Water and Energy International
SCOPUS
  • Year: 2013
  • Volume: 70
  • Issue: 11

Cyber security – secure communication design for protection and control ieds in sub-station

  • Author:
  • T. Sukumara, Janne Starck, S.G. Kishan, G. Harish, Eashwar Kumar
  • Total Page Count: 8
  • Page Number: 17 to 24

ABB GISL Ltd, Bhoruka Tech Park, Whitefield Road, Mahadevapura, Bangalore, India

ABB Oy, Vaasa, Finland

Online published on 20 January, 2014.

Abstract

The evolution of smart grid concepts is creating considerable public attention and interest in substation automation/power systems. Smart grid deployments require data to flow seamlessly from various devices like protection relays, smart meters, controllers, gateways in a substation to enterprise level control centres over private and public communication networks.

Protection and control IEDs (Intelligent Electronic Devices), which are the first level intelligent devices in substations, play a critical role in substation protection, control and monitoring functionalities. They aid the optimized management of substation devices, as well as the overall transmission and distribution power network, which is integral to the smart grid vision and framework.

Concepts such as remote configuration/parameterization, remote SCADA communication, remote diagnostics and firmware updates are becoming important requirements for IEDs. This leads to inherent requirements for secure communication, strong user authentication and authorization to be considered in the design and development of protection and control IEDs.

Changes in the communication technology have brought huge benefits from an operational perspective, but they have also introduced cyber security concerns previously associated only with office or enterprise IT systems. Cyber security risks are inherited once an IED is connected on to the Ethernet network. Securing IED communication is part of the Defense-In-Depth strategy which is a layered security approach that uses multiple layers of network security to protect the power system/substation automation network against intrusion from physical and cyber borne attacks.

This paper covers the development of security architecture design for IEDs, the selection and adaptation of correct security protocol modules and interfacing them with application (protocol) modules/functionalities within the IED architecture to ensure secure communication and exchange of information via external and internal networks. It also highlights the need for maintaining the architecture design in-line with current and upcoming cyber security standards like NERC CIP regulations, IEEE 1686, IEC 62351 etc. as parts of these standards define the cyber security capabilities to be adapted by IEDs in the substation and distribution systems.

The SSL handshake and session set-up in a IED is a CPU intensive operation with activities such as client authentication, certification handling and key exchange involved during the hand-shaking process. For SCADA protocol modules like DNP and IEC 61850, the hand-shake process takes place only at the beginning of the connection, as the session is expected to be continuous. On the other hand, in the configuration/engineering of protocol modules like FTPS and HTTPS, the hand-shake process could take place more often as the data transfer is not continuous and is only based on user request/operation. The SSL hand-shaking process is an independent activity and each application module/session will have a separate hand-shake process within the IED.

This paper covers ABB's experiences in prototype design and implementation of a secured communication layer to the existing application protocols in the IED architecture. It evaluates available security technologies and shows how they can be used effectively for seamless integration to the IED architecture to realize certain cyber security requirements.

Keywords

Cyber Security, Substation Automation, Protection and control, IED Architecture, SSL, Secure Communication