
Public Interest Energy Research (PIER) Program

INTERIM PROJECT REPORT

SMART GRID CYBER SECURITY
POTENTIAL THREATS,
VULNERABILITIES AND RISKS

Prepared for: California Energy Commission
Prepared by: California State University Sacramento

MAY 2012
CEC-500-2012-047

Prepared by:
Primary Author:
Isaac Ghansah, Ph.D.
Center for Information Assurance and Security
College of Engineering and Computer Science
California State University Sacramento (CSUS)
6000 J Street
Sacramento, CA 95819-6021

Contract Number: 500-08-027

Prepared for:
California Energy Commission
David Chambers
Project Manager

Mike Gravely
Office Manager
Energy Systems Research Office

Laurie ten Hope
Deputy Director
RESEARCH AND DEVELOPMENT DIVISION

Robert P. Oglesby
Executive Director

DISCLAIMER
This report was prepared as the result of work sponsored by the California Energy Commission. It
does not necessarily represent the views of the Energy Commission, its employees or the State of
California. The Energy Commission, the State of California, its employees, contractors and
subcontractors make no warrant, express or implied, and assume no legal liability for the information
in this report; nor does any party represent that the uses of this information will not infringe upon
privately owned rights. This report has not been approved or disapproved by the California Energy
Commission nor has the California Energy Commission passed upon the accuracy or adequacy of
the information in this report.

Preface
The California Energy Commission's Public Interest Energy Research (PIER) Program supports public interest energy research and development that will help improve the quality of life in California by bringing environmentally safe, affordable, and reliable energy services and products to the marketplace.
The PIER Program conducts public interest research, development, and demonstration (RD&D) projects to benefit California.
The PIER Program strives to conduct the most promising public interest energy research by partnering with RD&D entities, including individuals, businesses, utilities, and public or private research institutions.
PIER funding efforts are focused on the following RD&D program areas:

- Buildings End-Use Energy Efficiency
- Energy Innovations Small Grants
- Energy-Related Environmental Research
- Energy Systems Integration
- Environmentally Preferred Advanced Generation
- Industrial/Agricultural/Water End-Use Energy Efficiency
- Renewable Energy Technologies
- Transportation

Smart Grid Cyber Security Potential Threats, Vulnerabilities And Risks is the interim report for the Smart Grid Information Assurance and Security Technology Assessment project (Contract Number 500-08-027) conducted by the Center for Information Assurance and Security (CIAS) at California State University Sacramento (CSUS). The information from this project contributes to PIER's Energy Systems Integration Program.
For more information about the PIER Program, please visit the Energy Commission's website at www.energy.ca.gov/research/ or contact the Energy Commission at 916-654-4878.

Please cite this report as follows:

Ghansah, Isaac, 2009. Smart Grid Cyber Security Potential Threats, Vulnerabilities And Risks. California Energy Commission, PIER Energy-Related Environmental Research Program. CEC-500-2012-047.

TABLE OF CONTENTS
Preface ..... i
Abstract ..... vii
EXECUTIVE SUMMARY ..... 1
1.0 INTRODUCTION ..... 3
1.1. What is Smart Grid? ..... 3
1.2. Report Organization ..... 7
2.0 REPORTED VULNERABILITIES OF SMART GRID ..... 8
3.0 INFORMATION ASSURANCE AND SECURITY CONCEPTS AND POLICIES ..... 12
3.1. Confidentiality ..... 12
3.2. Integrity ..... 12
3.3. Availability ..... 12
3.4. Accountability ..... 12
3.5. Security Concepts and Smart Grid ..... 12
4.0 ADVANCED METERING INFRASTRUCTURE (AMI) SECURITY ISSUES ..... 15
4.1. Introduction ..... 15
4.2. AMI Security Threats ..... 16
5.0 DEMAND RESPONSE SECURITY ISSUES ..... 21
5.1. Introduction ..... 21
5.2. Demand Response and Security Concerns ..... 22
5.2.1. Confidentiality ..... 23
5.2.2. Authentication ..... 23
5.2.3. Data Integrity ..... 24
5.2.4. Availability ..... 24
5.2.5. Accountability ..... 24
5.3. Open Automated Demand Response ..... 24
5.3.1. Open Automated Demand Response Communications Infrastructure ..... 24
5.3.2. Demand Response Automation Server (DRAS) ..... 26
5.3.3. OpenADR and Security Concerns ..... 27
5.4. Demand Response at Residential Sites and Security Issues ..... 32
5.4.1. Possible Attacks in PCT ..... 32
6.0 CUSTOMER DOMAIN HOME AREA NETWORK, GATEWAY, AND NEIGHBORHOOD AREA NETWORK SECURITY ISSUES ..... 34
6.1. Introduction ..... 34
6.2. Home Area Network (HAN) ..... 35
6.2.1. ZigBee ..... 35
6.2.2. Z-Wave ..... 36
6.3. Gateway Component ..... 36
6.4. Wireless Neighborhood Area Network (WNAN) ..... 36
6.5. Potential Security Issues/Risks ..... 37
6.5.1. ZigBee ..... 37
6.5.2. Z-Wave ..... 38
6.5.3. Gateway ..... 38
6.5.4. WNAN ..... 39
IEEE 802.11 ..... 39
IEEE 802.15.4 ..... 40
IEEE 802.16 ..... 41
6.6. Comprehensive Security Issues with HAN/Gateway/NAN ..... 42
7.0 SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES ..... 43
7.1. Introduction ..... 43
7.1.1. SCADA Architecture in Detail ..... 45
7.1.2. Security Issues in SCADA ..... 45
Public Information Availability ..... 45
Platform Configuration Vulnerabilities ..... 46
Platform Software Vulnerabilities ..... 46
Network Configuration Vulnerabilities ..... 47
Network Perimeter Vulnerabilities ..... 47
Network Communication (DNP3) Vulnerabilities ..... 48
8.0 PLUG-IN ELECTRIC VEHICLES (PEV) SECURITY ISSUES ..... 51
8.1. Introduction ..... 51
8.2. Privacy of Movement ..... 52
8.3. Secure Payment ..... 52
8.4. Smart Metering ..... 53
8.5. Critical Infrastructure & Physical Security ..... 53
8.6. Communication ..... 54
9.0 GENERIC SECURITY ISSUES OF THE SMART GRID ..... 55
9.1. Introduction ..... 55
9.2. Authenticating and Authorizing Users (People) to Substation IEDs ..... 55
9.3. Authenticating and Authorizing Maintenance Personnel to Smart Meters ..... 56
9.4. Authenticating and Authorizing Users (People) to Outdoor Field Equipment (e.g. Pole Top Device) ..... 56
9.5. Authenticating and Authorizing Consumers to Meters ..... 56
9.6. Authenticating Meters to/from AMI Head Ends (Mutual Authentication) ..... 57
9.7. Authenticating HAN Devices to/from HAN Gateways ..... 57
9.8. Securing Serial SCADA Communications ..... 57
9.9. Protection of Routing Protocols in AMI Layer 2/3 Networks ..... 57
9.10. Key Management for Meters ..... 58
9.11. Insecure Firmware Updates ..... 58
9.12. Side Channel Attacks on Smart Grid Field Equipment ..... 58
9.13. Key Management and Public Key Infrastructure (PKI) ..... 58
9.14. Patch Management ..... 59
GLOSSARY ..... 60
REFERENCES ..... 64
APPENDIX A ..... 67

List of Figures
Figure 1. Smart grid network ..... 4
Figure 2. Smart grid working ..... 5
Figure 3. AMI components ..... 16
Figure 4. Demand response use case shows the interfaces between each component (from NIST) ..... 23
Figure 5. Generic open automated demand response interface architecture ..... 25
Figure 6. DRAS interfaces ..... 26
Figure 7. Path of attack in PCT ..... 33
Figure 8. HAN/Gateway ..... 34
Figure 9. SCADA general layout ..... 43
Figure 10. SCADA architecture ..... 45

List of Tables
Table 1. Security threats on AMI with respect to security goals ..... 19
Table 2. Possible attacks on utility/ISO operator interfaces ..... 28
Table 3. Possible attacks and impacts of DRAS client interfaces ..... 29
Table 4. Possible attacks and impacts of participant interfaces ..... 31
Table 5. HAN security issues ..... 42
Table 6. SCADA security issues ..... 50


Abstract
This report is about potential Smart Grid Information Assurance and Security issues. The issues specifically addressed are threats, vulnerabilities and risks. Mitigation and countermeasures to address those vulnerabilities will be covered in subsequent reports.
This report is the first in a series of research tasks specified in the statement of work for the California Energy Commission as follows (in brief):
1) Identify the potential issues affecting the confidentiality, integrity, and availability of information flow in the Smart Grid system. Group the issues with respect to confidentiality, integrity, and availability.
2) Investigate which information security best practice(s) apply to the smart grid and to what extent they can be applied. These best practices are intended to mitigate actions that violate the confidentiality, integrity, and availability of the information flow.
3) Explore possible cyber security R&D issues that should be addressed in the Smart Grid. Some of these could involve wireless sensors, wireless communication systems, monitoring, and incident response systems.
4) Identify and recommend which potential R&D efforts should and should not be confidential.
5) Identify technical and non-technical solutions to ensure the privacy of end-user information.
The researchers used information from various Smart Grid working groups that are dealing with cyber security issues. These groups included Utility Security, Open Smart Grid, the National Institute of Standards and Technology, and IntelliGrid. Information was also obtained from web sources, journals, and magazines.
The results show that the Smart Grid has a number of potentially significant cyber security issues that must be addressed. They include confidentiality of user information, integrity of demand response systems, integrity and availability of SCADA (grid) systems, and integrity and availability of Plug-In Electric Vehicles.
Because the smart grid will have an extensive Information Systems component, best practices used on those systems can be used to mitigate those vulnerabilities. On the other hand, because of the unique characteristics of the Smart Grid, especially its role as a critical infrastructure, further research will be needed to address security issues in those unique cases. The researchers plan to report on them in future documents.

Keywords: Public Interest Energy Research, PIER, smart grid, electric grid, cyber security, critical infrastructure, information assurance.


EXECUTIVE SUMMARY
Introduction
At the request of the California Energy Commission Public Interest Energy Research (PIER) Program, the Center for Information Assurance and Security (CIAS) at Sacramento State University provides this report on cyber security vulnerabilities, threats, and risks of the Smart Grid.
The main goal of the agreement was to determine information assurance, security, and privacy issues associated with the Smart Grid infrastructure and recommend research and development (R&D) priorities in those areas. The project will also identify best practices in information security that can be applied to the Smart Grid system.
This report is the first in a series of research documents covering cyber security issues of the Smart Grid, namely:

- Potential threats, vulnerabilities and risks
- Best practices to mitigate those risks
- Research issues to be addressed in smart grid cyber security
- Privacy issues in smart grid infrastructure

The research specifically focused on cyber security issues of the following Smart Grid components: Advanced Metering Infrastructure, Demand Response Systems, Home Area Networks (HAN), Neighborhood Area Networks, which connect the home to the utility systems, Supervisory Control and Data Acquisition (SCADA) systems, which are used for controlling generation, transmission and distribution systems, and Plug-in Electric Vehicles.
To achieve these objectives the researchers:

- Participated in both conference calls and face-to-face meetings with experts on the Smart Grid
- Performed literature searches on the web
- Interviewed some utility experts on the electricity generation, transmission, and distribution processes
- Attended workshops on demand response research and smart grid interoperability

Outcome:
As is indicated in the report, the results show that the Smart Grid has a number of potentially significant cyber security issues that must be addressed. They include confidentiality of user information, integrity of demand response systems, integrity and availability of SCADA (grid) systems, and integrity and availability of Plug-in Electric Vehicles. Additionally, cyber security issues of communication systems are addressed. Because the smart grid will have an extensive Information Systems component, best practices used on those systems can be used to mitigate those vulnerabilities. On the other hand, because of the unique characteristics of the Smart Grid, one of which is that it is a critical infrastructure, further research will be needed to address security issues in those unique cases. The researchers plan to report on them in future documents.
Benefits for California:

- Increase customer trust of the Smart Grid.
- Increase regulator understanding of the security issues in the Smart Grid that need to be addressed by manufacturers and utilities.
- Increase understanding of the privacy issues in the Smart Grid and how they can be addressed.
- Because the project will identify security and privacy issues in the Smart Grid infrastructure and propose solutions and research areas to be examined, its results will ultimately enable acceptance of wide deployment of the Smart Grid, resulting in increased energy efficiency and lower energy costs.

1.0 INTRODUCTION
This document contains the Comprehensive Smart Grid Security Issues researched by the Smart Grid Research Group, which is part of the Center for Information Assurance and Security (CIAS) at California State University Sacramento (CSUS). This report is about potential Smart Grid Information Assurance and Security issues. The issues specifically addressed in this report are threats, vulnerabilities and risks. Mitigation and countermeasures to address those vulnerabilities will be covered in subsequent reports.
This report is the first of a series of research tasks specified in a statement of work for the California Energy Commission as follows:
1) Identify the potential issues affecting the confidentiality, integrity, and availability of information flow in the Smart Grid system. For instance, hacker/terrorist use of malicious software to perform denial of service attacks on critical infrastructure such as the Smart Grid will be examined. Group the issues with respect to confidentiality, integrity, and availability.
2) Investigate which information security best practice(s) apply to the smart grid and to what extent they can be applied. Best practices such as use of firewalls for perimeter defense, intrusion detection, incident response handling, defense in depth, etc. are well known in the information security arena. These best practices are intended to mitigate actions that violate the confidentiality, integrity, and availability of the information flow.
3) Explore possible cyber security R&D issues that should be addressed in the Smart Grid. Some of these could involve wireless sensors, wireless communication systems, monitoring, and incident response systems.
4) Identify and recommend which potential R&D efforts should and should not be confidential.
5) Identify technical and non-technical solutions to ensure the privacy of end-user information. Because Smart Grid systems will contain end-user information, privacy is critical.
This report is about the first task listed above. Subsequent reports will discuss the other tasks.

1.1. What is Smart Grid?

A smart grid (see Figure 1 and Figure 2) delivers electricity from suppliers to consumers using digital technology to save energy, reduce cost and increase reliability and transparency. It is a modernized electricity network which is being utilized as a way of addressing energy independence, global warming and emergency resilience issues. [1]
The primary components of the Smart Grid are shown in Figure 1. Figure 2 explains how the Smart Grid works.

1. Wikipedia, http://en.wikipedia.org/wiki/Smart_grid.

Figure 1. Smart grid network.


Source: Federal Stimulus and Cleantech Infrastructure; Lee Bruno, Innovation Pipeline

The Smart Grid has the following characteristics: [3]

- Self-healing from power disturbance events
- Enabling active participation by consumers in demand response
- Operating resiliently against physical and cyber attack
- Providing power quality for 21st century needs
- Accommodating all generation and storage options
- Enabling new products, services, and markets
- Optimizing assets and operating efficiently

2. http://www.larta.org/lartavox/articles/52009/FederalStimulusandCleantechInfrastructure.htm
3. National Energy Technology Laboratory (2007-07-27) (pdf). A Vision for the Modern Grid. United States Department of Energy. Page 5. http://www.netl.doe.gov/moderngrid/docs/A%20Vision%20for%20the%20Modern%20Grid_Final_v1_0.pdf. Retrieved 2008-11-27.

Figure 2. Smart grid working.

Source: The Smart Grid Frontier

4. The Smart Grid Frontier: Wide Open; David Heyerman; May 3, 2009. Available [Online]: tinycomb.com/2009/05/03/whatisthesmartgrid/

Technically, the Smart Grid is unique in many respects. First, by its nature the Smart Grid is a complex system. Second, the Smart Grid is one of 18 critical infrastructures identified by DHS. These systems are so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof. [5] Third, the smart grid is a large system because it is used to control electricity, which is present in almost every home. Fourth, the smart grid is a special critical infrastructure because many of the 18 critical infrastructures depend on it. For instance, electricity is needed by banks, emergency services such as hospitals, telecommunications, computers, etc. Indeed, the Cyber Security Strategy for the 44th President of the United States cites energy, financial, Information Technology (IT), and telecommunications as the four critical infrastructures with the most critical cyber assets.
The unique characteristics of the smart grid stated above are the reasons why cyber security of the smart grid is imperative. The smart grid has many anticipated benefits: [6]

- Improves power reliability and quality
- Optimizes facility utilization and averts construction of backup (peak load) power plants
- Enhances capacity and efficiency of existing electric power networks
- Improves resilience to disruption
- Enables predictive maintenance and self-healing responses to system disturbances
- Facilitates expanded deployment of renewable energy sources
- Accommodates distributed power sources
- Automates maintenance and operation
- Reduces greenhouse gas emissions by enabling electric vehicles and new power sources
- Reduces oil consumption by reducing the need for inefficient generation during peak usage periods
- Improves cyber security
- Enables transition to plug-in electric vehicles and new energy storage options
- Increases consumer choice

Because of its many benefits, the federal government and many state governments, including California, are funding research and demonstration efforts for the smart grid. Both the US Departments of Commerce and Energy are pushing for interoperability standards for the smart grid. NIST, as a branch of the Commerce Department, is leading the effort to create those standards. Additionally, organizations as diverse as electric utilities, US DOE, NIST, Google, Microsoft, GE, IEEE, NERC, FERC, IEC, and ANSI have published documents about the Smart Grid.

5. DHS website, http://www.dhs.gov/files/programs/gc_1189168948944.shtm. Retrieved 2009-10-14.
6. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (Draft).

The major reasons for this cyber security research are the complexity of the smart grid, the importance of the smart grid as a super-critical infrastructure, and the fact that many reports of potential attacks on the grid have been disseminated in the media. This research should help put some of these media reports in perspective. However, the primary purpose of this current report is to discuss threats and vulnerabilities, and general security problems. Subsequent reports will address controls to mitigate those risks and countermeasures, using best practices; and where best practices are not adequate the researchers will suggest research topics that need to be addressed in the future to help solve those problems.

1.2. Report Organization

This document is organized as follows:

- Examples of reported vulnerabilities of the smart grid are first introduced in Chapter 2.
- Information assurance and security concepts and terminology that are used throughout the document are discussed in Chapter 3.
- Security issues of important smart grid components, namely Advanced Metering Infrastructure, Demand Response, Customer Domain Systems (i.e. Home Area Networks, Gateways, and Neighborhood Area Networks), Grid (Supervisory Control and Data Acquisition and Distributed Network Protocol), and Plug-in Electric Vehicles are discussed in Chapters 4 through 8.
- Important security issues that are critical in the smart grid but that do not fit cleanly in the above smart grid components are included in Chapter 9. Most of the issues listed in Chapter 9 will eventually become research topics that will be discussed in more detail in subsequent documents.

Most of the information in that chapter is currently being discussed in the NIST Bottom-up Security Group, which is a subgroup within the NIST Smart Grid Cyber Security Coordination Task Group (CSCTG). Chapter 9 is followed by a list of References.
Finally, Appendix A is a list of Use Cases for the various components of the Smart Grid and corresponding cyber security requirements. It is part of NISTIR 7628. [7] The Appendix can be viewed as an excellent summary of most of the cyber security issues discussed in this report.

7. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (Draft).

2.0 REPORTED VULNERABILITIES OF SMART GRID

This section cites a number of smart grid vulnerabilities reported in the media and elsewhere. The intent is to bolster the reason for this research.
Most of the nation's electricity system was built when primary energy was relatively inexpensive. Grid reliability was mainly assured by having excess capacity in the system, with unidirectional electricity flow to consumers from centrally dispatched, coal-fired power plants. Recognizing these challenges, the energy community is starting to combine advancements in information technology with electricity infrastructure, allowing the electric system to become "smart". This system uses interconnected elements that optimize the communications and control across the different segments of energy generation, distribution, and consumption. But the unfortunate reality is that because of the critical nature of the technology and the services that it provides, the grid becomes a prime target for acts of terrorism and cyber attacks. [8]
The Smart Grid has several network layers, and every network layer and technology used represents a potential avenue of attack. The legacy grid already uses many different communication paths and protocols to connect utility operation centers with system operators such as Independent System Operators (ISOs) and Regional Transmission Organizations (RTOs). A wide variety of data transfer protocols are used. Most existing protocols have some form of vulnerability or another.
Advanced metering infrastructure and its network of smart meters provide a foundation for the smart grid. Research firm Parks Associates estimates that 8.3 million smart meters have been installed in US homes, about 6% penetration. These meters must be accessible for ongoing maintenance and operations. Once a meter is compromised it can be used to attack other parts of the network. Smart thermostats, in-home displays, appliances, charging stations and various plug loads are connected together by an Energy Management System (EMS) application running on the Home Area Network (HAN). Even though these are less likely to be used in large-scale assaults, they represent a vulnerability for tampering with meter data and the related customer billing.
Transmission and distribution substations contain many power control devices such as circuit breakers, transformers, capacitors, and monitoring devices. The smart grid increases the level of automation in substations, and with this increase in the number of electronic control elements the potential vulnerabilities increase. The Smart Grid uses new sensors which will enhance the situational awareness of the grid and enable operators to react to power anomalies more quickly, but the sensor network itself opens up an additional line of attack.
The operations center is often ignored in discussions of smart grid security, but it is one of the most important elements of the network. Vulnerabilities can exist in the utility enterprise firewall, its enterprise applications, and/or its operator authentication and training systems. This makes the operations center vulnerable to a top-down attack from an intruder or to an insider attack from a disgruntled employee. [9]

8. http://www.cisco.com/web/strategy/docs/energy/aag_c45_539956.pdf
9. http://carbonpros.com/blog1/2009/08/smart_grid_security_vulnerabil.html

Every day we get reports from different sources regarding potential attacks on the Smart Grid. The Department of Homeland Security (DHS) has reported that cyber spies, likely from China and Russia, have managed to inject malicious software into the electric grid, water, sewage, and other infrastructure control software. This software could enable malicious users to take control of key facilities or networks via the Internet, causing power outages and tremendous damage to all sectors of the economy. [10] As the grid becomes more central to our energy infrastructure, it will become more important to ensure its security. Smart Grid systems create a link between physical systems and software systems, both of which can fail. [11] IOActive, a professional security services firm, determined that an attacker with $500 of equipment and materials and a background in electronics and software engineering could take command and control of the AMI, allowing for the en masse manipulation of service to homes and businesses. Reports from CNN questioned the wisdom of forging ahead with the high-technology, digitally based electricity distribution and transmission system of the Smart Grid. CNN also reported that tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result. [12] The American Society for Industrial Security (ASIS) International Chief Security Officer (CSO) Roundtable reported that the electric grid is highly dependent on computer-based control systems. These systems are increasingly connected to open networks such as the Internet, exposing them to cyber risks. Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation. The Wall Street Journal recently reported that cyber spies from China, Russia, and other countries may have penetrated the US electrical grid and implanted software programs that could be used to disrupt the system. [13]

Communications of the Association for Computing Machinery (ACM) reported that vulnerabilities in the smart grid can also be caused by inadequate patch, configuration, and change management processes, insufficient access controls, and the failure to create risk assessment, audit, management, and incident response plans. There are also a number of privacy concerns associated with the real-time, two-way communication between consumers and suppliers that the smart grid will allow. One important issue that needs to be dealt with is the data that will be collected automatically from smart meters and how that information will be distributed and used throughout the grid. [14]

10. http://www.smartgridnews.com/artman/publish/News_Blogs_News/Foreign_CyberSpies_Inject_Spyware_into_U_S_Grid_with_Potential_for_Serious_Damage562.html
11. http://www.smartgridnews.com/artman/publish/Technologies_Security_News/SmartSecurityforaSmartGridNewThreatsontheHorizon1226.html
12. http://www.cnn.com/2009/TECH/03/20/smartgrid.vulnerability/index.html
13. http://www.ensec.org/index.php?option=com_content&view=article&id=198:thesecurityvulnerabilitiesofsmartgrid&catid=96:content&Itemid=345
Smart Grid attacks have also been tested in laboratories. IOActive has created a worm that could quickly spread among Smart Grid devices, small computers connected to the power grid that give customers and power companies better control over the electricity they use. [15] Yao Liu and Peng Ning from North Carolina State University and Michael K. Reiter from the University of North Carolina, Chapel Hill have reported a new class of attacks, called false data injection attacks, against state estimation in electric power grids. They show that an attacker can take advantage of the configuration of a power system to launch such attacks and successfully bypass the existing techniques for bad measurement detection, and they demonstrated the success of these attacks through simulation using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems. [16]

The Smart Grid and related fields have been attacked in the real world. A CIA report relayed by the Associated Press stated that hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power. Reports from the Washington Post also claim that CIA analysts said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities. The attackers' identities were not known, but the intrusion came from the Internet. [17] The National Journal Magazine reported that computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast. The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, which created the Florida blackout. [18] The interconnected nature of the bulk electric system requires all entities whose operations can affect the operation of the bulk electric system to be as secure from cyber incidents as practicable, to ensure bulk electric system reliability. The North American Electric Reliability Corporation (NERC) reported that on January 25, 2003, the SQL Slammer worm was released by an unknown source. The worm significantly disrupted many Internet services for several hours. It also adversely affected the bulk electric system controls. [19]

14. http://cacm.acm.org/news/43974smartgridvulnerabilitiescouldcausewidespreaddisruptions/fulltext
15. http://hardware.slashdot.org/article.pl?sid=09/03/22/082236
16. ftp://ftp.csc.ncsu.edu/pub/tech/2009/TR20095.pdf
17. http://www.cyberpunkreview.com/newsascyberpunk/theciaslatestclaimhackershaveattackedforeignutilities/
18. http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
19. http://www.nerc.com/docs/standards/ChuckNobleRBBLetter.pdf
The Smart Grid will simultaneously expand the infrastructure for transporting electricity and present a more physically challenging infrastructure to protect. The Smart Grid's use of Internet technologies should have full protection prior to its deployment, as it is a matter of national security. [20]

20. http://www.smartgridnews.com/artman/publish/News_Blogs_News/Foreign_CyberSpies_Inject_Spyware_into_U_S_Grid_with_Potential_for_Serious_Damage562.html

3.0 INFORMATION ASSURANCE AND SECURITY CONCEPTS AND POLICIES

Information Assurance and Security issues ultimately involve protection of information. Information protection criteria are usually specified in policies such as confidentiality, integrity, and availability. The researchers included accountability as a separate policy, even though it can be viewed as an integrity issue, because it is critical for the smart grid. NIST has defined these security policies as follows. [21]

3.1. Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
The property that sensitive information is not disclosed to unauthorized individuals, entities or processes.

3.2. Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Data integrity is the property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit, and includes the property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

3.3. Availability

Ensuring timely and reliable access to and use of information.

3.4. Accountability

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

3.5. Security Concepts and Smart Grid

With the Smart Grid's transformation of the electric system to a two-way flow of electricity and information, the Information Technology (IT) and telecommunications infrastructures have become critical to the energy sector infrastructure. Therefore, the management and protection of systems and components of these infrastructures must also be addressed by an increasingly diverse energy sector.
The IT and telecommunications sectors have existing cyber security standards to address vulnerabilities and assessment programs to identify known vulnerabilities in these systems. These same vulnerabilities need to be assessed in the context of the Smart Grid. In addition, the Smart Grid has additional vulnerabilities due to its complexity, large number of stakeholders, and highly time-sensitive operational requirements.
The following definitions of cyber infrastructure and cyber security from the National Infrastructure Protection Plan (NIPP), as quoted in NISTIR 7628, are included to ensure a common understanding.

21. http://www.nerc.com/docs/standards/ChuckNobleRBBLetter.pdf

Cyber Infrastructure: Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.

For this document, cyber security is defined as follows:

Cyber Security: the protection required to ensure confidentiality, integrity and availability of the electronic information communication system.

- Integrity is generally considered the most critical security requirement for power system operations, and includes assurance that:
  o Data has not been modified without authorization
  o Source of data is authenticated
  o Timestamp associated with the data is known and authenticated
  o Quality of data is known and authenticated

- Availability is generally considered the next most critical security requirement, although the time latency associated with availability can vary:
  o 4 ms for protective relaying
  o Sub-seconds for transmission wide-area situational awareness monitoring
  o Seconds for substation and feeder SCADA data
  o Minutes for monitoring non-critical equipment and some market pricing information
  o Hours for meter reading and longer-term market pricing information
  o Days/weeks/months for collecting long-term data such as power quality information

- Confidentiality is generally the least critical for actual power system operations, although this is changing for some parts of the power system, as customer information is more easily available in cyber form:
  o Privacy of customer information is the most important
  o Electric market information has some confidential portions
  o General corporate information, such as human resources, internal decision making, etc.

4.0 ADVANCED METERING INFRASTRUCTURE (AMI) SECURITY ISSUES

4.1. Introduction

Advanced Metering Infrastructure (AMI) refers to systems that measure, collect and analyze energy usage from advanced devices such as electricity meters, gas meters, and/or water meters, through various communication media, on request or on a predefined schedule. This infrastructure includes hardware, software, communications, customer-associated systems and meter data management (MDM) software. [22]
The network between the measurement devices and business systems allows collection and distribution of information to customers, suppliers, utility companies and service providers. This enables these businesses to either participate in, or provide, demand response solutions, products and services. By providing information to customers, the system assists a change in energy usage from their normal consumption patterns, either in response to changes in price or as incentives designed to encourage lower energy use at times of peak demand, higher wholesale prices, or periods of low operational system reliability.
AMI systems are viewed as consisting of the following components (see also Figure 3): [23]

- Smart Meter: The smart meter is the source of metrological data as well as other energy-related information. These smart meters can provide interval data for customer loads as well as distributed generation.
- Customer Gateway: The customer gateway acts as an interface between the AMI network and customer systems and appliances within the customer facilities, such as a Home Area Network (HAN) or Building Management System (BMS). It may or may not be co-located with the smart meter.
- AMI Communications Network: This network provides a path for information to flow from the meter to the AMI head end.
- AMI Head End: This system manages the information exchanges between external systems, such as the Meter Data Management (MDM) system, and the AMI network.

22. Wikipedia; Advanced Metering Infrastructure; Available [Online]: http://en.wikipedia.org/wiki/Advanced_Metering_Infrastructure
23. Open Smart Grid; Shared Documents; Available [Online]: http://osgug.ucaiug.org/Shared%20Documents/Forms/AllItems.aspx

Figure 3. AMI components.
Source: Open Smart Grid; Shared Documents [24]

4.2. AMI Security Threats [25]

The following types of security threats are possible on the AMI of the Smart Grid:

- Eavesdropping: Unauthorized real-time interception of a private communication.
- Traffic Analysis: The process of intercepting and examining messages in order to deduce information from patterns in communication.
- EM/RF Interception: Electromagnetic/radio frequency interception performed to achieve unauthorized interception of private communication.
- Indiscretions by Personnel: Lack of discretion by personnel could lead to unauthorized interception of private communication.
- Media Scavenging: Rummaging through disposed magnetic media to retrieve sensitive data that is left behind on it.
- Intercept/Alter: Unauthorized people may intercept and alter the AMI data.
- Repudiation: People, including public authorities, may modify the AMI data and thus refuse to acknowledge an action that took place.
- Masquerade: A type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for.
- Bypassing Controls: People may bypass security controls to get access to confidential data and make unauthorized modifications.
- Authorization Violation: People may violate the authorization of the AMI system to perform unauthorized actions.
- Physical Intrusion: People may physically intrude into AMI system components, such as the Smart Meter, to perform unauthorized actions.
- Man-in-the-Middle: A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.
- Integrity Violations: Integrity is violated when someone accidentally or with malicious intent modifies the AMI interaction data.
- Theft: Physical theft of AMI components could lead to unauthorized actions being performed.
- Replay: A form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
- Virus/Worms: A computer virus is a computer program that can copy itself and infect a computer. A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention.
- Trojan Horse: A term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
- Trapdoor: An undocumented entry point into a computer program, which is generally inserted by a programmer to allow discreet access to the program.
- Service Spoofing: A situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
- Resource Exhaustion: Hackers may use up all available facilities so no real work can be accomplished, and thus AMI system resources become unavailable to the intended users.
- Integrity Violations: Integrity is violated when someone accidentally or with malicious intent modifies the AMI data and thus prevents intended users from using the AMI system resources.
- Stolen/Altered: The AMI data could be stolen or altered, and that could lead to denial of an action that took place or a claim of an action that did not take place.
- Repudiation: People, including public authorities, may refuse to acknowledge an action that took place.
- Insider Attack: The insider attack would take advantage of access to systems at the opposite end of the AMI system from the customer endpoint. The systems that the insider may be able to access include the AMI head end, the system from which it gets pricing information (either EMS or ICCP server to an ISO or generation entity), and the network infrastructure supporting both of those systems. Which cyber effect an insider uses would depend upon their access to these systems.
- Unauthorized Access from Customer Endpoint: There is a potential for AMI to allow access to the bulk electric grid from the residential or small business customer endpoint. The adversary can suborn the customer endpoint, crack wireless communications between the AMI meter and other endpoint equipment, or crack wireless communications from the AMI meter to the local concentrator. These attacks will expose the head end equipment and the systems to which the head end is connected. The exact details of this attack are greatly dependent on the implementation of AMI, particularly at the head end. Certain configurations would allow an attacker to affect the bulk electric grid.
- Cheating Customer: The customer at an endpoint would attack to achieve the goal of reduced cost of electric and/or natural gas use. They would use information freely available from the AMI meter vendor or a standard associated with AMI meters to reset the meter and reprogram it to report false information. If the information is not freely available, the attacker would reverse engineer a meter to develop a way to modify it. This is very similar to the many cable modem attacks that are openly available. Either the configuration settings from the utility or the actual firmware controlling the operation of the meter would be modified in this attack.

24. http://osgug.ucaiug.org/Shared%20Documents/Forms/AllItems.aspx
25. Cyber Security Issues for Advanced Metering Infrastructure (AMI); F.M. Cleveland, Senior Member IEEE, IEEE T&D Conference, April 2008. Advanced Metering Infrastructure Security Considerations; Raymond C. Parks; Assurance Technologies and Assessments, SANDIA REPORT, SAND2007-7327; Sandia National Laboratories.
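The Replay, Integrity Violation and Cheating Customer threats above all surface at the AMI head end as interval reads that contradict what the same meter has already reported. The following is an added example, not code from this report or from any AMI product, of the validation a head end can apply to incoming reads before they enter the meter data management system. The message fields (meter id, per-meter sequence number, meter timestamp, cumulative kWh register), the clock-skew window, the plausibility limit and the sample reads are all constructed for the illustration.

```python
"""
Head-end validation of AMI interval reads.

Added example, not code from the report or from any AMI product. The
message format (meter id, per-meter sequence number, meter timestamp,
cumulative kWh register), the acceptance window, the plausibility limit
and the sample reads are all constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Read:
    meter_id: str
    seq: int             # per-meter message sequence number
    ts: datetime         # timestamp stamped by the meter
    register_kwh: float  # cumulative energy register


@dataclass
class MeterState:
    """What the head end has accepted so far from one meter."""
    seen_seq: Set[int] = field(default_factory=set)
    last_ts: Optional[datetime] = None
    last_register: Optional[float] = None


class HeadEndValidator:
    """Flags reads that contradict the meter's accepted history."""

    def __init__(self, max_skew: timedelta = timedelta(minutes=15),
                 max_plausible_kw: float = 50.0) -> None:
        self.max_skew = max_skew                  # tolerated meter/head-end clock difference
        self.max_plausible_kw = max_plausible_kw  # highest average demand this meter class can draw
        self.meters: Dict[str, MeterState] = {}

    def validate(self, read: Read, now: datetime) -> List[str]:
        """Return findings for the read; an empty list means it is accepted into state."""
        findings: List[str] = []
        state = self.meters.setdefault(read.meter_id, MeterState())

        # Replay: the same sequence number delivered again (Replay threat).
        if read.seq in state.seen_seq:
            findings.append("replay: sequence number already seen")

        # Freshness: a read far from the head end's clock is stale or forged.
        if abs(read.ts - now) > self.max_skew:
            findings.append("timestamp outside acceptance window")

        if state.last_register is not None:
            # A cumulative register that moves backwards indicates a reset or
            # reprogrammed meter (Cheating Customer, Integrity Violation).
            if read.register_kwh < state.last_register:
                findings.append("register rollback: possible reset or reprogrammed meter")
            elif state.last_ts is not None and read.ts > state.last_ts:
                # Energy since the last accepted read implies an average demand;
                # a value no real load could draw points to injected data.
                hours = (read.ts - state.last_ts).total_seconds() / 3600.0
                rate_kw = (read.register_kwh - state.last_register) / hours
                if rate_kw > self.max_plausible_kw:
                    findings.append(f"implausible consumption rate ({rate_kw:.0f} kW)")

        # Only clean reads advance the baseline, so a rejected read cannot
        # shift the reference against which later reads are judged.
        if not findings:
            state.seen_seq.add(read.seq)
            state.last_ts = read.ts
            state.last_register = read.register_kwh
        return findings


T0 = datetime(2012, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample: (read, head-end clock when it arrived).
SAMPLE_READS = [
    (Read("M-001", 1, T0, 1000.0), T0),
    (Read("M-001", 2, T0 + timedelta(minutes=15), 1002.0), T0 + timedelta(minutes=15)),
    (Read("M-001", 2, T0 + timedelta(minutes=15), 1002.0), T0 + timedelta(minutes=16)),  # replayed
    (Read("M-001", 3, T0 + timedelta(minutes=30), 990.0), T0 + timedelta(minutes=30)),   # register went down
    (Read("M-001", 4, T0 + timedelta(minutes=45), 1100.0), T0 + timedelta(minutes=45)),  # 98 kWh in 30 min
    (Read("M-002", 1, T0 - timedelta(hours=3), 500.0), T0 + timedelta(minutes=45)),       # three hours old
]


def run_sample() -> List[List[str]]:
    validator = HeadEndValidator()
    return [validator.validate(read, now) for read, now in SAMPLE_READS]


if __name__ == "__main__":
    for (read, _), findings in zip(SAMPLE_READS, run_sample()):
        print(read.meter_id, read.seq, findings or "accepted")
```

Rejected reads are not folded into the per-meter state, so a single rolled-back register does not move the baseline against which later reads are judged. The thresholds are tuning parameters; a deployment would set them per meter class and tariff, and a meter with distributed generation would need a separate delivered/received register rather than the single monotonic register assumed here.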

The following table summarizes the various security threats on AMI with respect to security goals and potential threat level.

Table 1. Security threats on AMI with respect to security goals

Security Issue: Listening
  Description: Unauthorized people listening to the AMI communication.
  Security Threats: Eavesdropping; Traffic Analysis; EM/RF Interception; Indiscretions by Personnel; Media Scavenging
  Security Goal Compromised: Confidentiality
  Security Threat Level: High

Security Issue: Modification
  Description: Unauthorized modification of the AMI data.
  Security Threats: Intercept/Alter; Repudiation
  Security Goal Compromised: Integrity
  Security Threat Level: High

Security Issue: Interactions
  Description: Interactions of AMI components with the environment could lead to unauthorized access to AMI communication information, modification of AMI data, denial of service to authorized users, and non-repudiation.
  Security Threats: Masquerade; Bypassing Controls; Authorization Violation; Physical Intrusion; Man-in-the-Middle; Integrity Violations; Theft; Replay
  Security Goal Compromised: Confidentiality, Integrity, Availability, Accountability
  Security Threat Level: High

Security Issue: Planted in System
  Description: Malicious code/components planted in the system could lead to unauthorized access to AMI communication information, modification of AMI data, denial of service to authorized users, and non-repudiation.
  Security Threats: Virus/Worms; Trojan Horse; Trapdoor; Service Spoofing
  Security Goal Compromised: Confidentiality, Integrity, Availability, Accountability
  Security Threat Level: High

Security Issue: Denial of Service
  Description: An attempt to make AMI system resources unavailable to their intended users.
  Security Threats: Resource Exhaustion; Integrity Violations
  Security Goal Compromised: Availability
  Security Threat Level: High

Security Issue: After-the-Fact
  Description: Denial of an action that took place, or a claim of an action that did not take place, is covered under this category.
  Security Threats: Stolen/Altered; Repudiation
  Security Goal Compromised: Accountability
  Security Threat Level: Medium

Security Issue: Insider Attack
  Description: The insider attack would take advantage of access to systems at the opposite end of the AMI system from the customer endpoint.
  Security Goal Compromised: Confidentiality, Integrity, Availability, Accountability
  Security Threat Level: Low to High

Security Issue: Unauthorized Access from Customer Endpoint
  Description: There is a potential for AMI to allow access to the bulk electric grid from the residential or small business customer endpoint.
  Security Goal Compromised: Confidentiality, Integrity, Availability, Accountability
  Security Threat Level: High

Security Issue: Cheating Customer
  Description: The customer at an endpoint would attack to achieve the goal of reduced cost of electric and/or natural gas use.
  Security Goal Compromised: Confidentiality, Integrity, Availability, Accountability
  Security Threat Level: Low to High

5.0 DEMAND RESPONSE SECURITY ISSUES

5.1. Introduction

When electricity demand peaks, particularly in summer, utilities and other electric Independent System Operators (ISOs) keep electric generators online in order to meet high demand. This solution wastes energy and increases air pollution. [26] If demand is highest in most regions and exceeds available supplies, brownouts and blackouts can happen. As a result, the electricity grids are not reliable enough. Many utilities, governments, and others have been developing Demand Response (DR) to manage growth in peak electricity demand, and to provide more reliable electricity grids and more economical energy. Demand Response is an action taken to reduce electricity demand in response to price, monetary incentives, or utility directives so as to maintain reliable electric service or avoid high electricity prices. [27] During peak hours, demand response programs or tariffs lower energy use in return for decreasing total system costs and electric loads. Demand Response can reduce energy consumption during peak time or based on events (during which energy prices are high), such as congestion, supply-demand balance and/or market conditions that raise energy supply costs. The Demand Response Research Center (DRRC) has been putting effort into developing, demonstrating and deploying activities related to a framework which can enable automated demand response. The development of Open Automated Demand Response (OpenADR or Open Auto-DR) has been carried out in order to improve optimization between electric supply and demand, which can improve the reliability of the electric grid and lower the total cost of the overall system. This section will mainly focus on security issues in communications and interfaces between the entities in the DR system and OpenADR. OpenADR is a set of standard, continuous, open communication signals and systems provided over the Internet to allow facilities to automate their demand response with no human in the loop. [28] This report does not intend to focus on the details of how the DR and OpenADR systems operate. It may address some aspects of Demand Response systems, but the main focus is on the security issues in the DR and OpenADR systems.

26. California Energy Commission's Public Interest Energy Research Program, PIER Buildings Program, Automated Demand Response Cuts Commercial Building Energy Use and Peak Demand, Technical Brief, Public Interest Energy Research Program, 2008 [online]. Available: http://www.energy.ca.gov/2008publications/CEC5002008086/CEC5002008086FS.PDF. [Accessed October 15, 2009]
27. U.S. Federal Energy Regulatory Commission (FERC), Assessment of Demand Response and Advanced Metering, 2007 [online]. Available: http://www.ferc.gov/legal/staffreports/0907demandresponse.pdf. [Accessed October 17, 2009]
28. S. Kiliccote, M.A. Piette, J.H. Dudley, Lawrence Berkeley National Laboratory (LBNL); E. Koch and D. Hennage, Akuacom, Open Automated Demand Response for Small Commercial Buildings, Lawrence Berkeley National Laboratory, July 2009 [online]. Available: http://drrc.lbl.gov/pubs/lbnl2195e.pdf. [Accessed October 16, 2009]

5.2. Demand Response and Security Concerns

The primary focus of Demand Response (DR) is to provide the customers with pricing information so that the customers, or the energy management and control system (EMCS) at the customers' sites, may respond based on the demands for electricity and electricity prices during some period of time. For instance, the customer may decrease demand (or shed load) during higher-priced time periods or increase demand (or shift load) during lower-priced time periods. The pricing information could be real-time based, tariff based or some combination. DR could be implemented in many different ways based on the type of pricing signals. Real-time pricing (RTP) requires computer-based response, while fixed time-of-use pricing may be manually handled by the customer based upon the time periods and the pricing. Since the pricing information could be transmitted electronically or fixed for a long period, and could be accessed by the participants of the DR program, the customers' security and privacy should be addressed. Also, the integrity of the pricing signal is critical because if it can be manipulated, it could lead to financial impacts on the organization or customers. Thus, most of the DR functions in the smart grid, such as load shedding, time-of-use pricing (ToU), dynamic pricing, etc., require data integrity and/or confidentiality to maintain the reliability of the grid and prevent adversaries from manipulating the information in the system. Failure to provide integrity and/or confidentiality could result in the exposure of customers' information and unauthorized modification and manipulation of the information.
Security issues are explained below by first looking at interfaces of components that affect demand response. Next, Auto Demand Response systems are analyzed with respect to security. Figure 4 shows the major components of the Smart Grid that affect demand response and their interactions.

Figure 4. Demand response use case shows the interfaces between each component (from NIST).
Source: Lawrence Berkeley National Laboratory/Akuacom [29]

5.2.1. Confidentiality
The information sent between each entity, such as control usage of the meter, pricing, and metering usage and billing information, needs to be confidential and protected from unauthorized access such as eavesdropping attacks, since such access can lead to the invasion of customer privacy and the leaking of the information to an adversary.

5.2.2. Authentication
The components in the DR system, such as Home Area Network (HAN) devices, the Energy Management System (EMS), the DR services provider and metering, must be authenticated in order to communicate with each other. If they fail to authenticate with the DR control services, they must not be able to connect or respond to the DR event signals, in order to prevent unauthorized devices from communicating with the DR system, for example by hijacking the meter connection.

29. A. Lee, T. Brewer, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST) (Sept 2009). Smart Grid Cyber Strategy and Requirements (Draft NISTIR 7628). Available: http://csrc.nist.gov/publications/drafts/nistir7628/draftnistir7628.pdf. [Accessed October 20, 2009]

5.2.3. Data Integrity

Unauthorized manipulation of demand information, of control signals for the EMS to manage devices, and of control usage of the meter or smart meter, by inducing an inappropriate response such as turning electrical devices on/off at customer sections or shutting down DR operation, could directly decrease power reliability and quality of the grid and cause financial impacts as well as annoyance to customers. Also, manipulating the pricing signal could adversely impact the customer and market sections financially.

5.2.4. Availability
Pricing and metering usage information needs to be confidential, accurate and available all the time; otherwise, it would affect DR control behavior. The grid may not be able to respond based on the signals and may take a wrong action, leading to financial impacts on customers and markets. Real-time load use information transmitted between the DR services provider and the customer EMS needs to be available in a timely manner, since it can affect the behavior of the grid. Legacy devices at the end user and low bandwidth of communication channels may result in the loss of availability.

5.2.5. Accountability
Failure to hold account of the actions taken by communicating parties, because of invalid meter, EMS, or DR services provider information, would result in disputes between parties and decrease customer confidence.

5.3. Open Automated Demand Response

OpenADR is a communications data model designed to interact with Demand Response signals through automated DR actions from Energy Management and Control Systems (EMCS), which are pre-programmed, at electric consumers' sites. Internet-based electricity pricing and DR signals are used with pre-programmed control strategies to optimize energy use of a site or building with no manual intervention. OpenADR is used to exchange information between a utility or Independent System Operator (ISO) and the end-point users or customer systems.

5.3.1. Open Automated Demand Response Communications Infrastructure

The OpenADR architecture depicted in Figure 5 consists of a Demand Response Automation Server (DRAS) and a DRAS Client. The server provides signals corresponding to DR events to notify customers, and a client at the customer's site listens to the signals and relays them to pre-programmed control systems (see Figure 5).

Figure 5. Generic open automated demand response interface architecture.
Source: Lawrence Berkeley National Laboratory/Akuacom [30]

Information flow in the OpenADR architecture is in five steps, as follows:
1) The utility or ISO defines DR event and price signals that are sent to the DRAS.
2) DR event and price services are published on the DRAS.
3) DRAS clients, which can be a client and logic with integrated relay (CLIR) for a legacy control system or web service software for a sophisticated control system, request event information from the DRAS every minute.
4) Pre-programmed DR strategies determine action based on event and price.
5) The EMCS carries out load shed based on DR events and strategies.

30. S. Kiliccote, M.A. Piette, J.H. Dudley, Lawrence Berkeley National Laboratory (LBNL); E. Koch and D. Hennage, Akuacom, Open Automated Demand Response for Small Commercial Buildings, Lawrence Berkeley National Laboratory, July 2009 [online]. Available: http://drrc.lbl.gov/pubs/lbnl2195e.pdf. [Accessed October 16, 2009]

5.3.2. Demand Response Automation Server (DRAS)

The DRAS is an infrastructure component in Automated Demand Response programs, which are based on a client-server infrastructure. The automation server distributes and receives information among its entities, such as utilities and ISOs. The purpose of the DRAS is to automate dynamic pricing and reliability-related messages and information received from utilities or ISOs, to optimize the consumption of electricity during peak hours. The DRAS is an integrator between a Utility/ISO and DR participants. The major roles of the DRAS are to notify the participants regarding real-time prices (RTP), DR events and DR-related messages including dynamic pricing.
Figure 6 shows details of the DRAS and its interface to the utility and participant sites, including the Internet interface.
The DRAS interface can be implemented through WSDL or SOAP. XML can be used for the data model and the entities. The DRAS interface functions are divided into three groups as follows:
1) Utility and ISO Operator Interfaces
2) Participant Operator Interfaces
3) DRAS Client Interfaces

Figure 6. DRAS Interfaces.
Source: Lawrence Berkeley National Laboratory/Akuacom [31]

31. M.A. Piette, G. Ghatikar, S. Kiliccote, E. Koch, D. Hennage, P. Palensky, and C. McParland, Open Automated Demand Response Communications Specification, Demand Response Research Center, April 2009 [online]. Available: http://drrc.lbl.gov/openadr/pdf/cec5002009063.pdf. [Accessed October 20, 2009]

5.3.3. OpenADR and Security Concerns

Since the OpenADR system is based on Internet communication, the information transmitted in each DRAS interface must be protected from any kind of data manipulation, such as changing pricing information and DR events. The DRAS and DRAS clients need to be authenticated in order to communicate with each other. Also, access control to each entity in the OpenADR system is needed in order to protect the system from unauthorized access. If the security goals are breached, potentially adverse impacts could occur, such as excessive loads in the grid leading to blackouts and large financial impacts on both the utility and participants in the DR program.
This section focuses on the security concerns on the information transmitted between the utility/ISO, DRAS and DRAS client. Table 2 and Table 3 below describe possible attacks and impacts that could happen if each security goal is compromised for each of the information items transmitted in the OpenADR system. The information transmitted in OpenADR is categorized into three groups based on the DRAS interfaces.
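Sections 5.2 and 5.3.3 require that DRAS signals be authenticated, protected from manipulation and replay, robust against a false time reference, and that a participant cannot later deny having received an event. The following added example, which is not code from this report, from the OpenADR specification or from the DRAS implementation it describes, simulates both sides of that exchange. It assumes a JSON envelope carrying an HMAC-SHA256 tag under a pre-shared key (a choice made so the example runs self-contained; the report only states that the DRAS interface can be implemented through WSDL or SOAP with an XML data model), an issue timestamp checked against the client's clock, an event counter for replay detection, and a signed acknowledgement that the DRAS keeps for accountability. The shed strategy table, the key and every message value are constructed.

```python
"""
Authenticated, replay-resistant DR event exchange between a DRAS and a
DRAS client, with a signed acknowledgement.

Added example: the envelope format, the pre-shared HMAC key and the shed
strategy are assumptions made for this illustration, not the OpenADR
specification's mechanism.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


def _tag(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _verify(key: bytes, message: dict) -> bool:
    payload = message.get("payload")
    tag = message.get("mac", "")
    return isinstance(payload, dict) and hmac.compare_digest(_tag(key, payload), tag)


# Pre-programmed shed strategy: fraction of site load to shed per event mode (constructed).
SHED_STRATEGY = {"NORMAL": 0.0, "MODERATE": 0.10, "HIGH": 0.25}


class DRAS:
    """Publishes DR event signals and keeps the client acknowledgements it can verify."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self._next_event_id = 1
        self.acks: List[dict] = []

    def publish(self, mode: str, start: datetime, price_per_kwh: float, issued: datetime) -> dict:
        payload = {
            "event_id": self._next_event_id,   # monotonic; lets the client detect replays
            "mode": mode,
            "start": start.isoformat(),
            "price_per_kwh": price_per_kwh,
            "issued": issued.isoformat(),      # client checks this against its own clock
        }
        self._next_event_id += 1
        return {"payload": payload, "mac": _tag(self.key, payload)}

    def record_ack(self, ack: dict) -> bool:
        """Store an acknowledgement only if its MAC verifies (accountability)."""
        if not _verify(self.key, ack):
            return False
        self.acks.append(ack)
        return True


class DRASClient:
    """Checks origin, freshness and replay before applying the pre-programmed strategy."""

    def __init__(self, key: bytes, max_clock_skew: timedelta = timedelta(minutes=5)) -> None:
        self.key = key
        self.max_clock_skew = max_clock_skew
        self.seen_event_ids: Set[int] = set()

    def handle(self, message: dict, now: datetime) -> Tuple[str, Optional[dict]]:
        # 1. Integrity and origin: a modified payload or a forged message fails the MAC.
        if not _verify(self.key, message):
            return "rejected: bad MAC", None
        payload = message["payload"]
        # 2. Freshness: a stale capture or a false time reference falls outside the window.
        issued = datetime.fromisoformat(payload["issued"])
        if abs(now - issued) > self.max_clock_skew:
            return "rejected: issued time outside window", None
        # 3. Replay: an authentic event may be applied only once.
        if payload["event_id"] in self.seen_event_ids:
            return "rejected: replayed event", None
        self.seen_event_ids.add(payload["event_id"])
        # 4. The pre-programmed strategy decides the action; unknown modes are not acted on.
        shed = SHED_STRATEGY.get(payload["mode"])
        if shed is None:
            return "rejected: unknown mode", None
        ack_payload = {"event_id": payload["event_id"], "shed_fraction": shed,
                       "received": now.isoformat()}
        ack = {"payload": ack_payload, "mac": _tag(self.key, ack_payload)}
        return f"accepted: shed {shed:.0%}", ack


def run_scenario() -> Dict[str, object]:
    """Constructed exchange: one good event, a tampered copy, a replay and a stale event."""
    key = b"constructed-pre-shared-key"  # placeholder; a deployment provisions a key per client
    now = datetime(2012, 5, 1, 14, 0, tzinfo=timezone.utc)
    dras, client = DRAS(key), DRASClient(key)

    good = dras.publish("HIGH", now + timedelta(hours=1), 0.45, issued=now)
    tampered = {"payload": dict(good["payload"], price_per_kwh=0.01), "mac": good["mac"]}
    stale = dras.publish("HIGH", now + timedelta(hours=1), 0.45, issued=now - timedelta(hours=2))

    statuses = []
    status, ack = client.handle(good, now)
    statuses.append(status)
    statuses.append(client.handle(tampered, now)[0])
    statuses.append(client.handle(good, now)[0])      # replay of the authentic signal
    statuses.append(client.handle(stale, now)[0])
    return {"statuses": statuses,
            "ack_recorded": dras.record_ack(ack) if ack else False,
            "ack_count": len(dras.acks)}


if __name__ == "__main__":
    for line in run_scenario()["statuses"]:
        print(line)
```

The order of the checks matters: the MAC is verified before any field is parsed, so a forged timestamp or event id never reaches the freshness or replay logic. A symmetric key lets either side forge the other's messages, so the acknowledgement here only proves receipt to a DRAS that trusts its own client provisioning; where the utility, DRAS and participant are separate parties, a per-party signature scheme is needed to give the acknowledgement non-repudiation value.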

Table 2. Possible attacks on utility/ISO operator interfaces

Interface group: Utility/ISO Operator Interfaces

Purpose: To initiate or update DR event information in DRAS
  Information transmitted: Program type, date & time of the event, date & time issued, geographic location, customer list (account numbers) and load shed event information.
  Security concerns:
    Confidentiality (L): Eavesdropping on this information is not of concern since the information may not be sent regularly. However, the information needs to be protected from unauthorized access.
    Integrity (H): Attacker modifies configuration data in the DRAS, such as DR program data, customer list and shed event information, affecting the DR program behavior. Attacker issues false or malicious DR events in DRAS, causing blackouts and instability of the grid. Also, this may lead to financial impacts on customers.
    Availability (L): Failure in communication between utility and DRAS.

Purpose: To initiate bid request in DRAS
  Information transmitted: Program type, date & time of the event, date & time issued, geographic location, customer list (account numbers), request for a bid (RFB) issue date & time, RFB close time, price offered for load reduction per time block.
  Security concerns:
    Confidentiality (H): Eavesdropping on this information could result in the leaking of bidding and also pricing information to the attacker.
    Integrity (H): Unauthorized manipulation of this information could affect the bidding program behavior. Attacker issues false bidding information, causing false behavior of the bidding program and financial impacts on customers.
    Availability (L): Failure in communication between utility and DRAS.

Purpose: To set accepted bids in DRAS
  Information transmitted: Participant list (account numbers), accept or reject, load reduction bids per time block (for verification).
  Security concerns:
    Confidentiality (H): Eavesdropping on this information could lead to the invasion of participants' privacy.
    Integrity (H): Attacker modifies participant list or load reduction per time block, accepted or rejected bid, causing instability of the grid and having financial impacts on participants. Attacker issues accepted/rejected bids to DRAS clients, which may make an inappropriate response, such as increasing the loads, according to the false accepted or rejected bids received.
    Availability (L): Failure in communication between utility and DRAS.


Table 3. Possible attacks and impacts of DRAS client interfaces

Interface group: DRAS Client Interfaces

Purpose: To send shed or event information to trigger the event client to shed or shift loads at participant sites, facilities or aggregator sites
  Information transmitted: Utility event information for smart DRAS clients, such as date & time of the event, date & time issued, mode and pending signals. Mode and pending signals for simple clients. Event pending signals for simple clients.
  Overall impacts:
    Confidentiality (H): Attacker intercepts information sent between DRAS and DRAS client to gain knowledge of DR events, pricing information and customer information. Loss of confidentiality on this information can lead to the exposure of customer data, unauthorized modification of information, manipulation of information, malicious attacks, etc., causing instability of the grid and financial impacts on customers.
    Integrity (H): Attacker issues false/malicious DR events. Attacker may be able to turn on air conditioning or heater units in a large commercial building, which can cause excessive loads on the grid, and blackouts may take place, resulting in instability of the grid and financial impacts on customers. Attacker may be able to shut down all air conditioning units, which can cause annoyance and possible health concerns for some customers. Attacker issues false time synchronization, causing events to occur sooner or later than they normally would have. The signals need to be authenticated that they actually came from the DRAS. Inability to authenticate DRAS, DRAS client and UIS can lead to a number of attacks, such as authentication sniffing, denial of service (DoS), man-in-the-middle attack, etc. Attacker captures an authentic signal and prevents the required reduction in load, forcing utilities to take other measures such as buying energy at higher costs, and blackouts could occur.
    Availability (H): Attacker prevents the reduction of the load by disabling DRAS clients from receiving the incoming DR signals using denial of service attacks. Attacker floods the DRAS communications channel with non-DR related Internet traffic. Failure in communication between DRAS and DRAS clients.
    Accountability (M): Participant denies receiving DR events.


DRAS Client Interfaces (continued)

Purpose: To send a request for bid to the participant, facility manager or aggregator.
Information transmitted: This information comes in the form of an email, phone call or page.
Overall impacts:
Integrity (L):
An adversary may manually send an email, make a phone call or submit a page to the participant or facility manager, so that the manager responds to the adversary instead of to the DRAS, or takes a wrong action in response to the bid request.
Participant denies receiving bidding information.

Purpose: To send the acceptance or rejection notification to the participant, facility manager or aggregator.
Information transmitted: This information comes in the form of an email, phone call or page.
Overall impacts:
Integrity (L):
An adversary may manually send an email, make a phone call or submit a page to the participant or facility manager, so that the manager responds to the adversary instead of to the DRAS, or takes a wrong action in response to the notification.

Table 4. Possible attacks and impacts of participant interfaces

Participant Interface

Purpose: To set, adjust or cancel standing bids in the DRAS.
Information transmitted: Load reduction per time block (price and load amount).
Overall impacts:
Confidentiality (M):
Attacker intercepts load reduction information sent from the participant to the DRAS in order to gain knowledge of it, leaking the customer's electricity usage.
Integrity (H):
Attacker submits bids on behalf of participants, causing financial impacts on participants.
Availability (L):
Failure in communication between the DRAS and the DRAS client.

Purpose: To send system load status information to the DRAS from DRAS clients.
Information transmitted: Program identifier, facility or participant identifier, date & time of the event (shed or shift), shed data in kW/kWh, load reduction end uses (HVAC, lighting, etc.), event type (Day-Ahead or Day-Of).
Overall impacts:
Confidentiality (H):
Eavesdropping on this information could invade customer privacy.
Integrity (H):
Unauthorized manipulation of this information could prevent the DRAS from recording the actual response of the DRAS client to the DR events received. The DRAS may then respond inappropriately to the DR program according to the false system load status, which could make the grid unreliable.
Availability (L):
Failure in communication between the DRAS and the DRAS client.

5.4. Demand Response at Residential Sites and Security Issues

Demand response events arrive at the residential site from the utility to adjust the electricity price. During peak hours the price of electricity rises; through demand response the customers can adjust their residential temperature on the basis of the demand response event received. During normal conditions, broadcast messages consisting of price signals are sent to residences, whereas during emergencies control signals are issued. The Programmable Communicating Thermostat (PCT) would be used in order to reduce the electric power at the residential site. Broadcast messages are sent out to the thermostat, which cause the thermostat to update its power consumption. The PCT will be provided to residential customers by the IOUs. The PCT will communicate with the utility through a meter. The connection is made through a wide area network. The PCT allows the customer to set the temperature for heating as well as cooling. Security issues such as confidentiality, integrity, availability and non-repudiation come into effect for the PCT during the flow of events from the utility to the residential site. Integrity plays a crucial role in the PCT. An attacker can cause annoyance, affect health and safety, cause grid instability by causing a blackout, and increase cost for the customer, among other threats.

5.4.1. Possible Attacks in PCT

An attacker may attempt to shut down the A/C, prevent the load reduction, and manipulate the scheduling of events received.

An attacker tries to tamper with the incoming signals or the PCT system. The attacker carries out masquerading and man-in-the-middle attacks, shutting down or turning down the A/C units in order to cause grid instability.

An attacker blocks the incoming broadcast signal by carrying out a denial of service attack. Replay attacks can be carried out in order to manipulate the incoming demand response signal.

An attacker could manipulate the system by disabling the PCT antenna or changing the PCT local time.

A summary of attack patterns in PCT is shown in Figure 7.
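The authentication, replay and time-manipulation concerns raised in Table 3 and in the PCT attack list above are all message-layer problems. The following is an added example, not code from this report or from any DRAS product, showing how a DRAS could sign each event with a shared-secret HMAC and how a client such as a PCT verifies the origin, rejects replays through a per-issuer sequence number, rejects events whose issue time falls outside a skew window, and records a signed receipt so the participant cannot later deny delivery. The field names (`issuer`, `seq`, `issued_at`, `mode`, `level`), the shared key and the five-minute window are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Shared secret provisioned to one DRAS client (constructed value for this example;
# a deployment would provision a distinct key per device).
SHARED_KEY = b"example-dras-client-key"
MAX_CLOCK_SKEW_S = 300  # assumption: accept events issued within +/-5 minutes of local time


def _canonical(event: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC exactly the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event: dict, key: bytes = SHARED_KEY) -> dict:
    """DRAS side: HMAC-SHA256 over every field, including seq and issued_at."""
    tag = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    return {**event, "tag": tag}


class DrasClient:
    """Receiver side (e.g. a PCT): origin check, replay check, time-window check, signed receipt."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = {}  # issuer -> highest accepted sequence number
        self.acks = []      # signed receipts, the accountability record

    def accept(self, signed: dict, now: float):
        """Returns (accepted, reason). `now` is the client's local clock."""
        body = {k: v for k, v in signed.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # constant-time comparison so verification time does not leak tag bytes
        if not hmac.compare_digest(expected, str(signed.get("tag", ""))):
            return False, "bad tag: not from the DRAS, or modified in transit"
        if abs(body["issued_at"] - now) > MAX_CLOCK_SKEW_S:
            return False, "issue time outside the acceptance window"
        issuer = body["issuer"]
        if body["seq"] <= self.last_seq.get(issuer, -1):
            return False, "replayed or out-of-order sequence number"
        self.last_seq[issuer] = body["seq"]
        # Signed acknowledgement: the participant cannot later deny receiving the event.
        receipt = {"ack_of": body["seq"], "issuer": issuer, "received_at": now}
        self.acks.append(sign_event(receipt, self.key))
        return True, "accepted"


def demo():
    """Constructed exchange: one genuine event, then a replay, a tampered copy and a stale event."""
    now = 1_700_000_000.0
    client = DrasClient()
    event = sign_event({"issuer": "DRAS-1", "seq": 1, "issued_at": now,
                        "mode": "shed", "level": 2})
    results = [client.accept(event, now)[0]]                # True: genuine
    results.append(client.accept(event, now + 1)[0])        # False: replay of seq 1
    tampered = dict(event, mode="normal")                   # payload changed, tag now stale
    results.append(client.accept(tampered, now)[0])         # False: bad tag
    stale = sign_event({"issuer": "DRAS-1", "seq": 2, "issued_at": now - 3600, "mode": "shed"})
    results.append(client.accept(stale, now)[0])            # False: outside window
    return results, len(client.acks)


if __name__ == "__main__":
    print(demo())  # ([True, False, False, False], 1)
```

The time-window check is only as good as the client's own clock: a PCT whose local time has been changed, as the attack list notes, will accept or reject events wrongly, so the time source needs the same origin authentication as the events themselves.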

Figure 7. Path of attack in PCT. 32
Source: Lawrence Berkeley National Laboratory/Akuacom

32. E. W. Gunther, Reference Design for Programmable Communicating Thermostats Compliant with Title 24-2008, March 2007 [online]. Available: http://drrc.lbl.gov/pct/docs/ReferenceDesignTitle24PC_rev15.doc. [Accessed October 22, 2009]

6.0 CUSTOMER DOMAIN HOME AREA NETWORK, GATEWAY, AND NEIGHBORHOOD AREA NETWORK SECURITY ISSUES

6.1. Introduction

Actors in the Customer domain enable customers to manage their energy usage and generation. Some actors also provide control and information flow between the customer and the other domains. The boundaries of the customer domain are typically considered to be the utility meter. The customer domain is electrically connected to the distribution domain. It communicates with the Distribution, Operations, Market, and Service Provider domains. This section is subdivided into HAN, gateway and Neighborhood Area Network because each actor contributes to making the customer's interaction with the smart grid possible. Therefore we will handle each of these domains in the same order.

Figure 8 depicts the entire customer domain with components such as the Utility, the AMI-HAN interface, the Gateway and multiple HAN protocols which help connect various smart appliances in the Home Area Network. Along with the HAN and gateway there is also a WNAN, which is depicted in the figure below as the communication between the smart meter and the utility. The two communication standards considered in this figure are the Wireless Neighborhood Area Network (WNAN) and the Local Area Network (LAN).

Figure 8. HAN/Gateway.
Source: From the draft document on Residential Gateway Reference Design meeting held at UC Berkeley

6.2. Home Area Network (HAN)

Smart Grid provides two-way communications between homeowners' premises and utility companies' back-end IT infrastructure. This is done by deploying Advanced Metering Infrastructure (AMI) systems that combine Home Area Networks (HANs) and Neighborhood Area Networks (NANs). A HAN typically connects home devices together, whereas a NAN connects the home to the Utility Network. The key enabling technologies for energy management products in the home are protocols such as ZigBee and Z-Wave; ZigBee, an ultra-low-power IEEE 802.15.4-based wireless networking standard, has emerged as the key to robust, reliable and secure HAN deployments. Although there are several other potential HAN protocols, ZigBee is the only one discussed in detail, since it is the most popular open standard for HANs.

6.2.1. ZigBee

Following the standard OSI reference model, ZigBee's protocol stack is structured in layers. The physical and the media access layers are based on the 802.15.4 standard. The layers on top of these two layers are specific to ZigBee. They are the network layer, the General Operation Framework (GOF) and the application layer. IEEE 802.15.4 is a standard which specifies the physical layer and media access control for low-rate wireless personal area networks. It focuses on low-cost, low-speed ubiquitous communication between devices (in contrast with other, more end-user-oriented approaches, such as Wi-Fi). The emphasis is on very low-cost communication of nearby devices with little to no underlying infrastructure, so as to exploit this to lower power consumption. 33 It is the basis for ZigBee.

ZigBee makes it practical to embed wireless communications into virtually any home/building automation/metering product without the prohibitive cost and disruption of installing hard wiring. ZigBee allows individual devices to work for long periods of time (approximately 2+ years) on battery power. 34

33. K. Stouffer, J. Falco, K. Scarfone, Guide to Industrial Control Systems (ICS) Security, National Institute of Standards and Technology (NIST), Sept 2008 [online]. Available: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
34. A. Lee, T. Brewer, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST), Smart Grid Cyber Security Strategy and Requirements, Draft NISTIR 7628, Sept 2009 [online]. Available: http://csrc.nist.gov/publications/drafts/nistir-7628/draft-nistir-7628.pdf

6.2.2. Z-Wave

Z-Wave is a proprietary wireless communications standard designed for home automation, specifically for remote control applications in residential and light commercial environments. The technology, which is developed by Zensys, uses a low-power RF radio embedded or retrofitted into home electronics devices and systems, such as lighting, home access control, entertainment systems and household appliances. Since it is a proprietary standard, not much information is available on Z-Wave. 35

6.3. Gateway Component

A Home Gateway (HG), also called a Residential Gateway (RG), is a device that interconnects various home electronic devices to one another as well as connecting these private home network devices to the exterior public network. In the smart grid architecture the current assumption is that there is an identifiable unit performing the gateway function, but whether the gateway will be an independent functional unit or part of another smart grid component is an open possibility.

There are two implementation techniques for the gateway:
1) The gateway is part of the PCT (Programmable Communicating Thermostat); one such example is the USNAP (Utility Smart Network Access Port). 36 This is a hardware solution to the interoperability issues between the native AMI network and the home area network. The USNAP card provides a serial interface between the module that communicates with the Utility AMI network and the HAN control unit.
2) A gateway as an individual component. This gateway implementation technique involves a hardware component which integrates a ZigBee-based home automation system with an external IP-based network. The gateway provides two functionalities: 37
   1) Data translation between the IP-based network and the ZigBee network.
   2) Providing a secure environment for processing commands received from the external network.
The gateway consists of a Wi-Fi module, a ZigBee microcontroller and a power supply.

6.4. Wireless Neighborhood Area Network (WNAN)

The ubiquitous network requirements for Smart Grid are identified as follows: reliable, secure, power efficient, low latency, low cost, diverse path, scalable technology, and the ability to support burst, asynchronous upstream traffic, to name a few. Wireless neighborhood area networks (WNAN) are a type of packet-switched wireless mobile data network. Wireless NANs are flexible packet-switched networks whose geographical coverage area could be anywhere from the coverage area of a Wireless Local Area Network (WLAN), to a wireless metropolitan area network (WMAN), to a Wireless Wide Area Network (WWAN). In Smart Grid, the WNAN has a role to play in HOME-to-HOME or HOME-to-GRID communication. The following are the communication protocols under consideration for the wireless neighborhood area network for Smart Grid:
1) IEEE 802.11: IEEE 802.11 is a set of standards defined for the implementation of wireless local area network computer communication, which operates in the 2.4 GHz, 3 GHz and 5 GHz frequency bands. 802.11b operates at 2.4 GHz with a data transfer rate in the range of 5 Mbits/s to 25 Mbits/s with a maximum outdoor range of 90 meters, while 802.11g operates at 2.4 GHz as well, with a data transfer rate in the range 22 Mbits/s to 128 Mbits/s with a maximum outdoor range of 90 meters. 38
2) IEEE 802.15.4: 802.15.4 defines the physical and medium access control layers for low-data-rate, short-range wireless communication. The operation is defined in both sub-1 GHz and 2.4 GHz frequency bands, supporting Direct Sequence Spread Spectrum signaling with a raw data throughput of 250 kbps, and can transmit point-to-point, ranging anywhere from tens to hundreds of meters depending on the output power and receive sensitivity of the transceiver. 39
3) IEEE 802.16: WiMax (Worldwide Interoperability for Microwave Access) provides wireless transmission of data in a variety of modes, from point-to-point to multi-point links. It is also called the Last Mile Connectivity of broadband wireless access, with a range of around 50 km and a data transfer rate of up to 70 Mbps, with the ability to support data, voice and video. It does not require LOS (Line Of Sight) and uses public key cryptography. 40

35. E. W. Gunther, Reference Design for Programmable Communicating Thermostats Compliant with Title 24-2008, March 2007 [online]. Available: http://drrc.lbl.gov/pct/docs/ReferenceDesignTitle24PC_rev15.doc
36. USNAP Alliance Industry White Paper, ENABLING THE HOME AREA NETWORK MARKET. March 20, 2009
37. Khusvinder Gill, Shuang-Hua Yang, Fang Yao, and Xin Lu, A ZigBee-Based Home Automation System. Loughborough University, UK, 2009.

6.5. Potential Security Issues/Risks

6.5.1. ZigBee 41
1) Power Failures: Nonce 42 values are initialized to a standard value, thus making the nonce a known value.
2) Fast Denial-of-Service Attack on AES-CTR (Advanced Encryption Standard CTR mode).
3) Acknowledgement Forgery: since the ACK frame returns only the DNS (Domain Name Server) value. If the attacker knows the DNS value he/she can send a false acknowledgement to the sender saying that the receiver has received the message when in fact it hasn't.
4) Weak Integrity Protection on AES-CTR.
5) Allows the use of the same keys on multiple ACL (Access Control List) entries. Allows the use of group keys.

38. http://en.wikipedia.org/wiki/IEEE_802.11
39. Naveen Sastry, David Wagner, Security Considerations for IEEE 802.15.4 Networks. UC Berkeley. Year of Publication 2004.
40. http://en.wikipedia.org/wiki/WiMAX
41. Matera: Security Issues on ZigBee, Basilicata University, Italy, January 18, 2006
42. A side input to the encryption algorithm.
6.5.2. Z-Wave 43
Unsecure connection while establishment of the network and distribution of the network key is taking place; open to sniffer attacks.
Solution: The new device and the primary controller must be less than one meter apart for set-up. Once the new device has been included in the network database it can be placed anywhere within range of the network.

6.5.3. Gateway
Medium Access Control (MAC) address spoofing: When the USNAP card is plugged in for the first time it registers on the network. Since the network operates in an unlicensed frequency band, any eavesdropper can listen to ongoing traffic and spoof the MAC address, which the USNAP card uses as an ID to uniquely identify a card. The second scenario occurs when pricing information is sent by the utility to the consumer after the MAC address of the card has been spoofed. In this case the utility would be sending sensitive data to an unauthorized person, which is a breach of confidentiality of the highest security level. 44
Public Key Infrastructure security issues: The USNAP card uses Public Key Infrastructure as a security feature. With the use of PKI emerges the problem of distribution of public keys and the added responsibility of choosing a certifying authority to sign the keys. 45 This issue is a problem for any system which uses PKI and is discussed further in chapter 9.
Virtual Home, its security features and loopholes: In a virtual home, the gateway has added components such as the virtual home, a network coordinator and a device database. Every command which is received from the external network is checked for its authenticity by the network coordinator and the device database in the virtual home environment. Once the command has been verified it is then implemented in the real home system. The security concerns with such a setup are as follows: 46

The gateway accepts commands even from a ZigBee-based remote control, and these commands are not verified in the virtual home environment. A malicious device emitting ZigBee signals could be interpreted as commands to the home environment.

Since the gateway uses hardware components, device driver updates are needed. These updates should be done in a controlled manner; otherwise the virtual home, which is trusted for managing the security of the home area network, will be compromised.

43. Wireless security: How safe is Z-wave? Knight, M.
44. USNAP Alliance Industry White Paper, ENABLING THE HOME AREA NETWORK MARKET. March 20, 2009.
45. John Linn, RSA Laboratories, Bedford, MA, USA; Marc Branchaud, RSA Security Inc., Vancouver, BC, Canada. An Examination of Asserted PKI Issues and Proposed Alternatives. 2004.

6.5.4. WNAN
IEEE 802.11 47

Convenient Access: Networks announce their existence with the aid of beacon frames, which also invite threats. Software is used by war drivers to log these beacon frames and find the locations using GPS.
Rogue Access Points: One of the common security risks is rogue access points, which are easy to set up and do not even require authorization.
MAC Spoofing: The management frames are not authenticated in 802.11. Every frame has a source address. Attackers take advantage of spoofed frames to redirect traffic and corrupt ARP tables.
Denial of Service Attacks:
o Physical Attacks: Simple devices that operate in the 2.4 GHz frequency band, like cordless phones that support 802.11b, can be used to take the network offline. This is done by inducing noise into the network, reducing the signal-to-noise ratio of the channel to an unusable range.
o Data link Attacks: For devices manufactured before 2003 with wired equivalent privacy (WEP) turned on, the attacker can perform DoS attacks by accessing the user information on the link layer. Data link attacks are difficult for post-2003 devices that support WPA2.
Network Attacks: An attacker can flood ICMP packets to the gateway, thereby making it difficult for clients associated with the same AP to send and receive packets.
Man-in-the-Middle (MITM) Attacks: There are two versions of the MITM attack. They are
o Eavesdropping
o Manipulating

Solution: Wi-Fi Protected Access (WPA) has an improved encryption algorithm called Temporal Key Integrity Protocol (TKIP), which uses a unique key for every client and also uses longer keys that are rotated at configurable intervals. WPA also includes an encrypted message integrity check field in the packet to prevent denial of service and spoofing attacks.

46. Khusvinder Gill, Shuang-Hua Yang, Fang Yao, and Xin Lu, A ZigBee-Based Home Automation System. Loughborough University, UK, 2009.
47. Bob Fleck, Bruce Potter. 802.11 Security. O'Reilly Publications, December 2002, ISBN: 0-596-00290-4
IEEE 802.15.4 48
1. Confidentiality: An encryption scheme must be used to prevent message recovery. Semantic security requires that encrypting the same message twice yields two different ciphertexts; if the same encryption process is used unchanged both times, semantic security is violated. The technique to prevent this violation is to use a unique nonce for each invocation of the encryption process. The receiver uses this nonce for decryption; the nonce is sent in the clear in the same packet as the encrypted data, so the security of the encryption does not depend on the secrecy of the nonce. The nonce is introduced to give some variation to the messages.
2. Loss of ACL State: Each ACL entry in the ACL table is used to store different keys and their associated nonce. There are chances of the ACL table getting cleared when there is a power failure or when the device operates in a low-powered state.
o Power Failure: In case of power failure the ACL entries are cleared; however, the ACL table is repopulated by the software with the appropriate keys. But the issue is with the nonce states. All the nonce states are reset to a known value, say 0, and thereby reuse of nonce state occurs, which compromises security.
o Low-powered operation: Again the issue is with how to retain the nonce states when the device enters the low-powered state.
Possible Fix: A suitable fix to this problem could be saving and storing the nonce states in flash memory, which incurs additional cost and power consumption and is also slow and energy inefficient.
3. Key Management Problems: This problem arises due to the inability of the ACL tables to support different keying models.
o Group Keying: There is no support for using the same key for multiple ACL entries. If attempts are made to create separate ACL entries for each node, then the nonce-state reuse problem arises.
Possible Fix: A fix for this could be creating a single ACL entry for a particular key. Before sending a message, changing the destination address associated with that ACL entry would suffice to fix this issue.
o Network Shared Keying: The network cannot be protected from replay attacks when using a network-wide shared key. In order to use the network shared keying model the application has to use the default ACL entry, but a default ACL entry can be used only if there is no matching ACL entry.
4. Confidentiality and Integrity Protection: Research has proven that unauthenticated encryption modes can introduce risks of protocol-level vulnerabilities compromising not only integrity but also confidentiality. An example of this could be AES-CTR, which uses counter mode without a MAC.
5. Denial of Service: As discussed previously, replay attacks could cause the device to reject packets.
6. No Acknowledgement Packet Integrity: There is an option for the sender to request an acknowledgement from the recipient for the sent packets. But there is no confidentiality or integrity provided for the acknowledgement packets, thereby inviting the attacker to forge the acknowledgement packets.

48. Naveen Sastry, David Wagner, Security Considerations for IEEE 802.15.4 Networks. UC Berkeley. Year of Publication 2004.
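Items 1, 2 and 4 of the 802.15.4 list above rest on two properties of counter mode: a reused nonce lets anyone who sees two ciphertexts XOR them and recover plaintext, and counter-mode output with no MAC can be altered bit by bit without detection. The example below is added here and is not code from this report or from the 802.15.4 specification; it uses HMAC-SHA256 as the block function in place of AES (a stand-in, so the CTR-mode behaviour is identical), simulates with a dict the flash-backed nonce counter the text proposes as a fix, and adds an encrypt-then-MAC tag as the integrity protection bare AES-CTR lacks. The key, the 8-byte nonce width and the 8-byte tag length are assumptions made for the example.

```python
import hashlib
import hmac

KEY = b"\x01" * 16  # constructed 128-bit link key for this example


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 32-byte keystream block. Stand-in for AES(key, nonce || counter) in AES-CTR:
    any pseudorandom function gives CTR mode the same properties shown below."""
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: data XOR keystream. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = keystream_block(key, nonce, i // 32)
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def two_time_pad_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """What a reused nonce gives away: c1 XOR c2 == p1 XOR p2, so one known plaintext
    reveals the other. This is why item 1 treats a reset nonce as a real compromise."""
    return bytes(a ^ b ^ c for a, b, c in zip(c1, c2, known_p1))


class NonceState:
    """Per-key nonce counter. `flash` is a dict simulating non-volatile storage;
    with persist=False the counter restarts at a known value after power loss or sleep,
    exactly the failure the Loss of ACL State discussion describes."""

    def __init__(self, flash: dict, persist: bool):
        self.flash = flash
        self.persist = persist
        self.counter = flash.get("nonce", 0) if persist else 0

    def next_nonce(self) -> bytes:
        self.counter += 1
        if self.persist:
            self.flash["nonce"] = self.counter  # write through before the nonce is used
        return self.counter.to_bytes(8, "big")


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || CTR ciphertext || 8-byte tag over nonce and ciphertext.
    The tag is what bare AES-CTR lacks (item 4): without it any bit can be flipped unnoticed."""
    ct = ctr_crypt(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag


def open_sealed(key: bytes, frame: bytes):
    """Returns the plaintext, or None when the tag fails (forgery or bit-flip detected)."""
    nonce, ct, tag = frame[:8], frame[8:-8], frame[-8:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_crypt(key, nonce, ct)


if __name__ == "__main__":
    # Constructed demonstration: a device whose nonce counter is not persisted
    # reboots and hands out the same nonce again.
    flash = {}
    before = NonceState(flash, persist=False).next_nonce()
    after = NonceState(flash, persist=False).next_nonce()  # simulated reboot
    print("nonce reused after power loss:", before == after)
```

The persisted counter is written before the nonce is used, never after, so a power loss between the two steps costs a nonce value rather than reusing one; that ordering is the whole point of the flash-backed state the text proposes, and the cost the text mentions is the write per frame.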
IEEE 802.16 49

Authentication: The drawback with WiMax is that it does not have Base Station authentication, which makes it prone to man-in-the-middle attacks, exposing subscribers to confidentiality and availability attacks. Since the BS does not authenticate itself, the SS cannot be protected from a rogue BS.

Encryption: 802.16e supports the Advanced Encryption Standard (AES) cipher, providing strong confidentiality for user data. Again the drawback is that encryption is not applied to the management frames, thereby allowing the attacker to gather information about the subscribers in the area and also about the network characteristics.

Availability: Even though WiMax uses a licensed RF spectrum, attackers can use easily available gadgets to jam the network. This is an example of a physical-layer denial of service attack, whereas attackers can also send legacy management frames to disconnect legitimate stations; this is nothing but a deauthentication flood attack.

Water Torture Attack: This is a form of physical-layer attack wherein the attacker sends a series of frames to any node to drain the battery life of the victim node.

49. http://www.networkworld.com/columnists/2006/121106-wireless-security.html?page=1

6.6. Comprehensive Security Issues with HAN/Gateway/NAN

High: High Security Risk
Medium: Medium Security Risk
Low: Low Security Risk

Table 5. HAN security issues

Component Involved: Threat Scenario Description
U-SNAP: MAC address spoofing; Public Key Infrastructure security issues
ZigBee Gateway Module: Virtual Home, its security features and loopholes
ZigBee: Power Failures; Fast Denial-of-Service Attack on AES-CTR; Acknowledgement Forgery; Weak Integrity Protection on AES-CTR; Allows the use of Same Keys on multiple ACL entries
IEEE 802.11: MAC Spoofing; Denial of Service Attacks; Man-in-the-Middle Attacks
IEEE 802.16: Authentication; Encryption; Availability; Water Torture Attack
IEEE 802.15.4: Confidentiality; Loss of ACL State; Key Management Problems; Encryption; Denial of Services; No Acknowledgement Packets Integrity

Security Threat Level (in table order):
High Confidentiality, Medium Availability
High Accountability
High Integrity
High Accountability
High Integrity
High Integrity
High Availability
High Accountability
High Confidentiality, High Accountability
High Availability
High Confidentiality, Medium Availability
Medium Integrity
High Confidentiality
High Integrity
High Availability
7.0 SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES

7.1. Introduction

SCADA systems are widely deployed in Critical Infrastructure industries, where they provide remote supervision and control. In the Smart Grid, SCADA systems are used in automation, for instance to monitor and control grid equipment such as transformers, customer equipment, generation and transmission systems, etc. Despite the importance of SCADA security, SCADA systems are reported to be vulnerable to electronic attacks. Taking into account the wide deployment of networking technologies in SCADA and the high connectivity of SCADA networks with other networks such as the corporate intranet or even the Internet, SCADA systems are exposed to electronic attacks nowadays more than ever.

This section discusses SCADA system security issues. For the purpose of implementing an efficient defense of SCADA and Process Control Systems in general, it is necessary to research novel security approaches, implement them and carefully measure their suitability in terms of efficiency and overhead.

The general layout of a SCADA system is shown in Figures 9 and 10.

Figure 9. SCADA general layout.
Source: Guide to Industrial Control Systems (ICS) Security, National Institute of Standards and Technology

The figure above gives a general layout of a SCADA (Supervisory Control and Data Acquisition) system. SCADA is a collection of systems that measure, report, and change in real time both local and geographically remote distributed processes. The fundamental components in the above figure are the control center, usually computer-based, referred to as the MTU (Master Terminal Unit); the RTU (Remote Terminal Unit), also called the field site; and the communication link between them. The MTU issues commands to distant facilities and gathers data from them, interacts with other systems in the corporate intranet for administrative purposes and interfaces with human operators. In a SCADA system it is the MTU which has full control of distributed remote processes. An operator can interface with an MTU through an interface device consisting of a video display unit, a keyboard, etc. Control commands sent by an MTU to distant facilities are triggered by programs in that MTU which are executed either manually or through a programmable built-in scheduler.

RTUs are generally based on microprocessors and are physically placed in remote locations. Their task consists of controlling and acquiring data from devices such as sensors, actuators, controllers, pulse generators, etc. An MTU communicates with one or more remote RTUs by sending requests for information that those RTUs gather from devices, or instructions to take an action such as opening and closing valves, turning switches on and off, etc. The communications between an MTU and RTUs follow a master-slave schema, in which the MTU is the master and the RTUs are slaves, and only the MTU is allowed to initiate a transaction. 50

The SCADA system is a control system which was originally designed to operate in an isolated environment. Today such systems are typically connected to the corporate network for business reasons. These control systems were also originally designed to be efficient rather than secure. Communication protocols (e.g. Distributed Network Protocol (DNP3)) which allow remote control of the SCADA devices were designed with little security in mind. The impact of attacks on SCADA systems could be physical, economic, or societal.

The following sections discuss security issues in SCADA systems.

50. National Institute of Standards and Technology, US Department of Commerce (September 2008). Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82 FINAL PUBLIC DRAFT). Keith Stouffer, Joe Falco, Karen Scarfone.

7.1.1. SCADA Architecture in Detail

Figure 10. SCADA architecture. 51
Source: Critical Infrastructure Protection, Challenges in Securing Control Systems

7.1.2. Security Issues in SCADA

Public Information Availability
Often, too much information about a utility company's corporate network is easily available through routine public queries. This information can be used to initiate a more focused attack against the network. Examples of this vulnerability are listed below: 52

Web sites often provide data useful to network intruders about company structure, employee names, email addresses, and even corporate network system names.

Domain name service (DNS) servers permit zone transfers, providing IP addresses, server names, and email information.

51. East, Samuel; Butts, Jonathan; Papa, Mauricio; and Shenoi, Sujeet. (2009). A taxonomy of attacks on the DNP3 protocol. Critical Infrastructure Protection III, IFIP AICT 311, pp. 67-81, 2009. IFIP International Federation for Information Processing.
52. Understanding SCADA System Security Vulnerabilities, Riptech.

Platform Configuration Vulnerabilities

OS and application security patches are not maintained.

Inadequate access controls. Poorly specified access controls can result in giving a SCADA user too many or too few privileges. The following exemplify each case: a system configured with default access control settings gives an operator administrative privileges; a system improperly configured results in an operator being unable to take corrective actions in an emergency situation.

Password policies are needed to define when passwords must be used, how strong they must be, and how they must be maintained. Without a password policy, systems might not have appropriate password controls, making unauthorized access to systems more likely. 53

Platform Software Vulnerabilities

Denial of service (DoS): SCADA software could be vulnerable to DoS attacks, resulting in the prevention of authorized access to a system resource or delaying system operations and functions. Attackers could proactively exploit software bugs and other vulnerabilities in various systems, either in the corporate network or the SCADA network, to gain unauthorized access to places such as control center networks, SCADA systems, interconnections, and access links. Cyber attacks that are based on denial of service (DoS) mechanisms, and others that spread due to viruses and worms by causing a traffic avalanche in short durations, can potentially bring down systems and cause a disruption of services; these are known as flood-based cyber attack types.

Intrusion detection/prevention software not installed: Incidents can result in loss of system availability; the capture, modification, and deletion of data; and incorrect execution of control commands. IDS/IPS software may stop or prevent various types of attacks, including DoS attacks, and also identify attacked internal hosts, such as those infected with worms. IDS/IPS software must be tested prior to deployment to determine that it does not compromise normal operation of the SCADA. 54

Malware protection software not installed, definitions not current, implemented without exhaustive testing: Malicious software can result in performance degradation, loss of system availability, and the capture, modification, or deletion of data. Malware protection software, such as antivirus software, is needed to prevent systems from being infected by malicious software. Outdated malware protection software and definitions leave the system open to new malware threats. Malware protection software deployed without testing could impact normal operation of the SCADA. 55

53, 54. National Institute of Standards and Technology, US Department of Commerce (September 2008). Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82 FINAL PUBLIC DRAFT). Keith Stouffer, Joe Falco, Karen Scarfone.
Network Configuration Vulnerabilities
The network architecture design is critical in offering the appropriate amount of segmentation between the Internet, the company's corporate network, and the SCADA network. Network architecture weaknesses can increase the risk that a compromise from the Internet could ultimately result in compromise of the SCADA system. Some common architectural weaknesses include the following: 56

Configuration of file transfer protocol (FTP), web, and email servers sometimes inadvertently and unnecessarily provides internal corporate network access.

Network connections with corporate partners are not secured by firewall, IDS, or virtual private network (VPN) systems consistent with other networks.

Dial-up modem access is authorized unnecessarily, and maintenance dial-ups often fail to implement corporate dial access policies.

Firewalls and other network access control mechanisms are not implemented internally, leaving little to no separation between different network segments.

Network Perimeter Vulnerabilities 57


Network Leak Vulnerabilities

TCP/IP networks by their very nature promote open communications between systems and networks, unless network security measures are implemented. Improper network configuration often leads to inbound and outbound network leaks between SCADA networks, corporate networks, business partners, regulators and outsourcers and even the Internet, which pose a significant threat to network reliability. Network leaks can allow worms, viruses or hackers direct visibility to vulnerable SCADA systems.

Insecure Connections Exacerbate Vulnerabilities

Potential vulnerabilities in control systems are exacerbated by insecure connections. Organizations often leave access links such as dial-up modems to equipment and control information open for remote diagnostics, maintenance, and examination of system status. Such links may not be protected with authentication or encryption, which increases the risk that hackers could use these insecure connections to break into remotely controlled systems. Also, control systems often use wireless communications systems, which are especially vulnerable to attack, or leased lines that pass through commercial telecommunications facilities.

55, 56, 57. National Institute of Standards and Technology, US Department of Commerce (September 2008). Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82 FINAL PUBLIC DRAFT). Keith Stouffer, Joe Falco, Karen Scarfone.
Firewalls nonexistent or improperly configured

A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate networks. This could cause several problems, including allowing attacks and malware to spread between networks, making sensitive data susceptible to monitoring/eavesdropping on the other network, and providing individuals with unauthorized access to systems.

Network Communication (DNP 3) Vulnerabilities 58


SCADA systems are built using public or proprietary communication protocols which are used for communicating between an MTU and one or more RTUs. The SCADA protocols provide transmission specifications to interconnect substation computers, RTUs, IEDs, and the master station. The most common protocol is DNP3 (Distributed Network Protocol Version 3.3). It was developed to achieve interoperability among systems in the electric utility. The following list presents features of DNP3 that provide benefits to the user:

- Open standard
- Interoperability between multi-vendor devices
- A protocol that is supported by a large and increasing number of equipment manufacturers
- Layered architecture conforming to the IEC enhanced performance architecture model
- Optimized for reliable and efficient SCADA communications
- Supported by comprehensive implementation testing standards
- The ability to select from multiple vendors for future system expansion and modification

Here are some attacks which exploit the protocol specifications:

- Passive Network Reconnaissance: An attacker with the appropriate access captures and analyzes DNP3 messages. This attack provides the attacker with information about network topology, device functionality, memory addresses and other data.
- Baseline Response Replay: An attacker with knowledge of normal DNP3 traffic patterns simulates responses to the master while sending fabricated messages to outstation devices.

58. East, Samuel; Butts, Jonathan; Papa, Mauricio; and Shenoi, Sujeet (2009). A taxonomy of attacks on the DNP3 Protocol. Critical Infrastructure Protection III, IFIP AICT 311, pp. 67-81, 2009. IFIP International Federation for Information Processing.

- Rogue Interloper: An attacker installs a man-in-the-middle device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic.
- Length Overflow and DFC Flag Attack: These attacks either insert an incorrect value in the Length field that affects message processing or set the DFC flag, which causes an outstation device to appear busy to the master. These attacks can result in data corruption, unexpected actions and device crashes.
- Reset Function and Unavailable Function Attack: This attack sends a DNP3 message with Function Code 1 (reset user process) to the targeted outstation. The attack causes the targeted device to restart, rendering it unavailable for a period of time and possibly restoring it to an inconsistent state. Examples are interruption of an outstation and modification of an outstation. In the unavailable function attack, the attacker sends a DNP3 message with Function Code 14 or 15, which indicates that a service is not functioning or is not implemented in an outstation device. The attack causes the master not to send requests to the targeted outstation because it assumes that the service is unavailable.
- Destination Address Alteration: By changing the destination address field, an attacker can reroute requests or replies to other devices, causing unexpected results. An attacker can also use the broadcast address 0xFFFF to send erroneous requests to all the outstation devices; this attack is difficult to detect because (by default) no result messages are returned to a broadcast request.
- Fragmented Message Interruption: The FIR and FIN flags indicate the first and final frames of a fragmented message, respectively. When a message with the FIR flag arrives, all previously received incomplete fragments are discarded. Inserting a message with the FIR flag set after the beginning of a transmission of a fragmented message causes the reassembly of a valid message to be disrupted. Inserting a message with the FIN flag set terminates message reassembly early, resulting in an error during the processing of the partially completed message.
- Transport Sequence Modification: The Sequence field is used to ensure in-order delivery of fragmented messages. The sequence number increments with each fragment sent, so predicting the next value is trivial. An attacker who inserts fabricated messages into a sequence of fragments can inject any data and/or cause processing errors.
- Outstation Data Reset: This attack sends a DNP3 message with Function Code 15. The attack causes an outstation device to reinitialize data objects to values inconsistent with the state of the system. Examples of this attack are interruption and modification of an outstation.
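From the monitoring side, several of the attacks above leave a mark in the DNP3 link-layer header that a passive sensor can flag: a Length field that disagrees with the octets actually on the wire, the broadcast destination 0xFFFF, a RESET_USER_PROCESS request (function code 1), an outstation reporting function code 14 or 15, and the DFC flag in an outstation reply. The following Python checker is an added example written for this edit, not code from the report or from East et al.; the CRC routine and field layout follow the DNP3 link-layer format, and the frames in the comments and test are constructed.

```python
"""DNP3 link-layer frame checker (constructed example, not the report's code)."""
from dataclasses import dataclass
from typing import List

START = b"\x05\x64"   # DNP3 link-layer start octets
BROADCAST = 0xFFFF    # destination every outstation accepts; no reply is expected
HEADER_LEN = 10       # 8 header octets followed by a 2-octet CRC


def crc_dnp(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a frame: header + CRC, then user data in 16-octet blocks, each with its own CRC.
    The Length field counts control, destination, source and user data, but not the CRCs."""
    header = (START + bytes([5 + len(user_data), control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


@dataclass
class LinkHeader:
    length: int
    prm: bool       # bit 6: set when the frame comes from the primary (initiating) station
    fcv_dfc: bool   # bit 4: FCV in primary frames, DFC (data flow control) in secondary frames
    function: int   # bits 0-3: link function code; its meaning depends on PRM
    dest: int
    src: int


def parse_header(frame: bytes) -> LinkHeader:
    """Decode the 8-octet header after checking its CRC; raise ValueError on a malformed frame."""
    if len(frame) < HEADER_LEN or frame[:2] != START:
        raise ValueError("not a DNP3 frame")
    if crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    ctrl = frame[3]
    return LinkHeader(length=frame[2], prm=bool(ctrl & 0x40), fcv_dfc=bool(ctrl & 0x10),
                      function=ctrl & 0x0F,
                      dest=int.from_bytes(frame[4:6], "little"),
                      src=int.from_bytes(frame[6:8], "little"))


def wire_size_for(length: int) -> int:
    """Octets a frame with this Length value must occupy once the per-block CRCs are added."""
    data = length - 5
    return HEADER_LEN + data + 2 * ((data + 15) // 16)


def check_frame(frame: bytes) -> List[str]:
    """Findings a passive monitor would raise for one captured frame; an empty list means nothing notable."""
    try:
        h = parse_header(frame)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if h.length < 5 or wire_size_for(h.length) != len(frame):
        findings.append("LENGTH field disagrees with octets on the wire (length overflow)")
    if h.dest == BROADCAST:
        findings.append("broadcast destination 0xFFFF: no reply will expose a bad request")
    if h.prm and h.function == 1:
        findings.append("RESET_USER_PROCESS (function 1) from master: outstation will restart")
    if not h.prm and h.function in (14, 15):
        findings.append(f"outstation reports link service unavailable (function {h.function})")
    if not h.prm and h.fcv_dfc:
        findings.append("DFC flag set in outstation reply: master will hold further requests")
    return findings


if __name__ == "__main__":
    # Constructed master request (DIR=1, PRM=1, UNCONFIRMED_USER_DATA) to outstation 1.
    normal = build_frame(0xC4, 0x0001, 0x0400, b"\xC0\xC0\x01")
    print(check_frame(normal))                               # []
    print(check_frame(build_frame(0xC4, BROADCAST, 0x0400)))  # broadcast finding
    print(check_frame(normal[:-1]))                          # length finding
```

Frames whose header CRC fails are reported as malformed rather than decoded, so a frame with a rewritten Length or destination but an unadjusted CRC surfaces as corruption instead of being trusted.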


Security issues in SCADA and DNP3 are summarized in Table 6.

Table 6. SCADA security issues

Security Issue | Description | Security Threat Levels
Public Information Availability | Information available through manuals, vendors, and through routine public queries. | Confidentiality
Policy and Procedure Vulnerabilities | Inadequate security policies, without the security architecture and design, pose a threat. Lack of security audits, disaster recovery plan etc. | Integrity
Platform Configuration Vulnerabilities | OS and application security patches are not maintained. Inadequate access control to systems, inadequate password policies. | Confidentiality, Integrity, Availability
Platform Software Vulnerabilities | Buffer overflow, denial of service, intrusion detection/prevention software not installed, malware protection not provided | Confidentiality, Integrity, Availability, Accountability
Network Configuration Vulnerabilities | Weak network security architecture, data flow control not applied | Availability, Integrity
Network Perimeter Vulnerabilities | Firewalls nonexistent or improperly configured, Insecure Connections Exacerbate Vulnerabilities, Network Leak Vulnerabilities | Confidentiality, Integrity, Accountability
Network Communication Vulnerabilities | Passive Network Reconnaissance | Integrity
Network Communication Vulnerabilities | Baseline Response Replay | Accountability
Network Communication Vulnerabilities | Rogue Interloper | Integrity
Network Communication Vulnerabilities | Length Overflow and DFC Flag Attack | Integrity, Confidentiality
Network Communication Vulnerabilities | Reset Function and Unavailable Function Attack | Availability
Network Communication Vulnerabilities | Destination Address Alteration | Availability
Network Communication Vulnerabilities | Fragmented Message Interruption | Integrity
Network Communication Vulnerabilities | Transport Sequence Modification | Integrity
Network Communication Vulnerabilities | Outstation Data Reset | Integrity, Availability
Network Communication Vulnerabilities | Outstation Application Termination | Availability

There is a recent security extension to DNP3, but the researchers are not aware of its widespread implementation.


8.0 PLUG IN ELECTRIC VEHICLES (PEV) SECURITY ISSUES


8.1. Introduction

Despite the current high cost of maintaining electric vehicles, they are generally cheaper to operate over the long run because they reduce dependency on oil resources, which have been fluctuating in price due to the political instability of the nations that supply the natural oil. Electric vehicles also produce less greenhouse emissions than gas-powered vehicles, which will help reduce the effects of global warming.

Many technological and economic challenges come with the continued trend of PEVs becoming more prevalent. In particular, battery technology (e.g., battery capacity and charge time) and the infrastructure (e.g., charge stations and grid) are essential prerequisites for a massive deployment. 59 The Smart Grid will utilize Vehicle-to-Grid (V2G), which is one of the technological advances that will be used in making electric vehicles a viable mainstream option for prospective automobile customers. V2G will be a vital component for both the vehicles' owners and the energy providers because it will allow both parties to draw power from each other as needed. Peak load leveling is a concept that allows V2G vehicles to provide power to help balance loads by valley filling (charging at night when demand is low) and peak shaving (sending power back to the grid when demand is high). 60 V2G gives electric vehicles the capability to charge their fuel cells when energy demand is low, while enabling energy companies to draw power from the vehicles when there is a shortage of power. Since most vehicles are parked an average of 95 percent of the time, their batteries could be used to let electricity flow from the car to the power lines and back, with a value to the utilities of up to $4,000 per year per car. 61 Seeing that V2G follows the concept of peak load leveling, power consumers and providers can help each other reduce cost and improve the overall effectiveness of power distribution.

Even though there has been some progress in solutions for PEV technology, other security issues associated with the technology and the data it will use remain. Some potential security issues related to PEVs include Secure Payment and Privacy, Smart Metering, and Critical Infrastructure and Physical Security. 62

59, 61. Paar, Christof, Andy Rupp, Kai Schramm, Andre Weimerskirch, and Wayne Burleson. Securing Green Cars: IT Security in Next Generation Electric Vehicle Systems. Tech. Amherst: ECE Department, University of Massachusetts at Amherst.
60, 62. Vehicle-to-grid. Wikipedia, the free encyclopedia. Wikipedia, 2 Oct. 2009.


8.2. Privacy of Movement

PHEVs will overload the smart grid when they are plugged in for charging because the PHEVs move from place to place, so the power requirements at each location change. For example, there may be a city like Manhattan where more traffic flows in during peak office hours. If many PHEVs are plugged into the grid at that point at the same time, it will overload the grid. To solve this problem the position of the PHEVs should be monitored. The constant monitoring of the PHEV location raises privacy concerns for one's individual freedom. Additionally, if someone breaks into the monitoring system, they could get access to this information.

8.3. Secure Payment

A very important element of the smart grid is a payment system which works reliably and securely, and which protects both the end user and the provider. There are good reasons to prefer electronic payment systems over cash payments, such as reduced revenue collection costs and reduction of losses, enhanced customer satisfaction, improved services and operational efficiency, as well as more flexible pricing strategies. One type of solution is to use credit cards. However, credit card systems do have problems as well. For example, the transaction needs to be protected so that an individual's information is not revealed to third parties. Another approach would be to adopt Integrated Transportation Payment Systems (ITPS). Unfortunately, there are also examples of serious shortcomings of today's ITPS. Existing systems do not have mechanisms protecting their security and especially the privacy of their users. One problem is that some systems deploy cryptographically weak proprietary primitives. E-cash protocols have by now been extensively studied. That work shows that it is possible to construct secure offline payment that protects the anonymity of honest users but is nevertheless able to disclose their identities as soon as they try to cheat the system.

Potential attackers can be categorized as a small set of individuals, commercial companies, and government institutions. Typically regular individuals will attack the system to acquire private sensitive information in order to track individuals, or attack the system because they are curious. On the other hand, commercial companies will generate user profiles to increase their revenue. They will usually respect legal restrictions, but they will also exploit legal loopholes. Finally, government institutions will have extensive power and they might even be able to define the legal environment. Therefore it is important to define a legal framework to account for companies and government institutions, and to define technical solutions that account for individual attackers.

Privacy is a challenging problem, since it involves cryptographic theory, engineering, policy and sociology. In order to enable a deployment, adequate security and privacy mechanisms must be a requirement. To prevent malicious actions by attackers, some form of IT security needs to be introduced to systems. Such methods range from cryptographic mechanisms, to secure and privacy-preserving payment systems, to a critical infrastructure interpretation of the electric car charging network. This should lead towards addressing the security problems.


8.4. Smart Metering

The owner of the PEV might want to report less electricity than what was actually delivered to the PEV's batteries, and the energy provider might want to charge for more energy than what was actually delivered. Even worse than these two would be a third party or middleman, such as a charging station, which would be able to cheat both the energy providers and the owners of the PEV. This can happen if care is not taken in securing the smart meter from tampering. There are best practices that can be applied to provide protection.

8.5. Critical Infrastructure & Physical Security

When PEVs become the norm, the link between the energy and transportation critical infrastructures will become tightly intertwined. Any malicious attack made against either one of these two critical infrastructures could potentially pose a threat to the security of both, specifically in the areas of traffic management and payments for services rendered pertaining to the charging of a PEV. Since the link between these two critical infrastructures is uncharted territory for both the energy and transportation critical infrastructure sectors, research will be needed to better understand the impacts of such a close relationship between the two sectors. If a malicious attack were to penetrate the defenses of either the energy or the transportation critical infrastructure, it would be devastating to both critical infrastructures, monetarily and physically. Many businesses will not be able to operate without the ability to charge their vehicles. Traffic management will also become a problem, and can potentially lead to physical harm to individuals. Because of the severity of the problems that can be caused by a malicious attack, the Department of Defense should be an active participant in the security of the energy and transportation sectors of the critical infrastructures.

Physical security of the equipment is also important to the security of PEVs. If an individual is allowed to take electricity without paying for it, most of the time that individual will take the opportunity. The smart chargers will need to be secure enough that a potential attacker cannot hack the smart charger for a PEV to provide their PEV with free electricity. There also might be attackers that are not only looking for free electricity, but also to obtain sensitive information from the smart charging of the current owner or previous owners of the smart charging device.

Sometimes attackers are not only looking to steal information or energy, but also looking to cause physical harm to the owner of the PEV. If a battery is overcharged there is a possibility that the battery will explode and cause physical harm to anyone in the vicinity of the explosion. The solution to such a problem should be multi-faceted. The manufacturers of the battery should include circuitry that does not allow overcharging of their batteries, and the smart meter should make sure that overcharging of a battery is not allowed. Another place that an attacker can cause mischief is at a charging station for PEVs, by either skewing the amount of energy purchased or by stealing credit card numbers via card skimmers. Particular care has to be taken when dealing with the physical security of the hardware that involves PEVs.


Successful integration of PEVs into the Smart Grid depends on overcoming the security challenges of Secure Payment and Privacy, Smart Metering, and Critical Infrastructure and Physical Security. 63

8.6. Communication

The PHEVs might use the cellular network for communication, but there are vulnerabilities in this network that can be used as a means of getting access into the system, sending wrong information, attacking the system, etc. The potential attacks that can be performed include man-in-the-middle attacks, spoofing, etc.

63. Paar, Christof, Andy Rupp, Kai Schramm, Andre Weimerskirch, and Wayne Burleson. Securing Green Cars: IT Security in Next Generation Electric Vehicle Systems. Tech. Amherst: ECE Department, University of Massachusetts at Amherst.

9.0 GENERIC SECURITY ISSUES OF THE SMART GRID


9.1. Introduction

These security issues are critical, but they are not uniquely associated with a specific smart grid logical component. These issues could affect any smart grid component and refer to actual field cases. The researchers have not been able to verify these field cases with the relevant California utilities. When they do so they will document it in subsequent reports. Most of the issues addressed here can be found in the NIST smart grid bottom-up security analysis document as well as the smart grid vulnerability list.

9.2. Authenticating and Authorizing Users (People) to Substation IEDs

The problem is how to authenticate and authorize users (maintenance personnel) to Intelligent Electronic Devices (IEDs) in substations in such a way that access is specific to a user, authentication information (e.g. password) is specific to each user (i.e. not shared between users), and control of authentication and authorization can be centrally managed across all IEDs in the substation and across all substations belonging to the utility and updated reasonably promptly to ensure only intended users can authenticate to intended devices and perform authorized functions.

Currently many substation IEDs have a notion of role but no notion of user. Passwords are stored locally on the device and several different passwords allow different authorization levels. These role passwords are shared amongst all users of the device with the role in question, possibly including non-utility employees such as contractors and vendors. Furthermore, due to the number of devices, these passwords are often the same across all devices in the utility, and seldom changed.

Users may be utility employees, contractors, or vendor support engineers. Roles may include audit (read-only), user (read-write), administrator (add/remove/modify users), and security officer (change security parameters).

The device may be accessed locally in the sense that the user is physically present in the substation and accesses the IED from a front panel connection or wired network connection, or possibly wireless. The device may also be accessed remotely over a low-speed (dial-up) or high-speed (network) connection from a different physical location.

A provision to ensure that necessary access is available in emergency situations may be important, even if it means bypassing normal access control, but with an audit trail.


9.3. Authenticating and Authorizing Maintenance Personnel to Smart Meters

Like IED equipment in substations, current smart meter deployments use passwords in meters that are not associated with users. Passwords are shared between users and the same password is typically used across the entire meter deployment. The security problem is similar to IEDs. Access may be local through the optical port of a meter, or remote through the AMI infrastructure, or remote through the HAN gateway.

Meters generally have some sort of connectivity to an AMI head end, but this connectivity may be as slow as 1200 baud, or lower (e.g. some power line carrier devices have data rates measured in millibaud).

9.4. Authenticating and Authorizing Users (People) to Outdoor Field Equipment (e.g. Pole-Top Device)

Some newer pole-top and other outdoor field equipment supports 802.11 or Bluetooth for near-local user access from a maintenance truck. The problem is how to authenticate and authorize users (maintenance personnel) to such devices in such a way that access is specific to a user (person), authentication information (e.g. password) is specific to each user (not shared between users), and control of authentication and authorization can be centrally managed across the utility and updated reasonably promptly to ensure only intended users can authenticate to intended devices and perform authorized functions.

There are two problems. One is the security of the wireless channel. The second is how users are authenticated. The researchers suspect that, just like IEDs and Smart Meters, there are passwords in the field device (e.g. pole-top recloser) that will be the same across hundreds or thousands of devices and never changed, i.e. not specific to the user.

Access will usually be local via wired connections, or near-local via short-range radio, although some devices may support true remote access.

9.5. Authenticating and Authorizing Consumers to Meters

In case meters act as home area network gateways for providing energy information to consumers and/or control for demand response programs, if consumers are authenticated to meters, authorization and access levels need to be carefully considered, i.e., a consumer capable of supplying energy to the power grid may have different access requirements than one who does not.


9.6. Authenticating Meters to/from AMI Head Ends (Mutual Authentication)

It is important for a meter to authenticate any communication from an AMI head end, in order to ensure that an adversary cannot issue control commands to the meter, update firmware, etc. It is important for an AMI head end to authenticate the meter, since usage information retrieved from the meter will be used for billing, and commands must be assured of delivery to the correct meter.

9.7. Authenticating HAN Devices to/from HAN Gateways

Demand response HAN devices must be securely authenticated to the HAN gateway and vice versa. It is important for a HAN device to authenticate any demand response signals or commands from the DR head end in order to prevent control by an adversary. Without such authentication, coordinated falsification of control commands across many HAN devices and/or at rapid rates could lead to grid stability problems. It is important that the DR head end authenticate the HAN device both to ensure that commands are delivered to the correct device, and that responses from that device are not forged.

Should a HAN device fail to authenticate, it will presumably be unable to respond to demand response signals. It should not be possible for a broad DOS attack to cause a large number of HAN devices to fail to authenticate and thereby not respond to a DR event.

9.8. Securing Serial SCADA Communications

Many substations and distribution communication systems still employ slow serial links for various purposes, including SCADA communications with control centers and distribution field equipment. Furthermore, many of the serial protocols currently in use do not offer any mechanism to protect the integrity or confidentiality of messages, i.e., messages are transmitted in clear text form. Solutions that simply wrap a serial link message into protocols like SSL or IPSEC over PPP will suffer from the overhead imposed by such protocols (both in message payload size and computational requirements) and would unduly impact latency and bandwidth of communications on such connections. A solution is needed to address the security and bandwidth constraints of this environment.

9.9. Protection of Routing Protocols in AMI Layer 2/3 Networks

In the AMI space, there is increasing likelihood that mesh routing protocols will be used on wireless links. Wireless suffers from several well-known and often easily exploitable attacks, partly due to the lack of control of the physical medium (the radio waves). Modern mechanisms like 802.11i have worked to close some of these holes for standard wireless deployments. However, wireless mesh technology potentially opens the door to some new attacks in the form of route injection, node impersonation, L2/L3/L4 traffic injection, traffic modification, etc. Most current on-demand and link-state routing mechanisms do not specify a scheme to protect the data or the routes the data takes, primarily because of the distributed nature of the system itself. They also generally lack schemes for authorizing and providing integrity protection for adjacencies in the routing system. Without routing security, attacks such as eavesdropping, impersonation, man-in-the-middle, and denial of service could be easily mounted on AMI traffic.

9.10. Key Management for Meters


Where meters contain cryptographic keys for authentication, encryption, or other cryptographic operations, a key management scheme must provide for adequate protection of cryptographic materials as well as sufficient key diversity. That is, a meter, collector, or other power system device should not be subject to a break-once-break-everywhere scenario due to one shared secret being used across the entire infrastructure. Each device should have unique credentials and key material such that compromise of one device does not impact other deployed devices. The key management system must also support an appropriate lifecycle of periodic rekeying and revocation.

There are existing cases of large deployed meter bases using the same symmetric key across all meters, and even in different States. In order to share network services, adjacent utilities may even share and deploy that key information throughout both utility AMI networks. Compromising a meter in one network could compromise all meters and collectors in both networks.
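To make the key-diversity requirement above concrete, the following is an added Python example written for this edit (not code from the report or from any AMI vendor). It derives a distinct key for each meter from a root secret that only the head end holds, using HKDF with SHA-256 from the standard library, and binds the utility identifier and a key-version counter into the derivation so that meters of two utilities sharing a network never receive the same key and periodic rekeying is a version change. The root secret, utility and meter identifiers are constructed placeholders.

```python
"""Per-meter key diversification (constructed example, not the report's code)."""
import hashlib
import hmac
from typing import Dict, Iterable

HASH = hashlib.sha256
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869): extract with the salt, then expand with the context info."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def meter_key(root_secret: bytes, utility_id: str, meter_id: str, key_version: int) -> bytes:
    """Key for one meter, bound to (utility, meter, version).

    The root secret stays at the head end; each meter is provisioned with only its
    own derived key, so a meter recovered from the field reveals nothing about its
    neighbours. The utility identifier in the salt keeps keys distinct even where two
    utilities share a NAN; revocation is the head end refusing an old version."""
    if key_version < 1:
        raise ValueError("key_version starts at 1")
    salt = b"ami-root|" + utility_id.encode()
    info = b"meter|" + meter_id.encode() + b"|v" + str(key_version).encode()
    return hkdf_sha256(root_secret, salt, info)


def provision_fleet(root_secret: bytes, utility_id: str, meter_ids: Iterable[str],
                    key_version: int = 1) -> Dict[str, bytes]:
    """Derive the keys for a fleet and confirm no two meters received the same key."""
    keys = {m: meter_key(root_secret, utility_id, m, key_version) for m in meter_ids}
    if len(set(keys.values())) != len(keys):
        raise RuntimeError("key collision: diversification failed")
    return keys


if __name__ == "__main__":
    ROOT = bytes(range(32))  # constructed placeholder; a real root secret comes from an HSM or RNG
    fleet = provision_fleet(ROOT, "utility-A", ["meter-0001", "meter-0002"])
    for meter, key in fleet.items():
        print(meter, key.hex())
    print("v2:", meter_key(ROOT, "utility-A", "meter-0001", 2).hex())
```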

9.11. Insecure Firmware Updates


The ability to perform firmware updates on meters in the field allows for the evolution of applications and the introduction of patches without expensive physical visits to equipment. However, it is critical to assure that firmware update mechanisms are not used to install malware. Best practices exist to deal with these issues.

9.12. Side Channel Attacks on Smart Grid Field Equipment


These attacks are based on physical accessibility (Substation, Pole Top, Smart Meters, Collectors, etc.). A side channel attack is based on information gained from the physical implementation of a cryptosystem. Tempest attacks similarly can extract data by analysis of various types of electromagnetic radiation emitted by a CPU, display, keyboard, etc. Tempest attacks are nearly impossible to detect. Syringe attacks use a syringe needle as a probe to tap extremely fine wire traces on printed circuit boards.

Smart grid devices that are deployed in the field, such as substation equipment, pole-top equipment, smart meters and collectors, and in-home devices, are at risk of side channel attacks due to their accessibility. Extraction of encryption keys by side channel attacks from smart grid equipment could lead to compromise of usage information, personal information, passwords, etc. Extraction of authentication keys by side channel attacks could allow an attacker to impersonate smart grid devices and/or personnel, and potentially gain administrative access to smart grid systems.

9.13. Key Management and Public Key Infrastructure (PKI)


Key management for Smart Grid devices that contain symmetric or asymmetric long-lived keys is essential. Standard PKI may not be appropriate since many devices will not have connectivity to key servers, certificate authorities, OCSP servers, etc. The scale of the systems involved and their distribution is unprecedented, as it will involve millions of devices. There will also be issues of cross-certification across different domains and checking for validity of certificates within the context of this unprecedented scale.

9.14. Patch Management


Specific devices such as IEDs, PLCs, Smart Meters, etc. will be deployed in a variety of environments and critical systems. Their accessibility for software upgrades or patches may be a complex activity to undertake because of how distributed and isolated equipment can be. Also there are many unforeseen consequences that can arise from changing firmware in a device that is part of a larger engineered system. Control systems require considerable testing and qualification to maintain reliability factors.

The patch, test and deploy lifecycle is fundamentally different in the electrical sector. It can take a year or more (for good reason) to go through a qualification of a patch or upgrade. Thus there are unique challenges to be addressed in how security upgrades to firmware need to be managed.


GLOSSARY

ACL: Access Control List
ACM: Association for Computing Machinery
AES-CTR: Advanced Encryption Standard Counter Mode
AMI: Advanced Metering Infrastructure
AMR: Automated Meter Reading
ASIS: American Society for Industrial Security
AutoDR: Automated Demand Response
BMS: Building Management System
BPL: Broadband over Power Line
CCSS: Center for Control System Security
CEC: California Energy Commission
CHP: Combined Heat and Power
C&I: Commercial and Industrial
CIA: Central Intelligence Agency
CMMS: Computer Maintenance Management System
CSO: Chief Security Officer
DA: Distribution Automation
DER: Distributed Energy Resources
DFC: Dynamic Flow Concept
DHS: US Department of Homeland Security
DLC: Direct Load Control
DNP: Distributed Network Protocol
DoE: US Department of Energy
DOS: Denial of Service
DR: Demand Response
DRAS: Demand Response Automation Center
DRRC: Demand Response Research Center
DSPF: Distribution System Power Flow
DSM: Demand Side Management
DSSS: Direct Sequence Spread Spectrum
EEI: Edison Electric Institute
EM: Electromagnetic
EMS: Energy Management System
EMCS: Emergency Management Control Center
EPRI: Electric Power Research Institute
HAN: Home Area Network
HG: Home Gateway
HVAC: Heating, Ventilation & Air Conditioning
HTTP: HyperText Transfer Protocol
ICCP: Inter-Control Center Communications Protocol
ICS: Industrial Control Systems
IDART: Information Design Assurance Red Team
IED: Intelligent Electronic Devices
IOU: Investor Owned Utility
IP: Internet Protocol
ISO: Independent System Operator
IT: Information Technology
ITPS: Integrated Transportation Payment Systems
kW: Kilowatt
kWh: Kilowatt Hour
LAN: Local Area Network
LOS: Line of Sight
LSE: Load Serving Entity
LTC: Load Tap Changer
MAC: Media Access Control
MDM: Meter Data Management
MDMS: Meter Data Management System
MTU: Master Terminal Unit
NAN: Neighborhood Area Network
NIST: National Institute of Standards and Technology
NOC: Network Operating Center
OCSP: Online Certificate Status Protocol
OpenADR: Open Automated Demand Response or OpenAutoDR
PCT: Programmable Communicating Thermostat
PEV: Plug-In Electric Vehicle
PG&E: Pacific Gas & Electric
PHEV: Plug-In Hybrid Electric Vehicle
PIER: Public Interest Energy Research
PKI: Public Key Infrastructure
PLA: People's Liberation Army
PLC: Programmable Logic Controllers
RCD: Residual Current Device
RD&D: Research, Development and Demonstration
RF: Radio Frequency
RFB: Request For Bids
RG: Residential Gateway
RTO: Regional Transmission Operators
RTP: Real Time Pricing
RTU: Remote Terminal Unit
SCADA: Supervisory Control and Data Acquisition
SCE: Southern California Edison
SDLC: Systems Development Life Cycle
SG: Smart Grid
SOAP: Simple Object Access Protocol
T&D: Transmission and Distribution
TDM: Time Division Multiplexing
TLS: Transport Layer Security
TOU: Time of Use
UIS: Utility Information System
USNAP: Utility Smart Network Access Port
V2G: Vehicle to Grid
WNAN: Wireless Neighborhood Area Network
WiMax: Worldwide Interoperability for Microwave Access
WSDL: Web Service Description Language
XML: Extensible Markup Language
XSD: XML Schema Definition

REFERENCES
http://www.cisco.com/web/strategy/docs/energy/white_paper_c11_539161.pdf
http://carbonpros.com/blog1/2009/08/smart_grid_security_vulnerabil.html
http://hardware.slashdot.org/article.pl?sid=09/03/22/082236
ftp://ftp.csc.ncsu.edu/pub/tech/2009/TR20095.pdf
http://www.industrialdefender.com/general_downloads/news_industry/2009.07.28_black_hat_s
mart_meter_worm_attack_planned.pdf
http://www.cyberpunkreview.com/newsascyberpunk/theciaslatestclaimhackershave
attackedforeignutilities/
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
http://www.nerc.com/docs/standards/ChuckNobleRBBLetter.pdf
http://www.smartgridnews.com/artman/publish/News_Blogs_News/Foreign_Cyber
Spies_Inject_Spyware_into_U_S_Grid_with_Potential_for_Serious_Damage562.html
http://www.smartgridnews.com/artman/publish/Technologies_Security_News/SmartSecurity
foraSmartGridNewThreatsontheHorizon1226.html
http://www.cnn.com/2009/TECH/03/20/smartgrid.vulnerability/index.html
https://www.csoroundtable.org/knowledge/securityvulnerabilitiessmartgrid
http://cacm.acm.org/news/43974smartgridvulnerabilitiescouldcausewidespread
disruptions/fulltext
CaliforniaEnergyCommissionsPublicInterestEnergyResearchProgram,PIERBuildings
Program,AutomatedDemandResponseCutsCommercialBuildingEnergyUseandPeak
Demand,TechnicalBrief,PublicInterestEnergyResearchProgram,2008[online].
Available:http://www.energy.ca.gov/2008publications/CEC5002008086/CEC500
2008086FS.PDF
U.S.FederalEnergyRegulatoryCommission(FERC),AssessmentofDemandResponseand
AdvancedMetering,2007[online].Available:
http://www.ferc.gov/legal/staffreports/0907demandresponse.pdf
S.Kiliccote,M.A.Piette,J.H.Dudley,LawrenceBerkeleyNationalLaboratory(LBNL);E.Koch
andD.Hennage,Akuacom,OpenAutomatedDemandResponseforSmallCommercial
Buildings,LawrenceBerkeleyNationalLaboratory,July2009[online].Available:
http://drrc.lbl.gov/pubs/lbnl2195e.pdf

64

M. A. Piette, G. Ghatikar, S. Kiliccote, E. Koch, D. Hennage, P. Palensky, and C. McParland, Open Automated Demand Response Communications Specification, Demand Response Research Center, April 2009 [online]. Available: http://drrc.lbl.gov/openadr/pdf/cec-500-2009-063.pdf
E. Koch, Akuacom; M. A. Piette, Lawrence Berkeley National Laboratory (LBNL), Architecture Concepts and Technical Issues for an Open, Interoperable Automated Demand Response Infrastructure, 2007 [online]. Available: http://www.gridwiseac.org/pdfs/forum_papers/104_paper_final.pdf
A. Lee, T. Brewer, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST), Smart Grid Cyber Security Strategy and Requirements, Draft NISTIR 7628, Sept 2009 [online]. Available: http://csrc.nist.gov/publications/drafts/nistir-7628/draft-nistir-7628.pdf
K. Stouffer, J. Falco, K. Scarfone, Guide to Industrial Control Systems (ICS) Security, National Institute of Standards and Technology (NIST), Sept 2008 [online]. Available: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
E. W. Gunther, Reference Design for Programmable Communicating Thermostats Compliant with Title 24-2008, March 2007 [online]. Available: http://drrc.lbl.gov/pct/docs/ReferenceDesignTitle24PC_rev15.doc
R. Ramesh, CSCTG Demand Response Interfaces NISTIR, Aug 2008 [online]. Available: http://collaborate.nist.gov/twiki-sggrid/pub/SmartGrid/CsCTGDR/CSCTGDR_Draft_082809.doc
Khusvinder Gill, Shuang-Hua Yang, Fang Yao, and Xin Lu, A ZigBee-Based Home Automation System, Loughborough University, UK, 2009.
http://www.usnap.org/technical.aspx
Matera, Security Issues on ZigBee, Basilicata University, Italy, January 18, 2006.
Ken Masica, Recommended Practices Guide for Securing ZigBee Wireless Networks in Process Control System Environments, Lawrence Livermore National Laboratory.
http://en.wikipedia.org/wiki/IEEE_802.15.4-2003
http://en.wikipedia.org/wiki/Z-Wave
http://en.wikipedia.org/wiki/IEEE_802.11
http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html
http://en.wikipedia.org/wiki/WiMAX
Bob Fleck, Bruce Potter, 802.11 Security, O'Reilly Publications, December 2002, ISBN: 0-596-00290-4.

Naveen Sastry, David Wagner, Security Considerations for IEEE 802.15.4 Networks, UC Berkeley, 2004.
Keith Stouffer, Joe Falco, Karen Scarfone, Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82, Final Public Draft), National Institute of Standards and Technology, US Department of Commerce.
Samuel East, Jonathan Butts, Mauricio Papa, and Sujeet Shenoi, A Taxonomy of Attacks on the DNP3 Protocol, Critical Infrastructure Protection III, IFIP AICT 311, pp. 67-81, 2009. IFIP International Federation for Information Processing (2009).
Robert F. Dacey, Director, Information Security Issues, Critical Infrastructure Protection: Challenges in Securing Control, US Government Accountability Office (United States General Accounting Office), October 2003.
Edward Chikuni and Maxwell Dondo, Investigating the Security of Electrical Power Systems SCADA, 2007.
Christof Paar, Andy Rupp, Kai Schramm, Andre Weimerskirch, and Wayne Burleson, Securing Green Cars: IT Security in Next Generation Electric Vehicle Systems, Technical Report, ECE Department, University of Massachusetts at Amherst. Print.
[PEV2] Vehicle-to-grid, Wikipedia, the free encyclopedia, 2 Oct. 2009.

APPENDIX A

1. Key Power System Use Cases and Cyber Security Requirements

The following Use Cases were obtained from the NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (Sept 2009), which presented a full set of Use Cases taken from many sources, including the following:

IntelliGrid Use Cases: only the power system operations Use Cases and the Demand Response/AMI ones are of particular interest for security. The EPRI IntelliGrid project developed the complete list of Use Cases (700 cases).

AMI Business Functions, which were extracted from Appendix B of the AMI-SEC Security Requirements Specification.

Benefits and Challenges of Distribution Automation Use Case Scenarios, extracted from a CEC document which has 82 Use Cases.

EPRI Use Case Repository, a compilation of IntelliGrid and SCE Use Cases, plus others.

SCE Use Cases, developed by Southern California Edison (SCE) with the assistance of EnerNex.

The Use Cases have been grouped in the categories that follow, and they represent a good summary of most of the information discussed in this report.

1.1. Category: AMI

Scenario 1: Meter Reading Services (Periodic Meter Reading, On-Demand Meter Reading, Net Metering for DER and PEV, Feed-In Tariff Metering for DER and PEV, Bill Paycheck Matching)
Cyber Security Requirements:
Integrity of meter data is important, but the impact of incorrect data is not large.
Availability of meter data is not critical in real time.
Confidentiality (privacy) of customer metering data over the AMI system, metering database, and billing database, to avoid serious breaches of privacy and potential legal repercussions.
Scenario 2: Pre-Paid Metering (Limited Energy Usage and Limited Demand)
Cyber Security Requirements:
Integrity of meter data is critical, to avoid unwarranted disconnections due to perceived lack of prepayment. Security compromises could have a large impact on the customer and could cause legal repercussions.
Availability to turn the meter back on after payment is important, but could be handled by a truck roll if necessary.
Confidentiality (privacy) of customer metering data over the AMI system, metering database, and billing database.
Scenario 3: Revenue Protection (Tamper Detection, Anomalous Readings, Meter Status and Suspicious Meter)
Cyber Security Requirements:
Integrity of meter data is important, but if tampering is not detected or if unwarranted indications of tampering are detected, there is no power system impact, just revenue impact.
Availability to turn the meter back on after payment is important.
Confidentiality (privacy) of customer metering data over the AMI system, metering database, and billing database is important.
Scenario 4: Remote Connect/Disconnect of Meter (Remote Connect for Move-In, Remote Connect for Reinstatement on Payment, Remote Disconnect for Move-Out, Remote Disconnect for Non-Payment, Remote Disconnect for Emergency Load Control, and Unsolicited Connect/Disconnect Event)
Cyber Security Requirements:
Integrity of control commands to the RCD switch is critical to avoid unwarranted disconnections or dangerous/unsafe connections. The impact of invalid switching could be very large if many meters are involved.
Availability to turn the meter back on when needed is important.
Confidentiality requirements of the RCD command are generally not very important, except related to non-payment.
Scenario 5: Outage Detection and Restoration (Smart meters report one or more power losses, e.g. last gasp; Outage management system collects meter outage reports and customer trouble calls; Outage management system determines location of outage and generates outage trouble tickets; Work management system schedules work crews to resolve outage; Interactive utility customer systems inform the customers about the progress of events; and Trouble tickets are used for statistical analysis of outages)
Cyber Security Requirements:
Integrity is important to ensure outages are reported correctly.
Availability is important to ensure outages are reported in a timely manner (a few seconds).
Confidentiality is not very important.
Scenario 6: Meter Maintenance (Connectivity validation, Geo-location of meter, and Smart meter battery management)

Cyber Security Requirements:
Integrity of meter maintenance repairs and updates is essential to prevent malicious intrusions.
Availability is important, but only in terms of hours or maybe days.
Confidentiality is not important unless some maintenance activity involves personal information.
Scenario 7: Meter Detect Removal
This scenario discusses the AMI meter's functionality to detect and report unauthorized removal and similar physical tampering. AMI meters require additional capability over traditional meters to prevent theft and tampering, due to the elimination of the regular visual inspection provided by meter reading.
Objective/Requirements:
Reduce energy theft. Prevent theft/compromise of passwords and key material. Prevent installation of malware.
Scenario 8: Utility Detects Probable Meter Bypass
AMI meters eliminate the possibility of some forms of theft (i.e. meter reversal). Other types of theft will be more difficult to detect due to the elimination of the regular physical inspection provided by meter reading. This scenario discusses the analysis of meter data to discover potential theft occurrences.
Objective/Requirements:
Reduce theft. Protect integrity of reporting. Maintain availability for reporting and billing.

1.2. Category: Demand Response

Scenario 1: Real-Time Pricing (RTP) for Customer Load and DER/PEV
Use of Real-Time Pricing for electricity is common for very large customers, affording them an ability to determine when to use power and minimize the costs of energy for their business. The extension of real-time pricing to smaller industrial and commercial customers and even residential customers is possible with smart metering and in-home displays. Aggregators or customer energy management systems must be used for these smaller consumers due to the complexity and 24x7 nature of managing power consumption. Pricing signals may be sent via an AMI system, the Internet, or other data channels.
Cyber Security Requirements:
Integrity, including non-repudiation, of pricing information is critical, since there could be large financial and possibly legal implications.

Availability, including non-repudiation, for pricing signals is critical because of the large financial and possibly legal implications.
Confidentiality is important mostly for the responses that any customer might make to the pricing signals.
Scenario 2: Time-of-Use (TOU) Pricing
Time-of-use pricing creates blocks of time and seasonal differences that allow smaller customers, with less time to manage power consumption, to gain some of the benefits of real-time pricing. This is the favored regulatory method in most of the world for dealing with global warming. Although Real-Time Pricing is more flexible than Time-of-Use, it is likely that TOU will still provide many customers with all of the benefits that they can profitably use or manage.
Cyber Security Requirements:
Integrity is not critical since TOU pricing is fixed for long periods and is not generally transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 3: Net Metering for DER and PEV
When customers have the ability to generate or store power as well as consume power, net metering is installed to measure not only the flow of power in each direction, but also when the net power flows occurred. Often Time-of-Use (TOU) tariffs are employed.
Today larger C&I customers and an increasing number of residential and smaller C&I customers have net metering installed for their photovoltaic systems, wind turbines, combined heat and power (CHP), and other DER devices. As plug-in electric vehicles (PEVs) become available, net metering will increasingly be implemented in homes and small businesses, even parking lots.
Cyber Security Requirements:
Integrity is not very critical since net metering pricing is fixed for long periods and is not generally transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 4: Feed-In Tariff Pricing for DER and PEV
Feed-in tariff pricing is similar to net metering except that generation from customer DER/PEV has a different tariff rate than the customer load tariff rate during specific time periods.
Cyber Security Requirements:
Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 5: Critical Peak Pricing
Critical Peak Pricing builds on Time-of-Use Pricing by selecting a small number of days each year where the electric delivery system will be heavily stressed and increasing the peak (and sometimes shoulder peak) prices by up to 10 times the normal peak price. This is intended to reduce the stress on the system during these days.
Cyber Security Requirements:
Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 6: Mobile Plug-In Electric Vehicle (PEV) Functions
Customer connects PEV at another home. Customer connects PEV outside home territory. Customer connects PEV at public location. Customer charges the PEV.
Cyber Security Requirements:
Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.

1.3. Category: Customer Interfaces

Scenario 1: Customer's In-Home Device is Provisioned to Communicate with the Utility
Configure the customer's device to receive and send data to utility systems. The device could be an information display, communicating thermostat, load control device or smart appliance.
Objective/Requirements:
Protect passwords. Protect key material. Authenticate with other devices on the AMI system.
Scenario 2: Customer Views Pricing or Energy Data on Their In-Home Device
The information available to customers on their in-home devices. Multiple communication paths and device functions will be considered.
Objective/Requirements:
To validate that information is trustworthy (integrity).
Scenario 3: In-Home Device Troubleshooting
The resolution of communication or other types of errors that could occur with in-home devices. The roles of the customer, device vendor and utility will be discussed.
Objective/Requirements:
Avoid disclosing customer information. Avoid disclosing key material and/or passwords.
Scenario 4: Customer Views Pricing or Energy Data via the Internet
The information that should be available to the customer using the Internet and some possible uses for the data.
Objective/Requirements:
Protect customer's information (privacy). Provide accurate information.
Scenario 5: Utility Notifies Customers of Outage
When an outage occurs the utility can notify affected customers and provide estimated restoration times and report when power has been restored. Smart grid technologies can improve the utility's accuracy for determination of affected area and restoration progress.
Objective/Requirements:
Validate that the notification is legitimate. Customer's information is kept private.
Scenario 6: Customer Access to Energy-Related Information
Access to real-time (or near real-time) energy and demand usage and billing information.
Requesting energy services such as move-in/move-out requests, pre-paying for electricity, changing energy plans (if such tariffs become available), etc.
Access to energy pricing information.
Access to their own DER generation/storage status.
Access to their own PEV charging/discharging status.
Establishing thermostat settings for demand response pricing levels.
Although different types of energy-related information access are involved, the security requirements are similar.
Cyber Security Requirements:
Integrity, including non-repudiation, is critical since energy and pricing data will have financial impacts.
Availability is important to the individual customer, but will not have widespread impacts.
Confidentiality is critical because of customer privacy issues.

1.4. Category: Electricity Market

Scenario 1: Bulk Power Electricity Market
The bulk power market varies from region to region, and is conducted primarily through Regional Transmission Operators (RTO) and Independent System Operators (ISO). The market is handled independently from actual operations, although the bids into the market obviously affect which generators are used for what time periods and which functions (base load, regulation, reserve, etc.).
Therefore there are no direct operational security impacts, but there are definitely financial security impacts.
Cyber Security Requirements:
Integrity for pricing and generation information is critical.
Availability for pricing and generation information is important within minutes to hours.
Confidentiality for pricing and generation information is critical.
Scenario 2: Retail Power Electricity Market
The retail power electricity market is still minor, but growing, compared to the bulk power market, but typically involves aggregators and energy service providers bidding customer-owned generation or load control into both energy and ancillary services. Again it is handled independently from actual power system operations. Therefore there are no direct operational security impacts, but there are definitely financial security impacts.
Cyber Security Requirements:
Integrity for pricing and generation information is critical.
Availability for pricing and generation information is important within minutes to hours.
Confidentiality for pricing and generation information is critical.
Scenario 3: Carbon Trading Market
The carbon trading market does not exist yet, but the security requirements will probably be similar to the retail electricity market.
Cyber Security Requirements:
Integrity for pricing and generation information is critical.
Availability for pricing and generation information is important within minutes to hours.
Confidentiality for pricing and generation information is critical.
1.5. Category: Distribution Automation

Scenario 1: Distribution Automation (DA) within Substations
Distribution SCADA System Monitors Distribution Equipment in Substations
Supervisory Control on Substation Distribution Equipment
Substation Protection Equipment Performs System Protection Actions
Reclosers in Substations
Cyber Security Requirements:
Integrity of distribution control commands is critical for distribution operations, avoiding outages, and providing power to customers reliably and efficiently.
Availability for control is critical, while monitoring individual equipment is less critical.
Confidentiality is not very important.
Scenario 2: Distribution Automation (DA) Using Local Automation
Local Automated Switch Management
Local Volt/Var Control
Local Field Crew Communications to Underground Network Equipment
Cyber Security Requirements:
Integrity of distribution control commands is critical for distribution operations, avoiding outages, and providing power to customers reliably and efficiently.
Availability for control is critical, while monitoring individual equipment is less critical.
Confidentiality is not very important.
Scenario 3: Distribution Automation (DA) Monitoring and Controlling Feeder Equipment
Remotely open or close automated switches
Remotely switch capacitor banks in and out
Remotely raise or lower voltage regulators
Block local automated actions
Automation of Emergency Response
Dynamic Rating of Feeders
Send updated parameters to feeder equipment
Interact with equipment in underground distribution vaults
Retrieve power system information from Smart Meters

Cyber Security Requirements:
Integrity of distribution control commands is critical for distribution operations, avoiding outages, and providing power to customers reliably and efficiently.
Availability for control is critical, while monitoring individual equipment is less critical.
Confidentiality is not very important.
Scenario 4: Fault Detection, Isolation, and Restoration
The automated fault location, isolation, and service restoration function uses the combination of the power system model with the SCADA data from the field on real-time conditions to determine where a fault is probably located, by undertaking the following steps:
Determines the faults cleared by controllable protective devices
Determines the faulted sections based on SCADA fault indications and protection lockout signals
Estimates the probable fault locations, based on SCADA fault current measurements and real-time fault analysis
Determines the fault-clearing non-monitored protective device
Uses closed-loop or advisory methods to isolate the faulted segment
Once the fault is isolated, it determines how best to restore service to unfaulted segments through feeder reconfiguration
Cyber Security Requirements:
Integrity of outage information is critical.
Availability to detect large-scale outages is important; detection usually involves multiple sources of information.
Confidentiality is not very important.
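The FDIR steps listed above, worked through on a small constructed radial feeder, as an added example that is not code from the report or from any utility's distribution management system. It implements steps 1, 2, 3, 5 and 6 (step 4, the non-monitored protective device, is not modelled) and assumes the feeder topology, section lengths, impedance figures and SCADA values shown, all constructed; the cross-check between the indicator-based and fault-current-based locations, which drops to advisory mode when the two disagree, is an added illustration of why the scenario rates integrity of outage information as critical.

```python
"""Toy fault detection, isolation and restoration (FDIR) on a radial feeder.

Added example; not code from the report or from any DMS product.  The feeder
topology, fault indicator data and impedance figures are constructed.
"""
from dataclasses import dataclass

# Constructed radial feeder, ordered from the substation:
#   breaker B -> S1 -> recloser R1 -> S2 -> switch SW2 -> S3 -> tie T (normally open)
SECTIONS = ["S1", "S2", "S3"]
UPSTREAM_DEVICE = {"S1": "B", "S2": "R1", "S3": "SW2"}
PROTECTIVE = ["B", "R1"]        # controllable, monitored devices able to clear a fault
TIE_SWITCH = "T"                # normally-open tie to a neighbouring feeder at the end of S3
LENGTH_KM = {"S1": 2.0, "S2": 3.0, "S3": 2.5}


@dataclass
class ScadaSnapshot:
    """Real-time SCADA data for one fault event (all values constructed)."""
    lockout: dict            # device -> True if it tripped to lockout
    fault_ind: dict          # device -> True if fault current passed through it
    fault_current_a: float   # fault current measured at the substation breaker
    source_v: float = 7200.0       # phase-to-neutral volts behind the breaker
    z_source_ohm: float = 1.0      # equivalent source impedance
    z_per_km_ohm: float = 0.5      # line impedance per km


def faults_cleared(s: ScadaSnapshot) -> list:
    """Step 1: protective devices whose lockout signal shows they cleared a fault."""
    return [d for d in PROTECTIVE if s.lockout.get(d, False)]


def faulted_section_from_indicators(s: ScadaSnapshot):
    """Step 2: on a radial feeder every indicator upstream of the fault sees fault
    current and none downstream does, so the faulted section is the last one whose
    upstream indicator tripped.  Returns None when the pattern is not a contiguous
    run from the source, i.e. an inconsistent (possibly corrupted) set of indications."""
    flags = [s.fault_ind.get(UPSTREAM_DEVICE[sec], False) for sec in SECTIONS]
    n = sum(flags)
    if n == 0 or flags != [True] * n + [False] * (len(flags) - n):
        return None
    return SECTIONS[n - 1]


def faulted_section_from_current(s: ScadaSnapshot):
    """Step 3: independent estimate from the measured fault current.  With
    I = V / (Z_source + z_km * d), the distance to the fault is
    d = (V / I - Z_source) / z_km; map it onto the cumulative section lengths."""
    if s.fault_current_a <= 0:
        return None, float("inf")
    distance_km = (s.source_v / s.fault_current_a - s.z_source_ohm) / s.z_per_km_ohm
    start = 0.0
    for sec in SECTIONS:
        end = start + LENGTH_KM[sec]
        if distance_km <= end:
            return sec, distance_km
        start = end
    return None, distance_km


def plan_isolation_and_restoration(s: ScadaSnapshot) -> dict:
    """Steps 5 and 6: isolate the faulted section and restore the healthy ones.
    The switching plan is marked for closed-loop execution only when the two
    independent locations (indicators vs. fault current) agree; otherwise it is
    issued as advisory for an operator, since acting on a single corrupted
    indication could isolate the wrong section."""
    cleared = faults_cleared(s)
    by_ind = faulted_section_from_indicators(s)
    by_cur, distance_km = faulted_section_from_current(s)
    plan = {"cleared_by": cleared, "by_indicators": by_ind, "by_current": by_cur,
            "distance_km": round(distance_km, 2), "faulted": None,
            "open": [], "close": [], "mode": "advisory"}
    if not cleared or by_ind is None or by_ind != by_cur:
        return plan                                   # nothing cleared, or sources disagree
    idx = SECTIONS.index(by_ind)
    plan["faulted"] = by_ind
    # Isolate: open the device upstream of the fault and the first device downstream.
    plan["open"].append(UPSTREAM_DEVICE[by_ind])
    if idx + 1 < len(SECTIONS):
        plan["open"].append(UPSTREAM_DEVICE[SECTIONS[idx + 1]])
    # Restore upstream sections: re-close any tripped device above the fault.
    plan["close"] = [d for d in cleared if d != UPSTREAM_DEVICE[by_ind]]
    # Restore downstream sections from the neighbouring feeder via the tie.
    if idx + 1 < len(SECTIONS):
        plan["close"].append(TIE_SWITCH)
    plan["mode"] = "closed-loop"
    return plan


if __name__ == "__main__":
    # Constructed event: fault 3.5 km from the substation, i.e. inside S2.
    good = ScadaSnapshot(lockout={"B": False, "R1": True},
                         fault_ind={"B": True, "R1": True, "SW2": False},
                         fault_current_a=7200.0 / 2.75)
    print(plan_isolation_and_restoration(good))
    # Same event, but the SW2 indicator reports fault current it never saw.
    bad = ScadaSnapshot(lockout={"B": False, "R1": True},
                        fault_ind={"B": True, "R1": True, "SW2": True},
                        fault_current_a=7200.0 / 2.75)
    print(plan_isolation_and_restoration(bad)["mode"])
```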
Scenario 5: Load Management
Load management provides active and passive control by the utility of customer appliances (e.g. cycling of air conditioners, water heaters, and pool pumps) and certain C&I customer systems (e.g. plenum pre-cooling, heat storage management).
Direct load control and load shedding
Demand side management
Load shift scheduling
Curtailment planning
Selective load management through Home Area Networks
Cyber Security Requirements:
Integrity of load control commands is critical to avoid unwarranted outages.
Availability for load control is important; in aggregate (e.g. > 300 MW), it can be critical.
Confidentiality is not very important.
Scenario 6: Distribution Analysis using Distribution Power Flow Models
The brains behind the monitoring and controlling of field devices are the DA analysis software applications. These applications generally use models of the power system to validate the raw data, assess real-time and future conditions, and issue the appropriate actions. The applications may be distributed and located in the field equipment for local assessments and control, and/or may be centralized in a Distribution Management System for global assessment and control.
Local peer-to-peer interactions between equipment.
Normal distribution operations using the Distribution System Power Flow (DSPF) model.
Emergency distribution operations using the DSPF model.
Study Mode Distribution System Power Flow (DSPF) model.
DSPF/DER Model of distribution operations with significant DER generation/storage.
Cyber Security Requirements:
Integrity is critical to operate the distribution power system reliably, efficiently, and safely.
Availability is critical to operate the distribution power system reliably, efficiently, and safely.
Confidentiality is not important.
Scenario 7: Distributed Energy Resource (DER) Management: Distribution Operations
In the future, more and more generation and storage resources will be connected to the distribution network and will significantly increase the complexity and sensitivity of distribution operations. Therefore, the management of DER generation will become increasingly important in the overall management of the distribution system, including load forecasts, real-time monitoring, feeder reconfiguration, virtual and logical microgrids, and distribution planning.
Direct monitoring and control of DER.
Shutdown or islanding verification for DER.
Plug-in Hybrid Vehicle (PEV) management, as load, storage, and generation resource.
Electric storage fill/draw management.
Renewable energy DER with variable generation.
Small fossil resource management, such as backup generators to be used for peak shifting.

Cyber Security Requirements:
Integrity is critical for any management/control of generation and storage.
Availability requirements may vary depending on the size (individual or aggregate) of the DER plant.
Confidentiality may involve some privacy issues with customer-owned DER.
Scenario 8: Distributed Energy Resource (DER) Management: Control Centers
Distribution planning typically uses engineering systems with access only to processed power system data that is available from the control center. It is therefore relatively self-contained.
Operational planning
Assessing Planned Outages
Storm Condition Planning
Short-term distribution planning
Short-Term Load Forecast
Short-Term DER Generation and Storage Impact Studies
Long-term distribution planning
Long-Term Load Forecasts by Area
Distribution Financial Planners
Distribution System Upgrades and Extension
Optimal Placements of Switches, Capacitors, Regulators, and DER
Cyber Security Requirements:
Integrity is not critical due to multiple sources of data.
Availability is not important.
Confidentiality is not important.

1.6. Category: Plug-In Hybrid Electric Vehicles (PHEV)

Scenario 1: Customer Connects Plug-in Hybrid Electric Vehicle to Energy Portal
A customer plugging in an electric vehicle at their premise to charge its battery. Variations of this scenario will be considered that add complexity: a customer charging their vehicle at another location and providing payment, or charging at another location where the premise owner pays.
Objective/Requirements:
The customer's information is kept private. Billing information is accurate.
Scenario 2: Customer Connects Plug-in Hybrid Electric Vehicle to Energy Portal and Participates in Smart (Optimized) Charging
In addition to simply plugging in an electric vehicle for charging, in this scenario the electric vehicle charging is optimized to take advantage of lower rates or help prevent excessive load peaks on the electrical system.
Objective/Requirements:
Customer information is kept private.
Scenario 3: Plug-In Hybrid Electric Vehicle or Customer Receives and Responds to Discrete Demand Response Events
An advanced scenario for electric vehicles is the use of the vehicle to provide energy stored in its battery back to the electrical system. Customers could participate in demand response programs where they are provided an incentive to allow the utility to request power from the vehicle at times of high system load.
Objective/Requirements:
Improved system stability and availability. To keep customer information private. To ensure DR messages are accurate and trustworthy.
Scenario 4: Plug-In Hybrid Electric Vehicle or Customer Receives and Responds to Utility Price Signals
The electric vehicle is able to receive and act on electricity pricing data sent from the utility. The use of pricing data for charging is primarily covered in another scenario. The pricing data can also be used in support of a distributed resource program where the customer allows the vehicle to provide power to the electric grid based on market conditions.
Objective/Requirements:
Improved system stability and availability. Pricing signals are accurate and trustworthy. Customer information is kept private.

1.7. Category: Distributed Resources

Scenario 1: Customer Provides Distributed Resource
The process of connecting a distributed resource to the electric power system and the requirements of net metering.
Objective/Requirements:
Customer information is kept private. Net metering is accurate and timely.
Scenario 2: Utility Controls Customer's Distributed Resource
Distributed generation and storage can be used as a demand response resource where the utility can request or control devices to provide energy back to the electrical system. Customers enroll in utility programs that allow their distributed resource to be used for load support or to assist in maintaining power quality. The utility programs can be based on direct control signals or pricing information.

Objective/Requirements:
Commands are trustworthy and accurate. Customer's information is kept private. DR messages are received in a timely manner.

1.8. Category: Transmission Operations

Scenario 1: Real-Time Normal Transmission Operations Using EMS Applications and SCADA Data
Transmission normal real-time operations involve monitoring and controlling the transmission system using the SCADA and Energy Management System. The types of information exchanged include:
Monitored equipment states (open/close), alarms (overheat, overload, battery level, capacity), and measurements (current, voltage, frequency, energy).
Operator command and control actions, such as supervisory control of switching operations, setup/options of EMS functions, and preparation for storm conditions.
Closed-loop actions, such as protective relaying tripping circuit breakers upon power system anomalies.
Automation system controls voltage, var and power flow based on algorithms, real-time data, and network-linked capacitive and reactive components.
Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to protective relaying (e.g. < 4 ms) and operator commands (e.g. one second).
Confidentiality is not important.
Scenario 2: EMS Network Analysis Based on Transmission Power Flow Models
Energy Management Systems (EMS) assess the state of the transmission power system using the transmission power system analysis models and the SCADA data from the transmission substations.
EMS performs model update, state estimation, bus load forecast.
EMS performs contingency analysis, recommends preventive and corrective actions.
EMS performs optimal power flow analysis, recommends optimization actions.
EMS or planners perform stability study of network.
Exchange power system model information with RTOs/ISOs and/or other utilities.
Cyber Security Requirements:
Integrity is vital to the reliability of the transmission system.
Availability is critical to react to contingency situations via operator commands (e.g. one second).
Confidentiality is not important.
Scenario 3: Real-Time Emergency Transmission Operations
During emergencies, the power system takes some automated actions and the operators can also take actions:
Power System Protection: Emergency operations handle under-frequency load/generation shedding, under-voltage load shedding, LTC control/blocking, shunt control, series compensation control, system separation detection, and wide-area real-time instability recovery.
Operators manage emergency alarms.
SCADA system responds to emergencies by running key applications such as disturbance monitoring analysis (including fault location), dynamic limit calculations for transformers and breakers based on real-time data from equipment monitors, and pre-arming of fast-acting emergency automation.
SCADA/EMS generates signals for emergency support by distribution utilities (according to the T&D contracts).
Operators perform system restorations based on system restoration plans prepared (authorized) by operation management.
Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to protective relaying (e.g. < 4 ms) and operator commands (e.g. one second).
Confidentiality is not important.
Scenario 4: Wide Area Synchro-Phasor System
The Wide Area Synchro-Phasor system provides synchronized and time-tagged voltage and current phasor measurements to any protection, control, or monitoring function that requires measurements taken from several locations, whose phase angles are measured against a common, system-wide reference. Present-day implementation of many protection, control, or monitoring functions is hobbled by not having access to the phase angles between local and remote measurements. With system-wide phase angle information, they can be improved and extended. The essential concept behind this system is the system-wide synchronization of measurement sampling clocks to a common time reference.

Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to protective relaying (e.g. < 4 ms) and operator commands (e.g. one second).
Confidentiality is not important.

1.9. Category: RTO/ISO Operations

Scenario 1: RTO/ISO Management of Central and DER Generators and Storage
RTOs and ISOs manage the scheduling and dispatch of central and distributed generation and storage. These functions include:
Real-time scheduling with the RTO/ISO (for non-market generation/storage)
Real-time commitment to RTO/ISO
Real-time dispatching by RTO/ISO for energy and ancillary services
Real-time plant operations in response to RTO/ISO dispatch commands
Real-time contingency and emergency operations.
Black Start (system restoration after blackout).
Emissions monitoring and control.
Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to operator commands (e.g. one second).
Confidentiality is not important.

1.10. Category: Asset Management

Scenario 1: Utility gathers circuit and/or transformer load profiles
Load profile data is important for the utility planning staff and is also used by the asset management team that is monitoring the utilization of the assets, and by the SCADA/EMS and system operations team. This scenario involves the use of field devices that measure loading, the communications network that delivers the data, the historian database and the load profile application and display capability that is either separate or an integrated part of the SCADA/EMS.
Load profile data may also be used by automatic switching applications that use load data to ensure new system configurations do not cause overloads.

Objective/Requirements:
Data is accurate (integrity).
Data is provided in a timely manner.
Customer data is kept private.
Scenario 2: Utility makes decisions on asset replacement based on a range of inputs including comprehensive offline and online condition data and analysis applications
When decisions on asset replacement become necessary, the system operator, asset management, apparatus engineering and maintenance engineering staff work closely together with the objective of maximizing the life and utilization of the asset while avoiding an unplanned outage and damage to the equipment.
This scenario involves the use of online condition monitoring devices for the range of assets monitored, offline test results, mobile workforce technologies, the communications equipment used to collect the online data, data marts (historian databases) to store and trend data as well as condition analysis applications, CMMS applications, display applications and SCADA/EMS.
Objective/Requirements:
Data provided is accurate and trustworthy.
Data is provided in a timely manner.
Scenario 3: Utility performs localized load reduction to relieve circuit and/or transformer overloads
Transmission capacity can become constrained due to a number of system-level scenarios and result in an overload situation on lines and substation equipment. Circuit and/or transformer overloads at the distribution level can occur when higher than anticipated customer loads are placed on a circuit or when operator or automatic switching actions are implemented to change the network configuration. Traditional load reduction systems are used to address generation shortfalls and other system-wide issues. Localized load reduction can be a key tool enabling the operator to temporarily curtail the load in a specific area to reduce the impact on specific equipment. This scenario describes the integrated use of the AMI system, the demand response system, other load reduction systems and the SCADA/EMS to achieve this goal.
Objective/Requirements:
Load reduction messages are accurate and trustworthy.
Customer's information is kept private.
DR messages are received and processed in a timely manner.
Scenario 4: Utility system operator determines level of severity for an impending asset failure and takes corrective action

When pending asset failure can be anticipated, the system operator, asset management, apparatus engineering and maintenance engineering staff work closely together with the objective of avoiding an unplanned outage while avoiding further damage to the equipment.
This scenario involves the use of online condition monitoring devices for the range of assets monitored, offline test results, mobile workforce technologies, the communications equipment used to collect the online data, data marts (historian databases) to store and trend data as well as condition analysis applications, CMMS applications, display applications and SCADA/EMS.
Objective/Requirements:
Asset information provided is accurate and trustworthy.
Asset information is provided in a timely manner.