Save Article Instructions
Close 

Enhancing Powerhouse Security

Hydro plant owners can enhance powerhouse security by installing lock-out relays, multifunction generator protective relays, wireless ethernet radio technology, and surveillance cameras.

By Daniel L. Purzycki

Much emphasis is placed on security with respect to external attacks on hydroelectric facilities. However, for a hydro plant to be truly secure, the project owner needs to evaluate internal as well as external aspects. This includes not only taking into consideration the security of the plant itself, but ensuring the security of those who work in and around the facility.

Based on our experience, the most important security-related technologies and products available to protect hydro powerhouses include: lock-out relays, multifunction generator protective relays, enterprise-wide telephone/messaging systems, and security cameras.

Some of these enhancements are relatively inexpensive, such as the lock-out relays. Others, such as multifunction generator protective relays and security cameras, are more costly. Each enhancement has distinct merits and should be evaluated on a case-by-case basis.

Lock-out relays

One of the most effective protective devices is the lock-out relay (LOR). An LOR provides a critical protective function by causing multiple events to take place, such as tripping generator circuit breakers, tripping field circuit breakers, and closing wicket gates or deflectors. In a typical hydro plant, there are one or more LORs performing emergency shutdowns, normal shutdowns, and selective breaker tripping. This high-speed device is triggered by protective relays and/or other associated protective devices, such as bearing overtemperature devices and vibration relays.

Here is how the LOR is activated: A vibration relay initiates a contact closure, which then activates a coil within the LOR. Activation of this coil releases a set of spring-loaded contacts that change state (i.e., normally open to normally close or vice-versa).

We have seen several instances at hydro facilities where the LOR coil has failed, leaving a generating unit unprotected. Most often, the failure is caused by resetting of the LOR during a faulted condition. In 2002, a feature was added to LORs that can determine whether the coil is functioning. LORs can be purchased with a coil monitoring feature, or can be retrofitted to include such a feature. With this feature, a light-emitting diode (LED) is illuminated on the nameplate as long as the coil’s continuity is unbroken. In the event of a coil failure, the LED is extinguished and a contact closes. This closure, in turn, signals a supervisory control and data acquisition (SCADA) or other desired operation, such as an alarm annunciator.

However, many hydro project owners have not replaced their old LORs with new devices with this enhanced feature. This device costs $500, plus installation, and can provide some assurance that the plant will shut down as intended, avoiding catastrophic damage to the machinery.

Another recent enhancement to LORs is a warning LED that illuminates in the trip position during a fault. The LED warns against resetting this relay while a fault is still present and perhaps damaging the LOR coil.

For all the security upgrades or installations we performed at hydro facilities in 2006, we included LORs that offer these new enhancements. Electroswitch in Weymouth, Mass., provides the LORs we use.

Multifunction generator protective relays

Multifunction generator protective relays (MGPRs) incorporate most, if not all, of the generator protective features recommended in the Institute of Electrical and Electronics Engineers Inc.’s (IEEE) standard 242, “IEEE Recommended Practice for Protection and Coordination of Industrial and Commercial Power Systems.” MGPRs sequentially sample quantities of alternating current, then a microprocessor performs mathematical and/or logical operations on this data to make decisions regarding tripping of the unit. Although MGPRs have been around since the early 1990s, they became more widely used in the hydro industry in the early 2000s.

MGPRs have several distinct advantages over electromechanical or solid-state relays. Most notable are:

– Less complicated wiring;

– “Watchdog” timers, which monitor the time required to scan a particular program and notify if this time exceeds a predetermined value;

– More protective functionality;

– Circuit breaker trip coil monitors;

– Group settings, which allow more than one setting for each protective function; and

– Metering power parameters (such as frequency, real power, reactive power, kilowatt-hours, etc.).

Within the past five years, we have installed generator protective relaying at more than 50 hydro plants. We have used MGPRs at all of these. The MGPRs cost about $2,500 to $10,000 each, based on functionality.

When upgrading to MGPRs, the trip settings for the generator and unit operation, such as islanding and parallel operation to the grid, should be re-evaluated. There are cases where improvements can be made for better coordination and protection. For example, these MGPRs can add functionality, especially for small (1 MW or smaller, according to IEEE guidelines) hydroelectric units that originally had minimal protective relays (such as overcurrent) and, in some instances, were below IEEE standard 242.

For generators rated higher than 1,000 kilovolt amperes, the use of two MGPRs can be economically justified because it provides a degree of redundancy, and some features found on one model or manufacturer of MGPRs are not found on others. The cost of two MGPRs are typically less than replacing their electromechanical or solid-state single function equivalent – taking into consideration both labor and materials. The normal course of deployment would be to choose a different manufacturer or model for the second MGPR to eliminate the possibility of any software or hardware concerns.


Lock-out relays provide a critical protective function for hydro facilities. These relays can act to trip generator circuit breakers, trip field circuit breakers, or close wicket gates or deflectors.
Click here to enlarge image

The group setting feature available on several MGPRs can be implemented for special purposes. This feature allows the settings of selected protective functions to change based on an event. An example of this is when the generating station becomes isolated due to external power quality issues (voltage and frequency). When such an event occurs, the MGPR switches the over and under voltage and frequency parameters to wider margins, allowing all or selected units to recover the transient due to isolation and keep generator(s) on line.

Communication systems

Whether a plant is manned or unmanned, the importance of communicating alarms, status, and other data has become more prevalent than ever before not only for security reasons, but for better operations. Today, there are numerous methods of communication – ranging from hard-wired systems, telephone lines, radios, microwave, and fiber optics to satellites. With this technology, information can be disseminated via annunciators, human-machine interfaces (HMIs), e-mail, cellular telephones, and alphanumeric pagers – just to name a few.

North American Hydro sees ethernet radio technology as a valuable tool that many hydro facilities are not fully using. This technology has advanced to be a very secure and high-speed communication medium. The key to a secure radio modem is the use of adaptive frequency hopping, proprietary radio frequencies (RF) packets, two-way authentication, encryption, and data com- pression. Frequency hopping occurs in the 900 megaHertz (MHz) and 2.4 gigaHertz (GHz) bands. In the 900 MHz band, the RF band is divided into multiple operating channels from 902 to 928 MHz, which are hopped through one at a time in a pseudo-random pattern. The 2.4 GHz band (2.4 to 2.4835 GHz) is also divided into multiple channels. These radios typically use a large number of programmable hopping patterns and, with adaptive hopping, the pattern is further modified.

The choice to use either 900 MHz or 2.4 GHz typically is based on distance and data rates. Both bands are now relatively equal in noise immunity. The 900-MHz band has less RF loss than the 2.4-GHz band when passing through objects such as buildings and foliage. Weather conditions in either band are negligible, but weather-related communication interference with moisture penetrating coax cables, antennas flexing with wind, and ice-encased antennas are known to happen in the most severe weather conditions. Transmission ranges are about 20 miles with 900-MHz and 15 miles with 2.4-GHz radios in optimal conditions with line-of-sight and omni-directional antennas. With the use of repeaters, significantly greater distances can be achieved. The 2.4-GHz band is three times larger than the 900-MHz band, facilitating faster data rates. The low power requirements of these radios also make them ideal to be remotely situated and powered with batteries charged by solar panels.

Each time the frequency hops, an RF packet is constructed and transmitted. The packet is synchronous, bi-directional, encrypted, and cyclical redundancy checked. Because the packet size and clock rate are programmable, it has to be identical for all radios.

Manufacturers follow different techniques for data encryption, but all compress the data and use one or more 32-bit cyclical redundancy check words. With error detection and correction, the accuracy of the data is assured or it is rejected.

Radios and other devices that subscribe to the IEEE 802.11 standard for wireless communications are not considered suitable for secure data transmission. A common device that uses this standard is a wireless router. The open architecture of these devices makes them inherently vulnerable to hacking. Because of this shortcoming, 128-bit encryption is frequently used. However, with sophisticated decryption software, it becomes a matter of time before the code is cracked. Data-Linc Group, an industrial network communication company, has reported that at least 10 percent of universal encryption methods can be easily decrypted in less than 24 hours.


Installing surveillance cameras at a hydro project can provide a video record of events that are pertinent for security purposes. (Photo courtesy Longwatch, Inc.)
Click here to enlarge image

To keep a reasonable semblance of security, we recommend obtaining and installing the latest patches (software codes needed to fix a bug) from the manufacturer, as well as maintaining strict control over the codes that control the encryption (typically referred to as WEP keys). WEP, or wired equivalent privacy, is a protocol that adds security based on a cipher called RC4 that uses a combination of secret user keys and values generated using the system being protected. However, based on the standards set by cryptographers, RC4 falls short for a secure cipher in several ways and thus is not recommended for use in SCADA application.

If hydro project owners follow the recommendations above, wireless ethernet radios offer a secure and license-free environment with respectable transmission rates. The currently available data transmission systems offer users real-time performance for SCADA applications with sufficient bandwidth for Voice over Internet Protocol (VoIP) and video capabilities. In general, wireless ethernet radios are not being widely used in the hydro industry. But they are valuable for plants that lack an established infrastructure of copper and fiber cables for data transmission.

An alternative to wireless ethernet radio technology is a wireless remote terminal unit (RTU) called AlarmAgent, made by Raco Manufacturing and Engineering Co. It functions as an alarm, monitoring, and reporting device that uses the maintenance band operated by all cellular telephone providers. Upon an alarm event, the unit can be configured to provide notification by voice (landline or cell) or short message service (better known as text messaging, paging, or e-mail). The wireless RTU is Internet-based, allowing configuration, status, monitoring, control, and reporting to be available through most web browsers. A toll-free telephone number is also offered to retrieve data and control. The advantages of this technology include: the ability to go where land-based systems cannot; its low cost; battery backup; and no cellular provider contract. A limitation of this system is the limited input/output currently available. The unit I am familiar with has eight digital and two universal (4 to 20 milliamps or digital) inputs, and two relay outputs.

We have not yet used the Alarm Agent unit at a hydro facility but are looking into it for our own facilities. This unit is valuable for smaller facilities that do not have supervisory control and data acquisition (SCADA) systems.

Security cameras

A large selection of security cameras is available in a wide price range. For example, a color camera with pan, tilt, and zoom features ranges from less than $500 to thousands of dollars – based on whether it is indoor, conditioned outdoor, analog, IP, night vision, etc.

Typically, any video signal will require a high bandwidth (a high-speed network). However, many existing SCADA systems use low-speed networks (2,400 to 9,600 bits per second) with wireless or leased lines. The latest camera now offered uses scalable technology. With this technology, video images can operate as effectively on 2,400 bits per second networks as on high-speed networks. As the network infrastructure migrates to higher speeds, such as fiber optics, so too can the surveillance system.


Wireless ethernet radios offer a secure environment for transmission of sensitive data. Current systems offer sufficient bandwidth for Voice over Internet Protocol (VoIP) and video capabilities. (Photo courtesy John Stacy, TransTec Consulting Inc.)
Click here to enlarge image

This scalable technology records high-quality video images that can be configured to generate and transmit video event clips from remote locations with pre- and post-event video. Communication is accomplished by emulating the protocol of a programmable logic controller (PLC) or RTU. Therefore, video images can be displayed in the SCADA/HMI system or as a web page. The camera also can send a video image via a cellular telephone. The video enine can be programmed to send and/or record images by event triggers. These triggers – such as motion detectors, door switches, or PLC outputs – are tied to the video engine’s discrete inputs. The system also can perform video image analysis to make any analog camera act as a motion detector.

The key to video surveillance is to only record events that are pertinent for security purposes and to act quickly based on the activity displayed, whether it is attack, vandalism, or sabotage. Most instances that trigger an intrusion are false alarms caused by an animal, wind-blown foliage, etc. Therefore, having a video image triggered by an event provides an effective and efficient means of determining the proper response to a particular situation. Video images also can play a role in safeguarding personnel, especially roving operators or one-person-manned stations.

We have recommended security cameras for many hydro facilities, but many have chosen not to install this technology. We encourage hydro plant owners to revisit this option, as cost has dropped considerably while functionality has increased.

Advice for project owners

LORs provide inexpensive, effective insurance for your facility. MGPRs should be an integral part of the control system at any hydro plant.

Under the right conditions, wireless ethernet radio can be an effective means of communication where the infrastructure is marginal or does not exist.

Finally, although security cameras are not as widely used as we feel they should be, the facilities that do use them find them to be a very effective tool. n

Mr. Purzycki can be contacted at North American Hydro, LLC, 8310 Technology Drive, Schofield, WI 54476; (1) 715-359-0209, extension 15; E-mail: dan. purzycki@nahydro.com.

Dan Purzycki, P.E., is vice president of engineering for North American Hydro LLC. For the past 30 years, North American Hydro has provided security-related consulting and installation services to hundreds of hydro facilities across the U.S.


To access this Article, go to:
http://www.hydroworld.com/content/hydro/en/articles/hr/print/volume-26/issue-6/feature-articles/security/enhancing-powerhouse-security.html