IEEE P1686

From SCADApedia


The Substation Committee of the IEEE Power Engineering Society is writing P1686, Draft Standard for Substation Intelligent Electronic Devices (IED) Cyber Security Standards. The purpose of the standard is to "establish a baseline of security requirements and features to be provided in substation IEDs." The standard therefore does not claim to be a best practice or recommended practice. Rather, it is a minimum set of requirements "designed to provide the tools and features for a user to implement an IED security effort in accordance with NERC CIP requirements".


Requirements Overview and Examples

Section 5.1 Electronic Access Control

The Electronic Access Control section enumerates the required authentication and authorization security controls. The standard requires user authentication prior to gaining access and prohibits methods to circumvent user authentication such as an embedded master password.

Minimum authorization levels are defined as View Data, View Configuration Settings, Force Values, Configuration Change, Firmware Change, ID/Password Management and Audit Log. The IED must have a way of assigning one or more of these authorization levels to each userID.

Some of the requirements are arbitrary thresholds determined by the Working Group. For example, the standard requires that an IED support at least ten unique userID/password combinations. Another arbitrary threshold is the minimum password complexity settings in Section 5.1.3.


Section 5.2 Audit Trail

P1686 requires that a set of security events be logged and available in an audit trail. Each security event record must include the event record number, time/date, userID of the user logged in at the time, and event type.

Twelve different security events are required. They span the range of login events, configuration events, and administration events.

This section also includes arbitrary thresholds such as the ability of an audit trail to store up to 2048 events and a FIFO retention policy.
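The following Python model is an added illustration of the two requirements just described, per-userID authorization levels from Section 5.1 and the bounded FIFO audit trail from Section 5.2; it is not code from the standard or from any IED vendor. The seven level names and the 2048-event threshold come from the text above; the event type names, the sample userIDs and the scenario in `demo()` are assumptions constructed for the example.

```python
"""Toy model of two P1686 concepts: per-userID authorization levels (5.1)
and a bounded, FIFO audit trail (5.2). Added example, not from the standard
or from any IED product; event names and sample users are assumptions."""
from collections import deque
from datetime import datetime, timezone
from enum import Enum, auto
from typing import Deque, Dict, Optional, Set

AUDIT_CAPACITY = 2048  # the storage threshold named in Section 5.2


class Level(Enum):
    """The seven minimum authorization levels listed in Section 5.1."""
    VIEW_DATA = auto()
    VIEW_CONFIG = auto()
    FORCE_VALUES = auto()
    CONFIG_CHANGE = auto()
    FIRMWARE_CHANGE = auto()
    ID_PASSWORD_MGMT = auto()
    AUDIT_LOG = auto()


class AuditTrail:
    """Bounded audit trail: once full, the oldest record is dropped (FIFO)."""

    def __init__(self, capacity: int = AUDIT_CAPACITY) -> None:
        self._records: Deque[dict] = deque(maxlen=capacity)
        self._next_number = 1  # record numbers keep increasing after eviction

    def record(self, user_id: str, event_type: str,
               when: Optional[datetime] = None) -> dict:
        """Append one event with the four fields Section 5.2 requires."""
        entry = {
            "record_number": self._next_number,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "event_type": event_type,
        }
        self._next_number += 1
        self._records.append(entry)  # deque(maxlen=...) evicts the oldest
        return entry

    def __len__(self) -> int:
        return len(self._records)

    def oldest(self) -> dict:
        return self._records[0]

    def newest(self) -> dict:
        return self._records[-1]


class IED:
    """Minimal IED access-control model: each userID maps to a set of levels."""

    def __init__(self) -> None:
        self._users: Dict[str, Set[Level]] = {}
        self.audit = AuditTrail()

    def add_user(self, admin_id: str, user_id: str, levels: Set[Level]) -> None:
        """Assign one or more levels to a userID; logged under the admin's ID."""
        self._users[user_id] = set(levels)
        self.audit.record(admin_id, "user_added")  # event name is an assumption

    def authorized(self, user_id: str, level: Level) -> bool:
        """True if user_id holds `level`; every decision goes to the audit trail."""
        granted = level in self._users.get(user_id, set())
        self.audit.record(user_id, "access_granted" if granted else "access_denied")
        return granted


def demo() -> dict:
    """Constructed scenario: a view-only operator attempts a firmware change,
    then the trail is pushed past capacity to show FIFO retention."""
    ied = IED()
    ied.add_user("admin", "operator1", {Level.VIEW_DATA, Level.VIEW_CONFIG})
    can_view = ied.authorized("operator1", Level.VIEW_DATA)
    can_flash = ied.authorized("operator1", Level.FIRMWARE_CHANGE)
    for _ in range(AUDIT_CAPACITY + 5):  # 3 records so far, add 2053 more
        ied.audit.record("operator1", "login_success")
    return {
        "can_view": can_view,
        "can_flash": can_flash,
        "stored": len(ied.audit),
        "oldest_record": ied.audit.oldest()["record_number"],
        "newest_record": ied.audit.newest()["record_number"],
    }


if __name__ == "__main__":
    print(demo())
```

Note the design choice in `AuditTrail`: the record number is a monotonically increasing counter rather than an index into the buffer, so a gap between the first stored record number and 1 tells a reviewer how many events have already been evicted by the FIFO policy.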


Section 5.3 Supervisory Monitoring and Control

Three required alarms are defined in this section.

The security events described in Section 5.2 and the alarms described in Section 5.3 must be transmitted to a SCADA or other monitoring system.

Section 5.3.5 Supervisory Permissive Control addresses security requirements for local and dial-up control. Support for three levels of permissions is required, and the SCADA system must be able to enable and disable local and dial-up access.


Section 5.4 Configuration Software

Requirements related to the IED, such as the ten userID/password combinations, are repeated in this section for the configuration software.


Section 5.5 Port Access

A two-sentence section that requires all ports, other than the diagnostic port, to be capable of being disabled.


Section 5.6 Firmware Quality Assurance

As of Draft (Dec 2006) this section is a single sentence that requires compliance with IEEE 37.231, Recommended Practice for Microprocessor-Based Protection Equipment Firmware Control.

Table of Compliance

The standard introduces a new concept to IEEE standards: a Table of Compliance. Vendors and other suppliers that claim to comply with P1686 must generate a Table of Compliance that indicates a 'level of compliance' with the requirements in every numbered paragraph. For each numbered paragraph the standard specifies four possible responses:

  • Acknowledge (no requirement in the numbered paragraph)
  • Exception
  • Comply
  • Exceed


A Table of Compliance example is available in Appendix A.

Exclusions

Encryption to protect the privacy of the data in transit to and at rest in the IED is not addressed in P1686.

Status

P1686 was approved by the Working Group in August 2007.

IEEE 1686 was issued on 11 Feb 2008.
