Confidentiality. Integrity. Availability. These three supreme goals of information system security apply across all industries. So it’s no surprise that the benchmarks of smart meter and smart grid security are:
- Ensuring that authorized people have access to specific information and others do not (confidentiality)
- Certifying the validity and reliability of information resources (data integrity)
- Preserving the ongoing functionality of the system (availability)
Just what does your utility need to know to be confident that these goals have been accomplished and your Advanced Metering Infrastructure (AMI) systems are protected? In a world where technology is advancing at breakneck speed and standards are continually evolving to keep pace, perhaps the key to assuring long-term AMI security lies more in asking the right questions than in seeking particular answers. That’s why this chapter focuses on probing queries that smart utilities can ask themselves, and their technology providers, to better understand their security needs and how to meet them.
Three Important Questions for You
- What are you protecting?
When it comes to the smart grid, precisely what needs protecting depends largely on whom you ask.
Energy consumers want to know that any personally identifiable information (PII) stored in the system is used only by authorized agents for authorized purposes.
Technology providers, on the other hand, are most interested in securing intellectual property and trade secrets embedded within the system’s software and hardware.
Regulatory agencies are invested in protecting the bulk electric system and in safeguarding the integrity and accuracy of billing data.
And, finally, utilities are concerned with ensuring that only authorized agents have access to – and can read and control – system components.
In short, there are multiple constituents with investments in the smart grid, all of whom have their own perspectives as to what needs protection. If you don’t know (or don’t agree with your technology provider about) your priorities, it’s unlikely that you’ll know (or agree) that the protection is adequate. Have a conversation with your vendor to be sure your views are in sync and that the parts of your system that need protection get the care and attention required.
- From what (or whom) does it need protection?
If you want to keep a cookie jar from a two-year-old, storing it on a high shelf should suffice. But to protect a multimillion-dollar, 14th century Ming dynasty vase from art thieves, a high shelf alone won’t be adequate—you’ll need far more advanced and expensive measures. All of which is to say both the value of the object being protected and the sophistication of the threat dictate the degree – and cost – of required security. The same principle applies to smart grid protection. Talk to your vendor about the expected level of threat to your system so that corresponding protective mechanisms can be put into place.
- What policies, procedures and/or practices do you have in place to ensure that your people protect your system?
The best technology in the world can be undermined by avoidable human error. Ask yourself if training is adequate, policies are enforced and your people are part of the security solution and NOT part of the problem.
Seven Critical Queries for your Vendors
- What security measures does your system employ?
Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.
- How do you know that your system is secure?
Though we intuitively think of security as a binary value (e.g., the cookie jar is either secure or insecure on the high shelf), when it comes to the smart grid, security should be understood as a non- linear continuum of postures. This, of course, makes it tricky to determine whether or not a system is sufficiently secure. What you’re looking for from a vendor is evidence of testing, design validation and quality assurance to give you the confidence that “security” isn’t just a buzzword but a real and integral facet of the delivered system.
- Has your system been evaluated by third parties?
Unlike the last question, this one has a simple answer: “yes.” Security evaluation can discover issues that would only occur when devices are in operation. It is important that third-party evaluations become more comparable and consistent over time, leading to the need to have industry standards for security evaluations. This consistency will enable security certifications instead of security audits.
- How would you react if a new threat were discovered tomorrow?
No one can predict the future, and it would be unreasonable to expect your vendor to have a detailed response plan for every possible threat on the horizon. However, it is fair to ask your technology providers if they’ve considered potential future threats and how they’re working to stay one step ahead of them. And if they did discover something, you will probably want to make sure that they have a system by which they could and would inform you.
- Are you using encryption?
The simple acceptable answer to this question is also “yes.” Note, however, that not every communication link or storage medium requires encryption, and different uses often dictate different encryption mechanisms. Consequently, it is far better to determine where and why encryption is used – and where it isn’t – than to simply prescribe one mechanism for all parts of a system.
Furthermore, using encryption doesn’t necessarily guarantee that you will receive the intended benefit. It must be used correctly. For this reason, a simple “yes, we’re using encryption” is only a start; more detailed analysis of how the encryption is used and implemented is required to assure adequate security in a new system.
- How do you store passwords and encryption keys?
Most new systems employ encryption keys, passwords or both. To preserve the integrity of the system, these must be carefully stored and securely accessed. This means passwords and encryption keys should not be easily extracted from the system, especially by remote means.
It also means that technology providers shouldn’t ship devices with factory default passwords that must be re-set by the utility. Ask if your vendor can pre-program specific devices with unique passwords rather than relying on its customers to change the default. Deploying devices with default (and often well-known) passwords is a common mistake and frequent cause of security audit findings.
- How do you manage encryption keys?
While the complex mathematics involved in data encryption is well understood, how to manage all of these keys is not. The reason is simple: logistics. Imagine a utility that has two million devices in one territory, each of which needs a unique encryption key and pairs of which must be able to communicate with each other. Devising a system for distributing these keys, preventing duplication, changing them and revoking them is extremely complex and difficult. However, it’s also critical. So be sure to ask your vendors how they are managing encryption keys. If the answer is detailed and thorough, you’re in good hands. If it’s short and simple, you should look deeper and may need to consider alternative solutions.
Ensuring smart grid security is a complex and difficult process. And so is evaluating a vendor’s security measures. Choosing any system “because NIST said we have to” or “because our security guy said we should” may be the easiest course, but in the long term, it’s unlikely to be the wisest. Start with the questions above, and you’re sure to finish with the confidentiality, integrity and availability that are the essential attributes of a secure AMI solution—and a smart utility.
About the Author
Ed Beroset has been working with computers and software for over 35 years and has been with Elster for more than 15 years. In his career, he has worked with a number of communications technologies, including fiber optics and microwave radio. Ed has served as a designated US technical expert on IEC Technical Committee 13, Working Group 14, since 1999, and has been involved with ANSI Subcommittee 17 since 1997. He also currently serves as chairman for both ANSI SC 17, WG1, which created the ANSI C12.22 standard, and for the IEEE P1703 working group. He has participated in the AEIC guidelines work, NEMA standards activities and in IETF activities.
He has also been involved with the NIST Standards activities from before the inception of the SGIP to the present. He wrote significant portions of the text that was ultimately published as NISTIR 7628. He has taught at a number of meter schools throughout the country and has been an invited speaker at a number of venues, including GridWeek, EEI, the Smart Grid Cybersecurity Summit, the Applied Control Solutions Cybersecurity Conference and others.
Security by Obscurity is No Security
By: Nate Kube
Chief Technology Officer Wurldtech Security Technologies
One case study of a failure of security by obscurity is that of an unnamed distributed systems vendor. This vendor created its own wireless communications protocol, which was complex and proprietary to the vendor.
The vendor assumed that since its own proprietary modulation was being used, along with its own error correction and interleaving format, no attacker would be able to intercept communications, let alone forge them.
To prove the vendor wrong, we reverse engineered the entire protocol stack from RF captures. With modern RF communications tools such as software radios combined with signal processing and analysis tools, one can quickly make sense and perform data recovery on even the strongest proprietary modulation.
Once the RF signals have been translated back to 1s and 0s, the task of turning a bit stream back into the information it represents begins. By observing differences between a number of similar packets, we were then able to identify the error correction and interleaving mechanisms in place.
After removing the error correction and interleaving from the messages, we were then left with only the task of understanding the vendor’s message formats and checksums.
Message formats are typically straightforward to understand: messages typically have a ‘to’ address and sometimes a ‘from,’ along with a command to execute or data to convey. By examining multiple messages, an analyst can easily discern the structure of the messages.
Checksums are a bit harder, but mathematical analysis techniques can easily be used to determine parameters for common checksum routines such as CRCs.
When all was said and done, we were a b l e t o completely intercept and forge the vendor’s proprietary communications protocol. Making proper use of strong cryptography would have prevented the entire attack.
Security Gives Me the Willies
By: Paul Pauesick
Director of Information Technology KC Board of Public Utilities
William (Willie) Sutton was a creative American bank robber during the early-20th century. During his 40-year criminal career he stole an estimated $2 million, and he spent more than half of his adult life in prison. Sutton is known for the urban legend that he said that he robbed banks “because that’s where the money is.”
Willie Sutton, Source: http://www.fbi.gov/
Today, information is the currency of choice. The customer energy usage information that is being unleashed by the digital technologies of the smart grid is “where the money is.” This information is valuable to electric customers, the electric utility and to the utility’s partners – but it is also valuable to people, like Willy, that could use it to disrupt the power grids, or steal personal information for personal gain. Utilities need to embrace data protection and privacy safeguards concerning meter data because of the Willy Suttons.
Willy would have liked the smart grid because robbery can happen anywhere on the grid. Attacks can be made at endpoints and interfaces at any location along the smart grid, for example, customer meters, switches, gatekeepers, applications, data bases - including phishing your smart grid personnel. Each point along the system is an opportunity for exposure and exploitation.
Training utility staff is a critical element of smart grid security. The best security technology in the world can’t help you defeat the Willies unless employees understand their roles and responsibilities in safeguarding sensitive customer data and protecting company resources and coworker information. They also need a basic knowledge of other risks and how to make good judgments about operating and maintaining the smart grid.
For the smart grid to be a viable solution, utility staff must guarantee that data is kept confidential, that data integrity is maintained and that data availability can be sustained. The maintenance and operation of the smart grid requires smart (like the grid), trained personnel who understand the implications of their work on the security of and protection of customer data. Also, training and educating customers can greatly help your overall security posture. In essence, security of the smart grid is everyone’s job, and both smart grid staff and customers need to be trained to understand their roles in keeping the smart grid Willy-free.
Content brought to you by: