Energize Cyber-security in substations

Information from Alectrix  –  

Substation installations offer several potential attack vectors for cyber-attacks. Effective cyber-security measures therefore must be implemented in the substation itself, not just in the control centre. The Austrian supplier OMICRON has been studying this requirement for many years and in 2015 added the DANEO 400 analysis device to its portfolio as a decentralised and hybrid solution for the continuous monitoring of sampled values, GOOSE and PTP time synchronisation.

“It so happened that we were approached by engineers from the Centralschweizer Kraftwerke AG (CKW), who were looking for an appropriate solution for their substation installations”, says Andreas Klien, head of the power utility communications division at OMICRON. A period of close cooperation with the protection and process control engineers at CKW followed this enquiry and led to the development of StationGuard, the functional security monitoring system. The experiences from several proof-of-concept installations of other energy suppliers around the world have meanwhile been absorbed into the development process. With StationGuard, OMICRON has introduced an innovative approach for IEC 61850 installations.


Essentially, the package uses substation configuration language (SCL) files, in which the entire automation system, with all its devices, data models, and the communication parameters of the IEC 61850 installations, is described in a standardised format. These files also contain information about the primary equipment and in many cases even the single-line equivalent circuit diagram for the substation.

Figure 1: An IDS is integrated into an IEC 61850 installation in such a way that a copy of all network traffic is mirrored from all the relevant switches to the IDS, so that the traffic can be monitored passively.

“This information can be used to develop a completely new approach to the detection of cyber-attacks”, explains Klien. The monitoring system can create a complete model of the automation system and the substation and compare every single packet in the network with the live system model. Even the data contained in the protocol messages, be they GOOSE (Generic Object Oriented Substation Event), MMS (Manufacturing Message Specification), or SV (Sampled Values) can be assessed based on what the system model is expecting.

“This process requires no learning phase and is only possible because of the configuration of the SCL”, stresses Klien.

Functional monitoring

To detect any cyber threats in the network, StationGuard carries out a highly detailed functional verification of all data traffic. It possesses a detailed model of all anticipated communications, which it compares with the network packets. The fact that the data traffic is continuously monitored means that threats to IT security, such as unauthorised packets and control operations, can be identified. Communication faults, problems with time synchronisation and the various types of malfunction which can occur in the substation are also detected.

“If the system has access to the installation’s circuit diagram and is able to monitor the measured values in the MMS communication, then there are practically no limits to what we can monitor”, explains Klien and cites, as an example, the 33 different alarm codes that StationGuard maintains just for GOOSE – from simple status and sequence number faults to more complex problems, such as unusually long message transmission times. The latter are detected by the precise measurement of the difference between the EntryTime stamp in the message and its actual arrival time.

Figure 2: StationGuard uses a graphical alarm display instead of a cryptic event list and provides protection engineers with data about an alarm in a detailed yet comprehensible manner.

If the transmission time of the network for a GOOSE (as per IEC 61850-5) is longer than 3 ms, this will indicate a problem in the transmitting IED, in the network or at the very least in the time synchronisation. The concept can also be applied to MMS communication. The system model shows which logical nodes are controlling which items of equipment. This enables a distinction to be made between correct/incorrect (or critical/non-critical) actions.
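The SCL-driven approach described above (a model built from the SCD file, every GOOSE frame checked against it, no learning phase) can be shown in a few dozen lines. The following is an added example written for this page, not StationGuard code: it parses the Communication section of a constructed SCD fragment into an expected-publisher model (destination MAC, APPID, gocbRef, MaxTime), then checks constructed, already-decoded GOOSE frames for unknown publishers, stNum/sqNum sequence faults, missed heartbeats and the 3 ms transfer-time budget. One caveat the article glosses over: the GOOSE timestamp marks the last state change, so the transfer time is only measurable on the first transmission after that change (sqNum 0); retransmissions are checked for sequence and heartbeat only. The 32-bit sqNum rollover is not handled here.

```python
"""Model-based GOOSE validation built from an SCD file (added example, not StationGuard)."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}
TIME_MULT = {"": 1.0, "m": 1e-3, "u": 1e-6}
GOOSE_MAX_TRANSFER_S = 0.003   # IEC 61850-5 type 1A (trip) transfer-time budget

# Constructed SCD fragment (not a real substation): one publisher P1 with one GoCB.
SCD_XML = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication>
    <SubNetwork name="StationBus">
      <ConnectedAP iedName="P1" apName="AP1">
        <GSE ldInst="CTRL" cbName="gcb0">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="APPID">0001</P>
            <P type="VLAN-ID">005</P>
          </Address>
          <MinTime unit="s" multiplier="m">4</MinTime>
          <MaxTime unit="s" multiplier="m">1000</MaxTime>
        </GSE>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
</SCL>
"""

@dataclass
class Publisher:
    gocb_ref: str                   # expected gocbRef, e.g. P1CTRL/LLN0$GO$gcb0
    max_time_s: float               # heartbeat interval (MaxTime) from the SCD
    last_st: Optional[int] = None   # stNum / sqNum / arrival of the last accepted frame
    last_sq: Optional[int] = None
    last_arrival: Optional[float] = None

def load_goose_model(scd_text: str) -> dict:
    """Build {(destination MAC, APPID): Publisher} from the SCD Communication section."""
    root = ET.fromstring(scd_text)
    model = {}
    for cap in root.iterfind("scl:Communication/scl:SubNetwork/scl:ConnectedAP", NS):
        ied = cap.get("iedName")
        for gse in cap.iterfind("scl:GSE", NS):
            addr = {p.get("type"): p.text.strip() for p in gse.iterfind("scl:Address/scl:P", NS)}
            mt = gse.find("scl:MaxTime", NS)
            max_time = float(mt.text) * TIME_MULT[mt.get("multiplier", "")] if mt is not None else 1.0
            key = (addr["MAC-Address"].upper(), int(addr["APPID"], 16))
            model[key] = Publisher(f"{ied}{gse.get('ldInst')}/LLN0$GO${gse.get('cbName')}", max_time)
    return model

def check_goose(model: dict, frame: dict) -> list:
    """Compare one decoded GOOSE frame with the model; return alarm strings ([] = as expected).

    frame keys: dst_mac, appid, gocb_ref, st_num, sq_num,
                t (publisher timestamp, s), arrival (capture timestamp, s).
    """
    alarms = []
    key = (frame["dst_mac"].upper(), frame["appid"])
    pub = model.get(key)
    if pub is None:
        return [f"unknown GOOSE publisher {key[0]} APPID 0x{key[1]:04X}"]
    if frame["gocb_ref"] != pub.gocb_ref:
        alarms.append(f"gocbRef {frame['gocb_ref']} differs from SCD ({pub.gocb_ref})")
    st, sq, arrival = frame["st_num"], frame["sq_num"], frame["arrival"]
    accept = True
    if pub.last_st is not None:
        if st < pub.last_st:
            alarms.append(f"stNum went backwards {pub.last_st}->{st} (replayed frame?)")
            accept = False                      # a replay must not move the model's state
        elif st == pub.last_st and sq != pub.last_sq + 1:
            alarms.append(f"sqNum {pub.last_sq}->{sq} with unchanged stNum {st}")
        elif st == pub.last_st + 1 and sq != 0:
            alarms.append(f"stNum changed to {st} but sqNum is {sq}, expected 0")
        elif st > pub.last_st + 1:
            alarms.append(f"stNum jumped {pub.last_st}->{st}: state changes missed")
        if arrival - pub.last_arrival > 2 * pub.max_time_s:   # subscribers usually allow 2 x MaxTime
            alarms.append(f"no GOOSE for {arrival - pub.last_arrival:.1f} s (> 2 x MaxTime)")
    # t is the time of the last state change, so transfer time is only
    # measurable on the first transmission after that change (sqNum == 0)
    if sq == 0 and arrival - frame["t"] > GOOSE_MAX_TRANSFER_S:
        alarms.append(f"transfer time {(arrival - frame['t']) * 1e3:.1f} ms exceeds 3 ms")
    if accept:
        pub.last_st, pub.last_sq, pub.last_arrival = st, sq, arrival
    return alarms

def run_demo() -> list:
    """Feed constructed frames through the checker; returns one alarm list per frame."""
    model = load_goose_model(SCD_XML)
    P1 = dict(dst_mac="01-0C-CD-01-00-01", appid=0x0001, gocb_ref="P1CTRL/LLN0$GO$gcb0")
    frames = [
        dict(P1, st_num=5, sq_num=0, t=100.000, arrival=100.0012),  # state change, 1.2 ms: OK
        dict(P1, st_num=5, sq_num=1, t=100.000, arrival=100.0040),  # retransmission: OK
        dict(P1, st_num=6, sq_num=0, t=101.000, arrival=101.0045),  # 4.5 ms transfer time
        dict(P1, st_num=6, sq_num=7, t=101.000, arrival=101.0500),  # sqNum jump 0->7
        dict(P1, st_num=4, sq_num=0, t=99.000,  arrival=101.1000),  # old stNum: replay
        dict(P1, st_num=6, sq_num=8, t=101.000, arrival=104.0000),  # ~3 s of silence before it
        dict(dst_mac="01-0C-CD-01-00-99", appid=0x0099, gocb_ref="X/LLN0$GO$g",
             st_num=1, sq_num=0, t=104.0, arrival=104.001),         # publisher not in the SCD
    ]
    return [check_goose(model, f) for f in frames]

if __name__ == "__main__":
    for i, alarms in enumerate(run_demo()):
        print(i, alarms or "OK")
```

In a real deployment the frames come from a mirror port and a GOOSE decoder; the point of the example is that every check is derived from the SCD rather than from a traffic baseline, which is why no learning phase is needed.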

“The same sequence in the MMS protocol is used whenever a circuit breaker trips, or IEC 61850 test mode is activated. The effect in the installation is however markedly different in each case”, says Klien. “If a test PC switches the IEC 61850 test mode of a relay, this may well be a justified action as part of a protection test. However, what would most likely not be permitted is if the test PC were to trip a breaker.”

Comprehensible messages

Besides avoiding false alarms, it is also vital that the displayed alarm messages are easily understood by protection and process control engineers alike. This not only speeds up response times, it also means that IT security experts and the protection and process control engineers can work closely together. To enable alarms to be allocated more accurately to bays and devices, they are represented in StationGuard not just as an alarm list that a firewall might provide, but are also displayed graphically in a zero-line diagram – an overview display introduced with OMICRON StationScout.

Maintenance mode

To reduce false alarms even further, the routine testing and maintenance operations are also represented in the system model of the installation in StationGuard. This means that the system model can also contain the testing equipment, including the protection test sets.
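The point made in the test-mode/trip example earlier (the same MMS control sequence is either acceptable or not depending on which device issues it and what the controlled logical node acts on), together with the maintenance-mode idea above, as an added example that is not part of the original article or of StationGuard: the control objects, bay assignment, device roles, IP addresses and the role-to-effect policy are all assumptions constructed for illustration.

```python
"""Role-based classification of IEC 61850 MMS control writes (added example, not StationGuard)."""
from dataclasses import dataclass

# Constructed system model (what an SCD's IED and Substation sections would give):
# controllable data objects, the primary equipment they act on, and the effect class.
CONTROL_OBJECTS = {
    "P1CTRL/CSWI1.Pos": {"bay": "E01", "equipment": "circuit breaker Q0", "effect": "switching"},
    "P1CTRL/CSWI2.Pos": {"bay": "E01", "equipment": "disconnector Q1", "effect": "switching"},
    "P1PROT/LLN0.Mod":  {"bay": "E01", "equipment": "relay P1 (all functions)", "effect": "mode"},
    "P1PROT/PTOC1.Mod": {"bay": "E01", "equipment": "relay P1 overcurrent stage", "effect": "mode"},
}
# Roles assigned to devices that are not in the SCD (addresses are assumptions)
DEVICE_ROLES = {"192.168.10.20": "HMI", "192.168.10.50": "test PC", "192.168.10.10": "engineering PC"}
# Effect classes each role may cause: a policy assumed for this example
ROLE_PERMISSIONS = {"HMI": {"switching", "mode"}, "test PC": {"mode"}, "engineering PC": set()}
MOD_VALUES = {1: "on", 2: "blocked", 3: "test", 4: "test/blocked", 5: "off"}   # IEC 61850-7-4 Mod

@dataclass
class Verdict:
    permitted: bool
    reason: str

def control_target(domain: str, item_id: str):
    """Map an MMS write's domain/itemId to the modelled object and control service.

    ('P1CTRL', 'CSWI1$CO$Pos$Oper') -> ('P1CTRL/CSWI1.Pos', 'Oper'); None if not a control.
    """
    parts = item_id.split("$")
    if len(parts) < 4 or parts[1] != "CO" or parts[-1] not in ("SBO", "SBOw", "Oper", "Cancel"):
        return None
    return f"{domain}/{parts[0]}.{parts[2]}", parts[-1]

def describe(effect: str, ctl_val) -> str:
    """Human-readable action for the alarm text (Mod enum or Pos ctlVal)."""
    if effect == "mode":
        return f"set Mod={MOD_VALUES.get(ctl_val, ctl_val)}"
    return "close" if ctl_val else "open/trip"

def classify_control(src_ip, domain, item_id, ctl_val, maintenance_bays=frozenset()) -> Verdict:
    """Same MMS sequence in every case; the verdict comes from who writes to what."""
    target = control_target(domain, item_id)
    if target is None:
        return Verdict(False, f"{src_ip} wrote to {domain}/{item_id}, which is not a modelled control")
    obj_ref, service = target
    obj = CONTROL_OBJECTS.get(obj_ref)
    if obj is None:
        return Verdict(False, f"{src_ip}: {service} on unmodelled object {obj_ref}")
    role = DEVICE_ROLES.get(src_ip)
    action = f"{service} {describe(obj['effect'], ctl_val)} on {obj['equipment']} (bay {obj['bay']})"
    if role is None:
        return Verdict(False, f"unknown device {src_ip}: {action}")
    if obj["effect"] in ROLE_PERMISSIONS[role]:
        return Verdict(True, f"{role} {src_ip}: {action}")
    if role == "test PC" and obj["bay"] in maintenance_bays:      # bay under test: test set may switch
        return Verdict(True, f"{role} {src_ip}: {action}, bay in maintenance mode")
    return Verdict(False, f"{role} {src_ip}: {action} is not permitted for this role")

def run_demo() -> list:
    """Constructed control writes; returns one Verdict per case."""
    cases = [
        ("192.168.10.20", "P1CTRL", "CSWI1$CO$Pos$Oper", False, frozenset()),        # HMI opens Q0
        ("192.168.10.50", "P1PROT", "LLN0$CO$Mod$Oper", 3, frozenset()),             # test PC -> test mode
        ("192.168.10.50", "P1CTRL", "CSWI1$CO$Pos$Oper", False, frozenset()),        # test PC trips Q0
        ("192.168.10.50", "P1CTRL", "CSWI1$CO$Pos$Oper", False, frozenset({"E01"})), # ... bay in maintenance
        ("192.168.10.77", "P1CTRL", "CSWI1$CO$Pos$Oper", False, frozenset()),        # unknown source
        ("192.168.10.10", "P1CTRL", "CSWI1$CO$Pos$Oper", True, frozenset()),         # engineering PC closes Q0
        ("192.168.10.20", "P1CTRL", "CSWI1$CO$Pos$SBOw", False, frozenset()),        # HMI select-before-operate
    ]
    return [classify_control(*c) for c in cases]

if __name__ == "__main__":
    for v in run_demo():
        print("permitted" if v.permitted else "ALARM", "-", v.reason)
```

The decision never looks at the MMS bytes beyond the object reference and value; everything else (which breaker, which bay, which role, whether the bay is under test) comes from the system model, which is what lets the alarm text name the equipment instead of an object identifier.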

Configuring the IDS system

“Monitoring begins as soon as the device is switched on and cannot, for security reasons, be disabled”, says Klien. All IEDs are shown as unknown devices until the installation’s SCD file is loaded, after which the IEDs and the structure of the installation are displayed in the zero-line diagram. “The configuration can also be prepared in the office and quickly installed on site”, says Klien. In situations where the SCD file does not contain all the IEDs, additional ones can be imported individually. After importing, the user can then assign roles such as “test PC” or “engineering PC”, and so on, to the remaining unknown devices.

Alarm display

If an action is “not permitted”, an alarm is raised. This alarm can be passed to the control centre via the gateway/RTU (Remote Terminal Unit). Alternatively, alarms can also be sent to a separate Security Information and Event Management (SIEM) system, which collates security events. Depending on the version of the hardware in use, binary outputs will be available which can be used to transmit alarms to an RTU very easily. In this case, alarm messaging takes place without any network communication and the alarms can be integrated into the signal list of the control centre just like any other hard-wired signal.

Cyber security of the IDS

“We’ve all seen it in Hollywood films: the intruders always go for the alarm system first”, says Klien. An important security feature of StationGuard is that it uses autonomous, secure hardware rather than a virtual machine. Both hardware versions of StationGuard, the 19” version (RBX1) for permanent installation in substations and the mobile version (MBX1), are hardened to the same extent and use a secure cryptographic chip which conforms to ISO/IEC 11889 (a TPM). This ensures that the cryptographic keys are not stored in flash memory but on a separate chip which is protected against manipulation. The OMICRON certificates are installed on this chip during the production process to provide a secure, mutually verifiable boot chain: the signature of the next module or driver to be loaded is checked at every stage of the firmware boot process. As a result, only software with an OMICRON signature can be installed and executed. The device’s memory is encrypted using a key that is unique to this hardware and is protected on the cryptographic chip. Additional mechanisms ensure that the processes on the device cannot be attacked or misused; the philosophy of “defense in depth” thus extends deep into the software running on the device.

Contact Andre Huddlestone, Alectrix, Tel 021 790-1665, andre@alectrix.co.za

