October, 2015
Cyber Security Requirements and Recommendations for CSI RD&D Solicitation #4 Distributed Energy Resource Communications
Jordan Henry, Rick Ramirez, Sandia National Laboratories
Frances Cleveland, Xanthus Consulting International
Annabelle Lee, Brian Seal, Electric Power Research Institute
Tom Tansy, Bob Fox, Anil Pochiraju, SunSpec Alliance
CSIRD&DSOLICITATION#4CyberSecurityRecommendations ii
Cyber Security Requirements and Recommendations for CSI RD&D Solicitation #4 Distributed Energy Resource Communications
Jordan Henry, Frances Cleveland, Annabelle Lee, Rick Ramirez, Brian Seal, Tom Tansy, Bob Fox, Anil Pochiraju
Abstract
This California Solar Initiative (CSI) RD&D Solicitation #4 Distributed Energy Resource (DER) cyber security document provides cyber security recommendations for residential inverter-based DER assets that use a removable communications module. The communications module is a CEA-2045 snap-in module that is responsible for translating wide area network (WAN) communications, such as OpenADR 2.0b and IEEE 2030.5 (SEP2), into SunSpec Modbus messages which are supported by most residential DER systems. Specific communications addressed in the scope include communications between a utility or aggregator/vendor and the inverter via the CEA-2045 communication module. This includes the local interface between the module and the DER system itself. The cyber security recommendations are based on impact levels of low, moderate, and high for the various security requirements and security objectives. Threat analysis, functional scoring, best practices, and practical considerations were all considered during the development of the recommendations.
Table of Contents
1 EXECUTIVE SUMMARY
2 BACKGROUND
2.1 Scope
2.2 Objectives
2.3 Utility DER Communication Architecture
3 INCORPORATION OF INDUSTRY STANDARDS
3.1 Cyber Security High Level Guidance
3.2 Communication Application Layer Cyber Security Standards and Guidelines
3.3 Transport Layer Cyber Security Standards
3.4 Wireless Cryptography
3.5 Some Additional Cyber Security Techniques
4 THREATS, VULNERABILITIES, AND IMPACTS ON POWER SYSTEM RESILIENCE WITH DER SYSTEMS
4.1 Resilience and Cyber Security
4.2 Threats: Engineering and Cyber
    Physical and Electrical Threats: Mostly but Not Entirely Inadvertent
    Cyber Threats: Inadvertent and Deliberate
4.3 Vulnerabilities: Engineering and Cyber Vulnerabilities
    Power System Vulnerabilities and Attacks
    Cyber Security Vulnerabilities and Attacks
4.4 Risk Management and Mitigation Techniques
    Risk Handling
    Risk Mitigation Categories
5 CYBER SECURITY RECOMMENDATIONS METHODOLOGY
5.1 Methodology Overview
5.2 Inverter Functions
5.3 Security Assessment
5.4 Inclusion of Threat
5.5 Analysis
6 CYBER SECURITY RECOMMENDATIONS FOR CSI RD&D SOLICITATION #4 DER COMMUNICATION MODULES
6.1 Cyber Security Recommendation Categories
6.2 Interface A: CSI RD&D Solicitation #4 DER Cyber Security Recommendations
6.3 Interface B: CSI RD&D Solicitation #4 DER Cyber Security Recommendations
6.4 Cyber Security for Communication Protocols
    IEEE 2030.5 (SEP2) Cyber Security
    IEEE 1815 (DNP3) Cyber Security
7 SUMMARY
APPENDIX A CYBER SECURITY SCORING OF DER FUNCTIONS FOR RESIDENTIAL DER SYSTEM
List of Figures
Figure 1: CSI RD&D Solicitation #4 DER Cyber Security Scope
Figure 2: Communications between Utilities and individual DER systems, FDEMS, and REPS
Figure 3: Scope of EPRI CSI RD&D Solicitation #4 Interactions with DER Systems within Residential Sites
Figure 4: Five Level Hierarchical DER System Architecture
Figure 5: Security Requirements, Threats, and Possible Attacks
List of Tables
Table 1: Mitigation Categories for Cyber-Physical Systems
Table 2: DER Inverter Function List
Table 3: Cyber Security Recommendations for CSI RD&D Solicitation #4 DER Communication: Interface A
Table 4: Cyber Security Recommendations for CSI RD&D Solicitation #4 DER Communication: Interface B
Table 5: IEEE 2030.5 Security Measures
Table A1: Cyber Security Scoring of DER Functions: Communication Module to Utility
Table A2: Cyber Security Scoring of DER Functions: Communication Module to Aggregator/Vendor
Table A3: Cyber Security Scoring of DER Functions: Communication Module to DER
Nomenclature
ACL: Access Control List.
AES: Advanced Encryption Standard.
BITW: Bump In The Wire.
CA: Certificate Authority.
CIM: Common Information Model.
CRL: Certificate Revocation List.
CSI4: California Solar Initiative 4.
DER: Distributed Energy Resource.
DERMS: DER Database and Management Systems.
DMS: Distribution Management Systems.
DNP3: Distributed Network Protocol 3.0.
DR: Demand Response.
DSO: Distribution System Operators.
EAP: Extensible Authentication Protocol.
ECP: Electrical Connection Points.
FDEMS: Facility DER Energy Management System.
FIPS: Federal Information Processing Standards.
GIS: Geographical Information System.
HEMS: Home Energy Management System.
HTTPS: HyperText Transfer Protocol.
ICCP: Inter-Control Center Protocol.
ICS: Industrial Control System.
IDS: Intrusion Detection System.
IEC: International Electromechanical Commission.
IED: Intelligent Electronic Device.
IEEE: Institute of Electrical and Electronics Engineers.
IP: Internet Protocol.
IPS: Intrusion Prevention System.
IPsec: Internet Protocol Security.
ISO: Independent System Operators.
MMS: Manufacturing Message Specification.
NAT: Network Address Translation.
NERC: North American Electric Reliability Council.
NIST: National Institute of Standards and Technology.
OCSP: Online Certificate Status Protocol.
OMS: Outage Management System.
PCC: Point of Common Coupling.
PKI: Public Key Infrastructure.
REP: Retail Energy Provider.
RFC: Request For Comment.
RTO: Regional Transmission Operators.
SCADA: Supervisory Control and Data Acquisition.
SEP2: Smart Energy Profile 2.0.
SGIP: Smart Grid Interoperability Panel.
SIWG: Smart Inverter Working Group.
TBLM: Transmission Bus Load Model.
TCP: Transmission Control Protocol.
TLS: Transport Layer Security.
TSO: Transmission System Operators.
VPN: Virtual Private Network.
WAN: Wide Area Network.
XML: Extensible Markup Language.
1 EXECUTIVE SUMMARY
This CSI RD&D Solicitation #4 Distributed Energy Resource (DER) cyber security document provides cyber security recommendations for smart residential inverter-based DER assets that use the SunSpec Modbus protocol and CEA-2045 communications module, as well as for wide-area communication systems that use protocols such as OpenADR 2.0b and IEEE 2030.5. The Consumer Electronics Association CEA-2045 communications module is a plug-in device, responsible for translating wide area network (WAN) communications into SunSpec Modbus messages which are supported by most residential DER systems. Specific communications addressed in the scope include communications between:
• A utility and the communication module
• An aggregator/vendor and the communication module
• The communication module and the DER system itself
The cyber security recommendations in this document are based on impact levels of low, moderate, and high assigned to the security requirements. Threat analysis, functional scoring, best practices, and practical considerations were all considered during the development of the recommendations.
This project formed a cyber security working group that developed this report. The cyber security working group scoring results for all three residential DER communication interfaces can be found in Appendix A. The scores generally indicate that:
• Authentication and integrity of data are the most important cyber security requirements, and were assessed to be critical for all types of interactions, including monitoring and control commands, to ensure that the data exchanged comes from known sources and has not been modified in transit.
• Authorization and non-repudiation are important to ensure that commands are authorized, executed as specified, and reported back accurately.
• Availability is less critical since DER systems usually operate autonomously and can be preset to perform the DER functions.
• Confidentiality is only important for select DER functions where either privacy or sensitive data is being exchanged, such as personal information or contractual data. For residential DER systems, it is not expected that much confidential data will be exchanged.
Cyber security recommendations are then enumerated in Sections 6.2 and 6.3. The recommendations are meant to work in tandem with applicable industry standard best practices (Section 3), not replace them.
2 BACKGROUND
2.1 Scope
The scope of this California Solar Initiative 4 (CSI RD&D Solicitation #4) Distributed Energy Resource (DER) cyber security document covers cyber security for the communications of residential inverter-based DER assets using the CEA-2045 format communications module.
The communications module is a plug-in device in the Consumer Electronics Association's CEA-2045 format, responsible for translating wide area network (WAN) communications, such as IEEE 2030.5 (SEP2), into SunSpec Modbus messages which are supported by most residential DER systems. Specific communications addressed in the scope include communications between:
• A utility and the communication module
• An aggregator/vendor and the communication module
• The communication module and the DER system
Outside the scope of this document are interfaces that do not use the communications module. For instance, the following are excluded: communication interfaces for commercial, industrial, and utility-owned DERs, communication interfaces for non-inverter-based DERs, and utility-to-aggregator communication interfaces. Additionally, this document does not address communication interfaces from utilities or aggregators to home energy management systems (HEMS), to facility DER energy management systems (FDEMS), or to other DER proxies such as data concentrators/gateways.
The scope is illustrated most succinctly in Figure 1. As depicted in the figure, the scope includes DER communication interfaces A and B, where interface A represents the first two scope bullets above and interface B represents the third scope bullet above. Communication interface A is the network interface that connects from the utility or aggregator/vendor to the communications module, while communication interface B is local between the communications module and the DER system.
Figure 1: CSI RD&D Solicitation #4 DER Cyber Security Scope
One of the motivators of the CSI RD&D Solicitation #4 project was California's Smart Inverter Working Group (SIWG) effort to define the functional and communications requirements for inverter-based DER systems within California. The SIWG Phase 2 communications scope is illustrated in Figure 2 and comprises the communications requirements between (see red lightning bolts indicating Wide Area Networks):
1. Utilities and individual DER Systems
2. Utilities and Facility DER Energy Management Systems (FDEMS) which manage DER systems within a facility, plant, and/or microgrid
3. Utilities and Retail Energy Providers (REP)/Aggregators/Fleet Operators which manage and operate DER systems at various facilities
Figure 2: Communications between Utilities and individual DER systems, FDEMS, and REPS
The circled numbers #2, #5, and #12 within the residential box at the lower right side of the figure illustrate the project's scope as it relates to the Smart Inverter Working Group (SIWG), assuming that the interfaces #2 and #5 are with the DER system and not a home energy management system. Notice that the project effort's scope is significantly narrower and fundamentally different from that of the SIWG. The SIWG Phase 2 recommendations for updates to Rule 21 only focus on the communications interfaces at the utilities and leave the broader scope of exactly what is recommended at the DER facilities to other efforts, such as the CSI RD&D Solicitation #4 project.
Another diagram, Figure 3, can be used to illustrate the scope of the CSI RD&D Solicitation #4 project, which addresses the cyber security requirements at the communication module.
Figure 3: Scope of EPRI CSI RD&D Solicitation #4 Interactions with DER Systems within Residential Sites
2.2 Objectives
The objectives of this document are, first, to provide general information on cyber security concerns related to residential inverter-based DER communications, covering cyber security policies, procedures, and technologies that can be used to mitigate these cyber security concerns, and, secondly, to recommend specific cyber security solutions for the communications interfaces with CSI RD&D Solicitation #4 DER communications modules.
In particular, this document will present general recommendations using a logical taxonomy that mimics the National Institute of Standards and Technology Interagency Report (NISTIR) 7628 and NIST Special Publication (SP) 800-53, rev 4 control classes that address cyber security for any size residential inverter-based DER communications interfaces in a holistic fashion. This document also provides cyber security implementation guidance for IEEE 2030.5 (SEP2), IEEE 1815 (DNP3), and Modbus.
2.3 Utility DER Communication Architecture
In the SIWG, in the Smart Grid Interoperability Panel (SGIP), and in other forums, the hierarchical architecture of DER systems has been developed and illustrated as in Figure 4.
Figure 4: Five Level Hierarchical DER System Architecture
The five different levels are described as:
1. Level 1: DER Systems (green in the Figure) is the lowest level and includes the cyber-physical DER systems. These DER systems are interconnected to local grids at Electrical Connection Points (ECPs) and to the utility grid through the Point of Common Coupling (PCC) (the ECP and the PCC may be the same if the DER is directly grid-connected). These DER systems will usually be operated autonomously. In other words, these DER systems will be running based on local conditions, such as photovoltaic systems operating when the sun is shining, wind turbines operating when the wind is blowing, electric vehicles charging when plugged in by the owner, and diesel generators operating when started up by the customer. This autonomous operation can be modified by DER owner preferences, preset parameters, and commands issued by utilities and aggregators.
2. Level 2: Facility DER Management (blue in the Figure) is the next higher level, in which a facility DER management system (FDEMS) manages the operation of the Level 1 DER systems. This FDEMS may be managing one or two DER systems in a residential home, but more likely will be managing multiple DER systems in commercial and industrial sites, such as university campuses and shopping malls. Utilities may also use a FDEMS to handle DER systems located at utility sites such as substations or power plant sites.
3. Level 3: Third Parties: Retail Energy Provider or Aggregators (red in the Figure) shows market-based aggregators and retail energy providers (REP) who request or even command DER systems (either through the facility's FDEMS or via aggregator-provided direct communication links) to take specific actions, such as turning on or off, setting or limiting output, providing ancillary services (e.g. volt-var control), and other grid management functions. Aggregator DER commands would likely be price-based, either to minimize customer costs or in response to utility requirements for safety and reliability purposes. The combination of this level and level 2 may have varying scenarios, while still fundamentally providing the same services.
4. Level 4: Distribution Utility Operational Grid Management (yellow in the Figure) applies to utility applications that are needed to determine what requests or commands should be issued to which DER systems. Distribution System Operators (DSOs) will monitor the power system and assess if efficiency or reliability of the power system can be improved by having DER systems modify their operation. This utility assessment involves many utility control center systems, orchestrated by the Distribution Management System (DMS) and including the DER database and management systems (DERMS), Geographical Information Systems (GIS), Transmission Bus Load Model (TBLM), Outage Management Systems (OMS), and Demand Response (DR) systems. Once the utility has determined that modified requests or commands should be issued, it will send these either directly to a DER system, indirectly through the FDEMS, or indirectly through the REP/Aggregator.
5. Level 5: Transmission and Market Operations (purple in the Figure) is the highest level, and involves the larger utility environment where Transmission System Operators (TSOs), regional transmission operators (RTOs), or independent system operators (ISOs) may need information about DER capabilities or operations and/or may request aggregated services for the bulk power system from DER systems through the distribution utility or through the REP/Aggregators. These aggregated services may be established through contracts, tariffs, or market operations.
Although in general DER systems will be part of a hierarchy, different scenarios will consist of different hierarchical levels and variations even within the same hierarchical level. For instance, small residential PV systems may not include sophisticated Facilities DER Energy Management Systems (FDEMS), while large industrial and commercial sites could include multiple FDEMS and even multiple levels of FDEMS. Some DER systems will be managed by aggregators through demand response programs, while others may be managed (not necessarily directly controlled) by utilities through financial and operational contracts or tariffs with DER owners.
3 INCORPORATION OF INDUSTRY STANDARDS
Smart Grid cyber security industry standards are procedural and technical rules generally accepted (if not widely implemented) by the industry as critical to improve the safety, reliability, security, sustainability, and cost effectiveness of grid operations. Following these industry standards can save time and money, and offers the benefit of increased security to utilities and consumers alike. Some Smart Grid cyber security industry standards even offer guidelines that have been tested and proven to enable higher levels of reliability and security for DER communications. Relevant standards from other industries should also never be overlooked, and should be incorporated where applicable.
3.1 Cyber Security High Level Guidance
Some applicable Smart Grid cyber security guidelines, industrial standards, and technical specifications are:
• NISTIR 7628 Guidelines for Smart Grid Cybersecurity, rev 1; the Smart Grid Interoperability Panel Cyber Security Working Group, September 2014. This is a 3-volume report including Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements; Privacy and the Smart Grid; and Supportive Analyses and References.
• North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards 002-009; this is a series of standards including Critical Cyber Asset Identification, Security Management Controls, Personnel and Training, Electronic Security Perimeters, Physical Security of Critical Cyber Assets, Systems Security Management, Incident Reporting and Response Planning, and Recovery Plans for Critical Cyber Assets.
• IEC/ISO 27001, 27002, and 27019: Information Security Standards, with 27019 focused on the electric power industry.
• NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4; this publication covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200.
• NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security, rev 2: this is a guide for securing ICS including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems used in electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing industries.
• IEC 62351 Parts 8-13, Information Security for Power System Control Operations: defines high-level security requirements for power system management and information exchange, including role-based access control, key management, security architecture, XML security, DER resilience, and cyber security requirements in standards.
• IEC 62443 Series on Security for Industrial Processes: measurement and control (work in process)
• IEEE 1686 Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities (being updated)
• CIGRE B5/D2.46: Application and management of cyber security measures for Protection & Control systems
• CIGRE D2.31 Security architecture principles for digital systems in Electric Power Utilities (EPUs)
• DOE/DHS Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
• DOE/NIST/NERC Electricity Subsector Cybersecurity Risk Management Process Guideline
3.2 Communication Application Layer Cyber Security Standards and Guidelines
Communications have very specific cyber security requirements:
• IEC 62351 Parts 1-7, Information Security for Power System Control Operations: defines security requirements for power system management and information exchange, including security for TCP/IP and MMS profiles, security for IEC 61850, DNP3, ICCP, and communications network management.
• IEEE 2030.5 (SEP2): defines cyber security requirements for the SEP2 protocol.
• IEEE 1815 (DNP3): defines cyber security requirements for DNP3.
3.3 Transport Layer Cyber Security Standards
Some applicable Transport Layer security requirements include:
• IETF RFC 6272 Internet Protocols for the Smart Grid (identifies RFCs used in the Smart Grid)
• Transport Layer Security (TLS) was derived from Secure Sockets Layer (SSL) and specifies asymmetric cryptography for authentication of key exchanges via a Public Key Infrastructure (PKI), symmetric encryption for confidentiality, and message authentication codes for message integrity. As indicated by the name, TLS provides security for the transport layer. Although the most commonly implemented version is still TLS 1.0, the newest version, TLS v1.2, defined in RFC 5246, should be specified for new implementations. TLS includes many alternative cipher suites; these could or should be pared down to a few in specifications to ensure that implementations provide adequate security and interoperability. IEC 62351-3 Ed 2 provides such a specification.
• Hypertext Transfer Protocol Security (HTTPS) is the combination of HTTP over TLS, and is formalized in RFC 2818.
• Internet Protocol Security (IPsec) authenticates and encrypts each IP packet as well as providing mutual authentication at the start of a session, thus providing security at the Network Layer rather than at the Transport Layer. IPsec is covered in RFC 4101, RFC 4102, and RFC 4103, the base standards for IP Security.
• A Virtual Private Network (VPN) creates a tunnel through the Internet (or other network) in which the entire IP packet is encrypted and then encapsulated into another IP packet. IPsec is often used to create the secure tunnel, although TLS and other security protocols can also be used.
• The Group Domain Of Interpretation (GDOI) method defined in RFC 6407 supports the distribution of a symmetric group key to all preconfigured or otherwise enrolled entities, typically devices.
• RFC 6347 Datagram Transport Layer Security (DTLS)
• RFC 3711 Secure Real-time Transport Protocol (SRTP)
• RFC 4962 Authentication, Authorization, and Accounting
• RFC 5247 Extensible Authentication Protocol (EAP) Key Management Framework
• RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension
• RFC 2712:1999, Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
• RFC 3268, 2002, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
• FIPS 186-2, Digital Signature Standard (DSS)
• RFC 3447, Public-Key Cryptography Standards (PKCS) #1; RSA Cryptography Specifications, Version 2.1
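The TLS guidance in the list above (specify TLS 1.2 rather than 1.0, pare the cipher suites down to a few, authenticate key exchange through a PKI) in working form, as an added example that is not part of the original report: a Python `ssl` configuration for an interface A link, beside an audit routine that reports where a context falls short of that guidance. The cipher allow-list, the `build_der_context` parameters and the certificate file paths are assumptions made for illustration; they are not the IEC 62351-3 profile.

```python
"""Hardened TLS configuration for a DER communications link plus an audit
routine.  Added example, not code from the CSI RD&D report.  The allow-list
below is an assumption chosen for illustration, not the IEC 62351-3 list."""
import ssl

# Constructed allow-list: AEAD suites with ephemeral ECDH key exchange only
# (OpenSSL names).  A real deployment takes its list from the governing
# specification, not from this file.
ALLOWED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
])

# Suite-name prefixes whose key exchange is ephemeral (forward secrecy).
# TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always ephemeral.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def build_der_context(ca_file=None, cert_file=None, key_file=None, server=False):
    """Context for the utility/aggregator <-> module link: TLS >= 1.2, a
    pared-down cipher list, and mutual authentication against the PKI in
    ca_file.  The file-path parameters are hypothetical; when None the
    context is built without keys so its settings can still be inspected."""
    purpose = ssl.Purpose.CLIENT_AUTH if server else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1
    ctx.set_ciphers(ALLOWED_CIPHERS)               # only the allow-list
    # Mutual authentication: a server context must demand the peer's
    # certificate; a client context verifies the server by default.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def permissive_context():
    """The setting the text argues against: every suite the library offers,
    including non-ephemeral RSA key exchange, and no peer-certificate check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx):
    """Return a list of findings; empty when the context meets the guidance."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (no mutual authentication)")
    weak = [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith(FORWARD_SECRET_PREFIXES)]
    if weak:
        findings.append("non-forward-secret suites enabled: " + ", ".join(weak[:3]))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_der_context(server=True)) or "no findings")
    print("permissive:", audit_context(permissive_context()))
```

The audit checks only what a context exposes locally (minimum version, verification mode, negotiable suites); it does not replace testing the handshake against the actual peer, which is where certificate chain and revocation checks against the PKI are exercised.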
3.4 Wireless Cryptography
Wireless cryptography systems use the security provided by IEEE 802.11i WPA2, which establishes a Robust Security Network (RSN) that uses the Advanced Encryption Standard (AES) block cipher (as do most cipher suites at this time), requires the Counter with Cipher Block Chaining Message Authentication Code (CCM) Protocol (CCMP) for a 4-way handshake between two stations, and includes a Group Key Handshake. Some suggestions for managing WiFi could include:
• Using centrally managed WiFi infrastructures and authentication
• Adopting the IEEE 802.1x authentication infrastructure
• Adopting a rogue AP detection mechanism
The Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748 and was updated by RFC 5247. EAP is one of the possible authentication schemes of the more general IEEE 802.1x standard, which is the de facto mandatory standard for WiFi enterprise deployment, and it is also applicable to wired LANs. When applied to wired LANs, 802.1x can allow a logical segregation of VLANs inside the same physical infrastructure. 802.1x is a role-based Network Access Control mechanism and brings the RBAC model to LAN access control.
3.5 Some Additional Cyber Security Techniques
Some additional cyber security techniques include the following:
• Network Address Translation (NAT) functions isolate systems from direct access by external systems. They are often included in WiFi network routers, in which a single Internet IP is provided to a site and is shared by all networked devices at that site. The NAT handles all interactions with the Internet and passes only authorized messages to the systems behind the NAT router, thus providing security against unauthorized traffic.
• Access Control Lists (ACL) are used in routers to limit which ports and/or IP addresses are permitted to be accessed by which entities.
• Intrusion Detection and Prevention systems (IDS and IPS) monitor networks for malicious or impermissible traffic. The IDS can detect such malicious traffic and notify users, while an IPS can actually block malicious traffic and support prevention of additional traffic from a suspect IP address.
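The ACL and IDS/IPS techniques just listed, as an added example that is not part of the original report: a first-match access control list with an implicit deny at the end, in front of a DER communications module, combined with a counter that notices repeated denied attempts from one source (the IDS view) and cuts that source off outright (the IPS action). The network addresses, port numbers, rule set and sample flows are constructed for illustration; the topology they assume is stated in the comments.

```python
"""First-match ACL with implicit deny, plus a repeat-offender block list.
Added example, not code from the CSI RD&D report; addresses, ports, rules
and flows are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed rule set.  Assumed topology: the utility head-end sits in
# 10.1.0.0/24, the communications module is 192.168.10.20, and the DER
# inverter it talks Modbus TCP (port 502) to is in 192.168.10.0/24.
# Each rule: (action, source network, destination network, dst port or None).
ACL = [
    ("permit", "10.1.0.0/24",      "192.168.10.20/32", 443),  # head-end -> module (TLS)
    ("permit", "192.168.10.20/32", "192.168.10.0/24",  502),  # module -> inverter (Modbus)
    ("deny",   "0.0.0.0/0",        "192.168.10.0/24",  502),  # nothing else reaches Modbus
]
DEFAULT_ACTION = "deny"   # the implicit deny that closes every ACL


class PacketFilter:
    def __init__(self, rules, block_after=3):
        self.rules = [(a, ip_network(s), ip_network(d), p) for a, s, d, p in rules]
        self.denied = Counter()   # denied attempts per source (IDS: detect and count)
        self.blocked = set()      # sources cut off outright (IPS: prevent further traffic)
        self.block_after = block_after

    def decide(self, src, dst, dport):
        """Return "permit" or "deny" for one flow, updating the offender state."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip in self.blocked:
            return "deny"
        action = DEFAULT_ACTION
        for act, s_net, d_net, port in self.rules:   # first matching rule wins
            if src_ip in s_net and dst_ip in d_net and (port is None or port == dport):
                action = act
                break
        if action == "deny":
            self.denied[src] += 1
            if self.denied[src] >= self.block_after:
                self.blocked.add(src_ip)
        return action


def run_sample():
    """Evaluate constructed flows; returns (decisions, blocked sources)."""
    pf = PacketFilter(ACL)
    flows = [
        ("10.1.0.5", "192.168.10.20", 443),        # head-end to module: permitted
        ("192.168.10.20", "192.168.10.30", 502),   # module to inverter: permitted
        ("203.0.113.9", "192.168.10.30", 502),     # outside host straight to Modbus: denied
        ("203.0.113.9", "192.168.10.30", 502),     # denied again
        ("203.0.113.9", "192.168.10.20", 443),     # third miss: source is now blocked
        ("203.0.113.9", "192.168.10.20", 443),     # blocked before the rules are consulted
        ("10.1.0.5", "192.168.10.30", 502),        # head-end bypassing the module: denied
    ]
    decisions = [(flow, pf.decide(*flow)) for flow in flows]
    return decisions, sorted(str(ip) for ip in pf.blocked)


if __name__ == "__main__":
    for flow, verdict in run_sample()[0]:
        print(f"{flow[0]:>15} -> {flow[1]}:{flow[2]}  {verdict}")
```

The last sample flow is the point of the ACL: the utility head-end is a trusted source, but the only path it is permitted to use is through the module, so a direct attempt at the inverter's Modbus port is still denied.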
4 THREATS, VULNERABILITIES, AND IMPACTS ON POWER SYSTEM RESILIENCE WITH DER SYSTEMS
4.1 Resilience and Cyber Security
In the energy sector, two key phrases are becoming the focus of international and national policies: grid resilience and cyber security of the cyber-physical grid. Grid resilience responds to the overarching concern: "The critical infrastructure, the Smart Electric Grid, must be resilient to be protected against both physical and cyber problems when possible, but also to cope with and recover from the inevitable disruptive event, no matter what the cause of that problem is: cyber, physical, malicious, or inadvertent."
Grid resilience includes hardening, advanced capabilities, and recovery/reconstitution. Although most attention is placed on best practices for hardening, resilience strategies must also consider options to improve grid flexibility and control. [1] Resilience of the grid is often associated with making the grid able to withstand and recover from severe weather and other physical events, but resilience should also include the ability of the cyber-physical grid to withstand and recover from malicious and inadvertent cyber events.
Resilience, sometimes defined as the fast recovery with continued operations from any type of disruption, can be applied to the power system critical infrastructure. A resilient power system is designed and operated not only to prevent and withstand malicious attacks and inadvertent failures, but also to detect, assess, cope with, recover from, and eventually analyze such attacks and failures in a timely manner while continuing to respond to any additional threats.
The cyber-physical grid implies that the power system consists of both cyber and physical assets that are tightly intertwined. Both the cyber assets and the physical assets must be protected in order for the grid to be resilient. But protection of these assets is not enough: these cyber and physical assets must also be used in combination to cope with and recover from both cyber and physical attacks in order to truly improve the resilience of the power system infrastructure.
All too often, cyber security experts concentrate only on traditional IT cyber security for protecting the cyber assets, without focusing on the overall resilience of the physical systems. At the same time, power system experts concentrate only on traditional power system security based on the engineering design and operational strategies that keep the physical and electrical assets safe and functioning correctly, without focusing on the security of the cyber assets. However, the two must be combined: resilience of the overall cyber-physical system must include tightly entwined cyber security technologies and physical asset engineering and operations, combined with risk management to ensure appropriate levels of mitigation strategies.
[1] Economic Benefits of Increasing Electric Grid Resilience to Weather Outages, Executive Office of the President, August 2013. See http://www.smartgrid.gov/sites/default/files/doc/files/Grid%20Resilience%20Report_FINAL.pdf
Asanexample,distributedenergyresources (DER)systemsarecyberphysicalsystemsthatareincreasinglybeinginterconnectedtothedistributionpowersystemtoprovideenergyandancillaryservices. However, distribution power systems were not originally designed to handle thesedispersed sources of generation, while DER systems are generally not under direct utilitymanagementorunder the securitypoliciesandproceduresof theutilities.ManyDER systemsprovideenergyfromrenewablesources,whicharenotreliablyavailableatalltimes.Therefore,theResilienceofpowersystemstoeventypicaldisruptionsisincreasinglyatriskasmoreoftheseDERsystemsareinterconnected.
4.2 Threats Engineering and Cyber
Physical and Electrical Threats Mostly but Not Entirely Inadvertent
Utilities are accustomed to worrying about physical threats, such as equipment failures and safety-impacting carelessness. Transformers can overheat and explode. Power lines can sag into trees, trip circuit breakers, and cause cascading power failures. Squirrels can chew through cables and cause local outages. Natural disasters are getting increased attention, particularly for utilities that commonly experience hurricanes, earthquakes, cyclones, ice storms, etc., even though these are looked upon as beyond the control of the utility. In fact, severe weather events seem to be becoming more common, so that utilities are trying to increase the resilience of their power systems in general through disaster planning and disaster recovery strategies.
Electrical threats include inadequate generation to meet the load causing brownouts or outages, over-generation, and frequency fluctuations that can cause cascading power failures. Utilities are continually trying to improve their management of these factors through forecasting generation and load, monitoring current power system status, and analyzing power system conditions for possible contingencies.
Some threats can be deliberate, such as a person shooting a transformer so that the oil drains out, or stealing copper grounding wires out of substations.
A new type of electrical threat is beginning to be realized, namely the impact of DER systems that are not under the direct control of utilities. DER systems can now impact normal power system operations if they are large enough or if they consist of a large enough group of smaller DER systems. Such electrical threats could include deliberate rapid fluctuations of real power by large (or large groups of) DER systems to cause power system instability, or the unauthorized export of excess generation to overload a circuit. These impacts include the following:
- Anti-islanding failures. Under certain circumstances DER systems may not properly disconnect when the grid does experience an outage, thus failing to detect an electrical island. This situation can be a serious safety hazard.
- Power system instability. Variations in DER generation due to unmanaged and unmonitored DER systems can cause power system instability and possibly widespread power outages.
- Fluctuating energy output. Fluctuations in DER energy output due to variable renewable energy sources or responses to local loads can cause changes in voltage and frequency which may cause them to exceed their normal ranges.
- Unnecessary DER disconnections. If voltage and/or frequency exceed their normal ranges, DER systems will cease energizing the grid and disconnect, thus worsening a situation that might otherwise have been recovered from.
- Reverse power flows. Unmonitored DER output can cause back-feeding in substations that are not designed for reverse power flows.
Cyber Threats: Inadvertent and Deliberate
Utilities are increasingly recognizing the importance of protecting cyber assets and cyber information, which are becoming critical aspects of safe, reliable, and efficient power system operations. Cyber assets are now used to operate circuit breakers, monitor power system equipment, and manage energy markets. Cyber information that is inadvertently or deliberately compromised could cause major outages, destroy equipment, and trigger financial disruptions.
Threats are generally viewed as the potential for attacks against assets. These assets can be physical equipment, computer hardware, buildings, and even people. In the cyber world, however, assets also include information, databases, firmware, and software. Countermeasures to these security threats must include protection against both physical attacks and cyber attacks.
Threats to assets can result from inadvertent events as well as deliberate attacks. In fact, damage more often results from safety breakdowns, equipment failures, carelessness, and natural disasters than from deliberate attacks. However, the reactions to successful deliberate attacks can have tremendous legal, social, and financial consequences that could far exceed the physical damage.
Security risk assessment and management is vital in determining exactly what needs to be secured, against what threats, and to what degree of security. The key is determining the cost-benefit ratio, where the likelihood and magnitude of an impact are greater than the cost to mitigate that impact. There is no silver bullet: just encrypting data or just requiring usernames and passwords do not by themselves provide adequate security. For both power system engineering and for cyber security, layers of defensive mechanisms are better than a single solution. That is why redundant protective relays are used in a substation, and why even authorized input data should be checked for validity and reasonability. Ultimately no protection against attacks, failures, mistakes, or natural disasters can ever be completely absolute. Therefore the planning of coping mechanisms during emergency situations, and recovery procedures from those emergency situations, must also be part of a complete Resilience strategy.
Threat agents can be defined as one of the following:
- Malicious person [malicious] who is deliberately attacking systems for financial, power, revenge, or other gain.
- Inadvertent mistake [error] caused by a person who either failed to pay attention or did not recognize the consequences of their action. Computer applications can also have bugs or other flaws that cause them to misoperate. Poorly designed systems and inadequate operating procedures also fall in this category.
- Equipment failure [failure] that was not any person's fault, but reflects the fact that electronic and mechanical devices can fail. Equipment that responds in unexpected ways to normal conditions can also be placed in this category.
- Natural disasters [disaster] caused by events completely outside the control of humans.
The following sections discuss some of the most common threats which can have significant impacts. Understanding these threats can help in the development of the best mitigation strategies.
4.2.2.1 Inadvertent Threats
Inadvertent threats are more common than deliberate attacks, while the impacts of these inadvertent actions are not focused on any specific purpose. This makes these threats harder to prevent but more amenable to layers of security and to resilience designs and operations. Utilities have a lot of experience in designing systems to resist and cope with these types of threats. However, other DER stakeholders often do not have this extensive experience, since integration of DER systems is still a new and evolving area.
- Safety Failures: Safety has always been a primary concern for any power system facilities, and must be part of DER implementation and operation. In the power industry, meticulous procedures have been developed and refined to improve safety, but not all of these have yet been fully developed for DER systems. Autonomous safety measures, such as protective relaying, are a primary defense, but monitoring of the status of key equipment and the logging/alarming of compliance to safety procedures can enhance safety to a significant degree.
- Equipment Failures: Equipment failures are the most common and expected threats to the reliable operation of the power system. Often the monitoring of the physical status of DER equipment can also benefit maintenance efficiency, possible prevention of certain types of equipment failures, real-time detection of failures not previously monitored, and forensic analysis of equipment failure processes and impacts.
- Software/Firmware Malfunctions: Software and firmware malfunctions (e.g. bugs, crashes, and incorrect results) can still occur even if systems are thoroughly tested, often due to the complexity of the software and how it interacts with the operating system or other software applications. Newly implemented or upgraded software applications are particularly vulnerable to malfunctions, while patches and upgrades to reliable software can sometimes cause malfunctions.
- Mistakes, Carelessness, or Lack of Knowledge: Mistakes caused by carelessness or just a lack of knowledge are one of the threats to protecting DER systems, whether it is not locking doors or inadvertently allowing unauthorized personnel to access passwords, keys, and other security safeguards. Often this carelessness is due to complacency ("no one has ever harmed this DER system yet") or inexperience ("I didn't realize that the email did not come from the DER manufacturer, and so I provided the attacker with my password into the DER system").
- Natural Disasters: Natural disasters, such as storms, hurricanes, and earthquakes, can lead to widespread power system failures, safety breaches, and opportunities for theft, vandalism, and terrorism. Monitoring of the physical and cyber status of DER systems in real time can provide the eyes and ears to understand what is taking place and to take ameliorating actions with respect to the utilization of DER to minimize the impact of these natural disasters on power system operations.
4.2.2.2 Deliberate Threats
Deliberate threats can cause more focused damage to facilities and equipment in substations than the inadvertent threats. The incentives for these deliberate threats are increasing, as the results from successful attacks can have increasing economic and/or socio/political benefits to the attackers. Sophisticated monitoring of facilities and equipment can help detect and prevent some of these threats, while ameliorating the impact of successful attacks through real-time notifications and forensic trails. This is a new area for most DER stakeholders, including utilities, where the threats are less well understood. Engineers understand Resilience requirements against inadvertent threats to their power systems but are still developing their understanding of how deliberate cyber threats can impact this Resilience.
- Disgruntled Employee: Disgruntled employees are an important threat for attacks on power system assets, including DER systems. Unhappy employees who have the detailed knowledge to do harm can cause significantly more damage than a non-employee, particularly in the power system industry where the DER equipment and supporting systems are unique to the industry.
- Industrial Espionage: Industrial espionage in the power system industry is becoming more of a threat as deregulation and competition involving millions of dollars provide growing incentives for unauthorized access to information and the possible damaging of equipment for nefarious purposes. DER systems are particularly vulnerable since they are usually located in relatively unprotected environments on customer property. In addition to financial gains, some attackers could gain socio/political benefits through showing up the incompetence or unreliability of competitors.
- Vandalism: Vandalism can damage facilities and equipment with no specific gain to the attackers other than the act of doing it, and the proof to themselves and others that they can do it. Often, the vandals are unaware of or do not care about the possible consequences of their actions. Again, DER systems may be particularly vulnerable to vandalism, partly because of their unprotected environments, but also because their generation capabilities can directly affect the power grid, including causing outages.
- Cyber Hackers: Cyber hackers are people who seek to breach cyber security for gain. This gain may be directly monetary, industrial knowledge, political, social, or just individual challenge to see if the hacker can gain access. Most hackers use the Internet as their primary gateway to entry, and therefore firewalls, isolation techniques, and other countermeasures can be used to separate DER systems from the Internet. However, hackers may initiate multi-stage attacks that use the Internet just to set up an attack, while the actual attack occurs on a DER system that is not connected to the Internet. DER systems may use the Internet for software updates, thus opening up a channel for cyber hackers. Individual DER systems are unlikely to be targeted by sophisticated cyber adversaries (nation-states); however, when networked into microgrids and at places where DER data is aggregated they could become such targets.
- Viruses and Worms: Like hackers, viruses and worms typically attack via the Internet. However, some viruses and worms can be embedded in software that is loaded into systems that have been isolated from the Internet, or could possibly be transmitted over secure communications from some insecure laptop or other system. They could include man-in-the-middle viruses, spyware for capturing power system data, and other Trojan horses. A famous (or infamous) example is the Stuxnet worm, which successfully attacked the Iranian uranium centrifuges. DER systems are equally vulnerable to such attacks.
- Theft: Theft has a straightforward purpose: the attackers take something (equipment, data, or knowledge) that they are not authorized to take. Generally, the purpose has financial gain as the motive, although other motives are possible as well. Monitoring access to locked facilities and alarming anomalies in the physical status and health of equipment (e.g. not responding or disconnected) are the primary methods for alerting personnel that theft is possibly being committed.
- Terrorism: Terrorism is the least likely threat but the one with possibly the largest consequences, since the primary purpose of terrorism is to inflict the greatest degree of physical, financial, and socio/political damage. Monitoring and alarming anomalies in access (including physical proximity) to substation facilities is possibly the most effective means to alert personnel to potential terrorist acts, such as physically blowing up a substation or other facility. However, terrorists could become more sophisticated in their actions, and seek to damage specific equipment or render critical equipment inoperative in ways that could potentially do more harm to the power system at large than just blowing up one substation. Therefore, additional types of monitoring are critical, including the status and health of equipment. That being said, the Resilience benefits of distributed generation, which presents many small dispersed targets to the adversary, should not be overlooked.
4.3 Vulnerabilities: Engineering and Cyber
Vulnerabilities
All systems have vulnerabilities. The key requirement is to develop cyber techniques, engineering strategies, and operational strategies to minimize the likelihood of an attack/failure or to mitigate the impact of an attack/failure. There is generally not a one-to-one correspondence between a vulnerability and a mitigation technique; often multiple mitigation techniques can be used in combination to address multiple vulnerabilities. Layers of mitigations can provide defense-in-depth combinations that increase the strength of these mitigations. For instance, cyber security techniques can help decrease the likelihood of a particular attack/failure, while engineering coping strategies can mitigate the impact of a successful attack or system failure.
Power System Vulnerabilities and Attacks
Power systems have been vulnerable to equipment failures, operational mistakes, and natural disasters since they were first invented. Some of the vulnerabilities are related to the software and hardware that is used in the power system equipment controllers and analysis systems.
Different vulnerabilities can be present in equipment at different stages of its life. Some vulnerabilities affect newly developed systems, such as a software bug causing incorrect results. Some vulnerabilities become more critical over time, for instance when a system that had been working correctly with small numbers of alarms is required to handle large volumes of alarms and now fails to process them. Particularly critical are the times when systems are patched or updated, since new vulnerabilities can cause a previously reliable system to fail or to be open to cyber attackers.
Some of the causes of these types of vulnerabilities include:
- Equipment vulnerabilities: Equipment failures cause improper operations. For instance, a circuit breaker fails to trip during a short circuit event, causing power equipment to overload and burn, and personnel to be electrocuted.
- Complexity of analysis: Complexity of analysis of large numbers of DERs provides incorrect results. For example, engineers who set protective relay parameters have not taken into account certain types of contingencies, so that one event causes a second event, and causes a cascading failure of the power system, resulting in major outages.
- Lack of standardized operating procedures: Lack of standardized operating procedures causes misunderstandings and results in incorrect actions, incorrect responses to situations, and confusion during emergencies.
- Incorrect settings: Incorrect settings cause incorrect responses to power system situations. For instance, DER systems have not included appropriate voltage and frequency ride-through settings, which results in numerous outages whenever voltage and frequency fluctuations occur due to storms or rapid changes in sunlight or wind.
- Inability to detect loss of grid power: The inability of DER systems to detect the loss of grid power causes safety concerns as well as uncertainty and delay in addressing emergency situations. For example, DER systems which are supposed to disconnect upon the loss of grid power do not disconnect because their traditional anti-islanding methods fail to detect the loss of power, due to masking by other DER systems or their own smart DER volt-var functions, causing safety problems and equipment damage.
- Inadequate analysis capabilities: Inadequate analysis capabilities of software applications result in sending invalid pricing signals, control settings, and control commands to DER systems. For instance, inadequate analysis of the location and amount of DER generation causes over- or under-voltage or frequency events and results in large-scale outages.
- Inadequate personnel training: Inadequate personnel training results in poor judgment on actions. For example, inadequately trained crews fail to disconnect DER systems during system maintenance activities, or fire and police are inadequately trained on how to cope with DER systems, leading to safety problems and outages.
- Manipulated or mistaken market prices: Manipulated or mistaken market prices result in uneconomical or unfair actions. For instance, market pricing signals call for decreased generation when actually more generation is needed, leading to higher prices for spot generation or even outages.
- Inadequately structured authority hierarchy: Inadequately structured authority or contractual hierarchy causes confusion during emergencies. For example, a DER operator ignores utility-set limits and generates more than the utility circuit can handle, damaging substation equipment and causing outages.
- Degradation in analysis accuracy: Degradation over time in analysis accuracy, due to the rapid growth and resulting increasingly complex interactions between DER systems, causes increasing reliability and power quality problems. For instance, DER systems are expanding rapidly in their number and types of deployments, resulting in increasingly complex interactions between them and also between these DER systems and other grid equipment, leading to incorrect settings and non-optimal actions by operators.
- Incomplete testing of complex intelligent DER systems: Multiple DER systems, each with complex intelligent behavior, cause unsafe or unexpected actions because their complexity inhibits the testing of all possible combinations of situations. For instance, intelligent DER systems capable of undertaking many new functionalities tend to have more design and operational errors because development is more complex and testing just cannot cover all possible types of interactions. Often there are unintended consequences to actions in complex environments that may not be evident in simpler environments.
- Inadequately specified requirements: Inadequately specified requirements for DER systems cause unsafe or unexpected actions, because systems that are not well understood can lead to errors in development and performance. For instance, the requirements for managing high penetrations of DER systems in coordination with existing distribution equipment are still under extensive study.
- Mismatched assumptions between organizations: Mismatched assumptions between organizations result in confused or incorrect actions. For instance, if one organization uses encryption techniques or some settings not supported by another organization, then the expected interactions will not take place.
- Lack of confidence in analysis results: Lack of confidence in analysis results leads to slow responses to problems. For example, some power flow studies or DER generation forecasts or other complex analyses may not be trusted by operators, possibly due to previous failures or inexperience with the type of analysis, leading to personnel responding slowly or taking incorrect actions.
- Inadequate change management procedures: Inadequate change management causes decisions to be made on inaccurate data. For example, inadequate management of changes to systems, which should include pre-testing of the changes and the ability to restore a previous version if the changed system fails to operate correctly, could cause failures and incorrect results.
Power systems are now vulnerable to problems actually caused by cyber security technologies. These include:
- Denial of Service: DER systems lose access to third-party cryptographic key authentication and update servers, causing communications with the utility to be denied. Or encrypted messages increase the traffic on a communications channel to the point where a high-priority message cannot get through in a timely manner, causing an outage.
- Inadequately protected backdoor access: A vendor of a DER system performs maintenance using a backdoor port, then leaves this port open. An attacker uses this port, which has complete access to the DER software since it is assumed that no unauthorized access could be possible through this normally deactivated port.
- Poor management of passwords: A power system event occurs but the utility operator does not have (remember) the right password to undertake a critical DER operation to prevent a cascading failure.
- Poor security maintenance: A certificate or secret key expires before a new one is activated, causing equipment to shut down or cease to respond to communication commands.
- Inadequate security training: Frustrated maintenance personnel who cannot remember large numbers of passwords use the same password for all equipment. When their password is compromised by an attacker, that attacker can now access all of that equipment which was assumed to be cyber secure.
- Inadequate retesting procedures: Security personnel maintain secure access to some critical equipment, but misunderstand or do not properly test a request to update the security of the software and cause the equipment to lock out.
- Security management failures: Inadequate security management may allow unauthorized personnel to learn passwords or other sensitive material.
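The "Poor security maintenance" item above describes a certificate or key that expires before its replacement is active. One way to catch that before it cuts a device off is to audit each device's active and replacement credentials against a renewal lead time and require the two validity windows to overlap. The following Python example is added here and is not code from the report or from any product; the credential records, dates, and 30-day lead time are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    """Validity window of a certificate or secret key (constructed record, not real material)."""
    name: str
    not_before: datetime
    not_after: datetime


def audit_rollover(active: Credential, replacement: Optional[Credential],
                   now: datetime, lead_time: timedelta) -> List[str]:
    """Return findings for one device's credential pair.

    An empty list means the device keeps communicating: either the active
    credential is comfortably valid, or a replacement is already live and
    overlaps the active one before it expires.
    """
    findings = []
    live_replacement = (replacement is not None
                        and replacement.not_before <= now < replacement.not_after)
    if now >= active.not_after and not live_replacement:
        findings.append("expired: no valid credential, device will be cut off")
    elif active.not_after - now <= lead_time and not live_replacement:
        findings.append("inside renewal lead time with no live replacement")
    if replacement is None:
        return findings
    # Overlap check: the replacement must become usable before the active one lapses.
    if replacement.not_before >= active.not_after:
        findings.append("coverage gap: replacement activates only after active expires")
    if replacement.not_after <= active.not_after:
        findings.append("replacement does not extend validity")
    return findings


def demo() -> dict:
    """Three constructed inventories: no replacement, a late replacement, an overlapping one."""
    utc = timezone.utc
    now = datetime(2015, 10, 1, tzinfo=utc)
    lead = timedelta(days=30)
    active = Credential("inverter-cert-2014", datetime(2014, 10, 1, tzinfo=utc),
                        datetime(2015, 10, 15, tzinfo=utc))
    late = Credential("inverter-cert-2015", datetime(2015, 10, 15, tzinfo=utc),
                      datetime(2016, 10, 15, tzinfo=utc))
    early = Credential("inverter-cert-2015", datetime(2015, 9, 1, tzinfo=utc),
                       datetime(2016, 10, 15, tzinfo=utc))
    return {
        "no_replacement": audit_rollover(active, None, now, lead),
        "gap": audit_rollover(active, late, now, lead),
        "overlap": audit_rollover(active, early, now, lead),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["ok"])
```

Run against a real inventory, the same check would be fed the notBefore/notAfter fields of each device's installed and staged credentials; the lead time should be at least as long as the slowest field provisioning path.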
Cyber Security Vulnerabilities and Attacks
The threats can be realized by many different types of attacks, some of which are illustrated in Figure 5. Often an attack takes advantage of a vulnerability, which may be due to human carelessness, an inadequately designed system, or circumstances such as a major storm. As can be seen, the same type of attack can often be involved in different security threats. This web of potential attacks means that there is not just one method of meeting a particular security requirement: each of the types of attacks that present a specific threat needs to be countered.
Although the importance of specific cyber threats can vary greatly depending upon the assets being secured, some of the more common human and system vulnerabilities that enable attacks are:
- Lack of security: Security, even if it exists, is never turned on.
- Indiscretions by personnel: Employees write down their username and passwords and place them in their desk drawer.
- Simple or easy-to-guess passwords: Employees use short alpha-only passwords, or use their dog's name and/or their birthday as their password.
- Social engineering: An attacker uses personal information or subterfuge to learn a user's password, such as pretending to be from a bank or leaning over someone's shoulder as they type their password.
- Bypass controls: Employees turn off security measures, do not change default passwords, or everyone uses the same password to access all substation equipment. Or a software application is assumed to be in a secure environment, so does not authenticate its actions.
- Integrity violation: Data is modified without adequate validation, such that the modified data causes equipment to malfunction or allows access to unauthorized users or applications.
- Software updates and patches: The software is updated without adequate testing or validation such that worms, viruses, and Trojan horses are allowed into otherwise secure systems. Alternatively, security patches needed to fix vulnerabilities are not applied.
- Lack of trust: Different organizations have different security requirements and use different cyber security standards.
Some common types of attacks include:
- Eavesdropping: a hacker listens to confidential or private data as it is transmitted, thus stealing the information. This is typically used to access intellectual property, market and financial data, personnel data, and other sensitive information.
- Masquerade: a hacker uses someone else's credentials to pretend to be an authorized user, and is thus able to steal information, take unauthorized actions, and possibly plant malware.
- Man-in-the-middle: a gateway, data server, communications channel, or other non-end equipment is compromised, so the data that is supposed to flow through this middle node is read or modified before it is sent on its way.
- Resource exhaustion: equipment is inadvertently (or deliberately) overloaded and cannot therefore perform its functions. Or a certificate expires and prevents access to equipment. This denial of service can seriously impact a power system operator trying to control the power system.
- Replay: a command being sent from one system to another is copied by an attacker. This command is then used at some other time to further the attacker's purpose, such as tripping a breaker or limiting generation output.
- Trojan horse: the attacker adds malware to a system, possibly as part of an innocent-appearing enhancement or application, and possibly during the supply chain (e.g. during component manufacturing, system integration, shipping, or installation). This malware does nothing until some circumstance locally or remotely triggers it to cause an unauthorized action.
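The Masquerade, Man-in-the-middle, and Replay attacks listed above, together with the earlier point that even authorized input data should be checked for validity and reasonability, can all be countered at the receiving end of a control channel with a handful of checks. The Python example below is added here and is not code from the report or from the SunSpec, OpenADR, or IEEE 2030.5 specifications: it assumes a pre-shared per-device key, a JSON envelope carrying a sender id, sequence number, and timestamp, and a placeholder operating envelope for an active-power setpoint, all constructed for illustration. The receiver rejects a tampered message (bad MAC), a message outside the freshness window, a repeated sequence number, and an authenticated setpoint outside the envelope.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice this is a per-device secret provisioned out
# of band; the value here is an assumption of the example, not from the report.
SHARED_KEY = b"demo-key-for-illustration-only"

# Maximum age (seconds) of a command before it is treated as stale.
FRESHNESS_WINDOW_S = 30

# Assumed reasonability envelope for an active-power setpoint, in percent of
# rated power. The limits are placeholders, not values from any standard.
SETPOINT_LIMITS = {"set_active_power_pct": (0, 100)}


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def protect_command(sender: str, seq: int, cmd: dict, now: float) -> dict:
    """Sender side: wrap a control command with identity, sequence, timestamp and HMAC."""
    body = {"sender": sender, "seq": seq, "ts": int(now), "cmd": cmd}
    return {"body": body, "mac": _mac(_canonical(body))}


class CommandVerifier:
    """Receiver side: integrity, freshness, monotonic sequence, reasonability."""

    def __init__(self):
        self.last_seq = {}  # highest accepted sequence number per sender

    def verify(self, msg: dict, now: float):
        body = msg["body"]
        # Integrity and origin: a masqueraded or in-transit-modified message fails here.
        if not hmac.compare_digest(_mac(_canonical(body)), msg["mac"]):
            return False, "bad_mac"
        # Freshness: a capture replayed after the window is rejected.
        if abs(now - body["ts"]) > FRESHNESS_WINDOW_S:
            return False, "stale"
        # Monotonic sequence: a replay inside the window is still rejected.
        if body["seq"] <= self.last_seq.get(body["sender"], -1):
            return False, "replayed_seq"
        # Reasonability: an authenticated but out-of-envelope value is refused.
        for key, (lo, hi) in SETPOINT_LIMITS.items():
            if key in body["cmd"] and not lo <= body["cmd"][key] <= hi:
                return False, "out_of_envelope"
        self.last_seq[body["sender"]] = body["seq"]
        return True, "ok"


def demo() -> list:
    """Constructed exchange: one good command, then four attack or fault cases."""
    t0 = 1_700_000_000.0
    v = CommandVerifier()
    results = []
    m1 = protect_command("utility-dms", 1, {"set_active_power_pct": 80}, t0)
    results.append(v.verify(m1, t0 + 1)[1])          # accepted
    results.append(v.verify(m1, t0 + 2)[1])          # same message replayed at once
    m2 = protect_command("utility-dms", 2, {"set_active_power_pct": 60}, t0)
    results.append(v.verify(m2, t0 + 120)[1])        # captured, replayed two minutes later
    m3 = protect_command("utility-dms", 3, {"set_active_power_pct": 60}, t0 + 120)
    m3["body"]["cmd"]["set_active_power_pct"] = 0    # modified by a middle node
    results.append(v.verify(m3, t0 + 121)[1])
    m4 = protect_command("utility-dms", 4, {"set_active_power_pct": 250}, t0 + 130)
    results.append(v.verify(m4, t0 + 131)[1])        # authorized sender, unreasonable value
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence counter must be persisted across restarts of the receiving module, otherwise a reboot reopens the replay window; the freshness check likewise depends on the module having a trustworthy clock.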
Figure 5: Security Requirements, Threats, and Possible Attacks
4.4 Risk Management and Mitigation Techniques
Risk Handling
The risk associated with an attack or failure is the combination of the likelihood of the event (including the cost to the attacker to undertake the attack) with the probable impact of a successful attack or failure. Risks can be handled in different ways:
- The risk can be accepted (ignored) because the expected likelihood and impact of an event does not appear to be worth the cost of implementing mitigation measures. For instance, requiring redundant communications to all DER systems would most likely not be worth the cost of implementing such redundancy.
- The risk can be shared, for instance by paying an insurance company to take on the risk. This approach is often used for protection against the loss of physical assets such as buildings and the physical DER equipment.
- The risk can be transferred, for instance by contracting a third party to take responsibility for operating and maintaining DER systems.
- The risk can be mitigated to different levels. For instance, some DER systems may require only the use of username/password for access control protection, while other DER systems may require two-party authentication and cryptographic certificate verification for any access.
Risk mitigation usually implies costs. These mitigation costs can range from minimal to totally impractical. Therefore, risk management is the art and science of balancing the likelihood and impact of an event against the mitigation cost. Risk assessment methodologies are covered in detail in NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments.
Risk Mitigation Categories
Mitigations against the effects of attacks and failures are often described as having eight categories. Associated security countermeasures can mitigate one or more of these purposes; these mitigations are illustrated in Table 1:
- Prevention of attack, by taking active measures that are in effect at all times and are designed to prevent a failure or attack. These usually are engineering designs and procedures, as well as cyber security design and architecture measures.
- Deterrence to a failure or attack, to try to make failures and attacks less likely, or at least delay them long enough for counteractions to be undertaken.
- Detection of a failure or attack, to notify the appropriate person or systems that an attack or failure event took place. This notification could also include attempts at attacks or failures that self-healed. Detection is crucial to any other security measures since if an attack is not recognized, little can be done to prevent it. Monitoring of systems and communications is critical, while intrusion detection capabilities can play a large role in this effort.
- Assessment of a failure or attack, to determine the nature and severity of the attack. For instance, is the entry of a number of wrong passwords just someone forgetting, or is it a deliberate attempt by an attacker to guess some likely passwords?
- Response to a failure or attack, which includes actions by the appropriate authorities and computer systems to stop the spread of the attack or failure in a timely manner. This response can then deter or delay a subsequent attack or failure, or mitigate the impact of cascading failures or attacks.
- Coping during a failure or attack, which includes initiating additional activities to mitigate the impacts, such as performing switching operations to improve the Resilience of the power system, sending crews to failure sites, requiring increased authentication measures for any interactions with compromised systems, and gracefully degrading performance as necessary.
- Resilience during failure or attack, which involves sustaining minimum essential operations during attack despite system compromise and some operational degradation.
- Recovery from a failure or attack, which includes restoration to normal operations after a failure has been corrected, requiring full virus and validation scans of affected systems, or changing passwords for affected systems.
- Audit and legal reactions to a failure or attack, which could include analyzing audit logs, assessing the nature and consequences of the event, performing additional risk assessments, and even pursuing litigation against those responsible for the event.
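The Detection and Assessment items above pose a triage question: is a run of wrong passwords someone forgetting, or someone guessing? The Python example below is added here and is not code from the report or from any product: it parses constructed authentication log lines in an assumed syslog-like format and classifies each source address by the number of failures inside a sliding window, the number of distinct usernames tried, and whether a success followed. The thresholds are placeholders, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines. The format (timestamp host auth: RESULT user= src=) is an
# assumption of this example, not the format of any real gateway.
SAMPLE_LOG = """\
2015-10-01T08:00:01 der-gw01 auth: FAILED user=operator src=10.0.0.5
2015-10-01T08:00:09 der-gw01 auth: FAILED user=operator src=10.0.0.5
2015-10-01T08:00:31 der-gw01 auth: OK user=operator src=10.0.0.5
2015-10-01T08:05:00 der-gw01 auth: FAILED user=admin src=203.0.113.9
2015-10-01T08:05:01 der-gw01 auth: FAILED user=root src=203.0.113.9
2015-10-01T08:05:02 der-gw01 auth: FAILED user=operator src=203.0.113.9
2015-10-01T08:05:03 der-gw01 auth: FAILED user=service src=203.0.113.9
2015-10-01T08:05:04 der-gw01 auth: FAILED user=maint src=203.0.113.9
2015-10-01T08:05:05 der-gw01 auth: FAILED user=installer src=203.0.113.9
2015-10-01T09:00:00 der-gw01 auth: FAILED user=installer src=10.0.0.7
2015-10-01T09:00:30 der-gw01 auth: FAILED user=installer src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Placeholder triage thresholds.
WINDOW = timedelta(minutes=2)
FAILURE_THRESHOLD = 5        # failures inside WINDOW before escalating
DISTINCT_USER_THRESHOLD = 3  # many usernames from one source looks like guessing


def parse(log_text: str) -> list:
    """Turn matching log lines into dicts with a parsed timestamp; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def triage(events: list) -> dict:
    """Classify each source as 'benign', 'suspicious', or 'probable_guessing'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAILED"]
        # Peak number of failures falling inside any sliding WINDOW.
        peak, start = 0, 0
        for i, f in enumerate(failures):
            while f["ts"] - failures[start]["ts"] > WINDOW:
                start += 1
            peak = max(peak, i - start + 1)
        users = {f["user"] for f in failures}
        any_success = any(e["result"] == "OK" for e in evs)
        if peak >= FAILURE_THRESHOLD or len(users) >= DISTINCT_USER_THRESHOLD:
            verdicts[src] = "probable_guessing"   # assess as a deliberate attempt
        elif failures and not any_success:
            verdicts[src] = "suspicious"          # unresolved failures, worth a look
        else:
            verdicts[src] = "benign"              # a forgotten password, then success
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(parse(SAMPLE_LOG)).items():
        print(src, verdict)
```

A per-source view is deliberately simple; a guessing campaign spread across many addresses against one account would need the same windowing keyed on the username as well.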
Table 1: Mitigation Categories for Cyber-Physical Systems
Columns: Category | Description | Power Engineering Examples | Cyber Examples

Protection and Deterrence Before Failure or Attack

Category: Preparation and protection against a failure or attack
Description: Active measures used in normal circumstances that are designed to prevent an attack
Power Engineering Examples: Erect substation fences; limit access to control center; specify robust, hardened equipment; design the power system with adequate flexibility to handle anomalous situations; deploy redundant equipment; establish default system settings for failures; establish autonomous modes of operation in case of lack or loss of communications; perform contingency analysis studies on power system conditions; design communication networks to be isolated from each other; train personnel adequately
Cyber Examples: Design systems and applications to handle anomalous situations; test all software applications for both normal operations and anomalous situations; validate data entry; require message authentication; require strong passwords; use role-based access control; encrypt confidential messages; disable unneeded ports/services; require non-repudiation methods; validate patches before implementing them

Category: Deterrence to a failure or attack
Description: Preparing for a possible failure or discouraging someone from engaging in an attack
Power Engineering Examples: Develop emergency operations plans and procedures; test emergency plans periodically; display signs indicating danger or private property; warn of legal actions; deploy CCTV cameras; change system settings for storms or other natural disasters; test new software and systems; assess potential failure impacts of all additions to the power system
Cyber Examples: Develop emergency plans for network failures; display warnings when applications or data are modified; require legal acceptance when installing software

Detection, Assessment, Response, and Coping During Failure or Attack

Category: Detection of a failure or attack
Description: Identifying a failure or attack and notifying appropriate entities
Power Engineering Examples: Monitor power system status and measurements; enter events in event log; alarm operators; initiate cell phone call to on-duty person; provide quality flags for monitored data
Cyber Examples: Detect intrusions; check signatures; scan for viruses; monitor network configurations; alarm security personnel

Category: Assessment of a failure or attack
Description: Assess and categorize the severity of a failure or attack, using triage concepts
Power Engineering Examples: Initiate dynamic response to power system conditions; use power flow contingency analysis to determine changes in power system resilience; run equipment diagnostic tests
Cyber Examples: Determine the security level of the attack's target; determine the number of simultaneous attacks; determine the type of attack

Category: Response to a failure or attack
Description: Stopping the spread of the failure or attack by using emergency measures
Power Engineering Examples: Initiate emergency functions such as DER ride-through; trip breakers; shed load; increase generation; isolate microgrids; switch to different equipment settings
Cyber Examples: Shut down network; turn off computer; isolate network

Category: Coping during a failure or attack
Description: Initiating additional activities to mitigate the impact
Power Engineering Examples: Switch to backup systems; reconfigure feeders; start additional generation; manage microgrids
Cyber Examples: Start manual activities to replace automated activities

Category: Resilience during a failure or attack
Description: Sustaining minimum essential operations despite the failure or attack, preparing for continuing attacks
Power Engineering Examples: Protect against cascading failures, such as short-term voltage anomalies triggering DER systems to disconnect and causing unnecessary outages, degrading performance as necessary
Cyber Examples: Ensuring that systems providing essential services remain operational so long as they are not directly affected by the failure or attack

Recovery and Analysis After Failure or Attack

Category: Recovery from a failure or attack
Description: Restoring to normal operations after a failure has been corrected or an attack has been stopped
Power Engineering Examples: Test all failed or compromised power equipment; restore power; switch to primary systems; re-establish normal settings and modes; return to normal operations
Cyber Examples: Test all systems and networks; reconnect isolated networks and systems

Category: Analysis of causes and assessment of coping response
Description: Analysis and assessment of the nature and consequences of a failure or attack
Power Engineering Examples: Analyze audit logs and other records; change procedures for handling similar events; provide additional training for such events
Cyber Examples: Debrief and post-mortem analysis; system reconfiguration; policy changes
5 CYBER SECURITY RECOMMENDATIONS METHODOLOGY
The cyber security recommendations in this document are based on a methodology that combines empirical methods and a numerical scoring-based approach, since neither method alone has been proven to yield completely exhaustive results. Threat analysis, functional scoring, best practices, and practical considerations were all considered during the development of the recommendations.
5.1 Methodology Overview
At its core, the methodology used in the development of the recommendations analyzes DER inverter functions to determine the types of threats, the likelihood (risk) of those threats being realized, and the cost (financial, privacy, and societal) of the possible impact of a successful attack. The risk multiplied by the impact is then weighed against the different types and levels of possible cyber security measures, recognizing that the likelihood of certain attacks is a subjective assessment and some impacts may not be quantifiable.
However, by investigating the functions and capabilities of the Distributed Energy Resource (DER) inverters themselves, the team was able to assess the types of cyber security measures commensurate with the criticality of each function. The methodology followed this general process:
1. Perform threat analysis on residential inverter-based DER systems to identify threats and vulnerabilities.
2. Enumerate potential inverter-based DER functions, since attacks on different functions could have different impacts.
3. Score each DER function (High, Medium, or Low) on the merits of confidentiality, integrity, availability, authentication, authorization, and accountability.
4. Combine DER scoring metrics, threat data, industry standards, and practical requirements to develop general, high-level cyber security recommendations for residential inverter-based DER systems.
DER function scoring was repeated for each of the three DER inverter communication interfaces identified in the scope, including communications between:
- Utility and the communication module
- Aggregator/vendor and the communication module
- The communication module and the DER inverter itself
This separation ensured that any variances in requirements due to differences in communication endpoints were identified.
5.2 Inverter Functions
The DER functions used in the scoring were derived from the IEC 61850-90-7 standard and the Smart Inverter Working Group (SIWG) Phase 1 and Phase 3 functions, which were based on and extensions to the IEC 61850-90-7 functions. The list of DER functions is enumerated in Table 2 below.
Table 2: DER Inverter Function List
(Columns: SIWG/IEC Function; Description)

Anti-Islanding Protection (AI): The DER system trips off if voltage or frequency limits are exceeded over specified time periods. Although default trip-off limit settings would be implemented initially, these settings could be modifiable through agreement between the Area EPS and the DER operator.

Low/High Voltage Ride-Through (L/HVRT): The DER system remains connected during voltage excursions beyond normal limits, based on extended voltage limits during specified time windows. The DER system would disconnect only when the ride-through window has expired. Although default ride-through settings would be implemented initially, these settings could be modifiable through agreement between the Area EPS and the DER operator, based on the technical capabilities of the DER system and used to possibly mitigate abrupt losses of generation.

Low/High Frequency Ride-Through (L/HFRT): The DER system remains connected during frequency excursions beyond normal limits, based on extended frequency limits during specified time windows. The DER system would disconnect only when the ride-through window has expired. Although default ride-through settings would be implemented initially, these settings could be modifiable through agreement between the Area EPS and the DER operator, based on the technical capabilities of the DER system and used to possibly mitigate abrupt losses of generation.

Volt-Var Mode with Watt Priority: The DER system implements volt/var curves that define the available reactive power required at different voltage levels. Settings are coordinated between the utility and DER operator. Available reactive power is defined as what reactive power is available without decreasing real power output.
- DER controller contains pre-established volt/var settings, and/or
- Volt/var settings can be updated remotely

Ramp Rates: The default ramp rate is established, contingent upon what the DER can do. Additional emergency ramp rates and high/low ramp rate limits may also be defined.

Fixed Power Factor: The DER system sets the inverter to the specified power factor setting:
- DER controller contains pre-established power factor setting, and/or
- Power factor setting can be updated remotely

Soft Start: The DER system reconnects to the grid after power is restored using soft-start methods such as ramping up and/or randomly turning on within a time window after grid power is restored, to avoid abrupt increases in generation. The delay time between power restoration and the start of reconnection is preset, as are the ramping rate and the time window.

Communication Interface: Standard interfaces can connect to different wired and/or wireless media. These media could include utility wireless systems, cell phone GPRS, customer WiFi network, and the Internet. Utilities would specify which communication interface modules are required for specific implementations.

Transport Protocols: Basic Internet transport layer standards of TCP/IP, in particular an IP address.

Data Model: Abstract information models for DER systems should use IEC 61850-7-420 and IEC 61850-90-7 for DER systems.

Mapping to Application Protocols: DER systems should support the ability to map the abstract IEC 61850 information model to standard protocols, such as ModBus, DNP3 (IEEE 1815), IEC 61850 (MMS), IEEE 2030.5, etc. The default protocol for communications with a utility is DNP3 (IEEE 1815:2012), although other mutually agreed-to protocols could be used. The utility protocol may be used between a facility gateway and the utility, while the communications between the facility gateway and the DER systems may use other protocols. This gateway may be provided by the DER owner or by the utility, reflecting the most economical arrangement.

Transport Cyber Security: Cyber security at the transport layer should be provided, such as Transport Layer Security (TLS) or IEEE 802.11i.

User Cyber Security: Cyber security for user and device identification and authentication should be provided, based on user passwords, device security certificates, and role-based access control. Confidentiality is optional. Public Key Infrastructure (PKI) could be used for key management.

Monitor Alarms: The DER system (and aggregations of DER systems, such as virtual power plants) provides alarms and supporting emergency information via the FDEMS to the utility. This function is feasible only if the ICT infrastructure is available.

Monitor DER Status and Output: The DER system (and aggregations of DER systems, such as virtual power plants) provides current status, power system measurements, and other real-time data (possibly aggregated via the FDEMS) to the utility, in order to support real-time and short-term analysis applications. This function is feasible only if the ICT infrastructure is available. (Revenue metering data is provided via alternate means.)

Limit Maximum Real Power: The utility issues a direct command to limit the maximum real power output at the ECP or PCC. The reason might be that unusual or emergency conditions are causing reverse flow into the feeder's substation, or because the total DER real power output on the feeder is greater than some percentage of total load. The command might be an absolute watt value or might be a percentage of IDER output. This function is feasible only if the ICT infrastructure is available. It might also be used to ensure fairness across many DER systems.

Connect/Disconnect: The DER system performs a disconnect or reconnect at the ECP or PCC. Time windows are established for different DER systems to respond randomly within that window to the disconnect and reconnect commands. This function is feasible only if the ICT infrastructure is available.

Provide DER Information at Interconnection/Startup: The DER system provides operational characteristics after its discovery and whenever changes are made to its operational status.

Initiate Periodic Tests of Software and Patches: Initial DER software installations and later updates are tested before deployment for functionality and for meeting regulatory and utility requirements, including safety. After deployment, testing validates that the IDER systems are operating correctly, safely, and securely.

Schedule Output Limits at PCC: The utility establishes (or pre-establishes) a schedule (e.g. on-peak and off-peak) of actual or maximum real power output levels at the ECP or PCC, possibly combining generation, storage, and load management. The reason might be to minimize output during low-load conditions while allowing or requiring higher output during peak-load time periods.

Schedule DER Functions: The DER system receives and follows schedules for real power settings, reactive settings, limits, modes (such as autonomous volt/var, frequency-watt), and other operational settings.

Schedule Storage: For a DER system that has storage capabilities, such as battery storage or a combined PV + storage system or a fleet of electric vehicles. Preset time-of-charge values can be established. Settings are coordinated between the utility and DER operator. Different scenarios could include:
- Low-load conditions at night are causing some renewable energy to be wasted, so charging energy storage DER systems at that time makes power system operations more efficient.
- DER controller charges at the specified rate (less than or equal to the maximum charging rate) until the state of charge (SOC) reaches a specified level.
- DER controller charges at the necessary rate in order to reach the specified SOC within the charge-by time.

Frequency-Watt Mode: The DER system reduces real power to counteract frequency excursions beyond normal limits (and vice versa if additional generation or storage is available), particularly for microgrids. Hysteresis can be used as the frequency returns within the normal range to avoid abrupt changes by groups of DER systems.

Voltage-Watt Mode: The DER system monitors the local (or feeder) voltage and modifies real power output in order to damp voltage deviations. Settings are coordinated between the utility and DER operator. Hysteresis and delayed responses could be used to ensure over-reactions or hunting do not occur.

Dynamic Current Support: The DER system counteracts voltage anomalies (spikes or sags) through dynamic current support. The DER system supports the grid during short periods of abnormally high or low voltage levels by feeding reactive current to the grid until the voltage either returns within its normal range, or the DER system ramps down, or the DER system is required to disconnect.

Limit Maximum Real Power: DER systems are interconnected to the grid with a preset limit of real power output to be measured at the PCC. The reason might be that the IDER system is sized to handle most of the local load behind an ECP or the PCC, but occasionally that load decreases below a critical level and the increased real power at the ECP or PCC may cause backflow at the substation and be a reliability concern for the utility. Most likely for larger DER systems.

Set Real Power: The utility either presets or issues a direct command to set the actual real power output at the ECP or PCC (constant export/import if load changes; constant watts if no load). The reason might be to establish a base or known generation level without the need for constant monitoring. This is the approach often used today with synchronous generators. This function is feasible only if the ICT infrastructure is available. Meter reads providing 15-minute energy by the end of the day could supply production information for operational planning.

Smooth Frequency Deviations: The DER system modifies real power output rapidly to counter minor frequency deviations. The frequency-watt settings define the percentage of real power output to modify for different degrees of frequency deviations on a second or even sub-second basis.

Backup Power: The DER system, including energy storage and electric vehicles, has the ability to provide real power when the site is disconnected from grid power. The reason is for providing backup power to the facility and possibly black-start capabilities.

Imitate Capacitor Bank Triggers: Similar to capacitor banks on distribution circuits, the DER system implements temperature-var curves that define the reactive power for different ambient temperatures, similar to the use of feeder capacitors for improving the voltage profile. Curves could also be defined for current-var and for time-of-day-var.

Operate within an Islanded Microgrid: After grid power is lost or disconnected, or upon command, the DER system enters into microgrid mode as either leading or following the microgrid frequency and voltage, while acting either as base generation or as load matching, depending upon preset parameters.

Provide Low-Cost Energy: Utility, REP, or FDEMS determines which IDER systems are to generate how much energy over what time period in order to minimize energy costs. Some DER systems, such as PV systems, would provide low-cost energy autonomously, while storage systems would need to be managed.

Provide Low-Emissions Energy: Utility, REP, or FDEMS determines which non-renewable DER systems are to generate how much energy in order to minimize emissions. Renewable DER systems would operate autonomously.

Provide Renewable Energy: Utility, REP, or FDEMS selects which non-renewable DER systems are to generate how much energy in order to maximize the use of renewable energy. Renewable DER systems would operate autonomously.

Execute Schedules: The FDEMS provides scheduled, planned, and/or forecast information for available energy and ancillary services over the next hours, days, weeks, etc., for input into planning applications. Separate DER generation from load behind the PCC. This function is feasible only if the ICT infrastructure is available.

Issue Generation and Storage Schedules: The DER system provides schedules of expected generation and storage reflecting customer requirements, maintenance, local weather forecasts, etc. This function is feasible only if the ICT infrastructure is available.

Provide Black Start Capabilities: The DER system operates as a microgrid (possibly just itself) and supports additional loads being added, so long as they are within its generation capabilities. This function is feasible only if the ICT infrastructure is available.

Participate in Automatic Generation Control: The DER system (or aggregations of DER systems) implements modification of real power output based on AGC signals on a multi-second basis. This function is feasible only if the ICT infrastructure is available.

Provide Spinning or Operational Reserve: The DER system provides emergency real power upon command at short notice (seconds or minutes), either through increasing generation or discharging storage devices. This function would be in response to market bids for providing this reserve. This function is feasible only if the ICT infrastructure is available.

Real Power Response to Demand Response Price Signals: The DER system receives a demand response (DR) pricing signal from a utility or retail energy provider (REP) for a time period in the future and determines what real power to output at that time. This function is feasible only if the ICT infrastructure is available.

Manage Ancillary Service Response to Demand Response Signals: The DER system receives a DR pricing signal from a utility or retail energy provider (REP) for a time period in the future and determines what ancillary services to provide at that time. This function is feasible only if the ICT infrastructure is available.

Registration (Automated DER Discovery): The DER system supports its automated discovery as interconnected to a location on the power system and initiates the integration process. This function is feasible only if the ICT infrastructure is available. Otherwise, manual methods must be used.

PV/Storage Functions: Change the signal parameters for the storage system

Volt-Var mode: Provide maximum vars constrained by WMax

Temperature mode behavior: Temperature-based curves

Pricing signal mode behavior: Mode curves based on utility signal (pricing information??? double check)

Event/History Logging: Request event logs

Time Synchronization: Set inverter time (manual/automated based on timing signals [GPS or network])
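The User Cyber Security and Event/History Logging rows above call for device identification, role-based access control, and retrievable event logs. The following is an added illustration of how a communications module could enforce those two rows together; it is not code from the report or from any of the organizations behind it. The device registry, the roles, the permission sets (built from Table 2 function names), and the log key are constructed sample values, and the identity passed to authorize() is assumed to have already been established by the transport-layer device certificate.

```python
"""Added illustration: role-based authorization of DER function commands and a
tamper-evident (hash-chained) event log on a DER communications module.
The registry, roles, permission sets and log key below are constructed for
the example; they are not the report's recommended policy."""
import hashlib
import hmac
import json
from typing import Optional

# Device registry: maps the identity asserted by an authenticated device
# certificate (e.g. its subject common name) to a role. Constructed sample data.
REGISTRY = {
    "utility-dms-01": "utility",
    "aggregator-cloud-7": "aggregator",
    "installer-tablet": "local",
}

# Constructed permission sets using function names from Table 2.
PERMISSIONS = {
    "utility": {
        "Monitor DER Status and Output", "Monitor Alarms", "Limit Maximum Real Power",
        "Connect/Disconnect", "Set Real Power", "Schedule Output Limits at PCC",
        "Event/History Logging", "Time Synchronization",
    },
    "aggregator": {
        "Monitor DER Status and Output", "Schedule Storage",
        "Real Power Response to Demand Response Price Signals", "Event/History Logging",
    },
    "local": {"Provide DER Information at Interconnection/Startup", "Monitor DER Status and Output"},
}


class EventLog:
    """Append-only log; each entry's tag covers the previous entry's tag, so
    deleting, reordering or editing an entry breaks verification."""

    def __init__(self, key: bytes):
        self._key = key          # log integrity key held by the module (constructed)
        self.entries: list = []  # list of (record, tag_hex)

    def _tag(self, prev_tag: str, record: dict) -> str:
        body = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else "genesis"
        record = dict(record, seq=len(self.entries))
        tag = self._tag(prev, record)
        self.entries.append((record, tag))
        return tag

    def verify(self) -> bool:
        """Recompute every tag from the first entry; False on any mismatch."""
        prev = "genesis"
        for i, (record, tag) in enumerate(self.entries):
            if record.get("seq") != i or not hmac.compare_digest(tag, self._tag(prev, record)):
                return False
            prev = tag
        return True


def authorize(device_id: Optional[str], function: str, log: EventLog) -> bool:
    """Decide whether an authenticated device may invoke a DER function, and
    record the decision (allowed or denied) so that it cannot later be denied."""
    role = REGISTRY.get(device_id) if device_id else None
    if role is None:
        decision, reason = "deny", "unregistered or unauthenticated device"
    elif function not in PERMISSIONS.get(role, set()):
        decision, reason = "deny", f"role '{role}' not permitted"
    else:
        decision, reason = "allow", "permitted"
    log.append({"device": device_id, "role": role, "function": function,
                "decision": decision, "reason": reason})
    return decision == "allow"


def demo() -> dict:
    """Exercise the policy and the log, including an after-the-fact edit."""
    log = EventLog(key=b"constructed-log-key")
    results = {
        "utility_disconnect": authorize("utility-dms-01", "Connect/Disconnect", log),
        "aggregator_disconnect": authorize("aggregator-cloud-7", "Connect/Disconnect", log),
        "unknown_device": authorize("rogue-box", "Set Real Power", log),
        "intact": log.verify(),
    }
    # Simulate someone rewriting the denied entry to "allow": verification must fail.
    log.entries[1][0]["decision"] = "allow"
    results["tampered_detected"] = not log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The chained HMAC only gives non-repudiation against parties that do not hold the log key; where the utility or aggregator must be able to check the log independently, the tag would be a signature under the module's certificate key (the PKI the row mentions) rather than a shared-key MAC.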
5.3 Security Assessment
Assessing the security of each DER inverter function was based on six different items. The first three items are security objectives and the second three are security requirements:
- Confidentiality: Imposing authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity: Preventing improper information modification, destruction, or theft.
- Availability: Ensuring timely and reliable access to inverter-based DERs and ensuring their ability to perform as required.
- Authentication: A way of verifying the identity of users and devices to ensure the user or device is who or what it is declared to be.
- Authorization: Granting permission for performing specific tasks with a device.
- Non-Repudiation: Preventing the denial of an action that took place or the claim of an action that did not take place (note to include auditing in here as well).
The traditional information security objectives of confidentiality, integrity, and availability form the basis of the analysis; however, the additional requirements of authentication, authorization, and non-repudiation were added to enable more granularity and emphasis on specific security issues. Each security objective was given a value of High, Moderate, or Low for every DER inverter function. The High, Moderate, and Low definitions are loosely based on the Federal Information Processing Standards (FIPS) Publication 199:
Low: The loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Moderate: The loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
High: The loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Each DER inverter function value was assigned collectively by the CSI RD&D Solicitation #4 cyber working group.
5.4 Inclusion of Threat
Threat and vulnerability analysis was used as a feedback loop into the DER function scoring. Relevant threats and vulnerabilities were mapped to each function and included in the decision-making process of the scoring. Detailed threat analysis can be found in Section 4.
5.5 Analysis
The cyber security working group results for all three residential DER communication interfaces can be found in Appendix A. The values generally indicate that:
- Authentication and integrity of data are the most important cyber security requirements, and were assessed to be critical for all types of interactions, including monitoring and control commands, to ensure that the data exchanged comes from known sources and has not been modified in transit.
- Authorization and non-repudiation are important to ensure that commands are authorized, executed as specified, and reported back accurately.
- Availability is less critical since DER systems usually operate autonomously and can be preset to perform the DER functions.
- Confidentiality is only important for select DER functions where either privacy or sensitive data is being exchanged, such as personal information or contractual data. For residential DER systems, it is not expected that much confidential data will be exchanged.
The results of this analysis led to the cyber security recommendations enumerated in Section 6.
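Sections 5.1 through 5.5 describe the scoring procedure in prose: score each function per interface on the six attributes, feed mapped threats back into the scores, weigh risk against impact, and summarize which attributes dominate. The following is an added worked example of that procedure, written for this page; it is not the working group's scoring tool and the numbers are not the Appendix A results. Every function score, threat entry, likelihood, the one-level bump rule, the default likelihood and the 6/3 tier thresholds are constructed assumptions chosen to make the mechanics visible.

```python
"""Added illustration of the Section 5 scoring methodology: score each DER
function per communication interface on six security attributes, feed mapped
threats back into the scores (Section 5.4), weigh risk x impact (Section 5.1)
and summarise which attributes dominate (Section 5.5). All function scores,
threats and thresholds are constructed sample values, not Appendix A."""
from collections import defaultdict

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability",
              "authentication", "authorization", "non_repudiation")
INTERFACES = ("utility-module", "aggregator-module", "module-inverter")

# Constructed baseline scores (Section 5.1 step 3) for three Table 2 functions.
# Format: {function: {interface: (C, I, A, Authn, Authz, NR)}}
BASELINE = {
    "Connect/Disconnect": {
        "utility-module":    ("Low", "High", "Moderate", "High", "High", "High"),
        "aggregator-module": ("Low", "High", "Low", "High", "High", "High"),
        "module-inverter":   ("Low", "High", "Low", "High", "Moderate", "Moderate"),
    },
    "Monitor DER Status and Output": {
        "utility-module":    ("Low", "Moderate", "Low", "High", "Low", "Low"),
        "aggregator-module": ("Moderate", "Moderate", "Low", "High", "Low", "Low"),
        "module-inverter":   ("Low", "Moderate", "Low", "Moderate", "Low", "Low"),
    },
    "Time Synchronization": {
        "utility-module":    ("Low", "High", "Moderate", "High", "Moderate", "Low"),
        "aggregator-module": ("Low", "High", "Low", "High", "Moderate", "Low"),
        "module-inverter":   ("Low", "High", "Low", "Moderate", "Low", "Low"),
    },
}

# Constructed threat map (Section 5.4 feedback loop): function, interface,
# attribute it bears on, assessed likelihood, short description.
THREATS = [
    ("Connect/Disconnect", "aggregator-module", "availability", "Moderate",
     "loss of aggregator link leaves the fleet on preset behaviour"),
    ("Monitor DER Status and Output", "aggregator-module", "confidentiality", "Moderate",
     "per-household production data could reveal occupancy patterns"),
    ("Time Synchronization", "module-inverter", "authentication", "High",
     "an unverified local time source shifts scheduled functions"),
]


def apply_threats(baseline=BASELINE, threats=THREATS):
    """Raise an attribute one level (capped at High) when a mapped threat of at
    least Moderate likelihood bears on it. The one-step rule is an assumption.
    Returns a fresh nested dict; the baseline is left unchanged."""
    scores = {f: {i: dict(zip(OBJECTIVES, v)) for i, v in per_if.items()}
              for f, per_if in baseline.items()}
    for function, interface, objective, likelihood, _ in threats:
        if LEVELS[likelihood] >= LEVELS["Moderate"]:
            cur = LEVELS[scores[function][interface][objective]]
            scores[function][interface][objective] = NAMES[min(cur + 1, 3)]
    return scores


def risk_weighted_level(scores, threats=THREATS):
    """Section 5.1: risk (likelihood) x impact (highest attribute level) picks
    the tier of cyber security measures. Default likelihood when no threat is
    mapped is Moderate; thresholds 6 and 3 are constructed."""
    tiers = {}
    for function, per_if in scores.items():
        for interface, attrs in per_if.items():
            impact = max(LEVELS[v] for v in attrs.values())
            likelihood = max([LEVELS[t[3]] for t in threats
                              if t[0] == function and t[1] == interface]
                             or [LEVELS["Moderate"]])
            risk = likelihood * impact
            tiers[(function, interface)] = ("High" if risk >= 6
                                            else "Moderate" if risk >= 3 else "Low")
    return tiers


def summarize(scores):
    """Section 5.5: how often each attribute is rated High across all functions
    and interfaces, most critical first (ties broken by name)."""
    highs = defaultdict(int)
    for per_if in scores.values():
        for attrs in per_if.values():
            for objective, level in attrs.items():
                highs[objective] += level == "High"
    return sorted(highs.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    adjusted = apply_threats()
    for (f, i), tier in risk_weighted_level(adjusted).items():
        print(f"{f:32s} {i:18s} -> {tier}")
    print(summarize(adjusted))
```

With these constructed inputs the summary ranks authentication and integrity first and availability last, the same shape as the working group's narrative above; changing a single threat likelihood shows how much the subjective likelihood assessment the document mentions moves the resulting tier.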
6 CYBER SECURITY RECOMMENDATIONS FOR CSI RD&D Solicitation #4 DER COMMUNICATION MODULES
6.1 Cyber Security Recommendation Categories
This section provides the cyber security recommendations for residential inverter-based DER communications as suggested by the CSI RD&D Solicitation #4 working group. Recommendations are captured in the sections below. Recommendations are categorized using the following taxonomy:
- Physical Security
- Access Control
  - Authentication
  - Authorization
  - Registration
- Integrity
  - Data Integrity
  - Hardware Integrity
- Confidentiality
- Cryptography/Key Management
- Policy
  - Audit
  - Logging
These general recommendations are intended to address cyber security implications related to DER systems that include a CSI RD&D Solicitation #4 DER communications module. These recommendations are guidelines meant to work in tandem with applicable standards and industry best practices to strengthen security for residential inverter-based DER communications. As illustrated in Figure 1, Section 6.2 outlines recommendations for communication interface A and Section 6.3 outlines recommendations for communication interface B.
It is recognized that DER cyber security can also be enhanced through engineering strategies in the design and implementation of DER systems. Guidelines on these engineering strategies can be found in IEC/TR 62351-12, Resilience and Security Recommendations for Power Systems with Distributed Energy Resources (DER) Cyber-Physical Systems (to be published soon).
6.2 Interface A: CSI RD&D Solicitation #4 DER Cyber Security Recommendations
Communication interface A, as depicted in Figure 1, is the outward, wide area network-facing interface of the CSI RD&D Solicitation #4 DER communications module. It is through this interface that utility, aggregator, and vendor communications will directly communicate via some routable control protocol, such as IE