This project aims to enhance Role-Based Access Control (RBAC) within Intelligent Electronic Devices (IEDs) across a defined segment of the network. By addressing traditional access control limitations, the initiative will establish a scalable framework that improves security, operational efficiency, and compliance with industry standards. Key objectives include assessing existing IEDs for necessary upgrades, launching a pilot project for real-world testing, and collaborating with technology partners and cybersecurity experts. The project will also involve implementing a robust monitoring system to evaluate effectiveness. Ultimately, this initiative will fortify the security of the National Grid, ensure reliable service delivery and contributing to the energy sector's stability.
Benefits
The project will deliver significant benefits by enhancing the security and operational efficiency of Intelligent Electronic Devices (IEDs) within the electricity transmission network. By implementing a tailored Role-Based Access Control (RBAC) framework, the initiative will ensure that users are granted appropriate access rights, thereby reducing the risk of unauthorized access and potential vulnerabilities. The comprehensive assessment and upgrade of IEDs will not only improve compliance with industry standards and regulations but also streamline access management processes, leading to increased reliability and performance of the energy network. Furthermore, engaging multiple stakeholders and providing targeted training for staff will foster a culture of security awareness, ultimately benefiting all consumers, particularly those in vulnerable situations, by ensuring a more secure and resilient energy supply.
Learnings
Outcomes
FY25/26
Centralised RBAC and directory: A central authentication and authorisation server has been established, providing a single point of control for user credentials and permissions across the in-scope IEDs.
Multi-vendor and legacy integration: Bridging software has been developed that allows select modern and legacy IEDs from in-scope manufacturers to be secured through a common role-based model without hardware replacement, addressing the access-control limitations identified at project registration.
Resilience: Local repositories support continued access during degraded or islanded network conditions.
Vendor and IED landscape knowledge: Understanding gained of how each manufacturer implements access control compounds across the project, as lessons from integrating one device accelerate and de-risk the next.
TRL and net benefit: The project currently sits at approximately TRL 4 against a target of TRL 6 on completion and is expected to deliver net benefits through improved security, reduced risk of unauthorised access and stronger alignment with industry standards; quantified benefits will follow the testing outcomes in WP6.
The project has made strong progress in developing and demonstrating a centralised, resilient RBAC framework that secures access across both modern and legacy IEDs without requiring hardware replacement, while building valuable cross-vendor integration expertise. This work is reducing cyber risk and supporting alignment with industry standards, with further validation and quantified benefits to be confirmed as the project advances towards TRL 6.
Lessons Learnt
FY25/26
A key interim learning is that access-control implementations differ markedly between IED vendors, which directly informed the decision to use the bridging software as a common enforcement point and is relevant to the project's interoperability objective.
A second learning is that substation network conditions cannot be assumed to be continuously available, making offline-capable authentication essential; this drove the resilience approach validated against the project's objectives.
A third learning concerns the integration of standard authentication protocols with modern IEDs: although each in-scope device supports these protocols in principle, each integration required vendor collaboration and technical support to make it viable. There is no one-size-fits-all approach between vendors even when using the same protocol, and each new integration should be expected to require its own learning and integration period.
Aligning the design to recognised industry security standards early in the design phase also simplified the later integration work.
Dissemination
FY25/26
No external resources created or shared so far during this phase of the project.