Smart Grid Security Overview and Challenges

The document discusses security risks to smart grids. It describes several types of security attacks including physical attacks, cyber attacks, and denial of service (DoS) attacks. Specifically, it notes that DoS attacks work to overwhelm systems with packets while distributed DoS (DDoS) attacks coordinate multiple compromised systems to launch a widespread attack. The document also outlines security challenges for smart grids including harsh environments, unmanned field sites, integration of IT and operational technology networks, and use of fragile system devices.

Uploaded by

Abdul Haseeb

EE530 Smart Grid

Lecture 04
Smart Grid Security

Dr. Muhammad Tariq


Assistant Professor
Department of Electrical Engineering
FAST-NUCES Peshawar Campus
Overview of The Smart Grid
Smart Grid Overview (contd.)
[Figure: "System and Network" diagram; its contents are not recoverable from the text]

Dr. M. Tariq, EE530 Smart Grid, Lecture 04


Smart Grid Objectives (revision)

1. Self-healing
2. Empowers and incorporates the consumer
3. Resilient to physical and cyber attacks
4. Provides power quality needed by 21st century users
5. Accommodates a wide variety of generation options
6. Fully enables maturing electricity markets
7. Optimizes assets

Source: The US National Energy Technology Laboratory


Overview of Existing Power Grid
[Figure: end-to-end view of the existing grid. Domains left to right: Power Generation, Power Transmission Grid, Power Distribution Grid, Power Consumption (Customer Premises). Control/Operations Centers sit above a System & Network layer and the Communications Networks. Components shown: Power Plant, Field Devices, Substations, Meter, Loads, Smart Meter, Customer, Microgrids (Wind Energy, Solar Energy), Non-renewable Energy, Electric Vehicle.]

Smart Grid Communication Infrastructure
Layer Architecture of Smart Grid
[Figure: layered communication architecture. The Control Center (System & Network) connects over a Wireless or Wired Backhaul to a Base Station and a Concentrator / Data Aggregation Point (DAP), which serves the Smart Meters and Home Smart Devices. Tiers: Wide Area Network (WAN), Neighbor Area Network (NAN), Home Area Network (HAN); PLC links are shown at each tier over the same generation/transmission/distribution/consumption domains as the previous figure.]
Smart Grid Communication Infrastructure (contd.)
SGCN is a three-tier network:
• WAN (distribution) → miles
• NAN (metering) → meters
• HAN (consumer) → feet
Key Security Concepts Associated with Our Power System
• For power systems, keeping the lights on is the primary focus.
• Therefore the key security requirements are Availability and Integrity, not Confidentiality (AIC, not CIA), contrary to the CIA ordering assumed for the SGCN.
• Encryption, by itself, does not provide security.
• Security threats can be deliberate attacks OR inadvertent mistakes, failures, and natural disasters.
• The most dangerous “attacker” is a disgruntled employee who knows exactly where the weaknesses are easiest to breach and could cause the worst damage.
Key Security Concepts Associated with Our Power System (contd.)
• Security solutions must be end-to-end to avoid “man-in-the-middle” attacks or failed equipment from causing denial of service.
• Security solutions must be layered, so that if one layer is breached, the next will be there. Security is only as strong as its weakest link.
• Security will ALWAYS be breached at some time – there is no perfect security solution. Security must always be planned around that eventuality.
• Security measures must balance the cost of security against the potential impact of a security breach.


Types of Security Attacks on the Smart Grid
1. Physical attacks
2. Cyber attacks
3. Component-based attacks
4. IP-based attacks
Physical attack

exists when a criminal physically attacks grid components


People Issues
• SG network often managed by “Power and Control Systems Department”, distinct from “IT Department” running enterprise network
– Power personnel are not IT or networking experts
– IT personnel are not SGCN experts
• Majority of power systems workforce is older and nearing retirement
– Few young people entering this field
– Few academic programs
Harsh Environments

• Temperature
• Vibration
• Dust
• Humidity
• Electrical transients
Unmanned Field Sites

• Many unmanned field sites
• Many with dialup access
• Some with high-speed connectivity to control center
• Most with poor authentication and authorization – a backdoor to the control center!
Cyber-attack

exists when accessible information gets attacked, causing a compromise to the controller or appliances at distribution/generation or the control center

Cyber-attack Risks: Smart Grid Cyber Security Drivers
[Figure: the drivers below feed into an increased attack surface and increased risk to operations]
• Increasing interconnection and integration
• New 2-way systems (e.g. AMI)
• Increasing use of new hardware and software
• New customer touch points into utilities
• Control systems not designed with security in mind
• Increasing number of systems and size of code base
→ Increased attack surface → Increased risk to operations
Denial of Service (DoS)
• Attacker consumes the maximum bandwidth of the victim, denying others the ability to be served.
• This was done mainly by using simple methods: ping floods, SYN floods and UDP floods.
[Figure: bad guy → compromised host → victim, with third parties affected]
• These attacks had to be "manually" synchronized by a lot of attackers in order to cause effective damage.
Distributed Denial of Service (DDoS)
• Hundreds or thousands of computer systems across the Internet can be turned into “zombies” and used to attack another system.
[Figure: bad guy → master agent → slave agents (zombies, bots) on owned hosts → victim(s), with third parties affected]
DoS and DDoS Attacks

• DoS attack overwhelms a system with too many packets/requests
– Exhausts TCP stack or application resources
– Defenses include connection limits in firewall
• DDoS attack coordinates a botnet to overwhelm a target system
– No single point of attack
– Requires sophisticated, coordinated defenses
– Weapon of choice for hackers, hacktivists, cyber-extortionists
DoS and DDoS are particularly lethal in systems where availability is critical, i.e. they strike directly at the primary security requirement of a power system.
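As an added example (not from the lecture), the per-source connection limit named above as a firewall defence, run against two constructed floods: it throttles a single-source SYN flood, but a distributed flood in which every zombie stays under the limit passes straight through, which is why DDoS needs coordinated defences beyond the firewall. The rate, burst size, victim capacity and addresses are assumptions.

```python
from collections import defaultdict


class PerSourceLimiter:
    """Token bucket per source address: `rate` new connections per second,
    bursting up to `capacity`. This is the 'connection limit' a firewall applies."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens = defaultdict(lambda: float(capacity))
        self.last_seen = {}

    def allow(self, src: str, now: float) -> bool:
        # Refill this source's bucket in proportion to the time since its last packet.
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.capacity, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def run_flood(limiter: PerSourceLimiter, events) -> tuple:
    """Feed (time, source) connection attempts through the limiter; return (accepted, dropped)."""
    accepted = dropped = 0
    for t, src in events:
        if limiter.allow(src, t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def single_source_flood(n: int = 1000):
    """Constructed DoS: n SYNs from one host spread evenly over one second."""
    return [(i / n, "203.0.113.7") for i in range(n)]


def distributed_flood(n: int = 1000):
    """Constructed DDoS: n zombies, each sending a single SYN within the same second."""
    return [(i / n, f"10.0.{i // 256}.{i % 256}") for i in range(n)]


def victim_overloaded(accepted: int, backlog: int = 256) -> bool:
    """Assumed victim capacity: it can service at most `backlog` new connections per second."""
    return accepted > backlog


if __name__ == "__main__":
    for name, flood in (("single-source", single_source_flood()), ("distributed", distributed_flood())):
        ok, dropped = run_flood(PerSourceLimiter(rate=5, capacity=20), flood)
        print(f"{name}: accepted={ok} dropped={dropped} overloaded={victim_overloaded(ok)}")
```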
Fragile System Devices

• Many IP stack implementations are fragile
– Some devices lock up on a ping sweep or NMS scan
– Numerous incidents of systems shut down by uninformed IT staff running a well-intentioned vulnerability scan
• Modern system devices are much more complex
– Some IEDs include a web server for configuration and status
– More lines of code leads to more bugs
– Open ports
– Modern IEDs require patching just like servers
Unpatched Systems

• Many systems are not currently patched
– Particularly Windows servers
– No patches available for older versions of Windows
• Operating System (OS) and application patches can break the SGCN
– OS patches are tested against enterprise apps
• Uncertified patches can invalidate warranty
• Patching often requires system reboot
• Before installation of a patch:
– Vendor certification – typically one week
– Lab testing by operator
– Staged deployment on less critical systems first
– Avoid interrupting any critical process phases
Limited use of Host Anti-Virus (AV)

• AV operations can cause significant system disruption at inopportune times
– 3am is no better than any other time for a full disk scan on a system that operates 24x7x365
• SGCN vendors are only beginning to support AV
– AV is only as good as the signature set
– Signatures may require testing just like patches
• AV may be losing ground in enterprise deployments
– Impact on hosts; endpoint security not getting better
– Virus writers have learned to test against dominant AV
• Application whitelisting can be a good alternative
– Enumerate goodness rather than badness
Poor Authentication and Authorization

• Machine-to-machine comms involve no “user”
• Many SG systems have poor authentication mechanisms and very limited authorization mechanisms
• Many protocols use clear text passwords
• Many devices lack crypto support
• Sometimes passwords left at vendor default
• Device passwords are hard to manage appropriately
– Often one password is shared amongst all devices and all users and seldom if ever changed
– This is happening AGAIN in Smart Meter deployments!
Poor Audit and Logging

• Many SGCN have poor or non-existent support for logging security-related actions
– Attempted or successful intrusions may go unnoticed
• Where IDS logs are kept, they are often not reviewed
• Various regulatory requirements are driving some change in this area
Legacy Equipment

• Much legacy equipment
• Usually impossible to update to add security features
• Difficult to protect legacy communications
– but see IEEE P1711 for serial encryption
• Password protection is weak
• Little or no audit and logging
Unauthorized Applications

• Unauthorized apps installed on SGCN systems can interfere with SGCN operation
• Many types of unauthorized apps have been found during security audits
– Instant messaging
– P2P file sharing
– DVD and MPEG video players
– Games, including Internet-based
– Web browsers
Inappropriate Use of Systems as Desktops
• Web browsing from HMI can infect systems
– Browser vulnerabilities
– Downloads
– Cross-site scripting
– Spyware
• Email to/from control servers can infect system
– Sendmail and Outlook vulnerabilities
• Disk storage exhaustion can crash OS
– Storage of music, videos
Little or No Cyber Security Monitoring

• Internal monitoring is essential to detect low-profile compromises
– Intrusion Detection System (IDS)
– Port scanning
– Vulnerability scanning
– System audit
• Without internal monitoring you don’t know whether systems have been compromised
Requirement for 3rd Party Access

• Firmware updates and PLC, IED programming are sometimes done by vendor
– Many systems have open maintenance ports
– Infected vendor laptops can bring down system
• Partners may require continuous status information
– Partner access is often poorly secured
– Partner channels can serve as backdoors
• 3rd parties may include:
– ISO, transmission provider or grid neighbor, equipment vendor, emissions monitoring service or agency, water level monitoring agency, vibration monitoring service, etc.
Other Issues
• Unusual physical topologies
• Many special purpose, limited function devices
• Static network configurations
• Multicast
• Long service lifetimes
Component Based Attacks
SCADA Attacks
• Internal attacks
– Employee
– Contractor
• External attacks
– Non-specific: malware, hackers
– Targeted
– Special knowledge: former insider
– No special knowledge: hacker, terrorist
– Natural disaster
– Manmade disasters
SCADA vulnerability points

• Unused telephone line – war dialing
• Use of removable media – Stuxnet
• Infected Bluetooth-enabled devices
• Wi-Fi-enabled computer that has an Ethernet connection to the SCADA system
• Insufficiently secure Wi-Fi
• Corporate LAN/WAN
• Corporate web server, email servers, Internet gateways

2/13/2017
Cyber Attacks on SCADA

• Web server or SQL attacks
• Email attacks
• Zombie recruitment
• DDoS attacks
Overview of Cyber Security – Threats
[Figure: attack path from the Internet, through an account operator's PC, to the SCADA Master DB, Slave Database and an RTU]
1. Hacker sends an e-mail with malware.
2. E-mail recipient opens the e-mail and the malware quietly gets installed.
3. Using the information that the malware gets, the hacker is able to take control of the e-mail recipient’s PC!
4. Hacker performs an ARP (Address Resolution Protocol) scan.
5. Once the Slave Database is found, the hacker uses the SQL EXEC command.
6. Performs another ARP scan.
7. Takes control of the RTU.
Example from 2006 SANS SCADA Security Summit, INL
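The INL chain above is exactly the kind of low-profile compromise the earlier slides on poor audit and logging and on cyber security monitoring say goes unnoticed without internal monitoring. As an added example (not from the lecture), a small correlation rule replays that chain against constructed log lines: an ARP scan from a workstation, then a database EXEC from the same host, then traffic to an RTU protocol port. The log format, addresses and port numbers are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (assumed format) merged from a network sensor, the
# SCADA database and the interior firewall. 10.1.0.77 is the compromised
# operator PC; 10.1.0.12 is an engineering workstation doing legitimate work.
SAMPLE_LOG = [
    *(f"2017-02-13T03:12:{i:02d} arp who-has 10.1.0.{100 + i} tell 10.1.0.77" for i in range(12)),
    "2017-02-13T03:12:20 arp who-has 10.1.0.9 tell 10.1.0.12",
    "2017-02-13T03:12:40 db exec src=10.1.0.12 stmt=EXEC_report_job",
    "2017-02-13T03:13:05 db exec src=10.1.0.77 stmt=EXEC_shell_command",
    *(f"2017-02-13T03:14:{i:02d} arp who-has 10.1.5.{i} tell 10.1.0.77" for i in range(10)),
    "2017-02-13T03:15:31 fw allow src=10.1.0.77 dst=10.1.5.9 dport=20000",
]

ARP_RE = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
DB_RE = re.compile(r"^(\S+) db exec src=(\S+)")
FW_RE = re.compile(r"^(\S+) fw allow src=(\S+) dst=(\S+) dport=(\d+)$")
RTU_PORTS = {20000, 502}  # assumed DNP3 and Modbus/TCP listener ports on the RTUs


def correlate(lines, scan_threshold: int = 8):
    """Return alerts (timestamp, source, message) for hosts that climb the
    scan -> database EXEC -> RTU-port chain. Stage is tracked per source host;
    a production rule would also bound the time allowed between stages."""
    probed = defaultdict(set)   # src -> distinct addresses it ARP-scanned
    stage = defaultdict(int)    # src -> highest stage reached so far
    alerts = []
    for line in lines:
        if m := ARP_RE.match(line):
            ts, target, src = m.groups()
            probed[src].add(target)
            if stage[src] < 1 and len(probed[src]) >= scan_threshold:
                stage[src] = 1
                alerts.append((ts, src, f"ARP scan: {len(probed[src])} hosts probed"))
        elif m := DB_RE.match(line):
            ts, src = m.groups()
            if stage[src] == 1:   # EXEC alone is routine admin work; after a scan it is not
                stage[src] = 2
                alerts.append((ts, src, "SQL EXEC issued by a host that just ARP-scanned"))
        elif m := FW_RE.match(line):
            ts, src, dst, dport = m.groups()
            if stage[src] == 2 and int(dport) in RTU_PORTS:
                stage[src] = 3
                alerts.append((ts, src, f"RTU protocol traffic to {dst}:{dport} after SQL EXEC"))
    return alerts


if __name__ == "__main__":
    for ts, src, msg in correlate(SAMPLE_LOG):
        print(ts, src, msg)
```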
Overview of Cyber Security – Threats
[Figure: “The Active Attacker” – an attacker performs cyber penetration of the communications network (WAN), takes control of the head end / AMCC (Advanced Metering Control Computer) and issues a remote disconnect over the AMI WAN; Meter Data Management Systems (MDM/R), retailers and 3rd parties are also connected to the AMI WAN]
Example from AMRA Webinar, Nov ’06, “The Active Attacker”
Protocol based Attacks
• All protocols run on top of the IP protocol, and IP has its own set of weaknesses
• DNP3 implements TLS and SSL encryption which is weak
• The protocol is vulnerable to out-of-order, unexpected or incorrectly formatted packets
• A significant weakness for IEC 61850 is that it maps to MMS (Manufacturing Message Specification) as the communications platform, which itself has a wide range of potential vulnerabilities
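The slide says DNP3 is vulnerable to out-of-order, unexpected or incorrectly formatted packets. As an added example (not from the lecture), here is the link-layer validation a protocol-aware gateway or IDS placed in front of a fragile IED can apply, so that frames with bad start bytes, an inconsistent LENGTH or failing CRC-16/DNP checksums are dropped before the device's own stack sees them. The frame layout follows the DNP3 link layer (0x05 0x64 start, LENGTH = 5 + user bytes, one CRC after the header and after each 16-byte data block); the control byte, addresses and payload used for testing are constructed.

```python
def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC (0x3D65), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a well-formed link frame; used here only to construct test input."""
    header = bytes([0x05, 0x64, 5 + len(user_data), ctrl])
    header += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):          # 16-byte blocks, each with its own CRC
        block = user_data[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


def validate_frame(frame: bytes) -> dict:
    """Parse the link layer; raise ValueError for anything a fragile IED should never see."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes or truncated header")
    length = frame[2]
    if length < 5:                                  # LENGTH counts CTRL+DEST+SRC+user data
        raise ValueError(f"invalid LENGTH {length}")
    if crc16_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    user_len = length - 5
    expected = 10 + user_len + 2 * ((user_len + 15) // 16)
    if len(frame) != expected:
        raise ValueError(f"frame is {len(frame)} bytes but LENGTH implies {expected}")
    user_data, pos = bytearray(), 10
    while len(user_data) < user_len:
        n = min(16, user_len - len(user_data))
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if crc16_dnp(block) != int.from_bytes(crc, "little"):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
    return {"ctrl": frame[3], "dest": int.from_bytes(frame[4:6], "little"),
            "src": int.from_bytes(frame[6:8], "little"), "user_data": bytes(user_data)}


def check(frame: bytes) -> str:
    """'ok' if the frame may be forwarded, otherwise the reason it was dropped."""
    try:
        validate_frame(frame)
        return "ok"
    except ValueError as exc:
        return str(exc)
```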


Protocol based attacks
[Figure: typical utility network that these protocols traverse – Internet → Enterprise Network (Enterprise Workplaces, Optimization Suite, Third Party Application Server, Mobile Operator) → Firewall → Services IP Network (Connectivity Server, Historian Server, Application Server, Engineering Workplace) → Control Network (Serial, OPC, Redundant or Fieldbus) → Device Network (Third Party Controllers, Servers, etc.; Serial RS485)]
How a Cyber Attack Proceeds – Steps #1 to #7
[Figure sequence: the same network diagram is shown seven times with a different step highlighted. Attacker on the Internet; Enterprise Network behind an enterprise firewall containing Web Server, Email Server, Domain Name Server (DNS), Business Workstation and Database Server; SGCN behind an SGCN firewall containing IED, Engineering Workstation, Management Console, HMI, Modem Pool, Data Historian, Web Server, Email Server, RTU, FEP and the Control System Network. Steps #4 and #5 also show a Vendor Web Server. The per-step highlights are not recoverable from the text.]
Cyber Solutions – How to Secure SGCN? Defense in Depth
• Perimeter Protection
– Firewall, IPS, VPN, AV
– Host IDS, Host AV
– DMZ
– Physical Security
• Interior Security
– Firewall, IDS, VPN, AV
– Host IDS, Host AV
– IEEE P1711 (Serial Connections)
– NAC
– Scanning
• Monitoring
• Management
• Processes

IDS – Intrusion Detection System
IPS – Intrusion Prevention System
DMZ – DeMilitarized Zone
VPN – Virtual Private Network (encrypted)
AV – Anti-Virus (anti-malware)
NAC – Network Admission Control
Cyber Solutions – How to Secure SGCN? Cyber Secure Convergence of Enterprise & Operations IT
[Figure: Information Technology (Enterprise Systems, Web Applications, AMI, OMS, GIS) and Operations Technology (Control Systems, Protection Systems) converge into Smart Grid Technology, which must be Cyber Secure]

Integration counters the key security principles of isolation and segregation.

Source: Cyber Security for the Smart Grid TM
Types of security

• Reactive vs Proactive security
• Reactive
– Incident response plan
– Applied more for general purpose computers
• Proactive security for embedded computers
– High assurance boot
– Secure software validation
– Secure association termination if found infected
– Device attestation


How to Secure SGCN?

• Security by obscurity
• Trust no one
• Layered security framework
• Efficient firewall
• Intrusion detection
• Self-healing security system
Interior Protection in Utilities
[Figure: interior protection layers – IDS, port scan and vulnerability scan inside the network; firewall, NAC and SCADA VPN at the boundaries; Monitor, Log, Analyze, Report feeding Managed Security and Compliance]
Summary
• Today’s SG networks are a mix of modern and legacy
– vulnerabilities due to both lack of security design in legacy and security issues in newer equipment
• Defense in depth is essential
– both perimeter (DMZ) and interior security are crucial
• Regulation and government action is driving change
• SG must be designed with strong security
