Security Technology For Smart Grid Networks: Anthony R. Metke and Randy L. Ekl

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9

IEEE TRANSACTIONS ON SMART GRID, VOL. 1, NO.

1, JUNE 2010 99

Security Technology for Smart Grid Networks


Anthony R. Metke and Randy L. Ekl

Abstract—There is virtually universal agreement that it is nec-


essary to upgrade the electric grid to increase overall system effi-
ciency and reliability. Much of the technology currently in use by
the grid is outdated and in many cases unreliable. There have been
three major blackouts in the past ten years. The reliance on old
technology leads to inefficient systems, costing unnecessary money
to the utilities, consumers, and taxpayers. To upgrade the grid, and
to operate an improved grid, will require significant dependence on
distributed intelligence and broadband communication capabili-
ties. The access and communications capabilities require the latest
in proven security technology for extremely large, wide-area com-
munications networks. This paper discusses key security technolo-
gies for a smart grid system, including public key infrastructures
and trusted computing.
Fig. 1. Smart grid conceptual model.
Index Terms—Attestation, public key infrastructure (PKI), Su-
pervisory
. Control And Data Acquisition (SCADA), security, smart
grid, trusted computing tocol 3 (DNP3), Generic Object Oriented Substations Events
(GOOSE), IEC 61850, and IEC 60870-5, there is still a need to
I. INTRODUCTION make more consistent the security solutions applied to SCADA
deployments.
A second component, key to smart grid systems, is a number

N EW capabilities for smart grid systems and networks,


such as distributed intelligence and broadband capabil-
ities, can greatly enhance efficiency and reliability, but they
of secure, highly available wireless networks. These would in-
clude wide area, land mobile radio (LMR) systems, as well as
broadband networks, such as WLAN and WiMax.
may also create many new vulnerabilities if not deployed with A third key element is a comprehensive security solution.
the appropriate security controls. Providing security for such This paper presents a security solution for smart grid which
a large system may seem an unfathomable task, and if done heavily leverages public key infrastructure (PKI) technology
incorrectly, can leave utilities open to cyberattacks. and trusted computing techniques.
By building on knowledge, solutions, and standards from
other systems and industries, the best security solutions can
II. SECURITY REQUIREMENTS
be utilized for each portion of the smart grid communications
network. Clearly, Internet-based protocols, such as IPv4 and The availability of electric power in North America depends
IPv6, which have been developed over many years, and which in part on the availability of the power grid control systems. As
have widespread use, will provide a cost-effective baseline part of the development of smart grid, these control systems
transport. Layering the suite of security protocols developed are becoming more sophisticated, allowing for better control
for IP [such as IPSec and Transport Layer Security (TLS)] on and higher reliability. Smart grid will require higher degrees of
this baseline transport capitalizes on the vast work done in this network connectivity to support the new sophisticated features.
area by protocol and industry experts. This higher degree of connectivity also has the potential to open
While the smart grid system is made up of a number of “en- up new vulnerabilities.
ergy” subsystems (Fig. 1), many of the communications and se- According to the Electric Power Research Institute (EPRI)
curity components, as listed below, are common between these [2], one of the biggest challenges facing the smart grid devel-
energy subsystems. opment is related to cybersecurity of systems. According to the
One subsystem which is at the core of smart grid systems is EPRI Report, “Cyber security is a critical issue due to the in-
the Supervisory Control And Data Acquisition (SCADA) so- creasing potential of cyber attacks and incidents against this crit-
lution. Multiple vendors offer SCADA solutions, which have ical sector as it becomes more and more interconnected. Cyber
varying capabilities and security mechanisms. While some stan- security must address not only deliberate attacks, such as from
dards exist around SCADA, such as Distributed Network Pro- disgruntled employees, industrial espionage, and terrorists, but
inadvertent compromises of the information infrastructure due
Manuscript received February 22, 2010. Date of publication May 06, 2010;
to user errors, equipment failures, and natural disasters. Vulner-
date of current version May 21, 2010. Paper no. TSG-00032-2010. abilities might allow an attacker to penetrate a network, gain
The authors are with Motorola, Inc., Schaumburg, IL 60196 USA (e-mail: access to control software, and alter load conditions to destabi-
Tony.Metke@Motorola.com; Randy.Ekl@Motorola.com). lize the grid in unpredictable ways.”
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org. There are many organizations working on the development of
Digital Object Identifier 10.1109/TSG.2010.2046347 smart grid security requirements [3] including the North Amer-
1949-3053/$26.00 © 2010 IEEE
100 IEEE TRANSACTIONS ON SMART GRID, VOL. 1, NO. 1, JUNE 2010

TABLE I
LAYER 2 WIRELESS SECURITY CAPABILITIES

ican Electrical Reliability Corporation—Critical Infrastructure Working with standards bodies, such as NIST and others, will
Protection (NERC CIP), the International Society of Automa- be extremely important to ensure a highly secure, scalable, con-
tion (ISA), IEEE (1402), the National Infrastructure Protection sistently deployed smart grid system, as these standards bodies
Plan (NIPP), and the National Institute of Standards and Tech- will drive the security requirements of the system.
nology (NIST), which has a number of programs. One thing is consistent among the various standards bodies:
One prominent source of requirements is the Smart Grid the security of the grid will strongly depend on authentication,
Interoperability Panel (SGiP) Cyber Security Working Group authorization, and privacy technologies. Privacy technologies
[previously the NIST Cyber Security Coordination Task Group are well matured. Federal Information Processing Standard
(CSCTG)]. The NIST CSCTG was established to ensure con- (FIPS) approved Advanced Encryption Standard (AES) and
sistency in the cybersecurity requirements across all the smart Triple Data Encryption Algorithm (3DES) solutions, offering
grid domains and components. The latest draft document from strong security and high performance, are readily available.
the Cyber Security Working Group, NIST Interagency Report The specific privacy solution required will depend on the type
(NISTIR) 7628, entitled “Smart Grid Cyber Security Strategy of communication resource being protected.
and Requirements,” continues to evolve at the time of this As a specific example, NIST has determined that 3DES solu-
writing. NIST and the DOE GridWise Architecture Council tions will likely become insecure by the year 2030. Considering
(GWAC) have established Domain Expert Working Groups that utility components are expected to have long lifetimes, AES
(DEWGs): Home-to-Grid (H2G), Building-to-Grid (B2G), would be the preferred solution for new components. However,
Industrial-to-Grid (I2G), Transmission and Distribution (T&D) it is reasonable to expect that under certain circumstances where
and Business and Policy (B&P). legacy functionality must be supported and the risk of compro-
Cleary there are many groups working on requirements that mise is acceptable, 3DES could be used.
will be applicable to smart grid. Further, many other standards Wireless links will be secured with technologies from well
may apply, including ISO 17799, FIPS 201, other NIST SPs, known standards such as 802.11i and 802.16e. Different wire-
and DISA Security Technical Implementation Guides (STIGs). less protocols have varying degrees of security mechanisms. A
METKE AND EKL: SECURITY TECHNOLOGY FOR SMART GRID NETWORKS 101

representative sample of these capabilities and mechanisms are


shown in Table I. Wired links will be secured with firewalls
and virtual private network (VPN) technologies such as IPSec.
Higher layer security mechanism such as Secure Shell (SSH)
and SSL/TLS should also be used.
System architects and designers often identify the need for
and specify the use of secure protocols, such as SSH and IPSec,
but then skirt over the details associated with establishing secu-
rity associations between end points of communications. Such
an approach is likely to result in a system where the neces-
sary procedures for secure key management can quickly be-
come an operational nightmare. This is due to the fact that, when
system architects do not develop an integrated and comprehen-
sive key management system, customers may be provided with
few key management options, and often resort to manually pre- Fig. 2. Basic PKI procedure.
configuring symmetric keys. This approach is simple for the
system designers, but it can be very expensive for the system the correctness of the binding, the certificate authority (CA) is-
owner/operator. sues the certificate to the user. Users or devices can authenticate
What has been learned from years of deploying and oper- each other via the digital certificates, establish symmetric ses-
ating large secure network communications systems is that the sion keys, and subsequently encrypt and decrypt messages be-
effort required to provision symmetric keys into thousands of tween each other.
devices can be too expensive or insecure. The development of The basic steps in utilizing a PKI are shown in Fig. 2. The cer-
key and trust management systems for large network deploy- tificate subject, desiring communication with a secure resource
ments is required; these systems can be leveraged from other [aka relying party (RP)] begins by sending a certificate signing
industries, such as land mobile radio systems and Association request (CSR) to the RA. The RA performs a vetting function
of Public-Safety Communications Officials (APCO) radio sys- which determines if the requested bindings are correct, and if so
tems. Several APCO-deployed systems provide statewide wire- signs the CSR and forwards it to the CA, which then issues the
less coverage, with tens of thousands of secure devices. Trust certificate. Later when the certificate subject wishes to access a
management systems, based on PKI infrastructure technology, secure resource, it sends the certificate to the RP. The RP vali-
could be customized specifically for smart grid operators, easing dates the certificate typically by requesting the certificate status
the burden of providing security which adheres to the standards from a validation authority (VA), who replies in the positive if
and guidelines that are known to be secure. the certificate is valid.
All of the above technologies rely on some sort of key man- PKI allows for a chain of trust, where a first CAs extends trust
agement. Considering that the smart grid will contain millions of to a second CAs by simply issuing a CA-certificate to the second
devices, spread across hundreds of organizations, the key man- CAs. This enables RPs that trusts the first CA to also trust sub-
agement systems used must be scalable to extraordinary levels. jects with certificates issued by the second CA. When two CAs
Further, key management must offer strong security (authenti- issue each other certificates it is referred to as cross signing. In
cation and authorization), interorganization interoperability, and this way, CAs from one organization can extend trust to the CAs
the highest possible levels of efficiency to ensure that unneces- from other organizations, thus enabling secure interoperability
sary cost due to overhead, provisioning, and maintenance are across domains. CA certificates can contain various constraints
minimized. It is likely that new key management systems (spe- to limit the trust being extended by the issuing CA to the subject
cialized to meet the requirements of smart grid) will be needed. CA.
In very large systems PKI could be significantly more effi-
III. PROPOSED SOLUTION PART I—PKI cient than shared keys in terms of setting up and maintaining
Based on the security requirements for smart grid, as well as operational credential. This is due to the fact that each entity
the scale of the system and availability required, we believe uti- needs to be configured with its own certificate. This is as com-
lizing public key infrastructure (PKI) technologies along with pared to symmetric key provisioning where each device may
trusted computing elements, supported by other architectural need to be configured with a unique key pair for every secure
components, is the best overall solution for smart grid. link.
We believe that the most effective key management solution While PKI is known for being complex, many of the items
for securing the smart grid will be based on PKI technologies. responsible for the complexity can be significantly reduced by
PKI is more than just the hardware and software in the system. including the following four main technical elements:
It also includes the policies and procedures which describe the • PKI standards
set up, management, updating, and revocation of the certificates • automated trust anchor security;
that are at the heart of PKI [4]. • certificate attributes;
A PKI binds public keys with user identities through use of • smart grid PKI tools.
digital certificates. The binding is established through a regis- Standards are used to establish requirements on the security
tration process, where after a registration authority (RA) assures operations of energy service providers (e.g., utilities, generators,
102 IEEE TRANSACTIONS ON SMART GRID, VOL. 1, NO. 1, JUNE 2010

Independent System Operators (ISOs), etc.) as well as smart These standards rightfully leave these details to the organiza-
grid device manufacturers. Standards will include such items as tions implementing the PKI, and working out these details is
acceptable security policies (e.g., PKI certificate policies used where a great deal of the expense is incurred.
for issuing each type of certificate in the system), certificate for- Some industries (such as the financial services industry) have
mats, and PKI practices. standardized a model PKI policy. The purpose of a model policy
Trust anchor security is the basis for all subsequent trust rela- is to define the naming conventions, constraints, policies, and
tionships. But often trust anchor management mechanisms are many operational aspects of a PKI for an entire industry. Not
as simple as trusting the IT administrators to install the cor- only will this have great benefits for interoperability, but just as
rect certificate for the root CA in all RP devices, with little or significantly, it will ease the burden of implementation, as each
no means of efficiently verifying the correctness of this oper- organization will not have to independently research PKI and
ation. For systems with thousands or hundreds of thousands of determine policies and practices for themselves. They will have
nodes, an efficient and comprehensive trust anchor management been determined by the industry, and they will be known to have
system is needed. desired levels of security.
Certificate attributes provide an important component to We therefore propose the development of PKI standards for
achieving the high availability needed for the power grid. use by the critical infrastructure industry. The standards would
We need to ensure that incorporation of security and device be used to establish requirements on the PKI operations of en-
authentication does not unnecessarily impose or extend service ergy service providers (e.g., utilities, generators, ISO) as well as
outages, due to unreachability of a security server (e.g., AAA). smart grid device manufacturers. Standards could include such
This is why entities must “carry” their complete credential items as acceptable security policies (e.g., PKI certificate poli-
with them in the form of an attribute certificate, or a certificate cies used for issuing each type of certificate in the system), cer-
contains sufficiently detailed policy information to allow an RP tificate formats, and PKI practices.
to determine the applicability of the certificate holder to a given
service. B. Trust Anchor Security
PKI tools are needed to ease the process of managing the PKI One major component of a secure PKI enabled system is the
components used to support the smart grid application. These requirement that each RP (any device that uses the certificate
tools will be knowledgeable of the appropriate smart grid certifi- of a second party to authenticate the second party) must have
cate policy and certificate format standards, and will be used to secure methods to load and store the root of trust or trust anchor
programmatically enforce compliance to those standards. Such (TA). The TA is typically a CA at the top of a CA hierarchy.
tools will enhance interoperability, reduce the burden of running RPs trust certificate holders because they trust the TA, which
the PKI, and ensure that appropriate security requirements are trusts a CA, which trusts the end certificate holders. This trust is
adhered to. evidenced by a chain of certificates rooted at the trust anchor. If
With these elements in place, it will be possible for a smart an adversary could change the root of trust for any RP, that RP
grid owner or operator to purchase equipment, such as remote could be easily compromised.
terminal units (RTUs), intelligent electronic devices (IEDs), and We propose that each operator will support its own PKI hi-
various forms of communication equipment, from an accredited erarchy with its TA at the top. The challenge for the operator is
manufacturer, install these components into their fielded system, to ensure that each secure device obtains the correct TA infor-
and establish high assurance security associations (SAs) with mation. One method of doing this without needing to manually
these devices without having to preload shared keys into the preload the TA certificate into every device is as follows. Each
device. Such mechanisms will provide highly secure key and accredited manufacture will factory preload the device with a
trust management in an affordable manner. manufactures certificate, identifying the make, model, and se-
We therefore believe that only by including these PKI el- rial number of the device, as well as a preprovisioned TA certifi-
ements into an overall security architecture, a comprehensive cate. After a smart grid operator purchases a smart grid device,
and cost-effective solution for security of the smart grid can be the manufacturer would issue the operator a TA transfer certifi-
achieved. cate, which would instruct the device to accept the operator’s
root CA certificate as the new trust anchor, and only the oper-
A. Smart Grid PKI Standards ator’s root CA certificate. The TA transfer certificate would be
constrained to specific devices (based on serial number). Tools
PKI is a powerful tool that can be used to provide secure au- would automate the entire TA transfer process, reducing the ef-
thentication and authorization for security association (SA) and fort to potentially be as simple as turning the device on in the
key establishment. PKI can, however, be notoriously difficult operator’s network, sending it the address of the TA transfer
to deploy and operate. This is primarily because PKI standards repository [possibly via a domain name server (DNS)], and al-
(such as X.509 and IETF RFC 5280) only provide a high level lowing it to automatically request the TA transfer certificate and
framework for digital certificate usage and for implementing a new TA certificate. For highly critical devices it is recommended
PKI. For example, they do not specify how a particular organi- that the device must have a FIPS HSM to securely store the TA
zation should vet certificate signing requests, or how the organ- certificate.
ization should protect each CA. They provide a mechanism for In addition to secure TA management, each PKI enabled
defining naming conventions, certificate constraints, and certifi- smart grid device should have the ability to securely load and
cate policies, but they do not specify how these should be used. store a local policy database (LPD). This LPD is a set of rules
METKE AND EKL: SECURITY TECHNOLOGY FOR SMART GRID NETWORKS 103

Fig. 3. Trusted computing model.

that define how the device can use its certificate, and what types to those standards. Such tools will enhance interoperability, re-
of certificates it should accept when acting as an RP. The LPD duce the burden of running the PKI, and ensure that appropriate
would be a signed object, stored in the HSM, and signed by a security requirements are adhered to.
policy signing server trusted by the TA. It would be possible Smart grid PKI tools comprise a set of enhanced functions for
for the same PKI tools to automate the management of the LPD PKI components (such as RAs, CAs, and repositories) devel-
as the TA certificate. oped specially for the smart grid industry. The tools could both
automate and enforce the appropriate requirements for each PKI
C. Certificate Attributes
operation such as vetting CSRs, or certificate revocation. For ex-
In order for portions of the smart grid to continue to function ample, the tools would know the different requirements for han-
while other portions of the grid infrastructure are unreachable, dling CSRs for IED and human system administrators. The tools
it will be essential for smart grid devices to be able to authen- would aid with system deployment, PKI operations, and system
ticate and determine the authorization status for each other (as auditing, all in accordance with the standard model policy. Most
well as human system administrators) without the need to reach importantly, these tools will eliminate the need for symmetric
a back-end security server (i.e., AAA). In order to do this, two key configuration, which is an inherently insecure and expen-
additional capabilities would be required. First, smart grid cer- sive process.
tificates will require policy attributes to indicate the applicability The cost of building these tools will not be prohibitive, as they
of the certificate to a given application. will be similar to tools which already exist for PKI operations,
Second, a local source of performing certificate status will be and simply modified for smart grid use.
required. This can be accomplished in a number of ways. For
example, it would not be difficult or costly to distribute local IV. PROPOSED SOLUTION PART II—TRUSTED COMPUTING
certificate status servers throughout the grid. A possibly better The North American power grid is currently undergoing a
method involves having each certificate subject periodically ob- major transformation. By adding significant new functionality,
tain a signed certificate status for his own certificate. The cer- distributed intelligence, and state-of-the-art broadband commu-
tificate subject would store this status and provide it to an RP nication capabilities, the grid can be made more efficient, more
when authenticating to the RP. The RP would determine, based resilient, and more affordable to manage and operate. Unfor-
on local policy, if this status was new enough to accept, and if tunately, these very same capabilities will greatly increase the
so, the associated certificate could then be evaluated. It would number and type of threats to which the grid will be exposed.
also be recommended that all certificate subjects were loaded Considering the vast size, scope, and breath of the smart grid,
with the chain of certificates between themselves and their TA, it is reasonable to expect that the cumulative vulnerability of
and select chains of certificates between the subjects’ TA and the system may also be vast. Virtually all parties agree that the
the TAs of other agencies with which the local agency has cross consequences of a smart grid cybersecurity breach can be enor-
signed or otherwise trusts. Management of these chains of cer- mous. New functions such as demand response introduce sig-
tificates, and ensuring that devices receive the proper set, would nificant new attack vectors such as a malware that initiates a
again be automated by tools. massive coordinated and instantaneous drop in demand, poten-
tially causing substantial damage to distribution, transmission,
D. Smart Grid PKI Tools
and even generation facilities.
Even with the above standards, smart grid operators would Considering the incredible size of the threat and wide-ranging
have to familiarize themselves with PKI concepts, terminology, potential consequences from cyberattacks, the smart grid cyber-
risks, best practices, and the above-mentioned standards. Stan- security protection requirements must be extreme. The grid will
dards alone may not necessarily provide a cost-effective solu- require a comprehensive security plan that encompasses virtu-
tion. However, given such a set of standards, it would be possible ally all aspects of grid operations. One component of such a
for vendors to develop smart grid PKI tools which are based on plan includes trusted computing platforms. Fig. 3 shows a basic
these standards. Such tools would greatly ease the process of trusted computing model [1]. Such platforms and associated
managing the PKI components needed to support the smart grid mechanisms are used to ensure that malware is not introduced
application. These tools will be knowledgeable of the appro- into software processing devices.
priate smart grid certificate policy and certificate format stan- There are two categories of devices for which the malware
dards, and will be used to programmatically enforce compliance protection problems should be considered: embedded computer
104 IEEE TRANSACTIONS ON SMART GRID, VOL. 1, NO. 1, JUNE 2010

systems and general purpose computer systems. Embedded sys- For general purpose computing devices, such mechanisms
tems are computer systems that are designed to perform a spe- that only allow software approved by the manufacture to run
cific task or set of tasks. They are intended to run only software have not been popular. Consumers of PCs typically feel that
that is supplied by the manufacture. By contrast, general pur- they should not be restricted by the manufacture from loading
pose systems are intended to support third party software pur- any software that they want, even if it means having to put up
chased by the specific consumer who purchased the system. A with malware attacks. The predominant means of protecting net-
PC is an excellent example of a general purpose system. A mi- worked PCs has been to use malware detection and removal soft-
crowave oven, or cable television set-top box, are examples of ware typically referred to as antivirus software. One of the most
embedded systems. This problem of malware protection should
effective tools that the antivirus software uses to detect malware
be considered separately for each category.
is a “signature” dictionary. The term “signature” is being used
For embedded systems the problem of protecting the system
here to refer to a pattern of known recognizable code, as op-
against the installation of malware can be solved with high de-
grees of assurance. First and foremost the manufacturer must posed to the cryptographic signature used above. With the sig-
implement secure software development processes; many stan- nature dictionary, only known viruses can be discovered and re-
dard models for such processes are defined in [8]. Second, if the moved. Such methods are not helpful in protecting against new
device is intend to be field upgradable, the manufacturer must or unknown viruses. Clearly with the stakes so high, the smart
provide a secure software upgrade solution. The predominant grid needs a better solution than the reactive antivirus dictionary
method of doing this is to manufacture the embedded systems approach.
hardware with secure storage containing keying material for a To make matters worse, the rapid adoption of cloud com-
software validation. Typically the hardware is configured with puting and sophisticated Internet based applications has resulted
the public key of a secure signing server operated by the manu- in the widespread deployment of a number of “mobile code”
facturer. With this key, the device can validate any newly down- technologies. Mobile code is code that is downloaded and run
loaded software prior to running it. Such a proactive approach on your PC, typically by your browser, without the user’s knowl-
can provide higher levels of assurance than can be obtained with edge. Examples of mobile code include ActiveX, Flash anima-
a reactive approach such as a virus checker. tion, Java, JavaScript, PDF, Postscript, and Shockwave. The De-
Additional security can be obtained by validating the software partment of Homeland Security (DHS) Control System Security
each time the device boots up. Such techniques are referred to as Program [10] recommends tight controls on mobile code in crit-
high assurance boot (HAB). HAB techniques typically rely on
ical control systems for the nation’s critical infrastructure and
core software in secure hardware to validate boot-block code.
key resources (CIKR).
The boot-block code then validates the operating system (OS),
To address this concern we propose the adoption of, and ad-
and the OS in turn validates the higher level applications. Each
validation step is performed with public key or keys preinstalled herence to, strict code signing standards by smart grid suppliers
in the secure hardware. and operators. Mechanisms for enforcing such standards on gen-
For devices which are intended to run for long periods of eral purpose computers, such as PCs, have been put forth by
time (e.g., years) without booting, it is useful to have a method the Trusted Computing Group and are well documented [11].
of performing secure software validation on running code. It is Such standards should cover all critical devices including field
possible to have background tasks that can periodically perform deployed units, such as RTU and IED, network devices, such
such functions without disrupting the operations of the device. as router, switches, and firewalls, and control center equipment,
It is further possible to couple such background validation steps such as servers and user consoles. The standards should cover
with other operational aspects of the device, such that if the de- embedded systems, as well as general purpose computers, their
vice is found to be compromised, secure hardware on the device operating systems, drivers, and applications, as well as all mo-
(needed to bring up and maintain security associations with re- bile code. That is, no mobile code should be allowed to run on
mote entities) will prevent the local device from establishing a critical PC or server that has not been signed by an authority
and maintaining security associations with the remote entities. that is able to determine the trustworthiness of the code. Con-
Many papers, such as [9], are available on methods to provide sidering that it is certain that hardware and software elements
remote device attestation. for critical components of the grid will come from many dif-
Device attestation is needed to ascertain, for the devices on
ferent providers, it is likely that a trust management framework
the network, their true identities, ahead of any manual or auto-
will have to be established for smart grid. This framework will
mated provisioning at the site.
likely require the establishment of a set of criteria that are to be
With device attestation techniques, accredited manufacturers
can factory install device attestation certificates in each smart meet by vendors who wish to sell critical components to smart
grid device. These device attestation certificates are used only to grid operators. Additionally it is likely that one or more accredi-
assert the device manufacturer, model, serial number, and that tation organizations will need to be established to audit suppliers
the device has not been tampered with. These certificates cou- to determine they are meeting the specified criteria.
pled with the appropriate authentication protocol can be used by To some, these measures may seem somewhat extreme, but
the energy service provider to ensure that the device is exactly when we consider what is at stake, and the large potential for
what it claims to be. In order to support device attestation, the vulnerabilities related to malware in the smart grid, it is hard to
device will need a FIPS 140 hardware security module (HSM), imagine any other practical way of providing complete malware
and will need HAB functionality. protection in the grid.
METKE AND EKL: SECURITY TECHNOLOGY FOR SMART GRID NETWORKS 105

Fig. 4. Smart grid detailed logical model.

V. OTHER ARCHITECTURAL COMPONENTS computers in the back offices, monitored and/or controllable
PKI and trusted computing techniques can provide a very firm substation devices), and overlays (such as distributed security
basis for a strong and comprehensive security architecture for functions and elements).
smart grid. However these technologies alone are only the be- The diagram in Fig. 4 shows an example of the possible in-
ginning of the story. A complete architecture will include many terconnection of a subset of the various networks, with a WAN
other components such as firewalls, strong user and device au- wireless network as the backbone of the entire system. Note that
thentication, and message privacy and integrity. Listed below the wireless interfaces between similar devices is shown as a
are a few more components that should be take into account dashed, double-hashed line.
when developing the smart grid architecture.
B. Wireless Networks
A. Overall Architecture The smart grid communications network will be comprised
There are many views of the overall architecture for smart of several different subsystems—it is truly a network of net-
grid, depending on what the intent is of viewing or analyzing the works. These networks include WiMax, WLAN, land mobile
architecture. We present two architecture views—a high-level radio (LMR), cellular, microwave, fiber optic, dedicated or
conceptual model and a detailed logical model. switched wirelines, RS-232/RS-485 serial links, wired LANs,
High-Level Conceptual Model: The high-level conceptual or a versatile data network combining these media.
model (Fig. 1) has been developed by NIST and picked up across Different areas of the smart grid network require different
the smart grid and utility industry. It simply shows that seven wireless networking solutions. Advanced metering infrastruc-
main conceptual entities, along with the intercommunications ture (AMI) solutions can be meshed or point-to-point, with local
between them. The blue lines in the diagram are the informa- coverage or long range communications. Options for backhaul
tion flows, and the dotted yellow lines are the energy flows. solutions are fiber, wireless broadband, or broadband over pow-
Detailed Logical Model: The detailed logical model is com- erline, to name a few. Workforce mobility solutions possibili-
prised of several key elements: networks (wireless and wired), ties include WiMax, WLAN, cellular, and LMR, depending on
functional subsystems (such as SCADA), endpoints (e.g., the reliability, throughput, and coverage desired by the utility.
106 IEEE TRANSACTIONS ON SMART GRID, VOL. 1, NO. 1, JUNE 2010

D. Device’s Scope of Influence


The system must be designed such that if an adversary can
impersonate a meter, the scope of his influence is limited to af-
fecting the monthly bill associated with that meter. Many have
cited the potential that an adversary may take down the grid by
impersonating or hacking into a meter as reason for upgrad-
able cryptographic implementations in the meter. A better ap-
proach would be architect a system that would inherently pro-
tect against such an attack. A meter should only be able to send
packets to a “meter data collection point” and a “meter man-
ager,” which in turn can only communicate with specific desig-
nated devices for specific designated services. A meter should
never be able to send packets to arbitrary components in the
system such as IED or distributed control processors located in
a substation.
Several methods must be put into place to accomplish this.
First, all devices must know who they are communicating with,
and who they are supposed to communicate with. This is accom-
plished through mutual authentication techniques such as TLS
Fig. 5. Incident response plan. or IPSec. During mutual authentication, symmetric session keys
are derived which are used to provide message authenticity and
The wireless communications solutions can be either licensed integrity for subsequent traffic. Second, logical network seg-
or unlicensed, again depending on the needs of the utility. For ments must be isolated. Controls must be in place within the
the highest reliability, licensed should be chosen. Each of the AMI network to assure that meter traffic cannot make its way
above options has their advantages and disadvantages, but what into a substation, or some arbitrary network address. Also in
is consistently true of any and all of the solutions is the need to the substation or control center, controls must also be in place
have a scalable security solution. to ensure that traffic is only admitted from authorized sources.
Such a defense-in-depth approach has been the standard in en-
terprise networks for years. It is tempting to say the best solution
C. Incident Response Plan is to physically isolate the AMI network from other networks.
However, we need to recognize that operational expense will put
The components, systems, networks, and architecture are pressures on utilities to use shared network resources for various
all important to the security design and reliability of the smart purposes. It is therefore incumbent to ensure that the smart grid
grid communications solution. But it is inevitable that an architecture can support logical isolation of logically disparate
incident will occur at some point and one must be prepared networks that share common resources.
with the proper incident response plan (Fig. 5). Steps in the
incident response plan go from prevention to containment, VI. CONCLUSION
followed by detection and notification, and finally recovery and As a critical infrastructure element, smart grid requires
restoration [12]. A feedback/process improvement loop can the highest levels of security. A comprehensive architecture
make the system even more secure, and subsequent attacks less with security built in from the beginning is necessary. The
damaging, by adding additional prevention and containment smart grid security solution requires a holistic approach in-
checks. cluding PKI technology elements based on industry standards,
The incident response plan and its implementation can vary and trusted computing elements. Clearly, securing the North
between commercial providers and private utility networks. A American power grid will require the use of standards-based
private utility network is likely to provide better consistency state-of-the-art security protocols. PKI technical elements, such
of the incident response plan in the event of a security inci- as certificate lifecycle management tools, trust anchor security,
dent, assuming the private network is build upon a standardized and attribute certificates, are known technologies that can be
framework of hardware and software. The speed of the response tailored specifically to smart grid networks, resulting in an
decreases exponentially as the number of parties involved in- efficient and effective solution. The PKI solution supports the
creases. Conversely, a private network would ideally depend trusted computing elements, including device attestation.
on fewer parties; therefore, a more efficient incident response To achieve the vision put forth in this paper, there are many
process would provide for more rapid response and resolution. steps which need to be taken. Primary among them is the need
The rapidity of the response is critical during situations that in- for a cohesive set of requirements and standards for smart grid
volve a blackout. security. We urge the industry and other participants to continue
Criticalness of the device or system also determines how the work that has begun under the direction of NIST to accom-
prone it will be to attacks. History has shown that private plish these foundational steps quickly. However, the proper at-
networks by their inherent nature are less prone to attacks, and tention must be paid to creating these requirements and stan-
as a result are recommended as the best approach in situations dards, as they will be utilized for many years, given the lifecycle
where security is paramount. of utility components.
METKE AND EKL: SECURITY TECHNOLOGY FOR SMART GRID NETWORKS 107

REFERENCES Anthony R. Metke received the B.S. degree in


electrical engineering and computer science from
[1] Towards trustworthy systems with open standards and trusted com- the University of Illinois, Urbana–Champaign.
puting European Multilaterally Secure Computing Base, 2005 [On- He is a Distinguished Member of the Technical
line]. Available: http://www.emscb.com/content/pages/49373.htm
Staff in the Advanced Technology and Research or-
[2] Report to NIST on Smart Grid Interoperability Standards Roadmap
EPRI, Jun. 17, 2009 [Online]. Available: http://www.nist.gov/smart- ganization, part of the Enterprise Mobility Solutions
grid/InterimSmartGridRoadmapNISTRestructure.pdf business of Motorola Inc., Schaumburg, IL. Areas of
[3] Draft smart grid cyber security strategy and requirements, NIST IR responsibility include security for smart grid and mis-
7628, Sep. 2009 [Online]. Available: http://csrc.nist.gov/publications/ sion critical broadband systems. His employment ex-
drafts/nistir-7628/draft-nistir-7628.pdf perience also includes serving as Director of Network
[4] “Public key infrastructure,” Wikipedia Feb. 18, 2010 [Online]. Avail- Development for Midway Games, System Architect
able: http://en.wikipedia.org/wiki/Public_key_infrastructure for US Robotics, and Senior Engineer for GTE. Previous work included PKI,
[5] WiMax Security 2010 [Online]. Available: http://www.top- QOS, bandwidth management, WLAN, ad hoc networking, multicast, and IP
bits.com/wimax-security.html network design. He has received six U.S. patents.
[6] 802.16e Notes—Mitchell Group, Stanford Univ.. Stanford, CA, pp.
94305–9045, Jun. 6, 2005 [Online]. Available: http://www.iab.org/
liaisons/ieee/EAP/802.16eNotes.pdf
[7] L. Cuilan, “A simple encryption scheme based on WiMAX,” presented Randy L. Ekl received the B.S. degree with a triple
at the Int. Conf. E-Business and Information System Security, Wuhan,
major in electrical engineering, computer science
China, 2009.
[8] N. Davis, Secure software development life cycle processes Software and mathematics from Rose-Hulman Institute of
Eng. Inst., Carnegie Mellon Univ., 2009. Technology, Terre Haute, IN, and the M.S. degree
[9] Shaneck, K. Mahadevan, V. Kher, and Y. Kim, Remote software- with a double major in electrical engineering and
based attestation for wireless sensors Comput. Sci. Eng., Univ. Min- computer science from the University of Illinois,
nesota—Twin Cities, 2005, . : , . Chicago.
[10] Catalog of Control Systems Security: Recommendations for Standards He is a Distinguished Member of the Technical
Developers, DHS Sep. 2009. Staff and manager in the Advanced Technology
[11] D. Challener et al., A Practical Guide to Trusted Computing. Upper and Research organization, part of the Enterprise
Saddle River, NJ: IBM Press. Mobility Solutions business of Motorola Inc.,
[12] J. Sherwood, A. Clark, and D. Lynas, Enterprise Security Architecture: Schaumburg, IL. Areas of responsibility include aspects of smart grid and
A Business-Driven Approach. New York: CMP Books, 2005. mission critical broadband systems. Previous work included cognitive radio for
TV white space, WLAN, and performance modeling and simulation. He has 22
granted patents, and many pending, making him a distinguished innovator. He
has a number of published papers in IEEE journals as well as other publications,
such as Mathematics of Computation.
Mr. Ekl is an Associate Member of Motorola’s Science Advisory Board and
has been elected a Dan Noble Fellow, Motorola’s highest honorary technical
award.

You might also like