Digital substation technologies have the potential to deliver great benefits to utilities and their customers. They can enable a more efficient, automated and less risky engineering process, simplified installation, commissioning and eventually replacement, requiring shorter outages and significantly fewer resources. To fully explore these benefits, National Grid has previously carried out two research projects which have delivered a standard Architecture for Substation Secondary Systems (AS3), including a configuration guideline for digital substation solutions based on the IEC61850 suite of standards.
Building on this work, the Virtual Site Acceptance Testing and Training (VSATT) project has developed an off-grid test facility implementing the AS3 architecture and configuration guidelines. The VSATT project demonstrated a good level of interoperability between suppliers and delivered a testing and commissioning strategy for digital substation solutions. Whilst this research work has significantly improved our readiness to deploy this technology and deliver the benefits, security and resilience issues have arisen that require further work. This project will investigate cyber vulnerabilities particularly for digital solutions, and it will develop defence/recovery methods to improve resilience.
Objectives
The project aims to address cyber security and secondary system resilience issues so that designs based on the AS3 digital substation architecture can be applied on the transmission network. The main enabler is to add station-wide functions, implemented with a mix of analogue and digital technologies, together with a cyber security testing capability, to the existing VSATT platform in order to:
- Test and demonstrate station-wide functions, and commissioning, testing and maintenance strategies, with mixed analogue and digital technologies, and so enable site roll-out.
- Test and demonstrate protection and control technologies that remain cyber resilient in the event of equipment failure or of malware introduced from a test set, laptop or memory stick used for software updates during commissioning, maintenance and live equipment testing.
- Reduce the overall technical and commercial risks associated with secondary systems and drive customer value through:
  - fast response to cyber-attacks with suitable intrusion detection tools;
  - improved resilience of digital P&C solutions.
Learnings
Outcomes
Key outputs from the project are summarised in the work package reports and will be made available as part of the final project report. The project has provided a better understanding of best practice for protecting communication networks and devices in a fully digital substation. It has also provided details on how to apply and implement international cyber security standards effectively, and how to test cyber security tools for operational use. These outcomes have been shared at various dissemination events and are discussed in the final report.
1. Literature review and tools
Literature review:
The cyber security literature on substation secondary systems identifies a number of key steps to consider:
- Risk and vulnerability assessment
- Establishing zones and conduits
- Exception, anomaly and threat detection
- Security monitoring
Several recent cyber-attacks on industrial control systems were analysed and the common patterns were highlighted:
- Adversaries gain access to IT network;
- Use access to infiltrate SCADA systems (OT network);
- Search the network for targets;
- Use connection to controllers (IED or PLC) to perform the attack;
- Destroy infrastructure to delay recovery.
There is a growing set of tools available to PAC system designers that help implement the best-practice measures mentioned above. These include Intrusion Detection Systems (IDS), Software Defined Networking (SDN) with flow controllers, Role Based Access Control (RBAC), and message signing and encryption tools.
Several IDS tools were tested, including whitelisting, signature-based and AI/ML-based tools. Because PAC data flows are highly predictable and fully described by the IEC 61850 configuration, tools that are aware of that configuration (the GOOSE and SV publishers, subscribers and multicast addresses defined in the SCD file) proved very effective. The same was found for network flow control (SDN) and RBAC; however, the design needs to avoid single points of failure and must secure the configuration tools themselves, since an attacker who can alter the flow rules or access policies can undo the protection. Encryption can also be very effective but adds processing time and is therefore less suited to the time-critical process bus networks.
2. Investigate cyber security tools, strategies and assess IEC 61850 network vulnerability:
IEC 62443 treats zones and conduits as its central security concept and expresses other controls, such as firewalls and RBAC, as ways of enforcing zone policies. The standard describes security plans as the means of improving security in a reproducible manner. A security plan has the following parts: Organisational security measures; Configuration management; Network and communications security; Component security; Protection of data; User access control; Event and incident management; and System integrity and availability.
The last item includes the recovery strategy: each site must have a disaster recovery plan (DRP). The standard also highlights the importance of keeping records of the installed software and system configurations, without which a site cannot be restored to a known-good state after an incident.
IEC 62351 is a series of standards that define procedures and processes to secure the information exchange in PAC systems. It describes the steps necessary to secure the network traffic defined in IEC 61850.
Its focus on power system Protection, Automation and Control (PAC) allows this standard to be much more detailed. It defines several strategies for securing substation communications, including encrypting or signing the network traffic, and has parts dedicated to securing specific standard message types:
- IEC 62351-4 describes MMS security. MMS messages can be encrypted because they do not share the time-critical nature of GOOSE and SV.
- IEC 62351-5 describes the application of security to IEC 60870-5-101 to -104 and DNP3 telecontrol protocols and their derivatives, which are used for supervisory control and data acquisition (SCADA).
- IEC 62351-6 describes GOOSE and SV message security, preferably message signing using a Hash-based Message Authentication Code (HMAC) carried in the extended message PDU. Note that an HMAC is a symmetric-key authentication code rather than a public-key signature: it proves that the message came from a holder of the group key and was not modified, but it provides no non-repudiation and does not by itself prevent replay.
- IEC 62351-7 describes the use of IDS and how Network and System Management (NSM) should be implemented to secure assets.
- IEC 62351-8 provides guidelines for applying RBAC in substation PAC systems.
- IEC 62351-9 covers key management, including the Group Domain of Interpretation (GDOI) protocol used to distribute a shared symmetric key to the group of devices that share the same multicast communication (i.e. a GOOSE or SV stream).
The series also contains requirements that map the strategies described in IEC 62443 onto substation applications, to promote interoperability between devices, as well as general recommendations for utilities. Although not aiming at the same technical detail, ISO 27001 and the NIS Directive are essential for developing good cyber security practice at the management and procedural level.
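The message authentication described for IEC 62351-6 can be illustrated with a short example. This is an added example, not code from the project or from the standard: it uses a truncated HMAC-SHA256 over a constructed text stand-in for a GOOSE APDU (real APDUs are BER-encoded, and the standard carries the MAC and the covered header fields in a frame extension, which is simplified here), a fixed group key standing in for one distributed by a GDOI key server, and a 128-bit MAC truncation chosen for the example:

```python
import hashlib
import hmac

# MAC truncation in bytes. IEC 62351-6 Ed. 2 defines HMAC-SHA256 variants;
# the 128-bit truncation used here is an assumption for this example.
MAC_LEN = 16

# Constructed stand-in for a GOOSE APDU. A real APDU is BER-encoded
# (IEC 61850-8-1); the fields are spelled out as text only so the example
# runs offline and shows what is being authenticated.
SAMPLE_APDU = (b"gocbRef=IED1CFG/LLN0$GO$gcb01;goID=Bay1Trip;"
               b"stNum=3;sqNum=0;allData=[trip=True,block=False]")

# Constructed group key shared by all publishers and subscribers of the
# stream. In service it would be distributed by the GDOI key server
# (IEC 62351-9), never hard-coded.
GROUP_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                          "101112131415161718191a1b1c1d1e1f")


def sign_apdu(group_key: bytes, apdu: bytes) -> bytes:
    """Publisher side: append a truncated HMAC-SHA256 over the APDU."""
    mac = hmac.new(group_key, apdu, hashlib.sha256).digest()[:MAC_LEN]
    return apdu + mac


def verify_apdu(group_key: bytes, frame: bytes):
    """Subscriber side: return the APDU if the MAC verifies, else None.

    compare_digest is constant-time, so a forger cannot learn the MAC
    byte by byte from response timing.
    """
    if len(frame) <= MAC_LEN:
        return None
    apdu, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(group_key, apdu, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    return apdu


def tamper(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Edit a field of a signed frame while keeping the original MAC,
    which is what an on-path attacker without the key can do."""
    apdu, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
    return apdu.replace(old, new) + mac


def demo() -> dict:
    """Verification outcome for each scenario (True = frame accepted)."""
    signed = sign_apdu(GROUP_KEY, SAMPLE_APDU)
    rogue_key = bytes(32)  # a device that does not hold this group's key
    return {
        "genuine": verify_apdu(GROUP_KEY, signed) is not None,
        "tampered_trip_bit": verify_apdu(
            GROUP_KEY, tamper(signed, b"trip=True", b"trip=False")) is not None,
        "forged_without_key": verify_apdu(
            GROUP_KEY, sign_apdu(rogue_key, SAMPLE_APDU)) is not None,
        "mac_stripped": verify_apdu(GROUP_KEY, signed[:-MAC_LEN]) is not None,
        # A byte-for-byte copy of a genuine frame still verifies: a MAC
        # gives integrity and origin, not freshness.
        "replayed_copy": verify_apdu(GROUP_KEY, bytes(signed)) is not None,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

The last case is the caveat that matters in practice: a MAC on its own accepts a replayed copy of a genuine frame, so subscribers must also check the stNum/sqNum freshness counters. Because the key is shared by the whole group, any compromised member can forge frames for every subscriber, which is why protecting the key distribution under IEC 62351-9 matters as much as the MAC itself.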
Risks associated with IEC 61850:
Because of its time-critical nature and the security zoning, process bus traffic is expected to sit in the most secure zone. Message signing can be deployed as an additional measure. Testing showed that, unless such measures are deployed, these systems may in some instances accept injected messages that are syntactically valid and are therefore processed as genuine. For station bus MMS traffic there is also a risk that valid messages from unauthorised devices are accepted; however, this would require either connecting a device to the network or compromising the SCADA HMI. It can be prevented by client authentication, but adequately protecting the boundary of the PAC security zone remains a key factor for overall risk reduction.
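The IEC 61850-aware detection that the literature review found effective against injected messages can be shown as a small stateful monitor. This is an added example, not one of the tools tested in the project: it works on a constructed summary of decoded GOOSE frames, uses an allowlist of publishers that in service would be derived from the SCD file, and applies the GOOSE stNum/sqNum sequencing rules to a constructed traffic sample that mixes genuine retransmissions with three kinds of injected frame. Counter wrap-around is ignored, which is an assumption for the example:

```python
from collections import namedtuple

# Constructed summary of a decoded GOOSE frame: the fields an IEC 61850-aware
# IDS extracts from the Ethernet header and the BER-encoded APDU.
GooseFrame = namedtuple(
    "GooseFrame", "src_mac dst_mac appid gocb_ref st_num sq_num")

# Allowlist of legitimate publishers. In service this is derived from the
# substation configuration (GSEControl and Communication sections of the
# SCD file); the values here are constructed for the example.
PUB1 = ("00:01:c1:00:00:01", "01:0c:cd:01:00:01", 0x0001, "IED1CFG/LLN0$GO$gcb01")
PUB2 = ("00:01:c1:00:00:02", "01:0c:cd:01:00:02", 0x0002, "IED2CFG/LLN0$GO$gcb01")
ALLOWED_PUBLISHERS = {PUB1, PUB2}


class GooseMonitor:
    """Stateful GOOSE checker: allowlist plus stNum/sqNum sequence rules.

    GOOSE semantics: stNum increments on every data change and sqNum
    restarts at 0; between changes the publisher retransmits the same
    state with sqNum increasing by one. 32-bit counter wrap is ignored
    here (assumption for the example).
    """

    def __init__(self, allowed):
        self.allowed = allowed
        self.last = {}  # gocb_ref -> (st_num, sq_num) of last accepted frame

    def check(self, f: GooseFrame) -> list:
        alerts = []
        if (f.src_mac, f.dst_mac, f.appid, f.gocb_ref) not in self.allowed:
            alerts.append("publisher not in allowlist")
            return alerts  # unknown publishers never update state
        prev = self.last.get(f.gocb_ref)
        regression = False
        if prev is not None:
            prev_st, prev_sq = prev
            if f.st_num < prev_st:
                regression = True
                alerts.append("stNum regression (replayed or stale frame)")
            elif f.st_num == prev_st and f.sq_num != prev_sq + 1:
                alerts.append("sqNum not consecutive (duplicate, replay or loss)")
            elif f.st_num > prev_st and f.sq_num != 0:
                alerts.append("stNum incremented without sqNum reset")
        if not regression:
            # Packet loss and genuine state changes must advance the state;
            # a stale frame must not roll it back.
            self.last[f.gocb_ref] = (f.st_num, f.sq_num)
        return alerts


# Constructed traffic sample: genuine frames interleaved with injected ones.
SAMPLE_TRAFFIC = [
    GooseFrame(*PUB1, 3, 0),                                          # 0 genuine state change
    GooseFrame(*PUB1, 3, 1),                                          # 1 genuine retransmission
    GooseFrame(*PUB1, 3, 2),                                          # 2 genuine retransmission
    GooseFrame("00:01:c1:00:00:99", PUB1[1], PUB1[2], PUB1[3], 4, 0), # 3 rogue source MAC
    GooseFrame(*PUB1, 2, 5),                                          # 4 replay of an old capture
    GooseFrame(*PUB1, 3, 3),                                          # 5 genuine retransmission
    GooseFrame(*PUB1, 4, 7),                                          # 6 spoofed source, sqNum not reset
]


def run_monitor(frames, allowed=ALLOWED_PUBLISHERS):
    """Return (frame index, alerts) for every frame that raised an alert."""
    mon = GooseMonitor(allowed)
    findings = []
    for i, f in enumerate(frames):
        alerts = mon.check(f)
        if alerts:
            findings.append((i, alerts))
    return findings


if __name__ == "__main__":
    for idx, alerts in run_monitor(SAMPLE_TRAFFIC):
        print(f"frame {idx}: {'; '.join(alerts)}")
```

The rules catch the rogue MAC, the replayed capture and the carelessly spoofed frame, but an attacker who clones the publisher's MAC, APPID and gocbRef, waits for the current stNum and injects stNum+1 with sqNum 0 produces exactly the "valid message" described above and is indistinguishable from a genuine state change by sequence checks alone. That is why this kind of monitor complements, rather than replaces, message signing and protection of the zone boundary.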
3. Assess resilience issues for digital solutions:
The impact of modified, delayed or blocked network traffic varies with the devices involved; however, in many cases tampered GOOSE messages represent the highest risk, since GOOSE carries protection trip and interlocking signals. Message signing and flow control are the most effective countermeasures in these cases.
The impact of a lost, spoofed or modified GPS time reference on line differential protection was also a key concern. It was demonstrated, however, that echo (ping-pong) mode configurations can be applied successfully, provided that the local timing between merging unit (MU) and IED is consistent and that the differential (asymmetric) delay on the communication network is controlled and limited.
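Why echo mode tolerates loss of the GPS reference but not asymmetric channel delay can be shown numerically. This is an added example, not code from the project: it models a line differential channel with constructed delays, a 50 Hz system and a 1 ms remote turnaround, and assumes the relays exchange the usual four timestamps per round trip (local send, remote receive, remote send, local receive):

```python
import math


def estimate_one_way_delay(t1, t2, t3, t4):
    """Ping-pong (echo) channel delay estimate.

    t1 (local send) and t4 (local receive) are on the local relay's clock;
    t2 (remote receive) and t3 (remote send) are on the remote relay's clock.
    The unknown offset between the two clocks cancels, so no GPS reference
    is needed; the result is exact only if the path is symmetric.
    """
    return ((t4 - t1) - (t3 - t2)) / 2.0


def simulate_pingpong(fwd_delay, rev_delay, clock_offset, turnaround=0.001):
    """Constructed timestamps (seconds) for one round trip with the given
    true one-way delays and a remote clock offset unknown to the relays."""
    t1 = 0.0
    t2 = t1 + fwd_delay + clock_offset
    t3 = t2 + turnaround
    t4 = t3 + rev_delay - clock_offset
    return t1, t2, t3, t4


def alignment_error(fwd_delay, rev_delay, clock_offset=0.123):
    """Error in the local relay's time alignment of the remote samples:
    true forward delay minus the ping-pong estimate (half the asymmetry)."""
    ts = simulate_pingpong(fwd_delay, rev_delay, clock_offset)
    return fwd_delay - estimate_one_way_delay(*ts)


def spurious_differential_pu(alignment_error_s, f_hz=50.0):
    """Differential current, per unit of through current, caused purely by a
    time-alignment error: |1 at 0 deg - 1 at theta| = 2*sin(theta/2),
    with theta = 2*pi*f*dt."""
    theta = 2.0 * math.pi * f_hz * alignment_error_s
    return abs(2.0 * math.sin(theta / 2.0))


if __name__ == "__main__":
    for fwd, rev in [(0.005, 0.005), (0.004, 0.008)]:
        err = alignment_error(fwd, rev)
        print(f"fwd={fwd*1e3:.1f} ms rev={rev*1e3:.1f} ms -> "
              f"alignment error {err*1e3:+.2f} ms, "
              f"spurious Idiff {spurious_differential_pu(err):.3f} pu")
```

With symmetric 5 ms delays the estimate is exact despite the 123 ms clock offset, which is why echo mode survives a lost or spoofed GPS reference. With 4 ms forward and 8 ms return the estimate is 6 ms, the remote samples are misaligned by 2 ms (36 degrees at 50 Hz), and a pure through-current produces 0.618 pu of spurious differential current, well above typical pickup settings. A switched telecommunications network that re-routes one direction is the usual source of such asymmetry, hence the requirement that differential delay be controlled and limited.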
4. Investigate methods and strategies relating to improving resilience for digital substations
Collaborative defence mechanisms:
Based on the literature survey, one of the most feasible approaches to cooperative defence in digital substations is multi-agent technology, in which each agent, as a software function, carries out one specific task to detect cyber-attacks or to prevent PAC systems from making false operations during an attack. A cooperative defence mechanism can then be built on the exchange of information between these agents.
Software defined networks (SDN) allow detailed flow control based on a whitelisting approach and were found to enhance cyber security significantly. The trade-off is that the flow controller settings must be managed and kept in step with the substation configuration; the configuration tools increasingly support this task.
5. Standardise I/O interfaces to primary equipment;
One objective of digitalisation in PAC systems is to reduce the primary outages and commissioning tests required when replacing failed or end-of-life equipment. As part of this work we developed a prototype standardised interface that allows the primary interface to be switched from one merging unit to another while the primary equipment remains in service. It also includes a standardised interface plug.
6. Station-wide functions and commissioning.
Current digital substation designs can be integrated with conventional solutions by defining clear interfaces between legacy technology and new equipment. We investigated in more detail how to integrate the synchronising function and how to bridge between contact logic and GOOSE messages.
Recommendations for further work
Cyber security for Protection Automation and Control is an evolving area and we suggest that more work will be required on securely implementing centralised device management, self-healing features and automated cyber response. There is also a need for further work on the automation of configuration, engineering and testing including data flow control.
Lessons Learnt
During 2019/20 the project made good progress in line with the updated project plan. The onset of the COVID-19 lockdown had started to pose some challenges with regards to access to the research laboratory. We expected that there would be some impact on the project however it was possible to advance tasks that did not require lab access and establish which tasks could be carried out with a remote connection to the lab.
Managing the uncertainties of the PDRA recruitment process will be built into future projects and managed as part of the risk register.
The learning from the project has been summarised in the relevant reports associated with each work package and in the final project report. The key learning points and outcomes are also summarised in this report under “The outcomes of the project”.
Dissemination of the learning from the project has been delivered via a CIGRE webinar to a wide range of stakeholders and also via several publications and presentations, as mentioned under “Project Progress” above.