2 | Tropos GridCom
More numerous and diverse endpoints: The smart grid will tie together a plethora of devices, from power quality sensors and distribution automation devices that are utility-owned and controlled to residential meters and smart appliances that are customer-owned and operated. The smart grid will increase the volume of data transferred, as well as the sheer number of devices participating in the network, by several orders of magnitude.
Figure 1: Tiered communications architecture of smart grids (tiers plotted by scale of coverage, bandwidth required and number of nodes). Tiers: Core; field area wireless aggregation network; neighborhood area network. Communications technologies: fiber; 802.11/PTMP/LTE; 900 MHz; ZigBee. Bandwidth labels: 10-100 Mbps; 1-110 Kbps; 10-100 Kbps.
Open standards-based
The Tropos approach leverages and builds on open-standard security techniques that have undergone extensive review by the security community, including AES, IEEE 802.1x, IEEE 802.11i, IPsec, SSL/TLS and FIPS 140-2. These standards cover requirements for authentication, authorization and access control; encryption; key generation, distribution, management and storage; physical security; and the detection and mitigation of attacks, with approaches ranging from the physical layer all the way up to the application layer.
There are several security standards being developed to address
the security requirements pertinent to various aspects of smart grid
development including the NERC CIP standards for the bulk electric system
and NISTIR 7628 for comprehensive smart grid cybersecurity. Security
standards that are developed to address specific applications and subsystems of the smart grid, such as substation automation, tend to be more
Figure: Smart grid network tiers and the security standards applicable to each. Tiers: Home Area Network, Neighborhood Area Network, Field Area Network (FAN) and Core Network, spanning distribution and transmission up to the utility core systems. Standards shown: ZigBee Smart Energy, NISTIR 7628, IEC 62351, NERC CIP, FIPS 140-2.
Multi-layer security
The Tropos approach applies a defense-in-depth strategy: multiple security mechanisms operate at multiple layers of the protocol stack, so that the impact of a failure in any one mechanism is minimized and the adversary's probability of success is reduced. To illustrate this principle, suppose there are 3 independent layers of defense, each with a 1% probability of being penetrated; the probability that all 3 layers are penetrated successfully is then 0.0001%.
The defense mechanisms employed in the Tropos system range from physical security (ruggedized enclosures with tamper-evident seals), link-layer security (IEEE 802.1x, IEEE 802.11i, AES encryption, authentication using IEEE 802.11i EAP/RADIUS, MAC ACLs, MAC address-based whitelists and blacklists, Denial of Service detection and mitigation, etc.), network-layer security (IPsec, VPN/firewall packet filtering, IP ACLs), transport-layer security (SSL/TLS) and application-layer security (HTTPS, support for end-to-end VPNs).
Figure: Security mechanisms by protocol layer.
Application: HTTPS
Transport: SSL/TLS
Network: IPsec; packet filtering firewall; IP ACLs
Link: 802.1x access control; 802.11i authentication; AES encryption; MAC ACLs and whitelists/blacklists; DoS detection and mitigation
Physical: hardened outdoor enclosure; tamper-detection; encrypted filesystem; protection of critical security parameters
Multi-application security
The Tropos network constitutes a common physical infrastructure supporting a range of applications that often have different data characteristics as well as different security requirements. The Tropos security solution is designed to be flexible enough to accommodate these differences while ensuring the logical separation of these traffic flows as well as the integrity of the overall system.
Figure: Applications sharing the Tropos network, each on a separate VLAN: billing/DSM; distribution automation (DMS); mobile workforce (mobile GIS/workforce applications); substation automation; security (substation security).
Since the authorization levels and privileges of the users and devices associated with these different applications are distinct, and since these are logically distinct services, the network needs to be able to maintain separation of the corresponding flows. This is done using separate 802.11 ESSIDs (Service Set Identifiers) and VLANs that are mapped to different queues. Each SSID/service has separate (dynamically generated) encryption keys, and direct communication between endpoints corresponding to different services can be prohibited by default. In addition, different quality of service parameters (for example, DiffServ or 802.1p classifiers) are assigned to different flows, ensuring that, for example, delay-sensitive distribution automation traffic is accorded priority over more delay-tolerant metering data.
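As an added illustration (not code from the Tropos product), the following models the separation just described: each service has its own SSID/VLAN and 802.1p priority, frames between endpoints of different services are dropped by default, and a strict-priority scheduler serves distribution automation before metering. Service names, VLAN ids, priorities and endpoint names are constructed.

```python
"""Per-service separation: each application has its own SSID/VLAN and an
802.1p priority, and traffic between endpoints of different services is
dropped by default. All names, VLAN ids and priorities are constructed."""
from dataclasses import dataclass
import heapq

@dataclass(frozen=True)
class Service:
    ssid: str   # 802.11 service set the endpoint attached through
    vlan: int   # VLAN the SSID is mapped to
    pcp: int    # 802.1p priority code point (0-7); higher is served first

# Constructed mapping of applications to SSID, VLAN and queue priority.
SERVICES = {
    "distribution_automation": Service("da-ssid", 100, 5),  # delay-sensitive
    "metering": Service("ami-ssid", 200, 1),                # delay-tolerant
}
# Constructed membership of endpoints in services.
MEMBERSHIP = {"dtu-1": "distribution_automation", "scada-fe": "distribution_automation",
              "meter-7": "metering", "mdms": "metering"}

@dataclass(frozen=True)
class Frame:
    src: str       # source endpoint
    dst: str       # destination endpoint
    service: str   # service resolved from the SSID the frame arrived on
    seq: int       # arrival order, tie-breaker within one priority

def classify(frame):
    """Return (vlan, pcp) for a permitted frame, or None if policy drops it:
    the ingress service and both endpoints' services must agree."""
    svc = SERVICES.get(frame.service)
    if svc is None or MEMBERSHIP.get(frame.src) != frame.service \
            or MEMBERSHIP.get(frame.dst) != frame.service:
        return None
    return svc.vlan, svc.pcp

def schedule(frames):
    """Strict-priority dequeue: higher PCP first, then arrival order.
    Returns the (vlan, src, dst) tuples actually forwarded."""
    heap = []
    for f in frames:
        tag = classify(f)
        if tag is None:
            continue  # dropped: unknown service or cross-service traffic
        vlan, pcp = tag
        heapq.heappush(heap, (-pcp, f.seq, vlan, f.src, f.dst))
    forwarded = []
    while heap:
        _, _, vlan, src, dst = heapq.heappop(heap)
        forwarded.append((vlan, src, dst))
    return forwarded
```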
Adaptable
The threat landscape is continually evolving, and new cybersecurity threats targeting critical infrastructure are expected to emerge as the smart grid is implemented. In addition, the security standards for the smart grid are themselves evolving on a number of fronts, including NISTIR 7628, targeted at smart grid cybersecurity, and the NERC CIP standards, aimed at securing the operation of the bulk power system. Furthermore, in view of the long (10+ year) operating lifetimes of grid systems, it is critical to establish an evolvable framework that supports software upgrades, patch management and critical fixes over time. Tropos' software-based approach is designed to be upgradeable to meet the evolving threat landscape as well as the requirements of new security standards as they are developed.
GridCom: Meeting the functional requirements for smart grid security
The GridCom security architecture, based on the principles of robust and
evolvable multi-layer standards-based security, provides a secure framework
for multiple applications while meeting the functional requirements for distribution area network security articulated earlier. Below, we provide a more
detailed description of the security features and functionality implemented in
GridCom and show how they map to the key functional requirements.
Availability and performance
Critical systems need to be able to continue to operate and satisfy business
and mission needs under diverse operating conditions. The overall system
architecture needs to be designed to this requirement to ensure that system
integrity and availability are maintained even under adverse conditions such
as external attacks or peak loads.
Resilient and fault-tolerant mesh architecture
The GridCom network architecture is a self-organizing and self-healing mesh
network that can dynamically adapt its operating parameters to optimize
itself around local changes and disturbances. The underlying distributed
routing protocol continually monitors all available routing paths and ensures
that each router dynamically selects the best path that minimizes end-to-end
mesh latency while maximizing the overall reliability. Advanced radio resource
management techniques such as dynamic channel selection and per-packet
data rate and transmit power control result in a highly adaptive wireless mesh
network that can route around interference and frequency jammers as well as
adverse environmental conditions, with minimal impact to network and system
availability. In existing field deployments, Tropos networks have achieved
99.999% system availability in extremely challenging network environments.
Tropos routers can filter traffic at the edge of the wireless networks using
filters based on IP source and destination addresses, protocol and TCP/
UDP ports. This means that access can be controlled by application and by
protocol, as well as by endpoint. These policies are enforced at the edge of
the wireless network.
Virtual private networks (VPNs) combined with filtering for access control
To provide the highest levels of security, Tropos recommends the use of
industry-tested virtual private networks (VPNs). While the main function of
a VPN is to provide secure end-to-end data transmission, VPNs also play
a role in network access control. When a VPN is used, only clients with the
appropriate VPN software or hardware/software and valid login credentials
can access the network, especially when combined with intelligent traffic
filtering that permits only VPN traffic to traverse the network.
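An added example, not Tropos code, of the edge filtering and VPN-only policy described in the two sections above: a first-match, default-deny ruleset over addresses, protocol and port that lets only IKE, NAT-T and ESP reach a VPN concentrator. The field subnet and concentrator address are constructed.

```python
"""Stateless edge filter: first-match rules over source/destination address,
IP protocol and destination port, default deny. The ruleset permits only
IPsec VPN traffic (IKE, NAT-T, ESP) from the field subnet to a VPN
concentrator. Subnets and the concentrator address are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number: 1 ICMP, 6 TCP, 17 UDP, 50 ESP
    dport: Optional[int]  # destination port; None for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: Optional[int]  # None matches any protocol
    dport: Optional[int]  # None matches any port

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

FIELD_SUBNET = "10.20.0.0/16"       # constructed: devices behind the mesh
VPN_CONCENTRATOR = "192.0.2.10/32"  # constructed: utility-side VPN gateway

# VPN-only policy: IKE (UDP/500), NAT-T (UDP/4500) and ESP (protocol 50) to
# the concentrator pass; the final rule denies everything else, so plaintext
# application traffic cannot bypass the tunnel.
VPN_ONLY = [
    Rule("permit", FIELD_SUBNET, VPN_CONCENTRATOR, 17, 500),
    Rule("permit", FIELD_SUBNET, VPN_CONCENTRATOR, 17, 4500),
    Rule("permit", FIELD_SUBNET, VPN_CONCENTRATOR, 50, None),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),
]

def evaluate(ruleset, p):
    """First matching rule decides; a ruleset that matches nothing denies."""
    for r in ruleset:
        if r.matches(p):
            return r.action
    return "deny"
```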
SSID suppression
IEEE 802.11 access points typically broadcast their service set identifier (SSID), that is, their network name, to allow client devices to discover the network. However, for a private network, that is, one where access is limited to a specified set of users who already know of its existence, SSID broadcast is undesirable because it announces the network's availability to unauthorized persons.
Tropos routers allow network administrators to optionally suppress SSID
broadcasts. In a private network, this does not hamper user access because
endpoint devices can be configured to attach to the network even though
the SSID is suppressed. Suppressing the SSID broadcasts means that
unauthorized persons will not know the network is available unless they use
sniffing tools.
SSID suppression has been shown to be vulnerable to passive attacks, and
is therefore considered inadequate if used alone. However, it is useful as
a deterrent because it prevents a casual hacker from quickly discovering
the existence of the wireless network, even though he would still need to
successfully authenticate prior to obtaining network access.
Network resource and end-point protection
The distribution area network serves to aggregate and distribute mission-critical data and, as such, needs to be capable of protecting itself from attacks and unauthorized access. In addition, since the network mediates access between other network resources (e.g., meters and meter data management systems), it needs to provide the capabilities to protect those network resources from attackers.
Physical deterrents
Tropos routers are physically hardened and contained within an opaque
commercial-grade environmental casing. They are equipped with indicators
that provide evidence of tampering if any occurs. Further, a variety of
software alarms sent to the Tropos Control Network Management System
can alert network operators if any physical tampering takes place. Tropos
routers also include additional protections such as an encrypted file-system
to guard and protect sensitive stored data.
Pictured: Tropos 7320, Tropos 6320/6310 and Tropos 4210 routers.
Applicable requirements (NERC CIP):
CIP-002-2: Critical Cyber Asset Identification
CIP-003-2: Security Management Controls
CIP-004-2: Personnel and Training
CIP-005-2: Electronic Security Perimeter(s)
CIP-006-2: Physical Security of Critical Cyber Assets
CIP-007-2: Systems Security Management
CIP-008-2: Incident Reporting and Response Planning
CIP-009-2: Cyber Security Recovery Plans for Critical Cyber Assets

Secure configuration features listed against these requirements:
Firewall/VPN packet filtering rulesets to block/permit specific ports and services
MAC and IP address-based ACLs
Individual user accounts and passwords
Role-based authentication tied to RADIUS
Appropriate use banner
Monitoring and logging of authorized access and unauthorized access attempts
Automated alerts after a configurable number of unauthorized access attempts
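An added example, not the Tropos Control implementation, of the monitoring and alerting control listed above: constructed login records are parsed, and an alert is raised once a configurable number of consecutive failed attempts is seen for the same account on the same router. The log line format, router names and addresses are constructed.

```python
"""Alert after a configurable number of unauthorized access attempts.
Login records are parsed, failures are counted per (router, user), a
successful login resets the count, and one alert is emitted when the count
first reaches the threshold. Record format and values are constructed."""
import re
from collections import defaultdict

# Constructed sample of management-login records (one per line).
SAMPLE_LOG = """\
2012-10-03T14:02:11Z router=tr-17 user=admin src=10.20.5.5 result=FAIL
2012-10-03T14:02:15Z router=tr-17 user=admin src=10.20.5.5 result=FAIL
2012-10-03T14:02:40Z router=tr-42 user=ops src=10.30.1.8 result=OK
2012-10-03T14:02:49Z router=tr-17 user=admin src=10.20.5.5 result=FAIL
2012-10-03T14:03:02Z router=tr-17 user=admin src=10.20.5.5 result=FAIL
2012-10-03T14:05:00Z router=tr-42 user=ops src=10.30.1.8 result=FAIL
2012-10-03T14:05:09Z router=tr-42 user=ops src=10.30.1.8 result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) router=(?P<router>\S+) user=(?P<user>\S+) "
                  r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def parse(log):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def detect(log, threshold):
    """Return alerts as (timestamp, router, user, src) tuples.

    Consecutive failures are counted per (router, user). A successful login
    resets the count; exactly one alert is raised when the count first
    reaches the configured threshold, so a continuing burst does not
    flood the operator with duplicates."""
    failures = defaultdict(int)
    alerts = []
    for rec in parse(log):
        key = (rec["router"], rec["user"])
        if rec["result"] == "OK":
            failures[key] = 0
            continue
        failures[key] += 1
        if failures[key] == threshold:
            alerts.append((rec["ts"], rec["router"], rec["user"], rec["src"]))
    return alerts
```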
FIPS 140-2 security requirements by security level (Table 1 of the standard, excerpt):
Cryptographic Module Specifications
Cryptographic Module Ports and Interfaces
Roles, Services, and Authentication: Level 1: logical separation of required and optional roles and services. Level 2: role-based or identity-based operator authentication. Levels 3 and 4: identity-based operator authentication.
Finite State Model (all levels): specification of finite state model; required states and optional states; state transition diagram and specification of state transitions.
Physical Security: Level 1: production grade equipment. Level 2: locks or tamper evidence.
Operational Environment
Cryptographic Key Management (all levels): key management mechanisms: random number and key generation, key establishment, key distribution, key entry/output, key storage, and key zeroization.
EMI/EMC: Levels 1 and 2: 47 CFR FCC Part 15, Subpart B, Class A (Business use); applicable FCC requirements (for radio). Levels 3 and 4: 47 CFR FCC Part 15, Subpart B, Class B (Home use).
Self-Tests (all levels): power-up tests (cryptographic algorithm test, software/firmware integrity tests, critical functions tests); conditional tests.
Design Assurance: Level 2: CM system; secure distribution; functional specification. Level 3: high-level language implementation.
Mitigation of Other Attacks (all levels): specification of mitigation of attacks for which no testable requirements are currently available.
1KHA - 001 242 - SEN - 1001 - 10.2012 Copyright 2012 ABB. All rights reserved.