Transcript SRI International
Avoiding “SmartGridLock”: Smart Grid Informatics and Security Challenges
Alfonso Valdes
Senior Computer Scientist, SRI International
Collaborating to Advance Control System Security
SRI International
Breakthrough ideas…real-world solutions
© 2008 SRI International – All rights reserved
SRI International
History of world-changing technical innovations
• Silicon Valley independent nonprofit
  – Founded by Stanford University in 1946
  – 2,200 staff members: $0.5 billion per year
• What we do
  – Innovation: R&D and new products for commercial and gov’t clients
    • Info, bio, and nano
    • Education, health, and economic development
  – Form new ventures and license technology
Menlo Park, CA; Princeton, NJ; Washington, DC
Bangalore … Taipei … Belgium … Middle East … 12 US cities
Tokyo, Japan
© 2009 SRI International – All rights reserved
A Few of SRI’s Innovations
Hundreds of billions of dollars of economic value
• Computer mouse
• First Internet logon
• .com .org .gov
• HDTV, color TV, …
• Address reading
• Electronic Banking
• Low cost solar-grade silicon
• Digital film distribution
• Cognitive Assistant that Learns and Organizes
Our Focus Areas
Multidisciplinary teams in all major technology areas
• Information Technology
• Health, Education, and Economic Policy
• Five Disciplines of Innovation
• Biotechnology
• Engineering and Systems
• Advanced Materials (Microsystems and Nanotechnology)
Outline
• Current State
• Smart Grid Goals
• Aspects of Smart Grid
• Role of Digital Technology
• Secure Interoperability
• Security concerns
  – New Attack Surfaces
  – Monitoring for Generation, Transmission, Distribution
• Summary
Current State
• Original AC grids were designed to connect demands in cities to coal-powered generation
• Large-scale hydro and rural electrification motivated long-range transmission
• Regional grids became more interconnected over time
• Digital controls have evolved from proprietary serial to commodity HW and TCP/IP
• The grid is considered brittle and operating near capacity. It will likely fall short of future power demands (quantity and quality)
Where We Want to Go
Situational Awareness
Traditional source
Demand function
Renewables
Storage
Smart Grid Drivers
• Reliability
  – Technology to support self-awareness, self-healing, islanding, and microgrids
• Integration of non-traditional sources and renewables to reduce GHG
• Demand Side Response
  – 10% of reserve to meet 1% peak demand
• Distributed Generation and storage
• Business Models
  – Wholesale markets
  – Outsourced customer-side energy management (privacy?)
We may say SmartGrid will make power generation, transmission, and distribution the next big e-business, operating mostly under autonomous control.
Smart Grid Features
• Ubiquitous Smart Devices: Smart meters, inverters for solar, etc. all have a computational core. Security, communications, and transaction integrity are all essential.
• Agent and Reasoning Framework: A framework of distributed, autonomous agents continually optimizing simultaneous local objective functions within a global context. Security, reliability, quality, continuity of supply, islanding decisions, etc. are just some of the objectives.
• Secure Organization and Interoperability: We can envision these having relationships: A rooftop panel is a generator for a house, which is a demand and has a plug-in hybrid, which travels and is a storage device... a microgrid is a collection of {generators, demand, storage}...
• Market Mechanism: Demand bids for supply from generators and storage and transmission. Security ensures integrity of transactions and prices.
• We can also consider this as an "object oriented grid" in the sense that anything on the grid has a public "API" which lets other entities know its capabilities and characteristics.
Digital Technology makes smart grid work: Data Moves Power
Role of Digital Technology
• DCS/SCADA, Smart Meters, Access Points, Data Concentrators
• Appropriate response to tariffs fluctuating in real time (supply and demand side)
  – Financial (decisions to buy or sell power)
  – Computerized controls to ramp generators up or down, store or withdraw from storage, etc.
• Multi-scale views of the system to maintain stability and contain adverse events
• Massive data volume at time scales from milliseconds to human time
• The grid must reason about its state in a distributed fashion and take control action to maintain stability, reliability, efficiency, quality, and security
Actions and transactions taken by humans, or autonomous agents, must be optimal, trustworthy, and auditable
Security is a Critical, Cross-Cutting Need for Smart Grid
• Process Control Systems
  – DCS and SCADA
  – Essential to safe, reliable operation of generation, transmission, and distribution
• Unsecured Field Assets
  – Smart meters, data concentrators (embedded system security?)
  – Many more points: Large Attack Surface
  – Issues of networking, authentication, key management, compute power, etc.
• Numerous commercial and R&D efforts underway to improve security
  – SRI DATES project explores anomaly and model-based monitoring to protect against new exploits
  – AMISEC, ASAP
Emerging Security Challenges in Smart Grid
• DCS, SCADA, EMS
  – Essential to safe, reliable operation of generation, transmission, and distribution
  – Numerous commercial and R&D efforts underway to improve security
• Security in the Advanced Metering Initiative (AMI)
  – Millions of devices at residences and businesses
  – Embedded system security has received comparatively little attention
  – Secure networking, Authentication, Key Management
  – Tamper proof or at least “Tamper evident”
    • Traditionally “hardware only” issue and specific to a single unit
    • Attacker can compromise a copy of the device off line and develop an attack for many units
  – Auditable, but privacy-preserving
• Trust in Distributed Generation
  – A supplier’s claim to have sold a quantity of power back to the grid must be trustworthy and auditable
  – Trusted two-way metering (AMI++)
• Trusted real-time markets
  – Prevent spoofing of demand and supply announcements
  – Transaction Integrity
Security Issues at Multiple Resolutions
• Home (Unsecured)
  – Smart appliances
  – Home Area Network (HAN)
  – Advanced meters
  – AMI/HAN interface and inter-operation
• Field (Unmanned, Secured by fence)
  – Data Concentrators
  – Distributed Generation
  – Legacy Distribution
• Transmission
• Generation
• Complex interaction of logical and physical
• Large number of new attack surfaces
Home Continent
Some of the Market Players and Information Flows
[Diagram. Entities: Distributed Generation; Legacy Generation/Transmission/Distribution; Home Energy Management Service; Wholesale Markets; Consumer/AMI/Endpoint. Flow labels: Real Time Price, Supplied Power, Usage, Real Time Control, Usage (Aggregate?)]
Secure Interoperability is Essential
• Multiple domains: Generation, Transmission, Distribution, Consumer, RTO, ISO
• What are the interfaces between the domains?
  – What information passes across the respective interfaces?
  – Do price signals suffice?
  – What information is hidden?
How do we ensure each (human or autonomous) agent sees only the information it needs for its role?
NIST and IEEE have undertaken SmartGrid Interoperability Standards activities
Information Exchange
• Layered Protocol Stack
  – OSI: Physical, data link, network, transport, session, presentation, application
  – Gridwise Architecture Council “Gwac Stack” adds levels of interoperability: syntactic, semantic, business procedures, policy
• Object Model
  – An entity publishes its capabilities and keeps implementation details private
  – Example:
    • Storage device publishes how much power it has and at what price it will pump power into the grid, or buy power from the grid
    • It may be current-generation rechargeable, PHEV, some future technology
  – The entity monitors published parameters on the grid and optimizes its actions accordingly
• Correctly implemented, these promote secure interoperability
Smart Meters Being Deployed Now
• Motivators:
  – Allow utility to remotely read a meter
  – Enable Demand Management/Response
  – Allow remote disconnect
  – Two-way metering: Customer can sell power back to the grid
• Issues
  – A smart device with encryption technology for authentication, out in the field
    • Some attacks already described
  – Mesh network with access points for wireless comms: Eavesdropping, DoS?
  – Securing transactions
    • Common issues with financial POS terminals?
Securing Distributed Generation
• Distributed storage, small-scale wind, home-scale solar will likely play a part in Smart Grid
• All of these will connect to smart grid via a computerized interface
• The object model is once again relevant: The component is a node that can supply power, with the transaction mediated via a published (logical) interface, analogous to an API
Secure interoperability, transaction integrity, two-way metering, and trusted monitoring are essential
Monitoring as Part of Defense in Depth
• Control Systems use perimeter defenses
  – Firewalls, switches
  – Network segmentation
  – DMZ between control and business networks
• Why monitor?
  – Ensure perimeter defenses are still effective (Configuration Drift)
  – Ensure perimeter defenses are not bypassed (Out of band connections, dual ported devices)
  – Ensure perimeter defenses are not compromised (Attack on the firewall itself)
  – Be aware of unsuccessful attempts to penetrate
  – What perimeter?
Detection and Event Management
• Control System aware IDS at the Device, Control LAN, and Host
• Event Correlation integrates new detection data sources into ArcSight
• Result:
  – Correlate attack steps
  – Follow an attack across LAN segments
Test System Diagram (SRI/Invensys)
[Diagram labels: Control LAN, Field LAN]
MODBUS (Normal Pattern)
MODBUS (Nessus Scan)
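A model-based monitor of the kind the monitoring slides describe can learn the small, repetitive set of Modbus/TCP requests seen in normal operation and flag anything outside it. The sketch below is an added example, not code from the SRI deck or the DATES project; the client addresses, register ranges and helper names are constructed assumptions.

```python
import struct
from collections import namedtuple

Request = namedtuple("Request", "unit func addr")

def parse_request(adu: bytes) -> Request:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(adu) < 8:
        raise ValueError("short ADU")
    _tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    func = adu[7]
    # Function codes 1-6 start with a 2-byte data address.
    addr = struct.unpack(">H", adu[8:10])[0] if 1 <= func <= 6 and len(adu) >= 10 else None
    return Request(unit, func, addr)

def learn(baseline: set, client: str, adu: bytes) -> None:
    """Record a request observed during known-good operation."""
    baseline.add((client, *parse_request(adu)))

def classify(baseline: set, client: str, adu: bytes) -> str:
    """Return 'ok' or the reason a request deviates from the baseline."""
    try:
        req = parse_request(adu)
    except ValueError as exc:
        return f"malformed: {exc}"
    if (client, *req) in baseline:
        return "ok"
    if all(c != client for c, *_ in baseline):
        return "unknown client"
    if all((c, u, f) != (client, req.unit, req.func) for c, u, f, _ in baseline):
        return "unexpected unit or function code"
    return "unexpected address"

def build(tid: int, unit: int, pdu: bytes) -> bytes:
    """Constructed-sample helper: wrap a PDU in an MBAP header."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic (not captured from the test system in the slides).
HMI = "192.0.2.10"
READ_REGS = build(1, 1, struct.pack(">BHH", 3, 0, 10))    # read holding registers 0-9
READ_COILS = build(2, 1, struct.pack(">BHH", 1, 100, 8))  # read coils 100-107
BASELINE = set()
for adu in (READ_REGS, READ_COILS):
    learn(BASELINE, HMI, adu)
```

Each non-"ok" result maps naturally to an event that a correlation engine can join with firewall and host alerts to follow activity across LAN segments.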
Summary
• Smartgrid will use ubiquitous digital technology to achieve efficiency, reliability, resiliency
• Digital technology presents many new attack surfaces
  – Prevention, Detection, Operation Through Attack, and Remediation are critical security questions
  – Devices unattended and in the field for long periods pose challenges
• Technology is outpacing standards
• Secure interoperability of a large number of autonomous agents is essential
• “Future-proof”
• Get it right from the start