Cyber Security in Power Systems

This article provides a brief commentary on cyber security in a power system with a focus on Australia and New Zealand aspects and covers telecommunications, information systems, protection, and automation.  A number of Technical Brochures are referenced, including one from B5 and one from D2 that have just been published. The article also refers to surveys recently conducted by AP B5 and AP D2 and to some of the papers on this subject that were presented at the 2020 CIGRE e-session.

 Cyber security commonly refers to the safeguards and actions that can be used to protect the cyber (computer network) domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cyber security strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein.  Power system utilities utilise cyber connected computer networks for different purposes such as administration, management, operational control, data communication and protection systems. 

The era of digitalisation has improved power system performance and productivity but has also introduced challenges to the reliability of electricity supply, due to the introduction and exposure of vulnerabilities in digital systems, architectures, and communications. This situation calls for new security requirements for digital systems and the underlying architecture used in power system utilities. Security requirements have to be derived from appropriate risk assessments and general architectural decisions.

Guidance and standards recommend that a number of technologies, system processes, policies and practices be employed to deal with the overlapping domains illustrated in Figure 1. 

Figure 1: Concept of Overlapping IT Domains

In the CIGRE 2020 e-session this year, D2 had a total of 14 papers covering various aspects of cyber security, including Security Operations Centre, threat modeling, role based access control and cyber security issues in Electric Vehicle infrastructure.  A paper by our Australian member addressed the use of machine learning in threat detection and prevention.

The AU D2 Panel was recently surveyed about the cyber security standards and frameworks used amongst the 23 utility panel members in Australia and New Zealand.

The results showed that the following standards and frameworks are used extensively in Australia / New Zealand utilities:

• Australian Energy Sector Cyber Security Framework (AESCSF) for Australian Utilities
• Voluntary Cyber Security Standard for Control Systems Operators (VCSS-CSO) for NZ utilities
• ASD publications and guidelines
• IEC62443
• ISO 27001
• CIS 20
• NIST publications (including SP 800-82, 800-30)

It is encouraging to see that over the past 5 years, the Australian and New Zealand utilities have embarked on significant efforts to uplift their cyber security capabilities, by adopting these standards and frameworks and being involved in local and international cyber security forums. 

The AU B5 panel has also noted and discussed the increased application of more configurable and flexible digital protection and associated interconnecting LAN networks. This has enabled innovative protection and automation schemes to be developed within Australia and New Zealand to deal with the changing power systems.   Remote access to protection devices has greatly assisted in analysing protection operations and aided power system restoration.  To deal with associated cyber security risks, the developing local and international best practice use on device password management and architectures that separate data streams has been shared, along with other wider measures. Technical Brochure 790 discusses issues, approaches, capabilities, techniques and solutions particularly based on the emerging threat landscape. In addition to referencing relevant standards and tools, it also makes recommendations for improvements.

At the 2020 CIGRE e-session, some B5 papers touched on cyber security.   In particular, a paper on human resource aspects in protection asset management highlighted cyber security awareness and knowledge development as a key new required skill when moving from legacy to digital Protection, Automation and Control Systems (PACS).  This is illustrated in Figure 2. The paper also highlighted the need for human resources (including protection and automation engineers) to learn more about emerging cyber security aspects.  Particularly relevant papers were 108, 117, 216 and 220.

Fig 2: The changing skills required to deal with the digital evolution of PACS

The following are the Technical Brochures published by CIGRE in the last 6 years relating to cyber security. These can be accessed on e-cigre and are free to CIGRE members:

• TB790 Cyber security requirements for PACS and resilience of PAC architecture (2020)
• TB796 Cyber security: Future threats and impact on electric power utility organizations and operations (2020)
• TB762 Remote service security requirement objectives (2019)
• TB 615 “Security architecture principles for digital systems in Electric Power Utilities”(2015)
• TB603 Application and Management of Cyber Security Measures for Protection and Control (2014)
• Electra Number 276 'Status of cyber security' article (October 2014)

Papers from the 2020 e-session are available on the CIGRE website to all who registered.  If you did not register for the event, access to all the papers and recordings of the session will be available until December 31 to all new registrants at a fee of  €100 for members and €200 for non members.