Previous Page  9 / 56 Next Page
Information
Show Menu
Previous Page 9 / 56 Next Page
Page Background

7

Electricity

+

Control

SEPTEMBER 2017

<<Author>>

Tim Craven, H3iSquared

Trading CC

+27 (0)11 454 6025

tim@h3isquared.com www.h3isquared.com

ment and commissioning time, as well as deeper

technical knowledge. The trade-off includes both

increased security that is completely under your

control, as well as better auditing, monitoring and

ease/speed of maintenance as you are not reliant

on a third party solution.

VPNs to consider

Host-to-site

The next question then becomes what type of VPN

to use and what protocol/s to use to establish the

tunnels. In response to the first question there are

two major types of VPNs that can be considered.

The first is known as a host-to-site and is the more

commonly referred to option when users speak

about a VPN. This option involves a single user (the

host) connecting from a remote location to a secure

network (the site) via an unsecure network (normal-

ly the Internet). The user runs software on a laptop

that speaks to the VPN server hardware/software

on site to establish the VPN tunnel. From this point

it will be as if the user is directly connected to the

LAN, and the actual VPN tunnel will be transparent

to other software on the laptop. This is the most

common VPN tunnel type that is used to allow en-

gineers to connect to the network from home or a

hotel in another country and perform maintenance,

configuration or troubleshooting remotely.

Site-to-site tunnel

The second type of VPN is known as a site-to-site

tunnel. In this case, as you may expect, the tun-

nel is established between two secure networks

via an unsecure network, such as in the case of

connecting a remote substation to a control room

via the company corporate network. The tunnels

can be temporary created as required, but are

more often left open as permanent tunnels which

effectively are used to semi-permanently expand

the network across geographical locations. Once

again in these set-ups the VPN tunnel will be trans-

parent to end users and devices, which will simply

see a standard routed network infrastructure.

Protocol/s for VPN tunnel establishment

The final decision to make is to determine which

protocol/s to use for the VPN tunnel establishment.

Once again a variety of options exist, however by

far the most secure currently is IPSec (Internet Pro-

tocol SECurity), which is a VPN protocol that works

over a two phase tunnel establishment. Without

going into too much detail this involves first an au-

thentication phase where the end devices perform

a back-and-forth handshaking process that ensures

they are both who

they claim to be. This

authentication can be done

using a few different methods,

including just standard PSK (Pre-

Shared Key, basically a password ex-

change) or by using secure certificates

(digital files that are used to uniquely identify end

devices). Once this phase is complete phase 2

establishes the cryptographic set-up to ensure

proper encryption of the traffic. IPSec caters for a

variety of different authentication and crypto stand-

ards that can be used depending on the end de-

vices capabilities. By using external authentication

and crypto standards it makes the protocol suite

more future proof as hopefully future changes and

improvements can be included without requiring a

complete overhaul of the IPSec standard.

Conclusion

We have glanced at some of the most salient

points to consider when planning, designing and

implementing security on Mission Critical Net-

works, however this is a field with just as much

depth as it has breadth, and which could be dis-

cussed for months without scratching the surface.

Network security is without a doubt one of the

most important aspects to consider when plan-

ning Mission Critical Networks and should not be

approached lightly. A final thought to keep in mind

is that no network will ever be completely secure

from outside attacks, especially when the network

is connected to an external network. The process

of implementing network security rather becomes

a case of deterrence. This means that one must

think like a potential attacker, and determine if the

payoff is worth the security, or if more security is

needed as a proper deterrence. A single firewall

may be more than enough to protect most home

networks, but a lot more security layers are need-

ed when considering a country-wide smart power

grid network, for instance. Always ask the ques-

tion: ‘Will the cost/time saved by not imple-

menting a certain level of security outweigh

the potential loss if the security is breached?’

Reference

[1] IEC 61850. Power utility automation.

1 4 5 6 7 8 9 10 11 12 13 14 15 56  FlippingBook