When it comes to securing today’s mesh networked smart meters -- the kind that make up most of the 50 million or so (and counting) smart meters deployed in North America today -- there’s a desperate need for cybersecurity at the fringes of the network.
That’s one way of describing a core cybersecurity challenge for smart meter neighborhood area networks (NANs) laid out in a recent report from the Electric Power Research Institute. Given the mounting pressure from the Obama administration and federal regulators on securing the country’s critical infrastructure from cyber-attack -- along with the continuing news of hacks of smart meter networks -- it’s worth going into in more detail.
EPRI’s report, Intrusion Detection Systems for Advanced Metering Infrastructure, studies the ability of today’s AMI security systems to catch intrusion attempts, which can range from data theft attempts to cyber-attacks or other threats. While EPRI didn’t name specific AMI vendors, the report collected data from utilities with big mesh-based AMI deployments including Landis+Gyr customer Oncor, Itron customers DTE Energy and Southern California Edison, and Exelon, which owns Silver Spring Networks customer Commonwealth Edison.
EPRI also talked to fifteen smart grid security solutions vendors in the field, and found that almost all of them practiced two forms of centralized cybersecurity: using network-based intrusion detection sensors and centralized security information and event managers (SIEMs). A SIEM is a utility network-based piece of software that “receives logs from security appliances and devices using Syslog and a variety of information sources,” and offers central databases to manage event correlation and visualization over time.
These products, many of which were originally developed for SCADA networks, “offer a cost-effective solution to monitoring events and communication traffic from a large volume of AMI devices,” the report found. However, “the cost advantage of deploying only a centralized solution has to be weighed against the limitation of not having visibility over events that occur at the edge of the network.”
That’s because the hundreds or thousands of smart meters that make up a neighborhood area network are open to threats that centralized systems may not catch, Galen Rasche, EPRI’s technical executive for industrial cybersecurity, said in an interview last week.
“As far as I know, there’s not much monitoring going on of what happens in field networks themselves,” he said. “We’ve not done the testing on that ourselves at this point” to prove out the data collected in the report, he clarified, though EPRI did review fourteen separate academic studies on IDS in SCADA or AMI-related fields during its hunt for solutions.
Not knowing what’s happening in the NAN can be a problem, however, Rasche said. If an intruder can get into that network, he or she can do things like harvest meters away from the communications hubs or relays that connect meters to the utility’s central network, flood them with an overflow of data, or even inject commands, he said. While meters don’t control a ton of power flow, they can automatically connect and disconnect -- and they’re also repositories of customer data that utilities have pledged to protect.
EPRI’s report finds a number of reasons why utilities haven’t invested in more field-area intrusion detection, including the “need for high cost efficiency, the lack of maturity of AMI security (e.g., how to assess the likelihood and criticality of a smart meter compromise), and the difficulty of integrating proprietary communication protocols” like today’s AMI mesh networks, which remain proprietary at the physical layer of communications.
The report also goes into some detail on one potential solution to the problem. It’s called a “specification-based IDS,” and it’s a way of embedding some simple security into field-area networks, via formal models for the simple protocols like ANSI C12.22 that underlie today’s mesh networks.
Those protocols have certain sequences of handshakes, initiation and data transfer events and messages that can be tracked, Rasche explained. A specification-based IDS, which could be embedded on a few of the hundreds of smart meters out in the FAN or in a separate device, creates a model that detects and flags anything that falls outside that normal flow and pattern of data traffic, so that “if you see a packet from something, a meter, that seems out of order or doesn’t make sense, you can identify it,” he said.
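As an added illustration of the approach Rasche describes (not code from EPRI, PERFORM or any vendor), here is a toy specification-based IDS that tracks each meter's session against an allowed sequence of services and flags any message that falls outside that flow. The session model and service names are a simplified assumption loosely modelled on ANSI C12.22 PSEM service names, not the standard's actual state machine, and the sample traffic is constructed.

```python
"""Toy specification-based IDS: flag protocol messages that fall outside
the expected session flow of a metering protocol (constructed example)."""
from collections import defaultdict

# Allowed (current_state, service) -> next_state. This is a simplified,
# assumed session model inspired by ANSI C12.22 PSEM service names; it is
# not the standard's actual state machine.
TRANSITIONS = {
    ("idle", "identify"): "identified",
    ("identified", "logon"): "logged_on",
    ("identified", "terminate"): "idle",
    ("logged_on", "security"): "authorized",   # credential presented
    ("logged_on", "read"): "logged_on",
    ("logged_on", "logoff"): "identified",
    ("logged_on", "terminate"): "idle",
    ("authorized", "read"): "authorized",
    ("authorized", "write"): "authorized",     # writes only after security
    ("authorized", "logoff"): "identified",
    ("authorized", "terminate"): "idle",
}

def parse_event(line):
    """Parse a constructed 'meter=<id> service=<name>' log line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return fields["meter"], fields["service"]

def check_events(lines):
    """Run each meter's messages through the spec model; return alerts
    as (line_no, meter, service, state_when_seen) tuples."""
    state = defaultdict(lambda: "idle")  # per-meter session state
    alerts = []
    for n, line in enumerate(lines, 1):
        meter, service = parse_event(line)
        nxt = TRANSITIONS.get((state[meter], service))
        if nxt is None:
            alerts.append((n, meter, service, state[meter]))
            continue  # out-of-order message does not advance the state
        state[meter] = nxt
    return alerts

# Constructed sample traffic: M01 is a normal session; M02 sends a write
# without any logon/security exchange; M03 reads before identifying.
SAMPLE = [
    "meter=M01 service=identify", "meter=M01 service=logon",
    "meter=M02 service=identify", "meter=M01 service=security",
    "meter=M02 service=write", "meter=M01 service=write",
    "meter=M03 service=read", "meter=M01 service=logoff",
    "meter=M01 service=terminate",
]

if __name__ == "__main__":
    for n, meter, service, st in check_events(SAMPLE):
        print(f"line {n}: {meter} sent '{service}' while in state '{st}'")
```

A real deployment would key state on the session rather than just the meter and would bound how long a session may sit idle, but the core check is the same: a message not allowed in the current state is an alert.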
Rasche added that the University of Illinois’s PERFORM group, a research team that worked on the report, has developed a specification-based IDS that it’s piloting with utilities, though he wouldn’t say which ones. (PERFORM has published a report on its specification-based IDS (PDF), as well as other intrusion detection research.)