Cybersecurity For Balancing Authorities

Secure Communications With Partner Utility Iccp Servers
Cybersecurity For Balancing Authorities
Customer/ Partner:

North American Balancing Authority.

Customer Requirement:

Protect Energy Management System (EMS) control systems from potential attacks emanating from partner utility networks.

Waterfall’s Unidirectional Solution:

Physically secures Balancing Authority and Transmission System Operators EMS networks from remote cyber attacks, ensuring safe ICCP connections to partner utilities.

The Growing Challenge Of Securing The Power Grid

Balancing Authorities (BA) and Transmission System Operators (TSO) rely on continuous communications with partner utilities to balance power generation against load in real time. Central authorities have no way to be confident of the cyber security posture at any of their connected partner sites, yet these authorities are required to protect their Energy Management Systems against cyber attacks. It is vital to the reliable operation of the power grid that Balancing Authority and Transmission System Operator EMS and SCADA systems are protected from attacks originating in wide-area networks and in potentially-compromised partner networks.

The Challenge icon
The challenge

Protect BA and TSO EMS and SCADA systems from potential attacks originating in wide-area networks and in compromised partner utilities.

Waterfall solution - icon
Waterfall solution

Waterfall Unidirectional Gateways were installed to protect the control system servers at the Balancing Authority control center. Two independent channels of unidirectional communications were deployed, one replicating ICCP servers from partner utilities into the EMS network, and one replicating the EMS ICCP servers to partner utilities. The gateways physically protect EMS networks, and are configured in multiply-redundant, high-availability sets.

Results and benefits - icon
Results & benefits

100% Security: The Balancing Authority EMS is now physically protected from threats emanating from partner utilities and any intervening ICCP WAN infrastructure.

100% Visibility: Partner utilities can now interact normally and bi-directionally with BA replica ICCP servers without introducing cyber risk to the BA SCADA system network.

100% Compliance: Unidirectional Gateways simplify compliance with NERC CIP, ANSSI, ISA, IEC 62443, NIST 82-800 and other global best practices and regulations.

vertical red line
Theory of Operation
Click to enlarge

Two sets of Unidirectional Security Gateways were installed to address continuous communications needs: one set of gateways replicating partner ICCP servers into the EMS networks, and one replicating EMS ICCP servers to the partner utilities. Each set of servers was multiply redundant, to provide the High Availability functionality demanded of the highest levels of coordination in the electric grid. This solution replicates ICCP servers rather than forwarding ICCP messages. The central EMS exchanges ICCP messages only with unidirectional replicas of the partner servers. Two independent channels of hardware-enforced, unidirectional communications, each of which replicate and emulate ICCP servers – rather than forwarding messages – provide unprecedented levels of cyber protection to Balancing Authorities and Transmission System Operators. Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that accompany firewall deployments.

vertical red line
Unidirectional Security Gateways Benefits:

arrow red right Safe, continuous monitoring of partner utility generation,
load and other status information

arrow red right Stronger than firewall protection for Balancing Authorities
and Transmission System Operators

arrow red right Accurate and timely replication of ICCP servers

arrow red right Multiply-redundant High Availability configurations
consistent with the demands of the highest level of
coordination in the electric grid

vertical red line
Global Cybersecurity Standards Recommend Unidirectional Security Gateways

Waterfall Security is the market leader in Unidirectional Gateway technology with installations at critical infrastructure sites across
the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best
practice by many leading industry standards bodies, including NIST, ANSSI, NERC CIP, the ISA, the US DHS, ENISA and many more.


Stay up to date

Subscribe to our blog and receive insights straight to your inbox