The Laboratory of Cybersecurity in the Smart Grid emulates a Software - Hardware real time communications environment of a Primary Distribution Substation, in which the electronic equipment (IEDs) that control and supervise the electrical equipment (switches, transformers, ...) have been deployed. It also simulates a Control Center, with basic functionalities, to which the Substation equipment is connected. The laboratory allows to: - Simulate the real communications between the different equipment and systems of the control center and the substation. - Play a set of cyber attacks through tools for generating penetration tests (ethical hacking) - Test the response of equipment (RTU, SCU, protection relays, ...) and information systems (SCADA, LDAP server, ...) from external manufacturers to those attacks. - Test the effectiveness of attack detection tools developed by external manufacturers. The two environments (substation and control center) are connected through an Ethernet network established between two routers. This allows the management of external access to the laboratory. Both routers establish a VPN connection.
Asset protection
Attack detection
Attack response
Identification of threats and risks
CONTROL CENTER
The laboratory is composed of two environments, the Control Center environment in which a SCADA has been installed and that simulates the operation of the electric grid (reduced to a substation), and the substation environment in which the electronic equipment is installed (SCU and relays of Protection).
CONTROL CENTER COMPONENTS:
The components of the Control Center environment are:
-Router: Allows to establish a VPN connection with the router of the substation.
-Internal Switch: Connects all computers in the control center.
-SCADA equipment. It contains the monitoring and control software (SCADA) of the substation. It also allows to modify the configuration of the IEDs from the Control Center.
-Computer LDAP and NTP servers: This equipment houses the different servers that are accessed from the IEDs of the substation:
-Server running the services:
* LDAP: Performs management of the control, access (authentication and authorization) of users and information systems to the IEDS.
* NTP — provides the time synchronization service.
SecureGrid Hacking Tool Box (HTB)
SecureGrid Hacking Tool Box (HTB) is a tool box that allows to configure and perform different penetration tests to electronic devices of an electric substation.
SecureGrid HTB is thought to be used by the equipment manufacturers to check the security level of their equipment.
SOTER
Monitoring of anomalies in electrical substations and industrial plants
SUBSTATION
The laboratory is composed of two environments, the Control Center environment in which a SCADA has been installed and that simulates the operation of the electric grid (reduced to a substation), and the substation environment in which the electronic equipment is installed (SCU and relays of Protection).
SUBSTATION COMPONENTS:
-Router: Allows to establish a VPN connection with the router of the control center.
-Substation Control Unit (SCU): It makes the functions of a remote unit by establishing the communication with the SCADA of the control center through the Telecontrol IEC 60870-5-104 Telecontrol protocol. Other protocols that are accepted are the Modbus TCP and the DNP3-TCP. On the other hand, it also makes the client functions 61850 of the protection relays through the protocol IEC-61850.
-Industrial Switch: Connects all IEDs by setting up the substation Bus.
-Protection relays: Perform the protection functions of the electrical equipment (switches, transformers,...). These relays implement the Protocol IEC-61850, which allows them to receive the electrical signals generated by the team OMICRON – CMC 850, communicate with the SCU, and launch GOOSE between them.
-Power supplies: Those relays whose power supply is in continuous (VCC) are equipped with their corresponding power supply.
-SCADA equipment. It contains the monitoring and control software (SCADA) of the substation. It also allows to modify the configuration of the IEDs from the Control Center.
-OMICRON – CMC 850: Allows to simulate up to 3 Merging units, electrical data acquisition equipment of the substation. This equipment is connected to the TCP/IP protection relays via the substation Bus.
-OMICRON – CMC 256: Allows to simulate electrical signals and connect them directly to the protection relays through the digital input and output connections. In addition, it allows to simulate the activity of switches.
WHITEZONE
WHITEZONE prevents malware presence at the operational zone of industrial plants, restricting the access to the delimeted area designed as operational zone, only to the authorised users carrying safe and identified software. This is a way of securing the industrial zone and improving the update process of the industrial production control (ICS) devices. It offers the following functionalities:
• Ensures that the information that is to be used within the operational zone by means of a USB key is secure, i.e. there is no virus or malware.
• Authenticates users manually or via an NFC card.
• Allows to choose the data that is going to be used in the protected zone and analyzes it to search for any virus or malware or any data not allowed through a multi-virus service in the cloud. If this verification is exceeded, it ejects a key "USB Whitezone ©" where the encrypted and signed data will be copied, to avoid modifications. These USB Whitezone © will be the only valid one within the protected operational zone. In addition, this component sends, in real time, all its activity to the BackEnd software.
• The Software Agent is an element that controls all USB port activity on the computer on which it is installed. If a non-Whitezone © USB device is inserted, it will be ejected immediately, making it impossible to use. If a USB Whitezone © is connected, it verifies that its contents have not been altered. If it has been altered, ejects the USB and otherwise decrypt the information contained so that the data is available. The software agent can communicate, in real time, all its activity to the BackEnd.
Validation of the new cybersecurity capabilities required by current cybersecurity standards such as IEC 62351, IEE 1686 and/or IEC 62443.
Use of a set of tools to perform ethical hacking that simulates different types of cyber-attacks (DoS, Man in the Middle and/or credential theft, among others).
Simulation of real communications between the different equipment and systems in control centres and electrical substations in order to carry out cyber-attack tests to test the response that the equipment (RTU, SCU, protection relays, …) and information systems (SCADA, LDAP server, …) developed by different manufacturers offer to these attacks.
Simulation of real communications between the different equipment and systems in control centres and electrical substations to carry out cyber-defence tests that allow to test the effectiveness of the attack detection tools developed by different manufacturers.