
Critical infrastructure protection for the smart grid

Enabling high-performance utilities

By Sharon Allan, Eric Trapp and Anthony “David” Scott

Smart grids offer many benefits, including reduced energy consumption and costs and increased reliability and transparency. But as utilities increase their capabilities by transforming their analog, one-way digital power grids to bi-directional, digital smart grids, certain risks increase and utilities will have to devote more resources and attention to protecting the reliability of the grid.

Risks arise along many fronts, including: fraud, by corrupting data in order to avoid paying for electricity; privacy, by accessing customer accounts; and disruption, by corrupting assets on the network in an attempt to make all or part of the grid behave incorrectly. Since the smart grid is both a commercial asset and a national security target, robust security is critical to prevent disgruntled employees, foreign agents, and others from compromising the grid.

This paper lays out the smart grid cyber security challenges for utilities. It offers principles that will be useful to utility executives as they design, build, and monitor their piece of this national security asset.

Cyber incidents proliferate

The issue of cyber attacks is not academic; breaches in the U.S. grid have been detected and documented, and others have possibly gone undetected, leaving backdoors open for an intruder to attack at will. The US Department of Energy recently warned that computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data.[1] The report’s release came on the heels of news from a European engineering firm that it detected an attack targeting electric grids, subways, and air-traffic control. Cyber attacks in other countries have actually disabled the grid (see sidebar, “Attacks large and small”).
Attacks large and small

• The Central Intelligence Agency has issued alerts about the threat of cyber warfare, including forays by agents in China and Russia that penetrated and thus “owned” American utility networks. Many of these intrusions were detected not by utilities but by intelligence agencies.[2]

• Concerned about inadequate security, in 2007 the U.S. Dept. of Energy researchers in partnership with the U.S. Dept. of Homeland Security launched an experimental, yet realistic, cyber attack dubbed “Aurora”. The simulated attack caused a generator to self-destruct by exploiting vulnerabilities found in the grid.

• CBS’s “60 Minutes” reported that a series of cyber attacks occurred in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007. That one, in the state of Espirito Santo, affected more than 3 million people in dozens of cities over a two-day period, causing major disruptions. In Vitoria, the world's largest iron ore producer had seven plants knocked offline, costing the company $7 million. The perpetrators were never discovered.[3]

• A recent survey of utility executives by LogLogic reported that half of utilities experience more than 150 attacks per week.[4]

The perimeter of risk is expanding

The smart grid consists of two-way communication from the point of generation to the point of consumption. Examples of grid networks include substation local area networks (LANs), home area networks (HANs), transmission operations LANs, business area networks (BANs), and bulk power control system LANs. Grid components include master terminal units (MTUs), wired and wireless wide area network components, feeders, capacitor bank controllers, photovoltaic hybrid electric vehicles (PHEVs), and advanced metering infrastructure (AMI).
Think of the smart grid as an intelligent ecosystem that exchanges data and energy throughout the bulk generation plants, transmission centers, distribution centers, and customer premises.

Development of the U.S. smart grid stems largely from the Energy Independence and Security Act (EISA) of 2007, which directs the National Institute of Standards and Technology (NIST) to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems.”

Spurred in part by federal stimulus funding and state and federal mandates, many utilities now are aggressively rolling out AMI. Other utilities are deploying networked communications and control to large scale storage, feeder switches, as well as clean generation sources such as wind and solar.

In the European Union, the European Programme for Critical Infrastructure Protection (EPCIP) and the International Organization for Standardization (ISO) 27000 series are helping to steer the direction of smart grid security. In the United States, two major federal coordination efforts are helping to guide the direction of smart grid security: the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) regulations and the NIST Interagency Reports (NISTIR) 7628 recommendations.

NISTIR 7628 references the Federal Information Processing Standard (FIPS) publication 200, which defines a cyber incident as “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system stores, processes, or transmits or that constitutes a violation or imminent threat of violations of security policies, security procedures, or acceptable use procedures.” An example of an accidental occurrence is the 2003 blackout that left 45 million people in eight Northeast U.S. states without electric power. The effects of the blackout and the risk of other cyber incidents, intentional or unintentional, underline the importance of critical infrastructure protection for the grid.

Because the smart grid is a “system of systems” across generation, transmission, distribution, and consumption, the expanded power system boundary creates additional points of exposure. This raises concerns around confidentiality, availability, privacy, access, anonymity, and integrity. Privacy advocates, for example, paint the scenario of rogue marketers using meter information to determine energy consumption habits or how many people live at a particular address. Consumers will be reluctant to embrace smart metering if their privacy concerns about access to billing, personal identity, and power consumption data are not adequately addressed.

An end-to-end, layered security approach should ensure that end user communication is encrypted, and that the system features strong authentication in the interfaces between equipment and data. Figure 1 depicts a high-level overview of the smart grid followed by a list that details recommended security controls to have in place at the various points along the grid.

Traditional enterprise IT controls alone won’t suffice for the smart grid; tight security must also be in place for industrial control systems (ICS) such as supervisory control and data acquisition (SCADA), and physical security such as cameras, badge access, and perimeter security.

Advanced metering will add hundreds of thousands or even millions of two-way communication devices to the utility’s responsibility in the form of smart meters, data collectors, and theft detection sensors. To avoid potential misuse of these devices or introduction of rogue devices to the network, utilities will have to implement controls such as automated asset management, intrusion detection and device authentication.

Industry IT departments, moreover, have a diverse set of standards, regulations, recommendations, and legislative requirements to adhere to.[5] This diversity of governance complicates matters as much as it advances the cause because compliance with one regulation may not be sufficient to meet—and in some cases may even conflict with—other regulations or guidance.

Even the best legislation can fall short of addressing all of the risks. Utilities, suppliers, and other private sector players have to map out and implement a much higher level of security in their own systems. They’ll have to collaborate as well—particularly on the interoperability of individual vendor devices and solutions—in order to improve security for the entire interconnected grid.

Figure 1: Smart grid critical infrastructure protection architecture details points of exposure and options for placement of security controls

Areas shown: Neighborhood Area Network (NAN); SCADA, Operations and Enterprise; In Home Display (IHD); Local Area Network (LAN); Portal; HAN; Egress/Ingress

Security controls listed:
• Logging and audit features
• Monitoring of data integrity features
• Server security
• Pairing 1-1 relationship between meters, End-to-end unique IDs
• Rogue device identification
• AES 128 - 256 encryption for secure data transmission
• Critical data-like readings will be encrypted with AES 256
• User authentication using LDAP
• Account and access management
• Certificate-based authentication between IHD and meter
• Use of IPSec and SSL/TLS for communications with access points, TGBs, WAN access points
• Encrypted communication (SSL)
• Data protected during transit and store
• Physical security to protect access points
• Data pull from MDM and data repositories
• Web services and application level security
• Wireless Personal Area Network (WPAN) with integrated wireless or wired communication
• PCI compliant for use of credit card
• Firewalls to protect network communications
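An added example, not part of the original paper, of how the asset-management, device-authentication, rogue-device-identification and 1-1 pairing controls named above can be combined into one check on incoming meter messages. The device IDs, keys, message layout and function names are constructed for illustration, and a per-device HMAC key stands in for the certificate-based authentication the figure lists.

```python
import hashlib
import hmac

# Constructed asset inventory: meter ID -> (per-device key, paired IHD ID).
# All IDs and keys are made-up sample values.
INVENTORY = {
    "MTR-0001": (b"key-for-meter-0001", "IHD-0001"),
    "MTR-0002": (b"key-for-meter-0002", "IHD-0002"),
}

def sign(key: bytes, meter_id: str, ihd_id: str, reading: str) -> str:
    """HMAC-SHA256 tag a commissioned meter attaches to each message."""
    msg = "|".join((meter_id, ihd_id, reading)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def classify(msg: dict) -> str:
    """Return 'ok' or the reason the message is flagged."""
    entry = INVENTORY.get(msg["meter"])
    if entry is None:
        return "rogue-device"          # ID absent from the asset inventory
    key, paired_ihd = entry
    expected = sign(key, msg["meter"], msg["ihd"], msg["reading"])
    if not hmac.compare_digest(expected, msg["tag"]):
        return "auth-failure"          # known ID, wrong key or altered data
    if msg["ihd"] != paired_ihd:
        return "pairing-violation"     # breaks the 1-1 meter/IHD pairing
    return "ok"

def make(meter: str, ihd: str, reading: str, key: bytes) -> dict:
    """Build a constructed sample message signed with the given key."""
    return {"meter": meter, "ihd": ihd, "reading": reading,
            "tag": sign(key, meter, ihd, reading)}

# Constructed observed traffic covering each outcome.
OBSERVED = [
    make("MTR-0001", "IHD-0001", "412.7", b"key-for-meter-0001"),
    make("MTR-0099", "IHD-0001", "0.0", b"unknown-key"),
    make("MTR-0002", "IHD-0002", "388.1", b"wrong-key"),
    make("MTR-0002", "IHD-0001", "388.1", b"key-for-meter-0002"),
]

def audit(messages: list) -> list:
    """Pair each message's meter ID with its verdict."""
    return [(m["meter"], classify(m)) for m in messages]

if __name__ == "__main__":
    for meter, verdict in audit(OBSERVED):
        print(meter, verdict)
```

Because the tag covers the reading as well as the IDs, a reading changed in transit is reported as an authentication failure rather than accepted.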