Substation Cyber Security: Protecting the automated control system

June 2012

Make the most of your energy℠



Summary

Executive Summary (p 1)

Introduction (p 2)

Substation systems: security threat targets (p 4)

Vulnerability of the substation automation system (p 6)

Measures to enhance substation automation system (p 9)

Addressing cyber security for the substation automation system (p 13)

Conclusion (p 15)

Substation Cyber Security | White paper | 01

Executive summary

The electric power grid has changed significantly over the past decade and continues to change as technology evolves. More and more, new-generation substation control systems are based on open standards and commercial technology, including Ethernet and TCP/IP based communication protocols such as IEC 60870-5-104, DNP 3.0 or IEC 61850. While this change in technology has brought about huge operational benefits, it has introduced cyber security concerns and a potential challenge to network reliability. Electronic intrusion into a substation can misdirect or terminate service, and this intrusion can be from internal individuals or external hackers or organizations.

Many substation control and diagnostic systems in deployment were not designed for real-time security functionality and centralized system administration with robust access control. Utilities must implement policies to protect their substation systems against intrusion from within and from outside the corporate network. Further, they must be able to detect intrusion when it does occur to eliminate future untoward effects. Finally, they need to be prepared with planned response and restoration that not only returns targeted functionality but can improve system security.

The global power industry has stepped up its focus on cyber security for control and automation systems, and standards are in place identifying the functionalities required for secure substation operation. Utilities looking to protect against cyber attack on their substation automation systems must implement the SCADA, RTU and IED solutions that incorporate proven technology and the security mechanisms meeting these standards.

Introduction


Traditionally, an electric utility’s concerns regarding substation asset security centered on physical threats, both natural and human. In locations other than those experiencing civil strife, the primary human threat was considered to be a single, disgruntled employee; an angry customer; or a politically motivated vandal. In any of these cases, the malfeasant had to be within, or physically close to, the substation to cause damage. To protect assets from these human threats, the utility used fences, locked gates, security cameras, SCADA-monitored intrusion alarms and occasional onsite monitoring visits by utility security staff.

More recently, both the nature and magnitude of the threat to substation assets have changed. Now, the equipment for monitoring and controlling substation devices is usually connected by communication lines to wide-area networks potentially accessible by the general public. Consequently, an individual seeking to damage utility assets can do so from places hundreds or thousands of kilometers distant and potentially impact multiple substations simultaneously. The magnitude of the threat also has changed. Organized and well-funded groups have publicly stated their goal of damaging key elements of society’s critical infrastructure. Evidence shows that some organizations have been gathering information about public utilities and investigating the electronic defenses of corporate computing networks. Probes specifically targeting the business systems of electric utilities have been documented. However, because substations generally do not have firewalls or intrusion detection systems, it is not possible to know if they are being targeted.

This paper addresses the nature of cyber threats, their potential to damage utility assets and the means to detect and recover from them.


Substation systems: security threat targets

The IEEE 1402 standard refers to cyber intrusions as ‘electronic intrusions’ and defines them as “Entry into the substation via telephone lines or other electronic-based media for the manipulation or disturbance of electronic devices. These devices include digital relays, fault recorders, equipment diagnostic packages, automation equipment, computers, programmable logic controllers, and communication interfaces.”

Power substation security threats are primarily related to the ability to remotely access protection, control, automation and SCADA equipment. Through a power substation’s communications vulnerability, an electronic intruder could access the substation SCADA system. An inappropriate circuit breaker operation sequence would result in an electric arc between the contacts of the disconnector and high-rate optic and acoustic phenomena. Manifesting as an explosion, the event would spray melted metal and result in an inter-phase short circuit.

Such a failure would lead to complete destruction of the disconnector and partial or complete destruction of other components in the substation, along with disturbance in substation operation and interruption of energy supply to consumers. Personnel can be seriously injured. Depending on the state of the power system at the moment of the switching operation, the incorrect switching sequence could also cause a large power system failure and compromise the safety of the electric power system.

Internal attackers. Investigations of threats to corporate computer hardware and software systems typically reveal that the majority of attacks come from internal sources. Substation control systems and intelligent electronic devices (IEDs) are different from those at work in corporations, in that information about their computer hardware and software systems is not well known to the general public. However, other utilities, as well as industry equipment suppliers, contractors and consultants, are well acquainted with the hardware, software, architecture and communication protocols implemented in substation operations. Often, the suppliers of hardware, software, and services to the utility industry are granted the same level of trust and access as the utility individuals themselves – making the definition of an ‘insider’ much more broad.

Further, a utility employee who has access keys and passwords can be motivated by the prospect of financial gain from making that information available. Computer-based systems at substations contain data of value to a utility’s competitors as well as information – such as the electric load of a customer industrial plant – that might be of value to that customer’s competitors. Certainly, corporate employees are approached to provide interested parties with valuable information; it can’t be ruled out that a similar situation could occur with utility employees who have access to substation systems. Further, the possibility exists of an employee being bribed or blackmailed to cause physical damage or to disclose privileged information that would enable other parties to cause damage.


Suppliers. A potential threat exists with employees of substation equipment suppliers, who also have access to – or the knowledge that enables access to or damage of – substation assets. One access path is through the diagnostic port of the substation monitoring and control equipment. It is common that the manufacturer of a substation device has the ability to establish an Internet link or telephone connection with the device for the purpose of performing diagnostics. An unscrupulous employee of the manufacturer could use this link to cause damage or gather confidential information, as has happened many times in other industries. Employees of the utility or equipment supplier also can illicitly access computer-based substation equipment via the communications paths into the substation.

Hackers. Other potential intruders include the hacker who is simply browsing and probing for weak links to penetrate corporate defenses and the individual who is motivated to cause damage by a grievance against the utility or against society in general.

Criminals. Another potential security problem lies with those who threaten to do damage, in the attempt to extort money, or attempt to access confidential corporate records, such as the customer database, for sale or use.

Terrorists. The most serious security concern is with those antagonists, domestic or foreign, who have the resources to mount a serious attack. They can be quite knowledgeable, since the computer-based systems that outfit a substation are sold with minimal export restrictions worldwide – complete with documentation and operational training. The danger from an attack mounted by an organized hostile power is increased by the fact it can occur in many places simultaneously and would likely be coupled with other cyber, physical, or biological attacks aimed at crippling response capabilities.


Vulnerability of the substation automation system

Conventional computer systems have always been susceptible to those exploiting programming errors in operating systems and application software; cracking user passwords; taking advantage of system installations that leave extraneous services and open ports susceptible; and penetrating improperly configured firewalls that fail to guard against unauthorized communications.

In addition to these common vulnerabilities, the control and diagnostic systems in substations have a number of system-related cyber security vulnerabilities –

Slow processors

One way to strengthen the privacy and authenticity of messages transmitted across insecure channels is to use encryption. However, encryption techniques are often too resource-intensive for most current IEDs and many existing substation automation systems. Further, many substation communications channels do not have sufficient bandwidth for the transmission of longer, block-encrypted messages.

The remote terminal units (RTUs) and IEDs in some substation systems use early microprocessor technology. They have limited memory and often have to meet stringent time constraints on their communications. With microprocessors that do not have the processing capability to support additional computational burden, it is not feasible to enhance communications security through data message encryption.

Real-time operating systems

Design of the real-time operating systems embedded within many IEDs poses another security risk. Some suppliers of these embedded operating systems have not had to meet the requirements for secure communications. Their software systems were designed to operate in an environment focusing on deterministic response to events; information security was a lower priority.


Communications media

The data messages that substation IEDs exchange with the outside world are often transmitted over media that are potentially open to eavesdropping or active intrusion. Dial-in lines are common, and the IED will accept phone calls from anyone who knows its phone number. Many IEDs are IP (Internet protocol)-enabled, which means they can be addressed by computers connected to the Internet. In addition, much of the data traffic to and from a substation travels over wireless networks. Intruders with the proper equipment can record and interpret data exchanges and can insert their own messages to control power system devices.

Open protocols

Many protocols have been used for communications between the substation and the utility control center. In the past, these protocols typically were vendor-specific and proprietary. However, in recent years the majority of communications implementations have been executed to the IEC 60870-5 standard (in Europe), the DNP3 standard (in North America), or – to a much lesser extent – the IEC 60870-6 TASE.2 standard, also called ICCP. These protocols are non-proprietary, well documented and available to the general public. When these protocols were designed, security was not a key issue.

An RTU test set usually involves a portable device and communications port with a user interface that interprets the messages being sent to and from the RTU or IED, allowing the user to define and issue commands to the substation device. An intruder can patch into the communications channel to a substation and use a test set to operate devices at the substation.

Lack of authentication

Communication protocols in current use do not provide a means for confirming each other’s identity and securing data exchange. An intruder with access to a communications line to a controllable device can execute a control in the same manner as an authorized user. Intruders can also mimic a data source and substitute invalid data. In most cases, the program receiving the data does not perform validation that would detect this kind of interference.
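As an added illustration (not code from the paper or from Schneider Electric), the following Python sketch contrasts a legacy control frame protected only by a CRC with one carrying a truncated keyed HMAC tag and a sequence number, which is the kind of validation the paper says receiving programs lack. The frame layout, function code, tag length and shared key are constructed for the example and do not reproduce any real protocol’s format.

```python
import hashlib
import hmac
import struct

# Constructed control-message layout used only for this illustration (not a real
# DNP3 or IEC 60870-5-104 frame): source address, destination address,
# function code, point index, operation, sequence number.
HEADER = struct.Struct(">HHBHBI")
FUNC_OPERATE = 0x04   # hypothetical "operate" function code
TAG_LEN = 8           # truncated HMAC tag: small overhead for low-bandwidth links (assumption)


def crc16(data: bytes) -> int:
    """CRC-16/CCITT style check as legacy protocols provide it: error detection only."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_legacy(src, dst, func, point, op, seq) -> bytes:
    """Legacy frame: header plus CRC. Any party on the line can produce a valid one."""
    body = HEADER.pack(src, dst, func, point, op, seq)
    return body + struct.pack(">H", crc16(body))


def legacy_accepts(frame: bytes) -> bool:
    """The legacy receiver only checks the CRC, so it cannot tell who sent the frame."""
    body, (crc,) = frame[:-2], struct.unpack(">H", frame[-2:])
    return crc16(body) == crc


def build_authenticated(key: bytes, src, dst, func, point, op, seq) -> bytes:
    """Frame with a keyed tag: only a holder of the shared key can produce it."""
    body = HEADER.pack(src, dst, func, point, op, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Outstation:
    """Receiver-side validation: key knowledge, addressing and replay protection."""

    def __init__(self, key: bytes, own_addr: int):
        self.key = key
        self.own_addr = own_addr
        self.last_seq = {}   # highest sequence number accepted per source

    def accepts(self, frame: bytes) -> bool:
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False     # wrong key, or a field altered in transit
        src, dst, _func, _point, _op, seq = HEADER.unpack(body)
        if dst != self.own_addr:
            return False     # not addressed to this device
        if seq <= self.last_seq.get(src, -1):
            return False     # replay of an earlier, genuine frame
        self.last_seq[src] = seq
        return True
```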


Lack of centralized system administration

Unlike the IT domain, where there is a central system administrator to designate and track authorized users, substation automation system users often are their own system administrators and have the authority to perform all security functions. This situation can make access to substation automation systems available to personnel who have no reason for access. They would be able to perform critical functions such as assigning passwords, assigning log-in IDs, configuring the system and adding or deleting software.

Large numbers of remote devices

A typical utility has from several dozen to several hundred substations at geographically dispersed locations, and each automated substation typically has many IEDs. Therefore, there is a high cost to implement any solution that requires upgrading, reprogramming or replacing the IEDs.

Measures to enhance substation automation system

The strategies for enhancing cyber security of control and diagnostic systems at substations are the same as those that would be applied for other corporate computer systems: (1) prevent cyber intrusion where possible; (2) detect intrusion where it could not be prevented; (3) recover from an intrusion after detection; and (4) use the experience to improve preventive measures.

Protecting Substation Systems

Intrusion from inside the corporate network. With substation control and monitoring systems connected to the utility’s corporate wide-area network, a large potential threat to these systems exists from unauthorized users on that corporate network. The corporate network should be made as secure as possible –

• The most important measure is one of the simplest: ensuring that all default passwords have been removed from all substation systems and that there are no accounts without any password.

• User passwords should not be simplistic. However, passwords that are difficult to guess are also difficult to remember. Procedures should discourage users from posting their passwords on the terminal of the system being protected.

• A password should be terminated immediately when its owner leaves employment or changes job assignments.

• Different sets of privileges should be established for different classes of users. For example, some users should be allowed only to view historical substation data. Other users might be permitted to view only real-time data. Operators should be given only control privileges, and relay engineers’ authority should be limited to changing relay settings.

Intrusion from outside the corporate network. The possibility of intrusion by outsiders who have gained direct access to substation devices through unprotected communications channels poses new challenges to the cyber security of substation systems.

The SCADA communication line links the utility control center and the substation. This line carries real-time data from substation devices to dispatchers at the control center and control messages from the dispatchers back to the substation. In the case of substation automation, a data concentrator or a substation automation host processor serves as the RTU in sending substation data to the control center and in responding to the dispatcher’s control commands.

A variety of media, such as power line, leased lines, microwave, multiple-address radio, satellite-based communications, fiber optic cable and others, are used to connect the substation RTU with the control center. It is quite common for communications from control center to substation to use different media along different segments of the path. Some of these media, especially the wireless ones, are subject to eavesdropping or active intrusion. At least one case has been reported in which an intruder used radio technology to commandeer SCADA communications and sabotage the system. Of the many alternatives, using fiber optics offers the most security against SCADA communications intrusion.

In substation integration and automation systems, IEDs intrinsically support two-way communications. Once the user has logged on to the IED, the user can use the connection to:

• Acquire data that the IED has stored

• Change the parameters of the IED, such as the settings of a protective relay

• Perform diagnostics on the IED

• Control the power system device connected to the IED; that is, operate a circuit breaker

There are two lines of defense that a utility can take –

• Strengthening the authentication of the user confirms the identity of the prospective IED user. As the very first step, the utility should ensure that the default passwords originally supplied with the IEDs are changed and that a set of strong passwords is implemented.

• Encrypting communications between the user and the IED ensures that only users in possession of the secret key are able to interpret data from the IED and change IED parameters.

Note: once the industry has agreed on a standard technique for encrypting messages, IED manufacturers can plan for economies of scale. If there is a demand for encryption of IED communications, and industry-wide consensus on the approach, IED manufacturers will develop an effective way to embed the algorithm in the processor of IEDs at little incremental cost.


Detecting Intrusion

While it is extremely important to prevent intrusions into one’s systems and databases, an axiom of cyber security is that any intrusions must be detected, because an intruder who gains control of a substation computer can gather data – including the log-on passwords of legitimate users – and use that data at a later time to operate power system devices. Further, the intruder can set up a mechanism, sometimes referred to as a ‘backdoor’, that will allow easy access at a future time.

If no obvious damage was done at the time of the intrusion, it can be very difficult to detect that the software has been modified. For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data might never be noticed. Even when the intrusion does intentionally open a circuit breaker on a critical circuit or cause other damage, it might not be at all obvious that the false operation was due to a security breach instead of some other failure such as a voltage transient, relay failure or software bug.

For these reasons, it is important to make every effort to detect intrusions when they occur and derail future data manipulation by the intruder. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS). These systems are designed to recognize intrusions, based on parameters such as communications attempted from unauthorized or unusual addresses and an unusual pattern of activity, and generate logs of suspicious events. This response allows system administrators, control engineers and operators to apply solutions powered by security event management technology to quickly recognize and respond to events impacting security, compliance and operational efficiency.
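Added example, not from the paper: detection logic of the kind described above, run over constructed gateway log lines in a hypothetical format. It flags communications from addresses outside the authorized master list, control operations from sources not permitted to operate, and bursts of control operations within a short window; the addresses, function names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log lines in a hypothetical format (timestamp, source, destination,
# protocol, function code and, for controls, the point operated). Not real device output.
SAMPLE_LOG = """\
2012-06-01T10:00:01 src=10.20.0.5 dst=10.20.1.10 proto=dnp3 fc=read
2012-06-01T10:00:02 src=10.20.0.5 dst=10.20.1.10 proto=dnp3 fc=read
2012-06-01T10:00:05 src=10.20.0.5 dst=10.20.1.10 proto=dnp3 fc=operate point=CB101
2012-06-01T10:03:10 src=192.0.2.77 dst=10.20.1.10 proto=dnp3 fc=read
2012-06-01T10:03:11 src=192.0.2.77 dst=10.20.1.10 proto=dnp3 fc=operate point=CB102
2012-06-01T10:05:00 src=10.20.0.9 dst=10.20.1.11 proto=iec104 fc=operate point=CB201
2012-06-01T10:05:01 src=10.20.0.9 dst=10.20.1.11 proto=iec104 fc=operate point=CB202
2012-06-01T10:05:02 src=10.20.0.9 dst=10.20.1.11 proto=iec104 fc=operate point=CB203
2012-06-01T10:05:03 src=10.20.0.9 dst=10.20.1.11 proto=iec104 fc=operate point=CB204
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\S+) fc=(\S+)(?: point=(\S+))?$")
CONTROL_FUNCTIONS = {"select", "operate", "write"}   # function names are assumptions

# Control-center masters allowed to talk to outstations, and the subset allowed to
# issue controls (both constructed for the example).
AUTHORIZED_MASTERS = {"10.20.0.5", "10.20.0.9"}
CONTROL_MASTERS = {"10.20.0.5", "10.20.0.9"}


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, fc, point = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "fc": fc, "point": point}


def detect(lines, authorized, control_allowed, burst_limit=3, window=timedelta(seconds=60)):
    """Return (timestamp, rule, source, detail) alerts for unusual addresses and activity."""
    alerts = []
    recent_controls = defaultdict(deque)   # per-source timestamps of recent control operations
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue                        # unparseable line: worth logging on its own
        if ev["src"] not in authorized:
            alerts.append((ev["ts"], "unauthorized-address", ev["src"], ev["fc"]))
        if ev["fc"] not in CONTROL_FUNCTIONS:
            continue
        if ev["src"] not in control_allowed:
            alerts.append((ev["ts"], "control-from-non-operator", ev["src"], ev["point"]))
        q = recent_controls[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                     # drop operations outside the sliding window
        if len(q) == burst_limit:           # fire once as the threshold is crossed
            alerts.append((ev["ts"], "control-burst", ev["src"], len(q)))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines(), AUTHORIZED_MASTERS, CONTROL_MASTERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```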

Responding to Intrusion

The ‘three Rs’ of response to cyber intrusion are recording, reporting, and restoring –

Theoretically, it would be desirable to record all data communications into and out of all substation devices. If an intruder successfully attacks the system, the recordings could be used to determine what technique the intruder used to modify the system and then close that particular vulnerability. Recording would be invaluable in helping identify the intruder. Further, a recording made in a way that is demonstrably inalterable can be admissible as evidence in court in the event the intruder is apprehended. However, due to the high frequency of SCADA communications, the low cost of substation communications equipment, and the fact that substations are distant from corporate security staff, it might be impractical to record all communications. System owners will probably defer any attempts to record substation data communications until (a) storage media are developed that are fast, voluminous and inexpensive, or (b) SCADA-oriented intrusion detection systems are developed that can filter out usual traffic and record only the deviant patterns.


But even if the communications sequence responsible for an intrusion is neither detected nor recorded when it occurs, it is essential that procedures be developed for the restoration of service after a cyber attack. It is extremely important that the utility maintain backups of the software of all programmable substation units and documentation of all IED standard parameters and settings.

After the utility suspects an intrusion or determines that a particular programmable device has been compromised, the software should be reloaded from the secure backup. If the settings on an IED had been illicitly changed, the original settings must be restored. Unless the nature of the breach of security is known and can be repaired, the utility should seriously consider taking the device off line or otherwise making it inaccessible to prevent a future exploitation of the same vulnerability.
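Added example (not the paper’s or any vendor’s tooling) of keeping the documented IED settings and firmware hash as a keyed, tamper-evident baseline and comparing a device’s current state against it, so that illicitly changed settings are identified and listed for restoration. The device name, setting names, values and key are constructed.

```python
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Stable serialization so the same content always yields the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(key: bytes, device_id: str, firmware_sha256: str, settings: dict) -> dict:
    """Record documented settings and firmware hash, authenticated with a key held off the substation LAN."""
    record = {"device": device_id, "firmware_sha256": firmware_sha256, "settings": settings}
    mac = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": mac}


def baseline_is_authentic(key: bytes, baseline: dict) -> bool:
    """A baseline an intruder could edit is worthless; check its MAC before trusting it."""
    expected = hmac.new(key, canonical(baseline["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def compare_to_baseline(baseline: dict, current_firmware_sha256: str, current_settings: dict) -> dict:
    """Report firmware mismatch and every setting that was changed, added or removed."""
    record = baseline["record"]
    drift = {}
    for name in sorted(set(record["settings"]) | set(current_settings)):
        before = record["settings"].get(name)
        after = current_settings.get(name)
        if before != after:
            drift[name] = (before, after)
    return {"firmware_modified": current_firmware_sha256 != record["firmware_sha256"],
            "settings_drift": drift}


def restoration_plan(key: bytes, baseline: dict, current_firmware_sha256: str, current_settings: dict):
    """Human-readable restoration steps; refuses to work from a baseline that fails authentication."""
    if not baseline_is_authentic(key, baseline):
        raise ValueError("baseline record failed authentication; do not restore from it")
    diff = compare_to_baseline(baseline, current_firmware_sha256, current_settings)
    actions = []
    if diff["firmware_modified"]:
        actions.append("reload firmware from secure backup")
    for name, (before, after) in diff["settings_drift"].items():
        if before is None:
            actions.append(f"remove unexpected setting {name}")
        else:
            actions.append(f"restore {name} to {before!r} (found {after!r})")
    return actions


# Constructed sample data: a hypothetical feeder relay and its documented settings.
BASELINE_KEY = b"constructed-baseline-key"
KNOWN_GOOD_FIRMWARE = hashlib.sha256(b"constructed firmware image v1.0").hexdigest()
DOCUMENTED_SETTINGS = {"overcurrent_pickup_A": 600, "time_dial": 2.5, "reclose_enabled": True}
BASELINE = sign_baseline(BASELINE_KEY, "RELAY-F1-01", KNOWN_GOOD_FIRMWARE, DOCUMENTED_SETTINGS)


def demo():
    """Settings as read back from the device after a suspected intrusion (constructed)."""
    found = {"overcurrent_pickup_A": 1200, "time_dial": 2.5, "reclose_enabled": True, "remote_enable": 1}
    return restoration_plan(BASELINE_KEY, BASELINE, KNOWN_GOOD_FIRMWARE, found)


if __name__ == "__main__":
    for step in demo():
        print(step)
```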

Addressing cyber security for the substation automation system

Cyber security risks were inherited when open IT standards were adopted. Fortunately, this movement also inspired the development of cyber security mechanisms in a large number of enterprise environments to address these risks. Substation automation system providers are taking a systematic, global approach, continuously adapting to meet changing demand through standardization and proactive R&D efforts.

Standards activity addresses cyber security requirements both at the system level and the product level and includes –

• NIST SGIP-CSWG Smart Grid Interoperability Panel – Cyber Security Working Group

• NERC CIP Cyber Security regulation for North American power utilities

• IEC 62351 Data and Communications Security

• IEEE PSRC/H13 Cyber Security Requirements for Substation & SUB/C10 Automation, Protection and Control Systems

• IEEE 1686 IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities

• ISA S99 Industrial Automation and Control System Security

Verified antivirus software protects station computers from attacks and viruses. Cyber security also can be improved by limiting the use of removable media in the station computers.

Security mechanisms designed and developed specifically for substation automation systems use proven technology to support advanced account management and detailed security audit trails in RTUs/IEDs and SCADA. Utilities should look for cyber security solutions that enable:

• User account management – Supports user authentication and authorization at the individual-user level. User authentication is required and authorization is enforced for all interactive access to the device.

• User accounts – Allows full management of user accounts, including creating, editing and deleting. User names and passwords can be configured according to the user’s requirements.


• Role-based access control – Enables each user account to be assigned a specific role, and user roles can be added, removed and changed as needed.

• Password complexity – Enforces password policies with minimum password length, maximum password lifetime and use of lower case, upper case, numeric and special characters.

• HTTPS support – Permits encrypted communication between the web browser and the RTU. A standard browser such as Internet Explorer or Firefox can be used. In addition, self-signed certificates, pre-installed at the web client, can be used.

• Local logging – Creates audit trails (log files) of all security-relevant user activities. Security events logged include user login, logout, change of parameters, configurations and updates of firmware. For each event, the date and time, user, event ID, outcome and source of the event are logged. Access to the audit trail is available to authorized users only.

• External security clients – Sends security events to external security log clients such as the Security Event Manager, which uses a monitoring and response device for visibility of real-time security events.

• Security events to control system – Sends security events and alarms via host protocol to the control systems. The user configures settings for security alarms.

• VPN function – Offers one encrypted channel between the SCADA or RTU and the IPsec router on the user’s side. The VPN tunnel provides confidentiality, integrity and authenticity. Secure communication via public networks with fixed IP addresses is possible. Authentication is managed with pre-shared keys.
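Added example, not from the paper, combining the privilege classes listed under Protecting Substation Systems with the role-based access control and local logging features above: a deny-by-default authorization check that records every decision in an audit trail, plus a policy check that keeps user administration separate from operational roles (the centralized-administration gap described earlier). Role and action names are assumptions.

```python
from enum import Enum, auto


class Action(Enum):
    VIEW_HISTORICAL = auto()
    VIEW_REALTIME = auto()
    OPERATE_BREAKER = auto()
    CHANGE_RELAY_SETTINGS = auto()
    UPDATE_FIRMWARE = auto()
    MANAGE_USERS = auto()


# Roles follow the privilege classes in the paper; "maintainer" and "security_admin" are assumptions.
ROLE_PERMISSIONS = {
    "historian": {Action.VIEW_HISTORICAL},
    "monitor": {Action.VIEW_REALTIME},
    "operator": {Action.VIEW_REALTIME, Action.OPERATE_BREAKER},
    "relay_engineer": {Action.VIEW_REALTIME, Action.CHANGE_RELAY_SETTINGS},
    "maintainer": {Action.UPDATE_FIRMWARE},
    "security_admin": {Action.MANAGE_USERS},
}
ADMIN_ACTIONS = {Action.MANAGE_USERS}


def policy_violations(permissions=ROLE_PERMISSIONS):
    """Central-administration rule: no role may both manage users and act on the power system."""
    return [role for role, acts in permissions.items()
            if acts & ADMIN_ACTIONS and acts - ADMIN_ACTIONS]


class AccessController:
    def __init__(self):
        self.user_roles = {}
        self.audit = []   # (user, action, target, outcome): the local audit trail

    def authorize(self, user, action, target):
        """Deny by default: an unknown user or an action outside the role is refused and logged."""
        role = self.user_roles.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        self.audit.append((user, action.name, target, "ALLOW" if allowed else "DENY"))
        return allowed

    def assign_role(self, admin, user, role):
        """Only a user holding MANAGE_USERS may grant a role; the grant itself is audited."""
        if not self.authorize(admin, Action.MANAGE_USERS, user):
            return False
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles[user] = role
        return True

    def revoke(self, admin, user):
        """Remove all access, e.g. when the owner leaves employment or changes assignment."""
        if not self.authorize(admin, Action.MANAGE_USERS, user):
            return False
        self.user_roles.pop(user, None)
        return True


def bootstrap(first_admin):
    """The first administrator is seeded out of band; every later change goes through authorize()."""
    ac = AccessController()
    ac.user_roles[first_admin] = "security_admin"
    return ac
```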

Conclusion


The electric utility’s concern about cyber security of its substation automation systems is well founded. These systems are, in several ways, even more subject to intrusion than conventional computer systems. Yet, the utility has many options for preventing and detecting electronic intrusion from within its organization and from outside the corporate network. Substation automation system providers have identified cyber security as a key requirement and are designing and developing solutions, using proven technology, to provide advanced account management and detailed security audit trails for their network RTUs, IEDs and SCADA.

Schneider Electric USA, Inc.

4701 Royal Vista Circle, Fort Collins, CO 80528. Phone: 1-866-537-1091, +(34) 9-17-14-70-02. Fax: 1-970-223-5577. www.schneider-electric.com/us

July 2012

©2012 Schneider Electric. All rights reserved.