Substations

Cyber security considerations for Substations

Dietmar Marggraff
14 min read · Mar 27, 2023

Substations: the often large steel installations with what look to be far too many cables, right? Surely we just need to connect all of the cables together at one central point? Well, not quite, and that is exactly what we will explore in this post, along with some of the fundamental concepts related to substations and what the critical processes may be.

Feel free to explore some of the other topics we have covered in this series including Process Control, Coal Power Stations, and Open Cycle Gas Turbines.

Security consideration: throughout this post you will find these security 
considerations. These are used to highlight some of the important processes
that may be worth considering from a security perspective. This is not an
all-encompassing analysis, though, so try and keep the following questions
in mind when reading the post -
[1] Is this a critical process that may be worth protecting?
[2] What should we do to protect the system?
* Disclaimer: this information should not be used for nefarious or unauthorised
purposes but rather as an educational tool (see the Welcome post of this
blog).

Overview

From the outside, a substation often just looks like a mess of wires and some other components with wires sticking out of them. However, a substation is a carefully designed network of components that allows it to fulfill its purpose of switching and distributing electricity.

A substation is mainly comprised of the following equipment: switchgears, transformers, and capacitors. Oftentimes, a substation will also have a control house that contains the following equipment: protective relays, communication equipment, alarms, and meters (monitoring equipment). A substation will contain a ground mat which in most cases is a grid of conductors below the surface (it may look like the rebar which is used in a foundation) and is then connected to the equipment to provide a grounding point in the case of short circuits. However, there is a lot more to a substation, so let us explore it below:

Switchgears

A switchgear is a general term used for equipment that switches and interrupts electricity. A switchgear can be used to disconnect equipment for maintenance purposes. However, a switchgear can also perform a preventative function i.e. to isolate equipment when a fault occurs. Essentially, a switchgear is simply a piece of equipment that disconnects two conductors. Switchgears can take various forms:

Circuit breakers: a circuit breaker's primary purpose is to disconnect equipment when under load due to some fault condition (substation circuit breakers are simply larger versions of the circuit breakers you will find in your house). Circuit breakers contain equipment that is used to sense the conditions on the line. When a fault is detected, the trip coils of the circuit breaker are activated triggering the disconnect process.

Some circuit breakers will include reclosing relays that close the breaker after a pre-determined amount of time after which the line condition is verified again. Figure 1, below, provides a schematic of an Oil Circuit Breaker (OCB). The contacts move down to interrupt the connection between the conductors after which an arc is generated which is extinguished by the dielectric mineral oil along with the arc control device.

Figure 1: Oil Circuit Breaker (OCB) components.

Side Note: it may also occur that the trip circuit contains a fault (in which case the breaker will not trip when it needs to). A lamp is commonly connected in series with the trip circuit i.e. if the lamp is shining, the circuit is working correctly. More modern equipment may also be in use, especially for remote substations.

Security consideration: damage could occur if a circuit breaker is tripped
without a use case or not tripped when a use case is present. Both conditions,
under-/overload respectively, could cause damage.

Figure 2, below, shows what an OCB may look like in real life. Various other types of circuit breakers are available including, but not limited to:

  • Air blast: uses a pressurised blast of air to stretch the arc and cool it down.
  • Gas blast: uses a blast of SF6 gas along with compressed air to perform the same function as the air blast type described above.
  • Vacuum: since there is no conducting material, the arc is extinguished.
Figure 2: Oil Circuit Breaker (OCB).

Circuit breakers are rated according to various parameters including maximum continuous current and voltage (the maximum conditions under which a circuit breaker can be expected to operate for continuous periods of time). The maximum interrupting current defines the maximum current under which a circuit breaker can be expected to trip. If the current exceeds this rating, the arc may be too large to extinguish resulting in the inability to interrupt the current i.e. the circuit breaker fails and equipment may be damaged.

There are a number of additional parameters that are considered to be out-of-scope. However, the purpose of these parameters is to stimulate the imagination with regard to the operating limits of circuit breakers.

Load break switches: these components can be used to interrupt current but do not contain fault detection capabilities. Load break switches are typically less expensive than circuit breakers and are subsequently installed in such a way that they can be used for maintenance but are not critical in the sense that they are needed for emergency isolation. Load break switches are mechanical devices that essentially contain an arm (blade) that needs to be moved away from the other conductor (resulting in an arc in the air). Figure 3, below, highlights the arm that, in this case, moves vertically to disrupt the current.

Figure 3: Load break switch.

Disconnect switches: disconnect switches are used for safety purposes once a circuit breaker or load break switch has been opened. Disconnect switches are subsequently used to isolate components. They can take a similar form to load break switches including a horizontal or vertical blade that physically disconnects two conductors. They can be operated manually, automatically, or by a protective relay. A special type of disconnect switch is the ground switch which provides a good connection to ground when equipment needs to be worked on. Another special type is a circuit switcher which can be used to switch capacitors and reactors.

Figure 4: Disconnect switch.

Side Note: when switchgears perform the function of disconnecting two conductors, an arc typically occurs which simply looks like sparks between the two conductors. Whilst arcs may look cool, they can lead to very dangerous conditions which is why switchgears often make use of a form of dielectric (e.g. air or oil) to extinguish the arc as quickly as possible. The video below highlights what an arc may look like:

Disconnect switch arcing.

Security consideration: halting of an automatic circuit breaker before the
arc has been extinguished could cause the arc to continue to flow potentially
damaging equipment.

Reactive Power

Before we get to the rest of the interesting components, we are going to use the term VARs frequently, so it may be worthwhile getting a bit of theory out of the way. Without going into too much detail, we have previously discussed how electricity is often transmitted in three phases. In this case, we were describing voltage phases. However, the current can also be out of phase and when this occurs, we get reactive power. Reactive power is measured in Volt-Amperes Reactive (VAR) as opposed to real power which is measured in Watts (W).

How is reactive power realised? Well, if we consider a motor (inductive load), the power that magnetises the coil but does no actual work is called reactive power (the real power is the power that turns the motor). The magnetic field that is generated is later broken down again (during a power cycle) and is returned to the grid.

Side note: since VARs are returned to the grid, they need to be monitored and managed as well, using the techniques discussed below. Extra VARs result in more current traversing the grid and so to dissuade consumers from presenting high-VAR loads to the system, power companies may enforce penalties if the VAR limits are exceeded. Excessive VARs on the network may damage equipment which is why they need to be monitored/managed.

Non-Switchgear components

  • Capacitors: at a high level, capacitors are devices that store charge. This can be used for voltage regulation (maintaining the voltage) and power factor correction. Capacitors store and release reactive power at opposite cycles to the load which means that they can absorb and provide VARs if need be. Additionally, they can be used to couple high-frequency communication signals with low-frequency voltage signals and to remove them again (filter).
  • Reactors: reactors are devices (coils) that are connected between a conductor and ground in order to absorb VARs (shunt inductors/reactors). Shunt reactors are often connected to the ends of long transmission lines to reduce the voltage rise produced by the shunt capacitance of long transmission lines. Reactors can also be placed in series with lines to limit fault current magnitude. Figure 5 highlights what a shunt reactor may look like.
Figure 5: Shunt reactor.
  • Synchronous condenser: “a synchronous condenser changes the power factor of a system by generating or absorbing VARs”. If the voltage increases above a certain threshold, the synchronous condenser will act like a reactor to absorb VARs. If the voltage decreases below a certain threshold, the synchronous condenser will act like a capacitor and supply VARs.
Security consideration: if the sensors/systems which measure VARs output the
incorrect values, equipment may be damaged. This could include (1)
indicating more VARs than are present or (2) indicating fewer VARs than are
present, both of which could cause systems to under-/overcompensate
respectively.
  • Lightning arresters: lightning arresters protect a substation from large spikes in voltage (e.g. from a lightning strike). These are components that have a direct connection to ground and a high enough resistance that under normal operating conditions, current does not flow to ground. Figure 6, below, highlights a range of lightning arresters. Typically lightning arresters will contain an air gap (to allow high voltage surges to reach ground), resistance (to prevent normal line voltages from short-circuiting to ground), and a connection to ground.
Figure 6: A range of lightning arresters.

Side Note: sometimes substations will have long wires that span across the top. These are also used to catch lightning and divert it to ground before it reaches the equipment.

  • Wave Trap: wave traps have the primary purpose of blocking high-frequency signals (> 50 Hz/60 Hz). As discussed further below, communication signals are often superimposed on the normal voltage signal, which, if allowed to reach the substation components, could damage them. Figure 7 highlights what a typical wave trap may look like.
Figure 7: Wave trap.
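The security consideration on VAR measurements above, as an added example that is not part of the original post: it recomputes real and reactive power from one cycle of voltage and current samples and classifies a reported VAR reading against that value. The function names, the 5% tolerance and the sample feeder values are assumptions constructed for illustration.

```python
import math

def power_from_samples(v, i):
    """Return (P, Q, S) from one full cycle of evenly spaced v and i samples."""
    n = len(v)
    if n != len(i) or n == 0 or n % 4:
        raise ValueError("need equal-length, one-cycle sample lists, length divisible by 4")
    # Real power: mean of the instantaneous product v*i.
    p = sum(a * b for a, b in zip(v, i)) / n
    # Reactive power: same product with the voltage delayed a quarter cycle.
    # Positive Q means the current lags the voltage (inductive load).
    q = sum(v[(k - n // 4) % n] * i[k] for k in range(n)) / n
    # Apparent power: Vrms * Irms.
    s = math.sqrt(sum(a * a for a in v) / n) * math.sqrt(sum(b * b for b in i) / n)
    return p, q, s

def check_var_reading(reported_q, v, i, tolerance=0.05):
    """Classify a reported VAR value against Q recomputed from the waveforms."""
    _, q, s = power_from_samples(v, i)
    error = reported_q - q
    if abs(error) <= tolerance * s:      # tolerance is an assumed fraction of S
        return "consistent"
    return "over-reported" if error > 0 else "under-reported"

def capacitor_vars_needed(p, q, target_pf):
    """VARs a capacitor bank must supply to bring a lagging load to target_pf."""
    return q - p * math.tan(math.acos(target_pf))

def one_cycle(v_rms, i_rms, lag_deg, n=64):
    """Constructed test waveforms: current lags voltage by lag_deg degrees."""
    phi = math.radians(lag_deg)
    v = [v_rms * math.sqrt(2) * math.sin(2 * math.pi * k / n) for k in range(n)]
    i = [i_rms * math.sqrt(2) * math.sin(2 * math.pi * k / n - phi) for k in range(n)]
    return v, i

if __name__ == "__main__":
    v, i = one_cycle(6350.0, 100.0, 30.0)          # constructed single-phase feeder
    p, q, s = power_from_samples(v, i)
    print(f"P={p:.0f} W  Q={q:.0f} var  S={s:.0f} VA  pf={p / s:.3f}")
    for reading in (317_500, 100_000, 500_000):    # constructed meter readings
        print(reading, check_var_reading(reading, v, i))
    # A reading that understates Q also understates the correction required.
    print(f"{capacitor_vars_needed(p, q, 0.98):.0f} var needed using the recomputed Q")
    print(f"{capacitor_vars_needed(p, 100_000, 0.98):.0f} var needed using the low reading")
```

With the low reading the computed correction goes negative, so no capacitors would be switched in and the load stays under-compensated.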

Bus

Now that we have discussed various components in the substation, the question that may come to mind is: how do we connect these components together? Well, we can do this by means of buses.

The bus(es) of a substation are analogous to a highway (motorway) with onramps and offramps signifying the connections of the bus where electricity is added or tapped off. Figures 8 and 9 highlight what a bus may look like in practice and from a schematic perspective respectively. Five general bus configurations exist, namely (1) single bus, (2) main and transfer bus, (3) ring bus, (4) breaker-and-a-half, and finally, (5) double bus-double breaker.

Figure 8: Bus.
Figure 9: Basic Bus configuration.

If we consider the different bus configurations:

  • Single Bus: each line is connected to the bus with one circuit breaker as shown in Figure 10. If the circuit breaker trips, electricity does not flow to the line. This configuration is the least reliable as the maintenance of a breaker, for example, results in the line having to be disconnected.
Figure 10: Single Bus configuration.
  • Main and transfer bus: this configuration attempts to increase reliability by providing a ‘bypass’ bus which can be used for maintenance purposes as seen in Figure 11.
Figure 11: Main and transfer bus configuration.
  • Ring bus: analogous to a ring network (in computer networking) except that multiple breakers are employed so that if one is unavailable, the network can continue to operate. This configuration is highlighted in Figure 12. In this case, only one circuit should be connected between two breakers. During a fault, the two breakers connected to the circuit trip, isolating the circuit.
Figure 12: Ring bus.
  • Breaker-and-a-half: as opposed to the ring configuration, each circuit is only protected by 1 1/2 breakers and not two as seen in Figure 13. Maintenance can be performed on any single breaker without affecting the electricity supplied to the individual circuits.
Figure 13: Breaker-and-a-half configuration.
  • Double bus — double breaker: each circuit is connected to two buses via two breakers as seen in Figure 14. If a fault occurs, both circuit breakers trip and the reliability of the bus is preserved.
Figure 14: Double bus-double breaker configuration.
Security consideration: opening circuit breakers without a use case may either
disrupt service for clients or cause an overload condition potentially
damaging equipment. In the Double bus - double breaker configuration, for
example, if the buses have not been designed to handle all circuits, an
attacker may attempt to trip all top breakers to force all of the load onto
the lower bus.
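One way to guard against the overload condition described in this security consideration, as an added example that is not part of the original post: a check that evaluates each breaker-open request against the bus ratings before it is executed. The model is a simplification (a circuit connected to both buses is assumed to split its current evenly), and the circuit names, currents and ratings are constructed.

```python
from dataclasses import dataclass, replace

@dataclass
class Circuit:
    name: str
    amps: float                 # current the circuit carries
    top_closed: bool = True     # breaker to the top bus
    lower_closed: bool = True   # breaker to the lower bus

def bus_loading(circuits):
    """Amps per bus; a circuit on both buses is assumed to split evenly."""
    load = {"top": 0.0, "lower": 0.0}
    for c in circuits:
        closed = [b for b in load if getattr(c, f"{b}_closed")]
        for b in closed:
            load[b] += c.amps / len(closed)
    return load

def check_open(circuits, ratings, name, bus):
    """Evaluate a request to open one breaker without changing the live state."""
    if bus not in ratings:
        return False, f"unknown bus {bus!r}"
    trial = [replace(c) for c in circuits]          # work on a copy
    target = next((c for c in trial if c.name == name), None)
    if target is None:
        return False, f"unknown circuit {name!r}"
    setattr(target, f"{bus}_closed", False)
    if not (target.top_closed or target.lower_closed):
        return False, f"{name} would lose both bus connections"
    for b, amps in bus_loading(trial).items():
        if amps > ratings[b]:
            return False, f"{b} bus would carry {amps:.0f} A, rating {ratings[b]:.0f} A"
    return True, "within bus ratings"

def run_sequence(circuits, ratings, requests):
    """Apply each allowed request in order and return every decision."""
    decisions = []
    for name, bus in requests:
        ok, reason = check_open(circuits, ratings, name, bus)
        if ok:
            live = next(c for c in circuits if c.name == name)
            setattr(live, f"{bus}_closed", False)
        decisions.append((name, bus, ok, reason))
    return decisions

if __name__ == "__main__":
    # Constructed station: four 400 A circuits, buses not rated for the full 1600 A.
    feeders = [Circuit(f"C{n}", 400.0) for n in range(1, 5)]
    ratings = {"top": 1100.0, "lower": 1100.0}
    requests = [("C1", "top"), ("C2", "top"), ("C3", "top"), ("C1", "lower")]
    for decision in run_sequence(feeders, ratings, requests):
        print(decision)
```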

Control House

Alright, so now that we have covered a lot of the technical equipment that a substation is comprised of, we can get to the more exciting themes, namely, the control surfaces. Here again, we have a number of different components/systems:

  • Control Panels: some equipment needs to be operated/monitored manually. This can be done with the use of control panels. Control panels may include the following functionality: switches to operate circuit breakers, status lamps (breaker and trip circuit position), alarms, and meters. Figure 15, below, highlights a transmission line relay panel.
Figure 15: Transmission line relay panel.
  • Station Battery: a station battery is a DC source that is used to power the control surfaces including components like the trip circuits. The batteries are, in turn, charged through a charging circuit by the AC power supplied to the substation. Figure 16, below, highlights what these substation batteries may look like.
Figure 16: Substation batteries.
  • RTUs: Remote Terminal Units are devices that can be used to read/write data from/to remote sources. If a substation does not have personnel on site 24/7 they can use RTUs to communicate with the larger Supervisory Control And Data Acquisition (SCADA) system. Operators can view critical values such as voltage and current and provide commands to change conditions.
Security consideration: processes could be manipulated through the 
changing of information that is transmitted to/received from the RTU.
  • PLCs / HMIs: Programmable Logic Controllers are often used to control larger equipment such as circuit breakers. Instead of traditional electro/mechanical line reclosers, PLCs can be used to add more logic to the process e.g. the circuit breaker only closes after it senses the line has been re-energized. The Human Machine Interface (HMI) is simply an interface system for PLCs and RTUs. Figure 17 highlights what an HMI screen may look like even though it should be noted that they can also just be displayed on a normal computer screen.
Figure 17: HMI screen.

Side Note: the difference between PLCs and RTUs generally lies in their application. RTUs are specifically used for remote use cases and are subsequently often low-power devices and are only used to perform limited input/output operations. Furthermore, RTUs often communicate wirelessly with a SCADA system. PLCs, in turn, are generally high-powered computing devices that are physically wired to a SCADA system. They do not focus on low power consumption and are used to perform larger I/O operations such as controlling valves/pumps.

Security consideration: the switching of switchgears without a use case could
result in unintended consequences. These consequences could include over-/
underload conditions that damage equipment or cause service disruptions.
  • Fault recorders: fault recorders log critical system values such as voltage/current when a fault occurs. Sequences-Of-Event recorders record (often down to the millisecond) the order in which events occurred.
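The Sequence-Of-Event records described above can be used to check the two breaker conditions raised in the security considerations (a breaker that opens without a use case, and one that does not open when it should). The following is an added example, not part of the original post; the log format, event names and the one-second correlation window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed SOE records: timestamp, breaker, event.
SOE_LOG = """\
2023-03-27T10:15:02.120 CB1 RELAY_TRIP
2023-03-27T10:15:02.165 CB1 BREAKER_OPEN
2023-03-27T11:40:10.000 CB2 OPERATOR_OPEN_CMD
2023-03-27T11:40:10.350 CB2 BREAKER_OPEN
2023-03-27T13:05:44.900 CB3 BREAKER_OPEN
2023-03-27T14:22:31.010 CB4 RELAY_TRIP
"""

# Events that legitimately explain a breaker opening (assumed names).
CAUSES = {"RELAY_TRIP", "OPERATOR_OPEN_CMD"}

def parse(log):
    """Turn log text into a time-ordered list of (timestamp, breaker, event)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, breaker, event = line.split()
        events.append((datetime.fromisoformat(ts), breaker, event))
    return sorted(events)

def audit(events, window=timedelta(seconds=1)):
    """Return (breaker, finding) pairs for operations the log cannot explain."""
    zero = timedelta(0)
    findings = []
    for idx, (ts, breaker, event) in enumerate(events):
        if event == "BREAKER_OPEN":
            # Look back for a trip signal or operator command on the same breaker.
            explained = any(b == breaker and e in CAUSES and zero <= ts - t <= window
                            for t, b, e in events[:idx])
            if not explained:
                findings.append((breaker, "opened without a trip signal or operator command"))
        elif event == "RELAY_TRIP":
            # Look ahead for the breaker actually opening.
            opened = any(b == breaker and e == "BREAKER_OPEN" and zero <= t - ts <= window
                         for t, b, e in events[idx + 1:])
            if not opened:
                findings.append((breaker, "trip signal but breaker did not open"))
    return findings

if __name__ == "__main__":
    for breaker, finding in audit(parse(SOE_LOG)):
        print(breaker, finding)
```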

Side Note: whilst we have only covered components such as PLCs and RTUs in a couple of sentences, these are highly critical components since they provide us with an interface between the mechanical and electronic realms.

Advanced Components

The US Occupational Safety and Health Administration (OSHA) provides us with a pretty comprehensive overview of the components we can expect in a substation. We have already covered a few but as one can imagine, a substation contains many more components than circuit breakers and transformers:

  • Bus support insulators: the bus needs to be supported by a structure but cannot be directly connected to this structure. Ceramic insulators ensure that the bus is not permanently grounded (these are similar in function to the ones used in transmission lines).
  • Converter stations: converter stations convert AC to DC and can be used to interface with the battery bank among other uses.
  • Frequency converter: a frequency converter is used to change the frequency of an AC signal whilst, in general, keeping the voltage and phase the same. This is performed by a motor-generator set e.g. the incoming electricity powers a motor which in turn powers a generator.
  • Grounding transformer: provides a ground point for three-phase systems in either wye or delta configuration.
  • Potheads: these devices, as seen in Figure 17, below, are used to connect ground wires with overhead lines.
Figure 17: Potheads.
  • Power-line carrier: communication equipment is used to superimpose a high-frequency signal on top of the normal voltage signal to allow for the transmission of information.
Security consideration: the national grid centre could, for example, 
request more generation capacity from a power plant. If the message to
increase the requested generation amount is incorrect, the supply/demand
balance could be disrupted potentially resulting in damage to equipment.
  • Relays: relays are low-power devices that are used to switch high-power devices such as circuit-breakers. The output of a PLC, for example, does not supply enough current to switch a circuit breaker so a relay is used instead.

Conclusion

Figure 18, below, provides a labeled diagram of a very basic substation. Hopefully, with the information we have learned in this post, we can identify most of the components.

Figure 18: Basic substation.

This post contained a lot of information about substations, their components, and how they operate. You may be asking yourself: how is this relevant to cyber security? Well, remember that in contrast to generation components, substations are often unmanned and find themselves in remote locations. Furthermore, nowadays, substations can be configured remotely. Finally, since they are essentially single points of failure, they could be a prime target for an attack.

Based on the information we have learned today, which systems do you think an attacker may target and how? Can we use this information to better protect our Substations?

Security consideration: we managed to identify several security 
considerations throughout this post. Nevertheless, we may have missed
something. Feel free to leave a comment with additional considerations!

Side Note: whilst writing this post I noticed that terms are occasionally used interchangeably (especially in the switchgear literature). Feel free to let me know if I have not described a component correctly.
