Zone Principles as Cyber Security Architecture Element for Smart Grids

Transcription

1 1 Zone Principles as Cyber Security Architecture Element for Smart Grids Jens Zerbst, Vattenfall AB, Martin Schaefer, Vattenfall AB, and Iiro Rinta-Jouppi, Vattenfall AB 1 Abstract Today there is no single Smart grid in existence, but rather a conglomeration of different legacy systems paired with new technologies and architectural approaches, based on different standards and regulations that all need to be amalgamated into a communication network to support the challenges of the future electricity network. To support this objective, Zoning principles, as an element of the Cyber Security architecture for Smart Grids, are being presented on the basis of cyber security and architecture requirements, dependency on legacy installations, and present regulations and industry standards. Zoning principles provide a method of classifying functions and systems in a future Smart Grid communication network, and structuring them into a multilayered Defense in Depth architecture. Furthermore it introduces a structured method for defining security controls and thus enabling the further development of a compliance process with regard to trusted connectivity in a Smart Grid. Index Terms Communication system security, Computer security, Risk analysis, Smart Grid, Security Architecture, Zone Model, Zone principles, O I. INTRODUCTION NE of the challenges in the development of Smart Grids today is the introduction and expansion of a communication network for the electricity network in order to support the following aspects, among others: Intelligent control and connection of the different domains: customer, markets, service provider, operation, bulk generation, transmission and distribution [1] Time-critical adaptation for power balancing [2] Recovery after faults and self-healing functions [2] Highly user-orientated services [2] Higher quality and economic efficiency of electricity supply [2] The integration of large- and small-scale renewable energy sources [2] - Priorities for Regulation Increasing complexity [3] Increasing communication requirements [2] The fulfillment of local targets to reduce greenhouse gases and increase the share of renewable energies [4][5] However, the current challenge of a communication J. - T. Zerbst is with Vattenfall AB, Stockholm, Sweden ( jens.zerbst@vattenfall.com). M. Schaefer is with Vattenfall AB, Stockholm, Sweden ( martin.schaefer@vattenfall.com). I. Rinta-Jouppi is with Vattenfall AB, Stockholm, Sweden ( iiro.rinta-jouppi@vattenfall.com) network to support the vision of a future Smart Grid is to develop an architecture to integrate different kinds of legacy systems with new technologies and architectural approaches, and to ensure at the same time security and reliability, as well as compliance with different standards and regulations. To achieve these objectives, basic technological, architectural and organizational principles have to be developed and standardized to support the communication network. Different initiatives and forums (e.g. European Electricity Grid Initiative - EEGI [6], European Regulators Group for Electricity & Gas - ERGEG [7], and National Institute of Standards and Technology - NIST [8]) are currently developing and aligning principles, methodology and standards for the communication network, and in so doing defining a road map and strategies. The scope of these initiatives includes, for example, the discussion of communication protocols, architectural principles, risk assessment methods, etc. The purpose of this paper is to discuss the Cyber Security architecture requirements of a communication network supporting a Smart Grid. The discussion focuses on the Defense in Depth methodology, and demonstrates ways of introducing it by applying "Zone principles" as an architectural element on a generic level. The paper summarizes these in an outline for a solution statement, and concludes with a call for the need to introduce the "Zone principles" as an element of Cyber Security architecture for a Smart Grid in connection with existing industrial standards and best practices, for example in the nuclear industry (compare therefore NRC s Regulatory Guide 5.71 [9] and IAEA s Technical Framework [10]) or industrial standards such as ANSI/ISA /IEC [11]. II. METHODS The starting point for the derivation of "Zone principles" as an element of Cyber Security architecture for Smart Grids is the identification and definition of: Architecture and Cyber Security requirements Dependency of the legacy installations and architecture Present regulations and industry standards Best practice approaches Present knowledge of developments, accomplishments and requirements in the Smart Grid discussion. The requirements and pre-conditions are clustered into the areas of Architecture and Cyber Security, and are limited to the relevant scope of "Zone principles". To ensure

2 2 compatibility and interoperability with the different Smart Grid characteristics, discussions and evaluations, the requirements are defined on a generic level Furthermore, it is necessary to base the discussion on the current existing installations (including generation, transmission and distribution), prerequisites and principles to provide an appropriate transition path from the existing legacy environment to the target architecture of a future Smart Grid and to ensure appropriate compatibility and integration. During the process, it is important to understand that a Smart Grid is more than a simple grid upgrade [12] or a detached architecture development simply based on the vision of a Smart Grid [13]. A theoretical discussion without any connection to the current setup is neither realistic nor affordable. Life length of the physical assets in the network is years which makes it slow to adapt to the new requirements. A. Architectural requirements Architecture in relation to IT is "the study, design, development, implementation, support or management of computer-based systems, particularly software applications and computer hardware" [14]. As regards the relationship between the communication network and the electricity network, architecture should furthermore provide a common understanding of the communication network, including designs, standards, demonstrations and implementation [13]. In order to define architectural requirements as input to the process for developing "Zone principles" as an element of the Cyber Security architecture for a Smart Grid, the following elements are discussed: The current status of relevant standards and best practice The identification of requirements 1) Status Different kinds of standard organizations (e.g. NIST [8]), international (e.g. CEER&ERGEG [15]) and national organizations (e.g. German Federal Ministry for Economic and Technology [16]) as well as regional communities (e.g. European Technology Platform for the Electricity Network of the Future [17]) are currently in the process of developing different architectural approaches and standards to address the future challenges of the Smart Grid communication network. Examples include: NIST's Framework and Roadmap for Smart Grid Interoperability Standards [1], which provides a wide overview of Smart Grid and defines a vision, and uses cases, an action plan as well as a road map. Furthermore, the document summarizes existing standards and best practices. The Strategic Deployment Document issued by the European technology platform for the European Electricity Network of the future [18], which defines and suggests deployment priorities, a Smart Grid road map, funding options, communication strategies and next steps. IEC's Smart Grid Framework, which provides Smart Grid project guidelines, a collection of standards for generic use cases and standards for technical design and specification. [19] ERGEG Position Paper on Smart Grids [2], which is an initiative to align the vision and view of the European electric power systems and markets. Challenges, opportunities and drivers are discussed. European Strategic Energy Technology plan (SET plan) includes agreed roadmaps, action- and implementation plans for for the European Electricity Grid Initiative (EEGI). In this program there are a number of functional projects that show in large scale the possibility to reach European targets. Parts of the criteria for the projects are the cyber security policy and open standards and interoperability policy. [20] IEEE P2030 Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), and End- Use Applications and Loads provides a guideline for smart grid interoperability, which discusses alternate approaches to good practices for the Smart Grid. [21] Additional local initiatives discuss and develop, among other aspects, action plans and road maps such as: Roadmap Smart Grids Austria [22] California Smart Grid Infrastructure [23] Smart Grids United Kingdom [24] Furthermore, Industrial Automation and Control Systems (IACS) and commercial IT architecture approaches and standards serve as a basis for different kinds of developments in the area of Smart Grid architecture. 2) Requirements The various challenges and use cases for Smart Grids make new demands on the communications network, which have to be solved in the architecture of the communication network. Table 1 gives an overview of various demands made on the communication network, and maps them to architecture requirements. The examples emphasize the various architectural requirements. TABLE 1 DEMANDS ON THE COMMUNICATION NETWORK, MAPPED TO ARCHITECTURE REQUIREMENTS AND UNDERLINED BY AN EXAMPLE Demands on the communication network An increasingly diverse range of generating technologies will need to be connected in efficient ways without endangering the quality and reliability of other network users. An increasing number of entry points and paths for potential adversaries [25] Time-critical communication Architectural requirements capacity expansion/planning modularity clear interfaces reliable flows flexibility, clear interfaces, multi-layer security strategy availability, reliability, intelligent flow Example There are no commonly agreed rules for integrating DER to the network. DER is not controlled from Balance perspective Smart Meter Device, rapidly rising number of telecontrolled disconnectors energy balancing (automatic real time adjustment of consumption and production)

3 3 Information accessibility An increasing number of smart grid actors [1] Disturbance prevention/compensation availability, intelligent management confidentiality integrity scalability, clear interfaces intelligent flow/routing scalability modularity interoperability time-critical management Decentralized energy modularity, storage [18] and electricity availability, supply reliability, interoperability, intelligent/timecritical management Bi-directional power flow handling [18] Support island mode operation interoperability, intelligent/timecritical management Layered functionality, modularity, real-time- / off-line functionality Compatible with the interoperability, current installation and availability, architecture principles [18] reliability real time consumption measurement, demand side participation Small-scale, decentralized energy generation (small scale wind power, solar panels etc.) increasing number of energy access points (e.g. multi-storey car parks car charging points) Compensate for energy peaks or generation/network outages small-scale storage of energy energy re-introduction, energy balancing, offshore generation, micro generation micro energy production, use case: car as an energy buffer, Solar panels on buildings, etc. Network areas willingly moving to island operation mode integration of new technology into current grid compatibility of technological developments (standards) 3) Conclusion To summarize, for the architectural requirements in the context of the development of "Zone principles", the following requirements could be adopted as input into the continued process: Ensuring the interoperability and connectivity between different domains, power plants and facilities as well as different parties Independence from certain entities such as protocols, applications or vendors Scalability and modularity to enable interoperability and connectivity between (n:m) parties Supporting connectivity between parties, which do not maintain or support the same or any kind of zone principle? Defining clear interfaces and responsibilities Establishing reliability to ensure an adequate energy supply B. Cyber Security requirements Compared to the architecture of a classic energy grid, new Smart Grid architecture challenges will increase the Cyber Security requirements and introduce new areas of cyber security, such as enhanced privacy controls. 1) Status The current specific discussion of Cyber Security in Smart Grid applications focuses mostly on topics such as: Cyber Security Risk Management Framework [13] Risk Management for SCADA systems [26], [27] Privacy of customer data [25] AMI Security [28] Protocol for the mapping of different players in different domains [13] A holistic and predictive discussion, as conducted in the general architecture, is currently lacking in the area of Cyber Security architecture. A sustainable and persistent Cyber Security concept is needed as an orientation during the various iterative development stages and opportunities for a Smart Grid. However, the robust development of general Cyber Security in Critical Infrastructure and Industrial Automation and Control Systems (IACS) supports the specific discussion of Cyber Security in Smart Grids, and needs to be closely connected. Relevant standards and best practices, which are associated with the application of "Zone principles" are, for example: ANSI/ISA Manufacturing and Control Systems Security [11] NERC CIP series [29] IEC Data and Communication Security [30] DHS Catalog of Control Systems Security [31] AMI System Security Requirements v1.01 [28] U.S. Nuclear Regulatory Commission (NRC) - Regulatory Guide Cyber Security Program for Nuclear Facilities [9] 2) Risks In addition to the vulnerabilities and threats of Information Technology, IACS and the enterprise integration of IACS, Smart Grid introduces another level of vulnerabilities and impact, which leads to an enhanced set of risks. To develop "Zone principles" as a risk mitigating element of a Cyber Security architecture, the definition of dedicated risks should serve as the basis for the further development of a Cyber Security architecture element. In this context, risk will be defined and split as a result of (threats x vulnerability x impact) 2. a) Threats In general, threats facing the communications network of a Smart Grid are comparable to the threats that are currently discussed in the Cyber Security of IACS and critical 2 NIST defines risks as a function of the likelihood of a given threatsource s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization [48]

4 4 infrastructure. However, the vulnerability and impact may differ due to the characteristics of a Smart Grid communications network. Threats could be categorized into intentional and unintentional paired with malicious and nonmalicious threats [32], [33]. Table 2 shows an abstract of possible threat types. TABLE 2 MATRIX OF POSSIBLE THREAT TYPES UNDERLINED WITH AN EXAMPLE malicious non-malicious intentional unintentional Criminal groups Terrorists Spyware/maleware authors Example: A hacker develops a worm that can jump across smart meters and black out neighborhoods, for example, or can k bl Foreign intelligence services Insiders Industrial spies Cyber espionage Example: A disgruntled employee or outsourcing vendor intentionally manipulates sensor data or entire control systems and causes shut down. Bot-network operators Phishers Spammers Example: Identity theft and thus access to critical infrastructure. DoS attacks performed via spamming. [46] equipment failure human failure untrained staff fire, water, disaster Example: An employee is unaware of current procedures and e.g. does not perform a proper change. Equipments function can fail and lead to e.g. wrong sensor data or incorrect data processing. [47] b) Vulnerabilities In addition to common vulnerabilities in Information Technology [34] or IACS, vulnerabilities could be specified which are based on the characteristics of Smart Grids [32]. Examples include 3 : Use of insecure legacy devices [12] Potential larger scale communication network [12] Increasing amount of customer data [1] Increasing technical complexity [1] "Security by obscurity" security culture background [12] No aligned common standards [12], [35] Interconnected networks can introduce common vulnerabilities [1] Lacking physical access restriction to, for example, field devices [36] Exposure of critical infrastructure due to connectivity reasons Introduction of new technologies and protocols Exposure of sensitive customer data Huge amount of devices with homogeneous technology (e.g. Smart Meter), which could be affected by a single disruption [1] Connectivity to untrustworthy partners that can not be selected (customers, other market actors) c) Impact Energy supply has a critical role in society and is vital for everyday life. Industries, health care and the Internet are all dependent on reliable energy supply. Minor network or energy production disruptions could cascade and result in huge impacts as recent incidents, such as the Northeast Blackout 3 A detailed vulnerability analysis is presented in the Report to NIST on Smart Grid Interoperability standards Roadmap [13] Appendix E. [37], have shown. The huge complexity, interconnectivity and homogeneity of Smart Grid components increase the possibilities of cascading effects. For instance, a huge amount of similar Smart Meter, which are malfunctioning could introduce misleading control and could seriously impact the power balancing function of a Smart Grid. The possible cascading effect of such incidents could spread over a larger grid, as investigated in a research paper concerning cascade-based attack vulnerability on the U.S. power grid [38]. This cascade could have a dramatically higher impact than the current "one directional power supply grid. 3) Conclusion The new characteristics of the Smart Grid communication network introduce new vulnerabilities with enhanced impact, thereby also introducing a new level of risk. Awareness and the cost-effective mitigation of these risks to an appropriate level is one of the key success factors of the Smart Grid. To develop "Zone principles" as one element in mitigating this future risk, the following security requirements could be stipulated: Maintenance of and support for the existing security architecture and architectural controls of the different domains (including the maintenance of "Defense in Depth/ Zone Principles" integrity in critical infrastructures) Maintenance of and support for valid Best Practices, Standards and Regulations Enablement of a platform for an appropriate secure connection between different parties Protection of critical infrastructure or co-operation with downstream systems Definition of clear controls based on zone classification Persistence security concepts for the different life cycle of the Smart Grid development C. Best Practices approach, Defense in Depth In the general security discussion Defense in Depth is defined as "An approach to security in which multiple levels of security and methods are deployed to guard against failure of one component or levels." [9]. In the Information and Information System security, Defense in Depth" became a standard security control principle that is applied on different levels, e.g. in the system design [11], software design [39], security architecture, or security control design [40]. In the current Cyber Security discussion of Smart Grids, Defense in Depth" is recognized as a possible Cyber Security control for Smart Grids [25], but detailed analysis and structured implementations are essentially missing. In the context of "Zone principles", the discussion of Defense in Depth" is limited to a multi-layered architecture approach, which has to be supported by different security controls to provide multiple, redundant and independent layers of protection. The objectives are as follows: Efficient elimination of single-point vulnerabilities or failures on architecture, infrastructure or system level. Deficiency of individual technical or organizational

5 5 controls regarding error-proneness [41] and vulnerabilities makes a multi-layered protection approach necessary. Custom fulfillment of various protection requirements in different zones of IACS, IT services and Defense in Depth principle and the use of multiple zones make it possible for an accurate separation of the architecture, such as business function, responsibilities and technology. Flexibility of controls in different zones without weakening the protection level. One disadvantage of the "Defense in Depth" methodology introduced as a security architecture element is the higher grade of complexity and cost of the architecture [42]. D. Zone principles in the general Cyber security discussion In the general Cyber security discussion, "Defense in Depth" methodology, as a multi-layered architecture approach, is often introduced as a "Zone model" [9] or "Level structure" [11], and is mostly supported by a classification model and dedicated security controls. To ensure the compatibility to the different domains of the Smart Grids, legacy environmental, or local regulations the different "Zone models" or Level structures" are normalized in a 6-Zone principle with the Zones: Zone 0 - Process Zone 1 - Critical Automation/Basic Control Zone 2 - Critical Operation control/ Supervisory Control Zone 3 - Operation Support/Management Zone 4 - Business Automation/Logistics Zone 5 - External Partner/Connections Figure 1 describes a normalized 6-Zone principle example based on mapping of the different industrial standards and best practices. However, the mapping gives only an indication of a general mapping, and could at any time be enhanced with other standards or regulations. Fig.1. Mapping of standards against a normalized Zone model III. RESULTS The result shows a possible attempt to introduce "Zone principles" as an element of the Cyber security architecture for Smart Grid architecture. The different functions and potentials of "Zone principles" are described briefly, and should provide a basic outline of an elaboration. Furthermore, the value creation based on the identified challenges and requirements of these principles are discussed. A. Zone principles in a context of a Smart Grid architecture Figure 2 shows a classification and segmentation of smallsample Smart Grid architecture on a generic level. The sample consists of two different companies (1 and 2) as well as three domains (Transmission/Distribution, Plant Entity and Market). Based on the normalized "Zone Principles", the functional and technical life cycles are classified to the different zones (Zone 1 to Zone 5) according to the legacy installations in a horizontal direction. The vertical direction shows the connectivity of functions and systems between different domains and/or companies. Figure 2 also shows that not all domains need the installation of all zones (cf. Domain C, missing Zones 1 and 2). Different zones could also be used by different domains of one company (cf. Company 2, Zones 4 and 5 are used in Domains B and C.). The application of "Zone principles" could serve to realize the following benefits: Classification of functions and system into different zones according to defined and aligned criteria and attributes. Introduction of an "inter-connection area" as an integration and connectivity platform, which enables and controls connections to other domains or companies. Basis for the standardized definition of interfaces and connectivity of different domains and/or companies. Presentation and differentiation of the domains, companies and/or legal entities Methods to illustrate different attributes, characteristics, and dependencies of and between the various zones, e.g. responsibilities, business functionality, security requirements or architecture. Methods to implement different security controls, frameworks or legal requirements for different zones. Definition of critical IT systems and functions (Zones 1 and 2) Introduction of a higher level of flexibility to define and apply controls, which is a basis for standardized controls for different levels of security requirements Normalization on a generic layer to enable compatibility with different architectural standards Applicable in an n:m -scenario in the dimensions of company, domain and function Multi-level defense strategy to isolate incidents and reduce impact B. Zone instances To ensure the flexibility, modularity and scalability of the Zone principles, the introduction of Zone instances as an additional element of a Zone is necessary. Based on the classification criteria of a Zone, different systems and functions could be classified to one zone. However, due to differences in locations, requirements or technical design, it may not be beneficial to handle all these functions or systems under one common control rule set (e.g. responsibility, physical security or system security). Therefore, the zone instances are used to differentiate and group different systems

6 6 Zone 1 Zone 2 Zone 3 Zone 4 Zone 5 Process Critical Automation / Basic Control Critical Operation Control / Supervisory Control Operations Support / Mgmt Inter-connection area Business Automation / Logistics External Partner Connection Company 1 Domain A Process Process Plant Block A: Critical Automation Plant Block B: Critical Automation Plant Block A; Supervisory Control Plant Block B; Supervisory Control Operations Support / Mgmt Inter-connection area Business Automation / Logistics External Partner Connection Company 2 Domain B Operations Support / Mgmt Inter-connection area Business Automation / Logistics External Partner Connection Domain C Fig.2. Zoning principles as an element of Cyber security architecture, including different zone instances and functions into one zone. Figure 2 shows zone instances in Company 2- Domain B and in all entities in Zone 3. C. Classification to the Zone principle The classification of the different systems and functions into the various zones is based on the defined criteria and requirements of the different zones (see also [43]). A system which is classified to a certain zone must meet the specific zone requirements. Zone requirements could in further discussion be adapted to the different characteristics of the various domains. Special requirements or exceptions can be handled using zone instances. If a system provides different functions, which are classified to different zones, the system should be assigned to the more stringent zone. D. Security controls To bring the "Zone principles" into effect, it is important not only to implement a multi-layer network schema, but also to implement and maintain security controls that assess, protect, respond to, prevent, detect and mitigate threats [9]. In this context, the security controls shall not be reduced to network controls or technical controls only, but should cover the different disciplines of security to guarantee an integrated protection and follow up, including technical controls, operational controls, management controls or physical controls. The security controls must be adapted to the different zones and zone instances, and reflect the various characteristics, such as domain affiliation, risk and threat scenarios, application, connection type, flows or ownership. The objective of the "Zone Principle" is not to define or provide different security controls, but to provide an additional framework to assign security controls or control families, e.g. regulation requirements, in a structured and traceable way to zones and zone instances. With the introduction of such a framework, compatibility with the different standards and regulations, but also to the iterative evolution of a Smart Grid, is safeguarded. A standardization of mandatory basic security controls in relation to the different zones and zone instances could deliver a set of requirements as a prerequisite for establishing connection between domains and companies, and could lead finally to a compliance process in the area of Smart Grids. E. "Inter-connection" area as zone instance of Zone 3 The "inter-connection area" of Zone 3 enables and supports the connectivity and interoperability of different domain entities and companies, and represents one of the core functions of a Smart Grid communication network. The introduction of an "inter-connection area" is a functional enhancement to current known "Zone principles. However, it could be compared to Level 3 of the "Assumed hierarchical computer control system structure for an industrial plant" in ANSI/ISA /IEC [44]. Unlike Zone 5 (external partner connection), which allows traditional transfers between companies and customers, the "inter-connection area" of Zone 3 supports time- or security-critical connectivity between Smart Grid functions and components. To ensure the necessary security of the various systems and functions in Zone 3, different kinds of security control have to be defined for the zone, zone instances and flows. The definition of standardized set the basis for the introduction of minimum requirement and compliance measures to enable connectivity and interoperability between domains, companies and assets. The objective could be a standard catalogue of controls for different kinds of connectivity and flows in order to build up a reliable level of trust between different entities in the Smart Grid. The possibility of encapsulating the different systems and functions in Zone 3 by introducing zone instances, the modularity, scalability and thus the flexibility of the principle is guaranteed. F. Mapping example of the Zone principle To visualize and prove the applicability and effectiveness of the "Zone principles", the scenario entitled "Electric Storage (ES)" of the "Unified Logical Architecture for the Smart Grid" [25] has been mapped to the "Zone principles". Owing to the generic character of the "Zone principles", other architectural approaches such as "P2030 Smart Grid Comms Reference Architecture" [45] could also be used and applied.

7 7 The mapping (Figure 3) provides a classification of the different systems and functions of the "Electric Storage (ES)"- scenario to different zones. However, in this example a hypothetic classification model was applied to map the different systems and functions to the different Zones. This example includes no applied security controls, but shall merely indicate the mapping procedure for the communication systems of any given use case example to the Zone principles of Smart Grid architecture. To bring the "Zone principles" up to full effect, a catalogue of security controls has to be defined for every zone, zone instance and flow. To present the various possibilities for system mapping, middleware components are included for different functions. G. Zone principles supporting non-security objectives The introduction of Zone principles as an element of Smart Grid architecture provides, in addition to the security objectives, further value to the operation and maintenance of a Smart Grid communication network. The following examples outline various possibilities: Basic structure and templates for SLA and OLA specifications according to zones and zone instances Definition of clear responsibilities Classification of interfaces, protocols and conductivities Classification of assets in terms of regulation or technical implications Zone 1 Zone 2 Zone 3 area Zone 4 Zone 5 PLC IED Market A Critical IT systems Operation A 8 Service Provider C Inter connection Customer Fig.3. Zoning principles applied to the "Electric Storage (ES)" of the "Unified Logical Architecture for the Smart Grid" [25]. 1 - Energy Market Clearinghouse; 2 - Middleware Energy Market Clearinghouses; 3 - ISO/RTO Operations; 4 - Bulk Storage Management; 5 - Distribution SCADA; 6 - Middleware Distribution SCADA; 7 - Aggregator / Retail Energy Provider; 8 - Distribution/Generation/Storage Mgmt System; 9 - Middleware Billing System; 10 - Billing System; 11 - Energy Service Interface; 12 - Customer Energy Management System (EMS); 13 - Meter; 14 - Customer DER: Generation and Storage IV. CONCLUSION Smart Grid is developing rapidly, with incumbent players 1 10 and new start-ups, innovative technologies, integration challenges, new business and use cases. With this, the risk of ad-hoc solutions, isolated architecture, and ineffective security controls is increasing. The impact could be incompatibility, isolated solutions, integration failure or ineffective or wrong prioritized security. The "Zone principles", as an element of the Cyber Security architecture of Smart Grids, introduce a "Defense in Depth" approach to defining and implementing security controls. Consequently, it serves as the basis for a platform of trust between the different parties making up a Smart Grid. As a consequence of its generic, modular and scalable character, the "Zone principle" is an element that provides stability throughout the different iterative evolution phases of the Smart Grid. "Zone principles" is based on proven industrial standards and best practices, thereby ensuring compatibility with the current installation. Furthermore, the development of this "Zone principles" approach transfers knowledge to the new challenges and requirements of a Smart Grid communication network. There is no single Smart Grid available at present, but rather a wide range of different systems that all need to be tied together. "Zone principles", as an element of a Cyber Security architecture, is a supporting element to structure this challenge in an efficient way. V. REFERENCES [1] National Institute of Standards and Technology (NIST), Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 Appendix, Jan 2010 [2] European Regulators Group for Electricity & Gas (EREG), Position Paper on Smart Grids Ref: E09-EQS-30-04, Dec 2009 [3] Chris Thomas and Bruce Hamilton, ADICA, LLC, White Paper The Smart Grid and the Evolution of the Independent System Operator, 2009 [4] Official Journal of the European Union, DIRECTIVE 2009/28, 29, 30, 31/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, Apr [5] The White House - Office of the Press Secretary, President Obama Sets Greenhouse Gas Emissions Reduction Target for Federal Operations, Available at: (last visited 5th May 2010) [6] European Electricity Grid Initiative (EEGI), Available at: (last visited 12th May 2010) [7] European Regulators Group for Electricity & Gas (ERGEG), Available at: (last visited 12 th May 2010) [8] National Institute of Standards and Technology (NIST), Available at: (last visited 12 th May 2010) [9] U.S. Nuclear Regulatory Commission (NRC), Regulatory Guide Cyber Security programs for Nuclear Facilities, pp. 35, Jan 2010 [10] International Atomic Energy Agency (IAEA), Technical Areas, Available at: (last visited 14th May 2010) [11] American National Standards Institute (ANSI), International Electro technical Commission (IEC), International Society of Automation (ISA), ANSI/ISA , IEC Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, 2007 [12] CISCO Whitepaper, Securing Smart Grid, 2009, Available at: (last visited 12 th May 2010)

8 8 [13] Electric Power Research Institute (EPRI), Report to NIST on the Smart Grid Interoperability Standards Roadmap, Jun 2009 [14] Information Technology Association of America (ITAA), Available at: Definitions.pdf (last visited 12 th May 2010) [15] European Energy Regulators CEER&ERGEG, Available at: (last visited 5 th May 2010) [16] German Federal Ministry for Economics and Technology, Available at: (last visited 5 th May 2010) [17] European Technology Platform for the Electricity Network of the Future, Available at: (last visited 5 th May 2010) [18] European Technology Platform for the Electricity Network of the Future, Strategic Deployment Document for Europe s Electricity Networks of the Future, Available at: _FINAL_APRIL2010.pdf (last visited 5th May 2010) [19] International Electro technical Commission (IEC), IEC Global Standards for Smart Grids, Available at: (last visited 5 th May 2010) [20] European Electricity Grid Initiative (EEGI), Roadmap and Detailed Implementation Plan , May 2010, Available at: _plan_may% pdf [21] IEEE, IEEE P2030 Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), and End-Use Applications and Loads, Available at: index.html (last visited 5th May 2010) [22] Smartgrids Austria, Roadmap Smartgrid Austria - Der Weg in die Zukunft der elektrischen Stromnetze!, 2009 [23] Electric Power Research Institute (EPRI), Integrating new and emerging technologies into the California smart grid infrastructure - A report on a Smart Grid for California [24] Department of Energy Climate Change, Developing a UK Smart Grid, Available at: uk_supply/network/smart_grid/ smart_grid.aspx (last visited: 5th May 2010) [25] National Institute of Standards and Technology (NIST), Smart Grid Cyber Security Strategy and Requirements, Draft NISTIR 7628, Feb 2010 [26] International Society of Automation (ISA), CS2SAT - Control System Cyber Security Self-Assessment Tool, 2007 [27] Trusted Information Sharing Network for Critical Infrastructure Protection, Generic SCADA RISK Management Framework, Dec 2006 [28] AMI-SEC Task Force and AMI Security Acceleration Project (ASAP), AMI Security Implementation Guide V1.01, 2009 [29] North America Electric Reliability Corporation (NERC), Critical Infrastructure Protection series (CIP-001 CIP-009), 2009 [30] International Electro technical Commission (IEC), Power systems management and associated exchange - Data and communications security, Available at: Openform&key=62351&sorting=&start=1 (last visited 5 th May 2010) [31] Department of Homeland Security (DHS), Catalog of Control Systems Security: Recommendations for Standards Developers, Sep 2009 [32] National Institute of Standards and Technology (NIST), Guide to Industrial Control Systems (ICS) Security (NIST ), Sep 2008 [33] Department of Energy (DOE) Cyberspace Policy Review - Assuring a trusted and Resilient Information and Communication Infrastructure", May 2009 [34] National Institute of Standards and Technology (NIST), National Vulnerability Database, Available at: (last visited 5th May 2010) [35] Katie Fehrenbacher, Close to 80 Smart Grid Standards Revealed, Available at: (last visited 5 th May 2010) [36] Department of Homeland Security (DHS), Control Systems Cyber Security: Defense in Depth Strategies, May 2006 [37] Blackout 2003 USA, Available at: (last visited 5th May 2010) [38] Jian-Wei Wang, Li-Li Rong, Cascade-based attack vulnerability on the US power grid, Available at: doc/ /cascade-based-attack-vulnerability-on-the-us-power- Grid (last visited 5th May 2010) [39] International Standard Organisation (ISO), International Electrotechnical Commission (IEC), ISO/IEC Information Technology Basis Reference Model: The Basic Model, 1994 [40] Trusted Information Sharing Network for Critical Infrastructure Protection, Defense in depth, June 2008 Available at: SecurityPublications (last visited 5 th May 2010) [41] Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, Jun 2004, pp. 62 [42] Eric Byres, Defense in Depth, Jun 2008, Available at: (last visited 5th May 2010) [43] National Institute of Standards and Technology (NIST), SECURITY CATEGORIZATION OF INFORMATION AND INFORMATION SYSTEMS NIST Volume II Revision 1, 2008, Available at: Rev1.pdf [44] American National Standards Institute (ANSI), International Society of Automation (ISA), ANSI/ISA , Enterprise-Control System Integration, Part 1: Models and Terminology, [45] IEEE, Validating the IEEE P2030 TF3 Smart Grid Comms Reference Architecture By Mapping Utilities Architectures, Available at: (last visited: 15th May 2010) [46] The No Network is 100% Secure series - The Aurora Power Grid Vulnerability - A White Paper, Available at: (last visited 5th May 2010) [47] Cyber Incident Blamed for Nuclear Power Plant Shutdown, Available at: (last visited 5th May 2010) VI. BIOGRAPHIES J. T. Zerbst graduated in computer science. Today he is responsible for the IT Security in the Vattenfall Group. M. Schaefer graduated in computer science. Since 2008 he works for Vattenfall AB as a consultant for IT Security and Green IT. I. Rinta-Jouppi graduated in electronics and computer hardware, is engaged in the areas of Smart Grids, IT and IT security. Today he is responsible for development in Vattenfall Distribution Nordic.