Issue 29 – July 2011
This article was written by Steve Molitor, National Electrical Manufacturers Association (NEMA). Programme Manager. It is summarised from Electroindustry magazine Vol. 16 No. 6 by permission of the National Electrical Manufacturers Association.
As we add intelligence, communications, and computing power to the electrical grid, we are creating openings for cybersecurity problems. According to a 2010 report on critical infrastructure cybersecurity by McAfee, '... 80% [of survey respondents] had faced a large-scale denial-of-service attack, and 85% had experienced network infiltrations.'1
Referring to the same report, Dark Reading, a news portal that focuses on IT security, noted: The survey … found that 40% of executives believed that their industry's vulnerability had increased, according to the researchers. Nearly 30% believed their company was not prepared for a cyberattack, and more than 40% expect a major cyberattack within the next year.2
This emerging threat will only grow as the sophistication of computer intelligence applied to the national electrical grid increases. While computers and communication between infrastructure elements are essential to the creation and maintenance of a Smart Grid, they also represent a rich target for hackers who are merely curious to those with malicious intent.
Cybersecurity issues have long been the concern of internet and computer information technology providers and there are lessons we can learn from their efforts at stopping cyber attacks.
Preparation is one key aspect of cybersecurity. The Internet Engineering Task Force (IETF) RFC 2196 publication Site Security Handbook3 mandates that the first aspect of securing cyber assets is a comprehensive security policy. The handbook outlines characteristics and components that can be adapted to the Smart Grid environment.
Smart Grid functionality and reliability is closely tied to the communication between devices and nodes in the grid, and between humans and devices. Communications should therefore be based on the concept of 'mutual distrust – no communication occurs until both sides can adequately identify each other.
The National Institute of Standards and Technology (NIST) calls this identification and authentication (I&A).4 There are three means of authentication, which can be used alone or in combination:
- something the individual knows (a secret – for example, a password)
- something the individual possesses (a token – for example, an ATM card)
- something the individual is (a biometric – for example, a fingerprint)
One of the easiest cryptographic mechanisms to employ is PKI (public key infrastructure), a means of identifying a trusted source by binding a 'public key' with an individual's identity through a certificate authority registration and issuance process. It enables encrypting communication by issuing messages encoded with the sender's private key, which can only be decrypted by the sender's public key. PKI could ensure that communication within the Smart Grid comes from a trusted source, thus hindering cyber attacks.
Another internet security concept is that of 'defence in depth,' the use of layers. This can be accomplished by combinations of authentication methods as noted above, or by forcing procedures that check authentication, and check again at another time in the communication. Re-authentication may be triggered by the expiration of a preset timer, for example after 15 minutes. It can also be a significant event, such as the end of a pre-established connection (a 'transmission complete' message), or the end of a pre-established amount of data transfer.
The National Electrical Manufacturers Association (NEMA) Smart Grid Council is reworking the manufacturers' position statement on cybersecurity, originally published in January 2010 and expects to distribute that document to federal agencies and members of Congress later this year. To view the position statement, go to www.nema.org/smartgrid (www.nema.org/smartgrid).
1 www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf, p. 6.
4 NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, Part IV, chapter 16.