IBM End-to-End Security for Smart Grids

White paper September 2009 IBM end-to-end security for smart grids


http://www.ibm.com/smarterplanet/us/en/smart_grid/article/cyber_security.html?cmp=agus_cxosp2gridsec-20100426&cm=c&csr=endsecurity&cr=slideshare&ct=usbrb401&cm_mmc=agus_cxosp2gridsec-20100426-usbrb401-_-c-_-endsecurity-_-slideshare IBM End-to-End Smart Grid Security Involving IT Security and Enterprise Asset Management


Contents

Introduction
Why we need a smart grid
Security for the smart grid
How can IBM address smart grid security?
Security for the utility business
Security for advanced metering data management systems
Security for SCADA networks
Supporting Critical Infrastructure Protection standards
Conclusion
For more information

Introduction

The electric grid has been providing reliable electric energy for decades. Comprised of generating, transmission, and distribution equipment along with its associated control systems and operating staff, the electric grid is vital to the world. And when it fails, civilization comes to a standstill.

The grid infrastructure has been subjected to minimal maintenance-mode investment for decades, and it needs to be overhauled. An aging workforce, rising energy costs, globalization, environmental issues, and terrorism or malicious abuse of these systems threaten the grid's sustainability. Security concerns for these critical infrastructures in North America and Europe have recently been heightened.[1]

Around the globe, the reliability of the grid is governed by various entities: government mandates and commissions, industry consortiums, and regulatory bodies. In December 2008, the U.S. Department of Energy (DOE) published a report on the nation's goal to transform its energy grid into a more intelligent, resilient, reliable, secure, self-balancing, and interactive network.[2] In March 2009, the U.S. Federal Energy Regulatory Commission (FERC) proposed a policy statement and action plan that provides guidance for the development of a smarter grid for the nation's electric transmission system.
This plan focuses on the development of key standards to achieve interoperability of smart grid devices and systems.[3] An IBM white paper published five years ago concurs with these views of DOE and FERC to build smart grids.[4]

The Council of the European Union recently adopted a Council Directive for the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.[5] While EU member states are responsible for policies regarding the security of energy facilities in their territories, the European Commission for Energy is responsible for developing pan-EU critical infrastructure protection policies and recommendations.[6] In the UK, the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to businesses and organizations across the national infrastructure.[7]

This paper focuses on the security aspects of protecting the electric grid. It discusses the end-to-end security needs and solutions at various points in the smart grid chain. Security solutions related to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) requirements are used as examples of best-practice methods for securing the grid. In addition, this paper addresses security for remote device monitoring, Supervisory Control And Data Acquisition (SCADA) systems, and the Advanced Meter Infrastructure (AMI). The paper then explains how IBM software, hardware and services can help you meet these regulations and security requirements.

Why we need a smart grid

Highlights: A smart grid applies a set of diverse digital technologies to enhance the value chain of the electric power industry, improving not only management of energy flow but also information exchange and equipment operation.

The concept of a smart grid is the application of a set of diverse digital technologies that enhance the value chain of the electric power industry. These digital technologies, comprised of new devices and applications, some of which are Internet Protocol (IP) enabled, will aid in the sharing of information and coordination of management of the generation, transmission, and distribution aspects of the infrastructure across distributed energy resources.

Grid modernization will overhaul the energy industry, creating better visualization and control for operators. The application of digital technologies can help reduce peak demand through dynamic optimization, reduce operations and maintenance costs, integrate renewable sources of energy, improve grid reliability, and make transmission and distribution more efficient. Such efficiencies can be established only with smart devices and applications that enable a finer level of visibility, control and automation.

On the residential front, consumers can be given more options to control home appliances and to derive on-demand information to better understand and manage their consumption.

We need a smart grid to manage not only energy flow but also information exchange and equipment operation. Regulations imposed by governments or industry consortiums oversee the development and enforcement of reliability standards and monitor the bulk-power systems. The stakeholders of the electrical grid include independent service operators (ISOs), remote transmission operators (RTOs), various utilities, and consumers.

Security for the smart grid

Security is a vital element of any technology related to sensitive assets, and new technological advancements force organizations to face new security concerns and risks.
When devices like smart meters are made more secure, their business value increases because organizations can respond dynamically and with confidence to new market opportunities or changing conditions. This allows for improved efficiency, reduced costs, and improved continuity of services. Robust security for the grid can have a tremendous positive impact, as a lack of security directly threatens the safety of the public and all of those who are affected by grid failures.

Highlights: A digital infrastructure can be more flexible and dynamic, but it can also introduce new security vulnerabilities that threaten the safe and efficient functioning of the grid.

As an example, there is a global effort to transform the electric grid to a digital infrastructure. A fundamental move like this is considered necessary in order to keep up with energy and utility operational demands while maintaining or improving the bottom line. A digital infrastructure can be more flexible and dynamic; however, such a network may expose the critical infrastructure to additional security concerns such as unapproved access and cyber attacks. A lack of adequate security in the energy industry could pose threats of service disruption, which can impede safe and efficient functioning of the system. Added layers of security controls, policies, and procedures are necessary to help protect and manage the grid.

The best approach to securing smart grids is to identify and quantify the risks across the entire value chain, develop the appropriate policies and controls to manage these risks, deploy the policies and controls, and then perform systematic, periodic reviews, including vulnerability testing.

How can IBM address smart grid security?
IBM has been very successful in providing security consulting, design, build, and managed services solutions for critical infrastructure in a wide range of demanding industries, including defense, financial services, and energy and utilities. IBM security solutions are based on the IBM Security Framework (see Figure 1), which defines an end-to-end approach to developing, deploying and supporting security solutions across domains of people, networks, applications, data, and the physical plant.

Figure 1: IBM takes a holistic approach to security through the IBM Security Framework.

IBM has the technology and expertise to deploy end-to-end security solutions for smart grid implementations, and is committed to providing security solutions within the context of regulatory standards.

Security for the utility business

In-depth IT security design principles state that better security management is achieved when an entity is protected by not just one layer or one component, but by multiple, diverse mechanisms. These and many other IT security principles are addressed by global IT security standards ISO 27002:2005 and ISO 15408. They cover areas such as defense-in-depth principles, trusted and consistent identities, authentication and access control, information flow control, encryption of sensitive data at-rest and in-transit, audit and compliance, and resiliency. All energy and utility organizations should leverage these principles for their corporate business and IT infrastructures.

Business applications can pose a serious security threat when accessed by unauthorized users. Applications can produce unintended results with malformed input data.
Thus, utility applications must be immune to issues such as suspicious demand-response bids from a home, a negative meter reading, or more subtle but seemingly valid scenarios. IBM can help utilities scan applications with security penetration testing for vulnerabilities before they are deployed and while they are in operation.

Security for advanced metering data management systems

IBM is working with utilities to implement smart meters as a core component of a new intelligent utility network infrastructure that uses digital technology. Many meter vendors have implemented their own protocols between the smart meter and the head-end collectors to comply with the security requirements released by the Advanced Metering Infrastructure (AMI-SEC) Task Force.[8] These security requirements take into account security standards from organizations such as NERC, IEC, and National Institute of Standards and Technology (NIST).

While the jurisdiction between smart meters and the head-end collectors often lies with the meter vendor of choice, the utility meter network data is fed into different business processes and applications such as meter demand management, enterprise asset management, financial management, customer support, and outage management. IBM has been working with utility companies to rapidly adopt a service-oriented architecture (SOA) approach for such business processes and applications.
Advanced meter management from IBM is a cornerstone of the IBM Intelligent Utility Network solution suite.[9]

IBM has also developed the Solution Architecture for Energy (SAFE), a framework which enables integration across the enterprise with grid and distribution management, finance and administration, customer management, human resources, and procurement. As shown in Figure 2, the enterprise portion of SAFE is based on SOA, which enables the utility to build and extend new services to customers easily and cost-effectively through the efficient flow of information across the enterprise. This architecture is intended to provide business applications and services that can securely interoperate with business partners, suppliers, regulators, and utility customers while securely maintaining the confidentiality, integrity, and accountability of data exchanged, and that can also link to embedded and operational systems.

Figure 2: The IBM Solution Architecture for Energy (SAFE) framework for utilities enables secure integration across the enterprise.

Security for SCADA systems

IBM recognizes that security for the smart grid goes beyond the business and IT domains. Conventional enterprise IT security measures must be adapted and extended into the industrial process control systems, which involve a myriad of proprietary interfaces, protocols, and heterogeneous devices spread over a large geographic and governance space. The challenge for smart grid security is that there are two distinct spaces that must be bridged securely. The business enterprise operations of the energy utility often engage in data sharing that relies on the Internet as well as corporate intranets and extranets.
Existing programmable logic controllers, remote terminal units (RTUs), and SCADA systems may have been designed with security based on physical isolation. Some utilities are using corporate intranets or even the Internet to access devices on the control systems in order to increase productivity and offer seamless connectivity. These approaches require thoughtful analysis because they may introduce new security vulnerabilities.

Industrial control systems security typically involves securing two different computing systems and networks. First, the operator consoles and applications that use commercial operating systems must be secured. These consoles are typically protected by enterprise role-based access control and governed by business-driven policy. Second, the process equipment control systems that receive commands, measure data, and generate actions and events must be secured. These field devices were designed to reside in isolated process-control networks, with the assumption that only a few, trusted operators would have the ability to access them.

IP-enabling this field equipment into intelligent electronic devices (IEDs) allows for seamless remote control but can make the control infrastructure more vulnerable. Proper network demarcation and protection of networks with appropriate security controls is essential for robust smart grid security (see Figure 3).

Figure 3: Robust smart grid security addresses security focus points all along the utility value chain. (Diagram labels: SCADA network systems; generating station; transmission and substation system; step-down substation; substation remote monitoring equipment; distribution system; concentrators; meter to concentrator; wireless communications links; residential customer; commercial customer; utility; utility communication link; advanced metering data management system.)
IBM participates in open security standards committees and embraces these standards to facilitate integration with industry-leading components, including integration with different end-point devices and with independent service vendors (ISVs) who are helping to create successful solutions. This is essential for SCADA security where there are several players that comprise the process control grid equipment.

Remote device monitoring is the key to enhancing the reliability of the grid. The substations along the electricity supply chain contain many RTUs or IEDs. However, the monitored data from these substations can only be relied upon if the integrity of the data is assured by the security of the substation equipment. Currently, there is a need to perform case-by-case technical assessments of vendor products, studying the interfaces they expose and the protocols they use so that their security can be assured within the greater cyber security context. Security for such devices is being standardized according to the IEC/TS 62351 and 62443 standards.

As more standardization occurs in smart grids, the process control networks can benefit from lessons learned from IT networks running business applications. This allows for some Internet technologies to be applied for remote device monitoring where applicable. Timing and deterministic properties have to be evaluated so security does not disrupt the prime mission of these systems. IBM's IT security capabilities can be used for remote device monitoring, along with enterprise asset management software and grid operations.
Supporting Critical Infrastructure Protection standards

Most countries have developed mandatory reliability standards applicable to all energy-producing and transmitting utilities, like the NERC Critical Infrastructure Protection (CIP) standard in North America.[10] One area of regulatory reliability specifically addresses protecting electric grid bulk-power cyber assets.

IBM can help utilities comply with critical infrastructure protection standards like the ones listed in NERC CIP-001 through CIP-009 by applying security offerings at consulting, design, development, build, and operational levels. Leveraging the IBM Security Framework infuses security into the lifecycle of energy management software and the networking of field control devices.

Highlights: IBM can help utilities comply with critical infrastructure protection standards such as NERC-CIP by applying a range of industry-leading security solutions.

Sabotage Reporting (CIP-001): NERC provides directives and procedures for detection, recognition and reporting of sabotage events. It specifies procedures for communications to appropriate parties and local authorities. It expects security monitoring tools to provide near real-time notifications for reporting. IBM solutions enable the utility to continuously monitor security violations during operations, as well as detect out-of-compliance conditions. These products can even help track user activity for privileged users, including physical location, deterring insider attacks.

Critical Cyber Asset Identification (CIP-002): NERC has recognized the need for identification and documentation of critical cyber assets. Identifying these assets and their relationships helps lay the foundation for applying security principles within each asset's function as well as communications between the asset and other assets in the grid value chain. IBM can assist in building an integrated asset management solution.
Security Management Controls (CIP-003): This directive calls for responsible organizations to document and implement a cyber security policy to represent the company's commitment to security and their ability to secure critical cyber assets. IBM can assist with a comprehensive cyber security solution with functions like policy management, authentication and authorization of grid systems commands, protection and inspection of all XML traffic across network boundaries, management of keys used in encryption of data stored on tapes and disk, enablement of change management processes for configuration changes to cyber assets, comparison of activity logs against security policies, and provision of centralized identity, access, attestation and audit services.

Personnel & Training (CIP-004): With this directive, NERC defines the obligations of utility management to conduct thorough personnel risk assessments in accordance with federal, state, provincial, and local laws. All personnel having authorized cyber access or authorized unescorted physical access to critical cyber assets as well as field assets must get access on a need-to-know basis. IBM solutions can help oversee the entire process of managing personnel risk assessments, including enrollment, proofing, and background checks as part of the identity vetting process. IBM also provides tools for managing learning/training programs.

Electronic Security Perimeter (CIP-005): According to NERC, the utility is responsible for ensuring that every critical cyber asset resides within an electronic security perimeter. This perimeter needs to be identified and all access points to it need to be identified, documented, and controlled. IBM solutions for intrusion and anomaly detection can not only protect IT networks from worms, malware and viruses, but also monitor traffic between intelligent field devices for signs of suspicious activity.
Physical Security of Critical Cyber Assets (CIP-006): This directive defines the physical security of a critical cyber asset as being comprised of five distinct elements: deterrence, detection, assessment, communications, and response. IBM's command and control center solution provides advanced physical security integration, enabling organizations to control, monitor and maintain disparate security systems and assets through a single interface.

Systems Security Management (CIP-007): This item in the standard directs security management and testing procedures, patch management, account management, and vulnerability analysis. Organizations need to ensure that new cyber assets and significant changes to existing cyber assets within the electronic security perimeter do not adversely affect existing cyber security controls. IBM provides a comprehensive management suite that provides uniform patch management for heterogeneous platforms, change and configuration management, intrusion detection and analysis, authoring and enforcement of strict identity provisioning policies, vulnerability testing for applications, consolidated logging, event correlation, dashboards for visualization, and escalation mechanisms.

Incident Reporting and Response Planning (CIP-008): This directive calls for the IT and process-control operations to develop and maintain a cyber security incident response plan, documenting procedures to classify and escalate events and report security incidents to authorities. IBM's service, incident, and problem management capabilities help manage processes for security incidents with a well-documented, repeatable workflow.

Recovery Plans for Critical Cyber Assets (CIP-009): Standard CIP-009 ensures that recovery plans are put in place for critical cyber assets and that these plans follow established business continuity and disaster recovery techniques and practices. IBM's asset management solutions enable services delivery and support processes for the most dynamic IT infrastructures, ensuring business resilience and promoting faster recovery during failures.

Conclusion

Highlights: IBM enables a holistic approach to grid security, providing hardware, software, and services that build on an integrated security framework to deliver comprehensive capabilities.

IBM's holistic approach to grid security is about not only the comprehensive set of capabilities listed above, but the ability to build on our common security framework, integrating and optimizing the built-in security features of IBM hardware, software and service offerings while providing a platform for other ISV security products as well (see Figure 4).

Figure 4: The IBM Security Framework integrates IBM hardware, software, and services while providing a platform for other ISV security products.

IBM provides a comprehensive set of products and consulting, design, deployment, and managed service offerings to help comply with NERC-CIP security requirements and other industry regulations. IBM also has the expertise to implement the 21 steps recommended by the DOE for SCADA security.[11] IBM has a proven track record in securing our nation's most critical infrastructures including military, banking, stock markets, and utilities.
IBM is unique in its ability to provide an unparalleled breadth and depth of technology, services, and scalability for proven, quantifiable results.

For more information

To learn more about how IBM solutions can help your organization meet security regulations and requirements, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security and ibm.com/energy

© Copyright IBM Corporation 2009

IBM Corporation Software Group, Route 100, Somers, NY 10589, U.S.A.

Produced in the United States of America, September 2009. All Rights Reserved.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

The customer is responsible for ensuring compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.

[1] Gorman, Siobhan, "Electricity Grid in U.S. Penetrated by Spies," The Wall Street Journal. April 8, 2009. http://online.wsj.com/article_email/SB123914805204099085-lMyQjAxMDI5MzA5ODEwNDg4Wj.html
[2] "Smart Grid: Enabler of the New Energy Economy," The Electricity Advisory Committee of the U.S. Department of Energy. December 2008. Guido Bartels, IBM General Manager, Energy & Utilities Industry and Chairman, Gridwise Alliance, provided key leadership for this paper. www.oe.energy.gov/DocumentsandMedia/final-smart-grid-report.pdf
[3] "FERC accelerates Smart Grid development with proposed policy, action plan," Federal Energy Regulatory Commission. March 19, 2009. www.ferc.gov/news/news-releases/2009/2009-1/03-19-09.asp
[4] Callahan, Stephen J., "Rebuilding the grid," IBM. April, 2004. www-935.ibm.com/services/in/igs/pdf/ge510-3587-00f-rebuild-grid.pdf
[5] Council Directive 2008/114/EC, Official Journal of the European Union. December 2008. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF
[6] European Commission, Energy, Critical Infrastructure Protection. http://ec.europa.eu/energy/infrastructure/critical_en.htm
[7] Centre for the Protection of National Infrastructure. www.cpni.gov.uk
[8] "AMI System Security Requirements V1.01," UCAIUG: AMI-SEC-ASAP. December 17, 2008. www.controlsystemsroadmap.net/pdfs/AMI_System_Security_Requirements-v1_01-1.pdf
[9] "Smarter Grids for a Smarter Planet: IBM's Intelligent Utility Network Solutions," IBM. May 28, 2009. https://www950.ibm.com/events/wwe/grp/grp018.nsf/vLookupPDFs/T2_4_Smarter_Grids/$file/T2_4_Smarter_Grids.pdf
[10] North American Electric Reliability Corporation, Reliability Standards, Critical Infrastructure Protection (CIP). www.nerc.com/page.php?cid=2|20
[11] "21 Steps to Improve Cyber Security of SCADA Networks," The President's Critical Infrastructure Protection Board, U.S. Department of Energy. www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

TIW14041-USEN-00