Editor’s Note: This article was developed with expertise from Howard Linton, a field application engineer with more than 25 years of experience working with power utilities.
Many North American power utilities have large numbers of electrical substations that operate well but are not connected to a central Energy Management System (EMS). These islands of critical infrastructure are equipped with legacy devices running on proprietary protocols. Impossible to monitor without someone physically visiting them, such substations prevent utilities from delivering on the promise of the smart grid.
The smart grid vision is to transform the traditional electrical grid from a reliable but inflexible system to one that is adaptable and efficient. Benefits such as being able to reroute power transmission quickly when there is a problem and incorporating non-traditional energy sources are just some of its aims.
Imagine you run a utility with hundreds of legacy substations that you cannot connect to from a central location. The longer you have this problem the longer your network is going to be out-of-step with an important capability.
Now imagine there is an easy way to connect legacy substations to a central system. “Fantastic,” you think, “What is it?” And “Does it bring with it any new problems? (For example, security issues.) In today’s article, I look at a cost-effective solution for this dilemma that both connects substations to the smart grid and secures them.
Legacy substations and their RTUs do a good job of protecting transformers but cannot communicate with central systems.
The SCADA Challenge: Legacy Remote Terminal Units (RTUs)
The key piece of legacy equipment preventing the two-way communication of data with older power substations is the Remote Terminal Unit or RTU. RTUs control these substations and they perform critical duties, for example, measuring the power being transported and protecting the crown jewel of the site, the transformer.
If a transformer goes down, it can cost two million dollars and take two years to replace. RTUs protect the transformer by breaking the circuits to it if anything abnormal occurs such as shorts, faults or a tree falling.
Older RTUs connect analog and digital inputs in electrical substations using out-of-date serial communication standards like CDC and GETAC. While it is inexpensive to exchange the RTU itself to one that supports both IP and modern serial communications, the replacement triggers a domino effect of other changes. The total cost can easily add up to a $100,000 per substation.
The reason for the high cost is that the substation needs to be rewired to support the new RTU and, once upgraded, ICS security must be addressed. This makes each upgrade a project that involves taking the substation off-line and requires proper planning, scheduling and documentation. All-in-all, replacing those old RTUs, and perhaps moving to IEC 61850 compliant networks, requires a very significant expense and time commitment.
Two-in-One Routing and Security Solutions: GarrettCom Magnum 5RX and 10RX
The equipment of typical IT networking vendors cannot function with the old substation protocols. However, there is a solution available in devices that are a combination router/firewall: the GarrettCom Magnum 5RX/10RX Security Router product line.
The GarrettCom Magnum 5RX (5RX), for example, can be deployed by simply connecting it via a serial port to the legacy RTU and also to an IP-based external network, or frame relay network via T1 or DDS circuits. The installation is simple, and no other substation upgrades are required. It is a moderately priced device with a SRP of $4,500 in the U.S.
The 5RX communicates with older RTUs by encapsulating the old protocol messages in a number of wrapper options to include TCP/IP, directly in Frame Relay or Ethernet, without the use of IP. These products support legacy substation protocols that are rarely supported by other vendors.
Once two-way communication with the substation is initiated, a security control point needs to be established to restrict and monitor traffic flowing into and out of the substation. The beauty of the 5RX/10RX solution is that instead of requiring a separate dedicated firewall, the devices are complete security solutions themselves.
The 5RX/10RX controls and monitors traffic into the substation by comparing it to a predefined security policy and discarding messages that do not meet the policy’s requirements. External to the substation the devices interface transparently with IT systems, using security protocols such as RADIUS and TACACS+.
With a GarrettCom 5RX/10RX security perimeter in place, much of the ICS security job is done. However, Belden recommends a Defense in Depth approach to industrial cyber security and more measures could help you strengthen overall security. White papers that cover this topic in detail are available for download at the end of this article.
Isolated substations can be connected to central systems and secured using either the fixed configuration and cost effective Magnum 5RX (shown on top) or the more expensive but configurable Magnum 10RX (shown on the bottom).
Power utilities immediately benefit from 5RX/10RX installations with access to real-time data from previously isolated substations. Instead of having to send someone to a substation to get the fault records when something goes wrong, now they can see, diagnose and address problems from a central location.
An example installation is a West Coast utility that is installing GarrettCom two-in-one routing and security solutions in 55 substations to remotely manage them. In another case, a leading East Coast power company is installing 300 5RXs to communicate with its substations. Both of these organizations benefit by being able to incorporate legacy substations into their smart grids now and migrate their overall network to a new generation backbone over time.
Where is your organization on the path to integrating legacy substation into a smart grid? Would the solution discussed here help? I look forward to your comments.
- White paper:“Cyber Security in Electrical Substations”
Substation Design and ICS Security
- Blog: Implementing Cyber Security Measures in Electrical Substations
- Blog: Defense in Depth Cyber Security for Substation Communications
- Blog: New Cost Effective Industrial Ethernet Switches for Substations
- Blog: Substation Design – Integrating Serial Devices into the Smart Grid
- Webpage: Popular Network Configurations for Power Utilities
Belden Products for Cyber Security in Substations
- Press Release: Belden Dual-Purpose Router Streamlines Management of Industrial Networks
- Webpage: GarrettCom Magnum 5RX Fixed Configuration Security Router
- Product Bulletin: GarrettCom Magnum 5RX Fixed Configuration Security Router
- Webpage: GarrettCom Magnum 10RX Configurable Router and Security Appliance
- Product Bulletin: GarrettCom Magnum 10RX Configurable Router and Security Appliance
- Tripwire webpage: Energy & Utilities Cyber Threat Detection