Control | Blog Outlines Cyber Risks to Protective Relays in Power Grids

July 26, 2016

Digital Protective Relays Play Crucial Role in Power Grids & Other Industrial Applications

MSi Demonstrates Industry Leading Relay Easily Compromised by Cyber Attack

Joe Weiss, a cyber security and controls systems veteran of the power industry and MSi Advisory Board member, recently published a blog highlighting the vulnerabilities of protective relays within the electric grid. The blog appears in Control Global, a control systems industry trade publication, and features recent work conducted by MSi to address the risks to protective relays.

As many of you know, MSi has been working with control systems in defense and energy for several years. Since the Ukraine attacks in December, we’ve accelerated our research efforts around power industry components, placing particular emphasis on protective relays. These important physical assets play a critical role in utility operations. They also support the operations of a host of other industries that rely on power to run various processes, equipment and more.

Our research involves hands-on work to help us:

• Fully understand the fundamental systems and components of the asset;

• Determine potential cyber vulnerabilities;

• Develop and implement realistic cyber attacks within controlled test environments; and,

• Develop potential protective measures against cyber attacks using the MSi Secure Sentinel Platform.

Based on this research, MSi is developing various solutions to help shield protective relays and the operations they support from cyber attacks. Joe touches on some of our work in his blog below. We believe Joe’s insights regarding the current risks to protective relays are important for control system and security leaders in the power industry to read and fully consider. However, the information contained also applies to operations in oil and gas, chemicals, defense and a wealth of other industries that depend on safe and reliable performance.

We encourage you to look for us at upcoming events throughout the remainder of year, including the 2016 ICS Cyber Security Conference in October. The MSi Team will showcase the attacks we’ve identified as well as the protection measures we’ve created to shield protective relays. You can also contact us directly for a demonstration of our next generation cyber defense solutions.

We look forward to hearing from you soon!

David Drescher

Chief Executive Officer

The use of protective relays as an attack vector – the cyber vulnerability of the electric grid

Submitted by Joe Weiss on Fri, 07/22/2016 - 14:58

Protective relays are used to protect electric equipment such as motors and generators from electric faults. As an analogy, they are the circuit breakers in your house. Digital protective relays provide a higher level of reliability, more functionality, and the ability to provide direct integration into multiple devices including SCADA compared to the older mechanical protective relays. Consequently, digital protective relays are an integral part of Smart Grid, grid modernization, use of renewables, etc.

When a relay fails to operate as designed, major equipment damage or failure can occur with little opportunity to prevent the event because it was the protection that was compromised. Aurora was an example of using the relays as the attack vector to damage all alternating current (AC) equipment connected to the substation using those relays. Because of the importance of digital protective relays, DOE has spent large sums of money on R&D to make digital protective relays more cyber secure.

Mission Secure, Inc (MSI) is working with a number of control systems and devices to understand their cyber vulnerabilities in order to develop appropriate mitigation. When looking at the electric grid, MSI recognized that a weak link was the protective relays. Consequently, MSI procured a modern digital protective relay to analyze. They chose an SEL relay (in this case, the SEL751A) as SEL relays are prevalent throughout the US electric system and other industries and the SEL relays have very powerful computational capability including the ability to program the relays. The SEL 751A is a feeder protection relay that is also used for Aurora protection. While the SEL is a well-designed piece of equipment and important across the power sector and beyond, it was not designed to defend against a cyber attack. The members of the MSI attack team were neither nation-state actors nor even familiar with electric grid operations or protective relays. Yet, within a short period of time, MSI was able to take complete control of the HMI, the box, etc. MSI developed a variety of attack scenarios including locking out the operators and administrators, removing the ability to trip, removing the ability to use any of the buttons as a manual override and more. MSI did this to show how these devices, as with most all control devices, are not designed for cyber threats and can be easily compromised. MSI demonstrated these various attacks at an electric industry conference in early July. It garnered great interest from various people in the utility space.

The implications of the cyber vulnerabilities of digital protective relays have great importance for Smart Grid, grid modernization, NERC CIP, large plant electric equipment protection, and even nuclear plant safety. There will be a discussion of the ease of hacking relays and potential mitigation at the October ICS Cyber Security Conference in Atlanta. Full disclosure- I am on MSI’s Technical Advisory Board.

Joe Weiss