IntelliGrid Architecture

Intra-Customer Site Environment - #16

This environment encompasses communications that are local to customer sites.

Typical Applications:  A customer bringing processes online or offline in response to real-time pricing decisions; A customer locally managing distributed energy resources in response to emissions, environmental conditions, fuel availability, or regulations; building automation for environmental control.

Characteristics:  Critical data, but with a local scope and limited impact on the overall grid.  Types of possible security attacks somewhat limited thanks to physical security. Data is real-time, possibly peer-to-peer, with response times potentially measured in milliseconds if process control is involved.  Available communications technologies and devices tend to be less “hardened” or redundant because of a less harsh physical environment and have corresponding lower quality of service requirements.

Similar Environments:  This environment is similar to Critical Operations Intra-Substation or the Deterministic Rapid Response environments.  However, failures in this environment have a more limited range of effect on the overall power network, and it is generally a less harsh physical environment with lower required quality of service.

Definition:  This environment is defined by the following requirements:

Communication and Information Requirements that Define this Environment

Configuration Requirements

• Support interactions within a contained environment (e.g. substation or control center)

Security Requirements

• Provide Identity Establishment Service (you are who you say you are)
• Provide Authorization Service for Access Control (resolving a policy-based access control decision to ensure authorized entities have appropriate access rights and authorized access is not denied)
• Provide Information Integrity Service (data has not been subject to unauthorized changes or these unauthorized changes are detected)
• Provide Audit Service (responsible for producing records, which track security relevant events)
• Provide Security Policy Service (concerned with the management of security policies)
• Provide User Profile and User Management (combination of several other security services)

Network and System Management Requirements

• Provide Network Management (management of media, transport, and communication nodes)
• Provide System Management (management of end devices and applications)

Data Management Requirements

• Support extensive data validation procedures
• Support keeping data consistent and synchronized across systems and/or databases
• Support frequent changes in types of data exchanged
• Support management of data whose types can vary significantly in different implementations
• Support specific standardized or de facto object models of data
• Provide conversion and protocol mapping

Recommended Technologies

Energy Industry-Specific Technologies

    Utility Field Device Related Data Exchange Technologies

• IEC61850 Part 7-2 - Abstract Common Services Interface (ACSI) - Configuration,
• IEC61850 Power Quality Object Models - Data Management
• IEC62350 - Object Models for Distributed Energy Resources (DER) - Network Management, Data Management
• IEC61400-25 for Wind Power Object Models - Network Management, Data Management

    Utility Control Center Related Data Management Technologies

• NERC e-tagging - Data Management
• NAESB OASIS for Market Transactions - Data Management
• OPEN GIS - Data Management
• OAG - Data Management
• MultiSpeak - Data Management

    Customer Interface Data Management Technologies

• IEC62056 - Data Exchange for Meter Reading, Tariff, and Load Control - Data Management
• ANSI C12.19 (Meter Tables) - Data Management
• AEIC Guidelines - Data Management

Communications Industry Technologies

    Access Technologies

• Private Intranet - Configuration,

    IP-based Transport Protocols

• Transmission Control Protocol (TCP) - Configuration,

    Application Layer Protocols

• SNTP (Network Time Protocol) - Data Management

    Link Layer and Physical Technologies

• Asynchronous Transfer Mode (ATM) - Configuration,

    Wireless Technologies

• Global Positioning System (GPS) - Data Management

    Computer Systems Related Technologies

• CORBA and CORBA Services - Data Management
• Web Services - Data Management
• XML Protocol/Simple Object Access Protocol (SOAP) - Data Management
• Enterprise Java Beans (EJB) - Data Management
• GUID - Data Management

    General Internet and De Facto Data Management Technologies

• ANSI/ISO/IEC 8632-1, 2, 3, 4 - Computer Graphics Metafile (CGM) - Data Management
• ISO/IEC 11179 Parts 1 - 6 Metadata Registries - Data Management
• Meta Object Facility (MOF) - Data Management
• XML Metadata Interchange (XMI) - Data Management
• eXtensible Markup Language (XML) - Data Management
• XML Schema (xls) - Data Management

Security Technologies

    Policy and Framework Related Technologies

• ISO/IEC 10164-8:1993 Security Audit Trail Function - Information technology - Open Systems Interconnection - Systems Management - Security,
• ISO/IEC 18014-1:2002 Time-Stamping Services - Information technology - Security Techniques - Part 1: Framework - Security, Data Management
• ISO/IEC 10181-7:1996 Security Audit and Alarms Framework - Information technology - Open Systems Interconnection -- Security Frameworks for Open Systems - Security,
• FIPS PUB 112 Password Usage - Security,
• FIPS PUB 113 Computer Data Authentication - Security,
• RFC 2196 Site Security Handbook - Security,
• RFC 2401 Security Architecture for the Internet Protocol - Security,
• RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Security,

    General Security Technologies

• FIPS 197 for Advanced Encryption Standard (AES) - Security,
• FIPS 186 Digital Signatures Standard (DSS) - Security,
• Intrusion Detection Technologies - Security, Network Management,
• Intrusion Prevention Systems (IPS) - Security, Network Management,
• Service Level Agreements (SLA) - Security,

    Media and Network Layer Technologies

• Secure IP Architecture (IPSec) - Security,
• IEEE 802.11i Security for Wireless Networks - Security,
• Remote Authentication Dial In User Service (RADIUS) - Security,
• ATM Security - Security,
• AGA-12 Cryptographic Protection of SCADA Communications General Recommendations - Security,

    Application Layer Security Technologies

• RFC 2228 FTP Security Extensions - Security,
• Internet Mail Extensions - Security,
• RFC 2086 IMAP4 ACL extension - Security,
• SNMP Security - Security, Network Management,
• RFC 1305 Network Time Protocol (Version 3) Specification, Implementation - Security, Data Management
• IEC 62351-4 Security for Profiles including MMS (ISO-9506) - Security,
• IEC 62351-5 Security for IEC 60870-5 and Derivatives - Security,
• IEC 62351-6 Security for IEC 61850 GOOSE, GSSE, and SMV Profiles - Security,

    XML Related Technologies

• OASIS Security Assertion Markup Language (SAML) - Security,
• Secure XML - Security,

Network and Enterprise Management Technologies

    Network Management Technologies

• Simple Network Management Protocol (SNMP) - Network Management,
• IEC 62351-7 Objects for Network Management - Network Management, Data Management

    Web-based Network Management

• Web-based Enterprise Management (WBEM) - Network Management,

 

---

Recommended Common Services

Security Services

    Common Security Services

• Audit Common Service - Security,
• Authorization for Access Control - Security,
• Identity Establishment Service - Security,
• Information Integrity Service - Security,
• Security Policies - Security,
• Quality of Identity Service - Security,
• User and Group Management - Security,

Network and System Management Services

    Enterprise Management Services

• Inventory Management - Network Management,
• Communication System/Network Discovery - Network Management,
• Routing Management - Network Management,
• Traffic Management - Network Management,
• Traffic Engineering - Network Management,
• System/Network Health-Check Analysis - Network Management,
• System/Network Fault Diagnosis - Network Management,
• System/Network Fault Correcting - Network Management,
• Service Level Agreement (SLA) Determination and Maintenance - Network Management,
• System/Network Performance Analysis - Network Management,
• System/Network Performance Diagnosis - Network Management,
• Performance Tuning/Correction - Network Management,
• Accounting and/or Billing - Network Management,

Data Management Common Services

    Data Management Common Services

• Distributed Data Management Service - Data Management
• Object Management Service - Data Management
• Address and Naming Management - Network Management, Data Management
• Generic Eventing And Subscription - Network Management, Data Management
• Alarm Detection/Reporting - Network Management, Data Management
• Instrumentation and Monitoring Service - Network Management, Data Management
• Measurement Data Logging Service - Security, Network Management,
• Remote Control - Network Management,
• Network Time - Data Management

Common Platform Services

    Common Platform Services

• Component Initialization and Termination - Network Management,
• Resource Management - Network Management,
• Checkpoint and Recovery - Network Management,
• Workflow Service - Network Management,

 

---

Recommended Best Practices

Data Management Best Practices

    Data Management

• Metadata Files and Databases - Network Management, Data Management
• Object Modeling Techniques - Data Management
• Quality Flagging - Network Management, Data Management
• Time Stamping - Security, Network Management, Data Management
• Validation of Source Data and Data Exchanges - Data Management
• Data Update Management - Data Management
• Management of Time-Sensitive Data Flows and Timely Access to Data by Multiple Different Users - Data Management
• Management of Data Consistency and Synchronization across Systems - Data Management
• Management of Data and Object Naming - Data Management
• Management of Data Formats in Data Exchanges - Data Management
• Management of Data Accuracy - Data Management
• Management of Data Acquisition - Data Management
• Management of Manual Data Entry - Data Management
• Data Consistency across Multiple Systems - Data Management
• Database Maintenance Management - Data Management
• Data Backup and Logging - Security, Data Management
• Application Management - Network Management,

Security Best Practices

    Security Frameworks and Policy Documents

• ISO/IEC Security Best Practices - Security,
• ISO/IEC 10164-8:1993 Information technology -- Open Systems Interconnection -- Systems Management: Security audit trail function - Data Management
• ISO/IEC 18014-3:2004 Information technology -- Security techniques -- Time-stamping services -- Part 3: Mechanisms producing linked tokens - Security,
• Federal Security Best Practices - Security,
• CICSI 6731.01 Global Command and Control System Security Policy - Security,
• FIPS PUB 112 Password Usage - Security,
• IETF Security Best Practices Internet Requests for Comments (RFCs) - Network Management,
• RFC 1102 Policy routing in Internet protocols - Network Management,
• RFC 1322 A Unified Approach to Inter-Domain Routing - Network Management,
• RFC 1351 SNMP Administrative Model - Network Management,
• RFC 2008 Implications of Various Address Allocation Policies for Internet Routing - Network Management,
• RFC 2196 Site Security Handbook - Network Management,
• RFC 2276 Architectural Principles of Uniform Resource Name Resolution - Security,
• RFC 2386 A Framework for QoS-based Routing in the Internet - Network Management,
• RFC 2505 Anti-Spam Recommendations for SMTP - Security,
• RFC 2518 HTTP Extensions for Distributed Authoring - WEBDAV - Network Management,
• RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Network Management,

Security Technology Documents

Alternative Technologies

    Utility Field Device Related Data Exchange Technologies

• IEC61850 Part 7-2 - GSE (GOOSE and GSSE - Configuration,

    Customer Interface Data Management Technologies

• ASHRAE SSPC135 BACnet - Configuration,
• GPC-20 XML Modeling for HVAC - Configuration, Data Management
• CEBus® based on EIA 600 - Configuration,
• UPnP - Configuration,

    Networking Technologies

• Open Shortest Path First (OSPF) Routing Protocol - Configuration,
• Border Gateway Protocol (BGP) - Configuration,
• Internet Group Management Protocol (IGMP) - Configuration,
• Distance Vector Multicast Routing Protocol (DVMRP) - Configuration,
• Multicast Open Shortest Path (MOSPF) routing protocol - Configuration,
• Protocol Independent Multicast-Sparse Mode (PIM-SM) - Configuration,
• Core-Based Tree (CBT) multicast routing - Configuration,

    IP-based Transport Protocols

• Stream Control Transmission Protocol (SCTP) - Configuration,
• Datagram Congestion Control Protocol (DCCP) - Configuration,
• Real-Time Transport Protocol (RTP) - Configuration,

    Application Layer Protocols

• Microsoft COM+ - Data Management

    Link Layer and Physical Technologies

• IEEE 802.1d Spanning Tree Protocol (STP) - Network Management,
• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) - Network Management,
• Hubs/Repeaters - Configuration,
• Bridges/Switches - Configuration,
• Routers - Configuration,

    Wireless Technologies

• IEEE 802.11 Wireless Local Area Network (WLAN) - Configuration,
• IEEE 802.15 Wireless Personal Area Network (PAN) - Configuration,
• Bluetooth Special - Configuration,
• Radio Frequency Identification (RFID) - Data Management

    Virtual Private Networking Technologies

• Layer 3 VPNs - Security,
• Layer 2 VPNs - Security,
• PPTP - Security,

    Computer Systems Related Technologies

• Web Services Description Language (WSDL) - Data Management

    General Internet and De Facto Data Management Technologies

• Common Warehouse Model (CWM) - Data Management
• American Standard Code for Information Interchange (ASCII) - Data Management
• Hypertext Markup Language (HTML) - Data Management
• RDF - Data Management

    Network Management Technologies

• Remote Network Monitor (RMON) - Network Management,
• OSI Network Management Model - Network Management,

    Web-based Network Management

• Policy-based Management Technologies - Network Management,

Alternative Best Practices

    Security Frameworks and Policy Documents

• ISO/IEC 10181-7:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Security audit and alarms framework - Security,

    ISO/IEC Documents on Security Technologies

• ISO/IEC 7816-1:1998 Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics - Security,
• ISO/IEC 7816-3:1997 Information technology -- Identification cards -- Integrated circuit(s) cards with contacts -- Part 3: Electronic signals and transmission protocols - Security,
• ISO/IEC 7816-3:1997/Amd 1:2002 Electrical characteristics and class indication for integrated circuit(s) cards operating at 5 V, 3 V and 1,8 V - Security,
• ISO/IEC 7816-4:1995 Information technology -- Identification cards -- Integrated circuit(s) cards with contacts -- Part 4: Inter-industry commands for interchange - Security,
• ISO/IEC 7816-4:1995/Amd 1:1997 secure messaging on the structures of APDU messages - Security,
• ISO/IEC 7816-5:1994 Identification cards -- Integrated circuit(s) cards with contacts -- Part 5: Numbering system and registration procedure for application identifiers - Security,
• ISO/IEC 7816-7:1999 Identification cards -- Integrated circuit(s) cards with contacts -- Part 7: - Security,
• ISO/IEC 7816-8:1999 Identification cards -- Integrated circuit(s) cards with contacts -- Part 8: Security related - Security,
• ISO/IEC 7816-9:2000 Identification cards -- Integrated circuit(s) cards with contacts -- Part 9: Additional - Security,
• ISO/IEC 7816-10:1999 Identification cards -- Integrated circuit(s) cards with contacts -- Part 10: Electronic signals and answer to reset for synchronous cards - Security,
• ISO/IEC 7816-11:2004 Identification cards -- Integrated circuit cards -- Part 11: Personal verification through biometric methods - Security,
• ISO/IEC 7816-15:2004 Identification cards -- Integrated circuit cards with contacts -- Part 15: Cryptographic information application - Security,
• ISO/IEC 9594-8:1998 Information technology -- Open Systems Interconnection -- The Directory: Authentication framework - Security,
• ISO 9735-5:2002 Electronic data interchange for administration, commerce and transport (EDIFACT) -- Application level syntax rules (Syntax version number: 4, Syntax release number: 1) -- Part 5: Security rul - Security,
• ISO/IEC 10164-9:1995 Information technology -- Open Systems Interconnection -- Systems Management: Objects and attributes for access control - Security,
• ISO/IEC 10181-1:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Overview - Security,
• ISO/IEC 10181-2:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Authentication framework - Security,
• ISO/IEC 10181-3:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Access control framework - Security,
• ISO 10202-1:1991 Financial transaction cards -- Security architecture of financial transaction systems using integrated circuit cards -- Part 1: Card life cycle - Security,
• ISO 10202-7:1998 Financial transaction cards -- Security architecture of financial transaction systems using integrated circuit cards -- Part 7: Key management - Security,
• ISO 10202-8:1998 Financial transaction cards -- Security architecture of financial transaction systems - Security,
• ISO/IEC TR 13335-1:1996 Information technology -- Guidelines for the management of IT Security -- Part 1: Concepts and models for IT Security - Security,
• ISO/IEC TR 13335-2:1997 Information technology -- Guidelines for the management of IT Security -- Part 2: Managing and planning IT Security - Security,
• ISO/IEC TR 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security - Security,
• ISO/IEC 15408-1:1999 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general mode - Security,
• ISO/IEC 15408-2:1999 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements - Security,
• ISO/IEC 17799:2000 Information technology -- Code of practice for information security management - Security,
• ISO JTC1 SC37 1.37.19784.1 BioAPI - Biometric Application Programming Interface - Security,
• ISO JTC1 SC37 1.37.19794 - Biometric Data Interchange Format - Security,
• ISO JTC1 SC37 1.37.19794.3 Biometric Data Interchange Format - Part 3: Finger Pattern Spectral Data - Security,
• ISO JTC1 SC37 1.37.19794.4 Biometric Data Interchange Format - Part 4: Finger Image Data - Security,
• ISO JTC1 SC37 1.37.1974.5 Biometric Data Interchange Format - Part 5: Face Image Data - Security,

    Federal Documents on Security Technologies

• - Security,
• FIPS 197 Federal Information Processing Standards Publication 197, Specification for the Advanced Encryption Standard (AES) - Security,

    IETF Internet Requests for Comments (RFCs) on Security Technologies

• RFC 1004 Distributed-protocol authentication scheme - Security,
• RFC 1352 SNMP Security Protocols - Network Management,
• RFC 1507 DASS - Distributed Authentication Security Service - Security,
• RFC 1826 IP Authentication Header - Security,
• RFC 1827 IP Encapsulating Security Payload (ESP) - Security,
• RFC 1940 Source Demand Routing: Packet Format and Forwarding Specification (Version 1) - Network Management,
• RFC 1968 The PPP Encryption Control Protocol (ECP) - Security,
• RFC 2040 The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms - Security,
• RFC 2045 Multi-Purpose Internet Mail Extensions (MIME) and Secure/MIME - Security,
• RFC 2086 IMAP4 ACL extension - Security,
• RFC 2093 Group Key Management Protocol (GKMP) Specification - Security,
• RFC 2228 FTP Security Extensions - Security,
• RFC 2230 Key Exchange Delegation Record for the DNS - Security,
• RFC 2244 ACAP -- Application Configuration Access Protocol - Security,
• RFC 2246 The TLS Protocol Version 1.0 - Security,
• RFC 2313 PKCS #1: RSA Encryption Version 1.5 - Security,
• RFC 2315 PKCS #7: Cryptographic Message Syntax Version 1.5 - Security,
• RFC 2406 IP Encapsulating Security Payload (ESP) - Security,
• RFC 2437 PKCS #1: RSA Cryptography Specifications Version 2.0 - Security,
• RFC 2440 OpenPGP Message Format - Security,
• RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) - Security,
• RFC 2409 The Internet Key Exchange (IKE) - Security,
• RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile - Security,
• RFC 2510 Internet X.509 Public Key Infrastructure Certificate Management Protocols - Security,
• RFC 2511 Internet X.509 Certificate Request Message Format - Security,
• RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Security,
• RFC 2547 BGP/MPLS VPNs - Security, Network Management,
• RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP - Security,
• RFC 2764 A Framework for IP Based Virtual Private Networks - Security, Network Management,
• RFC 2753 A Framework for Policy-based Admission Control - Security,
• RFC 2797 Certificate Management Messages over CMS - Security,
• RFC 2817 Upgrades to TLS within HTTP/1.1 - Security,
• RFC 2818 HTTP over TLS (HTTPS) - Security,
• RFC 2865 Remote Authentication Dial In User Service (RADIUS) - Security,
• RFC 2869 RADIUS Extensions - Security,
• RFC 2874 DNS Extensions to Support IPv6 Address Aggregation and Renumbering - Security,
• RFC 2875 - Security,
• RFC 2898 PKCS #5: Password-Based Cryptography Specification Version 2.0 - Security,
• RFC 2946 Telnet Data Encryption Option - Security,
• RFC 2977 Mobile IP Authentication, Authorization, and Accounting Requirements - Security,
• RFC 2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0 - Security,
• RFC 3053 IPv6 Tunnel Broker - Network Management,
• RFC 3268 Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS) - Security,
• RFC 3280 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - Security,
• RFC 3369 Cryptographic Message Syntax (CMS) - Security,
• RFC 3370 Cryptographic Message Syntax (CMS) Algorithms - Security,
• RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) - Network Management,
• RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 - Security,
• RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Security,

    Other Security Technolog

• IEEE 802.11b Web Encryption Protocol - Security,
• IEEE 802.11i Security for Wireless Networks - Security,
• RSA Documents on Security Technologies - Security,
• RSA PKCS #8 Private-Key Information Syntax Standard - Security,
• RSA PKCS #12 Personal Information Exchange Syntax Standard, version 1.0. - Security,
• OASIS Documents on Security Technologies - Security,
• WC3 XML Key Management Specification (XKMS 2.0) Bindings - Security,
• AGA-12 Cryptographic Protection of SCADA Communications General Recommendations. - Security,
• ANSI INCITS 359-2004 Role Based Access Control (RBAC) - Security,
• EPRI 1002596 ICCP TASE.2 Security Enhancements - Security,
• NERC Certificate Policy for the Energy Market Access and Reliability Certificate (e MARC) Program Version 2.4 - Security,
• NIST GSC-IS The NIST Interagency Report 6887 - 2003 edition (Government Smart Card-Interoperability Specification) Version 2.1 - Security,
• NISTIR 6529 Common Biometric File Format (CBEFF) - Security,
• Smart Card Alliance Smart Card Primer - Security,
• Smart Card Alliance Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology - Security,
• Smart Card Alliance Government Smart Card Handbook - Security,
• WebDAV Access Control Extensions to WebDAV - Security,
• WPA WI-FI Protected Access - Security,
• WPA2 WI-FI Protected Access Version 2 - Security,
• TMN PKI - Digital certificates and certificate revocation lists profiles - Security,

Possible Technologies

    Utility Field Device Related Data Exchange Technologies

• Fieldbus - Configuration,
• PROFIBUS - Configuration,
• ModBus - Configuration,
• ModBus TCP/IP - Configuration,
• ModBus Plus - Configuration,

    Customer Site In-Building Technologies

• Home PNA - Configuration,
• HomePlug - Configuration,
• Zigbee Spec - Configuration,

    Networking Technologies

• Intermediate System to Intermediate System (ISIS) Routing Protocol - Configuration,
• Routing Information Protocol (RIP) - Configuration,