Smart Grid Security

Cyber Security for Process Control Systems Summer School
June 16-20, 2008
At the Abbey Resort on Lake Geneva, Fontana, Wisconsin

Author: Byron Flynn, GE Energy Technical Director, Smart Grid, GE Energy Transmission and Distribution
[email protected] (208) 336-3886

GE Energy © 2008 All Rights Reserved


I. Tables of Contents & Figures

Smart Grid Security (p. 1)

I. Tables of Contents & Figures (p. 2)

II. Abstract (p. 3)

III. Smart Grid Architecture (p. 4)

IV. Security Requirements (p. 6)

V. Security and Functional Analysis (p. 8)

VI. Smart Grid Functions (p. 9)

VII. Understanding the Threat (p. 11)

VIII. Types of Attacks (p. 14)

IX. Understanding Consequences (p. 16)

X. Security Techniques (p. 17)

XI. Applying Techniques to Smart Grid (p. 21)

XII. Conclusions (p. 26)

XIII. Endnotes (p. 27)

Figure 1: Simplified Smart Grid Architecture (p. 4)

Figure 2: Representation of Smart Grid Network (p. 9)

Figure 3: One-Way Asymmetric Authentication (p. 19)

Figure 4: Establishing Secure Connections (p. 21)

Figure 5: Establishing Security Perimeters (p. 22)

Figure 6: Secure End Devices (p. 23)

Figure 7: Physical Security (p. 24)


II. Abstract

Smart Grid Security

This presentation will review security functionality necessary for a Smart Grid. It will include a discussion of security functionality, secure metering and DA requirements, secure configuration and updates, access control and management, network management and performance, device security management techniques. This presentation will focus on the high level operation of these requirements and the unique functional needs of an open Smart Grid communications infrastructure.


III. Smart Grid Architecture

The traditional definition of a Smart Grid from EPRI’s Intelligrid Initiative:

• Self-Healing and Adaptive to correct problems before they become emergencies

• Interactive with consumers and markets

• Optimized to make best use of resources and equipment

• Predictive rather than reactive, to prevent emergencies ahead rather than solve after

• Distributed assets and information across geographical and organizational boundaries

• Integrated to merge all critical information

• More Secure from threats from all hazards [1]

Figure 1 below contains a simplified example block diagram of a Smart Grid that fits this definition.

[Figure 1 (block diagram). Blocks shown: Utility Offices (Operational Systems, Non-Operational Systems, Corporate Security Server, Operational Bus); Backhaul Networks; T&D Sub-Stations (Station LAN, Merging Unit, I/O, Protection, Monitoring & Diagnostics); Distribution Networks; Distribution Devices (Switches & Reclosers, Caps, Meters); Mobile Workforce; Renewable Generation; Smart Homes (Home LAN, Customer Portal, DSM, Dist. Gen.).]

Figure 1: Simplified Smart Grid Architecture


The Typical Smart Grid consists of

• Operational and Non-Operational (e.g. non-SCADA data) Utility Systems being fed data from various intelligent devices throughout the network.

• A number of high speed backhaul networks that communicate data from various gateways or data concentrators.

• A substation network usually consisting of at least two real or virtual Local Area Networks (LAN) – Operational and Non-Operational.

• The Backhaul networks also connect to various Distribution networks that communicate with intelligent devices throughout the distribution system including the meters.

• The Home LAN – also called a Home Area Network (HAN) consists of multiple IG communications solutions to interface with the customer’s home LAN, including smart thermostats, personal computers, DSM devices, distributed generation. This connection is sometimes made through the communications portion of the meter or directly to the Distribution Network.

• Intelligent Electronic Devices (IEDs) – These are the smart devices located in the Substation, the pole or pad switches, transformers, capacitors, residential meters, etc.


IV. Security Requirements

As of January 16, 2006, the current version of the NERC CIP document is Draft 4.[2] The section headings are:

CIP-002 Critical Cyber Asset Identification

CIP-003 Security Management Controls

CIP-004 Personnel and Training

CIP-005 Electronic Security Perimeter(s)

CIP-006 Physical Security

CIP-007 Systems Security Management

CIP-008 Incident Reporting and Response Planning

CIP-009 Recovery Plans for Critical Cyber Assets

According to NERC:

Bulk Electric Systems are “defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition.”[3]

Critical Assets are those “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.”[4]

Critical Cyber Assets are “Programmable electronic devices and communication networks including hardware, software, and data.” “Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,

R3.2. The Cyber Asset uses a routable protocol within a Control Center; or,

R3.3. The Cyber Asset is dial-up accessible.”[5]

The following NERC CIP requirements have been summarized below:

Key NERC Cyber Security Requirements:

• Define Critical Cyber Assets

• Define & Create Electronic Security Perimeters

• Support Dial-up and/or Wide Area Networks


• Track and Report Access by User with Audit Trail of Success or Failure

• Remove User Access (in 24 hours) for Termination for Cause

• Provide for User Access Rights – Gateway & IEDs

• Strong Two Factor User Authentication for Interactive Access

• Disable Unused Ports And Services

• Appropriate Use Banner

• Malicious Software Prevention

Other Common Security Requirements, not required by NERC:

• Support access to SCADA and Non-SCADA Data

• Communication Line Encryption

• Support Centralized Security Management

As stated earlier, NERC’s jurisdiction does not apply to lower voltage systems. However, some have raised the concern that if a significant number of residential meters are installed with remote disconnect capabilities, a successful cyber attack in which the switches were commanded to open would result in a significant loss of load. Such an attack would provoke a correspondingly significant response from customers, regulators, utility management and other stakeholders. Consequently, many utilities are following the CIP security guidelines throughout their systems.


V. Security and Functional Analysis

To deal with the seemingly overwhelming task of securing a complex Smart Grid, many utilities are adapting the Failure Modes and Effects Analysis (FMEA) technique [6] to help prioritize the various security solutions. An FMEA analysis can be adapted to analyze a security function as follows:

1. Function: Describe the function to be analyzed to secure against a specific cyber incident.

2. Failure Mode: Understanding the threat

3. Failure Causes: Understanding the types of attacks

4. Identify Failure Effects and Criticality: How serious are the consequences

5. Understand Solutions: What are the current methods of securing against the attack?

6. Match solution to analysis: Establish a Security system to match the analysis


VI. Smart Grid Functions

It is important to review the various types of Smart Grid functionality to begin the analysis of security methodology. For this discussion, a simplified Smart Grid block diagram is shown.

Figure 2: Representation of Smart Grid Network

The network above has been simplified by grouping the data into two blocks according to response time: Operational Data, which is real-time, and Non-Operational data, which is often characterized as “near real-time”. Operational Data consists primarily of SCADA data for the system master stations. Non-Operational data consists of all other types of data needed for maintenance, engineering, planning, metering, asset management, outage management, etc.

While it may be virtually impossible to predict all the future functionality that Smart Grid systems may provide, it is possible to categorize the various functions. The functions are shown below:

o Cyber Security

o Physical Security

o Information Access


o Device Control

o System or End Device Configuration

o Network Management and Performance

o Automation System

o Database Processing

o Data Calculations


VII. Understanding the Threat

Applying the appropriate level of security to a complex system is one of the biggest challenges utilities are facing today. These challenges are amplified because for security reasons, it is very difficult for utilities to share security best practices outside of the personnel directly responsible with that security. While this paper does not reveal specific architectures being used by any utility, it attempts to outline several typical architectures with various levels of security.

By its nature, security will always be a “cat and mouse” game where new threats require new security methods. Establishing a security strategy also requires a balancing act where any method of restricting access must be balanced with the critical nature of the asset and the limitations placed on employees with substation cyber access rights.

It is important and useful to review the various threats to a security system. Each type of attacker can be characterized by three factors: Expertise, Funding and Time.[7] The biggest threat is the expert, patient, well-funded attacker. The primary threats are [8]:

• The Hacker. The proverbial teenager just looking to break into things. May not even want to do any damage. They often have a lot of computing power and expertise in corporate networking, but typically will not know anything about power systems or utility protocols.

• The Vandal. Indistinguishable from the Hacker except for motive. Wants to break things, and doesn’t really care what. Less common than the Hacker, but more dangerous.

• The Terrorist. This is the attacker people are most afraid of, but is actually less likely to occur than many others. Wants to do specific damage and will probably research the target’s network and operations. Would need to know something about power systems and utility protocols. To get this information, could enlist the help of…

• The Disgruntled Employee. This is one of the most dangerous of potential attackers because they already know the utility’s security systems, procedures and weaknesses.

• The Nation State. A threat to security could originate from a Nation State, which can include organized terrorists attacking under a state of war. This type of attacker could pose a significant threat given a highly motivated attacker supported by a nation’s full resources.

• The Competitor. Utilities are required to communicate with, and therefore share networks with, their competitors. The competitor is probably an uncommon but extremely dangerous threat to the utility network because:


o Utilities cannot simply prohibit all access, but must limit what data competitors can see.

o Competitors already know about power systems and probably quite a bit about their target’s network.

o Their attack, if it occurs, will likely be subtle, i.e. eavesdropping rather than denial of service, and therefore harder to detect.

• The Customer. Several key capabilities of modern Smart Grid systems require more cyber communications with the Utility Customer. Unfortunately, some of these customers may also be a threat. This is an especially dangerous threat because the objectives of these attacks are to commit fraud rather than to simply damage or disrupt the electrical network. As noted with competitors, the customer’s attack may be harder to detect since their only goal may be to change a few key values.

• The Cyber Security System. A potential, but often unexpected, source of system problems and disruption is the very system designed to prevent these problems. Examples of these challenges are:

o Problems introduced through the integration of a security system into an existing legacy system which can decrease system reliability

o Inherent cyber security system problems, such as challenges associated with the system’s authentication, authorization and accounting (AAA) process, could reduce data availability to authorized personnel

o The overhead introduced by the security system can create additional latency and reduce effective bandwidth which could cause operational problems the equivalent of a “denial of service” attack.

The types of data being attacked can be classified into four types each requiring different security protection. In general, these areas can be categorized into:

o Information – this includes critical operational and maintenance data and includes customer data in the meter or accessible in the HAN.

o Control – this includes the ability to affect a change to the end devices such as operate a breaker, switch, or customer load management device.

o Network and Device Management – This includes management of the communications network and the end devices connected to the network. This includes making changes to the settings in devices such as network routers, residential meters, substation protection relays or automation devices.

o Safety – This includes the ability to compromise the safety of utility personnel, the public, utility customers, or physical equipment damage.


VIII. Types of Attacks

An attacker can pose a variety of threats to your network. Some are highly sophisticated while others are very subtle.[9]

o Eavesdropping. Listening to the utility network traffic and trying to understand the messages that devices send. However, as discussed below, the attacker may not need to actually understand the messages to be able to do damage to your network.

o Traffic Analysis. Without trying to understand individual messages, the attacker compares real-world events with the messages seen on the network. If a certain message or type of message always precedes a given action, it may give the attacker a clue to where the utility is vulnerable.

o Replaying. Again without understanding what a message is, the attacker captures a message and retransmits it later, either to gain access or just to cause havoc. Fortunately, even simple protocols tend to have sequence numbers that make it difficult for the attacker to insert the duplicate message at the right moment.

o Spoofing. The attacker pretends to be a valid user, often at a very low layer of the protocol. Sometimes an attacker can hijack the existing connection of a valid user if the attacker can be physically located between the user and the server. Hijacking, sometimes known as a “man in the middle” attack, is therefore a special variation of spoofing, in which the attacker need not prove its identity. Such an attack often takes the form of modification, in which the attacker modifies the message so it suits the attacker’s purposes.

o Cracking. The “trial-and-error” methods made famous in the movies for finding out passwords. You can make cracking more difficult by choosing passwords that are difficult to crack. It also helps if the system will automatically notify someone of repeated failed attempts. Some systems will “shut down” after repeated attempts, but sometimes that is exactly what the attacker wants…

o Social Engineering. The attacker uses various psychological methods to trick a user into providing passwords or otherwise permitting access to their system. For example, putting “I love you” in the subject of an email made a lot of people run an executable that they normally would never have touched, and spread a virus. Trojan horse is the general term for any attack that tricks the user into compromising security by appearing harmless or even desirable.


o Denial of Service. Possibly the most frustrating type of attack, because the attacker is not trying to gain access to the system. The attacker just wants to prevent the system from operating. Usually the attacker simply attempts some valid operation – like logging in and being rejected – rapidly and repeatedly until the system either fails or simply cannot service anyone but the attacker. An attacker may initiate a Denial of Service (DoS) from a single site, or more commonly these days, may use a number of computers. The owners of these computers may not even be aware they are participating in the attack. The best way to deal with a denial of service attack is to find a way to filter the attacking traffic before it arrives at the target. However, such filtering may also filter out valid traffic, again giving the attacker what he/she wants.

o Destruction. An attack which is intent on destruction of data or to damage equipment or personnel. An attacker intent on destruction can be particularly dangerous especially if they are able to operate devices which could put personnel at risk. The risk of this type of attack can be reduced through following proper operation practices and procedures.

o Reconfigure. With this type of attack, the attacker reconfigures the devices in the system. The intent could be to change the security settings to permit future action, to cause a piece of equipment to malfunction or facilitate another type of future attack. For example, a customer intent on fraud could attempt to reconfigure the settings in an electric meter.

o Malware. This includes the various types of malicious software intended to do harm to the system or devices on the system. These include computer viruses, spyware, software worms, Trojan horse attacks, etc.


IX. Understanding Consequences

The next step in the FMEA analysis is to understand the consequences of attack including ancillary consequences. Any type of cyber attack could result in a compromise of public trust and that could create a significant reaction resulting in many new regulations. These new regulations could lead to a resulting loss of functionality or increased capital and maintenance costs.

Control – this includes the ability to affect a change to the end devices such as operate a breaker, switch, or customer load management device.

An attack on the controls of the system can be the most publicly visible. These attacks include the opening of a remote disconnect from a single meter or many meters, a single breaker or many breakers. This interruption of load can have economic and public relations impacts on the utility.

Information – this includes critical operational and maintenance data and includes customer data in the meter or accessible in the HAN.

An attack on the information in the system can range from changing the values in a meter to disrupting the ability to operate and maintain the entire system. The consequences of each level of attack can have obvious economic ramifications and a potential violation of trust. The ramifications on the utility’s ability to reclaim that trust can be very difficult depending on the level of public visibility of the violation.

Network and Device Management – This includes management of the communications network and the end devices connected to the network. This includes making changes to the settings in devices such as network routers, residential meters, substation protection relays or automation devices.

An attack on the Network and Devices can often be hidden. This type of attack can often be done to facilitate a future attack on the network opening connections or enabling access to future more destructive attacks.

Safety – This includes the ability to compromise the safety of utility personnel, the public, utility customers, or physical equipment damage. This includes operating or preventing the operation of switches or devices. This can result in equipment damage or personnel harm.


X. Security Techniques

There are several standards-based techniques available to secure Smart Grid systems. Since NERC requires strong authentication for interactive access, it is important to understand that strong authentication requires two or more of the following factors of authentication:

1. What You Know – Passwords are widely used to identify a User, but only verify that somebody knows the password.

2. What You Have – Digital certificates in the User's computer add more security than a password, and smart cards verify that Users have a physical token in their possession, but either can be stolen.

3. What You Are – Biometrics such as fingerprints and iris recognition are more difficult but not impossible to forge.

4. What You Do – Dynamic biometrics such as hand writing a signature and voice recognition are the most secure; however, replay attacks can fool the system. This factor is most commonly used for authentication of credit card payments.

Most security systems utilize an Authentication, Authorization and Accounting (AAA) server. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services [10]:

1. Authentication – Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption. Strong Authentication would use two or more factors.

2. Authorization – Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of access methodology. Authorization also includes a set of attributes that describe what the user is authorized to perform.

3. Accounting – Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed protocol commands, number of packets, and number of bytes.

There are several standard security techniques available to smart grid networks. Many of these techniques are described in the following section. Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks.[11] Several EAP methods describe how to provide secure authentication techniques used to establish and control a secure connection between two authenticated devices.

A common EAP security method is called Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL). TLS is commonly used in wireless systems and provides a methodology to authenticate and encrypt data. It is specifically designed to prevent eavesdropping, replaying and spoofing. In a smart grid system both the IED and the server should be authenticated, requiring a mutual authentication technique.

One of the most common methods of cyber security is the use of certificates between devices. Each cyber device in the system to be secured will need a digital certificate, issued either by a Certificate Authority (CA), which would be a trusted third party, or generated by another trusted means. The certificate contains a public key that can be used to securely verify the message sender. This digital certificate based system is defined by X.509.[12] X.509 is a standard for Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI).[13]

Strong authentication, required by CIP for interactive access to bulk power systems, employs at least two factors of authentication. This technique sometimes employs a user name and password together with a secure token or certificate, providing something you know (password) and something you have (token or certificate). For communication between two devices, a public key infrastructure (PKI) system is often utilized. With PKI systems, the IED and server first communicate to determine the appropriate algorithm and cipher to be used; then the systems exchange keys and authenticate to one another with the AAA server. Once the systems have been authenticated, the devices begin to communicate. The following diagram illustrates the normal exchange of information between Alice and Bob using Asymmetric Authentication.


[Figure 3 (diagram). Steps shown:

1. Alice hashes the Message

2. Alice signs with her PRIVATE Key (Hash → Encrypt with Private Key)

3. Alice sends message and signature to Bob

4. Only her PUBLIC key can decrypt the hash (Decrypt with Public Key)

5. Bob hashes the message, too. If Bob’s hashed value matches Alice’s, it’s the same message Alice signed.]

Figure 3: One-Way Asymmetric Authentication

In the previous figure, Alice and Bob have exchanged public keys and have selected the appropriate cipher. Alice starts the process by hashing the message and using her private key to sign the hash. She then sends the message and signed hash to Bob along with her public key. In this method, maintaining the security of private keys is very important to prevent spoofing. When Bob receives the message from Alice he uses Alice’s public key to decrypt the signed hash and then compares the results with a new hash of the message. If the two hashed data match he knows that the message was sent by someone using Alice’s private key.
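The Figure 3 exchange, written out as an added example in Go (this is not code from the paper; it uses RSA-PSS over SHA-256 as one concrete instance of the "sign the hash with the private key" scheme, and the message text and the impostor key "Mallory" are constructed for illustration). Besides the genuine case it shows the two failure cases the paragraph warns about: a message modified in transit, and a signature made with a private key other than Alice's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what Alice sends to Bob in step 3 of Figure 3: the message
// itself together with the signature over its hash.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// HashMessage is step 1 (Alice) and step 5 (Bob): both sides run the same hash
// function so the two digests are directly comparable.
func HashMessage(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// SignMessage is step 2: Alice signs the digest with her PRIVATE key
// (RSA-PSS here; the paper's list also names DSA and ECDSA for this role).
func SignMessage(priv *rsa.PrivateKey, msg []byte) (SignedMessage, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, HashMessage(msg), nil)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Message: msg, Signature: sig}, nil
}

// VerifyMessage is steps 4 and 5: Bob re-hashes the message he received and
// checks the signature with Alice's PUBLIC key. A changed message or a
// signature made under any other private key yields false.
func VerifyMessage(pub *rsa.PublicKey, sm SignedMessage) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, HashMessage(sm.Message), sm.Signature, nil) == nil
}

// Demo runs the exchange three ways and reports whether Bob accepts each:
// the genuine message, a message modified in transit (the "man in the middle"
// modification of Section VIII), and a message signed by an impostor key.
func Demo() (genuine, tampered, impostor bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048) // impostor; Bob does not trust this key
	if err != nil {
		return
	}
	// Constructed sample request; the text format is illustrative only.
	msg := []byte("READ meter 000123 interval data 2008-06-16")

	sm, err := SignMessage(alice, msg)
	if err != nil {
		return
	}
	genuine = VerifyMessage(&alice.PublicKey, sm)

	// Modification in transit: the signature is Alice's, the message is not.
	forged := SignedMessage{Message: []byte("READ meter 000124 interval data 2008-06-16"), Signature: sm.Signature}
	tampered = VerifyMessage(&alice.PublicKey, forged)

	// Spoofing: Mallory signs the same message with her own private key, but Bob
	// verifies against Alice's public key. This is why Alice's private key must
	// never leak: anyone holding it would pass this check as Alice.
	spoof, err := SignMessage(mallory, msg)
	if err != nil {
		return
	}
	impostor = VerifyMessage(&alice.PublicKey, spoof)
	return genuine, tampered, impostor, nil
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, impostor accepted: %v\n", g, t, i)
}
```

In a deployed system Bob would obtain Alice's public key from an X.509 certificate chained to the utility's CA rather than trusting a key handed to him in the same message.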

Since this paper is intended as an introduction to the methodology of securing a smart grid, further details of the security standards are left to the reader to research. A simple search of the internet can yield a mountain of reference material. Because the number of security-related standards is very large, a summary of common security techniques is included:

For key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK

For authentication: RSA, DSA, ECDSA

Symmetric ciphers: RC4, Triple DES, AES 128, 192 or 256 bits, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used.

For cryptographic hash functions: HMAC-MD5 or HMAC-SHA are used for TLS, MD5 and SHA for SSL, while older versions of SSL also used MD2 and MD4.

Ephemeral Cryptographic Key Management: DHE-DSS Diffie-Hellman Key Exchange - Digital Security Standard

For SCADA operational protocols: DNP 3.0 security with authentication at the application layer. It is based on IEC, ISO, IETF and NIST standards, and it operates in both directions using challenge-reply and pre-shared keys.14
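A minimal model of the challenge-reply with pre-shared keys described for DNP 3.0 above, added here as an example that is not from the paper or from the DNP standard: it shows only the mechanism (a random challenge, an HMAC-SHA256 reply under the pre-shared key, verification by the challenger, usable in either direction), not DNP3's actual message format. The Party type, the HMAC construction, the operation names and the sample key are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one end of a SCADA link (master or outstation); both ends hold the same pre-shared key.
type Party struct {
	Name string
	Key  []byte // pre-shared key, provisioned out of band, never sent on the wire
}

// Challenge issues a fresh random nonce; a new nonce each time means an old reply cannot be replayed.
func (p *Party) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Reply answers a peer's challenge with an HMAC over the nonce, this party's name and the operation.
func (p *Party) Reply(nonce []byte, operation string) []byte {
	return tag(p.Key, nonce, p.Name, operation)
}

// Verify checks a reply against the nonce this party issued. Because the operation is bound into
// the MAC, a reply obtained for one command cannot be reused to authorize a different one.
func (p *Party) Verify(nonce []byte, peer, operation string, reply []byte) bool {
	return hmac.Equal(reply, tag(p.Key, nonce, peer, operation))
}

// tag computes HMAC-SHA256 over nonce || name || operation with the pre-shared key.
func tag(key, nonce []byte, name, operation string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(nonce)
	h.Write([]byte(name))
	h.Write([]byte(operation))
	return h.Sum(nil)
}

func main() {
	key := []byte("constructed demo pre-shared key") // constructed sample key
	master, outstation := &Party{"master", key}, &Party{"outstation", key}
	nonce, _ := outstation.Challenge() // the outstation challenges the master before an operate
	reply := master.Reply(nonce, "operate")
	fmt.Println("master authenticated for operate:", outstation.Verify(nonce, "master", "operate", reply))
}
```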

It is important to note that the progress and investment in each of these techniques has been substantial; however, some smart grid systems have developed new security schemes to fit the limitations of their proprietary systems. Such a non-standard security technique, while pragmatic for the system involved, is usually not as robust as today’s standard security methods. These types of systems usually rely on a bit of “security through obscurity”. Applying the NERC CIP requirements to these proprietary techniques will expose many security weaknesses.

XI. Applying Techniques to Smart Grid

The application of these security techniques against the smart grid architecture as described earlier is divided into various levels of security. Security techniques described earlier need to be applied to help secure the communications channels as shown below.

Figure 4: Establishing Secure Connections

Using the security techniques described earlier, a secure channel can be created between the various servers and remote Intelligent Electrical Devices. Once a user or system enters at one end of the secure connection, the transport from end to end is considered secure. This type of security provides protection from many of the attacks described above that occur somewhere in the middle of the channel. However, simply creating a secure channel isn’t enough to prevent an unauthorized user from accessing the system from one of the end points.

The next level of security requires securing the end points of the system. This means establishing a Security Perimeter at the end device, as highlighted in the following figure.

Figure 5: Establishing Security Perimeters

Establishing a Security Perimeter at the end device prevents unauthorized users from accessing the system from one of the ends. When a User reaches a security perimeter, the AAA server determines whether the user is authorized to access the system and what level of access the user is granted, and it logs the User’s successful and failed access attempts against the User’s account.

The next item to secure is the end devices themselves: the IEDs in the station, on the pole top, in the pad mount, in the vehicle, at the DG site, and the meter or gateway at the end customer premises, as shown below.

Figure 6: Secure End Devices

The figure above illustrates the requirement to secure the end devices from access by unauthorized users. This level of security assumes that the user has been authorized through the Security Perimeter. These Users are then allowed to access the data in the IED according to the access rights that the AAA server has indicated. It is important to note that many of the devices in the Smart Home are not part of the security of a Smart Grid. They are secured by the customer’s own network practices. This makes the Security Perimeter outside the customer’s home very critical and a potentially significant source of attack. It must prevent attackers inside and outside the customer’s premises from gaining access to the Smart Grid.

To be compliant with NERC and common company security procedures, two additional capabilities must be implemented in the end devices and security perimeters. These are “appropriate use banners” (standard unauthorized use warnings) and protection against Malware. Periodic updates to prevent Malware attacks should become a routine part of operating the system.

Figure 7: Physical Security

The final level of security is the application of security around the physical devices. This includes physical security alarms on the physical substation and Utility Offices and could also include secure video monitoring. The physical access extends to monitoring the physical box mounted on the pole/pad and physically monitoring the meter against tampering. Many of these devices and rooms/buildings are being secured and monitored today. Meters are secured against tampering and Distribution Devices are in locked enclosures. This same care will need to be extended to other IEDs and gateways, including distribution automation devices, smart grid capacitor controls and home area network gateways.

Additional security methods should be applied to the Smart Grid communications boards on the IED, meter or gateway. This could include storing private keys on secure memory chips. These memory chips must be secured so that tampering or unauthorized access attempts are detected, to prevent a remote user from spoofing the system.

The final and most critical part of an effective security system is training. The NERC CIP requires several aspects related to training. They are15:

Awareness – The Responsible Entity shall establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices.

Training – The Responsible Entity shall establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and review the program annually and update as necessary.

Personnel Risk Assessment – The Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program within thirty days of such personnel being granted such access.

The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets. This NERC requirement makes an AAA server even more essential, as User access can be managed from one central server rather than by changing the access in each of the hundreds, thousands, or millions of potential end devices.

XII. Conclusions

Today’s Utilities’ communication systems are now required by regulation and by company internal policies to be secure. The growth of a Smart Grid across the Utilities infrastructure and eventually into the end customer’s facilities has significantly expanded the need for good security systems.

Utilities can no longer rely on “security through obscurity” or on the fact that most hackers don’t know the default user name and password of protection relay systems or other IEDs on the network. An effective and secure smart grid requires the system security personnel to understand the:

o Function: To describe the function to be secured against a specific cyber incident.

o Failure Mode: Understand the cyber threats to those functions.

o Failure Causes: Understand the various types of cyber attacks.

o Identify Failure Effects and Criticality: Determine the consequences of an attack.

o Understand Solutions: Determine the appropriate cyber standards to protect against the attack.

o Match solution to analysis: Establish a Security system to match the analysis.

Through the prudent implementation of security techniques Utilities and their customers can safely realize the real promise of a Smart Grid.

XIII. Endnotes

1 “IntelliGrid: Enabling The Power Delivery System of the Future” Don Von Dollen, EPRI IntelliGrid Program, April 6, 2005 http://conferences.ece.ubc.ca/isplc2005/Panel1_VonDollen.ppt

2 http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html

3 ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Glossary_Clean_1-07-05.pdf “Glossary of Terms Used in Reliability Standards”, Page 2, Adopted by NERC Board of Trustees: February 8, 2005, Effective Date: April 1, 2005

4 Standard CIP–002–1 — Cyber Security — Critical Cyber Asset Identification Page 2

5 Standard CIP–002–1 — Cyber Security — Critical Cyber Asset Identification, Part B – R3, Page 4

6 http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis

7 Advanced Metering Security Threat Model (DRAFT); R Robinson, J McDonald, B Singletary, D Highfill, N Greenfield, M Gillmore

8 Network Security Basics, Product Information, PRPI-039-001-1, GE Energy 01/08/2002 Part 1.1 Page 2

9 Network Security Basics, Product Information, PRPI-039-001-1, GE Energy 01/08/2002 Part 1.3 Page 3

10 “AAA Overview” taken from Cisco IOS Security Configuration Guide, Release 12.2 http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

11 http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

12 http://en.wikipedia.org/wiki/X.509

13 http://en.wikipedia.org/wiki/Public_key_infrastructure

14 “Securing DNP Communications” Grant Gilchrist, EnerNex Corporation, GE Automation Forum, October 2008

15 Standard CIP–004–1 — Cyber Security — Personnel and Training; Page 3-4, http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html