Security strategies for dealing with new utility challenges

Disruptive technologies are not the only thing utilities face
U.S. utilities — and to a lesser or greater extent those around the world — are being challenged as never before in their history. Not since Thomas Edison built the first utility for direct-current distribution of power to businesses and homes have utility executives had so many new challenges on their plates. They are being called to re-invent themselves for a future that is very unclear at this point, but quite imminent.

Three of these major challenges include:

• They must find a way to generate enough electricity to meet skyrocketing demand in an increasingly carbon-constrained regulatory, legislative and economic environment. Coal, the most abundant fuel source in the U.S. (which generates 50 percent of our electricity), is under attack and faces a very uncertain future. The cost of most other energy supply sources is escalating rapidly, and no new nuclear plants have been built in more than 30 years.
Thought Leadership – sponsored by Sprint Nextel
• In preparation for a supply-constrained environment, utilities are being forced to install expensive new advanced metering infrastructure (AMI) components, as well as technology to deal with demand response (DR) and the rapidly changing legislative/regulatory environment, which emphasizes conservation rather than generation. These technologies are mostly mature, but not in widespread deployment. Eventually, they will lead to what have been called intelligent utility enterprises and smart grids (IUE/SG). But there still is much work to be done before utilities achieve those future states.

• All of these efforts, especially AMI and the IUE/SG, are going to require widespread upgrading of data and voice communications systems, which at many utilities still are a generation behind the evolution of telecommunications. The threat of terrorism and the deployment of widespread IP-based communications in the utility enterprise require that these systems be hardened against attack from outside. Protecting utilities’ assets now takes the form of data passing through wireline and wireless networks, such as in SCADA and customer information systems (CIS), and physical assets, such as personal computers and PDAs with sensitive information. On top of that, the Federal Energy Regulatory Commission (FERC), through the North American Electric Reliability Corp. (NERC), is requiring compliance with a huge raft of new security standards. Those standards are backed by audits that threaten fines of up to $1 million per day for utilities found to be out of compliance.

www.energycentral.com EnergyBiz 49
Communications will be vital and the technology is ready
The good news in all this is that the technologies to meet most, if not all, of these demands already exist. Communications technology, especially, has evolved rapidly since the days when utilities built their own analog radio systems and handled work in the field through a dispatcher, who relayed information to field workers, who wrote it down in their trucks. Most of that communication now is handled by data transfer, although voice is still used as a supplement in many cases, usually over the same communications channels. Radio, cellular and even satellite systems enable all this communication.

Utilities also — since the 1980s and 1990s — have been able to communicate with, monitor and control devices on their grids to automate switching, regulate power flow, and read meters, as well as support a variety of other energy delivery applications. These devices have become increasingly sophisticated, and artificial intelligence (AI) now is being added to enable many of these devices to operate independently of human control. No longer do trucks roll to a substation at most utilities to enable a worker to change a capacitor bank setting or operate a switch — it can be done remotely, and increasingly will be done autonomously. Of course, this also requires reliable communications, and such systems are now available and being deployed.

50 EnergyBiz May/June 2008
However, as communications systems to accomplish these tasks have been installed, along come the security concerns, including the NERC-CIP standards. As utilities enter a period of widespread AMI, they are going to be particularly concerned about the ability to communicate with homes — turn power on or off remotely, get periodic readings based on time-of-day and price, control devices in the home to reduce consumption, etc. The security of these connections is vital. An entire AMI system can be established to use wireless carriers, which are virtually ubiquitous, and still have the security of a virtual private network (VPN). This will help utilities meet the NERC electronic security standards, which include:
Electronic Security (CIP-002, 003, 005, 007, 009)

Under these standards, utilities must:

• Maintain an inventory of all electronics that are either part of the critical assets list or are necessary to the operation of critical assets.
• Protect access to these critical cyber-assets on a need-to-know basis.
• Create an electronic security perimeter that prevents unauthorized users from accessing any critical cyber-asset, whether they are outside or inside the corporate network.
• Ensure that all electronic cyber-assets are secure via user account management, equipment, password management, and secure networking policies.
• Implement and test a critical cyber-asset recovery plan.

Figure 1. Sprint PCS Data Link Overview. Sprint PCS Data Link can provide access to Sprint MPLS VPN, Sprint Link Frame Relay or IPSec VPN.
As utilities increasingly turn to commercial telecommunications carriers, such as Sprint Nextel and others, it is important that the security concerns be dealt with aggressively. Using the Sprint Nextel example, there are two primary concerns about having all this utility data passing through wirelines and the “ether” of wireless communications. Also, there are two different solutions to deal with them.

Looking at wireless communications first, let’s look at the two primary methods for securing traffic: private wireless infrastructure or encryption of traffic end-to-end using VPN technologies. An example of a private wireless infrastructure is Sprint Nextel’s Data Link service. Data Link creates a unique logical network on the carrier’s private backbone where the traffic from any wireless device or modem is routed through the network directly to the enterprise network of the customer. Because the traffic is isolated from all other carrier customers and the public domain (Internet), a private IP addressing scheme of the customer’s choosing can be used to assign static private IP addresses to the wireless endpoints. The end result is a true wireless extension of the customer’s private network infrastructure. Security is further enhanced by the requirement that each wireless modem must authenticate against a RADIUS server before the network will allow the device to pass traffic. The customer has complete control of the RADIUS server to add or delete wireless devices. Sprint’s Data Link service can be used with static M2M telemetry devices, laptop computers, or mobile modems in vehicles. Figure 1 shows the Data Link traffic flow.
Figure 2. Components of SprintSecure Laptop Guardian

Figure 3. Features at a glance

Laptop lost or stolen. Unique location and remote data “kill” capabilities:
• IT removes encryption keys and wipes data from the laptop
• IT receives verification that data is protected

Authentication. A data card provides the “ignition key” for the laptop:
• Used as a second or third means of authentication
• IT can revoke access to the laptop anytime, anywhere

Data Protection. Embedded encryption keys:
• Protect key data on the laptop
• Keys are backed up, erased, rotated or recreated based on policies and threat levels
• Keys integrate with third-party HD encryption — for even greater security

VPN usage. Automatic VPN connection:
• With no user action, a VPN connection is established automatically — every time, no matter how the user accesses the network (3G, WiFi, LAN)

Anti-tampering. Standalone computing technology:
• “Watches over” applications on the laptop
• IT is alerted and action is taken when changes that affect the SprintSecure Laptop Guardian or the laptop’s security have taken place

Laptop Location. GPS capability:
• IT can access location services for the SSLG card

Third-party integration. An open architecture platform:
• Simple, open APIs allow third-party applications to become always-on, trusted and location aware
• Enterprises can continue using their best-of-breed point solutions with all the benefits of the SprintSecure Laptop Guardian

100% patched laptops. All patches are installed on all laptops:
• Patches are stored on the laptop card and applied when the laptop boots

The second method that is commonly used is simple but effective end-to-end encryption. While software VPN technology has been in use for some time in support of laptop users to allow secure access to enterprise network resources, there are now also many autonomous M2M devices that will self-initiate an encrypted VPN tunnel back to the host computing environment. This traffic does traverse the public Internet, but due to the security of modern strong encryption technologies, such as 128- or 256-bit AES encryption, the traffic is completely protected from “prying eyes” at all points of the network. Using an encrypted tunnel infrastructure creates a private network inside the tunnels that can use your enterprise’s private IP addressing scheme, with static IP addresses assigned to wireless device endpoints, just like a truly private network. The real advantage of this technique is that while you are protecting your data inside your virtual private network, the data is traversing the most highly redundant network in the world, the Internet. Now consider that with data roaming on cellular networks, your primary carrier could have its tower fail, but as long as one of its roaming partners is locally available, the wireless device will connect to that roaming partner’s network and the self-initiated VPN will restore connectivity between the endpoint device and the enterprise network over its new roaming Internet connection. In this capacity, cellular devices have a level of redundancy unknown to the wireline world.
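As an added illustration that is not from the article or from any Sprint Nextel product, the self-initiating M2M tunnel just described can be expressed in strongSwan’s swanctl.conf: the device brings up an AES-256 IKEv2/IPsec tunnel at boot with no operator involved, keeps its private inner address, and dead-peer detection re-initiates the tunnel when the cellular path changes underneath it. All hostnames, addresses, identities and certificate file names are assumed placeholders, and the gateway is assumed to run the mirror connection described in the comments.

```conf
# Constructed example (not from the article): strongSwan swanctl.conf for a field device
# that self-initiates an IPsec tunnel to the utility. All names and addresses are placeholders.

# --- field device (initiator): /etc/swanctl/swanctl.conf ---
connections {
    m2m-to-utility {
        version = 2                           # IKEv2; MOBIKE (on by default) follows address changes
        local_addrs  = %any                   # whatever address the current carrier hands out
        remote_addrs = vpn.utility.example    # enterprise IKE gateway (placeholder)
        vips = 0.0.0.0                        # request the private inner address from the gateway
        proposals = aes256-sha256-modp2048    # IKE: AES-256, SHA-256, 2048-bit DH group
        dpd_delay = 30s                       # dead-peer detection: notice a lost tower quickly
        keyingtries = 0                       # retry forever; no operator is there to reconnect
        local {
            auth = pubkey
            certs = meter-0042.pem            # device certificate in /etc/swanctl/x509/ (placeholder)
            id = meter-0042@utility.example
        }
        remote {
            auth = pubkey
            id = vpn.utility.example
        }
        children {
            telemetry {
                local_ts  = dynamic           # only the assigned inner IP is sent into the tunnel
                remote_ts = 10.0.0.0/8        # enterprise private range (placeholder)
                esp_proposals = aes256gcm16-modp2048  # ESP: AES-256-GCM with perfect forward secrecy
                start_action = start          # bring the tunnel up at boot, no user action
                dpd_action   = restart        # re-initiate after roaming onto a partner network
                close_action = start          # re-initiate if the gateway tears the SA down
            }
        }
    }
}

# --- enterprise gateway (responder): inner-address pool for the mirror connection ---
# The gateway side mirrors the connection above (local_addrs = its public IP, and
# remote { cacerts = utility-ca.pem } to accept any device certificate issued by the
# utility CA) and assigns inner addresses from this pool; strongSwan re-issues the
# same lease to a returning identity where it can, so a device keeps a stable
# private IP no matter which carrier it arrives from.
pools {
    m2m-pool {
        addrs = 10.42.0.0/24                  # private inner range (placeholder)
    }
}
```

Pinning a fixed inner address per device, as the article describes, is done on the gateway (a per-device pool, or a RADIUS Framed-IP-Address when the gateway authenticates devices via RADIUS) rather than on the device itself.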
As utilities get more cyber assets into the field, especially laptops that can contain extensive amounts of proprietary corporate information, there is always the concern of theft or loss of these devices. Sprint Nextel offers a solution to this problem through its SprintSecure Laptop Guardian (SSLG) system. SSLG uses a specialized PCMCIA card that not only provides mobile broadband data connectivity, but also contains its own tiny Linux computer and battery to enforce a suite of security applications on the laptop 24/7, even when the laptop is turned off. The laptop cannot be operated without the card installed, and the entire contents of the laptop are encrypted by keys held by the SSLG device. In the event the laptop is stolen, the card includes a GPS system with battery backup that can report its location, even with the laptop turned off. Additionally, if necessary, the card can be instructed remotely to disable the laptop from being used, although it can be enabled again by network administrators managing the SSLG control server at the corporate level should the laptop be returned. The components of Laptop Guardian are shown in Figures 2 and 3.
Now we can look at wireline systems, where the security options are very similar. Legacy private network options, such as private line and frame relay, are quickly becoming obsolete. Today, the private network of choice is called MPLS (multi-protocol label switching). This wireline technology allows a private network to be established with any-to-any routing and quality of service support. On the same MPLS network an enterprise can support interoffice voice and data communications in addition to secure communications with M2M devices. Sprint’s Data Link service will extend the private MPLS network to wireless cellular devices as well, allowing for an all-encompassing hybrid wireline/wireless private network. The wireline VPN option is virtually identical to the wireless VPN. An enterprise can use the Internet as a primary transport network for data being securely transmitted within encrypted tunnels, replicating a private network within the VPN infrastructure.
There are many hardware solutions that incorporate both wireline and wireless interfaces on the same device to leverage the capabilities of both networks. Two popular examples would be the Cisco ISR series routers with a combination of wireless (Cisco ENZO Cellular Broadband Module) and wireline interface cards, and the Encore Network Bandit series of intelligent communication devices. A common application of these hybrid-type devices would be to use one type of interface for primary connectivity, with the other as a secondary backup. Whether cellular wireless or a wireline interface is used as the primary or secondary often depends on the application’s technical requirements and cost. Sprint Nextel’s engineering staff frequently assists customers in determining the best mix of the available technologies to meet the application’s requirements.
Physical security of communications devices also is of concern to utilities, and to NERC. The standards for this area include:

Physical Security (CIP-006)

Utilities must ensure the physical security of all critical cyber-assets:

• Ensure that there is a physical security perimeter around all critical cyber-assets.
• Identify and control all physical access points to critical cyber-assets.
• Maintain an access log for all critical cyber-assets via keycards, video or manual log.
The NERC-CIP standards also call for other security around utility facilities, such as surveillance cameras, etc. Physical security will play a larger role in AMI deployments as most technologies strive to provide remote disconnect switches, which currently are being operated in licensed and unlicensed proprietary networks. Remote disconnect switches in meters may pose a security weakness unless the security issues are addressed today. To thoroughly secure all the data at a utility requires a comprehensive strategy that includes all the elements of NERC-CIP, and protection of wireline and wireless networks and corporate assets that have company or customer information. But security of data on wireless networks — at least those operated by most commercial telecommunications carriers — is in place and available. That’s a good thing as utilities enter the brave new world of IUE/SG.
This piece prepared/authored by Sierra Energy Group.