Summary
The ongoing digitalization of power systems, particularly through the expansion of remote control and automation functions, has significantly increased the attack surface of protection systems. In Colombia, this growing exposure has driven regulatory actions such as the cybersecurity guide issued by the National Operation Council, aligned with NERC-CIP principles. This guide classifies protection systems as critical assets essential for ensuring grid reliability and operational resilience and identifies nine categories of critical cyber assets, including special protection schemes and supplementary control systems. Building on previous national assessments, ten cyberattack vectors have been identified that could compromise the integrity and operation of key assets such as rotating machinery, dam gates, digital relays, Automatic Generation Control (AGC) platforms, SCADA control centers, and Advanced Metering Infrastructures (AMI). Protection schemes require high levels of speed, security, selectivity, coordination, and redundancy, making their cybersecurity a key component of system reliability. This work proposes a cybersecurity architecture specifically designed to mitigate risks associated with cyberattacks targeting protection systems in the power grid.
The methodology integrates four core components: (1) a technical and functional assessment of protection systems and digital substation environments, including the use of IEC 61850 protocols and conventional relaying architectures; (2) a cybersecurity risk analysis based on the ICS Cyber Kill Chain and MITRE ATT&CK for ICS, identifying six cyberattack techniques applicable to digital relays; (3) high-impact scenario characterization using the High Impact Scenarios of Cybersecurity Incidents (ESCIM, by its Spanish acronym) tool, covering man-in-the-middle attacks, denial of service, false data injection, unauthorized command execution, and mode manipulation; and (4) the design of a secure network architecture using the Key platform for the identification of Industrial Cybersecurity requirements (RECIN, by its Spanish acronym), applying zoning, segmentation, firewalls, and Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to enhance integrity, confidentiality, and availability.
The analysis revealed multiple architectural weaknesses, including unsecured engineering workstations, weak credential policies, limited redundancy, insufficient segmentation, and the use of default configurations in IEDs. These vulnerabilities could enable unauthorized switching, relay misoperations, or even cascading outages. To mitigate these risks, a layered cybersecurity architecture is proposed, incorporating ISA/IEC 62443-based zones and conduits, role-based access control (RBAC), encrypted communication channels, secure remote access mechanisms, and real-time monitoring through OT Security Operations Centers. The architecture prioritizes monitoring of IEC 61850 MMS/GOOSE traffic, firmware integrity, and timing synchronization via IEEE 1588. The proposed architecture provides a standard-based, replicable reference model to strengthen the cybersecurity posture of protection systems and supports the Colombian path toward a secure and resilient smart grid environment.
Additional information
| Publication type | Session Materials |
|---|---|
| Reference | D2_12133_2026 |
| Publication year | |
| Publisher | CIGRE |
| Country | Colombia |
| Study committees | |
| File size | 1 MB |
| Price for non member | 30 € |
| Price for member | 30 € |
Authors
ZULUAGA Diego - crossdmz; CADENA Pedro - Escuela Superior de Guerra Colombia; VILLA Rubén - Intercolombia; MOLINA Juan - Colombia Inteligente; SALAZAR Ángelo - univalle; LUNA María - xm