April 20, 2024

From Research to Action: Beyond the Substation Switch
Effectively Managing Field Networks and Devices

by Galen Rasche, Senior Program Manager, Power Delivery And Utilization Sector, EPRI

The reliable and efficient delivery of electric power increasingly depends on information technology (IT) and communication infrastructures. This information infrastructure supports the control of operational assets and the monitoring of electric grid and equipment health. As more IP-based networks and devices are deployed, managing the information infrastructure will become crucial to providing high levels of security and reliability in power system operations.

Management of this information infrastructure layer requires connectivity and analytics to support both IT and operational technology (OT) assets in a unified manner. For example, once you have established a centralized network operations center (NOC) and substation local area networks (LANs), how do you monitor and manage the intelligent electronic devices (IEDs) on the LAN? Tools are currently available to manage the network equipment of power delivery systems, but there is a distinct gap in the field: these tools are unable to gather system health or alarms from the field devices, remote terminal units (RTUs), and IEDs. A scalable, vendor-neutral solution is needed for integrated network, system, and security management of operations systems.

Network and system management (NSM) provides a solution to this challenge. It typically is viewed as having two functional components – monitoring and management:

  • NSM monitoring provides the capability to acquire information related to the operational aspects of a communication infrastructure. This information can be used for network design optimizations, security event detection, communication anomaly detection, and other purposes.
  • NSM management provides the capability to control key aspects of the communication infrastructure and to resolve detected problems. An example of management is the ability to remotely disable a communications port on a switch.

NSM data objects provide the metrics, granularity and visibility for managing and monitoring both the network and the field devices. A standardized set of objects enables interoperability and proliferation of applications that can use the objects. Figure 1 shows the proposed NSM architecture for operations systems.

Applying NSM objects to power delivery systems would support several key operational objectives:

  1. Integrated awareness of network activity, state and health within electrical utility networks
  2. Uniform and logically consistent packet prioritization, service segmentation, and processing internally (Substation LAN) and externally (Substation-to-Substation Area Network, Substation WAN)
  3. Effective monitoring, maintenance, traffic control, and logging for the electronic security perimeter
  4. Security monitoring, control and management of end devices

To support these objectives, the International Electrotechnical Commission (IEC) developed part 7 of the 62351 standards series, titled "Security through network and system management". Within IEC 62351-7, the objects include both monitoring and management aspects. This is well aligned with typical IT network environments and network technologies, which use both monitoring and management capabilities. These capabilities include the monitoring and management of:

  • Servers used as general purpose computational platforms that are used for widely accessed applications such as web portals/pages, FTP, mail, etc.
  • Hosts used as general purpose office/backend computers that are used by local applications as well as SCADA and EMS systems
  • Intermediate systems such as firewalls, routers, and Ethernet switches, and
  • Field devices such as IEDs and RTUs


Figure 1: NSM for Power Delivery Systems
 

In 2012, EPRI began a multi-year research project to assist utilities and vendors in employing this standard. At the end of 2013, EPRI released report 3002000373 Network Security Management for Transmission Systems, which analyzed the potential for implementing IEC 62351-7 in a standardized and interoperable manner. As part of this research, an initial Simple Network Management Protocol (SNMP) Management Information Base (MIB) and information models were developed. These were used to validate the semantics of the standard.

The electric sector is beginning to recognize the advantages of applying NMS technology to power systems. This is especially true in the domain of substation LANs, where multiple vendors are developing NMS tools. While this is a step in the right direction, these tools are still limited in their capabilities and not interoperable. However, interoperability will be the key to realizing the operational benefits of NSM technology. The potential of NSM is not in the objects themselves, but in the applications that are built to manage these objects. These applications may be deployed in the substation network components, gateway devices, IEDs, or in the control center. Supporting interoperability avoids vendor lock-in and ensures that best-of-breed components can be used throughout a deployment.

A prototype tool currently being developed by EPRI demonstrates the value of this approach. The Substation Network Explorer (SNE) uses the IEC 62351-7 NSM objects to display:

Substation Network Visualization

  • Network topology
  • IED configuration

Asset Security Monitoring

  • Key system resources
  • CPU/memory/temperature
  • Power supply
  • Device clock

Network Performance Analysis

  • Substation network bandwidth
  • Protocol traffic statistics
  • Network latency statistics
  • Switch/router status

Deep Packet Inspection of Substation Traffic

  • Protocol error detection
  • Excess idle time and DoS detection
  • Packet loss or illegal header detection

IEC 62351-7 SNMP Gateway

  • Report all substation security in IEC 62351-7 MIBs
  • Convert vendor-specific MIBs to 62351-7 MIBs
  • Supports multiple NSM masters
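
The gateway and asset-monitoring functions listed above can be pictured as a normalization step followed by threshold checks. The following is an added example, not EPRI's SNE code and not the IEC 62351-7 object model: the vendor keys, common field names, thresholds and sample polls are all hypothetical and constructed for illustration.

```python
# Added example: normalize vendor-specific device health into one common record.
# Field names, vendor keys and limits are hypothetical, not from IEC 62351-7.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Health:
    device: str
    cpu_pct: Optional[float]
    mem_pct: Optional[float]
    temp_c: Optional[float]
    clock_skew_s: Optional[int]   # device clock minus gateway reference clock

# Per vendor: common field -> (vendor key, converter into the common unit)
VENDOR_MAPS = {
    "vendorA": {"cpu_pct": ("cpuLoad", float), "mem_pct": ("memUsed", float),
                "temp_c": ("tempC", float), "epoch": ("sysClock", int)},
    "vendorB": {"cpu_pct": ("cpu_permille", lambda v: v / 10),
                "mem_pct": ("mem_free_pct", lambda v: 100 - v),
                "temp_c": ("temp_f", lambda v: (v - 32) * 5 / 9),
                "epoch": ("rtc_ms", lambda v: v // 1000)},
}
LIMITS = {"cpu_pct": 90.0, "mem_pct": 90.0, "temp_c": 70.0, "clock_skew_s": 2}

def normalize(vendor, device, raw, ref_epoch):
    """Translate one vendor-specific poll result into the common record."""
    mapping = VENDOR_MAPS[vendor]          # unknown vendor raises KeyError
    out = {f: (conv(raw[k]) if k in raw else None) for f, (k, conv) in mapping.items()}
    epoch = out.pop("epoch")
    skew = None if epoch is None else epoch - ref_epoch
    temp = None if out["temp_c"] is None else round(out["temp_c"], 1)
    return Health(device, out["cpu_pct"], out["mem_pct"], temp, skew)

def alarms(h):
    """Return (device, field, reason) tuples to forward to an NSM master or SIEM."""
    found = []
    for field, limit in LIMITS.items():
        v = getattr(h, field)
        if v is None:                      # a metric that stops reporting is itself an alarm
            found.append((h.device, field, "missing"))
        elif (abs(v) if field == "clock_skew_s" else v) > limit:
            found.append((h.device, field, f"{v} exceeds {limit}"))
    return found

REF = 1_700_000_000                        # constructed reference time (epoch seconds)
POLLS = [                                  # constructed sample polls
    ("vendorA", "ied-01", {"cpuLoad": 35, "memUsed": 40, "tempC": 41.5, "sysClock": REF + 1}),
    ("vendorB", "rtu-07", {"cpu_permille": 955, "mem_free_pct": 30, "temp_f": 167.0,
                           "rtc_ms": (REF - 45) * 1000}),
]

def run():
    return [a for v, d, raw in POLLS for a in alarms(normalize(v, d, raw, REF))]
```

Because every alarm is expressed against the common record, the same checks apply to any device whose vendor mapping has been defined.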

Figure 2 shows the SNE architecture. Objects and alerts from the SNE can be directed to a control center NSM as well as a utility’s security information and event management (SIEM) system.


Figure 2: EPRI SNE Architecture
 

The IEC 62351-7 Edition 1 standard provides a first draft of abstract object models for performing network and system management functions to enable security architecture guidelines advancing secure access, reliability and network confidence. EPRI continues to engage with the IEC working group to refine the standard to support clearer semantics and interoperability. Additionally, ongoing lab testing of utility use cases is helping to identify any gaps in the current set of objects.

As more IP-based networks and devices are deployed in the field, managing these systems will become an increasing challenge for utilities. Applying NSM to power delivery systems can provide much greater situational awareness for utilities in both the operation and security of field systems, as well as fine-grained control over their networks and assets.

About the Author

Galen Rasche is a Senior Program Manager in the Power Delivery and Utilization (PDU) Sector at the Electric Power Research Institute (EPRI) and the program manager for the PDU Cyber Security and Privacy Program. He is experienced in the areas of cyber security, Smart Grid security and the penetration testing of embedded systems.