www.efacec.

com

CYBERSECURITY
for Substation Automation Systems

Cybersecurity in the utility is about managing risk and taking
appropriate mitigation measures to ensure system operation under
economic efficiency and, if applicable, also meeting required
regulation and standards compliance. As a dynamic and evolving
threat, managing cybersecurity requires a mix of different aspects,
not only technological but also organizational. Depending on the
required deployment level ascertained by the risk assessment
initiatives, cybersecurity measures to be applied may include,
among others, skillset improvement, changes to process and
organization, revision of system architecture and specifications,
and, monitoring and management.
Cybersecurity adoption must further consider SAS requirements
regarding reliability, availability, performance, long-term
maintenance, migration and legacy management, as well as
integration of multisourced and multigenerational technologies.
Not less relevant is the fact the cybersecurity challenges need to
be addressed by multiple stakeholder and entails cost. The impact
of cybersecurity measures is multifaceted, potentially wide and
deep, hence measure deployment must be balanced with cost,
determined risk level and the benefits of enhanced connectivity
to the substation.

PRODUCT AND SYSTEM

DEVELOPMENT PROCESSES

CYBERSECURITY VERIFICATION
VULNERABILITY IDENTIFICATION,
IN SAT, FAT OR SIMILAR SETTING
RESOLUTION AND CORRECTION

SUPPORT FOR
SECURE REMOTE ACCESS PRODUCT AND SYSTEM

IMPACT SECURITY HARDENING

MONITORING
AREAS
DATA/INFORMATION
PROTECTION

RECOVERY MECHANISMS SUCH AS

BACKUP AND RESTORATION
AUTHENTICATION AND USER
ACTIVITY MONITORING
System Cybersecurity Deployment Levels

Understanding that the adequate level of cybersecurity measure deployment is

highly dependent on the specific requirements of each customer, Efacec establishes
three distinct cumulative levels to be considered for securing the SAS.
L0 are considered the fundamental requirement for any system with TCP/IP
connectivity from the substation to the control room through a privately-owned
and secure WAN, and can be deployed with limited impact even to legacy systems.
The principle is to isolate a given perimeter with security measures (ex: the whole
SAS) and be able to recover from security incidents with limited unavailability.
L1 includes the general recommended practice considering substations today,
enabling higher benefits with initial support for remote access for engineering as
well as cybersecurity management. It can be realistically implemented in many
scenarios today, either in new SAS or updates to existing systems. In addition to
perimeter security additional security zones isolate different P&C subsystems with
enhanced hardening of station level subsystems.
L2 includes the anticipated future evolution of SAS cybersecurity, but one that
requires significant investment including the replacement of existing devices,
availability of new products and establishment of new architectures. Furthermore,
strong cybersecurity processes and capabilities within the utility organization must
be in place for such measures to be effective. Readers need also to be aware that
critical technical standards are not yet fully in place for several of L2 measures, for
example related RBAC and end-to-end security. L2 measures are applicable in case
of TCP/IP connectivity between substations, SIPS/WAMS or full remote engineering/
management capabilities are to be introduced.

Figure 1. Example Secure Architecture Overview: Cybersecurity Perimeter and Zones

Level Measures
Physical security and access limitations to site and equipment
Single perimeter “bump-in-the-wire” protection through external firewalling, secured tunnelling (VPN) with
L0
possibly separate channels to gateway and maintenance/engineering computer (with remote access through
Entry-level
terminal services, if required)
Disaster recovery mechanisms/procedures
Enhanced security for station-level functions and devices:
• User Authentication and RBAC
• Remote user management
• Host security hardening
• Different security perimeters within the SAS for station level functions and SAS LAN
L1 • Antivirus and malware protection
Basic • Patch management
• Protection against portable media and mobile devices
Cybersecurity monitoring
Version management
Use of secure protocols for engineering/maintenance tasks (ex: SSH)
Patch management for all devices
IDS and IPS
Centralized User Account Management
Extended RBAC for operation, maintenance and engineering at all SAS functional levels
L2 Nodal identification and authentication certificates, protocol encryption and secure exchange of keys and other
Enhanced critical cyber-security elements based on IEC 62351
Extended Layer 2 and 3 security measures within the SAS LAN
Host security hardening for all devices
Configuration management
Specialized data/information management and asset/system management software

Figure 2. Example Secure Achitecture Overview: Applications and Data Flows

Cybersecurity Lifecycle Support
Efacec is aware of the cybersecurity lifecycle issues concerning Substation
Automation and currently provides issue identification, remediation, product
bug/flaw fixes and issue reporting through its product and system technical support
process.
During the entire product lifecycle Efacec monitors issue reporting and evolution
related to the OS subsystems as well as any third-party and open source components
included in the products. Efacec product development process includes feature
traceability supported by issue tracking software as well as work item, source
code and documentation control. Updates and patches are fully versioned and
documented with relevant functionality impacts addressed.
Cybersecurity procedures and methods adopted during the system engineering stages
and delivery are coordinated with the final user according to project requirements.
Efacec is able to provide cybersecurity testing of systems (including vulnerability
scanning and penetration testing) in line with the recommended cybersecurity
architectures and according to agreed project requirements.
Efacec is strongly committed to improving the cybersecurity level of both its
products and systems offer for substation automation. As part of Efacec open
systems and standards compliance policies, product development is driven by SAS-
applicable international standard clauses namely those included in the IEC 61850 and
IEC 62351 family of TC 57 standards.

Due to our policy of continuous development, specifications may change whithout notice. Not valid as a contractual item.
View the product on our website.

Efacec Energia, Máquinas e Equipamentos Eléctricos, S.A.

Automation Business Unit mod. CS426I1808A1
Rua Eng. Frederico Ulrich - Ap. 3078 | 4471-907 Moreira Maia | Portugal | Tel: +351 229 402 000 | Fax: +351 229 485 428 | ase.eng@efacec.com | www.efacec.com/automation