This document discusses cyber security for substation automation systems. It notes that substation systems are now increasingly connected via Ethernet and IP-based protocols, introducing cyber security risks. The document outlines various potential threats, including internal attackers, suppliers, hackers, criminals, and terrorists. It examines vulnerabilities in substation systems such as slow processors, real-time operating systems, exposed communications media, open protocols, lack of authentication, and the lack of centralized administration. The document proposes measures to enhance security such as access control, encryption, authentication, and intrusion detection. Overall, the document analyzes cyber security risks for substation automation and proposes strategies to protect against, detect, and recover from intrusions or attacks.
Summary
Executive summary (p 1)
Introduction (p 2)
Substation systems: security threat targets (p 4)
Vulnerability of the substation automation system (p 6)
Measures to enhance the substation automation system (p 9)
Addressing cyber security for the substation automation system (p 13)
Conclusion (p 15)
Substation Cyber Security
Executive summary
The electric power grid has changed significantly over the past decade and
continues to change as technology evolves. More and more, new-generation
substation control systems are based on open standards and commercial
technology, including Ethernet and TCP/IP based communication protocols such
as IEC 60870-5-104, DNP 3.0 or IEC 61850. While this change in technology
has brought about huge operational benefits, it has introduced cyber security
concerns and a potential challenge to network reliability. Electronic intrusion into
a substation can misdirect or terminate service, and this intrusion can be from
internal individuals or external hackers or organizations.
Many substation control and diagnostic systems now in deployment were not designed
for real-time security functionality or for centralized system administration with
robust access control. Utilities must implement policies to protect their substation
systems against intrusion from within and from outside the corporate network.
Further, they must be able to detect an intrusion when it does occur, so that its
later effects can be prevented. Finally, they need a planned response and
restoration that not only returns the targeted functionality but also improves
system security.
The global power industry has stepped up its focus on cyber security for control
and automation systems, and standards are in place identifying the functionalities
required for secure substation operation. Utilities looking to protect their
substation automation systems against cyber attack should implement SCADA, RTU
and IED solutions that incorporate proven technology and the security mechanisms
these standards require.
White paper | 01
Introduction
Traditionally, an electric utility’s concerns regarding substation asset security
centered on physical threats, both natural and human. In locations other than
those experiencing civil strife, the primary human threat was considered to be
a single, disgruntled employee; an angry customer; or a politically motivated
vandal. In any of these cases, the malfeasant had to be within, or physically
close to, the substation to cause damage. To protect assets from these human
threats, the utility used fences, locked gates, security cameras, SCADA-
monitored intrusion alarms and occasional onsite monitoring visits by utility
security staff.
More recently, both the nature and magnitude of the threat to substation assets
have changed. Now, the equipment for monitoring and controlling substation
devices is usually connected by communication lines to wide-area networks
potentially accessible by the general public. Consequently, an individual seeking
to damage utility assets can do so from places hundreds or thousands of
kilometers distant and potentially impact multiple substations simultaneously.
The magnitude of the threat also has changed. Organized and well-funded
groups have publicly stated their goal of damaging key elements of society’s
critical infrastructure. Evidence shows that some organizations have been
gathering information about public utilities and investigating the electronic
defenses of corporate computing networks. Probes specifically targeting the
business systems of electric utilities have been documented. However, because
substations generally do not have firewalls or intrusion detection systems, it is
not possible to know if they are being targeted.
This paper addresses the nature of cyber threats, their potential to damage utility
assets and the means to detect and recover from them.
Substation systems: security threat targets
The IEEE 1402 standard refers to cyber intrusions as
‘electronic intrusions’ and defines them as “Entry into
the substation via telephone lines or other electronic-
based media for the manipulation or disturbance
of electronic devices. These devices include digital
relays, fault recorders, equipment diagnostic
packages, automation equipment, computers,
programmable logic controllers, and communication
interfaces.”
Power substation security threats are primarily
related to the ability to remotely access protection,
control, automation and SCADA equipment. Through
a power substation’s communications vulnerability,
an electronic intruder could access the substation
SCADA system. An incorrect switching sequence, for example opening a disconnector
while the circuit breaker it isolates is still closed and the circuit still carries
load current, would result in an electric arc between the contacts of the
disconnector and high-rate optic and acoustic phenomena. Manifesting as an
explosion, the event would spray melted metal and result in an inter-phase short
circuit.

Such a failure would lead to complete destruction of the disconnector and partial
or complete destruction of other components in the substation, along with
disturbance in substation operation and interruption of energy supply to
consumers. Personnel can be seriously injured. Depending on the state of the power
system at the moment of the switching operation, the incorrect switching sequence
could also cause a large power system failure and compromise the safety of the
electric power system.

Internal attackers. Investigations of threats to corporate computer hardware and
software systems typically reveal that the majority of attacks come from internal
sources. Substation control systems and intelligent electronic devices (IEDs) are
different from those at work in corporations, in that information about their
computer hardware and software systems is not well known to the general public.
However, other utilities, as well as industry equipment suppliers, contractors and
consultants, are well acquainted with the hardware, software, architecture and
communication protocols implemented in substation operations. Often, the suppliers
of hardware, software, and services to the utility industry are granted the same
level of trust and access as the utility individuals themselves – making the
definition of an ‘insider’ much broader.

Further, a utility employee who has access keys and passwords can be motivated by
the prospect of financial gain from making that information available.
Computer-based systems at substations contain data of value to a utility’s
competitors as well as information – such as the electric load of a customer
industrial plant – that might be of value to that customer’s competitors.
Certainly, corporate employees are approached to provide interested parties with
valuable information; it cannot be ruled out that a similar situation could occur
with utility employees who have access to substation systems. Further, the
possibility exists of an employee being bribed or blackmailed to cause physical
damage or to disclose privileged information that would enable other parties to
cause damage.
Suppliers. A potential threat exists with employees of substation equipment
suppliers, who also have access to – or the knowledge that enables access to or
damage of – substation assets. One access path is through the diagnostic port of
the substation monitoring and control equipment. It is common that the
manufacturer of a substation device has the ability to establish an Internet link
or telephone connection with the device for the purpose of performing diagnostics.
An unscrupulous employee of the manufacturer could use this link to cause damage
or gather confidential information, as has happened many times in other
industries. Employees of the utility or equipment supplier also can illicitly
access computer-based substation equipment via the communications paths into the
substation.

Hackers. Other potential intruders include the hacker who is simply browsing and
probing for weak links to penetrate corporate defenses and the individual who is
motivated to cause damage by a grievance against the utility or against society in
general.

Criminals. Another potential security problem lies with those who threaten to do
damage in an attempt to extort money, or who attempt to access confidential
corporate records, such as the customer database, for sale or use.

Terrorists. The most serious security concern is with those antagonists, domestic
or foreign, who have the resources to mount a serious attack. They can be quite
knowledgeable, since the computer-based systems that outfit a substation are sold
with minimal export restrictions worldwide – complete with documentation and
operational training. The danger from an attack mounted by an organized hostile
power is increased by the fact that it can occur in many places simultaneously and
would likely be coupled with other cyber, physical, or biological attacks aimed at
crippling response capabilities.
Vulnerability of the substation automation
system
Conventional computer systems have always been susceptible to those exploiting
programming errors in operating systems and application software; cracking user
passwords; taking advantage of system installations that leave extraneous
services and open ports exposed; and penetrating improperly configured firewalls
that are supposed to guard against unauthorized communications.
In addition to these common vulnerabilities, the
control and diagnostic systems in substations
have a number of system-related cyber security
vulnerabilities –
Slow processors
The remote terminal units (RTUs) and IEDs in some substation systems use early
microprocessor technology. They have limited memory and often have to meet
stringent time constraints on their communications. With microprocessors that do
not have the processing capability to support an additional computational burden,
it is not feasible to enhance communications security through data message
encryption.

One way to strengthen the privacy and authenticity of messages transmitted across
insecure channels is to use encryption together with message authentication.
However, these techniques are often too resource-intensive for most current IEDs
and many existing substation automation systems. Further, many substation
communications channels do not have sufficient bandwidth for the longer messages
that result (block padding, initialization vectors and integrity tags add bytes to
every message).
Real-time operating systems
Design of the real-time operating systems embedded
within many IEDs poses another security risk. Some
suppliers of these embedded operating systems
have not had to meet the requirements for secure
communications. Their software systems were
designed to operate in an environment focusing on
deterministic response to events; information security
was a lower priority.
Communications media
The data messages that substation IEDs exchange with the outside world are often
transmitted over media that are potentially open to eavesdropping or active
intrusion. Dial-in lines are common, and the IED will accept phone calls from
anyone who knows its phone number. Many IEDs are IP (Internet Protocol)-enabled,
which means that, unless the network is segmented and filtered, they can be
addressed by any computer that can route packets to them, including computers
connected to the Internet. In addition, much of the data traffic to and from a
substation travels over wireless networks. Intruders with the proper equipment can
record and interpret data exchanges and can insert their own messages to control
power system devices.
Open protocols
Many protocols have been used for communications between the substation and the
utility control center. In the past, these protocols typically were vendor-specific
and proprietary. However, in recent years the majority of communications
implementations have been executed to the IEC 60870-5 standard (in Europe), the
DNP3 standard (in North America), or – to a much lesser extent – the IEC 60870-6
TASE.2 standard, also called ICCP. These protocols are non-proprietary, well
documented and available to the general public. When these protocols were
designed, security was not a key issue.

An RTU test set usually consists of a portable device with a communications port
and a user interface that interprets the messages being sent to and from the RTU
or IED, allowing the user to define and issue commands to the substation device.
An intruder can patch into the communications channel to a substation and use a
test set to operate devices at the substation.
Lack of authentication
The protocol versions in current use do not provide a means for the communicating
parties to confirm each other’s identity or to secure the data exchange. An
intruder with access to a communications line to a controllable device can
execute a control in the same manner as an authorized user. Intruders can also
mimic a data source and substitute invalid data, or replay a legitimate message
recorded earlier. In most cases, the program receiving the data does not perform
validation that would detect this kind of interference.
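The behaviour described above, as an added example that is not part of the white paper: a Python model of an outstation that executes any well-formed control frame it receives, beside a hardened version that requires a keyed HMAC over the frame and a strictly increasing sequence number. The frame layout, the point name CB-101 and the shared key are constructed for the example; the hardened variant is a simplified illustration of the keyed-authentication approach standardized in IEC 62351-5 / DNP3 Secure Authentication, not an implementation of either.

```python
"""Unauthenticated vs. authenticated control frames (illustrative, not a real protocol)."""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlFrame:
    """Constructed frame layout for this example: sequence, point, operation, tag."""
    seq: int
    point: str        # e.g. "CB-101", a hypothetical circuit breaker
    op: str           # "TRIP" or "CLOSE"
    tag: bytes = b""  # HMAC tag; empty in the legacy protocol

    def body(self) -> bytes:
        return f"{self.seq}|{self.point}|{self.op}".encode()


class LegacyOutstation:
    """Models the protocols described in the text: any well-formed frame
    arriving on the line is executed, whoever sent it."""
    def __init__(self):
        self.executed = []

    def receive(self, frame: ControlFrame) -> bool:
        self.executed.append((frame.point, frame.op))
        return True


class AuthenticatedOutstation:
    """Hardened version: the frame must carry a valid HMAC computed with a key
    shared by master and outstation, and a sequence number higher than any
    already accepted (so a recorded frame cannot be replayed)."""
    def __init__(self, key: bytes):
        self._key = key
        self.last_seq = -1
        self.executed = []
        self.rejected = []

    def receive(self, frame: ControlFrame) -> bool:
        expected = hmac.new(self._key, frame.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame.tag):
            self.rejected.append(("bad_tag", frame.point, frame.op))
            return False
        if frame.seq <= self.last_seq:
            self.rejected.append(("replay", frame.point, frame.op))
            return False
        self.last_seq = frame.seq
        self.executed.append((frame.point, frame.op))
        return True


def sign(key: bytes, seq: int, point: str, op: str) -> ControlFrame:
    """What the authorised master does: build the frame and attach its tag."""
    unsigned = ControlFrame(seq, point, op)
    tag = hmac.new(key, unsigned.body(), hashlib.sha256).digest()
    return ControlFrame(seq, point, op, tag)


def scenario() -> dict:
    """Feed the same three frames to both outstations:
    1. a legitimate CLOSE from the master,
    2. an intruder's TRIP injected on the line (the intruder has no key),
    3. a replay of the master's recorded CLOSE frame."""
    key = b"session-key-shared-out-of-band"   # constructed for the example
    legit = sign(key, 1, "CB-101", "CLOSE")
    injected = ControlFrame(2, "CB-101", "TRIP")
    replayed = legit

    legacy = LegacyOutstation()
    hardened = AuthenticatedOutstation(key)
    for frame in (legit, injected, replayed):
        legacy.receive(frame)
        hardened.receive(frame)
    return {
        "legacy_executed": legacy.executed,
        "hardened_executed": hardened.executed,
        "hardened_rejected": hardened.rejected,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The legacy outstation trips the breaker on the intruder's frame and closes it again on the replay; the hardened one executes only the master's original frame. Note that the sequence counter must survive reboots (or be re-established with a fresh challenge) or an intruder can replay frames after a restart.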
Lack of centralized system administration
Unlike the IT domain, where there is a central system administrator to designate
and track authorized users, substation automation system users often are their
own system administrators and have the authority to perform all security
functions. This situation can make access to substation automation systems
available to personnel who have no reason for access. They would be able to
perform critical functions such as assigning passwords, assigning log-in IDs,
configuring the system and adding or deleting software.
Large numbers of remote devices
A typical utility has from several dozen to several
hundred substations at geographically dispersed
locations, and each automated substation typically
has many IEDs. Therefore, there is a high cost to
implement any solution that requires upgrading,
reprogramming or replacing the IEDs.
Measures to enhance the substation automation
system
The strategies for enhancing cyber security of control and diagnostic systems at substations are the same as
those that would be applied for other corporate computer systems: (1) prevent cyber intrusion where possible;
(2) detect intrusion where it could not be prevented; (3) recover from an intrusion after detection; and (4) use
the experience to improve preventive measures.
Protecting Substation Systems
Intrusion from inside the corporate network. With substation control and
monitoring systems connected to the utility’s corporate wide-area network, a large
potential threat to these systems exists from unauthorized users on that corporate
network. The corporate network should be made as secure as possible –
• The most important measure is one of the simplest: ensuring that all default
passwords have been removed from all substation systems and that there are no
accounts without a password.
• User passwords should not be simplistic. However, passwords that are difficult
to guess are also difficult to remember, so procedures should discourage users
from posting their passwords on the terminal of the system being protected.
• A user’s password and account should be terminated immediately when that user
leaves employment or changes job assignment.
• Different sets of privileges should be established for different classes of
users. For example, some users should be allowed only to view historical
substation data. Other users might be permitted to view only real-time data.
Operators should be given only control privileges, and relay engineers’ authority
should be limited to changing relay settings.

Intrusion from outside the corporate network. The possibility of intrusion by
outsiders who have gained direct access to substation devices through unprotected
communications channels poses new challenges to the cyber security of substation
systems.

The SCADA communication line links the utility control center and the substation.
This line carries real-time data from substation devices to dispatchers at the
control center and control messages from the dispatchers back to the substation.
In the case of substation automation, a data concentrator or a substation
automation host processor serves as the RTU in sending substation data to the
control center and in responding to the dispatcher’s control commands.

A variety of media, such as power line, leased lines, microwave, multiple-address
radio, satellite-based communications, fiber optic cable and others, are used to
connect the substation RTU with the control center. It is quite common for
communications from control center to substation to use different media along
different segments of the path. Some of these media, especially the wireless ones,
are subject to eavesdropping or active intrusion. At least one case has been
reported in which an intruder used radio technology to commandeer SCADA
communications and sabotage the system. Of the many alternatives, fiber optics
offers the most resistance to SCADA communications intrusion, since physical
access is needed to tap it, although it does not by itself authenticate the
traffic it carries.

In substation integration and automation systems, IEDs intrinsically support
two-way communications. Once the user has logged on to the IED, the user can use
the connection to:
• Acquire data that the IED has stored
• Change the parameters of the IED, such as the settings of a protective relay
• Perform diagnostics on the IED
• Control the power system device connected to the IED; that is, operate a circuit
breaker

There are two lines of defense that a utility can take –
• Strengthening the authentication of the user, which confirms the identity of the
prospective IED user. As the very first step, the utility should ensure that the
default passwords originally supplied with the IEDs are changed and that a set of
strong passwords is implemented.
• Encrypting communications between the user and the IED, so that only users in
possession of the secret key are able to interpret data from the IED and change
IED parameters. Encryption should be combined with message authentication;
confidentiality alone does not stop an intruder from altering or replaying
messages.

Note: once the industry has agreed on a standard technique for encrypting
messages, IED manufacturers can plan for economies of scale. If there is a demand
for encryption of IED communications, and industry-wide consensus on the approach,
IED manufacturers will develop an effective way to embed the algorithm in the
processor of IEDs at little incremental cost.
Detecting Intrusion
While it is extremely important to prevent intrusions into one’s systems and
databases, an axiom of cyber security is that any intrusions must be detected,
because an intruder who gains control of a substation computer can gather data –
including the log-on passwords of legitimate users – and use that data at a later
time to operate power system devices. Further, the intruder can set up a
mechanism, sometimes referred to as a ‘backdoor’, that will allow easy access at a
future time.

If no obvious damage was done at the time of the intrusion, it can be very
difficult to detect that the software has been modified. For example, if the goal
of the intrusion was to gain unauthorized access to utility data, the fact that
another party is reading confidential data might never be noticed. Even when the
intrusion does intentionally open a circuit breaker on a critical circuit or cause
other damage, it might not be at all obvious that the false operation was due to
a security breach instead of some other failure such as a voltage transient, relay
failure or software bug.

For these reasons, it is important to make every effort to detect intrusions when
they occur and derail future data manipulation by the intruder. To this end, a
number of IT security system manufacturers have developed intrusion detection
systems (IDS). These systems are designed to recognize intrusions, based on
parameters such as communications attempted from unauthorized or unusual
addresses and unusual patterns of activity, and to generate logs of suspicious
events. These logs allow system administrators, control engineers and operators
to apply security event management technology to quickly recognize and respond
to events affecting security, compliance and operational efficiency.
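The two detection parameters named above, run over sample log lines, as an added example that is not from the white paper: a rule-based detector that flags connections to a substation gateway from addresses not authorized for the destination port, and bursts of control operations from one source. The log format, the addresses, the port-to-source allowlist and the burst threshold are all constructed for this page; a real gateway's log will look different and the rules must be tuned to the site's actual masters and engineering hosts.

```python
"""Rule-based intrusion detection over substation gateway connection logs (constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log, not from a real device. Fields: time, source address,
# destination address, destination port, protocol function requested.
SAMPLE_LOG = """\
2024-03-11T02:14:07Z src=10.20.1.5 dst=192.168.50.10 dport=20000 fn=READ
2024-03-11T02:14:37Z src=10.20.1.5 dst=192.168.50.10 dport=20000 fn=DIRECT_OPERATE
2024-03-11T02:15:02Z src=10.20.9.2 dst=192.168.50.10 dport=22 fn=SESSION_OPEN
2024-03-11T02:16:11Z src=203.0.113.44 dst=192.168.50.10 dport=20000 fn=READ
2024-03-11T02:16:12Z src=203.0.113.44 dst=192.168.50.10 dport=20000 fn=DIRECT_OPERATE
2024-03-11T02:16:13Z src=203.0.113.44 dst=192.168.50.10 dport=20000 fn=DIRECT_OPERATE
2024-03-11T02:16:14Z src=203.0.113.44 dst=192.168.50.10 dport=20000 fn=DIRECT_OPERATE
2024-03-11T02:17:40Z src=10.20.1.5 dst=192.168.50.11 dport=23 fn=SESSION_OPEN
"""

# Which sources may talk to which ports: 20000 = DNP3/TCP, 2404 = IEC 60870-5-104,
# 22 = engineering access. Any (source, port) pair not listed is unexpected.
ALLOWED_SOURCES = {
    20000: {"10.20.1.5"},   # control-centre SCADA master (hypothetical address)
    2404: {"10.20.1.5"},
    22: {"10.20.9.2"},      # relay-engineering workstation (hypothetical address)
}
# DNP3 function codes that change the state of the device or the power system.
CONTROL_FUNCTIONS = {"SELECT", "OPERATE", "DIRECT_OPERATE", "WRITE"}
BURST_LIMIT, BURST_WINDOW_S = 3, 60   # site-specific tuning, chosen for the example

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) fn=(\S+)$")


def parse(line: str):
    """Parse one log line into a record, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(2), "dst": m.group(3),
            "dport": int(m.group(4)), "fn": m.group(5)}


def detect(log_text: str) -> list:
    """Return alerts as (kind, source, dport, detail) tuples, in log order."""
    alerts = []
    recent_controls = defaultdict(deque)   # source -> timestamps of control ops
    burst_reported = set()                 # report each bursting source once
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        # Rule 1: communication from an address not authorized for this port.
        if rec["src"] not in ALLOWED_SOURCES.get(rec["dport"], set()):
            alerts.append(("unexpected_source", rec["src"], rec["dport"], rec["fn"]))
        # Rule 2: unusual pattern - too many control operations in a short window.
        if rec["fn"] in CONTROL_FUNCTIONS:
            window = recent_controls[rec["src"]]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
                window.popleft()
            if len(window) >= BURST_LIMIT and rec["src"] not in burst_reported:
                burst_reported.add(rec["src"])
                alerts.append(("control_burst", rec["src"], rec["dport"],
                               f"{len(window)} ops in {BURST_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample, the master's own DIRECT_OPERATE raises nothing, every line from 203.0.113.44 is flagged, the third control from that address within a minute adds a burst alert, and the master's Telnet session to a second device is flagged because no source is authorized on port 23. The last case is worth noting: a legitimate host using a protocol the site never sanctioned is exactly the kind of event the text says must be logged rather than assumed benign.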
not be at all obvious that the false operation was due
Responding to Intrusion
The ‘three Rs’ of response to cyber intrusion are recording, reporting, and
restoring –

Theoretically, it would be desirable to record all data communications into and
out of all substation devices. If an intruder successfully attacks the system, the
recordings could be used to determine what technique the intruder used to modify
the system and then to close that particular vulnerability.

Recording would be invaluable in helping identify the intruder. Further, a
recording made in a way that is demonstrably inalterable can be admissible as
evidence in court in the event the intruder is apprehended. However, due to the
high frequency of SCADA communications, the low cost of substation communications
equipment, and the fact that substations are distant from corporate security
staff, it might be impractical to record all communications. System owners will
probably defer any attempts to record substation data communications until
(a) storage media are developed that are fast, voluminous and inexpensive, or
(b) SCADA-oriented intrusion detection systems are developed that can filter out
usual traffic and record only the deviant patterns.
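A recording ‘made in a way that is demonstrably inalterable’, as an added example that is not the white paper’s own material: a hash-chained log in which every entry commits to the hash of the entry before it, with the latest hash anchored somewhere the recorder cannot rewrite (for instance, reported to the control center). Editing, deleting or reordering an entry then breaks verification; recomputing the chain to hide the edit changes the anchored head instead. The traffic records are constructed for the example.

```python
"""Tamper-evident recording of substation communications using a SHA-256 hash chain."""
import copy
import hashlib
import json

GENESIS = b"\x00" * 32   # hash "before" the first entry


def _digest(prev_hash: bytes, record: dict) -> bytes:
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash + payload).digest()


class ChainedRecorder:
    """Each stored entry holds the record and a hash over (previous hash + record).
    Changing any earlier entry invalidates every hash after it."""
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = bytes.fromhex(self.entries[-1]["hash"]) if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append({"record": record, "hash": h.hex()})
        return h.hex()

    def head(self) -> str:
        """Latest hash. Publish it outside the recorder (control centre, WORM media)
        so that a wholesale rewrite of the chain can be detected."""
        return self.entries[-1]["hash"] if self.entries else GENESIS.hex()


def verify(entries: list, expected_head: str = None):
    """Recompute the chain. Returns (True, None) if intact, otherwise
    (False, index) where index is the first entry that does not verify, or
    len(entries) if the chain is internally consistent but its head differs
    from the anchored value."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if _digest(prev, e["record"]).hex() != e["hash"]:
            return False, i
        prev = bytes.fromhex(e["hash"])
    if expected_head is not None and prev.hex() != expected_head:
        return False, len(entries)
    return True, None


def demo() -> dict:
    rec = ChainedRecorder()
    # Constructed traffic records, as a gateway might capture them.
    rec.append({"t": "2024-03-11T02:14:37Z", "src": "10.20.1.5",
                "fn": "DIRECT_OPERATE", "point": "CB-101", "op": "CLOSE"})
    rec.append({"t": "2024-03-11T02:16:12Z", "src": "203.0.113.44",
                "fn": "DIRECT_OPERATE", "point": "CB-101", "op": "TRIP"})
    rec.append({"t": "2024-03-11T02:16:13Z", "src": "203.0.113.44", "fn": "READ"})
    anchored_head = rec.head()   # sent off-box at the time of recording

    # 1. Untouched recording.
    intact = verify(rec.entries, anchored_head)

    # 2. Intruder with write access edits the TRIP to look like the master's.
    edited = copy.deepcopy(rec.entries)
    edited[1]["record"]["src"] = "10.20.1.5"
    edit_result = verify(edited, anchored_head)

    # 3. Intruder deletes the TRIP and rebuilds a consistent-looking chain.
    forged = ChainedRecorder()
    for e in rec.entries[:1] + rec.entries[2:]:
        forged.append(e["record"])
    forged_result = verify(forged.entries, anchored_head)

    return {"intact": intact, "edited": edit_result, "rehashed": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain does not by itself prove when an entry was written or who wrote it; for evidentiary use the anchored head should be timestamped and signed by a party independent of the substation, and the recorder's clock source documented.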
But even if the communications sequence
responsible for an intrusion is neither detected
nor recorded when it occurs, it is essential that
procedures be developed for the restoration of
service after a cyber attack. It is extremely important
that the utility maintain backups of the software of all
programmable substation units and documentation of
all IED standard parameters and settings.
After the utility suspects an intrusion or determines
that a particular programmable device has been
compromised, the software should be reloaded
from the secure backup. If the settings on an IED
had been illicitly changed, the original settings must
be restored. Unless the nature of the breach of
security is known and can be repaired, the utility
should seriously consider taking the device off line or
otherwise making it inaccessible to prevent a future
exploitation of the same vulnerability.
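One way to carry out the restoration step described above, as an added example that is not from the white paper: refuse to use a backup whose recorded fingerprint no longer matches its contents (a backup an intruder could have edited is not a baseline), compare the settings the IED now reports against the baseline, and produce the list of settings to reload. The device name, the setting names and their values are hypothetical; the format in which a real IED exports its settings is vendor-specific and would be parsed into the same dictionary shape first.

```python
"""Compare live IED settings with a secured baseline backup and list what to restore."""
import hashlib
import json


def settings_fingerprint(settings: dict) -> str:
    """SHA-256 over canonical JSON of the settings, stored alongside the backup."""
    payload = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def load_baseline(backup: dict) -> dict:
    """A backup is {'device': ..., 'settings': {...}, 'sha256': ...}.
    Raise if the settings no longer match their recorded fingerprint."""
    if settings_fingerprint(backup["settings"]) != backup["sha256"]:
        raise ValueError(f"baseline for {backup['device']} failed integrity check")
    return backup["settings"]


def drift(live: dict, baseline: dict) -> dict:
    """Classify every difference between the running and baseline settings."""
    changed = {k: (baseline[k], live[k])
               for k in baseline if k in live and live[k] != baseline[k]}
    missing = sorted(k for k in baseline if k not in live)       # removed from device
    unexpected = sorted(k for k in live if k not in baseline)    # added on device
    return {"changed": changed, "missing": missing, "unexpected": unexpected}


def restore_plan(live: dict, baseline: dict) -> dict:
    """Settings to write back. Unexpected keys are deliberately excluded: they may
    be an intruder's additions and need an engineer's review, not a blind reload."""
    d = drift(live, baseline)
    plan = {k: baseline[k] for k in d["changed"]}
    plan.update({k: baseline[k] for k in d["missing"]})
    return plan


def demo() -> dict:
    # Hypothetical baseline for a feeder protection relay called IED-F3.
    baseline_settings = {
        "phase_overcurrent_pickup_A": 600.0,
        "phase_overcurrent_delay_s": 0.05,
        "time_overcurrent_pickup_A": 120.0,
        "time_overcurrent_curve": "IEC_very_inverse",
        "autoreclose_enabled": True,
        "remote_control_enabled": True,
    }
    backup = {"device": "IED-F3", "settings": baseline_settings,
              "sha256": settings_fingerprint(baseline_settings)}

    # Constructed: what the device reports after a suspected intrusion.
    live = dict(baseline_settings)
    live["phase_overcurrent_pickup_A"] = 6000.0      # protection effectively defeated
    live["autoreclose_enabled"] = False
    del live["time_overcurrent_curve"]
    live["engineering_port_password"] = "admin"      # not part of the baseline

    baseline = load_baseline(backup)
    result = {"drift": drift(live, baseline), "plan": restore_plan(live, baseline)}

    # A backup whose settings were edited without updating the fingerprint is rejected.
    tampered = {**backup, "settings": {**baseline_settings, "remote_control_enabled": False}}
    try:
        load_baseline(tampered)
        result["tampered_backup_rejected"] = False
    except ValueError:
        result["tampered_backup_rejected"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Keep the fingerprint (or a signature over it) separate from the backup file itself, on media the substation's network cannot write to; otherwise an intruder who reaches the backup can update both together.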
Addressing cyber security for the substation
automation system
Cyber security risks were inherited when open IT standards were adopted.
Fortunately, this movement also inspired the development of cyber security
mechanisms in a large number of enterprise environments to address these risks.
Substation automation system providers are taking a systematic, global approach,
continuously adapting to meet changing demand through standardization and
proactive R&D efforts.

Standards activity addresses cyber security requirements both at the system level
and the product level and includes –
• NIST SGIP-CSWG Smart Grid Interoperability Panel – Cyber Security Working Group
• NERC CIP Cyber Security regulation for North American power utilities
• IEC 62351 Data and Communications Security
• IEEE PSRC/H13 – SUB/C10 Cyber Security Requirements for Substation Automation,
Protection and Control Systems
• IEEE 1686 IEEE Standard for Substation Intelligent Electronic Devices (IEDs)
Cyber Security Capabilities
• ISA S99 Industrial Automation and Control System Security

Verified antivirus software protects station computers from attacks and viruses.
Cyber security also can be improved by limiting the use of removable media in the
station computers.

Security mechanisms designed and developed specifically for substation automation
systems use proven technology to support advanced account management and
detailed security audit trails in RTUs/IEDs and SCADA. Utilities should look for
cyber security solutions that enable:
• User account management – Supports user authentication and authorization at the
individual-user level. User authentication is required and authorization is
enforced for all interactive access to the device.
• User accounts – Allows full management of user accounts, including creating,
editing and deleting. User names and passwords can be configured according to
the user’s requirements.
• Role-based access control – Enables each user account to be assigned a specific
role; user roles can be added, removed and changed as needed.
• Password complexity – Enforces password policies with minimum password length,
maximum password lifetime and use of lower case, upper case, numeric and special
characters.
• HTTPS support – Permits encrypted communication between the web browser and the
RTU. A standard browser such as Internet Explorer or Firefox can be used. In
addition, self-signed certificates pre-installed at the web client can be used;
the client must be configured to trust that specific certificate rather than to
accept whatever certificate is presented, otherwise the encryption gives no
protection against an intruder impersonating the RTU.
• Local logging – Creates audit trails (log files) of all security-relevant user
activities. Security events logged include user login, logout, change of
parameters, configurations and updates of firmware. For each event, the date and
time, user, event ID, outcome and source of the event are logged. Access to the
audit trail is available to authorized users only.
• External security clients – Sends security events to external security log
clients such as the Security Event Manager, a monitoring and response device that
gives visibility of real-time security events.
• Security events to control system – Sends security events and alarms via the
host protocol to the control systems. The user configures the settings for
security alarms.
• VPN function – Offers an encrypted channel between the SCADA or RTU and the
IPsec router on the user’s side. The VPN tunnel provides confidentiality,
integrity and authenticity. Secure communication via public networks with fixed
IP addresses is possible. Authentication is managed with pre-shared keys, which
should be unique to each tunnel and long enough to resist offline guessing.
Conclusion
The electric utility’s concern about cyber security of its substation automation
systems is well founded. These systems are, in several ways, even more subject
to intrusion than conventional computer systems. Yet, the utility has many options
for preventing and detecting electronic intrusion from within its organization and
from outside the corporate network. Substation automation system providers have
identified cyber security as a key requirement and are designing and developing
solutions, using proven technology, to provide advanced account management
and detailed security audit trails for their network RTUs, IEDs and SCADA.