SA-303-2021: Security requirements for procuring HMI software [DRAFT]

This document gives security requirements that grid operators can use directly in their procurement documents for new Human Machine Interface (HMI) software for use in substation automation systems.

Substations are becoming more and more automated. Not only are they remotely monitored and controlled through a SCADA system, but local protection functions are also being implemented in software.

The automation means that cyber-attacks can have a large impact. Through remote switching, it is possible to create blackouts. Attacks that can disable the software protection functions can lead to permanent damage to transformers, lines, and busbars, and endanger the safety of engineers.

Untargeted attacks can already be harmful. Many legacy Windows systems are still in use in substations. Viruses or ransomware can spread to them, for instance, through infected USB sticks. Recovering from such incidents can have significant costs.

The cyber-attacks in Ukraine in 2015 and 2016 were the first case of a targeted attack against the grid. They show that there are groups that can perform such attacks and are willing to do so. The Industroyer malware that was probably used in the 2016 attack targets the IEC 60870-5-104 and IEC 61850 protocols, used primarily by grid operators. It includes a denial-of-service attack that can disable protection functions on SIPROTEC 4 protection relays.

To counter such threats, grid operators are improving the cyber-security of their substations. To help procure secure HMI software for new substation automation systems, this document provides a harmonized set of security requirements that can be used directly in their procurement documents.

The security requirements consist of a set of mandatory requirements that the HMI software should fulfill to be used securely in a substation, and optional requirements that allow the HMI to use centralized access control and communicate with IEDs over secure protocols.

The requirements have been thoroughly reviewed by ENCS members. They are designed to fit into the processes and procedures already in place in the organizations and to find a good balance between security and operational impact.

Download this document (members only)
