Embedded Technologies for the Smart Grid
Securing and Improving the Smart Grid Requires Military Grade Technology
The Smart Grid is vast and complex, uniting a power distribution system with a data and control network. As a result, its vulnerabilities are many and often subtle. Securing this huge system will require military grade tools, systems and attention to detail.
JIM MCELROY, GREEN HILLS SOFTWARE
Reliability and resiliency of the Smart Grid must be the primary focus for utilities and their suppliers, as the Smart Grid is critical to both national security and the global economy. With these goals in mind, in-depth vulnerability analysis should be performed on critical infrastructure assets on a regular basis to ensure cyber-secure device interoperation that helps realize the benefits of more reliable and available energy at lower cost and with less impact on the environment. Eliminating vulnerabilities throughout the grid is important. However, further protection and response mechanisms are necessary to safely quarantine infected or degraded components so they do not adversely affect other subsystems within the grid. In reality, the Smart Grid is now under constant attack and will be hacked, so preparing for this eventuality needs to take place now, both at the business level and in the field devices throughout the grid. Recognizing that the Smart Grid encompasses information technology and control systems assets, security and response mechanisms will need to bridge the gap between traditional IT infrastructures and industrial operational control systems.
Fortunately, Smart Grid device manufacturers can leverage military grade software and hardware already proven in use to secure, protect and control vital assets in high-assurance applications. For suppliers of Smart Grid devices such as meters, concentrators, Supervisory Control and Data Acquisition (SCADA) systems, and the communications infrastructure connecting such components, these technologies can expedite the time-to-market for delivering a secure and reliable grid infrastructure. Although it is acknowledged that both physical and cyber security must work hand-in-hand to properly secure the grid, we will focus more here on the cyber world aspects and relate how some of the Smart Grid challenges have been solved in other markets with military grade operating system technology, middleware, key management and encryption technologies.
The Smart Grid industry, and in particular the advanced metering infrastructure (AMI), is expanding at a rapid pace, with device manufacturers rushing devices to the market to capture market share while responding to the demands of utilities, consumers and the government. As a result of this expansion, and without full consideration of system and component-level security, industry research estimates that there will be over 250 million new hackable devices introduced into the Smart Grid in the next five years, dramatically increasing the number of potential vulnerabilities and the overall security risks to the grid. For terrorists and hackers who want to cause harm or steal valuable information, this is great news. For consumers, utilities and the government, hoping to realize the benefits of smart energy, the accelerating number of nodes and resulting attack points lessens the probability of sustained, secure and safe energy delivery.
The threats to the grid are real. Successful exploits of grid vulnerabilities have already resulted in real physical harm. The latest notable example is the Stuxnet worm, which deliberately and successfully attacked a particular industrial control system. Every day, advanced persistent attacks occur on the transmission and distribution networks, control and data centers, and field area networks. Attackers are getting smarter all the time, and exploits have been observed to take place over seconds, hours, days, months and even years without being detected. Unfortunately, the vast majority of these systems are “secured” by inherently insecure operating systems such as Windows and Linux, deployed in network devices and firewalls. The reality is that most industrial control systems deployed are relying on these insecure operating systems and, potentially even worse, on the ability of each individual utility and vendor to keep up with patches that attempt to fix the vulnerabilities.
In most cases, these systems and devices are not patched effectively, exposing the grid to attacks and breakdowns. These operating systems simply were not designed for this level of security and resiliency, and it is impossible to introduce these capabilities retrospectively. The grid cannot be secured entirely in its current form. With a complex infrastructure of aging components, mixed with a tremendous influx of new components offering expanded capabilities and connection strategies, the grid must be secured one large step at a time, with an emphasis on securing the most critical and vital assets first. The “Guidelines for Smart Grid Cyber Security” (NISTIR 7628) sets the path for securing the Smart Grid and groups the grid's vulnerability classes into four primary areas:
- people, policies and procedures
- platform software/firmware vulnerabilities
- platform vulnerabilities
- network vulnerabilities
Focusing here on the platform and network for the Smart Grid, NISTIR 7628 identifies a collection of vulnerabilities that may exist in the Smart Grid device platform (hardware, software, firmware and operating system). From the software and firmware perspective, many of these vulnerabilities result from poor code quality, such as buffer overflows, memory leaks and leftover debug code. In addition to poor code quality, poor software design can lead to ineffective error handling, logic errors, protocol errors and weak authentication and authorization practices, potentially exposing vital grid information to unauthorized observation or mutation. For platform software and firmware in critical grid operational assets such as SCADA systems, transmission and distribution controllers, synchrophasors and utility business applications, protecting the confidentiality, integrity and availability of information is paramount.
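The buffer overflow named above is the most common of the code-quality defects, and the difference between a vulnerable and a hardened parser is usually two length checks. The C below is an example added for this edit, not firmware from Green Hills or any grid vendor: it parses a constructed meter-reading frame (a 4-byte meter id, a length byte, then the reading; this layout, the READING_MAX limit and the function names are assumptions for the example, not a real AMI protocol). The vulnerable version trusts the wire-supplied length; the hardened version checks it against both the destination buffer and the bytes actually received, and is the only one exercised with malformed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout for this example (not a real AMI protocol):
 *   [0..3] meter id, big-endian   [4] reading length   [5..] reading bytes */
#define READING_MAX 16

typedef struct {
    uint32_t meter_id;
    uint8_t  reading_len;
    uint8_t  reading[READING_MAX];
} meter_frame_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable: the length byte comes from the wire and is trusted. A frame claiming a
 * reading longer than READING_MAX writes past out->reading (a stack/struct overflow),
 * and one claiming more bytes than were received reads past the end of buf. */
int parse_frame_vulnerable(const uint8_t *buf, size_t n, meter_frame_t *out) {
    if (n < 5) return -1;
    out->meter_id = read_be32(buf);
    out->reading_len = buf[4];
    memcpy(out->reading, buf + 5, out->reading_len);
    return 0;
}

/* Hardened: every wire-supplied length is checked against both the destination
 * capacity and the number of bytes actually received before any copy happens. */
int parse_frame_hardened(const uint8_t *buf, size_t n, meter_frame_t *out) {
    if (buf == NULL || out == NULL || n < 5) return -1;   /* malformed or truncated header */
    uint8_t len = buf[4];
    if (len > READING_MAX) return -2;                      /* claim exceeds destination buffer */
    if ((size_t)len > n - 5) return -3;                    /* claim exceeds received bytes */
    memset(out, 0, sizeof *out);                           /* no stale data left in unused bytes */
    out->meter_id = read_be32(buf);
    out->reading_len = len;
    memcpy(out->reading, buf + 5, len);
    return 0;
}

/* Constructed test frames: well-formed, a length byte claiming 64 bytes, and a
 * length byte claiming 10 bytes when only 3 follow. */
static const uint8_t GOOD_FRAME[]      = { 0x00,0x01,0x86,0xA0, 0x04, 0xDE,0xAD,0xBE,0xEF };
static const uint8_t OVERSIZED_FRAME[] = { 0x00,0x01,0x86,0xA0, 0x40, 0x01,0x02,0x03 };
static const uint8_t TRUNCATED_FRAME[] = { 0x00,0x01,0x86,0xA0, 0x0A, 0x01,0x02,0x03 };

/* Runs the hardened parser over one constructed frame: 0 good, 1 oversized, 2 truncated. */
int demo_result(int which) {
    meter_frame_t f;
    switch (which) {
    case 0:  return parse_frame_hardened(GOOD_FRAME, sizeof GOOD_FRAME, &f);
    case 1:  return parse_frame_hardened(OVERSIZED_FRAME, sizeof OVERSIZED_FRAME, &f);
    case 2:  return parse_frame_hardened(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME, &f);
    default: return -99;
    }
}

/* Meter id recovered from the good frame by the hardened parser (0 if it rejects it). */
uint32_t demo_meter_id(void) {
    meter_frame_t f;
    return parse_frame_hardened(GOOD_FRAME, sizeof GOOD_FRAME, &f) == 0 ? f.meter_id : 0;
}

int main(void) {
    meter_frame_t f;
    /* The vulnerable parser behaves on well-formed input; the defect is latent until a hostile frame arrives. */
    printf("vulnerable, good frame: %d\n", parse_frame_vulnerable(GOOD_FRAME, sizeof GOOD_FRAME, &f));
    printf("hardened, good frame:   %d (meter %u)\n", demo_result(0), demo_meter_id());
    printf("hardened, oversized:    %d\n", demo_result(1));
    printf("hardened, truncated:    %d\n", demo_result(2));
    return 0;
}
```

The hardened parser also clears the output struct before filling it, so a shorter reading cannot leave bytes from a previous frame in the unused tail; that is the same class of leftover-data problem the text files under poor code quality.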
As a best practice, a rigorous security-focused life cycle should be in place for developers of critical Smart Grid assets to eliminate device and system vulnerabilities. The aerospace and defense embedded software market can serve as a good model for developing secure and safe embedded devices. A common practice in this environment is to implement a rigorous, traceable software development approach with best-of-breed development tools. For applications requiring safety, security and reliability, the separation kernel operating system architecture provides significant benefits. This practice enables these software teams to develop devices and systems that isolate, protect and secure software applications and data. Furthermore, in these critical environments the right selection of operating system, tools and hardware can expedite the delivery and also reduce the bill-of-material cost for each secure device.
Common high-priority grid vulnerabilities exist in authentication and authorization of devices, applications, firmware and people. It is vitally important to ensure that only the right people, the right devices configured with the right software, and operating on the right information participate in grid functional collaboration. This should start at the earliest stages, even during the hardware manufacturing process where devices must be constructed from trusted and authenticated components. The firmware, middleware and application software all need to be created with security in mind, authenticated and securely “injected” into the device.
A trusted boot process should start things rolling when it comes to an authenticated and authorized device joining the grid infrastructure. Public Key Infrastructure (PKI) technology and encryption are now commonly used to enable authentication, protection of data, provisioning and authorization. Strong password control, management and even biometrics may also be deployed to properly authenticate actors and data within the system. Addressing the authentication vulnerability requires that only trusted devices with trusted information and trusted communication can interact throughout the grid.
Securing and making the Smart Grid network itself more resilient and secure is a vast topic on its own, as there are numerous protocols such as Wi-Fi, ZigBee, TCP/IP, WiMAX, GPRS, BPL and PLC used throughout the grid. Furthermore, the SCADA systems often have their own set of protocols. For the entire grid, it is becoming increasingly important to check the validity and integrity of the data at each end of the communication line. Application “whitelisting” is developing into a common technique to protect and ensure secure communication channels and data integrity by only allowing specific applications to see and operate on specific data. Protecting data at rest and in transit throughout the grid is important, and today’s military grade applications leverage the latest in encryption technology to secure the data and the keys to the information. Protecting “key” information about the device, its content, its firmware and applications can prevent tampering, counterfeiting and stealing personal or business information.
Firewalls and IPS/IDS systems, such as those fielded in the market today, can help in protecting the grid. However, the reality is that these systems too have only been designed, developed and certified to protect systems against casual or inadvertent attempts to breach system security. They also rely heavily on users properly configuring these devices, which often is not the case. In addition, many of these systems are certified at only Evaluation Assurance Level (EAL) 3 or 4+ at best. This is a topic for another discussion, but suffice it to say that this is not a sufficient level of protection to secure Smart Grid critical assets.
At the core of these critical Smart Grid devices, military grade software development tools and operating system technology can and should be deployed to provide high-assurance security and safety, in a similar fashion to their use in developing secure aircraft avionics, military equipment, industrial equipment, medical devices and defense systems. In these environments, suppliers of high-assurance technology start with a formal development process, optimized development and debugging tools, and a secure and resilient platform upon which they deploy safety- and security-critical applications. An example of such a platform is the Green Hills Integrity real-time operating system. Green Hills Software, specializing in high-assurance platforms and solutions, has successfully taken specific versions of this technology through a number of certifications in varying critical software domains. The Integrity operating system technology has achieved an EAL6+ high robustness certification from the NSA, having passed formal analysis and rigorous NSA penetration testing, demonstrating that this operating system has been designed and constructed specifically for the task of protecting high-valued assets from well-funded attackers. It is this type of technology, with security designed in from the start, which should be deployed to protect the critical assets of the grid.
Not all vulnerabilities of the grid can be covered in this article. However, looking at the overall platform of software, hardware and the network connecting the nodes throughout the grid, vulnerabilities primarily exist in weak architectural design. Examples include no defense in depth, inadequate malware protection, ineffective logging and alerting mechanisms, and a weak and insecure operating system infrastructure. Security and resiliency must be built into the platform itself, from the ground up, and that means the hardware and the software operating system upon which all applications run.
Many military grade applications now leverage separation kernel technology with an intrinsic hypervisor to enable time and space isolation for applications and data, potentially running under different operating systems, safely and securely. With this architecture in place, Smart Grid intelligent electronic devices can have security, safety and resiliency built in, where no one application can adversely affect other applications running in their own partitions. System monitors, device drivers and communication stacks can each run in their own virtual address space, safely and securely. This military grade platform architecture also enables the capture of forensic evidence throughout the lifecycle of the applications. Degraded components can be safely quarantined, and log files can be managed safely and securely. Military grade software development methodologies, tools and platforms can provide the foundation for building a more resilient Smart Grid.
Green Hills Software
Santa Barbara, CA.