Author:
Herb Falk, SISCO, USA
There are differing opinions with regard to what constitutes a critical resource. Each utility will determine criticality based upon its own internal knowledge, priorities, and government mandates. One emerging utility strategy bears intense scrutiny: Smart Grids and Demand Response systems are becoming prevalent. By any definition, at the core of enabling either system is the ability to communicate with intelligent meters or gateways that can respond to utility command signals and be monitored by the utility. Applying the lessons learned, we must first identify security perimeters. In this case, the intelligent meter/gateway is the junction of two security perimeters. One perimeter needs to be established to protect utility assets and information; the other needs to protect household information and assets.
Figure 6 attempts to depict a list of high priority assets that need to be protected. Appropriately designed defenses must be constructed for each of these. Protection is required for the demand signal and communication media over which the utility issues the signal and monitors household information.
Physical Security (building a gatehouse and drawbridge): The communication media of the utility should be physically separated from the physical media used within the household. It would be even more effective if the communication media within each perimeter were different. This would make the meter a barrier between the two perimeters. If the communication media used by the utility is also used by the household to acquire information, then separation of the information carried over that shared media must also be designed.
Identity Establishment: It is undesirable to have loads shed inadvertently due to cyber attacks or testing. Therefore, the demand signal must be authenticated by the meter, and the protocol used must allow the signal to be digitally signed. Why not use challenge and response? A challenge/response mechanism is not an appropriate technology for large scale demand response systems, since thousands of meters each challenging a command would be inefficient and fraught with problems, given the bandwidth and technology constraints of demand response systems.
Access Control: The fact that a demand signal is received by the "meter" does not automatically mean that internal household loads are to be shed. The determining factors are the preferences and configuration that the household has chosen. These preferences must not be readable by, or exposed to, the utility. Ideally, the "meter" forwards the demand information to an intelligent agent within the household perimeter (i.e., not part of the actual meter). Such a defensive design creates another wall that must be breached. Within the utility perimeter, at least the permissions View, Configure, Execute, and Security would need to be granted.
Alarms and Alerting: The "meter" must have a mechanism for tracking and annunciating security issues such as non-authenticated demand signals.
Resources and Time: With thousands of "meters" participating in a demand response system, transferring new credential information is difficult, but such mechanisms need to be provided. If AES128 is used for digital signatures, it would be recommended to change utility credentials at least once every five years.
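The Identity Establishment, Access Control, Alarms and Alerting, and Resources and Time points above can be read as one data path through the meter. The following Go program is an added example, not code from the article or from SISCO, that walks that path: the utility signs a demand signal once (no challenge/response round trip), the meter verifies it against a trusted utility credential that carries an expiry so the credential can be rotated, the meter records an alert whenever a signal fails authentication, and only an agent inside the household perimeter, holding preferences the meter never sees, decides how much load is actually shed. The message format, the field names, the key identifier, the ten-minute signal lifetime and the Ed25519 choice are all assumptions made for the example; the article names none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// DemandSignal is a constructed message format (the article defines no wire format).
// The utility signs every field except the signature itself.
type DemandSignal struct {
	KeyID     string  `json:"key_id"`  // which utility credential signed the message
	IssuedAt  int64   `json:"issued_at"`
	Expires   int64   `json:"expires"` // reject stale or replayed signals after this
	ShedKW    float64 `json:"shed_kw"` // requested load reduction
	Signature []byte  `json:"sig,omitempty"`
}

// signedBytes returns the canonical bytes covered by the signature.
// Struct field order fixes the JSON field order, so the encoding is deterministic.
func (d DemandSignal) signedBytes() []byte {
	d.Signature = nil
	b, _ := json.Marshal(d)
	return b
}

// TrustedKey is a utility public key the meter accepts, with an expiry so that
// utility credentials can be rotated on a schedule.
type TrustedKey struct {
	Pub      ed25519.PublicKey
	NotAfter time.Time
}

// Meter sits at the junction of the utility and household perimeters. It
// authenticates demand signals and records alerts; it holds no household preferences.
type Meter struct {
	Keys   map[string]TrustedKey
	Alerts []string
}

func (m *Meter) alert(msg string) { m.Alerts = append(m.Alerts, msg) }

// Authenticate checks a signal with no round trip to the utility: no challenge,
// just signature verification against a trusted, unexpired credential.
func (m *Meter) Authenticate(d DemandSignal, now time.Time) error {
	k, ok := m.Keys[d.KeyID]
	switch {
	case !ok:
		m.alert("unknown utility credential " + d.KeyID)
		return errors.New("unknown key id")
	case now.After(k.NotAfter):
		m.alert("expired utility credential " + d.KeyID)
		return errors.New("expired credential")
	case now.Unix() > d.Expires:
		m.alert("stale demand signal")
		return errors.New("stale signal")
	case !ed25519.Verify(k.Pub, d.signedBytes(), d.Signature):
		m.alert("non-authenticated demand signal rejected")
		return errors.New("bad signature")
	}
	return nil
}

// HouseholdAgent lives inside the household perimeter; the utility never reads it.
type HouseholdAgent struct {
	OptIn     bool
	MaxShedKW float64
}

// Decide returns how much load the household actually sheds for an authenticated signal.
func (h HouseholdAgent) Decide(d DemandSignal) float64 {
	if !h.OptIn {
		return 0
	}
	if d.ShedKW > h.MaxShedKW {
		return h.MaxShedKW
	}
	return d.ShedKW
}

// Sign is the utility side: it issues a signed, short-lived demand signal.
func Sign(priv ed25519.PrivateKey, keyID string, shedKW float64, now time.Time) DemandSignal {
	d := DemandSignal{KeyID: keyID, IssuedAt: now.Unix(), Expires: now.Add(10 * time.Minute).Unix(), ShedKW: shedKW}
	d.Signature = ed25519.Sign(priv, d.signedBytes())
	return d
}

// Process runs the full path: authenticate at the meter, then let the household agent decide.
func Process(m *Meter, h HouseholdAgent, d DemandSignal, now time.Time) (float64, error) {
	if err := m.Authenticate(d, now); err != nil {
		return 0, err
	}
	return h.Decide(d), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Credential valid for five years, matching the rotation interval the article suggests.
	m := &Meter{Keys: map[string]TrustedKey{"utility-key-A": {Pub: pub, NotAfter: now.Add(5 * 365 * 24 * time.Hour)}}}
	h := HouseholdAgent{OptIn: true, MaxShedKW: 1.5}

	good := Sign(priv, "utility-key-A", 3.0, now)
	fmt.Println(Process(m, h, good, now)) // household caps the shed at 1.5 kW
	tampered := good
	tampered.ShedKW = 10
	fmt.Println(Process(m, h, tampered, now)) // signature no longer verifies
	fmt.Println(m.Alerts)
}
```

Two design choices follow the article directly. The meter does nothing with the requested kilowatts beyond verifying the signature; the cap and the opt-in live only in `HouseholdAgent`, so a utility-side reader of the meter learns nothing about household configuration. And because the credential is identified by `KeyID` and carries `NotAfter`, a replacement utility key can be loaded alongside the old one ahead of the rotation date and the old one simply stops verifying, which is the kind of credential-change mechanism the Resources and Time point asks for.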
Although the defensive design does not select specific technologies, the roadmap towards technology and implementation choices was derived from common-sense principles. While cyber warriors are devising defensive strategies for the future, they need to reflect upon the lessons learned from human history regarding warfare.
