Digital Bond has been doing a lot of generation work lately, and I’ve found myself in plant clothes (safety shoes, hard hat, jeans, cotton shirt) more and more often. There has been a lot of interest in the cyber security of generation plants, and not all of it is due to criteria in the NERC CIP V4 Brightline. But I’m not here to discuss what’s in and what’s out this time around. I’m here to discuss what happens when your plant becomes a Critical Asset, and a very important initial activity.
Generation differs greatly from Control Centers and Substations. First, generation is big, the kind of big that often requires four-wheeled transportation to avoid hiking from place to place. Second, generation has cyber assets tucked away in hard-to-reach places and out at the most remote corners of the plant. To see these places, you need to take a tour of the major mechanical and electrical systems at the plant in order to inventory these cyber assets, so that you can determine whether their function can affect the operation of the plant in a manner that affects the reliable operation of the Bulk Power System.
The first day of any initial cyber asset assessment is the plant tour. The purpose of this tour is to accurately record each control system and cyber asset you come across, noting its function. The ideal people to have on this tour are the engineers responsible for the control system, operations personnel, and potentially the IT resources that run the business network at the plant. A camera is a must-have tool here, used to photograph systems, Ethernet and serial connections, and physical locations.
When I’m on a tour, I ask to see each major plant function in person. While there are some differences between plants, you can be guaranteed that the following mechanical or electrical control systems are present, in some way, shape, or form:
- The Distributed Control System – The major control system at a generation plant is the DCS, which governs all ancillary systems and even some more advanced systems that don’t have a dedicated control system. Care must be taken at this stage to see what functions the DCS serves, and which ones are served by ancillary control systems.
- Switchyard systems – While often falling under the DCS due to ease of design, sometimes there are standalone switchyard systems. It just depends on the plant you are at.
- Fuel Handling and Transportation – These are the systems responsible for receiving fuel at site. They vary from conveyor belts, to pipeline systems, to the lake behind the dam. Yes, you can count water at a hydroelectric plant as fuel, it is finite, it is powerful, and without it no power is produced.
- Waste Removal – Ranges from ash collection and disposal facilities to the obvious exhaust stacks. No matter what, there are certain by-products of the power generation process that must be accounted for and removed from the process chain.
- Turbine Controls – At many plants, the DCS does not directly govern the turbine. This is done by a special purpose control system, and it will often interface to a DCS to exchange important process data.
- Protection Systems – While there are obvious electric power protection systems that we see at most substations, there are also protective mechanisms surrounding the turbines, pumps, valves, fans, etc. For instance, vibration protection schemes are often used on turbines, feedwater pumps, and Induced Draft or Forced Draft fans, and often have a ‘trip’ capability. Having a trip capability means that a system can halt the process under configurable conditions. Not all of these systems are particularly interesting from a NERC CIP perspective, so judgment is necessary on how deep to dig: not all of them communicate over an IP channel, can affect the process in a meaningful way, or are even configurable.
- Environmental systems – Once again, these systems can be either part of the DCS or run on a special-purpose control system. In this category I place the precipitator controls, continuous emissions monitoring, and flue gas desulfurization (FGD) systems. These systems vary in their influence on reliable operations. Some can directly affect production, while others are monitor-only and feed into policy-based decisions to produce or not produce.
- Automatic Dispatch/Generation Control – These are the systems responsible for receiving signals from some (often far-away) control center regarding their production levels. As these signals routinely come from external entities, they are often located at or near the access points to the control system.
- Maintenance Monitoring/Process Intelligence – These systems are involved with the analysis of the process for methods of improvement. They usually transport production information out of the control system and into a business system for analysis, but this isn’t always the case. The vendors involved in this transfer vary, but usually it’s Matrikon, OSI-PI, eDNA, or similar.
- IT Support Systems and Networks – There is usually some interplay (most often at the ‘border’ of the control systems) between the control system and an IT department. These systems are most often used for wide area communications between sites, and you’ll want to catalog those IT systems that seem most related to the control system. Usually, these are involved in transmitting signals for AGC, remote access, and process intelligence. No assessment is complete without reviewing IT-based systems for their interaction with the control systems.