Sep 2020
Electricity Transmission
Cyber Security Solutions for Legacy Equipment
Sep 2020
Apr 2021
National Grid Electricity Transmission
Thomas Charton
Click here to send a question to the contact.
Network Innovation Allowance
ET - Network improvements and system operability
Cyber Security
While it is well recognised that IEC61850 based fully digital substation technologies can deliver great benefits to power utilities and their customers, the existing legacy equipment will continue to play a crucial role to support the critical power infrastructure for the remainder of its service lifetime, especially substation protection and control systems. Since legacy equipment was originally designed for use on dedicated or closed networks and therefore contains little or no cyber security features.


Even though they perform critical functions managing power grid and communication networks, most are lacking crucial features for access control and device hardening. Many of these devices cannot be easily updated with new firmware to include security and replacing them with new secure versions will take years. Hence a risk assessment and detailed review of options for improved cyber security for legacy equipment to stop any cyber-attack are urgently required. In this context, we consider legacy equipment all assets that have been delivered prior to the implementation of our architecture for secondary substation systems.
The aim of this project is to

·         investigate and develop methodologies for cyber risk assessment

·         assess risk levels for P&C equipment, in particular legacy equipment

·         understand the currently available options to improve security and develop new ideas and concepts capable of improving security for legacy equipment in a cost-effective way.

·         assess options and make recommendations based on a CBA


The investigation will refer to and build on the ongoing work in the CREST project (NGTO020) and in particular the cyber security requirements and implementation guidance for IEC standards 62351 and 62443. The project will provide guidance on how to apply these standards to the relevant vintages of P&C equipment.
A widely-recognised framework for monetised risk for cyber security has not been developed yet for our industry. This project will develop a risk model and framework that can contribute to a robust methodology for CBA for cyber security. The risk of compromised cyber security can range up to a country-wide blackout which would cost potentially several days of GDP. Mitigating this huge risk will deliver large benefits to consumers
The project will generate new learning for utilities with guidance on how to secure older assets that can not be cyber hardened in the same way as new equipment. The types of existing legacy equipment managed by network licensees is to a large extent similar and the learning will be transferrable to other networks.