Grid Security 3.1 Implementation Guide
October 2020

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS DESCRIBED IN THIS DOCUMENT ARE SUBJECT TO CHANGE WITHOUT NOTICE. THIS DOCUMENT IS PROVIDED "AS IS." ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS DOCUMENT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR INCIDENTAL DAMAGES UNDER ANY THEORY OF LIABILITY, INCLUDING WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OF OR INABILITY TO USE THIS DOCUMENT, EVEN IF CISCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

©2020 CISCO SYSTEMS, INC. ALL RIGHTS RESERVED

Contents

Introduction . 1
Navigator . 1
Audience . 2
Document Objective and Scope . 2
Implementation Workflow . 2
Grid Security Requirements and Use cases . 3
NERC-CIP . 3
Asset Discovery and Identification . 6
Segmentation and Access Control . 6
Threat Detection and mitigation . 7
Substation design . 7
Network Resiliency . 8
Electronic Security Perimeter (ESP) zone . 9
Corporate Substation (CORPSS) zone . 9
Critical Infrastructure Perimeter (CIP) zone . 9
Outside zone . 9
Traffic segmentation within the Substation . 10
Access Control . 10
Bandwidth Control . 11
Threat Detection . 11
Distribution Automation design . 11
Network Resiliency in Distribution Automation . 13
System Overview . 13
Topology . 13
IP Addressing/VLAN . 15
Hardware Software Matrix . 17
Licensing . 18
Grid Security Implementation . 20
Segmentation . 20
Segmentation in Substation Automation LAN . 20
Segmentation in Distribution Automation - Secondary Substation Gateway . 24
IP Network Encryption . 28
Site to Site VPN in Substation LAN . 28
Site to Site VPN in Distribution Automation . 32
Access Control . 32
Access control for different users . 33
Port Security for different devices . 34
Grid Visibility . 35
Sensors in Substation LAN . 37
IC3000 . 37
IE3400 . 45
Sensors in Distribution Automation . 52
IR1101 . 52
OT Asset Visibility . 58
T104 . 58
DNP3 . 61
IEC61850 MMS and GOOSE . 66
Modbus . 71
Legacy SCADA . 76
Protocol Translation . 79
OT Assets Anomaly Detection-Monitoring . 83
Threat Detection . 87
SCADA Modbus Preprocessor on ISA3000 . 87
SCADA DNP3 Preprocessor on ISA3000 . 94
Deep Packet inspection of Modbus using ISA3000 . 102
Deep Packet inspection of DNP3 using ISA3000 . 107
Appendix A - Running configuration . 114
IE3400 . 114
IE5000 . 117
IE4010 . 127
IR1101 . 134
Distribution Automation HER asr1000 . 145

Introduction

Smart Grid is an electricity delivery system that is integrated with communications and information technology to enhance grid operations, improve customer service, lower costs, and enable new environmental benefits. This document describes the overall use of the network to monitor and manage the electrical system from power generation, through transmission and distribution, to end users in smart buildings, smart homes, and other sites connected to the utility network.

As the OT world converges with the traditional IT world, security is becoming increasingly important for utility customers. Today's news includes many stories about hackers and terrorists who seek to gain access to critical networks in order to steal money or information, or even to disrupt service. This solution seeks to address many of these concerns by providing a holistic approach to restricting access, protecting data, logging events and changes, and monitoring activity in the substation.

The Substation Security solution addresses the NERC-CIPv5 CIP requirements. While NERC-CIP is only applicable in North America, much of the world looks to it as the standard for securing utility and other industrial operations.

The substation network must be protected from unauthorized access and cyberattacks. The substation network security services must guarantee the integrity of telemetry data and control commands in order to ensure the confidentiality, integrity, and availability of the electronic information communication system. These security services must be deployed at each networking protocol layer wherever applicable.

For more details, refer to the Grid Security Design Guide at the following URL: https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Distributed-Automation/Grid_Security/DG/DA-GS-DG.html

Navigator

This document includes the following sections:

Implementation Workflow (page 2) - Describes the Solution Overview and Implementation Flow.
Grid Security Requirements and Use cases (page 3) - Discusses the various grid security requirements and gives a detailed explanation of the use cases.
Substation design (page 7) - Discusses the various Grid Security Solution network topologies and the IP addressing used at every layer of the topologies.
System Overview (page 13) - Discusses the Grid Solution components, the hardware models and software versions validated, and the required licenses.
Grid Security Implementation (page 20) - Discusses the ICT implementation with various network resiliency protocols.
Electronic Security Perimeter (ESP) zone (page 9) - Discusses the steps to implement network segmentation tools to protect critical assets against cyber-attacks and insider threats.
IP Network Encryption (page 28) - Discusses the steps to implement network encryption.