Substation Cyber Security: Protecting the automated control system
June 2012
Make the most of your energy℠
Summary
Executive Summary (p 1)
Introduction (p 2)
Substation systems: security threat targets (p 4)
Vulnerability of the substation automation system (p 6)
Measures to enhance substation automation system security (p 9)
Addressing cyber security for the substation automation system (p 13)
Conclusion (p 15)
Executive summary
Substation Cyber Security
White paper | 01
The electric power grid has changed significantly over the past decade and
continues to change as technology evolves. More and more, new-generation
substation control systems are based on open standards and commercial
technology, including Ethernet and TCP/IP based communication protocols such
as IEC 60870-5-104, DNP 3.0 or IEC 61850. While this change in technology
has brought about huge operational benefits, it has introduced cyber security
concerns and a potential challenge to network reliability. Electronic intrusion into
a substation can misdirect or terminate service, and this intrusion can be from
internal individuals or external hackers or organizations.
Many substation control and diagnostic systems in deployment were not designed
for real-time security functionality and centralized system administration with
robust access control. Utilities must implement policies to protect their substation
systems against intrusion from within and from outside the corporate network.
Further, they must be able to detect intrusion when it does occur to eliminate
future untoward effects. Finally, they need to be prepared with planned response
and restoration that not only returns targeted functionality but can improve system
security.
The global power industry has stepped up its focus on cyber security for control
and automation systems, and standards are in place identifying the functionalities
required for secure substation operation. Utilities looking to protect against cyber
attack on their substation automation systems must implement SCADA,
RTU and IED solutions that incorporate proven technology and the security
mechanisms that meet these standards.
Introduction
Traditionally, an electric utility’s concerns regarding substation asset security
centered on physical threats, both natural and human. In locations other than
those experiencing civil strife, the primary human threat was considered to be
a single, disgruntled employee; an angry customer; or a politically motivated
vandal. In any of these cases, the malfeasant had to be within, or physically
close to, the substation to cause damage. To protect assets from these human
threats, the utility used fences, locked gates, security cameras, SCADA-
monitored intrusion alarms and occasional onsite monitoring visits by utility
security staff.
More recently, both the nature and magnitude of the threat to substation assets
have changed. Now, the equipment for monitoring and controlling substation
devices is usually connected by communication lines to wide-area networks
potentially accessible by the general public. Consequently, an individual seeking
to damage utility assets can do so from places hundreds or thousands of
kilometers distant and potentially impact multiple substations simultaneously.
The magnitude of the threat also has changed. Organized and well-funded
groups have publicly stated their goal of damaging key elements of society’s
critical infrastructure. Evidence shows that some organizations have been
gathering information about public utilities and investigating the electronic
defenses of corporate computing networks. Probes specifically targeting the
business systems of electric utilities have been documented. However, because
substations generally do not have firewalls or intrusion detection systems, it is
not possible to know if they are being targeted.
This paper addresses the nature of cyber threats, their potential to damage utility
assets and the means to detect and recover from them.
Substation systems: security threat targets
The IEEE 1402 standard refers to cyber intrusions as
‘electronic intrusions’ and defines them as “Entry into
the substation via telephone lines or other electronic-
based media for the manipulation or disturbance
of electronic devices. These devices include digital
relays, fault recorders, equipment diagnostic
packages, automation equipment, computers,
programmable logic controllers, and communication
interfaces.”
Power substation security threats are primarily
related to the ability to remotely access protection,
control, automation and SCADA equipment. Through
a power substation’s communications vulnerability,
an electronic intruder could access the substation
SCADA system. An inappropriate circuit breaker
operation sequence would result in an electric arc
between the contacts of the disconnector and high-
rate optical and acoustic phenomena. Manifesting as
an explosion, the event would spray molten metal
and result in an inter-phase short circuit.
Such a failure would lead to complete destruction of
the disconnector and partial or complete destruction
of other components in the substation, along with
disturbance in substation operation and interruption
of energy supply to consumers. Personnel can be
seriously injured. Depending on the state of the
power system at the moment of switching operation,
the incorrect switching sequence could also cause
a large power system failure and compromise the
safety of the electric power system.
Internal attackers. Investigations of threats to
corporate computer hardware and software systems
typically reveal that the majority of attacks come from
internal sources. Substation control systems and
intelligent electronic devices (IEDs) are different from
those at work in corporations, in that information
about their computer hardware and software systems
is not well known to the general public. However,
other utilities, as well as industry equipment suppliers,
contractors and consultants, are well acquainted
with the hardware, software, architecture and
communication protocols implemented in substation
operations. Often, the suppliers of hardware,
software, and services to the utility industry are
granted the same level of trust and access as the
utility individuals themselves – making the definition of
an ‘insider’ much broader.
Further, a utility employee who has access keys
and passwords can be motivated by the prospect
of financial gain from making that information
available. Computer-based systems at substations
contain data of value to a utility’s competitors as
well as information – such as the electric load of a
customer industrial plant – that might be of value to
that customer’s competitors. Certainly, corporate
employees are approached to provide interested
parties with valuable information; it can’t be ruled
out that a similar situation could occur with utility
employees who have access to substation systems.
Further, the possibility exists of an employee being
bribed or blackmailed to cause physical damage or
to disclose privileged information that would enable
other parties to cause damage.
Suppliers. A potential threat exists with employees
of substation equipment suppliers, who also have
access to – or the knowledge that enables access
to or damage of – substation assets. One access
path is through the diagnostic port of the substation
monitoring and control equipment. It is common
that the manufacturer of a substation device has
the ability to establish an Internet link or telephone
connection with the device for the purpose of
performing diagnostics. An unscrupulous employee
of the manufacturer could use this link to cause
damage or gather confidential information, as has
happened many times in other industries. Employees
of the utility or equipment supplier also can illicitly
access computer-based substation equipment via the
communications paths into the substation.
Hackers. Other potential intruders include the hacker
who is simply browsing and probing for weak links to
penetrate corporate defenses and the individual who
is motivated to cause damage by a grievance against
the utility or against society in general.
Criminals. Another potential security problem
lies with those who threaten to do damage, in the
attempt to extort money, or attempt to access
confidential corporate records, such as the customer
database, for sale or use.
Terrorists. The most serious security concern is
with those antagonists, domestic or foreign, who
have the resources to mount a serious attack. They
can be quite knowledgeable, since the computer-
based systems that outfit a substation are sold with
minimal export restrictions worldwide – complete with
documentation and operational training. The danger
from an attack mounted by an organized hostile
power is increased by the fact it can occur in many
places simultaneously and would likely be coupled
with other cyber, physical, or biological attacks aimed
at crippling response capabilities.
Vulnerability of the substation automation system
Conventional computer systems have always been
susceptible to those exploiting programming errors
in operating systems and application software;
cracking user passwords; taking advantage of
system installations that leave extraneous services
and open ports exposed; and penetrating
improperly configured firewalls that fail to guard against
unauthorized communications.
In addition to these common vulnerabilities, the
control and diagnostic systems in substations
have a number of system-related cyber security
vulnerabilities –
Slow processors
One way to strengthen the privacy and authenticity
of messages transmitted across insecure channels
is to use encryption. However, encryption is
often too resource-intensive for most current IEDs
and many existing substation automation systems.
Further, many substation communications channels
do not have sufficient bandwidth for the transmission
of longer, block-encrypted messages.
The remote terminal units (RTUs) and IEDs in some
substation systems use early microprocessor
technology. They have limited memory and often
have to meet stringent time constraints on their
communications. With microprocessors that do not
have the processing capability to support additional
computational burden, it is not feasible to enhance
communications security through data message
encryption.
Real-time operating systems
Design of the real-time operating systems embedded
within many IEDs poses another security risk. Some
suppliers of these embedded operating systems
have not had to meet the requirements for secure
communications. Their software systems were
designed to operate in an environment focusing on
deterministic response to events; information security
was a lower priority.
Communications media
The data messages that substation IEDs exchange
with the outside world are often transmitted over
media that are potentially open to eavesdropping
or active intrusion. Dial-in lines are common, and
the IED will accept phone calls from anyone who
knows its phone number. Many IEDs are IP (Internet
protocol)-enabled, which means they can be
addressed by computers connected to the Internet.
In addition, much of the data traffic to and from a
substation travels over wireless networks. Intruders
with the proper equipment can record and interpret
data exchanges and can insert their own messages
to control power system devices.
Open protocols
Many protocols have been used for communications
between the substation and the utility control center.
In the past, these protocols typically were vendor-
specific and proprietary. However, in recent years
the majority of communications implementations
have been executed to the IEC 60870-5 standard
(in Europe), the DNP3 standard (in North America),
or – to a much lesser extent – the IEC 60870-6 TASE.2
standard, also called ICCP. These protocols are non-
proprietary, well documented and available to the
general public. When these protocols were designed,
security was not a key issue.
An RTU test set usually involves a portable device
and communications port with a user interface that
interprets the messages being sent to and from the
RTU or IED, allowing the user to define and issue
commands to the substation device. An intruder
can patch into the communications channel to a
substation and use a test set to operate devices at
the substation.
Lack of authentication
Communication protocols in current use do not
provide a means for confirming each other’s identity
and securing data exchange. An intruder with access
to a communications line to a controllable device
can execute a control in the same manner as an
authorized user. Intruders can also mimic a data
source and substitute invalid data. In most cases,
the program receiving the data does not perform
validation that would detect this kind of interference.
Lack of centralized system administration
Unlike the IT domain, where there is a central system
administrator to designate and track authorized users,
substation automation system users often are their
own system administrators and have the authority to
perform all security functions. This situation can make
access to substation automation systems available to
personnel who have no reason for access. They would
be able to perform critical functions such as assigning
passwords, assigning log-in IDs, configuring the
system and adding or deleting software.
Large numbers of remote devices
A typical utility has from several dozen to several
hundred substations at geographically dispersed
locations, and each automated substation typically
has many IEDs. Therefore, there is a high cost to
implement any solution that requires upgrading,
reprogramming or replacing the IEDs.
Measures to enhance substation automation system security
The strategies for enhancing cyber security of control and diagnostic systems at substations are the same as
those that would be applied for other corporate computer systems: (1) prevent cyber intrusion where possible;
(2) detect intrusion where it could not be prevented; (3) recover from an intrusion after detection; and (4) use
the experience to improve preventive measures.
Protecting Substation Systems
Intrusion from inside the corporate network. With
substation control and monitoring systems connected
to the utility’s corporate wide-area network, a
large potential threat to these systems exists from
unauthorized users on that corporate network. The
corporate network should be made as secure as
possible –
• The most important measure is one of the simplest:
ensuring that all default passwords have been
removed from all substation systems and that there
are no accounts without any password.
• User passwords should not be simplistic.
However, passwords that are difficult to guess
are also difficult to remember. Procedures should
discourage users from posting their passwords on
the terminal of the system being protected.
• A password should be terminated immediately when
its owner leaves employment or changes
job assignments.
• Different sets of privileges should be established for
different classes of users. For example, some users
should be allowed only to view historical substation
data. Other users might be permitted to view only
real-time data. Operators should be given only
control privileges, and relay engineers’ authority
should be limited to changing relay settings.
Intrusion from outside the corporate network.
The possibility of intrusion by outsiders who have
gained direct access to substation devices through
unprotected communications channels poses
new challenges to the cyber security of substation
systems.
The SCADA communication line links the utility
control center and the substation. This line carries
real-time data from substation devices to
dispatchers at the control center and controls
messages from the dispatchers back to the
substation. In the case of substation automation, a
data concentrator or a substation automation host
processor serves as the RTU in sending substation
data to the control center and in responding to the
dispatcher’s control commands.
A variety of media, such as power line, leased
lines, microwave, multiple-address radio, satellite-
based communications, fiber optic cable and
others, are used to connect the substation
RTU with the control center. It is quite common
for communications from control center to
substation to use different media along different
segments of the path. Some of these media,
especially the wireless ones, are subject to
eavesdropping or active intrusion. At least one
case has been reported in which an intruder
used radio technology to commandeer SCADA
communications and sabotage the system. Of
the many alternatives, using fiber optics offers the
most security against SCADA communications
intrusion.
In substation integration and automation
systems, IEDs intrinsically support two-way
communications. Once the user has logged on to
the IED, the user can use the connection to:
• Acquire data that the IED has stored
• Change the parameters of the IED, such as the
settings of a protective relay
• Perform diagnostics on the IED
• Control the power system device connected to
the IED; that is, operate a circuit breaker
There are two lines of defense that a utility can
take –
• Strengthening the authentication of the user
confirms the identity of the prospective IED user.
As the very first step, the utility should ensure
that the default passwords originally supplied
with the IEDs are changed and that a set of
strong passwords are implemented.
• Encrypting communications between the
user and the IED to ensure that only users in
possession of the secret key would be able
to interpret data from the IED and change IED
parameters.
Note: once the industry has agreed on a
standard technique for encrypting messages,
IED manufacturers can plan for economies of
scale. If there is a demand for encryption of IED
communications, and industry-wide consensus
on the approach, IED manufacturers will develop
an effective way to embed the algorithm in the
processor of IEDs at little incremental cost.
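The gap described under "Lack of authentication" and the first of the two lines of defense above can be shown side by side in code. The following is an added example, not code from this white paper or from any IED vendor: the frame layout, function code, sequence-number scheme and pre-shared key are assumptions made for the illustration (IEC 62351-5 and DNP3 Secure Authentication standardize this kind of protection with their own framing and key management).

```python
"""Message authentication for substation control commands (added example).

Not code from the white paper or from any vendor product. It models the
gap described under "Lack of authentication" and the first line of defense
above: a receiver that executes any well-formed command versus one that
checks a keyed MAC and a strictly increasing sequence number. The frame
layout, function code and pre-shared key are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed 32-byte pre-shared key held by master station and IED
# (provisioned out of band in practice, never hard-coded like this).
PSK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

OPERATE_BREAKER = 0x41  # assumed function code
TAG_LEN = 32            # HMAC-SHA256 output length
FRAME_FMT = ">BHBI"     # function, point index, value, sequence number


def encode_command(func: int, point: int, value: int, seq: int) -> bytes:
    """Payload: function code, point index, value, sequence number."""
    return struct.pack(FRAME_FMT, func, point, value, seq)


def decode_command(payload: bytes) -> dict:
    func, point, value, seq = struct.unpack(FRAME_FMT, payload)
    return {"func": func, "point": point, "value": value, "seq": seq}


def sign_command(key: bytes, payload: bytes) -> bytes:
    """Master-station side: append the MAC tag to the payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class UnauthenticatedIED:
    """Legacy behaviour: any well-formed command is executed."""

    def __init__(self):
        self.breaker_state = {}

    def receive(self, payload: bytes) -> str:
        cmd = decode_command(payload)
        if cmd["func"] == OPERATE_BREAKER:
            self.breaker_state[cmd["point"]] = cmd["value"]
            return "executed"
        return "ignored"


class AuthenticatedIED:
    """Requires a valid tag and a fresh sequence number before acting."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0
        self.breaker_state = {}

    def receive(self, frame: bytes) -> str:
        if len(frame) != struct.calcsize(FRAME_FMT) + TAG_LEN:
            return "rejected: bad length"
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        # constant-time comparison so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        cmd = decode_command(payload)
        if cmd["seq"] <= self._last_seq:
            return "rejected: replay"
        self._last_seq = cmd["seq"]
        if cmd["func"] == OPERATE_BREAKER:
            self.breaker_state[cmd["point"]] = cmd["value"]
            return "executed"
        return "ignored"


def demo() -> dict:
    """Run the same command against both receivers and return the outcomes."""
    legacy = UnauthenticatedIED()
    secure = AuthenticatedIED(PSK)
    out = {}
    # A command built by a party on the line who does not hold the key.
    crafted = encode_command(OPERATE_BREAKER, 7, 0, seq=1)
    out["legacy_crafted"] = legacy.receive(crafted)
    out["secure_crafted"] = secure.receive(sign_command(secrets.token_bytes(32), crafted))
    # The legitimate master station sends the same command under the PSK.
    genuine = sign_command(PSK, crafted)
    out["secure_genuine"] = secure.receive(genuine)
    # The captured frame replayed later fails the freshness check.
    out["secure_replay"] = secure.receive(genuine)
    # Altering the point index (7 -> 9) without the key fails the tag check.
    tampered = bytearray(genuine)
    tampered[2] = 9
    out["secure_tampered"] = secure.receive(bytes(tampered))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} {result}")
```

The order of checks in the authenticated receiver matters: length, then tag, then freshness, and only then dispatch on the function code, so nothing is acted on before the sender's identity and the frame's integrity have been established. A full 32-byte tag is used here for clarity; protocol designs for bandwidth-limited channels commonly truncate it, trading some margin for the shorter messages the "Slow processors" section calls for.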
Detecting Intrusion
While it is extremely important to prevent intrusions
into one’s systems and databases, an axiom of cyber
security is that any intrusions must be detected,
because an intruder who gains control of a substation
computer can gather data – including the log-on
passwords of legitimate users – and use that data at
a later time to operate power system devices. Further,
the intruder can set up a mechanism, sometimes
referred to as a ‘backdoor’, that will allow easy
access at a future time.
If no obvious damage was done at the time of the
intrusion, it can be very difficult to detect that the
software has been modified. For example, if the goal
of the intrusion was to gain unauthorized access
to utility data, the fact that another party is reading
confidential data might never be noticed. Even when
the intrusion does intentionally open a circuit breaker
on a critical circuit or cause other damage, it might
not be at all obvious that the false operation was due
to a security breach instead of some other failure
such as a voltage transient, relay failure or software
bug.
For these reasons, it is important to make every
effort to detect intrusions when they occur and derail
future data manipulation by the intruder. To this
end, a number of IT security system manufacturers
have developed intrusion detection systems (IDS).
These systems are designed to recognize intrusions,
based on parameters such as communications
attempted from unauthorized or unusual addresses
and an unusual pattern of activity, and generate logs
of suspicious events. This response allows system
administrators, control engineers and operators
to apply solutions powered by security event
management technology to quickly recognize and
respond to events impacting security, compliance
and operational efficiency.
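As an added example (not part of this white paper or of any product), here is a minimal SCADA-oriented detector built on the two indicators just listed, run over a constructed connection log and emitting the log of suspicious events the paragraph describes. The authorized master addresses, the control-rate threshold and the log format are assumptions made for the illustration.

```python
"""SCADA-oriented intrusion detection over constructed connection logs.

Added example; not part of the white paper or of any product. It applies
the two indicators the paper names for an IDS: communications from
addresses that are not authorized masters, and an unusual pattern of
activity (here, a burst of control operations well above the normal rate),
and emits a log of suspicious events. Log format, addresses and thresholds
are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: only these control-center front ends may address the RTU.
AUTHORIZED_MASTERS = {"10.20.0.5", "10.20.0.6"}
# Assumption: more than 3 control operations from one source within a
# minute is far outside normal dispatcher behaviour for one substation.
CONTROL_RATE_LIMIT = 3
RATE_WINDOW = timedelta(minutes=1)

# Constructed sample log, one line per message seen by the substation:
# "<timestamp> <source address> <operation> <detail>"
SAMPLE_LOG = """\
2012-06-04T10:00:01 10.20.0.5    READ    class0 poll
2012-06-04T10:00:31 10.20.0.5    READ    class0 poll
2012-06-04T10:01:02 10.20.0.5    CONTROL breaker 3 close
2012-06-04T10:01:45 192.168.77.9 READ    class0 poll
2012-06-04T10:02:00 192.168.77.9 CONTROL breaker 7 open
2012-06-04T10:02:01 192.168.77.9 CONTROL breaker 8 open
2012-06-04T10:02:02 192.168.77.9 CONTROL breaker 9 open
2012-06-04T10:02:03 192.168.77.9 CONTROL breaker 10 open
2012-06-04T10:03:00 10.20.0.6    READ    class0 poll
"""


def parse_line(line: str) -> dict:
    ts, src, op, detail = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "src": src, "op": op, "detail": detail}


def detect(log_text: str) -> list:
    """Return one suspicious-event record per rule hit, in log order."""
    events = []
    controls = defaultdict(list)   # source -> timestamps of recent CONTROLs
    burst_reported = set()         # one burst alert per source
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] not in AUTHORIZED_MASTERS:
            events.append({"ts": rec["ts"], "src": rec["src"],
                           "rule": "UNAUTHORIZED_ADDRESS",
                           "detail": f"{rec['op']} {rec['detail']}"})
        if rec["op"] == "CONTROL":
            window = controls[rec["src"]]
            window.append(rec["ts"])
            # keep only timestamps inside the sliding window
            window[:] = [t for t in window if rec["ts"] - t <= RATE_WINDOW]
            if len(window) > CONTROL_RATE_LIMIT and rec["src"] not in burst_reported:
                burst_reported.add(rec["src"])
                events.append({"ts": rec["ts"], "src": rec["src"],
                               "rule": "CONTROL_BURST",
                               "detail": f"{len(window)} controls within {RATE_WINDOW.seconds} s"})
    return events


def render(events: list) -> list:
    """Format events as lines for the security event log or SIEM feed."""
    return [f"{e['ts'].isoformat()} IDS {e['rule']} src={e['src']} {e['detail']}"
            for e in events]


if __name__ == "__main__":
    for line in render(detect(SAMPLE_LOG)):
        print(line)
```

On the constructed log the detector raises five address alerts for the unknown source and one burst alert when that source's fourth control arrives within the minute; the authorized masters' polls and single control produce nothing, which is the "filter out usual traffic" behaviour the next section asks of a SCADA-oriented IDS.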
Responding to Intrusion
The ‘three Rs’ of response to cyber intrusion are
recording, reporting, and restoring –
Theoretically, it would be desirable to record all
data communications into and out of all substation
devices. If an intruder successfully attacks the
system, the recordings could be used to determine
what technique the intruder used to modify the
system and then close that particular vulnerability.
Recording would be invaluable in helping identify
the intruder. Further, a recording made in a way
that is demonstrably inalterable can be admissible
as evidence in court in the event the intruder is
apprehended. However, due to the high frequency of
SCADA communications, the low cost of substation
communications equipment, and the fact that
substations are distant from corporate security staff,
it might be impractical to record all communications.
System owners will probably defer any attempts
to record substation data communications until
(a) storage media are developed that are fast,
voluminous and inexpensive, or (b) SCADA-oriented
intrusion detection systems are developed that can
filter out usual traffic and record only the deviant
patterns.
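One way to make a recording "demonstrably inalterable", and to keep only the deviant events an IDS has filtered out rather than all traffic, is a hash-chained event log in which each entry commits to the one before it. The following is an added example, not part of this white paper; the event fields are constructed, and keeping a copy of the chain head off the device is an assumed operational practice rather than something the paper prescribes.

```python
"""Tamper-evident recording of suspicious substation events (added example).

Not part of the white paper. Each stored event carries a SHA-256 over the
previous entry's hash and its own canonical content, so a later edit,
deletion or insertion is detected when the chain is verified. Event fields
are constructed; anchoring the chain head off-device (by shipping it to a
central log server or signing it) is an assumed practice.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # hashes identically regardless of dict ordering.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class ChainedRecorder:
    def __init__(self):
        self.entries = []

    def record(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list, expected_head: str = None) -> tuple:
    """Return (ok, index of first bad entry or None).

    With expected_head given (a copy of the head hash held elsewhere), a chain
    that was rebuilt after tampering is also rejected.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or _entry_hash(prev, e["event"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed events, as a SCADA-oriented IDS might emit them.
SAMPLE_EVENTS = [
    {"ts": "2012-06-04T10:01:45", "src": "192.168.77.9",
     "rule": "UNAUTHORIZED_ADDRESS", "detail": "READ class0 poll"},
    {"ts": "2012-06-04T10:02:00", "src": "192.168.77.9",
     "rule": "UNAUTHORIZED_ADDRESS", "detail": "CONTROL breaker 7 open"},
    {"ts": "2012-06-04T10:02:03", "src": "192.168.77.9",
     "rule": "CONTROL_BURST", "detail": "4 controls within 60 s"},
]


def build_sample_chain() -> ChainedRecorder:
    rec = ChainedRecorder()
    for ev in SAMPLE_EVENTS:
        rec.record(ev)
    return rec


def demo_tampering() -> dict:
    """Verify an intact chain, then three kinds of after-the-fact alteration."""
    intact = build_sample_chain()
    head = intact.head()  # copy assumed to be held off-device
    out = {"intact": verify_chain(intact.entries, head)}
    # 1. A stored event is edited (which breaker was touched).
    edited = copy.deepcopy(intact.entries)
    edited[1]["event"]["detail"] = "CONTROL breaker 1 open"
    out["edited"] = verify_chain(edited, head)
    # 2. The burst alert is deleted from the end.
    out["deleted"] = verify_chain(copy.deepcopy(intact.entries)[:2], head)
    # 3. Hashes are recomputed after the edit: local verification passes,
    #    verification against the off-device head does not.
    rehashed = ChainedRecorder()
    for e in edited:
        rehashed.record(e["event"])
    out["rehashed_local"] = verify_chain(rehashed.entries)
    out["rehashed_vs_head"] = verify_chain(rehashed.entries, head)
    return out


if __name__ == "__main__":
    for case, result in demo_tampering().items():
        print(f"{case:18s} {result}")
```

The third scenario is the important one for evidentiary use: a chain that lives only on the compromised device can be rebuilt by whoever controls it, so the property the paper asks for holds only if the head hash (or a signature over it) leaves the substation as events are recorded.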
But even if the communications sequence
responsible for an intrusion is neither detected
nor recorded when it occurs, it is essential that
procedures be developed for the restoration of
service after a cyber attack. It is extremely important
that the utility maintain backups of the software of all
programmable substation units and documentation of
all IED standard parameters and settings.
After the utility suspects an intrusion or determines
that a particular programmable device has been
compromised, the software should be reloaded
from the secure backup. If the settings on an IED
had been illicitly changed, the original settings must
be restored. Unless the nature of the breach of
security is known and can be repaired, the utility
should seriously consider taking the device off line or
otherwise making it inaccessible to prevent a future
exploitation of the same vulnerability.
Addressing cyber security for the substation automation system
Cyber security risks were inherited when open IT
standards were adopted. Fortunately, this movement
also inspired the development of cyber security
mechanisms in a large number of enterprise
environments to address these risks. Substation
automation system providers are taking a systematic,
global approach, continuously adapting to meet
changing demand through standardization and
proactive R&D efforts.
Standards activity addresses cyber security
requirements both at the system level and the
product level and includes –
• NIST SGIP-CSWG Smart Grid Interoperability Panel
– Cyber Security Working Group
• NERC CIP Cyber Security regulation for North
American power utilities
• IEC 62351 Data and Communications Security
• IEEE PSRC/H13 & SUB/C10 Cyber Security Requirements for
Substation Automation, Protection and Control Systems
• IEEE 1686 IEEE Standard for Substation
Intelligent Electronic Devices (IEDs) Cyber Security
Capabilities
• ISA S99 Industrial Automation and Control System
Security
Verified antivirus software protects station
computers from attacks and viruses. Cyber security
also can be improved by limiting the use of removable
media in the station computers.
Security mechanisms designed and developed
specifically for substation automation systems use
proven technology to support advanced account
management and detailed security audit trails in
RTUs/IEDs and SCADA. Utilities should look for cyber
security solutions that enable:
• User account management – Supports user
authentication and authorization at the individual-
user level. User authentication is required and
authorization is enforced for all interactive access to
the device.
• User accounts – Allows full management of user
accounts, including creating, editing and deleting.
User names and passwords can be configured
according to the user’s requirements.
• Role-based access control – Enables each
user account to be assigned a specific role, and
user roles can be added, removed and changed
as needed.
• Password complexity – Enforces password
policies with minimum password length,
maximum password lifetime and use of
lower case, upper case, numeric and special
characters.
• HTTPS support – Permits encrypted
communication between the web browser and
the RTU. A standard browser such as Internet
Explorer or Firefox can be used. In addition,
self-signed certificates pre-installed on the web
client can be used.
• Local logging – Creates audit trails (log files)
of all security-relevant user activities. Security
events logged include user login, logout, change
of parameters, configurations and updates of
firmware. For each event, the date and time,
user, event ID, outcome and source of the event
are logged. Access to the audit trail is available to
authorized users only.
• External security clients – Sends security
events to external security log clients such
as the Security Event Manager, which uses a
monitoring and response device for visibility of
real-time security events.
• Security events to control system – Sends
security events and alarms via host protocol to
the control systems. User configures settings for
security alarms.
• VPN function – Offers one encrypted channel
between the SCADA or RTU and the IPsec
Router on the user’s side. The VPN tunnel
provides confidentiality, integrity and authenticity.
A secure communication via public networks
with fixed IP addresses is possible. The
authentication is managed with pre-shared keys.
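The account-management, role-based access control, password-complexity and local-logging items above, together with the password measures listed under "Protecting Substation Systems" (no default or empty passwords; privilege classes for historical viewers, real-time viewers, operators and relay engineers), can be modelled in one place. This is an added example, not code from this white paper or from any RTU/IED firmware; the role names, the list of known default passwords, the policy values, the event ID and the sample accounts are constructed assumptions.

```python
"""Account-management controls for substation devices (added example).

Not code from the white paper or from any vendor firmware. It models the
controls the paper lists: a password-complexity policy (minimum length,
maximum lifetime, character classes), role-based access control with the
privilege classes described under "Protecting Substation Systems", the
first-step check that no account keeps a default or empty password, and a
local audit record with the fields the paper names (date/time, user, event
ID, outcome, source). Role names, defaults, policy values, event ID and
sample accounts are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed policy values
MIN_LENGTH = 12
MAX_LIFETIME = timedelta(days=90)
# Assumed vendor defaults an audit should never find in use
KNOWN_DEFAULTS = {"admin", "password", "1234", "default"}

# Role -> permitted operations, following the paper's privilege classes
ROLE_PERMISSIONS = {
    "historian_viewer": {"VIEW_HISTORICAL"},
    "realtime_viewer": {"VIEW_REALTIME"},
    "operator": {"VIEW_REALTIME", "CONTROL"},
    "relay_engineer": {"VIEW_REALTIME", "CHANGE_RELAY_SETTINGS"},
}

# Constructed point in time at which the audit is run
AUDIT_TIME = datetime(2012, 6, 4)


def check_password_policy(password: str, set_on: datetime, now: datetime) -> list:
    """Return the list of policy violations (empty list means compliant)."""
    problems = []
    if password == "" or password.lower() in KNOWN_DEFAULTS:
        problems.append("default_or_empty")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        problems.append("missing_character_class")
    if now - set_on > MAX_LIFETIME:
        problems.append("expired")
    return problems


def authorize(user: str, role: str, operation: str, source: str, now: datetime) -> tuple:
    """RBAC decision plus the audit record the device would append to its log."""
    allowed = operation in ROLE_PERMISSIONS.get(role, set())
    record = {
        "time": now.isoformat(),
        "user": user,
        "event_id": "ACCESS_ATTEMPT",   # assumed event ID
        "operation": operation,
        "outcome": "success" if allowed else "denied",
        "source": source,
    }
    return allowed, record


# Constructed account inventory as an auditor might export it from an RTU
SAMPLE_ACCOUNTS = [
    {"user": "admin", "role": "operator", "password": "admin", "set_on": "2011-01-10"},
    {"user": "jsmith", "role": "relay_engineer", "password": "Gr1d!Relay#2012", "set_on": "2012-05-01"},
    {"user": "view1", "role": "historian_viewer", "password": "", "set_on": "2012-05-20"},
    {"user": "ops2", "role": "operator", "password": "Substation-Ops#77", "set_on": "2012-01-15"},
]


def audit_accounts(accounts: list, now: datetime) -> dict:
    """Map each user to its password-policy findings."""
    return {a["user"]: check_password_policy(a["password"],
                                             datetime.fromisoformat(a["set_on"]), now)
            for a in accounts}


if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_TIME).items():
        print(f"{user:8s} {findings or 'compliant'}")
    ok, rec = authorize("jsmith", "relay_engineer", "CONTROL", "10.20.0.5", AUDIT_TIME)
    print(rec)
```

Run against the constructed inventory, the audit flags the two findings the paper calls the most important and simplest to fix (a vendor default still in use on "admin", an empty password on "view1") alongside an otherwise compliant but expired password, and the authorization call shows a relay engineer being denied a breaker control while the audit record of the denial is produced for the local log.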
Conclusion
The electric utility’s concern about cyber security of its substation automation
systems is well founded. These systems are, in several ways, even more subject
to intrusion than conventional computer systems. Yet, the utility has many options
for preventing and detecting electronic intrusion from within its organization and
from outside the corporate network. Substation automation system providers have
identified cyber security as a key requirement and are designing and developing
solutions, using proven technology, to provide advanced account management
and detailed security audit trails for their network RTUs, IEDs and SCADA.