Data Encryption for Substations

Encryption has become standard practice in other verticals that depend on online data transfers, such as online banking and shopping.

01/15/2013


The consulting-specifying engineer should be familiar with encryption schemes for all devices connected to the substation. Encryption has become standard practice in other verticals that depend on online data transfers, such as online banking and shopping. In fact, due to the ease with which encryption can be accomplished and the low cost of the semiconductors that enable it, encryption will become a universal expectation. So it is today with power.

The substation owner and/or utility involved may be presented with an operational liability if encryption isn’t applied to data generated by sensors and controls. The use of “clear text” is simply too risky. (That operational liability could well become a legal one if operational data was breached by a malevolent actor and used to damage property or inflict harm on human life.) The encryption of information output from or to intelligent electronic devices (IEDs) or traveling between them falls under IEEE 1711™ “Trial-Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links.”

Encryption, fundamentally, is a cyber security issue. Encryption is applied specifically to avoid the unauthorized access to data, which could thwart an intentional attack or protect against the unintended consequences of mistakes made by authorized personnel.

Be aware, however, that encryption of data adds “overhead,” or latency, to its transmission over the substation communication network.

And the CSE should be aware of technical solutions which are available, such as the encryption of data on serial links, such as RS-232 and RS-485 communication channels. These are non-network channels are commonly used for remote access to a substation by operations engineers or the interconnected utility tapping into the SCADA system and/or an energy management system (EMS). (IEEE 1711 provides cryptographic protocols for the addition of cyber security on serial links.)

Today we’re seeing a vast number of these communication links on the grid for protective relays and remote monitoring systems, via a “bump in the wire” retrofit, rather than the impractical swap-out of existing IEDs for the sole purpose of adding encryption to heighten security.    

This works in the following manner: unencrypted data is sent from a device out a serial port where that “bump in the wire” really is a box that applies encryption. Another such “bump”/box is placed at the recipient’s end to decrypt the data.

This application is particularly useful when communications must use public infrastructure such as a leased line from a local telco or a radio system – whenever the client does not have complete control over both ends of the data exchange.

Whenever two of anything – in this case, “boxes” – are involved, multiple vendors are likely, and those boxes must play well together. The U.S. Department of Energy has completed work on a three-year project, which ended last fall, known as the Lemnos Interoperability Security Program. Lemnos sought to define a set of configuration parameters to ensure a standard approach for the encryption and decryption of networked data by different devices. (Lemnos also provides an interoperability and testing framework for other security protocols.) 

Various IEEE groups are now considering Lemnos’ results for an IEEE standard. The IEEE Power & Energy Society Substation Group would be a logical choice and it may in fact end up being the lead on this effort. It might conceivably become part of IEEE 1711, like 1711.1 or something like that.

The consulting-specifying engineer would be well-advised to keep tabs on these efforts, as the CSE may be called upon to evaluate encryption boxes as they determine the appropriate level of encryption (and thus security) needed in any given circumstance.

Although with the growth of the encryption industry, these “bumps in the wire” boxes don’t add much if any latency, there are exceptions to keep in mind. This is particularly true in the case of the high-speed communications needed for protective relays, where the CSE must take into consideration the timeframes needed for the function in question. Latency must not interfere with response time, for instance, in the case of protection devices.


Sam Sciacca is an active senior member in the IEEE and the International Electrotechnical Commission (IEC) in the area of utility automation. He has more than 25 years of experience in the domestic and international electrical utility industries. Sciacca serves as the chair of two IEEE working groups that focus on cyber security for electric utilities: the Substations Working Group C1 (P1686) and the Power System Relay Committee Working Group H13 (PC37.240). Sciacca also is president of SCS Consulting.



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Save energy with automation; Process control system upgrades; Dispelling controll myths; Time-sensitive networking; Control system integration; Road to IANA
Additive manufacturing advancements; Machine vision enhances robotics; Fieldbus evolution; Process safety; Advice from System Integrators of the Year; Road to IANA
Salary and career survey: Benchmarks and advice; Designing controls; Remote data collection, historians; Control valve advances; Hannover Messe; Control Engineering International
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
Getting to the bottom of subsea repairs: Older pipelines need more attention, and operators need a repair strategy; OTC preview; Offshore production difficult - and crucial
Digital oilfields: Integrated HMI/SCADA systems enable smarter data acquisition; Real-world impact of simulation; Electric actuator technology prospers in production fields
click me