Publications - Paper

Application of Monitoring Standards for enhancing Smart Grids Security

The paper describes the application of the IEC 62351 series of security standards to protect IEC 60870-5-104 and IEC 61850 communications for the control of hydroelectric power plants and distributed energy resources, and then focuses on the data objects for ICT monitoring currently being specified by the IEC 62351-7 standard, whose release as an international standard is expected in early 2017.

The technical context of this paper covers the cyber security requirements of smart grid control systems in the globally evolving smart grid landscape characterised by the deployment of open information and communication infrastructures for connecting Distributed Energy Resources (DER) to the power grids and by the exposure to a dynamic threat environment.

Within the general smart grid security context, the paper specifically addresses two main cyber security needs of smart grid control applications: the security of the communication protocols implementing the control data exchanges, and the monitoring of the corresponding information flows. The choice of these two security functionalities is motivated by the need for an approach to the treatment of cyber risks that combines protective measures against unauthorised access and communication eavesdropping with continuous monitoring of the residual risks that may occur during smart grid operation.

The security functionalities are deployed in control system environments using the emerging standards in smart grid communication and security. The application of the security standard series IEC 62351 (Power systems management and associated information exchange – Data and communications security) for protecting the IEC 60870-5-104 and IEC 61850 communications in the control of hydro power plants and renewable energy sources is explained first. The paper then focuses on the data objects currently under specification in IEC 62351-7 (Network and System Management (NSM) data object models), to be issued as an international standard in early 2017.

The application of IEC 62351 in a remote control system for hydroelectric generation is used to explain briefly how the entire security stack required by this IEC standard has been implemented for systems based on the IEC 60870-5-104 protocol. End-to-end security for remote control systems that employ the IEC 60870-5-104 protocol involves implementing IEC 62351-3 (Profiles Including TCP/IP) and IEC 62351-5 (Security for IEC 60870-5 and Derivatives), the implementation of which required the development of a new part, IEC 60870-5-7 (Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols), as well as the developments required in IEC 62351-8 (Role-Based Access Control for Power System Management) and IEC 62351-9 (Key Management). The main systems involved are the SCADA (Supervisory Control and Data Acquisition) side of the Control Center, the RTU (Remote Terminal Unit), i.e. the specific IED for remote control based on IEC 60870, and a PKI (Public Key Infrastructure) dedicated to the telecontrol system.

The cyber security testbed for DER control deploys IEC 61850 over MMS (Manufacturing Message Specification) for collecting measurements from the DER at the substations and for sending setpoints computed at the substation to the DER. In this environment too, the TLS (Transport Layer Security) profile specified in IEC 62351-3 (issued as an international standard at the end of 2014) is implemented in the testbed in order to protect the end-to-end communications from potential intrusions in the control network. Some attack processes against the ICT management and DER control networks are injected into the testbed in order to trace the behaviour of the monitoring functions in the presence of attacks targeting communication or control devices.

In both the hydro plant and the DER control environments, the monitoring functions are implemented in the ICT (Information and Communication Technology) management infrastructure via SNMP (Simple Network Management Protocol), using a separate network interface of the control devices and a communication link that is logically and physically decoupled from the control network.

The application of IEC 62351 to the DER control communications will show the advantages of deploying the monitoring features during cyber attacks, in terms of fault detection capabilities and subsequent recovery actions. As the results from the experimental activity will show, the advancements in security effectiveness are supported by the implementation of standard monitoring functions in both the communication and the control devices of the smart grids. The results will also support the specification of an adaptive monitoring infrastructure capable of changing the configuration of the monitoring architecture in order to reduce the impact of the monitoring overhead on the controllability of the control device.

The experimental results presented in the paper will provide a concrete contribution to the standard specification of the monitoring functions, their implementation in commercial products, and their deployment in the operational infrastructures and organisational processes of energy utilities.