
Practical Smart Grid Security

Page 1: Practical Smart Grid Security

Practical Smart Grid Security
• Skipping “why security is important”
• The state of smart grid security now
• Standards set, standards coming
• General Templates & Helpful Docs
• Making decisions without standards

Page 2: Practical Smart Grid Security

The Smart Grid Security Problem
• Large AMI projects are being prematurely deployed “live” onto the grid without adequate security technologies in place, putting national infrastructure (and consumers) at risk.
  – Utilities may face liability claims and possibly regulatory fines if inadequate security enables hackers or terrorists to use smart grid vulnerabilities to interrupt service or steal customer data.
  – Consumers who believe a utility has not secured their information will resist smart grid rollouts politically in the future.
• Security problems are impacting active deployments (San Diego Gas & Electric 2Q09 missed deadline).
• The required cryptography expertise is often simply not present in these organizations.
• Mature security standards and best practices (from other disciplines) already exist that could facilitate secure smart grid deployment, but SG designers are often unaware of them.

Page 3: Practical Smart Grid Security

Why Securing the Smart Grid is Hard
• Problem space is poorly defined
  – No universally agreed-upon objectives or desired outcomes for security (SG Security Blueprint, currently in version 0.2, is trying to address this)
• Cutting edge networking technology invading a “slow-tech” industry
  – Utilities not usually rapid adopters of new technologies
  – Cultural issues between conservative engineers and “agile” IT/VC types
  – Technological, best-practices chasms between the IP-based IT community and the “Babel” of traditional industrial control systems
• Multiple stakeholders with different agendas
  – Utilities, regulators, consumers, integrators, IT companies, software co’s, network providers, maintenance co’s, entrenched equipment providers… and security experts.

Page 4: Practical Smart Grid Security

Technologies in the SmartGrid Value Chain

Page 5: Practical Smart Grid Security

Individual domains often developed independently without regard for requirements of other layers

Source: Enernex

Page 6: Practical Smart Grid Security

Case in Point: Communications Standards in Different Smart Grid Domains

Source: Enernex

Page 7: Practical Smart Grid Security

SmartGrid Segments & Players

Pervasive Enablement
• Connectivity: Arch Rock, Digi International, Echelon, Ember, Enfora, Garrettcom, Lantronix, Moxa, Opto-22, Ruggedcom, Sierra Wireless, B&B Electronics, Perle
• IT Infrastructure: HP, IBM, OSIsoft, Cisco, Oracle, EMC, Sun Microsystems, Google, Microsoft
• Carriers: Verizon, ATT, Orange, Sprint/Nextel, T Mobile

Product/Device OEMs
• Power Generation: GE Energy, Siemens, Alstom, ABB, Areva, Hitachi, Toshiba, Mitsubishi
• Power Gen – Distributed
  – Wind: Gamesa, GE Energy, Vestas, Suzlon, Enercon, Clipper
  – PV: SunPower, First Solar, Q-Cells, Sharp, Suntech
  – DG: Smart Fuel Cells, Capstone, EnerFuel, infinia, Cummins Power Gen., Rolls-Royce, Caterpillar, UTC Fuel Cells, Whisper Tech

Services
• Energy Services: Ameresco, EnergySolve, Power System Eng’ng, Horizon Energy Group, Summit Energy, Chevron Energy Sol., Constellation Energy, NORESCO, AECOM, Pepco, KEMA
• Integrators: Accenture, CapGemini, EDS / HP, Enspiria, IBM, Logica CMG
• Energy Traders: Sempra
• Arch/Engineers: Black & Veatch, Sargent & Lundy, Power System Eng’ng, URS Corp, Jacobs Engineering, Fluor
• Electrical Distributors: Rexel, Sonepar, Graybar Electric, WESCO Electric

Utilities
• Investor Owned: Duke Energy, Xcel, PG&E, Con Edison, Sempra Energy, FPL, AEP, Northeast Utilities, Exelon
• Global: Enel, Hydro One, Elektromed, Vattenfall, Fortum, E.ON

• Software: Mocana, Cimetrics, eMeter, Gridagents/Infotility, GridLogix/JCI, SmartSignal, Tendril, Tridium, Ventyx, Optimal Tech, Positive Energy, BPL Global
• Networks: Arcadian Networks, Ambient Networks, Tropos, SkyTel
• Managed Services: Aeris.net, Qualcomm, Kore Telematics
• Home Energy: Energate, Radio Thermostat, Sequentric, ONZO, Greenbox Tech, Powermand, 4Home, LS Research
• Premise Equipment – Meters: Elster, GE Energy, Itron, Sensus, Landis & Gyr, Tantalus, Transdata
• Power Dist Equipment: ABB, Schneider Elec, Eaton, GE, Hitachi, Siemens, Cooper, EDMI, Nova Tech, S&C Electric, SEL, Fuji
• Batteries
• AMI Infrastructure: Silver Spring, Trilliant, Current Group, Elster, Itron, Sensus, SmartSync, Tantalus, Cellnet & Hunt, Aclara, Eka Systems
• Demand Response Systems: Enernoc, Comverge, Advanced Telemetry, GridPoint, Cpower, DeepStream

End Use: Commercial, Institutional, Industrial, Residential

Page 8: Practical Smart Grid Security

SmartGrid Security Now: Dozens of non-interoperable pilot implementations across the country.

• California – PG&E is on track to deploy nearly 10 million electric and gas meters by end of 2011, currently at 2.3 million installed. GE, Silver Spring Networks.
• Austin, Texas – Austin Energy to roll out Phase 1 smart-grid project of 500k smart meter devices by July ’09. The utility has also installed 86,000 smart thermostats and 2,500 distribution grid sensors across its service territory. GE Energy, IBM, Oracle, GridPoint.
• Ontario, Canada – The province mandated installation of 1.3 million smart meters in every home and small business by 2010. Trilliant to provide communication infrastructure and software applications.
• Enel of Italy – over 27 million installed smart meters, largest in the world, at a cost of >€2.1b. Enel estimates savings at 500 million Euros/yr, suggesting an astonishingly short 4 year payback time.

These projects are very large in scale, typically ~$1b each. EPRI estimates the spend on these projects in the US at ~$8b annually for the next 20 years!

Page 9: Practical Smart Grid Security

Security Challenges in AMI

Page 10: Practical Smart Grid Security

Template: Smart Grid Security Lifecycle

Source: Southern California Edison

Page 11: Practical Smart Grid Security

Security Standards
Groups to Keep an Eye On: UCA International Users Group (UCAIug – SG Security Working Group), AMI-SEC Task Force, NIST Cyber Security Coordination Task Group, Advanced Security Acceleration Project (ASAP-SG)

Interim SmartGrid Roadmap published by the National Institute of Standards & Technology (NIST) in Sept ’09… covers >100 standards. Already announced:
• UtilSec Working Group of UCAIug; AMI-SEC System Security Requirements
  – SECURITY PROFILE BLUEPRINT 0.20 (Dec ’09)
  – Associated, application-specific Security Profile (SP) documents
• IEC standard for “Information security for power system control operations”
• IEEE 1686 “Security for intelligent electronic devices”
• North American standard for “Information security for power system control”
• NIST “Cyber security standards and guidelines for federal information systems, including those for the bulk power system.”
  – OTHERS: OpenHAN, Zigbee, Z-Wave, Homeplug, IEC 62351, OpenADR
  – IEC 61850, international standard for electric power device communication interoperability.

Page 12: Practical Smart Grid Security

Security Standards
Announced Two Days Ago: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0
http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf

• a conceptual reference model to facilitate design of an architecture for the Smart Grid overall and for its networked domains;
• an initial set of 75 standards identified as applicable to the Smart Grid;
• priorities for additional standards – revised or new – to resolve important gaps;
• action plans under which designated standards-setting organizations will address these priorities; and
• an initial Smart Grid cyber security strategy and associated requirements.

A companion draft document, NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements, also underwent public review. A subsequent draft of the cyber security strategy will be issued in February. NIST intends to finalize the Smart Grid cyber security standards in late spring (!)

Page 13: Practical Smart Grid Security

Some Individuals to Watch
“Moving the Needle” on SmartGrid Security

George Arnold

Bobby Brown

Kevin Brown

Matthew Carpenter

Darren Highfill

Erfan Ibrahim

James Ivers

Teja Kuruganti

Annabelle Lee

Howard Lipson

Jim Nutaro

Justin Searle

Vishant Shah

Brian Smith

Adrian Turner

Andrew Wright

Page 14: Practical Smart Grid Security

What We’re All Waiting For
• Smart Grid Security Blueprint 1.0 from UCAIug
• Associated “Security Profiles” for specific applications.
  – provide prescriptive, actionable guidance for how to implement security for smart grid functionality.
  – Vendor agnostic

Page 15: Practical Smart Grid Security

What to do in the meantime
• Read the draft blueprint from UCAIug and any security profiles you can get your hands on.
• Seek out crypto and security expertise for your project (in house or outside), and assign a lead – don’t wing it.
• Design for the Future = “All IP”.
• Be especially wary of vendor lock-in at this stage.
• Design for Flexibility = secure remote updating capabilities – and PKI keying approaches are crucial.
• Ask lots of questions!!
• Get a third-party security evaluation when your architecture is defined, and when you’re in Beta.

Page 16: Practical Smart Grid Security

Other Docs to Reference
• Electric Power Research Institute (EPRI). 2009, June. Report to NIST on the Smart Grid Interoperability Standards Roadmap.
• National Institute of Standards and Technology. 2009, September. NISTIR 7628 – Smart Grid Cyber Security Requirements (Draft 1).
• Department of Homeland Security, National Cyber Security Division. 2009, September. Catalog of Control Systems Security: Recommendations for Standards Developers.
• National Institute of Standards and Technology. 2007, December. NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems.
• National Institute of Standards and Technology. 2007, December. NIST SP 800-39 (second public draft) – Managing Risk from Information Systems.
• National Institute of Standards and Technology. 2007, December. NIST SP 800-53 Rev. 2 – Recommended Security Controls for Federal Information Systems.
• National Institute of Standards and Technology. 2007, September 28. NIST SP 800-82 – Guide to Industrial Control Systems (ICS) Security (2nd DRAFT).
• The Common Criteria. 2007, September. Common Criteria v3.1 – Part 2: Security Functional Requirements Release 2 and Part 3: Security Assurance Requirements Release 2.
• UCA International Users Group – SG Security Working Group. 2009, October. Security Profile for Advanced Metering Infrastructure (Draft 0.49).

Page 17: Practical Smart Grid Security

Summary
• Smart Grid security is a big problem with a big surface area; it’s not limited to a few poorly-implemented products or rollouts.
• Be mindful that security for embedded environments and sensor networks is its own discipline – you can’t directly map traditional PC/IT security over to the Grid.
• Security expertise isn’t readily available within Utilities or the equipment companies that supply them – you must seek it out.
• Realize that vendors will try hard to lock you into proprietary solutions at this stage.
• Standards are coming, but not fast enough – that means you’ll need to improvise, and try to keep your options open for the future.

Page 18: Practical Smart Grid Security

Slides or Docs?

• Send me an email at [email protected] and I’ll send you the current standards blueprint and these slides.