Tropos GridCom™
A secure distribution area network architecture
for smart grids
The essence of the smart grid vision is “a fully-automated
power delivery network that can ensure a two-way flow of
electricity and information between the power plants and
appliances and all points in between.” This next evolution of
the power grid will involve the expansion and integration of
advanced communications and information technology into
all aspects of utility operations. The increased functionality
associated with the integration into information systems also
comes with increased exposure, and a key consideration
is to ensure cybersecurity, especially as systems that have
traditionally been physically-isolated, closed and proprietary
evolve towards more networked, open architectures based
on IP standards. This white paper lays out some of the key
drivers of a sharpened focus on security in the context of
the smart grid and presents the functional requirements for
system security in the distribution area networks used as the
platform for smart grid communications. It then outlines the
underlying design principles of the GridCom security architecture and explains how GridCom addresses these functional requirements for distribution area network security.
Focus on security: Key drivers
As the grid evolves to an IP-based system of systems, there is a growing
focus on system security driven by the following trends and drivers:
2 | Tropos GridCom
- Migration to IP-based network architectures: Much as telecom
systems have been migrating over the last several years from
proprietary TDM-based systems to all-IP architectures, a similar
move is afoot within utility communications. The migration to
IP brings several benefits, including a greater ability to share
information across systems, simplified communications and
control and improved end-to-end visibility. On the other hand,
the shift from physically-isolated, closed proprietary systems to
networked, open standard IP-based architectures necessitates a
careful rethinking of security assumptions and system design to
ensure the proper identification of cyber assets, enforcement of
intra-system boundaries, traffic segmentation across user groups
and applications, data privacy and infrastructure protection, while
assuring reliability, maintainability and availability.
- More stakeholders: The smart grid will promote much wider
information sharing within the utility than was previously possible,
but this comes with the need to effectively impose policies across
divisional and functional boundaries for access to varying levels of
data. This includes data sharing across multiple departments and
entities, but also with end-customers and other third-party energy
management application providers.
- More numerous and diverse endpoints: The smart grid will tie
together a plethora of devices, from power quality sensors and
distribution automation devices that are utility-owned and -controlled
to residential meters and smart appliances that are customer-owned
and -operated. The smart grid will result in several orders of
magnitude increases in the volume of data transferred as well as in
the sheer number of devices that participate in the network.
- Growing cyber attack threats: Since the grid is critical
infrastructure and increasingly central to the daily lives of individuals
and businesses, it is of growing importance to ensure cybersecurity
of the grid against the threat of cyber attacks by malicious entities.
Unlike the majority of the failure risks associated with the power
system today, which can be modeled probabilistically, cybersecurity
requires a shift in thinking to accommodate the possibility of a
coordinated attack on multiple facilities by an intelligent attacker
over a network. As NERC’s Chief Security Officer points out, “One
of the more significant elements of a cyber threat, contributing to
the uniqueness of cyber risk, is the cross-cutting and horizontal
nature of networked technology that provides the means for an
intelligent cyber attacker to impact multiple assets at once, and from
a distance.” [1] He argues that in identifying critical assets, a “rule-out”
approach (assuming every asset is a critical asset until demonstrated
otherwise) may be more appropriate than an “add-in” approach
(starting with the assumption that no assets are critical).
- Regulatory compliance requirements: While security standards
for the smart grid are still being developed, it is increasingly clear
that protection of critical cyber assets and of the interests of
stakeholders will place regulatory compliance requirements on
utilities and system operators. As an early example, the NERC CIP
standards were issued for the identification and protection of critical
cyber assets to maintain the operational integrity of the bulk power
system.
Functional requirements for distribution area network security
The smart grid is a system of systems, with different security requirements
specific to individual systems, though there is also a great degree of commonality of requirements across systems. One of the systems comprising
the smart grid is the wireless distribution area network that sits between
the devices on the distribution system (home area networks, meters, meter
collectors, DA devices, etc.) and the distribution substations which typically
connect back to the utility core network over fiber or microwave links.
Figure 1: Tiered communications architecture of smart grids (table reconstructed from the figure)

Tier                        Bandwidth required    Communications technologies
Core                        10-100 Mbps           Fiber
Distribution Area Network   500 Kbps - 10 Mbps    3G/802.11/WiMax
Neighborhood Area Network   10-100 Kbps           900 MHz
Home Area Network           1-10 Kbps             Zigbee

Scale of coverage in the figure runs from 1000s of sq mi at the core, through 1-10 sq mi, down to 1000s of sq ft in the home area network.
Security requirements for specific sub-systems of the smart grid, such as
AMI, tend to be more application-specific, but in looking at a common distribution area networking infrastructure to be used to securely transport data
across a wide range of applications, it is important to consider a broader set
of requirements that align well with the application-specific requirements, but
also go beyond them to create a generically secure framework for multiple
applications. We can break down the functional requirements for security of
the wireless distribution network into the following areas:
Availability and performance
Availability and performance are security requirements specific to critical systems that differentiate them from traditional information processing systems,
stemming from the fact that critical systems need to be able to continue to
operate and satisfy business and mission needs under diverse operating
conditions. The overall system architecture needs to be designed to this
requirement so that system integrity and availability are maintained
even under adverse conditions such as external attacks or peak loads. For
example, a mesh architecture that is capable of self-organizing and self-healing in response to local disturbances is preferable to a star topology
with central points of failure.
Network access control
The distribution area network needs to be able to impose strong authentication and authorization requirements on devices and users that seek to access the network, ranging from mobile devices carried by utility field crews
to sensors on the distribution plant and potentially end-consumers. Access
control needs to be enforced at the network level as well as at the level of
individual devices. Control needs to be exercised over physical access as
well as networked access to systems and strict authorization policies are
needed to enforce user access privileges.
Network resource and end-point protection
The distribution area network serves to aggregate and distribute mission-critical data and, as such, needs to be capable of protecting itself from
attacks and unauthorized access. In addition, since the network mediates
access between other networked resources (e.g., meters and meter data
management systems), it needs to provide the capabilities to protect those
networked resources from attackers. For example, techniques such as firewalls
need to be employed to ensure that only those ports and services that are
required are enabled and accessible.
Secure end-to-end data transmission
The distribution area network must support secure end-to-end data transmission in addition to ensuring that there are no violations of confidentiality,
privacy and data integrity within the transport component of the distribution
area network itself.
Traffic segmentation across application boundaries
Since the distribution area network is a common infrastructure used to
transport data from multiple applications (e.g., meter data as well as distribution automation application data) and multiple kinds of endpoints (SCADA
RTUs as well as utility mobile workforce handhelds), it needs to provide
mechanisms to effectively segregate these different classes of traffic to
maintain inter-subsystem security and privacy. In addition, the mechanisms
used need to be flexible enough to accommodate the differing security capabilities and requirements of different services, applications or classes
of endpoints.
Secure network configuration, operation and management
In addition to securing data transmission, it is also crucial to secure the
configuration and management of the network infrastructure and safeguard
its operation. Only authorized network operators must be able to alter the
operation of the network elements comprising the distribution area network.
Detailed logging and audit trails are needed to monitor and trace back system configuration changes.
Tropos GridCom system security characteristics
Tropos’ GridCom security solution incorporates and extends industry best
practices for securing wireless networks, resources and data. The design
principles used to craft this security approach include:
- Open standards-based – The solution should leverage well-known
open-standard security techniques that have undergone extensive
scrutiny by the security community. These include IPsec, IEEE
802.1X, IEEE 802.11i, AES encryption, SSL/TLS and FIPS 140-2, as
well as support for emerging smart grid standards such as NERC-CIP
002-009 [2], NISTIR 7628 [3], etc.
- Multi-layer security – The solution should utilize multiple security
mechanisms operating at multiple layers of the protocol stack to
provide layered defenses.
- Multi-application security – Since different applications running
over the common infrastructure have different application
characteristics as well as differing security requirements, the
security solution needs to be flexible enough to accommodate these
differences while ensuring the logical separation of these traffic flows
as well as the integrity of the overall system.
- Adaptable – The security framework needs to be upgradeable in
order to be able to adapt to the evolving threat landscape and to
conform to evolving security standards and requirements over a 10+
year operating time horizon.
Open standards-based
Tropos’ approach leverages and builds on open-standard security techniques that have undergone extensive review by the security community.
This includes such standards as AES, IEEE 802.1X, IEEE 802.11i, IPsec,
SSL/TLS, and FIPS 140-2. These standards comprise requirements for
authentication, authorization and access control; encryption; key generation,
distribution, management and storage; physical security; and the detection
and mitigation of attacks and include approaches ranging from the physical
layer all the way up to the application layer.
There are several security standards being developed to address
the security requirements pertinent to various aspects of smart grid
development, including the NERC CIP standards for the bulk electric system
and NISTIR 7628 for comprehensive smart grid cybersecurity. Security
standards that are developed to address specific applications and subsystems of the smart grid, such as substation automation, tend to be more
application-specific. In contrast, when developing the requirements for a
common distribution area networking infrastructure to securely transport
data for a wide range of applications, it is important to consider more general
standards that address a broader set of requirements, creating a generically
secure framework for multiple applications while also supporting the
application-specific security mechanisms.
Figure 2: Some applicable security standards and their scope
One of the most encompassing of these standards is FIPS 140-2 [4], which is
a federal information processing standard specifying requirements for the
secure design and implementation of cryptographic modules and products for
both hardware and software. It covers a wide range of requirements, from
physical security, encryption algorithms, cryptographic key generation,
management and storage, and algorithm implementation and validation to
the detection and mitigation of various kinds of attacks (see Appendix
B for an overview of FIPS 140-2 security requirements). The security
requirements specified in FIPS 140-2 are quite general and well aligned with
the security goals and objectives currently being pursued in the context of
various smart grid cybersecurity standards efforts. Validation of FIPS 140-2
cryptographic modules is overseen by NIST through its Cryptographic Module
Validation Program (CMVP), and Tropos’ products are FIPS 140-2 validated.
Tropos is tracking the development of all applicable security standards,
both application-specific and general varieties, and is building in support for
these evolving standards, consistent with the commitment to security based
on open standards. As an example, Appendix A presents a tabular view of
Tropos products’ compliance with NERC-CIP 002-009. Tropos products meet
NERC-CIP requirements.
Multi-layer security
Tropos’ approach utilizes multiple security mechanisms operating at
multiple layers of the protocol stack applying a defense-in-depth strategy
that provides layered defense mechanisms such that the impact of failure
in any one mechanism is minimized and so that the adversary’s probability
of success is reduced. To illustrate this principle, suppose that there are
3 independent layers of defense, each with a 1% probability of being
penetrated; the probability that all 3 layers are penetrated is then
0.01^3, or 0.0001%. The arithmetic holds only if the layers fail
independently: a credential reused across layers, or one implementation
flaw shared by two of them, removes that independence, which is why the
layers below draw on different mechanisms at different levels of the stack.
The defense mechanisms employed in the Tropos system range from
physical security (ruggedized enclosures with tamper-evident seals), link-layer security (IEEE 802.1X, IEEE 802.11i, AES encryption, authentication
using IEEE 802.11i EAP/RADIUS, MAC ACLs, MAC address-based whitelists
and blacklists, denial of service detection and mitigation, etc.), network-layer security (IPsec, VPN/firewall packet filtering, IP ACLs), transport-layer
security (SSL/TLS) and application-layer security (HTTPS, support for end-to-end VPNs).
Figure 3: Multi-layer security (table reconstructed from the figure)

Layer         Mechanisms
APPLICATION   HTTPS
TRANSPORT     SSL/TLS
NETWORK       IPsec; packet filtering firewall; IP ACLs
LINK          802.1X access control; 802.11i authentication; AES encryption; MAC ACLs and whitelists/blacklists; DoS detection and mitigation
PHYSICAL      Hardened outdoor enclosure; tamper-detection; encrypted filesystem; protection of critical security parameters
Multi-application security
Tropos’ network constitutes a common physical infrastructure supporting
a range of applications that often have different data characteristics as
well as security requirements. The Tropos security solution is designed to
be flexible enough to accommodate these differences while ensuring the
logical separation of these traffic flows as well as the integrity of the overall
system.
Figure 4: Multi-application security (only the figure labels are recoverable)
Application groups shown: AMI & Demand Management (Billing/DSM); Distribution Automation (DMS); Mobile Workforce (Mobile GIS/Workforce Apps); Substation Automation/Security (Substation Security).
Common infrastructure shown beneath them: separate VLANs; traffic separation and application-based prioritization.
To illustrate the differing application characteristics with regard to security,
consider first an AMI collector that is directly wired (via Ethernet) to a
Tropos router. Access control and authentication at the link layer may be
enforced through IEEE 802.1X tied to a RADIUS server, and the application
traffic (metering data and commands) is secured end-to-end back to a
meter data management system through an IPsec tunnel. Consider next a
mobile utility worker with a PDA connecting wirelessly to the Tropos router.
The authentication method is based on IEEE 802.11i with AES link-layer
encryption, with perhaps a VPN session overlaid on top.
Since the authorization levels and privileges of the users and devices
associated with these different applications are distinct, and since these
are logically distinct services, the network needs to be able to maintain
separation of the corresponding flows. This is done using separate
802.11 SSIDs (service set identifiers) and VLANs that are mapped
to different queues. Each SSID/service has separate (dynamically-generated)
encryption keys, and direct communication between endpoints
corresponding to different services can be prohibited by default. In
addition, different quality of service parameters (for example, DiffServ
or 802.1p classifiers) are assigned to different flows, ensuring that, for
example, delay-sensitive distribution automation traffic is accorded priority
over more delay-tolerant metering data.
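The SSID-to-VLAN-to-queue mapping and the DiffServ/802.1p priority just described can be modelled in a few lines. The Python below is an added example, not Tropos code: the SSID names, VLAN ids, DSCP/PCP values, queue numbering and the sample burst are assumptions chosen for the illustration. The security-relevant detail it shows is that the router derives the marking from the SSID profile and overwrites whatever DSCP the endpoint wrote, so a compromised meter or handheld cannot promote its own traffic into the distribution automation queue.

```python
"""Per-SSID marking and strict-priority queueing at a mesh router, as an
added illustration of the SSID/VLAN-to-queue mapping in the text. Not
Tropos code: SSID names, VLAN ids, DSCP/PCP values and sample traffic
are assumptions."""
import heapq
from itertools import count

# Assumed service profiles: SSID -> VLAN, DSCP, 802.1p PCP and queue index
# (lower index = higher priority). DA gets EF (46)/PCP 5, AMI gets AF11 (10)/PCP 1.
PROFILES = {
    "da-rtu": {"vlan": 20, "dscp": 46, "pcp": 5, "queue": 0},
    "ami":    {"vlan": 10, "dscp": 10, "pcp": 1, "queue": 2},
    "crew":   {"vlan": 30, "dscp": 0,  "pcp": 0, "queue": 3},
}


def classify(ssid, length, client_dscp=0):
    """Tag a frame with the VLAN, DSCP and PCP of the SSID it arrived on.

    The DSCP the client wrote into the packet (client_dscp) is deliberately
    overwritten: trusting it would let any compromised endpoint promote its
    own traffic into the distribution-automation queue. Frames from an
    unknown SSID get no profile and are dropped (None)."""
    p = PROFILES.get(ssid)
    if p is None:
        return None
    return {"ssid": ssid, "vlan": p["vlan"], "dscp": p["dscp"],
            "pcp": p["pcp"], "queue": p["queue"], "len": length,
            "remarked": client_dscp != p["dscp"]}


class StrictPriorityScheduler:
    """Serves the lowest-numbered non-empty queue first, FIFO within a queue."""
    def __init__(self):
        self._heap = []
        self._seq = count()   # arrival order breaks ties within a queue

    def enqueue(self, frame):
        if frame is not None:
            heapq.heappush(self._heap, (frame["queue"], next(self._seq), frame))

    def drain(self):
        out = []
        while self._heap:
            out.append(heapq.heappop(self._heap)[2])
        return out


def transmit_order(arrivals):
    """arrivals: [(ssid, length, client_dscp)] in arrival order.
    Returns the SSIDs in the order a strict-priority scheduler sends them."""
    sched = StrictPriorityScheduler()
    for ssid, length, client_dscp in arrivals:
        sched.enqueue(classify(ssid, length, client_dscp))
    return [f["ssid"] for f in sched.drain()]


# Constructed burst: metering bulk data arrives first, then a DA command and a
# crew frame that has marked itself EF, a frame from an unknown SSID, then more DA.
SAMPLE_BURST = [("ami", 1400, 10), ("ami", 1400, 10), ("da-rtu", 60, 46),
                ("crew", 300, 46), ("rogue-ssid", 100, 46), ("da-rtu", 60, 46)]

if __name__ == "__main__":
    print(transmit_order(SAMPLE_BURST))
```

Strict priority is the simplest scheduler that gives the text's guarantee; a production queue would add a rate cap on the top queue so that a flood of (legitimately marked) DA frames cannot starve metering traffic indefinitely.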
Adaptable
The threat landscape is continually evolving and new cybersecurity threats
targeting critical infrastructure are expected to emerge as the smart grid is
implemented. In addition, the security standards for the smart grid are themselves evolving on a number of fronts, including NISTIR 7628 targeted at
smart grid cybersecurity and the NERC CIP standards aimed at securing the
operation of the bulk power system. Furthermore, in view of the long (10+
year) operating lifetimes of grid systems, it is critical to establish an evolvable
framework that supports software upgrades, patch management and critical
fixes over time. Tropos’ software-based approach is designed to be upgradeable to meet the evolving threat landscape as well as to meet the security
requirements of new security standards as they are developed.
GridCom: Meeting the functional requirements for smart grid security
The GridCom security architecture, based on the principles of robust and
evolvable multi-layer standards-based security, provides a secure framework
for multiple applications while meeting the functional requirements for distribution area network security articulated earlier. Below, we provide a more
detailed description of the security features and functionality implemented in
GridCom and show how they map to the key functional requirements.
Availability and performance
Critical systems need to be able to continue to operate and satisfy business
and mission needs under diverse operating conditions. The overall system
architecture needs to be designed to this requirement to ensure that system
integrity and availability are maintained even under adverse conditions such
as external attacks or peak loads.
Resilient and fault-tolerant mesh architecture
The GridCom network architecture is a self-organizing and self-healing mesh
network that can dynamically adapt its operating parameters to optimize
itself around local changes and disturbances. The underlying distributed
routing protocol continually monitors all available routing paths and ensures
that each router dynamically selects the best path that minimizes end-to-end
mesh latency while maximizing the overall reliability. Advanced radio resource
management techniques such as dynamic channel selection and per-packet
data rate and transmit power control result in a highly adaptive wireless mesh
network that can route around interference and frequency jammers as well as
adverse environmental conditions, with minimal impact to network and system
availability. In existing field deployments, Tropos networks have achieved
99.999% system availability in extremely challenging network environments.
Hardened physical router hardware
Tropos routers are ruggedized outdoor-optimized routers capable of
withstanding and continuing to operate in the face of a wide range of
challenging outdoor environmental conditions including high winds and
tornadoes, Category-5 hurricanes, high levels of humidity and salt/fog
conditions, extreme temperatures, lightning strikes and power surges. Tropos
router hardware has a demonstrated mean time between failure (MTBF) of
over 30 years.
Network access control
Wireless network security begins with prohibiting network access to
unauthorized devices while ensuring that authorized devices can connect
reliably. The distribution area network needs to be able to impose strong
authentication and authorization requirements on devices that seek to access
the network, ranging from mobile devices carried by utility field crews to
sensors on the distribution plant. Tropos routers support a wide variety of
network access control mechanisms that can be tailored to meet a broad
range of access control requirements.
IEEE 802.11i authentication
IEEE 802.11i defines access control, authentication and encryption
mechanisms within an interoperable framework. 802.11i uses port-based
access control built on IEEE 802.1X. Tropos networks support 802.1X
authentication using the Extensible Authentication Protocol (EAP) and RADIUS.
EAP supports multiple methods including PEAP, EAP-TLS and EAP-TTLS.
Additionally (and optionally), authentication and access control can be based
on the use of pre-shared keys (PSK), though this is not recommended for
enterprise-level security configurations: a single shared secret cannot be
revoked for one lost or compromised device without re-keying every device
that uses it.
MAC address access control lists (ACLs)
MAC address access control lists (ACLs) provide additional protection
when used in conjunction with other layer 2 security mechanisms. Tropos
routers support the creation and administration of ACLs based on endpoint
MAC addresses. These ACLs can be whitelists and/or blacklists. A whitelist
implementation denies access by default except to those devices whose
MAC addresses are specified in the whitelist. By contrast, a blacklist
implementation has a “default allow” policy with exceptions specified in the
blacklist.
MAC address whitelists and blacklists can be created and administered from
the Tropos Control network management system. Tropos Control centrally
manages whitelists and blacklists and provisions them onto Tropos routers.
Because hackers can spoof the MAC address of a valid endpoint, MAC
address-based authentication should not be the only mechanism used, but
can be an effective element in a layered security architecture.
IP address, protocol and TCP/UDP port filtering for access control
Packet filtering firewalls have long been used in conventional wired network
security architectures. Tropos has extended the concept to metro-scale
wireless mesh networks with packet filtering capabilities that enhance wireless
network security.
Tropos routers can filter traffic at the edge of the wireless networks using
filters based on IP source and destination addresses, protocol and TCP/
UDP ports. This means that access can be controlled by application and by
protocol, as well as by endpoint. These policies are enforced at the edge of
the wireless network.
Virtual private networks (VPNs) combined with filtering for access
control
To provide the highest levels of security, Tropos recommends the use of
industry-tested virtual private networks (VPNs). While the main function of
a VPN is to provide secure end-to-end data transmission, VPNs also play
a role in network access control. When a VPN is used, only clients with the
appropriate VPN software or hardware/software and valid login credentials
can access the network, especially when combined with intelligent traffic
filtering that permits only VPN traffic to traverse the network.
SSID suppression
IEEE 802.11 access points typically broadcast their service set identifier
(SSID, the network name) to allow client devices to discover the network.
However, for a private network, that is, one where access is limited to a
specified set of users who already know of its existence, SSID broadcast is
undesirable because it announces the network’s availability to unauthorized
persons.
Tropos routers allow network administrators to optionally suppress SSID
broadcasts. In a private network, this does not hamper user access because
endpoint devices can be configured to attach to the network even though
the SSID is suppressed. Suppressing the SSID broadcasts means that
unauthorized persons will not know the network is available unless they use
sniffing tools.
SSID suppression has been shown to be vulnerable to passive attacks (the
SSID is carried in the clear in probe and association frames, so a sniffer
recovers it as soon as a legitimate client connects), and it is therefore
considered inadequate if used alone. However, it is useful as a deterrent
because it prevents a casual hacker from quickly discovering the existence
of the wireless network, even though he would still need to successfully
authenticate prior to obtaining network access.
Network resource and end-point protection
The distribution area network serves to aggregate and distribute missioncritical data and, as such, needs to be capable of protecting itself from
attacks and unauthorized access. In addition, since the network mediates
access between other network resources (e.g., meters and meter data
management systems), it needs to provide the capabilities to protect those
network resources from attackers.
Physical deterrents
Tropos routers are physically hardened and contained within an opaque
commercial-grade environmental casing. They are equipped with indicators
that provide evidence of tampering if any occurs. Further, a variety of
software alarms sent to the Tropos Control Network Management System
can alert network operators if any physical tampering takes place. Tropos
routers also include additional protections such as an encrypted file-system
to guard and protect sensitive stored data.
Figure 5: Tropos broadband mesh routers (Tropos 7320, Tropos 6320/6310, Tropos 4210)
Address, protocol and TCP port filtering for network resource
protection
In addition to playing a role in network access control, packet filtering on
Tropos routers also plays a part in protecting shared assets.
For example, destination IP address filtering can be configured on Tropos
routers, in addition to IP source address and TCP port filtering. In this
manner, endpoints associated with a particular application or services can
be limited to connecting to only specific backend servers. Crafting filters that
disallow traffic to unprotected/unauthorized wired or wireless hosts helps
protect those assets. These policies can be enforced at the very edge of the
wireless network.
Address filtering to block peer-to-peer traffic flows
In the same manner that filtering can be used to protect shared network
resources, it can also be used to protect endpoints (wired or wireless). In
particular, IP destination address filtering on Tropos routers can be used to
prohibit endpoints (even within a given VLAN) from sending traffic to other
devices on that VLAN.
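The three filtering passages above (access control by address, protocol and port; limiting each application's endpoints to its own backend servers; and blocking peer-to-peer traffic inside a VLAN) reduce to one default-deny policy evaluated at the mesh edge. The Python model below is an added example, not Tropos code; the VLAN numbers, endpoint prefixes, backend server addresses, ports and sample flows are assumptions made up for the illustration.

```python
"""Default-deny edge filter with per-VLAN backend allow rules and a
peer-to-peer block, modelled on the address/protocol/port filtering
described in the text. Added example, not Tropos code: VLAN ids,
prefixes, server addresses, ports and sample flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    vlan: int      # VLAN the frame arrived on
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    vlan: int
    dst_net: str   # the only backend(s) endpoints on this VLAN may reach
    proto: str
    dport: int


# Assumed endpoint prefixes per application VLAN.
VLAN_NETS = {
    10: ipaddress.ip_network("172.16.10.0/24"),   # AMI collectors
    20: ipaddress.ip_network("172.16.20.0/24"),   # distribution automation RTUs
    30: ipaddress.ip_network("172.16.30.0/24"),   # mobile workforce
}

# Assumed allow rules; anything not listed here is denied.
RULES = (
    Rule(10, "10.1.0.10/32", "tcp", 5000),   # AMI collector -> MDMS head-end
    Rule(20, "10.2.0.0/24", "tcp", 20000),   # DA RTU -> DMS DNP3 front ends
    Rule(30, "10.3.0.5/32", "udp", 4500),    # field crew -> VPN concentrator (IPsec NAT-T)
)


def decide(flow: Flow, rules=RULES, vlan_nets=VLAN_NETS) -> str:
    """Return 'allow' or 'deny' for a flow arriving at the mesh edge."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    home = vlan_nets.get(flow.vlan)
    # A frame tagged VLAN N but sourced outside N's prefix is malformed or spoofed.
    if home is None or src not in home:
        return "deny"
    # Endpoints never talk to endpoints, in their own VLAN or any other.
    if any(dst in net for net in vlan_nets.values()):
        return "deny"
    # Only an explicit (vlan, backend, proto, port) match gets through.
    for r in rules:
        if (r.vlan == flow.vlan and r.proto == flow.proto and r.dport == flow.dport
                and dst in ipaddress.ip_network(r.dst_net)):
            return "allow"
    return "deny"


# Constructed sample flows covering the cases the policy is meant to separate.
SAMPLE_FLOWS = [
    ("ami to mdms",           Flow(10, "172.16.10.7", "10.1.0.10", "tcp", 5000)),
    ("ami to dms (wrong)",    Flow(10, "172.16.10.7", "10.2.0.3", "tcp", 20000)),
    ("rtu to dms",            Flow(20, "172.16.20.9", "10.2.0.3", "tcp", 20000)),
    ("rtu to rtu (peer)",     Flow(20, "172.16.20.9", "172.16.20.10", "tcp", 20000)),
    ("rtu to ami (cross)",    Flow(20, "172.16.20.9", "172.16.10.7", "tcp", 5000)),
    ("rtu udp (wrong proto)", Flow(20, "172.16.20.9", "10.2.0.3", "udp", 20000)),
    ("spoofed vlan source",   Flow(10, "172.16.30.7", "10.1.0.10", "tcp", 5000)),
    ("crew to vpn",           Flow(30, "172.16.30.7", "10.3.0.5", "udp", 4500)),
]


def evaluate_sample():
    """Run the constructed flows through the policy; returns [(label, decision)]."""
    return [(label, decide(f)) for label, f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for label, verdict in evaluate_sample():
        print(f"{label:24s} {verdict}")
```

The order of the checks is the point: VLAN membership is verified first so that a host on the crew VLAN cannot reach the MDMS by tagging its frames with the AMI VLAN, and the endpoint-to-endpoint block runs before the allow rules so that no later allow rule can accidentally reopen lateral traffic.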
FIPS 140-2
Tropos routers are FIPS 140-2 compliant. FIPS-approved cryptographic
algorithms are used, including AES CBC, AES CCM, SHA-1, RSA and
Triple-DES CBC. (SHA-1 and Triple-DES have since been deprecated by NIST
in SP 800-131A; where the configuration allows a choice, AES and the SHA-2
family should be selected.) Authentication techniques used include strong
passwords, WPA-PSK and EAP-TLS, each with a probability of success below
1 in 10^14 for a random password/key guess. Cryptographic keys are stored
securely on an encrypted filesystem on-board the routers, and all management
of the routers, including key generation, distribution and management, is
performed using FIPS-approved techniques. The routers comply with FIPS
requirements for zeroization of keys and other critical security parameters
and various self-tests, including software and firmware integrity checks.
Secure end-to-end data transmission
The distribution area network must support secure end-to-end data
transmission in addition to ensuring that there are no violations of
confidentiality, privacy and data integrity within the transport component of
the distribution area network itself.
WPA2 encryption for client-to-mesh router links
In addition to providing access control via standardized authentication
mechanisms, WPA2 also defines encryption between wireless endpoints
and the access point or mesh router using AES ciphers. These provide for
dynamic per-user encryption keys that are derived per-session as part of a
key negotiation process. Tropos routers support 128-bit AES encryption.
WPA2 is necessary but not sufficient to ensure secure end-to-end
transmission: it protects only the client-to-router link, so encryption of
mesh traffic is also required (see below).
AES encryption for mesh links
AES-encrypted mesh links contribute to secure data transmission. Tropos
routers use AES to encrypt all data traffic through the mesh, across multiple
hops, until the traffic reaches a wired gateway. AES (FIPS 197) is the
symmetric (private key) block cipher approved by the National Institute of
Standards and Technology (NIST) and is the standard choice for this purpose.
End-to-end VPNs
To provide the highest levels of security, Tropos recommends the use
of industry-tested VPNs and end-to-end security mechanisms including
those based on SSL/TLS and IPsec. A correctly configured VPN with strong
authentication and sound key management is very difficult to overcome even
for serious and sophisticated adversaries; its protection is only as good as
the credentials and configuration behind it. Building on the lower-layer
methods already discussed, Tropos routers combine VPN compatibility and
traffic filtering with industry-leading VPNs.
Traffic segmentation across application boundaries
Since the distribution area network is used as a common infrastructure
to transport data from multiple applications (e.g., meter data as well as
distribution automation application data) and multiple kinds of endpoints
(SCADA RTUs as well as utility mobile workforce handhelds), it needs to
provide mechanisms to effectively segregate these different classes of traffic
from each other to maintain inter-subsystem security and privacy. In
addition, the mechanisms used need to be flexible enough to accommodate
the differing security capabilities and requirements for different services and
application or classes of endpoints.
Multiple VLAN support for secure transmission
Tropos routers support multiple VLANs with per-VLAN security configuration.
Using this functionality, a single physical infrastructure can support different
user communities with the traffic for each user community effectively
segregated from that of all other user communities.
Per-user group or per-application authentication policies using multiple
VLANs and SSIDs
To provide operators the flexibility to accommodate multiple classes or groups
of users or applications with differing wireless settings and security needs,
Tropos routers support multiple virtual LANs (VLANs) and SSIDs with perVLAN/SSID security configuration support.
Using this functionality, a single physical infrastructure can be used to set
up multiple virtual network infrastructures offering different authentication
methods and policies for different applications and user groups. Each SSID/
VLAN combination acts as a separate virtual network that is segregated
from the other SSID/VLAN combinations through a combination of link-layer
(separate SSIDs and VLAN tags) and network-layer (per-VLAN filtering)
separation mechanisms, including distinct authentication profiles.
The use of multiple SSIDs mapped to distinct VLANs is one of the most
prevalent and industry-standard building blocks for a secure multi-use
wireless IP mesh network. Beyond security, QoS policies implemented
across multiple VLANs/SSIDs can also be used to ensure that delay-sensitive
applications such as distribution automation receive access precedence and
reserved bandwidth.
Multiple VLANs for endpoint protection
Segregating different groups of endpoints onto different VLANs protects
the endpoints corresponding to different applications or groups because
(by default) only members of a given group can send traffic directly to other
members of that group.
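The SSID-to-VLAN segregation, per-VLAN authentication profile and default deny between groups described in this section, modelled as a forwarding policy in Python. This is an added example, not Tropos or ABB code; the SSID names, VLAN numbers, authentication methods, QoS classes and the single inter-VLAN exception are constructed for illustration.

```python
# Added example (not Tropos/ABB code): a model of SSID->VLAN segregation with
# per-VLAN authentication profiles. All names and numbers are constructed.
from dataclasses import dataclass

# Each SSID maps to exactly one VLAN; each VLAN carries its own authentication
# profile and a QoS class so delay-sensitive traffic gets precedence.
SSID_TO_VLAN = {"da-mesh": 10, "scada-rtu": 20, "field-crew": 30}
VLAN_PROFILE = {
    10: {"auth": "802.1X-EAP-TLS", "qos": "high"},         # distribution automation
    20: {"auth": "802.1X-EAP-TLS", "qos": "high"},         # SCADA RTUs
    30: {"auth": "WPA2-PSK",       "qos": "best-effort"},  # mobile workforce handhelds
}
# Traffic between VLANs is denied by default; exceptions are explicit
# (src_vlan, dst_vlan) pairs, e.g. the RTU VLAN may reach the DA VLAN.
INTER_VLAN_ALLOW = {(20, 10)}


@dataclass
class Frame:
    ssid: str               # SSID the client associated to
    dst_vlan: int           # VLAN of the destination endpoint
    authenticated_via: str  # authentication method the client completed


def decide(frame):
    """Return (verdict, reason, qos) for one frame entering the mesh."""
    src_vlan = SSID_TO_VLAN.get(frame.ssid)
    if src_vlan is None:
        return ("drop", "unknown SSID", None)
    profile = VLAN_PROFILE[src_vlan]
    # The client must have satisfied the VLAN's own authentication profile.
    if frame.authenticated_via != profile["auth"]:
        return ("drop", "auth method does not match VLAN profile", None)
    if frame.dst_vlan == src_vlan:
        return ("forward", "intra-VLAN", profile["qos"])
    if (src_vlan, frame.dst_vlan) in INTER_VLAN_ALLOW:
        return ("forward", "explicit inter-VLAN rule", profile["qos"])
    return ("drop", "inter-VLAN traffic denied by default", None)
```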
Secure network configuration, operation and management
In addition to securing data transmission, it is also crucial to secure the
configuration and management of the network infrastructure and safeguard
its operation. Only authorized network operators must be able to alter the
operation of the network elements comprising the distribution area network.
AES encryption of mesh links
In addition to the role AES encryption plays in securing data transmission,
Tropos also uses AES to encrypt PWRP, the routing protocol used by Tropos
routers to transmit node identification and path selection information to each
other, as well as to encrypt all management information sent wirelessly from
nodes to their associated gateways.
Tiered access rights and auditing for Tropos Control
To provide both the flexibility and security required for effective and efficient
network management and administration, Tropos Control offers tiered access
rights based on user type or function. Four levels of access have been defined
for Tropos Control – root, admin, read/write and read-only. Authorization can
be done locally on the management system or remotely using RADIUS.
Logging and audit trails
All configuration changes made to the routers or to the Tropos Control
network management system are logged on Tropos Control, including
timestamps and user information. This provides an audit trail detailing who
made what configuration changes and when they were made.
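An added illustration, not Tropos Control code: a Python analyzer for a constructed audit log that rebuilds the who/what/when change trail, flags a configuration change attributed to a read-only tier account, and raises an alert after a configurable number of failed login attempts (the alert feature listed in Appendix A). The log line format, account names, tier-to-account mapping and threshold are assumptions made for this example.

```python
# Added example (not Tropos/ABB code): audit-trail and alerting logic over a
# constructed log. Format, accounts, tier mapping and threshold are assumptions.
import re
from collections import defaultdict
from datetime import datetime

# The four Tropos Control tiers named in the text; which of them may change
# configuration is an assumption for this example.
CONFIG_TIERS = {"root", "admin", "read/write"}
ACCOUNT_TIER = {"ops1": "root", "ops2": "read-only"}   # constructed accounts
FAILED_LOGIN_THRESHOLD = 3                              # configurable alert limit

# Constructed line format: "<ISO timestamp> user=<u> event=<e> [key=value ...]"
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)(.*)$")

SAMPLE_LOG = """\
2012-08-01T10:00:00 user=ops1 event=config-change node=r17 key=vlan.10.auth old=psk new=eap-tls
2012-08-01T10:01:30 user=ops2 event=config-change node=r17 key=vlan.30.qos old=high new=best-effort
2012-08-01T10:02:00 user=guest event=login-failed src=10.1.2.3
2012-08-01T10:02:05 user=guest event=login-failed src=10.1.2.3
2012-08-01T10:02:09 user=guest event=login-failed src=10.1.2.3
2012-08-01T10:03:00 user=ops1 event=login-ok src=10.1.2.9
"""


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, event, rest = m.groups()
    attrs = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **attrs}


def analyze(log_text):
    """Return (change_trail, alerts): who changed what and when, plus findings."""
    trail, alerts = [], []
    failures = defaultdict(int)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["event"] == "config-change":
            trail.append((rec["ts"], rec["user"], rec["node"], rec["key"], rec["old"], rec["new"]))
            # A change logged for a non-privileged tier means the tier model was
            # bypassed or the account mapping is stale: worth an alert either way.
            if ACCOUNT_TIER.get(rec["user"]) not in CONFIG_TIERS:
                alerts.append(f"config change by non-privileged account {rec['user']}")
        elif rec["event"] == "login-failed":
            failures[(rec["user"], rec["src"])] += 1
            if failures[(rec["user"], rec["src"])] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{FAILED_LOGIN_THRESHOLD} failed logins for {rec['user']} from {rec['src']}")
    return trail, alerts
```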
Secure mesh router configuration
In addition to configuration via Tropos Control, Tropos routers can be
configured and monitored by a web-based configurator. All configurator
traffic is protected with HTTPS. Network administrators can securely monitor
and configure individual routers from anywhere on the core network. Login is
provided by a certificate-based authentication scheme that can support up
to 20 authorized users. As with Tropos Control, all changes made using the
configurator are logged, providing an audit trail.
FIPS 140-2
The Tropos Control network management system is FIPS 140-2 Level
1 certified, and meets the FIPS requirements for secure storage and
transmission of critical security parameters, identity-based and role-based
authentication of network management users, etc. TLS with AES and RSA
key generation is used to secure communications between Tropos Control
and Tropos routers.
Conclusion
The evolution of the power grid of today into a smart grid will involve the
expansion and integration of advanced communications and information
technology into all aspects of utility operations. One of the key considerations
in pursuing this goal is ensuring cybersecurity. Tropos’ GridCom security
architecture, based on the principles of adaptability, open standards and
multi-layer defense strategies, provides granular and flexible security policies
to support multiple classes of applications and endpoints and allows the
creation of a highly secure common distribution area networking infrastructure
to support diverse smart grid applications.
Appendix A: NERC CIP 002-009 compliance table (applicable requirements)

Each entry gives the NERC CIP category, the applicable requirements, and the
features for compliance.

CIP-002-2 Critical Cyber Asset Identification
  (no applicable requirements or features listed)

CIP-003-2 Security Management Controls
  Applicable requirements:
    R4: Information protection (R4.1)
    R5: Access control (R5.1, R5.2)
    R6: Change control and configuration management
  Features for compliance:
    Asset inventory and management
    Individual user accounts and passwords
    Role-based authentication
    Secure configuration and network management and version management

CIP-004-2 Personnel and Training
  Applicable requirements:
    R4: Access (R4.1, R4.2)
  Features for compliance:
    Individual user accounts and passwords
    Role-based authentication tied to RADIUS
    Access allowance and revocation controls

CIP-005-2 Electronic Security Perimeter(s)
  Applicable requirements:
    R2: Electronic access controls (R2.1, R2.2, R2.4, R2.6)
    R3: Monitoring electronic access (R3.2)
  Features for compliance:
    Secure configuration
    Firewall/VPN packet filtering rulesets to block/permit specific ports and services
    MAC and IP address-based ACLs
    Individual user accounts and passwords
    Role-based authentication tied to RADIUS
    Appropriate use banner
    Monitoring and logging of authorized access and unauthorized access attempts
    Automated alerts after a configurable number of unauthorized access attempts

CIP-007-2 Systems Security Management
  Applicable requirements:
    R2: Ports and services (R2.1, R2.2)
    R3: Security patch management
    R5: Account management (R5.12, R3)
    R6: Security status monitoring (R6.1, R6.2, R6.3)
  Features for compliance:
    Firewall/VPN packet filtering rulesets to block/permit specific ports and services
    Security advisories and fixes released
    Secure remote upgrade capability
    Role-based authentication tied to RADIUS
    Monitoring and logging of authorized access and unauthorized access attempts
    Audit trails of user account access activity and configuration changes
    Enforcement of strong passwords
    Detection and reporting of security-related events (failed login attempts, denial of service attacks, evil twins, etc.)
    Automated alerts on security-related events

CIP-008-2 Incident Reporting and Response Planning
  Applicable requirements:
    R2: Cyber security incident documentation
  Features for compliance:
    Monitoring and logging of authorized access and unauthorized login attempts
    Detection and reporting of security-related events (failed login attempts, denial of service attacks, evil twins, etc.)
    Audit trails of user account access activity and configuration changes

CIP-006-2 Physical Security of Critical Cyber Assets
  (no applicable requirements or features listed)

CIP-009-2 Cyber Security — Recovery Plans for Critical Cyber Assets
  (no applicable requirements or features listed)
Appendix B: Summary of FIPS 140-2 security requirements

The original table has one column per security level (Security Level 1 to
Security Level 4). Requirements that apply to several levels are listed once
with the levels they cover.

Cryptographic Module Specifications
  Levels 1-4: Specification of cryptographic module, cryptographic boundary, Approved algorithms, and Approved modes of operation. Description of cryptographic module, including all hardware, software, and firmware components. Statement of module security policy.

Cryptographic Module Ports and Interfaces
  Levels 1-4: Required and optional interfaces. Specification of all interfaces and of all input and output data paths.
  Levels 3-4: Data ports for unprotected critical security parameters logically or physically separated from other data ports.

Roles, Services, and Authentication
  Level 1: Logical separation of required and optional roles and services.
  Level 2: Role-based or identity-based operator authentication.
  Levels 3-4: Identity-based operator authentication.

Finite State Model
  Levels 1-4: Specification of finite state model. Required states and optional states. State transition diagram and specification of state transitions.

Physical Security
  Level 1: Production grade equipment.
  Level 2: Locks or tamper evidence.
  Level 3: Tamper detection and response for covers and doors.
  Level 4: Tamper detection and response envelope. EFP or EFT.

Operational Environment
  Level 1: Single operator. Executable code. Approved integrity technique.
  Level 2: Referenced PPs evaluated at EAL2 with specified discretionary access control mechanisms and auditing.
  Level 3: Referenced PPs plus trusted path evaluated at EAL3 plus security policy modeling.
  Level 4: Referenced PPs plus trusted path evaluated at EAL4.

Cryptographic Key Management
  Levels 1-4: Key management mechanisms: random number and key generation, key establishment, key distribution, key entry/output, key storage, and key zeroization.
  Levels 1-2: Secret and private keys established using manual methods may be entered or output in plaintext form.
  Levels 3-4: Secret and private keys established using manual methods shall be entered or output encrypted or with split knowledge procedures.

EMI/EMC
  Levels 1-2: 47 CFR FCC Part 15, Subpart B, Class A (Business use). Applicable FCC requirements (for radio).
  Levels 3-4: 47 CFR FCC Part 15, Subpart B, Class B (Home use).

Self-Tests
  Levels 1-4: Power-up tests: cryptographic algorithm test, software/firmware integrity tests, critical functions tests. Conditional tests.

Design Assurance
  Level 1: Configuration management (CM). Secure installation and generation. Design and policy correspondence. Guidance documents.
  Level 2: CM system. Secure distribution. Functional specification.
  Level 3: High-level language implementation.
  Level 4: Formal model. Detailed explanation (informal proofs). Preconditions and postconditions.

Mitigation of Other Attacks
  Levels 1-4: Specification of mitigation of attacks for which no testable requirements are currently available.
References
1. Michael Assante, Vice President and Chief Security Officer, NERC, Letter to Industry Stakeholders,
http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf
2. NERC Critical Infrastructure Protection Standards CIP 002-009,
http://www.nerc.com/page.php?cid=2|20
3. Guidelines for Smart Grid Cybersecurity, NIST Internal Report 7628,
http://csrc.nist.gov/publications/PubsNISTIRs.html
4. ‘Security Requirements for Cryptographic Modules’, Federal Information Processing Standards Publication FIPS 140-2,
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

For more information please contact:
ABB Inc.
Wireless Communication Systems
555 Del Rey Avenue
Sunnyvale, CA 94085
Phone: +1 408.331.6800
E-Mail: [email protected]
www.abb.com/tropos
1KHA - 001 242 - SEN - 1000 - 08.2012 © Copyright 2012 ABB. All rights reserved.