Trustworthy Wide Area Measurement Systems

University of Illinois Urbana-Champaign • Information Trust Institute

Presented by: Himanshu Khurana, University of Illinois

ACM CCS 2009 Tutorial on Cyber Security for the Power Grid


Outline

• Wide area transmission systems
• August 2003 blackout
  – Analysis and recommendations
• North American SynchroPhasor Initiative (NASPI)
• NASPInet Wide Area Network
• Challenges: distributed networking, quality of service, cyber security


Background: Power Grid Control Center Networks and Applications

Control Communication Architecture

From a presentation by D. Whitehead, “Communication and Control in Power Systems”, tcip summer school, June, 2008


Background: Power Grid Control Center Networks and Applications

Control centers


Who’s in charge?

• Federal Energy Regulatory Commission (FERC)
• North American Electric Reliability Corp. (NERC)
• State legislatures
• Regional reliability councils
• ISOs and RTOs
• State commerce commissions
• Control area operators


NERC Regions


Balancing Authorities (Control Areas)


Current Control Strategy and Hierarchy

Control Strategy

• Centralized Control Center (Balancing Area)
  – Open loop control
  – Telemetry through SCADA
    • Polls data ~ 2 seconds
• Local control (Power plants, Substations)
  – Feedback control
  – Protection

Control Hierarchy

• Balancing Authorities (BAs)
  – Real-time generation, load and interchange balance
• Reliability Coordinators (RCs)
  – Wide area coordination and reliability


NERC Interconnections


Independent System Operators
Regional Transmission Operations


Major North American Blackouts

| Date | Location | Load Interrupted |
|---|---|---|
| November 9, 1965 | Northeast | 20,000 MW |
| July 13, 1977 | New York | 6,000 MW |
| December 22, 1982 | West Coast | 12,350 MW |
| January 17, 1994 | California | 7,500 MW |
| December 14, 1994 | Wyoming, Idaho | 9,336 MW |
| July 2, 1996 | Wyoming, Idaho | 11,743 MW |
| August 10, 1996 | Western Interconnection | 30,489 MW |
| June 25, 1998 | Midwest | 950 MW |
| August 14, 2003 | Northeast | 61,800 MW |


Blackout of August 14, 2003

Credit: Jeff Dagle


August 14, 2003 Blackout Investigation

• Phase I
  – Investigate the outage to determine its causes and why it was not contained
  – Interim report released November 19, 2003
• Phase II
  – Develop recommendations to reduce the possibility of future outages and minimize the scope of any that occur
  – Final report released April 5, 2004

Investigate the cascading electrical failure.
Review performance of plants and assess possibility of damage.
Determine if failures were caused with malicious intent.

Credit: Jeff Dagle


Blackout Root Causes

• Situational Awareness: lack of effective
  – contingency analysis capability
  – procedures to ensure operators were aware of the status of critical monitoring tools
  – procedures to test monitoring tools after repairs
  – monitoring tools after alarm system failed
• Vegetation management
• Reliability Coordinator Diagnostics
  – Lack of wide area visibility, monitoring, coordination


Select Blackout Report Recommendations

• Use better real-time tools for grid monitoring and operation

• Establish physical and cyber-security capabilities


Wide Area Situational Awareness

• A FERC/NIST Priority Area
  – Monitoring and display of power system components and performance across interconnections and wide geographic areas in real time
  – Enable understanding, optimized management, performance, prevent/respond to problem
• Other relevant priorities
  – Cyber Security: “Measures to ensure the confidentiality, integrity and availability of the electronic information communication systems, necessary for the management and protection of the Smart Grid’s energy, information technology, and telecommunications these infrastructures”
  – Network Communications: “Encompassing public and non-public networks, the Smart Grid will require implementation and maintenance of appropriate security and access controls tailored to the networking and communication requirements of different applications, actors and domains”


Wide Area Measurement System

• A Wide Area Measurement System (WAMS) is crucial for the Grid
• One very promising data source for WAMS: Synchrophasors
  – GPS clock synchronized; Fast data rate > 30 samples/sec
  – Phasor Measurement Unit (PMU)
• Future applications will rely on large number of PMUs envisioned across Grid (>100k)
• WAMS Design and Deployment underway: North American Synchrophasor Initiative (www.naspi.org)
  – Collaboration - DOE, NERC, Utilities, Vendors, Consultants and Researchers
  – NASPInet – distributed, wide-area network


PMUs and Synchrophasors

• Traditional SCADA data since the 1960’s
  – Voltage & Current Magnitudes
  – Frequency
  – Every 2-4 seconds
• Future data from Phasor Measurement Units (PMU’s)
  – Voltage & current phase angles
  – Rate of change of frequency
  – Time synchronized using GPS and 30 - 120 times per second


Why do Phase Angles Matter?

Wide-area visibility could have helped prevent August 14, 2003 Northeast blackout

Source: www.nerc.com

Angles are based on data from blackout analysis. Angle reference is Browns Ferry.


Why do Phase Angles Matter?

[Figure: Outaged Transmission Lines Around Gustav Island; map labels: Baton Rouge, New Orleans]

Entergy and Hurricane Gustav -- a separate electrical island formed on Sept 1, 2008, identified with phasor data

Island kept intact and resynchronized 33 hours later

Source: Entergy


Phasor Application Taxonomy


PMU Applications and Deployment

Source – Chakrabarti, Kyriakides, Bi, Cai and Terzija, “Measurements Get Together,” IEEE Power & Energy, January-February 2009


Source: NASPI


Current Architecture for PMU Data Sharing

[Figure labels: Secure Network; Apps]

Source: NASPI


Envisioned PMU Data Flow in NASPInet


Opportunities and Challenges

• Opportunities
  – Important applications emerging that require data sharing
    • Research into new applications needed
  – Smart Grid Investment Program to fund deployment of 800+ PMUs nation-wide
• Challenges in data sharing
  – Distributed network for data delivery
  – Tradeoffs between operational, regulatory and business aspects
• Challenges in realizing NASPInet
  – Distributed wide-area network design
  – Network management
  – Quality of Service and real-time delivery
  – Cyber security
  – Progress on these topics made in recently released NASPInet specification document (Quanta Technologies)


Wide Area Networking

Source: NASPInet Specification


Network Management

• Network management functions
  – Performance
  – Configuration
  – Accounting
  – Fault management
  – Security management

• Need for appropriate services in NASPInet and means to coordinate between organizations


Quality of Service

• QoS goals per data flow are to minimize latency, delay, jitter, loss, error

• Overall QoS goals are to support dedicated bandwidth, resource provisioning and allocation, avoiding and managing network congestion, shaping network traffic and managing priorities

• A suggested approach: class-based QoS


Cyber Security

• Authentication and Integrity
  – Essential to ensure reliable and trustworthy decisions
  – Tools: cryptographic protocols leveraging digital signatures, HMACs, etc.
  – Challenges: efficiency, supporting one-to-many data exchanges
• Availability
  – Essential due to the critical nature of underlying power system
  – Specific requirements may vary by application classes
  – Tools: redundancy, security monitoring, attack detection and response, fail-safe design
  – Challenges: scalability and cost-effective design
• Confidentiality
  – Needed to provide data privacy
  – Tools: encryption protocols, access control
  – Challenges: efficiency for streaming data, supporting one-to-many data exchanges


Cyber Security

• Key Management
  – Distribution and management of key material and credentials
  – Revocation
  – Tools: Public Key Infrastructure, on-line credential distribution/verification services
  – Challenges: scalability, trust establishment
• Monitoring and compliance
  – Intrusion detection and response services
  – Future regulations may apply; e.g., NERC CIP
  – Tools: IDS, firewalls, etc.
  – Challenges: multi-organization coordination


Authentication Protocols for Power Grid

• Authentication is a widely recognized problem for power grid.
  – Currently, there is a focus on developing authentication protocols; e.g., DNP3 Secure Authentication and IEC’s 62351-5.
• Designing security protocols is hard and error-prone
  – Literature has many examples of security protocols that were considered secure but were broken later

| Protocols | Attacks | Cause/Vulnerability |
|---|---|---|
| Authentication Protocol by Woo & Lam | Impersonation attacks | Lack of explicit names |
| STS by Diffie, Oorschot & Wiener | Impersonation attacks | Change in environmental conditions |
| Kerberos V4 by Steve & Clifford | Replay attacks | Incorrect use of timestamps |
| TMN by Tatebayashi, Matsuzaki, & Newman | Oracle attacks | Information flow |


Design Principles for Power Grid Cyber-Infrastructure Authentication Protocols

| Principle | Attacks Mitigated | Applicability to Power Grid Authentication Protocols |
|---|---|---|
| Explicit Names | Impersonation attacks. | Need for explicit names for each entity in power grid. |
| Unique Encoding | Interleaving and parsing ambiguity attacks. | Insufficiency of legacy protocols to build security on them due to no protocol identifiers in them. |
| Explicit Trust Assumptions | Prevents errors due to unclear or ambiguous trust assumptions | Need to clearly state all trusted entities in power grid protocols and the extent of trust in them. |
| Use of Timestamps | Prevents replay attacks. | Need for high granularity for time synchronization. |
| Protocol Boundaries | Prevents incorrect function of protocol in its environment. | Need for thorough analysis of the power grid environment. |
| Release of Secrets | Prevents blinding attacks and compromise of old keys. | Need to ensure that compromise of some remote devices should not compromise large number of keys. |
| Explicit Security Parameters | Prevents errors due to exceeding the limitations of cryptographic primitives. | Reduction in maintenance overhead by explicitly mentioning security parameters in remote devices. |
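Several of these principles applied to one authenticated measurement frame, as an added example that is not from the original slides. The protocol identifier, the node names used in the test (PMU-17, PDC-EAST), the pre-shared HMAC key and the 50 ms freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac

PROTO_ID = b"EXAMPLE-PMU-AUTH/1"  # hypothetical protocol identifier (unique encoding)
ALG_ID = b"HMAC-SHA256"           # security parameter stated explicitly in every frame
MAX_SKEW_US = 50_000              # assumed freshness window: 50 ms, in microseconds
TAG_LEN = 32

def encode_fields(fields):
    # Length-prefix each field so a byte string parses into fields in only one way.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def decode_fields(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        if i + 2 + n > len(blob):
            raise ValueError("truncated frame")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields

def seal(key, sender, receiver, ts_us, payload):
    # The tag covers protocol id, parameters, both entity names and the timestamp.
    body = encode_fields([PROTO_ID, ALG_ID, sender, receiver,
                          ts_us.to_bytes(8, "big"), payload])
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_frame(key, me, peer, now_us, frame, seen):
    # Returns the payload, or raises ValueError naming the check that failed.
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    fields = decode_fields(body)
    if len(fields) != 6 or fields[:2] != [PROTO_ID, ALG_ID] or len(fields[4]) != 8:
        raise ValueError("wrong protocol or parameters")
    sender, receiver, ts_us = fields[2], fields[3], int.from_bytes(fields[4], "big")
    if (sender, receiver) != (peer, me):      # explicit names
        raise ValueError("name mismatch")
    if abs(now_us - ts_us) > MAX_SKEW_US:     # timestamp freshness
        raise ValueError("stale timestamp")
    if (sender, ts_us) in seen:               # replay inside the window
        raise ValueError("replay")
    seen.add((sender, ts_us))
    return fields[5]
```

A receiver that runs for long periods would also prune `seen` entries once they age past the freshness window.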


Questions?