Smart grid - report

A SECURITY POLICY PROPOSAL FOR SMART GRID
Final project
INF 522 - Policy - foundation for successful information assurance
Report prepared by Name: SWETHA KAZA | USC ID: 6077884518 | e-mail: skaza@usc.edu
TABLE OF CONTENTS
I. BACKGROUND RESEARCH - SMART GRID
   A. Information identification and classification
   B. Currently available privacy protection guidelines
II. REVIEW OF AB-1274 PRIVACY: CUSTOMER ELECTRICAL OR NATURAL GAS USAGE DATA
III. EXECUTIVE SUMMARY
   A. Threat space
   B. High level policy statements
   C. High level mechanism/Implementation
   D. Policy implementation breakdown
   E. Role based access control
   F. Access control matrix for discretionary control
IV. CONSIDERING OTHER MODELS FOR IMPLEMENTATION
V. GAPS IN THE ACCESS CONTROL POLICY
   A. Risks due to missing requirements
   B. Enhancements
   C. Recommendations
VI. CONTEMPLATING A HIGH ASSURANCE ALTERNATIVE
VII. CONCLUSION
VIII. REFERENCES
I. BACKGROUND RESEARCH - SMART GRID

Smart Grid is an evolving technology in the energy industry capable of automating the provision, collection, aggregation, maintenance (such as self-healing properties) and billing of the energy usage of consumers participating in the Smart Grid. This report aims to analyze, contrast and detail the principles, models and laws under which private data could be securely used in a Smart Grid application.

A. Information identification and classification:

The National Institute of Standards and Technology (NIST) identifies the following information as potentially available through the Smart Grid:
1. Personal identification information (PII) such as the name and address of the consumer using the Smart Grid services, associated with the name and address of the consumer paying the utility bills (if they are separate entities), the account number (used by the utility to identify the consumer), and SSN
2. Equipment-specific information such as the IP address associated with the meter (if any), a unique identification number for the meter (such as the device ID), and equipment vendor information
3. Network parameters of the Home Area Network (HAN) used as a gateway to connect appliances to the Smart Grid and third-party providers
4. Service provider information pertaining to the utility supplying electricity
5. Aggregated information (seemingly anonymous) from a dedicated meter, such as the reading on the meter at a given point in time, average energy consumption, electricity bill due, and the billing and payment history

A gist of the kind of information that can be derived or extrapolated at any given point in time from the data communicated between the consumer and the service provider:

Exploited for surveillance of a suspect (by government entities or by service providers themselves):
• The time of day, duration, and frequency with which particular devices are used
• A homeowner's possession and usage of certain medical equipment (and the frequency at which it might be used), possible work schedules (based on presence or absence in the household), personal routines (shaving, showering, eating, playing video games, watching TV, vacuuming, exercising, sleeping, waking, etc.)
• The devices used in a particular portion of the household
• The whereabouts and travel time of an electric vehicle (EV), provided one is used by the household
• The number of individuals dwelling in the unit, where each individual is, what he/she is doing, and whether or not the house is occupied
• Access to call detail records collected by telecommunications providers

Exploited for marketing:
• The type of appliances and generators used by a consumer, based on equipment MAC address and signature
Exploited by outsiders:
• Information possibly shared on a social networking medium about the energy usage of a certain device used by the homeowner

B. Currently available privacy protection guidelines:

There are neither laws directed solely at Smart Grid security, nor any explicit references to privacy protection in the existing U.S. electricity delivery regulations. But there are general laws pertaining to privacy protection in the U.S. which could be adapted to suit Smart Grid data protection. These are elaborated in the NIST report [1].

Customers and service providers alike should be educated about these laws and the importance of privacy protection. Individuals whose data is collected should be informed about the purpose of data collection (performed legally) and should be notified of any attempted or actual breach of the collected information. Individuals should also be consulted for their consent when the purpose of information collection changes from the one stated earlier. Minimal, anonymized information should be obtained only as and when required, and this operation should be monitored and audited at all times. Policies and procedures should be regularly updated to meet the security needs for protecting personal information. All these and more are summarized in the privacy principles listed by NIST in their guidelines [1] for Smart Grid security:

The Fair Information Practice Principles (FIPP) provide a framework and guidelines for privacy protection targeted at institutions that participate in the collection, retention and distribution of data collected using automated data systems.

The American Institute of Certified Public Accountants (AICPA)'s Generally Accepted Privacy Principles (GAPP) has the following privacy principles in place:
• Management
• Notice
• Choice and consent
• Collection
• Use, retention and disposal
• Access
• Disclosure to third parties
• Security and privacy
• Quality
• Monitoring and enforcement

ISO/IEC 27001 - Information security management - is a security standard provided jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for systematically managing security assets.

The Organization for Economic Cooperation and Development (OECD) has its own set of privacy principles, listed as follows:
• Collection limitation principle
• Data quality principle
• Purpose specification principle
• Use limitation principle
• Security safeguards principle
• Openness principle
• Individual participation principle
• Accountability principle

NIST documents the Privacy Impact Assessment (PIA) findings focused primarily on the following ten principles, to ensure secure operation using the Smart Grid:
• Management and accountability
• Notice and purpose
• Choice and consent
• Collection and scope
• Use and retention
• Individual access
• Disclosure and limiting use
• Security and safeguards
• Accuracy and quality
• Openness, monitoring and challenging compliance
II. REVIEW OF AB-1274 PRIVACY: CUSTOMER ELECTRICAL OR NATURAL GAS USAGE DATA

AB-1274 is targeted at protecting PII such as name, address, account number, and electric or gas usage information stored, communicated and utilized by automated power supply entities via the advanced metering infrastructure tied to the Smart Grid. The law applies to third-party entities other than utilities that may require access to customers' PII in order to provide desired services to them, and encompasses the following aspects of data protection:
• It requires sensitive personal data to be stored in a secure manner and not be disclosed through unauthorized access, destruction, use, modification, disclosure or unprecedented events such as a disaster, thereby preventing misuse of personal information.
• A contract between a business (utility) and a third party should ensure that the third party follows certain security procedures and standards for using the customer data shared with it.
• The law mandates that prior consent be obtained from the consumer before data related to them is shared, in any manner, with a third party.
• Secure disposal of customer data (both electronic copies and paper) is required by law.

III. EXECUTIVE SUMMARY

A. Threat space:
• A threat to confidentiality arises when sensitive PII is not encrypted while in storage or in transit. It is also possible if strong authentication mechanisms are not in place.
• A threat to integrity occurs when the data source is not authenticated appropriately, or when access control is implemented so poorly that an outsider is able to tamper with sensitive data.
• A threat to availability stems from smart meter malfunction or corruption, either due to an internal fault or due to natural phenomena. Threats that exist due to inherent and unidentified loopholes in the smart meter system may result in the system breaking. Threats may otherwise arise as a result of a natural disaster, where data might be exposed or rendered unavailable.

AB-1274 addresses only the confidentiality of personally identifiable information pertaining to the customer. It does not address integrity protection or availability of information. Threats can arise from either intentional (masquerade attack, insider abuse, subversion by an outsider) or unintentional (improper disposal of collected data) disclosure of information to third parties. Once this happens, there is no guarantee that the third party will not share or use that data in unexpected ways. The threat of intentional disclosure of data is not addressed by AB-1274.

The policy summarized below addresses the confidentiality, integrity and availability of all the sensitive data items used in the Smart Grid application.

B. High level policy statements:

Some broad policy statements have been derived from the representation of the Smart Grid [FIGURE 1] available in the NIST document [1]:
1. Service provider (utility or third-party) information can be made publicly accessible, but unauthorized modification of this information should be prevented.
2. The following information should only be accessible to designated personnel operating on customer data on behalf of authorized entities:
   a. PII such as the customer's name, address and/or the bill payer's name and address, and SSN
   b. Customer account number - the unique identification number by which the service provider can identify the customer
   c. Network parameters of the customer's HAN such as the (gateway) IP address, device ID and MAC address of the advanced metering infrastructure (or smart meter), network keys, etc.
   d. Information communicated between the customer and the service provider at arbitrary intervals with respect to energy consumption, such as meter reading, bill amount due, billing history, payment history, information regarding any payment defaults, monitored load data, average energy consumption, etc.
   The authorized entities only include the user of the advanced metering infrastructure, the service provider(s), and the operations team when required.
3. The principle of least privilege should be enforced - for example, only aggregated meter data can be viewed by the service provider unless otherwise requested for specific purposes with the user's informed consent; minimal information (number of data parameters) should be obtained, and the frequency at which meter data is read should be kept at the bare minimum required for the efficient functioning of all entities in the Smart Grid.

FIGURE 1: Smart Grid Framework (figure not reproduced in the extracted text)
4. The customer and an authorized third party (other than a retail energy provider) would only have read access to the data collected by the smart meter, whereas the service providers would have both read and write access to the collected data so that they can perform billing and other manipulations over the data to extract useful information from it if required (with prior consent from the customer).
5. The information shared by the utility with an authorized third party (other than a retail energy provider), after obtaining consent from the end-user, should be treated before being shared. Data should be
   a. sanitized (cleanse out the sensitive data),
   b. anonymized (consistently substitute fake data in place of the original data), and
   c. aggregated (represented as a random statistical piece of information).
6. The customer using AMI should have discretionary access over what information is shared, to what extent, and to which entities (discretionary access is restricted to the extent that a customer can only "agree" or "disagree" to the request for consent made by the utility on behalf of a third party, within a set of constraints documented by the utility in the form of a digital contract).
7. Mandatory Access Control should dictate that authorization be mandatorily obtained from a customer before his/her information is shared with a third party [every time sensitive data is set to be shared,

C. High level mechanism/Implementation:
1. Physically or digitally, there must exist a prior contract of some kind between the customer and the service provider which sets out the procedures followed for smart meter data collection, purpose of use, retention and disposal as per law, and any additional terms decided between the customer and the utility.
2. A utility must explicitly obtain authorization from the customer in case the collected data is used for any purpose other than that stated in the contract - this is mandated by the Mandatory Access Control policy. Data (both physical documents and digitally stored information) should be retained only for as long as it is required and should be disposed of in a secure manner.
3. The energy/power usage data collected on a continuous basis should be stored in some form of hardware attached externally or housed within the smart meter, such as an encrypted storage device, so that it can be aggregated locally before being communicated to the third party (other than a retail energy provider). This could help prevent a data breach in the case of a user's HAN being compromised.
4. The aggregated data in the storage device should be encrypted using a strong encryption mechanism [2] before being sent over a potentially dedicated short-range communication channel (see footnote 1) between the customer and the service provider.
5. A multifactor authentication mechanism, possibly with some form of OTP [3], should be mandated for access to sensitive user information that is sent over the communication channel and stored at both ends (i.e., the customer's AMI and the service provider's database). The rules for setting a password should be stringent and must mandate a password change after regular pre-decided periods of time.
6. Firewalls should be set up at the customer end so that the user has knowledge of and control over data leaving the HAN through the customer-to-utility communication channel. Additionally, firewalls could be set up at the service provider's end to control what information is shared with a third party (other than a retail energy provider).
7. Reference monitor - completeness: Every access to sensitive user information at the utility's end should be mediated by an authorization mechanism and logged with a timestamp and other essential details, for identifying any attempts at unauthorized access.
8. An IDS should be implemented at the service provider's end to detect data breaches and curb them.
9. Reference monitor - verifiability: Audits should be conducted regularly in order to check whether the service provider is adhering to all the security procedures mandated by the law and documented and agreed upon in the contract signed between the customer and the service provider; checks should also be placed on the regular update and maintenance of the privacy principles governing the operation of the Smart Grid.
10. Reference monitor - isolation: Separation of duty is key to making the system tamper proof. Thus, employees handling such sensitive data must be assigned to different stages of data processing (for example, collection, billing, payments, etc.) such that the probability of them colluding to compromise the system is minimized.
11. Training should be provided to both service providers and customers using the AMI on aspects related to security; each entity should be made aware of the choices they are entitled to.

Reference monitor components:
Subjects: All entities involved in the Smart Grid. These are identified in the diagram derived from the NIST document.
Objects: All information types identified in the "A. Information identification and classification" section.
Reference Monitor: Monitors every subject's access, or attempt to access, objects.
Audit records: Stores details regarding the access/attempt in log files (which are read-only).
Authorization Database: Contains authentication information pertaining to employees of the service provider, the end-user, and the trusted third party; DAC authorization for identified users and groups as defined in the access control matrix; MAC authorization stating externally binding conditions, and the clearance for subjects associated with the classification of objects.

Footnote 1: "Dedicated short-range communications." Wikipedia [last modified 2015, Aug 11]. More information available at https://en.wikipedia.org/wiki/Dedicated_short-range_communications. Currently, this model is applicable only to the automotive industry. It remains to be explored whether such protocols could be applied to the Smart Grid.
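Example code (added here; it is not from the report, from NIST, or from any utility): a minimal reference monitor in Python that ties together the components tabulated above. It enforces the report's clearance ordering (Restricted > Confidential > Internal > Public) with "no read up" and "no write down", consults a prohibitive DAC matrix of R/W/S rights in which anything not granted is denied, refuses a share (S) to a third party unless the customer's consent is recorded, and appends every decision, granted or denied, to an audit log that subjects never read back. The subject and object names, matrix entries and consent record are constructed for illustration.

```python
"""Added example: a minimal reference monitor for the Smart Grid policy.
Combines the MAC clearance lattice (Restricted > Confidential > Internal > Public,
"no read up" / "no write down"), a prohibitive (default-deny) DAC matrix with
R/W/S rights, the consent condition on sharing with a third party, and an
append-only audit log. Subject names, object names, matrix entries and consent
records below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Classification / clearance lattice; a higher number is more sensitive.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    third_party: bool = False  # a third party other than a retail energy provider


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str
    owner: str  # customer whose consent governs any sharing of this object


@dataclass
class ReferenceMonitor:
    # DAC matrix: (subject, object) -> rights; a missing entry means denied.
    acm: Dict[Tuple[str, str], FrozenSet[str]]
    # Consent recorded through the digital contract: (customer, recipient, object).
    consents: Set[Tuple[str, str, str]] = field(default_factory=set)
    audit: List[dict] = field(default_factory=list)  # append-only log of every decision

    def _log(self, subject: Subject, obj: Obj, right: str, decision: bool, reason: str) -> bool:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": subject.name, "object": obj.name,
            "right": right, "decision": decision, "reason": reason,
        })
        return decision

    def mac_allows(self, subject: Subject, obj: Obj, right: str) -> bool:
        s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
        if right in ("R", "S"):   # reading, or sharing (a read by the grantor): no read up
            return s >= o
        if right == "W":          # writing: no write down
            return s <= o
        return False

    def check(self, subject: Subject, obj: Obj, right: str,
              recipient: Optional[Subject] = None) -> bool:
        # 1. MAC: clearance versus classification.
        if not self.mac_allows(subject, obj, right):
            return self._log(subject, obj, right, False, "MAC: clearance/classification mismatch")
        # 2. DAC: prohibitive matrix, denied unless the right is explicitly granted.
        if right not in self.acm.get((subject.name, obj.name), frozenset()):
            return self._log(subject, obj, right, False, "DAC: right not granted in ACM")
        # 3. Externally binding MAC condition on sharing with a third party.
        if right == "S":
            if recipient is None:
                return self._log(subject, obj, right, False, "S requires a recipient")
            if recipient.third_party and (obj.owner, recipient.name, obj.name) not in self.consents:
                return self._log(subject, obj, right, False, "no customer consent for third-party share")
            if not self.mac_allows(recipient, obj, "R"):
                return self._log(subject, obj, right, False, "recipient clearance too low for object")
        return self._log(subject, obj, right, True, "granted")


def demo():
    """Run the constructed scenario and return the decisions plus the audit trail."""
    billing = Subject("billing_team", "Internal")
    ops = Subject("utility_ops", "Confidential")
    customer = Subject("customer_42", "Restricted")
    partner = Subject("ad_partner", "Internal", third_party=True)
    averages = Obj("meter_42_averages", "Internal", owner="customer_42")
    pii = Obj("customer_42_pii", "Restricted", owner="customer_42")
    acm = {
        ("billing_team", "meter_42_averages"): frozenset({"R", "W"}),
        ("utility_ops", "meter_42_averages"): frozenset({"R", "S"}),
        ("customer_42", "meter_42_averages"): frozenset({"R"}),
        ("customer_42", "customer_42_pii"): frozenset({"R"}),
    }
    rm = ReferenceMonitor(acm)
    results = {
        "billing_reads_averages": rm.check(billing, averages, "R"),
        "billing_reads_pii": rm.check(billing, pii, "R"),               # no read up
        "customer_writes_averages": rm.check(customer, averages, "W"),  # no write down
        "share_without_consent": rm.check(ops, averages, "S", recipient=partner),
    }
    rm.consents.add(("customer_42", "ad_partner", "meter_42_averages"))
    results["share_with_consent"] = rm.check(ops, averages, "S", recipient=partner)
    return results, rm.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, allowed in decisions.items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print(f"{len(trail)} audit records written")
```

The three checks run in the order the report's table implies: the mandatory clearance test first, the discretionary matrix second, and the externally binding consent condition last, so a denial is logged with the first rule that failed. In a deployment the `audit` list would be a write-once store that the verifiability audits of item 9 read.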
D. Policy implementation breakdown:

Appropriate management of information is required for the secure and smooth functioning of any application, including the Smart Grid. The following Mandatory Access Control (MAC) classification of information (objects) and clearances (for subjects) can be made based on sensitivity and value to the entities involved:

Public: Service provider information - information about the vendors providing the AMI and the service provider offering the utility service. This comprises things like advertisements broadcast by the vendor, with broad statistics indicating the features and benefits of using AMI, which can be made available to the public.

Internal: Anonymously aggregated energy information such as meter readings, average energy consumption, billing information, payment information, payment defaults (if any), and disposal of collected information. This information is internal to the employees of the service provider and the operations team, who manage the aggregated information received from the smart meter. It can also be shared with the bulk generation facility, transmission and distribution offices, and the markets [if requested, with user consent]. These entities are granted access only on a need-to-know basis. Each functionality (such as data collection, billing, payment, and disposal) should be clearly demarcated and isolated from the others so that the operations at the utility provider's end are tamper proof.

Confidential: Equipment-related information such as device ID, IP address, and the associated user account [for delivery of bills to the household]. This category holds certain forms of metadata that can link the aggregated data received from an AMI to the corresponding customer information based on network parameters and device ID.

Separation of duty and anonymization: There is clear isolation between every level of clearance. For example, compare internal data with confidential data: employees who have access to internal data may simply get sets of information marked "Customer 1," "Customer 2," and so on. The order in which they are received can be tracked and linked, at the confidential level, to the location/device from which they were received. This way, an employee with clearance for "Internal" data would only be able to work with random values required to perform data collection or billing, without information about whose values they are, whereas employees with "Confidential" clearance would only be able to link processed data to be sent back to the customer in the form of a bill, and would not know the internal details of how the billing was done. Hence there is clear separation of duty.

Restricted: Personally identifiable information of the customer and of the entity or individual paying the utility bill (if they are different), such as name, address, account number, and communication channel related information such as network keys, source and destination IP verification, and a granular breakdown of energy data formally requested from the customer for a stated purpose. This information is to be held at the highest level of secrecy. It holds personally identifiable information protected by law. Information held at the restricted level requires written consent from the customer stating the purpose for which the data is collected, the purpose for which it will be used, the entities with which it could be shared, the amount of time for which it would be retained, and the manner in which it would be disposed of.

The order of clearance from higher to lower, following the "no read up" and "no write down" principle for subjects attempting to access these objects, is: Restricted > Confidential > Internal > Public

The customer, on the other hand, at the restricted level of clearance, does not have write access to the AMI but is allowed to read the details shown by the smart meter at the customer's end, and also has discretionary access over the type of data shared with a third party (discretionary access is restricted to the extent that a customer can only "agree" or "disagree" to the request for consent made by the utility on behalf of a third party, within a set of constraints documented by the utility in the form of a digital contract).

The MAC restricts the sharing of information: it does so by requesting user consent (the user must agree) every time an entity chooses to share information with another entity in the Smart Grid.

E. Role based access control:

Since the service provider employs multiple employees to manage different types of responsibilities, a role based access system would best suit such a need. The roles are: data collection team, billing team, payment processing team, back-up/information disposal team, device distribution team, grievance redressal team, technology team, higher management, and finally the end-user.
• Entities not mentioned in the access control matrix, such as the bulk generation facility, transmission and distribution units, operations unit, etc., fall under the "Internal" clearance level and can access only the aggregated energy information.
• Also not explicitly mentioned in the access control matrix are government entities that might want to access such information in relation to a certain court case. The government should first obtain a subpoena (official court order) for accessing such sensitive information. Once approved, the government entity could then request the customer information from the service provider, with express consent from the customer in this regard.

F. Access control matrix for discretionary control:

The access control matrix (ACM) used here is a prohibitive access control matrix, which means that all access rights mentioned here are denied unless explicitly granted. Access can be granted to employees internal to the utility on a need-to-know basis. But the underlying MAC should restrict the service provider's ability to grant access to an authorized third party (other than a retail energy provider) with the condition that consent be obtained from the customer. [The matrix itself is a table in the original slides and is not reproduced in the extracted text.]

Legend:
Ads: Advertisements/campaigns
Averages: Average power consumption
Spikes: Any unusual behavior in the power supply
Rate: The current price per unit of power (the value changes as per government regulations and needs to be kept up to date)
R: Read access
W: Write access
S: Grant/Share
Authentication checks: Checks both user-end authentication and authentication at every level of clearance
PII: Personally Identifiable Information pertaining to the customer
Granular data: Data collected at shorter time intervals (upon receiving user consent)

Note: In order to protect the confidentiality of sensitive user information, back-up of data should be done with k-anonymity (footnote 2) and l-diversity (footnote 3) in mind (the contents of collected information should be anonymized such that the k-anonymity and l-diversity values are both high).

IV. CONSIDERING OTHER MODELS FOR IMPLEMENTATION

The Smart Grid is network based, so the partitioned TCB method can be used to ensure that the policy is correctly implemented: the Smart Grid network is divided into components, and each policy subset is implemented correctly in its particular network component. That way, the complete policy is enforced by all the network components together. This model would give us the flexibility of implementing locally autonomous reference monitors for each domain. Also, since each component's subjects would only communicate with subjects of the same clearance level on the other components, there would be no need for discretionary access control in such a model.

Footnote 2: "k-anonymity." Wikipedia [last updated 2015, Jul 15]. More information available at https://en.wikipedia.org/wiki/K-anonymity
Footnote 3: "l-diversity." Wikipedia [last updated 2015, Aug 13]. More information available at https://en.wikipedia.org/wiki/L-diversity
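Example code (added here, not part of the report): a Python treatment of meter records in the three steps policy statement 5 requires - sanitize, anonymize by consistent "Customer n" substitution (the Confidential-level linkage described in section D), and aggregate - followed by the k-anonymity and l-diversity measurement the note above asks for before data is backed up or shared. The sample records, field names, ZIP generalization and usage buckets are constructed assumptions; the thresholds k >= 2 and l >= 2 are illustrative, not values the report prescribes.

```python
"""Added example: the treatment the report requires before sharing or backing
up meter data (sanitize, anonymize by consistent substitution, aggregate) and a
measurement of k-anonymity and l-diversity over the released rows. The sample
records, field names, ZIP generalization, usage buckets and thresholds are
constructed for illustration."""
from collections import Counter, defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# Constructed raw records as they would exist at the Confidential level before treatment.
RAW_RECORDS = [
    {"name": "A. Smith", "address": "12 Elm St", "ssn": "000-00-0001", "device_id": "M-1001",
     "zip": "90007", "kwh": [1.2, 1.4, 1.1, 1.3]},
    {"name": "B. Jones", "address": "34 Oak Ave", "ssn": "000-00-0002", "device_id": "M-1002",
     "zip": "90007", "kwh": [2.5, 2.4, 2.6, 2.5]},
    {"name": "C. Lee", "address": "56 Pine Rd", "ssn": "000-00-0003", "device_id": "M-1003",
     "zip": "90089", "kwh": [3.5, 3.2, 3.8, 3.1]},
    {"name": "D. Kim", "address": "78 Ash Ln", "ssn": "000-00-0004", "device_id": "M-1004",
     "zip": "90089", "kwh": [1.9, 1.8, 1.7, 1.8]},
    {"name": "E. Diaz", "address": "90 Fir Ct", "ssn": "000-00-0005", "device_id": "M-1005",
     "zip": "91302", "kwh": [1.0, 1.2, 0.9, 1.1]},
    {"name": "F. Roy", "address": "11 Elm St", "ssn": "000-00-0006", "device_id": "M-1006",
     "zip": "91311", "kwh": [2.2, 2.1, 2.3, 2.2]},
]
DIRECT_IDENTIFIERS = ("name", "address", "ssn", "device_id")  # stripped before release
QUASI_IDENTIFIERS = ("zip",)      # attributes an outsider could link to a household
SENSITIVE_ATTRIBUTE = "usage"     # the value the release is meant to protect


class Pseudonymizer:
    """Consistent substitution: the same device always maps to the same
    'Customer n' label. The mapping is the Confidential-level linkage the
    report describes and never leaves the utility."""

    def __init__(self) -> None:
        self._labels: Dict[str, str] = {}

    def label(self, key: str) -> str:
        if key not in self._labels:
            self._labels[key] = f"Customer {len(self._labels) + 1}"
        return self._labels[key]


def sanitize(record: dict) -> dict:
    """Step a: cleanse direct identifiers out of the record."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize_zip(zip_code: str) -> str:
    """Coarsen the quasi-identifier so that several households share each value."""
    return zip_code[:3] + "**"


def bucket_usage(readings: List[float]) -> str:
    """Step c: replace raw readings with an aggregated statistic."""
    avg = mean(readings)
    return "low" if avg < 2.0 else "medium" if avg < 3.0 else "high"


def treat(records: List[dict], pseud: Pseudonymizer) -> List[dict]:
    """Apply steps a, b and c to every record."""
    rows = []
    for rec in records:
        label = pseud.label(rec["device_id"])   # step b, taken before the key is removed
        clean = sanitize(rec)
        rows.append({"customer": label, "zip": generalize_zip(clean["zip"]),
                     SENSITIVE_ATTRIBUTE: bucket_usage(clean["kwh"])})
    return rows


def k_anonymity(rows: List[dict], quasi: Tuple[str, ...]) -> int:
    """Smallest number of rows sharing one combination of quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())


def l_diversity(rows: List[dict], quasi: Tuple[str, ...], sensitive: str) -> int:
    """Smallest number of distinct sensitive values within any such group."""
    groups = defaultdict(set)
    for r in rows:
        groups[tuple(r[q] for q in quasi)].add(r[sensitive])
    return min(len(v) for v in groups.values())


def prepare_release(records: List[dict], k_min: int = 2, l_min: int = 2):
    """Treat the records and report whether they meet the anonymity thresholds."""
    rows = treat(records, Pseudonymizer())
    k_val = k_anonymity(rows, QUASI_IDENTIFIERS)
    l_val = l_diversity(rows, QUASI_IDENTIFIERS, SENSITIVE_ATTRIBUTE)
    return rows, k_val, l_val, (k_val >= k_min and l_val >= l_min)


if __name__ == "__main__":
    released, k_val, l_val, ok = prepare_release(RAW_RECORDS)
    for row in released:
        print(row)
    print(f"k-anonymity={k_val} l-diversity={l_val} release_ok={ok}")
```

With the constructed records the two ZIP groups hold 4 and 2 rows, so k = 2, and the smaller group still contains two distinct usage buckets, so l = 2. A single record, or a group whose members all share one usage bucket, fails the check, which is the case the report's note is guarding against: a backup that is k-anonymous but not l-diverse still reveals the sensitive value of every member of a uniform group.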
V. GAPS IN THE ACCESS CONTROL POLICY

A. Risks due to missing requirements:
• Damage to a customer due to willful violation of private data will cost the service provider a fine of $500 and a greater loss of reputation; the violation could happen as the result of insider abuse (an employee of the service provider misuses customer information)
• Phishing - by posing as a government entity or a legitimate third party - to obtain authentication information. This can lead to the system being subverted
• Availability of data should be ensured at all times
• There is no way to check whether the service providers are indeed using the customer information for the purposes stated in their initial agreements
• There is no check on whether a given set of information has been disposed of after the period agreed in a contract
• The issue of covert channels for communication has not been addressed

B. Enhancements:
• Background checks should be performed on individuals employed by the service provider
• Training should be provided to employees regarding phishing, and employees must be asked to report such e-mails to higher management immediately
• Because storing information for a longer period of time can cause a lapse in security, information should be backed up in an aggregated and anonymized form (following the principles of k-anonymity)
• The law should mandate audits to perform regular checks on whether service providers are using customer information for the stated purpose
• The date (or frequency) of data disposal could be automated (or programmed through the meter) while setting up the AMI for a particular user. The date could later be modified with user consent in case an extension of some kind is required

C. Recommendations:
1. Notify the customer of an attempted data breach: the customer should be notified of an attempt at a data breach at the service provider's end and asked to make the necessary changes on the authentication front
2. Notify the customer of an actual data breach: the customer should be notified of an actual data breach at the service provider's end and told whether his/her data has been compromised, so that the customer can make an informed decision
3. Smart meters should be graded based on the security features they offer and the privacy protection policies effectively implemented by them, so that customers can make an informed decision about using a product
4. There should be a method to communicate

General notes: Entities manufacturing Smart Grid equipment should be audited for the implementation of stringent security protection features in their product; i.e., a security assessment of the product should be mandated before its distribution in the market. Documented security policies should be mandated
and their implementation should be audited regularly for third-party providers interested in targeting Smart Grid consumers.

VI. CONTEMPLATING A HIGH ASSURANCE ALTERNATIVE

The foundation of high assurance is a Trusted Computing Base (TCB), where the security perimeter is treated as the TCB boundary: everything inside is trustworthy and everything outside is untrusted. Multics was a relatively penetration-resistant TCB based on a formal security policy model, which employed stringent configuration management constraints for administrator and operator functions in the system. It had the mechanism to audit covert channels (which was stated as a risk in our current system).
• High assurance is possible when systems are not connected to a network. In the case of a Smart Grid, a "trusted path" between the customer and the service provider, or between any two entities in the grid, cannot be guaranteed. Implementation of the so-called "trusted path" is highly expensive.
• Multics was based on the Bell-LaPadula model, which works on the principle of "no read up" and "no write down." Although conceptually this is great for protecting data confidentiality, a system based on such a design is useless today, since it does not allow higher-level processes to issue commands to run lower-level processes.
• The Multics system was also based on the security of a kernel that was not as complex as the ones we deploy today. As the complexity of the kernel increases, the reference monitor becomes harder to implement and its security becomes much harder to prove.
Thus, not much value can be obtained from implementing a high assurance system for the Smart Grid.

VII. CONCLUSION

Smart Grid is no doubt paving the way to great bounds of innovation in the electricity sector. It is designed to bring convenience not just to the consumer but also to the service provider, in more ways than one. But ensuring the security of the data circulated in such a system is vital to the growth of such an invention. With its wide acceptance and more laws introduced to specifically address this goal, Smart Grid is here to stay.

VIII. REFERENCES

[1] NIST Smart Grid. "Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid." Guideline, August 2010.
[2] Li, Fengjun, Bo Luo, and Peng Liu. "Secure information aggregation for smart grids using homomorphic encryption." Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on. IEEE, 2010.
[3] Li, Depeng, et al. "Efficient authentication scheme for data aggregation in smart grid with fault tolerance and fault diagnosis." Innovative Smart Grid Technologies (ISGT), 2012 IEEE PES. IEEE, 2012.
[4] Chopra, Aneesh, and Vivek Kundra. "A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future." 2011.
