Digital Substation Automation Solution Overview

Updated: April 20, 2022



Digitizing substation operations

Modernize grid operations with secure, enhanced substation networks

Utilities are facing greater challenges than ever before. Their grids are being asked to handle more sustainable, distributed, and variable energy sources. At the same time, they are being buffeted by environmental impacts such as fires and extreme weather conditions. Their business models are evolving as they serve a greater variety of customers. In more developed countries, much of the utility workforce is retiring, creating skill and resource gaps. And they are being asked to expand electrical capacity as the world reduces carbon emissions. All this while their operations are under constant threat from ever-evolving cybersecurity risks.

The Cisco® Substation Automation solution enables utilities to support new business models, meet regulatory requirements, expand capacity, integrate renewable energy sources, reduce operational costs, and reduce risks to grid operations. The solution supports more than just the core supervisory control and data acquisition (SCADA) systems, adding key use cases involving protection of key assets and power management. Its technology upgrades and network management capabilities reduce operational costs by reducing the network footprint and automating key tasks. The network infrastructure is capable of supporting more devices and handling more bandwidth with more resiliency and capabilities, such as time synchronization and hosting applications. The Substation Automation solution builds on the visibility and security of our Grid Security solution. The portfolio meets the needs of a wide range of transmission and distribution substations. The updated solution helps utilities overcome the following challenges:

     Growing number of process and station bus devices with higher bandwidth requirements

     Limited space in substations for equipment

     Need to reduce cybersecurity risks by providing visibility into and segmentation of substation devices and communication

     Lack of networking skills in grid operations

     Requirements to integrate and monitor legacy devices

     Regulatory requirements, especially NERC-CIP security

     Need to scale to support more substations

The Substation Automation solution helps utilities overcome these challenges and lays the foundation for more reliable, sustainable, efficient grid operations at a lower cost. Key features of this solution include:

     More ports and faster speeds: Introduction of the IEC 61850-3 and IEEE 1613 compliant Cisco Catalyst® IE9300 Rugged Series switches with 28 Gigabit Ethernet fiber ports for secure, reliable, low-latency station and process bus communication

    Higher density: Backplane is stackable up to eight units

     Multifunctional router: Introduction of IEC 61850-3 and IEEE 1613 certified Cisco Catalyst IR8340 and IR1101 rugged routers for a combination of scalable WAN connectivity, firewall security, and application hosting in a variety of substations

    Greater security: Supports a range of features, including Zone-Based Firewall and Universal Threat Defense (UTD) with IPS/IDS, Cisco TrustSec, IEEE 802.1X Network Access Control, Cisco Trust Anchor, visibility of Substation Automation devices and communication, and MACsec

     Flexibility: Highly modular platforms to support switching, routing, synchronization, and edge compute needs

     High Availability: Support for lossless network topologies and protocols such as High-Availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP), as well as Resilient Ethernet Protocol (REP)

     Precision: Support for substation-wide time synchronization, such as 2017 IEEE Precision Time Protocol - Power Profile

     Critical functions: Support for substation communications such as IEC 61850, Modbus and Distributed Network Protocol 3 (DNP3)

     Simplicity: Range of management options, including Cisco DNA Center for switching and Cisco vManage for SD-WAN routing capabilities

     Enhanced grid security: Updates to the Grid Security solution with MACsec support

The following sections provide an overview of the key additions to the solution: the new infrastructure, new network management options (Cisco DNA Center and vManage for SD-WAN), cybersecurity updates, and a review of the new Substation Automation reference architecture.


Digital Substation solution:

     Improves grid reliability and safety

     Supports the move to sustainable energy sources

     Reduces operational costs and improves efficiency

     Manages power quality

     Protects critical grid assets

     Reduces risk and meets regulatory compliance

     Enhances security

New infrastructure: More capability, higher performance, smaller footprint

The Substation Automation solution includes an enhanced network infrastructure for modern grid and substation automation. The addition of new industrial routers and switches will help utilities improve grid operations and security as well as reduce costs. The new infrastructure supports more features, more connectivity, higher performance, and more management options than the previous network infrastructure, in a similar or smaller footprint and with fewer boxes. This will enable utilities to connect more devices with higher bandwidth requirements, support more resilient topologies, improve cybersecurity, and more easily deploy and manage their networks—at scale and with lower operating costs.

The key additions to the network infrastructure include the IE9300 switches and IR8340 router for primary substation networks. Each supports utility-specific features, including:

     IEC 61850-3, IEEE 1613, and IEC 62443 certifications

     Support for the IEEE Precision Time Protocol – Power Profile (2017)

     Support for the HSR and PRP lossless resiliency protocols on both the IE9300 switch and the IR8340 integrated switch

The solution also introduces the IR1100 Rugged Series router to interconnect secondary substations and monitor distributed critical assets.

Cisco Catalyst IE9300 Rugged Series rack-mount, stackable industrial switches

The IE9300 was designed as an industrial edge switch for substation station and process bus networks. Key capabilities include:

     Industrial rack-mount, high-density switch with 28 fiber and SFP Gigabit Ethernet ports to securely and reliably connect substation devices and assets

     Ability to stack up to eight units and manage them as one device for increased density and resiliency

     Rich cybersecurity, with support for MACsec, TrustSec, IEEE 802.1X, and Cisco Trust Anchor, and the ability to operate Cisco Cyber Vision sensors

     Improved visibility and telemetry, with support for full Flexible NetFlow and Next-Generation Network-Based Application Recognition (NBAR2)

     Range of management options, including Cisco DNA Center, running the software-defined Cisco IOS® XE operating system, and support for SD-Access fabric edge

Figure 1. IE9300 Rugged Series switch models

Cisco Catalyst IR8340 Rugged rack-mount industrial router

The IR8340 is a high-end, flexible substation router to securely interconnect substation networks to the utility WAN and eventually the operations center. Its range of functions (switch, router, compute, timing, and firewall) allows for consolidation of network and security infrastructure devices, saving critical space and cost in tight substation designs. Its key features include:

     Modular design to support a range of connectivity, with modules for LTE and 5G, GPS, WAN (E1/T1) lines, and serial ports

     Timing module to handle a variety of timing inputs and outputs

     Integrated switch with 14 (mixed fiber and copper) Gigabit Ethernet ports to connect process and station bus and multiservice networks with Power over Ethernet (PoE) on four copper ports

     Integrated compute and storage to support edge (Cisco IOx) applications

     Cybersecurity support for Zone-Based Firewall, Universal Threat Defense (UTD) with IPS/IDS, various VPN technologies, MACsec, TrustSec, IEEE 802.1X, Cisco Trust Anchor, and the ability to operate Cyber Vision sensors to support the electronic security perimeter role, reducing the need for a separate firewall

     Range of management options, including Cisco DNA Center, vManage for SD-WAN, and the software-defined Cisco IOS XE operating system

Figure 2. Features of the IR8340 router

Cisco Catalyst IR1100 Rugged Series DIN-rail-mount industrial router

The Cisco Catalyst IR1101 Rugged Router is a compact, flexible industrial router for secure connectivity of secondary substations and remote monitoring of distributed assets. Its range of functions (switch, router, compute, and security) allows for consolidation of network and security infrastructure devices, saving critical space and cost in tight designs. Its key features include:

     Modular design to support a range of connectivity, with modules for LTE and 5G, GPS, WAN, and serial ports

     Expansion modules to add switch ports, serial ports, local storage, and WAN redundancy

     Integrated switch with four copper Fast Ethernet ports and one Gigabit Ethernet WAN port to connect secondary substation and remote asset devices

     Support for raw socket, which can be used to transport SCADA data from Remote Terminal Units (RTUs)

     Support for DNP3 and IEC 60870 substation protocol translations

     Integrated compute and storage to support edge (Cisco IOx) applications

     Cybersecurity support for zone-based firewall, MACsec, various VPN technologies, TrustSec, IEEE 802.1X, Cisco Trust Anchor, and the ability to operate Cyber Vision sensors to support the electronic security perimeter role, reducing the need for a separate firewall

     Range of management options, including Cisco DNA Center, vManage for SD-WAN, and the software-defined Cisco IOS XE operating system

Figure 3. Features of the IR1101 router


Cisco DNA Center and vManage improve industrial operations by:

     Increasing grid uptime and asset utilization

     Lowering operational costs

     Simplifying network management for IT and OT

     Increasing security

     Helping ensure network performance

Automated, scalable network management

A key challenge facing utilities in their digitization initiatives is deploying and managing the substations in their network at scale. A substation automation system may often cover hundreds or thousands of substations with thousands of switches, routers, and firewalls, all interconnected via large WANs. Deploying and managing these networks is a very significant challenge, especially given the lack of networking expertise in field personnel. The substation and network equipment is located in unmanned substations and therefore must be remotely managed. The network and its reliable operation are critical to grid operations.

Our Substation Automation solution applies the best of Cisco’s management tools and capabilities to help utilities manage large deployments of substation network infrastructure. Cisco DNA Center manages substation switches, routers, and wireless infrastructure. Cisco vManage focuses on the WAN network and substation routers and enables SD-WAN to fully automate the WAN operations, using a software-defined WAN controller.

Cisco DNA Center for the digital substation

Adding Cisco DNA Center to the Substation Automation solution brings new capabilities to manage and operate the network infrastructure in and around the substation. It adds the ability to centrally (on-premises) configure and manage the various networks in the substations as part of the substation operations. Key challenges Cisco DNA Center helps overcome include:

     Reducing manual operations and simplifying activities with automated workflows and templates to streamline the configuration and maintenance of network deployments

     Reducing network and grid downtime with network assurance that provides proactive monitoring, predictive maintenance, and guided remediation of network issues

     Reducing discrepancies in network and security configurations with compliance checks on network operating system and configurations

Cisco DNA Center has two key capabilities that are valuable to the operations of a digital substation.

First, the Automation features allow utilities to consistently and securely configure and maintain the networks in the substations, at scale. From the start of the transition to standards-based networking for substation networks, the operations teams have lacked the skills and expertise typically found in IT networking organizations. The Industrial Ethernet infrastructure is often installed and maintained by personnel with minimal networking background. Cisco DNA Center focuses on deploying and maintaining network infrastructure with automation, bringing consistency, reduced effort, and reliance on simplified workflows for both IT and OT personnel.

Key use cases supported by Cisco DNA Center Automation features include:

     Discovers existing network infrastructure devices, adds devices to the inventory, and establishes telemetry (for example, Simple Network Management Protocol [SNMP], syslog, and end-device tracking)

     Provides a network topology view with key status information

     Automatically detects and provisions new network infrastructure with Network Plug and Play

     Backs up network configurations and replaces malfunctioning network infrastructure (RMA process)

     Checks for inconsistent configurations and deploys updates consistently and at scale

     Deploys Quality-of-Service (QoS) values based on templates

     Deploys network software images and patches automatically and at scale

     Performs compliance checks for configurations and software images

     Deploys applications onto the edge-capable network infrastructure

     Prepares the network infrastructure for deployment of Cyber Vision sensors

     Maintains an audit log for all network changes for accountability

Figure 4. Cisco DNA Center network automation functions

Second, Cisco DNA Center Assurance features allow IT and OT teams to monitor the network infrastructure and connectivity status of end devices. Outages and downtime in production environments result in significant loss, whether caused by network failures, human error, or equipment failure. Bringing production networks back online quickly reduces the impact. Cisco DNA Center Assurance features and functions help IT and OT quickly identify network outages or performance issues and resolve them. The key use cases this solution incorporates include:

     Discovering the network infrastructure and network topology and visualizing them in easy-to-configure views

     Collecting and analyzing network telemetry information, including SNMP, syslog, and IPFIX and NetFlow data

     Identifying and profiling end devices connected to the network and their connectivity status, including substation devices, sensors, Intelligent Electronic Devices (IEDs) and RTUs, as identified by Cyber Vision and communicated via Cisco Identity Services Engine (ISE)

     Proactively identifying issues in the network that impact grid operations

     Collecting contextual information for accurate root-cause analysis without the need to re-create the issue

     Helping step through remediation options to speed issue resolution

     Examining VLAN settings to solve reachability issues

     Providing network and device health monitoring status and history

     Using a machine reasoning engine to accelerate remediation of issues

     Providing security compliance views to indicate potential risks

     Providing tools such as path trace and packet capture to aid in problem resolution

     Enabling customization to allow OT- and IT-specific roles based on feature set and location or site

Figure 5. Overview of key Cisco DNA Center Assurance processes

vManage and SD-WAN for the digital substation

With Cisco SD-WAN, IT can deliver routing, threat protection, efficient offloading of expensive circuits, and simplification of WAN network management. SD-WAN features include:

     High availability, with predictable service, for all critical applications and multiple hybrid active-active links for all network scenarios

     Dynamically routed application traffic with application-aware routing, for efficient delivery and improved experience

     Improved OpEx, replacing or augmenting expensive Multiprotocol Label Switching (MPLS) services with more economical and flexible broadband (including secure VPN connections)

     Security focus, with application-aware policies and end-to-end segmentation (both macro and micro) and real-time access control

     Secure traffic across broadband internet and into the cloud, with automatic certificate-based VPN and zero-touch secure onboarding

     Integrated threat protection enforced at the right place, with distributed security to the substation and remote endpoints with Cisco Secure Firewall, DNS security, and next-generation antivirus

Cybersecurity for the substation

Cisco introduced the Cisco Validated Design (CVD) for Grid Security in 2020. The Grid Security CVD provides a holistic cybersecurity architecture to protect utility networks and processes while addressing the key security and compliance concerns of utility grid operators. The solution is applicable to substation and distribution automation. The updated Substation Automation solution reflects and enhances the concepts and models of the Grid Security CVD. The Substation Automation solution incorporates the new network infrastructure and tools into the Grid Security reference architecture, including:

     Incorporating the IR8340 substation router as the firewall to establish the electronic security perimeter for critical substation process and control networks and systems

     Incorporating the IR8340 router and IE9300 switch, which are capable of running Cyber Vision sensors to provide visibility into and monitoring of substation devices and communication from a cybersecurity perspective, as well as supporting a range of network security features such as Cisco TrustSec, MACsec encryption, full Flexible NetFlow, 802.1X network access control, and IEC 62443 4-1 and 4-2 certification

     Easy and simple support for macro- and micro-segmentation and advanced security with vManage and SD-WAN

     Cisco DNA Center, interfacing with Cyber Vision and ISE, to help secure your operations by:

    Establishing a security profile to manage the industrial network

    Creating authentication and authorization policies in ISE

    Visualizing connected industrial assets in Cisco DNA Center as discovered and profiled by Cyber Vision and grouped in ISE

    Monitoring communications patterns between asset groups using NetFlow traffic and helping define and validate access policies

    Creating and managing cybersecurity segmentation policy (TrustSec and Scalable Group Tags [SGTs]) for the substation network

    Enabling deployment of policies with confidence and segmenting the network to restrict unnecessary access

    Allowing the use of other Cisco security applications such as Cisco Umbrella®, Secure Network Analytics (Stealthwatch), and SecureX for further enterprise security integrations

Figure 6. Cisco Cyber Vision integration with Cisco DNA Center and Identity Services Engine

Grid Security CVD


     Builds a dynamic inventory of substation devices and their communication patterns

     Segments communications within the Industrial Zone and Industrial Demilitarized Zone (IDMZ)

     Monitors and detects abnormal substation behaviors

     Contains malware and other attacks

     Integrates operational and enterprise security

Substation Automation reference architecture

The Substation Automation reference architecture depicts the core network and security infrastructure needed for reliable, secure substation automation.

Figure 7. Substation Automation reference architecture

Key design and implementation considerations

The Substation Automation reference architecture represents a significant update to substation automation operations, including:

     Added the Catalyst IE9300 ruggedized, rack-mount switch as an industrial access switch to the architecture, along with the IE2000, IE3x00, IE4000, and IE5000 platforms

     Added the IR8340 ruggedized, rack-mount modular router and integrated switch for primary substation interconnection with WAN and the operations center

     Added the new IR1100 ruggedized, DIN-rail modular router as the WAN connectivity for secondary substations and critical asset monitoring

     Enabled deployment of the Cisco DNA Center on-premises appliance and software as part of the operations center to monitor and manage network infrastructure in the substation

     Enabled an SD-WAN option for the utility WAN

     Added the ability to interface Cisco DNA Center with ISE and integrate substation device information discovered by Cyber Vision into ISE

The solution is designed to meet the demanding requirements of substation operations. The solution guidance provides customers, partners, and system implementers with design and implementation guidance to successfully deploy a Cisco network infrastructure and technologies. It supports key substation automation requirements, including:

     Support for a range of substations: Transmission and distribution

     Support for process and station bus communications; IEC 61850 Manufacturing Message Specification (MMS), sample values and Generic Object-Oriented Substation Events (GOOSE); Wide-Area Monitoring Systems (WAMS); DNP3; Modbus/TCP; etc.

     Resilient network topologies supporting a range of lossless (HSR, PRP) and fast ring (Resilient Ethernet Protocol [REP]) resiliency protocols

     Power Profile-based precise timing distribution across the substation network based on a variety of timing inputs

     Legacy device interconnectivity via serial ports and backhauled to operations centers

     Support for legacy SCADA devices – transition from serial/Time Division Multiplexing (TDM) to IP

     Support for teleprotection and power management (synchrophasor/Phasor Measurement Unit [PMU], volt-VAR) applications

     Cybersecurity support for NERC Critical Infrastructure Protection (CIP) compliance, including:

    Provides visibility into substation devices and communications

    Protects and segments substation devices and communications, including establishment of electronic security perimeter

    Detects and responds to security and network anomalies

    Provides data privacy and protection

    Enables secure remote access

     Ability to proactively identify WAN/LAN network issues and receive remediation suggestions and consistently configure and maintain network infrastructure

     Guidance on refreshing legacy networking equipment

Digital Substation CVD

Key use cases:

     Secure and resilient connectivity for process and station bus equipment in primary substations

     Support for connectivity of secondary substation and multiservice networks

     Automated and proactive network management

     Visibility of substation end devices and communications

     WAN interconnectivity via cellular, MPLS, or SD-WAN

     Secure remote access to production assets

     Availability of Industrial Automation and Control System (IACS) devices and data for IoT applications


Cisco’s Substation Automation solution helps utilities overcome key challenges, such as increased demand for electricity and integration of variable and distributed “sustainable” sources of energy while being buffeted by ever more extreme environmental conditions and evolving business models. Our solution significantly improves grid operations while reducing operational costs and improving the cybersecurity of the substation. It meets the demanding requirements of the harsh substation conditions in process and station bus systems, such as lossless, no-single-point-of-failure resiliency and Power Profile timing synchronization. The solution provides design and implementation guidance to help customers, implementers, and partners to confidently deploy networking solutions for critical infrastructure. We test the solution with substation equipment and applications from a range of vendors and a wide variety of substation protocols. We introduce new network infrastructure and technology, including switches and routers, with unparalleled performance at scale, leveraging Cisco’s cybersecurity technology and simple, scalable management options to reduce operational effort and increase uptime. It’s time to refresh the substation network and provide a platform

Learn more

For more on the Substation Automation solution, visit the Cisco Utilities Solution page. For more on the Grid Security CVD, please read the Design Guide and Implementation Guide.



