Critical Operations Intra-Substation Environment - #3
This environment encompasses the set of
requirements traditionally known as “substation automation” and
involves information exchanges within a substation that are critical to
legal, safe, and reliable power system operations. Devices within the
substation coordinate with each other to ensure the safety of
equipment and personnel while optimizing the operation of the network
and permitting operators to respond to emergencies.
Typical applications: Uses of this
environment may include voltage/VAR control, interlocking, removing
equipment for maintenance, updating configurations and settings,
responding to faults, load shedding, and manually or automatically
restoring service. These tasks were traditionally performed by
individual devices but are now commonly distributed over local
area networks.
Characteristics: This environment
requires a high level of security because outages, equipment damage or
safety concerns can result from misoperated controls, either manually
or automatically generated. Similarly, maintenance of equipment by
unauthorized personnel could be disastrous.
Similar Environments: Quality of service
requirements are not as strict as with the Rapid Deterministic
environments, but response generally must be better than human
reaction time.
This environment differs from Critical
Operations DAC because it is limited to the substation. Some
utilities may find physical security adequate within the substation,
while electronic security is vital outside the substation. Quality of
service requirements may also be less vital between substation and
control center than within the substation itself, since the substation
automates many critical functions locally.
Definition: This environment is defined
by the following requirements:
Communication and Information Requirements that Define this Environment
Configuration Requirements
- Provide point-to-point interactions between two entities
- Support peer-to-peer interactions
- Support interactions within a contained environment (e.g. substation or control center)
Quality of Service Requirements
- Provide high speed messaging of less than 1 second
- Support very high availability of information flows of 99.99+ (~1 hour)
- Support time synchronization of data for age and time-skew information
Security Requirements
- Provide Authorization Service for Access Control (resolving a policy-based access control decision to ensure authorized entities have appropriate access rights and authorized access is not denied)
- Provide Information Integrity Service (data has not been subject to unauthorized changes or these unauthorized changes are detected)
- Provide Audit Service (responsible for producing records, which track security relevant events)
- Provide Credential Renewal Service (notify users prior to expiration of their credentials)
- Provide Security Policy Service (concerned with the management of security policies)
- Provide Single Sign-On Service (relieve an entity having successfully completed the act of authentication once from the need to participate in re-authentications upon subsequent accesses to managed resources for some reasonable period of time)
- Provide Security Discovery (the ability to determine what security services are available for use)
Network and System Management Requirements
- Provide Network Management (management of media, transport, and communication nodes)
- Provide System Management (management of end devices and applications)
Data Management Requirements
- Support the management of large volumes of data flows
- Support keeping the data up-to-date
- Support extensive data validation procedures
- Support specific standardized or de facto object models of data
- Provide discovery service (discovering available services and their characteristics)
- Provide conversion and protocol mapping
Recommended Technologies
Energy Industry-Specific Technologies
Utility Field Device Related Data Exchange Technologies
- ISO 9506 MMS - Manufacturing Messaging Specification
- Configuration, Quality of Service
- IEC61850 - Substation Automation Communications
- Configuration
- IEC61850 Part 7-2 - GSE (GOOSE and GSSE)
- Configuration, Quality of Service
- IEC61850 Part 7-2 - SMV (Sampled Measured Values)
- Configuration
- IEC61850 Part 7-2 - Abstract Common Services Interface (ACSI)
- Configuration, Quality of Service, Data Management
- IEC61850 Parts 7-3 and 7-4 - Substation Object Modeling
- Network Management, Data Management
- IEC61850 Part 6 - Substation Configuration Language
- Network Management, Data Management
- IEC61850 Power Quality Object Models
- Data Management
- IEC62350 - Object Models for Distributed Energy Resources (DER)
- Network Management, Data Management
- IEC62349 - Hydro Power Plant Object Models
- Network Management, Data Management
- IEC61400-25 for Wind Power Object Models
- Network Management, Data Management
Communications Industry Technologies
Networking Technologies
IP-based Transport Protocols
Application Layer Protocols
Link Layer and Physical Technologies
Wireless Technologies
Computer Systems Related Technologies
Security Technologies
Policy and Framework Related Technologies
General Security Technologies
Media and Network Layer Technologies
Transport Layer Security Technologies
Application Layer Security Technologies
- SNMP Security
- Security, Network Management
- RFC 1305 Network Time Protocol (Version 3) Specification, Implementation
- Quality of Service, Security
- IEC 62351-3 Security for Profiles including TCP/IP
- Security
- IEC 62351-4 Security for Profiles including MMS (ISO-9506)
- Security
- IEC 62351-5 Security for IEC 60870-5 and Derivatives
- Security
- IEC 62351-6 Security for IEC 61850 GOOSE, GSSE, and SMV Profiles
- Security
XML Related Technologies
Network and Enterprise Management Technologies
Network Management Technologies
Security Services
Common Security Services
Network and System Management Services
Enterprise Management Services
- Inventory Management
- Network Management
- Communication System/Network Discovery
- Network Management
- Routing Management
- Network Management
- Traffic Management
- Network Management
- Traffic Engineering
- Network Management
- System/Network Health-Check Analysis
- Network Management
- System/Network Fault Diagnosis
- Network Management
- System/Network Fault Correcting
- Network Management
- Service Level Agreement (SLA) Determination and Maintenance
- Network Management
- System/Network Performance Analysis
- Network Management
- System/Network Performance Diagnosis
- Network Management
- Performance Tuning/Correction
- Network Management
- Accounting and/or Billing
- Network Management
Data Management Common Services
Data Management Common Services
Common Platform Services
Common Platform Services
Data Management Best Practices
Data Management
- Alternate Communication Channels
- Quality of Service
- Backup Data Sources
- Quality of Service
- Metadata Files and Databases
- Network Management, Data Management
- Object Modeling Techniques
- Data Management
- Quality Flagging
- Quality of Service, Network Management, Data Management
- Time Stamping
- Quality of Service, Security, Network Management, Data Management
- Validation of Source Data and Data Exchanges
- Data Management
- Data Update Management
- Data Management
- Management of Time-Sensitive Data Flows and Timely Access to Data by Multiple Different Users
- Quality of Service
- Management of Data and Object Naming
- Data Management
- Management of Data Formats in Data Exchanges
- Data Management
- Management of Data Accuracy
- Data Management
- Management of Data Acquisition
- Data Management
- Management of Manual Data Entry
- Data Management
- Data Storage and Access Management
- Data Management
- Database Maintenance Management
- Data Management
- Application Management
- Network Management
Security Best Practices
Security Frameworks and Policy Documents
- ISO/IEC Security Best Practices
- Security
- ISO/IEC 10164-8:1993 Information technology -- Open Systems Interconnection -- Systems Management: Security audit trail function
- Quality of Service
- ISO/IEC 18014-1:2002 Information technology -- Security techniques -- Time-stamping services -- Part 1: Framework
- Quality of Service
- ISO/IEC 18014-2:2002 Information technology -- Security techniques -- Time-stamping services -- Part 2: Mechanisms producing independent tokens
- Quality of Service
- ISO/IEC 18014-3:2004 Information technology -- Security techniques -- Time-stamping services -- Part 3: Mechanisms producing linked tokens
- Security
- Federal Security Best Practices
- Security
- CJCSI 6731.01 Global Command and Control System Security Policy
- Security
- FIPS PUB 112 Password Usage
- Security
- IETF Security Best Practices Internet Requests for Comments (RFCs)
- Network Management
- RFC 1102 Policy routing in Internet protocols
- Network Management
- RFC 1322 A Unified Approach to Inter-Domain Routing
- Network Management
- RFC 1351 SNMP Administrative Model
- Network Management
- RFC 2008 Implications of Various Address Allocation Policies for Internet Routing
- Network Management
- RFC 2196 Site Security Handbook
- Network Management
- RFC 2276 Architectural Principles of Uniform Resource Name Resolution
- Security
- RFC 2386 A Framework for QoS-based Routing in the Internet
- Network Management
- RFC 2505 Anti-Spam Recommendations for SMTP
- Security
- RFC 2518 HTTP Extensions for Distributed Authoring - WEBDAV
- Network Management
- RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- Network Management
Security Technology Documents
Alternative Technologies
Utility Field Device Related Data Exchange Technologies
Networking Technologies
IP-based Transport Protocols
Wireless Technologies
Virtual Private Networking Technologies
Computer Systems Related Technologies
Network Management Technologies
Alternative Best Practices
Data Management
ISO/IEC Documents on Security Technologies
- ISO/IEC 7816-9:2000 Identification cards -- Integrated circuit(s) cards with contacts -- Part 9: Additional
- Security
- ISO/IEC 9594-8:1998 Information technology -- Open Systems Interconnection -- The Directory: Authentication framework
- Security
- ISO 9735-5:2002 Electronic data interchange for administration, commerce and transport (EDIFACT) -- Application level syntax rules (Syntax version number: 4, Syntax release number: 1) -- Part 5: Security rul
- Security
- ISO/IEC 10164-9:1995 Information technology -- Open Systems Interconnection -- Systems Management: Objects and attributes for access control
- Security
- ISO/IEC 10181-1:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Overview
- Security
- ISO/IEC 10181-3:1996 Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Access control framework
- Security
- ISO/IEC TR 13335-1:1996 Information technology -- Guidelines for the management of IT Security -- Part 1: Concepts and models for IT Security
- Security
- ISO/IEC TR 13335-2:1997 Information technology -- Guidelines for the management of IT Security -- Part 2: Managing and planning IT Security
- Security
- ISO/IEC TR 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security
- Security
- ISO/IEC 15408-1:1999 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general mode
- Security
- ISO/IEC 15408-2:1999 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements
- Security
- ISO/IEC 17799:2000 Information technology -- Code of practice for information security management
- Security
Federal Documents on Security Technologies
IETF Internet Requests for Comments (RFCs) on Security Technologies
- RFC 1305 Network Time Protocol (Version 3) Specification, Implementation
- Quality of Service
- RFC 1352 SNMP Security Protocols
- Network Management
- RFC 1827 IP Encapsulating Security Payload (ESP)
- Security
- RFC 1940 Source Demand Routing: Packet Format and Forwarding Specification (Version 1)
- Network Management
- RFC 1968 The PPP Encryption Control Protocol (ECP)
- Security
- RFC 2040 The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms
- Security
- RFC 2045 Multi-Purpose Internet Mail Extensions (MIME) and Secure/MIME
- Security
- RFC 2086 IMAP4 ACL extension
- Security
- RFC 2093 Group Key Management Protocol (GKMP) Specification
- Security
- RFC 2228 FTP Security Extensions
- Security
- RFC 2230 Key Exchange Delegation Record for the DNS
- Security
- RFC 2244 ACAP -- Application Configuration Access Protocol
- Security
- RFC 2246 The TLS Protocol Version 1.0
- Security
- RFC 2313 PKCS #1: RSA Encryption Version 1.5
- Security
- RFC 2315 PKCS #7: Cryptographic Message Syntax Version 1.5
- Security
- RFC 2406 IP Encapsulating Security Payload (ESP)
- Security
- RFC 2437 PKCS #1: RSA Cryptography Specifications Version 2.0
- Security
- RFC 2440 OpenPGP Message Format
- Security
- RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
- Security
- RFC 2409 The Internet Key Exchange (IKE)
- Security
- RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile
- Security
- RFC 2510 Internet X.509 Public Key Infrastructure Certificate Management Protocols
- Security
- RFC 2511 Internet X.509 Certificate Request Message Format
- Security
- RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- Security
- RFC 2547 BGP/MPLS VPNs
- Security, Network Management
- RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
- Security
- RFC 2764 A Framework for IP Based Virtual Private Networks
- Security, Network Management
- RFC 2753 A Framework for Policy-based Admission Control
- Security
- RFC 2797 Certificate Management Messages over CMS
- Security
- RFC 2817 Upgrades to TLS within HTTP/1.1
- Security
- RFC 2818 HTTP over TLS (HTTPS)
- Security
- RFC 2875
- Security
- RFC 2898 PKCS #5: Password-Based Cryptography Specification Version 2.0
- Security
- RFC 2946 Telnet Data Encryption Option
- Security
- RFC 2977 Mobile IP Authentication, Authorization, and Accounting Requirements
- Security
- RFC 2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0
- Security
- RFC 2986 PKCS #10: Certification Request Syntax Specification Version 1.7
- Security
- RFC 3053 IPv6 Tunnel Broker
- Network Management
- RFC 3268 Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
- Security
- RFC 3280 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- Security
- RFC 3369 Cryptographic Message Syntax (CMS)
- Security
- RFC 3370 Cryptographic Message Syntax (CMS) Algorithms
- Security
- RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
- Network Management
- RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
- Security
- RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- Security
Other Security Technolog
- IEEE 802.11b Web Encryption Protocol
- Security
- IEEE 802.11i Security for Wireless Networks
- Security
- RSA Documents on Security Technologies
- Security
- RSA PKCS #8 Private-Key Information Syntax Standard
- Security
- RSA PKCS #12 Personal Information Exchange Syntax Standard, version 1.0.
- Security
- OASIS Documents on Security Technologies
- Security
- W3C XML Key Management Specification (XKMS 2.0) Bindings
- Security
- AGA-12 Cryptographic Protection of SCADA Communications General Recommendations.
- Security
- ANSI INCITS 359-2004 Role Based Access Control (RBAC)
- Security
- EPRI 1002596 ICCP TASE.2 Security Enhancements
- Security
- NERC Certificate Policy for the Energy Market Access and Reliability Certificate (e-MARC) Program Version 2.4
- Security
- WebDAV Access Control Extensions to WebDAV
- Security
- WPA Wi-Fi Protected Access
- Security
- WPA2 Wi-Fi Protected Access Version 2
- Security
- TMN PKI - Digital certificates and certificate revocation lists profiles
- Security
Possible Technologies
Utility Field Device Related Data Exchange Technologies
- Fieldbus
- Configuration, Quality of Service
- PROFIBUS
- Configuration, Quality of Service
- ModBus
- Configuration, Quality of Service
- ModBus TCP/IP
- Configuration, Quality of Service
- ModBus Plus
- Configuration, Quality of Service
Link Layer and Physical Technologies