Title: Himanshu Khurana, University of Illinois
Slide 1: Trustworthy Wide Area Measurement Systems
- Presented by Himanshu Khurana, University of Illinois
- ACM CCS 2009 Tutorial on Cyber Security for the Power Grid
Slide 2: Outline
- Wide area transmission systems
- August 2003 blackout
- Analysis and recommendations
- North American Synchrophasor Initiative (NASPI)
- NASPInet Wide Area Network
- Challenges: distributed networking, quality of service, cyber security
Slide 3: Background: Power Grid Control Center Networks and Applications
Control Communication Architecture
From a presentation by D. Whitehead, Communication and Control in Power Systems, TCIP Summer School, June 2008
Slide 4: Background: Power Grid Control Center Networks and Applications
Control centers
Slide 5: Who's in charge?
- Federal Energy Regulatory Commission (FERC)
- North American Electric Reliability Corp. (NERC)
- State legislatures
- Regional reliability councils
- ISOs and RTOs
- State commerce commissions
- Control area operators
Slide 6: NERC Regions
Slide 7: Balancing Authorities (Control Areas)
Slide 8: Current Control Strategy and Hierarchy
- Centralized Control Center (Balancing Area)
  - Open loop control
  - Telemetry through SCADA
  - Polls data every 2 seconds
- Local control (power plants, substations)
  - Feedback control
  - Protection
- Balancing Authorities (BAs)
  - Real-time generation, load and interchange balance
- Reliability Coordinators (RCs)
  - Wide area coordination and reliability
Slide 9: NERC Interconnections
Slide 10: Independent System Operators / Regional Transmission Operations
Slide 11: Major North American Blackouts

Date               | Location                 | Load Interrupted
November 9, 1965   | Northeast                | 20,000 MW
July 13, 1977      | New York                 | 6,000 MW
December 22, 1982  | West Coast               | 12,350 MW
January 17, 1994   | California               | 7,500 MW
December 14, 1994  | Wyoming, Idaho           | 9,336 MW
July 2, 1996       | Wyoming, Idaho           | 11,743 MW
August 10, 1996    | Western Interconnection  | 30,489 MW
June 25, 1998      | Midwest                  | 950 MW
August 14, 2003    | Northeast                | 61,800 MW
Slide 12: Blackout of August 14, 2003
Credit: Jeff Dagle
Slide 13: August 14, 2003 Blackout Investigation
- Review performance of plants and assess possibility of damage.
- Determine if failures were caused with malicious intent.
- Investigate the cascading electrical failure.
- Phase I
  - Investigate the outage to determine its causes and why it was not contained
  - Interim report released November 19, 2003
- Phase II
  - Develop recommendations to reduce the possibility of future outages and minimize the scope of any that occur
  - Final report released April 5, 2004
Credit: Jeff Dagle
Slide 14: Blackout Root Causes
- Situational Awareness: lack of effective
  - contingency analysis capability
  - procedures to ensure operators were aware of the status of critical monitoring tools
  - procedures to test monitoring tools after repairs
  - monitoring tools after the alarm system failed
- Vegetation management
- Reliability Coordinator Diagnostics
  - Lack of wide area visibility, monitoring, coordination
Slide 15: Select Blackout Report Recommendations
- Use better real-time tools for grid monitoring and operation
- Establish physical and cyber-security capabilities
Slide 16: Wide Area Situational Awareness
- A FERC/NIST Priority Area
  - Monitoring and display of power system components and performance across interconnections and wide geographic areas in real time
  - Enable understanding, optimized management and performance; prevent/respond to problems
- Other relevant priorities
  - Cyber Security: measures to ensure the confidentiality, integrity and availability of the electronic information communication systems necessary for the management and protection of the Smart Grid's energy, information technology, and telecommunications infrastructures
  - Network Communications: encompassing public and non-public networks, the Smart Grid will require implementation and maintenance of appropriate security and access controls tailored to the networking and communication requirements of different applications, actors and domains
Slide 17: Wide Area Measurement System
- A Wide Area Measurement System (WAMS) is crucial for the Grid
- One very promising data source for WAMS: Synchrophasors
  - GPS clock synchronized
  - Fast data rate (>30 samples/sec)
  - Phasor Measurement Unit (PMU)
- Future applications will rely on a large number of PMUs envisioned across the Grid (>100k)
- WAMS design and deployment underway: North American Synchrophasor Initiative (www.naspi.org)
  - Collaboration: DOE, NERC, utilities, vendors, consultants and researchers
  - NASPInet: distributed, wide-area network
Slide 18: PMUs and Synchrophasors
- Traditional SCADA data since the 1960s
  - Voltage and current magnitudes
  - Frequency
  - Every 2-4 seconds
- Future data from Phasor Measurement Units (PMUs)
  - Voltage and current phase angles
  - Rate of change of frequency
  - Time synchronized using GPS, 30-120 times per second
Slide 19: Why do Phase Angles Matter?
Wide-area visibility could have helped prevent the August 14, 2003 Northeast blackout.
Slide 20: Why do Phase Angles Matter?
Entergy and Hurricane Gustav: a separate electrical island formed on Sept 1, 2008, identified with phasor data. The island was kept intact and resynchronized 33 hours later.
Source: Entergy
Slide 21: Phasor Application Taxonomy
Slide 22: PMU Applications and Deployment
Source: Chakrabarti, Kyriakides, Bi, Cai and Terzija, "Measurements Get Together", IEEE Power & Energy Magazine, January-February 2009
Slide 23: (figure) Source: NASPI
Slide 24: Current Architecture for PMU Data Sharing
(figure labels: Secure Network; Apps)
Source: NASPI
Slide 25: Envisioned PMU Data Flow in NASPInet
Slide 26: Opportunities and Challenges
- Opportunities
  - Important applications emerging that require data sharing
  - Research into new applications needed
  - Smart Grid Investment Program to fund deployment of 800 PMUs nation-wide
- Challenges in data sharing
  - Distributed network for data delivery
  - Tradeoffs between operational, regulatory and business aspects
- Challenges in realizing NASPInet
  - Distributed wide-area network design
  - Network management
  - Quality of Service and real-time delivery
  - Cyber security
  - Progress on these topics made in the recently released NASPInet specification document (Quanta Technologies)
Slide 27: Wide Area Networking
Source: NASPInet Specification
Slide 28: Network Management
- Network management functions
  - Performance
  - Configuration
  - Accounting
  - Fault management
  - Security management
- Need for appropriate services in NASPInet and means to coordinate between organizations
Slide 29: Quality of Service
- QoS goals per data flow are to minimize latency, delay, jitter, loss and error
- Overall QoS goals are to support dedicated bandwidth, resource provisioning and allocation, avoiding and managing network congestion, shaping network traffic and managing priorities
- A suggested approach: class-based QoS
Slide 30: Cyber Security
- Authentication and Integrity
  - Essential to ensure reliable and trustworthy decisions
  - Tools: cryptographic protocols leveraging digital signatures, HMACs, etc.
  - Challenges: efficiency, supporting one-to-many data exchanges
- Availability
  - Essential due to the critical nature of the underlying power system
  - Specific requirements may vary by application class
  - Tools: redundancy, security monitoring, attack detection and response, fail-safe design
  - Challenges: scalability and cost-effective design
- Confidentiality
  - Needed to provide data privacy
  - Tools: encryption protocols, access control
  - Challenges: efficiency for streaming data, supporting one-to-many data exchanges
Slide 31: Cyber Security
- Key Management
  - Distribution and management of key material and credentials
  - Revocation
  - Tools: Public Key Infrastructure, on-line credential distribution/verification services
  - Challenges: scalability, trust establishment
- Monitoring and compliance
  - Intrusion detection and response services
  - Future regulations may apply, e.g., NERC CIP
  - Tools: IDS, firewalls, etc.
  - Challenges: multi-organization coordination
Slide 32: Authentication Protocols for Power Grid
- Authentication is a widely recognized problem for the power grid.
- Currently, there is a focus on developing authentication protocols, e.g., DNP3 Secure Authentication and IEC 62351-5.
- Designing security protocols is hard and error-prone.
- The literature has many examples of security protocols that were considered secure but were broken later:

Protocol                                       | Attacks               | Cause/Vulnerability
Authentication Protocol by Woo and Lam         | Impersonation attacks | Lack of explicit names
STS by Diffie, van Oorschot and Wiener         | Impersonation attacks | Change in environmental conditions
Kerberos V4 by Steve Clifford                  | Replay attacks        | Incorrect use of timestamps
TMN by Tatebayashi, Matsuzaki and Newman       | Oracle attacks        | Information flow
Slide 33: Design Principles for Power Grid Cyber-Infrastructure Authentication Protocols

Principle                    | Attacks Mitigated                                                              | Applicability to Power Grid Authentication Protocols
Explicit Names               | Impersonation attacks.                                                         | Need for explicit names for each entity in the power grid.
Unique Encoding              | Interleaving and parsing ambiguity attacks.                                    | Insufficiency of legacy protocols to build security on them, since they carry no protocol identifiers.
Explicit Trust Assumptions   | Prevents errors due to unclear or ambiguous trust assumptions.                 | Need to clearly state all trusted entities in power grid protocols and the extent of trust in them.
Use of Timestamps            | Prevents replay attacks.                                                       | Need for high granularity of time synchronization.
Protocol Boundaries          | Prevents incorrect function of the protocol in its environment.                | Need for thorough analysis of the power grid environment.
Release of Secrets           | Prevents blinding attacks and compromise of old keys.                          | Need to ensure that compromise of some remote devices does not compromise a large number of keys.
Explicit Security Parameters | Prevents errors due to exceeding the limitations of cryptographic primitives.  | Reduction in maintenance overhead by explicitly stating security parameters in remote devices.
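As an added example (not code from the tutorial, NASPI or any real protocol), the Python below applies four of the principles above to an authenticated PMU-to-PDC data frame: explicit names, unique encoding with a protocol identifier, timestamps tied to the GPS-synchronized clocks from slide 18, and an HMAC for integrity as listed on slide 30. The protocol identifier, key, device names and payload are constructed placeholders; the freshness window is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In NASPInet the key would come from the key-management
# services on slide 31 (PKI, on-line credential distribution), one key per device,
# so that a compromised remote device does not expose other devices' keys.
KEY = b"demo-shared-key-not-for-production"
PROTOCOL_ID = b"pmu-auth-demo/1"  # assumed protocol identifier, not from any real spec
FRESHNESS_US = 200_000            # assumed 200 ms window; PMU and PDC clocks are GPS-synchronized

def canonical(sender, receiver, ts_us, seq, payload):
    """Unique encoding: fixed field order, variable-length fields length-prefixed,
    protocol identifier included, so one field cannot be reparsed as another."""
    out = b"".join(struct.pack(">I", len(f)) + f for f in (PROTOCOL_ID, sender, receiver, payload))
    return out + struct.pack(">QQ", ts_us, seq)

def sign(sender, receiver, ts_us, seq, payload, key=KEY):
    """Sender (PMU) side: fields travel in the clear with an HMAC-SHA256 tag over them."""
    tag = hmac.new(key, canonical(sender, receiver, ts_us, seq, payload), hashlib.sha256).digest()
    return {"sender": sender, "receiver": receiver, "ts_us": ts_us,
            "seq": seq, "payload": payload, "tag": tag}

class Verifier:
    """Receiver (e.g. a phasor data concentrator) state for one expected sender."""

    def __init__(self, my_name, expected_sender, key=KEY):
        self.my_name, self.expected_sender, self.key = my_name, expected_sender, key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg, now_us):
        # Explicit names: the frame must name this receiver and the expected peer,
        # so a reflected or redirected frame is rejected before any crypto runs.
        if msg["receiver"] != self.my_name or msg["sender"] != self.expected_sender:
            return "bad-names"
        body = canonical(msg["sender"], msg["receiver"], msg["ts_us"], msg["seq"], msg["payload"])
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-mac"
        # Timestamps: anything outside the freshness window is rejected.
        if abs(now_us - msg["ts_us"]) > FRESHNESS_US:
            return "stale"
        # Sequence numbers close the gap the window leaves: an old frame replayed
        # within the window is still rejected.
        if msg["seq"] <= self.last_seq:
            return "replay"
        self.last_seq = msg["seq"]
        return "ok"
```

At 30-120 frames per second the sequence check is what actually catches a replay; the timestamp alone only bounds how old a replayed frame can be.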
Slide 34: Questions?