This document gives security requirements that grid operators can use directly in their procurement documents for new sensors, in particular sensors based on internet-of-things (IoT) technologies.
Grid operators depend on grid information for effective and efficient operation, maintenance and planning. This information is traditionally collected by the SCADA system through remote terminal units (RTUs) or gateways placed at substations.
But in this way grid operators monitor only part of the grid. For many use cases, information cannot be collected in the traditional way. Examples are oil quality monitoring in transformers, hot spot temperature monitoring in transformers and lines, copper theft detection, and fault passage indication in overhead lines. Sensors collecting information for these cases often cannot easily be connected to substation RTUs or gateways, because they are physically too far away, or because it is too costly to logically integrate them into the systems.
New sensors, often based on IoT technologies, are used to fill this gap. These sensors allow grid operators to get more data about the grid, at a lower cost.
But because these sensors are meant to be low cost, it is often not clear what security requirements can be set for the sensor systems. To keep the cost of sensors down, they have less computing power than RTUs or gateways. To reduce installation cost, the sensors are sometimes battery-powered. As a result, some security measures may not be feasible on the sensors. Also, to minimize the cost of installation and maintenance, security configuration and key management should take as little of engineers' time as possible, so these functions should be automated where possible.
This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents for sensors. The requirements have been reviewed by both grid operators and sensor vendors. They are designed to fit into existing processes and procedures.