Security Information Architecture for Automation and Control Networks
Abstract
Ongoing automation and the open-access implementation of critical systems are increasing the security vulnerability of the automation and control networks employed in the electric power sector. This work argues that integrating policy-based management with access control mechanisms is necessary to move toward a more effective defense against security threats. The paper introduces a modular architecture based on the XACML framework and applies it to automation and control networks used in the electric power industry. The security architecture is described, and its components are individually analyzed and tested in a real power production environment. The paper also describes the difficulties encountered, presents results, and offers new insights into access control as applied to critical industrial network infrastructures.
Published: 2008-09-01
How to Cite
FEITOSA, Eduardo; OLIVEIRA, Luis; LINS, Bruno; JUNIOR, Ademir; MELO, Rodrigo; SADOK, Djamel; CARMO, Ubiratan. Security Information Architecture for Automation and Control Networks. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 8., 2008, Gramado. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2008. p. 17-30. DOI: https://doi.org/10.5753/sbseg.2008.20885.
