
Product Abstract

Lemnos Implementation Guide for IPsec: Device Configuration Examples

Product ID: 3002000375
Date Published: 23-Dec-2013
Pages: 62
Sector Name: Power Delivery & Utilization - Distribution & Utilization
Document Type: Technical Results
Price: No Charge

This Product is publicly available

   2.76 MB - Adobe PDF (.pdf)

Abstract

This Electric Power Research Institute (EPRI) technical update describes the efforts to validate changes to the original Department of Energy (DOE) Lemnos project IPsec Interoperable Configuration Profile (ICP) as a result of the IEEE standardization process. It provides the details of the specific device configurations used for this testing as a basis or guideline for utilities wishing to use the IPsec ICP on similar devices.

Background

The DOE-funded Lemnos project developed a concept referred to as Interoperable Configuration Profiles (ICPs) that describe a specific instantiation of a particular security-related protocol. The proposal is that if a vendor independently implements a security function based on an IEEE industry standard ICP, that product should interoperate with any other product that has implemented the same ICP.

For the ICP to be a viable security solution for utilities and vendors, long-term control, upkeep, and revision of the ICP are necessary. Without this formalization in place, the value to utilities would be reduced because of the ICPs' limited visibility to the public.

EPRI is addressing this issue by working with the IEEE, which was identified as the most suitable standards development organization for long-term stewardship of the ICPs by the key stakeholders. IEEE represents one of the most widely recognized standards bodies in the energy sector. The first effort is focused on the IPsec ICP and will result in the development of IEEE P2030.102.1, “Interoperability of IPSEC Utilized Within Utility Control Systems.”

The process to produce IEEE P2030.102.1 included suggested enhancements to the original Lemnos IPsec ICP. The main difference between IEEE P2030.102.1 and the original Lemnos IPsec ICP is the migration from IKE version 1 to IKE version 2. Therefore, it was necessary to validate these changes and document the details on the configuration of the devices used in this validation testing. The device configuration examples outlined in this technical update are based on IKE version 2.

Objectives

The objectives of this work were 1) to validate any changes to the ICP as it is being developed as a formal standard and 2) to capture the device configuration examples used in this validation testing.

Approach

To develop the configuration examples contained in this technical update, a model system was created to represent various components of a utility network. Specific products and devices used in this modeling effort were chosen based on their potential use and location within the utility network. Creation of a secure tunnel between these endpoints then drove the configuration of each end device. Basic validation for the configurations included internal device diagnostics and passing traffic between hosts on the “trusted” side network of each device utilizing PING and TRACEROUTE.

After the proper operation of the IPsec tunnel between the endpoints had been validated, the basic steps to recreate the end device configuration were recorded.

Results

This technical update includes the relevant device configuration settings for both an SEL-3620 Ethernet security gateway and a Cisco model 5505 adaptive security appliance, using the updated Lemnos IPsec profile being proposed under IEEE P2030.102.1. The main difference between IEEE P2030.102.1 and the original Lemnos IPsec ICP is the migration from IKE version 1 to IKE version 2. The device configuration examples outlined in this technical update are based on IKE version 2. This technical update has been developed as a guide primarily for utility network engineering or supervisory control and data acquisition support personnel.

Applications, Value, and Use

Utilities wishing to deploy devices using the Lemnos ICPs can benefit by using the configuration examples contained in this technical update as a basis for their specific configurations.

Program
2013 Program 183: Cyber Security and Privacy
Keywords
  • Security
  • Interoperability
  • Cisco
  • IKE
  • SEL-3620
  • VPN
Report
000000003002000375
Note

For further information about EPRI, call the EPRI Customer Assistance Center at (800) 313-3774 or email askepri@epri.com
