Table 6 List of the dataflows happening in the Smart Grid for Load Balancing of Renewable Energy

From: Load balancing of renewable energy: a cyber security analysis

| # | Name | From | To | Initiator | Protocols | Auth | Comment |
|---|------|------|----|-----------|-----------|------|---------|
| | **RTU & IED Maintenance Data** | | | | | | |
| 1 | RTU&IED Maintenance data | DSO Element Manager | Primary RTUs | DSO Element Manager | Unknown protocol over fiber WAN | LI | This is for changing parameters of RTUs and IEDs from the central office and downloading them to the RTUs; an example is the allocation of signals to input board channels. |
| 2 | RTU&IED Maintenance data | DSO Element Manager | Secondary RTUs | DSO Element Manager | Unknown protocol over GPRS WAN | LI | Same as above |
| 3 | RTU&IED Maintenance data | Substation workstation | Primary RTUs | Substation workstation | Internal format, over LAN | LI | Local update of RTU Maintenance Data in Primary Substation from local workstation |
| 4 | RTU&IED Maintenance data | Substation Mobile workstation | Secondary RTUs | Substation mobile workstation | Internal format, over LAN | LI | Local update of RTU Maintenance Data in Secondary Substation from local mobile workstation |
| | RTU&IED Maintenance data | Energy Supplier Element Manager | DER RTUs | Energy Supplier Element Manager | Some type of WEB service and VPN over Internet | LI | This is for changing parameters of the DER RTUs and IEDs from the Energy Supplier and downloading them to the RTUs; an example is the allocation of signals to input board channels. |
| 5 | RTU&IED Maintenance data | Substation mobile workstation | DER RTU | Substation mobile workstation | Internal format, over LAN | LI | Local update of RTU and IED Maintenance Data in DER Substation from local mobile workstation |
| | **SCADA Maintenance Data** | | | | | | |
| 6 | SCADA Maintenance data | DE HMI | Data Engineering | DE HMI | SQL commands | LI | Maintenance data for SCADA; examples are static topology, limits, etc. Data Engineering users enter data from the HMI into the Data Engineering database (Oracle) |
| 7 | SCADA Maintenance data | Data Engineering | SCADA | Data Engineering | Internal proprietary protocols | FS | SCADA maintenance data loaded into the SCADA real-time database from Data Engineering |
| | **FrontEnd Maintenance Data** | | | | | | |
| 8 | Front End Maintenance Data | SCADA | Front End | SCADA | RSP | FS | Maintenance data to the Front End from SCADA. The Front-End Maintenance Data is a subset of the SCADA Maintenance data from Data Engineering. IEC-104 does not support maintenance data, so this can only be sent with proprietary protocols like RSP |
| 9 | Meter Configuration Data | Meter Firmware and Key Server | Smart Meter | Meter Firmware and Key Server | DLMS | HLS5 | This is for sending down new software updates to the Smart Meters. |
| 10 | Meter Configuration Data | Meter Firmware and Key Server | Smart Meter | Meter Firmware and Key Server | DLMS | Same as DF49 | The same applies to updating the encryption keys (EK) as to updating meter firmware. The EK is also encrypted by the so-called master key (KEK), which is unique for every meter (the EK is also unique per meter) |
| | **Process Data** | | | | | | |
| 11 | Process data (bidirectional) | Primary RTU | SCADA Front End | SCADA Front End | IEC 60870-5-101, IEC 60870-5-104, DNP 3.0, Modbus, Proprietary protocols | FS | Collection of measurands, indications and pulse counters from RTUs over the Process WAN, and sending of commands and setpoints. This is a polled system where the Front Ends take the initiative in both directions |
| 12 | Process data (bidirectional) | Secondary RTU | SCADA Front End | SCADA Front End | Same as above | FS | Same as above |
| 13 | Process data (bidirectional) | DER RTUs | SCADA Front End | SCADA Front End | Same as above | FS | Same as above |
| 14 | Process data (inflow) | SCADA Front End | SCADA | SCADA Front End | RSP, IEC 60870-5-104 | FS | Process data from Front End to SCADA and commands and setpoints from SCADA to Front-Ends |
| 15 | Process data (commands) | SCADA | SCADA Front End | SCADA | RSP, IEC 60870-5-104 | FS | Commands from SCADA to Front End |
| 16 | Process data (inflow) | SCADA | HMI | HMI | Internal proprietary protocols | FS/LI | HMI asks for process data from the SCADA server real-time database to present process displays. When the operator starts his session, he has to log in to define his authorities. After login, there is an established connection. |
| 17 | Process data (commands) | HMI | SCADA | HMI | Internal proprietary protocols | FS/LI | Operator via HMI requests commands to be sent to RTUs |
| 18 | Process data (inflow) | SCADA | Replicated SCADA | SCADA | Internal proprietary protocols | FS | SCADA replicates process data to Replicated SCADA |
| 19 | Process data (inflow) | Replicated HMI | Replicated SCADA | Replicated HMI | Internal proprietary protocols | FS/LI | Replicated HMI asks for process data from the Replicated SCADA server real-time database to present process displays. |
| 20 | Process Data (inflow) | SCADA HMI | Office Station | Office Station | Internal format, VPN | FS/LI | Possibility for an Office station to remotely use the SCADA HMI over VPN to look at Process data. This is possible in many existing systems and is implemented to give an office user, e.g. a manager, the possibility to look at SCADA displays. |
| 20b | Process Data (inflow) | Replicated SCADA HMI | Office Station | Office Station | Internal format, VPN | FS/LI | Same as above |
| 21 | Process Data (commands) | Office Station | SCADA HMI | Office Station | Internal format, VPN | FS/LI | Possibility for an Office station to remotely use the SCADA HMI over VPN and send Process Data commands, e.g. open breakers. This is possible in many existing systems. This is the main vulnerability used in the Ukrainian blackout |
| 21B | Process Data (commands) | Office Station | Replicated SCADA HMI | Office Station | Internal format, VPN | FS/LI | Same as above |
| | **Remote Substation Login** | | | | | | |
| 22 | Remote substation login | Office Station | Substation workstation | DSO Office Station, Engineering zone | CITRIX format for remote desktop RDP | LI | Remote login to Substation workstation from office network. Uses a remote desktop connection (CITRIX). Normal login procedures to access the RTU. |
| 23 | Historic data | SCADA | Historian | SCADA | SQL commands | FS | SCADA logs process data from the real-time database and inserts it into the historical database using Oracle SQL commands. |
| 24 | Historic data | Historian | Replicated Historian | Historian | SQL commands | FS | Historian replicates historic data to the Replicated Historian in the DMZ using standard Oracle duplication features |
| 25 | Historic Data | Historian | HMI | HMI | SQL commands | FS/LI | Historic data from Historian is presented on SCADA HMI. |
| 26 | Historic Data | Replicated Historian | Office station | Office station | VPN | LI | Office user picks up historic data from the Replicated Historian in the DMZ to be used in office applications |
| | **Software/Hardware Data** | | | | | | |
| 27 | RTU&IED Software | DSO Update server | Primary RTU | DSO Update server | Protocol unknown, over fiber WAN | LI | Software/firmware updates from DSO Engineering Zone to RTUs and IEDs in primary substations |
| 28 | RTU&IED Software | DSO Update server | Secondary RTU | DSO Update server | Same as above, over GPRS | LI | Same as above |
| 29 | RTU&IED Software | DSO File transfer | DSO Update server | DSO Update server | Protocol unknown over LAN | ? | RTU&IED software updates pulled from the DSO File Transfer server to the Update server in the Engineering zone |
| 29a | RTU&IED Software | Vendor Server | DSO File Transfer | DSO File Transfer | Protocol unknown, over Internet | LI | This is transferring RTU&IED software updates pulled from the vendor server to the DSO File Transfer server |
| 30 | SCADA Software | Vendor Server | File transfer server | File transfer server | Protocol unknown, over Internet | LI | SCADA software updates and bug fixes from vendor to File transfer server in DMZ |
| 31 | SCADA Software | File transfer server (DMZ) | SCADA | SCADA | Protocol unknown, over LAN | FS | SCADA software updates from DMZ to SCADA |
| 32 | RTU&IED Software | Substation workstation | Primary RTUs | Substation workstation | Internal format, over LAN | LI | Local software/hardware update of RTU Software Data in Primary Substation from local workstation |
| 33 | RTU&IED Software | Substation mobile workstation | Secondary RTUs | Substation workstation | Internal format, over LAN | LI | Local software/hardware update of RTU Software Data in Secondary Substation from local mobile workstation |
| 34 | RTU&IED Software | Substation mobile workstation | DER RTU | Substation mobile workstation | Internal format, over LAN | LI | Local update of RTU and IED software data from local mobile substation in the DER RTU |
| 35 | Time Synch Data | Time Server | SCADA | SCADA | NTP | FS | Standard format for synchronizing clocks. This is done over the SCADA LAN |
| 36 | Time Synch Data | Time Server | SCADA Front End | SCADA | NTP | FS | Same as above |
| 37 | Time Synch Data | SCADA Front End | Primary RTU | SCADA Front End | IEC 60870-5-101, IEC 60870-5-104, DNP 3.0, Modbus | FS | Time synch data from SCADA Front End to Primary RTUs in order to synchronize the clocks of the RTUs. Uses special telegrams for time synchronization |
| 38 | Time Synch Data | SCADA Front End | Secondary RTU | SCADA Front End | IEC 60870-5-101, Same as above, DNP 3.0, Modbus | FS | Same as above |
| 39 | Time Synch Data | SCADA Front End | DER RTU | SCADA Front End | IEC 60870-5-101, IEC 60870-5-104, DNP 3.0, Modbus | FS | Same as above |
| | **Load Forecast Data** | | | | | | |
| 40 | Load Forecast Data | TSO | File Transfer server | TSO | FTP format over Internet / VPN | ? | TSO Load Forecast data to SCADA File Transfer Server. |
| 41 | Load Forecast Data | File Transfer server, DMZ | SCADA | SCADA | FTP format | FS | SCADA picks up Load Forecast Data from the File transfer server in the DMZ and uses this to predict loads and balance against local generation in the DER |
| | **Meter Data** | | | | | | |
| 42 | Meter Data | Smart Meters | Meter Data Concentrator | Meter Data Concentrator | DLMS | FS? | Collection of Meter Data from Smart Meters to Meter Data Concentrators using PLC. We do not model alarms from meters, so here only the Meter Data Concentrator is Initiator. |
| 43 | Meter Data | Meter Data Concentrator | AMI Private Houses | AMI Private Houses | DLMS, FTP, Web-based | FS? | Collection of Meter Data from the Meter Data Concentrator to the AMI system for private customers. The communication protocol depends on the solution; it might be DLMS, a web server or (s)FTP based. |
| 44 | Meter Data | Smart Meters | AMI Private Houses | AMI Private Houses | DLMS, VPN over GPRS | FS? | Collection of Meter Data from the Smart Meters directly to the AMI system for private customers. The HE-system periodically contacts the meter to check if any alarms are available, whether the meter is alive, to clock sync the e-meter, to perform maintenance, etc. |
| 45 | Meter Data | AMI Private Houses | Office station | Office station | Internal format | LI | Possibility for an office station to look at Meter Data from AMI Private Houses, to look at power quality data in profiles in the meter, e.g. 10-minute average power, voltage level, currents etc., for grid analysis. This dataflow is highly unlikely for obvious privacy reasons (power and current can help deduce the behavior of consumers) |
| | **S** | | | | | | |
| 46 | KWh Meter Data | KWh Meter | Meter Data Concentrator | KWH Meter | Internal Format | FS? | Collection of KWh Data from Smart Meters to Meter Data Concentrators using PLC. In Holland, the consumer has the right to refuse kWh or privacy-related data being read out. All other data needed for maintenance is always allowed to be read out of the meter. |
| 47 | KWh Meter Data | Meter Data Concentrator | AMI Industrial Customers | AMI Industrial Customers | Internal format | FS? | Collection of KWh Data from the Meter Data Concentrator to the AMI system for Industrial customers. |
| 48 | KWH Meter Data | AMI Industrial Customers | Data Hub | AMI Industrial Customers | transfer over Internet | FS? | This is sending KWH Data from the DSO AMI system for industrial customers to the Data Hub for further distribution to the Energy Suppliers, so that the Energy Supplier knows how much he has produced in the DER. |
| 49 | KWh Meter Data | Data Hub | Energy Supplier System | Energy Supplier System | transfer over Internet | FS? | This is sending KWh data from the Data Hub to the Energy Supplier System so the Energy Supplier knows how much he has produced in his DER. |
| | **Internet Data** | | | | | | |
| 50 | Internet Data | Office stations | Public Internet | Office Station | Internet format | LI | Possibility of a DSO office user to access the Internet, e.g. for sending and receiving emails. This is the phishing mechanism used in the Ukrainian blackout to get access to the Office LAN |

1. Initiator refers to the host that is initiating the dataflow, whether it is for sending or receiving data. For authentication, LI refers to LogIn (credentials are required) and FS refers to Fixed Setup (the receiver does not filter who is initiating the request). When authentication is uncertain, LI has usually been preferred to FS. Grey rows represent dataflows that are only present in the model with a SCADA DMZ, and red rows represent dataflows that are only present in the model without SCADA DMZ.