
Top 10 Security Practices for Substation Relays

July 8, 2025
A coordinated attack against multiple critical relays can lead to a cascading failure across the grid, potentially causing a large-scale blackout.

With global tensions remaining high, critical national infrastructure owners are being warned to stay alert for signs of active intrusion into their OT networks.

Power generation companies and national grid operators remain high profile targets for threat actors seeking to cause widespread disruption through blackouts.

In recent weeks, ISACs and US authorities including CISA, the FBI and the NSA have warned that vulnerable OT systems and networks are being actively targeted.

Securing protection relays

With these energy sector concerns in mind, Google's Mandiant threat intelligence and incident response experts have published a highly detailed look into protecting core power infrastructure assets titled 'Securing Protection Relays in Modern Substations'.

The post opens with the TTPs used to attack the Ukrainian power grid with Industroyer malware, then dives deep into modern substations, which it describes as "cyber-physical environments where IEDs, deterministic networking, and real-time data exchange work in concert to deliver grid reliability, protection, and control."

The team describes the highly segmented network architectures, topologies and zoning of a substation, then walks through reconnaissance techniques from the public internet and how attackers gain a foothold in IT before traversing into OT systems.

Interestingly, the analysis also considers an attacker with physical access on site who tampers directly with key generation hardware.

Protecting power assets

Despite increasing awareness, training, and incident response playbooks, many substations and critical infrastructure sites continue to exhibit foundational security weaknesses.

Off the back of this extensive analysis, fundamental security practices are documented in the form of Mandiant's "Top 10 Security Practices for Substation Relays."

  1. Authentication & Role Separation
  2. Secure Firmware & Configuration Updates
  3. Network & Protocol Hardening
  4. Time Synchronization & Logging Protection
  5. Custom Logic Integrity Protection
  6. Physical Interface Hardening
  7. Redundancy and Failover Readiness
  8. Remote Access Restrictions & Monitoring
  9. Command Supervision & Breaker Output Controls
  10. Centralized Log Forwarding & SIEM Integration
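Practices 3, 8 and 10 (protocol hardening, remote access monitoring and central log collection) come together when relay-zone firewall logs are checked against a zone-and-conduit policy in the SIEM. The script below is an added example written for this article, not code from the Mandiant post; the zone address ranges, the permitted conduits, the log line format and the log lines themselves are constructed assumptions, while the port numbers are the standard ones for IEC 61850 MMS (102), IEC 60870-5-104 (2404), DNP3 (20000), Modbus/TCP (502), NTP, syslog, SSH, Telnet and HTTP(S).

```python
"""Zone-aware conduit check over substation firewall logs (added example).

Flags any cross-zone connection that is not on the permitted conduit list,
with extra weight on traffic between the relay/IED zone and untrusted zones.
All addresses, zone ranges and log lines are constructed for illustration.
"""
import ipaddress
import re
from typing import Optional

# Assumed zone layout (constructed; adapt to the real substation design).
ZONES = {
    "corp_it":    ipaddress.ip_network("10.10.0.0/16"),      # corporate IT
    "eng_ws":     ipaddress.ip_network("192.168.10.0/24"),   # engineering workstations
    "scada_gw":   ipaddress.ip_network("192.168.20.0/24"),   # SCADA gateway, NTP, syslog
    "relay_zone": ipaddress.ip_network("192.168.30.0/24"),   # protection relays / IEDs
}

# Standard substation and management ports, used only to name alerts.
PORT_NAMES = {102: "iec61850-mms", 2404: "iec104", 20000: "dnp3", 502: "modbus",
              123: "ntp", 514: "syslog", 22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Permitted conduits (assumed policy): (src_zone, dst_zone) -> destination ports.
# Any cross-zone flow not listed here is a policy violation.
ALLOWED = {
    ("eng_ws", "relay_zone"):   {102, 22},            # engineering access only over MMS/SSH
    ("scada_gw", "relay_zone"): {102, 2404, 20000},   # SCADA polling
    ("relay_zone", "scada_gw"): {123, 514},           # relays may only send NTP and syslog
}

# Assumed key=value firewall log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def severity(src_zone: str, dst_zone: str) -> str:
    """Relay zone talking to IT or the internet is the case to page someone for."""
    untrusted = {"external", "corp_it"}
    if "relay_zone" in (src_zone, dst_zone) and (src_zone in untrusted or dst_zone in untrusted):
        return "high"
    return "medium"


def check_line(line: str) -> Optional[dict]:
    """Return an alert dict for a policy violation, or None if the flow is permitted."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"severity": "medium", "reason": "unparseable log line", "line": line}
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    dpt = int(m["dpt"])
    if src_zone == dst_zone:          # intra-zone traffic is outside this conduit policy
        return None
    permitted = ALLOWED.get((src_zone, dst_zone))
    if permitted is None:
        reason = f"no conduit defined from {src_zone} to {dst_zone}"
    elif dpt not in permitted:
        reason = f"port {dpt} ({PORT_NAMES.get(dpt, 'unknown')}) not permitted on {src_zone}->{dst_zone}"
    else:
        return None
    return {"ts": m["ts"], "action": m["action"], "src": m["src"], "dst": m["dst"],
            "dpt": dpt, "severity": severity(src_zone, dst_zone), "reason": reason}


def audit(lines) -> list:
    """Run the conduit check over a batch of log lines and collect the alerts."""
    return [alert for alert in (check_line(line) for line in lines) if alert]


# Constructed sample log: two permitted flows, a Telnet attempt from corporate IT,
# a relay reaching out to the internet (denied, but still an indicator), an HTTP
# session from an engineering workstation, and a relay forwarding syslog.
SAMPLE_LOG = [
    "2025-07-08T10:15:02Z fw01 action=allow proto=tcp src=192.168.10.5 spt=50122 dst=192.168.30.11 dpt=102",
    "2025-07-08T10:15:09Z fw01 action=allow proto=tcp src=192.168.20.2 spt=40010 dst=192.168.30.11 dpt=2404",
    "2025-07-08T10:16:31Z fw01 action=allow proto=tcp src=10.10.44.17 spt=51877 dst=192.168.30.11 dpt=23",
    "2025-07-08T10:17:05Z fw01 action=deny proto=tcp src=192.168.30.12 spt=33021 dst=203.0.113.7 dpt=443",
    "2025-07-08T10:18:40Z fw01 action=allow proto=tcp src=192.168.10.5 spt=50190 dst=192.168.30.11 dpt=80",
    "2025-07-08T10:19:00Z fw01 action=allow proto=udp src=192.168.30.11 spt=514 dst=192.168.20.9 dpt=514",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['src']} -> {alert['dst']}:{alert['dpt']} "
              f"({alert['action']}): {alert['reason']}")
```

Note that the denied relay-to-internet connection is still raised as a high-severity alert: a firewall block stops the session, but a relay initiating outbound traffic at all is the finding, and only a centrally collected log makes it visible.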

For those experienced in OT engineering, physical security and cyber security practices, this list won't contain many surprises. But given heightened concerns about OT security threats, it's good to see this level of expertise applied across the threat vectors a substation faces, and it is a worthwhile new contribution to ICS security.
