Cyber Security: Practical considerations for implementing IEC 62351

Frank Hohlbaum, Markus Braendle, Fernando Alvarez
ABB, Switzerland
[email protected]

1. Introduction

Two trends are currently changing substation automation systems: IEC 61850 and the need for increased cyber security. IEC 61850 has gained global acceptance by vendors as well as customers. Cyber security, on the other hand, has quickly become one of the most dominant topics for control systems in general and for electrical utilities in particular. The combination of the two, securing IEC 61850 based communication, has been one of the goals of the recently published technical specification IEC 62351.

In the authors' view IEC 62351 is overall a good starting point and will be the future standard to help secure IEC 61850 communication. However, the current standard has some shortcomings, and some challenges need to be addressed before IEC 62351 can be implemented and gain wide acceptance. This paper highlights the challenge of securing communication in the substation real-time environment while complying with the IEC 61850 real-time specifications. The major difficulty is reaching the performance defined in IEC 61850 for GOOSE and SV data with the technical specification proposed today in IEC 62351 part 6.

In chapter 2 we give a short overview of the structure of IEC 61850 as well as the detailed performance requirements for the various data types. Chapter 3 presents an introduction to the IEC 62351 standard, including the methods used to secure IEC 61850 communication. Chapter 4 then shows the major implementation issues of IEC 62351 part 6. Chapters 5 and 6 highlight two of the main remaining challenges: interoperability and manageability of security solutions. This paper focuses on IEC 61850 based systems; security, however, must be addressed for all computer systems and communication.
Most of the challenges mentioned in this paper are not limited to IEC 61850 based systems but are general in nature. Even systems based on serial communication cannot work properly without any security measures.

2. IEC 61850 Overview

IEC 61850 is the first and only global standard that considers all communication needs within the substation automation environment. The standard defines strict interoperability rules between functions and devices, independent of the device manufacturer, covering protection, monitoring, control and automation. IEC 61850 was published as a standard by IEC in fourteen parts between 2003 and 2005 [1]. In the meantime this standard has gained global acceptance and several thousand substations worldwide have been energized. The standardization activity has reached its next step, and Edition II of IEC 61850 should be available by the end of 2010. Because the technical specification IEC 62351 is not yet finalized, security is not fully addressed in IEC 61850 Edition II; it will come in a later step.

A key feature of IEC 61850 is that it separates the application from the communication by means of an abstract interface. A domain-specific, object-oriented function and device model describes the application data together with all services needed. The functions can be allocated freely to different devices. As shown in Figure 1, the stack, selected from mainstream communication technology, comprises MMS (Manufacturing Message Specification) over TCP/IP and Ethernet. The object model is mapped in a standardized way to the MMS application layer, but time-critical messages pass directly to the link layer of Ethernet. Specific performance classes are defined for the different communication methods.

Figure 1: IEC 61850 Communication Services Overview

GOOSE messages such as trip, interlocking and inter-trip signals belong to the fast messages, which should be transmitted within 10 ms (Performance Class P1).
For some signals even 3 ms (Performance Class P2/3) is specified. For Sampled Values (SV) the IEC 61850-5 standard defines several performance classes for raw data messages from digitizing transducers and digital instrument transformers.

Figure 2: Performance classes for raw data messages used for metering

As shown in Figure 2, performance class M1 (sample rate of 1.5 kHz) refers to revenue metering with accuracy class 0.5, performance class M2 (sample rate of 4 kHz) refers to revenue metering with accuracy class 0.2, and performance class M3 (sample rate of 12 kHz) refers to quality metering. Therefore the devices have to process the raw data every 666 µs in performance class M1, every 250 µs in performance class M2 and every 83 µs in performance class M3.

For client-server communication no explicit timing requirements are defined, but IEC 61850 clients nevertheless have to receive several hundred events from the various protection and control IEDs.

Any security standard that attempts to secure IEC 61850 based traffic must take these performance requirements into account. The fast response times required for some of the communication types, coupled with the limited processing capabilities of some of the devices (e.g. IEDs), present a clear challenge. We look at these challenges in the following sections and analyze if and how IEC 62351 addresses them.

3. Introduction to IEC 62351

The scope of the IEC 62351 series is information security for power system control operations. Its primary objective is to undertake the development of standards for the security of the communication protocols defined by IEC TC 57, specifically the IEC 60870-5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series and the IEC 61968 series. The IEC 62351 standard is currently divided into 8 parts. As shown in Table 1, parts 1-6 are officially categorized as TS (technical specification) and released by IEC.
Parts 7 and 8 are currently under development, with the current state of part 7 being "Circulated Draft Technical Specification" (CDTS) and part 8 being "Draft approved for Committee Draft with Vote" (ACDV). In addition, two new work item proposals (NWP) exist to address "Key management (certificate handling)" and "Security Architecture".

Part  Title                                                   Status
1     Communication network and system security –             TS
      Introduction to security issues
2     Glossary of terms                                       TS
3     Security for profiles including TCP/IP                  TS
4     Profiles including MMS                                  TS
5     Security for IEC 60870-5 and derivatives                TS
6     Security for IEC 61850                                  TS
7     Network and system management (NSM) data object models  CDTS
8     Role-Based Access Control                               ACDV
-     Key Management (Certificate Handling)                   NWP
-     Security Architecture                                   NWP

Table 1: Overview of IEC 62351 standard series

In this paper we focus mainly on parts 3, 4 and 6, with an emphasis on part 6 because it defines specific requirements for IEC 61850 based communication. As discussed in the previous section, IEC 61850 communication can be divided into client-server (i.e. MMS) and real-time (i.e. GOOSE and Sampled Values) communication. IEC 62351 provides different methods for securing the different communication types:

MMS (IEC 61850-8-1): MMS traffic is secured on the application and the transport level. Peer authentication is performed on the application level by carrying authentication information in the ACSE AARQ and AARE PDUs [2]. The authentication information comprises an X.509 encoded certificate, a time stamp and the digitally signed time value. For security on the transport layer IEC 62351 refers to TLS [4]. It specifies the use of port 3782 for secure communication instead of the standard port 102. It also specifies a set of mandatory and recommended cipher suites; at a minimum TLS_DH_DSS_WITH_AES_256_SHA¹ and TLS_DH_RSA_WITH_AES_128_SHA² must be supported.

GOOSE / Sampled Values: security of real-time traffic is limited to message authentication, i.e. the use of encryption is not specified. Message authentication is defined by extending the GOOSE / SV PDUs with an authentication value that is calculated by signing a SHA-256 hash using RSA [3]. Certificate exchange is not done as part of the messages; X.509 encoded certificates must be pre-installed on the receiving nodes.

¹ Specified in IEC 62351-4
² Specified in IEC 62351-6

Protocol extensions to the affected communication standards are required in order to actually be able to implement IEC 62351. IEC 61850 does not yet include these necessary extensions in its current release. The upcoming Edition II will also not completely cover them because IEC 62351 is not yet finalized.

4. Performance issues in IEC 62351 Part 6

Performance impacts should always be considered for any communication infrastructure before introducing encryption and/or message authentication. This is particularly true if asymmetric cryptography, real-time traffic or systems with limited resources are involved. In the case of securing GOOSE and SV using IEC 62351 all three constraints apply:

- Embedded devices such as protection & control IEDs or RTUs typically have little computational power (compared to personal computers or servers), and only a (small) portion of it can be made available to functionality other than protection and control. In addition, changing or upgrading hardware is not an easy task for embedded devices that potentially have a very long lifetime. Security solutions for embedded devices should therefore not require major hardware changes.

- For both GOOSE and SV strict real-time constraints exist: 3 ms response time for GOOSE and sampling rates up to 12 kHz for Sampled Values.
- IEC 62351, as of today, specifies the use of digital signatures (asymmetric cryptography using RSA) to authenticate broadcast GOOSE and SV packets.

In this discussion we focus our attention on the performance impact of securing real-time traffic as specified in IEC 62351 part 6, in particular the signing of the hash value using the RSA algorithm. The calculation of the SHA-256 hash value as well as the verification of the digital signature is considerably less CPU intensive and is therefore omitted for the moment. In a first step, implementing digital signatures in software was analyzed.
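To make the mechanism of section 3 and the cost question of section 4 concrete, the following is an added example in Go, not code from the paper, from ABB or from the IEC 62351 standard. It builds a constructed, simplified GOOSE-like PDU, computes an IEC 62351-6 style authentication value (SHA-256 digest of the PDU signed with RSA), verifies it with a key that stands in for the certificate pre-installed on the receiving IED, and then times the hash, sign and verify steps in software against the 3 ms GOOSE and 83 µs SV class M3 budgets quoted above. The PDU layout, the control block reference `IED1/LLN0$GO$gcb01`, the PKCS#1 v1.5 padding and the 2048-bit key size are assumptions of this example, not values taken from the standard.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// goosePDU is a constructed, simplified stand-in for a GOOSE PDU (not the real IEC 61850-8-1 encoding).
type goosePDU struct {
	GoCBRef string // control block reference (constructed value in the demo)
	StNum   uint32 // state number, incremented on each data change
	SqNum   uint32 // sequence number, incremented on each retransmission
	Data    []byte // dataset values, flattened
}

// encode serialises the PDU deterministically so sender and receiver hash identical bytes.
func (p goosePDU) encode() []byte {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint32(hdr[0:], uint32(len(p.GoCBRef)))
	binary.BigEndian.PutUint32(hdr[4:], p.StNum)
	binary.BigEndian.PutUint32(hdr[8:], p.SqNum)
	return append(append(hdr, p.GoCBRef...), p.Data...)
}

// authenticate produces the IEC 62351-6 style authentication value: the SHA-256 digest
// of the PDU signed with the sender's RSA private key (PKCS#1 v1.5 padding is assumed).
func authenticate(priv *rsa.PrivateKey, pdu []byte) ([]byte, error) {
	digest := sha256.Sum256(pdu)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verify checks the authentication value with the sender's public key, which is
// pre-installed on the receiver rather than carried in the message.
func verify(pub *rsa.PublicKey, pdu, sig []byte) bool {
	digest := sha256.Sum256(pdu)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// avg runs f n times and returns the average wall-clock cost, or f's first error.
func avg(n int, f func() error) (time.Duration, error) {
	start := time.Now()
	for i := 0; i < n; i++ {
		if err := f(); err != nil {
			return 0, err
		}
	}
	return time.Since(start) / time.Duration(n), nil
}

type timing struct{ Hash, Sign, Verify time.Duration }

// measure hashes, signs and verifies the same PDU n times and averages the cost per step.
func measure(priv *rsa.PrivateKey, pdu []byte, n int) (timing, error) {
	var t timing
	sig, err := authenticate(priv, pdu)
	if err != nil {
		return t, err
	}
	t.Hash, _ = avg(n, func() error { sha256.Sum256(pdu); return nil })
	if t.Sign, err = avg(n, func() error { _, e := authenticate(priv, pdu); return e }); err != nil {
		return t, err
	}
	t.Verify, err = avg(n, func() error {
		if !verify(&priv.PublicKey, pdu, sig) {
			return fmt.Errorf("authentication value did not verify")
		}
		return nil
	})
	return t, err
}

// budgetRatio reports how many times a per-message cost fits into a performance-class
// budget; below 1.0 the step alone already exceeds the requirement.
func budgetRatio(cost, budget time.Duration) float64 {
	return float64(budget) / float64(cost)
}

func main() {
	// 2048-bit key chosen for the demo; it stands in for the certificate pre-installed on
	// both IEDs (the key length IEC 62351-6 mandates is not restated here).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pdu := goosePDU{GoCBRef: "IED1/LLN0$GO$gcb01", StNum: 7, SqNum: 1, Data: []byte{1, 0, 1}}
	t, err := measure(priv, pdu.encode(), 50)
	if err != nil {
		panic(err)
	}
	fmt.Printf("hash %v  sign %v  verify %v per message\n", t.Hash, t.Sign, t.Verify)
	// Budgets from the paper (IEC 61850-5): 3 ms for the fastest GOOSE class, 83 us per SV M3 sample.
	fmt.Printf("signing fits %.1fx into the 3 ms GOOSE budget, %.2fx into the 83 us SV M3 budget\n",
		budgetRatio(t.Sign, 3*time.Millisecond), budgetRatio(t.Sign, 83*time.Microsecond))
}
```

Run it with `go run` on a desktop or server CPU and the RSA signing step dominates, while hashing and verification (the public-key operation) are far cheaper, which is the asymmetry behind the paper's decision to concentrate on signing. The ratio against the 83 µs SV M3 budget is the figure to watch: a per-sample private-key operation has to fit into that window on an IED-class processor with only a fraction of its cycles available, so the measurement on a general-purpose CPU is an optimistic lower bound on the real cost.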