By Kip Gering, Itron, and Jim Alfred, Certicom
Advanced metering infrastructure (AMI) is headed for mass deployment in the United States. Southern California Edison (SCE), San Diego Gas and Electric (SDG&E) and CenterPoint Energy are some of the latest utilities to embark on large-scale smart meter deployments. One of the most important decisions for these utilities involves selecting the strongest security technology available to protect both utility and customer assets and information.
AMI and smart grid networks are evolving with all manner of physical and logical network technology. The networks’ openness and two-way communication capabilities add new risks to what has been traditionally an isolated transmission and distribution system. Given this network diversity, end-to-end security must be transparent to the network, and it is vitally important for utilities to quickly grasp the security nuances and mitigate their risks.
Evolution of AMI
Those who lived through the California energy crisis in 2000 to 2001 or felt the impact of the northeastern blackout in August 2003 know firsthand the importance of a secure and stable electricity supply. Some experts were already concerned with the power grid’s physical security, but numerous deaths and billions of dollars in economic damage in 2003 got everyone’s attention.
The critical infrastructure protection (CIP) standards and compliance laws made operators and generators accountable for the bulk electric system’s security, further raising security awareness in the industry (see interview with Michael Assante on page 50 of this issue for more on CIP). With the advent of two-way AMI technology, a utility’s network is not only connected to substations but now extends to each end customer.
Smart grid security concerns put Congress back into action with the Energy Policy and Security Act of 2005. The act mandates that state utility regulators study smart metering and demand response technologies. Standards like ANSI C12.22 are now more important. Deployment of several types of networks like power line carrier and radio frequency mesh has made flexibility important as well. And, the California Energy Commission’s Title 24, which mandates the use of programmable communicating thermostats (PCTs) for load shed, has moved AMI even further.
Title 24 also created further awareness of security issues. Recording an emergency load shed radio signal and rebroadcasting it, a so-called replay attack, became a significant concern that must be addressed; otherwise, the PCT could threaten the distribution network. Authenticating load shed and demand response signals also became critical.
Security Requirements and the AMI-SEC Task Force
With deployment timelines set, utilities went into high gear in 2007, assessing security requirements. Early adopters of AMI such as SCE, Pacific Gas & Electric, American Electric Power, Consumers Energy, SDG&E and Florida Power & Light joined together to leverage resources via an industry task force, AMI-SEC. Enlisting security domain experts, standards body representatives, utility engineers and industry-leading vendors, the utility AMI task force’s immediate goal was clear: Produce usable requirements and guidance for utilities on the procurement path.
The task force identified threats to which smart meters, home area networks and distribution infrastructure would be exposed. Lessons learned from first-generation AMI deployments were obvious: Don’t rely on simple passwords and shared encryption keys in every meter; and when demand response, remote disconnect and other services are implemented, provide enhanced security to protect critical systems assets and end user privacy.
AMI-SEC classifies baseline security requirements by high-level functionality: confidentiality and privacy, integrity, availability, authentication and authorization, non-repudiation and traceability (auditable logging). Each function is applied to system assets based on a threat assessment that identifies what assets need to be protected and from which specific threats. Assets throughout the AMI system, from meter firmware and encryption keys to communications infrastructure, such as collector routing tables and head-end management interfaces, are considered against threat vectors. An example of a threat vector would be a teenage hacker or cyber criminal cracking a physical meter or PCT and copying its keys. When looking at the threat vectors for the head-end where system commands originate, internal assailants must be considered.
Security experts were quick to identify the flaws in existing solutions based solely on symmetric encryption technologies used in earlier AMI rollouts. Symmetric encryption has its limitations, and it can provide people with a false sense of security.
The experts recognized the need for asymmetric (public key) cryptography and enhanced key distribution techniques to protect the system from key compromise. Asymmetric cryptography forms the basis of public key infrastructure (PKI) which secures today’s Web services, securing billions of Internet transactions every day.
Case Study: SCE
SCE is one of the largest electric utilities in the United States, with 5.3 million customers spread over a 50,000-square-mile service area. SCE began planning its AMI deployment more than five years ago, filing an AMI business case with the California Public Utilities Commission (CPUC) in March 2005. By early 2008, the stage was set. SCE underscored its baseline requirements and began executing AMI rollout plans, selecting Itron for its AMI deployment.
Itron was heavily involved in ANSI-C12.22 and AMI-SEC, and as SCE’s incumbent AMR provider, it understood the challenges of securing a wide service area and meeting the end-to-end security requirements. SCE’s network exposes more than 22,000 MW of load controlled by the utility.
Itron believes it is important to be aggressive when it comes to AMI-SEC requirements. The company’s strategy is to leverage the extensibility of ANSI C12.22 and enhance the security of its OpenWay platform. To accomplish its security goals, Itron partnered with Certicom, a company that specializes in elliptic curve cryptography (ECC), a public key cryptosystem ideal for securing millions of resource constrained metering endpoints.
The ECC public key cryptosystem differs from the symmetric key or password-based solution in that, if a single device is tampered with and compromised, only that device’s keys are exposed. This allows the meters to be factory provisioned, then registered and securely rekeyed over the air.
The Itron and Certicom collaboration resulted in the world’s first large-scale AMI deployment secured with ECC. Efficient ECC offers the highest security per bit of any public key cryptosystem, allowing OpenWay to manage millions of critical meter and system keys with high security and no network performance degradation.
A secure message protocol ensures that demand response commands, emergency load sheds, remote disconnects and key update messages to any meter are replay-resistant and authentic.
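An added example (not from the article, Itron or Certicom) of the checks a receiving meter can apply so that a recorded load-shed command is rejected when rebroadcast and a forged or altered one never executes. HMAC-SHA256 with a per-meter key stands in for the ECC signature so the code runs on the Python standard library alone; the message layout, key derivation, meter IDs and all names are assumptions.

```python
import hashlib
import hmac
import struct

MASTER = b"constructed-demo-secret"  # constructed value, held by the head-end only

def device_key(meter_id: str) -> bytes:
    # Assumed derivation: one key per meter, so a cracked meter exposes only its own.
    return hmac.new(MASTER, meter_id.encode(), hashlib.sha256).digest()

def make_command(meter_id: str, counter: int, action: str) -> bytes:
    # Head-end side: the tag covers the counter, the target meter and the action.
    body = struct.pack(">Q", counter) + meter_id.encode() + b"|" + action.encode()
    return body + hmac.new(device_key(meter_id), body, hashlib.sha256).digest()

class Meter:
    def __init__(self, meter_id: str, key: bytes):
        self.meter_id, self.key = meter_id, key
        self.last_counter = 0  # highest counter accepted; must survive reboots

    def accept(self, msg: bytes) -> str:
        if len(msg) < 8 + 32:
            return "reject: malformed"
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        counter = struct.unpack(">Q", body[:8])[0]
        target, _, action = body[8:].partition(b"|")  # IDs here contain no "|"
        if target != self.meter_id.encode():
            # Redundant with per-meter keys; required if one signing key serves all meters.
            return "reject: wrong target"
        if counter <= self.last_counter:
            return "reject: replay"  # a recorded message carries an old counter
        self.last_counter = counter
        return "execute: " + action.decode()

def demo() -> list:
    m1 = Meter("meter-001", device_key("meter-001"))
    m2 = Meter("meter-002", device_key("meter-002"))
    shed = make_command("meter-001", 1, "LOAD_SHED")
    tampered = shed[:-1] + bytes([shed[-1] ^ 1])
    return [m1.accept(shed),      # fresh command
            m1.accept(shed),      # same bytes recorded and rebroadcast
            m2.accept(shed),      # recording aimed at a different meter
            m1.accept(tampered)]  # one bit flipped in transit

if __name__ == "__main__":
    print(demo())
```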
SCE is in deployment today with the goal of completing the installation by 2012.
Case Study: CenterPoint Energy
CenterPoint Energy, which serves the Houston area, has more than 2 million electricity customers and 1 million gas customers, making it one of the largest utilities in the United States.
CenterPoint Energy had been evaluating AMI technologies and working with the Center for the Commercialization of Electricity Technologies (CCET) on a demand response pilot using broadband-over-powerline (BPL) technology for 5,000 select customers. Because BPL security is based on 56-bit predictable keys at the physical layer with the simple network management protocol at the IP layer, it would have been difficult and expensive for CenterPoint to scale the system for its 2 million customers.
Like SCE, CenterPoint Energy’s service area demands a mix of communications technologies, from BPL to wireless mesh networking, and with so many customers, security must be scalable as well as transport layer independent. Itron’s OpenWay Collection Engine and Certicom’s AMI 7000 security appliances are being produced for CenterPoint Energy’s mass meter deployments scheduled for the second half of 2009.
CenterPoint Energy plans to have 50,000 meters installed in the field by August, 150,000 by the end of 2009, and ultimately will be installing 500,000 meters per year to complete the 2.2 million electric meter project.
Case Study: SDG&E
SDG&E is the third public company to have commissioned the new OpenWay 2.0 platform with Certicom’s security appliances. Like SCE, SDG&E spent a great deal of time looking at security issues, both in AMI-SEC and in the ZigBee Smart Energy initiative.
In SDG&E’s case, the smart electricity meter upgrade is being accompanied by new gas meters. The meter systems share a common network infrastructure, with battery-powered ZigBee Smart Energy modems connecting the electricity and gas service points. With ZigBee Smart Energy enabled in the meter, SDG&E is using its AMI rollout to spur innovative demand response applications throughout the home.
SDG&E is in deployment now and is building towards an install rate of 5,000 meters per day by mid-2010. It plans to complete installation of 1.4 million electricity meters by the end of 2011.
Led by innovators like SCE, SDG&E and CenterPoint, the pace of AMI rollouts in North America is accelerating. Not all utilities have the resources or time to study smart meter security. Best practices from industry peers and guidance from organizations like AMI-SEC will help utilities deploy smart grid technology. More and more AMI systems will adopt higher security functionality in parallel with industry standards groups to ensure AMI has a secure foundation in the smart grid.
Kip Gering is a senior product manager for OpenWay software applications at Itron. Jim Alfred is senior director, product management at Certicom.