CLASSIFICATION CYBER SECURITY THREATS OF MODERN SUBSTATION
Maxim Nikandrov, Maxim Braguta
iGRIDS, Intelligent Networks
Contents
1. Information infrastructure features
2. System model
3. Vectors of attacks
4. Threats
5. Possible attacks – PHDays V experience
6. Our recommendations on objects classification
Features (1/4)
1. Changing of infrastructure
• We ourselves build a favorable "environment" for the development of cyber threats
• The number of intelligent devices on one management object is huge
• Total switch to Ethernet and, as a result, big local networks
• Deficiency of network segmentation and traffic control
Features (2/4)
2. Network is not isolated
• Necessity to transmit real-time information to higher levels of management
• Use of corporate communication lines or lines leased from providers
• External traffic is not controlled
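An added example (not from the original slides) of the traffic control that the two Features slides above describe as missing: observed flows are checked against a short list of permitted cross-zone conduits. The zone subnets, the conduit list, the port numbers and the sample flows are all assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed zone plan with constructed addresses (the slides give none).
ZONES = {
    "ied": ip_network("10.10.1.0/24"),        # protection relays, controllers
    "station": ip_network("10.10.2.0/24"),    # servers, workstations, time servers
    "corporate": ip_network("10.20.0.0/16"),  # higher levels of management
}

# Assumed permitted conduits: (source zone, destination zone, destination port).
ALLOWED = {
    ("station", "ied", 102),         # MMS polling of IEDs by the station servers
    ("ied", "station", 123),         # IEDs synchronising with the time server
    ("corporate", "station", 2404),  # IEC 60870-5-104 to the communication server
}

def zone_of(addr):
    """Return the zone name for an address, or 'external' if it is in none."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit(flows):
    """Return (src, dst, port, reason) for every flow that breaks the zone policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "external":
            continue  # intra-zone traffic is outside the scope of this check
        if "external" in (sz, dz):
            reason = "uncontrolled external traffic"
        elif {sz, dz} == {"corporate", "ied"}:
            reason = "direct corporate<->IED path, no segmentation"
        elif (sz, dz, port) in ALLOWED:
            continue
        else:
            reason = "cross-zone flow not in conduit list"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source address, destination address, destination port).
SAMPLE_FLOWS = [
    ("10.10.2.10", "10.10.1.21", 102),    # server to relay, permitted
    ("10.10.1.21", "10.10.2.5", 123),     # relay to time server, permitted
    ("10.20.3.7", "10.10.2.10", 2404),    # control centre to server, permitted
    ("10.20.3.7", "10.10.1.21", 102),     # corporate host straight to a relay
    ("203.0.113.9", "10.10.2.30", 3389),  # outside host to a workstation
    ("10.10.2.30", "10.10.1.22", 23),     # workstation to relay on an unlisted port
    ("10.10.1.21", "10.10.1.22", 102),    # relay to relay, same zone
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```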
Features (3/4)
3. No protection
[Figure labels: Switch; Device type; Signal type; Source device; Destination device]
• No encryption and disclosure
• Protection relays and controllers are not protected
• Default passwords are used in 99% of situations
Features (4/4)
4. Changing of conditions
• “Cyberpunk” culture
• Greater attention from hooligans, hacktivists and criminals
• Greater attention from state security services
System Model
[Figure: system model. Labels: internet; corporate network; supervisory control; router (main); router (reserved); Data & Communication Server (main); Data & Communication Server (reserve); operator's workstation; engineer's workstation; switches; Ethernet network; IED; four protection relays; controlled object (220 kV overhead line with switchgear designators W2E, K2E, QW2E, QS2, QS3, QSG 2, QSG3.1, QSG3.2).]
Vectors of attacks
• SCADA, Management System Servers
• Operator and engineer workstations
• Time servers and other supporting equipment
• Network equipment
• Communication lines
• IED (controllers and protection relays)
• Staff
Cybersecurity Threats
Three-level classification (offered by Sergei Gordeychik)
1. Decrease of functional safety and reliability of energy transfer network system
2. Decrease of efficiency of electric power transmission process
3. Security violation of the basic process
Cybersecurity Threats (1/3)
1. Decrease of functional safety and reliability of energy transfer network system
• Temporary disabling of components that are not responsible for electricity transmission security (for example, communication equipment, time server, secondary sensors, etc.)
• Temporary disabling of the remote control system and supervisory control
• False diagnostic display at the operating staff workstation
Cybersecurity Threats (2/3)
2. Decrease of efficiency of electric power transmission process
• Long-term disabling of the remote control system and supervisory control
• Unauthorized tripping of consumers
• Deception of the supervisory control center
Cybersecurity Threats (3/3)
3. Violation of the main process security
• Shutdown and/or modification of operational interlocking
• False control commands leading to power equipment damage (for example, closing an earthing switch while it is energized)
• Unauthorized shutdown of large energy generators
• Shutdown and/or removal of relay protection and emergency automation terminals
Possible attacks - PHDays V experience
Digital Substation Takeover Competition
[Figure: Digital Substation Takeover competition model. Labels: wind turbine; nuclear power plant; water-power plant; thermal power plant; transformer T1; 500 kV and 330 kV; circuit switch QS1; circuit breakers Q1 to Q8; earthing switch; local network; Trans Controller; relay protection; GPS time server; Glonass time server; firewall; "Crash" markers on several components.]
Competition results
• Disabling of the substation information network - 6 times
• Reprogramming of the time server - 1 time
• Impact on the terminal, which led to unauthorized disconnection - 2 times
Objects Ranking (according to security class)

Feature of object:
1) The object is built on IEDs and is equipped with a full industrial control system with remote control;
2) Operation of the object greatly influences the stability of the Integrated power grid;
3) Federal and interregional influence of a violation of the object's operation.
Security class: First class (K1)

Feature of object:
1) The object is built on IEDs and is equipped with a full industrial control system with remote control;
2) Operation of the object influences the stability of the Integrated power grid a little;
3) Regional influence of a violation of the object's operation.
Security class: Second class (K2)

Feature of object:
1) The object is built on electromechanical and semiconductor relay protection systems and is equipped with a telemechanics system without remote control.
Security class: Second class (K2)

Feature of object:
1) Municipal (local) influence of a violation of the object's operation.
Security class: Third class (K3)
Thank you!
iGRIDS, LLC
www.igrids.ru
NTC FSK EES
www.ntc-power.ru
