INTERNET 2014, The Sixth International Conference on Evolving Internet


Purpose-bound Certificate Enrollment in Automation Environments

Authors:
Steffen Fries
Rainer Falk

Keywords: device authentication; certificate enrollment; real-time; network access authentication; firewall; substation automation; smart grid; IEC 61850; IEC 60870-5; IEC 62351

Abstract:
Information security is gaining increasing importance for networked control systems. Examples are industrial automation, process automation, and energy automation systems. Characteristic of all these systems is the data exchange between intelligent electronic devices (IEDs), which are used to monitor and control the operation. In energy automation, these IEDs provide the data for obtaining a system view of connected decentralized energy resources (DER). Based on this system view, a set of DER forming a virtual power plant (VPP) can be managed reliably. The communication is realized through domain-specific protocols like IEC 61850 or IEC 60870-5, and it is increasingly performed over public networks as well. Therefore, IT security is a necessary prerequisite to prevent intentional manipulation and thereby ensure the reliable operation of the energy grid. The basis for protecting metering and control communication is cryptographic security credentials, which need to be managed not only during operation, but most importantly during installation (initial enrollment). This process needs to be as simple as possible so as not to increase the overall effort and not to introduce additional sources of failure. Hence, automatic credential management is needed to ensure efficient management of a huge number of devices. This paper describes a new approach for the automatic initial security credential enrollment process during the installation phase of IEDs. The approach targets the binding of the installed IEDs to the operational environment and also to the intended utilization of the IED by embedding specific information into the enrollment communication, which is then reflected in the issued X.509 certificates.

Pages: 28 to 33

Copyright: Copyright (c) IARIA, 2014

Publication date: June 22, 2014

Published in: conference

ISSN: 2308-443X

ISBN: 978-1-61208-349-0

Location: Seville, Spain

Dates: from June 22, 2014 to June 26, 2014