IntelliGrid Architecture

HV Generation Plant Environment

This environment captures the requirements for communications within the electrical and physical site of the generating plant up to the point of common coupling with the area power system.

Typical Applications:  Frequency and Volt/VAR control, load shedding under emergency conditions, cold start of generation, local displays on graphical user interfaces. Also involves plant management systems for other plant equipment, such as fuel systems, burners, boilers, turbines, cooling systems, historical records, market operations, etc.

Characteristics:  Critical data in a real-time, process-control environment, but security attacks may be limited by very strong physical security.

Similar Environments:  Very similar to Critical Operations Intra-Substation, with slightly lower quality of service and security requirements due to a more secure and stable physical environment.

Definition:  This environment is defined by the following requirements:

Communication and Information Requirements that Define this Environment

Configuration Requirements

• Support interactions within a contained environment (e.g. substation or control center)

Quality of Service Requirements

• Provide high speed messaging of less than 1 second
• Support high availability of information flows of 99.9+ (~9 hours)

Security Requirements

• Provide Identity Establishment Service (you are who you say you are)
• Provide Authorization Service for Access Control (resolving a policy-based access control decision to ensure authorized entities have appropriate access rights and authorized access is not denied)
• Provide Information Integrity Service (data has not been subject to unauthorized changes or these unauthorized changes are detected)
• Provide Audit Service (responsible for producing records, which track security relevant events)
• Provide Security Policy Service (concerned with the management of security policies)
• Provide User Profile and User Management (combination of several other security services)
• Provide Security Discovery (the ability to determine what security services are available for use)

Network and System Management Requirements

• Provide Network Management (management of media, transport, and communication nodes)
• Provide System Management (management of end devices and applications)

Data Management Requirements

• Support extensive data validation procedures
• Support keeping data consistent and synchronized across systems and/or databases
• Support the exchange of unstructured or special-format data (e.g. text, documents, oscillographic data)
• Provide discovery service (discovering available services and their characteristics)
• Provide conversion and protocol mapping

Recommended Technologies

Energy Industry-Specific Technologies

    Utility Field Device Related Data Exchange Technologies

• IEC61850 Part 7-2 - Abstract Common Services Interface (ACSI) - Configuration, Quality of Service, Data Management
• IEC61850 Parts 7-3 and 7-4 - Substation Object Modeling - Network Management, Data Management
• IEC61850 Part 6 - Substation Configuration Language - Network Management, Data Management
• IEC61850 Power Quality Object Models - Data Management
• IEC62350 - Object Models for Distributed Energy Resources (DER) - Network Management, Data Management
• IEC62349 - Hydro Power Plant Object Models - Network Management, Data Management
• IEC61400-25 for Wind Power Object Models - Network Management, Data Management

    Utility Control Center Related Data Management Technologies

• IEC 60870-6 (ICCP) - Quality of Service,
• IEC 61970 Part 4 - Generic Interface Definition (GID) - Configuration, Quality of Service, Data Management

Communications Industry Technologies

    Access Technologies

• Private Intranet - Configuration,

    Networking Technologies

• Internet Protocol Version V4 (IPV4) - Configuration,

    IP-based Transport Protocols

• Transmission Control Protocol (TCP) - Configuration,

    Application Layer Protocols

• SNTP (Network Time Protocol) - Data Management

    Link Layer and Physical Technologies

• Asynchronous Transfer Mode (ATM) - Configuration,

    Wireless Technologies

• Global Positioning System (GPS) - Data Management

    Computer Systems Related Technologies

• GUID - Data Management

    General Internet and De Facto Data Management Technologies

• ANSI/ISO/IEC 9075 - Structured Query Language (SQL) - Data Management

Security Technologies

    Policy and Framework Related Technologies

• ISO/IEC 10164-8:1993 Security Audit Trail Function - Information technology - Open Systems Interconnection - Systems Management - Security,
• ISO/IEC 18014-1:2002 Time-Stamping Services - Information technology - Security Techniques - Part 1: Framework - Security, Data Management
• ISO/IEC 10181-7:1996 Security Audit and Alarms Framework - Information technology - Open Systems Interconnection -- Security Frameworks for Open Systems - Security,
• FIPS PUB 112 Password Usage - Security,
• FIPS PUB 113 Computer Data Authentication - Security,
• RFC 2196 Site Security Handbook - Security,
• RFC 2401 Security Architecture for the Internet Protocol - Security,
• RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Security,

    General Security Technologies

• FIPS 197 for Advanced Encryption Standard (AES) - Security,
• FIPS 186 Digital Signatures Standard (DSS) - Security,
• Intrusion Detection Technologies - Security, Network Management,
• Intrusion Prevention Systems (IPS) - Security, Network Management,
• Service Level Agreements (SLA) - Security,

    Media and Network Layer Technologies

• Secure IP Architecture (IPSec) - Security,
• IEEE 802.11i Security for Wireless Networks - Security,
• Remote Authentication Dial In User Service (RADIUS) - Security,
• ATM Security - Security,
• AGA-12 Cryptographic Protection of SCADA Communications General Recommendations - Security,

    Application Layer Security Technologies

• RFC 2228 FTP Security Extensions - Security,
• Internet Mail Extensions - Security,
• RFC 2086 IMAP4 ACL extension - Security,
• SNMP Security - Security, Network Management,
• RFC 1305 Network Time Protocol (Version 3) Specification, Implementation - Security, Data Management
• IEC 62351-4 Security for Profiles including MMS (ISO-9506) - Security,
• IEC 62351-5 Security for IEC 60870-5 and Derivatives - Security,
• IEC 62351-6 Security for IEC 61850 GOOSE, GSSE, and SMV Profiles - Security,

    XML Related Technologies

• OASIS Security Assertion Markup Language (SAML) - Security,
• Secure XML - Security,

Network and Enterprise Management Technologies

    Network Management Technologies

• Simple Network Management Protocol (SNMP) - Network Management,
• IEC 62351-7 Objects for Network Management - Quality of Service, Network Management,

    Web-based Network Management

• Web-based Enterprise Management (WBEM) - Network Management,

 

---

Recommended Common Services

Security Services

    Common Security Services

• Audit Common Service - Security,
• Authorization for Access Control - Security,
• Identity Establishment Service - Security,
• Information Integrity Service - Security,
• Security Policies - Security,
• Quality of Identity Service - Security,
• Security Service Availability Discovery Service - Security,
• User and Group Management - Security,

Network and System Management Services

    Enterprise Management Services

• Inventory Management - Network Management,
• Communication System/Network Discovery - Network Management,
• Routing Management - Network Management,
• Traffic Management - Network Management,
• Traffic Engineering - Network Management,
• System/Network Health-Check Analysis - Network Management,
• System/Network Fault Diagnosis - Network Management,
• System/Network Fault Correcting - Network Management,
• Service Level Agreement (SLA) Determination and Maintenance - Network Management,
• System/Network Performance Analysis - Network Management,
• System/Network Performance Diagnosis - Network Management,
• Performance Tuning/Correction - Network Management,
• Accounting and/or Billing - Network Management,

Data Management Common Services

    Data Management Common Services

• Distributed Data Management Service - Data Management
• Object Management Service - Data Management
• Address and Naming Management - Network Management, Data Management
• Generic Eventing And Subscription - Network Management, Data Management
• Alarm Detection/Reporting - Network Management, Data Management
• Instrumentation and Monitoring Service - Network Management, Data Management
• Measurement Data Logging Service - Security, Network Management,
• Remote Control - Network Management,
• Network Time - Data Management
• File Transfer - Data Management

Common Platform Services

    Common Platform Services

• Component Registry Service - Data Management
• Component Lookup Service - Data Management
• Component Discovery Service - Data Management
• Component Initialization and Termination - Network Management,
• Resource Management - Network Management,
• Checkpoint and Recovery - Network Management,
• Workflow Service - Network Management,

 

---

Recommended Best Practices

Data Management Best Practices

    Data Management

• Backup Databases - Quality of Service,
• Metadata Files and Databases - Network Management, Data Management
• Quality Flagging - Network Management, Data Management
• Time Stamping - Security, Network Management, Data Management
• Validation of Source Data and Data Exchanges - Data Management
• Data Update Management - Data Management
• Management of Time-Sensitive Data Flows and Timely Access to Data by Multiple Different Users - Quality of Service, Data Management
• Management of Data Consistency and Synchronization across Systems - Data Management
• Management of Data Formats in Data Exchanges - Data Management
• Management of Data Accuracy - Data Management
• Management of Data Acquisition - Data Management
• Management of Manual Data Entry - Data Management
• Data Consistency across Multiple Systems - Data Management
• Data Backup and Logging - Quality of Service, Security, Data Management
• Application Management - Network Management,

Security Best Practices

    Security Frameworks and Policy Documents

• ISO/IEC Security Best Practices - Security,
• ISO/IEC 10164-8:1993 Information technology -- Open Systems Interconnection -- Systems Management: Security audit trail function - Data Management
• ISO/IEC 18014-3:2004 Information technology -- Security techniques -- Time-stamping services -- Part 3: Mechanisms producing linked tokens - Security,
• Federal Security Best Practices - Security,
• CICSI 6731.01 Global Command and Control System Security Policy - Security,
• FIPS PUB 112 Password Usage - Security,
• IETF Security Best Practices Internet Requests for Comments (RFCs) - Network Management,
• RFC 1102 Policy routing in Internet protocols - Network Management,
• RFC 1322 A Unified Approach to Inter-Domain Routing - Network Management,
• RFC 1351 SNMP Administrative Model - Network Management,
• RFC 2008 Implications of Various Address Allocation Policies for Internet Routing - Network Management,
• RFC 2196 Site Security Handbook - Network Management,
• RFC 2276 Architectural Principles of Uniform Resource Name Resolution - Security,
• RFC 2386 A Framework for QoS-based Routing in the Internet - Network Management,
• RFC 2505 Anti-Spam Recommendations for SMTP - Security,
• RFC 2518 HTTP Extensions for Distributed Authoring - WEBDAV - Network Management,
• RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Network Management,

Security Technology Documents

Alternative Technologies

    Utility Field Device Related Data Exchange Technologies

• IEC60870-5 Part 104 - Telecontrol Protocol over TCP/IP - Configuration, Quality of Service,
• DNP3 Protocol over TCP/IP - Configuration, Quality of Service,
• ISO 9506 MMS - Manufacturing Messaging Specification - Configuration, Quality of Service,
• C37.111-1999 IEEE COMTRADE Standard (Common Format for Transient Data Exchange) for Power Systems - Data Management
• IEEE 1159.3 - Power Quality Data Interchange Format (PQDIF) - Data Management

    Networking Technologies

• Internet Protocol Version 6 (IPV6) - Configuration,
• Open Shortest Path First (OSPF) Routing Protocol - Configuration,
• Border Gateway Protocol (BGP) - Configuration,
• Internet Group Management Protocol (IGMP) - Configuration,
• Distance Vector Multicast Routing Protocol (DVMRP) - Configuration,
• Multicast Open Shortest Path (MOSPF) routing protocol - Configuration,
• Protocol Independent Multicast-Sparse Mode (PIM-SM) - Configuration,
• Core-Based Tree (CBT) multicast routing - Configuration,

    IP-based Transport Protocols

• Stream Control Transmission Protocol (SCTP) - Configuration,
• Datagram Congestion Control Protocol (DCCP) - Configuration,
• Real-Time Transport Protocol (RTP) - Configuration,

    Application Layer Protocols

• Microsoft COM+ - Data Management

    Link Layer and Physical Technologies

• IEEE 802.1d Spanning Tree Protocol (STP) - Network Management,
• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) - Network Management,
• Hubs/Repeaters - Configuration,
• Bridges/Switches - Configuration,
• Routers - Configuration,

    Wireless Technologies

• IEEE 802.11 Wireless Local Area Network (WLAN) - Configuration,
• IEEE 802.15 Wireless Personal Area Network (PAN) - Configuration,
• Bluetooth Special - Configuration,
• Radio Frequency Identification (RFID) - Data Management

    Virtual Private Networking Technologies

• Layer 3 VPNs - Security,
• Layer 2 VPNs - Security,
• PPTP - Security,

    Computer Systems Related Technologies

• CORBA and CORBA Services - Data Management
• Web Services - Data Management
• Universal Description, Discovery, and Integration (UDDI) - Data Management
• XML Protocol/Simple Object Access Protocol (SOAP) - Data Management

    eCommerce Related Data Management Technologies

• EAN.UCC Identification Numbers - Data Management
• EAN.UCC Universal Bar Codes - Data Management
• 10303 Standard Exchange for Product Data (STEP) - Data Management

    Network Management Technologies

• Remote Network Monitor (RMON) - Network Management,
• OSI Network Management Model - Network Management,

    Web-based Network Management

• Policy-based Management Technologies - Network Management,

Alternative Best Practices

    Data Management

• Backup Sites - Quality of Service,

    Security Frameworks and Policy Documents

• ISO/IEC 10181-7:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Security audit and alarms framework - Security,

    ISO/IEC Documents on Security Technologies

• ISO/IEC 7816-1:1998 Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics - Security,
• ISO/IEC 7816-3:1997 Information technology -- Identification cards -- Integrated circuit(s) cards with contacts -- Part 3: Electronic signals and transmission protocols - Security,
• ISO/IEC 7816-3:1997/Amd 1:2002 Electrical characteristics and class indication for integrated circuit(s) cards operating at 5 V, 3 V and 1,8 V - Security,
• ISO/IEC 7816-4:1995 Information technology -- Identification cards -- Integrated circuit(s) cards with contacts -- Part 4: Inter-industry commands for interchange - Security,
• ISO/IEC 7816-4:1995/Amd 1:1997 secure messaging on the structures of APDU messages - Security,
• ISO/IEC 7816-5:1994 Identification cards -- Integrated circuit(s) cards with contacts -- Part 5: Numbering system and registration procedure for application identifiers - Security,
• ISO/IEC 7816-7:1999 Identification cards -- Integrated circuit(s) cards with contacts -- Part 7: - Security,
• ISO/IEC 7816-8:1999 Identification cards -- Integrated circuit(s) cards with contacts -- Part 8: Security related - Security,
• ISO/IEC 7816-9:2000 Identification cards -- Integrated circuit(s) cards with contacts -- Part 9: Additional - Security,
• ISO/IEC 7816-10:1999 Identification cards -- Integrated circuit(s) cards with contacts -- Part 10: Electronic signals and answer to reset for synchronous cards - Security,
• ISO/IEC 7816-11:2004 Identification cards -- Integrated circuit cards -- Part 11: Personal verification through biometric methods - Security,
• ISO/IEC 7816-15:2004 Identification cards -- Integrated circuit cards with contacts -- Part 15: Cryptographic information application - Security,
• ISO/IEC 9594-8:1998 Information technology -- Open Systems Interconnection -- The Directory: Authentication framework - Security,
• ISO 9735-5:2002 Electronic data interchange for administration, commerce and transport (EDIFACT) -- Application level syntax rules (Syntax version number: 4, Syntax release number: 1) -- Part 5: Security rul - Security,
• ISO/IEC 10164-9:1995 Information technology -- Open Systems Interconnection -- Systems Management: Objects and attributes for access control - Security,
• ISO/IEC 10181-1:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Overview - Security,
• ISO/IEC 10181-2:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Authentication framework - Security,
• ISO/IEC 10181-3:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Access control framework - Security,
• ISO 10202-1:1991 Financial transaction cards -- Security architecture of financial transaction systems using integrated circuit cards -- Part 1: Card life cycle - Security,
• ISO 10202-7:1998 Financial transaction cards -- Security architecture of financial transaction systems using integrated circuit cards -- Part 7: Key management - Security,
• ISO 10202-8:1998 Financial transaction cards -- Security architecture of financial transaction systems - Security,
• ISO/IEC TR 13335-1:1996 Information technology -- Guidelines for the management of IT Security -- Part 1: Concepts and models for IT Security - Security,
• ISO/IEC TR 13335-2:1997 Information technology -- Guidelines for the management of IT Security -- Part 2: Managing and planning IT Security - Security,
• ISO/IEC TR 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security - Security,
• ISO/IEC 15408-1:1999 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general mode - Security,
• ISO/IEC 15408-2:1999 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements - Security,
• ISO/IEC 17799:2000 Information technology -- Code of practice for information security management - Security,
• ISO JTC1 SC37 1.37.19784.1 BioAPI - Biometric Application Programming Interface - Security,
• ISO JTC1 SC37 1.37.19794 - Biometric Data Interchange Format - Security,
• ISO JTC1 SC37 1.37.19794.3 Biometric Data Interchange Format - Part 3: Finger Pattern Spectral Data - Security,
• ISO JTC1 SC37 1.37.19794.4 Biometric Data Interchange Format - Part 4: Finger Image Data - Security,
• ISO JTC1 SC37 1.37.1974.5 Biometric Data Interchange Format - Part 5: Face Image Data - Security,

    Federal Documents on Security Technologies

• - Security,
• FIPS 197 Federal Information Processing Standards Publication 197, Specification for the Advanced Encryption Standard (AES) - Security,

    IETF Internet Requests for Comments (RFCs) on Security Technologies

• RFC 1004 Distributed-protocol authentication scheme - Security,
• RFC 1352 SNMP Security Protocols - Network Management,
• RFC 1507 DASS - Distributed Authentication Security Service - Security,
• RFC 1826 IP Authentication Header - Security,
• RFC 1827 IP Encapsulating Security Payload (ESP) - Security,
• RFC 1940 Source Demand Routing: Packet Format and Forwarding Specification (Version 1) - Network Management,
• RFC 1968 The PPP Encryption Control Protocol (ECP) - Security,
• RFC 2040 The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms - Security,
• RFC 2045 Multi-Purpose Internet Mail Extensions (MIME) and Secure/MIME - Security,
• RFC 2086 IMAP4 ACL extension - Security,
• RFC 2093 Group Key Management Protocol (GKMP) Specification - Security,
• RFC 2228 FTP Security Extensions - Security,
• RFC 2230 Key Exchange Delegation Record for the DNS - Security,
• RFC 2244 ACAP -- Application Configuration Access Protocol - Security,
• RFC 2246 The TLS Protocol Version 1.0 - Security,
• RFC 2313 PKCS #1: RSA Encryption Version 1.5 - Security,
• RFC 2315 PKCS #7: Cryptographic Message Syntax Version 1.5 - Security,
• RFC 2406 IP Encapsulating Security Payload (ESP) - Security,
• RFC 2437 PKCS #1: RSA Cryptography Specifications Version 2.0 - Security,
• RFC 2440 OpenPGP Message Format - Security,
• RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) - Security,
• RFC 2409 The Internet Key Exchange (IKE) - Security,
• RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile - Security,
• RFC 2510 Internet X.509 Public Key Infrastructure Certificate Management Protocols - Security,
• RFC 2511 Internet X.509 Certificate Request Message Format - Security,
• RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Security,
• RFC 2547 BGP/MPLS VPNs - Security, Network Management,
• RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP - Security,
• RFC 2764 A Framework for IP Based Virtual Private Networks - Security, Network Management,
• RFC 2753 A Framework for Policy-based Admission Control - Security,
• RFC 2797 Certificate Management Messages over CMS - Security,
• RFC 2817 Upgrades to TLS within HTTP/1.1 - Security,
• RFC 2818 HTTP over TLS (HTTPS) - Security,
• RFC 2865 Remote Authentication Dial In User Service (RADIUS) - Security,
• RFC 2869 RADIUS Extensions - Security,
• RFC 2874 DNS Extensions to Support IPv6 Address Aggregation and Renumbering - Security,
• RFC 2875 - Security,
• RFC 2898 PKCS #5: Password-Based Cryptography Specification Version 2.0 - Security,
• RFC 2946 Telnet Data Encryption Option - Security,
• RFC 2977 Mobile IP Authentication, Authorization, and Accounting Requirements - Security,
• RFC 2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0 - Security,
• RFC 3053 IPv6 Tunnel Broker - Network Management,
• RFC 3268 Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS) - Security,
• RFC 3280 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - Security,
• RFC 3369 Cryptographic Message Syntax (CMS) - Security,
• RFC 3370 Cryptographic Message Syntax (CMS) Algorithms - Security,
• RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) - Network Management,
• RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 - Security,
• RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework - Security,

    Other Security Technolog

• IEEE 802.11b Web Encryption Protocol - Security,
• IEEE 802.11i Security for Wireless Networks - Security,
• RSA Documents on Security Technologies - Security,
• RSA PKCS #8 Private-Key Information Syntax Standard - Security,
• RSA PKCS #12 Personal Information Exchange Syntax Standard, version 1.0. - Security,
• OASIS Documents on Security Technologies - Security,
• WC3 XML Key Management Specification (XKMS 2.0) Bindings - Security,
• AGA-12 Cryptographic Protection of SCADA Communications General Recommendations. - Security,
• ANSI INCITS 359-2004 Role Based Access Control (RBAC) - Security,
• EPRI 1002596 ICCP TASE.2 Security Enhancements - Security,
• NERC Certificate Policy for the Energy Market Access and Reliability Certificate (e MARC) Program Version 2.4 - Security,
• NIST GSC-IS The NIST Interagency Report 6887 - 2003 edition (Government Smart Card-Interoperability Specification) Version 2.1 - Security,
• NISTIR 6529 Common Biometric File Format (CBEFF) - Security,
• Smart Card Alliance Smart Card Primer - Security,
• Smart Card Alliance Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology - Security,
• Smart Card Alliance Government Smart Card Handbook - Security,
• WebDAV Access Control Extensions to WebDAV - Security,
• WPA WI-FI Protected Access - Security,
• WPA2 WI-FI Protected Access Version 2 - Security,
• TMN PKI - Digital certificates and certificate revocation lists profiles - Security,

Possible Technologies

    Utility Field Device Related Data Exchange Technologies

• Fieldbus - Configuration, Quality of Service,
• PROFIBUS - Configuration, Quality of Service,
• ModBus - Configuration, Quality of Service,
• ModBus TCP/IP - Configuration, Quality of Service,
• ModBus Plus - Configuration, Quality of Service,

    Networking Technologies

• Intermediate System to Intermediate System (ISIS) Routing Protocol - Configuration,
• Routing Information Protocol (RIP) - Configuration,

    Application Layer Protocols

• CSV files - Data Management