A Midwest-based electric utility was looking to add a security layer to its communications network, primarily to achieve compliance with new, broader NERC CIP v6 requirements for Low Impact Cyber Security Assets.
In addition to implementing LERC/LEAP initiatives for the purpose of compliance, the utility took the opportunity to leverage the project and further upgrade the existing substation networks with the latest security technology. After researching and testing multiple systems, the utility finally chose Radiflow.
Several requirements needed to be met to support the network project:
- Mechanism to control and monitor access to substation assets, according to NERC CIP v6 requirements
- Mechanism for creating specific firewall rules at BES Asset Boundaries for a variety of substation topologies, as per new CIP requirements
- Compliance with upcoming NERC CIP requirements for transient assets
- Serial connectivity, which is still required at several substations for legacy applications
- Environmental hardening, an imperative because the power supply to hundreds of thousands of customers would be controlled and monitored by this technology
- User-friendly configuration and management
For this project the utility chose Radiflow’s 3180 Ruggedized Security Gateway. It has the capability to monitor traffic and send syslog connection data messages back to a central server. This allows the operator to examine traffic patterns and create specific firewall rules that can be loaded back into the 3180.
For secure remote access the 3180 offers a unique, highly granular feature called APA (Authentication Proxy Access). APA allows the operator to define specific date/time/user/device/protocol parameters for remote IED access. Once a technician has authenticated into a 3180 successfully, a PCAP record is generated and stored for future network forensics.
The 3180’s DIN-rail mounting and compact size make it perfect for small enclosures, while supporting a variety of interfaces – copper and fiber Ethernet, serial and even dual-cellular ports. Support for multiple 3G/4G networks assures continuous connectivity without overloading the limited microwave links.
The Radiflow 3180 gateway can be ordered with serial RS232 or RS485 interfaces to support legacy applications via a terminal server application.
The 3180 switch meets and exceeds the rigorous requirements for IEEE 1613 and IEC 61850-3 certifications, which define the benchmark standards for communication devices within power utility environments.
In addition to the 3180 Gateway, the project included Radiflow’s iSIM management tool, as well as the iSID Industrial Cyber Security & Intrusion Detection System.
Radiflow’s iSIM is a powerful centralized management tool for provisioning all the features on the 3180, including ACL management. It presents a network topology map in both logical tree structure and graphical map. Additionally, it supports pre-scheduled software updates and database backups for Radiflow switch products.
Radiflow’s iSID Industrial Cyber Security & Intrusion Detection System enables mapping application flows in substations, which in turn allows writing more accurate and more secure firewall rules in preparation for firewall deployment. Used as a passive monitoring tool, iSID can also detect and alert on any anomalies in the substations using its six security engines. It continuously checks for known vulnerabilities (signatures) and anomalies and is able to alert SIEM systems of potential attacks.
Factors that pushed Radiflow into the winner's circle included:
- Numerous security features, all contained within one compact device (firewall, APA, VPN, etc.)
- Ability to monitor connections and provide relevant data back to a central site
- Radiflow Engineering and Technical Support Services
- A comprehensive cybersecurity solution and associated management capabilities
Installing the Radiflow 3180 Ruggedized Gateway at one of the Utility’s substations
One of the remote substations included in the project