IEC 61850: cybersecurity for electrical substations | Stormshield

The International Electrotechnical Commission writes the standards that govern how the electrical industry works. And among this proliferation of standards – which sometimes come with rather forbidding abbreviations – one has a very special role to play, as it specifies communications for electricity distribution infrastructure. We explain IEC 61850 and the cyber risks it faces.


Riding on public transport, watching TV, listening to the radio and even boiling the kettle may seem completely straightforward, but that’s because the entire energy sector – and the electrical industry in particular – is hard at work to ensure continuous distribution and access to energy. This sector is highly standardised, and must satisfy the requirements of many international standards. These include the IEC 61850 standard, governing the operation of smart grids. And “smart grids” are synonymous with networks connected to the outside world, and also with interoperability. In both cases, such communications introduce an additional aspect for this industry, which is as a result also required to address the question of cybersecurity in electricity distribution infrastructures. However, cyber players – with software publishers at the forefront – are there to facilitate the transition towards the adoption of cybersecurity, considering not only the constraints imposed by the IEC 61850 standard but also security issues.


IEC 61850: the issues behind the acronym

What is the IEC 61850 standard? This international standard is dedicated to the world of energy in general, and the electrical industry in particular. Although hardware requirements for electrical environments are also part of this standard, we will be concerned mainly with the protocols it specifies. More specifically, these protocols related to “IEDs” (Intelligent Electronic Devices) – intelligent network components located in electrical substations. And what is the purpose of these protocols? To scope and ensure the operation of these smart grids, covering the specification of communications, the connections between energy production sources and electrical networks, etc. “IEC 61850 provides a structure for communications and interaction between equipment, making it possible to specify a template for exchanged data and the level of abstraction: who does what in an electrical environment? Etc. This provides a route from design through to operation,”, explains Simon Dansette, Product Manager at Stormshield.

The purpose of the IEC 61850 standard is therefore to simplify the management and control of electrical substations, and to ensure their integrity and availability. For example, the tasks performed by these substations are subject to very short latency times, and IEC 61850 satisfies this constraint by recommending that system operations are monitored in real time. In order to properly fulfil the specifications inherent in electrical substations, this standard therefore includes several protocols which play a regulatory role and guarantee the running of the electrical grid. Among these, three major communication protocols for IEDs should be borne in mind: the MMS (Manufacturing Message Specification) protocol, which sends configuration actions; the GOOSE (Generic Object Oriented Substation Event) protocol – a real-time protocol that provides meaningful interoperability between equipment of different brands and very low latency times for decision-making – and lastly, the SV (Sampled Values) protocol, which is also a real-time protocol, dealing with the transmission of values to the IEDs. This all provides an orderly framework to ensure the smooth running of electrical substations.

Electrical substation infrastructures were not originally connected to external grids, which means they were not designed with cybersecurity issues in mind. However, with the arrival of smart grids, that paradigm has been changed.

Simon Dansette, Product Manager Stormshield

Although the IEC 61850 standard imposes a very standardised and formalised framework, all communications being conveyed via the various protocols appear vulnerable from a cyber point of view. The data carried via these communications are in plain (i.e. unencrypted) format, and there is no mechanism for verifying message authenticity (which is particularly true of the “SPAC” system protection, automation and control system). “Electrical substation infrastructures were not originally connected to external grids, which means they were not designed with cybersecurity issues in mind. However, with the arrival of smart grids, that paradigm has been changed,” explains Simon Dansette. To address business and environmental requirements, electricity production and transmission optimisation work needs to take the form of greater interconnectedness. And that means facing cyber risks.

Although it was already possible for electrical grids to be targeted by cyberattacks, such as bounce attacks (in which, for example, a workstation could be infected in order to gain access to the heart of an electrical grid and compromise its communications), smart grids clearly raise the question of cybersecurity in electrical substations.


Smart grids: a target for cyber attackers

Consequently, the IEC 61850 standard has little or nothing to say about communications security and the question of cybersecurity (these concepts are covered by a different standard, IEC 62351). And yet electrical substations are key points in the entire energy distribution process, where the shutdown or sabotage of the electrical system could prove to be extremely critical. “An attack on the electrical industry is an attack on the heart of how society operates. For example, if a cyberattack causes a blackout, this could have dramatic consequences and cause a wide range of human and material damage,” warns Nebras Alqurashi, Business and Technical Development Manager for the Middle East and Africa at Stormshield.


Because of the interconnection between all the points which comprise it, the entire electrical industry's infrastructure is fragile and sensitive. And whether the issue is the failure of an electrical line, an energy overload or a total blackout, the electrical industry needs to have the ability to react quickly to limit potential impacts. Italy still remembers its largest blackout back in 2003, caused not by a cyberattack but by a tree falling on an electrical line. Most of the country was then unable to function normally and, among other problems, trains running at that time were stopped in their tracks, affecting 30,000 passengers. “You have to start from the assumption that if the electricity stops, pretty much everything stops working and there are immediate consequences: for example, traffic lights stop working, causing a cascade of accidents, or the water supply to remote regions runs dry…”, Nebras Alqurashi explains. Obviously, then a failure in the energy sector is bound to cause a domino effect that impacts a number of dependent sectors – backup systems notwithstanding. In 2011, Germany produced a report listing the potential material consequences of a blackout: a reduction in telecommunications, paralysis of water treatment plants, shutdown of cold chains, etc.; and in 2015, British insurer Lloyd’s produced a calculation of economic damage, taking the example of a blackout that simultaneously hit 15 US states: the potential bill to the United States was a modest sum ranging from 243 billion to 1,000 billion dollars.

An attack on the electrical industry is an attack on the heart of how society operates. For example, if a cyberattack causes a blackout, this could have dramatic consequences and cause a wide range of human and material damage

Nebras Alqurashi, Business and Technical Development Manager for the Middle East and Africa Stormshield 

 A successful cyberattack on an electrical industry will therefore have a phenomenal impact. However, an excellent knowledge of electrical grids’ protocols, systems and infrastructure would be required to deliver such an attack. And attackers who engage in such practices are often groups sponsored by state actors. Indeed, the energy sector in general, and the electricity industry in particular, are targets for cyberattacks of geopolitical scope. Ukraine and its electricity network have already been hit several times. In 2016, BlackEnergy malware was used to knock out a portion of the country's electricity resources, affecting around 1.5 million people. The attackers targeted an electricity supplier in western Ukraine, bringing down a number of lines. According to researchers, the attackers’ modus operandi was as follows: use of BlackEnergy malware functions to erase part of the power station's hard drive and prevent operating systems from restarting prior to the remote hijacking of computers infected by the malware. It is suspected that Russia was behind the attack.

In 2017, another attack targeted the Ukrainian capital, aimed at energy supplier Ukrenergo and plunging part of the city of Kiev into darkness. Although Russia was once again suspected of having sponsored the attack, the attackers’ MO was different, this time using the Industroyer malware, known for its ability to take control of electrical substations by adapting to the communication protocols they use. “An attacker will be able to take advantage of these protocols’ functions to conduct their attack, explains Marco Genovese, Pre-Sales Engineer at Stormshield. In the case of the IEC 61850 standard, the GOOSE protocol's role is to provide high-speed communications, which means it does not have time to wait for confirmation that packets have been successfully received. An attacker could take advantage of this weakness to inject malicious packets into the network.”

In 2018, following the Ukraine, it was the turn of the United States, which – via the country's Department of Homeland Security – reported that it had been targeted by cyberattacks against energy infrastructure since 2016. The attacks were thought to have been conducted by the Energetic Bear group (also known as Dragonfly), with links to Russia. According to US authorities, Energetic Bear had first infected the networks of small production facilities, then conducted targeted spear phishing campaigns in a gradual move towards the largest industries in order to remotely hijack the networks of companies in the energy sector.

The electrical industry is therefore one of the most critical sectors in terms of cyberattacks, and, although awareness is rising as the cyber risk increases, systems and infrastructure remain complex. And change is coming in small steps. This means that software publishers have a key role to play in supporting these industries by offering solutions that meet the operational constraints of the IEC 61850 standard while ensuring that IT infrastructures remain secure.


What’s the right balance between cybersecurity and the requirements of the IEC 61850 standard?

The task of taking the requirements of both information security and the IEC 61850 standard into consideration poses a sizeable challenge to publishers. Because if publishers do not provide a response to the business requirements of this industry, it is difficult (or impossible) to see them responding to the cyber requirements: within the context of IEC 61850, the three protocols mapped by the standard – GOOSE, MMS and SMV – are among the few that can be used, even though other protocols such as IEC 104 can also sometimes provide a solution to this security requirement. The standard thus imposes stringent hardware requirements, while the protocols have business implications to which cybersecurity solutions must adapt. The task facing publishers is therefore to place a cybersecurity layer over existing infrastructure. “It must be possible to integrate solutions transparently within electrical networks and check the compliance of messages for all three protocols,”, Dansette points out. Another important aspect: given that the electrical industry operates with very short latency times, there is a need to avoid presenting solutions that would impact the speed at which electrical substations operate, if at all possible. Lastly, a small additional difficulty: publishers need to consider security problems at electricity substations outside the world of the OT. For example, because the GOOSE protocol runs on Ethernet networks, all successful attacks against this network will work equally well with the GOOSE protocol.

If publishers do not provide a response to the business requirements of this industry, it is difficult or impossible to see them responding to the cyber issues

Khobeib Ben Boubaker, Head of Industrial Business Line Stormshield

But what solutions will satisfy IEC 61850 requirements while also providing the cybersecurity layer that the electrical industry needs? Several options are possible, following an essential first stage of network segmentation for the various electricity network infrastructures in order to minimise the risks of intrusion into the systems. IPS (Intrusion Prevention System) functions in some industrial firewalls are based on signature detection as a countermeasure against attacks or anomalies. However, this system is insufficient on its own to ensure the security of electricity networks because, as Marco Genovese explains, “Signature-based IPS can only detect what is already known and listed. But it's difficult to make advance predictions about cyberattacks and the forms they may take.” Some publishers have also developed solutions with integrated plugins that can strengthen compliance checks on communications for electrical substations, and ensure that these communications meet the requirements of IEC 61850. “By implementing industrial firewalls, this approach enables deep packet monitoring and inspection that takes the communication context into consideration (Stateful DPI), with a simple goal: to allow only what is deemed to be legitimate,” says Nebras Alqurashi. The electrical energy sector needs to have access to systems capable of analysing and reconstructing traffic to recontextualise it and establish whether it is legitimate, or whether (for example) there has been an attempt to inject packets with a malicious payload into the communications.


In the electricity industry, a consideration of cyber risks needs to be viewed in the same way as the IEC 61850 standard is in the world of electrical substations: as an essential component!

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Through its support for the various protocols specified in the IEC 61850 standard – GOOSE, MMS and SV – while performing Stateful DPI contextual packet analysis, our SNi20 industrial firewall enhances the cybersecurity of electrical substations. And the hardware characteristics of this industrial firewall also comply with the IEC 61850-3 standard.
About the author
Khobeib Ben Boubaker Head of D.M.I. Business Line, Stormshield

A graduate of CESI engineering school and holder of an ESCP Europe MBA, Khobeib began his career at Alcatel Lucent in the Submarine Network entity. His first love was the design of fibre optic systems for intercommunication between countries and operators. R&D engineer, international trainer, business engineer, then Business Unit Director: Khobeib wore many technical and business hats for a decade before coming to Stormshield. And following an initial post as Business Developer for the industrial security offering, he is now at Head of DMI (Defence, Ministries, Industry) Business Line to support the company's strategic ambitions for IT/OT cybersecurity.