By Duane Gilbert
Electric utilities often have the same concerns: Security and North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements. While the lion’s share of the compliance effort for NERC CIP involves documenting procedures and setting policies, the selection of a remote terminal unit (RTU) that offers the flexibility to be incorporated into those policies and procedures is important. Because an RTU can aid utilities in constructing security procedures, it is critical for utilities to understand the necessary RTU functionality and how it can be incorporated to help achieve business goals.
Physical security—CIP-006—is a key aspect of NERC CIP requirements and one of the easiest to address. While most Critical Cyber Assets (CCAs) are not located in completely unprotected areas, they are often accessible to people not explicitly authorized to access them. In the case of an RTU, a six-sided physical security barrier with a padlock on the enclosure door might be a quick and easy security solution, but, unfortunately, RTU equipment installed on open-frame equipment racks does not lend itself to this method.
Most RTU equipment includes digital input points as a standard feature, and adding a door alarm is another simple way to meet NERC CIP requirements. Including the door alarm input as a sequence of events (SOE) point provides a means of meeting another aspect of the NERC CIP procedures—CIP-003—for logging data and maintaining historical records. Other features and functions of an RTU that help utilities meet NERC CIP procedures can involve cameras and keypad entry, both of which might be equipped with indicators that can be wired to the RTU to alert system operators of a physical security breach at a remote site.
User access is a key part of CIP-005 for electronic security perimeters, and there are many features of a good RTU solution that support this security requirement. There are obvious safeguards, such as requiring a user name and password for access, but it is also important that the device supports and enforces strong passwords. Allowing each user to have a unique set of credentials and supporting different classes of users—view only, admin, etc.—is also beneficial.
Obviously, limiting configuration access to “local only” can reduce or negate the need to implement passwords and supporting procedures to meet CIP standards, but this is often at the expense of more practical needs and concerns. Intelligent electronic devices (IEDs) installed in the substation often become a moving target for the data points operators want, and remote access and modification can save hours of windshield time. Virtual points, such as an alarm generated on user login or on failed password entry attempts, are valuable. With Internet Protocol (IP), being able to control and limit the IP addresses the RTU will respond to can ensure that only intended users have access to the device.
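The access-control features described above (enforced strong passwords, unique credentials with user classes, IP address limiting, and a virtual alarm point driven by failed logins) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not vendor code and is not taken from any RTU product. The allowed networks, the failed-login threshold of three, the role names and the user accounts are all constructed values chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy values; a real RTU would carry these in its configuration.
ALLOWED_NETWORKS = [ip_network("10.20.30.0/24"), ip_network("192.168.100.5/32")]
FAILED_LOGIN_ALARM_THRESHOLD = 3
ROLES = {"view", "admin"}


def password_is_strong(pw: str) -> bool:
    """Minimum complexity rule: 12+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 12
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


@dataclass
class RtuAccessControl:
    users: dict = field(default_factory=dict)
    failed_attempts: dict = field(default_factory=dict)
    # Virtual points the RTU can report to the master like any other status point.
    virtual_points: dict = field(
        default_factory=lambda: {"FAILED_LOGIN_ALARM": 0, "USER_LOGGED_IN": 0})
    audit: list = field(default_factory=list)

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        # Salted, iterated hash so the device never stores the password itself.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def add_user(self, name: str, role: str, pw: str) -> None:
        """Each user gets unique credentials and one class (view or admin)."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        if not password_is_strong(pw):
            raise ValueError("password does not meet strength policy")
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, self._hash(pw, salt))

    def _source_allowed(self, src_ip: str) -> bool:
        addr = ip_address(src_ip)
        return any(addr in net for net in ALLOWED_NETWORKS)

    def login(self, name: str, pw: str, src_ip: str) -> tuple:
        """Returns (allowed, reason) and records every attempt for the audit trail."""
        if not self._source_allowed(src_ip):
            self._record(name, src_ip, "source-not-allowed")
            return False, "source-not-allowed"
        user = self.users.get(name)
        ok = user is not None and hmac.compare_digest(
            user.pw_hash, self._hash(pw, user.salt))
        if not ok:
            n = self.failed_attempts.get(name, 0) + 1
            self.failed_attempts[name] = n
            if n >= FAILED_LOGIN_ALARM_THRESHOLD:
                # Virtual point: repeated failures raise an alarm the master can see.
                self.virtual_points["FAILED_LOGIN_ALARM"] = 1
            self._record(name, src_ip, "bad-credentials")
            return False, "bad-credentials"
        self.failed_attempts[name] = 0
        self.virtual_points["USER_LOGGED_IN"] = 1
        self._record(name, src_ip, "ok")
        return True, "ok"

    def can_configure(self, name: str) -> bool:
        """Only the admin class may change configuration; view users cannot."""
        user = self.users.get(name)
        return user is not None and user.role == "admin"

    def _record(self, name: str, src_ip: str, result: str) -> None:
        self.audit.append({"user": name, "src": src_ip, "result": result})


def build_demo() -> RtuAccessControl:
    """Constructed accounts used to exercise the policy."""
    ac = RtuAccessControl()
    ac.add_user("operator", "view", "V1ew-0nly!Pass")
    ac.add_user("rtuadmin", "admin", "Adm1n#Sub5tation")
    return ac
```

The audit list kept by `login` is the same kind of user log the article later calls for when reconstructing a chain of events; the source-address check runs before the password check so that connections from outside the allowed ranges never reach credential handling at all.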
Whenever security is mentioned, talk of encryption is sure to follow. While NERC CIP does not specifically address encryption, encrypted data makes RTUs more secure. It is obviously harder for the device to be manipulated if data sent and received appears to be gibberish to an unauthorized user. Encrypted data, however, has a downside. Most notably, it will impact the scan rate of the device. Encrypting and decrypting every message received and transmitted by the RTU amounts to a considerable increase in the message overhead and processing time. Many units being used in the field are already pushed to the upper limits without consideration for encryption.
Users who have attempted to implement data encryption over serial communications channels have found that the delays introduced are unacceptable to operations requiring real-time or near real-time updates of field data. IP or broadband communication is usually a necessity for implementation of encrypted data with Supervisory Control and Data Acquisition (SCADA). Another downside is that the data is encrypted and the user will need special tools to view it, as it is often important to examine the data exchanged between devices to ensure they operate properly. As more IEDs are integrated into the system, this can be a bigger issue.
In the case of a substation, one solution to the encryption issue is to only encrypt the channel exiting the security perimeter and define the perimeter as the control house. An advantage of this approach also comes into play with security patches and software updates. If the security/encryption/firewall is contained separately from the SCADA box, it is not necessary to consider the implications of performing a full station check when software is updated to take advantage of a recently issued security update.
In this scenario, the software update is applied to the security box; if communications inside and outside the substation appear to be working normally, the odds are high that they are unaffected. If the security box and SCADA box are one and the software update has an unexpected or undetected effect on the connectivity in the substation, the result might be undesirable. Point-to-point checkouts are time consuming, and the time frame in CIP for applying security patches and software updates is small.
An integral part of any CIP plan is the retention of an audit trail. An important RTU feature is its ability to provide logs of important occurrences. Many of the mentioned alarms need to be logged for time of occurrence and other pertinent information. Logging users who are making connections and configuration changes to the unit can be important for reconstructing a chain of events. Sequence-of-events logs, user logs and system logs can all be used to document events from the RTU’s point of view.
Perhaps the most critical information—aside from status of critical devices such as breakers and transformers—is the issuance of control commands. In the past, the major concern of issuing a control was allowing one to operate by mistake, but in this era of potential hackers and misfeasors, knowing the source of the control command can be a valuable piece of information. Knowing if a command originated from a trusted master station, a local interface or IED, or an outside source is critical. Even the absence of an operation being detected by a control log could be important information. Other aspects of logs that need to be considered are how they are being collected and archived, their format and usability beyond being just a list of data points.
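To show what a usable control log looks like beyond "a list of data points", here is an added Python example (not code from the article or from any RTU vendor) that reads constructed RTU log lines, classifies each control command's source as trusted master, local interface or outside, and flags a breaker state change that has no matching control command in the preceding seconds, the "absence of an operation" case mentioned above. The log format, the trusted master address, the control-house subnet, the door point name and the five-second window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values: trusted master stations and the control-house subnet.
TRUSTED_MASTERS = {"10.20.30.7"}
LOCAL_NET = ip_network("192.168.100.0/24")
PHYSICAL_SECURITY_POINTS = {"DOOR-CTRLHOUSE"}
CONTROL_WINDOW = timedelta(seconds=5)

# Constructed sample log in an assumed "timestamp KIND key=value ..." format.
SAMPLE_LOG = """\
2024-03-01T14:02:11Z CTRL point=BKR-52-1 op=TRIP src=10.20.30.7 proto=DNP3 user=master1
2024-03-01T14:02:12Z SOE point=BKR-52-1 state=OPEN
2024-03-01T14:05:40Z CTRL point=BKR-52-2 op=CLOSE src=LOCAL-HMI proto=LOCAL user=tech2
2024-03-01T14:05:41Z SOE point=BKR-52-2 state=CLOSED
2024-03-01T14:09:03Z CTRL point=BKR-52-3 op=TRIP src=203.0.113.44 proto=DNP3 user=-
2024-03-01T14:09:04Z SOE point=BKR-52-3 state=OPEN
2024-03-01T14:15:22Z SOE point=BKR-52-4 state=OPEN
2024-03-01T14:20:00Z SOE point=DOOR-CTRLHOUSE state=OPEN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>CTRL|SOE) (?P<rest>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict, or None if it is not a CTRL/SOE record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
    rec.update(kv.split("=", 1) for kv in m["rest"].split())
    return rec


def classify_source(src: str) -> str:
    """Trusted master station, local interface/IED, or an outside source."""
    if src in TRUSTED_MASTERS:
        return "trusted-master"
    if src.startswith("LOCAL-"):
        return "local"
    try:
        if ip_address(src) in LOCAL_NET:
            return "local"
    except ValueError:
        pass
    return "outside"


def audit_control_log(text: str) -> list:
    """Walk the log in order and return findings worth an operator's attention."""
    findings = []
    last_control = {}  # point -> (timestamp, source class) of the latest command
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "CTRL":
            cls = classify_source(rec["src"])
            last_control[rec["point"]] = (rec["ts"], cls)
            if cls == "outside":
                findings.append({"ts": rec["ts"], "point": rec["point"],
                                 "finding": "control-from-outside", "detail": rec["src"]})
            continue
        point = rec["point"]
        if point in PHYSICAL_SECURITY_POINTS:
            # Door alarm wired to a digital input and logged as an SOE point.
            if rec["state"] == "OPEN":
                findings.append({"ts": rec["ts"], "point": point,
                                 "finding": "physical-access", "detail": rec["state"]})
            continue
        ctrl = last_control.get(point)
        if ctrl is None or rec["ts"] - ctrl[0] > CONTROL_WINDOW:
            # A breaker changed state with no logged command shortly before it.
            findings.append({"ts": rec["ts"], "point": point,
                             "finding": "uncommanded-operation", "detail": rec["state"]})
    return findings


if __name__ == "__main__":
    for f in audit_control_log(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["point"], f["finding"], f["detail"])
```

Keeping the control records and the SOE records in one time-ordered stream is what makes the correlation possible; if the two logs are collected and archived separately with different clocks, the "uncommanded operation" check cannot be made after the fact.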
Finally, it is important to remember that any feature or function is only as good as the procedure it is used with. The lion’s share of NERC CIP is the formation of procedures and plans, which need to be written with current and future capabilities in mind. In addition, there will probably be a wide technology range in place, and it will not be practical to replace or upgrade every device as quickly or as easily as procedures can be written. NERC CIP leadership is not a job for the faint of heart; it is a job that must be done and one that will take many hours of hard, thoughtful work. Determining the most secure policies and procedures that also allow operations to run as efficiently as possible will be just one of the many challenging areas to address.
About the author: Duane Gilbert leads Telvent’s North American RTU sales. He has been involved in the electric utility industry since 1983. He can be reached at firstname.lastname@example.org.