IEEE Smart Grid Cyber Security Round Up
Discussion of cyber security and the connected, modernized grid is trending very high right now and, as can be expected with a topic this important, there is much Fear, Uncertainty, and Doubt (FUD). IEEE’s Smart Grid subject matter experts cut through the FUD and give us their reasoned responses to the questions:
Will a connected grid be more vulnerable to attack? Can we keep a connected grid more secure than the Internet itself?
Steven E Collier, IEEE Member, and Vice President of Business Development, Milsoft Utility Solutions
The Internet is the Solution, Not the Problem! Weather events of increasing frequency and severity in the US and abroad have revealed that the tightly physically interconnected grids we have in the developed countries are increasingly insecure and unreliable. Monolithic, centralized grids with huge central station generation delivering power to distant load centers through a few bulk transmission corridors concentrate the risk of extended, prolonged outages resulting from equipment failure, weather, accidents, vandalism, terrorism, and war. The capital investment and labor required to physically "harden" the grids would be staggering if it were even possible to do so.
The cyber security bogeyman for the Smart Grid is the possibility that having a centralized grid tightly interconnected with and controlled by two-way digital communications will make it susceptible to hackers who could severely adversely affect operations and/or compromise corporate and consumer confidential information and financial accounts. The latter concern is endemic to the Internet and is being managed acceptably today and will continue to be. Civilization is even less likely to abandon the benefits of the Internet than the benefits of readily available electric power and energy so the access and information security issues will be resolved.
The Internet is actually more reliable than the electric grid because it is: 1) decentralized, patterned after the starfish rather than the spider, 2) asynchronous, meaning that sources do not have to be exactly matched to loads in time, and 3) redundant, being a mesh of many possible paths rather than a few serial connections. The Internet is a smart grid, a resilient grid, a self-healing grid that really never goes down. A last mile connection to the grid may fail, or a particular destination on the grid may fail (often through a DDoS), but the Internet itself remains hardened to all but broad geographical physical destruction or EMP events.
But what about the physical security of a grid for which the Internet is the control plane? The Internet will actually make it possible to have a substantially more secure grid. How? In the first place, what better way to mitigate both the existing physical and the emerging cyber risks of the grid than to be able to reliably monitor and control every part of the grid in real time? Furthermore, the new smart grid will be a less centralized grid because: 1) the traditional economies of scale that supported it have been eliminated by risk and uncertainty of siting, construction, operation, fuel supply, environmental impact and cost recovery, 2) there will be penetration of distributed generation, storage, PHEVs/EVs as well as customer premises energy management systems, and 3) there will be an increasing penetration of stochastic, non-dispatchable energy sources like wind, solar and consumer dispatched generation. This will be a much more complex grid with many more points that will have to be automatically monitored and controlled. Only the Internet of Things will make it possible to do so successfully.
John D. McDonald, P.E., IEEE Fellow, and Director, Technical Strategy & Policy Development, GE Energy Management - Digital Energy
The connected grid is more vulnerable today than 15 to 20 years ago. Previously, our communications were primarily serial, point-to-point, and our communications protocols were proprietary. If a hacker was able to penetrate this system, they would be limited to the grid between two communication points, and would be limited in what they were able to do, since the communications protocol (bit pattern) to operate a device (e.g., open a breaker to cause an outage) was proprietary and very difficult to obtain. Today, new installations have moved to network communications (TCP/IP) using industry standard communications protocols (e.g., DNP3, which is now IEEE 1815). If a hacker is able to penetrate this system, they would have extensive reach on the grid (the network) and be able to operate a device using an industry standard bit pattern to communicate. In other words, the advances in communications have brought significant benefits but have made the grid more vulnerable to cyber attack.
Cyber security functionality must be implemented in devices and systems at the beginning of their development, not "bolted on" in mid-development or after development. The choice of location of the cyber security functionality in the system architecture is critical for both the supplier and customer. If the functionality is implemented at the device level, the lowest level of the architecture, it will cost more to the customer. If implemented at the next level up, the data concentrator level, it will cost less to the customer, since fewer data concentrators are purchased than devices. In other words, the total price premium paid for the cyber security functionality is less. A second consideration is the performance tradeoff with the addition of cyber security functionality. For example, adding digital encryption to wireless communications can add latency. There is a performance tradeoff with additional cyber security functionality.
In summary, for the supplier, determine what cyber security functionality is necessary and determine the best point in the architecture to implement, to maintain the price and performance needed to have a competitive offering. For the customer, be reasonable with cyber security requirements and understand that there may be a price premium and a performance hit.
Sam Sciacca, IEEE Member, and President, SCS Consulting, LLC
I think the growing interconnection of systems which comprise the Smart Grid will not be more vulnerable than existing systems. In fact, the growing concern for cyber security throughout the digital world will benefit the grid, with new cyber security safeguards and techniques becoming available and cost effective for nearly every aspect of electric power generation, transmission and consumption. What is a growing concern is the extent of the impact to the grid in the event of a successful cyber attack. As the systems of the smart grid continue to intertwine and allow operation of the grid closer to practical limits, a successful cyber attack has the potential to create a more far-reaching effect. Unfortunately, the possibility of having a more far-reaching effect also creates a more attractive target for cyber attacks than a fragmented grid system where the effects of an attack would be intrinsically limited by functional and geographical boundaries.
Also, the possibility of acquiring massive amounts of proprietary customer data (usage patterns, payment terms) generated by AMI systems will increase the potential for cyber attacks which seek to compromise databases and data transmissions for financial motives.
Can we keep a connected grid more secure than the Internet itself?
Because the Internet is such a target-rich environment, it will remain a greater attraction for generic cyber attacks than the Smart Grid. Successful attacks of the connected grid also need knowledge of the critical aspects of the grid under attack, which limits the number of potential attackers to those who are familiar with grid concepts such as stability, voltage control, spinning reserve, etc. Additionally, there is a mandate for the grid to operate in an N-1 contingency state, meaning that the loss or mis-operation of any single asset (power plant, transmission line, substation, communications link) will not cause widespread grid instability. In this respect, the grid will remain more secure than the Internet.
Doug Housman, IEEE member, Power and Energy Society, Intelligent Grid Coordinating Committee and Vice President of Innovation and Technology, Enernex
As is pointed out by my colleague Slade Griffon, in the comment below, there are issues that come with adding more sensors and controls to the grid.
“In any system with two-way communications the more devices, services, and functions you make available the greater your potential attack surface becomes. Particularly the addition of new functionality may increase the risk to that system if not properly evaluated and tested for weaknesses prior to being placed into production. New systems, and their associated functionality, can be implemented and utilized with some degree of assurance when the security of those systems is reviewed in the design phase, tested in a pre-production phase, and then re-tested in production or a sandbox environment that closely mirrors the production environment. In addition to active testing, risk analysis should be performed with the end goal in mind which examines the system in light of current standards, guidelines, and regulations which are applicable to the solution’s application and environment.”
The differences between the Internet and the control systems for the grid include but are not limited to:
1) Fewer owners with more resources available: most utilities are large enough to have a dedicated staff to support security on the grid, and smaller ones can hire outside resources to help with security.
2) The grid is the “money machine” for these companies; much of the Internet is not to the people who use it. When your revenue comes from a specific asset or assets, people tend to be willing to invest in that asset to keep it whole and healthy. This means that we should see enough investment both at the utility level and at the level at which IEEE, EPRI, and other organizations exist to fund significant research and investment in proactive defenses.
3) People will know. If a home or business user makes a mistake or two and gets infected, almost no one knows, and it is so common that it is not news. On the other hand, if a utility asset is infected, it will make news, even if there was no interruption or damage. This “fear of publicity” will keep many executives in the industry asking, “are we doing enough?” and keep executive focus on the security issue.
4) The grid does not have to be connected to the Internet. Using Internet Protocols does not mean a physical connection to the Internet has to exist. This physical separation adds another level of work for anyone who wants to gain access to the grid; while it can be done, it means that the likelihood of people who are casually interested taking the time and effort to connect is low. That leaves only the serious attackers, and while they are dangerous, it is a smaller community of people and organizations to worry about.
5) The grid is being designed from the ground up with security in mind. While there will be many innovations by the attackers and they will find holes, ARPANet was never designed with the level of security that is needed today. Because of that, all of the security has had to be added after the fact by the various owners and users of the Internet; it was not designed in. Even today virus protection is not an automatic inclusion on every new node added to the Internet, nor is the right to update the virus protection; it takes active user investment to have that protection and keep it current. The grid is being designed from the ground up with that level of security being built in. There are legacy components that will need security upgrades and it will take significant work to add the security, but at least the investment is understood and there is executive buy-in in most companies.
6) Devices are being designed to “fail safe” – if the devices observe traffic or commands that violate their internal sensor information, or they lose connection to higher authority, or they can’t validate their commands from higher authority, most grid devices are designed to “fail” to a normal operating position and go passive. This means in most cases the power will continue to flow as if the device was not there, or as if it were an older generation device without the modern intelligence.
These six differences will not make the grid invulnerable, nor even secure, but they will give the grid a much better chance of closing gaps quickly when they are identified and provide a platform that has fewer embedded vulnerabilities. There is hard work ahead; the industry working groups are critical and they need support from the stakeholders in the grid. Security by fiat or regulation does not work; it makes the industry too slow to react. Only active stakeholder participation and constant vigilance will keep the grid safer, more resilient, and more effective than the grid it will replace.
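The “fail safe” behaviour in point 6 above can be sketched as a small state machine. The following Python is an added illustration and is not code from the article or from any contributor’s products; the shared HMAC key, the JSON command format with a sequence number, the heartbeat timeout, and “closed” as the breaker’s normal position are all assumptions made for the example.

```python
import hashlib
import hmac
import json

KEY = b"demo-shared-key-not-for-production"  # constructed demo key; real devices provision this out of band
HEARTBEAT_TIMEOUT = 30.0    # assumed seconds without a valid heartbeat before going passive
NORMAL_POSITION = "closed"  # assumed breaker position in which power keeps flowing

def sign(msg: bytes) -> str:
    """HMAC-SHA256 tag the higher authority attaches to every message."""
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

class FailSafeBreaker:
    def __init__(self, now: float):
        self.position = NORMAL_POSITION
        self.passive = False        # True once the device has failed safe
        self.last_seq = 0           # replay protection: sequence numbers must increase
        self.last_heartbeat = now   # time of the last authenticated heartbeat
        self.fault_current = False  # local sensor input

    def fail_safe(self, reason: str) -> str:
        # Revert to the normal operating position and stop acting on commands.
        self.position, self.passive = NORMAL_POSITION, True
        return f"passive: {reason}"

    def heartbeat(self, msg: bytes, tag: str, now: float) -> bool:
        ok = hmac.compare_digest(sign(msg), tag)
        if ok:
            self.last_heartbeat = now
        return ok

    def tick(self, now: float) -> str:
        """Periodic check: losing contact with higher authority triggers fail-safe."""
        if not self.passive and now - self.last_heartbeat > HEARTBEAT_TIMEOUT:
            return self.fail_safe("lost contact with higher authority")
        return "passive" if self.passive else f"active: {self.position}"

    def handle(self, msg: bytes, tag: str, now: float) -> str:
        if self.tick(now).startswith("passive"):
            return "passive: ignoring command"
        if not hmac.compare_digest(sign(msg), tag):
            return self.fail_safe("command authentication failed")
        cmd = json.loads(msg)
        if cmd.get("seq", 0) <= self.last_seq or cmd.get("action") not in ("open", "close"):
            return self.fail_safe("replayed sequence number or unknown command")
        if cmd["action"] == "close" and self.fault_current:  # never close onto a fault
            return self.fail_safe("command contradicts local sensor data")
        self.last_seq = cmd["seq"]
        self.position = "open" if cmd["action"] == "open" else "closed"
        return f"ok: {self.position}"
```

Once the device has gone passive it stays in the normal position and ignores further commands until an operator re-arms it, which is the behaviour point 6 describes.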
Cheri Warren, Division VII Director, IEEE, and VP, Asset Management, National Grid
Security is a big area of concern today and, while cyber security is a large part of that, the greatest vulnerability is in people and passwords. That's why National Grid is making a culture of security a very high priority. One of the ways in which we take on cyber security is through our Business Resiliency Committee, which is led by Dr. Robert Coles, an energy expert who came to us from Oxford. The Business Resiliency Committee takes on issues and concerns around grid resiliency relative to weather events as well as digital risk security. Utilities such as National Grid are becoming a huge target of cyber security threats and hackers, and this is evolving quickly. Assessing the cyber security threat, we must look at the forest and the trees. National Grid has the unique trait of being a provider of energy in the United Kingdom as well as the Northeastern United States, so our security management takes on a more global approach. And, yet, we also have to consider in greater depth simple things like devices – chips within various devices are sourced from literally everywhere. So, how secure is any given device? And, anything connected can be hacked. At the same time, we have to give our people the access to do their work. So, we have to look at security in a new way: what does it look like, what does the footprint look like? We look in detail and depth at encryption and handshaking as well as at what is going on within and outside of the firewall. I think this is going to be about getting centralized vs. distributed protection right. We can’t protect everything, so we need to be smart about how we protect the pieces that are most important.
Dr. Alan Mantooth, IEEE Fellow, Vice President Operations for IEEE Power Electronics Society, and Distinguished Professor and 21st Century Chair in Mixed-Signal IC Design and CAD, Electrical Engineering, University of Arkansas
Grid modernization is all about making electricity delivery more efficient and reliable. In response to the question of whether a cyber-enabled grid is more vulnerable, you can’t say that it’s not. It’s the price we pay for increasing efficiency and being more resilient with our resources. A grid is more resilient the better we can monitor it and use resources more efficiently to respond to what we monitor. However, the more digital and communicative we want to be, we do make ourselves more vulnerable.
We are already vulnerable to outages from Mother Nature, but we can’t ignore that there are bad people out there. Smart grid technologies and cyber sensing are not ubiquitous today and people are already launching attacks, so that horse has left the barn. You don’t have to Google very hard to come up with reports of cyber attacks. It’s the world we live in. It demands diligence. Technology goes forward not backward, so we must continue to pursue new technologies and roll them out.
We have no choice. To use a military analogy, when people try to take over, one of the first things they try to do is control the communications. Why wouldn’t they also want to control the power and energy supply? Vulnerability and risk are probabilistic things. Security must be a first order specification in the design of software and equipment. Still, the worst that can happen is a loss of power and that already happens with Mother Nature. As consumers, we take the same steps in planning for outages due to a cyber aware grid that we do in dealing with Mother Nature. Simply put, we must be persistent and diligent as consumers and as electric power providers.