International Journal On Advances in Intelligent Systems, volume 8, numbers 1 and 2, 2015


Binding of Security Credentials to a specific Environment on the Example of Energy Automation

Authors:
Steffen Fries
Rainer Falk

Keywords: device authentication; automated certificate enrollment; real-time; network access authentication; firewall; substation automation; smart grid; smart energy; DER; PKI; IEC 61850; IEC 60870-5; IEC 62351

Abstract:
Information security in critical infrastructures is becoming an inevitable part of networked control systems. Examples are industrial automation, process automation, and energy automation systems. Characteristic of all these systems is the data exchange between intelligent electronic devices (IEDs), which are used to monitor and control the operation. In energy automation deployments, these IEDs provide the data for obtaining a system view of the connected energy resources. This becomes increasingly important as the number of decentralized energy resources (DER) is constantly increasing. Based on the system view, a set of DER forming a virtual power plant can be managed reliably. The communication is realized through domain-specific communication protocols such as IEC 61850 or IEC 60870-5. This communication is performed over networks in different administrative domains, including public networks. Therefore, IT security is a necessary prerequisite to prevent intentional manipulation, thereby supporting the reliable operation of the energy grid. The basis for protecting metering and control communication is cryptographic security credentials, which need to be managed not only during operation, but most importantly during installation (initial enrollment). This process needs to be as simple as possible so as not to increase the overall effort and not to introduce additional sources of failure. Hence, automatic credential management is needed to ensure efficient management of a huge number of devices. This paper describes a new approach for the automatic initial security credential enrollment process during the installation phase of IEDs. The approach targets the binding of the security credentials of the installed IEDs to the operational environment and also to the intended utilization of the IED, by embedding specific information into the enrollment communication, which is then reflected in the issued X.509 certificates.

Pages: 107 to 117

Copyright: Copyright (c) to authors, 2015. Used with permission.

Publication date: June 30, 2015

Published in: journal

ISSN: 1942-2679