- Electrical infrastructure complying with IEC 61850 needs to be protected from cyber attacks
- New release of Rhebo's next-generation OT intrusion and threat detection combines .scd-file-based whitelisting with OT anomaly detection
- Incorporation of IEC 61850 digital twin capabilities removes the anomaly detection learning phase entirely
The update adds whitelisting capabilities, derived from the IEC 61850 substation configuration description, to the solution's established OT anomaly detection.
The IEC 61850 standard defines communication protocols and data models for intelligent electronic devices (IEDs) in substations, and thus ensures interoperability between IEDs from different vendors at the protocol and data model levels. The heart of the standard is the substation configuration description file (SCD, file extension .scd), an XML document written in the Substation Configuration Language (SCL) defined in IEC 61850-6. This file functions as a digital twin of a substation and its related electrical infrastructure, documenting every IED, its data sets and control blocks, and all configured communication between IEDs.
Detecting attacks in no time
From version 3.3 onwards, Rhebo supports IEC 61850 .scd files as a means of configuring its OT monitoring and anomaly detection component Rhebo Industrial Protector. Since the .scd describes all legitimate communication in a substation, once the digital twin file is imported the anomaly detection reports only IEC 61850 traffic (e.g. via the protocols MMS and GOOSE) that is not described in the file. All documented communication is whitelisted as legitimate, and devices or hosts defined in the .scd file are added to the host whitelist.
As a result, the operator does not have to manually clear normal substation events during the learning phase of the anomaly and intrusion detection system. »This update to our OT anomaly detection saves operators of critical infrastructure valuable time,« Rhebo Product Manager Jérome Arnaud explains. »Moreover, utilizing the substation digital twin file ensures the reduction of false-positive event notifications to a minimum, because what is reported is definitely a deviation that requires attention.«
Typical examples of deviating communication that are reported in real time are communication with an unknown host and invalid GOOSE or MMS dataset packets. Both can indicate potential cyber-attacks or misconfigurations that threaten critical services. GOOSE and MMS are industrial protocols prone to manipulation, in particular man-in-the-middle attacks: in their base form neither protocol authenticates messages (the optional protections are defined separately in IEC 62351), so a monitoring system has to rely on knowing what traffic is expected.
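What the SCD import described above amounts to, as an added example that is not Rhebo's code: a minimal parser that derives a host whitelist and a GOOSE control-block whitelist from an SCD (SCL/XML) document, then checks decoded traffic against it and reports only deviations, namely the unknown host and the invalid GOOSE dataset cases named in the text. The SCD fragment and the decoded frames below are constructed for the demonstration; the SCL element names, the SCL namespace and the GoCBRef form (IEDName+LDinst/LLN0$GO$cbName) follow IEC 61850-6 and IEC 61850-8-1. The parser also records GSE entries in the Communication section that have no matching GSEControl in the IED section, the sort of configuration inconsistency the release discusses further down.

```python
"""Derive an IEC 61850 whitelist from an SCD file and check traffic against it.

Added example, not Rhebo's code. The SCD below is a constructed minimal SCL
document; element names, namespace and GoCBRef form follow IEC 61850-6 / -8-1.
"""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}  # the real SCL namespace

# Constructed sample: one protection IED publishing GOOSE, one SCADA host.
# gcb02 is listed under <Communication> but has no GSEControl in the IED
# section, i.e. a configuration inconsistency between the two sections.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Header id="DemoSubstation"/>
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT1" apName="AP1">
        <Address><P type="IP">10.0.1.11</P></Address>
        <GSE ldInst="LD0" cbName="gcb01">
          <Address><P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P></Address>
        </GSE>
        <GSE ldInst="LD0" cbName="gcb02">
          <Address><P type="MAC-Address">01-0C-CD-01-00-05</P><P type="APPID">0005</P></Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="SCADA" apName="AP1">
        <Address><P type="IP">10.0.1.100</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT1"><AccessPoint name="AP1"><Server><LDevice inst="LD0">
    <LN0 lnClass="LLN0" inst="" lnType="LLN0T">
      <DataSet name="DS1">
        <FCDA ldInst="LD0" lnClass="PTOC" lnInst="1" doName="Op" daName="general" fc="ST"/>
        <FCDA ldInst="LD0" lnClass="PTOC" lnInst="1" doName="Op" daName="q" fc="ST"/>
      </DataSet>
      <GSEControl name="gcb01" type="GOOSE" datSet="DS1" confRev="1" appID="PROT1LD0/LLN0$GO$gcb01"/>
    </LN0>
  </LDevice></Server></AccessPoint></IED>
</SCL>"""


def build_whitelist(scd_xml):
    """Return the permitted IP hosts, the GOOSE control blocks keyed by
    (destination MAC, APPID), and any Communication/IED inconsistencies."""
    root = ET.fromstring(scd_xml)
    wl = {"hosts": set(), "goose": {}, "inconsistencies": []}
    for cap in root.findall("scl:Communication/scl:SubNetwork/scl:ConnectedAP", NS):
        ied_name = cap.get("iedName")
        for p in cap.findall("scl:Address/scl:P[@type='IP']", NS):
            wl["hosts"].add(p.text.strip())
        ied = root.find(f"scl:IED[@name='{ied_name}']", NS)
        for gse in cap.findall("scl:GSE", NS):
            mac = gse.find("scl:Address/scl:P[@type='MAC-Address']", NS)
            appid = gse.find("scl:Address/scl:P[@type='APPID']", NS)
            if mac is None or appid is None:
                continue
            ld, cb = gse.get("ldInst"), gse.get("cbName")
            # Resolve the GSE address to its control block and dataset in the IED section.
            ln0 = None if ied is None else ied.find(f".//scl:LDevice[@inst='{ld}']/scl:LN0", NS)
            gcb = None if ln0 is None else ln0.find(f"scl:GSEControl[@name='{cb}']", NS)
            if gcb is None:
                wl["inconsistencies"].append(f"{ied_name} {ld}/{cb}: GSE address without GSEControl")
                continue
            n_entries = len(ln0.findall(f"scl:DataSet[@name='{gcb.get('datSet')}']/scl:FCDA", NS))
            wl["goose"][(mac.text.strip().lower(), int(appid.text, 16))] = {
                "gocbRef": f"{ied_name}{ld}/LLN0$GO${cb}",
                "confRev": int(gcb.get("confRev", "0")),
                "numEntries": n_entries,
            }
    return wl


def check(observations, wl):
    """Classify decoded flows/frames (dicts) against the whitelist and return
    only the deviations; everything described in the SCD stays silent."""
    findings = []
    for o in observations:
        if o["proto"] == "MMS":
            for ip in (o["src"], o["dst"]):
                if ip not in wl["hosts"]:
                    findings.append(f"unknown host {ip} in MMS traffic")
        elif o["proto"] == "GOOSE":
            cb = wl["goose"].get((o["dst_mac"].lower(), o["appid"]))
            if cb is None:
                findings.append(f"unknown GOOSE control block {o['dst_mac']} APPID {o['appid']:#06x}")
            elif (o["gocbRef"], o["confRev"], o["numEntries"]) != (
                    cb["gocbRef"], cb["confRev"], cb["numEntries"]):
                findings.append(f"invalid GOOSE dataset for {cb['gocbRef']}")
    return findings


# Constructed observations in the shape a protocol decoder would hand over.
SAMPLE_TRAFFIC = [
    {"proto": "MMS", "src": "10.0.1.100", "dst": "10.0.1.11"},   # SCADA -> relay, in SCD
    {"proto": "MMS", "src": "10.0.1.200", "dst": "10.0.1.11"},   # host not in SCD
    {"proto": "GOOSE", "dst_mac": "01-0c-cd-01-00-01", "appid": 0x0001,
     "gocbRef": "PROT1LD0/LLN0$GO$gcb01", "confRev": 1, "numEntries": 2},   # as configured
    {"proto": "GOOSE", "dst_mac": "01-0c-cd-01-00-01", "appid": 0x0001,
     "gocbRef": "PROT1LD0/LLN0$GO$gcb01", "confRev": 1, "numEntries": 5},   # dataset size tampered
    {"proto": "GOOSE", "dst_mac": "01-0c-cd-01-00-02", "appid": 0x0002,
     "gocbRef": "ROGUE1LD0/LLN0$GO$gcb01", "confRev": 1, "numEntries": 1},  # publisher not in SCD
]

if __name__ == "__main__":
    wl = build_whitelist(SAMPLE_SCD)
    for line in wl["inconsistencies"] + check(SAMPLE_TRAFFIC, wl):
        print(line)
```

The design point is that the whitelist is only as good as the cross-reference between the two halves of the SCD: a GSE address that resolves to no GSEControl cannot be whitelisted, so it is surfaced as an inconsistency instead of being silently dropped or silently accepted. A real monitor would additionally compare the GOOSE stNum/sqNum sequence and the dataset member types, which the SCD also describes.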
Anomaly detection remains vital despite whitelisting feature
The IEC 61850-specific feature is an add-on to the fundamental OT monitoring and anomaly detection component of Rhebo. »Whitelisting alone is not sufficient for a seamless security architecture of the most critical infrastructure,« Jérome Arnaud warns. »For critical infrastructure operators it's not only a challenge to ensure the actuality of the referenced .scd file but also to prevent configuration inconsistencies due to the complex IEC 61850 configuration workflow.«
The first challenge reflects the reality in industrial infrastructure, where OT system updates are commonly delayed because process stability is prioritized over security concerns.
The second challenge refers to the complex IEC 61850 modeling workflow, which involves multiple round trips of hundreds of IED configuration files between various configuration tools before the substation configuration description file is finally obtained. Because this recurring process is so complex, inconsistencies are likely, and they threaten the error-free operation of the critical infrastructure. Both update delays and inconsistencies can lead to security gaps that attackers can exploit, as well as to technical error states that threaten process stability. »The anomaly detection ensures that any inconsistency or malicious behavior within the IEC 61850 infrastructure not covered by the whitelisting is detected in real time,« Arnaud adds.
The combination of the IEC 61850 whitelisting feature and OT anomaly detection helps operators to defend their electrical infrastructure against cyber-attacks and operational threats efficiently and effectively. For more information visit https://rhebo.com.