
january/february 2012 IEEE power & energy magazine 41

Staying in Control

By Julie Hull, Himanshu Khurana, Tom Markham, and Kevin Staggs


Digital Object Identifier 10.1109/MPE.2011.943251 Date of publication: 13 December 2011

Cybersecurity and the Modern Electric Grid

1540-7977/12/$31.00 © 2012 IEEE

The use of supervisory control and data acquisition (SCADA) became popular in the 1960s due to the expense of manual monitoring and control and an increase in the complexity of the systems. The blackout of 1965 in the northeastern United States prompted the U.S. Federal Power Commission to urge passage of the Electric Power Reliability Act of 1967, which would have mandated closer coordination among regional coordination groups. The National Electric Reliability Council was formed in 1968. These events also drove the development of large energy management systems for transmission SCADA. Early SCADA protocols were built on electromechanical telephone switching technology. At that time, the goal of communications security was to ensure that the command got to the mechanism for control (this security was typically implemented through repetition).

Subsequently, SCADA moved to digital communications, and the use of parity bits and checksums became prevalent for error checking and is still common today in the field. Parity bits and checksums detect transmission noise, not deliberate modification: an attacker who alters a frame simply recomputes the checksum, so they provide no integrity protection against a human adversary. Many protocols were in use; typically, each manufacturer created its own, and some end users did the same. The network architecture was typically hierarchical, with the substations isolated. In the 1980s, a number of groups began working toward a common set of standards for protocols. The introduction of master stations and RTUs necessitated local area networks (LANs) and wide area networks (WANs), both of which can utilize more than one linking technology (e.g., satellite, telephone, wireless, power line carrier, fiber optics, or microwave) to connect RTUs to master stations. The RTUs typically perform actions requested by the master station and report out-of-bounds conditions; some also perform local control, logging, and reporting. This diversity of communication media and protocols has left its legacy in the field and has made it difficult to secure the infrastructure.

More recently, there has been a merging of the automation and business networks, with a linking of the automation WAN to the corporate network and, in some cases, an extension of these networks into customer sites. The use of intelligent electronic devices (IEDs) has also become common and has caused yet another shift in the communications architecture. Traditionally, the system was serial and hierarchical in nature: users communicated with the substation through an RTU or data concentrator (which then communicated with meters, relays, equipment, and so on), or users communicated directly with feeder devices (reclosers, switch controllers, and other equipment). With the advent of IEDs, there is much more networked information, which then flows up to substations and/or feeder devices using serial, direct-connect, wireless, and packet-switched circuits. The substation communication is often through a router on a LAN, along with the human-machine interface (HMI), data concentrator, equipment, and relays and may offer remote access to feeder-level devices. Figure 1 illustrates a typical architecture for modern SCADA systems. Since many electric grid systems are now built using traditional IT hardware and software, their attack surface is much larger, making them more vulnerable to cyberattack. With that in mind, deployed systems use a layered protection approach, with multiple levels of firewalls and "demilitarized zones," as seen in Figure 1.

Even with this type of layered protection, the system is still vulnerable. The National Electric Sector Cyber Security Organization (NESCO) has published a white paper, "DNS as a Covert Channel Within Protected Networks," that demonstrates DNS data exfiltration techniques that do not require direct connectivity to any external resource from the targeted device. The device only needs to resolve names through an internal resolver that forwards queries toward the Internet: an attacker can get information from the RTU out through the corporate firewall, encoded in the names being looked up, and create a communication path back to that device in the answers. This highlights the need to watch outgoing traffic at the firewall, DNS included, rather than treating recursive name resolution as harmless.
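As an added illustration, not from the NESCO paper or this article, the following Go program applies the kind of outbound-DNS check that paragraph calls for to a few constructed resolver log lines. It flags a client that queries many distinct, long, high-entropy names under one domain, which is what data carried in DNS labels looks like. The log format, the client addresses, the domain names, and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Constructed resolver log lines (timestamp, client, query type, name). They
// are made up for this example; addresses and domains are placeholders.
var sampleLog = []string{
	"2012-01-10T14:02:01Z 10.20.1.45 A www.example-utility.com",
	"2012-01-10T14:02:03Z 10.20.1.45 A ntp.example-utility.com",
	"2012-01-10T14:02:07Z 10.20.1.45 TXT 3a5f9c0e1b7d4a2c8e6f0b9d3c1a7e5f.cc.attacker-dns.example",
	"2012-01-10T14:02:08Z 10.20.1.45 TXT 9e2b7c4d1a0f6e3b5c8d2a7f4e1b0c9d.cc.attacker-dns.example",
	"2012-01-10T14:02:09Z 10.20.1.45 TXT 4c1d8e2f7a3b0c6d9e5f1a8b2c7d4e0f.cc.attacker-dns.example",
	"2012-01-10T14:02:11Z 10.20.1.46 A mail.example-utility.com",
}

// Thresholds are assumptions for this example; tune them per environment.
const (
	minUniqueNames = 3   // distinct names under one domain from one client
	minLabelLen    = 20  // human-chosen labels are rarely this long
	minEntropy     = 3.0 // bits per character, typical of hex or base32 payloads
)

// Finding is one (client, domain) pair that exceeded the thresholds.
type Finding struct {
	Client, Domain string
	Reasons        []string
}

// shannon returns the Shannon entropy of s in bits per character.
func shannon(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// baseDomain approximates the registered domain as the last two labels; a
// production detector would consult the public suffix list instead.
func baseDomain(qname string) string {
	labels := strings.Split(strings.TrimSuffix(qname, "."), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

type stats struct {
	names   map[string]bool // distinct names queried under the domain
	encoded string          // first label that is both long and high-entropy
}

// Analyze parses the log lines and returns the (client, domain) pairs that
// look like a covert channel, sorted so the output is deterministic.
func Analyze(lines []string) []Finding {
	agg := map[[2]string]*stats{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line: skip it rather than crash the detector
		}
		client, qname := f[1], strings.ToLower(f[3])
		key := [2]string{client, baseDomain(qname)}
		st := agg[key]
		if st == nil {
			st = &stats{names: map[string]bool{}}
			agg[key] = st
		}
		st.names[qname] = true
		for _, label := range strings.Split(qname, ".") {
			if st.encoded == "" && len(label) >= minLabelLen && shannon(label) >= minEntropy {
				st.encoded = label
			}
		}
	}
	var out []Finding
	for key, st := range agg {
		var reasons []string
		if len(st.names) >= minUniqueNames {
			reasons = append(reasons, fmt.Sprintf("%d distinct names queried", len(st.names)))
		}
		if st.encoded != "" {
			reasons = append(reasons, fmt.Sprintf("label %q looks encoded (%.2f bits/char)", st.encoded, shannon(st.encoded)))
		}
		if len(reasons) > 0 {
			out = append(out, Finding{key[0], key[1], reasons})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client+out[i].Domain < out[j].Client+out[j].Domain })
	return out
}

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("ALERT %s -> %s: %s\n", f.Client, f.Domain, strings.Join(f.Reasons, "; "))
	}
}
```

Run against the sample, only the 10.20.1.45 traffic to attacker-dns.example is reported; the two ordinary lookups under example-utility.com from the same host stay quiet. In a real deployment the same aggregation would run over the resolver's or firewall's query log, and the per-domain counts would be taken over a time window rather than the whole file.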

There is an increasing amount of evidence showing that attackers are now focusing on control systems. They are operating with varying motivations and intentions, including cybercrime, extortion, and warfare. In the area of cyberextortion, for example, we have been warned for years about the increased cyberextortion being practiced on electric utilities in Africa, Europe, India, and Mexico, where criminals threaten to cut off power if they are not paid. In a recent paper published by McAfee and the Center for Strategic and International Studies (CSIS), "In the Dark, Crucial Industries Confront Cyberattacks," 200 industry executives from critical electricity infrastructure enterprises in 14 countries were surveyed. The survey group was composed of IT executives in the energy, oil and gas, and water sectors whose primary responsibilities include IT security, general security, and industrial control systems. According to the paper, "One in four survey respondents have been victims of extortion through cyberattacks or threatened cyberattacks." And it follows that once a criminal finds an avenue of attack that works, the attacker tends to use it again and expand the list of victims. Nation-states have also been accused of using cyberattacks on control systems; such intrusions include the Russian cyberattack on Georgia's pipelines and the alleged 2007 Russian attack on Estonia. In Kenneth Geers's paper "Cyberspace and the Changing Nature of Warfare," the author outlines the strategic reasons why cyberwarfare is on the rise with respect to the electric power sector, including the fact that the Internet is vulnerable to attack. Many may argue that the electric power system is not on the Internet. In many cases it is, however. Even more common is the scenario in which a device without a direct Internet connection is connected to the Internet at some point in its life cycle for software or firmware updates, configuration, or maintenance. Or the device may interface with another device (e.g., a laptop or USB drive) that has been on the Internet and carries an infection or malicious code.


The methods used for a cyberattack vary depending on the attacker and the motivation. Some attackers are physically able to access a site through local surveillance, by browsing wireless networks within close physical proximity or even by accessing the site physically as part of the cyberattack; some perform the entire attack from a computer that could be 10,000 mi away. In any case, typically the first step is to gather as much information as possible through publicly available sources (say, from the Internet). The Internet can provide names, physical layouts, installed equipment, data useful for social engineering, and port scanning for other data. After this reconnaissance, adversaries target specific components and systems using malware that exploits vulnerabilities to gain access to the system. There are many attack vectors for obtaining access to a SCADA system, from a brute-force attack through the business network to intercepting nonencrypted communications and playing them back, either to mimic control actions or to mask from the operator's view the control actions that are really being performed. Attacks can vary from the relatively simple, such as that of the disgruntled former contractor who used existing privileges and gained access to the control system of a sewage treatment facility in Australia, then flooded the surrounding area with millions of liters of untreated sewage, to the Stuxnet worm, which was purportedly an attack on the Iranian nuclear industry using highly sophisticated malware and several zero-day vulnerabilities.

In the rest of this article we look at cybersecurity objectives and properties and discuss methods for minimizing cyberattacks as well as detecting and responding to attacks that do succeed. We then describe some cryptographic protocols commonly used to realize desired security properties such as confidentiality and integrity. With this background in mind, we explore the challenges of realizing secure control systems and some approaches that might work. We discuss control system security in general and use the example of modern SCADA systems to illustrate certain ideas. Finally, we review some key ongoing efforts in the control system security area involving the U.S. government, industry, and academia.

figure 1. Typical security architecture for SCADA systems. (Figure content: the Internet connects through a corporate firewall/DMZ, holding a workstation and a server, to the business/corporate network; a second firewall separates that network from the control center, which holds the SCADA server and front-end processor; a WAN SCADA network, with a remote-access entry point, reaches subdivisions A and B; each subdivision has a LAN connecting an RTU, a network interface, a local HMI, an equipment monitor, input/output points, meters, relays, and feeder devices. Legend: marked points denote attack points. Note: there are many attack vectors not noted on this diagram, including drivers.)


What Are the Goals and Objectives of Cybersecurity?

Cybersecurity tools and techniques are aimed at achieving three primary properties, namely, confidentiality, integrity, and availability (CIA). Confidentiality is the property that ensures that only authorized entities have access to sensitive information. For example, electricity market data and transaction information are considered sensitive and should only be accessible to authorized market agents and not to other entities such as system operators. Integrity is the property that ensures that any unauthorized modifications to data and information are detected. For example, an adversary should not be able to modify sensor data without detection. Availability is the property that ensures that critical systems and information are available when needed. For example, communication networks supporting wide area measurement systems must be available to deliver data and information (e.g., synchrophasor measurements) even in the presence of malicious activity such as an adversary launching a denial-of-service (DoS) attack. For critical infrastructure such as the electric grid, availability and integrity are typically considered to be more important than confidentiality.

Other security properties of interest to control systems include nonrepudiation and privacy. Nonrepudiation involves assurances that a particular command or message was actually sent, as the receiving entity claims, and is typically realized using digital signatures. Privacy, as a special form of confidentiality, refers to adequate protection of personally identifiable information and functions so that only authorized entities have access to this data. For example, consumer energy consumption data need to be kept private as advanced metering infrastructure (AMI) systems are realized. Achieving these properties for all computing and communication systems supporting the electricity grid is a major research, development, deployment, and maintenance challenge.

A common approach to achieving these properties is to design, develop, and deploy cybersecurity technologies for protection, detection, and response. Protection systems devise security components such as key management, authentication and authorization, and perimeter defense that help ensure the CIA properties against a range of attacks. For example, encryption tools help provide confidentiality, cryptographic message authentication tools help provide integrity, and redundancy helps provide availability. Secure software and hardware development techniques are also an essential form of protection. Given the complexity of today's systems, vulnerabilities are likely to remain after development that can be exploited by adversaries despite the use of advanced protection systems. To deal with this, detection tools observe network and system behavior to identify malicious activities and attacks. For example, intrusion-detection systems may look for malware signatures on the network. Finally, response tools are employed to enable administrators to deal with detected attacks and activities. For example, such tools may allow dynamic changes in firewall policies in order to limit information flow to and from adversaries to contain an attack. Collectively these protection, detection, and response systems create an ecosystem in which secure and trustworthy operations can be executed. Typically, these technical solutions are used in conjunction with appropriate training for people and the use of well-defined processes to form a comprehensive solution.

What Are Some Common Security Components?

Earlier, we discussed the three objectives of security, namely, confidentiality, integrity, and availability. Cryptography is the principal tool for providing confidentiality and integrity, and, through digital signatures, it also underpins authentication and nonrepudiation.

The workhorse of secure communications systems is symmetric cryptography. This is often called secret-key cryptography because the keys, which are the same at both ends of the communications link, must be kept secret. These algorithms are frequently identified by the length of their keys, e.g., the Advanced Encryption Standard with a 128-bit key (AES-128). They can be thought of as codebooks that take a block of input data and encrypt it in a unique way based on the secret key. One caveat to that picture: applied block by block (the "electronic codebook" mode), identical plaintext blocks produce identical ciphertext blocks, so an attacker who cannot read a command can still recognize it when it repeats. Practical systems therefore wrap the cipher in a mode of operation that mixes in a counter or nonce, and they add a message authentication tag so that modification is detected as well as prevented from being read. Figure 2 illustrates how a symmetric cipher could be used to protect data moving from a control center to a substation. The process unfolds as follows:

1) The secret keys are generated, transported to the ends of the communications link, and loaded into cryptographic devices (often part of a larger computing device) so that they are only known to the authorized sender and receiver. If attackers are able to obtain a copy of this key, they could also decrypt the data, rendering the system insecure.

2) The sender’s plaintext message is then passed through the codebook algorithm, where it is transformed into ciphertext. The output of the codebook is a function of both the key and the plaintext.

3) The ciphertext is transmitted over the communication link.

4) An eavesdropper listening in on the communications is able to intercept the ciphertext, but without the key the eavesdropper cannot decrypt the data and recover the plaintext. Thus, the symmetric cryptography provides confidentiality.

5) The receiver passes the ciphertext through the codebook algorithm in reverse, using the secret key. The output of the codebook is the original plaintext.

figure 2. Symmetric key cryptography provides confidentiality. (Figure content: the plaintext "Set 247 On" enters the sender's codebook with the key and leaves as the ciphertext "k3>A+zLcb+"; the ciphertext crosses the Internet, where an eavesdropper can capture it; the receiver's codebook with the same key turns it back into "Set 247 On".)
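The five steps above carried out in code, as an added example that is mine rather than the article's: AES-256 in GCM mode from Go's standard library. The key is generated in-process for the demonstration, standing in for the out-of-band key transport of step 1. Beyond confidentiality, the block shows two things the codebook picture leaves out: the GCM authentication tag rejects a ciphertext that has been altered in transit, and binding a sequence number to each command as associated data lets the receiver refuse the playback of captured traffic described in the attack-methods discussion earlier. The message layout, the sequence-number rule, and the command strings are assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout assumed for this example: 8-byte big-endian sequence number,
// 12-byte GCM nonce, then ciphertext with the 16-byte tag appended. The
// sequence number travels in the clear but is covered by the tag.
const seqLen = 8

var ErrReplay = errors.New("replayed or out-of-order command")

// GenerateKey produces the 256-bit secret key of step 1. It is made in
// process here; in a deployment the same key would be provisioned to both
// ends through a key-management system.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 2: the output depends on both the key and the plaintext. GCM
// also emits an authentication tag, and the sequence number is passed as
// associated data so the tag covers it as well.
func Seal(key []byte, seq uint64, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint64(hdr, seq)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return gcm.Seal(out, nonce, plaintext, hdr), nil
}

// EavesdropperSees is step 4: a captured message reveals its sequence number
// and length, but the command text is not in it.
func EavesdropperSees(msg, plaintext []byte) bool {
	return bytes.Contains(msg, plaintext)
}

// Receiver holds the shared key and the highest sequence number accepted so
// far; a message at or below it is a replay and is refused.
type Receiver struct {
	key     []byte
	lastSeq uint64
	started bool
}

// Open is step 5 with two checks added. The tag is verified first, so any
// change to the ciphertext, nonce, or sequence number is rejected, and only
// then is the sequence rule applied; an attacker cannot forge a "newer" header.
func (r *Receiver) Open(msg []byte) ([]byte, error) {
	gcm, err := newGCM(r.key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < seqLen+ns+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	hdr, nonce, ct := msg[:seqLen], msg[seqLen:seqLen+ns], msg[seqLen+ns:]
	plaintext, err := gcm.Open(nil, nonce, ct, hdr)
	if err != nil {
		return nil, err // "cipher: message authentication failed"
	}
	if seq := binary.BigEndian.Uint64(hdr); !r.started || seq > r.lastSeq {
		r.lastSeq, r.started = seq, true
		return plaintext, nil
	}
	return nil, ErrReplay
}

func main() {
	key, _ := GenerateKey()
	cmd := []byte("Set 247 On")
	msg, _ := Seal(key, 1, cmd)
	fmt.Printf("on the wire: %x\neavesdropper sees plaintext: %v\n", msg, EavesdropperSees(msg, cmd))
	sub := &Receiver{key: key}
	pt, err := sub.Open(msg)
	fmt.Printf("substation decrypts %q, err=%v\n", pt, err)
	_, err = sub.Open(msg) // the captured message played back
	fmt.Println("replay accepted:", err == nil)
	msg[len(msg)-1] ^= 1 // one bit flipped in transit
	_, err = sub.Open(msg)
	fmt.Println("tampered message accepted:", err == nil)
}
```

The sequence rule is deliberately strict (strictly increasing, no window), which suits a single ordered link; a protocol that can deliver out of order needs a sliding window, and a device that reboots needs to persist the counter or renegotiate a key, or the first command after the reboot would be replayable.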

Securely distributing the keys for symmetric-key cryptography is cumbersome, so asymmetric-key (also called "public-key") cryptography, a newer form, is used to transport the secret keys and perform other types of authentication. Three common public-key systems are RSA, ElGamal, and elliptic curve cryptography (ECC). The underlying mathematics of these algorithms are significantly different. All three, however, give each party a private key, which it keeps secret, and a mathematically related public key, which can be handed out freely; the private key is used to sign (or to decrypt) and the public key to verify (or to encrypt), as shown in Figure 3. (Figure 3 labels signing as "encrypt" and verification as "decrypt"; that picture is exact only for textbook RSA, where the two operations happen to be inverses, and does not carry over to ElGamal or ECC.) The originator of a message (e.g., a control center) signs the message with its private key. It then distributes its public key to everyone, including potential attackers. The legitimate receiver (e.g., a substation) uses the public key to verify that the message indeed came from the claimed source. An attacker could also use the public key to verify the message. But if an attacker attempts to forge a message, or to alter a signed one, the verify operation will fail. Thus, public-key cryptography can be used to provide integrity and nonrepudiation. Nonrepudiation lets a third party verify that a message came from the entity holding the associated private key. Note that a signature does not hide the message: the attacker in Figure 3 can read "Open Breaker #3" even though it cannot forge it. Public-key cryptography may also be used to provide confidentiality for small messages (e.g., a key for symmetric encryption) by encrypting them with the public key and then having the intended recipient decrypt them with its private key.

Hash functions, such as the Secure Hash Algorithm with 256-bit output (SHA-256), are used to produce a mathematical fingerprint of a message or file. The hash function takes in a file of arbitrary size (often quite large) and produces a fixed-length output. Hash functions have the following properties:

✔ Given a hash output, it is very difficult to find any file that produces it.

✔ Given a file and its corresponding hash, it is very difficult to find another file that will produce the same hash output.

✔ It is very difficult to produce two files that when hashed will yield the same hash output.

The hash output may then be signed using asymmetric cryptography. The resulting signed hash lets a receiver check the integrity of a large file by recalculating the hash, verifying the signature with the sender's public key, and comparing the two hashes. Because the signature covers a short fixed-length digest rather than the file itself, the cost of signing and verifying does not grow with the size of the file.
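The signing and verification of Figure 3, together with the sign-the-hash pattern just described, as an added example in Go (not code from the article): the control center's private key signs the SHA-256 digest of a command or of a firmware image, and a substation verifies with the public key alone. A forged command, a one-byte change to the image, and a signature made under an attacker's own key all fail verification. The curve (P-256), the command strings, and the constructed firmware blob are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleFirmware is a constructed 1 MiB blob standing in for a firmware image.
var sampleFirmware = bytes.Repeat([]byte{0xAB}, 1<<20)

// GenerateKeyPair creates a P-256 key pair. The private key stays in the
// control center; the public key can be handed to every substation, and to
// attackers, without weakening the scheme.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message with SHA-256 and signs the 32-byte digest. Signing
// the digest rather than the message is what keeps the cost of signing flat
// whether the input is a short command or a large firmware image.
func Sign(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest and checks the signature with the public key.
// Any change to the message, or a signature made under a different private
// key, makes this return false. The signature does not hide the message.
func Verify(pub *ecdsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	center, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	pub := &center.PublicKey // what every substation is given

	cmd := []byte("Open Breaker #3")
	sig, _ := Sign(center, cmd)
	fmt.Println("genuine command verifies:       ", Verify(pub, cmd, sig))
	fmt.Println("altered command verifies:       ", Verify(pub, []byte("Open Breaker #1"), sig))

	attacker, _ := GenerateKeyPair()
	forged, _ := Sign(attacker, []byte("Open Breaker #1"))
	fmt.Println("attacker-signed command verifies:", Verify(pub, []byte("Open Breaker #1"), forged))

	fwSig, _ := Sign(center, sampleFirmware)
	fmt.Println("firmware image verifies:        ", Verify(pub, sampleFirmware, fwSig))
	corrupted := append([]byte{}, sampleFirmware...)
	corrupted[len(corrupted)/2] ^= 0x01
	fmt.Println("one-bit-changed image verifies: ", Verify(pub, corrupted, fwSig))
}
```

Verification needs only the public key, so a substation holds nothing an attacker could steal to forge commands; what it must protect is the binding between that public key and the control center, which is the job of the certification authorities described next.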

Certification authorities are organizations that verify the credentials of a user, device, or software and then use asymmetric cryptography together with a hash function to issue the entity a digital certificate (e.g., under the X.509 standard) that may then be used for authentication over a network. Public-key infrastructure, using certification authorities, hash functions, and of course public-key cryptography, is often used to build authentication and key management systems.

Cryptography is helpful in addressing many security issues. But the use of cryptography within the power grid is challenging for the following reasons:

✔ Legacy systems often lack the computing power and bandwidth necessary to support strong cryptography. SCADA systems often remain in the field for years, making it impractical to support the newer, more computationally intensive algorithms required as the attacker's computing power increases over the years.

✔ Cryptography often relies on random number generators with high entropy. Many embedded devices lack the means to produce good random numbers, and a predictable generator undermines the keys and nonces it produces no matter how strong the cipher that uses them.

✔ The key distribution and revocation process can be labor-intensive and prone to errors. This is especially true when multiple organizations are involved in the process. Mistakes made in the key management process may reduce the ability to communicate, which affects availability.

There are many other security functions used to enhance the integrity and availability of systems. Antitamper mechanisms are frequently used to protect hardware accessible to potential attackers (e.g., smart meters). These mechanisms deter the reverse-engineering of devices to recover cryptographic keys or firmware that would disclose how a device operates.

Why Is Cybersecurity for Control Systems Challenging?

There are several contributing factors that make cybersecurity of control systems a challenge. Three of these challenges are:

✔ the clash between the operations team and IT team cultures

✔ the porting of legacy control software to commercial off-the-shelf (COTS) platforms

✔ the long life cycle of control systems.

figure 3. Asymmetric-key (public-key) cryptography can provide integrity. (Figure content: the control center signs the command "Open Breaker #3" with its private key, labelled "Sign = Encrypt"; the message crosses the Internet; the substation checks it with the public key, labelled "Verify = Decrypt", and obtains "Open Breaker #3". An attacker holding only the public key substitutes "Open Breaker #1", and verification fails, marked with an X.)

The first is a cultural issue. The SCADA system engineers are responsible for the configuration and operation of any process. This includes a requirement to assure that certain control systems, such as SCADA systems, are always available. In many cases, a control system is expected to operate a plant over periods of many years with no shutdown or reduction in product manufactured by that control system. This means that availability is one of the most important requirements for any control system. Today's modern control systems are built using open-standard IT technologies such as Microsoft Windows–based computers and Ethernet networks that include commercial routers, switches, and firewalls. Because the SCADA system engineers are responsible for the operation of the process, they feel responsible for all of the equipment required to run the process. Because IT systems are now part of the equipment required to run the process, the IT department feels it is responsible for the IT equipment running that process. This leads to a clash between the IT department and the process engineering department. Among the factors contributing to this clash are items related to the management and maintenance of those IT assets. One example concerns the installation of security updates in the IT equipment. IT typically pushes out security updates shortly after they are available, and most security updates require a reboot of the computers being updated. These reboots are usually done at a time controlled by the IT department. A reboot of a control system computer can severely affect a process operator's ability to operate a process safely, and so the process engineering team wants more control over when the updates are installed.

Another example results from migration to Ethernet networks. Many modern control systems integrate the status of Ethernet components such as switches and routers into the overall system status displays. IT wants to manage and monitor the Ethernet equipment, and this can result in a loss of view of that equipment status to the SCADA operators. One way to sum up the clash is that IT is focused on the protection of the intellectual assets of the company while SCADA system engineering focuses on the protection of the physical assets and manufacturing capabilities of the company. The priorities of the two can easily conflict, leading to a clash between the two organizations.

Standards organizations such as the ISA99 standards development committee have recognized the unique security management needs of SCADA and control systems and are drafting security standards for those systems. The intent of ISA99's proposed standards is to complement the IT standards that already exist while addressing those areas that need special attention for control systems. The North American Electric Reliability Corporation (NERC), the successor to the National Electric Reliability Council, has also realized the need for standards for control systems that control the generation and distribution of power and has created the NERC-CIP standards, which help guide the owners and operators of critical SCADA power systems.

The migration from proprietary control systems to open systems–based control has also contributed to some of the challenges. The IT industry and the control industry have evolved at different rates. While the IT industry was moving to PCs and servers, the control industry was still producing proprietary systems on proprietary networks. The control industry's shift to open systems followed that of the IT industry by approximately seven years, and the control system industry is approximately that far behind in understanding how to develop and deploy secure systems. Many security issues that existed in IT systems six or seven years ago are now just starting to appear in control systems. One reason for this is that the migration of control systems to open systems was done by porting as much of the proprietary software to open system–based platforms as possible. Because the proprietary control systems had an implicit trust in the communications among devices in those systems, very few input checks were performed in the code. Once ported to an open system and exposed to a network that anyone can reach, an application or device may be crashed or compromised by malformed input that the original isolated link never delivered. Control device protocols were also developed with implicit trust, meaning that as they were moved to Ethernet, there was no attempt to add such things as authenticated and authorized communications.
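The implicit-trust problem in miniature, as an added example (a hypothetical framing, not any real SCADA protocol, and not code from the article): a length-prefixed frame parser written the way code on an isolated serial link tends to be written, next to the same parser treating the length field as attacker-controlled input. In Go the trusting version panics on a malformed frame, taking the process, and with it the operator's view, down; in C the same code would read past the buffer. The frames are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical framing for a ported legacy protocol: a 2-byte big-endian
// payload length followed by the payload. It is not any real SCADA protocol.
const maxPayload = 1024

// Constructed test frames.
var (
	goodFrame  = []byte{0x00, 0x03, 'S', 'E', 'T'} // length 3, three bytes present
	shortFrame = []byte{0xFF, 0xFF, 0x01}          // claims 65535 bytes, carries one
	headerOnly = []byte{0x00}                      // not even a full length field
)

// parseTrusting is how code written for an isolated serial link tends to
// look: the length field is believed. A frame that claims more bytes than it
// carries makes the slice expression panic, which takes the process, and the
// operator's view, down. In C the same code would read past the buffer.
func parseTrusting(frame []byte) []byte {
	n := int(binary.BigEndian.Uint16(frame)) // panics if len(frame) < 2
	return frame[2 : 2+n]                    // panics if the frame is shorter than claimed
}

// parseValidating treats the length field as attacker-controlled input and
// refuses the frame instead of trusting it.
func parseValidating(frame []byte) ([]byte, error) {
	if len(frame) < 2 {
		return nil, errors.New("frame shorter than its length field")
	}
	n := int(binary.BigEndian.Uint16(frame))
	if n > maxPayload {
		return nil, fmt.Errorf("declared length %d exceeds maximum %d", n, maxPayload)
	}
	if len(frame)-2 != n {
		return nil, fmt.Errorf("declared length %d but %d payload bytes present", n, len(frame)-2)
	}
	return frame[2 : 2+n], nil
}

// survivesTrusting reports whether the trusting parser handled the frame
// without crashing. It exists only to make the crash observable; a real
// device has no such safety net around its protocol handler.
func survivesTrusting(frame []byte) (ok bool) {
	defer func() {
		if recover() != nil {
			ok = false
		}
	}()
	parseTrusting(frame)
	return true
}

func main() {
	for _, f := range [][]byte{goodFrame, shortFrame, headerOnly} {
		p, err := parseValidating(f)
		fmt.Printf("frame % x: trusting parser survives=%v, validating parser -> %q err=%v\n",
			f, survivesTrusting(f), p, err)
	}
}
```

The validating parser also bounds the declared length, so a frame cannot force an oversized allocation; the trusting one, on a platform without bounds checking, would have handed the attacker an out-of-bounds read and the rest of the device's memory.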

Users of control systems expect them to last for a long time. It is not unusual for a control system to operate a plant for a period of 20 years or more. Most operators don't expect to have to change the control system during that period. This period far exceeds the life cycle of any modern piece of open-systems hardware or software. The IT industry turns over its systems every three to five years, while the turnover period for control systems has traditionally exceeded 20 years. As the control industry evolves further, that period will have to shorten. This will be a significant challenge for the industry as we move forward.

How Does One Design Secure Systems?

There are several steps that can be taken to design secure control systems. First, consider procuring components that were designed with security in mind. Designing with security in mind means, for example, that the vendor of those components can demonstrate that it has integrated a security development life cycle (SDL) into its development process. The SDL will include security steps at all phases of development. This means there are security requirements for the product. Roles are defined for the configuration, operation, and administration of control systems. Each role should be defined together with its privileges and with how the device responds when a user attempts an operation that the user's role does not permit. Providing a role with only those privileges necessary to perform the associated functions is commonly called least privilege. The device should be deployed with least privilege already configured, so that the end user or integrator does not have to perform any additional steps for the device to be secure.

table 1. Representative efforts in the area of best practices for control systems security.

Type | Description | Title and URL
Organization | DHS Industrial Control Systems Joint Working Group (ICS JWG); Cross Sector Cyber Security Working Group (CSCSWG); IT Sector Coordinating Council (IT SCC); Communications Sector Coordinating Council (CommSCC) | 
Organization with enforced standards | NERC Cyber Attack Task Force (CATF) and several related task forces | http://www.nerc.com/filez/catf.html; Security guidelines: NERC 1300, CIP-002-1 through CIP-009-1, http://www.nerc.com/page.php?cid=2%7C20, http://www.nerc.com/docs/standards/sar/Draft_Version_1_Cyber_Security_Standard_1300_091504.pdf
Publication | National Institute of Standards and Technology (NIST) SP800-53R3 | NIST Special Publication 800-53, Revision 3, http://csrc.nist.gov/publications/PubsSPs.html
Publication | NISTIR 7628 | NIST publication on guidelines for smart grid cybersecurity
Publication | DOE-supported and industry-led roadmap | Roadmap to Secure Control Systems in the Energy Sector, http://www.oe.energy.gov/DocumentsandMedia/roadmap.pdf
Working Groups/Research | DOE Office of Electricity Delivery and Energy Reliability; Control Systems Security; Cyber Security for Energy Delivery Systems (CEDS) | http://www.oe.energy.gov/controlsecurity.htm; National SCADA Test Bed (NSTB), http://www.oe.energy.gov/nstb.htm, http://www.sandia.gov/ccss/home.htm; Draft road map: http://energy.gov/oe/downloads/roadmap-achieve-energy-delivery-systems-cybersecurity-2011
Working Group | NIST Smart Grid Interoperability Panel (SGIP) | NIST Smart Grid Interoperability Panel, the Cyber Security Working Group (CSWG), http://www.nist.gov/smartgrid/
Working Group | UCA International Users Group OpenSG | Open SG Security Working Group's Advanced Security Acceleration Project (ASAP-SG)
Standards/Working Group | International Electrotechnical Commission (IEC) Technical Committee 57 Working Group 15 | Data and Communications Security; focused on security for protocols 60870-5, 60870-6, 61850, 61970, and 61968
Standards | AGA 12 | Cryptographic Protection of SCADA Communications, Part 1: http://www.aga.org/our-issues/security/Documents/0603REPORT12.PDF; Part 2, Performance Test Plan: http://cipbook.infracritical.com/book3/chapter8/ch8ref4.pdf
Standards | API 1164 | Pipeline SCADA Security, http://engineers.ihs.com/document/abstract/BPZBGBAAAAAAAAAA
Standards | FIPS 140-2 | Security Requirements for Cryptographic Modules
Standards | IEC 62210 | Power System Control and Associated Communications—Data and Communication Security, http://webstore.iec.ch/preview/info_iec62210%7Bed1.0%7Den.pdf
Standards | IEC 62351 | Power Systems Management and Associated Information Exchange—Data and Communications Security, Part 1 (there are seven parts, all of which can be found on the IEC Web site), http://webstore.iec.ch/preview/info_iec62351-1%7Bed1.0%7Den.pdf
Standards | IEEE 1686, IEEE 1402 | Standard for Intelligent Electronic Devices (IEDs) Cyber Security Capabilities; IEEE Guide for Electric Power Substation Physical and Electronic Security
Standards | ISA-99 | Manufacturing and Control Systems Security, http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
Academic Research | Trustworthy Cyber Infrastructure for the Power Grid | http://tcipg.org/

Many control devices will require security devices in the network that act as compensating controls to assist in securing them. When this is the case, the device specification should define the compensating control, how to configure it, and an explanation of why it is required. The device vendor should be following secure coding practices. Finally, the device vendor should have processes in place to respond to a security vulnerability disclosure if one ever occurs for its product. These are just some of the steps required. There are many good examples of SDLs available, including Microsoft's Security Development Lifecycle, the guidance of the Open Web Application Security Project (OWASP), and the Comprehensive, Lightweight Application Security Process (CLASP).

Once components are procured, system integrators also need to have methodologies for developing and configuring control systems for end users. The system integrator is responsible for integrating all of the pieces that together form a control system. As a control system is integrated, it will consist of multiple devices connected to multiple areas of a process with multiple functions. A model for how a control system is to be configured and information is to flow within it exists within the international ISA-95 standard. This model provides a topology to be applied while designing and configuring a control system. This topology provides a natural defense-in-depth approach to help protect the more vulnerable components of a control system. In addition to ISA-95, the International Society of Automation (ISA) standards committees have formed the previously mentioned ISA99 standards development committee, which is developing the security requirements for industrial automation and control systems. The ISA-99 standards build on the reference models in ISA-95 and create security reference models for a typical SCADA system and a typical distributed control system (DCS), the two classic types of control systems.

What Is Being Done to Secure Control Systems Today?

It is important to note that if attackers and attack vectors are studied, a common set of high-ranking vulnerabilities can be identified, and addressing those significantly reduces the chances of an attack succeeding. There are many good studies that can be found on common vulnerabilities and recommendations. Here are several:

✔ “Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Pro-gram” (November 2008, U.S. Department of Energy)

✔ “Catalog of Control Systems Security: Recommen-dations for Standards Developers” (June 2010, U.S. Department of Homeland Security; www.us-cert.gov/control_systems)

✔ “Common Cyber Security Vulnerabilities Observed in DHS Industrial Control System Assessments” (July 2009, U.S. Department of Homeland Security).

Many organizations and governments have spent millions of dollars and years’ worth of effort in studying and rec-ommending good practices for control systems security. In addition, most vendors today are actively including security in the design of their products. Table 1 provides examples of representative work in this area, rather than an exhaustive list of the many activities currently taking place.

Conclusions

This article provides an introduction to relevant cybersecurity concepts and issues pertaining to emerging modern electric grid systems. We looked at the history of these systems, the objectives of cybersecurity, challenges in addressing security for control systems, common security tools and components, processes for designing secure grid systems, and some key efforts under way today.

Biographies

Julie Hull is with Honeywell ACS Research Labs.

Himanshu Khurana is with Honeywell ACS Research Labs.

Tom Markham is with Honeywell ACS Research Labs.

Kevin Staggs is with Honeywell ACS Research Labs.
