IEEE P1689
From SCADApedia
The Substation Committee of the IEEE Power Engineering Society is writing P1689 Trial Use Standard for Retrofit Cyber Security of Serial SCADA Links and IED Remote Access. The standard defines the requirements for a retrofit, or bump-in-the-line, device to protect serial communication "in such a manner as to minimize the changes needed to existing equipment and software".
P1689 lists general requirements and P1711 defines a specific serial security protocol for two types of cryptographic modules (CMs). SCADA Cryptographic Modules (SCMs) protect the serial SCADA channel. Maintenance Cryptographic Modules (MCMs) protect the maintenance channel, which is typically a dial-up connection.
The P1689 retrofit devices operate in pairs with one unit at a substation or other field site and the other unit typically at a control center.
Security Requirements and Protection
The standard defines the following security requirements:
- User Authentication: The retrofit device must support unique userID/password credentials.
- Strong Authentication: Authentication and communication to an MCM requires a "hardware authentication key (such as a USB or smart card)". If the physical device is removed, access must be terminated.
- Encryption: Encryption is required for an MCM and optional for an SCM. If encryption is implemented, it must support point-to-point, multidrop and broadcast communication scenarios. Additionally, the retrofit device must support a mixed mode in which encrypted and cleartext communication to different endpoints take place simultaneously. The encryption algorithm is specified as AES with at least a 128-bit key.
- User Authorization: The retrofit device must support role-based access control.
- FIPS 140 Certification: P1689 retrofit devices must be certified to meet the requirements of FIPS 140-2 under NIST's Crypto Module Validation Program. FIPS 140-2 validation tests the proper implementation of crypto algorithms, key management, authentication and authorization features, and physical security including tamper evidence and EMI/EMC. There are four levels of rigor to FIPS 140-2 certification (1=lowest, 4=highest). P1689 requires level 2 for most requirements.
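The encryption and mixed-mode requirements above are easiest to see in a small model of a bump-in-the-line pair. The following Go program is an added illustration, not code from the standard, from P1711, or from any vendor: it assumes a toy frame layout (first byte is the destination address, the rest is payload), a per-address policy table, a single shared link key, and AES-128-GCM as the authenticated mode, none of which P1689 prescribes. The unit encrypts frames for endpoints marked as protected, passes frames for cleartext endpoints through unchanged, keeps the address in the clear so a multidrop line can still route, and, on the receiving side, refuses a cleartext frame addressed to an endpoint that the policy says must be encrypted (a downgrade) and any frame whose address or body has been altered. Unknown addresses default to encrypted, so the policy fails closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Policy maps a destination address to whether frames for it are encrypted.
// Addresses absent from the map are treated as encrypted (fail closed).
// The single-byte address and the map are assumptions of this example.
type Policy map[byte]bool

// Gateway models one retrofit unit of a pair; both units share one link key.
type Gateway struct {
	key    []byte
	policy Policy
}

const minKeyBits = 128 // P1689: AES with at least a 128-bit key

// NewGateway rejects keys shorter than 128 bits or of a length AES does not accept.
func NewGateway(key []byte, policy Policy) (*Gateway, error) {
	if len(key)*8 < minKeyBits {
		return nil, fmt.Errorf("key is %d bits, need at least %d", len(key)*8, minKeyBits)
	}
	if _, err := aes.NewCipher(key); err != nil {
		return nil, err
	}
	return &Gateway{key: key, policy: policy}, nil
}

func (g *Gateway) encryptFor(addr byte) bool {
	enc, known := g.policy[addr]
	return !known || enc
}

func (g *Gateway) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(g.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Outbound turns a plain frame [addr][payload] into a wire frame
// [addr][mode][body]; mode 0 is cleartext, mode 1 is [nonce][ciphertext+tag].
// The address and mode byte are authenticated as associated data.
func (g *Gateway) Outbound(frame []byte) ([]byte, error) {
	if len(frame) < 1 {
		return nil, errors.New("empty frame")
	}
	addr, payload := frame[0], frame[1:]
	if !g.encryptFor(addr) {
		return append([]byte{addr, 0}, payload...), nil // cleartext endpoint: pass through
	}
	gcm, err := g.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // random nonce; a real unit needs nonce management
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{addr, 1}, nonce...)
	return append(out, gcm.Seal(nil, nonce, payload, []byte{addr, 1})...), nil
}

// Inbound reverses Outbound and enforces the policy on the receiving side.
func (g *Gateway) Inbound(wire []byte) ([]byte, error) {
	if len(wire) < 2 {
		return nil, errors.New("short frame")
	}
	addr, mode, body := wire[0], wire[1], wire[2:]
	switch mode {
	case 0:
		if g.encryptFor(addr) {
			return nil, errors.New("cleartext frame for an endpoint that requires encryption")
		}
		return append([]byte{addr}, body...), nil
	case 1:
		gcm, err := g.aead()
		if err != nil {
			return nil, err
		}
		ns := gcm.NonceSize()
		if len(body) < ns {
			return nil, errors.New("encrypted frame too short")
		}
		pt, err := gcm.Open(nil, body[:ns], body[ns:], []byte{addr, 1})
		if err != nil {
			return nil, fmt.Errorf("authentication failed: %w", err)
		}
		return append([]byte{addr}, pt...), nil
	default:
		return nil, errors.New("unknown mode byte")
	}
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key; never hard-code one in a real unit
	policy := Policy{0x01: true, 0x02: false}
	master, _ := NewGateway(key, policy)
	field, _ := NewGateway(key, policy)
	for _, f := range [][]byte{{0x01, 'R', 'E', 'A', 'D'}, {0x02, 'R', 'E', 'A', 'D'}} {
		wire, err := master.Outbound(f)
		if err != nil {
			fmt.Println("outbound:", err)
			continue
		}
		back, err := field.Inbound(wire)
		fmt.Printf("addr=0x%02x mode=%d -> %q err=%v\n", f[0], wire[1], back, err)
	}
}
```

The receiving-side check in Inbound is the part worth copying: a mixed-mode unit that accepts whatever mode byte arrives lets an attacker on the line strip encryption for a protected endpoint, so the policy has to be enforced on both ends of the pair, not just by the sender.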
The FIPS 140-2 requirement may be the most onerous for vendors as this process often takes more than one year to complete and has commensurate costs.
Performance Requirements
The performance requirements are less specific: they use the wording "shall not significantly degrade" without numbers or other measures. The retrofit device "shall not significantly degrade" scalability, reliability, availability, maintainability, flexibility, expandability, or system response time.
Test Plan
The standard identifies the elements that should be part of a functional and performance test plan for a retrofit device. Certain sections of the test plan provide information on a test process and recommended test report details. Most of these sections use the word "should" so they are not mandatory elements of a test plan.
Comparison with AGA 12 Part 1
The 38-page P1689 is, for the most part, a subset of the 123-page AGA 12 Part 1. The most substantive difference is that an encryption capability is mandatory for SCMs in AGA 12 Part 1 and optional in P1689.
A few terms have changed and some editing has occurred, but the essential parts of the standard map as follows:
- Section 3 Definitions, acronyms, abbreviations and word usage comes from Appendix B in AGA 12 Part 1
- Section 5 Retrofit System Requirements in P1689 comes from Section 4 in AGA 12 Part 1
- Section 6 Cryptographic System Test Plan in P1689 comes from Appendix H in AGA 12 Part 1
Entire Appendices from AGA 12 Part 1 were omitted from P1689. The omitted Appendices are primarily background information, such as Appendix C SCADA Fundamentals and Appendix D Cryptography Fundamentals, that do not affect any of the requirements in the standard.
P1689 is attempting to add key management to the document, with functional requirements in Section 5 and more detail, primarily in a normative annex. The key management text is in an early draft form.
Status
In Development.
Draft 5 was issued in July 2007. The major addition is a section on Key Management.
