This document provides a strategy for grid operators to protect distribution automation systems against physical attacks on field locations.
Grid operators rely on distribution automation to monitor and control their grid. Because of the increased use of renewables and electric vehicles, they need to understand what is going on in the medium and low voltage parts of the grid. So, they are placing remote terminal units (RTUs) at medium voltage substations or pole-top reclosers. The same RTUs can also allow quicker recovery from power outages by reconfiguring the grid.
But RTUs are difficult to protect against physical attacks. They are placed at medium voltage substations or pole-tops spread around a grid operator’s area. It is not feasible to protect all of these locations against break-ins. Yet, the RTUs do provide an entry point into the SCADA system to which they are connected.
Current RTUs are not designed to withstand physical attacks. On older RTUs, there may be accounts with default passwords or debug ports giving full access. On newer RTUs, these may be disabled. But determined attackers can obtain access by tampering with the boot process or programs stored in flash.
So, what can grid operators do to manage the risk of physical attacks on distribution automation RTUs? The best strategy is to harden the RTU itself as much as possible, while using the system architecture to limit the impact of determined attacks to a single location. This document describes this strategy. The strategy has been implemented in the 2020 version of the ENCS Security architecture for distribution automation systems and the Security requirements for procuring distribution automation RTUs.