Security Implications of the Electric Smart Grid

The United States is in the process of upgrading its electrical power infrastructure. The patchwork nature of the current electric grid, which consists of more than 9,200 electric generating units with more than one million megawatts of generating capacity connected to more than 300,000 miles of transmission lines (U.S. Department of Energy, 2013, What Is the Smart Grid?), has been stretched to its capacity.

Steps to transform the nation’s power grid into a smart grid – an advanced, digital infrastructure with two-way capabilities for communicating information, controlling equipment, and distributing energy – are being implemented from the bottom up and will take place over many years (NIST, 2010a). Intelligent, bi-directional communication devices are being incorporated in the industrial control systems (ICS) used by the electric industry.

These ICS include supervisory control and data acquisition (SCADA) systems used to monitor and control widely dispersed operations (Energy Sector Control Systems Working Group/ESGSWG, 2011, Roadmap to achieve systems cybersecurity) in electricity transmission and distribution; energy management systems (EMS) used with SCADA systems to optimize energy delivery system performance; distributed control systems used in bulk generation plants for load control; and other components such as remote terminal units (RTUs), programmable logic controllers (PLCs), and intelligent electronic devices (IEDs) that monitor system data and initiate programmed control activities in response to input data and alerts (ESCSWG, 2011). Integrating information technology (IT) within the power grid is central to realizing the benefits of the smart grid, among them: increasing energy efficiency and reliability; transitioning to renewable sources of energy; reducing greenhouse gas emissions; and building a sustainable economy that ensures future prosperity (ESCSWG, 2011).

Throughout this transition, the electric industry must address increasingly complex power system operations while accommodating greater demands for electricity and maintaining grid stability. Availability (reliability) of power system delivery is critical, with varying time latency needs: no more than 4 milliseconds for protective relaying; sub-seconds for transmission of wide area situational awareness monitoring; seconds for substation and feeder SCADA system data; minutes for monitoring noncritical equipment and some market pricing information; hours for meter reading and longer-term market pricing information; and days/weeks/months for collecting long-term data, such as power quality information (NIST, 2010b). In addition, regardless of events, power system operations must continue 24/7, with 99.99-percent availability for SCADA systems and higher for protective relaying (National Institute of Standards and Technology/NIST, 2010, Guidelines for Smart Grid Cyber Security: Vol 3, Supportive analyses and references).

Increasing Threats and More Vulnerabilities

ICS used by the electric sector are transitioning from isolated systems running proprietary industry control protocols that use specialized hardware and software (NIST, 2011, NIST Special Publication 800-82: Guide to Industrial Control Systems (ISC) Security), to Internet Protocol (IP)-based communications and commercial off-the-shelf technologies. While these reduce costs and increase compatibility between different vendors’ components, they also increase the likelihood of successful IP-based network attacks, such as IP spoofing and distributed denial of service attacks. Blocked or delayed data transmission could disrupt ICS operations, degrading power system reliability.

As systems become more interconnected, the implicit trust that exists between ICS devices makes them vulnerable to data spoofing, which could cause false control signals to be transmitted, readings from smart meters to be fabricated, protective relays to be disabled, and load balances to become disrupted by abrupt increases or decreases in the demand for electricity.

Greater interconnectedness means less physical isolation from external, remote threats. Many of the systems and components that were once located in physically secured areas are now in unsecured locations that are not under electric utility control. Among those components most vulnerable to physical access are digital meters used in the Advanced Metering Infrastructure (AMI), distributed energy resources equipment, distribution automation field equipment, home area network (HAN) devices, and energy services interface (ESI)/HAN gateways.

In addition, the increasing use of mobile devices and wireless communications puts control systems at higher risk from adversaries who do not have physical access. Remotely transmitted, unauthorized changes to instructions, commands, or alarm thresholds could damage, disable, or shut down equipment or interfere with the operation of safety systems, causing environmental catastrophes or endangering human life (NIST, 2011). Malware can be inserted and transmitted to add or modify device functions or to alter ICS software or configuration settings, with equally adverse outcomes.

Sources of Threats

Threats to the smart grid can come from many sources, the most likely being customers, insiders, and terrorists/nation-states. The basis of most customer attacks is fraud.  Some customers will almost certainly attempt to steal electrical power by falsifying smart meter data. Attacks against smart meters will probably be similar to existing attacks against broadband modems. For years, subscribers have been able to “uncap” their cable modems: using open source software to edit the configuration files of their DOCSIS (Data Over Cable Service Interface Specification)-compliant modems, allowing them to control the modem’s upload and download speeds, thereby overriding the bandwidth caps put in place by cable service providers (R.C. Parks, 2007, Advanced Metering Infrastructure Security Considerations).

Just as cable modems are physically accessible to Internet service subscribers, smart modems are accessible to utility customers. In a similar manner, utility customers could modify the firmware controlling the operation of the smart meters, causing them to underreport electric usage, and therefore lower the customers’ cost of electric use (Parks, 2007). Impact on the smart grid will be negligible if only a few customers alter their smart meters; however, reliability and security problems will arise when smart meter hacking tools become readily accessible. In the long term, the electric utility may not plan infrastructure that will meet loads because the data show the loads to be less than actual. During large outages due to weather or ground fault conditions, crews may not be able to pinpoint problems because customer-hacked meters are unable to provide the necessary outage information, delaying power restoration and increasing utility operating costs (Parks, 2007).

Insider attacks also can be financially motivated. Targeted smart grid systems include the AMI and either the EMS or the Inter-Control center Communications Protocol (ICCP) server to an independent system operator or generation entity. These are the systems through which pricing information flows. An insider in collusion with a generation provider could use the AMI to increase peak usage, thereby creating increased demand for power generation at a higher price point than would otherwise occur. The generation provider would earn significantly higher profits, which would be shared with the insider. The impacts on the power system from such an attack include higher peak usage of electricity and artificially high usage reporting for planning (Parks, 2007).

Terrorist/nation-state attacks are enabled by the size and complexity of the smart grid, the trust relationships between the many systems and devices involved, and the vulnerabilities in IT used by the smart grid. A declassified report from the National Research Council found that physical damage by terrorists to large transformers could disrupt power to large regions of the country and could take months to repair, and that such attacks could be carried out by knowledgeable attackers with little risk of detection (National Research Council/NRC, 2012, Terrorism and the Electric Power Delivery System). Only a limited number of spare transformers are available within the U.S., and the replacement of large transformers essential to the reliable operation of the grid could require twenty months or longer (U.S. Department of Energy, 2012, Large Power Transformers and the U.S. Electric Grid). Impacts on the power system could include instability of the bulk electric grid, widespread and lengthy outages, and equipment damage.

Security Strategies

Certain methods and technologies that have been developed to address physical and logical security issues in traditional IT systems have the potential to introduce serious operational problems in the smart grid. Some IT solutions can disable or shut down power delivery systems, and poorly configured security tools can slow critical data communications to the point where electricity delivery becomes inoperable (ESCSWG, 2011). Problems arise because the operating performance requirements are very different.  Reliability and safety are of paramount importance in electric power systems (NIST, 2010a, Guidelines for Smart Grid Security: Vol 1, Smart grid cyber security strategy, architecture, and high-level requirements), and as a result, their ICS have different objectives than typical IT systems. These include ensuring the health and safety of human lives, minimizing damage to the environment, limiting economic losses, and avoiding the compromise of proprietary information (NIST, 2011). Because the goals of reliability and safety can sometimes conflict with the IT perspective of control system design and operation, ICS often use operating systems and applications that are considered unconventional to typical IT personnel (NIST, 2011). It is important that the security technologies that are implemented respect the real-time operation imperative of the power delivery system, and do not introduce unacceptable latency or degrade or disrupt service (ESCSWG, 2011).

Read more on smart grid security strategies, including four areas of focus, after the break.

As the nation transitions to the smart grid, the electrical power industry will likely find the most efficient security solutions to be those that supplement already existing standards, controls, and best practices. Following are different categories of technologies that can be modified to better mitigate the risks associated with the smart grid: (NIST, 2010a):

1)      Power System Configurations and Engineering Strategies

Today’s power system has carefully planned and thoroughly evaluated responses to n-1 contingencies, such as the loss of a generator or transmission component, so that the power grid remains resilient and continues to operate when the function of a physical component has been compromised (ESCSWG, 2011). The existing power grid has extensive component, system, and network redundancies. Redundant power system equipment (e.g., power supplies, generators, transmission lines, transformers, and switching devices) exist for power system generation, control, and communication. There are redundant communication networks, including fiber optic networks and power line carriers between substations, as well as communication head-ends – control devices required by some networks to provide certain centralized functions, such as remodulation, retiming, message accountability, contention control, diagnostic control, and access to a gateway (NIST, 2010a). There also are redundant automation systems (e.g., additional substation protective relays) and redundant power system configurations (e.g., networked grids and multiple feeds to customer sites from different substations).

As the electrical power delivery system evolves, similar response processes and supporting advanced technologies must be in place so that the power infrastructure remains resilient and continues to operate when IT components have been compromised (ESCSWG, 2011). Each critical component must have a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary network traffic or cause another problem elsewhere, such as a cascading failure (NIST, 2011). Redundant information sources (e.g., redundant sensors and voltage measurements from different substation equipment or from different substations), must be fully automated for true smart grid interconnectivity. Many of our current grid system pathways have been closely paralleled with additional lines to provide additional capacity; however, these are not true alternate pathways. Obstacles pertaining to property law have been encountered, and must be resolved, to develop the multiple pathways necessary for the smart grid.

2)      Power System Analysis and Control

The existing power system operates with an EMS-enabled transmission grid, which can provide real-time information on the grid’s status and allow various grid functions to be automated remotely. Power flow models of the transmission system, generators, and loads can simulate real-time or future power system scenarios; redundant measurements from the field are used to estimate real measurements from missing or inaccurate sensor data; and contingency analysis capabilities use electrical sign wave analyses to assess the power flow models for single points of failure (n-1), as well as any linked types of failures, and can flag possible problems (NIST, 2010a).

Existing distribution management systems can simulate real-time and possible future power system scenarios, as well as three-phase unbalanced distribution power flow analysis, contingency analysis, switch order management, short-circuit analysis, volt/ampere reactive (VAR)/watt optimization, and loss analysis (NIST, 2010a). These systems, however, do not yet have smart grid automation technology that provides real-time information about the distribution network or allows switches in the grid to be controlled remotely (General Electric Company, 2013, An Energy Internet).

To achieve real-time situational awareness and establish appropriate responses in the smart grid, advanced technologies are needed that identify, acquire, correlate, analyze, and display IT and physical security-related data from all levels of the power system architecture (device, system, and network) and across all domains. These capabilities can lead to techniques that show the impact of IT and communication failures on electricity delivery, the potential effects of electricity disruptions on digital communications, and how a simultaneous combination of failures in each of the systems might impact the smart grid as a whole (ESCSWG, 2011).

3)      Monitoring and Control

 Current SCADA systems continuously monitor generators, substations, and feeder equipment, can perform remote control actions in response to operator or software application commands, and operate with approximately 99.99% availability. Other control systems, such as Under-Frequency Load Shedding (UFLS) and Under-Voltage Load Shedding (UVLS), are common industry practices to maintain power system availability. UFLS and UVLS commands can drop large loads rapidly in case of emergencies, and are used to protect systems from prolonged low frequency or low voltage operations (North American Electric Reliability Corporation/NERC, 2010, Reliability Considerations from the Integration of Smart Grid).

Stronger network security technologies are needed that can implement rules to enforce the behavior of power delivery system traffic, examine the details of system packets at the application level, and/or offer proxy services for these protocols, in order to protect sensitive communications between devices across all domains and at all levels of the electrical power system (ESCSWG, 2011). Encryption and cryptographic hashes also must be used, but more efficient algorithms are needed to address the challenge of securely exchanging tens of millions of keys used to protect data transmitted between millions of remote field devices, substations, and smart meters, using devices that have limited computational power (ESCSWG, 2011). In addition, stronger access controls, including those for remote field devices, are necessary to prevent unauthorized users from accessing and controlling equipment in the power delivery environment. A viable approach could use role-based access control, configuring each role on the principle of least privilege.

4)      Testing

Testing is extremely important for human safety as well as for the safety and reliability of the equipment. The power industry routinely conducts lab and field tests of all power system equipment to minimize failure rates. It also conducts relay coordination testing and network testing for near power system faults, as well as rollback capabilities for database updates.

As changes are made to the power grid, security patches must be tested under field conditions and deployed as quickly as possible to prevent and detect the introduction and propagation of malware. Security tools, procedures, and patches for fixing known security flaws and retrofitting security technologies must be introduced in such a way that they do not diminish power system performance. Hardening legacy systems will require the implementation of a patch management program to mitigate the risk of known vulnerabilities (ESCSWG, 2011), and hot patching techniques that do not impact reliability must be deployed throughout the smart grid.

The size and complexity of the smart grid make security a cross-cutting challenge. Increased reliance on IT introduces greater threats and additional vulnerabilities that could lead to a degradation of power system reliability and safety. Existing standards, controls, and best practices within the electrical power industry form a convenient framework upon which security enhancements and improvements can be based.