Cybersecurity Intrusion Detection for Station and Process Bus Applications in Substations: Challenges and Experiences

Abstract

Numerous cyber-attacks on critical infrastructure triggered utilities to implement sophisticated cyber security measures to protect the electrical grid. For example, firewalls and “air gaps” are currently used to safeguard substations. However, these can be evaded through remote access tunnels or computers directly attached to the station network. Therefore, measures are needed to detect cyber threats in substation networks to respond quickly and minimize consequences.This document describes how to apply the different NIST Cybersecurity Framework (CSF) functions: Identity, Protect, Detect, Respond, and Recover to substations and which benefits emerge from utilizing what IEC 61850 standard offers. The frequently used attack vector on industrial control systems is the connections to services in corporate IT and control centers or temporary maintenance connections.Another entry point is engineering workstations connected to substation networks. Finally, the storage of settings and test documents could also be an entry point for attackers and malware.