The power grid has been physically exposed and vulnerable to vandalism for decades, but a far more serious threat has emerged in recent years – cyberattacks that can shut down all or parts of a power network.
It is no coincidence that the vulnerability is a result of the grid’s increasing dependence on computers and data-sharing to operate more efficiently. This has made grids much more responsive to changes in power demand and integrating renewable energy sources, but it also means computerized grid control must be strongly protected from abuse by cyber attackers who may try to hack into the system.
Hitachi Energy’s customer is a national grid operator in Northern Europe controlling 15,000 kms of power lines, 160 substations, switching stations and 16 overseas power connections. Customer’s challenge was that they didn’t have the ownership of the substation buildings and therefore control of the physical access was not in their hands. This needed to be replaced by logical access control. Highest priority was to protect the network and access to the control center.
Secure RTU upgrade
The customer wanted to upgrade remote terminal units (RTUs) in all of its substations. The job started in 2014 and was completed in 2017.
A major focus of the update was to secure communication to all the substations together with enabling TCP/IP communication. In this project customer required standardized protocols and security mechanisms to protect communication.
Hitachi Energy fullfilled customer’s requirement with secure authentication of network equipment and TLS encryption of communication protocol to the control center.
Secure authentication of network equipment
A major requirement of the customer was secure authentication of all network equipment, based on the IEEE standard 802.1X. Authentication verifies the identity of a network device (RTU) and ensures that the RTU is owned by the company.
The IEEE 802.1X standard provides an authentication mechanism for devices that enables them to securely join a local area network (LAN).
The 802.1X standard utilizes an Extensible Authentication Protocol (EAP) to define how authentication messages are sent between devices. 802.1X protects against unauthorized network access and IP spoofing (creation of IP packets with false IP addresses, designed to hide the sender’s identity or impersonate another computing system).
- Client (supplicant) asks for authentication.
- The Switch (authenticator) forwards the authentication request to the authentication server.
- After successful authentication client gets access to the network.
- IEC 870-5-104 secure.
Customer had requested that all devices fulfill the standard as a part of their security strategy. ABB fulfilled customer’s demand by implementing and testing together with the customer in his laboratory. After successful testing the roll-out will be done throughout the whole network.
Secure control communications
Another major customer requirement was to provide secure communications with the control center. In the past only serial and proprietary protocols were used, but in this project the clear need was to use standardized protocols and security mechanisms.
A part of the strategy to enable TCP/IP communication, the customer specified IEC 60870- 5-104 as a communication protocol to the control center. Although IEC 60870-5-104 protocol includes no security features, it can be combined with TLS encryption based on the IEC 62351-3 protocol. The advantage in this kind of communication is the endto-end encryption between RTUs and network control centers. This implementation provides data integrity, supported by digital certificates (X.509) and mandatory mutual authentication of client and server.
Hitachi Energy’s successful implementation and configuration offers cost reductions for engineering and secures the customer’s network communications system providing protection against:
- Unauthorized network access (IEEE 802.1X)
- Unwanted cyber incrusions like eavesdropping (TLS encryption)
- Man-in-the-middle attacks (Message authentication)
- IP spoofing (Certificates)
- Replay attacks (TLS encryption).