Smart Grid for the CSO

© 2009 Jack Danahy October, 2009 Smart Grid for the CSO Jack Danahy Co-Author : The Smart Grid Security Blog


DESCRIPTION

Presentation introduces Chief Security Officers (CSO's) and others with responsibility for protecting companies and their customers to what they need to know about the coming Smart Grid

TRANSCRIPT

1. Smart Grid for the CSO. Jack Danahy, Co-Author: The Smart Grid Security Blog. October, 2009

2. Agenda

  • Setting the Stage
  • Drivers for an Evolution in Grid infrastructure
  • Introducing the Smart Grid
  • Smart Grid Risks
  • Common Smart Grid Elements and Implications
  • Growing Resources for Smart Grid Content
  • A Simple Smart Grid Checklist
  • Conclusion and Questions

3. Who would recognize their brainchild? Alexander Graham Bell, Father of the Telephone Network. Thomas Alva Edison, Father of the Grid (and snappy dresser)?

4. Would today's phone system ring a bell?

  • Independent providers of services to individual consumers
    • International, regional, national, and local carriers
    • Multiple devices/lines/types per household/business
  • Configurable value-added services
    • Voicemail
    • Text messaging
    • Variable pricing
    • Cell phone as multimedia content-delivery platform
  • Heterogeneous transmission media
    • Traditional copper
    • Cellular
    • VOIP
    • Fiber optic
  • Market-based competition on rates/services/satisfaction

(Images: "then" and "now", courtesy mgraves.org)

5. Grid changes would be much less shocking

  • Major Generation Platforms
    • Power producers
  • Transmission and Distribution Networks and Infrastructure
    • Power management
    • Load balancing and predicting
    • Outage and fail-over protections
  • Regional Regulated Utilities
    • Power to homes/businesses
  • Technology-enabled
    • Not technology-driven

(Images: "then", "now", "same", courtesy www.blackhillsenergy.com/customers/lingo/)

6. While the usage profile has changed completely

  • Consumption has risen drastically
  • Power quality has become a big issue
  • Power pricing has stabilized
  • A majority of new technologies require substantial additional power
  • There is no slackening of consumption in sight

7. What's wrong with that?

  • The Brittle Grid
    • Grid element Interdependence produces cascading failures
  • Volatility in Energy
    • Costs vary widely for generation fuels
    • Regional conflicts impact fuel price and supply
    • Political pressure to decrease reliance on foreign sources
  • Growing Environmental Impacts
    • Carbon emissions facing public scrutiny and federal/international regulation
    • Increases in traditional generation facilities face local resistance
  • Customer Dissatisfaction
    • Seeking information and flexibility
    • Creating opportunities for new services, revenue, and products

(Image: Northeast Blackout 2003, courtesy NOAA)

8. Who wants what? A Bidirectional Network

A Smarter Infrastructure creates a new generation of Prosumers, producing and consuming energy in a balanced and equitable system to the benefit of customers and utilities alike.

Customers

  • Demand more information about use and efficiency
  • Are more environmentally sensitized to energy use
  • Want more control over usage rates and schedule
  • Will generate power to sell back to the grid
  • Demand involvement in the evolution of the grid

Utilities

  • Must reduce the cost to serve and support customers
  • Are driven to adapt to new technologies
  • Must meet new expectations for services
  • Seek to monetize deployment of new energy services
  • Experiencing massive operations transformation

9. A Smarter Grid IS coming: market forces demand it

  • Expectations of Financial Markets
  • Regulatory & Policy Changes
  • Technological Advancements
  • Customer Expectations
  • Aging Assets & Workforce Dynamics
  • Volatile Energy / Fuel Costs
  • Security
  • Environment & Climate

10. So what is a Smart Grid?

  • A future power delivery grid that meets the needs of the next generation of Americans:
    • Enable active participation by consumers
    • Accommodate all generation and storage options
    • Enable new products, services and markets
    • Provide power quality for the range of needs in a digital economy
    • Optimize asset utilization and operating efficiency
    • Anticipate and respond to system disturbances in a self-healing manner
    • Operate resiliently against physical and cyber attacks, and natural disasters

11. What does a Smart Grid look like? (Img courtesy: www.smartgrid.epri.com)

12. The Smart Grid is NOT without risks

  • Risk to Critical Infrastructure
    • Inconsistent information sharing and collaboration among stakeholders
    • Private sector controls over 90% of critical infrastructures
    • High degree of social, economic dependence on digital systems
    • Deperimeterization and new customer touch points into networks
    • Uneven application of security engineering to increasingly complex systems
    • Growing capability of adversaries and growing number of exploits

13. Security challenges from/for the new Smart Grid

  • Complexity : As systems are added and increase functionality, security is more difficult to address
  • Connectivity : Increasing connection to previously isolated systems and networks expands the threat surface
  • Internetworking : Connections between networks permit more rapid spread of any corruption or breach
  • Communications Dependency : Reliance on networking technologies introduces new risk based on network stability
  • Confidentiality : Critical and sometimes private data drives the smart in Smart Grid, creating a new area of concern

14. Where are specific areas of concern? (Img courtesy: www.smartgrid.epri.com)

  • System security
    • Vulnerable software
    • Lack of access control
    • Mis-configuration of options
  • Data Vulnerability
    • Weak/No encryption
    • Inappropriate storage
    • Installation of malcode
  • Potential Fraud
    • Invalid credentials
    • Weak authorization
    • Insufficient tamper protection
  • Downtime
    • Denial of service risk
    • System corruption

15. Thus there are multiple scenarios to plan for

  • Axes: External Threat / Insider Threat, Accidental Event / Intentional Event
  • Scenarios to consider:
    • Malware
    • Denial of service
    • Sophisticated, organized attacks
    • Natural disasters
    • Economic upheaval
    • Changing Political Climate
    • Unpatched systems
    • Code vulnerability
    • Lack of change control
    • Human error or carelessness
    • Undiscovered back doors
    • Information theft
    • Insider fraud

16. Issues and Items to Understand: Terms, Technologies, and Tough Questions

17. Smart Meters

  • Legacy power meters were simple
    • Mechanical devices
    • Displayed a rolling record of usage
    • Read by roaming utility personnel
  • Smart meters are more functional
    • Additional sensors monitor for, and send notification of, outages, power quality, temperature, etc.
    • Tag readings with time/date/location
    • Can communicate wirelessly to aggregation points or to remote readers
    • Ordinarily one-way communication outbound
  • You should know where and how Smart Meters will be deployed

18. Advanced Metering Infrastructure (AMI)

  • Advanced Metering Infrastructure (AMI) includes hardware, software, communications, customer associated systems and meter data management (MDM) software
  • AMI Meters support two-way communications and conform to AMI standards
  • You must know:
    • Where and how are you using AMI meters?
    • What kinds of data and/or control are you passing to and receiving from the utilities?
    • Which products and services companies are involved in this AMI implementation?
    • Have the components been tested for security?
    • Are you protected from eavesdropping and attack?

(Img courtesy: http://seclab.uiuc.edu)

19. Net Metering (Img courtesy cr.middlebury.edu)

  • Net Metering refers to the net result of considering the production and consumption of electrical power by an organization or a building
    • Meaning "what remains after deductions" ... the deduction of any energy outflows from metered energy inflows
    • Under net metering, system owners receive credit for the electricity they generate
  • Home or small business power generation generally includes: solar, wind, fuel cell and micro co-generation (MCG) or Micro combined heat and power (MCHP)
  • You need to know whether your organization is going to invest in power generation to create positive net metering

(Image: provided vs. generated power and $$ cost, courtesy hilaroad.com)

20. Demand Management

  • Demand Management refers to the proactive reduction of power demand during periods when energy-supply systems are constrained
    • This does not necessarily decrease total energy consumption; it time-shifts it
    • Can reduce costs for participants
    • Reduces the need for additional power generation
  • Companies participate in order to achieve savings through reduced consumption during mutually agreed periods
  • You must know:
    • How will the systems be configured to comply with the expected reductions in service?
    • How have the management systems been secured against corruption or inadvertent reductions in power?
    • Who will be empowered to reduce available power?

(Image: a peak period between two off-peak periods)

21. Energy Storage

  • Energy Storage is a critical enabler of the Smart Grid capability to integrate renewable power
    • Existing grid is a just in time/use it or lose it system
    • Many renewables are variable (wind/no wind, sun/no sun) and storage smooths the cycle
  • Energy storage technologies are arriving:
    • Battery arrays
    • Compressed air, flywheels, pumped water systems
    • V2G automobiles
  • You need to know:
    • How much storage will be in place to support power requirements?
    • How is that storage managed and controlled?
    • Who has access to the systems controlling and monitoring the storage functions?

(Img courtesy upei.ca)

22. Microgrids

  • Microgrids are small-scale power supply and consumption units
    • Generating sufficient or nearly sufficient power for use in served community
    • Connected to traditional power infrastructure for back-up and for surplus power trade
  • Organizations, campuses, bases, and small communities can be served via Microgrid
  • You must know:
    • The security of components and control systems that will manage and monitor the microgrid
    • The nature of data sharing/interconnect with other Microgrids, Smart Grids, or traditional utility control elements

(Img courtesy of ieses.fsu.edu)

23. Groups and resources to know

  • FERC : http://www.ferc.gov
    • Federal Energy Regulatory Commission - Assist consumers in obtaining reliable, efficient and sustainable energy services at a reasonable cost through appropriate regulatory and market means
  • NERC : http://www.nerc.gov
    • North American Electric Reliability Corporation - Enforces reliability standards with all U.S. users, owners, and operators of the bulk power system. Owns responsibility for Smart Grid security standards
  • NIST : http://www.nist.gov/smartgrid
    • National Institutes of Science and Technology Smart Grid working group. Responsible for creating recommendations for security and interoperability of the Smart Grid
  • DOE : http://www.oe.energy.gov/smartgrid.htm
    • Department of Energy Office of Electricity and Reliability Driving Smart Grid development and direction
  • Gridwise Alliance : http://www.gridwise.org
    • Gridwise Alliance Industry group working on cooperative evolution of the Smart Grid
  • Smart Grid News
    • http://smartgridnews.com
  • National Demand Response Potential (FERC)
    • http://www.ferc.gov/legal/staff-reports/06-09-demand-response.pdf
  • NIST Draft Smart Grid Interoperability Standards
    • http://www.nist.gov/public_affairs/releases/smartgrid_interoperability.pdf
  • 21 Steps to Improve Cyber Security of SCADA Networks
    • http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
  • A Systems View of the Modern Grid, Appendix 3
    • http://www.netl.doe.gov/moderngrid/docs/ASystemsViewoftheModernGrid_Final_v2_0.pdf
  • NERC Memo on Critical Cyber Asset Identification
    • http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-040609.pdf

24. Where to begin, a checklist.

  • Manage Identities and Access: Create processes for ensuring appropriate access control to planned strategic energy management and monitoring systems
  • Protect Data and Information: Ensure capability for granular protection of unstructured & structured data, data leak prevention and acceptable use policy monitoring
  • Control Software and Application Releases: Process for assuring security, efficiency and integrity of any custom or contracted software development
  • Manage Change and Configuration: Mandate regular process for routine, emergency and out-of-band changes that will minimize or prevent operational outages
  • Understand and Address Threats and Vulnerabilities: Continually monitor systems and expert resources to remain informed on protection for enterprise infrastructure for new and emerging threats
  • Implement Security Information and Event Management: Automate the process of auditing, monitoring and reporting on security and compliance posture across the enterprise
  • Manage Problems and Incidents: Designate responsibility and ownership for any issues in security, reliability, or power quality, and their investigation. Maintain a trained event forensics team or create a relationship with an expert provider
  • Attain visibility into organizational power strategy: Develop and maintain risk profiles and lists of potential and planned partners and technology acquisitions
  • Provide Security Training & Ensure Awareness: Ensure awareness of security issues in power and power facilities by providing consistent training to end users and operators

25. The Smart Grid IS coming. Get Ready

26. Questions? Jack Danahy, Co-Author: The Smart Grid Security Blog, smartgridsecurity.blogspot.com, [email_address]