Generation of Firewall Configurations for a Large Scale Synthetic Power System

Supervisory Control and Data Acquisition (SCADA) systems play an important role in modern power grid operations. Interactions of interest include the numerous application layer protocols, from industrial control systems (ICS) protocols such as the Distributed Network Protocol-3 (DNP3) to traditional information technology (IT) protocols such as Web-based applications. All these protocols are vulnerable to cyber threats, against which power grid control systems must be protected. For this reason, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP-005-5) exists and requires an electronic security perimeter. This paper presents how these electronic security perimeters can be configured in an automated way. First, a set of firewall rules are described, translated to iptables, and evaluated in the emulation environment in the Resilient Energy System Laboratory (RESLab) cyber-physical testbed. To configure the firewall rules for a large scale power system model, this paper presents an automatic firewall configuration generator that is implemented as a prototype software tool that can streamline configuration of firewalls for utilities. Using this tool, firewall policies are configured for all the utilities and substations within the Texas 2000-bus model, assuming a star network topology plus one balancing authority. The resulting number of firewalls, object groups, and access control lists for this large power system model are also presented.