外文翻译原文-一个混合溶液为负载整流逆变器控制感应电机驱动器

EnhancingtheReliabilityandSecurityoftheInformationInfrastructureUsedtoManagethePowerSystemFrancesCleveland,IEEEMember,PES-PSCCAbstractInthepowerindustry,thefocushasbeenalmostexclusivelyonimplementingequipmentthatcankeepthepowersystemreliable.Untilrecently,communicationsandinformationflowshavebeenconsideredofperipheralimportance.However,increasinglytheInformationInfrastructurethatsupportsthemonitoringandcontrolofthepowersystemhascometobecriticaltothereliabilityofthepowersystem.Communicationprotocolsareoneofthemostcriticalpartsofpowersystemoperations,responsibleforretrievinginformationfromfieldequipmentand,viceversa,forsendingcontrolcommands.Despitetheirkeyfunction,to-datethesecommunicationprotocolshaverarelyincorporatedanysecuritymeasures,includingsecurityagainstinadvertenterrors,powersystemequipmentmalfunctions,communicationsequipmentfailures,ordeliberatesabotage.Sincetheseprotocolswereveryspecialized,“SecuritybyObscurity”hasbeentheprimaryapproach.However,securitybyobscurityisnolongeravalidconcept.Inparticular,theelectricitymarketispressuringmarketparticipantstogainanyedgetheycan.Atinyamountofinformationcanturnalosingbidintoawinningbidorwithholdingthatinformationfromyourcompetitorcanmaketheirwinningbidintoalosingbid.Andthedesiretodisruptpowersystemoperationscanstemfromcarelessmistakes,tosimpleteenagerbravado,tocompetitivegame-playingintheelectricalmarketplace,andeventoactualterrorism.Asthepowerindustryreliesincreasinglyoninformationtooperatethepowersystem,twoinfrastructuresmustnowbemanaged:notonlythePowerSystemInfrastructure,butalsotheInformationInfrastructure.Themanagementofthepowersysteminfrastructurehasbecomereliantontheinformationinfrastructureasautomationcontinuestoreplacemanualoperations,asmarketforcesdemandmoreaccurateandtimelyinformation,andasthepowersystemequipmentages.Therefore,thereliabilityofthepowersystemisincreasinglyaffectedbyanyproblemsthattheinformationinfrastructuremightsuffer.ThispaperfocusesonIECTC57WG15securitystandardsworkwhichisaddressingthereliabilityandsecurityoftheinformationinfrastructure.IndexSecurity,reliability,informationinfrastructure,communications,IEC,powersystemoperations,IEC61850,DNP,ICCP,IEC60870-5.I.DualInfrastructures:thePowerSystemandtheInformationSystemInthepowerindustry,thefocushasbeenalmostexclusivelyonimplementingequipmentthatcankeepthepowersystemreliable.Untilrecently,communicationsandinformationflowshavebeenconsideredofperipheralimportance.However,increasinglytheInformationInfrastructurethatsupportsthemonitoringandcontrolofthepowersystemhascometobecriticaltothereliabilityofthepowersystem.WiththeexceptionoftheinitialpowerequipmentproblemsintheAugust14,2003blackout,theon-goingandcascadingfailureswerealmostexclusivelyduetoproblemsinprovidingtherightinformationtotherightplacewithintherighttime.Figure1:August14,2003Blackout(NOAAprocessedthedatafromtheDefenseMeteorologicalSatelliteProgram.PleasecreditNOAA/DMSP)Communicationprotocolsareoneofthemostcriticalpartsofpowersystemoperations,responsibleforretrievinginformationfromfieldequipmentand,viceversa,forsendingcontrolcommands.Despitetheirkeyfunction,to-datethesecommunicationprotocolshaverarelyincorporatedanysecuritymeasures,includingsecurityagainstinadvertenterrors,powersystemequipmentmalfunctions,communicationsequipmentfailures,ordeliberatesabotage.Sincetheseprotocolswereveryspecialized,“SecuritybyObscurity”hasbeentheprimaryapproach.Afterall,onlyoperatorsareallowedtocontrolbreakersfromhighlyprotectedcontrolcenter.Whocouldpossiblycareaboutthemegawattsonaline,orhavetheknowledgeofhowtoreadtheidiosyncraticbitsandbytestheappropriateone-out-of-a-hundredcommunicationprotocols.Andwhywouldanyonewanttodisruptpowersystems?1-4244-1298-6/07/$25.002007IEEE.However,securitybyobscurityisnolongeravalidconcept.Inparticular,theelectricitymarketispressuringmarketparticipantstogainanyedgetheycan.Atinyamountofinformationcanturnalosingbidintoawinningbidorwithholdingthatinformationfromyourcompetitorcanmaketheirwinningbidintoalosingbid.Andthedesiretodisruptpowersystemoperationscanstemfromsimpleteenagerbravadotocompetitivegame-playingintheelectricalmarketplacetoactualterrorism.Itisnotonlythemarketforcesthataremakingsecuritycrucial.Thesheercomplexityofoperatingapowersystemhasincreasedovertheyears,makingequipmentfailuresandoperationalmistakesmorelikelyandtheirimpactgreaterinscopeandcost.Inaddition,theolder,“obscure”communicationsprotocolsarebeingreplacedbystandardized,well-documentedprotocolsthataremoresusceptibletohackersandindustrialspies.Asthepowerindustryreliesincreasinglyoninformationtooperatethepowersystem,twoinfrastructuresmustnowbemanaged:notonlythePowerSystemInfrastructure,butalsotheInformationInfrastructure.Themanagementofthepowersysteminfrastructurehasbecomereliantontheinformationinfrastructureasautomationcontinuestoreplacemanualoperations,asmarketforcesdemandmoreaccurateandtimelyinformation,andasthepowersystemequipmentages.Therefore,thereliabilityofthepowersystemisincreasinglyaffectedbyanyproblemsthattheinformationinfrastructuremightsuffer.Figure2:TwoInfrastructuresMustBeManaged,NotJustOneII.IECTC57asDeveloperofInternationalStandardsforSCADAProtocolsTheInternationalElectrotechnicalCommission(IEC)TechnicalCouncil(TC)57PowerSystemsManagementAndAssociatedInformationExchangeisresponsiblefordevelopinginternationalstandardsforpowersystemdatacommunicationsprotocols.Itsscopeis“ToprepareinternationalstandardsforpowersystemscontrolequipmentandsystemsincludingEMS(EnergyManagementSystems),SCADA(SupervisoryControlAndDataAcquisition),distributionautomation,teleprotection,andassociatedinformationexchangeforreal-timeandnon-real-timeinformation,usedintheplanning,operationandmaintenanceofpowersystems.Powersystemsmanagementcomprisescontrolwithincontrolcentres,substations,andindividualpiecesofprimaryequipmentincludingtelecontrolandinterfacestoequipment,systems,anddatabases,whichmaybeoutsidethescopeofTC57.Thespecialconditionsinahighvoltageenvironmenthavetobetakenintoconsideration.”IECTC57hasdevelopedthreewidelyacceptedprotocols,andhasbeenthesourceofafourth.Theseprotocolsare:IEC60870-5whichiswidelyusedinEuropeandothernon-UScountriesforSCADAsystemtoRTUdatacommunications.Itisusedbothinseriallinks(Part101)andovernetworks(Part104).DNP3.0whichwasderivedfromIEC60870-5andisinuseintheUSandnowiswidelyusedinmanyothercountriesaswell,primarilyforSCADAsystemtoRTUdatacommunicationsIEC60870-6(alsoknownasTASE.2orICCP)whichisusedinternationallyforcommunicationsbetweencontrolcentersandoftenforcommunicationsbetweenSCADAsystemsandotherengineeringsystemswithincontrolcenters.IEC61850whichisusedforprotectiverelaying,substationautomation,distributionautomation,powerquality,distributedenergyresources,substationtocontrolcenter,andotherpowerindustryoperationalfunctions.Itincludesprofilestomeettheultrafastresponsetimesofprotectiverelayingandforthesamplingofmeasuredvalues,aswellasprofilesfocusedonthemonitoringandcontrolofsubstationandfieldequipment.IEC61334(DLMS)Alltogether,theseinternationalstandardsaccountforcloseto90%ofthedatacommunicationsprotocolsinnewlyimplementedandupgradedpowerindustrySCADAsystemsandsubstationautomation(Modbus,Fieldbus,andotherproprietaryprotocolsarestillusedinoldersystemsandinotherindustries).III.ApplyingSecuritytoPowerSystemOperationsA.UnderstandingtheSecurityRequirementsandImpactofSecurityMeasuresonPowerSystemOperationsPowersystemoperationsposemanysecuritychallengesthataredifferentfrommostotherindustries.Forinstance,mostsecuritymeasuresweredevelopedtocounterhackersontheInternet.TheInternetenvironmentisvastlydifferentfromthepowersystemoperationsenvironment.Therefore,inthesecurityindustrythereistypicallyalackofunderstandingofthesecurityrequirementsandthepotentialimpactofsecuritymeasuresonthecommunicationrequirementsofpowersystemoperations.Inparticular,thesecurityservicesandtechnologieshavebeendevelopedprimarilyforindustriesthatdonothavemanyofthestrictperformanceandreliabilityrequirementsthatareneededbypowersystemoperations.Forinstance:Preventinganauthorizeddispatcherfromaccessingpowersystemsubstationcontrolscouldhavemoreseriousconsequencesthanpreventinganauthorizedcustomerfromaccessinghisbankingaccount.Therefore,denial-of-serviceisfarmoreimportantthaninmanytypicalInternettransactions.Manycommunicationchannelsusedinthepowerindustryarenarrowband,thusnotpermittingsomeoftheoverheadneededforcertainsecuritymeasures,suchasencryptionandkeyexchanges.Mostsystemsandequipmentarelocatedinwide-spread,unmanned,remotesiteswithnoaccesstotheInternet.Thismakeskeymanagementandsomeothersecuritymeasuresdifficulttoimplement.Manysystemsareconnectedbymulti-dropcommunicationchannels,sonormalnetworksecuritymeasurescannotwork.Althoughwirelesscommunicationsarebecomingwidelyusedformanyapplications,utilitieswillneedtobeverycarefulwheretheyimplementthesewirelesstechnologies,partlybecauseofthenoisyelectricalenvironmentofsubstations,andpartlybecauseoftheveryrapidandextremelyreliableresponserequiredbysomeapplications.B.SecurityMeasuresImportanttoPowerSystemOperationsBecauseofthelargevarietyofcommunicationmethodsandperformancecharacteristics,aswellasbecausenosinglesecuritymeasurecancounteralltypesofthreats,itisexpectedthanmultiplelayersofsecuritymeasureswillbeimplemented.Forinstance,VPNsonlysecurethetransportlevelprotocols,butdonotsecuretheapplicationlevelprotocols,sothatadditionalsecuritymeasures,suchasIEC62351-4,providetheapplicationlevelsecurity,possiblyrunningoverVPNs.Inaddition,role-basedaccesspasswords,intrusiondetection,accesscontrollists,lockeddoors,andothersecuritymeasuresarenecessarytoprovideadditionallevelsofsecurity.ItisclearfromFigures5-9thatauthenticationplaysalargeroleinmanysecuritymeasures.Infact,formostpowersystemoperations,authenticationofcontrolactionsisfarmoreimportantthat“hiding”thedatathroughencryption.AlsobecauseconnectiontotheInternetis(shouldnotbe)afactor,sincepowersystemoperationsshouldbewell-protectedbyisolationand/orfirewalls,someofthecommonthreatsarelesscritical,whileothersaremorecritical.Althoughimportanceofspecificthreatscanvarygreatlydependingupontheassetsbeingsecured,someofthemorecriticalthreatsare:Indiscretionsbypersonnelemployeessticktheirpasswordsontheircomputermonitorsorleavedoorsunlocked.Bypasscontrolsemployeesturnoffsecuritymeasures,donotchangedefaultpasswords,oreveryoneusesthesamepasswordtoaccessallsubstationequipment.Orasoftwareapplicationisassumedtobeinasecureenvironment,sodoesnotauthenticateitsactions.Authorizationviolationsomeoneundertakesactionsforwhichtheyarenotauthorized,sometimesbecauseofcarelessenforcementofauthorizationrules,orduetomasquerade,theft,orotherillegalmeans.Man-in-the-middleagateway,dataserver,communicationschannel,orothernon-endequipmentiscompromised,sothedatawhichissupposedtoflowthroughthismiddleequipmentisreadormodifiedbeforeitissentonitsway.Resourceexhaustionequipmentisinadvertently(ordeliberately)overloadedandcannotthereforeperformitsfunctions.Oracertificateexpiresandpreventsaccesstoequipment.Thisdenialofservicecanseriouslyimpactapowersystemoperatortryingtocontrolthepowersystem.IV.IECTC57ResponsetoSecurityRequirementsBy1997,IECTC57recognizedthatsecuritywouldbenecessaryfortheseprotocols.Itthereforefirstestablishedatemporarygroup(AdHocWG06)tostudytheissuesofsecurity.ThisgrouppublishedaTechnicalReportIEC62210onthesecurityrequirements.OneoftherecommendationsofthisTechnicalReportwastoformaWorkingGrouptodevelopsecuritystandardsfortheIECTC57protocolsandtheirderivatives(i.e.DNP).Therefore,IECTC57WG15wasformedin1999,andhasundertakenthiswork.TheWG15titleis“Powersystemcontrolandassociatedcommunications-Dataandcommunicationsecurity”anditsscopeandpurposeareto“UndertakethedevelopmentofstandardsforsecurityofthecommunicationprotocolsdefinedbytheIECTC57,specificallytheIEC60870-5series,theIEC60870-6series,theIEC61850series,theIEC61970series,andtheIEC61968series.Undertakethedevelopmentofstandardsand/ortechnicalreportsonend-to-endsecurityissues.”ThescopeoftheworkofWG15istodevelopstandardsthatincreasetheinformationalsecurityassuranceaspectsoftheprotocolsspecifiedwithinTC57.Aspartofthiswork,concreteandimplementable,standardsareintendedtobedeveloped.Thesestandardsareintendedtobespecified,asneeded,byutilitiesandimplementedbyrespondingvendors.WG15iscommittedtodeveloprelevantstandardsthatincreasetheoverallinformationalsecurityassuranceaspectsofutilityinfrastructures.Thejustificationwasthatsafety,security,andreliabilityhavealwaysbeenimportantissuesinthedesignandoperationofsystemsinthepowerindustry,andcybersecurityisbecomingincreasinglyimportantinthisindustryasitreliesmoreandmoreonaninformationinfrastructure.Thederegulatedmarkethasimposednewthreatsasknowledgeofassetsofacompetitorandtheoperationofhissystemcanbebeneficialandacquisitionofsuchinformationisapossiblereality.Since9/11theadditionalthreatofterrorismhasbecomemorevisible.Thefinalsentenceinthescope/purposestatementisveryimportant:itwasrecognizedthattheadditionofjustsimpleencryptionoftheprotocols,forinstancebyadding“bump-in-the-wire”encryptionboxesorevenvirtualprivatenetwork(VPN)technologieswouldnotbeadequateformanysituations.Securitytrulyisan“end-to-end”requirementtoensureauthenticatedaccesstosensitivepowersystemequipment,reliableandtimelyinformationonequipmentfunctioningandfailures,backupofcriticalsystems,andauditcapabilitiesthatpermitreconstructionofcrucialevents.ThisworkistobepublishedbytheIECasIEC62351,Parts1-7,titled:IEC62351-1:DataandCommunicationSecurityIntroductionIEC62351-2:DataandCommunicationSecurityGlossaryofTermsIEC62351-3:DataandCommunicationSecurityProfilesIncludingTCP/IPIEC62351-4:DataandCommunicationSecurityProfilesIncludingMMSIEC62351-5:DataandCommunicationSecuritySecurityforIEC60870-5andDerivatives(i.e.DNP3.0)IEC62351-6:DataandCommunicationSecuritySecurityforIEC61850ProfilesIEC62351-7:DataandCommunicationSecuritySecurityThroughNetworkandSystemManagementV.IEC62351-1:IntroductionThisfirstpartofthestandardcoversthebackgroundonsecurityforpowersystemoperations,andintroductoryinformationontheseriesofIEC62351securitystandards.VI.IEC62351-2:GlossaryofTermsThispartincludesthedefinitionoftermsandacronymsusedintheIEC62351standards.Thesedefinitionsarebasedonexistingsecurityandcommunicationsindustrystandarddefinitionsasmuchaspossible,giventhatsecuritytermsarewidelyusedinotherindustriesaswellasinthepowersystemindustry.VII.IEC62351Parts3-6SecurityStandardsforIECTC57ProtocolsA.OverviewSinceitwasformed,WG15hasundertakenthedevelopmentofsecuritystandardsforthefourcommunicationprotocolslistedabove:IEC60870-5,itsderivativeDNP,IEC60870-6(ICCP),andIEC61850.Thesesecuritystandardsmustmeetdifferentsecurityobjectivesforthedifferentprotocols,whichvarydependinguponhowtheyareused.Someofthesecuritystandardscanbeusedacrossafewoftheprotocols,whileothersareveryspecifictoaparticularprofile.Thedifferentsecurityobjectivesincludeauthenticationofentitiesthroughdigitalsignatures,ensuringonlyauthorizedaccess,preventionofeavesdropping,preventionofplaybackandspoofing,andsomedegreeofintrusiondetection.Forsomeprofiles,alloftheseobjectivesareimportant;forothers,onlysomearefeasiblegiventhecomputationconstraintsofcertainfielddevices,themediaspeedconstraints,therapidresponserequirementsforprotectiverelaying,andtheneedtoallowbothsecureandnon-secureddevicesonthesamenetwork.ThisworkwillbepublishedbytheIECasIEC62351,Parts3-6,titled:IEC62351-3:DataandCommunicationSecurityProfilesIncludingTCP/IP(thesesecuritystandardscoverthoseprofilesusedbyICCP,IEC60870-5Part104,DNP3.0overTCP/IP,andIEC61850overTCP/IP)IEC62351-4:DataandCommunicationSecurityProfilesIncludingMMS(thesesecuritystandardscoverthoseprofilesusedbyICCPandIEC61850)IEC62351-5:DataandCommunicationSecuritySecurityforIEC60870-5andDerivatives(i.e.DNP3.0)(thesesecuritystandardscoverbothserialandnetworkedprofilesusedbyIEC60870-5andDNP)IEC62351-6:DataandCommunicationSecuritySecurityforIEC61850Peer-to-PeerProfiles(thesesecuritystandardscoverthoseprofilesinIEC61850thatarenotbasedonTCP/IPGOOSE,GSSE,andSMV)TheinterrelationshipofthesesecuritystandardsandtheprotocolsareillustratedinFigure3.IEC62351Part1:IntroductionIEC62351SecurityStandards:CorrelationstoTC57StandardsIEC62351Part2:GlossaryIEC62351Part3:ProfilesIncludingTCP/IPIEC62351Part4:ProfilesIncludingMMSIEC62351Part5:IEC60870-5andDerivativesIEC62351Part6:IEC61850IEC60870-6TASE.2IEC60870-5-104TCP/IPIEC60870-5-101,102,&103IEC61850-8-1GOOSEProfileIEC61850-8-1MMSProfileIEC62351Part7:MIBsforNetworkManagementIEC61850-9-2SMVProfileIEC62351Part7:MIBsforNetworkManagementIEC62351Part7:MIBsforNetworkManagementFigure3:InterrelationshipofIEC62351SecurityStandardsandtheTC57ProtocolsB.IEC62351-3:SecurityforProfilesThatIncludeTCP/IPIEC62351-3providessecurityforanyprofilethatincludesTCP/IP,includingIEC60870-6TASE.2,IEC61850ACSIoverTCP/IP,andIEC60870-5-104.Ratherthanre-inventingthewheel,itspecifiestheuseofTLSwhichiscommonlyusedovertheInternetforsecureinteractions,coveringauthentication,confidentiality,andintegrity.ThispartdescribestheparametersandsettingsforTLSthatshouldbeusedforutilityoperations.Specifically,IEC62351-3protectsagainsteavesdroppingthroughTLSencryption,man-in-the-middlesecurityriskthroughmessageauthentication,spoofingthroughSecurityCertificates(NodeAuthentication),andreplay,againthroughTLSencryption.However,TLSdoesnotprotectagainstdenialofservice.Thissecurityattackshouldbeguardedagainstthroughimplementation-specificmeasures.C.IEC62351-4:SecurityforProfilesThatIncludeMMSIEC62351-4providessecurityforprofilesthatincludetheManufacturingMessageSpecification(MMS)(ISO9506),includingTASE.2(ICCP)andIEC61850.ItprimarilyworkswithTLStoconfigureandmakeuseofitssecuritymeasures,inparticular,authentication:thetwoentitiesinteractingwitheachotherarewhotheysaytheyare.ItrequiresadditionalsecuritymeasuresinACSE.Italsoallowsbothsecureandnon-secureprofilestobeusedsimultaneously,sothatnotallsystemsneedtobeupgradedwiththesecuritymeasuresatthesametime.D.IEC62351-5:SecurityforIEC60870-5andDerivatives(i.e.DNP3)IEC62351-5providesdifferentsolutionsfortheserialversion(primarilyIEC60870-5-101,aswellasparts102and103)andforthenetworkedversions(IEC60870-5-104