Addressing Cybersecurity in Distribution Network SCADA Systems

Press Release

November 2019
NOJA Power Recloser

For the electricity distribution grid operator, for much time the control systems of the grid were protected by “Security by Obscurity”. The SCADA protocols and communications infrastructure that was (and in most cases still is) used to control the electricity distribution grid is based on essentially insecure protocols with no inherent design to handle the threat of adverse action by internal players or third parties.

It isn’t the inherent fault of the existing systems, they are designed to operate reliably and robustly under challenging environments, providing control and data in an era before data management was the science that it is today, enabled by advances in information processing technology. But with the global democratization of knowledge and information, the validity of SCADA systems that purport “Security by Obscurity” or claim immunity to cybersecurity threat through use of serial communications are losing credibility. Fortunately, much work has been completed by the technical working groups associated with energy network SCADA communications protocols. With the release of the Distributed Network Protocol Secure Authentication Version 5 (DNP3-SA v5), legacy systems, even those based on serial communications, can deploy cost effective strategies to raise the technical bar for would-be assailants.

Threat Modelling:

Foundational knowledge in the school of cybersecurity cites the “Security Triad” as the bedrock of understanding the discipline. Whilst commonly known in the information technology profession, the core tenets of Availability, Integrity and Confidentiality have extended implied meanings in application to the electricity distribution networks explored in table 1.



Triad

Description

Electricity Network Examples

Attack Type

Availability

Is the asset available for service

Is the relay still operational or is it being occupied by responding to messages

Denial of Service

Integrity

Are messages authentic, unaltered from what was originally sent, or genuinely originates from the source which it claims

Is this command to trip the breaker legitimate? Did my circuit breaker really close onto the worksite? Did the control room really issue a command to close the bus-tie?

Spoofing
Man-In-The-Middle
Replay Attacks

Confidentiality

Whether messages can be read by unauthorised viewers

External parties knowing power system parameter information

Eavesdropping
Traffic Analysis (forms of data leakage)



Through understanding the security triad in the context of the electricity distribution grid, we can build a comprehension of the threats facing the DNSP. Using a risk likelihood/impact matrix, it is possible to ascertain the impacts for which a technical mitigation strategy should be implemented, or those for which insurance policy should be sought.

For Distribution networks, credible threats include:

  • Spoofing (pretending to be authorised to send commands such as “trip” or close to a circuit breaker)
  • Modification (editing messages in transit to change data reports or control operations)
  • Replay (Capturing messages on open links, such as a radio network, and replaying them again to cause network havoc)

Ironically, the immediate non-technical reaction is the request for encryption of communications to improve security. The reality is, in the case of a replay attack, the attacker doesn’t need to know what the message says, but if they replay it, the receiving device will simply unencrypt the message and act on its contents. Encryption is not the only answer – it only addresses part of the problem, which is often only a small portion of a DNSP’s attack surface.

Authentication however, is a far more effective mitigation strategy. If only authorised actors in the network are allowed to send commands, and remote devices are equipped to differentiate between legitimate and bogus instructions, the network resilience to cyberattack grows exponentially. Fortunately, the DNP3-SA v5 implementation available in switchgear assets charged with controlling and protecting the distribution networks today such as NOJA Power’s OSM Recloser system give DNPS’s a cost-effective credible method for deploying a cybersecurity hardening program. When remote network Intelligent Electronic Devices (IEDs) such as reclosers can tell the difference between genuine and faked commands, cybersecurity is greatly improved.

Essentially, DNP3-SA v5 is a backwards compatible upgrade of the standard DNP3 protocol used throughout DNSPs today, which provides Application Layer user Authentication. In doing so, DNP3-SA ensures that messages that are communicated through SCADA were indeed sent by authorised users, and remote devices or the master station can confirm that they have not been tampered with. DNP3-SA was developed on the basis of IEC 63251-5’s standard for cybersecurity, informed by various other ISO, IETF and NIST standards.

In the security triad, DNP3-SA resolves Integrity of the system, which addresses the major threats to electricity distribution. This technique provides a technical mitigation for Spoofing, Man-In-The-Middle and Replay attacks, all of which pose significant threat to DNSPs. The use of DNP3-SA effectively removes these threats from DNSP networks, and with the availability of compliant assets such as NOJA Power’s OSM Recloser system, utilities can address cybersecurity standards such as IEC 62351 with their existing asset base.

Version 5 of DNP3 Secure Authentication solves some of the organisation challenges in taking on the operational overhead of raising security levels. V5 adds the ability to remotely change keys, and configurable options to use pre-shared authority certification keys or a security certificate. Better protection against Denial of Service attacks is also included along with better logging capabilities, along with support for additional cryptographic algorithms and security statistics objects.

“Most of our electricity utility customers globally today are focused on improving the security in their communications systems. A reasonably easy first step is to add DNP3 secure authentication capability to their master station,” reports NOJA Power Group Managing Director Neil O’Sullivan. “Our recloser controls have had DNP3 secure authentication available since 2015. To enable secure authentication in our RC10 DNP3 devices installed in the field it is simply a matter of turning it on once the master station supports DNP3 secure authentication.”

As the information barriers around the operating technology of the distribution grid continue to collapse, both IP and serial based control networks have growing vulnerability to cyberattack. DNP3- Secure Authentication provides utilities with a cost-effective method to greatly reduce the attack surface of their electricity network and is included as standard as a feature in the NOJA Power OSM Recloser System. To find out more, visit www.nojapower.com.au or contact your local NOJA Power Distributor.