Title: Cybersecurity for Distance Relay Protection

This project is a DOE follow-up effort on the CREDC workshop held on September 13, 2018 in Cambridge, MA to discuss cybersecurity of distance relays, which considered the benefits, vulnerabilities and risk mitigations for the use of communication systems in power system protection. The objectives of this project are to define the taxonomy of relay protection and associated communications; define use cases describing approaches to reduce the cyber-attack surface on those protective relays; and evaluate the loss of operational functional capability from changes to communication coverage. Mitigating controls will also be evaluated to understand if there are other approaches to reduce attack surfaces while maintaining communications or partial communications. Distance relays are used to protect transmission lines of approximately 10 to 300 miles in length, by detecting short circuits (i.e., faults) on the lines and then tripping circuit breakers in the substation. Such protection systems are a subset of the power system and they incorporate sensing, logic and communication functions. Protection system exposure to cyberattack could be drastically limited by disconnecting relays from all vulnerable communication systems, but this may adversely impact overall power system performance in the absence of cyberattack. This project began with a use case analysis of protection systems with communications, as summarized in this report. It continued with modeling, testing and evaluation in a miniature power system (MPS), located in the Western Area Power Administration (WAPA) Electric Power Training Center (EPTC). The project also incorporated feedback from two industry meetings held in February and September 2019. The suggested next steps account for and complement the work already underway with DOE/CESER funding: 1. Study the performance of LCD and PC vs. PUTT, which is less reliant on communication system performance and GPS timing references. The PUTT scheme could prove to be more resilient to cyberattack or communications-related disruption. It could also be more tolerant of message re-routing with SDN/SDR communication systems. On the other hand, it will be more vulnerable to false tripping during dynamic events or to loss of the voltage signal. The optimum choice of scheme may depend on the specific power system and risk assessment. This study could provide a new template for evaluation based on business functions. 2. Research and develop new methods to detect and monitor distributed physical attacks, possibly using drones, video sensors, thermal sensors, machine learning and other advanced techniques. This will help mitigate the impact of cyberattack on the protection system, and will also help mitigate the impact of wild fires. 3. Implement a scalable PKI for use in electric utility protection systems. This will encourage widespread adoption of secure authentication methods that are already available, but not widely used at present. This will help secure engineering access to the relays. 4. Investigate the use of SDN in combination with SDR to achieve better cybersecurity and electromagnetic security of the network, incorporating path variability. This would help secure both engineering access and peer-to-peer GOOSE messaging. 5. Perform additional testing, with operator evaluation of “red button” scenarios, PUTT vs. LCD, relay mis-operations, and other cyberattacks in the EPTC. This is an important advantage of testing in the EPTC rather than by computer simulation or even hardware-in-the-loop simulation; the EPTC is already dedicated to managing the situational awareness, operator response times and other human impacts. One of the project objectives was to settle on a common nomenclature for this problem space. We have concluded that the OSI layer model, supplemented by ANSI device numbers and other IEEE standards, is already well-accepted by the industry. The IEEE PSRC knowledge base provides a great deal of public information