Slide 1 - University of Waterloo


Security in Smart Grid
Ning Zhang
Apr. 5, 2012
1
Outline
• Part I:
– Introduction to smart grid
– Cyber security
– Physical security
• Part II:
– An authentication scheme in smart grid
• Summary
2
PART I
Cyber–Physical Security
of a Smart Grid Infrastructure [1]
[1] Y. Mo, T.H.-J. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, and B. Sinopoli,
"Cyber-physical security of a smart grid infrastructure," Proceedings of the IEEE,
vol. 100, no. 1, pp. 195-209, Jan. 2012.
3
Electric grid
• Generation produces electric energy in different manners, i.e., burning fossil fuels, inducing nuclear reaction, wind, solar forces;
• Transmission moves electricity via a very high voltage infrastructure.
• Distribution steps down current and spreads it out for consumption.
• Consumption (industrial, commercial, and residential) uses the electric energy in different ways.
4
Electric grid
Shortcomings of the electric grid
1) Matching generation to demand is very challenging because utilities do
not have clear-cut methods to predict demand and to request demand
reduction (load shedding).
As a consequence, they need to over-generate power for peak demand,
which is expensive and contributes to greenhouse gas (GHG) emissions.
2) There is a dearth of information available for consumers to determine
how and when to use energy.
The smart grid uses communications and information technologies to
provide better situational awareness to utilities regarding the state of the
grid.
5
Smart grid
• Using intelligent communications, load shedding can be implemented so
that peak demand can be flattened, which reduces the need to bring
additional (expensive) generation plants online.
• Using information systems to perform predictive analysis, including when
wind and solar resources will produce less power, the utilities can keep
power appropriately balanced.
• Dynamic pricing and distributed generation with local generators can
significantly reduce the electricity bill.
• With these approaches, the smart grid enables a drastic cost reduction for
both power generation and consumption.
6
Smart grid
(a) Power usage during off-peak time period.
(b) Power usage during peak time period.
During off-peak time periods, inexpensive electric power can be used without
restrictions (e.g., diverted to energy storage).
During peak time periods, some appliances will be temporarily turned off, and
stored energy is used.
7
Smart grid
8
Cyber Security Requirements
Three main security properties:
Confidentiality, integrity and availability.
Confidentiality:
Confidentiality of meter data is important, because power usage data
provides information about the usage patterns for individual appliances, which
can reveal personal activities.
Confidentiality of price information and control commands is not
important in cases where they are public knowledge.
9
Cyber Security Requirements
• Integrity :
Integrity of price information is critical, because negative prices injected by an
attacker can cause an electricity utilization spike as numerous devices would
simultaneously turn on to take advantage of the low price.
Integrity of meter data and commands is important, but their impact is mostly limited
to revenue loss.
• Availability against DoS/DDoS attacks:
Availability of price information is critical due to serious financial and possibly legal
implications. Moreover, outdated price information can adversely affect demand.
Availability of commands is also important.
Availability of meter data (e.g., power usage) may not be as critical because the
data can usually be read at a later point.
10
Cyber Security in SG
• An adversary must first exploit entry points, and
upon successful entry, it can launch attacks on the
smart grid infrastructure.
11
Cyber Security in SG
Figure: attack path from the Internet, through the Admin and Operator PCs and the Master/Slave databases, to the RTU.
1. Hacker sends an e-mail with malware.
2. E-mail recipient opens the e-mail and the malware gets installed quietly.
3. Using the information that the malware gets, the hacker is able to take control of the e-mail recipient's PC!
4. Hacker performs an ARP (Address Resolution Protocol) scan.
5. Once the Slave Database is found, the hacker sends an SQL EXEC command.
6. Performs another ARP scan.
7. Takes control of the Remote Terminal Unit (RTU).
12
Cyber Security in SG
• Malicious actions
– Malware spreading and controlling devices
– Access through database links
– Compromising communication equipment
– Injecting false information on price and meter data
– Eavesdropping
– Malware targeting industrial control systems
– DoS/DDoS attacks on networks and servers
– Sending fake commands to smart meters in a region
13
Cyber Security in SG
• Countermeasures
– 1) Key management: a fundamental approach for information security.
– 2) Secure communication architecture: secure routing protocol, secure forwarding, end-to-end communication.
– 3) System and device security: software-based attacks inject malicious code into the system; design prevention and detection mechanisms against malware.
14
Physical Security
• Physical security: the stability and safety of the physical systems.
• System-theoretic approaches (from the control theory or automation field)
– detect attacks or abnormalities on physical systems and help the system
operator actively mitigate the damage.
– They focus on the physical interactions between each component in the grid,
while the cyber view focuses on the modeling of IT infrastructures.
• System-theoretic approaches encompass two main parts:
– Contingency analysis (CA) and system monitoring.
• Countermeasures
– 1) Contingency analysis: checks if the steady-state system is outside the operating region.
– 2) Bad data detection: detects corruption in measurements and compromised sensors.
15
Comparison Between Cyber and System-Theoretic Security
In the smart grid, cyber attacks can cause disruptions that transcend the cyber
realm and affect the physical world, e.g., DoS attacks can cause drops of
measurement data and control commands, which leads to instability of
the grid.
Physical attacks can affect the cyber system, e.g., the integrity of a meter
can be compromised by using a shunt to bypass it. Secrecy can be broken
by placing a compromised sensor beside a legitimate one.
16
The Need For Cyber–Physical Security
A new approach to security, bringing together cyber security
and system theory under the name of cyber–physical security
(CPS), is needed to address the requirements of complex,
large-scale infrastructures like the smart grid.
1) The system and attack models of both approaches are incomplete.
2) The security requirements of both approaches are incomplete, and the
security of the smart grid requires both of them.
3) The countermeasures of both approaches have drawbacks.
17
Cyber–Physical Security
• In the paper, two examples are presented to show how the
combination of cyber and system-theoretic approaches
can provide a better security level than traditional
methods.
• In the first example, they show how system-theoretic
countermeasures can be used to defend against a replay
attack, which is a cyber attack on the integrity of the
measurement data.
• In the second example, they show how system theory can
guide and reduce cyber security investments.
18
PART II
An Authentication Scheme
for Smart Grid Communications [2]
[2] M. Fouda, Z. Md. Fadlullah, N. Kato, R. Lu, and X. Shen, "A light-weight message
authentication scheme for smart grid communications," IEEE Trans. on Smart Grid, vol.
2, no. 4, pp. 675-685, Dec. 2011.
19
Transmission substations (TS) deliver power from the power plant over high
voltage transmission lines to the distribution substations.
Distribution substations (DS) transform the electric power into medium
voltage level and then distribute it to the consumers.
NAN: Neighborhood Area Network
BAN: Building Area Network
HAN: Home Area Network
Smart meters in the SG enable automated, two-way communication
between the utility provider and consumers.
20
Authentication scheme
• Assume that HAN GW i and BAN GW j have their private and
public key pairs.
• Let be a group of large prime order q such that the
Computational Diffie-Hellman (CDH) assumption holds, i.e.,
given , for unknown , it is hard to compute .
• For integrity, a Hash-based Message Authentication Code (MAC)
is generated using key Ki, message Mi and time stamp T.
21
Security analysis
• The proposed scheme can provide mutual authentication.
• The proposed scheme can establish a semantically secure shared key.
• Later transmissions can achieve not only confidentiality but also
integrity. Meanwhile, the embedded timestamp Ti can also thwart
possible replay attacks.
22
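As an added illustration (not the paper's scheme and not code from the slides), the following Python sketch shows the two ingredients the previous slides name: a Diffie-Hellman key agreement between a HAN gateway and a BAN gateway in a prime-order group, and a MAC over the message together with its timestamp, so the receiver can reject messages with a bad tag, stale timestamps, or replays. The group parameters, the acceptance window and the meter message are constructed toy values chosen for readability, not for real security.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed for illustration only): P is a safe prime, so G = 4
# generates the subgroup of prime order Q = (P - 1) // 2. A real deployment
# would use a standardised group of at least 2048 bits.
P, G = 23, 4
Q = (P - 1) // 2
ACCEPT_WINDOW = 5  # assumed: seconds of clock skew/delay the receiver tolerates


def dh_keypair():
    """Private exponent in [1, Q-1] and the matching public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def shared_key(priv, peer_pub):
    """Both gateways hash g^{xy} so the MAC key is a uniform 32-byte string."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def make_mac(key, msg: bytes, ts: int) -> bytes:
    """Bind the timestamp into the tag: a captured message cannot be re-sent later."""
    return hmac.new(key, ts.to_bytes(8, "big") + msg, hashlib.sha256).digest()


class Verifier:
    """Receiver side: checks the tag, the freshness window, then a replay cache."""

    def __init__(self, key):
        self.key = key
        self.seen = set()  # (ts, mac) pairs accepted inside the window

    def check(self, msg, ts, mac, now):
        if not hmac.compare_digest(make_mac(self.key, msg, ts), mac):
            return "bad mac"
        if abs(now - ts) > ACCEPT_WINDOW:
            return "stale"
        if (ts, mac) in self.seen:
            return "replay"
        self.seen.add((ts, mac))
        return "ok"


def demo():
    """Constructed run: one fresh message, then the same message replayed, aged, and altered."""
    x, han_pub = dh_keypair()
    y, ban_pub = dh_keypair()
    k_han, k_ban = shared_key(x, ban_pub), shared_key(y, han_pub)
    assert k_han == k_ban  # both gateways derived the same key
    v = Verifier(k_ban)
    msg, ts = b"meter_reading=4.2kWh", 1_000_000
    tag = make_mac(k_han, msg, ts)
    return [v.check(msg, ts, tag, 1_000_001), v.check(msg, ts, tag, 1_000_002),
            v.check(msg, ts, tag, 1_000_100), v.check(b"meter_reading=0.0kWh", ts, tag, 1_000_001)]
```

The replay cache only needs to hold entries from inside the acceptance window, so a real receiver would also prune it as time advances.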
Summary
• Cyber-physical security in SG.
– Cyber security
– physical security
– The need for cyber-physical security
• Authentication scheme in SG.
23
Thank you!
24