Utilities and cyber security auditors are increasingly considering not only the control centre as critical attack vector, but also substations as potential entry points for cyber attacks. Important risk factors are the processes, how the commissioning of the protection and control systems are realized and how remote maintenance access is implemented. Therefore, the architecture of the protection and control system must be reviewed for security.
To achieve this, the Centralschweizer Kraftwerke AG (CKW) started a project in 2016/2017 to develop a new reference architecture for their secondary systems. This paper shows the process and the results, starting with an enumeration of the most important attack vectors on substations, followed by a description of the security architecture implemented for the first time in a new greenfield 110kV substation project by CKW. It concludes with the experiences in selecting a suitable IDS for substations and the lessons learned in the factory acceptance test of this project.