
SAS Cyber Security Technical requirements

1. Electronic perimeter protection and defence in depth


The substation automation system perimeter shall be protected by firewalls. Firewalls shall be
placed on network boundaries (places where traffic enters/leaves the SAS network).

2. System architecture
The substation automation system shall allow network segmentation or creation of several zones
in order to minimize any adverse impact in case one zone is compromised.

3. Product & System hardening


All components of the system shall be hardened using well-known tools and according to
best-practice guides. For example, unused services and unused ports shall be closed. The products
shall be tested using state-of-the-art commercial and open-source security robustness testing tools.
Furthermore, the latest security patches and service packs shall be installed upon handover of the
system. Unnecessary user accounts, default users, programs, network protocols and services shall
be removed.

4. Logging and alarming


4.1. Security event logging
Products in a substation automation environment shall have the possibility to log all
security-relevant user activity such as user log-in, log-out, change of parameters or configurations,
and updates to software or firmware. For each event, date and time, user, event ID, outcome and
source of event shall be logged. Access to the audit trail shall be available to authorized
users only.
4.2. Security event collection
Security events shall be collected using a standard IEC 61850 mechanism or a similar de facto
standard such as Syslog. At the central place it should be possible to analyse the security
events, and a report shall be generated.
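
One way to check collected records against the five fields listed in 4.1, as an added example that is not part of the original requirements. It assumes events arrive as RFC 5424 Syslog lines, with date/time, source and event ID in the TIMESTAMP, HOSTNAME and MSGID header fields and user and outcome as structured-data parameters; the `sec@32473` element and all sample records are constructed.

```python
import re
from collections import Counter

# Assumed mapping of the 4.1 fields onto an RFC 5424 record (not from the spec):
# date/time -> TIMESTAMP, source -> HOSTNAME, event ID -> MSGID,
# user and outcome -> structured-data parameters.
REQUIRED = ("timestamp", "source", "event_id", "user", "outcome")
HEADER = re.compile(r"^<\d{1,3}>1 (?P<timestamp>\S+) (?P<source>\S+) \S+ \S+ "
                    r"(?P<event_id>\S+) (?P<sd>.*)$")
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the 4.1 fields present in one record, or None if unparseable."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("timestamp", "source", "event_id")}
    # Read parameters only from the leading [...] element, not the free-text message.
    for key, value in SD_PARAM.findall(m.group("sd").partition("]")[0]):
        if key in ("user", "outcome"):
            event[key] = value
    # RFC 5424 writes an absent header value as "-"; treat it as missing.
    return {k: v for k, v in event.items() if v not in ("-", "")}

def missing_fields(line):
    """List the required 4.1 fields that a record does not carry."""
    event = parse_event(line)
    if event is None:
        return list(REQUIRED)
    return [f for f in REQUIRED if f not in event]

def report(lines):
    """Flag incomplete records by line number and count events per outcome."""
    incomplete, outcomes = {}, Counter()
    for number, line in enumerate(lines, 1):
        missing = missing_fields(line)
        if missing:
            incomplete[number] = missing
        outcomes[(parse_event(line) or {}).get("outcome", "unknown")] += 1
    return {"total": len(lines), "incomplete": incomplete, "outcomes": dict(outcomes)}

# Constructed sample records; hosts, users and event IDs are made up.
SAMPLE = [
    '<86>1 2024-03-01T08:15:02Z ied-bay1 hmi 412 LOGIN [sec@32473 user="operator1" outcome="success"] User log-in',
    '<84>1 2024-03-01T08:16:40Z ied-bay1 hmi 412 LOGIN [sec@32473 user="admin" outcome="failure"] User log-in',
    '<86>1 2024-03-01T09:02:11Z gateway1 cfg 77 PARAM_CHANGE [sec@32473 user="engineer2"] Setting changed',
    '<86>1 - ied-bay2 fw 9 FW_UPDATE [sec@32473 user="engineer2" outcome="success"] Firmware updated',
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

Records flagged as incomplete point to a product or collector that does not meet 4.1 and should be followed up before relying on the central report.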

5. Secure Communication
Communication from outside to the substation automation system shall use secure protocols such
as HTTPS or VPN.

6. Authentication and authorization (User Account Management)


The system shall allow user authentication and authorization on an individual user level. User
authentication shall be required and authorization shall be enforced for all interactive access to the
products.
User accounts shall be managed freely, allowing creating, editing and deleting user accounts, and
defining usernames and passwords according to the policies.

7. Central User Account Management (Role Based Access Control)


Centralizing user account management will reduce management effort. The substation automation
equipment shall support Role Based Access Control (RBAC) using the LDAP protocol based on the
existing international standard IEC 62351-8. Network equipment such as routers and firewalls
shall support IEC 62351-8 or the de facto standard RADIUS.

8. Malware Protection
Anti-virus or other malicious software prevention tools (such as Application Whitelisting) shall
detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware.

9. Patch Management Process


A patch management process shall be in place which verifies the compatibility between the SCADA
application and security patches released for 3rd party software.

10. Backup and Disaster recovery


Backup and restore copies of the most important files shall be stored, so as to always be prepared
for the worst. Backups shall be stored on another drive, on a DVD or on a network.
