Tropos GridCom™ A secure distribution area network
Transcription
Tropos GridCom™ A secure distribution area network
Tropos GridCom™ A secure distribution area network architecture for smart grids The essence of the smart grid vision is “a fully-automated power delivery network that can ensure a two-way flow of electricity and information between the power plants and appliances and all points in between.” This next evolution of the power grid will involve the expansion and integration of advanced communications and information technology into all aspects of utility operations. The increased functionality associated with the integration into information systems also comes with increased exposure, and a key consideration is to ensure cybersecurity, especially as systems that have traditionally been physically-isolated, closed and proprietary evolve towards more networked, open architectures based on IP standards. This white paper lays out some of the key drivers of a sharpened focus on security in the context of the smart grid and presents the functional requirements for system security in the distribution area networks used as the platform for smart grid communications. It then outlines the underlying design principles of the GridCom security architecture and explains how GridCom addresses these functional requirements for distribution area network security. Focus on security: Key drivers As the grid evolves to an IP-based system of systems, there is a growing focus on system security driven by the following trends and drivers: 2 | Tropos GridCom - Migration to IP-based network architectures: Much as telecom systems have been migrating over the last several years from proprietary TDM-based systems to all-IP architectures, a similar move is afoot within utility communications. The migration to IP brings several benefits including the greater ability to share information across systems, simplified communications and control and improved end-to-end visibility. On the other hand, the shift from physically-isolated, closed proprietary systems to networked, open standard IP-based architectures necessitates a careful rethinking of security assumptions and system design to ensure the proper identification of cyber assets, enforcement of intra-system boundaries, traffic segmentation across user groups and applications, data privacy and infrastructure protection while assuring reliability, maintainability and availability. - More stakeholders: The smart grid will promote much wider information sharing within the utility than was previously possible, but this comes with the need to effectively impose policies across divisional and functional boundaries for access to varying levels of data. This includes data sharing across multiple departments and entities, but also with end-customers and other third-party energy management application providers. - More numerous and diverse endpoints: The smart grid will tie together a plethora of devices, from power quality sensors and distribution automation devices that are utility-owned and –controlled to residential meters and smart appliances that are customerowned and –operated. The smart grid will result in several orders of magnitude increases in the volume of data transferred as well as in the sheer number of devices that participate in the network. - Growing cyber attack threats: Since the grid is critical infrastructure and increasingly central to the daily lives of individuals and businesses, it is of growing importance to ensure cybersecurity of the grid against the threat of cyber attacks by malicious entities. Unlike the majority of the failure risks associated with the power system today that can be modeled probabilistically, cybersecurity requires a shift in thinking to accommodate the possibility of a coordinated attack on multiple facilities by an intelligent attacker over a network. As NERC’s Chief Security Officer points out, “One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance.”1 He argues that in identifying critical assets, a “rule-out” approach (assuming every asset is a critical asset until demonstrated otherwise) may be more appropriate than an “add-in” approach (starting with the assumption that no assets are critical). - Regulatory compliance requirements: While security standards for the smart grid are still being developed, it is increasingly clear that protection of critical cyber assets and of the interests of stakeholders will place regulatory compliance requirements on utilities and system operators. As an early example, the NERC CIP standards were issued for the identification and protection of critical cyber assets to maintain the operational integrity of the bulk power system. Functional requirements for distribution area network security The smart grid is a system of systems, with different security requirements specific to individual systems, though there is also a great degree of commonality of requirements across systems. One of the systems comprising the smart grid is the wireless distribution area network that sits between the devices on the distribution system (home area networks, meters, meter collectors, DA devices, etc.) and the distribution substations which typically connect back to the utility core network over fiber or microwave links. Bandwidth Required Scale of Coverage 10-100 Mbps Core 1000s sq mi 1-10 sq mi 1000 of sq ft Distribution Area Network 500 Kbps – 10 Mbps Neighborhood Area Network Home Area Network 10-100 Kbps 1-10 Kbps Communications Technologies Fiber 3G/802.11/WiMax 900 MHz Zigbee Figure 1: Tiered communications architecture of smart grids Security requirements for specific sub-systems of the smart grid, such as AMI, tend to be more application-specific, but in looking at a common distribution area networking infrastructure to be used to securely transport data across a wide range of applications, it is important to consider a broader set of requirements that align well with the application-specific requirements, but also go beyond them to create a generically secure framework for multiple applications. We can breakdown the functional requirements for security of the wireless distribution network into the following areas: 3 | Tropos GridCom Availability and performance Availability and performance are unique security requirements for critical systems that differentiate them from traditional information processing systems, stemming from the fact that critical systems need to be able to continue to operate and satisfy business and mission needs under diverse operating conditions. The overall system architecture needs to be designed to this requirement to ensure that system integrity and availability are maintained even under adverse conditions such as external attacks or peak loads. For example, a mesh architecture that is capable of self-organizing and selfhealing in response to local disturbances is preferable to a star topology with central points of failure. Network access control The distribution area network needs to be able to impose strong authentication and authorization requirements on devices and users that seek to access the network, ranging from mobile devices carried by utility field crews to sensors on the distribution plant and potentially end-consumers. Access control needs to be enforced at the network level as well as at the level of individual devices. Control needs to be exercised over physical access as well as networked access to systems and strict authorization policies are needed to enforce user access privileges. Network resource and end-point protection The distribution area network serves to aggregate and distribute missioncritical data and, as such, needs to be capable of protecting itself from attacks and unauthorized access. In addition, since the network mediates access between other networked resources (e.g., meters and meter data management systems), it needs to provide the capabilities to protect those networked resources from attackers. For example, techniques such firewalls need to be employed to ensure that only those ports and services that are required are enabled and accessible. Secure end-to-end data transmission The distribution area network must support secure end-to-end data transmission in addition to ensuring that there are no violations of confidentiality, privacy and data integrity within the transport component of the distribution area network itself. Traffic segmentation across application boundaries Since the distribution area network is a common infrastructure used to transport data from multiple applications (e.g., meter data as well as distribution automation application data) and multiple kinds of endpoints (SCADA RTUs as well as utility mobile workforce handhelds), it needs to provide mechanisms to effectively segregate these different classes of traffic to maintain inter-subsystem security and privacy. In addition, the mechanisms used need to be flexible enough to accommodate the differing security capabilities and requirements for different services and application or classes of endpoints. 4 | Tropos GridCom Secure network configuration, operation and management In addition to securing data transmission, it is also crucial to secure the configuration and management of the network infrastructure and safeguard its operation. Only authorized network operators must be able to alter the operation of the network elements comprising the distribution area network. Detailed logging and audit trails are needed to monitor and trace back system configuration changes. Tropos GridCom system security characteristics Tropos’ GridCom security solution incorporates and extends industry best practices for securing wireless networks, resources and data. The design principles used to craft this security approach include: - Open standards-based – The solution should leverage well-known open-standard security techniques that have undergone extensive scrutiny by the security community. These include IPsec, IEEE 802.1x, IEEE 802.11i, AES encryption, SSL/TLS, and FIPS 140-2 as well as support for emerging smart grid standards such as NERCCIP 002-0092, NISTIR 76283, etc. - Multi-layer security – The solution should utilize multiple security mechanisms operating at multiple layers of the protocol stack to provide layered defenses. - Multi-application security – Since different applications running over the common infrastructure have different application characteristics as well as differing security requirements, the security solution needs to be flexible enough to accommodate these differences while ensuring the logical separation of these traffic flows as well as the integrity of the overall system. - Adaptable – The security framework needs to be upgradeable in order to be able to adapt to the evolving threat landscape and to conform to evolving security standards and requirements over a 10+ year operating time horizon. Open standards-based Tropos’ approach leverages and builds on open-standard security techniques that have undergone extensive review by the security community. This includes such standards as AES, IEEE 802.1x, IEEE 802.11i, IPsec, SSL/TLS, and FIPS 140-2. These standards comprise requirements for authentication, authorization and access control; encryption; key generation, distribution, management and storage; physical security; and the detection and mitigation of attacks and include approaches ranging from the physical layer all the way up to the application layer. There are several security standards being developed to address the security requirements pertinent to various aspects of smart grid development including the NERC CIP standards for the bulk electric system and NISTIR 7628 for comprehensive smart grid cybersecurity. Security standards that are developed to address specific applications and subsystems of the smart grid, such as substation automation, tend to be more 5 | Tropos GridCom Figure 2: Some applicable security standards and their scope application-specific. In contrast, when developing the requirements for a common distribution area networking infrastructure to securely transport data for a wide range of applications, it is important to consider more general standards that address a broader set of requirements creating a generically secure framework for multiple applications while also supporting the application-specific security mechanisms. One of the most encompassing of these standards is FIPS 140-24, which is a federal information processing standard specifying requirements for the secure design and implementation of cryptographic modules and products for both hardware and software. It covers a wide range of requirements ranging from physical security, encryption algorithms, cryptographic key generation, management and storage, algorithm implementation and validation and the detection and mitigation of various kinds of attacks (see Appendix B for an overview of FIPS 140-2 security requirements). The security requirementsspecified in FIPS 140-2 are quite general and well aligned with the security goals and objectives being currently pursued in the context of various smart grid cybersecurity standards efforts. Certification of FIPS 140-2 compliant products is overseen by NIST and Tropos’ products are FIPS 140-2 certified. Tropos is tracking the development of all applicable security standards, both application-specific and general varieties, and is building in support for these evolving standards, consistent with the commitment to security based on open standards. As an example, Appendix A presents a tabular view of Tropos products’ compliance with NERC-CIP 002-009. Tropos products meet NERC-CIP requirements. 6 | Tropos GridCom Multi-layer security Tropos’ approach utilizes multiple security mechanisms operating at multiple layers of the protocol stack applying a defense-in-depth strategy that provides layered defense mechanisms such that the impact of failure in any one mechanism is minimized and so that the adversary’s probability of success is reduced. To illustrate this principle, suppose, for example, that there are 3 independent layers of defense, each with a 1% probability of being penetrated – then the probability that all 3 layers are penetrated successfully is 0.0001%. The defense mechanisms employed in the Tropos system range from physical security (ruggedized enclosures with tamper-evident seals), linklayer security (IEEE 802.1x, IEEE 802.11i, AES encryption, authentication using IEEE 802.11i EAP/RADIUS, MAC ACLs, MAC address-based whitelists and blacklists, Denial of Service detection and mitigation, etc.), networklayer security (IPsec, VPN/firewall packet filtering, IP ACLs), transport-layer security (SSL/TLS) and application-layer security (HTTPS, support for endto-end VPNs). APPLICATION TRANSPORT NETWORK LINK PHYSICAL Figure 3: Multi-layer security 7 | Tropos GridCom HTTPS SSL/TLS IPSec Packet filtering firewall IP ACLs 802.1x access control 802.11i authentication AES encryption MAC ACLs and whitelists/blacklists DoS detection and mitigation Hardened outdoor enclosure Tamper-detection Encrypted filesystem Protection of critical security parameters Multi-application security Tropos’ network constitutes a common physical infrastructure supporting a range of applications that often have different data characteristics as well as security requirements. The Tropos security solution is designed to be flexible enough to accommodate these differences while ensuring the logical separation of these traffic flows as well as the integrity of the overall system. AMI & De Dema Demand mand ma nd Man M Management anag an ag gem emen entt Billing/DSM ibu buti tion on Aut A utom oma a ion atio at n Distribution Automation DMS e Mobile Workforce Mobile GIS/ Workforce Apps ati tion Substation Automation Security Substation Security Separate VLANs Traffic separation and application-based prioritization Figure 4: Multi-application security To illustrate the differing application characteristics with regard to security, consider first an AMI collector that is directly wired in (via ethernet) to a Tropos router. Access control and authentication at the link layer may be enforced through IEEE 802.1x tied to a RADIUS server and the application traffic (metering data and commands) is secured end-to-end back to a meter data management system through an IPsec tunnel. Consider next a mobile utility worker with a PDA connecting wirelessly to the Tropos router. The authentication method is based on IEEE 802.11i with AES link-layer encryption, with perhaps a VPN session overlaid on top. Since the authorization levels and privileges of the users and devices associated these different applications are distinct, and since these are logically distinct services, the network needs to be able to maintain separation of the corresponding flows. This is done using separate 802.11 ESSIDs (Service Set Identifiers) and VLANs that are mapped to different queues. Each SSID/service has separate (dynamicallygenerated) encryption keys and direct communication between endpoints corresponding to different services can be prohibited by default. In addition, different quality of service parameters (for example, DiffServ or 802.1p classifiers) are assigned to different flows ensuring that, for example, delay-sensitive distribution automation traffic is accorded priority over more delay-tolerant metering data. 8 | Tropos GridCom Adaptable The threat landscape is continually evolving and new cybersecurity threats targeting critical infrastructure are expected to emerge as the smart grid is implemented. In addition, the security standards for the smart grid are themselves evolving on a number of fronts, including NISTIR 7628 targeted at smart grid cybersecurity and the NERC CIP standards aimed at securing the operation of the bulk power system. Furthermore, in view of the long (10+ year) operating lifetimes of grid systems, it is critical to establish an evolvable framework that supports software upgrades, patch management and critical fixes over time. Tropos’ software-based approach is designed to be upgradeable to meet the evolving threat landscape as well as to meet the security requirements of new security standards as they are developed. GridCom: Meeting the functional requirements for smart grid security The GridCom security architecture, based on the principles of robust and evolvable multi-layer standards-based security, provides a secure framework for multiple applications while meeting the functional requirements for distribution area network security articulated earlier. Below, we provide a more detailed description of the security features and functionality implemented in GridCom and show how they map to the key functional requirements. Availability and performance Critical systems need to be able to continue to operate and satisfy business and mission needs under diverse operating conditions. The overall system architecture needs to be designed to this requirement to ensure that system integrity and availability are maintained even under adverse conditions such as external attacks or peak loads. Resilient and fault-tolerant mesh architecture The GridCom network architecture is a self-organizing and self-healing mesh network that can dynamically adapt its operating parameters to optimize itself around local changes and disturbances. The underlying distributed routing protocol continually monitors all available routing paths and ensures that each router dynamically selects the best path that minimizes end-to-end mesh latency while maximizing the overall reliability. Advanced radio resource management techniques such as dynamic channel selection and per-packet data rate and transmit power control result in a highly adaptive wireless mesh network that can route around interference and frequency jammers as well as adverse environmental conditions, with minimal impact to network and system availability. In existing field deployments, Tropos networks have achieved 99.999% system availability in extremely challenging network environments. 9 | Tropos GridCom Hardened physical router hardware Tropos routers are ruggedized outdoor-optimized routers capable of withstanding and continuing to operate in the face of a wide range of challenging outdoor environmental conditions including high winds and tornadoes, Category-5 hurricanes, high levels of humidity and salt/fog conditions, extreme temperatures, lightning strikes and power surges. Tropos router hardware has a demonstrated mean time between failure (MTBF) of over 30 years. Network access control Wireless network security begins with prohibiting network access to unauthorized devices while ensuring that authorized devices can connect reliably. The dist-ribution area network needs to be able to impose strong authentication and authorization requirements on devices that seek to access the network, ranging from mobile devices carried by utility field crews to sensors on the distribution plant. Tropos routers support a wide variety of network access control mechanisms that can be tailored to meet a broad range of access control requirements. IEEE 802.11i authentication IEEE 802.11i defines access control, authentication and encryption mechanisms within an interoperable framework. 802.11i uses port-based access control built on IEEE 802.1x. Tropos networks supports 802.1x authentication using the extensible authentication protocol (EAP) and RADIUS. EAP supports multiple methods including PEAP, EAP-TLS and EAP-TTLS. Additionally (and optionally), authentication and access control can be based on the use of pre-shared keys (PSK), though it is not recommended for enterprise-level security configurations. MAC address access control lists (ACLs) MAC address accesscControl lists (ACLs) provide additional protection when used in conjunction with other layer 2 security mechanisms. Tropos routers support the creation and administration of ACLs based on endpoint MAC addresses. These ACLs can be whitelists and/or blacklists. A whitelist implementation denies access by default except to those devices whose MAC addresses are specified in the whitelist. By contrast, a blacklist implementation has a “default allow” policy with exceptions specified in the blacklist. MAC address whitelists and blacklists can be created and administered from the Tropos Control network management system. Tropos Control centrally manages whitelists and blacklists and provisions them onto Tropos routers. Because hackers can spoof the MAC address of a valid endpoint, MAC address-based authentication should not be the only mechanism used, but can be an effective element in a layered security architecture. IP address, protocol and TCP/UDP port filtering for access control Packet filtering firewalls have long been used in conventional wired network security architectures. Tropos has extended the concept to metro-scale wireless mesh networks with packet filtering capabilities that enhance wireless network security. 10 | Tropos GridCom Tropos routers can filter traffic at the edge of the wireless networks using filters based on IP source and destination addresses, protocol and TCP/ UDP ports. This means that access can be controlled by application and by protocol, as well as by endpoint. These policies are enforced at the edge of the wireless network. Virtual private networks (VPNs) combined with filtering for access control To provide the highest levels of security, Tropos recommends the use of industry-tested virtual private networks (VPNs). While the main function of a VPN is to provide secure end-to-end data transmission, VPNs also play a role in network access control. When a VPN is used, only clients with the appropriate VPN software or hardware/software and valid login credentials can access the network, especially when combined with intelligent traffic filtering that permits only VPN traffic to traverse the network. SSID suppression IEEE 802.11 access points typically broadcast their service set identifier (SSID) (their network name) to allow client devices to discover the network. However, for a private network, that is, one where access is limited to a specified set of users who already know of its existence, SSID broadcast is undesirable because it announces the network’s availability to unauthorized persons. Tropos routers allow network administrators to optionally suppress SSID broadcasts. In a private network, this does not hamper user access because endpoint devices can be configured to attach to the network even though the SSID is suppressed. Suppressing the SSID broadcasts means that unauthorized persons will not know the network is available unless they use sniffing tools. SSID suppression has been shown to be vulnerable to passive attacks, and is therefore considered inadequate if used alone. However, it is useful as a deterrent because it prevents a casual hacker from quickly discovering the existence of the wireless network, even though he would still need to successfully authenticate prior to obtaining network access. Network resource and end-point protection The distribution area network serves to aggregate and distribute missioncritical data and, as such, needs to be capable of protecting itself from attacks and unauthorized access. In addition, since the network mediates access between other network resources (e.g., meters and meter data management systems), it needs to provide the capabilities to protect those network resources from attackers. Physical deterrents Tropos routers are physically hardened and contained within an opaque commercial-grade environmental casing. They are equipped with indicators that provide evidence of tampering if any occurs. Further, a variety of software alarms sent to the Tropos Control Network Management System can alert network operators if any physical tampering takes place. Tropos routers also include additional protections such as an encrypted file-system to guard and protect sensitive stored data. 11 | Tropos GridCom Tropos 7320 Tropos 6320/6310 Tropos 4210 Figure 5: Tropos broadband mesh routers Address, protocol and TCP port filtering for network resource protection In addition to playing a role in network access control, packet filtering on Tropos routers also plays a part in protecting shared assets. For example, destination IP address filtering can be configured on Tropos routers, in addition to IP source address and TCP port filtering. In this manner, endpoints associated with a particular application or services can be limited to connecting to only specific backend servers. Crafting filters that disallow traffic to unprotected/unauthorized wired or wireless hosts helps protect those assets. These policies can be enforced at the very edge of the wireless network. Address filtering to block peer-to-peer traffic flows In the same manner that filtering can be used to protect shared network resources, it can also be used to protect endpoints (wired or wireless). In par-ticular, IP destination address filtering on Tropos routers can be used to prohibit endpoints (even within a given VLAN) from sending traffic to other devices on that VLAN. FIPS 140-2 Tropos routers are FIPS 140-2 compliant. FIPS-approved cryptographic algorithms are used including AES CBC, AES CCM, SHA-1, RSA, and Triple-DES CBC Auth-entication techniques used include strong passwords, WPA-PSK and EAP-TLS, all with a less than 1/1014 probability of success for a random password/key guess. Cryptographic keys are stored securely on an encrypted filesystem on-board the routers and all management of the routers including key generation, distribution and management is performed using FIPS-approved techniques. The routers comply with FIPS requirements for zeroization of keys and other critical security parameters and various self-tests including software and firmware integrity checks. Secure end-to-end data transmission The distribution area network must support secure end-to-end data transmission in addition to ensuring that there are no violations of confidentiality, privacy and data integrity within the transport component of the distribution area network itself. 12 | Tropos GridCom WPA2 encryption for client-to-mesh router links In addition to providing access control via standardized authentication mechanisms, WPA2 also defines encryption between wireless endpoints and the access point or mesh router using AES ciphers. These provide for dynamic per-user encryption keys that are derived per-session as part of a key negotiation process. Tropos routers support 128-bit AES encryption. WPA2 is necessary but not sufficient to ensure secure end-to-end transmission. Encryption of mesh traffic is also required (see below) AES encryption for mesh links AES-encrypted mesh links contribute to secure data transmission. Tropos routers use AES to encrypt all data traffic through the mesh, across multiple hops, until the traffic reaches a wired gateway. AES is recommended by the national institute of standards and technology (NIST) as the most robust private key encryption technique. End-to-end VPNs To provide the highest levels of security, Tropos recommends the use of industry-tested VPNs and end-to-end security mechanisms including those based on SSL and IPsec. VPNs are very challenging or impossible to overcome even when attacked by serious and sophisticated adversaries. Building on the lower layer methods we’ve already discussed, Tropos routers combine unique VPN compatibility and traffic filtering with industry-leading VPNs. Traffic segmentation across application boundaries Since the distribution area network is used as a common infrastructure to transport data from multiple applications (e.g., meter data as well as distribution automation application data) and multiple kinds of endpoints (SCADA RTUs as well as utility mobile workforce handhelds), it needs to provide mechanisms to effectively segregate these different classes of traffic from each other to maintain inter-subsystem security and privacy. In addition, the mechanisms used need to be flexible enough to accommodate the differing security capabilities and requirements for different services and application or classes of endpoints. Multiple VLAN support for secure transmission Tropos routers support multiple VLANs with per-VLAN security configuration. Using this functionality, a single physical infrastructure can support different user communities with the traffic for each user community effectively segregated from that of all other user communities. Per-user group or per-application authentication policies using multiple VLANs and SSIDs To provide operators the flexibility to accommodate multiple classes or groups of users or applications with differing wireless settings and security needs, Tropos routers support multiple virtual LANs (VLANs) and SSIDs with perVLAN/SSID security configuration support. 13 | Tropos GridCom Using this functionality, a single physical infrastructure can be used to set up multiple virtual network infrastructures offering different authentication methods and policies for different applications and user groups. Each SSID/ VLAN combination acts as a separate virtual network that is segregated from the other SSID/VLAN combinations through an amalgam of physical and network layer separation mechanisms, including distinct authentication profiles. The use of multiple SSIDs mapped to distinct VLANs is one of the most prevalent and industry-standard building blocks for a secure multi-use wireless IP mesh network. Beyond security, QoS policies implemented across multiple VLANs/SSIDs can also be used to ensure that delay-sensitive applications such as distribution automation receive access precedence and reserved bandwidth. Multiple VLANs for end-point protection Segregating different groups of endpoints onto different VLANs protects the end-points corresponding to different applications or groups because (by default) only members of a given group can send traffic directly to other members of that group. Secure network configuration, operation and management In addition to securing data transmission, it is also crucial to secure the configuration and management of the network infrastructure and safeguard its operation. Only authorized network operators must be able to alter the operation of the network elements comprising the distribution area network. AES encryption of mesh links In addition to the role AES encryption plays in securing data transmission, Tropos also uses AES to encrypt PWRP, the routing protocol used by Tropos routers to transmit node identification and path selection information to each other, as well as to encrypt all management information sent wirelessly from nodes to their associated gateways. Tiered access rights and auditing for Tropos Control To provide both the flexibility and security required for effective and efficient network management and administration, Tropos Control offers tiered access rights based on user type or function. Four levels of access have been defined for Tropos Control – root, admin, read/write and read-only. Authorization can be done locally on the management system or remotely using RADIUS. Logging and audits trails All configuration changes made to the routers or to the Tropos Control network management system are logged on Tropos Control, including timestamps and user information. This provides an audit trail detailing who made what configuration changes and when they were made. 14 | Tropos GridCom Secure mesh router configuration In addition to configuration via Tropos Control, Tropos routers can be configured and monitored by a web-based configurator. All configurator traffic is protected with HTTPS. Network administrators can securely monitor and configure individual routers from anywhere on the core network. Login is provided by a certificate-based authentication scheme that can support up to 20 authorized users. As with Tropos Control, all changes made using the configurator are logged, providing an audit trail. FIPS 140-2 The Tropos Control network management system is FIPS 140-2 Level 1 certified, and meets the FIPS requirements for secure storage and transmission of critical security parameters, identity-based and role-based authentication of network management users, etc. TLS with AES and RSA key generation is used to secure communications between Tropos Control and Tropos routers. Conclusion The evolution of the power grid of today into a smart grid will involve the expansion and integration of advanced communications and information technology into all aspects of utility operations. One of the key considerations in pursuing this goal is ensuring cybersecurity. Tropos’ GridCom security architecture based on the principles of adaptability, open standards and multi-layer defense strategies provides granular and flexible security policies to support multiple classes of applications and endpoints and allows the creation of a highly secure common distribution area networking infrastructure to support diverse smart grid applications. 15 | Tropos GridCom Appendix A: NERC CIP 002-009 compliance table (applicable requirements) NERC CIP Category Applicable Requirements Features for Compliance CIP-002-2 Critical Cyber Asset Identification CIP-003-2 Security Management Controls R4: Information protection (R4.1) R5: Access control (R5.1, R5.2) R6: Change control and configuration management Asset inventory and management Individual user accounts and password Role-based authentication Secure configuration and network management and version management CIP-004-2 Personnel and Training R4: Access (R4.1, R4.2) Individual user accounts and passwords Role-based authentication tied to RADIUS Access allowance and revocation controls CIP-005-2 Electronic Security Perimeter(s) R2: Electronic access controls (R2.1, R2.2, R2.4, R2.6) R3: Monitoring electronic access (R3.2) Secure configuration Firewall/VPN packet filtering rulesets to block/permit specific ports and services MAC and IP address-based ACLs Individual user accounts and passwords Role-based authentication tied to RADIUS Appropriate use banner Monitoring and logging of authorized access and unauthorized access attempts Automated alerts after a configurable number of unauthorized access attempts CIP-007-2 Systems Security Management R2: Ports and services (R2.1, R2.2) R3: Security patch management R5: Account management (R5.12, R3) R6: Security status monitoring (R6.1, R6.2, R6.3) Firewall/VPN packet filtering rulesets to block/permit specific ports and services Security Advisories and Fixes released Secure remote upgrade capability Role-based authentication tied to RADIUS Monitoring and logging of authorized access and unauthorized access attempts Audit trails of user account access activity and configuration changes Enforcement of strong passwords Detection and reporting of security-related events (failed login attempts, denial of service attacks, evil twins, etc.) Automated alerts on security-related events CIP-008-2 Incident Reporting and Response Planning R2: Cyber security incident documentation Monitoring and logging of authorized access and unauthorized login attempts Detection and reporting of security-related events (failed login attempts, denial of service attacks, evil twins, etc.) Audit trails of user account access activity and configuration changes CIP-006-2 Physical Security of Critical Cyber Assets CIP-009-2 Cyber Security — Recovery Plans for Critical Cyber Assets 16 | Tropos GridCom Appendix B: Summary of FIPS 140-2 security requirements Security Level 1 Security Level 2 Security Level 4 Cryptographic Module Specifications Specifications of cryptographic module, cryptographic boundary, Approved algorithms, and Approved modes of operation. Description of cryptographic module, including all hardware, software, and firmware components. Statement of module security policy. Cryptographic Module Ports and Interface Required and optional interfaces. Specifications of all interfaces and of all input and out data paths. Roles, Services, and Authentication Logical separation of required and optional roles and services. Finite State Model Specification of finite state model. Required states and optional states. State transition diagram and specification of state transitions. Physical Security Production grade equipment. Locks or tamper evidence. Tamper detection and reponse for covers and doors. Tamper detection and envelope. EFP or EFT. Operational Environment Single operator. Executble code. Approved integrity technique. Referenced PPs evaluated at EAL2 with specified discretionary access control mechanisms and auditing. Referenced PPs plus trusted path evaluated at EAL3 plus security policy modeling. Referenced PPs plus trusted path evaluated at EAL4. Cryptographic Key Management Key management mechanisms: random number and key gereation, key establishment, key distribution, key entry/output, key storage, and key zeroization. Data ports for unprotected critical security parameters logically or physically separated from other data ports. Role-based or Identity-based operator authentication. identity-based operator authentication. Secret and private keys established using manual methods may be entered or output in plaintext form. 17 | Tropos GridCom Security Level 3 Secret and private keys established using manual methods shall be entered or output encrypted or with split knowledge procedures. EMI/EMC 47 CFR FCC Part 15, Subpart B, Class A (Business use). 47 CFR FCC Part 15, Subpart B, Class B (Home use). Applicable FCC requirements (for radio). Self-Tests Power-up tests: cryptographic algorithm test, software/firmware integrity tests, critical functions tests. Conditional tests. Design Assurance Configuration management (CM). Secure installation and generation. Design and policy correspondence. Guidance documents. Mitigation of Other Attacks Specification of mitigation of attacks for which no testable requirements are currently available. CM system. Secure distribution. Functional specification. High-level language implementation. Formal model. Detailed explanation (informal proofs). Preconditions and postconditions. References 2. NERC Critical Infrastructure Protection Standards CIP 002-009, http://www.nerc.com/page.php?cid=2|20 3. Guidelines for Smart Grid Cybersecurity, NIST Internal Report 7628, http://csrc.nist.gov/publications/PubsNISTIRs.html 4. ‘Security Requirements for Cryptographic Modules’, Federal Information Processing Standards Publication FIPS 140-2, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf For more information please contact: ABB Inc. Wireless Communication Systems 555 Del Rey Avenue Sunnyvale, CA 94085 Phone: +1 408.331.6800 E-Mail:sales@tropos.com www.abb.com/tropos 1KHA - 001 242 - SEN - 1000 - 08.2012 © Copyright 2012 ABB. All rights reserved. 1. Michael Assante, Vice President and Chief Security Officer, NERC, Letter to Industry Stakeholders, http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf