Thursday, March 14, 2013

Security and IEC 61850: Is it about Bug Fixes or Systematic Issues?

These days experts discuss the future of more secure IEDs and systems in the world of Industrial Control Systems (ICS). Note: ICS is also used in power systems – no question.

There are people that focus on single bugs and how to solve them by patching et cetera. Other experts are more looking at the systematic security problems in control systems.

Eric Byres, CTO and vice president of Tofino Security, a division of Belden, says “It will take major players like Exxon, Duke Energy, for instance, and other corporations with the ICS purchasing power, he says, to force vendors to step up and fix the systemic security issues."

Read a comprehensive discussion about the two positions – quite crucial and interesting.

What do you think about translating this statement into the issues we have with IEC 61850 Interoperability?

It will take major players like AEP, SCE, E.ON, EDF, RWE, Duke Energy, for instance, and other corporations with the ICS purchasing power, to force vendors to step up and fix the systemic interoperability issues with regard to IEC 61850."

This would help to prevent a lot of frustrations during factory and site acceptance tests.

Why do we see just a few major players from the utility domain using their force to improve interoperability? There are several reasons I see:

  • Wall Street, Frankfurter Börse, …
  • Ignorance of issues
  • Not enough experts
  • Attitude: just fix what brakes

Recommendation from my side: Vendors and users should cooperate more in Teamwork and agree on writing documents like “How to profile IEC 61850, IEC 60870-5, …” to get specific profile specifications for a specific application that have (hopefully) not left options to ignore or to chose from.

A good example is the Vattenfall VHP Ready specification (Virtual Heat an Power). This spec defines the IOA for signals according to IEC 60870-5-104 and the Logical Device, Logical Node and Data Object Names.

Example 104:

image

Example IEC 61850:

image

image

If utilities do not specify what they want, they may experience a big surprise when they get the system delivered and installed. They may get much less or much more than what they expected.

And note this: When we get more standard conformant and interoperable IEDs installed, they are definitely linked to the Security issues discussed at the beginning!

What we are looking for is: Interoperable and Secure IEDs and Systems. We should not separate these two requirements! They are highly interrelated.

No comments: