5. PDC functional requirements
5.16 Data re-transmission request
During data transmission between a PMU and a substation PDC, or between a substation PDC and a control center PDC, it is possible that the data never arrives at the destination. This could easily happen with UDP frames. It is also known to happen with TCP frames, when the data connection is dropped after reaching a timeout and has to be re-established.
The data source (e.g., a PMU or a PDC) may support data storage to handle this situation. This storage need affects PDC memory requirements.
The data source needs to be made aware that the data has not reached its destination. A PDC may implement a data retrieval mechanism to request the data source to re-transmit the data that failed to arrive.
Such a mechanism is not supported by the synchrophasor protocols IEEE Std C37.118-2005, IEEE C37.118.2-2011, and IEC 61850-90-5. However, there is a need for the implementation of such a function to recover data. While presently there is no standard, proprietary mechanisms exist in the industry. Until standards are developed for this function, the mechanism may be developed by an implementation agreement between different vendors.
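As an added illustration of the storage-plus-request mechanism described above (not a standard or vendor protocol; the message shapes, the 50 frame/s rate and the 1 000 000 FRACSEC time base are assumptions constructed for the example), the following shows a bounded frame store on the data source and gap detection on the PDC, with the store's capacity representing the memory the source must reserve:

```python
"""Illustrative PDC-side gap detection and re-transmission request (added example).
No synchrophasor standard defines this exchange; message shapes, the 50 frame/s
rate and the 1 000 000 FRACSEC time base are assumptions constructed for it."""
from collections import OrderedDict

RATE = 50              # constructed nominal data rate (frames per second)
TIME_BASE = 1_000_000  # constructed FRACSEC resolution (units per second)

def frame_index(soc, fracsec, rate=RATE, time_base=TIME_BASE):
    """Map a C37.118-style (SOC, FRACSEC) timestamp to a sequential frame number."""
    return soc * rate + (fracsec * rate) // time_base

class SourceStore:
    """Bounded frame store on the data source (PMU or PDC); capacity = reserved memory."""
    def __init__(self, capacity):
        self.capacity, self.frames = capacity, OrderedDict()
    def record(self, index, payload):
        self.frames[index] = payload
        while len(self.frames) > self.capacity:
            self.frames.popitem(last=False)  # evict the oldest frame
    def retransmit(self, indices):
        """Frames still held; anything already evicted cannot be recovered."""
        return {i: self.frames[i] for i in indices if i in self.frames}

class PdcReceiver:
    """Tracks the expected frame sequence and records gaps as they appear."""
    def __init__(self):
        self.received, self.missing, self.expected = {}, set(), None
    def receive(self, index, payload):
        if self.expected is None:
            self.expected = index
        if index > self.expected:                   # one or more frames skipped
            self.missing.update(range(self.expected, index))
        self.missing.discard(index)                 # late or re-sent frame
        self.received[index] = payload
        self.expected = max(self.expected, index + 1)
    def retransmission_request(self):
        return sorted(self.missing)

def simulate(lost, capacity=8, total=20):
    """Send frames 0..total-1, drop `lost`, request re-sends; return (requested, still missing)."""
    src, pdc = SourceStore(capacity), PdcReceiver()
    for i in range(total):
        src.record(i, f"frame{i}")
        if i not in lost:
            pdc.receive(i, f"frame{i}")
    request = pdc.retransmission_request()
    for i, payload in src.retransmit(request).items():
        pdc.receive(i, payload)
    return request, pdc.retransmission_request()
```

Frames evicted from the source store before the request arrives stay lost, which is the sizing trade-off behind the memory requirement noted above; loss of the most recent frame is only visible once a later frame arrives or a timeout expires, and that timer is left to the application here.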
5.17 Cyber security
Cyber security may be governed by the application, regulatory compliance, or best practices. At a high level, cyber security for information technology (IT) focuses on three aspects of the electronic information communication systems:
Availability
Integrity and authenticity
Confidentiality
Availability is typically addressed by redundancy and security measures to prevent denial of service attacks.
Integrity is the validity of the data and authenticity ensures the correct source. Integrity and authenticity are accomplished through means such as digital signatures or various types of authentication codes (e.g., message authentication code [MAC], or hash-based message authentication code [HMAC]).
Confidentiality is achieved by preventing inadvertent disclosure of information and is accomplished through the use of encryption, access control, and the appropriate processes and procedures.
When applied to PDCs, cyber security should evaluate all PDC interfaces while maintaining the reliability of the PDC. PDC cyber security likely goes beyond simply securing synchrophasor communications to cover any communications with, and access to, the PDC. Security practices that are poorly applied to PDCs may degrade PDC performance and/or functionality.
A PDC may be connected to “untrusted networks” as well as PMU(s). Securing those network connections is more than just securing synchrophasors and is beyond the scope of this guide.
The PDC may need to implement access controls, firewalls, intrusion detection functions, and more. Several standards support cyber security practices and programs. The following standards specify functions relevant to cyber security beyond synchrophasors: IEEE Std 1686 [B9], IEEE PC37.240, D13.0, March, 2013 [B17] and IEEE Std 1711 [B10].
IEEE Std 1686 specifies:
Electronic access control (password defeat mechanisms, number of passwords supported, password construction, role-based access control)
Audit trail/logging (capacity, information to be stored, events, alarms)
Supervisory monitoring and control (events, alarms, permissive control)
Configuration software (access, permission, version control)
Communications port access (port control, data transmission encryption)
Firmware quality assurance
PDCs may be required to support centralized access control protocols (such as Lightweight Directory Access Protocol [LDAP]), and to implement firewall and intrusion detection functions. PDCs may be capable of interrogation by security monitoring tools that identify the running state, firmware, configurations, and other relevant information. Logging capabilities to track system states and changes for forensic examination will probably be provided.
Proposed IEEE PC37.240 Draft D13.0, March, 2013, Draft Standard for Cyber Security Requirements for Substation Automation, Protection, and Control Systems, is one standard presently under development that specifically addresses technical requirements for substation cyber security and presents sound engineering practices.
IEEE PC37.240 Draft D13.0 presents the minimum requirements and best practices for a substation cyber security program, keeping in perspective the technical, economic, and operational feasibility of deployment. A utility deploying a cyber security program which meets the requirements of this standard will have developed a program which considers all of the above elements, and represents the best practices as employed by the industry.
IEEE Std 1711-2010 defines a cryptographic protocol known as Substation Serial Protection Protocol (SSPP). SSPP provides for the integrity and optional confidentiality of asynchronous serial communications. SSPP assures serial message integrity, that messages are not modified, forged, spliced, reordered, or replayed. SSPP provides this assurance by encapsulating each message in a cryptographic envelope. When an integrity problem arises in an incoming SSPP message, whether due to communications errors or malicious actions of an adversary, SSPP simply ignores the message. Detection and retry of ignored messages is left to the application. SSPP supports several cipher suites that provide differing security properties. All cipher suites assure integrity. Some suites also provide confidentiality, although this property is a secondary goal of the design. SSPP is largely independent of the underlying communications and is suitable for implementation in end devices or bump-in-the-wire devices. Using IEEE Std 1711-2010 comes with a price in bandwidth requirements, adding significant overhead depending upon the existing channel bandwidth and IEEE Std 1711-2010 implementation.
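The following added example illustrates the integrity and authenticity properties discussed above (the MAC/HMAC approach of 5.17 and the envelope behaviour attributed to SSPP): a sender binds a sequence number to each message under an HMAC-SHA256 tag, and the receiver silently drops anything modified, forged, spliced, reordered or replayed. The envelope layout, key and messages are constructed for this example and are not the SSPP wire format.

```python
"""Integrity-and-replay-protected message envelope (added example).
The envelope layout (sequence number || payload || HMAC-SHA256 tag) is an
illustrative stand-in, not the SSPP wire format; key and messages are constructed."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a deployment derives keys from key management
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def seal(key, seq, payload):
    """Sender: bind an increasing sequence number to the payload and append a MAC
    over both, so modification, forgery, splicing, reordering and replay are detectable."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver: messages failing any check are dropped and counted; detection
    and retry of dropped messages is left to the application."""
    def __init__(self, key):
        self.key, self.last_seq, self.accepted, self.ignored = key, -1, [], 0
    def _drop(self):
        self.ignored += 1
        return None
    def process(self, envelope):
        if len(envelope) < 4 + TAG_LEN:               # truncated
            return self._drop()
        header, payload, tag = envelope[:4], envelope[4:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # modified, forged or spliced
            return self._drop()
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:                     # replayed or reordered
            return self._drop()
        self.last_seq = seq
        self.accepted.append(payload)
        return payload

def demo():
    """Deliver two good messages, then a tampered copy, a replay and a splice."""
    rx = Receiver(KEY)
    m1, m2 = seal(KEY, 1, b"PMU frame 1"), seal(KEY, 2, b"PMU frame 2")
    rx.process(m1)
    rx.process(m2)
    tampered = bytearray(m2)
    tampered[6] ^= 0x01                              # flip one payload bit
    rx.process(bytes(tampered))
    rx.process(m1)                                   # replay of an old message
    rx.process(m1[:4] + m2[4:])                      # header of m1, body/tag of m2
    return rx.accepted, rx.ignored
```

The tag adds 32 bytes plus a 4-byte header to every message, which is the kind of per-message overhead the bandwidth remark above refers to.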
IEC 61850-90-5 refers to IEC 62351-5 and IEC 62351-6 [B4] and specifies:
Information integrity and authenticity is required (authentication)
Confidentiality is optional (encryption)
IEC 61850-90-5 provides for application-layer protocol data unit (APDU) authentication by the use of a digital signature code. Although it is desirable to provide end-to-end authentication and integrity protection, such protection cannot be assured if the contents of multiple APDUs are repackaged into another APDU. Such repackaging may occur within the PDC and the new packets should include the digital signature of the original packets.
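To make the repackaging caveat concrete, here is an added example (not the IEC 61850-90-5 format; HMAC-SHA256 stands in for the IEC 62351 digital signature, and the keys, APDU layout and JSON encoding are constructed) in which a PDC aggregates PMU APDUs while carrying their original signatures, so the receiver can still verify each member end to end:

```python
"""End-to-end APDU integrity across PDC repackaging (added example).
HMAC-SHA256 stands in for the IEC 62351 digital signature; the keys, APDU layout
and JSON encoding are constructed for this example, not the IEC 61850-90-5 format."""
import hashlib
import hmac
import json

PMU_KEYS = {"PMU_A": b"constructed-key-a", "PMU_B": b"constructed-key-b"}
PDC_KEY = b"constructed-key-pdc"

def sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def pmu_apdu(pmu_id, phasors):
    """A PMU's APDU: canonical body plus the signature computed by that PMU."""
    body = json.dumps({"src": pmu_id, "phasors": phasors}, sort_keys=True)
    return {"body": body, "sig": sign(PMU_KEYS[pmu_id], body)}

def pdc_repackage(apdus):
    """Aggregate several APDUs into one, carrying each original body and signature
    unchanged, then sign the aggregate with the PDC's own key."""
    body = json.dumps({"src": "PDC", "members": apdus}, sort_keys=True)
    return {"body": body, "sig": sign(PDC_KEY, body)}

def verify_end_to_end(aggregate):
    """Receiver: the PDC signature shows the aggregate is authentic, but only the
    embedded PMU signatures show the member data was not altered on the way."""
    if not hmac.compare_digest(aggregate["sig"], sign(PDC_KEY, aggregate["body"])):
        return False
    for member in json.loads(aggregate["body"])["members"]:
        src = json.loads(member["body"]).get("src")
        if src not in PMU_KEYS:
            return False
        if not hmac.compare_digest(member["sig"], sign(PMU_KEYS[src], member["body"])):
            return False
    return True

def demo():
    """Return (verdict on a faithful aggregate, verdict on one whose member data
    was altered inside the PDC and then re-signed with the PDC key)."""
    good = pdc_repackage([pmu_apdu("PMU_A", [1.0, 0.5]), pmu_apdu("PMU_B", [0.9, -0.1])])
    members = json.loads(good["body"])["members"]
    members[0]["body"] = members[0]["body"].replace("1.0", "2.0")  # altered phasor value
    altered = pdc_repackage(members)                                 # PDC signs it anyway
    return verify_end_to_end(good), verify_end_to_end(altered)
```

Had the PDC dropped the original signatures and signed only the merged data, the receiver could establish that the aggregate came from the PDC but not that the PMU data inside it was unchanged.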
IEEE Std C37.118.2-2011 is a data transfer standard covering messaging and message contents. It can be used with any communication protocol and consequently does not include cyber security requirements. The most common implementations use raw TCP and UDP without cyber security. For cyber security, other security methods such as virtual private networks (VPNs) and secure socket layer (SSL) should be applied.
As cyber security standards and practices evolve, care should be given to addressing synchrophasor latency that may be introduced by applying security measures to a PDC.