protocols in series: IEC 60870-5, 60870-6, 61850, 61970, and 61968.

• The standard consists of 11 parts, each referencing different security mechanisms. The parts are:

June 06 2019 Copyright SunSpec Alliance 2019 8 Slide 8 Cyber Security in Electric Grids

June 06 2019 Copyright SunSpec Alliance 2019 Slide 9 IEC 62351 • IEC 62351-1 gives an overview on the standard and introduces the security aspects for the operations of power supply systems. • IEC 62351-2 goes over the glossary of the terms and abbreviations used in the document. • IEC 62351-3 focuses on end-to-end TCP/IP connections. These connections are set up over TLS where the authentication of client and server takes place based on X.509 certificates. The TLS encryption protects against the eavesdropping and replay attacks while the message authentication prevents man-in-the-middle attacks. Spoofing is prevented through Security Certificates. • IEC 62351-4 defines the security measures for MMS protocol along with TASE.2 (ICCP). It uses TLS to authenticate the two entities that are communicating. The security of control center-to-substation communication is categorized as A-Profile. It also utilizes the part 3 to secure the TCP based communication which is known as T-Profile.

June 06 2019 Copyright SunSpec Alliance 2019 Slide 10 IEC 62351 • IEC 62351-5 focuses on serial versions (IEC 60870-5-101) and network versions (IEC 60870-5-104 and DNP3) of communications. While the network versions that run over TCP/IP are addressed using the TLS in part 3, the serial versions have authentication mechanisms such as VPNs or “Bump-in-the-wire” technologies.

June 06 2019 Copyright SunSpec Alliance 2019 Slide 11 IEC 62351 • IEC 62351-6 provides security mechanisms for GOOSE protocol which sends multicast protective relay messages every 4 milliseconds between controllers. In order to not affect the transmission rates, encryption is not a suitable security mechanism. Therefore, authentication is ensured using mechanisms with minimal computation requirements to digitally sign the packets. Part 3 and 4 are used for other IEC 61850 profiles.

June 06 2019 Copyright SunSpec Alliance 2019 Slide 12 IEC 62351

• IEC 62351-7 emphasizes on the network and System Management (NSM) of information infrastructure which encompasses communication networks, Intelligent Electronic Devices, and the communication protocols. The NSM data objects highlight what information is required to manage the infrastructure reliably.

• IEC 62351-8 uses Role-Based Access Control (RBAC) to regulate the access control of users and automated agents to the data objects in the power systems. RBAC follows the security principle of lease privilege which enables a number of security policies, networking, firewall, back-ups, and system operations.

• IEC 62351-9 specifies the generation, distribution, revocation and handling of digital certificates and cryptographic keys to protect the data and communication. It addresses the management of certificates and corresponding private keys, which are utilized in almost every part of IEC 62351. The standard allows for the handling of symmetric as well as asymmetric keys. It also defines group based communication security for multicast messages.

June 06 2019 Copyright SunSpec Alliance 2019 Slide 13 IEC 62351

• IEC 62351-10 focuses on the description of the security architecture guidelines that define relations and mapping between the security components, functions, and their interactions to the power system. This is intended to help deploy the power generation, transmission, and distribution systems securely.

• IEC 62351-11 defines the security of XML files. It provides mechanisms to authenticate and ensure the integrity of IEC 61850 SCL files and other XML format files. This protection can be enhanced using the RBAC elements.

June 06 2019 Copyright SunSpec Alliance 2019 Slide 14 Security for DERs Using IEC 61850 Communications and IEC 62351

June 06 2019 Copyright SunSpec Alliance 2019 Slide 15 Questions and Answers

June 06 2019 Copyright SunSpec Alliance 2019 Slide 16 Upcoming Public Cybersecurity Sessions

Register June for 12 2019 Webinar https://sunspec.org/webinar-three-implement-strong-cybersecurity- pki-distributed-energy-resource-industry/

June 06 2019 Copyright SunSpec Alliance 2019 Slide 17 Opportunities to Learn & Contribute In Cybersecurity

Register Now for July 2 2019 Course Cybersecurity Work Group https://extension.ucsd.edu/courses-and- https://sunspec.org/sunspec-cybersecurity- programs/secure-communication-networking-for- workgroup/ distributed-energy-resources

June 06 2019 Copyright SunSpec Alliance 2019 Slide 18 Contact SunSpec Alliance

Phone 408-217-9110

Web www.SunSpec.org

Email [email protected]

Social

June 06 2019 Copyright SunSpec Alliance 2019 Slide 19