COMMUNICATION AND INTEROPERABILITY STANDARDS UPDATE
Ameen Hamdon, SUBNET Solutions Inc.
www.SUBNET.com © Copyright 2016 SUBNET Solutions Inc.

Start the Day
• Yesterday's discussion about Compliance vs Security reminds me of this video
  – “Ultimate Power in the Universe” Video Link

Communication and Interoperability Standards Update
• SCADA Protocols
  – Back to the Future: Protocols in 2001
  – IEC-61850 Update
  – DNP3 SA (Secure Authentication) Update with EPRI
  – Other Protocols
    • OpenADR, SunSpec Modbus, Other

Communication and Interoperability Standards Update
• Other OT Interoperability Needs
  – Beyond Current OT Standards Today
  – Access Management
  – Password Management
  – Event File Collection
  – Configuration Management
  – Firmware Update Management

DNP3 vs UCA (Back in the Day = 2001)

The 3-D Perspective on DNP3 & UCA 2.0
Ameen H. Hamdon, P.Eng
President, DNP 3.0 Users Group
President, SUBNET Solutions Inc.
DistribuTECH 2001

The 1 Protocol Solution
When will the proliferation of protocols stop? I want 1 protocol that does everything I need.
www.DNP.org www.subnetsolutions.com

The 1 Vehicle Solution
I want 1 vehicle that does everything I need.

Answer
Probably Never! (to both)

Planes, Trains and Automobiles
• Physical Transportation
  – Sidewalks
  – Roads
  – Off Road
  – Rail
  – Air
  – Sea
• Data Transmission
  – Dialup Telephone
  – Leased Line
  – Radio
  – Microwave
  – Cellular
  – Satellite

Physical Transportation
• Trails/Sidewalks
  – Walking shoes, Running shoes
• Roads
  – Compact car, Sports cars, Truck
• Rail
  – Subway, Train
• Air
  – Glider, Propeller, Jets
• Sea
  – Row, Outboard, Yacht, Cruise Ship, Cargo Ship

Data Transmission
• Data Transfer Protocols (Modbus type)
  – Basic Read/Write of Database Data
• Traditional SCADA Protocols (L&G, CDC)
  – Transfer of SCADA INFORMATION (SOE, COS)
• Advanced Utility Protocols (DNP, UCA/MMS)
  – Transfer of SCADA EVENT INFORMATION
  – Support for advanced applications beyond SCADA

Properties to get from A to B
• People/Cargo
  – Volume
  – Speed of delivery
  – Distance
  – Price
  – Availability
  – Criticality
• Data/Information
  – Volume
  – Data Transfer Rates
  – Distance
  – Price
  – Availability
  – Criticality

Same Questions
• Questions
  – How Much?
  – How Fast?
  – How Far?
  – How Expensive?
  – How Realistic?
  – How Reliable?

Different Answers
• Each Transportation or Transmission method has Pros and Cons
• Each is well suited to certain applications
• None will ever be the BEST solution for ALL applications

Car Salesman
• If a car salesman said his vehicle is
  – the most affordable, fuel efficient, powerful, fastest, luxurious car for land, air and sea travel in the world
You would know not to believe him!

Protocol Salesman
• If someone tells you one protocol is
  – The most affordable, efficient, powerful, fastest, intelligent protocol, best for any and all utility applications

STANDARDS, PROFILES & INTEROPERABILITY
Specifying systems and finding the gaps that need to be filled

What is Interoperability?
Interoperability: ability of two or more devices from the same vendor, or different vendors, to exchange information and use that information for correct execution of specified functions (definition from IEC 61850.1 clause 3.1.8; IEEE definition is similar)
[Diagram: System comp. A, System comp. B, Information exchange, Function]

Interoperability between devices
• An example: This computer and projector are interoperable
  – They both conform to the same “standards”
    • The standards define a set of specific functions and how they are performed
    • The standards cover many aspects of physical and electrical compatibility, timing sequences, signal interpretation, etc.
  – What are the limits of this interoperability?
    • Can these devices operate together to perform functions other than displaying text and graphics?

Interoperability between devices
Everyone: Please stand up for two seconds

Assertion
• All systems are interoperable
• Interoperability is a matter of effort
  – There is a trade-off between integration effort and standardization effort

Plug ’n play
• Definition of PnP
  – “The ability to add a new component to a system and have it work automatically without having to do any technical analysis or manual configuration.”
  – Think of this as “Auto-configuration”
• Required Ingredients
  – Specific Communication standard (“device driver”)
  – Auxiliary Services (e.g.: Addressing, Discovery, Self-description)
• PnP may require post-configuration for a user-specific adaptation of an application

Exchangeability
• Definition
  – “The ability to replace a device supplied by one manufacturer with a device supplied by another manufacturer, without making changes to the other elements in the system”
  – Think of this as a “hot plug” capability
• Requires “Profiling”
  – Pre-determined configuration to meet functional requirements
• “Plug ’n play” capability is not necessary (since preconfiguration is sufficient)

Role of profiles – definition & objective
• A profile defines a subset of an entity (e.g. standard)
  – It may contain a selection of
    • Data models
    • Services
  – Furthermore a profile may define
    • Instances (e.g. specific device types)
    • Procedures (e.g. programmable logics)
• Objective of profiles: profiles are used to reduce complexity (e.g. of the Model or Integration Effort)

Example of IEC 61850 profiles
Note: Profiles should overlap for high project interoperability
• IEC 61850: Data Model, Services
• Profile additions: Instances, Procedures
• Profile specification degree:
  – Domain profile: domain specific (e.g. Substation Automation), rough
  – Device profile: vendor / function specific, medium
  – Application profile: user / regional specific, detailed

Recent IEC 61850 Interoperability Panels
• Date:
  – 1: April, 2011
  – 2: October, 2013
  – 3: August, 2014
  – 4: September, 2015
  – 5: August, 2016
• Event Name: UCA IEC 61850 IOP Cigre Paris 2014 IEC 61850 IOP UCA IEC 61850 IOP Cigre Paris 2016 IEC 61850 IOP

IEC 61850 Interoperability 2013 Issues
• “Engineering efforts required to implement the standard in a substation are huge”
• “Grid operators are forced to use specific vendor tools that are not optimal in a multi-vendor environment and train staff to use a wide range of tools to configure the system”
• “A clear move by the market to a top-down approach using standardized third-party tools is needed”

IEC 61850 IOP 2013
• 61850 Standard Issues from the report:
  – SCL
    • “ED.1/ED.2 co-existence in a single SCD file”
    • “Client reporting subscription”
    • “GOOSE subscription”
    • “SV subscription”
  – Networking
    • “VLAN Tag 0 support in switches”

IEC 61850 IOP 2013

CIGRE 2014: Incorrect SCD/CID File Formats
• Problem: Vendor tools create incorrect CID file formats
  – Issue: Found several instances of missing DOType, DAType, ENUM, and ConnectedAP definitions
  – Issue: Point IDs created to be too long and incompatible with certain 61850 server driver implementations
• Solution: Vendor enhancement requests
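
Added example (not from the original slides or from any vendor or SUBNET tool): a pre-integration check for the first issue above, listing DOType, DAType and EnumType ids that a CID file references but never defines, and access points with no ConnectedAP entry. The sample file is constructed, and treating every AccessPoint without a ConnectedAP as a finding is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://www.iec.ch/61850/2003/SCL"}  # SCL schema namespace

# Constructed CID fragment for illustration; not output from any vendor tool.
SAMPLE_CID = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication><SubNetwork name="StationBus">
    <ConnectedAP iedName="IED1" apName="AP1"/>
  </SubNetwork></Communication>
  <IED name="IED1"><AccessPoint name="AP1"/><AccessPoint name="AP2"/></IED>
  <DataTypeTemplates>
    <LNodeType id="XCBR_T" lnClass="XCBR">
      <DO name="Pos" type="DPC_T"/>
      <DO name="Beh" type="ENS_T"/>
    </LNodeType>
    <DOType id="DPC_T" cdc="DPC">
      <DA name="ctlModel" bType="Enum" type="CtlModels"/>
      <DA name="origin" bType="Struct" type="Originator_T"/>
    </DOType>
  </DataTypeTemplates>
</SCL>"""

def find_missing_definitions(scl_text):
    """Return sorted (kind, id) pairs that are referenced but never defined."""
    root = ET.fromstring(scl_text)
    tpl = root.find("s:DataTypeTemplates", NS)
    templates = list(tpl.iter()) if tpl is not None else []
    defined = {kind: {e.get("id") for e in templates if e.tag.endswith("}" + kind)}
               for kind in ("DOType", "DAType", "EnumType")}
    # Which definition a type= attribute must resolve to, per element and bType.
    wanted = {("DO", None): "DOType", ("SDO", None): "DOType",
              ("DA", "Struct"): "DAType", ("BDA", "Struct"): "DAType",
              ("DA", "Enum"): "EnumType", ("BDA", "Enum"): "EnumType"}
    missing = set()
    for el in templates:
        tag = el.tag.split("}")[-1]
        btype = el.get("bType") if tag in ("DA", "BDA") else None
        kind = wanted.get((tag, btype))
        ref = el.get("type") or "<no type attribute>"
        if kind and ref not in defined[kind]:
            missing.add((kind, ref))
    # Assumption: every AccessPoint is expected to have a ConnectedAP entry.
    connected = {(c.get("iedName"), c.get("apName"))
                 for c in root.iterfind(".//s:ConnectedAP", NS)}
    for ied in root.findall("s:IED", NS):
        for ap in ied.findall("s:AccessPoint", NS):
            if (ied.get("name"), ap.get("name")) not in connected:
                missing.add(("ConnectedAP", f"{ied.get('name')}/{ap.get('name')}"))
    return sorted(missing)

if __name__ == "__main__":
    for kind, ref in find_missing_definitions(SAMPLE_CID):
        print(f"missing {kind}: {ref}")
```

Running a check like this on files exported by each vendor tool before they are merged into the SCD catches the missing-definition class of problem before a 61850 client or server driver fails to load the file.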

IEC 61850 2015 IOP Event Details
• Brussels, Belgium
• 7 days
• Sep 26th – Oct 2nd
• 100+ Participants

IEC 61850 2015 IOP Participating Companies
1. ABB, 2. Alstom, 3. CG Global, 4. Efacec, 5. ERLPhase, 6. GE, 7. Megger, 8. Omicron, 9. Schneider Electric, 10. SEL,
11. Arc Info, 12. Copa Data, 13. EDF France, 14. Elia, 15. EPRI, 16. Kalkitech, 17. Koncar, 18. Novatech, 19. Ren, 20. RTE France,
21. SUBNET Solutions Inc., 22. SAE, 23. SISCO, 24. Sprecher Automation, 25. Tesco Group, 26. Toshiba, 27. Triangle Microworks, 28. TUEV, 29. Xelas, 30. Zamiren

IEC 61850 2015 IOP Preparation & Planning
• Preparation and planning
  – Bi-Weekly web meeting
  – Started March 18 for a total of 14 meetings
  – 114 people
  – Equals 1,596 man hours in prep

The Reality of 61850 Interoperability
Maturity of IEC 61850
• Component: Maturity Level
  – MMS/GOOSE: HIGH
  – Semantic Model: MEDIUM
  – Engineering Tools: LOW
What does Interoperability mean?
• Vendors want… Co-existence
• Utilities want… Interchangeability

Result of IEC-61850 Issues
• IEC-61850 is Complex, Self Description ≠ PnP
• Many Utilities concerned about doing their own integration
• Thus many seek turnkey integration solutions from Device Vendors, who typically supply their Single Vendor solutions vs Multi-Vendor
• Current Bottom Line:
  – Ongoing Interoperability and Vendor Specific issues still a challenge for Utilities
• Users continue to drive IEC-61850 Enhancements: ENTSO-E – European Network of Transmission System Operators for Electricity

DNP Technical Committee 2015 Activities Summary
IEEE C 12
January 11, 2016
www.dnp.org

Standards Associated with DNP3-SA
Edition 2 passed ballot IEC 62351-5 Edition 1 Released Vendors beginning to implement Version 5 IEC 60870-5-7 Std. 1815 IEEE Std. 1815-2012 Released DNP3 Secure Authentication Test Procedures Reviewed by Tech Committee – Under Revision

Publications – Technical Bulletins/App Notes
§ TB 2015-001 (Extended Octet Strings and New Object Groups)
§ TB 2015-002 (Clarification of Unsolicited Response Behaviour)
§ TB 2015-003 (Updated Event Reporting Requirements)
§ AN 2015-001 (Guidelines for Default Configuration Parameters)

Work in Progress
§ Rewriting of the Subset Parsing Tables
  § Update and Clean up of current parsing tables (1815) to make them easier to interpret and understand.
§ DNP3 Key Management Protocol (DKMP)
§ Update of IEEE 1815 (DNP3)
§ Update of IED Conformance Tests
  § Update of Level 1 & Level 2 tests
  § Addition of Level 3 tests

2015 Events
§ 2nd Annual Secure Authentication Plugfest (October, 2015)
  § Sponsored by EPRI
  § Purpose: Test the newly-drafted DNP3 Secure Authentication Test Procedures
§ DNP Technical Committee Conference (November, 2015)
  § Very productive; work advanced on:
    § New Subset Parsing Tables
    § Updates to Secure Authentication & DNP3 Key Management Protocol
    § Updates to Device Profile
§ DNP Technical Committee Conference (October, 2016)
  § Location: Calgary/Banff Alberta

Why use DNP3-SA?
• VPN Routers, link encryptors, etc. don’t address:
  – Security at the local site
  – Security of serial DNP over unencrypted radios
  – Security of serial DNP over terminal servers
  – Security from “rogue applications” at master stations
  – Linking role-based authentication to the remote site
[Diagram labels: Site-to-Site Security; Device-to-Device Security; Application-to-Application Security]
© 2015 Electric Power Research Institute, Inc. All rights reserved.

What is DNP3-SA?
• An addition to the DNP3 (IEEE Std 1815) protocol
• DNP3 is used at over 75% of North American utilities
• SA authenticates the sender of the message
• Detects whether the message has been modified
• Does NOT encrypt data
• Co-developed with IEC 62351 Part 5
• Minimizes processor, bandwidth impact
• Based on NIST-approved cryptography
  – (Although it still permits some deprecated algorithms)
• Standardized by UK Water Industry (UK-WITS)
• DNP-SA provides Application to Application Security vs “Site to Site” or “Device to Device” security

Questions?
Contact Info:
Ameen H. Hamdon, P.Eng
SUBNET Solutions Inc.
hamdon@subnet.com
www.SUBNET.com