
    High Assurance Smart Grid

    Thomas M. Overman, CISSP, ISSMP, PMP

    Chief Architect, Boeing Energy Cyber Security

    Boeing Defense, Space and Security

    884 Hermosa Ct.

    Sunnyvale, CA [email protected]

    Ronald W. Sackman

    Chief Network Architect, Applied Network Solutions

    Boeing Defense, Space and Security

    884 Hermosa Ct.

    Sunnyvale, CA [email protected]

    Terry L. Davis, P.E.

    Technical Fellow, Airplane Systems

    Boeing Commercial Airplanes

    3003 West Casino Road

    Everett, WA [email protected]

    Abstract: As electrical grids evolve through the introduction of additional smart sensors and actuators, cyber security becomes an even more significant factor. Information Assurance controls must be implemented throughout the grid, from large scale power generating facilities, through transmission and distribution systems, to Building Management Systems (BMS) & Home Area Networks (HAN). A precursor to determining the appropriate controls for any particular device is to determine the trust model within which these devices exist. This paper sets out to define a multi-level framework for a trust model to be used throughout the electrical grid. The model is based on two core principles: categorize cyber security requirements based on a subsystem's potential impact on the overall grid; and implement controls based on an assumed compromise of adjacent subsystems.

    From a Smart Grid Cyber Security perspective, rather than attempting to create an all encompassing enclave of trust, this model suggests that systems should be designed in ways which expect compromise of adjacent systems. An expansive sphere of implied trust will inevitably lead to an expansive sphere of vulnerability. Having an expectation of compromise, of a lack of trust, would be preferable as it will require subsystems to implement independent, rather than dependent, cyber security controls.

    Keywords: Smart Grid; Trust Model; Standards; Cyber Security; Information Assurance

    Copyright Statement:

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

    CSIIRW '10, April 21-23, Oak Ridge, Tennessee, USA

    Copyright 2010 ACM 978-1-4503-0017-9 ... $5.00

    I. INTRODUCTION

    The electrical grid encompasses everything from power generation to transmission and distribution systems, and the electrical loads connected to the system. It also includes both centralized and distributed power generation and storage systems which vary in scale by several orders of magnitude. This grid can be viewed as a networked system of systems, with literally millions of nodes. For many years there have been reports of cyber security vulnerabilities being identified and exploited within the grid. As the implementation of additional electronic sensors and actuators becomes more pervasive over the coming decades, implementing appropriate cyber security controls will become even more critical to the overall health of the system.

    In such an extensive and diverse system of systems, it is neither possible nor necessary to establish peer trust relationships between every device in the system. For example, a home water heater and a transmission substation actuator have very different impact on the overall grid. Over the past two decades the aviation industry has been addressing security of integrated sensors and actuators made by several vendors and integrated into a single system.

    The model proposed here is based to some extent on the model used in the aviation industry for categorizing various control sub-systems by their criticality to the overall system (the airplane) [1]. The model defines three categories, based on the impact of a sub-system failure (catastrophic, major and minor impact) to the regional grid. The initial guidance shown in [1] gives three levels of sub-system impact:

    1. Level A
    2. Level B
    3. Level C

    Aviation also defines Levels D and E, which have lower levels of impact. These may be applicable for uses like some system metering needs, some industrial metering, and home metering.

    The second principle to be taken from [1] is the concept of fail safe operation. Avionics systems must be designed in ways which expect failure of adjacent systems. From a Smart Grid Cyber Security perspective, rather than attempting to create an all encompassing enclave of trust, this model suggests that systems should be designed in ways which expect compromise (whether through system failure, user error, or malicious activity) of adjacent systems. An expansive sphere of implied trust will inevitably lead to an expansive sphere of vulnerability. Having an expectation of compromise, of a lack of trust, would be preferable as it will require subsystems to implement independent, rather than dependent, cyber security controls.
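
    An added illustration of the two principles above, not code from the paper: it gives each subsystem an impact level and a flag for independent controls, then computes how far a compromise spreads over implied trust. The subsystem names, the topology and the pairing of Levels A to C with catastrophic, major and minor impact are assumptions of this example.

```python
from collections import deque

# Levels A-C paired with the paper's impact categories in the order the text
# lists them; that pairing is an assumption of this example.
IMPACT = {"A": "catastrophic", "B": "major", "C": "minor"}

def sphere_of_compromise(subsystems, links, start):
    """Subsystems reached from a compromised `start` over implied trust.

    A link (sender, receiver) propagates compromise only when the receiver
    has no independent controls, i.e. it accepts the sender's input as-is.
    """
    reached, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for sender, receiver in links:
            if (sender == node and receiver not in reached
                    and not subsystems[receiver]["independent"]):
                reached.add(receiver)
                queue.append(receiver)
    return reached

def worst_impact(subsystems, reached):
    """Most severe impact category among the reached subsystems."""
    return IMPACT[min(subsystems[n]["level"] for n in reached)]

def implied_trust_links(subsystems, links):
    """Links where a more critical receiver trusts a less critical sender."""
    return [(s, r) for s, r in links
            if subsystems[r]["level"] < subsystems[s]["level"]
            and not subsystems[r]["independent"]]

# Constructed topology with hypothetical names, not taken from the paper.
GRID = {
    "home_water_heater":   {"level": "C", "independent": False},
    "smart_meter":         {"level": "C", "independent": False},
    "distribution_ctrl":   {"level": "B", "independent": False},
    "substation_actuator": {"level": "A", "independent": False},
}
LINKS = [("home_water_heater", "smart_meter"),
         ("smart_meter", "distribution_ctrl"),
         ("distribution_ctrl", "substation_actuator")]

if __name__ == "__main__":
    flat = sphere_of_compromise(GRID, LINKS, "home_water_heater")
    print(sorted(flat), worst_impact(GRID, flat))
    # Same grid, but the Level B controller validates its inputs itself.
    hardened = {**GRID, "distribution_ctrl": {"level": "B", "independent": True}}
    cut = sphere_of_compromise(hardened, LINKS, "home_water_heater")
    print(sorted(cut), worst_impact(hardened, cut))
```

    With every subsystem relying on its neighbour, a compromised home device reaches the Level A actuator; giving the Level B controller independent controls stops the spread at the meter.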

    I. REFERENCES

    [1] Federal Aviation Administration Advisory Circular AC-25.1309-1A, 21-June-1988.

    Additional references in full paper to be published at a later date.