Smart Grid Projects and Cyber Security in Brazil Conference

Smart Grid Projects, Privacy and Smart Meters Security Assessment in the Brazilian Scenario

José Reynaldo Formigoni Filho, MSc, Information and Communication Security Technology Manager, CPqD Foundation

Moacir Giansante, Supply Chain Director - Aptel

Post on 15-Apr-2017

Agenda

• Introduction: Brazilian Electric Sector

• Brazilian smart grid projects

• Privacy in smart grid

• Security assessment for smart meters

• Concluding remarks

CPqD Foundation – Campinas – SP - Brazil

Board of Trustees

Executive Board

Audit Committee

R&D Forum

Private Foundation

"Private company without shareholders"

Surplus reinvested

Corporate Governance

2015 Revenue: US$ 100 mi

Total: 1300

Main R&D areas

• Optical Communications

• IP Platforms

• Business and Operations Support Systems

• Communication and Information Security

• Sensor Technologies and Networks

• Services, Applications, Terminals and Digital Inclusion

• Decision Management

• Mobile Communications and Wireless Networks

• Smart Grid

Aptel

• Aptel is a non-profit association of utilities (electricity, oil, gas, railways and highways) which manage critical telecommunication systems for their core business.

Brazilian Electric Sector

• Population: ~204 mi

• Service coverage: more than 98% of the population

• Number of consumer units: 75 mi

• Regulated consumption: 463.335 GWh

• Per capita consumption: 2.557 kWh/year

Brazilian Electric Sector

• The Electric System National Operator is a private-law entity responsible for coordinating and controlling the operation of generation and transmission facilities in the National Interconnected Power System (NIPS)

• It operates under the supervision and regulation of the Electric Energy National Agency (ANEEL).

Brazilian Electric Sector

• Generation companies: 146

• Distribution companies: 55

• Transmission companies: 104

Brazilian Electric Energy Matrix and Capacity

Power (MW) - total capacity 134,3 GW

Source Power (MW) Share
Hydroelectric 89.385 67%
Thermoelectric 37.821 28%
Thermonuclear 1.990
Wind 5.139

Public policies to encourage Smart Grid Projects: Aneel R&D Fund

• Electric power distribution, generation and transmission companies should apply a minimum percentage of their net operating income every year in the R&D Program for the Electric Power Sector;

• Aneel establishes guidelines and instructions that regulate the elaboration of R&D projects

• The percentages to be invested from the net operating income:

Segment %
Distribution 0,20%
Generation 0,40%
Transmission 0,40%

Public policies to encourage R&D investments - Aneel R&D Fund

Year Number of projects Value (US$ mi)
2009 226 154,50
2010 569 821,59
2011 462 500,00
2012 489 769,23
2013 180 348,84
Total 1926 2.594,16

* Aneel – Relatórios de Gestão do Exercício 2009-2013

Innovate National Energy Plan

• Sponsors: Aneel, BNDES (Brazilian Development Bank), FINEP (Financier of Studies and Projects – state institution)

• One of the main subjects: support the development and diffusion of electronic and microelectronic devices, systems, integrated solutions and standards for the implementation of smart grids in Brazil.

• Total value: US$ 1,1 bi (from 2013 to 2017), of which only US$ 44 mi is 100% subsidy

• Beneficiaries: power companies, suppliers of equipment and systems, and R&D centers

• 59 projects were approved in the first phase

Brazilian Smart Grid Projects*

• Total number of power companies involved in SG projects:

• Generation: 21

• Transmission: 7

• Distribution: 34

• Number of projects: 273 from 2008 to 2013

• Total investment: ~US$ 575 mi

• The 10 most important projects:

* Mapeamento da Cadeia Fornecedora de TIC e de seus produtos e Serviços para Rede Elétricas Inteligentes – ABDI – julho 2014

Brazilian Smart Grid Projects *

Smart Grid sub-areas:

• AMI – Advanced Metering Infrastructure

• DA – Distributed Automation

• DG – Distributed Generation

• Telecom

• IT – Information Technology

• IB – Intelligent Building

Smart Grid areas:

• DSD – Distributed Storage Systems and Batteries

• EVH – Electric vehicles, hybrids and charging systems

• CMS – Customer Management System

• DEMO – Pilot Projects

• Others

[Chart: quantity of projects and quantity of companies per area (AMI, DA, DG, DSD, EVH, Telecom, TI, IB, CSM, Others)]

Brazilian Smart Grid Projects – suppliers at power companies*

[Chart: quantity of power companies per supplier]

Brazilian Smart Grid Projects – Universities and R&D centers at power companies*

[Chart; vertical axis: quantity of power companies]

Brazilian Smart Grid Projects*

• Information security is not a priority in the Brazilian smart grid projects

• Fewer than 10 projects have considered Information Security (IS) activities

• Only one project is 100% focused on Information Security

Cemig Smart Meter Project

• Power company: CEMIG

• A publicly traded company controlled by the Government of the State of Minas Gerais

• Cemig is responsible for supplying nearly 33 million people in 805 municipalities in the states of Minas Gerais and Rio de Janeiro (including Light), and for the management of the largest electric energy distribution network in South America

• Name: Cities of the Future

• Budget: US$ 20 mi

• City: Sete Lagoas

• Number of consumer units: 5000

• Duration: 2011 - 2014

Cemig Smart Meter Project

Technological scope

• Measurement of consumption of the Consumer Units

• Distributed Automation

• Distributed Generation

• Telecommunication

• Information technology

• Georeferencing

Strategic scope

• Regulatory

• Communication and Relationships with Consumers

• Privacy

• Process

• Indicators and Metrics.

Cemig Smart Meter Project - Privacy

The main privacy activities of the project:

1. Customer data privacy: studies of contextualization

2. Development of a Methodology of Privacy Protection

3. Recommendations on privacy for the smart grid elements: smart meter and telecom infrastructure

4. Recommendations on privacy in the Smart Grid environment: call center and MDM/AMI

5. Consumer Data Privacy - guidance manual for employees of Cemig

6. Recommendations for creating a Privacy Policy for Cemig

Customer data privacy: Studies of contextualization

• Smart Grid Environment

• Best Practices

• Legal and regulatory framework

Customer data privacy: Project scope

• Customer Environment: Smart Meters

• Telecom Network Environment: Telecom Infrastructure, MAN architecture and network elements

• Power Company Environment: Systems (HW and SW), IS policies, processes and people; MDM - Meter Data Management

Deployment of smart meters in Brazil – our reality

• In August 2012, ANEEL approved a resolution which states that energy distributors will have to install electronic meters for all consumers who choose the time-of-use billing program by January 2014.

• It was the first step by the Brazilian Government to replace the electromechanical meters.

• Fraud average: 5,6%

The main threats in Brazil – Energy usage frauds

• Many frauds are related to the electromechanical meters currently in use in Brazil

• There are also records of fraud related to other new electronic devices, for instance pay TV

• It is possible to infer that the new smart meter devices to be used in Brazil will further increase the current level of fraud

Security assessment for smart meter – Project Overview

• Name: R&D in security assessment for smart meters

• Client:

• Sponsor: Aneel R&D Fund

• Period: from September 2012 to December 2014

• Totally executed by CPqD Foundation

• Number of clients: 2.4 mi

• 8th biggest power company in Brazil

• Number of cities: 228

Security assessment for smart meter – Project Overview

Subjects:

• Investigate different brands and types of smart meters available in the market

• Run tests for checking security requirements

• Assess potential impacts

• Build two labs specialized in security evaluation of smart meters and homologation

Security assessment for smart meter

• Goal 1: Methodology for security assessment

• Goal 2: Smart Meter Cyber Security Laboratory Deployment

• Goal 3: Security analysis and tests of smart meters

Security Assessment for Smart Meters:

• State of the art survey for smart meters security

• Specification of the test environment

• Development of the security assessment methodology for smart meters

• Security test

• Implementation of a Smart Meter Security Training Platform

• Laboratory deployment

• Laboratory operation

• Knowledge and technology transfer

• Homologation test

Security requirements - references

• There are international standards related to security requirements:

• OIML D31 - General requirements for software controlled measuring instruments, 2008.

• NIST 7823* - Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework, July 2012

• This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI**

• The Brazilian standard:

• Instituto Nacional de Metrologia, Qualidade e Tecnologia – INMETRO. RTM 586 - Regulamento Técnico Metrológico – 2012: addresses metrologically relevant software security aspects of the smart meters.

* National Institute of Standards and Methodology

** NEMA – National Electrical Manufacturers Association

*** INMETRO – Instituto Nacional de Metrologia

Hardware security requirements

• Unprotected interface

• Hardware anti-tampering mechanisms

• Hardware integrity checking

• Hardware backdoors

• Hardware anti-reverse engineering

Software security requirements

List of requirements:

1. Authentication

2. Authorization

3. Log registers

4. Software fault detection

5. Secure data storage (protection against unauthorized access - privacy of measurement data and other data, cryptographic key protection, etc.)

6. Safe boot

7. Cryptography support (for secure transmission and other services)

8. Firmware authenticity

9. Firmware integrity

10. Firmware protection

11. Safe firmware update

12. Integrity of stored and transmitted data

13. Authenticity of transmitted data

Security assessment methodology for smart meter

• Goal 1: Methodology for security assessment

• Goal 2: Smart Meter Cyber Security Laboratory Deployment

• Goal 3: Security analysis and tests of smart meter

Security Assessment for Smart Meters:

• State of the art survey for smart meter security

• Specification of the test environment

• Development of the security assessment methodology for smart meter

• Security test

• Implementation of a Smart Meter Security Training Platform

• Laboratory deployment

• Laboratory operation

• Knowledge and technology transfer

• Reliability test

Security assessment methodology for smart meter

Main subjects:

• Security approach: Perform standard security assessments for different types of smart meters used by the Brazilian power companies.

• Homologation approach: Check if the smart meter is in compliance with the standard from Inmetro called RTM 586 (Regulamento Técnico Metrológico – Inmetro)

Steps of the methodology

1. Scope definition

2. Context definition

3. Smart meter technical description

4. Threats identification and analysis

5. Risk analysis

6. Implementing security tests

7. Implementing homologation tests

8. Elaboration of the reports

Test results

• Number of smart meters tested: 8

• Number of manufacturers: 6

• The tests were performed in the Smart Meter Security Assessment Laboratory at CPqD. A subset of these tests was performed at Elektro's lab.

• SW and HW vulnerabilities were found in 100% of the smart meters

Concluding remarks (1/2)

• In recent years a lot of money has been invested in many Smart Grid projects in Brazil, most of them requested by electric power companies using the Aneel R&D fund

• Participants of these projects: electric power companies, suppliers (equipment and systems), R&D centers and universities

• CPqD has participated as a leader in some important projects (CEMIG, Light and Eletrobrás)

• Most electric power companies do not prioritize information security in smart grid projects: less than 5% of the total

• Privacy is a real and important threat for companies which are deploying smart grids, and they need to develop methodologies to mitigate the risks

Concluding remarks (2/2)

• Smart meters are frequently built without any security requirements in mind.

• 100% of the smart meters tested had HW and SW vulnerabilities

• Smart meters are made of electronic components and encompass different types of technologies, protocols, and embedded systems.

Security of Embedded Systems

Embedded system security: much more dangerous and costly than traditional software vulnerabilities

Questions ?

www.cpqd.com.br

Thank You!

José Reynaldo Formigoni Filho

Information and Communication Security Technology Manager

CPqD Foundation

Tel.: +55 19 3705-7121 / Fax: +55 19 3705-6833

Cel.: +55 19 99838-2321
