The document discusses security concerns for smart grids and outlines IBM's approach to addressing these concerns. It notes that smart grids require security at multiple points due to their use of IP protocols and open standards. It then lists IBM's portfolio of cybersecurity solutions for smart grids, which take a full lifecycle approach from defining security strategies to conducting security testing. The solutions are designed to help utilities meet NERC-CIP and other grid security standards.
2. What is involved in a smarter energy infrastructure?
[Diagram. Layers: 1. Smart, Connected Devices; 2. Integrated Communication Networks; 3. System Integration Platform; 4. Applications & Analytics; 5. Presentation. Qualities: Instrumented, Interconnected, Intelligent.]
Device labels: Electric Meters, In-Home Displays, Personal Computers, Load Control Devices, Smart Appliances, Handheld Data Devices, Gas Meters, Water Meters, Electric Vehicles, Outlets, Solar Panels, Reclosers, Condition Sensors, Voltage Controllers, Switches, Substation & Grid Devices, Smart Meters, In-home Devices, Ruggedised Laptops, Mobile Devices, Distributed Resources, Cell Phones, Wind Turbines, Energy Storage.
Network labels: Home Area Network, Neighborhood Network, Access Network, Backhaul Network, Extranet, Office Network.
Platform and application labels: Servers, EMS, System and Network Management, DMS, MDMS, Meter Data Collection, Load Control, GIS, Network Analytics, OMS, Asset Management, CIS, Call Management, Storage and Backup, Business Process Management, Computing Infrastructure, Application Integration, WMS, CHP, Systems Management, Security Management, Messaging & Web Services.
Presentation labels: Employee Portal/Dashboard, Field Employee Mobile Devices, Display Device Interface, Customer Mobile Devices, Customer Web, Paper Bills.
3. A smart grid needs security enforcement at multiple points. IP addressability and the use of open standard protocols for the control grid mean it must be securely protected at multiple points. Pike Research forecasts that the smart grid cyber security sector will increase from $1.2 billion in 2009 to $3.7 billion by 2015.
5. Information Sharing Components in a Smart Grid. Source: NIST Smart Grid Framework 1.0 (NIST = National Institute of Standards and Technology). Colored lines denote domain changes.
14. Gartner research, “Evolving Cybersecurity Issues in the Utility Industry”, 20/08/2010: “Utilities need to assess the risks and make good decisions over which controls are reasonable and appropriate for their situation”
15. Enterprise IT systems are increasingly becoming integrated with a broader set of operational technologies (OT). IT and OT will continue to become more entwined in terms of both technology and management. Source: Gartner Market Insight: Utilities Industry Primer, 2010, 19 August 2010.
Germany could soon be confronted with a problem: they will have too much solar power, unadapted to their lifestyle. The electric grid, designed for times that had far fewer consumers and producers than there are now, will ultimately come to an overload, says Stephan Köhler, head of DENA, Germany’s energy agency, to the Berliner Zeitung on Oct. 17.
This article explains the problem well; in essence, the traditional model, which relies on modulating production according to demand, does not work with renewables, which are intermittent and cannot be modulated at will. http://www.germanenergyblog.de/?p=4293
Indeed, in Germany there is talk of 30 GW from solar by the end of 2011, while in Italy at the end of 2009 we were still at 1 GW (although we have an installed capacity of about 5 GW from wind, which produces about 2% of the total energy consumed in Italy). So we still seem far from the German problem, but the following consideration on the balance between solar and wind at the level of the European system, and not only the national one, is interesting:
A smart, long-term solution comes from Tim Nuthall, from the European Climate Foundation in Brussels, Belgium, who says that “in Europe, you need a grid that balances the sun in the south with the wind in the north.” And he may be right. Denmark, for example, is a perfect recipient for the solar power produced in Germany or Italy, and their wind (which is much more than they need) is perfectly suited for generating energy for the Germans or some other southern countries.
REMUNERATION OF STRATEGIC INVESTMENTS (2008-2012)
Additional remuneration guaranteed for 8-12 years for new investments aimed at:
● Reducing congestion on the transmission grid
● Modernizing the distribution networks
The overall remuneration of strategic investments is currently between 9% and 10% in real terms before taxes.
Intelligent, Connected Digital Devices
● New devices and enhancements to existing devices for a variety of applications
● Embedded software
Integrated Communications Network
● Integrated, IP-based network segments that parallel the electricity network, connecting in the home, the neighborhood, and up the distribution and transmission network
● Using a variety of technologies and networking standards
Applications
● New applications and updates to traditional legacy systems that recognize and take advantage of the smart grid
Integration Platform
● ESB, infrastructure that ties it all together
The development of Smart Grids will lead to the introduction of millions of new intelligent components into the infrastructures that oversee the delivery of energy. Communications among these elements will be of an advanced kind (bidirectional, open protocols). This evolution opens new fronts for security:
● The protection of infrastructure that is critical for the economy and for nations
● The protection of privacy (knowledge of energy consumption profiles can reveal personal activities)
IBM End-to-end security for Smart Grids
Building blocks of Smart Grid include:
● Advanced Metering Infrastructure (AMI)
● The power grid
● Communications and information infrastructure
● Transmission and distribution control & automation
● Distributed and renewable generation
● Distributed Control Systems or SCADA (Supervisory Control and Data Acquisition)
● Home area networks for appliance management
● Electric vehicle refueling infrastructure
Protecting the Smart Grid is not like protecting a traditional IT data center:
● Widely dispersed sensors remote from the data center are more susceptible to attacks (for example: remote station managers in substations reporting on temperatures, oil pressures in transformers, switchgear).
● It involves heterogeneous technologies and proprietary protocols between sensors and devices, non-carrier-class communication, and control points that are not always standardized and secure. (Meters and concentrators often use loosely secured proprietary protocols.)
● Endpoints are often built on embedded systems with non-traditional operating systems, where normal security functions may not exist (example: SCADA system endpoints like PLCs, RTUs, concentrators).
● Cost-conscious endpoint vendors often cut corners for security (for example: factory-set cryptographic keys in electric meters).
In summary, end-to-end security for the Smart Grid involves multiple touch points in protecting a variety of endpoints, interfaces, networks, applications, and data to ensure we make the end-to-end system robust and impervious to attacks. A variety of technologies and scenarios come into play in protecting this space.
Why software security for Smart Grid systems
● Utilities’ legacy apps (IT and operational) have been getting the job done for decades, however ...
● Smart Grid functionality requires updates to legacy applications and whole new classes of applications linked to legacy ones.
● For utilities, ensuring this new code* is developed, deployed and integrated free of severe security vulnerabilities is now a critical responsibility.
*The responsibility for the security of acquired COTS Smart Grid software ultimately falls upon the utilities who purchase and deploy it.
Software security strategies depend on origin
Software you already made or bought:
● Identify it
● Prioritize it
● Probe it
● Analyze it
● Protect it
● Fix it (if you can)
● Rinse and repeat whenever it changes
Software you’re going to make (or have made for your org):
● Spec it
● Develop it securely and test it
● Deploy it
● Rinse and repeat whenever it changes
COTS software you’re going to buy:
● What is and is not acceptable to you
● What to ask the vendor re: security during development and in ongoing releases
● Can you protect it with systems already in place
So, in the ‘old days’ (Pre-1990) the big RF “worry” was a rogue dispatcher on the utility’s truck frequency. Now, SCADA is quite vulnerable. But SCADA is generally a “bulk” control via RF. For Smart Grid, one could conceptually not only turn off the power to a house, but could turn on the power or a device IN a house.
1 International Organization for Standardization
2 International Electrotechnical Commission (IEC)
3 Institute of Electrical and Electronics Engineers (IEEE)
For “Solution-driven energy,” “Smart grid enablement” can include:
● Real-world aware systems-of-systems architectures
● Modeling, analytics and optimization
● Renewable and EV integration and optimization
● Demand response
● Interoperability frameworks and messaging
● Cyber-physical system security
● Social computing
● Compute and storage clouds, high-performance computing (HPC)
● Intelligent buildings and green data centers
● Photovoltaics
● Battery storage for electric vehicles
● Chip and server systems power management
1 National Institute of Standards and Technology (NIST)
2 Department of Energy (DOE)
3 International Electrotechnical Commission (IEC)
4 International Organization for Standardization (ISO)
5 Joint Technical Committee (JTC)
6 Utility Communication Architecture (UCA)
7 OASIS
8 National Institute of Standards (NIST)
9 Organization for the Advancement of Structured Information Standards (OASIS)
10 Utilities Telecom Council (UTC)
11 Institute of Electrical and Electronics Engineers (IEEE)
IBM End-to-end security for Smart Grids
NERC is the North American Electric Reliability Corporation. CIP is Critical Infrastructure Protection. NERC-CIP 001-009 are nine compliance standards announced by NERC.
Other worldwide standards equivalent to NERC-CIP:
● UK: The Centre for the Protection of National Infrastructure: http://www.cpni.gov.uk/
● EU: European Network and Information Security Agency: http://www.enisa.europa.eu/pages/About_ENISA.htm
List of NERC-CIP Directives:
● NERC-001: Sabotage Reporting
● NERC-002: Critical Cyber Asset Identification
● NERC-003: Security Management Controls
● NERC-004: Personnel & Training
● NERC-005: Electronic Security Perimeter
● NERC-006: Physical Security of Critical Cyber Assets
● NERC-007: Systems Security Management
● NERC-008: Incident Reporting and Response Planning
● NERC-009: Recovery Plans for Critical Cyber Assets