Substation Automation (SA) systems supervise, monitor, protect and control substations in high and medium-voltage electrical power networks. This is done by protection and control devices allocated to the bays and/or to the primary equipment of the substation, as well as by station level devices including gateways and Human Machine Interfaces (HMI). Protection and control devices of the SA system close to the process generate events, including warnings and alarm signals, related to primary equipment or secondary equipment, or related to protection or control functions. Corresponding reporting messages are formatted according to a suitable protocol and transmitted on a SA communication network of the SA system to the station level devices for logging, archiving and/or evaluation. Furthermore, alarms may be provided for imminent graphical representation in an operator HMI, for example, for optical display in a single line overview picture, for an operator to investigate the origin of a disturbance.
Recently introduced security standards directed to the utilities operating distributed systems such as transmission and distribution systems for electrical power, water, or gas, specify that security relevant events are likewise stored and available for later retrieval. In the context of the present disclosure, security relevant events relate to cyber security or Information Technology (IT) security and as such are not directly linked to the operational aspects of the substation. Regulations, such as SOX (Sarbanes-Oxley Act), NERC-CIP (North American Electric Reliability Corporation-Critical Infrastructure Protection), and others are requiring organizations to implement comprehensive security measures, which may include collecting and analyzing logs, for example, the basic security event reports stored in a log archive and originating from many different sources.
Event logging was originally done locally and later centralized storage and central viewing of events became a standard feature in distributed systems. In this context, the Syslog protocol (including a simple communication protocol and a rudimentary data format definition) as documented in the Request for Comments (RFC) 3164 and 5424 of the Internet Engineering Task Force (IETF) is the de facto standard in the IT area for logging event data for later retrieval. Syslog allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. The Syslog protocol is used to convey event notification messages, and includes a message format that allows vendor-specific extensions to be provided in a structured way.
A communication standard for communication between the secondary devices of a substation has been introduced by the International Electrotechnical Committee (IEC) as part of the standard IEC 61850, entitled “Communication Networks and Systems in Substations”. For non-time critical messages, IEC 61850-8-1 specifies the Manufacturing Message Specification (MMS, ISO/IEC 9506) protocol based on a reduced Open Systems Interconnection (OSI) protocol stack with the Transmission Control Protocol (TCP) and Internet Protocol (IP) in the transport and network layer, respectively, and Ethernet as physical media. As any other process automation protocol with standardized application semantics, IEC 61850 provides for process related events, with a special format for security related events.
SA systems based on IEC 61850 are configured and described by means of a standardized configuration representation or formal system description called Substation Configuration Description (SCD). An SCD file includes the logical data flow between the Intelligent Electronic Devices (IEDs) and the relation between the IEDs as well as the functionality which the IEDs execute on behalf of the substation. In addition to SA systems for substations in high and medium-voltage electrical power systems, other Process Control systems for, for example, hydro power plants, wind power systems, and Distributed Energy Resources (DER), may likewise be described by a formal system description at least partly identical to the IEC 61850 SA description.
Despite the existence of the standard IEC 61850 protocols, SA devices such as sensors, communication network equipment, and general purpose computers exist that do not adhere to the IEC 61850 standard yet are included in a SA system along with the IEC 61850 compliant IEDs. These SA devices implement a number of formerly used transmission protocols for exchanging operational data, collectively referred to as pre-IEC 61850 protocols. According to EP-A 1976218, a proxy IED is configured as a gateway device for converting data between pre-IEC 61850 and IEC 61850 communication protocols. The proxy IED is configured, based on a set of mappings, which are coded in the SA configuration description (SCD) file.