National Grid-Saudi Arabia Substation Automation Implementation Paves the Road Toward Smart Grid Application

Written by Gin Quesada for Abdulaziz A. Sultan, Department Manager, Telecommunication Engineering and Substation Automation Department of National Grid – Saudi Arabia, for presentation at International Society for Automation


This article describes how National Grid SA's initiatives to adopt IEC 61850 substation automation system (SAS) technology in its transmission grid are paving the way toward the application of Smart Grid. Since the Company implemented SAS in 2009, over 200 new HV and EHV substations have been initiated; some have already been commissioned, and the remaining ones in the long-term plan are under various phases of implementation. As the IEC 61850 SAS-based substation is a major cluster of the Smart Grid (SG), the Company has taken the necessary initiatives to incorporate functionalities and technologies that align with the SG roadmap of standards, technologies and requirements. With IEC 61850 at the core, supporting technologies such as PRP and HSR of the IEC 62439 standard, and Ethernet technologies using IP Version 6 that enable the connection of all power system components, are explained. Secure NMS based on SNMP Version 3 is described, along with next-generation cyber security technologies to fend off Advanced Persistent Threats (APTs). Also described is the integration of RTU, SOE, DFR, PQ, and AMR in the SAS-based substations. Future capabilities to integrate PMUs, substation-to-substation protection, substation-to-control-center communications, and a process bus employing precision time protocol IEEE 1855 are also described. Plans are ready to incorporate IEC 61850 Edition 2 as soon as it is released, and to make the substation part of the infrastructure for data mining, business intelligence and a self-healing power system.


  • Ethernet-based LAN
  • Company WAN, SDH, and DWDM backbones
  • High Availability Seamless Recovery Network.
  • Use of redundancy boxes in IEC 61850 devices
  • Use of next-generation Cyber security solutions from North American and European frameworks
  • Legacy devices like RTU, SOE, DFR, and DSM
  • Integrating AMR infrastructure
  • Wide Area Monitoring System with PMUs
  • Internet Protocol Version 6
  • Migration to IEC 61850, Version 2
  • Use of IEC 62439 Version 2 in the future
  • Future Cyber Security plans
  • A process bus based on IEEE 1588
  • Substation-to-substation protection
  • Incorporation of DERs and renewables
  • Enhancement of substation-to-control center and inter-control center communications
  • Data mining, business intelligence practices and solutions, and DSS


Current Company SAS Substation Design and Planned Future Functionalities

National Grid – Saudi Arabia (the ‘Company’) started implementing substation automation systems (SAS) using the IEC 61850 standard in 2009. As the Company's SAS-based substation has evolved, several functionalities have been incorporated since construction of the first substation that align the Company's substation design with the objectives of the Smart Grid. Smart Grid (SG) has been the technology of choice dominating current grid infrastructure design.

The following lists show the functionalities added so far and those the Company intends to add in the near future to make its substation design SG-ready, paving the way for the Company’s construction of a Smart Grid infrastructure.

Functionalities already in place:

  1. Use of an Ethernet-based local area network
  2. Use of Company WAN, SDH, and DWDM backbones.
  3. High Availability Seamless Recovery Network.
  4. Use of redundancy boxes (redbox) to accommodate non-IEC 61850 devices.
  5. Use of next-generation cyber security solutions based on North American and European frameworks
  6. Incorporation of the legacy devices like RTU, SOE, DFR, and DSM
  7. Incorporation of AMR infrastructure
  8. Incorporation of PMUs
  9. List of secondary equipment in typical Company SAS architecture.

Functionalities the Company plans to incorporate in the future:

  1. Use of IP Ver. 6 in the Ethernet networks
  2. Use of IEC 61850, Ver. 2
  3. Use of newer versions of redundancy protocols (IEC 62439 Ver 2)
  4. Cyber Security plans
  5. Incorporation of PMUs
  6. Use of the process bus according to IEEE 1855
  7. Substation-to-substation protection
  8. Enhancement of substation-to-control center communications and control
  9. Use of data mining and business intelligence practices and solutions.

IEC 61850 Beginnings in National Grid- Saudi Arabia

Construction of a substation automation system (SAS) using the IEC 61850 standard was first implemented in the Maaden 380 kV substation of National Grid – Saudi Arabia in 2009. Thereafter, several substations with multiple voltage levels (380, 230, 115, 132, 13.8 kV) were constructed. Some have been commissioned, others are under construction, and others are in the bidding stage. A number of facilities incorporating dynamic voltage compensation, monitored with IEC 61850-based SAS, were also added to the substations. To date, there are ____380 kV on-going constructions, not to mention the quantity of substations of lower voltage levels throughout the Kingdom; 10 (?) are undergoing commissioning; and 10 (?) are on stream.

A substation with an SAS based on IEC 61850 is the kind that the Smart Grid community of regulators, vendors, operators, and manufacturers has standardized on, with IEC 61850 as the protocol for the substation unit of the Smart Grid.

Ethernet-based SAS LAN

To further align the Company’s substation design with Smart Grid requirements, advances in internetworking, such as the use of Ethernet in the local area network (LAN), have been used to interconnect the various primary and secondary devices. LAN technology also affords versatility in creating network segregation for security and operational purposes. The substation automation network is divided into station level, bay level, and process level, and the bay level is segregated into 380 kV, 230 kV, 115 kV, and 13.8 kV levels. Each network is duplicated to enable the use of the Parallel Redundancy Protocol, IEC 62439-3 PRP.

Company WAN, SDH, and DWDM Backbone

Communication between the Company substations and the control centers uses the IEC 101 and IEC 104 protocols. There are three Company-owned communication backbones, namely SDH, WAN, and DWDM, through which data interchange takes place between the control centers and the substations. The SDH backbone is the most mature of the three and is used for IEC 101 communication over modems. IEC 101 is used because, in some areas of the Kingdom, the Company has not completed some segments of the WAN link between the substations and the control centers. Where there is a complete WAN link, the packet-based IEC 104 is used. The Company’s standard scope of work calls for the inclusion of data exchange using both protocols, with operations personnel choosing between them depending on availability and exigency.

High Availability Seamless Recovery Network

Reliability, availability and resiliency are the most desired properties of a network, which is why the redundancy standard IEC 62439-3 PRP has been used in the Company substations as part of the SAS functionality. IEC 62439-3 gives a redundant network zero recovery time. That is, when a break occurs in a network, no time is needed to recover operational status, because both redundant network signals are simultaneously present at a two-ported node of the network. The standby port in the node carries a ready signal that requires no activation time when the main port becomes unavailable. While the redundant networks could be ring or bus networks, the Company opted to use ring networks with fiber optic as the main medium.

The two LANs are completely separated and are assumed to be fail-independent. A source node sends simultaneously two copies of a frame, one over each port. The two frames travel through their respective LANs until they reach a destination node, in the fault-free case, with a certain time skew. The destination node accepts the first frame of a pair and discards the second, taking advantage of a sequence number in each frame that is incremented for each frame sent.

Therefore, as long as one LAN is operational, the destination always receives one frame. This protocol provides zero-time recovery and allows the redundancy to be checked continuously to detect lurking failures.

Non-PRP nodes are either attached to one network only (and therefore can communicate only with other nodes attached to the same network), or are attached through a RedBox, a device that behaves like a doubly attached node.

Node failures are not covered by PRP, but duplicated nodes may be connected via a PRP network.

Each node in PRP has two Ethernet interfaces that use the same MAC address and present the same IP address(es). Therefore, PRP is a layer 2 redundancy, which allows higher network protocols to operate without modification.
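
The duplicate handling described above can be modelled as follows; this is an added example, not code from the article or from any PRP implementation. The 16-bit counter, the 400 ms entry lifetime, the MAC address and the traffic are assumptions of the model. It also counts copies that never arrive, which is how a silently failed LAN becomes visible even though delivery is unaffected.

```python
"""Model of PRP duplicate handling at a doubly attached receiver (added example)."""
from __future__ import annotations
from dataclasses import dataclass

SEQ_MOD = 1 << 16        # sequence counter modelled as 16-bit (assumption of this model)
ENTRY_LIFETIME_MS = 400  # assumed ageing time for duplicate-table entries


@dataclass(frozen=True)
class Frame:
    src: str        # source MAC, identical on both ports of the sending node
    seq: int        # incremented by the sender for each frame it sends
    lan: str        # "A" or "B": the LAN that carried this copy
    payload: bytes


def duplicate(src: str, seq: int, payload: bytes) -> list[Frame]:
    """Sender side: one copy per LAN, both carrying the same sequence number."""
    seq %= SEQ_MOD
    return [Frame(src, seq, "A", payload), Frame(src, seq, "B", payload)]


class PrpReceiver:
    """Accepts the first copy of each pair, discards the second, and counts
    copies that never arrived so a silently failed LAN becomes visible."""

    def __init__(self, lifetime_ms: int = ENTRY_LIFETIME_MS):
        self.lifetime_ms = lifetime_ms
        self.table: dict[tuple[str, int], list] = {}  # key -> [arrival_ms, first_lan, paired]
        self.delivered: list[bytes] = []
        self.discarded = 0
        self.missing = {"A": 0, "B": 0}

    def _age_out(self, now_ms: int) -> None:
        # Old entries must be removed so the table stays bounded.
        expired = [k for k, e in self.table.items() if now_ms - e[0] > self.lifetime_ms]
        for key in expired:
            _, first_lan, paired = self.table.pop(key)
            if not paired:  # the other LAN never delivered its copy
                self.missing["B" if first_lan == "A" else "A"] += 1

    def receive(self, frame: Frame, now_ms: int) -> bool:
        """Return True if the frame is passed to upper layers, False if discarded."""
        self._age_out(now_ms)
        key = (frame.src, frame.seq)
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [now_ms, frame.lan, False]
            self.delivered.append(frame.payload)
            return True
        if frame.lan != entry[1]:
            entry[2] = True  # both LANs delivered: redundancy confirmed for this frame
        self.discarded += 1
        return False

    def suspect_lans(self, now_ms: int, threshold: int = 3) -> list[str]:
        """LANs that failed to deliver at least `threshold` copies."""
        self._age_out(now_ms)
        return sorted(lan for lan, n in self.missing.items() if n >= threshold)


def run_scenario(lan_b_fails_at: int | None) -> PrpReceiver:
    """Constructed traffic: 8 frames, 100 ms apart, LAN B copy 2 ms behind LAN A."""
    rx = PrpReceiver()
    for seq in range(8):
        t = seq * 100
        for copy in duplicate("02:00:00:00:00:01", seq, b"msg-%d" % seq):
            if copy.lan == "B" and lan_b_fails_at is not None and seq >= lan_b_fails_at:
                continue  # LAN B silently drops this copy
            rx.receive(copy, t if copy.lan == "A" else t + 2)
    return rx


if __name__ == "__main__":
    rx = run_scenario(lan_b_fails_at=4)
    print(len(rx.delivered), rx.discarded, rx.suspect_lans(now_ms=2000))
```

With LAN B failing from the fifth frame on, all eight payloads are still delivered; only the missing-copy counter reveals the fault.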

IEC 62439-3 has two approaches to redundancy: (1) Parallel Redundancy Protocol (PRP), as described above, which uses two parallel networks (that could be ring or bus), and (2) Highly Available Seamless ring (HSR), which uses only one ring.

HSR is typically used in a ring topology; however, redundant connections to other networks are possible (e.g. a mesh topology).

IEC 62439-3 PRP is applied in the high voltage level and low voltage level networks in the bay level of the SAS substation.

IEC 62439-3 PRP is also applied in the station level networks in lieu of various proprietary vendor solutions, e.g. dual-homing and teaming networks.

With such a redundant design, the Company substation more than meets the requirements of a node in a Smart Grid.

Use of Redundancy Boxes (Redbox) to Accommodate Non-IEC 62439 Devices  

While two-ported devices for IEC 62439-3 PRP applications are still evolving, the use of redundancy boxes as defined in IEC 62439-3 PRP has been allowed. At the bay level, the devices concerned are the IEDs.

At the station level, the devices required to be two-ported are the computers, printers, and time servers.

Use of next-generation Cyber security solutions based on North American and European frameworks

A SAS topology can be reliable from a connectivity point of view and still be unreliable overall. For a substation cyber or LAN network to be considered reliable, security measures must be in place that let the substation operate unperturbed by cyber threats and attacks. Leaving device reliability aside, the Company considers reliability in two parts: reliability with respect to connectivity, for which redundancy is one solution; and cyber security reliability, to maintain the confidentiality, integrity, and availability of information.

With an unlimited number of attack vectors available to attackers in a Smart Grid, cyber security is given prominence in Smart Grid design, in which the substation is the main grid node. The Company has therefore prioritized cyber security in the design of the SAS architecture, other substation networks, and the devices or network nodes that are used in the substation.

In the design of the cyber security aspect of the substation, the Company considered the cyber security standards and recommendations for Smart Grid design from the European Network and Information Security Agency (ENISA) document “Smart Grid Security”, NIST’s 3-volume document NISTIR 7628, “Guidelines for Smart Grid Cyber Security”, and NIST Special Publication SP1108, “NIST Framework and Roadmap for Smart Grid Interoperability Standards”. In all of the above documents, cyber security is a cross-cutting, critical issue that must be addressed in all standards developed for Smart Grid applications.

In general, the components of the cyber security strategy contained in these documents consist of: prevention, detection, response, and recovery.

The Company substation design also relies on cyber security frameworks for control facilities issued by the NIST, NERC-CIP, DHS, IEC, WIB, and ISA.

Cyber security before the advent of SAS

Before the advent of SAS (the RTU days), cyber security relied only on passwords for access, and no clear-cut cyber security policies were in place. Operations and maintenance personnel were careless about cyber security and considered an attack a remote possibility. The RTU could be accessed remotely from practically anywhere by operations and maintenance personnel. Given this Company mindset, vendors incorporated only minimal and traditional network cyber security.

Vendors were caught unaware by the new cyber security requirements in the first implementation of substation automation. Subsequent SAS scopes of work carried more stringent cyber security requirements, against the insistence of vendors on sticking to simple and traditional network security for industrial control systems.

Initially the vendors and contractors insisted that the situations envisioned by the Company's stringent requirements happen only in movies, but with the discovery of Stuxnet and the worldwide prevalence of similar incidents, contractors and vendors alike began committing to comply with Company requirements.

Company management likewise believed the threat conditions were remote possibilities, but a damaging attack on a local energy company on which the government relies heavily prodded management to examine current cyber security practices and to give instructions to implement the necessary solutions.

Current Cyber Security Solutions

The current SAS substation cyber security solutions have evolved into ones meant to combat so-called Advanced Persistent Threats (APTs). The Stuxnet attack (on several power plants in Iran, Indonesia, India), the attacks on RSA (a foremost security company) and Lockheed-Martin (a US defense contractor), and the Google and Sony attacks, to name a few, are examples of APT attacks.

What are APTs and what is the solution

Advanced Persistent Threat (APT) is a term coined by the security community engaged in combating cyber security attacks to describe a sophisticated approach used by attackers to inflict damage on critical infrastructures.

Advanced Persistent Threats (APTs) are a cybercrime category directed at business and political targets. APTs require a high degree of stealthiness over a prolonged duration of operation in order to be successful. The attack objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached.

Advanced persistent threat (APT) usually refers to a group, such as a government or a sinister group, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack.

Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.

Definitions of precisely what an APT is can vary widely, but can best be summarized by their named requirements:

Advanced – Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent – Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat – means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well-funded.

How Advanced Persistent Threats Breach Enterprises

APTs breach enterprises through a wide variety of vectors, even in the presence of properly designed and maintained defense-in-depth strategies:

  • Internet-based malware infection
  • Physical malware infection
  • External exploitation
  • People involvement
  • Social media

The Stuxnet computer worm, which targeted the computer hardware of Iran’s nuclear program, is one example. In this case, the Iranian government might consider the Stuxnet creators to be an Advanced Persistent Threat.

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, also to refer to the groups behind these attacks. Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 in particularly advanced targeted computer hacking attacks.

A common misconception associated with the APT is that the APT only targets Western governments. While examples of technological APTs against Western governments may be more publicized in the West, actors in many nations have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military’s response to this cyber threat.

Numerous sources have alleged that some APT groups are affiliated with, or are agents of, nation-states.

APT life cycle

Actors behind advanced persistent threats create a growing and changing risk to organizations’ financial assets, intellectual property, and reputation by following a continuous process:

1. Target specific organizations for a singular

2. Attempt to gain a foothold in the environment; common tactics include spear phishing emails.

3. Use the compromised systems as access into the target network

4. Deploy additional tools that help fulfill the attack

5. Cover tracks to maintain access for future

The global landscape of APTs from all sources is sometimes referred to in the singular as “the” APT, as are references to the actor behind a specific incident or series of incidents.

Well-funded APT adversaries do not necessarily need to breach perimeter security controls from an external perspective. They can, and often do, leverage “insider threat” and “trusted connection” vectors to access and compromise targeted systems.

Abuse and compromise of “trusted connections” is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel in to an organization using the hijacked credentials of employees or business partners, or via less-secured remote offices. As such, almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point.

A key requirement for APTs (as opposed to an “every day” botnet) is to remain invisible for as long as possible. As such, the criminal operators of APT technologies tend to focus on “low and slow” attacks – stealthily moving from one compromised host to the next, without generating regular or predictable network traffic – to hunt for their specific data or system objectives. Tremendous effort is invested to ensure that malicious actions cannot be observed by legitimate operators of the systems.

Malware is a key ingredient in successful APT operations. Modern “off-the-shelf” and commercial malware includes all of the features and functionality necessary to infect digital systems, hide from host-based detection systems, navigate networks, capture and extricate key data, provide video surveillance, along with silent and covert channels for remote control. If needed, APT operators can and will use custom developed malware tools to achieve specific objectives and harvest information from non-standard systems.

At the very heart of every APT lies remote control functionality. Criminal operators rely upon this capability in order to navigate to specific hosts within target organizations, exploit and manipulate local systems, and gain continuous access to critical information. If an APT cannot connect with its criminal operators, then it cannot transmit any intelligence it may have captured. In effect, it has been neutered. This characteristic makes APTs appear as a sub-category of botnets.

While APT malware can remain stealthy at the host level, the network activity associated with remote control is more easily identified. As such, APTs are most effectively identified, contained and disrupted at the network level.

The Company solutions

Defense in depth is the solution the Company is applying to fend off APT attacks. The solution is in line with the Smart Grid approach to cyber security. It is imposed on contractors and vendors contracting for new substation projects.

For existing and legacy facilities, the Company, with the assistance of a Consultant, is retrofitting cyber security functionalities.

For new contractor applicants, cyber security is a paramount requirement in the prequalification process.

Incorporation of the legacy devices like RTU, SOE, DFR, and DSM

In the Company SAS-based substation, the functionalities of some legacy standalone equipment like Dynamic System Monitoring (DSM), Sequence of Event (SOE), Digital Fault Recorder (DFR), and Remote Terminal Units (RTU) can be incorporated in the SAS LAN and devices. However, in some areas of the Kingdom, operations personnel prefer them to be standalone equipment. To be connected to the SAS LAN, the devices have to be dual-ported, operating according to IEC 62439-3 PRP. Products having PRP ports do not exist yet.

Incorporation of AMR infrastructure

Automatic Meter Reading (AMR) infrastructure has been built by the Company and is currently being incorporated Kingdom-wide in the Company SAS-based substations. AMR is one of the enabling functionalities in the Smart Grid. This initiative aligns all the Company substations with Smart Grid requirements.

Conceptual Diagram of the Company SAS Architecture, and List of Major Equipment

A conceptual diagram of the SAS architecture used in Company substations is shown in Attachment 1 to this document. Attachment 2 shows a typical list of the major equipment that usually makes up the SAS architecture.

Functionalities Company Plans to Incorporate in the Future in its Substation Design

Technological developments continually evolve. The Company, for its part, unceasingly keeps abreast of upcoming technological changes. This vigilance toward global electrical developments is paramount to the Company, despite the fact that it is the sole electricity provider in the Kingdom and has no market competitor. In fact, its advocacy of IEC 61850, IEC 62439-3 PRP, and ICS Cyber Security has made the Company the prime mover of many Vendor product developments.

The following list indicates the initiatives of the Company that are on the drawing board. They are being readied for the opportune time of implementation.

  1. Use of IP Ver. 6 in the Ethernet networks
  2. Use of IEC 61850, Ver. 2
  3. Use of newer versions of redundancy protocols (IEC 62439 Ver 2)
  4. Cyber Security plans
  5. Incorporation of PMUs
  6. Use of the process bus according to IEEE 1855
  7. Substation-to-substation protection
  8. Incorporation of DERs to the grid
  9. Enhancement of substation-to-control center communications and inter-control center communications
  10. Use of data mining and business intelligence practices and solutions.

Use of IP Version 6 in the Ethernet networks

With all the published benefits attributed to IP Version 6, and the inevitability of its global implementation, the Company has considered its deployment in all Company networks, not only those in the substations. The Smart Grid community is also expected to deploy IPv6.

The benefits of IPv6 are highlighted by the following advantages over IPv4:

  • More Efficient Routing
    IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical. IPv6 allows ISPs to aggregate the prefixes of their customers’ networks into a single prefix and announce this one prefix to the IPv6 Internet. In addition, in IPv6 networks, fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path’s maximum transmission unit (MTU).
  • More Efficient Packet Processing
    IPv6’s simplified packet header makes packet processing more efficient. Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop. Getting rid of the IP-level checksum was possible because most link-layer technologies already contain checksum and error-control capabilities. In addition, most transport layers, which handle end-to-end connectivity, have a checksum that enables error detection.
  • Directed Data Flows
    IPv6 supports multicast rather than broadcast. Multicast allows bandwidth-intensive packet flows (like multimedia streams) to be sent to multiple destinations simultaneously, saving network bandwidth. Disinterested hosts no longer must process broadcast packets. In addition, the IPv6 header has a new field, named Flow Label, that can identify packets belonging to the same flow.
  • Simplified Network Configuration
    Address auto-configuration (address assignment) is built in to IPv6. A router will send the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.
  • Support For New Services
    By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
  • Security
    IPSec, which provides confidentiality, authentication and data integrity, is baked into IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets.
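
The address auto-configuration described under "Simplified Network Configuration" can be worked through as follows; this is an added example, not part of the original article. It applies the modified EUI-64 rule of RFC 4291 (insert ff:fe between the two halves of the MAC and flip the universal/local bit) and reverses it, so that addresses seen on a substation LAN can be checked against an asset register. The prefix, MAC addresses and device names are constructed.

```python
"""IPv6 address auto-configuration with a modified EUI-64 interface ID (added example)."""
from __future__ import annotations
import ipaddress


def parse_mac(mac: str) -> bytes:
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 link prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("auto-configuration with EUI-64 needs a /64 prefix")
    m = parse_mac(mac)
    # Insert ff:fe between the two MAC halves and flip the universal/local bit.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(address: str) -> str | None:
    """Recover the MAC from an EUI-64 derived address, or None if there is none."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(observed: list[str], register: dict[str, str]) -> dict[str, str]:
    """Check observed addresses against an asset register keyed by MAC address."""
    result = {}
    for addr in observed:
        mac = embedded_mac(addr)
        if mac is None:
            result[addr] = "no embedded MAC (address not derived from EUI-64)"
        elif mac in register:
            result[addr] = f"known: {register[mac]}"
        else:
            result[addr] = f"unregistered device {mac}"
    return result


# Constructed sample data: documentation prefix, made-up MACs and device names.
PREFIX = "2001:db8:0:1::/64"
REGISTER = {"00:1a:2b:3c:4d:5e": "bay-ied-01"}
OBSERVED = [
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",
    "2001:db8:0:1:a8bb:ccff:fedd:eeff",
    "2001:db8:0:1::10",
]

if __name__ == "__main__":
    print(slaac_address(PREFIX, "00:1a:2b:3c:4d:5e"))
    for addr, status in audit(OBSERVED, REGISTER).items():
        print(addr, "->", status)
```

Because the interface ID carries the hardware address, an auto-configured node identifies its network interface to anyone who sees its address, which is worth weighing when planning addressing for substation devices.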

Use of IEC 61850, Version 2

There are changes in the current version of IEC 61850. The Company will deploy the new IEC 61850 Version 2 after Vendors firm up their commitment roadmap for the deployment of the new version.

Use of newer versions of redundancy protocols, IEC 62439 Version 2

Currently, the Company is implementing version 1 of IEC 62439-3 PRP. As Vendors become ready with their devices and network designs to deliver IEC 62439-3 PRP Version 2, the SAS-based substation will incorporate this new version of redundancy.

The original standard IEC 62439-3 (2010) was amended to align PRP with the High-availability Seamless Redundancy (HSR) protocol, which uses a ring topology instead of parallel networks. To achieve this, the original PRP was modified at the cost of a loss of compatibility with the PRP 2010 version.

The revised standard IEC 62439-3 (2012) describes both HSR and PRP. Many technical details are now aligned with HSR, which eases the implementation of multi-protocol nodes. In particular, a redundant transition between HSR and PRP networks is now possible.

The old PRP 2010 standard is sometimes referred to as PRP-0 (according to the protocol version), and PRP 2012 as PRP-1.

The changes with respect to the previous edition, as given in the Introduction section of IEC 62439-3 Edition 2.0 2012-07, High availability automation networks – Part 3: Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR), are listed in the ensuing paragraphs.

“The major changes with respect to IEC 62439-3:2010 are listed below.

Aligning the sequence number between PRP and HSR, to enable coupling of HSR and PRP networks and simplify the implementation of dual-mode nodes in hardware. At the same time, introduce a suffix in the PRP Redundancy Control Trailer to allow better identification, future extensions and coexistence with other protocols that also happen to use a trailer. This change is not backwards-compatible, so means are provided to identify the version and ensure that the networks are homogeneous.

Removing all implementation restrictions on the Duplicate Discard algorithm (especially references to the drop window algorithm and references to connection orientation) since other methods such as hash tables can be used. Removing the purging of the duplicate table. Replace this specific method by requiring that any Duplicate Discard algorithm provides a mechanism to remove old entries, thus ensuring that a node can properly reboot.

Making node tables optional for simple nodes to simplify hardware implementation.

Suppression of explicit mention of the HSR-PRP mode (PRP with HSR Tags), but allow it through the Mode N (no forwarding).

Introducing Mode T (forward through) to allow maintenance laptops to configure an open ring when attached to one end and Mode M (mixed) to allow forwarding of non-HSR-tagged frames in a closed ring.

Recommending the position of connectors, rather than impose it.

Defining the behaviour of an HSR node when non-HSR frames are encountered without requiring the recording of the source addresses and specify how IEEE 802.1D:2004, Table 7-10 frames are treated.

Prefixing the supervision frames on HSR by an HSR tag to simplify the hardware implementation and introduce a unique EtherType for HSR to simplify processing.

Changing the rule for the RedBox to allow more than one PRP network to be connected to an HSR ring, and introduce an identifier per RedBox pair.

Specifying tagging of IEC 61588 frames to follow IEEE C37.238 recommendations (informal).

Suppressing MAC address substitution.

Adapting the MIB to above changes.”

Cyber Security Future Plans

  • Company to widen scope of cyber security to other facilities other than the substation

Currently, the Company stringent cyber security is limited to networks and devices in the substation and Control Centers. The Company is now embarking on a project that will incorporate more hardened solutions in the communication backbone like the SDH, DWDM, NMS, AMR, PMU, IP telephony, and wireless  infrastructures.

This hardening also includes interfaces with other entities like customer-funded/ owned facilities and substations (e.g, Maaden substations, independent power producers), interconnection with other grids (e.g. GCC, Egypt grid, SARAMCO), other Saudi Electricity Company(SEC) subsidiaries’ facilities like the Generations and Distribution entities.

  • Defense-in-depth solutions to include policies

The defense-in-depth solutions cover people, process and technology. For the people aspect, the Company will develop a comprehensive policy incorporating security awareness and training.

  • Retrofitting or enhancement of cyber security in existing facilities

The retrofitting of cyber security functionality into existing legacy facilities will continue.

  • Use of the new framework from NIST that consolidates revised documents from NIST, NERC-CIP, DHS, IEC, ISA, WIB into one framework

There is an ongoing discussion in the US to unify under one cyber security framework all documents, standards, and best practices published by NIST, NERC-CIP, DHS, IEC, ISA, WIB, ISACA, COBIT, GAO, DOE, Smart Grid Group. The program, coordinated by NIST, was started upon the instruction of the US President, and the first workshop started in March 2013, involving all private, public, and government entities. Subsequent workshops followed. The framework is expected to be finalized in the first quarter of 2014.

By then, the Company will adopt the applicable documents for Company facilities, which include, among others, the SAS-based substations, the Smart Grid, and the communication-IT infrastructures.

Incorporation of PMUs

Currently, the Company is running a pilot project for the deployment of a Wide Area Monitoring System, in which the Phasor Measuring Unit (PMU) is the main device in various substations. The pilot project involves a few substations. Once the experiment is evaluated as workable, the deployment will be carried out Kingdom-wide.

A PMU calculates voltage and current phasors based on digital sampling of alternating current (AC) waveforms and a precise time signal provided by a GPS clock. A PMU provides output data in a standard protocol at rates of at least 30 samples per second for communication to remote locations. Since voltage and current measurements are time-stamped, synchro-phasor data collected across the country can be time-synchronized, so conditions at distant locations can be accurately compared. Digital Fault Recorders, digital relays, and other devices that have PMU capability can also be considered PMUs.

Use of the process bus according to IEEE 1855

The Sampled Value (SV) process bus concept was recently introduced in the IEC 61850-9-2 standard. This standard proposes that the Current and Voltage Transformer (CT, PT) outputs that are presently hard-wired to various devices (relays, meters, IED, and SCADA) be digitized at the source and then communicated to those devices using an Ethernet-based Local Area Network (LAN). The approach is especially interesting for modern optical CT/PT devices that possess high-quality information about the primary voltage/current waveforms, but are often forced to degrade output signal accuracy in order to meet traditional analog interface requirements (5 A/120 V). While very promising, the SV-based process bus brings along a distinct set of issues regarding the overall reliability of the new Ethernet communications-based protection and control system.

While a number of issues are still being addressed by IEC working groups, as soon as implementable standards and products become available in the market, the Company will immediately adopt the IEC 61850 process bus.

Substation-to-substation protection

IEC has not yet issued a standard on substation-to-substation protection based on IEC 61850. As soon as it is ready, the Company will be among the first to implement it.

Enhancement of substation-to-control center communications and inter-control center communications

Presently, the Company's enhancement of communications between the substation and control centers consists of encrypting, for security reasons, the messages that use the IEC 101 and IEC 104 protocols. For inter-control center communications, the Company's use of enhanced communications is pending the issuance of new protocols from the IEC 61850 working groups.

Development of more distributed energy resources (DER)

Presently, there is only one DER connected to the Company grid: the solar power plant on Farasan Island, which was inaugurated in October 2011. It is a 500 kW facility, expandable to 8 MW. Alongside the government, Company subsidiaries plan to develop more solar-based resources and other DERs. The Company, for its part, plans to incorporate these future DERs into the Kingdom-wide grid.

Use of data mining and business intelligence practices and solutions

Business Intelligence (BI), data mining, competitive intelligence, decision support systems and a host of other buzzwords are not new. The terms are re-engineered or re-coined as new computing technologies come around to enhance the accomplishment of the goals. The computing-based technology started more than 50 years ago, but the idea dates back further, to the time of the Chinese general Sun Tzu, who wrote The Art of War. The terminologies all aim at ensuring a company's survival, improving the bottom line, and accomplishing its social objectives. They permeate all aspects or departments of a company.

A definition of business intelligence (BI) has this to say: “BI is a business management term, which refers to applications and technologies that are used to gather, provide access to, and analyze data and information about company operations and performance. Business intelligence systems help companies have a more comprehensive knowledge of the factors affecting their business, such as metrics on sales, production, internal operations, and they can help companies to make better business decisions. Three main components are reporting, data mining, and predictive analytics.

“BI is an umbrella term that refers to a variety of software applications used to analyze an organization’s raw data. BI as a discipline is made up of several related activities, including data mining, online analytical processing, querying and reporting.

Companies use BI to improve decision making, cut costs and identify new business opportunities. BI is more than just corporate reporting and more than a set of tools to coax data out of enterprise systems. CIOs use BI to identify inefficient business processes that are ripe for re-engineering.

With today’s BI tools, business folks can jump in and start analyzing data themselves, rather than wait for IT to run complex reports. This democratization of information access helps users back up—with hard numbers—business decisions that would otherwise be based only on gut feelings and anecdotes.

On the other hand, data mining (sometimes called data or knowledge discovery), generally, is the process of analyzing data from different perspectives and summarizing it into useful information – information that can be used to increase revenue, cut costs, or both. Data mining software is one of a number of analytical tools for analyzing data. It allows users to analyze data from many different dimensions or angles, categorize it, and summarize the relationships identified. Technically, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases.

Although data mining is a relatively new term, the technology is not. Companies have used powerful computers to sift through volumes of industry data and analyze market and industry research reports for years. However, continuous innovations in computer processing power, disk storage, and statistical software are dramatically increasing the accuracy of analysis while driving down the cost.

Substation automation and Smart Grid belong to the production aspect or department of the Company. Executives or responsible persons in this department need to be able to decide wisely before embarking on major decisions, such as implementing Smart Grid, enhancing cyber security, building a number of additional substations to service a certain area, implementing newer versions of IEC 61850 and 62439, or creating research and development. The technical people proposing the innovations need to justify their recommendations with analysis of past and present data, predictive analysis, and knowledge discovery brought about by data mining and business intelligence processes. The technical group of the Company needs to show that an amount requested from the Company budget would yield returns to the Company in terms of ROI, quality of customer service, social objectives, enhancement of the management of its supply chain, and accomplishment of the bigger goals, such as climate change, support to avoid depletion of raw oil, and a green environment.

Business intelligence, data mining and predictive analysis would also identify threats, such as threats from the increasing sophistication of attackers, threats from upcoming new technology that would bring obsolescence to the Company's current technology, threats from entities (government, private, or its own co-subsidiaries) that would bring a new competitor, threats from the development of new culture among the youth, and threats from new concepts of management.

Considering all of the above, the Company intends to institutionalize Business Intelligence, data mining and Decision Support Systems solutions in the Company, from the central management level down to the technical level.



