INTERIM PROJECT REPORT
SMART GRID CYBER SECURITY
POTENTIAL THREATS,
VULNERABILITIES AND RISKS
Prepared for: California Energy Commission
Prepared by: California State University Sacramento
MAY 2012
CEC-500-2012-047
Prepared by:
Primary Author:
Isaac Ghansah, Ph.D.
Center for Information Assurance and Security
College of Engineering and Computer Science
California State University Sacramento (CSUS)
6000 J Street
Sacramento, CA 95819-6021
Prepared for:
California Energy Commission
David Chambers
Project Manager
Mike Gravely
Office Manager
Energy Systems Research Office
Robert P. Oglesby
Executive Director
DISCLAIMER
This report was prepared as the result of work sponsored by the California Energy Commission. It
does not necessarily represent the views of the Energy Commission, its employees or the State of
California. The Energy Commission, the State of California, its employees, contractors and
subcontractors make no warrant, express or implied, and assume no legal liability for the information
in this report; nor does any party represent that the uses of this information will not infringe upon
privately owned rights. This report has not been approved or disapproved by the California Energy
Commission nor has the California Energy Commission passed upon the accuracy or adequacy of
the information in this report.
Preface
The California Energy Commission's Public Interest Energy Research (PIER) Program supports
public interest energy research and development that will help improve the quality of life in
California by bringing environmentally safe, affordable, and reliable energy services and
products to the marketplace.
The PIER Program conducts public interest research, development, and demonstration (RD&D)
projects to benefit California.
The PIER Program strives to conduct the most promising public interest energy research by
partnering with RD&D entities, including individuals, businesses, utilities, and public or
private research institutions.
PIER funding efforts are focused on the following RD&D program areas:
• Buildings End-Use Energy Efficiency
• Energy Innovations Small Grants
• Energy-Related Environmental Research
• Energy Systems Integration
• Environmentally Preferred Advanced Generation
• Industrial/Agricultural/Water End-Use Energy Efficiency
• Renewable Energy Technologies
• Transportation
Smart Grid Cyber Security Potential Threats, Vulnerabilities And Risks is the interim report for the
Smart Grid Information Assurance and Security Technology Assessment project (Contract
Number 50008027) conducted by Center for Information Assurance and Security (CIAS) at
California State University Sacramento (CSUS). The information from this project contributes to
PIER's Energy Systems Integration Program.
For more information about the PIER Program, please visit the Energy Commission's website at
www.energy.ca.gov/research/ or contact the Energy Commission at 916-654-4878.
Please cite this report as follows:
Ghansah, Isaac, 2009. Smart Grid Cyber Security Potential Threats, Vulnerabilities And Risks.
California Energy Commission, PIER Energy-Related Environmental Research Program.
CEC-500-2012-047.
TABLE OF CONTENTS
Preface
Abstract
EXECUTIVE SUMMARY
1.0 INTRODUCTION
  1.1. What is Smart Grid?
  1.2. Report Organization
2.0 REPORTED VULNERABILITIES OF SMART GRID
3.0 INFORMATION ASSURANCE AND SECURITY CONCEPTS AND POLICIES
  3.1. Confidentiality
  3.2. Integrity
  3.3. Availability
  3.4. Accountability
  3.5. Security Concepts and Smart Grid
4.0 ADVANCED METERING INFRASTRUCTURE (AMI) SECURITY ISSUES
  4.1. Introduction
  4.2. AMI Security Threats
5.0 DEMAND RESPONSE SECURITY ISSUES
  5.1. Introduction
  5.2. Demand Response and Security Concerns
    5.2.1. Confidentiality
    5.2.2. Authentication
    5.2.3. Data Integrity
    5.2.4. Availability
    5.2.5. Accountability
  5.3. Open Automated Demand Response
    5.3.1. Open Automated Demand Response Communications Infrastructure
    5.3.2. Demand Response Automation Server (DRAS)
    5.3.3. OpenADR and Security Concerns
  5.4. Demand Response at Residential Sites and Security Issues
    5.4.1. Possible Attacks in PCT
6.0
  6.1. Introduction
  6.2. Home Area Network (HAN)
    6.2.1. ZigBee
    6.2.2. Z-Wave
  6.3. Gateway Component
  6.4. Wireless Neighborhood Area Network (WNAN)
  6.5. Potential Security Issues/Risks
    6.5.1. ZigBee
    6.5.2. Z-Wave
    6.5.3. Gateway
    6.5.4. WNAN
      IEEE 802.11
      IEEE 802.15.4
      IEEE 802.16
  6.6. Comprehensive Security Issues with HAN/Gateway/NAN
7.0 SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES
  7.1. Introduction
    7.1.1. SCADA Architecture in Detail
    7.1.2. Security Issues in SCADA
      Public Information Availability
      Platform Configuration Vulnerabilities
      Platform Software Vulnerabilities
      Network Configuration Vulnerabilities
      Network Perimeter Vulnerabilities
      Network Communication (DNP3) Vulnerabilities
8.0 PLUG-IN ELECTRIC VEHICLES (PEV) SECURITY ISSUES
  8.1. Introduction
  8.2. Privacy of Movement
  8.3. Secure Payment
  8.4. Smart Metering
  8.5. Critical Infrastructure & Physical Security
  8.6. Communication
9.0 GENERIC SECURITY ISSUES OF THE SMART GRID
  9.1. Introduction
  9.2. Authenticating and Authorizing Users (People) to Substation IEDs
  9.3. Authenticating and Authorizing Maintenance Personnel to Smart Meters
  9.4.
  9.5. Authenticating and Authorizing Consumers to Meters
  9.6. Authenticating Meters to/from AMI Head Ends (Mutual Authentication)
  9.7. Authenticating HAN Devices to/from HAN Gateways
  9.8. Securing Serial SCADA Communications
  9.9. Protection of Routing Protocols in AMI Layer 2/3 Networks
  9.10. Key Management for Meters
  9.11. Insecure Firmware Updates
  9.12. Side Channel Attacks on Smart Grid Field Equipment
  9.13. Key Management and Public Key Infrastructure (PKI)
  9.14. Patch Management
GLOSSARY
REFERENCES
APPENDIX A
List of Figures
Figure 1. Smart grid network
Figure 2. Smart grid working
Figure 3. AMI components
Figure 4. Demand response use case shows the interfaces between each component (from NIST)
Figure 5. Generic open automated demand response interface architecture
Figure 6. DRAS Interfaces
Figure 7. Path of attack in PCT
Figure 8. HAN/Gateway
Figure 9. SCADA general layout
Figure 10. SCADA architecture
List of Tables
Table 1. Security threats on AMI with respect to security goals
Table 2. Possible attacks utility/ISO operator interfaces
Table 3. Possible attacks and impacts of DRAS client interfaces
Table 4. Possible attacks and impacts of participant interfaces
Table 5. HAN security issues
Table 6. SCADA security issues
Abstract
This report is about potential Smart Grid Information Assurance and Security issues. Issues
specifically addressed are threats, vulnerabilities and risks. Mitigation and countermeasures to
address those vulnerabilities will be covered in subsequent reports.
This report is the first in a series of research tasks specified in the statement of work for the
California Energy Commission as follows (in brief):
1) Identify the potential issues affecting the confidentiality, integrity, and availability of
   information flow in the Smart Grid system. Group the issues with respect to
   confidentiality, integrity, and availability.
2) Investigate which information security best practice(s) apply to smart grid and to
   what extent they can be applied. These best practices are intended to mitigate actions
   that violate confidentiality, integrity, and availability of the information flow.
3) Explore possible cyber security R&D issues that should be addressed in Smart Grid.
   Some of these could involve wireless sensors, wireless communication systems,
   monitoring, and incident response systems.
4) Identify and recommend which potential R&D efforts should and should not be
   confidential.
5) Identify technical and non-technical solutions to ensure the privacy of end-user
   information.
The researchers used information from various Smart Grid working groups that are dealing
with cyber security issues. These groups included Utility Security, Open Smart Grid, National
Institute of Standards and Technology, and Intelligrid. Information was also obtained from web
sources, journals, and magazines.
The results show that Smart Grid has a number of potentially significant cyber security issues
that must be addressed. They include confidentiality of user information, integrity of demand
response systems, integrity and availability of SCADA (grid) systems, and integrity and
availability of Plug-In Electric Vehicles.
Because the smart grid will have an extensive Information Systems component, best practices used
on those systems can be used to mitigate those vulnerabilities. On the other hand, because of the
unique characteristics of Smart Grid, especially as a critical infrastructure, further research will
be needed to address security issues in those unique cases. The researchers plan to report on
them in future documents.
Keywords: Public Interest Energy Research, PIER, smart grid, electric grid, cyber security,
critical infrastructure, information assurance.
EXECUTIVE SUMMARY
Introduction
At the request of California Energy Commission Public Interest Energy Research (PIER), the
Center for Information Assurance and Security (CIAS) at Sacramento State University provides
this report on Cyber Security vulnerabilities, threats, and risks of the Smart Grid.
The main goal of the agreement was to determine information assurance, security, and privacy
issues associated with Smart Grid infrastructure and recommend research and development
(R&D) priorities in those areas. The project will also identify best practices in information
security that can be applied to the Smart Grid system.
This report is the first in a series of research documents covering Cyber Security issues of the
Smart Grid, namely:
• Potential threats, vulnerabilities and risks
• Best practices to mitigate those risks
• Research issues to be addressed in smart grid cyber security
• Privacy issues in smart grid infrastructure
The research specifically focused on Cyber Security issues of the following Smart Grid
components: Advanced Meter Infrastructure; Demand Response Systems; Home Area Network
(HAN); Neighborhood Area Networks, which connect the home to the utility systems;
Supervisory Control and Data Acquisition (SCADA) system, which is used for controlling
generation, transmission and distribution systems; and Plug-in Electric Vehicles.
To achieve these objectives the researchers:
• Participated in both conference calls and face-to-face meetings with experts on the Smart
  Grid
• Performed literature search on the web
• Interviewed some utility experts on the electricity generation, transmission, and
  distribution processes
• Attended workshops on demand response research and smart grid interoperability
Outcome:
As is indicated in the report, the results show that Smart Grid has a number of potentially
significant cyber security issues that must be addressed. They include confidentiality of user
information, integrity of demand response systems, integrity and availability of SCADA (grid)
systems, and integrity and availability of Plug-in Electric Vehicles. Additionally, Cyber Security
issues of communication systems are addressed. Because the smart grid will have an extensive
Information Systems component, best practices used on those systems can be used to mitigate
those vulnerabilities. On the other hand, because of the unique characteristics of Smart Grid,
one of which is that it is a critical infrastructure, further research will be needed to address security
issues in those unique cases. The researchers plan to report on them in future documents.
Benefits for California:
• Increase customer trust of the Smart Grid.
• Increase regulator understanding of the security issues in Smart Grid that need to be
  addressed by Manufacturers and Utilities.
• Increase understanding of the privacy issues in Smart Grid and how they can be
  addressed.
• Because the project will identify security and privacy issues in the Smart Grid
  infrastructure and propose solutions and research areas to be examined, its results will
  ultimately enable acceptance of wide deployment of the Smart Grid, resulting in increased
  energy efficiency and low energy costs.
1.0 INTRODUCTION
This document contains the Comprehensive Smart Grid Security Issues researched by the Smart
Grid Research Group, which is part of the Center for Information Assurance and Security (CIAS)
at California State University Sacramento (CSUS). This report is about potential Smart Grid
Information Assurance and Security issues. Issues specifically addressed in this report are
threats, vulnerabilities and risks. Mitigation and countermeasures to address those
vulnerabilities will be covered in subsequent reports.
This report is the first of a series of research tasks specified in a statement of work for the
California Energy Commission as follows:
1) Identify the potential issues affecting the confidentiality, integrity, and availability of
   information flow in the Smart Grid system. For instance, hacker/terrorist use of
   malicious software to perform denial of service attacks on critical infrastructure such as
   the Smart Grid will be examined. Group the issues with respect to confidentiality,
   integrity, and availability.
2) Investigate which information security best practice(s) apply to smart grid and to what
   extent they can be applied. Best practices such as use of firewalls for perimeter defense,
   intrusion detection, incident response handling, defense in depth, etc. are well known in
   the information security arena. These best practices are intended to mitigate actions that
   violate confidentiality, integrity, and availability of the information flow.
3) Explore possible cyber security R&D issues that should be addressed in Smart Grid.
   Some of these could involve wireless sensors, wireless communication systems,
   monitoring, and incident response systems.
4) Identify and recommend which potential R&D efforts should and should not be
   confidential.
5) Identify technical and non-technical solutions to ensure the privacy of end-user
   information. Because Smart Grid systems will contain end-user information, privacy is
   critical.
This report is about the first task listed above. Subsequent reports will discuss other tasks.
1.1. What is Smart Grid?
A smart grid (see Figure 1 and Figure 2) delivers electricity from suppliers to consumers using
digital technology to save energy, reduce cost and increase reliability and transparency. It is a
modernized electricity network which is being utilized as a way of addressing energy
independence, global warming and emergency resilience issues. [1]
The primary components of Smart Grid are shown in Figure 1. Figure 2 explains how the Smart
Grid works.
Smart Grid has the following characteristics: [3]
• Self-healing from power disturbance events
• Enabling active participation by consumers in demand response
• Operating resiliently against physical and cyber attack
• Providing power quality for 21st century needs
• Accommodating all generation and storage options
• Enabling new products, services, and markets
• Optimizing assets and operating efficiently
1. Wikipedia, http://en.wikipedia.org/wiki/Smart_grid.
2. http://www.larta.org/lartavox/articles/52009/FederalStimulusandCleantechInfrastructure.htm
3. National Energy Technology Laboratory (2007-07-27) (pdf). A Vision for the Modern Grid. United States
Department of Energy. Page 5.
http://www.netl.doe.gov/moderngrid/docs/A%20Vision%20for%20the%20Modern%20Grid_Final_v1_0.pdf.
Retrieved 2008-11-27.
4. The Smart Grid Frontier: Wide Open; David Heyerman; May 3, 2009.
Available [Online]: tinycomb.com/2009/05/03/whatisthesmartgrid/
Technically, the Smart Grid is unique in many respects. First, by its nature the Smart Grid is a
complex system. Second, Smart Grid is one of 18 critical infrastructures identified by DHS.
These systems are so vital to the United States that their incapacitation or destruction would
have a debilitating effect on security, national economic security, public health or safety, or any
combination thereof. [5] Third, smart grid is a large system because it is used to control electricity,
which is present in almost every home. Fourth, smart grid is a special critical infrastructure
because many of the 18 critical infrastructures depend on it. For instance, electricity is needed
by banks, emergency services such as hospitals, telecommunications, computers, etc. Indeed,
the Cyber Security Strategy for the 44th President of the United States cites energy, financial,
Information Technology (IT), and telecommunications as the four critical infrastructures with
the most critical cyber assets.
The unique characteristics of smart grid stated above are the reasons why cyber security of the
smart grid is imperative. The smart grid has many anticipated benefits: [6]
• Improves power reliability and quality
• Optimizes facility utilization and averts construction of backup (peak load) power
  plants
• Enhances capacity and efficiency of existing electric power networks
• Improves resilience to disruption
• Enables predictive maintenance and self-healing responses to system disturbances
• Facilitates expanded deployment of renewable energy sources
• Accommodates distributed power sources
• Automates maintenance and operation
• Reduces greenhouse gas emissions by enabling electric vehicles and new power sources
• Reduces oil consumption by reducing the need for inefficient generation during peak
  usage periods
• Improves cyber security
• Enables transition to plug-in electric vehicles and new energy storage options
• Increases consumer choice
Because of its many benefits, the federal government and many state governments,
including California, are funding research and demonstration efforts for the smart grid. Both the US
Departments of Commerce and Energy are pushing for interoperability standards for smart grid.
NIST, as a branch of the Commerce Department, is leading the effort to create those standards.
Additionally, organizations as diverse as Electric Utilities, US DOE, NIST, Google, Microsoft,
GE, IEEE, NERC, FERC, IEC, and ANSI have published documents about Smart Grid.
5. DHS Website, http://www.dhs.gov/files/programs/gc_1189168948944.shtm. Retrieved 2009-10-14.
6. NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft).
The major reasons for this cyber security research are the complexity of the smart grid, the
importance of the smart grid as a super critical infrastructure, and the fact that many reports of
potential attacks on the grid have been disseminated in the media. This research should help
put some of these media reports in perspective. However, the primary purpose of this current
report is to discuss threats and vulnerabilities, and general security problems. Subsequent
reports will address controls to mitigate those risks and countermeasures, using best practices;
and where best practices are not adequate the researchers will suggest research topics that need
to be addressed in the future to help solve those problems.
1.2. Report Organization
This document is organized as follows:
• Examples of reported vulnerabilities of the smart grid are first introduced in Chapter 2.
• Information assurance and security concepts and terminology that are used throughout
  the document are discussed in Chapter 3.
• Security issues of important smart grid components, namely Advanced Metering
  Infrastructure, Demand Response, Customer Domain Systems (i.e. Home Area
  Networks, Gateways, and Neighborhood Area Networks), Grid (Supervisory Control
  and Data Acquisition and Distributed Network Protocol), and Plug-in Electric Vehicles
  are discussed in Chapters 4 through 8.
• Important security issues that are critical in smart grid but that do not fit cleanly in the
  above smart grid components are included in Chapter 9. Most of the issues listed in
  Chapter 9 will eventually become research topics that will be discussed in more detail in
  subsequent documents.
Most of the information in that chapter is currently being discussed in the NIST Bottom-up
Security Group, which is a subgroup within the NIST Smart Grid Cyber Security Coordination
Task Group (CSCTG). Chapter 9 is followed by a list of References.
Finally, Appendix A is a list of Use Cases for the various components of the Smart Grid and
corresponding cyber security requirements. It is part of NISTIR 7628. [7] The Appendix can be
viewed as an excellent summary of most of the cyber security issues discussed in this report.
7. NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft).
8. http://www.cisco.com/web/strategy/docs/energy/aag_c45_539956.pdf
9. http://carbonpros.com/blog1/2009/08/smart_grid_security_vulnerabil.html
2.0 REPORTED VULNERABILITIES OF SMART GRID
Every day we get reports from different sources regarding potential attacks on the Smart Grid.
The Department of Homeland Security (DHS) has reported that cyber spies, likely from China
and Russia, have managed to inject malicious software into the electric grid, water, sewage, and
other infrastructure control software. This software could enable malicious users to take control
of key facilities or networks via the Internet, causing power outages and tremendous damage to
all sectors of the economy. [10] As the grid becomes more central to our energy infrastructure, it
will become more important to ensure its security. Smart Grid systems create a link between
physical systems and software systems, both of which can fail. [11] IOActive, a professional
security services firm, determined that an attacker with $500 of equipment and materials and a
background in electronics and software engineering could take command and control of the
AMI, allowing for the en masse manipulation of service to homes and businesses. Reports
from CNN questioned the smartness of the Smart Grid in forging ahead with the high-technology,
digitally based electricity distribution and transmission system. CNN also reported that tests
have shown that a hacker can break into the system, and cyber security experts said a massive
blackout could result. [12] The American Society for Industrial Security (ASIS) International Chief
Security Officer (CSO) Roundtable reported that the electric grid is highly dependent on
computer-based control systems. These systems are increasingly connected to open networks
such as the internet, exposing them to cyber risks. Any failure of our electric grid, whether
intentional or unintentional, would have a significant and potentially devastating impact on our
nation. The Wall Street Journal recently reported that cyber spies from China, Russia, and other
countries may have penetrated the US electrical grid and implanted software programs that
could be used to disrupt the system. [13]
The Communications of the Association for Computing Machinery (ACM) reported that
vulnerabilities in the smart grid also can be caused by inadequate patch, configuration, and
change management processes, insufficient access controls, and the failure to create risk
assessment, audit, management, and incident response plans. There are also a number of
privacy concerns associated with the real-time, two-way communication between consumers
and suppliers that the smart grid will allow. One important issue that needs to be dealt with is
the data that will be collected automatically from smart meters and how that information will
be distributed and used throughout the grid. [14]
10. http://www.smartgridnews.com/artman/publish/News_Blogs_News/Foreign_CyberSpies_Inject_Spyware_into_U_S_Grid_with_Potential_for_Serious_Damage562.html
11. http://www.smartgridnews.com/artman/publish/Technologies_Security_News/SmartSecurityforaSmartGridNewThreatsontheHorizon1226.html
12. http://www.cnn.com/2009/TECH/03/20/smartgrid.vulnerability/index.html
13. http://www.ensec.org/index.php?option=com_content&view=article&id=198:thesecurityvulnerabilitiesofsmartgrid&catid=96:content&Itemid=345
The Smart Grid attacks were also tested in laboratories. IOActive has created a worm that
could quickly spread among Smart Grid devices, small computers connected to the power grid
that give customers and power companies better control over the electricity they use. [15] Yao Liu
and Peng Ning from North Carolina State University and Michael K. Reiter from University of
North Carolina, Chapel Hill have reported a new class of attacks, called false data injection
attacks, against state estimation in electric power grids. They show that an attacker can take
advantage of the configuration of a power system to launch such attacks and successfully bypass
the existing techniques for bad measurement detection, and they demonstrated the success of these
attacks through simulation using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus
systems. [16]
The Smart Grid and related fields have been attacked in the real world. The CIA, as reported by
the Associated Press, has said that hackers literally turned out the lights in multiple cities after
breaking into electrical utilities and demanding extortion payments before disrupting the
power. Reports from the Washington Post also claim that CIA analysts said cyber attackers
have hacked into the computer systems of utility companies outside the United States and made
demands, in at least one case causing a power outage that affected multiple cities. Information
about the attackers was not known, but the intrusion came from the Internet. [17] The National Journal
Magazine reported that computer hackers in China, including those working on behalf of the
Chinese government and military, have penetrated deeply into the information systems of U.S.
companies and government agencies, stolen proprietary information from American executives
in advance of their business meetings in China, and, in a few cases, gained access to electric
power plants in the United States, possibly triggering two recent and widespread blackouts in
Florida and the Northeast. The hacker triggered a cascade effect, shutting down large portions
of the Florida power grid, which created the Florida blackout. [18] The interconnected nature of
the bulk electric system requires all entities whose operations can affect the operation of the
bulk electric system to be as secure from cyber incidents as practicable to ensure bulk electric
system reliability. The North American Electric Reliability Corporation (NERC) reported that on
January 25, 2003, the SQL Slammer Worm was released by an unknown source. The worm
significantly disrupted many Internet services for several hours. It also adversely affected the
bulk electric system controls. [19]
14. http://cacm.acm.org/news/43974smartgridvulnerabilitiescouldcausewidespreaddisruptions/fulltext
15. http://hardware.slashdot.org/article.pl?sid=09/03/22/082236
16. ftp://ftp.csc.ncsu.edu/pub/tech/2009/TR20095.pdf
17. http://www.cyberpunkreview.com/newsascyberpunk/theciaslatestclaimhackershaveattackedforeignutilities/
18. http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
SmartGridwillsimultaneouslyexpandtheinfrastructurefortransportingelectricityand
presentamorephysicallychallenginginfrastructuretoprotect.SmartGridsuseofinternet
technologiesshouldhavefullprotectionpriortoitsdeploymentasitisamatterofnational
security. 20
19.http://www.nerc.com/docs/standards/ChuckNobleRBBLetter.pdf
20.http://www.smartgridnews.com/artman/publish/News_Blogs_News/Foreign_CyberSpies_Inject
_Spyware_into_U_S_Grid_with_Potential_for_Serious_Damage562.html
11
3.1. Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
The property that sensitive information is not disclosed to unauthorized individuals, entities or processes.

3.2. Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Data integrity is the property that data has not been altered in an unauthorized manner. It covers data in storage, during processing, and while in transit, and includes the property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

3.3. Availability
Ensuring there is timely and reliable access to and use of information.

3.4. Accountability
Accountability is the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
3.5.
With the Smart Grid's transformation of the electric system to a two-way flow of electricity and information, the Information Technology (IT) and telecommunications infrastructures have become critical to the energy sector infrastructure. Therefore, the management and protection of systems and components of these infrastructures must also be addressed by an increasingly diverse energy sector.

IT and telecommunication sectors have existing cyber security standards to address vulnerabilities and assessment programs to identify known vulnerabilities in these systems. These same vulnerabilities need to be assessed in the context of the Smart Grid. In addition, the Smart Grid has additional vulnerabilities due to its complexity, large number of stakeholders, and highly time-sensitive operational requirements.

21. http://www.nerc.com/docs/standards/ChuckNobleRBBLetter.pdf
The following definitions of cyber infrastructure and cyber security from the National Infrastructure Protection Plan (NIPP) and quoted in NISTIR 7628 are included to ensure a common understanding.

Cyber Infrastructure: Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.

For this document, cyber security is defined as follows:

Cyber Security: the protection required to ensure confidentiality, integrity and availability of the electronic information communication system.
Integrity is generally considered the most critical security requirement for power system operations, and includes assurance that:
- Data has not been modified without authorization
- Source of data is authenticated
- Timestamp associated with the data is known and authenticated
- Quality of data is known and authenticated

Availability is generally considered the next most critical security requirement, although the time latency associated with availability can vary:
- 4 ms for protective relaying
- Subseconds for transmission wide-area situational awareness monitoring
- Seconds for substation and feeder SCADA data
- Minutes for monitoring non-critical equipment and some market pricing information
- Hours for meter reading and longer-term market pricing information
- Days/weeks/months for collecting long-term data such as power quality information

Confidentiality is generally the least critical for actual power system operations, although this is changing for some parts of the power system, as customer information is more easily available in cyber form:
- Privacy of customer information is the most important
- Electric market information has some confidential portions
- General corporate information, such as human resources, internal decision-making, etc.
Introduction
Advanced Metering Infrastructure (AMI) refers to systems that measure, collect and analyze energy usage, from advanced devices such as electricity meters, gas meters, and/or water meters, through various communication media on request or on a pre-defined schedule. This infrastructure includes hardware, software, communications, customer associated systems and meter data management (MDM) software. [22]

The network between the measurement devices and business systems allows collection and distribution of information to customers, suppliers, utility companies and service providers. This enables these businesses to either participate in, or provide, demand response solutions, products and services. By providing information to customers, the system assists a change in energy usage from their normal consumption patterns, either in response to changes in price or as incentives designed to encourage lower energy usage at times of peak demand periods or higher wholesale prices or during periods of low operational systems reliability.

AMI systems are viewed as consisting of the following components (see also Figure 3): [23]
- Smart Meter: The smart meter is the source of metrological data as well as other energy-related information. These smart meters can provide interval data for customer loads as well as distributed generation.
- Customer Gateway: The customer gateway acts as an interface between the AMI network and customer systems and appliances within the customer facilities, such as a Home Area Network (HAN) or Building Management System (BMS). It may or may not co-locate with the smart meter.
- AMI Communications Network: This network provides a path for information to flow from the meter to the AMI head end.
- AMI Head End: This system manages the information exchanges between external systems, such as the Meter Data Management (MDM) system, and the AMI network.

22. Wikipedia; Advanced Metering Infrastructure; Available [Online]:
http://en.wikipedia.org/wiki/Advanced_Metering_Infrastructure
23. Open Smart Grid; Shared Documents; Available [Online]:
http://osgug.ucaiug.org/Shared%20Documents/Forms/AllItems.aspx

[24]
4.2. [25]
The following types of security threats are possible on AMI of Smart Grid:
- Eavesdropping: It is unauthorized real-time interception of a private communication.
- Traffic Analysis: It is the process of intercepting and examining messages in order to deduce information from patterns in communication.
- EM/RF Interception: Electro-Magnetic/Radio Frequency interception to perform unauthorized interception of private communication.
- Indiscretions by Personnel: Lack of discretion of personnel could lead to unauthorized interception of private communication.

24. http://osgug.ucaiug.org/Shared%20Documents/Forms/AllItems.aspx
25. Cyber Security Issues for Advanced Metering Infrastructure (AMI); F. M. Cleveland, Senior Member IEEE, IEEE T&D Conference, April 2008
Advanced Metering Infrastructure Security Considerations; Raymond C. Parks; Assurance Technologies and Assessments, SANDIA REPORT, SAND20077327; Sandia National Laboratories
- Media Scavenging: It involves rummaging through disposed magnetic media for retrieving sensitive data that is left behind on it.
- Intercept/Alter: Unauthorized people may intercept and alter the AMI data.
- Repudiation: People, including public authorities, may modify the AMI data and thus refuse to acknowledge an action that took place.
- Masquerade: It is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for.
- Bypassing Controls: People may bypass security controls to get access to the confidential data and make unauthorized modifications.
- Authorization Violation: People may violate the authorization of the AMI system to perform unauthorized actions.
- Physical Intrusion: People may physically intrude into AMI system components like the Smart Meter to perform unauthorized actions.
- Man-in-the-Middle: It is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.
- Integrity Violations: Integrity is violated when someone accidentally or with malicious intent modifies the AMI interaction data.
- Theft: Physical theft of the AMI components could lead to unauthorized actions being performed.
- Replay: It is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
- Virus/Worms: A computer virus is a computer program that can copy itself and infect a computer. A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention.
- Trojan Horse: It is a term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
- Trapdoor: An undocumented entry point into a computer program, which is generally inserted by a programmer to allow discreet access to the program.
- Service Spoofing: It is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
- Resource Exhaustion: Hackers may use up all available facilities so no real work can be accomplished, and thus AMI system resources become unavailable to the intended users.
- Integrity Violations: Integrity is violated when someone accidentally or with malicious intent modifies the AMI data and thus prevents intended users from using the AMI system resources.
- Stolen/Altered: The AMI data could be stolen or altered, and that could lead to denial of an action that took place or a claim of an action that did not take place.
- Repudiation: People, including public authorities, may refuse to acknowledge an action that took place.
- Insider Attack: The insider attack would take advantage of access to systems at the opposite end of the AMI system from the customer endpoint. The systems that the insider may be able to access include the AMI head end, the system from which it gets pricing information (either EMS or ICCP server to an ISO or generation entity), and the network infrastructure supporting both of those systems. Which cyber effect an insider uses would depend upon their access to these systems.
- Unauthorized Access from Customer Endpoint: There is a potential for AMI to allow access to the bulk electric grid from the residential or small business customer endpoint. The adversary can suborn the customer endpoint, crack wireless communications between the AMI meter and other endpoint equipment, or crack wireless communications from the AMI meter to the local concentrator. These attacks will expose the head end equipment and the systems to which the head end is connected. The exact details of this attack are greatly dependent on the implementation of AMI, particularly at the head end. Certain configurations would allow an attacker to affect the bulk electric grid.
- Cheating Customer: The customer at an endpoint would attack to achieve the goal of reduced cost of electric and/or natural gas use. They would use information freely available from the AMI meter vendor or a standard associated with AMI meters to reset the meter and reprogram it to report false information. If the information is not freely available, the attacker would reverse engineer a meter to develop a way to modify it. This is very similar to the many cable modem attacks that are openly available. Either the configuration settings from the utility or the actual firmware controlling the operation of the meter would be modified in this attack.

The following table summarizes the various security threats on AMI with respect to security goals and potential threat level.
| Security Issue | Description | Security Goal Compromised | Security Threat Level |
| --- | --- | --- | --- |
| | Traffic Analysis; EM/RF Interception; Indiscretions by Personnel; Media Scavenging | Confidentiality | High |
| Modification | Repudiation | Integrity | High |
| Interactions | Masquerade; Bypassing Controls; Authorization Violation; Physical Intrusion; Man-in-the-Middle; Integrity Violations; Theft; Replay | Confidentiality, Integrity, Availability, Accountability | High |
| Planted in System | Virus/Worms; Trojan Horse; Trapdoor; Service Spoofing | Confidentiality, Integrity, Availability, Accountability | High |
| Denial of Service | It is an attempt to make AMI system resources unavailable to its intended users. Resource Exhaustion; Integrity Violations | Availability | High |
| After-the-Fact | Stolen/Altered; Repudiation | Accountability | Medium |
| Insider Attack | | Confidentiality, Integrity, Availability, Accountability | Low to High |
| Unauthorized Access from Customer Endpoint | | Confidentiality, Integrity, Availability, Accountability | High |
| Cheating Customer | | Confidentiality, Integrity, Availability, Accountability | Low to High |
Introduction
When electricity demand is at its peak, particularly in summer, utilities and other electric Independent Systems Operators (ISOs) keep electric generators online in order to meet high demand. This solution wastes energy and increases air pollution. [26] If the demand is highest in most regions and exceeds available supplies, brownouts and blackouts can happen. As a result, the electricity grids are not reliable enough. Many utilities, government, and others have been developing Demand Response (DR) to manage growth in peak electricity demands, and to provide more reliable electricity grids and more economic energy. Demand Response is an action taken to reduce electricity demand in response to price, monetary incentives, or utility directives so as to maintain reliable electric services or avoid high electricity prices. [27] During the peak hours, demand response programs or tariffs lower the energy use in return for decreasing total system costs and electric loads. Demand Response can reduce energy consumption during peak time or based on events (during which the energy prices are high), such as congestion, supply-demand balance and/or market conditions that raise the energy supply costs. The Demand Response Research Center (DRRC) has been putting effort into developing, demonstrating and deploying activities related to a framework which can enable automated demand response. The development of Open Automated Demand Response (OpenADR or Open Auto-DR) has been carried out in order to improve optimization between electric supply and demand, which can improve the reliability of the electric grid and lower the total cost of overall systems.

This section will mainly focus on security issues in communications and interfaces between the entities in the DR system and OpenADR. OpenADR is a set of standard, continuous, open communication signals and systems provided over the Internet to allow facilities to automate their demand response with no human in the loop. [28] This report does not intend to focus on the details of how the DR and OpenADR systems operate. It may address some aspects of Demand Response systems, but the main focus is on the security issues in the DR and OpenADR systems.

26. California Energy Commission's Public Interest Energy Research Program, PIER Buildings Program, Automated Demand Response Cuts Commercial Building Energy Use and Peak Demand, Technical Brief, Public Interest Energy Research Program, 2008 [online]. Available:
http://www.energy.ca.gov/2008publications/CEC5002008086/CEC5002008086FS.PDF. [Accessed October 15, 2009]
27. U.S. Federal Energy Regulatory Commission (FERC), Assessment of Demand Response and Advanced Metering, 2007 [online]. Available:
http://www.ferc.gov/legal/staffreports/0907demandresponse.pdf. [Accessed October 17, 2009]
28. S. Kiliccote, M. A. Piette, J. H. Dudley, Lawrence Berkeley National Laboratory (LBNL); E. Koch and D. Hennage, Akuacom, Open Automated Demand Response for Small Commercial Buildings, Lawrence Berkeley National Laboratory, July 2009 [online]. Available: http://drrc.lbl.gov/pubs/lbnl2195e.pdf. [Accessed October 16, 2009]
5.2.
The primary focus of Demand Response (DR) is to provide the customers with pricing information so that the customers or the energy management and control system (EMCS) at the customers' sites may respond based on the demands for electricity and electricity prices during some period of time. For instance, the customer may decrease demand (or shed load) during higher priced time periods or increase demand (or shift load) during lower priced time periods. The pricing information could be real-time based, tariff based or some combination. DR could be implemented in many different ways based on the type of pricing signals. Real-time pricing (RTP) requires computer-based response, while fixed time-of-use pricing may be manually handled by the customer based upon the time periods and the pricing. Since the pricing information could be transmitted electronically or fixed for a long period and could be accessed by the participants of the DR program, the customer's security and privacy should be addressed. Also, the integrity of the pricing signal is critical because if it can be manipulated, it could lead to financial impacts on the organization or customers. Thus, most of the DR functions in the smart grid, such as load shedding, time-of-use pricing (ToU), dynamic pricing, etc. require data integrity and/or confidentiality to maintain the reliability of the grid and prevent adversaries from manipulating the information in the system. Failure to provide integrity and/or confidentiality could result in the exposure of customers' information and in unauthorized modification and manipulation of the information.

Security issues are explained below by first looking at interfaces of components that affect demand response. Next, Auto Demand Response systems are analyzed with respect to security. Figure 4 shows the major components of Smart Grid that affect Smart Grid and their interactions.
Figure 4. Demand response use case shows the interfaces between each component (from NIST).
Source: Lawrence Berkeley National Laboratory/ Akuacom
[29]
5.2.1. Confidentiality
The information sent between each entity, such as control usage of the meter, pricing, metering usage and billing information, needs to be confidential and protected from unauthorized access, such as eavesdropping attacks, since such access can lead to the invasion of customer privacy and the leaking of the information to an adversary.
5.2.2. Authentication
The components in the DR system, such as Home Area Network (HAN) devices, Energy Management System (EMS), DR services provider and metering, must be authenticated in order to communicate with each other. If they fail to authenticate with the DR control services, they must not be able to connect or respond to the DR event signals. This prevents unauthorized devices from communicating with the DR system, for example by hijacking the meter connection.

29. A. Lee, T. Brewer, Computer Security Division, Information Technology Laboratory, National Institution of Standards and Technology (NIST) (Sept 2009). Smart Grid Cyber Strategy and Requirements (Draft NISTIR 7628). Available: http://csrc.nist.gov/publications/drafts/nistir7628/draft
nistir7628.pdf. [Accessed October 20, 2009]
5.2.4. Availability
Pricing and metering usage information needs to be confidential, accurate and available all the time; otherwise, it would affect DR control behavior. The grid may not be able to respond based on the signals and may take a wrong action, leading to financial impacts on customers and markets. Real-time load use information transmitted between the DR services provider and the customer EMS needs to be available in a timely manner since it can affect the behavior of the grid. Legacy devices at the end user and low bandwidth of communication channels may result in the loss of availability.
5.2.5. Accountability
Failure to hold communicating parties accountable for the actions they take, because of invalid meter, EMS, or DR services provider information, would result in disputes between parties and decrease customer confidence.
5.3.
OpenADR is a communications data model designed to interact with Demand Response signals by automated DR actions from the Energy Management and Control System (EMCS), which are pre-programmed, at electric consumers' sites. Internet-based electricity pricing and DR signals are used with pre-programmed control strategies to optimize energy use of a site or building with no manual intervention. OpenADR is used to exchange information between a utility or Independent System Operator (ISO) and the end-point users or customer systems.

[30]

Information flow in the OpenADR architecture is in five steps, as follows:
1) The utility or ISO defines DR event and price signals that are sent to the DRAS.
2) DR event and price services are published on a DRAS.
3) DRAS clients, which can be a client and logic with integrated relay (CLIR) for a legacy control system or web service software for a sophisticated control system, request event information from the DRAS every minute.
4) Pre-programmed DR strategies determine action based on event and price.
5) The EMCS carries out load shed based on DR events and strategies.

30. S. Kiliccote, M. A. Piette, J. H. Dudley, Lawrence Berkeley National Laboratory (LBNL); E. Koch and D. Hennage, Akuacom, Open Automated Demand Response for Small Commercial Buildings, Lawrence Berkeley National Laboratory, July 2009 [online]. Available: http://drrc.lbl.gov/pubs/lbnl2195e.pdf. [Accessed October 16, 2009]

[31]

31. M. A. Piette, G. Ghatikar, S. Kiliccote, E. Koch, D. Hennage, P. Palensky, and C. McParland, Open Automated Demand Response Communications Specification, Demand Response Research Center, April 2009 [online]. Available: http://drrc.lbl.gov/openadr/pdf/cec5002009063.pdf. [Accessed October 20, 2009]
Purpose
- To initiate or update DR event information in DRAS
- To initiate bid request in DRAS

Purpose
- To send shed or event information to trigger the event client to shed or shift loads at participant sites, facilities or aggregator sites

Purpose
- To send request for bid to participant or facility manager or aggregator
- To notify the acceptance or rejection notification to the participant or facility manager or aggregator

Purpose
- To set, adjust or cancel standing bids in the DRAS.
- To send the system load status information to DRAS from DRAS clients.

Participant Interface

Information transmitted: Load reduction per time block (price and load amount)
Overall Impacts:
Confidentiality (M): Attacker intercepts load reduction information sent from participant to the DRAS in order to gain knowledge of this information, causing the leak in the electricity usage of the customer.
Integrity (H): Attacker submits bids for participants, causing the financial impacts on participants.
Availability (L): Failure in communication between DRAS and DRAS client.

Information transmitted: Program identifier, facility or participant identifier, date & time of the event (shed or shift), shed data in kW/kWh, load reduction end uses (HVAC, lighting, etc.), event type (Day-Ahead or Day-Of)
Overall Impacts:
Confidentiality (H): Eavesdropping on this information could invade the customer privacy.
Integrity (H): Unauthorized manipulation on this information could make DRAS not be able to record the actual response of the DRAS client to the DR events received. The DRAS may make an inappropriate response to the DR program according to the false system load status. This could lead to the unreliability of the grid.
Availability (L): Failure in communication between DRAS and DRAS client.
5.4.
Demand response events arrive at the residential site from the utility to adjust the electricity price. During peak hours the price of the electricity rises; through demand response the customers can adjust their residential temperature on the basis of the demand response event received. During normal conditions, broadcast messages consisting of price signals are sent to residential sites, whereas during emergencies control signals are issued. The Programmable Communicating Thermostat (PCT) would be used in order to reduce the electric power at the residential site. Broadcast messages will be sent out to the thermostat, causing the thermostat to update the power consumption. The PCT will be provided to the residential customers by the IOUs. The PCT will communicate with the utility through a meter. The connection is done through a wide area network. The PCT allows the customer to set the temperature for heating as well as cooling. Security issues such as confidentiality, integrity, availability and non-repudiation come into effect for the PCT during the flow of events from the utility to the residential site. Integrity plays a crucial role in the PCT. As forms of threat, an attacker can cause annoyance, affect health and safety, cause grid instability by carrying out a blackout, and increase cost for the customer.
- An attacker may attempt to shut down the A/C, prevent the load reduction, and manipulate the scheduling of events received.
- An attacker tries to tamper with the incoming signals or the PCT system. The attacker carries out the attacks by masquerading and man-in-the-middle attack, shutting or turning down the A/C units in order to cause grid instability.
- An attacker blocks the incoming broadcast signal by carrying out a denial of service attack. Replay attacks can be carried out in order to manipulate the incoming demand response signal.
- An attacker could manipulate the system by disabling the PCT antenna or changing the PCT local time.

A summary of attack patterns in PCT is shown in Figure 7.
Figure 7. Path of attack in PCT.
Source: Lawrence Berkeley National Laboratory/Akuacom
[32]
32. E. W. Gunther, Reference Design for Programmable Communicating Thermostats Compliant with Title 24-2008, March 2007 [online]. Available:
http://drrc.lbl.gov/pct/docs/ReferenceDesignTitle24PC_rev15.doc. [Accessed October 22, 2009]
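One way a PCT could check incoming demand response events against the tampering, replay and local-time manipulation described in this section, covering the integrity properties listed earlier (data unmodified, source authenticated, timestamp authenticated). This is an added example, not code from the report or from any PCT reference design; the message layout, field names, shared key and 120-second freshness window are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

MAX_AGE_S = 120  # assumed freshness window in seconds


def canonical(body):
    """Serialize the event body deterministically so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_event(key, body):
    """Utility side: attach an HMAC-SHA256 tag computed over the canonical body."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PctVerifier:
    """PCT side: accept an event only if it is authentic, new and recent."""

    def __init__(self, key, clock, last_seq=-1):
        self.key = key
        self.clock = clock        # callable returning local time in epoch seconds
        self.last_seq = last_seq  # a real device must keep this in non-volatile memory

    def check(self, msg):
        body, tag = msg.get("body"), msg.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return "malformed"
        try:
            given = bytes.fromhex(tag)
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):  # constant-time comparison
            return "bad_tag"
        seq, issued_at = body.get("seq"), body.get("issued_at")
        if not isinstance(seq, int) or not isinstance(issued_at, int):
            return "malformed"
        if seq <= self.last_seq:  # does not depend on the local clock
            return "replayed"
        if abs(self.clock() - issued_at) > MAX_AGE_S:
            return "stale"
        self.last_seq = seq       # advance only for events that were accepted
        return "accepted"


def demo_pct_events():
    """Run constructed events through the verifier and return each verdict."""
    key = b"constructed-demo-key"  # constructed; real keys are provisioned per device
    now = [1_700_000_000]          # mutable stand-in for the PCT local clock
    t0 = now[0]
    pct = PctVerifier(key, clock=lambda: now[0])
    ev1 = sign_event(key, {"seq": 1, "issued_at": t0, "type": "price", "cents_per_kwh": 42})
    ev2 = sign_event(key, {"seq": 2, "issued_at": t0, "type": "shed", "setpoint_f": 82})
    ev3 = sign_event(key, {"seq": 3, "issued_at": t0 + 590, "type": "price", "cents_per_kwh": 18})
    forged = {"body": dict(ev1["body"], seq=9, cents_per_kwh=1), "tag": ev1["tag"]}

    results = [pct.check(ev1), pct.check(forged), pct.check(ev1)]
    now[0] = t0 + 600
    results.append(pct.check(ev2))  # delivered 600 s after it was issued
    now[0] = t0                     # local time set back to the original value
    results.append(pct.check(ev1))  # old event is recent again by the clock, but not new
    now[0] = t0 + 600
    results.append(pct.check(ev3))
    return results


if __name__ == "__main__":
    print(demo_pct_events())
```

The sequence check is the part that still holds when the local time is changed; the freshness check is only as trustworthy as the clock it reads.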
Introduction
Actors in the Customer domain enable customers to manage their energy usage and generation. Some actors also provide control and information flow between the customer and the other domains. The boundaries of the customer domain are typically considered to be the utility meter. The customer domain is electrically connected to the distribution domain. It communicates with the Distribution, Operations, Market, and Service Provider domains. This section is subdivided into HAN, gateway and Neighborhood Area Network because each actor contributes to making the customer's interaction with the smart grid a possibility. Therefore we will handle each of the domains in the same order.

Figure 8 depicts the entire customer domain with components such as Utility, AMI HAN interface, Gateway and multiple HAN protocols which help connect various smart appliances in the Home Area Network. Along with the HAN and gateway there exists the WNAN as well, which is depicted in the figure below as communication between the smart meter and the utility. The two communication standards considered in this figure are Wireless Neighborhood Area Network (WNAN) and Local Area Network (LAN).
Figure 8. HAN/Gateway.
Source: From the draft document on Residential Gateway Reference Design meeting held at UC Berkeley
6.2.
Smart Grid provides two-way communications between homeowners' premises and utility companies' back-end IT infrastructure. This is done by deploying Advanced Metering Infrastructure (AMI) systems that combine Home Area Networks (HANs) and Neighborhood Area Networks (NANs). A HAN typically connects home devices together whereas a NAN connects the home to the Utility Network. The key enabling technologies for energy management products in the home are protocols such as ZigBee and Z-Wave; ZigBee, an ultra-low-power IEEE 802.15.4 based wireless networking standard, has emerged as the key to robust, reliable and secure HAN deployments. Although there are several other potential HAN protocols, ZigBee is the only one discussed in detail, since it is the most popular open standard for HANs.
6.2.1. ZigBee
Following the standard OSI reference model, ZigBee's protocol stack is structured in layers. The physical and the media access layers are based on the 802.15.4 standard. The layers on top of these two layers are specific to ZigBee. They are the network layer, General Operation Framework (GOF) and the application layer. IEEE 802.15.4 is a standard which specifies the physical layer and media access control for low-rate wireless personal area networks. It focuses on low-cost, low-speed ubiquitous communication between devices (in contrast with other, more end-user-oriented approaches, such as Wi-Fi). The emphasis is on very low cost communication of nearby devices with little to no underlying infrastructure, so as to exploit this to lower power consumption. [33] It is the basis for ZigBee.

ZigBee makes it practical to embed wireless communications into virtually any home/building automation/metering product without the prohibitive cost and disruption of installing hard wiring. ZigBee allows individual devices to work for long periods of time (approximately 2+ years) on battery power. [34]

33. K. Stouffer, J. Falco, K. Scarfone, Guide to Industrial Control Systems (ICS) Security, National Institution of Standards and Technology (NIST), Sept 2008 [online]. Available:
http://csrc.nist.gov/publications/drafts/80082/draft_sp80082fpd.pdf
34. A. Lee, T. Brewer, Computer Security Division, Information Technology Laboratory, National Institution of Standards and Technology (NIST), Smart Grid Cyber Strategy and Requirements, Draft NISTIR 7628, Sept 2009 [online]. Available: http://csrc.nist.gov/publications/drafts/nistir7628/draftnistir
7628.pdf
6.2.2. Z-Wave
Z-Wave is a proprietary wireless communications standard designed for home automation, specifically for remote control applications in residential and light commercial environments. The technology, which is developed by Zensys, uses a low-power RF radio embedded or retrofitted into home electronics devices and systems, such as lighting, home access control, entertainment systems and household appliances. Since it is a proprietary standard, not much information is available on Z-Wave. [35]
6.3. Gateway Component
Home Gateway (HG), also called Residential Gateway (RG), is a device that interconnects various home electronic devices to one another and connects these private home network devices to the exterior public network. In the smart grid architecture the current assumption is that there is an identifiable unit performing the gateway function. Whether the gateway will be an independent functional unit or a part of another smart grid component remains an open possibility.

There are two implementation techniques for the gateway:
1) The gateway is part of the PCT (Programmable Communicating Thermostat); one such example is the U-SNAP (Utility Smart Network Access Port). [36] This is a hardware solution to the interoperability issues between the native AMI network and the home area network. The U-SNAP card brings a serial interface between the module that communicates with the Utility AMI network and the HAN control unit.
2) A gateway as an individual component. This gateway implementation technique involves a hardware component which integrates a ZigBee-based home automation system with an external IP-based network. The gateway provides two functionalities: [37]
   1) Data translation between the IP-based network and the ZigBee network.
   2) Providing a secure environment for processing commands received from the external network.
The gateway consists of a Wi-Fi module, a ZigBee microcontroller and a power supply.
6.4.
The ubiquitous network requirements for Smart Grid are identified as follows: reliable, secure, power efficient, low latency, low cost, diverse path, scalable technology, ability to support burst, asynchronous upstream traffic, to name a few. Wireless neighborhood area networks (WNAN) are a type of packet-switched wireless mobile data network. Wireless NANs are flexible packet-switched networks whose geographical coverage area could be anywhere from the coverage area of a Wireless Local Area Network (WLAN), to a wireless metropolitan area network (WMAN), to a Wireless Wide Area Network (WWAN). In Smart Grid, WNAN has a role to play in the HOME-to-HOME or HOME-to-GRID communication. The following are the communication protocols that are under consideration for the wireless neighborhood area network for Smart Grid:
1) IEEE 802.11: IEEE 802.11 is a set of standards defined for the implementation of wireless local area network computer communication, which operates in the 2.4 GHz, 3 GHz and 5 GHz frequency bands. 802.11b operates at 2.4 GHz with a data transfer rate in the range of 5 Mbits/s to 25 Mbits/s with a maximum outdoor range of 90 meters, while 802.11g operates at 2.4 GHz as well, with a data transfer rate in the range 22 Mbits/s to 128 Mbits/s with a maximum outdoor range of 90 meters. [38]
2) IEEE 802.15.4: 802.15.4 defines the physical and medium access control layers for low data rate, short range wireless communication. The operation is defined in both sub-1 GHz and 2.4 GHz frequency bands, supporting Direct Sequence Spread Spectrum signaling with a raw data throughput of 250 kbps, and can transmit point to point, ranging anywhere from tens to hundreds of meters depending on the output power and receive sensitivity of the transceiver. [39]
3) IEEE 802.16: WiMax (Worldwide Interoperability for Microwave Access) provides wireless transmission of data in a variety of modes from point-to-multipoint links. It is also called the Last Mile Connectivity of broadband wireless access, with a range of around 50 km and a data transfer rate of up to 70 Mbps with the ability to support data, voice and video. It does not require LOS (Line of Sight) and uses public key cryptography. [40]

35. E. W. Gunther, Reference Design for Programmable Communicating Thermostats Compliant with Title 24-2008, March 2007 [online]. Available:
http://drrc.lbl.gov/pct/docs/ReferenceDesignTitle24PC_rev15.doc
36. USNAP Alliance Industry White Paper, ENABLING THE HOME AREA NETWORK MARKET. March 20, 2009
37. Khusvinder Gill, Shuang-Hua Yang, Fang Yao, and Xin Lu, A ZigBee-Based Home Automation System. Loughborough University, UK, 2009.
6.5.
6.5.1. ZigBee [41]
1) Power Failures: Nonce [42] values are initialized to a standard value, thus making the nonce a known value.
2) Fast Denial-of-Service Attack on AES-CTR (Advanced Encryption Standard, CTR mode).
38. http://en.wikipedia.org/wiki/IEEE_802.11
39. Naveen Sastry, David Wagner, Security Considerations for IEEE 802.15.4 Networks. UC Berkeley. Year of Publication 2004.
40. http://en.wikipedia.org/wiki/WiMAX
41. Matera: Security Issues on ZigBee, Basilicata University, Italy, January 18, 2006
42. A side input to the encryption algorithm.
3) AcknowledgesForgerysincetheACKframereturnsonlytheDNS(DomainName
Server)value.IftheattackerknowstheDNSvaluehe/shecansendafalse
acknowledgementtothesendersayingthatthereceiverhasreceivedthemessagewhen
infactithasnt.
4) WeakIntegrityProtectiononAESCTR.
5) AllowstheuseofSameKeysonmultipleACL(AccessControlList)entries.Allowsthe
useofGroupKeys.
6.5.2. Z-Wave [43]
The connection is unsecured while the network is being established and the network key is
being distributed. It is open to sniffer attacks.
Solution: The new device and the primary controller must be less than one meter apart for
setup. Once the new device has been included in the network database it can be placed anywhere
within range of the network.
6.5.3. Gateway
Medium Access Control (MAC) address spoofing: When the U-SNAP card is plugged in for
the first time it registers on the network. Since the network operates in an unlicensed frequency
band, any eavesdropper can listen to ongoing traffic and spoof the MAC address, which the
U-SNAP card uses as an ID to uniquely recognize a card. The second scenario occurs when pricing
information is sent by the utility to the consumer but the MAC address of the card has been
spoofed. In this case the utility would be sending sensitive data to an unauthorized person,
which is a breach of confidentiality of the highest security level. [44]
Public Key Infrastructure security issues: The U-SNAP card uses Public Key Infrastructure as a
security feature. With the use of PKI emerges the problem of distribution of public keys and the
added responsibility of choosing a certifying authority to sign the keys. [45] This issue is a
problem for any system which uses PKI and is discussed further in chapter 9.
Virtual Home, its security features and loopholes: In a virtual home, the gateway has
added components such as virtual home, network coordinator and device database. Every
command which is received from the external network is checked for its authenticity by the
network coordinator and the device database in the virtual home environment. Once the
command has been verified it is then implemented in the real home system. The security
concerns with such a setup are as follows: [46]
• The gateway accepts commands even from a ZigBee-based remote control, and these
commands are not verified in the virtual home environment. Signals from a malicious device
emitting ZigBee signals could be interpreted as commands to the home environment.
• Since the gateway uses hardware components, device driver updates are needed. These
updates should be done in a controlled manner; otherwise the virtual home, which is trusted
for managing the security of the home area network, will be compromised.
43. Wireless security: How safe is Z-Wave? Knight, M.
44. U-SNAP Alliance Industry White Paper: ENABLING THE HOME AREA NETWORK MARKET.
March 20, 2009.
45. John Linn, RSA Laboratories, Bedford, MA, USA; Marc Branchaud, RSA Security Inc., Vancouver, BC,
Canada. An Examination of Asserted PKI Issues and Proposed Alternatives. 2004.
6.5.4. WNAN
IEEE 802.11 [47]
• Convenient Access: Networks announce their existence with the aid of beacon frames,
which also invite threats. Software is used by war drivers to log these
appearances of beacon frames and find the locations using GPS.
• Rogue Access Points: One of the common security risks is rogue access points,
which are easy to set up and do not even require authorization.
• MAC Spoofing: The management frames are not authenticated in 802.11. Every frame
has a source address. Attackers take advantage of spoofed frames to redirect
traffic and corrupt the ARP tables.
• Denial of Service Attacks:
o Physical Attacks: Simple devices that operate in the 2.4 GHz frequency band, like
cordless phones that support 802.11b, can be used to take the network offline.
This is done by reducing the signal-to-noise ratio of the channel to an unusable
range by inducing noise into the network.
o Data link Attacks: For devices manufactured before 2003 with wired equivalent
privacy (WEP) turned on, the attacker can perform DoS attacks by accessing the
user information on the link layer. Data link attacks are difficult for post-2003
devices that support WPA2.
• Network Attacks: An attacker can flood ICMP packets to the gateway, thereby making it
difficult for clients associated to the same AP to send and receive packets.
• Man-in-the-Middle (MITM) Attacks: There are two versions of the MITM attack. They are:
o Eavesdropping
o Manipulating
Solution: Wi-Fi Protected Access (WPA) has an improved encryption algorithm called
Temporal Key Integrity Protocol (TKIP), which uses a unique key for every client and also uses
longer keys that are rotated at configurable intervals. WPA also includes an encrypted message
integrity check field in the packet to prevent denial of service and spoofing attacks.
46. Khusvinder Gill, Shuang-Hua Yang, Fang Yao, and Xin Lu. A ZigBee-Based Home Automation
System. Loughborough University, UK, 2009.
47. Bob Fleck, Bruce Potter. 802.11 Security. O'Reilly Publications, December 2002, ISBN: 0596002904
IEEE 802.15.4 [48]
1. Confidentiality: An encryption scheme must be used to prevent message recovery.
Semantic security requires that encrypting the same message twice gives two different
ciphertexts; if the same encryption process is used both times, semantic security is
violated. The technique to prevent this violation is to use a unique nonce for each
invocation of the encryption process. Decryption uses this nonce at the receiver end. The
nonce is sent in the clear in the same packet as the encrypted data, and hence the security
of the encryption does not depend on the nonce being secret. The nonce is introduced to
give some variation to the messages.
2. Loss of ACL State: Each ACL entry in the ACL table is used to store different keys and
their associated nonce. The ACL table may be cleared when there is a
power failure or when the device operates in a low-powered state.
o Power Failure: In case of power failures the ACL entries are cleared; however,
the ACL table is repopulated by the software with appropriate keys. The
issue is with the nonce states. All the nonce states are reset to a known value, say
0, and the resulting reuse of nonce state compromises security.
o Low-powered operation: Again the issue is how to retain the nonce states
when the device enters the low-powered state.
Possible Fix: A suitable fix to this problem could be saving the nonce states in
flash memory, which incurs additional cost and power consumption and is also slow and
energy inefficient.
3. Key Management Problems: This problem arises due to the inability of the ACL tables
to support different keying models.
o Group Keying: There is no support for using the same key for multiple ACL
entries. If attempts are made to create separate ACL entries for each node then
the reuse-of-nonce-state problem arises.
Possible Fix: A fix for this could be creating a single ACL entry for a particular key. Before
sending a message, changing the destination address associated with that ACL entry
would suffice to fix this issue.
o Network Shared Keying: The network cannot be protected from replay attacks
when using a network-wide shared key. In order to use the network shared
keying model the application has to use the default ACL entry, but a default ACL
entry can be used only if there is no matching ACL entry.
4. Confidentiality and Integrity Protection: Research has proven that unauthenticated
encryption modes can introduce risks of protocol-level vulnerabilities compromising not
only integrity but also confidentiality. An example of this is AES-CTR, which
uses counter mode without a MAC.
5. Denial of Service: As discussed previously, replay attacks could cause the device to
reject packets.
6. No Acknowledgement Packet Integrity: There is an option for the sender to request
an acknowledgement from the recipient for the sent packets. But there is no
confidentiality or integrity provided for the acknowledgement packets, thereby
inviting the attacker to forge the acknowledgement packets.
48. Naveen Sastry, David Wagner, Security Considerations for IEEE 802.15.4 Networks. UC Berkeley.
Year of Publication 2004.
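The nonce reset described under Loss of ACL State (and as item 1 of the ZigBee list in 6.5.1) can be shown concretely. The following Python code is an added example, not taken from the report or from any 802.15.4 stack: it assumes an HMAC-SHA256 keystream as a stand-in for AES-CTR and a dict as a stand-in for flash, and all class and function names are hypothetical. It goes one step beyond the fix named in the text by reserving nonces in windows, so that flash is written once per window rather than once per packet.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """Counter-mode keystream. HMAC-SHA256 stands in for the AES block cipher
    (assumption: the standard library has no AES); as in AES-CTR, the output
    depends only on key, nonce and block counter."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key, nonce, plaintext):
    """Encrypts and, because XOR is its own inverse, also decrypts."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

class VolatileNonce:
    """Nonce state held only in RAM: a power failure resets it to 0."""
    def __init__(self):
        self.value = 0
    def next(self):
        n, self.value = self.value, self.value + 1
        return n
    def power_cycle(self):
        self.value = 0

class FlashBackedNonce:
    """Nonce state that survives power loss. `flash` is a dict standing in for
    non-volatile storage; one write reserves `window` nonces in advance."""
    def __init__(self, flash, window=64):
        self.flash, self.window, self.flash_writes = flash, window, 0
        self.power_cycle()
    def power_cycle(self):
        # Resume at the stored limit: any nonce below it may already be used.
        self.value = self.limit = self.flash.get("nonce_limit", 0)
    def next(self):
        if self.value >= self.limit:
            self.limit = self.value + self.window
            self.flash["nonce_limit"] = self.limit   # persist before first use
            self.flash_writes += 1
        n, self.value = self.value, self.value + 1
        return n

KEY = bytes(range(16))                 # constructed key
MSG_BEFORE = b"PRICE=0.12;LOAD=LOW "   # constructed messages of equal length
MSG_AFTER = b"PRICE=0.48;LOAD=HIGH"

def send_across_power_failure(counter):
    """Encrypt one message, lose power, encrypt another with the same key."""
    n1 = counter.next()
    c1 = ctr_encrypt(KEY, n1, MSG_BEFORE)
    counter.power_cycle()
    n2 = counter.next()
    c2 = ctr_encrypt(KEY, n2, MSG_AFTER)
    return n1, c1, n2, c2

def leaks_plaintext_xor(c1, c2):
    """True when the two ciphertexts alone reveal MSG_BEFORE xor MSG_AFTER,
    which happens exactly when both were encrypted under the same keystream."""
    return xor(c1, c2) == xor(MSG_BEFORE, MSG_AFTER)

if __name__ == "__main__":
    for counter in (VolatileNonce(), FlashBackedNonce({})):
        n1, c1, n2, c2 = send_across_power_failure(counter)
        print(type(counter).__name__, "nonces", n1, n2,
              "keystream reused:", leaks_plaintext_xor(c1, c2))
```

A larger window means fewer flash writes but more nonces skipped after each power loss, which is harmless as long as the nonce space is not exhausted.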
IEEE 802.16 [49]
• Authentication: The drawback with WiMax is that it does not have Base Station
authentication, which makes it prone to man-in-the-middle attacks, exposing subscribers
to confidentiality and availability attacks. Since the BS does not authenticate itself, the SS
cannot be protected from a rogue BS.
• Encryption: 802.16e supports the Advanced Encryption Standard (AES) cipher,
providing strong confidentiality on user data. Again the drawback is that encryption is
not applied to the management frames, thereby allowing the attacker to gather
information about the subscribers in the area and also about the network characteristics.
• Availability: Even though WiMax uses a licensed RF spectrum, attackers can use easily
available gadgets to jam the network. This is an example of a physical layer denial of
service attack. Attackers can also send legacy management frames to disconnect
legitimate stations; these are deauthenticate flood attacks.
• Water Torture Attack: This is a form of physical layer attack wherein the attacker sends
a series of frames to any node to drain the battery life of the victim node.
49. http://www.networkworld.com/columnists/2006/121106wirelesssecurity.html?page=1
6.6.
IEEE 802.11
IEEE 802.16
IEEE 802.15.4
Introduction
SCADA systems are widely deployed in Critical Infrastructure industries where they provide
remote supervision and control. In the Smart Grid, SCADA systems are used in automation,
for instance to monitor and control grid equipment such as transformers, customer equipment,
generation and transmission systems, etc.
Despite the relevant importance of SCADA security, SCADA systems are reported to be
vulnerable to electronic attacks. Taking into account the wide deployment of networking
technologies in SCADA and the high connectivity of SCADA networks with other networks such
as the corporate intranet or even the Internet, SCADA systems are exposed to electronic attacks
nowadays more than ever.
This section discusses SCADA system security issues. For the purpose of implementing an
efficient defense of SCADA and Process Control Systems in general, it is necessary to research
novel security approaches, implement them and carefully measure their suitability in terms
of efficiency and overhead.
The general layout of a SCADA system is shown in Figures 9 and 10.
The figure above gives a general layout of a SCADA (Supervisory Control and Data
Acquisition) system. SCADA is a collection of systems that measure, report, and change in real
time both local and geographically remote distributed processes. The fundamental components
in the above figure are the control center, usually computer-based and referred to as the MTU
(Master Terminal Unit); the RTU (Remote Terminal Unit), also called the field site; and the
communication link between them. The MTU issues commands to distant facilities and gathers
data from them, interacts with other systems in the corporate intranet for administrative
purposes, and interfaces with human operators. In a SCADA system it is the MTU which has full
control over distributed remote processes. An operator can interface with an MTU through an
interface device consisting of a video display unit, a keyboard, etc. Control commands sent by
an MTU to distant facilities are triggered by programs in that MTU, which are executed either
manually or through a programmable built-in scheduler.
RTUs are generally based on microprocessors and are physically placed in remote locations.
Their task consists of controlling and acquiring data from devices such as sensors, actuators,
controllers, pulse generators, etc. An MTU communicates with one or more remote RTUs by
sending requests for information that those RTUs gather from devices, or instructions to take an
action such as opening and closing valves, turning switches on and off, etc. The communications
between an MTU and RTUs follow a master-slave schema, in which the MTU is the master and
the RTUs are slaves, and only the MTU is allowed to initiate a transaction. [50]
The SCADA system is a control system which was originally designed to operate in an isolated
environment. Today such systems are typically connected to the corporate network for business
reasons. These control systems were also originally designed to be efficient rather than secure.
Communication protocols (e.g. Distributed Network Protocol (DNP3)) which allow remote
control of the SCADA devices were designed with little security in mind. The impact of attacks
on SCADA systems could be physical, economic, or societal.
The following sections discuss security issues in SCADA systems.
50. National Institute of Standards and Technology, US Department of Commerce (September 2008).
Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82 FINAL PUBLIC DRAFT).
Keith Stouffer, Joe Falco, Karen Scarfone.
51. East, Samuel. Butts, Jonathan. Papa, Mauricio. And Shenoi, Sujeet. (2009). A taxonomy of attacks on
the DNP3 Protocol. Critical Infrastructure Protection III, IFIP AICT 311, pp. 67-81, 2009. IFIP International
Federation for Information Processing.
52. Understanding SCADA System Security Vulnerabilities, Riptech.
• Websites often provide data useful to network intruders about company structure,
employee names, e-mail addresses, and even corporate network system names.
• Domain name service (DNS) servers permit zone transfers, providing IP addresses,
server names, and e-mail information.
• OS and application security patches are not maintained.
• Inadequate access controls. Poorly specified access controls can result in giving a
SCADA user too many or too few privileges. The following exemplify each case: a system
configured with default access control settings gives an operator administrative privileges;
a system improperly configured results in an operator being unable to take corrective
actions in an emergency situation.
• Password policies are needed to define when passwords must be used, how strong they
must be, and how they must be maintained. Without a password policy, systems might
not have appropriate password controls, making unauthorized access to systems more
likely. [53]
• Denial of service (DoS): SCADA software could be vulnerable to DoS attacks, resulting
in the prevention of authorized access to a system resource or delaying system
operations and functions. Attackers could proactively exploit software bugs and other
vulnerabilities in various systems, either in the corporate network or the SCADA
network, to gain unauthorized access to places such as control center networks, SCADA
systems, interconnections, and access links. Cyber attacks that are based on denial of
service (DoS) mechanisms, and others that spread due to viruses and worms by causing
a traffic avalanche in short durations, can potentially bring down systems and cause a
disruption of services, and are known as Flood-based Cyber Attack Types.
• Intrusion detection/prevention software not installed: Incidents can result in loss of
system availability; the capture, modification, and deletion of data; and incorrect
execution of control commands. IDS/IPS software may stop or prevent various types of
attacks, including DoS attacks, and also identify attacked internal hosts, such as those
infected with worms. IDS/IPS software must be tested prior to deployment to determine
that it does not compromise normal operation of the SCADA. [54]
• Malware protection software not installed, definitions not current, implemented
without exhaustive testing: Malicious software can result in performance degradation,
loss of system availability, and the capture, modification, or deletion of data. Malware
protection software, such as antivirus software, is needed to prevent systems from being
infected by malicious software. Outdated malware protection software and definitions
leave the system open to new malware threats. Malware protection software deployed
without testing could impact normal operation of the SCADA. [55]
53,54. National Institute of Standards and Technology, US Department of Commerce (September 2008).
Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82 FINAL PUBLIC DRAFT).
Keith Stouffer, Joe Falco, Karen Scarfone.
Network Configuration Vulnerabilities
The network architecture design is critical in offering the appropriate amount of segmentation
between the Internet, the company's corporate network, and the SCADA network. Network
architecture weaknesses can increase the risk that a compromise from the Internet could
ultimately result in compromise of the SCADA system. Some common architectural weaknesses
include the following: [56]
• Configuration of file transfer protocol (FTP), web, and e-mail servers sometimes
inadvertently and unnecessarily provides internal corporate network access
• Network connections with corporate partners are not secured by firewall, IDS, or virtual
private network (VPN) systems consistent with other networks
• Dial-up modem access is authorized unnecessarily, and maintenance dial-ups often fail
to implement corporate dial access policies
• Firewalls and other network access control mechanisms are not implemented internally,
leaving little to no separation between different network segments
TCP/IP networks by their very nature promote open communications between systems
and networks, unless network security measures are implemented. Improper network
configuration often leads to inbound and outbound network leaks between SCADA
networks, corporate networks, business partners, regulators and outsourcers, and even
the Internet, which pose a significant threat to network reliability. Network leaks can
allow worms, viruses or hackers direct visibility to vulnerable SCADA systems.
Insecure Connections Exacerbate Vulnerabilities
Potential vulnerabilities in control systems are exacerbated by insecure connections.
Organizations often leave access links, such as dial-up modems to equipment and
control information, open for remote diagnostic SCADA, maintenance, and
examination of system status. Such links may not be protected with authentication or
encryption, which increases the risk that hackers could use these insecure connections to
break into remotely controlled systems. Also, control systems often use wireless
communications systems, which are especially vulnerable to attack, or leased lines that
pass through commercial telecommunications facilities.
Firewalls nonexistent or improperly configured
A lack of properly configured firewalls could permit unnecessary data to pass between
networks, such as control and corporate networks. This could cause several problems,
including allowing attacks and malware to spread between networks, making sensitive
data susceptible to monitoring/eavesdropping on the other network, and providing
individuals with unauthorized access to systems.
55,56,57. National Institute of Standards and Technology, US Department of Commerce (September
2008). Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82 FINAL PUBLIC
DRAFT). Keith Stouffer, Joe Falco, Karen Scarfone.
• Open standard
• Interoperability between multi-vendor devices
• A protocol that is supported by a large and increasing number of equipment
manufacturers
• Layered architecture conforming to IEC enhanced performance architecture model
• Optimized for reliable and efficient SCADA communications
• Supported by comprehensive implementation testing standards
• The ability to select from multiple vendors for future system expansion and
modification
Here are some attacks which exploit the protocol specifications:
• Passive Network Reconnaissance: An attacker with the appropriate access captures and
analyzes DNP3 messages. This attack provides the attacker with information about
network topology, device functionality, memory addresses and other data.
• Baseline Response Replay: An attacker with knowledge of normal DNP3 traffic patterns
simulates responses to the master while sending fabricated messages to outstation
devices.
• Rogue Interloper: An attacker installs a man-in-the-middle device between the master
and outstations that can read, modify and fabricate DNP3 messages and/or network
traffic.
• Length Overflow and DFC Flag Attack: These attacks either insert an incorrect value in
the Length field, which affects message processing, or set the DFC flag, which causes an
outstation device to appear busy to the master. These attacks can result in data
corruption, unexpected actions and device crashes.
• Reset Function and Unavailable Function Attack: This attack sends a DNP3 message with
Function Code 1 (reset user process) to the targeted outstation. The attack causes the
targeted device to restart, rendering it unavailable for a period of time and possibly
restoring it to an inconsistent state. Examples are interruption of an outstation and
modification of an outstation. In the unavailable function attack, the attacker sends a DNP3
message with Function Code 14 or 15, which indicates that a service is not functioning or
is not implemented in an outstation device. The attack causes the master not to send
requests to the targeted outstation because it assumes that the service is unavailable.
• Destination Address Alteration: By changing the destination address field, an attacker
can reroute requests or replies to other devices, causing unexpected results. An attacker
can also use the broadcast address 0xFFFF to send erroneous requests to all the
outstation devices; this attack is difficult to detect because (by default) no result
messages are returned to a broadcast request.
• Fragmented Message Interruption: The FIR and FIN flags indicate the first and final
frames of a fragmented message, respectively. When a message with the FIR flag arrives,
all previously received incomplete fragments are discarded. Inserting a message with
the FIR flag set after the beginning of a transmission of a fragmented message causes the
reassembly of a valid message to be disrupted. Inserting a message with the FIN flag set
terminates message reassembly early, resulting in an error during the processing of the
partially completed message.
• Transport Sequence Modification: The Sequence field is used to ensure in-order delivery
of fragmented messages. The sequence number increments with each fragment sent, so
predicting the next value is trivial. An attacker who inserts fabricated messages into a
sequence of fragments can inject any data and/or cause processing errors.
• Outstation Data Reset: This attack sends a DNP3 message with Function Code 15. The
attack causes an outstation device to reinitialize data objects to values inconsistent with
the state of the system. Examples of this attack are interruption and modification of an
outstation.
58. East, Samuel. Butts, Jonathan. Papa, Mauricio. And Shenoi, Sujeet. (2009). A taxonomy of attacks on
the DNP3 Protocol. Critical Infrastructure Protection III, IFIP AICT 311, pp. 67-81, 2009. IFIP International
Federation for Information Processing.
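Several of the link- and transport-layer anomalies in the list above can be checked frame by frame by a monitor on the SCADA network. The following Python code is an added example, not part of the report or of any DNP3 product: the frames are constructed samples, the function names and finding strings are hypothetical, and the checks use only the fields named above (Length, DFC, link function codes 1, 14 and 15, destination 0xFFFF, FIR/FIN and Sequence).

```python
import struct

BROADCAST = 0xFFFF
USER_DATA_FCS = {3, 4}   # primary link function codes that carry a transport segment

def crc_dnp(data):
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC bit-reversed), init 0, inverted output."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return ~crc & 0xFFFF

def build_frame(ctrl, dest, src, user=b""):
    """Build a well-formed link-layer frame (used only for the samples below)."""
    header = bytes([0x05, 0x64, 5 + len(user), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user), 16):            # user data travels in 16-byte blocks
        block = user[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame

def check_transport(header, flow, reassembly):
    """Track the FIR/FIN flags and sequence number of one flow's transport header."""
    fin, fir, seq = header & 0x80, header & 0x40, header & 0x3F
    findings = []
    if fir and flow in reassembly:
        findings.append("FIR inside an unfinished message: earlier fragments dropped")
    elif not fir and flow not in reassembly:
        findings.append("fragment without a preceding FIR")
    elif not fir and seq != reassembly[flow]:
        findings.append("transport sequence %d, expected %d" % (seq, reassembly[flow]))
    if fin:
        reassembly.pop(flow, None)               # message complete
    else:
        reassembly[flow] = (seq + 1) & 0x3F      # 6-bit sequence wraps at 64
    return findings

def inspect_frame(frame, reassembly):
    """Return findings for one frame. `reassembly` maps (src, dest) to the next
    expected sequence number while a fragmented message is in progress."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return ["malformed header"]
    findings = []
    length, ctrl = frame[2], frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        findings.append("header CRC mismatch")
    user_len = length - 5                        # LEN counts CTRL, DEST, SRC, user data
    expected = 10 + user_len + 2 * ((user_len + 15) // 16)
    if user_len < 0 or expected != len(frame):
        findings.append("length field inconsistent with frame size")
    primary, fc = bool(ctrl & 0x40), ctrl & 0x0F
    if dest == BROADCAST:
        findings.append("broadcast destination 0xFFFF")
    if primary and fc == 1:
        findings.append("link function 1: reset user process")
    if not primary and ctrl & 0x10:
        findings.append("DFC flag set: outstation claims to be busy")
    if not primary and fc in (14, 15):
        findings.append("link function %d: service reported unavailable" % fc)
    if primary and fc in USER_DATA_FCS and len(frame) > 10:
        findings += check_transport(frame[10], (src, dest), reassembly)
    return findings

MASTER, OUTSTATION = 1, 10                       # constructed addresses
SAMPLE_TRAFFIC = [                               # constructed frames, not captured traffic
    ("first fragment", build_frame(0xC4, OUTSTATION, MASTER, b"\x40" + b"\x01" * 8)),
    ("injected FIR", build_frame(0xC4, OUTSTATION, MASTER, b"\x45" + b"\x02" * 8)),
    ("sequence jump", build_frame(0xC4, OUTSTATION, MASTER, b"\x89" + b"\x03" * 8)),
    ("truncated frame", build_frame(0xC4, OUTSTATION, MASTER, b"\xC0" + b"\x04" * 8)[:15]),
    ("busy outstation", build_frame(0x1B, MASTER, OUTSTATION)),
    ("not implemented", build_frame(0x0F, MASTER, OUTSTATION)),
    ("broadcast reset", build_frame(0xC1, BROADCAST, MASTER)),
]

def scan(traffic):
    """Inspect labelled frames in order, sharing reassembly state across them."""
    reassembly = {}
    return {label: inspect_frame(frame, reassembly) for label, frame in traffic}

if __name__ == "__main__":
    for label, findings in scan(SAMPLE_TRAFFIC).items():
        print(label, "->", findings or "ok")
```

A finding is an observation to correlate, not proof of an attack: a busy outstation or a broadcast request can be legitimate, so a deployment would compare findings against the site's normal traffic.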
Security issues in SCADA and DNP3 are summarized in Table 6.
Table 6. SCADA security issues
Security Issue | Description
Public Information Availability | Information available through manuals, vendors, and through routine public queries.
Policy and Procedure Vulnerabilities | Inadequate security policies, without the security architecture and design pose a threat. Lack of security audits, disaster recovery plan etc.
Platform Configuration Vulnerabilities | OS and application security patches are not maintained. Inadequate access control to systems, inadequate password policies.
Platform Software Vulnerabilities | Buffer Overflow. Denial of Service, Intrusion detection/prevention software not installed, malware protection not provided
Network Configuration Vulnerabilities | Weak network security architecture, data flow control not applied
Network Perimeter Vulnerabilities | Firewalls nonexistent or improperly configured, Insecure Connections Exacerbate Vulnerabilities, Network Leak Vulnerabilities
Network Communication Vulnerabilities | Passive Network Reconnaissance; Baseline Response Replay; Rogue Interloper; Length Overflow and DFC Flag Attack; Reset Function and unavailable function Attack; Destination Address Alteration; Fragmented Message Interruption; Transport Sequence Modification; Outstation Data Reset; Outstation Application Termination
Integrity
Availability, Integrity
Confidentiality, Integrity,
Accountability
Integrity
Accountability
Integrity
Integrity, Confidentiality
Availability
Availability
Integrity
Integrity
Integrity, Availability
Availability
There is a recent security extension to DNP3 but the researchers are not aware of its
widespread implementation.
Introduction
Despite the current high cost of maintaining electric vehicles, they are generally cheaper to
operate over the long run because they reduce dependency on oil resources, which have been
fluctuating in price due to political instability of the nations that supply the natural oil. Electric
vehicles also produce less greenhouse emissions than gas-powered vehicles, which will help
reduce the effects of global warming.
Many technological and economical challenges come with the continued trend of PEVs
becoming more prevalent. In particular, battery technology (e.g., battery capacity and charge
time) and the infrastructure (e.g., charge stations and grid) are essential prerequisites for a
massive deployment. [59] The Smart Grid will utilize Vehicle-to-Grid (V2G), which is one of the
technological advances that will be used in making electric vehicles a viable mainstream option
for prospective automobile customers. V2G will be a vital component for both the vehicles'
owners and the energy providers because it will allow both parties to draw power from each
other as needed. Peak load leveling is a concept that allows V2G vehicles to provide power to
help balance loads by "valley filling" (charging at night when demand is low) and "peak
shaving" (sending power back to the grid when demand is high). [60] V2G gives electric vehicles
the capability to charge their fuel cells when energy demand is low, while enabling energy
companies to draw power from the vehicles when there is a shortage of power. Since most
vehicles are parked an average of 95 percent of the time, their batteries could be used to let
electricity flow from the car to the power lines and back, with a value to the utilities of up to
$4,000 per year per car. [61] Seeing that V2G follows the concept of peak load leveling, power
consumers and providers can help each other reduce cost and improve the overall effectiveness
of power distribution.
Even though there has been some progress in solutions for PEV technology, other security
issues associated with the technology and the data it will use remain. Some potential
security issues related to PEVs include Secure Payment and Privacy, Smart Metering, and the
Critical Infrastructure and Physical Security. [62]
59,61. Paar, Christof, Andy Rupp, Kai Schramm, Andre Weimerskirch, and Wayne Burleson. Securing
Green Cars: IT Security in Next-Generation Electric Vehicle Systems. Tech. Amherst: ECE Department,
University of Massachusetts at Amherst.
60,62. Vehicle-to-grid. Vehicle-to-grid - Wikipedia, the free encyclopedia. Wikipedia, 2 Oct. 2009.
8.2. Privacy of Movement
PHEVs will overload the smart grid when they are plugged in for charging because PHEVs
move from place to place, so the power requirements at each location change. For example, there
may be a city like Manhattan where more traffic flows in during peak office hours. If many
PHEVs are plugged into the grid at that point at the same time, they will overload the grid. To
solve this problem the position of the PHEVs should be monitored. The constant monitoring of
PHEV location leads to privacy concerns for one's individual freedom. Additionally, if
someone breaks into the monitoring system, they could get access to this information.
8.3. Secure Payment
A very important element of the smart grid is a payment system which works reliably and
securely, and which protects both the end user and the provider. There are good reasons to prefer
electronic payment systems over cash payments, such as reduced revenue collection costs and
reduced losses, enhanced customer satisfaction, improved services and operational efficiency, as
well as more flexible pricing strategies. One type of solution is to use credit cards. However,
credit card systems have problems as well. For example, transactions need to be protected so
that an individual's information is not revealed to third parties. Another approach would be to
adopt Integrated Transportation Payment Systems (ITPS). Unfortunately, there are also
examples of serious shortcomings of today's ITPS. Existing systems do not have mechanisms
protecting their security and especially the privacy of their users. One problem is that some
systems deploy cryptographically weak proprietary primitives. Currently e-cash protocols have
been extensively studied. The study shows that it is possible to construct secure offline
payment that protects the anonymity of honest users but is nevertheless able to disclose their
identities as soon as they try to cheat the system.
Potential attackers can be categorized as a small set of individuals, commercial companies, and
government institutions. Typically regular individuals will attack the system to acquire private
sensitive information in order to track individuals, or attack the system because they are curious.
On the other hand, commercial companies will generate user profiles to increase their revenue.
They will usually respect legal restrictions but they will also exploit legal loopholes. Finally,
government institutions will have extensive power and they might even be able to define the
legal environment. Therefore it is important to define a legal framework to account for
companies and government institutions, and define technical solutions that account for
individual attackers.
Privacy is a challenging problem, since it involves cryptographic theory, engineering, policy
and sociology. In order to enable a deployment, adequate security and privacy mechanisms
must be a requirement. To prevent malicious actions by attackers, some form of IT security needs
to be introduced to systems. Such methods range from cryptographic mechanisms, to secure
and privacy-preserving payment systems, to a critical infrastructure interpretation of the electric
car charging network. This should lead towards addressing the security problems.
8.4. Smart Metering
The owner of the PEV might want to report less electricity than what was actually delivered to
the PEV's batteries, and the energy provider might want to charge for more energy than what
was actually delivered. Even worse than these two would be a third party or middleman, such
as a charging station, which would be able to cheat both the energy providers and the owners of
the PEV. This can happen if care is not taken in securing the smart meter from tampering.
There are best practices that can be applied to provide protection.
8.5.
When PEVs become the norm, the link between the energy and transportation critical
infrastructures will become tightly intertwined. Any malicious attack made against either one of
these two critical infrastructures could potentially pose a threat to the security of both
infrastructures, specifically in the areas of traffic management and payments for services
rendered pertaining to charging of a PEV. Since the link between these two critical
infrastructures is uncharted territory for both the energy and transportation critical
infrastructure sectors, research will be needed to better understand the impacts of such a close
relationship between the two sectors. If a malicious attack were to penetrate the defenses of
either the energy or the transportation critical infrastructure, it would be devastating to both
critical infrastructures, monetarily and physically. Many businesses will not be able to operate
without the ability to charge their vehicles. Traffic management will also become a problem,
and can potentially lead to physical harm to individuals. Because of the severity of the
problems that can be caused by a malicious attack, the Department of Defense should be an
active participant in the security of the energy and transportation sectors of the critical
infrastructures.
Physical security of the equipment is also important to the security of PEVs. If an individual is
allowed to take electricity without paying for it, most of the time that individual will take the
opportunity. The smart chargers will need to be secure enough so that a potential attacker
cannot hack the smart charger for a PEV to provide their PEV with free electricity. There also
might be attackers that are not only looking for free electricity but also seeking to obtain
sensitive information from the smart charger about the current owner or previous owners of
the smart charging device.
Sometimes attackers are not only looking to steal information or energy but are also looking to
cause physical harm to the owner of the PEV. If a battery is overcharged there is a possibility
that the battery will explode and cause physical harm to anyone in the vicinity of the explosion.
The solution to such a problem should be multifaceted. The manufacturers of the battery
should include circuitry that does not allow overcharging of their batteries, and the smart meter
should make sure that overcharging of a battery is not allowed. Another place that an attacker
can cause mischief is at a charging station for PEVs, by either skewing the amount of energy
purchased or by stealing credit card numbers via card skimmers. Particular care has to be taken
when dealing with the physical security of the hardware that involves PEVs.
Successful integration of PEVs into the Smart Grid depends on overcoming the security
challenges of Secure Payment and Privacy, Smart Metering, and the Critical Infrastructure and
Physical Security. [63]
8.6. Communication
PHEVs might use a cellular network for communication, but there are vulnerabilities in this
network that can be used as a means of getting access into the system, sending wrong
information, attacking the system, etc. The potential attacks that can be performed include
man-in-the-middle attacks, spoofing, etc.
63. Paar, Christof, Andy Rupp, Kai Schramm, Andre Weimerskirch, and Wayne Burleson. Securing Green
Cars: IT Security in Next-Generation Electric Vehicle Systems. Tech. Amherst: ECE Department,
University of Massachusetts at Amherst.
Introduction
These security issues are critical but they are not uniquely associated with a specific smart grid
logical component. These issues could affect any smart grid component and refer to actual
field cases. The researchers have not been able to verify these field cases with relevant
California utilities. When they do so they will document it in subsequent reports. Most of the
issues addressed here can be found in the NIST smart grid bottom-up security analysis of smart
grid document as well as the smart grid vulnerability list.
9.5.
In case meters act as home area network gateways for providing energy information to
consumers and/or control for demand response programs, if consumers are authenticated to
meters, authorization and access levels need to be carefully considered, i.e., a consumer capable
of supplying energy to the power grid may have different access requirements than one who
does not.
9.7.
Demand response HAN devices must be securely authenticated to the HAN gateway and vice
versa. It is important for a HAN device to authenticate any demand response or commands
from the DR head end in order to prevent control by an adversary. Without such authentication,
coordinated falsification of control commands across many HAN devices and/or at rapid rates
could lead to grid stability problems. It is important that the DR head end authenticate the
HAN device both to ensure that commands are delivered to the correct device, and that
responses from that device are not forged.
Should a HAN device fail to authenticate, it will presumably be unable to respond to demand
response signals. It should not be possible for a broad DoS attack to cause a large number of
HAN devices to fail to authenticate and thereby not respond to a DR event.
9.8.
Many substations and distribution communication systems still employ slow serial links for
various purposes including SCADA communications with control centers and distribution field
equipment. Furthermore, many of the serial protocols currently in use do not offer any
mechanism to protect the integrity or confidentiality of messages, i.e., messages are transmitted
in cleartext form. Solutions that simply wrap a serial link message into protocols like SSL or
IPSEC over PPP will suffer from the overhead imposed by such protocols (both in message
payload size and computational requirements) and would unduly impact latency and
bandwidth of communications on such connections. A solution is needed to address the
security and bandwidth constraints of this environment.
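To put numbers on the overhead argument above, the following added example (not from the original report) compares a compact integrity trailer with wrapping the same message in TLS over TCP/IP over PPP. The 4-byte sequence number, 8-byte truncated tag, cipher suite and 20-byte sample frame are assumptions chosen for illustration.

```python
import hashlib
import hmac

SEQ_LEN = 4         # sequence number bytes per frame (assumed)
TAG_LEN = 8         # HMAC-SHA256 truncated to 8 bytes (assumed size/security trade-off)
BITS_PER_BYTE = 10  # 8N1 async serial: start bit + 8 data bits + stop bit


class FrameError(Exception):
    """Frame failed the integrity or freshness check."""


def _tag(key, trailer, frame):
    # The fixed-length sequence number goes first, so the MAC input is unambiguous.
    return hmac.new(key, trailer + frame, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, seq, frame):
    """Append sequence number and truncated MAC to an unmodified serial frame."""
    trailer = seq.to_bytes(SEQ_LEN, "big")
    return frame + trailer + _tag(key, trailer, frame)


class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, -1

    def accept(self, wire):
        """Return the original frame, or raise if it was altered or replayed."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            raise FrameError("short frame")
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        frame, trailer = body[:-SEQ_LEN], body[-SEQ_LEN:]
        if not hmac.compare_digest(_tag(self.key, trailer, frame), tag):
            raise FrameError("bad tag")
        seq = int.from_bytes(trailer, "big")
        if seq <= self.last_seq:
            raise FrameError("replayed or out-of-order frame")
        self.last_seq = seq
        return frame


def tls_over_ppp_size(n):
    """Wire bytes for one n-byte message in a TLS 1.2 record (AES-128-CBC with
    HMAC-SHA1, an assumed suite) over TCP/IPv4 over PPP with uncompressed
    headers; excludes the handshake, TCP ACKs and PPP byte stuffing."""
    padded = ((n + 20) // 16 + 1) * 16   # data + 20-byte MAC + 1..16 bytes of CBC padding
    record = 5 + 16 + padded             # record header + explicit IV + ciphertext
    return 8 + 20 + 20 + record          # PPP framing + IPv4 header + TCP header + record


def wire_time_ms(n_bytes, baud):
    """Time to clock n_bytes onto an 8N1 serial line at the given baud rate."""
    return n_bytes * BITS_PER_BYTE * 1000 / baud


def compare(frame_len, baud):
    """Per-message transmit time in ms for the three options."""
    return {
        "cleartext": wire_time_ms(frame_len, baud),
        "compact trailer": wire_time_ms(frame_len + SEQ_LEN + TAG_LEN, baud),
        "TLS/TCP/IP/PPP": wire_time_ms(tls_over_ppp_size(frame_len), baud),
    }


if __name__ == "__main__":
    key = bytes(range(32))     # constructed sample key
    frame = bytes(range(20))   # constructed 20-byte frame, not a real protocol message
    rx = Receiver(key)
    assert rx.accept(protect(key, 1, frame)) == frame
    for name, ms in compare(len(frame), 1200).items():
        print(f"{name:16s} {ms:7.1f} ms at 1200 baud")
```

An 8-byte tag limits forgery resistance, and the receiver's last sequence number has to survive restarts; both are design choices of this sketch rather than requirements stated in the report.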
9.9.
In the AMI space, there is increasing likelihood that mesh routing protocols will be used on
wireless links. Wireless suffers from several well-known and often easily exploitable attacks
partly due to the lack of control over the physical medium (the radio waves). Modern mechanisms
like 802.11i have worked to close some of these holes for standard wireless deployments.
However, wireless mesh technology potentially opens the door to some new attacks in the form
of route injection, node impersonation, L2/L3/L4 traffic injection, traffic modification, etc. Most
current on-demand and link-state routing mechanisms do not specify a scheme to protect the
data or the routes the data takes, primarily because of the distributed nature of the system itself.
They also generally lack schemes for authorizing and providing integrity protection for
adjacencies in the routing system. Without routing security, attacks such as eavesdropping,
impersonation, man-in-the-middle, and denial of service could be easily mounted on AMI
traffic.
to key servers, certificate authorities, OCSP servers, etc. The scale of the systems involved and
their distribution is unprecedented, as it will involve millions of devices. There will also be
issues of cross-certification across different domains and checking for validity of certificates
within the context of this unprecedented scale.
GLOSSARY
ACL: Access Control List
ACM: Association for Computing Machinery (ACM)
AES-CTR: Advanced Encryption Standard Counter Mode
AMI: Advanced Metering Infrastructure
AMR: Automated Meter Reading
ASIS: American Society for Industrial Security
Auto-DR: Automated Demand Response
BMS: Building Management System
BPL: Broadband over Power Line
CCSS: Center for Control System Security
CEC: California Energy Commission
CHP: Combined Heat and Power
C&I: Commercial and Industrial
CIA: Central Intelligence Agency
CMMS: Computer Maintenance Management System
CSO: Chief Security Officer
DA: Distribution Automation
DER: Distributed Energy Resources
DFC: Dynamic Flow Concept
DHS: US Department of Homeland Security
DLC: Direct Load Control
DNP: Distributed Network Protocol
DoE: US Department of Energy
DOS: Denial of Service
DR: Demand Response
DRAS: Demand Response Automation Center
DRRC: Demand Response Research Center
DSPF: Distribution System Power Flow
DSM: Demand Side Management
DSSS: Direct Sequence Spread Spectrum
EEI: Edison Electric Institute
EM: Electro-Magnetic
EMS: Energy Management System
EMCS: Emergency Management Control Center
EPRI: Electric Power Research Institute
HAN: Home Area Network
HG: Home Gateway
HVAC: Heating Ventilation & Air Condition
HTTP: Hyper Transfer Text Protocol
ICCP: Inter-Control Center Communications Protocol
ICS: Industrial Control Systems
IDART: Information Design Assurance Red Team
IED: Intelligent Electronic Devices
IOU: Investor Owned Utility
IP: Internet Protocol
ISO: Independent System Operator
IT: Information Technology
ITPS: Integrated Transportation Payment Systems
kW: Kilowatt
kWh: Kilowatt Hour
LAN: Local Area Network
LOS: Line of Sight
LSE: Load Serving Entity
LTC: Load Tap Changer
MAC: Media Access Control
MDM: Meter Data Management
MDMS: Meter Data Management System
MTU: Master Terminal Unit
NAN: Neighborhood Area Network
NIST: National Institute of Standards and Technology
NOC: Network Operating Center
OCSP: Online Certificate Status Protocol
OpenADR: Open Automated Demand Response or Open Auto-DR
PCT: Programmable Communicating Thermostat
PEV: Plug-In Electric Vehicle
PG&E: Pacific Gas & Electric
PHEV: Plug-In Hybrid Electric Vehicle
PIER: Public Interest Energy Research
PKI: Public Key Infrastructure
PLA: People's Liberation Army
PLC: Programmable Logic Controllers
RCD: Residual Current Device
RD&D: Research, Development and Demonstration
RF: Radio Frequency
RFB: Request For Bids
RG: Residential Gateway
RTO: Regional Transmission Operators
RTP: Real Time Pricing
RTU: Remote Terminal Unit
SCADA: Supervisory Control and Data Acquisition
SCE: Southern California Edison
SDLC: Systems Development Life Cycle
SG: Smart Grid
SOAP: Simple Object Access Protocol
T&D: Transmission and Distribution
TDM: Time Division Multiplexing
TLS: Transport Layer Security
TOU: Time to Use
UIS: Utility Information System
USNAP: Utility Smart Network Access Port
V2G: Vehicle to Grid
WNAN: Wireless Neighborhood Area Network
WiMax: Worldwide Interoperability for Microwave Access
WSDL: Web Service Description Language
XML: Extensible Markup Language
XSD: XML Schema Definition
APPENDIX A
IntelliGrid Use Cases, only the power system operations Use Cases and Demand
Response/AMI ones are of particular interest for security. The EPRI IntelliGrid project
developed the complete list of Use Cases (700 cases).
AMI Business Functions which were extracted from Appendix B of the AMI-SEC
Security Requirements Specification.
Benefits and Challenges of Distribution Automation Use Case Scenarios extracted from
CEC document which has 82 Use Cases.
EPRI Use Case Repository, compilation of IntelliGrid and SCE Use Cases, plus others.
SCE Use Cases developed by Southern California Edison (SCE) with the assistance of
EnerNex.
The Use Cases have been grouped in categories that follow and they represent a good summary
of most of the information discussed in this report.
1.1.
Category: AMI
Scenario 1: Meter Reading Services (Periodic Meter Reading, On-Demand Meter Reading,
Net Metering for DER and PEV, Feed-In Tariff Metering for DER and PEV, Bill-Paycheck
Matching)
Cyber Security Requirements:
Integrity of meter data is important, but the impact of incorrect data is not large.
Availability of meter data is not critical in real time.
Confidentiality (privacy) of customer metering data over the AMI system, metering database,
and billing database, to avoid serious breaches of privacy and potential legal repercussions.
Scenario 2: Pre-Paid Metering (Limited Energy Usage and Limited Demand)
Cyber Security Requirements:
Integrity of meter data is critical, to avoid unwarranted disconnections due to perceived lack of
prepayment. Security compromises could have a large impact on the customer and could cause
legal repercussions.
Availability to turn meter back on after payment is important, but could be handled by a truck
roll if necessary.
Confidentiality (privacy) of customer metering data over the AMI system, metering database,
and billing database.
Scenario 3: Revenue Protection (Tamper Detection, Anomalous Readings, Meter Status and
Suspicious Meter)
Cyber Security Requirements:
Integrity of meter data is important, but if tampering is not detected or if unwarranted
indications of tampering are detected, there is no power system impact, just revenue impact.
Availability to turn meter back on after payment is important.
Confidentiality (privacy) of customer metering data over the AMI system, metering database,
and billing database is important.
Scenario 4: Remote Connect/Disconnect of Meter (Remote Connect for Move-In, Remote
Connect for Reinstatement on Payment, Remote Disconnect for Move-Out, Remote Disconnect
for Non-Payment, Remote Disconnect for Emergency Load Control and Unsolicited Connect/
Disconnect Event)
Cyber Security Requirements:
Integrity of control commands to the RCD switch is critical to avoid unwarranted
disconnections or dangerous/unsafe connections. The impact of invalid switching could be very
large if many meters are involved.
Availability to turn meter back on when needed is important.
Confidentiality requirements of the RCD command are generally not very important, except
related to non-payment.
Scenario 5: Outage Detection and Restoration (Smart meters report one or more power losses
e.g. "last gasp", Outage management system collects meter outage reports and customer
trouble calls, Outage management system determines location of outage and generates outage
trouble tickets, Work management system schedules work crews to resolve outage, Interactive
utility customer systems inform the customers about the progress of events and Trouble tickets
are used for statistical analysis of outages)
Cyber Security Requirements:
Integrity is important to ensure outages are reported correctly.
Availability is important to ensure outages are reported in a timely manner (a few seconds).
Confidentiality is not very important.
Scenario 6: Meter Maintenance (Connectivity validation, Geolocation of meter and Smart meter
battery management)
Cyber Security Requirements:
Integrity of meter maintenance repairs and updates is essential to prevent malicious
intrusions.
Availability is important, but only in terms of hours or maybe days.
Confidentiality is not important unless some maintenance activity involves personal
information.
Scenario 7: Meter Detect Removal
This scenario discusses the AMI meter's functionality to detect and report unauthorized
removal and similar physical tampering. AMI meters require additional capability over
traditional meters to prevent theft and tampering due to the elimination of regular visual
inspection provided by meter reading.
Objective/Requirements:
Reduce energy theft. Prevent theft/compromise of passwords and key material. Prevent
installation of malware.
Scenario 8: Utility Detects Probable Meter Bypass
AMI meters eliminate the possibility of some forms of theft (i.e. meter reversal). Other types of
theft will be more difficult to detect due to the elimination of regular physical inspection
provided by meter reading. This scenario discusses the analysis of meter data to discover
potential theft occurrences.
Objective/Requirements:
Reduce theft. Protect integrity of reporting. Maintain availability for reporting and billing.
1.2.
Scenario 1: Real Time Pricing (RTP) for Customer Load and DER/PEV
Use of Real Time Pricing for electricity is common for very large customers, affording them an
ability to determine when to use power and minimize the costs of energy for their business. The
extension of real-time pricing to smaller industrial and commercial customers and even
residential customers is possible with smart metering and in-home displays. Aggregators or
customer energy management systems must be used for these smaller consumers due to the
complexity and 24x7 nature of managing power consumption. Pricing signals may be sent via
an AMI system, the Internet, or other data channels.
Cyber Security Requirements:
Integrity, including non-repudiation, of pricing information is critical, since there could be large
financial and possibly legal implications.
Availability, including non-repudiation, for pricing signals is critical because of the large
financial and possibly legal implications.
Confidentiality is important mostly for the responses that any customer might make to the
pricing signals.
Scenario 2: Time of Use (TOU) Pricing
Time of use pricing creates blocks of time and seasonal differences that allow smaller customers
with less time to manage power consumption to gain some of the benefits of real-time pricing.
This is the favored regulatory method in most of the world for dealing with global warming.
Although Real Time Pricing is more flexible than Time of Use, it is likely that TOU will still
provide many customers with all of the benefits that they can profitably use or manage.
Cyber Security Requirements:
Integrity is not critical since TOU pricing is fixed for long periods and is not generally
transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 3: Net Metering for DER and PEV
When customers have the ability to generate or store power as well as consume power, net
metering is installed to measure not only the flow of power in each direction, but also when the
net power flows occurred. Often Time of Use (TOU) tariffs are employed.
Today larger C&I customers and an increasing number of residential and smaller C&I
customers have net metering installed for their photovoltaic systems, wind turbines, combined
heat and power (CHP), and other DER devices. As plug-in electric vehicles (PEVs) become
available, net metering will increasingly be implemented in homes and small businesses, even
parking lots.
Cyber Security Requirements:
Integrity is not very critical since net metering pricing is fixed for long periods and is not
generally transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 4: Feed-In Tariff Pricing for DER and PEV
Feed-in tariff pricing is similar to net metering except that generation from customer DER/PEV
has a different tariff rate than the customer load tariff rate during specific time periods.
Cyber Security Requirements:
Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not
transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 5: Critical Peak Pricing
Critical Peak Pricing builds on Time of Use Pricing by selecting a small number of days each
year where the electric delivery system will be heavily stressed and increasing the peak (and
sometimes shoulder peak) prices by up to 10 times the normal peak price. This is intended to
reduce the stress on the system during these days.
Cyber Security Requirements:
Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not
transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
Scenario 6: Mobile Plug-In Electric Vehicle (PEV) Functions
Customer connects PEV at another home. Customer connects PEV outside home territory.
Customer connects PEV at public location. Customer charges the PEV.
Cyber Security Requirements:
Integrity is not critical, since feed-in tariff pricing is fixed for long periods and is generally not
transmitted electronically.
Availability is not an issue.
Confidentiality is not an issue, except with respect to meter reading.
1.3.
Scenario 1: Customer's In-Home Device is Provisioned to Communicate with the Utility.
Configure customer's device to receive and send data to utility systems. The device could be an
information display, communicating thermostat, load control device or smart appliance.
Objective/Requirements:
Protect passwords. Protect key material. Authenticate with other devices on the AMI system.
Scenario 2: Customer Views Pricing or Energy Data on Their In-Home Device
The information available to customers on their in-home devices.
Multiple communication paths and device functions will be considered.
Objective/Requirements:
To validate that information is trustworthy (integrity).
Scenario 3: In-Home Device Troubleshooting
The resolution of communication or other types of errors that could occur with in-home devices.
The roles of the customer, device vendor and utility will be discussed.
Objective/Requirements:
Avoid disclosing customer information. Avoid disclosing key material and/or passwords.
Scenario 4: Customer Views Pricing or Energy Data via the Internet
The information that should be available to the customer using the internet and some possible
uses for the data.
Objective/Requirements:
Protect customer's information (privacy). Provide accurate information.
Scenario 5: Utility Notifies Customers of Outage
When an outage occurs the utility can notify affected customers and provide estimated
restoration times and report when power has been restored. Smart grid technologies can
improve the utility's accuracy for determination of affected area and restoration progress.
Objective/Requirements:
Validate that the notification is legitimate. Customer's information is kept private.
Scenario 6: Customer Access to Energy-Related Information
Access to real-time (or near real-time) energy and demand usage and billing information.
Requesting energy services such as move-in/move-out requests, pre-paying for electricity,
changing energy plans (if such tariffs become available), etc.
Access to energy pricing information.
Access to their own DER generation/storage status.
Access to their own PEV charging/discharging status.
Establishing thermostat settings for demand response pricing levels.
Although different types of energy-related information access are involved, the security
requirements are similar.
Cyber Security Requirements:
Integrity, including non-repudiation, is critical since energy and pricing data will have financial
impacts.
Availability is important to the individual customer, but will not have widespread impacts.
Confidentiality is critical because of customer privacy issues.
1.4.
Scenario 1: Bulk Power Electricity Market
The bulk power market varies from region to region, and is conducted primarily through
Regional Transmission Operators (RTO) and Independent System Operators (ISO). The market
is handled independently from actual operations, although the bids into the market obviously
affect which generators are used for what time periods and which functions (base load,
regulation, reserve, etc.).
Therefore there are no direct operational security impacts, but there are definitely financial
security impacts.
Cyber Security Requirements:
Integrity for pricing and generation information is critical.
Availability for pricing and generation information is important within minutes to hours.
Confidentiality for pricing and generation information is critical.
Scenario 2: Retail Power Electricity Market
The retail power electricity market is still minor, but growing, compared to the bulk power
market, but typically involves aggregators and energy service providers bidding customer-
owned generation or load control into both energy and ancillary services. Again it is handled
independently from actual power system operations. Therefore there are no direct operational
security impacts, but there are definitely financial security impacts.
Cyber Security Requirements:
Integrity for pricing and generation information is critical.
Availability for pricing and generation information is important within minutes to hours.
Confidentiality for pricing and generation information is critical.
Scenario 3: Carbon Trading Market
The carbon trading market does not exist yet, but the security requirements will probably be
similar to the retail electricity market.
Cyber Security Requirements:
Integrity for pricing and generation information is critical.
Availability for pricing and generation information is important within minutes to hours.
Confidentiality for pricing and generation information is critical.
1.5.
Scenario 1: Distribution Automation (DA) within Substations
Distribution SCADA System Monitors Distribution Equipment in Substations
Supervisory Control on Substation Distribution Equipment
Substation Protection Equipment Performs System Protection Actions
Reclosers in Substations
Cyber Security Requirements:
Integrity of distribution control commands is critical for distribution operations, avoiding
outages, and providing power to customers reliably and efficiently.
Availability for control is critical, while monitoring individual equipment is less critical.
Confidentiality is not very important.
Scenario 2: Distribution Automation (DA) Using Local Automation
Local Automated Switch Management
Local Volt/Var Control
Local Field Crew Communications to Underground Network Equipment
Cyber Security Requirements:
Integrity of distribution control commands is critical for distribution operations, avoiding
outages, and providing power to customers reliably and efficiently.
Availability for control is critical, while monitoring individual equipment is less critical.
Confidentiality is not very important.
Scenario 3: Distribution Automation (DA) Monitoring and Controlling Feeder Equipment
Remotely open or close automated switches
Remotely switch capacitor banks in and out
Remotely raise or lower voltage regulators
Block local automated actions
Automation of Emergency Response
Dynamic Rating of Feeders
Send updated parameters to feeder equipment
Interact with equipment in underground distribution vaults
Retrieve power system information from Smart Meters
Cyber Security Requirements:
Integrity of distribution control commands is critical for distribution operations, avoiding
outages, and providing power to customers reliably and efficiently.
Availability for control is critical, while monitoring individual equipment is less critical.
Confidentiality is not very important.
Scenario 4: Fault Detection, Isolation, and Restoration
The automated fault location, isolation, and service restoration function uses the
combination of the power system model with the SCADA data from the field on real-
time conditions to determine where a fault is probably located, by undertaking the
following steps:
Determines the faults cleared by controllable protective devices
Determines the faulted sections based on SCADA fault indications and protection
lockout signals
Estimates the probable fault locations, based on SCADA fault current measurements and
real-time fault analysis
Determines the fault-clearing non-monitored protective device
Uses closed-loop or advisory methods to isolate the faulted segment
Once the fault is isolated, it determines how best to restore service to unfaulted
segments through feeder reconfiguration
Cyber Security Requirements:
Integrity of outage information is critical.
Availability to detect large-scale outages usually involves multiple sources of information.
Confidentiality is not very important.
Scenario 5: Load Management
Load management provides active and passive control by the utility of customer appliances
(e.g. cycling of air conditioner, water heaters, and pool pumps) and certain C&I customer
systems (e.g. plenum precooling, heat storage management).
Direct load control and load shedding
Demand side management
Load shift scheduling
Curtailment planning
Selective load management through Home Area Networks
Cyber Security Requirements:
Integrity of load control commands is critical to avoid unwarranted outages.
Availability for load control is important; in aggregate (e.g. > 300 MW), it can be critical.
Confidentiality is not very important.
Scenario 6: Distribution Analysis using Distribution Power Flow Models
The brains behind the monitoring and controlling of field devices are the DA analysis software
applications. These applications generally use models of the power system to validate the raw
data, assess real-time and future conditions, and issue the appropriate actions. The applications
may be distributed and located in the field equipment for local assessments and control, and/or
may be centralized in a Distribution Management System for global assessment and control.
Local peer-to-peer interactions between equipment.
Normal distribution operations using the Distribution System Power Flow (DSPF) model.
Emergency distribution operations using the DSPF model.
Study-Mode Distribution System Power Flow (DSPF) model.
DSPF/DER Model of distribution operations with significant DER generation/storage.
Cyber Security Requirements:
Integrity is critical to operate the distribution power system reliably, efficiently, and safely.
Availability is critical to operate the distribution power system reliably, efficiently, and safely.
Confidentiality is not important.
Scenario 7: Distributed Energy Resource (DER) Management Distribution Operations
In the future, more and more of generation and storage resources will be connected to the
distribution network and will significantly increase the complexity and sensitivity of
distribution operations. Therefore, the management of DER generation will become increasingly
important in the overall management of the distribution system, including load forecasts, real-
time monitoring, feeder reconfiguration, virtual and logical microgrids, and distribution
planning.
Direct monitoring and control of DER.
Shut-down or islanding verification for DER.
Plug-in Hybrid Vehicle (PEV) management, as load, storage, and generation resource.
Electric storage fill/draw management.
Renewable energy DER with variable generation.
Small fossil resource management, such as backup generators to be used for peak shifting.
Cyber Security Requirements:
Integrity is critical for any management/control of generation and storage.
Availability requirements may vary depending on the size (individual or aggregate) of the DER
plant.
Confidentiality may involve some privacy issues with customer-owned DER.
Scenario 8: Distributed Energy Resource (DER) Management Control Centers
Distribution planning typically uses engineering systems with access only to processed power
system data that is available from the control center. It is therefore relatively self-contained.
Operational planning
Assessing Planned Outages
Storm Condition Planning
Short-term distribution planning
Short Term Load Forecast
Short Term DER Generation and Storage Impact Studies
Long-term distribution planning
Long Term Load Forecasts by Area
Distribution Financial Planners
Distribution System Upgrades and Extension
Optimal Placements of Switches, Capacitors, Regulators, and DER
Cyber Security Requirements:
Integrity is not critical due to multiple sources of data.
Availability is not important.
Confidentiality is not important.
1.6.
Scenario 1: Customer Connects Plug-in Hybrid Electric Vehicle to Energy Portal
A customer plugging in an electric vehicle at their premise to charge its battery. Variations of
this scenario will be considered that add complexity: a customer charging their vehicle at
another location and providing payment or charging at another location where the premise
owner pays.
Objective/Requirements:
The customer's information is kept private. Billing information is accurate.
Scenario 2: Customer Connects Plug-in Hybrid Electric Vehicle to Energy Portal and
Participates in Smart (Optimized) Charging
In addition to simply plugging in an electric vehicle for charging, in this scenario the electric
vehicle charging is optimized to take advantage of lower rates or help prevent excessive load
peaks on the electrical system.
Objective/Requirements:
Customer information is kept private.
Scenario 3: Plug-In Hybrid Electric Vehicle or Customer Receives and Responds to Discrete
Demand Response Events
An advanced scenario for electric vehicles is the use of the vehicle to provide energy
stored in its battery back to the electrical system. Customers could participate in demand
response programs where they are provided an incentive to allow the utility to request
power from the vehicle at times of high system load.
Objective/Requirements:
Improved system stability and availability. To keep customer information private.
To ensure DR messages are accurate and trustworthy.
Scenario 4: Plug-In Hybrid Electric Vehicle or Customer Receives and Responds to Utility Price
Signals
The electric vehicle is able to receive and act on electricity pricing data sent from the utility. The
use of pricing data for charging is primarily covered in another scenario. The pricing data can
also be used in support of a distributed resource program where the customer allows the
vehicle to provide power to the electric grid based on market conditions.
Objective/Requirements:
Improved system stability and availability. Pricing signals are accurate and trustworthy.
Customer information is kept private.
1.7.
Scenario 1: Customer Provides Distributed Resource
The process of connecting a distributed resource to the electric power system and the
requirements of net metering.
Objective/Requirements:
Customer information is kept private. Net metering is accurate and timely.
Scenario 2: Utility Controls Customer's Distributed Resource
Distributed generation and storage can be used as a demand response resource where the utility
can request or control devices to provide energy back to the electrical system. Customers enroll
in utility programs that allow their distributed resource to be used for load support or to assist
in maintaining power quality. The utility programs can be based on direct control signals or
pricing information.
Objective/Requirements:
Commands are trustworthy and accurate. Customer's information is kept private.
DR messages are received timely.
1.8.
Scenario1:RealtimeNormalTransmissionOperationsUsingEMSApplicationsandSCADA
Data
Transmissionnormalrealtimeoperationsinvolvemonitoringandcontrollingthetransmission
systemusingtheSCADAandEnergyManagementSystem.Thetypesofinformation
exchangedinclude:
Monitoredequipmentstates(open/close),alarms(overheat,overload,batterylevel,capacity),
andmeasurements(current,voltage,frequency,energy)Operatorcommandandcontrol
actions,suchassupervisorycontrolofswitchingoperations,setup/optionsofEMSfunctions,
andpreparationforstormconditions.
Closedloopactions,suchasprotectiverelayingtrippingcircuitbreakersuponpowersystem
anomalies.
Automationsystemcontrolsvoltage,varandpowerflowbasedonalgorithms,realtimedata,
andnetworklinkedcapacitiveandreactivecomponents.
CyberSecurityRequirements:
Integrityisvitaltothesafetyandreliabilityofthetransmissionsystem.
Availabilityiscriticaltoprotectiverelaying(e.g.<4ms)andoperatorcommands(e.g.one
second).
Confidentialityisnotimportant.
Scenario2:EMSNetworkAnalysisBasedonTransmissionPowerFlowModels
EnergyManagementSystems(EMS)assessesthestateofthetransmissionpowersystemusing
thetransmissionpowersystemanalysismodelsandtheSCADAdatafromthetransmission
substations.
EMSperformsmodelupdate,stateestimation,busloadforecast.
EMSperformscontingencyanalysis,recommendspreventiveandcorrectiveactions.
EMSperformsoptimalpowerflowanalysis,recommendsoptimizationactions.
EMSorplannersperformstabilitystudyofnetwork.
ExchangepowersystemmodelinformationwithRTOs/ISOsand/orotherutilities.
CyberSecurityRequirements:
79
Integrityisvitaltothereliabilityofthetransmissionsystem.
Availabilityiscriticaltoreacttocontingencysituationsviaoperatorcommands(e.g.one
second).
Confidentialityisnotimportant.
Scenario 3: Real-Time Emergency Transmission Operations
During emergencies, the power system takes some automated actions and the operators can
also take actions:
Power System Protection: Emergency operations handle under-frequency load/generation
shedding, under-voltage load shedding, LTC control/blocking, shunt control, series
compensation control, system separation detection, and wide-area real-time instability recovery.
Operators manage emergency alarms.
SCADA system responds to emergencies by running key applications such as disturbance
monitoring analysis (including fault location), dynamic limit calculations for transformers and
breakers based on real-time data from equipment monitors, and pre-arming of fast-acting
emergency automation.
SCADA/EMS generates signals for emergency support by distribution utilities (according to the
T&D contracts):
Operators perform system restorations based on system restoration plans prepared (authorized)
by operation management.
Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to protective relaying (e.g. <4 ms) and operator commands (e.g. one
second).
Confidentiality is not important.
Scenario 4: Wide Area Synchro-Phasor System
The Wide Area Synchro-Phasor system provides synchronized and time-tagged voltage and
current phasor measurements to any protection, control, or monitoring function that requires
measurements taken from several locations, whose phase angles are measured against a
common, system-wide reference. Present-day implementation of many protection, control, or
monitoring functions is hobbled by not having access to the phase angles between local and
remote measurements. With system-wide phase angle information, they can be improved and
extended. The essential concept behind this system is the system-wide synchronization of
measurement sampling clocks to a common time reference.
Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to protective relaying (e.g. <4 ms) and operator commands (e.g. one
second).
Confidentiality is not important.
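The requirement pattern repeated in the transmission scenarios above (integrity vital, delivery within a deadline, confidentiality not important) can be illustrated with an added example that is not part of the original report. It assumes HMAC-SHA256 as the integrity mechanism, a cleartext frame layout, sender and receiver clocks synchronized to a common time reference, and hypothetical names (seal, Receiver, demo); the report prescribes none of these. The two deadlines are the report's own example figures.

```python
import hashlib
import hmac
import struct

# Delivery deadlines in seconds, from the report's "e.g." figures.
DEADLINES = {"protective_relaying": 0.004, "operator_command": 1.0}
CLASS_IDS = {0: "protective_relaying", 1: "operator_command"}
HEADER = struct.Struct(">QdB")  # sequence number, send time, class id
TAG_LEN = 32                    # HMAC-SHA256 tag length in bytes


def seal(key, seq, sent_at, class_id, payload):
    """Sender: cleartext header and payload followed by an HMAC tag."""
    body = HEADER.pack(seq, sent_at, class_id) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest authentic sequence number seen

    def accept(self, frame, now):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_integrity", None  # altered or forged in transit
        seq, sent_at, class_id = HEADER.unpack(body[:HEADER.size])
        if class_id not in CLASS_IDS:
            return "malformed", None
        if seq <= self.last_seq:
            return "replayed", None       # authentic, but already seen
        self.last_seq = seq
        if now - sent_at > DEADLINES[CLASS_IDS[class_id]]:
            return "late", None           # authentic, but past its deadline
        return "ok", body[HEADER.size:]


def demo():  # constructed sample frames -> list of verdicts
    key = b"constructed-demo-key"
    rx = Receiver(key)
    trip = seal(key, 1, 100.0, 0, b"TRIP CB-12")    # constructed relay message
    stale = seal(key, 2, 100.0, 0, b"TRIP CB-12")
    forged = seal(key, 3, 100.0, 1, b"OPEN SW-7").replace(b"OPEN", b"SHUT")
    frames = [(trip, 100.002), (trip, 100.003), (stale, 100.010), (forged, 100.5)]
    return [rx.accept(frame, now)[0] for frame, now in frames]
```

The payload travels in cleartext on purpose: the tag alone answers the integrity requirement, and the receiver's only other work is one hash computation and two comparisons.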
1.9.
Scenario 1: RTO/ISO Management of Central and DER Generators and Storage
RTOs and ISOs manage the scheduling and dispatch of central and distributed generation and
storage.
These functions include:
Real-time scheduling with the RTO/ISO (for non-market generation/storage)
Real-time commitment to RTO/ISO
Real-time dispatching by RTO/ISO for energy and ancillary services
Real-time plant operations in response to RTO/ISO dispatch commands
Real-time contingency and emergency operations.
Black Start (system restoration after blackout).
Emissions monitoring and control.
Cyber Security Requirements:
Integrity is vital to the safety and reliability of the transmission system.
Availability is critical to operator commands (e.g. one second).
Confidentiality is not important.
Objective/Requirements:
Data is accurate (integrity).
Data is provided in a timely manner.
Customer data is kept private.
Scenario 2: Utility makes decisions on asset replacement based on a range of inputs including
comprehensive offline and online condition data and analysis applications.
When decisions on asset replacement become necessary, the system operator, asset
management, apparatus engineering and maintenance engineering staff work closely together
with the objective of maximizing the life and utilization of the asset while avoiding an
unplanned outage and damage to the equipment.
This scenario involves the use of online condition monitoring devices for the range of assets
monitored, offline test results, mobile workforce technologies, the communications equipment
used to collect the online data, data marts (historian databases) to store and trend data as well
as condition analysis applications, CMMS applications, display applications and SCADA/EMS.
Objective/Requirements:
Data provided is accurate and trustworthy.
Data is provided in a timely manner.
Scenario 3: Utility performs localized load reduction to relieve circuit and/or transformer
overloads
Transmission capacity can become constrained due to a number of system-level scenarios and
result in an overload situation on lines and substation equipment. Circuit and/or transformer
overloads at the distribution level can occur when higher-than-anticipated customer loads are
placed on a circuit or when operator or automatic switching actions are implemented to change
the network configuration. Traditional load reduction systems are used to address generation
shortfalls and other system-wide issues. Localized load reduction can be a key tool enabling the
operator to temporarily curtail the load in a specific area to reduce the impact on specific
equipment. This scenario describes the integrated use of the AMI system, the demand response
system, other load reduction systems and the SCADA/EMS to achieve this goal.
Objective/Requirements:
Load reduction messages are accurate and trustworthy.
Customers' information is kept private.
DR messages are received and processed in a timely manner.
Scenario 4: Utility system operator determines level of severity for an impending asset failure
and takes corrective action
When pending asset failure can be anticipated, the system operator, asset management,
apparatus engineering and maintenance engineering staff work closely together with the
objective of avoiding an unplanned outage while avoiding further damage to the equipment.
This scenario involves the use of online condition monitoring devices for the range of assets
monitored, offline test results, mobile workforce technologies, the communications equipment
used to collect the online data, data marts (historian databases) to store and trend data as well
as condition analysis applications, CMMS applications, display applications and SCADA/EMS.
Objective/Requirements:
Asset information provided is accurate and trustworthy.
Asset information is provided in a timely manner.