Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea

of how these services are used for the power grid depend upon appropriate risk assessment and risk control. Distinct types of attacks targeting ICS and IT systems as well as different performance requirements of these systems determine a specific priority order of the security services implemented for each system. In addition, the Smart Grid trends toward the integration of the operational and business systems require a unified view of security based on risk management instead of applying the old approach of separate techniques for IT and ICS systems. A unified approach based on risk management techniques is described in [Ray 2010].

      Therefore, solutions for designing cybersecurity into the Smart Grid with the vision of surviving a cyber incident while sustaining critical energy delivery functions must be carefully engineered and require novel solutions [Hawk 2014], [Ray 2010].

      2.4.1 Forces Shaping Cybersecurity

      Cybersecurity progress requires understanding of all its aspects as a vector quantity including the forces shaping its evolution as identified in [Agresti 2010]:

       Rebranding exercise means cybersecurity is replacing information security and information assurance as the term of choice; this move promises an engagement with the public.

       Organizational imperative means that offering information assurance in cyberspace, although infeasible, might be required because of assets ownership changes in contracts and service agreements with outside parties.

       Cyberspace domain redefinition means becoming part of a virtual world that:

          Refers to the virtual environment of information and interactions between people [FERC 2009]

          Includes the physical world such as CPS and IoT [NSF 2014], [Lee 2010], [IoT], [EC‐EPoSS 2008]

       In this context, the Smart Grid and process control systems are types of CPS [CPS 2014], and smart meters and home automation are examples of the IoT applications.

       National defense priority requires securing cyberspace, which is a matter of survival for any nation; one strategy is providing new interaction models such as engaging the public and private sectors to collaborate on the protection of critical infrastructures.

Schematic illustration of the forces shaping cybersecurity.

      Source: [Agresti 2010]. © 2010, IEEE.

      Energy sector users and organizations need to succeed in understanding these forces including disturbances created by emerging technologies and trends.

      2.4.2 Smart Grid Trends

      Examples of trends that impact Smart Grid cybersecurity include the following:

       Mobile computing refers to workforce dependence on being mobile and pervasive computing that has generated several devices that assist with this mobility. Forrester Research referred to mobile computing as the empowered movement, since companies are empowering their employees with modern consumer‐oriented technologies to better serve their customers [Forrester 2010]. Due to the decreasing cost of computing and the ubiquity of smartphone usage, applications have been developed to be used in home automation to control or remotely monitor a thermostat for air conditioning or a switch for lights.

       Future Internet and its services are driven by users' needs, and new technologies enable these services. Examples of future Internet services for Smart Grid include:

          Energy consumer demand and response

          Distributed energy storage with guarantees

          Personalized energy consumer profile

          Control of consumer's appliances

       Web as ubiquitous computer refers to the convergence of mobile smart devices, cloud computing, and software as a service, which enables Web with anytime and anywhere computing capabilities [Pendyala 2009]; the applications are moving from the local PC machine to the ubiquitous computer. One issue is that users cannot keep up with frequent software updates and configuring Wi‐Fi security settings.

       Embedded systems surround us in many forms from cars to cell phones, video equipment to MP3 players, and dishwashers to home thermostats. However, security for these systems is an open and more difficult problem than security for desktop and enterprise computing. Even a washing machine can be used as a platform to launch distributed denial‐of‐service (DDoS) attacks against the public, an organization, or the government.

       Data‐intensive computing and real‐time processing of massive data streams are required by more applications. The North American electric power grid operations generate 15 terabytes of raw data per year, and estimates for analytic results from control, market, maintenance, and business operations exceed 45 Tbytes/day. As developers add new high‐resolution sensors to the grid, this data volume is increasing rapidly. Data‐intensive problems challenge conventional computing architectures with demanding CPU, memory, and I/O requirements.

       Network changes and adoption of new services are determined by the increasing amounts of data collected from sensors, home devices, and power devices, which demand reliable and faster communication networks. Profound changes are beginning to occur in public networks, data centers, and enterprise networks such as upgrades of major carrier backbones to higher data rates and the replacement of infrastructure based on old technologies for core networking/transport. Adoption of new services is facilitated by the migration to new protocols (e.g. IPv6, SIP, MIP (MIPv4, MIPv6)) and the emergence of Web services.

       Home networking, in a step toward the next‐generation unified home networking technology, enables operation over all types of in‐home wiring (phone line, power line, coaxial cable, and Cat‐5 cable) using a single transceiver with few programmable parameters to connect home devices. Thus, new threats and vulnerabilities may occur to smart meters and DER devices installed for customer energy management.

       Virtualization is being adopted as a standard for businesses, but the tools and technologies for addressing the security issues are relatively immature or not consolidated to offer sound security solutions. Although the advantages of virtualization are not disputed (examples include reductions in energy costs that are causing more organizations to consider virtual environments), the protection of a virtual computer hardware platform, OS, storage device, or computer network resources requires attention.

       Virtual organization entity is formed whenever a developer creates an application or a workflow that features autonomous services owned by multiple organizations, each of which shares some proprietary services and part of its own knowledge. However, a virtual organization introduces security concerns. For example, traditional access control methods based on the identity of each user in a virtual organization do not scale as the number of users and services increases, especially when the population of users and services is highly dynamic as in the Smart Grid environment.

       Deperimeterization is a process that causes the boundaries between systems and organizations to disappear; in this process, they become connected