ceylerocyber

Do we need to apply Cyber Security for Distribution Networks?

Power distribution supplies critical infrastructure sectors, including water, transportation, telecommunications, health and financial sectors. With the development of smart cities, smart cars and smart homes, our dependence on electricity distribution continues to grow exponentially. To cater to the growing electricity demand, power distribution utilities are adopting digital technologies and communication to increase their efficiency and competitiveness in the market. But the numerous advantages of today's increasingly digitized and interconnected infrastructures come with major cyber security challenges.

Threats to the power grid range from natural disasters and extreme weather conditions to physical attacks and cyber attacks. Considering all threats and where these attacks might occur, the consequences can vary drastically. Distribution and local delivery of electricity are generally not considered part of the Bulk Energy System (BES) and are not covered under NERC CIP. Transmission and generation infrastructure are considered more critical than local distribution infrastructure, considering their risk of failure. Compromise of generation and transmission facilities is generally likely to produce the greatest and most detrimental consequences. But this does not mean that the distribution network is immune to cyber attack. In the December 2015 Ukraine cyber attack, distribution systems were the point of attack, causing power outages for 225,000 customers.

Most of the time attackers go for low-hanging fruit rather than attacking tightly secured systems. An attacker is more likely to gain access to distribution substations that lack basic cyber security practices and physical security protections than to NERC CIP-bound substations. Someone might argue that an attack on the distribution network would only affect regional areas, not the overall power grid. But an orchestrated cyber attack on a number of distribution utilities (as in the 2015 Ukraine attack) could cause power outages in many regions, leaving many customers in the dark. A cyber attack on a distribution substation could involve manipulating breakers to interrupt power or compromising SCADA operations to cause load instability. If an attacker can get access (physically or remotely) to a distribution SCADA master, the risk is significantly greater, as the SCADA master allows access to other distribution and potentially transmission elements within the system.

Cyber security challenges in distribution networks

Distribution utilities rely on networks to communicate data about equipment operating status, to monitor operating conditions, and to communicate changes to current equipment operations. Distribution Automation (DA) and the advanced distribution network enable utilities to quickly locate, isolate and recover from faults. Because of network vulnerabilities caused by misconfiguration, poor management and lack of security awareness, networks remain among the most popular entry points for threat actors. Distribution utilities increasingly rely on remote access to manage geographically widespread assets, increase convenience and reduce costs. Insecure access or connection to critical systems via remote tools and devices is often cited as the most common entry point for cyber incidents.

Closer to the customer, smart meters and Advanced Metering Infrastructure (AMI), Home Area Networks (HAN), energy storage devices, vehicle charging stations, and residential solar and wind controls are also being deployed. Most of these devices communicate wirelessly. Together, they make up a large, complex, heterogeneous network called the Field Area Network (FAN). One of the major challenges in the advanced distribution network is how to monitor and secure these FANs, which are exposed to a variety of threats. An attacker may attempt to disable power in a specific local area. Metering data could be forged, altered or subject to eavesdropping, which could result in improper billing to customers and loss of customer privacy.

The distribution network operates with older legacy equipment at some facilities, mixed with highly connected digital assets at others, and it is inherently difficult to defend because of its geographic spread and thousands of unmanned remote facilities. This gives attackers opportunities to continuously target vulnerabilities in older technologies or pursue exploits in newly interconnected IEDs. Some distribution facilities are in rural areas, in open fields, without any cyber or physical security. The sheer number of geographically dispersed grid elements means cyber security requirements between and throughout systems are difficult to manage and implement.

Devices communicating with or functioning as part of a Distribution Automation (DA) system also pose new threats to utilities and to the electric grid. A vulnerability in a device becomes a problem once it is uncovered and exploited by malicious organizations or individuals. Depending on the weakness, various penetration schemes may be used by an attacker to exploit that vulnerability. Examples of device vulnerabilities are firmware backdoors, default passwords, manufacturing defects, programming errors and design flaws. IED manufacturers should follow a Secure Development Life Cycle (SDLC) process to produce robust firmware and find these weaknesses as early as possible in the development cycle.

An attacker is more likely to gain access to distribution substations that lack basic cyber security hygiene. Often, organizational cyber security is impaired by poor cyber hygiene such as weak or no passwords, passwords that are never changed, no network segregation, unpatched software, and even poor physical security. Through phishing, attackers exploit poor personnel cyber security awareness more often than they attack assets directly.

Distributed Automation System Architecture

Distribution Automation (DA) and the advanced distribution network enable utilities to quickly locate, isolate and recover from faults. Figure 1 provides a view of the communication infrastructure in the distribution grid, such as the Wide Area Network (WAN) and Field Area Network (FAN). The FAN connects smart meters, reclosers, public electric vehicle charging stations, and solar and wind farms to the distribution substations and/or control center. Distributed field devices are typically equipped with radio, wireless, or cellular communication to transmit data to collection points and ultimately back to utility control centers over backhaul communication networks. At the operation center tier, there can be many solution elements, including Distribution Management Systems (DMS), a Meter Data Management System (MDMS), an Advanced Distribution Automation (ADA) system and an Advanced Metering Infrastructure (AMI) head-end. The security services illustrated in Figure 1 provide access control, directory services, intrusion detection and security information and event management to the overall distribution system.

Figure 1: Illustration of a Distributed Automation System

Addressing cyber security challenges in distribution networks requires a multi-layered active cyber defense strategy incorporating a defense-in-depth approach. Defense in depth layers security elements so that the infrastructure is protected by multiple layers of defense distributed throughout the control network. Some of these defensive security controls are vulnerability management, asset management, user management, access control, boundary protection, intrusion detection, efficient incident management, backup plans and recovery plans.

Antivirus and white-listing solutions help utilities deter, detect, or prevent malicious code spreading in control center and substation Local Area Networks (LANs). User accounts are managed in Microsoft Active Directory (AD), and central AAA (Authentication, Authorization and Accounting) is provided through a Remote Authentication Dial-In User Service (RADIUS) server. All meters and devices joining the FAN need to be authenticated before being allowed access to the Distributed Automation System (DAS). The FAN passes the new device's credentials to the centralized RADIUS server. Once the device is authenticated, it is allowed to join the mesh and is authorized to communicate with other nodes.
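The admission exchange described above, with both sides simulated in one process, as an added example that is not code from the original post or from any utility or vendor. The FAN gateway acts as the RADIUS client (NAS) for a joining meter, a minimal server checks the credential against a constructed store, and the gateway refuses to trust any answer whose Response Authenticator does not verify against the shared secret. Packet layout and the User-Password hiding follow RFC 2865; the secret, device name and password are constructed placeholders. The MD5-based hiding is RFC 2865's legacy construction, which is why production deployments carry RADIUS inside a protected transport (RADIUS over TLS, or EAP methods) rather than relying on it alone.

```python
"""Added illustration of the RADIUS admission exchange for a FAN device.

Both sides run in-process: the FAN gateway (RADIUS client / NAS) builds an
Access-Request for a joining meter, the RADIUS server checks the credential
and answers, and the gateway verifies the Response Authenticator before
trusting the answer. Packet layout follows RFC 2865; all names, keys and
passwords below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

SHARED_SECRET = b"gateway-server-secret-EXAMPLE"                  # constructed
DEVICE_STORE = {b"meter-000123": b"per-device-password-EXAMPLE"}  # constructed


def encode_attrs(pairs):
    """Attributes are Type(1) Length(1, including header) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data):
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with an
    MD5 chain keyed by the shared secret and the previous output block (the
    Request Authenticator for the first block). Obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes passwords never end in a NUL byte


def gateway_access_request(device_name, device_password, ident=1):
    """NAS side: a fresh random Request Authenticator for every request."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, device_name),
        (ATTR_USER_PASSWORD, hide_password(device_password, SHARED_SECRET, request_auth)),
        (ATTR_NAS_IDENTIFIER, b"fan-gateway-01"),
    ])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def server_handle(request, secret=SHARED_SECRET, store=DEVICE_STORE):
    """Server side: decode the credential, look it up, and answer with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    name = attrs.get(ATTR_USER_NAME)
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and name in store and hmac.compare_digest(password, store[name])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def gateway_verify(reply, request_auth, secret=SHARED_SECRET):
    """NAS side: only an answer carrying a valid Response Authenticator counts.
    Returns 'accept', 'reject' or 'invalid' (forged, tampered, or wrong secret)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def admit_device(device_name, device_password, server_secret=SHARED_SECRET):
    """Full round trip; a server that lacks the shared secret yields 'invalid'."""
    request, request_auth = gateway_access_request(device_name, device_password)
    return gateway_verify(server_handle(request, secret=server_secret), request_auth)


if __name__ == "__main__":
    print(admit_device(b"meter-000123", b"per-device-password-EXAMPLE"))           # accept
    print(admit_device(b"meter-000123", b"guess"))                                  # reject
    print(admit_device(b"meter-000123", b"per-device-password-EXAMPLE", b"rogue"))  # invalid
```

The point a gateway implementer should take from this is the third outcome: an Access-Accept is only meaningful when its Response Authenticator verifies, so a device cannot be admitted to the mesh on the strength of an answer that did not come from a holder of the shared secret.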

All traffic originating from the FAN needs to pass through a high-performance firewall. Firewalls are used between zones to filter incoming and outgoing network traffic based on security rules and policies. An important aspect of threat detection is the use of Security Information and Event Management (SIEM). A SIEM aggregates data from various logs and correlates events occurring in different parts of the grid to identify critical security incidents, enabling a faster, coordinated response. A Network Intrusion Detection System (NIDS) is used in utility networks to analyze network traffic with the aim of detecting and reporting malicious activities or policy violations.
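The kind of cross-source correlation the paragraph attributes to a SIEM, run over constructed log lines, as an added example that is not from the original post or any SIEM product. The sample lines imitate three feeds that the architecture above produces (the RADIUS server, the FAN boundary firewall, and the DMS/SCADA control host); their format, host names and addresses are invented for the example. The rule escalates a source address through a severity ladder: repeated firewall denies at the FAN-to-control-center boundary, a burst of RADIUS rejects, a reject burst followed by an accept, and finally a control operation issued shortly after that accept. No single feed shows the whole picture, which is the reason for correlating them.

```python
"""Added illustration of SIEM-style correlation across RADIUS, firewall and
SCADA logs. Log lines, hosts and addresses are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOGS = """\
2023-11-02T03:14:05Z radius01 RADIUS: Access-Reject user=meter-000123 nas=fan-gw-01 src=10.20.5.17
2023-11-02T03:14:21Z radius01 RADIUS: Access-Reject user=meter-000123 nas=fan-gw-01 src=10.20.5.17
2023-11-02T03:14:40Z fw-fan01 FW: DENY proto=tcp src=10.20.5.17 dst=10.10.1.5 dport=20000 zone=FAN->CC
2023-11-02T03:14:58Z radius01 RADIUS: Access-Reject user=meter-000123 nas=fan-gw-01 src=10.20.5.17
2023-11-02T03:15:30Z radius01 RADIUS: Access-Accept user=meter-000123 nas=fan-gw-01 src=10.20.5.17
2023-11-02T03:16:02Z fw-fan01 FW: DENY proto=tcp src=10.20.5.17 dst=10.10.1.6 dport=502 zone=FAN->CC
2023-11-02T03:19:45Z dms01 SCADA: CONTROL op=open device=recloser-R17 src=10.20.5.17
2023-11-02T03:10:00Z radius01 RADIUS: Access-Reject user=meter-000456 nas=fan-gw-02 src=10.20.5.42
2023-11-02T03:10:30Z radius01 RADIUS: Access-Accept user=meter-000456 nas=fan-gw-02 src=10.20.5.42
2023-11-02T03:12:00Z fw-fan01 FW: DENY proto=tcp src=10.20.7.9 dst=10.10.1.5 dport=22 zone=FAN->CC
2023-11-02T03:12:01Z fw-fan01 FW: DENY proto=tcp src=10.20.7.9 dst=10.10.1.5 dport=23 zone=FAN->CC
2023-11-02T03:12:02Z fw-fan01 FW: DENY proto=tcp src=10.20.7.9 dst=10.10.1.5 dport=80 zone=FAN->CC
2023-11-02T03:12:03Z fw-fan01 FW: DENY proto=tcp src=10.20.7.9 dst=10.10.1.5 dport=443 zone=FAN->CC
"""

# "<timestamp> <host> <SOURCE>: <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Normalise one line into a flat dict; the key=value pairs become fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "source": m["source"], "event": m["event"], **fields}


def correlate(log_text, reject_threshold=3, deny_threshold=3, window=timedelta(minutes=10)):
    """Return one incident per source address, most severe first.

    Severity ladder (a constructed rule, not any product's):
      low      - >= deny_threshold boundary-firewall denies inside the window
      medium   - >= reject_threshold RADIUS rejects inside the window
      high     - medium, then an Access-Accept inside the window
      critical - high, then a SCADA control operation inside the window
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])           # feeds arrive out of order
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        rejects = [e["ts"] for e in evs if e["event"] == "Access-Reject"]
        denies = [e["ts"] for e in evs if e["event"] == "DENY"]
        severity, burst_end = None, None
        for i, t0 in enumerate(rejects):         # sliding window over rejects
            in_window = [t for t in rejects[i:] if t - t0 <= window]
            if len(in_window) >= reject_threshold:
                severity, burst_end = "medium", in_window[-1]
                break
        if severity == "medium":
            accept = next((e["ts"] for e in evs if e["event"] == "Access-Accept"
                           and burst_end <= e["ts"] <= burst_end + window), None)
            if accept is not None:
                severity = "high"
                if any(e["event"] == "CONTROL" and accept <= e["ts"] <= accept + window
                       for e in evs):
                    severity = "critical"
        elif len(denies) >= deny_threshold and denies[-1] - denies[0] <= window:
            severity = "low"
        if severity:
            incidents.append({"src": src, "severity": severity,
                              "rejects": len(rejects), "denies": len(denies)})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    incidents.sort(key=lambda i: order[i["severity"]])
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

Keying only on the source address is a simplification: a production rule would also key on the device identity and the NAS that relayed the request, and would tune the window to the utility's own authentication retry behaviour so that a mistyped credential followed by a successful login (the second address in the sample) does not page anyone.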

Data from smart meters and distribution automation devices traverses a public or private WAN before reaching the control center. To ensure the integrity and confidentiality of that data wherever it crosses a public or private WAN backhaul, it is highly recommended that it be encrypted with IPsec or another secure tunneling method.
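The integrity half of that recommendation, and the forged or altered metering data named in the FAN section, can be seen concretely at the application layer. The following is an added example, not code from the original post or from any AMI vendor: instead of an IPsec tunnel it uses an HMAC-SHA256 tag and a per-meter sequence number over a canonical encoding of each reading, so that a head-end can detect a reading that was altered in transit or captured and replayed. The meter id, key and readings are constructed placeholders.

```python
"""Added illustration: integrity and replay protection for a meter reading.

Stands in for the integrity guarantee an IPsec backhaul tunnel provides, but
at the application layer, so the failure modes named in the post (forged or
altered metering data) can be seen being caught. Meter id, key and readings
are constructed; a real AMI head-end would hold one key per meter,
provisioned at enrolment.
"""
import hashlib
import hmac
import json

METER_KEY = bytes.fromhex(  # constructed 256-bit per-meter key
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _canonical(meter_id, seq, kwh, ts):
    # Deterministic byte encoding (sorted keys, no whitespace) so that the
    # meter and the head-end compute the MAC over exactly the same bytes.
    return json.dumps({"meter": meter_id, "seq": seq, "kwh": kwh, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_reading(meter_id, seq, kwh, ts, key=METER_KEY):
    """Meter side: the reading plus an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(meter_id, seq, kwh, ts), hashlib.sha256).hexdigest()
    return {"meter": meter_id, "seq": seq, "kwh": kwh, "ts": ts, "tag": tag}


def verify_reading(msg, last_seq, key=METER_KEY):
    """Head-end side. Returns (accepted, reason). The tag is checked before the
    sequence number so a forger learns nothing from the rejection reason."""
    expected = hmac.new(key, _canonical(msg["meter"], msg["seq"], msg["kwh"], msg["ts"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, "bad tag: forged or altered"
    if msg["seq"] <= last_seq:
        return False, "replay: sequence not newer than last accepted"
    return True, "ok"


def ingest(messages, key=METER_KEY):
    """Process a batch in arrival order, tracking the last accepted seq per meter.
    Returns a list of (seq, accepted, reason)."""
    last, results = {}, []
    for m in messages:
        ok, reason = verify_reading(m, last.get(m["meter"], -1), key)
        if ok:
            last[m["meter"]] = m["seq"]
        results.append((m["seq"], ok, reason))
    return results


if __name__ == "__main__":
    good = sign_reading("meter-000123", 41, 12.75, "2023-11-02T03:00:00Z")
    altered = dict(good, kwh=1.25)   # consumption changed in transit, tag unchanged
    replayed = dict(good)            # captured earlier and re-sent
    later = sign_reading("meter-000123", 42, 12.80, "2023-11-02T03:15:00Z")
    for result in ingest([good, altered, replayed, later]):
        print(result)
```

The sequence number is what turns a bare integrity check into replay protection; without it, a captured valid reading could be re-sent indefinitely and would pass the tag check every time. Confidentiality is not addressed here at all, which is the other reason the post recommends a tunnel rather than an application-layer tag alone.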

Conclusion

Distribution networks have evolved into a digital infrastructure that increasingly relies on intelligent electronic devices (IEDs) using digital communication methods to monitor and control operations. But the advantages of today's increasingly digitized and interconnected infrastructures come at a heavy price: cyber security has become a major challenge and cyber attacks have become a serious risk. Distribution and local delivery of electricity are not considered part of the NERC CIP BES, but unsecured distribution networks are serious threat vectors to the power grid. Distribution utilities require a multi-layered active cyber defense strategy incorporating modern security controls and well-defined security policies to avert this security risk.