
Cybersecurity of SCADA within Substations
Adam Hahn, Chih-Che Sun, and Chen-Ching Liu
Washington State University, Pullman, WA, USA

1 Overview
Substations provide the main interface between the physical grid and the cyber control of bulk power systems. Recent innovations have substantially changed how substations are monitored and controlled, increasingly relying on digital communication and computation. Unfortunately, these technologies significantly increase the grid's risk of cyber attack. Advanced cyber-based threats, such as terrorists and nation states, are increasingly focusing on the power grid as a target of attack (U.S. Government Accountability Office (GAO), 2015). Therefore, substations must implement strong cybersecurity protections to ensure the reliability of the bulk power system.
This chapter provides an overview of the communications and control architectures found in modern substations, including the network protocols and devices commonly used to support these functions. It then explores cyber threats to each of these components, emphasizing the various power system control applications that could be manipulated by the attacker. The chapter then identifies security mechanisms that can be used to protect substations, including encryption, authentication, firewalls, and intrusion detection systems (IDSs). It also reviews current cybersecurity standards that influence the security posture of the grid, such as NERC CIP (North American Electric Reliability Corporation critical infrastructure protection), IEC 62351, and IEEE C37.240.

2 Substation Architectures, Threats, and Vulnerabilities


Recent advancements in information and communications technology (ICT) have greatly influenced the design of modern substations. In the past, substations have heavily depended on electromagnetic and analog (static) technologies; however, digital control and communication are becoming increasingly prevalent. Most of the power grid state information is obtained through substations (e.g., current, voltage, power flow, frequency, power angle, protection settings, and fault records). A basic understanding of common substation power applications is important to understanding how a cyber attack against various systems could perturb the power grid.

Smart Grid Handbook, Online © 2016 John Wiley & Sons, Ltd.
This article is © 2016 John Wiley & Sons, Ltd.
This article was published in the Smart Grid Handbook in 2016 by John Wiley & Sons, Ltd.
DOI: 10.1002/9781118755471.sgd055

Table 1 Common substation components

Physical Components    Cyber Components
-------------------    -------------------------------------
Busbar                 Intelligent electronic devices (IEDs)
Lines                  Human–machine interfaces (HMIs)
Circuit breaker        Substation gateway
VTs/PTs                Routers/switches
FACTS devices          GPS receivers
Reclosers              Firewalls

Table 1 identifies some key substation components that are described and referenced throughout this chapter. The table differentiates the physical components (also called primary plant) that are used to control and monitor the physical power flow in the grid from the cyber components (also called elements belonging to substation automation, i.e., secondary plant) used to manage and support the substation communication and digital control functions. Figure 1 provides an overview of the physical and cyber components within a digital substation architecture. The architecture can be viewed as a layered approach, comprised of the station, bay, and process layers.
The station level incorporates all of the central systems that are used to support the various processes throughout the substation. The substation usually has a wide-area supervisory control and data acquisition (SCADA) network to the control center, which is used for measurements, control, and other system management functions. This communication often occurs over an array of physical networks, including fiber, leased lines, wireless, or even power line carrier (PLC) communication. The substation may often have another remote access point that can be accessed for management and administrative connections. The substation will generally have a substation gateway, or remote terminal unit (RTU), to aggregate communications between all the various low-level devices in the substation. The station level will also have some human–machine interface (HMI), GPS (global positioning system) timing devices, and security devices.
The bay level incorporates devices that are used to control and monitor the grid. This includes various types of intelligent electronic devices (IEDs) including phasor measurement units (PMUs), digital fault recorders (DFRs), and protection relays. Much of the distributed control functions of the substation occur at this level. These devices commonly communicate over fiber Ethernet to both the station level and process level.
The process level contains the lower level devices that directly measure and manipulate the grid. Merging units can collect measurements from voltage and current transformers (CTs/PTs) and send those measurements to the bay level. In addition, this level contains intelligent control units that can control actuators, such as circuit breakers and reclosers.

2.1 Substation Functions


Substations perform a number of monitoring, protection, and control applications for the power grid. Some of the key applications include supporting SCADA and PMU measurements, enabling control over various substation components [e.g., circuit breakers, transformer tap positions, and FACTS (flexible alternating current transmission system) devices], and supporting the grid's various protection schemes. Understanding the criticality of the substation components and their need for security depends heavily on the various power applications supported by the devices.

[Figure 1 Modern digital substation architecture: the control center (firewall, SCADA server, user interface) connects over the wide area network to the substation; station level: substation gateway/RTU, user interface, GPS, remote access point, firewall/router; bay level: metering, PMU, and protection IEDs; process level: intelligent control units and merging units attached to circuit breakers and electronic CT/PT on the 3-phase transmission line]

2.1.1 Substation Measurement Devices


Many digital components within a substation are used to remotely monitor the grid's state so that operators can acquire the critical information and operate the power system from the control center. SCADA systems are generally used to poll important data from substation devices, to make critical control decisions within the substation based on the state of the grid. Moreover, much of this data is used by utilities to support market transactions or other operational decisions. Therefore, if an attacker can manipulate the data it is possible to influence various grid control decisions and consequently influence the stability and economic system operations. SCADA measurements and PMUs are two of the main techniques used to collect system measurements from substations.

• SCADA measurements commonly include data about the grid's currents and voltages from CTs and PTs. This data is obtained by periodically polling the IEDs that monitor these devices, typically on a 2- to 4-s interval. Timing for SCADA measurements is usually poorly correlated because the clocks for the various measurements are not synchronized, often resulting in measurement errors.
• PMUs collect synchronized real-time measurements (e.g., voltage, current, power flow, frequency, and power angle) from power grids and align them with granular time reference data obtained from GPS signals, or any other reliable timing source. PMUs are able to provide accurate measurements with time stamps up to 60 samples per second (North American Electric Reliability Corporation, 2010). The placement of PMUs should be determined carefully since PMUs and their installation are expensive. Very often, a criterion for optimal PMU placement determines optimal PMU locations in the grid. The primary task of PMU deployment is to determine the minimum number of strategic locations for PMUs that provide sufficient observability of the power system.

2.1.2 Substation Control Devices


Substations have numerous components that can be used to control power flow through various mechanisms. Operators utilize circuit breakers, transformer taps, and FACTS devices to manage a wide array of grid stability and security properties. A variety of control mechanisms that could be used by an attacker to perturb grid operations are given below.

• Circuit breakers are deployed within substations at both terminals of a transmission line. Their functions include isolating transmission lines and transformers during a fault or during line maintenance to protect workers. Operators can remotely send commands to modern IEDs to directly control circuit breakers.
• Transformer taps can be used to help regulate appropriate bus or line voltage by adjusting the number of windings to raise or reduce the voltage. Operators can remotely specify the transformer tap positions to regulate the voltage.
• FACTS implement power electronic components in substations so that operators can remotely control voltage and power flow in transmission systems.

2.2 Communication Protocols


A variety of networking protocols are used to support inter-substation communications and remote communication to the control center. These protocols are generally tailored to communicate measurement and control data; therefore, they have strong error detection capabilities (e.g., cyclic redundancy checks) to detect and recover from faults, such as bit flips. This ensures that common errors do not result in the communication of incorrect measurements or commands. However, most protocols were developed decades ago and do not provide adequate security protections from modern threats. Common protocols used for substation communication include DNP3 and IEC 61850; each of these protocols is briefly explained in this section.

2.2.1 Distributed Network Protocol (DNP3)


Distributed network protocol (DNP3) is defined in the IEEE-1815 standard and is commonly used to communicate SCADA data between control centers and substations (IEEE-1815, 2012). DNP3 operates either over a serial connection (RS-232) for non-routable communication or over TCP/IP (Transmission Control Protocol/Internet Protocol) for routable communications. DNP3 utilizes a master/slave communication paradigm. The master is commonly the control center and the slave is the RTU or substation gateway. Therefore, the master sends commands and receives measurements from the substation. The type of measurement or control data transmitted by a DNP3 message is indicated by the message's application service data unit (ASDU). The ASDU's type is dictated by the function code; each function code is associated with a set of objects for the binary or analog values associated with that function code. Some ASDU types that can be used to control substation functions include (i) write and (ii) operate, while those used to monitor data values include (iii) read, and (iv) confirm. Function codes then have associated data objects that specify the types of data associated with them, including analog values (e.g., current and voltage) or binary values (e.g., breaker status).

2.2.2 IEC 61850


IEC 61850 is an emerging set of protocols to meet the smart grid's increased requirements for fast and reliable communication within substations (Thomas and Ali, 2010). Three primary protocols within IEC 61850 are used for substation communications, that is, Generic Object Oriented Substation Event (GOOSE), Sample Values (SVs), and Manufacturing Message Specification (MMS). The GOOSE protocol is designed to send intra-substation events with low latency to support substation control functions, such as protection operations. The protocol operates directly over Ethernet to reduce the latency introduced by processing upper level TCP/IP. It is also based on a publisher/subscriber architecture, where devices send out multicast status messages to subscribing neighboring devices. The SV protocol is used to continually send measurements from devices at the process level to those at the bay level. Similar to GOOSE, SV messages are transmitted directly over Ethernet to reduce communication latency. Unlike GOOSE and SV, MMS is a client–server communication protocol that operates over TCP/IP. This means that the protocol is routable and can perform inter-substation communication or communication to the control center. Therefore, MMS can be used to send control and measurement data outside the substation network to other substations or control centers.

2.3 Cyber Vulnerabilities within Substations


There are many potential cyber vulnerabilities within the networks and devices of a modern substation. Attackers can exploit these vulnerabilities to degrade the confidentiality, availability, or integrity of substation systems and their data. Understanding these potential vulnerabilities is imperative to determining which security mechanisms are needed to protect the substation from attack. This section identifies key vulnerabilities within substations, while further exploring where they are found and their potential impact.

Unauthorized Access. Substations rely on remote communications for the maintenance, administration, monitoring, and control functions since they are geographically dispersed. Physical access is also needed occasionally for field engineers who work in the substation. Both remote and physical access functionality provide opportunities for attackers to gain substation access. The substation must be able to authenticate both physical and remote users to ensure that malicious actors cannot log in to send malicious commands or measurements, or perform other system manipulations.
Denial of Service (DoS). The communications with the substation often require that messages be received within a fixed timeframe. If an attacker can either delay or drop authorized communications, they can disrupt various substation applications. This attack would be especially impactful if the grid is in an emergency or alert state, where timely information is needed to prevent a grid outage. The denial of service (DoS) attack could target the WAN (wide area network) communication between the control center and substations, or potentially affect inter-substation communication if the attacker previously gained access to the substation.
Malware. An attacker could potentially leverage software vulnerabilities or missing authentication to install malicious software on various substation systems (e.g., IEDs, HMIs, RTUs). This would allow the attacker to perform complex manipulations of the various control functions used for substation operations. Substation-specific functions performed by the malware include injection of malicious control commands or grid measurements.
Eavesdropping. Many of the substation communications could include sensitive information, such as authentication data (e.g., username and passwords) or data about the grid's status (e.g., SCADA measurements). If attackers can view this data, they could potentially use this information to gain further access to substation components.
Cyber Physical Attack. Because substations are in geographically remote locations, they are also vulnerable to coordinated cyber physical attacks. In this attack, cyber attacks can be launched in coordination with a physical attack to cause increased damage. An example occurred in San Jose, California, in 2013, where multiple attackers damaged the communication system and physical system sequentially. First, the attackers cut the AT&T communication line near the targeted substation to paralyze cell phone service. After the first attack, the snipers shot several transformers from a distance. It took 27 days to repair the targeted substation since 17 major transformers had been damaged. The area faced an increased danger of power outage during the attack as the damage to the communication system delayed the response time for operators (Smith, 2014).

3 Security Standards and Compliance Requirements


Multiple security standards have been developed to help protect the grid from a cyber attack. Some standards (e.g., IEEE C37.240-2014) provide guidance to vendors on the security features and capabilities that should be supported on devices commonly used in substations. Other standards (e.g., NERC CIP) identify the security features that should be used by utilities when they design, implement, and operate their systems. This section explores key standards and identifies how these requirements apply to modern substations.

3.1 NERC Critical Infrastructure Protection (CIP) for Substations


NERC CIP provides baseline security requirements for the cyber assets used to support the bulk power system, including many of the assets located within substations (North American Electric Reliability Corporation (NERC), 2013). The set of protection mechanisms required to protect a substation depends on how critical the cyber components are to supporting bulk power system operations. NERC requires that utilities meet the CIP standards and has the authority to impose financial penalties for standards that are not appropriately met.
NERC CIP is an evolving standard that originally only applied to systems classified as "critical cyber assets," based on whether they met certain criteria regarding whether they could potentially impact the grid. However, version 5, which was approved by the Federal Energy Regulatory Commission (FERC) in 2013, introduces a risk-based approach to the application of the standards. In this approach, systems are categorized as low, medium, or high, depending on their ability to impact the bulk power system if attacked. Table 2 provides an overview of substation attributes that are used to categorize substation components based on guidance from standard CIP-002-5.1.

Table 2 NERC CIP substation impact categorization

Impact Level   Categorization Criteria
------------   -----------------------
High           No substation attributes are categorized as high impact
Medium         "Transmission facilities operated at 500 kV or higher"
               "200 and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more transmission stations or substations and has an 'aggregate weighted value' exceeding 3000"; the aggregate weighted value parameters are defined so that each 200–299 kV line is assigned 700 points and each 300–499 kV line is assigned 1300 points
               Transmission facilities identified as "critical to the derivation of interconnection reliability operating limits (IROLs)"
               "Transmission facilities identified as essential to meeting nuclear plant interface requirements"
               "Special protection schemes, remedial action schemes, or automated switching, which if degraded, would cause an IROLs violation"
               "Each system or group of elements that performs automatic load shedding under a common control system, without human operator initiation, of 300 MW or more, implementing undervoltage load shedding (UVLS) or underfrequency load shedding (UFLS)"
Low            All other substation components

Systems with higher risk categorizations require the application of more stringent security controls, which are discussed later in the chapter. Note that no substation system is categorized as high, while systems that meet a certain voltage level or could impact interconnection reliability operating limits (IROLs) are categorized as medium.
The remainder of the section explores various NERC CIP technical controls that apply to substations, specifically those identified in CIP-007-7 "Systems Security Management" and CIP-005-5 "Electronic Security Perimeter (ESP)."
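Applying the Table 2 medium-impact criteria to constructed stations, as an added example (not NERC's text or any utility's tooling); the `Line` type, `impact_level` and the station names are assumptions of this example, and the 500 kV, aggregate-weight, three-station and 300 MW rules are taken from the table:

```python
from dataclasses import dataclass

# Parameters quoted in Table 2 (CIP-002-5.1 medium-impact criteria).
LINE_WEIGHTS = ((200, 299, 700), (300, 499, 1300))   # (min kV, max kV, points per line)
AGGREGATE_THRESHOLD = 3000                            # aggregate weighted value must exceed this
MIN_CONNECTED_STATIONS = 3                            # connections at 200 kV or higher
LOAD_SHED_THRESHOLD_MW = 300                          # automatic UVLS/UFLS of 300 MW or more


@dataclass
class Line:
    kv: int                 # nominal operating voltage of the line
    remote_station: str     # transmission station at the far end (constructed names below)


def line_weight(kv: int) -> int:
    """Points assigned to one line by the aggregate weighted value rule (0 outside 200-499 kV)."""
    for low, high, points in LINE_WEIGHTS:
        if low <= kv <= high:
            return points
    return 0


def aggregate_weight(lines) -> int:
    return sum(line_weight(line.kv) for line in lines)


def impact_level(station_kv: int, lines, irol_critical=False,
                 nuclear_interface=False, sps_irol=False, load_shed_mw=0) -> str:
    """Return 'medium' or 'low'; Table 2 assigns no substation attribute to 'high'."""
    if station_kv >= 500:
        return "medium"
    if 200 <= station_kv <= 499:
        # Count distinct stations reached over lines at 200 kV or higher.
        stations = {line.remote_station for line in lines if line.kv >= 200}
        if len(stations) >= MIN_CONNECTED_STATIONS and aggregate_weight(lines) > AGGREGATE_THRESHOLD:
            return "medium"
    if irol_critical or nuclear_interface or sps_irol or load_shed_mw >= LOAD_SHED_THRESHOLD_MW:
        return "medium"
    return "low"


def demo() -> dict:
    """Constructed stations that exercise the edge conditions of the 200-499 kV rule."""
    four_345 = [Line(345, f"S{i}") for i in range(1, 5)]   # 4 x 1300 = 5200, exceeds 3000
    four_230 = [Line(230, f"S{i}") for i in range(1, 5)]   # 4 x 700 = 2800, does not exceed
    two_stations = [Line(345, "S1"), Line(345, "S1"), Line(345, "S2")]  # 3900 points, only 2 stations
    return {
        "ehv_500": impact_level(500, []),
        "345_four_lines": impact_level(345, four_345),
        "230_four_lines": impact_level(230, four_230),
        "345_two_stations": impact_level(345, two_stations),
        "115_ufls_300": impact_level(115, [], load_shed_mw=300),
        "115_plain": impact_level(115, []),
    }
```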
NERC CIP-007-7 provides requirements on how systems are configured and managed to help reduce the system's attack surface and prevent vulnerabilities. It also identifies various security technologies that should be incorporated within various systems to provide additional security. Key requirements include (i) restricting the network's TCP/UDP (Transmission Control Protocol/User Datagram Protocol) ports and services, (ii) implementing patch management procedures on all systems, (iii) employing mechanisms to monitor for malicious code on systems, (iv) implementing logging and monitoring techniques for security-related events, and (v) authenticating remote connections and limiting access to authenticated users.
Another key NERC CIP technical requirement for substations is CIP-005-5, 3.1.1, "ESP." This standard mandates the deployment of an ESP to secure devices, such as those within a substation. The ESP is a concept to protect critical cyber assets by encapsulating them behind an electronic access point (EAP). The EAP should provide various security features that can help protect the devices within the perimeter. This helps address security concerns resulting from the substation's dependence on legacy devices that often lack the necessary security protections. The EAPs should filter both inbound and outbound traffic, authenticate and encrypt remote connections to the ESP, and perform intrusion detection on remote communication.

3.2 IEEE C37.240


The IEEE C37.240-2014, "Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems," provides cybersecurity requirements, desired capabilities, and configuration guidance for substation components (e.g., switches, routers, wireless base stations, IEDs) (IEEE Std C37.240TM-2014, 2014). The following list identifies some key requirements from this document.

• A minimum of 128-bit encryption should be used on communications, especially on VPNs.
• Network connections should support transport layer security (TLS) for encryption and authentication.
• Serial communications should implement IEEE Standard 1711 for bump-in-the-wire encryption.
• Devices should support multifactor authentication.
• Accounts should be blocked after failed attempts.
• All authentication attempts should be logged.
• Password policies should enforce complexity and refresh periods.
• Role-based access control (RBAC) approaches should be implemented on the basis of the IEC 62351 standard.

In addition, the document describes high-level guidance relating to security testing, incident response, and configuration management.

3.3 IEC 62351


IEC 62351 is a standard that identifies cybersecurity protections necessary to protect various substation communication protocols (e.g., IEC 60870-5, IEC 61850) and devices. It provides recommendations for access control mechanisms, key management, and security management techniques (Cleveland, 2012). It also identifies cryptographic functions that should be used to protect the confidentiality and integrity of network communications. The security mechanisms proposed in this standard are further explored throughout this chapter as they form a strong basis for the requirements needed to secure a modern substation.

4 Encryption and Authentication


The various communications used to support modern substations are vulnerable to numerous attacks such as spoofing, denial-of-service, and man-in-the-middle. These attacks could be used to inject malicious substation commands or to provide an attacker with direct control over the various substation devices. The use of authentication and encryption can protect data and communications from many of these attacks. This section explores the various authentication and encryption techniques used to support both wide area communications between control center and substations and communication within a substation.

4.1 Encryption
As identified in Section 3.1, NERC CIP requires the use of encryption on all remote connections to the substation. Remote communications typically include both SCADA data protocols (e.g., DNP3 and Modbus) and administrative/management data [e.g., SNMP (simple network management protocol), HTTP (hypertext transfer protocol), SSH (secure shell), FTP (file transfer protocol)]. In general, the latter has stronger confidentiality requirements since it could include user passwords or other authentication information that could be used by an attacker to directly gain additional access to substation devices. While being able to read SCADA data could give an attacker an understanding of the system's state, it will not provide the attacker with the direct ability to control devices. Substations usually have physical protections, such as locked gates and cabinets, so it is assumed that communications within the substation cannot be easily eavesdropped. Therefore, encryption is required for remote communications, but not for intra-substation communication. In addition, inter-substation communications are often used for near real-time control with low latency requirements. Table 3 provides an overview of the message types and acceptable latencies for substation functions as defined in IEC 61850 (Mohagheghi, Stoupis, and Wang, 2009). Notice that fault isolation and protection functions have very small allowable latency, and therefore, introduce performance constraints during authentication and encryption.

Table 3 IEC 61850 message latency requirements

Functions                        Message Type   Delay (ms)
------------------------------   ------------   ----------
Fault isolation and protection   Type 1A/P1     3
                                 Type 1A/P2     10
Routine automation functions     Type 1B/P1     100
                                 Type 1B/P2     20
Measurement readings             Type 2         100
                                 Type 3         500
While there are techniques and protocols that can perform encryption at each layer of the TCP/IP model (e.g., network, Internet, transport, application), this chapter highlights approaches at the Internet and transport layers. NERC CIP identifies both TLS and Internet protocol security (IPSec) as prominent options for protecting remote communications to substations (North American Electric Reliability Corporation (NERC), 2011).
At the transport layer, TLS is the predominant method for providing both encryption and authentication for communications. Multiple standards such as IEC 62351 and NERC CIP identify TLS as an acceptable protocol to protect substation communications. IEC 62351 suggests that TLS should be used to protect the MMS protocol since it is commonly used to support communication outside of the substation, unlike GOOSE and SV. While the TLS protocol supports a wide array of cryptographic ciphers, IEC 62351 recommends that devices should utilize either 128- or 256-bit Advanced Encryption Standard (AES) for encryption, Diffie–Hellman-based key exchange, and either RSA or Digital Signature Algorithm (DSA) for authentication (Cleveland, 2012). Additional SCADA protocols, such as IEC 60870-5-104, DNP3, and Modbus, can also operate over TLS to provide the necessary security.

4.2 Message Authentication


Message authentication will ensure that systems do not accept unauthorized messages from malicious systems or users. Message authentication is crucial to protect the communication between multiple devices. Messages containing SCADA measurements, PMU measurements, or commands to breakers and other devices require authentication because a spoofed message could perturb the operation of the grid. Multiple techniques are used to authenticate messages within substation communications, including digital signatures, challenge–response, and message authentication codes (MACs). The authentication approach is generally dependent on the network protocol used to communicate between systems. Multiple network protocols for substations support some authentication mechanisms, including DNP3 and IEC 62351. Some of the previously explained cryptographic protocols, such as TLS and IPSec, provide authentication in addition to encryption. Examples of each technology are explored in this section.
While authentication is important to protect messages, the operational requirements of the grid introduce constraints on the latency of certain communications. Unfortunately, authentication presents challenges within substations because of computational overhead. Table 4 explores the latency introduced by popular cryptographic algorithms based on work performed by Hauser, Manivannan, and Bakken (2012). These results were computed on a 2.8 GHz processor in a publisher/subscriber architecture. Notice that RSA and DSA algorithms may introduce excessive delay for any control application that requires millisecond-level latencies, such as those described for protection and fault isolation functions in Table 3.

Table 4 Benchmark authentication latency results

Algorithm      Pub (ms)   Sub (ms)   Total (ms)
------------   --------   --------   ----------
SHA-256        0.01       0.01       0.02
2048 bit RSA   59         2.04       61.04
1024 bit DSA   4.10       9.80       14.90

Table 5 DNP3 SA ASDU criticality

Critical    ASDU                     Related Substation Functions
---------   ----------------------   --------------------------------------------------------------------
Mandatory   Write, Select, Operate   Operate circuit breakers; change transformer tap position; FACTS devices
Optional    Read, Confirm            Current/voltage measurements; breaker status

4.2.1 DNP3 Secure Authentication (SA)


While original versions of DNP3 did not have any security features, version 5 added the concept of secure authentication to messages (IEEE 1815-2010, 2010). Within the standard, only a set of ASDUs is considered critical, and therefore authenticated. Those that are non-critical have an optional authentication requirement. Table 5 provides an overview of common DNP substation ASDUs and whether they are identified as critical or optional. Notice that critical ASDUs typically address control of a device, while non-critical ASDUs generally send measurement data.
DNP SA provides two authentication methods based on how much time is available to perform the authentication. A challenge–response approach is used when the message does not have a hard latency constraint. When message latency has a strict bound, an "aggressive" mode can be used that sends the authentication data in the same DNP message. DNP3 SA can utilize both symmetric and asymmetric keys to perform the authentication. The actual authentication of the message is based on two symmetric session keys (one for the monitoring direction and one for the control direction). For the message authentication code, the standard recommends either the SHA-HMAC or AES-GMAC algorithm.
Figure 2a demonstrates how the DNP SA challenge–response approach works. First, the responder sends
the critical ASDU to the challenger. Then the challenger initiates the challenge by sending a challenge
message that includes a random string, a sequence number, and the algorithm for the challenge. The responder
uses the received challenge to compute the MAC based on the preshared session key; the
response is then sent back to the challenger with the MAC and the original command to prevent replay
attacks. The challenger can then verify the response based on the shared session key and MAC algorithm.


[Figure 2: (a) challenge–response exchange between responder and challenger: critical ASDU, authentication challenge, authentication response, ASDU response. (b) aggressive exchange: aggressive critical ASDU, ASDU response.]

Figure 2 (a) DNP SA challenge–response and (b) aggressive authentication

The challenge–response algorithm can introduce additional overhead as it essentially doubles the round-
trip latency of the message. This may not be acceptable in certain substation operations with either long com-
munication latencies or very fast communication requirements (e.g., protection operations). Therefore,
DNP3 SA also provides an aggressive authentication approach that does not use the challenge–response.
With the aggressive approach (Figure 2b), the responder computes the MAC before sending the original
ASDU and then transmits the MAC in the same transmission as the ASDU. The challenger can then imme-
diately verify the message and send its response.
The session keys are only used for actual authentication during the length of a DNP session. An update key
is also used to support the generation of new session keys for each new session. This means that if a session
is compromised the attacker cannot manipulate later session keys. The protocol also supports changing the
update key so that it can be refreshed periodically to limit the impact of a compromise. This can be done with both
symmetric and asymmetric approaches. With a symmetric key approach, both ends of the connection must
utilize a trusted third party with which they share keys. The trusted third party can then distribute keys to
each DNP3 client. Asymmetric keys can be used in place of the trusted third party. In this approach, each
device has a public/private key pair that it can use to encrypt and transmit new update keys between
systems.
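The two DNP3 SA modes described above, modelled end to end as an added example (this is not code from the chapter or from the IEEE 1815 standard, and the message layout, the 16-byte session key and the Operate ASDU bytes are constructed for illustration). It shows why the MAC covers the challenge, the sequence number and the original ASDU: a replayed response and a tampered ASDU both fail verification.

```python
import hashlib
import hmac
import os

# Constructed control-direction session key; DNP3 SA keeps a second key for the
# monitoring direction and derives both from the update key at session start.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_ALG = b"HMAC-SHA-256"


def compute_mac(key, challenge, csq, asdu):
    # Binding the challenge, sequence number and original ASDU means a captured
    # response cannot be replayed for a later or different command.
    return hmac.new(key, challenge + csq.to_bytes(4, "big") + asdu, hashlib.sha256).digest()


class Challenger:
    """Receiver of critical ASDUs (e.g. an outstation receiving an Operate)."""

    def __init__(self, key):
        self.key = key
        self.csq = 0                # challenge sequence number, strictly increasing
        self.last_challenge = b""   # most recent challenge; aggressive mode reuses it
        self.pending = None         # (csq, asdu) held until the response verifies

    def receive_critical_asdu(self, asdu):
        # Challenge-response mode (Figure 2a): hold the ASDU, send a challenge that
        # carries a random string, the sequence number and the MAC algorithm.
        self.csq += 1
        self.last_challenge = os.urandom(4) + MAC_ALG
        self.pending = (self.csq, asdu)
        return self.csq, self.last_challenge

    def verify_response(self, csq, asdu, mac):
        # Act on the ASDU only if it is the pending one and the MAC verifies;
        # the pending slot is cleared first so each challenge is single use.
        if self.pending != (csq, asdu):
            return False
        self.pending = None
        expected = compute_mac(self.key, self.last_challenge, csq, asdu)
        return hmac.compare_digest(expected, mac)

    def verify_aggressive(self, csq, asdu, mac):
        # Aggressive mode (Figure 2b): the MAC arrives with the ASDU and is computed
        # over the last challenge this side issued; csq must advance to block replays.
        if not self.last_challenge or csq <= self.csq:
            return False
        expected = compute_mac(self.key, self.last_challenge, csq, asdu)
        if not hmac.compare_digest(expected, mac):
            return False
        self.csq = csq
        return True


class Responder:
    """Sender of critical ASDUs (e.g. a SCADA master issuing controls)."""

    def __init__(self, key):
        self.key, self.last_challenge, self.csq = key, b"", 0

    def answer_challenge(self, csq, challenge, asdu):
        self.last_challenge, self.csq = challenge, csq
        return csq, asdu, compute_mac(self.key, challenge, csq, asdu)

    def aggressive_request(self, asdu):
        self.csq += 1
        return self.csq, asdu, compute_mac(self.key, self.last_challenge, self.csq, asdu)


def run_exchange():
    # Both modes end to end: (challenge-response ok, aggressive ok, replay rejected).
    outstation, master = Challenger(SESSION_KEY), Responder(SESSION_KEY)
    operate = b"\x04 CROB point 3 LATCH_ON"  # constructed stand-in for an Operate ASDU
    csq, challenge = outstation.receive_critical_asdu(operate)
    response = master.answer_challenge(csq, challenge, operate)
    first_ok = outstation.verify_response(*response)
    replay_ok = outstation.verify_response(*response)  # identical response again
    aggressive_ok = outstation.verify_aggressive(*master.aggressive_request(operate))
    return first_ok, aggressive_ok, not replay_ok
```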

4.2.2 IEC 62351 Authentication


In addition to the encryption recommendations discussed in Section 3.3, IEC 62351 also identifies various
authentication techniques. While the recommended security techniques differ on the basis of the IEC 61850
protocol, the standard utilizes x509 certificates and asymmetric cryptography to authenticate devices, along
with trusted third parties to exchange symmetric keys between systems (Weis, Seewald, and Falk, 2013).
For TCP/IP-based authentication, TLS is recommended to provide both encryption and authentication, with
the usage of x509 certificates for both client and server (Cleveland, 2012).
While this approach provides strong security, the TLS connection establishment provides some overhead
that is not considered acceptable for communications that require low latency. Therefore, IEC 62351 pro-
vides additional security mechanisms when low latency is required. For GOOSE and SV communication,
the standard specifies that RSA-based digital signatures using a 256-bit secure hash algorithm (SHA) mes-
sage digest should be used for the communication. No encryption of the message is performed, primarily
because these protocols are transmitted directly over Ethernet and are non-routable.


4.3 User Authentication


Substation devices must also authenticate users, such as operators and engineers, who may need either
remote or physical access to perform maintenance functions. Within the electric power grid, authentication
mechanisms must introduce limited communication and computational overhead due to the system’s high
availability requirements (Khurana et al., 2010). This presents additional challenges because there may be
a large number of personnel that potentially need to access a system. Moreover, the large number of field
devices (e.g., IEDs) must each be able to authenticate all possible individuals who may need to manage
those systems. This creates a need for authentication protocols that can run on each field device to commu-
nicate authentication data back to a central server, often in the control center. For example, if a utility has
j substations with an average of n devices that need to be accessed by m employees, the number of stored
credentials (e.g., usernames and passwords) would be (j × n × m). This creates tremendous overhead every
time credentials need to be updated or employees are added/removed.
This problem can be addressed by utilizing authentication servers (e.g., active directory and lightweight
directory access protocol) and protocols (e.g., RADIUS and TACACS+) to enable distributed authentication.
Each device must then be able to use the authentication protocol to query the authentication server for
each login. While this approach reduces the managerial overhead for credentials, it also creates a strong
dependency on the network communication and the authentication server. It will not be possible for the user to
authenticate to a device if either the authentication server or the network is unavailable. This could present a
serious problem if a substation needs to be remotely accessed in an emergency scenario.

4.4 Access Control


As discussed in the previous section, a wide variety of users and devices may need to access various sub-
station devices. However, each user may require unique privileges to read and manipulate information on
those devices. Access control mechanisms are used to limit access to substation control functions and data,
ensuring that users do not have any access outside of what is required to perform their specific job func-
tion. Moreover, access to network resources should also be limited to ensure that systems cannot access
unnecessary devices and services. This section explores both user and network access control mechanisms
necessary to protect substations.

4.4.1 User Access Control


Employees that need to access substation devices require a wide array of privileges due to their different
job functions. For example, operators may need to control and monitor the grid, while engineers should be
able to reconfigure devices and do not need the ability to operate commands. With traditional access control
approaches (e.g., discretionary access control), the permissions for each employee must be configured indi-
vidually, which can be time consuming. In addition, employees may be hired, terminated, or may change
job responsibilities; each of these functions will require time spent reconfiguring the access control policies
on each device.
IEC 62351 recommends that an RBAC approach be supported by substation systems (Lee et al., 2015).
In RBAC, the privileges of a user are directly based on their roles within the organization and each role is
configured to have some set of privileges based on the role’s job functions. When an employee changes jobs,
joins, or leaves, the appropriate permissions can be assigned by adding that employee to the appropriate role.
IEC 62351 identifies numerous roles that should be supported by substation devices and it also identifies the
privileges that each role should have on substation operational data. Table 6 displays a subset of the roles
defined in IEC 62351, along with the required privileges for the role.


Table 6 IEC 62351 RBAC roles and permissions

             Privileges
Roles        View   Read   Control   Reporting   Dataset
Viewer       ✓      –      –         –           –
Operator     ✓      ✓      ✓         –           –
Engineer     –      ✓      –         ✓           ✓

4.4.2 Network Access Control


Network access control is the process of verifying that only authorized devices, services, and users are
able to access substation systems, by enforcing traffic flows and network access policies. Firewalls are the
devices most commonly used to enforce network access control. Often, firewall approaches are categorized on the
basis of the TCP/IP layer where the filtering occurs. Two primary approaches are packet-filtering firewalls
and application-level firewalls.
Packet-filtering firewalls can be deployed to enforce rules concerning the systems and services that should
be allowed to communicate over a network. For example, substation devices should only allow remote access
to the SCADA server and engineering workstations, blocking all other traffic coming from any external IP
address. While packet-filtering approaches provide a layer of protection against a system sending malicious
data, they do not totally stop all potential malicious traffic.
Application-level firewalls provide additional protection by enforcing network access control policies at
the application layer. By configuring the firewall with the information on the application-layer protocol
and message types used to send measurements and control packets, the system can determine if incor-
rect or potentially malicious control data is transmitted. Work by Mander, Cheung, and Nabhani (2010)
explores potentially malicious DNP3 object codes that could cause damage to power systems. Applica-
tion firewalls can have rules to monitor and analyze the DNP3 object codes for each message and then
ensure that only valid messages are allowed through the firewall. The work by Wu, Liu, and Stefanov
(2014) identifies key filtering parameters for substation firewalls, including (i) MAC addresses, (ii) source
and destination IP address, (iii) transport protocol (e.g., TCP/UDP), (iv) TCP port number, and (v) DNP
function code.
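An added example (not code from the chapter or from Wu, Liu, and Stefanov) of a default-deny filter that evaluates the five parameters listed above for one IED; the MAC/IP addresses, the policy and the sample packets are constructed, and the DNP3 function code values are the IEEE 1815 assignments.

```python
from dataclasses import dataclass

# DNP3 application-layer function codes (IEEE 1815) referenced by the rules.
READ, WRITE, SELECT, OPERATE, DIRECT_OPERATE = 0x01, 0x02, 0x03, 0x04, 0x05
COLD_RESTART = 0x0D
DNP3_PORT = 20000


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "TCP" or "UDP"
    dst_port: int
    func_code: int    # DNP3 application function code of the request


@dataclass(frozen=True)
class Rule:
    name: str
    src_mac: str           # (i) MAC address, bound to the IP so a spoofed IP alone is not enough
    src_ip: str            # (ii) source IP
    dst_ip: str            # (ii) destination IP
    proto: str             # (iii) transport protocol
    dst_port: int          # (iv) TCP port
    func_codes: frozenset  # (v) permitted DNP3 function codes

    def matches(self, p):
        return (p.src_mac == self.src_mac and p.src_ip == self.src_ip
                and p.dst_ip == self.dst_ip and p.proto == self.proto
                and p.dst_port == self.dst_port and p.func_code in self.func_codes)


# Constructed policy for one IED (10.0.2.21): the SCADA master may control it,
# the engineering workstation may only read, and everything else is dropped.
RULES = (
    Rule("scada-master", "00:1a:2b:3c:4d:01", "10.0.1.10", "10.0.2.21", "TCP",
         DNP3_PORT, frozenset({READ, WRITE, SELECT, OPERATE, DIRECT_OPERATE})),
    Rule("eng-workstation", "00:1a:2b:3c:4d:02", "10.0.1.20", "10.0.2.21", "TCP",
         DNP3_PORT, frozenset({READ})),
)


def evaluate(packet, rules=RULES):
    """Return the name of the first matching allow rule, or None (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.name
    return None


# Constructed traffic sample; each packet exercises one filtering parameter.
SAMPLE = [
    Packet("00:1a:2b:3c:4d:01", "10.0.1.10", "10.0.2.21", "TCP", DNP3_PORT, OPERATE),
    Packet("00:1a:2b:3c:4d:02", "10.0.1.20", "10.0.2.21", "TCP", DNP3_PORT, READ),
    Packet("00:1a:2b:3c:4d:02", "10.0.1.20", "10.0.2.21", "TCP", DNP3_PORT, OPERATE),  # no control
    Packet("00:1a:2b:3c:4d:99", "192.0.2.7", "10.0.2.21", "TCP", DNP3_PORT, READ),     # external
    Packet("00:1a:2b:3c:4d:02", "10.0.1.10", "10.0.2.21", "TCP", DNP3_PORT, OPERATE),  # wrong MAC
    Packet("00:1a:2b:3c:4d:01", "10.0.1.10", "10.0.2.21", "TCP", DNP3_PORT, COLD_RESTART),
    Packet("00:1a:2b:3c:4d:01", "10.0.1.10", "10.0.2.21", "UDP", DNP3_PORT, READ),     # wrong proto
]


def filter_sample(packets=SAMPLE):
    """Decisions for each packet in order: rule name when allowed, None when dropped."""
    return [evaluate(p) for p in packets]
```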
Figure 3 provides an example firewall configuration for a substation. This example illustrates a
demilitarized zone (DMZ) as recommended by NERC for remote access sessions to ESPs, such as substa-
tions (North American Electric Reliability Corporation (NERC), 2011). The DMZ provides an additional
layer of security so that remote users who need to access the substation cannot directly access the opera-
tional components of the substation. Users authenticate into the DMZ in order to access a remote access
server. From this point, they can then remotely access the operational substation components. The substa-
tion firewalls must be able to quickly forward SCADA data between the operational substation LAN and
the control center.

4.5 Intrusion Detection Systems


While the previous sections identified that security protections can be used to protect networks from attacks,
a failure in the design or implementation of these techniques may still allow an attacker to access the sub-
station. IDSs can identify and alert system operators about any malicious activity within a substation. While
there are many different generalized intrusion detection approaches, the specific protocols, devices, and


[Figure 3: elements shown are Corporate, Control center, SCADA, Remote access, WAN, DMZ, Firewall, Remote access server, VPN, Firewall, and Substation Operational LAN.]

Figure 3 Substation DMZ architecture

performance requirements within substations require more tailored technologies. Numerous IDS meth-
ods have been explored for their application to modern substations, including signature, anomaly, and
specification-based approaches. Each approach has trade-offs in ease of use, along with its propensity
to false-positive (type-I) and false-negative (type-II) errors.
Signature-based IDS techniques, such as Snort (Roesch, 1999), work by comparing all network activity
against a database of known attack patterns (or “signatures”). This approach is extremely common in tra-
ditional IT environments because it generally produces low false-positive rates. However, in order to use
signature-based approaches within a substation, new signatures need to be developed specific to the substa-
tion communication protocols and devices. Some initial work has been done exploring special signatures
for common substation protocols, such as DNP3 and Modbus (QuickDraw SCADA IDS. DigitalBond Inc.,
2011). While this work provides initial protocol signatures, they are not directly tailored toward common
substation implementations. The following list provides examples of DNP3 protocol misuses that can be
detected by these signatures.

• Unsolicited response messages
• Stop applications
• Function code scans
• Unauthorized requests

While signature-based approaches provide low false positives, they are largely ineffective against new
attacks that do not yet have a signature. Anomaly-based approaches, which monitor unusual system behav-
iors in an attempt to categorize attacks, have been explored as a means of overcoming the limitations of
signature-based approaches. The detection of anomalies is often done through some statistical analysis or
machine learning approach (e.g., clustering, neural networks, support vector machines). This technique
could be very useful in substation environments, which often see fewer anomalies than traditional IT
environments.


Table 7 Host and network indicators

Host Indicator            Network Indicator
Intrusion attempt         Packet frequency threshold
File system change        Sequence/state number
Change of IED setting     Timestamps
Breaker status change     Data values

Work by Hong, Liu, and Govindarasu (2014) explored anomaly detection techniques for substations
based on device and network events. Network-specific properties incorporated in the IDS include common
substation protocols (e.g., GOOSE, SV), along with the communication patterns used to change breaker
status or update voltage and current measurements. This approach collects indicator information across
a wide array of host and network parameters, which are identified in Table 7. The work then computes
substation vulnerability indices and alerts on the basis of the anomalies observed from the indicator
data sets.
Specification-based IDS approaches have also been explored to protect substation communication. This
approach differs from anomaly and signature-based approaches as its functionality is based on the design of
a specification for the intended system behavior. This specification is then used as a basis to compare all new
network events. For example, work by Lin et al. (2013) demonstrated a specification-based IDS for DNP3
SCADA communications based on the Bro platform. The security policies defined in this work explore both
the structure and the temporal sequences of packets. First, a parser validates the packet when it is initially
received to ensure it does not have any structural violations. The policy also then specifies some temporal
sequences of packets based on the DNP3 function codes and objects.

5 Conclusions and Further Reading


Modern substations are becoming increasingly interconnected and are continuing to expand their depen-
dency on information and communications technology. Numerous vulnerabilities have been discovered in
the devices and communications commonly found within these environments. This chapter provides an
overview of modern substation information architectures, cyber vulnerabilities within substations, and vari-
ous security mechanisms that can be used to protect these systems. It also addresses current standards that are
used to guide the implementation of these systems in industry. Key substation protection measures include
encryption, authentication, access control, firewalls, and IDSs.
While the chapter identifies many of the current technologies used to protect substations, there is a strong
need for additional research and development in this area. Utilities encounter many economic, technical, and
operational challenges when securing substations. Specific areas that have strong needs for future research
include the following:

• Authentication and encryption techniques with reduced communication latency
• IDS approaches with bounded false-positives and false-negatives that are verifiably proven to meet sub-
station operational requirements
• Methods to deploy and protect the various cryptographic keys used to perform the various authentication
and encryption functions
• Tools to help verify that substation designs and devices meet the requirements of the various standards.


While this chapter provides a brief overview of substation cybersecurity, much more information is avail-
able on this topic. Here is a list of additional reading material that can provide a more in-depth overview of
the various topics addressed in the chapter.

• A Survey on Cyber Security for Smart Grid Communications (Yan et al., 2012)
• Cyber Security in the Smart Grid: Survey and Challenges (Wang and Lu, 2013)
• Authentication and Authorization Mechanisms for Substation Automation in Smart Grid Network
(Vaidya, Makrakis, and Mouftah, 2013)
• NISTIR 7628, Guidelines for Smart Grid Cybersecurity (NISTIR 7628, 2010)

References
Cleveland, F. (2012) IEC TC57 WG15: IEC 62351 Security Standards for the Power System Information Infrastructure.
Hauser, C., Manivannan, T., and Bakken, D. (2012) Evaluating Multicast Message Authentication Protocols for Use in Wide Area
Power Grid Data Delivery Services. 2012 45th Hawaii International Conference on System Science (HICSS), pp. 2151–2158, 4–7
Jan.
Hong, J., Liu, C.-C., and Govindarasu, M. (2014) Integrated anomaly detection for cyber security of the substations. IEEE Transactions
on Smart Grid, 5 (4), 1643–1653.
IEEE 1815-2010 (2010) DNP3 Version 5, Secure Authentications. Institute of Electrical and Electronics Engineers (IEEE), https://www
.dnp.org/Lists/Announcements/Attachments/7/Secure%20Authentication%20v5%202011-11-08.pdf (accessed 24 October 2015).
IEEE-1815 (2012) Standard for Electric Power Systems Communications Distributed Network Protocol (DNP).
IEEE Std C37.240TM-2014 (2014) Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems.
IEEE Power and Energy Society.
Khurana, H., Bobba, R., Yardley, T., et al. (2010) Design Principles for Power Grid Cyber-Infrastructure Authentication Protocols.
Proceeding of the 43rd Hawaii International Conference on System Sciences.
Lee, B., Kim, D.-K., Yang, H., et al. (2015) Role-based access control for substation automation systems using XACML. Information
Systems, 53, 237–249, ISSN 0306-4379, 10.1016/j.is.2015.01.007.
Lin, H., Slagell, A., Di Martin, C., et al. (2013) Adapting Bro into SCADA: Building a Specification-Based Intrusion Detection Sys-
tem for the DNP3 Protocol. Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
(CSIIRW ’13), 4 pages.
Mander, T., Cheung, R., and Nabhani, F. (2010) Power system DNP3 data object security using data sets. Computers & Security, 29 (4),
487–500, ISSN 0167-4048.
Mohagheghi, S., Stoupis, J., and Wang, Z. (2009) Communication Protocols and Networks for Power Systems – Current Status and
Future Trends. Proceedings of Power Systems Conference and Exposition (PES ’09).
NISTIR 7628 (2010) Guidelines for Smart Grid Cybersecurity. National Institute of Standards and Technology (NIST), September.
North American Electric Reliability Corporation (2010) Real-Time Application of Synchrophasors for Improving Reliability, http://
www.nerc.com/docs/oc/rapirtf/RAPIR%20final%20101710.pdf (accessed 24 October 2015).
North American Electric Reliability Corporation (NERC) (2011) Guidance for Secure Interactive Remote Access, http://www.nerc
.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf (accessed 24 October
2015).
North American Electric Reliability Corporation (NERC) (2013) Critical Infrastructure Protection (CIP) Standards, http://www.nerc
.com/pa/Stand/Pages/CIPStandards.aspx (accessed 24 October 2015).
QuickDraw SCADA IDS. DigitalBond Inc. (2011) http://www.digitalbond.com/?s=quickdraw (accessed 24 October 2015).
Roesch, M. (1999) Snort – Lightweight Intrusion Detection for Networks. Proceedings of the 13th USENIX conference on System
administration (LISA ’99). USENIX Association, Berkeley, CA, pp. 229–238.
Smith, R. (2014) Assault on California Power Station Raises Alarm on Potential for Terrorism. Wall Street Journal (Feb 5).
Thomas, M.S. and Ali, I. (2010) Reliable, fast, and deterministic substation communication network architecture and its performance
simulation. IEEE Transactions on Power Delivery, 25, 2364–2370.
U.S. Government Accountability Office (GAO) (2015) Defense Infrastructure: Improvements in DoD Reporting and Cybersecurity
Implementation Needed to Enhance Utility Resilience Planning.
Vaidya, B., Makrakis, D., and Mouftah, H.T. (2013) Authentication and authorization mechanisms for substation automation in smart
grid network. IEEE Network, 27 (1), 5–11.
Wang, W. and Lu, Z. (2013) Cyber security in the smart grid: survey and challenges. Computer Networks, 57 (5), 1344–1371.


Weis, B., Seewald, M., and Falk, H. (2013) IEC 62351 Security Protocol support for GDOI. Internet Engineering Task Force (IETF)
June, https://tools.ietf.org/html/draft-weis-gdoi-iec62351-9-00 (accessed 24 October 2015).
Wu, S.-S., Liu, C.-C., and Stefanov, A. (2014) Distributed Specification-Based Firewalls for Power Grid Substations. Innovative Smart
Grid Technologies Conference Europe (ISGT-Europe), 2014 IEEE PES, pp. 1–6, 12–15 Oct.
Yan, Y., Qian, Y., Sharif, H., et al. (2012) A survey on cyber security for smart grid communications. IEEE Communications Surveys
& Tutorials, 14 (4), 998–1010, Fourth Quarter.
