Cigre Australia

global know-how


In the Loop

WG D2.50 – TB 840 - Electric Power Utilities’ Cybersecurity for Contingency Operations

During all stages of disaster recovery and reconstitution, access to critical information is needed by all players. They include external utilities providing emergency field crews and federal, state, and local government support agencies. Emergency response teams seconded from outside the system perimeter need access to critical system information, but will find cyber security barriers to entry.

The rapidly evolving data management systems and associated risks require constant attention.  In recognition of this, WG D2.50 has produced Technical Brochure 840, Electric Power Utilities’ Cybersecurity for Contingency Operations.  The Australian members on the Working Group were Chris Worrad (who produced this article) and Liz Williams.

Technical Brochure 840 proposes a two-step process:

  • During the initial stages of disaster recovery, selected players need operational access to substation communication networks, and power system automation and control devices. Access control mechanisms within these devices need to be disabled, allowing temporary access until the system is restored.
  • Prior to restoring service to the customers, operationally secure access device control, and use, privileges need to be reinstated and, where necessary, improved.

Temporary emergency roles necessitate a change of cyber physical access to sites. TB 840 contemplates four disaster scenarios to adapt NERC CIP-006-6 (Physical Security of Bulk Electrical Cyber Systems) general visitor requirements and logging methods, to an emergency situation. They are:

  1. No power at the field site, but emergency communications are available.
  2. No emergency communications are available, but temporary power is available at the field site, (viz. standby generators/batteries, or mobile generators transported with the field crew).
  3. No emergency communication or power is available at the field site.
  4. Redundant system with power and emergency communications is available.

 Through the analysis of these 4 scenarios, TB 840 pre-empts the difficulty in recognising a legitimate new player with access and use control privileges. It sees this being accomplished by implementing agreements establishing a centralised management authority, and decentralising execution responsibility.

TB 840 includes an Annex describing the arrangements established by the Australian Market Energy Operator (AEMO) for the centralised coordination of multi-jurisdiction emergencies across the National Electricity Market (NEM). AEMO’s emergency responsibilities are outlined in its Power System Emergency Management Plan (PSEMP).

The PSEMP creates some specific official roles under emergency arrangements including a NEM officer and several jurisdictional officials. In future it may designate a cyber duty manager. Consideration of international practice within Working Group D2.50 confirmed that the AEMO emergency planning model typifies international utility emergency planning, in that external players are often added into the response team.

The research of Technical Brochure 698, Annex C, and Working Groups D2.46 and B5.66 introduced the use of model-based system engineering (MBSE) to describe the logical architecture of the power system of interest. MBSE is well suited to address the issues of balancing normal cyber physical security requirements, and the secondment of external disaster recovery services/participants.

TB 840 utilises MBSE methodology to model role-based access control (RBAC), and attribute-based access control (ABAC), guiding the configuration and settings of the system Intelligent Electronic Devices and Normal/Emergency Communication System devices during a crisis.

ABAC exposes several use requirements that should be explicitly required by the centralised management authority’s implementation procedures. For example, only approved locations and client devices should be authorised for use by the cyber duty manager. Furthermore, there may be a restriction on the time of the authorisation.

CIGRE plays an important role in sharing member’s knowledge and experience via its Technical Brochures, and TB 840 forms part of, and is informed by, that technical library.

Future working groups could develop the scenarios/processes described in TB840 to address how utilities generally manage digital certification, whilst supporting cross-certificate signing between utilities and external agencies during a crisis.

TB 840 will be useful to central authorities wanting to use a consistent and systematic approach (viz. MBSE) to incorporate cyber physical security ‘trust’ processes within power system emergency management plans.

The Technical Brochure is free to members and 170€ for non-members