Naresh Kurada, CISA, MSEE, P.Eng., A. Alex Dhanjal, P.Eng. and Bala Venkatesh, Ph.D., P.Eng.
In September 2012, Telvent, the smart-grid giant owned by Schneider Electric, reported that hackers had broken through its firewall and security systems and breached its OASyS SCADA product. Telvent uses the same system to control power grids, oil and gas pipelines and industrial controls around the world and to integrate with utility enterprise systems and new smart-grid platforms.1 Incidents such as this, the Stuxnet worm, the Night Dragon attacks and cyberhacking for sport show that attacks are being highly monetized and targeted toward the power and utility industry’s assets.
Today, a major part of the existing electric-grid architecture and the infrastructure components used to operate distribution networks are relatively basic, lacking advanced information analytics and the resulting self-healing capabilities for power redistribution. However, as these grid infrastructure components are fitted with information and communications technology (ICT) to provide analytics and self-healing capabilities, the entire grid becomes even more susceptible to malicious attacks. Further, a recent survey of 213 utility and smart-grid professionals revealed that 65 percent of executives believe that the technology most vulnerable to cyberattacks is grid operations and information technologies. It is estimated that cumulative investments in smart-grid cybersecurity alone will total US $14 billion through 2018. This is separate from the US $200 billion investment in global smart grids, which includes a US $53 billion investment in the US alone by 2015.2, 3
The existing electric-grid architecture is a relatively linear model with clear boundaries among generation, transmission and distribution of power. However, the smart-grid architecture brings about a paradigm shift from the linear model to a distributed energy-generation model. Therefore, to devise a conceptual smart-grid security architecture, it is necessary to contextualize the smart-grid business with respect to the value network and the stakeholders.
This article introduces and puts into perspective the last-mile InfoSec Frames framework for smart-grid perimeter (network edge) devices, with an eye to adapting the lessons learned from other information-sensitive industries. At the same time, the article presents and compares the evolving last-mile information security models to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards (CIP-002-4 through CIP-009-4). This contextualization provides the specific boundaries for the treatment of information security for the value players in the last-mile transmission and distribution operations of a smart grid.
The National Institute of Standards and Technology (NIST) has developed the NIST Smart Grid Framework 1.0 as a reference model for all other smart-grid architectures.
Figure 1 reveals the stakeholders and illustrates a high-level landscape of the interplay among the various players of the value network. The value network players are the various technical equipment manufacturers that develop control, communications, monitoring and analytics products within and across domains. Additionally, the technology standards committees and regulatory bodies are the other stakeholders. Interestingly, the demands in the 21st century for cleaner energy have given rise to new stakeholders who normally tap renewable energy sources such as wind and solar energy to generate power. The industry terms these stakeholders distributed energy generators (DG). The DGs are incentivized by government programs such as feed-in tariff (FIT) programs that sell and supply energy to consumers (and utilities) using the existing power-grid infrastructure. Depending on their size, DGs normally tap into transmission and distribution networks. The consumer is the ultimate stakeholder, with demands for efficient and smarter power consumption, including charging electric vehicles.
Unlike traditional information security in enterprise networks, which has as its primary objective the protection of data, the key objective of information security in smart-grid networks is to protect human life and ensure system reliability during power generation, transmission and distribution. In general, power and electricity encompass every aspect of human society and nations; the very critical nature of generating and delivering power establishes a business objective that requires 100 percent reliable availability and delivery of power at any cost.
Consequently, the business precedence for human safety and reliability is set for utilities and normally overrides other attributes such as efficiency, economics and, in some instances, quality of power. This simple, critical fact clearly differentiates the utilities from other enterprise business networks such as retail, manufacturing and banking, which emphasize economics and efficiency. Furthermore, unlike the systems of enterprise networks where the information security is primarily focused on protecting data, the focus of information security in the smart-grid network is multifaceted. In smart-grid networks, information security has to primarily address what will happen to the electrical state of the grid when one of its devices is compromised. The smart-grid perimeter devices generate the less important analytical data (such as for metering and efficiency purposes) and the more important control data for the transmission and distribution of power within the grid. Compromises to the control data and signals can significantly alter the state of the grid and negatively affect the reliable delivery of power. Additionally, the smart-grid network asset has a higher value than the information it generates because the asset is critical for the reliable operation of the grid; therefore, the information security tenets of confidentiality, integrity and availability must ensure protection of data for safe and reliable grid operation.4
In addition to the general enterprise networks, with systems such as enterprise resource planning (ERP) systems and high-availability networks, electric grids have a variety of critical energy storage and switching devices and systems such as electrical isolation and protection relays, bus-bars, feeders, switchgears, power transformers, pole-mounted transformers, flexible alternating current transmission systems (FACTS), capacitor banks, and auxiliaries. With the smart grid, these devices and systems become numerous active perimeter devices of the smart-grid network and leverage ICT for analytics, command and control, representing dynamic and intelligent machine-to-machine communications for reliable grid operation. Therefore, developing a balance between information security and reliable grid operation is a unique challenge for establishing system-to-system trust models, data modeling and treatment, and asset management because of the scale and scope of the large number of active devices.
Finally, unlike enterprise networks, the smart-grid network (especially for perimeter devices) is in its infancy; as such, no corroboration and/or benchmark frameworks exist for system-to-system trust models, data modeling and treatment, and asset management, which poses practical implementation challenges for all of the players in the value network.
NERC has developed the CIP standards to set the compliance requirements, definitions and frameworks for the protection of cyberassets in support of reliable operation of the bulk electric system (BES). Analyses of these standards reveal that they rest on the generally accepted principles of confidentiality, integrity and availability of information in transit and at rest. Furthermore, once the information criteria have been established, these compliance requirements can be easily mapped to COBIT and, for the purposes of this article’s focus, to models of information security architecture. The requirements from pertinent standards are listed in figure 2.5
The current communication and control of the devices that make up the existing grid and BES are localized and operate as independent networks. The existing intelligent electronic devices (IEDs), the remote terminal units (RTUs), and the supervisory control and data acquisition (SCADA) systems in substations and automation controls are networked together over Ethernet or serial communication ports using protocols such as the IEC 61850 communications standards,6 Distributed Network Protocol (DNP3) and Modbus. In addition, the current power-grid wide area networks (WANs) also utilize power line communication and dark fiber.
As these devices and systems begin to evolve into active devices in the smart grid, numerous challenges can be foreseen with respect to creating efficient and optimized data and system-to-system trust models for analytics as well as control. These technical challenges are in addition to the management of the huge amount of data that could be generated for meaningful warehousing and mining purposes. However, the opportunities are huge in terms of improved efficiency and effectiveness of reliable power generation, distribution and transmission when these systems can be interconnected. Examples of such effectiveness are self-healing power networks realized by redistribution of power through alternative paths, grid asset maintenance and advanced asset monitoring. Consequently, numerous equipment manufacturers either have attempted or are attempting to evolve BES by leveraging the technical flexibility of the Internet Protocol (IP) and WAN technologies.
The Transmission Control Protocol/Internet Protocol (TCP/IP) stack and the widely available WAN technologies are technically flexible with capabilities to encapsulate or tunnel existing grid communication protocols such as IEC 61850 communication standards, DNP3 and Modbus.7, 8, 9, 10, 11 Furthermore, they provide a uniform abstraction of the network that hides the differences among various network technologies,12, 13 facilitating enhanced interoperability. This evolution has led to the creation of communication network setups (see figure 3).
Although, on the surface, such network setups seem chaotic and amorphous, an organization of the network and communication architectures based on criticality (electrical switching and control), generation and consumption is emerging. The emergence and organization of smart-grid networks is also evidenced by the NIST- and US Department of Energy-led GridWise Domain Expert Working Groups of Building to Grid (B2G), Home to Grid (H2G) and Industrial to Grid (I2G).14
As the smart-grid models evolve, different conceptual architectural models are beginning to emerge. The architectures of networks of devices are evolving in accordance with the NERC CIP Reliability Standards.
InfoSec Frames is an information security framework for the information security treatment of the perimeter devices that fits into the subnetwork architectures of the smart-grid network. InfoSec Frames (figure 4) specifically describes the security treatment for the subnetwork architectures for home area networks (HANs), field area networks (FANs) and control networks (CNs). In addition, the framework facilitates abstraction with a common set of security attributes.
Concept of NANs, HANs and SUNs
Numerous devices such as smart energy meters (advanced metering infrastructure [AMI]), water heaters, home energy controls, HVAC and plug-in hybrid electric vehicles (PHEV) are leveraging TCP/IP smart objects with capabilities of machine-to-machine (M2M) communications. In essence, these devices are networked together with utilities’ demand-response and energy-forecasting systems and, ultimately, form subnetworks of neighborhood area networks (NANs), HANs or smart-utility networks (SUNs). To put this further into perspective, the devices in subnetworks of NANs and HANs of the smart-grid network have information security characteristics similar to point of sale (POS) devices in the retail industry, with slightly heightened security (to protect individual power consumption profiles) and an extensive useful device life. The data from these devices typically involve power consumption and feed as analytics into energy-demand forecasting (demand-response systems). Furthermore, these devices typically attach to the power distribution networks, and the grouping of these devices is in accordance with CIP-005-4a and CIP-002-4a. However, each device’s criticality for the safe operation of the grid is relatively low, with low asset value. The security risk for the reliable operation of the grid is normally confined to the data and not the device. Nevertheless, the data are quite critical for customer billing and indirect outage monitoring. Therefore, confidentiality, integrity and nonrepudiation of data are more important than availability.
Concept of FANs
FANs essentially comprise energy-transformation and switching devices with intelligence. Generally, these devices (also known as IEDs) are localized to electrical substations and, to an extent, are directly deployed along the electrical grid.15, 16 Examples of IEDs are electrical isolation and protection relays, bus-bars, feeders, switchgears, power transformers, pole-mounted transformers, FACTS, capacitor banks, and auxiliaries. Just as in the case of HAN/SUN network elements, the FAN elements of the smart grid are networked together and leverage the TCP/IP stack for communications and control. Typically, such devices are part of power transmission and distribution networks. The data from these devices typically involve, for example, control of the switching operation of devices (systems) and status parameters such as oil temperature levels in transformers. Furthermore, the evolution of renewable, distributed energy generation and storage makes their respective IEDs suitable candidates for FAN classification because their criticality on the grid is higher. The security risk for the reliable operation of the grid lies in the communication and control of the device and in the device itself, because they are directly involved in energy transformation and switching. Finally, measurement of the electrical characteristics of voltage, current and phase from high-voltage devices such as transformers is an indirect process, which is normally carried out using instruments such as potential transformers (PT) and current transformers (CT). These instruments transmit critical data about the state of the transformers and analytical information. Therefore, due diligence has to be afforded to securing all data (analytical, control and communication). Grouping of these devices into FANs is a consequence of CIP-002-4a and CIP-002-5, in which confidentiality, integrity and availability on communication networks are all important for reliable operation.
Concept of CNs
Control of transmission and distribution devices such as transformers and relays along the electric grid is normally accomplished using SCADA systems and programmable logic controllers (PLCs). SCADA systems normally have associated systems for the human-machine interface (HMI) and trending (e.g., Historian). They can control and operate a large number of devices. Depending on the technical goals and requirements, they can be distributed in substations or centrally control multiple substations. SCADA systems, no matter how they are deployed, form some of the most important critical assets in a bulk energy system because of their ability to directly control, transform and redistribute power.17 Consequently, they normally have to be highly available and highly secure. The security risk for the reliable operation of the grid is not just the control system but the entire control subnetwork of the smart grid, which includes analytics, control, communications and devices. CNs essentially control large subnetworks of the smart grid, and compromises to them could seriously alter the state of the entire grid. SCADA systems are advanced systems and can be deployed using wireless technology built on private microwave radios, cellular and satellite communications.
Smart-grid information security should be established on the foundations of confidentiality, integrity and availability of data for safe and reliable operation of the grid. Therefore, it is critical to identify and rationalize:
Once these are clearly established, precedence is set to establish system-to-system and user-to-system trust models. Furthermore, as shown in figure 3, data are being transmitted over conventional WAN/LAN technologies on the TCP/IP stack. Consequently, the common range of attacks and vulnerabilities apply. However, these attacks and vulnerabilities can be mitigated with existing security features already specified by the protocol or by leveraging the security services offered by other Internet Engineering Task Force (IETF) protocols.18, 19, 20 Just as in the traditional Open Systems Interconnect (OSI) seven-layer models, the vulnerabilities of IP for the smart grid are grouped as follows:
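As an added illustration of this point (example code written for this discussion, not code from the article’s authors, NERC, NIST or any vendor): a small Modbus/TCP triage routine that parses the MBAP header, separates analytical reads from control writes, and flags control commands arriving from hosts outside the control network. The host allowlist, addresses and frames are constructed for the example.

```python
"""Modbus/TCP request triage for a control-network monitor.
Example code for this article discussion; hosts and frames are constructed."""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification).
READ_CODES = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_CODES = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}

# Constructed allowlist: SCADA hosts permitted to issue control (write) commands.
CONTROL_NETWORK_HOSTS = {"10.0.50.10", "10.0.50.11"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    and the PDU that follows it; reject frames that are not well-formed Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus: protocol id {proto}")
    # The length field counts unit id + PDU, so the frame must be 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(frame)} bytes")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes) -> str:
    """Return 'analytical', 'control' or 'alert:<reason>' for one request.
    Writes are control data (the data that can alter grid state), so a write
    from outside the control network is raised as an alert."""
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return f"alert:malformed ({exc})"
    if req.function_code in READ_CODES:
        return "analytical"
    if req.function_code in WRITE_CODES:
        if src_ip in CONTROL_NETWORK_HOSTS:
            return "control"
        return f"alert:{WRITE_CODES[req.function_code]} from non-control host {src_ip}"
    return f"alert:unexpected function code {req.function_code}"


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; used only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic as (source IP, frame) pairs.
SAMPLE_TRAFFIC = [
    ("10.0.50.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),      # read 10 registers
    ("10.0.50.10", build_frame(2, 1, 5, struct.pack(">HH", 7, 0xFF00))),  # write coil 7 ON
    ("192.168.1.77", build_frame(3, 1, 5, struct.pack(">HH", 7, 0))),     # write from outside CN
    ("10.0.50.11", b"\x00\x04\x00\x00\x00\x02\x01"),                      # truncated frame
]


def triage(traffic=SAMPLE_TRAFFIC) -> list:
    return [classify(ip, frame) for ip, frame in traffic]


if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLE_TRAFFIC, triage()):
        print(f"{ip:14} {verdict}")
```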
As smart grids evolve, they are experiencing the proliferation of perimeter devices with uncontrolled intelligence along the power grid, resulting in information security issues for the safe and reliable distribution of power. This article outlines the threats for information security practitioners and assurance professionals and suggests the use of InfoSec Frames to contain them.
NANs, HANs, SUNs, CNs and FANs are architectural illustrations of role-based groupings of devices as they align with the Internet of Things for smart-grid networks. The security risk profiles in smart grids are different from those of traditional businesses and enterprise networks because of the nature of devices in critical infrastructure and the role they play in generating, transmitting and distributing power.
Furthermore, the reliable operation of the electric grid has traditionally been a discipline within electrical engineering and power systems engineering. However, as the existing electric grid evolves into the smart grid, the secure and reliable operation of the electric grid becomes interdisciplinary between information security practitioners and power engineers. This article puts the regulatory and technical bodies of knowledge for power-grid infrastructure into perspective for information security and audit professionals.
1 Zetter, K.; “Maker of Smart-Grid Control Software Hacked,” Wired, 26 September 2012, www.wired.com/threatlevel/2012/09/scada-vendor-telvent-hacked
2 Navigant Research, “Investments in Smart Grid Cyber Security to Total $14 Billion Through 2018,” 1 March 2012, www.pikeresearch.com/newsroom/investments-in-smart-grid-cyber-security-to-total-14-billion-through-2018
3 Roney, Michael; “Building the Smart Grid Promise, Challenge and Transformation,” Alcatel-Lucent, http://enterprise.alcatel-lucent.com/private/images/public/si/pdf_smartBuilding.pdf
4 Yan, Y.; Y. Qian; H. Sharif; D. Tipper; “A Survey on Cyber Security for Smart Grid Communications,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, fourth quarter 2012, 1 March 2012, p. 998
5 For a comprehensive list of the NERC compliance requirements of standards, refer to www.nerc.com/page.php?cid=2|20.
6 Adamiak, M.; D. Baigent; R. Mackiewicz; “IEC 61850 Communication Networks and Systems in Substations: An Overview for Users,” GE Digital Energy
7 National Institute for Standards and Technology, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, NIST Special Publication 1108, January 2010, www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf
8 Cisco Systems Inc., Cisco Connected Grid Security for Field Area Network, 2012, www.cisco.com/web/strategy/docs/energy/C11-696279-00_cgs_fan_white_paper.pdf
9 Cisco Systems Inc., A Standardized and Flexible IPv6 Architecture for Field Area Networks: Smart Grid Last Mile Infrastructure, 2011, www.cisco.com/web/strategy/docs/energy/ip_arch_sg_wp.pdf
10 Baker, F.; D. Meyer; “Internet Protocols for the Smart Grid,” Cisco Systems
11 Rugged.com, “KONCAR-KET Chooses Rugged.com for Refurbishment of MEPSO High Voltage Substation in Macedonia,” case study, www.ruggedcom.com/support/case-studies/mepso/mepso.php
12 Op cit, Baker and Meyer
13 Op cit, Yan, et al.
14 GridWise Architecture Council (GWAC), “Ensuring Smart Grid Interoperability,” proceedings, 11-13 November 2008, www.gridwiseac.org/pdfs/grid_interop_08_proceedings.pdf
15 Op cit, Cisco Systems Inc., 2012
16 Op cit, Cisco Systems Inc., 2011
17 Bentek Systems SCADA & Telemetry Solutions, “An Introduction to SCADA,” www.scadalink.com/support/scada.html
18 Op cit, Cisco Systems Inc., 2012
19 Op cit, Cisco Systems Inc., 2011
20 Op cit, Baker and Meyer
Naresh Kurada, CISA, MSEE, P.Eng., is a senior consultant at KPMG LLP, Toronto, Canada.
A. Alex Dhanjal, P.Eng., is a partner at KPMG Canada.
Bala Venkatesh, Ph.D., P.Eng., is an associate professor and academic director for the Center for Urban Energy, Ryerson University (Toronto, Ontario, Canada).
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.