Lecture 6 - Securing The Smart Grid

This document discusses security models for smart grids, including the NISTIR 7628 framework and IEEE 2030 and ISA-62443 standards. It describes how these models define zones and conduits in smart grid systems and the importance of securing each zone and conduit. The challenges of applying these models in integrated smart grid devices are also covered.

Smart Grids and Control System Security
INSE 6640 – Securing the Smart Grid
(Lecture 6)

Prof. Walter Lucia


Lecture Outline

Security Models for the Smart Grid
• NISTIR 7628: Recap
• IEEE 2030-2011 power system, communication technology, and information technology reference diagrams
• ISA-62443 (also known as ISA-SP99): zones and conduits in Smart Grids

Mapping security requirements to Smart Grid environments
• Securing the zones
• Securing the conduits

Securing the supply chain

Moodle Timed Exams – Sample Questions


Recap Previous Lectures
NISTIR 7628 – Steps for Developing Smart Grid Cybersecurity

Other Security Models and Existing Standards

IEEE 2030-2011
IEEE 2030 reference model
• IEEE 2030 models the Smart Grid, the various actors and influencers, and the interconnections between systems.
• IEEE 2030's primary concern is interoperability rather than security; therefore the mapping it provides is slightly less comprehensive than NISTIR 7628's.
• IEEE 2030 considers the following actors (“domains” in NISTIR 7628): bulk generation, transmission, distribution, customer, service provider, control and operations, and markets.
• Actors/domains are grouped into 3 main categories: power & energy, communication, and information technology.
IEEE 2030® Grid Framework
• Power & Energy: Defines the numerous data flows necessary for reliable, secure, bi-directional flow of power and energy.
• Communications: Identifies the communications infrastructure necessary for the smart grid, from high-speed synchrophasor data to meter and customer notification systems.
• Information Technology (IT): Defines the system-to-system communications requirements and data flow needed to leverage individual systems into a system of systems.
ISA-62443 (also known as ISA99): zones and conduits in Smart Grids

https://www.isa.org/intech/201810standards/
https://www.isa.org/isa99/
ISA 99 intent and ISA/IEC 62443
• The International Society of Automation (ISA) committee 99 originally developed a road map for the creation of a series of standards and guidelines for the security of industrial automation and control systems.
• Prior to the final ratification of most of the documents within the series, the designation was officially changed to ISA/IEC-62443.
ISA/IEC 62443 relevance
• Industrial automation is extensively used in the Smart Grid; therefore
this standard is very relevant!
• ISA-62443 security recommendations are based upon the physical
and logical separation of the systems that need to be protected.
• The standard applies the important “zone and conduit” model to
identify which systems by necessity or functions work as a group
(zones) and how they should be separated from other groups by
means of proper interfaces (conduits).

ISA/IEC 62443: reference model for multi-plant zone separation
• This model isolates functional groups and provides a single, controllable connection path between them.
• It may be necessary to further subdivide a zone into multiple “subzones”, which allow further segmentation of assets based on common criteria (not shown in the figure).
• ISA-62443 considers that the first allocation of zones could be based on the physical grouping of assets. Next, additional subzones can be created for a logical grouping of assets in order to apply a specific set of security requirements to these assets based on the desired level of protection. Why?
Importance of subzones
• Example: the same types of security controls cannot be applied to:
• Embedded devices (PLCs, RTUs, IEDs)
• Windows-based devices (servers, HMIs).
• It is natural to provide compensating security measures based on the
subzone’s characteristics (which are shared amongst all the members in the
subzone).
• In Windows-based asset subzones, application control technologies may be used to mitigate the risk of malware.
• In embedded device subzones we may focus more on deep packet inspection technology to limit malicious commands from reaching these assets.
• ISA-62443 focuses on the importance of separating assets by level of criticality. It prevents attackers from breaching less important (and presumably less secured) systems and then pivoting from those systems to more important targets.
Challenge of zones and conduits model (1/2)
• In many Smart Grid deployments, functionality that should exist in
different dedicated assets may be integrated into just one device:
• E.g. measurement systems, controllers, gateways may be integrated into a
single physical asset.
• A substation gateway provides remote connectivity, substation and field
services, automation control, protocol translation and measurements.
• These types of multi-function devices are common due to the various
economic benefits, but they present a challenge to the zone/conduit
model.
• Highly integrated devices must be very carefully deployed and
managed to ensure that the proper degree of separation is
accomplished.
Challenge of zones and conduits model (2/2)
• Some systems are separated physically, while some are separated logically.
• Where possible, separate systems into zones and carefully control the connections (conduits) between them.
• Knowing that pure separation may not be obtainable, introduce as many additional security measures as possible in order to ensure:
• devices are secure from malware
• applications are being used as intended
• data aren’t manipulated
Assets within Conduits (1/4)

• Assets are not only in the zones but also in the conduits!
• The conduits between zones can contain multiple communication
“channels” that represent the actual data.
• The channels for ISA-62443 are also assets and all channels within a
conduit should share the same security level (or requirements)

Assets within Conduits (4/4)
• The intent is to identify and protect each conduit based on its relative security requirements (see e.g. the specifications in the NISTIR model).
• Some conduits may require simple site-to-site encryption and authentication, while others may require additional security such as content inspection and threat management.
• The reference model selectively implements security measures in the conduits interconnecting zones. The same security measures apply to all the channels within a conduit.
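As an added example (not part of the lecture slides), the validator below encodes three rules from the zone/conduit slides above: an asset that appears in more than one zone (the integrated multi-function device challenge), a conduit whose channels do not share one security level, and an inter-zone flow that bypasses every declared conduit (an unintentional “backdoor”). The zone names, assets, flows and the 1–4 security-level scale are constructed sample data, not ISA-62443 values.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Zone:
    name: str
    assets: Set[str]                 # assets grouped by function or location


@dataclass
class Conduit:
    name: str
    zones: Tuple[str, str]           # the two zones this conduit interconnects
    channels: Dict[str, int]         # channel -> security level (constructed 1..4 scale)


def zones_of(zones: List[Zone], asset: str) -> List[str]:
    return [z.name for z in zones if asset in z.assets]


def validate_model(zones: List[Zone], conduits: List[Conduit],
                   flows: List[Tuple[str, str]]) -> List[str]:
    """Return findings that violate the zone/conduit rules stated in the lecture."""
    findings = []
    # 1. An asset listed in more than one zone is an integrated device that must
    #    enforce the zone separation internally, so flag it for review.
    for asset in sorted(set().union(*(z.assets for z in zones))):
        homes = zones_of(zones, asset)
        if len(homes) > 1:
            findings.append(f"asset {asset} spans zones {homes}; separation must be enforced inside the device")
    # 2. All channels inside one conduit are assets that share one security level.
    for c in conduits:
        levels = sorted(set(c.channels.values()))
        if len(levels) > 1:
            findings.append(f"conduit {c.name} mixes channel security levels {levels}")
    # 3. Every inter-zone flow must travel through a declared conduit; anything else
    #    is extraneous connectivity through which protections can be circumvented.
    declared = {frozenset(c.zones) for c in conduits}
    for src, dst in flows:
        s, d = zones_of(zones, src), zones_of(zones, dst)
        if not s or not d:
            findings.append(f"flow {src}->{dst} involves an asset assigned to no zone")
        elif s[0] != d[0] and frozenset((s[0], d[0])) not in declared:
            findings.append(f"flow {src}->{dst} crosses {s[0]}/{d[0]} with no declared conduit")
    return findings


# Constructed sample model: three zones, one declared conduit, a few flows.
ZONES = [
    Zone("field", {"rtu1", "ied1", "gateway1"}),
    Zone("control", {"scada1", "historian1", "gateway1"}),   # gateway1 also acts in the field zone
    Zone("service", {"billing1"}),
]
CONDUITS = [Conduit("field-control", ("field", "control"), {"dnp3": 3, "ntp": 1})]
FLOWS = [("rtu1", "scada1"), ("ied1", "gateway1"), ("historian1", "billing1")]

if __name__ == "__main__":
    for finding in validate_model(ZONES, CONDUITS, FLOWS):
        print("-", finding)
```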

Assets within Conduits (3/4)

Why do we not just implement everything at the highest security level?

The problem is that with increased security and complexity also comes increased cost, in terms of both equipment and maintenance/support costs!
Siemens was the first company certified IEC 62443 in August 2016

• Siemens was the first company worldwide to receive IEC 62443 automation cybersecurity certification. The secure substation framework from Siemens was certified to IEC 62443-2-4 (requirements for system integrators) and IEC 62443-3-3 (requirements for the security functions of systems).

Siemens page: https://new.siemens.com/global/en/company/topic-areas/future-of-manufacturing/industrial-security/certification-standards.html
Mapping security requirements to Smart Grid
environments

How can we now implement specific countermeasures?

Security controls within Smart Grid: objectives

• While no one product or technology is certain to stop all attacks, the objective is to minimize the risk of a successful cyber-attack.
• We would like to create a system consisting of multiple layers of protection that enables the architecture to remain resilient even when a small number of security defenses are violated, creating a sort of fault-tolerant security environment.

Securing zones and conduits in the Smart Grid
• There are several methods of securing a device or endpoint against a cyber attack. Common technology-based methods are:
• Access control/data access control.
• Antivirus.
• Change control or configuration control.
• Database security, endpoint encryption.
• Host data loss prevention (DLP); host firewall.
• Host intrusion detection systems/host intrusion prevention systems (HIDS/HIPS).
• System hardening.
• Secure Control Systems? <-------- what does this mean? (Lectures 8-11)
• In the Smart Grid, we can define a reference model based on a simplified zones and conduits scheme. For each zone and conduit, we can describe the security measures that can be implemented.
Securing the Zones

Simplified Smart Grid: Zones
Field Zones Protection
Field Zone Protection (1/3)

• Field devices are often embedded systems designed around low cost and low power consumption.
• If security measures need to be implemented, they need to consume less memory and fewer CPU resources than what we have in traditional IT systems.
• The Smart Grid owner or operator will typically be unable to alter these devices.
• The device manufacturer must take care of device security.
Field Zone Protection (2/3)

• Many commercially available technologies are significant and applicable to field device protection.
• Application whitelisting is one of the most popular software security solutions for embedded devices:
• Unlike blacklist technology, which defines a rapidly growing list of what is bad, whitelisting defines a finite list of known good applications and blocks everything else.
• “Applications” here refers to executables, including DLLs and other system functions, making it extremely difficult for malware to circumvent.
• In an embedded system, the whitelist rarely changes, eliminating the need to update the security profile on the embedded device.
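An added illustration (not from the lecture or any product) of why the two models behave differently on an embedded device: both decision functions below check SHA-256 hashes of executables and libraries in a constructed temporary “device filesystem”. The blocklist only stops samples its signature set already knows, while the fixed allowlist manifest stops the unknown binary and a tampered library without any update. File names and contents are constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def blocklist_decision(path: str, known_bad: set) -> str:
    """Blacklist model: deny only images already known to be bad; anything unknown runs."""
    return "deny" if sha256_file(path) in known_bad else "allow"


def allowlist_decision(path: str, manifest: dict) -> str:
    """Whitelist model: run only an image whose name and hash match the finite manifest."""
    expected = manifest.get(os.path.basename(path))
    return "allow" if expected is not None and expected == sha256_file(path) else "deny"


def build_demo_device():
    """Create a constructed 'device filesystem': two legitimate images and one unknown binary."""
    root = tempfile.mkdtemp()
    images = {"rtu_ctrl": b"RTU control application (constructed)",
              "protocol.dll": b"shared protocol library (constructed)",
              "dropper.exe": b"never-before-seen malicious binary (constructed)"}
    for name, content in images.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    # The manifest is fixed at commissioning time: executables AND libraries, nothing else.
    manifest = {n: sha256_file(os.path.join(root, n)) for n in ("rtu_ctrl", "protocol.dll")}
    # The signature database knows one old sample but not the new dropper.
    known_bad = {hashlib.sha256(b"old worm sample (constructed)").hexdigest()}
    return root, manifest, known_bad


def compare_models() -> dict:
    root, manifest, known_bad = build_demo_device()
    results = {}
    for name in ("rtu_ctrl", "protocol.dll", "dropper.exe"):
        path = os.path.join(root, name)
        results[name] = (blocklist_decision(path, known_bad), allowlist_decision(path, manifest))
    # Tamper with the library in place: its hash no longer matches the manifest.
    lib = os.path.join(root, "protocol.dll")
    with open(lib, "ab") as f:
        f.write(b" + injected code (constructed)")
    results["protocol.dll (modified)"] = (blocklist_decision(lib, known_bad),
                                          allowlist_decision(lib, manifest))
    return results


if __name__ == "__main__":
    for image, (blocklist, allowlist) in compare_models().items():
        print(f"{image:24s} blocklist={blocklist:5s} allowlist={allowlist}")
```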
Field Zone Protection (3/3)

• However, it is important to remember that there are exceptions to all rules: some systems in the field may run on standard computing platforms using commercial operating systems.
Control Zones Protection
Control Zone Protection (1/3)
• As we move from the field to the substations, more sophisticated devices are used:
• SCADA servers
• Measurement and data management servers
• AMI headend, and similar server-based systems
• On these devices any security control can theoretically be installed.
Control Zone Protection (2/3)
• Application whitelisting solves the patching and resource problems associated with traditional antivirus and is therefore recommended on all systems.
• Antivirus is useful as well. If whitelisting technology is used, then antivirus scans should never detect malware.
• Full system hardening: it removes all unnecessary applications and services from the host (see e.g. gateway). Separation of services is recommended to prevent cross-contamination if the system becomes compromised.
Control Zone Protection (3/3)
• Host IDS or host IPS is also recommended, even if signature-based host detection may still be challenging due to the same patching challenges that antivirus faces.
• Host data loss prevention (DLP) enables sensitive data to be tagged and monitored, so that attempts to extract these data can be alerted on and/or blocked.
• Event logging: this is not a security control per se, but any information from system utilization, network activity, security events, authentication activities, etc. can be used by a centralized system, e.g. a security information and event management (SIEM) system, for global analysis.
Service Zones and Back Office Systems Protection
Service zone protection and back-office systems
• As we get closer to the centralized SCADA systems, back-office systems, and billing systems, the capabilities of the servers increase, as does the value of the data created by (or utilized by) these systems.
• The same security countermeasures apply; however, there is an increased reliance upon the integrity of data and less on availability, since we are moving away from real-time control to more transaction-based information.
• The increased volume of information requires supporting database(s) to store and manage data. It is important to consider data integrity and information assurance tools, including database security solutions, database auditing, and data loss prevention tools, in these areas.
Recap: Zones Protection
Securing the Conduits
Conduits and Wires
• Ideally, we would like to have only 1 physical conduit that contains the necessary communication paths (wires).
• In this way, the conduit can be easily demarcated with a security gateway (a VPN, firewall, intrusion detection system, etc.).
Conduits and Wires: difficulties (1/2)
• In a system as complex as a Smart Grid, there are so many interconnected systems that the “perimeter” is blurred, making network security a much greater challenge (multiple conduits and multiple wires).
• Managing and controlling multiple conduits and multiple wires can be extremely difficult.
• Any extra connectivity (any extraneous interfaces, ports or services) should be eliminated so that
• legitimate connections can be sufficiently protected,
• protection systems cannot be circumvented via an unintentional “backdoor.”
Conduits and Wires: difficulties (2/2)

• There is a need for strong network security between critical systems, including encryption and authentication.
• However, only a small subset of the substation, control room, data center, and field devices support this natively.
• Commercially available TLS isn’t always the best solution, because the added overhead may interfere with real-time communication.
• TLS is needed to fully comply with IEC 62351 standard requirements.
Compromise: risk vs visibility

• The process of encryption can also put blinders on security monitoring and situational awareness tools. The solution, therefore, lies in careful compromises and in compensatory measures.

If traffic is encrypted in transit, make sure that the traffic can still be monitored at both ends <------ Why?
Compromise: risk vs visibility

If traffic is encrypted in transit, make sure that the traffic can still be monitored at both ends

• This will prevent a compromised device from gaining free rein to transmit exploits and malware across a connection that is “invisible” to security communication monitoring tools.
Compensating Network Security
Compensating Network security (1/3)

• Compensating network security controls include devices/technologies to prevent unauthorized network connections:
• firewalls, intrusion detection and prevention systems, network access control systems, and similar devices.
Compensating Network security (2/3)

• Monitoring and inspection technology:
• Industrial protocol filters monitor industrial protocols and are capable of filtering traffic based upon the protocol being used and on the content of the protocol
• i.e. allow DNP3 “read” commands, disallow DNP3 “writes”.
• Intrusion detection systems perform deep packet inspection (DPI) on network traffic and check it against a defined set of exploit or vulnerability signatures (a “rule set”). An IDS is a passive device: it will only alert when a signature match is detected.
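The read-only DNP3 conduit policy described above, as an added example that is not from the lecture or any vendor product: it parses the DNP3 link header and the CRC-protected user-data blocks to reach the application function code, forwards only the function codes on the conduit's allow list (READ), and drops writes, control operations and malformed frames. The sample frames are constructed with the helper in the block (the CRC-16/DNP parameters and function-code names are the standard ones); the policy set and addresses are assumptions.

```python
# DNP3 link frame: 0x05 0x64 | LEN | CTRL | DEST (2, LE) | SRC (2, LE) | CRC (2, LE), then user data
# in blocks of up to 16 bytes, each closed by its own CRC. User data starts with the transport
# header, then the application control byte, then the application function code.
READ_FUNCTIONS = {0x01: "READ"}
CONTROL_FUNCTIONS = {0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
                     0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
                     0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART"}

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), zero init, complemented result."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_request(function_code: int, dest: int, src: int, seq: int = 0) -> bytes:
    """Constructed minimal master->outstation request (test input, not captured traffic)."""
    user = bytes([0xC0, 0xC0 | (seq & 0x0F), function_code])  # transport FIR|FIN, app FIR|FIN|seq, FC
    header = bytes([0x05, 0x64, 5 + len(user), 0xC4]) + dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    return header + dnp3_crc(header).to_bytes(2, "little") + user + dnp3_crc(user).to_bytes(2, "little")

def parse_function_code(frame: bytes):
    """Check both CRC layers and return (dest, src, function_code); raise ValueError if malformed."""
    if len(frame) < 13 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 frame")
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[:8]):
        raise ValueError("bad header CRC")
    dest, src = int.from_bytes(frame[4:6], "little"), int.from_bytes(frame[6:8], "little")
    user, pos, remaining = bytearray(), 10, frame[2] - 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if len(block) < n or int.from_bytes(frame[pos + n:pos + n + 2], "little") != dnp3_crc(block):
            raise ValueError("bad user-data CRC")
        user += block
        pos, remaining = pos + n + 2, remaining - n
    if len(user) < 3:
        raise ValueError("no application header")
    return dest, src, user[2]

def filter_decision(frame: bytes, allowed_functions: set) -> tuple:
    """Conduit policy: forward only the listed application function codes, drop everything else."""
    try:
        dest, src, fc = parse_function_code(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    name = READ_FUNCTIONS.get(fc) or CONTROL_FUNCTIONS.get(fc) or f"0x{fc:02X}"
    if fc in allowed_functions:
        return "allow", f"{name} {src}->{dest}"
    return "drop", f"{name} {src}->{dest} not permitted on this conduit"

def demo() -> list:
    policy = set(READ_FUNCTIONS)       # read-only conduit: allow READ, disallow writes and controls
    read_req = build_request(0x01, dest=10, src=1)
    corrupted = bytearray(read_req)
    corrupted[12] = 0x05                # function code altered without recomputing the block CRC
    frames = [read_req, build_request(0x02, 10, 1), build_request(0x05, 10, 1), bytes(corrupted)]
    return [filter_decision(f, policy) for f in frames]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:5s} {reason}")
```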
Compensating Network security (3/3)

• Monitoring and inspection technology:
• Intrusion prevention systems function just like an IDS. Moreover, they can actively block traffic, often by dropping the offending packet or by resetting the TCP session.
• Application content inspection systems perform a hybrid function: they inspect and decode the contents of a series of packets like an IDS and analyze the contents like an industrial protocol filter.
• Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security (privacy and data integrity). It is increasingly supported by devices intended for use in substation automation, thanks to IEC 61850 and IEC 62351.
Network security: difficulties
• Without costly hardware tools, encrypted traffic is extremely difficult to inspect.
• If the encryption occurs at the host, the host itself must be secured to ensure its integrity; otherwise an infected endpoint could authenticate and send encrypted exploits without risk of detection.
• It’s also not always possible to implement just any commercial off-the-shelf security tool:
• Many substations present extreme temperature conditions and high levels of electromagnetic interference.
• Space may be limited, or other physical or environmental conditions might prevent installation.
• Many network security tools today can be virtualized and installed as software. While not as strong, virtualization offers more flexible deployment options and (typically) lower cost.
Securing the Supply Chain
Why should we care about the Supply Chain?
• It is quite likely for the composition of the zones to be reliant on third parties:
• The management of the zones (or part of them) may be entirely outsourced to a third party.
• Many components are likely to be from third-party providers; even the technical architecture of the zone is probably designed by a third party.

• What are the risks related to third parties?
Supply Chain Concerns
• Simply put, the use of compromised hardware or software undoes any effort to deliver a safe and secure system.
• These vulnerabilities are invariably outside the control of the grid operator, and most certainly of the end consumer.
• Although this may be an unlikely event, it is something that may happen.
• E.g. the US Department of Homeland Security found that there have been cases where electronics sold in the United States have been preloaded with malicious programs by unknown foreign parties.
Cybersecurity is not only an IT problem

• Many people think of cybersecurity as an IT problem: creating the right defenses against attack, denial of service and system infiltration.
• That is not wrong, it is just not the whole story!
• Cybersecurity also depends on supply chain security to prevent the insertion of counterfeit or compromised components into the system.
Supply Chain Security Risks (1/2)
• For example, rogue code could be inserted into the software long before devices are connected.
• Kill switches or back doors could be built into the hardware to enable remote access, which could both steal data and disable the system.
• Counterfeit items can degrade system performance.
• Maintenance and repair activities (software upgrades and equipment services), on site or remotely, create opportunities to corrupt or compromise systems.
• Faulty end-of-life disposal can create new counterfeiting opportunities.
Supply Chain Security Risks (2/2)
• The power industry has decades of experience in assuring reliability in purchases of electrical equipment!
• The acquisition of “smart” components for the grid has created new challenges and the need for increased scrutiny of global IT vendors.
• These new IT component suppliers may not be familiar with the security and reliability requirements of systems with 30-year life spans.
• Supply chain professionals understand how to establish a secure chain of custody but are not typically part of the cybersecurity strategy. IT professionals are often unfamiliar with the security procedures that make a supply chain “tamper-evident” or with quality assurance programs that detect the insertion of unwanted IT functions.
End-to-End Smart Grid Supply Chain (1/2)
End-to-End Smart Grid Supply Chain (2/2)
Moodle Timed Exams – Sample Questions
Understanding Number of Questions and Time Left
• The quiz is timed; all students must start at the same time.
• The questions must be answered in sequence.
• At the top of each question, the suggested time to spend on it is shown. The number of questions and the time left are indicated on the right side.
Question – Sample 1
Question – Sample 2
Question – Sample 3
Thank you!
