Nenad Andrejević

Comtrade Solutions Engineering

Security in Smart Grid / IoT

Why is security important

Introduction

With so much of our lives connected to the Internet – from our critical infrastructure andnational security systems to our cars and bank accounts – we know the urgency ofaddressing these new and growing cyber threats.

Traditional power grid

• The present infrastructure is overstrained and inter region bulk transfer is limited

• Cannot fully support the integration of renewable energy

• Low reliability of Power - Outage

• Fluctuating quality of Power

• Major source is fossil fuel

• Efficiency of Power transmission

• Almost zero customer participation

• Low Billing and collecting efficiency

Smart Grid v3

• Decentralization of Generating resources

• Integration of all sources of energy, mainly renewable

• Continuous monitoring and feedback from the network

• Anticipation of faults and helps in fault prevention

• Establishes a two-way communication between the utilities and the consumers

• Reduces the stress on the power system infrastructure

• Reduces and shifts the peak demand

• Continuous self-learning

SECURITY THREATS TO THE ENERGY NETWORK

• CYBER-ATTACKS: • MALWARE INJECTIONS,

• “DENIAL OF SERVICE”,

• REMOTE CONNECT / DISCONNECT COMMANDS

• ATTACKS ON PRIVACY

• REVENUE PROTECTION – THE THEFT OF DATA AND ENERGY

Landscape of attack

• Oil pipeline explosion in Turkey 2008

• Stuxnet Virus

• Ukraine Attack

• U.S. grid was successfully hacked 2015

Privacy concern #1

Privacy concern #2

Risk Levels

UTILITY

Back office

HEAD END SYSTEM

Collection system

WAN

Wide Area Network

FAN

Field Area Network

HAN

Home Area Network

Smart Meter

More Secure

Least Secure

Highest Risk

Least Risk

CiscoNMS

Network Options

Billing/CIS

OMSDMS SCADA

Utility Systems and Back Office

Business Outcomes

Consumer Engagement

EV SmartCharging

Smart Payment

EnergyEfficiency

Meter-to-Cash

RevenueAssurance

RenewablesIntegration

DemandResponse

OutageManagement

DistributionAutomation

Analytics

» Transformer Load Management» Power Quality (Voltage/Outage)» Energy Diversion Detection» Energy Efficiency & Demand Response

WAN Backhaul

Security Manager MDMHead-End

Head End System

Substation

DRMS/DLC

More Secure

Least Secure

Highest Risk

Least Risk

Open Standards

IPv6/IPv4

UDP/TCP

IEEE 802.15.4e MAC enhancements

IPv6 RPL

Web Services, EXI, SOAP, RestFul,HTTPS/CoAP

802.1x / EAP-TLS & IEEE 802.11i based Access Control

Physical Layer

IEEE 802.15.4g2.4GHz, 915, 868MHzDSSS, FSK, OFDM

IEEE 1901.2 NB-PLCOFDM

IEEE 802.11 Wi-Fi

2.4, 5 GHz, Sub-GHz

IEEE 802.3 Ethernet UTP, FO

2G, 3G, LTECellular

IEEE 802.16WiMAX

1.x, 3.xGHz

Data Link Layer

IEEE 802.15.4including FHSS

IEEE 1901.2 802.15.4 frame

format

IEEE 802.11 Wi-Fi

IEEE 802.3 Ethernet

2G, 3G, LTECellular

IEEE 802.16WiMAX

6LoWPAN (RFC 6282) IPv6 over Ethernet (RFC 2464)IPv6 over PPP

(RFC 5072)IP or Ethernet

Convergence SubL.

NetworkLayer

TransportLayer

ApplicationLayer

Addressing, Routing, Multicast,

QoS, Security

Security (DTLS/TLS)

DNS, NTP, IPfix/Netflow, SSHRADIUS, AAA, LDAP, SNMP,…

(RFC 6272 IP in Smart Grid)

MeteringIEC 61968 CIM, ANSI C12.22,

DLMS/COSEM,…

SCADAIEC 61850, 60870

DNP3/IP, Modbus/TCP,…

LLC

MAC

Mgmt

Smart Grid Key AttributesStandards and Conformance• Standards are critical to enabling interoperable systems and

components.

• Mature, robust standards are the foundation of mass markets for the millions of components that will have a role in the future smart grid.

• Standards enable innovation where thousands of companies may construct individual components.

IoT

[ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.

[ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data

Challenge of Securing the IoT

• Manufacturers, energy and transportation providers, and smart cities are gaining a competitive advantage by harnessing the Internet of Things (IoT).

• Connecting more things in more places creates new security challenges. Mitigating risk requires a combination of cybersecurity and physical security.

• The IoT is expected to grow to 50 billion by 2020. Each device is a potential entry point for a network attack by insiders, hackers, or criminals

How to process

• IoT is one of the “new” areas where the new innovative solutions are created every day, for business and eco systems.

• We still have no complete – standard security measures.

• We use threat modeling to find out all relevant threats and risk model to find out best suite security

• European Union Agency for Network and Information Security• Smart Grid Threat Landscape and Good Practice Guide

• NIST • Cyber security framework for critical infrastructure

• OWASP Top 10 IoT

Top 10 IoT Vulnerabilities OWASP

Top 10 IoT Vulnerabilities Project The OWASP Top 10 IoT Vulnerabilities are as follows:

Rank Title

I1 •Insecure Web Interface

I2 •Insufficient Authentication/Authorization

I3 •Insecure Network Services

I4 •Lack of Transport Encryption/Integrity Verification

I5 •Privacy Concerns

I6 •Insecure Cloud Interface

I7 •Insecure Mobile Interface

I8 •Insufficient Security Configurability

I9 •Insecure Software/Firmware

I10 •Poor Physical Security

• 10/10 security systems accept ‘123456’

• 10/10 security systems with no lockout

• 10/10 security systems with enumeration

• SSH listeners with root/“” access

• 6/10 web interfaces with XSS/SQLi

• 70% of devices not using encryption

• 8/10 collected personal information

• 9/10 had no two-factor options

• Unauthenticated video streaming

• Completely flawed software update systems

Why COMTRADE?

• Comtrade firmly believes that the best way to ensure reliable security for the entire smart grid /IoT is to integrate security directly into the design process.

• Our „Security by Design‟ methodology involves the security team working hand in hand with Comtrade architecture team to ensure its products are created with security in mind right from the start.

• Security is not an afterthought; it evolves with the product and needs to be continually developed.

COMTRADE „SECURITY BY DESIGN‟ METHODOLOGY The „Security by Design‟ methodology is a simple, iterative process. It was decided at Comtrade that in the manufacturing of applications for utilities and IoT

An Iterative Approach

1. Assess the security vulnerabilities applicable to the system and all components

2. Conduct a risk evaluation with an impact analysis

3. Design defensive counter measures for mitigating impact

4. Perform penetration tests against each component and then the entire system

5. Iterate - if there are any gaps identified in step

Secure by design

Pre poduction

Production

Being knowledgeable about what can be achieved is one thing. The other is to reduce the impact. In cyber-security – an environment with asymmetric approaches - this can be achieved through common effort and coordination.

Conclusion

“That which depends on me, I can do; that which depends on the enemy cannot be certain. Therefore it is said that one may know how to win, but cannot necessarily do so” (Sun Tzu).

Q&A

Have a nice day!

Thanks for coming