Substation Communications Design
Transcription
Substation Communications Design
Substation Communications Design Legacy to IEC 61850 Part 3/3: Reliability & Security Tim Wallaert Chris Jenkins Agenda • Substation to the Control Room Communications − − − − • ? How to Build a Redundant Network − − − − − − • Legacy networks Networking today CIP Hardened equipment RSTP MRP Routing Router Cellular PRP/HSR How to Lock it Down − Firewalls − VPN Port Security Authentication − − © 2014 Belden Inc. | belden.com | @BeldenInc 2 Legacy Utility Networks 1200 baud SCADA Master Administration Modem Bank Dial-in Leased Lines IED RTU IED IED RTU IED IED Distributed Substations © 2014 Belden Inc. | belden.com | @BeldenInc 3 RTU IED Today’s Digital Networks RTU Management & Provisioning Master Site SCADA/ EMS PBX GW HMI Switch Term Server Video Monitoring Video Storage PoE HMI Wide Area Network PoE VOIP Enet IED SerialSerial Serial IED IED IED VOIP HMI PoE Enet IED SerialSerial Serial IED IED IED Sub A Sub C VOIP Enet IED SerialSerial Serial IED IED IED Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 4 New networks have to be compliant… What does “compliance” mean? • FERC/NERC-CIP − Federal Energy Regulatory Commission − North American Electric Reliability Corporation • http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx • Critical Infrastructure Protection (CIP) • Version 1 enforced in 2008 • Currently enforcing Version 3 • Version 4 has been approved, April 2014 deadline • Still to be approved Version 5 is being pushed to replace Version 4 • Version 5 has MANY changes including: • Encryption • Multi-Factor Authentication • © 2014 Belden Inc. | belden.com | @BeldenInc 5 Federal Regulation • Critical Infrastructure Protection (CIP) is a group of standards enforced by NERC • NERC does not certify equipment • There is no such thing as a “CIP certified router” • Belden provides equipment that enables customers to design and implement networks that are CIP compliant • Constantly monitoring NERC for changes in standards and listening to feedback from our customers © 2014 Belden Inc. | belden.com | @BeldenInc 6 “I need to upgrade my network and stay compliant, but how?” © 2014 Belden Inc. | belden.com | @BeldenInc 7 Turn to a Trusted Leader © 2014 Belden Inc. | belden.com | @BeldenInc 8 Solutions Portfolio © 2014 Belden Inc. | belden.com | @BeldenInc 9 Important Specs to Consider • Experienced, Reliable Vendor • Standards Based Equipment • Environment Extended Temp ranges Noise Immunity IEEE1613 IEEE61850-3 © 2014 Belden Inc. | belden.com | @BeldenInc 10 Important Specs to Consider IEEE 1613 IEC 61850-3 Contact 8kV Air 15kV ESD Radiated RF 35V/M I/O ports Fast Transient Oscillatory Dielectric Strength Operating Temperature 4kV Power ports (HV and LV) 4kV I/O ports 2.5kV Power ports (HV and LV) 2.5kV HV power ports 3kV LV power ports 2kV -40 to +85+ C ESD (61000-4-2) Contact 8kV Air 15kV Radiated RF (61000-4-3) Fast Transient (61000-4-4) Surge (61000-4-5) Conducted RF (61000-4-6) 20V/M I/O ports 4kV Power ports (HV and LV) 4kV I/O ports 4kV Power ports (HV and LV) 4kV I/O ports 10V Power ports (HV and LV) 10V Magnetic Field (61000-4-8) Voltage Dips & Interrupts (61000-4-11) © 2014 Belden Inc. | belden.com | @BeldenInc 30A/m HV power ports 11 Pass Important Specs to Consider • Redundant Power options − Low and High voltage options − Dual power supply features − Hot Swappable PS1 PS2 © 2014 Belden Inc. | belden.com | @BeldenInc 12 Important Specs to Consider • Redundancy features - Serial Port - RSTP - MRP - RIP, OSPF, BGP - VRRP - Cellular redundancy - PRP/HSR • Security - Encryption - Authentication - Firewalls - Detection © 2014 Belden Inc. | belden.com | @BeldenInc 13 Redundancy Features © 2014 Belden Inc. | belden.com | @BeldenInc 14 Serial Redundancy RTU Management & Provisioning Master Site SCADA/ EMS PBX GW HMI Switch Term Server Video Monitoring Video Storage PoE HMI Wide Area Network PoE VOIP Enet IED SerialSerial Serial IED IED IED VOIP HMI PoE Enet IED Sub A Sub C VOIP Enet IED SerialSerial Serial IED IED IED SerialSerial Serial IED IED IED Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 15 Serial Redundancy Poll Master Site SCADA/ EMS SCADA/ EMS HMI PoE HMI Wide Area Network VOIP Enet IED Term Server Term Server Video Monitoring HMI PoE SerialSerial Serial IED IED IED VOIP Sub B RESP RESP SerialSerial PoE RESP © 2014 Belden Inc. | belden.com | @BeldenInc SerialSerial Serial IED IED IED Sub C Serial IED IED IED Enet IED Video Monitoring VOIP Enet IED Sub A Backup Site 16 Ethernet Redundancy Protocols Protocol Parallel Redundancy Protocol (PRP) Current Standard Typical Re-Config Topology Available since IEC 62439-3:2012-07 0mS Any topology/mesh 2010 IEC 62439-3:2012-07 0mS Pure Ring Only 2010 IEEE 802.1D-2004 5-20mS per switch Any topology/mesh 2004 Media Redundancy Protocol (MRP) IEC 62439-2:2010 200mS worst case, 50 switches max Pure Ring Only 1998/2007 Routing Information Protocol (RIP & RIP 2) RFC 1723 ~30sec small networks 1988/1994 Open Shortest Path First (OSPF) RFC 2328 seamless Any topology/mesh 1987/1998 Border Gateway Protocol (BGP) RFC 4271 seamless Any topology/mesh 1989/2006 High-Availability Seamless Redundancy (HSR) Rapid Spanning Tree Protocol (RSTP) © 2014 Belden Inc. | belden.com | @BeldenInc 17 RSTP Redundancy © 2014 Belden Inc. | belden.com | @BeldenInc 18 Rapid Spanning Tree Protocol (RSTP) Bridging RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring PBX GW Switch Term Server Video Storage BPDU HMI HMI PoE HMI PoE VOIP Enet IED SerialSerial Serial IED IED IED Sub A VOIP IED BPDU Enet IED SerialSerial Serial IED IED IED SerialSerial Serial IED IED IED Sub C Sub B © 2014 Belden Inc. | belden.com | @BeldenInc PoE 19 Rapid Spanning Tree Protocol (RSTP) Bridging RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring DATA DATA DATA PBX GW Switch Term Server Video Storage BPDU BPDU HMI PoE ~5 -15ms recovery HMI PoE VOIP Enet IED SerialSerial Serial IED IED IED Sub A HMI VOIP IED BPDU BPDU Enet IED SerialSerial Serial IED IED IED SerialSerial Serial IED IED IED Sub C Sub B © 2014 Belden Inc. | belden.com | @BeldenInc PoE 20 MRP Redundancy © 2014 Belden Inc. | belden.com | @BeldenInc 21 Media Redundancy Protocol (MRP) RTU Management & Provisioning Master Site SCADA/ EMS PBX GW Video Storage HELLO HELLO HELLO Ring Switch HMI Switch Term Server Video Monitoring Ring Manager PoE *10mS recovery VOIP HMI Ring Switch HMI PoE PoE VOIP VOIP IED IED SerialSerial Serial IED IED IED Sub C IED SerialSerial Serial IED IED IED Term Server IED IED Sub C Sub B * 50 switches per ring max © 2014 Belden Inc. | belden.com | @BeldenInc 22 Routing Protocol Redundancy © 2014 Belden Inc. | belden.com | @BeldenInc 23 Routing Protocols RIP, OSPF, BGP Master Site SCADA/ EMS PBX GW Switch Term Server Video Monitoring HMI RTU Management & Provisioning Video Storage PoE HMI Wide Area Network PoE VOIP Enet IED SerialSerial Serial IED IED IED HMI PoE VOIP Enet IED Sub A SerialSerial Serial IED IED IED Sub C Enet IED SerialSerial Serial IED IED IED Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 24 Routing Protocols RIP, OSPF, BGP SCADA/ EMS PBX GW Master HMI Substation C is over here Video Term Server Video Monitoring Substation A is over here RTU Mgmt Storage PoE PoE HMI HMI PoE PoE VOIP Enet IED SerialSerial Serial IED IED IED HMI PoE VOIP Enet IED Sub A SerialSerial Serial IED IED IED Sub C Enet IED SerialSerial B is Substation Serial IED IED IED over here Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 25 Routing Protocols RIP, OSPF, BGP Master Site SCADA/ EMS PBX GW Term Server Video Monitoring HMI RTU Mgmt PoE Video Storage Wide Area Network HMI PoE VOIP Enet IED SerialSerial Serial IED IED IED HMI PoE VOIP Enet IED Sub A SerialSerial Serial IED IED IED Sub C Enet IED SerialSerial Serial IED IED IED Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 26 Router Redundancy © 2014 Belden Inc. | belden.com | @BeldenInc 27 Virtual Router Redundancy Protocol (VRRP) RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring PBX GW Term Server Switch Video Storage Slave Router(s) Master Router Wide Area Network © 2014 Belden Inc. | belden.com | @BeldenInc 28 Virtual Router Redundancy Protocol (VRRP) RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring PBX GW Term Server Switch Video Storage Slave Router(s) Master Router Wide Area Network © 2014 Belden Inc. | belden.com | @BeldenInc 29 Virtual Router Redundancy Protocol (VRRP) RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring DATA PBX GW Term Server Switch Video Storage Slave Router(s) Master Router Wide Area Network © 2014 Belden Inc. | belden.com | @BeldenInc 30 Virtual Router Redundancy Protocol (VRRP) RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring DATA PBX GW Term Server Switch Video Storage Slave Router(s) Master Router Wide Area Network © 2014 Belden Inc. | belden.com | @BeldenInc 31 Cellular Redundancy © 2014 Belden Inc. | belden.com | @BeldenInc 32 Before Cellular RTU Management & Provisioning Master Site SCADA/ EMS Video Monitoring PBX DATA ATA GW Switch Term Server Video Storage Wide Area Network HMI PoE DATA VOIP Enet IED SerialSerial Serial IED IED IED Sub A © 2014 Belden Inc. | belden.com | @BeldenInc 33 Before Cellular RTU Management & Provisioning Master Site SCADA/ EMS PBX ATA GW Switch Term Server Video Monitoring Video Storage Wide Area Network HMI PoE VOIP Enet IED SerialSerial Serial IED IED IED Sub A © 2014 Belden Inc. | belden.com | @BeldenInc 34 Cellular Backup RTU Management & Provisioning Master Site SCADA/ EMS PBX DATA DATA GW Switch Term Server Video Monitoring Video Storage Verizon Wireless Internet Wide Area Network HMI VOIP Enet IED PoE DATA DATA SerialSerial Serial IED IED IED Sub A © 2014 Belden Inc. | belden.com | @BeldenInc 35 PRP/HSR Redundancy © 2014 Belden Inc. | belden.com | @BeldenInc 36 Parallel Redundancy Protocol (PRP)Protocol) Zero failover with Network Redundancy “0ms” recovery DAN Dual Attached Node SAN Single Attached Node SAN SAN SAN SAN DAN DAN SAN SAN Two redundant networks By doubling the packets no data loss if one packet fails PRP-Redundancy-Box = bidirectional splitter and combiner © 2014 Belden Inc. | belden.com | @BeldenInc 37 High-Available Seamless Redundancy (HSR) HSR Packet HSR Packet No packet loss © 2014 Belden Inc. | belden.com | @BeldenInc 38 Security © 2014 Belden Inc. | belden.com | @BeldenInc 39 Today’s Networks RTU Management & Provisioning Master Site SCADA/ EMS PBX GW HMI Switch Term Server Video Monitoring Video Storage PoE HMI Wide Area Network PoE VOIP Enet IED SerialSerial Serial IED IED IED HMI PoE VOIP Enet IED Sub A SerialSerial Serial IED IED IED Sub C Enet IED SerialSerial Serial IED IED IED Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 40 Defense in Depth Wide Area Network HMI PoE Enet IED Enet IED Serial Serial Serial IED IEDIED SCADA VOIP Enet IED Serial Serial Serial IED IEDIED Serial Serial Serial IED IEDIED Enet IED IT Engineering Sub © 2014 Belden Inc. | belden.com | @BeldenInc 41 Firewalls Public NonSecured Network Private Secured Network • Integrated or standalone device that can be configured to allow or block specific traffic and users • DX/10Series Routers offer integrated Firewall features • Eagles are standalone devices © 2014 Belden Inc. | belden.com | @BeldenInc 42 Firewalls • Firewall with Stateful Packet Inspection (SPI) − Both IP and MAC address filtering supported • Network Address Translation (NAT) • VPN support 10XTS, 10ETS, 10RX DX Eagle © 2014 Belden Inc. | belden.com | @BeldenInc 43 Eagle 20 Tofino – Firewall + DPI • Firewall with Stateful Packet Inspection (SPI) • Layer 2 Bridge with No IP Address − No disruption to existing network design − VERY • secure Content Inspection filters traffic at the protocol level (Deep Packet Inspection) − Modbus/TCP − others • to follow Simple deployment, configuration and management © 2014 Belden Inc. | belden.com | @BeldenInc 44 Tofino™ Modbus TCP Enforcer LSM: Content Inspector for Modbus • Protocol ‘Sanity Check’ blocks any traffic not conforming to the Modbus standard • Control engineer defines list of allowed Modbus commands, registers and coils • Automatically blocks and reports any Modbus traffic that does not match your rules © 2014 Belden Inc. | belden.com | @BeldenInc 45 VPN © 2014 Belden Inc. | belden.com | @BeldenInc 46 Virtual Private Networks RTU Management & Provisioning Master Site SCADA/ EMS PBX GW Switch Term Server Video Monitoring Video Storage Encrypted using IPSec HMI PoE Wide Area Network HMI PoE VOIP Enet IED SerialSerial Serial IED IED IED HMI PoE Enet IED SerialSerial Serial IED IED IED Sub A Sub C Enet IED SerialSerial Serial IED IED IED Sub B © 2014 Belden Inc. | belden.com | @BeldenInc 47 Security - VPN • Hardware and software encryption • Multiple tunnel support • Pre-Shared Key (PSK) or X.509 Certificates • IPSec • DX/10Series Routers offer integrated VPN features • Eagles are standalone devices © 2014 Belden Inc. | belden.com | @BeldenInc 48 Port Security © 2014 Belden Inc. | belden.com | @BeldenInc 49 Port Security • Default with all ports “administratively set to DOWN” • Some devices support “no tail ending”. Port is locked after being unplugged. Must be enabled by administrator • Physical port security devices • Unusual port connectors provide a small level of security © 2014 Belden Inc. | belden.com | @BeldenInc 50 MAC Based Port Security • Secures physical ports by applying a MAC based filter on a per port basis which allows only the authorized MAC address to forward traffic from the given port. © 2014 Belden Inc. | belden.com | @BeldenInc 51 IP Based Port Security • Secures physical ports by applying a IP based filter on a per port basis which allows only the authorized IP address to forward traffic from the given port. © 2014 Belden Inc. | belden.com | @BeldenInc 52 Authentication © 2014 Belden Inc. | belden.com | @BeldenInc 53 Authentication • Switches and Routers support RADIUS Authentication − Protects access to the 1 console ports − Authenticates 4 users to Network the network - Helps satisfy CIP authentication requirements 2 3 Radius Server © 2014 Belden Inc. | belden.com | @BeldenInc 54 Authentication • Secure Access Servers − Subnet Control Center Engineering Access Solutions Secure Access Manager − CrossBow − Cooper Power RSA • Satisfies CIP access record keeping requirements Network Communications Gateway IED IED RTU IED IED RTU © 2014 Belden Inc. | belden.com | @BeldenInc 55 Summary • Substation to the Control Room Communications − − − − • ? How to Build a Redundant Network − − − − − − • Legacy networks Networking today CIP Hardened equipment RSTP MRP Routing Router Cellular PRP/HSR How to Lock it Down − Firewalls − VPN Port Security Authentication − − © 2014 Belden Inc. | belden.com | @BeldenInc 56 Top Three Takeaways • Multiple Redundant protection schemes to pick from when designing/upgrading a network • Security Features that support CIP compliant networking requirements • Belden - Industry Leading Product Depth and Experience © 2014 Belden Inc. | belden.com | @BeldenInc 57 Additional Resources & Assistance Obtain further Substation Communication resources from our website: 1. www.belden.com/power-td/ This webpage includes substation communication diagrams and other useful tools Contact a Belden representative for assistance: 2. Call 510-438-9071 if you are in the U.S. or Canada Or complete the form at www.belden.com/contact/ Thank you for your interest in this presentation! © 2014 Belden Inc. | belden.com | @BeldenInc 58 Belden.com | @BeldenInc © 2014 Belden