OT-204-2020: Security architecture for engineering laptops (draft)

Every day, engineers from grid operators or their vendors use engineering laptops in their work. They use the laptops to configure and maintain equipment in critical OT systems, such as distribution or substation automation systems, the SCADA system, or the smart metering system. If a laptop is compromised or infected by malware, it can be used to gain access to any of these critical systems.

But the engineering laptops are also exposed to a wide range of threats. They can be infected by malware through the many network connections engineers need to make: to corporate IT systems to get configuration files or data from repositories, to the internet to get firmware, software and manuals from vendors, and to colleagues or contacts at vendors to get remote support. They can also be infected through the USB drives that are used to transfer data to field equipment. Or the laptops can be stolen or physically tampered with, as engineers take them wherever they go for their work.

So, as the laptops are exposed to many threats and the impact of a compromise could be high, it is important to secure them well. This document presents a security architecture to protect engineering laptops. It is intended to be used together with an information security management system (ISMS) based on ISO/IEC 27001:2013 or similar.


DA/SA-401-2021: Security test plan for RTUs and gateways (draft)

This document provides a plan to test remote terminal units (RTUs) and gateways against the security requirements in DA/SA-301-2021 Security requirements for RTUs and gateways.

When the requirements are used, the need arises to evaluate the RTU or gateway against the requirements. Most procurement processes include acceptance testing to make sure that the selected RTU or gateway meets all requirements. This document provides a standardized test plan to evaluate the RTU or gateway against the RTU and gateway security requirements.

By standardizing the test plan, the test results can be more easily shared between grid operators. The vendor of the RTU or gateway can perform security tests according to the test plan and then use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give grid operators assurance in advance that there are RTUs and gateways meeting the requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design by the grid operator, usually performed during selection;
  3. A penetration test by an external lab, usually performed after the RTU has been selected.

DA/SA-301-2021: Security requirements for procuring RTUs and gateways (draft)

This document gives security requirements that grid operators can use directly in their procurement documents for new remote terminal units (RTUs) and gateways for distribution automation and substation automation.

Grid operators are increasingly automating their medium voltage substations and lines with distribution automation and their high voltage substations with substation automation. They use these systems to get power measurements to reliably integrate renewables and electric vehicles, and to remotely control the grid to recover from power outages more quickly.

The automation increases the possible impact of cyber-attacks. Many grid operators already have thousands of substations and lines automated. If attackers succeed in switching off power in a large part of those, it can take a lot of time to recover.

Making sure the distribution and substation automation systems are secure is hence critical. Grid operators need to set good security requirements when procuring RTUs and gateways. The requirements should not lead to excessive cost when procuring thousands of RTUs, while still ensuring all security risks can be mitigated.

This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents. The requirements have been thoroughly reviewed by both grid operators and vendors. They are designed to fit into the processes and procedures already in place in the organizations, and to find a good balance between security and operational impact.

Harmonizing the requirements allows grid operators to more cost-effectively get secure automation equipment. It saves time and effort in developing requirements, as they are already freely available. It ensures the requirements are feasible, as they have been tested in a market survey, and in previous tenders by other operators. And it saves on implementation costs, as vendors get a common baseline to aim at. Grid operators are therefore encouraged to use these requirements when procuring new RTUs or gateways.


DA-201-2021: Security architecture for distribution automation systems (draft)

This document provides a recommended security architecture for distribution automation (DA) systems. It gives a set of technical measures that those designing and maintaining DA systems can use to mitigate security risks.

The medium voltage (MV) parts of the electricity grids are being more and more automated through DA. Grid operators use DA systems to measure the flow of electricity to allow the increasing use of renewable energy and electric vehicles. They use DA systems to remotely control switchgear to recover more quickly from outages.

But the increasing automation also increases the possible impact of cyber-attacks. If hackers gain access to the DA system, they may switch off the power in the MV grid. If they can also block the grid operator’s own access, it may take a long time to restore power. As the impact of such incidents is large, their likelihood should be minimized.

The security architecture gives technical measures to reduce this likelihood. It implements a defense-in-depth strategy: unauthorized access is prevented by multiple measures and can be detected through logging.

The architecture is intended to be used together with an information security management system (ISMS) that provides the organizational measures. The architecture is aligned with the ISO/IEC 27001:2013 [1] standard, commonly used for ISMSs.


SA-201-2021: Security architecture for substation automation systems (draft)

This document describes a recommended security architecture for substation automation systems. It gives a set of technical measures that those designing and maintaining such systems can use to mitigate security risks.

Substations are being more and more automated. Not only are they remotely monitored and controlled through a SCADA system, but local protection functions are also being implemented in software.

The automation means that cyber-attacks can have a large impact. Through remote switching, it is possible to create blackouts. Attacks that can disable the software protection functions can lead to permanent damage to transformers, lines, and busbars, and endanger the safety of engineers.

Untargeted attacks can already be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance through infected USB sticks. Recovering from such incidents can have significant costs.

In 2015 and 2016, the cyber-attacks in Ukraine were the first case of a targeted attack against the grid. They show that there are groups that can perform such attacks and are willing to do so. The Industroyer malware that was probably used in the 2016 attack targets the IEC 60870-5-104 and IEC 61850 protocols, widely used in substation automation. It includes a denial-of-service attack that can disable protection functions.

To counter such threats, grid operators are improving the cyber-security of their substations. But they are limited by the technical capabilities of the equipment. Equipment sometimes stays in substations for fifteen or twenty years, so there is much legacy equipment without security capabilities. And even on modern equipment, some capabilities are still missing. Communication within the substation can, for instance, not yet be properly secured, and not all equipment can be easily patched. This document provides a recommended security architecture that allows the major security risks to be mitigated with current technology.


SA-303-2021: Security requirements for procuring HMI software (draft)

This document gives security requirements that grid operators can use directly in their procurement documents for new Human Machine Interface (HMI) software for use in substation automation systems.

Substations are being more and more automated. Not only are they remotely monitored and controlled through a SCADA system, but local protection functions are also being implemented in software.

The automation means that cyber-attacks can have a large impact. Through remote switching, it is possible to create blackouts. Attacks that can disable the software protection functions can lead to permanent damage to transformers, lines, and busbars, and endanger the safety of engineers.

Untargeted attacks can already be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance, through infected USB sticks. Recovering from such incidents can have significant costs.

In 2015 and 2016, the cyber-attacks in Ukraine were the first case of a targeted attack against the grid. They show that there are groups that can perform such attacks and are willing to do so. The Industroyer malware that was probably used in the 2016 attack targets the IEC 60870-5-104 and IEC 61850 protocols, used primarily by grid operators. It includes a denial-of-service attack that can disable protection functions on SIPROTEC 4 protection relays.

To counter such threats, grid operators are improving the cyber-security of their substations. To help procure secure HMI software for new substation automation systems, this document provides a harmonized set of security requirements that can be used directly in their procurement documents.

The security requirements consist of a set of mandatory requirements that the HMI software should fulfill to be used securely in a substation, and optional requirements that allow the HMI to use centralized access control and communicate with IEDs over secure protocols.

The requirements have been thoroughly reviewed by ENCS members. They are designed to fit into the processes and procedures already in place in the organizations and to find a good balance between security and operational impact.


SA-302-2021: Security requirements for procuring IEDs and protection relays (draft)

This document gives security requirements that grid operators can use directly in their procurement documents for new Intelligent Electronic Devices (IEDs) and protection relays, used, for example, in substation automation systems.

Substations are being more and more automated. Not only are they remotely monitored and controlled through a SCADA system, but local protection functions are also being implemented in software.

The automation means that cyber-attacks can have a large impact. Through remote switching, it is possible to create blackouts. Attacks that can disable the software protection functions can lead to permanent damage to transformers, lines, and busbars, and endanger the safety of engineers.

Untargeted attacks can already be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance, through infected USB sticks. Recovering from such incidents can have significant costs.

In 2015 and 2016, the cyber-attacks in Ukraine were the first case of a targeted attack against the grid. They show that there are groups that can perform such attacks and are willing to do so. The Industroyer malware that was probably used in the 2016 attack targets the IEC 60870-5-104 and IEC 61850 protocols, used primarily by grid operators. It includes a denial-of-service attack that can disable protection functions on SIPROTEC 4 protection relays.

To counter such threats, grid operators are improving the cyber-security of their substations. To help procure secure IEDs for new substation automation systems, this document provides a harmonized set of security requirements that can be used directly in their procurement documents.

The security requirements consist of a set of mandatory requirements that an IED should fulfill to be used securely in a substation without connections to the central systems, and three sets of optional requirements that allow the IED to be accessed remotely for different purposes.

The requirements have been thoroughly reviewed by ENCS members. They are designed to fit into the processes and procedures already in place in the organizations and to find a good balance between security and operational impact.


GO-201-2021: ENCS security program plans for 2021 (member version)

This document describes the plan for the ENCS security programs for 2021. ENCS is running three long-term programs on policy, architecture and operations. The programs gather, develop and share knowledge on common security problems that ENCS members face. They aim to address the needs of different groups of security experts working at grid operators.


WP-032-2020: Centralized access control for field devices

This whitepaper recommends methods to implement centralized access control for field devices.

Centralized access control would allow grid operators to greatly improve the security of field devices, such as Remote Terminal Units (RTU), gateways, and even IEDs and protection relays. They can set a strong password policy with individual passwords for engineers and rules for password strengths and lifetimes. They can use role-based access control with engineers receiving only the access rights needed for their work. And they can assign log events to individual engineers to allow easier investigation of incidents.

Solutions for centralized authentication are now on the market. In an ENCS market survey on distribution automation RTUs [1] conducted in November 2019, eight of the nine vendors surveyed supported centralized access control. Most supported RADIUS (6 vendors) or LDAP (5 vendors). Moreover, a standard for access control is emerging in IEC 62351-8 [2]. All surveyed vendors said they were considering this standard. A new version was released in 2020, adding RADIUS as an authentication option.

But when using centralized authentication on field devices, there is a risk that credentials get compromised through physical attacks (see [3]). Many devices are placed at locations that are difficult to protect, such as substations or pole tops. They are usually not designed to resist physical attacks, lacking measures such as secure boot and protection of stored data. So, with a bit of skill and effort, attackers can take full control of a device. If credentials are then sent to the device, attackers can capture them and reuse them on other field devices, or even on other parts of the OT environment, to gain the same access the engineer has.

To mitigate this risk, grid operators should use an authentication method that does not give credentials to the field device in a reusable form. This whitepaper recommends two concrete methods.


WP-026-2020: Zero-trust SCADA systems

This whitepaper analyzes what would be needed to implement zero trust for SCADA systems.

SCADA systems are probably the most critical systems for most grid operators. A successful cyber-attack on a SCADA system could disrupt the electricity supply in a grid operator’s entire region, and possibly even further.

Up to now, SCADA systems have been protected against cyber-attack at the perimeter. Through firewalls, demilitarized zones, jump servers, and physical security measures, the goal was to keep attackers out of the core SCADA networks.

If attackers get into the core networks, most grid operators assume the SCADA system is fully compromised. The SCADA servers, workstations, and applications are not designed to resist attacks. Security updates are applied infrequently, weak passwords are used, and communication between servers is not protected.

SCADA systems would be more resilient against attacks if they were designed with a zero trust philosophy. Instead of relying on the perimeter for defense, it is assumed that any part of the system can be compromised. Endpoints and applications should therefore not trust each other. They should be designed to keep working as well as possible even when other parts are compromised.

This document analyzes what additional measures would be needed to implement zero trust on top of the measures in the ENCS Security architecture for SCADA systems.