smart grid projects and ciber security in brazil conference
TRANSCRIPT
Smart Grid Projects, Privacy
and Smart Meters Security
Assessment in the Brazilian
Scenario
José Reynaldo Formigoni Filho, MSc
Information and Communication Security Technology Manager
CPqD Foundation
Moacir Giansante
Supply Chain Director - Aptel
Agenda
• Introduction: Brazilian Electric Sector
• Brazilian smart grid projects
• Privacy in smart grid
• Security assessment for smart meters
• Concluding remarks
Board of Trustees
Executive Board
Audit Committee
R&D Forum
Private Foundation
"Private company without shareholders"
Surplus reinvested
Corporate Governance
2015 Revenue:
US$ 100 mi
Total: 1300
Main R&D areas
Comunicações
Ópticas
Optical
Communications
Comunicações
ÓpticasIP Platforms
Comunicações
Ópticas
Business and
Operations
Support Systems
Communication
and Information
Security
Comunicações
Ópticas
Sensor
Technologies
and Networks
Comunicações
Ópticas
Services,
Applications,
Terminals and
Digital Inclusion
Comunicações
Ópticas
Decision
Management
Mobile
Communications
and Wireless
Networks
Smart
Grid
Aptel
• Aptel is an non profit association of utilities (electricity,
oil, gas, railways and highways) which manage critical
telecommunication systems for their core business.
Agenda
• Introduction: Brazilian Electric Sector
• Smart grid projects in Brazil
• Privacy in smart grid
• Security assessment for smart meters
• Concluding remarks
Brazilian Electric Sector
• Population: ~204 mi
• Attendance extension: superior to
98% of the population
• Number of consumer units: 75 mi
• Regulated consumption: 463.335
GWh
• Per capta consumption: 2.557
KWh/year
Brazilian Electric Sector
• The Electric System National
Operator is an entity of private right,
responsible for coordinating and
controlling the operation of
generation and transmission facilities
in the National interconnected
Power System (NIPS)
• Under supervision and regulation of
the Electric Energy National
Agency (ANEEL).
Brazilian Electric Sector
• Generation companies: 146
• Distribution companies: 55
• Transmission companies: 104
Brazilian Eletric Energy Matrix and Capacity
89.385
37.821
1.990 5.139
POWER (MW) - TOTAL CAPACITY 134,3 GW
Hidroeletric Thermoeletric Thermonuclear Wind
67%
28%
Agenda
• Introduction
• Smart grid projects in Brazil
• Privacy in smart grid
• Security assessment for smart meters
• Concluding remarks
Public policies to encourage Smart Grid
Projects: Aneel R&D Fund
• The electric power distribution, generation and
transmission should apply a minimum percent of
their net operating income every year in the R&D
Program for the Electric Power Sector;
• Aneel establishes guidelines and instructions
that regulate the elaboration of R&D projects
• The percentages to be invested from the net
operating income:
Segment %
Distribution 0,20%
Generation 0,40%
Transmission 0,40%
Public policies to encourage R&D investments
- Aneel R&D Fund
Year Number of projects Value (US$ mi)
2009 226 154,50
2010 569 821,59
2011 462 500,00
2012 489 769,23
2013 180 348,84
Total 1926 2.594,16
* Aneel – Relatórios de Gestão do Exercício 2009-2013
Innovate National Energy Plan• Sponsors:
• Aneel
• BNDS (Brazilian Development Bank)
• FINEP (Financier of Studies and Projects – state institution)
• One of the main subjects: Support the development and diffusion of
electronic, microelectronic devices, systems, integrated solutions and
standards for implementation of smart grids in Brazil.
• Total value: US$ 1,1 bi (from 2013 to 2017), only US$ 44 mi is 100%
subsidy
• Beneficiaries: power companies, suppliers of equipment and systems and
R&D centers
• 59 projects were approved in the first phase
Brazilian Smart Grid Projects*
• Total of power companies involved in SG projects:
• Generation: 21
• Transmission: 7
• Distribution: 34
• Number of projects: 273 from 2008 to 2013
• Total of investment: ~US$ 575 mi
• The 10 most important projects:
* Mapeamento da Cadeia Fornecedora de TIC e de seus produtos e Serviços para Rede Elétricas Inteligentes – ABDI – julho 2014
Brazilian Smart Grid Projects *
• Smart Grid sub-areas:• AMI – Advanced Metering Infrastructure
• DA – Distributed Authomation
• DG - Distributed Generation
• Telecom
• IT – Information Technology
• IB – Intelligent Building
• Smart Grid areas:• DSD - Distributed Storage Systems and
Batteries
• EVH - Electric vehicles, hybrids and loading
systems
• CMS – Customer Management System
• DEMO – Pilot Projects
• Others
AMI DA DG DSD EVH Telecom TI IB CSM Others
Quant. of projects Quant. of companies
* Mapeamento da Cadeia Fornecedora de TIC e de seus produtos e Serviços para Rede Elétricas Inteligentes – ABDI – julho 2014
Brazilian Smart Grid Projects – suppliers at
power companies*
Suppliers
Qu
an
t. o
fp
ow
er
co
mp
anie
s
* Mapeamento da Cadeia Fornecedora de TIC e de seus produtos e Serviços para Rede Elétricas Inteligentes – ABDI – julho 2014
Brazilian Smart Grid Projects – Universities
and R&D centers at power companies*
Qu
an
t. o
fp
ow
er
co
mp
anie
s
* Mapeamento da Cadeia Fornecedora de TIC e de seus produtos e Serviços para Rede Elétricas Inteligentes – ABDI – julho 2014
Brazilian Smart Grid Projects*
• Information security is not a priority in the
Brazilian smart grid projects
• Less than 10 projects have considered
Information Security (IS) activities
• Only one project is 100% focused in
Information Security
Agenda
• Introduction
• Smart grid projects in Brazil
• Privacy in smart grid
• Security assessment for smart meters
• Concluding remarks
Cemig Smart Meter Project
• Power company: CEMIG
• An open capital company
controlled by the Government
of the State of Minas Gerais
• Cemig is responsible for
supplying nearly 33 million
people in 805 municipalities in
the states of Minas Gerais and
Rio de Janeiro (including Light),
and for the management of the
largest electric energy
distribution network in South
America
• Name: Cities of the Future
• Budget: US$ 20 mi
• City: Sete Lagoas
• Number of consumer units: 5000
• Duration: 2011 - 2014
Cemig Smart Meter Project
Technological scope• Measurement of consumption
of the Consumer Units
• Distributed Automation
• Distributed Generation
• Telecommunication
• Information technology
• Georeferencing
Strategical scope• Regulatory
• Communication and
Relationships with
Consumers
• Privacy
• Process
• Indicators and Metrics.
Cemig Smart Meter Project
Technological scope• Measurement of consumption
of the Consumer Units
• Distributed Automation
• Distributed Generation
• Telecommunication
• Information technology
• Georeferencing
Strategical scope• Regulatory
• Communication and
Relationships with
Consumers
• Privacy
• Process
• Indicators and Metrics.
Cemig Smart Meter Project - Privacy
The main activities of privacy the project:
1. Data costumer privacy: Studies of contextualization
2. Development of a Methodology of Privacy Protection
3. Recommendations on privacy for the smart grid
elements: smart meter and telecom infrastructure
4. Recommendations on privacy on Smart Grid
environment: call center and MDM/AMI
5. Consumer Data Privacy - guidance manual for
employees of Cemig
6. Recommendations for creating Privacy Policy for
Cemig
Data costumer privacy: Studies of contextualization
Smart Grid Environment
Best Practices
Legal and regulatory framework
Data costumer privacy: Project scope
Customer Environment
Telecom Network
Environment
SmartMeters
Telecom Infrastructure
MAN Architecture and network
elements
Power Company Environment
Systems (HW and SW), IS policies,processes and people
MDM - Meter Data Management
Políticas Processos
Pessoas
ProcessesIS Policies
People
Agenda
• Introduction
• Smart grid projects in Brazil
• Privacy in smart grid
• Security assessment for smart meters
• Concluding remarks
Deployment of smart meters in Brazil – our
reality
• In August 2012, ANEEL approved a
resolution which states that energy
distributors will have to install electronic
meters for all consumers who choose
time-of-use billing program by
January 2014.
• It was the first step by the Brazilian
Government to replace the
electromechanical meters.
• Fraud average: 5,6%
dailyreporter.com
The main threats in Brazil – Energy usage frauds
• Many frauds related to
electromechanical meters currently in
use in Brazil
• There are also record of frauds related
to other new electronic devices, for
instance pay TV
Fraud
• It is possible to infer that the new smart
meter devices to be used in Brazil will
further increase the current level of fraud
Security assessment for smart meter – Project
Overview
• Name: R&D in security assessment for smart meters
• Client:
• Sponsor: Aneel R&D Fund
• Period: from September 2012 to December 2014
• Totally executed by CPqD Foundation
• Number of clientes: 2.4 mi
• 8ª. biggest power company in Brazil
• Number of cities: 228
Security assessment for smart meter – Project Overview
Subjects:
• Investigate different brands and types of smart
meters available in the market
• Run tests for checking security requirements
• Assess potential impacts
• Build two labs specialized in security evaluation of
smart meters and homologation
Security assessment for smart meter
Goal 1Methodology for security
assessment
Goal 2Smart Meter Cyber Security
Laboratory Deployment
Goal 3Security analysis and
tests of smart meters
State of the art survey for
smart meters security
Specification of the test
environment
Development of the
security assessment
methodology for smart
meters
Security test
Implementation of a Smart
Meter Security Training
Platform
Laboratory deployment
Laboratory operation
Knowledge and
technology transfer
Security Assessment for Smart Meters
Homologation test
Security requirements - references
• There are international standards related to security
requirements:
• OIML D31 - General requirements for software controlled
measuring instruments, 2008.
• NIST 7823* - Advanced Metering Infrastructure Smart Meter
Upgradeability Test Framework, July 2012
• This report describes conformance test requirements that may
be used voluntarily by testers and/or test laboratories to
determine whether Smart Meters and Upgrade Management
Systems conform to the requirements of NEMA SG-AMI**
• The Brazilian standard:
• Instituto Nacional de Metrologia, Qualidade e
Tecnologia – INMETRO. RTM 586 - Regulamento
Técnico Metrológico – 2012: addresses metrologically
relevant software security aspects of the smart
meters.
* National Institute of Standards and Methodology
** NEMA – National Electrical Manufacturers Association
*** INMETRO – Instituto Nacional de Metrologia
Hardware security requirements
• Unprotected interface
• Hardware anti-tampering mechanisms
• Hardware integrity checking
• Hardware backdoors
• Hardware anti-reverse engineering
Software security requirements
List of requirements:
1. Authentication
2. Authorization
3. Log registers
4. Software fault detection
5. Secure data storage (protection
against unauthorized access -
privacy of measurement data
and other data, cryptographic
key protection, etc.)
6. Safe boot
7. Cryptography support (for secure
transmission and other services)
8. Firmware authenticity
9. Firmware integrity
10. Firmware protection
11. Safe firmware update
12. Data integrity stored and
transmitted
13. Authenticity of transmitted
data
Security assessment methodology for smart
meter
Goal 1Methodology for security
assessment
Goal 2Smart Meter Cyber Security
Laboratory Deployment
Goal 3Security analysis and
tests of smart meter
State of the art survey for
smart meter security
Specification of the test
environment
Development of the
security assessment
methodology for smart
meter
Security test
Implementation a Smart Meter
Security Training Platform
Laboratory deployment
Laboratory operation
Knowledge and
technology transfer
Security Assessment for Smart Meters
Reliability test
Security assessment methodology for smart
meter
Main subjects:
• Security approach: Perform standard security
assessments for different types of smart meters used by
the Brazilian power companies.
• Homologation approach: Check if the smart meter is in
compliance with the standard from Inmetro called RTM
586 (Regulamento Técnico Metrológico – Inmetro)
Steps of the methodology
Scope
definition
Context
definition
Smart meter
technical
description
Threats
Identification
and analysis
Risk
analysis
Implementing
security tests
Implementing
homologation
tests
Elaboration of
the reports
1
2
3
4
5
6
8
7
Steps of the methodology
Scope
definition
Context
definition
Smart meter
technical
description
Threats
Identification
and analysis
Risk
analysis
Implementing
security tests
Implementing
homologation
tests
Elaboration of
the reports
1
2
3
4
5
6
8
7
Steps of the methodology
Scope
definition
Context
definition
Smart meter
technical
description
Threats
Identification
and analysis
Risk
analysis
Implementing
security tests
Implementing
homologation
tests
Elaboration of
the reports
1
2
3
4
5
6
8
7
Test results
• Number smart meters tested: 8
• Number of manufacters: 6
• The tests were performed in the Smart Meter Security
Assessment Laboratory at CPqD. A subset of these tests
were performed at the Elektro´s lab.
• Sw and hw vulnerabilities were found in 100% of smart
meters
Agenda
• Introduction
• Smart grid projects in Brazil
• Privacy in smart grid
• Security assessment for smart meters
• Concluding remarks
Concluding remarks (1/2)
• The last years a lot of money was invested in many Smart Grid
projects in Brazil. Most of them demanded by electric power
companies using Aneel R&D fund
• Participants of these projects: electric power companies, suppliers
(equipment and systems), R&D centers and universities
• CPqD has participated as a leader in some important projects (CEMIG,
Light and Eletrobrás)
• Most electric power companies do not prioritize information security
in smart grid projects: less then 5% of total
• Privacy is a real and an important threat for companies which are
deploying smart grid and they need to develop methodologies to
mitigate the risks
Concluding remarks (2/2)
• Smart meters are frequently
built without any security
requirements in mind.
• 100% of the smart meters
tested had hw and sw
vulnerabilities
• Smart meters are made of
electronic components and
encompass different types of
technologies, protocols, and
embedded systems.
Security of Embedded Systems
Embedded system security: much more
dangerous, costly than traditional software
vulnerabilities
Thank You!
www.cpqd.com.br
José Reynaldo Formigoni Filho
Information and Communication Security Technology Manager
CPqD Foundation
Tel.: +55 19 3705-7121 / Fax: +55 19 3705-6833
Cel.: +55 19 99838-2321
www.cpqd.com.br