SecureRTU: security on RTU configuration
management by Digital Signatures
Alessandro Distefano (lead author)
and Luciano Zaretti
and Giandomenico Lattuada
Terna Rete Italia - www.terna.it
[email protected]
Email:
[email protected]
[email protected]
[email protected]
[email protected]
Abstract—Security in energy and power industry is histori-
cally a hard-to-solve topic. In this paper, according to the current
security improvement trend, we describe a new architecture called
SecureRTU (SRTU) aiming at securing the management of the
RTUs configuration workflow. SRTU supports Integrity, Authen-
ticity and Non Repudiation leveraging on Digital Signatures and
can be combined with other security services and protocols (e.g.,
IEC 62351).
Keywords—Electricity supply industry, Security, Digital signa-
tures, Information security.
I. I NTRODUCTION
Historically, in the power industry, the focus has been
mainly on implementing equipments able to keep the power
system secure and reliable while, until recently, the communi-
cation and information flows have been considered less impor-
tant. However, since the Information Infrastructure supporting
the operation of the power system has become pervasive, it
has become critical to the reliability of the power system
itself. Hence it is fundamental to ensure the security and
the reliability of the Power System Infrastructure and of the
Information Infrastructure as well.
A. Information Security in Energy Industry
Regarding this topic, Information Security has gained
tremendous importance for energy production, transmission
and distribution over the last years. At the same time, a secure
grid operation and management causes new use cases which
the well-established standards and protocols (e.g., IEC 61850,
IEC 60870-5) do not address. Both the IEC 61850 and IEC
60870 are flanked by the IEC 62351 that addresses security
and specifies technical requirements which have to be met by
vendors and technology providers[1].
B. Cyber Security Threats in Electric Utilities
A sound security management entails a much larger scope
than just the authentication of users and the encryption of
communication protocols. In fact end-to-end security involves
security policies, access control mechanisms, key management,
audit logs, and other features related to critical infrastructure
protection[2]. In such scenario we can arrange the main
security threats into the two following groups:
978-1-4799-7736-9/15/$31.00 ©2015 IEEE
Stefano Zanin
and Danilo Dealberti
Selta spa - www.selta.it
Email:
• Inadvertent Threats: Safety Failures, Equipment Fail-
ures, Carelessness and Natural Disasters.
• Deliberate Threats: Disgruntled Employee, Industrial
Espionage, Vandalism, Cyber Hackers, Viruses and
Worms, Theft and Terrorism.
The key point is that the overall security of power systems
is hampered not only by espionage or terrorism but by many
other threats, deliberate or inadvertent, that can have very
serious consequences as well[4]. At the same time, it is
fundamental to note that additional security troubles are related
to the business and the business processes that large and small
utilities have (e.g., the relations with institutions, stakeholders
and service providers[3]).
C. Enforcing Security in Power Industry
Power system operations pose security challenges that are
different from other industries and, at the same time, in the
security industry there is typically a lack of understanding of
the security requirements and the potential impact of security
measures on power system operations. Often the security
services and technologies have been designed for industries
that do not have many of the strict performance and reliability
requirements needed by power system operations. We can cite
some differences as follows:
• Unauthorized access to power systems can be more
serious than others.
• Communication channels are often narrow-band so
limiting the implementation of security features.
• Equipments are located in wide-spread, unsupervised
and remote sites.
• Systems are connected by multi-drop channels.
• Limitations on wireless technologies due to the noisy
electrical environment.
1) Main Security Measures: Because of the large variety
of security requirements, communication methods and perfor-
mance characteristics and because no single security measure
can face all types of threats, often the best choice is to
implement multiple layers of security measures. Translating
356
requirements and needs into desired features and services, it
is possible to note that the main aspects to be addressed can
be the following:
• Identity Management: identities and the related appli-
ances must be uniquely identified and managed.
• Mutual Authentication: given a communication the
entities taking part can always mutually identify them-
selves.
• Authorization: the permissions provided to systems
and persons are specified and systematically enforced.
• Audit: each occurring event have to be recorded,
stored and protected.
• Confidentiality: only the authorized systems and per-
sons can access to each given information.
• Integrity: for each information the consistency and
accuracy must be ensured during the entire lifecycle.
• Availability: for each information must be defined a
proper set of measures in order to ensure the access
to the information and the quality (e.g., Service Level
Agreement) of such access.
2) Modularity and Interoperability: As introduced in the
previous section, implementing security often means to adopt
different levels of countermeasures hopefully belonging to well
known standards or products. For such reason modularity and
interoperability are very important for security products and
often determine their success and wide adoption. Modularity
refers to the possibility to customize a given security suite
in order to enable or disable the different features. While
interoperability is strongly related to the compatibility between
different security solutions, services and suites. The architec-
ture proposed in this paper is both customizable (e.g., security
suites, communication protocol) and interoperable with well
known standards (e.g., IEC 62351) and can use the bottom
layers security services and features (e.g., SSL, TLS).
3) Standards for Information Exchange and Cybersecurity:
The task of matching cybersecurity with information exchange
standards, functional requirements standards, object modeling
standards, and communication standards is very complex and
there is rarely a one-to-one correlation, with more often a one-
to-many or many-to-one correspondence.
1) Communication standards are designed to meet many
different requirements at many different “layers” in
the reference model. Two common reference models
are the ISO-OSI 7-layer reference model and the
GridWise Architecture Council (GWAC) Stack [5].
2) Regardless of used communications standards, cyber-
security must address all layers from the source to the
destination of the data.
3) The cybersecurity requirements must reflect the envi-
ronment where a standard is implemented while com-
munications standards do not address the importance
of specific data or how it might be used in systems.
4) Some standards are described using “shall” ,“should”
, “may” or “could” statements causing the whole
stardard to be vague.
357
Therefore, cybersecurity must be viewed as a stack or “profile”
of different security technologies and procedures, woven to-
gether to meet the security requirements of a particular imple-
mentation of policy, procedural, and communication standards
designed to provide specific services.
II. RTU S C ONFIGURATION M ANAGEMENT
Remote Terminal Units (RTUs) are the devices commonly
used in Supervisory Control And Data Acquisition (SCADA)
in order to support the communication between SCADA cen-
ters (typically servers) and the managed and controlled field
(e.g., power plants, electrical stations). Regarding the Terna
scenario, RTUs are used to exchange the following main kinds
of information:
• Commands: orders given from the SCADA center and
received by the field to perform modifications on the
arrangement of the electrical grid.
• Signals: information sent by the field and received by
the SCADA center (e.g., response to a given command
or alarms from the field).
• Measures: information sent by the field and received
by the SCADA center regarding levels of current,
power, voltage or energy.
The set of Commands, Signals and Measures of a given RTU
can be named as the RTU SCADA objects. The information
set composed by RTU SCADA objects and by information
strongly related to the network and configuration of the same
RTU (most often called RTU parameters) can be referred as
the RTU configuration. The configuration of a given RTU,
typically, evolves during time due to the addition and deletion
of SCADA objects and the modification of RTU parameters
and the proper management of RTU configuration is a crucial
element in order to securely and safely manage the correct
exercise of the given RTU.
A. Terna approach
Currently, Terna is completing the deploy of the new
system focused on the conduction and control of the Italian
grid; such system, named SCCT, will overcome a lot of
limitations and restrictions imposed by the previous system
(e.g., Data Engineering issues, complexity and capacity limits).
Relating SCCT, which is strictly related to RTU operation,
the implementation of a stronger, more secure, more accurate,
more efficient and semi-automated management of RTU con-
figurations has been a main requirement. In fact, the previous
overall workflow was leveraging on several and loosely auto-
mated tasks (e.g., usage of spare Excel spreadsheets) in order
to compose, load and maintain the RTU configurations. We
can depict a very simplified version of the current workflow
in Figure 1, where it is possible to note how the RTU
configuration is built from the information stored in the Terna
master database describing the whole electrical grid (Grid
Master Data - GMD). Such workflow, although is able to solve
several issues due to the manuality of the previous one, should
be hardened since the RTU is unable to validate the quality and
the reliability of a given configuration: in other words, given
a binary ready-to-load configuration the RTU cannot deny to
load it.

Fig. 1. The SCCT RTU configuration workflow.
Currently, the entire management of all the RTU configu-
rations is organized as follows. Both the GMD and the central
repository, in charge of maintaining all the source configura-
tions, are centralized within the team supporting all the Data
Engineering tasks related to the electrical grid. Each time a
given plant requires a reconfiguration (e.g., due to changes of
the surrounding grid) the new source configuration, stored as
XML file, is created and subsequently it is processed by the
RTU vendor-related tools (e.g., ABB or Selta manufacturer)
in order to build the binary and ready-to-load configuration
which is stored in a vendor-dependent format. When the binary
configuration is ready, it is required to obtain an agreement
between the teams responsible of the daily operation of the
grid and the central Data Engineering team in order to avoid
any kind of outages related to the update of RTU configuration.
Typically, if the given plant requires also other activities, is
frequent that the update is locally supervised by the Terna field
staff; anyway, the update is started and performed remotely,
while the field staff could attend if any issue occurs. When
the update is completed, and the RTU performs as expected,
the central Data Engineering team takes care of updating the
central repository storing the new official configuration in place
of the previous one.
B. Desired improvements and security requirements
Since the RTU is able to load any binary configuration, it is
possible that the central official repository could be disaligned
with respect to the one loaded into a single RTU at a given
time. Such tricky situations, which can lead to a lot of troubles,
could be caused by unofficial update eventually loaded directly
onto the RTU. Furthermore, since the RTU loads a binary
configuration, a change can be performed also directly on
the ready-to-load configuration without being replicated on
the XML source and/or in the GMD. In any situation, a
disalignment between the source information (GMD or XML),
the central repository and the configuration loaded into a given
RTU is hazardous. At the same time, until the RTU can load
any binary configuration it is impossible to implement an end-
to-end secure management because the final destination of the
digital data is the RTU itself. Hence the securization of the
end-point RTU is the final strategy in order to prevent any
358
disalignments. For such reasons, several security requirements
about the entire management of RTU configuration workflow,
arose. The main requirements can be summarized as follows:
• Integrity: means maintaining and assuring the ac-
curacy and consistency of data over its entire life-
cycle. This means that data cannot be modified in
an unauthorized or undetected manner. Integrity is
violated when a configuration is actively modified
between its creation and loading.
• Authenticity: means confirming the identity of a per-
son, tracing the origins of an artifact, ensuring that a
configuration is what its packaging and labeling claims
to be.
• Non-repudiation: means the guarantee that a given
configuration has been compiled by the part claim-
ing to have generated it. With non-repudiation it is
impossible that the entity which has compiled the
configuration can later deny its responsibility.
Such requirements matches the general security require-
ments of a common scenario where Digital Signatures can
be applied with success; hence we decided to explore the
possibility to use Digital Signatures on RTU configuration
management. The goal was to enhance RTU features in order
to allow the understanding and validation of a Digital Signature
applied to the configuration ready to be loaded as shown in
Figure 2.
Fig. 2. The Secured SCCT RTU configuration workflow based on SecureRTU.
C. Exploiting DS in RTUs Configurations Management
A typical Digital Signature (DS) schema is composed by
the following main entities:
• A digital content to be signed and lately verified.
• One or more pairs composed by a secret key, used to
sign the digital content, and a digital certificate used
to store the public information of a given identity.
• One or more entities able to generate signatures,
typically each one equipped with a pair as abovemen-
tioned.
 • One or more Certification Authorities (CA) issuing the
aforementioned pairs and ensuring the match between
the known identities and the issued certificates and
secret keys.
III. T ERNA S ECURE RTU
As described in Section I-C, when security must be de-
ployed in a real scenario, and in particular in Power Industry,
it is mandatory to perform several strategic choices (e.g.,
performance, usability).
A. Overall Architecture
Relating the Terna scenario, it has been enough to imple-
ment the following schema.
A single CA which is in charge of the issuing and man-
agement of all the secret keys and certificates storing all the
relevant information about the known entities (e.g., name,
staff unit, responsibilities, validity constraints). Each subject
designed as able to sign RTU configuration receives a pair
made by a certificate and a secret key which allows the entity
to sign configurations which can be lately verified.
The RTU (from now called SRTU) asked to load a signed
configuration, first check the correctness of the proposed signa-
ture, then asks to the CA to check the validity (e.g., temporal,
administrative) of the issuing signer of the configuration. The
signature of any configuration is stored in XML open format
allowing to anyone to open and read the signature information.
The choice to leave to CA the effort due to the check of
all the certificates presents both advantages (e.g., lightening of
SRTU effort, avoiding to distribute signer’s certificates) and
disadvantages (e.g., single point of failure). However, since
the CA is implemented by a fully redounded and load-balanced
central server with disaster recovery measures, it seems not to
be a limit for the overall architecture.
It is worth to note that Terna has a redundancy in the
RTU configurations repository as well (as described in Section
II-A). In fact, at a given time there are three hypothetically
valid configurations for a given RTU: the one stored by
the RTU itself, the one held by the Data Engineering team
and the one stored by the SCADA repository. Since these
three configurations must be always kept aligned, the same
validation of a signed configuration performed by a SRTU
must be performed when the same configuration is stored
into the SCADA repository. For such reason, the SCADA
repository has been equipped with the same validation features
deployed onto the SRTU and talk to the CA following the same
protocol being described in Section III-A3.
1) Certification Authority: CA is implemented as a server
running on Red Hat Enterprise Linux virtual machine which
can support the customized communication protocol being de-
scribed in Section III-A3. CA provides two different interfaces:
the SRTU interface supporting the communication between the
SRTUs and the CA, in order to validate the signatures related
to each candidate and signed configuration, and the User in-
terface supporting the management (e.g., release, modification,
examination) of the whole set of the known certificates.
The SRTU interface has been implemented by a simple
set of processes running on background and listening to a
359
given and fixed port where the SRTUs know the CA is up
and running. The IP address of the CA is stored in the
Distinguished Name of the digital certificate of the CA itself
which is shared with all the SRTUs.
The User interface has been implemented as a simplified
front end for the security suite used by the CA (OpenSSL
security library). Such interface provides support to remotely-
logged-in users in order to perform the examination and release
of certificates. We can state that the overall SRTU architecture
uses only two kinds of digital certificates. The first, which is
unique, is the digital certificate of the CA; while the second,
having multiple instances, is the set of certificates given to
users able to sign RTU configurations.
2) Security Suite: All the security features have been
implemented using the Elliptic Curves (ECs) asymmetric en-
cryption schema. ECs, currently, represent an efficient alterna-
tive to other schemas due to the mathematic features of the
computations it relies on. In fact, the problem of finding ECs
factors is computationally harder to solve if compared to other
common problems related to asymmetric encryption (e.g., big
integers factorization). For such reason, ECs are among the
desirable schemas when the high efficiency and reduced key
lengths are interesting requirements. For instance, the current
NIST recommendations on key to be used in cryptography
state that 224 bits-EC keys are comparable to 2048 bits-RSA
keys in terms of robustness and security [6]. Since we consider
the efficiency as a strongly desired feature, we choose to use
Elliptic Curve Digital Signature Algorithm (ECDSA) in order
to implement the whole SRTU architecture.
3) Communication Protocol: The entire communication
protocol between SRTUs and CA follows the Client-Server
paradigm and it is made by a restricted set of messages
exchanged through XML format in order to improve the
portability and standardization of the whole architecture. The
messages can be organized as follows:
• Requests from the SRTU: messages sent by the SRTU
to the CA. For instance, SRTUs contact CA in order
to identify the CA itself and further to obtain the
validation of a given SRTU configuration issuer.
• Responses from the CA: messages sent in response
to a given request and conveying the information
requested by the SRTU. For instance, CA answers to
a given SRTU when it is requested to be identified or
when the CA must check the validity of the signer of
a given RTU configuration.
The following XML fragment shows the request that is
made from SRTU to CA in every interrogation in order to
properly identify the CA:
<XML_CONF_VALIDATOR>
<ID>AUTH</ID>
<TIMESTAMP>21/11/2014 11:30:46</TIMESTAMP>
<NOUNCE>
30462841871428404886824718656270
</NOUNCE>
<SIGN>0</SIGN>
</XML_CONF_VALIDATOR>
The following XML fragment shows the identification
answer from CA to SRTU, the identification is ensured by
the element <SIGN> which stores the signature of the answer provides great flexibility as any upgrade can be carried out
itself signed with the private key of the CA: without any interference with standard telecontrol operations,
which is implemented by other segregated processes, and
<XML_CONF_VALIDATOR> without the need of a kernel change. Furthermore, it allows
<ID>ACK_AUTH</ID> to support in a very smart way any security upgrade as soon
<TIMESTAMP>2014-Nov-21 10:30:47</TIMESTAMP>
as a new fix or release is available for the OpenSSL library.
<NOUNCE>
The simplified flowchart of the SRTU process is depicted in
30462841871428404886824718656270
</NOUNCE> Figure 3.
<SIGN>
MEUCIQC8x7bwPpQZFPVuBpg545e3VFoe
62pQxSlmunkv8R7brQIgXeeo7PD1ZT5+
s88+x3tb623114kKmB3ZUOz91yNBnoo=
</SIGN>
</XML_CONF_VALIDATOR>

The following XML fragment shows the request that is

made from SRTU to CA in order to validate the issuer of a
given SRTU configuration signature, the issuer is identified by
the element <DN_PROD_CONF>:

<XML_CONF_VALIDATOR>
<ID>AUTH_CONF</ID>
<TIMESTAMP>21/11/2014 10:35:17</TIMESTAMP>
<NOUNCE>
65531244803860665766706221054113
</NOUNCE>
<DN_PROD_CONF>12345_John_Doe</DN_PROD_CONF>
<CERT_ID>01</CERT_ID>
<SIGN>0</SIGN>
</XML_CONF_VALIDATOR>

The following XML fragment shows the answer (which is

signed as well as the previous case) from CA to SRTU in order
to validate the issuer of a given SRTU configuration signature,
the result is shown by the element <ANSWER>:

<XML_CONF_VALIDATOR>
<ID>ACK_AUTH</ID>
<TIMESTAMP>2014-Nov-21 10:35:18</TIMESTAMP>
<NOUNCE>
65531244803860665766706221054113
</NOUNCE>
<ANSWER>OK</ANSWER>
<SIGN>
MEUCIBKnVV89WY8GqD9jx4wsSI3WIYD4
heGFcY5ID8Eu2qY1AiEAornSp6Z+aMzs
aVqAyCcNARyZW02YFC95rQYI3rj8daI=
</SIGN>
</XML_CONF_VALIDATOR> Fig. 3. The simplified flowchart of the SRTU firmware.

4) RTU Firmware: Selta RTUs are made by specialized
I/O cards (e.g., digital inputs, digital outputs, analog input,
analog outputs) and a communication and management central
processor unit equipped with a 32 bit MMU-capable pro-
cessor. In order to support a wide spectrum of features and
protocols, the central processor is equipped with a Linux
Operating System. Such central unit executes the whole RTU
software platform (commonly referred as the RTU firmware)
made by different processes, each one dedicated to a specific
function (e.g., supervision center communication, I/O cards
management). The SRTU has been implemented by one of
such specialized processes: this process, implemented in C++
language, supports the protocol described in Section III-A3 and
uses OpenSSL crypto library for every crypto-operation (e.g.,
verification, hash computation). This implementation strategy
5) SecureRTU Deploy: The whole SRTU architecture has
been designed and implemented keeping the deploy effort as
minor as possible. Hence, it has been fundamental to identify
the best-performing strategy in order to implement both the
CA and the new features the SRTU must support. Regarding
the CA, as already described, the choice was to implement it
as a standard fully redounded and disaster recovery resilient
centralized server while regarding the SRTU the chosen strat-
egy was to implement the SRTU features as an independent
and stand-alone process. Following such strategy, the benefits
are twofold:
• The deploy of SRTU onto a standard RTU means a
simple firmware update and such task can be per-
formed also remotely.

360
 • The SRTU features, being segregated on a different
process, cannot negatively affect the other standard
services of the SRTU.
Hence the massive deploy of SRTU can be performed by
updating only the RTU firmware, in order to support the new
features, without any need to change neither RTU hardware
nor other RTU software. Such item is strongly desirable since
Terna plans adopt the SRTU architecture for all the RTUs
currently used to control and conduct the Italian National Grid.

IV. C ONCLUSIONS
In this paper we present a new idea to manage, in a
more secure way, the workflow of compiling and installing
RTUs configurations. The proposed architecture, named Se-
cureRTU, is able to ensure the Integrity, Authenticity and
Non Repudiation security features as desired. Furthermore, the
technical and financial effort required to adopt the architecture
is reduced and very interesting if compared to more complex
configuration management systems. Moreover, the architecture
is fully compatible and interoperable with other standards (e.g.,
IEC 62351) each one focusing on specific and different aspects
of security in energy environments. Currently the solution has
been implemented as a prototype only for Selta RTUs. In the
near future, Terna plans to perform the following activities:
• Extend the prototype to other RTU manufacturers
(e.g., ABB).
• Perform a wide test of the entire architecture.
• Adopt and deploy the architecture for the Italian
national grid.

R EFERENCES
[1] IEC 62351 - International Electrotechnical Commission Power systems
management and associated information exchange Data and communi-
cations security,
[2] CLUSIF - Cyber Security of Industrial Control Systems: How to get
started?, September 2014.
[3] Frances Cleveland, IEC 62351 Security Standards for the power system
information infrastructure, IEC TC57 WG15 Security Standards, June
2012.
[4] Megan O’Connor, Mark A. Nicholas, Satoshi Nakamura and Tom Kacz-
marek Managing Cybersecurity Threats to the Smart Grid, Syracuse
University, June 2013.
[5] Smart Grid Interoperability Panel GridWise Architecture Council Stack,
http://www.sgip.org/Interoperability-and-the-GWAC-Stack, January 2015.
[6] National Institute for Standards and Technology Criptographic
Key Length Recommendation, http://www.keylength.com/en/4/, February
2015.

361

Powered by TCPDF (www.tcpdf.org)