DR-101-2020: Risk assessment for DER security

This document presents a security risk assessment of distributed energy systems, wind farms, and solar parks.

The use of renewable energy in the European grid is increasing. In 2019 alone, renewables already generated 34,5% of Europe's electricity. Distributed systems contributed significantly: photovoltaic systems with under one megawatt of generation capacity led the way. Their installed base has already reached 80,9 GW in the EU-27. Wind farms and solar parks contributed an additional 168,7 GW and 38 GW, respectively. Most of these systems connect to the medium voltage or low voltage distribution grids.

Each area of the European grid is prepared to support losses up to a certain amount. In Central Europe for example, this amounts to three gigawatts. This means that an attacker needs to target only a small number of installed systems to reach the critical amount. Thousands of distributed systems can be reached remotely. At the same time, there are already multiple wind farms and solar parks that have over 300 MW of installed capacity. This means that both remote and physical, targeted attacks may pay off on their own for a malicious actor.

In recent years, several attacks against electricity companies became public. The attacks in Ukraine in 2015 and 2016 significantly affected the grid. It is known that some nation-states are building offensive cybersecurity capabilities, and some have already been suspected of being involved in such attacks. That is why we can say with certainty that there are motivated and capable attackers out there who pose a significant risk to the grid. To them, distributed systems, wind farms, and solar parks could provide a simpler attack path than other systems.

Successful attacks can affect multiple parties differently. For owners, it can make it difficult to recover their investment. Manufacturers, installers, and O&M providers can incur unexpected costs, suffer reputational damage that affects future business, and be accused of failing in due care or due diligence. Grid operators can fail to meet their quality-of-service obligations, bringing legal implications or added costs. Cascading effects may hit society, leading to the failure of multiple critical infrastructures, and causing loss of life.

This document assesses the security risks in distributed systems to confirm that the security measures proposed in DR-201-2020: Security architecture for DER systems sufficiently mitigate these risks.


SE-201-2020: Security architecture for sensor systems

Grid operators depend on grid information for effective and efficient operation, maintenance, and planning. This information is traditionally collected by the SCADA system through remote terminal units (RTUs) or gateways placed at substations.

But in this way grid operators are only monitoring part of the grid. For many use cases, information cannot be collected in the traditional way. Examples are oil quality monitoring in the transformers, hot spot temperature monitoring in transformers and lines, copper theft detection and fault passage indication in overhead lines. Sensors collecting information for these cases can often not easily be connected to substation RTUs or gateways, because they are physically too far, or it is too costly to logically integrate them into the systems.

New sensors, often based on internet-of-things (IoT) technologies, are used to fill this gap. These sensors allow grid operators to get more data about the grid, at a lower cost.

But because of the goal of low cost, it is often not clear what security requirements can be set for the sensor systems. To keep the cost of sensors down, they have less computing power than RTUs or gateways. To reduce installation cost, the sensors are sometimes battery powered. So, some measures may not be feasible on the sensors. Also, to minimize the cost of installation and maintenance, security configuration and key management should take as little time as possible from engineers. So, these functions should be automated where possible.

This document provides a recommended security architecture for sensor systems, particularly those based on IoT technologies. It gives a set of technical measures that those designing and maintaining the systems can use to mitigate security risks by reducing their likelihood.


SE-301-2020: Security requirements for procuring sensors

This document gives security requirements that grid operators can use directly in their procurement documents for new sensors, in particular sensors based on internet-of-things (IoT) technologies.

Grid operators depend on grid information for effective and efficient operation, maintenance and planning. This information is traditionally collected by the SCADA system through remote terminal units (RTUs) or gateways placed at substations.

But in this way grid operators are only monitoring part of the grid. For many use cases, information cannot be collected in the traditional way. Examples are oil quality monitoring in the transformers, hot spot temperature monitoring in transformers and lines, copper theft detection, and fault passage indication in overhead lines. Sensors collecting information for these cases can often not easily be connected to substation RTUs or gateways, because they are physically too far, or it is too costly to logically integrate them into the systems.

New sensors, often based on IoT technologies, are used to fill this gap. These sensors allow grid operators to get more data about the grid, at a lower cost.

But because of the goal of low cost, it is often not clear what security requirements can be set for the sensor systems. To keep the cost of sensors down, they have less computing power than RTUs or gateways. To reduce installation cost, the sensors are sometimes battery powered. So, some measures may not be feasible on the sensors. Also, to minimize the cost of installation and maintenance, security configuration and key management should take as little time as possible from engineers. So, these functions should be automated where possible.

This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents for sensors. The requirements have been reviewed by both grid operators and sensor vendors. They are designed to fit into existing processes and procedures.


DR-301-2020: Procurement requirements for DER controllers

This report recommends security requirements for procurement of distributed energy resources (DER) controllers.

As alternative energy sources, such as wind, solar or heat, have become sustainable for small scale use, they are being placed in a wide variety of locations. These DER can be connected to the high, medium, or low voltage grid, contributing significantly to the electricity mix. A large loss of DER generation can severely disrupt the electrical grid.

DER are exposed to significant cyber risks. Their operations and maintenance are supported by information systems. Many activities are executed through remote access, especially in larger DER. Cyber criminals can attack the systems or communications to obtain money or information from some party. Nation states can damage the systems or cause a black-out by switching off enough locations.

A DER controller is the most critical architecture component in field locations. It is placed at the perimeter of a field location. It exchanges information with remote systems through untrusted networks. It uses that information to control the generation process. It exists in systems of all sizes. It can be called by another name or be integrated with other components.

This document recommends security requirements to procure DER controllers that are protected against these risks by design and by default. The requirements cover:

  • physical threats and threats from other components in the local network;
  • threats from the central systems and other threats in the external networks;
  • the development and support processes;
  • the relationship with the supplier.

WP-030-2020: Distribution automation RTU hardware security test report

This test report gives the results of testing a distribution automation remote terminal unit (RTU) against the hardware security requirements that ENCS has developed in its member project on hardware security. See:

The report gives a good overview of how the requirements can be tested, what vulnerabilities are typically found when RTU vendors first implement them, and how these vulnerabilities can be mitigated.

The test report is classified as TLP:AMBER. It is only shared with employees at ENCS members that need to know its contents for their work on distribution automation security.

To request a copy of the report, please contact info@encs.eu


DR-201-2020: Security measures for DER systems

This report recommends security measures for control systems of distributed energy resources (DER).

As alternative energy sources, such as wind, solar or heat, have become sustainable for small scale use, they are being placed in a wide variety of locations. These DER can be connected to the high, medium, or low voltage grid, contributing significantly to the electricity mix. A large loss of DER generation can severely disrupt the electrical grid.

DER are exposed to significant cyber risks. Their operations and maintenance are supported by information systems. Many activities are executed through remote access, especially in larger DER. Cyber criminals can attack the systems or communications to obtain money or information from some party. Nation states can damage the systems or cause a black-out by switching off enough locations.

The operator role is vital to protect DER systems. A large system operator monitors and controls the systems in real time. A small system operator should acknowledge alarms on a daily basis and take necessary actions with the shortest delay. In many cases, an operator accesses the system remotely or receives the information he needs through untrusted networks. He can also provide access to the system to other parties. DER parties can combine the operator role with other roles.

This document recommends security measures for DER operators to protect their systems and mitigate these risks. The measures cover threats to the systems and communications through the central systems, field locations and communications.


SC-301-2020: Security requirements for procuring SCADA applications

This document gives security requirements that grid operators can use directly in their procurement documents for SCADA application software.

The supervisory control and data acquisition (SCADA) system is the core of a grid operation infrastructure for both transmission system operators (TSOs) and distribution system operators (DSOs). The SCADA system is critical to the business continuity of grid operators.

At the same time, the SCADA system’s core position also makes it attractive to anyone trying to sabotage the electricity grid. Through the SCADA system, they can control thousands of field devices. So, SCADA systems should be strongly secured.

But securing these systems is becoming more difficult as they are becoming more connected. The time that SCADA systems were stand-alone, air-gapped systems has long passed. Most grid operators have now connected them to their enterprise IT systems to export data for grid planning and to import geographic information. The vendor of the SCADA system often has remote access for maintenance. Control centers of other grid operators are connected. Field equipment from distributed energy resources (DER) or customers feeding in gas is being connected. And field engineers are getting remote access to get a better view of the system and give feedback about executing switching actions. Each connection creates a possibility for attackers to get into the SCADA system.

This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents. The requirements have been thoroughly reviewed by both grid operators and SCADA vendors. They are designed to fit into the processes and procedures already in place in the organizations, and to find a good balance between security and operational impact.


EV-401-2020: Security test plan for EV charging stations (2017 requirements)

This document provides a plan to test electric vehicle (EV) charging stations against the EV Charging System Security Requirements, version 1.01 of August 2017, developed by ElaadNL and ENCS.

When the requirements are used, the need arises to evaluate the charging station against the requirements. Most procurement processes include acceptance testing to make sure that the selected charging station does indeed meet all requirements. This document provides a standardized test plan to evaluate the charging stations against the security requirements developed by ElaadNL and ENCS in 2017.

By standardizing the test plan, the test results can be shared between charge point operators. The vendor of the charging station can order a security test according to the test plan. If the charging station passes the tests, the vendor can use the test report to show compliance in all tenders that use the security requirements. This is expected to reduce the cost of testing and can give charge point operators assurance in advance that there are charging stations meeting the requirements.

If the vendor’s equipment provides additional security features, then this plan can be extended to include specific testing steps for the corresponding requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design and OCPP security conformance testing by an external lab;
  3. A penetration test by an external lab.

 


SC-201-2020: Security architecture for SCADA systems

This document provides a recommended security architecture for SCADA systems. The document is a draft shared with ENCS members for review.

The supervisory control and data acquisition (SCADA) system is the core of a grid operation infrastructure for both transmission system operators (TSOs) and distribution system operators (DSOs). The SCADA system is critical to the business continuity of grid operators.

The core position of SCADA systems also makes them attractive to anyone trying to sabotage the electricity grid. Through the SCADA system, they can control thousands of field devices. So, SCADA systems should be strongly secured.

But securing these systems is becoming more difficult as they are becoming more connected. The time that SCADA systems were stand-alone, air-gapped systems is long past. Most grid operators have now connected them to their enterprise IT systems to export data for grid planning and import geographic information. The vendor of the SCADA system often has remote access for maintenance. Control centers of other grid operators are connected. Field equipment from distributed energy resources (DER) or customers feeding in gas is being connected. And field engineers are getting remote access to get a better view of the system and give feedback about executing switching actions.

Each connection creates a possibility for attackers to get into the SCADA system. This document describes a security architecture for SCADA systems to mitigate these risks. It specifies the technical security measures grid operators can implement to secure the SCADA system.


EV-101-2019: Security risk assessment for EV charging infrastructure

Assessment of the security risks for a typical EV charging infrastructure.

As part of the energy transition, there has been a large growth of electric vehicles on the streets. By June 2018, already one million electric cars were registered in Europe and almost a quarter of cars are expected to be electric in 2030.

The electric vehicle (EV) charging infrastructure is being expanded to keep up with this growth. Millions of charging stations will be placed throughout Europe. Many will be remotely controlled by Charge Point Operators (CPOs).

These charging stations need to be protected against cyber-attacks. The electrical load that is controlled remotely by the CPOs will soon be large enough to affect the stability of the European grid. If the power on a large number of charging stations were switched off at the same time, this could lead to significant power outages.

ENCS has developed a security architecture for the EV charging infrastructure. The goal of this risk assessment is to show how the measures in this architecture sufficiently mitigate the security risks.