The Special Security Challenges in Upgrading an Economy-Built Grid
- Written by Sandeep Agrawal and Manoj B. Daigavane
The smart grid implies automation of the electric power grid, involving analysis of energy usage patterns to achieve data-driven management in real time. But automation often implies computerization, bringing in new cyber security risks if proper thought is not given to system design at the very outset. Security issues and lessons to consider include source code security, security as risk management, and how to move beyond defensive behavior to proactive procedures.
Given certain inadequacies in India's power system infrastructure, it probably will not be possible to implement many of today's desirable IT security mechanisms without upgrading the system with smart grid technologies. A national Smart Grid India Task Force has designated eight pilot projects, covering residential and industrial advanced metering infrastructure (AMI), outage management, peak load and power quality management, microgrids, and distributed generation.
A pervasive difficulty found in India and in similar countries is that most of the devices in the electrical power system were purpose-built and do not have additional communications capacity to perform security functions. For the most part, utilities have wanted to own the communication systems they operated, and they have not wanted to own any more than was necessary.
For many individual distribution automation functions, the minimum communication system was implemented. Load management messages might be carried over power lines at a speed of a few bits per second. Other functions might take advantage of a few seconds per day of time on a customer telephone. Others could be done via signals buried in broadcast radio transmissions. None of these mechanisms had any headroom, and thus no new functions or new control points could be added.
Since the utility distribution communications world was perennially bandwidth limited, a basic bandwidth-saving technique known as "report by exception" came into wide use: a device transmits a value only when it changes, rather than on every poll. It allowed better use of a channel, but the channels that were built had no spare capacity for the extra bytes that secure authentication of each message would require.
What is more, the protocols and communication systems that controlled the electrical power grid of yesterday operated on implicit trust. The danger with that operating environment is that anyone can send any command to any device on the network, and the device will do what it is told whether or not the command is legitimate. Nothing in the protocol verifies that the command came from a trusted entity, that it was not altered in transit, or that it is not simply a replay of an earlier, genuine command.

An attacker could order breakers opened in all the substations on a network to which he or she has access, and all the breakers would open. The protocols have no way to identify who issued such a command and no way to verify that it was authorized.
Control systems are also vulnerable to spoofed data. Most communications are device-to-device, where the status of one device causes another device to act. If data concerning one system element is spoofed and a false status report is sent, a second device will act in a way that it should not. To take a very simple example, if a spoofed message from a reservoir level sensor to a pump says the tank is not full when it actually is, the pump will activate and the tank will overflow. Because the pump has no way to distinguish a forged report from a genuine one, status data needs the same origin and integrity protection as commands.
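The following is an added illustration, not code from the article or from any real grid protocol. It contrasts a legacy command frame that any party on the channel can forge with the same frame carrying a sequence number and a truncated HMAC tag, so that forged, altered and replayed frames are refused. The frame layout, the 16-byte demo key and the 64-bit tag length are assumptions chosen for the example; real deployments use per-device provisioned keys and standardized schemes such as DNP3 Secure Authentication or IEC 62351. The `seconds_on_channel` helper makes the bandwidth point above concrete: at a few bits per second, the authenticated frame takes several times longer to send.

```python
import hmac
import hashlib
import struct

# Constructed demo key; an assumption for this example only. Real deployments
# provision a distinct key per device through a key-management process.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

CMD_OPEN_BREAKER = 1
CMD_CLOSE_BREAKER = 2
STATUS_LEVEL = 3          # e.g. a reservoir level reported by a sensor
TAG_LEN = 8               # HMAC-SHA256 tag truncated to 64 bits to save channel time

# ---- Legacy frame: device id, kind, value. No origin, no integrity. ----
LEGACY_FMT = ">HBH"       # 5 bytes on the wire

def encode_legacy(device_id, kind, value):
    return struct.pack(LEGACY_FMT, device_id, kind, value)

class LegacyDevice:
    """Does whatever any frame addressed to it says, no questions asked."""
    def __init__(self, device_id):
        self.device_id = device_id
        self.breaker_open = False
        self.last_level = None

    def handle(self, frame):
        dev, kind, value = struct.unpack(LEGACY_FMT, frame)
        if dev != self.device_id:
            return "ignored"
        return self._apply(kind, value)

    def _apply(self, kind, value):
        if kind == CMD_OPEN_BREAKER:
            self.breaker_open = True
            return "opened"
        if kind == CMD_CLOSE_BREAKER:
            self.breaker_open = False
            return "closed"
        if kind == STATUS_LEVEL:
            self.last_level = value       # a spoofed status is accepted as readily as a real one
            return "level recorded"
        return "unknown"

# ---- Authenticated frame: legacy fields + sequence number + HMAC tag. ----
AUTH_FMT = ">HBHI"        # 9 bytes + TAG_LEN on the wire

def encode_auth(device_id, kind, value, seq, key):
    body = struct.pack(AUTH_FMT, device_id, kind, value, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class AuthDevice(LegacyDevice):
    """Acts only on frames with a valid tag and a strictly increasing sequence number."""
    def __init__(self, device_id, key):
        super().__init__(device_id)
        self.key = key
        self.last_seq = 0

    def handle(self, frame):
        if len(frame) != struct.calcsize(AUTH_FMT) + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"        # forged with the wrong key, or altered in transit
        dev, kind, value, seq = struct.unpack(AUTH_FMT, body)
        if dev != self.device_id:
            return "ignored"
        if seq <= self.last_seq:
            return "rejected: replay"         # genuine tag, but an old frame resent
        self.last_seq = seq
        return self._apply(kind, value)

def seconds_on_channel(frame, bits_per_second):
    """Air time of one frame on a slow link: the price of the authentication overhead."""
    return len(frame) * 8 / bits_per_second

if __name__ == "__main__":
    legacy, auth = LegacyDevice(7), AuthDevice(7, DEVICE_KEY)
    forged = encode_legacy(7, CMD_OPEN_BREAKER, 0)
    print("legacy device, forged frame:", legacy.handle(forged))
    print("auth device, wrong key:", auth.handle(encode_auth(7, CMD_OPEN_BREAKER, 0, 1, b"guess")))
    genuine = encode_auth(7, CMD_OPEN_BREAKER, 0, 1, DEVICE_KEY)
    print("auth device, genuine:", auth.handle(genuine), "| replayed:", auth.handle(genuine))
    print("air time at 8 bps: legacy %.1fs, authenticated %.1fs"
          % (seconds_on_channel(forged, 8), seconds_on_channel(genuine, 8)))
```

The sequence number is what stops replay: the attacker who records a genuine "open breaker" frame and resends it later gets a correct tag but a stale counter. The sequence state must survive device reboots, and the tag truncation is a deliberate trade of security margin for channel time; both are the kind of constraint that a purpose-built, bandwidth-starved link forces a designer to confront.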
Damaging events like unintended power plant outages can arise from miscommunication and misunderstandings among pieces of legacy equipment, without malice playing a role. Consider a machine on the company network that monitors, and synchronizes its data with, a system on the primary control network. The machine is patched and rebooted; the reboot resets some of its stored values to zero, and the next synchronization pushes those zeros to the control system. The control system interprets the resulting message to mean that a reservoir is empty and shuts down the plant. The root cause is not the patch but the fact that the control system acts on a synchronized value without checking whether it is plausible.
Broadly, an IT professional with no control systems background would look at a control system and immediately want to set up a patching server and push out patches to all the hosts. The control systems engineer knows that with patching comes the necessity of rebooting the machine, but rebooting a controller can be tantamount to a catastrophic unplanned outage.

On the other hand, control systems engineers often do not have sufficient expertise in implementing the security solutions typically deployed by IT personnel. Without understanding each other's needs and capabilities, either side can introduce unintended vulnerabilities.
As observed earlier, many control devices in the power grid were purpose-built to perform one function and one function only, and many of the communications systems that were installed are also single-purpose. As the economics have shifted, many commodity multipurpose devices are now being used. For example, instead of a dedicated low-speed serial communication link, there is a TCP/IP network card connecting a device that has an FTP server, a telnet client and a web server embedded. Every one of those embedded services is attack surface that the dedicated link never exposed, and FTP and telnet in particular carry credentials in cleartext, so they should be disabled where not needed and never reachable from outside the control network.
Consequences of a grid failure must be considered, such as the equipment damage that can result from loss of power when important cooling or heating functions depend on electricity. Asset misconfiguration—settings on equipment are changed, and normal operational protections are removed—can be more damaging than the wide scale blackouts that always get media attention.
Among the strategic issues to be resolved in such risk analysis is whether the AMI network should have any connection to the SCADA network at all. In any event, the vital parts of the smart grid need to be segmented from any network that is publicly reachable, so as to reduce the likelihood of an external security breach.