
ELECTRIC PERSPECTIVES

TECHNOLOGY

A Meter Perspective on Cyber Security

By Kip Gering

Kip Gering is product line manager at Itron Inc.

While digitizing the grid will positively impact economies and the environment, the advanced interconnectivity creates a cyber security challenge for smart meters, intelligent grid devices and communication networks. And whereas previous metering technology focused on preventing tampering, theft, and damage locally at a meter, smart grid networks must address threats that can come from across the globe.

Utilities and their vendors should make the smart grid their castle. To foster interaction, but still be protected, the kings of old built moats around their castles and installed heavy, locked gates and doors. Buildings and rooms within the castle are secured by more locks. The king’s quarters were under lock and key as well, with armed knights posted outside the door. Guards were stationed atop the castle walls, keeping an eye on activity both outside and within.

The castle represents the overall utility network and infrastructure. It’s secured by a host of security measures, physical and technological—firewalls, private keys, sealed meters, cryptography, fenced substations, and policy-based processes and procedures. For the entire system to be secure, measures must be in place at various levels of operations.

How Do Hackers Get In?

Hackers may want to gain network access for many different purposes, such as disrupting service or availability with a variety of motives. Maybe they’re in it strictly for profit, with funding coming from foreign regimes. Disgruntled employees or customers may wish to cause damage to the utility network for revenge. Sometimes a hacker isn’t really malicious at all, but rather someone who wants to see whether it’s possible to gain access—once inside, considerable damage can be done without malicious intent. And sometimes, an attack can come from one of the most basic of human traits—ego.

May/June 2010

There also are variances in both the type and severity of attacks. Among other things, an attack can destroy or disclose data, block or hijack a service, or tamper with data, equipment, or software. A hacker could attempt to gain control of one or more parts of the overall network, with the ultimate goal being to disconnect power to large populations of meters. By hijacking a control system, hackers could initiate activities on behalf of a trusted system in the network and disrupt service, overwhelm the network with traffic, tamper with network and meter functionality, and steal sensitive data ranging from meter keys to the energy information associated with certain geographic areas.

With smart metering, cyber security must be considered. Smart metering collects more detailed information, much more often, than a traditional meter. It also provides a pipeline to the utility, transferring data back to head-end systems at greater frequencies than before—and in many cases for the first time. But with this increased connectivity, new security challenges arise.

Moreover, the two-way communication and control options afforded by smart meters, such as initiating or disconnecting electrical service or manipulating home area network devices, create new entry points and vulnerabilities that may be exploited to varying degrees of impact.

In a smart grid network, the utility is responsible for providing reliable power and a secure meter at the premise—but it is also responsible for securing the information exchanged between the meter and the back-office, as well as what commands these devices can receive. In a large smart grid environment, this can easily eclipse millions of endpoints throughout the service territory.

Cyber Security: A Working Definition

According to a recently published “Smart Grid Cyber Security Strategy and Requirements” by the National Institute of Standards and Technology (NIST) cyber security coordination task group, “cyber security” is “the protection required to ensure confidentiality, integrity, and availability of the electronic information communication system.”

“Confidentiality” is the assurance that sensitive data is not exposed to the wrong person or system and that it protects against the disclosure of information. Confidentiality can extend to data such as personal identification, financial records, and system commands. Knowing where commands have gone or will go on the network can give attackers an advantage. Ensuring confidentiality can thwart this advantage.

“Integrity” ensures that actions can be traced to initiators, which helps to protect against deception. Logging, tracking, and auditing actions are common forms of maintaining data integrity. When analyzed, these activities can also help improve the system against future attacks. Replay prevention is a form of confirming the integrity of commands that ensures valid messages are used only at proper times within the network. It protects against communications being captured and reused at a later time.

“Availability” ensures that data, commands, and communications are accessible and usable when desired. Design considerations must be undertaken to prevent denial of service methods of attack—this protects against a full-scale disruption of system operations.


Crypts and Keys: Security Control Methods

A variety of methods and technical controls can provide network protection to ensure confidentiality, integrity, and availability of communications on the smart grid.

Encryption techniques help ensure confidentiality: triple data encryption algorithms, advanced encryption standards, elliptical curve cryptography, or RSA public-key cryptography, for example. (See the sidebar, “The Secrets of Data.”) The Federal Information Processing Standard Publication 140-2, released in May 2001, is a federal document that describes the government’s technological and related procedural safeguards for cryptographic-based security systems.

Two prevalent forms of cryptography can be used to support grid security: symmetric and asymmetric. Symmetric cryptography assumes both parties (in this case, the meter on one end and the utility software system on the other) use the same key for deciphering the messages sent between them. Symmetric cryptography is analogous to both parties writing notes in a special language and having a decoder translate the messages.

This method becomes problematic when you consider that every smart meter has the same decoding function. It’s just not feasible to protect every single meter in a deployment from physical tampering—through which sophisticated hackers may obtain the key from a compromised meter. In this scenario, once a shared key is compromised, the entire network can be compromised.

Asymmetric cryptography (also known as public key cryptography) assumes each party has a different key—one a public key for everyone to use and the other kept private or secret by one of the parties.

In asymmetric cryptography, the private key is mathematically derived from the public key. When a message is encrypted with a public key, only the holder of a private key can decrypt the message. This method ensures confidentiality. By using digital signatures, the utility’s ability to ensure the integrity of the system is strengthened. The smart meter is assured that commands are indeed coming from the head-end system, not from an imposter who would not have access to the protected private keys ensuring authentication of commands.

In either cryptographic method, key management features and functions become important considerations for the network. Implementing secure communication channels can affect the overall system performance; therefore, it’s vital that security measures be employed in a manner that does not prevent the system from meeting operational goals.

Smart metering systems require the ability to scale and manage millions of keys—each key on a meter should be unique so attackers cannot exploit all keys system-wide by gaining access to a single meter. Key rollovers—the process of updating the keys in use and archiving old ones—should be done in a manner that does not require firmware downloads to prevent the keys from being intercepted. Key rollover processes should be implemented so that a situation does not arise where the meter and head-end key states (old versus new) prevent communication.
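An added example, not from the original article or from Itron: a Python sketch of the key management points above (a unique key per meter, and a rollover during which old and new keys both work), together with the replay prevention described under “Integrity.” The HMAC-SHA256 derivation from a master secret, the message counter, and all names (derive_meter_key, command_tag, Meter, the meter IDs) are assumptions made for illustration.

```python
import hashlib
import hmac

def derive_meter_key(master: bytes, meter_id: str, version: int) -> bytes:
    """Head-end side: a distinct key per meter and per key version.
    HMAC-SHA256 as the derivation function is an assumption of this sketch."""
    return hmac.new(master, f"{meter_id}|v{version}".encode(), hashlib.sha256).digest()

def command_tag(key: bytes, version: int, counter: int, command: str) -> bytes:
    """Authentication tag binding the command to a key version and a counter."""
    msg = f"{version}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Meter:
    """Hypothetical meter-side state: accepted key versions and last counter seen."""

    def __init__(self, key: bytes, version: int):
        self.keys = {version: key}
        self.last_counter = 0

    def install_key(self, version: int, key: bytes) -> None:
        # Rollover step 1: the new key is added while the old one stays valid,
        # so head-end and meter can never be stuck on different key states.
        # Protected delivery of the new key is outside this sketch.
        self.keys[version] = key

    def retire_key(self, version: int) -> None:
        # Rollover step 2: drop the old key once the head-end uses the new one.
        if len(self.keys) > 1:
            self.keys.pop(version, None)

    def accept(self, version: int, counter: int, command: str, tag: bytes) -> bool:
        key = self.keys.get(version)
        if key is None or counter <= self.last_counter:
            return False  # retired/unknown key version, or a replayed message
        if not hmac.compare_digest(tag, command_tag(key, version, counter, command)):
            return False  # tag made with another meter's key, or altered command
        self.last_counter = counter
        return True

MASTER = b"constructed-demo-master-secret"  # constructed sample value
key_a1 = derive_meter_key(MASTER, "METER-A", 1)
key_b1 = derive_meter_key(MASTER, "METER-B", 1)
meter_a = Meter(key_a1, 1)
```

Because each meter holds only its own derived key, a key extracted from METER-B produces tags that METER-A rejects, and a captured command fails when it is sent a second time.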

While cyber security requirements are focused on network communications, field communications are also part of the integrity of the smart grid. At the 2009 conference sponsored by Black Hat (an information security firm), hackers demonstrated ways to compromise and exploit smart meters by locally logging on to the meter first. Smart meters need to be safeguarded from attack to the greatest extent possible because it is unreasonable to physically secure each meter.

Sidebar: The Secrets of Data

In cryptography, according to SearchSecurity.com, a “key” is a variable value that is applied using an algorithm to a block of unencrypted text to produce encrypted text or to decipher it. The length of the key is a factor in considering how difficult it will be to decipher the text in a given message.

In the data encryption standard (DES), there are 72 quadrillion or more possible encryption keys to use. For each message, the key is chosen at random from among this enormous number of keys. DES supports key sizes of 56 bits. The triple DES is (essentially) DES tripled, the downside of which is decreased computing speed.

The advanced encryption standard (AES), sponsored by the National Institute of Standards and Technology (NIST), supports key sizes of 128, 192, and 256 bits. In 2001, NIST announced that it would replace DES with AES as a standard for classified government documents.

RSA is an internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. It is the most commonly used of such algorithms and is included as part of the web browsers from Microsoft and Netscape. It involves multiplying two large prime numbers and then deriving a set of two numbers, one that is the public key and one the private key. Once the keys have been developed, the prime numbers are no longer important and can be discarded. Both the public and private keys are needed for encryption/decryption, but only the owner of a private key ever needs to know it.

According to SearchSecurity.com, elliptical curve cryptography can be used to create faster, smaller, and more efficient keys—ECC generates public and private keys through the properties of an elliptic curve equation instead of using prime numbers. Some researchers claim that ECC can yield a level of security with a 164-bit key where other systems would require a 1,024-bit key. Because ECC helps to establish equivalent security with lower computing power and therefore battery usage, it is popular in mobile applications.

Many smart meters adhere to the American National Standards Institute standard for field communications through an optical port. Meter access is granted by a password, which is generally the same for all meters. Security controls, such as unique or temporal meter keys, should be implemented to prevent unwarranted meter access to gain information or to tamper with firmware code at the meter.

A Layered Approach

When developing policies and requirements, utilities and vendors should take an in-depth, defensive approach to securing the system. Attackers and their methods may vary greatly, but the damage done by such an attack could cripple a utility’s network and cost vast amounts of time and money to rectify. Such an attack also could undermine public confidence in the smart grid—setting the efforts of the utility industry nationwide on its ear.

A defensive, in-depth approach involves multiple layers to secure the network. It prevents a single exploit from compromising the entire system. Security controls are deployed throughout the different layers, including infrastructure, hardware, firmware, and applications. This approach also takes into consideration monitoring and intrusion protection of the components themselves, as well as their entry point.

Attacks on smart grid networks can materialize for a variety of reasons and from across the globe. Securing the network does not mean that it will never be attacked, nor does it mean that the system will be impossible to compromise. It does mean addressing the most likely attack vectors to reduce both the likelihood of an attack’s success and the attacker’s desired result. Treating the system as a castle and deploying a variety of measures at layers throughout the infrastructure will help ensure that your cyber assets remain protected and vulnerabilities cannot be exploited in a significant manner.
