Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure by Eric D. Knapp
Many people think of the Smart Grid as a power distribution group built on advanced smart metering—but that’s just one aspect of a much larger and more complex system. The "Smart Grid" requires new technologies throughout energy generation, transmission and distribution, and even the homes and businesses being served by the grid. This also represents new information paths between these new systems and services, all of which represents risk, requiring a more thorough approach to where and how cyber security controls are implemented.
This insight provides a detailed architecture of the entire Smart Grid, with recommended cyber security measures for everything from the supply chain to the consumer.
- Discover the potential of the Smart Grid
- Learn in depth about its systems
- See its vulnerabilities and how best to protect it
- Elsevier Science
- Publication date:
- Sold by: Barnes & Noble
- NOOK Book
- File size: 4 MB
Read an Excerpt
Applied Cyber Security and the Smart Grid
Implementing Security Controls into the Modern Power Infrastructure
By Eric D. Knapp, Raj Samani, Joel Langill
Elsevier Science
Copyright © 2013 Elsevier Inc.
All rights reserved.
What is the Smart Grid?
INFORMATION IN THIS CHAPTER:
Common components of the Smart Grid
Pitfalls of the Smart Grid
Understanding how the Smart Grid works first requires an understanding of how industrial networks operate, which in turn requires a basic understanding of the underlying communications protocols that are used, where they are used, and why. There are many systems that comprise the larger system of the "Smart Grid," which utilize both common and open protocols as well as many highly specialized protocols used for industrial automation and control, most of which are designed for efficiency and reliability to support the economic and operational requirements of large distributed control systems. Similarly, industrial protocols are designed for real-time operation requiring deterministic results with continuous availability. Combined together, this blend of open and proprietary networks enables the much larger network of measurements, controls, metering, and automation that is the Smart Grid. This amalgam of disparate systems and networks is also a major factor in the cyber security concerns facing the Smart Grid today.
Consider the plug socket in your home today. Regardless of whether there are two or three pins, the net result is that it provides us with the foundation on which our modern society is built. Although this may sound somewhat farfetched, just consider the inconvenience we experience when there is a power outage. Although an inconvenience for us as consumers, the impact for a business can be considerably significant. We have come to expect that when we plug something into the socket, electricity will be supplied. A recent paper by Schneider Electric entitled "How Unreliable Power Affects the Business Value of a Hospital" cited the following example:
"The financial impact of power disruption was demonstrated during the August 2003 blackout, which affected 45 million people in eight US states and 10 million people in parts of Canada. Healthcare facilities experienced hundreds of millions of dollars in lost revenue from canceled services, legal liability, and damaged reputations. Six hospitals were in bankruptcy 1 year later."
To address this and other issues with our current energy network, a dramatic transformation is underway to develop the concept of the Smart Grid. Much like every other industry, technology is acting as a catalyst to provide efficiencies that we could only previously dream about. The need for transformation is of the utmost priority, with demand for energy over the next 20 years anticipated to grow exponentially. More importantly, our desire for reliable and clean energy is fast becoming an imperative to our modern society.
According to the United Nations, the world population is anticipated to reach 10.1 billion within the next 90 years, reaching 9.3 billion by 2050. Combine the population growth with the forecasted income growth, and the demand for more energy becomes clear. According to the BP Energy Outlook, "Since 1900 the population has more than quadrupled, real income has grown by a factor of 25, and primary energy consumption by a factor of 22.5." In a world today where, according to the International Atomic Energy Agency, one in four people still do not have electricity, and many in the Western world have to live through numerous blackouts, the need for greater energy becomes clearer. Consider the cost of these blackouts, which according to the US Department of Energy is $150 billion in the US alone, roughly the equivalent of $500 per US citizen.
The answer? Well, there is considerable focus on the modernization of the energy network with the provision of greater automation of the electricity grid, as well as the development of a communication infrastructure. There are of course many definitions of the Smart Grid, which itself appears to be the newest buzzword (obviously overtaking the "cloud"). The following is a list of definitions from established sources:
"A Smart Grid is a modern electricity system. It uses sensors, monitoring, communications, automation, and computers to improve the flexibility, security, reliability, efficiency, and safety of the electricity system."
"Smart Grid generally refers to a class of technology people are using to bring utility electricity delivery systems into the 21st century, using computer-based remote control and automation. These systems are made possible by two-way communication technology and computer processing that has been used for decades in other industries. They are beginning to be used on electricity networks, from the power plants and wind farms all the way to the consumers of electricity in homes and businesses. They offer many benefits to utilities and consumers—mostly seen in big improvements in energy efficiency on the electricity grid and in the energy users' homes and offices."
Despite the number of various definitions, there are some key objectives expected from the Smart Grid; according to the Canadian Electricity Association, these are to increase grid resilience, improve environmental performance, or deliver operational efficiencies.
In 2004, the House of Commons Trade and Industry Committee published their report into the Resilience of the National Electricity Network. The report was written in response to power cuts in the United Kingdom only 1 year earlier, and focused on addressing concerns about the resilience of the electricity network. Although the report highlighted the relative reliability of the UK network as opposed to other nations, it clearly identified a number of risks: for example, as with the energy networks of other countries, it found that "UK's electricity transmission and distribution network was built in two main periods of activity, in the late 1950s and the mid 1960s–early 1970s. The design life of the assets used in the network was about 40 years." In light of the aging equipment, there were some concerns raised about their maintenance. In particular, The Institution of Civil Engineers raised concerns that the operators were reducing the skill levels of the maintenance staff, and witnesses to the enquiry questioned the logic of decreasing the technical knowledge of engineering staff when the need to maintain equipment is only likely to increase. In order to prevent the need for such enquiries in the future, a smarter grid is absolutely necessary, a grid capable of reacting to unforeseen events and maintaining the availability of energy to its customers, otherwise known as resilience. The term resilience refers to the capability of a given entity to withstand unexpected actions, and recover very quickly thereafter. The development of these predictive maintenance technologies helps offset reduction in both skill level and numbers of support staff—effectively improving maintenance efficiencies. Clearly in the case of the electricity network, a Smart Grid should be able to withstand such environmental threats (whether intentional or unintentional), and recover in a timely fashion.
To illustrate the requirements for greater resilience for the modern electricity network, we can use the case study presented by Smart Grid Australia. The nation itself is faced, much like the world, with geographical growth pockets, in this case within South East Queensland and Western Sydney. This growth, when combined with the ever-increasing demands for more energy to power such devices as air conditioning and heating to combat the fluctuating seasonal weather, provides an insight into some of the reasons why the nation has recognized the need for the replacement of its aging generation assets. Moreover, there is recognition that the current electricity network is almost 50 years old and has also suffered from outages due to extreme weather events. Such events are not limited to Australia, with numerous examples of blackouts experienced globally, and consumers are warned that this is simply the tip of the iceberg. The Electric Reliability Council of Texas, for example, recently warned that the state's energy grid has almost reached capacity. The council is responsible for overseeing power, rather unsurprisingly, for the state of Texas. In early 2011, approximately 4400 Texans, mainly from the west of the state, were subjected to rolling blackouts and given the advice to conserve power, particularly in the morning. With peak demands for power experienced largely in the morning, it is expected demand will reach record levels. Satisfying these peak demands can be particularly costly; generally there exist three levels of satisfying electricity demands, and these are as follows:
Baseload generating units: Such units are intended to satisfy the base level of electricity demand. Meeting such demand has low operating costs and is able to meet fluctuating demands (to a degree) by increasing power generation, or decrease based on demands.
Intermediate units: Intermediate units address greater fluctuations in energy demands. Although they often have higher operating costs than baseload units, their ability to quickly adapt to demand fluctuations makes them more appropriate to meeting higher energy demands.
Peaking units: Peaking units meet the peak demands. These units typically have the highest operating costs but are able to quickly provide a full load within a short period, as well as able to shut down again within minutes. Due to the nature of their operations and obvious cost, the peaking units only operate for a number of days per year.
Of course, there are significant risks regarding the availability of electricity because the equipment in the grid is very old, as was highlighted in the House of Commons report, and susceptible to environmental pressures. Take the case in Texas, for example: the almost 5000 citizens from the west of Texas were left without power, apparently due to frozen pipes at two power plants. Another significant risk is that any targeted intentional action aimed to disrupt the electricity network can equally have significant ramifications. The grid today is very much centralized, which means that a malicious event will only need to attack specific strategic points within the grid in order to impact thousands (and perhaps more) of consumers and subsequently impact a key component of our critical infrastructure.
The psychological impact of being in a power outage in today's world may lead to a feeling of sheer terror. For many, if the lights do go out, or people are stuck in lifts, the question is whether this is caused by terrorist action. A New York citizen who experienced recent blackouts immediately assumed the incidents were due to terrorist actions, "It's almost like 9/11," she said. "Everybody panicked, wondering what happened. Anything could happen when the dark comes down." Of course, the impact of such fear should not be underestimated; however, there are other impacts of such actions. More recently, many citizens in both India and the United States experienced a world without power. Consider not only the impact of the storm or outage itself but also the secondary effects, for example, the loss of communications that was felt (e.g. something as simple as not being able to charge a cell phone). To emphasize the impact of energy supply disruption, a simulation exercise was conducted by the Heritage Foundation in June 2010. Its intention was "to assess the strategic and economic impact of a major energy supply disruption caused by coordinated terrorist attacks on key nodes in the global energy infrastructure," and although it focused on the broader impact of a disruption of the energy sector, the findings did identify that the financial implications resulting from deliberate actions, and the failure to develop a resilient energy network, are severe:
Petroleum prices jump from $75 per barrel to $250 per barrel and eventually fall back to $125 per barrel after 2 years;
Gasoline prices jump to $8 per gallon and remain above $4 per gallon throughout the first year;
Gross domestic product (GDP) losses exceed $300 billion per year for both years of the crisis;
Employment drops by more than 1.3 million the first year and drops an additional 1.1 million in the second year for a total two-year drop of 2.4 million.
These figures are certainly very sobering and really emphasize the importance of developing an energy network that is capable of dealing with external threats and maintaining the availability of energy to everybody that demands it.
Excerpted from Applied Cyber Security and the Smart Grid by Eric D. Knapp. Copyright © 2013 by Elsevier Inc. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Meet the Author
Eric D. Knapp is a globally recognized expert in industrial control systems cyber security, and continues to drive the adoption of new security technology in order to promote safer and more reliable automation infrastructures. He first specialized in industrial control cyber security while at Nitrosecurity, where he focused on the collection and correlation of SCADA and ICS data for the detection of advanced threats against these environments. He was later responsible for the development and implementation of end-to-end ICS cyber security solutions for McAfee, Inc. in his role as Global Director for Critical Infrastructure Markets. He is currently the Director of Strategic Alliances for Wurldtech Security Technologies, where he continues to promote the advancement of embedded security technology in order to better protect SCADA, ICS and other connected, real-time devices.
He is a long-time advocate of improved industrial control system cyber security and participates in many Critical Infrastructure industry groups, where he brings a wealth of technology expertise. He has over 20 years of experience in Information Technology, specializing in industrial automation technologies, infrastructure security, and applied Ethernet protocols as well as the design and implementation of Intrusion Prevention Systems and Security Information and Event Management systems in both enterprise and industrial networks. In addition to his work in information security, he is an award-winning author of fiction. He studied at the University of New Hampshire and the University of London.
He can be found on Twitter @ericdknapp
Raj Samani is an active member of the Information Security industry, through involvement with numerous initiatives to improve the awareness and application of security in business and society. He is currently working as the VP, Chief Technical Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK and was recently inducted into the Infosecurity Europe Hall of Fame (2012).
He previously worked across numerous public sector organisations, in many cyber security and research orientated working groups across Europe. Examples include the midata Interoperability Board, as well as representing DIGITALEUROPE on the Smart Grids Reference Group established by the European Commission in support of the Smart Grid Mandate.
In addition, Raj is currently the Cloud Security Alliance’s Strategic Advisor for EMEA having previously served as the Vice President for Communications in the ISSA UK Chapter where he presided over the award of Chapter Communications Programme of the Year 2008 and 2009, having previously established the UK mentoring programme. He is also on the advisory council for the Infosecurity Europe show, Infosecurity Magazine, and expert on both searchsecurity.co.uk, and Infosec portal, and regular columnist on Computer Weekly. He has had numerous security papers published, and appeared on television (ITV and More4) commenting on computer security issues. He has also provided assistance in the 2006 RSA Wireless Security Survey and part of the consultation committee for the RIPA Bill (Part 3).