SC-301-2020: Security requirements for procuring SCADA applications [PUBLIC]

This document gives security requirements that grid operators can use directly in their procurement documents for SCADA application software.

The supervisory control and data acquisition (SCADA) system is the core of a grid operation infrastructure for both transmission system operators (TSOs) and distribution system operator (DSOs). The SCADA system is critical to the business continuity of grid operators.

At the same time, the SCADA system’s core position also makes it attractive to anyone trying to sabotage the electricity grid. Through the SCADA system, they can control thousands of field devices. So, SCADA systems should be strongly secured.

But securing these systems is becoming more difficult as they are becoming more connected. The time that SCADA systems were stand-alone, air-gapped systems has long passed. Most grid operators have now connected them to their enterprise IT systems to export data for grid planning and to import geographic information. The vendor of the SCADA system often has remote access for maintenance. Control center of other grid operators are connected. Field equipment from distributed energy resources (DER) or customer feeding in gas are being connected. And field engineers are getting remote access to get a better view of the system and give feedback about executing switching actions. Each connection creates a possibility for attackers to get into the SCADA system.

This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents. The requirements have been thoroughly reviewed by both grid operators and SCADA vendors. They are designed to fit into the processes and procedures already in place in the organizations, and to find a good balance between security and operational impact.