WP-023-2020: Protecting distribution automation systems against physical attacks

This document provides a strategy for grid operators to protect distribution automation systems against physical attacks on field locations.

Grid operators rely on distribution automation to monitor and control their grid. Because of the increased use of renewables and electric vehicles, they need to understand what is going on in the medium and low voltage parts of the grid. So, they are placing remote terminal units (RTUs) at medium voltage substations or pole-top reclosers. The same RTUs can also allow quicker recovery from power outages by reconfiguring the grid.

But RTUs are difficult to protect against physical attacks. They are placed at medium voltage substations or pole-tops spread around a grid operator’s area. These cannot all be feasibly protected against break-ins. Yet, the RTUs do provide an entry point into the SCADA system to which they are connected.

Current RTUs are not designed to withstand physical attacks. On older RTUs, there may be accounts with default passwords or debug ports giving full access. On newer RTUs, these may be disabled. But determined attackers can obtain access by tampering with the boot process or programs stored in flash.

So, what can grid operators do to manage the risk of physical attacks on distribution automation RTUs? The best strategy is to harden the RTU itself as much as possible, while using the system architecture to limit the impact of determined attacks to a single location. This document describes this strategy. The strategy has been implemented in the 2020 version of the ENCS Security architecture for distribution automation systems and the Security requirements for procuring distribution automation RTUs.

WP-021-2020: Security requirements for hardware security measures

This document gives requirements that grid operators can use to specify hardware security measures.

More vendors are including hardware security measures in smart grid field devices. For instance, some encrypt the external flash modules on smart meters. Some use hardware security modules to encrypt key databases on data concentrators. And others are implementing secure boot through specialized chips on RTUs and IEDs. Such measures are useful for field devices, as they are exposed to physical attacks.

But some measures may not mitigate the real security risks. Protecting keys stored on smart meters is not that important if meters have unique keys. Attackers can decrypt or use key databases on data concentrators if they gain access to a running device.

To get effective measures, grid operators should therefore include specific requirements. This document gives requirements for hardware security measures that grid operators can use in their procurement documents.

WP-020-2020: Response to the EU consultation on network codes

In May 2020, the Directorate-General for Energy of the European Commission held a targeted stakeholder consultation on a priority list for the development of network codes and guidelines on electricity for the period 2020-2023 and on gas for 2020 (and beyond). In the consultation, they asked stakeholders to provide input on the need for, and adequate scope of, new electricity network codes on cyber security.

ENCS considers a network code on cyber security as an important regulation to protect the internal market for electricity against cyber-attacks. This can be done by:

  • Ensuring that each party sufficiently mitigates risks to the common electricity grid
  • Protecting information shared between parties in the market
  • Setting up means to detect and respond to cross-border cyber security incidents
  • Establishing a process to define minimum security requirements for products, systems, and services

WP-019-2019: Response to EU questionnaire on certification

On 2 December 2019, the EU Commission held a meeting to assess the need for cyber-security certification of products, systems and services in the energy sector under the Cybersecurity Act. In preparation for this meeting, they sent a questionnaire to the participants. This document contains the responses from ENCS to their questions.

WP-016-2019: Options for product certification

Whitepaper comparing different options for security certifications for products.

WP-015-2019: Security roadmap for substation automation

Many grid operators are considering new use cases for substation automation, such as direct IEC 61850 communication between the control center and IEDs, remote configuration of IEDs, and collecting disturbance data directly from IEDs. These use cases do not fit in the security architecture developed in the ENCS member project on substation automation. A key measure in this architecture is that IEDs cannot be accessed directly from central systems. This document describes the new security functions that would be needed in IEDs to allow direct access and keep them secure in future use cases.

WP-013-2019: Improving the security of legacy substations

This whitepaper describes a strategy to improve the security of legacy substations to which not all the security measures in the security architecture for substation automation can be applied.

WP-014-2020: Security monitoring for substation automation

This document presents a strategy to monitor the security of substations. The strategy makes it difficult for advanced threats to execute controlled attacks. Advanced threats may be able to penetrate into substations. But this only has value for them if they can stay there, and control or disrupt the grid at a moment that is expedient for them. So, they somehow need to establish a permanent foothold in the substation, and establish communication with it. The strategy tries to detect such a foothold.

WP-010-2019: Security policy for substation automation

This document describes the recommended security policies for each of the roles involved in substation automation. The policies cover:

  • Substation engineers configuring the equipment in the substation, including setting up the internal security measures
  • Other employees working at substations, but not configuring equipment
  • WAN network administrators configuring the perimeter firewalls
  • Team managers that need to enable the administrators and engineers to do their job securely
  • Security operations analysts responsible for coordinating vulnerability management and incident response
  • Procurement staff for buying new equipment with the right security capabilities

A concrete example policy is given for each group. This policy is linked to the controls in ISO 27002. Guidance is given on implementing the example policy at a particular grid operator. The policies apply both to employees and to contractors or service providers in the same role.