Gunnar Björkman, ABB Mannheim
Smart Grids Security
SICS Security Seminar in Kista on April 8, 2014
Smart Grids Security: Agenda
- Traditional Supervision and Control
- Evolution to Smart Grids
- Grid4EU: a large scale Smart Grid project
- Smart Grid Security
- Examples of Cyber Attacks
April 9, 2014 Slide 2
SCADA for electrical grids
SCADA - Typical sizes
- Number of I/O points: 20.000 to 200.000
- Number of substations: 20 to 500
- Number of consoles/screens: 20/100
- Throughput: 500 to 1000 events per second
- Response times: one second for display call-up, one second for Data Acquisition and Commands
- Historical storage times: up to two years online
- Number of electrical nodes in model: 100 to 3000
- Number of electrical customers: 100.000 to 5.000.000
- Availability: 24*7*365, better than 99,98%
SCADA Basic Functions
Typical features:
- Schematic and geographic based world map
- Event and alarm handling
- High throughput and fast response times
- Device locate
- User defined tagging, interlocking and sequential control
- User defined calculations
User benefits:
- Fast assessment of all network situations
- Fast and safe network operations
- Secure and fast network restoration
- Well documented operation records
SCADA Advanced Applications
Monitoring:
- Status & Analog Retrieval (SAR)
- Network Model Builder (NMB)
- Scheduler Function (SF)
- State Estimation (SE)
- Network Sensitivity (NS) Analysis
- Dispatcher Power Flow (DPF)
- Security Analysis (SA)
- Short Circuit Analysis (SCA)
Operations Enhancement:
- Optimal Power Flow (OPF)
- Security Constrained Dispatch (SCD)
- Voltage Stability Analysis (VSA)
- Thermal Security Analysis (TSA)
- Available Transmission Capacity (ATC = VSA + TSA)
- Equipment Outage Scheduler (EOS)
- Bad Topology Detection (BTD)
- Network Parameter Update (NPU)
- Network Modeling Assistant (NMA)
Decision Support:
- Interlocking with LF & SA
- Study Data Base
- Network Save Cases
SCADA - Potential attack points
North-east American Blackout on Aug. 14, 2003
Other black-outs: WECC 1996 break-up, European blackout (4 Nov. 2006), London (28 Aug. 2003), Italy (28 Sep. 2003), Denmark/Sweden (23 Sep. 2003), ...
North-east American Blackout - Causes
Physical cause: FirstEnergy Corporation's failure to trim trees in part of its OH service area. A generation plant in OH went off-line during high demand, stressing HV lines, which came in contact with "overgrown trees" and went out of service.
Informational cause: a software bug in GE's EMS stalled FirstEnergy's control room alarm system (lack of system state awareness).
- The failure deprived them of alerts for monitoring important changes in system state (lack of early warnings).
- Back-up server failures slowed the screen refresh rate of the operators' consoles from 1-3 seconds to 59 seconds per screen (lack of dynamic visibility).
- The loss of alarms led operators to dismiss a call from American Electric Power about the tripping and reclosure of a 345 kV shared line in northeast Ohio (lack of corrective measures).
Source: U.S.-Canada Power System Outage Task Force, Final Report on the August 14, 2003 Blackout
Today's energy challenge
Soaring demand; electricity growth greater than average.
[Chart: forecast 2009-35 growth in primary energy demand vs. growth in electricity demand, Current Policies Scenario. Europe/USA: 9% / 30%; China: 92% / 205%; remaining values for Latin America, Middle East/Africa and India: 64%, 84%, 63% and 131%, 142%, 284% (region-to-value assignment not recoverable from the extracted text). Source: IEA World Energy Outlook 2011]
Additions of renewables bring new growth opportunities
Wind, hydro and solar are the most prevalent technologies.
[Chart: global projected additional renewable capacity 2009-35, split into wind, hydro, solar and other, per region. Values in the extracted text: South America 126 GW; Europe/USA 176 GW; Middle East & Africa 258 GW; India and China 654 GW and 681 GW (assignment of the last two values not recoverable). Source: IEA 2011, New Policies Scenario]
Traditional power grid: relatively simple
The evolving grid: new complexities
The evolving grid: new intelligence
- Wind
- Integration of renewables
- Shore-to-ship power
- Energy storage
- Communication networks
- IT/OT
- Solar
- Energy efficiency
- Grid automation
- Demand response
- E-mobility
- Smart cities
- Smart homes/buildings
The evolving grid: from traditional to smart grid
Traditional grid:
- Centralized power generation
- One-directional power flow
- Generation follows load
- Top-down operations planning
- Operation based on historical experience
The evolving grid: from traditional to smart grid
Smart grid:
- Centralized and distributed power generation
- Intermittent renewable power generation
- Multi-directional power flow
- Consumption integrated in system operation
- Operation based on real-time data
Grid4EU: an EU FP7 Smart Grids project
- Project led by 6 Electricity Distribution System Operators
- Covering altogether more than 50% of metered electricity customers in Europe
- Overall 27 partners from various horizons (utilities, manufacturers, universities and research institutes)
- Duration: 51 months, from November '11 to January '16
- Total eligible costs: 54M€; requested EC grant: 25.5M€
Grid4EU Main Objectives
- Smart Grid cost-benefit analysis
- Technologies and standards
- Scalability and replicability over Europe
- Knowledge sharing
Grid4EU Main R&D Topics
- Using more renewable energy sources connected to distribution networks
- Implementing active, more efficient participation of customers in electricity markets (active demand)
- Secure energy supply and network reliability
- Medium and low voltage network supervision & automation
- Improving peak load management through increased interactions between network operation and electricity customers
- Electric vehicles
- Storage
- Micro-grids & islanding
Smart Grids Summary
- Efficiency is the key to a sustainable energy future
- Integration of renewables and reliability improvements are increasingly important
- Smart transmission and distribution grids are a necessity to support efficiency and renewable energy
- Managing and optimizing the two-way flow of power and information becomes vital
- Security is a vital, but sometimes forgotten, aspect when designing the new grid
Smart Grid Security Challenges
- The number of installed, IP-enabled devices will grow dramatically, e.g. smart meters
- Automatic control functions will increase and will be moved to lower voltage levels; medium and low voltage networks are much bigger than transmission networks
- Increased automatic control requires that primary equipment, e.g. breakers, communicate with each other
- The need for communication can most probably not be met with utility-owned communication; the need to use public networks will increase
Conclusion: the attack surface for cyber attacks on the electrical infrastructure will increase radically with the introduction of Smart Grids. Security is not easily added afterwards: security, as well as availability, must be considered at system design.
Smart Grid Security: two types of consequences
- Economic and non-economic consequences are two ways of describing an outage
- Economic consequences are calculated as lost Gross Domestic Product
- Non-economic consequences can be described with a logarithmic scale named Outage Magnitude, which closely resembles the Richter scale for earthquakes
Smart Grid Security: Society Simulator Model
- A virtual society with all necessary infrastructure like blocks, apartments, streets, etc.
- With companies, public and private service operations producing welfare
- Including an electrical grid with realistic load curves
- With people living in the city consuming welfare
- Calculates the cost of power outages as lost GDP
- Can scale to all EU countries plus NO and CH
Please contact Mats B-O Larsson (mats@mml.se) for further details of the society simulator.
Examples of Cyber Attacks: attack blinding the SCADA system
The attacker has physical access to the RTU communication network and is as such able to connect his own equipment to the network using a switch in an unmanned substation. From this point the attacker floods a number of logical connections with a continuous stream of packets, which creates an overload in the Front-End applications and blinds the operators to what is happening in the grid. The attacker has chosen a time for the attack when a severe snow and ice storm is expected and the control operators are unable to counteract the loss of physical devices created by the storm. This leads to an overload of power lines feeding the capital city, which also goes unnoticed in the control centre. The blind SCADA severely delays the power restoration efforts to re-energize the capital city.
CySeMoL index on the likelihood of compromising the control system: 20%
Virtual Country (1/6 of Sweden): Society Cost 312 M€; Not delivered energy 155 GWh; Impact Magnitude 8,4
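The flood in this scenario is visible on the wire long before the operators notice stale displays: one logical connection suddenly carries far more frames than its engineered polling rate. The following added example (not from the slides) shows a per-connection rate check a front-end or network sensor could run; the log format, the RTU identifiers and the 2 frames/s baseline are assumptions constructed for the example.

```python
from collections import defaultdict
import math

# Hypothetical log format for frames received by the front-end from each RTU
# (assumed for this example, not a format from the slides):
#   "<epoch_seconds> <rtu_id> <bytes>"   one line per received frame


def build_constructed_log():
    """Constructed sample: three RTUs reporting normally (2 frames/s) and one
    logical connection, RTU-042, flooded at 400 frames/s during seconds 5-7."""
    lines = []
    for sec in range(10):
        for rtu in ("RTU-017", "RTU-021", "RTU-033"):
            lines.append(f"{sec}.0 {rtu} 48")
            lines.append(f"{sec}.5 {rtu} 52")
        rate = 400 if 5 <= sec <= 7 else 2
        for i in range(rate):
            lines.append(f"{sec + i / rate:.4f} RTU-042 48")
    return lines


def frames_per_second(lines):
    """Count frames per (rtu_id, one-second bucket)."""
    counts = defaultdict(int)
    for line in lines:
        ts, rtu, _size = line.split()
        counts[(rtu, math.floor(float(ts)))] += 1
    return counts


def detect_floods(lines, baseline_fps=2.0, factor=10):
    """Return {rtu_id: peak frames/s} for connections whose one-second rate
    exceeds baseline_fps * factor.  A connection bursting far above its
    engineered polling rate is the earliest symptom of the front-end overload
    described above, and can be alarmed before the displays go stale."""
    peaks = defaultdict(int)
    for (rtu, _sec), n in frames_per_second(lines).items():
        peaks[rtu] = max(peaks[rtu], n)
    return {rtu: n for rtu, n in peaks.items() if n > baseline_fps * factor}


if __name__ == "__main__":
    for rtu, peak in detect_floods(build_constructed_log()).items():
        print(f"ALARM: {rtu} peaked at {peak} frames/s")
```

Raising the alarm on a separate channel (not the flooded front-end) matters, since the overloaded component is exactly the one the operators would otherwise rely on.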
Examples of Cyber Attacks: attack on RTU communication
The attacker gains physical access to the process WAN, on which he is able to obtain a network address. As the data flows between RTUs and SCADA are not encrypted, the attacker is able to read any transmitted data in clear text. The attacker uses this opportunity to perform an ARP spoofing attack and position himself between an RTU and the PCU (i.e., a man-in-the-middle attack). As such, the attacker is able both to send malicious requests to the RTU and to hide the real events from the operator. The attacker uses this for an unauthorized opening of a distribution feeder breaker feeding a major manufacturing industry connected directly at the 40 kV level. The attacker's intention is to create a power outage that will severely disturb or stop the production in a continuously operated plant in order to create economic and/or physical damage.
CySeMoL index on the likelihood of compromising the control system: 99%
Cost of the attack for United Paper (lost production for 48 hours): 270 000 Euro
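An ARP spoof of the kind described above leaves a detectable trace: the attacker's station answers ARP for addresses that belong to the RTU and the PCU, so one MAC suddenly claims two inventoried IPs. The added example below (not part of the presentation) checks a captured stream of ARP replies against a static inventory of the process WAN; the addresses, MACs and the capture line format are constructed assumptions.

```python
from collections import defaultdict

# Assumed inventory of the process WAN, constructed for this example
# (addresses and MACs are hypothetical, not from the slides).
INVENTORY = {
    "10.1.0.10": "00:11:22:00:00:10",  # PCU / front-end
    "10.1.0.50": "00:11:22:00:00:50",  # RTU, substation A
    "10.1.0.51": "00:11:22:00:00:51",  # RTU, substation B
}

# Constructed capture of ARP replies seen by a sensor on the process WAN,
# in an assumed "<t> reply <ip> is-at <mac>" format.  At t=30 a fourth
# station claims both the RTU's and the PCU's addresses.
SAMPLE_ARP = """\
0.0 reply 10.1.0.50 is-at 00:11:22:00:00:50
0.1 reply 10.1.0.10 is-at 00:11:22:00:00:10
30.0 reply 10.1.0.50 is-at DE:AD:BE:EF:00:01
30.0 reply 10.1.0.10 is-at DE:AD:BE:EF:00:01
30.5 reply 10.1.0.51 is-at 00:11:22:00:00:51
"""

def parse_arp(text):
    """Parse the capture into (time, ip, mac) tuples, MACs lower-cased."""
    replies = []
    for line in text.splitlines():
        t, _reply, ip, _is_at, mac = line.split()
        replies.append((float(t), ip, mac.lower()))
    return replies

def detect_arp_spoof(replies, inventory):
    """Alerts for replies contradicting the static inventory, and for one MAC
    answering for several IPs (a station sitting between RTU and PCU)."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for t, ip, mac in replies:
        expected = inventory.get(ip)
        if expected is None:
            alerts.append(("unknown-host", ip, mac, t))
        elif mac != expected:
            alerts.append(("mac-mismatch", ip, mac, t))
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("one-mac-many-ips", mac, sorted(ips), None))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp(SAMPLE_ARP), INVENTORY):
        print(alert)
```

A static inventory is realistic on a process WAN, where RTUs and front-ends change only through engineering; detection here is a complement to, not a substitute for, authenticating and encrypting the RTU-to-SCADA traffic itself.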
Examples of Cyber Attacks: attack on protection settings
The attacker is an employee of the attacked utility, and he has access to substations and to substation engineering tools. He uses the engineering tools for the substation protection devices to set line protection parameters to default values. The default values in the protection devices are defined at such low limits that the protection devices will trip all power lines even in a normal operating state. The attack is done in a central HV/MV substation on the MV side, and it will cause a total blackout in the capital city.
CySeMoL index on the likelihood of compromising the control system: 100%
Virtual Country (1/6 of Sweden): Cost 3.7 M€; Not delivered energy 1.4 GWh; Impact Magnitude 6.4
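A periodic comparison of the settings read back from the relays against the engineered baseline catches this insider change, and a plausibility check catches the specific failure mode the slide describes: a pickup below the line's normal load, which trips the line in a normal operating state. The following is an added example, not from the slides or from any vendor tool; the parameter names pickup_A and delay_s, the line names and all values are constructed for illustration.

```python
# Constructed data for this example (not from the slides).  Parameter names
# pickup_A (overcurrent pickup) and delay_s (trip delay) are hypothetical.
FACTORY_DEFAULTS = {"pickup_A": 100.0, "delay_s": 0.1}

# Engineered settings per MV line, with each line's normal maximum load.
BASELINE = {
    "LINE-01": {"pickup_A": 1200.0, "delay_s": 0.5, "max_load_A": 800.0},
    "LINE-02": {"pickup_A": 900.0, "delay_s": 0.4, "max_load_A": 600.0},
    "LINE-03": {"pickup_A": 1500.0, "delay_s": 0.6, "max_load_A": 1000.0},
}

# Settings read back from the relays after the tampering: LINE-02 is fully
# reset to factory defaults, LINE-03 only has its pickup lowered.
READBACK = {
    "LINE-01": {"pickup_A": 1200.0, "delay_s": 0.5},
    "LINE-02": {"pickup_A": 100.0, "delay_s": 0.1},
    "LINE-03": {"pickup_A": 100.0, "delay_s": 0.6},
}


def audit_protection_settings(baseline, readback, defaults, margin=1.2):
    """Compare live relay settings with the engineered baseline.

    Findings are (device, kind, detail):
      drift                 a parameter differs from the baseline
      factory-defaults      every parameter equals the factory default
      trips-at-normal-load  pickup is below margin * max load, i.e. the relay
                            would trip the line in a normal operating state
    """
    findings = []
    for dev, eng in baseline.items():
        cur = readback.get(dev)
        if cur is None:
            findings.append((dev, "no-readback", None))
            continue
        for key in defaults:
            if cur[key] != eng[key]:
                findings.append((dev, "drift", key))
        if all(cur[k] == v for k, v in defaults.items()):
            findings.append((dev, "factory-defaults", None))
        if cur["pickup_A"] < margin * eng["max_load_A"]:
            findings.append((dev, "trips-at-normal-load", cur["pickup_A"]))
    return findings


if __name__ == "__main__":
    for finding in audit_protection_settings(BASELINE, READBACK, FACTORY_DEFAULTS):
        print(finding)
```

Because the attacker here is a legitimate user of the engineering tool, the baseline has to be kept and checked outside that tool's own access path, and a change event on a relay setting is worth an alarm in its own right.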
Examples of Cyber Attacks: attack using an Internet browser
An uninformed operator in the control room connects his workstation to the Internet during a night shift. He does this to be able to use Facebook to chat with his friends and to surf the Internet. This operator tends to accept any friend request on Facebook. The attacker uses this and asks the operator to add him as a friend. In a chat, this Facebook friend sends him a link created by the attacker. Without becoming suspicious, the operator clicks on the link and gives the attacker access to his control room workstation. The attacker is now able to connect remotely to this system, and he can open a shell with root privileges on the compromised system. From his own location the attacker is now able to open SCADA displays containing real-time information from the grid and to execute commands. He uses this to open HV breakers in the power grid, which leads to cascading events that cause a total blackout of the high voltage grid.
CySeMoL index on the likelihood of compromising the control system: 61%
Virtual Country (1/6 of Sweden): Society Cost 54 M€; Not delivered energy 20 GWh; Impact Magnitude 7,6
See this attack on YouTube: www.youtube.com/watch?v=y_ifu65fdxo&feature=youtu.be
Examples of Cyber Attacks: attack using a remote workstation
This attacker gains access to a remote workstation placed in a regional office that is directly connected to the main SCADA system. The regional office is not manned at night. The attacker uses a paper note with an operator password, found in a desk drawer, to gain access to the SCADA system and thereby obtains the authority to operate medium voltage breakers in the distribution grid. The attacker opens a 40 kV breaker in a high/medium voltage transformer station, which causes a blackout in a neighbouring rural town.
CySeMoL index on the likelihood of compromising the control system: 100%
Virtual Country (1/6 of Sweden): Society Cost 0,1 M€; Not delivered energy < 0,1 GWh; Impact Magnitude 4,8