Security for Substation Communications

Until recently the term “security,” when applied to SCADA communication systems, meant only the process of ensuring message integrity in the face of electrical noise and other disturbances to the communications. But, in fact, “security” also has a much broader meaning. Security, in the broader sense, is concerned with anything that threatens to interfere with the integrity of the business.

Our focus here will be to examine issues related more narrowly to SCADA security.

In an earlier section we discussed the role of the OSI reference model (ISO 7498-1) in defining a communications architecture. In similar fashion, ISO 7498-2, Information Processing Systems, Open Systems Interconnection, Basic Reference Model – Part 2: Security Architecture, issued in 1989, provides a general description of security services and related mechanisms that fit into the reference model, and it defines the positions within the reference model where they can be provided.

It also provides useful standard definitions for security terms.

ISO 7498-2 defines the following five categories of security service:

  1. Authentication: the corroboration that an entity is the one claimed
  2. Access control: the prevention of unauthorized use of a resource
  3. Data confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  4. Data integrity: the property that data has not been altered or destroyed in an unauthorized manner
  5. Nonrepudiation: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the unit and protect against forgery, e.g., by the recipient

Note that ISO 7498-2 provides standard definitions and an architecture for security services but leaves it to other standards to define the details of such services. It also provides recommendations on where the requisite security services should fit in the seven-layer reference model in order to achieve successful, secure interoperability between open systems.

Security functions can generally be provided at more than one layer of the OSI model. Communication channels that are strictly point-to-point, and for which no externally visible device addresses need to be observable, can employ encryption and other security techniques at the physical and data-link layers. If the packets need to be routable, either messages need to be encrypted at or above the network layer (the OSI recommendation) or the security wrapper needs to be applied and removed at each node of the interconnected network.

Applying and removing the security wrapper at each node is a bad idea because of the resultant complexities of security key management and the resultant probability of security leaks.
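The difference between the two options for routable traffic, as an added Python example that is not from the original article. It uses an HMAC-SHA256 tag as the security wrapper (an assumption; the article names no mechanism), and the path, node names, command and keys are constructed.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes
PATH = ["master", "router-a", "router-b", "rtu"]  # constructed routed path
COMMAND = b"BREAKER 12 OPEN"                      # constructed payload
LINK_KEYS = [os.urandom(32) for _ in PATH[1:]]    # one key per link
E2E_KEY = os.urandom(32)                          # shared by the endpoints only

def wrap(key, payload):
    """Apply the wrapper: payload followed by its HMAC-SHA256 tag."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unwrap(key, frame):
    """Verify and remove the wrapper; raise ValueError if the tag is wrong."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return payload

def alter(payload):
    """Constructed change made by an untrustworthy intermediate node."""
    return payload.replace(b"OPEN", b"CLOSE")

def per_hop(payload, bad_node=None):
    """Wrapper applied and removed at each node of the path."""
    for i, receiver in enumerate(PATH[1:]):
        payload = unwrap(LINK_KEYS[i], wrap(LINK_KEYS[i], payload))
        if receiver == bad_node and receiver != PATH[-1]:
            payload = alter(payload)  # bare payload exists inside the node
    return payload

def end_to_end(payload, bad_node=None):
    """Wrapper applied once by the sender, removed once by the destination."""
    frame = wrap(E2E_KEY, payload)
    for node in PATH[1:-1]:
        if node == bad_node:
            frame = alter(frame[:-TAG_LEN]) + frame[-TAG_LEN:]
    return unwrap(E2E_KEY, frame)

def keys_held(scheme):
    """Number of keys each node must store and protect under each scheme."""
    if scheme == "per-hop":
        return {n: (i > 0) + (i < len(PATH) - 1) for i, n in enumerate(PATH)}
    return {n: int(n in (PATH[0], PATH[-1])) for n in PATH}

if __name__ == "__main__":
    print(per_hop(COMMAND, "router-a"), keys_held("per-hop"))
    try:
        end_to_end(COMMAND, "router-a")
    except ValueError as err:
        print("end-to-end:", err, keys_held("end-to-end"))
```

With the per-hop wrapper every link check passes even though the payload was changed inside an intermediate node, and every node on the path holds key material; with the end-to-end wrapper the destination rejects the changed frame and only the two endpoints hold a key.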

SOURCE: Daniel E. Nordell


Edvard Csanyi

Electrical engineer, programmer and founder of EEP. Highly specialized for design of LV/MV switchgears and LV high power busbar trunking (<6300A) in power substations, commercial buildings and industry facilities. Professional in AutoCAD programming.
