660 likes | 1.19k Views
IEC 62351. Power systems management and associated information exchange – Data and communications security Myongji univ. Sugwon Hong. Scope of IEC 63251. The scope of the IEC 62351 series is information security for power system control operations. The primary objective is to
E N D
IEC 62351 Power systems management and associated information exchange – Data and communications security Myongji univ. Sugwon Hong
Scope of IEC 63251 • The scope of the IEC 62351 series is information security for power system control operations. • The primary objective is to • Undertake the development of standards for security of the communication protocols defined by IEC TC 57, specifically the IEC 60870-5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series, and the IEC 61968 series. • Undertake the development of standards and/or technical reports on end-to-end security issues.
IEC TC 57standardization activities for security • In 1997IEC TC57established AdHoc WG6, recognizing the necessity for security forTC57 protocols. • In 2003, as a result, TC57 AdHoc WG 6 published TR 62210. • It proposed to establish WG 15 to security standards including DNP. • WG 15 • ”Power system control and associated communication – Data and communication security” • Scope and goal: • Undertake the development of standards for security of the communication protocols defined by the IEC TC57. • Undertake the development of standards and/or technical reports on end-to-end security issues.” • In 2007, Published IEC 62351, Parts 1-7as final documents
IEC TC 57 protocols • IEC 60870-5 • IEC 60870-5 derivative (DNP 3.0) • IEC 60870-6(TASE.2 orICCP) • IEC 61850 • IEC 61334(DLMS) • a standard for low-speed reliable power line comm. by electricity meters, water meters and SCADA.
securitysolutions IEC 62351에서는 새로운 보안 알고리즘을 만드는 것이 아니라 현재 IT에서 공인된 보안 알고리즘(프로토콜)들을 주어진 요구사항을 만족시킬 수 있는 최적의 solution을 찾는다.
NSA Suite B algorithms 자료: Cisco
Purpose to provide end-to-end transport security for the communications between software applications. Rather than re-inventing the wheel, it specifies the use of TLS which is commonly used over the Internet for secure interactions, covering authentication, confidentiality, and integrity. describes the mandatory and optional parameters and settings for TLS that should be used for utility operations.
IEC 62351-3 • provides security for any profile that includes TCP/IP. • IEC 61850 over TCP/IP • IEC 60870-5 part 104 (DNP over TCP/IP) • ICCP • Scope of protection • eavesdropping • Man-in-the-middle attack(message authentication) • Spoofing (node authentication) • Replay attack • Not DoS
Some of key aspects Use TLS 1.0 or higher (which is equivalent to Secure Sockets Layer (SSL) 3.1). Transparent key re-negotiation based upon time and number of packets, so that lightly loaded networks do not lose certification over long time periods, since most connections are long term. Both time and number are configurable, but the recommended parameters are time (10 min) and number of packets (5 000). The entity that was connected to is responsible for key negotiation. This avoids protocol deadlocking. Standardization for support for at least one common cipher suite, AES. Specification of TLS message authentication to avoid spoof and replay. Can request small certificates to minimize the burden.
Security measures • TLS • obliged to use encryption • MAC • Certificate support • Scope
HTTP Application TSL TCP TCP IP IP General application Application based on TLS TLSand TCP/IP
TSLprocedure • Handshake: A clientauthenticate aserverand they exchange values needed to compute keys. • Key derivation: A clientandserver compute keys using the values they share during exchange. • Data transmission: data is segmented into records and each encrypted record is sent with MAC. • termination: Special messages to securely close connection
SSL Handshake Protocol Client server client_hello Phase 1 server_hello certificate server_key_exchange Phase 2 certificate_request server_hello_done certificate client_key_exchange Phase 3 certificate_verify change_cipher_spec Blue: optinal messages finished Phase 4 change_cipher_spec finished
Handshake (1) goal • Server authentication • Negotiation of crypto algorithms • Key establishment • Client authentication (option)
Handshake (2) • C -> S: crypto algorithmslist, client nonce (Rc) • S -> C: chosen algorithm + certificate + server nonce (Rs) • C:verify certificate, extract a server’s public key, generate pre_master_secret(PMS), send PMS encrypted by aserver’s public key. • CandS:compute encryption and MAC keys by usingPMS andnonces. • C: send all handshake messages withMAC. • S: send all handshake messages withMAC.
Key computation • Not desirable to use a single key. • Use different keys for encryption and MAC. • 4keys: • Kc = client’s encryption key(symmetric key) • Mc = client’sMAC key • Ks = server’s encryption key(symmetric key) • Ms = server’sMAC key
IEC 62351-4 • Provide security for profiles that include MMS (Manufacturing Message Specification) (ISO 9506) including TASE.2(ICCP)andIEC 61850. • Security attacks • unauthorized access to information • unauthorized modification (tampering) or theft of information • Man-in-the-middle • Message replay
Security measure • TLS • authentication • confidentiality • data integrity • non-repudiation • allows both secure and non-secure profiles to be used simultaneously, so that not all systems need to be upgraded with the security measures at the same time.
IEC 62351-5 Provide two different solutions for the serial version(IEC 60870-5-101) and for the networked version(IEC 60870-5-104 and derivatives such as DNP over TCP/IP) provides application layer authentication which protects against spoofing, replay, modification, and some denial of service attacks. does not include encryption, so it does not protect against eavesdropping, traffic analysis, or repudiation.
Security measures • Networked version (TCP/IP) • Utilized the same measures described in IED62351-3 • TLS • Serial version • used with communications media that can only support low bit rates or with field equipment that is compute-constrained. • Provide simple authentication mechanism • Encryption is not mandatory. • Similar to the Secure DNP3
Secure DNP3 • Developed by DNP User group • Similar to IEC 62351-5(cooperated work by IEC andDNP UG) • Published in 2008 • goal • Authenticationand message integrity • Prove that messages are sent from trusted(authorized) users • Prove that messages are not modified • Low overhead • Remote key management
Security measures • Based on Challenge-Handshake Authentication Protocol (RFC 1994) • Challenge-Response mode • To prove the source(sender) authentication and message integrity, utilize the Hashed Message Authentication Method(HMAC)
Challenge-response • When a node receives a message which is considered to be critical, it requires authentication.(challenge) • The challenged node sends a random value and a sequence number with the hash value computed with them. • The challenge node verify the message authenticity by computing the hash value.
Initialization Master Field station User number Key challenge seq num User number Key wrap algorithm(AES-128) Key status HMAC algorithm pseudorandom challenge data
Challenge-response responder challenger non-critical message standard protocol response critical message challenge seq num authentication challenge User number HMAC algorithm challenge seq num authentication reply pseudorandom challenge data User number HMAC value standard protocol response
Aggressive mode • Avoid doing challenge every time, so simplify the challenge-response procedure. • Even in this case, at least one challenge must be done. • afterward the same challengevalue is kept using. • The node that sends a critical message sends a rand value, a sequence number, and a session key with the hash value to be computed. • A sequence number is generated by amaster station.
Aggressive mode responder challenger non-critical message standard protocol response critical message authentication challenge authentication reply standard protocol response critical message standard protocol response
Key management • Two keys • Session key • Used to compute HMAC • Updated periodically(10-15min interval, data transmission occurs every2sec in SCADA) • When send an updated session key, the key is encrypted by anupdate key. • Update key • Every node have this key permenently. • pre-shared at each node. • If any node loses this key, it must be reinstalled. (headache)
Session key update Field station Master Session key change challenge seq num User number HMAC value Key challenge seq num User number Session key status Key wrap algorithm(AES-128) Key status (OK) HMAC algorithm pseudorandom challenge data
IEC 62351-6 The target is the security for real-time messages (GOOSE, SMV) delivered in the substation LAN. characteristics of three messages
Main characteristics • The maingoal is authentication. • To provide source authentication and messag integrity at every node. • Do not require encryption • Hard to implement the encryption in processing GOOSE and SMV messages within 4ms and providing multicast at the same time. • Backward compatibility • Non-secure devices may disregard the security part of the GOOSE/SMV message.
Security measure • MAC • HMAC (SHA256) • or digital signature (RSA)
A function H( )inputs a message of arbitrary lengh and outputs a shorter, fixed message stream. H( ) : many-to-1 function H( )is called“hash function.” The output of the hash function is often called “message digest.” Requirements for hash function: Easy to compute one-way: not possible to compute m from H(m) Collision avoidance: not possible to compute m and m’ such as H(m) = H(m’)인 m과 m’ Output value should be random. large message m H: Hash Function H(m) Hash function
MD5 (RFC 1321) Widely used 4steps,128-bit message digest SHA-1 US standard [NIST, FIPS PUB 180-1] 160-bit message digest SHA-2 These days, SHA-2 becomes mandatory in Korea. Standard hash functions
s = shared secret s s message message message H( ) H( ) compare HMAC • Authenticate a sender • Prove message integrity • No encryption ! • Also called “keyed hash” • Notation: MDm = H(s||m) ; send m||MDm
HMAC (RFC 2104) • Widely used MAC standards • Any hash function can be used such as MD5andSHA-1. • Application example: OSPF • Attach types • Message insertion (spoofing) • Message elimination • Message modification • How can a router confirm that the message to be received is true?
Digital signature(public key encryp +hash) H: Hash function H: Hash function large message m large message m + - digital signature (decrypt) digital signature (encrypt) K K B B encrypted msg digest encrypted msg digest + - - KB(H(m)) KB(H(m)) H(m) H(m) Bobsends a message with digital signature. Alice verify the sender authenticity and message integrity by digital signature. H(m) Bob’s private key Bob’s public key equal ?
62351-6 problems • When digital signature is used, how do we implement RSA? • SW/FPGA/ASIC • Hard to meet 4ms delay • Also problem of the certificate use • interoperability • Backward compatibility