Crucial To Deployment
Ethernet switch technology plays key role in NERC CIP perimeter security requirements
- By Jim Krachenfels
- Mar 01, 2012
Common sense—and the North American Electric Reliability Council’s cyber security standards (NERC CIP) for North America—suggests that security in power stations is of utmost importance. With the growth of IP-based network applications throughout the power industry, power plants have increased their ability to control and monitor both central utility operations and remote installations. NERC identifies security concerns and lists a set of requirements for minimum security in the industry.
Physical security, as defined by NERC CIP, has an IP component to it. The standards-based flexibility of IP-compatible products provides the best-known solution for the security and surveillance of power plants.
At one nuclear power plant, thermal imaging infrared cameras are installed around the physical perimeter of the facility to provide state-of-the-art threat detection and assessment capability. The plant is protected by a FLIR thermal fence, which provides a fully integrated perimeter alert system.

The perimeter protection solution incorporates both thermal security cameras and the FLIR sensors manager control and management software to create a full virtual fence solution, capable of protecting critical infrastructure sites.
Underlying Network Support
In order to connect the virtual fence with staff in the plant and at central operations, Ethernet switches that can operate reliably under the harsh conditions at the plant were required. Because the perimeter security is integrated with a single ring-based network within the facility, which is required to securely manage a variety of functions, the switches need a variety of port types to support various equipment requirements.
Externally located switches that connect to components of the thermal fence needed to be hardened to withstand harsh temperatures (-40 to 85 degrees C). In addition, they needed to be outfitted with sealed cases that would protect against rain, dirt and other contaminants.

While some designers attempt to use commercial switches with elaborate protection schemes or dramatically reduced MTBF expectations, industrially hardened switches—in this case, Magnum 6K field switches—solve the problem with a sealed, convection-cooled model that features an advanced thermal design that allows the case to serve as a heat sink.

Magnum switches offer unique port-configuration capabilities that provide the highest level of flexibility in specifying port types. The outdoor units are specified with a number of managed PoE ports that enable both data and power to run over a single cable to support the cameras.
Video Data Management
Because of the high bandwidth requirements of a video surveillance system, managing the large volume of security data from the video feeds requires sophisticated data management capabilities, such as IGMP Snooping and IGMP-L2. For efficiency, it is important to develop a way to selectively manage IP video multicast traffic. The common approach uses the standard Internet Group Management Protocol (IGMP), which requires routers in addition to switches.

GarrettCom’s IGMP-L2 is a switch-based system that simplifies the network and eliminates wasted bandwidth consumption while still permitting large numbers of multicast data streams to be efficiently handled, with video feeds delivered to suit each viewing user’s needs.
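As an added illustration of the IGMP snooping idea described above (example code written for this article, not GarrettCom’s IGMP-L2 implementation), the model below parses IGMPv2 membership reports and leave messages, verifies their checksum, and forwards each multicast group only to the ports that asked for it instead of flooding every port. The `SnoopingSwitch` class, the port numbers and the group addresses are constructed for the example.

```python
import ipaddress
import struct
from collections import defaultdict

# IGMPv2 message types (RFC 2236); the header is 8 bytes: type, max resp time, checksum, group
IGMP_V2_MEMBERSHIP_REPORT = 0x16
IGMP_LEAVE_GROUP = 0x17

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071); yields 0 over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_igmp(msg_type: int, group: str) -> bytes:
    """Constructed test input: an IGMPv2 message for `group` carrying a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_igmp(pkt: bytes):
    """Return (type, group) or None when the message is too short or its checksum fails."""
    if len(pkt) < 8 or inet_checksum(pkt[:8]) != 0:
        return None
    msg_type, _, _, group = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(group))

class SnoopingSwitch:
    """Simplified IGMP-snooping switch: learns per-group listener ports from reports/leaves."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.members = defaultdict(set)  # multicast group -> ports that reported membership

    def on_igmp(self, port: int, pkt: bytes) -> None:
        parsed = parse_igmp(pkt)
        if parsed is None:
            return  # corrupted or truncated control traffic must not alter the forwarding table
        msg_type, group = parsed
        if msg_type == IGMP_V2_MEMBERSHIP_REPORT:
            self.members[group].add(port)
        elif msg_type == IGMP_LEAVE_GROUP:
            self.members[group].discard(port)

    def egress_ports(self, group: str, ingress_port: int) -> list:
        """Ports a multicast data frame for `group` is sent to, never back out its ingress port.
        A group with no snooped listeners is flooded, which is what a switch without snooping
        does for every multicast frame; snooping confines known streams to their subscribers."""
        listeners = self.members.get(group)
        targets = listeners if listeners else self.ports
        return sorted(targets - {ingress_port})
```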
Ring Topology
The switches are organized into interlocking ring configurations that provide rapid fault recovery to meet the plant’s needs for highest reliability. The switches offer fast link recovery using RSTP-2004.

The network topology requires a full range of fiber and copper port options, as well as a variety of bandwidths. Switch capabilities range from server room switches with up to 32 ports and gigabit bandwidth support for fiber backbones to smaller field switches that can support connectivity to the security system components and intelligent electronic devices (IEDs) within the plant. VLANs are used to provide secure communication tunnels. Secure switch management software can provide an extra level of reliability, including functionality such as SSH and SSL access; Secure FTP connections for large file transfers, software downloads, configuration files and scripts; support for up to 256 VLANs; Modbus protocol support over TCP/IP; TACACS and RADIUS server authentication; and the ability to have external events (Syslog) put into the switch’s Event Log to correlate with local security events.
The use of IP for power utility perimeter security—and, in fact, for all utility networking—adds a new level of flexibility and bandwidth. Although there is concern among some in the industry that IP introduces a new level of cyber attack risk, it is clear that even NERC recognizes that the benefits of the increased functionality outweigh the concerns. Careful and insightful development of security infrastructure can provide security systems that are not only effective today but are future-proof and scalable to meet future needs.
This article originally appeared in the March 2012 issue of Security Today.