1. Field of the Invention
The present invention relates to systems and methods for the cybersecurity of wired and wireless communication networks, intelligent electronic devices, and communication nodes contained within industrial control systems, specifically those utilized in the generation, transmission, and distribution of electric power.
2. Description of Related Art
The electrical power grid ensures the safe and reliable generation, transmission, and distribution of electrical power to the receiving loads. With the proliferation of inexpensive digital processing and communication devices allowing for increased monitoring and control, these devices are becoming integrated into all levels of the power grid, which relies on a class of technologies known as industrial control systems (ICS). Each ICS consists of one or more intelligent electronic device(s) (IED) and communication node(s) (CN). Examples of power system IEDs include protective relays, voltage controllers, automation controllers, and revenue meters. Examples of power system CNs include power line carrier technologies, remote terminal units (RTUs), managed switches, and security gateways. These technologies are often manufactured, integrated, and supported by different entities over the lifespan of the device and of the physical system being controlled. Systems that utilize cyber mechanisms for the supervisory control and data acquisition (SCADA) of a physical system have more recently become known as cyber-physical systems (CPS).
Because some SCADA functionality is acquired through the utilization of information technology (IT), current CPS security solutions and network security devices (NSDs) rely on solutions that were originally designed for pure IT-based environments in which no physical devices were controlled. Consequently, the information utilized for the execution of a network security action may be derived from an incomplete picture of the physical system contained within the CPS. For instance, the network security action may not take into account the specific role or function of the devices as it relates to the physical application (e.g. a meter vs. a master controller).
IT-based security technologies that are entering power system SCADA/CPS environments include: managed switches, firewalls, software-defined networks (SDN), intrusion detection systems (IDS), and intrusion prevention systems (IPS). One or more of these technologies can be used independently or in combination to perform network security monitoring (NSM), in which the communication links are monitored for violations of a set of signatures or rules. Such rules can be statically generated or behaviorally generated using techniques of knowledge discovery and data mining.
NSM can be performed using TCP/IP-based communication. Some instances of NSM look only at the metadata of the communication packet, e.g. source and destination address, source and destination port, and timestamp. Other instances of NSM, such as deep packet inspection (DPI), examine the information contained within the payload of the captured communication.
To ensure SCADA functionality, power system IEDs and CNs are designed to allow for formatted styles of communication via industry-standard protocols including: Distributed Network Protocol (DNP3), Modbus, IEC 61850, and SEL, among others.
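The following is an added example, not part of the patent text, that contrasts the two NSM styles described above over Modbus/TCP records: a metadata-only rule on addresses and port, and a DPI rule that parses the MBAP header and applies the device's physical role (meter vs. master controller). The device inventory, rule set, and packet capture are constructed here and are hypothetical.

```python
import struct
from collections import namedtuple

# Added example, not from the patent: role-aware NSM over Modbus/TCP records;
# the inventory, rules and packets below are constructed/hypothetical.
MODBUS_PORT = 502
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # Modbus coil/register write function codes

# Constructed inventory: physical role of each IED, keyed by IP address.
ROLES = {"10.0.0.10": "master_controller", "10.0.0.20": "meter",
         "10.0.0.21": "meter", "10.0.0.30": "protective_relay"}

# ts, src, dst, dport plus the Modbus/TCP ADU (7-byte MBAP header + PDU).
Packet = namedtuple("Packet", "ts src dst dport payload")

def metadata_rule(pkt):
    """Metadata-only NSM: only the master may originate traffic to port 502."""
    if pkt.dport == MODBUS_PORT and ROLES.get(pkt.src) != "master_controller":
        return f"{pkt.ts}: unexpected Modbus client {pkt.src} -> {pkt.dst}"
    return None

def dpi_rule(pkt):
    """DPI NSM: parse the MBAP header and flag writes addressed to a meter,
    whose physical role is read-only revenue measurement."""
    if pkt.dport != MODBUS_PORT or len(pkt.payload) < 8:
        return None
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", pkt.payload[:7])
    if proto_id != 0 or length != len(pkt.payload) - 6:
        return f"{pkt.ts}: malformed MBAP header from {pkt.src}"
    func = pkt.payload[7]
    if func in WRITE_CODES and ROLES.get(pkt.dst) == "meter":
        return f"{pkt.ts}: write 0x{func:02x} to meter {pkt.dst} from {pkt.src}"
    return None

def monitor(packets):
    """Run both rule styles over a capture and return the alerts raised."""
    return [hit for pkt in packets for rule in (metadata_rule, dpi_rule)
            if (hit := rule(pkt))]

def mb(tid, unit, pdu):
    """Build a Modbus/TCP ADU; the MBAP length counts the unit id plus the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed capture: a normal read, a write to a meter, and a rogue client.
SAMPLE = [
    Packet(1.0, "10.0.0.10", "10.0.0.20", 502, mb(1, 1, b"\x03\x00\x00\x00\x02")),
    Packet(2.0, "10.0.0.10", "10.0.0.21", 502, mb(2, 1, b"\x06\x00\x10\x00\x01")),
    Packet(3.0, "10.0.0.30", "10.0.0.20", 502, mb(3, 1, b"\x03\x00\x00\x00\x02")),
]
```

Running `monitor(SAMPLE)` yields no alert for the master's read, a DPI alert for the register write to the meter, and a metadata alert for the relay acting as a Modbus client.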