Smart Grid Safety vs Confidentiality

(This article was originally published on the Findings From the Field blog.)

I just returned from Smart Grid Security East. The event featured an impressive set of high-powered government and regulatory speakers and a fair number of vendors as well. Surprisingly, I found the "NERC-CIP Compliance" workshop very useful -- in addition to the usual introductory information, there was insightful discussion between a number of security consultants and former NERC auditors as to how this word or that phrase are being interpreted during audits. The event also crystallized for me an understanding of why I have found the AMI/smart meter security space so confusing for the last little while: IT folks see smart meters as billing appliances. ICS folks, like me, see them as control devices. Security requirements for the two classes of devices are very different. Thus far, the IT interpretation is winning...

Security Priorities

Industrial control system (ICS) security priorities are generally:
  1. Public safety - don't kill or injure large numbers of people. Think nuclear generators.
  2. Employee safety - don't kill or injure your own workers.
  3. Availability - keep the lights on.
  4. Confidentiality.
(3) is related to (1) in some cases, for example by public health agencies. When the lights go out, home medical devices stop working, there are more traffic accidents and so on. Strong correlations between blackouts and deaths or injuries are rare, but soft correlations are drawn routinely.

Traditional IT priorities are the classic "CIA" - confidentiality, integrity and availability. In the smart grid space, this translates into concerns about customer-private data and tamper-resistance to prevent electricity theft. A clear majority of participants at Smart Grid Security East held to the IT perspective of smart meters. When you ask representatives of meter vendors at these shows about security, they answer in terms of encryption, because their IT-centric customers tell them that customer data privacy is their biggest concern.

The good news is that meter security is improving. All the vendors I spoke to swore they had unique keys in every meter -- no more nonsense where every meter's key was the same, or every meter had a copy of a common shared-secret control center key. Even better, Industrial Defender's consulting personnel report that the technical people they work with from meter vendors very much understand safety. They regard Zigbee interfaces as hostile networks, they keep control decisions as close to the physical hardware as they can, and as much as possible they separate control communications from more routine communications.

Grid Reliability Concerns

So what are the concerns about safety and smart meters? NERC issued a report very recently: Reliability Considerations from the Integration of Smart Grid. The report documents NERC's position on the impact emerging smart grid technologies are expected to have on the reliability of the BES (bulk electric system).

The high-level conclusion of the report is that smart grid technologies are generally expected to improve the reliability of the electric system. If you look closer at the report, this makes sense because the report uses a definition of "smart grid" that seems at odds with the one used by most participants at the conference. At the conference, the vast majority of participants were attending AMI-focused tracks and sessions. The ICS-focused sessions were nearly empty. The majority opinion seems pretty clear: the smart grid is AMI, AMI is a big billing system, and so traditional CIA/IT-centric priorities apply.

The NERC report, however, echoes the conference chair Mike Ahmadi's comments on the second day. By count, some 49 of the NERC report's technologies are distribution automation technologies, only 15 are consumer-visible technologies, and only four of those are related to smart meters. Mike tried to remind people that the smart grid was about distribution automation as much as it was about smart meters. His comments fell on deaf ears.

NERC's comments on consumer-visible technologies, including those mediated by smart meters, display concern for the availability of the bulk electric system, and by implication for public health concerns that arise from an unreliable power grid. Among those concerns:
  • Demand response: "... there may be bulk power system impact with a large enough number of centrally controlled demand management systems."
  • Electric vehicle charging: "Security considerations for electric transport loads ... will become important when significant customer demand management capacity is being aggregated."
  • Home area networks: "...if the cyber attacker were able to manipulate thousands of homes together and turn off all their power at once using denial of service or other forms of malware, the reliability of the bulk power system would be affected."
In fact, the NERC report comments that "HAN devices were the most vulnerable to cyber concerns because they are outside the control of [a utility] organization." I asked the AMI panel about the wisdom of connecting to HAN networks that will inevitably be poorly patched and far from professionally secured. One of the members - I forget who, my apologies - answered bluntly: "The security of today's AMI infrastructure looks like the 'wild, wild west.' The security situation on HANs is more like the 'dark ages.'" To be fair though, I think the comment about existing AMI security reflects older AMI deployments. Recent versions of AMI technologies tend to reflect recommendations of the NISTIR 7628 and the Security Profile for Advanced Metering Infrastructure.

Looking Forward...

Even power grid people are in denial. I have had more than one power grid expert tell me that when smart meters are widely deployed, no attack on them can affect the stability of the grid. "Do the math," they tell me:
  • AMI meters are relevant to only residential load,
  • About 30% of most grids' load is residential,
  • About 20% of AMI meters being installed have remote-disconnect capability, and
  • Most grids have a variety of meter versions and vendors being installed, so no one vulnerability can be exploited to affect all meters.
In the very worst case then, only 20% x 30% = 6% of the load can be manipulated by a remote-shut-off worm, and this is less than the roughly +/- 10% load bumps the grid is designed to handle routinely without stability problems. I am inclined to believe the math today, but only because a tiny fraction of residences have smart meters connected to them today. Down the road, many indications contradict "the math":
  • NERC reports that large deployments of electric vehicles may significantly increase residential loads,
  • Some utilities are installing 100% of their meters with remote disconnect capability,
  • HAN worms or botnets on home PCs connected to Zigbee/HAN networks can control load whether or not meters are involved, and
  • The prospect of an AMI network under constant assault by hundreds of thousands of connections to compromised HANs is not even being discussed.
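To make "the math" checkable against the indications above, here is an added example (not from the original post) that computes the worst-case remotely disconnectable share of load under the post's figures and then varies the remote-disconnect share and residential growth. The 30%, 20% and +/- 10% figures come from the post; treating the 10% as a fraction of total load, the EV growth multiplier and the single-vulnerability reach are my assumptions.

```python
"""Sensitivity check on the "do the math" argument from the post.

Added example, not from the original article. Only the 30% residential
share, the 20% remote-disconnect share and the +/- 10% tolerance come
from the post; the rest are labelled assumptions.
"""

# Post: the grid routinely absorbs load bumps of about +/- 10%.
# Treating that as a fraction of total load is an assumption of this model.
DESIGN_TOLERANCE = 0.10


def manipulable_load_fraction(residential_share, remote_disconnect_share,
                              single_vulnerability_share=1.0,
                              residential_growth=1.0):
    """Worst-case fraction of total load one remote-shut-off worm could drop.

    residential_share:          fraction of grid load that is residential (post: 0.30)
    remote_disconnect_share:    fraction of meters with remote disconnect (post: 0.20)
    single_vulnerability_share: fraction of meters one vulnerability reaches;
                                1.0 is the worst case, a diverse fleet gives less
    residential_growth:         multiplier on residential load, e.g. EV charging
                                (assumption; the post gives no figure)
    """
    grown = residential_share * residential_growth
    # Renormalise so the residential share is taken against the new total load.
    new_residential_share = grown / (grown + (1.0 - residential_share))
    return new_residential_share * remote_disconnect_share * single_vulnerability_share


def exceeds_design_tolerance(fraction, tolerance=DESIGN_TOLERANCE):
    """True when the worst-case drop is larger than the routine load bump."""
    return fraction > tolerance


def breakeven_disconnect_share(residential_share, tolerance=DESIGN_TOLERANCE):
    """Remote-disconnect share at which a fleet-wide vulnerability hits the tolerance."""
    return tolerance / residential_share


if __name__ == "__main__":
    scenarios = {
        "post, today (30% res, 20% RD)":    dict(residential_share=0.30, remote_disconnect_share=0.20),
        "100% remote disconnect":           dict(residential_share=0.30, remote_disconnect_share=1.00),
        "EV doubles residential, 20% RD":   dict(residential_share=0.30, remote_disconnect_share=0.20,
                                                 residential_growth=2.0),
    }
    for name, params in scenarios.items():
        f = manipulable_load_fraction(**params)
        print(f"{name:34s} {f:6.1%}  exceeds tolerance: {exceeds_design_tolerance(f)}")
    print(f"break-even RD share at 30% residential: {breakeven_disconnect_share(0.30):.1%}")
```

The break-even value shows the argument turns on the remote-disconnect share: with a fleet-wide vulnerability, anything above about a third of meters at 30% residential load already exceeds the 10% bump the post cites.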
The NERC report focused on threats to the reliability of the BES - that is their mandate. I think we need a comprehensive investigation of worst-case consequences of HAN, AMI, and combined HAN/AMI security breaches. Grid reliability impacts and the obvious privacy and denial-of-service concerns are only some of the possible consequences. Who is investigating scenarios where a Zigbee worm reprograms televisions to show only Fox News channels? Or reprograms space heaters and kitchen appliances to turn on and off at random? There are public safety and other concerns in this space which have not been explored anywhere.
