Post on 11-Apr-2018
Security and Privacy in Smart Grids
Edited by Yang Xiao
CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business.
No claim to original U.S. Government works
Printed on acid-free paper. Version Date: 20130611
International Standard Book Number-13: 978-1-4398-7783-8 (Hardback)
Library of Congress Cataloging-in-Publication Data
Security and privacy in smart grids / editor, Yang Xiao. pages cm
"A CRC title, part of the Taylor & Francis imprint, a member of the Taylor & Francis Group, the academic division of T&F Informa plc."
Includes bibliographical references and index. ISBN 978-1-4398-7783-8 (hardcover : acid-free paper). 1. Smart power grids--Security measures. I. Xiao, Yang, 1966-
TK3105.S32 2013 621.3190285'58--dc23 2012048623
Contents
Preface vii
Acknowledgment ix
About the Editor xi
Contributors xiii
Part 1 Smart Grids in General
Chapter 1 An Overview of Recommendations for a Technical Smart Grid Infrastructure 3
Petra Beenken, Robert Bleiker, José González, Sebastian Rohjans, Michael Specht, Joern Trefke, and Mathias Uslar
Chapter 2 Smart Grid and Cloud Computing: Minimizing Power Consumption and Utility Expenditure in Data Centers 57
Sumit Kumar Bose, Michael Salsburg, Scott Brock, and Ronald Skeoch
Chapter 3 Distributed Opportunistic Scheduling for Building Load Control 85
Peizhong Yi, Xihua Dong, Abiodun Iwayemi, and Chi Zhou
Chapter 4 Advanced Metering Infrastructure and Its Integration with the Distribution Management System 101
Zhao Li, Fang Yang, Zhenyuan Wang, and Yanzhu Ye
Chapter 5 Cognitive Radio Network for the Smart Grid 139
Raghuram Ranganathan, Robert Qiu, Zhen Hu, Shujie Hou, Zhe Chen, Marbin Pazos-Revilla, and Nan Guo
Part 2 Security and Privacy in Smart Grids
Chapter 6 Requirements and Challenges of Cybersecurity for Smart Grid Communication Infrastructures 187
Rose Qingyang Hu and Yi Qian
Chapter 7 Regulations and Standards Relevant for Security of the Smart Grid 205
Steffen Fries and Hans-Joachim Hof
Chapter 8 Vulnerability Assessment for Substation Automation Systems 227
Adam Hahn, Manimaran Govindarasu, and Chen-Ching Liu
Chapter 9 Smart Grid, Automation, and SCADA System Security 245
Yongge Wang
Chapter 10 Smart Grid Security in the Last Mile 269
Tae Oh, Sumita Mishra, and Clark Hochgraf
List of Acronyms 293
Index 303
Preface
A smart grid is an integration of power delivery systems with communication networks and information technology (IT) to provide better services. Security and privacy will provide significant roles in building future smart grids. The purpose of this edited book is to provide state-of-the-art approaches and novel technologies for security and privacy in smart grids, covering a range of topics in these areas.
This book investigates fundamental aspects and applications of smart grids, security, and privacy. It presents a collection of recent advances in these areas contributed by many prominent researchers working on smart grids and related fields around the world. Containing 10 chapters divided into two parts—Part I: Smart Grids in General and Part II: Security and Privacy in Smart Grids—we believe this book will provide a good reference for researchers, practitioners, and students who are interested in the research, development, design, and implementation of smart grid security and privacy.
This work is made possible by the great efforts of our contributors and publisher. We are indebted to our contributors, who have sacrificed days and nights to put together these chapters for our readers. We would like to thank our publisher. Without their encouragement and quality work, we could not have this book.
Yang Xiao
Department of Computer Science, The University of Alabama, Tuscaloosa, Alabama
E-mail: yangxiao@ieee.org
252 Security and Privacy in Smart Grids
9.3 SCADA Security
In this section, we demonstrate the challenges to secure the current automation systems, such as SCADA systems, with examples. Part of these analyses were taken from the work of Wang [19]. In a typical SCADA system [20], data acquisition and control are performed by remote terminal units (RTUs) and field devices that include functions for communications and signaling. SCADA systems normally use a poll-response model for communications with cleartext messages. Poll messages are typically small (less than 16 bytes), and responses might range from a short "I am here" to a dump of an entire day's data. Some SCADA systems may also allow for unsolicited reporting from remote units. The communications between the control center and remote sites could be classified into the following four categories.
1. Data acquisition: The control center sends poll (request) messages to RTUs, and the RTUs dump data to the control center. In particular, this includes status scan and measured value scan. The control center regularly sends a status scan request to remote sites to obtain field device status (e.g., OPEN or CLOSED or a fast CLOSED-OPEN-CLOSED sequence) and a measured value scan request to obtain measured values of field devices. The measured values could be analog values or digitally coded values and are scaled into engineering format by the front-end processor (FEP) at the control center.
2. Firmware download: The control center sends firmware downloads to remote sites. In this case, the poll message is larger (e.g., larger than 64,000 bytes) than in the other cases.
3. Control functions: The control center sends control commands to an RTU at remote sites. Control functions are grouped into four subclasses: individual device control (e.g., to turn on/off a remote device); control messages to regulating equipment (e.g., a raise/lower command to adjust the remote valves); sequential control schemes (a series of correlated individual control commands); and automatic control schemes (e.g., closed control loops).
4. Broadcast: The control center may broadcast messages to multiple RTUs. For example, the control center broadcasts an emergency shutdown message or a set-the-clock-time message.
253 Smart Grid and SCADA Security
Acquired data are automatically monitored at the control center to ensure that measured and calculated values lie within permissible limits. The measured values are monitored with regard to rate of change and for continuous trend monitoring. They are also recorded for postfault analysis. Status indications are monitored at the control center with regard to changes and time tagged by the RTUs. In legacy SCADA systems, existing communication links between the control center and remote sites operate at very low speeds (could be on the order of 300 to 9,600 bps). Note that present deployments of SCADA systems have variant models and technologies, which may have much better performance (for example, IEC 61850-based systems). Figure 9.1 describes a simple SCADA system.
In practice, more complicated SCADA system configurations exist. Figure 9.2 lists three typical SCADA system configurations (see, e.g., Report No. 12 of the American Gas Association [AGA] [21]).
Recently, there have been several efforts to secure the national SCADA systems. Examples exist for the following organizations and standards:
1. American Gas Association [21]. The AGA was among the first to design a cryptographic standard to protect SCADA systems. The AGA had originally been designing a cryptographic standard to protect SCADA communication links; the finished report is AGA 12, Part 1. AGA 12, Part 2, has been transferred to the Institute of Electrical and Electronics Engineers (IEEE) (IEEE 1711).
2. IEEE 1711 [22]. This was transferred from AGA 12, Part 2. This standard effort tries to define a security protocol, the Serial SCADA Protection Protocol (SSPP), for control system serial communication.
[Figure 9.1 A simple SCADA system. The control center (FEP, modem, WAN card, antenna) reaches the remote-site RTUs over leased lines or radio/microwave links. WAN, wide-area network.]
3. IEEE 1815 [23]. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3). The purpose of this standard is to document and make available the specifications for the DNP3 protocol.
4. International Electrotechnical Commission Technical Committee 57 Working Group 15 (IEC TC 57 WG 15) [24,25]. The IEC TC 57 WG 15 standardized SCADA communication security via its IEC 60870-5 series.
5. National Institute of Standards and Technology (NIST) [26]. The NIST Industrial Control System (ICS) Security group works on general security issues related to control systems such as SCADA systems.
6. National SCADA Test Bed Program [27]. The DOE established the National SCADA Test Bed program at Idaho National Laboratory and Sandia National Laboratory to ensure the secure, reliable, and efficient distribution of power.
[Figure 9.2 Typical SCADA system configurations. Three panels: a SCADA system with point-to-point configuration (control center FEP and modem to a single RTU modem); a SCADA system with RTUs connected in a series-star configuration (a splitter behind the control center modem fans out to several RTU modems); and a SCADA system with RTUs in a multi-drop architecture (several RTUs share one modem line).]
9.3.1 Threats to SCADA Systems
SCADA systems were not designed with public access in mind; they typically lack even rudimentary security. However, with the advent of technology, particularly the Internet, much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries. Critical security flaws for SCADA systems are well known to potential attackers. It is feared that SCADA systems can be taken over by hackers, criminals, or terrorists. Some companies may assume that they use leased lines and therefore nobody has access to their communications. The fact is that it is easy to tap these lines [28]. Similarly, frequency-hopping spread-spectrum radio and other wireless communication mechanisms frequently used to control RTUs can be compromised as well.
Several efforts [26,27,29] have been made for the analysis and protection of SCADA system security. According to these reports [26,27,29], the factors that have contributed to the escalation of risk to SCADA systems include the following:
• The adoption of standardized technologies with known vulnerabilities. In the past, proprietary hardware, software, and network protocols made it difficult to understand how SCADA systems operated—and therefore how to hack into them. Today, standardized technologies such as Windows, Unix-like operating systems, and common Internet protocols are used by SCADA systems. Thus, the number of people with the knowledge to wage attacks on SCADA systems has increased.
• The connectivity of control systems to other networks. To provide decision makers with access to real-time information and allow engineers to monitor and control the SCADA systems from different points on the enterprise networks, the SCADA systems are normally integrated into the enterprise networks. Enterprises are often connected to partners' networks and to the Internet. Some enterprises may also use wide-area networks and the Internet to transmit data to remote locations. This creates further security vulnerabilities in SCADA systems.
• Insecure remote connections. Enterprises often use leased lines, wide-area networks/Internet, and radio/microwave to transmit data between control centers and remote locations. These communication links could be easily hacked.
• The widespread availability of technical information about control systems. Public information about infrastructures and control systems is readily available to potential hackers and intruders. Sean Gorman's dissertation (see, e.g., [13,18]), mentioned previously, is a good example of this scenario. Significant information on SCADA systems is publicly available (from maintenance documents, from former employees, from support contractors, etc.). All these information sources could assist hackers in understanding the systems and finding ways to attack them.
Hackers may attack SCADA systems with one or more of the following actions:
1. Causing denial-of-service attacks by delaying or blocking the flow of information through control networks
2. Making unauthorized changes to programmed instructions in RTUs at remote sites, resulting in damage to equipment, premature shutdown of processes, or even disabling of control equipment
3. Sending false information to control system operators to disguise unauthorized changes or to initiate inappropriate actions by system operators
4. Modifying the control system software, producing unpredictable results
5. Interfering with the operation of safety systems
The analysis in reports [26,27,29] showed that securing control systems poses significant challenges, which include
1. The limitations of current security technologies in securing control systems. Existing Internet security technologies such as authorization, authentication, and encryption require more bandwidth, processing power, and memory than control system components typically have. Controller stations are generally designed to do specific tasks, and they often use low-cost, resource-constrained microprocessors.
2. The perception that securing control systems may not be economically justifiable.
3. The conflicting priorities within organizations regarding the security of control systems.
In this chapter, we concentrate on the protection of SCADA remote communication links. In particular, we discuss the challenges for protection of these links and design new security technologies to secure SCADA systems.
9.3.2 Securing SCADA Remote Connections
Relatively cheap attacks could be mounted on SCADA system communication links between the control center and RTUs since there is neither authentication nor encryption on these links. Under the umbrella of NIST's Critical Infrastructure Protection Cybersecurity of Industrial Control Systems, the AGA SCADA Encryption Committee has been trying to identify the functions and requirements for authenticating and encrypting SCADA communication links. Their proposal [21] is to build cryptographic modules that could be invisibly embedded into existing SCADA systems (in particular, one could attach these cryptographic modules to modems, such as those of Figure 9.2) so that all messages between modems are encrypted and authenticated when necessary, and they have identified the basic requirements for these cryptographic modules. However, due to the constraints of SCADA systems, no viable cryptographic protocols have been identified to meet these requirements. In particular, the challenges for building these devices are [21]:
1. Encrypting of repetitive messages.
2. Minimizing delays due to cryptographic operations.
3. Ensuring integrity with minimal latency:
• Intramessage integrity: if cryptographic modules buffer a message until the message authenticator is verified, it introduces message delays that are not acceptable in most cases.
• Intermessage integrity: an attacker may reorder messages, replay messages, and destroy specific messages.
4. Accommodating various SCADA poll response and retry strategies: delays introduced by cryptographic modules may interfere with the SCADA system's error-handling mechanisms (e.g., time-out errors).
5. Supporting broadcast messages.
6. Incorporating key management.
7. Controlling the cost of devices and management.
8. Dealing with a mixed mode: some SCADA systems have cryptographic capabilities; others do not.
9. Accommodating different SCADA protocols: SCADA devices are manufactured by different vendors with different proprietary protocols.
Wang [19] has recently designed efficient cryptographic mechanisms to address these challenges and to build cryptographic modules as recommended in AGA Report No. 12 [21]. These mechanisms can be used to build plug-in devices called sSCADA (secure SCADA) devices that could be inserted into SCADA networks so that all communication links are authenticated and encrypted. In particular, authenticated broadcast protocols are designed so that they can be cheaply included into these devices. It has been a major challenging task to design efficiently authenticated emergency broadcast protocols in SCADA systems.
9.3.3 sSCADA Protocol Suite
The sSCADA protocol suite [19] is proposed to overcome the challenges discussed in the previous section. An sSCADA device installed at the control center is called a master sSCADA device, and sSCADA devices installed at remote sites are called slave sSCADA devices. Each master sSCADA device may communicate privately with several slave sSCADA devices. Occasionally, the master sSCADA device may also broadcast authenticated messages to several slave sSCADA devices (e.g., an emergency shutdown). An illustrative sSCADA device deployment for the point-to-point SCADA configuration is shown in Figure 9.3.
It should be noted that the AGA had originally designed a protocol suite to secure the SCADA systems [21,30] (an open source implementation could be found in reference [31]). However, Wang [19] has broken these protocol suites by mounting a replay attack.
To reduce the cost of sSCADA devices and management, only symmetric key cryptographic techniques are used in our design. Indeed, due to the slow operations of public key cryptography, public key cryptographic protocols could introduce delays in message transmission that are not acceptable to SCADA protocols. The semantic security property [32] is used to ensure that an eavesdropper has no information about the plaintext, even if the eavesdropper sees multiple encryptions of the same plaintext. For example, even if the attacker has observed the ciphertexts of "shut down" and "turn on," it will not help the attacker to distinguish whether a new ciphertext is the encryption of "shut down" or "turn on." In practice, the randomization technique is used to achieve this goal. For example, the message sender may prepend a random string (e.g., 128 bits for Advanced Encryption Standard [AES] 128) to the message and use special encryption modes such as cipher block chaining (CBC) mode or hash-CBC (HCBC) mode. In some modes, this random string is called the initialization vector (IV). This prevents information leakage from the ciphertext even if the attacker knows several plaintext/ciphertext pairs encrypted with the same key.
Since SCADA communication links could be as slow as 300 bps and immediate responses are generally required, there is not sufficient bandwidth to send the random string (IV) each time with the ciphertext; thus, we need to design different cryptographic mechanisms to achieve semantic security without additional transmission overhead. In our design, we use two counters shared between two communicating partners, one for each direction of communication.
The counters are initially set to zero and should be at least 128 bits, which ensures that the counter values will never repeat, avoiding replay attacks. The counter is used as the IV in message encryptions if CBC or HCBC mode is used. After each message encryption, the counter is increased by one if CBC mode is used, and it is increased by the number of blocks of encrypted data if the HCBC mode is used. The two communicating partners are assumed to know the values of the counters, and the counters do not need to be added to each ciphertext. Messages may become lost, and the two counters need to be synchronized occasionally (e.g., at off-peak time). A simple counter synchronization protocol is proposed for the sSCADA protocol suite. The counter synchronization protocol could also be initiated when some encryption/decryption errors appear due to unsynchronized counters.
[Figure 9.3 sSCADA with point-to-point SCADA configuration. The control center FEP is followed by a master sSCADA device and a modem; at the remote site a modem, a slave sSCADA device, and the RTU.]
For two sSCADA devices to establish a secure channel, a master secret key needs to be bootstrapped into the two devices at deployment time (or when a new sSCADA device is deployed into the existing network). For most configurations, secure channels are needed only between a master sSCADA device and a slave sSCADA device. For some configurations, secure channels among slave sSCADA devices may also be needed. The secure channel identified with this master secret is used to establish other channels, such as session secure channels, time synchronization channels, authenticated broadcast channels, and authenticated emergency channels.
Assume that $H(\cdot)$ is a pseudorandom function (e.g., constructed from Secure Hash Algorithm [SHA]-256) and two sSCADA devices $A$ and $B$ share a secret $K_{AB} = K_{BA}$. Depending on the security policy, this key $K_{AB}$ could be the shared master secret or a shared secret for one session that could be established from the shared master key using a simple key establishment protocol (to achieve session key freshness, typically one node sends a random nonce to the other one, and the other node sends the encrypted session key together with an authenticator on the ciphertext and the random nonce). Keys for different purposes could be derived from this secret as follows (it is not a good practice to use the same key for different purposes), where the $K_{AB}$ on the right-hand side is the shared secret: for example, $K_{AB} = H(K_{AB}, 1)$ is for message encryption from $A$ to $B$, $K'_{AB} = H(K_{AB}, 2)$ is for message authentication from $A$ to $B$, $K_{BA} = H(K_{AB}, 3)$ is for message encryption from $B$ to $A$, and $K'_{BA} = H(K_{AB}, 4)$ is for message authentication from $B$ to $A$.
Optional message authentication codes (MACs) are used for two parties to achieve data authentication and integrity. MACs that could be used for sSCADA implementation include HMAC [33,34], CBC-MAC [35], and others. When party $A$ wants to send a message $m$ to party $B$ securely, $A$ computes the ciphertext $c = E(C_A, K_{AB}, c_A \| m)$ and message authenticator $mac = MAC(K'_{AB}, C_A \| c)$, where $c_A$ is the last $l$ bits of $H(C_A)$ ($l$ could be as large as possible if bandwidth allows, and 32 bits should be the minimum), $E(C_A, K_{AB}, c_A \| m)$ denotes the encryption of $c_A \| m$ using key $K_{AB}$ and random prefix (or IV) $C_A$, and $C_A$ is the counter value for the communication from $A$ to $B$. Then, $A$ sends the following packets to $B$:

$$A \to B: \; c, \; mac \;\text{(optional)}$$

When $B$ receives these packets, $B$ decrypts $c$, checks that $c_A$ is correct, and verifies the message authenticator $mac$ if $mac$ is present. As soon as $B$ receives the first block of the ciphertext, $B$ can check whether $c_A$ is correct. If it is correct, then $B$ continues the decryption and updates its counter. Otherwise, $B$ discards the entire ciphertext. If the message authenticator code $mac$ is present, $B$ also verifies the correctness of $mac$. If $mac$ is correct, $B$ does nothing; otherwise, $B$ may choose to inform $A$ that the message was corrupted or try to resynchronize the counters.
There are several implementation issues on how to deliver the message to the target (e.g., RTU). For example, there are the following:
1. $B$ uses the counter to decrypt the first block of the ciphertext; if the first $l$ bits of the decrypted plaintext are not consistent with $H(C_A)$, then the reason could be that the counter $C_A$ is not synchronized or that the ciphertext is corrupted. $B$ may try several possible counters until the counter-checking process succeeds. $B$ then uses the verified counter and the corresponding key to decrypt the message and deliver each block of the resulting message to the target as soon as it is available. If no counter could be verified in a limited number of trials, $B$ may notify $A$ of the transmission failure and initiate the counter synchronization protocol in the next section. The advantage of this implementation is that we have minimized delay from the cryptographic devices, thus minimizing the interference with SCADA protocols. Note that in this implementation, the message authenticator $mac$ is not used. If the ciphertext was tampered with, we rely on the error correction mechanisms (normally CRC codes) in SCADA systems to discard the entire message. If CBC (respectively HCBC) mode is used, then the provable security properties (respectively provable online cipher security properties) of CBC mode (respectively HCBC mode) [36,37] guarantee that the attacker has no chance to tamper with the ciphertext, so that the decrypted plaintext contains a correct CRC that was used by SCADA protocols to achieve integrity.
2. Proceed as in case 1. In addition, the $mac$ is further checked, and the decrypted message is delivered to the SCADA system only if the $mac$ verification passes. The disadvantage of this implementation is that these cryptographic operations introduce significant delay for message delivery, and it may interfere with SCADA protocols.
3. Proceed as in case 1. The decrypted message is delivered to the SCADA system as soon as available. After receiving the entire message and $mac$, $B$ will also verify $mac$. If the verification passes, $B$ will do nothing. Otherwise, $B$ resynchronizes the counter with $A$ or initiates some other exception-handling protocols.
4. To avoid delays introduced by cryptographic operations and to check the $mac$ at the same time, sSCADA devices may deliver decrypted bytes immediately to the target except the last byte. If the message authenticator $mac$ is verified successfully, the sSCADA device delivers the last byte to the target; otherwise, the sSCADA device discards the last byte or sends a random byte to the target. That is, we rely on the error correction mechanisms at the target to discard the entire message. Similar mechanisms have been proposed [21]. However, an attacker may insert garbage between the ciphertext and $mac$, thus tricking the sSCADA device into delivering the decrypted messages to the SCADA system. If this happens, we essentially do not receive an advantage from this implementation. Thus, this implementation is not recommended.
5. Instead of prepending $c_A$ to the plaintext message, one may choose to prepend three bytes of another specially formatted string to the plaintext message (bandwidth of three bytes is normally available in SCADA systems) before encryption. This is an acceptable solution, although we still prefer our solution of prepending the hash output of the counter.
There could be other implementations to improve the performance and interoperability with SCADA protocols. sSCADA devices should provide several possible implementations for users to configure. Indeed, sSCADA devices may also be configured in a dynamic way so that for different messages they use different implementations.
In some SCADA communications, message authentication only is sufficient. That is, it is sufficient for $A$ to send $(m, mac)$ to $B$, where $m$ is the cleartext message and $mac = MAC(K'_{AB}, C_A \| m)$. sSCADA devices should provide configuration options to perform message authentication without encryption. In this case, even if the counter value is not used as the IV, the counter value should still be authenticated in the $mac$ and be increased after the operation. This will provide message freshness assurance and avoid replay attacks. sSCADA should also support message pass-through mode. That is, the message is delivered without encryption and authentication. In summary, it should be possible to configure an sSCADA device in such a way that some messages are authenticated and encrypted, some messages are authenticated only, and some messages are passed through directly.
9.3.4 Counter Synchronization
In the point-to-point message authentication and encryption protocol, we assume that both sSCADA devices $A$ and $B$ know each other's counter values $C_A$ and $C_B$, respectively. In most cases, reliable communication in SCADA systems is provided, and the security protocols in the previous section work fine. Still, we provide a counter synchronization protocol so that sSCADA devices can synchronize their counters when necessary. The counter synchronization protocol could be initiated by either side. Assume that $A$ initiates the counter synchronization protocol. Then, the protocol looks as follows:

$$A \to B: \; N_A$$
$$B \to A: \; C_B, \; MAC(K'_{BA}, N_A \| C_B)$$
The initial counter values of two sSCADA devices could be bootstrapped directly. The counter synchronization protocol presented could also be used by two devices to bootstrap the initial counter values. A master sSCADA device may also use the authenticated broadcast channel that we discuss in the next section to set the counters of several slave sSCADA devices to the same value using one message.
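The point-to-point protection of Section 9.3.3 (counter as IV, $c_A$ prefix check on the first block, $mac$ over $C_A \| c$, counter trial window) and the counter synchronization exchange above, worked through as an added Python example; this is not the chapter's or Wang's sSCADA code. It assumes SHA-256 as $H$, HMAC-SHA256 truncated to 64 bits as the MAC, an 8-counter trial window, and an HMAC-derived keystream standing in for AES-CBC so that it runs on the standard library alone.

```python
"""sSCADA-style counter-based message protection and counter synchronization.

Added example, not code from the chapter. AES-CBC (the chapter's mode) is
replaced by an HMAC-SHA256 keystream so the example needs only the standard
library; because that keystream is malleable, the mac is always verified
before delivery (the chapter's implementation 2).
"""
import hashlib
import hmac
import os

COUNTER_BYTES = 16   # counters are at least 128 bits
L_BYTES = 4          # l = 32 bits, the chapter's minimum for c_A
BLOCK = 16           # block size of the (substituted) cipher
MAC_BYTES = 8        # truncated HMAC to fit low-bandwidth links (assumption)
WINDOW = 8           # counters the receiver tries before giving up (assumption)


def H(*parts: bytes) -> bytes:
    """Pseudorandom function built from SHA-256 over the concatenated inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def derive_keys(shared: bytes) -> dict:
    """K_AB = H(K,1), K'_AB = H(K,2), K_BA = H(K,3), K'_BA = H(K,4)."""
    return {"enc_AB": H(shared, b"\x01"), "mac_AB": H(shared, b"\x02"),
            "enc_BA": H(shared, b"\x03"), "mac_BA": H(shared, b"\x04")}


def ctr_bytes(counter: int) -> bytes:
    return counter.to_bytes(COUNTER_BYTES, "big")


def counter_tag(counter: int) -> bytes:
    """c_A: the last l bits of H(C_A), prepended to the plaintext before encryption."""
    return H(ctr_bytes(counter))[-L_BYTES:]


def E(counter: int, key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt data under key with the counter as IV (XOR with a per-block keystream)."""
    stream = b"".join(
        hmac.new(key, ctr_bytes(counter) + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]
        for i in range(-(-len(data) // BLOCK)))
    return bytes(x ^ y for x, y in zip(data, stream))


def MAC(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_BYTES]


class Endpoint:
    """One sSCADA device; is_a selects the A->B keys for sending and B->A for receiving."""

    def __init__(self, shared: bytes, is_a: bool):
        k = derive_keys(shared)
        mine, theirs = ("AB", "BA") if is_a else ("BA", "AB")
        self.send_enc, self.send_mac = k["enc_" + mine], k["mac_" + mine]
        self.recv_enc, self.recv_mac = k["enc_" + theirs], k["mac_" + theirs]
        self.send_ctr = 0     # our counter for the direction we send (C_A when we are A)
        self.recv_ctr = 0     # our copy of the peer's sending counter
        self.nonce = None

    def protect(self, m: bytes):
        """c = E(C, K, c_C || m), mac = MAC(K', C || c); counter +1 per message (CBC rule)."""
        c = E(self.send_ctr, self.send_enc, counter_tag(self.send_ctr) + m)
        mac = MAC(self.send_mac, ctr_bytes(self.send_ctr) + c)
        self.send_ctr += 1
        return c, mac

    def unprotect(self, c: bytes, mac: bytes):
        """Try the expected counter and a few successors (lost messages): check c_C on the
        first block, then the mac. Returns the plaintext, or None (corrupt or out of sync)."""
        for trial in range(self.recv_ctr, self.recv_ctr + WINDOW):
            first = E(trial, self.recv_enc, c[:BLOCK])
            if first[:L_BYTES] != counter_tag(trial):
                continue                      # wrong counter: try the next one
            if not hmac.compare_digest(MAC(self.recv_mac, ctr_bytes(trial) + c), mac):
                return None                   # counter verified but message tampered/corrupted
            self.recv_ctr = trial + 1         # advance past the accepted message (no replay)
            return E(trial, self.recv_enc, c)[L_BYTES:]
        return None                           # nothing verified: run counter synchronization

    # Counter synchronization:  A -> B: N_A ;  B -> A: C_B, MAC(K'_BA, N_A || C_B)
    def sync_request(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def sync_response(self, nonce: bytes):
        """Responder reports its sending counter, bound to the nonce under its own MAC key."""
        return self.send_ctr, MAC(self.send_mac, nonce + ctr_bytes(self.send_ctr))

    def sync_finish(self, ctr: int, tag: bytes) -> bool:
        expected = MAC(self.recv_mac, (self.nonce or b"") + ctr_bytes(ctr))
        if self.nonce is None or not hmac.compare_digest(expected, tag):
            return False                      # stale or forged response: keep the old counter
        self.recv_ctr, self.nonce = ctr, None
        return True


def demo() -> dict:
    """Normal, replayed, lost, tampered and out-of-sync cases on constructed messages."""
    shared = os.urandom(32)                   # constructed master secret bootstrapped into both
    a, b = Endpoint(shared, True), Endpoint(shared, False)
    out = {}
    c, mac = a.protect(b"OPEN BREAKER 7")
    out["delivered"] = b.unprotect(c, mac) == b"OPEN BREAKER 7"
    out["replay_rejected"] = b.unprotect(c, mac) is None       # counter already consumed
    for _ in range(3):
        a.protect(b"lost in transit")                           # three messages never arrive
    c, mac = a.protect(b"STATUS SCAN")
    out["window_recovered"] = b.unprotect(c, mac) == b"STATUS SCAN"
    c, mac = a.protect(b"CLOSE BREAKER 7 NOW")
    bad = bytearray(c)
    bad[-1] ^= 1                                                # flip one ciphertext bit
    out["tamper_rejected"] = b.unprotect(bytes(bad), mac) is None
    out["original_still_ok"] = b.unprotect(c, mac) == b"CLOSE BREAKER 7 NOW"
    for _ in range(WINDOW + 5):
        a.protect(b"lost in transit")                           # gap larger than the window
    c, mac = a.protect(b"SET CLOCK")
    out["gap_needs_sync"] = b.unprotect(c, mac) is None
    n = b.sync_request()                                        # B initiates and learns C_A
    out["synced"] = b.sync_finish(*a.sync_response(n))
    c, mac = a.protect(b"SET CLOCK")                            # lost message re-sent after sync
    out["after_sync"] = b.unprotect(c, mac) == b"SET CLOCK"
    return out


if __name__ == "__main__":
    print(demo())
```

After synchronization the receiver's counter equals the sender's current value, so a message lost during the gap is recovered only by the SCADA retry strategy re-sending it, as the chapter's challenge 4 anticipates.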
9.4 Conclusion
In this chapter, we discussed the challenges for smart grid system security. We then used control systems (in particular, SCADA systems) as examples for studying how to address these challenges. In particular, we mentioned Wang's attack [19] on the protocols in the first version of the AGA standard draft [30]. This attack showed that the security mechanisms in the first draft of the AGA standard protocol could be easily defeated. We then proposed a suite of security protocols optimized for SCADA/DCS systems. These protocols are designed to address the specific challenges of SCADA systems.
Recently, there has been wide interest in the secure design and implementation of smart grid systems [38]. The SCADA system is one of the most important legacy systems of the smart grid systems. Together with other efforts such as those offered in IEEE 1711 [22], IEEE 1815 [23], IEC TC 57 [24], IEC 60870-5 [25], NIST Industrial Control System Security [26], and the National SCADA Test Bed Program [27], the work in this chapter presents an initial step for securing the SCADA section of the smart grid systems against cyberattacks.
References

1. Department of Energy. Title XIII—Smart Grid (2010). http://www.oe.energy.gov/documentsandMedia/eisa_title_Xiii_smart_Grid.pdf
2. U.S. Energy Information Administration. Net Generation by Energy Source: Total (All Sectors) (2011). http://www.eia.gov/cneaf/electricity/epm/table1_1.html
3. M. Abrams and J. Weiss. Malicious Control System Cyber Security Attack Case Study—Maroochy Water Services, Australia (2010). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Maroochy-water-services-case-study_briefing.pdf
4. M. Abrams and J. Weiss. Bellingham, Washington, Control System Cyber Security Case Study (2007). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Bellingham_case_study_report2020sep071.pdf
265 Smart Grid and SCADA Security
5. USA Today. Aurora case: U.S. video shows hacker hit on power grid (2007). http://www.usatoday.com/tech/news/computersecurity/2007-09-27-hacker-video_n.htm
6. SPAMfighter. Vancouver city-police investigating possible sabotage of traffic light computer system (2007). http://www.spamfighter.com/news_show_other.asp?M=10&Y=2007
7. S. Gorman. Electricity grid in US penetrated by spies. Wall Street Journal (April 8, 2009). http://online.wsj.com/article/sB123914805204099085.html
8. New York Independent System Operator. NYISO Interim Report on the August 14, 2003 Blackout (2004). http://www.hks.harvard.edu/hepg/Papers/nYiso.blackout.report.8.Jan.04.pdf
9. G. Keizer. Is Stuxnet the "best" malware ever? (2010). http://www.infoworld.com/print/137598
10. M. Davis. SmartGrid device security: adventures in a new medium (2009). http://www.blackhat.com/presentations/bh-usa-09/Mdavis/BhUsa09-davis-aMi-slides.pdf
11. McAfee. Global Energy Cyberattacks: Night Dragon (February 2011). http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
12. K. Zetter. Fearing industrial destruction, researcher delays disclosure of new Siemens SCADA holes (2011). http://www.wired.com/threatlevel/2011/05/siemens-scada-vulnerabilities/
13. L. Blumenfeld. Dissertation could be security threat. Washington Post (July 7, 2003). http://www.washingtonpost.com/ac2/wp-dyn/a23689-2003Jul7
14. U.S.-Canada Power System Outage Task Force. Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004). https://reports.energy.gov/Blackoutfinal-web.pdf
15. North American Electric Reliability Council. Technical Analysis of the August 14, 2003, Blackout: What Happened, Why, and What Did We Learn? (2004). http://www.nerc.com/docs/docs/blackout/nerc_final_Blackout_report_07_13_04.pdf
16. N. Falliere, L. O Murchu, and E. Chien. W32.Stuxnet Dossier (February 2011). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
17. NSS Labs. Homepage. http://www.nsslabs.com/
18. J. Rappaport. What you don't know might hurt you: alum's work balances national security and information sharing. http://gazette.gmu.edu/articles/11144
19. Y. Wang. sSCADA: securing SCADA infrastructure communications. International Journal of Communication Networks and Distributed Systems 6(1), 59–78 (2011).
20. T. Cegrell. Power System Control Technology. Prentice-Hall International, Harlow, UK (1986).
21. American Gas Association. AGA Report No. 12. Cryptographic Protection of SCADA Communications: General Recommendations. Draft 2, February 5, 2004. Draft 2 is no longer available online; Draft 3 (2010) is available for purchase. http://www.aga.org/
22. Institute of Electrical and Electronics Engineers. IEEE 1711. Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links (2011). http://standards.ieee.org/findstds/standard/1711-2010.html
23. Institute of Electrical and Electronics Engineers. IEEE 1815. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3) (2010). http://grouper.ieee.org/groups/1815/
24. International Electrotechnical Commission. IEC TC 57. Focus on the IEC TC 57 Standards (2010). http://www.ieee.org/portal/cms_docs_pes/pes/subpages/publications-folder/tc_57_column.pdf
25. International Electrotechnical Commission. IEC 60870-5. Group Maillist Information (2010). http://www.trianglemicroworks.com/iec60870-5/index.htm
26. National Institute of Standards and Technology (NIST). NIST Industrial Control System Security (ICS) (2011). http://csrc.nist.gov/groups/sMa/fisma/ics/index.html
27. Idaho National Laboratory. National SCADA Test Bed Program (2011). http://www.inl.gov/scada/
28. Granite Island Group. Wiretapping and outside plant security—wiretapping 101 (2011). http://www.tscm.com/outsideplant.html
29. General Accounting Office. GAO-04-628. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform (March 30, 2004). http://www.gao.gov/new.items/d04628t.pdf
30. A. K. Wright, J. A. Kinast, and J. McCarty. Low-Latency Cryptographic Protection for SCADA Communications. In Proc. 2nd Int. Conf. on Applied Cryptography and Network Security, ACNS 2004, vol. 3089, LNCS, pp. 263–277. Springer-Verlag, New York (2004).
31. A. Wright. SCADASafe (2006). http://scadasafe.sourceforge.net
32. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984).
33. M. Bellare, R. Canetti, and H. Krawczyk. Message authentication using hash functions—the HMAC construction. RSA Laboratories CryptoBytes 2(1) (Spring 1996).
34. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. Internet RFC 2104 (February 1997). https://www.rfc-editor.org/rfc/rfc2104
35. National Institute of Standards and Technology (NIST). DES Modes of Operation, FIPS Publication 81. NIST, Gaithersburg, MD (1981).
36. M. Bellare, A. Boldyreva, L. Knudsen, and C. Namprempre. On-line ciphers and the Hash-CBC constructions. In Advances in Cryptology—Crypto 2001, vol. 2139, LNCS, pp. 292–309. Springer-Verlag, New York (2001).
37. M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399 (2000).
38. Department of Energy. Study of Security Attributes of Smart Grid Systems—Current Cyber Security Issues (April 2009). http://www.inl.gov/scada/publications/d/securing_the_smart_grid_current_issues.pdf