Electricity + Control September 2017

they are both who they claim to be. This authentication can be done using a few different methods, including just standard PSK (Pre- Shared Key, basically a password ex- change) or by using secure certificates

ment and commissioning time, as well as deeper technical knowledge. The trade-off includes both increased security that is completely under your control, as well as better auditing, monitoring and ease/speed of maintenance as you are not reliant on a third party solution.

VPNs to consider Host-to-site

(digital files that are used to uniquely identify end devices). Once this phase is complete phase 2 establishes the cryptographic set-up to ensure proper encryption of the traffic. IPSec caters for a variety of different authentication and crypto stand- ards that can be used depending on the end de- vices capabilities. By using external authentication and crypto standards it makes the protocol suite more future proof as hopefully future changes and improvements can be included without requiring a complete overhaul of the IPSec standard. Conclusion We have glanced at some of the most salient points to consider when planning, designing and implementing security on Mission Critical Net- works, however this is a field with just as much depth as it has breadth, and which could be dis- cussed for months without scratching the surface. Network security is without a doubt one of the most important aspects to consider when plan- ning Mission Critical Networks and should not be approached lightly. A final thought to keep in mind is that no network will ever be completely secure from outside attacks, especially when the network is connected to an external network. The process of implementing network security rather becomes a case of deterrence. This means that one must think like a potential attacker, and determine if the payoff is worth the security, or if more security is needed as a proper deterrence. A single firewall may be more than enough to protect most home networks, but a lot more security layers are need- ed when considering a country-wide smart power grid network, for instance. Always ask the ques- tion: ‘Will the cost/time saved by not imple- menting a certain level of security outweigh the potential loss if the security is breached?’

The next question then becomes what type of VPN to use and what protocol/s to use to establish the tunnels. In response to the first question there are two major types of VPNs that can be considered. The first is known as a host-to-site and is the more commonly referred to option when users speak about a VPN. This option involves a single user (the host) connecting from a remote location to a secure network (the site) via an unsecure network (normal- ly the Internet). The user runs software on a laptop that speaks to the VPN server hardware/software on site to establish the VPN tunnel. From this point it will be as if the user is directly connected to the LAN, and the actual VPN tunnel will be transparent to other software on the laptop. This is the most common VPN tunnel type that is used to allow en- gineers to connect to the network from home or a hotel in another country and perform maintenance, configuration or troubleshooting remotely. Site-to-site tunnel The second type of VPN is known as a site-to-site tunnel. In this case, as you may expect, the tun- nel is established between two secure networks via an unsecure network, such as in the case of connecting a remote substation to a control room via the company corporate network. The tunnels can be temporary created as required, but are more often left open as permanent tunnels which effectively are used to semi-permanently expand the network across geographical locations. Once again in these set-ups the VPN tunnel will be trans- parent to end users and devices, which will simply see a standard routed network infrastructure. Protocol/s for VPN tunnel establishment The final decision to make is to determine which protocol/s to use for the VPN tunnel establishment. Once again a variety of options exist, however by far the most secure currently is IPSec (Internet Pro- tocol SECurity), which is a VPN protocol that works over a two phase tunnel establishment. Without going into too much detail this involves first an au- thentication phase where the end devices perform a back-and-forth handshaking process that ensures

Reference [1] IEC 61850. Power utility automation.

<>

Tim Craven, H3iSquared Trading CC

+27 (0)11 454 6025 tim@h3isquared.com www.h3isquared.com

Electricity + Control

SEPTEMBER 2017

7