Architecting the smart grid for security

by David Kleidermacher, CTO, Green Hills Software Inc., TechOnline India - April 20, 2011

The key point is that security against the sophisticated smart grid attack threats cannot be effectively retrofitted; we must design the smart grid for high robustness from the start.

The smart grid is an important, emerging source of embedded systems with critical security requirements. One obvious concern is financial: for example, attackers could manipulate metering information and subvert control commands to redirect consumer power rebates to false accounts. The larger concern is that smart grids add remote connectivity, from millions of homes, to the back-end systems that control power generation and distribution. The ability to affect power distribution has obvious safety ramifications, and the potential to affect a large population increases the attractiveness of the target.

These back-end systems are protected by the same security technologies (firewalls, network access authentication, intrusion detection and prevention systems) that today defend banks and governments against Internet-borne attacks. Successful intrusions into those systems are a daily occurrence. The smart grid, if not architected properly for security, may provide hostile nation states and cyber terrorists with an attack path from the comfort of their living rooms. Every embedded system on this path, from the smart appliance to the smart meter to the network concentrators, must be secure.

The good news is that utilities and their suppliers are still early in the development of security strategy and network architectures for smart grids; a golden opportunity now exists to build security in from the start.

Sophisticated attackers

The increasing reliance on embedded systems in commerce, critical infrastructure, and life-critical functions makes them attractive to attackers. Embedded industrial control systems managing nuclear facilities, oil refineries, and other critical infrastructure present the opportunity for widespread damage. To get an idea of the kinds of sophisticated attacks we can expect on the smart grid, look no further than the recent Stuxnet attack on nuclear enrichment infrastructure.

Stuxnet infiltrated Siemens process control systems in Iran's uranium enrichment program by first subverting the Microsoft Windows workstations that operators use to configure and monitor the embedded control electronics (Figure 1).

The Stuxnet worm is likely the first malware to directly target embedded process control systems, and it illustrates the damage potential of attacks on critical infrastructure, the smart grid included.

Figure 1 - Stuxnet infiltration of critical power control system via operator PC

Much of the security community discussion about Stuxnet has been speculation about the attacker's identity and motive, as well as about the unprecedented level of attack sophistication, which includes clever rootkit construction and the use of no fewer than four zero-day Windows vulnerabilities. Those Windows exploits gave Stuxnet a foothold and elevated privilege on the engineering workstations; from there it hooked the Siemens Step 7 programming software's communication path to the PLC and loaded its own code onto the controller itself, implying that the attackers had intimate knowledge of its embedded software and hardware.

Stuxnet demonstrates the need for improved security skills within the embedded development community, but it also shows that critical infrastructure requires a higher level of assurance than standard commercial IT practice provides.

Stuxnet also exposes the interdependence between embedded systems and IT systems: SCADA networks are controlled from common PCs. In response to Stuxnet, General Keith B. Alexander, commander of U.S. Cyber Command, recommended in September 2010 the creation of an isolated network for critical infrastructure, including the power grid.

This may sound like a heavy-handed approach, but it is precisely how many governments protect their most sensitive, compartmentalized classified networks. Physical isolation introduces some inefficiency, which can be ameliorated with high assurance access solutions that enable a single client computer to securely access multiple isolated virtual desktops and back-end networks. Such access control systems use current Windows or Linux human-machine interfaces but do not depend on Windows or Linux for their security: the isolation is enforced beneath the guest operating systems, so a compromise of one desktop does not reach the other networks.

The recent tragedy at Japan's nuclear power plants, while not the product of any human malice, paints a grim picture of the potential impact of a successful cyber attack on critical infrastructure. These systems are controlled by common computers and networks that have proven enticing and assailable to well-funded attackers.

The key point is that security against sophisticated smart grid attack threats cannot be effectively retrofitted; we must design the smart grid for high robustness from the start. Green Hills Software, the only organization to have achieved a high robustness (Common Criteria EAL 6+) software security certification, is actively working with a number of other leading cyber security organizations, across the industrial, government, and academic communities, on a high assurance smart grid security architecture. The architecture addresses hardware and systems software partitioning and management strategies, cryptographic systems and key management, and scalability from battery-powered devices up to high-end network concentrators and back-office servers.
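The metering threat raised at the start of the article (an attacker manipulating readings or replaying control traffic) and the "cryptographic systems and key management" item in the architecture above come together in one concrete mechanism: each meter authenticates its readings with a key that only it and the head end hold. The following is an added example written for this edit; it is not code from the article or from the Green Hills architecture, and its message format, the single-step key derivation from a head-end master key, the 128-bit truncated tag, and the constructed sample key are all assumptions made for illustration.

```python
"""Authenticated smart-meter readings: per-meter keys, integrity tag, replay check.

Added illustration, not the article's or any vendor's code.  Assumptions:
fixed-width wire format, per-meter key = HMAC(master, meter_id) (a simplified
stand-in for a standard KDF such as HKDF), and a 16-byte truncated HMAC tag.
"""
import hmac
import hashlib
import struct

TAG_LEN = 16  # 128-bit truncated HMAC-SHA256 tag (assumed small enough for a constrained link)


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Derive a per-meter key from the head end's master key.

    The master key never leaves the head end; each meter is provisioned with
    only its own derived key, so compromising one meter exposes no others.
    """
    return hmac.new(master_key, b"meter-auth-v1|" + meter_id.encode(), hashlib.sha256).digest()


def _canonical(meter_id: str, counter: int, kwh: int) -> bytes:
    # Fixed-width, unambiguous encoding: the tag covers exactly the bytes the
    # head end will interpret, so there is no parser ambiguity to exploit.
    mid = meter_id.encode()
    return struct.pack(">H", len(mid)) + mid + struct.pack(">QQ", counter, kwh)


def build_reading(meter_key: bytes, meter_id: str, counter: int, kwh: int) -> bytes:
    """Meter side: emit body || tag, where counter is strictly increasing per meter."""
    body = _canonical(meter_id, counter, kwh)
    tag = hmac.new(meter_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def parse_reading(msg: bytes):
    """Split a wire message into (meter_id, counter, kwh, body, tag); ValueError if malformed."""
    if len(msg) < 2:
        raise ValueError("short message")
    (mlen,) = struct.unpack(">H", msg[:2])
    end = 2 + mlen
    if len(msg) != end + 16 + TAG_LEN:
        raise ValueError("bad length")
    meter_id = msg[2:end].decode()
    counter, kwh = struct.unpack(">QQ", msg[end:end + 16])
    return meter_id, counter, kwh, msg[:end + 16], msg[end + 16:]


class HeadEnd:
    """Back-office verifier: holds the master key and the last counter seen per meter."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._last_counter = {}

    def accept(self, msg: bytes):
        """Return (accepted, reason).  A reading is trusted only after both checks pass."""
        try:
            meter_id, counter, kwh, body, tag = parse_reading(msg)
        except (ValueError, UnicodeDecodeError) as e:
            return False, f"malformed: {e}"
        key = derive_meter_key(self._master, meter_id)
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False, "bad tag"                   # tampered in transit or forged
        if counter <= self._last_counter.get(meter_id, -1):
            return False, "replay"                    # an old, genuine message re-sent
        self._last_counter[meter_id] = counter
        return True, f"{meter_id}: counter={counter} kwh={kwh}"


def demo():
    """Genuine, tampered, replayed and next-genuine readings; returns the accept flags."""
    master = bytes.fromhex("00" * 32)   # constructed test key, not a real one
    meter = "M-0042"
    k = derive_meter_key(master, meter)
    head = HeadEnd(master)
    msg = build_reading(k, meter, counter=1, kwh=1234)
    results = [head.accept(msg)[0]]                     # genuine reading
    # On-path attacker rewrites the kWh field (the 8 bytes just before the tag)
    tampered = msg[:-TAG_LEN - 8] + struct.pack(">Q", 12) + msg[-TAG_LEN:]
    results.append(head.accept(tampered)[0])
    results.append(head.accept(msg)[0])                 # replay of the genuine reading
    results.append(head.accept(build_reading(k, meter, counter=2, kwh=1240))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately ordered: the tag is verified before the counter is consulted, so an unauthenticated packet can never advance a meter's replay window. On a battery-powered meter the cost is one HMAC-SHA256 per reading and a few bytes of state, which is why the scheme scales down to the constrained end of the architecture described above; what it does not provide is confidentiality, which would need a separate encryption key.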


About the author:

David Kleidermacher is Chief Technology Officer at Green Hills Software where he is responsible for technology strategy, platform planning, and solutions design.

Kleidermacher is a leading authority in systems software and security, including secure operating systems, virtualization technology, and the application of high robustness security engineering principles to solve computing infrastructure problems.

Kleidermacher earned his bachelor of science in computer science from Cornell University and has been with Green Hills Software since 1991.
