
Security

In document IEC Roadmap Smart Grids (Page 33-36)

4.1 Description of Work

4.2.2 Security

Cyber Security is an important success criterion for a secure, efficient and reliable operation of the Smart Grid. The most important goal of Cyber Security is the protection of all relevant assets in the scope of the Smart Grid from any type of hazards such as deliberate cyber security attacks, inadvertent mistakes, equipment failures, information theft and natural disasters. These hazards predominantly concern the IT and telecommunication infrastructure.

In order to achieve an adequate level of protection, classical security objectives such as confidentiality, integrity, availability, non-repudiation and privacy must be assured by the implementation of security controls. Cyber Security issues are already addressed in the scope of the critical infrastructure protection efforts. As recognized there, any vulnerability could be exploited in order to attack the stability of the underlying systems with a fatal impact on energy supply and reliability. Because of the nature of the Smart Grid as a huge network of interconnected sub-networks and its inherent complexity, the aforementioned risks could quickly be increased. This comes along with a vast number of systems, interfaces, operational modes and policies implemented by the stakeholders involved which leads to more vulnerabilities and a higher probability that these will be exploited. In addition, new functionalities like smart metering introduce stronger requirements for data protection and privacy. The subsequent bullets state the risks more precisely:

• The architecture of the Smart Grid will be complex with a very high number of endpoints, participants, interfaces and communication channels and with different levels of protection in the underlying systems. In general, it is always a challenge and requires effort to achieve an adequate level of protection for such a complex system.

• The introduction of Smart Metering systems and processes will increase the number of endpoints dramatically and will move them to private households. Physical security is hard to achieve in these scenarios and time and motivation to penetrate the systems are in plentiful supply.

• Many components of the Smart Grid can be characterized as legacy where security has never been an important requirement.

• The majority of network connections and communications paths in the scope of the Smart Grid will be based on Internet technologies / IP networks. This infrastructure comes along with high flexibility and many existing systems but also introduces a higher vulnerability because of the malware (e.g. worms, viruses) which already exists in this ecosystem and the potential risk of this spreading quickly, which could have fatal consequences.

• A higher number of attack scenarios based on very different objectives, ranging from industrial espionage and terrorism to privacy breaches, can be anticipated.

4.2.2.2 Requirements

Based on the main objective, the mitigation of risks in order to achieve a stable and secure operation of the Smart Grid, Cyber Security requirements will be derived as a result of risk assessments and general architectural decisions. In order to achieve this in a comprehensive and granular manner, security objectives based on the classical security goals (confidentiality, integrity, availability, non-repudiation, and privacy) are a precondition.

Cyber Security requirements for the Smart Grid do already partly exist in the different domains and specific applications. New requirements will evolve as those applications move forward to address Cyber Security as an important driver. In addition, the characteristic of the Smart Grid as a network of many inter-connected networks and applications will produce new and more common system-spanning Cyber Security requirements.

The initial requirement management activities can be based on well-defined requirement analysis and risk management processes. As a technical precondition, a detailed architecture and description of the Smart Grid needs to be elaborated. This architecture should reflect the specific applications and underlying domains as well as their relationship and interaction.

Based on the documented architecture of the Smart Grid, essential use cases relevant for Cyber Security can be developed. Both artefacts, the architecture and the essential use cases, are bases for the risk assessments that need to be conducted. The outcome of the risk assessment and risk management process will lead to a comprehensive security architecture which comprises all security controls.

In a final step, more granular Cyber Security requirements based on measurements and processes can be derived. It is important to consider the impact of existing systems and interfaces that are already part of the Smart Grid. This constraint will affect the process of the definition of Cyber Security requirements at any time.

Furthermore, change and growth are significant characteristics of the Smart Grid. This makes a continuous cycle of risk assessments and subsequent adjustments of implemented security controls necessary. Finally, the high increase in IT and telecommunication technologies and systems might create new requirements in the scope of power systems that already exist in these domains and which are covered by standards and recommendations. The broad utilization of wireless technologies is a perfect example to illustrate this.

4.2.2.3 Existing Standards

Cyber Security requirements already exist for specific applications and domains. They differ in granularity and scope, ranging from process-oriented to technical standards. Some standards address the operator, while others contain very detailed implementation requirements.

The subsequent bullets list relevant documents:

• IEC 62351-1 to 6, Power systems management and associated information exchange - Data and communications security (Content: security for protocols, network and system management, role-based access control; NWIPs are in planning)

• NERC CIP-002 and CIP-003 to CIP-009 (Content: The North American Electric Reliability Corporation (NERC) has issued the Critical Infrastructure Protection (CIP) Cyber Security Standards to protect electrical systems. The CIP Cyber Security Standards are mandatory and enforceable across all users, owners and operators of the bulk-power system. CIP-002 specifies the means by which critical cyber assets are identified. CIP-003 through CIP-009 cover security management controls, personnel and training, electronic security perimeters, physical security of cyber assets, systems security management, incident handling and recovery planning.)

• IEEE 1686-2007, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities, Institute of Electrical and Electronics Engineers (Content: Specifies functionality of intelligent electronic devices in order to address critical infrastructure protection programmes)

• ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements

• ANSI/ISA-99, Security for Industrial Automation and Control Systems (Content: Covers the process for establishing an industrial automation and control systems security programme based on risk analysis, establishing awareness and countermeasures, and monitoring and Cyber Security management systems)

• NIST Special Publication 800-82 (Content: Guide to Industrial Control Systems (ICS) Security; Current status is draft)

4.2.2.4 Gaps

Missing standards and recommendations will be identified as a result of the risk assessment and the Cyber Security requirements which stem from that. There is a high probability that existing standards are not sufficient to cover the complex architecture and the manifold use cases of the Smart Grid. Not all protocols have a "security" extension. As an example, IEEE 1588 has no security mechanism at all while being crucial for protection applications.

In addition to domain- and application-specific standards, common and application-spanning aspects need to be addressed.

This is especially true for the requirements covering the aspects of end-to-end security.

Furthermore, technical requirements will not be sufficient to address the complexity of the Smart Grid, especially towards growth and change. Operational aspects such as policies and training as well as an ongoing cycle of risk assessments need to be developed and introduced.

4.2.2.5 Recommendation

In order to capture the complexity of the Smart Grid, an Overall Security Architecture needs to be addressed by standardization efforts. It should contain the following aspects, either as integral parts or as references to separate standards.

Recommendation G-S-1

A specification of a dedicated set of security controls (e.g. perimeter security, access control) to protect the Smart Grid needs to be comprehensively developed. As an example, a specification of granular access controls for the discrete boundaries derived from compartmentalization needs to be determined.

Recommendation G-S-2

A compartmentalization of Smart Grid applications (domains) based on clear network segmentation and functional zones needs to be developed.

Recommendation G-S-3

A specification comprising identity establishment (based on trust levels) and identity management in the Smart Grid as a large network connecting a high number of entities and end points needs to be developed. It should cover the aspect of credential management (distribution, validation, revocation) as an essential part.

Recommendation G-S-4

Moreover, existing standards must be reviewed, adapted and enhanced to support general and ubiquitous security across wired and wireless connections.

Recommendation G-S-5

IEC 62443 should confirm the standards architecture and the implementation methods, harmonize the constitution of standards with ISA and other organizations, speed up the standardization process, and be compatible with the contents of the Smart Grid. The goal is to realize the unification and standardization of any industrial control systems.

Recommendation G-S-6

Security of the legacy components in the Smart Grid was not fully considered in the initial design, thus the security performance was poor and difficult to upgrade. Standardization of the physical protection and network protection should be enhanced for these legacy components.

4.2.3 Planning for the Smart Grid
