University of Illinois Urbana-Champaign • Information Trust Institute
Presented by: Himanshu Khurana, University of Illinois
ACM CCS 2009 Tutorial on Cyber Security for the Power Grid
Trustworthy Wide Area Measurement Systems
Outline
• Wide area transmission systems
• August 2003 blackout
  – Analysis and recommendations
• North American Synchrophasor Initiative (NASPI)
• NASPInet wide area network
• Challenges: distributed networking, quality of service, cyber security
Background: Power Grid Control Center Networks and Applications
Control Communication Architecture
From a presentation by D. Whitehead, “Communication and Control in Power Systems”, TCIP Summer School, June 2008
Background: Power Grid Control Center Networks and Applications
Control centers
Who’s in charge?
• Federal Energy Regulatory Commission (FERC)
• North American Electric Reliability Corp. (NERC)
• State legislatures
• Regional reliability councils
• ISOs and RTOs
• State commerce commissions
• Control area operators
NERC Regions
Balancing Authorities (Control Areas)
Current Control Strategy and Hierarchy
Control Strategy
• Centralized control center (balancing area)
  – Open loop control
  – Telemetry through SCADA; polls data every ~2 seconds
• Local control (power plants, substations)
  – Feedback control
  – Protection
Control Hierarchy
• Balancing Authorities (BAs)
  – Real-time generation, load and interchange balance
• Reliability Coordinators (RCs)
  – Wide area coordination and reliability
NERC Interconnections
Independent System Operators / Regional Transmission Organizations
Major North American Blackouts
Date Location Load Interrupted
November 9, 1965 Northeast 20,000 MW
July 13, 1977 New York 6,000 MW
December 22, 1982 West Coast 12,350 MW
January 17, 1994 California 7,500 MW
December 14, 1994 Wyoming, Idaho 9,336 MW
July 2, 1996 Wyoming, Idaho 11,743 MW
August 10, 1996 Western Interconnection 30,489 MW
June 25, 1998 Midwest 950 MW
August 14, 2003 Northeast 61,800 MW
Blackout of August 14, 2003
Credit: Jeff Dagle
August 14, 2003 Blackout Investigation
• Phase I
  – Investigate the outage to determine its causes and why it was not contained
  – Interim report released November 19, 2003
• Phase II
  – Develop recommendations to reduce the possibility of future outages and minimize the scope of any that occur
  – Final report released April 5, 2004
Investigation working groups (from figure):
• Investigate the cascading electrical failure.
• Review performance of plants and assess possibility of damage.
• Determine if failures were caused with malicious intent.
Credit: Jeff Dagle
Blackout Root Causes
• Situational awareness: lack of effective
  – contingency analysis capability
  – procedures to ensure operators were aware of the status of critical monitoring tools
  – procedures to test monitoring tools after repairs
  – monitoring tools after the alarm system failed
• Vegetation management
• Reliability Coordinator diagnostics
  – Lack of wide area visibility, monitoring and coordination
Select Blackout Report Recommendations
• Use better real-time tools for grid monitoring and operation
• Establish physical and cyber-security capabilities
Wide Area Situational Awareness
• A FERC/NIST priority area
  – Monitoring and display of power system components and performance across interconnections and wide geographic areas in real time
  – Enable understanding, optimized management and performance, and prevention of and response to problems
• Other relevant priorities
  – Cyber Security: “Measures to ensure the confidentiality, integrity and availability of the electronic information communication systems necessary for the management and protection of the Smart Grid’s energy, information technology, and telecommunications infrastructures”
  – Network Communications: “Encompassing public and non-public networks, the Smart Grid will require implementation and maintenance of appropriate security and access controls tailored to the networking and communication requirements of different applications, actors and domains”
Wide Area Measurement System
• A Wide Area Measurement System (WAMS) is crucial for the grid
• One very promising data source for WAMS: synchrophasors
  – GPS clock synchronized; fast data rate (> 30 samples/sec)
  – Produced by Phasor Measurement Units (PMUs)
• Future applications will rely on a large number of PMUs envisioned across the grid (> 100k)
• WAMS design and deployment underway: North American Synchrophasor Initiative (www.naspi.org)
  – Collaboration: DOE, NERC, utilities, vendors, consultants and researchers
  – NASPInet: distributed, wide-area network
PMUs and Synchrophasors
• Traditional SCADA data since the 1960s
  – Voltage and current magnitudes
  – Frequency
  – Every 2-4 seconds
• Future data from Phasor Measurement Units (PMUs)
  – Voltage and current phase angles
  – Rate of change of frequency
  – Time synchronized using GPS, reported 30-120 times per second
Why do Phase Angles Matter?
Wide-area visibility could have helped prevent August 14, 2003 Northeast blackout
Source: www.nerc.com. Angles are based on data from the blackout analysis. Angle reference is Browns Ferry.
Why do Phase Angles Matter?
[Figure: outaged transmission lines around the Gustav island; map labels: Baton Rouge, New Orleans]
Entergy and Hurricane Gustav: a separate electrical island formed on Sept 1, 2008, identified with phasor data
Island kept intact and resynchronized 33 hours later
Source: Entergy
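As an added illustration of why the phase angles on these two slides matter (this is not code from the tutorial or from Entergy or NERC): the script below takes constructed PMU angle streams at 30 reports per second, computes each bus's angle relative to a reference bus (the slide uses Browns Ferry as reference), and flags a bus whose relative angle keeps drifting. A steady relative angle means the bus is synchronous with the reference; a relative angle that advances at a constant rate means the bus runs at its own frequency, which is what a separated island looks like in phasor data. The reporting rate, the 1 s window, the slip threshold and the 59.8 Hz island frequency are assumptions made for the example.

```python
NOMINAL_HZ = 60.0
SAMPLE_RATE_HZ = 30.0   # assumed reporting rate of the constructed PMU streams


def wrap_degrees(a: float) -> float:
    """Map any angle to [-180, 180), the range a PMU reports."""
    return (a + 180.0) % 360.0 - 180.0


def unwrap_degrees(angles):
    """Undo the +/-180 wrap between consecutive samples so drift accumulates."""
    out = [angles[0]]
    for a in angles[1:]:
        out.append(out[-1] + wrap_degrees(a - out[-1]))
    return out


def relative_angle(bus, reference):
    """Angle of `bus` relative to `reference`, sample by sample, unwrapped."""
    return unwrap_degrees([wrap_degrees(b - r) for b, r in zip(bus, reference)])


def slip_frequency_hz(rel_angle_deg, sample_rate_hz):
    """Frequency difference implied by angle drift: 360 degrees of drift per second is 1 Hz."""
    if len(rel_angle_deg) < 2:
        return 0.0
    seconds = (len(rel_angle_deg) - 1) / sample_rate_hz
    return (rel_angle_deg[-1] - rel_angle_deg[0]) / 360.0 / seconds


def detect_island(bus, reference, sample_rate_hz=SAMPLE_RATE_HZ, window_s=1.0, slip_threshold_hz=0.05):
    """Return (islanded, slip_hz). A bus whose relative angle keeps drifting over the last
    `window_s` seconds is running at its own frequency. Window and threshold are illustrative."""
    n = int(window_s * sample_rate_hz)
    rel = relative_angle(bus[-n:], reference[-n:])
    slip = slip_frequency_hz(rel, sample_rate_hz)
    return abs(slip) > slip_threshold_hz, slip


def synth_angles(freq_hz, seconds, start_deg=0.0, sample_rate_hz=SAMPLE_RATE_HZ):
    """Constructed PMU angle stream for a bus running at `freq_hz`: the reported angle
    advances at 360*(f - 60) degrees per second against the nominal reference and wraps."""
    return [wrap_degrees(start_deg + 360.0 * (freq_hz - NOMINAL_HZ) * k / sample_rate_hz)
            for k in range(int(seconds * sample_rate_hz))]


def demo():
    """Two seconds of constructed data: a synchronous bus and an island running 0.2 Hz slow."""
    reference = synth_angles(60.0, 2.0)                   # reference bus
    connected = synth_angles(60.0, 2.0, start_deg=-15.0)  # synchronous bus, 15 degrees behind
    islanded = synth_angles(59.8, 2.0)                    # separated island at 59.8 Hz
    return {"connected": detect_island(connected, reference),
            "islanded": detect_island(islanded, reference)}


if __name__ == "__main__":
    for name, (flag, slip) in demo().items():
        print(f"{name}: islanded={flag} slip={slip:+.3f} Hz")
```

The unwrapping step is the part that is easy to get wrong: raw reported angles jump by 360 degrees when they cross +/-180, and differencing them without unwrapping produces spurious slip at every crossing. The same relative-angle trend, plotted over minutes rather than seconds, is what the blackout-analysis slide shows for the Northeast in 2003.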
Phasor Application Taxonomy
PMU Applications and Deployment
Source – Chakrabarti, Kyriakides, Bi, Cai and Terzija, “Measurements Get Together,” IEEE Power & Energy, January-February 2009
Source: NASPI
Current Architecture for PMU Data Sharing
[Figure: PMU data sharing architecture; labels: Secure Network, Apps]
Source: NASPI
Envisioned PMU Data Flow in NASPInet
Opportunities and Challenges
• Opportunities
  – Important applications emerging that require data sharing
    • Research into new applications needed
  – Smart Grid Investment Program to fund deployment of 800+ PMUs nation-wide
• Challenges in data sharing
  – Distributed network for data delivery
  – Tradeoffs between operational, regulatory and business aspects
• Challenges in realizing NASPInet
  – Distributed wide-area network design
  – Network management
  – Quality of Service and real-time delivery
  – Cyber security
  – Progress on these topics made in the recently released NASPInet specification document (Quanta Technologies)
Wide Area Networking
Source: NASPInet Specification
Network Management
• Network management functions
  – Performance
  – Configuration
  – Accounting
  – Fault management
  – Security management
• Need for appropriate services in NASPInet and means to coordinate between organizations
Quality of Service
• QoS goals per data flow: minimize latency, delay, jitter, loss and error
• Overall QoS goals: support dedicated bandwidth, resource provisioning and allocation, avoiding and managing network congestion, shaping network traffic and managing priorities
• A suggested approach: class-based QoS
Cyber Security
• Authentication and integrity
  – Essential to ensure reliable and trustworthy decisions
  – Tools: cryptographic protocols leveraging digital signatures, HMACs, etc.
  – Challenges: efficiency, supporting one-to-many data exchanges
• Availability
  – Essential due to the critical nature of the underlying power system
  – Specific requirements may vary by application class
  – Tools: redundancy, security monitoring, attack detection and response, fail-safe design
  – Challenges: scalability and cost-effective design
• Confidentiality
  – Needed to provide data privacy
  – Tools: encryption protocols, access control
  – Challenges: efficiency for streaming data, supporting one-to-many data exchanges
Cyber Security
• Key management
  – Distribution and management of key material and credentials
  – Revocation
  – Tools: Public Key Infrastructure, on-line credential distribution/verification services
  – Challenges: scalability, trust establishment
• Monitoring and compliance
  – Intrusion detection and response services
  – Future regulations may apply; e.g., NERC CIP
  – Tools: IDS, firewalls, etc.
  – Challenges: multi-organization coordination
Authentication Protocols for Power Grid
• Authentication is a widely recognized problem for the power grid.
  – Currently there is a focus on developing authentication protocols; e.g., DNP3 Secure Authentication and IEC 62351-5.
• Designing security protocols is hard and error-prone
  – The literature has many examples of security protocols that were considered secure but were broken later:
Protocol / Attacks / Cause or vulnerability
  – Authentication protocol by Woo & Lam: impersonation attacks; lack of explicit names
  – STS by Diffie, van Oorschot & Wiener: impersonation attacks; change in environmental conditions
  – Kerberos V4 by Miller & Neuman: replay attacks; incorrect use of timestamps
  – TMN by Tatebayashi, Matsuzaki & Newman: oracle attacks; information flow
Design Principles for Power Grid Cyber-Infrastructure Authentication Protocols
Principle / Attacks mitigated / Applicability to power grid authentication protocols
• Explicit names
  – Mitigates: impersonation attacks.
  – Applicability: need for explicit names for each entity in the power grid.
• Unique encoding
  – Mitigates: interleaving and parsing ambiguity attacks.
  – Applicability: legacy protocols are insufficient as a base to build security on, since they carry no protocol identifiers.
• Explicit trust assumptions
  – Mitigates: errors due to unclear or ambiguous trust assumptions.
  – Applicability: need to clearly state all trusted entities in power grid protocols and the extent of trust in them.
• Use of timestamps
  – Mitigates: replay attacks.
  – Applicability: need for high-granularity time synchronization.
• Protocol boundaries
  – Mitigates: incorrect function of the protocol in its environment.
  – Applicability: need for thorough analysis of the power grid environment.
• Release of secrets
  – Mitigates: blinding attacks and compromise of old keys.
  – Applicability: need to ensure that compromise of some remote devices does not compromise a large number of keys.
• Explicit security parameters
  – Mitigates: errors due to exceeding the limitations of cryptographic primitives.
  – Applicability: reduction in maintenance overhead by explicitly stating security parameters in remote devices.
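The authentication and integrity tools listed under Cyber Security above (HMACs, key management with per-device keys) and the design principles in this table can be seen together in one added example. It is not code from the tutorial, from NASPInet or from any standard: it defines a hypothetical authenticated PMU-to-concentrator frame (protocol identifier "NPN1", an assumed name) with explicit sender and receiver names, length-prefixed fields, a GPS timestamp and sequence number checked for freshness and replay, the MAC algorithm and tag length fixed as explicit security parameters, and per-device keys derived from a concentrator master key so that a compromised PMU releases only its own key. Device names, the freshness window, the master key and the sample values are constructed for the example; a deployment would provision keys through the PKI described on the key management slide.

```python
import hashlib
import hmac
import struct

PROTOCOL_ID = b"NPN1"      # hypothetical protocol identifier and version (unique encoding)
TAG_ALG = hashlib.sha256   # explicit security parameters: MAC algorithm and tag length
TAG_LEN = 32
FRESHNESS_US = 500_000     # illustrative window: accept frames within +/-0.5 s of local GPS time


def derive_device_key(master_key: bytes, device_name: str) -> bytes:
    """Per-device key bound to the device's explicit name. A PMU holds only its own
    key, so compromise of one remote device does not release the other devices' keys."""
    return hmac.new(master_key, b"pmu-auth-key|" + device_name.encode(), hashlib.sha256).digest()


def _lv(field: bytes) -> bytes:
    """Length-prefixed field, so every frame parses one way only."""
    return struct.pack(">H", len(field)) + field


def sign_frame(key, sender, receiver, timestamp_us, seq, payload):
    """Encode protocol id, sender, receiver, GPS timestamp, sequence number and payload,
    then append an HMAC tag computed over the whole body (names and time included)."""
    body = (PROTOCOL_ID + _lv(sender.encode()) + _lv(receiver.encode())
            + struct.pack(">QI", timestamp_us, seq) + _lv(payload))
    return body + hmac.new(key, body, TAG_ALG).digest()


def parse_frame(frame: bytes) -> dict:
    """Split a frame into fields without checking the tag; raises ValueError if malformed."""
    if len(frame) < len(PROTOCOL_ID) + TAG_LEN or not frame.startswith(PROTOCOL_ID):
        raise ValueError("not an NPN1 frame")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    pos = len(PROTOCOL_ID)

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(body):
            raise ValueError("truncated frame")
        values = struct.unpack_from(fmt, body, pos)
        pos += size
        return values

    def take_lv():
        (n,) = take(">H")
        return take(f">{n}s")[0]

    sender, receiver = take_lv().decode(), take_lv().decode()
    timestamp_us, seq = take(">QI")
    payload = take_lv()
    if pos != len(body):
        raise ValueError("trailing bytes")
    return {"sender": sender, "receiver": receiver, "timestamp_us": timestamp_us,
            "seq": seq, "payload": payload, "body": body, "tag": tag}


class Concentrator:
    """Receiving side (a phasor data concentrator) that knows its registered PMUs by name."""

    def __init__(self, name, master_key, registered_pmus):
        self.name = name
        self.keys = {pmu: derive_device_key(master_key, pmu) for pmu in registered_pmus}
        self.last_seq = {}  # sender -> highest accepted sequence number

    def verify(self, frame, now_us):
        """Return (accepted, payload or reason). Order: well-formed, known sender, valid tag,
        addressed to us, fresh GPS timestamp, strictly increasing sequence number."""
        try:
            f = parse_frame(frame)
        except ValueError as e:
            return False, f"malformed: {e}"
        key = self.keys.get(f["sender"])
        if key is None:
            return False, "unknown sender"
        if not hmac.compare_digest(hmac.new(key, f["body"], TAG_ALG).digest(), f["tag"]):
            return False, "bad tag"
        if f["receiver"] != self.name:
            return False, "addressed to another party"
        if abs(now_us - f["timestamp_us"]) > FRESHNESS_US:
            return False, "stale or future timestamp"
        if f["seq"] <= self.last_seq.get(f["sender"], -1):
            return False, "replayed sequence number"
        self.last_seq[f["sender"]] = f["seq"]
        return True, f["payload"]


def demo():
    """Constructed exchange between PMU-17 and PDC-A; returns the outcome for each frame."""
    master = bytes(range(32))        # constructed master key; a deployment provisions this via the PKI
    pdc = Concentrator("PDC-A", master, ["PMU-17", "PMU-42"])
    key17 = derive_device_key(master, "PMU-17")
    now = 1_700_000_000_000_000      # microseconds since the epoch, constructed
    sample = struct.pack(">ff", 0.98, -12.5)   # constructed phasor: magnitude (p.u.), angle (degrees)
    good = sign_frame(key17, "PMU-17", "PDC-A", now, 1, sample)
    tampered = good[:-TAG_LEN - 4] + struct.pack(">f", 30.0) + good[-TAG_LEN:]  # angle rewritten, tag kept
    reflected = sign_frame(key17, "PMU-17", "PDC-B", now, 2, sample)             # valid tag, wrong receiver
    stale = sign_frame(key17, "PMU-17", "PDC-A", now - 5_000_000, 3, sample)     # 5 s old
    return {"genuine": pdc.verify(good, now),
            "replay": pdc.verify(good, now + 100),
            "tampered": pdc.verify(tampered, now),
            "reflected": pdc.verify(reflected, now),
            "stale": pdc.verify(stale, now)}
```

Two design points worth noting. The tag covers the receiver name, so a frame meant for PDC-B cannot be reflected to PDC-A even with a valid tag (explicit names), and the timestamp check relies on the receiver having the same GPS time as the PMU, which is exactly the high-granularity synchronization the table calls for; a replay within the freshness window is still caught by the per-sender sequence number. A symmetric HMAC as used here suits one-to-one PMU-to-concentrator links; the one-to-many redistribution the Cyber Security slide mentions would need signatures or a separate key per subscriber, since any holder of the HMAC key can forge frames.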