Four Layers of Smart Grid Security

Session: Energy Cybersecurity II
Ernie Hayden, CISSP, CEH
Managing Principal – Critical Infrastructure Protection/Cyber Security, Verizon Risk Team
Feb 13, 2013

Transcript of Four Layers of Smart Grid Security

Page 1: Four Layers of Smart Grid Security

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Four Layers of Smart Grid Security

Session: Energy Cybersecurity II

Ernie Hayden, CISSP, CEH
Managing Principal – Critical Infrastructure Protection/Cyber Security
Verizon Risk Team
Feb 13, 2013

Page 2: Four Layers of Smart Grid Security

Today’s Agenda

• Smart Grid Security: Who’s Worried and Why?
• “Layers” of Concern
  – Physical Layer
  – Cyber Layer
  – Privacy Layer
  – Storage Layer
• Just What To Do?
• Question & Answer

Page 3: Four Layers of Smart Grid Security

History of Verizon Security Practice

Page 4: Four Layers of Smart Grid Security

Who is Worried About Smart Grid Security?

High-Level Security Concerns from Global Agencies

• Acknowledged by:
  – European Network and Information Security Agency (ENISA)
  – National Institute of Standards and Technology (NIST)
  – North American Electric Reliability Corporation (NERC)
  – Department of Homeland Security (DHS)
  – Department of Energy (DOE)
  – Federal Energy Regulatory Commission (FERC)
  – Government Accountability Office (GAO)
  – Selected Nations and US State Public Utility Commissions

Page 5: Four Layers of Smart Grid Security

DOE and NIST Concerns

• Increasing Complexity of the Grid

• Interconnected Networks Can Introduce Common Vulnerabilities

• Increasing Vulnerabilities to Communications

• Introduction of Malicious Software

• Increased Number of Entry Points and Paths for Potential Adversaries to Exploit

• Potential for Compromise of Data Confidentiality, Including Breach of Customer Privacy

Page 6: Four Layers of Smart Grid Security

Who Said Anything About Complexity?

Page 7: Four Layers of Smart Grid Security

“LAYERS” OF CONCERN

• Physical
• Cyber
• Privacy
• Storage

Page 8: Four Layers of Smart Grid Security

Physical Layer Security

• Natural Disasters
  – Snow Storms
  – Hurricanes
  – Solar Flares
  – Geomagnetic Storms
  – Earthquakes
  – Flooding
  – Volcanoes

• Recognize that Location of the Smart Grid Components Can Be Affected by the Surrounding Environment

• US Case – Overheating Meters

Page 9: Four Layers of Smart Grid Security

Cyber Layer Security

• The Biggest Opportunity for Trouble
• “The Last Mile” Issues
• Remember – Added Complexity Causes Concerns

Page 10: Four Layers of Smart Grid Security

“Last Mile”

• Broadband Power Line Systems
• Power Line Carrier Systems
• Public Switched Telephone Network (PSTN)
• Cat5/6 Network Connection
• Radio Frequency
  – WiMax
  – ZigBee
  – 6LoWPAN
  – 802.11x
  – Cellular (CDMA/EVDO, GSM, LTE)

Page 11: Four Layers of Smart Grid Security

Cyber Attacks

• Remember C I A
  – Confidentiality Attacks
    • Reading, “Sniffing” the Data
  – Integrity Attacks
    • Changing the Data
  – Availability Attacks
    • Denial of Service – Prevent Use of Service

Page 12: Four Layers of Smart Grid Security

Privacy Attacks

http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf

Page 13: Four Layers of Smart Grid Security

Privacy Attacks (2)

• Very Emotional Discussion
• State of California
  – Smart Grid and IOU’s
• Theoretical Impacts
• But…Demographic Data has Value

http://www.baystatetech.org/graphics/major-app.jpg

Page 14: Four Layers of Smart Grid Security

Storage

Today’s Environment
• Analog Meters or Simple Digital Meters Manually Read or Use “Drive By” Reading
• Read Monthly (or Less Frequently)
• Minimal Data Accumulation
• Simple Data Fields – KWH Used Since Last Reading

The Future Smart Grid
• “Smart” Digital Meters & “Smart” Sensors
• Automatic Reading
• Read Every ~15 Minutes or More Frequently
• “Data Avalanche!” – Numerous Data Fields and Classes

Image credits: www.smartgridnews.com; Microsoft Clip Art Online. Used with Permission – E N Hayden

Page 15: Four Layers of Smart Grid Security

Is it a Data Avalanche? Tsunami?

• Lux Research: Utilities Manage 9x Current Data if Go to Smart Grid (Boston: Jan 26, 2011)
• Types of Data from Smart Meters
  – Broadcast Data
  – Billing Interval Data
  – Detailed Consumption Data
  – Aggregate Statistical Data
• Predictions
  – Prediction for U.S. by 2019 100M Meters 100 Petabytes generated during the next 10 years (West Coast Utility)
  – Utilities spent $356M on Smart Grid data analytics tools in 2010 $4.2B in 2015 (Pike Research)
  – 300 TB per year of meter data by 2012 (Southeast U.S. Utility) (as of 2011)

http://obiblog.files.wordpress.com/2008/08/data-pic.jpg

1 Petabyte is 1000 Terabytes!

Page 16: Four Layers of Smart Grid Security

What To Do?

• #1: Start with the NISTIR 7628 and ENISA
• #2: Begin with Security in Mind
• #3: Work with Your Meter Vendors
• #4: Establish Incident Response Team and Practice
• #5: Include Security Experts in Design, Build and Operate Phases
• #6: Have a Dedicated Security Team for SG
• #7: Monitor Regulations Affecting the SG
• #8: Ensure Code Includes Security (Ref: OWASP)
• #9: Beware of Remote Connections
• #10: Ultimate Job: Protect the Data!

Page 17: Four Layers of Smart Grid Security

QUESTIONS? OBSERVATIONS?

Page 18: Four Layers of Smart Grid Security

Ernie Hayden, CISSP, CEH
Managing Principal

Critical Infrastructure Protection/Cyber Security Verizon Risk Team
