Avoiding “SmartGridLock”: Smart Grid Informatics and Security Challenges
Alfonso Valdes
Senior Computer Scientist
SRI International
Collaborating to Advance Control System Security
SRI International
Breakthrough ideas…real-world solutions
© 2008 SRI International – All rights reserved
SRI International
History of world-changing technical innovations
• Silicon Valley independent nonprofit
– Founded by Stanford University in 1946
– 2,200 staff members: $0.5 billion per year
• What we do
– Innovation: R&D and new products for commercial and gov’t clients
• Info, bio, and nano
• Education, health, and economic development
– Form new ventures and license technology
Princeton, NJ
Menlo Park, CA
Washington, DC
Tokyo, Japan
Bangalore … Taipei … Belgium … Middle East … 12 US cities
© 2009 SRI International – All rights reserved
A Few of SRI’s Innovations
Hundreds of billions of dollars of economic value
Computer mouse
First Internet logon
.com .org .gov
Electronic Banking
Low cost solar-grade silicon
HDTV, color TV, …
Address reading
Digital film distribution
Cognitive Assistant that Learns and Organizes
Our Focus Areas
Multidisciplinary teams in all major technology areas
• Information Technology
• Health, Education, and Economic Policy
• Biotechnology
• Engineering and Systems
• Five Disciplines of Innovation
• Advanced Materials (Microsystems and Nanotechnology)
Outline
• Current State
• Smart Grid Goals
• Aspects of Smart Grid
• Role of Digital Technology
• Secure Interoperability
• Security concerns
– New Attack Surfaces
– Monitoring for generation, Transmission, Distribution
• Summary
Current State
• Original AC grids were designed to connect demands in
cities to coal-powered generation
• Large-scale hydro and rural electrification motivated
long-range transmission
• Regional grids became more interconnected over time
• Digital controls have evolved from proprietary serial to
commodity HW and TCP/IP
• The grid is considered brittle and operating near
capacity. It will likely fall short of future power demands
(quantity and quality)
Where We Want to Go
[Figure labels: Situational Awareness; Demand function; Traditional source; Renewables; Storage]
Smart Grid Drivers
• Reliability
– Technology to support self-awareness, self-healing, islanding, and
microgrids
• Integration of non-traditional sources and renewables to
reduce GHG
• Demand Side Response
– 10% of reserve to meet 1% peak demand
• Distributed Generation and storage
• Business Models
– Wholesale markets
– Outsourced customer-side energy management (privacy?)
We may say SmartGrid will make power generation,
transmission, and distribution the next big e-business,
operating mostly under autonomous control.
Smart Grid Features
• Ubiquitous Smart Devices: Smart meters, inverters for solar, etc. all have a
computational core. Security, communications, transaction integrity are all essential
• Agent and Reasoning Framework: A framework of distributed, autonomous agents
continually optimizing simultaneous local objective functions within a global context.
Security, reliability, quality, continuity of supply, islanding decisions, etc. are just some
of the objectives.
• Secure Organization and Interoperability: We can envision these having relationships: A
rooftop panel is a generator for a house, which is a demand and has a plug-in hybrid, which
travels and is a storage device... a microgrid is a collection of {generators, demand,
storage}...
• Market Mechanism: Demand bids for supply from generators and storage and
transmission. Security ensures integrity of transactions and prices.
• We can also consider this as an "object oriented grid" in the sense that anything on the
grid has a public "API" which lets other entities know its capabilities and characteristics.
Digital Technology makes smart grid work: Data Moves Power
Role of Digital Technology
• DCS/SCADA, Smart Meters, Access Points, Data Concentrators
• Appropriate response to tariffs fluctuating in real time (supply and demand
side)
– Financial (decisions to buy or sell power)
– Computerized controls to ramp generators up or down, store or withdraw from storage, etc.
• Multi-scale views of the system to maintain stability and contain adverse events
• Massive data volume at time scales from milliseconds to human time
• The grid must reason about its state in a distributed fashion and take control
action to maintain stability, reliability, efficiency, quality, and security
Actions and transactions taken by humans, or autonomous agents,
must be optimal, trustworthy, and auditable
Security is a Critical, Cross-Cutting Need for Smart Grid
• Process Control Systems
– DCS and SCADA
– Essential to safe, reliable operation of generation, transmission, and distribution
• Unsecured Field Assets
– Smart meters, data concentrators (embedded system security?)
– Many more points: Large Attack Surface
– Issues of networking, authentication, key management, compute power, etc
• Numerous commercial and R&D efforts underway to improve
security
– SRI DATES project explores anomaly and model-based monitoring to protect
against new exploits
– AMISEC, ASAP
Emerging Security Challenges in Smart Grid
• DCS, SCADA, EMS
– Essential to safe, reliable operation of generation, transmission, and distribution
– Numerous commercial and R&D efforts underway to improve security
• Security in the Advanced Metering Initiative (AMI)
– Millions of devices at residences and businesses
– Embedded system security has received comparatively little attention
– Secure networking, Authentication, Key Management
– Tamper proof or at least “Tamper evident”
• Traditionally “hardware only” issue and specific to a single unit
• Attacker can compromise a copy of the device off line and develop an attack for many units
– Auditable, but privacy-preserving
• Trust in Distributed Generation
– A supplier’s claim to have sold a quantity of power back to the grid must be trustworthy and auditable
– Trusted two-way metering (AMI++)
• Trusted real-time markets
– Prevent spoofing of demand and supply announcements
– Transaction Integrity
Security Issues at Multiple Resolutions
• Home (Unsecured)
– Smart appliances
– Home Area Network (HAN)
– Advanced meters
– AMI/HAN interface and inter-operation
• Field (Unmanned, Secured by fence)
– Data Concentrators
– Distributed Generation
– Legacy Distribution
• Transmission
• Generation
• Complex interaction of logical and physical
• Large number of new attack surfaces
[Figure labels: Home; Continent]
Some of the Market Players and Information Flows
[Diagram. Players: Distributed Generation; Home Energy Management Service; Legacy Generation/Transmission/Distribution; Wholesale Markets; Consumer/AMI/Endpoint. Flows: Real Time Price; Supplied Power; Usage; Usage (Aggregate?); Real Time Control]
Secure Interoperability is Essential
• Multiple domains: Generation, Transmission,
Distribution, Consumer, RTO, ISO
• What are the interfaces between the domains?
– What information passes across the respective interfaces? Do price
signals suffice?
– What information is hidden?
– How do we ensure each (human or autonomous) agent sees only the
information it needs for its role?
NIST and IEEE have undertaken SmartGrid Interoperability
Standards activities
Information Exchange
• Layered Protocol Stack
– OSI: Physical, data link, network, transport, session, presentation, application
– GridWise Architecture Council “GWAC Stack” adds levels of interoperability:
syntactic, semantic, business procedures, policy
• Object Model
– An entity publishes its capabilities and keeps implementation details private
– Example:
• Storage device publishes how much power it has and at what price it will pump
power into the grid, or buy power from the grid
• It may be current-generation rechargeable, PHEV, some future technology
– The entity monitors published parameters on the grid and optimizes its actions
accordingly
• Correctly implemented, these promote secure
interoperability
Smart Meters Being Deployed Now
• Motivators:
– Allow utility to remotely read a meter
– Enable Demand Management/Response
– Allow remote disconnect
– Two-way metering: Customer can sell power back to the grid
• Issues
– A smart device with encryption technology
for authentication, out in the field
• Some attacks already described
– Mesh network with access points for
wireless comms: Eavesdropping, DOS?
– Securing transactions
• Common issues with financial POS terminals?
Securing Distributed Generation
• Distributed storage, small-scale wind, home-scale solar
will likely play a part in Smart Grid
• All of these will connect to smart grid via a computerized
interface
• The object model is once again relevant: The component
is a node that can supply power, with the transaction
mediated via a published (logical) interface, analogous to
an API
Secure interoperability, transaction integrity, two-way
metering, and trusted monitoring are essential
Monitoring as Part of Defense in Depth
• Control Systems use perimeter defenses
– Firewalls, switches
– Network segmentation
– DMZ between control and business networks
• Why monitor?
– Ensure perimeter defenses are still effective (Configuration Drift)
– Ensure perimeter defenses are not bypassed (Out of band connections, dual ported devices)
– Ensure perimeter defenses are not compromised (Attack on the firewall itself)
– Be aware of unsuccessful attempts to penetrate
– What perimeter?
Detection and Event Management
• Control System aware IDS at the Device, Control LAN, and Host
• Event Correlation integrates new detection data sources into ArcSight
• Result:
– Correlate attack steps
– Follow an attack across LAN segments
Test System Diagram (SRI/Invensys)
[Diagram labels: Control LAN; Field LAN]
MODBUS (Normal Pattern)
MODBUS (Nessus Scan)
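An added example, not from the slides or the DATES project: a minimal model-based monitor in the spirit of the two MODBUS slides above. It learns the (unit id, function code) pairs seen in normal Modbus/TCP polling and flags requests outside that model. The frames, the `build` helper and the alert labels are constructed for illustration; they are not captured traffic or the signature of any scanner.

```python
import struct

def parse_request(frame: bytes):
    """Return (unit id, function code) from one Modbus/TCP request frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7]

def learn_baseline(frames):
    """Model of normal traffic: the (unit, function) pairs the HMI uses."""
    return {parse_request(f) for f in frames}

def check_window(frames, baseline):
    """Alerts for one observation window, in arrival order."""
    alerts = []
    for f in frames:
        try:
            pair = parse_request(f)
        except ValueError as err:
            alerts.append(("malformed", str(err)))
            continue
        if pair not in baseline:
            alerts.append(("not-in-model", pair))
    return alerts

def build(tid, unit, func, body=b"\x00\x00\x00\x01"):
    """Construct a sample request frame (test data, not captured traffic)."""
    pdu = bytes([func]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed normal pattern: an HMI polling unit 1 with reads and one write.
NORMAL = [build(i, 1, fc) for i, fc in enumerate([3, 4, 3, 4, 6, 3, 4])]
# Constructed probe-like window: unfamiliar function codes and unit ids,
# plus one truncated frame whose length field no longer matches.
PROBE = [build(1, 1, 3), build(2, 1, 43), build(3, 1, 17), build(4, 255, 3),
         build(5, 1, 4)[:-1]]

BASELINE = learn_baseline(NORMAL)

if __name__ == "__main__":
    for alert in check_window(PROBE, BASELINE):
        print(alert)
```

Because control traffic is highly regular, the learned set stays small, so any request outside it is worth an analyst's attention even when the perimeter did not block it.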
Summary
• Smartgrid will use ubiquitous digital technology to
achieve efficiency, reliability, resiliency
• Digital technology presents many new attack surfaces
– Prevention, Detection, Operation Through Attack, and Remediation
are critical security questions
– Devices unattended and in the field for long periods pose challenges
• Technology is outpacing standards
• Secure interoperability of a large number of autonomous
agents is essential
• “Future-proof”
• Get it right from the start