DA-301-2019: Security requirements for procuring DA RTUs [PUBLIC]

This document gives requirements for procuring secure RTUs for use in distribution automation systems, including:

  • medium to low voltage transformer substations;
  • medium voltage transport substations;
  • automatic circuit recloser controllers applied to overhead distribution lines.

The requirements concern the interfaces to the distribution automation system and the users on these interfaces. The measures are aligned with ISO/IEC 27001:2013. They are designed to fit as much as possible into the processes and procedures already in place in the organizations, and to find the needed balance between the assured security level, feasibility by vendors and the operational impact.

This harmonized set of requirements allows grid operators to get secure automation equipment more cost-effectively, saving their time and effort in developing requirements, as they are already freely available. It has been ensured that the requirements are feasible, as they have been tested in a market survey as well as in previous tenders by other operators. Lastly, these requirements save on implementation costs, as vendors get a common baseline to aim at, and only need to implement the security requirements once and then implement updates in their product roadmap.

The requirements are meant for procuring new RTUs, not for legacy systems, although grid operators may analyze which systems can be upgraded, updated or patched, once more, without disrupting the processes and procedures already in place.