This document gives security requirements that grid operators can use directly in their procurement documents for new Intelligent Electronic Devices (IEDs) and protection relays, used, for example, in substation automation systems.
Substations are becoming increasingly automated. Not only are they remotely monitored and controlled through a SCADA system, but local protection functions are also being implemented in software.
The automation means that cyber-attacks can have a large impact. Through remote switching, it is possible to create blackouts. Attacks that can disable the software protection functions can lead to permanent damage to transformers, lines, and busbars, and endanger the safety of engineers.
Untargeted attacks can already be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance, through infected USB sticks. Recovering from such incidents can have significant costs.
The cyber-attacks in Ukraine in 2015 and 2016 were the first case of a targeted attack against the grid. They show that there are groups that can perform such attacks and are willing to do so. The Industroyer malware that was probably used in the 2016 attack targets the IEC 60870-5-104 and IEC 61850 protocols, which are used primarily by grid operators. It includes a denial-of-service attack that can disable protection functions on SIPROTEC 4 protection relays.
To counter such threats, grid operators are improving the cyber-security of their substations. To help procure secure IEDs for new substation automation systems, this document provides a harmonized set of security requirements that can be used directly in their procurement documents.
The security requirements consist of a set of mandatory requirements that an IED should fulfill to be used securely in a substation without connections to the central systems, and three sets of optional requirements that allow the IED to be accessed remotely for different purposes.
The requirements have been thoroughly reviewed by ENCS members. They are designed to fit into the processes and procedures already in place in the organizations and to strike a good balance between security and operational impact.