whitepaper_mpls and nerc cip compliance belllab
Post on 11-Oct-2015
Description: How to achieve NERC CIP compliance with IP/MPLS network
TECHNOLOGY WHITE PAPER
Power utilities supporting bulk electric systems (BES) must comply with the Critical
Infrastructure Protection (CIP) requirements specified by the North American Electric
Reliability Corporation (NERC). Specifically, network endpoints, such as routers and
switches that access communications networks at BES locations, are critical cyber assets
(CCAs) and must be protected within electronic security perimeters (ESPs).
This paper shows that MPLS-based networks provide secure, reliable, efficient, flexible
and cost-effective communication between CCAs at different BES locations, as well as
between CCAs and other smart grid elements. Even if utilities decide to take advantage
of the currently available exemption that does not require systems using non-routable
protocols to be protected within ESPs, MPLS networks can be used to emulate all
necessary non-routable protocols over a single networking infrastructure.
We provide an analysis of the current state of the NIST Smart Grid Cyber Security Strategy
and Requirements and discuss how they can be applied to MPLS endpoints in order to
satisfy the NERC CIP cyber security requirements. We also demonstrate how the ITU-T
X.805 security standard can be used to depict the compliance level of a CCA, as well as
the entire ESP.
Alcatel-Lucent offers a family of MPLS routers with a broad range of security features necessary
to provide the defense-in-depth mandated by the NERC CIP cyber security requirements.
Achieving NERC CIP* Compliance with Secure MPLS Networks
A Bell Labs Memorandum
Ahmet Akyamac, Ph.D., Jayant Deshpande, Ph.D., Andrew McGee, CISSP, GREM, GCIH
* Critical Infrastructure Protection (CIP) requirements from the North American Reliability Corporation (NERC) standards (Sections CIP-001 through CIP-009). The NERC standards are available at www.nerc.com/files/Reliability_Standards_Complete_Set_2009Dec3.pdf
Table of contents
1. Introduction
2. Reference Architecture
2.1 Key Definitions
2.2 Basic Communication Architecture
2.3 Extended Reference Architecture
3. Communication over MPLS networks
3.1 MPLS Architecture
3.2 Converged MPLS Networks
3.3 Additional MPLS Features
4. Interim NERC CIP Compliance with MPLS-based Non-Routable Protocol
5. MPLS is the Right Choice with or without the Exemption
6. ESP Security Implementation
6.1 Requirements Overview
6.2 ESP Identification and Protection
6.3 System Security Management
6.4 Technical Guidance for Compliance with NERC CIP Requirements
7. Using ITU-T's X.805 Security Standard to Secure the Smart Grid
8. Threats to the Electronic Security Perimeter
9. Potential Vulnerabilities in the ESP
10. Mitigations for ESP Vulnerabilities and NERC CIP Compliance
11. Conclusions
12. References
13. Acronyms
Appendix A. MPLS Architecture
Appendix B. Additional MPLS Features
Appendix C. Technical Guidance for Compliance with NERC CIP Requirements
Appendix D. The X.805 Security Dimensions
Appendix E. Potential Vulnerabilities in the Power Grid
Achieving NERC CIP Compliance with Secure MPLS Networks | Technology White Paper
The Reliability Standards for the Bulk Electric Systems of North America¹, specified by the North American Electric Reliability Corporation (NERC), include requirements for Critical Infrastructure Protection (CIP) for compliance by electric power utilities in protecting the critical cyber assets (CCA) of bulk electric systems (BES). All hardware, software, data systems, and network elements at bulk generation stations, transmission substations, and utility data and control centers must comply with the NERC CIP requirements.
This paper shows that MPLS-based networks provide secure, reliable, efficient, flexible and cost-effective communication between the CCAs at different BES locations, as well as between the CCAs and other smart grid network elements.
NERC requirements define the Electronic Security Perimeter (ESP) as a logical border surrounding a network to which CCAs are connected and access must be controlled. In most cases, an ESP will include CCAs at a single BES location connected over a LAN. Any system (e.g. a router) that uses a routable protocol (such as IP) is, by definition, considered a CCA and must be included in an ESP. Consequently, a communication system in the BES that does not use a routable protocol would not be considered a CCA. This loosened requirement is referred to as NERC CIP's non-routable protocol exemption (examples of non-routable protocols include PDH/SONET, Ethernet or Frame Relay). Therefore, networking systems providing connectivity with a non-routable protocol can reside outside of an ESP, and are not subject to NERC CIP requirements. We also show that MPLS networks can natively and effectively support communication over many non-routable protocols; therefore a utility does not need to deploy multiple networks with different non-routable protocols.
It is believed by many that NERC CIP's non-routable protocol exemption (called "the exemption" throughout this paper) has been deliberately allowed by NERC to facilitate timely NERC CIP compliance without substantial immediate investment. Future revisions of the NERC CIP requirements may require all communication systems at a BES location to be CCAs, removing the current (implied) exemption of systems with non-routable protocols.
In addition, this paper will show that MPLS networks facilitate secure implementation and NERC CIP compliance with or without the exemption.
The reference architecture relevant to the NERC CIP requirements is presented in Section 2. In Section 3, we describe key features of MPLS infrastructure and emulation of communication protocols and services. Section 4 establishes the applicability and advantages of supporting non-routable protocols over MPLS infrastructure, leading to compliance with the current requirements under the exemption on non-routable protocols. Section 5 details MPLS network essentials that support utility applications and NERC CIP compliance, even when the exemption is removed from the specifications.
The remainder of this paper discusses the impact that removing the non-routable protocol exemption would have on compliance requirements. An overview of the nine NERC CIP requirements is provided in Section 6, along with guidance for satisfying the requirements' technical aspects. Section 7 describes ITU-T Standard X.805 and how it can be used to measure compliance levels of a cyber asset or entire ESP. Sections 8 and 9 list locations, threat types, and potential vulnerabilities to the bulk electric system. Section 10 describes countermeasures that can mitigate those vulnerabilities. Finally, a summary and our conclusions are presented in Section 11.
For convenience, several Appendices at the end of the document present additional information on MPLS features, X.805, and other security aspects related to the main body of the document.
2. Reference Architecture
Before presenting the reference architecture, a few relevant terms from the NERC CIP standard are introduced.
2.1 Key Definitions
The NERC CIP requirements (more correctly the Regional Reliability Organization) define a Bulk Electric System (BES) as the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition. Thus, cyber assets at most distribution substations, and the distribution feeders, are not covered by NERC CIP requirements.
In the standards, Critical Assets are defined as facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the BES. Critical Cyber Assets (CCAs) are programmable electronic devices and communication networks including hardware, software, and data that are essential to reliable operation of critical assets. Hardware, software, data systems, and networks at utility control centers, bulk power stations, and transmission substations are examples of CCAs². Distribution systems, AMI systems, and their interconnection networks are not.
The Electronic Security Perimeter (ESP) is a logical border surrounding a network to which Critical Cyber Assets are connected and access is controlled. As a practical matter, an ESP will be confined to a physically protected building or space within. Communication links/networks connecting discrete ESPs are not considered part of the ESPs³, so routers and switches in these connecting networks are not CCAs. However, network endpoints on equipment within an ESP functioning as access points to the ESP are considered CCAs and must be secured.
2.2 Basic Communication Architecture
The network architecture in Figure 1 illustrates concepts applicable to NERC CIP requirements.
Figure 1. Example Reference - Communication Architecture for a Bulk Power System
[Figure labels: (Utility) Data and Control Center; (Transmission) Substation; Bulk Power Station; Routable Protocol (i.e., IP)]
² See Requirement CIP-002-B.R1.2 in
³ See Requirement CIP-005-B.R1.3 in