Will the “Smart Grid” breath new life into MLS?
Lately I’ve been working with the SEL-2032, learning the device capabilities provided through the SEL protocol, Modbus, DNP3, UCA2, GOOSE, etc. GOOSE (which stands for Generic Object Oriented Substation Events) is particularly interesting. GOOSE (a component of the 61850 protocol) is a mechanism for fast transmission via ethernet of substation commands and sensor data used for tripping switchgear, starting a disturbance recorder, and in the implementation of, among other things, safety interlock systems. GOOSE stipulates VLAN technology and priority tagging as per IEEE 802.1Q to have separate virtual network within the same physical network and sets appropriate message priority level. (Which means it MAY be vulnerable to a denial of service attack originating from and even targeting a different network that happens to share the frame-relay level resources with the GOOSE VLAN, and MAY be vulnerable to VLAN Hopping attacks, perhaps using a fast traffic generator e.g. Mausezahn ). Cisco has identified at least 8 different possible VLAN attacks, but to be fair Cisco also asserts:
“The security of VLAN technology has proven to be far more reliable than its detractors had hoped for and only user misconfiguration or improper use of features have been pointed out as ways to undermine its robustness. The most serious mistake that a user can make is to underestimate the importance of the Data Link layer, and of VLANs in particular, in the sophisticated architecture of switched networks. It should not be forgotten that the OSI stack is only as robust as its weakest link, and that therefore an equal amount of attention should be paid to any of its layers so as to make sure that its entire structure is sound.”
The GOOSE level remote switching and overall grid control is mission critical functionality requiring an extremely high-level of assurance. Currently storing very large quantities of electrical power is not very feasible (except storing potential electricity in the form of water behind a damn). So the power grids basically operate within very defined boundaries. Supply must be matched to demand; over voltage, under voltage and a host of other power quality conditions can result in economic inefficiency, equipment damage, and temporary or prolonged power outages, and conceivably significant safety hazards. The root causes of these problems may have originated up or down stream of where the impact is most severely felt. For this reason power grid control is extremely dependent on upstream and downstream data & commands.
As I learned about GOOSE I learned that it is part of the IEC-61850 family of protocols, that 61850 is being adopted rapidly especially in Europe, and is proposed for that panacea for all our power reliability and efficiency problems, the ‘Smart Grid’. So I decided to review some of the recent Smart Grid technology articles. The Economist review of the “Smart Grid” this week is a real nice popular introduction to the concept.
The recent article by CNN ['Smart Grid' may be vulnerable to Hackers] pointed out that the advance metering infrastructure of the smart grid presents some security issues as has been highlighted by research done by IOActive. IOActive asserts that a determined attacker with $500 of equipment and materials and a background in electronics and software could “take command and control of the [advanced metering infrastructure]. The CNN article contrasted that while a representative of Edison Electric Institute has asserted that “We are not going to manufacture this car without a seat belt.” – the article also noted that “as of now there are no clear-cut Smart Grid cybersecurity standards”. According to the Economist article, the United States is a bit behind in terms of the advanced metering technology adoption rate, behind especially Italy. The Economist sites ABI Research which say’s that 76 Million smart meters have already been installed world-wide and also states that about 12 million smart meters will be installed in California over the next few years.
The advanced metering used to determine if I am drawing from the grid today or selling excess power from my roof top solar panels or the 25 kWhr Lithium Ion battery pack of the Wrightspeed X1 in my garage (just kidding) back to the grid may not seem as mission critical as the relays controlling breakers for a major metropolitan area. But the thing is, to be effective the data from my house must be fused with the data from other residences as well as with data from substations, generation plants, etc.
And so there is the current GOOSE information domain which goes from secure node to secure node and is clearly mission critical functionality requiring an extremely high-level of assurance. On the other hand, the Smart Grid’s private residence based advanced metering constitutes a different information domain. Assurance is important for the advanced metering but to be effective advanced metering must be bidirectional and it is doubtful that an information domain extending to private residences can attain the level of assurance absolutely critical to the current GOOSE information domain. This is the makings of a Multi-Level security (MLS) problem, a kind of problem here to fore largely germane only to military and intelligence organizations.
A system is said to be Multi-Level Secure when it meets the following criteria:
1. The system must process information for more than one information domain; and
2. The system must be implemented with assurance that the security policies within each domain are enforced.
(citation from AEPOS Technology)
MLS sounds like a simple problem to the layman. In fact MLS Research began in the 60’s and has eaten through literally millions of research dollars at this point. So far we’ve learned, among other things, that the coverage you get per dollar expended on MLS technology tends to be lower than one might expect, that the ‘covert channel problem’ is pernicious and really difficult, that even the most successful technologies sometimes have significant performance (network transfer speed) impact which would be a non-starter in the 4 millisecond time frame of the GOOSE world, and that application-level-only solutions are insufficient, rather hardware and operating system level guards are essential. For a good review of MLS research see the “Introduction to Multilevel Security” by Dr. Rick Smith of the University of St. Thomas, Minnesota, and the Wikipedia MLS article.
All of which isn’t to say that a secure “Smart Grid” with an advanced metering infrastructure that also supports data fusion with the mission critical grid functionality is impossible. I’m just saying it might be a good idea to send our best cyber security minds to the ISA99 10/7 – Morning Panel: Cyber Security Considerations for Smart Grid Technologies 
Author: Martin Solum
Posted: June 18th, 2009 under Uncategorized.
Comments: 4
Comments
Comment from Matt Franz
Time: June 19, 2009, 10:29 am
Martin,
I find this blog confusing but sort of interesting, nonetheless.
So are you talking about talking about using like labeled networking or other OS level MAC(Manditory Access Controls)/MLS/TE (Type Enforcement) mechanisms such what is available within SELinux within a “smart grid” infrastructure. Meaning in the underlying network or infrastructure?
See http://free.linux.hp.com/~pmoore/files_lj/labeled_networking-lfjapan-07092008.pdf
Or are you talking about implementing MLS/MAC/TE functionality within the protocols themselves?
I’m not sure which is the most unlikely, given the limited penetration of this in commercial space.
(what is the first thing most users do on their RHEL/CentOS box, turn off SELinux so their apps work)
Comment from Martin Solum
Time: June 19, 2009, 11:47 am
Hi Matt,
(Thanks for putting your comments so delicately.) This is a confusing blog; you should have seen the 3 earlier versions! I wrote this blog because the smart grid train is leaving the station, has to leave the station now, and there are some really difficult issues that “should have” been solved already. Economics is driving the time table but the cyber security issues are real and I think they will become economically critical very quickly.
Maybe there is some big thing I am missing, but it just looks to me that for the smart grid to work overall (not just for smart metering to work), it has to be architected as a MLS problem. Outside of military applications, yesterday MLS was one of those solutions looking for a problem. I think today, smart grid is that problem.
I agree that neither of the alternatives you list (running the smart grid over a network or os based labeling infrastructure or implementing MLS/MAC/TE functionality within the protocols themselves) seems particularly likely. I do not claim to be an expert in either the smart grid the area of MLS. While what you list as the second choice, implementing MLS/MAC/TE functionality within the protocols themselves, actually kind of makes more sense from a theoretic point of view, I can’t see it as being feasible in the required time frame. To me, it seems from a mile high that using labeled networking or other OS level MAC(Manditory Access Controls)/MLS/TE (Type Enforcement) mechanisms such as what is available within SELinux within a “smart grid” infrastructure, no matter how much of a stretch that is, is the only choice conceivable within the required time frame.
But please understand, I don’t feel very strong that I know the remedy. I just have a strong hunch that very soon the problem will be obvious to everyone, not just me.
-Martin
Comment from Rob Lewis
Time: June 20, 2009, 1:24 pm
Right on Martin,
The MLS reluctance or general revulsion at the thought of labelled security stems from previous implementations being horrendous. The concepts are sound. What is needed are new approaches to implementing MLS. We have been promoting one for a number of years now, but “your best security minds” are inclined to dismiss it without even checking it out, so good luck trying to get any of them to think out of the box.
SELinux is still not a great choice due to complexity but neither is it the only choice.
You might want to refer to my comment on Dale’s post,
“NERC CIP, Low Hanging Fruit and the Weak Link”
Comment from Mike Toecker
Time: June 22, 2009, 2:01 pm
I’m still trying to figure out why we are connecting all these meters over an pure TCP/IP based network. Don’t get me wrong, I love TCP/IP, it built the internet.
But is this a case of using our favorite hammer to drive in an object that is definitely not a nail?
SmartGrid apps I’ve seen are mainly of the command-control variety, where a single control point commands multiple device points. Very little intercommunication between the meters is necessary in this type of configuration, so why use pure TCP/IP, a protocol built expressly to allow nearly infinite intercommunication?
If the interconnections between the devices expressly denied communications between meters, an IOActive like exploit would have a much more difficult time finding other meters to exploit. This seems like a smart idea anyway, since these meters and their communication nodes are going to be:
1. Located in publicly accessible places
2. Have a VERY attractive price point, allowing purchase by just about anyone. Or they can just steal one.
3. The sheer volume of traffic on this network will likely make monitoring problematic. We’re talking dispatch orders, monitoring points, exception reports, all requiring minimal latency and operating in small time slices.
4. The devices are purpose built, and likely aren’t ready for the rigors of being in an IP environment. Isn’t this why we don’t attach control systems to corporate networks?
Every conversation I’ve heard so far is vendors selling the same things they have been selling the past 20 years to support a technology and infrastructure that is barely off the drawing board yet. This is new, maybe it needs something new to support it…
Mike Toecker, Private Citizen
…and now persona non grata with every network equipment manufacturer in the nation.
Write a comment