by Balu Ambady, Sensus
Utilities moving forward with advanced metering infrastructure (AMI) and distribution automation (DA) deployments must secure the two-way communications network that reaches every customer site and monitoring point in the power distribution and metering infrastructure. Such security encompasses a broad network footprint with many elements requiring safeguards to ensure the confidentiality, integrity and availability (CIA) of this critical utility infrastructure.
In September 2010, the National Institute of Standards and Technology (NIST) released NISTIR 7628, comprising standards for smart grid network security. These standards are broadly applicable to smart grid initiatives, including AMI and DA.
As standards evolve, utilities can derive additional guidance from enterprise networking, control systems and other models by applying proven methods that provide multi-layered security, including physical controls, encryption, virtual private networking and more.
Smart grid network security goals include protecting all points of entry into the network, making reconnaissance difficult from both inside and outside the network, limiting points of vulnerability and thwarting attempts to misuse or compromise the network and its messages. Network developers and operators have a broad range of techniques and best practices available to achieve these goals. Principles of defense-in-depth and multiple reinforcing security controls allow organizations to create a strong security posture appropriate for critical AMI and DA communications. Security differs in technology and intended use; however, multi-layered security is a non-negotiable security practice for utilities.
Following are six steps necessary to secure an AMI or DA network.
Step No. 1: Protect Endpoints and Access Points
AMI and DA infrastructure security generally involves safeguarding the constituent network and technology. Endpoint device security, however, cannot be overlooked. Unsecured endpoints can enable a security breach that infiltrates the entire network. Tamper prevention and detection, physical hardening and other techniques can protect against unauthorized physical access to devices, particularly those in unsecure locations such as customer sites.
Endpoint devices and access points (collector stations) can use locks, seals and other tamper-resistant mechanisms. For example, access points, smart meters and home area network devices are equipped with locks, security tags and seals, and secure physical mounts. Physical tampering with the devices will trigger an alert in the network management system. Not only does this discourage tampering, it immediately alerts the utility should tampering occur.
In a two-way AMI system, every deployed endpoint could potentially be used to exploit the particular network or even other networks that use the same technology. Logically layered security for authentication, access control and data transmission addresses those risks, establishing multiple barriers against unauthorized or accidental network misuse. Endpoint security should be designed such that single endpoint compromises do not lead to larger network attacks. For example, a single cryptographic key shared between large numbers of endpoints is a significant risk and must be constrained appropriately.
All endpoint components should integrity check firmware downloads and verify critical commands. In addition, endpoints may be protected by measures such as hardware/software protection for keys and other security parameters, integrity checks at boot-up, verification of applications at run time, and other measures.
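The firmware integrity check described above, as an added example that is not Sensus code or part of the original article: a vendor signs each image with an Ed25519 key, and the endpoint, holding only the vendor's public key provisioned at manufacture, refuses any image whose signature fails and any signed image that is not newer than the one already running. The image format, the version-binding digest and the `Endpoint` type are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// FirmwareImage is a constructed, minimal image format: version, payload and
// a detached Ed25519 signature over SHA-256(version || payload).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// digest binds the version to the payload so a genuine signature cannot be
// replayed with a different version number.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware runs in the vendor's release process; the private key never
// reaches the field.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{version, payload, ed25519.Sign(priv, digest(version, payload))}
}

// Endpoint carries the vendor public key provisioned at manufacture and the
// running version, used to refuse rollback to an older signed image.
type Endpoint struct {
	VendorPub      ed25519.PublicKey
	RunningVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature invalid")
	ErrDowngrade    = errors.New("firmware rejected: not newer than running version")
)

// VerifyAndApply checks the signature before looking at anything else, so an
// unauthenticated image never influences the version comparison.
func (e *Endpoint) VerifyAndApply(img FirmwareImage) error {
	if !ed25519.Verify(e.VendorPub, digest(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= e.RunningVersion {
		return ErrDowngrade
	}
	e.RunningVersion = img.Version
	return nil
}

// Demo exercises a genuine image, a bit-flipped image and a signed but older image.
func Demo() (genuine, tampered, downgrade error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ep := &Endpoint{VendorPub: pub, RunningVersion: 4}

	good := SignFirmware(priv, 5, []byte("constructed firmware image v5"))
	genuine = ep.VerifyAndApply(good)

	bad := good
	bad.Payload = append([]byte(nil), good.Payload...)
	bad.Payload[0] ^= 0xff // one byte corrupted or altered in transit
	tampered = ep.VerifyAndApply(bad)

	old := SignFirmware(priv, 3, []byte("constructed firmware image v3"))
	downgrade = ep.VerifyAndApply(old)
	return
}
```

The same verify-then-act pattern applies to critical commands: authenticate the message first, then check it against local state (here the running version, for a command perhaps a sequence counter) before acting on it.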
Step No. 2: Protect Wireless Communications
Many AMI and DA networks use wireless communications between endpoints and other field-deployed infrastructure. Meter reads and other messages coming from endpoints to the head-end system via intermediate access points must ensure confidentiality and integrity. Command and control messages from the head-end to the endpoints must be similarly protected. Message authenticity and device authentication also are important security aspects.
Encryption can be used to protect messages traveling across AMI and DA networks. Encryption ensures that messages can be read only by the intended receiver, making the data unreadable to any device that does not hold the key to decrypt it. Depending on its strength, encryption can be suitable for AMI and DA network security. Encryption strength depends on the algorithm, the type and length of the encryption keys and the resulting key space, and proper implementation of publicly vetted algorithms. In general, the longer the encryption key, the stronger the encryption. Although advanced encryption standard (AES) implementations using 128-bit keys are common and considered strong, longer keys are viable options given the increased computing capabilities of AMI and DA endpoints. Some communication systems using AES with 256-bit keys are considered to have “very secure” encryption strength.
Encryption also differs depending on whether it is symmetric or asymmetric. Symmetric encryption uses the same secret key for encryption and decryption. Asymmetric encryption uses a public key and a highly-protected private key, allowing anyone to send an encrypted message, but only the intended recipient to decrypt it. In the reverse direction, only the private key holder can digitally sign messages, but anyone can verify the message.
To ensure robust protection in AMI and DA networks using symmetric keys, multi-layer encryption combines several encryption keys. Each endpoint may have a unique key assigned during manufacturing. Unicast messages between the head-end and endpoints can be encrypted using this unique key, but additional keys may be enabled for other system functions. For example, all endpoints on the network may have a shared key for broadcast messages. In addition, logical groups of endpoints could be assigned a unique group key. With this encryption scheme, a compromise of one meter’s unique key cannot affect other networked meters or components. Shared-key security can be maintained through key rotation and by constraining which functions can be invoked by messages protected only with a shared key.
In addition to encryption, some utilities enhance security by using a licensed spectrum-based wireless network. Licensed spectrum technology provides intrinsic security advantages because individuals cannot order components through the Internet or plug in at home; therefore, licensed spectrum is not a target for casual intruders.
Step No. 3: Protect Backhaul Communications
Virtual private networks (VPNs) are another way to protect communication in the AMI and DA network. VPNs can protect communication between the access points and head-end systems. These VPNs encapsulate the transmitted data using transport layer security (TLS) to encrypt it. Users must be authorized before they can access the remote access points or read or write their data. Secure shell (SSH) or a similar secure protocol is recommended to establish a user connection or inter-system connection.
Step No. 4: Protect Head-end Systems
Various AMI and DA infrastructure head-end components should be deployed in a secure data center and may be protected using a layered approach. The network perimeter and critical junction points are typically protected using firewalls, intrusion detection/prevention systems, and other network security controls. Firewalls permit or deny data transmissions into a company’s network based on rules and other criteria. For a message to enter or leave the controlled network, it must pass through the firewall. Another option is an intrusion prevention system that blocks and prevents certain activities in real time. A demilitarized zone (DMZ) combines firewall and intrusion prevention systems to tightly regulate traffic entering the utility’s data center and computing assets, usually at the boundaries of “untrusted” network entities such as field-deployed AMI and DA equipment, and trusted AMI and DA components such as head-end systems.
In addition to protecting communications traversing the AMI and DA network, it is important to protect the information housed in other networked devices. For example, anti-virus software detects, prevents and removes damaging code from computers, including worms, viruses, Trojan horses and other malware. Head-end components that need an externally facing Web interface may be hosted within the DMZ, but other crucial components may be hosted deep within the utility’s data center and protected by an appropriately stringent control set.
Key secrecy also is critical to encryption. Encryption key management helps ensure that each endpoint’s key, which was injected during manufacturing or introduced via other methods, is valid and protected appropriately throughout the key’s life. One solution is for a central server to securely manage the system’s encryption keys at the head-end system, which is located deep within the utility’s network. In this architecture, messages are encrypted and decrypted by the head-end system, pass through access points while still encrypted, and are decrypted and encrypted only at the endpoints. Access points do not encrypt or decrypt messages; therefore it isn’t necessary to store keys on the access points, which are usually located in “untrusted” locations. The keys on the key servers are encrypted with a master key before being stored in the key database. Access to the master key is securely managed to the strongest Federal Information Processing Standards (FIPS) requirements (e.g. 140-2).
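The key hierarchy from Step 2 (unique per-endpoint keys, a shared broadcast key, rotation) and the key-server architecture just described, as one added example that is not Sensus code or part of the original article. A key server stores each endpoint's unique key only wrapped under a master key, the head-end seals a unicast command to meter B, an access point relays the ciphertext without holding any key, and the broadcast key is delivered to each meter under its own unique key so that a meter whose key is compromised can be excluded at the next rotation. The `KeyServer` type, the meter identifiers, the use of AES-GCM and the in-memory master key (an HSM would hold it in practice) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes stands in for key injection at manufacturing and for master
// key generation (assumption: a CSPRNG is sufficient for this example).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts and authenticates with AES-GCM; the nonce is prepended.
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open returns an error (and no plaintext) on the wrong key or any modified byte.
func open(key, msg []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// KeyServer lives deep in the data center. Each endpoint's unique key is
// stored only wrapped under the master key; only the head-end path unwraps.
type KeyServer struct {
	master  []byte
	wrapped map[string][]byte
}

func NewKeyServer() *KeyServer {
	return &KeyServer{master: randomBytes(32), wrapped: map[string][]byte{}}
}

func (ks *KeyServer) Enroll(id string, uniqueKey []byte) {
	ks.wrapped[id] = seal(ks.master, uniqueKey)
}

func (ks *KeyServer) EndpointKey(id string) ([]byte, error) {
	w, ok := ks.wrapped[id]
	if !ok {
		return nil, errors.New("unknown endpoint " + id)
	}
	return open(ks.master, w)
}

// Demo returns four facts: B reads its unicast; A cannot read B's unicast;
// A reads the epoch-1 broadcast it was issued; A cannot read the epoch-2
// broadcast issued after A was excluded by key rotation.
func Demo() (bReadsUnicast, aReadsUnicast, aReadsBcast1, aReadsBcast2 bool) {
	ks := NewKeyServer()
	keyA, keyB := randomBytes(16), randomBytes(16) // injected at manufacturing
	ks.Enroll("meter-A", keyA)
	ks.Enroll("meter-B", keyB)
	// Head-end seals a unicast command to B; the access point only relays bytes.
	kB, _ := ks.EndpointKey("meter-B")
	relayed := seal(kB, []byte("DISCONNECT"))
	_, errB := open(keyB, relayed)
	_, errA := open(keyA, relayed) // holder of A's compromised key
	bReadsUnicast, aReadsUnicast = errB == nil, errA == nil
	// Epoch-1 broadcast key delivered to A wrapped under A's unique key.
	kA, _ := ks.EndpointKey("meter-A")
	bk1 := randomBytes(16)
	bkAtA, _ := open(keyA, seal(kA, bk1))
	_, err := open(bkAtA, seal(bk1, []byte("TIME_SYNC epoch 1")))
	aReadsBcast1 = err == nil
	// A reported compromised: rotate to bk2, delivered to B only (seal(kB, bk2)).
	bk2 := randomBytes(16)
	_, err = open(bkAtA, seal(bk2, []byte("TIME_SYNC epoch 2")))
	aReadsBcast2 = err == nil
	return
}
```

Two properties carry the article's point: the access point never calls `open`, so a captured access point yields no key material, and the only thing a compromised unique key exposes is that one meter's unicast traffic plus the broadcast keys it was legitimately issued, which rotation retires.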
Security in AMI and DA networks also requires users and endpoints to be verified as authentic through passwords or by using strong authentication mechanisms or both. Even after authentication by the user or endpoint, authorization and access control processes will grant access to infrastructure resources only as permitted for the verified user, ensuring required separation of duties. Head-end systems must use robust user authentication and role-based access control to ensure separation of duties, restrict access to critical system functions, and provide audit control.
In a two-way AMI and DA system, every deployed endpoint or system component could potentially be used to exploit the primary network or other networks using the same technology. Logically layered security for authentication, access control and data transmission addresses those risks, establishing multiple barriers against unauthorized or accidental network misuse.
Step No. 5: Conduct Ongoing Security Validation and Testing
In addition to securing the various system components, ongoing validation and testing of security strategy, architecture, practices and implementation is important. Vendor products and their components that are certified by trusted third parties can provide a secure solution baseline. In addition to product certifications, it is recommended that a third party validate the vendor to ensure it employs a well-recognized set of security best practices for its products’ and solutions’ planning, development and implementation processes. Third party security reviews of the utility’s AMI and DA architecture and periodic testing performed by internal and external resources are also recommended.
Step No. 6: Provide Auditing and Logging Functionality
Another critical control set within any system includes the audit trails and logs that the system produces. These controls provide valuable information for understanding system component operations. They answer the who, what, when and how questions underlying system events. Common fields that should be included in any system audit log are date/time, user identification, current state, action performed, new state and success or failure of the action. In addition to creating and storing these logs, protecting them from tampering is critical: access control and integrity protection for the logs can be achieved using various methods, including operating system features, third-party products and others.
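An audit log carrying the fields listed above, with integrity protection, as an added example that is not Sensus code or part of the original article. Each entry is chained to its predecessor by an HMAC computed by the log service (the key is assumed to be held by that service, not by the users whose actions it records), so editing any stored entry is detected when the chain is verified; the three events are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"time"
)

// AuditEntry carries the fields the article lists for every audit event.
// PrevMAC links the entry to its predecessor; MAC covers everything else.
type AuditEntry struct {
	Timestamp time.Time `json:"ts"`
	User      string    `json:"user"`
	PrevState string    `json:"prev_state"`
	Action    string    `json:"action"`
	NewState  string    `json:"new_state"`
	Success   bool      `json:"success"`
	PrevMAC   string    `json:"prev_mac"`
	MAC       string    `json:"mac"`
}

// AuditLog is append-only; the HMAC key belongs to the log service.
type AuditLog struct {
	key     []byte
	entries []AuditEntry
}

func (l *AuditLog) lastMAC() string {
	if len(l.entries) == 0 {
		return "genesis"
	}
	return l.entries[len(l.entries)-1].MAC
}

// mac computes HMAC-SHA256 over the JSON form of the entry with MAC cleared;
// struct fields marshal in declaration order, so the encoding is deterministic.
func (l *AuditLog) mac(e AuditEntry) string {
	e.MAC = ""
	b, _ := json.Marshal(e)
	m := hmac.New(sha256.New, l.key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

func (l *AuditLog) Append(ts time.Time, user, prev, action, next string, ok bool) {
	e := AuditEntry{ts, user, prev, action, next, ok, l.lastMAC(), ""}
	e.MAC = l.mac(e)
	l.entries = append(l.entries, e)
}

// Verify walks the chain and returns the index of the first entry whose
// MAC or link is wrong, or -1 when the log is intact.
func (l *AuditLog) Verify() int {
	prev := "genesis"
	for i, e := range l.entries {
		if e.PrevMAC != prev || !hmac.Equal([]byte(l.mac(e)), []byte(e.MAC)) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// Demo records three constructed events, verifies the chain, then rewrites the
// user on entry 1 (as someone covering their tracks might) and verifies again.
func Demo() (cleanResult, tamperedResult int) {
	al := &AuditLog{key: []byte("constructed-demo-key-not-for-use")}
	t0 := time.Date(2011, 3, 1, 8, 0, 0, 0, time.UTC)
	al.Append(t0, "operator1", "connected", "disconnect meter 42", "disconnected", true)
	al.Append(t0.Add(time.Minute), "operator2", "disconnected", "reconnect meter 42", "disconnected", false)
	al.Append(t0.Add(2*time.Minute), "admin", "role=operator", "grant role=admin to operator2", "role=admin", true)
	cleanResult = al.Verify()
	al.entries[1].User = "operator1"
	tamperedResult = al.Verify()
	return
}
```

A chain like this detects modification and reordering of stored entries but not silent truncation of the newest ones; in practice the latest MAC is periodically copied to a separate system (a write-once store or a second log server) so that deletion from the tail is also detectable.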
Balu Ambady is director of security for Sensus, a provider of technology solutions that enable intelligent use and conservation of critical energy and water resources. Balu is responsible for all aspects of security for Sensus solutions. Prior to joining Sensus, he was director of advanced technology and security architecture for CableLabs.