
POWER & ENERGY Cyber security considerations in smart grid ecosystem

Jul 9, 2020

With the smart grid ecosystem ready to bring in a new era of efficiency and reliability, it has also invited cyber-attack issues that could potentially wreak havoc on national security infrastructure and customer satisfaction. It is essential to ensure that something so critical considers security in the early stages of the software lifecycle. LDRA has developed and driven the market for software that automates code analysis and software testing for safety, mission, security and business-critical markets. It traces requirements through static and dynamic analysis to unit testing and verification for a wide variety of hardware and software platforms. The article explains the aspects that need to be taken into consideration, and the requirements and procedures for the security of smart grids. - Priyasloka Arya, Sr Technical Manager, LDRA Certification Services; Harish Balasubramanian, Marketing Research Manager, LDRA

Smart grids provide bi-directional communication between utility and customers, with sensing from power generation to consumption. A smart grid ecosystem would transform the energy industry into a new era of reliability, availability, security and efficiency. As electrical energy is a just-in-time product, it needs to be consumed as it is generated for continuous usage. Monitoring and control need to happen in real time, as any disruption in generation, distribution or consumption would create havoc and affect almost all critical infrastructures.

Consideration for security

Due to the interconnected nature of the various sub-networks, systems, interfaces and operational modes, attack surfaces are numerous. Any exploit against a vulnerable network or system would have a domino effect, impacting the infrastructure and leading to disruptions.

Development of security requirements for a smart grid ecosystem

As a precondition, the requirements are analysed for violations of the top-level security goals (confidentiality, integrity, availability, non-repudiation and privacy). Deriving security requirements is a complex exercise for interconnected ecosystems like the smart grid. The procedure for deriving security requirements for a smart grid is:

  1. Detailed architecture and description of the smart grid system needs to be devised after considering the requirement analysis & the interaction of multiple domains.

  2. Based on the top-level architecture, appropriate use cases are developed.

  3. Security-driven risk assessment is conducted considering grid architecture and potential use cases.

  4. The outcome of risk assessment and security management processes would capture detailed security architecture and security controls (mitigations).

  5. A list of constraints – physical, technical and financial – needs to be considered.

  6. Detailed security requirements are developed depending on architectures, controls, measurements and processes.

  7. Implementation of security requirements will lead to the creation or update of development, installation, operation and maintenance processes. Besides, it might generate new requirements for additional product development and installation.

  8. Any change in development, installation, operation and maintenance process will invoke impact analysis and risk assessment.

  9. With the discovery of new vulnerabilities of the legacy systems, set-up configurations would be assessed for potential risks and subsequently be mitigated to an acceptable level.

Existing regulations/standards

NIST released the Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0, in 2014; it is available on their website. As per Table 4-1 (reference [6]), many standards relevant to the smart grid have been identified. Some of the relevant regulations and standards are the NERC CIP sets, NIST Special Publications (800-82 & 1108), IEC 62351, IEC 61850, ISA/IEC 62443, IEEE 1815, etc. Let’s understand more about the ISA/IEC 62443 framework (increasingly adopted as a risk-based standard) and software considerations as per ISA/IEC 62443-4-1 (Part 4-1).

ISA/IEC 62443 framework

The ISA/IEC 62443 standard set mentioned above has evolved as a perfect risk-based security standard for industrial systems. This standard set evolved from ANSI/ISA-99 and is currently being adopted by various industries, including the smart grid. It is a supplemental standard set, not a replacement for the compliance-based standards or regulation. In fact, adopting ISA/IEC 62443 would make it easy to show adherence to regulation or compliance.

Software considerations in security

Vulnerabilities in software design and implementation could be exploited to compromise a system and impact critical assets in smart grids. The scope of ISA/IEC 62443-4-1:2018 is limited to the suppliers of secure products in an Industrial Automation and Control Systems (IACS) environment. This part (Part 4-1) encourages considering security in the early stages of the software life cycle (rather than handling it retrospectively) by following the eight practices, namely:

  • Security management

  • Specifications of security requirements

  • Secure by design

  • Secure implementation

  • Security verification & validation testing

  • Management of security related issues

  • Security update management

  • Security guidelines

Compliance with the best practices mentioned in ISA/IEC 62443-4-1:2018 can be eased through the usage of automated and integrated software, such as LDRA.

Focused securing of systems & subsystems

The recommended regulatory framework for the security of smart grid systems would be a mix of compliance guidelines, regulations from country-specific agencies and risk-based consensus standards, like the ISA/IEC 62443 set. Software aspects of security are critical because most of the critical systems and subsystems are extensively driven by software. By performing requirement traceability, static verification, software composition analysis & comprehensive testing, including Vulnerability Assessment and Penetration Audit & Testing (VAPT), errors in software could be reduced to a great extent.
