Protecting telemetry data in state-wide critical infrastructure network

Business requirements

[REDACTED] is a country-wide transmission system operator that operates across a wide range of legacy and modern hardware. Due to various technological constraints, the availability of telemetry data in the central dispatch system is limited.

Our customer needed to rapidly collect and securely utilise telemetry data from hundreds of power distribution stations, generators, and large consumers to enable dispatch system functionality that is impossible with the current SCADA system.

Industry

  • Power grid operator

  • Critical infrastructure

Regulations

  • Internal security policies and IEC standards

Technology stack

  • Telemetry hardware

  • IEC-104 compliant meters

  • TSO Central Dispatch system

Products and services involved

We used the cryptographic library Themis as a building block for transport-layer encryption at the application level, relying on its interoperability across the required platforms and OSs.

Acra's cryptographic design allows encryption and decryption to be separated into different parts of the system, while storing data in encrypted form and providing easy-to-maintain key management procedures.

Security advisory and security engineering

We designed the telemetry data protection system and assisted with its integration and support.

Technology requirements

Secure data flow: normalisation, accumulation, and transmission of sensitive telemetry signals to the core dispatch systems.

Data availability: it's crucial to have a backup “source of truth” system capable of accumulating all the data.

Data delivery to SCADA/dispatch systems within the central network in a secure and controlled fashion.

Problem

Most of the hardware emitting telesignals is heavily outdated legacy equipment, typically compatible only with a limited number of devices gathering and transmitting telemetry data signals.

There is no direct communication link between the power distribution stations and the central dispatch system, so hybrid GSM/private/transit network combinations are used.

Telemetry data signals are sensitive data and must be transmitted securely.

Available public cellular networks are unreliable in some areas.

Physical devices cannot be trusted to hold plaintext data or decryption keys.

Solution

We have designed a secure data flow architecture based on our products, applicable security standards, and security considerations.


We’ve built a rugged ARM-based device that implements several functions:

Parsing of telemetry signal data and unification of its format so that the central SCADA system can understand it (IEC 60870-5-104).

Encryption of normalized IEC-104 packages, storing them locally and putting them into the outgoing queue.

Transmission of queue contents via an encrypted session with the central TSO datacenter.

Extended synchronization capabilities to ensure consistent delivery.


We’ve deployed an Acra cluster in the central TSO datacenter, enabling:

Central aggregation of all encrypted blobs that come from each peripheral station.

Providing convenient SQL access to the encrypted blobs for all analytical queries.

Emitting data over IEC-104 to central SCADA systems where needed, while providing end-to-end confidentiality, access control, enforcement of the SQL filtering policy, and data leakage prevention functions.

Result

Our solution fulfilled the expectation of building a robust data aggregation system, while also improving the general security of stored data, preventing insider risks, and enabling easy integration between various legacy systems. It has made telemetry data instantly available for dispatch requirements and securely stored for further analysis.

Working alongside classic power grid management software, our solution provided efficient security on a problematic segment and extended the availability of previously unreachable data under a strict security policy.

Integrating data protection into legacy systems

Updating legacy systems to comply with data security regulations is a laborious process. We have already worked with state-owned TSOs and ICS/SCADA systems, and can help you too.