This white paper discusses cyber security challenges for substation automation, protection, and control systems. As these systems have become more interconnected using Ethernet and TCP/IP, they are increasingly vulnerable to cyber attacks. There are growing demands from regulations and standards to enhance the security of critical infrastructure systems. The paper presents a reference architecture based on a Smart Grid domain model to define key system functions and interfaces. This will help identify cyber security requirements for different system components like intelligent electronic devices, remote terminal units, and gateways. The goal is to establish a blueprint for system architects to design security into these industrial control systems while maintaining reliability.
White Paper

Balancing the Demands of Reliability and Security


Cyber Security for Substation Automation, Protection and Control Systems

1. Introduction

In the past decade, substation automation, protection and control systems have changed significantly, and this transformation promises to continue as increasing demands on the utility infrastructure mandate continued technology advancements. Systems have become more interconnected, providing end users with much more information and enabling higher reliability and greater levels of control. Interoperability between different vendor products and systems has been achieved through product and solution development based on open standards, and by leveraging commercial technologies like standard Ethernet. These technological advances have not only delivered significant operational benefits, but have also increased the exposure of substation automation, protection and control systems to cyber security issues similar to those faced for years by other traditional enterprise systems.

Tightly integrating the control system components and inter-connecting control systems with external systems not only allows for more and faster information exchange, it also provides entry points for hackers, thereby increasing the need to protect against cyber-attacks. The use of Ethernet and TCP/IP based communications not only makes systems more interoperable, but also opens the door for trojans, worms, viruses and Internet based attacks. The mandate for secure substation automation, protection and control systems, as well as security of the entire utility Information Technology infrastructure, is being pushed in many markets with regulations intended to preserve national security by protecting an electric utility control system from a coordinated cyber-attack with the potential to cause wide scale outages. However, security challenges notwithstanding, the answer is clearly not to block advancements in technology which, from a reliability perspective, will greatly improve the overall power system performance.

2. Drivers and Trends

Cyber security for automation and control systems in the electric sector has consistently gained attention and importance over the last couple of years. While in the past, cyber security was not considered an issue, or even a nice-to-have, it has more and more become a must-have, and its importance continues to grow. There are different drivers and trends that affect the industry as a whole, e.g. how vendors must continue to address cyber security in their products, systems, processes, procedures, and services, or how end users must address security in procurement, installation, and operation through both technical and non-technical means.

The level of attention and the drivers for cyber security differ around the world. Currently North America has the strongest focus on cyber security, with Europe being a fast-follower. South America, the Middle East, and Asia are steadily increasing their focus. One can expect that in the near future the global interest will reach a similar level.

One of the two main drivers in North America is the NERC CIP (Critical Infrastructure Protection) regulation, for which compliance is mandatory for all utilities that are part of the bulk electric system. The second main driver is the security requirement associated with Smart Grid stimulus funding and the clear statement by the US government that no funding would be allocated to projects unless cyber security was properly addressed. Outside North America other countries will likely increase the focus of government organizations on securing critical infrastructure, resulting in local regulations and guidelines.

Overall the demand for cyber security, both from a technical as well as from a process perspective, will continue to increase in the near future. Cyber security will become a mandatory requirement in products, systems, solutions, and processes as industry standards are developed and regulations are adopted as law.

3. Reference Architecture

The reference architecture in this section is important in order to define key functions and their critical interfaces from the overall system perspective. The architecture is the fundamental blueprint for the system architect where key requirements are mapped onto system functions and interfaces, as well as where cyber security requirements are identified.

A Smart Grid domain is a high-level grouping of organizations, buildings, individuals, systems, devices or other actors with similar objectives that rely on, or participate in, similar types of applications. Actors have the capability to make decisions and to exchange information with other actors. Communication among actors in the same domain may have similar characteristics and requirements. Domains may contain sub-domains. Moreover, domains may have much overlapping functionality, as is the case of the transmission and distribution domains. Organizations may have actors in more than one domain. Each of the actors may exist in several different varieties, and may contain many other actors within them.

Common terms and language are important when reviewing the various works of industry experts and standardization bodies. The NIST Cyber Security Working Group is presently developing NISTIR 7628, Smart Grid Cyber Security Strategy and

2 Cyber Security| ABB White Paper


Figure 1 Smart Grid Architecture Source: Second Draft NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements Feb.

Requirements. Figure 1 is an extract from the Second Draft of NISTIR 7628 defining the domains and actors and their relationship in the Smart Grid system architecture. An important aspect of the strategy is to clearly define the role and function of an actor and the interface between actors in order to map the cyber security requirements for each actor. The actors illustrated here are representative examples, and are not all the actors in the Smart Grid.

Just as the NIST work focuses on the overall Smart Grid architecture, work has started in the IEEE Power and Energy Society, Power System Relaying and Substations Committees to define the cyber security requirements for substation automation, protection and control systems. Reference architectures for substation automation systems are being defined such that all functions and interfaces related to the applications within the protection and control system are identified and cyber security requirements mapped onto these components and interfaces. The following is an overview of the key actors from a functional and feature perspective for substation automation, protection and control system components:

- System / Protection Engineering & Maintenance (local and external)
- Station Human Machine Interface / Engineering Workstation
- Substation Control System (SCS)
- Intelligent Electronic Device (IED) / Protection and Control Relay
- Breaker IED
- Remote Terminal Unit (RTU) / Gateway
- Distribution Management System (DMS) / Gateway
- Asset Monitoring System



- Merging Unit / Sensor
- Intelligent Current / Potential Transformer / Non Conventional Instrument Transformer (NCIT)
- Phasor Measurement Unit (PMU) / Phasor Data Concentrator
- Security Management System (external and internal)
- Tele-protection / Inter station control (external)
- Supervisory Control and Data Acquisition (SCADA) (external)
- System Integrity Protection System (SIPS) (external)
- Wide Area Protection System (WAPS) / Wide Area Measurement System (WAMS) (external)
- GPS and Time Server (external)
- Distribution Sensor (external)

In addition to the cyber security requirements on the actors and interfaces, the system architects need to also consider other characteristics in the system design such as system performance, availability and reliability. Overall system design and the security solutions can have an impact on system performance if the architecture has constraints like limited bandwidth, small CPUs or restrictive computational capability in some system components, highly distributed systems, slow response times, high sampling rates, etc. It is very important for these characteristics and constraints to be identified as part of the system architecture design and while implementing the security solutions.

The reference architecture in Figure 2 is a Single Boundary Protection Architecture where perimeter protection is deployed and cyber security requirements can be defined on the actors inside the substation as well as the interfaces that extend outside of the security perimeter. In this example, the key actors are the RTU/gateway, station computer/HMI and engineering workplace, protection and control IEDs, and the remote maintenance modem, where cyber security solutions include adherence to device level standards, firewall and VPN protection, anti-virus protection, user access and device management.

Figure 2: Example Substation Automation System Reference Architecture (figure labels: Antivirus, New Security Features, Firewall/Router/VPN, Cyber Security Concept, Deployment Guideline, Perimeter Protection, User Management, Ethernet Switch Configuration)

Additional architectures, such as Process Bus, are also possible for advanced applications such as extending protection and control outside the single perimeter for the IEC 61850-9-2 interface to non-conventional instrument transformers. For this application, special consideration is required and the use of Multiple Boundary Protection, where two or more separate perimeters are established and cyber security requirements are defined for each boundary interface as well as the functional components, or actors, within the boundary, is recommended. In addition to the process bus, other extensions inside the substation can consider wireless interfaces for asset monitoring sensors and other types of monitoring equipment that can provide key information in the operation of the power system apparatus, planning, or control system. Likewise, Substation to Substation architectures including tele-protection, SIPS and WAPS, and downstream connections for distribution automation equipment pose additional considerations related to cyber security requirements. Each of these applications should have an associated reference architecture such that all actors and interfaces are defined, roles identified and cyber security requirements mapped to ensure safe and reliable operation of the power system.
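One way to turn the boundary discussion above into a check a system architect can run over a reference architecture is shown below. This is an added example, not code from the white paper or from ABB; the actor names, zone names, boundary types and required control names are assumptions chosen to mirror the Figure 2 discussion, and it goes one step beyond the single-boundary case by treating the process bus as a second perimeter with its own requirements, as the Multiple Boundary Protection paragraph recommends.

```python
"""Reference-architecture check: every interface that crosses a security
boundary must carry an explicit cyber security requirement.

Hypothetical example added to this page; it is not ABB's code. The actor
names, zone names, boundary types and control names are assumptions
modelled on the white paper's Figure 2 discussion."""

from dataclasses import dataclass, field

# Controls an interface must carry depending on which boundary it crosses.
# Assumption for the example, not taken from any standard.
REQUIRED_CONTROLS = {
    "perimeter": {"firewall", "vpn", "user_authentication"},
    "process_bus": {"message_integrity"},   # IEC 61850-9-2 sampled values
    "internal": set(),
}

# Which (unordered) pair of zones forms which boundary type.
BOUNDARIES = {
    frozenset({"station", "external"}): "perimeter",
    frozenset({"bay", "external"}): "perimeter",
    frozenset({"process", "external"}): "perimeter",
    frozenset({"bay", "process"}): "process_bus",
    frozenset({"station", "process"}): "process_bus",
}


@dataclass(frozen=True)
class Actor:
    name: str
    zone: str  # "station", "bay", "process" or "external" (assumed zones)


@dataclass
class Interface:
    a: Actor
    b: Actor
    controls: set = field(default_factory=set)  # controls actually deployed


def boundary_type(iface):
    """Classify an interface by the zones of its two endpoints."""
    zones = frozenset({iface.a.zone, iface.b.zone})
    if len(zones) == 1:
        return "internal"
    return BOUNDARIES.get(zones, "internal")


def missing_controls(iface):
    """Controls required for this interface's boundary but not deployed."""
    return REQUIRED_CONTROLS[boundary_type(iface)] - iface.controls


def review(interfaces):
    """Return {interface label: sorted missing controls} for every gap."""
    findings = {}
    for iface in interfaces:
        gap = missing_controls(iface)
        if gap:
            findings[f"{iface.a.name} <-> {iface.b.name}"] = sorted(gap)
    return findings


def example_architecture():
    """Constructed architecture in the spirit of Figure 2 (assumed values)."""
    rtu = Actor("RTU/Gateway", "station")
    hmi = Actor("Station HMI", "station")
    ied = Actor("Protection IED", "bay")
    mu = Actor("Merging Unit", "process")
    scada = Actor("SCADA", "external")
    modem = Actor("Remote maintenance", "external")
    return [
        Interface(scada, rtu, {"firewall", "vpn", "user_authentication"}),
        Interface(modem, hmi, {"firewall"}),            # VPN and auth missing
        Interface(hmi, ied, {"user_authentication"}),   # inside the perimeter
        Interface(mu, ied, set()),                      # process bus unprotected
    ]


if __name__ == "__main__":
    for label, gap in review(example_architecture()).items():
        print(f"{label}: missing {', '.join(gap)}")
```

Run stand-alone, the script reports the remote maintenance link as lacking VPN and user authentication and the merging unit link as lacking message integrity; the SCADA link and the internal HMI-to-IED link pass. Adding a zone pair to BOUNDARIES is all that is needed to model a further perimeter, e.g. a wireless asset-monitoring segment.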



Cyber security architectures should be developed not only for the bulk power system, but also as a utility generic policy and guide for achieving higher levels of security in protection and control systems. The architecture should be deployed independent of voltage level or criticality of cyber assets. It is expected that the US government will put additional regulations in place to help secure the Smart Grid, expanding mandatory security requirements to all voltage levels in the power system.

4. Understanding the Risk

Cyber security for automation and control systems has become a huge topic and everyone seems to have an opinion about it. However, the one thing that seems to be missing is a true understanding of the actual risks. Detailed information on real incidents is still a rarity and solutions are usually based on technology decisions rather than a risk based approach. Many standards, regulations and guidelines exist today (see section 7), but few of them contain a rationale based on risk assessment or threat modeling. The driver and deciding factor for developing, purchasing and deploying security mechanisms is too often based on compliance - compliance to regulations, compliance to standards or compliance to industry best practices.

The situation today is not due to a lack of risk assessment methodologies, or because cyber security is not regarded as important. The problem is that risk assessment methodologies use the probability of a threat and its potential impact as a means to calculate overall risk. While there are enough statistical data in enterprise IT environments for both, this statistical information is lacking for automation and control systems.

First, potential threat agents span from script kiddies to organized crime to nation states posing threats ranging from malware, to targeted attacks, to cyber terrorism. Opinions on how real all these threats are, and how likely an attack really is, seem to be as different as the people talking about them. Some say it is all just myth and nothing bad is going to happen while others predict doomsday tomorrow. Cyber terrorism might be a real threat -- it might also not be, there just is not enough data to confirm or deny it. The truth lies somewhere in the middle; cyber security is a real issue, threat agents do exist and threats are a reality.

Second, the potential impact of cyber-attacks on automation and control systems is fast and HUGE. Loss of electricity, even only to a small residential area, can have significant detrimental impact. Loss of heating in a cold winter or loss of air conditioning in a hot summer brings physical discomfort in the best case but can result in loss of life in the worst case. In traditional enterprise environments, the potential impact of cyber security incidents is typically measured in financial damage caused by loss of productivity, downtime, costs to replace and restore systems, or disclosure of proprietary information. Potential damage for enterprise environments does not typically include loss of life.

So how does one then come up with a risk assessment of what to do if, in most cases, the attacker is not known, the likelihood is uncertain, and the potential impact is extremely high? The answer is simple: protect what is most important. Identify what is most important by answering the "what if" question. What if I cannot control this device anymore? What if somebody else can control this device? These questions must be answered without considering any external influence at first, i.e. without looking at potential attackers and threats. If a certain device, certain system or certain piece of data is essential to the reliable operation of the primary equipment then it must be protected appropriately. It is important to point out another difference to enterprise IT security here. In a traditional enterprise the main target of protection is usually data, either from disclosure or from manipulation. For automation and control systems the main target of protection is the physical process and the primary equipment. The "what if" question must therefore not only be asked for the cyber assets but also, and maybe more importantly, for the



primary equipment, e.g. what if someone opens this breaker? Or what if this breaker does not open in an emergency?

Two common misconceptions that still wrongly influence decisions with respect to cyber security solutions are underrating the risk of non TCP/IP based protocols and overrating the risk of physical attacks. Use of serial protocols is often thought of as a secure solution that does not require protection. This belief is sometimes so strong that existing TCP/IP based solutions are replaced with serial protocols for security reasons. Unfortunately this misconception is strengthened by the current NERC CIP regulation which excludes serial protocols as a potential threat vector. However, any communication link can be used for a cyber-attack. Serial protocols might be less prone to attacks but the risk of attacks using serial communication links should by no means be neglected. This fact will likely be reflected by the changes in the upcoming 4th revision of the NERC CIP regulation and is also reflected by ongoing standardization efforts (e.g. IEEE 1711).

Another argument that is often made when discussing the risk of cyber-attacks is the comparison to physical attacks: if an attacker is physically present in the control environment, e.g. in the substation, it would be much easier to physically damage the equipment than to launch a cyber-attack. While this statement is not false, it presents too simplistic a view. Yes, physically damaging the equipment is much easier and does not require much know-how, but physically damaging the equipment is also discovered very quickly and the impact is limited locally. A cyber-attack, on the other hand, could be much more sophisticated, e.g. forcing the system to run inefficiently for a long time without notice, or changing protection settings to force unexpected behavior in an emergency. In addition, a cyber-attack on the local substation might only be used as an entry point to gain access to other systems.

5. Back to the Basics

Before any specific solutions should be discussed, there are a couple of ground rules that must be understood. They are the basics for any successful security program and should be committed to first.

Accept responsibility

Anyone involved with critical infrastructure and automation and control systems has to accept responsibility for improving and maintaining security:

Owner / operator: In the end, the owner / operator is responsible for security, cyber and physical, of any running control system. Of course the various functions, processes, technologies etc. that are needed to fulfill this responsibility depend to some extent on the work and support of others. But, making sure that the overall system security level is adequate at any point in time is the responsibility of the owner / operator. This responsibility also includes putting pressure on vendors and system integrators and making sure they have clear requirements.

System integrator: The system integrator is responsible for ensuring that the security capabilities of all system components are used and configured properly. This includes, but is not limited to, properly setting up network architectures, properly configuring firewall rule sets, and/or following hardening guidelines provided by the vendors.

Vendor: The main responsibilities of a vendor are threefold: quality, functionality and processes. First, the vendors must take every step possible to increase the security quality, i.e. reduce the attack surface and remove as many vulnerabilities and weaknesses as possible. This is mainly done by having a well-defined development process that embeds security artifacts such as threat modeling, security reviews, and/or security testing. Secondly, the vendors must develop security functionality to



support customer and system integrator requirements. Security functionality includes things like proper access control, security logging, and/or support for protected communications. The biggest challenge here might just be the different and sometimes contradictory requirements of the many utility users, regulators, and various industry working groups and standards. Last but not least, vendors must put processes in place to support customers throughout the system lifecycle, e.g. for patch management or vulnerability handling.

From this it should also be clear that security is not a one-time investment or purchasing task where buying a secure control system or buying security add-ons will solve anything. Of course the technology foundation must be there, but security must be continuously addressed throughout the whole system lifecycle. Technology solutions must be maintained, updated, and controlled regularly.

Security is about processes

Technology alone can't address security, or, as Bruce Schneier put it, "security is a process, not a product" (www.schneier.com/crypto-gram-0005.html). Thus, some of the biggest challenges in making substation automation, protection and control systems more secure relate to human behavior and organizational processes. The first step in any security program should be the development of a security policy, a document identifying the overall security goals and objectives and defining what valuable assets need to be protected. The security policy is the basis for any technical, procedural, or organizational security mechanism. Yet, clearly defined security policies don't exist for many control systems today. Creating, communicating, and enforcing a security policy is management's responsibility and should no longer be neglected. After developing a security policy, the next step is to build in processes to help establish and enforce it. These processes, for example, would include employee hiring and separation, but should also describe incident handling and disaster recovery. Additionally, the security policy should offer a well-documented plan about how to deal with possible security incidents or breaches and address questions such as what should be done, who must be involved, and how to restore the system. Just as important as having these processes documented is exercising them regularly to ensure they work.

Ignore compliance - at least at first

Anyone who has compliance as their main security goal might just as well stop. Compliance or certification should never, NEVER be the main goal of ANY security activity. Any security expert will agree that there is no single solution that fits all -- so why would compliance to a single requirement set be any different? The only exception to this might be a regulation or standard that has three simple requirements:

1. Perform a risk assessment according to a well-defined and vetted process
2. Eliminate all risks that exceed an acceptable risk level
3. Redo everything at least annually

For anything else, compliance or certification should be an ancillary effort. If the regulation or standard is reasonable, then compliance should be a natural step of any sound security program. As a vendor we have chosen to follow this principle. We analyze, and contribute to, all major standards and regulations. However, we defined our own security strategy and goals several years ago under the assumption that, if we do a good job, any reasonable security standard or regulation will be accommodated.

Standards, or regulations, and compliance to them can be a good thing. They can provide guidelines when setting up a security program and allow external entities to get an impression of a company's security activities. Certification can provide assurance both within a company but also for external customers. But as stated, compliance and



certification should be a natural side effect of any reasonable, serious security program.

There is no such thing as 100% security

Security is not perfect and it never will be. Vulnerabilities are part of any computer system that was not developed without economic reasoning, i.e. unlimited funds for security. Stakeholders need to accept that automation and control systems are complex IT solutions that will have vulnerabilities and that 100% security is not possible. So instead of condemning a vendor that openly acknowledges a vulnerability, users should recognize this as a sign of accepting responsibility. Instead of hiding instances of vulnerabilities, vendors should accept them, and do anything to mitigate the associated risk even if that means publicly admitting there is a problem. Likewise, owners and operators should not try to hide actual incidents but should share them with others - not only so that everyone can learn and improve their security approach, but also so that a discussion based on facts, i.e. real incidents, can begin.

The fact that there is no such thing as 100% security also means that there will always be security breaches and incidents. It is therefore extremely important to not only put protection mechanisms in place but also mechanisms to quickly detect incidents and to be able to effectively react to, and isolate, security breaches.

Security is not free

Another area where a reality check needs to occur is when looking at the cost of security. Achieving and maintaining an adequate level of security is not free. This is again true for all stakeholders involved in critical infrastructure and automation and control systems. Everyone must be willing to make security investments for the long run, and include the costs in their business models. It would be naive to think that anyone can increase or provide security without costs, and that cyber security does not follow normal economic principles.

6. High Level Security Approaches

Security for substation automation, protection and control systems must cover both physical and cyber aspects. Physical protection includes setting up physical boundaries, e.g. a fence, a closed control house, locked cabinets, or installing video cameras for monitoring purposes. Both physical and cyber protection are necessary, but, for the purpose of this discussion, we will focus on cyber aspects.

A typical, modern substation automation, protection and control system will have at least bay level devices that use real-time communication protocols and are responsible for providing protection. As well, station level computers are used as HMI or gateways to external entities or remote terminal units that connect to network control centers.

Defense in depth

The most important principle for any security architecture is defense-in-depth. Having a single layer of defense is rarely enough as any security mechanism may be overcome by an attacker. It is therefore recommended to architect the system in a way that the most sensitive parts of the system are protected by multiple rings of defense that all must be breached by an attacker in order to get to the crown jewels.

In addition, not only should protection mechanisms be deployed, but also the means of detecting attacks. This includes both technical measures, such as intrusion detection systems, as well as procedural measures, such as review of log files or access rights.

Least-privileges

A second very important principle to follow in any security program is the principle of least privileges. No user or process should be able to do more in the system than what is needed for the job. This principle is not only key to preventing malicious attacks but also very important in preventing accidents. For instance, spreading of a virus that sits on the laptop of an authorized user can be



limited if the user only has minimal access to the system and network.

Network separation

Any computer network should be divided into different zones depending on the criticality of the nodes within each zone. In a typical substation automation environment, separate zones could be envisioned for bay level devices and for the station level devices and computers. Depending on the size of the substation, having separate zones for bay level devices for each bay might make sense. Zones should be separated by a firewall, application gateway or similar.

In addition, the substation automation, protection and control network should be clearly separated from any external network. This can be achieved by using firewalls to control data access to the control network. In order to authenticate accessing entities, the combination of a firewall with a VPN gateway is a good solution. A more secure architecture is to work with a so-called DMZ (demilitarized zone); a zone that serves as a proxy between external networks and the control system.

The single electronic security perimeter required by NERC CIP will often not be enough and is a good example of why security for compliance's sake is not sufficient.

Protected communications

Communication, both within a substation automation system and with external networks, should be protected using encryption and/or message integrity protection, if possible. However, before doing so, one must look at the performance requirements of the communication links to be protected and take into account the impact of cryptographic algorithms. For external connections, the use of VPN (virtual private networks) is recommended for both operational as well as maintenance and engineering connections. This is especially recommended until electric industry specific protocols, and the communication gateways supporting them, have security built-in. There are currently several ongoing industry security initiatives, e.g. DNPv2 or IEC 60870-5-104, but until products are available to support these new protocols the use of VPN technology can bridge the gap.

Within a substation the situation is similar. For engineering and maintenance access, security protocols such as HTTPS or SSH should be used if available (even if the accessing engineer is physically within the substation).

System hardening

Relying on network separation and protected communication is not enough. The defense-in-depth principle also demands protecting each individual system component; this includes system hardening. Every single device or computer within the substation automation, protection and control system must be hardened to minimize its attack surface. Hardening includes restricting applications and open ports and services to an absolute minimum. System hardening must also look at user accounts and ensure that only needed accounts are installed, e.g. no guest accounts, and that strong authentication is enforced. This step is best done by asking vendors to provide information on ports or applications that are needed for normal operations, as well as security hardening guidelines for their products and systems.

Dealing with portable media

Besides static, direct connections between the control network and external networks there also exist temporary, indirect connections that are often not considered when securing substation automation, protection and control systems. Examples of such temporary, indirect connections are mobile devices such as service laptops or portable media such as USB sticks or CDs that are connected to computers within the control network. Because these mobile devices and portable media are rarely used only within the substation (even though they should be in an optimal case) they must be

9 Cyber Security| ABB White Paper


considered a security risk and the control network must be protected accordingly.

Protecting against the risk associated with portable media, e.g. an infected USB stick, is best done by disabling such media on all hosts. If the use of portable media is really needed then it should only be permitted at dedicated points within a dedicated zone that is separated from the control network by at least a firewall and has malware protection running. A more secure solution is to first scan the portable media on a dedicated malware scanning station that is not directly connected to the control network and runs up-to-date malware detection software.

7. Overview of Security Standards, Regulations, and Working Groups
With the increased importance of cyber security for automation and control systems, various working groups, in addition to government driven efforts, have taken on the topic in an attempt to provide standards, regulations, guidelines, or best practice documents. The focus, level of detail, and maturity of these documents vary widely, and not all of them are equally applicable to substation automation, protection and control systems. At the moment, the five initiatives discussed below seem to be the most advanced.

NERC CIP
To date, the NERC CIP regulations have had the biggest impact on electric utilities and have been the focal point of most security programs. The regulation makes a clear statement that the main responsibility for securing the electric grid lies with the utilities and that it is not just about technology but also about processes. There are some shortcomings in the current version, such as the exclusion of serial protocols or the focus on a single electronic security perimeter. An additional area for improvement is the definition of critical assets and critical cyber assets. While the definition of what is deemed critical and what is not has been made a bit clearer with version 4, protection of critical (cyber) assets is still done in an all or nothing fashion. If a cyber asset is classified as critical, all NERC CIP requirements apply. If it is not classified as critical then it need not be protected at all (unless it is within the electronic security perimeter). This all or nothing approach does not take into account different levels of criticality and does not allow for different levels of security, which is a common best practice for the security of computer based systems. However, the current ongoing revision is looking at different levels of criticality, which will hopefully lead to a more realistic and more granular approach to cyber security.

NIST Smart Grid
Cyber security has been identified as a key enabler for the NIST Smart Grid activities and has therefore received much attention within NIST. NIST has released its Guidelines for Smart Grid Cyber Security, a three-volume, 577-page document. The document attempts to take a holistic view of cyber security for the Smart Grid, i.e. looking at all applications of the Smart Grid. The document acknowledges the reality that not all systems can be equally secured and defines different levels of security (low, moderate, and high) and the different requirements for each.

IEEE PES Substation C10 / PSRC H13 (IEEE C37.240)
Within IEEE PES Substations and PSRC, a joint working group has been formed to look at the applicability and the technical implementation of the NERC CIP and NIST Smart Grid security efforts for substation automation, protection and control systems. The goal of the joint WG is to prepare a standard on Cyber Security Requirements for Substation Automation, Protection and Control Systems which provides technical requirements for substation cyber security. It presents sound engineering practices that can be applied to achieve high levels of cyber security for automation, protection and control systems independent of voltage level or criticality of cyber assets. Cyber



security includes trust and assurance of data in motion, data at rest, and incident response.

IEC 62351
IEC 62351 is a technical security standard that aims to secure power system specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the standard were released in 2009, more work is needed before systems compliant with IEC 62351 can be released to the market. First, all the affected communication standards must be changed to support IEC 62351. Additionally, some technical challenges with securing real-time traffic must be addressed by the IEC 62351 working group. [1] provides a more detailed introduction to the IEC 62351 standard series and insights on its technical limitations as they relate to substation automation, protection and control systems.

IEEE 1686
Security of intelligent electronic devices is the scope of IEEE 1686. The document defines in technical detail security requirements for IEDs, e.g. for user authentication or security event logging. The standard very nicely points out that a) adherence to the standard does not ensure adequate cyber security, i.e. adherence to the standard is only one piece in the overall puzzle, and that b) adherence to every clause in the standard may not be required for every cyber security program. With this, the standard gives vendors clear technical requirements for product features but at the same time leaves room for specific, tailored system solutions at the customer site.

8. Security Impact on System Reliability
Evolving technologies like Ethernet and SA standards like IEC 61850 are enablers for the information exchange necessary to provide higher system reliability. These commercial and open technologies are much different from the traditional vendor/utility proprietary systems. The key is to take advantage of the open technology while at the same time creating a security architecture and philosophy that improve the overall security of the Substation Automation System as well as the entire utility IT infrastructure.

As discussed earlier, advanced power system applications like SIPS and WAMS are in development. While their benefit can greatly improve overall system performance and reliability, reconciling system cyber security with system reliability can be extremely difficult. From a system cyber security perspective, a restrictive utility IT infrastructure with limited access will certainly make a breach more difficult and help combat external threats. The present NERC CIP standard is applicable to communications infrastructures using routable protocols (e.g. Ethernet TCP/IP). Adherence to the CIP standards can be achieved by deploying serial non-routable protocols. However, the consequence for system reliability is readily observed: such an infrastructure cannot support advanced power system applications requiring substation-to-substation exchange of real-time phasor information, as this is not possible via a DNP 3.0 serial interface due to bandwidth limitations.

To return to the discussion from the architecture section above, understanding the system performance requirements is critical in being able to deploy a cyber security solution that will meet the utility's security policies. The overall architecture must support the intended application goals; in the example of SIPS, this is improving the overall system reliability, which is the ultimate goal of both security and power system performance.

[Figure: Critical Infrastructure Protection (CIP); Power System Reliability; Reliability; Security; Communications Infrastructure]

Therefore, the optimal system architecture has the communications infrastructure necessary to protect



mission critical assets while permitting the information flow that enables the advanced applications required to improve system reliability. It is a balance between reliability and cyber security.

9. Summary
When we look at the organizations involved in maintaining utility system security (vendors, integrators, end users), it's fair to say that security is everybody's business. To the extent these groups cooperate with one another throughout the system lifecycle, security will be enhanced. At the same time, perhaps the most important aspect of security for the various players to keep in mind is that it is a journey and not a destination. There will always be new threats. Likewise, there will be new methods and technologies for meeting those threats. Vigilance, cooperation and technical expertise, when applied in unison, offer the best defense.

Literature
[1] F. Hohlbaum, M. Braendle, F. Alvarez, "Cyber Security - Practical considerations for implementing IEC 62351", PAC Conference 2010.

Authors' Information

Markus Braendle
Head of Cyber Security, ABB Group

Markus is globally responsible for all aspects of cyber security for the ABB Group. He heads the ABB Group Cyber Security Council, a cross-divisional and cross-functional effort to ensure that ABB offerings fully support customers' cyber security requirements. Prior to this he was the Head of Cyber Security for the Power Systems division and held a number of specialist and management roles within Corporate Research. Markus is a member of several international cyber security standardization efforts and working groups and a recognized member of the industrial control system security community. Markus holds a doctoral and a master's degree in Computer Science from the Federal Institute of Technology in Zurich, Switzerland.

Steven A. Kunsman
Vice-President and General Manager, ABB Power Systems - Substation Automation Products North America

Steve joined ABB Inc. in 1984 and has 27 years of experience in Substation Automation, Protection and Control. He graduated from Lafayette College with a BS in Electrical Engineering and from Lehigh University with an MBA concentrated in Management of Technology. Today, Steve is responsible for ABB's North American Power Systems Substation Automation Products business. He is an active member of the IEEE Power Engineering Society PSRC, including serving as working group chairperson for H13, an IEC TC57 US delegate in the development of the IEC 61850 communication standard, and UCA International Users Group Executive Committee co-chairperson.



Contact us
ABB Inc.
North America Corporate Headquarters
12040 Regency Parkway
Suite 200
Cary, NC 27518
www.abb.com/substationautomation
