Just like building a house that can withstand storms, building a smart grid device requires a secure operating system as the foundation. Starting with a proven, secure operating system deployed in thousands of critical applications forms the groundwork on which security for an intelligent grid can be built.
The smart energy market is hot. Just like a pressure cooker, there are many opposing forces pushing and pulling on the smart grid infrastructure, creating friction, heat, and opportunity. At the core, business challenges are colliding with technical and political challenges. There is money to be made by the utilities as well as grid component suppliers, and consumers will benefit from lower energy costs and more reliable energy. Politically, opposing forces are spouting concerns with privacy of information and even health hazards caused by the deployment and operation of smart energy equipment.
In its current state, the smart grid infrastructure is antiquated, completely insecure, incapable of supporting future energy demands, and not resilient to attack or system-level failures. That all said, utilities are rushing technology to market to provide automation and efficiency without any real consideration for security or reliability in their devices. At the next level down, in homes and businesses, the same can be said of the smart appliances that are being deployed.
Who is factoring security and reliability into their devices? There are huge ramifications for massively deploying insecure technology. Unfortunately, given the business drivers, it will likely take a catastrophic event to trigger government, utilities, and component manufacturers to come to the realization that they cannot sacrifice security and reliability without some different technology coming to bear.
Why security is so important
Much has been written on the security concerns of the grid and its systems, particularly Supervisory Control and Data Acquisition (SCADA, referring to computer systems that monitor and control industrial-, infrastructure-, or facility-based processes). Many in the SCADA world have heard of the Stuxnet worm, which was a deliberate cyber attack on a particular industrial system. In the future, smart people with misguided initiatives and time on their hands will start tapping into the devices in the home and take control of them, creating havoc, disrupting energy delivery, and stealing valuable private information. These are very real concerns for utilities and consumers, with enormous and far-reaching consequences.
Fortunately, there is hope for the smart grid as a whole. It will take time, but with an appropriate focus on protecting high-valued assets, smart grid component suppliers can leverage proven and certified technologies deployed in the aerospace, defense, industrial, and medical markets to make the grid more resilient and protected against component- and system-level failures as well as deliberate attacks.
For the grid to succeed, the components that make up the grid and the information and energy that traverse the grid must be secure and resilient. These elements must be secured, protected, and authenticated. Furthermore, when breakdowns occur, the grid must be able to self-heal and rapidly respond and recover from system failures. For system and device architects alike, the concept of defense in depth can and should be applied to people, operations, and the network of intelligent devices that comprise the grid. Single points of access and control are targets for attack and system failure. Layers of protection and separation of criticality need to exist to protect high-valued assets such as the systems monitoring and controlling the power grid.
Leveraging expertise with a certified operating system
To enable these capabilities in a cost-effective manner, smart grid device manufacturers should look to proven technologies and companies with experience deploying secure embedded devices in domains and applications like aerospace and defense that demand ultimate security and reliability. In these domains people’s lives are at stake, and systems must be designed to be absolutely secure, safe, and reliable.
The Green Hills Platform for Smart Energy provides the INTEGRITY certified Operating System (OS) to protect high-valued assets from well-funded attackers. INTEGRITY is the first and only OS technology to date to achieve certification from the National Security Agency for Evaluation Assurance Level (EAL) 6+ High Robustness, the highest level of security achieved for any commercial software. Green Hills, in business for nearly 30 years, has proven expertise in architecting secure, safe, and reliable embedded solutions. To address the software development of these complex and vital systems, developers utilize the best-in-class MULTI integrated development environment from Green Hills, which expedites the development, debugging, testing, and deployment of high-assurance real-time embedded applications.
Before looking at where the technology could be deployed, it is important to understand how and where this technology has been used. At the heart of the Green Hills platform for smart energy is an industry-proven real-time separation kernel, deployed in numerous safety- and security-critical applications such as the Joint Strike Fighter and the Joint Tactical Radio System.
The separation kernel uses hardware memory protection to create partitions and isolate and protect critical embedded applications. This ensures that each partition has the resources it needs to run correctly while also protecting the application from malicious attacks or application failures in other partitions. For complex security systems, applications with differing levels of security requirements can run in their own partitions. This architecture provides the necessary security and reliability capabilities compared to legacy applications running in a single address space.
When grid component suppliers design their devices, they make significant trade-offs between hardware cost, field upgradeability, power requirements, performance requirements, and hopefully security requirements. Manufacturers of intelligent devices need to determine what information and which devices need to be protected and how they will protect them.
With the INTEGRITY separation kernel, intrusion prevention and detection, health monitoring, firewalls, encryption, data protection, event logging, and communication stacks are all examples of applications naturally separated into partitions, enabling the device to be more resilient and secure. For in-transit data protection, support for IPv4/IPv6 with protocols such as SSH, SSL, IPsec, IKE, and RADIUS is possible. In the wireless world, WPA and WPA2 provide the latest in wireless security. INTEGRITY intrinsically supports Multiple Independent Levels of Security (MILS) with separation, data isolation, and information flow control.
Virtualization adds to resilience
Virtualization enables disparate systems to be consolidated onto a single platform, allowing more functionality to reside on a single device and thus reducing bill of material cost. Example applications include network devices or utility applications that have applications running across mixed OSs.
A concrete example is a home energy console with a Graphical User Interface (GUI) running Android that collects information from appliances in the home and transfers confidential household or business information out to a concentrator with a trusted real-time application. In this example, Green Hills Secure Virtualization enables the GUI to run in its own secure virtual machine while the communications run in an independent virtual machine. The separation kernel protects the overall system from being affected by insecure applications running in isolated partitions.
Separation and virtualization make the system more resilient by giving the developer the ability to separate critical from non-critical tasks. In this way, the system can adapt to problems, self-heal, restart applications, and safely and securely continue to operate under adverse conditions. Figure 1 depicts an example architecture utilizing separation and virtualization.
For the smart grid, there are many areas where certified separation kernel technology can make the overall system more resilient to attack. With the large installed base of insecure legacy devices in the grid, a separation kernel with virtualization enables entirely insecure devices to safely and securely operate independently within a partition. This allows the utilities and device manufacturers to leverage and reuse legacy devices in the overall grid architecture by isolating insecure partitions from security-critical components.
From the utility perspective, the ability to enable components in the grid with secure partitions for trusted communication and health monitoring means utilities can remotely monitor, control, and upgrade fielded components as required and as policy permits. This will enable both automated and manual response mechanisms to grid performance and functionality issues.
Getting the foundation right
Several other topics must be addressed to improve the grid’s resiliency, such as device and information authentication, secure boot, secure wireless and wired protocols, government policies, physical access control, and operational management. Those items cannot be properly addressed on top of an insecure OS.
At the heart of the grid are devices that collect, transmit, receive, and process valuable private information. The foundation for the success of the grid depends on these devices being properly secured and protected. Therefore, device manufacturers should leverage companies and technology that have a proven track record for delivering certified security and safety solutions in critical environments.
Green Hills Software 805-965-6044