Wednesday, December 5, 2012

So Far, it Seems WAMPAC Systems are Insecure by (Lack of) Design

Thanks to colleague Jeff K for the pointer to the recent NESCOR reports.

First things first: in IBM and elsewhere the phrase "secure by design" is used to describe a project or a system where security requirements are considered at the earliest stages, right along with all the functional requirements.

Now, for new initiates, WAMPAC = Wide Area Monitoring, Protection and Control, and the term refers to a group of new technologies and capabilities that will put the Smart in Smart Grid far more than the more attention-grabbing Smart Meter.

This IEEE abstract does a better job of defining WAMPAC than I could, so here you go:
Market driven grid management, increased number of renewable/distributed generation sources, complexities to address reactive support, and a progressively more stressed transmission network have increased the complexity of operation, monitoring, control and protection of large interconnected electric power systems considerably. Power-grid congestion issues and disturbances worldwide have emphasized the need to enhance power grids with WAMPAC systems as a cost-effective solution to improve grid planning, operation, maintenance, and energy trading. WAMPAC systems take advantage of the latest advances in sensing, communication, computing, visualization, and algorithmic techniques.
Sounds like one could become rather dependent on systems like this, no? So you would want to ensure that the P in WAMPAC includes protection of the system itself, so that the system can do its job of helping to protect the grid. Alas, it seems that's not how it's gone down so far.

Please allow me to pause for a brief, somewhat alarmist thought. Let your mind wander for a moment and imagine the importance of data integrity in such a system, and what could befall large chunks of the grid should the data that drives WAMPAC systems be modified surreptitiously by an uninvited third party.

From the most recent draft of the Annabelle Lee and EPRI-led security review of WAMPAC initiatives underway, we get the following findings up front:

  • Several WAMPAC standards were developed on a fast track, and several new standards are either in the final approval or development stage. During this standards development organization (SDO) process, guidelines for a consistent approach to cyber security requirements across the standards were not developed.
  • Most of the WAMPAC standards do not mention any cyber security requirements. Some do mention cyber security, but at a very generic level, suggesting that such issues should be addressed by separate standards focused on cyber security.
Long-suffering security pros will hardly be surprised by the lack of security requirements, even for projects as important as WAMPAC. Others may be surprised. Whichever camp you fall in, you can read the full report here. Lots of good recommendations are included, though you can't help but wish we weren't in bolt-on security mode again.

Photo credit: ISO New England


Ralph Mackiewicz said...

Why is it that executive summaries only mention problems and ignore any improvements that are being made? While the NESCOR-EPRI paper has some useful information about WAMPAC, the executive summary on which this blog entry is based is not an accurate reflection of what is happening in the industry related to cyber security standards for WAMPAC. Users would be well advised to ignore much of the seemingly authoritative assertions made by the authors as they pertain to some of these standards.

For instance, the authors are completely hung-up on SGIP as some kind of absolute authority on the efficacy of standards. Review and approval of standards by SGIP is good. Declaring that there is some kind of serious industry problem if SGIP hasn't approved something yet is way over the top. For instance, this is from the paper:

"IEC 61850-90-5 was approved by SGIP for inclusion in CoS. The standard makes a reference to standards that have NOT been considered and approved by SGIP. This “alert” is important for the users since the conclusions may be valid only when all normative (i.e. mandatory) references are also approved."

There are other places where SGIP standards review declarations are provided as prima facie evidence of misleading assertions. Having participated in one of these reviews I believe that such reliance is not warranted. In several cases misunderstandings about the purpose, application and structure of the standards drives some of the conclusions made.

Although I might argue numerous other points in that report, the point of my objection here is that users should NOT ignore the most up-to-date and security-oriented standard that has been developed for WAMPAC applications simply because SGIP has not approved it yet or because the result is not invulnerable to every possible attack (e.g. attacks on the configuration files of PMUs, which are being addressed in other standards).

The reports should have described how IEC TR 61850-90-5 represents a sea change in the way that protocols for power systems are being developed. The IEC technical committee responsible for the IEC TR 61850-90-5 standard (IEC TC 57 WG 10) specified a standard that has practical and useful communications security built-in right from the start. This was done because the wide area (WA) aspects of the WAMPAC use cases demanded it. NERC has even taken the unprecedented step of publicly lauding the IEC TR 61850-90-5 standard (even without SGIP approval: NERC Release). My company, SISCO, and Cisco Systems have jointly donated an open-source implementation of the IEC TR 61850-90-5 standards to help promote adaption of this important secure protocol.

I would exercise caution with the conclusions made by this executive summary.

Maik G. Seewald said...

I fully agree with Ralph. Security was on the requirement list for IEC 61850-90-5 from the beginning. This is a crucial precondition for robust security. IEC 61850-90-5 contains protocol security, a security model in depth as well as key management.