Detecting cyber intrusions in the digital substation

Author: Andreas Klien, OMICRON electronics GmbH, Austria

Attack vectors of a substation:

Let us define a cyber-attack on a substation as an event in which an adversary modifies, degrades, or disables a service of at least one protection, automation, or control device within the substation. As Figure 1 shows, a typical substation can be attacked through every path marked with a number. An attacker could enter through the control center connection (1), as happened in one of the cyber-attacks in Ukraine, where the firmware of gateway devices was modified (causing their destruction).

Another entry point is through engineering PCs (2) connected to substation equipment. When a protection engineer connects a PC to a relay to modify (protection) settings, malware on the PC could in turn install malware on the relay, comparable to what happened with PLCs in the Stuxnet cyber-attack. Laptops used for testing the IEC 61850 system are often connected directly to the station bus, which is also a potential way to infect IEDs (3). For this reason, new IEC 61850 testing tools are available that provide a cyber-secure separation between the test PC and the substation network. This leaves the testing device itself (4) as a potential entry path. It is important that test set vendors invest in hardening their devices to make sure that this entry path is not feasible for an attacker to exploit.
The storage of settings (2a) and test documents (3a) could also be an attack vector. The storage server therefore also belongs to the critical perimeter, so it makes sense to introduce a separate, isolated and protected data management solution for such data.

Let's start with organization in protection testing