From: Load balancing of renewable energy: a cyber security analysis
| # | Name | From | To | Initiator | Protocols | Auth | Comment |
|---|---|---|---|---|---|---|---|
| RTU & IED Maintenance Data | | | | | | | |
| 1 | RTU&IED Maintenance data | DSO Element Manager | Primary RTUs | DSO Element Manager | Unknown protocol over fiber WAN | LI | This is for changing parameters of RTUs and IEDs from the central office and downloading them to the RTUs; examples are the allocation of signals to input board channels. |
| 2 | RTU&IED Maintenance data | DSO Element Manager | Secondary RTUs | DSO Element Manager | Unknown protocol over GPRS WAN | LI | Same as above |
| 3 | RTU&IED Maintenance data | Substation workstation | Primary RTUs | Substation workstation | Internal format, over LAN | LI | Local update of RTU Maintenance Data in the Primary Substation from the local workstation |
| 4 | RTU&IED Maintenance data | Substation mobile workstation | Secondary RTUs | Substation mobile workstation | Internal format, over LAN | LI | Local update of RTU Maintenance Data in the Secondary Substation from the local mobile workstation |
| | RTU&IED Maintenance data | Energy Supplier Element Manager | DER RTUs | Energy Supplier Element Manager | Some type of web service and VPN over Internet | LI | This is for changing parameters of the DER RTUs and IEDs from the Energy Supplier and downloading them to the RTUs; examples are the allocation of signals to input board channels. |
| 5 | RTU&IED Maintenance data | Substation mobile workstation | DER RTU | Substation mobile workstation | Internal format, over LAN | LI | Local update of RTU and IED Maintenance Data in the DER Substation from the local mobile workstation |
| SCADA Maintenance Data | | | | | | | |
| 6 | SCADA Maintenance data | DE HMI | Data Engineering | DE HMI | SQL commands | LI | Maintenance data for SCADA; examples are static topology, limits, etc. Data Engineering users enter data from the HMI into the Data Engineering database (Oracle). |
| 7 | SCADA Maintenance data | Data Engineering | SCADA | Data Engineering | Internal proprietary protocols | FS | SCADA maintenance data loaded into the SCADA real-time database from Data Engineering |
| Front End Maintenance Data | | | | | | | |
| 8 | Front End Maintenance Data | SCADA | Front End | SCADA | RSP | FS | Maintenance data to the Front End from SCADA. The Front End Maintenance Data is a subset of the SCADA Maintenance Data from Data Engineering. IEC 60870-5-104 does not support maintenance data, so this can only be sent with proprietary protocols like RSP. |
| 9 | Meter Configuration Data | Meter Firmware and Key Server | Smart Meter | Meter Firmware and Key Server | DLMS | HLS5 | This is for sending down new software updates to the Smart Meters. |
| 10 | Meter Configuration Data | Meter Firmware and Key Server | Smart Meter | Meter Firmware and Key Server | DLMS | Same as DF49 | The same applies to the update of the encryption keys (EK) as to the update of meter firmware. The EK is in turn encrypted by the so-called master key (KEK), which is unique for every meter (the EK is also unique per meter). |
| Process Data | | | | | | | |
| 11 | Process data (bidirectional) | Primary RTU | SCADA Front End | SCADA Front End | IEC 60870-5-101, IEC 60870-5-104, DNP 3.0, Modbus, proprietary protocols | FS | Collection of measurands, indications and pulse counters from RTUs over the Process WAN, and sending of commands and setpoints. This is a polled system where the Front Ends take the initiative in both directions. |
| 12 | Process data (bidirectional) | Secondary RTU | SCADA Front End | SCADA Front End | Same as above | FS | Same as above |
| 13 | Process data (bidirectional) | DER RTUs | SCADA Front End | SCADA Front End | Same as above | FS | Same as above |
| 14 | Process data (inflow) | SCADA Front End | SCADA | SCADA Front End | RSP, IEC 60870-5-104 | FS | Process data from the Front End to SCADA, and commands and setpoints from SCADA to the Front Ends |
| 15 | Process data (commands) | SCADA | SCADA Front End | SCADA | RSP, IEC 60870-5-104 | FS | Commands from SCADA to the Front End |
| 16 | Process data (inflow) | SCADA | HMI | HMI | Internal proprietary protocols | FS/LI | The HMI asks for process data from the SCADA server real-time database to present process displays. When the operator starts a session, he has to log in to define his authorities; after login there is an established connection. |
| 17 | Process data (commands) | HMI | SCADA | HMI | Internal proprietary protocols | FS/LI | The operator, via the HMI, requests commands to be sent to RTUs |
| 18 | Process data (inflow) | SCADA | Replicated SCADA | SCADA | Internal proprietary protocols | FS | SCADA replicates process data to the Replicated SCADA |
| 19 | Process data (inflow) | Replicated HMI | Replicated SCADA | Replicated HMI | Internal proprietary protocols | FS/LI | The Replicated HMI asks for process data from the Replicated SCADA server real-time database to present process displays. |
| 20 | Process Data (inflow) | SCADA HMI | Office Station | Office Station | Internal format, VPN | FS/LI | Possibility for an Office station to remotely use the SCADA HMI over VPN to look at process data. This is possible in many existing systems and is implemented to give office users, e.g. managers, the possibility to look at SCADA displays. |
| 20b | Process Data (inflow) | Replicated SCADA HMI | Office Station | Office Station | Internal format, VPN | FS/LI | Same as above |
| 21 | Process Data (commands) | Office Station | SCADA HMI | Office Station | Internal format, VPN | FS/LI | Possibility for an Office station to remotely use the SCADA HMI over VPN and send Process Data commands, e.g. open breakers. This is possible in many existing systems. This is the main vulnerability used in the Ukrainian blackout. |
| 21B | Process Data (commands) | Office Station | Replicated SCADA HMI | Office Station | Internal format, VPN | FS/LI | Same as above |
| Remote Substation Login | | | | | | | |
| 22 | Remote substation login | Office Station | Substation workstation | DSO Office Station, Engineering zone | CITRIX format for remote desktop (RDP) | LI | Remote login to the Substation workstation from the office network. Uses a remote desktop connection (CITRIX). Normal login procedures to access the RTU. |
| 23 | Historic data | SCADA | Historian | SCADA | SQL commands | FS | SCADA logs process data from the real-time database and inserts it into the historical database using Oracle SQL commands. |
| 24 | Historic data | Historian | Replicated Historian | Historian | SQL commands | FS | The Historian replicates historic data to the Replicated Historian in the DMZ using standard Oracle features for duplication |
| 25 | Historic Data | Historian | HMI | HMI | SQL commands | FS/LI | Historic data from the Historian is presented on the SCADA HMI. |
| 26 | Historic Data | Replicated Historian | Office station | Office station | VPN | LI | The office user picks up historic data from the Replicated Historian in the DMZ to be used in office applications |
| Software/Hardware Data | | | | | | | |
| 27 | RTU&IED Software | DSO Update server | Primary RTU | DSO Update server | Protocol unknown, over fiber WAN | LI | Software/firmware updates from the DSO Engineering Zone to RTUs and IEDs in primary substations |
| 28 | RTU&IED Software | DSO Update server | Secondary RTU | DSO Update server | Same as above, over GPRS | LI | Same as above |
| 29 | RTU&IED Software | DSO File transfer | DSO Update server | DSO Update server | Protocol unknown, over LAN | ? | RTU&IED software updates pulled from the DSO File Transfer server to the Update server in the Engineering zone |
| 29a | RTU&IED Software | Vendor Server | DSO File Transfer | DSO File Transfer | Protocol unknown, over Internet | LI | This is the transfer of RTU&IED software updates pulled from the vendor server to the DSO File Transfer server |
| 30 | SCADA Software | Vendor Server | File transfer server | File transfer server | Protocol unknown, over Internet | LI | SCADA software updates and bug fixes from the vendor to the File transfer server in the DMZ |
| 31 | SCADA Software | File transfer server (DMZ) | SCADA | SCADA | Protocol unknown, over LAN | FS | SCADA software updates from the DMZ to SCADA |
| 32 | RTU&IED Software | Substation workstation | Primary RTUs | Substation workstation | Internal format, over LAN | LI | Local software/hardware update of RTU Software Data in the Primary Substation from the local workstation |
| 33 | RTU&IED Software | Substation mobile workstation | Secondary RTUs | Substation workstation | Internal format, over LAN | LI | Local software/hardware update of RTU Software Data in the Secondary Substation from the local mobile workstation |
| 34 | RTU&IED Software | Substation mobile workstation | DER RTU | Substation mobile workstation | Internal format, over LAN | LI | Local update of RTU and IED software data in the DER substation from the local mobile workstation |
| 35 | Time Synch Data | Time Server | SCADA | SCADA | NTP | FS | Standard format for synchronizing clocks. This is done over the SCADA LAN. |
| 36 | Time Synch Data | Time Server | SCADA Front End | SCADA | NTP | FS | Same as above |
| 37 | Time Synch Data | SCADA Front End | Primary RTU | SCADA Front End | IEC 60870-5-101, IEC 60870-5-104, DNP 3.0, Modbus | FS | Time synch data from the SCADA Front End to the Primary RTUs in order to synchronize the clocks of the RTUs. Uses special telegrams for time synchronization. |
| 38 | Time Synch Data | SCADA Front End | Secondary RTU | SCADA Front End | Same as above (IEC 60870-5-101, DNP 3.0, Modbus) | FS | Same as above |
| 39 | Time Synch Data | SCADA Front End | DER RTU | SCADA Front End | IEC 60870-5-101, IEC 60870-5-104, DNP 3.0, Modbus | FS | Same as above |
| Load Forecast Data | | | | | | | |
| 40 | Load Forecast Data | TSO | File Transfer server | TSO | FTP format over Internet / VPN | ? | TSO Load Forecast data to the SCADA File Transfer Server. |
| 41 | Load Forecast Data | File Transfer server, DMZ | SCADA | SCADA | FTP format | FS | SCADA picks up Load Forecast Data from the File transfer server in the DMZ and uses it to predict loads and balance them against local generation in the DER |
| Meter Data | | | | | | | |
| 42 | Meter Data | Smart Meters | Meter Data Concentrator | Meter Data Concentrator | DLMS | FS? | Collection of Meter Data from Smart Meters to Meter Data Concentrators using PLC. We do not model alarms from meters, so here only the Meter Data Concentrator is the Initiator. |
| 43 | Meter Data | Meter Data Concentrator | AMI Private Houses | AMI Private Houses | DLMS, FTP, Web-based | FS? | Collection of Meter Data from the Meter Data Concentrator to the AMI system for private customers. The communication protocol depends on the solution; it might be DLMS, a web server or (s)FTP based. |
| 44 | Meter Data | Smart Meters | AMI Private Houses | AMI Private Houses | DLMS, VPN over GPRS | FS? | Collection of Meter Data from the Smart Meters directly to the AMI system for private customers. The HE-system periodically contacts the meter to check whether any alarms are available, whether the meter is alive, to sync the clock of the e-meter, to perform maintenance, etc. |
| 45 | Meter Data | AMI Private Houses | Office station | Office station | Internal format | LI | Possibility for an office station to look at Meter Data from AMI Private Houses, e.g. power quality data in profiles in the meter: 10-minute average power, voltage level, currents etc., for grid analysis. This dataflow is highly unlikely for obvious privacy reasons (power and current can help deduce the behavior of consumers). |
| 46 | KWh Meter Data | KWh Meter | Meter Data Concentrator | KWh Meter | Internal Format | FS? | Collection of kWh data from Smart Meters to Meter Data Concentrators using PLC. In Holland, the consumer has the right to refuse kWh or privacy-related data being read out. All other data needed for maintenance may always be read out of the meter. |
| 47 | KWh Meter Data | Meter Data Concentrator | AMI Industrial Customers | AMI Industrial Customers | Internal format | FS? | Collection of kWh data from the Meter Data Concentrator to the AMI system for Industrial customers. |
| 48 | KWh Meter Data | AMI Industrial Customers | Data Hub | AMI Industrial Customers | Transfer over Internet | FS? | This is sending kWh data from the DSO AMI system for industrial customers to the Data Hub for further distribution to the Energy Suppliers, so that the Energy Supplier knows how much he has produced in the DER. |
| 49 | KWh Meter Data | Data Hub | Energy Supplier System | Energy Supplier System | Transfer over Internet | FS? | This is sending kWh data from the Data Hub to the Energy Supplier System so the Energy Supplier knows how much he has produced in his DER. |
| Internet Data | | | | | | | |
| 50 | Internet Data | Office stations | Public Internet | Office Station | Internet format | LI | Possibility for a DSO office user to access the Internet, e.g. for sending and receiving emails. This is the phishing mechanism used in the Ukrainian blackout to get access to the Office LAN. |