Question no 3.06: What are your experiences to monitoring of IEC 61850 based PACS and how you secure the operation of critical infrastructure and resp
Paulo Sergio Pereira Junior
PACS network must incorporate monitoring functions, considering cybersecurity aspects, able to:
1) Detect and point out anomalies or lacking of messages, like GOOSE or SV, or yet unforeseen messages;
2) Detect lacking of synchronism signal;
3) Verify and point out abnormal propagation time, i.e. latency, and asymmetry or excessive variation, i.e. jitter, of messages propagation times;
4) Be implemented in a independent way of protection devices or local teleprotection devices;
5) Have resources for storing event records of detected anomalies. Figure 1 exemplifies a monitoring system setup:
Considering Sampled Values, the goal is to verify propagation delay, processing time and time between frames. The first one is the time that a message takes to leave one device′s Ethernet port and enter another device′s Ethernet port, i.e. the network latency time. It is important for the monitoring system to verify the propagation delay and to analyze if there is a network overload.
The processing time is the time a MU/SAMU takes to sample the signals that are coming from instrument transformers, to encapsulate them into the standard frame and to publish them, plus the network latency time. Thus, the users can analyze if it is going out of the ordinary time of processing. Also, the number of SV frames errors in the network and the synchronism flag can be verified.
The time between frames indicates if the MU/SAMU is sampling properly according to what was set. This functionality can be implemented by the monitoring system just marking the frame’s incoming time on the network board and getting the difference between them.
Figure 2 exemplifies these statistical analysis of SV frames.
In the case of GOOSE, the goal is to calculate the transfer time and to verify if it was under the limits defined by the IEC 61850-5 according to the performance classes defined in IEC 61850-8-1.
Based on item 11.1.1.4 of IEC 61850-5 Ed.2, the transfer time is defined as the complete frame′s transmission time including the processing of publisher and subscriber. In details, it is the sum of three times: ta, tb and tc , where:
- ta is the time counted from the moment the publisher puts the frame on top of its transmission stack (coding) to the moment it is sent to the network;
- tb is the network latency time;
- tc is the time counted from the frame′s incoming moment at the subscriber to the frame is extracted from the receiving stack.
Figure 3 illustrates the transfer time′s concept and Figure 4 gives an example of Transfer Time statistics.
领英推荐
Besides GOOSE Transfer Time, the monitoring system must verify if all the frames are running on the network according to SCL file, if the retransmission time is correct and if the frames are not out of order through State Number and Sequence Number analysis. Considering PTP synchronism, it is important to verify if the Grand Master frames are running on the network through Announce and Sync frames analysis. Also, the monitoring system must be a PTP slave in order to verify if the slave clock jitter is increasing in relation to master clock.
It is imperative that PACS network incorporates mechanisms that offer cybersecurity to prevent incidents and to ensure the following topics:
1) Confidentiality: to limit data access to authorized users only;
2) Integrity: to ensure that are no unauthorized modifications of messages data or information steals;
3) Availability: to ensure authorized access to data or services;
4) Authenticity: to ensure that the data comes from a legitimate source. So, a cybernetic incident in PACS can be defined as an event that compromises really or potentially the availability, integrity, confidentiality or authenticity of the PACS network.
This way, cybersecurity devices must be configured to set an alarm in case of threat:
- Alarm configurations rules must be periodically reviewed;
- All the alarms must be logged and sent immediately to the cybersecurity staff;
- All the alarms must be analyzed and treated in the correct deadline defined by the security policy.
The NIST (National Institute of Standards and Technology) SP (Special Publication) 800 – series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.
NIST SP 800 – 61 rev. 2 provides guidelines for detecting, analyzing, prioritizing and handling incidents to respond to them effectively and efficiently. Item 3 - “Handling an Incident” - describes the 4 main phases of the incident response process: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
In the Preparation phase, the incident response team must be established and trained; the necessary tools and resources must be acquired; the organization must select and implement a set of controls based on the results of risk assessment. This way, the company must try to limit the number of incidents that will occur.
In the Detection and Analysis step, the organization must be alerted about detection of security breaches whenever an incident occurs. Regarding this, there are some manners to implement security incident alert and timely inform the operator and the maintainer, through: publishing of GOOSE frames, MMS reports, binary outputs, emails, panel LEDs and etc. This way, each network monitoring and cybersecurity vendor can choose one or more manner to implement this solution. So, after analyse the threat′s gravity, the company can mitigate the impact of the incident by containing it and ultimately recovering from it. This phase, consisting of these two steps, is cyclical until the threat is eradicated.
Finally, in the Post-Incident Activity phase, the organization must issue a report that details the cause and cost of the incident and the steps the company must take to prevent future incidents, returning, this way, to the first phase.
Figure 5 exemplifies the phases of the incident response process.