The invention relates generally to an application layer security proxy. More specifically, the invention relates to a strategy to protect against a Man-In-The-Middle (MITM) type of cyber attack at the application layer.
America's electrical power industry, in conjunction with its government, is developing Smart Grid technologies to improve electrical power efficiency and reliability. This move is creating challenges in transitioning originally isolated, proprietary systems to more open ones, connecting them to enterprise-level and other networks without compromising their original control performance.
There is an immediate need to solve cyber security issues prior to the occurrence of a U.S. energy catastrophe. More and more new components of great variety and complexity are being added to power grid automation systems, such as new protection equipment, Plug-in Electric Vehicle (PEV) adapters, and distributed generation and distribution, especially with the inclusion of greater amounts of renewable energy. In addition, enabling active participation by consumers in Demand Response (DR) will lead to a greater integration of Supervisory Control And Data Acquisition (SCADA) systems with Advanced Metering Infrastructures (AMI). The combination of these factors will increase the susceptibility of power grid automation systems to cyber attacks from many different sources.
The secure communications solutions deployed in the Information Technology (IT) world will not be applicable for Smart Grid systems. The reasons include: 1) heterogeneous communication protocols and platforms are used in Smart Grid automation systems, 2) legacy systems lack the computational power or memory to perform security functions, 3) Smart Grid applications require different Quality-of-Service (QoS) in terms of delay, bandwidth, packet loss rate, etc., for data exchange, and 4) Smart Grid technologies are still rapidly evolving, so new requirements for communication and cyber security will arrive together with new Smart Grid applications.
The application layer (layer 7) is the Open Systems Interconnection (OSI) layer closest to the end user, which means that both the application layer and the user interact directly with a software application. The application layer communication is the weakest link in terms of security.
The application layer supports many different protocols. Many of the protocols were not designed with security as a priority. Therefore, application layer protocols have vulnerabilities and provide many access points for attackers that make protection difficult. Additionally, application layer cyber attacks are attractive to attackers because the information they seek resides within the application itself and maximizes the impact of an attack.
Although application layer security issues have been addressed in the IT world, especially for web services and database applications, the unique challenges of Smart Grid applications have not been addressed.
FIG. 1 shows a current security solution used for substation 101 automation such as a Remote Terminal Unit (RTU) 103 and a Programmable Logic Controller (PLC) 105. Other ancillary devices may include a substation automation system 107, a log server 109 and a Human Machine Interface (HMI) 111 that communicate over a substation network 113 using an application layer communication protocol such as International Electrotechnical Commission (IEC) 61850 or Distributed Network Protocol 3 (DNP3). IEC 61850 is a reference architecture for electric power systems and DNP3 is a set of communication protocols used between components in process automation systems. The security solution is a firewall and Virtual Private Network (VPN) 115, 117 placed in the substation 101 to isolate the substation devices from the communications network 119. The firewall and VPN 115, 117 operate at the data link layer (layer 2), the network layer (layer 3) and the transport layer (layer 4). Security issues at the application layer are not addressed.
For example, for an operator in a control center 121 who is authorized to remotely access transmission protection relays at the substation 101 to read diagnostic information, the current security solution inspects data packets at layers 2, 3 and 4 by checking Internet Protocol (IP) addresses, port numbers, and protocols. The firewall and VPN 115, 117 do not prevent the operator from changing a protection relay setting, which the operator is not authorized to do.
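As an added example (not code from the patent), the following Python contrasts the layer 2-4 check described above with an application-layer check on the DNP3 function code: the same operator's read request and settings-change request look identical to an IP/port filter, and only the application-layer check separates them. The IP addresses, port, relay address, role table and frames are constructed for illustration; the function codes and the CRC-16/DNP computation are those of the DNP3 protocol.

```python
# Added example, not the patent's code: DNP3 frames, addresses and roles are constructed.
DNP3_READ, DNP3_WRITE, DNP3_DIRECT_OPERATE = 0x01, 0x02, 0x05  # standard DNP3 codes

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(dst: int, src: int, func: int) -> bytes:
    """Minimal DNP3 frame: link header + CRC, one data block (transport header,
    application control, function code) + CRC; no object data."""
    block = bytes([0x00, 0xC0, func])          # transport, app ctrl (FIR|FIN), function
    header = (bytes([0x05, 0x64, 5 + len(block), 0xC4])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    return (header + dnp3_crc(header).to_bytes(2, "little")
            + block + dnp3_crc(block).to_bytes(2, "little"))

def dnp3_function_code(frame: bytes) -> int:
    """Return the application-layer function code after checking both CRCs."""
    if frame[:2] != b"\x05\x64" or len(frame) < 15:
        raise ValueError("not a DNP3 frame")
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[:8]):
        raise ValueError("bad link header CRC")
    n = min(16, frame[2] - 5)                   # user bytes in the first data block
    block = frame[10:10 + n]
    if int.from_bytes(frame[10 + n:12 + n], "little") != dnp3_crc(block):
        raise ValueError("bad data block CRC")
    return block[2]

# Layer 3/4 rule (what the FIG. 1 firewall/VPN can express): who may reach which relay.
TRANSPORT_ACL = {("10.0.0.5", "10.0.1.20", 20000)}   # control center -> relay, DNP3/TCP
# Application-layer rule it cannot express: which DNP3 functions each role may issue.
ROLE_ALLOWED_FUNCS = {"operator": {DNP3_READ},
                      "protection_engineer": {DNP3_READ, DNP3_WRITE, DNP3_DIRECT_OPERATE}}

def transport_filter_allows(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return (src_ip, dst_ip, dst_port) in TRANSPORT_ACL

def proxy_verdict(role: str, src_ip: str, dst_ip: str, dst_port: int, frame: bytes) -> str:
    """Layer 3/4 check first, then the application-layer function-code check."""
    if not transport_filter_allows(src_ip, dst_ip, dst_port):
        return "denied:transport"
    if dnp3_function_code(frame) not in ROLE_ALLOWED_FUNCS.get(role, set()):
        return "denied:application"
    return "allowed"
```

A frame whose function code is altered without recomputing the block CRC is rejected by the parser before any policy decision is made.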
FIG. 2 shows an Application-Level Gateway (ALG) 201 security solution. The ALG 201 resides in the substation 101 and separates the control devices from devices in other substations or in the control center 121. This solution assumes that the exposure point for potential hackers is not in the substation 101.
There are three shortcomings with the ALG 201 solution. First, internal cyber attacks, also called behind-the-firewall issues (including “friendly fire”), are ignored. For example, an automation engineer in the substation 101 who connects to the substation network is allowed access to the PLC 105 and HMI 111, but is not allowed to change any protection relay settings in the RTU 103. The automation engineer would be able to bypass the security ALG 201, access the protection relays and change their settings, since he is connecting to the substation network 113 internally. Second, there are scalability and performance issues. If there are thousands of Intelligent Electronic Devices (IEDs) in the substation 101, the access control list (white list), which lists which IEDs may be accessed by an individual in the substation 101, is large. Each data packet the substation 101 ALG 201 receives from an outside source has to be examined against the white list, which would lead to large time delays that may degrade real-time control performance. Third, there is a single point of failure: the entire substation 101 automation system would be compromised if the ALG 201 were compromised.
There is a need for a distributed application layer security proxy to provide a security solution for substation automation.