Trustworthy Cyber Infrastructure for the Power Grid (TCIPG)

Bill Sanders TCIPG

Cybersecurity for Energy Delivery Systems Peer Review July 24-26, 2012

• Objectives – Identify and address critical security

and resiliency needs at the cyber-physical junction in the evolving power grid

– Engage Industry (utility, control system vendors, technology providers)

– Research Excellence

– Education

• Technical Approach – Identify and take on important &

hard problems

– Unique balance of long view of grid cyber security, with emphasis on practical solutions

– Work to get solutions adopted

• Schedule: Sept 30, 2009 – May 15, 2015

• Performers: University of Illinois at Urbana-Champaign, Dartmouth College, Cornell University, University of California Davis, Washington State University

• Partners: 9-Member External Advisory Board (EAB) from utility and industry, as well as large Industry Interaction Board

TCIPG Summary

TCIPG Impacts all aspects of the 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity

Build a Culture of Security

Conduct summer schools for

industry

Develop K-12 power/cyber

curriculum

Develop public energy literacy

Directly interact with industry

Educate next-generation cyber-

power aware workforce

Assess and Monitor Risk

Analyze security of protocols (e.g. DNP3, Zigbee, ICCP, C12.22)

Create tools for assessing security of devices, systems, &

use cases

Create integrated scalable

cyber/physical modeling

infrastructure

Distribute NetAPT for use by utilities

and auditors

Create fuzzing tools for SCADA

protocols

Protective Measures/Risk

Reduction

Build secure, real-time, & flexible communication mechanisms for

WAMS

Design secure information layer

for V2G

Provide malicious power system data

detection and protection

Participate in industry-led CEDS

projects

Manage Incidents

Build game-theoretic response

and recovery engine

Develop forensic data analysis to

support response

Create effective Intrusion detection approach for AMI

Sustain Security Improvements

Offer testbed and expertise as a

Service to Industry

Anticipate/address issues of scale:

PKI, data avalanche, PMU

data compression

Act as repository for cyber-security-

related power system data

TCIP

G E

ffor

ts

• Approach

– TCIPG is a multi-university R&D center

– Research is organized into four topical Clusters, each of which contain a number of Activities (32 total)

– Cross-cutting efforts address Industry Interaction, Education/Outreach, and Testbed

• Metrics for Success

– Impact in the sector in the form of technology and knowledge transfer

– Collaboration with National Labs; industry; and groups such as IEEE PES, NASPI, GPA, EPRI, and others

– Publications

– Workforce development: Graduates placed in industry and academia

Technical Approach and Feasibility

TCIPG Technical Clusters and Threads

Trustworthy Technologies for Wide Area Monitoring

and Control

Communication and Data Delivery

(5 activities)

Applications

(2 activities)

Component Technologies

(3 activities)

Trustworthy Technologies for Local Area Monitoring, Management, and Control

Active Demand Management

(3 activities)

Distribution Networks

(2 activities)

Responding to and Managing Cyber Events

Design of Semi-automated Intrusion Detection and

Response Techniques

(6 activities)

Trust Assessment

Model-based Assessment

(6 activities)

Experiment-based Assessment

(5 activities)

• Challenges to Success

– Project Coordination

• Addressed by weekly leadership meetings, weekly “all-hands” meetings, annual retreat

– Competing demands on industry and utility experts

• Addressed by EAB mechanism, Industry Workshop

– Achieving technology impact

• Cross-cutting industry interaction activity. Active engagement with utilities. Pilot deployments

Technical Approach and Feasibility

2012 Q1 Progress: IDS for Embedded Systems, Protocols, and AMI

• Embedded device IDS

– Ongoing discussions with SEL on Autoscopy; investigating embedding in SEL product

– Autoscopy Junior featured in “New Scientist”

• Specification-based IDS for AMI

– Collaboration with Fujitsu on threat modeling

– Presented at EPRI Power Delivery and Utilization (PDU)

– Will be used in Utility ARRA project

2012 Q1 Progress: Security of Wide Area Measurements (Including PMUs)

• False data injection analysis and countermeasures

– Abstract accepted for NIST Workshop: Cybersecurity for Cyber-Physical Systems (April 2012) on Security-aware state estimation

• GPS Spoofing and SCADA-based countermeasures

– Showed efficacy of attack via detailed simulation; now building hardware prototype to demonstrate in laboratory

• Security of measurement devices

2012 Q1 Progress: NetAPT

• Further adoption in utility evaluation programs – More than 15 external deployments

– Large investor-owned utility

– Several members of the Association of Illinois Electric Cooperatives (AIEC)

– NERC / SERC Auditors

– Used in multiple NERC Audits

• Feedback has led to tool improvement and new features

– Predefined filters based on NERC guidance

– Now supports new Cisco firewall set features

– Initial support for SonicWall (popular firewall in the utility sector)

• Interface to Sophia (with INL)

• New funding from DHS Science & Technology to foster commercialization

(Sanitized) NetAPT Map of real EMS

2012 Q1 Progress: TCIPG Testbed Highlights

• Functional Itron Smart Meter Testbed being leveraged for active research.

• Further augmentation of PMU capabilities, including RTDS integration cases.

• Increasing engagement with Utilities, Vendors, and other testbeds.

• Accelerating DETER integration and DEFT demonstration capabilities.

2012 Q1 Progress: Education and Engagement

Objectives • Bulleted List

• Charge Up Energy Education Exhibit at Illinois Engineering Open House 2012e

2012 Q1 Achievements

• Link researchers, educators, consumers, and students

• Connect with schools and national curriculum endeavors

• Develop interactive lessons and activities available on the web and for touch tablet devices

• Create interest in STEM disciplines and careers

• Illustrate issues necessary for consumer acceptance and use of smart grid technologies

• Continuing to develop the interactive e-book for iPad and HP Touchpad incorporating suggestions from audience tests

• Partnered with Mahomet Public Library to receive IEEE Science Kits for Libraries grant

• Partnered with Champaign School District #4 to receive an award from the Illinois State Board of Education to provide professional development to teachers

Education and Engagement

FY 11 TCIPG Scholarly Impact (October 2010 – September 2011)

• Degrees

– 3 BS, 7 MS, 6 PhD

– Numerous students at various stages of thesis preparation or defense

– Graduates have started careers in academia, industry (University of Miami, Intel, Microsoft, NSA, PowerWorld, Oracle, SEL, Florida Power & Light, Stanford)

• Publications and Presentations – Over 70 papers published in (or accepted to) journals and

conferences

– Over 100 presentations

• TCIPG actively seeks industry involvement in

– Identifying critical R&D needs

– Providing opportunities for pilot deployment of technology

• Annual Industry Workshop (This year: October 30-31, 2012)

– Industry-led panels

– Posters for TCIPG activities

– Active solicitation of industry input on research direction

• Ongoing contacts (follow-on from Industry Workshop)

– Industry and vendor involvement with AMI security activity

• In addition to industry, TCIPG collaborates with the National Laboratories, NIST, NASPI, EPRI, and others

• Challenge: Bandwidth of industry thought leaders

Collaboration: Plans to gain industry input

TCIPG as Catalyst for Accelerating Industry Innovation

TCIPG

Utilities Vendors/Tech Providers

Sector Needs Pilot Deployment

Data

Access to equipment R&D Collaboration

Solutions Validation and Assessment

Products Incorporating Solutions

• Co-Leads of 3 CEDS Industry Projects

– Honeywell

– GPA

– ACS (Telcordia)

• Multiple projects with EPRI

• Targeted funding from and technology transfer to industry

– Fujitsu, GE, Lockheed Martin, Northrop Grumman, SEL, Honeywell

• Utilities (large as well as rural cooperatives) are now using TCIPG tools such as NetAPT

– Verify network access conforms to desired policy

– Use as a CIPS pre-audit tool

• AMI Security activity has engaged meter manufacturers as well as a major IOU

• SEL Interest in TCIPG technologies (GridStat, ZigBee Self-assessment, Autoscopy JR)

Example Collaboration/Technology Transfer

Additional Recent TCIPG Focused Industry Interaction Examples

• Reviews and Audits

– OpenPDC code audit (for GPA)

– AMI security review of deployments and specifications

– ASAP-SG security profile input and review

– Guidance in realizing NASPInet

• Interaction with investor-owned utilities

– Ameren: NERC CIPS support

• Rural Electric Cooperatives

– Vulnerability assessment for member co-ops of the Association of Illinois Electric Cooperatives

• NERC RCs

– SERC evaluation of NetAPT as CIPS pre-audit tool

• Industry-initiated opportunities in regard to a campus testbed/microgrid

• Approach for the next year or end of project

– Recently started Year 3 of 5

– Periodically review and revise project activities

– Continue and accelerate industry interaction and technology transfer

– TCIPG Retreat planned for August

• Invite industry to identify gaps

• Potentially recalibrate activities accordingly

– Industry Workshop – October 30-31, 2012

• Project results that may form the basis of future control systems security work or link to other programs/organizations

– CONES synergy with SIEGate

– Hardware IDS interaction with Sandia

– PMU Data Quality and other activities are relevant to NASPI

Next Steps

TCIPG Seminar Series on Technologies for a Resilient Power Grid

Monthly TCIPG Seminar Series are presented live and webcast to an academic/government/industry audience

Friday, January 6, 2012 1PM CT, NCSA Auditorium & Webcast Presenter: William H. Sanders, University of Illinois University of Illinois at Urbana-Champaign Title: Making Sound Design Decisions Using Quantitative Security Metrics Friday, February 3, 2012 1PM CT, NCSA Auditorium & Webcast Presenter: Jeff Dagle, Pacific Northwest National Laboratory Title: Power Grid Impacts Resulting From Unintentional Demand Response Friday, March 2, 2012 1PM CT, NCSA Auditorium & Webcast Presenter: Melanie Johnson, U.S. Army Engineer, Engineering Research & Development Center, CERL Title: ERDC-CERL Microgrids at Fixed Installations, Security and Economics Friday, April 6, 2012 1PM CT, NCSA Auditorium & Webcast Presenter: Pete Sauer, Electrical Engineering, University of Illinois at Urbana-Champaign Title: Computation of Margins to Power System Loadability Limits Using Phasor Measurement Unit Data Friday, May 4, 2012 1PM CT, NCSA Auditorium & Webcast Presenter: Michael Assante, President & CEO, and David Tobey, Director of Research, NBISE Title: Ground Truth Competency Assessment for Smart Grid Cyber Security

To Learn More

• www.tcipg.org

• Bill Sanders whs@illinois.edu

• Request to be on our mailing list

• Attend Monthly Public Webinars

• Attend our Industry/Govt. workshop Oct. 30-31, 2012