By Wayne Howard, 2014-09-14 10:34

AMI-SEC Task Force Roadmap


    This document serves to introduce readers to the Advanced Metering Infrastructure (AMI) Security (AMI-SEC) Task Force, a project of the UtiliSec Working Group under the auspices of the OpenSG Users Group. The OpenSG Users Group is a sub-working group within the UCAIUG.¹

    The document is intended to point the reader to authoritative, primary materials of the Task Force where possible. While the document is created to be a “front door” for those new to AMI-SEC Task Force project information, it only describes activities and deliverables in the context of UtiliSec goals and objectives.

    Those individuals seeking introductory materials on such topics as Advanced Metering Infrastructure, Smart Grid technologies, SCADA, etc., are better served through other resources.

    AMI-SEC Statements of Objective

    Objective 1. This Task Force is charged with developing Cyber Security guidelines, recommendations, and best practices for AMI system elements. Cyber Security within this context is defined as those measures that protect and defend AMI information and systems by assuring their ability to operate and perform in the intended manner in the face of malicious actions, unauthorized users, and other unintended actions.²

    Objective 2. AMI-SEC will produce technical specifications that can be used by utilities to assess and procure Cyber Security related functionality. In addition to utility use, this specification will also be used by the OpenAMI Working Group as part of their AMI/DR Reference Design specification, and by vendors to produce compliant and compatible security technologies. The AMI-SEC membership will determine the baseline level of detail for the specifications with the anticipation that the specifications will be prescriptive in nature, such that compliant products will have known functionality and robustness. Ultimately the deliverables behind the AMI-SEC body of work will provide additional assurance not previously available within the utility industry.³

    ¹ UCAIUG: The UCA International User’s Group, a “not-for-profit corporation consisting of utility user and supplier companies that is dedicated to promoting the integration and interoperability of electric/gas/water utility systems through the use of international standards-based technology. It is a User Group for IEC 61850, the Common Information Model Generic Interface Definition (CIM/GID as per IEC 61970/61968), advanced metering and demand response via OpenAMI.” Source:

    ² Source:

    AMI-SEC Roadmap v1 DRAFT 1

    Objective 3. The Task Force provides a focus point for industry discussions on Cyber Security as it relates to AMI. While there are no deliverables from this objective, collaborative information sharing and the exchange of lessons learned between utilities on Cyber Security related issues is vital to the overall growth of the utility industry.

AMI-SEC Target Audience

    AMI Risk Exposure

    The operational imperatives for AMI Cyber Security recognize the existence of gaps and a risk management differential between AMI and traditional information and communications technology (ICT) systems. AMI lies at the intersection of physical and logical infrastructures. AMI’s resiliency demands not only security and continuity, but a rethinking of the relationship of systems to services. Sine qua non (“without which there is nothing”) is apropos for AMI security: without security in AMI systems, electricity distribution will be unreliable and interruptible on both a physical and a logical scale. An AMI system’s potential exposures may exist in control functions in the form of remote service disconnects and management of devices in home area networks (HAN). These potential exposures exemplify the increased risk against the grid as a whole.

    There are pertinent examples of questions that expose this difference:

    - How is the utility problem space different (from, e.g., telecom)?
    - Why is AMI different from IT (or SCADA, or Telecommunications) Security?

    On the surface, the domain of AMI security seems interwoven and tacitly related to information security and/or telecommunications security. Describing the difference between these two or three domains is probably best done through a notional example. The following is such an attempt:

    Example 1. The potential for impact to citizens, government, and critical infrastructures is potentially more severe because the recovery efforts needed to reconstitute service are usually protracted. Electricity distribution relies on physical paths [not easily] re-routed in the event of disruptive events. Recovery efforts are labor intensive and have a real impact on the lives of the customers.

    Example 2. Bandwidth is assumed to be near capacity in densely populated (industrial, commercial, and residential) regions, creating a just-in-time reality for service continuity and delivery. Strains on AMI, especially against security, will cause immediate service failures because the risk tolerance (i.e., ability to withstand service disruption) in the system is very low.

    An AMI environment is most similar to a data communications network using telemetry. Telemetry, a technology that typically refers to wireless/radio communications systems, allows the remote measurement and reporting of information of interest to a system designer or operator. Telemetry is also used to send control commands over wireless/radio communications systems to remote systems.

    ³ Source: AMI-SEC Charter Statement - v1_0 - 20071018 - drh.pdf, available at

    Educational resources

    See AMI-SEC Task Force website at:

    Reference material

    AMI-SEC Task Force working, meeting and reference documents, including primary source reference materials and links, can be found at the following two pages:

    1. Working (Shared) Documents

    2. Meeting Documents

    3. Reference Documents

    Other source materials are available, by request, to the AMI-SEC chair and facilitator. Contact:

    Darren Highfill - AMI-SEC Chair

    Erich W. Gunther - AMI-SEC Facilitator


    The landscape for AMI is very different from traditional metering. In traditional metering, the metering component is normally composed of a measurement instrument with an embedded display and possibly a communications card (Automated Meter Reading, or AMR) providing read-only information with no control component. There is little to be gained by attacking the meter beyond a single location. In modern AMI systems there are a large number of components and they are interconnected. The diagram below is a conceptual view of an AMI system:

    [Figure: conceptual diagram of an AMI system with four major boxes, “The Meter”, “The Concentrator”, “Central Office” and “The Home”. Component labels: Measurement Instrument, Card, Disconnect - Limiter, Collector, Short Term Storage, WAN Connector, Event Manager, MDMR, Operator Consoles, Portal, Market Simulator, Home Area Network, Home Gateway, In Home Display/Portal, Controllers.]

    The four major boxes represent the logical components that are found in a typical AMI system: meter, home, concentrator and the central office. Various system topologies may merge or duplicate some of these locations. For the purpose of this discussion, these changes are less important in the evaluation of Cyber Security in the real world. The meter includes the traditional measurement (metrology) instrument and adds a communications card to talk to the rest of the world: 1) through the concentrator, 2) a HAN network interface card, and 3) a disconnect being used as a limiter.

    It is the last two components that introduce the control capability and make the AMI system a much more important system to secure than previous generations of metering systems. The concentrator typically has two communications cards. The first card interfaces to the meter and the second card communicates to the central office. In the diagram above, they are labeled collector and the WAN collector respectively. Between them is typically some processing capability to handle messaging and at least a small amount of memory to buffer between the two communications cards. Some concentrators have large amounts of memory and act as a storage location for several hours or days of information.

    The central office is connected to the collector via the WAN collector and interfaces with an event manager that processes the incoming data to find alarms and alerts for routing to other systems (e.g., outage management system, etc.). A meter data management repository (MDMR) retains the data from the meters for billing and other purposes, with operator consoles used to manage and operate the system. Other systems, such as a portal for customers, provide insight into the power needs of the overall customer base by use and market simulators. Then there is the home, which includes a home gateway that communicates to the meter while providing a path into the home automation system and/or in home display. Finally there are controllers that can be attached to various energy consuming devices in the home.

    This landscape provides ample opportunity for inadvertent actions and planned attacks. In a typical deployment there are three or more communications networks: the HAN, meter to concentrator, and the WAN. They can vary from simple low speed power line carrier to very high bandwidth wireless systems.


    Each major component has a range of technologies that are employed. The simplest is the measurement instrument, which comes in older electro-mechanical and newer solid state forms.

    Communications methods for the communications cards, the collectors, and the HAN can include but are not limited to:

    - Low speed power line carrier embedded in the wave form (Traditional PLC)
    - Medium speed power line carrier that is designed to span transformers and other grid devices (Advanced PLC)
    - High speed power line carrier that will not span a transformer (DLC)
    - Broadband over powerline (BPL)
    - HomePlug
    - Plain Old Telephone Lines (POTS) phone lines plugged directly into the
    - 802.11.x wired TCP/IP connections (e.g. Ethernet)
    - Fiber Optic connections
    - Television Cable connections (e.g. Coaxial cable)
    - Cellular Telecommunications (GSM, GPRS, TXT MSG)
    - Private licensed Radio (e.g. 700/800/900 MHz Trunked Radio Sidebands)
    - Private licensed Radio (e.g. vendor licensed frequencies)
    - Public Shared Radio
    - WiFi
    - WiMax
    - Zigbee
    - Satellite
    - 6LoWPAN
    - ZWave

    Each of these communications technologies has characteristics that change both the physical and logical solutions and either enhance or reduce security for the overall system.

    Collectors and Relays

    Collectors and relays can range from pure relays with no active components that can be compromised to collectors that actually manage the operation of the devices that report to them. Collectors and relays maintain rule bases providing intelligence on what the collector and reporting devices should be doing in each situation. Pure relays do not typically have any firmware that can be downloaded or modified. High end collectors typically have a full operating system with applications installed that can be remotely modified. In one extreme, a collector has the ability to self modify its code based on neural network techniques, opening new issues with security.

    In Home Displays and Gateways

    These devices range from simple one way displays that take information from the meter and display it for the customer to complete control systems for the home, including multi-media. At the low end (one way devices), they offer few opportunities for compromise of the system.

    As the capabilities of the device increase, so does the exposure to vulnerabilities of the system. In high end systems the gateway or in home display may actually inform the rest of the devices in the home what to do and relay information to the meter for all the devices in the home, making it a high value target for the home owner or the hacker. Since most in-home devices will be sold as consumer devices, access to additional copies of the device for study is not an issue.

    In Home Controls

    In addition to displays and gateways there will be a wide range of in home controls available on the market, ranging from thermostats to light switches. These devices may be either one way or two way communicating devices. These devices will typically control a single device or circuit in the home, though there are manufacturers who are working on smart load centers for the home allowing the control of every circuit in the home or small business. These customer purchased devices will provide indiscriminate access for disassembly, providing an opportunity for reverse engineering.

    Wide Area Network (WAN)

    There is a wide range of WAN technologies and ownership models available, from a privately owned WAN to use of the public Internet. Each WAN solution undertaken by a utility is based upon the following criteria:

    1) Ownership and general accessibility

    2) Standards used to develop it

    3) Connectivity to the wider Internet and the company intranet

    4) Physical security

    5) Security measures already taken

    6) Links to the metering LANs

    Head End Systems

    Each manufacturer of metering communications cards offers a specific set of applications used to communicate between their communications cards and meters and the HAN. This software is highly specialized control software and should be treated as such in the security review. In many cases these head ends will exist in the DMZ and may be deployed outside the utility’s typical data center, opening additional security questions.

    Back Office

    The back office consists of various technologies, both hardware and software, for processing the information received from the AMI environment and for issuing commands for connect, disconnect and/or reconnect messages. Security audits/reviews can be accomplished both internally to the utility and by third party resources using established industry best practice (e.g., SAS-70, SysTrust, etc.) type reviews. These types of security audits/reviews are a key part of the overall system and require careful review and planning.


    Purpose / Value Proposition

    Advanced Metering Infrastructure systems promise to provide advanced energy monitoring and recording, sophisticated tariff/rate program data collection, and load management command and control capabilities. Additionally, these powerful mechanisms will enable consumers to better manage their energy usage, allowing the grid to be run more efficiently from both cost and energy delivery perspectives. These advanced capabilities will also allow utilities to provision and configure advanced meters in the field, offering new rate programs, as well as energy monitoring and control.⁴


    Advanced Metering Infrastructure systems offer a tremendous amount of potential, yet they introduce the requirements for industry proven, strong, robust, scalable, and open standards-based Cyber Security solutions. The goal of this Task Force is to define an exhaustive list of the potential security threats, threat agents and vulnerabilities to the systems, and to perform detailed to determine the risks they



    The worst AMI system attack scenario is where an attacker maliciously, and quite easily, uses a cyber attack (i.e., injects a computer worm into the network) to programmatically turn off power to every meter in the grid simultaneously. The result would “melt down” the transmission and distribution grid networks, take years and billions of dollars to repair, and create catastrophic impacts on business and society. In addition to this doomsday scenario, attackers can cause mistrust at all levels of the AMI system, including the distribution utility back office,⁶ systems, meter, home area networks and even our corporate information technology systems. This is, simply put, ‘not acceptable’ and the probability of this happening can be [reduced | lessened] through strong security systems engineering.


    Benefits / Expectations

    [Probably should be rolled into one section on costs-to-benefits, which include tangible and intangible returns and expectations for secondary or tertiary

    contributions to the sector like grid performance, stability, etc.] [See also Cost below.]


    [Can be answered a number of ways, including:

    - Scope of AMI security [services, topology, architectural construct]
    - Scope of AMI security [threats, vulnerabilities, risks]

    ⁴ Source: Advanced Metering Security Threat Model, available at: {2CDA7930-CA93-44F3-AC4D-9F98E89AEC38}

    ⁵ Source: See reference No. 4 (above)

    ⁶ See also “head-end” systems and/or office – a somewhat emerging term describing the major ingress/egress point for AMI telemetry into a utility’s [central] operations facilities.

    ⁷ Source: See reference No. 4 (above)

Roles, Responsibilities, External Parties

    [List of only major roles/responsibilities that will persist. Naming the AMI-SEC Task Force is probably a misnomer but perhaps the long-term standards bodies, like IEEE, UCAIUG, etc, should be referenced.]


    [Insert chart with time of inception, major milestones / deliverables, etc. Insert references, where necessary, to other ordinate and subordinate AMI deliverables that will impact or be impacted by AMI security work.]


    [TBD Assumed to be approximate cost to industry in terms of both capital expenditure for AMI devices, return-on-investment, cost-savings benefits, and other intangible costs/benefits of AMI.]



    [Figure: AMI-SEC work-stream chart. Labels: Scope, FAQ, Initial Charter, Def’n, Discussions; External Process, SDLC, Interfaces, Discussions; Risk Assm’nt, Arch Descr, Comp Catalog, Implt’n Guide; Sys Sec Reqmt’s; Op/Maint Support, ASAP, Reports, Testing, Recd’ns.]


    Finding AMI-SEC project resources (e.g.: Tasks, Milestones, Deliverables / Work Items)

    See reference materials above and links to AMI-SEC Task Force web pages, working documents, and archive documents. In addition to this document, the following documents will serve as a good primer for those new to the project:

    - AMI-SEC Task Force Charter
    - AMI-SEC Task Force Process
    - AMI-SEC Threat Model
    - AMI-SEC Security Requirements
    - AMI-SEC Architecture Description
    - AMI-SEC Component Catalog
    - AMI-SEC Implementation Guide(s)
    - AMI-SEC Presentations and Multimedia Resources

    How to participate / contribute | And When

    [Section should name who participates now and perhaps who AMI-SEC was incepted to include, even if those participants have never materialized.] [Section should include description and information on regular, recurring

    Dependencies

    [TBD… Assumed to relate to other Task Force entities beyond the control of AMI-SEC, in terms of project management and timelines.]

    Additional Resources

    ASAP (AMI Security Acceleration Project)

    A collaboration between Idaho National Laboratory, the Software Engineering Institute, the Electric Power Research Institute, Enernex, and IntelGuardians. Please contact the AMI-SEC chair, Darren Highfill, for further information.
