StationGuard-Functional Security Monitoring for Substations
16Pages

StationGuard Functional Security Monitoring for Substations

IT security in substations There has been an increase in recent years in the number of cyber attacks against critical control systems in production facilities and energy supply companies. Many utilities are, therefore, introducing processes to reduce the risk of cyber attacks. Until now, these measures mainly concentrate on IT networks and control centers. However, substations and their station and process bus networks also represent critical attack vectors. As a consequence, the operation and maintenance processes of substations must also be included in the cyber security risk assessment....

Firewalls do not provide in-depth protection There are many ways of circumventing a firewall. Many substations employ remote access to retrieve fault records or to adapt settings in IEDs. These connections provide a route by which malware can find its way into the devices in the substation. Maintenance and testing PCs provide another channel of infection. These PCs may be either permanently installed or be brought into the substation temporarily. These PCs are either connected to the entire network, or directly to individual protection or control devices. Files transferred to such PCs can...

How intrusion detection systems (IDS) work To detect threats in the network, there are various approaches in terms of technology and usage. In most cases, these approaches are based on one of the following two technologies or a combination of both. Signature-based approach (blacklist) The IDS scans for patterns of known attacks, an approach that is often used by virus scanners. It allows known viruses and attack behavior to be identified and only throws up the occasional false positive. The disadvantage is that if the attacker modifies the pattern, it may not be detected anymore. Another...

StationGuard knows all communication paths by evaluating the SCL files. In the case of IEC 61850 substations, the entire automation system, with all its IEDs, data models, and communication parameters, is described in a standardized format known as the SCL (Substation Configuration Language). This also includes the primary assets and frequently even the single-line diagram of the substation. This information can be utilized to develop a completely new approach for detecting cyber attacks. StationGuard creates a complete system model of the automation system and the substation and then...

The Whitelist Approach of StationGuard Security down to the minutest detail The fact that all traffic is monitored and validated in such detail means that it detects not just threats to IT security, such as illegal encodings and unauthorized control operations. StationGuard also identifies communication errors, time synchronization problems, and hence different kinds of malfunctions in the substation. If the IDS also knows the single-line diagram, then there is virtually no limit to the depths to which monitoring can be carried out. For example: StationGuard currently recognizes 35...

What about MMS communication? The IEC 61850 standard provides information about which data points control which items of equipment. For example, the same sequence (Select-Before-Operate) is used in the MMS protocol to control a circuit breaker or to change the IEC 61850 test mode setting. The effect in the installation is markedly different in each case. StationGuard is able to make this distinction and knows which device should be allowed to control what and in which situation. What‘s the situation with other protocols? StationGuard analyzes several protocols right down to the minutest...

Tailor-made for substations Setup The protection system and the substation automation system (SAS) are part of the critical infrastructure of the power grid. To set up, operate, and maintain conventional Intrusion Detection Systems (IDS), IT specialists and substation engineers are needed. Both types of specialists must be on call around the clock to be able to respond when an alarm occurs. The costs involved with this are unacceptable for many utilities. StationGuard offers substation operators a new, low maintenance alternative. After connecting StationGuard to the mirror ports of the...

Normal operation Behavior during routine testing StationGuard analyzes all communication and knows precisely which information may or may not be transmitted at any given moment in time. It is also aware of the workflows and conditions during normal operations: Which devices are allowed to be active now? Which control commands are permitted and does the response to them make sense? Which measured values are being transmitted? Is the timing of the messages correct? This enables any likely problems with the IEDs or the network to be detected at an early stage or before they fail. Testing and...

Easily understandable alarm messages Reliably identify anomalies Analyzing and forwarding alarms The reports triggered by a security system should assist the operator, not cause further confusion. This is why the alarms of StationGuard not only appear in an event list, as it is the case with firewalls, but are shown graphically in the overview diagram. The language and terms used in the alarm messages are understandable – special IT terminology is avoided. When an alarm occurs, it is output via the binary outputs on the RBX1 hardware platform which enables easy forwarding to the control...

„It was important for us in development that the logbook cannot be modified. Events can be archived, but not deleted." Logbook In addition to the graphical view, alarms are also recorded in an event log, the logbook. If an authorized user makes configuration changes or acknowledges alarms, this is recorded there. In the logbook, for example, all past events relating to a particular device can be accessed. With that, trends can also be detected even for events only occurring sporadically. Bekannte Gerate Detailed alarm display: Clearly understandable alarm messages, attributed to operations...