
High Assurance Smart Grid

Thomas M. Overman, CISSP, ISSMP, PMP
Chief Architect, Boeing Energy Cyber Security
Boeing Defense, Space and Security
884 Hermosa Ct., Sunnyvale, CA 94088
thomas.overman@boeing.com

Ronald W. Sackman
Chief Network Architect, Applied Network Solutions
Boeing Defense, Space and Security
884 Hermosa Ct., Sunnyvale, CA 94088
ronald.w.sackman@boeing.com

Terry L. Davis, P.E.
Technical Fellow, Airplane Systems
Boeing Commercial Airplanes
3003 West Casino Road, Everett, WA 98204
terry.l.davis@boeing.com

Abstract

As electrical grids evolve through the introduction of additional smart sensors and actuators, cyber security becomes an even more significant factor. Information Assurance controls must be implemented throughout the grid, from large-scale power generating facilities, through transmission and distribution systems, to Building Management Systems (BMS) and Home Area Networks (HAN). A precursor to determining the appropriate controls for any particular device is to determine the trust model within which these devices exist. This paper sets out to define a multi-level framework for a trust model to be used throughout the electrical grid. The model is based on two core principles: categorize cyber security requirements based on a subsystem's potential impact on the overall grid; and implement controls based on an assumed compromise of adjacent subsystems. From a Smart Grid Cyber Security perspective, rather than attempting to create an all-encompassing enclave of trust, this model suggests that systems should be designed in ways which expect compromise of adjacent systems. An expansive sphere of implied trust will inevitably lead to an expansive sphere of vulnerability. Having an expectation of compromise, of a lack of trust, would be preferable, as it will require subsystems to implement independent, rather than dependent, cyber security controls.

Keywords: Smart Grid; Trust Model; Standards; Cyber Security; Information Assurance

Copyright Statement: Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CSIIRW '10, April 21-23, Oak Ridge, Tennessee, USA. Copyright 2010 ACM 978-1-4503-0017-9 ... $5.00

I. INTRODUCTION

The electrical grid encompasses everything from power generation to transmission and distribution systems, and the electrical loads connected to the system. It also includes both centralized and distributed power generation and storage systems which vary in scale by several orders of magnitude. This grid can be viewed as a networked system of systems, with literally millions of nodes. For many years there have been reports of cyber security vulnerabilities being identified and exploited within the grid. As the implementation of additional electronic sensors and actuators becomes more pervasive over the coming decades, implementing appropriate cyber security controls will become even more critical to the overall health of the system.

In such an extensive and diverse system of systems, it is neither possible nor necessary to establish peer trust relationships between every device in the system. For example, a home water heater and a transmission substation actuator have very different impacts on the overall grid.

Over the past two decades the aviation industry has been addressing the security of integrated sensors and actuators made by several vendors and integrated into a single system. The model proposed here is based to some extent on the model used in the aviation industry for categorizing various control subsystems by their criticality to the overall system (the airplane) [1]. The model defines three categories, based on the impact of a sub-system failure (catastrophic, major and minor impact) on the regional grid. The initial guidance shown in [1] gives three levels of sub-system impact:

1. Level A
2. Level B
3. Level C

Aviation also defines Levels D and E, as levels which have a lower impact. These may be applicable for uses like some system metering needs, some industrial metering, and home metering.

The second principle to be taken from [1] is the concept of fail-safe operation. Avionics systems must be designed in ways which expect failure of adjacent systems. From a Smart Grid Cyber Security perspective, rather than attempting to create an all-encompassing enclave of trust, this model suggests that systems should be designed in ways which expect compromise (whether through system failure, user error, or malicious activity) of adjacent systems. An expansive sphere of implied trust will inevitably lead to an expansive sphere of vulnerability. Having an expectation of compromise, of a lack of trust, would be preferable, as it will require subsystems to implement independent, rather than dependent, cyber security controls.
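As an added illustration of the two principles above (this is example code written for this edit, not code from the paper or from Boeing), the following Python models a chain of grid subsystems, each tagged with an impact level, that accept inputs from an adjacent subsystem on implied trust. It computes each subsystem's "sphere of vulnerability" (every subsystem whose compromise reaches it through chains of implied trust) and flags the cases where a higher-impact subsystem inherits risk from a lower-impact one. The subsystem names, the trust edges, the numeric ranking of Levels A to E, and the rule that a subsystem with its own independent controls stops the chain are all assumptions constructed for the example.

```python
import copy
from collections import deque
from dataclasses import dataclass, field

# Impact levels A-E as named in the paper (A the highest impact). The numeric
# rank is an assumption used only for comparison: lower rank = higher impact.
LEVEL_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4}


@dataclass
class Subsystem:
    name: str
    level: str
    # Adjacent subsystems whose inputs this one accepts on implied trust
    # (constructed attribute for the example, not a term from the paper).
    implied_trust: set = field(default_factory=set)
    # True when the subsystem validates and authenticates its inputs itself,
    # i.e. it is designed on the assumption that its neighbours are compromised.
    independent_controls: bool = False


def sphere_of_vulnerability(grid, name):
    """Return the set of subsystems whose compromise reaches `name` through
    chains of implied trust. A subsystem with independent controls does not
    extend the chain: it treats every input as untrusted, so a neighbour's
    compromise stops there."""
    reached = set()
    queue = deque([name])
    while queue:
        current = grid[queue.popleft()]
        if current.independent_controls:
            continue  # nothing propagates through a subsystem that trusts no neighbour
        for neighbour in current.implied_trust:
            if neighbour not in reached:
                reached.add(neighbour)
                queue.append(neighbour)
    return reached


def trust_violations(grid):
    """List (subsystem, source) pairs where a subsystem's sphere of vulnerability
    contains a lower-impact subsystem. Treating that as a violation is one
    reading of the paper's second principle (an assumed example policy)."""
    violations = []
    for name, node in grid.items():
        for source in sphere_of_vulnerability(grid, name):
            if LEVEL_RANK[grid[source].level] > LEVEL_RANK[node.level]:
                violations.append((name, source))
    return sorted(violations)


def with_independent_controls(grid, *names):
    """Copy of the grid in which the named subsystems implement their own controls."""
    hardened = copy.deepcopy(grid)
    for name in names:
        hardened[name].independent_controls = True
    return hardened


# Constructed sample grid: a chain from a transmission actuator down to a home
# appliance, every link on implied trust and no independent controls anywhere.
GRID = {
    "transmission_actuator": Subsystem("transmission_actuator", "A", {"substation_gateway"}),
    "substation_gateway": Subsystem("substation_gateway", "B", {"distribution_controller"}),
    "distribution_controller": Subsystem("distribution_controller", "C", {"building_bms"}),
    "building_bms": Subsystem("building_bms", "D", {"home_water_heater"}),
    "home_water_heater": Subsystem("home_water_heater", "E"),
}

if __name__ == "__main__":
    print("implied trust everywhere:",
          sorted(sphere_of_vulnerability(GRID, "transmission_actuator")),
          len(trust_violations(GRID)), "violations")
    partly = with_independent_controls(GRID, "substation_gateway")
    print("gateway hardened:",
          sorted(sphere_of_vulnerability(partly, "transmission_actuator")),
          len(trust_violations(partly)), "violations")
    fully = with_independent_controls(GRID, *GRID)
    print("all subsystems independent:", trust_violations(fully))
```

Run as written, the sphere of the Level A actuator contains all four downstream subsystems while trust is implied everywhere; hardening the gateway alone shrinks it to the gateway itself, and hardening the actuator too empties it. The violation list only reaches zero when every subsystem carries its own controls, which is the paper's distinction between dependent and independent controls.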

REFERENCES

[1] Federal Aviation Administration Advisory Circular AC-25.1309-1A, 21 June 1988.

Additional references in full paper to be published at a later date.
