Security Profile for Wide-Area Monitoring, Protection, and Control
|
|
|
Prepared for:
The UCAIug SG Security Working Group
|
|
|
Prepared by:
The Advanced Security Acceleration Project for the Smart Grid (ASAP-SG)
|
|
|
Managed by:
EnerNex Corporation
620 Mabry Hood Road
Knoxville, TN 37923
USA
(865) 218-4600
www.enernex.com
|
|
|
|
|
Version
0.08
|
Revision History
Rev
|
Date
|
Summary
|
Marked
|
0.01
|
20110510
|
Outline established. Section 1 content complete.
|
N
|
0.02
|
20110510
|
Section 2 content complete.
|
N
|
0.03
|
20110511
|
Section 3 through failure definitions content complete.
|
N
|
0.04
|
20110512
|
Section 4 draft content and template tables
|
N
|
0.05
|
20110513
|
Content complete excepting Glossary, Acronyms, & References
|
N
|
0.06
|
20110515
|
Content complete + 1st team editing pass.
|
N
|
0.07
|
20110516
|
First public draft.
|
N
|
0.08
|
20110516
|
Table of Contents update.
|
N
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Executive Summary
This document presents the security profile for wide-area monitoring, protection, and control (WAMPAC) of the electric grid, specifically leveraging synchrophasor technology. This profile addresses security concerns associated with the use of phasor measurements in electric system operational decisions, whether these decisions are made off-line, real-time but manually, or through automated processes. The recommendations made herein are based on stated system architectural and functional assumptions, and offer a singular security baseline for overall use of synchrophasor technology with tailored subsets of recommendations where variations in system deployment or usage occur.
This document defines a reference architecture, a set of use cases to define system functionality, and a set of security controls for systems and components that implement the use cases. The security controls in this document are inspired by and intended to cover the application of technical requirements found in NIST Interagency Report (IR) 7628: Guidelines for Smart Grid Cyber Security to synchrophasor systems and technology. The underlying approach behind this document was therefore to (1) study real-world use of synchrophasor systems, (2) define the function of these systems by presenting a reference architecture that defines abstract roles and use cases, (3) map the architecture's roles to real-world synchrophasor systems, (4) define broad security objectives for synchrophasor systems, (5) identify potential failures for each role in the context of the use cases, (6) define security controls to address the failures, and (7) assign controls to the roles.
The primary audience for this document is organizations that are developing or implementing solutions requiring or providing WAMPAC functionality through the use of synchrophasor technology. This document is written for system owners, system implementers, and security engineers with at least a year of experience in securing electric utility field operations.
Table of Contents
Security Profile for Wide-Area Monitoring, Protection, and Control 1
1 Introduction 11
1.1 Scope 12
1.1.1 Equipment 13
1.1.2 Processing 14
1.1.3 Applications 14
1.1.4 Explicit Exclusions 15
1.2 Approach 15
1.3 Audience & Recommended Use 18
1.3.1 Electric Utility 18
1.3.2 Reliability Coordinator 19
1.3.3 Synchrophasor (and Derivative Technology) Vendors 19
2 Functional Analysis 20
2.1 Logical Architecture 21
2.2 Role Definitions 23
2.2.1 Alignment 23
2.2.2 Field Alignment 23
2.2.3 Application 24
2.2.4 Field Application 24
2.2.5 Data Store 24
2.2.6 Environmental Data Interface 24
2.2.7 External Data Source 25
2.2.8 Non-WAMPAC Data Store 25
2.2.9 Phasor Gateway 25
2.2.10 Phasor Measurement Unit (PMU) 25
2.2.11 Registry 26
2.2.12 Phasor Manager 26
2.2.13 Device Control 27
2.3 Role Mappings 27
2.3.1 Application of Logical Architecture: Wide Area Stability and Voltage Control 27
2.3.2 Application of Logical Architecture: Post-event Analysis 29
2.3.3 Application of Logical Architecture: Distributed Voltage Stability Control 31
2.4 Use Cases 32
Use Case 1: PMU Generates New Data 34
Use Case 2: Alignment Processes PMU Data 36
Use Case 3: Alignment Aggregates Data and Sends Super Packet 38
Use Case 4: Environmental Data Interface Forwards Data to an Application 40
Use Case 5: Data Store Records Information 42
Use Case 6: An Application Processes New Data 44
Use Case 7: Operator Configures Alignment (or Phasor Gateway) for a Data Stream 46
Use Case 8: Operator Sends Command Affecting Data Stream to Alignment (or Phasor Gateway) 49
Use Case 9: Operator Advertises Initial Availability of Data from Local PMU via Registry 51
Use Case 10: Operator Modifies Registry Information for a PMU 54
Use Case 11: Operator Searches for PMU in Registry 56
Use Case 12: Operator Advertises Initial Availability of Data from Local PMU via Point-to-Point 58
Use Case 13: Operator Receives Notification of Availability of a Remote PMU (Push) 60
Use Case 14: Operator Initiates a Data Stream to a Remote Organization 62
Use Case 15: Operator Terminates a Data Stream to Remote Organization(s) 64
Use Case 16: Operator Terminates a Data Stream from a Remote Organization 66
3 Failure Analysis 68
3.1 Failure Analysis Process 68
3.2 Security and Operational Objectives 69
3.2.1 Contextual Assumptions 69
3.2.2 Core Operational Assumptions 70
3.2.3 Security Principles 71
3.3 Failures 72
3.3.1 Generic Failures 72
3.3.2 Clock Failures 76
3.3.3 Specific Failures 77
4 Security Controls 79
4.1 Network Segmentation 79
4.1.1 Network Segment Descriptions 81
4.1.2 “Public” vs. “Private” Networks 82
4.2 Control Definitions 83
4.2.1 Access Control 85
4.2.2 Audit & Accountability 87
4.2.3 Configuration Management 88
4.2.4 Continuity of Operations 89
4.2.5 Identification & Authorization 90
4.2.6 Network 92
4.2.7 Physical & Environmental 93
4.2.8 System & Communication Protection 95
4.2.9 System & Information Integrity 99
4.3 Security Controls Mapping 101
4.3.1 Controls Mapped to Roles 102
4.3.2 Controls Mapped to Network Segments 110
Appendix A: Relation to the NIST Interagency Report 7628 111
Appendix A: Relation to the NIST Interagency Report 7628 111
A.1 Traceability 111
A.2 NIST IR 7628 Actors to WAMPAC Roles Mapping 112
A.3 NIST IR 7628 and WAMPAC Use Case Mapping 114
A.4 NIST IR 7628 Security Objectives to WAMPAC Security Principles Mapping 116
A.5 NIST IR 7628 Technical Requirements Mapped to WAMPAC Controls 118
A.6 NIST IR 7628 Relationship Summary 124
Appendix B: Use Case Notation Guide 125
Appendix B: Use Case Notation Guide 125
Appendix C: Evaluating a Wide-Area Monitoring, Protection, & Control System 127
Appendix C: Evaluating a Wide-Area Monitoring, Protection, & Control System 127
Appendix D: Glossary and Acronyms 129
Appendix D: Glossary and Acronyms 129
Appendix E: References 137
Appendix E: References 137
Table of Figures
Figure 1 – Overview of Security Profile Development Approach 16
Figure 2 – WAMPAC SP Artifact Relationships 17
Figure 3 – WAMPAC Logical Architecture 22
Figure 4 – Wide Area Stability and Voltage Control 28
Figure 5 – Post-event Analysis 30
Figure 6 – Distributed Voltage Stability Control 31
Figure 7 – Network Segmentation 80
Figure 8 – Role Assignments to Network Segments 81
Figure 9 – Security Profile Workflow NIST-IR 7628 Mapping 112
Figure 10 – An Annotated Activity Diagram 125
Diagram: Use Case 1: PMU Generates New Data 34
Diagram: Use Case 2: Alignment Processes PMU Data 37
Diagram: Use Case 3: Alignment Aggregates Data and Sends Super Packet 39
Diagram: Use Case 4: Environmental Data Interface Forwards Data to an Application 41
Diagram: Use Case 5: Data Store Records Information 43
Diagram: Use Case 6: An Application Processes New Data 44
Diagram: Use Case 7: Operator Configures Alignment (or Phasor Gateway) for a Data Stream 47
Diagram: Use Case 8: Operator Sends Command Affecting Data Stream to Alignment (or Phasor Gateway) 50
Diagram: Use Case 9: Operator Advertises Initial Availability of Data from Local PMU via Registry 52
Diagram: Use Case 10: Operator Modifies Registry Information for a PMU 55
Diagram: Use Case 11: Operator Searches for PMU in Registry 57
Diagram: Use Case 12: Operator Advertises Initial Availability of Data from Local PMU via Point-to-Point 59
Diagram: Use Case 13: Operator is Notified of Availability of a Remote PMU (Push) 60
Diagram: Use Case 14: Operator Initiates a Data Stream to a Remote Organization 63
Diagram: Use Case 15: Operator Terminates a Data Stream to Remote Organization(s) 65
Diagram: Use Case 16: Operator Terminates a Data Stream to a Remote Organization 67
Table of Tables
Table 1 – NASPI Data Classes in Scope for this Security Profile 14
Table 2 – WAMPAC Failures 72
Table 3 – Clock Failures 76
Table 4 – Specific Failures 77
Table 5 – Network Segment Descriptions 81
Table 6 – Controls: Access Control 85
Table 7 – Controls: Audit & Accountability 87
Table 8 – Controls: Configuration Management 88
Table 9 – Controls: Continuity of Operations 89
Table 10 – Controls: Identification & Authorization 90
Table 11 – Controls: Network 92
Table 12 – Controls: Physical & Environmental 93
Table 13 – Controls: System & Communication Protection 95
Table 14 – Controls: System & Information Integrity 99
Table 15 – Controls Mapped to Roles 102
Table 16 – Controls Mapped to Network Segments 110
Table 17 – NIST IR 7628 Actor to WAMPAC Role Mapping 113
Table 18 – NIST IR 7628 Use Cases to WAMPAC Use Cases 115
Table 19 – NIST IR 7628 Use Case Objectives to WAMPAC Security Principles 116
Table 20 – Security Attributes to WAMPAC Security Principles 117
Table 21 – NIST IR 7628 Requirements to WAMPAC Controls 118
Acknowledgements
The Advanced Security Acceleration Project for Smart Grid (ASAP-SG) would like to thank:
Supporting utilities, including Pacific Gas & Electric and Southern California Edison.
Supporting organizations, including: The United States Department of Energy, the Electric Power Research Institute, and InGuardians.
The utility and vendor representatives that provided ASAP-SG with essential foundational knowledge and insight into the Wide Area Monitoring, Protection, and Control problem space, with a special thanks to the Grid Protection Alliance, Florida Power & Light, University of Illinois at Urbana/Champagne, Oncor, PJM, Pacific Northwest National Laboratory, SISCO, Southern California Edison, and WECC.
ASAP-SG would also like to thank the National Institute of Standards and Technology (NIST) Computer Security Division, the North American Reliability Corporation (NERC), and the North American Synchrophasor Initiative (NASPI) Data & Network Management Task Team (DNMTT) for the works that they have produced that served as reference material for the Security Profile for Wide Area Monitoring, Protection, and Control.
The ASAP-SG Architecture Team included resources from EnerNex Corporation, InGuardians, Oak Ridge National Laboratory, the Software Engineering Institute at Carnegie Mellon University, and Southern California Edison.
Authors
Glenn Allgood
Len Bass
Bobby Brown
Kevin Brown
Slade Griffin
James Ivers
Teja Kuruganti
Joe Lake
Howard Lipson
Jim Nutaro
Justin Searle
Brian Smith
Edited by: Darren Highfill
|
