A SECURITY POLICY PROPOSAL FOR SMART GRID

Final project

INF 522 - Policy - foundation for successful information assurance

Report prepared by

Name: SWETHA KAZA | USC ID: 6077884518 | e-mail: [email protected]

TABLE OF CONTENTS

I. BACKGROUND RESEARCH - SMART GRID
   A. Information identification and classification
   B. Currently available privacy protection guidelines
II. REVIEW OF AB-1274 PRIVACY: CUSTOMER ELECTRICAL OR NATURAL GAS USAGE DATA
III. EXECUTIVE SUMMARY
   A. Threat space
   B. High level policy statements
   C. High level mechanism/Implementation
   D. Policy implementation breakdown
   E. Role based access control
   F. Access control matrix for discretionary control
IV. CONSIDERING OTHER MODELS FOR IMPLEMENTATION
V. GAPS IN THE ACCESS CONTROL POLICY
   A. Risks due to missing requirements
   B. Enhancements
   C. Recommendations
VI. CONTEMPLATING A HIGH ASSURANCE ALTERNATIVE
VII. CONCLUSION
VIII. REFERENCES

I. BACKGROUND RESEARCH - SMART GRID

Smart Grid is an evolving technology in the energy industry capable of automating the provision, collection, aggregation, maintenance (including self-healing properties) and billing of energy usage for consumers participating in the Smart Grid. This report analyzes, contrasts and details the principles, models and laws by which private data could be used securely in a Smart Grid application.

A. Information identification and classification:

The National Institute of Standards and Technology (NIST) identifies the following information as potentially available through the Smart Grid:

1. Personally identifiable information (PII) such as the name and address of the consumer using the Smart Grid services, associated with the name and address of the consumer paying the utility bills (if they are separate entities), the account number (by which the utility identifies the consumer), and SSN

2. Equipment-specific information such as the IP address associated with the meter (if any), a unique identification number for the meter (such as the device ID), and equipment vendor information

3. Network parameters of the Home Area Network (HAN) used as a gateway to connect appliances to the Smart Grid and to third-party providers

4. Service provider information pertaining to the utility supplying electricity

5. Aggregated information (seemingly anonymous) from a dedicated meter such as the reading on the meter at a given point in time, average energy consumption, the electricity bill due, and the billing and payment history

A gist of the kind of information that can be derived or extrapolated at any given point in time from the data communicated between the consumer and the service provider:

Exploited for surveillance of a suspect (by government entities or by service providers themselves):

• The time of day, duration and frequency with which particular devices are used
• A homeowner's possession and usage of certain medical equipment (and the frequency at which it might be used), possible work schedules (based on presence or absence in the household), and personal routines (shaving, showering, eating, playing video games, watching TV, vacuuming, exercising, sleeping, waking, etc.)
• The devices used in a particular portion of the household
• The whereabouts and travel time of an electric vehicle (EV), if one is used by the household
• The number of individuals dwelling in the unit, where each individual is, what he/she is doing, and whether or not the house is occupied
• Access to call detail records collected by telecommunications providers

Exploited for marketing:

• The type of appliances and generators used by a consumer, based on equipment MAC address and load signature

Exploited by outsiders:

• Information the homeowner may share on a social networking medium about the energy usage of a certain device

B. Currently available privacy protection guidelines:

There are no laws directed solely at Smart Grid security, and there are no explicit references to privacy protection in the existing U.S. electricity delivery regulations. There are, however, general U.S. privacy protection laws that could be adapted to Smart Grid data protection. These are elaborated in the NIST report [1].

Customers and service providers alike should be educated about these laws and about the importance of privacy protection. Individuals whose data is collected should be informed about the purpose of the (lawful) data collection and should be notified of any attempted or actual breach of the collected information. Individuals should also be asked for their consent when the purpose of information collection changes from the one stated earlier. The minimum necessary anonymized information should be obtained only as and when required, and this operation should be monitored and audited at all times. Policies and procedures should be updated regularly to meet the security needs for protecting personal information. All these and more are summarized in the privacy principles listed by NIST in its guidelines [1] for Smart Grid security:

The Fair Information Practice Principles (FIPPs) provide a framework and guidelines for privacy protection targeted at institutions that participate in the collection, retention and distribution of data collected using automated data systems.

The American Institute of Certified Public Accountants (AICPA)'s Generally Accepted Privacy Principles (GAPP) consist of the following privacy principles:

Management • Notice • Choice and consent • Collection • Use, retention and disposal • Access • Disclosure to third parties • Security for privacy • Quality • Monitoring and enforcement

ISO/IEC 27001 - Information security management is a security standard provided jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for systematically managing an organization's information security.

The Organization for Economic Cooperation and Development (OECD) has its own set of privacy principles, listed as follows:

Collection limitation principle • Data quality principle • Purpose specification principle • Use limitation principle • Security safeguards principle • Openness principle • Individual participation principle • Accountability principle

NIST documents its Privacy Impact Assessment (PIA) findings focused primarily on the following ten principles, to ensure secure operation of the Smart Grid:

Management and accountability • Notice and purpose • Choice and consent • Collection and scope • Use and retention • Individual access • Disclosure and limiting use • Security and safeguards • Accuracy and quality • Openness, monitoring and challenging compliance

II. REVIEW OF AB-1274 PRIVACY: CUSTOMER ELECTRICAL OR NATURAL GAS USAGE DATA

AB-1274 is targeted at protecting PII such as the name, address, account number, and electric or gas usage information stored, communicated and utilized by automated power supply entities via the advanced metering infrastructure tied to the Smart Grid. The law applies to third-party entities other than utilities that may require access to customers' PII in order to provide the services those customers want, and it encompasses the following aspects of data protection:

It requires sensitive personal data to be stored securely and protected against unauthorized access, destruction, use, modification or disclosure, and against unforeseen events such as a disaster, thereby preventing misuse of personal information. A contract between a business (utility) and a third party should ensure that the third party follows specified security procedures and standards when using the customer data shared with it. The law mandates that prior consent be obtained from the consumer before data relating to them is shared in any manner with a third party. Secure disposal of customer data (both electronic copies and paper) is required by law.

III. EXECUTIVE SUMMARY

A. Threat space:

• A threat to confidentiality exists when sensitive PII is not encrypted in storage or in transit. It also exists if strong authentication mechanisms are not in place.

• A threat to integrity occurs when the data source is not authenticated appropriately or when access control is implemented so poorly that an outsider is able to tamper with sensitive data.

• A threat to availability stems from smart meter malfunction or corruption, whether due to an internal fault or to natural phenomena. Threats that exist due to inherent, unidentified loopholes in the smart meter system may result in the system breaking. Threats may also arise from a natural disaster in which data might be exposed or rendered inaccessible.

AB-1274 addresses only the confidentiality of personally identifiable information pertaining to the customer. It does not address integrity protection or availability of information. Threats can arise from either intentional (masquerade attack, insider abuse, subversion by an outsider) or unintentional (improper disposal of collected data) disclosure of information to third parties. Once this happens, there is no guarantee that the third party will not share or use that data in unexpected ways. Threats arising from intentional disclosure of data are not addressed by AB-1274.

The policy summarized below addresses the confidentiality, integrity and availability aspects of all the sensitive data items used in the Smart Grid application.

B. High level policy statements:

Some broad policy statements have been derived from the representation of the Smart Grid [FIGURE 1] available in the NIST document [1].

FIGURE 1: Smart Grid Framework

1. Service provider (utility or third-party) information can be made publicly accessible, but unauthorized modification of this information should be prevented.

2. The following information should only be accessible to designated personnel operating on customer data on behalf of authorized entities:

a. PII such as the customer's name, address and/or the bill payer's name and address, and SSN

b. Customer account number - the unique identification number by which the service provider identifies the customer

c. Network parameters of the customer's HAN such as the (gateway) IP address, device ID and MAC address of the advanced metering infrastructure (or smart meter), network keys, etc.

d. Information communicated between the customer and the service provider at arbitrary intervals with respect to energy consumption, such as meter readings, bill amount due, billing history, payment history, information regarding any payment defaults, monitored load data, average energy consumption, etc.

The authorized entities comprise only the user of the advanced metering infrastructure, the service provider(s) and, when required, the operations team.

3. The principle of least privilege should be enforced - for example, only aggregated meter data can be viewed by the service provider unless otherwise requested for specific purposes with the user's informed consent; the minimum information (number of data parameters) should be obtained, and the frequency at which meter data is read should be kept at the bare minimum required for the efficient functioning of all entities in the Smart Grid.

4. The customer and an authorized third party (other than a retail energy provider) would only have read access to the data collected by the smart meter, whereas the service providers would have both read and write access to the collected data so that they can perform billing and, if required (with prior consent from the customer), other manipulations of the data to extract useful information from it.

5. Information shared by the utility with an authorized third party (other than a retail energy provider), after obtaining consent from the end-user, should be treated before being shared. Data should be

a. sanitized (the sensitive data cleansed out),

b. anonymized (fake data consistently substituted in place of the original data), and

c. aggregated (represented as a statistical summary).

6. The customer using AMI should have discretionary access over what information is shared, to what extent and with which entities (discretionary access is restricted to the extent that a customer can only "agree" or "disagree" to the request for consent made by the utility on behalf of a third party, within a set of constraints documented by the utility in the form of a digital contract).

7. Mandatory Access Control should dictate that authorization be obtained from a customer before his/her information is shared with a third party [every time sensitive data is set to be shared,

C. High level mechanism/Implementation:

1. Physically or digitally, there must exist a prior contract of some kind between the customer and the service provider which sets out the procedures followed for smart meter data collection, the purpose of use, and retention and disposal as per law, plus any additional terms agreed between the customer and the utility.

2. A utility must explicitly obtain authorization from the customer if the collected data is to be used for any purpose other than that stated in the contract - this is mandated by the Mandatory Access Control policy. Data (both physical documents and digitally stored information) should be retained only for as long as it is required and should be disposed of securely.

3. The energy/power usage data collected on a continuous basis should be stored in some form of hardware attached externally to or housed within the smart meter, such as an encrypted storage device, so that it can be aggregated locally before being communicated to a third party (other than a retail energy provider). This could help prevent a data breach in the case of a user's HAN being compromised.

4. The aggregated data in the storage device should be encrypted using a strong encryption mechanism [2] before being sent over a potentially dedicated short-range communication channel between the customer and the service provider. (See "Dedicated short-range communications," Wikipedia [last modified 2015, Aug 11], https://en.wikipedia.org/wiki/Dedicated_short-range_communications. Currently, this model is applicable only to the automotive industry; it remains to be explored whether such protocols could be applied to the Smart Grid.)

5. A multifactor authentication mechanism, possibly with some form of OTP [3], should be mandated for access to sensitive user information that is sent over the communication channel and stored at both ends (i.e., the customer's AMI and the service provider's database). The rules for setting a password should be stringent and must mandate a password change after regular, pre-decided periods of time.

6. Firewalls should be set up at the customer's end so that the user has knowledge of and control over data leaving the HAN through the customer-to-utility communication channel. Additionally, firewalls could be set up at the service provider's end to control what information is shared with a third party (other than a retail energy provider).

7. Reference monitor - completeness: Every access to sensitive user information at the utility's end should be mediated by an authorization mechanism and logged with a timestamp and other essential details, for identifying any attempts at unauthorized access.

8. An IDS should be implemented at the service provider's end to detect a data breach and curb it.

9. Reference monitor - verifiability: Audits should be conducted regularly to check whether the service provider is adhering to all the security procedures mandated by law and documented and agreed upon in the contract signed between the customer and the service provider; checks should also be placed on the regular update and maintenance of the privacy principles governing the operation of the Smart Grid.

10. Reference monitor - isolation: Separation of duty is key to making the system tamper proof. Thus, employees handling such sensitive data must be assigned to different stages of data processing (for example, collection, billing, payments, etc.) so that the probability of their colluding to compromise the system is minimized.

11. Training should be provided to both service providers and customers using the AMI on aspects related to security; each entity should be made aware of the choices to which it is entitled.
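Items 3 and 4 above require readings to be aggregated and encrypted before they leave the customer's premises, and reference [2] describes doing the aggregation under additively homomorphic encryption so that the collector sums encrypted readings without ever seeing an individual value. The Python block below is an added illustration written for this edit, not code from the report or from [2]: it implements the Paillier scheme with toy-sized keys, has several meters encrypt their readings, lets an untrusted aggregator combine the ciphertexts, and lets only the private-key holder (the utility) recover the total. The key size, meter names and readings are assumptions for the example.

```python
"""Paillier additive homomorphic aggregation of smart meter readings.

The aggregator (a collector or third party) multiplies ciphertexts and never
sees an individual reading; only the holder of the private key (the utility)
can decrypt, and it recovers just the sum. Key size is deliberately small
for speed; a deployment would use a 2048-bit or larger modulus.
"""
import math
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits=256):
    """Return (public, private): public = (n, n^2), private = (lam, mu)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n = p * q
        if p != q and math.gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1)        # valid exponent because gcd(n, lam) == 1
    mu = pow(lam, -1, n)           # L(g^lam mod n^2) == lam mod n when g = n + 1
    return (n, n * n), (lam, mu)


def encrypt(public, m):
    """c = g^m * r^n mod n^2 with g = n + 1, so g^m = 1 + m*n (mod n^2)."""
    n, n2 = public
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return ((1 + m * n) * pow(r, n, n2)) % n2


def decrypt(public, private, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, n2 = public
    lam, mu = private
    u = pow(c, lam, n2)
    return ((u - 1) // n * mu) % n


def add_encrypted(public, c1, c2):
    """Homomorphic addition: E(a) * E(b) mod n^2 is an encryption of a + b."""
    return (c1 * c2) % public[1]


def aggregate(public, encrypted_readings):
    """What the aggregator runs: it only ever handles ciphertexts."""
    total = encrypt(public, 0)
    for c in encrypted_readings:
        total = add_encrypted(public, total, c)
    return total


def demo():
    """Four meters (constructed sample, watt-hours for one interval)."""
    public, private = keygen()
    readings = {"meter-A": 1250, "meter-B": 830, "meter-C": 0, "meter-D": 2310}
    ciphertexts = [encrypt(public, wh) for wh in readings.values()]
    return decrypt(public, private, aggregate(public, ciphertexts)), sum(readings.values())


if __name__ == "__main__":
    print("decrypted total, true total:", demo())
```

The aggregator needs only the public key, so a compromised collector or third party learns the interval total for the group and nothing about any one household, which is the granularity the policy wants third parties to receive.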

The reference monitor for this policy, in terms of its components:

Subjects: All entities involved in the Smart Grid. These are identified in the diagram derived from the NIST document.

Objects: All information types identified in the "A. Information identification and classification" section.

Reference monitor: Monitors every subject's access, or attempt to access, objects.

Audit records: The reference monitor stores details regarding each access or attempt in log files (which are read-only).

Authorization database: Contains authentication information pertaining to employees of the service provider, the end-user, and the trusted third party; DAC authorization for identified users and groups as defined in the access control matrix; and MAC authorization stating externally binding conditions and the clearance for subjects associated with the classification of objects.

D. Policy implementation breakdown:

Appropriate management of information is required for the secure and smooth functioning of any application, including the Smart Grid. The following Mandatory Access Control (MAC) classification of information (objects) and clearances (for subjects) can be made based on sensitivity and value to the entities involved:

Public: Service provider information - information about the vendors providing the AMI and the service provider offering the utility service. This comprises things like advertisements broadcast by the vendor with broad statistics indicating the features and benefits of using AMI, which can be made available to the public.

Internal: Anonymously aggregated energy information such as meter readings, average energy consumption, billing information, payment information, payment defaults (if any), and disposal of collected information. This information is internal to the employees of the service provider and the operations team, who manage the aggregated information received from the smart meter. It can also be shared with the bulk generation facility, the transmission and distribution offices, and the markets [if requested, with user consent]. These entities are granted access only on a need-to-know basis. Each function (such as data collection, billing, payment and disposal) should be clearly demarcated and isolated from the others so that operations at the utility provider's end are tamper proof.

Confidential: Equipment-related information such as device ID, IP address, and the associated user account [for delivery of bills to the household]. This category holds the metadata that can link the aggregated data received from an AMI to the corresponding customer information, based on network parameters and device ID.

Separation of duty and anonymization: There is clear isolation between every level of clearance. For example, compare the internal and confidential data: employees who have access to internal data may simply get sets of information marked "Customer 1," "Customer 2," and so on. The order in which they are received can be tracked and linked to the location/device from which they were received at the confidential level. This way, an employee with clearance for "Internal" data would only be able to work with anonymized values required to perform data collection or billing, without knowing whose values they are, whereas employees with "Confidential" clearance would only be able to link processed data to be sent back to the customer in the form of a bill, without knowing the internal details of how the billing was done. Hence there is clear separation of duty.

Restricted: Personally identifiable information of the customer and of the entity or individual paying the utility bill (if they are different), such as name, address and account number; communication channel related information such as network keys and source and destination IP verification; and a granular breakdown of energy data formally requested from the customer for a stated purpose. This information is to be held at the highest level of secrecy. It holds personally identifiable information protected by law. Information held at the restricted level requires written consent from the customer stating the purpose for which the data is collected, the purpose for which it will be used, the entities with which it may be shared, the length of time for which it will be retained, and the manner in which it will be disposed of.

The ordering of clearance levels from higher to lower, following the "no read up" and "no write down" principle for subjects attempting to access these objects, is:

Restricted > Confidential > Internal > Public

The customer, on the other hand, at the restricted level of clearance, does not have write access to the AMI but is allowed to read details shown by the smart meter at the customer's end, and also has discretionary access over the type of data shared with a third party (discretionary access is restricted to the extent that a customer can only "agree" or "disagree" to the request for consent made by the utility on behalf of a third party, within a set of constraints documented by the utility in the form of a digital contract).

The MAC restricts the sharing of information: it does so by requesting user consent (the user must agree) every time an entity chooses to share information with another entity in the Smart Grid.

E. Role based access control:

Since the service provider employs multiple employees to manage different types of responsibilities, a role based access system would best suit such a need. The roles are: data collection team, billing team, payment processing team, back-up/information disposal team, device distribution team, grievance redressal team, technology team, higher management, and finally the end-user.

Entities not mentioned in the access control matrix, such as the bulk generation facility, transmission and distribution units, operations unit, etc., fall under the "Internal" clearance level, which can access only the aggregated energy information.

Also not explicitly mentioned in the access control matrix are government entities that might want to access such information in relation to a certain court case. The government should first obtain a subpoena (official court order) for accessing such sensitive information. Once approved, the government entity could then request the customer information from the service provider, with express consent from the customer in this regard.

F. Access control matrix for discretionary control:

The access control matrix (ACM) used here is default-deny: every access right is denied unless it is explicitly granted. Access can be granted to employees internal to the utility on a need-to-know basis. But the underlying MAC should restrict the service provider's ability to grant access to an authorized third party (other than a retail energy provider), with the condition that consent be obtained from the customer.

Legend:

Ads: Advertisements/campaigns
Averages: Average power consumption
Spikes: Any unusual behavior in the power supply
Rate: The current price per unit of power (the value changes as per government regulations and needs to be kept up to date)
R: Read access
W: Write access
S: Grant/Share
Authentication checks: Checks both user-end authentication and authentication at every level of clearance
PII: Personally Identifiable Information pertaining to the customer
Granular data: Data collected at shorter time intervals (upon receiving user consent)
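The lattice of section D (Restricted > Confidential > Internal > Public with "no read up" and "no write down"), the default-deny matrix of this section with its R/W/S rights, the consent condition on sharing with a third party, and the timestamped logging that section C (item 7) requires of the reference monitor can be exercised together in one small mediator. The following Python block is an added illustration, not part of the original report: its subjects, object names, clearances and grants are assumptions for the example (the report's own matrix is not reproduced here), and the two over-broad grants at the bottom of the matrix are deliberate, to show the MAC layer overriding a DAC grant.

```python
"""Toy reference monitor for the Smart Grid policy (added example).

Combines (1) the MAC lattice Restricted > Confidential > Internal > Public
with Bell-LaPadula "no read up" / "no write down", (2) a default-deny DAC
matrix with R (read), W (write) and S (grant/share) rights, (3) the rule that
S to a third party needs the customer's prior consent, and (4) an append-only
audit record for every mediated access (complete mediation). Subjects,
objects and grants are illustrative, not the report's own matrix.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

# Object classifications taken from section III.D of the report.
OBJECT_CLASS = {
    "ads": "Public", "rate": "Public",
    "averages": "Internal", "spikes": "Internal",
    "device_id": "Confidential",
    "pii": "Restricted", "granular_data": "Restricted",
}

# Subject clearances (assumed for illustration).
CLEARANCE = {
    "billing_team": "Internal",
    "device_distribution_team": "Confidential",
    "grievance_team": "Restricted",
    "customer_42": "Restricted",
    "third_party_x": "Internal",
}
THIRD_PARTIES = {"third_party_x"}

# Default-deny DAC matrix: (subject, object) -> rights. Absent pairs are denied.
# The last two entries are deliberately over-broad grants that the MAC layer
# must override, to show that a DAC grant alone is not the final word.
ACM = {
    ("billing_team", "averages"): {"R", "W"},
    ("billing_team", "rate"): {"R"},
    ("device_distribution_team", "device_id"): {"R", "W"},
    ("grievance_team", "pii"): {"R", "S"},
    ("grievance_team", "averages"): {"R", "S"},
    ("customer_42", "pii"): {"R"},
    ("customer_42", "granular_data"): {"R"},
    ("third_party_x", "averages"): {"R"},
    ("third_party_x", "granular_data"): {"R"},   # read up: MAC denies
    ("grievance_team", "ads"): {"R", "W"},        # write down: MAC denies
}


@dataclass
class ReferenceMonitor:
    consents: set = field(default_factory=set)   # (customer, object, third party)
    audit: list = field(default_factory=list)    # append-only log of every decision

    def grant_consent(self, customer, obj, third_party):
        """The customer agrees (their DAC choice) to one object going to one third party."""
        self.consents.add((customer, obj, third_party))

    def _decide(self, allow, reason, **ctx):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "decision": "ALLOW" if allow else "DENY",
                           "reason": reason, **ctx})
        return allow

    def check(self, subject, right, obj, target=None, owner=None):
        """Mediate one access; True only if DAC, MAC and consent all pass."""
        ctx = dict(subject=subject, right=right, obj=obj, target=target)
        if right not in ACM.get((subject, obj), set()):
            return self._decide(False, "not granted in ACM (default deny)", **ctx)
        s = LEVELS[CLEARANCE.get(subject, "Public")]
        o = LEVELS[OBJECT_CLASS[obj]]
        if right == "R" and s < o:
            return self._decide(False, "no read up", **ctx)
        if right == "W" and s > o:
            return self._decide(False, "no write down", **ctx)
        if right == "S":
            if LEVELS[CLEARANCE.get(target, "Public")] < o:
                return self._decide(False, "receiver not cleared for object", **ctx)
            if target in THIRD_PARTIES and (owner, obj, target) not in self.consents:
                return self._decide(False, "no customer consent for third-party share", **ctx)
        return self._decide(True, "ok", **ctx)


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.check("grievance_team", "S", "averages", target="third_party_x", owner="customer_42")
    rm.grant_consent("customer_42", "averages", "third_party_x")
    rm.check("grievance_team", "S", "averages", target="third_party_x", owner="customer_42")
    for entry in rm.audit:
        print(entry["decision"], entry["reason"], entry["subject"], entry["obj"])
```

Note that consent alone does not unlock Restricted objects for an Internal-cleared third party: the receiver's clearance is checked before the consent record, which is how the "sanitize, anonymize, aggregate before sharing" rule of section B item 5 is enforced mechanically rather than by trust.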

Note: In order to protect the confidentiality of sensitive user information, back-ups of data should be made with k-anonymity and l-diversity in mind (the contents of collected information should be anonymized such that both the k-anonymity and the l-diversity values are high). See "k-anonymity," Wikipedia [last updated 2015, Jul 15], https://en.wikipedia.org/wiki/K-anonymity, and "l-diversity," Wikipedia [last updated 2015, Aug 13], https://en.wikipedia.org/wiki/L-diversity.
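The note above (and the back-up enhancement in section V.B) asks that backups be anonymized so that k-anonymity and l-diversity are both high. The Python block below is an added example, not code from the report: it measures both values over a constructed sample backup whose quasi-identifiers are zip code, meter model and month, shows one generalization step and one suppression step, and gates the backup on policy thresholds. The column names, sample rows and thresholds are assumptions for the example.

```python
"""k-anonymity and l-diversity checks for an anonymized backup table.

Rows are grouped by their quasi-identifiers (attributes an outsider could
link to a household); k is the size of the smallest group and l is the
fewest distinct sensitive values in any group. A backup passes only if both
meet the policy thresholds; otherwise the quasi-identifiers are generalized
further or the small groups are suppressed. Records are constructed.
"""
from collections import defaultdict

QUASI = ("zip", "model", "month")      # quasi-identifiers kept in the backup
SENSITIVE = "profile"                  # the value we do not want linked to a person

# Constructed sample of an anonymized backup: names and account numbers
# already removed, one row per household per month.
RAW = [
    {"zip": "90007", "model": "SM-200", "month": "2015-07", "profile": "night-heavy"},
    {"zip": "90007", "model": "SM-200", "month": "2015-07", "profile": "day-heavy"},
    {"zip": "90089", "model": "SM-200", "month": "2015-07", "profile": "night-heavy"},
    {"zip": "90089", "model": "SM-210", "month": "2015-07", "profile": "night-heavy"},
    {"zip": "90012", "model": "SM-210", "month": "2015-07", "profile": "flat"},
    {"zip": "90012", "model": "SM-210", "month": "2015-07", "profile": "flat"},
]


def equivalence_classes(rows, quasi=QUASI):
    """Group rows that share the same quasi-identifier tuple."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in quasi)].append(row)
    return classes


def k_anonymity(rows, quasi=QUASI):
    """Size of the smallest equivalence class (0 for an empty table)."""
    return min((len(c) for c in equivalence_classes(rows, quasi).values()), default=0)


def l_diversity(rows, sensitive=SENSITIVE, quasi=QUASI):
    """Fewest distinct sensitive values in any class; 1 means a homogeneity
    attack works because everyone in that class shares the value."""
    return min((len({r[sensitive] for r in c})
                for c in equivalence_classes(rows, quasi).values()), default=0)


def generalize_zip(rows, digits=3):
    """One generalization step: keep only the leading digits of the zip code."""
    return [dict(row, zip=row["zip"][:digits]) for row in rows]


def suppress_small_classes(rows, k, quasi=QUASI):
    """Alternative to generalization: drop every row in a class smaller than k."""
    return [r for c in equivalence_classes(rows, quasi).values() if len(c) >= k for r in c]


def safe_to_back_up(rows, k_min, l_min):
    """Policy gate: both thresholds must hold before the backup is written."""
    return k_anonymity(rows) >= k_min and l_diversity(rows) >= l_min


if __name__ == "__main__":
    print("raw table: k =", k_anonymity(RAW), "l =", l_diversity(RAW))
    coarse = generalize_zip(RAW)
    print("zip generalized: k =", k_anonymity(coarse), "l =", l_diversity(coarse))
```

The sample shows why the note asks for both values: the two "90012" households already form a class of size 2, but both have the same load profile, so anyone who knows a household is in that class learns its profile regardless of k. Generalizing the zip code to three digits merges the classes and raises l as well.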

IV. CONSIDERING OTHER MODELS FOR IMPLEMENTATION

The Smart Grid is network based, so the partitioned TCB method can be used to ensure that the policy is implemented correctly: the Smart Grid network is divided into components and each policy subset is implemented correctly in its particular network component, so that the complete policy is enforced by all the network components together. This model would give us the flexibility of implementing locally autonomous reference monitors for each domain. Also, since each component's subjects would only communicate with subjects of the same clearance level on the other component, there would be no need for discretionary access control in such a model.

V. GAPS IN THE ACCESS CONTROL POLICY

A. Risks due to missing requirements:

• Damage to a customer due to willful violation of private data will cost the service provider a fine of $500 and a greater loss of reputation; the violation could happen as the result of insider abuse (an employee of the service provider misuses customer information)
• Phishing - by posing as a government entity or a legitimate third party - to obtain authentication information. This can lead to the system being subverted
• Availability of data should be ensured at all times
• There is no way to check whether the service providers are indeed using the customer information for the purposes stated in their initial agreements
• There is no check on whether a given set of information has been disposed of after the period agreed in a contract
• The issue of covert channels for communication has not been addressed

B. Enhancements:

• Background checks should be performed on individuals employed by the service provider
• Training should be provided to employees regarding phishing, and employees must be asked to report such e-mails to higher management immediately
• Because storing information for a longer period of time can cause a lapse in security, information should be backed up in an aggregated and anonymized form (following the principles of k-anonymity)
• The law should mandate audits to perform regular checks on whether service providers are using customer information for the stated purpose
• The date (or frequency) for data disposal could be automated (or programmed through the meter) while setting up the AMI for a particular user. The date could later be modified with user consent if it requires an extension of some kind

C. Recommendations:

1. Notify the customer of an attempted data breach

The customer should be notified of an attempted data breach at the service provider's end and asked to make the necessary changes on the authentication front.

2. Notify the customer of an actual data breach

The customer should be notified of an actual data breach at the service provider's end and told whether his/her data has been compromised, so that the customer can make an informed decision.

3. Smart meters should be graded based on the security features offered in the product and the privacy protection policies effectively implemented by them, so that customers can make an informed decision about using a product.

4. There should be a method to communicate

General notes

Entities manufacturing Smart Grid equipment should be audited for the implementation of stringent security protection features in their products; i.e., a security assessment of the product should be mandated before its distribution in the market. Documented security policies should be mandated, and their implementation audited regularly, for third-party providers interested in targeting Smart Grid consumers.

VI. CONTEMPLATING A HIGH ASSURANCE ALTERNATIVE

The foundation of high assurance is a Trusted Computing Base (TCB), where the security perimeter is treated as the TCB boundary: inside it every entity is trustworthy, and outside it everything is untrusted. Multics was a relatively penetration-resistant TCB based on a formal security policy model, which employed stringent configuration management constraints for administrator and operator functions in the system. It had a mechanism to audit covert channels (which was stated as a risk in our current system).

High assurance is possible when systems are not connected to a network. In the case of a Smart Grid, a "trusted path" between the customer and the service provider, or between any two entities in the grid, cannot be guaranteed, and implementing such a "trusted path" is highly expensive.

Multics was based on the Bell-LaPadula model, which works on the principle of "no read up" and "no write down." Although this is conceptually great for protecting data confidentiality, a system based on such a design is useless today, since it does not allow higher-level processes to issue commands to run lower-level processes.

The Multics system was also based on the security of a kernel that was not as complex as the ones we deploy today. As the complexity of the kernel increases, the reference monitor becomes harder to implement and its security becomes much harder to prove.

Thus, not much value can be obtained from implementing a high assurance system for the Smart Grid.

VII. CONCLUSION

Smart Grid is no doubt paving the way to great bounds of innovation in the electricity sector. It is designed to bring convenience not just to the consumer but also to the service provider in more ways than one. But ensuring the security of the data circulated in such a system is vital to the growth of such an invention. With its wide acceptance and more laws introduced to specifically address this goal, Smart Grid is here to stay.

VIII. REFERENCES

[1] National Institute of Standards and Technology (NIST). "Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid." Guideline, August 2010.

[2] Li, Fengjun, Bo Luo, and Peng Liu. "Secure information aggregation for smart grids using homomorphic encryption." Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on. IEEE, 2010.

[3] Li, Depeng, et al. "Efficient authentication scheme for data aggregation in smart grid with fault tolerance and fault diagnosis." Innovative Smart Grid Technologies (ISGT), 2012 IEEE PES. IEEE, 2012.

[4] Chopra, Aneesh, and Vivek Kundra. "A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future." 2011.