Power system control and associated communications - Data and communication security

Applies to computerised supervision, control, metering, and protection systems in electrical utilities. Deals with security aspects related to communication protocols used within and between such systems, the access to, and use of the systems. Discusses realistic threats to the system and its operation, the vulnerability and the consequences of intrusion, actions and countermeasures to improve the current situation.

General Information

Status
Withdrawn
Publication Date
08-May-2003
Withdrawal Date
27-Feb-2017
Drafting Committee
WG 15 - TC 57/WG 15
Current Stage
WPUB - Publication withdrawn
Start Date
02-Mar-2017
Completion Date
10-Mar-2017

Buy Documents

Technical report

IEC TR 62210:2003 - Power system control and associated communications - Data and communication security Released: 5/9/2003

ISBN:2-8318-7006-2
English language (43 pages)


Frequently Asked Questions

IEC TR 62210:2003 is a technical report published by the International Electrotechnical Commission (IEC). Its full title is "Power system control and associated communications - Data and communication security". Its scope: it applies to computerised supervision, control, metering, and protection systems in electrical utilities. It deals with security aspects related to communication protocols used within and between such systems, the access to, and use of the systems. It discusses realistic threats to the system and its operation, the vulnerability and the consequences of intrusion, and actions and countermeasures to improve the current situation.

IEC TR 62210:2003 is classified under the following ICS (International Classification for Standards) categories: 33.200 - Telecontrol. Telemetering. The ICS classification helps identify the subject area and facilitates finding related standards.


Standards Content (Sample)


TECHNICAL REPORT
IEC TR 62210
First edition
2003-05
Power system control and associated communications – Data and communication security
Reference number IEC/TR 62210:2003(E)
Publication numbering
As from 1 January 1997 all IEC publications are issued with a designation in the
60000 series. For example, IEC 34-1 is now referred to as IEC 60034-1.
Consolidated editions
The IEC is now publishing consolidated versions of its publications. For example,
edition numbers 1.0, 1.1 and 1.2 refer, respectively, to the base publication, the
base publication incorporating amendment 1 and the base publication incorporating
amendments 1 and 2.
Further information on IEC publications
The technical content of IEC publications is kept under constant review by the IEC,
thus ensuring that the content reflects current technology. Information relating to
this publication, including its validity, is available in the IEC Catalogue of
publications (see below) in addition to new editions, amendments and corrigenda.
Information on the subjects under consideration and work in progress undertaken
by the technical committee which has prepared this publication, as well as the list
of publications issued, is also available from the following:
• IEC Web Site (www.iec.ch)
• Catalogue of IEC publications
The on-line catalogue on the IEC web site (http://www.iec.ch/searchpub/cur_fut.htm)
enables you to search by a variety of criteria including text searches, technical
committees and date of publication. On-line information is also available on
recently issued publications, withdrawn and replaced publications, as well as
corrigenda.
• IEC Just Published
This summary of recently issued publications (http://www.iec.ch/online_news/
justpub/jp_entry.htm) is also available by email. Please contact the Customer
Service Centre (see below) for further information.
• Customer Service Centre
If you have any questions regarding this publication or need further assistance,
please contact the Customer Service Centre:
Email: custserv@iec.ch
Tel: +41 22 919 02 11
Fax: +41 22 919 03 00
© IEC 2003 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or
mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch  Web: www.iec.ch
PRICE CODE X
For price, see current catalogue
Commission Electrotechnique Internationale
International Electrotechnical Commission
Международная Электротехническая Комиссия

– 2 – TR 62210  IEC:2003(E)
CONTENTS
FOREWORD . 4
1 Scope and object . 5
2 Overview . 5
3 Reference documents . 6
4 Terms, definitions and abbreviations. 6
4.1 Terms and definitions . 6
4.2 Abbreviations.10
5 Introduction to security.11
5.1 How to use this report.11
6 The security analysis process .12
6.1 Network topologies .14
6.2 User consequence based analysis.16
6.2.1 Stakeholders.16
6.3 Consequences to be considered .18
6.3.1 Financial.18
6.3.2 Asset destruction/degradation.19
6.3.3 Inability to restore service .20
6.4 Consequences and security threats .20
7 Focus of security work within this report .22
7.1 Justification of application level security focus .22
7.2 Security analysis technique .23
7.2.1 Security objectives.23
7.2.2 General threats.24
7.2.3 Specific threats to be considered in PP.24
8 Vulnerabilities .27
8.1 Threats to topologies .27
8.2 Current IEC Technical Committee 57 protocols.29
8.2.1 TASE.1 .29
8.2.2 TASE.2 .30
8.2.3 IEC 60870-5 .30
8.2.4 IEC 61334.30
8.2.5 IEC 61850.31
9 Recommendations for future IEC Technical Committee 57 security work .32
Annex A (informative) What is a protection profile? .35
Annex B (informative) Protection profile for TASE.2 .37
Annex C (Informative) Example of consequence diagrams .43
Figure 1 – Normal corporate security process .12
Figure 2 – Business information flow.14
Figure 3 – General communication topology.16
Figure 4 – Consequence diagram: inability to restore service .21

Figure 5 – WAN/LAN topology.27
Figure 6 – Levels of vulnerability.28
Table 1 – Matrix to determine business process importance.17
Table 2 – Asset to business process relationships .20
Table 3 – Communication model security matrix.22

INTERNATIONAL ELECTROTECHNICAL COMMISSION
POWER SYSTEM CONTROL AND ASSOCIATED COMMUNICATIONS –
Data and communication security
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, the IEC publishes International Standards. Their preparation is
entrusted to technical committees; any IEC National Committee interested in the subject dealt with may
participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. The IEC collaborates closely with the International
Organization for Standardization (ISO) in accordance with conditions determined by agreement between the
two organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form
of standards, technical specifications, technical reports or guides and they are accepted by the National
Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this technical report may be the subject of
patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However,
a technical committee may propose the publication of a technical report when it has collected
data of a different kind from that which is normally published as an International Standard,
for example “state of the art”.
IEC 62210, which is a technical report, has been prepared by IEC technical committee 57:
Power system control and associated communications.
The text of this technical report is based on the following documents:
Enquiry draft: 57/613/DTR
Report on voting: 57/630/RVC
Full information on the voting for the approval of this technical report can be found in the
report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until 2006.
At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
A bilingual version of this technical report may be issued at a later date.

POWER SYSTEM CONTROL AND ASSOCIATED COMMUNICATIONS –
Data and communication security
1 Scope and object
This Technical Report applies to computerised supervision, control, metering, and protection
systems in electrical utilities. It deals with security aspects related to communication protocols
used within and between such systems, the access to, and use of the systems.
NOTE This report does not include recommendations or criteria development associated with physical security
issues.
Realistic threats to the system and its operation are discussed. The vulnerability and the
consequences of intrusion are exemplified. Actions and countermeasures to improve
the current situation are discussed but solutions are to be considered issues for future
work items.
2 Overview
Safety, security, and reliability have always been important issues in the design and operation
of systems in electrical utilities. Supervision, protection, and control systems have been
designed with the highest possible level of safety, security, and reliability. The communication
protocols have been developed with a residual error rate approaching zero. All these
measures have been taken to minimise the risk of danger for personnel and equipment and to
promote an efficient operation of the power network.
Physical threats on vulnerable objects have been handled in the classical ways by locked
buildings, fences and guards, but the quite possible terrorist threat of tripping a critical breaker
by a faked SCADA command on a tapped communication link has been neglected. There is
no function in the currently used protocols that ensures that the control command comes from
an authorised source.
The deregulated electricity market has imposed new threats: knowledge of the assets of a
competitor and the operation of his system can be beneficial and acquisition of such
information is a possible reality.
The communication protocols and systems need protection from advertent and inadvertent
intruders, the more the protocols are open and standardised and the more the communication
system is integrated in the corporate and world-wide communication network.
This Technical Report discusses the security process of the electrical utility. The security
process involves the corporate security policy, the communication network security, and the
(end-to-end) application security.
The security of the total system depends on secure network devices, i.e. the security of any
device that can communicate. A secure network device has to be capable of performing ‘safe’
communication and of authenticating the access level of the user. Intrusive attacks have to be
efficiently detected, recorded and prosecuted as part of an active audit system.
The threats are analysed based on possible consequences to a system, i.e. what is the worst
that could happen if an illicit intruder has ambition and resources? The vulnerability of a utility
and its assets are analysed together with the threats.

Having shown that there exist threats to vulnerable points in the systems of electrical utilities,
the countermeasures are discussed with special focus on the communication protocols
defined by IEC Technical Committee 57: the IEC 60870-5 series, the IEC 61334 series, the
IEC 60870-6 series and the IEC 61850 series.
Proposals for new work items to include security aspects in these protocols are given.
3 Reference documents
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60870-5 (all parts), Telecontrol equipment and systems – Part 5: Transmission protocols
IEC 60870-6 (all parts), Telecontrol equipment and systems – Part 6: Telecontrol protocols
compatible with ISO standards and ITU-T recommendations
IEC 61334 (all parts), Distribution automation using distribution line carrier systems
IEC 61850 (all parts), Communication networks and systems in substations
ISO/IEC 7498-1, Information technology – Open Systems Interconnection – Basic Reference
Model: The Basic Model
ISO 7498-2:1989, Information processing systems – Open Systems Interconnection – Basic
Reference Model – Part 2: Security Architecture
ISO/IEC 10181-1:1996, Information technology – Open Systems Interconnection – Security
frameworks for open systems: Overview
ISO/IEC 10181-7:1996, Information technology – Open Systems Interconnection – Security
frameworks for open systems: Security audit and alarms framework
ISO/IEC 15408-1, Information technology – Security techniques – Evaluation criteria for IT
Security – Part 1: Introduction and general model
ISO/IEC 15408-2, Information technology – Security techniques – Evaluation criteria for
IT Security – Part 2: Security functional requirements
ISO/IEC 15408-3, Information technology – Security techniques – Evaluation criteria for IT
Security – Part 3: Security assurance requirements
4 Terms, definitions and abbreviations
4.1 Terms and definitions
4.1.1
accountability
property that ensures that the actions of an entity may be traced uniquely to the entity
4.1.2
asset
anything that has value to the organisation
[ISO/IEC TR 13335-1:1997]
4.1.3
authenticity
property that ensures that the identity of a subject or resource is the one claimed. Authenticity
applies to entities such as users, processes, systems and information
4.1.4
authorisation violation
entity authorised to use a system for one purpose uses it for another, unauthorised purpose
4.1.5
availability
property of being accessible and usable upon demand by an authorised entity
[ISO 7498-2: 1989]
4.1.6
baseline controls
minimum set of safeguards established for a system or organisation
[ISO/IEC TR 13335-1:1997]
4.1.7
confidentiality
property that information is not made available or disclosed to unauthorised individuals,
entities, or processes
[ISO 7498-2:1989]
4.1.8
data integrity
property that data has not been altered or destroyed in an unauthorised manner
[ISO 7498-2:1989]
4.1.9
denial of service
authorised communications flow is intentionally impeded
4.1.10
eavesdropping
information is revealed to an unauthorised person monitoring communication traffic
4.1.11
hack
threat that may be a combination of one or more of the following threats: authorisation
violation; information leakage; integrity violation; and masquerade
4.1.12
hash function
(mathematical) function that maps values from a (possibly very) large set of values into
a smaller range of values
4.1.13
information leakage
unauthorised entity obtains secure/restricted information
4.1.14
integrity violation
information is created or modified by an unauthorised entity

4.1.15
intercept/alter
communication packet is intercepted, modified, and then forwarded as if it were the original
packet
4.1.16
masquerade
unauthorised entity attempts to assume the identity of a trusted party
4.1.17
reliability
property of consistent intended behaviour and results
[ISO/IEC TR 13335-1:1997]
4.1.18
replay
communication packet is recorded and then retransmitted at an inopportune time
4.1.19
repudiation
exchange of information occurs and one of the two entities in the exchange later denies the
exchange or contents of the exchange
4.1.20
residual risk
risk that remains after safeguards have been implemented
[ISO/IEC TR 13335-1:1997]
4.1.21
resource exhaustion
see denial of service
4.1.22
risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause
loss or damage to the assets
[ISO/IEC TR 13335-1:1997]
4.1.23
security auditor
individual or a process allowed to have access to the security audit trail and to build audit
reports
[ISO/IEC 10181-7:1996]
4.1.24
security authority
entity that is responsible for the definition, implementation or enforcement of security policy

4.1.25
security domain
set of elements, a security policy, a security authority, and a set of security-relevant activities
in which the set of elements are subject to the security policy for the specified activities, and
the security policy is administered by the security authority for the security domain
4.1.26
security domain authority
security authority that is responsible for the implementation of a security policy for a security
domain
4.1.27
security token
set of data protected by one or more security services, together with security information used
in the provision of those security services, that is transferred between communicating entities
4.1.28
security-related event
any event that has been defined by security policy to be a potential breach of security, or to
have possible security relevance. Reaching a pre-defined threshold value is an example
of a security-related event
4.1.29
spoof
combination of one or more of the following threats: eavesdropping; information leakage;
integrity violation; intercept/alter; and masquerade
4.1.30
system integrity
property that a system performs its intended functions in an unimpaired manner, free from
deliberate or accidental unauthorised manipulation of the system
[ISO/IEC TR 13335-1:1997]
4.1.31
threat
potential cause of an unwanted incident which may result in harm to a system or organisation
[ISO/IEC TR 13335-1:1997]
4.1.32
trust
entity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y
behaving in a particular way with respect to the activities
4.1.33
trusted entity
entity which is assumed to appropriately enforce security policies. Because of this
assumption, the entity may cause other security policies to be obviated.
EXAMPLE A trusted authorisation entity declares a user to be authorised for control; thereby the
challenge and authentication procedures that would normally be applied are not invoked.
Alternatively: entity that can violate a security policy, either by performing actions which it is not
supposed to do, or by failing to perform actions which it is supposed to do

4.1.34
vulnerability
weakness of an asset, or group of assets, which can be exploited by a threat
[ISO/IEC TR 13335-1:1997]
4.1.35
developed technology
software code/algorithms that are developed within the configuration and guidelines for quality
and security assurance set forth as EAL-5, or greater, as specified in ISO/IEC 15408-3
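The following Python sketch is an added illustration; it is not part of this Technical Report and does not model any TC 57 protocol. It puts the observation of Clause 2 (no function in the current protocols ensures that a control command comes from an authorised source) next to the threats defined in 4.1 (masquerade, replay, intercept/alter): the same frames are sent to an outstation with no source authentication and to one that checks a keyed hash and a strictly increasing sequence number. The 7-byte frame layout, the pre-shared key, the command code, and the class and function names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Assumed pre-shared key between control centre and outstation (demonstration only).
KEY = b"demo-shared-secret-not-for-production"

# Assumed frame: 2-byte object address, 1-byte command, 4-byte sequence number.
FRAME = ">HBI"
FRAME_LEN = struct.calcsize(FRAME)  # 7 bytes
CMD_OPEN = 1  # assumed code for "open (trip) breaker"


def pack_frame(addr, cmd, seq):
    return struct.pack(FRAME, addr, cmd, seq)


def authenticate(key, body):
    """Append a keyed hash (HMAC-SHA256) computed over the whole body."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UnprotectedOutstation:
    """Models the situation described in Clause 2: every well-formed frame
    is executed, whoever put it on the link."""

    def __init__(self):
        self.breaker_open = False

    def receive(self, frame):
        _addr, cmd, _seq = struct.unpack(FRAME, frame)
        if cmd == CMD_OPEN:
            self.breaker_open = True
            return "executed"
        return "ignored"


class ProtectedOutstation:
    """Checks the authenticator first, then a strictly increasing sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.breaker_open = False

    def receive(self, frame):
        body, tag = frame[:FRAME_LEN], frame[FRAME_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Masquerade (sender has no key) and intercept/alter (tag no longer
            # matches the modified body) both end here.
            return "rejected: bad authenticator"
        _addr, cmd, seq = struct.unpack(FRAME, body)
        if seq <= self.last_seq:
            # A recorded frame retransmitted later fails here (replay).
            return "rejected: stale sequence"
        self.last_seq = seq
        if cmd == CMD_OPEN:
            self.breaker_open = True
            return "executed"
        return "ignored"


def run_scenarios():
    """Returns the outcome of each threat against both receivers."""
    out = {}

    # Faked command on a tapped link: the attacker needs no secret at all.
    u = UnprotectedOutstation()
    out["unprotected_forged"] = u.receive(pack_frame(0x0102, CMD_OPEN, 7))

    p = ProtectedOutstation(KEY)
    genuine = authenticate(KEY, pack_frame(0x0102, CMD_OPEN, 1))
    out["protected_genuine"] = p.receive(genuine)
    out["protected_replay"] = p.receive(genuine)  # the same frame a second time
    out["protected_forged"] = p.receive(pack_frame(0x0102, CMD_OPEN, 2) + bytes(32))

    # Intercept/alter: take a genuine no-op frame and flip its command byte.
    altered = bytearray(authenticate(KEY, pack_frame(0x0102, 0, 3)))
    altered[2] = CMD_OPEN
    out["protected_altered"] = p.receive(bytes(altered))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

The keyed hash gives authenticity and data integrity only: the frame is still readable on the tapped link, so the eavesdropping and information leakage threats of 4.1 are untouched, and how the key reaches the outstation is outside the sketch. The sequence counter must also survive an outstation restart (or be replaced by a challenge/response), otherwise the replay check resets with it.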
4.2 Abbreviations
AMR Automatic Meter Reading
CC Common Criteria
COTS Commercial off the shelf software
DISCO Distribution Company
DLC Distribution Line Carrier
DLMS Distribution Line Messaging System
DMS Distribution Management System
EAL Evaluation Assurance Level
EMS Energy Management System
GENCO Generation Company
HMI Human – Machine Interface (for example: operator workstation)
HV High Voltage
IED Intelligent Electronic Device
IT Information Technology
LAN Local Area Network
LV Low Voltage
MMS Manufacturing Message Specification
MV Medium Voltage
NT Windows NT is a Microsoft Windows personal computer operating system designed for users and businesses needing advanced capabilities
OASIS Open Access Same-Time Information System
PLC (user) Programmable Logic Controller
POTS Plain Old Telephone System
PP Protection Profile
RTU Remote Terminal Unit
SCADA Supervisory Control And Data Acquisition
ST Security Target
TASE Telecontrol Application Service Element
TCP/IP Transmission Control Protocol/Internet Protocol
TOE Target of Evaluation
TRANSCO Transmission Company
VAA Virtual Application Association
VDE Virtual Distribution Equipment
WAN Wide Area Network
5 Introduction to security
Communication and information security is becoming an essential requirement for information
networks in the commercial/private sector. This is particularly true for communication and
information technologies employed as part of critical service infrastructures/services. Disruption
of these services (for example gas, water, and electric service deliveries) can have
impact over a wide geographical area and upon a large number of individuals and companies.
Communication networking and information exchange, within and between companies, is
becoming more prevalent within the electrical infrastructure. Whereas, in the past, utilities
held their information tightly and controlled most of their communication infrastructure, this is
no longer the case. Shared communication networks and information exchanges over public
networks are becoming more prevalent. This trend allows systemic attacks to be
considered by non-trusted parties (for example hackers, downsized employees, or terrorists).
This trend, and the large amount of technology available to be employed in an attack,
portends an increased probability of more attacks, several of which will be successful.
NOTE There is little publicly available information on which to derive models of threats and attacks for the future.
However, the lack of this information does not mean that attacks are not occurring but rather that the utilities either
do not have the processes in place to detect the attack or that information about such attacks is not publicly
disclosed. Additionally, the trend towards increased probability of attacks can be projected due to increased
financial motivation (for example due to deregulation) and the ease of conducting attacks (for example due to
technology advances).
Unlike the military, most users of computer/utility information systems and protocols are
largely unaware of the potential threats to their information and infrastructure. Worse yet, the
users are sometimes aware but do not place importance on addressing the known security
risks. Currently, the number of incidents (detected attacks) is relatively low. However, there is
an increase in detected attacks and critical infrastructures (for example gas, water, and
electric) have been proven to be extremely vulnerable.
There are several ways in which to view security issues, and this document deals with
communication security only. It does not deal with aspects of security relating to informational
security within a computer system, but rather with only informational security aspects when
information is being transferred via a protocol specified within IEC Technical Committee 57.
5.1 How to use this report
This report is intended to present recommendations to IEC Technical Committee 57 and its
working groups. The work should be viewed as the foundation upon which new work items
may need to be commissioned. The work should not be viewed as complete.
Additional consideration should be given to establishing strong liaisons with other IEC
Technical Committees so that the work and recommendations set forth in this report can be
considered.
6 The security analysis process
The recommendations in this report will have a direct impact on the normal corporate security
processes and must be constructed in a manner consistent with this process. Therefore it is
important to understand the typical corporate security process requirements and their impact
on the scope of this report.
[Figure 1 (IEC 1447/03): process diagram. Recoverable labels: "Start here" at Corporate security policy; Network security (IT, others); Application security (IT, developers, and vendors); Secure network devices (Vendors); Active audit (Developers, vendors).]
Figure 1 – Normal corporate security process
Figure 1 depicts what is typically considered to be the normal corporate security policy that
should be implemented in order to create a relatively “secure” corporate infrastructure. The
figure clearly shows that in order to create a secure corporate infrastructure, corporate
security policy must be developed and adopted by the management of the corporation first.
The corporate security policy rules will deal with a definition and assignments of the security
domains, security domain authority(s), security auditor, and accountability. Additionally, these
policies typically dictate the acceptable residual risk once the corporate policies are translated
into actions and implementation. It is clear that corporations will develop policies, which may
or may not rely upon the recommendations within this report.
However, it is within the scope of this report to inform corporate management as to threats
and consequences that are relevant to protocols being addressed by this report. Therefore,
corporate security policy should review the following parts of this report:
a) Definitions (see 4.1): this will be useful in constructing a consistent vocabulary.
b) Specific threats to be considered in PP (see 7.2.3): this lists the set of threats, and their
definitions, that are being addressed within the scope of this report.
c) Vulnerabilities (see Clause 8): this deals with the set of communication system vulnerabilities
that are known to exist in the communication protocols addressed within the
scope of this report.
d) The security analysis process (see Clause 6): this may prove of interest to the corporate
policy writers; however it is more typically of interest to other parts of the corporate
security policy team.
Corporate policies tend to be at an objective level and therefore the clauses of interest should
be used to help formulate objectives and to inform corporate management. However, such
corporate objectives are translated into implementation strategy and policies in the network
security, application security, and secure network devices processes.
Application security deals with the end-to-end application level security issues. There needs
to be strong and clear guidance on security procedures such that usage of host computer
applications is appropriately restricted, maintained, and audited. This report is neutral in
regards to the technologies and methodologies used to secure host based applications.
Network security, within the corporate security process, typically deals with firewalls and sub-network
access. Security policies in this domain must address the issues of access privileges
from one sub-network to another. This report has no direct impact on the network security
corporate policy process.
However, there is a strong relationship between the user of applications and the privileges
that are granted through remote communications to end devices/applications. Therefore it is
important in developing security policies, to consider the following issues:
a) Certain applications may need to have security privileges determined based upon which
host computer/terminal is being used for the execution of the application.
EXAMPLE In the case of a SCADA master, it may be allowed that any authenticated
terminal/user is able to view SCADA information. However, only terminals located within
a physically secure (for example control centre) environment may have privileges to
actually control remote devices/applications or change configurations.
In the above example, even if the user of the application has appropriate privilege, the
user’s privileges are further restricted based upon the terminal/application execution host.
b) It is rare, but applications may need their own security policies established.
This is particularly true for shared applications (for example NT services) which
may or may not be able to determine the user of the application.
Therefore, the recommended hierarchy to be considered in constructing an application
security policy is:
a) Can user authentication be achieved and translated into usable information by remote
applications?
b) Can the location of the user authentication be determined?
c) Can the network location of the application execution be determined?
The most secure (from a communication perspective) is to have application security policies
developed in which the remote device/application authenticates the application user and not
only the node used for the connection.
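An added example, not taken from the report, of how the hierarchy above and the SCADA master EXAMPLE under a) can be enforced in the remote application: a privilege is granted only when both the authenticated user's role and the terminal the request arrives from permit it, and a request for which either fact cannot be determined is refused. The role table, the control-centre address range, the action names and the function names are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Assumed: the control centre LAN is the only physically secure terminal location.
CONTROL_CENTRE_NET = ipaddress.ip_network("10.20.0.0/24")

# Assumed role table: operators may control, viewers may only view.
USERS = {"alice": "operator", "bob": "viewer"}


@dataclass(frozen=True)
class Request:
    user: Optional[str]         # None: no usable user authentication reached the remote application (step a)
    terminal_ip: Optional[str]  # None: location of the terminal/authentication unknown (steps b and c)
    action: str                 # "view", "control" or "configure"


def authorise(req: Request) -> Tuple[bool, str]:
    """Decide a request with privilege = f(user role, terminal location).

    The reason string is returned so that it can be written to the audit trail."""
    # Step a): can the user's authentication be translated into something usable here?
    if req.user is None or req.user not in USERS:
        return False, "deny: user not authenticated"
    role = USERS[req.user]

    if req.action == "view":
        # Any authenticated terminal/user may view SCADA information.
        return True, "allow: authenticated user may view"

    if req.action not in ("control", "configure"):
        return False, "deny: unknown action"

    # Control and configuration require the operator role ...
    if role != "operator":
        return False, "deny: role lacks control privilege"

    # ... and a terminal whose location can be determined (steps b and c) ...
    if req.terminal_ip is None:
        return False, "deny: terminal location unknown"

    # ... and that location must be inside the control centre. An operator's own
    # privilege is not enough on a terminal elsewhere.
    if ipaddress.ip_address(req.terminal_ip) not in CONTROL_CENTRE_NET:
        return False, "deny: privileged user on terminal outside control centre"

    return True, "allow: operator on control-centre terminal"


if __name__ == "__main__":
    for r in (
        Request("bob", "192.0.2.10", "view"),
        Request("alice", "192.0.2.10", "control"),  # right user, wrong place
        Request("alice", "10.20.0.5", "control"),
        Request("alice", None, "configure"),
        Request(None, "10.20.0.5", "view"),
    ):
        print(r, "->", authorise(r))
```

The terminal address is only as trustworthy as the path it travelled, which is why the report prefers that the remote device authenticate the application user and not only the node; the check above still refuses to grant control on an unknown or non-control-centre location even to a fully privileged user.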
Secure network devices: This Technical Report deals with issues, technologies, and recommendations
that may allow increased security on utility “networked” devices. For the purposes
of this report, “networked” is defined as any device that can communicate.
It is imperative that the reader of this report be advised that the overall security of the
communication system will be determined by the degree of security in the networked device.
This is in a large part due to the fact that the device is the source of most information and is
the entity that can directly impact the utility business operations (for example opening a
breaker causing a power outage). It is therefore important that these devices be capable of
authenticating the access level of users. Additionally, it is even more important that these
devices be able to be part of an audit process so that attacks can be detected, countered, and
prosecuted in an expeditious manner.
This is also the area where most utilities will not desire to spend any additional money.
However, education and this report will address many of the issues and make a compelling
statement as to why the current implementations are not sufficient.
Active audit: any set of security policies and implementations must be continuously
monitored and adapted as part of the continuous corporate security process. Without the
ability to audit and analyse security attacks and system operations and weaknesses, a secure
system will eventually become non-secure.
In order to have an active audit process and a continuous corporate security process,
personnel must be dedicated to this task. Therefore, utilities will need to be educated as to
the risks associated with not taking such action. It is difficult, if not impossible, to prove cost
benefit of such a process until there has been a successful attack. Justifications will need to
be based upon the potential “risked” costs if a security process is not implemented.
All parts of the process need to be closely looked at and tailored to a particular environment.
But all aspects need to be analysed and addressed in some regards.
6.1 Network topologies
There are many different ways in which to view the communication topologies. From a high
level, an analysis of the information flow between sources and consumers of information is
needed.
[Figure 2 – Business information flow (IEC 1448/03). Entities shown: Customer (Account and business activities; Measure and control), Third parties (Power-brokers, Metering services, Others), Utility business functions, Utility control functions (Generation, Transmission, Distribution, Quality).]
Figure 2 – Business information flow

There are several major business entities shown in Figure 2. These are:
a) Customer – this business entity represents the consumer of electrical power and
services. There are several aspects to the types of services that the customer expects
to have delivered as part of power delivery ranging from billing to power quality control.
The customer typically expects the following services:
1) Account and business activities: These include customer service, billing, and power
procurement (brokering). The current method by which information is exchanged
between these activities is typically by telephone, fax, or email. However, the trend in
the industry is to provide these through the use of Internet technologies or other e-
commerce type of mechanisms.
Additionally, these are now not only provided by utility business functions but also may
be provided by third parties. In many situations, these two competing organisations
may be exchanging information with the same customer over the same information
infrastructure.
2) Measurement and control activities: these activities are mainly concerned with
communication that allows control of the supply and quality of power delivered to the
end customer. This activity is the responsibility of the local distribution utility even
though third parties may be mandated to monitor revenue-metering information.
b) Third parties – the trend towards deregulation of the utility industry has given rise to
business entities that broker power, perform third party meter reading and billing, and
offer other services. These third parties exchange information with the customer, utility
business functions, and potentially monitor revenue meters and power quality directly.
c) Utility business functions – these provide information to customers and to third parties
(as required by law). In a deregulated environment, portions of these activities may need
to be viewed as if they are the equivalent to third parties.
d) Utility control functions – these are the typical SCADA, EMS, and DMS functions that
are provided today. The control functions encompass any activities that determine the
generation, distribution, or quality of the power product. The communication activities
span distribution automation, utility to utility, utility to substation, utility to generation, and
others.
It is a subject of this report to determine the types of communications used (within the scope
of IEC Technical Committee 57), and the impact of threats upon this technology. However,
many of the threats deal with weaknesses in the communication architecture and topology. At
the highest level, shown in Figure 2, any interface point directly or indirectly between
business entities offers a high probability for a security-related event to occur. However, in
order to protect the information available at such points, and in order to recommend
appropriate security policy rules, the actual communication topologies of such interfaces
need to be discussed.
The customer, as shown in Figure 2, actually has two major interface points to potentially
three different business entities. The topologies employed for the account and business
activities function will typically be based upon e-commerce or Internet
technologies/topologies, whereas the measure and control function represents a topology
that is similar to the quality, distribution, transmission, generation, and substation topologies
used by utilities.
[Figure 3 – General communication topology (IEC 1449/03). Shown: an interface point on the primary communication path to n devices (1 interface : n devices), with optional secondary communication paths.]
Figure 3 – General communication topology
Figure 3 shows a primary communication path to one or more devices/sources of data and
optional secondary communication paths. Any of these paths may be interfaces where
security threats may be introduced. Each interface point, even to the actual device, needs to
be evaluated for its risk. As part of the security analysis, protocols and communication media
also tend to impact the risk. It is the scope of this report to determine the exposure to major
threats, based upon these factors, and to develop recommendations for baseline controls
based upon this analysis.
6.2 User consequence based analysis
It is clear that the importance of the information, and thereby the amount of effort that a
company is willing to expend to protect that information, is an extremely subjective view. The
importance is determined by the entity or stakeholder based upon the consequences to the
stakeholder's business or interests of a successful attack. Therefore, a methodology of
security analysis based upon stakeholders and consequences has been developed.
6.2.1 Stakeholders
The definition of a stakeholder is any entity whose business processes can be impacted
through a successful security attack. The stakeholder categories, for the purposes of this
Technical Report, which can be identified in Figure 2, are:
a) Generation company (GENCO) – these are business entities whose end product is electric
power. These stakeholders typically have large capital investments in generation facilities.
b) Transmission company (TRANSCO) – these are business entities whose end product is
the delivery of electric energy, produced by a GENCO. The delivery of the energy is
typically to a DISCO. A TRANSCO is typically a customer of a GENCO.
c) Distribution company (DISCO) – these are business entities whose end product is the
delivery of electric energy to the customer. These stakeholders have assets and
communication requirements that span large geographic areas and service multiple
customers. A DISCO is a customer of a TRANSCO.
d) Data aggregator – these are business entities that process customer metering data in bulk
by aggregating it for each supplier so that it may be used to calculate payments owed to
each GENCO, TRANSCO, and DISCO for the use of their energy and transport facilities.
e) Meter service provider – these are business entities that provide services to install and
maintain (meter operation) and also read (data collection) customer’s meters.
———————
The definition and delineation of stakeholders and business processes may be region specific. Check with the
appropriate regional regulatory authority for details.

f) Supplier – these are business entities which purchase electricity on the wholesale market
and sell it to end customers. They operate without the geographical restriction of owning a
network and pay a use-of-system charge to distribution companies.
g) Risk management market participant – these are business entities that sell, trade, broker
or otherwise participate in markets for derivative financial instruments. Examples of these
are futures, options, hedging, options on futures, swaps, or other securities that are
created and traded. The objective of these is to manage the risk of price fluctuation and
other contingencies of electric energy associated with forward contracts for purchase and
sale of electric energy.
h) End customer – is a business entity or individual that purchases energy or utility services
and needs to verify that contractual commitments are being fulfilled.
Each stakeholder may require information from one or more business activities. Therefore, a
matrix of such activities has been developed in order to determine the areas of analysis that
this report should focus upon.
Table 1 shows the considered matrix of generic stakeholders and business processes. The ‘x’
indicates that a specific stakeholder requires or provides information relevant to a particular
business process. Regional variations of stakeholders or business processes may be formed
through a combination of these categories.
The fact that stakeholders do not map one-to-one to business organisations is critical to the
understanding of Table 1. For example, it might appear that an ‘x’ should be placed in the box
at the intersection of the tertiary asset leveraging row and the DISCO column, since a
business organisation serving as a DISCO would be interested in leveraging its distribution
lines (for example, by carrying message traffic). However, the activity of serving a message-
transfer market is a supplier activity rather than a DISCO activity. Thus, the ‘x’ is placed in the
supplier column rather than the DISCO column, even though the business organisation might
be thought of as a DISCO rather than a supplier.
Table 1 – Matrix to determine business process importance
Stakeholder columns: GENCO, DISCO, TRANSCO, DATA (aggregator), METER (service provider), SUPPLIER, RISK MNGT. (market participant), END CUST.
Business process rows, with the ‘x’ marks as they appear on the page (the column each mark belongs to did not survive extraction):
Buying and/or selling of energy: x x x x
Generation of power (includes power quality): x x x x x x x x
Transmission of energy (includes power quality): x x x x x x
Distribution of energy (includes power quality): x x x x x x
Measurement of trading (revenue metering): x x x x x x x
Asset management: x x x x
Energy conservation: x x x x x
Information mining: x x x
Tertiary asset leveraging (a): x x
Risk management: x x x x
a  An example of this is offering internet connectivity over the resources used for other business processes.
Based upon an analysis of stakeholder concerns and business processes, the most important
business processes to secure are:
– generation of power,
– transmission of power,
– distribution of power,
– measurement of trading,
– asset management,
– energy conservation.
6.3 Consequences to be considered
In order to perform a consequence based security analysis, the major consequences of
concern to the stakeholders and their respective business practices need to be determined. In
regards to the set of business processes, which are recommended to be the focus of further
security work withi
...
