Protecting critical infrastructure: the importance of making power grids secure-by-design

IEC 62351 standards for secure-by-design power systems communications

For the second year in a row the World Economic Forum has listed cyber attacks as one of the top five global risks, and highlights that an attack on a country’s electricity system could potentially have devastating effects. Power grid risk has increased because of expanded connectivity to IT and other systems, which exposes grids to more threats. At the same time, threat actors are focusing more on critical infrastructure attacks, and are benefiting from the availability of malware toolsets on the internet.

Power grids must be secure-by-design

Unfortunately, defending today’s power systems is challenging because they typically use communication protocols optimized for bandwidth and efficiency, with little or no security protection. Furthermore, many grids have received little to no security enhancement since deployment.

To help counter this problem, in the early 2000s IEC Technical Committee (TC) 57, a group devoted to power system management standards, started working on how to make power grids secure-by-design. Working Group (WG) 15 was formed to evaluate the requirements from a technology perspective, and define a standard way to implement them.

I’ve been a member of WG15 since 2015, and led the Nozomi Networks hosting of the WG15 Winter ’17 meeting in Lugano, Switzerland. As we approach the group’s next meeting this spring, I thought it might be helpful to inform you about these standards and provide an update on their status.

Overview of WG15

First a brief overview of WG15. The group is made up of ICS operators, SCADA engineers, security specialists, and networking experts from 90 organizations worldwide. Members include ABB, Siemens, Schneider Electric, General Electric, Enel, IREQ, Nozomi Networks and others.

Together we have identified the components needed for a secure-by-design power system. These include the end-to-end encryption principle, the definition of roles for all users and identity management, and pervasive monitoring of the system itself.

Another duty of WG15 is to review other Working Groups’ documents to assess and validate their cyber security aspects.

Status of the IEC 62351 Standards

Currently, the 62351 family of standards (see IEC 62351-1: Introduction for an in-depth overview) describes the architecture of a secure power system and standardizes its protocols and components. For a broader overview of that architecture, IEC 62351-10: Security Architecture Guidelines for TC57 Systems is also worth reading.

To truly obtain effective end-to-end security, secure protocols must:

  1. establish secure connections based on trusted private keys held by the actors, and
  2. have a repository of actors allowed to act inside the system.

The former is standardized in IEC 62351-9: Key Management, while the latter is standardized in IEC 62351-8: Role-based Access Control (RBAC), and further reviewed and explained in IEC TR 62351-90-1: RBAC Guidelines.

Communication protocols play a key role when it comes to resolving “common OT protocol issues”, such as the lack of authentication, integrity checks, confidentiality, etc. Although some OT protocols already address these areas, very low “protocol security”, that is insecurity-by-design, remains common in the OT world. For this reason, the whole set of power system protocols designed under the IEC umbrella has been extended to provide end-to-end encryption, identity management and RBAC.
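The two requirements listed above (a trusted key per actor, and a repository of who is allowed to do what) in one runnable sketch. This is an added example, not code from the article, from Nozomi Networks or from the IEC standards: an HMAC over a per-actor secret stands in for the certificate-based identity that IEC 62351-9 specifies, and the actor names, role names and role-to-right table are constructed for illustration rather than copied from IEC 62351-8. The receiver authenticates first, rejects replays, and only then consults RBAC, which is the order a protocol extension of this kind needs so that an unauthenticated command never reaches the authorization step.

```python
"""Added example (not from the article, Nozomi Networks or IEC 62351): a toy
model of the two requirements above. A per-actor secret key stands in for the
certificate-based identity of IEC 62351-9; the RBAC tables are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Key repository, provisioned out of band (constructed values). Under
# IEC 62351-9 this would be X.509 certificates and private keys.
ACTOR_KEYS: Dict[str, bytes] = {
    "hmi-operator-01": b"constructed-key-operator",
    "maint-laptop-07": b"constructed-key-maint",
}

# RBAC repository: role held by each actor, and rights per role.
# Illustrative only; the normative role/right table lives in IEC 62351-8.
ACTOR_ROLES: Dict[str, str] = {
    "hmi-operator-01": "OPERATOR",
    "maint-laptop-07": "VIEWER",
}
ROLE_RIGHTS: Dict[str, set] = {
    "VIEWER": {"VIEW", "READ"},
    "OPERATOR": {"VIEW", "READ", "CONTROL"},
    "ENGINEER": {"VIEW", "READ", "CONFIG"},
}


def _canonical(body: dict) -> bytes:
    # Stable serialization so sender and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(actor: str, key: bytes, action: str, target: str, seq: int) -> dict:
    """Sender side: bind identity, command and sequence number under a MAC."""
    body = {"actor": actor, "action": action, "target": target, "seq": seq}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def authorize(msg: dict, last_seq: Dict[str, int]) -> Tuple[bool, str]:
    """Receiver side: authenticate, check freshness, then consult RBAC."""
    body = msg["body"]
    actor = body["actor"]
    key = ACTOR_KEYS.get(actor)
    if key is None:
        return False, "unknown actor"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return False, "integrity/authentication failure"
    if body["seq"] <= last_seq.get(actor, -1):
        return False, "replayed or stale message"
    last_seq[actor] = body["seq"]
    role = ACTOR_ROLES.get(actor)
    if role is None:
        return False, "authenticated actor has no role"
    if body["action"] not in ROLE_RIGHTS.get(role, set()):
        return False, f"role {role} lacks right {body['action']}"
    return True, f"{actor} as {role} may {body['action']} {body['target']}"


def demo() -> List[Tuple[bool, str]]:
    """Five messages: one good, one replay, one over-privileged, one tampered, one forged."""
    seen: Dict[str, int] = {}
    op_key = ACTOR_KEYS["hmi-operator-01"]
    good = build_message("hmi-operator-01", op_key, "CONTROL", "CB-12", 1)
    viewer = build_message("maint-laptop-07", ACTOR_KEYS["maint-laptop-07"], "CONTROL", "CB-12", 1)
    tampered = build_message("hmi-operator-01", op_key, "READ", "CB-12", 2)
    tampered["body"]["action"] = "CONTROL"          # altered after signing
    forged = build_message("hmi-operator-01", b"wrong-key", "CONTROL", "CB-12", 3)
    return [authorize(m, seen) for m in (good, good, viewer, tampered, forged)]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The second and fourth messages show why the key repository and the RBAC repository are both needed: a VIEWER with a perfectly valid key is still denied CONTROL, and a message whose action was changed after signing is rejected before RBAC is even consulted.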

Of course, existing secure protocols like TLS (Transport Layer Security) play a big role, but many other aspects have been tackled to define all facets of a secure architecture. These include:

  • Using certificates for all devices
  • Standardizing how to handle unusually long-lived TLS sessions
  • Creating completely new encryption sub-protocols for specific use cases

Monitoring Power Systems with IEC 62351 Standards

In the IEC 62351 family of standards, end-to-end encryption is certainly an important feature, but system monitoring plays a key role as well. Several parts are in fact devoted to monitoring the health of a power system:

  • Part 7 (IS, International Standard) is focused on the active monitoring of IEDs and other power system components. A generic approach (via UML) has been used in the standard to define what needs to be monitored. Additionally, a pragmatic SNMPv3 mapping profile is provided for monitoring a dedicated set of MIBs (Management Information Bases).
  • Part 14 (in draft right now) is focused on the logs that power system components should generate. Standardizing the format and the semantics helps lower the cost of implementation and maintenance of power grid log management solutions.
  • Part 90-2 (TR, Technical Report) is focused on how Deep Packet Inspection (DPI) of IEC 62351 encrypted channels can be carried out. The document explains the state of the art of existing DPI techniques and how they can be applied to monitor IEC 62351 channels today. It also serves as the reference for analyzing which changes to protocols and technologies would enable easier and more secure DPI of communications.

A lot of discussion has occurred on this topic because of its controversial nature. Nonetheless, deep monitoring of encrypted communications in a machine-to-machine framework offers more advantages than drawbacks, including full visibility of ongoing activities.

  • Part 90-3 (in draft right now) is focused on putting the three parts above together. It aims to provide practical examples of how to monitor a power system in order to obtain deep visibility and support forensic analysis, consequently enabling a more dependable and resilient system.
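To make the monitoring side concrete, here is an added example (not from the article, Nozomi Networks or the IEC drafts) that runs two simple detections over constructed event lines of the kind a component with standardized log semantics would emit: a burst of authentication failures from one actor, and a TLS session that runs past a re-key interval without re-keying. The key=value layout, the field and event names, the three-failures-in-60-seconds threshold and the one-hour re-key limit are all assumptions made for the example; Part 14 is still a draft and its format is not reproduced here.

```python
"""Added example (not from the article, Nozomi Networks or IEC 62351): two
detections over constructed key=value event lines. Field names, event names
and thresholds are assumptions; the Part 14 draft format is not reproduced."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events from one IED, in an invented key=value layout.
SAMPLE_LOG = """\
2023-03-01T08:00:00Z dev=ied-17 evt=TLS_OPEN sess=a1 peer=gw-02
2023-03-01T08:00:05Z dev=ied-17 evt=AUTH_FAIL actor=maint-laptop-07 reason=bad-cert
2023-03-01T08:00:09Z dev=ied-17 evt=AUTH_FAIL actor=maint-laptop-07 reason=bad-cert
2023-03-01T08:00:12Z dev=ied-17 evt=AUTH_FAIL actor=maint-laptop-07 reason=bad-cert
2023-03-01T08:00:30Z dev=ied-17 evt=AUTH_OK actor=hmi-operator-01 role=OPERATOR
2023-03-01T08:30:00Z dev=ied-17 evt=TLS_OPEN sess=b2 peer=gw-03
2023-03-01T08:45:00Z dev=ied-17 evt=TLS_REKEY sess=a1
2023-03-01T09:40:00Z dev=ied-17 evt=TLS_CLOSE sess=b2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {token!r}")
        rec[key] = value
    return rec


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_auth_bursts(records, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Alert when one actor fails authentication `threshold` times inside a sliding `window`."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[str] = []
    for r in records:
        if r.get("evt") != "AUTH_FAIL":
            continue
        actor = r.get("actor", "?")
        now = parse_ts(r["ts"])
        recent[actor] = [t for t in recent[actor] if now - t <= window] + [now]
        if len(recent[actor]) >= threshold:
            alerts.append(f"auth-fail burst: {actor} on {r['dev']} ({len(recent[actor])} in {int(window.total_seconds())}s)")
            recent[actor] = []  # one alert per burst
    return alerts


def detect_stale_tls(records, max_age: timedelta = timedelta(hours=1)) -> List[str]:
    """Alert when a TLS session runs longer than `max_age` without a re-key (constructed policy)."""
    last_key: Dict[str, datetime] = {}
    dev_of: Dict[str, str] = {}
    alerts: List[str] = []
    last_ts = None
    for r in records:
        now = parse_ts(r["ts"])
        last_ts = now
        evt, sess = r.get("evt"), r.get("sess")
        if sess is None:
            continue
        if evt == "TLS_OPEN":
            last_key[sess], dev_of[sess] = now, r["dev"]
        elif evt in ("TLS_REKEY", "TLS_CLOSE") and sess in last_key:
            age = now - last_key[sess]
            if age > max_age:
                alerts.append(f"tls session {sess} on {dev_of[sess]} ran {int(age.total_seconds())}s without re-key")
            if evt == "TLS_REKEY":
                last_key[sess] = now
            else:
                del last_key[sess]
    # Sessions still open when the log ends are measured against the last timestamp seen.
    for sess, t0 in last_key.items():
        age = last_ts - t0
        if age > max_age:
            alerts.append(f"tls session {sess} on {dev_of[sess]} open {int(age.total_seconds())}s since last key")
    return alerts


def analyze(text: str) -> Dict[str, List[str]]:
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return {"auth_bursts": detect_auth_bursts(records), "stale_tls": detect_stale_tls(records)}


if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, "->", alert)
```

On the sample, session a1 re-keys after 45 minutes and stays quiet, while b2 is closed after 70 minutes with no re-key and is flagged; the three failed certificate checks from the same laptop within seven seconds produce the second alert. Both detections depend only on the events having agreed names and fields, which is exactly the cost saving the standardization of log semantics is meant to deliver.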

Moreno Carullo is a member of IEC TC 57/WG 15. He is co-founder and Chief Technical Officer at Nozomi Networks. A version of this article originally appeared in the Nozomi Networks Blog.