Cyber Security

Security Framework for an Active Distribution Network

We have put security mechanisms into place to ensure that the ICT infrastructure is resilient to insider and outsider cyber-attacks. The security mechanisms we implement guarantee that access to all devices in the ADN is limited to authorized personnel. Each authorized person is assigned separate user credentials, so everyone is held accountable for their activities in the network. Accountability is enforced by implementing a logging mechanism that records every activity a user performs and by analyzing the log data to identify suspicious activities.

We have also implemented network access control mechanisms to prevent a rogue device from gaining access to the ADN communication infrastructure. All devices directly connected to the ADN are authenticated using their credentials (digital certificates) before they start any communication with any device in the network. The digital certificates are also used to secure communication between the field devices (PMUs) and the PDC. DTLS (Datagram Transport Layer Security) is used to guarantee end-to-end security for phasor and control data communication. Moreover, we are currently implementing MACsec for hop-by-hop security in order to ensure that bogus traffic injected by a rogue device is discarded at the next switch. This prevents DoS attacks because such traffic does not propagate beyond the first link where it is injected.
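The difference between end-to-end and hop-by-hop protection described above can be seen in a small model. This is an added example, not code from the project: it uses a truncated HMAC-SHA256 tag as a stand-in for both the DTLS record protection and the MACsec integrity check, and the topology, key names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 16  # bytes; truncated HMAC-SHA256 is a stand-in for the real ciphers
# Constructed topology: PMU - switch - switch - PDC (three links, one key each).
LINK_KEYS = [os.urandom(32) for _ in range(3)]
E2E_KEY = os.urandom(32)  # stand-in for the PMU-to-PDC DTLS session keys

def seal(key, data):
    """Append an integrity tag computed over data."""
    return data + hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def unseal(key, blob):
    """Return the data if its tag verifies under key, else None."""
    if len(blob) < TAG_LEN:
        return None
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    good = hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]
    return data if hmac.compare_digest(tag, good) else None

def send(frame, hop_by_hop):
    """Carry a frame injected on link 0 towards the PDC.

    Returns (links_loaded, delivered): the number of links that carried the
    frame, and the data the PDC accepted (None if dropped or rejected).
    """
    links_loaded = 0
    for i, key in enumerate(LINK_KEYS):
        links_loaded += 1                  # the frame occupies link i
        if hop_by_hop:
            inner = unseal(key, frame)     # receiving port checks the link tag
            if inner is None:
                return links_loaded, None  # discarded at the next switch
            last = i + 1 == len(LINK_KEYS)
            frame = inner if last else seal(LINK_KEYS[i + 1], inner)
    return links_loaded, unseal(E2E_KEY, frame)  # end-to-end check at the PDC

def pmu_frame(data, hop_by_hop):
    """Frame from an enrolled PMU: end-to-end tag, plus link tag if enabled."""
    record = seal(E2E_KEY, data)
    return seal(LINK_KEYS[0], record) if hop_by_hop else record

def rogue_frame():
    """Bogus frame from a device that holds none of the keys."""
    return os.urandom(64)
```

With only the end-to-end check, the bogus frame is rejected at the PDC but has already loaded all three links; with the per-link check it loads only the link it was injected on.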

The ADN’s communication infrastructure is also physically separate from the rest of the campus’ public communication infrastructure. There is only minimal communication with the public network, in order to publish the synchrophasor data and the SE output for public access for research purposes. A proxy server in the DMZ (Demilitarized Zone) that censors all incoming and outgoing traffic serves as the only interface between the private smart grid network and the outside world. The DMZ, with the help of the firewalls and the proxy server, serves as a protective barrier that shields the smart grid from incoming attacks from the public network.

MPLS-TP Security

[SECADN] T. T. Tesfay, J.-P. Hubaux, J.-Y. Le Boudec and P. Oechslin, "Cyber-secure Communication Architecture for Active Power Distribution Networks," 29th ACM Symposium on Applied Computing, Gyeongju, South Korea, Mar. 24-28, 2014.