FERC staff’s Preliminary Assessment of NERC’s proposed reliability standards identified a number of potential deficiencies, many of which NERC plans to address. What adjustments must be...
Securing Tomorrow's Grid (Part I)
Protecting smart systems against cyber threats.
technologies and protocols had insufficient security and were easily hacked, while others today still haven’t received substantial scrutiny.
Compromising AMI networks is attractive to a host of attackers: from hobbyist hackers with similar motivations to those mentioned for the HAN; to homeowners attempting to control their energy bill; and more ominously to malicious actors intending to create fear or distrust of the technology, or to extort money.
Ensuring meter security over the equipment’s long deployment life (10 to 20 years) becomes increasingly difficult as vulnerabilities grow over time with hacker capabilities. In particular, mesh networks are targeted by hackers because this architecture, if not properly secured, is inherently susceptible to worm-style ( i.e., self-propagating) attacks. Residential meters tend to be highly resource-constrained, with low processing power and small amounts of memory that make firmware updates challenging. Pushing firmware updates out over the wire or the air also presents bandwidth challenges due to the large number of devices, and challenges in ensuring that the meter only authenticates and authorizes changes from the utility.
Figure 5 summarizes potential impacts of a successful cyber attack against metering systems. The following mitigation practices would address many known attack vectors.
• Remote status and alarm for meter tamper-detection mechanisms.
• Cryptographic hardware modules such as trusted platform modules (TPM) that perform all encryption, decryption, and digital signing operations including key storage, so that cryptographic keys are never exposed to other hardware components such as the microprocessor, RAM, or flash memory.
• Auditing and unique credentials for each technician connecting to the meter in the field via optical port or wireless hand-held equipment.
• Unique keys for each meter, ensuring compromise of one key doesn’t compromise more than one meter. This is applicable for both optical port communication and wireless communication with the head end.
• Cryptographic signing and validation of software and firmware upgrades upon receipt from the head end and during each boot process.
• Compartmentalized field-area network design such that individual meters are assigned to a small and finite number of potential aggregation points and network devices.
• No decryption of payload data at aggregation points or any other points between the meter and the head end.
• Cryptographic signing of all data in transit and encryption of all data deemed sensitive ( i.e., firmware).
A complete list of recommendations presented in a systematic approach can be found in the UCAIug AMI Security Profile v2.0 .4 The AMI Security Profile uses a security domain analysis approach to tailor controls from the DHS Catalog of Control Systems Security 5 to AMI components. These controls are currently being re-evaluated by the AMI security subgroup within the NIST cyber security working group to drive them to a level that may be independently tested and certified.
Transmission Domain: Phasor Measurement
Existing situational awareness tools such as state estimators extrapolate transmission-level data from SCADA-based systems to produce a periodic estimate of the state of the transmission system. In contrast, advanced measurement technologies, such as PMUs, capture GPS time-synchronized transmission-level data at a much faster rate