Role-based Access Control in the Digital Grid – A Review of Requirements and Discussion of Solution Approaches

Critical infrastructures are increasingly under investigation regarding the reliable operation and resilience to ensure their provisioning of essential services to the citizens. One example for such critical infrastructures is the digital energy grid. It targets the control of increasingly fluctuating demand and generation of energy. Besides generation also the path to the final consumer has to be taken into account, resulting in the need for securing the reliable transmission and distribution of centrally and decentrally generated energy. Control is accomplished by utilizing a communication infrastructure in parallel to the actual power system infrastructure. The connection between both worlds is provided by sensors and actuators. In the past, this control communication network was mostly isolated from other communication networks, but today it is getting connected increasingly with external systems to support innovative crosssystem services. This surge in connectivity also exposes the digital grid to cyber attacks. Therefore, access to resources like accumulated measurement information or control data needs to be protected to ensure a reliable operation. Legislation and operational best practice guideline activities have taken this into account and meanwhile provide the necessary framework for defining specific communication security requirements. From the technical perspective, different security counter measures exist to cope with the given requirements. However, it has to be ensured that these technical means are not only provided technically, but are in fact applied correctly in operation. This paper reviews the requirements for role-based access control (RBAC), as well as currently targeted technical approaches to achieve RBAC in the digital grid. The goal is to provide more insight into the existing application of RBAC mechanisms and to identify gaps for future enhancements. Proposals to address the identified gaps are described, which are intended to be brought to the International Electrotechnical Commission (IEC) to enhance the security standard IEC 62351 for power system automation. Keywords–security; user and device authentication; rolebased access control; substation automation; digital grid; cyber security; critical infrastructure; IEC 62351