Robert I. Williams, P.E.
Governments and industries worldwide are evaluating and researching security options for critical infrastructure, and this ongoing review especially applies to the electric power distribution industry.
Power distribution lines and substations cover long distances and are especially vulnerable to physical damage, but their repair could also be fairly rapid. A single terrorist attack would be likely to affect only a specific location, but a coordinated multi-site attack could create a long-term power loss for large urban areas.
Power distribution grids and substations are highly dependent on supervisory control and data acquisition (SCADA) systems for automation and for remote monitoring and control. For that reason, utility SCADA systems are another likely target of attack. It’s important to note that SCADA systems are also integral to the recovery effort should an attack on the distribution infrastructure occur. SCADA provides the necessary power measurement data and equipment status information necessary when coordinating emergency responses.
Most distribution automation and SCADA systems depend on leased telephone lines, microwave or UHF/VHF radio systems, with fiber optic cable used extensively within the distribution stations due to its interference-free design.
Electric utility substations are generally unmanned with maintenance personnel visiting during daytime hours only, unless there are some critical repairs to be done. Personnel on-site may be local operators, technicians, engineers or managers—none of whom would be expected to or be equipped to aggressively respond to a determined terrorist attack. Dependency is on the substation automation system and the SCADA systems to remotely monitor and control the facility and provide the necessary automatic protection should a serious fault condition occur.
Substations are generally equipped with a local control center that is usually in a normal building or an extension of the electrical control equipment building. Generally, no extra security features are included at the substation or the control center—only the perimeter fencing and locked doors and gates. Highly vulnerable power transformers are located within this perimeter fencing but with no additional or particular security considerations.
SCADA systems maintenance personnel are equipped with portable diagnostic equipment that can simulate the data protocol to communicate with remote terminal units (RTUs), or they can function as an RTU relaying information to the master station. They, therefore, possess the capability to initiate control actions that could adversely affect substation operation. Consequently, internal security vulnerability exists if a trained maintenance technician can utilize this RTU diagnostic computer to interfere with substation operations.
SCADA systems can operate independently of any data interface to management information systems or other networking computer systems. This isolation could provide the required defense against any external terrorist hacking attack to prevent the SCADA system from operating normally. However, there is a trend toward “opening” SCADA system data to wider dissemination in various parts of the utility enterprise. Corporate policy makers will have to evaluate the need to disseminate real-time data for customer and corporate access against the threat of an external attack. Computer technology utilizing firewalls and other intrusion detection means can reduce this risk to a tolerable level. Database access restrictions and disk mirroring techniques also can be used to mitigate these security vulnerabilities.
Combined computer intrusion detection and firewall software systems require an initial investment in installation and configuration as well as ongoing management commitment to ensure overall security protection efficiency.
Telephone lines at these sites are generally leased lines and are considered a potential security problem. Radio communications are also vulnerable from the respect that antennae and towers are highly prominent and, thus, susceptible to physical attack.
External electronic transmissions at the same SCADA system radio frequencies could possibly interfere with SCADA scan sequences and disable the remote monitoring, control and alarming features for the duration of the interference. A fiber optic-based substation automation system would not be affected by such a radio interference attack and would continue to provide automatic protection for the facility but without the capability to alarm any supply interruption to the distribution control center.
Radio signal interference could potentially inundate a SCADA system with communication errors to such an extent that normal operations would be disrupted. In a multiple-drop polling mode, the SCADA system will attempt a number of re-tries, typically three, before it continues scanning the next RTU. It will generally attempt to scan an affected RTU two or three more times before it will flag a communication failure at an RTU and effectively remove that RTU from the scanning program. Operator or maintenance engineer intervention is generally required to return the RTU into the scan sequence. In the meantime, substation control and electrical protection systems remain unaffected and, allowing that overall power monitoring conditions are normal, then operations could continue for a company-defined period of time.
Fiber optics in this security respect has a higher degree of protection since it is not easily intercepted and interfered with during transmission. Fiber optic cables are being utilized as a basis for SCADA and communication networks within power distribution utilities. With fiber optics, any physical or electronic damage would be immediately diagnosed and reported, and maintenance diagnostic capability could identify the location of the damage.
However, electromagnetic pulse (EMP) transmission, as generated by a nuclear device, would effectively destroy all electronic equipment within the substation if they were not totally enclosed and isolated within an EMP-protected area. EMP damage could be extensive, requiring replacement of all electronic components. Without a very high degree of spare parts availability, it would involve negotiating with the original SCADA system supplier for rapid delivery of replacement parts. A more mature installation may not be able to recover due to the unavailability of these key electronic components in a suitable time frame.
Additionally, utility operations control centers are locations where terrorist attacks can have a significant effect on power distribution. The SCADA master station is located in one, or sometimes two, key locations. Communication availability is the only restriction to the ultimate operations control center locations. In some SCADA networks, regional control centers are available to take over local operations in the event of a major calamity affecting the main SCADA master station location(s).
It is not absolutely necessary to continuously man more than one control center, and some utility companies may wish to alternate between their control centers on a frequent basis, e.g. monthly. Alternatively, operational responsibilities can be partitioned to two or more locations providing continuous and trained backup if such a contingency occurred. This is a recommended security consideration for implementation on new facilities and for upgrading consideration for other facilities. Any such physically diverse arrangements should carefully analyze the communication requirements and their associated vulnerability to terrorist attacks.
The need for heightened security shall make VIP visits to SCADA operations control centers and observation windows in control rooms things of the past. Heightened security at control centers is a must.
A theoretical high-security, self-contained Operations Control Complex could conceivably consist of the following:
- Operations control center (OCC)
- Emergency response center (ERC)
- Security control center (SCC)
- Computer and communications equipment (CCE)
- Uninterruptible power systems, including backup batteries
- Standby generator and fuel supply.
- Offices, meeting rooms, etc.
- Accommodation, restaurant and recreational facility
- Nuclear, bacteriological & chemical (NBC) air filtering equipment
- NBC purging and isolating entrance chambers.
This concept is not entirely hypothetical; it is based on the author’s experience designing and commissioning high-security facilities for strategic petroleum products storage in a Middle Eastern country. Figure 1 shows an outline of such a high-security underground facility.
During an NBC scenario all air supplied to the facility is filtered by specially designed micro-filtration equipment to remove chemical and/or bacteriological elements. A separate pure water storage system is also provided.
Fiber optic Open Transport Network (OTN) is one of the evolving technological solutions for communication networks that cover wide geographical areas. OTN’s main requirements are: high availability, security, redundant network configurations, high network resilience, voice/data interfaces, and overall network monitoring and configuration management.
Typical power distribution facilities user equipment could be connected to each of the OTN nodes, N1 through N6 shown in Figure 2, through one of a number of interface card slots. The Figure 2 Inset shows a typical node equipment connection. Available interface modules include SCADA, management information, PABX telephones, mobile radio/paging systems and security surveillance video cameras.
In a self-healing backup mode, each node is programmed to loop back the data when it detects failure in the network as shown in Figure 2. When the fault shown in Figure 2 involves the complete node or fiber cable, the adjacent nodes respond with data loop back without involving the network management system. Detected failures, such as cable breaks, can be corrected within 50 to 120 ms, without the intervention of the Network Management System. Optionally, nodes can be equipped with an optical bypass relay that can take the node into and out of the ring.
In summary, power distribution SCADA systems are a basic requirement and have been economically evaluated and justified as an integral part of the installed facilities. These economic evaluations, however, did not include the additional expenditures necessary to provide security enhancements for all these monitored and controlled facilities. Implementation of military-type security facilities may not be economically justifiable but may become necessary to provide a higher degree of physical and electronic protection.
Emergency or contingency plans exist for substation emergencies, such as transformer or breaker failures, fires, storms, floods, hurricanes, tornados or earthquakes. Terrorism should now be added to this risk category, and utility emergency preparedness must be expanded accordingly along with the fiscal budgets to meet these additional requirements. SCADA systems are a critical requirement for establishing ongoing data acquisition and control during these emergency scenarios.
This article outlined an ultra-secure operation control center location, which is not a norm for power distribution control centers in countries that were previously assumed to be safe. This secure OCC is designed to be self-contained during terrorist or military activity and would therefore be protected from other threats that might affect other “normal” control centers, such as extended power cuts, water contamination or other conceivable terrorist threats.
New facilities such as these will need to be much more secure and robust if they are to provide protection from terrorist attacks.
Robert I. Williams, Ph.D., C.Eng., P.E. (California), has more than 30 years oil/gas, water and electric utility SCADA systems engineering experience in the United Kingdom, United States, Far East, Middle East and Eastern Europe. Robert is the author of the “Handbook of SCADA Systems, First Edition” published in 1992 by Elsevier Publications and is currently preparing the Second Edition for publication on CD via his website www.scada-online.co.uk. Since SCADA security considerations are included in the Second Edition, Robert would appreciate any comments regarding this article to firstname.lastname@example.org.