Tecnalia's Smart Grid Facilities



Functional Components Description

The Laboratory of Cybersecurity in the Smart Grid emulates the real-time software and hardware communications environment of a Primary Distribution Substation, in which the electronic equipment (IEDs) that controls and supervises the electrical equipment (switches, transformers, ...) has been deployed. It also simulates a Control Center, with basic functionalities, to which the Substation equipment is connected.

The laboratory makes it possible to:

  • Simulate the real communications between the different equipment and systems of the control center and the substation.

  • Run a set of cyber-attacks using penetration-testing tools (ethical hacking).

  • Test the response of equipment (RTU, SCU, protection relays, ...) and information systems (SCADA, LDAP server, ...) from external manufacturers to those attacks.

  • Test the effectiveness of attack detection tools developed by external manufacturers.

The two environments (substation and control center) are connected through an Ethernet network established between two routers. This allows the management of external access to the laboratory. Both routers establish a VPN connection.

The laboratory is composed of two environments: the Control Center environment, in which a SCADA has been installed that simulates the operation of the electric grid (reduced to a substation), and the Substation environment, in which the electronic equipment is installed (SCU and protection relays).

Other complementary elements of the laboratory are:

  • SECUREGRID HACKING TOOLBOX

SecureGrid Hacking Tool Box (HTB) is a toolbox for configuring and performing different penetration tests on the electronic devices of an electric substation. SecureGrid HTB is intended for use by equipment manufacturers to check the security level of their equipment.

  • WHITEZONE

WHITEZONE prevents malware from being present in the operational zone of industrial plants by restricting access to the area designated as the operational zone to authorised users carrying safe and identified software. This secures the industrial zone and improves the update process of industrial production control (ICS) devices. It offers the following functionalities:

  • Ensures that the information to be used within the operational zone by means of a USB key is secure, i.e. that it contains no virus or malware.

  • Authenticates users manually or via an NFC card.

  • Lets the user choose the data that is going to be used in the protected zone and analyzes it, through a multi-virus service in the cloud, for any virus, malware or data that is not allowed. If this verification is passed, it ejects a "USB Whitezone ©" key onto which the encrypted and signed data is copied, to prevent modifications. These USB Whitezone © keys are the only valid ones within the protected operational zone. In addition, this component sends all its activity, in real time, to the BackEnd software.

  • The Software Agent is an element that controls all USB port activity on the computer on which it is installed. If a non-Whitezone © USB device is inserted, it is ejected immediately, making it impossible to use. If a USB Whitezone © is connected, the agent verifies that its contents have not been altered. If they have been altered, it ejects the USB; otherwise, it decrypts the information it contains so that the data is available. The software agent can communicate all its activity, in real time, to the BackEnd.


Services provided

Support platform for R + D + i projects

This platform will be used to develop R+D+i projects with a cooperative approach. Participants may use their own nodes, either individually or with third parties, in order to carry out other R+D+I projects of a different nature in relevant conditions. These projects should mainly be conducted by researchers, although private projects may be developed in one-off cases. In the latter case, pay-per-use models for the testbed may be contemplated in order to finance the projects' amortization or maintenance.

Benchmarking, evaluation and / or certification of products and / or services

The testbed may be used to support benchmarking, evaluation or certification of goods and services. For instance, provided that Basque authorities issued a certificate, the evaluation of the products or services could be conducted on the testbed.

Training

The asset may be used as a platform for offering and developing a wide range of training activities, for instance cyber-ranges. In other words, it gives end users, companies offering cybersecurity training and researchers access to the testbed, so they can prepare and provide training or sophisticated simulation environments.

Support for awareness actions or generation of cybersecurity culture in the Smart Grid

In the event that public-private partnerships are encouraged, the testbed will enable conducting activities in order to support international events, to create scenarios for attracting talent or to promote the local companies as leaders in industrial cybersecurity.


Keywords

OT Cybersecurity, Machine Learning, Honeypots


Services

  • Support platform for R + D + I projects: Participants may use their own nodes, either individually or with third parties, in order to carry out other R+D+I projects of a different nature in relevant conditions.

  • Benchmarking, evaluation and / or certification of products and / or services: The testbed may be used to support benchmarking, evaluation or certification of goods and services.

  • Training: enabling access to the testbed to end users, companies offering cybersecurity training or researchers, so they can prepare and provide training or sophisticated simulation environments.

  • Support for awareness actions or generation of cybersecurity culture in the Smart Grid: the testbed will enable conducting activities in order to support international events, to create scenarios for attracting talent or to promote the local companies as leaders in industrial cybersecurity.


Technical equipment

  • Control center:

    • Router: establishes a VPN connection with the router of the substation.

    • Internal Switch: connects all computers in the control center.

    • SCADA equipment: contains the monitoring and control software (SCADA) of the substation. It also allows the configuration of the IEDs to be modified from the Control Center.

    • LDAP and NTP server computer: this equipment houses the different servers that are accessed from the IEDs of the substation.

    • Server running the services:

      • LDAP: manages access control (authentication and authorization) of users and information systems to the IEDs.

      • NTP: provides the time synchronization service.

  • Substation:

    • Router: establishes a VPN connection with the router of the control center.

    • Substation Control Unit (SCU): performs the functions of a remote unit by establishing communication with the SCADA of the control center through the IEC 60870-5-104 telecontrol protocol. Modbus TCP and DNP3-TCP are also accepted. In addition, it acts as the IEC 61850 client of the protection relays, using the IEC 61850 protocol.

    • Industrial Switch: connects all IEDs, forming the substation bus.

    • Protection relays: perform the protection functions of the electrical equipment (switches, transformers, ...). These relays implement the IEC 61850 protocol, which allows them to receive the electrical signals generated by the OMICRON CMC 850 equipment, communicate with the SCU, and exchange GOOSE messages with one another.

    • Power supplies: relays that run on direct current (VCC) are equipped with their corresponding power supply.

    • SCADA equipment: contains the monitoring and control software (SCADA) of the substation. It also allows the configuration of the IEDs to be modified from the Control Center.

    • OMICRON - CMC 850: simulates up to 3 merging units, the electrical data acquisition equipment of the substation. This equipment is connected via TCP/IP to the protection relays through the substation bus.

    • OMICRON - CMC 256: simulates electrical signals and connects them directly to the protection relays through the digital input and output connections. In addition, it can simulate the activity of switches.


Use request

Non profit