Summer Workshop on Cyber Security
Smart Grid Cyber Security (Part 2)
Dr. Hamed Mohsenian-Rad
University of California at Riverside and Texas Tech University
August 12- 16, 2013
Supported by National Science Foundation
Smart Grid Cyber Security
• IT technologies can make the grid smart!
– Real time monitoring (PMUs, Smart Meters)
– Advanced information analysis (Big Data)
– Automated control (Self-healing, Smart Actuators)
• Can these technologies can the grid vulnerable!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
2
Smart Grid Cyber Security
• USA TODAY on July 11, 2013:
Spooked by NSA, Russia reverts to paper documents!
… officials at Kremlin recently ordered 20 typewriters.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
3
Smart Grid Cyber Security
• In smart grid, we are doing the opposite:
• Can the 2003 blackout happen again, intentionally?
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
4
Privacy and Security Concerns
• For the rest of this workshop we will study
“Privacy”
and
“Security”
• These are different but related smart grid issues.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
5
Smart Meters and Privacy
• Q: What is the difference between these two?
– Traditional Meter
– Smart Meter
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
6
Smart Meters and Privacy
• Q: What is the difference between these two?
– Traditional Meter
Total Load
– Smart Meter
Load Profile
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
7
Smart Meters and Privacy
• Residential load profile:
www.nist.org
Power Consumption (kW)
Peak: 7.18 kW
Mean: 0.49 kW
Total Consumption: 11.8 kWh
Time of Day
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
8
Smart Meters and Privacy
• Residential load profile:
Hob Heaters
Over Preheating
Heating Cycles
Toaster
Kettle
Washing
Machine
Kettle
www.nist.org
Power Consumption (kW)
Peak: 7.18 kW
Mean: 0.49 kW
Total Consumption: 11.8 kWh
refrigerator
Time of Day
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
9
Smart Meters and Privacy
• Every home appliance has a load signature.
• The load profile can reveal your life style.
• Q: Does it concern you?
• See: http://www.youtube.com/watch?v=8JNFr_j6kdI
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
10
Smart Meters and Privacy
• Example 1: Criminals can use the data
• To schedule burglary
• They can figure out if you are not at home.
• House alarm systems have their own signature
• Pre-identify what items they want to steal.
• Plasma TVs have their own signature.
• Laptop computers have their own signature
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
11
Smart Meters and Privacy
• Example 2: Privacy violation
• Your living pattern can be revealed
• When you wake up.
• When you take shower
• When you watch TV
• You can even tell what TV program / movie is watched!
• Fluctuations at brightness of movies  Load changes!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
12
Smart Meters and Privacy
• Example 3: Healthcare companies can
• Determine which medical devices you used.
• Pre-existing conditions
• Different insurance rate
• Example 4: Your landlord can tell
• How many people live here. When you have a party!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
13
Smart Meters and Privacy
• Here we are facing two problems:
Network
Utility Servers
Smart Meter
Hacker
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
14
Smart Meters and Privacy
• To avoid third party access to the metering data:
– Data encryption at smart meters.
– Message authentication at utility servers.
• Typical security solutions, just like Credit Card data!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
15
Smart Meters and Privacy
• Q: How about protection against utilities?
– You may not want the utilities to know your life style.
• They may sell your information!
– But they do need to know your load profile!
• Q: Can you think of any cyber security solution?
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
16
Smart Meters and Privacy
• Local renewable generation can help mask data
Rest of the AMI
Network
Smart
Meter
Meter reading = Load – Local Renewable Generation
Stochastic Nature
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
17
Smart Meters and Privacy
• Another solution is to use local batteries
Meter reading = Load – Battery Discharge + Battery Charge
• Set the charging schedules to hide signatures!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
18
Smart Meters and Privacy
• Q: Any other “power systems” solution?
• Our key message so far:
Combine Power Systems and Information Systems Solutions.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
19
Cyber Security Concerns
• Privacy is a valid concern for consumers.
• But there are also some serious security concerns:
– What if hackers alter Smart Meter and PMU data?
– What if hackers take control of automation system?
–…
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
20
Cyber Attacks against Smart Grid
Communications Infrastructure
• In smart grid, all sectors interact via two-way communications:
Generation
Distribution
& Control
Consumption
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
21
Cyber Attacks against Smart Grid
Cyber Attack
(Type I)
Cyber Attack
(Type II)
Cyber Attack
(Type III)
Communications Infrastructure
• In smart grid, all sectors interact via two-way communications:
Generation
Distribution
& Control
Consumption
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
22
Cyber Attacks against Smart Grid
Cyber Attack
(Type I)
Easier to
Hack
Cyber Attack
(Type II)
Cyber Attack
(Type III)
Communications Infrastructure
• In smart grid, all sectors interact via two-way communications:
Generation
Distribution
& Control
Consumption
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
23
Cyber Attacks against Smart Grid
Cyber Attack
(Type I)
Cyber Attack
(Type II)
Cyber Attack
(Type III)
Communications Infrastructure
• In smart grid, all sectors interact via two-way communications:
Generation
Distribution
& Control
Larger
Scale
to be
Effective
Consumption
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
24
Cyber Attacks against Smart Grid
Cyber Attack
(Type I)
Cyber Attack
(Type II)
Cyber Attack
(Type III)
Communications Infrastructure
• In smart grid, all sectors interact via two-way communications:
Generation
Distribution
& Control
Consumption
Hacking a Power Plant = Hacking Multiple Thousands of Meters
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
25
Type I Cyber Attacks
• This type of attacks affect the operation of generators.
• Turning off/on a generator can imbalance supply and demand.
• Generally speaking:
– Supply < Demand
Frequency < Nominal
– Supply > Demand
Frequency > Nominal
• Ripple effect is usually a major problem in such cases.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
26
Type I Cyber Attacks
• Although such attacks are complex and need resources:
In January 2008, the Central Intelligence Agency reported
knowledge of four disruptions, or threatened disruptions,
by hackers of the power plants for four cities [Amin 2010].
• We need to highly protect access to power plants:
– Physical Access
– Cyber Access
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
27
Type I Cyber Attacks
• Any remote access should be controlled by firewalls:
• Consider both remote data and local measurements.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
28
Type I Cyber Attacks
• Q: How about distributed generators (DGs)?
– Smaller generation units such as wind farms.
– They may use market or weather information for planning.
• Smaller generation units are typically less protected.
• A distributed attack may target a group of DGs.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
29
Type I Cyber Attacks
• This type of attacks affect the operation of generators.
• Turning off/on a generator can imbalance supply and demand.
• Generally speaking:
– Supply < Demand
Frequency < Nominal
– Supply > Demand
Frequency > Nominal
• Ripple effect is usually a major problem in such cases.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
30
Type II Cyber Attacks
• Attacks against distribution and control systems.
Sensors
Control & Monitoring
Centers
Actuators
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
31
Type II Cyber Attacks
• Attacks against distribution and control systems.
Sensors
Control & Monitoring
Centers
Actuators
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
32
Type II Cyber Attacks
• Attacks against distribution and control systems.
Sensors
Control & Monitoring
Centers
Actuators
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
33
Type II Cyber Attacks
• Attacks against distribution and control systems.
Sensors
Control & Monitoring
Centers
Actuators
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
34
Type II Cyber Attacks
• Attacks against distribution and control systems.
Sensors
Control & Monitoring
Centers
Actuators
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
35
Type II Cyber Attacks
• Attacks against distribution and control systems.
Sensors
Control & Monitoring
Centers
Actuators
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
36
Hacking PMUs
• Q: Any suggestion on hacking a PMU?
GPS Satellite
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
37
Hacking PMUs
• Q: Any suggestion on hacking a PMU?
GPS Satellite
• Department of Homeland Security released a report in July
2013 about GPS Systems vulnerabilities to jamming attacks.
* Example: Newark Airport Incident in 2010.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
38
Hacking PMUs
• Q: Any suggestion on hacking a PMU?
PMU 1
t
t+∆
PDC
PMU 2
t
PMU 3
• With invalid time-stamp, GPS data is useless or misleading.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
39
Hacking PMUs
• A typical GPS jamming attack only enters a random time error.
• A more advanced attack may inject a specific false data.
Compromised
PMU Reading
True
PMU Reading
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
40
Hacking Network Devices
• A similar attack can be designed against network equipment.
Sensors
Control Center
Source Spoofing
Content Spoofing
• We need to do source and message authentication.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
41
Denial of Service Attack
• A similar attack can be designed against network equipment.
Sensors
Control Center
DoS Attack
• A cyber attack can be as simple as
– Congesting the routers or overloading the PMU servers!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
42
False Data Injection Attacks
• We need to do our best to protect sensor data.
• But what if an attack goes through? Are we done?
• Power Systems Solution:
PMUs readings should add up!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
43
False Data Injection Attacks
• The power grid is a circuit governed by rules of physics!
Bus 1 ϴ 1
L1
P31  P32  L3  0
P31
L3
P32
G2 ~
Bus 2
Bus 3
ϴ3
P31  B31  3  1 
P32  B32  3   2 
ϴ2
• What you observe at different locations should be consistent!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
44
False Data Injection Attacks
• Example: It is not enough to just hack PMU 1:
(2)
– PMUs 4 and 6 need to be hacked too.
– Or the attack will be detected!
(3)
(1)
(4)
(6)
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
(5)
45
False Data Injection Attacks
• Operator’s Viewpoint: Operator has limited resources.
(2)
– Only 5 PMUs can be protected.
– Which ones?
– This is a “hot” problem.
(3)
(1)
(4)
(6)
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
(5)
46
False Data Injection Attacks
• Attacker’s Viewpoint: Attacker has limited resources.
(2)
– Only 2 PMUs can be hacked at a time.
– Which ones?
– This is a “hot” problem.
(3)
(1)
(4)
(6)
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
(5)
47
False Data Injection Attacks
• Attacker’s Viewpoint: Attacker has limited resources.
(2)
– Only 2 PMUs can be hacked at a time.
– Which ones?
– This is a “hot” problem.
(3)
(1)
(4)
Combine Power Systems &
Information Systems Solutions.
(6)
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
(5)
48
Hacking Control Centers
• Any remote access should be controlled by firewalls:
• This would be as complicated as hacking a power plant!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
49
Hacking Actuators
• Actuators or commands sent to actuators can be hacked:
Control Centers
Actuators
Source Spoofing
Content Spoofing
• We need to do source and message authentication.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
50
Type III Cyber Attacks
• Q: If someone hacks his own smart meter to pay less, then
– Is it a Type II or Type III cyber attack?
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
51
Type III Cyber Attacks
• Q: If someone hacks his own smart meter to pay less, then
– Is it a Type II or Type III cyber attack?
• A: Type II. Because smart meters are a class of sensors and
altering the reading of a sensor is by definition a Type II attack.
• Q: Then what is a Type III attack?
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
52
Type III Cyber Attacks
• A Type III attack actually affects the load sector.
– One of the standard Type III attacks is “load altering attack”.
• Load altering attack is an attack against demand response.
• Q: Can you guess how this attack may work?
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
53
Load Altering Attacks
• There is a growing interest towards using automated energy
management systems that respond to time-varying prices:
Communications Infrastructure
Power Infrastructure
User’s Energy
Needs
xa : Energy consumption schedule for appliance a.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
54
Load Altering Attacks
• There is a growing interest towards using automated energy
management systems that respond to time-varying prices:
Price Information
Communications Infrastructure
Power Infrastructure
User’s Energy
Needs
xa : Energy consumption schedule for appliance a.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
55
Load Altering Attacks
• There is a growing interest towards using automated energy
management systems that respond to time-varying prices:
Communications Infrastructure
Power Infrastructure
User’s Energy
Needs
xa : Energy consumption schedule for appliance a.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
56
Load Altering Attacks
• There is a growing interest towards using automated energy
management systems that respond to time-varying prices:
Communications Infrastructure
Power Infrastructure
User’s Energy
Needs
xa : Energy consumption schedule for appliance a.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
57
Load Altering Attacks
• There is a growing interest towards using automated energy
management systems that respond to time-varying prices:
Communications Infrastructure
Power Infrastructure
User’s Energy
Needs
xa : Energy consumption schedule for appliance a.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
58
Load Altering Attacks
• Q: What if the price signal is compromised?
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
59
Load Altering Attacks
• Q: What if the price signal is compromised?
Reduced price will encourage increasing load at that hour.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
60
Load Altering Attacks
• Changes in price can change the load scheduled by ECS:
Load Concentration
at 6:00 PM
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
61
Load Altering Attacks
• Assume that a hacker compromises the price data:
• Sent to hundreds of thousands of ECS devices.
• A large number of users jump into the low price hour.
• This can cause a load spike at an already peak hour.
• Price signals have to be source authenticated.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
62
Load Altering Attacks
• A sudden spike in load demand for 1 million users
=
• A sudden shot down of multiple generation units!
• It resembles Denial of Service attacks with botnets!
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
63
Combined Cyber Physical Attacks
• Having a mix of
• Type I
• Type II
• Type III
Needs a lot of Resources
Can cause major damage
Cyber attacks combined with
• Physical attacks.
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
64
Conclusions and Summary
• Smart Grid is a cyber physical system:
• IT Technologies in
– Generation
– Distribution and Transmission
– Control and Monitoring
– Consumption
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
65
Conclusions and Summary
• All these sectors become vulnerable to cyber attacks.
• Type I to Type III Cyber Attacks
• Attacks can involve both
• Cyber elements.
• Physical elements
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
66
Conclusions and Summary
• Most effective security solutions are combined:
• Power Systems: Understanding Power Grid
• Information Systems:
– Message Encryption
– Message Authentication
– Source Authentication
– …
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
67
References
• Please refer to the references at the end of these files:
•
•
•
•
•
•
•
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_1_Power_Systems.pdf
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_2_Smart_Grid.pdf
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_3_Communications.pdf
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_4_Demand_Response.pdf
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_5_Renewable_Power.pdf
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_6_Wide_Area_Measurement.pdf
http://www.ee.ucr.edu/~hamed/Smart_Grid_Topic_7_Security.pdf
Summer Workshop on Cyber Security August 12- 16 , 2013 – Smart Grid Security, Part 2, UCR & TTU
68