Computer Laboratory

Shailendra Fuloria

Academic Publications

  • Key Management for Substations: Symmetric Keys, Public Keys or No Keys?
    (paper)
    PSCE 2011: Presented at the IEEE Power Systems Conference & Exposition, March 2011, Phoenix, Arizona, USA

    Abstract: In this paper, we discuss symmetric-key and public-key protocols for key management in electricity transmission and distribution substations—both for communication within substations, and between substations and the network control center. Key management in the electricity network is widely regarded as a challenging problem, not only because of the scale, but also due to the fact that any mechanism must be implemented in resource-constrained environments. NISTIR 7628, the foundation document for the architecture of the US Smart Grid, mentions key management as one of the most important research areas, and the IEC 62351 standards committee has already initiated a new specification dedicated to key management. In this document, we describe different variants of symmetric-key and public-key protocols. Our design is motivated by the need to keep the mechanism simple, robust, usable and still cost effective. It is important to take into account the complexity and the costs involved not just in the initial bootstrapping of trust but also in subsequent key management operations like key update and revocation. It is vital to determine the complexity and the cost of recovery mechanisms—recovery not only from malicious, targeted attacks but also from unintentional failures. We present a detailed threat model, analysing a range of scenarios from physical intrusion through disloyal maintenance personnel to supply-chain attacks, network intrusions and attacks on central systems. We conclude that while using cryptography to secure wide area communication between the substation and the network control center brings noticeable benefits, the benefits of using cryptography within the substation bay are much less obvious; we expect that any such use will be essentially for compliance. The protocols presented in this paper are informed by this threat model and are optimised for robustness, including simplicity, usability and cost.

  • Who controls the off switch?
    (paper)
    SmartGridComm 2010: IEEE Conference on Smart Grid Communications, Oct 2010, NIST, Maryland, USA

Abstract: We're about to acquire a significant new cyber-vulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage. The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker -- whether a hostile government agency, a terrorist organisation or even a militant environmental group -- the ideal attack on a target country is to interrupt its citizens' electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended. Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability, which we discuss in this paper.

  • On the security economics of electricity metering
    (paper)
    WEIS 2010: Workshop on Economics of Information Security, June 2010, Harvard University, USA

    Abstract: Smart grids are a hot topic, with the US administration devoting billions of dollars to modernising the electricity infrastructure. Significant action is likely in metering, where the largest and most radical change may come in the European Union. The EU is strongly encouraging its 27 Member States to replace utility meters with ‘smart meters’ by 2022. This will be a massive project: the UK, for example, looks set to replace 47m meters at a cost of perhaps £350 each. Yet it is not at all clear what it means for a meter to be secure. The utility wants to cut energy theft, so it wants the ability to disable any meter remotely; but a prudent nation state might be wary of a facility that could let an attacker turn off the lights. Again, the utility may want to monitor its customers’ consumption by the half hour, so it can price discriminate more effectively; the competition authorities may find this abhorrent. Other parts of government might find it convenient to have access to fine-grained consumption data, but might find themselves up against privacy law. There are at least half-a-dozen different stakeholders with different views on security – which can refer to information, to money, or to the supply of electricity. And it’s not even true that more security is always better: some customers may opt for an interruptible supply to save money. In short, energy metering is ripe for a security-economics analysis, and in this paper we attempt a first cut. We end up with five recommendations for the regulation of a future smart meter infrastructure.

  • The Protection of Substation Communication
    (paper)
    S4 2010: SCADA Security Scientific Symposium, January 2010, Miami, USA

    Abstract: The last few years have seen considerable investment in the security of industrial control systems. In the power sector, there has been a focus on operational measures directed by NERC, while technical solutions have been proposed through the IEC and the ISA. Many of these proposals use cryptography to secure communications, so that some of the defensive effort can be moved from the perimeter to the end systems. However the security mechanisms need to take into account implementation costs as well as operational challenges. In this paper, we discuss these challenges in the context of protecting communications within substations. Proposals to use digital signatures are impractical because of both performance and cost. We analyse the complexities of these solutions both from security economics as well as engineering perspectives and argue that the right technology for this application is shared-key, namely message authentication codes: it gives the necessary performance at a fraction of the cost.

  • Certifications and Evaluations: A Security Economics perspective
    (paper)
ETFA 2009: IEEE Conference on Emerging Technologies and Factory Automation, September 2009, Mallorca, Spain

Abstract: There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated Common Criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as 'security theatre' designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.

  • Security Economics and Critical National Infrastructure
    (paper)
    WEIS 2009: Workshop on Economics of Information Security, June 2009, University College London, UK

Abstract: There has been considerable effort and expenditure since 9/11 on the protection of 'Critical National Infrastructure' against online attack. A consensus is emerging that the protection of such assets is more a matter of business models and regulation -- in short, of security economics -- than of technology. We describe the problems, and the state of play, in this paper. Industrial control systems operate in a different world from systems previously studied by security economists; we find the same issues (lock-in, externalities, asymmetric information and so on) but in different forms. Lock-in is physical, rather than based on network effects, while the most serious externalities result from correlated failure, whether from cascade failures, common-mode failures or simultaneous attacks.

Other Writings

  • Response to the draft on roadmap to secure energy delivery systems
    (document)
    This is our response to the draft on 'Roadmap to Secure Energy Delivery Systems' published by the Energy Sector Control Systems Working Group.

  • Data Privacy and Security – Response to Ofgem's Consultation
    (document)
    This is our response to the public consultation by Ofgem on the UK's smart meter project.

  • Response to the draft on NISTIR 7628
    (document)
    This is our response to the public consultation by NIST on NISTIR 7628.