Security Profile for Wide-Area Monitoring, Protection, and Control

Prepared for: The UCAIug SG Security Working Group

Prepared by: The Advanced Security Acceleration Project for the Smart Grid (ASAP-SG)

Managed by: EnerNex Corporation
620 Mabry Hood Road
Knoxville, TN 37923 USA
(865) 218-4600
www.enernex.com

Version 0.08
Revision History

Rev  | Date     | Summary                                                          | Marked
0.01 | 20110510 | Outline established. Section 1 content complete.                 | N
0.02 | 20110510 | Section 2 content complete.                                      | N
0.03 | 20110511 | Section 3 through failure definitions content complete.          | N
0.04 | 20110512 | Section 4 draft content and template tables.                     | N
0.05 | 20110513 | Content complete excepting Glossary, Acronyms, and References.   | N
0.06 | 20110515 | Content complete + first team editing pass.                      | N
0.07 | 20110516 | First public draft.                                              | N
0.08 | 20110516 | Table of Contents update.                                        | N
Executive Summary

This document presents the security profile for wide-area monitoring, protection, and control (WAMPAC) of the electric grid, specifically where WAMPAC is built on synchrophasor technology. The profile addresses the security concerns that arise when phasor measurements feed electric system operational decisions, whether those decisions are made off-line, in real time by an operator, or by automated processes. The recommendations rest on stated architectural and functional assumptions. They establish a single security baseline for synchrophasor use overall, with tailored subsets of recommendations for the points at which deployments or usage differ.

This document defines a reference architecture, a set of use cases that describe system functionality, and a set of security controls for the systems and components that implement those use cases. The controls are inspired by, and intended to cover the application of, the technical requirements of NIST Interagency Report (IR) 7628, Guidelines for Smart Grid Cyber Security, as they apply to synchrophasor systems and technology. The approach was therefore to (1) study real-world use of synchrophasor systems, (2) define the function of these systems through a reference architecture of abstract roles and use cases, (3) map the architecture's roles onto real-world synchrophasor systems, (4) define broad security objectives for synchrophasor systems, (5) identify potential failures for each role in the context of the use cases, (6) define security controls that address those failures, and (7) assign the controls to the roles.

The primary audience for this document is organizations that develop or implement solutions requiring or providing WAMPAC functionality through synchrophasor technology. It is written for system owners, system implementers, and security engineers with at least a year of experience securing electric utility field operations.

Table of Contents

Security Profile for Wide-Area Monitoring, Protection, and Control 1
1 Introduction 11
1.1 Scope 12
1.1.1 Equipment 13
1.1.2 Processing 14
1.1.3 Applications 14
1.1.4 Explicit Exclusions 15
1.2 Approach 15
1.3 Audience & Recommended Use 18
1.3.1 Electric Utility 18
1.3.2 Reliability Coordinator 19
1.3.3 Synchrophasor (and Derivative Technology) Vendors 19
2 Functional Analysis 20
2.1 Logical Architecture 21
2.2 Role Definitions 23
2.2.1 Alignment 23
2.2.2 Field Alignment 23
2.2.3 Application 24
2.2.4 Field Application 24
2.2.5 Data Store 24
2.2.6 Environmental Data Interface 24
2.2.7 External Data Source 25
2.2.8 Non-WAMPAC Data Store 25
2.2.9 Phasor Gateway 25
2.2.10 Phasor Measurement Unit (PMU) 25
2.2.11 Registry 26
2.2.12 Phasor Manager 26
2.2.13 Device Control 27
2.3 Role Mappings 27
2.3.1 Application of Logical Architecture: Wide Area Stability and Voltage Control 27
2.3.2 Application of Logical Architecture: Post-event Analysis 29
2.3.3 Application of Logical Architecture: Distributed Voltage Stability Control 31
2.4 Use Cases 32
Use Case 1: PMU Generates New Data 34
Use Case 2: Alignment Processes PMU Data 36
Use Case 3: Alignment Aggregates Data and Sends Super Packet 38
Use Case 4: Environmental Data Interface Forwards Data to an Application 40
Use Case 5: Data Store Records Information 42
Use Case 6: An Application Processes New Data 44
Use Case 7: Operator Configures Alignment (or Phasor Gateway) for a Data Stream 46
Use Case 8: Operator Sends Command Affecting Data Stream to Alignment (or Phasor Gateway) 49
Use Case 9: Operator Advertises Initial Availability of Data from Local PMU via Registry 51
Use Case 10: Operator Modifies Registry Information for a PMU 54
Use Case 11: Operator Searches for PMU in Registry 56
Use Case 12: Operator Advertises Initial Availability of Data from Local PMU via Point-to-Point 58
Use Case 13: Operator Receives Notification of Availability of a Remote PMU (Push) 60
Use Case 14: Operator Initiates a Data Stream to a Remote Organization 62
Use Case 15: Operator Terminates a Data Stream to Remote Organization(s) 64
Use Case 16: Operator Terminates a Data Stream from a Remote Organization 66
3 Failure Analysis 68
3.1 Failure Analysis Process 68
3.2 Security and Operational Objectives 69
3.2.1 Contextual Assumptions 69
3.2.2 Core Operational Assumptions 70
3.2.3 Security Principles 71
3.3 Failures 72
3.3.1 Generic Failures 72
3.3.2 Clock Failures 76
3.3.3 Specific Failures 77
4 Security Controls 79
4.1 Network Segmentation 79
4.1.1 Network Segment Descriptions 81
4.1.2 “Public” vs. “Private” Networks 82
4.2 Control Definitions 83
4.2.1 Access Control 85
4.2.2 Audit & Accountability 87
4.2.3 Configuration Management 88
4.2.4 Continuity of Operations 89
4.2.5 Identification & Authorization 90
4.2.6 Network 92
4.2.7 Physical & Environmental 93
4.2.8 System & Communication Protection 95
4.2.9 System & Information Integrity 99
4.3 Security Controls Mapping 101
4.3.1 Controls Mapped to Roles 102
4.3.2 Controls Mapped to Network Segments 110
Appendix A: Relation to the NIST Interagency Report 7628 111
A.1 Traceability 111
A.2 NIST IR 7628 Actors to WAMPAC Roles Mapping 112
A.3 NIST IR 7628 and WAMPAC Use Case Mapping 114
A.4 NIST IR 7628 Security Objectives to WAMPAC Security Principles Mapping 116
A.5 NIST IR 7628 Technical Requirements Mapped to WAMPAC Controls 118
A.6 NIST IR 7628 Relationship Summary 124
Appendix B: Use Case Notation Guide 125
Appendix C: Evaluating a Wide-Area Monitoring, Protection, & Control System 127
Appendix D: Glossary and Acronyms 129
Appendix E: References 137
Table of Figures

Figure 1 – Overview of Security Profile Development Approach 16
Figure 2 – WAMPAC SP Artifact Relationships 17
Figure 3 – WAMPAC Logical Architecture 22
Figure 4 – Wide Area Stability and Voltage Control 28
Figure 5 – Post-event Analysis 30
Figure 6 – Distributed Voltage Stability Control 31
Figure 7 – Network Segmentation 80
Figure 8 – Role Assignments to Network Segments 81
Figure 9 – Security Profile Workflow NIST-IR 7628 Mapping 112
Figure 10 – An Annotated Activity Diagram 125

Diagram: Use Case 1: PMU Generates New Data 34
Diagram: Use Case 2: Alignment Processes PMU Data 37
Diagram: Use Case 3: Alignment Aggregates Data and Sends Super Packet 39
Diagram: Use Case 4: Environmental Data Interface Forwards Data to an Application 41
Diagram: Use Case 5: Data Store Records Information 43
Diagram: Use Case 6: An Application Processes New Data 44
Diagram: Use Case 7: Operator Configures Alignment (or Phasor Gateway) for a Data Stream 47
Diagram: Use Case 8: Operator Sends Command Affecting Data Stream to Alignment (or Phasor Gateway) 50
Diagram: Use Case 9: Operator Advertises Initial Availability of Data from Local PMU via Registry 52
Diagram: Use Case 10: Operator Modifies Registry Information for a PMU 55
Diagram: Use Case 11: Operator Searches for PMU in Registry 57
Diagram: Use Case 12: Operator Advertises Initial Availability of Data from Local PMU via Point-to-Point 59
Diagram: Use Case 13: Operator is Notified of Availability of a Remote PMU (Push) 60
Diagram: Use Case 14: Operator Initiates a Data Stream to a Remote Organization 63
Diagram: Use Case 15: Operator Terminates a Data Stream to Remote Organization(s) 65
Diagram: Use Case 16: Operator Terminates a Data Stream to a Remote Organization 67

Table of Tables

Table 1 – NASPI Data Classes in Scope for this Security Profile 14
Table 2 – WAMPAC Failures 72
Table 3 – Clock Failures 76
Table 4 – Specific Failures 77
Table 5 – Network Segment Descriptions 81
Table 6 – Controls: Access Control 85
Table 7 – Controls: Audit & Accountability 87
Table 8 – Controls: Configuration Management 88
Table 9 – Controls: Continuity of Operations 89
Table 10 – Controls: Identification & Authorization 90
Table 11 – Controls: Network 92
Table 12 – Controls: Physical & Environmental 93
Table 13 – Controls: System & Communication Protection 95
Table 14 – Controls: System & Information Integrity 99
Table 15 – Controls Mapped to Roles 102
Table 16 – Controls Mapped to Network Segments 110
Table 17 – NIST IR 7628 Actor to WAMPAC Role Mapping 113
Table 18 – NIST IR 7628 Use Cases to WAMPAC Use Cases 115
Table 19 – NIST IR 7628 Use Case Objectives to WAMPAC Security Principles 116
Table 20 – Security Attributes to WAMPAC Security Principles 117
Table 21 – NIST IR 7628 Requirements to WAMPAC Controls 118
Acknowledgements

The Advanced Security Acceleration Project for Smart Grid (ASAP-SG) would like to thank:

Supporting utilities, including Pacific Gas & Electric and Southern California Edison.

Supporting organizations, including the United States Department of Energy, the Electric Power Research Institute, and InGuardians.

The utility and vendor representatives who provided ASAP-SG with essential foundational knowledge and insight into the Wide Area Monitoring, Protection, and Control problem space, with special thanks to the Grid Protection Alliance, Florida Power & Light, the University of Illinois at Urbana-Champaign, Oncor, PJM, Pacific Northwest National Laboratory, SISCO, Southern California Edison, and WECC.

ASAP-SG would also like to thank the National Institute of Standards and Technology (NIST) Computer Security Division, the North American Electric Reliability Corporation (NERC), and the North American Synchrophasor Initiative (NASPI) Data & Network Management Task Team (DNMTT) for the works they have produced, which served as reference material for the Security Profile for Wide Area Monitoring, Protection, and Control.

The ASAP-SG Architecture Team included resources from EnerNex Corporation, InGuardians, Oak Ridge National Laboratory, the Software Engineering Institute at Carnegie Mellon University, and Southern California Edison.

Authors

Glenn Allgood
Len Bass
Bobby Brown
Kevin Brown
Slade Griffin
James Ivers
Teja Kuruganti
Joe Lake
Howard Lipson
Jim Nutaro
Justin Searle
Brian Smith

Edited by: Darren Highfill