The present invention generally relates to cryptographic systems, and more specifically, to a method and apparatus for reducing communication system downtime when configuring a cryptographic system of the communication system.
Supervisory Control and Data Acquisition (SCADA) systems are used in virtually every industry, but especially in utility industries such as gas delivery, electric power, sewage treatment, water supply, transportation, etc. A SCADA system is one type of communication system and includes, among other things, a control center having an operator display/control panel and a SCADA master operatively coupled to the operator display/control panel. A typical SCADA system is configured to measure key operating aspects of a process or system, and then to transmit via a SCADA communication network, the associated measurement data to a central control center. Operators, either human or machine at the control center, make decisions based on the measurement data. The SCADA system is also configured to transmit commands from the operators to the process or system via the SCADA communication network.
As is known, the SCADA communication network may include one of any number of suitable communication network links, depending on the process or system monitored by the SCADA system. For example, the SCADA communication network may include radio, analog and/or digital microwave links, fiber optic links, analog or digital modems on utility owned or leased telephone circuit links, or even the public switched telephone network.
In the electric utility industry a SCADA system may be configured to measure the voltages associated with a power system substation bus (i.e., bus voltages), to measure the current coming into the bus from a power transmission line (i.e., a line current), and to measure the status or position of numerous switches in the substation. The status measurements may include indications of circuit breaker positions and electrical power routing switch positions (e.g., open position, closed position). The SCADA system may also be configured to transmit the current, voltage and switch position measurements to a central control center (CC) via a SCADA communication network for review by an operator. The operator can then make decisions such as closing a circuit breaker to enable additional electric power to a particular load. In that case, a command from the operator delivered via the SCADA communication network results in closure of the circuit breaker.
“Intelligent” devices of the SCADA system that measure the current, voltage and switch positions, and that cause actions to be taken based on commands from the operator are often referred to as intelligent electronic devices (IEDs). The IEDs may include an electric power meter, a programmable controller, a Remote Terminal Unit (RTU), a communications processor, a protective relay, or any number of other suitable intelligent devices configured to take measurements, transmit those measurements over the SCADA communication network to the SCADA master and the operator display/control panel, and respond to commands sent via the operator display/control panel over the SCADA communication network.
As previously mentioned, the SCADA communication network may include any one of a number of suitable communication network links. A typical SCADA communication network may also span long distances of many miles. Unfortunately, due to their sheer expanse, SCADA communication networks are vulnerable to electronic intrusions thereby putting associated IEDs and other SCADA system components at risk for compromise by an eavesdropper (e.g., adversary, attacker, interceptor, interloper, intruder, opponent, enemy). For example, if an eavesdropper gains access to a telephone, circuit used to transmit switch position measurements from a power system substation to a CC and used to transmit circuit breaker control commands from the CC to the substation, the eavesdropper could launch numerous attacks on the power system. Such an attack may include altering settings on a protective relay thereby rendering the relay useless in the event of a short circuit, IED damage, operator confusion causing unnecessary power system blackouts, etc. Further, for systems other than power systems, the eavesdropper may cause havoc to any SCADA-monitored critical infrastructure including natural gas delivery systems, transportation or communications systems, waste water treatment and fresh water delivery, etc. The US government has recognized this growing threat. In a report created by the U.S. Department of Energy titled “21 Steps to Improve Cyber Security of SCADA communication networks” published jointly by the President's Critical Infrastructure Protection Board, and the Office of Energy Assurance, the authors concluded:                “Supervisory control and data acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation) to all Americans. As such, they are part of the nation's critical infrastructure and require protection from a variety of threats that exists in cyber space today. By allowing the collection and analysis of data and control of equipment, such as pumps and valves from remote locations, SCADA communication networks provide great efficiency and are widely used. However, they also present a security risk: SCADA communication networks were initially designed to maximize functionality, with little attention paid to security. As a result, performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak. This makes some SCADA communication networks potentially vulnerable to disruption of service, process redirection or manipulation of operational data that could result in public safety concerns and/or serious disruptions to the nation's critical infrastructure. Action is required by all organizations, government or commercial, to secure their SCADA communication networks as part of the effort to adequately protect the nation's critical infrastructure”.        
To address the SCADA communication network security issue, numerous types of cryptographic devices are used to encrypt, decrypt and authenticate the data transmitted by a SCADA communication network. Unfortunately, current cryptographic devices require manual installation, manual cryptographic setting changes and manual commissioning; a time consuming effort for a typical SCADA communication network spanning many miles. As a result, IEDs in need of cryptographic protection remain unprotected for unacceptable time periods until all of the cryptographic devices associated with the individual IEDs and the SCADA master have been installed, commissioned or had settings changed. As each cryptographic device is installed, the SCADA master loses communication with the IED's connected to the SCADA communication network segment associated with that cryptographic device. As installation of new cryptographic devices progress, the SCADA master loses communication with more of the IEDs until all cryptographic devices have been installed, including the cryptographic device for the SCADA master. Such a lack of complete SCADA communications may continue for days or even weeks, depending on how long it takes an operator(s) to visit all of the sites of the SCADA system 10 requiring cryptographic device installation.
Moreover, if the cryptographic device is installed on the SCADA master first, then the SCADA master will lose communications with all equipment on the SCADA communication network until cryptographic devices are installed at the various IEDs. The best a cryptographic device installer can do is to install cryptographic devices at about half of the IEDs, and then install the cryptographic device at the SCADA master. The SCADA master will lose communications with the half of the equipment not connected to cryptographic devices until the installer completes installing cryptographic devices at all of the intended sites.
When installed, each of the cryptographic devices may be manually placed in a “pass-through mode”, making the cryptographic device transparent to the SCADA communication network. Unlike encryption/decryption operation or “secure mode operation”, a cryptographic device in the pass-though mode performs no encryption, decryption, or authentication functions for data transmitted via the SCADA communication network. Unfortunately, cryptographic devices are placed in and removed from pass-through mode via either a hardware switch or button, or via an electronic command received via a maintenance interface of the cryptographic device. As a result, an installer has to travel from cryptographic device location to cryptographic device location to place the cryptographic devices in, or remove them from, pass-through mode. During that time, the SCADA system remains unprotected from eavesdropper activity.
Similarly, as each installed cryptographic device is undergoing a parameter value change (e.g., an encryption key change, an initialization vector size change, a synchronization mode change, a network architecture parameter change, a max allowable frame length parameter change), the SCADA master loses communication with the SCADA communication with the IEDs connected to the network segment associated with that cryptographic device. As each of the installed cryptographic devices are visited by an operator to change parameter values, the SCADA master loses communication with more of the IEDs until all cryptographic devices have undergone parameter value changes. Again, the lack of complete SCADA communications may continue for days or even weeks, depending on how long it takes an operator(s) to visit all of the sites of the SCADA system 10 requiring parameter value updates or changes. Moreover, if the parameter value(s) of the cryptographic device associated with the SCADA master are updated first, then the SCADA master will lose communications with all equipment on the SCADA communication network until all of the parameters values of the remaining cryptographic devices are similarly updated.