Cyber Security Issues for Protective Relays

Author: Solveig Ward, RFL, USA

Cyber Security Issues for Protective Relays

Cyber Security Issues for Protective Relays

In a major move toward ensuring the reliability of the electric grid, the Federal Energy Regulatory Commission (FERC) approved eight cyber security and critical infrastructure protection (CIP) standards proposed by NERC, CIP 002-1 to 009-1. The standards will require bulk power system users, owners, and operators in the U.S. to identify and document cyber risks and vulnerabilities, establish controls to secure critical cyber assets from physical and cyber sabotage, report security incidents, and establish plans for recovery in the event of an emergency.

Substantial compliance is required by 06/2008 and full compliance by 12/2008. Utilities that do not meet audit requirements will face stiff penalties for non-compliance when audits begin in 2009.

Because of the importance of this subject the IEEE Power Systems Relaying Committee Working Group CI studied the issues of cyber security related to different aspects of power system protection and produced a report "Cyber Security Issues for Protective Relays" that is available to the community.
Cyber security is the term commonly used with respect to the area of computers. Computers, or microprocessor-based devices with computing capability, are now commonly used for control and automation functions in addition to traditional data archival and processing.

Technological misuse and abuse has become a serious concern in all areas where computers are used and networked. The electric industry has embarked on the process to secure control systems. This requires risk assessment and review to determine what is vulnerable to cyber attacks. All assets should be analyzed in regards to the need for security.

Protection and securing of networked communications, intelligent equipment, and the data and information vital to the operation of the future energy system is one of the key drivers behind developing an industry level architecture. Cyber security faces substantial challenges, both institutional and technical, from the following major trends:

  • Need for greater levels of integration with a variety of business entities
  • Increased use o f open systems-based infrastructures
  • The need for integration of existing or "legacy" systems with future systems
  • Growing sophistication and complexity of integrated distributed computing systems
  • Growing sophistication and threats from hostile communities
    The report analyzes relay communications and the requirements covered in the different NERC standards. Two main groups of protection related communications applications are identified:
    • between protection IEDs and different substation and remote client applications
    • between protection IEDs with a substation or in different substations.

The requirements for the different cases are discussed in the report, followed by analysis of the impact of the communications media used on the security of the system.

In evaluating the security threat to substation equipment the report concludes that numerous people have physical contact with various devices within the substation.

These individuals include employees, contractors, vendors, manufacturers, etc. Of particular concern is the fact that the typical substation environment can provide a means to compromise the power system with a low probability of being detected or apprehended.

Threats may be caused by actions of authorized persons as well as malicious actions of authorized and unauthorized persons. Some of the threat sources to consider include:

  • Employees with criminal intent to profit or to damage others by the misappropriation of utility resources
  • Disgruntled employees or ex-employees who cause damage to satisfy a grudge
  • Hobbyist intruders who gain pleasure from unauthorized access to utility information systems
  • Criminal activity by both individuals and organizations directed against the utility, its employees, customers, suppliers, or others
  • Terrorists
  • Competing organizations searching for proprietary information of the utility, its suppliers, or customers
  • Unscrupulous participants in the markets for electric power or derivatives
  • Software providers who, in attempting to protect their intellectual property rights, create vulnerabilities or threaten to disable the software in contractual disputes

Communication protocols are one of the most critical parts of power system operations.

The International Electrotechnical Commission (IEC) Technical Council (TC) 57 Power Systems Management and Associated Information Exchange is responsible for developing international standards for power system data communications protocols. The international standards account for much of the data communications protocols in newly implemented and upgraded power industry SCADA systems, substation automation, and protection equipment.


By 1997, IEC TC57 recognized that security would be necessary for these protocols. It therefore established a working group to study the issues relating to security.

The work by IEC TD57, WG 15 is to be published by the IEC as IEC 62351, Parts 1-7. The IEEE PSRC report concludes with the following Recommendations :

  • Security must be planned and designed into systems from the start. Planning for security, in advance of deployment, will provide a more complete and cost effective solution. Advance planning will ensure that security services are supportable.
  • Establish a security policy tailored to the needs of protective relay systems and the access needs of protective relay engineers
  • Assess existing communications channels for vulnerabilities to intrusion
  • Implement and enforce policies regarding computer usage, remote access control, with frequent auditing of systems and policies. Emphasize that security is not a part time ad hoc function.
  • Where appropriate, add policies, procedures and hardware to vulnerable communications channels and access ports.
  • Where appropriate, implement authentication and/or encryption techniques based on individual risk assessments
  • Monitor logs and traffic.
  • Maintain and monitor a list of authorized personnel who have password or authenticated access.
  • Comply with industry and government regulations.
  • Maintain a backup of vital information.
  • Prepare a recovery procedure in the event of an attack
Relion advanced protection & control.
BeijingSifang June 2016