By Chee-Wooi Ten
The current form of supervisory control and data acquisition (SCADA) system remains a hierarchical structure in which the power substation networks under each control area constantly report any physical system abnormality to the energy control center. Deployment of microprocessor-based instrumentation connected to the switchgear has been the norm, and IP-based communication technologies will be the economic driver for future integration and automation. Remote access to (unmanned) substations at geographically dispersed locations is routine maintenance practice for utilities, who must carefully restrict cross-network access to critical cyber assets from remote sites. These substation devices are part of the automation and can be reached and compromised by unauthorized users.
More than 10 years ago, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance program was initiated to set a guideline for potential cyber risks in control center and substation control systems. As has become evident in recent years, the root cause of physical “abnormality” has gradually shifted to cyber “anomaly,” which emphasizes the rare event of electronic sabotage through compromised units. However, the underlying physics of grid operation remains unchanged, i.e., reliability is still the most important part of the grid, and so the energy delivery system is at risk from potential cyberattacks. A roadmap to achieve energy systems cybersecurity has been envisioned and promoted by the National Electric Sector Cybersecurity Organization Resource (NESCOR) to strengthen the security posture of the electric sector, in collaboration and cooperation with the Department of Energy (DOE).
In defining new security measures for resilience, NERC CIP version 5 has been established with a general guideline based on low, medium, and high impacts of cyber-physical attack events. The severity is based on the averaged amount of power impacted, i.e., 3,000 MW as the reference for each control area, in terms of the generating units associated with the asset owners. NERC CIP lists the Special Protection System (SPS), also known as Remedial Action Schemes (RAS), and large automatic load shedding without system operators' involvement as critical parts of the medium impact rating, since these can affect grid stability if the associated substations are under attack. FERC exercise drills demonstrated that a combination of 9 pivotal substations in the eastern interconnection can lead to widespread cascading complications and a large-scale outage. One combination out of many cases implies that the impact of a substation does not necessarily depend on the degree of its connectivity or its size. A few low-impact substations can also be significant.
The primary security technologies deployed in substations and control centers are firewalls and multi-factor authentication (password strings) with encryption. Deficiencies exist in the deployed password management platforms across thousands of modern substation digital relays. The deployed security technologies and measures do not adequately address compromised endpoints in cases where passwords are compromised. The current substation automation framework does not interrupt or defer access by unauthorized users (insiders, outsiders, or both) who execute a critical tripping command that can be inferred as a manipulative event. The existing protective relaying framework should include an additional oversight against cyber manipulation via coordination within a Wide-Area Monitoring, Protection, and Control (WAMPAC) network.
In more recent developments, substation automation has introduced IEC 61850, which has raised security concerns. Traditionally, protective relaying schemes have been embedded in the devices, where all parameter settings are configured and stored locally. There are only limited permissive schemes that require coordination with other substations. While “hidden failures” may be propagating factors in a disturbance that leads to a large-scale outage, tripping commands can be improved locally. Compromises of multiple substations would enable attackers to plot a detrimental attack that can push the system beyond its operating limits. This might initiate potential cascading effects that lead to a brownout/blackout.
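The oversight layer proposed above (deferring a tripping command that the wide-area measurements do not corroborate, and noticing when several substations are hit together) can be sketched as a small supervisor. This is an added illustration, not code from the article or from any relay vendor; the per-unit thresholds, the three-substation topology and the measurement snapshots are all constructed.

```python
"""Trip-command plausibility supervisor (added illustration, not from the article).

A WAMPAC-style oversight layer receives relay trip commands and permits one only when
the local current and at least one neighbouring PMU corroborate a fault; otherwise the
command is deferred and logged. Thresholds, topology and samples are constructed.
"""
from dataclasses import dataclass, field

FAULT_CURRENT_PU = 2.0   # assumed pickup: current above 2x nominal indicates a fault
SAG_VOLTAGE_PU = 0.85    # assumed: voltage below 0.85 pu at a neighbour corroborates it


@dataclass
class Measurement:
    current_pu: float
    voltage_pu: float


@dataclass
class TripSupervisor:
    neighbours: dict                                # substation -> neighbouring substations
    deferred: list = field(default_factory=list)    # (time, substation) of deferred trips

    def assess(self, sub, t, meas):
        """Return 'permit' or 'defer' for a trip command at substation `sub` at time t."""
        local = meas[sub].current_pu >= FAULT_CURRENT_PU
        corroborated = any(meas[n].voltage_pu <= SAG_VOLTAGE_PU
                           or meas[n].current_pu >= FAULT_CURRENT_PU
                           for n in self.neighbours.get(sub, []))
        if local and corroborated:
            return "permit"
        self.deferred.append((t, sub))      # no electrical evidence: hold and alert
        return "defer"

    def coordinated(self, t, window=5.0, min_sites=2):
        """Flag a possible multi-substation campaign: distinct sites deferred within `window`."""
        sites = {s for (ts, s) in self.deferred if t - window <= ts <= t}
        return len(sites) >= min_sites


def demo():
    topo = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}
    sup = TripSupervisor(topo)
    # constructed snapshot: genuine fault at A (A sees 4 pu current, B sees a voltage sag)
    fault = {"A": Measurement(4.0, 0.3), "B": Measurement(1.8, 0.7), "C": Measurement(1.0, 0.99)}
    # constructed snapshot: quiescent grid, yet trip commands arrive at B and C
    quiet = {"A": Measurement(0.9, 1.0), "B": Measurement(1.0, 1.0), "C": Measurement(1.0, 1.0)}
    r1 = sup.assess("A", 0.0, fault)
    r2 = sup.assess("B", 10.0, quiet)
    r3 = sup.assess("C", 12.0, quiet)
    return r1, r2, r3, sup.coordinated(12.0)


if __name__ == "__main__":
    print(demo())
```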
With the new normal observed in recent years, asset owners should expect attackers to plot an impactful attack that maximizes their global adversity objective, which could be either to initiate cascading effects or to cause immediate equipment damage by creating electrical short circuits. Remedies include understanding the technologies and identifying the cyber-physical relationship in a cost-effective manner.
This article was edited by Jose Medina.
Chee-Wooi Ten, IEEE Senior Member, is an associate professor of electrical and computer engineering at Michigan Technological University. He is currently a visiting professor of electrical and computer engineering at Carnegie Mellon University for the year 2018/2019. He received BSEE and MSEE degrees from Iowa State University, Ames, in 1999 and 2001, respectively, and later received a Ph.D. in 2009 from University College Dublin (UCD), National University of Ireland. Dr. Ten was a power application engineer in project development for EMS/DMS with Siemens Energy Management and Information System (SEMIS) in Singapore from 2002 to 2006. His primary research interests are modeling for interdependent critical cyberinfrastructures and SCADA automation applications for the power grid. He is an active reviewer for IEEE PES transactions and has been a member of the IEEE PES computer and analytical methods for cybersecurity task force. Dr. Ten is currently serving as an editor for IEEE Transactions on Smart Grid and for Sustainable Energy, Grids and Networks (SEGAN) (Elsevier).