Security for Substation Communications
Security for Substation Communications

Until recently the term “security,” when applied to SCADA communication systems, meant only the process of ensuring message integrity in the face of electrical noise and other disturbances to the communications. But, in fact, “security” also has a much broader meaning. Security, in the broader sense, is concerned with anything that threatens to interfere with the integrity of the business.

Our focus here will be to examine issues related more narrowly to SCADA security.

In an earlier section we discussed the role of the OSI reference model (ISO 7498-1) in defining a communications architecture. In similar fashion, ISO 7498-2, Information Processing Systems, Open Systems Interconnection, Basic Reference Model – Part 2: Security Architecture, issued in 1989, provides a general description of security services and related mechanisms that fit into the reference model, and it defines the positions within the reference model where they can be provided.

It also provides useful standard definitions for security terms.

ISO 7498-2 defines the following five categories of security service:

  1. Authentication: the corroboration that an entity is the one claimed
  2. Access control: the prevention of unauthorized use of a resource
  3. Data confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  4. Data integrity: the property that data has not been altered or destroyed in an unauthorized manner
  5. Nonrepudiation: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the unit and protect against forgery, e.g., by the recipient

Note that ISO 7498-2 provides standard definitions and an architecture for security services but leaves it to other standards to define the details of such services. It also provides recommendations on where the requisite security services should fit in the seven-layer reference model in order to achieve successful, secure interoperability between open systems.

Security functions can generally be provided alternatively at more than one layer of the OSI model. Communication channels that are strictly point-to-point – and for which no externally visible device addresses need to be observable — can employ encryption and other security techniques at the physical and data-link layers. If the packets need to be routable, messages either need to be encrypted at or above the network layer (the OSI recommendation), or the security wrapper needs to be applied and removed at each node of the interconnected network.

This is a bad idea because of the resultant complexities of security key management and the resultant probability of security leaks.

SOURCE: Daniel E. Nordell

About Author //


Edvard Csanyi

Edvard - Electrical engineer, programmer and founder of EEP. Highly specialized for design of LV high power busbar trunking (<6300A) in power substations, buildings and industry fascilities. Designing of LV/MV switchgears.Professional in AutoCAD programming and web-design.Present on


  1. […] IEC 61850As in an actual project, the standard includes parts describing the requirements needed in substation communication, as well as parts describing the specification itself.SIPROTEC 5 – IEC 61850 is more than a […]

  2. […] it would be desirable to record all data communications into and out of all substation devices.In that manner, if an intruder successfully attacks the system, the recordings could be used to […]

  3. […] communications (Maxim, electricity grid without adequate communications is simply a power “broadcaster.” It is through the addition of two-way communications that the […]

  4. […] iFIX SCADA servers support replication and failover of database and alarms between the primary and backup SCADA servers – ensuring that you have high […]

  5. […] clearly it did – Siemens reports that it is aware of at least 22 sites that experienced infected control systems and certainly there were other sites, such as sites with other vendors’ products, who would have […]

  6. […] discussed is how the worm might have migrated from the outside world to supposedly isolated and secure industrial control systems (ICS). Understanding the routes that a directed worm takes as it targets an ICS is critical if […]

  7. […] SCADA systemsPolicy/Procedure/Configuration ManagementThe SCADA system has no specific documented security policy or security plan.There is no formal configuration management and no official documented […]

  8. […] users with a secure, reliable control environment and built-in security features that prevent unauthorized system access.NALCO’s Angul smelter produces up to 345,000 tons of aluminum a year, an increase of 50 percent […]

  9. […] This post was mentioned on Twitter by Electric Engineering, Electric Engineering. Electric Engineering said: Security for Substation Communications […]

Leave a Comment

Tell us what you're thinking... we care about your opinion!

Time limit is exhausted. Please reload CAPTCHA.