
D6.2.4.: Information security architectures and requirements supporting Smart Grid

D6.2.4: Information security requirements supporting Smart Grid

Revision History

Edition / Date / Status / Editor
1st / 3.6.2011 / TOC, contents and brief introduction / P. Ahonen
2nd / 6.6.2011 / Small changes to the TOC / H. Jormakka
3rd / 31.8.2011 / Use case text, plus small notes added after discussion with Henryka / P. Ahonen
4th / 20.2.2012 / Restructured doc, text from Henryka and some table from Pasi / H. Jormakka, P. Ahonen
5th / 21.02.2012 / Some requirements added to the tables, + minor corrections / H. Jormakka, P. Ahonen
6th / 27.02.2012 / Finalization / H. Jormakka, P. Ahonen

Abstract



Table of Contents

Revision History
Abstract
Table of Contents
1 Introduction
2 Main smart grid system objectives
2.1 Main system objectives
2.2 Information security objectives
3 About risks and threats for smart grids
4 Information security requirements for smart grids
4.1 About capturing information security requirements
4.2 Generic information security requirements for smart grids
4.3 Domain specific information security requirements
4.4 Operations based security requirement analysis
4.4.1 Distribution Grid Management
4.4.2 Customer Energy Management
5 Conclusions
6 References
Appendix A: List of Abbreviations

1  Introduction

The energy sector has reached a point of major change that will reshape the whole industry and last for many years. Among the main drivers are the distribution of energy generation due to the increasing share of electricity from renewable sources, demand for electric cars due to rising gasoline prices, and pressure from decision makers to make the energy market more competitive and to offer incentives to customers. This means that the current grid has to evolve into a distributed, highly dynamic system supporting the growing demands of society. These changes, however, bring big new challenges, which from the security point of view are mainly due to the following reasons:

·  A large number of new technology solutions have been offered to operators, who struggle with the complexity of procurement

·  The dependability and resilience properties of information security solutions are uncertain with respect to the needs of smart grids

·  There is a need to communicate via vulnerable networks that are managed by others, and via vulnerable protocols and gateways in the control connection to distributed resources on consumer premises

·  Smart grids incorporate smart metering and load management, which could disclose user behaviour patterns; therefore privacy and trust are also becoming essential

·  The possibilities to control physical access to distributed resources are limited

·  Secure data communication between new and legacy systems may be challenging, and security solutions may be proprietary

·  Current information security solutions supporting smart grids have vulnerabilities of their own

This paper discusses the requirements of the emerging smart grids from the security point of view. Chapter 2 starts with a brief description of the generic objectives of the ICT system controlling and monitoring smart grids, such as availability, scalability and interoperability, and continues with the objectives of system security.

Chapter 3 focuses on the system's security vulnerabilities and threats that lead to the numerous requirements imposed on the system. The requirements are presented in chapter 4, which, after a discussion of generic ICT system requirements, concentrates on a detailed review of domain-specific requirements in two main domains: energy distribution network management and customer energy management.

The main goal of the paper is to present detailed requirements related to the security of the ICT system controlling and monitoring the energy distribution network and the customer management operations of the smart grid. These requirements need to be addressed when designing the security features of the smart grid's ICT architecture, which will be designed at a later stage of the project.

2  Main smart grid system objectives

The energy networks controlled by ICT systems cover very wide areas. Therefore the ICT applications require high availability of communication, specified maximum latencies and data security. They are sensitive to packet loss and denial of communication service: lost, delayed or modified measurement, alarm and control signals can have expensive consequences. Additionally, it is important to remember that critical communication needs and problems in electricity and telecommunication networks tend to be correlated; a power system outage often reduces communication capacity and increases both critical and non-critical communication load.

In the following subsections the main SG objectives from the ICT point of view, as well as the reasoning for the importance of security, are briefly discussed.

2.1  Main system objectives

As the communication network will be responsible for monitoring and controlling all of the energy network's nodes, as well as for collecting large amounts of sensitive data and acting upon the received data, many strict requirements apply to the network. The most important requirements related to the operation of the network are:

·  Reliability and availability

Reliability and availability of IT operations are among the most important requirements, as human safety and the protection of system processes may depend on them. Power system resilience to events that can lead to outages has been the primary focus of power system engineering and operations. Availability requirements between different system entities vary and may even depend on the application between the same entities. An example is SCADA-substation communication: for switching or critical monitoring operations the requirement is high, for less crucial device monitoring it is lower. In general, it is assumed that the availability of system-critical components should be over 99.9% (SCADA systems must have approximately 99.98% availability with 24 x 7 monitoring). For non-critical components the availability is assumed to be 99.5% or higher. For energy boxes, unavailability of up to one hour per month is accepted; for more critical communication 1-10 minutes per month is the maximum (99.98% over a 30-day month corresponds to about 8.6 minutes of downtime, consistent with this figure).

·  Interoperability

SG, like any distributed, integrated system, requires different layers of interoperability, from basic connectivity up to compatible processes in business transactions. Standard solutions supported by conformance testing and a certification policy are critical for providing interoperability.

·  Scalability

The high and potentially growing number of SG communication nodes requires that the system is able to support and handle an increasing number of access connections without compromising the requirements on investment and maintenance costs, performance, reliability, security etc., so that the system's operational capacity can easily be increased and the corresponding software and hardware upgraded.

·  Performance

Among the main requirements in the system performance category are limits for bandwidth, data rate, delay and jitter. For bandwidth, for instance, the requirements vary depending on the link: end-to-end bandwidth from the Aggregator/DSO or metering company to the Energy Box/meter over the private network is expected to be no less than 2.4-3.6 kbps. In this case the range is set by the narrowest bandwidth among the technologies crossed (i.e. PLC over the LV network).

The solution must be designed to guarantee a minimum bandwidth for the customer and to reserve a strict-priority bandwidth for the telecontrol function.

The situation is similar for latency and jitter. Acceptable values for the telecontrol function are 600 ms (latency) and 120 ms (jitter) over mobile access, and 100 ms and 20 ms respectively over fixed access (e.g. ADSL).

·  QoS

Every network (or network part) should be able to manage differentiated services through the management of priority levels. Instead of DiffServ, e.g. MPLS label-switched paths can be used. A Service Level Agreement (SLA) between operators is necessary. The SLAs should specify the QoS attributes that characterize each class, such as delay, bandwidth, packet loss and jitter, and should define the conditions under which the specified QoS levels must be met. Priority markings should be trusted only from the operator's own equipment: DSCP values arriving from customer premises or from another operator's network should be re-marked at the boundary, otherwise any device on the customer side can claim the telecontrol priority class and starve it.

Additionally, relevant applications may be implemented using priority-aware libraries. In the case of alarms, e.g. from power inverters, the corresponding asynchronous messages must be transported very quickly to the controller, as an alarm normally indicates an imminent loss of energy production. To further guarantee the stability of the smart grid, this information must therefore be transported with the highest priority or via reserved communication channels.
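The availability, latency and jitter figures in the objectives above can be turned into a measurable check. The following is an added example (not part of this deliverable): it converts an availability target into a monthly downtime budget, and evaluates measured one-way delays of telecontrol messages against the 600/120 ms (mobile) and 100/20 ms (fixed) limits. The 30-day month, the 95th percentile as the latency statistic, the mean absolute variation between consecutive samples as the jitter statistic, and the delay samples are all assumptions made for illustration.

```python
"""SLA conformance checks for smart grid communication links.

Added example, not part of the deliverable. Assumptions: a 30-day month
for the downtime budget, the 95th percentile as the latency statistic,
mean absolute variation between consecutive samples as the jitter
statistic. All delay samples below are constructed.
"""
import math
from dataclasses import dataclass
from statistics import mean

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day month

# Telecontrol limits quoted in the deliverable: (latency ms, jitter ms).
TELECONTROL_LIMITS_MS = {
    "mobile": (600.0, 120.0),
    "fixed": (100.0, 20.0),
}


def max_downtime_minutes_per_month(availability_pct: float) -> float:
    """Downtime budget per month implied by an availability target."""
    return MINUTES_PER_MONTH * (100.0 - availability_pct) / 100.0


def meets_downtime_budget(availability_pct: float, budget_minutes: float) -> bool:
    """True if the availability target keeps monthly downtime within budget."""
    return max_downtime_minutes_per_month(availability_pct) <= budget_minutes


def percentile(values, pct: float) -> float:
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return float(ordered[rank - 1])


def delay_variation_ms(delays_ms) -> float:
    """Jitter estimate: mean absolute variation between consecutive delays."""
    if len(delays_ms) < 2:
        return 0.0
    return mean(abs(b - a) for a, b in zip(delays_ms, delays_ms[1:]))


@dataclass
class SlaResult:
    access: str
    p95_latency_ms: float
    jitter_measured_ms: float
    latency_ok: bool
    jitter_ok: bool

    @property
    def conformant(self) -> bool:
        return self.latency_ok and self.jitter_ok


def check_telecontrol_sla(access: str, delays_ms) -> SlaResult:
    """Check measured one-way delays (ms) against the telecontrol limits."""
    lat_limit, jit_limit = TELECONTROL_LIMITS_MS[access]
    p95 = percentile(delays_ms, 95)
    jit = delay_variation_ms(delays_ms)
    return SlaResult(access, p95, jit, p95 <= lat_limit, jit <= jit_limit)


# Constructed one-way delay samples (ms) for two telecontrol links.
FIXED_LINK_SAMPLES = [42, 45, 41, 48, 44, 43, 47, 46, 42, 45]
MOBILE_LINK_SAMPLES = [210, 480, 190, 560, 230, 590, 205, 470, 220, 550]

if __name__ == "__main__":
    for target, budget in ((99.98, 10), (99.9, 10), (99.5, 60)):
        print(f"{target}% -> {max_downtime_minutes_per_month(target):.1f} min/month,"
              f" within {budget} min budget: {meets_downtime_budget(target, budget)}")
    for access, samples in (("fixed", FIXED_LINK_SAMPLES), ("mobile", MOBILE_LINK_SAMPLES)):
        print(check_telecontrol_sla(access, samples))
```

Running the script shows that 99.98% corresponds to about 8.6 minutes per month, inside the 1-10 minute figure quoted for critical communication, whereas 99.5% allows 3.6 hours, so the one-hour-per-month limit for energy boxes is the stricter of the two requirements. The constructed mobile samples pass the latency limit but fail the jitter limit, which is why an SLA has to specify both attributes rather than latency alone.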

·  Management (network, information, …)

The devices of the system shall support a network management system (NMS), e.g. SNMP with MIBs for network information management. The management system should provide visualization of the status of all network elements for an easy overview of the whole network. The network management system should support remote configuration of the equipment, and remote reset of the devices should be available. Since remote configuration and reset are themselves attack vectors, management access should use SNMPv3 with authentication and privacy (SNMPv1 and SNMPv2c carry their community strings in plaintext), be restricted to a dedicated management network, and be logged.

Handling (processing, analysing, semantically classifying and accessing) large volumes of data that partially have to be stored for later use (e.g. billing, planning, historical analysis, regulation) requires that the data be kept consistent and synchronized with other systems within seconds.

2.2  Information security objectives

Geographically distributed energy utilities have for many years been using industrial automation and control systems that were isolated (or designed and believed to be isolated) from administrative company networks and public networks, because of heterogeneous proprietary networks and security concerns. With emerging smart grids the situation is changing. Information important for the management and business operations of providers, distributors, traders and other participants is produced by the operational parts of the energy generation, transmission and distribution infrastructures. Due to increasing complexity and integration, as well as the need to improve the effectiveness of business and production in a highly competitive environment where fast communication and data exchange are crucial, the use of communication networks, open technologies and protocols in control systems for critical infrastructures is increasing. Low-cost Internet Protocol (IP) based devices such as routers, hubs and switches are replacing proprietary solutions, making the control systems analogous to information networks and blurring the formerly separate domains of business operations and infrastructure control. While attractive from the performance, operational and business points of view, these changes bring high safety and security risks.

While security solutions have been designed for the security issues of traditional IT systems, they have to be carefully adapted to the demands of an ICS environment. In spite of many common features and similarities, ICS differ from typical Internet-based information processing systems, including in their threats and priorities. In IT systems data confidentiality and integrity are the main requirements. In control systems it is human safety, followed by protection of the system processes to save the environment from harm and prevent financial losses, so system availability and integrity are the core priorities. ICS also have different performance and reliability requirements than IT systems; their response to human and emergency interaction is critical. Furthermore, the goal of efficiency may sometimes conflict with security in the design and operation of ICS. For that reason, and taking into account that many old proprietary control systems (still operating) offer no security, it is important to re-evaluate the ICS security architecture in order to mitigate the possibilities of electronic attacks. Finally, it has to be remembered that the life cycle of control system equipment varies from 5 to 15 years or more, while for IT systems it is 2 to 3 years.

It is today possible to securely operate an inherently insecure system by encapsulating it in a security architecture that uses layers of externally arranged electronic and procedural measures to ensure that the probability of compromise of the core control systems remains small. Electronic access can be protected by multiple levels of firewalls and intrusion detection systems, with data transfer architectures that transport externally relevant data from the inside to the outside while blocking requests that originate on the outside. Communication protocols can be secured using virtual private networks and associated authentication/authorization mechanisms at the network tunnel endpoints; note that a VPN protects the tunnel, not the endpoints, so a compromised host holding VPN credentials reaches the control network with the same rights as a legitimate one, and tunnel access should therefore be limited to the specific hosts and protocols needed. Non-existent access controls at the console of the control system can be addressed e.g. by introducing operational policies and procedures, potentially technically supported, that ensure that only authorized persons have physical access to the control system.
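As an added example (not part of the deliverable and not the code of any particular product), the direction policy described above can be written down and tested before it is deployed on real firewalls. The zone names, host names and port numbers (5432 for historian replication into the DMZ, 443 for business reporting from the DMZ) are assumptions for illustration. The rule set lets the control network push data to the DMZ and business systems read from the DMZ, passes replies only for flows the policy admitted, and checks that no zone can open a connection into the control network; a second rule set with one extra inbound rule shows the check catching the mistake.

```python
"""Zone policy check for a control network perimeter.

Added example, not part of the deliverable. Models the data transfer
architecture described in the text: the control network pushes data
outward to a DMZ, business systems read it from the DMZ, and no
connection that originates outside the control network is admitted
into it. Zone names, host names and ports are assumptions.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

ZONES = ("control", "dmz", "corporate", "internet")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "accept" or "drop"


# Ordered rule set, first match wins, anything unmatched is dropped.
# Assumed ports: 5432 historian replication, 443 business reporting.
POLICY = [
    Rule("control", "dmz", 5432, "accept"),      # inside -> out: data export
    Rule("corporate", "dmz", 443, "accept"),     # business reads exported data
    Rule("dmz", "control", None, "drop"),        # DMZ may never initiate inward
    Rule("corporate", "control", None, "drop"),  # business may never initiate inward
    Rule("internet", "control", None, "drop"),
]

# A mistaken variant: an "administrative convenience" SSH rule placed
# ahead of the drop rules opens a path into the control network.
LEAKY_POLICY = [Rule("corporate", "control", 22, "accept")] + POLICY


def evaluate(src_zone: str, dst_zone: str, dst_port: int, policy=POLICY) -> str:
    """Decision for a new connection attempt (default deny)."""
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "drop"


def inbound_paths_to(zone: str, ports, policy=POLICY):
    """All (source zone, port) pairs that may open a connection into `zone`.
    An empty list means no outside-originated request reaches it."""
    return [(src, port) for src, port in product(ZONES, ports)
            if src != zone and evaluate(src, zone, port, policy) == "accept"]


class StatefulGateway:
    """Connection tracking: replies are passed only for flows that the
    policy admitted, so the responder side cannot open flows of its own."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.flows = set()  # (initiator zone, initiator host, responder zone, port)

    def new_connection(self, src_zone, src_host, dst_zone, dst_port) -> str:
        action = evaluate(src_zone, dst_zone, dst_port, self.policy)
        if action == "accept":
            self.flows.add((src_zone, src_host, dst_zone, dst_port))
        return action

    def reply(self, src_zone, src_port, dst_zone, dst_host) -> str:
        """Packet from the responder back to the initiator of a tracked flow."""
        if (dst_zone, dst_host, src_zone, src_port) in self.flows:
            return "accept"
        return "drop"


if __name__ == "__main__":
    gw = StatefulGateway()
    print(gw.new_connection("control", "historian-primary", "dmz", 5432))
    print(gw.reply("dmz", 5432, "control", "historian-primary"))
    print(gw.new_connection("dmz", "historian-replica", "control", 5432))
    ports = (22, 443, 502, 2404, 5432)
    print(inbound_paths_to("control", ports))
    print(inbound_paths_to("control", ports, LEAKY_POLICY))
```

The model documents the intended policy; the same "no inbound paths to control" property should then be asserted against the exported configuration of the real firewalls, since that is where mistakes like the extra SSH rule actually appear.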

Adding to the complexity of the situation, IT cyber security and control system expertise is typically not found within the same group of personnel. Therefore control engineers, ICS operators and IT security professionals need to cooperate closely. At the same time, energy control systems are high-profile targets for organized crime, foreign intelligence and terrorists; these are not teenage internet hackers but well-equipped, trained and motivated groups of computer and control system experts. For attackers the best targets are the control centres. External attacks on them are usually launched via the administrative units, which are secured only to support general business processes, not safety-critical systems. Once an attacker gains access to the control network, he can monitor the communication between the SCADA workstations and field device controllers and then manipulate the control system processes and functions. Alternatively, an attack may be started from a SCADA field site, where the field devices are locked in unmanned remote cabinets. The physical security level of these devices is often low, due to the cost of the large number of sites and the belief that a single device cannot cause substantial damage. However, a known attack vector using the remote device's network (see [Holstein]) showed that this belief is not based on facts.

To provide security for the smart grid it is important to develop high-level smart grid security requirements and to evaluate existing tools for assessing risks to smart grid components during design, implementation, operation and maintenance. The security measures defined during that process should cover prevention and detection of attacks, response to ongoing attacks, and system recovery in case the protection measures were not sufficient.

Finally, it has to be remembered that a single security product or technology cannot protect an energy network control system; a multi-layer strategy involving two or more different, overlapping security mechanisms (defence-in-depth) is the advised requirement. The objective is to mitigate the risk so that if one component of the defence is compromised or circumvented, the result will not be a cascading set of failures.

3  About risks and threats for smart grids

The smart grid requires the development of an extensive ICT infrastructure that supports situational awareness and allows command and control operations. Some of the system's challenges and threats will be similar to those of traditional networks, although involving more complex interactions. The main threats include the following: