The disclosure relates to process control and substation automation systems, and in particular to the security aspects to be observed during configuration and parameterization of individual devices within a substation automation system.
Known Process Control (PC) systems, such as power network protection or Substation Automation (SA) systems perform mission-critical tasks. If one of the constituents of those systems fails, proper and safe operation of a particular industrial process or electrical power substation may be jeopardized. Exemplary mission-critical system constituents of SA systems include so-called Intelligent Electronic Devices (IED) such as protection relays executing protection functions based on data from sensors and issuing control commands such as circuit breaker trips in response thereto. These IEDs can be accessed either locally or remotely, as they can be connected with other devices in the power network protection system via various communication links, enabling, in addition to local access, remote monitoring, configuration and parameterization of those IEDs.
At the same time, through the use of TCP/IP-based and other wide area communication means, the IEDs are increasingly exposed and vulnerable to unauthorized configuration and parameterization, whether intentional or not. In particular, cyber attacks that have breached the existing IT security layer can activate settings or configurations that are dangerous for a power system and could lead to an instantaneous tripping of some lines, or to a delayed breakdown of the power network as a consequence of a subsequent real fault situation. In order to protect mission-critical IEDs against local or remote attacks, a number of technologies have been developed.
A known approach for securing the configuration and setting parameters of an IED relies on access rights, in particular role-based access control (RBAC), where a certain role is entitled to make certain changes or modifications to the configuration of the mission-critical devices. A role with assigned access rights is pre-defined and linked to some special users. Those special users have to identify themselves on the mission-critical device by means of a password or some other security certificate before they are allowed to act according to the role. Another approach is to link the right to modify settings and configurations directly to a user, who in turn has to identify himself by means of a password or certificate, generally referred to as a key. Limiting the right of modification to a small number of designated people therefore provides some protection for PC systems.
EP 1940075 describes an exemplary Role Based Access (RBAC) protocol for substation IEDs, with user roles built up from basic permissions, including e.g. the basic permission “Configuration” for a certain aspect, and assigned to multiple users of a same IED. Unique security keys for the users and a unique security file for each IED are generated. A requested action is executed following a positive check of a received user key against a security file confirming permission of the requested action based on the basic permissions of the user's role.
The problem with known approaches resides in the fact that they neglect the risk posed by disgruntled employees who know the appropriate keys, or by stolen or misappropriated keys. People within the original security perimeter who hold the necessary keys may easily tamper with the configuration data. A known mitigation is to disable stolen keys, and the user identifications and keys of dismissed employees, within the system as fast as possible. However, such disabling is not easy to achieve within a distributed system and may take some time.
Other known approaches already in use can avoid the above situation. For example, a “second opinion” or “four eyes” check may be configured on individual IEDs. In this case, an intended configuration modification or parameter change is accepted only if confirmed by two different users that in turn are authenticated based on two different keys. The probability that both keys have been stolen or are lost or belong to disgruntled employees is very low. Hence, a slower and less complex key management procedure may be sufficient.
U.S. Pat. No. 6,189,032 discloses a client-server system, wherein the server, upon identification of a first user and reception of a service supply request from the first user, determines if an approval by another user is specified for providing the service, and obtains such approval by sending an approval request to another user at a second client terminal.
In this system, the configuration modification proposed by a first user waits for a second user's approval. Sometimes, the delay caused by waiting for the second user's approval may be hours, or even days. For configurations that shall be deployed urgently, this can be a significant disadvantage.
A method of checking a configuration modification for an Intelligent Electronic Device (IED) in a Process Control (PC) or Substation Automation (SA) system is disclosed, the method comprising: receiving, by the IED, a configuration modification request from an authenticated requestor; approving or rejecting, by the IED, the configuration modification request based on an approval from an approver independent of the requestor; authenticating, by the IED and prior to receiving the request, the approver and storing, in a memory of the IED, a configuration modification plausibility check elaborated by the approver; and approving or rejecting the configuration modification request based on a result of the stored plausibility check when applied to specific circumstances of the configuration modification request.
An Intelligent Electronic Device (IED) in a Process Control (PC) or Substation Automation (SA) system is disclosed; the IED having a device functionality configurable during operation of the system and adapted to authenticate a requestor, receive a configuration modification request from the authenticated requestor, authenticate an approver independent of the requestor, and approve or reject the configuration modification request based on an approval from the approver, the IED comprising: memory means for storing a configuration modification plausibility check provided by the authenticated approver prior to receiving the request; and an approving unit for approving or rejecting the configuration modification request based on the stored plausibility check and specific circumstances of the configuration modification request.
A method of checking a configuration modification for an Intelligent Electronic Device (IED) in a control system is disclosed, the method comprising: at the IED: authenticating an approver through a first key or electronic signature; storing in memory, a configuration modification plausibility check input by the approver; receiving a configuration modification request from an authenticated requestor; and approving or rejecting the configuration modification request based on a result of the stored plausibility check when applied to specific circumstances of the configuration modification request.
A computer readable medium storing program code for a method of checking a configuration modification in an Intelligent Electronic Device (IED) is disclosed, which, when in communicative contact with a processor, causes the processor to execute the method comprising: authenticating an approver through a first key or electronic signature; storing in memory a configuration modification plausibility check input by the approver; receiving a configuration modification request from an authenticated requestor; and approving or rejecting the configuration modification request based on a result of the stored plausibility check when applied to specific circumstances of the configuration modification request.
Further embodiments, advantages and applications of the disclosure are disclosed in the following description, which makes reference to the accompanying drawings, wherein:
Exemplary embodiments of the present disclosure check or verify, in a reliable, secure and delay-free way, intended changes to a configuration or to a parameter setting of an individual IED of a Process Control PC or Substation Automation SA system.
According to an exemplary embodiment of the present disclosure, there is provided a method of checking, during regular operation of a PC or SA system, an intended configuration modification for a mission-critical IED of the system. The IED receives, from a requestor, a modification request directed to IED configuration, parameter or setting data. An identity or role of the requestor is authenticated by the IED itself, based on a first key and in a standard way. The IED then checks the requested configuration modification, and rejects it in case no approval or confirmation is made by an approver independent of the requestor, and accepts and implements it otherwise. The IED authenticates the approver prior to receiving the request, and stores, in a local memory, a configuration modification plausibility check provided by the approver. The latter may either elaborate the check at the IED, via suitable input means, or load the pre-elaborated check in its entirety onto the IED. The stored plausibility check is then performed on, or applied to, the specific circumstances, or attributes, of the request, and the intended modification is rejected or approved depending on the result or outcome of the check. The particular circumstances of the intended modification include one or more of the proposed new configuration settings or parameter values; a time, location, requestor identity or history of the request; or status information about the controlled process and/or the controlling Process Control PC or Substation Automation SA system comprising the IED.
The proposed plausibility check extends beyond a mere authentication of the requestor and his role, and further restricts any role-based permission by a plausibility check involving the particular circumstances of the request at issue. Authenticating the approver days or hours in advance eliminates any delay that would otherwise be incurred while waiting for an on-line or real-time approval. Furthermore, because the approver authentication results in a plausibility check being stored in executable form at the IED itself, there is no need to repeatedly secure a communication link to a remote approver.
According to an exemplary embodiment of the present disclosure, the plausibility check for judging whether the modified configuration setting is acceptable or not is embodied as a maintenance schedule able to confirm that a configuration or setting change is presently foreseen for the IED, or as a coded set of rules to be executed as a sequence of program steps, or as an expert system which checks the consistency of the intended modification with respect to past and/or present settings of other IEDs and/or the power network, and which past and/or present settings are obtained and stored by the expert system autonomously.
In another exemplary embodiment of the present disclosure, the plausibility check involves primary information or knowledge about the PC or SA system, or about the controlled process or substation as a whole. The plausibility check does not just rely on an actual status of an individual piece of primary equipment of the substation as in interlocking, and thus extends beyond a mere check for technical consistency.
According to an exemplary embodiment of the disclosure, the plausibility check verifies conformance of the request with one or a combination of the following secondary criteria: when the modified configuration setting is received, where the modified configuration setting is sent from, what kind of IED is concerned, who the requestor is, what kind of modifications are requested, and whether the modified configuration setting is consistent with prior configurations.
The proposed configuration checking method involves an approver or second source which pre-authenticates itself on the mission-critical device (IED) to be subsequently re-configured. The IED can obtain the second source's approval before accepting a configuration modification request made to the IED by a requestor or first source. The second source identifies itself to the IED by a second key or electronic signature which is different from the key of the first source.
In step S11, an approver authenticates itself to the IED by presenting a second key or electronic signature. The IED verifies the second key, and qualifies the approver when the key has successfully passed verification. The approver may be an administrator or operator of a Process Control system or a Substation Automation system, or a processing unit with knowledge about the proper operation of those systems as e.g. instructed by the aforementioned administrator or operator.
In step S12, the authenticated approver uploads a plausibility check to the IED. The IED stores the plausibility check in its memory for subsequent use. The plausibility check can be input by the approver through a Human-Machine Interface (HMI) on the IED. Alternatively, the plausibility check can be transmitted from a remote location by use of available communication links.
In step S13, the requestor logs on to the IED and identifies itself by a first key. Successful verification of the first key authenticates or qualifies the requestor. The first key and second key are different from each other and may even belong to distinct key categories.
In step S14, the authenticated requestor uploads a modified configuration or parameter set to the IED, where it is temporarily stored for immediate plausibility checking.
In step S15, the IED runs the plausibility check provided by the approver for deciding whether the modified configuration or parameter set can be activated or deployed, or whether it has to be rejected. In the latter case, appropriate alarming schemes can be activated instead.
When elaborating the plausibility check, the approver is knowledgeable about the operation of the Process Control system and the role of the IED included in the process control system. In other words, the plausibility check is not only focusing on the proper operation of the IED itself, but verifies that the modified configuration is in conformance with the Process Control or Substation Automation system as a whole. If the intended configuration modification has any adverse influence on the whole system or any neighbouring critical device, such as an unmotivated trip of a power line, the plausibility check will reject the configuration and prohibit it from being deployed onto the target IED.
The plausibility check can be implemented as a plausibility checking procedure indicating whether the configuration modification is acceptable based on a fixed schedule or a set of rules elaborated by the approver. Alternatively, the plausibility check is performed by a modification checking expert system, which can generate new checking criteria or rules based on an automated learning. The expert system can collect and store dynamic configuration information from all or selected IEDs of the system in an automated manner. The plausibility checking procedure may then compare the modified configuration or parameter set with previous configurations of the target IED, or with previous and present configurations of any other IED of the system.
Furthermore, the checking procedure checks the configuration based on certain secondary criteria. Some exemplary criteria could be: the time elapsed since the last successful configuration modification; the physical location of the requestor; the scheduled modification time (e.g. normal working hours); the type or class of the parameter to be modified; and the value or range of the modified parameter. The checking procedure rejects the modified configuration if it does not meet the above criteria.
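The procedure of steps S11 to S15 and the secondary criteria just listed, as an added example that is not part of the patent and not code from any IED vendor: an IED object that authenticates an approver with its own key category, stores the approver's rule set, and later applies that stored rule set to an authenticated requestor's modification request, deploying the change or raising an alarm. The key material, user names, parameter names, ranges and the working-hours window are constructed sample values; the rule encoding (a dataclass of limits) and the use of hashed keys compared in constant time are design choices of this example, not something the text prescribes.

```python
"""Added example: stored plausibility check on an IED (not the patent's code)."""
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ModificationRequest:
    requestor: str
    location: str        # site or network the request is sent from
    at: datetime         # when the request arrives at the IED
    changes: dict        # parameter name -> proposed new value


@dataclass
class PlausibilityCheck:
    """Rule set elaborated by the approver (step S12); one instance is stored on the IED."""
    work_hours: tuple = (8, 17)                        # accept only in [start, end) local hour
    allowed_locations: frozenset = frozenset()
    param_ranges: dict = field(default_factory=dict)   # parameter -> (min, max)
    min_interval: timedelta = timedelta(hours=1)       # since the last accepted change
    max_relative_change: float = 0.5                   # |new - old| / |old| must stay below this

    def evaluate(self, req, current_config, last_change):
        """Return the list of violated secondary criteria; empty means plausible."""
        problems = []
        if not (self.work_hours[0] <= req.at.hour < self.work_hours[1]):
            problems.append("outside scheduled modification hours")
        if req.location not in self.allowed_locations:
            problems.append(f"location {req.location!r} not permitted")
        if last_change is not None and req.at - last_change < self.min_interval:
            problems.append("too soon after the last accepted modification")
        for name, new in req.changes.items():
            if name not in self.param_ranges:
                problems.append(f"parameter {name!r} is not modifiable")
                continue
            lo, hi = self.param_ranges[name]
            if not lo <= new <= hi:
                problems.append(f"{name}={new} outside [{lo}, {hi}]")
            old = current_config.get(name)
            if old and abs(new - old) / abs(old) > self.max_relative_change:
                problems.append(f"{name}: {old} -> {new} inconsistent with prior setting")
        return problems


class IED:
    def __init__(self, requestor_keys, approver_keys, config):
        # Keys are kept as SHA-256 digests; requestor and approver keys are distinct categories.
        self._req = {u: hashlib.sha256(k).digest() for u, k in requestor_keys.items()}
        self._app = {u: hashlib.sha256(k).digest() for u, k in approver_keys.items()}
        self.config = dict(config)
        self.check = None          # the stored plausibility check (None until S12 has run)
        self.check_author = None
        self.last_change = None
        self.alarms = []

    @staticmethod
    def _verify(store, user, key):
        digest = store.get(user)
        return digest is not None and hmac.compare_digest(digest, hashlib.sha256(key).digest())

    def upload_check(self, approver, key, check):
        """Steps S11/S12: authenticate the approver with the second key, then store its check."""
        if not self._verify(self._app, approver, key):
            self.alarms.append(f"approver authentication failed for {approver!r}")
            return False
        self.check, self.check_author = check, approver
        return True

    def submit(self, key, req):
        """Steps S13-S15: authenticate the requestor, run the stored check, deploy or alarm."""
        if not self._verify(self._req, req.requestor, key):
            self.alarms.append(f"requestor authentication failed for {req.requestor!r}")
            return False, ["authentication failed"]
        if self.check is None:
            return False, ["no approver-supplied plausibility check stored"]
        if req.requestor == self.check_author:
            return False, ["approver and requestor must be independent"]
        problems = self.check.evaluate(req, self.config, self.last_change)
        if problems:
            self.alarms.append(f"rejected request from {req.requestor!r}: {problems}")
            return False, problems
        self.config.update(req.changes)   # activate the modified parameter set
        self.last_change = req.at
        return True, []


def demo():
    """Constructed scenario: one in-window, in-range request and one that violates several rules."""
    ied = IED(requestor_keys={"tech1": b"req-secret"}, approver_keys={"admin": b"app-secret"},
              config={"overcurrent_pickup_A": 1000.0, "trip_delay_ms": 300.0})
    check = PlausibilityCheck(allowed_locations=frozenset({"substation-A"}),
                              param_ranges={"overcurrent_pickup_A": (500.0, 2000.0),
                                            "trip_delay_ms": (100.0, 1000.0)})
    ied.upload_check("admin", b"app-secret", check)
    ok = ModificationRequest("tech1", "substation-A", datetime(2024, 5, 6, 10, 0),
                             {"trip_delay_ms": 350.0})
    bad = ModificationRequest("tech1", "remote-vpn", datetime(2024, 5, 6, 23, 0),
                              {"overcurrent_pickup_A": 100.0})
    return ied.submit(b"req-secret", ok), ied.submit(b"req-secret", bad), ied


if __name__ == "__main__":
    accepted, rejected, device = demo()
    print("accepted:", accepted, "rejected:", rejected, "alarms:", device.alarms)
```

The second request fails four criteria at once (outside working hours, unknown location, value below the permitted range, and a change too large relative to the prior setting), and the IED reports all of them while leaving the stored configuration untouched; the approver is never contacted at request time, which is the delay-free property the description claims.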
The above-listed features of the plausibility checking procedure may be combined arbitrarily in order to achieve the object of the present disclosure.
The approver does not need to frequently log on to the IED, but may have a regular schedule for maintaining the mission-critical IEDs, and may upload a new version of the plausibility check once the old version is outdated. The updated version of the plausibility check may include new standards of operation, new solutions for coping with problems, or changes in the underlying PC or SA system.
Since the modification plausibility check is stored in the IED, it is possible to approve or reject the modification request while the approver is off-line. A secure communication link needs to be established only when the plausibility check is updated. Moreover, since the checking procedure is already stored in the IED before receiving any modification request, it is not necessary to wait for the approver to log on and make a decision. Therefore, the time delay introduced by the checking procedure is minimized.
Thus, it will be appreciated by those skilled in the art that the present invention can be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The presently disclosed embodiments are therefore considered in all respects to be illustrative and not restrictive. The scope of the invention is indicated by the appended claims rather than the foregoing description, and all changes that come within the meaning and range of equivalence thereof are intended to be embraced therein.
Number | Date | Country | Kind |
---|---|---|---|
09 169 009.9 | Aug 2009 | EP | regional |
This application is a continuation application under 35 U.S.C. §120 to PCT/EP2010/061633 which was filed as an International application on Aug. 10, 2010 designating the U.S., and which claims priority to European Patent Application No. 09169009.9 filed in Europe on Aug. 31, 2009, the entire contents of which are hereby incorporated by reference in their entireties.
Relation | Number | Date | Country
---|---|---|---
Parent | PCT/EP2010/061633 | Aug 2010 | US
Child | 13408755 | | US