SC-301-2020: Security requirements for procuring SCADA applications

This document gives security requirements that grid operators can use directly in their procurement documents for SCADA application software.

The supervisory control and data acquisition (SCADA) system is the core of the grid operation infrastructure for both transmission system operators (TSOs) and distribution system operators (DSOs). The SCADA system is critical to the business continuity of grid operators.

At the same time, the SCADA system’s core position also makes it attractive to anyone trying to sabotage the electricity grid. Through the SCADA system, they can control thousands of field devices. So, SCADA systems should be strongly secured.

But securing these systems is becoming more difficult as they are becoming more connected. The time when SCADA systems were stand-alone, air-gapped systems has long passed. Most grid operators have now connected them to their enterprise IT systems to export data for grid planning and to import geographic information. The vendor of the SCADA system often has remote access for maintenance. Control centers of other grid operators are connected. Field equipment from distributed energy resources (DER) or customers feeding in gas is being connected. And field engineers are getting remote access to get a better view of the system and to give feedback about executing switching actions. Each connection creates a possibility for attackers to get into the SCADA system.

This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents. The requirements have been thoroughly reviewed by both grid operators and SCADA vendors. They are designed to fit into the processes and procedures already in place in the organizations, and to find a good balance between security and operational impact.


SA-201-2020: Security architecture for substation automation systems

This document provides a recommended security architecture for substation automation (SA) systems. It gives a set of technical measures that those designing and maintaining SA systems can use to mitigate security risks.

Substations are being more and more automated. Not only are they remotely monitored and controlled through a SCADA system, but local protection functions are also being implemented in software.

The automation means that cyber-attacks can have a large impact. Through remote switching it is possible to create blackouts. Attacks that can disable the software protection functions can lead to permanent damage to transformers, lines, and busbars, and endanger the safety of engineers.

Untargeted attacks can already be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance through infected USB sticks. Recovering from such incidents can have significant costs.

In 2015 and 2016, the cyber-attacks in Ukraine were the first cases of a targeted cyber-attack against a power grid. They show that there are groups that can perform such attacks and are willing to do so. The Industroyer malware that was probably used in the 2016 attack targets the IEC 60870-5-104 and IEC 61850 protocols, which are used primarily by grid operators. It includes a denial-of-service attack that can disable protection functions on SIPROTEC 4 protection relays.

To counter such threats, grid operators are improving the cyber-security of their substations. But they are hampered by the technical capabilities of the equipment. Equipment sometimes stays in substations for fifteen or twenty years. So there is much legacy equipment without security capabilities. And even on modern equipment some capabilities are still missing. Communication within the substation, for instance, cannot yet be properly secured, and not all equipment can be easily patched.
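Because the substation protocols themselves often cannot be authenticated on installed equipment, and the Industroyer tooling speaks IEC 60870-5-104, a common compensating measure is passive monitoring of that traffic for control commands from unexpected hosts. The following monitor is an added example, not code from the ENCS architecture document; the allow-listed master address, the sample frames and the alert format are constructed for the example, while the APCI/ASDU layout it parses is the one defined in IEC 60870-5-104.

```python
"""Passive monitor for IEC 60870-5-104 control commands (added example).

Parses the APDU framing and ASDU header of IEC 60870-5-104 and raises an
alert when a command (single/double command, interrogation, ...) is sent
by a host that is not the allow-listed control-center front end.
All addresses and frames below are constructed for this example.
"""
import struct
from typing import List, Optional

START_BYTE = 0x68

# Type identifications (IEC 60870-5-101 table) that carry commands to the field.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 interrogation command",
}
ACTIVATION_CAUSES = {6, 8}  # COT 6 = activation, COT 8 = deactivation

# Constructed allow-list: only the control-center front end may issue commands.
ALLOWED_MASTERS = {"10.1.1.10"}


def parse_apdu(data: bytes) -> dict:
    """Parse one APDU (APCI + optional ASDU) into its fields."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match frame size")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:
        fmt = "I"          # information transfer: carries an ASDU
    elif c1 & 0x03 == 0x01:
        fmt = "S"          # supervisory: acknowledgement only
    else:
        fmt = "U"          # unnumbered control (STARTDT/STOPDT/TESTFR)
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    apdu["send_seq"] = (c1 >> 1) | (c2 << 7)
    apdu["recv_seq"] = (c3 >> 1) | (c4 << 7)
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    apdu.update({
        "type_id": type_id,
        "count": vsq & 0x7F,             # number of information objects
        "sequence": bool(vsq & 0x80),    # SQ bit: consecutive IOAs
        "cause": cot & 0x3F,             # cause of transmission
        "negative": bool(cot & 0x40),
        "test": bool(cot & 0x80),
        "originator": originator,
        "common_address": struct.unpack("<H", asdu[4:6])[0],
    })
    body = asdu[6:]
    if type_id in CONTROL_TYPES and len(body) >= 4:
        # Every command object starts with a 3-byte information object address.
        apdu["ioa"] = body[0] | (body[1] << 8) | (body[2] << 16)
        apdu["element"] = body[3]
        if type_id in (45, 58):          # SCO: bit 7 = select (1) / execute (0), bit 0 = state
            apdu["select"] = bool(body[3] & 0x80)
            apdu["state"] = body[3] & 0x01
    return apdu


def check_frame(src_ip: str, data: bytes) -> Optional[dict]:
    """Return an alert dict if this frame is a command from a non-allow-listed host."""
    apdu = parse_apdu(data)
    if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_TYPES:
        return None
    if apdu["cause"] not in ACTIVATION_CAUSES:
        return None                      # confirmations/terminations are replies, not commands
    if src_ip in ALLOWED_MASTERS:
        return None
    return {
        "src": src_ip,
        "type": CONTROL_TYPES[apdu["type_id"]],
        "common_address": apdu["common_address"],
        "ioa": apdu.get("ioa"),
    }


def monitor(frames: List[tuple]) -> List[dict]:
    """Run check_frame over (src_ip, apdu_bytes) pairs and collect the alerts."""
    alerts = []
    for src, data in frames:
        alert = check_frame(src, data)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed capture: STARTDT, a legitimate single command, a spontaneous
# indication from the RTU, then a single command and an interrogation from a rogue host.
SAMPLE_FRAMES = [
    ("10.1.1.10", bytes.fromhex("680407000000")),
    ("10.1.1.10", bytes.fromhex("680e000000002d010600010001000001")),
    ("10.1.2.20", bytes.fromhex("680e0200000001010300010005000001")),
    ("10.1.1.99", bytes.fromhex("680e000000002d010600010001000001")),
    ("10.1.1.99", bytes.fromhex("680e0000000064010600010000000014")),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FRAMES):
        print("ALERT", alert)
```

The check keys on the cause of transmission so that an RTU's activation confirmation (COT 7), which echoes the same type ID back to the master, is not mistaken for a command. In a real deployment the allow-list would be per common address, and the monitor would sit on a SPAN port or tap so it cannot itself become a path into the substation.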

The security of substations therefore relies on the security architecture of the substation as a whole. This document provides a recommended architecture,


WP-026-2020: Zero-trust SCADA systems

This whitepaper analyzes what would be needed to implement zero trust for SCADA systems.

SCADA systems are probably the most critical systems for most grid operators. A successful cyber-attack on a SCADA system could disrupt the electricity supply in a grid operator’s entire region, and possibly even further.

Up to now, SCADA systems have been protected against cyber-attack at the perimeter. Through firewalls, demilitarized zones, jump servers, and physical security measures, the goal was to keep attackers out of the core SCADA networks.

If attackers get into the core networks, most grid operators assume the SCADA system is fully compromised. The SCADA servers, workstations, and applications are not designed to resist attacks. Security updates are applied infrequently, weak passwords are used, and communication between servers is not protected.

SCADA systems would be more resilient against attacks if they were designed with a zero trust philosophy. Instead of relying on the perimeter for defense, it is assumed that any part of the system can be compromised. Endpoints and applications should therefore not trust each other. They should be designed to keep working as well as possible even when other parts are compromised.
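What "not trusting each other" means in code is that the receiving application, not the network segment, decides whether a message is acted on. The following is an added example of such a check between two SCADA components, not code from the ENCS whitepaper: every message carries an HMAC-SHA256 tag under a key shared only with its sender, and the receiver verifies the tag, the timestamp, a nonce against replay, and its own authorization policy before acting. The component names, keys, operations and policy are constructed for the example.

```python
"""Per-message authentication and authorization between SCADA components (added example).

A compromised host on the same network segment cannot issue commands to the
gateway application below: it needs the sender's link key, a fresh timestamp
and nonce, and the sender must be authorized for the operation it requests.
Component names, keys and the policy are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple


def canonical(body: dict) -> bytes:
    """Deterministic serialization so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(sender: str, key: bytes, operation: str, target: str,
                 now: Optional[float] = None, nonce: Optional[str] = None) -> dict:
    """Build a message envelope: the authenticated body plus its HMAC tag."""
    body = {
        "sender": sender,
        "operation": operation,
        "target": target,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Receiving-side checks; every inbound message goes through verify()."""

    def __init__(self, link_keys: Dict[str, bytes], policy: Dict[str, Set[str]],
                 max_skew: int = 30):
        self.link_keys = link_keys      # sender id -> key shared with that sender only
        self.policy = policy            # sender id -> operations it may request here
        self.max_skew = max_skew        # seconds; also bounds the replay window
        self.seen: Set[Tuple[str, str]] = set()   # (sender, nonce) already accepted

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        body = msg.get("body") or {}
        sender = body.get("sender")
        key = self.link_keys.get(sender)
        if key is None:
            return False, "unknown sender"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; the tag check comes first so nothing below trusts the body.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        now = time.time() if now is None else now
        if abs(now - body.get("ts", 0)) > self.max_skew:
            return False, "stale"
        nonce_key = (sender, body.get("nonce"))
        if nonce_key in self.seen:
            return False, "replay"
        if body.get("operation") not in self.policy.get(sender, set()):
            return False, "not authorized"
        self.seen.add(nonce_key)
        return True, "ok"


# Constructed link keys and policy of an RTU gateway application.
LINK_KEYS = {
    "scada-fe-01": bytes.fromhex("a3" * 32),
    "hmi-01": bytes.fromhex("5c" * 32),
}
POLICY = {
    "scada-fe-01": {"read_measurements", "execute_switch"},
    "hmi-01": {"read_measurements"},   # the HMI may look; only the front end may switch
}


def demo(now: float = 1_700_000_000.0) -> Dict[str, str]:
    """Exercise the verifier with constructed messages; returns the verdict per scenario."""
    gateway = Verifier(LINK_KEYS, POLICY)
    fe_key = LINK_KEYS["scada-fe-01"]
    fe_cmd = sign_message("scada-fe-01", fe_key, "execute_switch", "breaker-12", now, "n1")
    results = {"front_end_switch": gateway.verify(fe_cmd, now)[1]}
    results["replayed_switch"] = gateway.verify(fe_cmd, now)[1]
    tampered = {"body": dict(fe_cmd["body"], target="breaker-99", nonce="n2"), "tag": fe_cmd["tag"]}
    results["tampered_target"] = gateway.verify(tampered, now)[1]
    hmi_cmd = sign_message("hmi-01", LINK_KEYS["hmi-01"], "execute_switch", "breaker-12", now, "n3")
    results["hmi_switch"] = gateway.verify(hmi_cmd, now)[1]
    old = sign_message("scada-fe-01", fe_key, "read_measurements", "bay-3", now - 600, "n4")
    results["stale_read"] = gateway.verify(old, now)[1]
    rogue = sign_message("vendor-laptop", b"guessed-key", "execute_switch", "breaker-12", now, "n5")
    results["unknown_sender"] = gateway.verify(rogue, now)[1]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The order of the checks matters: the tag is verified before any field of the body is interpreted, so a forged timestamp or sender name cannot steer the later checks. In a deployment the link keys would be provisioned per pair of components (or replaced by mutually authenticated TLS with the same per-sender policy on top), and the set of seen nonces would be pruned once a message is older than the skew window.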

This document analyzes what additional measures would be needed to implement zero trust on top of the measures in the ENCS Security architecture for SCADA systems.


SC-201-2020: Security architecture for SCADA systems

This document provides a recommended security architecture for SCADA systems. The document is a draft shared with ENCS members for review.

The supervisory control and data acquisition (SCADA) system is the core of the grid operation infrastructure for both transmission system operators (TSOs) and distribution system operators (DSOs). The SCADA system is critical to the business continuity of grid operators.

The core position of SCADA systems also makes them attractive to anyone trying to sabotage the electricity grid. Through the SCADA system, they can control thousands of field devices. So, SCADA systems should be strongly secured.

But securing these systems is becoming more difficult as they are becoming more connected. The time when SCADA systems were stand-alone, air-gapped systems is long past. Most grid operators have now connected them to their enterprise IT systems to export data for grid planning and to import geographic information. The vendor of the SCADA system often has remote access for maintenance. Control centers of other grid operators are connected. Field equipment from distributed energy resources (DER) or customers feeding in gas is being connected. And field engineers are getting remote access to get a better view of the system and to give feedback about executing switching actions.

Each connection creates a possibility for attackers to get into the SCADA system. This document describes a security architecture for SCADA systems to mitigate these risks. It specifies the technical security measures grid operators can implement to secure the SCADA system.


SM-402-2020: Security test plan for data concentrators (draft)

Plan to test a data concentrator against the ENCS security requirements.

ENCS has developed a set of security requirements for procuring smart meters and data concentrators. The requirements are based on a risk assessment and a security architecture for the whole smart metering system. The security requirements can be used directly in the procurement process.

This document provides a standardized test plan to evaluate the data concentrator against the security requirements. By standardizing the test plan, the test results can be shared between grid operators. The vendor of the data concentrator can order a security test according to the test plan. If the data concentrator passes the tests, the vendor can use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give grid operators assurance in advance that there are data concentrators meeting the requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design and OCPP security conformance testing by an external lab;
  3. A penetration test by an external lab.

Draft version 0.3 for review.


SM-401-2020: Security test plan for smart meters (draft)

Plan to test a smart meter against the ENCS security requirements.

ENCS has developed a set of security requirements for smart meters and data concentrators. The requirements are based on a risk assessment and a security architecture for the smart metering infrastructure. The security requirements can be used directly in the procurement process.

This document provides a standardized test plan to evaluate the smart meters against the security requirements. By standardizing the test plan, the test results can be shared between grid operators. The vendor of the smart meter can order a security test according to the test plan. If the smart meter passes the tests, the vendor can use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give grid operators assurance in advance that there are smart meters meeting the requirements.

For a smart meter that uses the DLMS communication protocol, most security measures will be implemented through this protocol. They can therefore be effectively tested by an independent test lab with the tools needed to test DLMS. The lab should perform the following five test steps:

  • A review of security of the vendor development processes;
  • A technical review of the security design and implementation;
  • Functional tests of the security requirements implemented through DLMS;
  • Robustness testing of the network stacks;
  • A test of the physical tamper detection measures.

Draft version 0.3 for review.


SM-301-2020: Security requirements for procuring smart meters (draft)

This document provides functional and quality requirements for the security of smart meters, including requirements for secure development processes at the vendor. The requirements cover secure communication between the smart meters and the data concentrators and central system. They do not cover the security of the central systems themselves.

The requirements are meant for procuring new smart meters. Data concentrators are addressed separately. The requirements are not meant for legacy systems, although a selection of them can be used to improve the latter.

This document aims to help grid operators to set procurement requirements. It includes requirements that ENCS has developed for members in Austria, Czech Republic, the Netherlands and Portugal, which have been used in different tenders. They are set up to allow independent testing, and more than 30 smart meters have already been successfully tested against them. By using these requirements in their tender process, grid operators can benefit from their already high maturity level.

The measures are aligned with ISO 27001:2013. They are designed to fit as much as possible into the processes and procedures already in place in the organizations, and to find the needed balance between the assured security level, feasibility by vendors and the operational impact.

Draft version 2.6 for review.


SM-302-2020: Security requirements for procuring data concentrators (draft)

This document provides functional and quality requirements for the security of data concentrators, including requirements for secure development processes at the vendor. The requirements cover secure communication between the smart meters and the data concentrators and central system. They do not cover the security of the central systems themselves.

The requirements are meant for procuring new data concentrators. Smart meters are addressed separately. The requirements are not meant for legacy systems, although a selection of them can be used to improve the latter.

This document aims to help grid operators to set procurement requirements. It includes requirements that ENCS has developed for members in Austria, Czech Republic, the Netherlands and Portugal, which have been used in different tenders. They are set up to allow independent testing, and more than 15 data concentrators have already been successfully tested against them. By using these requirements in their tender process, grid operators can benefit from their already high maturity level.

The measures are aligned with ISO 27001:2013. They are designed to fit as much as possible into the processes and procedures already in place in the organizations, and to find the needed balance between the assured security level, feasibility by vendors and the operational impact.

Draft version 2.6 for review.


SM-201-2020: Security architecture for smart metering (draft)

This document provides a recommended security architecture for smart metering systems. The architecture can act as a blueprint for system integrators and the departments maintaining the system. Measures are chosen for the entire system, as this is usually more effective than choosing measures per component. It can be used as a reference by operators who are seeking to implement or to improve the security of a smart metering system, and can be complemented with the smart meter and data concentrator procurement requirements. The architecture is intended to be used together with an information security management system (ISMS) based on ISO 27001:2013 or similar, with each subsection of the document providing the relevant technical security measures for each objective in ISO 27001 Annex A.

The architecture covers the complete chain from smart meters to central systems, including data concentrators, if these are used.

Draft version 0.3 for review.