Cyber Security Research & Development · 01-02-2017 · Nuclear Energy Optimization...

www.inl.gov February 2017 Kenneth Rohde Cyber Security Research & Development Smart Cities Transportation Workshop


Page 1

www.inl.gov

February 2017

Kenneth Rohde

Cyber Security Research & Development

Smart Cities Transportation Workshop

Page 2

The Idaho National Laboratory

[Timeline graphic. Dates shown: 1949, 1974, 1997, 2005, 2015. Labels shown: National Reactor Testing Station; Energy Mission – Reactor Science, Safety and Sustainability; Environmental Management Mission; INEEL & ANL-W combined to create the new Idaho National Laboratory; Nuclear Energy Optimization; Infrastructure Protection; Clean Energy Demonstration; Solutions. Mission areas shown: Energy and Environment; Nuclear Energy; National and Homeland Security.]

Page 3

INL’s Position Today – Nationally

• One of 10 DOE multi-program labs

• DOE’s designated lead lab for nuclear energy research, development and demonstration

• A major contributor in national and homeland security, alternate and renewable energy and science and technology

• 890 sq. miles

• 4000+ staff

Page 4

Industry Focused Infrastructure Protection

Providing owners and operators testing results and information…

Applied laboratory with strong “Build-Test-Build” culture

Several full-scale and interconnected infrastructure test beds

Infrastructure operations and management expertise

Industry interface and experience

…to manage the risk and head off tomorrow’s problem.

Page 5

Department of Energy Cybersecurity for Energy Delivery Systems

National SCADA Test Bed

• Assessments

• Research and Development

• Training and outreach

• Subject matter experts

Page 6

Objectives

• Create secure CS environments that improve the security posture of our nation’s critical infrastructure.

Capabilities

• Fully functional SCADA systems and Energy Management Systems (EMS)

• Fully functional Distributed Control Systems (DCS)

• Safety systems and protective components

• Real world configurations and consequence testing

• Ability to generate CS data traffic

• Vendor and asset owner partnerships

– Large SCADA/EMS systems

– On-site assessments

Working Relationships With Global Vendors

Page 7

General Assessment Process

• An assessment is not a validation or certification

• Collaborative work with vendors and industry to help improve the security of their products

– Work is performed under Cooperative Research and Development Agreements (CRADA) or Non-disclosure Agreements (NDA)

• Cyclical work over a long period (years) to allow improvements to be further tested as the product(s) evolve

• Work is focused to find problems with portions of the system the vendor can improve (i.e. we don’t worry about vulnerable versions of an OS)

• Laboratory and on-site (deployed systems)

Page 8

Department of Energy Vehicle Technologies Office

Electric Vehicle Infrastructure Laboratory

Evaluate Conductive and Wireless Charging Systems

• System Efficiency

• EM-field emissions

• Power quality

o Total harmonic distortion

o Power factor

o Transient response

• Cyber security assessment

o Communications security

• Wired and wireless

o Software and firmware

• Wide range of input power

o 120 VAC, 208 / 240 VAC, 480 VAC 3 phase

o 400 kVA total capability

• Grid Emulator (60 kVA) enables the evaluation of charging infrastructure performance and response during transient grid events

Page 9

Smart Grid EVSE Assessments (2013)

• Five prototype EVSE units tested in 24 months

• These units are “smart-grid” enabled

• Each was evaluated for cyber security issues

– Remote compromise

– Unauthorized access and control

– Firmware modifications

– Potential impact on the Energy Grid

• Issues were reported to the vendor to help secure the product before it is commercialized

Page 10

Common EVSE Issues

• Lack of secure web development practices

• Lack of physical security practices

– Reverse engineering

– Unauthorized network access

• Remote accessibility via the internet

• Weak authentication and authorization

Page 11

CAN Bus Security (2013)

Hacker

Page 12

CAN Bus Security

• Remote CAN Bus Network access

– Determine the external vulnerability exposure by exploiting the wireless communication links

• TPMS

• Bluetooth

• 802.11

• GSM/LTE

• Vehicle to Vehicle

Page 13

Vehicle-to-Infrastructure (2015)

• Research focusing on the cyber security of the interconnectivity between vehicles, charging stations, and the Energy Grid

• Lots of potential for research, but very little technology available

Page 14

Plug-in Electric Vehicle Potential Problems

• Potential for overcharging the large lithium batteries since the PEV is negotiating with the charger

– Demands a variable charging rate

– Notifies when to stop

• This communication is done over CAN Bus or Power Line Carrier (PLC)

• What are the implications for Critical Infrastructure?

• Procured a DC Level-2 Fast Charger (DCFC) with both a CHAdeMO and a SAE J1772-Combo cordset

Page 15

Lab Environment

• The actual hardware…

Page 16

Virtual Environment

• For exploit development and testing…

Page 17

Attack Pathway

• Compromised PEV infects DCFC and vice versa

Page 18

Status of Exploit Development

1. PEV Charge Module

2. DCFC Vehicle Controllers

3. DCFC Local Server

Page 19

Status of Exploit Development

1. PEV Charge Module

– Successful removal of microcontroller from communications board

– Successful extraction of firmware

• Reverse engineering ECU firmware is painful

2. DCFC Vehicle Controllers

– Successful extraction of firmware

– Successful reflash of factory firmware via CAN from the Local Server

3. DCFC Local Server

– Successful extraction of flash memory

• Running Ubuntu Linux 12.0.4 LTS

– All factory firmware located in the file system

Page 20

DOE Grid Modernization Laboratory Consortium

• DOE Vehicle Technology Office funded a 3-year effort to develop a framework for exchanging security information between electric vehicles, charging stations, and a building energy system

– Collaborative work with ANL, NREL, and PNNL

• Initial project work includes a cyber security assessment of 2 commercial AC Level-2 EVSE units

– The identified cyber security issues will be used later to demonstrate project functionality

• INL is developing a set of Diagnostic Security Modules (DSMs) that will be integrated with the PEVs, EVSEs, and the Building Energy Management System (BEMS)

– This functionality will someday be implemented directly in the target system hardware

• The DSM framework will allow a BEMS operator to intelligently decide if a PEV or EVSE is allowed to operate in the building infrastructure by notifying the operator of any cyber security issues detected in a PEV or EVSE

• The system will later be tested in a large scale EV lab environment by a “red team”

Page 21

Diagnostic Security Module Framework (2016)

Page 22

Year 1 Efforts

• Procurement of 2 AC Level-2 EVSE

– ChargePoint

– SemaConnect

• Prototyping DSM hardware to integrate with EVSE and PEV

• Subcontracting with the University of Louisiana-Lafayette

– Support with coordination of efforts with community

– Experts in informatics and data exchange

• Installation of EVSE in INL lab space and begin the cyber security assessments

• Initial integration of DSMs with a PEV and EVSE

Page 23

Year 2 Efforts

• Completion of cyber security assessments

– Reports delivered to ChargePoint and SemaConnect

– Potential for NDAs with the EVSE vendors

• DSMs integrated with EVSEs and PEV at INL

• Cyber health methods (fingerprint) developed for EVSE and PEV

• Initial BEMS functionality developed

[Diagram: three DSM nodes and the Building Energy Management System]

Page 24

Year 3 Efforts

• Installation of DSM framework at partner laboratory

• DSM environment functioning with multiple EVSE and PEV

• Red vs. Blue (penetration) testing of DSM framework environment

• Methods and algorithms for systems monitoring published

• Security exchange protocol published to standards bodies (e.g. SEP 2.0, SAE J2931/7)

[Diagram: seven DSM nodes and the Building Energy Management System]

Page 25

University of Louisiana at Lafayette

Informatics Research Institute

University Research Division

“The Informatics Research Institute (IRI) conducts research in data science to unleash the potential of Big Data for the benefit of society in such areas as health, crisis response, community resiliency, and smart and connected community.”

Center for Visual & Decision Informatics

National Science Foundation

Established in 2012, CVDI works in partnership with government, industry, and academia to develop the next-generation visual and decision support tools and techniques that enable decision-makers to significantly improve the way their organization’s information is organized and interpreted.

Page 26

Questions?

Kenneth Rohde

(208) 526-0672

[email protected]

More Information:

https://energy.gov/under-secretary-science-and-energy/grid-modernization-initiative

https://energy.gov/under-secretary-science-and-energy/grid-modernization-lab-consortium

https://energy.gov/oe/services/technology-development/cybersecurity-for-energy-delivery-systems

https://informaticsinstitute.louisiana.edu/

http://nsfcvdi.org/wordpress/

http://www.inl.gov