Cyber Security Issues for Protective Relays


Abstract—This report covers issues concerning the security of
electronic communication paths to protective relays. It is the
goal of this paper to present the reader with some background
material and discussions by which they can become more aware
of the concerns associated with electronic communications in
the power industry.

Index Terms—cyber security, protective relaying, relay,
relaying communications.


This report focuses on communications with protective
relays. However, because of the multifunction character of
microprocessor relays, these devices may also provide services
for, and therefore be accessed by, other groups in the power
utility.

A. Devices

In addition to the relays themselves, devices used to access
relays such as substation computers, switches, routers as well
as Local Area Network security are discussed.

The discussions in the report are not limited to transmission
relaying equipment in substations. The concerns and
recommendations can be equally valid for distribution
substations and distributed relaying devices such as pole
mounted reclosers.


Over time words tend to change meaning as culture and
perceptions change and new ideologies are adopted. The
word “security” has in the past conjured up images of
comfort, the physical protection offered by family and friends,
stable financial prospects, and peace of mind. However, in
recent years our image of the word security has changed into
something more likely to do with locks and gates, portable
alarm devices, missile defense systems, and space shields.
Change has also occurred in the use of the word with respect
to computers, in what is commonly known as cyber security.
Security was not a concern when computers were in their
infancy and the Internet’s predecessor, ARPANET, was
developed for use by the scientific and academic community.
However, computers are no longer the technical amusement of
a select group that trusted network access to any and all; they
are now a commonplace and integral part of everyday life in
our society and, unfortunately, are now subject to frequent
malicious attacks and electronic vandalism.

Initially, when computers became networked, electronic
information in the form of data and applications was
commonly exchanged using FTP, the file transfer protocol. A
user could typically log into a computer site using their email
address and the password “anonymous” and be greeted with a
“welcome” message. The guest would then have easy access
to the desired information, often including system files. Soon
this arrangement was subversively exploited, and the industry
was told not to expect to prosecute violators when an open
door and a welcome mat had been laid out for common use.
Security gradually took on a new meaning as the hosts of
computer data sites became increasingly aware of issues
surrounding the vulnerability and protection of their
information and networks. Today it is not uncommon for
networked computer sites to be visited and attacked on a
regular basis (thousands of times per day) by subversive forces
for reasons ranging from espionage, extortion and “cyber
protests” to revenge and sport. Not only are computer sites
vulnerable to direct and focused attack, but they are also
vulnerable to indirect, or indiscriminate, attacks from viruses,
worms and Trojan horses.

As technology has advanced, the use of computers and
network access has also increased. Computers, or
microprocessor-based devices with computing capability, are
now commonly used for control and automation functions in
addition to traditional data archival and processing.
Computers preside over a plethora of daily activities spanning
financial, manufacturing, scientific, and safety-related issues.
Millions of computers are connected to the Internet and now
form a vast interconnection of devices used by corporations,
individuals, and government agencies. As can be imagined,
with this convenient and widespread use the opportunity for
misuse has also burgeoned.

Technological misuse and/or abuse has become a serious
concern in all areas where computers are used and networked.
The ability of seditious individuals to disrupt the national
power supply, discharge harmful chemicals or waste into the
environment, or upset production facilities, has become an
unwelcome verity. Not only are there financial and safety
concerns associated with this, but also issues relating to legal
liability where individuals or corporations can be sued for
mismanagement of technological resources. Other issues
arising from compromised computing facilities are loss of
customer confidence, information confidentiality, and the
ability to conduct business. Computer security has now
become the focus of national consideration.

C1 Working Group Members of Power System Relaying Committee:
Solveig Ward (chair); Jim O’Brien (co-chair), Bob Beresh, Gabriel Benmouyal, Dennis Holstein, John T.
Tengdin, Ken Fodero, Mark Simon, Matt Carden, Murty V.V.S. Yalla, Tim Tibbals, Veselin Skendzic,
Scott Mix, Richard Young, Tarlochan Sidhu, Stan Klein, Joe Weiss, Alex Apostolov, Dac-Phuoc Bui, Sam
Sciacca, Joe Weiss, Craig Preuss, Steven Hodder

The electric power industry, like the rest of society, has been
taking advantage of the tremendous power provided by
computer and microprocessor-based technology. Protection
and control equipment, SCADA, remote control and
monitoring, and many other applications are routinely
implemented with this technology. Recent experience has
shown that security-related issues must be addressed by the
power industry. Government regulation will soon mandate
proactive measures for securing the computer network
infrastructure within the power grid. The electrical supply is
too important to be left in a state of vulnerability and neglect.

Utility personnel require remote access to the protection,
control, and monitoring devices located in substations
scattered throughout the system. This access is required to:
continuously assess the health of the system; recognize
developing problems that may adversely affect the ability of
the system to remain operational; identify the location of
faults and failures to facilitate the dispatch of repair crews;
analyze the operation of protective devices to ensure
correctness and maintain coordination to prevent cascading
outages; identify possible improvements to protective
schemes; and verify the accuracy of system models to
facilitate planning studies. Some of the devices for which
access is needed are:

• Microprocessor-based protective relays
• Digital fault recorders
• Dynamic disturbance monitors
• Phasor measurement units
• Power system stabilizers
• Geomagnetically-induced current monitors
• Remote terminal units (RTU) of supervisory control and data acquisition (SCADA) systems
• Substation computers
• Data historians
• SCADA systems
• Security systems (fire, intrusion, etc.)

The level of access required depends on job function.
System control operators need to know what happened and
where (breaker status changes, system element loading, relay
target data and fault locations, intrusion alarms, etc.).
Protection engineers typically need to read the stored data
(relay, fault recorder, and disturbance monitor event records
and setting records) in order to analyze system disturbances,
support operations personnel, coordinate protection schemes,
and ensure compliance with NERC standards. Protection
engineers can also make settings changes as required by
changes in system configuration. Field relay technicians need
read/write access to all levels of the devices in order to apply
the settings determined by the protection engineers and set up
the devices for proper operation and communication with
those that need access.

Access needs to be available within the substation and in
corporate offices. A limited number of personnel will require
full access at non-company locations. The expectation of
round-the-clock analysis capabilities and the quantity of data
available often require access via the Internet. A dial-up
connection may also be used for less demanding requirements.
Access to the corporate “data” network via the Internet raises
the highest level of concern for cyber security.

A. Relay Access and Settings Considerations

Relays are critical to the power system. The settings in a
relay determine the response (or non-response) of the device,
and incorrect settings may have serious effects on power
system operation.

Typically, relay settings may be changed by protection
personnel only, but the multi-function nature of
microprocessor relays has extended the use of protection
devices to other groups as well. A modern relay may replace a
traditional RTU and provide metering data and control
functions for opening and closing breakers and other switches.
A relay may also be connected to a substation computer that
performs automation and control functions.

The multi-function nature of the relay device may generate
the need to extend ‘setting-change-privileges’ to others than
protection engineers which creates an added challenge for the
protection engineer to track, document and verify relay

Modern relay designs recognize the need for increased
access to the device and provide some means to help the relay
engineer with regard to setting changes. Some examples are:

• Passwords. Most relays can password-protect settings
changes.

• A relay log of setting changes, and an alarm issued
when a setting change has been made.

• Multiple levels of access, with different passwords
for each level. Typically, there is a read-only level
that may be accessed by a larger number of users,
while the higher level for setting changes can be
accessed by the relay engineer only.

• Multiple settings groups, where a switch to another
pre-verified group may be allowed for non-relay
personnel while changes to individual parameters
are not.
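The four mechanisms above interact: a lower access level may switch between settings groups that the protection engineer verified offline, but may not edit parameters, and every settings change is logged and raises an alarm. The following Python is an added illustration of that model, not code from the report or from any relay vendor; the relay, group and parameter names, the access-level numbering and the sample passwords are all hypothetical.

```python
"""Model of the layered settings protections the report lists for modern
relays: password-protected access levels, a change log with an alarm on any
settings change, and a switch to a pre-verified settings group that is allowed
at a lower level than editing individual parameters.  Added illustration, not
code from the report or from any relay vendor; all names are hypothetical."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os
import time

READ_ONLY, SETTINGS = 1, 2   # access levels, lowest to highest


def _kdf(password: str, salt: bytes) -> bytes:
    # slow salted hash so a copied credential table is not trivially reversible
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    user: str
    level: int


@dataclass
class Relay:
    groups: dict                  # settings groups verified offline by protection staff
    active_group: str
    credentials: dict = field(default_factory=dict)   # level -> (salt, digest)
    log: list = field(default_factory=list)           # (timestamp, user, action)
    alarm: bool = False                               # raised on any settings change

    def set_password(self, level: int, password: str) -> None:
        salt = os.urandom(16)
        self.credentials[level] = (salt, _kdf(password, salt))

    def login(self, user: str, password: str):
        # grant the highest level whose password matches; log failures as well
        for level in sorted(self.credentials, reverse=True):
            salt, digest = self.credentials[level]
            if hmac.compare_digest(_kdf(password, salt), digest):
                self._record(user, f"login at level {level}")
                return Session(user, level)
        self._record(user, "login FAILED")
        return None

    def select_group(self, s: Session, name: str) -> None:
        # any authenticated user may activate a pre-verified group
        if name not in self.groups:
            raise ValueError(f"unknown settings group {name}")
        self.active_group = name
        self._record(s.user, f"active group -> {name}", alarm=True)

    def set_parameter(self, s: Session, key: str, value) -> None:
        # editing an individual parameter requires the settings level
        if s.level < SETTINGS:
            self._record(s.user, f"DENIED set {key}")
            raise PermissionError("settings-change level required")
        self.groups[self.active_group][key] = value
        self._record(s.user, f"set {key}={value} in {self.active_group}", alarm=True)

    def _record(self, user: str, action: str, alarm: bool = False) -> None:
        self.log.append((time.time(), user, action))
        self.alarm = self.alarm or alarm


def demo():
    """Walk through the scenarios the report describes; returns the relay and
    whether the operator's parameter edit was refused."""
    r = Relay(groups={"G1": {"51P": 1.2}, "G2": {"51P": 1.5}}, active_group="G1")
    r.set_password(READ_ONLY, "operator-pw")          # constructed sample secrets
    r.set_password(SETTINGS, "relay-engineer-pw")
    op = r.login("operator", "operator-pw")
    r.select_group(op, "G2")                          # allowed: pre-verified group
    try:
        r.set_parameter(op, "51P", 9.9)               # refused: parameter edit
        denied = False
    except PermissionError:
        denied = True
    eng = r.login("engineer", "relay-engineer-pw")
    r.set_parameter(eng, "51P", 1.4)                  # allowed and logged
    return r, denied


if __name__ == "__main__":
    relay, denied = demo()
    for ts, user, action in relay.log:
        print(f"{ts:.0f} {user:10s} {action}")
    print("alarm:", relay.alarm, "parameter edit denied:", denied)
```

The log records refused attempts as well as successful changes, which is what makes the "settings change" alarm useful to the protection engineer: the record shows who changed what, and who tried to.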

While procedures for access restriction to the substation are
well established, the increased remote access to
microprocessor relays is less regulated.

Typically, a utility uses the extended capability of
microprocessor relays to provide status, control and metering
functions to a station RTU via a serial communication link.
This functionality has replaced traditional analog transducer
and hard-wired alarm connections to a central station RTU in
all new installations and many retrofit locations. Any settings
required for these extended functions should be
communicated to the protection engineer during the schematic
and/or relay setting development phase. The automation



• Status of access: numbers, times, and types of
unauthorized attempts to access data or issue controls

• Anomalies in data access (e.g. individual request when
normally reported periodically)
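The two monitoring items above (counts, times and types of unauthorized attempts; an individual request for data that is normally reported periodically) can be computed from a relay access log. The following Python is an added example, not code from the report; the log format, the relay and user names and the sample lines are constructed for this illustration.

```python
"""Summarise the monitoring items listed above from a relay access log:
counts, times and types of unauthorised attempts per relay, and data-access
anomalies (an individual request for an item that the device otherwise
reports periodically).  Added illustration, not code from the report; the
log format and the sample lines are constructed for this example."""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) relay=(?P<relay>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)(?: item=(?P<item>\S+))?"
)
UNAUTHORIZED = {"FAIL", "DENIED"}

# constructed sample log: a burst of failed logins and a refused control on
# SUB12-R3, then an on-demand pull of metering data that is normally pushed
SAMPLE_LOG = """\
2006-05-01 02:00:00 relay=SUB12-R3 user=rtu event=report result=OK item=metering
2006-05-01 02:13:05 relay=SUB12-R3 user=tech7 event=login result=FAIL
2006-05-01 02:13:21 relay=SUB12-R3 user=tech7 event=login result=FAIL
2006-05-01 02:13:40 relay=SUB12-R3 user=tech7 event=login result=FAIL
2006-05-01 02:14:02 relay=SUB12-R3 user=tech7 event=control result=DENIED
2006-05-01 02:15:00 relay=SUB12-R3 user=rtu event=report result=OK item=metering
2006-05-01 02:21:00 relay=SUB12-R3 user=tech7 event=request result=OK item=metering
2006-05-01 02:30:00 relay=SUB12-R3 user=rtu event=report result=OK item=metering
2006-05-01 02:31:00 relay=SUB05-R1 user=eng2 event=login result=OK
"""


def parse(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def unauthorized_attempts(records, window=timedelta(minutes=5), threshold=3):
    """Per relay: number, first/last time and types of unauthorised attempts,
    plus a 'burst' flag when `threshold` attempts fall inside `window`."""
    summary = {}
    for rec in records:
        if rec["result"] not in UNAUTHORIZED:
            continue
        s = summary.setdefault(rec["relay"], {"count": 0, "first": rec["ts"],
                                             "last": rec["ts"], "types": Counter(),
                                             "times": [], "burst": False})
        s["count"] += 1
        s["last"] = rec["ts"]
        s["types"][f"{rec['event']}/{rec['result']}"] += 1
        s["times"].append(rec["ts"])
        # sliding window: enough attempts within `window` of this one?
        recent = [t for t in s["times"] if rec["ts"] - t <= window]
        if len(recent) >= threshold:
            s["burst"] = True
    return summary


def data_access_anomalies(records):
    """Individual requests for items the same relay otherwise reports
    periodically (the 'normally reported periodically' case above)."""
    periodic = {(r["relay"], r["item"]) for r in records if r["event"] == "report"}
    return [r for r in records
            if r["event"] == "request" and (r["relay"], r["item"]) in periodic]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for relay, s in unauthorized_attempts(recs).items():
        print(relay, s["count"], "attempts", s["first"], "->", s["last"],
              dict(s["types"]), "burst" if s["burst"] else "")
    for a in data_access_anomalies(recs):
        print("anomaly:", a["ts"], a["relay"], a["user"], "requested", a["item"])
```

The burst window and threshold are tuning parameters; a relay that is normally touched only by the RTU and a handful of engineers tolerates a low threshold, which is why the per-relay summary is more useful to an operator than a fleet-wide count.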

4) System Management: Control Actions within Intelligent
Electronic Devices (IEDs):
• Start or stop reporting
• Restart IED
• Kill and/or restart application
• Re-establish connection to another IED
• Shut down another IED
• Provide event log of information events
• Change password
• Change backup or failover options
• Provide audit logs and records

D. Password and Key Management

The following discussions are an extract from FIPS PUB 112,
Appendix A.
1) Password Usage
a) Introduction

This appendix contains background information, a
discussion of the factors specified in the Password Usage
Standard and the rationale for the minimum criteria specified
in the Standard. It also provides guidance in selecting
parameters of password systems based on increasing security
requirements. Examples of three password systems meeting
increasing levels of security requirements are included.
b) Background

Passwords are the most common method of personal
identification used in conjunction with remote terminals to
deter unauthorized access to computer systems and networks.
The effectiveness of passwords has often been questioned,
primarily because they can be easily forgotten or given to
another person. However, passwords can provide reasonable
deterrence to unauthorized access if properly handled by
people authorized to use them and if properly stored and
processed in the password verification system. Within its
Computer Security and Risk Management Program, the
Institute for Computer Sciences and Technology of the
National Bureau of Standards developed this Standard for
secure password usage to assure reasonable handling, storage
and processing of passwords.

Shortly after issuing FIPS PUB 48, NIST published Special
Publication 500-9, The Use of Passwords for Controlled
Access to Computer Resources. This publication considered
the generation of passwords and their effective application to
the problem of controlling access to computer resources.
Following analysis and use of this document, a project was
initiated to establish a fundamental performance standard for
the use of passwords and a guideline on how to use this
Standard to achieve the degree of protection that passwords
were intended to provide.

The Password Usage Standard was developed within the
Computer Security and Risk Management Program of the
Institute for Computer Sciences and Technology with
considerable assistance from representatives of Federal
organizations and private industry. In 1980, NIST developed
and distributed a draft Password Usage Standard to
government and industry representatives for comments and
then held a workshop to discuss the benefits and impact of the
draft Standard. The draft Standard identified 10 factors to be
considered in the implementation of password systems and
quantified security criteria in a hierarchical manner for each of
the 10 factors. It also proposed five levels of security and
specified minimum criteria for each level. The workshop
participants felt that the 10 factors were useful in structuring
the design of password systems, but that the proposed five
levels were unworkable as a basis of a password Standard. As
a result of the workshop recommendations, the Standard was
revised to specify minimum criteria for the factors of a
password system. An Appendix was drafted which provided
guidelines for achieving higher levels of security. This
revised Standard and the draft guidelines were published for
public comment and for agency comment in July, 1981. The
received comments were used in revising the proposed
Standard and draft guidelines in preparing the published
Standard and guidelines.
c) Factors

Ten factors of an automated password system are specified
in the Standard. These factors constitute the fundamental
elements which must be considered, specified and controlled
when designing and operating a password system. The
rationale for the factors and for the minimum acceptable
criteria for the factors specified in the Standard are provided
in the following discussion. Guidance on how to meet the
minimum criteria and reasons for exceeding the minimum
criteria are also provided.
d) Composition

A password is a sequence of characters obtained by a
selection or generation process from a set of acceptable
passwords. A good password system has a very large set of
acceptable passwords in order to prevent an unauthorized
person (or intruder) from determining a valid password in
some way other than learning it from an authorized person
(i.e., owner). The set of acceptable passwords should be large
enough to assure protection against searching and testing
threats to the password system (and hence the data or
resources that it protects) commensurate with the value of the
data or resources that are being protected. The set of
acceptable passwords must be such that it can be specified
easily, that acceptable passwords can be generated or selected
easily, that a valid password can be remembered, can be
stored reasonably, and can be entered easily. Composition is
defined as the set of characters which may comprise a valid

The composition of a password depends in part on the
device from which the password is going to be entered. It also
depends on how and where the password is going to be stored
and how the stored password will be compared with the
entered password. Federal Information Processing Standards
Publication 1-2 (FIPS PUB 1-2) incorporates the American
Standard Code for Information Interchange (ASCII), which
specifies a set of characters for interchanging information
between computers. FIPS PUB 1-2 defines several proper
subsets of this set to be used for special applications. The
95-character graphics subset specified in FIPS PUB 1-2 is the
set from which the System Manager and Security Officer should
select the acceptable composition for a particular system.
While backspaces can be used effectively to mask printed
passwords, several comments on the draft guidelines
described the special use of backspace in many computer
systems and recommended that it not be allowed.

The minimum composition contains 10 characters because
some systems (e.g., financial transaction systems) use a
10-digit PIN PAD (Personal Identification Number entry
device) for entering the password, which is called a PIN. The
PIN PAD looks very similar to the keyboard of a push-button
telephone. Some systems being developed use the push-button
telephone for data entry and retrieval. Users of these systems
stated their desire to use the Standard. A better composition
contains 16 characters: the 10 digits plus (A, B, C, D, E, F).
This set can represent hexadecimal characters, each of which
is a four-bit (binary digit) code. For example, 16 hexadecimal
characters are used to represent a Data Encryption Standard
key (see FIPS PUB 46), which can be used as a personal key in
a cryptographic system. Many passwords are composed only
of the 26 lower case letters (a-z) or the 26 upper case letters
(A-Z). However, using either of these sets often encourages
the selection of a person's initials, name, nickname, relative,
hometown, or a common word easily associated with the
person. Even allowing all possible 4-letter, 5-letter or 6-letter
English words greatly restricts the number of passwords when
compared to all possible passwords of length range 4-6 with
the same composition. Totally alphabetic password
composition should be discouraged. The best password
composition is the 95-character graphic set as specified in
FIPS PUB 1-2.
e) Length

Length is closely associated with composition in assessing
the potential security of a password system against an intruder
willing to try exhaustively all possible passwords. The length
of a password provides bounds on the potential security of a
system. A length of exactly 1 reduces the potential number of
valid passwords to the number of characters in the acceptable
composition set. A length of 2 squares this number; a length
of 3 cubes this number; a composition of 10 and a length of
exactly 4 provides for 10^4 (read 10 raised to the fourth power)
or 10,000 possible passwords. PINs are typically four digits
because of low security requirements, for ease of
remembering by a large customer base and for speed and
accuracy of entry. A PIN verification system generally
prevents a person from quickly trying all 10,000 possible
PINs for a particular valid financial account in order to find
the valid PIN. If the trial and error process can be automated,
even on a small home computer, the valid PIN can be found in
a few minutes. Having a length range of 4-6 increases the
possible number of PINs to 1,110,000 (10^6 + 10^5 + 10^4).

If all other factors are temporarily ignored, the security
provided by a password is directly proportional to the allowed
length of the password. In other words, longer passwords are
more secure. However, other factors cannot be ignored in
practical password systems. Long passwords take longer to
enter, have more chance of error when being entered, and are
generally more difficult to remember (the latter may not be
true unless the password consists of random characters).
Sixteen random hexadecimal characters are very difficult to
remember and are very difficult to enter quickly and
accurately. For this reason, DES keys are usually not personal
passwords and vice versa. However, long passphrases can be
transformed to virtual passwords of exactly 64 bits (or 56 bits
with the other 8 bits recomputed to be parity bits). Long
passphrases can be easy to remember but still take longer to

The length range should include a number of lengths,
probably from 5-8 characters, and the composition should be a
large set so that a high level of security can be provided

A passphrase is an understandable sequence of words
(sentence, sentence segment, phrase) that can be transformed
and stored as 64 bits, and which is used as a password. A
passphrase is generally easy for its owner to remember, and
hence is allowed on some systems because of this
characteristic. Since the number of distinct possibilities of
understandable passphrases is considerably smaller than for a
random sequence of characters of the same length, a longer
passphrase is preferable to a shorter one. For example, the
number of understandable 64-character passphrases composed
from the 27-character set A-Z and space is considerably less
than 27^64, which is the number of possibilities if the
characters are selected randomly.

A passphrase may be used that is equivalent to a password
as specified in the Standard. A passphrase may be
transformed into a virtual password by using a transformation
such as a hashing function or a cryptographic function. These
functions should compute a value using the entire passphrase
as input, such that any change in the passphrase results in a
different computed value (within some probability). The
value that is computed is the virtual password and must be 64
bits as specified in the Standard. This allows all password
systems to allocate a maximum of 64 bits for storing each
password, and therefore allows up to 2^64 possible passwords
(many thousands of years of security against exhaustive
searching attacks). Such a passphrase thus provides the
benefit of being easily remembered at the added cost of
additional time to enter the longer passphrase and the time
needed to compute the virtual password. The Data Encryption
Standard (FIPS PUB 46) and the cipher block chaining mode
specified in the DES Modes of Operation Standard (FIPS
PUB 81) are suggested as the transformation.
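The composition, length and passphrase discussion above reduces to a few computations: the size of the password set for a given composition and length range, the bits of security that size represents, and the transformation of a long passphrase into a fixed 64-bit virtual password. The following Python carries those through; it is an added worked example, not code from FIPS PUB 112 or the report. FIPS 112 suggests DES in CBC mode as the transformation; this example substitutes HMAC-SHA-256 truncated to 64 bits (an assumption of the example, not the standard's choice), and the guess rate used for the search-time estimate is a constructed figure.

```python
"""Worked numbers for the composition and length discussion above, plus the
passphrase-to-virtual-password transformation.  Added illustration, not code
from FIPS PUB 112 or the report.  FIPS 112 suggests DES in CBC mode as the
transformation; this example substitutes HMAC-SHA-256 truncated to 64 bits,
which is an assumption of this example, not the standard's choice."""
import hashlib
import hmac
import math

# constructed guess rate for the exhaustive-search estimates; not from the report
GUESSES_PER_SECOND = 1_000_000


def keyspace(composition: int, length: int) -> int:
    """Number of passwords of exactly `length` characters drawn from a
    composition set of `composition` characters (10 digits, length 4: 10^4)."""
    return composition ** length


def keyspace_range(composition: int, low: int, high: int) -> int:
    """Number of passwords whose length lies in [low, high]; the text's
    10^6 + 10^5 + 10^4 = 1,110,000 for digits of length 4-6."""
    return sum(keyspace(composition, n) for n in range(low, high + 1))


def bits_of_security(space: int) -> float:
    return math.log2(space)


def exhaustive_search_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password at `rate` guesses per second."""
    return space / rate


def virtual_password(passphrase: str, salt: bytes = b"") -> bytes:
    """Transform a passphrase of any length into a 64-bit virtual password.
    Any change to the passphrase changes the output (up to hash collisions)."""
    digest = hmac.new(salt, passphrase.encode("utf-8"), hashlib.sha256).digest()
    return digest[:8]


def with_des_parity(key8: bytes) -> bytes:
    """The 56-bit variant: keep the top 7 bits of each byte and recompute the
    low bit so every byte has odd parity, as DES keys are stored."""
    out = bytearray()
    for b in key8:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    for comp, lo, hi in [(10, 4, 4), (10, 4, 6), (26, 5, 8), (95, 5, 8)]:
        space = keyspace_range(comp, lo, hi)
        print(f"composition {comp:3d}, length {lo}-{hi}: {space:.3e} passwords,"
              f" {bits_of_security(space):5.1f} bits,"
              f" {exhaustive_search_seconds(space) / 86400:.2e} days")
    vp = virtual_password("a long passphrase is easy to remember")
    print("virtual password:", vp.hex(), "with parity:", with_des_parity(vp).hex())
    print("2^64 search at 1e6 guesses/s, years:",
          exhaustive_search_seconds(2 ** 64) / 31_557_600)
```

Running the table shows why the text recommends the 95-character set over an alphabetic one at the same length range: the gap is a matter of tens of bits, not a constant factor, and an exhaustive search that takes minutes for a 4-digit PIN takes the "many thousands of years" the text mentions once the virtual password is a full 64 bits.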
f) Lifetime

The security provided by a password depends on its
composition, its length, and its protection from disclosure and



traffic in the absence of actual message traffic, or by taking
other steps to avoid allowing patterns to be correlated with
operational conditions.

One issue is how to decide what needs to be secured within
a security policy. Some contend that every asset needs to be
secured. However, this approach makes security
deployment and adoption costly and could prevent entities
from even attempting to deploy security. Therefore, not all
assets need to be secured, although all assets could be
secured. However, all assets should be analyzed with regard
to their need for security.

Protection and securing of networked communications,
intelligent equipment, and the data and information vital to the
operation of the future energy system is one of the key drivers
behind developing an industry-level architecture. Cyber
security faces substantial challenges both institutional and
technical from the following major trends:

• Need for greater levels of integration with a variety of
business entities

• Increased use of open systems based infrastructures that
will comprise the future energy system

• The need for appropriate integration of existing or
“legacy” systems with future systems

• Growing sophistication and complexity of integrated
distributed computing systems

• Growing sophistication and threats from hostile

Security must be planned and designed into systems from
the start. Security functions are integral to the design of
systems. Planning for security in advance of deployment
will provide a more complete and cost-effective solution.
Additionally, advance planning will ensure that security
services are supportable (it may be cost-prohibitive to retrofit
them into environments where they were not planned). This
means that security needs to be addressed at all levels of the
architecture.

Security is an ever-evolving process and is not static. It
takes continual work and education to help the security
processes keep up with the demands that will be placed on the
systems. Security will continue to be a race between
corporate security policies and security infrastructure on one
side and hostile entities on the other. The security processes
and systems will continue to evolve in the future. By
definition there are no communication-connected systems that
are 100% secure. There will always be residual risks that must
be taken into account and managed. Thus, in order to maintain
security, constant vigilance and monitoring are needed, as well
as adaptation to changes in the overall environment.

Security assessment is the process of assessing assets for
their security requirements, based on probable risks of attack,
liability related to successful attacks, and costs for
ameliorating the risks and liabilities. The recommendations
stemming from the security requirements analysis lead to the
creation of security policies, the procurement of
security-related products and services, and the implementation
of security procedures.

Security re-assessment is required periodically. The
re-evaluation period needs to be prescribed for periodic review
via policy. However, the policy also needs to allow for
technological and political changes that may require immediate
re-assessment.

Security policy generation is the process of creating
policies on managing, implementing, and deploying security
within a Security Domain. The recommendations produced
by security assessment are reviewed, and policies are
developed to ensure that the security recommendations are
implemented and maintained over time.

Security deployment is a combination of purchasing and
installing security products and services as well as the
implementation of the security policies and procedures
developed during the security policy process. As part of the
deployment aspect of the Security Policies, management
procedures need to be implemented that allow intrusion
detection and audit capabilities, to name a few.

Security training on security threats, security technologies,
corporate and legal policies that impact security, and best
practices is needed. It is this training in the security process
that will allow the security infrastructure to evolve.

Security audit is the process responsible for the detection of
security attacks, detection of security breaches, and the
performance assessment of the installed security
infrastructure. However, the concept of an audit is typically
applied after an event or incursion. The Security Domain
model, as with active security infrastructures, requires constant
monitoring. Thus the audit process needs to be enhanced.

When attempting to evaluate the security process on an
enterprise basis, it is impossible to account for all of the
business entities, politics, and technological choices that could
be chosen by the various entities that aggregate into the
enterprise. Thus to discuss security on an enterprise level is
often a daunting task that may never come to closure. In order
to simplify the discussion, allow for various entities to control
their own resources and to enable the discussion to focus on
the important aspects.

NERC Standards CIP-002-1 through CIP-009-1 were
approved in May 2006. The purpose of the standards is “To
reduce the risk to the reliability of the bulk electric system
from any compromise of critical cyber assets (computers,
software and communication networks) that support these


Requirement / Implication for Relays

Requirement: CIP002 R1 and R2 require responsible entities to identify their critical assets using methodology based on risk.
Implication for relays: The methodology must consider substations and “special protection systems” that support reliable operation of the bulk power system and are critical to automatic load shedding of 300 MW or more.

Requirement: CIP002 R3 requires identification of critical cyber assets, defined as being essential to operation of critical assets.
Implication for relays: Relays would be included if related to critical assets.

Requirement: CIP003 R1 and R2 require a cyber security policy with senior management leadership covering all cyber critical
Implication for relays: Relays identified under CIP002 would be covered under the

Requirement: CIP003 R4 and R5 require a program to identify, classify, and protect information associated with cyber critical assets and to provide access control to that information.
Implication for relays: Relays identified under CIP002 would be covered under the

Requirement: CIP003 R6 requires a configuration management program to control any changes in hardware or software associated with cyber critical assets.
Implication for relays: Relays identified under CIP002 would be included in this management and change control.

Requirement: CIP004 R1, R2, and R3 require cyber security awareness training, cyber security policy/procedure/access training, and personnel risk assessment (i.e., a background investigation and clearance process) for all personnel having physical or cyber access to critical assets.
Implication for relays: Personnel having physical or cyber access to critical relays would be included.

Requirement: CIP004 R4 requires revocation (within specified time periods) of cyber access to critical cyber assets when personnel no longer require access.
Implication for relays: For relays, this would require either individual log-ins or systems to change common passwords on all relays accessed by a revoked individual.

Requirement: CIP005 R1 and R2 require establishment of electronic security perimeters covering all cyber critical assets and access controls at all points of entry to those perimeters.
Implication for relays: Relays are included, if identified as cyber

Requirement: CIP005 R3 and R4 require electronic monitoring and logging of security perimeters, and annual vulnerability assessment of cyber critical assets.
Implication for relays: Relays are included, if identified as cyber

Requirement: CIP006 requires physical security for all cyber critical assets.
Implication for relays: Relays are included, if identified as cyber

Requirement: CIP007 places a number of detailed requirements, including test procedures for security-relevant software changes, disabling of unneeded ports and services, management of security patches, malware prevention, access authentication and account management, control of shared accounts and privileges, password construction, security event monitoring, and others.
Implication for relays: Relays are included, if identified as cyber

Requirement: CIP008 requires a cyber security incident response plan.
Implication for relays: The plan would have to include incidents affecting relays, if identified as cyber

Requirement: CIP009 requires a recovery plan for cyber critical assets.
Implication for relays: Cyber critical relays would have to be included in recovery
[1] NETL Project M63SNL34 “Cyber Security for Utility Operations”. Final report of this project is available from DoE Office of Energy Assurance or from Sandia National Laboratories.
[2] AGA 12 Part 1 “Cryptographic Protection of SCADA Communications Part 1: Background, Policies and Test Plan”, available from Gas Technology Institute.
[3] Security Guidelines for the Electricity Sector. Version 1.0, June 14, 2002.
[4] PSRC C3, Processes, Issues, Trends and Quality Control of Relay
[5] Pilot Protection Communications Channel Requirement, S. Ward et al., Georgia Tech, May 2003.
[6] Electronic Security of Real-Time Protection and SCADA Communications. Allen Risley et al., Schweitzer Engineering Laboratories, Inc., WPDAC, April 2003.
[7] Shea, Dana, “Critical Infrastructure: Control Systems and the Terrorist Threat”, updated February 21, 2003, Report for Congress, Order Code
[8] IEC TC57 WG15 Security Standards, white paper by Xanthus Consulting International.
[9] NERC, Security Guidelines for the Electricity Sector: Securing Remote Access to Electronic Control and Protection Systems. Version 1.0, effective date June 10, 2003.
[10] FIPS PUB 112, Appendix A.
[11] Role Based Access, a proposed standard for RBAC prepared by NIST, available at
[12] The requirements for SE-Linux are discussed in “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments” by Peter A. Loscocco, Stephen D. Smalley, and others, published in Proceedings of the 21st National Information Systems Security Conference, pages 303-314, October 1998, available at
[13] SE Linux software, documentation, and related publications are available for download from the NSA web site.
