Security for Power System Operations


The need for physical security of substations
is becoming more urgent as power systems are operated closer to
their limits, as information systems become increasingly important
to power system operations, and as sophisticated substation
equipment becomes more vulnerable to physical threats due not only
to deliberate attacks but also to inadvertent mistakes, failures,
and natural catastrophes.

This requirement for physical security
affects all substation assets to one degree or another. The key is
the tradeoff between the costs (monetary and some reduced
efficiency) of implementing security measures and the probabilistic
benefits associated with avoided costs (monetary, social, political,
and legal). There is no direct monetary return from security
measures. Also, this tradeoff has no single answer and no single
solution, and certainly one size does not fit all. However, remote
monitoring of assets can bring benefits both by increased security
and by decreased costs in implementing security measures. These
include:
- Synergies between primary system monitoring and security
  monitoring. Health and operational data from the primary system
  equipment and the communications system devices can provide
  significant security information. Vice versa, security equipment
  such as video cameras and heat sensors can provide maintenance
  information.
- Economies of scale in combining system monitoring. As a result of
  these synergies, combining the remote monitoring of the three
  systems: the primary power system, the secondary communications
  system, and the systems used for physical security, can increase
  the reliability and effectiveness of all three, while also
  minimizing the direct costs associated with implementing the
  security measures.
- Security solutions can be enhanced by increased monitoring. One
  critical substation might warrant electronic locks on the gates,
  while a less important one remains with padlocks. However, if that
  less important substation is “almost” critical or might become
  critical under certain conditions, additional security monitoring
  could be added, such as a “gate-open-status” sensor for alarming
  the operator.

The objective of this report was to assess
the benefits of including remote monitoring with the various
security technologies used for providing physical security to
substation facilities and equipment. This remote monitoring provides
near-real-time security information on the access points to
substation facilities as well as the status and health of equipment
to determine if the equipment has been tampered with or is otherwise
not functioning correctly. The types of security technologies
include locks at gates and doors, video/audio surveillance, motion
detection, infrared detectors, vibration sensors, pressure sensors,
and other methods for deterring, delaying, assessing, communicating,
and responding to potential security threats. In addition, power
system equipment and communications equipment provide equipment
“health” and “tampering” information that could be used to determine
if anomalous events, either deliberate or inadvertent, have
occurred. These technologies also provide detailed logs of these
events for forensic audits and legal analysis.
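
The correlation of physical-security events with equipment and communications data described above can be sketched as follows. This is an added example, not code from the report; the event names, substation IDs, the 15-minute window and the work-order list are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): (time, substation, system, event).
# "primary", "comms" and "physical" stand for the three monitored systems.
EVENTS = [
    ("2024-03-01T02:10:00", "SUB-A", "physical", "gate_open"),
    ("2024-03-01T02:14:30", "SUB-A", "primary", "relay_settings_changed"),
    ("2024-03-01T02:15:10", "SUB-A", "comms", "link_down"),
    ("2024-03-01T09:00:00", "SUB-B", "physical", "gate_open"),
    ("2024-03-01T09:05:00", "SUB-B", "primary", "relay_settings_changed"),
    ("2024-03-01T13:00:00", "SUB-C", "comms", "link_down"),
]
# Assumed source of authorized site visits: substation -> [(start, end)].
WORK_ORDERS = {"SUB-B": [("2024-03-01T08:30:00", "2024-03-01T11:00:00")]}

def _ts(text):
    return datetime.fromisoformat(text)

def authorized(sub, when, work_orders):
    return any(_ts(a) <= when <= _ts(b) for a, b in work_orders.get(sub, []))

def correlate(events, work_orders, window_min=15):
    """Join physical-access events with equipment/comms anomalies per site."""
    window = timedelta(minutes=window_min)
    evs = sorted((_ts(t), sub, system, ev) for t, sub, system, ev in events)
    alerts, explained = [], set()
    for when, sub, system, ev in evs:
        if system != "physical":
            continue
        # Equipment/comms anomalies at the same site within the window after access.
        near = [e for e in evs if e[1] == sub and e[2] != "physical"
                and when <= e[0] <= when + window]
        explained.update(near)          # anomalies attributable to this access
        if authorized(sub, when, work_orders):
            continue                    # planned visit: log only, no alarm
        alerts.append({"substation": sub, "time": when.isoformat(),
                       "severity": "high" if near else "medium",
                       "evidence": [ev] + [e[3] for e in near]})
    # Anomalies with no access event nearby go to maintenance, not security.
    for e in evs:
        if e[2] != "physical" and e not in explained:
            alerts.append({"substation": e[1], "time": e[0].isoformat(),
                           "severity": "maintenance", "evidence": [e[3]]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS, WORK_ORDERS):
        print(alert)
```

With the sample data, the unplanned gate opening at SUB-A followed by a relay settings change and a link loss is raised as a high-severity alarm, the planned visit at SUB-B raises nothing, and the isolated link loss at SUB-C is routed to maintenance.
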

The Tennessee Valley Authority (TVA) has
recently placed a new 161 kV switching station into service in
Tiptonville, Tennessee. Internally, this facility uses a
state-of-the-art communications infrastructure based on networked
communications (i.e. a fiber optic Ethernet LAN) and the Utility
Communications Architecture (UCA™). Interconnecting a complement of
‘smart’ devices and subsystems in the control house and switchyard,
it provides a flexible and timely means to exchange data and perform
control, supporting all SCADA and protection applications in an open
(i.e. non-proprietary) environment.

TVA is currently implementing the Bradley
Substation using IEC 61850 for all protective relaying
communications, and for many other devices. This intelligent
equipment has the potential to provide significant amounts of
information to enterprise users and systems, but a viable, secure
Wide Area Network communications infrastructure for TVA’s
operational business environment is required. Until this is
realized, the real promise of substation automation and enterprise
access at TVA will remain unfulfilled.

To combat this limitation and to take
advantage of current and emerging information technology within the
transmission system, the Transmission / Power Supply Group within
TVA has conceived a plan to build a Wide Area Network capability
called PowerWAN. PowerWAN will be a real-time operating network,
constituting a separate security perimeter within TVA. The PowerWAN
goal is to provide secure, reliable access to information from
transmission assets, making it available to enterprise users and
systems. It will use both private (TVA) and public infrastructure as
it is deployed across TVA’s 80,000 square mile service territory.
The first phase of the project, currently under way, focuses on the
backbone network infrastructure and tie points to other TVA
networks, where the end users and systems reside. These users and
systems will be enabled by PowerWAN to meet the increasing demands
brought about by a competitive market.

For TVA and other utilities, these increasing
demands can be seen as opportunities, not headaches: opportunities,
through automation, to improve maintenance productivity, to minimize
the number and severity of equipment failures, to utilize the power
system more efficiently while not exceeding critical limits, to
minimize the cost and time for implementing new substations, and to
provide high-quality power to customers. Along with these
opportunities, however, comes the challenge of cyber security, since
the sources of much of this data are devices and systems that are
critical to the operation of the power system.

Cyber security has undoubtedly become a major
issue for almost all electric utilities. This is partly due to the
competitive environment, where crucial information (gathered legally
or illegally) can translate into millions of dollars, but mainly due
to the increased vulnerability brought about by the integration of
networking technologies within the systems and equipment used on the
power system. This threat is even more credible because of the
terrorist attacks on September 11th. It is particularly true for
the United States that a loss of electrical power for any extended
time and over a large area can have serious consequences for the
economy, for the safety of people, and for the legal and financial
status of the utilities affected.

PowerWAN will be a vital part of TVA’s
future. Physical infrastructure alone is not enough to meet the
challenge. To be successful, sound security policy, practices, and
procedures must be developed.

Xanthus staff, as a part of EPRI’s
Electric Infrastructure Security (EIS) program, is undertaking a
scoping study on security policies and secure communication
alternatives for utility operations. The primary objective of
this scoping study is the assessment of the financial and
societal costs of implementing security measures in utility
operations. Financial costs include the costs for developing
security policies and implementing security countermeasure
technologies. Societal costs include the impact of security
policies and technologies on the efficiency of personnel and
systems.

A second objective of this scoping study
is twofold: (a) to assess whether or not the Internet can
provide adequate security for the different utility control
center functions, including power operations and market
operations, and (b) to determine whether there are viable
alternatives to the Internet for this purpose. This assessment would include
determining what alternative communication means are possible
and what the impact would be of moving functions from the
Internet to these alternative communications methods. As a
part of this assessment, the communication security needs of
different functions would be addressed, along with possible
alternative communications methods, such as privately owned
media, private access to media owned by telecommunications
providers, and secure access to more public media.

Xanthus staff assessed the “end-to-end”
security requirements for utility operations, addressing not
only information security measures (such as encryption of
protocols), but also security policy requirements for meeting
overall security. Xanthus staff focused on the key security
concerns in utility operations (illustrated below for the
exchange of information using ICCP):

| Priority | Security Concerns: Non-Secure ICCP Profile | Security Concerns: Entire Set of Secure ICCP Profile when Security Recommendations have been Implemented |
|---|---|---|
| 1 | Bypassing Controls | Bypassing Controls |
| 2 | Integrity Violation | Indiscretion |
| 3 | Authorization Violation | Illegitimate Use |
| 4 | Indiscretion | Information Leakage |
| 5 | Intercept/Alter | Availability (e.g. Prevention of Denial of Service) |
| 6 | Illegitimate Use | Data Validity |
| 7 | Information Leakage | Performance |
| 8 | Spoof | Local Security Administration and Procedures |
| 9 | Masquerade | Remote Security Procedures |
| 10 | Availability (e.g. Prevention of Denial of Service) | Certificate and Authentication Management |
| 11 | Eavesdropping (e.g. Data Confidentiality) | Certificate Authority Privacy and Security Procedures |

Xanthus staff also assessed the impacts
on performance of possible security measures (encryption, IPSec,
SSL/TLS, and other security technologies) for remote digital
control. Specifically, Xanthus staff evaluated the impacts of
adding security on ICCP, UCA, and DNP.

Xanthus staff developed a “Security
Primer on Transmission and Distribution Operational Systems”,
and presented this primer at an EPRI EIS Workshop to raise the
awareness of utilities as to the real threat of cyber security
attacks on power system operations.