
IEEE Copyright Statement:
Copyright © 2012 IEEE. Reprinted from Proceedings of the IEEE, Vol. 100, No. 1, 2012, pp. 195–209.
This material is posted here with permission of the IEEE. Such permission of the IEEE does not
in any way imply IEEE endorsement of any of Carnegie Mellon University's products or services.
Internal or personal use of this material is permitted. However, permission to reprint/republish
this material for advertising or promotional purposes or for creating new collective works for
resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org.
By choosing to view this document, you agree to all provisions of the copyright laws protecting it.

INVITED PAPER

Cyber–Physical Security of a Smart Grid Infrastructure

The authors of this paper discuss the limitations of advances, measures to make the smart grid secure, and also to assure continuous power flows and dynamic power pricing.

By Yilin Mo, Tiffany Hyun-Jin Kim, Kenneth Brancik, Dona Dickinson, Heejo Lee, Adrian Perrig, and Bruno Sinopoli
ABSTRACT | It is often appealing to assume that existing solutions can be directly applied to emerging engineering domains. Unfortunately, careful investigation of the unique challenges presented by new domains exposes its idiosyncrasies, thus often requiring new approaches and solutions. In this paper, we argue that the “smart” grid, replacing its incredibly successful and reliable predecessor, poses a series of new security challenges, among others, that require novel approaches to the field of cyber security. We will call this new field cyber–physical security. The tight coupling between information and communication technologies and physical systems introduces new security concerns, requiring a rethinking of the commonly used objectives and methods. Existing security approaches are either inapplicable, not viable, insufficiently scalable, incompatible, or simply inadequate to address the challenges posed by highly complex environments such as the smart grid. A concerted effort by the entire industry, the research community, and the policy makers is required to achieve the vision of a secure smart grid infrastructure.

KEYWORDS | Cyber–physical systems; security; smart grids
I. INTRODUCTION

The electric grid is arguably the world’s largest engineered system. Vital to human life, its reliability is a major and often understated accomplishment of humankind. It is the motor of the economy and the major driver of progress. In its current state, the grid consists of four major components: 1) generation produces electric energy in different manners, e.g., by burning fossil fuels, inducing nuclear reaction, harnessing water (hydro-electric dams), wind, solar, and tidal forces; 2) transmission moves electricity via a very high voltage infrastructure; 3) distribution steps down current and spreads out for consumption; and 4) consumption, i.e., industrial, commercial, and residential, uses the electric energy in a multitude of ways.

Given the wide variety of systems, their numerous owners, and a diverse range of regulators, a number of weaknesses have emerged. Outages are often recognized only after consumers report. Matching generation to demand is challenging because utilities do not have clear cut methods to predict demand and to request demand reduction (load shedding). As a consequence, they need to overgenerate power for peak demand, which is expensive and contributes to Green-house Gas (GhG) emissions. For similar reasons it is difficult to incorporate variable generation, such as wind and solar power, into the grid. Last, there is a dearth of information available for consumers to determine how and when to use energy.

To address these challenges, the smart grid concept has evolved. The smart grid uses communications and information technologies to provide better “situational awareness” to utilities regarding the state of the grid. Smart grid provides numerous benefits [1]–[4]. Using intelligent communications, load shedding can be implemented so that peak demand can be flattened, which reduces the need to bring additional (expensive) generation plants online. Using information systems to perform predictive analysis, including when wind and solar resources will produce less power, the utilities can keep power appropriately balanced. As new storage technologies emerge at the utility scale, incorporation of these devices will likewise benefit from intelligent demand prediction. Last, the ability for consumers to receive and respond to price signals will help them manage their energy costs, while helping utilities avoid building additional generation plants. With all these approaches, the smart grid enables a drastic cost reduction for both power generation and consumption.

Manuscript received April 17, 2011; revised June 22, 2011; accepted June 23, 2011. Date of publication September 12, 2011; date of current version December 21, 2011.
Y. Mo, T. H.-J. Kim, A. Perrig, and B. Sinopoli are with the Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213 USA (e-mail: ymo@ece.cmu.edu; hyunjin1@ece.cmu.edu; adrian@ece.cmu.edu; brunos@ece.cmu.edu).
K. Brancik and D. Dickinson are with Northrop Grumman Corporation, McLean, VA 22102 USA (e-mail: kenneth.brancik@ngc.com; dona.dickinson@ngc.com).
H. Lee was with the CyLab, Carnegie Mellon University, Pittsburgh, PA 15213 USA. He is now with Division of Computer and Communication Engineering, Korea University, Seoul 136-701, Korea (e-mail: heejo@korea.ac.kr).
Digital Object Identifier: 10.1109/JPROC.2011.2161428
Vol. 100, No. 1, January 2012 | Proceedings of the IEEE 195
0018-9219/$26.00 © 2011 IEEE
Dynamic pricing and distributed generation with local generators can significantly reduce the electricity bill. Fig. 1(a) shows how to use electricity during off-peak periods when the price is low. Conversely, Fig. 1(b) shows load shedding during peak times and utilization of energy storage to meet customer demand. The effect of peak demand reduction by “demand management” is shown in Fig. 2. Pilot projects in the states of California and Washington [1] indicate that scheduling appliances based on price information can reduce electricity costs by 10% for consumers. More advanced smart grid technologies promise to provide even larger savings.

To establish the smart grid vision, widespread sensing and communications between all grid components (generation, transmission, distribution, storage) and consumers must be created and managed by information technology systems. Furthermore, sophisticated estimation, control, and pricing algorithms need to be implemented to support the increasing functionality of the grid while maintaining reliable operations. It is the greatly increased incorporation of IT systems that supports the vision, but unfortunately also creates exploitable vulnerabilities for the grid and its users.
A. A Cyber–Physical Approach to Smart Grid Security

A wide variety of motivations exist for launching an attack on the power grid, ranging from economic reasons (e.g., reducing electricity bills), to pranks, and all the way to terrorism (e.g., threatening people by controlling electricity and other life-critical resources). The emerging smart grid, while benefiting the benign participants (consumers, utility companies), also provides powerful tools for adversaries.

The smart grid will reach every house and building, giving potential attackers easy access to some of the grid components. While incorporating information technology (IT) systems and networks, the smart grid will be exposed to a wide range of security threats [5]. Its large scale also makes it nearly impossible to guarantee security for every single subsystem. Furthermore, the smart grid will be not only large but also very complex. It needs to connect different systems and networks, from generation facilities and distribution equipment to intelligent end points and communication networks, which are possibly deregulated and owned by several entities. It can be expected that the heterogeneity, diversity, and complexity of smart grid components may introduce new vulnerabilities, in addition to the common ones in interconnected networks and stand-alone microgrids [3]. To make the situation even worse, the sophisticated control, estimation, and pricing algorithms incorporated in the grid may also create additional vulnerabilities.

The first-ever control system malware called Stuxnet was found in July 2010. This malware, targeting vulnerable SCADA systems, raises new questions about power grid security [6]. SCADA systems are currently isolated, preventing external access. Malware, however, can spread using USB drives and can be specifically crafted to sabotage SCADA systems that control electric grids. Furthermore, increasingly interconnected smart grids will unfortunately provide external access which in turn can lead to compromise and infection of components.

Fig. 1. During off-peak time periods, inexpensive electric power can be used without restrictions (e.g., diverted to energy storage). During peak time periods, some appliances will be temporarily turned off, and stored energy is used. (a) Power usage during off-peak time period. (b) Power usage during peak time period.

Fig. 2. The peak demand for electricity will be reduced by the use of smart appliances, local generators, and/or local energy storage.
Many warnings concerning the security of smart grids are appearing [7]–[12] and some guidelines have been published, such as NISTIR 7628 [3] and NIST SP 1108 [13]. This paper argues that a new approach to security, bringing together cyber security and system theory under the name of cyber–physical security (CPS), is needed to address the requirements of complex, large-scale infrastructures like the smart grid. In such systems, cyber attacks can cause disruptions that transcend the cyber realm and affect the physical world. Stuxnet is a clear example of a cyber attack used to induce physical consequences. Conversely, physical attacks can affect the cyber system. For example, the integrity of a meter can be compromised by using a shunt to bypass it. Secrecy can be broken by placing a compromised sensor beside a legitimate one. As physical protection of all assets of large-scale physical systems, such as the smart grid, is economically infeasible, there arises the need to develop methods and algorithms that can detect and counter hybrid attacks. Based on the discussions at the Army Research Office workshop on CPS security in 2009, we classify current attacks on cyber–physical systems into four categories and provide examples to illustrate our classification in Table 1. Although cyber security and system theory have achieved remarkable success in defending against pure cyber or pure physical attacks, neither of them alone is sufficient to ensure smart grid security, due to hybrid attacks. Cyber security is not equipped to provide an analysis of the possible consequences of attacks on physical systems. System theory is usually concerned with properties such as performance, stability, and safety of physical systems. Its theoretical framework, while well consolidated, does not provide a complete modeling of the IT infrastructure.

In this paper, we propose to combine system theory and cyber security to ultimately build a science of cyber–physical security. Toward this goal, it is important to develop cyber–physical security models capable of integrating dynamic systems and threat models within a unified framework. We believe that cyber–physical security can not only address problems that cannot be currently solved but provide new improved solutions for detection, response, reconfiguration, and restoration of system functionalities while keeping the system operating. We also believe that some existing modeling formalisms can be used as a starting point toward a systematic treatment of cyber–physical security. Game theory [14] can capture the adversarial nature of the interaction between an attacker and a defender. Networked control systems [15] aim at integrating computing and communication technologies with system theory, providing a common modeling framework for cyber–physical systems. Finally, hybrid dynamic systems [16] can capture the discrete nature of events such as attacks on control systems.

The rest of the paper motivates the need for cyber–physical security in the context of the smart grid. Section II reviews cyber threats and countermeasures. Section III describes system-theoretic approaches to contingency analysis and detection of anomalies in the sensory system. Section IV shows how methods from either domain may be incapable to address specific security threats. Section V provides examples of the unique features of cyber–physical security. Finally, Section VI concludes the paper with future research directions.
II. CYBER SECURITY APPROACHES

This section delineates cyber security approaches to smart grid security.

A. System Model

As Fig. 3 shows, smart grids consist of four components: generation, transmission, distribution, and consumption. In the consumption component, customers use electric devices (e.g., smart appliances, electric vehicles), and their usage of electricity will be measured by an enhanced metering device, called a smart meter. The smart meter is one of the core components of the advanced metering infrastructure (AMI) [17]. The meter can be collocated and interact with a gateway of a home-area network (HAN) or a business-area network (BAN). For simple illustration, we denote a smart meter in the figure as a gateway of a HAN. A neighbor-area network (NAN) is formed under one substation, where multiple HANs are hosted. Finally, a utility company may leverage a wide-area network (WAN) to connect distributed NANs.

Table 1. Taxonomy of Attacks and Consequences in Cyber and Physical Systems.

Fig. 3. A cyber security view of smart grid.
B. Cyber Security Requirements

In this section, we analyze the information security requirements for smart grids. In general, information security requirements for a system include three main security properties: confidentiality, integrity, and availability. Confidentiality prevents an unauthorized user from obtaining secret or private information. Integrity prevents an unauthorized user from modifying the information. Availability ensures that the resource can be used when requested.

As shown in Fig. 4, price information, meter data, and control commands are the core information exchanged in smart grids which we consider in this paper. While more types of information are exchanged in reality, these core information types provide a comprehensive sample of security issues.

We now examine the importance of protecting the core information types with respect to the main security properties. The degree of importance for price information, control commands, and meter data is equivalent to the use cases of NISTIR 7628 [3], to which we added the degree of importance for software. The most important requirements for protecting smart grids are outlined below.

• Confidentiality of power usage: Confidentiality of meter data is important, because power usage data provides information about the usage patterns for individual appliances, which can reveal personal activities through nonintrusive appliance monitoring [18]. Confidentiality of price information and control commands is not important in cases where it is public knowledge. Confidentiality of software should not be critical, because the security of the system should not rely on the secrecy of the software, but only on the secrecy of the keys, according to Kerckhoffs’s principle [19].

• Integrity of data, commands, and software: Integrity of price information is critical. For instance, negative prices injected by an attacker can cause an electricity utilization spike as numerous devices would simultaneously turn on to take advantage of the low price. Although integrity of meter data and commands is important, their impact is mostly limited to revenue loss. On the other hand, integrity of software is critical since compromised software or malware can control any device and grid component.

• Availability against DoS/DDoS attacks: Denial-of-service (DoS) attacks are resource consumption attacks that send fake requests to a server or a network, and distributed DoS (DDoS) attacks are accomplished by utilizing distributed attacking sources such as compromised smart meters and appliances. In smart grids, availability of information and power is a key aspect [20]. More specifically, availability of price information is critical due to serious financial and possibly legal implications. Moreover, outdated price information can adversely affect demand. Availability of commands is also important, especially when turning a meter back on after completing the payment of an electric bill. On the other hand, availability of meter data (e.g., power usage) may not be as critical because the data can usually be read at a later point.

From the above discussion, we can summarize the importance of data, commands, and software, which are shown in Table 2. “High” risk implies that a property of certain information is very important/critical, and “medium” and “low” risks classify properties that are important and noncritical, respectively. This classification enables prioritization of risks, to focus effort on the most critical aspects first. For example, integrity of price information is more important than its confidentiality; consequently, we need to focus on efficient cryptographic authentication mechanisms before encryption.
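The prioritization above (authenticate price information before worrying about its secrecy, refuse injected negative prices, and do not act on outdated prices) can be made concrete on the meter side. What follows is an added example written for this page; it is not code from the paper or its authors. It assumes a symmetric key shared between the utility and each meter, HMAC-SHA256 as the authentication mechanism, a constructed message format carrying a sequence number, a timestamp and a price in cents/kWh, and utility-chosen plausibility bounds; the key, the sample messages and the time values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption (not from the paper): the utility and each meter share a symmetric
# key provisioned at installation. Constructed placeholder value for the example.
METER_KEY = b"constructed-example-meter-key-0001"

# Assumption: utility policy bounds for a plausible retail price, in cents/kWh.
# Anything outside this band (e.g., the negative prices the paper warns about)
# is rejected even if it carries a valid tag.
PRICE_MIN_CENTS = 0
PRICE_MAX_CENTS = 200

# Assumption: a price message is only acted on while it is fresh, so an old
# off-peak price cannot be delivered again during a peak period.
MAX_AGE_SECONDS = 900
CLOCK_SKEW_SECONDS = 60

REQUIRED_FIELDS = ("seq", "ts", "price_cents")


def canonical_bytes(body: dict) -> bytes:
    """Deterministic serialization of the authenticated fields (constructed format)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_price_message(body: dict, key: bytes = METER_KEY) -> dict:
    """Utility side: attach an HMAC-SHA256 tag over the canonical body."""
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_price_message(msg: dict, now: int, last_seq: int, key: bytes = METER_KEY):
    """
    Meter side. Returns (accepted, reason).

    Check order follows the paper's prioritization: authenticate first (integrity
    of price information is critical), then reject replayed or stale prices, then
    apply a plausibility bound so that a negative price is refused even when it
    arrives with a valid tag (e.g., from a compromised signer).
    """
    body = msg.get("body")
    tag = msg.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed"
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad_tag"
    if any(not isinstance(body.get(f), int) for f in REQUIRED_FIELDS):
        return False, "malformed"
    if body["seq"] <= last_seq:
        return False, "replayed_seq"
    if body["ts"] > now + CLOCK_SKEW_SECONDS or now - body["ts"] > MAX_AGE_SECONDS:
        return False, "stale"
    if not PRICE_MIN_CENTS <= body["price_cents"] <= PRICE_MAX_CENTS:
        return False, "implausible_price"
    return True, "ok"


def demo() -> dict:
    """
    Run the verifier over constructed sample messages and return the outcome
    per case. 'now' and the sequence numbers are constructed values.
    """
    now = 1_700_000_000
    outcomes = {}

    # Genuine price from the utility.
    good = sign_price_message({"seq": 11, "ts": now - 10, "price_cents": 12})
    outcomes["genuine"] = verify_price_message(good, now, last_seq=10)

    # Same message with the price edited in transit: the tag no longer matches.
    tampered = {"body": dict(good["body"], price_cents=1), "tag": good["tag"]}
    outcomes["tampered"] = verify_price_message(tampered, now, last_seq=10)

    # The genuine message delivered again after it was already accepted.
    outcomes["replayed"] = verify_price_message(good, now + 100, last_seq=11)

    # A correctly signed but old message (outside the freshness window).
    stale = sign_price_message({"seq": 12, "ts": now - 2000, "price_cents": 12})
    outcomes["stale"] = verify_price_message(stale, now, last_seq=11)

    # A correctly signed negative price: authentication alone would accept it,
    # so the plausibility bound is the last line of defense.
    negative = sign_price_message({"seq": 13, "ts": now, "price_cents": -50})
    outcomes["negative_price"] = verify_price_message(negative, now, last_seq=11)
    return outcomes


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:15s} accepted={accepted} reason={reason}")
```

The MAC check runs before any field is interpreted, so a flood of forged messages costs the meter one HMAC computation each and nothing else, which keeps the verifier cheap under the DoS conditions the section describes. Confidentiality of the price is deliberately left out, matching the lower priority the paper assigns to it; a deployment that needs it would add encryption around the authenticated body rather than instead of the tag.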
C. Attack Model

To launch an attack, an adversary must first exploit entry points, and upon successful entry, an adversary can deliver specific cyber attacks on the smart grid infrastructure. In the following sections, we describe this attacker model in detail.

1) Attack Entry Points: In general, strong perimeter defense is used to prevent external adversaries from accessing information or devices within the trusted grid zone.

Fig. 4. Information flows to/from a smart meter including price information, control commands, and meter data.

References (partial list, as reproduced on this page)

A Survey of Recent Results in Networked Control Systems
Power System State Estimation: Theory and Implementation
False data injection attacks against state estimation in electric power grids
Hybrid dynamical systems
Theory of Spread-Spectrum Communications – A Tutorial
Excerpts from later sections of the paper

Malware can be used to replace or add any function to a device or a system such as sending sensitive information or controlling devices.

2) Secure Communication Architecture: Designing a highly resilient communication architecture for a smart grid is critical to mitigate attacks while achieving high-level availability.

Results of injecting false prices, such as negative pricing, will be power shortage or other significant damages on the target region.

Networking devices at the perimeter (e.g., fax machines, forgotten but still connected modems) can be manipulated for bypassing proper access control mechanisms.

An attacker can use a protocol analysis tool for sniffing network traffic to intercept SCADA Distributed Network Protocol 3.0 (DNP3) frames and collect unencrypted plaintext frames that would provide valuable information, such as source and destination addresses.

From the perspective of the defender, more complex systems require dramatically more effort to analyze and defend, because of the state–space explosion when considering combinations of events.

Integrity of sensors can be broken by modifying the physical state of the system locally, e.g., shunt connectors can be placed in parallel with a meter to bypass it and cause energy theft.

The need for security assurance in the development and manufacturing process for sourced software, firmware, and equipment is critical for safeguarding the cyber supply chain involving technology vendors and developers.

The strength of model-based approaches lies in a unified framework to model, analyze, detect, and counter various kinds of cyber and physical attacks.

It is well known that without u_k, the closed-loop system without replay is stable if and only if both F − KCF and F + BL are stable.

• Network-based intrusion: Perhaps the most common mechanism to penetrate a trusted perimeter is through a network-based attack vector.

In the context of smart grids, researchers have proposed several techniques to provide prevention and detection mechanisms against malware.

If u_k ≠ 0, then the third term will always be present and therefore the detector can detect replay attacks with a probability larger than the false alarm rate.

Since system theory is based on approximate models and is subject to unknown disturbances, there will always be a discrepancy between the observed and the expected behavior.