Security Architecture for NASPI


Trustworthy Wide Area Measurement Systems
Presented by: Himanshu Khurana, University of Illinois
ACM CCS 2009 Tutorial on Cyber Security for the Power Grid
University of Illinois Urbana-Champaign • Information Trust Institute
Outline
• Wide area transmission systems
• August 2003 blackout
– Analysis and recommendations
• North American Synchrophasor Initiative (NASPI)
• NASPInet Wide Area Network
• Challenges: distributed networking, quality of service, cyber security
Background: Power Grid Control Center Networks and Applications
Control Communication Architecture
From a presentation by D. Whitehead, “Communication and Control in Power Systems”, TCIP Summer School, June 2008
Background: Power Grid Control Center Networks and Applications
Control centers
Who’s in charge?
• Federal Energy Regulatory Commission (FERC)
• North American Electric Reliability Corp. (NERC)
• State legislatures
• Regional reliability councils
• ISOs and RTOs
• State commerce commissions
• Control area operators
NERC Regions
Balancing Authorities (Control Areas)
Current Control Strategy and Hierarchy
Control Strategy
• Centralized Control Center (Balancing Area)
– Open loop control
– Telemetry through SCADA; polls data every ~2 seconds
• Local control (power plants, substations)
– Feedback control
– Protection
Control Hierarchy
• Balancing Authorities (BAs)
– Real-time generation, load and interchange balance
• Reliability Coordinators (RCs)
– Wide area coordination and reliability
NERC Interconnections
Independent System Operators and Regional Transmission Organizations
Major North American Blackouts
Date                Location                  Load Interrupted
November 9, 1965    Northeast                 20,000 MW
July 13, 1977       New York                  6,000 MW
December 22, 1982   West Coast                12,350 MW
January 17, 1994    California                7,500 MW
December 14, 1994   Wyoming, Idaho            9,336 MW
July 2, 1996        Wyoming, Idaho            11,743 MW
August 10, 1996     Western Interconnection   30,489 MW
June 25, 1998       Midwest                   950 MW
August 14, 2003     Northeast                 61,800 MW
Blackout of August 14, 2003
Credit: Jeff Dagle
August 14, 2003 Blackout Investigation
• Investigate the cascading electrical failure.
• Review performance of plants and assess possibility of damage.
• Determine if failures were caused with malicious intent.
• Phase I
– Investigate the outage to determine its causes and why it was not contained
– Interim report released November 19, 2003
• Phase II
– Develop recommendations to reduce the possibility of future outages and minimize the scope of any that occur
– Final report released April 5, 2004
Credit: Jeff Dagle
Blackout Root Causes
• Situational Awareness: lack of effective
– contingency analysis capability
– procedures to ensure operators were aware
of the status of critical monitoring tools
– procedures to test monitoring tools after
repairs
– monitoring tools after alarm system failed
• Vegetation management
• Reliability Coordinator Diagnostics
– Lack of wide area visibility, monitoring,
coordination
Select Blackout Report Recommendations
• Use better real-time tools for grid monitoring and
operation
• Establish physical and cyber-security capabilities
Wide Area Situational Awareness
• A FERC/NIST Priority Area
– Monitoring and display of power system components and performance across interconnections and wide geographic areas in real time
– Enable understanding, optimized management and performance, and prevention of and response to problems
• Other relevant priorities
– Cyber Security: “Measures to ensure the confidentiality, integrity and availability of the electronic information communication systems, necessary for the management and protection of the Smart Grid’s energy, information technology, and telecommunications infrastructures”
– Network Communications: “Encompassing public and non-public networks, the Smart Grid will require implementation and maintenance of appropriate security and access controls tailored to the networking and communication requirements of different applications, actors and domains”
Wide Area Measurement System
• A Wide Area Measurement System (WAMS) is crucial for the Grid
• One very promising data source for WAMS: synchrophasors
– GPS clock synchronized; fast data rate (> 30 samples/sec)
– Phasor Measurement Unit (PMU)
• Future applications will rely on a large number of PMUs envisioned across the Grid (>100k)
• WAMS design and deployment underway: North American Synchrophasor Initiative (www.naspi.org)
– Collaboration: DOE, NERC, utilities, vendors, consultants and researchers
– NASPInet: distributed, wide-area network
PMUs and Synchrophasors
• Traditional SCADA data since the 1960s
– Voltage & current magnitudes
– Frequency
– Every 2-4 seconds
• Future data from Phasor Measurement Units (PMUs)
– Voltage & current phase angles
– Rate of change of frequency
– Time synchronized using GPS, reported 30-120 times per second
Why do Phase Angles Matter?
Wide-area visibility could have helped prevent the August 14, 2003 Northeast blackout
Source: www.nerc.com
Angles are based on data from blackout analysis.
Angle reference is Browns Ferry.
Why do Phase Angles Matter?
Entergy and Hurricane Gustav: a separate electrical island formed on Sept 1, 2008, identified with phasor data
Island kept intact and resynchronized 33 hours later
Source: Entergy
Phasor Application Taxonomy
PMU Applications and Deployment
Source: Chakrabarti, Kyriakides, Bi, Cai and Terzija, “Measurements Get Together,” IEEE Power & Energy, January-February 2009
Source: NASPI
Current Architecture for PMU Data Sharing
(Figure: PMU data shared over a secure network to applications. Source: NASPI)
Envisioned PMU Data Flow in NASPInet
Opportunities and Challenges
• Opportunities
– Important applications emerging that require data sharing
• Research into new applications needed
– Smart Grid Investment Program to fund deployment of 800+ PMUs nation-wide
• Challenges in data sharing
– Distributed network for data delivery
– Tradeoffs between operational, regulatory and business aspects
• Challenges in realizing NASPInet
– Distributed wide-area network design
– Network management
– Quality of Service and real-time delivery
– Cyber security
– Progress on these topics made in the recently released NASPInet specification document (Quanta Technology)
Wide Area Networking
Source: NASPInet Specification
Network Management
• Network management functions
– Performance
– Configuration
– Accounting
– Fault management
– Security management
• Need for appropriate services in NASPInet and means to coordinate between organizations
Quality of Service
• QoS goals per data flow are to minimize latency, delay, jitter, loss and error
• Overall QoS goals are to support dedicated bandwidth, resource provisioning and allocation, avoiding and managing network congestion, shaping network traffic and managing priorities
• A suggested approach: class-based QoS
Cyber Security
• Authentication and Integrity
– Essential to ensure reliable and trustworthy decisions
– Tools: cryptographic protocols leveraging digital signatures, HMACs, etc.
– Challenges: efficiency, supporting one-to-many data exchanges
• Availability
– Essential due to the critical nature of the underlying power system
– Specific requirements may vary by application class
– Tools: redundancy, security monitoring, attack detection and response, fail-safe design
– Challenges: scalability and cost-effective design
• Confidentiality
– Needed to provide data privacy
– Tools: encryption protocols, access control
– Challenges: efficiency for streaming data, supporting one-to-many data exchanges
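The one-to-many challenge listed under Authentication and Integrity, as an added example that is not part of the tutorial, the NASPInet specification or any PMU vendor's code. A PMU publishes frames to n subscribers; if all of them share a single HMAC key, any subscriber can forge frames that the others accept, because the tag only proves that someone holding the key produced the frame. Per-subscriber keys restore origin authentication but cost one tag per subscriber per frame, which is the efficiency problem the slide points at. The keys, PMU and subscriber names, the 16-byte tag length and the 20-byte frame layout are all assumptions made for the example; the layout is a simplified stand-in, not the NASPInet or IEEE C37.118 format.

```python
"""Added example (not from the slides): HMAC under a shared group key versus
per-subscriber keys for one-to-many synchrophasor streams.
All keys, names and frame fields are constructed for the example."""
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of truncated HMAC-SHA256 per tag (assumed for the example)


def encode_frame(pmu_id, soc, frac_sec, angle_deg):
    """Constructed fixed-width frame: 8-byte PMU name, second-of-century,
    fraction-of-second, one phase angle in degrees (20 bytes total)."""
    name = pmu_id.encode().ljust(8, b"\0")
    return struct.pack(">8sIIf", name, soc, frac_sec, angle_deg)


def tag(key, frame):
    return hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def verify(key, frame, t):
    # constant-time comparison; a plain == would leak tag bytes via timing
    return hmac.compare_digest(tag(key, frame), t)


def publish(frame, subscriber_keys):
    """Per-subscriber keying: the PMU emits one tag per subscriber per frame."""
    return {name: tag(k, frame) for name, k in subscriber_keys.items()}


def group_key_forgery_accepted():
    """Scenario 1: the PMU and all subscribers share one key."""
    group_key = b"constructed-group-key-0001"
    genuine = encode_frame("PMU-0001", 1251000000, 0, 12.5)
    assert verify(group_key, genuine, tag(group_key, genuine))
    # Subscriber B holds the group key, so it can fabricate a frame in the
    # PMU's name claiming a very different angle...
    forged = encode_frame("PMU-0001", 1251000000, 33333, 40.0)
    forged_tag = tag(group_key, forged)
    # ...and subscriber A has no way to tell it from a genuine one.
    return verify(group_key, forged, forged_tag)


def per_subscriber_forgery_accepted():
    """Scenario 2: a distinct key per subscriber, all held by the PMU."""
    keys = {"A": b"constructed-key-A", "B": b"constructed-key-B", "C": b"constructed-key-C"}
    genuine = encode_frame("PMU-0001", 1251000000, 0, 12.5)
    tags = publish(genuine, keys)
    assert all(verify(keys[n], genuine, tags[n]) for n in keys)
    # B knows only its own key, so its forgery fails A's check.
    forged = encode_frame("PMU-0001", 1251000000, 33333, 40.0)
    return verify(keys["A"], forged, tag(keys["B"], forged))


def tag_bytes_per_second(n_subscribers, frames_per_second=30):
    """Authentication overhead the PMU must emit under per-subscriber keying."""
    return n_subscribers * frames_per_second * TAG_LEN


if __name__ == "__main__":
    print("group key: forgery accepted =", group_key_forgery_accepted())
    print("per-subscriber keys: forgery accepted =", per_subscriber_forgery_accepted())
    print("tag bytes/s for 100 subscribers at 30 fps =", tag_bytes_per_second(100))
```

The group-key run returns True (the forgery is accepted), the per-subscriber run returns False, and the overhead function shows the linear cost: 100 subscribers at 30 frames/s means 48,000 tag bytes per second from one PMU, before the frames themselves. A digital signature gives a single tag every receiver can verify but no receiver can forge, at a much higher per-frame CPU cost; it is not shown here because the Python standard library has no signature primitive.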
Cyber Security
• Key Management
– Distribution and management of key material and credentials
– Revocation
– Tools: Public Key Infrastructure, on-line credential distribution/verification services
– Challenges: scalability, trust establishment
• Monitoring and compliance
– Intrusion detection and response services
– Future regulations may apply; e.g., NERC CIP
– Tools: IDS, firewalls, etc.
– Challenges: multi-organization coordination
Authentication Protocols for Power Grid
• Authentication is a widely recognized problem for the power grid.
– Currently, there is a focus on developing authentication protocols; e.g., DNP3 Secure Authentication and IEC 62351-5.
• Designing security protocols is hard and error-prone
– The literature has many examples of security protocols that were considered secure but were broken later:
Protocol                                        Attack                  Cause/Vulnerability
Authentication protocol by Woo & Lam            Impersonation attacks   Lack of explicit names
STS by Diffie, van Oorschot & Wiener            Impersonation attacks   Change in environmental conditions
Kerberos V4 by Steve Miller & Clifford Neuman   Replay attacks          Incorrect use of timestamps
TMN by Tatebayashi, Matsuzaki & Newman          Oracle attacks          Information flow
Design Principles for Power Grid Cyber Infrastructure Authentication Protocols
(For each principle: the attacks it mitigates, and its applicability to power grid authentication protocols)
• Explicit Names
– Mitigates: impersonation attacks.
– Applicability: need for explicit names for each entity in the power grid.
• Unique Encoding
– Mitigates: interleaving and parsing ambiguity attacks.
– Applicability: legacy protocols carry no protocol identifiers, so security cannot be built on them without adding one.
• Explicit Trust Assumptions
– Mitigates: errors due to unclear or ambiguous trust assumptions.
– Applicability: need to clearly state all trusted entities in power grid protocols and the extent of trust in them.
• Use of Timestamps
– Mitigates: replay attacks.
– Applicability: need for high granularity of time synchronization.
• Protocol Boundaries
– Mitigates: incorrect function of a protocol in its environment.
– Applicability: need for thorough analysis of the power grid environment.
• Release of Secrets
– Mitigates: blinding attacks and compromise of old keys.
– Applicability: need to ensure that compromise of some remote devices does not compromise a large number of keys.
• Explicit Security Parameters
– Mitigates: errors due to exceeding the limitations of cryptographic primitives.
– Applicability: reduction in maintenance overhead by explicitly stating security parameters in remote devices.
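Three of the principles above (Explicit Names, Unique Encoding, Use of Timestamps) plus a protocol identifier for Protocol Boundaries, applied to a constructed message layout, as an added example that is not part of the tutorial and is not DNP3 Secure Authentication or IEC 62351-5. It shows the parsing ambiguity that plain concatenation admits and what each receiver-side check rejects. PROTOCOL_ID, the pairwise key, the entity names PMU-0001/PDC-A/PDC-B, the 2-second freshness window and the send time are all assumptions made for the example.

```python
"""Added example (not from the slides): explicit names, unique encoding and
timestamp checks in a constructed authenticated message format."""
import hashlib
import hmac
import struct

PROTOCOL_ID = b"pmu-auth-example/1"  # constructed identifier, not a real protocol name
WINDOW_S = 2.0  # accepted clock skew; assumes receivers are GPS-disciplined like PMUs
MAC_LEN = 32    # full HMAC-SHA256
KEY = b"constructed-pairwise-key"  # assumed to be shared by PMU-0001 and PDC-A only


def naive_encode(*fields):
    """Plain concatenation: field boundaries are lost, so two different
    messages can have identical bytes (and therefore an identical MAC)."""
    return b"".join(fields)


def unique_encode(*fields):
    """Length-prefixed fields: each byte string decodes to exactly one field list."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def unique_decode(data):
    fields, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", data, i)
        i += 2
        if i + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[i:i + n])
        i += n
    return fields


def build(key, sender, receiver, ts, payload):
    """Authenticated message: the protocol id, both names and the timestamp
    are under the MAC, so none of them can be swapped without detection."""
    body = unique_encode(PROTOCOL_ID, sender.encode(), receiver.encode(),
                         struct.pack(">d", ts), payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept(key, msg, my_name, expected_sender, now, seen):
    """Receiver-side checks, in order. Returns (accepted, reason)."""
    body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        return False, "bad mac"
    try:
        proto, sender, receiver, ts_bytes, payload = unique_decode(body)
    except ValueError:
        return False, "malformed"
    if proto != PROTOCOL_ID:            # protocol boundaries
        return False, "wrong protocol"
    if sender != expected_sender.encode() or receiver != my_name.encode():
        return False, "wrong names"     # explicit names: a redirected message fails here
    (ts,) = struct.unpack(">d", ts_bytes)
    if abs(now - ts) > WINDOW_S:        # timestamps: stale or far-future message
        return False, "stale"
    if (sender, ts) in seen:            # inside the window, a duplicate is a replay
        return False, "replay"
    seen.add((sender, ts))              # a real receiver prunes entries older than WINDOW_S
    return True, "ok"


def encoding_ambiguity():
    """Two different field lists that naive concatenation cannot tell apart."""
    a = (b"PMU-1", b"2", b"30")
    b = (b"PMU-12", b"", b"30")
    assert unique_decode(unique_encode(*a)) == list(a)
    return naive_encode(*a) == naive_encode(*b), unique_encode(*a) == unique_encode(*b)


def receiver_verdicts():
    """One genuine message put through the receiver under five conditions."""
    seen = set()
    t0 = 1251000000.0  # constructed send time (UTC seconds)
    msg = build(KEY, "PMU-0001", "PDC-A", t0, b"angle=12.5")
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    return [
        accept(KEY, msg, "PDC-A", "PMU-0001", t0 + 0.1, seen)[1],        # first delivery
        accept(KEY, msg, "PDC-A", "PMU-0001", t0 + 0.2, seen)[1],        # same message again
        accept(KEY, msg, "PDC-B", "PMU-0001", t0 + 0.1, set())[1],       # redirected to PDC-B
        accept(KEY, msg, "PDC-A", "PMU-0001", t0 + 5.0, set())[1],       # delivered 5 s late
        accept(KEY, tampered, "PDC-A", "PMU-0001", t0 + 0.1, set())[1],  # one MAC bit flipped
    ]


if __name__ == "__main__":
    print("naive/unique encodings collide:", encoding_ambiguity())
    print("receiver verdicts:", receiver_verdicts())
```

The encoding check returns (True, False): the two field lists collide under naive concatenation but not under length-prefixed encoding, which is exactly the parsing-ambiguity case the Unique Encoding row describes. The receiver verdicts come back as ok, replay, wrong names, stale and bad mac in that order; the 2-second window is only safe because the timestamp check sits behind the MAC and name checks and because PMU-side and receiver-side clocks are assumed to be GPS-synchronized, which is the "high granularity for time synchronization" requirement in the table.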
Questions?
[email protected]