Terms of Protection: The Many Faces of Smart Grid Security

Presenter: Hongwei Li

References

Main Reference
Nordell, D.E., “Terms of Protection: The Many Faces of Smart Grid Security,” IEEE Power & Energy Magazine, Jan./Feb. 2012.

In Brief
Massoud Amin, S. and Giacomoni, A.M., “Smart Grid—Safe, Secure, Self-Healing,” IEEE Power & Energy Magazine, Jan./Feb. 2012.

Outline
- The Dictionary Definition for Security
- Who Cares About Security?
- Key Smart Grid Security Challenges
- Advanced Metering Infrastructure (AMI) Security
- Techniques Used to Achieve Cyber Security
- Security Must Be Built In

The Dictionary Definition for Security
- Security as Reliability
- Security as Communication Reliability
- Security as Information Protection

The Dictionary Definition for Security: Security as Reliability

Traditional electric utility: Power engineers used the term “security” to describe the ability of the bulk power system to withstand unexpected disturbances such as short circuits or unanticipated loss of system elements due to natural causes.

In today’s world: The security focus of the industry has expanded to include withstanding disturbances caused by man-made physical or cyber attacks.

(http://www.nerc.com, under the heading “Company Overview”)

The Dictionary Definition for Security: Security as Communication Reliability

Reliability for power system communication has several facets:
- The probability that a given message will be lost entirely
- The use of redundant communication paths and automatic failover to protect against message loss
- The expected time delay (latency) in delivering a message
- The expected variability of that time delay (jitter)
- How competing messages may (or may not) be given priority when communication channels are saturated

The Dictionary Definition for Security: Security as Information Protection

Information protection involves measures taken to ensure the anonymity of electricity information, both in transit and when stored on digital systems.
Of primary importance is information related to utility customers and information about the electric power system that may be of interest to parties who wish to harm the utility and to potential intruders.

An equally critical facet of information protection is protection of information and commands used to control the power system. Ensure that such communications are protected from outside intrusion, particularly when the communication path is exposed to possible outside eavesdropping and malicious intervention.

Who Cares About Security?

- The Energy Independence and Security Act (EISA) of 2007, passed by the U.S. Congress, brought the term “smart grid” into the public vocabulary.
- The EISA considered both power system reliability and protection of sensitive information.
- The EISA assigned the National Institute of Standards and Technology (NIST) “primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of Smart Grid devices and systems…” (see EISA Title XIII, Section 1305)

Key Smart Grid Security Challenges
- Physical Challenges
- Cyber Challenges

Key Smart Grid Security Challenges: Physical Challenges

Figure 1. Electric terrorism: grid component targets, 1994–2004

One possible means of increasing the physical security of the power lines is to bury them.
A 2006 study by the Edison Electric Institute (EEI) calculated that putting power lines underground would cost about US $1 million per mile, compared with US $100,000 per mile for overhead lines, making the idea financially infeasible.

Key Smart Grid Security Challenges: Cyber Challenges

The number of documented cyber attacks and intrusions worldwide has been rising rapidly in recent years. The results of a 2007 McAfee survey highlight the pervasiveness of such attacks. For example, ...

Figure 2. Percentage of critical infrastructure enterprise executives reporting large-scale DDoS attacks and their frequency

Figure 3. Cyber threat evolution

Advanced Metering Infrastructure (AMI) Security

- The implementation of AMI is widely seen as one of the first steps in the digitization of the smart grid’s control systems.
- Some present and all future AMI deployments will use Internet Protocol (IP) addressing to allow messages to travel over multiple media and both public and private networks.
- The communication media for AMI systems include a variety of proprietary radio systems, common-carrier digital cellular services, and communication using the power line itself, in the form of broadband over power lines (BPL). Of these, the industry is converging on the use of wireless IEEE 802.15.4g.

With increasing functionality and wireless connectivity comes a heightened need not only to protect system and message integrity but also to preserve the confidential information of customers.
The AMI Security Task Force of the UCA International Users Group (UCAIug), the NIST SGIP, and in particular NIST IR 7628 are providing “best practice” guidelines for securing future AMI systems.

Possible threats to the smart grid introduced by the use of AMI include:
- Fabricating generated energy meter readings
- Manipulating energy costs
- Disrupting the load balance of local systems by suddenly increasing or decreasing the demand for power
- Gaining control of millions of meters and simultaneously shutting them down
- Sending false control signals

Several key privacy concerns need to be addressed, including:
- Personal profiling: using personal energy data to determine consumer energy behavioral patterns for commercial purposes.
- Real-time remote surveillance: using live energy data to determine whether people are in a specific facility or residence or what they are doing.
- Identity theft and home invasions: protecting personal energy data from criminals who could use the information to harm consumers.
- Activity censorship: preventing the use of energy for certain activities or taxing those activities at a higher rate.
- Decisions based on inaccurate data: shutting off power to life-sustaining electrical devices or providing inaccurate information to government and credit-reporting agencies.

Techniques Used to Achieve Cyber Security?

Modern communication protocols are “layered”, as in the Open Systems Interconnection (OSI) Model.
The model reflects how messages are sent in the traditional mail service, with a message being placed in an envelope, an address added, and the envelope entrusted to the post office system, which transports the envelope over a variety of physical media before eventually delivering the envelope to the addressee.

Such messages may be protected in a variety of ways. One way might guard each step of the postal worker and seal the envelope with an “official” seal to detect tampering; the other way might encrypt the message itself with a code known only to the sender and receiver. Which way is better?

Figure 4. Communication security options

Figure 5. Upper-layer security contrasted with lower-layer security

Security Must Be Built In

Confidentiality, integrity and availability (CIA) are defined by NIST as follows:
- Confidentiality: the property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
- Integrity: the property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
- Availability: the property of being accessible and usable upon demand by an authorized entity.
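
Returning to the upper-layer versus lower-layer question on the “Techniques Used to Achieve Cyber Security?” slides: the sketch below is an added example, not part of the original presentation, showing a meter reading that crosses a relay with per-link seals only and with an additional end-to-end seal. It uses HMAC seals (integrity only, no encryption); the keys, the meter/relay/head-end roles and the sample reading are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed keys for illustration only.
K_E2E = b"meter<->head-end key"      # upper layer: known only to the two endpoints
K_HOP1 = b"meter<->relay link key"   # lower layer: one key per link
K_HOP2 = b"relay<->head-end link key"

def seal(key: bytes, body: bytes) -> bytes:
    """The 'official seal': an HMAC-SHA256 tag over the message body."""
    return hmac.new(key, body, hashlib.sha256).digest()

def seal_ok(key: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(key, body), tag)

def meter_send(reading: dict) -> dict:
    body = json.dumps(reading, sort_keys=True).encode()
    return {"body": body, "e2e": seal(K_E2E, body), "link": seal(K_HOP1, body)}

def relay_forward(frame: dict, compromised: bool = False) -> dict:
    """The relay terminates hop 1 and re-seals for hop 2, so it can alter the body."""
    if not seal_ok(K_HOP1, frame["body"], frame["link"]):
        raise ValueError("hop 1 seal invalid")
    body = frame["body"]
    if compromised:  # models the 'fabricated meter reading' threat
        reading = json.loads(body)
        reading["kwh"] = 0.0
        body = json.dumps(reading, sort_keys=True).encode()
    # The relay holds K_HOP2 but not K_E2E, so it cannot refresh the e2e seal.
    return {"body": body, "e2e": frame["e2e"], "link": seal(K_HOP2, body)}

def headend_accept(frame: dict, check_e2e: bool) -> bool:
    if not seal_ok(K_HOP2, frame["body"], frame["link"]):
        return False
    return seal_ok(K_E2E, frame["body"], frame["e2e"]) if check_e2e else True

def run_demo() -> dict:
    reading = {"meter_id": "MTR-0001", "seq": 1, "kwh": 12.5}  # constructed sample
    honest = relay_forward(meter_send(reading))
    altered = relay_forward(meter_send(reading), compromised=True)
    return {
        "link_only_accepts_altered": headend_accept(altered, check_e2e=False),
        "e2e_accepts_altered": headend_accept(altered, check_e2e=True),
        "e2e_accepts_honest": headend_accept(honest, check_e2e=True),
    }

if __name__ == "__main__":
    print(run_demo())
```

With link seals alone the head-end accepts the altered reading, because every hop's seal is valid; the end-to-end seal is the check that fails.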