PI System as SEM for IEC 61850 Security Events

From SCADApedia


IEC 61850 comes with a rich set of virtual representations of the components and functions of electrical substations or power plants, i.e. logical nodes, along with advanced data reporting and logging models. Typical clients currently used to retrieve IEC 61850 data attributes include browsers, real-time graphical user interfaces (GUIs), data concentrator platforms, engineering stations, etc. Nevertheless, as of this writing no specialized security event managers (SEMs) exist for IEC 61850 profiles in particular, and probably none for industrial control communications in general. A viable option in this regard could be the OSIsoft PI system, further developed to include capabilities such as monitoring, detection, classification, storage, and analysis of security events. Some of the factors that may form the rationale for employing the PI system as an IEC 61850 SEM are the following:


Thorough characterization of acquisition of events from data sources

A PI system provides a qualitative and quantitative concept for tracking events even at a logical device granularity, namely points, or tags as they're otherwise known in the OSIsoft jargon. PI points are created for each source of data, and each one of them may have over 50 attributes. PI point attributes exhaustively characterize the process of event acquisition from data sources. Examples of PI point attributes include string identifiers assigned to PI points, specification of what a point is for, data types of PI point values, etc. PI points may be created for tracking security events taking place in, or generated by, IEC 61850 logical devices.

Acquisition of relevant security events

A PI system uses protocol-specific interface applications to collect events from data sources. In environments such as large transmission or distribution electrical substations, the number of events that an interface application receives from logical devices may be considerably high, so it is necessary to filter the events that are sent to a PI server. In this regard a PI system provides what is referred to as Exception Reporting. In our context exception reporting may be used to forward to a PI server only those events that are deemed relevant from the security perspective. Examples of such events may comprise an increase of a security violation counter or an increase of an inactive associations counter. In a PI system, exception reporting specifications are configured by setting a defined set of attributes for each PI point.
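The following is an added example, not part of the original article and not OSIsoft code: a simplified deadband model of exception reporting applied to a security violation counter. The fields mirror the PI point attributes ExcDev, ExcMin and ExcMax; the class, the function names and the counter readings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Sample = Tuple[int, int]  # (seconds since start, counter value)

@dataclass
class ExceptionFilter:
    """Simplified deadband model of exception reporting for one PI point."""
    exc_dev: float  # change from the last forwarded value that counts as an exception
    exc_min: float  # minimum seconds between forwarded events
    exc_max: float  # maximum seconds of silence before an event is forwarded anyway
    last_sent: Optional[Sample] = None
    held: Optional[Sample] = None  # newest sample seen but not forwarded

    def offer(self, ts: int, value: int) -> List[Sample]:
        """Return the samples the interface would forward for this reading."""
        sample = (ts, value)
        if self.last_sent is None:
            self.last_sent = sample
            return [sample]
        elapsed = ts - self.last_sent[0]
        changed = abs(value - self.last_sent[1]) > self.exc_dev
        if not ((changed and elapsed >= self.exc_min) or elapsed >= self.exc_max):
            self.held = sample
            return []
        # On a change, also forward the last unchanged reading so the archive
        # brackets the moment the counter moved (a choice made in this sketch).
        out = [self.held] if (changed and self.held) else []
        out.append(sample)
        self.last_sent, self.held = sample, None
        return out

def forward(samples: List[Sample], flt: ExceptionFilter) -> List[Sample]:
    return [s for ts, v in samples for s in flt.offer(ts, v)]

def increments(forwarded: List[Sample]) -> List[Tuple[int, int, int]]:
    """(last time at old value, first time at new value, increase) per counter jump."""
    return [(a[0], b[0], b[1] - a[1])
            for a, b in zip(forwarded, forwarded[1:]) if b[1] > a[1]]

# Constructed readings of a security violation counter polled every 10 s.
READINGS = [(0, 0), (10, 0), (20, 0), (30, 0), (40, 2), (50, 2), (60, 2),
            (70, 2), (80, 2), (90, 2), (100, 2), (110, 5)]

if __name__ == "__main__":
    sent = forward(READINGS, ExceptionFilter(exc_dev=0, exc_min=0, exc_max=60))
    print(sent)
    print(increments(sent))
```

With a deadband of 0, every counter increase is forwarded together with the reading that precedes it. With a deadband of 2, the first increase of 2 reaches the server only when the ExcMax timer expires, so for security counters the deadband should be smaller than the smallest increment of interest.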

Selective Storage and Accurate Event Reconstruction

As security events are stored in an archive, the archive tends to grow with time. It is therefore necessary to store just enough events to be able to reconstruct the security event history for forensics, attack traceback, etc. In this regard a PI system provides what is referred to as compression testing. A PI system uses a sophisticated compression algorithm to determine which events are to be stored in an archive. The stored events are chosen such that the data history may be reconstructed with a high level of accuracy.

References

OSIsoft PI System™

International Electrotechnical Commission, "IEC 61850: Communication Networks and Systems in Substations", parts 1 through 10, August 2007.
