Security Implications of the Electric Smart Grid
The United States is in the process of upgrading its electrical power infrastructure. The patchwork nature of the current electric grid, which consists of more than 9,200 electric generating units with more than one million megawatts of generating capacity connected to more than 300,000 miles of transmission lines (U.S. Department of Energy, 2013, What Is the Smart Grid?), has been stretched to its capacity.
Steps to transform the nation’s power grid into a smart grid – an advanced, digital infrastructure with two-way capabilities for communicating information, controlling equipment, and distributing energy – are being implemented from the bottom up and will take place over many years (NIST, 2010a). Intelligent, bi-directional communication devices are being incorporated in the industrial control systems (ICS) used by the electric industry.
These ICS include supervisory control and data acquisition (SCADA) systems used to monitor and control widely dispersed operations (Energy Sector Control Systems Working Group/ESGSWG, 2011, Roadmap to achieve systems cybersecurity) in electricity transmission and distribution; energy management systems (EMS) used with SCADA systems to optimize energy delivery system performance; distributed control systems used in bulk generation plants for load control; and other components such as remote terminal units (RTUs), programmable logic controllers (PLCs), and intelligent electronic devices (IEDs) that monitor system data and initiate programmed control activities in response to input data and alerts (ESCSWG, 2011). Integrating information technology (IT) within the power grid is central to realizing the benefits of the smart grid, among them: increasing energy efficiency and reliability; transitioning to renewable sources of energy; reducing greenhouse gas emissions; and building a sustainable economy that ensures future prosperity (ESCSWG, 2011).
Throughout this transition, the electric industry must address increasingly complex power system operations while accommodating greater demands for electricity and maintaining grid stability. Availability (reliability) of power system delivery is critical, with varying time latency needs: no more than 4 milliseconds for protective relaying; sub-seconds for transmission of wide area situational awareness monitoring; seconds for substation and feeder SCADA system data; minutes for monitoring noncritical equipment and some market pricing information; hours for meter reading and longer-term market pricing information; and days/weeks/months for collecting long-term data, such as power quality information (NIST, 2010b). In addition, regardless of events, power system operations must continue 24/7, with 99.99-percent availability for SCADA systems and higher for protective relaying (National Institute of Standards and Technology/NIST, 2010, Guidelines for Smart Grid Cyber Security: Vol 3, Supportive analyses and references).
Increasing Threats and More Vulnerabilities
ICS used by the electric sector are transitioning from isolated systems running proprietary industry control protocols that use specialized hardware and software (NIST, 2011, NIST Special Publication 800-82: Guide to Industrial Control Systems (ISC) Security), to Internet Protocol (IP)-based communications and commercial off-the-shelf technologies. While these reduce costs and increase compatibility between different vendors’ components, they also increase the likelihood of successful IP-based network attacks, such as IP spoofing and distributed denial of service attacks. Blocked or delayed data transmission could disrupt ICS operations, degrading power system reliability.
As systems become more interconnected, the implicit trust that exists between ICS devices makes them vulnerable to data spoofing, which could cause false control signals to be transmitted, readings from smart meters to be fabricated, protective relays to be disabled, and load balances to become disrupted by abrupt increases or decreases in the demand for electricity.
Greater interconnectedness means less physical isolation from external, remote threats. Many of the systems and components that were once located in physically secured areas are now in unsecured locations that are not under electric utility control. Among those components most vulnerable to physical access are digital meters used in the Advanced Metering Infrastructure (AMI), distributed energy resources equipment, distribution automation field equipment, home area network (HAN) devices, and energy services interface (ESI)/HAN gateways.
In addition, the increasing use of mobile devices and wireless communications puts control systems at higher risk from adversaries who do not have physical access. Remotely transmitted, unauthorized changes to instructions, commands, or alarm thresholds could damage, disable, or shut down equipment or interfere with the operation of safety systems, causing environmental catastrophes or endangering human life (NIST, 2011). Malware can be inserted and transmitted to add or modify device functions or to alter ICS software or configuration settings, with equally adverse outcomes.
Sources of Threats
Threats to the smart grid can come from many sources, the most likely being customers, insiders, and terrorists/nation-states. The basis of most customer attacks is fraud. Some customers will almost certainly attempt to steal electrical power by falsifying smart meter data. Attacks against smart meters will probably be similar to existing attacks against broadband modems. For years, subscribers have been able to “uncap” their cable modems: using open source software to edit the configuration files of their DOCSIS (Data Over Cable Service Interface Specification)-compliant modems, allowing them to control the modem’s upload and download speeds, thereby overriding the bandwidth caps put in place by cable service providers (R.C. Parks, 2007, Advanced Metering Infrastructure Security Considerations).
Just as cable modems are physically accessible to Internet service subscribers, smart modems are accessible to utility customers. In a similar manner, utility customers could modify the firmware controlling the operation of the smart meters, causing them to underreport electric usage, and therefore lower the customers’ cost of electric use (Parks, 2007). Impact on the smart grid will be negligible if only a few customers alter their smart meters; however, reliability and security problems will arise when smart meter hacking tools become readily accessible. In the long term, the electric utility may not plan infrastructure that will meet loads because the data show the loads to be less than actual. During large outages due to weather or ground fault conditions, crews may not be able to pinpoint problems because customer-hacked meters are unable to provide the necessary outage information, delaying power restoration and increasing utility operating costs (Parks, 2007).
Insider attacks also can be financially motivated. Targeted smart grid systems include the AMI and either the EMS or the Inter-Control center Communications Protocol (ICCP) server to an independent system operator or generation entity. These are the systems through which pricing information flows. An insider in collusion with a generation provider could use the AMI to increase peak usage, thereby creating increased demand for power generation at a higher price point than would otherwise occur. The generation provider would earn significantly higher profits, which would be shared with the insider. The impacts on the power system from such an attack include higher peak usage of electricity and artificially high usage reporting for planning (Parks, 2007).
Terrorist/nation-state attacks are enabled by the size and complexity of the smart grid, the trust relationships between the many systems and devices involved, and the vulnerabilities in IT used by the smart grid. A declassified report from the National Research Council found that physical damage by terrorists to large transformers could disrupt power to large regions of the country and could take months to repair, and that such attacks could be carried out by knowledgeable attackers with little risk of detection (National Research Council/NRC, 2012, Terrorism and the Electric Power Delivery System). Only a limited number of spare transformers are available within the U.S., and the replacement of large transformers essential to the reliable operation of the grid could require twenty months or longer (U.S. Department of Energy, 2012, Large Power Transformers and the U.S. Electric Grid). Impacts on the power system could include instability of the bulk electric grid, widespread and lengthy outages, and equipment damage.
Certain methods and technologies that have been developed to address physical and logical security issues in traditional IT systems have the potential to introduce serious operational problems in the smart grid. Some IT solutions can disable or shut down power delivery systems, and poorly configured security tools can slow critical data communications to the point where electricity delivery becomes inoperable (ESCSWG, 2011). Problems arise because the operating performance requirements are very different. Reliability and safety are of paramount importance in electric power systems (NIST, 2010a, Guidelines for Smart Grid Security: Vol 1, Smart grid cyber security strategy, architecture, and high-level requirements), and as a result, their ICS have different objectives than typical IT systems. These include ensuring the health and safety of human lives, minimizing damage to the environment, limiting economic losses, and avoiding the compromise of proprietary information (NIST, 2011). Because the goals of reliability and safety can sometimes conflict with the IT perspective of control system design and operation, ICS often use operating systems and applications that are considered unconventional to typical IT personnel (NIST, 2011). It is important that the security technologies that are implemented respect the real-time operation imperative of the power delivery system, and do not introduce unacceptable latency or degrade or disrupt service (ESCSWG, 2011).
Read more on smart grid security strategies, including four areas of focus, after the break.