Tuesday, September 2, 2014

Cyber Security in Industrial Control Systems – Is this enough?

Cyber security is more than a hype. Is this enough to reach a secure and stable power system? No!

I found a very good documentation on cyber security measure:

Since February 2013, industrial stakeholders (final users, vendors, integrators, professional organizations, etc.) and French governmental entities have been working together on elaborating concrete and practical proposals to improve the cyber security of critical infrastructures.

The first results of this working group are the following two documents:

  • The first document describes a classification method for industrial control systems and the key measures to improve their cyber security.
  • The second one gives a more in-depth description of applicable cyber security measures.

Click HERE for the website with the links to the two documents. Nice reading!

These measures (comparable to those listed by many other organizations and groups) will help to improve the cyber security of critical infrastructures. No question.

Do these measures help to keep the power flowing, help to keep a stable and highly available power system? To some extend these measures solve mainly issues that are caused by new control system solutions based on standards like Ethernet and TCP/IP.

But: What’s about the power system stability? Let’s assume that we have a 100 per cent cyber secure ICS managing the power generation, transmission, distribution, storages, and loads. This “secure” systems may be used in many different ways – taking the physical laws seriously into account or ignoring some basic requirements to keep the power system stable.

One very critical impact on the electrical system is the change of power flow. Each change (more or less generation or load) has to be controlled in a bunch of close loop control systems. If the amount of change in a short time (within seconds) is too high, then the systems is likely to black-out.

A highly secure ICS may be used to configure schedules for feeding power into the power system (generator or storage) or drawing power from the system. The power flow change caused by schedules may exceed the maximum value that can be automatically managed by primary power control systems … risking a power outage.

Who is now responsible that the maximum allowable power flow change in an interconnected power system will be taken into account when we have millions of such schedules? Maybe too may schedules are configured to draw power or feed in starting at 14:00 h today. As a consequence the power flow change could be far beyond the maximum amount that can automatically be managed by the primary power control system (as we have them today in all systems).

Cyber security of ICS is one aspect – system stability of the power system is another. Secure ICS’s are important. A high level of power systems stability is more important and requires secure information and communication systems AND the need of understanding of the power system physics

We have to make sure that any new ICS approach does not allow a huge sudden power flow change! This is true also for all solutions based on standards like IEC 60870-5-10x, DNP3, IEC 61850, or …

These standards would allow to disseminate immediate control commands or specify schedules.

WHO is in charge to have the big picture in mind – to configure power systems in a way that they do not blackout because of commands and settings communicated by highly secure ICS’s? The power system could not differentiate if these commands or settings are intended or caused by hackers.

It is highly recommended to keep an eye on the power system physics and prevent any ICS action (secure or insecure) to danger the stability of the power system!

No comments: