HOME SMART ENERGY NETWORKS
New smart grid technologies provide two-way communications between consumers’ premises and utility companies’ back-end systems. These new technologies enable both the consumers and the utility companies to work together to better manage household energy consumption. Advanced metering infrastructure (AMI) systems that include home area networks (HANs) are some of these new technologies that are being deployed by utilities.
AMI systems extend current smart meter technology by allowing utilities to send and receive information and commands to/from the home for multiple purposes, including time-of-use pricing information and demand response actions. HANs connect a consumer’s digital devices, such as computers, televisions, home security systems, "smart" appliances, and telephones. A HAN will allow a consumer to monitor and manage energy usage and remotely monitor and control electric appliances. In-home displays will allow a consumer to keep informed of current energy usage and the cost.
During peak demand periods, AMI systems and HANs can coordinate to reduce usage of high-load devices such as air conditioners and pool pumps. With time-of-use pricing, appliances connected to the HAN can be set to operate only during low-cost energy periods. The goal with all these devices is more efficient energy management - and cost savings to the consumer.
Home Smart Energy Networks, by Annabelle Lee
Cyber Security, Electric Power Research Institute
One important aspect of HANs is cyber security. To assist utilities, regulators, and integrators who are deploying and configuring ZigBee Smart Energy Profile 1.0 and/or Smart Energy Profile 1.1 (collectively referred to as SEP 1.x) in field devices, the EPRI-led National Electric Sector Cybersecurity Organization Resource (NESCOR), the Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG), and other experts jointly developed a technical white paper that provides guidance on the use of SEP 1.x. The results were published as EPRI white paper, Smart Energy Profile (SEP) 1.x, Summary and Analysis, Technical Update 1023055, December 2011. There are two objectives for the white paper. First, assist stakeholders in understanding the potential vulnerabilities in SEP 1.0 and 1.1. Second, provide stakeholders with actionable advice on how to mitigate or minimize these potential vulnerabilities and implement best practices and mitigations. Following are highlights from the white paper.
SEP 1.X SUMMARY AND ANALYSIS
Load control capabilities in Home Area Networks (HANs) are an integral part of the smart grid and energy efficiency modernization efforts currently underway. Like other smart grid systems, HANs are vulnerable to cyber attacks and adequate security measures are needed. The SEP 1.x specifications present a communication framework for HAN devices along with a security framework. SEP 1.x is being deployed by several utilities. In addition, some states, such as Texas and California are deploying SEP 1.x in the HANs to give customers the benefits of the product, including addressing cyber security requirements.
The ZigBee SEP 1.x specifications are very detailed. To assist users in understanding the specifications and the security analysis, several representative system architectures were developed. Two of these logical architectures are included below. All logical architectures include Trust Centers, which are a critical component in the configuration, deployment, and maintenance of a secure HAN. The ZigBee Trust Center Best Practices document defines policies and roles for the Trust Center but these are specified as best practices and not requirements. These best practices should be assessed and recommendations made on whether some, or all, of the best practices should be requirements. Use cases may be developed to assist in this analysis. In addition, cyber security failure scenarios may be used in determining how to configure a Trust Center.
A comprehensive assessment of the security of the SEP 1.x specifications includes an analysis of the security functionality, security controls, cryptographic primitives, and mapping of security requirements. In addition, stakeholders need to understand the differences between versions SEP 1.0 and 1.1 of the specifications, to understand the applicability of each specification to their HANs.
As cyber security threats, vulnerabilities, and environments constantly change, the SEP 1.x specifications will need to be revised, particularly in the area of cryptography. Some of the cryptographic primitives included in the SEP 1.x specifications will be deprecated by the National Institute of Standards and Technology (NIST) or are not approved / recommended by NIST. All proposed revisions should be considered for future updates to the SEP 1.x specifications. In addition, the technical recommendations should be assessed against the SEP 2.0 specification.
The SEP 1.x specification is focused on HAN deployments. There are several other network architectures connected to the HAN, such as a Neighborhood Area Network (NAN), backhaul networks, and other non-ZigBee interfaces within a HAN. These networks do not use ZigBee technology or their architectures and security are not sufficiently detailed in the SEP 1.x specification.
Smart energy networks primarily have two types of devices - a smart meter which bridges a HAN to a NAN and ZigBee home devices that are part of a single HAN. Smart meters and HAN devices use ZigBee to communicate across the network. The SEP 1.x specification allows for different network topologies. One topology is where ZigBee devices join a smart energy network coordinated by a smart meter. In this topology, a smart meter coordinates network management and security. In a second topology, the ZigBee devices do not join a smart energy network but create a home area network for the consumer called a Consumer Private - Home Area Network (CP-HAN). In a CP-HAN a device creates an application level bridge between the smart energy network and the CP-HAN. This device is called an Application Layer Gateway (ALG) and is the ZigBee network coordinator for the CP-HAN. Networks with smart meters acting as the coordinator are called Utility Enabled - Home Area Networks (UE-HAN). In another topology, the ALG is the ZigBee network coordinator and Trust Center for the CP-HAN. In this third topology there is no UE-HAN and the smart meter provides the usage data (and optionally the public pricing data) to the ALG acting as an information sensor.
Following are two representative architectures where SEP 1.x is deployed. Figure 1 depicts a Utility Enabled HAN (UE-HAN) and its connection through a utility meter to a utility backend environment. In this architecture, a smart meter coordinates network management and security. Figure 2 depicts a home area network called a Consumer Private - Home Area Network (CP-HAN). In a CP-HAN, a device (called an Application Layer Gateway (ALG)) creates an application level bridge between the smart energy network and the CP-HAN. The white paper only addresses the UE-HAN and the devices registered with the utility. The CP-HAN and the customer-owned devices on the CP-HAN are outside the scope of the white paper.
The Trust Center in a ZigBee HAN has the responsibility of network coordination, network security, and network management. As such, the Trust Center is the central device in the ZigBee network. Most of the vulnerabilities identified in various security analysis documents can be addressed by proper usage of the ZigBee specifications, SEP 1.x specifications, and deployment of a robust, extensible, and flexible Trust Center. A flexible and extensible approach will make it possible to further improve security by implementing additional measures when new security vulnerabilities and threats are identified.
MITIGATIONS, AND BEST PRACTICES
There are many potential vulnerabilities, impacts, and mitigations when deploying, configuring, and implementing SEP 1.x. First, there are vulnerabilities, impacts, and mitigations related to the requirements included in the SEP 1.x specifications, including deprecated cryptographic algorithms and link keys and network keys vulnerabilities. Second, there are vulnerabilities and mitigations for implementation specific requirements that are outside the scope of the SEP 1.x specifications, but that are applicable to ensuring the security of the operational system. Some examples include: access control, devices leaving the network, detecting malicious devices, and key updates. Third, there are best practices, such as for the Trust Center, certificate management, and key domain overlaps. Fourth, there is security functionality that is outside the scope of the SEP 1.x specifications, such as customer privacy in the CP-HAN, restricted physical access to the meter, plug in vehicles, and distributed energy resources that allow devices in the HAN to put energy back into the grid. All of the potential vulnerabilities and impacts should be assessed and mitigated to ensure that the cyber security requirements of SEP 1.x and the operational environment are met.
Securing the Trust Center is only one component of securing the HAN. Areas remaining to be addressed include the practical and operational steps needed to ensure a secure HAN deployment, including ensuring that requirements are met and associated vulnerabilities are mitigated. These additional areas are outside the scope of the SEP 1.x specifications, but necessary to securing the HAN.
After an organization deploys a Trust Center, the deployed and operational hosting system must remain secure. This will require the development of a set of cyber security test scenarios specifically for the Trust Center. This effort should leverage ongoing efforts such as an AMI security test plan being developed by the EPRI-led NESCOR team. Applicable requirements and guidelines developed by standards bodies and regulatory agencies should be used in all the efforts identified above.
With the deployment of smart grid technology, including smart meters, HANs, and intelligent appliances, securing the communications among the various devices and with a utility is critical. The SEP 1.x specifications include cyber security requirements applicable to a stakeholder’s HAN and interconnected devices.
ABOUT THE AUTHOR
Ms. Lee is a Technical Executive in the Power Delivery and Utilization Sector of EPRI.
From 1996 to 2010, she was a Senior Cyber Security Strategist at the National Institute of Standards and Technology (NIST). She led the Smart Grid Cyber Security Working Group (CSWG) at NIST. Annabelle established the CSWG, defined the work program, and defined the cyber security and privacy strategies for the Smart Grid. The CSWG published the NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security in September 2010. The NISTIR is being used throughout the United States and has been adopted by both China and Sweden.
Annabelle was detailed to the Department of Homeland Security (DHS) for four years. At DHS, Annabelle was the Director, Standards, Best Practices, and R&D Requirements Program and the Director of the Supply Chain Risk Management (SCRM) Program within the DHS National Cyber Security Division.
Annabelle has a BA from Stanford University and an MA from Michigan State University.