Security Technology For Smart Grid Networks: Anthony R. Metke and Randy L. Ekl
IEEE TRANSACTIONS ON SMART GRID, VOL. 1, NO. 1, JUNE 2010
TABLE I. LAYER 2 WIRELESS SECURITY CAPABILITIES
...the North American Electrical Reliability Corporation—Critical Infrastructure Protection (NERC CIP), the International Society of Automation (ISA), IEEE (1402), the National Infrastructure Protection Plan (NIPP), and the National Institute of Standards and Technology (NIST), which has a number of programs.

One prominent source of requirements is the Smart Grid Interoperability Panel (SGiP) Cyber Security Working Group [previously the NIST Cyber Security Coordination Task Group (CSCTG)]. The NIST CSCTG was established to ensure consistency in the cybersecurity requirements across all the smart grid domains and components. The latest draft document from the Cyber Security Working Group, NIST Interagency Report (NISTIR) 7628, entitled “Smart Grid Cyber Security Strategy and Requirements,” continues to evolve at the time of this writing. NIST and the DOE GridWise Architecture Council (GWAC) have established Domain Expert Working Groups (DEWGs): Home-to-Grid (H2G), Building-to-Grid (B2G), Industrial-to-Grid (I2G), Transmission and Distribution (T&D), and Business and Policy (B&P).

Clearly there are many groups working on requirements that will be applicable to the smart grid. Further, many other standards may apply, including ISO 17799, FIPS 201, other NIST SPs, and DISA Security Technical Implementation Guides (STIGs).

Working with standards bodies, such as NIST and others, will be extremely important to ensure a highly secure, scalable, consistently deployed smart grid system, as these standards bodies will drive the security requirements of the system.

One thing is consistent among the various standards bodies: the security of the grid will strongly depend on authentication, authorization, and privacy technologies. Privacy technologies are well matured. Federal Information Processing Standard (FIPS) approved Advanced Encryption Standard (AES) and Triple Data Encryption Algorithm (3DES) solutions, offering strong security and high performance, are readily available. The specific privacy solution required will depend on the type of communication resource being protected.

As a specific example, NIST has determined that 3DES solutions will likely become insecure by the year 2030. Considering that utility components are expected to have long lifetimes, AES would be the preferred solution for new components. However, it is reasonable to expect that under certain circumstances, where legacy functionality must be supported and the risk of compromise is acceptable, 3DES could be used.

Wireless links will be secured with technologies from well-known standards such as 802.11i and 802.16e. Different wireless protocols have varying degrees of security mechanisms. A
...Independent System Operators (ISOs), etc.) as well as smart grid device manufacturers. Standards will include such items as acceptable security policies (e.g., PKI certificate policies used for issuing each type of certificate in the system), certificate formats, and PKI practices.

Trust anchor security is the basis for all subsequent trust relationships. But often trust anchor management mechanisms are as simple as trusting the IT administrators to install the correct certificate for the root CA in all RP devices, with little or no means of efficiently verifying the correctness of this operation. For systems with thousands or hundreds of thousands of nodes, an efficient and comprehensive trust anchor management system is needed.

Certificate attributes provide an important component to achieving the high availability needed for the power grid. We need to ensure that the incorporation of security and device authentication does not unnecessarily impose or extend service outages due to the unreachability of a security server (e.g., AAA). This is why entities must “carry” their complete credential with them, either in the form of an attribute certificate or as a certificate that contains sufficiently detailed policy information to allow an RP to determine the applicability of the certificate holder to a given service.

PKI tools are needed to ease the process of managing the PKI components used to support the smart grid application. These tools will be knowledgeable of the appropriate smart grid certificate policy and certificate format standards, and will be used to programmatically enforce compliance with those standards. Such tools will enhance interoperability, reduce the burden of running the PKI, and ensure that appropriate security requirements are adhered to.

With these elements in place, it will be possible for a smart grid owner or operator to purchase equipment, such as remote terminal units (RTUs), intelligent electronic devices (IEDs), and various forms of communication equipment, from an accredited manufacturer, install these components into their fielded system, and establish high assurance security associations (SAs) with these devices without having to preload shared keys into the device. Such mechanisms will provide highly secure key and trust management in an affordable manner.

We therefore believe that only by including these PKI elements in an overall security architecture can a comprehensive and cost-effective solution for the security of the smart grid be achieved.

A. Smart Grid PKI Standards

PKI is a powerful tool that can be used to provide secure authentication and authorization for security association (SA) and key establishment. PKI can, however, be notoriously difficult to deploy and operate. This is primarily because PKI standards (such as X.509 and IETF RFC 5280) only provide a high-level framework for digital certificate usage and for implementing a PKI. For example, they do not specify how a particular organization should vet certificate signing requests, or how the organization should protect each CA. They provide a mechanism for defining naming conventions, certificate constraints, and certificate policies, but they do not specify how these should be used. These standards rightfully leave these details to the organizations implementing the PKI, and working out these details is where a great deal of the expense is incurred.

Some industries (such as the financial services industry) have standardized a model PKI policy. The purpose of a model policy is to define the naming conventions, constraints, policies, and many operational aspects of a PKI for an entire industry. Not only will this have great benefits for interoperability, but just as significantly, it will ease the burden of implementation, as each organization will not have to independently research PKI and determine policies and practices for themselves. They will have been determined by the industry, and they will be known to have the desired levels of security.

We therefore propose the development of PKI standards for use by the critical infrastructure industry. The standards would be used to establish requirements on the PKI operations of energy service providers (e.g., utilities, generators, ISOs) as well as smart grid device manufacturers. Standards could include such items as acceptable security policies (e.g., PKI certificate policies used for issuing each type of certificate in the system), certificate formats, and PKI practices.

B. Trust Anchor Security

One major component of a secure PKI-enabled system is the requirement that each RP (any device that uses the certificate of a second party to authenticate the second party) must have secure methods to load and store the root of trust or trust anchor (TA). The TA is typically a CA at the top of a CA hierarchy. RPs trust certificate holders because they trust the TA, which trusts a CA, which trusts the end certificate holders. This trust is evidenced by a chain of certificates rooted at the trust anchor. If an adversary could change the root of trust for any RP, that RP could be easily compromised.

We propose that each operator will support its own PKI hierarchy with its TA at the top. The challenge for the operator is to ensure that each secure device obtains the correct TA information. One method of doing this without needing to manually preload the TA certificate into every device is as follows. Each accredited manufacturer will factory preload the device with a manufacturer’s certificate, identifying the make, model, and serial number of the device, as well as a preprovisioned TA certificate. After a smart grid operator purchases a smart grid device, the manufacturer would issue the operator a TA transfer certificate, which would instruct the device to accept the operator’s root CA certificate as the new trust anchor, and only the operator’s root CA certificate. The TA transfer certificate would be constrained to specific devices (based on serial number). Tools would automate the entire TA transfer process, reducing the effort to potentially be as simple as turning the device on in the operator’s network, sending it the address of the TA transfer repository [possibly via a domain name server (DNS)], and allowing it to automatically request the TA transfer certificate and new TA certificate. For highly critical devices it is recommended that the device have a FIPS HSM to securely store the TA certificate.

In addition to secure TA management, each PKI-enabled smart grid device should have the ability to securely load and store a local policy database (LPD). This LPD is a set of rules that define how the device can use its certificate, and what types of certificates it should accept when acting as an RP. The LPD would be a signed object, stored in the HSM, and signed by a policy signing server trusted by the TA. It would be possible for the same PKI tools to automate the management of the LPD as they do the TA certificate.

C. Certificate Attributes

In order for portions of the smart grid to continue to function while other portions of the grid infrastructure are unreachable, it will be essential for smart grid devices to be able to authenticate and determine the authorization status of each other (as well as of human system administrators) without the need to reach a back-end security server (i.e., AAA). In order to do this, two additional capabilities would be required. First, smart grid certificates will require policy attributes to indicate the applicability of the certificate to a given application.

Second, a local means of determining certificate status will be required. This can be accomplished in a number of ways. For example, it would not be difficult or costly to distribute local certificate status servers throughout the grid. A possibly better method involves having each certificate subject periodically obtain a signed certificate status for its own certificate. The certificate subject would store this status and provide it to an RP when authenticating to the RP. The RP would determine, based on local policy, if this status was new enough to accept, and if so, the associated certificate could then be evaluated. It would also be recommended that all certificate subjects be loaded with the chain of certificates between themselves and their TA, and with select chains of certificates between the subjects’ TA and the TAs of other agencies with which the local agency has cross-signed or otherwise trusts. Management of these chains of certificates, and ensuring that devices receive the proper set, would again be automated by tools.

D. Smart Grid PKI Tools

Even with the above standards, smart grid operators would have to familiarize themselves with PKI concepts, terminology, risks, best practices, and the above-mentioned standards. Standards alone may not necessarily provide a cost-effective solution. However, given such a set of standards, it would be possible for vendors to develop smart grid PKI tools which are based on these standards. Such tools would greatly ease the process of managing the PKI components needed to support the smart grid application. These tools will be knowledgeable of the appropriate smart grid certificate policy and certificate format standards, and will be used to programmatically enforce compliance with those standards. Such tools will enhance interoperability, reduce the burden of running the PKI, and ensure that appropriate security requirements are adhered to.

Smart grid PKI tools comprise a set of enhanced functions for PKI components (such as RAs, CAs, and repositories) developed specially for the smart grid industry. The tools could both automate and enforce the appropriate requirements for each PKI operation, such as vetting CSRs or certificate revocation. For example, the tools would know the different requirements for handling CSRs for IEDs and for human system administrators. The tools would aid with system deployment, PKI operations, and system auditing, all in accordance with the standard model policy. Most importantly, these tools will eliminate the need for symmetric key configuration, which is an inherently insecure and expensive process.

The cost of building these tools will not be prohibitive, as they will be similar to tools which already exist for PKI operations, simply modified for smart grid use.

IV. PROPOSED SOLUTION PART II—TRUSTED COMPUTING

The North American power grid is currently undergoing a major transformation. By adding significant new functionality, distributed intelligence, and state-of-the-art broadband communication capabilities, the grid can be made more efficient, more resilient, and more affordable to manage and operate. Unfortunately, these very same capabilities will greatly increase the number and type of threats to which the grid will be exposed. Considering the vast size, scope, and breadth of the smart grid, it is reasonable to expect that the cumulative vulnerability of the system may also be vast. Virtually all parties agree that the consequences of a smart grid cybersecurity breach can be enormous. New functions such as demand response introduce significant new attack vectors, such as malware that initiates a massive, coordinated, and instantaneous drop in demand, potentially causing substantial damage to distribution, transmission, and even generation facilities.

Considering the incredible size of the threat and the wide-ranging potential consequences of cyberattacks, the smart grid cybersecurity protection requirements must be extreme. The grid will require a comprehensive security plan that encompasses virtually all aspects of grid operations. One component of such a plan includes trusted computing platforms. Fig. 3 shows a basic trusted computing model [1]. Such platforms and associated mechanisms are used to ensure that malware is not introduced into software processing devices.

There are two categories of devices for which the malware protection problem should be considered: embedded computer systems and general purpose computer systems. Embedded systems are computer systems that are designed to perform a specific task or set of tasks. They are intended to run only software that is supplied by the manufacturer. By contrast, general purpose systems are intended to support third-party software purchased by the specific consumer who purchased the system. A PC is an excellent example of a general purpose system. A microwave oven or a cable television set-top box are examples of embedded systems. The problem of malware protection should be considered separately for each category.

For embedded systems, the problem of protecting the system against the installation of malware can be solved with high degrees of assurance. First and foremost, the manufacturer must implement secure software development processes; many standard models for such processes are defined in [8]. Second, if the device is intended to be field upgradable, the manufacturer must provide a secure software upgrade solution. The predominant method of doing this is to manufacture the embedded system hardware with secure storage containing keying material for software validation. Typically the hardware is configured with the public key of a secure signing server operated by the manufacturer. With this key, the device can validate any newly downloaded software prior to running it. Such a proactive approach can provide higher levels of assurance than can be obtained with a reactive approach such as a virus checker.

Additional security can be obtained by validating the software each time the device boots up. Such techniques are referred to as high assurance boot (HAB). HAB techniques typically rely on core software in secure hardware to validate boot-block code. The boot-block code then validates the operating system (OS), and the OS in turn validates the higher level applications. Each validation step is performed with a public key or keys preinstalled in the secure hardware.

For devices which are intended to run for long periods of time (e.g., years) without rebooting, it is useful to have a method of performing secure software validation on running code. It is possible to have background tasks that periodically perform such functions without disrupting the operations of the device. It is further possible to couple such background validation steps with other operational aspects of the device, such that if the device is found to be compromised, the secure hardware on the device (needed to bring up and maintain security associations with remote entities) will prevent the local device from establishing and maintaining security associations with the remote entities. Many papers, such as [9], are available on methods to provide remote device attestation.

Device attestation is needed to ascertain, for the devices on the network, their true identities, ahead of any manual or automated provisioning at the site.

With device attestation techniques, accredited manufacturers can factory install device attestation certificates in each smart grid device. These device attestation certificates are used only to assert the device manufacturer, model, and serial number, and that the device has not been tampered with. These certificates, coupled with the appropriate authentication protocol, can be used by the energy service provider to ensure that the device is exactly what it claims to be. In order to support device attestation, the device will need a FIPS 140 hardware security module (HSM), and will need HAB functionality.

For general purpose computing devices, such mechanisms that only allow software approved by the manufacturer to run have not been popular. Consumers of PCs typically feel that they should not be restricted by the manufacturer from loading any software that they want, even if it means having to put up with malware attacks. The predominant means of protecting networked PCs has been to use malware detection and removal software, typically referred to as antivirus software. One of the most effective tools that antivirus software uses to detect malware is a “signature” dictionary. The term “signature” is used here to refer to a pattern of known recognizable code, as opposed to the cryptographic signature used above. With the signature dictionary, only known viruses can be discovered and removed. Such methods are not helpful in protecting against new or unknown viruses. Clearly, with the stakes so high, the smart grid needs a better solution than the reactive antivirus dictionary approach.

To make matters worse, the rapid adoption of cloud computing and sophisticated Internet-based applications has resulted in the widespread deployment of a number of “mobile code” technologies. Mobile code is code that is downloaded and run on a PC, typically by the browser, without the user’s knowledge. Examples of mobile code include ActiveX, Flash animation, Java, JavaScript, PDF, PostScript, and Shockwave. The Department of Homeland Security (DHS) Control System Security Program [10] recommends tight controls on mobile code in critical control systems for the nation’s critical infrastructure and key resources (CIKR).

To address this concern, we propose the adoption of, and adherence to, strict code signing standards by smart grid suppliers and operators. Mechanisms for enforcing such standards on general purpose computers, such as PCs, have been put forth by the Trusted Computing Group and are well documented [11]. Such standards should cover all critical devices, including field-deployed units, such as RTUs and IEDs; network devices, such as routers, switches, and firewalls; and control center equipment, such as servers and user consoles. The standards should cover embedded systems as well as general purpose computers, their operating systems, drivers, and applications, and all mobile code. That is, no mobile code should be allowed to run on a critical PC or server that has not been signed by an authority that is able to determine the trustworthiness of the code. Considering that it is certain that hardware and software elements for critical components of the grid will come from many different providers, it is likely that a trust management framework will have to be established for the smart grid. This framework will likely require the establishment of a set of criteria that are to be met by vendors who wish to sell critical components to smart grid operators. Additionally, it is likely that one or more accreditation organizations will need to be established to audit suppliers to determine that they are meeting the specified criteria.

To some, these measures may seem somewhat extreme, but when we consider what is at stake, and the large potential for vulnerabilities related to malware in the smart grid, it is hard to imagine any other practical way of providing complete malware protection in the grid.
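The TA transfer procedure of Section III-B above, worked through as an added example; it is not part of the paper and not any vendor's implementation. It models the transfer certificate as an X.509 certificate issued under the manufacturer's root CA, bound to one device through the subject serialNumber attribute, and carrying the operator's root certificate in a private extension. The extension OID (under a placeholder private arc), the device serial IED-0001, and the CA and peer names are all constructed assumptions. The device accepts the new anchor only if the transfer certificate chains to the anchor it already holds and names its own serial number; afterwards certificates under the manufacturer's root are no longer accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder private-arc OID for the extension that carries the new TA certificate (DER).
var oidTATransfer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// signer is a certificate plus the private key that signs under it.
type signer struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// mustIssue signs tmpl under parent (self-signed when parent is nil) with a fresh P-256 key.
func mustIssue(tmpl *x509.Certificate, parent *signer) *signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; re-parsed to obtain Raw and key IDs
	return &signer{cert, key}
}

// Device models a fielded RP: its factory serial number and the single TA it trusts.
type Device struct{ Serial string; TA *x509.Certificate }

// Accepts reports whether peer chains to the device's current trust anchor.
func (d *Device) Accepts(peer *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(d.TA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// ApplyTATransfer swaps the trust anchor only if the transfer certificate (1) chains to the
// current TA, (2) is bound to this device's serial number, and (3) carries a self-signed CA.
func (d *Device) ApplyTATransfer(transfer *x509.Certificate) error {
	if err := d.Accepts(transfer); err != nil {
		return fmt.Errorf("transfer certificate not trusted by current TA: %w", err)
	}
	if transfer.Subject.SerialNumber != d.Serial { // subject serialNumber attribute, not the cert serial
		return fmt.Errorf("transfer certificate is bound to %q, not %q", transfer.Subject.SerialNumber, d.Serial)
	}
	for _, ext := range transfer.Extensions {
		if ext.Id.Equal(oidTATransfer) {
			newTA, err := x509.ParseCertificate(ext.Value)
			if err != nil {
				return err
			}
			if !newTA.IsCA || newTA.CheckSignatureFrom(newTA) != nil {
				return fmt.Errorf("new TA is not a self-signed CA certificate")
			}
			d.TA = newTA // the operator's root is now the only accepted anchor
			return nil
		}
	}
	return fmt.Errorf("no TA transfer extension present")
}

// RunScenario walks a constructed device (serial IED-0001) through a TA transfer; the
// returned flags say what it accepted at each step.
func RunScenario() (wrongSerial, transferred, opPeerAfter, mfrPeerAfter bool) {
	caTmpl := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	mfrRoot, opRoot := mustIssue(caTmpl("Manufacturer Root CA"), nil), mustIssue(caTmpl("Operator Root CA"), nil)
	dev := &Device{Serial: "IED-0001", TA: mfrRoot.cert} // factory state: manufacturer root preloaded
	opPeer := mustIssue(&x509.Certificate{Subject: pkix.Name{CommonName: "rtu-17"}}, opRoot)
	mfrPeer := mustIssue(&x509.Certificate{Subject: pkix.Name{CommonName: "legacy"}}, mfrRoot)
	transferFor := func(serial string) *signer { // manufacturer-issued, bound to one serial
		return mustIssue(&x509.Certificate{Subject: pkix.Name{CommonName: "TA Transfer", SerialNumber: serial},
			ExtraExtensions: []pkix.Extension{{Id: oidTATransfer, Value: opRoot.cert.Raw}}}, mfrRoot)
	}
	wrongSerial = dev.ApplyTATransfer(transferFor("IED-0002").cert) == nil
	transferred = dev.ApplyTATransfer(transferFor("IED-0001").cert) == nil
	opPeerAfter = dev.Accepts(opPeer.cert) == nil
	mfrPeerAfter = dev.Accepts(mfrPeer.cert) == nil
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

The chain building is left to crypto/x509; in a fielded device the current TA would sit in the HSM the paper calls for, and the transfer repository lookup (DNS or otherwise) precedes the call to ApplyTATransfer and is outside this snippet.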
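The offline authentication of Section III-C above, in which a subject carries a signed status for its own certificate and the RP judges freshness by local policy, as an added example that is not from the paper. Everything here is an assumption for illustration: the status assertion is the string serial|status|time signed with ECDSA P-256 by a status server whose public key the RP holds in its local policy, the certificate policy attributes are represented by string identifiers (standing in for the certificate's policy extension rather than parsed from a real certificate), the 24 h freshness limit, the serial numbers and the policy names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// StatusAssertion is the signed statement a subject fetches from the status server while it
// is reachable and then carries with its certificate: "this serial had this status at IssuedAt".
type StatusAssertion struct {
	CertSerial string
	Status     string // "good" or "revoked"
	IssuedAt   time.Time
	Sig        []byte // status server's ECDSA signature over SHA-256(canonical())
}

// canonical is the exact byte string that is signed and verified.
func (a StatusAssertion) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", a.CertSerial, a.Status, a.IssuedAt.Unix()))
}

// StatusServer holds the signing key; it lives in the back office, not on devices.
type StatusServer struct{ key *ecdsa.PrivateKey }

// Assert issues a signed status for one certificate as of time at.
func (s StatusServer) Assert(serial, status string, at time.Time) StatusAssertion {
	a := StatusAssertion{CertSerial: serial, Status: status, IssuedAt: at}
	digest := sha256.Sum256(a.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		panic(err)
	}
	a.Sig = sig
	return a
}

// LocalPolicy is the part of an RP's local policy database that governs offline
// authentication: which status server it trusts and how old a carried status may be.
type LocalPolicy struct{ StatusServerKey *ecdsa.PublicKey; MaxStatusAge time.Duration }

// Peer is what a subject presents: its certificate serial, the policy identifiers from its
// certificate (string stand-ins for the policy extension), and the carried status assertion.
type Peer struct{ CertSerial string; Policies []string; Status StatusAssertion }

// Decide is the RP-side evaluation, run with no back-end security server reachable.
// requiredPolicy is the policy attribute that the requested service demands.
func Decide(p Peer, pol LocalPolicy, requiredPolicy string, now time.Time) error {
	if p.Status.CertSerial != p.CertSerial {
		return fmt.Errorf("status assertion is for serial %s, not %s", p.Status.CertSerial, p.CertSerial)
	}
	digest := sha256.Sum256(p.Status.canonical())
	if !ecdsa.VerifyASN1(pol.StatusServerKey, digest[:], p.Status.Sig) {
		return fmt.Errorf("status assertion signature does not verify under the trusted status server key")
	}
	if age := now.Sub(p.Status.IssuedAt); age < 0 || age > pol.MaxStatusAge {
		return fmt.Errorf("status assertion age %v is outside local policy (max %v)", age, pol.MaxStatusAge)
	}
	if p.Status.Status != "good" {
		return fmt.Errorf("certificate status is %q", p.Status.Status)
	}
	for _, id := range p.Policies {
		if id == requiredPolicy {
			return nil
		}
	}
	return fmt.Errorf("certificate carries no policy attribute %q", requiredPolicy)
}

// RunScenario evaluates constructed peers against a local policy with a 24 h freshness limit.
func RunScenario() (fresh, stale, revoked, otherSerial, wrongService, forged bool) {
	serverKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	server := StatusServer{key: serverKey}
	pol := LocalPolicy{StatusServerKey: &serverKey.PublicKey, MaxStatusAge: 24 * time.Hour}
	now := time.Date(2010, 6, 1, 12, 0, 0, 0, time.UTC) // constructed clock reading
	peer := func(a StatusAssertion) Peer { // constructed IED certificate: serial 0x1A2B, SCADA policy
		return Peer{CertSerial: "0x1A2B", Policies: []string{"smartgrid.ied.scada"}, Status: a}
	}
	const svc = "smartgrid.ied.scada"
	fresh = Decide(peer(server.Assert("0x1A2B", "good", now.Add(-time.Hour))), pol, svc, now) == nil
	stale = Decide(peer(server.Assert("0x1A2B", "good", now.Add(-72*time.Hour))), pol, svc, now) == nil
	revoked = Decide(peer(server.Assert("0x1A2B", "revoked", now.Add(-time.Hour))), pol, svc, now) == nil
	otherSerial = Decide(peer(server.Assert("0x9F00", "good", now.Add(-time.Hour))), pol, svc, now) == nil
	wrongService = Decide(peer(server.Assert("0x1A2B", "good", now.Add(-time.Hour))), pol, "smartgrid.admin.console", now) == nil
	forged = Decide(peer(StatusServer{key: rogueKey}.Assert("0x1A2B", "good", now.Add(-time.Hour))), pol, svc, now) == nil
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

The freshness window is the policy knob the paper leaves to the operator: a shorter MaxStatusAge tightens revocation latency but forces subjects to refresh their status more often while the back end is reachable.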
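The HAB chain of Section IV (boot block, then OS, then applications, each validated with a public key held in secure hardware), the background re-validation of running code that should cut off security associations on failure, and the code-signing rule that unsigned code must not run all reduce to the same signature check over an image. The following added example, which is not from the paper and not any vendor's HAB implementation, shows that check in Go; the signing-server key, the image contents, the stage names, and the tampering cases are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is one software stage as stored in flash: its code and the manufacturer signing
// server's ECDSA signature over SHA-256(code).
type Image struct{ Name string; Code, Sig []byte }

// SecureHardware models the factory-installed root of the validation chain: the public
// key(s) of the manufacturer's signing server. Private keys never leave that server.
type SecureHardware struct{ Keys []*ecdsa.PublicKey }

// Validate checks an image's signature against any of the preinstalled public keys.
func (hw SecureHardware) Validate(img Image) bool {
	digest := sha256.Sum256(img.Code)
	for _, k := range hw.Keys {
		if ecdsa.VerifyASN1(k, digest[:], img.Sig) {
			return true
		}
	}
	return false
}

// HighAssuranceBoot validates the stages in order (boot block, OS, applications) and halts
// at the first failure; it returns the names of the stages that were allowed to run.
func HighAssuranceBoot(hw SecureHardware, stages []Image) ([]string, error) {
	var started []string
	for _, img := range stages {
		if !hw.Validate(img) {
			return started, fmt.Errorf("stage %q failed signature validation; boot halted", img.Name)
		}
		started = append(started, img.Name)
	}
	return started, nil
}

// RuntimeCheck is the periodic background validation for devices that run for years without
// rebooting: it re-hashes each stage's code as it now sits in memory against the stored
// signature. keepSAs is false if any stage fails, the signal for the secure hardware to stop
// maintaining security associations with remote entities.
func RuntimeCheck(hw SecureHardware, running []Image) (keepSAs bool, failed []string) {
	for _, img := range running {
		if !hw.Validate(img) {
			failed = append(failed, img.Name)
		}
	}
	return len(failed) == 0, failed
}

// SignImage is the manufacturer's signing-server side, shown only to build sample images.
func SignImage(key *ecdsa.PrivateKey, name string, code []byte) Image {
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return Image{Name: name, Code: code, Sig: sig}
}

// BootResult summarises the constructed scenarios run by RunScenario.
type BootResult struct {
	CleanBoot    []string // stages started when every image is genuine
	TamperedBoot []string // stages started when the OS image was altered after signing
	RogueKeyBoot []string // stages started when the OS was signed by a key the hardware does not hold
	KeepSAs      bool     // RuntimeCheck verdict after the running application was modified in memory
	FailedStages []string // stages RuntimeCheck flagged
}

func RunScenario() BootResult {
	mfrKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hw := SecureHardware{Keys: []*ecdsa.PublicKey{&mfrKey.PublicKey}}
	// Constructed stand-ins for real firmware images.
	boot := SignImage(mfrKey, "boot-block", []byte("BOOTBLOCK v1"))
	osImg := SignImage(mfrKey, "os", []byte("RTOS v4.2"))
	app := SignImage(mfrKey, "app", []byte("IED controller v7"))
	var r BootResult
	r.CleanBoot, _ = HighAssuranceBoot(hw, []Image{boot, osImg, app})
	tampered := Image{Name: "os", Code: append([]byte("X"), osImg.Code...), Sig: osImg.Sig}
	r.TamperedBoot, _ = HighAssuranceBoot(hw, []Image{boot, tampered, app})
	rogueOS := SignImage(rogueKey, "os", osImg.Code)
	r.RogueKeyBoot, _ = HighAssuranceBoot(hw, []Image{boot, rogueOS, app})
	// Later, the running application is altered in memory; the stored signature no longer matches.
	inMemory := []Image{boot, osImg, {Name: "app", Code: []byte("IED controller v7 + patch"), Sig: app.Sig}}
	r.KeepSAs, r.FailedStages = RuntimeCheck(hw, inMemory)
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The same Validate call is what a code-signing policy on a general purpose host would apply to mobile code before execution, with the authority's public key in place of the manufacturer's; the only difference is who holds the signing key and what is counted as an image.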
V. OTHER ARCHITECTURAL COMPONENTS

PKI and trusted computing techniques can provide a very firm basis for a strong and comprehensive security architecture for the smart grid. However, these technologies alone are only the beginning of the story. A complete architecture will include many other components, such as firewalls, strong user and device authentication, and message privacy and integrity. Listed below are a few more components that should be taken into account when developing the smart grid architecture.

A. Overall Architecture

There are many views of the overall architecture for the smart grid, depending on the intent of viewing or analyzing the architecture. We present two architecture views—a high-level conceptual model and a detailed logical model.

High-Level Conceptual Model: The high-level conceptual model (Fig. 1) has been developed by NIST and picked up across the smart grid and utility industry. It simply shows the seven main conceptual entities, along with the intercommunications between them. The blue lines in the diagram are the information flows, and the dotted yellow lines are the energy flows.

Detailed Logical Model: The detailed logical model is comprised of several key elements: networks (wireless and wired), functional subsystems (such as SCADA), endpoints (e.g., computers in the back offices, monitored and/or controllable substation devices), and overlays (such as distributed security functions and elements).

The diagram in Fig. 4 shows an example of the possible interconnection of a subset of the various networks, with a WAN wireless network as the backbone of the entire system. Note that the wireless interfaces between similar devices are shown as a dashed, double-hashed line.

B. Wireless Networks

The smart grid communications network will be comprised of several different subsystems—it is truly a network of networks. These networks include WiMax, WLAN, land mobile radio (LMR), cellular, microwave, fiber optic, dedicated or switched wirelines, RS-232/RS-485 serial links, wired LANs, or a versatile data network combining these media.

Different areas of the smart grid network require different wireless networking solutions. Advanced metering infrastructure (AMI) solutions can be meshed or point-to-point, with local coverage or long-range communications. Options for backhaul solutions are fiber, wireless broadband, or broadband over powerline, to name a few. Workforce mobility solution possibilities include WiMax, WLAN, cellular, and LMR, depending on the reliability, throughput, and coverage desired by the utility.