Secure Smart Grid Visibility and Control
By Kash Nodehi, David Heim, Erik Amundson and Ebrahim Vaahedi
Historically, the primary benefits associated with controlling grid-edge devices have been load control and other forms of Demand Response (DR). With new communication and control technologies, it is becoming increasingly possible for utilities to deploy distribution controls and grid-edge devices to address the challenges of an ever-more distributed system.
Tomorrow’s Smart Grid will be much more than just networked meters and sensors. To achieve the full promise of an interconnected power distribution system, utilities have to be able to securely connect with and control end-use devices and other distribution grid assets. Doing so will give them the ability to optimize power supply portfolios, achieve grid visibility from the end-use consumers to distribution substations, and use DR and Distributed Energy Resources (DERs) to strategically manage system load and distribution grid operating conditions.
Security of Smart Grid Communication
The North American energy sector is already one of the most targeted industries in the world for cyber-attacks, which show no signs of slowing down. In 2014, more than 30 percent of malware attacks reported to the Department of Homeland Security were reported by energy companies. Connecting myriad end-use devices and grid assets to modern IP networks will open up a number of amazing possibilities — including improved grid reliability. However, exposure to compromise is also increased, and the odds increase dramatically when Smart Grid systems are poorly protected.
Generally, Smart Grid communications have not used sufficient levels of security. In many cases, in fact, Smart Grid devices send and receive messages using insecure web services — a method of communication that allows two software systems to exchange data over the Internet.
Some organizations use a proprietary network for their communications, trusting in “security through obscurity.” These networks have some level of implied security simply because they are a little-known method of contacting end-devices. Since mainstream attackers don’t use the technology, proprietary networks don’t experience so-called “nuisance” hacks. However, for an attacker who is targeting the system specifically (a directed attack), getting access to the network method is often not technically difficult. Proprietary networks also lack the broad scale end connectivity to connect a true Smart Grid system.
So how can utilities bring high-level security to their Smart Grid initiatives and feel confident in integrating grid-edge devices into their critical operations over the public Internet? The “simple” answer is to close the loop: ensure valid authentication of every device connected to the network, fully encrypt the data communicated to and from devices, and monitor the behavior of the devices to better detect compromise. Easy to say, but not so easy to implement.
Issuing Digital Certificates to desktop and laptop client users has become relatively commonplace in many large organizations, but the same cannot be said for residential and commercial devices. Devices such as digital thermostats and water heaters need to securely connect to utility operations. Given a wide diversity of device platforms, it would be virtually impossible for a Certificate Authority (CA) to efficiently issue client-side Digital Certificates for all of the devices utilities want to measure and control. (A DC verifies the identity of a device and encrypts data traffic between devices.) If any CA was able to maneuver the technological hurdles, uncertain device manufacturing processes (as well as the varying levels of tamper-resistance from device to device) would make connecting those devices a dubious proposition for the utilities.
One way around the issue of connecting with so many unknown devices is for utilities to instead connect with a trusted node at each geographically-distinct customer site. Each node would then interact with the grid-edge devices via local network connection protocols. These nodal grid-edge devices must be resistant to physical tampering and have limited device-to-node interactions, where data that do not meet the specified formatting standard are detected and prevented from action.
Open Access to Distributed Assets
Implementing a security system that protects both utilities and their customers from the increasing threat of cyber-attacks, while fully harnessing the reliability and economic value of end-use devices, will require utilities to invest in advanced networking and communication technologies. This kind of high-level, adaptable security system is a necessity to ensure grid-edge devices are protected, profitable, and present in tomorrow’s Smart Grid.
Utilities should look for solutions that provide complete and secure control of all their distributed energy resources, generation assets, and electrical grid equipment. Such solutions should also combine deployable nodal devices that integrate grid-edge devices and grid assets with a security process for authentication, data encryption, and behavioral monitoring, as well as a modern architecture for seamless connections to other Smart Grid applications.
For a downloadable copy of April 2016 eNewsletter which includes this article, please visit the IEEE Smart Grid Resource Center.
Kash Nodehi has more than 25 years of experience in the energy industry. Dr. Nodehi is an executive vice president at Open Access Technology International, Inc. (OATI). He has been in various OATI product life cycles and has been involved in the design and development of system architecture for OATI products, as well as the initial design of the system architecture and user interface for NERC Interchange Distribution Calculator (IDC). Dr. Nodehi worked on the design, development and deployment of Mid-Continent Area Power Pool (MAPP) back-end Available Transfer Capacity (ATC) calculation methodology at OATI. He led the technical team in product delivery and worked on the design and deployment of OATI webAccounting and GridControl. After earning a B.S. in Electrical Engineering, and an M.S. in Electrical Engineering Power Systems, he went on to get a Ph.D. in Electrical Engineering Power Systems, all from Iowa State University.
David Heim is Chief Strategy Officer at OATI. He has more than 12 years of experience and is responsible for overseeing OATI’s Strategic Initiatives department, which includes development of new and emerging hardware and software technologies, development and construction of the new OATI South Campus and Data Center, oversight of OATI’s existing data centers and infrastructure, and coordinating compliance with IT-related industry and regulatory standards. Mr. Heim began his career as an IT professional for a major international consulting firm. After obtaining his law degree, he joined OATI in the Office of General Counsel, and served as OATI’s Chief Information Officer. Mr. Heim now combines his IT and legal backgrounds to uniquely and successfully carry out responsibilities. He received a B.A. degree in International Relations and Chinese from the University of Minnesota and, later, a J.D., Magna Cum Laude, from William Mitchell College of Law.
Erik Amundson has more than 17 years of experience in virtually all areas of Information Technology. As Chief Technology Officer, Advanced Systems Design, Mr. Amundson works closely with product development teams and consults all teams on system design and infrastructure. He has extensive experience in technologies and support of advanced data centers such as the OATI Active/Active Private Cloud, OATI GridControl, and OATI GridSafe. Mr. Amundson received EMC Clarion Training from the EMC Training Facility and is a Cisco Certified Networking Professional (CCNP) and Networking Associate (CCNA).
Ebrahim Vaahedi has over 30 years of experience in different segments of the energy industry specializing in the development and execution of technology strategies for the utility industry. He obtained his MSc and PhD degrees from Imperial College, University of London in the area of decision support systems for security and economic operation of power systems. He joined BCTC in 2003 as the Chief Technology Officer where he was accountable for developing and executing a consolidated technology plan including the delivery of a $140 million Control Center project. He joined OATI in December 2014 as a senior director where he leads smart grid solution development and delivery.
To have the Bulletin delivered monthly to your inbox, join the IEEE Smart Grid Community.
To view archived articles, and issues, which deliver rich insight into the forces shaping the future of the smart grid. Older Bulletins (formerly eNewsletter) can be found here. To download full issues, visit the publications section of the IEEE Smart Grid Resource Center.