Cyber Security for the Smart Grid: An R&D Perspective
Manimaran Govindarasu
Dept. of Electrical and Computer Engineering
Iowa State University
Email:
http://powercyber.ece.iastate.edu
NATO Advanced Institute on Energy Security
Antalya, Turkey, October 4-11, 2015
Outline
• Basics of cyber security concepts
• Cyber Security of WAMPAC - overview
• Cyber Risk Assessment - overview
• Cyber Security Testbeds - overview
• Cyber Security Standards & Best practices
• AMI Security & Privacy
Smart Grid: A Cyber-Physical System
Cyber Threats to Critical Infrastructures
Cyber-Based Attacks:
• Protocol Attacks
• Intrusions
• Worms / Spyware / Malware
• Routing Attacks
• Denial of Service (DoS)
• Insider Threats
[General Accounting Office, CIP Reports, 2004 to 2010]; [NSA “Perfect Citizen”, 2010]:
Recognizes that critical infrastructures are vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders.
Power Grid Cyber Security Roadblocks
• Legacy systems
• Geographically dispersed
• Insecure remote connections
• Long system deployments
• Limited physical protections
• Adoption of standardized technologies with known vulnerabilities
• Connectivity of control systems to other networks
• No “fail-closed” security mechanisms
Securing systems is difficult …
• Open and interoperable protocols
• Security vs. performance tradeoff
• Security vs. usability tradeoff
• Security is expensive
• Attackers enjoy breaking into a system
• Security has not been a design criterion
1.3 Information & Network Security concepts
Security Properties
• Confidentiality:
  – Message content should be accessed by authorized users only
  – Achieved by using encryption
• Integrity:
  – Making sure that the message was not altered (in transit, or later) without detection
  – Achieved by using hashing
• Availability:
  – Services must be accessible and available to authorized users
• Authentication:
  – Sender and receiver want to confirm each other's identity
  – Achieved by using digital signatures
• Non-Repudiation:
  – The actual sender cannot claim that they did not send the message
Security Properties (in order of priority)
Traditional IT Systems      Industrial Control Systems
1. Confidentiality          1. Availability/Integrity
2. Integrity                2. Integrity/Availability
3. Availability             3. Confidentiality
Power Grid Applications – Sample Cyber Security Requirements
Priorities (I = Integrity, A = Availability, AT = Authentication, C = Confidentiality, N = Non-Repudiation, per the security properties above):
Application     Information & Infrastructure Security   Application Security
AMI             I, AT, C                                I, N
DMS             I, A, AT                                I, AT
EMS             I, A, AT                                I, AT
WAMPAC          I, A, AT, C                             I, A
Power Markets   I, A, AT, C                             I, N
Network Security – Firewalls
Source: Guidelines on Firewalls and Firewall Policy, NIST Special Publication 800-41, September 2009.
Firewalls control flows of network traffic between networks or hosts based on security policies.
• Create firewall policies that specify how firewalls should handle inbound and outbound network traffic.
• Identify all requirements that should be considered when determining which firewall to implement.
• Create rule sets that implement the organization’s firewall policy while supporting firewall performance.
• Manage firewall architecture, policies, software, and other components throughout the life of the firewall solutions.
Network Security – Firewall Technologies
• Packet Filtering
• Stateful Inspection
• Application Firewalls
• Application-Proxy Gateways
• Dedicated Proxy Servers
• Virtual Private Networking
• Network Access Control
• Unified Threat Management
• Web Application Firewalls
• Firewalls for Virtual Infrastructures
• Policies based on IP Addresses and Protocols
  – IP addresses and IP characteristics
  – IPv6
  – TCP and UDP
  – ICMP
  – IPsec protocols
• Policies based on Applications
• Policies based on User Identity
• Policies based on Network Activity
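The rule-set guidance above, worked through as an added example (not from the slides or from NIST SP 800-41): a first-match packet filter for a substation Electronic Security Perimeter that permits only DNP3 and Modbus/TCP polling from the control center and denies every other new connection by default. The address ranges, rules and sample flows are constructed assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action direction proto src dst dport")
Flow = namedtuple("Flow", "direction proto src dst dport")

# Constructed address plan (assumption): the ESP holds the substation devices.
CONTROL_CENTER = ipaddress.ip_network("10.10.0.0/24")   # EMS / SCADA master hosts
SUBSTATION = ipaddress.ip_network("10.20.0.0/24")       # RTUs and IEDs inside the ESP
CORPORATE = ipaddress.ip_network("10.100.0.0/16")       # business network

# First-match rule set. Direction is relative to the substation ESP ("in" = towards
# the substation, "out" = leaving it). This stateless filter only decides new
# connection attempts; return traffic of an accepted session would be handled by
# stateful inspection in a real deployment.
RULES = [
    Rule("allow", "in", "tcp", CONTROL_CENTER, SUBSTATION, 20000),  # DNP3 polling from the SCADA master
    Rule("allow", "in", "tcp", CONTROL_CENTER, SUBSTATION, 502),    # Modbus/TCP polling
    Rule("allow", "out", "icmp", SUBSTATION, CONTROL_CENTER, None), # reachability checks back to EMS
    # Explicit denies are redundant with the default deny, but they document the
    # policy decision and give these hits their own log entries.
    Rule("deny", "in", "any", CORPORATE, SUBSTATION, None),
    Rule("deny", "out", "any", SUBSTATION, CORPORATE, None),
]


def matches(rule, flow):
    """True if every field of the rule covers the flow (dport None = any port)."""
    return (rule.direction == flow.direction
            and rule.proto in ("any", flow.proto)
            and ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def decide(flow, rules=RULES):
    """Return (action, rule_index); unmatched flows are denied by default (index None)."""
    for i, rule in enumerate(rules):
        if matches(rule, flow):
            return rule.action, i
    return "deny", None


# Constructed traffic sample: one legitimate poll, one out-of-policy service (SSH to an
# RTU), one corporate host reaching into the ESP, one outbound attempt from an RTU,
# and one permitted ICMP check.
SAMPLE_FLOWS = [
    Flow("in", "tcp", "10.10.0.5", "10.20.0.17", 20000),
    Flow("in", "tcp", "10.10.0.5", "10.20.0.17", 22),
    Flow("in", "tcp", "10.100.3.9", "10.20.0.17", 502),
    Flow("out", "tcp", "10.20.0.17", "10.100.3.9", 443),
    Flow("out", "icmp", "10.20.0.17", "10.10.0.5", None),
]


def audit(flows=SAMPLE_FLOWS, rules=RULES):
    """Decide every flow; default-denied entries (index None) are the ones to review in the logs."""
    return [decide(f, rules) for f in flows]
```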
Network Security – IDS
Source: Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94, February 2007.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents.
Intrusion prevention is the process for performing intrusion detection and attempting to stop detected possible incidents.
Types of Intrusion Detection and Prevention Systems
• Network-Based – monitors network traffic for suspicious activity
• Wireless – monitors wireless network traffic for suspicious activity
• Network Behavior Analysis – examines traffic to identify threats that generate unusual traffic flows, e.g. DDoS attacks, malware, policy violations
• Host-Based – monitors the characteristics of a single host and the events occurring on it for suspicious activity
• Signature-Based Detection
• Anomaly-Based Detection
• Stateful Protocol Analysis
Network Security – WLAN Security
WLANs are extensions to wired LANs based on the IEEE 802.11 standard.
The fundamental architecture of a WLAN consists of Access Points (AP), client devices, and Distribution Systems (DS) that connect to wired LANs.
Source: Guidelines for Securing Wireless Local Area Networks (WLANs), NIST Special Publication 800-153, February 2012.
Steps to minimize risk:
1. Password policies & management
2. Encrypt data using standards like WPA2
3. Restrict access using security controls
   a. MAC address filtering
   b. Disable appropriate network interfaces, bridging traffic
4. Configure host-based network security tools like firewalls, IDS
Smart Security = Info + Infra + System
Information Security
  NEEDS – Information Protection: Message Confidentiality, Message Integrity, Message Authenticity
  MEANS – Encryption/Decryption, Digital signature, Message Auth. Codes, Public Key Infrastructure
Infrastructure Security
  NEEDS – Infrastructure protection: Routers, DNS servers, Links, Internet protocols
  MEANS – Traffic Monitoring, Statistical analysis, Authentication Protocols, Secure Protocols, Secure Servers
Control Systems Security
  NEEDS – Service availability: Generation control apps., Transmission control apps., Distribution control apps., Real-Time Energy Markets
  MEANS – Attack-Resilient Control Algos; Model-based Algorithms (Anomaly detection, Intrusion Tolerance, Bad data elimination); Risk modeling and mitigation
Summary
• SCADA and automation concepts
• Cyber Threat landscape, Coordinated attacks on WAMPAC, and consequences
• Information security concepts – Symmetric and asymmetric key cryptography, digital signatures
• Network security concepts – Firewalls, IDS, WLAN
Control Systems Attack Model
Yu-Hu. Huang, Alvaro A. Cardenas, S. Amin, S-Z. Lin, H-Y. Tsai, and S. Sastry, “Understanding the Physical and Economic Consequences of Attacks on Control Systems,” International Journal of Critical Infrastructure Protection, 2(3):72-83, October 2009.
Types of Attacks
• Data integrity
• Replay
• Denial of service
• De-synchronization and timing-based
[Figure: Generic Control System Model – Cyber System and Physical System exchanging Control Signal and Sensing Signal; Integrity Attack and DoS Attack shown on the signals]
Cyber attack classification
• Denial of Service attacks / Timing attacks
  – e.g. flood communication network and affect command information flow
• Data integrity attacks – Attacks on measurements or controls
  – e.g., block instead of trip, VAR increase instead of decrease
• Attacks coordinated in space, and/or time
  – e.g. attack on SPS of major transmission line followed by attack on sub-transmission and distribution feeders
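As an added example (not part of the presentation), the receiver-side checks a measurement consumer can apply to tell apart the attack classes listed above: an HMAC for data integrity, a sequence number against replay, and a GPS-timestamp freshness window against delayed or de-synchronized (timing) frames. The frame layout, the pre-shared key and the thresholds are assumptions for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # pre-shared MAC key between PMU and PDC (assumption)
MAX_DELAY_S = 0.5               # freshness window for a 30-120 samples/s stream (assumption)


def build_frame(seq, t_gps, v_mag, v_angle, key=KEY):
    """Sender side: measurement + sequence number + GPS timestamp, tagged with HMAC-SHA256."""
    body = {"seq": seq, "t": t_gps, "v": v_mag, "ang": v_angle}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Keeps the last accepted sequence number and rejects bad frames with a reason."""

    def __init__(self, key=KEY, max_delay=MAX_DELAY_S):
        self.key = key
        self.max_delay = max_delay
        self.last_seq = -1

    def check(self, frame, now):
        expected = hmac.new(self.key, frame["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, frame["tag"]):
            return "reject: integrity"      # payload altered without the key
        body = json.loads(frame["payload"])
        if body["seq"] <= self.last_seq:
            return "reject: replay"         # an old frame resent
        if abs(now - body["t"]) > self.max_delay:
            return "reject: timing"         # delayed or clock-desynchronized frame
        self.last_seq = body["seq"]
        return "accept"


def demo():
    """Constructed frame sequence covering each attack class; returns the receiver's verdicts."""
    rx = Receiver()
    good = build_frame(1, 100.00, 1.02, -12.5)
    results = [rx.check(good, now=100.01)]
    # Integrity attack: the voltage magnitude is changed in transit, the tag is not recomputed.
    tampered = dict(good)
    tampered["payload"] = good["payload"].replace(b"1.02", b"0.80")
    results.append(rx.check(tampered, now=100.02))
    # Replay attack: the valid first frame is delivered again.
    results.append(rx.check(good, now=100.05))
    # Timing attack: a validly tagged frame arrives about 2 s late.
    late = build_frame(2, 100.03, 1.02, -12.5)
    results.append(rx.check(late, now=102.1))
    # Normal next frame is still accepted.
    results.append(rx.check(build_frame(3, 102.1, 1.01, -12.4), now=102.12))
    return results
```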
Beyond IT Security – Why?
Legacy Infrastructure
• Limited encryption capabilities
• Poor patch management
• Software bugs
• Security not a design criterion
• Encrypted comm. can also be tampered with
Evolving Vulnerability and Threat landscape
• Replay attacks
• Denial Of Service attacks
• Timing attacks
• E.g., Heartbleed bug
• Secure system today, vulnerable system tomorrow
Why application security
• Information and infrastructure security secure the entry points
• Application security identifies anomalies in data when IT and infrastructure security fails
WAMPAC Applications
• Monitoring: State Estimation (SE) – Situational Awareness
• Control: Automatic Generation Control (AGC) – Generation/Load balance
• Protection: Remedial Action Schemes (RAS) – Prevent system instability
All fed by Wide-Area Measurements (SCADA and PMU network)
Cyber physical security of WAMPAC
R&D Methodology
1. Vulnerability Assessment
2. Attack classification
3. Attack Impact metrics
4. Impact analysis
5. Mitigation development
6. Experimental validation
Research areas: Attack model, Attack vectors, Impact Analysis, Attack Mitigation, Attack/Defense Evaluation
Synchrophasors
• Phasors – Magnitude, Angle
• Synchrophasors – Common measurement time-stamp using GPS
SCADA vs. PMU data
• SCADA data:
  – Voltage & Current: Magnitudes
  – Data rate: Every 2-4 seconds (per sample)
• PMU data:
  – Voltage & Current: Magnitudes, Phase angles
  – Frequency
  – Rate of change of frequency
  – Time synchronized (using GPS Satellite)
  – Data rate: 30-120 samples per second
PMU deployment worldwide (2009)
Source: Chakrabarti, Kyriakides, Bi, Cai and Terzija, “Measurements Get Together,” IEEE Power & Energy magazine, Jan/Feb 2009.
Risk Assessment and Risk Management Process
Risk Assessment & Mitigation
Risk = Threat x Vulnerability x Impacts
Hierarchical Risk Modeling levels: System Vulnerability, Scenario Vulnerability, Access Point Vulnerability
Risk Management Process: Real-Time Monitoring, Threat & Vulnerability Analysis, Impact Analysis, Defense measures (prioritized from high risk to low risk)
Hierarchical Risk Management Model
Qualitative Risk Analysis Matrix
Combines the probability and consequence of a risk to identify a risk rating for each individual risk.
• Risk ratings
  – Represent a judgment as to the relative risk to the project
  – Categorize each risk as
    • Low
    • Moderate
Risk Assessment - Quantitative
Mitigation of Coordinated Attacks
Offline: Risk Modeling and Mitigation
• Cyber System Definition (Topology, Security) → Cyber System Modeling (Petri Nets) → Attack Probability
• Power System Definition (Control, Protection) → Power System Modeling (DIgSILENT, PSSE) → Impact
• Attack Templates drive both models; Attack Probability and Impact combine into risk
• if risk > threshold → Offline Mitigation
  – E.g. - Modify settings, Add security
  – E.g. - Increase transmission capacity
Online: Alert Correlation and Mitigation
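An added example (not from the slides) that carries the Risk = Threat x Vulnerability x Impact formula through the hierarchy above: access-point vulnerabilities are rolled up into a scenario vulnerability, each scenario receives both a quantitative risk and a qualitative probability/consequence rating, and scenarios whose risk exceeds a threshold are assigned their offline mitigation template. The scenario numbers, matrix bands and threshold are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    threat: float          # likelihood that an adversary attempts this scenario (0..1)
    access_points: list    # compromise probability of each access point on the attack path (0..1)
    impact_mw: float       # load lost if the scenario succeeds (would come from the power-system model)
    mitigation: str        # offline mitigation template applied when risk exceeds the threshold


def scenario_vulnerability(access_points):
    """Roll access-point vulnerabilities up to scenario level: the scenario
    succeeds if any access point on the path falls (assumed independent)."""
    p_all_hold = 1.0
    for p in access_points:
        p_all_hold *= 1.0 - p
    return 1.0 - p_all_hold


def quantitative_risk(s):
    """Risk = Threat x Vulnerability x Impact, here in expected MW of load lost."""
    return s.threat * scenario_vulnerability(s.access_points) * s.impact_mw


def band(value, low, high):
    """Quantize a number into the three bands used by the qualitative matrix."""
    return "low" if value < low else ("medium" if value < high else "high")


def qualitative_rating(probability, consequence):
    """Constructed 3x3 probability/consequence matrix giving a Low/Moderate/High rating."""
    level = {"low": 0, "medium": 1, "high": 2}
    return ("Low", "Low", "Moderate", "High", "High")[level[probability] + level[consequence]]


def assess(scenarios, threshold_mw):
    """Rank scenarios by quantitative risk and attach the qualitative rating and the action."""
    rows = []
    for s in scenarios:
        risk = quantitative_risk(s)
        attack_probability = s.threat * scenario_vulnerability(s.access_points)
        rating = qualitative_rating(band(attack_probability, 0.1, 0.4), band(s.impact_mw, 50, 200))
        action = s.mitigation if risk > threshold_mw else "accept; monitor online"
        rows.append((s.name, round(risk, 2), rating, action))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios (illustrative numbers, not measured data).
SCENARIOS = [
    Scenario("Remote access to substation RTU over DNP3", 0.6, [0.3, 0.2], 250.0,
             "Add security: restrict DNP3 to the ESP, require VPN and two-factor for remote access"),
    Scenario("Phishing of a control-room workstation", 0.8, [0.15], 120.0,
             "Modify settings: disable e-mail and web access on EMS consoles"),
    Scenario("Physical tampering with a field IED", 0.15, [0.5], 40.0,
             "Increase transmission capacity on the affected corridor"),
]
```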
Qualitative vs. Quantitative
Property               Qualitative                  Quantitative
To be viable …         Relies on Expert Knowledge   Data sets, probabilities
Benefit …              Coarse-grain analysis        Fine-grain analysis
Analyzability …        Subjective?                  Verifiable if assumptions hold
Security investment    High-level                   Detailed analysis
Who uses               Industry                     Academic
Both are complementary!
• Threat modeling is not well understood - more of an art than science
• Vulnerability assessment is subjective – assumptions on cyber system
Mission Oriented Risk and Design Analysis (MORDA)
Attack Trees
Source: NERC Cyber Attack Task Force report, May 2012 (www.nerc.com)
NERC CATF Risk Mitigation Framework
Cyber-Physical Security Testbeds
Adam Hahn, Aditya Ashok, Siddharth Sridhar, Manimaran Govindarasu, Cyber-Physical Security Testbeds:
Need for Testbeds
1. Vulnerability Analysis
2. Impact Analysis
3. Mitigation Research
4. Cyber-Physical Metrics
5. Data and Model Development
6. Security Validation
7. Interoperability
8. Cyber Forensics
9. Operator Training
CPS Testbed – A Layered View
• Information/Control Layer: EMS, SAS, RTUs, IEDs
• Communication Layer: Routing infrastructure, Network protocols, Routers, Firewalls
• Physical Layer: Power System Simulators (RTDS, Power Factory)
[Figure overlays: Cyber attacks; Defenses]
Aditya Ashok, Adam Hahn, and Manimaran Govindarasu, “A cyber-physical security testbed for smart grid: system architecture and studies”, Proceedings of the Cyber Security and Information Intelligence Research (CSIIRW '11).
Cyber Security Testbeds
• National SCADA test bed (NSTB) @ Idaho National Lab
• Virtual Control System Environment @ Sandia National Lab
• SCADA Security Testbed @ Pacific Northwest National Lab
• PowerCyber Security Testbed @ Iowa State University
• SCADA Security Testbed @ Washington State University, Pullman
• Virtual Power System test bed (VPST) @ University of Illinois, Urbana
• Critical Infrastructure Security Testbed @ Mississippi State University
Iowa State’s PowerCyber Testbed
Adam Hahn, Aditya Ashok, Siddharth Sridhar, Manimaran Govindarasu, Cyber-Physical Security Testbeds: Architecture, Application, and Evaluation for Smart Grid,
[Figure: Visualization; USC/ISI DETER Testbed; ISU PowerCyber Testbed]
Cyber Security Compliance & Best practices
Cyber and Control Systems Security Standards for Electric Power Systems
Organizations for Cyber Security Standards
• IEEE – Institute of Electrical and Electronics Engineers
• IEC – International Electro-technical Commission
• NERC – North American Electric Reliability Council
• CIGRE – International Council on Large Energy Systems
• FERC – Federal Energy Regulatory Commission
• PSRC – Power Systems Reliability Committee
Cyber Security Standards for Electric Power Systems
Protocol       Scope
IEEE 1402      Electric Power Substation Physical and Electronic Security
IEC 62351      Data and Communication Security
NERC 1300      Cyber Security Standards (CIP Standards) [www.nerc.com]
FERC SSEMP     Security Standards for Electric Market Participants
NISTIR 7628 – Guidelines for Smart Grid Cybersecurity
Vol. 1 – Security Strategy, Architecture and High-Level Requirements
• Applicability of CIA in the smart grid environment
• Access control, Cryptography and key management
• Risk management and assessment
Vol. 2 – Privacy and the Smart Grid
• New privacy concerns and classification of privacy
• Laws and regulations with respect to privacy
Vol. 3 – Supportive Analysis and References
• Vulnerability definition and classification
• Bottom-up Security Analysis
• Security requirements –
  – Device security
  – Cryptography and key management
  – Network security
NIST – Smart Grid Interoperability Panel
NIST – Smart Grid Scope: Standards Development and Research
• Energy management and Metering
• Smart-grid Architecture and Operations
• Wide-Area Monitoring and control
• Communication protocols and cybersecurity
• Electric vehicles and storage
• Interoperability standards
• Cybersecurity standards [NISTIR 7628 – Guidelines for Smart Grid Cyber Security]
NISTIR 7628 – Smart Grid Cyber Security Strategy
1. Use case analysis
   – Top-down analysis (inter-component/domain)
   – Bottom-up analysis (vulnerability classes)
2. Risk Assessment
   • Identify assets
   • Vulnerabilities
   • Threats
   • Impacts
3. High-level security requirements (with Privacy Assessment)
4a. Security Architecture
4b. Smart Grid Standards Assessment – Existing standards (IEEE, CIP, etc.)
5. Conformity Assessment
NERC – Critical Infrastructure Protection (CIP)
Objective:
• Physical, cyber and operational security for bulk power system
• Vulnerability and risk assessment
• Threat response
• Physical security
• IT/Cyber security
• Protecting sensitive data
• Communications
NERC CIP Scope:
• Support operation and protection
• Deterrence, prevention, detection and correction
• Production, storage, transmission and disposal
• Facility and field equipment
• Cyber and physical countermeasures
• Identify vulnerabilities and countermeasures
NERC – CIP Standards (Version 5)
• CIP-002 – BES Cyber System Categorization
• CIP-003 – Security Management Controls
• CIP-004 – Personnel & Training
• CIP-005 – Electronic Security Perimeter(s)
• CIP-006 – Physical Security of BES Cyber Systems
• CIP-007 – Systems Security Management
• CIP-008 – Incident Reporting and Response Planning
• CIP-009 – Recovery Plans for BES Cyber Systems
• CIP-010 – Configuration Change Management and Vulnerability Assessments
• CIP-011 – Information Protection
Cyber security Best Practices
Defense in Depth approach
Protect network boundaries
• Firewalls
  – Limit inbound and outbound connections
  – Authorize appropriate outbound connections
  – Filter malicious traffic
• Intrusion Detection Systems
  – Analyze network traffic in near real-time
  – Based on signatures, anomaly based
Protect computing environment
• Regular OS patching and updating
• OS Hardening
• Periodic Anti-virus updates
• Use of Host based Firewalls
• Routine Vulnerability Scanning
• Use of Proxy servers and Web content filters
• Email attachment filtering
• Monitoring logs
• Authorize devices on LAN
ICS-CERT best practices
• Minimize network exposure for all control system devices.
• Firewall and isolate control network
• Secure remote access using VPNs
• Account lockout policies
• Password management policies
• Access control management policies
• Patch management policies
Vulnerability Lifecycle
• Creation – Vendor mistake in design/development process
• Discovery – Vulnerability discovered by (Vendor/Utility/Security Researcher/Attacker)
• Notification – (Vendor/Coordinator/Researcher) disclose the vulnerability to utilities and/or general public
• Mitigation Released – Vendor provides patch and/or configuration strategy to mitigate the issue
• Mitigation Applied – Utilities/System integrators work on testing, deploying patch
Vulnerability Assessment
Inspect weaknesses in industry standards, software platforms, network protocols and configurations
• Common activities include
  – Vulnerability Scanning
  – Cryptography Analysis
  – Software fuzz testing
• Common tools
  – Nmap – a security scanner to discover hosts and services on a network
  – Wireshark – a network packet sniffer & analyzer tool
  – Nessus – a comprehensive vulnerability scanning program
Assessment stages: Footprinting, Scanning, Enumerating, Exploit!
Multiple layers & Multiple vendors
– Heterogeneous environment with both industry-specific and traditional IT software
– Must be able to flexibly manage vulnerabilities discovered in both domains
Application layer:            Web, Database, Email, SCADA, EMS, WAMS, SPS
Network Infrastructure layer: Ethernet, TCP/IP, SSL, NTP, DNP3, IEC-TC57, Modbus
Operating System layer:       Microsoft, Unix, Linux, IOS, VxWorks, Embedded
Vulnerability Disclosure
ICS-CERT Advisory
• An ICS-CERT Advisory is intended to provide awareness or solicit feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity with the potential to impact critical infrastructure computing networks. (http://ics-cert.us-cert.gov)
NERC ES-ISAC
• “Facilitates sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, potential protective measures, and practices”. (http://www.nerc.com)
ICS-CERT Advisory
• A typical ICS-CERT Advisory contains:
  – Affected products
  – Impact
  – Background
  – Vulnerability Characterization
    • Vulnerability Overview
    • Vulnerability Details
  – Exploitability
  – Existence of Exploit
  – Difficulty
  – Mitigation
Need for Advanced Metering Infrastructure (AMI)
System Operation Benefits: Reduction in peak loads; Improved Monitoring and control; Improved efficiency and reliability; Cost reduction
Customer Service Benefits: Billing accuracy and flexible billing cycle; Time based rate options; Custom energy profiles for Energy Efficiency; Demand Response
Financial Benefits: Reduced equipment and maintenance costs; Reduced support expenses; Faster outage restoration; Improved inventory management
Advanced Metering Infrastructure:
• Digital hardware and software
• Interval data measurement capability
• Two-way remote communications
AMI in Modern Grid vision
Advanced Metering Infrastructure, National Energy Technology Laboratory, U.S Department of Energy, Office of Electricity Delivery and Energy Reliability, February 2008
Basic AMI architecture
• Customer – Data Collection: Electricity Meter, Gas Meter
• Communication Network – Data Transmission Network (BPL, PLC, RF, Public Networks)
• Utility/Third Party – Data Reception and Management: AMI Host server, Meter Data Management System (MDMS)
AMI communication architecture
Advanced Metering Infrastructure, National Energy Technology Laboratory, U.S Department of Energy, Office of Electricity Delivery and Energy Reliability, February 2008
AMI security issues
Cleveland, F.M.; , "Cyber security issues for Advanced Metering Infrastructure (AMI)," Power and Energy Society General Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, 2008 IEEE , vol., no., pp.1-5, 20-24 July 2008.
Conclusion
• Cyber-Physical Security of Power Grid is a national priority
• Smart Grid Security = Info Sec + Infra Sec + Application Security
• Defense-in-Depth & End-to-end Security & Attack-resilient Systems
• Cyber-Physical Security Testbeds & Experimentations
• Standards development and Industry adoption are critical
• Education and workforce development are very important
• Synergistic collaboration between Industry-University-National Labs
THANK YOU …
Acknowledgements:
• U.S. National Science Foundation (NSF)
• U.S. Department of Homeland Security (DHS)
• U.S. Department of Energy (DOE)
• U.S. NSF IU/CRC Power Engr. Research Center (PSERC)
• Iowa State Univ., Electric Power Research Center (EPRC)
Graduate Students: Aditya Ashok (ISU)
Collaborators:
• Prof. Chen-Ching Liu, Washington State University (WSU)
• Prof. Venkat Ajjarapu, Iowa State University (ISU)
• Dr. Adam Hahn, MITRE
• Dr. Jianhui Wang, PNNL
• Dr. C. W. Ten, Michigan Tech.
Professional: