While it is well recognised that IEC61850-based fully digital substation technologies can deliver great benefits to power utilities and their customers, the existing legacy equipment will continue to play a crucial role in supporting the critical power infrastructure for the remainder of its service lifetime, especially substation protection and control systems. Legacy equipment was originally designed for use on dedicated or closed networks and therefore contains little or no cyber security features.
Even though they perform critical functions managing the power grid and communication networks, most of these devices lack crucial access control and device hardening features. Many of them cannot easily be updated with new firmware that includes security, and replacing them with new, secure versions will take years. Hence a risk assessment and a detailed review of options for improved cyber security of legacy equipment, to stop any cyber-attack, are urgently required. In this context, we consider as legacy equipment all assets that were delivered prior to the implementation of our architecture for secondary substation systems.
Benefits
A widely recognised framework for monetised cyber security risk has not yet been developed for our industry. This project will develop a risk model and framework that can contribute to a robust methodology for cost-benefit analysis (CBA) of cyber security. The risk of compromised cyber security can range up to a country-wide blackout, which would potentially cost several days of GDP. Mitigating this huge risk will deliver large benefits to consumers.
The project will generate new learning for utilities, with guidance on how to secure older assets that cannot be cyber hardened in the same way as new equipment. The types of existing legacy equipment managed by network licensees are to a large extent similar, and the learning will be transferable to other networks.
Learnings
Outcomes
The project has achieved its objectives and delivered important insights into the challenges and opportunities with regards to securing legacy PAC equipment. Some of these are confidential for security reasons and therefore a subset of the outcomes will be shared below:
The literature research has shown that several solutions are available to improve the security posture specifically where legacy equipment is concerned. Equipment that is not currently communicating on any network is generally regarded as a low cyber security risk compared to networked devices due to the reduced attack surface. A policy of retaining these unchanged could be adopted. Devices that are networked, but are using bespoke legacy protocols may be secured by a suitable middleware solution that can provide appropriate security features.
Several firewall solutions are available that can likewise be used to protect devices that cannot easily be updated. More extensive security offerings are also available, including advanced features such as:
- intelligent policy creation based on machine learning to suggest policy based on recorded traffic
- OT protocol inspection engine - reads OT packets to the command and parameter levels
Several risk assessment frameworks were reviewed as follows:
- CAF 3.0: consists of four main categories/objectives, i.e. managing security risk, protecting against cyber-attack, detecting cyber security events and minimising the impact of cyber security incidents; it has a clear definition of each item but does not have clearly defined processes and flexibility
- NIST: similar to CAF 3.0 but offers more flexibility and detailed information and process flow.
- EPRI: a quantitative cyber security framework to assess protection, detection and response of a target system. The assessment is based on repeatable data (hardware, software, and flow of the system). EPRI has a clear and detailed cybersecurity assessment framework.
A general categorisation of different approaches taken to risk monitoring and modelling is shown in the attached risk monitoring and modelling overview table.
A risk assessment methodology based on a Markov Decision Process has been developed and configured using open source software tools. This can be used to model cyber security risk but requires significant configuration effort.
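As an added illustration of how a Markov Decision Process can express this kind of risk assessment (this is not the project's model; the states, transition probabilities, costs and discount factor are all constructed assumptions), the block below runs value iteration over a toy device-exposure model and reports the cost-minimising control per state. The assumed numbers reproduce the policy described above: non-networked devices are retained unchanged, while unprotected networked devices are fronted by a firewall or middleware.

```python
"""Toy Markov Decision Process for choosing cyber security controls on legacy
substation devices. Added illustration only; every state, probability and cost
below is a constructed assumption, not a figure from the project."""

GAMMA = 0.9  # discount factor: how much weight future cost carries (assumption)

# MODEL[state][action] = (immediate_cost, {next_state: probability})
# Costs are in arbitrary units; recovering from compromise dominates all others.
MODEL = {
    "isolated": {  # device not communicating on any network
        "retain": (0.0, {"isolated": 0.99, "compromised": 0.01}),
        "harden": (5.0, {"isolated": 0.995, "compromised": 0.005}),
    },
    "networked_unprotected": {  # networked, bespoke legacy protocol, no controls
        "retain": (0.0, {"networked_unprotected": 0.8, "compromised": 0.2}),
        # deploy a firewall / protocol-aware middleware in front of the device
        "harden": (5.0, {"networked_protected": 1.0}),
    },
    "networked_protected": {  # ongoing maintenance of the protective layer
        "maintain": (1.0, {"networked_protected": 0.98, "compromised": 0.02}),
    },
    "compromised": {  # loss state: pay the incident cost, then rebuild protected
        "recover": (100.0, {"networked_protected": 1.0}),
    },
}


def _q(values, gamma, cost, trans):
    """Expected discounted cost of taking one action from a state."""
    return cost + gamma * sum(p * values[nxt] for nxt, p in trans.items())


def value_iteration(model, gamma=GAMMA, tol=1e-9, max_iter=10_000):
    """Return (expected discounted cost per state, cost-minimising action per state)."""
    values = {s: 0.0 for s in model}
    for _ in range(max_iter):
        delta = 0.0
        for state, actions in model.items():
            best = min(_q(values, gamma, c, t) for c, t in actions.values())
            delta = max(delta, abs(best - values[state]))
            values[state] = best  # in-place (Gauss-Seidel) update
        if delta < tol:
            break
    policy = {
        state: min(actions, key=lambda a: _q(values, gamma, *actions[a]))
        for state, actions in model.items()
    }
    return values, policy


if __name__ == "__main__":
    v, pi = value_iteration(MODEL)
    for s in MODEL:
        print(f"{s:24s} expected cost={v[s]:8.2f}  action={pi[s]}")
```

The interesting use is sensitivity analysis: vary the assumed compromise probability or incident cost and observe the exposure level at which the optimal action flips from "retain" to "harden".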
It is recommended to protect the legacy equipment in terms of three aspects, i.e., secure endpoint, secure network, and monitor networks and endpoints. Several products that can be used to achieve this were evaluated by operation type (AI-based or definition-based; note that AI-based products usually do not require frequent updates), complexity of implementation, cost, compatibility with IEC standards, service delivered and residual risk. Whilst the analysis provides a snapshot valid at the time of the project, the methodology is repeatable for future deployment.
Recommendations for further work
Cyber security technology is developing rapidly and new opportunities to apply new products or transfer learning from other industries are likely to become available. It is therefore recommended to keep observing the industry for further improvements in this field and also to apply the learning from this project on current assets.
Lessons Learnt
The delivery of this work was improved by the fact that the supplier had significant experience with the application of cyber security solutions to digital Protection, Automation and Control systems and could therefore transfer the learning from ongoing and previous projects. Developing longer-term capability within the innovation supply chain was a success factor that should be considered on future projects.
More details about the lessons learnt and the outcomes of the project are included under "The outcomes of the project" below.
Dissemination
The learning from this project has been summarised in this report and in more detail in the final report (WP4). We also held a webinar to engage with stakeholders and disseminate the experience from this project.