Loading, processing, and managing device and tag configurations with support for IEC 61850 standard protocols

The technologies for analyzing industrial network traffic used in Kaspersky Industrial CyberSecurity for Networks provide basic information about the parameters and interactions of devices supporting protocols of the IEC 61850: IEC 61850-8-1 (GOOSE, MMS) standard. However, to get and save the most complete data about these devices, including tags in their original structured format, it is recommended to load the contents of files prepared in accordance with the IEC 61850-6 standard into the application. The contents of such files are loaded by importing projects for IEC 61850 devices.

When importing a project for IEC 61850 devices, Kaspersky Industrial CyberSecurity for Networks checks the syntax and format of the contents of the project files and analyzes the device configurations in the project for compliance with the requirements and recommendations of the IEC 61850 standard. After successfully importing a project, the application analyzes the traffic for compliance with the imported configuration. If the traffic displays interactions that deviate from the saved configuration (device interactions or transmitted settings do not match the descriptions in the configuration), the application registers events.

This way, the built-in tools for processing and managing configurations of IEC 61850 devices let you use Kaspersky Industrial CyberSecurity for Networks both as an application for protection against information security threats and as a tool for scanning files containing configuration descriptions. Based on the data from the files, the application allows you to detect errors and flaws in the design of sets of IEC 61850 devices. You can eliminate the identified errors and design flaws step by step.

Supported project types and protocol processing modules are updated along with updates to application modules and databases. You need to install updates to use all the features supported by the application for analyzing device configurations and analyzing traffic over IEC 61850 protocols.

The scenario for bringing a project into compliance with the IEC 61850 standard consists of the following steps:

1. Importing a project for IEC 61850 devices into Kaspersky Industrial CyberSecurity for Networks.

   At this step, you must import a project for IEC 61850 devices. Device configurations in the imported project must be described in SCL (System Configuration Language) and saved in one or several files used in accordance with the IEC 61850 standard. The SCL file types *.SCD, *.CID, and *.ICD are supported for importing this type of project.

   At the end of the import process, the application provides the capability to view a report on the results. To view the report, you must open the list of background operations by clicking the button in the application web interface menu and then click the Display report button after the import process completes.

   If errors or deficiencies (inconsistencies) are detected during the scan and analysis of the imported file, information about them is displayed in the report window under the following sections:

   • Syntax and formatting errors.
   • Non-conformity with the standard (no more than 100 detected non-conformities are displayed).

   If the report window does not contain any of the specified sections, you can proceed to step 3. Otherwise, carefully read the lists of errors and inconsistencies in the report window and proceed to step 2.

2. Resolving errors and inconsistencies according to the import report

   Errors and inconsistencies detected during an import may vary in their importance. Some errors (for example, syntax errors of different revisions) make it impossible to load the file and block the import of the entire contents of the project. Other errors and inconsistencies can be caused both by logical errors in the imported project and by the specific settings of the equipment being used (if the operational capabilities of the equipment let you set parameters for it without adhering to certain recommendations for using the IEC 61850 standard). The application displays the appropriate warnings for these errors and inconsistencies in the import report.

   After reviewing the lists of errors and inconsistencies found during the import, you need to decide on the necessary improvements to make in the project. Use the appropriate software tools to resolve the errors and inconsistencies.

   If you have made any revisions or additions to the project, save the project files and perform step 1 again to import the updated files. If project revisions are not required, skip to step 3.

3. Scanning objects that were created in Kaspersky Industrial CyberSecurity for Networks as a result of the project import

   At this step, you need to check the changes in the application after the import and perform additional actions with the objects in the application if necessary.

   If the imported project contains the relevant data, the application performs the following actions:

   • Adds new devices (or updates existing devices) while indicating the address information of the participants of network interactions.
   • Adds Process Control settings for devices and saves the following in these settings:
     • Monitored system commands
     • Subscriptions and data blocks for the MMS and GOOSE protocols
   • Adds tags of the MMS and GOOSE protocols in the original structured format of tags.
   • Generates Interaction Control rules based on information about devices in the imported configuration.

   For tags in structured format, it is not possible to define conditional Process Control rules to track values. If you want to check the values of tags using the application, you can use rules with Lua scripts for this purpose.

4. Tracking events registered upon detection of deviations from the saved configuration in traffic

   The application uses a saved configuration to analyze industrial network traffic. If the traffic displays interactions that deviate from the saved configuration (device interactions or transmitted settings do not match the descriptions in the configuration), the application registers events based on Network Integrity Control and Command Control technologies.

   When analyzing interactions over the IEC 61850: GOOSE protocol, the application registers events in the following cases:

   • Inconsistencies in the MAC addresses of the sources and recipients of messages are detected.
   • Factory configurations are detected (identical goID in GOOSE messages).
   • Duplicate names/addresses are detected.
   • Inconsistencies in ConfRev versions are detected.
   • Inconsistencies in the statuses of GOOSE messages are detected.
   • Inconsistencies in the main parameters of GOOSE message packets are detected.
   • Inconsistencies in signal quality settings are detected.
   • Inconsistencies in the message transmission sequence are found.
   • A GOOSE message from an undescribed device is detected.
   • An undescribed GOOSE message from a described device is detected.
   • Changes in the structure of a data packet in a GOOSE message are detected.
   • Inconsistencies in the use of the VLAN ID in GOOSE messages are detected.
   • Inconsistencies between tag values and created Process Control rules are detected.

   When analyzing interactions over the IEC 61850: MMS protocol, the application registers events in the following cases:

   • Inconsistencies in IP or MAC addresses are detected (taking into account the interactions through routers).
   • Duplicate names/addresses are detected.
   • Inconsistencies in ConfRev versions are detected.
   • Inconsistencies in the sequence of executed system commands are detected.
   • Inconsistencies between tag values and created Process Control rules are detected.
   • Inconsistencies in client-to-server connection methods (read/write or by subscription) are detected.

   The duration of the event tracking phase depends on the frequency of device interactions and changes in operating modes within the industrial process. If your assessments indicate that all monitored devices have performed their intended operations and the application does not register any events for the above reasons, the scenario for bringing the project into compliance with the IEC 61850 standard can be considered complete. Otherwise, if events are registered, go to step 5.

5. Fine-tuning the project to eliminate deviations from the saved configuration

   When investigating the reasons for event registration, first verify the absence of information security threats and the absence of industrial process violations.

   After you are convinced that the events were registered due to errors or inconsistencies in the saved configuration, you need to decide on the necessary improvements to make in the project. Use the appropriate software tools to resolve the errors and inconsistencies.

   If you have made any modifications to the project, save the project files and repeat the steps in this scenario starting with step 1.

After taking all the necessary actions to bring the project into compliance with the IEC 61850 standard, you can use all of the functions of Kaspersky Industrial CyberSecurity for Networks in monitoring mode. However, it is recommended to regularly assess the security and performance of the industrial network infrastructure by employing the following application features:

• Monitor network sessions and perform online monitoring to assess current network congestion (including by using the Traffic and Tags widgets).
• Use Asset Management, Interaction Control and Intrusion Detection to monitor the appearance of devices with new addresses on the network.
• Monitor events to track undescribed messages registered in events based on Command Control technology and to track faults and network errors registered in events based on Intrusion Detection technology (system event type codes 4000005100, 4000005101, 4000005102, 4000005103, and 4000002701) and in events based on Asset Management technology (system event type code 4000005005).

Page top