Guaranteeing the Security of an Increasingly Stressed Grid
- Written by Massoud Amin
Grid communications and control systems are often thought to be much more securely firewalled than is actually the case. An effective remedial program begins with a thorough and clear-eyed assessment of all vulnerabilities, especially to intrusion via the Internet. Creating an adequate security system requires a management culture that demands and respects attentiveness to security among all employees.
Both the importance and difficulty of protecting power systems have long been recognized, as noted in the January 2011 issue of this newsletter. The critical assets that must be accounted for include thousands of transformers, line reactors, series capacitors, and transmission lines. Physical protection of such widely diverse and dispersed assets is impractical, and the command and control layers built on top of them yield new benefits only if they are designed correctly and securely, which poses additional challenges.
As a practical matter, electrical systems must be structured to withstand the temporary loss of physical components, just as they must operate through spontaneous local outages, but that depends on defending control and communications against cyber attacks, be they terroristic, military, or criminal.
At the end of the 1990s, partly in reaction to cyber attacks in Brazil’s power system and partly in anticipation of Y2K, the Electric Power Research Institute launched a two-year Infrastructure Security Initiative. Before and after 9/11 (when I became responsible for research and development on infrastructure security at EPRI), we reached out to utilities and their vendors to share relevant information and develop action plans. We conducted "red team" studies of simulated cyber attacks on a variety of grid assets and developed protocols for secure communications between control centers, substations, and power plants.
Electric power utilities typically own and operate at least parts of their own telecommunications system—oftentimes backbone fiber optic or microwave networks connecting major substations with spurs to smaller sites. We found that this can give rise to a false sense of security. PCs, for example, can be a vulnerable point when they link dedicated communications with operations control. And sometimes modem access could be readily attained using obvious passwords. Yet we saw reports and files claiming that systems were bulletproof.
Consider the following conversation we had a couple of years ago with two operators in a typical multi-screen control room of a five-year-old, gas-fired combined-cycle power plant of 200–250 MW:
Do you worry about cyber threats?
No, we are completely disconnected from the Internet.
That’s great! But this is a peaking unit. How do you know how much power to make?
The office receives an order from the ISO, then sends it over to us. We get the message here on this screen.
Isn’t that message coming in over the Internet?
Sure, we can see all the ISO to company traffic… Oh! That’s not good, is it?
Any telecommunications link that is even partly outside the control of the organization that owns and operates power plants, supervisory control and data acquisition (SCADA) systems, or energy management systems represents a potential pathway into the business operations of the company and a threat to the larger transmission grid. And as the number of documented intrusions and their level of sophistication continue to rise, it has become apparent that human response is often neither fast enough nor smart enough to effectively counter malicious code and denial-of-service attacks.
A vivid example of just how insidious such attacks can be came last year with the Stuxnet malware, which evidently targeted Iran’s uranium enrichment operations. It did so by infiltrating standard SCADA and industrial control systems widely used in power systems and manufacturing facilities. Constructed in nested shells like a Russian doll, Stuxnet’s innermost "payload" ultimately took over logic controllers, so as to modify the way equipment ran, while remaining completely invisible to system operators. Control room screens would indicate normal operations, while machines spun wildly out of control and self-destructed.
Before Stuxnet had been fully analyzed, first by German cyber security experts and then by others who largely confirmed their conclusions, its outer shells had shown up in power systems and plants around the world. Though it appears to have done no damage there (as its authors evidently intended), it showed just how vulnerable widely used control systems can be to highly sophisticated malware.
Like any complex, dynamic infrastructure system, the electricity grid has many layers and is vulnerable to many different types of disturbances. While strong centralized control is essential to reliable operations, this requires multiple, high-data-rate, two-way communication links, a powerful central computing facility and an elaborate operations control center, all of which are especially vulnerable when they are needed most—during serious system stresses or power disruptions. For deeper protection, intelligent, distributed, secure control is also required, which would enable parts of the network to remain operational and even automatically reconfigure in the event of local failures or threats of failure.
Accordingly, protection of the system requires a multi-layered effort. At the highest level of generality there needs to be a corporate culture that insists on adherence to procedures, visibly promotes better security, and sees that management is well informed. The security program must be up-to-date, complete, closely supervised, and must include vulnerability and risk assessments. Of course, employees must be screened and trained and emergency procedures must be rehearsed and drilled.
Physical assets need to be evaluated in terms of criticality and vulnerability to intrusion. IT security must include protection of wired and wireless networks and assessment of firewalls and process control systems, among other things. Very high-level mathematical modeling is required for guarding against false data injection, detecting stealth attacks, estimating risk, and analyzing impact.
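The role of modeling in guarding against false data injection can be made concrete with the residual test that every energy management system's state estimator runs on incoming telemetry. The following is an added example, not code from the article or from EPRI; the 3-bus DC power-flow model, the noise values, the threshold and the corrupted readings are all constructed assumptions. It shows that the test flags a single corrupted measurement, but not an injection that stays consistent with the network model, which is the "stealth" case the paragraph above refers to.

```python
# Constructed 3-bus DC power-flow model (an assumption for this example, not from the
# article). States x = (theta1, theta2); bus 0 is the angle reference. Measurements z
# are three line flows (0-1, 0-2, 1-2) and two bus injections (bus 1, bus 2), with
# unit line susceptances, so z = H x + noise.
H = [(-1.0, 0.0),   # flow 0->1 = theta0 - theta1
     (0.0, -1.0),   # flow 0->2
     (1.0, -1.0),   # flow 1->2
     (2.0, -1.0),   # injection at bus 1 = flow 1->0 + flow 1->2
     (-1.0, 2.0)]   # injection at bus 2 = flow 2->0 + flow 2->1
SIGMA = 0.01        # assumed standard deviation of each measurement's noise
TAU = 11.34         # 99% chi-square quantile, m - n = 5 - 2 = 3 degrees of freedom

def state_estimate(z, sigma=SIGMA):
    """Weighted least-squares estimate x_hat and the normalized residual J = r^T W r."""
    w = 1.0 / sigma ** 2
    # Normal equations G x = b with G = H^T W H (2x2) and b = H^T W z, solved directly.
    g00 = w * sum(h[0] * h[0] for h in H)
    g01 = w * sum(h[0] * h[1] for h in H)
    g11 = w * sum(h[1] * h[1] for h in H)
    b0 = w * sum(h[0] * zi for h, zi in zip(H, z))
    b1 = w * sum(h[1] * zi for h, zi in zip(H, z))
    det = g00 * g11 - g01 * g01
    x_hat = ((g11 * b0 - g01 * b1) / det, (g00 * b1 - g01 * b0) / det)
    residuals = [zi - (h[0] * x_hat[0] + h[1] * x_hat[1]) for h, zi in zip(H, z)]
    return x_hat, w * sum(r * r for r in residuals)

def bad_data_detected(z, tau=TAU):
    """The residual test a state estimator runs: flag telemetry whose J exceeds tau."""
    return state_estimate(z)[1] > tau

def measure(x, noise, extra=(0, 0, 0, 0, 0)):
    """Constructed telemetry: z = H x + noise + extra, where extra models corrupted points."""
    return [h[0] * x[0] + h[1] * x[1] + n + a for h, n, a in zip(H, noise, extra)]

X_TRUE = (0.10, -0.05)
NOISE = (0.004, -0.006, 0.003, -0.002, 0.005)          # fixed so the run is repeatable
Z_CLEAN = measure(X_TRUE, NOISE)
Z_ONE_BAD = measure(X_TRUE, NOISE, (0.05, 0, 0, 0, 0))  # flow 0->1 corrupted on its own
C = (0.03, 0.0)                                         # state shift the residual test misses
Z_STEALTH = measure(X_TRUE, NOISE, tuple(h[0] * C[0] + h[1] * C[1] for h in H))

def compare():
    """Return J for the clean, single-corrupted-point and model-consistent cases."""
    return tuple(state_estimate(z)[1] for z in (Z_CLEAN, Z_ONE_BAD, Z_STEALTH))
```

Because the residual test is blind to injections that respect the network model, detection in practice also depends on integrity-protected measurements and cross-checks against independent data, which is the kind of modeling work the paragraph above calls for.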
At the same time, as security programs are built and protections put into place, difficult choices will have to be made about how to handle a number of trade-offs.
- Security versus efficiency. The specter of future sophisticated terrorist attacks raises a profound dilemma for the electric power industry, which must make the electricity infrastructure more secure, while being careful not to compromise productivity. Resolving this dilemma will require both short-term and long-term technology development and deployment that will affect fundamental power system characteristics.
- Centralization versus decentralization of control. For several years, there has been a trend toward centralizing control of electric power systems. The emergence of regional transmission organizations, for example, promises to greatly increase efficiency and improve customer service. But we also know that terrorists can exploit the weaknesses of centralized control; therefore, smaller and local would seem to be the system configuration of choice. In fact, strength and resilience in the face of attack will increasingly require the ability to bridge simultaneous top-down and bottom-up decision-making in real time—fast-acting and totally distributed at the local level, coordinated at the mid-level.
- Wider grid integration and increasing complexity. System integration helps move power more efficiently over long distances and provides redundancy to ensure reliable service, but it also makes the system more complex and harder to operate. We will need new mathematical approaches to simplify the operation of complex power systems and make them more robust in the face of natural or manmade interruptions.
- Dependence on Internet communications. Today’s power systems could not operate without tightly knit communications capabilities—ranging from high-speed data transfer among control centers to the interpretation of intermittent signals from remote sensors. But due to the vulnerability of Internet-linked communications, protecting the electricity supply system will require new technology to improve the security of power-system command, control and communications, including both hardware and software.
- Investments in security. Although hardening some key components—such as power plants and critical substations—is highly desirable, providing comprehensive physical protection for all components is simply not feasible or economical. Dynamic, probabilistic risk assessments have provided strategic guidance on allocating security resources to greatest advantage.
Fortunately, the same core technologies that were developed to address other system vulnerabilities can strategically improve system security as well. But the electricity infrastructure will also require power system-specific advanced technology. Assuming that individual utilities are already taking prudent steps to improve their physical security, technology can help by increasing the inherent resilience and flexibility of power systems to withstand terrorist attacks as well as natural disasters.