Substation installations offer several potential attack vectors for cyber-attacks. Effective cybersecurity measures therefore have to be implemented in the substation itself, not just in the control centre. Taking up the challenge, OMICRON introduced an innovative industry security system offering decentralised, hybrid 24/7 monitoring.
The Austrian supplier OMICRON has been looking into this requirement for many years and in 2015 added the DANEO 400 analysis device to its portfolio as a decentralised and hybrid solution for the 24/7 monitoring of sampled values, GOOSE and PTP time synchronisation.
“It so happened that we were approached by engineers from the Centralschweizer Kraftwerke AG (CKW), who were looking for an appropriate solution for their substation installations,” recalls Andreas Klien, a cybersecurity expert and head of the power utility communications division at OMICRON. A period of close cooperation with the protection and process control engineers at CKW followed this inquiry and led to the development of StationGuard, the functional security monitoring system.
The experiences from a number of proof-of-concept installations of other energy suppliers around the world have meanwhile been absorbed into the development process.
Essentially, the system uses the Substation Configuration Language (SCL) files, in which the entire automation system, with all its devices, data models and the communication parameters of the IEC 61850 installation, is described in a standardised format. These files also contain information about the primary equipment and in many cases even the single-line equivalent circuit diagram of the substation. IEC 61850 is the Ethernet-based international standard for communication in power generation facilities and substations.
“This information can be used to develop a completely new approach to the detection of cyber-attacks,” explains Klien. The monitoring system can create a complete model of the automation system and the substation and compare every single packet in the network with the live system model. Even the data contained in the telegrams (GOOSE, MMS, SV) can be assessed on the basis of what the system model is expecting. “This process requires no learning phase and is only possible because of the configuration of the SCL,” stresses Klien. With StationGuard, the company has introduced an innovative approach for IEC 61850 installations.
To detect cyber threats in the network, StationGuard essentially carries out a highly detailed functional verification of all data traffic. It holds a detailed model of all anticipated communication, against which it compares the network packets. Because the data traffic is continuously monitored, it is not only threats to IT security, such as unauthorised packets and control operations, that are recognised.
Communication faults, problems with time synchronisation and the various types of malfunction that can occur in the substation are also detected. “If the system has access to the installation’s circuit diagram and is able to monitor the measured values in the MMS communication, then there are practically no limits to what we can monitor,” explains Klien. He cites as an example the 33 different alarm codes that StationGuard maintains just for GOOSE – from simple status and sequence number faults to more complex problems, such as unusually long telegram transmission times.
The latter are detected by the precise measurement of the difference between the EntryTime stamp in the telegram and its actual arrival time. If the transmission time of the network for a GOOSE (as per IEC 61850-5) is longer than 3 ms, this will indicate a problem in the transmitting IED, in the network or at the very least in the time synchronisation.
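The checks just described (status and sequence number faults, and the 3 ms transfer-time limit measured from the EntryTime stamp) can be expressed compactly. The following is an added illustration and not OMICRON's code: it assumes the GOOSE frames have already been decoded into their fields, uses a constructed stream from one publisher, and makes the "sqNum restarts at 0 after a state change" rule a parameter, since that is an assumption about the installation rather than something the article states.

```python
"""Plausibility checks on a GOOSE stream: sequence/status numbers and transmission time.

Added illustration, not OMICRON code.  The frame fields are assumed to have been
decoded already; the stream below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Transfer-time limit for fast GOOSE messages named in the article (IEC 61850-5, 3 ms).
MAX_TRANSFER_TIME_S = 0.003


@dataclass
class GooseMsg:
    gocb_ref: str        # GOOSE control block reference: identifies the publisher's stream
    st_num: int          # status number: incremented by the publisher on every data change
    sq_num: int          # sequence number: incremented on every retransmission of the same state
    entry_time: float    # EntryTime written by the publisher, seconds since epoch
    arrival_time: float  # time the monitor saw the frame on the wire, seconds since epoch


class GooseMonitor:
    """Keeps the last stNum/sqNum per control block and checks each new frame against it."""

    def __init__(self, first_sq_after_change: int = 0):
        # Assumption: sqNum restarts at 0 after a status change; kept as a parameter so an
        # installation whose publishers restart at 1 can be modelled as well.
        self.first_sq = first_sq_after_change
        self.last: Dict[str, Tuple[int, int]] = {}

    def check(self, m: GooseMsg) -> List[str]:
        alarms: List[str] = []

        # Transmission time = wire arrival minus the publisher's EntryTime stamp.
        delay = m.arrival_time - m.entry_time
        if delay < 0:
            alarms.append("TIME_SYNC_FAULT: EntryTime lies in the future")
        elif delay > MAX_TRANSFER_TIME_S:
            alarms.append(f"LONG_TRANSMISSION_TIME: {delay * 1000:.1f} ms exceeds 3 ms")

        prev = self.last.get(m.gocb_ref)
        if prev is not None:
            prev_st, prev_sq = prev
            if m.st_num < prev_st:
                alarms.append("STATUS_NUMBER_FAULT: stNum decreased (publisher restart or replayed frame)")
            elif m.st_num == prev_st:
                # Same state: a retransmission must carry the next sequence number.
                if m.sq_num != prev_sq + 1:
                    alarms.append(f"SEQUENCE_NUMBER_FAULT: expected sqNum {prev_sq + 1}, got {m.sq_num}")
            else:
                # New state: stNum must advance by exactly one and sqNum must restart.
                if m.st_num != prev_st + 1:
                    alarms.append(f"STATUS_NUMBER_FAULT: stNum jumped from {prev_st} to {m.st_num}")
                if m.sq_num != self.first_sq:
                    alarms.append(f"SEQUENCE_NUMBER_FAULT: sqNum {m.sq_num} after state change, expected {self.first_sq}")

        self.last[m.gocb_ref] = (m.st_num, m.sq_num)
        return alarms


def analyse(stream: List[GooseMsg]) -> List[List[str]]:
    """Run one monitor over a stream; returns the alarm list raised for each frame."""
    mon = GooseMonitor()
    return [mon.check(m) for m in stream]


# Constructed stream from one publisher; times are seconds since epoch.
_REF = "IED1LD0/LLN0$GO$gcb01"
_T0 = 1_700_000_000.0
SAMPLE_STREAM = [
    GooseMsg(_REF, 5, 0, _T0,         _T0 + 0.0008),          # new state, 0.8 ms: fine
    GooseMsg(_REF, 5, 1, _T0 + 0.002, _T0 + 0.002 + 0.0009),  # retransmission: fine
    GooseMsg(_REF, 5, 3, _T0 + 0.006, _T0 + 0.006 + 0.0007),  # sqNum 2 missing
    GooseMsg(_REF, 6, 0, _T0 + 0.010, _T0 + 0.010 + 0.0045),  # state change, but 4.5 ms late
    GooseMsg(_REF, 4, 0, _T0 + 0.014, _T0 + 0.014 + 0.0005),  # stNum went backwards
]

if __name__ == "__main__":
    for msg, alarms in zip(SAMPLE_STREAM, analyse(SAMPLE_STREAM)):
        print(f"stNum={msg.st_num} sqNum={msg.sq_num}: {alarms or 'ok'}")
```

The transmission-time check only means something if the monitor's own clock is synchronised to the same PTP grandmaster as the publishers, which is why a negative delay is reported as a time-synchronisation fault rather than ignored.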
The concept can also be applied to MMS communication. The system model shows which logical nodes are controlling which items of equipment. This enables a distinction to be made between correct/incorrect (or critical/non-critical) actions. “The same sequence in the MMS protocol is used whenever a circuit breaker trips or IEC 61850 test mode is activated. The effect in the installation is however markedly different in each case,” states Klien, adding: “If a test PC switches the IEC 61850 test mode of a relay, this may well be a justified action as part of a protection test. However, what would most likely not be permitted is if the test PC were to trip a breaker.”
Besides avoiding false alarms, it is also vital that the displayed alarm messages are easily understood by protection and process control engineers alike. This not only speeds up response times, it also means that IT security experts and the protection and process control engineers can work closely together. To enable alarms to be allocated more accurately to bays and devices, they are represented in StationGuard not just as an alarm list that a firewall might provide, but are also displayed graphically in a zero-line diagram – an overview display introduced with OMICRON StationScout.
To reduce false alarms even further, the routine testing and maintenance operations are also represented in the system model of the installation in StationGuard. This means that the system model can also contain the testing equipment, including the protection test sets.
Configuring the IDS system
“Monitoring begins as soon as the device is switched on and cannot, for security reasons, be disabled,” says Klien. All IEDs are shown as unknown devices until the installation’s SCD file is loaded, after which the IEDs and the structure of the installation are displayed in the zero-line diagram.
“The configuration can also be prepared in the office and quickly installed on-site,” he notes. In situations where the SCD file does not contain all the IEDs, additional ones can be imported individually. After importing, the user can then assign roles such as Test PC or Engineering PC, etc. to the remaining unknown devices.
If an action is “not permitted”, an alarm is raised. This alarm can be passed to the control centre via the gateway/RTU (Remote Terminal Unit). Alternatively, alarms can be sent to a separate Security Information and Event Management (SIEM) system that collates security warnings. Depending on the hardware version in use, binary outputs are available that can be used to transmit alarms to an RTU very simply. In this case, alarm messaging takes place without any network communication and the alarms can be integrated into the signal list of the control centre just like any other hard-wired signal.
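The role-based assessment of MMS control operations described earlier (a test PC may set test mode but may not trip a breaker) and the configuration steps just outlined (devices are unknown until the SCD is imported, then roles such as Test PC or Engineering PC are assigned) come together in the following added example. It is not OMICRON's code: the device table, control object references and permission table are constructed for illustration; in a real installation the mapping from control objects to equipment would come from the SCD file.

```python
"""Role-based assessment of IEC 61850 MMS control operations against a system model.

Added illustration, not OMICRON code.  The device roles, control object references and
the permission table are constructed for this example; a real deployment would take the
control objects and the equipment they act on from the installation's SCD file.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Set


class Role(Enum):
    IED = auto()
    GATEWAY = auto()          # RTU / gateway carrying control-centre commands
    TEST_PC = auto()
    ENGINEERING_PC = auto()
    UNKNOWN = auto()          # not in the SCD and no role assigned yet


class Effect(Enum):
    SWITCH_PRIMARY_EQUIPMENT = auto()   # e.g. trip or close a circuit breaker
    SET_TEST_MODE = auto()              # e.g. put a relay into IEC 61850 test mode


# Constructed: which control objects act on which kind of equipment (from the SCD in practice).
CONTROL_EFFECTS: Dict[str, Effect] = {
    "IED1LD0/CSWI1$CO$Pos": Effect.SWITCH_PRIMARY_EQUIPMENT,   # breaker Q0, bay E01
    "IED1LD0/LLN0$CO$Mod":  Effect.SET_TEST_MODE,              # relay mode (on/test/...)
}

# Constructed policy: which roles may cause which effect.  Anything not listed is "not permitted".
PERMITTED: Dict[Role, Set[Effect]] = {
    Role.GATEWAY: {Effect.SWITCH_PRIMARY_EQUIPMENT},
    Role.TEST_PC: {Effect.SET_TEST_MODE},
    Role.ENGINEERING_PC: set(),
    Role.IED: set(),
    Role.UNKNOWN: set(),
}


@dataclass
class MmsOperate:
    src_ip: str      # client that sent the Operate request
    obj_ref: str     # controllable object reference, e.g. "IED1LD0/CSWI1$CO$Pos"
    value: str       # requested value, e.g. "off" for a trip, "test" for test mode


@dataclass
class Alarm:
    severity: str    # "CRITICAL" for switching actions, "WARNING" otherwise
    text: str


def assess(op: MmsOperate, devices: Dict[str, Role]) -> Optional[Alarm]:
    """Return None if the operation is permitted for the client's role, else an Alarm."""
    role = devices.get(op.src_ip, Role.UNKNOWN)
    effect = CONTROL_EFFECTS.get(op.obj_ref)
    if effect is None:
        # A control object the system model does not know at all is itself worth an alarm.
        return Alarm("WARNING", f"{op.src_ip} ({role.name}): Operate on unknown object {op.obj_ref}")
    if effect in PERMITTED[role]:
        return None
    severity = "CRITICAL" if effect is Effect.SWITCH_PRIMARY_EQUIPMENT else "WARNING"
    return Alarm(severity, f"{op.src_ip} ({role.name}) {effect.name} on {op.obj_ref} = {op.value}: not permitted")


def assess_all(ops: List[MmsOperate], devices: Dict[str, Role]) -> List[Optional[Alarm]]:
    """Assess a sequence of Operate requests; one entry (Alarm or None) per request."""
    return [assess(op, devices) for op in ops]


# Constructed device table as it would look after SCD import and manual role assignment.
DEVICES: Dict[str, Role] = {
    "10.0.0.1":  Role.GATEWAY,
    "10.0.0.11": Role.IED,
    "10.0.0.50": Role.TEST_PC,
    "10.0.0.60": Role.ENGINEERING_PC,
}

# Constructed sequence of Operate requests observed on the station bus.
SAMPLE_OPS = [
    MmsOperate("10.0.0.1",  "IED1LD0/CSWI1$CO$Pos", "off"),   # control centre trips Q0: permitted
    MmsOperate("10.0.0.50", "IED1LD0/LLN0$CO$Mod",  "test"),  # test PC sets test mode: permitted
    MmsOperate("10.0.0.50", "IED1LD0/CSWI1$CO$Pos", "off"),   # test PC trips Q0: CRITICAL
    MmsOperate("10.0.0.99", "IED1LD0/LLN0$CO$Mod",  "test"),  # device with no role: WARNING
]

if __name__ == "__main__":
    for op, alarm in zip(SAMPLE_OPS, assess_all(SAMPLE_OPS, DEVICES)):
        print(alarm.text if alarm else f"{op.src_ip}: {op.obj_ref} = {op.value}: permitted")
```

The point of keying the policy on the effect rather than on the MMS service is the one Klien makes: a trip and a test-mode change look identical at protocol level, and only the system model's knowledge of what each control object drives lets the monitor tell a routine test from a critical switching action.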
Cybersecurity of the IDS
“We’ve all seen it in Hollywood films: the intruders always go for the alarm system first,” says Klien. An important security feature of StationGuard is that it uses autonomous, secure hardware rather than a virtual machine. Both hardware versions of StationGuard, the 19-inch version (RBX1) for permanent installation in substations and the mobile version (MBX1), are hardened to the same extent and use a secure cryptochip that conforms to ISO/IEC 11889 (the Trusted Platform Module standard). This ensures that the cryptographic keys are not stored in flash memory but on a separate chip that is protected against manipulation.
The OMICRON certificates are installed on this chip during the production process to provide a secure, mutually verifiable boot chain. The signatures of the next module or driver to be loaded are therefore checked at every stage of the firmware boot process. As a result, only software with an OMICRON signature can be installed and executed. The device’s memory is encrypted using a key that is unique to this hardware and is protected on the cryptochip.
Additional mechanisms ensure that the processes on the device cannot be attacked or misused; the philosophy of “defence in depth” thus extends deep into the software running on the device.