This week, the largest electric utility trade show and conference in the U.S., DistribuTECH, is being held. One of the tracks in the conference portion of the event is “Defending the Grid.” The prominence of the topic at this show is due in part to new NERC CIP requirements designed to strengthen reliability and security. Another reason grid protection is a hot topic is high-profile cyberattacks such as the recent one on the Ukraine power system.

It adds up to one thing – it’s time to review the state of cyber defenses at your transmission substations. What then is the right approach to secure substations? It starts with the best practice of Defense in Depth.

Electrical substations are vulnerable to both intentional and accidental cyber incidents.

Defense in Depth – Multiple Layers of Protection

If you are an engineer in North America, you are familiar with NERC (the North American Electric Reliability Corporation), which sets standards for the operation of power systems across the U.S., Canada and parts of Mexico. It has a standard called NERC CIP (CIP standing for Critical Infrastructure Protection) that mandates compliance with minimum security requirements.

Unfortunately, for many years a core NERC CIP concept was an electronic security perimeter (ESP) philosophy based on hiding all critical assets behind a monolithic boundary. For example, a single firewall could be installed on the boundary between all critical control assets and the business network, with the hope that it would prevent all unauthorized access to the critical assets.

Industry experience has shown that monolithic designs present a single point of failure in a complex system. Few systems are so simple as to have a single point of entry. With the help of Murphy’s Law, eventually all single-point solutions are either bypassed or experience some sort of malfunction, leaving the system open to attack.

A more realistic strategy is based on Defense in Depth (DiD) – multiple layers of defense distributed throughout the control network.

DiD maintains an ESP firewall between the business and control networks, but adds security solutions inside the control system that protect the substations if the main firewall is bypassed. The solutions work in parallel, with one technology often overlapping with others, to form a significant safeguard against either attack or human error.

The techniques used should be based on doing a risk assessment for critical assets and processes. Then, a multi-layer defense model, which includes protection technology and other items, is developed. The other items include things like physical security, policies, procedures and more.

Defense in Depth means using multiple, overlapping layers of protection to secure critical infrastructure.

A network protected using a Defense in Depth strategy responds to threats, such as a traffic storm (caused by device failures) or a USB-based virus, by limiting the impact to the zone where the problem started. Alarm messages from the firewalls would pinpoint the zone and even the source of the problem.

Routing Firewalls Guarding the Substation Perimeter

To create a security perimeter for the substation, a security control point needs to be established to restrict and monitor traffic flowing into and out of the substation.

Typically, this will be a dedicated firewall, but in some cases a router or terminal server can be used. These need to be able to filter large amounts of traffic and interface transparently to IT systems using security protocols, such as RADIUS and TACACS+. It is critical that this device is both security hardened and monitored for indication of attacks.

There are two primary options for implementing network security technologies for a substation:

  • Industrial firewalls that control and monitor traffic, comparing the traffic passing through to a predefined security policy and discarding messages that do not meet the policy’s requirements. Firewalls can be installed both at the ESP boundary and between internal zones.
  • VPNs (Virtual Private Networks) are networks that are layered onto a more general network using specific protocols or methods to ensure “private” transmission of data. VPN sessions tunnel across the transport network in an encrypted format, making them “invisible” for all practical purposes.

Transparent Firewalls to Protect Core Processes

Transparent firewalls, such as the Tofino Xenon Security Appliance, are security devices with special features for industrial use. At first glance, they function on the network like a traditional Ethernet switch, but they can actually inspect network messages in great detail.

The “transparent” feature allows them to be dropped into existing systems without requiring readdressing of the station devices. This means that organizations can retrofit security zones into live environments without a shutdown. They also allow the installation of security controls within a single subnetwork, for example within a large process bus.

The “firewall” feature provides detailed “stateful” inspection of all network protocols so inappropriate traffic can be blocked. For example, rate limits can be set to prevent “traffic storms” while deep packet inspection rules can be set to prevent inappropriate commands from being sent to IEDs or controllers.
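As an added illustration of the rate-limit and deep-packet-inspection rules just described, and of the zone-pinpointing alarms mentioned earlier, here is a toy policy engine in Python. It is not code from Belden or the Tofino product; it assumes Modbus/TCP framing (the post names no protocol), two hypothetical zones ("hmi" and "engineering"), and constructed sample frames.

```python
# Toy model of a transparent firewall's deep-packet-inspection and rate-limit
# rules for substation traffic. Added example, not Belden/Tofino code. Assumes
# Modbus/TCP framing (the page names no protocol); sample frames are constructed.
import struct
from collections import deque

READ_FCS = {1, 2, 3, 4}        # standard Modbus read function codes
WRITE_FCS = {5, 6, 15, 16}     # standard Modbus write function codes
# Assumed zones: an HMI zone that only needs reads, an engineering zone that may write.
ZONE_POLICY = {"hmi": READ_FCS, "engineering": READ_FCS | WRITE_FCS}

# Constructed frames: read holding registers (FC 3) and write single register (FC 6).
READ_FRAME = bytes.fromhex("0001000000060103000a0001")
WRITE_FRAME = bytes.fromhex("0002000000060106000a0001")

def parse_modbus_tcp(frame: bytes) -> int:
    """Return the function code of a Modbus/TCP frame; reject malformed MBAP headers.
    MBAP = transaction id (2), protocol id (2), length (2), unit id (1); FC follows."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return frame[7]

class RateLimiter:
    """Sliding window: at most `limit` frames per `window` seconds (storm protection)."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window, self.times = limit, window, deque()

    def allow(self, now: float) -> bool:
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()          # forget frames outside the window
        if len(self.times) >= self.limit:
            return False
        self.times.append(now)
        return True

def inspect(zone: str, frame: bytes, limiter: RateLimiter, now: float) -> str:
    """Return an ALLOW/DROP verdict with the reason a firewall alarm would report."""
    if not limiter.allow(now):
        return "DROP: rate limit exceeded, possible traffic storm from zone %s" % zone
    try:
        fc = parse_modbus_tcp(frame)
    except ValueError as err:
        return "DROP: %s" % err
    if fc not in ZONE_POLICY.get(zone, set()):
        return "DROP: function code %d not permitted from zone %s" % (fc, zone)
    return "ALLOW: function code %d from zone %s" % (fc, zone)
```

Because the verdict names the zone, the same string doubles as the alarm that tells the operator where a storm or an unexpected write command originated.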

For an overview of Belden’s complete portfolio for substation communications, view the video below. 

How Belden and Tripwire Can Help

In addition to our substation communications products, Belden’s offerings now include advanced threat, security and compliance software solutions from Tripwire. This includes Tripwire’s market leading NERC CIP Solution Suite, which is used by more than 100 NERC-registered entities. Nine out of the top ten utilities in the United States use Tripwire, and jointly, Belden solutions can deliver state-of-the-art cyber security solutions that meet the needs of both ICS operations and Enterprise IT.

If you would like assistance, in North America, Belden offers a no-charge Industrial Ethernet Infrastructure Design Check-Up that includes a high level security review. This process evaluates your network based on best practices that have been learned across our development and deployment of hundreds of systems. (To reach a sales representative who can arrange a Design Check-Up, call 1-855-400-9071 or email

In Europe and other parts of the world, the Belden Competence Center employs network design engineers who can work with your technical team to design the most cost-effective solution for implementing Defense in Depth cyber security. (To reach a sales representative, obtain contact information from this webpage.)

Where are you on the path to implementing Defense in Depth? I look forward to hearing from you.
