Narasimha Chari, Tropos Networks
The evolution of the power grid into the smart grid will involve the expansion and integration of advanced communications and information technology into all aspects of utility operations, from power generation to the point at which power is used. Utilities will have a whole new level of visibility and control of applications and devices that will help improve grid reliability and efficiency. Data will be available and will benefit customers and utilities. Centralized visibility and control of systems and devices will help increase overall grid reliability and enable more real-time decision-making. With the evolution of the smart grid, data volume is vastly increased and highly distributed, making a utility’s approach to security a new challenge that requires a new approach.
Several standards under active development address security as it relates to specific functional areas within the smart grid. These include the North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) standards for the bulk electric system and advanced metering infrastructure security (AMI-SEC) for AMI system security. Security standards for the smart grid communications infrastructure are essential because the network will be composed of multiple layers involving multiple technologies. In addition, vendors will support applications ranging from AMI and distribution automation to mobile work force tools for work orders, asset tracking, etc. Several mature security standards exist, such as FIPS 140-2 for the implementation of secure computer and telecommunication systems used by the federal government. Such existing standards can and should be leveraged as a building block of smart grid security.
Key Security Drivers
As grid communication evolves to an Internet protocol (IP)-based system of systems, there is a growing focus on system security of the network driven by the following trends:
- Migration to IP-based network architectures. Much as telecom systems have migrated during the past several years from proprietary time-division multiplexing (TDM)-based systems to all-IP architectures, a similar move is afoot within utility communications. The migration to IP brings several benefits including the greater ability to share information across systems boundaries, simplified communications and control, and improved end-to-end visibility. Conversely, the shift from physically isolated, closed proprietary systems to networked, open standard IP-based architectures necessitates reassessment of security assumptions. System design also must be considered to ensure the proper identification of cyberassets, enforcement of intra-system boundaries, traffic segmentation across user groups and applications, data privacy and infrastructure protection, while assuring reliability, maintainability and availability.
- More stakeholders. The smart grid will promote much wider information sharing within the utility than was previously possible. This benefit, however, comes with the need to effectively impose policies across divisional and functional boundaries for access to varying data levels. This includes data sharing across multiple departments and entities, but also with end customers and other third-party energy management application providers.
- More numerous and diverse endpoints. The smart grid will tie together a plethora of devices owned by the utility—from power quality sensors and distribution automation devices to customer-owned devices such as smart appliances. The smart grid will result in several orders of magnitude increases in the volume of data transferred, as well as in the number of devices connected to the smart grid communications network.
- Growing cyberattack threats. Because the grid is critical infrastructure and increasingly central to the daily lives of people and businesses, it is important to ensure grid cybersecurity against malicious cyberattacks. Unlike most power system failure risks that can be modeled probabilistically, cybersecurity requires a shift in thinking to accommodate the possibility of a coordinated attack on multiple facilities by an intelligent attacker over a network. As NERC’s chief security officer said, “One of the more significant elements of a cyberthreat, contributing to the uniqueness of cyberrisk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyberattacker to impact multiple assets at once, and from a distance.” He said that in identifying critical assets, a rule-out approach (assuming every asset is critical until demonstrated otherwise) might be more appropriate than an add-in approach (starting with the assumption that no assets are critical).
- Regulatory compliance requirements. While smart grid security standards are being developed, critical cyberasset protection and stakeholders’ interests will place regulatory compliance requirements on utilities and system operators. As an early example, the NERC CIP standards were issued for the identification and protection of critical cyberassets to maintain the bulk power system’s operational integrity.
Securing the Layers
A smart grid communications network will not be homogeneous but will be a network of networks with different networking technologies used at various layers based upon the requirements of the applications connecting at each. Security must exist at all network layers with different security considerations implemented at each layer based upon the applications.
The distribution area network layer represents one of the most challenging network layers to secure because multiple applications traverse and connect at this layer. It sits between the devices on the distribution system (home area networks, meters, meter collectors, data acquisition devices, etc.) and the distribution substations that typically connect back to the utility core network over fiber or microwave links.
The functional requirements for securing the distribution area network fall into the following basic areas.
- Availability and performance. Availability and performance are unique security requirements for critical systems that differentiate them from traditional information processing systems. Critical systems must continue to operate and satisfy business and mission needs under diverse operating conditions. Also, the overall system architecture must be designed to this requirement so system integrity and availability are maintained under adverse conditions such as external attacks or peak loads. For example, a mesh architecture capable of self-organizing and self-healing in response to local disturbances is preferable to a star topology with central failure points.
- Network access control. The distribution area network must impose strong authentication and authorization requirements on devices and users that seek to access the network, ranging from utility field crew mobile devices to sensors on the distribution plant and potentially end-consumers. Access control must be enforced at the network level and the level of individual devices. Control must be exercised over physical access and networked access to systems, and strict authorization policies are needed to enforce user-access privileges.
- Network resource and end point protection. The distribution area network aggregates and distributes mission-critical data and must protect itself from attacks and unauthorized access. In addition, because the network mediates access between other networked resources (e.g., meters and meter data management systems), it must provide the capabilities to protect those networked resources from attackers. For example, techniques such as firewalls must be employed to ensure that only those required ports and services are enabled and accessible.
- Secure end-to-end data transmission. The distribution area network also must support secure end-to-end data transmission in addition to ensuring no violations of confidentiality, privacy and data integrity exist within the transport component.
- Traffic isolation across application boundaries. Because the distribution area network aggregates data transport for multiple applications (e.g., meter data, as well as distribution automation application data) and multiple kinds of endpoints—supervisory control and data acquisition (SCADA) remote terminal units (RTUs), as well as utility mobile work force handhelds—it must provide mechanisms to effectively segregate these applications into traffic classes to maintain inter-subsystem security and privacy. In addition, the mechanisms used must be flexible enough to accommodate the differing security capabilities and requirements for different services and application or classes of end points.
Secure Network Configuration, Operation and Management
It is crucial to secure the configuration and management of the network infrastructure and safeguard its operation. Only authorized network operators should be able to alter the operation of the network elements of the distribution area network. Detailed logging and audit trails are needed to monitor and trace back system configuration changes.
When architecting smart grid security, one should incorporate and extend industry best practices for securing wireless networks, resources and data. The fundamental design principles used to craft this security approach include:
- Open standards-based. The solution should leverage well-known open-standard security techniques that have undergone extensive scrutiny by the security community. These include IPSec, IEEE 802.1x, IEEE 802.11i, AES encryption, SSL/TLS, and FIPS 140-2, as well as support for emerging smart grid standards such as NERC-CIP 002- 0092, AMI-SEC3, etc.
- Multilayer security. The solution should use multiple security mechanisms operating at multiple layers of the protocol stack to provide layered defenses.
- Multiapplication security. Different applications aggregated over a common infrastructure have different application characteristics and requirements. Therefore, the security solution must be flexible enough to accommodate these differences while ensuring the logical separation of these traffic flows and the overall system’s integrity.
- Adaptable. The threat landscape is continually evolving, and new cybersecurity threats targeting critical infrastructure are expected to emerge as smart grids are deployed. In addition, smart grid security standards are evolving. The security framework adopted must be flexible and expandable.
The evolution of the power grid of today into tomorrow’s smart grid involves the expansion and integration of advanced communications and information technology into all aspects of utility operations. The best approach to securing communications will be a standards-based, multilayered security architecture. Whichever smart grid communications and security architecture is selected must be flexible and able to evolve to meet the changing security standards and new security threats likely to emerge.
Narasimha Chari is co-founder and chief technology officer at Tropos Networks.
