
AGENT-BASED SYSTEM FOR PROTECTING CONTROL DEVICES FROM MALWARE

IP.com Disclosure Number: IPCOM000246689D
Publication Date: 2016-Jun-28
Document File: 3 page(s) / 42K

Publishing Venue

The IP.com Prior Art Database

Related People

Maik Seewald: AUTHOR

Abstract

Presented herein are a system and method for Advanced Malware Protection (AMP) based on an assessment of the posture and condition of embedded devices (e.g., controllers) used in electrical grid automation. Examples of such embedded devices include IEDs (Intelligent Electronic Devices) and RTUs (Remote Terminal Units) using the standard IEC 62351-7. The techniques utilized by the system and method monitor the status of domain-specific device parameters and react to attacks or security breaches. For example, domain-specific information is used to enrich the information available to an Intrusion Prevention/Detection System (IPS/IDS) that may be integrated into firewall devices. When implemented in a power automation environment, the techniques presented herein may provide a mechanism that exposes the status and health information of IEDs and RTUs as a service and immediately triggers countermeasures when faults are detected in that information.

This is the abbreviated version, containing approximately 48% of the total text.

Page 01 of 3

AGENT-BASED SYSTEM FOR PROTECTING CONTROL DEVICES FROM MALWARE

 AUTHOR: Maik Seewald

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

     Security is an essential requirement in grid and substation automation. Modern controller devices fulfil crucial functions in energy automation to protect and control the electrical grid; thus, a compromised (e.g., hacked) or malfunctioning device may pose a threat to both primary and secondary grid equipment. Consequently, a system and method that provide immediate detection of a critical status, beyond existing network or standard software monitoring, would increase the level of security within energy automation systems. A system and method that also alert an IPS/IDS-capable system in order to trigger countermeasures would further increase that level of security.

Copyright 2016 Cisco Systems, Inc.


Page 02 of 3

    Today's embedded control devices (e.g., RTUs, IEDs, etc.) in the electrical grid use domain-specific protocols such as IEC 60870-5-104, DNP3, and IEC 61850. These protocols define both communication semantics and configuration data. Furthermore, IEC 61850 provides a comprehensive object model that describes the capabilities of a controlling device. Objects contain attributes that store different information about measurements and status. A related security standard, IEC 62351-7, specifies network and system management (NSM) data objects that are specific to power system operations. NSM data objects may be used to monitor the status and conditions of networks and systems in order to discover possible security intrusions and to manage the performance and reliability of the information infrastructure.

    The defined objects contain information from two domain-specific sources: the applications and the protocol stack within a controller device. The granular information about condition and posture contains data such as: buffer overflow, refused connections, hardware failover, PDU formatting issues, open ports, running services, revoked certificate...
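The following is an added example, not code from the disclosure or from Cisco, sketching how an agent on a controller could turn the condition and posture data listed above into a health state and an alert event for an IPS/IDS. The field names in the snapshot (buffer_overflows, refused_connections, hardware_failover, pdu_format_errors, open_ports, running_services, certificate_revoked) are constructed to mirror the categories the text names and are not the actual IEC 62351-7 NSM object identifiers; the expected port and service baseline and the thresholds are likewise assumptions for the example.

```python
"""Posture-assessment agent sketch for an embedded grid controller.

Added example. The snapshot fields are constructed to mirror the
categories in the text; they are NOT the real IEC 62351-7 NSM object
identifiers. Baselines and thresholds are assumed values.
"""
import json
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Snapshot:
    """Constructed status/condition counters reported by the device agent."""
    device_id: str
    buffer_overflows: int = 0
    refused_connections: int = 0
    hardware_failover: bool = False
    pdu_format_errors: int = 0
    open_ports: set = field(default_factory=set)
    running_services: set = field(default_factory=set)
    certificate_revoked: bool = False


@dataclass
class Rule:
    name: str
    severity: str                       # "critical" or "warning"
    check: Callable[[Snapshot], bool]   # True when the rule fires
    detail: Callable[[Snapshot], str]   # human-readable evidence


# Assumed baseline of what this controller should expose; deviations from
# it are the signal. 102 = IEC 61850 MMS, 2404 = IEC 60870-5-104.
EXPECTED_PORTS = {102, 2404}
EXPECTED_SERVICES = {"mms", "iec104", "ntp"}

RULES = [
    Rule("buffer_overflow", "critical",
         lambda s: s.buffer_overflows > 0,
         lambda s: f"{s.buffer_overflows} overflow event(s)"),
    Rule("certificate_revoked", "critical",
         lambda s: s.certificate_revoked,
         lambda s: "device certificate is revoked"),
    Rule("unexpected_open_port", "critical",
         lambda s: bool(s.open_ports - EXPECTED_PORTS),
         lambda s: f"unexpected ports {sorted(s.open_ports - EXPECTED_PORTS)}"),
    Rule("unexpected_service", "warning",
         lambda s: bool(s.running_services - EXPECTED_SERVICES),
         lambda s: f"unexpected services {sorted(s.running_services - EXPECTED_SERVICES)}"),
    Rule("hardware_failover", "warning",
         lambda s: s.hardware_failover,
         lambda s: "device is running on failover hardware"),
    Rule("pdu_format_errors", "warning",
         lambda s: s.pdu_format_errors >= 5,       # assumed threshold
         lambda s: f"{s.pdu_format_errors} malformed PDU(s)"),
    Rule("refused_connections", "warning",
         lambda s: s.refused_connections >= 20,    # assumed threshold
         lambda s: f"{s.refused_connections} refused connection(s)"),
]


def assess(snapshot: Snapshot) -> list:
    """Evaluate every rule; return findings as (name, severity, detail) tuples."""
    return [(r.name, r.severity, r.detail(snapshot))
            for r in RULES if r.check(snapshot)]


def posture(findings: list) -> str:
    """Collapse findings into the single health state the agent publishes."""
    severities = {sev for _, sev, _ in findings}
    if "critical" in severities:
        return "compromised"
    if "warning" in severities:
        return "degraded"
    return "healthy"


def alert_event(snapshot: Snapshot, findings: list) -> str:
    """JSON event an IPS/IDS can consume to trigger countermeasures."""
    return json.dumps({
        "device": snapshot.device_id,
        "posture": posture(findings),
        "findings": [{"rule": n, "severity": s, "detail": d}
                     for n, s, d in findings],
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed snapshot: an RTU with an extra listener and one overflow.
    snap = Snapshot("rtu-substation-A-07", buffer_overflows=1,
                    open_ports={102, 2404, 23},
                    running_services={"mms", "iec104", "ntp", "telnetd"})
    found = assess(snap)
    print(posture(found))
    print(alert_event(snap, found))
```

The rules are kept as data rather than hard-coded branches so that a deployment can load a per-device baseline (expected ports and services, thresholds) from configuration, which is what makes the posture assessment domain-specific rather than generic host monitoring.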