Webinar Presentation Cybersecurity4ProtectionEngineers
SIPROTEC 5
What a protection engineer should know about cybersecurity!
Merging Units
Secure Protocols
• Secure IEC 61850 according to IEC 62351-3 (TLS)
• Engineering Tool and WebUI
• EST automatic certificate enrolment
RBAC with central user management
• Centrally manage users and assign roles for authorization (based on IEC 62351-8) with LDAPS
Security Logging
• Non-volatile persistence of the security audit trail and transfer over Syslog
Page 5 Unrestricted | © Siemens 2023 | Smart Infrastructure |
Security event logging – Syslog
Environment:
• Syslog "freeware": "Visual syslog server" for Windows; the syslog server collects the syslog messages via UDP
• SYSLOG is simple to activate in our devices: only the IP address of the syslog server is needed
• easy to test
• SYSLOG is basic for cyber security for substation and automation systems
• In case of attack: quickly analyze who/what/when
• Attackers work invisibly; syslog is the light that shows what happens
• Highly recommended in IEC 62443
• Can be encrypted via TLS as recommended in IEC 62351
[Figure: syslog clients sending messages through a VPN to the syslog server]
Basics: "encryption" with TLS
• used every day whenever you connect to a web server on the internet, e.g. HTTPS: the S stands for TLS
[Figure: sealed-envelope analogy – envelope with seal, pattern of seals A→G, B→K]
TLS in SIPROTEC 5:
• DIGSI 5 protocol
• WebUI over HTTPS
• Syslog over TLS
• RBAC with LDAPS
• Secure IEC 61850 MMS
• EST (automated certificate management)
[Figure: SIPROTEC 5 as TLS endpoint towards the DIGSI 5 client, browser, syslog server, LDAP server, IEC 61850 client and EST server]
TLS is basic for cyber security for substation and automation systems.
TLS is recommended in IEC 62443 and IEC 62351.
RBAC protocols:
[Figure: user logs in at the device with Name: Engi / Password: secret; the device asks the "Primary" AD server, then falls back (1–3) when there is no response]
1. "Secondary" AD server (or "RODC")
2. List of "cached" users already authorized by the central server
3. Configured emergency users (all permissions), e.g. Name: Engi, Password: secret
Access token:
• userRole = 2
• aor = "*" (local, remote, *)
Role numbers:
0 = VIEWER
1 = OPERATOR
2 = ENGINEER
3 = INSTALLER
4 = SECADM
5 = SECAUD
6 = RBACMNT
LDAP group example: OU=IEC62351 Group, DC=siprotectest, DC=com; Role: SECADM
• Activate one time with DIGSI 5 in our devices (IP address + CA of the LDAP server)
• RBAC with LDAPS is basic for cyber security for substation and automation systems
• Attacker: access is blocked after a certain number of unsuccessful logins
• High availability, fall-back measures (back-up server, cached users, emergency users)
• => that is why it is recommended in IEC 62443, and IEC 62351-9 defines the protocols (LDAPS) and the roles to improve interoperability
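An added example (not from the Siemens slides) of the analysis the syslog slide calls for ("who/what/when") and of the lockout behaviour the RBAC slide mentions: parse RFC 5424 syslog messages and flag accounts whose failed logins reach a threshold. The log lines are constructed, and the LOGIN/SETTING message IDs and key="value" fields are assumptions, not the SIPROTEC 5 log format.

```python
import re
from collections import Counter

# Constructed sample lines in RFC 5424 shape (PRI, version, timestamp, host, app,
# procid, msgid, structured-data, message). The message IDs (LOGIN, SETTING) and
# the key="value" fields are assumptions for this example, not SIPROTEC 5's format.
SAMPLE_LINES = [
    '<84>1 2023-05-02T10:00:01Z siprotec-f1 sec - LOGIN - user="engi" result="failure" src="192.0.2.10"',
    '<84>1 2023-05-02T10:00:04Z siprotec-f1 sec - LOGIN - user="engi" result="failure" src="192.0.2.10"',
    '<84>1 2023-05-02T10:00:07Z siprotec-f1 sec - LOGIN - user="engi" result="failure" src="192.0.2.10"',
    '<86>1 2023-05-02T10:01:30Z siprotec-f2 sec - LOGIN - user="viewer" result="success" src="192.0.2.20"',
    '<84>1 2023-05-02T10:02:00Z siprotec-f2 sec - LOGIN - user="viewer" result="failure" src="192.0.2.20"',
    '<86>1 2023-05-02T10:05:00Z siprotec-f1 sec - SETTING - user="engi" result="success" src="192.0.2.11"',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one syslog line into a dict; PRI decodes to facility*8 + severity."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # not RFC 5424; callers decide whether to count it
    rec = m.groupdict()
    pri = int(rec.pop('pri'))
    rec['facility'], rec['severity'] = pri >> 3, pri & 7
    rec.update(KV_RE.findall(rec['msg']))  # e.g. user, result, src
    return rec

def timeline(lines, host):
    """Who did what, and when, on one device: the first question after an incident."""
    events = [parse_line(l) for l in lines]
    return [(e['ts'], e.get('user'), e['msgid'], e.get('result'))
            for e in events if e and e['host'] == host]

def failed_login_report(lines, threshold=3):
    """Return (host, user) pairs whose failed logins reach the lockout threshold."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec['msgid'] == 'LOGIN' and rec.get('result') == 'failure':
            counts[(rec['host'], rec.get('user'))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == '__main__':
    for key, n in failed_login_report(SAMPLE_LINES).items():
        print(f"{key[1]!r} on {key[0]}: {n} failed logins")
```

Because the device only needs the server's IP address to send syslog, the same parser works unchanged whether the messages arrive over plain UDP or over the TLS transport the slides recommend.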
"Application Security":
A-Profile (ACSE) secured with a certificate
"Transport Security":
recommended to be secured via TLS, using port 3782
SIPROTEC 5 implements "TLS"
Source: Noris
Cybersecurity in the Power Grid
SIPROTEC 5 Secure Communication – Practical part
SICAM GridPass will act as "EST server" to create the certificates for
- SIPROTEC 5 as MMS secure server (manually or automatically)
- SICAM PAS as MMS secure client (automatically only)
Steps for the SIPROTEC 5 MMS server certificate:
1. PKI: create the CA
2. DIGSI 5: configure, load and export the pattern (.pem)
3. SIPROTEC 5 WebUI -> Certificates -> Certificate authorities -> SecureMMS Port J: the CA selected in DIGSI 5 is visible
4. SIPROTEC 5 WebUI -> Certificates -> Requested certificates -> Secure MMS Port J -> click on export: the file MMS.csr is created
5. Certificate (.pem) file MMS.pem created by SICAM GridPass from the CSR
[Figure: IEC 61850 MMS server with CA store; CSR MMS.csr exported, certificate MMS.pem installed]
6. SICAM GridPass: certificate for the device as MMS client generated via EST (EST client)
[Figure: IEC 61850 MMS client and IEC 61850 MMS server, each with CA store and certificate]
TLS is basic for cyber security for substation and automation systems.
TLS is recommended in IEC 62443 outside the secure zone, and IEC 62351 selects the best practice from the IT world for OT.
Smart Infrastructure
Electrification & Automation
Mozartstraße 31 C
91052 Erlangen
Germany
For the U.S. published by
Siemens Industry Inc.
100 Technology Drive
Alpharetta, GA 30005
United States
© Siemens 2023
Subject to changes and errors. The information given in this
document/video only contains general descriptions and/or performance
features which may not always specifically reflect those described, or which
may undergo modification in the course of further development of the
products. The requested performance features are binding only when they
are expressly agreed upon in the concluded contract.
All product designations may be trademarks or other rights of Siemens, its
affiliated companies or other companies whose use by third parties for their
own purposes could violate the rights of the respective owner.