Assuring the Trustworthiness of the Smarter Electric Grid - ICPE 2012

Bill Sanders
University of Illinois at Urbana-Champaign
www.tcipg.org
ICPE 2012

Coordinated Science Laboratory
Building Interdisciplinary Excellence with Societal Impact

• Excellence in:
  – Computing and Networks
  – Circuits, Electronics & Surface Science
  – Communications & Signal Processing
  – Decision & Control
  – Remote Sensing
• Initiatives:
  – Computer Vision
  – SRC Focus Center Research Program
  – Neuroengineering IGERT
  – Human-Machine Adversarial Network MURI
• Statistics:
  – 60 years as a premier national interdisciplinary research facility
  – 550 Researchers: 110 professors, 330 graduate students, 60 undergraduate students, & 50 professionals
  – Over $300M in active research projects as of Jan. 2011
• Affiliated Institutes:
  – ITI: Information Trust Institute
  – ADSC: Advanced Digital Sciences Center (Singapore)
  – PCI: Parallel Computing Institute
• Major Centers:
  – Illinois Center for Wireless Systems
  – NSF National Center for Professional and Research Ethics
  – NSF Science of Information Science and Technology Center
  – DOE/DHS Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Center
  – Boeing Trusted Software Center
  – HHS SHARPS Health Care IT Security Center
  – NSA Science of Security Center
  – Illinois Center for a Smarter Electric Grid

Outline

• A Quick Primer on the Modern Electric Grid
• Vulnerabilities and Threats
• Challenges to Achieving Trustworthy Operation
• TCIPG’s Research Mission and Results


Power Grid Trust Dynamics Span Two Interdependent Infrastructures

• Cyber Infrastructure
• Electrical (Physical) Infrastructure

The Challenge: Providing Trustworthy Smart Grid Operation in Possibly Hostile Environments

• Trustworthy
  – A system which does what it is supposed to do, and nothing else
  – Availability, Security, Safety, …
• Hostile Environment
  – Accidental Failures
  – Design Flaws
  – Malicious Attacks
• Cyber Physical
  – Must make the whole system trustworthy, including both physical & cyber components, and their interaction.

Next-Generation Power Grid Cyber Infrastructure Challenges

• Multiparty interactions with partial & changing trust requirements
• Regulatory limits on information sharing

Cross Cutting Issues
• Large-scale, rapid propagation of effects
• Need for adaptive operation
• Need to have confidence in trustworthiness of resulting approach

• Need to create secure and reliable computing base
• Support large # of devices
• Timeliness, security, and reliability required of data and control information

[Figure labels: Other Coordinators, Market Coordinator, Operator, Market Participant, Control Area, Day Ahead Market, Load Following, AGC]

Infrastructure must provide control at multiple levels

• Multi-layer Control Loops
• Multi-domain Control Loops
• Demand Response
• Wide-area Real-time control
• Distributed Electric Storage
• Distributed Generation
• Intra-domain Control Loops
• Home controls for smart heating, cooling, appliances
• Home controls for distributed generation
• Utility distribution Automation
• Resilient and Secure Control
• Secure and real-time communication substrate
• Integrity, authentication, confidentiality
• Trust and key management
• End-to-end Quality of Service
• Automated attack response systems
• Risk and security assessment
• Model-based, quantitative validation tools

[Figure labels: Resilient and Secure Control Loops; Generation and Transmission; Transmission and Distribution; Distribution and Generation]

Note: the underlying Smart Grid Architecture has been developed by EPRI/NIST.

The Power Grid of Tomorrow: Smart Control of Electrical Equipment and an Open Grid

Consumer Portal:
• Security issues are huge
  – Privacy, Billing integrity, Mischief, vandalism, intrusion, Consumer manipulation of system
• Customer education
  – Understanding impact of choices, Home user technical abilities, Home user security knowledge

Who is responsible for security?
• Consumer? Utility?
  – Who would accept responsibility?
• Will be decided by regulators
  – Political decision, but may be influenced by technology

Power Grid of Tomorrow: North American SynchroPhasor Initiative

• Initiative, funded by DOE and industry, to investigate putting Phasor Measurement Units (PMUs) throughout physical power infrastructure
• Need significant changes in power cyber infrastructure to support PMUs.
• “Class A” service requires low latency, data integrity & availability (“no gaps”)

Trustworthiness through Cyber-Physical Resiliency

• Physical infrastructure has been engineered for resiliency (“n-1”), but
• Cyber infrastructure must also be made resilient:
  – Protect the best you can (using classical cyber security methods optimized for grid characteristics), but
  – Detect and Respond when intrusions succeed
• Resiliency of overall infrastructure dependent on both cyber and physical components
• Approaches must be developed that make use of sound mathematical techniques whose quality can be proven (need a science of cyber-physical resilience)


Vulnerabilities in Current Power Systems

• Systems are designed to be robust in the face of single failures but are at risk for certain kinds of multiple failures
  – While secure against single points of failure, analysis may reveal combinations of faults that would have severe consequences
• The tools to find such combinations are not difficult to construct
• In a couple of hours, using a commercially available power simulator and publicly available power flow data, TCIP researchers found a small set of breakers whose tripping would lead to a blackout almost the scale of the August 2003 blackout

[Figure: three power-flow maps of a transmission network (substation labels such as Evanston, Skokie, Elgin and Naperville), annotated with per-line loading percentages and bus angles; loadings exceed 100% in the second and third maps]
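The single-failure versus multiple-failure point above, as an added example (not from the slides or from TCIPG's tooling): a planner's N-1 and N-2 contingency screen using DC power flow. The 4-bus network, its reactances, limits and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations

# Constructed 4-bus test system: (from_bus, to_bus, reactance, limit_MW)
LINES = [(0, 1, 1, 100), (0, 2, 1, 100), (1, 3, 1, 100), (2, 3, 1, 100), (1, 2, 1, 40)]
INJECTION = [100, 0, 0, -100]   # MW: generator at bus 0 (slack), load at bus 3

def dc_flows(lines, inj):
    """DC power flow with bus 0 as slack; per-line MW, or None if the grid islands."""
    n = len(inj)
    # Susceptance (Laplacian) matrix, augmented with the injection column.
    B = [[Fraction(0)] * (n + 1) for _ in range(n)]
    for f, t, x, _ in lines:
        b = Fraction(1, x)
        B[f][f] += b; B[t][t] += b; B[f][t] -= b; B[t][f] -= b
    for i in range(n):
        B[i][n] = Fraction(inj[i])
    A = [row[1:] for row in B[1:]]           # drop the slack row and column
    m = n - 1
    for c in range(m):                        # Gauss-Jordan, exact arithmetic
        p = next((r for r in range(c, m) if A[r][c] != 0), None)
        if p is None:
            return None                       # singular: network split into islands
        A[c], A[p] = A[p], A[c]
        A[c] = [v / A[c][c] for v in A[c]]
        for r in range(m):
            if r != c and A[r][c] != 0:
                A[r] = [a - A[r][c] * b for a, b in zip(A[r], A[c])]
    theta = [Fraction(0)] + [A[i][m] for i in range(m)]   # bus angles
    return [(theta[f] - theta[t]) / x for f, t, x, _ in lines]

def screen(k):
    """Return {outage indices: reason} for every k-line outage that violates a limit."""
    bad = {}
    for out in combinations(range(len(LINES)), k):
        kept = [l for i, l in enumerate(LINES) if i not in out]
        flows = dc_flows(kept, INJECTION)
        if flows is None:
            bad[out] = "islanding"
        else:
            worst = max(abs(fl) / l[3] for fl, l in zip(flows, kept))
            if worst > 1:
                bad[out] = f"overload {float(worst):.0%}"
    return bad

if __name__ == "__main__":
    for k in (1, 2):
        print(f"N-{k} violations:", screen(k))
```

The constructed system passes every single-line outage yet fails four of its ten double outages, which is the gap between N-1 planning and multiple-failure risk that the slide describes.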

Classical (Physical) Attack Approaches

• Physical attacks on lines, buses and other equipment can also be effective:
  – “low tech” attacks may be easy, and are also difficult to defend against
  – Requires physical proximity of attacker
  – Particularly effective if multiple facilities are attacked in a coordinated manner
• But coordination may be much easier in a cyber attack

J.D. Konopka (a.k.a. Dr. Chaos): alleged to have caused $800K in damage in disrupting power in 13 Wisconsin counties, directing teenaged accomplices to throw barbed wire into power stations. (From Milwaukee Journal Sentinel) http://www.jsonline.com/news/Metro/may02/41693.asp

Intelligent Electronic Devices

• Intelligent Electronic Devices (IEDs) monitor and control devices, relays, and breakers
• IEDs may be subject to cyber tampering given access to the substation network and knowledge of a password.
  – Publicly accessible information contains the default passwords for some IEDs

“PASSWORD Shows or sets passwords. Command pulses ALARM contacts closed momentarily after password entry. PAS 1 OTTER sets Level 1 password to OTTER. PAS 2 TAIL sets Level 2 password to TAIL.”

• Attacks on multiple grid locations, whether physical or cyber, would need to be well synchronized to be effective (