Aspects of the concept of cyber-protected objects of a digital electrical network with elements of Zero Trust Architecture in Russia

Modern trends in the development of the electric power industry declare the widespread use of information and communication technologies and digital services to improve the operation of relay protection and automation (RPA) subsystems, Industrial Control Systems (ICS), commercial electricity metering systems, etc. However, this is associated with an increase in the number of cyber threats and risks of disrupting the stable functioning of electric power facilities due to destructive information influences. The report presents aspects of a holistic concept of building cyber-protected digital substations with elements of Zero Trust Architecture. Based on the results of the theoretical investigation, the authors assume the possibility of technical testing of the proposed approaches to building a cyber-protected digital substation as a part of the emerging Research and Development (R&D) programs for the practical implementation of the zero-trust policy.


Introduction
The electric power industry of the Russian Federation is entering a new decade facing urgent tasks that require the selection and adoption of optimal organizational and technical decisions in the modernization of electric power facilities.
The tasks set for the industry are reflected in a number of strategic planning documents in the field of ensuring Russia's national security:
• The Doctrine of Energy Security of the Russian Federation, approved by the Decree of the President of the Russian Federation of May 13, 2019 No. 216 [1];
• The Doctrine of Information Security of the Russian Federation, approved by the Decree of the President of the Russian Federation of December 05, 2016 No. 646 [2];
• Regulatory legal acts adopted in pursuance of the doctrinal documents, including the Federal Law (FL) "On the Security of Critical Information Infrastructure of the Russian Federation" of July 26, 2017 No. 187-FL [3].
Summarizing the provisions of the above documents, we can draw the following conclusions:
• In the Russian Federation, FL-187 becomes the main catalyst for accelerating the process of import substitution, leading to the predominant use of microprocessors and microcontrollers, as well as system and application software, of domestic production in intelligent electronic devices installed at power facilities;
• Tasks were set to reduce the identified risks to the energy and information security of the Russian Federation: modernization of the industry, overcoming the aging of fixed assets, development of domestic information and communication technologies (ICT), reducing the vulnerability of critical information infrastructure facilities (CIIF) of the fuel and energy complex, and ensuring the safe operation of CIIF.

Types of cyber threats to digital power facilities
In the context of this work it is important to focus on the transboundary threats to the energy security of the Russian Federation recorded in [1], the threats of computer attacks on CIIF operating in the fuel and energy complex of the Russian Federation (FEC RF) in companies of the electric power industry, in particular.
Over the past decade, issues related to ensuring cybersecurity in the implementation of digital substation technologies have been raised in scientific discussions [4][5][6]. In these works attention is paid to the following aspects:
• Threats to the reliability of electric power systems and even threats to the energy security of Russia;
• The need to test the elements of a digital substation for resilience to cyberattacks;
• The need for certification of intelligent electronic devices (IED).
It was emphasized that in the implementation of any cyber threat in practice, functional failures of control systems of digital substations can lead to shutdown or damage to electric power equipment. As a result, there are general threats to reduce the reliability and disrupt the stability of power systems which, in turn, is a threat to the energy security of entire regions [4]. The authors support these and several other statements about the need to improve the cybersecurity of digital substations (DS) and the technologies used in their construction.
In recent years, analytical work has been carried out to consider the existing threats and risks of disruption to the functioning of digital power facilities, as well as work to assess the possibility of unacceptable negative consequences. For example, in the initiative research work (R&D) implemented in 2019 by the ICS cybersecurity laboratory of Rostelecom Solar, an assessment was made of some cyber-physical consequences that could occur at the "digital facilities" of the electric power complex [7,8], including those caused by successful targeted computer attacks.
Within the framework of the national research-type table-top cyber exercises, which took place on December 23, 2019 at the Rostelecom Solar office, 5 reference scenarios for the disruption of the functioning of electric power facilities of different voltage classes (10/0.4 kV to 500 kV substations) were considered. Techniques and tactics of offenders with different potentials, from low to high, were considered. The analysis of the proposed scenarios and the assessment of possible consequences force us to look for new approaches to the methodology of threat modelling (TM) for information security. It is assumed that methodological approaches should be based on the assessment of consequences, including cyber-physical consequences, for a separate power facility, a group of facilities, or a part of the power system [9].
The organizational and technical measures taken to ensure the safety of the CIIF functioning of the electric power industry subjects (ICS, RPA, etc.) should reflect the adopted and implemented security policy (information security) of the company, the formed threat model (assessment of consequences, hybrid threat model) including threats to information security assessing the potential and motivation of the offender.
Considering the non-triviality of the task of developing a practically applicable TM, knowledge-based systems can become a tool for its implementation. Such knowledge-based systems can vary: decision support systems or expert systems whose "core of knowledge" is based on an ontology of cyber threats (such an ontology is currently being developed).

Relevance of the application of new security models
On the basis of the above, the authors consider it an important practical and research task to discuss and determine the directions for the development of security models and the security mechanisms implemented in the information and control systems of electric power facilities of the digital electrical network that are newly created or undergoing deep modernization.
The decisions made will directly concern the requirements for the developed IEDs for digital substations, for the issues of the practical implementation of DS software and hardware complexes and for the operation of power facilities.
In the emerging situation of increasing requirements for ensuring the safe operation of the CIIF and the growing risks of targeted computer attacks, the "zero trust" approach deserves attention.
The model of "zero trust" provides a set of concepts and ideas designed to reduce the uncertainty while making accurate decisions about on-demand access in information systems and services in the network considered as compromised [10].
According to the authors, at the current level of development, the concept of "zero trust" is a reflection of an accepted abstract-level threat model, the main provision of which is:
• Within any logical perimeter, a computer or technological telecommunications network (environment) is untrusted by default [10].
This thesis actually captures:
• the relevance of the presence of a malicious insider in any information, information control, automated, or automatic system;
• acceptance of a potentially possible compromise of the infrastructure, the overcoming of the "protection perimeter", the "fixing" of intruders within the "trusted" security perimeter, and the development of a computer attack.
In effect, this is an acceptance by default of the possibility that certain stages of a computer attack, as fixed in the Kill Chain framework, will be carried out, and that the techniques and tactics presented in the MITRE matrix will be implemented in practice.
The authors note that the specified level of the intruder model for digital relay protection and automation systems is fixed in the document of the Rosseti holding [11], section 6.2 "Possible threats to information security". Document [11] proposes that the sources of threats to the security of relay protection devices can be as follows: intelligence services of foreign states, terrorist organizations, and representatives of competing firms and organizations. The accepted rules of the information security industry indicate that these types of attackers have the potential to carry out the attacks outlined above.
Fig. 1 shows the main possible vectors of a computer attack on the secondary systems of a digital substation. The relevance of choosing an adequate security policy increases with the accumulation of practical experience in implementing projects for the remote technological and dispatch control of power facilities of voltage classes 110 kV to 500 kV, which rely on distributed control systems consisting of products from a number of manufacturers and using heterogeneous data transmission channels.
One of the lingering problems for Russian and international vendors is the lack of a comprehensive set of regulatory and technical requirements, formed within national boundaries, that define the implementation of safety functions in IEDs, software and hardware complexes, and distributed systems in general.
The sources [12,13]   The authors suggest the following practical steps to support the policy of "zero trust" that could be practically implemented.
The following mechanisms should be implemented at the level of applications and services:
• Identification, authentication, and authorization of the following user roles: relay protection engineer, operating personnel, contractors;
• Identification and authentication of devices in the network: IED, programmable logic controller (PLC), etc.;
• Cryptographic protection of network traffic (reports [14,15] are devoted to particular issues of cryptographic methods of protection in the RPA system of the digital substation);
• Collection and analysis of log files, including security logs, from the IEDs of all technological subsystems of the digital substation.
In software and hardware complexes, IEDs can be used that are implemented on a Russian microprocessor basis and run under an operating system developed with a set of requirements for its reliable and safe operation taken into account. Conceptual issues of creating protected IEDs were covered in one of the reports at the "ICS CIIF 2020" conference [12]. The use of modern microprocessors and real-time operating systems should allow the development of advanced protection scenarios based on built-in security mechanisms. This approach is the global trend in the development of embedded systems.
Operating systems (OS) with a monolithic kernel (based on the Linux kernel) and security extensions, as well as OS based on a microkernel architecture using the MILS (Multiple Independent Levels of Security) concept (VxWorks, PikeOS, Kaspersky OS, etc.), can be used to develop IEDs in a protected design. In general, it is necessary to use an OS that can provide guarantees for the safe operation of the devices under its control.
The use of embedded operating systems implementing security functions should be facilitated by the protection profiles for operating systems, including real-time operating systems [16] and embedded operating systems, issued by the Federal Service for Technical and Export Control (FSTEC) of Russia.
The implementation of these functions is possible in newly designed IEDs with close interaction between the vendors of information security tools (IST) and the vendors of IEDs; this is the way to create an IED in a secure design (practical implementation of the secure-by-design principle).
The authors propose to consider the possibility of using the standards of the IEC 62351 and IEC 62443-4-2, IEC 62443-4-1 series in the formation of requirements for newly created IEDs and technical specifications for newly created digital substations.
• LDAP catalogue for workstations and servers;
• RADIUS server for all network equipment used on the digital substation;
• LDAP catalogue and RADIUS server for IEDs, merging units, etc.
The LDAP catalogue and RADIUS server can be implemented using a secure operating system, for example Linux, which has the potential for development in the Russian Federation on the basis of domestic microprocessors. The authors addressed this topic in an article in the journal Relayshchik [23]. The authors also note that operator access to an automated control system or to individual IEDs should be granted with the least privileges necessary to perform the operator's professional duties.
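The application-level mechanisms listed above (role-based identification and authorization, device identity checks, security logging) and the least-privilege rule can be combined into a single per-request decision. The following is an added illustration, not code from the paper or from any of the vendors it mentions; the role names come from the paper, while the permission table, device register, device identity strings and log format are constructed assumptions.

```python
# Added example (not from the paper): a deny-by-default, per-request authorization
# check in the spirit of the "zero trust" mechanisms listed for a digital substation
# (role-based access, device identity, least privilege, security logging), followed
# by a small analysis pass over the resulting security log. The permission table,
# device register and identity strings are constructed for illustration.
from dataclasses import dataclass
from collections import Counter

# Least-privilege policy: each role gets only the operations its duties require.
# Anything not listed is denied; the substation LAN is treated as compromised,
# so a request arriving from "inside" the perimeter earns no implicit trust.
ROLE_PERMISSIONS = {
    "relay_protection_engineer": {"read_settings", "write_settings", "read_events"},
    "operating_personnel": {"read_events", "operate_breaker"},
    "contractor": {"read_events"},
}

# Device identity register (constructed): only enrolled IEDs/PLCs may be addressed,
# and each request must present the enrolled identity (e.g. a certificate thumbprint).
ENROLLED_DEVICES = {"IED-P1": "sha256:ied-p1-constructed", "PLC-7": "sha256:plc-7-constructed"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: str
    device_identity: str
    operation: str

def authorize(req: Request, security_log: list) -> bool:
    """Return True only if every check passes; every decision is written to the log."""
    reasons = []
    if req.role not in ROLE_PERMISSIONS:
        reasons.append("unknown_role")
    elif req.operation not in ROLE_PERMISSIONS[req.role]:
        reasons.append("operation_not_permitted_for_role")
    if ENROLLED_DEVICES.get(req.device) != req.device_identity:
        reasons.append("device_identity_mismatch")
    allowed = not reasons
    security_log.append({"user": req.user, "role": req.role, "device": req.device,
                         "operation": req.operation, "allowed": allowed, "reasons": reasons})
    return allowed

def repeated_denials(security_log: list, threshold: int = 3) -> dict:
    """Log analysis step: users with at least `threshold` denied requests, a signal
    worth reviewing for a compromised account or a malicious insider."""
    denied = Counter(entry["user"] for entry in security_log if not entry["allowed"])
    return {user: n for user, n in denied.items() if n >= threshold}
```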
The current regulatory and technical requirements of the Federal Grid Company of the United Power System (FGC UPS) of Russia [24] propose individual elements of a security system whose introduction should increase the security of the digital substation LAN. However, these requirements were formed only for the digital substations of FGC UPS, so they cannot be considered complete for newly designed digital substations in general.

Conclusions
The paper presents aspects of building a cyber-protected DS with elements of the Zero Trust Architecture concept. Based on the results of the analytical investigation, the authors propose to consider:
• The possibility of technical testing of the proposed approaches to building a cyber-protected digital substation in new R&D programs for the practical implementation of the "zero trust" policy;
•