Introduction

This guideline identifies best practices for securing automated distribution management (DM) functions in a smart grid environment, including steady state operations and optimization. This security profile addresses concerns related to using communications and automation in field equipment that controls the configuration and operation of the electric distribution system. Other electric system operation scenarios may also be addressed using this profile, as the various roles defined herein have been abstracted in such a way as to support mapping to different environments.

This document defines a set of use cases and a corresponding set of security controls for systems and components that implement the use cases. The security controls in this document are based in part on the controls from the Department of Homeland Security Catalog of Control Systems Security (U.S. Department of Homeland Security, March 2010). The underlying approach is to:

- study real-world DM systems;
- define the function of DM systems by presenting a reference architecture that defines abstract roles and use cases;
- map the architecture's roles to real-world DM systems;
- define broad security objectives for DM systems;
- identify potential failures for each role in the context of the use cases;
- define security controls to address the failures; and
- assign controls to the roles.

An understanding of the roles is essential to applying the security controls defined in this document. Roles have been designed abstractly to ensure applicability across a range of DM applications. The key roles are those of a sensor, an actuator, and an application—each of which represents functionality that may be implemented by physical devices. A sensor is able to gather data about physical equipment in a DM system. An actuator is able to take action on physical equipment in a DM system. An application is able to make decisions, with or without human supervision, about what actions should be taken in a DM system.
These roles are elaborated and decomposed (e.g., distinguishing between field applications and centrally deployed applications) in section . It is important to note that a single device or product may implement multiple roles. Moreover, each role could be implemented in different ways, using different technologies, and by different vendors. By assigning security controls to the abstract roles, no bias is expressed in any of these dimensions. This document addresses security concerns by requiring that products implementing the functionality of a given role satisfy all security controls associated with that role. If a product implements the functionality of multiple roles, it must implement all of the security controls assigned to each of the roles.

Scope

This security profile addresses automated distribution management (DM) functions including steady state operations and optimization. The document considers “distribution automation” to refer to a specific portion of distribution management related to automated system reconfiguration such as SCADA, and therefore within scope for this security profile.

Field Equipment

From a field equipment perspective, the scope is bounded on the utility end by the distribution substation. While the transition from distribution to transmission may vary from one organization to another, distribution management field equipment lies primarily between the last substation and the point of service for the customer. In general, the substation fence serves as a scoping boundary, with at least two notable exceptions:

- Substation feeder breakers are considered in scope, as they often need to be managed in conjunction with distribution feeder devices for system protection coordination and system reconfiguration.
- Equipment in the substation that is part of overall voltage and volt-ampere reactive (VAR) control applications is also considered in scope. This may include on-load tap changers, voltage regulators, and capacitor controls in the substation.
The boundary on the customer end is defined logically, as some distribution management functions will inherently involve communication with customer-owned equipment. Distribution management and control functions in direct communication with appropriate customer equipment are considered in scope. Some examples:

- Distributed generation equipment (including photovoltaics and distributed wind): Customer-owned distributed generation equipment is in scope insofar as it comprises part of distribution voltage control applications and requires coordination for protection functions.
- Energy storage: Customer-owned energy storage is in scope insofar as it comprises part of distribution management functions for reconfiguration, islanding, and voltage control.
- Direct load control: Direct communication with customer loads is in scope insofar as load control comprises part of distribution management functions. This includes direct communication with devices managing load control functions and may include verification of the load response if appropriate (e.g., an energy services manager device, meter, or controller directly on the load).

Applications

At an application level, many distribution functions can be implemented with a range of different architectures involving varying degrees of distributed control. Some functions may be primarily enterprise applications, while other functions involve a combination of enterprise functionality with distributed controls that operate relatively autonomously (although coordinated). The distinction between enterprise level functionality and distributed control systems is addressed for the specific categories of functions in terms of how this influences the security requirements.
Specific functions that were considered in the development of this security profile include:

| Function | Purpose | Examples |
| --- | --- | --- |
| Distribution Protection and Configuration Management | Monitoring and Elective Control of Primary Switchgear: System Protection; Fault Isolation; Reconfiguration | Outage Management System; Fault Location, Isolation, and Service Restoration; Mobile Workforce Management; Dynamic Management of Protection Coordination Settings; Faulted Circuit Indicator Management and Integration; Predictive Fault Location |
| Distribution System Management and Optimization | Changes to System Variables or Equipment: Optimize System Performance; Manage System Performance; Energy Savings; Demand Response | Load Control; Voltage Optimization and Control; VAR Management; Integrated Volt-VAR Control; Power Quality Control; Integration with Distributed Resources; Electric Vehicle Management and Control |
| Distribution System Monitoring | Monitoring Conditions and System Performance: Contract Fulfillment; Asset Preservation; Billing; Planning | Power Quality Monitoring; Equipment Condition Monitoring and Assessment; Metering; Maintaining the Electrical Model; Load Forecasting and Load Model Maintenance; On-Line Power Flow and State Estimation; Topology Analysis; Contingency Analysis |

Explicit Exclusions

While closely related to distribution management for some organizations, this document explicitly considers the functions of system protection (high speed response to a fault condition) and advanced metering to be out of scope for this profile. Advanced metering is covered under the Security Profile for Advanced Metering Infrastructure. System protection (i.e., automated high-speed response to a fault condition) will be covered under its own security profile under the topic of substation automation. However, management of protection settings for coordination within and configuration of protection equipment is within scope of this security profile.