Within a substation context, there are multiple types of configuration. One type is specific to a device, such as the number of boards and the configuration of each board. This type of configuration is generally static and defined during commissioning.
Another type of configuration relates to the functionality of the device. Here, the settings, thresholds, and the different logic are each accounted for. This type of configuration is more dynamic and can change over time in response to operational conditions or system changes.
Operators can access configuration in several ways:
- From the device’s settings tool, which can be accessed locally or remotely
- Via the front panel of the device, where some parameters can be adjusted
- Using the local Human Machine Interface (HMI)
When the system aligns to the IEC 61850 standard, these options are clearly defined.
Because configuration is dynamic, it has a strong impact on system security. It’s also an important tool for restoring the system to a normal operating state after a system component failure. Most standards and regulations, such as NERC CIP, require the management of configuration data. Configuration management is quite complex because in each instance the information is different from one device to another, as well as from one manufacturer to another, even if the function is identical. Regardless of the configuration method used to manage OT equipment, the means to manage device configuration on a regular basis is a key issue and mandatory from the cyber security perspective.
But there’s a problem. No standard has yet been developed to address the configuration management issue. There are two primary functions of most OT substation security systems in place today:
- Store configuration information so it can be retrieved following a security incident
- Provide an alert when device configuration changes
While the comparison between two different configurations coming from the same device is simple, the comparison of the same function coming from different vendor devices remains almost impossible.
Because of this fact, standardization efforts are still required in this area. A common set of ground rules must be established in order to define objects that can be compared. That will allow better management of those objects. For example, security log event definitions are not yet defined as a configuration parameter. A powerful tool is therefore needed to correlate information coming from different assets, which, in turn, have been produced by different manufacturers.
To learn more, read the white paper titled A Framework for Developing and Evaluating Utility Substation Cybersecurity and let me know what you think. Or have a look at the previous posts in this series: