The smart grid, a significant emerging source of embedded systems, has its own important critical security requirements. If these aren’t addressed properly, it will prove difficult — if not impossible — to protect individuals and groups from attack.
One obvious concern is financial. Attackers could, for example, manipulate metering information and subvert control commands to redirect consumer power rebates to false accounts. That’s just the tip of the iceberg, however. Because smart grids imply the addition of remote connectivity—from millions of homes to the back-end systems that control power generation and distribution—the ability to impact power delivery has obvious safety ramifications as well. And the potential to affect a large population increases the attractiveness of the smart grid as a target for attack.
The back-end systems of smart grids are protected by the same security technologies—firewalls, network access authentication, intrusion detection and protection systems—that today defend banks and governments against Internet-borne attacks. Successful intrusions into these systems occur daily. The smart grid, if not architected properly for security, could provide hostile nations and cyber terrorists with a path to attack targets from the comfort of their living rooms. Every embedded system along that path, from the smart appliance to the smart meter to the network concentrators, must be secured (Figure 1). Since public utilities and their suppliers are early in the process of developing security strategy and network architectures for smart grids, a golden opportunity now exists to build in safety measures from the start.
Figure 1. Every embedded system on a possible cyber attack path, from the smart appliance to the smart meter to the network concentrators, must be secured.
The increasing reliance on embedded systems in commerce, critical infrastructure and life-critical functions makes them attractive targets for attackers. Embedded industrial control systems that manage nuclear reactors and oil refineries, for example, provide assailants with an opportunity to inflict widespread damage.
To get an idea of the kinds of sophisticated attacks we can expect on the smart grid, look no further than the July 2010 Stuxnet attack on nuclear power infrastructure. This worm infiltrated Siemens’ process control systems at nuclear power plants by subverting the Windows-run workstations operators use to configure and monitor embedded control electronics (Figure 2). As the first known direct malware assault on embedded process control systems, Stuxnet illustrated the incredible damage potential of modern smart grid security attacks.
There’s been much speculation in the security community about not just the identity and motive of the attacker, but also the unprecedented level of sophistication of the worm, which included a clever rootkit construction and the employment of no fewer than four zero-day Windows vulnerabilities. Those vulnerabilities enabled Stuxnet to gain access to and download malware to the Siemens controller itself; that suggests the attackers had intimate knowledge of its embedded software and hardware.
In addition to demonstrating the need for improved security skills within the embedded development community, Stuxnet clarified the necessity for a higher level of assurance in critical infrastructure than that provided by standard commercial IT practices.
The worm also exposed the interdependence between embedded systems and IT systems. Supervisory control and data acquisition (SCADA) networks used in industrial-control systems are controlled by common PCs, for instance. As a response to the Stuxnet attack, the U.S. Department of Defense’s cyber command chief, General Keith B. Alexander, last September recommended the creation of an isolated network for critical infrastructure that would include the power grid.
That may sound heavy-handed, but it is precisely how many governments protect their most sensitive and compartmentalized classified networks. Sure, physical isolation introduces some inefficiency. But you can ameliorate that with the application of high-assurance access solutions that let a client computer securely access multiple isolated virtual desktops and back-end networks. Those access control systems use the latest and greatest Windows or Linux human-machine interfaces, but—importantly—do not depend on Windows or Linux for security.
The recent tragedy affecting Japan’s nuclear program, while not the product of human malice, paints a grim picture regarding the potential impact of a successful cyber attack on critical infrastructure. Such systems, controlled by common computers and networks, have proved both enticing and assailable to well-funded individuals and groups intent on malfeasance.
The key point is that securing against sophisticated smart grid threats cannot be effectively retrofitted; robust security measures must be designed in from the beginning. And since security claims are a dime a dozen, confidence can only come from independent expert assessments based on internationally accepted security evaluation standards.
The international standard for evaluating the security of IT systems is ISO/IEC 15408, more commonly known as the Common Criteria. Under the Common Criteria, IT products are evaluated against Protection Profiles that specify the product family’s functional security requirements and Evaluation Assurance Level (EAL). For example, there are Protection Profiles for firewalls, antivirus applications and operating systems. The Protection Profiles themselves must be evaluated as well, to ensure that products are measured against well-understood, valid and accepted standards. Table 1 includes a list of Common Criteria profiles for operating system protection, their security levels, and the intended threat environment corresponding to each security level. As you can see, only the Separation Kernel Protection Profile (SKPP) is appropriate to protect high-value resources (such as the smart grid) against sophisticated and determined attackers.
Table 1. Operating system protection profiles as described under the Common Criteria (ISO/IEC 15408).
The National Security Agency (NSA) created the SKPP to specify security requirements for “high robustness” operating systems that control computers that manage and protect high-value resources in the face of attacks by resourceful adversaries (Table 2). According to Department of Defense guidance, high robustness refers to “security services and mechanisms that provide the most stringent protection and rigorous security countermeasures.”
Table 2. NSA robustness requirements relative to the asset value and the threat environment.
SKPP contains both functional and assurance requirements. Functional policies are those enforced by the operating system. For example, an SKPP-compliant platform must guarantee that a malicious application cannot harm (corrupt, deny service to, steal information from, etc.) any other application running on the computer.
Assurance, on the other hand, refers to evidence indicating, with high confidence, that the products implement the security functional requirements.
The requirements of SKPP are far more stringent than those of any other operating system security standard. The resulting assurance (or confidence) that developers, users and other stakeholders derive from an SKPP evaluation is extremely high and is indeed unprecedented in the world of computer security. SKPP requires an extremely rigorous development process, formal methods (to provide mathematical proof of security) and penetration testing by NSA security experts who have complete access to the source code.
Green Hills Software has achieved high-robustness (Common Criteria EAL 6+) software security certification from the NSA and is actively working on high-assurance smart grid security architecture with other cyber-security organizations across the industrial, government and academic communities.
The emerging architecture addresses such issues as hardware and systems software partitioning and management strategies, robust control of cryptographic and key management systems for device authentication and information protection, and scalability from battery-powered devices up to high-end network concentrators and back-office servers.
About the author
David Kleidermacher is chief technology officer at Green Hills Software, where he is responsible for technology strategy, platform planning and solutions design.