The benefits of smart grid technologies and data-driven management are well understood. Using open protocols to control energy resources, extract information, and optimize responses can enable enormous productivity and stimulate new services. Similarly, the accumulation of data can inform better planning for a more resilient grid.
But, as explained in “The Dark Side of the Smart Grid,” the introduction of smart grid technologies exposes the grid to enormous cybersecurity risks. Also, the full benefits of a smart grid will only be realized when grid stakeholders can share information among themselves. So far, entities have been reluctant to share information, contributing to the slow adoption of these technologies. Finally, the fact that there are only rudimentary guidelines for moving ahead coherently as an industry means that we will see hit-and-miss advances that are difficult to scale.
This article will demonstrate that this state of affairs is not permanent and that technologies exist that can help the smart grid meet its full potential. Notably:
- We can illuminate the dark side and satisfactorily reduce cybersecurity and other risks.
- An open, industry-wide architecture and protocols can be designed that allow all stakeholders to benefit from information exchanges at scale.
- A scalable trust management system that can handle many kinds of entities and allow them to rely on one another and on the data they provide is possible. This system can work with all kinds of services and devices in a fully decentralized and scalable smart grid. It can also cover the various supply chains involved.
- Information can be shared freely for the common good, while allowing for individual privacy and letting entities maintain both the confidentiality and the strategic and monetary value of their data.
- Smart grid systems can be used for such applications as communicating real-time pricing signals and bid-ask declarations while working with multiple stakeholders and grid control and regulation systems. An open yet secure signaling system joined with a secure data management system can universally support these sorts of applications.
- This sort of system is not unprecedented. We can learn from the communications industry’s adoption of a signaling system that allowed both technical and business cooperation. We can benefit from understanding both the successes (there were many) and failures (one big one) of that effort. With this example in mind, we can design a signaling system for the grid based on an architecture composed of abstract elements and communication protocols that allow those elements to securely cooperate.
Opportunities in Perspective
When adding an element to the grid (such as a generator, load, storage device, or controller), it should be possible to extract the maximum utility from that element while ensuring increased overall grid stability, resilience, performance, and predictability. The element could be anywhere: in a home, power plant, factory, interconnect point, etc. A smart grid should collect various types of information from the element and provide instructions and information to it for optimization. While the details aren’t in the scope of this article, such optimization promises massive and lucrative benefits for various energy industry value-chain participants, from consumers to producers. This is especially true for power grids, which will increasingly be made up of many and varied distributed resources.
We have already seen that the current grid and other energy networks are vulnerable to cyber attacks. Increasing data communication on the grid can make matters much worse. Furthermore, the world has become hyper-connected making it practically impossible to isolate resources from communications networks. Industrial assets have been successfully attacked even when they are not connected to any network, i.e., “air-gapped.” Amassing grid information, sharing it with multiple entities, and providing remote control capabilities is inherently risky. Unless we address this issue directly and effectively, many other issues such as the social and economic dynamics of information sharing will be moot.
There is a useful parallel in the communications industry. In 1975, an architecture for information resources and control for the public switched telecommunications network (PSTN), i.e., the telephone system of the time, was introduced under the name Signaling System 7 (SS7). It provided a set of abstract elements that could be configured to create numerous services (both foreseen and unforeseen), together with a set of communication protocols.
Similar to the situation many utilities are facing today, SS7 came at a time of impending deregulation, technologies that had been in the lab were ready to be introduced into the wild, and there was great impetus to move ahead with new digital communications services internationally. One of its aims was to provide both reliability and efficiency in a system with variable load and mostly fixed (though slowly expanding) capacity. By defining a relatively small number of architectural elements (e.g., switching points, signaling points, and control points), versatile messaging protocols, and a general application layer, SS7 was adopted worldwide over the past 45 years. It is still going strong as it has moved onto the internet (see SIGTRAN) and the mobile world. It is an architecture designed for interoperability that has supported innumerable services not dreamed of in 1975, allowed large numbers of vendors to innovate and cooperate, and the industry as a whole to expand at a rapid rate.
The energy industry now has an opportunity to define a similar standardized signaling architecture appropriate for energy grids. Standards are required to overcome what ironically turned out to be SS7’s greatest weakness: security failures. SS7 was originally expected to be implemented only in private sub-networks, and strict security measures were not included. However, as the industry deregulated and as applications expanded, it became a public, interoperable resource. For example, SMS or texting originated with SS7, and the underlying messaging protocol is now used worldwide. However, SS7 continues to be a source of systematic insecurity. The stakes are much higher for smart grids as they involve physical assets whose misbehavior could be catastrophic. Knowing that, we envision an architecture for a power industry signaling system built on security and data governance principles that still enables the same kind of explosion of services that SS7 enabled.
Design Principles and Strategies
The design of a standard signaling architecture will require input from experts with experience in the energy industry. Based on many years of secure systems experience and more recent engagement with the energy industry, we offer a set of design principles and strategies that get us toward the goals enumerated above.
Model for Protected Elements
An architecture with security built in needs to provide a model for the elements that need protection. A typical element attached to the grid will have controls, state, sensor data, and other resources. Access to each of these needs to be protected. We advocate an IoT security model that requires all access to be made using security protocols designed to operate independently of the communications system. Every access to a resource or request for an action will require permissions, and these permissions are mapped to the identities of the entities that seek access. This approach effectively establishes application-level security that is network independent. It is sometimes referred to as “trustless” (a misnomer, since we still need to trust numerous mechanisms); the idea is simply not to require trust in any network. Operational guidelines and vulnerability analysis can then focus on minimizing the number of entities with which a given element needs to interact. Many devices will require low latency and high availability on a local network, so direct, trusted peer-to-peer interaction needs to be supported. Other interactions could be performed through proxies and cloud-based elements with greater and more comprehensive protection capabilities and up-to-date threat intelligence.
Digital Twins for Security
The concept of digital twin is not new, but we believe that it is an essential element of a secure systems architecture for IoT in general and especially for a grid signaling architecture. Digital twins can greatly expand the capabilities of grid devices and allow the isolation strategy described above to be carried out more effectively. Data from devices can be condensed and selectively offloaded to their twins which will have greater capabilities for processing and access. This will decrease the need for entities to access the physical device. Furthermore, device configurations can be staged with the twin and modeled and tested before actual instantiation, affording the opportunity to catch misconfiguration early and to apply much more powerful analysis tools.
Using the strategies above, our security model provides for the concept of an Explicit Private Network. Based on performance needs and interactions with a cloud-based digital twin, the Explicit Private Network limits the number of entities a given device can interact with. The digital twin interactions can happen using a highly secure and lightweight protocol that will not tax the fielded device.
This approach can allow most grid attached devices to be highly secure without having much operational security burden at all. Cloud-based services acting on the digital twins can provide security configurations with strong, up-to-date security parameters. Initial configuration, software updates, new or updated peer-to-peer security associations, backup and offloading of log data, etc. can be done via exceptionally strong security protocols based on information from the device’s twin. There should be no need for a fielded device to interact with any unauthorized entities.
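To make the model concrete, the following is an added example (not code from the article or from Intertrust) of a device-side authorization check in the spirit of the Explicit Private Network: the device holds an allow-list of peer identities with their security associations and per-resource permissions, provisioned (by assumption) from its digital twin, and decides on identity, signature and permission alone, never on which network the request arrived from. Identities, keys and resource names are constructed for the example; the shared-key HMAC stands in for whatever lightweight protocol the twin would provision.

```python
import hmac, hashlib, json

# Constructed provisioning data, as a digital twin might push to a fielded device:
# the Explicit Private Network maps each permitted peer identity to its security
# association (a shared key here) and to the actions it may take on each resource.
EXPLICIT_PRIVATE_NETWORK = {
    "meter-dso-01": {"key": b"constructed-key-1",
                     "perms": {"telemetry": {"read"}, "setpoint": {"read", "write"}}},
    "vendor-diag":  {"key": b"constructed-key-2",
                     "perms": {"telemetry": {"read"}}},
}

def canonical(fields):
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_request(identity, key, resource, action, ts, payload=None):
    """Peer side: build a request and bind every field to the peer's key."""
    req = {"id": identity, "res": resource, "act": action, "ts": ts, "payload": payload}
    req["mac"] = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    return req

def authorize(req, now, max_skew=30):
    """Device side: allow only a fresh, correctly signed request from a peer in the
    explicit private network whose permissions cover the action on the resource."""
    peer = EXPLICIT_PRIVATE_NETWORK.get(req.get("id"))
    if peer is None:
        return "deny: not in explicit private network"
    unsigned = {k: v for k, v in req.items() if k != "mac"}
    expected = hmac.new(peer["key"], canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("mac", ""))):
        return "deny: bad signature"
    if abs(now - req["ts"]) > max_skew:  # freshness only; a nonce cache would add replay protection
        return "deny: stale request"
    if req["act"] not in peer["perms"].get(req["res"], set()):
        return "deny: no permission for action on resource"
    return "allow"
```

Because the decision never consults the source address, the same check works whether the request came over a local peer-to-peer link or through a cloud proxy.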
The next strategy for an effective signaling architecture involves the use of data governance. We recommend a standard system that associates detailed permissions with data elements so that data rights can be enforced. Using policy-based data governance, we can enforce privacy policies protecting consumers, provide for confidentiality when sharing or auditing data, and help make it possible to monetize it as well. By programmatically respecting the rights of participants, this approach can give smart grid stakeholders more confidence and encourage widespread data sharing, enabling numerous applications that can increase the efficiency of grid management.
To prevent fraud and ensure proper data provenance, standards-based data authentication is an essential component of any secure signaling strategy. There are good and efficient approaches to this problem, such as the use of assertion-oriented blockchains. These, unlike transaction-oriented blockchains, are designed to use policies that can vet the credentials or characteristics of data originators and transformers, and can employ highly efficient means for both entering and validating data that energy systems analysis will depend on.
In an open, automated yet mission-critical system where actions require permissions and granting permissions requires authority, a strong public identity management system covering devices, software, and humans is required. This is especially true where a given action can have such serious consequences.
We need to employ a strategy for effective identity management that can be used throughout the industry. Choosing a single protocol and provider for establishing and verifying identity would be both futile and unwise, because the authority that controls identities needs to be specialized. Identity management has to allow for change and be able to evolve. A solution is available that uses a flexible, policy-based, fit-for-purpose approach to identity, allowing multiple purveyors of identity management solutions to participate while avoiding chaos.
Once a strong solution for data authentication and data governance is established, we can deploy a highly aggressive and comprehensive approach to system behavior logging that can help identify impending threats and failures and overall bad behavior. By logging action requests of all sorts from many parts of the grid, we will be able to much more effectively use AI classification and anomaly detection techniques to identify impending attacks and illicit behavior. The establishment of data governance and authentication is a prerequisite as data sharing and aggregation is an important part of this strategy. The AI industry has effective solutions, but the availability of good data and the willingness to share it is a major issue.
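As an added illustration (not the article's or Intertrust's code) of the kind of behavior logging this strategy enables, the block below runs a simple anomaly detector over constructed authorization-log lines of the form `<ts> <identity> <resource> <action> <decision>`: it counts write attempts and denials per identity per time window, learns a baseline from the first windows using a median/MAD threshold, and flags a later window in which one identity suddenly hammers a resource it has no permission for. Identities, windows and thresholds are assumptions for the example; a production pipeline would feed such features to proper classifiers, but authenticated, governed logs are the prerequisite either way.

```python
import statistics
from collections import Counter, defaultdict

def constructed_log():
    """Sample authorization-log lines (constructed for this example)."""
    lines = []
    for w in range(6):                       # six 60-second windows
        base = w * 60
        for i in range(2):                   # steady operator: 2 setpoint writes per window
            lines.append(f"{base + 10*i} meter-dso-01 setpoint write allow")
        lines.append(f"{base + 5} vendor-diag telemetry read allow")
        denied = 12 if w == 5 else 1         # in window 5 the vendor account starts probing
        for i in range(denied):
            lines.append(f"{base + 20 + i} vendor-diag setpoint write deny:no_permission")
    return "\n".join(lines)

def parse(log):
    """Turn log lines into (ts, identity, resource, action, decision) tuples."""
    return [(int(t), i, r, a, d) for t, i, r, a, d in
            (line.split() for line in log.strip().splitlines())]

def risky_counts(events, window=60):
    """Per identity, count write attempts and denials in each time window."""
    counts = defaultdict(Counter)
    for ts, ident, _res, act, decision in events:
        if act == "write" or decision != "allow":
            counts[ident][ts // window] += 1
    return counts

def anomalies(log, window=60, baseline_windows=5, k=3.0):
    """Flag (identity, window, count, threshold) where count exceeds median + k*MAD
    of that identity's baseline windows; MAD is floored at 1 to avoid a zero band."""
    flagged = []
    for ident, wins in risky_counts(parse(log), window).items():
        baseline = [wins.get(w, 0) for w in range(baseline_windows)]
        med = statistics.median(baseline)
        mad = statistics.median(abs(x - med) for x in baseline)
        threshold = med + k * max(mad, 1.0)
        for w in sorted(wins):
            if w >= baseline_windows and wins[w] > threshold:
                flagged.append((ident, w, wins[w], threshold))
    return flagged
```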
Comprehensive, but Simplifying, Standards Approach
The solution strategies we have described need to be revised, extended, refined, and broadly adopted throughout the industry. Standards can take a long time and involve a lot of politicking. But they don’t need to. NIST has established guidance for security in this area by enumerating threats. With the right mandate and modern protocols, secure cloud computing, and a systematic approach to system security, a community of experts can design a governed data architecture and secure signaling system for the energy industry in relatively short order. The power industry, like the communications industry, has a successful history of standards-setting. Given the imperatives of both decarbonization and securing the grid, the industry can move quickly to take advantage of this opportunity to create a secure but open architecture and signaling protocol for the smart grid.
—Dave Maher is CTO and executive vice president of Intertrust Technologies. He has more than 30 years of experience in secure computing and is responsible for research and development at Intertrust. In addition, he is currently president of Seacert Corp., a certificate authority for the Internet of Things, a developer of application security software, and co-chairman of the Marlin Trust Management Organization, which oversees the world’s only independent digital rights management ecosystem.