Smart grids provide bi-directional communication between the utility and its customers, with sensing from power generation through to consumption. A smart grid ecosystem would move the energy industry into a new era of reliability, availability, security and efficiency. Because electrical energy is a just-in-time product, it must be consumed as it is generated for supply to be continuous. Monitoring and control therefore need to happen in real time: any disruption in generation, distribution or consumption would cause havoc and affect almost all other critical infrastructures.
Consideration for security
Because of the interconnected nature of the many sub-networks, systems, interfaces and operational modes, the attack surfaces are numerous. An exploit of any vulnerable network or system can have a domino effect, impacting the wider infrastructure and leading to disruption.
Development of security requirements for a smart grid ecosystem
As a precondition, the requirements are analysed for violations of the top-level security goals (confidentiality, integrity, availability, non-repudiation and privacy). Deriving security requirements is a complex exercise for an interconnected ecosystem like the smart grid. The procedure for deriving security requirements for a smart grid is:
Detailed architecture and description of the smart grid system needs to be devised after considering the requirement analysis & the interaction of multiple domains.
Based on the top-level architecture, appropriate use cases are developed.
Security-driven risk assessment is conducted considering grid architecture and potential use cases.
The outcome of risk assessment and security management processes would capture detailed security architecture and security controls (mitigations).
A list of constraints – physical, technical and financial – needs to be considered.
Detailed security requirements are developed depending on architectures, controls, measurements and processes.
Implementation of the security requirements leads to the creation or update of development, installation, operation and maintenance processes. It might also generate new requirements for additional product development and installation.
Any change in development, installation, operation and maintenance process will invoke impact analysis and risk assessment.
With the discovery of new vulnerabilities of the legacy systems, set-up configurations would be assessed for potential risks and subsequently be mitigated to an acceptable level.
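The following Python script is an added example, not part of the original article or of any standard, that walks through the core of this procedure on a constructed smart-grid slice: a threat register keyed to architecture elements and use cases, a risk score per threat, the controls (mitigations) that bring each risk to an acceptable level, the security requirements derived from those controls, and the re-assessment triggered when a new vulnerability in a legacy system raises a threat's likelihood. The asset names, threats, scores, the 1 to 5 likelihood and impact scales and the acceptance threshold are all assumptions chosen for illustration; none of them are values prescribed by NIST or ISA/IEC 62443, and the physical, technical and financial constraints step is not modelled.

```python
"""Security-driven risk assessment deriving requirements for a smart-grid slice.

Added example, not from the original article. Every asset, threat, score
and threshold below is constructed; the scoring scheme is an assumption.
"""
from dataclasses import dataclass, field, replace

# Assumed acceptance threshold on a 1..5 likelihood x 1..5 impact scale.
ACCEPTABLE_RISK = 6


@dataclass
class Threat:
    id: str
    asset: str          # element of the detailed architecture
    use_case: str       # use case through which the asset is exposed
    goal: str           # top-level security goal that would be violated
    likelihood: int     # 1..5
    impact: int         # 1..5
    # (control description, likelihood reduction it is credited with)
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        level = self.likelihood
        for _name, reduction in self.controls:
            level = max(1, level - reduction)
        return level

    def residual_risk(self) -> int:
        return self.residual_likelihood() * self.impact


# Constructed threat register produced by the risk-assessment step.
REGISTER = [
    Threat("T1", "smart meter", "remote disconnect", "integrity", 4, 5,
           [("command authentication with replay protection", 3)]),
    Threat("T2", "head-end system", "interval reading collection", "privacy", 3, 3,
           [("encrypted backhaul transport", 2)]),
    Threat("T3", "substation RTU", "SCADA telemetry", "availability", 3, 4,
           [("conduit firewall between corporate and substation zones", 1),
            ("per-client rate limiting on telemetry requests", 1)]),
    Threat("T4", "legacy RTU", "firmware update", "integrity", 2, 5,
           [("signature verification of firmware images", 1)]),
]


def unacceptable(register):
    """Threat ids whose residual risk still exceeds the acceptance threshold."""
    return [t.id for t in register if t.residual_risk() > ACCEPTABLE_RISK]


def derive_requirements(register):
    """One security requirement per control, traceable back to its threat."""
    reqs = []
    for t in register:
        for i, (control, _reduction) in enumerate(t.controls, 1):
            reqs.append(f"SR-{t.id}-{i}: the {t.asset} shall implement {control} "
                        f"(mitigates {t.id}, {t.goal} in use case '{t.use_case}')")
    return reqs


def reassess_after_vulnerability(register, asset, new_likelihood):
    """Impact analysis after a new vulnerability is published for an asset.

    Returns an updated register (the original is left untouched) and the
    threats that now need further mitigation.
    """
    updated = [replace(t, likelihood=max(t.likelihood, new_likelihood))
               if t.asset == asset else t for t in register]
    return updated, unacceptable(updated)


if __name__ == "__main__":
    for t in REGISTER:
        print(f"{t.id} {t.asset:16} inherent={t.inherent_risk():2} residual={t.residual_risk():2}")
    print("open risks:", unacceptable(REGISTER))
    for r in derive_requirements(REGISTER):
        print(r)
    # A new vulnerability in the legacy RTU firmware path raises T4's likelihood.
    _updated, reopened = reassess_after_vulnerability(REGISTER, "legacy RTU", 4)
    print("risks reopened by new vulnerability:", reopened)
```

With the constructed register every threat is brought to or below the threshold by its controls, so the derived requirements cover all of them; the re-assessment then shows T4 climbing back above the threshold once the legacy RTU's likelihood is raised, which is the trigger for the mitigation loop in the last step above.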
In 2014 NIST released Release 3.0 of its Framework and Roadmap for Smart Grid Interoperability Standards, which is available on the NIST website. Table 4-1 of that document (reference ) identifies many smart-grid-relevant standards. Some of the relevant regulations and standards are the NERC CIP set, NIST Special Publications 800-82 and 1108, IEC 62351, IEC 61850, ISA/IEC 62443 and IEEE 1815. Let's look more closely at the ISA/IEC 62443 framework, which is increasingly adopted as a risk-based standard, and at the software considerations in ISA/IEC 62443-4-1 (Part 4-1).
ISA/IEC 62443 framework
The ISA/IEC 62443 standard set mentioned above has evolved into a mature risk-based security standard for industrial systems. It grew out of ANSI/ISA-99 and is being adopted by various industries, including the smart grid. It is a supplemental standard set, not a replacement for compliance-based standards or regulation; in fact, adopting ISA/IEC 62443 makes it easier to demonstrate adherence to regulation or compliance requirements.
Software considerations in security
Vulnerabilities in software design and implementation can be exploited to compromise a system and impact critical assets in the smart grid. The scope of ISA/IEC 62443-4-1:2018 is limited to suppliers of products used in an Industrial Automation and Control Systems (IACS) environment. Part 4-1 encourages considering security from the early stages of the software life cycle (rather than handling it retrospectively) by following eight practices, namely:
Security management
Specification of security requirements
Secure by design
Secure implementation
Security verification & validation testing
Management of security-related issues
Security update management
Security guidelines
Compliance with the practices set out in ISA/IEC 62443-4-1:2018 can be eased by using automated, integrated tool suites such as those from LDRA.
Focused securing of systems & subsystems
The recommended regulatory framework for the security of smart grid systems is a mix of compliance guidelines, regulations from country-specific agencies and risk-based consensus standards such as the ISA/IEC 62443 set. The software aspects of security are critical because most of the critical systems and subsystems are extensively driven by software. By performing requirement traceability, static verification, software composition analysis and comprehensive testing, including Vulnerability Assessment and Penetration Testing (VAPT), errors in software can be reduced substantially.
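As an added example (not the article's own, and not any vendor tool's implementation), the following Python script performs the requirement-traceability check mentioned above on a constructed set of security requirements, design elements and test verdicts. It reports requirements with no implementing design element, requirements with no verifying test, requirements whose tests fail, and design or test entries that point at a requirement nobody defined, and it gates a release on all four lists being empty. The requirement ids, design names, test names and verdicts are assumptions made up for the illustration.

```python
"""Requirement-traceability check for smart-grid security requirements.

Added example, not from the original article. All ids and verdicts are
constructed; the trace matrix is a dict-based model of what a tool would
export.
"""

# Constructed security requirements (the output of the risk-assessment step).
REQUIREMENTS = {
    "SR-1": "Meter disconnect commands are authenticated and replay-protected",
    "SR-2": "Interval consumption data is encrypted in transit to the head-end",
    "SR-3": "Substation conduit enforces rate limits on telemetry requests",
    "SR-4": "RTU firmware images are signature-verified before installation",
}

# Design elements and the requirements each one implements.
DESIGN = {
    "D-cmd-auth": ["SR-1"],
    "D-tls-backhaul": ["SR-2"],
    "D-conduit-fw": ["SR-3"],
    "D-fw-loader": [],          # built, but never linked to SR-4
    "D-audit-log": ["SR-5"],    # refers to a requirement that was never specified
}

# Test cases and the requirements each one verifies.
TESTS = {
    "T-replay-reject": ["SR-1"],
    "T-backhaul-cipher": ["SR-2"],
    "T-telemetry-flood": ["SR-3"],
    "T-unsigned-firmware": ["SR-4"],
}

# Constructed verdicts from the last test run.
RESULTS = {
    "T-replay-reject": "pass",
    "T-backhaul-cipher": "pass",
    "T-telemetry-flood": "fail",
    "T-unsigned-firmware": "pass",
}


def trace(requirements, design, tests, results):
    """Return the traceability gaps as sorted lists under four keys."""
    req_ids = set(requirements)
    in_design = {r for rs in design.values() for r in rs}
    in_tests = {r for rs in tests.values() for r in rs}
    # A requirement counts as failing if any test that verifies it did not pass
    # (a missing verdict is treated as a failure, not as a pass).
    failing = {r for t, rs in tests.items() if results.get(t) != "pass" for r in rs}
    return {
        "no_design": sorted(req_ids - in_design),
        "no_test": sorted(req_ids - in_tests),
        "failing": sorted(failing & req_ids),
        "dangling": sorted((in_design | in_tests) - req_ids),
    }


def release_gate(report):
    """True only when every gap list is empty."""
    return not any(report.values())


if __name__ == "__main__":
    report = trace(REQUIREMENTS, DESIGN, TESTS, RESULTS)
    for key, ids in report.items():
        print(f"{key:10} {ids}")
    print("release allowed:", release_gate(report))
```

On the constructed data the gate refuses the release: SR-4 has a design element that was never traced to it, SR-3 has a failing test, and D-audit-log traces to an SR-5 that does not exist. Each line in the report is a concrete work item rather than a general finding, which is the value traceability adds over testing alone.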