
SUCCESS D4.2 v1.0

Page 1 (57)

SUCCESS

D4.2 v1.0

Solution Architecture and Solution Description, V2

The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700416.

Project Name SUCCESS

Contractual Delivery Date: April 30, 2017

Actual Delivery Date: April 30, 2017

Contributors: LMF, RWTH, EDD, P3E

Workpackage: WP4 – Securing Smart Infrastructure

Security: PU

Nature: R

Version: 1.0

Total number of pages: 57

Abstract: The SUCCESS project is developing a new approach to the security of energy systems, guaranteeing their security of operation. This report motivates and describes SUCCESS’s approach in relation to the threats to the energy system and the state of the art in mitigating those threats. It introduces the project and should be read first to get an overview of it. It describes the SUCCESS Architecture from the viewpoints of Utilities, Communication and Security and describes the SUCCESS Security Monitoring Solution, which is intended to detect cyber-attacks and provide mechanisms to mitigate the attacks.

Keyword list: Security, communication, Utility, Architecture, Security Monitoring, Threat, Countermeasure

Disclaimer: All information provided reflects the status of the SUCCESS project at the time of writing and may be subject to change.


Executive Summary

Cybersecurity is a serious and ongoing challenge for the energy sector, where ICT is growing in importance for infrastructure management. This is especially true for Distribution Grids, which have traditionally been passive and relatively unintelligent compared to Transmission Grids. Now, however, Distribution Grids must become active to cope with the increased penetration of Distributed Energy Resources and the new focus on the provision of services to end-customers, leading to a growing need for grid automation. Fulfilling this need is not trivial, given the size and complexity of Distribution Grids, which reach every single customer. This capillary structure calls for more distributed solutions and consequently new ICT architectures. The SUCCESS architecture supports bringing the final customers into the system while guaranteeing overall system-level security.

The SUCCESS project is developing an overarching approach to threat and countermeasure analysis with special focus on the vulnerabilities that could be introduced through Smart Meters. Starting from a security and privacy by design approach and placing resiliency and survivability in focus, the SUCCESS Security Monitoring Solution applies ICT in the energy domain to detect security threats to the Electricity Distribution Grid’s management and communication systems and execute countermeasures which mitigate these threats.

SUCCESS’s work covers three very different domains, Utilities, Communications and Security, which each have their own view of the world, their own concerns and their own terminology. This document acts as an introduction to, and motivation of, SUCCESS and its approach to cyber-security in the energy domain. This document describes the conceptual architecture of the SUCCESS system, based on an analysis of what features are expected to be supported in short-, medium- and long-term timescales, and the resulting implemented system, called the SUCCESS Security Monitoring Solution.

SUCCESS is developing a New-generation Open Real time smart Meter (NORM), which is a secure Smart Meter Gateway from which services can be offered securely to the customer. Accordingly, SUCCESS’s approach to threat and countermeasure analysis has a special focus on the vulnerabilities that could be introduced through Smart Meters and their associated architecture.

SUCCESS is developing a new mobile communications network function, the Breakout Gateway (BR-GW), which implements mobile core network functionality on an edge cloud system located at the eNodeB (the radio base station of 5G mobile systems). The BR-GW also supports distributed edge processing, allowing distributed automation functions to be realised at the edge of the power network, and can additionally implement real-time countermeasures to cyber-attacks.

The SUCCESS architecture includes a service-oriented distributed management platform for the energy domain, which allows interoperability between grid devices and utility management applications and addresses the Utilities’ need to provide services to end-customers.

SUCCESS is developing a two-level cyber-security monitoring solution. One level is designed for the single grid operator and one operates at European level to integrate and share knowledge among all the operators. The two levels interwork through a SUCCESS API.

The SUCCESS Security Monitoring Solution and its components reflect the results of the research being done in the project. Two examples of this are resilience-by-design, which counteracts cyber-attacks by decoupling data and functions in a virtual environment (so-called Double Virtualisation), and SUCCESS’s focus on attacks on synchronisation as a key element of Security by Design.


Authors

Partner                                          Name                    e-mail
OY L M ERICSSON AB (LMF)                         Patrik Salmela          [email protected]
RWTH Aachen University (RWTH)                    Padraic McKeever        [email protected]
                                                 Gianluca Lipari         [email protected]
ERICSSON GmbH (EDD)                              Dhruvin Patel           [email protected]
                                                 Syed Zain Raza Mehdi    [email protected]
                                                 Frank Sell              [email protected]
P3 ENERGY & STORAGE GmbH (P3E)                   Manuel Allhoff          [email protected]
Engineering – Ingegneria Informatica SPA (ENG)   Antonello Corsi         [email protected]
                                                 Giampaolo Fiorentino    [email protected]


Table of Contents

1. Introduction ..... 6
1.1 How to Read This Document ..... 6
2. Motivation for the SUCCESS Security Monitoring Solution ..... 8
2.1 Cyber-Attacks on the Critical Energy Infrastructures ..... 8
2.1.1 Attacks at TSO level ..... 8
2.1.2 Attacks at DSO level ..... 9
2.2 Concepts used by SUCCESS ..... 9
2.2.1 Security Concepts ..... 9
2.2.2 Utility Concepts ..... 10
2.2.3 Communication Concepts ..... 10
2.2.3.1 5G Key Enablers ..... 11
2.3 Evolution of Power Grid and Communications Networks ..... 12
2.3.1.1 Medium Term (2020+) ..... 12
2.3.1.2 Long term (2030+) ..... 13
2.4 Challenges in Securing Smart Grids Addressed by SUCCESS Solution ..... 14
2.4.1 Wide-area Security Monitoring ..... 14
2.4.2 Local-area Security Monitoring ..... 16
2.4.3 Smart Meter Gateway Challenges ..... 17
2.4.4 Privacy, Security, Resilience, Survivability of Smart Grids ..... 18
2.4.5 Communications as a Key Enabler for Smart Grids ..... 20
2.5 Answering the Challenge: SUCCESS Security Monitoring Solution ..... 21
3. SUCCESS Architecture ..... 25
3.1 Stakeholders and Concerns in SUCCESS Architecture ..... 25
3.1.1 Stakeholders in SUCCESS Architecture ..... 25
3.1.2 Concerns of Stakeholders in SUCCESS Architecture ..... 25
3.2 SUCCESS Architecture Overview ..... 26
3.3 SUCCESS Architecture: Utility View ..... 28
3.3.1 Concerns and Stakeholders ..... 28
3.3.1.1 Concerns ..... 28
3.3.1.2 Stakeholders ..... 28
3.3.2 Utility Conceptual Model: Timescale Today ..... 29
3.3.3 Utility Conceptual Model: Timescale 2020+ and 2030+ ..... 29
3.3.4 Utility Topological Model Timescale 2020+ and 2030+ ..... 33
3.4 SUCCESS Architecture: Communication View ..... 33
3.4.1 Concerns and Stakeholders ..... 33
3.4.1.1 Concerns ..... 33
3.4.1.2 Stakeholders ..... 34
3.4.2 Communication Conceptual Model ..... 34
3.4.3 Communication Topological Model ..... 35
3.5 SUCCESS Architecture: Security View ..... 37
3.5.1 Concerns and Stakeholders ..... 37
3.5.1.1 Concerns ..... 37
3.5.1.2 Stakeholders ..... 39
3.5.2 Security Conceptual Model ..... 39
3.5.2.1 Security Conceptual Model Timescale 2020+ and 2030+ ..... 40
3.5.3 Security Topological Model ..... 42
3.5.3.1 SUCCESS API ..... 43
3.5.3.2 Threat Detection and Countermeasures ..... 44
3.5.4 Security Components ..... 45
3.5.4.1 Communications Security ..... 45
3.5.4.2 Physical Security ..... 46
3.5.4.3 Other Security Measures ..... 47
3.5.4.4 Double Virtualisation ..... 47


4. Implementing the SUCCESS Security Monitoring Solution ..... 48
4.1 Operation Sequences of SUCCESS Security Monitoring Solution ..... 51
5. Conclusions ..... 53
6. References ..... 54
7. List of Abbreviations ..... 56


1. Introduction

Cybersecurity is a serious and ongoing challenge for the energy/electricity sector. Addressing cybersecurity is critical to enhancing the security and reliability of both the transmission and distribution electricity grids. Cyber threats to electricity delivery systems can impact national security, public safety, and the national economy. Because the private sector owns and operates most of the energy sector’s critical assets and infrastructure, and governments are responsible for national security, securing energy delivery systems against cyber threats is a shared responsibility of both the public and private sectors. A common vision and a framework for achieving that vision are needed to guide the public-private partnerships that will secure electricity delivery systems.

In the past, ensuring a resilient HV electricity grid has been particularly important since it is one of the most complex and critical infrastructures, upon which other sectors depend to deliver essential services. However, the world of energy is changing and the electrical grid is at the centre of this change. In a nutshell, this change is defining a new role for the end customers, summarised by the expression customer-centric grid. Users are becoming prosumers and thereby playing a new role in grid operations. This new role of the customers corresponds to the progressive deployment of Distributed Energy Resources (DER) and Renewable Energy Sources (RES), in particular those that are substituting the traditional power plants. In this new scenario, the complete grid operations will be turned upside down. Traditionally, grids have been managed with a centralised, top-down approach, while in this new structure a decentralised, bottom-up approach looks more reasonable.

Accordingly, it is expected that this new architecture will require a wider use of Information and Communication Technology (ICT) to support the distributed architecture and provide the needed intelligence: this is what is commonly called the Smart Grid. The main impact of the Smart Grid is on the so-called Distribution Grid, i.e. that part of the electrical grid dedicated to distributing power from the main load nodes to the final customers. Distribution Grids typically comprise the part of the infrastructure at Medium and Low Voltage (MV and LV). This section of the grid is traditionally passive and has not yet been subject to significant automation. In accordance with the centralised view, automation has traditionally been deployed in the Transmission System (i.e. the High Voltage, HV, section of the infrastructure): this is the part where large power plants are connected. The new distribution grid is called the Active Distribution Network (ADN), stressing the fact that power is now generated at every voltage level (think of Wind and PV plants which, depending on their size, can be connected at LV, MV or HV level) and that the Distribution Grid is no longer a passive infrastructure. Exactly for this reason, there is a growing need for automation in Distribution Grids. Fulfilling this need is not trivial, given the size and complexity of Distribution Grids, which reach every single customer. This capillary structure calls for more distributed solutions and consequently new ICT architectures. Such architectures should be able, on the one hand, to bring the final customers into the system and, on the other hand, to guarantee the overall system-level security of the infrastructure.

1.1 How to Read This Document

This document is intended to introduce the SUCCESS project. It should be the first project deliverable that an interested reader should consult.

The information in this document is supplemented by the following further detailed SUCCESS results which are listed in the order of their suggested reading:

the results of the Threat Analysis, which forms the basis of the design, implementation and field testing performed in SUCCESS, are available in D1.2 [2];

D4.4 [1] describes the software and hardware components produced by, or used by, the SUCCESS Security Monitoring Solution and the countermeasures it applies;


the results of research into privacy aspects of developing countermeasures are available in D2.1 [3] and the architectural consequences of privacy are described in D3.2 [7];

the pan-European Security Monitoring Centre, which performs wide-scale monitoring of the status of critical infrastructures, is detailed in D4.7 [10];

the results of research into the areas of security, resilience and survivability (WP2) are available in D2.2 [4], D2.4 [5] and D2.6 [6] respectively;

details of the DSO Security Monitoring Centre, which identifies attacks and applies countermeasures on DSO-level, are given in D3.4 [8];

the unbundled next Generation Smart Meter (NORM) is described in D3.7 [9];

the approach to feature testing and certification is described in D3.13 [11].

Work Package 4 of SUCCESS will design the architecture of the SUCCESS system, including solutions for Security Monitoring and Communications. This report is an output of Task 4.2 of SUCCESS and is the second of three versions of this document, updating D4.1.

The structure of this document is as follows:

Details of the motivation for SUCCESS’s approach to securing critical infrastructures are given in Chapter 2.

SUCCESS is concerned with cyber-security and communications in distributed energy grids. It is concerned not just with the intersection of these three main areas, but with making a system that adequately addresses the concerns of all of them. The architecture of the system is described from four different perspectives in Chapter 3 of this document: first, an overview of the SUCCESS architecture is given; second, views of the SUCCESS architecture from the perspectives of the Utility, Communications and Security are given.

The abstract SUCCESS architecture is realised in the SUCCESS Security Monitoring Solution, which is described in Chapter 4. This is the system produced by the SUCCESS project, which will be instantiated in the SUCCESS trial sites and will be available to DSOs and TSOs to be instantiated in their infrastructures.


2. Motivation for the SUCCESS Security Monitoring Solution

The motivation for the SUCCESS Security Monitoring Solution is firstly to address cyber-attacks in Smart Grids, an extensive list of such attacks being given in D1.2 [2]. Chapter 2.1 describes some recent cyber-attacks on Smart Grids. SUCCESS addresses the overlap between the domains of Utilities, Communications and Security: background concepts and information on these domains are given in Ch. 2.2 and their expected evolution over the next decades is outlined in Ch. 2.3. The next sub-chapter, Ch. 2.4, goes into detail on the challenges which exist in the areas of security monitoring, Smart Meter Gateways, achieving privacy, security, resilience and survivability in Smart Grids, and Smart Grid communications; it outlines the gaps in existing approaches and the way that SUCCESS will address these gaps.

2.1 Cyber-Attacks on the Critical Energy Infrastructures

Addressing cybersecurity is critical to enhancing the security and reliability of both the transmission and distribution electricity grids. Ensuring a resilient HV electricity grid is particularly important since it is one of the most complex and critical infrastructures that other sectors depend upon to deliver essential services. Over the past two decades, the roles of electricity sector stakeholders have shifted: generation, transmission, distribution and supply functions have been separated into distinct markets; customers have become generators using distributed generation technologies; and vendors have assumed new responsibilities to provide advanced technologies and improve security. These changes have created new responsibilities for all stakeholders in ensuring the continued security and resilience of the electricity Transmission and Distribution grids.

Cybersecurity is a serious and ongoing challenge for the energy sector. Cyber threats to electricity delivery systems can affect national security, public safety, and the national economy. Because the private sector owns and operates many of the energy sector’s critical assets and infrastructure, and governments are responsible for national security, securing energy delivery systems against cyber threats is a shared responsibility of both the public and private sectors. A common vision and a framework for achieving that vision are needed to guide the public-private partnerships that will secure electricity delivery systems.

There have been many recent cyber-security attack events in the electricity grid. Here is a list of the most relevant and recent ones registered in the electricity HV transmission grid and in the electricity distribution grids.

2.1.1 Attacks at TSO level

50Hertz is one of the four German TSOs (Transmission System Operators) and the key player among the world’s TSOs in integrating renewables. In fact, 38% of the energy transmitted by 50Hertz is produced from renewable sources. On 20 November 2015, the ICT systems of 50Hertz came under attack, which shows that the growing concerns about the vulnerability of smart grids to digital assaults are not overstated.

The onslaught, which was “serious but not dangerous" according to 50Hertz, lasted five days and came in the form of a DDoS attack (Distributed Denial of Service) against the company's internet domain, which resulted in the breakdown of the website and of the externally accessible services, such as the mail service. The attackers have not been identified, but the IP addresses involved have been traced to Russia and Ukraine.

Although no transmission infrastructure or electricity supplies were affected by the assault, 50Hertz took it seriously and discussed it at a meeting of ENTSO-E (European Network of Transmission System Operators for Electricity).

The security of ICT systems operating power grids must be a priority for energy operators, according to a report recently produced by McAfee. Growing automation of power grids means higher vulnerability to cyber threats. In addition, the risks are higher for an old physical infrastructure. For 50Hertz, securing its system implies high investments. [31]


2.1.2 Attacks at DSO level

It is clear that cyber-security attacks are not only a possible threat, but have already been proven to be possible. At DSO level, the most recent such event is the Ukraine cyber-attack which took place on 23 December 2015, where at least two DSOs were hacked at dispatch level and more than 200,000 people were disconnected from the distribution grid by malicious commands in substations of the power grid. According to [10], seven 110 kV and twenty-three 35 kV substations were disconnected for three hours. In the document, it is said that “the attackers demonstrated a variety of capabilities, including spear phishing emails, variants of the BlackEnergy 3 malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold into the Information Technology (IT) networks of the electricity companies”.

2.2 Concepts used by SUCCESS

This chapter outlines some existing concepts used in the areas of security, utilities and communications, which are needed to understand the area with which the SUCCESS project is concerned.

2.2.1 Security Concepts

Security is the degree of resistance to, or protection from, harm. As with any communication system, the three high-level security objectives in Smart Grids are:

Availability: Ensuring timely and reliable access to and use of information. This is important because a loss of availability is the disruption of access to or use of information, which may further undermine power delivery.

Integrity: Guarding against improper information modification or destruction ensures information non-repudiation and authenticity. A loss of integrity is the unauthorised modification or destruction of information, which can further induce incorrect decisions regarding power management.

Confidentiality: Preserving authorised restrictions on information access and disclosure mainly protects personal privacy and proprietary information. This is, in particular, necessary to prevent unauthorised disclosure of information.

To ensure security, one must rely on cryptography. Cryptography is the practice and study of techniques for ensuring secure communication in the presence of third parties called adversaries. In cryptography, encryption refers to the process by which messages or information are encoded in such a way that only authorised entities can decipher them. A digital signature, on the other hand, is used for demonstrating the authenticity of a digital message. Symmetric-key algorithms are cryptographic algorithms for encryption that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. Public-key cryptography, or asymmetric cryptography, on the other hand is a cryptographic system that uses a pair of keys: public keys that may be distributed widely, and private keys that are known only to the owner. With asymmetric keys, two functions can be achieved: using a public key to authenticate that a message originated from a holder of the corresponding private key; or encrypting a message with a public key to ensure that only the holder of the corresponding private key can decrypt it.

Any system is open to various threats. Even if the security design is good, there is typically still the possibility of security incidents, as a 100% secure system covering all possible threats is too expensive, and often not even possible, to design. The security of the system should be designed based on its security requirements, risk analysis and a definition of what are acceptable risks. When a threat is actualised, we call it a security incident. It can be the result of malicious activity, human error or device malfunction. The actions taken to counter an incident we call a countermeasure, which is a set of actions taken to recover from and minimise the effects of the incident. As an example, encryption is part of the security design. A threat to this could be the possibility of an attacker obtaining the encryption key and using it to inject his own messages. The related incident would be the actual leakage of the encryption key and its misuse, and the countermeasure could include the steps of revoking that key and re-bootstrapping a new key to the affected device, as well as taking measures to protect against similar key leaks in the future, e.g. through software updates to fix some security vulnerability in the node.
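The key-leak example above, worked through in code as an added illustration (not code from the SUCCESS project): a hypothetical monitoring-centre key registry where each device authenticates its messages with an HMAC under a shared symmetric key, an injected message under the leaked key that verifies exactly like a genuine one (the incident), and the countermeasure of revoking that key version and re-bootstrapping a new one. The wire format, device id and registry API are constructed for the example.

```python
"""Threat -> incident -> countermeasure for a leaked device key (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    key: bytes
    key_version: int = 1
    revoked_versions: set = field(default_factory=set)


def sign_message(device_id: str, key: bytes, key_version: int, payload: bytes) -> bytes:
    """Constructed wire format: device_id|key_version|payload|hex(HMAC-SHA256 tag)."""
    head = f"{device_id}|{key_version}|".encode() + payload
    tag = hmac.new(key, head, hashlib.sha256).hexdigest().encode()
    return head + b"|" + tag


class KeyRegistry:
    """Hypothetical key store of the monitoring centre."""

    def __init__(self) -> None:
        self.devices: dict[str, DeviceRecord] = {}
        self.audit_log: list[str] = []

    def bootstrap(self, device_id: str) -> bytes:
        """Initial key provisioning: part of the security design."""
        key = secrets.token_bytes(32)
        self.devices[device_id] = DeviceRecord(key=key)
        self.audit_log.append(f"bootstrap {device_id} key v1")
        return key

    def verify(self, wire: bytes) -> tuple[bool, str]:
        """Accept a message only under the device's current, non-revoked key."""
        try:
            head, tag = wire.rsplit(b"|", 1)
            device_id_b, version_b, _payload = head.split(b"|", 2)
            device_id, version = device_id_b.decode(), int(version_b)
        except ValueError:
            return False, "malformed message"
        rec = self.devices.get(device_id)
        if rec is None:
            return False, "unknown device"
        if version in rec.revoked_versions:
            return False, f"revoked key v{version}"
        if version != rec.key_version:
            return False, f"unexpected key v{version}"
        expected = hmac.new(rec.key, head, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        return True, "ok"

    def revoke_and_rebootstrap(self, device_id: str) -> bytes:
        """Countermeasure: retire the leaked key version and issue a fresh key."""
        rec = self.devices[device_id]
        rec.revoked_versions.add(rec.key_version)
        rec.key_version += 1
        rec.key = secrets.token_bytes(32)
        self.audit_log.append(
            f"incident {device_id}: key v{rec.key_version - 1} leaked and revoked; "
            f"re-bootstrapped key v{rec.key_version}"
        )
        return rec.key


def run_scenario() -> dict[str, tuple[bool, str]]:
    """Walk the lifecycle for one constructed device, 'meter-42'."""
    registry = KeyRegistry()
    key_v1 = registry.bootstrap("meter-42")
    results: dict[str, tuple[bool, str]] = {}
    # Design: a genuine reading under the provisioned key is accepted.
    genuine = sign_message("meter-42", key_v1, 1, b"reading=1234.5kWh")
    results["genuine_before"] = registry.verify(genuine)
    # Threat actualised: an attacker holding the leaked key produces a message
    # that is cryptographically indistinguishable from a genuine one. The HMAC
    # cannot flag it; detection has to come from the monitoring layer.
    injected = sign_message("meter-42", key_v1, 1, b"cmd=disconnect")
    results["injected_before"] = registry.verify(injected)
    # Countermeasure: revoke key v1 and re-bootstrap v2 on the affected device.
    key_v2 = registry.revoke_and_rebootstrap("meter-42")
    results["injected_after"] = registry.verify(injected)
    results["genuine_after"] = registry.verify(
        sign_message("meter-42", key_v2, 2, b"reading=1240.0kWh"))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{name:16s} accepted={ok} ({why})")
```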

2.2.2 Utility Concepts

Electrical grids are traditionally divided into three parts: generation, transmission and distribution. The traditional energy flow is from large, centralised Generation plants, over long distances through High Voltage Transmission lines to the Medium- and Low-Voltage Distribution Grid, where the end-consumers are reached. De-centralised generation and storage is performed by distributed energy resources (DERs), with a generation capacity typically in the range of kW to MW. With the increasing penetration of Distributed Renewable Energy sources, significant amounts of energy are being generated in de-centralised, small plants and fed into the Distribution Grid directly at MV and LV levels. A term related to DER is Renewable Energy Sources (RES), which, however, excludes the usage of non-renewable energy sources, such as hydrocarbon fuels.

The conventional electricity network becomes a Smart Grid when it is enhanced with IT, communication, measurement, control, and automation technology. "Smart" means that network states can be monitored in real-time and that control and regulation of the network becomes possible, so that the existing network capacity can actually be fully utilised. Transmission grids have been “smart” in this sense for a long time already, with extensive measurement and control equipment. However, the Transmission Grid is relatively small in extent compared to the Distribution Grid, which has very little “smartness” so far, effectively being a passive receiver of energy generated by large power plants and transmitted through the “smart” Transmission Network. The term Active Distribution Network (ADN) is used for the “smart” Distribution Grid, emphasising that it is no longer an unintelligent, passive network.

Vertical integration is an arrangement in which the supply chain of a company is owned by that company. Contrary to horizontal integration, which is a consolidation of many firms that handle the same part of the production process, vertical integration is typified by one firm engaged in different parts of production.

2.2.3 Communication Concepts

Telecommunications networks consist of access networks and the core network. The core network is the central part of a telecommunications network that provides various services to customers who are connected through various access networks. Examples of access networks are the fixed access network, where customers use landlines, and mobile access networks, where there have been several different systems and generations, such as GSM and LTE. Mobile communications are in a continuous flow of evolution: roughly every ten years a completely new mobile standard emerges, such as GSM, UMTS, LTE and soon 5G. Future mobile networks will enable the transition towards the Networked Society, where all devices are connected and can directly exchange information. 5G networks will reach European markets by the year 2020, and they will support new types of communication services that are highly scalable in terms of speed, reliability, capacity, availability and latency. On top of that, 5G will connect billions of devices that are inexpensive to make and maintain and that are energy-efficient. These demands put new requirements on connectivity and set the scene for the move from LTE technology to the next generation of wireless access, 5G. Figure 1 shows how mobile communications is evolving, and the road towards 5G networks. Key technology enablers for 5G include Network Slicing, end-to-end (E2E) security, Network Function Virtualisation (NFV), new Radio Access Networks and Software-Defined Networking (SDN).


Figure 1: 5G Access time plan

2.2.3.1 5G Key Enablers

5G systems will be built using key technologies that are realised more as logical than physical resources. The following technologies enable us to utilise 5G as a communications technology for the SUCCESS Security Monitoring Solution.

2.2.3.1.1 5G Radio Access

5G radio enables a wide range of future wireless use cases with customised connectivity. 5G systems will be based on a flexible radio-access solution that can support different requirements and deployment types. In 5G radio access, the system will be able to operate over a wide spectrum, from below 1 GHz to extremely high frequencies above 10 GHz. The lower frequency range will enable low latency and ultra-high reliability; the ranges above 10 GHz will deliver extreme data rates and extremely high capacity in dense areas [26].

2.2.3.1.2 Network Function Virtualisation

NFV allows a network function to be implemented programmatically instead of by a physical piece of hardware. The most significant benefit brought by NFV is the flexibility to execute network functions independent of their locations. The network functions can be executed in different places for different network slices. By placing network functions accordingly, the same physical hardware can provide connectivity with different latencies [26].

2.2.3.1.3 Network Slicing

Current network systems have made it difficult to scale and adapt to changing subscriber demands and meet the requirements of emerging use cases. This has given birth to network slicing which is based on network function virtualisation. Network slicing in 5G enables different users to use communication network facilities with characteristics tailored to their needs. Characteristics such as bandwidth, latency and QoS settings will be customisable. Each slice can have its own management function, security enablers and network topology. For instance, critical energy functions can be supported by their own network slice and are not disturbed by other mobile traffic.

2.2.3.1.4 Devices

We distinguish between massive and critical communications scenarios as they have contrasting communications requirements. Depending on the specific use case under consideration, functionality designed for one of these scenarios will be considered as part of a solution. Figure 2 visualises the two different use cases, with varying requirements.


Figure 2: Massive Communication and Critical Communication [27]

Massive communication devices need to have a very low manufacturing cost, low power consumption and high scalability. One of the requirements for massive machine-type communication (MTC) is ultra-long range, which is supported by EC-GSM-IoT (extended coverage, connecting GSM radio to the 5G core) [47]. It supports a 20 dB coverage improvement and can be deployed in existing GSM networks [24]. NB-IoT technology covers all the required components: low complexity, low energy and long range. One example of the use of such devices is connecting sensors, or an Advanced Metering Infrastructure (AMI), which differs from traditional Automatic Meter Reading (AMR) in that there is two-way communication with the meter. Critical MTC devices require higher availability and reliability along with low latency. Latency reduction techniques are standardised in 3GPP releases [46]. Smart Grid applications such as grid monitoring and control require very low latency and ultra-reliability, which is covered by the LTE evolution. Such devices are also suitable for use in intelligent transport systems [44]; see Figure 2 above.

2.3 Evolution of Power Grid and Communications Networks

Power Grids are currently experiencing the effects of a change in the balance of generation, from being overwhelmingly based on large centralised generators to a situation where greater amounts of generation come from distributed sources, combined with more grid automation, especially in Distribution Grids. Communications Networks have developed at a breath-taking rate in the last decades and the pace of development looks set to be maintained. It is a truism that the only constant is change, but no one knows which specific changes will come. Even so, it is worthwhile to attempt to list some expected changes, in order to set the scene for the development of the SUCCESS Security Monitoring Solution. In the lists below, two timeframes have been considered: medium and long term. The lists represent what experts from the SUCCESS project in the fields of Power Grids and Communication Networks anticipate as developments.

2.3.1.1 Medium Term (2020+)

Power Grid:

- Real-time Smart Meters (SM)
- Increase in penetration of renewables
- Increased deployment of storage systems
- More sensors in Distributed Generation (DG) to ensure voltage stability
- More grid automation in MV/LV grids
- Move to a bottom-up approach to grid management
- More automatic fault detection
- Advanced energy management systems
- Flexible tariffs (the US was already offering hourly prices in 2016)
- Demand response solutions
- Growth in the energy services market
- Shift to platform-based services offered in the cloud, remote from the energy provider (security monitoring centre)
- In Germany, no nuclear by 2022, but more nuclear in other countries
- Increase in Electric Vehicles (EVs)
- Cyber security requirements increase; SCADA system requirements are a hot topic
- Security of supply concerns increase as renewables increase
- Smart Meter deployment differs between countries
- More energy management: Smart Meters will not be stand-alone but integrated with Smart Home, smart management and Energy Management (EM) systems
- Flexible tariffs: still at an early stage, not by 2020, but in the US they have had hourly pricing for the last five years. First movers in Germany will have this by 2020, others earlier
- Services increasing already. Demand response will increase, with a trend towards offering services rather than products (e.g. offer and maintain PV panels)

Communication Technologies:

- Narrowband IoT communication: LTE with very big cells; devices can be reached in areas without voice coverage, because voice needs 20 dB more signal power
- 5G communications (first deployment)
- Software-Defined Networking (SDN)
- Network Functions Virtualisation (NFV)
- Low-cost LTE IoT modems (long battery life, limited throughput, latency 200 ms with optimisation, small enough to fit in a watch, <10 €; mass market in 2017)
- Cyber security requirements increasing

2.3.1.2 Long term (2030+)

Power Grid:

- Microgrids planned as recovery from blackouts
- Microgrids as neighbourhood power networks (peer to peer)
- Cyber security a major issue
- Privacy-related concerns
- Renewables penetration >75%
- Energy as a Service will be a major market force, e.g. rent a heating system (owned by the energy provider) and buy energy (kWh per year)
- Evolution in market structure (integrated supply of gas, power and internet)
- Power grid architecture change (real-time control and automation down to LV level, distributed control, more meshed networks, more interconnects in the EU, more cloud-based control systems)
- Oil will be less relevant
- EV penetration >25% (maybe >50%)
- Integrated cross-sector optimisation (transport, power, energy)
- Better generation and consumption forecasting, essential for power grid stability
- LV network architecture evolving, with EVs and storage systems in houses
- Germany will still be in transition towards renewables, e.g. it is building gas turbines now; a reserve of power plants in the system will still be in place (reserve inertia)
- Regulatory changes (pay for power and not energy)
- Services sold together with free goods (e.g. free USB sticks)
- User expectations (acceptance of technologies)
- Sharing economy
- Security problems

Communication Technologies:

- 5G communications widespread deployment
- Network Slicing available
- Breakout Boxes enabling microgrid recovery from blackouts
- Double Virtualisation available as a solution
- Security improved to the extent that the currently known threats are mitigated by defining a new Architecture which is deployed by 2030 (SUCCESS ambition, possible scenario)
- Updates quick and automatic for new threats (from several weeks now down to one hour in 2030)
- Distribution of Precision Time Protocol (PTP) for synchronisation of devices (e.g. low-cost PMUs)
- More sophisticated attacks and detection systems: who wins the race? The battleground moves to new levels
- Standard security commonplace in energy and built into budgets
- Attacks increasingly organised on a large scale rather than by individual hackers
- New disruptive technologies, currently not on our radar, will appear and introduce new threats

2.4 Challenges in Securing Smart Grids Addressed by SUCCESS Solution

This chapter surveys the challenges in securing Smart Grids from several viewpoints: wide-area and local-area Security Monitoring, Smart Meter Gateways, Privacy, Security, Resilience and Survivability, and Smart Grid Communications.

2.4.1 Wide-area Security Monitoring

Regional Security Coordinators (RSCs) are regional companies created by transmission system operators (TSOs) to assist them with services to maintain the operational security and efficiency of the electricity system. In particular, RSCs coordinate in almost real time between TSOs across country borders to integrate more renewables into the grid and to reduce carbon emissions.

Hence, RSCs (1) increase system operation efficiency, (2) minimise the risk of wide-area events (e.g. brownouts and blackouts), and (3) lower costs through maximised availability of transmission capacity to market participants. RSCs are monitored by the European Network of Transmission System Operators (ENTSO-E), which will ensure that the RSCs are developed consistently with EU legislation [31].

Currently, three operational RSCs are established and one further is planned:

1. Transmission System Operator Security Cooperation (TSC) with its service company TSCNET Services was launched in 2008 as the first RSC. Its members are 50Hertz (Germany), Amprion (Germany), APG (Austria), ČEPS (Czech Republic), ELES (Slovenia), Energinet.dk (Denmark), HOPS (Croatia), MAVIR (Hungary), PSE (Poland), Swissgrid (Switzerland), TenneT (Germany), TenneT (The Netherlands), and TransnetBW (Germany). [32]

2. Security Coordination Centre SCC, Ltd Belgrade (SCC) was founded in 2015 for Southeast Europe by JP "Elektromreža Srbije" - EMS (TSO of Serbia), Crnogorski Elektroprenosni Sistem ad - CGES (TSO of Montenegro) and Nezavisni Operator Sistema u BiH - NOS BiH (TSO of Bosnia and Herzegovina). [33]

3. Founded in 2008, CORESO started to coordinate services with TSOs, where the TSOs remain responsible for operation. Members are Terna (Italy), 50 Hertz (Germany), Elia (Belgium), National Grid (England), RED Electrica de Espana (Spain), Redes Energéticas Nacionais (Portugal), and RTE Réseau de Transport d'Electricité (France). [34]

In 2013, ENTSO-E launched the European Awareness System (EAS), an information platform helping TSOs to ensure that energy consumers stay seamlessly connected during extreme weather peaks or system failures. EAS monitors the entire European power system in real time. Data shared between TSOs comprise, among others, the frequency, the real-time power balance and the system state. Moreover, it is possible to share the occurrence of a critical event such as a terrorist attack [35]. However, until now, to the best of our knowledge, only CORESO uses the EAS software solution [36].

A pan-European analysis system focusing on cyber incidents for critical infrastructure is being developed in the ECOSSIAN (European Control System Security Incident Analysis Network) project, funded by the EU under the 7th Framework Programme for research and development [42]. The ECOSSIAN ecosystem comprises a three-tiered architecture, that is, security operations centres located at organisation, national and European level, and provides a holistic information-sharing system between the layers [43]. The system focuses on advanced persistent threat campaigns, where the cyber-attacks proceed in a stealthy and continuous way. The analysis of threats is based at the national level, where documents such as forum posts, email messages or general security advisories are clustered. From these document clusters, statements about the system's security status are derived [41]. The national tier communicates with further national tiers via the European level to share information about its security status. Hence, the European level serves as a service to share incident information. It should be highlighted that regulatory and legal changes are needed in the individual countries to make European-level monitoring possible.

The European Awareness System (EAS) and the Regional Security Coordinators (RSCs) monitor the electrical grid at a European level, but do not specifically address the cyber security threats described in Ch. 2.1. When a cyber-attack causes abnormal behaviour in the grid, RSCs and EAS only passively monitor system variables such as the frequency across multiple TSOs. No countermeasures are initiated to defend against the attack. Moreover, DSOs do not receive information directly from RSCs, but only from the TSOs associated with the RSCs. This lack of direct communication may significantly delay the efficient sharing of information about the system status, such that the cyber-attack's impact cannot be contained.

The ECOSSIAN project focuses on sharing cyber-attack information that is mined at a national level. The pan-European tier distributes advisories to the lower tiers, that is, to the national and organisation tiers. As no particular security logic is implemented at the European tier, sophisticated cyber-attacks revealing complex attack patterns across Europe cannot be identified with this approach. The national and organisation tiers remain independent in the sense that no aggregated data evaluation takes place at the European level.

All projects dealing with the detection of cyber-attacks focus on a national and regional level, where local information about the network system is generated and evaluated to detect cyber-attacks. In the case of a distributed, simultaneous cyber-attack on several DSOs and TSOs, information about the incident is not aggregated, due to the independence of DSOs and TSOs. Because of this lack of a direct communication link, complex, distributed cyber-attacks on several DSOs/TSOs at the same time cannot be recognised.

SUCCESS addressing the gaps in Wide-area Security Monitoring:

SUCCESS addresses methods for monitoring the power and communication network at both the DSO/TSO level and the pan-European level. Thereby, the SUCCESS monitoring solution recognises abnormal behaviour and provides alerts which may reduce the impact of potential cyber-attacks in real time.

The monitoring activity is based on key information extracted from NORM, containing power network related data with possible relevance from the network security point of view, or communication network data such as traffic patterns, which might reveal e.g. cyber-attacks.

The data to be used by the monitoring centre need to preserve the privacy of end users; thus the category of private data will be carefully addressed in accordance with the relevant national and European laws.

Moreover, the communication between the NORM Security Agent and the upper level (e.g. the DSO Security Monitoring Centre) is established using a more secure encryption method, based on a Physically Unclonable Function (PUF), thus providing a more trusted environment for the cyber-security aspects.

With ESMC, the SUCCESS monitoring solution comprises a pan-European monitoring system to judge the system's security status. Typically, DSOs and TSOs all over Europe resort to similar hardware and software solutions and have no possibility to communicate with each other in real time in the case of a cyber-attack. Hence, an attack on multiple systems at the same time becomes possible. ESMC actively gathers information across Europe and performs analyses to detect small but similar attacks on DSOs/TSOs which might not be recognised at a regional or national level. Here, ESMC differs from the ECOSSIAN solution, as the security logic is implemented at the pan-European level to obtain more statistical power.

ESMC is the first solution that obtains data from various DSOs/TSOs across Europe and combines them to form a holistic view of the security status. The combination step implies data analytics with up-to-date Big Data technologies to leverage real-time processing of the received data stream. Moreover, ESMC shares information about identified cyber-attack incidents with DSOs and TSOs automatically and in real time, so that they obtain crucial information about their critical infrastructures.

ESMC considers privacy issues that occur when processing personal data by applying anonymisation steps where necessary. Anonymisation happens at the regional level, such that the DSOs/TSOs keep full control of their collected data at all times.
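The two steps described above, regional anonymisation followed by pan-European correlation of small but similar attacks, as an added Python example written for this page (it is not SUCCESS or ESMC code). The alert record layout, the per-DSO HMAC keys, the local and European thresholds and the one-hour window are all assumptions made for the example. The point it shows is the one the text makes: three regions each see too few hits to alarm on their own, but the ESMC side, counting distinct regions that report the same signature inside one window, recognises them as one campaign, without ever seeing a customer identifier.

```python
"""Added example, not SUCCESS/ESMC code: regional anonymisation followed by
pan-European correlation of small, similar attacks on several DSOs.

Assumed (not from the document): the alert record layout, the per-DSO keys,
the thresholds and the one-hour window are all illustrative.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_THRESHOLD = 5          # hits of one signature before a single DSO would alarm
EUROPEAN_THRESHOLD = 3       # distinct regions reporting the same signature
WINDOW = timedelta(hours=1)

# Per-DSO secret keys: each regional centre holds only its own.
REGION_KEYS = {"DSO-A": b"key-of-dso-a", "DSO-B": b"key-of-dso-b", "DSO-C": b"key-of-dso-c"}

# Constructed sample data: three DSOs each see two or fewer hits of the same
# signature, so none of them reaches LOCAL_THRESHOLD on its own.
SAMPLE_ALERTS = [
    {"dso": "DSO-A", "customer": "meter-0001", "sig": "dlms-auth-fail-burst", "ts": "2017-03-01T10:00:00"},
    {"dso": "DSO-A", "customer": "meter-0002", "sig": "dlms-auth-fail-burst", "ts": "2017-03-01T10:05:00"},
    {"dso": "DSO-B", "customer": "meter-0101", "sig": "dlms-auth-fail-burst", "ts": "2017-03-01T10:10:00"},
    {"dso": "DSO-B", "customer": "meter-0102", "sig": "dlms-auth-fail-burst", "ts": "2017-03-01T10:12:00"},
    {"dso": "DSO-C", "customer": "meter-0201", "sig": "dlms-auth-fail-burst", "ts": "2017-03-01T10:20:00"},
    {"dso": "DSO-C", "customer": "meter-0202", "sig": "ptp-offset-jump",      "ts": "2017-03-01T10:25:00"},
    {"dso": "DSO-A", "customer": "meter-0003", "sig": "ptp-offset-jump",      "ts": "2017-03-01T15:00:00"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _pseudonym(key, value):
    # Keyed hash: without the DSO's key nobody can re-identify the value,
    # and the same input always maps to the same token for de-duplication.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def local_escalations(alerts, threshold=LOCAL_THRESHOLD):
    """What one regional centre would raise looking only at its own data."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["dso"], a["sig"])] += 1
    return {key for key, n in counts.items() if n >= threshold}


def anonymise_for_esmc(alerts, keys=REGION_KEYS):
    """Regional step: strip personal data before anything leaves the DSO.
    The customer identifier and the DSO name are replaced by keyed pseudonyms;
    the signature and timestamp are kept because the ESMC needs them."""
    out = []
    for a in alerts:
        key = keys[a["dso"]]
        out.append({"region": _pseudonym(key, a["dso"]),
                    "subject": _pseudonym(key, a["customer"]),
                    "sig": a["sig"], "ts": a["ts"]})
    return out


def esmc_correlate(records, threshold=EUROPEAN_THRESHOLD, window=WINDOW):
    """Pan-European step: a signature is a campaign when at least `threshold`
    distinct regions report it within one `window`. Returns {signature: regions}."""
    by_sig = defaultdict(list)
    for r in records:
        by_sig[r["sig"]].append((_ts(r["ts"]), r["region"]))
    campaigns = {}
    for sig, events in by_sig.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            regions = {reg for t, reg in events[i:] if t - t0 <= window}
            if len(regions) >= threshold:
                campaigns[sig] = len(regions)
                break
    return campaigns


if __name__ == "__main__":
    print("regional alarms:", local_escalations(SAMPLE_ALERTS) or "none")
    forwarded = anonymise_for_esmc(SAMPLE_ALERTS)
    print("ESMC campaigns:", esmc_correlate(forwarded))
```

Running the example, no regional centre alarms on its own data, while the ESMC reports `dlms-auth-fail-burst` seen from three regions within the hour; the second signature is seen from only two regions, hours apart, and stays silent. The region tokens are distinct per DSO, so the ESMC can count regions without being able to name them.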

2.4.2 Local-area Security Monitoring

Several research projects specifically address cyber threats to the energy sector at a regional level, as shown in Table 1.

Project Contribution

DATES (Detection and Analysis of Threats to the Energy Sector) [40]

Developed a security information/event management (SIEM) solution to protect the energy control systems of DSOs.

MASSIF (Management of Security information and events in Service Infrastructures) [39]

Provided real-time security alerts by the correlation of security events from different event sources.

SCISSOR (Security in Trusted SCADA and Smart-Grids) [38]

Followed a holistic approach to create a new generation SCADA security monitoring framework, where a SIEM solution takes data from heterogeneous monitoring events as well as the native control processes.

PRECYSE (Prevention, protection and REaction to CYber attackS to critical infrastructures) [37]

Developed methods and tools to improve the security of critical infrastructure by design and developed methods to generate warning messages of attacks to critical infrastructure and the issuing of countermeasures.

Table 1: Work on Security Monitoring at Local Level

Challenges in Local-area Security Monitoring:

The cyber threats so far analysed and addressed in the European projects mentioned in Ch. 2.4.1 provide an extensive reference frame for the investigation of potential cyber-physical attack schemes. Those schemes have allowed grid operators to establish various defence mechanisms, which are commonly orchestrated in three stages: protection, detection and mitigation.

This approach has strengths but also weaknesses, because it does not allow the DSO operator to adopt a proactive mode of behaviour; the operator reacts after the fact and with manual procedures. The difficulties with this current approach are:

Slow response: Generally, by the time threat containment strategies are put in place, the menace has already compromised much of the network. Detection and containment must be initiated within minutes or seconds to prevent widespread infection within a 24-hour period.

Constant effort: Every newly detected threat requires a major amount of work to identify it and act to contain it. There is a pressing need for a new threat detection and mitigation strategy that is real-time (and which can therefore contain the threat before it infects a significant fraction of the network), and that can deal with new threats with a minimum of human interaction.

To address these challenges, the SUCCESS Security Monitoring Solution approaches the problem from a different point of view, allowing DSO operators not only to address already known threats but also to detect new threats in real time at the Neighbourhood Area Network (NAN) level of the Smart Grid.


The SUCCESS solution has a real-time detection system that can potentially initiate containment countermeasures in a proper timeframe to prevent a widespread attack. It is not based on external, manually supplied input; instead the system can learn and extract threat characteristics, even for new threats that may arise in the future. This is possible thanks to a continuously expanding inner database that is populated from the moment the system starts running and that serves as the baseline for a benchmark against which new threats are correlated.
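As an added illustration of the self-learning baseline described above (example code written for this page, not the SUCCESS detector), the following Python builds a per-device baseline online from the traffic it observes at NAN level, treats the first samples of each device as a warm-up, and afterwards flags any sample that deviates from the learned mean by more than a chosen number of standard deviations. Anomalous samples are not folded back into the baseline, so a burst does not drag the baseline towards itself. The device names, the messages-per-interval feature, the warm-up length and the thresholds are assumptions.

```python
"""Added example, not SUCCESS code: online per-device baseline for NAN traffic
with deviation alerts. Device names, feature and thresholds are assumed."""
import math
from collections import defaultdict

WARMUP = 20       # samples a device must contribute before its baseline is trusted
K_SIGMA = 4.0     # alert when a sample is this many standard deviations away
MIN_SPREAD = 1.0  # floor for the standard deviation; avoids alarms on near-constant series


class OnlineBaseline:
    """Welford's running mean/variance: the 'inner database' grows with every
    sample that the detector accepts as normal."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class NanDetector:
    def __init__(self, warmup=WARMUP, k=K_SIGMA):
        self.warmup, self.k = warmup, k
        self.baselines = defaultdict(OnlineBaseline)

    def observe(self, device, value):
        """Return an alert dict for an anomalous sample, else None."""
        b = self.baselines[device]
        if b.n >= self.warmup:
            z = (value - b.mean) / max(b.std, MIN_SPREAD)
            if abs(z) > self.k:
                # Anomalous samples are not learned, so a burst does not drag
                # the baseline towards itself.
                return {"device": device, "value": value, "z": round(z, 1),
                        "baseline": round(b.mean, 1)}
        b.update(value)
        return None


def detect_stream(samples, detector=None):
    """Run the detector over (device, messages_per_interval) pairs in order."""
    if detector is None:
        detector = NanDetector()
    return [a for a in (detector.observe(d, v) for d, v in samples) if a]


# Constructed sample stream: two NAN nodes with different normal rates
# (messages per 10 s interval); node-07 then bursts to 120 and 130.
NORMAL_07 = [18, 20, 22, 19, 21] * 5
NORMAL_12 = [4, 5, 6, 5, 5] * 5
SAMPLE_STREAM = ([("nan-node-07", v) for v in NORMAL_07]
                 + [("nan-node-12", v) for v in NORMAL_12]
                 + [("nan-node-07", 120), ("nan-node-07", 130),
                    ("nan-node-07", 20), ("nan-node-12", 5)])

if __name__ == "__main__":
    for alert in detect_stream(SAMPLE_STREAM):
        print(alert)
```

Only the two burst samples of `nan-node-07` are reported; a rate of 20 is normal for that node and a rate of 5 is normal for `nan-node-12`, because each device has its own baseline. The caveat a practitioner should keep in mind is that a slow escalation staying under the threshold is still absorbed into the baseline, so the warm-up length and the deviation threshold need to be validated against traffic the operator trusts.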

2.4.3 Smart Meter Gateway Challenges

Today, the state of the art of Smart Meters is characterised by:

- Energy measurement with metrology certification;
- Complex tariff implementations;
- Designed to communicate with the DSO (in most EU countries) through PLC (power line carrier) in most cases or by GPRS/3G in some cases;
- Smart meters have the possibility to provide on request instrumentation measurements at high reporting rates, between 1 and 10 seconds, as possible support for SCADA functionalities. Instrumentation data (e.g. u, i, p, q) are available from the chip-sets which measure energy;
- Load profiles of energy, instrumentation and other data can be stored over medium to long periods, such as one month to several months, depending on the selected time for load profile (LP) memorisation;
- The usual protocols for data readout from Smart Meters are specialised for AMR/AMI data collection, e.g. the DLMS/COSEM protocol and its associated data model;
- Some electrical energy Smart Meters have functionalities to collect data from other local meters: gas, water or heat meters;
- Some electrical energy Smart Meters have a local interface to communicate with local devices and with end-users.

Challenges when advancing towards the Smart Grid and complex energy and energy services markets:

- Multi-user communication is not possible directly with the user through the smart meter, but only delayed, through a trusted party (usually the DSO) which collects meter data at regular intervals, such as once a day or every one to six hours;
- Complex services using real-time (seconds) and/or near real-time (intra-hour) data cannot be used, due to the low communication speed with the DSO, especially through PLC technology;
- SCADA functionalities cannot easily be used by the DSO dispatch centres because there is no real-time functional link between today's AMR/AMI systems and DSO SCADA systems. Moreover, the dispatch centre front-end cannot communicate directly with the meter, due to protocol incompatibility (AMR protocols such as DLMS are different from SCADA protocols such as IEC 61850);
- There is no strong redundancy concept in the acquisition of data, to validate/invalidate acquired data at the meter level;
- Smart meter cyber-security strength is still not very high;
- There is no holistic concept over the whole data chain to mitigate cyber-attacks, starting from the meter as the primary source of data;
- There is no functionality to integrate synchronous phase measurements (from PMUs), even though this becomes more and more important, especially in active distribution networks with a high penetration of renewables. Different barriers to large PMU deployments are listed below;
- Even when integrating the PMU in a similar way to other "local meters", PMU measurements are difficult to introduce, also due to difficulties in providing GPS synchronisation, which needs sky visibility;
- PMU protocols are also different from SCADA protocols and there are difficulties in merging them, due to similar barriers as with meters: special acquisition and storage systems are specific to PMUs, different from the SCADA systems;
- PMU data is much richer than meter data, allowing one to 50 measurements per second;
- Regarding the collection of data from other local meters (gas, heat, water), there is still a limited number of meter types which can be accessed by a given "main" smart meter.

NORM addresses these challenges:

- At the Smart Meter Gateway (SMG) level of NORM, multi-user and multi-protocol communication is implemented with all external actors having the right to access data and to interact with NORM; for this an Unbundled Smart Meter (USM) architecture has been used, which splits the fixed metrology part of the meter from the flexible part that allows the implementation of complex communication strategies;
- NORM is designed for high-speed communication based on 3G/4G/5G or other high-speed IP-based communication, which allows real-time and near real-time services to be applied easily;
- The same high-speed communication supports smart grid SCADA functionalities, enabled also by the specific IEC 61850 protocol implementation;
- A conceptual approach to cyber-security is embedded in NORM's Smart Meter Gateway, supported by a Security Agent (SecA) which collects non-private data, makes local consistency checks (based on the data redundancy presented below) and sends relevant data to a higher level of cyber-security analysis (the DSOSMC); this allows the implementation of a holistic concept over the whole data chain to mitigate cyber-attacks;
- NORM has an unprecedented level of cyber-security, due to the Physically Unclonable Function (PUF) implementation used for secure communication, especially for administration and other critical communications;
- Low-cost PMU (LC-PMU) integration in the Smart Meter, bringing support for active distribution networks and for microgrid control. The LC-PMU is implemented as an unbundled component of the USM;
- LC-PMU synchronisation is implemented with the PTP synchronisation protocol, which is enabled by a combination of the local ICT network and 5G communication;
- LC-PMU data is converted into event-based MQTT data, ready for high-rate streaming and ICT friendly, allowing easy implementation of cross-platform data exchange and various services;
- Data redundancy is supported by the NORM design, which has two measurement sources for voltage and frequency, thus allowing a first level of data consistency check at meter level, useful for the local SecA functionality;
- Collection of data from other meters is more flexible, as the right communication interface (e.g. ZigBee or M-Bus) and the right driver for each additional meter to be integrated in the main meter can be selected, supported by the USM architecture of NORM.

2.4.4 Privacy, Security, Resilience, Survivability of Smart Grids

The main challenge regarding the cyber security of smart grids is the elimination of the factors that make them vulnerable and accessible to cyber misuse, together with the enhancement of their overall robustness. The aim of cyber security systems is the implementation of techniques that ensure the reliability, performance and manageability of the smart grids, as well as the ability of the electrical grid to respond digitally to the different energy demands. A more robust grid operation requires that the security techniques focus on the following primary objectives:

Security: An unauthorised access to the measurement and network devices of power grids may result in an unacceptable information modification. Therefore, the main challenge is to guarantee the accuracy and consistency of data in order to assure proper decision can be made on power management.

Resiliency: Authorised persons should have immediate access to data and information of the power grid when they need it. Failure to meet this objective compromises correct power delivery.

Survivability: The power system should be able to provide service to customers in case of severe disturbance, either minimising the area affected by the resulting outage or minimising the recovery time after a blackout.


In a classical view of the distribution grids, the monitoring and control functions are mainly centralised in the DSO control centre. Data flows are predominantly unidirectional, going from field devices (e.g.energy meters) to the centralised Supervisory Control and Data Acquisition (SCADA) system of the DSO. Moreover, the measurement and communication devices are hardly accessible by unauthorised users, since they usually employ proprietary custom hardware and software solutions. In this configuration, the main effort of the security measures implemented in present distribution grids is focused on securing a centralised architecture with a reduced number of possible entry points. As regards resiliency, the present resiliency strategies pay specific attention to the power related aspects of the subject. From a power perspective, in the vast majority of power systems subject to faults, initial disconnection of power system components is followed by the subsequent action of reclosing that returns the system back to the original topology. Mathematically, the fault changes the power network’s topology and transforms the power system’s evolution from the pre-fault dynamics to fault-on dynamics. The goal of resiliency in present power grids is to drive the system back to the normal stable operating point, or at least to a fault-cleared one, that can guarantee continuity of the service [13]. Lastly, the present survivability strategies applied in power grids follow a top-down approach: in case of blackout the first step is, in fact, to restore the operation of bulk generation units and then to gradually restore the power supply to the end users. This means that the service recovery procedure is exclusively based on centralised controls and resources, and their availability in case of a massive blackout must be maintained or restored in the fastest way possible. 
Gaps in the present approaches to Smart Grid Privacy, Security, Resiliency and Survivability: Smart Grids are assisted, nowadays, by communication technologies, which provide the bi-directional information transfer between utilities and consumers needed for proper operation. The integration of communication networks with the transmission and distribution grids can mean increased vulnerability of smart grids to cyber-attacks. Moreover, with the growing digitalisation of the automation of Distribution Grids (DGs) and the increasing number of field devices, like measurement and control devices distributed in the field, the power distribution grid is turning into a so-called Cyber-Physical System (CPS). A CPS is a system controlled or monitored by computer-based algorithms, tightly integrated with the internet and its users. In cyber-physical systems, physical and software components are deeply intertwined, each operating on different spatial and temporal scales, exhibiting multiple and distinct behavioural modalities, and interacting with each other in a myriad of ways that change with context. Lastly, time-critical applications and controls, which rely on synchronised measurements and precise time references, will grow in number and importance in future power systems, hence their security, including that of time synchronisation, is essential. For these reasons, the present approaches to security, resiliency and survivability fail to effectively guarantee the appropriate level of performance needed for a safe operation of modern smart grids. The SUCCESS project proposes new security, resiliency and survivability by design concepts, able to overcome the limitations of classical approaches and better target the main challenges posed by the future power grid architecture.
The SUCCESS security by design concept combines traditional detection and mitigation techniques developed in the power systems and in the IT domains for developing cost-efficient joint detection and mitigation solutions. At a high level, it leverages the cyber-physical nature of power systems, i.e. the fact that disturbances in the IT system have an effect on the physical domain (electric power), and disturbances in the physical domain can have observable effects in the IT domain. In the first part of the SUCCESS project, the main effort in the security by design concept development has been focused on securing PMU time synchronisation [4]. This decision is justified for two main reasons: first, the problem of time synchronisation security is notoriously difficult, and has not been fully understood in the context of PMUs; secondly, PMU data is expected to be used for a variety of applications in future power systems, hence its security, including that of time synchronisation, is essential. The resiliency by design technique explored in the SUCCESS project is mainly based on the cloud-computing paradigm [5]. In fact, grid automation architectures are migrating towards distributed cloud solutions, which offer unquestionable advantages in terms of scalability, together with being a natural candidate for the implementation of decentralised and hierarchical control and automation strategies that perfectly match the growing penetration of distributed energy resources. In this new scenario, system resilience is enhanced by enabling fast relocation of cloud virtual resources when a security incident (attack) is identified. Lastly, the survivability by design concept developed in the SUCCESS project focuses on the exploitation of the distributed energy resources, nowadays widely available in the distribution grids, to implement a power restoration strategy [6]. The proposed methodology has a bottom-up approach, energising small microgrids first and then reconnecting them together incrementally, which is the opposite of the currently employed grid restoration methodologies, which are top-down based, reflecting the traditional concept of a centralised power grid. With this assumption in mind, the proposed survivability by design concept considers the formation of microgrid clusters, where a microgrid that produces more energy than currently needed may supply electricity to another microgrid that faces the prospect of a blackout. The resulting formation provides enhanced robustness under single-failure conditions, and a reduction of the power outage duration for customers in widespread blackout scenarios.
The SUCCESS Security Monitoring Solution emphasises maintaining the privacy of personal data, respecting the EU General Data Protection Regulation (GDPR) and adopting a “privacy-by-design” approach. The flow of personal data within the SUCCESS Infrastructure is highly limited and protected to respect the “data minimisation” and the “necessity” principles stated by the GDPR: personal data are collected only in NORM, are kept separate from the other components and are collected under the full consent of data subjects. If any transmission of data has to occur, it will be encrypted and pseudonymised and will respect the data minimisation principle. Another important safeguard is that in the SUCCESS Security Monitoring Solution the “identifiers” of end-users (name, address, etc.) can be accessed only by one identified subject (the DSO), so that the “data storage limitation” principle is also respected. End-users will be able to exercise their data protection rights (right to access, right to erasure, right to rectification, right to portability) through a user platform (SMXCORE) which will enable a Role-Based Access Control system. In particular, end-users will be able to check all accesses to their personal data. End-users’ decisions, combined with the DSO’s legislative duties (e.g. in terms of data retention period, etc.) will be collected in a “User Privacy Profile” (UPP), which all SUCCESS users will be obliged to respect.
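The data minimisation and pseudonymisation safeguards described above can be made concrete with a small worked example. The code below is an added illustration, not code from the SUCCESS project: it assumes constructed NORM readings, a constructed DSO-held key, and a keyed-HMAC pseudonym as the linking mechanism, so that only the DSO (the single subject allowed to access identifiers) can map a pseudonym back to a meter. Transport encryption is assumed to be handled separately by the communications layer and is not shown.

```python
import hashlib
import hmac

# Constructed sample readings, as a NORM might hold them before any transmission.
# Customer names, addresses and meter ids are made up for this example.
RAW_READINGS = [
    {"customer_name": "Customer A", "address": "1 Example Street",
     "meter_id": "NORM-0001", "timestamp": 1493000000, "active_power_kw": 1.25},
    {"customer_name": "Customer A", "address": "1 Example Street",
     "meter_id": "NORM-0001", "timestamp": 1493000060, "active_power_kw": 1.30},
    {"customer_name": "Customer B", "address": "2 Example Street",
     "meter_id": "NORM-0002", "timestamp": 1493000000, "active_power_kw": 0.40},
]

# Direct identifiers (the GDPR "identifiers" named in the text) that must never leave the DSO.
IDENTIFIER_FIELDS = frozenset({"customer_name", "address", "meter_id"})

# The only fields a grid-monitoring consumer needs (data minimisation): nothing else is sent.
MONITORING_FIELDS = ("timestamp", "active_power_kw")


def pseudonymise_meter_id(meter_id: str, dso_key: bytes) -> str:
    """Keyed pseudonym: stable for one meter (so time series stay linkable), but
    only the holder of dso_key can recompute it from a meter id; a third party
    receiving the pseudonym cannot invert it."""
    return hmac.new(dso_key, meter_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_and_pseudonymise(reading: dict, dso_key: bytes) -> dict:
    """Build the record that may be transmitted: only the monitoring fields plus a
    pseudonym, so no direct identifier appears in the output."""
    out = {field: reading[field] for field in MONITORING_FIELDS}
    out["meter_pseudonym"] = pseudonymise_meter_id(reading["meter_id"], dso_key)
    return out


def build_resolution_table(readings: list, dso_key: bytes) -> dict:
    """Mapping pseudonym -> meter id, kept by the DSO only; never transmitted."""
    return {pseudonymise_meter_id(r["meter_id"], dso_key): r["meter_id"] for r in readings}


def leaks_identifier(record: dict) -> bool:
    """Release check: True if any direct identifier field is still present."""
    return bool(IDENTIFIER_FIELDS & set(record))


def export_for_monitoring(readings: list, dso_key: bytes) -> list:
    """Prepare a batch for transmission and refuse to release any record that still
    carries an identifier (a second line of defence against a later schema change)."""
    exported = [minimise_and_pseudonymise(r, dso_key) for r in readings]
    for record in exported:
        if leaks_identifier(record):
            raise ValueError("identifier present in record destined for transmission")
    return exported


if __name__ == "__main__":
    # Constructed key: in a deployment it would come from the DSO's key management.
    key = b"constructed-example-dso-key-not-for-real-use"
    for record in export_for_monitoring(RAW_READINGS, key):
        print(record)
```

The pseudonym is keyed rather than a plain hash of the meter id so that a recipient who can guess meter ids cannot confirm them by recomputation; rotating the DSO key also breaks linkability across retention periods, which is one way to honour the storage limitation principle in the UPP.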

2.4.5 Communications as a Key Enabler for Smart Grids

Today, the 4th generation of mobile communication technology (4G) is being deployed worldwide. The main driver behind 4G was to increase mobile broadband traffic and to provide internet connectivity for mobile devices. With the increase in machine-type communication requirements and the deployment of a huge number of sensors and actuators requiring connectivity, LTE is being further evolved, and the new enhancements of LTE focus on fulfilling the requirements of machine-type communication. At the same time, 5G is being standardised; 5G will bring a new radio and flexible core networks, making the rigid protocols of telecom standards more flexible. 5G will address a wide range of partly contradictory use cases such as connectivity for massive machine-type communication (MTC), ultra-reliable connectivity with low latency for services for critical infrastructure, and enhanced mobile broadband services. In SUCCESS, based on the requirement of providing distributed intelligence at the edge of power networks, technology enablers such as SDN are being utilised to enable breakout gateway functions. The Breakout Gateway Function in the SUCCESS architecture will realise and enhance some of the 5G concepts for distributed cloud, so that critical and security-relevant applications can be realised at the edge of power networks.


Challenges when enabling communication for real-time countermeasure implementation and local edge processing:

- Current mobile communication technology does not allow distributed edge processing;
- Current mobile communication networks are not designed to host enterprise applications and instances for local edge processing of utility-specific functions (in our case distributed automation) to be realised near the sensors and actuators of the distribution grid.

5G based SUCCESS communication network addressing the Challenges:

In the upcoming fifth generation mobile communications, technology enablers such as Software Defined Networking (SDN) and Network Function Virtualisation (NFV) will allow a flexible deployment of the mobile core network.

In this project, we enable mobile core network functionality to “break-out” of its current centralised implementation and be implemented as distributed functionality, in what is called an “edge cloud”, i.e. the software is implemented in a virtualised computer infrastructure which is physically located at the edge of the mobile core network, where the core network interfaces to the radio network.

Mobile core network functionality is realised at the edge of the mobile communications network, at the eNodeB (the node that forms the radio network), using the SDN technique. The function thereby created is called the Breakout Gateway (BR-GW), a new function in the 5G mobile network developed in the SUCCESS project. SDN allows a set of core network functions to be chosen and located in the BR-GW.

The BR-GW will, in addition to hosting core network functionality, also host distributed utility grid automation functionality in the edge cloud. This enables the implementation of distributed utility grid automation functionality with low latency communication and enhanced resilience to communication failures of the core network.

In summary, the SUCCESS Solution including the Breakout Gateway will lead to three major benefits for grid operators:

- Greatly reduced latency (information round-trip times),
- Localised processing in the Breakout Gateway close to the elements of the power grid, and
- Data remaining local, not shared with other parties.

2.5 Answering the Challenge: SUCCESS Security Monitoring Solution

SUCCESS is developing a new approach to the security of energy systems, guaranteeing their security of operation, based on new concepts for Security, Resilience and Survivability, as well as Next Generation Open Real-time Smart Metering, in the short and long term. These are implemented as the SUCCESS Security Monitoring Solution, supporting a complete customer-centric automation architecture while preserving the privacy of the customers involved. SUCCESS starts from the ongoing sea-change that is happening in Distribution Grids and builds the pillars to create a secure and future-oriented solution for grid operation. Starting from a security by design approach and placing resiliency and survivability in focus, a new joint design of Energy Infrastructure and ICT is proposed. Following on from the research results, an implementation approach is pursued based on the definition of a New-generation Open Real-time smart Meter (NORM) as a key building block. NORM aims to secure the end nodes of the energy system while providing innovative services in a customer-centric grid. The SUCCESS project will develop an overarching approach to threat and countermeasure analysis with special focus on the vulnerabilities introduced by Smart Meters. On the other hand, because cyber-attacks are always possible, the SUCCESS architecture proposes the idea of Double Virtualisation to guarantee Resiliency by Design. Double Virtualisation decouples data and functions in a virtual environment so that, in case of cyber-attack, the data or functionality can be moved to a different virtual computer and continue to function. As mentioned in the beginning, a key element of the new energy scenario is end-customer involvement. To implement the customer involvement, an HW/SW solution should allow the deployment of services at customer level. Services can be offered to and/or from the customers in the interaction with the grid operator. Security at this level is important, because customers become part of the overall infrastructure and grid operators need to operate in a relationship of trust with the customers. In SUCCESS, the NORM represents the proposed solution for this platform for offering secure services. Customers will then be aggregated at local level in a bottom-up view. It is then necessary to establish secure local communications with the distributed automation of the future grid operators. Fifth-generation mobile communications (5G) offers an interesting solution to this challenge thanks to the availability of cloud-edge solutions. In SUCCESS, the edge cloud system located at the edge of the communications network hosts mobile core network functionality and application service functionality, with the development of the Breakout Gateway (BR-GW) by SUCCESS. The BR-GW offers a secure communication link between the customers and the distribution grid automation. The edge structure will help ensure that the communications are operating during a grid failure, and will contribute to the rebuilding of the entire grid from the bottom, giving a new option of Survivability by Design. Another important point to stress is that this envisioned architecture based on distributed intelligence will rely significantly on the concept of Network Control. Network Control, i.e. the possibility to perform control in a distributed fashion involving communication channels, requires solid and precise synchronisation measures. Currently, synchronisation can be achieved using satellite signals (GPS time synchronisation) or by means of dedicated communication protocols (Precision Time Protocol, PTP). Recent literature has shown that both solutions can be easily targeted by cyber-attacks.
For this reason, SUCCESS decided to check for attacks on the time synchronisation as one of the most representative and typical for energy solutions: solving the synchronisation issue is a key element of Security by Design. Other cyber-attacks considered by SUCCESS are, however, not specific to the energy domain and can benefit from work performed in other projects. The Security Monitoring functionality in SUCCESS applies a defence-in-depth approach, performing security threat detection analyses at the edge of the mobile communications networks (on a mobile radio cell basis), in the DSO’s management system and on a Europe-wide basis. Monitoring information is collected and shared between these levels, as is information on security incidents. Countermeasures can be adopted both automatically, at DSO level and mobile-cell level, and at the operator’s discretion. The scope of the domain addressed by SUCCESS is illustrated in Figure 3. Measurement points in the electrical grid, particularly the New-generation Open Real-time Smart Meter (NORM), provide measurement data, which passes through the communications network to the security monitoring functionality at DSO and pan-European level, where a single monitoring centre interworks with distributed monitoring centres catering for each individual DSO. A further level of distribution is achieved by using the radio base station locations in the mobile grid to host edge cloud systems with distributed communications network and security monitoring functionality.
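The paragraphs above single out attacks on PMU time synchronisation (GPS or PTP) as the representative case the security monitoring must detect. The following is an added example, not code from the SUCCESS project, of the kind of plausibility check a DSO-level monitor can run on a PMU data stream: it compares each frame's reference timestamp with the receiver's own free-running clock, flags a sudden step in that offset, and estimates a slow drift by linear regression. Frame layout, constructed frame rate, the 0.5 ms constant delivery delay and the thresholds are assumptions for the example; in a deployment the comparison clock would be a second reference the monitor trusts independently.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PmuFrame:
    """One synchrophasor frame as seen by the monitoring function (constructed model)."""
    seq: int           # frame sequence number
    ref_time: float    # timestamp the PMU derived from its GPS or PTP reference (s)
    local_time: float  # receiver's own free-running clock at arrival (s)


def make_sample_frames(n: int = 50, period: float = 0.02, step_at: int = 30,
                       step: float = 0.0, drift_rate: float = 0.0) -> List[PmuFrame]:
    """Constructed stream of frames at 1/period Hz with a constant delivery delay.
    step: a sudden offset applied to the reference from frame step_at onwards.
    drift_rate: the reference runs fast by this fraction (0.002 = 0.2 %)."""
    frames = []
    for i in range(n):
        elapsed = i * period
        local = 10.0 + elapsed + 0.0005                     # assumed 0.5 ms delivery delay
        ref = 1_493_000_000.0 + elapsed + elapsed * drift_rate
        if i >= step_at:
            ref += step
        frames.append(PmuFrame(i, ref, local))
    return frames


def reference_offsets(frames: List[PmuFrame]) -> List[float]:
    """Offset between the PMU's reference time and the receiver's clock, per frame.
    With an honest reference this is near-constant (delivery delay plus clock offset)."""
    return [f.ref_time - f.local_time for f in frames]


def detect_time_steps(frames: List[PmuFrame], baseline_frames: int = 10,
                      tolerance: float = 0.005) -> List[Dict[str, float]]:
    """Flag frames whose offset departs from the learned baseline by more than
    tolerance. A sudden jump of the reference, whatever its cause, shows up here."""
    offsets = reference_offsets(frames)
    baseline = sum(offsets[:baseline_frames]) / baseline_frames
    alerts = []
    for frame, offset in zip(frames[baseline_frames:], offsets[baseline_frames:]):
        shift = offset - baseline
        if abs(shift) > tolerance:
            alerts.append({"seq": frame.seq, "shift_s": shift})
    return alerts


def estimate_drift_rate(frames: List[PmuFrame]) -> float:
    """Least-squares slope of offset against local time (seconds per second).
    A small steady slope is the signature of a reference that is being walked
    away gradually rather than stepped; near zero means the clocks agree."""
    t0 = frames[0].local_time
    xs = [f.local_time - t0 for f in frames]
    ys = reference_offsets(frames)
    ys = [y - ys[0] for y in ys]                            # work with small numbers
    xm = sum(xs) / len(xs)
    ym = sum(ys) / len(ys)
    num = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    den = sum((x - xm) ** 2 for x in xs)
    return num / den


def assess_reference(frames: List[PmuFrame], max_drift: float = 1e-3) -> Dict[str, object]:
    """Combined verdict for the monitoring level: step alerts plus the drift check."""
    steps = detect_time_steps(frames)
    drift = estimate_drift_rate(frames)
    return {"step_alerts": steps, "drift_rate": drift,
            "suspicious": bool(steps) or abs(drift) > max_drift}


if __name__ == "__main__":
    print(assess_reference(make_sample_frames()))                  # honest reference
    print(assess_reference(make_sample_frames(step=0.5)))          # 0.5 s jump at frame 30
    print(assess_reference(make_sample_frames(drift_rate=0.002)))  # 0.2 % drift
```

The two checks are complementary: the step detector reacts within one frame to a jump but is blind to a slow walk that stays inside its tolerance, while the drift estimate catches the slow walk but needs a window of frames. Either verdict would be reported to the DSO-level monitoring and, via the agents described above, to the pan-European level.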


Figure 3: SUCCESS Security Monitoring Solution in Electrical Grid and Mobile Communications Network

Table 2 gives an overview of which aspects of the SUCCESS Security Monitoring Solution are supported by which component.

Solution Component: Description

NORM: Unbundled Smart Meter Gateway, capable of interworking with Smart Meters but also containing its own Phasor Measurement Unit (PMU), offering secure communications and extensible to support applications brought close to the customer.

Edge Cloud: Implements end-user application functionality distributed to the edge of the mobile network, at the radio base station.

Breakout Gateway: Implements mobile core network functionality on the edge cloud. Can detect security incidents related to the content of the communications traffic and implement countermeasures to mitigate security incidents.

DSOSMC: Performs security monitoring at DSO level, scrutinising data from the DSO’s electrical grid and implementing countermeasures to mitigate security incidents.

ESMC: Performs security monitoring at pan-European level, with agents providing information from DSO level, scrutinising data from all the DSOs’ electrical grids, as well as ancillary security-relevant data. Detects security incidents and alerts the operator to them.

UMP: Offers SCADA-type functionality as a service to grid operators and third parties, enabling grid data to be shared between these different actors.

Table 2: SUCCESS Security Monitoring Solution


Last but not least, as in any process, monitoring is a key functionality to verify that the process is moving according to plan. SUCCESS proposes a two-level cyber-security monitoring solution. One level is designed for the single grid operator and one is a European level to integrate and share knowledge among all the operators.


3. SUCCESS Architecture

SUCCESS’s work covers three very different domains, Utilities, Communications and Security, which each have their own view of the world, their own concerns and their own terminology. To make a system architecture description which attempts to simultaneously satisfy these different viewpoints is a difficult task. Hence, the approach adopted in this document will be to describe the SUCCESS Architecture according to the ISO/IEC/IEEE 42010 standard [1], where there is not just one single architecture description but the architecture is described through several different viewpoints. The viewpoints adopted are those of the Utility, Communications and Security. The resulting system made by SUCCESS is the SUCCESS Security Monitoring Solution, which is a system-of-systems performing security-related functionality in the Smart Grid domain.

3.1 Stakeholders and Concerns in SUCCESS Architecture

This chapter introduces the SUCCESS Architecture by analysing which entities have an interest in it and what their concern is, i.e. what it is they are interested in. In the subsequent chapters describing the Utility, Communications and Security viewpoints into the SUCCESS Architecture, the stakeholders and concerns relevant for each viewpoint are identified.

3.1.1 Stakeholders in SUCCESS Architecture

The stakeholders include a multitude of entities. From a security perspective, the entities include the customers, whose data usage and any personally identifiable information must remain private and secure. The user must also have access to a high quality of service and should have sufficient energy supply to meet his/her demands. The user should also be protected from malicious billing. Since typically users are naïve when it comes to following security instructions, it is also important that any user actions required by the system are easy to perform and have low cognitive overhead. Similarly, another important entity from a security perspective is the utility company. The utility company wants to provide a reliable service to its customers and ensure that there are no free-riders or other malicious entities that circumvent the billing system. As with any other network, the Smart Grid system would consist of devices and components from various manufacturers and vendors. It is important for reliable service delivery and network performance that the devices and components perform reliably and contain no known backdoors. Other stakeholders include:

- SUCCESS project members,
- SUCCESS Trial Sites,
- Public users,
- Users after the SUCCESS project,
- Network operators providing cloud-enabled services to support the power grid,
- Energy retailers, and
- 3rd parties providing energy services.

3.1.2 Concerns of Stakeholders in SUCCESS Architecture

Here we need to describe each Concern, or area of interest. The following questions express the concerns.

- What are the purpose(s) of the SUCCESS Security Monitoring Solution?
- What is the suitability of the architecture for achieving the SUCCESS Security Monitoring Solution’s purpose(s)?
- How feasible is it to construct and deploy the SUCCESS Security Monitoring Solution?
- What are the potential risks and impacts of the SUCCESS Security Monitoring Solution to its stakeholders throughout its life cycle?
- How is the SUCCESS Security Monitoring Solution to be maintained and evolved?
- What are the dependencies between the different parts of the SUCCESS Security Monitoring Solution?

From a security perspective, the SUCCESS Security Monitoring Solution should consider the entire lifecycle when designing the security components. The lifecycle for any component would start with the initial manufacturing and deployment phase, span through the operational phase, and continue until the recycling or decommissioning of the concerned component.

While the exact components used for the SUCCESS Security Monitoring Solution would change over time as the platform itself evolves based on the feedback and experiences from the trials, we intend to rely on well-studied and evaluated security protocols and suites. The use of standardised protocols would also enable easy integration with the rest of the system components and provide interoperability.

As noted by Bruce Schneier, it is also critical to ensure that the platform has adequate secure remote-update capabilities. This is because, over time, new vulnerabilities and security issues would be discovered and therefore it should be possible for utility companies and smart meter vendors to update and patch any vulnerabilities that are found.

From the Utility point-of-view, the SUCCESS Security Monitoring Solution should enable interoperability between devices in different grids and services based on the data generated by the devices, enabling a move from vertically integrated Utilities to having services offered by different specialised companies. The SUCCESS Security Monitoring Solution should offer secure, reliable, cost-effective communications to very large numbers of devices based on open and standardised interfaces and off-the-shelf technologies.

3.2 SUCCESS Architecture Overview

The SUCCESS project’s work addresses three different timescales:

Short Term: Investigations and results applicable to today’s Smart Grid Networks (2016)

Medium Term: Investigations and results applicable to Next Generation Smart Grid Networks (2020+)

Long term: Investigations and results applicable to Future Smart Grid Networks (2030+)

Based on the Threat Analysis of D1.2 [2], countermeasures are identified, implemented and trialled for the short, medium and long term. New long-term concepts for security, resilience and survivability of future Smart Grid Networks are developed.

Figure 4: SUCCESS Time Horizons

The three timescales which SUCCESS addresses, shown in Figure 4, are reflected in the SUCCESS Architecture presented in this document.


An overview of the SUCCESS architecture is shown in Figure 5. It is a conceptual representation of a system for management of Power Grids, taking communications and security considerations into account. The architecture is not drawn to show any strict layering, but rather to show the functional elements considered relevant.

Figure 5: SUCCESS Architecture Overview

Communication functionality is needed between all nodes in the architecture. SUCCESS has a particular focus on using advanced mobile fourth generation (4G) and fifth generation (5G) technologies, such as Software Defined Networks and Network Function Virtualisation. Additionally, SUCCESS will develop a new network function, the Breakout Gateway (BR-GW), which brings mobile core network functionality to an edge cloud located at the edge of the radio network (the eNodeB). BR-GW, together with the capability to implement non-communication-related application functionality at the same edge location, means that distributed utility applications can be implemented very close to the power grid, reducing the communication latency and enabling a cloud-based approach to Distribution Grid management to be considered for use cases which have previously only been possible with specialised computers located in the Distribution Grid.

Security functionality is, like communications functionality, needed everywhere in the SUCCESS architecture. It manifests itself particularly in the security of communications and the security functionality of the individual physical and virtual nodes in the SUCCESS architecture. SUCCESS will develop components that provide security functionality at a range of levels, from the meter or smart device right up to the pan-European Security Monitoring Centre level. In particular, the New-generation Open Real-time Smart Meter (NORM) being developed by SUCCESS will feature several security technologies, including the Physically Unclonable Function (PUF) technique.

One of the biggest challenges for DSOs and utilities currently is to become service-oriented. The SUCCESS architecture reflects a service focus in the form of providing a set of service APIs which enable interoperability between management functionality (Apps) and the field devices, such as the NORM or EV Chargers shown in Figure 5.

Another major theme of SUCCESS is cyber-threat detection and the implementation of cyber countermeasures. Threat monitoring is implemented at local (DSO) level, and countermeasures can be initiated from this level. Additionally, threats are monitored at pan-European level. Between these two levels, we define the SUCCESS API for co-ordination of threat detection.

Hence, the SUCCESS architecture covers both the different short-term, medium-term and long-term timescales and the different aspects shown in Figure 5. In order to describe it in more detail, this document addresses the SUCCESS architecture by means of describing different views which address the different aspects. Separate Utility, Communication and Security views are given in the sub-chapters below.

3.3 SUCCESS Architecture: Utility View

This chapter gives a view of the SUCCESS Architecture concentrating on the perspective of the Utility. This view is not a complete description of the SUCCESS Architecture but is complemented by the communications and security views. The Utility view covers grids, such as the electricity, gas or water grid and grid-specific equipment and systems. It includes the components in the grids, the functions performed by them and the information passed between them.

This view excludes communication between grid components and security, i.e. although it is understood that the grid components must communicate with each other and that security must be provided, the description in this chapter omits these aspects.

3.3.1 Concerns and Stakeholders

3.3.1.1 Concerns

- Maintaining grid stability while enabling an increasing amount of DERs to be introduced into the distribution grid,
- Coping with the change from having power generated overwhelmingly by large conventional power plants feeding into the HV network to having most of the power generated by DERs and feeding into the MV and LV networks,
- Increasing the level of monitoring and automation of DGs,
- Enabling new and innovative Energy Services to be offered to energy customers,
- Enabling DSOs to avail of cost-effective, standardised and modern ICT technologies,
- Enabling new business models to emerge and new actors to enter the energy domain,
- Enabling the change from vertically integrated Utilities in DGs to separation of ownership of generation, grid operation, grid services and customer services.

3.3.1.2 Stakeholders

- DSOs,
- Prosumers,
- ICT companies,
- Cloud infrastructure providers,
- Energy Service providers,
- Energy markets, and
- Energy aggregators.

3.3.2 Utility Conceptual Model: Timescale Today

The left-hand side of Figure 6 shows a simplified functional view of the architecture in today’s Distribution Grids, from the standpoint of the Distribution System Operator, omitting communication and security details for simplicity. Each DSO manages the devices in its grid using some set of management systems, shown as being different for each DSO. The interfaces between the management systems have been standardised in many cases. Today’s Distribution Grids are characterised by vertical integration. Each DSO owns the physical grid, the devices in it and the management systems that control and manage it. This is illustrated in the left-hand side of Figure 6 by showing two DSOs, A and B, each of which has its own Management Systems for managing its own grid.

The Devices in the left-hand side of Figure 6 are any physical devices in the Distribution Grid which have sensors and/or actuators, i.e. devices that produce measurements or can be operated or controlled. There are many such devices, e.g. transformers, circuit breakers, Smart Meters, DERs, EVs, BMSs, EMSs.

The protocols towards the Devices are generally standardised, although proprietary protocols may be in use.

There are different Management Systems performing different roles in the DSO’s enterprise, such as managing the grid, customer care, and billing. The interfaces between the Management Systems are partly standardised, partly proprietary, according to the particular DSO and the history of the development of their management infrastructure. It is unlikely that two DSOs will have the same Management Systems. It is also the case that the data generated in one DSO’s grid remains there and is not shared with any third parties.

The level of grid automation present in Distribution Grids today is limited. Generally, there is little or no measurement equipment beyond the secondary transformer, so that the DSOs do not have detailed information about the actual grid status. Any Smart Meters deployed are used for billing purposes only.

3.3.3 Utility Conceptual Model: Timescale 2020+ and 2030+

The shift to energy services offered from cloud-based platforms and the growth in the energy services market is reflected in the conceptual model of Figure 6. It shows a cloud-based platform, called Utility Management Platform (UMP), which interworks with the devices in the Distribution Grid and acts as a gateway between the devices and grid management functions (called “Apps”, but in principle the same as (and including) today’s Distribution Grid Management Systems). The UMP gathers measurement data, processes it and makes it available to the Apps. The UMP also controls and actuates the devices in the grid based on the orders from the Apps. UMP’s purpose is to enable interoperability between the Apps and the various devices. It is, in principle, a SCADA system for Utilities. Such an architecture requires a highly distributed but resilient implementation, where it is very important that the different parts keep time synchronisation. Different instances of UMP can be deployed as gateways to achieve a de-centralised distribution grid management architecture. Additionally, UMP could be deployed on edge cloud systems and Double Virtualisation could be applied to its constituent parts. The salient difference to today’s Distribution Grids is the interoperability between Devices and Apps. Comparing the right-hand side of Figure 6 with the left-hand side, we see that each DSO no longer needs to have its own separate infrastructure but that the management functionality is shared and that access to devices can be made open. The data from a given DSO’s Devices can be made available to third parties, subject to compliance with data privacy. The data made available could be aggregated or anonymised data, but it could also be a third party who is performing some grid management functions. Hence, this architecture supports new actors and business cases in a flexible way.
Today’s vertical integration within the DSO is removed, and the creation of new services and the entry of new players with specialised competences are made possible. This will both enable faster change in the Distribution Grid management architecture and allow this change to be successfully introduced. This architecture better supports a market with multiple different actors performing different roles than does the vertically integrated architecture shown in the left-hand side of Figure 6. It is less expensive to build and run than the vertically integrated architecture because each actor no longer needs to bear the full cost of having their own dedicated management systems; the costs are now shared.

Platforms such as the UMP can use the services of other such Platforms and interwork with existing Distribution Management Systems by means of publishing their offered services and using standardised interfaces. Figure 6 shows a general conceptual view of the Utility Layer in SUCCESS. It covers both the 2020+ and 2030+ timescales, i.e. no conceptual architectural change is considered necessary to cope with the changes in the power grid in this period. It is a Service-oriented Architecture. In this view,

devices represent grid equipment which produces data or can be managed; devices may be accessed directly by the UMP or through a gateway;

the Apps are grid management applications that use services of the UMP to manage the grid;

the UMP represents functionality which supports interoperability between Devices and Apps. It offers a set of services to the Apps.

Example of Devices: NORM, EVs, Smart Meters, PMUs, Smart Charger


Figure 6: Conceptual Models of Today’s Utility Grid (showing N DSOs) evolving into the Utility Grid of 2020+ and 2030+

Example of Apps: Billing, Customer Services, SUCCESS’s ESMC (E-SMIS and DE-SMIS), SUCCESS’s DSO Security Monitoring Centre (DSOSMC), Distribution Grid Management Systems, SCADA.

Being cloud-based means that the UMP runs on a computing infrastructure which it shares with other users and where additional computing and data storage resources can be added as needed. To be able to exploit these possibilities, the UMP software must be designed to be able to scale up and down along with the available computing resources. For example, the number of devices which the UMP handles can become very large if the UMP manages all the devices in a city or country, and the UMP software architecture and the technologies used must support this scalability. The concept of the UMP does not depend on any particular technology, however; rather, it is envisioned that the technologies employed will evolve along with the general technological development of ICT. SUCCESS builds its solution starting from the results of the FP7 FINESCE project¹. FINESCE introduced for the first time the idea of a utility operating in a service-oriented economy. The key component of the new utility operation is the availability of an open cloud platform. In the context of FINESCE, the platform was developed using the general-purpose FIWARE cloud platform as a basis. A utility cloud platform needs two types of interfaces:

an interface to the field to exchange data and commands, and

an interface to external service providers in the form of an open Services Application Program Interface (API), defining a set of Utility services.

The first interface is particularly critical from a security point of view. In the context of SUCCESS this interface is achieved via the application of the NORM Smart Meter Gateway. The NORM is used to connect the Utility devices to the UMP, providing a secure communication channel. Real-time Smart Meters can use the NORM as a gateway that concentrates the measurements, or can communicate directly with the UMP, subject to communication requirements being met. The DSOSMC, E-SMIS and DE-SMIS can gather information using UMP services. Data acquired in the cloud platform via communication through the NORM will be used by the utility to implement the required/desired services. Services will be implemented using standard SW components available in the platform. In the case of the FINESCE solutions these SW components are called Generic Enablers (GE) when they are not specific to a given business sector and Domain Specific Enablers (DSE) when they are specific to a given business sector, energy in this case. Although it is an App, the DSOSMC is based on the FINESCE Platform-like architecture and implemented with FIWARE GEs. The FINESCE API provides the other interface, giving the opportunity to develop third-party services integrated in the utility operation. SUCCESS extends the FINESCE API with a new set of services developed only for security reasons. This set of services forms the SUCCESS API (see Ch. 3.5.3.1), which will support the interconnection of a generic DSO with the European Security Monitoring Centre to support the overall security of the energy infrastructure at European level.

The UMP Middleware contains a data model for the Utility domain, and performs data processing and storage.

The Device Adapters in the UMP interface between the protocols used between the Devices and the UMP and the UMP Middleware’s data model.

The Utility Services in UMP use the Middleware as basis for accessing the data needed and as provider of service building blocks.

The Utility Services and the data storage in UMP are virtualised, i.e. not directly associated with particular physical equipment:

The Utility Services are implemented in a distributed cloud platform and accessed as resources through URIs. They are thus independent of any particular physical infrastructure.

The UMP’s data storage is implemented in a distributed database in the distributed cloud platform and is thus independent of any particular physical infrastructure.

¹ www.finesce.eu
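The UMP components listed above (Middleware data model, Device Adapters, Utility Services) describe a pattern rather than code. The following is an added example, not SUCCESS or FINESCE code, that models the pattern in Python: two hypothetical Device Adapters map device-specific frames (constructed field names) onto a common data model, a device-level Utility Service is gated by per-App grants from the owning DSO, and a third-party service returns only an anonymised aggregate, refusing when too few devices contribute. The field names, device frames, App names and the k_min threshold are all assumptions.

```python
"""Toy model of the UMP pattern: Device Adapters map device-specific frames
onto a common data model, and Utility Services expose that data to Apps
subject to per-App permissions, with an anonymised aggregate for third
parties. Added example, not SUCCESS or FINESCE code; field names and
device frames are assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Reading:
    """Common data model of the UMP Middleware (assumed fields)."""
    device_id: str
    dso: str          # DSO that owns the device
    kind: str         # measurement type, e.g. "active_power_kw"
    value: float
    ts: int           # Unix time of the measurement


# Device Adapters: one per device protocol, each emitting the common model.
def smart_meter_adapter(raw: dict) -> Reading:
    """Hypothetical meter frame: {"mid": ..., "dso": ..., "p_w": ..., "t": ...}."""
    return Reading(raw["mid"], raw["dso"], "active_power_kw", raw["p_w"] / 1000.0, raw["t"])


def pmu_adapter(raw: dict) -> Reading:
    """Hypothetical PMU record: {"pmu": ..., "dso": ..., "freq_hz": ..., "t": ...}."""
    return Reading(raw["pmu"], raw["dso"], "frequency_hz", raw["freq_hz"], raw["t"])


ADAPTERS: Dict[str, Callable[[dict], Reading]] = {
    "smart_meter": smart_meter_adapter,
    "pmu": pmu_adapter,
}


class UMP:
    """Middleware store plus two Utility Services (readings, aggregate)."""

    def __init__(self) -> None:
        self._store: List[Reading] = []
        # Which DSOs' device-level data each App may read. Apps without a
        # grant for a DSO only get the anonymised aggregate.
        self._grants: Dict[str, Set[str]] = {}

    def grant(self, app: str, dso: str) -> None:
        self._grants.setdefault(app, set()).add(dso)

    def ingest(self, device_type: str, raw: dict) -> Reading:
        """Entry point for Device Adapters; unknown device types are rejected."""
        adapter = ADAPTERS.get(device_type)
        if adapter is None:
            raise ValueError(f"no adapter for device type {device_type!r}")
        reading = adapter(raw)
        self._store.append(reading)
        return reading

    def _select(self, dso: str, kind: str) -> List[Reading]:
        return [r for r in self._store if r.dso == dso and r.kind == kind]

    def readings(self, app: str, dso: str, kind: str) -> List[Reading]:
        """Device-level service: only for Apps the DSO has granted access to."""
        if dso not in self._grants.get(app, set()):
            raise PermissionError(f"{app} may not read device data of {dso}")
        return self._select(dso, kind)

    def aggregate(self, dso: str, kind: str, k_min: int = 3) -> dict:
        """Third-party service: no device ids, and only when at least k_min
        distinct devices contribute, so a single device cannot be singled out."""
        rs = self._select(dso, kind)
        devices = {r.device_id for r in rs}
        if len(devices) < k_min:
            raise PermissionError("too few devices for an anonymised aggregate")
        return {"dso": dso, "kind": kind, "devices": len(devices),
                "mean": mean(r.value for r in rs)}


# Constructed sample frames from three meters of one DSO.
SAMPLE_FRAMES = [
    ("smart_meter", {"mid": "SM-01", "dso": "DSO-A", "p_w": 1000, "t": 1490000000}),
    ("smart_meter", {"mid": "SM-02", "dso": "DSO-A", "p_w": 2000, "t": 1490000000}),
    ("smart_meter", {"mid": "SM-03", "dso": "DSO-A", "p_w": 3000, "t": 1490000000}),
]


def demo() -> UMP:
    ump = UMP()
    for device_type, frame in SAMPLE_FRAMES:
        ump.ingest(device_type, frame)
    ump.grant("dso-a-dms", "DSO-A")   # the DSO's own management App
    return ump


if __name__ == "__main__":
    u = demo()
    print(u.readings("dso-a-dms", "DSO-A", "active_power_kw"))
    print(u.aggregate("DSO-A", "active_power_kw"))
```

The point of the split between `readings` and `aggregate` is that the open access the text describes need not mean open device-level access: the DSO decides per App who sees raw readings, while third parties get a view that carries no device identifiers and is only served when enough devices contribute.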


3.3.4 Utility Topological Model Timescale 2020+ and 2030+

This model gives more details on the types of Devices and Apps expected in the grid in the future, based on the Conceptual Model of Section 3.3.3. The Devices in the Conceptual Utility View correspond to equipment in the Electricity Grid in the Utility Topological View.

The UMP is a cloud-based platform. Different instantiations of the Platform can be introduced as needed, e.g. for different microgrids or different parts of grids in general. The use of cloud technologies offers the advantage of scalability, so that the increase in the number of DERs, EVs, services and automation functions expected between the medium and long term can be catered for.

Figure 7: Topological Model of Utility

3.4 SUCCESS Architecture: Communication View

This chapter gives a view of the SUCCESS Architecture concentrating on the communications perspective, i.e. communication for utility grids. This view is not a complete description of the SUCCESS Architecture but is complemented by the Utility and Security views.

3.4.1 Concerns and Stakeholders

3.4.1.1 Concerns

From the communication perspective, the most important concerns are the following:

Latency: Latency is the time it takes for data to travel from source A to destination B.

QoS: Quality of Service is the performance of the communication channel; in a communication network, QoS parameters are defined for it.

Coverage: Coverage is the geographical area covered by the radio station. Here the main concern is indoor penetration, since in a smart grid network utility meters are installed inside homes and in cellars, so indoor network coverage is very important.

Power consumption of the devices: Smart grid communication gateways must consume little power, in order to achieve longer battery life and lower maintenance cost.

Bandwidth: Bandwidth is the amount of data that can be transferred in some prescribed time limit.

3.4.1.2 Stakeholders

The stakeholders of the communication viewpoint are the Telco service providers, Telco manufacturers and utility grids.

3.4.2 Communication Conceptual Model

The conceptual protocol stack of the communication architecture is shown in Figure 8. It consists of four layers.

Devices or Gateways: At the lowest level are the devices and gateways, which enable connectivity over a wired or wireless medium. These devices gather data and transmit it to the upper layers.

Connectivity: Connectivity enables the communication between the devices and the services. The type of connectivity could be wired or wireless, supporting a wide range of protocols.

Service Enablement: This layer enables the services and provides the core functionality of the whole communication, such as enabling protocols, messages, configurations, orchestration services and connectivity management.

Applications: Applications are the services that require the underlying data from the devices, obtained through the connectivity and service enablement layers.

In an interaction between the connectivity and service enablement layers, relevant information is provided, for example how a service can reach a selected device or gateway. From the service enablement layer capabilities are exposed, so that applications can, for example, limit connectivity.

Figure 8: Communication Conceptual Model (layers from top to bottom: Applications, Service Enablement, Connectivity, Devices or Gateways; Use cases cut across all layers)

The communication architecture is independent of the use cases. This means that this architectural model can be used for many types of use cases. Use cases address the end-to-end capability of the communication architecture, implying that use cases affect all layers of the architecture. When a specific use case is realised, relevant functions from each layer are deployed. For example, if a device or gateway makes use of 3GPP communication, it will locally use services available through the 3GPP modem and trigger corresponding network services. Examples for such network services can be functions for support of mobility or 3GPP authentication.

3.4.3 Communication Topological Model

All functions of the layers in the conceptual model can be mapped to the layers in the topological model. Some aspects of the mapping between the conceptual and topological models are described further below. In Figure 9, the devices such as sensors and actuators in the smart grid can be connected directly via 5G modems, or via gateways that aggregate communication from devices of limited capabilities. The future 5G standard for mobile telecommunications is perfectly suited for managing large numbers of small-scale, inexpensive and long-lasting devices even in situations where the radio coverage is not perfect, such as inside larger buildings. The 5G Core includes classic connectivity functions such as mobility services, but also enhanced service capabilities, which are relevant for connectivity services for IoT devices. An example is the handling of device addresses so that network-initiated services can connect to the correct trusted device, even if subscription details are not known to the controlling application. The access layer includes the 5G radio interface from the modem to the 5G radio base station. This will ensure communication in the network that is highly reliable, offers maximum security and features ultra-low latency, meeting essential requirements when operating future smart grids. In the access layer, the corresponding access technologies are supported, so that radio or broadband access can be terminated in this layer and communication paths to the network and application services can be established.


Figure 9: Communication Topological Model

Applications are typically realised in control servers, but in the SUCCESS scenarios parts of the application functionality are executed in Breakout Gateways (BR-GWs), which are located at the edge of the mobile network, i.e. close to the 5G radio network. The advantage of distributed operation of these SUCCESS functions is reduced latency and faster response times in cases where urgent decisions are needed to maintain the stability and security of the smart grid. The BR-GW is a functional unit rather than a physical entity in communication networks; however, the location of the BR-GW depends upon the network configuration. The main purpose of the BR-GW is to enable local edge processing and real-time countermeasure implementation by introducing edge computing. When used in Smart Grid applications, the BR-GWs can host distributed grid management functionality and are connected to other grid management systems. Hence, the BR-GW enables the implementation of distributed grid management functionality.

Figure 10: Communication Conceptual to Topological mapping (conceptual layers: Applications, Service Enablement, Connectivity, Devices or Gateways; topological elements: Control Servers, Breakout Gateway, Core Network, Access Layer, Device)

3.5 SUCCESS Architecture: Security View

This chapter gives a view of the SUCCESS Architecture concentrating on the security perspective. The view covers security for utility grids, such as the electricity, gas or water grid, and grid-specific equipment and systems. This view is not a complete description of the SUCCESS Architecture but is complemented by the Utility and Communication views.

3.5.1 Concerns and Stakeholders

3.5.1.1 Concerns

For distribution automation, availability, integrity and authenticity are critical, while confidentiality is relatively less critical [1]. The following additional security objectives are also important:

Authenticity: Ensuring that devices and networks can mutually authenticate each other using shared secrets. [14]

Authorisation: Concerned with ensuring that access to system functions (e.g. via an API) is obtained only by actors with proper permissions.

Auditability: Being able to reconstruct a history of events from records of actions taken on the system.

Nonrepudiability: Being able to provide irrefutable proof of who initiated an action in the system. Often connected to regulatory requirements. [15]

Security is needed at all the different layers of the network and device stack. Here we elaborate the security requirements and solutions available at different layers:

Application layer security: The North American Electric Reliability Corporation (NERC) has defined a series of requirements for protection of critical cyber assets. Part of the requirement is that electronic access controls and monitoring of electronic access shall be implemented to restrict access to authorised users and detect and alert for unauthorised access or attempted access [16]. Central Authentication, Authorisation and Accounting (auditability) management (AAA) is important to prevent network access of unauthorised devices or users at the application level [17]. Authentication and authorisation services must be able to operate in an autonomous manner at the local level to avoid lock-out if the communication link to the central authority is lost. Use of insecure protocols presents a further risk at the application layer [1]. RADIUS and Diameter are specific protocols commonly used for AAA security [14] [18] [19].

Transport layer security: Transport layer security (TLS) protects data above the transport layer and is designed to prevent eavesdropping, tampering or message forgery [14]. Protocols such as TLS and IPsec provide secure end-to-end communications that ensure confidentiality and integrity regardless of the intermediate hops [17]. The International Electrotechnical Commission (IEC) standard IEC 62351 specifies the security requirements for data and communication security for power systems. TLS is specified for IEC 61850 protocols as detailed in IEC 62351 [25]. Therein, for example, substation communications are required to support the cipher suite TLS_DH_RSA_WITH_AES_128_SHA [25].

Network layer security: IPsec offers cryptographically-based security for IPv4 and IPv6 at the network layer to create virtual private networks (VPNs). It provides confidentiality (via encryption), access control, integrity, data origin authentication, and detection and rejection of replays. Moreover, the IPsec security protocols (Authentication Header (AH) and Encapsulating Security Payload (ESP)) are designed to be independent of the cryptographic algorithm, which allows selection of different sets of algorithms as appropriate. Most security requirements can be met with ESP, as it can be configured to provide integrity and data origin authentication without confidentiality [20]. This is noteworthy for smart grid applications, such as substation automation, where data confidentiality could be traded for reduced latency. By offering protection at the lower network layer, the host can identify legitimate messages and discard others, thereby reducing the vulnerability [14]. In other words, devices should not act on traffic that does not conform to the protocol or message standard [1].

An IPsec security association (SA) must be established between two end points via a key management protocol, for example the Internet Key Exchange (IKE) protocol [20]. Keys can be pre-shared (symmetric) or dynamically distributed (asymmetric) using a Public Key Infrastructure (PKI). The advantage of symmetric keys is that they are computationally faster, while asymmetric keys allow for scalability and more efficient key management through automation of key generation and distribution [21] [26]. In the case of substation automation, where IEDs transmit broadcast messages (filtered to multicast), IPsec must support multicast SAs.

Link layer security: It is stated by NERC [16] that Critical Cyber Assets shall reside within an Electronic Security Perimeter (EPS). For wireless technologies, eavesdropping is typically of concern [14]. LTE counters this by providing mutual authentication based on the Universal Subscriber Identity Module (USIM), with integrity and replay protection and strong encryption (128 bit keys) of the signalling between the terminal and the Radio Base station (RBS). The transport between the RBS and the core network is protected by IKE/IPsec. Once the connection is established, the user-plane traffic between the RBS and the terminal is protected by strong encryption as integrity protection would result in too great an overhead [24]. Relying solely on the link layer protection of LTE is not sufficient for mission critical data and a defence-in-depth strategy must be considered.

Physical layer security: Access to physical hardware offers a vulnerability that could lead to compromise of the network. Physical access should be limited based on the criticality of the device. Tamper resistance, tamper/intrusion detection and alerts can complement physical barriers such as secure locked buildings [22]. Regarding physical security, NERC specifies that all Cyber Assets within a defined Electronic Security Perimeter shall sit within an identified Physical Security Perimeter. Physical access points and access control measures shall be identified and controlled through, for example, key cards. Monitoring and logging of physical access shall also be undertaken through, for example, video surveillance [23]. This should be applied in the context of electrical grid asset protection as specified in [16]. The use of Physically Unclonable Functions (PUFs) is also needed to ensure physical security.

In addition to the security protocols available at the different layers of the protocol stack, hardware-rooted trust can provide additional security capabilities. The Trusted Platform Module (TPM) and the Trusted Execution Environment (TEE) are two such technologies which may enhance the security of smart grid networks. The Trusted Platform Module (TPM) is a secure crypto-processor that supplements the main computational processor and is designed to secure hardware by integrating cryptographic keys into devices. The TPM's technical specification is written and developed by the Trusted Computing Group (TCG). A TPM can provide features such as remote attestation. This essentially means that the device equipped with a TPM can create a one-way, unforgeable hash value that provides a summary of the device software and hardware status. This hash can then be compared against known good values to ensure that the device has not been tampered with. Such a feature can be extremely useful when devices are deployed in the wild and it may be impossible to physically protect them.

The Trusted Execution Environment (TEE), on the other hand, is a secure area within the main processor. It guarantees that code and data loaded inside it are protected with respect to confidentiality and integrity. The TEE provides features such as isolated execution and integrity of critical applications, along with confidentiality of their data. The TEE provides a higher level of security than a rich operating system (e.g. a mobile OS). A TEE may be used to protect critical data such as keys that are used for authentication and to push secure software updates. This can be useful for different components of a smart grid network system. The use of hardware security modules such as TEE and TPM in smart grid networks has also been suggested by Paverd and Martin [30].

When utilising 3GPP for network access, some security functions are already provided by the network: the device and network mutually authenticate, the control signalling is protected end-to-end and the user plane communication is (typically) protected on the air interface. In addition, the 3GPP credentials and infrastructure can also be used for authentication and key agreement for non-3GPP services using the Generic Bootstrapping Architecture (GBA, 3GPP TS 33.220). After this, the established key material can be used for setting up network, transport or application layer security.

In addition to building a secure system, it is also important to be prepared for a potential breach of that security. This can be done by implementing methods and tools for detecting, reacting to and mitigating attacks. One way of trying to contain an attack is to isolate the affected part of the system, possibly using virtualisation techniques, e.g. NFV and SDN, for reconfiguring the network.
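The remote attestation mechanism described above (a one-way hash summarising the device state, compared by a verifier against known good values) can be made concrete with the following added example; it is not SUCCESS code. It models the TPM's PCR extend operation and a quote over a verifier-chosen nonce, so that a stale quote recorded before tampering cannot be replayed. The quote is authenticated here with HMAC-SHA256 under a per-device key, which is an assumption standing in for the TPM's asymmetric attestation key; the boot chain, device key and allow-list are constructed.

```python
"""Model of TPM-style measured boot and remote attestation: each component
is measured into a PCR by a one-way extend operation, the device quotes the
PCR value over a verifier-chosen nonce, and the verifier compares the PCR
against an allow-list of known good values. Added example, not SUCCESS
code. The quote is authenticated with HMAC-SHA256 under a per-device key
as a stand-in for the TPM's attestation signing key (an assumption); real
TPMs sign quotes with an asymmetric attestation key."""
import hashlib
import hmac
import os
from typing import Iterable, Set, Tuple

PCR_INIT = bytes(32)  # PCRs are all-zero after reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)). One-way, so a
    value can only be reproduced by measuring the same components in order."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: Iterable[bytes]) -> bytes:
    pcr = PCR_INIT
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def quote(device_key: bytes, nonce: bytes, pcr: bytes) -> Tuple[bytes, bytes]:
    """Device side: return the PCR and a MAC binding it to the verifier's nonce."""
    return pcr, hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()


def verify_quote(device_key: bytes, nonce: bytes, q: Tuple[bytes, bytes],
                 known_good: Set[bytes]) -> bool:
    """Verifier side: the MAC must match under the fresh nonce (no replay of
    an old quote) and the reported PCR must be one of the known good values."""
    pcr, mac = q
    expected = hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    return pcr in known_good


# Constructed "golden" boot chain of a grid device and its allow-list.
GOLDEN_CHAIN = [b"bootloader-v1", b"kernel-v1", b"ump-agent-v1"]
KNOWN_GOOD = {measure_boot(GOLDEN_CHAIN)}
DEVICE_KEY = b"constructed-per-device-attestation-key"


def attest(components, device_key=DEVICE_KEY, known_good=KNOWN_GOOD, nonce=None) -> bool:
    """Run one full attestation round; the nonce is random unless supplied."""
    nonce = os.urandom(16) if nonce is None else nonce
    pcr = measure_boot(components)
    return verify_quote(device_key, nonce, quote(device_key, nonce, pcr), known_good)


if __name__ == "__main__":
    print("golden chain :", attest(GOLDEN_CHAIN))
    print("tampered     :", attest([b"bootloader-v1", b"kernel-modified", b"ump-agent-v1"]))
```

Two properties carry the security argument: the extend operation is one-way, so a modified component can only produce a PCR outside the allow-list, and the nonce ties each quote to one verification round, so an attacker who recorded a good quote before modifying the device cannot present it later.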

3.5.1.2 Stakeholders

The main stakeholders are the utility companies who deploy their infrastructure and need it to be properly secured to provide reliable service and protection against possible attacks. Of course, this is closely related to the customers of the utility companies, who expect that their service is uninterrupted and that their possibly privacy sensitive information is handled with care and according to regulations. Also, individual component providers need to make sure that the products they are providing meet the security requirements, also taking into account new discoveries related to possible security flaws in the products or protocols used.

3.5.2 Security Conceptual Model

The security model has security enablers on each layer, mapped onto the Communication conceptual model; the security enablers are the functions which enable the security. Network Access Control (NAC) enforces the policies that describe how nodes may connect to the network. A Physically Unclonable Function (PUF) is embodied in the device; it makes the device's response hard to predict and practically impossible to duplicate, and it is a type of cryptographic primitive. The Connectivity layer security enablers provide encryption and ciphering over the wireless communication, making sure that the data transmitted over the connectivity layer is encrypted. Device authentication and authorisation enable the authentication of the correct device when it connects to the network. Data Integrity refers to assuring the accuracy of the data over its entire life-cycle. On top of everything, a pan-European security architecture will be implemented. There could be multiple security enablers, with multiple security functions in each enabler. A security function such as device authentication can also be enabled on devices.


Figure 11: Security Conceptual Model

The layers in the conceptual model refer to the actual nodes and devices in the network, and the security functions implemented by them. The devices connect via the access network (connectivity) to the core network (connectivity and service enablement). The devices are mutually authenticated with the core network based on their credentials and the matching credentials stored in the core network in HLR/HSS or AAA server and will be used for security services such as authentication or encryption. In addition, the devices and services residing on them might further authenticate to application services or other devices, possibly with different credentials. The access network provides some communication security, while the devices use additional security protocols as needed for securing communication end-to-end. This can include e.g. transport layer security and application layer security.

3.5.2.1 Security Conceptual Model Timescale 2020+ and 2030+

The features expected in the medium- and long-term from a security point of view are discussed next. Medium term (2020+): Much of the ongoing security standardisation work for 5G, IoT and Smart Grid security happens at the Internet Engineering Task Force (IETF), 3 Generation Partnership Project (3GPP) and Institute of Electrical and Electronics Engineers (IEEE). We expect that in the medium term, a lot of the standardised protocols will see increased field trials and deployment. Here we highlight the important ongoing work in these standardisation bodies which will likely see larger deployment in the medium term: In recent years, the IETF has worked on a new version of the HTTP protocol. The new version is called HTTP/2, and it provides performance improvements by means of a binary representation of the commands. Other improvements include header field compression and support of multiple exchanges on the same connection. HTTP/2, published as IETF RFC 7540 (May 2015). On the security side, the HTTP/2 RFC states that TLS version 1.2 or a higher version must be used for HTTP/2 over TLS. The new phase of work also focuses on opportunistic encryption for HTTP. This proposal makes it possible to run HTTP over TLS and encrypt the communication, without requiring strong server authentication (17 March 2016). The IETF is also updating the TLS protocol (the latest draft is for TLS is v 1.3, 21 March 2016). One of the main goals of the new version is to encrypt as much as possible of the handshake messages to reduce the amount of data available to attackers. Another major goal is to reduce the handshake to one round‐trip. TLS 1.3 will also update the profiles to address known weaknesses in CBC block cipher modes and RC4. The Internet of Things (IoT) is one of the areas where IETF has been dedicating a considerable amount of effort. Whilst HTTP can be used for IoT devices, a new lighter weight version of the protocol has been defined for Constrained Devices. 
That protocol is called “The Constrained Application Protocol (CoAP)”, which is specified in RFC 7252. CoAP is based on the same Representational State Transfer (REST) architecture and provides a generic request/response

Page 41: SUCCESS D4.2 v1.0 Solution Architecture and Solution … SUCCESS D4.2 v1.0 Page 1 (57) SUCCESS D4.2 v1.0 Solution Architecture and Solution Description, V2 The research leading to

SUCCESS D4.2 v1.0

Page 41 (57)

interaction model like the Hypertext Transfer Protocol (HTTP). However, unlike HTTP, messages in CoAP are exchanged asynchronously over an unreliable datagram-oriented transport such as UDP, with optional reliability. Datagram Transport Layer Security (DTLS) provides communications privacy for datagram protocols and is based on the standard Transport Layer Security (TLS) protocol that is used widely on the Internet. The CoAP base specification describes how DTLS can be used for securing CoAP. It proposes three different modes for using DTLS, namely: Pre-shared key mode (where nodes have pre-provisioned keys for initiating a DTLS session with another node), Raw Public Key mode (where nodes have an asymmetric key pair but no certificates to verify its ownership) and Certificate mode (where public keys are signed in certificates by a certification authority). In addition, the IETF has also specified an implementation profile for TLS version 1.2 and DTLS version 1.2 that offers communications security for resource-constrained nodes that are part of the IoT.

The CoAP specification also provides an alternative approach for securing communication with Internet Protocol Security (IPsec). It argues that many constrained devices already have hardware support for link layer encryption, which can be used to make IPsec a viable option in such networks. Work is ongoing in this area on the standardisation of header compression for IPsec.

There are also other communication security issues associated with resource-constrained IoT devices that sleep during their lifecycle to save energy. Such IoT devices cannot afford to stay online for long periods to be polled for data, nor to support computationally intensive security protocols. To ensure data integrity, authenticity and confidentiality in such devices, the cryptographic protection measures need to be applied directly to the application-layer message objects. This method of communication security is also referred to as "object security". The IETF is currently working on a specification to provide object security on top of the CoAP protocol, referred to as Object Security for CoAP (OSCOAP).

Access control mechanisms are a necessary and crucial design element of any application's security. It is therefore not surprising that the IETF is also investigating how web-based access control and authorisation solutions can be applied to resource-constrained devices that are part of the IoT. It is currently defining an authorisation and access control framework for resource-constrained nodes based on the OAuth 2.0 framework, which is currently the de-facto standard for authorisation on the web.

In many smart grid deployments, the devices are connected to the Internet via a gateway that is directly reachable one hop away. For example, an IEEE 802.11 Access Point (AP) typically connects the client devices to the Internet over just one wireless hop. However, some deployments of Internet-connected devices (such as smart meters) may require routing between the devices themselves to reduce the cost of deployment and increase the reliability of the network. The IETF has therefore defined the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), RFC6550 [28]. RPL provides support for multipoint-to-point traffic from resource-constrained smart objects towards a more resourceful central control point, as well as point-to-multipoint traffic in the reverse direction. It also supports point-to-point traffic between the resource-constrained devices. A set of routing metrics and constraints for path calculation in RPL are also specified.

JavaScript Object Notation (JSON) is a lightweight text representation format for structured data, RFC7158 [29]. It is often used for transmitting serialised structured data over the network. The IETF has defined specifications for encoding public keys, signed content, and claims to be transferred between two parties as JSON objects. They are referred to as JSON Web Keys (JWK), JSON Web Signatures (JWS) and JSON Web Token (JWT). An alternative to JSON, Concise Binary Object Representation (CBOR), RFC7049, is a concise binary data format that is used for serialisation of structured data. It is designed for extremely resource-constrained nodes and therefore aims to provide a fairly small message size with minimal implementation code, and extensibility without the need for version negotiation. There is ongoing work to specify CBOR Object Signing and Encryption (COSE), which would provide services similar to JWS and JWT.
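As an added illustration of the JSON-based and CBOR-based formats described above (example code written for this edit, not code from the SUCCESS project or from the IETF specifications), the following Python block signs a constructed smart-meter reading as a JWS compact-serialisation token with HS256, verifies it while pinning the expected algorithm rather than trusting the token's own header, and encodes the same reading with a minimal CBOR encoder to show the size difference against compact JSON. The reading, the key and the field names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: one smart-meter reading (not data from the deliverable).
READING = {"meter": "M-001", "kwh": 42}
# Constructed demo key; a real deployment provisions a per-device secret
# during security bootstrapping and never shares it across devices.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialisation requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """JWS compact serialisation (RFC 7515) with HS256: header.payload.tag."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def jws_verify(token: str, key: bytes):
    """Return the payload dict if the signature is valid, otherwise None.

    The verifier fixes the algorithm it expects instead of honouring the
    header's 'alg' field, so a token announcing 'none' or another algorithm
    is rejected before any signature check.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def _cbor_head(major: int, n: int) -> bytes:
    """Initial byte(s) of a CBOR item: 3-bit major type plus value/length n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(value) -> bytes:
    """Minimal CBOR (RFC 7049) encoder: ints, bools, None, str, bytes, list, dict."""
    if value is True:
        return b"\xf5"
    if value is False:
        return b"\xf4"
    if value is None:
        return b"\xf6"
    if isinstance(value, int):
        return _cbor_head(0, value) if value >= 0 else _cbor_head(1, -1 - value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _cbor_head(3, len(data)) + data
    if isinstance(value, list):
        return _cbor_head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        return _cbor_head(5, len(value)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in value.items()
        )
    raise TypeError(f"unsupported type {type(value).__name__}")


def size_comparison(payload: dict) -> tuple:
    """(compact JSON length, CBOR length) in bytes for the same object."""
    json_bytes = json.dumps(payload, separators=(",", ":")).encode()
    return len(json_bytes), len(cbor_encode(payload))


if __name__ == "__main__":
    token = jws_sign(READING, DEMO_KEY)
    print("token:", token)
    print("verified:", jws_verify(token, DEMO_KEY))
    print("json vs cbor bytes:", size_comparison(READING))
```

The encoder covers the data-model subset a meter reading needs; a COSE message would wrap the CBOR bytes with a protected header and tag in the same way the JWS wraps the JSON payload, which is why the two are discussed together above.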

IEEE has recently initiated the formation of some projects related to privacy in IEEE protocols, specifically the creation of project "P802E - Recommended Practice for Privacy Considerations for IEEE 802 Technologies", which is intended to draw up recommendation documents on privacy in IEEE 802. This group was formed as a result of an IEEE Project Authorisation Request (PAR) from the IEEE 802 EC Privacy Recommendation Study Group. The IEEE privacy study group coordinated some MAC randomisation trials at recent IETF meetings in Hawaii (IETF91) and Berlin (IETF92), and at one IEEE 802 standards meeting. SA3, the 3GPP security group, with its new Study Item (SI) on the Security Aspects of the Next Generation System (TR 33.899), will potentially result in many security enhancements for 5G which will also be deployed in the context of Smart Grids.

Long term (2030+): From a long-term security perspective, the most important development beyond what is discussed for 2020+ will, we believe, be in the field of quantum computing. As quantum computers become a reality, many of the well-known asymmetric, public-key algorithms such as RSA may need to be replaced or may require significantly longer key sizes to ensure security. This will also have impacts on the overall performance of the system.

3.5.3 Security Topological Model

The SUCCESS security architecture, shown in Figure 12, consists of multiple components. Its core is a distributed security monitoring solution. At the DSO level, it is used for monitoring the DSO network and its events using DSO security monitoring centres (DSOSMC). The DSOSMC analyses both the legacy traffic, signalling and state information reaching the DSO and the information reports from the network components on abnormal behaviour. This additional information is received from the SUCCESS components NORM and BR-GW. The BR-GW analyses the integrity of traffic at the edge of the 3GPP access network, and is co-located with the 3GPP base station. It can utilise data centric security (DCS) for verifying message integrity and analysing traffic patterns of the client devices. The NORM is a Smart Meter Gateway which collects grid measurements from a Smart Meter or Phasor Measurement Unit (PMU) and provides them via the BR-GW to the DSOSMC. NORM uses Virtual Private Network (VPN) and Physically Unclonable Function (PUF) technologies to secure the communications with BR-GW and DSOSMC.

DSOs further share their findings with a distributed, wide-area, pan-European information sharing and analysis system, called the pan-European Security Monitoring Centre (ESMC). However, the information is first anonymised to reduce privacy concerns. In addition to data anonymisation, sharing this information across borders will require changes to legislation, as today this information is in most, if not all, countries not allowed to be communicated outside the country of origin. The ESMC consists of a central European security monitoring and information system (E-SMIS) and multiple distributed European security monitoring and information systems (DE-SMIS). The DE-SMIS are co-located with the DSOs, and are where the DSOs share their anonymised data, including identified threats and attacks. The DE-SMIS also gathers input from other external sources that might provide relevant information for analysing the state of the network, such as weather information and information from social media. DE-SMIS then shares the information with E-SMIS, which gathers all the DE-SMIS data, correlates it and tries to identify relevant patterns. The findings of E-SMIS are then fed back to the DSOs via the DE-SMISs. The ESMC's communication interfaces are realised over the SUCCESS APIs defined in the project.

Figure 12: SUCCESS Security Architecture Topology

3.5.3.1 SUCCESS API

The SUCCESS API allows information exchange between DSO level and pan-European level in the European Security Monitoring Centre. It is realised as interfaces described and made publicly available in the deliverable D4.4 [1]. Referring to the interfaces shown in Figure 14 on p48, the SUCCESS API includes the following interfaces:

Interfaces I-3 (between DSOSMC and DE-SMIS), I-4 (between DE-SMIS instances), I-5 (between DE-SMIS and E-SMIS), I-6 (E-SMIS and external data sources) and I-7 (between DE-SMIS and internal data sources).

The SUCCESS API supports passing information about (1) security incident detection, (2) triggering and advising of countermeasures, and (3) further payload between the SUCCESS components. Payload data is data about the grid status (obtained by NORM) or the IT infrastructure (obtained by e.g. firewall log files).

Figure 13: SUCCESS API in context of SUCCESS Security Monitoring Solution

The SUCCESS API is published for use by DSOs. The main purpose in exposing the SUCCESS API is to allow interoperability of different components and a flexible, downstream implementation of additional threats and countermeasures. The API definition will be made openly available. However, the actual data passed over the API will be restricted and subject to security controls. No data related to private persons will be passed over the SUCCESS API. Data will be anonymised and private data protected. The SUCCESS API provides unified definitions of how grid-state data can be made available between different DSOs, or between DSOs, organisations operating a pan-European monitoring centre (E-SMIS) and national or local monitoring centres (DE-SMIS). Analysis and comparison of these data at the different levels can reveal abnormalities which may be caused by physical or cyber-attacks. Therefore, the communication via the SUCCESS APIs implements the holistic security approach of SUCCESS, which includes multiple tiers for the detection of a security incident and the initiation of countermeasures.

3.5.3.2 Threat Detection and Countermeasures

When threats are realised and a security incident occurs, the DSOSMC, and in some cases the BR-GW, can initiate pre-defined countermeasures against the identified incidents. In some cases, the reaction needs to be instantaneous, i.e. an autonomous reaction by the system, while other countermeasures might require a human operator or administrator to approve the action. The main focus in SUCCESS is on cyber-security related incidents, but some physical security related incidents and associated countermeasures have also been identified. A comprehensive approach to threat detection is performed on three levels: BR-GW performs checks on the integrity of the data communications, DSOSMC looks only at the grid data, whereas ESMC also looks at other locally available data (e.g. computer logs) and analyses over a wide area, making it possible to correlate information and gain further insight. This three-level approach is mirrored in the way countermeasures are applied: applying countermeasures over a wide area requires manual control by a grid operator. Hence, whereas ESMC informs the grid operator of incidents and the operator is responsible for applying the countermeasures, DSOSMC can autonomously apply countermeasures in its local area and BR-GW can apply countermeasures for the data communications handled by the given virtual BR-GW instance. Information about detected incidents and applied countermeasures is shared and co-ordinated between BR-GW, DSOSMC and ESMC. Threats are identified in deliverable D1.2, while incidents and countermeasures are detailed in deliverable D4.4.

3.5.4 Security Components

All the information communicated between entities in the smart grid is sensitive. The levels of sensitivity range from end-user privacy concerns to business and operation critical information. Integrity and confidentiality protection are the two main types of protection mechanisms mentioned in many architectures. Like the information sensitivity, the levels of protection offered by integrity and confidentiality protection vary. Furthermore, security cannot be seen as a separate tool/add-on in individual protocols, components, and architecture descriptions. Instead, it begins with the individual protocol decisions, is embedded into the components of the architecture, and is executed according to scrutinised processes and operating procedures. Like many critical systems, smart grid communication requires protection against modification. Much of the information can be privacy sensitive and often also requires protection against unauthorised access to the communicated information. The information can reveal, either directly or through data analysis, information about a customer and their behaviour. The information also relates to financial transactions, so modification of the information could result in financial loss for either party. Moreover, the security requirements may extend even beyond the communication event, and in some cases create additional security requirements for data storage and handling. In addition to the information exchanged between the smart meter at the client's premises and the network, the nodes within the power infrastructure also exchange information with high security requirements. This information includes management of the nodes in the network, statistics reporting and other network state information. The basic security for the network includes both the security functions needed for enabling secure communication and the physical security measures needed for securing the network components against physical threats to the equipment. Physical threats include both malicious attacks with intent to disrupt service by destroying network components and other causes of equipment malfunction such as natural phenomena or component failure.

3.5.4.1 Communications Security

The basis for communications security is the device identity, which consists of an identifier and an associated credential. An example is a public key certificate as the identifier, with the corresponding private key taking the role of the credential. Symmetric key based credentials are also possible, where the identifier is a device identity such as a 128-bit universally unique identifier (UUID) and the associated credential is a secret key. In this case, it is important to have a strong enough key, meaning one that is long enough and random. The drawback of symmetric approaches is that the same key cannot (should not) be used towards multiple peers/services: the likelihood of the key being compromised increases, and at the same time the effect of a compromise is, in theory, amplified in direct relation to the number of entities sharing the same secret key.

However, before the device can use the identity, the identity needs to be provisioned to the device. This is known as security bootstrapping and entails providing the device with all required security configuration: credentials, configuration about which protocols to use and which peers/services to connect to. Furthermore, access control information is configured and installed, and software is verified to be up-to-date. In addition to bootstrapping this information to the device, the network also needs to be made aware of the new device that will be installed into the network. This can be done a priori, before device installation and connection to the network, or as part of the device installation process. The minimum requirement is that the device identity is provided to at least one authentication server so that the device is able to authenticate itself to peers/services in the network.

With the identities in place, the devices need to be aware of the services/peers they need to interact with, as well as their identities. In some cases, it might be enough to know that any peer with a certificate from a trusted certificate authority (CA) is a trusted peer, while in other cases only specific identifiers should be trusted. Furthermore, different peers/services might have different levels of trust, or the device should only share certain types of information with certain identified peers/services. This is defined through authorisation policies and access control, and this information can be configured on the devices directly or securely over the network using a device management protocol such as LwM2M [45].

When connecting to a peer, the device should authenticate the peer before interacting with it. Here the device verifies that the identity of the peer is one of the trusted ones with which it should interact. Typically, the peer also wants to authenticate the device, resulting in mutual authentication. The authentication is based on the strong identities used by the devices. The Extensible Authentication Protocol (EAP) is one typical authentication protocol; it is primarily targeted at access authentication, such as a device requesting access from an access point or gateway, but it can be applied to other types of authentication as well. EAP supports multiple different authentication methods and credential types. Another typical example of mutual authentication is the setup of Transport Layer Security (TLS) with both client side and server side certificates.
In the case that the device has 3GPP credentials, it is also possible to utilise them for authentication and key agreement with the service using the Generic Bootstrapping Architecture (GBA). Finally, after successful authentication, the device can start interacting with the peer/server. Now it is up to the security policy to define the level of security required for the communication. Even if the access network itself provides secured access, the communication should ideally be protected end-to-end rather than hop-by-hop. In most cases confidentiality protection, i.e. encryption, is a default choice, especially in smart grid scenarios. Encrypted data without integrity protection can, however, in many cases be modified on the path by an attacker without the receiver noticing it. Typically, the attacker can only achieve random modification of the plaintext, but cannot choose the exact modification. The more the attacker knows about the plaintext, the more he can target the change to a specific part of it. Assuming the plaintext has a well-defined format and expected value ranges (e.g. reported temperature or power consumption), the receiver can sometimes notice these types of attacks if the random modifications result in unrealistic values or corrupted message formats. However, explicit integrity protection should ideally be used, e.g. by applying keyed hashes, MACs or digital signatures. Replay protection is also an important feature, which in many cases is provided by the protocols themselves. If this is not the case, it should also be explicitly applied. Protocols for applying communication security include (D)TLS, object security and IPsec. For all of them it is possible to select different algorithms and cipher suites according to requirements. The key material used for securing the communication is typically either based on the authentication keys or negotiated as part of the authentication procedure.
By applying these principles of having a strong identity, proper access control and requiring end-to-end authentication and encryption we can arrive at a good base level of security and many of the threats identified in D1.2 [2] such as man-in-the-middle, eavesdropping and data injection attacks can be efficiently prevented.
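To make the integrity and replay points above concrete, here is an added Python example written for this edit; it is not code from the deliverable or from any SUCCESS component. It uses a toy HMAC-based counter-mode keystream in place of a real cipher such as AES-CTR (a stand-in assumption so that the block runs with the standard library only), shows that when only encryption is applied a single flipped ciphertext byte changes a decrypted reading without anything for the receiver to notice, and then shows an encrypt-then-MAC receiver with a monotonic sequence number that rejects both the modified message and a replayed one. The keys and the "W=nnnnn" message format are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo keys. A real deployment derives separate encryption and
# integrity keys per device and direction from the authentication exchange.
ENC_KEY = b"constructed-demo-encryption-key"
MAC_KEY = b"constructed-demo-integrity-key"
SEQ_LEN = 8   # 64-bit sequence number prefixed to every message
TAG_LEN = 32  # HMAC-SHA256 tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256, standing in for a real
    stream/counter-mode cipher so the example needs no third-party library."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_only(seq: int, plaintext: bytes) -> bytes:
    """Confidentiality only: seq || (plaintext XOR keystream)."""
    nonce = struct.pack(">Q", seq)
    ks = keystream(ENC_KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(msg: bytes) -> bytes:
    nonce, body = msg[:SEQ_LEN], msg[SEQ_LEN:]
    ks = keystream(ENC_KEY, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def demo_unauthenticated() -> tuple:
    """Flip one bit of an unauthenticated ciphertext and decrypt both versions.

    With a stream/counter-mode cipher a bit flip in the ciphertext flips the
    same bit of the plaintext, so the reported value changes and the receiver
    has nothing to check. Returns (original plaintext, modified plaintext)."""
    msg = encrypt_only(1, b"W=00450")          # constructed reading: 450 W
    modified = bytearray(msg)
    modified[SEQ_LEN + 2] ^= 0x01              # plaintext byte 2: '0' -> '1'
    return decrypt_only(msg), decrypt_only(bytes(modified))


def protect(seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: seq || ciphertext || HMAC(seq || ciphertext).

    The sequence number is covered by the tag, so it cannot be altered, and
    the receiver uses it for replay protection."""
    enc = encrypt_only(seq, plaintext)
    return enc + hmac.new(MAC_KEY, enc, hashlib.sha256).digest()


class Receiver:
    """Checks the tag before decrypting and rejects non-increasing sequence numbers."""

    def __init__(self):
        self.last_seq = -1

    def receive(self, msg: bytes):
        """Return the plaintext, or None if the message is modified or replayed."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None
        enc, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, enc, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                         # forged or modified in transit
        seq = struct.unpack(">Q", enc[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return None                         # replayed (or reordered) message
        self.last_seq = seq
        return decrypt_only(enc)


if __name__ == "__main__":
    print("encryption only:", demo_unauthenticated())
    rx = Receiver()
    m = protect(1, b"W=00450")
    print("authentic:", rx.receive(m), "replay:", rx.receive(m))
```

Strict "greater than last seen" is the simplest replay rule and drops legitimately reordered datagrams; DTLS and IPsec use a sliding window over the sequence number for that reason, which is the kind of protocol-provided replay protection the paragraph above refers to.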

3.5.4.2 Physical Security

In addition to the communications security discussed in Section 3.5.4.1, another big part of smart grid security is the physical security of the smart grid nodes. There are nodes located at customer premises to which the customer might have direct access, and in addition part of the infrastructure nodes are out in the field in unmanned locations. Furthermore, it is not only the node itself that needs to be protected, but also its power supply and communication capabilities, as disabling either of them would also render the node unavailable. The physical protection of nodes can include both blocking unauthorised access to them and sensors for identifying perimeter breaches. The sensors can be both for the site and for the node itself, e.g. sensors detecting the opening of the device enclosure. In addition to signalling breaches of the device enclosure, the device could store a state related to this. To protect this state against tampering it could be stored in hardware-secured memory, e.g. in a trusted platform module (TPM). The node's state can then be queried remotely using a remote attestation service, with the state stored in the TPM forming part of the attested state of the node. The TPM could also be used for storing the credentials and other security-critical parameters of the node so that an attacker cannot copy/clone them. Other hardware-secured modules, such as the universal integrated circuit card (UICC), better known as the SIM card, could also be used for storing credentials.
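The TPM-backed tamper state and remote attestation described above, as an added software model written for this edit (not code from the project and not a TPM driver): it reproduces the PCR extend rule PCR_new = SHA-256(PCR_old || SHA-256(measurement)), which is what makes a recorded event impossible to erase short of a platform reset, records a constructed enclosure-open event into a PCR, and has a verifier check a nonce-bound quote against golden values. The PCR indices, the firmware image bytes, the event string and the HMAC used in place of the TPM's asymmetric quote signature are all assumptions.

```python
import hashlib
import hmac

PCR_SIZE = 32                                        # SHA-256 PCR bank
FIRMWARE_PCR = 0                                     # constructed index choice
TAMPER_PCR = 16                                      # constructed index choice
GOLDEN_FIRMWARE = b"constructed-firmware-image-v1"   # constructed image bytes
TAMPER_EVENT = b"ENCLOSURE_OPENED"                   # constructed event string
ATTESTATION_KEY = b"constructed-attestation-key"     # stand-in for the TPM's AK


class PcrBank:
    """Software model of TPM platform configuration registers.

    PCRs cannot be written, only extended; every extend folds the new
    measurement into the running hash, so the value depends on the whole
    ordered history and cannot be rolled back by software."""

    def __init__(self, count: int = 24):
        self.pcrs = [b"\x00" * PCR_SIZE for _ in range(count)]

    def extend(self, index: int, measurement: bytes) -> bytes:
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def quote(self, indices, nonce: bytes) -> dict:
        """Report of selected PCRs bound to a verifier-chosen nonce.

        A real TPM signs the quote with an attestation key that never leaves
        the chip; an HMAC stands in for that signature here (assumption)."""
        indices = sorted(indices)
        selected = b"".join(self.pcrs[i] for i in indices)
        sig = hmac.new(ATTESTATION_KEY, nonce + selected, hashlib.sha256).digest()
        return {"nonce": nonce, "pcrs": {i: self.pcrs[i] for i in indices}, "sig": sig}


def golden_pcrs() -> dict:
    """Values the verifier expects from a node that booted the known firmware
    and has never reported an enclosure-open event."""
    ref = PcrBank()
    ref.extend(FIRMWARE_PCR, GOLDEN_FIRMWARE)
    return {FIRMWARE_PCR: ref.pcrs[FIRMWARE_PCR], TAMPER_PCR: ref.pcrs[TAMPER_PCR]}


def verify_quote(q: dict, nonce: bytes) -> str:
    """Classify a quote: ok, bad-signature, stale-nonce, firmware-mismatch, tamper-evident."""
    indices = sorted(q["pcrs"])
    signed = q["nonce"] + b"".join(q["pcrs"][i] for i in indices)
    expected_sig = hmac.new(ATTESTATION_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, q["sig"]):
        return "bad-signature"       # PCR values or nonce altered after signing
    if q["nonce"] != nonce:
        return "stale-nonce"         # an old, genuine quote replayed
    golden = golden_pcrs()
    if q["pcrs"].get(FIRMWARE_PCR) != golden[FIRMWARE_PCR]:
        return "firmware-mismatch"   # unknown or modified firmware measured
    if q["pcrs"].get(TAMPER_PCR) != golden[TAMPER_PCR]:
        return "tamper-evident"      # the enclosure sensor extended the PCR
    return "ok"


def boot_node(firmware: bytes = GOLDEN_FIRMWARE, enclosure_opened: bool = False) -> PcrBank:
    """Constructed node life cycle: measure firmware at boot, then optionally
    record a tamper-switch event."""
    node = PcrBank()
    node.extend(FIRMWARE_PCR, firmware)
    if enclosure_opened:
        node.extend(TAMPER_PCR, TAMPER_EVENT)
    return node


if __name__ == "__main__":
    for label, node in (("clean", boot_node()), ("opened", boot_node(enclosure_opened=True))):
        print(label, verify_quote(node.quote([FIRMWARE_PCR, TAMPER_PCR], b"challenge-1"), b"challenge-1"))
```

The nonce check is what turns a stored state into a fresh attestation: without it a node could answer every challenge with a quote captured before the enclosure was opened.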

3.5.4.3 Other Security Measures

In addition to what has already been discussed, it is of course essential to have well educated staff familiar with the underlying systems, as well as proper security policies for how they may behave and access data and nodes in the network. This should also be combined with logs providing non-repudiation. It is also good to define in advance countermeasures for handling identifiable possible security risks or incidents. This also requires that these incidents can be identified, which means that the network and its nodes need to be monitored. The network monitoring centre gathers information about node and network state and actions in the network, and alerts the administrator of any abnormal behaviour. This could be, e.g., a node's firmware being updated without the update being scheduled in the system, which could be an indication of an attack on the node. Based on these alerts, the administrator investigates the cause and potentially performs countermeasures to fix the problems and minimise their effect on the network. Furthermore, up-to-date software, such as OS, firmware and applications, should be maintained in all nodes. For the most critical nodes, hardening of the software might also be a good precaution. Also, anti-virus programs, firewalls and possibly deep packet inspection (DPI) should be installed in the nodes and networks to protect against network-based and malware types of attacks, such as the viruses identified in D1.1. Other isolation techniques, such as virtualisation and SDN, could be applied as well to shield the nodes and the smart grid network from the public networks, and node-internal functions from each other. By promptly applying updates, potential bugs in the software can be removed, eliminating unforeseen vulnerabilities. Also, the cipher suites and security algorithms in use should be updated if it is found that they have weaknesses or have been broken.
The most critical nodes in the network should be duplicated for resilience. In case of malfunction, attacks or accidents the network should be able to continue functioning even when a node is not available, which can be achieved by having a backup node that can handle the critical functions of the disabled node.
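As an added example of the monitoring rule mentioned above (a firmware update that was not scheduled in the system as an indicator of a possible attack on a node), this Python block, written for this edit and not code from the project, runs over a few constructed log lines in a hypothetical "timestamp key=value" format and raises an alert for each firmware update that falls outside a constructed maintenance schedule or comes from an initiator the change process does not allow. The log format, node names, schedule and initiator list are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2017-04-12T02:05:11Z node=NORM-07 event=firmware_update version=2.3.1 initiator=mgmt-server
2017-04-12T02:40:50Z node=NORM-07 event=reboot reason=scheduled
2017-04-13T14:17:03Z node=NORM-12 event=firmware_update version=2.3.1 initiator=local-console
2017-04-13T14:17:59Z node=NORM-12 event=reboot reason=unscheduled
2017-04-13T15:00:00Z node=NORM-03 event=config_change key=reporting_interval
"""

# Constructed maintenance schedule: node, window start, window end (UTC).
MAINTENANCE_WINDOWS = [
    ("NORM-07", "2017-04-12T02:00:00Z", "2017-04-12T03:00:00Z"),
]
# Constructed set of update sources the operator's change process allows.
APPROVED_INITIATORS = {"mgmt-server"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<kv>.+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line: str):
    """Parse one log line into a dict of fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = parse_ts(m.group("ts"))
    return fields


def in_maintenance_window(node: str, ts: datetime) -> bool:
    return any(
        n == node and parse_ts(start) <= ts <= parse_ts(end)
        for n, start, end in MAINTENANCE_WINDOWS
    )


def find_suspicious_updates(log_text: str) -> list:
    """Alerts for firmware updates outside a scheduled window or from an
    unapproved initiator; each alert lists every rule that fired."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("event") != "firmware_update":
            continue
        reasons = []
        if not in_maintenance_window(ev.get("node"), ev["ts"]):
            reasons.append("outside-maintenance-window")
        if ev.get("initiator") not in APPROVED_INITIATORS:
            reasons.append("unapproved-initiator")
        if reasons:
            alerts.append({
                "node": ev.get("node"),
                "ts": ev["ts"].strftime(TS_FORMAT),
                "version": ev.get("version"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_updates(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately independent: an update from the management server outside its window points at a process failure, while one from a local console inside a window still deserves a look, and an analyst should see which of the two fired.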

3.5.4.4 Double Virtualisation

In addition to using well known security mechanisms, such as strong authentication and communications security, for securing the Smart Grid, some more recent and even new security concepts are also being defined and used in the project. Double virtualisation (DV) is used for separating data from functionality, and makes it possible to move those between different physical devices independently from each other. This is especially useful if/when a cyber-attack is targeting the device as the functionality can be moved to another physical host, helping to keep the system up and running. In SUCCESS, DV is being applied as a resilience solution for the power and communication grids based on a separation of applications from their data and the execution of the functionality related to the application and data parts on separate Virtual Machines in the edge cloud. The DV approach and implementation are described in detail in D2.4 [5].

4. Implementing the SUCCESS Security Monitoring Solution

The SUCCESS Security Monitoring Solution addresses the problem of detecting hacker attacks on the Smart Grid and mitigating the attacks by applying countermeasures. The SUCCESS project will implement the component parts of the Solution and perform component-level and system-level integration testing of them. The resulting system, called the SUCCESS Security Monitoring Solution, implements the SUCCESS security architecture. It will be instantiated in the SUCCESS trial sites. It will also be available to DSOs and TSOs to be instantiated in their infrastructures. This Solution shows how the components of the SUCCESS infrastructure work together to detect security threats to the Electricity Distribution Grid's management and communication systems and to execute countermeasures which mitigate these threats.

Figure 14: SUCCESS Security Monitoring Solution. Interfaces between the elements are denoted as I1…I8

Figure 14 gives a functional overview of the SUCCESS Security Monitoring Solution, showing the components arranged into functional layers and the interfaces between the components. Details of the components and interfaces are given in D4.4 [1].

The Security Monitoring components are located in two layers:

the DSO/TSO level (see DSOSMC and DE-SMIS at the centre of Figure 14), and

the pan-European level (see E-SMIS at the top of Figure 14).

E-SMIS and DE-SMIS form the Pan-European Security Monitoring Centre (ESMC), which consists of a single European-level Security Monitoring and Information System (E-SMIS) and several decentralised E-SMIS instances (called DE-SMIS) which act as ESMC proxies at DSO level, interworking with the local DSOSMC. ESMC is intended to monitor a large area and to alert DSOs or TSOs in case of security threats. ESMC performs data analytics to detect patterns indicating security incidents, which (D)E-SMIS users (the DSOs or TSOs) can potentially use in a downstream process to trigger countermeasures; i.e. ESMC will not directly initiate countermeasures but notifies the DSO or TSO, who is responsible for initiating them. The supporting DSO/TSO SCADA system is not included in the scope of the SUCCESS project, and the generation of countermeasures by DSOs or TSOs is outside the scope of the SUCCESS project. However, DE-SMIS notifies DSOSMC of security incidents detected by ESMC. In the SUCCESS Security Monitoring Solution, DSOSMC and BR-GW can apply countermeasures. NORM devices located in the distribution grid measure consumer, prosumer or grid-related data. Selected data produced by NORM, which may be relevant for the security assessment at higher levels, are provided to the DSOSMC by a Security Agent running in NORM through the communications network, where the BR-GW component is introduced by SUCCESS (other existing communications components are not shown in Figure 14). The DSOSMC receives data from NORMs directly over Interface 1 or via BR-GW over Interface 2. After analysing the data, the DSOSMC provides the results to a DE-SMIS instance via Interface 3. Both DSOSMC and DE-SMIS instances lie on the DSO/TSO level, where they interact in a 1:1 relationship. The DSOSMC monitors and generates countermeasures for local electricity distribution grids. DE-SMIS instances receive data from:

The DSOSMC (see Interface I3), related to detected threats and initiated countermeasures,

Further internal data sources (see Interface I7),

Other DE-SMIS instances located at other DSO/TSOs (see Interface I4); and

The E-SMIS instance (see Interface I5).

Hence, DE-SMIS receives data from a wide variety of data sources. In particular, DSOSMC is only one among many such sources. The rationale is that DE-SMIS uses data mining methods on the data from the different data sources to extract new meaning and information about the status of the system. The E-SMIS instance receives data from DE-SMIS instances and from external security-related data sources, such as logs and social media streams (see Interface 6). In the SUCCESS Security Monitoring Solution, besides the (D)E-SMIS, the DSOSMC and the Breakout Gateway can also initiate countermeasures. In the SUCCESS project, however, only DSOSMC and BR-GW will actually initiate countermeasures. The countermeasures are executed through the DSO Security Monitoring Centres, the Breakout Gateways and the Double Virtualisation logic. The Double Virtualisation logic will be part of the Edge Cloud. Accordingly, the Edge Cloud can provide security hazard indications to the DSOSMC, on which the DSOSMC can initiate countermeasures such as migration of virtual instances. It is useful to distinguish between the SUCCESS Security Monitoring Solution (which contains all the interfaces and components of SUCCESS) and a particular implementation, for example in a SUCCESS trial site, which may not contain all the components shown in Figure 14. Figure 15 shows exemplary instantiations of the SUCCESS Security Monitoring Solution in the field trial sites, with each trial site providing IT-related data over I7 and BR-GW being omitted in two of the trial sites. Please note that this example is for illustrative purposes only and does not necessarily reflect the actual trial site setups.

Figure 15: Exemplary Instantiations of SUCCESS Security Monitoring Solution in the Field Trial Sites

4.1 Operation Sequences of SUCCESS Security Monitoring Solution

The principle of operation of the SUCCESS Security Monitoring Solution may be illustrated using two exemplary scenarios. These scenarios are intended to give a high-level sketch of the information flow and the role of the different components.

Figure 16: Security Monitoring Sequence Without Attack

In the scenario shown in Figure 16, the NORM supplies measurement data that is pre-processed by the DSOSMC. The pre-processed data is passed by the DSOSMC on to the DE-SMIS, where it is anonymised. Each of the components BR-GW, DSOSMC and DE-SMIS analyses the data: BR-GW looks at the communication streams, DSOSMC looks for patterns in the measurement data and DE-SMIS looks for patterns considering also additional data. Results of the security analyses are passed between the components and to the E-SMIS, which performs a security analysis considering the data from many DE-SMISs and from additional data sources. In this case, no hacker attack is detected by any component.

In the scenario shown in Figure 17, an attacker intercepts data from the NORM and tampers with it. In the case shown, the tampering is detected by the BR-GW. In general, depending on the attack vector, the attack might be detected by a different component. In this regard, the SUCCESS Security Monitoring Solution adopts a principle of defence in depth. Once BR-GW detects the attack, it marks the NORM as corrupted and informs the other security monitoring components. If the attack were detected not by BR-GW but by DSOSMC, DE-SMIS or E-SMIS, those components would likewise inform the other security monitoring components and, in the case of DSOSMC, initiate countermeasures.


Figure 17: Man-in-the-Middle Attack Detected by Breakout Gateway
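The two sequences above can be made concrete with a small simulation. The following Python model is an added example written for this edition, not code from the SUCCESS project. The deliverable does not say how the BR-GW inspects the communication stream, how the DSOSMC recognises patterns or how the DE-SMIS anonymises, so the mechanisms used here (an HMAC-SHA256 tag over each NORM reading, a fixed plausibility window on the measured value, and a keyed-hash pseudonym for the meter identifier), together with all keys, identifiers and readings, are assumptions. Three runs are modelled: the no-attack flow of Figure 16, the man-in-the-middle tampering of Figure 17 caught by the BR-GW, and a third run that goes beyond the figures to show the defence-in-depth point: a message carrying a valid tag but an implausible value passes the BR-GW and is caught by the DSOSMC instead.

```python
"""Toy model of the SUCCESS monitoring chain (added example, not project code).

Assumed, not taken from the deliverable: the NORM authenticates each reading with
an HMAC-SHA256 tag checked by the BR-GW, the DSOSMC applies a fixed plausibility
window, and the DE-SMIS pseudonymises meter identifiers with a keyed hash.
All keys, meter names and readings below are constructed sample data.
"""
import hmac
import hashlib
import json
from dataclasses import dataclass, field

NORM_KEY = b"constructed-per-meter-key"        # assumed: key shared by NORM and BR-GW
ANON_KEY = b"constructed-pseudonymisation-key"  # assumed: DE-SMIS secret
PLAUSIBLE_KW = (0.0, 30.0)                      # assumed: plausible LV household range


def norm_reading(meter_id, kw, seq):
    """NORM side: emit one reading together with its authentication tag."""
    body = {"meter": meter_id, "kw": kw, "seq": seq}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(NORM_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


@dataclass
class Alerts:
    """What each component reported, and which meters have been marked corrupted."""
    events: list = field(default_factory=list)
    corrupted: set = field(default_factory=set)

    def raise_alert(self, component, meter_id, reason):
        # Record the finding, mark the meter and make it visible to the other components.
        self.events.append((component, meter_id, reason))
        self.corrupted.add(meter_id)


def br_gw(msg, alerts):
    """Breakout Gateway: integrity check on the communication stream."""
    body = json.loads(msg["payload"])
    expected = hmac.new(NORM_KEY, msg["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        alerts.raise_alert("BR-GW", body["meter"], "authentication tag mismatch")
        return None
    return body


def dsosmc(body, alerts):
    """DSO Security Monitoring Centre: pre-processing plus a pattern check on the value."""
    lo, hi = PLAUSIBLE_KW
    if not lo <= body["kw"] <= hi:
        alerts.raise_alert("DSOSMC", body["meter"], f"implausible value {body['kw']} kW")
        return None
    return {**body, "kw_rounded": round(body["kw"], 1)}


def de_smis(body):
    """DE-SMIS: replace the meter identifier by a keyed pseudonym before wider sharing."""
    pseudo = hmac.new(ANON_KEY, body["meter"].encode(), hashlib.sha256).hexdigest()[:16]
    return {"meter": pseudo, "kw": body["kw_rounded"], "seq": body["seq"]}


def run_chain(msg, alerts):
    """Pass one message through BR-GW -> DSOSMC -> DE-SMIS; None if a component blocks it."""
    body = br_gw(msg, alerts)
    if body is None:
        return None
    pre = dsosmc(body, alerts)
    if pre is None:
        return None
    return de_smis(pre)


def scenario_no_attack():
    """Figure 16: a genuine reading flows through and nothing is raised."""
    alerts = Alerts()
    return run_chain(norm_reading("NORM-0001", 4.2, 1), alerts), alerts


def scenario_mitm_tamper():
    """Figure 17: the attacker rewrites the value in transit without the NORM key."""
    alerts = Alerts()
    msg = norm_reading("NORM-0001", 4.2, 2)
    tampered = json.loads(msg["payload"])
    tampered["kw"] = 0.1
    msg["payload"] = json.dumps(tampered, sort_keys=True).encode()
    return run_chain(msg, alerts), alerts


def scenario_valid_tag_implausible_value():
    """Defence in depth: a correctly tagged but implausible reading is caught by the DSOSMC."""
    alerts = Alerts()
    return run_chain(norm_reading("NORM-0001", 950.0, 3), alerts), alerts
```

Each scenario returns the DE-SMIS output (or None where a component blocked the message) together with the alert record, so a caller can see which component raised the alarm and that the meter identifier never leaves the DE-SMIS in clear.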


5. Conclusions

This deliverable has introduced the SUCCESS project and its approach to security monitoring of critical infrastructures, in particular the Smart Grid. The level of cyber-threat to ICT systems is increasing in all domains. Because automation is penetrating ever deeper into grids, especially distribution grids, it brings with it a corresponding increase in the use of ICT, and consequently the risk of cyber-attack is growing. SUCCESS's approach to addressing this danger has been motivated in this document. The security monitoring system architecture is meant to address both today's security needs and the technical developments foreseen for the coming decades. It has been described from the viewpoints of the utility, communications and security. The architecture is implemented by the SUCCESS Security Monitoring Solution, which will be tested in three field trials in the Irish, Italian and Romanian electricity grids.




7. List of Abbreviations

3GPP: 3rd Generation Partnership Project (standardisation body for cellular communication)
4G: 4th Generation Mobile Communication Network, a.k.a. LTE
5G: 5th Generation Mobile Communication Network
AAA: Authentication, Authorisation and Accounting
ADN: Active Distribution Network
AES: Advanced Encryption Standard
AH: Authentication Header
AMI: Advanced Metering Infrastructure
AMR: Automatic Meter Reading
API: Application Programming Interface
BMS: Building Management System
BR-GW: Breakout Gateway
CoAP: Constrained Application Protocol
COSEM: Companion Specification for Energy Metering
CPS: Cyber-Physical System
dB: decibel (measurement unit for signal)
DER: Distributed Energy Resources
DDoS: Distributed Denial of Service Attack
DE-SMIS: Distributed instance of the European Security Monitoring and Information System
DG: Distribution Grid
DG: Distributed Generation
DLMS: Device Language Message Specification
DSE: Domain Specific Enabler
DSO: Distribution System Operator
DSOSMC: DSO Security Monitoring Centre
DTLS: Datagram Transport Layer Security
DV: Double Virtualisation
E2E: End-to-end
EAS: European Awareness System
EC-GSM-IoT: Extended Coverage GSM for IoT
EM: Energy Management
eNodeB: Evolved Node B, radio base station in LTE and 5G networks
ENTSO-E: European Network of Transmission System Operators for Electricity
ESMC: Pan-European Security Monitoring Centre
E-SMIS: Central instance of the European Security Monitoring and Information System
ESP: Encapsulating Security Payload
EV: Electric Vehicle
GBA: Generic Bootstrapping Architecture
GDPR: General Data Protection Regulation
GE: Generic Enabler
GSM: Groupe Spécial Mobile, 2nd generation mobile communications system
GPRS: General Packet Radio Service, 2.5 generation mobile communications system
HLR: Home Location Register, node in a mobile network
HSS: Home Subscriber Server, node in a mobile network
HTTP: Hypertext Transfer Protocol
HV: High Voltage
ICT: Information and Communication Technology
IEC: International Electrotechnical Commission
IED: Intelligent Electronic Device
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IoT: Internet of Things
IPsec: Internet Protocol Security
LV: Low Voltage
LTE: Long-Term Evolution, 4th generation mobile communications system
MV: Medium Voltage
MTC: Machine-Type Communication
MQTT: Message Queue Telemetry Transport
NERC: North American Electric Reliability Corporation
NAC: Network Access Control
NAN: Neighbourhood Area Network
NFV: Network Function Virtualisation
NORM: New-generation Open Real-time Smart Meter
NB-IoT: Narrow-Band Internet of Things
OS: Operating System
PKI: Public Key Infrastructure
PV: Photovoltaic
PMU: Phasor Measurement Unit
PUF: Physically Unclonable Function
PTP: Precision Time Protocol
RBS: Radio Base Station
RES: Renewable Energy Sources
REST: Representational State Transfer
RSA: Rivest, Shamir and Adleman (asymmetric cryptographic algorithm)
RSC: Regional Security Coordinator
QoS: Quality of Service
SA: Security Association
SCADA: Supervisory Control and Data Acquisition
SIEM: Security Information/Event Management
SDN: Software Defined Networking
SHA: Secure Hash Algorithm
SM: Smart Meter
TEE: Trusted Execution Environment
TLS: Transport Layer Security
TPM: Trusted Platform Module
TSO: Transmission System Operator
UDP: User Datagram Protocol
UMP: Utility Management Platform
USM: Unbundled Smart Meter
UMTS: Universal Mobile Telecommunications System, 3rd generation mobile communications system
USIM: Universal Subscriber Identity Module
VPN: Virtual Private Network