Communications, Data Hardening, and the Smart Grid

10 Feb 2020

Author: Dominic Iadonisi, Senior Field Application Engineer, iS5 Communications

The Smart Grid continues to expand and gather new functions as needs grow: automated metering, relay operation, RTU operation, electric management systems, remedial action schemes, SCADA, field reclosers, synchrophasors, remote access, weather and earthquake monitoring, and future needs yet to be identified. All of these operations require a low-latency, low-jitter communications network. The data being transported and the devices functioning on the network require a secure, authenticated and guarded system to operate. Data hardening means that the data moving across the system is protected and monitored to ensure transmission of mission-critical operational information.

There are three primary communications protocols, Modbus, DNP3, and IEC61850, with numerous secondary ones. Modbus is primarily poll-based and not real-time. DNP3 operates in near real time while using TCP messaging, as it requires an acknowledgment, and in real time if exceptions are used. IEC61850 is a real-time protocol that requires high time accuracy. IEEE 1588 Precision Time Protocol (PTP) is the current high-accuracy time protocol that utilizes IP networks. It uses Ethernet networks primarily as the transport conduit and requires hardware enhancements to the network switches and routers to perform optimally, producing time accuracy down to the low nanoseconds. IRIG is another common high-accuracy time system; it is supported out of band, using coax and serial connections to reach the relays, RTUs, and other end devices in substations. Precision Time Protocol uses the Ethernet network to reach those same end devices.

The Smart Grid has moved toward the use of IP networks and away from serial and other slower connectivity technologies. This has created the potential for hacking, viruses, malware, ransomware, denial of service and other malicious activity, originating either externally or internally. Control systems of all types, whether Electric, Industrial, Manufacturing, or even Transportation, are focused on SIA: Safety, Integrity, and Availability, the sacred operational triad. What you don't see here is Security. Another acronym, CIA, is also very valid: Confidentiality of the data, Integrity of the data and the Authentication of the data. Current security tools include technologies that can help create a security perimeter around and within assets that are part of the SIA triad. Stateful firewalls utilizing tested/validated rulesets restrict data access to only identified source and destination devices/systems. Intrusion Detection Systems (IDS) monitor data as it passes and look for data behavior that can result in system misbehavior and failure. Virtual Private Networks encrypt data that passes across networks that you may not control and that may be exposed to bad actors. Access Proxy operations control access to end devices: they manage who can access these systems, monitor what those users are doing, and log it for later analysis in case of issues/outages.
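The "tested/validated rulesets" point above can be checked mechanically. The following is an added example, not code from the article or from iS5 Communications: a static audit that flags allow rules whose source or destination is not a single inventoried device, whose port is not one of the protocols named earlier (Modbus TCP 502, DNP3 20000, IEC 61850 MMS 102), or a ruleset that lacks a final default deny. The rule tuple format, device names and addresses are constructed for illustration.

```python
import ipaddress

# Well-known TCP ports for the three protocols the article names.
PROTOCOL_PORTS = {"modbus": 502, "dnp3": 20000, "iec61850-mms": 102}

# Constructed asset inventory: the "identified" devices (hypothetical addresses).
INVENTORY = {"10.10.1.5": "scada-master", "10.10.2.20": "rtu-1", "10.10.2.21": "relay-1"}

# Constructed ruleset in a simplified format: (source, destination, TCP port, action).
RULES = [
    ("10.10.1.5/32", "10.10.2.20/32", 20000, "allow"),  # master -> RTU, DNP3
    ("10.10.1.5/32", "10.10.2.21/32", 102, "allow"),    # master -> relay, MMS
    ("0.0.0.0/0", "10.10.2.20/32", 502, "allow"),       # any source -> RTU
    ("10.10.1.5/32", "10.10.2.0/24", 20000, "allow"),   # whole subnet as destination
    ("10.10.1.5/32", "10.10.2.21/32", 23, "allow"),     # telnet, not a control protocol
    ("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),              # default deny
]

def endpoint_problem(cidr, inventory):
    """Return a description if cidr is not exactly one inventoried device, else None."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses != 1:
        return f"{cidr} is a range, not a single identified device"
    if str(net.network_address) not in inventory:
        return f"{cidr} is not in the asset inventory"
    return None

def validate_ruleset(rules, inventory, allowed_ports):
    """Return (rule index, message) findings for allow rules that are too broad."""
    findings = []
    for index, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        for role, cidr in (("source", src), ("destination", dst)):
            problem = endpoint_problem(cidr, inventory)
            if problem:
                findings.append((index, f"{role}: {problem}"))
        if port not in allowed_ports:
            findings.append((index, f"port {port} is not an approved control protocol"))
    # The last rule must deny everything not explicitly allowed above it.
    last = rules[-1] if rules else None
    if not last or last[3] != "deny" or last[0] != "0.0.0.0/0" or last[1] != "0.0.0.0/0":
        findings.append((len(rules), "ruleset does not end with a default deny"))
    return findings

if __name__ == "__main__":
    for index, message in validate_ruleset(RULES, INVENTORY, set(PROTOCOL_PORTS.values())):
        print(f"rule {index}: {message}")
```

Running an audit like this before a ruleset is deployed, and again after every change, keeps the "identified source and destination" property from eroding over time.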

Adding security to control systems is necessary, but it requires a detailed understanding of potential control system interactions, which may not be an area of expertise for either IT or OT. This requires training in, and understanding of, both control system operation and communication network operation. IEC62443 and NERC CIP are security standards that provide guidance for communications networks and control system operators (NERC CIP for Electric Utilities, IEC62443 for Industrial systems).

iS5 Communications has created a platform that incorporates the standard communications functions for Layer 2 and Layer 3 environments as well as the security applications needed to create more secure IP-based systems. The communications functions include high-speed Ethernet switching, VLANs, aggressive redundancy support (with Rapid Spanning Tree, HSRP, and PRP), multicast handling (with IGMP), IP routing with redundancy, MPLS, and aggressive QoS/CoS. Couple that with stateful Firewall, Intrusion Detection, Virtual Private Networking, Role Based Authentication (RBAC), and Access Proxy functions that protect the network, protect the data, define user access and watch for bad IP data behavior. The RAPTOR® is the next step in integrated network communications/security appliances designed for harsh operating environments.
