This document describes a recommended security architecture for substation automation systems. It gives a set of technical measures that those designing and maintaining such systems can use to mitigate security risks.
Substations are increasingly automated. Not only are they monitored and controlled remotely through a SCADA system; local protection functions are also increasingly implemented in software.
This automation means that cyber-attacks can have a large impact. Through remote switching, an attacker can cause blackouts. Attacks that disable the software protection functions can lead to permanent damage to transformers, lines and busbars, and endanger the safety of engineers on site.
Even untargeted attacks can be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance through infected USB sticks, and recovering from such incidents can be costly.
The cyber-attacks in Ukraine in 2015 and 2016 were the first known targeted attacks against a power grid. They show that there are groups that are both able and willing to perform such attacks. The Industroyer malware, which was probably used in the 2016 attack, targets the IEC 60870-5-104 and IEC 61850 protocols, both widely used in substation automation. It also includes a denial-of-service attack that can disable protection functions.
To counter such threats, grid operators are improving the cyber-security of their substations, but they are limited by the technical capabilities of the equipment. Equipment often stays in service in a substation for fifteen or twenty years, so there is much legacy equipment without any security capabilities. Even modern equipment still lacks some capabilities: for instance, communication within the substation cannot yet be properly secured, and not all equipment can be patched easily. This document provides a recommended security architecture that allows the major security risks to be mitigated with current technology.