Recently, a client came to us with a new piece of equipment they wanted to put in their distribution system. A decent way to describe the new protection equipment is transmission relay technology, scaled down to distribution level and combined into a single package. It’s pretty cool stuff, and will allow operations and protection engineers to prevent, detect, and respond to varying electrical situations so that the lights stay on. It has good SCADA functionality as well, which will increase the control center capabilities when installed at sub-transmission and distribution level.
The way client engineers will interact with the new equipment is with the standard technician laptop. The laptop will contain some unique keys, part of how a technician gets permission to access the new equipment, the other part being a username/password. Loss of the keys could compromise any new equipment that uses those keys. The client’s question for us was “What do we do if this laptop is stolen or lost?”
First off, we can’t be sure of why a laptop is stolen. It could be a nice laptop, someone wants to do bad things to the company, or a technician just doesn’t want to accept responsibility for losing it. This is the typical ‘What’s the threat?’ dilemma that many organizations, especially utilities, face. The threat part of the equation is not solvable for many entities: while we can’t always assume the worst case, we also can’t assume the best case.
So, we’re left with gauging the potential impact if unauthorized access to the protective equipment is successful. We looked at the protective system, how it was installed, and how it could communicate. In this case, the direct impact of a compromised laptop was to simply disconnect power to downstream customers. However, the distribution system in the install area is a ‘looped’ feeder design, which allows power to be fed from two separate sources. This was designed to increase the reliability in that area against a feeder trip or cut, but it also increases resilience to some cyber related issues.
We also identified an ancillary impact: the protection and control capabilities of the equipment could no longer be trusted to operate reliably. Overcurrent, undervoltage, and other protection to downstream customers could be impacted if someone were to clear or alter the settings. The feed from the other side of the loop would help, but not completely mitigate the issue. The consequence here was equipment damage, but it was mitigated by upstream protection at the feeder source.
We then identified what could be done to prevent, detect, and respond to a potential compromise. First, the equipment had capability for monitoring and controlling access by the laptop to the protective equipment. Basically, the control center could set a process point within the device that would disable the capability to change settings. This would certainly limit the capability of an attacker to compromise the equipment, and action was taken to enable the point and educate individuals on its use. The recommendation was to ensure that all reconfiguration attempts require a call-in to the control center, which would then enable access to reconfigure. Additionally, the equipment had some limited capability to report back when attempts were made to reconfigure, regardless of whether or not the control center had allowed it. We recommended enabling this as well.
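To make the two controls above concrete, here is an added example (not the vendor’s firmware or the client’s configuration) that models a control-center-owned “settings change enable” point, reports every reconfiguration attempt whether or not it was allowed, and then flags attempts that were blocked or that have no matching call-in on record. Device id, key ids and setting names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical model of the "settings change enable" process point and the
# relay's attempt reporting. Constructed for illustration; not vendor code.

@dataclass
class ProtectiveDevice:
    device_id: str
    settings_change_enabled: bool = False   # process point owned by the control center
    events: list = field(default_factory=list)

    def set_enable_point(self, enabled: bool, source: str) -> None:
        """Control center asserts or clears the point; logged so the change is auditable."""
        self.settings_change_enabled = enabled
        self.events.append({"device": self.device_id, "type": "ENABLE_POINT",
                            "enabled": enabled, "source": source})

    def request_settings_change(self, tech_key_id: str, setting: str, value) -> bool:
        """Technician laptop asks to alter a setting. Reported regardless of outcome."""
        allowed = self.settings_change_enabled
        self.events.append({"device": self.device_id, "type": "SETTINGS_ATTEMPT",
                            "key_id": tech_key_id, "setting": setting,
                            "value": value, "allowed": allowed})
        return allowed


def find_suspicious_attempts(events, authorized_call_ins):
    """Flag attempts that were blocked, or allowed without a matching call-in.
    authorized_call_ins: set of (device_id, key_id) pairs the control center approved."""
    flagged = []
    for e in events:
        if e["type"] != "SETTINGS_ATTEMPT":
            continue
        if not e["allowed"] or (e["device"], e["key_id"]) not in authorized_call_ins:
            flagged.append(e)
    return flagged


def demo():
    dev = ProtectiveDevice("FDR-12-R1")                       # constructed device id
    # Attempt while the point is cleared: blocked, but still reported.
    dev.request_settings_change("LAPTOP-KEY-07", "51P_pickup", 600)
    # Control center enables after a call-in; technician reconfigures; point cleared again.
    dev.set_enable_point(True, source="control_center")
    dev.request_settings_change("LAPTOP-KEY-07", "51P_pickup", 600)
    dev.set_enable_point(False, source="control_center")
    # Point enabled again, but a different key with no call-in on record is used.
    dev.set_enable_point(True, source="control_center")
    dev.request_settings_change("LAPTOP-KEY-03", "27_undervoltage", 0.5)
    return find_suspicious_attempts(dev.events, {("FDR-12-R1", "LAPTOP-KEY-07")})
```

In practice the call-in record would come from the control center’s log and the events from the device’s report-back channel; the correlation is the same.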
In both cases, a lineman would need to be dispatched to fix the issue, most likely temporarily bypassing the new equipment and installing a replacement set of control hardware. This, and the potential loss of power to downstream customers, formed the cost-benefit analysis used to justify developing response procedures and making the configuration change for the point limitation.
All in all, it was an interesting experience to go through with the client. I could see, though, that as the deployment gets larger and more hierarchical (i.e. control centers that control hundreds of pieces of protective equipment vs. a single piece of protective equipment), the consequences become much murkier. If you have questions or want to continue the conversation, don’t hesitate to use the comments.
title image by NathanielRobertson