Tuesday, July 24, 2018

Cyber Security for Industrial Control Systems (ICS) is Going Where?

Cyber Security for Industrial Control Systems (ICS) has been discussed over many years - and it will be discussed forever. There seems to be no end of discussions and solutions ... the end may come when electric power will be switched off - caused by insecure systems.

As long as we have ICS in operation - which is very crucial! - we will see products being developed and offered that are marketed to safe the world of ICS.

Dale Peterson wrote a very nice and interesting article about "The Future of the ICS Cyber Security Detection Market" (23 July 2018).

Dale seems to expect that the ICS Cyber Security Detection Market will completely change in a few years. He may be right. My expectations is that the change will happen for ever - and ever faster.

So, you may decide to wait! This would be the worst decision you can make.

Whatever is available for your system today - use it! The wait for getting started with, e.g., encrypted ICS protocols is over - use TLS wrapper as much as possible - as soon as possible.

Click HERE for the complete article - worth to read.

Our power system highly depend on ICS - ICS highly depend on power systems. The two can live together only. Non of the two will survive without the other!!

I hope we have enough people to understand that we need more smart people to keep power flowing: means electrical engineers and IT experts ... and ...

My recommendation is that we need to get a better holistic understanding how power systems and ICS are interdependent ... we should not isolate one from the other ... already understood some hundred years ago:

"Hence we must believe that all the sciences are so interconnected, that it is much easier to study them all together than to isolate one from all others. If, therefore, anyone wishes to search out the truth of things in serious ernest, he ought not to select one special science, for all the sciences are cojoined with each other and interdependent."
Rene Descartes (1596-1650)

Finally we will have to accept that reliable electric power will be more expensive soon - moderate increased price in case we care about ICS Cyber Security - extremely expensive if we fail to protect the power system.


New Smart Grid Controller with IEC 61850, IEC 61850-5-104, and DNP3

System Corp (Perth/Australia) offers a new very powerful Smart Grid Controller for applications in:

  1. Secondary Substation Control
  2. Transformer and Asset Management
  3. Micro Grid Control and Automation
  4. Data Gateway Application
  5. IoT and Cloud Service Interfacing




Click HERE for more details.

Thursday, July 19, 2018

HMS Networks AB takes over Beck IPC

HMS has taken over the German based company Beck IPC. Beck IPC has a range of products providing IEC 61850, IEC 60870-5, and DNP3 connectivity - I have reported about their products from time to time ... just search for Beck on the blog.

Click HERE for the HMS press release.

HMS (IXXAT) sells some of the Beck com.tom (as Gateways):

Click HERE for Beck com.tom products with above standards implemented.
Click HERE for HMS Gateway products with above standards implemented.

Saturday, July 14, 2018

IEC TC 57 just published FDIS IEC 61850-8-2 (Mapping to XMPP)


IEC TC 57 just published FDIS IEC 61850-8-2 (Mapping to XMPP) - 253 pages !

(57/2020/FDIS)

Voting ends: 2018-08-24

Part 8-2: Specific communication service mapping (SCSM)
– Mapping to Extensible Messaging Presence Protocol (XMPP)

The long wait for a second SCSM is over!

The new mapping of IEC 61850 describes a specific communication service mapping
(SCSM) over the Extensible Messaging and Presence Protocol (XMPP), providing detailed
information on how to create and exchange concrete communication messages that
implement abstract services and models specified in IEC 61850-7-4, IEC 61850-7-3, and
IEC 61850-7-2.

Note that the MMS messages (defined using ASN.1) are used in IEC 61850-8-1 AND -8-2 ! The only crucial difference between the two message and model mappings (in 8-1 and 8-2) is this:

8-1 uses BER (Basic Encoding Rule) for the messages on the wire, while 8-2 uses (XER (XML Encoding Rule). The complexity of the MMS messages is the same in both mappings - because the structure and how to build messages and how to carry the 7-2 services and 7-x models are the same!

The challenges to implement 8-2 message mapping are more or less the same as with 8-1. Note that the messages in XER are far longer than with BER.

There is - of course - a difference between the two: The transport of messages in 8-2 uses XMPP.

Some may argue, that there are more tools available for XER than for BER. Ok.

IEC 61850-8-2 is far away from something simple and easy to implement and use - especially when you need only a few simple services and models.


WOW -- IEC 61850 Models Publically Available for Download

After long time, IEC has accepted to provide free online access to the IEC 61850 Models!!

Congratulation!

Excerpt from 57/2023/INF (2018-07-13):

"With IEC 61850-7-7, a machine processable format for the distribution of IEC 61850 data models has been defined. Based on that, in the future, all IEC 61850 models will be as well available in this format as namespace files (NSD files).
The namespace files are code components, that are intended to be directly processed by a computer. The purchase of the associated IEC standard carries a copyright license for the purchaser to sell software containing Code Components from this standard to end users either directly or via distributors, subject to IEC software licensing conditions, which can be found at: http://www.iec.ch/CCv1. ..."

Screenshot from the TC 57 Supporting Documents page:



Click HERE to get to the above page.

Sunday, July 8, 2018

First Draft IEC 61850-90-16 Requirements for System Management for IEC 61850

The first Draft on IEC 61850-90-16 (97 pages) has been published (57/2014/DC):

Requirements for System Management for IEC 61850

"The distribution grid is facing a massive roll out and refurbishment of automation equipment to
implement deeper monitoring and new smart grid applications. The new equipment to be deployed in order to solve today’s issues (MV voltage and reactive power regulation for example) will necessarily have to be adjustable and upgradeable in order to face challenges of tomorrow (for example massive electric vehicles fleets, low voltage automation, …) which will arrive long before the end of its 20 years’ service life. Furthermore, there is a necessity for the equipment to adapt to the evolving and growing cybersecurity threats.
The equipment will therefore need to be patched, updated and reconfigured, and this has to be done remotely due to the great number of equipment. This is a cornerstone of the System Management (SM), which refers to functionalities that are not directly linked to the operational role of the equipment but allow it to perform its operational functions in the best conditions possible. Smart Grid Devices Management also includes other functions such as asset management or supervision.
These functionalities need to be managed by the grid operator and address multiple devices from different vendors through independent Information Systems and thus the requirements and exchanges need to be standardized. As these are to be applied to IEC 61850 compliant equipment, these mechanisms need to be integrated in the standard. ..."

Comments are due by 2018-09-28

Role-based Access Control - On its way to become Standard

IEC 62351-8 is on its way to become an IEC Standard (57/2017/CD):

Power systems management and associated information exchange – Data and communications security –
Part 8: Role-based access control

The part 8 is currently a Technical Specification. This will change in the next step.

The 62 page CD has been published for commenting until 2018-09-28

"This document provides standard for access control in power systems. The power system
environment supported by this standard is enterprise-wide and extends beyond traditional
borders to include external providers, suppliers, and other energy partners. ...

The following interactions are in scope:

  • local (direct wired) access to the object by a human user;
  • local (direct wired) access to the object by a local and automated computer agent, e.g. another object at the field site;
  • direct access by a user to the object using the objects’ built-in HMI or panel;
  • remote (via dial-up or wireless media) access to the object by a human user;
  • remote (via dial-up or wireless media) access to the object by a remote automated computer agent, e.g. another object at another substation, a distributed energy resource at an end-user’s facility, or a control centre application."

Wednesday, July 4, 2018

IEEE Spectrum July 2018: 6 WAYS IoT IS VULNERABLE

IEEE Spectrum 2018-07 publishes an opinion by Stacey Higginbotham about the vulnerability of IoT devices and systems:

6 WAYS IoT IS VULNERABLE

Here is an excerpt of the six reasons why security for the Internet of Things (IoT) is different from—and more difficult to tackle than—traditional IT security:

  1. We’ve raised the stakes by connecting more physical systems and facilities to wireless networks -> Consequences of failure are more dire.
  2. IoT security is a special challenge:The adversaries are unlike any we’ve seen before.
  3. For traditional IT system, one can count on the software company’s support for a
    set amount of time. What we see: it could be 10 years, 7, 3, 2, or even 0 ...
  4. A connected product that generates a small profit may require years of updates, patches, and security evaluations.
  5. Many connected devices are built with software, hardware, and firmware that are created
    by different companies and pieced together at the end. It takes only one weak link to create a vulnerability ...
  6. Many connected devices live in environments unlike any IT system. In a home, there’s no IT manager to push patches to a connected fridge. And in an industrial setting, patching one machine might cause it to stop working with other equipment on the line.

I would summarize the challenge as follows:

IoT devices and systems require in principle the same attention, efforts and resources like traditional IT systems. The sheer unlimited number of interconnected IoT devices will work securely only if we except to spend much more money than what the market expects!

Or: Today´s solutions will be the problems of tomorrow.

Click HERE for the complete document (1 page).



Real-time Access to German Generation and Consumption of Electricity


You have real-time access to the German generation and consumption of electricity:




Click HERE for the real-time data access.



Monday, July 2, 2018

Version 2 des OE/BDEW-Whitepaper Anforderungen an sichere Steuerungs - und Telekommunikationssysteme


Version 2 des OE/BDEW-Whitepaper (komplett überarbeitete Version!; 80 Seiten):

Anforderungen an sichere Steuerungs - und Telekommunikationssysteme
(Requirements for Secure Control and Telecommunication Systems)

verfügbar

Click HIER für den Zugriff auf das gesamte Dokument.

"Das vorliegende Dokument definiert grundsätzliche Sicherheitsanforderungen für Steuerungs- und
Telekommunikationssysteme für die Prozesssteuerung in der Energieversorgung und gibt
Ausführungshinweise zu deren Umsetzung. Hierzu werden von Fachexperten zusammengestellte,
aktuelle und branchenspezifische Empfehlungen zur Sicherstellung der Informationssicherheit
aufgeführt.
Das Whitepaper definiert Anforderungen an Einzelkomponenten und für aus diesen Komponenten
zusammengesetzte Systeme und Anwendungen. Ergänzend werden auch Sicherheitsanforderungen
an Wartungsprozesse, Projektorganisation und Entwicklungsprozesse behandelt.
Fokus dieses Dokuments sind die im Rahmen der Beschaffung zu berücksichtigenden Anforderungen
an technische Komponenten und Systeme und für die Projektabwicklung relevanten Prozesse.
Ebenso wichtig sind organisatorische Sicherheitsmaßnahmen im Unternehmen, wie der
Aufbau einer Sicherheitsorganisation, ein angemessenes Risikomanagement oder die Schaffung
eines umfassenden Sicherheitsbewusstseins bei den Mitarbeitern (Security Awareness). Diese
organisatorischen Anforderungen stehen nicht im Fokus des Whitepapers, hierzu sei insbesondere
auf die Normen ISO/IEC 27001 und ISO/IEC 27019 verwiesen.
Das vorliegende Dokument ist eine vollständig überarbeitete Neuauflage des BDEW Whitepapers
und der zugehörigen Ausführungshinweise von Oesterreichs Energie und BDEW. Beide Dokumente
wurden zusammengeführt und die Inhalte gemäß aktuellen Technologienentwicklungen
umfassend aktualisiert und ergänzt."

Die englische Version wird in Kürze erscheinen.

Die hier beschriebenen Anforderungen haben erheblichen Einfluss auf Unternehmen im Kontext der Energieversorgung: mehr Mitarbeiter und mehr technische Hilfsmittel, mit denen die Anforderungen erfüllt werden könnten - und damit höhere Kosten!