Showing posts with label ICS cyber security. Show all posts

Sunday, September 24, 2023

Are IEC 61850 based Systems Cyber-Secure?

Often you hear arguments that IEC 61850 based systems are not cyber-secure ... is that true?

The truth is: the IEC 61850 series refers to the IEC 62351 series. Example:

IEC 62351-4: Power systems management and associated information exchange – Data and communications security – Part 4: Profiles including MMS and derivatives

IEC 61850-8-1 (mapping to MMS) requires the use of TLS for MMS associations, as specified in IEC 62351: IEC 61850-8-1 points to IEC 62351-6 (security for IEC 61850), which in turn uses the MMS/TLS profile of IEC 62351-4. One practical caveat: the standard specifies the profile, but a given installation is only protected if the IEDs and clients actually implement it, if it is switched on, and if the certificates are provisioned and renewed.

Click HERE to access the preview of IEC 61850-8-1 (referring to IEC 62351) and HERE for the preview of IEC 62351-6.

Another measure to protect an IEC 61850 based system is to monitor the traffic and compare it with the communication relations and contents configured in the engineering (SCL) files:

Click HERE to watch a brief video from Omicron that shows some means to support cyber-security in IEC 61850 based systems. 
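One way to do that comparison, as an added example that is not code from the post, from Omicron or from any vendor: build a baseline from the SCD file and check observed GOOSE and MMS events against it. The SCD excerpt, the IP and MAC addresses and the observed events below are constructed for the example; only the element names follow the SCL schema.

```python
"""Baseline from SCL vs. observed traffic on an IEC 61850 station bus (added example)."""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD excerpt (not a real substation): PROT1 publishes one GOOSE message and
# reports to exactly one configured client, SCADA1. All addresses are made up.
SCD_XML = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT1" apName="AP1">
        <Address><P type="IP">10.0.0.11</P></Address>
        <GSE ldInst="LD0" cbName="gcb01">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="APPID">0001</P>
            <P type="VLAN-ID">005</P>
          </Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="SCADA1" apName="AP1">
        <Address><P type="IP">10.0.0.100</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT1">
    <AccessPoint name="AP1"><Server>
      <LDevice inst="LD0">
        <LN0 lnClass="LLN0" inst="" lnType="LLN0_T">
          <ReportControl name="urcb01" datSet="dsMeas" rptID="PROT1/MEAS" buffered="false">
            <RptEnabled max="2">
              <ClientLN iedName="SCADA1" apRef="AP1" ldInst="LD0" lnClass="IHMI" lnInst="1"/>
            </RptEnabled>
          </ReportControl>
          <GSEControl name="gcb01" datSet="dsTrip" appID="PROT1/gcb01" type="GOOSE"/>
        </LN0>
        <LN lnClass="CSWI" inst="1" prefix="Q0" lnType="CSWI_T"/>
        <LN lnClass="CSWI" inst="2" prefix="Q1" lnType="CSWI_T"/>
      </LDevice>
    </Server></AccessPoint>
  </IED>
</SCL>"""


def build_baseline(scd_xml):
    """Configured GOOSE addressing, IP-to-IED map and the allowed (client, server) pairs."""
    root = ET.fromstring(scd_xml)
    goose, ip_to_ied = {}, {}
    for cap in root.iterfind(".//scl:ConnectedAP", NS):
        ied = cap.get("iedName")
        for p in cap.iterfind("scl:Address/scl:P", NS):
            if p.get("type") == "IP":
                ip_to_ied[p.text.strip()] = ied
        for gse in cap.iterfind("scl:GSE", NS):
            params = {p.get("type"): p.text.strip() for p in gse.iterfind("scl:Address/scl:P", NS)}
            ref = "%s%s/LLN0$GO$%s" % (ied, gse.get("ldInst"), gse.get("cbName"))
            goose[ref] = (params["MAC-Address"].upper(), int(params["APPID"], 16))
    clients = set()  # only IEDs listed as report clients are expected to open MMS associations
    for ied in root.iterfind("scl:IED", NS):
        for cl in ied.iterfind(".//scl:ReportControl/scl:RptEnabled/scl:ClientLN", NS):
            clients.add((cl.get("iedName"), ied.get("name")))
    return {"goose": goose, "ip_to_ied": ip_to_ied, "clients": clients}


def enumerate_controls(scd_xml):
    """What anyone holding the SCD learns: every controllable switch (CSWI.Pos) in the system."""
    root = ET.fromstring(scd_xml)
    refs = []
    for ied in root.iterfind("scl:IED", NS):
        for ld in ied.iterfind(".//scl:LDevice", NS):
            for ln in ld.iterfind("scl:LN", NS):
                if ln.get("lnClass") == "CSWI":
                    refs.append("%s%s/%sCSWI%s.Pos" % (ied.get("name"), ld.get("inst"),
                                                        ln.get("prefix", ""), ln.get("inst")))
    return refs


def check_traffic(baseline, events):
    """Compare observed events with the configured baseline; return a list of alert strings."""
    alerts = []
    for ev in events:
        if ev["type"] == "GOOSE":
            configured = baseline["goose"].get(ev["gocbRef"])
            seen = (ev["dst_mac"].upper(), ev["appid"])
            if configured is None:
                alerts.append("GOOSE from unknown control block %s" % ev["gocbRef"])
            elif configured != seen:
                alerts.append("GOOSE %s addressing mismatch: seen %s/%#06x, configured %s/%#06x"
                              % (ev["gocbRef"], seen[0], seen[1], configured[0], configured[1]))
        elif ev["type"] == "MMS":
            client = baseline["ip_to_ied"].get(ev["src_ip"], ev["src_ip"])
            server = baseline["ip_to_ied"].get(ev["dst_ip"], ev["dst_ip"])
            if (client, server) not in baseline["clients"]:
                alerts.append("unconfigured MMS association %s -> %s" % (client, server))
    return alerts


# Constructed observations, as a capture-based monitor would summarise them
EVENTS = [
    {"type": "GOOSE", "gocbRef": "PROT1LD0/LLN0$GO$gcb01", "dst_mac": "01-0c-cd-01-00-01", "appid": 0x0001},
    {"type": "MMS", "src_ip": "10.0.0.100", "dst_ip": "10.0.0.11"},
    # same GoCB reference but a different APPID: injected frame or a changed configuration
    {"type": "GOOSE", "gocbRef": "PROT1LD0/LLN0$GO$gcb01", "dst_mac": "01-0c-cd-01-00-01", "appid": 0x0002},
    # an MMS association from an address that is not a configured client of PROT1
    {"type": "MMS", "src_ip": "10.0.0.250", "dst_ip": "10.0.0.11"},
]

if __name__ == "__main__":
    base = build_baseline(SCD_XML)
    print("controllable objects:", enumerate_controls(SCD_XML))
    for alert in check_traffic(base, EVENTS):
        print("ALERT:", alert)
```

The same file also tells the reader every controllable object (CSWI.Pos) in the system, which is exactly why the SCD itself has to be protected. In a real monitor the events would come from a capture (GOOSE from the Ethernet header and the gocbRef, MMS from the TCP association), and with IEC 62351-4 TLS the client identity would come from the certificate rather than from the IP address.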

There are a lot of activities going on to increase cyber-security in automation systems.

Thursday, January 20, 2022

How To Bring Plant Engineers To The Table When Cyber Issues Are Discussed?

In my career as an electrical and IT engineer I have experienced that engineers are quite often not invited to discuss the measures and plans for critical infrastructure protection with IT personnel.

It is completely different compared to the world of electric power system protection - I mean the applications of protection relays. Protection engineers are (in my understanding) the most crucial engineers. They are very important for the reliable delivery of electric power. Protection engineers are likely to attend any meeting when it comes to the reliability of the power flows. Protection engineers know what to do ... software people may help to implement the "what" and the IT personnel may help to solve the communication issues ... but the crucial parts are dominated by protection engineers!

Mr. Vytautas Butrimas, a globally well known engineer involved in the cyber security of control systems, has briefly discussed the "Berlin wall" between IT personnel and plant engineers.

Click HERE for the four page paper written by Mr. Butrimas.

Each of the groups involved believes that it is the center of the universe. There is little communication between the IT personnel and the engineers.

There are so many semipermeable walls between, e.g., politicians, company lawyers, economists, IT experts, and plant engineers. There is usually no way that experts from one layer are allowed to talk to the experts from the other layers. In the end, each layer feels independent of the other layers ... which leads to what we see these days ... and maybe even more in the future. Have you heard of a discussion between a power protection engineer and a lawyer or even a medical doctor?

It would help medical doctors to understand the basics of electric power system reliability ... and so on. Because medical doctors (and all other people of a society) depend 100% on available power.

So in the end: (Electrical) Engineers should be honored by the society ... the problem may be that the engineers are not wearing white coats but wear safety boots, safety helmets, goggles,  protective gloves, ... a single doctor may harm a few people ... a protection engineer may harm millions of people during a blackout caused by a misconfiguration of protection equipment.

Tuesday, October 27, 2020

Ethernet Comes with a Brand New Easy Solution: Single Pair Ethernet (SPE)

Ethernet is well known globally as a solution for communication. Ethernet has been hated and liked for the last 40 years or so ... alternative solutions have been developed that were marketed as much easier, faster, deterministic, ... think of Token Bus (IEEE 802.4), Profibus, ... and many others.

Now we see a new version: Single Pair Ethernet (SPE). SPE can bring Ethernet at up to 1 Gbit/s and power to the field level using just one twisted pair ... enabling the application of protocols using TCP/IP.

Click HERE for a general description.

Click HERE for a nice presentation by IEEE experts (January 2019)

SPE is a new technology to replace the CAN bus in automobiles (cars, trucks, buses, ... trains) and fieldbuses. SPE is a layer 1 standard ... so it can be used for Profinet, EtherCAT, ... and it can run TCP/IP.

SPE is more intended to replace fieldbus systems ... here my dream of the late 80s becomes true:

Fieldbus Standardization - Another Way to Go

http://blog.nettedautomation.com/2017/05/tsn-fieldbus-standardization-another.html

Additional posts related to the topic:

http://blog.nettedautomation.com/search?q=another+way

The use of SPE for connecting sensors to the cloud follows a trend ... it may increase the sales of component manufacturers.

When I wrote my Diploma Thesis in 1982 (at Siemens) I was asked to analyze Ethernet ... the idea was cancelled because of the very very expensive MAU ... needed two ... each for 23,000 USD ... total of 46,000 USD ... no way to get approval to spend that amount for a "standard" Diploma Thesis ... 

It took some 40 years to get to SPE - likely the real Ethernet ... ;-)

Too late for me ... just retired this year with 67 ... 

One crucial challenge is here: HOW to SECURE a huge number of end nodes (sensors, actuators ...) directly connected to the clouds or data lakes? Compare the situation with Smart(er) Grids: In Smart(er) Grids it is intended to connect millions of smart meters to the entities (clouds!?) that use the data for billing and further applications like controlling millions of inverters or power users. 

In the German power system there is a requirement to use the so-called Smart Meter Gateway (SMGW) to provide highly secure communication channels.

Click HERE to check what has to be implemented ... many megabytes of published PDF documentation of the required specification, like the "Protection Profile for the Gateway of a Smart Metering System (Smart-Meter-Gateway PP)" by the German BSI.

It took many years before the first certified Smart Meter Gateway was offered on the market. And be aware: the administration of this infrastructure is very complex and ... far from cheap and affordable by "everyone".

Many similar huge "security systems" would be required to connect the billions of smart sensors and actuators through Single Pair Ethernet to some centralized entities ... 

SPE is nice - BUT to build secure distributed systems it is required to develop also new security solutions that are as simple as Single Pair Ethernet!!

We have to look at the complete SYSTEM COST, not just at the possibilities of a new physical layer ... SPE increases the problems of implementing secure systems, because it is easier and cheaper to build a huge meshed network of millions of end nodes ... that may not be perfectly secured!

Friday, July 31, 2020

Ten Years After Stuxnet Went Public - And Now?

One of the senior experts in cyber security wrote today:

"Recently many of us noted the 10th Anniversary of when Stuxnet went public. Some commentators think it was for cyberspace a “Hiroshima” type of event. Some have been saying that there have been no other events like it since and this puzzled me. So I wrote my thoughts down to share."

http://scadamag.infracritical.com/index.php/2020/07/31/perhaps-we-are-missing-a-lesson-from-stuxnet/

Another senior expert is wondering why there is little information disclosed and a lack of guidance about control system cyber security incidents that can affect multiple facilities in multiple industries:

https://www.controlglobal.com/blogs/unfettered/information-sharing-on-control-system-cyber-incidents-is-not-working-and-that-can-be-deadly

Both are worth reading!

Monday, July 20, 2020

PhD Student Working On Cyber Security In Critical Infrastructures

Fredrik Heiding (PhD Student) wrote the other day:

Fredrik Heiding, PhD Student, Network and Systems Engineering
KTH, Royal Institute of Technology

I am doing a PhD on cyber security in critical infrastructure. Currently I study the security trends for critical infrastructures in Europe, analyzing where it is heading and how it is developing. To strengthen the study I have identified seven general questions; they are general in nature so they can be answered by people in critical positions without revealing sensitive information.
Here are the questions from Fredrik and the answers from a very senior expert:
See also: http://blog.nettedautomation.com/2020/06/scada-security-matters-should-matter.html
Vytautas Butrimas wrote in the introduction to his answers:
This is a particularly interesting time in CIP. I come from an IT background and have focused mostly on the cybersecurity of industrial control systems in the past 10 years. This has been a long learning curve, for I found that my IT knowledge did not provide enough to understand the engineering and laws of physics that are dominant in the monitoring and control of physical processes found in the pumps and compressors on fuel pipelines, treatment of drinking water, routing of trains, and the generation and distribution of electricity. One needs to know the implications and peculiarities between working IT office time and real time to work in this field.
I looked at your questions and will give brief answers.  If you wish to further discuss them with me then we can do so offline.
---------------------------------
Question 1:
What concerns for the future do you have regarding cyber security in critical infrastructure?

Answer 1:
How the introduction of increased complexity of systems (systems of systems, adding more sensors, increased connectivity) will be managed without taking away from safety, reliability and performance.

Question 2:
Over the past decade, digital attacks have become more central to the security of critical infrastructure. Do you think the trend will continue to increase or culminate?

Answer 2:
There are some signs that things will get better but at the same time they will get more complicated. Security practitioners need to realize that much more attention is needed where the physical process is taking place and the devices closest to it that are monitoring and controlling it, not where they are being monitored by humans in a remote location or control room. ** One more thing: we should not just be focused on "ATTACKS". We also have to consider unintended actions or accidents. As the complexity of systems and connectivity of devices increases so will the unintended or "why did that happen?" incidents. **

Question 3:
What relevant research or technological advances do you find most interesting for the future?

Answer 3:
Have to think about this one.  It feels we are all trying to keep afloat in a tsunami of technological advances.  The ones that worry me the most are the new features which also come with vulnerabilities that need to be addressed before a malicious group decides to exploit them.

Question 4:
Do you see IIoT (Industrial Internet of Things) as an opportunity or a concern, if both, which part is greatest (positive or negative)?

Answer 4:
I see it mostly as a concern (see my earlier answers). I suggest watching a video available on youtube called "Brave New Internet 4.0 " by one of your famous countrymen, Ralph Langner.  The questions and concerns he raised in that lecture IMHO have not been addressed.

Question 5:
Do you have plans to, or do you think that you will expand the cyber security department in the coming years?

Answer 5:
I am currently working my way out of "mandatory retirement" and am not in a position to expand anything (perhaps later this year I will change my answer). If I was in a position of influence at an operator of CI (energy sector for example) I would do my best to set up some support for the senior engineer of the plant. When he sees something unusual going on in the operation he should be able to assign this problem to a security operation center. Could be at least one person or a small team that understands cyber threats and how they could be applied to the engineering side of the operation. The senior plant engineer has to keep things running and does not have time to stop and investigate something. He needs someone to help him and an ICS SOC could be a good solution if management is willing to spend the money for the positions and training.

Question 6:
Can you share anything about past attacks/intrusion attempts, both successful and unsuccessful attempts are interesting?

Answer 6:
Look at the freely available information online. Look up Ralph Langner to learn about STUXNET. It happened 10 years ago and this is probably the most analyzed and documented incident we have today that is publicly available. Much can still be learned, for the methods continue to be applied today. In 2014 in Germany your government (BSI) published its yearly report on cyber incidents. There is a section devoted to a cyber attack on a steel mill that had an uncontrolled shutdown and resulted in damage. Look at the Triton/Trisis/Hatman incident of 2017 where the safety systems of a petrochemical plant tripped not once but twice. Look for video lectures on this from Dale Peterson's S4 conferences in 2018/2019 (see the lecture by Julian Gutmanis and by Schneider Electric).

Question 7:
Has the attitude towards cyber security changed in the last 5 years, why and in which way/

Answer 7:
The attitude is changing and for the better. Much better in the engineering community who have understood how threats from cyberspace can get into their operations. On the other hand as far as government policy makers go they still have a long way to go. Much technical expertise has left government for the private sector leaving some governments blind to some issues. The 3 Little Pigs problem is evident where one thinks one has taken the appropriate measures and built a house of straw or of sticks to protect from the wind and the rain but the possibility of there being a wolf is somehow missed. You would be surprised at how many government policy makers do not know what SCADA is and yet think they are doing a great job at protecting critical infrastructure.
--------------------------------

Tuesday, July 24, 2018

Cyber Security for Industrial Control Systems (ICS) is Going Where?

Cyber Security for Industrial Control Systems (ICS) has been discussed over many years, and it will be discussed forever. There seems to be no end of discussions and solutions ... the end may come when the electric power is switched off, caused by insecure systems.

As long as we have ICS in operation (which is very crucial!) we will see products being developed and offered that are marketed to save the world of ICS.

Dale Peterson wrote a very nice and interesting article about "The Future of the ICS Cyber Security Detection Market" (23 July 2018).

Dale seems to expect that the ICS Cyber Security Detection Market will completely change within a few years. He may be right. My expectation is that change will happen forever, and ever faster.

So, you may decide to wait! That would be the worst decision you can make.

Whatever is available for your system today: use it! The wait for getting started with, e.g., encrypted ICS protocols is over. Use TLS wrappers as much as possible, as soon as possible.

Click HERE for the complete article - worth to read.

Our power systems highly depend on ICS, and ICS highly depend on power systems. The two can only live together. Neither will survive without the other!!

I hope we have enough people who understand that we need more smart people to keep power flowing: electrical engineers and IT experts ... and ...

My recommendation is that we need a better holistic understanding of how power systems and ICS are interdependent ... we should not isolate one from the other ... as was already understood some hundred years ago:

"Hence we must believe that all the sciences are so interconnected, that it is much easier to study them all together than to isolate one from all others. If, therefore, anyone wishes to search out the truth of things in serious earnest, he ought not to select one special science, for all the sciences are conjoined with each other and interdependent."
Rene Descartes (1596-1650)

Finally we will have to accept that reliable electric power will be more expensive soon: a moderately increased price if we care about ICS cyber security, extremely expensive if we fail to protect the power system.


Tuesday, October 3, 2017

Are Devices Using IEC 61850 Vulnerable?

Devices that implement IEC 61850 may be vulnerable, depending on the measures (not) implemented to protect your SYSTEM! There are many layers of security that can be built into the system to make it less vulnerable. IEC 61850 needs additional security measures to hide the semantics of the information being exchanged in a system.

IEC 61850 has well defined models for controlling switchgear: the logical node CSWI with its data object Pos is used to operate any kind of switchgear, like a circuit breaker, disconnector or earthing switch. If a client (SCADA, RTU, proxy, ...) has "open" access to an IED, it can use the self-description to figure out which CSWI instances are available ... and can try to use MMS Write on Pos (Oper) to open or close a switch. In a bad system design, this may work.

A high level of security would not (easily) allow clients other than those designed to operate the switchgear to do so.

Security measures have to be implemented to prevent misuse of the self-description. Even without the self-description, somebody may get access to the SCL file of the system and "read" the models from the XML file. As a consequence: the SCL (XML) files need to be secured as well ...!

You will find solutions for many of the known security problems in the standard series IEC 62351!

The definitions have to be implemented - the paper standards do not protect your systems!

A very new, comprehensive and up-to-date report on security was published the other day:

THREAT INTELLIGENCE REPORT: CYBERATTACKS AGAINST UKRAINIAN ICS

Click HERE for the report [pdf, 20 pages].

By the way, the report mentions IEC 60870-5-101/104, IEC 61850 and OPC UA. Worth reading.

Saturday, August 26, 2017

The Cassandra Coefficient and ICS Cyber - Some Thoughts

Do you have an idea what "The Cassandra Coefficient" is all about and how it relates to ICS cyber security? Joe Weiss discusses the issues in a recent publication:

Cassandra coefficient and ICS cyber – is this why the system is broken

Brief extract from the publication:
Joe Weiss writes: " ... What I have found is that each time another IT cyber event occurs more attention goes to the IT at the expense of ICS cyber security. The other common theme is “wait until something big happens or something happens to me, then we can take action”. Because there are minimal ICS cyber forensics and appropriate training at the control system layer (not just the network), there are very few publicly documented ICS cyber cases. However, I have been able to document more than 950 actual cases resulting in more than 1,000 deaths and more than $50 Billion in direct damages. I was recently at a major end-user where I was to give a seminar. The evening before I had dinner with their OT cyber security expert who mentioned he had been involved in an actual malicious ICS cyber security event that affected their facilities. For various reasons the event was not documented. Consequently, everyone from the end-user, other than the OT cyber expert involved, was unaware of a major ICS cyber event that occurred in their own company. So much for information sharing."

My personal experience in this and in many other areas is: people tend to hide information instead of sharing it. I have found many times that SCADA experts do not really talk to RTU people, substation automation or protection engineers ... and not at all to the people responsible for the communication infrastructure. Most engineers likely tend to focus on their (restricted) tasks and not to look at the SYSTEM and its lifetime. Am I contributing to solving the challenge of building a quite secure system - or am I part of the problem?

I repeat what I have said many times: Teamwork makes the dream work! Become a team player!

Click HERE for the publication.

This publication is worth reading ... a definition of what the Cassandra Coefficient is can be found HERE.

Wednesday, August 23, 2017

Making ICS Security Feasible for Small Companies

Industrial automation and control systems (IACS) pervade many areas of critical infrastructure, such as supply systems for electricity, gas, water, wastewater, ...

Awareness is slowly growing that many of these systems are, for a variety of reasons, insufficiently protected (in the sense of information security). Reasons may be that those responsible do not yet see the need for higher protection requirements, or that the installed systems are "aged" and can only be protected by replacement, and so on ...

Water supply companies, together with the BSI and RWTH Aachen, have supervised a master's thesis that could open the eyes of small utility companies in particular to more security in information and automation technology:


Sarah Fluchs wrote the following master's thesis:

Creating an IT-Grundschutz profile for a reference company (small/medium-sized enterprise, SME) with automated process control (Industrial Control System, ICS) [original title: "Erstellung eines IT-Grundschutz-Profils für ein Referenzunternehmen (kleines/mittelständisches Unternehmen, KMU) mit automatisierter Prozesssteuerung (Industrial Control System, ICS)"]
Or:
Making ICS security feasible for small companies

The thesis and an appendix are publicly available:

Click HERE for the main part of the thesis.
Click HERE for the appendix "IT-Grundschutz pilot profile / IT-Grundschutz profile for the water industry".

This master's thesis is absolutely worth reading and taking to heart!

The introduction begins with a statement by Ralph Langner:

For many complex IACS networks, there is no longer any single person who fully understands the system, […] and neither is there accurate documentation.

I preface this statement with a much older one by Rene Descartes (1596-1650):

"Hence we must believe that all the sciences [all the aspects of a distributed automation system; inserted by the author of this blog post] are so interconnected, that it is much easier to study them all together than to isolate one from all others. If, therefore, anyone wishes to search out the truth of things in serious earnest, he ought not to select one special science (aspect), for all the sciences (aspects) are conjoined with each other and interdependent."

The challenge for today's and future generations is to think and act holistically, and to take into account the many and varied experiences handed down by our ancestors, but especially those of the people who were, and are, directly active in practice! [Statement added by a good friend.]

Teamwork makes the dream work.

In this spirit, my thanks go to Ms. Fluchs, who has laid a foundation stone with her master's thesis. It is symptomatic that fundamental work is often "only" done by students. A pity! The topics addressed concern us ALL!

I would like to correct one statement in her conclusion and outlook:

"The overarching topic of this thesis is ICS security. Compared to "ordinary" IT security, the topic has so far occupied a niche. Above all, manufacturing companies and operators of critical infrastructures have to deal with it; the average consumer would potentially feel the effects of a security incident, but has no direct influence on ICS networks and their security."

We, as average consumers, have a very large direct influence on the security of our infrastructures: by being willing to pay more for our basic supply!!

Monday, August 7, 2017

IEC 61850, Sensors, and Cyber Threats

Sensors all over will be more important in the future: First to automate processes and second to monitor the automation systems.
The other day I found a very serious report on compromising automation systems under the title:

ICS cyber threats are morphing into compromise of plant functionality – do we have the right tools? 

The report by Joe Weiss is worth to read.

Click HERE for reading the complete report.

The discussion is about compromising an actuator (valve, ...) and letting the physics do the damage!

Joe summarizes: "Without sensor monitoring, it is NOT possible to see the precursor to these kinds of conditions until it is too late."

I have discussed the reported issues with an expert on valves in industrial process control applications. He confirmed that the cavitation (bubble) effect has long been known. But there are only relatively few applications where (vibration) sensors are installed to measure the noise produced by cavitation (see video on YouTube) in order to detect that something is going wrong.

IEC 61850 has a number of models and services to support sensors and event reporting.

The quality attribute that comes with every value can be used to flag whether the value is valid or not. Additionally, the sensor may have a health problem (detected by a diagnosis routine) that can be reported using the TTMP.EEHealth.stVal attribute (EE: external equipment).
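What "using the quality attribute" means in practice, as an added example that is not code from the post or from any vendor: decode the 13-bit Quality and the EEHealth value of each reported measurement and refuse to feed a process-monitoring rule (such as the cavitation detector discussed above) with anything but good, live, non-test readings from a healthy sensor. The bit layout of Quality and the EEHealth enumeration follow IEC 61850-7-3; the object references, sample values and the acceptance policy are constructed for the example.

```python
"""Screen IEC 61850 measurements by Quality and EEHealth before acting on them (added example)."""

VALIDITY = {0: "good", 1: "invalid", 2: "reserved", 3: "questionable"}
# detailQual flags and their positions in the 13-bit Quality bit string (bit 0 is sent first)
DETAIL = {2: "overflow", 3: "outOfRange", 4: "badReference", 5: "oscillatory",
          6: "failure", 7: "oldData", 8: "inconsistent", 9: "inaccurate"}
SOURCE_BIT, TEST_BIT, OPERATOR_BLOCKED_BIT = 10, 11, 12   # source: 0 = process, 1 = substituted
EEHEALTH = {1: "Ok", 2: "Warning", 3: "Alarm"}


def decode_quality(bits):
    """Turn a 13-character '0'/'1' string (bit 0 first) into named fields."""
    if len(bits) != 13 or set(bits) - {"0", "1"}:
        raise ValueError("Quality is a 13-bit string")
    return {
        "validity": VALIDITY[int(bits[0:2], 2)],   # bits 0-1, bit 0 is the most significant
        "detail": [name for bit, name in DETAIL.items() if bits[bit] == "1"],
        "substituted": bits[SOURCE_BIT] == "1",
        "test": bits[TEST_BIT] == "1",
        "operatorBlocked": bits[OPERATOR_BLOCKED_BIT] == "1",
    }


def usable(quality_bits, ee_health):
    """Decide whether a value may feed a process-monitoring rule; return (ok, reason)."""
    q = decode_quality(quality_bits)
    if q["validity"] != "good":
        return False, "validity %s (%s)" % (q["validity"], ", ".join(q["detail"]) or "no detail")
    if q["test"]:
        return False, "test flag set: not a process value"
    if q["substituted"]:
        return False, "substituted value, not a live measurement"
    if q["operatorBlocked"]:
        return False, "operator blocked"
    if ee_health != 1:   # local policy (assumption): Warning and Alarm both disqualify the sensor
        return False, "sensor EEHealth=%s" % EEHEALTH.get(ee_health, "unknown(%s)" % ee_health)
    return True, "ok"


# Constructed samples: (object reference, value, Quality bits, EEHealth) as an MMS report might carry them
SAMPLES = [
    ("PROT1LD0/TTMP1.Tmp", 41.5, "0000000000000", 1),   # good, live, healthy sensor
    ("PROT1LD0/TTMP2.Tmp", 12.0, "1100000100000", 1),   # questionable + oldData: stale value
    ("PROT1LD0/TTMP3.Tmp", 0.0, "0000000000010", 1),    # test flag set
    ("PROT1LD0/TTMP4.Tmp", 88.2, "0000000000000", 3),   # good quality, but the sensor reports Alarm
]


def screen(samples):
    """Return {reference: reason} for every sample that must not be used."""
    rejected = {}
    for ref, _value, q_bits, ee_health in samples:
        ok, reason = usable(q_bits, ee_health)
        if not ok:
            rejected[ref] = reason
    return rejected


if __name__ == "__main__":
    for ref, reason in screen(SAMPLES).items():
        print("REJECT", ref, ":", reason)
```

The point of the last sample is the one the post makes: a perfectly "good" value from a sensor whose own diagnostics report Alarm is still garbage in, and a rule that looks only at the measured value will not notice.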

All models and services have to rely on good hardware and software! Or we get: Garbage in - Garbage out!

In our seminars and hands-on training courses we discuss these and many other topics in detail.

Saturday, July 8, 2017

IEC 61850 Hands-On Training in German in Karlsruhe (December 2017 and May 2018)

NettedAutomation GmbH offers IEC 61850 hands-on training courses in German in Karlsruhe at unbeatably low prices:

5-8 December 2017
14-17 May 2018
4-7 December 2018


NEW: An additional focus will be the topic of "security requirements" (BDEW White Paper, ...) for the energy supply.
The three (3) blocks (1 day + 2 days + 1 day) can be booked individually or in combination. You decide whether you want to be away from your workplace for just one day, or for two, three or four, depending on how much time you want or can invest and what your needs are.


Learn, like more than 4,300 participants before you, what IEC 61850 and other standards such as IEC 60870-5-10x or IEC 62351 (security) mean. Gain an insight into relevant implementations such as the FNN-Steuerbox or VHPready, which build on IEC 61850. Understand how fieldbuses (Profibus, Profinet, Modbus, ...) can be integrated into plants via low-cost gateways.

In the hands-on training you get to know the essential concepts of the standard series in practice. You may keep the extensive training software and continue to use it!


Copyright, 2017-07, Michael Hüter

The course is suitable for everyone who wants to learn more about IEC 61850.

Click HERE for the description and the registration documents [pdf, 430 KB].

Please also note that most seminars take place as in-house courses! If you are interested in an in-house course (in German, English, Italian or Swedish), please contact us!