Open Grid Europe: IT Security in Telecontrol Systems

The German company Open Grid Europe (OGE) is in charge of natural gas transport across a 12,000 km pipeline network, thus operating one of Europe’s largest telecontrol networks. The SCADA system operates and monitors both long-distance gas transport and regional gas distribution networks. With the number of RTUs rising to more than 1,000 units, however, the current system reached its limits – after all, some components were by now 15 years old.

Redundant Gateways and an Intelligent Visualization System
The former front-end computers were replaced by two redundantly configured IDS ACOS gateways on a Linux basis. They act as a communication centre between the RTUs, OGE's own dispatching system DAISY, the visualization tool and, ultimately, the parameterization environment.

From Technical Specification to Security Tests
After installation of the telecontrol system, all central systems – i.e. the gateways, HIGH-LEIT NT, ACOS ET - , as well as a selection of new and old RTUs, were extensively tested by a third party. The test panel’s verdict was extremely positive. Final potentials for optimization elicited by the tests, e.g. with a view to firewall settings, were implemented by IDS as quickly as possible. The system is now optimally equipped for the future.

Encryption across the Complete System – in accordance with the Law
Formerly, communication in the network was done via an unencrypted IEC protocol. Meanwhile, Open Grid Europe have implemented the new IP-based encrypted data transfer in their new telecontrol network, as recommended by the BDEW white paper. Today, the entire communication in the new network is encrypted: All systems communicate exclusively via a secure VPN connection; telecontrol messages are transmitted via IEC 62351-3 and are additionally end-to-end encrypted. Furthermore, automation systems were connected to the RTUs via protocols 3664R/RK512, Modbus RTU and IEC 60870-5-101.

Less Trouble through brand-new Technology Remote Diagnosis of RTUs
In the course of the project, Open Grid Europe exchanged 500 of the currently 1,000 RTUs. The exchange of RTUs was done in several phases following a two-month test run. One of the most striking features of the new ACOS 750 RTUs is that they not only enable precise and accurate remote diagnostics but also the import of remote software updates.