Tuesday, August 8, 2017

Draft for Role Based Access Control (RBAC) Published (IEC 62351-90-1)

IEC TC 57 published the IEC TR 62351-90-1 Draft for Role Based Access Control (RBAC) [57/1905/DTR]:

IEC 62351 Data and communications security –
Part 90-1: Guidelines for handling role-based access control in power systems

The voting period closes on 2017-09-29.

"The power system sector is adopting security measures to ensure the reliable delivery of energy. One of these measures comprises Role-based Access Control (RBAC), allowing utility operators, energy brokers and end-users to utilize roles to restrict the access to equipment and energy automation functionalities on a need-to-handle basis. The specific measures to realize this functionality have been defined in the context of IEC 62351-8. It defines 3 profiles for the transmission of RBAC related information. This information is, but not limited to, being contained in public key certificates, attribute certificates, or software tokens. Moreover, especially for IEC 61850, it defines a set of mandatory roles and associated rights. The standard itself also allows the definition of custom roles and associated rights, but this is not specified in a way to ensure interoperability."

Data and communication security is a crucial issue in the communication between multiple IEC 61850 clients and an IED with a single IEC 61850 server. The administration of the roles and further behavior requires highly complex (centralized!?) administration and complex functionality in each IED implementing RBAC.

The following aspects have a big impact on implementations:
  1. TCP/IP Networking,
  2. General security measures like TLS,
  3. RBAC,
  4. MMS,
  5. IEC 61850 Services, Models and Configuration, and
  6. Power system functionalities (key for the power delivery system) on top.

The bulk of the resources needed is largely independent of the MMS protocol and services. People who want to use other protocols cannot really expect that the cost of getting secure communication and data will be lower: most of the effort is related to non-protocol issues.

The second, third, fifth, and sixth items are the most crucial.

In addition to the cost of implementing RBAC (including the other required parts of the IEC 62351 series), one has to understand that the operation, management, engineering, and configuration of RBAC consume a relatively huge amount of the resources of the embedded controllers or other platforms. That is one of the crucial reasons why many IEDs installed today cannot (and likely will not) be upgraded for the measures defined in the IEC 62351 series.

Recommendation: Start as soon as possible to understand the impact of the measures defined in IEC 62351 and how to implement some or many of these measures.

Related documents of the series IEC/TS 62351, Power systems management and associated information exchange – Data and communications security, are:

Part 1: Communication network and system security – Introduction to security issues
Part 3: Communication network and system security – Profiles including TCP/IP
Part 4: Profiles including MMS
Part 5: Security for IEC 60870-5 and derivatives
Part 8: Role-based Access Control
