Smart Grid Deployment and Identity Management
This paper is the author's personal opinions on the role that identity management will play in the utility industry as smart grid evolves across North America.
Utility - Home Energy Controller
One significant portion of smart grid is the interaction between the home energy controller and the utility.
The home owner may choose to allow the utility to monitor appliance, air conditioner, electric heater and gadget events in the home and potentially to control some of them (e.g. shutting down an air conditioner during peak load to trim the peak and avoid a grid brownout).
This requires identity management to authenticate between the home energy controller and the utility's home management system, potentially every few minutes. Most current deployments put a uid (uniform identification) and password in place that allow the application to log on to the local data store in the home.
I believe that this approach is not secure from the customer's perspective since passwords are easily obtainable through a variety of different methods. I also believe that over the next several years, privacy litigation against utilities will force the utility to adopt a more rigorous method of authenticating to the home.
I foresee the use of digital certificates issued by the utility to the home owner's energy controller, with web services then authenticating to the device using those certificates. This means that utilities must put a solid PKI infrastructure in place and also deploy access control that is highly available.
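To make the certificate-based approach concrete, here is an added example (not from the paper or any utility's own code) in which a hypothetical utility device CA enrolls one home energy controller and the utility side accepts a presented certificate only if it chains to that CA. The function names, the CA name and the controller id are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template is a one-year certificate: the utility's signing CA when ca is set,
// otherwise a client-authentication leaf for the controller named cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// mustSign issues a certificate for pub from tmpl under the signer's key (parent == tmpl means self-signed).
func mustSign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// IssueUtilityPKI stands up the utility's device CA and enrolls one controller under it.
func IssueUtilityPKI(controllerID string) (ca, dev *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in practice generated on the device itself
	caTmpl := template("Example Utility Device CA", 1, true)     // hypothetical CA name
	ca = mustSign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	dev = mustSign(template(controllerID, 2, false), ca, &devKey.PublicKey, caKey)
	return ca, dev
}

// VerifyController is the utility-side check: accept only certificates that chain to the
// utility's own CA and are marked for client authentication, whatever name they claim.
func VerifyController(ca, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A certificate issued by any other CA, even one naming the same controller, is rejected by VerifyController, which is the property a password-based log-on cannot give.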
Home Owner - Utility Interaction
The home owner will either use software supplied by enterprises like Google or use the utility's own portal software or combinations thereof to communicate with the utility.
Further, I also foresee that in the future energy controllers bought in a store will be installed by third parties, who will then help the home owner create an account and interface the controller with the utility.
Further, the home owner will want to assign different authorization rights to their family members allowing them different control over the home energy management system.
Finally, many families will delegate administration rights among family members (e.g. elderly people may delegate some or all of their privileges to their caregivers).
All of this requires:
- A robust identity management system to provision the assets and applications to the home owner
- Integration with B2B infrastructure
- Easy log-on using things like voice recognition
- Fine-grained authorization
Electric Vehicle Management
I foresee several areas where identity management would be important in enabling a smooth customer interaction with the utility. These include:
- Vehicle identity registration systems with the utility, likely involving issuing a digital certificate to the car
- Utility identity federation with credit card companies and energy suppliers (e.g. Chevron, Exxon, Shell, etc.)
- Utility federation with parking garage owners who offer electric vehicle recharging
- Possible federation with electric vehicle car manufacturers
- Possible registration of the vehicles in an energy saving program IF it turns out that battery recharging on numerous vehicles significantly loads the grid (the jury is still out on this)
SCADA Home/Commercial Electrical Generation Authentication
As home and commercial users begin to generate electricity and want to connect to the grid to sell it back to the utility, I foresee the following:
- The need to identify and register the devices with the utility, which in the future will likely involve the ability to install a digital certificate on the energy generating device or on the device that connects it to the grid
- Authentication of the devices to the grid
As smart transformers, power line monitors and feeder automation devices and software are deployed on the SCADA systems, this will require the following identity management infrastructure:
- Registration of all devices in a central LDAP store from the authoritative sources
- Authentication of the devices by either the HMI in the control room and/or an identity management access control system
- Identity management for personnel and third parties who will be working and interacting with the devices and their software
I foresee a significant shift in the future in what happens in a utility's operations control centre and its IT operations. The integration of the home and the digitization of the networks using TCP/IP means that:
- Enterprise incident management must now integrate formerly separate IT and SCADA change management systems into one
- Monitoring systems need to be significantly improved from stem to stern (i.e. from the home with its appliances and gadgets all the way through to utility corporate and utility SCADA systems)
- Network architecture will need to be significantly upgraded and will require more numerous internal DMZ zones to limit the utility's risk of someone being able to penetrate through to the SCADA system
- Security operations must now be moved out of IT and Facilities and into the control room to actively monitor and manage all security and watch for physical and logical penetrations
Operations concern me the most when considering smart grid. While the software sales people and utility marketing people are making the most of "smart grid", I don't think many utilities have considered the operational impact, organizational restructuring and security requirements involved.
This brief paper outlines, at a high level, the challenges of deploying smart grid for a utility from an identity management and operational perspective. Much state and provincial legislation is forcing utilities to take on home or commercial generated power without thinking through the security, operations and identity implications.
Concurrently, I believe that many senior utility managers are "hopping on board" the smart grid bandwagon without knowing the true infrastructure, operational costs and enterprise reorganization.
What most do not realize is that the digitization of the SCADA network to TCP/IP communication AND the deployment to the home together require extremely tight integration between IT and SCADA.
Those utilities that figure this out early will be the winners while those who don't may open themselves, unknowingly, to significant security holes.
About the Author
Guy Huntington is a learned and burned identity management and security consultant. He has led a utility identity management program, participated in a utility security assessment, integrated physical and logical security and rescued several large Fortune 500 identity projects. His white papers can be read at http://www.authenticationworld.com/papers.html. He can be reached at firstname.lastname@example.org or 1-604-861-6804.
Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.