• New Regulation
• Distributed Energy Resources
This paper provides smart grid security perspectives from a security expert involved in both attacking and defending these types of systems in practice. It is formatted as an interview, with questions and answers. The topics include smart grid threats, defensive approaches, and security certification perspectives.
Security is getting a lot of attention in all sorts of industries. For utilities, what are the main types of threats they face related to smart meter systems (AMI), and the smart grid in general?
There are three sets of threats that need to be addressed. There is the set of "old school" threats of fraud, theft and safety, which have long been a top concern for utilities. There is a newer and growing set of regulatory threats around non-compliance, such as the General Data Protection Regulation in Europe. Finally, there are the threats associated with the adoption, use and increasing reliance on information technology, such as cyberattacks that can prevent a utility from delivering its services. Some of these threats are similar to those of a traditional IT infrastructure, but their priorities and threat model usually differ significantly. For example, utilities use AMIs and smart grids to store, distribute, and manage energy using information technology. Therefore, they share many of the same assets and corresponding threats as other entities relying on information technology systems. There are three main types of threats I spend a lot of time thinking about while working on providing a safe and resilient platform for smart grids.
- Threats that disrupt or prevent utilities from delivering energy. Most of us rely on the availability of electricity to power heating systems, hospitals, communication systems, transportation systems, etc. Outages can have severe and even fatal consequences for us and our businesses. There are many threats that can result in outages; from nation-sponsored cyberattacks to software malfunction, operational mistakes and natural disasters.
Fig. 1: Key considerations of a security system.
- Threats originating from criminal organisations that monetise from a utility’s lack of security. Over the past years, we have seen a rapid increase in malware samples and attacks specifically targeting utilities managing AMIs and smart grids. “Smart” almost always means “vulnerable” which in turn means opportunity for cybercriminals. A common, and unfortunately effective, tactic is to demand a ransom in exchange for not damaging a utility's infiltrated systems and/or reputation.
- Threats that may compromise our privacy as utility customers. Utilities are responsible for handling and storing private information. This makes data leaks and unauthorised accesses to this data two of the main threats to privacy.
Of course, these are only part of the threat landscape that needs to be specifically mapped out by experts when conducting risk assessments for the specific grid at hand.
AMI and the smart grid is an evolution that continues to change within the industry, how has security and protection evolved over time, and what are the expected changes that we will see in the future?
Before AMIs and smart girds, the industry relied on physical security measures and obscurity to protect the power grid. Fences, door locks, guards, video surveillance, and the obscurity of physically-isolated proprietary control systems were often enough to manage the threats utilities were facing. In addition, incident response procedures were often wellestablished and fairly comprehensive.
The introduction of AMIs and smart grids, and thus information technology, changed everything and necessitated a new industry expertise: information security. However, although industry embraced the many operational and financial promises of AMIs and smart grids, information security expertise was severely lacking and properly securing these new and advanced systems became an afterthought at best. This resulted in fragile and insecure smart grid deployments developed from non-existent or misguided security recommendations.
We are only now seeing industry and nationleaders waking up to the “cyber” reality as devastating cyberattacks on utilities are publicly being disclosed. As a result, initiatives to establish nation-wide baseline security requirements and security certifications are in progress. Unfortunately, these initiatives may be too late in some cases and may even foster a compliancy-defined approach to security. We have learned from other industries that this is a harmful approach; an expert-driven risk-based approach to safe and resilient smart grids is the way forward.
Smart grids will continue to increase in complexity, and attacks will continue to increase in both sophistication and frequency. An adaptive and comprehensive approach to security is needed to keep up with this advancement and it starts with expertise, politics, and financial incentives.
How should a utility approach ensure security of its systems?
Utilities need to go beyond compliance, make information security an integral part of their core business and invest in it accordingly, focus not only on protective measures but in detection and incident response as well, conduct independent risk assessments on a regular basis with their technology vendors, and most importantly, obtain as much expert knowledge as possible in order to determine exactly how and precisely where to invest in security.
A misconception that I often hear is the assumption that the internet and the smart grid share identical system characteristics. In reality, smart grids differ greatly from the internet in terms of communication technologies, network reliability, smart meter/ server resources, and threat model.
A consequence of applying an internet-biased security mindset to the smart grid can result in degradation of performance forcing utilities to compromise on security in order to meet service-level agreements (SLAs). You must understand the technical differences in order to apply the appropriate security measures. There is no one-size-fits-all when it comes to securing these complex systems.
There are various certifications used by utilities to ensure compliance to various standards and processes. How does certification factor into security solutions and implementations?
One on side, certification provides a minimum baseline of practice and raises the bar for all. Certifications also provide transparency and accountability for security and compliance,and helps utilities demonstrate to regulators and legislators that they are doing their job. If security certification becomes part of regulation, then it also forces utilities to spend money on security. These are all positive and important factors of certification.
On the other side, however, security certifications can discourage utilities to go beyond compliance as there is little financial incentive to do so. Certification processes also have a long-standing reputation for being disruptive, cost ineffective, and providing superficial security assurances. Certification can also discourage new practices and technology adoption because of the need for re-certification. Finally, certifications are slow-moving which is in direct contrast to the fast-changing threat landscape that they hopelessly try to keep up with. That being said, I do believe a regulated security program can be beneficial to the industry if it is able to resolve the issues mentioned before, help hold utilities financially liable for securing the power grids that we all rely on, and to use it as a tool to foster a risk-based and comprehensive approach to security.
What are the key areas needed to ensure a secure system?
Utilities should continuously strive to maintain a safe and resilient system. To do so, three key areas need to be covered: protection, detection, and incident response.
Protection is about trying to prevent security breaches from happening in the first place. Encryption and authentication are two examples of preventative security measures designed to protect the confidentiality and integrity of information, respectively. There is one thing we have learned in the security industry – the highly skilled and focused attackers will always find a way to either break through or entirely circumvent the protective measures. This brings us to detection and incident response.
Detection is about detecting security breaches before, after, or as they are happening. It is important to have measures in place for monitoring both incoming and outgoing events. There are many attacks that go undetected once they have infiltrated the system.
Incident response is about being able to handle breaches of security in a timely and efficient manner. It relies on people, processes, and technology. During a crisis, it is essential to have an action plan in place to regain control of the situation as fast as possible.
You mentioned that "comprehensive security" is the essential approach for utilities. What does this mean to you?
“Comprehensive security” is a loaded term. It means different things to different people. For me, basically, it means that your security goes through a continuous cycle of three stages:
- Identify: Pinpointing areas of concern and prioritising them based on risk. This is also known as risk assessment. For a risk assessment to be considered comprehensive, keeping up to date with current threats is crucial.
- Improve: Design and implementation of the security measures used to address the identified areas of concern.
- Evaluate: Evaluating all of the security measures in practice. This needs to be done internally as well as by an expert third-party ensuring a fresh perspective. In relation to the previous question, it is worth noting that comprehensive security leads to compliancy.
Some industry experts state that utilities should conduct risk assessments to identify the areas of concern, what is involved in a risk assessment?
The ultimate goal of a risk assessment is to answer the following question: where should we invest in security? To answers this question, utilities must first identify and prioritise their assets. Next, they need to enumerate all threats to the assets. Finally, they must assess and rank each threat according to the impact and likelihood of the threat. Based on the rankings, a decision can be made as to which risks need to be addressed. This is the classic approach. The hard part, as always, is hidden in the details.
A version of this paper was published in Smart Grids Polska, issue 16. Contact Emil Gurevitch, Networked Energy Services, firstname.lastname@example.org
Tauron Distribution is at the final stage of the AMIplus Smart City Wrocław project. Over 350,000 AMI smart meters were installed between 2014-2017. The present work concentrates on optimizing the meter reading system solution and completing the installation of meters in the southern part of the city.
AMIplus is a smart metering system that enables automatic processing, transmission and management of measurement data. It enables bi-directional communication between the electricity meters and the distribution company while providing the customer with up-to-date information on their electricity consumption.
Tauron Distribution installed AMI smart meters from two manufacturers, NES and Apator, in its distribution network. The meters use power line communications and are compliant with OSGP (Open Smart Grid Protocol).
Measurement data from the AMI meters is available for Tauron Distribution customers on the dedicated Tauron eLicznik platform. The platform is available through Tauron’s website, as well as from mobile devices based on the most popular platforms including iOS, Android, and Windows Mobile.
Tauron Distribution has provided HAN service to Tauron AMIplus customers in the AMIplus Smart City Wrocław project. This enables customers to access measurement data directly from their energy meter in real time. Activation of the service is carried out through the Tauron eLicznik portal.
The solution implemented in Wrocław has made it possible to improve the method of obtaining readings from electricity meters. The readings are obtained as a remote reading, without the need for a field technician. The method of operating the measuring system has also changed. At present, the vast majority of the maintenance work for the measuring system is performed remotely, without the involvement of assembly services.
Additional Project Information
In addition to the 350,000 smart meters, Tauron’s AMIplus Smart City Wroclaw project includes more than 2,400 NES data concentrators along with head-end system software from NES. All transmitted data is encrypted using the AES128 bit standard. The smart meters provide greater than 99.5% daily availability of 15 minute energy profiles for 4 values (active power import/export and reactive power import/export) along with energy billing data and events.
NES urges utility providers to brace for cyberattacks on power grids
Over the last two months, the world has been subject to two major ransomware attacks. The most recent being an attack known as 'Petya', a malicious software that spread through large firms that led to PC's and essential data being locked up and held for ransom. Prior to this incident, the 'Wannacry' ransomware locked data from nearly 230,000 computers used by leading international organizations in at least 150 countries, including the UK’s National Health Service, Russian Ministry of Interiors, and FedEx. These attacks, once again, brought to forefront the significance of cyber security at a time when cyber-crime has evolved into a growth industry with low risks and high returns.
In light of this event, Networked Energy Services Corporation (NES), a global smart grid market leader with the industry’s leading Patagonia Energy Applications Platform (EAP ™), has thrown the spotlight on the critical role of security in Smart Grids. The connected infrastructures in power grids such as intelligent networks, smart meters, and Internet of Things (IoT) solutions have increased the possibility of cyber threats in the energy sector. In line with this, the company has urged the community, individuals, organizations and utility providers alike to be prepared to deal with cyberattacks for national security and economic well-being. Utility providers such as Dubai Electricity and Water Authority and Sharjah Electricity and Water Authority in the UAE are stepping up their efforts to ensure security in their grids from such attacks with the installation of smart meters, which is currently underway across the country in a bid to complete over one million smart meters by 2020.
Michel Madi, CEO – Middle East, Africa and India, Networked Energy Services Corporation, said: “Smart Grids are not just electrical infrastructure but are huge data networks that are critical for the seamless functioning of the various economic sectors of a country. It has now become imperative for key sectors, particularly energy, to ensure the implementation of the latest security solutions to secure Smart Grids and avert risks. The UAE is one of the leading countries in the region on track in safeguarding their services as the country’s smart metering market looks to increase at a rate of 9 per cent over 2016 to 2024 in line with its Energy Plan 2050.” NES offers various important security related recommendations including adopting a systematic approach to assess cyber risks, improving the protection of energy systems, fostering a performance-based cybersecurity culture; framing cybersecurity guidelines; and promoting physical preparedness and resilience.
About Networked Energy Services Corporation (NES)
Networked Energy Services Corporation is a global smart energy leader in the worldwide transformation of the electricity grid into an energy control network, enabling utilities to provide their customers with a more efficient and reliable service, to protect their systems from current and emerging cybersecurity threats, and to offer innovative new services that enable active, intelligence use of energy. NES was formed as a result of the spinoff of Echelon Corporation’s Grid Modernization Division in October 2014. NES is headquartered in the US with R&D centers located in Silicon Valley, North Dakota and Poland, and sales offices throughout the world. NES’ smart grid technology is used in nearly 40 million smart meters and other smart end devices around the world. NES is a member of the OSGP Alliance, a global association of utilities and smart grid companies, which promotes the Open Smart Grid Protocol and cooperates to provide utilities greater value by enabling true, independently-certified, multi-vendor interoperability based upon open international specifications and standards. You can find out more information about NES, its Patagonia Energy Applications PlatformTM (including grid management software, distributed control nodes, and smart meters) and services at: www.networkedenergy.com.