Connecting, Securing Substations to Smart Grid

Friday, May 1, 2015 @ 04:05 PM gHale

By Heather MacKenzie and Howard Linton
North American power utilities have large numbers of electrical substations that operate well but end up not connected to a central Energy Management System (EMS).

These islands of critical infrastructure come equipped with legacy devices running on proprietary protocols. Impossible to monitor without someone physically visiting them, these substations prevent utilities from delivering on the promise of the smart grid.

Security Plan for Electric Substations
Securing Network Access
Defense in Depth: Substation Communications
Defending ICS Against Dragonfly Attacks

The smart grid vision is to transform the traditional electrical grid from a reliable but inflexible system to one that is adaptable and efficient. Benefits such as being able to reroute power transmission quickly when there is a problem and incorporating non-traditional energy sources are just some of its aims.

Imagine you run a utility with hundreds of legacy substations that you cannot connect to from a central location. The longer you have this problem the longer your network is going to be out-of-step with an important capability.

Now imagine there is an easy way to connect legacy substations to a central system. “Fantastic,” you think, “What is it?” And “Does it bring with it any new problems? There can be a cost-effective solution for this dilemma that connects substations to the smart grid and secures them.

SCADA Challenge
The key piece of legacy equipment preventing the two-way communication of data with older power substations is the Remote Terminal Unit or RTU. RTUs control these substations and they perform critical duties, for example, measuring the power transported and protecting the crown jewel of the site, the transformer.

If a transformer goes down, it can cost two million dollars and take two years to replace. RTUs protect the transformer by breaking the circuits to it if anything abnormal occurs such as shorts, faults or a tree falling.

Older RTUs connect analog and digital inputs in electrical substations using out-of-date serial communication standards like CDC and GETAC. While it is inexpensive to exchange the RTU itself to one that supports IP and modern serial communications, the replacement triggers a domino effect of other changes. The total cost can easily add up to a $100,000 per substation.

The reason for the high cost is the substation needs to end up rewired to support the new RTU and, once upgraded, ICS security comes into play. This makes each upgrade a project that involves taking the substation off-line and requires proper planning, scheduling and documentation. All-in-all, replacing those old RTUs, and perhaps moving to IEC 61850 compliant networks, requires a very significant expense and time commitment.

OT tools over IT
The equipment of typical IT networking vendors cannot function with the old substation protocols. However, there is a solution available in devices that are a combination router and firewall.

The cost-effective device can end up deployed by simply connecting it via a serial port to the legacy RTU and also to an IP-based external network, or frame relay network via T1 or DDS circuits. The installation is simple, and there is no need for other substation upgrades.

The device can communicate with older RTUs by encapsulating the old protocol messages in a number of wrapper options to include TCP/IP, directly in Frame Relay or Ethernet, without the use of IP. These products support legacy substation protocols rarely supported.

Once two-way communication with the substation initiates, a security control point needs to end up established to restrict and monitor traffic flowing into and out of the substation. These devices can control and monitor traffic into the substation by comparing it to a predefined security policy and discarding messages that do not meet the policy’s requirements. External to the substation the devices interface transparently with IT systems, using security protocols such as RADIUS and TACACS+.

Having a device in place is a great thing, but a Defense in Depth approach to industrial cyber security and more measures could help you strengthen overall security.

Utility Benefits
Power utilities immediately benefit from installations of the router/firewall devices with access to real-time data from previously isolated substations. Instead of having to send someone to a substation to get the fault records when something goes wrong, now they can see, diagnose and address problems from a central location.

One case in point is an installation at a West Coast utility that is installing two-in-one routing and security solutions in 55 substations to remotely manage them. In another case, an East Coast power company is installing 300 devices to communicate with its substations. Both of these organizations benefit by being able to incorporate legacy substations into their smart grids now and migrate their overall network to a new generation backbone over time.
Heather MacKenzie is with Tofino Security, a Belden company. Howard Linton, a field application engineer with more than 25 years of experience working with power utilities. Click here to view Heather’s blog.

Leave a Reply

You must be logged in to post a comment.