DA/SA-301-2022: Security requirements for procuring RTUs and gateways [DRAFT]

This document gives security requirements that grid operators can use in their procurement documents for new remote terminal units (RTUs) and gateways for distribution automation or substation automation.

Grid operators are increasingly automating their medium voltage substations and lines with distribution automation and high voltage substation with substation automation. They use these systems to get power measurements to reliably integrate renewables and electric vehicles, and to remotely control the grid to recover from power outages more quickly.

The automation increases the possible impact of cyber-attacks. Many grid operators already have thousands of substations and lines automated. If attackers succeed in switching off the power in a large part of those, it can take a lot of time to recover.

This document provides a harmonized set of security requirements that grid operators use directly in their procurement documents. The requirements have been thoroughly reviewed by both grid operators and vendors. They are designed to fit into the processes and procedures already in place in the organizations and to find a good balance between security and the operational impact.