Cyber Security for Smart Grids
Seemita Pal
Department of Electrical, Computer and Systems Engineering
Rensselaer Polytechnic Institute, Troy, NY
28th October, 2015
Outline
 Motivation
 Impacts and Challenges
 Computer networks
 Network security
   Cryptography
   Hash function
   Intrusion Detection
 Cyber security threats for smart grids
 Defense strategies
Motivation
[Figure: Generation, Transmission and Distribution tiers, each exchanging operational information (GEN1…GENx, TOP1…TOPx, DIST1…DISTx), down to Customers. Source: n-Dimension solutions]
Motivation
End-to-End Communications and Intelligence
[Figure: Generation, Transmission and Distribution linked end to end with Customers, the AMI system, conservation/DSM, operators and authorities. Source: n-Dimension solutions]
Smart Grids
“an upgraded electricity network to which two-way
digital communication between supplier and consumer,
intelligent metering and monitoring have been added”
Why is the Smart Grid Vulnerable?
 One of the most critical infrastructures
 Increased deployment of sensors and devices
 Continuous streaming of sensitive data via the Internet
 Attractive target for nation-state actors, disgruntled insiders or casual hackers
[Figure: incident reports (energy sector)]
Matter of national security and economic vitality
Possible Impacts and Challenges
 Impacts
   Loss of system observability
   Uneconomic dispatch choices
   Equipment damage
   Monetary loss
   BLACKOUT!!!
 Challenges
   Legacy systems
   Limited processing capabilities
   Low bandwidth connections
   Minimum network feedback
   Elimination of false alarms
   Low detection delay
Today’s Computer Networks
Packet-Switched Networks
 Packet: data chopped up into small blocks (e.g., ~500 bytes)
 Header: each packet carries extra information to allow it to reach its destination
 Route: each intermediate node processes the packet and forwards it to the next node
What is a Computer Network?
[Figure series: hosts (server, client, mobile client) exchanging packets through a chain of routers]
 Hosts are computers and other devices such as cellphones, TVs etc.
 Networks connect applications on different stations
 Hosts communicate by sending messages called packets
 Packets may pass through multiple routers; each switch or router reads the packet header and passes it on
What is a Computer Network?
 A collection of computers (PCs, workstations) and other devices (e.g. printers, smart meters) that are all interconnected
 Goal: provide connectivity and ubiquitous access to resources (e.g., database servers, Web), allow remote users to communicate (e.g., email)
 Components:
   Hosts (computers)
   Links (coaxial cable, twisted pair, optical fiber, radio, satellite)
   Switches/routers (intermediate systems)
Networking Issues
 Resource sharing: accommodate many users over the same link or through the same router
 Addressing and routing: how does an email message find its way to the receiver?
 Reliability and recovery: guarantee end-to-end delivery
 Traffic management: monitoring and regulating the traffic in the network
Solution: Layering
 Layering to deal with complex systems:
   Conceptual simplicity
   Modularization eases maintenance, updating of system
   Change of implementation of layer’s service transparent to rest of system

TCP/IP Model and TCP/IP Protocols
  Application      | FTP, SMTP, HTTP
  Transport        | TCP, UDP
  Internetwork     | IP
  Host to Network  | Ethernet, WiFi, Point-to-Point
Network Performance
 There are a number of measures that characterize and capture the performance of a network
 It is not enough that networks work; they must work well
 Quality of service (QoS) defines quantitative measures of service quality:
   Data rate or throughput
   Delay (latency)
   Reliability
 Security (not a QoS measure but crucial)
Network Security: Introduction
 Bob and Alice want to communicate “securely”
 Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data over a channel; Trudy sits on the channel]
Who might Bob, Alice be?
 well, real-life Bobs and Alices!
 Phasor measurement units sending synchrophasor
data
 Web browser/server for electronic transactions (e.g.,
on-line purchases)
 Information exchange between power distribution
networks and power generators
 on-line banking client/server
 routers exchanging routing table updates
Who might Trudy be?
 Disgruntled insider
 Nation-state actor
 Contracted employee
 Professional hacker
 Casual hacker
Types of Security Breaches
Q: What can a “bad guy” do?
A: A lot
 eavesdrop: intercept messages
 actively insert messages into connection
 impersonation: can fake (spoof) source address in packet (or any field in packet)
 hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
 denial of service: prevent service from being used by others (e.g., by overloading resources)
Security for Smart Grids: Example 1
[Figure: an attacker penetrates the utility network (cyber penetration), controls the AMCC (Advanced Metering Control Computer) head end and performs a remote disconnect over the AMI WAN; the AMI WAN also reaches retailers, 3rd parties and the meter data management systems (MDM/R) via communications networks (WAN)]
Example from AMRA Webinar, Nov ’06 “The Active Attacker”, Source: n-dimension solutions
Security for Smart Grids: Example 2
[Figure: Internet → Admin, Acct and Operator hosts → Master DB → Slave Database → RTU]
1. Hacker sends an e-mail with malware
2. E-mail recipient (an operator) opens the e-mail and the malware gets installed quietly
3. Using information that the malware gets, the hacker is able to take control of the e-mail recipient’s PC!
4. Hacker performs an ARP (Address Resolution Protocol) scan
5. Once the Slave Database is found, the hacker sends an SQL EXEC command
6. Performs another ARP scan
7. Takes control of the RTU
Example from 2006 SANS SCADA Security Summit, Source: n-dimension solutions
Common Security Attacks (and the defense for each)
 Finding a way into the network
   Firewalls
 Exploiting software bugs, buffer overflows
   Intrusion Detection Systems
 Denial of Service
   Ingress filtering, IDS
 TCP hijacking
   IPSec
 Packet sniffing
   Encryption (SSH, SSL, HTTPS)
 Social problems
   Education
Source: J. Weisz, CMU
Network Security
 Confidentiality: only sender, intended receiver should
“understand” message contents
 Authentication: sender, receiver want to confirm identity
of each other
 Message integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards) without
detection
 Access and availability: services must be accessible and
available to users
Security Mechanisms
• Prevention: (Proactive Mechanisms)
Protect the resource so that attacks will fail
• Detection: (Reactive Mechanisms)
Determines that attack is underway
• Recovery: First stop the attack and then assess and
repair any damage caused
The language of cryptography
[Figure: Alice runs the encryption algorithm on the plaintext with her encryption key K_A; the ciphertext crosses the channel; Bob runs the decryption algorithm with his decryption key K_B to recover the plaintext]
m: plaintext message
K_A(m): ciphertext, encrypted with key K_A
m = K_B(K_A(m))
Simple encryption scheme
substitution cipher: substituting one thing for another
 monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.: plaintext:  bob. how are you. alice
      ciphertext: nkn. akr moc wky. mgsbc
Key: mapping from the set of 26 letters to the set of 26 letters
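The cipher above, implemented as an added example (not part of the original slides). It reproduces the slide's key and ciphertext, and then shows the property the slide does not spell out: the key space is huge (26! keys, about 2^88), yet the cipher falls to letter-frequency analysis because every plaintext letter always maps to the same ciphertext letter. The sample text used for the frequency count is constructed here.

```python
import math
import string
from collections import Counter

PLAIN = string.ascii_lowercase
KEY = "mnbvcxzasdfghjklpoiuytrewq"   # the slide's key: a->m, b->n, c->b, ...


def make_tables(key):
    """Build encrypt/decrypt translation tables; the key must be a permutation of a-z."""
    if len(key) != 26 or set(key) != set(PLAIN):
        raise ValueError("key must be a permutation of the 26 letters")
    return str.maketrans(PLAIN, key), str.maketrans(key, PLAIN)


def encrypt(plaintext, key=KEY):
    enc, _ = make_tables(key)
    return plaintext.lower().translate(enc)   # spaces and punctuation pass through unchanged


def decrypt(ciphertext, key=KEY):
    _, dec = make_tables(key)
    return ciphertext.lower().translate(dec)


def keyspace_bits():
    """26! possible keys, i.e. roughly 88 bits: brute force over keys is not the weakness."""
    return math.log2(math.factorial(26))


def most_common_letter(text):
    """Frequency analysis: in English text the most frequent letter is almost always 'e',
    so the most frequent ciphertext letter reveals one entry of the key with no key search."""
    counts = Counter(ch for ch in text if ch in PLAIN)
    return counts.most_common(1)[0][0]


# Constructed sample plaintext (not from the slides), long enough for frequencies to show.
SAMPLE = ("meter readings are sent every fifteen minutes to the head end and the "
          "head end forwards them to the meter data management system")


if __name__ == "__main__":
    ct = encrypt("bob. how are you. alice")
    print(ct, "->", decrypt(ct))
    print("key space bits:", round(keyspace_bits(), 1))
    guess = most_common_letter(encrypt(SAMPLE))
    print("most common ciphertext letter:", guess, "=> plaintext", decrypt(guess))
```

Run it to see that the slide's example round-trips and that the most frequent ciphertext letter in the sample decrypts to `e` under the key, which is exactly how an analyst would start peeling the key off without trying any of the 26! possibilities.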
Message Integrity
 allows communicating parties to verify that received messages are authentic:
   Content of message has not been altered
   Source of message is who/what you think it is
   Sequence of messages is maintained
 let’s first talk about message digests
Message Digests
[Figure: large message m → H: Hash Function → H(m)]
 function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: “message signature”
 note that H( ) is a many-to-1 function
 H( ) is often called a “hash function”
 desirable properties:
   easy to calculate
   irreversibility: can’t determine m from H(m)
   collision resistance: computationally difficult to produce m and m’ such that H(m) = H(m’)
   seemingly random output
 Example (a toy digest for illustration only; it is easy to calculate but has none of the other three properties): H(SEEMITA) = 19+5+5+13+9+20+1 = 72
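An added example (not from the slides) that implements the toy letter-sum digest from the slide and shows concretely why it fails the listed properties: a collision is found by a trivial search, a preimage for any digest can be written down directly, and any anagram collides because the sum ignores order. A real hash (SHA-256 from the standard library) is computed alongside for contrast; the collision-search bound and candidate alphabet are assumptions of this example.

```python
import hashlib
import itertools
import string


def toy_hash(message):
    """The slide's toy digest: sum of 1-based alphabet positions, ignoring non-letters.
    H("SEEMITA") = 19+5+5+13+9+20+1 = 72."""
    return sum(ord(ch) - ord("A") + 1 for ch in message.upper() if ch.isalpha())


def find_collision(message, max_len=3):
    """Brute-force a different uppercase string with the same toy digest.
    The search space is tiny (26 + 26^2 + 26^3 candidates), which is the point:
    collision resistance is absent. Returns None if nothing is found within max_len."""
    target = toy_hash(message)
    for n in range(1, max_len + 1):
        for combo in itertools.product(string.ascii_uppercase, repeat=n):
            cand = "".join(combo)
            if cand != message.upper() and toy_hash(cand) == target:
                return cand
    return None


def invert_toy_hash(digest):
    """Irreversibility also fails: a preimage is constructed directly from the digest
    value, as many Z's (26) as fit plus one letter for the remainder."""
    q, r = divmod(digest, 26)
    return "Z" * q + (chr(ord("A") + r - 1) if r else "")


def sha256_hex(message):
    """Contrast: a cryptographic hash, where neither of the above is feasible."""
    return hashlib.sha256(message.encode()).hexdigest()


if __name__ == "__main__":
    m = "SEEMITA"
    print("toy H(m)      =", toy_hash(m))
    print("collision     =", find_collision(m))          # different string, same digest
    print("preimage(72)  =", invert_toy_hash(72))        # built from the digest alone
    print("anagram       =", toy_hash(m) == toy_hash(m[::-1]))
    print("sha256(m)     =", sha256_hex(m))
    print("sha256(coll.) =", sha256_hex(find_collision(m)))
```

The two SHA-256 values differ in every respect even though the toy digests agree, which is the gap between "easy to calculate" and the remaining three properties on the slide.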
Message Authentication Code (MAC)
s = shared secret
[Figure: sender computes H( ) over message and s and transmits the message with the digest; receiver recomputes H( ) over the received message and s, then compares]
• Authenticates sender
• Verifies message integrity
• Also called “keyed hash”
• Notation: MD_m = H(s||m); send m||MD_m
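The send/verify exchange from the slide, as an added example (not the slides' own code). One caveat a practitioner wants here: the literal construction MD_m = H(s||m) with a Merkle–Damgård hash such as MD5, SHA-1 or SHA-256 is vulnerable to length extension (an attacker who sees m||MD_m can append data and compute a valid tag without s), so the standard keyed hash is HMAC, which this example uses via the standard library. The verifier compares tags in constant time; the shared secret and the synchrophasor-like record are constructed for the example.

```python
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 digest length in bytes


def make_mac(secret: bytes, message: bytes) -> bytes:
    """Keyed hash of the message. HMAC rather than raw H(s||m): the latter is open to
    length-extension attacks with the common Merkle-Damgard hash functions."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def send(secret: bytes, message: bytes) -> bytes:
    """Produce m || MD_m exactly as in the slide's notation: tag appended to the message."""
    return message + make_mac(secret, message)


def receive(secret: bytes, packet: bytes):
    """Split m || MD_m, recompute the tag and compare in constant time.
    Returns the message if it is authentic, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # compare_digest avoids leaking, through timing, how many leading bytes matched
    if not hmac.compare_digest(make_mac(secret, message), tag):
        return None
    return message


# Constructed values for the example (not real keys or measurements).
SECRET = b"shared-secret-between-pmu-and-pdc"
SAMPLE = b"PMU-07 angle=12.34 mag=1.02 seq=1001"


def demo():
    """Return (authentic, tampered, wrong_key) verification results."""
    packet = send(SECRET, SAMPLE)
    tampered = packet.replace(b"seq=1001", b"seq=1002")   # bit-flip in transit, tag unchanged
    return (receive(SECRET, packet),
            receive(SECRET, tampered),
            receive(b"not-the-shared-secret", packet))


if __name__ == "__main__":
    ok, bad, wrong = demo()
    print("authentic :", ok)
    print("tampered  :", bad)
    print("wrong key :", wrong)
```

Only the untouched packet verified with the correct secret comes back as a message; a one-byte change to the measurement or a different key yields None, which is the "compare" step of the slide made explicit.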
Hash Function Algorithms
 MD5 hash function widely used (RFC 1321)
   computes 128-bit message digest in 4-step process
   practical collision attacks have been known since 2004; it must not be relied on for collision resistance
 SHA-1 is also used
   US standard [NIST, FIPS PUB 180-1]
   160-bit message digest
   deprecated by NIST for digital signatures; new designs should use SHA-2 (e.g. SHA-256) or SHA-3
Firewalls
 Many network applications and protocols have security problems, fixed over time
   Difficult for users to keep up with changes and keep host secure
 Solution
   Administrators limit access to end hosts by using a firewall
   Firewall is kept up-to-date by administrators
   Can be hardware or software
     Ex. some routers come with firewall functionality
     ipfw, ipchains, pf on Unix systems; Windows XP and Mac OS X have built-in firewalls
Source: J. Weisz, CMU
Firewalls
[Figure: Internet → Firewall → DMZ (web server, email server, web proxy, etc.) → Firewall → Intranet]
Source: J. Weisz, CMU
Firewalls
 Used to filter packets based on a combination of features
   These are called packet filtering firewalls
   Ex. drop packets with destination port of 23 (Telnet)
   Can use any combination of IP/UDP/TCP header information
Source: J. Weisz, CMU
Intrusion Detection
 Used to monitor for “suspicious activity” on a network
 Can protect against known software exploits, like buffer overflows
 Uses “intrusion signatures”
   Well known patterns of behavior
 Example
   IRIX vulnerability in webdist.cgi
   Can make a rule to drop packets containing the line
     “/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd”
 However, IDS is only useful if contingency plans are in place to curb attacks as they are occurring
Source: J. Weisz, CMU
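An added example (not from the slides) covering the two preceding slides together: a header-based packet-filter rule (drop TCP destination port 23) and a payload signature rule for the webdist.cgi request string, run over a few constructed packets. The one practitioner detail added beyond the slides is that the signature is matched after percent-decoding the payload, so a request that encodes the slashes as %2F does not slip past a byte-for-byte comparison. The Packet structure, rule format and sample addresses are assumptions of this example, not any real IDS syntax.

```python
import urllib.parse
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# Packet-filter rules match on header fields only (the slide's "drop destination port 23").
FILTER_RULES = [
    {"proto": "tcp", "dport": 23, "action": "drop"},   # Telnet
]

# IDS signatures: byte patterns expected in the payload (the slide's webdist.cgi string).
SIGNATURES = {
    "IRIX webdist.cgi cmd exec": b"/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd",
}


def packet_filter(pkt):
    """Stateless packet filter: first matching header rule wins, default accept."""
    for rule in FILTER_RULES:
        if pkt.proto == rule["proto"] and pkt.dport == rule["dport"]:
            return rule["action"]
    return "accept"


def normalize(data: bytes) -> bytes:
    """Percent-decode before matching so encoding tricks (e.g. %2F for '/') do not
    defeat a literal signature. Signature and payload are both normalized the same way."""
    return urllib.parse.unquote_to_bytes(data)


def ids_alerts(pkt):
    """Return the names of all signatures present in the (normalized) payload."""
    payload = normalize(pkt.payload)
    return [name for name, sig in SIGNATURES.items() if normalize(sig) in payload]


def process(pkt):
    """Firewall first; only packets that pass the filter are inspected by the IDS."""
    action = packet_filter(pkt)
    alerts = ids_alerts(pkt) if action == "accept" else []
    return action, alerts


# Constructed sample traffic (addresses and requests invented for the example).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", "tcp", 23, b"login: "),
    Packet("10.0.0.5", "10.0.1.20", "tcp", 80,
           b"GET /cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.1.20", "tcp", 80,    # same attack, slashes percent-encoded
           b"GET %2Fcgi-bin%2Fwebdist.cgi?distloc=?;cat%20%2Fetc%2Fpasswd HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.1.20", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
]


def run():
    return [process(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, (action, alerts) in zip(SAMPLE_TRAFFIC, run()):
        print(f"{pkt.proto}/{pkt.dport:<3} {action:<6} {alerts}")
```

The Telnet packet is dropped by the header rule before inspection, both webdist.cgi variants raise the same alert, and the benign request passes clean. Without the normalization step the encoded variant would have been missed, which is the usual failure mode of literal signatures.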
Network Security (Recap)
• Confidentiality: only sender, intended receiver should
“understand” message contents
• Authentication: sender, receiver want to confirm identity
of each other
• Message integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards) without
detection
• Access and availability: services must be accessible and
available to users
Of Primary Interest to Utilities
 Attacks on timely delivery (AVAILABILITY)
   Gray hole attacks
 Attacks on measurement data (INTEGRITY)
   False data injection attacks
 Attacks on access control (AUTHENTICATION)
   Switching attacks
 Meter data privacy (CONFIDENTIALITY)
   Attacks on smart meters
Background: Synchrophasor Network
[Figure: measurements generated by PMUs in substations → regional PDCs → system-wide Super PDC* / Control Center → input to power system applications]
* PDC: Phasor Data Concentrator
Gray Hole Attacks
[Figure: PMU (UDP) → Router 1 → Router 2 → Router 3 → … → Router n → PDC (UDP); TCP senders and receivers 1…k share the same routers]
 Attacker drops packets at any node
 Data is lost forever
 Difficult to detect
 Attacker controls packet-drop percentage
False Data Injection Attacks
[Figure: PMU data (z), SCADA data (z) and topology, parameters, relay data (H) feed the State Estimator (MMSE), which outputs the estimated system states (x̂)]
 Conventional bad data detection algorithm:
   Presence of bad measurements inferred if ‖z − H x̂‖ > τ
 Liu et al. introduced concept of false data injection attacks
   Corruption of measurements: z_a = z + a for a = Hc
   System states bias = x̂_a − x̂ = c, while the residual ‖z_a − H x̂_a‖ equals the original ‖z − H x̂‖, so the attack passes the detector
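A worked numerical instance of the slide's argument, added here as an example and not taken from the slides or from Liu et al. It assumes a tiny DC model (two bus angles as states, three measurements: both angles and one line flow proportional to their difference) and a least-squares estimator with unit weights standing in for the slide's MMSE block; H, z, τ and the attack vector c are constructed values. The code carries the detector ‖z − H x̂‖ > τ through for three cases: clean data, a structured attack a = Hc, and a naive attack that perturbs one measurement directly.

```python
import math


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def estimate_state(H, z):
    """Least-squares state estimate x_hat = (H^T H)^-1 H^T z (unit weights)."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_norm(H, z, x_hat):
    """The detector statistic ||z - H x_hat||."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return math.sqrt(sum(ri * ri for ri in r))


def bad_data_detected(H, z, tau):
    return residual_norm(H, z, estimate_state(H, z)) > tau


def inject(H, z, c):
    """Liu et al. attack: a = Hc lies in the column space of H, so z_a = z + a."""
    a = matvec(H, c)
    return [zi + ai for zi, ai in zip(z, a)]


# Constructed model: states x = [theta1, theta2]; measurements theta1, theta2, theta1 - theta2.
H = [[1.0, 0.0],
     [0.0, 1.0],
     [1.0, -1.0]]
Z = [0.51, 0.19, 0.35]   # constructed measurements with a little inconsistent noise
TAU = 0.05               # constructed detection threshold


def demo():
    x_hat = estimate_state(H, Z)
    c = [0.3, 0.0]                       # attacker's desired bias on theta1
    z_a = inject(H, Z, c)
    x_a = estimate_state(H, z_a)
    naive = [Z[0] + 0.3, Z[1], Z[2]]     # same change to theta1's meter, not in col(H)
    return {
        "x_hat": x_hat,
        "residual_clean": residual_norm(H, Z, x_hat),
        "residual_attack": residual_norm(H, z_a, x_a),
        "bias": [xa - xh for xa, xh in zip(x_a, x_hat)],
        "detected_attack": bad_data_detected(H, z_a, TAU),
        "detected_naive": bad_data_detected(H, naive, TAU),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} {v}")
```

The structured attack shifts the estimated angle by exactly c while leaving the residual identical to the clean case, so the threshold test cannot see it; the naive perturbation of a single meter trips the detector at once. That contrast is why the slide singles out a = Hc.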
False Data Injection Attacks
[Figure: PMU 1 at Node 1 (node voltage, currents 1…k) and PMU 2 at Node 2 (node voltage, currents 1…p) send packets through routers 1a…1n and 2a…2m to the PDC and Control Center; packet data modified in transit]
 One or more routers/PMUs compromised
 Adversary intends to perform maximum possible manipulation
 Weak or no encryption
Switching Attacks
 Smart grid envisions remote access of circuit breakers and switches
 Breaker control signals corrupted or a particular switching sequence applied
 Destabilization of system occurs
Privacy Issues
Meter data can reveal:
 Types and usage of electrical equipment
 Daily routines
 Changes in routines
What if a bad guy determines that you are not at home and plans a burglary?
What if a criminal took control of a good number of smart meters and simultaneously sent a general shutdown command?
Cyber Security Solutions for Smart Grids (Defense in Depth)
 Perimeter Protection
   Firewall, IPS, VPN, AV
   Host IDS, Host AV
   Physical Security
 Interior Security
   Firewall, IDS, VPN, AV
   Host IDS, Host AV
   IEEE P1711 (Serial Connections)
   Network admission control
   Scanning
 Monitoring
 Management
Questions?