ENCS has published a new set of security requirements for distribution automation (DA) RTUs. The requirements were developed in the ENCS member project on procuring secure equipment. They update the requirements produced in the member project on distribution automation in 2016.

The requirements have been split into two parts:

The requirements are based on a risk assessment for distribution automation systems.

Market survey on distribution automation security

ENCS verified the feasibility of the requirements in a market survey among RTU vendors. The survey shows that the RTUs now in the market can meet the new security requirements. Most of the RTUs surveyed fully support the more advanced features included:

  • centralized, role-based access control for maintenance engineers using for instance RADIUS or LDAP;
  • modern cryptographic algorithms with keys long enough for the next ten years;
  • digital signatures to verify the authenticity of firmware before installation;
  • secure communication to the SCADA system using TLS or an IPsec tunnel terminating at the RTU.

Roadmap for 2020

ENCS plans to publish a minor update to the distribution automation security requirements at the end of 2020. The goal is to standardize how centralized access control, communication security, and key management are implemented. In the standardization, the IEC 62351 standard will be followed were possible. ENCS expects the following more specific requirements:

  • For access control, both LDAP as in IEC 62351-8 and RADIUS will be required;
  • For communication security, both TLS as in IEC 62351-3 and IPsec will be required
  • For key management, the Simple Certificate Enrollment Protocol (SCEP) as in IEC 62351-9 will be requried. Enrollment over Secure Transport (EST) will be optional.

Additionally, ENCS will explore solutions to standardize the maintenance of large numbers of RTUs. Draft requirements will be shared with ENCS members and RTU vendors for comments in the second half of 2020.