Introduction to Security for Smart Grid Systems

Electric power systems are critical infrastructure on which people’s health and safety depend. Consequently, cybersecurity is a fundamental requirement for the digitalization of power systems, and it must be designed into the digitalization architecture from the beginning because it is not possible to build a secure system on an insecure foundation. This chapter discusses the basics of cybersecurity for network systems and how they apply to power systems. Cybersecurity design begins with a threat assessment: determining the trust boundaries and attack surfaces and modeling threats. Once the threat assessment is complete, the security architecture and design to prevent and mitigate attacks are developed. These are based on cryptographic primitives, such as cryptographic hashes, symmetric and asymmetric cryptosystems, and other cryptographic algorithms. The algorithms are paired with standardized protocols such as IPsec and TLS to secure communication between the different functional entities in the system. Security services such as identity and access management (IAM), public-key infrastructure (PKI), and role-based access control (RBAC) are then incorporated into the design at trust boundaries to gate access to critical data and systems. However, security technology cannot protect the system from improper use by untrained power systems personnel. Training of personnel in security best practices, and periodic refresher exercises to keep people alert, are therefore required.
