The Many Faces of Smart Grid Security
A critical consideration in the development of smarter electrical grids is to ensure best security practices. Few terms in the smart grid vocabulary, however, are as overworked and overloaded (i.e., assigned multiple definitions) as the word security. Such definitions range all the way from ensuring reliability—keeping the lights on—to protecting the confidentiality of customer information. This article will attempt to explore these multiple definitions and find some common thread that can help ensure the success of the pursuit of a smarter electrical grid while maintaining security—in all of its various meanings.
The Dictionary Definition
Merriam-Webster defines security as follows:
- the quality or state of being secure, as in freedom from danger, freedom from fear or anxiety, or freedom from the prospect of being laid off, as in job security
- something given, deposited, or pledged to make certain the fulfillment of an obligation
- an instrument of investment in the form of a document (as a stock certificate or bond) providing evidence of its ownership
- something that secures, as in measures taken to guard against espionage or sabotage, crime, attack, or escape, or an organization or department whose task is security.
These definitions give some insight into the core meaning of the term in the English language as having to do in some sense with freedom from danger or uncertainty. As we will see, this identifies a common thread among the various ways the word is used in the context of the smart grid.
Security as Reliability
Traditional electric utility engineering practice has sought to preserve and enhance the reliability of service to power system customers. In fact, one of the early reasons for developing an interconnected electric utility system was precisely to improve the reliability of service to customers when individual generating plant reliability was (and still is) much less than 100%. Power engineers came to use the term security to describe the ability of the bulk power system to withstand unexpected disturbances such as short circuits or unanticipated loss of system elements due to natural causes. In today’s world, the security focus of the industry has expanded to include withstanding disturbances caused by man-made physical or cyberattacks. (See the list of frequently asked questions at www.nerc.com, under the heading “Company Overview.”) It is critical, as we consider cybersecurity measures, that we do not inadvertently impair system reliability. This places a constraint on the acceptable complexity and computational intensiveness of the cybersecurity measures to be adopted.
Security as Communication Reliability
Just as we use the word security to describe power system reliability, we can use the same term to describe the reliability of the communication systems put in place to serve the power system. Reliability for power system communication has several facets, including the probability that a given message will be lost entirely, the use of redundant communication paths and automatic failover to protect against message loss, the expected time delay (latency) in delivering a message, and the expected variability of that time delay (jitter). It also includes considering how competing messages may (or may not) be given priority when communication channels are saturated. This latter parameter is known as quality of service (QoS) and has long been practiced in the world of telephony, but it is a relatively new concept for power system engineers.
Each of these parameters, together with the provisioning of alternate communication paths and automatic failover, can be engineered into a communication service to ensure that it meets the needs of any given power system application. These needs range from the low bandwidth and tolerance of high latency that suit automated metering infrastructure (AMI) applications, through the high bandwidth and moderate latency needed for human-interface applications, to the low bandwidth, low latency, and low jitter required for power system protection communication. The particular communication requirements of each application need to be clearly understood so they can be met by the communication infrastructure.
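To make these facets concrete, here is an added example in Go (not code from the article) that measures loss, latency and jitter over a constructed message trace and checks the result against three hypothetical application profiles. The type and function names (Sample, Metrics, Profile, Measure, Violations, SampleTrace) and every threshold in Profiles are assumptions for illustration, not figures from NIST, IEEE or any utility standard.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one message as seen at the receiver (constructed data, not a capture); RecvMs < 0 means it never arrived.
type Sample struct {
	Seq    int
	SentMs float64
	RecvMs float64
}

// Metrics are the reliability facets the text names: loss, latency and jitter.
type Metrics struct {
	LossRate    float64 // fraction of sent messages never delivered
	MeanLatency float64 // ms, over delivered messages
	MaxLatency  float64 // ms
	Jitter      float64 // ms, mean |latency(i) - latency(i-1)| over consecutive delivered messages
}

// Profile is a per-application requirement. The thresholds in Profiles are
// illustrative assumptions for this example, not figures from any standard.
type Profile struct {
	Name         string
	MaxLoss      float64
	MaxLatencyMs float64
	MaxJitterMs  float64
}
var Profiles = []Profile{
	{"AMI meter read", 0.10, 5000, math.Inf(1)}, // tolerant: retries cover loss, delay is acceptable
	{"Operator HMI", 0.05, 1000, 100},
	{"Protection signalling", 0.0, 10, 1}, // strict: no loss, low latency, low jitter
}

// Measure computes loss, latency and jitter for one trace given in sending order.
func Measure(trace []Sample) Metrics {
	var m Metrics
	if len(trace) == 0 {
		return m
	}
	var lat []float64
	for _, s := range trace {
		if s.RecvMs >= 0 {
			lat = append(lat, s.RecvMs-s.SentMs)
		}
	}
	m.LossRate = float64(len(trace)-len(lat)) / float64(len(trace))
	if len(lat) == 0 {
		return m
	}
	sum := 0.0
	for _, l := range lat {
		sum += l
		m.MaxLatency = math.Max(m.MaxLatency, l)
	}
	m.MeanLatency = sum / float64(len(lat))
	for i := 1; i < len(lat); i++ { // loop body never runs (and never divides) when only one message was delivered
		m.Jitter += math.Abs(lat[i]-lat[i-1]) / float64(len(lat)-1)
	}
	return m
}

// Violations lists the requirements of p that m breaks; empty means the channel is fit for that application.
func Violations(m Metrics, p Profile) []string {
	var v []string
	if m.LossRate > p.MaxLoss {
		v = append(v, fmt.Sprintf("loss %.1f%% exceeds %.1f%%", m.LossRate*100, p.MaxLoss*100))
	}
	if m.MaxLatency > p.MaxLatencyMs {
		v = append(v, fmt.Sprintf("latency %.0f ms exceeds %.0f ms", m.MaxLatency, p.MaxLatencyMs))
	}
	if m.Jitter > p.MaxJitterMs {
		v = append(v, fmt.Sprintf("jitter %.1f ms exceeds %.1f ms", m.Jitter, p.MaxJitterMs))
	}
	return v
}

// SampleTrace is a constructed ten-message trace sent 100 ms apart; message 5 is lost, the rest arrive 8 to 12 ms late.
func SampleTrace() []Sample {
	delays := []float64{8, 9, 12, 8, 10, -1, 11, 9, 8, 10} // -1 marks the lost message
	trace := make([]Sample, len(delays))
	for i, d := range delays {
		trace[i] = Sample{Seq: i, SentMs: float64(i * 100), RecvMs: -1}
		if d >= 0 {
			trace[i].RecvMs = trace[i].SentMs + d
		}
	}
	return trace
}

func main() {
	m := Measure(SampleTrace())
	fmt.Printf("loss %.0f%%, mean %.1f ms, max %.0f ms, jitter %.1f ms\n", m.LossRate*100, m.MeanLatency, m.MaxLatency, m.Jitter)
	for _, p := range Profiles {
		fmt.Printf("%-22s violations: %v\n", p.Name, Violations(m, p))
	}
}
```

Run with go run: the constructed trace passes the AMI profile, fails the operator-interface profile on loss alone, and fails the protection profile on all three counts, which is the paragraph's point in numbers: one channel can be adequate for metering and unusable for protection. A production tool would take the jitter definition from whatever the application's requirement cites (the smoothed interarrival estimator of RFC 3550 is a common choice) and read timestamps from a capture rather than a literal.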
Security as Information Protection
Information protection involves measures taken to ensure the confidentiality of electronic information, both in transit and when stored on digital systems. Of primary importance are personal information about utility customers and information about the electric power system that may be of interest to parties who wish to harm the utility or its customers. The value of this information, both to the utility and to potential intruders, increases as it progresses from the end user to the system level of the utility operation. Customer-level information is typically not as time-critical as information related to system reliability, so slower and more computationally intensive mechanisms can typically be used to secure it. It must also be recognized, however, that many of the processors and communication paths that handle this information are constrained in both processor power and communication speed.
An equally critical facet of information protection is protection of information and commands used to control the power system. It is important to ensure that such communications are protected from outside intrusion, particularly when the communication path is exposed to possible outside eavesdropping and malicious intervention.
Given that power systems cover a large geographic area (the utility’s service territory) and that area is physically shared with other entities and organizations, all communications to, from, and between power system components will be exposed to such potential outside influences and must be appropriately protected consistent with their value to both the utility and to potential intruders. Consequently, critical power system monitoring and control actions, as well as confidential customer information, demand a higher level of cybersecurity than, for example, information related to voltage levels on any particular feeder.
Who Cares About Security?
The short answer is that we all do. Successful communication signifies a level of reliability and confidentiality consistent with the needs of the particular application. Those needs must be identified in the corresponding business requirements when that application is designed.
The Energy Independence and Security Act (EISA) of 2007 passed by the U.S. Congress brought the term smart grid into the public vocabulary. The EISA mandate assumes that our existing electrical system is antiquated and in disrepair and needs urgent help to meet emerging demands. In fact, the creation of the smart grid really began more than 100 years ago with the early development of interconnected power systems. There is ample opportunity, however, under the EISA mandate to make our power systems “smarter,” and this must be done in a way that ensures both power system reliability and protection of sensitive information and control from ill-intentioned third parties.
The EISA assigned the National Institute of Standards and Technology (NIST) “primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of Smart Grid devices and systems…” (see EISA Title XIII, Section 1305). To carry out its EISA-assigned responsibilities, NIST devised a three-phase plan to rapidly identify an initial set of standards while providing a robust process for the continued development and implementation of standards as needs and opportunities arise and as technology advances, as follows:
- Engage stakeholders in a participatory public process to identify applicable standards and requirements, gaps in currently available standards, and priorities for additional standardization activities: With the support of outside technical experts working under contract, NIST has compiled and incorporated stakeholder inputs from three public workshops, as well as technical contributions from working groups and a cybersecurity coordination task group, into the NIST-coordinated standards road-mapping effort.
- Establish a smart grid interoperability panel (SGIP) forum to drive longer-term progress: A representative, reliable, and responsive organizational forum is needed to sustain continued development of interoperability standards. On 19 November 2009, the Smart Grid Interoperability Panel was launched to serve this function.
- Develop and implement a framework for conformity testing and certification: Testing and certification of how standards are implemented in smart grid devices, systems, and processes are essential to ensure interoperability and security under realistic operating conditions. NIST, in consultation with stakeholders, planned to develop an overall framework for testing and certification, whose initial steps were to be completed by early 2010.
Significant SGIP deliverables to date include the following:
- “NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0” (Release 2.0 is under review at the time of this writing)
- NIST IR 7628, “Guidelines for Smart Grid Cyber Security”
The framework document establishes a conceptual smart grid communication framework and identifies numbered communication interfaces for further study, while NIST IR 7628 provides recommendations in three volumes for establishing a secure communication environment.
Work continues on producing a series of priority action plans (PAPs) that contain recommendations for enhancements to existing standards work that will fill gaps in their interoperability. Finally, the SGIP is publishing a list of “recommended” interoperable standards.
Automatic meter reading (AMR) has progressed from the early efforts nearly 50 years ago to simply retrieve total energy consumption information to today’s AMI systems, which add to that original functionality a whole host of new features. Today’s smart meters are capable of detailed reporting of energy consumption patterns, monitoring power quality, supporting customer-owned home area networks (HANs) that can automate load response to system conditions, downloading new firmware and configurations, managing prepay functions, and performing service connects and disconnects. AMI systems are also providing both direct functionality and communication services to distribution automation applications, which improves the efficiency and reliability of the delivery system.
Some present and all future AMI deployments will use Internet Protocol (IP) addressing to allow messages to travel over multiple media and both public and private networks. IPv6 will provide virtually unlimited address space, QoS, and unique device addressability.
The communication media for AMI systems include a variety of proprietary radio systems, common-carrier digital cellular services, and communication using the power line itself, in the form of broadband over power lines (BPL). Of these, the industry is converging on the use of wireless IEEE 802.15.4g, which is part of the standard series that includes the popular Ethernet (802.3), Wi-Fi (802.11), WiMAX (802.16), and ZigBee (802.15.4) specifications. Several AMI vendors are converging on IEEE 802.15.4g as a physical layer that promises to deliver interoperable wireless mesh communication under the Smart Utility Network (SUN) profile.
With increased functionality and wireless connectivity comes a heightened need not only to protect system and message integrity but also to preserve the confidential information of customers. The AMI Security Task Force of the UCA International Users Group (UCAIug), the NIST SGIP, and in particular NIST IR 7628 are providing “best practice” guidelines for securing future AMI systems.
The remaining paragraphs of this article briefly explore techniques that can be used to enhance the cybersecurity of a modern communications infrastructure.
Techniques Used to Achieve Cybersecurity
Modern communication protocols are “layered,” as in the Open Systems Interconnection (OSI) Model and the Internet Engineering Task Force (IETF) Transmission Control Protocol (TCP) RFC 1122 and RFC 1123 communication models. This allows the separation of physical media, addressing, security features, and application specification. Importantly, such a network can mix multiple physical media to meet application needs without sacrificing interoperability. It can also share common addressing methods to simultaneously transport messages from multiple application layer protocols.
The conceptual model reflects how messages are sent in the traditional mail service, with a message being placed in an envelope, an address added, and the envelope entrusted to the post office system, which transports the envelope over a variety of physical media before eventually delivering the envelope to the addressee.
Such messages may be protected in a variety of ways. One might guard each step of the postal worker, seal the envelope with an “official” seal to detect tampering, or encrypt the message itself with a code known only to the sender and receiver. While each of these techniques has merit, the most secure of these is encryption of the message itself. With appropriate encryption codes, tampering with such a message is nearly impossible without detection (see Figure 1). Known as “upper-layer security,” such security is not only less complex and easier to administer than other forms of security, but it also preserves an “open” communication architecture that can carry messages for a variety of applications without the need to configure the communication network itself for each specific application.
In Figure 2, upper-layer security is contrasted with lower-layer security in a traditional communication “stack” diagram.
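The envelope analogy maps directly onto an authenticated-encryption construction: the address stays readable so the network can route on it, the body is opaque to every hop, and an integrity tag binds the two so that altering either is detected. The added Go example below (not code from the article or from any smart grid project) does this with AES-GCM from Go's standard library; the Envelope type, the NewGCM/Seal/Open functions, the constructed command and header strings and the example keys are assumptions for illustration. It also demonstrates the caveat behind "tampering is nearly impossible without detection": that property comes from the authentication tag, not from secrecy. The contrast case encrypts the same command with AES-CTR and no tag, and a flipped bit arrives as a different, silently accepted command. In keeping with the lock-and-key model discussed later in the article, everything here is public except the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed 32-byte keys for this example only. The key is the one secret; the algorithm (AES-GCM) is public.
var (
	DemoKey    = []byte("example-only-key-32-bytes-long!!")
	DemoCTRKey = []byte("example-only-ctr-key-32-bytes!!!") // separate key for the confidentiality-only contrast
)

// Envelope is what the lower layers carry. Header stays readable because the network
// must route on it, but it is authenticated; Body is opaque to every hop.
type Envelope struct {
	Header []byte
	Nonce  []byte
	Body   []byte // ciphertext || 16-byte authentication tag
}

// NewGCM builds the AEAD both ends use.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects a message at the application layer. The nonce must be unique per
// message under a key: a repeated nonce breaks GCM's guarantees.
func Seal(aead cipher.AEAD, header, plaintext []byte) (Envelope, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Header: header, Nonce: nonce, Body: aead.Seal(nil, nonce, plaintext, header)}, nil
}

// Open decrypts only if header, nonce and body are exactly as sealed.
func Open(aead cipher.AEAD, e Envelope) ([]byte, error) {
	return aead.Open(nil, e.Nonce, e.Body, e.Header)
}

// flipBit returns a copy of b with one bit changed, standing in for corruption or tampering in transit.
func flipBit(b []byte, i int) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= 0x01
	return c
}

// Demo seals a constructed control command, then plays the receiver under tampering and
// reports what it observed: round_trip, body_tamper_rejected, header_tamper_rejected, ctr_tamper_rejected.
func Demo() (map[string]bool, error) {
	r := map[string]bool{}
	aead, err := NewGCM(DemoKey)
	if err != nil {
		return nil, err
	}
	header := []byte("src=DMS-1;dst=RECLOSER-42;seq=17") // constructed routing data
	cmd := []byte("OPEN switch 7")                         // constructed command
	env, err := Seal(aead, header, cmd)
	if err != nil {
		return nil, err
	}
	got, err := Open(aead, env)
	r["round_trip"] = err == nil && bytes.Equal(got, cmd)
	_, err = Open(aead, Envelope{Header: env.Header, Nonce: env.Nonce, Body: flipBit(env.Body, 0)})
	r["body_tamper_rejected"] = err != nil
	_, err = Open(aead, Envelope{Header: flipBit(env.Header, 4), Nonce: env.Nonce, Body: env.Body})
	r["header_tamper_rejected"] = err != nil

	// Contrast: AES-CTR gives confidentiality only. The zero IV is acceptable solely because
	// DemoCTRKey encrypts exactly one message here; in practice the IV must never repeat.
	block, err := aes.NewCipher(DemoCTRKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	ct := make([]byte, len(cmd))
	cipher.NewCTR(block, iv).XORKeyStream(ct, cmd)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, flipBit(ct, 0)) // decrypts cleanly to a changed command
	r["ctr_tamper_rejected"] = bytes.Equal(pt, cmd)           // false: nothing told the receiver
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(r)
}
```

Two design points matter for a control channel. First, an authentic envelope can still be recorded and re-sent; AEAD does not prevent replay, which is why the header carries a sequence number that the receiver must track and reject when it repeats. Second, because the security lives in the upper layer, the same envelope can traverse radio mesh, cellular and IP backbone hops unchanged, and the hard operational problem becomes key management (per-device keys, rotation, and revocation) rather than per-network configuration.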
Security Must Be Built In
While it is tempting to say, “Let’s get it working—then we’ll add security,” such attempts at security implementation will result in systems that are both unreliable and insecure. Good security implementation starts with a thorough analysis of the security requirements of a particular application, based on the business needs and environment in which it will reside. Such requirements might range all the way from “no security” to “extreme security.” The design should then employ publicly vetted security techniques designed to meet the needs for performance, reliability, computation, and the communications attributes of the systems on which it is deployed while achieving appropriate levels of confidentiality, integrity, and availability (CIA). These are defined by NIST as follows:
- Confidentiality: The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
- Integrity: The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
- Availability: The property of being accessible and usable upon demand by an authorized entity.
System designers will sometimes create clever proprietary security schemes that are not exposed to the scrutiny of the security community. This is considered bad practice and leads to systems that are not interoperable with other systems and often have hidden security flaws. To implement the best security, all the details of the security system should be published and well known, but the keys should be kept secret. This is, in fact, the model with which most of the locks on our buildings are constructed. Most people understand how a lock functions, but only the owner or another authorized party has the key.
In this brief survey, we have seen that each of the meanings attributed to the term security in the electric utility world is consistent with the dictionary definition of the word in the sense that properly designed security contributes to the well-being and freedom from anxiety of utilities and their customers. Security must be properly applied and designed in from the beginning of a project. If this is properly done, even sensitive systems can share infrastructure with other applications.
Daniel E. Nordell is with Xcel Energy.