JOnline: Evolving Perimeter Information Security Models in Smart Grids and Utilities 

 

In September 2012, Telvent, the smart-grid giant owned by Schneider Electric, reported that hackers broke through its firewall and security systems in breaches involving its OASyS SCADA product. Telvent uses the same system to control power grids, oil and gas pipelines and industrial controls around the world, and to integrate them with utility enterprise systems and new smart-grid platforms.1 Incidents such as this, the Stuxnet worm and the Night Dragon attacks show that cyberhacking, once done for sport, is now highly monetized and targeted at the power and utility industry’s assets.

Today, a major part of the existing electric-grid architecture and of the infrastructure components that operate the electric distribution networks is relatively basic, without advanced information analytics or the resulting self-healing capabilities for power redistribution. However, as these grid infrastructure components are fitted with information and communications technology (ICT) for analytics and self-healing, the entire grid becomes more susceptible to malicious attacks. Further, a recent survey of 213 utility and smart-grid professionals revealed that 65 percent of executives believe that grid operations and information technologies are the technology most vulnerable to cyberattacks. It is estimated that cumulative investments in smart-grid cybersecurity alone will total US $14 billion through 2018. This is separate from the US $200 billion investment in global smart grids, which includes a US $53 billion investment in the US alone by 2015.2, 3

The existing electric-grid architecture is a relatively linear model with clear boundaries among generation, transmission and distribution of power. The smart-grid architecture, however, brings about a paradigm shift from this linear model to a distributed energy-generation model. Therefore, to devise a conceptual smart-grid security architecture, it is necessary to contextualize the smart-grid business with respect to its value network and stakeholders.

This article introduces and puts into perspective the last-mile InfoSec Frames framework for smart-grid perimeter (network edge) devices, with an eye for adapting the lessons learned from other information sensitive industries. At the same time, the article presents and compares the evolving last-mile information security models to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards (CIP-002-4 through CIP-009-4). This contextualization provides the specific boundaries for the treatment of information security for the value players in the last-mile transmission and distribution operations of a smart grid.

The Smart-grid Value Network

The National Institute of Standards and Technology (NIST) has developed the NIST Smart Grid Framework 1.0 as a reference model for all other smart-grid architectures.

Figure 1 reveals the stakeholders and illustrates a high-level landscape of the interplay among the various players of the value network. The value network players are the various technical equipment manufacturers that develop control, communications, monitoring and analytics products within and across domains. Additionally, the technology standards committees and regulatory bodies are the other stakeholders. Interestingly, the 21st-century demand for cleaner energy has given rise to new stakeholders who tap renewable energy sources such as wind and solar to generate power. The industry terms these stakeholders distributed energy generators (DG). The DGs are incentivized by government programs such as feed-in tariff (FIT) programs, under which they sell and supply energy to consumers (and utilities) using the existing power-grid infrastructure. Depending on their size, DGs normally connect to transmission or distribution networks. The consumer is the ultimate stakeholder, with demands for efficient and smarter power consumption, including charging electric vehicles.

Figure 1

Enterprise Network and Smart-grid Network Security

Unlike traditional information security in enterprise networks, which has as its primary objective the protection of data, the key objective of information security in smart-grid networks is to protect human life and ensure system reliability during power generation, transmission and distribution. In general, power and electricity encompass every aspect of human society and nations; the very critical nature of generating and delivering power establishes a business objective that requires 100 percent reliable availability and delivery of power at any cost.

Consequently, the business precedence for human safety and reliability is set for utilities and normally overrides other attributes such as efficiency, economics and, in some instances, quality of power. This simple, critical fact clearly differentiates the utilities from other enterprise business networks such as retail, manufacturing and banking, which emphasize economics and efficiency. Furthermore, unlike the systems of enterprise networks where the information security is primarily focused on protecting data, the focus of information security in the smart-grid network is multifaceted. In smart-grid networks, information security has to primarily address what will happen to the electrical state of the grid when one of its devices is compromised. The smart-grid perimeter devices generate the less important analytical data (such as for metering and efficiency purposes) and the more important control data for the transmission and distribution of power within the grid. Compromises to the control data and signals can significantly alter the state of the grid and negatively affect the reliable delivery of power. Additionally, the smart-grid network asset has a higher value than the information it generates because the asset is critical for the reliable operation of the grid; therefore, the information security tenets of confidentiality, integrity and availability must ensure protection of data for safe and reliable grid operation.4

In addition to the systems found in general enterprise networks, such as enterprise resource planning (ERP) systems and high-availability networks, electric grids have a variety of critical energy storage and switching devices and systems, such as electrical isolation and protection relays, bus-bars, feeders, switchgears, power transformers, pole-mounted transformers, flexible alternating current transmission systems (FACTS), capacitor banks and auxiliaries. With the smart grid, these devices and systems become numerous active perimeter devices of the smart-grid network and leverage ICT for analytics, command and control, representing dynamic and intelligent machine-to-machine communications for reliable grid operation. Therefore, because of the scale and scope of this large number of active devices, striking a balance between information security and reliable grid operation is a unique challenge for establishing system-to-system trust models, data modeling and treatment, and asset management.

Finally, unlike enterprise networks, the smart-grid network (especially for perimeter devices) is in its infancy; as such, no corroboration and/or benchmark frameworks exist for system-to-system trust models, data modeling and treatment, and asset management that pose practical implementation challenges for all of the players in the value network.

NERC Critical Infrastructure Protection Standards

NERC has developed the CIP standards to set the compliance requirements, definitions and frameworks for the protection of cyberassets in support of reliable operation of the bulk electric system (BES). Analysis of these standards reveals that they rest on the generally accepted principles of confidentiality, integrity and availability of information, both in transit and at rest. Furthermore, once the information criteria have been established, these compliance requirements can be readily mapped to COBIT and, for the purposes of this article, to models of information security architecture. The requirements from the pertinent standards are listed in figure 2.5

Figure 2

Interoperability with Existing Grid Technologies

The current communication and control of the devices that make up the existing grid and BES are localized and operate as independent networks. The existing intelligent electronic devices (IEDs), remote terminal units (RTUs), and supervisory control and data acquisition (SCADA) systems in substations and automation controls are networked together over Ethernet or serial communication ports using protocols such as the IEC 61850 communications standards,6 Distributed Network Protocol (DNP3) and Modbus. In addition, current power-grid wide area networks (WANs) also utilize power line communication and dark fiber.

As these devices and systems begin to evolve into active devices in the smart grid, numerous challenges can be foreseen with respect to creating efficient and optimized data and system-to-system trust models for analytics as well as control. These technical challenges are in addition to the management of the huge amount of data that could be generated for meaningful warehousing and mining purposes. However, the opportunities are huge in terms of improved efficiency and effectiveness of reliable power generation, distribution and transmission when these systems can be interconnected. Examples of such effectiveness are self-healing power networks realized by redistribution of power through alternative paths, grid asset maintenance and advanced asset monitoring. Consequently, numerous equipment manufacturers either have attempted or are attempting to evolve BES by leveraging the technical flexibility of the Internet Protocol (IP) and WAN technologies.

The Transmission Control Protocol/Internet Protocol (TCP/IP) stack and the widely available WAN technologies are technically flexible with capabilities to encapsulate or tunnel existing grid communication protocols such as IEC 61850 communication standards, DNP3 and Modbus.7, 8, 9, 10, 11 Furthermore, they provide a uniform abstraction of the network that hides the differences among various network technologies,12, 13 facilitating enhanced interoperability. This evolution has led to the creation of communication network setups (see figure 3).

Figure 3

Although, on the surface, such network setups seem chaotic and amorphous, an organization of the network and communication architectures based on criticality (electrical switching and control), generation and consumption is emerging. The emergence and organization of smart-grid networks is also evidenced by the NIST- and US Department of Energy-led GridWise Domain Expert Working Groups for Building to Grid (B2G), Home to Grid (H2G) and Industrial to Grid (I2G).14

Security Architecture in Smart Grids

As the smart-grid models evolve, different conceptual architectural models are beginning to emerge. The architectures of the networks of devices are evolving in accordance with the NERC CIP Reliability Standards.

Figure 4

InfoSec Frames is an information security framework for the information security treatment of the perimeter devices that fits into the subnetwork architectures of the smart-grid network. InfoSec Frames (figure 4) specifically describes the security treatment for the subnetwork architectures for home area networks (HANs), field area networks (FANs) and control networks (CNs). In addition, the framework facilitates abstraction with a common set of security attributes.

Concept of NANs, HANs and SUNs

Numerous devices such as smart energy meters (advanced metering infrastructure [AMI]), water heaters, home energy controls, HVAC and plug-in hybrid electric vehicles (PHEV) are leveraging TCP/IP smart objects with capabilities for machine-to-machine (M2M) communications. In essence, these devices are networked together with utilities’ demand-response and energy-forecasting systems and, ultimately, form subnetworks of neighborhood area networks (NANs), HANs or smart-utility networks (SUNs). To put this into perspective, the devices in the NAN and HAN subnetworks of the smart-grid network have information security characteristics similar to point-of-sale (POS) devices in the retail industry, with slightly heightened security (to protect individual power consumption profiles) and an extensive useful device life. The data from these devices typically involve power consumption and feed analytics for energy-demand forecasting (demand-response systems). Furthermore, these devices typically attach to the power distribution networks, and the grouping of these devices is in accordance with CIP-005-4a and CIP-002-4a. However, each device’s criticality for the safe operation of the grid is relatively low, with low asset value. The security risk for the reliable operation of the grid is normally confined to the data and not the device. Nevertheless, the data are quite critical for customer billing and indirect outage monitoring. Therefore, confidentiality, integrity and nonrepudiation of data are more important than availability.

Concept of FANs

FANs essentially comprise energy-transformation and switching devices with intelligence. Generally, these devices (also known as IEDs) are localized to electrical substations and, to an extent, are directly deployed along the electrical grid.15, 16 Examples of IEDs are electrical isolation and protection relays, bus-bars, feeders, switchgears, power transformers, pole-mounted transformers, FACTS, capacitor banks and auxiliaries. Just as in the case of HAN/SUN network elements, the FAN elements of the smart grid are networked together and leverage the TCP/IP stack for communications and control. Typically, such devices are part of power transmission and distribution networks. The data from these devices typically involve, for example, control of the switching operation of devices (systems) and status parameters such as oil temperature levels in transformers. Furthermore, the evolution of renewable, distributed energy generation and storage makes their respective IEDs suitable candidates for FAN classification because their criticality on the grid is higher. The security risk for the reliable operation of the grid lies in the communication and control of the device and in the device itself, because these devices are directly involved in energy transformation and switching. Finally, measurement of the electrical characteristics of voltage, current and phase from high-voltage devices such as transformers is an indirect process, normally carried out using instruments such as potential transformers (PT) and current transformers (CT). These instruments transmit critical data about the state of the transformers as well as analytical information. Therefore, due diligence has to be afforded to securing all data (analytical, control and communication). Grouping of these devices into FANs is a consequence of CIP-002-4a and CIP-002-5, in which confidentiality, integrity and availability on communication networks are all important for reliable operation.

Concept of CNs

Control of transmission and distribution devices such as transformers and relays along the electric grid is normally accomplished using SCADA systems and programmable logic controllers (PLCs). SCADA systems normally have associated systems for human-machine interfacing (HMI) and trending (e.g., historians). They can control and operate a large number of devices. Depending on the technical goals and requirements, they can be distributed across substations or centrally control multiple substations. SCADA systems, no matter how they are deployed, form some of the most important critical assets in a bulk energy system because of their ability to directly control, transform and redistribute power.17 Consequently, they normally have to be highly available and highly secure. The security risk for the reliable operation of the grid is not just the control system but the entire control subnetwork of the smart grid, which includes analytics, control, communications and devices. CNs essentially control large subnetworks of the smart grid, and compromises to them could seriously alter the state of the entire grid. SCADA systems are advanced systems and can be deployed using wireless technology built on private microwave radios, cellular and satellite communications.

Technology Threats and Considerations in Smart Grids

Smart-grid information security should be established on the foundations of confidentiality, integrity and availability of data for safe and reliable operation of the grid. Therefore, it is critical to identify and rationalize:

  1. The type of data being transmitted such as device control, device status monitoring or analytical. That is, identify device management traffic and data traffic (including communications and control).
  2. Individuals/systems that have access to the data
  3. The origin and destination of the data
  4. The intention for capturing and transmitting data

Once these are clearly established, precedence is set to establish system-to-system and user-to-system trust models. Furthermore, as shown in figure 3, data are being transmitted over conventional WAN/LAN technologies on the TCP/IP stack. Consequently, the common range of attacks and vulnerabilities apply. However, these attacks and vulnerabilities can be mitigated with existing security features already specified by the protocol or by leveraging the security services offered by other Internet Engineering Task Force (IETF) protocols.18, 19, 20 Just as in the traditional Open Systems Interconnect (OSI) seven-layer models, the vulnerabilities of IP for the smart grid are grouped as follows:

  • Physical and data link layer security—The IEDs in FANs and, to an extent, substation CNs are deployed in harsh environmental conditions, and the devices generate strong electromagnetic fields. This has particular electromagnetic interference (EMI) implications when the communication channel is established wirelessly (i.e., microwave, cellular, satellite). Another vulnerability with wireless is eavesdropping. Furthermore, as most of the devices in FANs leverage Ethernet technology, they are subject to MAC address spoofing. Consideration must be given to securing wireless links (Wi-Fi and WiMax). Additionally, just as in other information-sensitive systems, consideration must be given for:
    1. Separating management traffic from data traffic to separate VLANs, especially in FAN devices and CN systems
    2. Alternative paths for physical and logical redundancy such as sourcing services from different telecommunications service providers
    3. Avoidance of single points of failure in communication links
    These three points become extremely important when wireless SCADA systems are deployed.
  • Network and transport layer security—As the devices in FANs, NANs and CNs run on the TCP/IP stack, threats at the network and transport layer are denial-of-service (DoS) attacks by TCP SYN flooding, IP spoofing, threats on well-known TCP and UDP ports, and threats to IP routing protocols. The intent in all these cases is to either alter the routing table database or overload the processor. In accordance with NERC CIP-005-4a requirements, firewalls and next-generation firewalls provide mitigation techniques to detect DoS attacks and IP spoofing with capabilities to block TCP/UDP ports and ensure TCP session state integrity using stateful firewalls. In FAN and CN devices, consideration must be given to routing traffic through firewalls.
  • Application layer security—Application layer security is specifically relevant to CN systems (such as SCADA) and NAN devices (such as smart meters). NAN devices—much like smartphones and tablets—have operating systems, embedded databases for storage, forward functions and web applications. These devices typically connect to the distribution and transmission networks and other analytic systems in the service provider utility through a gateway on the HTTPS service over the Internet or, in some instances, they may utilize power-line communications. The primary threat with NANs is the exploitation of vulnerabilities to determine end-user power consumption profiles. Therefore, due consideration must be given to ensuring that the application gateways are within the utility provider’s enterprise network DMZ and protected by firewalls. SCADA systems in general are highly critical systems. When these systems are deployed wirelessly through private microwave radios, cellular and satellite communications, due consideration must be given to preventing exposure to eavesdropping, especially of the application data in transit, without compromising performance.
  • Network services, access and authentication—As the smart grid evolves, the devices on FANs, NANs and CNs will align to the Internet of Things running on the TCP/IP stack. Therefore, they will utilize enterprise network services such as Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and access and authentication. For all these network services, the guiding principle as per the NERC CIP requirements is, “The processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified.” This requirement sets the precedent for establishing information security trust models for user access to systems and system-to-system access. Efforts must be made to extend the established security principles of authentication (dual-factor), traceability and logging—from the enterprise networks to these devices.
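The deny-by-default principle quoted above, applied to flows among the article’s subnetworks, as an added example (not code from the article or from NERC). It assumes zone names NAN, FAN, CN, DMZ and MGMT, uses the well-known ports of DNP3 (20000), Modbus/TCP (502), IEC 61850 MMS (102), SNMP (161) and HTTPS (443), and evaluates constructed sample flows, separating management traffic (SNMP from the MGMT VLAN only) from control traffic (CN to FAN only) and counting half-open connections toward CN/FAN assets as a stateful firewall would for SYN-flood detection.

```python
"""Default-deny flow policy for smart-grid subnetworks (added example).

Zone names, port assignments and sample flows are assumptions constructed
for this demo; none of it is captured traffic or a vendor's policy format.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Well-known ports for the protocols the article names.
DNP3_TCP = 20000
MODBUS_TCP = 502
IEC61850_MMS = 102   # MMS over ISO transport on TCP (RFC 1006)
SNMP_UDP = 161
HTTPS = 443


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str           # "tcp" or "udp"
    dport: int
    syn_only: bool = False   # half-open handshake as seen by a stateful firewall


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto == f.proto and self.dport == f.dport)


# Explicit allow list: anything not listed here is denied (CIP deny-by-default).
ALLOW: list[Rule] = [
    # Control traffic: only the SCADA master in the CN may poll/command IEDs.
    Rule("CN", "FAN", "tcp", DNP3_TCP, "SCADA -> IED (DNP3)"),
    Rule("CN", "FAN", "tcp", MODBUS_TCP, "SCADA -> IED (Modbus/TCP)"),
    Rule("CN", "FAN", "tcp", IEC61850_MMS, "SCADA -> IED (IEC 61850 MMS)"),
    # Management traffic lives on its own VLAN and is the only source of SNMP.
    Rule("MGMT", "FAN", "udp", SNMP_UDP, "NMS -> IED (SNMP)"),
    Rule("MGMT", "CN", "udp", SNMP_UDP, "NMS -> SCADA host (SNMP)"),
    # Meters reach the utility only through the HTTPS gateway in the DMZ.
    Rule("NAN", "DMZ", "tcp", HTTPS, "smart meter -> AMI gateway (HTTPS)"),
]


def evaluate(flow: Flow, rules: list[Rule] = ALLOW) -> tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason). No matching rule means DENY."""
    for r in rules:
        if r.matches(flow):
            return "ALLOW", r.purpose
    return "DENY", "no explicit permission (default deny)"


def audit(flows: list[Flow]) -> dict:
    """Evaluate a batch of flows; summarise denials per source zone and count
    half-open (SYN-only) connections aimed at CN/FAN assets, the indicator a
    stateful firewall uses to flag a possible SYN flood against control gear."""
    decisions, denied_by_src, half_open = [], Counter(), 0
    for f in flows:
        verdict, reason = evaluate(f)
        decisions.append((f, verdict, reason))
        if verdict == "DENY":
            denied_by_src[f.src_zone] += 1
        if f.syn_only and f.dst_zone in ("CN", "FAN"):
            half_open += 1
    return {"decisions": decisions, "denied_by_src": dict(denied_by_src),
            "half_open_to_critical": half_open}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("CN", "FAN", "tcp", DNP3_TCP),       # legitimate SCADA poll
    Flow("NAN", "DMZ", "tcp", HTTPS),         # meter upload via DMZ gateway
    Flow("NAN", "FAN", "tcp", MODBUS_TCP),    # meter segment reaching an IED
    Flow("FAN", "CN", "tcp", DNP3_TCP),       # reverse direction, not permitted
    Flow("CN", "FAN", "udp", SNMP_UDP),       # management traffic on the data path
    Flow("NAN", "CN", "tcp", 22),             # unlisted service toward SCADA
    Flow("NAN", "CN", "tcp", 22, syn_only=True),
    Flow("NAN", "CN", "tcp", DNP3_TCP, syn_only=True),
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for f, verdict, reason in report["decisions"]:
        print(f"{verdict:5} {f.src_zone:>4} -> {f.dst_zone:<4} "
              f"{f.proto}/{f.dport:<5} {reason}")
    print("denied per source zone:", report["denied_by_src"])
    print("half-open toward CN/FAN:", report["half_open_to_critical"])
```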

Conclusion

As smart grids evolve, they are experiencing a proliferation of perimeter devices with uncontrolled intelligence along the power grid, resulting in information security issues for the safe and reliable distribution of power. This article outlines these threats for information security practitioners and assurance professionals and suggests the use of InfoSec Frames to contain them.

NANs, HANs, SUNs, CNs and FANs are architectural illustrations of role-based groupings of devices as they align with the Internet of Things for smart-grid networks. The security risk profiles in smart grids are different from those of traditional businesses and enterprise networks because of the nature of devices in critical infrastructure and the role they play in generating, transmitting and distributing power.

Furthermore, the reliable operation of the electric grid has traditionally been a discipline within electrical engineering and power systems engineering. However, as the existing electric grid evolves into the smart grid, the secure and reliable operation of the electric grid becomes interdisciplinary between information security practitioners and power engineers. This article puts the regulatory and technical bodies of knowledge for power-grid infrastructure into perspective for information security and audit professionals.

Endnotes

1 Zetter, K.; “Maker of Smart-Grid Control Software Hacked,” Wired, 26 September 2012, www.wired.com/threatlevel/2012/09/scada-vendor-telvent-hacked
2 Navigant Research, “Investments in Smart Grid Cyber Security to Total $14 Billion Through 2018,” 1 March 2012, www.pikeresearch.com/newsroom/investments-in-smart-grid-cyber-security-to-total-14-billion-through-2018
3 Roney, Michael; “Building the Smart Grid Promise, Challenge and Transformation,” Alcatel-Lucent, http://enterprise.alcatel-lucent.com/private/images/public/si/pdf_smartBuilding.pdf
4 Yan, Y.; Y. Qian; H. Sharif; D. Tipper; “A Survey on Cyber Security for Smart Grid Communications,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, fourth quarter 2012, 1 March 2012, p. 998
5 For a comprehensive list of the NERC compliance requirements of standards, refer to www.nerc.com/page.php?cid=2|20.
6 Adamiak, M.; D. Baigent; R. Mackiewicz; “IEC 61850 Communication Networks and Systems in Substations: An Overview for Users,” GE Digital Energy
7 National Institute for Standards and Technology, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, NIST Special Publication 1108, January 2010, www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf
8 Cisco Systems Inc., Cisco Connected Grid Security for Field Area Network, 2012, www.cisco.com/web/strategy/docs/energy/C11-696279-00_cgs_fan_white_paper.pdf
9 Cisco Systems Inc., A Standardized and Flexible IPv6 Architecture for Field Area Networks Smart: Grid Last Mile Infrastructure, 2011, www.cisco.com/web/strategy/docs/energy/ip_arch_sg_wp.pdf
10 Baker, F.; D. Meyer; “Internet Protocols for the Smart Grid,” Cisco Systems
11 Rugged.com, “KONCAR-KET Chooses Rugged.com for Refurbishment of MEPSO High Voltage Substation in Macedonia,” case study, www.ruggedcom.com/support/case-studies/mepso/mepso.php
12 Op cit, Baker and Meyer
13 Op cit, Yan, et al
14 GridWise Architecture Council (GWAC), “Ensuring Smart Grid Interoperability,” proceedings, 11-13 November 2008, www.gridwiseac.org/pdfs/grid_interop_08_proceedings.pdf
15 Op cit, Cisco Systems Inc., 2012
16 Op cit, Cisco Systems Inc., 2011
17 Bentek Systems SCADA & Telemetry Solutions, “An Introduction to SCADA,” www.scadalink.com/support/scada.html
18 Op cit, Cisco Systems Inc., 2012
19 Op cit, Cisco Systems Inc., 2011
20 Op cit, Baker and Meyer

Naresh Kurada, CISA, MSEE, P.Eng., is a senior consultant at KPMG LLP, Toronto, Canada. Kurada can be reached at nkurada@kpmg.ca.

A. Alex Dhanjal, P.Eng., is a partner at KPMG Canada. Dhanjal can be reached at adhanjal@kpmg.ca.

Bala Venkatesh, Ph.D., P.Eng., is an associate professor and academic director for the Center for Urban Energy, Ryerson University (Toronto, Ontario, Canada). Venkatesh can be reached at bala@ryerson.ca.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.
