Western Energy Summer 2012 : Page 14
FEATURE: SMART GRID METER SECURITY
Western Energy / Summer 2012 / westernenergy.org/we
By Edward Beroset, Elster Solutions
Meter Security in the Smart Grid Context
Security is a critical consideration in smart grid design and deployment. Information Technology (IT) security experts are able to successfully apply knowledge and experience to many parts of the smart grid's generation and transmission systems. However, design aspects and operational considerations of electricity metering devices are often unfamiliar. Similarly, embedded systems engineers are often very familiar with design aspects and operational considerations, but are likely not well versed in best practices for maintaining a secure grid. This article aims to bridge that gap while advancing the cause of building secure, smart grids. The well-written and thoughtful NIST Special Publication, SP 800-82, "Guide to Industrial Control Systems," discusses many of these issues in a more general way. It is useful and informative for anyone involved in smart grid security issues. Instead of taking a general approach, this article considers the complexity of meter security alone.

Meter Design Considerations

There are a great number of design considerations for a typical residential meter. Some have little relationship to security functions, but many have at least an indirect influence. A few of the most important considerations are listed here:

Cost

The typical cost of a networked smart meter is around US $100. While the costs could certainly be higher, the scale of deployment means that even a modest increase in the cost of an individual device can easily translate into millions of dollars in capital expense for the utility. Any additional costs are ultimately borne by the energy consumer and must have sufficient business justification. It is important to note that the cost of purchasing the device is only about half of the total cost.
Additional costs include the labor needed to deploy and maintain the devices, the cost of energy consumed by the device, and the energy used by needed infrastructure and fleet vehicles during deployment and maintenance. To keep costs reasonable, while still maintaining good security, the use of symmetric key cryptography with either low-cost specialized security processors, or even lower-cost, general-purpose processors, is a good strategy. Providing for secure cryptographic key change over the communication medium, without having to make a field visit to the device, is essential for containing operational costs.

Power Consumption

Both ANSI Standard C12.1 and IEC 62053-61 state that the maximum energy consumption for multifunction meters must be no greater than 5W. For comparison purposes, a typical laptop's microprocessor alone draws over 30W. This has implications for the amount of processing power that can be deployed within a meter, and it should be understood that the processor is only one of many components in the meter. Another consumer of power in smart grid meters is the radio (or radios) used to communicate with other components within the smart grid. All of these devices must fit within the design's overall power budget. Efficient cryptographic algorithms and efficient radio protocols are essential in meeting the low-power requirements of smart meters. These include the Advanced Encryption Standard (AES) and self-organizing, self-healing mesh networking.

Environment

Closely related to the cost and power considerations are environmental constraints. First, in North America as well as many other parts of the world, residential meters are typically installed outdoors. This means that the device and its constituent components must be able to operate in a wide temperature range, which is typically specified as -40° to +85° C.
This has a cost implication since parts that meet this industrial temperature range typically cost more than those that only meet the commercial temperature range (0° C to +70° C). Industrial temperature range parts may be available from few suppliers, further limiting design choices. Buyers of metering equipment should ensure that both the meter and the communications board or boards meet the full industrial temperature range. Utilities cannot afford to replace meters that fail during extreme temperatures. Thermal concerns are a design consideration within the meter. Typical meter construction has circuit boards inside a plastic housing called a meter module. The module and other pieces (e.g., voltage and current sensors) are then assembled into the entire meter and then the whole assembly is installed with a weather- and insect-proof cover. In addition to keeping water and bugs out, the cover also keeps heat in, which in practice tends to be more of a limitation than the regulatory limit of 5W mentioned above. Experienced manufacturers of utility-grade equipment already practice careful thermal management as part of the design process, but not all equipment comes from such manufacturers.

Longevity

Meters installed on the side of a building are expected to work correctly for many years, with a typical specified lifetime of 15 years. If we look back 15 years to 1997, we can recall the now-obsolete Data Encryption Standard (DES) that was in use. To gain appreciation for what this span of time means for technology, consider what kind of cell phone or desktop computer you might have used in 1997. Residential meters today typically cost less than the cost to install the meter. In other words, it costs more to send trained meter technicians with a truck and tools to the meter site than the cost of the meter itself. For this reason, the installation process cannot require multiple visits or the deployment costs quickly become too large.
This means that not only must the device work reliably in the field without intervention, it must also be capable of remote upgrades. Within the next 15 years, there may well be a new cryptographic standard, which means that even the device's cryptographic algorithms must be upgradeable.

Remoteness

Unlike a utility company's enterprise server in a server room, meters are installed in remote locations and cannot be centrally located. This has operational implications for security. If a server requires a patch, it may be possible to switch over to a backup server, apply the patch and, after testing, return the patched server to operation. Due to the remoteness of residential meters, as well as some of the considerations discussed earlier, such an approach cannot directly translate to the maintenance of meter firmware. For this reason, much more emphasis must be placed on getting security right the first time, rather than assuming that the devices can be patched after deployment. While patching after deployment is a useful capability, it's not wise to base a strategy on its use. This is akin to how an airplane pilot may be wise to bring a parachute on a flight, but only a very poor flyer would count on having to use one. For this reason, we need to take a close look at engineering methods and code development practices. They are designed to ensure that the quality and consistency of the meter flows steadily from engineering to parts procurement, to final assembly, to test.

Regulatory

Environmental and electrical standards are often cited in regulations, effectively giving the provisions of these standards the weight of law. Some, such as the temperature and power burden of meters, have already been mentioned, but there are other performance-related regulations, such as those that specify the accuracy of the devices' measurements.
This has an indirect effect on security because the microprocessor, which is responsible for making these accurate measurements, is often the same microprocessor that is called on to perform a task such as encryption of transmitted data. If the processor is too busy with encryption or transmission of data, it could miss important, time-based measurements in the meter, impacting accuracy. For this reason, the design of the meter and the AMI system in which it operates must ensure that the performance of the system is not adversely affected by having the security features operating. One should not have to make the choice between accuracy and security, but should instead insist on both.

Physical Security

A head-end server that communicates with an AMI system is typically installed within a physically secured, temperature-controlled building, within a locked room. In addition, it often has a source of backup power, sometimes both short term (such as an uninterruptible power supply (UPS)) and longer term (such as a backup diesel generator). A substation usually has a fence around it, with padlock, alarms and video surveillance. By contrast, a residential electric meter is installed on the side of the power consumer's building, generally with no fence, lock or much at all in the way of physical security. Current industry practice is to install a meter seal on installation, but this seal is intended to provide evidence of tampering after it has occurred, not to prevent tampering. In the same way, no reasonably priced meter can prevent all possible attacks, but the best among them should be able to detect and report them. For instance, physical tamper detection and outage monitoring at the meter can be used to trigger an alarm at the head-end system, which may result in dispatch of revenue protection personnel to investigate.
Additional capabilities, such as logging of events within the nonvolatile memory of the meter, should be required.

Conclusion

Security is a well-studied subject, but security as it applies to electricity meters has been undergoing rapid changes of late. For over a century, the sole purpose of electricity meters was to measure and record kilowatthours. This measuring and recording capability is still at the core of electricity metering, but some recent trends, which include embedded communications and remote service connect/disconnect, have security implications that must not be overlooked. The successful deployment of smart meters requires smart buyers to know which questions to ask and which answers to accept.

Edward Beroset has been working with computers and software for over 30 years. He is the director of technology and standards at Elster Solutions, where he has worked for over 15 years. He serves on IEC, ANSI and IEEE electricity metering protocol standards groups and chairs the group which created the ANSI C12.22 Standard. He is a member of both the IEEE and the ACM, has published many technical articles and holds several U.S. and foreign patents.
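
An added example, not from the original article or from any meter vendor: one way the event logging and head-end alarm described under Physical Security can be made tamper-evident with a per-meter symmetric key, written in Python for readability. The event codes, record layout, key and function names are assumptions made for illustration, and the log is assumed to be read from its first record.

```python
import hashlib
import hmac
import struct

# Assumed event codes and record layout, constructed for this example.
EVENTS = {1: "POWER_OUTAGE", 2: "POWER_RESTORED", 3: "COVER_REMOVED"}
ALARM_CODES = {3}                  # events that should raise a head-end alarm
RECORD = struct.Struct(">IIB")     # sequence number, UNIX time, event code
TAG_LEN = 16                       # truncated HMAC-SHA256 tag per record

def chain_tag(key, prev_tag, body):
    # Each tag covers the previous tag, so records cannot be edited,
    # reordered or removed from the middle without breaking the chain.
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()[:TAG_LEN]

class MeterEventLog:
    """Meter side: append-only log; `records` stands in for nonvolatile memory."""
    def __init__(self, key):
        self._key, self._prev, self._seq = key, bytes(TAG_LEN), 0
        self.records = []

    def append(self, timestamp, code):
        self._seq += 1
        body = RECORD.pack(self._seq, timestamp, code)
        self._prev = chain_tag(self._key, self._prev, body)
        self.records.append(body + self._prev)

def head_end_verify(key, records, last_seen_seq=0):
    """Head-end side: return (new_alarms, error); error is None if intact."""
    prev, alarms = bytes(TAG_LEN), []
    for index, rec in enumerate(records, start=1):
        body, tag = rec[:RECORD.size], rec[RECORD.size:]
        if len(rec) != RECORD.size + TAG_LEN or not hmac.compare_digest(
                tag, chain_tag(key, prev, body)):
            return alarms, f"record {index}: authentication failed"
        seq, timestamp, code = RECORD.unpack(body)
        if code in ALARM_CODES and seq > last_seen_seq:
            alarms.append((seq, timestamp, EVENTS[code]))
        prev = tag
    if len(records) < last_seen_seq:   # tail erased since the previous read
        return alarms, "log shorter than at last read"
    return alarms, None

def demo():
    key = bytes(range(32))         # constructed per-meter key, not a real one
    log = MeterEventLog(key)
    for ts, code in [(1338500000, 1), (1338500060, 2), (1338503600, 3)]:
        log.append(ts, code)       # constructed sample events
    return head_end_verify(key, log.records)
```

Because the key is symmetric, anyone who extracts it from a meter can forge that meter's log, so the key should be unique per meter and the head-end should keep its own record of the last sequence number it read.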