Cybersecurity For Balancing Authorities
Secure Communications With Partner Utility ICCP Servers
North American Balancing Authority.
Protect Energy Management System (EMS) control systems from potential attacks emanating from partner utility networks.
Waterfall’s Unidirectional Solution:
Physically secures Balancing Authority and Transmission System Operators EMS networks from remote cyber attacks, ensuring safe ICCP connections to partner utilities.
The Growing Challenge Of Securing The Power Grid
Balancing Authorities (BA) and Transmission System Operators (TSO) rely on continuous communications with partner utilities to balance power generation against load in real time. Central authorities have no way to be confident of the cyber security posture at any of their connected partner sites, yet these authorities are required to protect their Energy Management Systems against cyber attacks. It is vital to the reliable operation of the power grid that Balancing Authority and Transmission System Operator EMS and SCADA systems are protected from attacks originating in wide-area networks and in potentially-compromised partner networks.
Protect BA and TSO EMS and SCADA systems from potential attacks originating in wide-area networks and in compromised partner utilities.
Waterfall Unidirectional Gateways were installed to protect the control system servers at the Balancing Authority control center. Two independent channels of unidirectional communications were deployed, one replicating ICCP servers from partner utilities into the EMS network, and one replicating the EMS ICCP servers to partner utilities. The gateways physically protect EMS networks, and are configured in multiply-redundant, high-availability sets.
Results & benefits
100% Security: The Balancing Authority EMS is now physically protected from threats emanating from partner utilities and any intervening ICCP WAN infrastructure.
100% Visibility: Partner utilities can now interact normally and bi-directionally with BA replica ICCP servers without introducing cyber risk to the BA SCADA system network.
100% Compliance: Unidirectional Gateways simplify compliance with NERC CIP, ANSSI, ISA, IEC 62443, NIST 800-82 and other global best practices and regulations.
Theory of Operation
Two sets of Unidirectional Security Gateways were installed to address continuous communications needs: one set of gateways replicating partner ICCP servers into the EMS networks, and one replicating EMS ICCP servers to the partner utilities. Each set of servers was multiply redundant, to provide the High Availability functionality demanded of the highest levels of coordination in the electric grid. This solution replicates ICCP servers rather than forwarding ICCP messages. The central EMS exchanges ICCP messages only with unidirectional replicas of the partner servers. Two independent channels of hardware-enforced, unidirectional communications, each of which replicates and emulates ICCP servers rather than forwarding messages, provide unprecedented levels of cyber protection to Balancing Authorities and Transmission System Operators. Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that accompany firewall deployments.
Unidirectional Security Gateways Benefits:
Safe, continuous monitoring of partner utility generation, load and other status information
Stronger than firewall protection for Balancing Authorities and Transmission System Operators
Accurate and timely replication of ICCP servers
Multiply-redundant High Availability configurations consistent with the demands of the highest level of coordination in the electric grid
Global Cybersecurity Standards Recommend Unidirectional Security Gateways
Waterfall Security is the market leader in Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by many leading industry standards bodies, including NIST, ANSSI, NERC CIP, the ISA, the US DHS, ENISA and many more.