In days gone by, activists flattened pylons to forcibly isolate smaller areas from the energy grid. Nowadays it’s hackers – whose motives range from political to purely financial – who are attempting to use digital means to remotely access our critical infrastructure.
Protection engineering and SCADA technology, or the Station Automation System (SAS), are part of the critical infrastructure of utilities. They make an essential contribution to maintaining the energy supply. These infrastructures must therefore be protected against unauthorised access and against illogical switching actions that disrupt the energy supply or destroy equipment.
Andreas Klien, the Product Manager responsible for cyber security products at OMICRON, explains the challenges facing substation operators today.
“To get a better handle on this, we look at the possible attack vectors that might be utilised against the station control and protection technology. How could a hacker or malware get into the substation? Where is the path of least resistance as far as a potential hacker is concerned? What would make their job as easy as possible? This is the first thing an operator has to consider.”
StationGuard, OMICRON’s IDS (Intrusion Detection System), protects these critical infrastructures against almost all conceivable cyber attacks or unauthorised actions. It contains the accumulated know-how from many decades of worldwide engineering work in switchgear, as well as research on IEC 61850 network analysis.
With its unique approach – a combination of cyber security threat monitoring and functional monitoring – StationGuard not only detects unauthorised activity on the substation network, but also identifies problems in the IEC 61850 communication, enabling it to detect different types of malfunctions in the substation to allow a quick response.
To achieve this, StationGuard imports the SCL (Substation Configuration Language) file of the substation to create a complete system model of the automation system and the substation, and then compares each individual network packet with the live system model. Because the model is derived from the SCL description, this process works independently and without a learning phase, with just a few additional manual inputs.
An essential feature of StationGuard is its ease of use. Its user interface is adapted to the diagrams and terminology in substations and does not use special IT terminology. Therefore, all information is easily understood by protection and control engineers.
Because the network traffic is verified at such a high level of detail, StationGuard detects both illegal packet encoding and unauthorised control commands, as well as errors in the sequence numbers and more complex measurements such as message transmission times or critical states of the IEC 61850 quality bits. StationGuard emits very few false alarms because it knows the typical maintenance operations and accounts for them in a specialised maintenance mode.
The IDS itself is protected by a secure measured boot chain (via a crypto chip), encryption of data and communication, and a specially hardened Linux operating system. In addition, OMICRON’s StationGuard experts assist users with questions about alarms reported by the IDS. To do this, they can analyse the network recordings of StationGuard to assess whether a potential threat situation exists.