Replacing Fear with Knowledge - Standards can be Your Friend

Author: Steven Kunsman, ABB, USA

Understanding the drivers behind compliance and requirements is paramount to an organization's adoption and embrace of cyber security as a key enabler of advanced monitoring and control systems and of a utility's digital transformation journey. The fact is that substation automation, protection and control systems have changed significantly over the past two decades and will continue to change with technology advancements. Systems have become more interconnected and provide users with much more information, allowing for higher reliability and greater levels of control. Interoperability between different vendors' products and systems has been achieved by implementing products and solutions based on open standards and by leveraging commercial technology such as industrial Ethernet. This change in technology enables huge benefits from an operational asset performance management perspective. It also permits substation automation, protection and control systems to address cyber security issues in the same way as traditional enterprise systems and industrial control systems.

Tightly integrating the control system components and allowing accessibility of these systems from the enterprise systems allows for increased and faster information exchange. Exposure at the enterprise level creates additional system entry points and a larger attack surface, increasing the requirements for protection against cyber-attacks. The need for secure substation automation, protection and control systems, as well as a secure utility Information Technology infrastructure, is being driven largely by regulations intended to ensure national security. The potential impact of a coordinated cyber-attack on the electric utility control system could be a system-wide outage.

Understanding the cyber security requirements to secure substation automation, protection and control systems and their interfaces into the utility enterprise is essential. Digitalization often leads to concerns that the introduction of new technology will expose the system to cyber security risk. However, the answer clearly should not be to block technology advancements that enable grid reliability and overall power system performance improvements. Education and awareness of the benefits are paramount to the organization's adoption and embrace of cyber security as an enabler of advanced monitoring and control systems. Industry standards are our friend and establish the blueprint for cyber posture maturity that supports the utility's digital transformation.

Industry Standards

The goal with industry standards and best practices is to leverage an expert knowledge base and to review evolving frameworks in order to improve and mature the cybersecurity posture of the entire utility organization. Standards and best practices provide the answers to what assets require protection, how to protect them and why it is important. Utility best practices should also promote awareness and the institutionalization of policies and practices based on regulatory standards, technical standards and risk management. It is important to change the mindset where the mere mention of regulatory compliance to a substation engineer leads to the wrong behavior, whether through lack of awareness or through resistance rooted in organizational divides.

Utility enterprise, automation and control systems have changed significantly over the past two decades and will continue to evolve as technology advances and organizational priorities rely more on the system's information. These systems have become more interconnected, providing users with information that enables higher reliability, but at the cost of exposing critical operational or confidential data to threats from outsiders. The industry is going digital: as an example, the conventional substation is transitioning from electro-mechanical controls with limited communications to highly integrated primary equipment with digital interfaces utilizing high-speed Ethernet connectivity. Through industry collaboration and a deep understanding of best practices, new technical standards are being developed, adapted or outright adopted to serve the disruptive change in the utility sector.
Overall, the demand for cyber security knowledge and solutions, from both a technical and a process perspective, will increase as our control systems are scrutinized and subjected to various threats. Cyber threats and exploits will continue to make the headlines, and the utility control system must be improved to fend off the different adversaries.

Reference Architecture

A reference architecture is important to define the key functions of the overall system and to identify their critical interfaces. The cybersecurity architecture is the fundamental blueprint for the system designers, in which key requirements are mapped to system functions and interfaces to define the cyber security requirements. The NIST Cyber Security Working Group developed the NISTIR 7628, "Smart Grid Cyber Security Strategy and Requirements." Below is an extract from the Second Draft of NISTIR 7628 defining domains and actors and their relationships, as shown in Figure 1 of the Smart Grid system architecture. "A Smart Grid domain is a high-level grouping of organizations, buildings, individuals, systems, devices or other actors with similar objectives and relying on - or participating in - similar types of applications. Communications among actors in the same domain may have similar characteristics and requirements. Domains may contain sub-domains. Moreover, domains have much overlapping functionality, as in the case of the transmission and distribution domains. An actor is a device, computer system, software program, or the individual or organization that participates in the Smart Grid. Actors have the capability to make decisions and to exchange information with other actors. Organizations may have actors in more than one domain. The actors illustrated here are representative examples and are not all the actors in the Smart Grid. Each of the actors may exist in several different varieties and may contain many other actors within them."
One important aspect is to clearly define the role and function of an actor to be able to map the cyber security requirements to this role as well as the interface between two actors.

As the NIST work focused on the overall Smart Grid architecture, the IEEE Power and Energy Society (PES) Power System Communications and Cybersecurity Committee (PSCCC) was chartered to define the cybersecurity requirements for the power system. The PES reorganized in 2017 and formed the new PSCCC combining the former Power System Communication Committee with work from the Substations and Power System Relaying and Control Committees to address grid communications and cybersecurity.  The new committee covers aspects of communications including the physical layer, protocols, interoperability, profiles and mapping, architecture, and security - both physical and cyber.  This PSCCC is responsible for:

  • Studying and reviewing engineering (including information technology and operation technology), operational, and testing aspects of cybersecurity related to the Electric Power System.  The PSCC scope includes cybersecurity for the entire electric power system.
  • Developing and maintaining related standards, recommended practices and guides for such aspects
  • Coordinating with other technical committees, groups, societies and associations as required
  • Preparing and arranging for publication technical reports related to the Subcommittee's scope

Reference architectures for substation automation systems are being defined such that all functions and interfaces related to the applications within the protection and control system are identified and the cyber security requirements are mapped onto these components and interfaces. The following is an overview of the key actors, from a functional and feature perspective, among the components of a substation automation, protection and control system:

  • System / Protection Engineering & Maintenance (local and external)
  • Station Human Machine Interface / Engineering Workstation
  • Substation Control System (SCS)
  • Intelligent Electronic Device (IED) / Protection and Control Relay
  • Breaker IED
  • Remote Terminal Unit (RTU) / Gateway
  • Distribution Management System (DMS) / Gateway
  • Asset Monitoring System
  • Merging Unit / Sensor
  • Intelligent Current / Potential Transformer / Non-Conventional Instrument Transformer (NCIT)
  • Phasor Measurement Unit (PMU) / Phasor Data Concentrator
  • Security Management System (external and internal)
  • Tele-protection / Inter station control (external)
  • Supervisor Control and Data Acquisition (SCADA) (external)
  • System Integrity Protection System (SIPS) (external)
  • Wide Area Protection System (WAPS) / Wide Area Measurement System (WAMS) (external)
  • GPS and Time Server (external)
  • Distribution Sensor (external)

The reference architecture in Figure 2 is a Single Boundary Protection Architecture, where perimeter protection is defined by the electronic security perimeter (ESP). The cyber security requirements are defined on the actors and interfaces inside the substation as well as on the interfaces that extend outside of the security perimeter. In this example, the key actors are the RTU/gateway, the station computer/HMI and engineering workplace, the protection and control IEDs and the remote maintenance modem; the cyber security solutions include adherence to device-level features, firewall and VPN protection, anti-virus protection, user access and device management.
In addition to the cyber security requirements on the actor and interfaces, the system architect needs to also consider other characteristics in the design such as system performance, availability and reliability. Overall system design and the security solutions can have an impact on performance if the architecture has constraints like limited bandwidth, small CPUs or restrictive computational capability in some system components, highly distributed systems, slow response times, high sampling rates, etc. It is very important for these characteristics and constraints to be identified as part of the system architecture design and known while implementing the security solutions. 

Additional architectures are also possible for advanced applications like Process Bus architectures for the protection and control devices utilizing IEC 61850-9-2 process bus interfacing to non-conventional instrument transformers.  For this application, separate security zones are defined to provide a layered defense in depth architecture. The goal of the various layers is to ensure the entire communication infrastructure is not in a flat network or single Local Area Network. The security layers with interfaces extending beyond the ESP can also be supported by a Demilitarized Zone (DMZ) to restrict direct access from the outside network to the system inside the ESP.
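The mapping described above, from actors and their roles to requirements and from boundary crossings to the controls expected on them, can be checked mechanically once the architecture is written down as data. The following is an added example, not code from the article or from ABB, IEEE or NIST: it models a small constructed substation with station bus, process bus, DMZ and external zones, maps each actor role to a placeholder requirement list (the entries are illustrative, not requirement ids from NISTIR 7628 or any IEEE standard), and flags the two architecture defects the text warns about, an ESP crossing without firewall/VPN enforcement and process-bus devices sitting on one flat LAN with the station bus. The `require_dmz` switch models the layered variant in which external actors must terminate in the DMZ rather than reach an internal actor directly; the zone names, roles and control names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Actor:
    name: str
    role: str   # functional role, e.g. "protection_ied", "rtu_gateway", "scada"
    zone: str   # "process_bus" | "station_bus" | "dmz" | "external" (assumed names)


@dataclass(frozen=True)
class Interface:
    src: str
    dst: str
    protocol: str
    controls: FrozenSet[str] = frozenset()   # enforcement present on the link


ZONES_INSIDE_ESP = {"process_bus", "station_bus"}

# Constructed requirement catalogue per actor role. Entries are illustrative
# placeholders, not requirement ids from NISTIR 7628 or any IEEE standard.
ROLE_REQUIREMENTS: Dict[str, List[str]] = {
    "protection_ied": ["role-based user access", "firmware integrity", "security event logging"],
    "merging_unit": ["firmware integrity", "time-sync integrity"],
    "hmi_engineering": ["role-based user access", "anti-virus", "security event logging"],
    "rtu_gateway": ["role-based user access", "protocol allow-listing", "security event logging"],
}
# Controls every link crossing the ESP is expected to carry (assumed for this example).
ESP_CROSSING_CONTROLS = ["firewall", "vpn"]


def requirements_for(actor: Actor) -> List[str]:
    """Map an actor's role to its device-level requirements; unmapped roles are flagged."""
    return ROLE_REQUIREMENTS.get(actor.role, ["UNMAPPED ROLE - define requirements"])


def crosses_esp(iface: Interface, actors: Dict[str, Actor]) -> bool:
    """True when exactly one endpoint of the interface sits inside the ESP."""
    inside = [actors[n].zone in ZONES_INSIDE_ESP for n in (iface.src, iface.dst)]
    return inside[0] != inside[1]


def find_violations(actors: Dict[str, Actor], interfaces: List[Interface],
                    require_dmz: bool = False) -> List[str]:
    """Check the model against the boundary rules.

    require_dmz=False models the single boundary architecture (ESP plus firewall/VPN);
    require_dmz=True models the layered variant where an external actor must
    terminate in the DMZ instead of reaching an internal actor directly.
    """
    findings: List[str] = []
    for iface in interfaces:
        if not crosses_esp(iface, actors):
            continue
        link = f"{iface.src}->{iface.dst} ({iface.protocol})"
        missing = [c for c in ESP_CROSSING_CONTROLS if c not in iface.controls]
        if missing:
            findings.append(f"{link}: crosses the ESP without {', '.join(missing)}")
        if require_dmz and "external" in (actors[iface.src].zone, actors[iface.dst].zone):
            findings.append(f"{link}: external actor reaches inside the ESP directly; terminate in the DMZ")
    # A process bus must not share one flat LAN with the station bus.
    internal_zones = {a.zone for a in actors.values() if a.zone in ZONES_INSIDE_ESP}
    if any(a.role == "merging_unit" for a in actors.values()) and len(internal_zones) < 2:
        findings.append("merging units present but all internal actors share one flat zone")
    return findings


# Constructed sample model of a small substation (not a real site).
SAMPLE_ACTORS = {a.name: a for a in [
    Actor("MU1", "merging_unit", "process_bus"),
    Actor("IED1", "protection_ied", "station_bus"),
    Actor("HMI", "hmi_engineering", "station_bus"),
    Actor("GW", "rtu_gateway", "station_bus"),
    Actor("SCADA", "scada", "external"),
    Actor("RemoteEng", "remote_engineering", "external"),
]}
SAMPLE_INTERFACES = [
    Interface("MU1", "IED1", "IEC 61850-9-2 SV"),
    Interface("IED1", "HMI", "IEC 61850-8-1 MMS"),
    Interface("GW", "SCADA", "DNP3", frozenset({"firewall", "vpn"})),
    Interface("RemoteEng", "HMI", "remote maintenance", frozenset({"vpn"})),   # firewall missing
]

if __name__ == "__main__":
    for actor in SAMPLE_ACTORS.values():
        print(actor.name, "->", requirements_for(actor))
    for finding in find_violations(SAMPLE_ACTORS, SAMPLE_INTERFACES, require_dmz=True):
        print("FINDING:", finding)
```

Run against the sample model in single boundary mode, the only finding is the remote maintenance link that crosses the ESP with a VPN but no firewall; switching to the layered mode additionally reports both external links as bypassing the DMZ. Roles with no entry in the catalogue (here SCADA and the remote engineer) are surfaced as unmapped so that no actor silently ends up without requirements.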
