NES Patagonia Security

Transcription

1 NES Patagonia Security Networked Energy Services Corporation (NES) November

2 Executive Summary With NES Patagonia, our newly announced next generation platform, the security model is being reworked from the ground up, effectively setting the bar again for the industry. To build a secure grid system, we started with a clean slate and took a holistic approach grounded in the real world. We re planning across all components and interfaces of the system, and looking towards integrating smoothly with IT security systems. With the media taking a strong interest in security, it is easy to fall for security theatre, being taken in by impressive looking long keys and accredited algorithms and therefore overlooking the intricacies of a secure implementation. By taking an open and completely transparent approach we aim to work with the utility industry to build the most secure and reliable system possible. With that said, we freely acknowledge that there is no perfect system so we also prepared for intrusion response with detection and recovery mechanisms. As part of this consideration, we analyzed threat models to ensure that we considered attacks to a single device, as well as large-scale national security threats. NES Patagonia security architecture is taking advantage of the latest tools available, including algorithms recommended by the European Union Agency for Network and Information Security (ENISA), the National Institute of Standards and Technology (NIST), Data Protection Impact Assessment Template (DPIA) for Smart Grid and Smart Metering systems, and other renowned security-related initiatives. These algorithms were paired with a complete PKI (Public Key Infrastructure) system. The PKI model is designed in from the beginning and focuses on efficient implementations that aim to work for the most constrained parts of the grid. The architecture is designed with the complete life cycle of the system in mind, from the manufacturing of devices, installation, and operation to maintenance. At every level, NES is looking to prevent intrusion while supporting detection and incident response methods. The next steps are working with industry alliances, most prominently the OSGP Alliance, to incorporate such best practice security adaptations into the standards we use and support. While we take every effort to ensure the system is the best we can make it today, we are also designing in the ability to flexibly add innovative security upgrades at every layer of the system so as to keep up with the ever-evolving nature of grid and IT security.

3 NES Patagonia Security November Introduction Security in the electrical distribution grid is still in an early stage. Just a few years ago, the main threats to the distribution network were physical in nature. With the initial deployments of AMI systems, and then smart meters, a communication network has been overlaid, introducing a brand new security threat in a domain area unfamiliar to many who were responsible for distribution grid operations. Initially, the technical challenge focused on communication reliability, but with its background in control networks, NES immediately understood security was also an essential component, so it made security a key part of its system architecture. In this process, NES decided it was important, given where they believed future challenges would manifest, to consider the end to end implications of security and to have a keen understanding of the realities in the distribution grid - which are fundamentally different than other industries. As Smart Metering, and grid modernization in general, have become more common place at the utility, security has become a main topic for the utilities and regulators, but also a safety and privacy concern for the public. Technologies concerning security algorithms, computing power, and memory availability in Smart Meters and grid sensors have evolved quickly. Security has evolved from a concern to a top priority and now to the primary priority. The overall industry (utilities, regulators, technology suppliers) charter is to renew the myriad solutions offered with the latest security technology while the industry simultaneously develops and agrees on an in-depth understanding of the entire system and corresponding set of security requirements. Inherent in this process is a potential danger. While there are many proven security technologies and approaches, as an industry, we cannot be too fast to decide on a solution before we appreciate the unique requirements and threats of our unique industry. The distribution grid security challenge does have similarities to what communications, IT, and other networks have faced, but there are also fundamental differences. We believe the first step for the industry is to agree on the security requirements and then choose standards and solutions which are purpose-built to meet the distribution grid security challenge. From an NES perspective, it is important to focus on real comprehensive security and not find artificial comfort in large security keys and highly accredited algorithms. If the application and implementation of these state-of-the-art primitives are not carefully taken into consideration, then it will not matter if the biggest security key possible is used with the most secure primitive, the result is extremely likely to be insecure. The NES solution architecture has been purpose-built from the start with end to end security in mind. We are looking to set the bar again with our next generation platform, code named Patagonia. One key objective with Patagonia is to address a fundamental shift in security requirements; we believe the rate of change to address ongoing security requirements will be significant, so the system is designed to have the head room required and mechanisms in place to easily take advantage of new or updated algorithms as they evolve. What also is new is a company edict to share all the details of the platform during the development phase to collect input from the users, partners, and security communities in order to ensure the best long term result for the industry. 1

4 The remainder of this paper is structured as follows: y Section 2 describes the reality of real-world grid security y Section 3 defines the threat model for the Patagonia security architecture, i.e., the types of smart grid threats we address y Section 4 introduces the Patagonia security architecture y Section 5 highlights some of the central design goals of the Patagonia security architecture y Section 6 includes an outline of our security update proposal of OSGP y Section 7 concludes the paper with a summary of the key points of this paper followed by notes on future work 2

5 NES Patagonia Security November Real-World Grid Security It is important to take a strong stance on what real-world smart grid security is. Failure to do so can lead to false assumptions and insecure systems. In this section, we therefore cover four central topics that are critical to address in the grid industry: y Grid constraints y Transparency y Security theatre y Disaster and recovery 2.1. Grid Constraints From an IT perspective, the smart grid is a large segmented distributed system. Each segment of the grid has its own unique performance constraints. These constraints are dictated by the underlying network architecture, capabilities, and the available performance resources of the connected devices. For example, the IP network (WAN) that connects the back-end system to the control nodes tends to be broadband whereas the low voltage PLC network tends to be narrowband. The smart meters are also significantly limited in terms of hardware resources (memory and computational power) compared to other types of nodes in the network. Therefore, achieving high-grade security in even the most performance-constrained parts of the grid is where the real challenge is. Existing security architectures from other industries are not directly applicable to the smart grid. They often times have entirely different assumptions about the resources available and the security requirements needed. As a result, to successfully secure the grid, we need a comprehensive security approach that is designed specifically for the entire grid and integrated into the overall IT architecture from the very beginning. This is what NES has done in the past, and what we are doing again with our new Patagonia security architecture. The Patagonia security architecture is designed to take advantage of the recent hardware improvements in smart meters. These improvements enable us to further strengthen the overall security of the system Transparency A security system should be secure even if everything about the system, except the keys, is public knowledge. Auguste Kerckhoffs, 1883 The quote above captures a critical security principle that we strongly believe in. Security systems must be transparent and promote security analysis, never relying on security through obscurity. There are three main reasons why we take a strong stance on transparent security systems: 1. History has shown, that there is always a way of reverse engineering, and thereby exposing, the inner workings of a system. As a result, relying on the secrecy of proprietary technology is bound to catastrophically fail at some point. 3

6 2. By using open standards and recommendations, we draw on years of research and real-world experience. We also benefit from continuous analysis that widely-used open technology receives. 3. Systems based on open standards and widely accepted security recommendations are much easier to adopt and integrate into existing infrastructure. They also promote vendor interoperability, which is important in the grid industry. The main argument against transparent systems is that they are also more accessible to a potential attacker trying to find and exploit security vulnerabilities. This is true, but the attacker is competing with researchers trying to do the same but with the intention of improving the state-of-the-art. With the emergence of bug bounty programs and other similar initiatives, there is an increasing incentive for constructive security research. This directly benefits transparent systems Security Theatre As just mentioned, we strongly believe in the importance of building open security systems based on stateof-the-art security recommendations. However, choosing the right tools for the job is only the very beginning of developing a secure system. The industry needs to realize it is not enough to only rely on recommended security algorithms and key sizes. In fact, history has shown that the real security challenge, and where most security systems fail catastrophically, is implementing and using these tools securely in the context of how the specific system operates. For example, simply because an encryption mechanism uses AES with a 256-bit key (aka AES-256) does not make it secure by design. The combination of using AES with the biggest key possible may create a feeling of being secure. However, in reality, the security of this encryption mechanism critically relies on how AES is used and how the mechanism as a whole is implemented, integrated, and used in practice. The same is equally true for essentially all other security related mechanisms and protocols and we have not even begun to cover key management, the most difficult aspect of any type of cryptographic system. We believe in real and comprehensive security for the grid, and we do not get misled by security theatre that creates a false sense of security. This is arguably the worst sense of security there is when trying to secure critical infrastructure Incident Response: Disaster and Recovery We do everything we possibly can to prevent threats from occurring. However, we also recognize that there is no such thing as a perfect threat-prevention system in practice. It is therefore crucial to invest effort in developing security-related technologies and procedures that make it possible to recover from system compromises in the most simple and efficient way possible. Being able to securely recover from system compromises post-mortem is a necessity and an important aspect of how we perceive security in general. 4

7 NES Patagonia Security November Threat Model We are concerned with threats that violate the confidentiality and integrity of the grid. In addition, we are concerned with threats that limit the availability of the grid, i.e., threats that limit accessibility and efficiency. It is important to understand that these types of threats can occur not only from malicious behavior (internal and external) but also from natural disasters, human mistakes, and system flaws. A successful threat model for the grid must address all types of threats. We must realize we are up against a brand new set of security challenges and we must respect those, just as other industries have in developing security solutions based on in depth end to end requirements; we simply cannot borrow from other places and count on these approaches to work. As mentioned, we recognize that there is no such thing as a perfect prevention system in practice. Thus, by addressing a threat we therefore imply that we aim to prevent, detect, and respond to the threat as securely and efficiently as possible. To better understand threats originating from malicious behavior, we need to make explicit assumptions about a potential adversary s capabilities. Since the power grid is a critical part of modern infrastructure, we need to assume the most advanced adversary possible, i.e., large organizations such as foreign governments and intelligence agencies. As a result, the threat model spans less severe threats such as single node compromises all the way to large scale targeted attacks threatening national security. In terms of communication, every network is assumed to be hostile. Specifically, we assume that our adversary is able to eavesdrop on communication, actively engage in communication, and mount man-inthe-middle attacks. We also address the threat of having compromised and potentially malicious meters and data concentrators on the grid. To the extent possible, we address the threat of insider attacks. History has shown, that these threats are extremely difficult to mitigate in practice. However, simply ignoring this threat is not acceptable. We have learned from other industries such as the financial sector and we support grid administrators in addressing insider threats by providing them with advanced auditing capabilities and integrated safe-guard mechanisms that can be used to prevent and detect insider threats in practice. 5

8 4. The NES Patagonia Security Architecture The new security architecture aims to further strengthen the ability to prevent, detect, and respond to misuse of grid assets and malicious behavior. Specifically, it focuses on improving the ability to: 1) protect confidential information, 2) verify data integrity and authenticity, 3) maintain an efficient and available grid, 4) provide advanced logging and auditing mechanisms for detecting and responding to incidents, 5) limit the security impact of node compromises as much as possible, and 6) to the extent possible, protect the grid from Denial of Service (DoS) attacks. To meet these challenges, we have done a clean-slate design and are building the new security architecture from the ground up based on open standards and security recommendations from established and renowned organizations, cryptographers, and security experts. At the core of the new architecture, and the primary focus of this paper, is the fundamental change in key management, how keys used for authentication and communication are established, and how these keys are used for security purposes. It is going to be an integral part of the next generation smart grid platform, not simply an add-on. The key management system uses a Public Key Infrastructure (PKI) that binds node identities to public keys in the form of certificates. Once a node is part of the grid PKI, and thereby has one or more valid certificates, it can use one of its private keys to prove to the other node that it is who it claims to be. In order for the other node to verify this claim, it would obtain the node s certificate, verify it, and use the certificate s public key to verify the proof. Thus, in order to authenticate with each other, two nodes can simply exchange certificates. During this mutual node authentication, the nodes also establish short-term keys that they can use for communicating with each other in a secure and efficient manner. The most difficult aspect of the new security architecture, and any other type of cryptographic system, is key management. It defines how cryptographic keys and certificates are generated, distributed, renewed, revoked, and stored. It is the backbone of the new security architecture and it critically influences most of the security-related mechanisms across the grid. We believe a PKI approach to key management is the way forward. Using this approach has a number of advantages: y Certificate-based authentication: once two nodes on the grid are part of the PKI, they can authenticate each other and engage in secure communication without relying on pre-shared secret keys or the availability of key and authentication servers to be online. It is a significant improvement to the overall availability of the grid: even if two nodes lose the connection to the back end system, they are still able to engage in secure and authenticated communication with each other. This makes it a strong tool for securely automating grid processes and it takes advantage of the decentralized nature of the grid as a distributed system. y Node-unique certificates: each node in the PKI has its own set of private/public key pairs with a corresponding certificate it can use to authenticate itself to others. The key pairs are decidedly nodeunique and the private part of the key pair is retained inside the node itself. This eliminates the need for having to securely maintain and secure a large database of thousands, or even millions, of pre-shared node keys. It also limits the impact of node compromises since compromised node keys can only be used to spoof the identity of that particular node. Other nodes in the grid are not affected. 6

9 NES Patagonia Security November 2014 y Authenticated key negotiation: with the use of public-key cryptography, secret (symmetric) encryption keys are not transmitted over the network. Instead, two nodes will securely establish these types of keys when needed. In order to make sure that the two nodes do not establish a key with an untrusted node, they use the aforementioned certificates-based authentication approach. Preventing secret keys from being transmitted on the network, by design, is a strong security property of the new architecture. y Key life cycles: with a PKI in place, the security architecture now defines and enforces a standard and recommended key life cycle. This is important for making sure that policies are in place for each phase in a key s life. The new security architecture defines a set of default policies that are suitable for most cases. We understand that not all grids are the same, so these defaults are configurable. y Key renewal: all keys in the system have a specified validity period based on a start and an end date. The validity period can also depend on the number of times a key has been used. This means that every key in the PKI, and all the communication keys, are securely renewed at some point in time. The exact key update validity period is also configurable, but the security architecture provides a set of secure defaults to this as well. Both planned and unplanned key renewals are supported and performed securely. y Key revocation: all certificates, and thereby public keys, in the PKI are revocable, i.e., it is possible to tell the nodes never to trust a given certificate even if it is still within its validity period. Revocation is different from key renewal since it is an unplanned use case. It is often an after-thought in PKIs. For example, the PKI that most of us rely on for secure Internet connections on the web does not have an acceptable way of revoking certificates. To address this concern in the NES Patagonia security architecture, revocation has been a central design goal from the very beginning. y Automated key management processes: except for certain use-cases such as revocation, the key management processes are largely automated and do not require interaction from the grid administrator. However, if needed, the administrator can configure most of these processes to suit her/his needs. As is the case with any key management approach, there are also challenges that need to be solved. The following is a list of the primary challenges in using a PKI-based approach to key management in the grid. Each challenge is followed by a brief description on how we address it. y Performance requirements: a PKI requires node support for asymmetric (public-key) cryptography. These types of algorithms require significantly more computing power compared to symmetric-key cryptographic algorithms used in the current generation. The current and previous hardware platform did not have the needed resources to support these algorithms in practice. This is partly why this move towards a PKI-based solution was not done in the past. However, because of significant hardware, software, and high-speed cryptographic improvements, the next generation hardware platform is able to meet these performance requirements and potentially improve the performance of the grid. In addition, we also address performance concerns by only using asymmetric algorithms for node authentication and key negotiation. The actual node communication is secured using high-speed symmetric cryptography. This gives us the best of both worlds: asymmetric cryptography for authentication and high-speed symmetric cryptography for encryption and data authenticity. Keep in mind, that the majority of the time 7

10 is spent communicating, not performing certificate-based authentication. y CA security: a certificate authority (CA) is responsible for issuing certificates. Every node in the PKI trusts this authority to only issue certificates to legitimate nodes. The CA issues certificates by digitally signing a node s certificate with its private signing key. Thus, a PKI requires a high-security facility for protecting CA signing keys. Having high-security facilities for storing cryptographic keys is not a new requirement for grid administrators. Nevertheless, the new security architecture provides the grid administrators with a set of best practices and mechanisms for managing and securely storing CA signing keys. y The PKI reality: in practice, PKIs can be complex to set up and operate. This is true from a technical point of view but also from an organizational point of view. The new security architecture addresses the technical side by securely automating many of the PKI-related management processes. The architecture accommodates the organizational challenges by developing the PKI based on widely used and secure standards. This way, grid administrators can reuse existing standard tools and infrastructure to ease the management of the PKI in practice. To summarize, because of recent advancements in hardware and software technology, now is the time to improve the current state of security for the grid. With the new security architecture comes a number of significant enhancements to the overall security of the next generation smart grid. In the next section, we go into a bit more detail on what the important design goals are and what we do to meet them. 8

11 NES Patagonia Security November Design Goals This section will highlight some of the design goals for the Patagonia security architecture. This is not an exhaustive list, but to get a sense of the direction of our security architecture Based on Standards and Recommendations The architecture is based on open standards and security recommendations from organizations such as the European Union Agency for Network and Information Security (ENISA), the National Institute of Standards and Technology (NIST), Data Protection Impact Assessment Template (DPIA) for Smart Grid and Smart Metering systems, and other renowned security-related initiatives. It is also based on our past experience with security assessments of the smart grid and recommendations from cryptographers and security experts. As mentioned, we see these standards and recommendations as a way of selecting the best security tools for the job at hand. Applying and implementing them securely is the real challenge and something we take very seriously. That being said, we will make use of state-of-the-art algorithms and aim for high-grade security throughout the system. With respect to cryptographic primitives for secure communication, we make use of authenticated encryption ciphers (such as AES-GCM and AES-CCM) with support for 128, 192, and 256 bit key sizes. For authentication, we make use of ECC-based digital signature schemes (such as ECDSA) and use ECC-based authenticated key negotiation schemes (such as ECDHE) to establish session keys. We use cryptographically strong pseudo-random number generators (CSPRNG) for our cryptographic purposes such as key and randomnonce generation. All devices in the next generation hardware platform have a dedicated hardware-based random number generator which we take full advantage of in the Patagonia security architecture. In addition, we have designed the Patagonia security architecture in a way that makes it possible to replace any of these primitives if they are considered insecure in the future Backwards Compatible We recognize the importance of backwards compatibility, and have designed the new security architecture to be backwards compatible with the current security generation. While we will support a mixed population, we will not allow the security mechanism of a node to be downgraded. This is to ensure that in a mixed environment the strongest security model supported for each communication mode is chosen. We will also allow the grid administrator to disable the ability to support communication with nodes that do not have the latest security implemented Forward Secrecy Forward secrecy is an important security property and an important design goal of the Patagonia security architecture. We achieve forward secrecy by using long-term keys for authentication, and short-term randomly generated session keys for pair-wise device communication using an authenticated and recommended Diffie- 9

12 Hellman key agreement protocol. The result is that if an adversary is able to compromise a session key, then she or he can only use that key for compromising that particular session. The attacker is not able to go back in time and compromise previously recorded sessions. The same is true for future sessions; such an attacker would need to compromise the long-term authentication key in order to compromise future sessions by mounting a man-in-the-middle attack on the authenticated key agreement. However, compromising the long-term authentication key would still not allow the attacker to decrypt past sessions Node-Unique Secrets In order to limit the impact of cryptographic key compromises, we make sure to use node-unique keys. As a result, an attacker that obtains unauthorized access to a node s keys cannot, by design, use these keys to compromise other nodes keys. The compromise is therefore limited to the affected node only. This is equally true for session keys: compromising one session key only gives you access to that one session, as mentioned above Support for Certificate-Based Access Control With the use of a PKI also comes the ability for the Patagonia security architecture to support certificatebased access control schemes. That is, each certificate can also contain a set of access control permissions. These permissions are chosen by the grid administrator in order to meet a specific access control policy. Since these permissions are part of the trusted certificate issued by the CA, nodes are able to verify that they have not been changed (the certificate s signature would not check out if this was the case.) As a result, nodes can trust these permissions and therefore use them for authorizing specific device actions. 10

13 NES Patagonia Security November OSGP Continued involvement with OSGP is obviously a constant priority and is a key consideration for the Patagonia security architecture. Since OSGP does not currently support a PKI-based security architecture, a securityrelated update to OSGP will be necessary if the Alliance is to utilize the new recommended security architecture. We propose the following security-related updates to OSGP: y Instead of using symmetric, pre-shared keys for mutual authentication, we propose the use of a stateof-the-art asymmetric authentication mechanism based on elliptic curve cryptography. y Instead of relying on long-term, domain-wide symmetric keys for secure communication, we propose the use of short-term, randomly generated, pair-wise session keys. y Instead of using RC4 and the OMA Digest Algorithm for providing encryption and integrity protection, we propose the use of authenticated cipher constructions such as AES-GCM and AES-CCM. y Instead of using 96-bit authentication keys, we propose supporting 128, 192, and 256 bit keys. We are working closely with the OSGP alliance and security experts on the design and implementation details for this proposal. 11

14 7. Conclusion In this paper, we have identified the importance of basing transparent grid security systems on open standards, state-of-the-art security recommendations and industry-realistic requirements specific to the distribution grid. We simply cannot borrow solutions from other industries and hope these will be adequate we must respect the unique challenges of our industry. This paves the way for a realistic, truly comprehensive security architecture for the grid. We have also emphasized the importance of focusing on prevention mechanisms and detection mechanisms without neglecting efficient and secure incident response. Based on these principles, we have designed a new security architecture for our next generation NES Patagonia platform. The Patagonia security architecture is designed from the ground up to take full advantage of the hardware and software improvements that come with the new components of the platform. It is designed to achieve high-grade security in even the most performance-constrained real-world conditions while still maintaining an efficient and available grid. The core enhancements of the Patagonia security architecture include a new PKI-based key management system which is designed based on open standards and modern security recommendations by NIST, ENISA, and other renowned organizations and security experts. As part of the new key management system, secure and efficient pair-wise communication sessions between two nodes in the grid become possible. OSGP must also be considered in an architecture shift towards the Patagonia security design. We have therefore made an OSGP revision proposal that brings OSGP up to the same high-grade security level as that of the Patagonia security architecture. We will work with the OSGP Alliance and security experts to make this proposal as secure as possible, both in terms of design but also in terms of implementation. Smart grid security is our number one priority. After all, a true smart grid can only make smart decisions if it is based on trustworthy information. The public can only trust a smart grid if they have full confidence in its security, safety and reliability. At NES, the Patagonia platform represents another key commitment to real and long term solutions to enable a truly smart grid. We look forward to working with our industry colleagues to implement a robust and dependable security solution for the Smart Grid. 12