The threat of cyber attack is very real, as energy utilities rapidly move to digitise their operations. As part of the digitisation process, it’s imperative that every precaution possible is taken when it comes to cyber security.
Substations provide potential attack vectors for cyber attacks. If an attacker is able to influence one or more substations, this can have severe consequences to the grid.
Multiple layers are therefore necessary to ensure the cyber security of substations.
Unfortunately, cryptography, firewalls or ‘air gaps’ cannot prevent all types of attacks to a substation. Measures are thus needed to detect threats not only in the control centres, but also within the substation, to enable a quick response.
Cybersecurity with OMICRON
For IEC 61850 substations, the whole automation system, including all devices, their data models, and their communication patterns is described in a standardised format – the SCL.
System Configuration Description (SCD) files normally also contain information about primary assets and, for an ever-increasing number of substations, even the single-line diagram is present.
This information allows a different approach to be used for detecting intrusions. The monitoring system can create a full system model of the automation and power system and it can compare each and every packet on the network against the live system model.
Even the variables contained in the communicated (GOOSE, MMS, SV) messages can be evaluated against the expectations derived from the system model. This process is possible without the need for a learning phase, just by configuration from SCL.
This approach is implemented in the new functional security monitoring system StationGuard.
StationGuard: The intrusion detection system
StationGuard is easily configured by importing the plant’s SCD file. The IT equipment that was not included in the SCL can be assigned a respective role such as engineering PC or test PC. Alarm messages are not listed in IT jargon, but are summarised and traced back to the causal processes in the substation.
The alarm display and descriptions allow protection and control technicians to work together with the IT security officers in the analysis of alarms.
StationGuard’s maintenance mode feature allows you to avoid false alarms during maintenance and routine protection tests, while still providing full security.
For all data traffic over IEC 61850 communication protocols, not only is the protocol structure analysed, but all transmitted signal values and their time stamps are also analysed.
This also permits more complex measurements, such as the transmission times of telegrams, synchronisation errors or critical states of the IEC 61850 quality bits.
The IDS works with a crypto-chip that protects against software manipulation. It uses a secure boot chain, full encryption of all data and communication, and a specially hardened Linux operating system.
StationGuard not only detects security threats, but functional problems of IEC 61850 communication and of the IEDs are also detected – which is also helpful in the FAT and SAT phase.
Intrusion detection systems that display detected events in the language of protection, automation and control engineers have the advantage that PAC and security engineers can work together to find the cause of events.