Getting IEC 61850 Events into OSIsoft's PI Server
From SCADApedia
IEC 61850 for industrial control communications is becoming widely adopted around the world in new power substations and is being considered for other uses. IEC 61850 is a model rather than a protocol, and must be sent over a protocol such as MMS, DNP3 or Modbus. This makes getting IEC 61850 security events into OSIsoft's PI server more complicated, and there currently is not a PI interface to accomplish this. Fortunately gateway products exist that will extract IEC 61850 events and send them to the OPC PI interface.
Contents |
Prominent IEC 61850 Security Events
One of the key factors behind employing a PI system for collection, storage, and management of IEC 61850 security events is to identify what data to collect from intelligent electronic devices (IEDs). Among the first candidates in this regard could be data that IEC 61850 considers as being explicitly related to security, namely the data attributes of generic security application logical nodes (GSAL). IEC 61850 provides an identity-based view of data objects in logical nodes referred to as virtual access view. When establishing an association with a server, a client is required to provide proof of identity, namely send authentication parameters such as its user identifier, a definition of the access view it is requesting, and access credentials. If the server successfully authenticates the client and is authorized to access the view, then the client is provided with the requested virtual access view.
GSAL logical nodes are entirely dedicated to monitoring of violations of access control schemes in IEC 61850. GSAL logical nodes hold instances of the controllable integer status (INC) common data class, such as security violation counters and number of counter resets, and instances of the security violation counting (SEC) common data class, such as authorization failures, access control failures, service privilege violations, and inactive associations. Thus, attributes of all these data objects would be useful for cyber attack correlation in a PI server or other SEM. Another type of event which could be of interest for attack correlation could be the transition of a logical node into a degraded mode. A logical node transitions into degraded mode upon reception of corrupted data. While in this mode a logical node cannot operate properly.
Violations of data attributes could also be evidence of an attack. For example, if the type of a given data attribute is CODED ENUM in which only intermediate-state, off, on, and bad-state are permissible values, then any value of the data attribute in question which is not among the aforementioned values could be potentially collected. As another example, if the value of a given data attribute is supposed to be always in the range 0-255, then any value of the data attribute in question which falls outside this range could be potentially collected.
Violations of functional constraints could also be of interest in attack identification and correlation. A functional constraint unequivocally defines the set of abstract communication service interface (ACSI) services that may be issued on a given data attribute. Common data classes specify functional constraints for their data attributes. Thus, the PI system could collect and store an event in which an ACSI service is issued on a data attribute while not belonging to its functional constraint.
Creating PI Tags for IEC 61850 data sources
A system manager would normally create a PI tag in a PI server for each source of IEC 61850 events. Various implementations of the data model may result in events at various levels of granularity. A source of IEC 61850 events may be a physical device, usually an IED. System managers may also treat IEC 61850 logical devices as sources of IEC 61850 events. The process of defining a PI tag for a source of IEC 61850 events does not differ from the way in which PI tags for any other kind of sources of data are generally defined. Thus, a PI tag for a source of IEC 61850 events is comprised of attributes which are defined by a system manager and which the PI base subsystem stores in a dedicated database.
Interfacing PI Interface Nodes with IEC 61850 Data Sources
Although OSIsoft provides over 300 different PI interface applications, as of this writing there are no IEC 61850 PI interface applications available that could enable a PI interface node to gather IEC 61850 events from a source of data via IEC 61850 profiles. Under these conditions a viable option could be that of having a PI system acquire IEC 61850 events from a source of data via protocols for which OSIsoft has already developed a PI interface application. Examples of protocols usable for getting IEC 61850 events include byte-oriented protocols such as DNP3 and Modbus. In this case it is necessary to deploy some industrial protocol gateway application either in a source of data itself or in some intermediate device. The protocol gateway is needed to convert communications from IEC 61850 into a byte oriented protocol, and vice versa.
A concrete example of software which has the potential for enabling a PI interface node to gather IEC 61850 events from a source of data is Sisco's AX-S4 MMS. A deployment scenario may be one in which AX-S4 MMS is run on a Windows-based device such as a SEL-3351, i.e. a system computing platform by Schweitzer Engineering Laboratories (SEL). Through AX-S4 MMS a SEL-3351 may communicate via IEC 61850 profiles with IEDs and collect data from them. Since AX-S4 MMS provides an OPC server interface, a PI interface node may use a PI OPC interface application to acquire IEC 61850 events from the SEL-3351 device in question via OPC.
External Links
IEC 61850: Communication Networks and Systems in Substations, Parts 1 through 10, August 2007.
