Capstone Team Report - The Vicious Circle of Smart Grid Security


Upload: reubenmathew

Post on 21-Jan-2018


Page 1: Capstone Team Report -The Vicious Circle of Smart Grid Security


The Vicious Circle of Smart Grid Security

Justin A. Turner, Amit K. Barik, Reuben Mathew


A capstone paper submitted as partial fulfillment of the requirements for the degree of Masters in Interdisciplinary Telecommunications at the University of Colorado, Boulder, 3 May 2011. Project directed by Jose R. Santos.

1 Introduction

The massive push for energy efficiency and conservation is driving rapid development and deployment of Smart Grid technology around the globe, effectively driving integration and connection of Supervisory Control and Data Acquisition (SCADA) systems closer and closer to the user edge. The resulting network is vast, complex and very similar to the Internet. This environment greatly increases the possibility of cyber-attacks (Ten, Liu, & Manimaran, 2008) by introducing attack vectors that were nonexistent in the past. This is a serious threat to the national power infrastructure that must be addressed.

The tragic events surrounding the Fukushima Daiichi nuclear power plant following the massive 2011 earthquake in Japan underscore the importance of system availability and data integrity. Initial reports indicate that primary systems remained intact. Unfortunately, critical auxiliary systems and communications infrastructure are significantly damaged. Without these systems, the reactor core is on the edge of a catastrophic meltdown. In 2010, the Stuxnet worm discovered in an Iranian nuclear plant could have created a similar situation. Several reports suggest that damage was extensive enough that it will take several years to recover from. Stuxnet demonstrates how devastating a highly sophisticated and focused cyber-attack can be to a power utility. “If the critical infrastructures of the world are to be safe and secure, then the owners and operators need to recognize that their control systems are now the target of sophisticated attacks. Improved defense-in-depth postures for industrial control systems are needed urgently. Waiting for the next worm may be too late.” (Byres, Ginter, & Langil, 2011)

Unfortunately, we are treading down a dangerous path. Actions taken by utility companies, equipment manufacturers and regulators are not adding up to the safe and secure environment that the “smart grid” needs in order to become a reality.

We believe that in order for stakeholders to build an advanced, efficient and attack-resilient smart grid, we must address considerable gaps that exist between the stakeholders. According to the Department of Energy, “if we approach issues of reliability, affordability, energy independence and grid security piecemeal, piecemeal solutions are all we will get.” (DoE, 2010) The statement is clear! Utilities, equipment manufacturers and regulators must work together to solve the cyber-security crisis that we are seeing unfold within the power industry today.

2 Methodology

This paper will analyze the perspective of three critical stakeholders. We will start with the utility companies, followed by the regulators responsible for developing policies to shape the industry, and finish with a look at the equipment manufacturers. All parties have a critical role in delivering the smart grid; however, each has a unique set of challenges with respect to addressing cyber-security. This paper seeks to identify the most critical gaps that exist between the stakeholders today. With a better understanding of the existing environment we can then make recommendations to close gaps, improve awareness and ultimately the overall security posture of the smart grid going forward.

3 Analysis of Stakeholders

3.1 Utilities

Utilities in the United States are a mixture of public and private companies. Similar to other for-profit businesses, they strive to maximize profits to survive in order to provide services to society. Currently, electric utility companies are leveraging U.S. stimulus money to rapidly deploy smart meters throughout the U.S. (Mills, 2010). It can be inferred from current research that utilities are expanding their markets by working on multiple smart grid projects simultaneously (Leeds, 2010). From a security perspective, this rapid deployment approach is troublesome as it decreases the amount of time available to plan and deploy security measures. This in turn increases the cyber threat surface of the power grid by exposing new devices that are not fully vetted and secured.

According to a recent report, “U.S. based utilities will invest $21 billion by 2015 in cyber security related activities and technologies to protect the smart grid” (Pike Research, 2010). This is only a prediction; however, it indicates the substantial monetary requirement for securing the grid. Even though the government is supporting utilities to some degree, small to mid-sized companies are often not capable of investing in their cyber-security infrastructure at high enough rates to maintain a good security posture. According to Bigger & Willingham (2005), small electric and gas utilities are concerned with what they see as “looming security requirements” that they cannot afford or whose results will not benefit their customers. This indirectly creates two possible scenarios which negatively affect the security posture of the entire smart grid. First, small utilities which are unable to rapidly invest in security will form weak links in the interconnected smart grid. Second, if smaller utilities have little to no influence over vendor decisions due to lack of spending ability, larger utilities will disproportionately influence manufacturing decisions. The resulting equipment options may not be suitable for smaller deployments and will force smaller utilities to selectively choose only core capabilities without advanced cyber-security options.

The rapid state of change combined with the monetary challenges highlighted above is creating a difficult environment that utility cyber-security professionals are struggling to overcome. One of the major problems faced by utility companies is “explaining the technical advantages of cyber-security to their executives” (Wheatman, 2011). Metrics that show clear business advantages to investing in cyber-security are hard to find. This makes it increasingly difficult to justify what are in many cases mandated cyber-security practices. Cyber-security training programs can be expensive and are not always implemented willingly as a result. Additionally, there is a knowledge gap between IT security personnel and SCADA engineers. All of these challenges contribute to difficulties with implementing strong cyber-security practices and technologies within utilities (Clements & Kirkham, 2010).

Looking at security from another perspective, interoperability is one challenge that is widely recognized but largely unresolved. “The need for standards is urgent” (Lee, 2011). Defining standards and migrating towards them is important for the smart grid to become a reality; however, combining various networks which operate on different standards exponentially increases vulnerabilities. According to Idaho National Laboratory (2006), “multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization”. If utilities had the luxury to implement a single vendor, single standard environment they would; however, that will likely never be an option. The reality is that equipment manufacturers are focused on individual pieces of the larger smart grid puzzle. Until we have developed widely recognized standards that are economically feasible to adopt, the industry will be stuck in a vicious circle trying to balance proprietary vendor technologies with increasing cyber threats.

From the utilities' perspective, a critically important security issue lies with the alarming increase in known vulnerabilities in the systems and networks that we depend on. Consider the Night-Dragon case (McAfee Foundstone Professional Services and McAfee Labs, 2011). Night-Dragon, code-named by McAfee, emerged in November of 2009 in the U.S., Greece, Kazakhstan and Taiwan. According to McAfee Foundstone Professional Services and McAfee Labs, China was the origination point of this attack, which exploited various utility companies, targeting important proprietary information. The attack used the following methods to compromise and infiltrate systems:

• Targeted Command and Control systems (in U.S.) using social engineering techniques which confuse operators into erroneously providing information such as usernames and passwords.

• Used RAT and other available hacker tools (like ASPXSpy and WebShell) to compromise and penetrate security systems.

• Used SQL-injections to compromise firewalls and database systems.

• Gained access to executive workstations and other sensitive devices (all running Windows OS) using credentials gathered through social engineering efforts and known Windows exploits.

The attack suggests that victim utilities did not follow a defense-in-depth security approach. The practice of isolating critical control systems using basic firewall configurations, considered by many utilities to be their cyber-security savior, is an antiquated practice when used alone and was easily exploited by the Night-Dragon attack using common tools and techniques that take advantage of untrained and generally unaware users. This attack was sophisticated and deliberate in nature, indicating that basic measures for securing critical systems are not enough.

SCADA systems, which sit at the heart of most utility company operations, are increasingly targeted due to their known reputation for lackadaisical security controls. In 2010, Stuxnet revealed exactly how critical systems can become crippled by sophisticated attacks. Stuxnet is “malware made specifically for sabotaging SCADA processes using PCS7 and Siemens WinCC control systems” (Byres, Ginter, & Langil, 2011). The Stuxnet attack, which targeted nuclear power plants in Iran, propagated using multiple vectors including USB flash drives, infected PDF files and unpatched hosts. Apart from considering all of the possible attack vectors used, it is important to know that targeted machines used for command and control of the worm were mainly Windows-based. The worm took advantage of Windows vulnerabilities in order to infiltrate the network, targeting specific models of Siemens control systems. The attack was not detected by antivirus software since signatures did not exist at the time of attack. Furthermore, the sophisticated design of the Stuxnet worm allowed it to “live on the victim’s network for a long time undetected while penetrating all the way through to reach critical control systems.” (Malcho, Harley, Rodionov, & Matrosov, 2010) Many security researchers who have examined the Stuxnet worm believe it would successfully infiltrate utility networks in the U.S. today even if the victims followed all of the standards outlined by Siemens in their security best practices documentation. The Stuxnet attack is a clear indication that highly sophisticated and targeted attacks are a reality today. Utilities must not wait until the next attack occurs on a U.S. facility to take serious measures to secure their environments.

3.2 Regulators

Regulators have always played an important role in directing and shaping the landscape in which utilities and equipment manufacturers operate, in any industry. In 2007, the Department of Energy was directed by the Energy Independence and Security Act to “modernize the nation’s electricity grid to improve its reliability and efficiency.” (DoE, 2010) Since then, utilities and manufacturers have scrambled to begin shaping this new and rapidly changing environment now called the smart grid. This monumental task comes with great risk. Cyber-security considerations were not heavily weighed when initial policies emerged directing and shaping the smart grid. Focus has improved; however, it is increasingly clear that confusion and gaps among interested parties are prohibiting progress. The following diagram, presented in a Department of Energy briefing in March of 2011, visually depicts a confusing and difficult to follow landscape. Figure 1 below depicts government entities at the state and federal level, working groups, commissions, industry associations and utilities.

Figure 1: Cyber Security Standards / Requirements relationship map (Hunteman, 2011)

As the title suggests, this map depicts the relationships between organizations involved in developing standards for manufacturers and utilities to follow in order to secure the smart grid. Context is missing from this diagram; however, in the briefing Mr. Hunteman specifically highlights several key challenges to addressing cyber-security for the smart grid, which include inconsistent standards at the federal, state, and local levels; significant gaps between implementation of policies by Federal and State agencies; and lack of clearly defined roles and responsibilities for cyber-security in the smart grid. This sentiment is shared by several utilities and equipment manufacturers who responded to the DoE’s request for comments on addressing policy and logistical challenges to smart grid implementation. For example, Edison Electric Institute states in their response that “there is insufficient coordination among the many independent groups doing testing, or proposing to do testing, and that there should be a certifying body to oversee compliance with testing and certification procedures.” (EEI, 2010) Others such as Cisco Systems commented that “various federal agencies involved in the creation of the Smart Grid and the standards on which it will be based can and should address risks as early as possible.” (Cisco, 2010) The Department of Energy web site contains over seventy-five responses from equipment manufacturers and utilities, many of which repeat this sentiment over and over.

We can say a few things with certainty regarding the organizational structure of the regulatory environment and smart grid cyber-security today. First, Congress has directed the Department of Energy to lead the charge with development and implementation of the smart grid, including cyber-security related issues as discussed above. Second, Congress has charged the National Institute of Standards and Technology (NIST) with developing standards for smart grid technology and implementation. NIST issued standards and/or best practices for smart grid security in a 2010 document. The policy is a good attempt to lead utilities and equipment manufacturers in the right direction; however, several key pieces of information were not addressed. In the January 2011 Government Accountability Office (GAO) report titled “Electricity Grid Modernization”, the GAO states that while NIST efforts to include missing pieces to policy are underway, “the plan and schedule are still in draft form.” “Until the missing elements are addressed, there is an increased risk that smart grid implementations will not be secure as otherwise possible.”

The Federal Energy Regulatory Commission (FERC) is a federal yet independent agency similar to the Federal Communications Commission and is charged with “regulation of public utility transmission and sales” (Greenfield, 2010). This is an oversimplified description of FERC responsibilities, but in their own words, FERC's authority to regulate does not include local distribution or resale. If the smart grid is supposed to be an end-to-end system, this policy must change.

The National Energy Reliability Commission (NERC), which is designated by FERC to develop reliability standards for bulk power generation and transmission within North America, has published seventeen cyber-security guidelines to date. These guidelines fall under their Critical Infrastructure Protection (CIP) standards addressing critical asset identification, security management controls, personnel and training, electronic security parameters, physical security, systems security management, incident reporting and recovery management. NERC, according to their Chief Information Officer Mark Weatherford, believes that CIP standards are having an impact. Industry experts agree with one caveat, which is that “utilities are focusing on regulatory compliance instead of comprehensive security” (GAO, 2011). Regardless, NERC regulatory oversight governs bulk power generation and transmission only. To date there is no uniform regulation or cross-cutting authority given to any agency to provide a common direction and oversight to smart grid cyber-security efforts.

3.3 Equipment Manufacturers

Equipment manufacturers have an important role in helping utilities and regulators implement smart grid technologies. Similar to auto and computer manufacturers, they are the subject matter experts for the systems they sell and support. As such they play a key role in the development and employment of robust end-to-end cyber-security technology and policies with respect to the smart grid. During the onset of smart grid deployment, many service providers and manufacturers considered security relevant only to smart metering, thus neglecting the attention required for automation, substations, control systems and SCADA. Recent events such as Stuxnet, already discussed in this paper, have reinvigorated attention to these critical control systems that sit at the heart of power utilities.

It is not immediately clear what specific security concerns equipment manufacturers have. For the purpose of discussion we consider open source information from Siemens, Cisco and others who all provide systems critical to the smart grid. Several manufacturers produce SCADA systems. One of the major players is Siemens, who develops hardware, software and networking equipment for utilities. Siemens systems happened to be the ones targeted by Stuxnet; however, this paper in no way intends to cast blame on Siemens alone for exploits used by Stuxnet. A common Siemens control system is the SIMATIC PCS 7 product suite, which is primarily a Distributed Control System (DCS) automation technology for process control systems and is developed around a defense-in-depth strategy. The system uses security features like automated Windows security patch management, remote access using IPSec and VPNs, virus scans and firewalls, time synchronization, user and access rights, Active Directory and work groups, network management, disaster recovery and system segmentation. Siemens has a published framework describing best practices to secure their systems. Unfortunately this framework is “not often implemented in practice” (Byres, Ginter, & Langil, 2011) according to reports describing how Stuxnet infected and damaged critical control systems.

Cisco Systems, a manufacturer of enterprise-level network devices, strongly believes that in order to approach the modern smart grid infrastructure, “a comprehensive security architecture is a must that has improved integration of diverse digital devices, increased use of sensors, layers of physical and cyber security integrated across all operational aspects of the grid.” (Cisco, 2010) Cisco, like Siemens, has developed their own security framework with best practices as they see them for securing the smart grid. Figure 2 depicts the Cisco approach for developing a smart grid security plan.

Figure 2: Cisco Grid Security Implementation Model

This model loosely depicts the idea of wrapping layers of security around critical infrastructure. Cisco’s report goes on to describe their technologies and implementation strategies to protect and defend critical infrastructure. The challenge with the Cisco model, along with Siemens' or others', is applying it to an environment where multiple vendor technologies exist. In many cases, the interoperability gap will interfere with best practices described in their security guideline framework. Equipment manufacturers need to continue working on development of interoperable standards for the safety and security of the smart grid. In an ideal scenario, equipment manufacturers providing equipment for all portions of a utility network would be drawn into the plant development process in order to deliver a robust end-to-end security framework. This is a utopian scenario which assumes that manufacturers will work together in harmony and openly share information that is oftentimes considered proprietary and sensitive in nature. We know this will likely never happen; however, if manufacturers knew that utilities would generally choose a manufacturer based on their ability to integrate whole solutions which incorporated cross-brand solutions, manufacturers would start working towards common standards. Cisco highlighted this in their response to the DoE’s RFI, noting that “the convergence of networking industry participants on the TCP/IP standard was critical to the rapid evolution of the internet.” (Cisco, 2010) Similar behavior on the part of smart grid manufacturers will “play the same role in the emerging Smart Grid, by ensuring that utilities and their customers will benefit from choices among standards-compliant devices that together will comprise the Smart Grid.” (Cisco, 2010)

4 Recommendations

Through our analysis of the stakeholder positions, we concur with statements made in the very recent report released by the Government Accountability Office. Specifically, we believe that “key players have to work together as a team” (GAO, 2011) in order to secure the smart grid.

Figure 3: The Vicious Circle of Smart Grid Security

Figure 3 above graphically depicts the vicious circle of smart grid security as we see it today. Starting with utility companies, we see policies and requirements put in front of them by regulators which do not always come with clear direction or a supporting business case. Moving clockwise around the circle we see equipment manufacturers who are working to respond to the needs of utility companies demanding secure, cost-effective and flexible solutions, but who do not have a clear understanding of what is required or standards to develop to. Finally we see regulators working to develop and provide smart grid standards and security measures to manufacturers while pushing utilities to modernize and deliver the smart grid to society. It is a difficult problem that will take some time to correct.

We recommend the following actions at a minimum to help correct the security crisis that we are facing with respect to smart grid implementation:

i. Appoint or nominate a single authority with national reach to assess and measure compliance with security standards developed by NIST, NERC and any other federal authority appointed to develop cyber-security standards. This authority should have the ability to evaluate the entire grid from SCADA system to the household meter.

ii. Reconsider timetables outlined in guidelines used by utilities to secure government assistance in deployment of smart grid technologies. The sense of urgency to meet these deadlines to acquire funding is causing utilities and manufacturers to rush through what should be carefully thought out security plans and implementation testing.

iii. Create a testing and certification body which independently tests and evaluates systems and technologies to ensure security and standards compliance. Regulators (governments) must clearly define standards for the testing body to use. Utilities and equipment manufacturers must participate in the development of these standards without bias. Leverage the process used by the Department of Defense to test and certify communications systems (Joint Interoperability Testing and Certification).

iv. Develop an anonymous reporting and discussion forum where utilities, manufacturers, government entities and possibly law enforcement authorities can exchange information and ideas freely without fear of recourse.

5 Conclusion

The cyber threats that we face today are very real and dangerous. We know that cyber-attacks like Night Dragon and Stuxnet will continue to occur as networked technologies are integrated with the power grid. We also know that new cyber vulnerabilities are emerging with increasing frequency. Overcoming these challenges will require the entire smart grid industry from utilities to equipment manufacturers to regulators to work together to form a secure end-to-end power grid. Having explained the challenges faced by three of the key players, we hope that our recommendations will generate more action across the industry at a minimum. Security is paramount and we are all responsible for ensuring it is sufficiently addressed to make the smart grid a reality.

Acknowledgement

Our research project was successfully completed with the efforts and guidance of numerous people from academia and industry alike. We would like to thank our project mentor, Jose Santos and advisor Prof. Stephen Barnes for all their time and valuable insights throughout every stage of our project. We had two amazing opportunities to speak with the chief Cyber Security advisor at the Department of Energy, Mr. William Hunteman and the Chief Security Officer at the National Energy Reliability Corporation (NERC) Mr. Mark Weatherford. Each provided volumes of important insight from multiple perspectives. They each provided some level of confirmation of conclusions that we have drawn throughout this paper. We would also like to thank Arun Gerra, Security Engineer at Alchemy Security, LLC for his inputs and industry perspective of smart grid security. Finally, we would like to take this opportunity to sincerely thank Prof. Tim Brown for all his patience and detailed guidance in completing this paper.

References

Bigger, J., & Willingham, M. (2005). Critical Infrastructure Protection in the National Capital Region. George Mason University.

Byres, E., Ginter, A., & Langil, J. (2011). White Paper: How Stuxnet Spreads. Multiple Cities: White Paper.

Cisco. (2010, April 3). Cisco Smart Grid Security Solutions. Retrieved April 4, 2011, from Cisco.com: http://www.cisco.com/web/strategy/docs/energy/CiscoSmartGridSecurity_solutions_brief_c22-556936.pdf

Cisco. (2010). Comments of Cisco Systems to Office of Electricity Delivery and Energy Reliability Department of Energy. San Jose: Cisco Systems.

Clements, S., & Kirkham, H. (2010). Cyber-security considerations for the smart grid. Power and Energy Society General Meeting, 2010 IEEE, (pp. 1-5). Minneapolis.

DoE. (2010). What a Smart Grid means to our Nations Future. Washington D.C.: U.S. Department of Energy.

EEI. (2010). RE: Smart Grid RFI: Addressing Policy and Logistical Challenges to Smart Grid Implementation. Washington D.C.: Edison Electric Institute.

GAO. (2011). Electricity Grid Modernization Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed. Washington D.C.: United States Government Accountability Office.

Greenfield, L. R. (2010). An Overview of the Federal Energy Regulatory Commission and Federal Regulation of Public Utilities in the United States. Washington D.C.: Associate General Counsel – Energy Markets 1 Office of the General Counsel Federal Energy Regulatory Commission.

Hunteman, W. (2011). Electric Sector and Smart Grid Cyber Security. Smart Grid Security East. Washington D.C.: U.S. Department of Energy.

Idaho National Laboratory. (2006, May). Control Systems Cyber Security: Defense in Depth Strategies. Retrieved from United States Computer Emergency Readiness Team: http://www.us-cert.gov/control_systems/practices/documents/Defense%20in%20Depth%20Strategies.pdf

Lee, A. (2011, January 11). NIST and the Smart Grid. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/cyber-md-summit/documents/presentations/nist-and-smart-grid_ALee.pdf

Leeds, D. J. (2010, February 10). The 2010 North American Utility Smart Grid Deployment Survey. Retrieved from GTM Research: http://www.gtmresearch.com/report/the-2010-north-american-utility-smart-grid-deployment-survey

Malcho, J., Harley, D., Rodionov, E., & Matrosov, A. (2010). Stuxnet Under the Microscope [White paper].

McAfee Foundstone Professional Services and McAfee Labs. (2011). Global Energy Cyberattacks: “Night Dragon” [White paper]. Retrieved from McAfee: http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

Mills, E. (2010, May 15). Money trumps security in smart-meter rollouts, experts say | InSecurity Complex - CNET News. Retrieved from Technology News - CNET News: http://news.cnet.com/8301-27080_3-20007672-245.html

Pike Research. (2010, February 4). Utilities to Invest $21 Billion in Smart Grid Cyber Security by 2015. Retrieved from Pike Research: http://www.pikeresearch.com/newsroom/utilities-to-invest-21-billion-in-smart-grid-cyber-security-by-2015

Smart Grid Request for Information and Public Comments. (n.d.). Retrieved from U.S. Department of Energy: http://www.oe.energy.gov/Smart Grid Request for Information and Public Comments.htm

Ten, W., Liu, C., & Manimaran, G. (2008). Vulnerability assessment of cybersecurity for SCADA systems. Power Systems. IEEE Transactions on Power Systems, 23(4), 1836-1846.

Wheatman, J. (2011, February 16). Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message. Retrieved from Gartner: www.gartner.com/DisplayDocument?id=1549927