Utilities are aware that their growing reliance on wired and wireless sensor networks to support advanced grid operations has a downside – an increased attack surface. But many utilities have yet to realize that there’s another risk in the significant deployments of machine to machine (M2M) networks that’s relatively undefined but has potential impacts that could cost utilities dearly. That’s the issue of vulnerabilities to timing accuracy incorporated into sensors and intelligent devices deployed in today’s grids.
These components and devices integrate to perform highly synchronized operations and provide timestamps for data used by equipment widely deployed in utility networks to monitor and manage grid operations. If timing is vulnerable to physical or cyber tampering, their precision can be altered, leading to incorrect operations and inaccurate timestamps. What does that mean for the data created or transmitted by these devices? That data becomes inaccurate too.
There are three main timing transfer methods used in today’s telecommunications networks:
- Global Positioning System (GPS)
- Network Time Protocol (NTP)
- Precision Time Protocol (PTP)
While GPS is widely known, the latter two protocols are increasingly found within telecommunications operations that support carrier networks as well as privately managed networks such as those deployed by utilities and other business sectors with significant telecommunications infrastructure.
Is precision timing really important for utilities? Absolutely! Advanced grid operations require accurate synchronization to ensure that one true time for data exists across their systems. For instance, the addition of Distributed Energy Resources (DER)
assets harnessed for balancing volt/VAR levels will require precise and accurate timing coordination. EPRI’s technical resources have worked with utilities to confirm that inaccurate timing data regarding fault locations sent utility work crews miles in the wrong directions and in other cases was the causative factor to tripped breakers on high voltages lines. Those situations have top-line and bottom-line impacts to utilities.
Utilities, labs, and academic institutions have confirmed some vulnerabilities in precision timing that may pose risks to grid applications, mission-critical and otherwise, that rely upon highly accurate timing. However, the potential risks associated with exploitation of these vulnerabilities is unknown.
In addition to the absence of clarity regarding potential risks created by precision timing vulnerabilities, there is also an absence of field-tested and proven mitigations for the most critical vulnerabilities. Existing research on vulnerability mitigations has been mostly confined to theoretical situations, not the practical knowledge needed to address the unique requirements of utility operations.
The Electric Power Research Institute (EPRI) Timing Security Assessment and Solutions research project will examine three essential questions about precision timing:
- Is equipment relied on for precision timing vulnerable to attacks that could impact synchronized grid operations?
- For equipment vulnerabilities identified, what is the potential level of risk to power delivery systems?
- Can mitigations be identified and implemented to reduce the potential for exploitation of vulnerabilities in power systems?
If your utility hasn’t asked, or can’t answer these questions, now is the time to start building awareness and take action. For more information about EPRI’s Timing Security Assessment and Solutions research, please get in touch with us.
About the Authors
Christine Hertzog is a Technical Advisor for ICT and Cyber Security R&D programs at EPRI. She was previously the founder of a consulting firm focused on innovative grid solutions and has an extensive telecommunications hardware, software, and services background. She authored the Smart Grid Dictionary and co-authored Data Privacy for the Smart Grid. She has also served in an advisory capacity to startups, industry associations, and publications. She has an MS in Telecommunications from the University of Colorado at Boulder.
Glen Chason is a Principal Technical Leader of Cyber Security & Privacy in the Power Delivery and Utilization group at EPRI. He is also the manager for EPRI’s Cyber Security and Research Lab located in Knoxville, TN. In this role at EPRI, Glen leads numerous projects in the areas of Penetration Testing, Threat Assessment, and the analysis of security for embedded systems. He is also providing technical leadership for a number of other projects including the Policy-Based Configuration Framework (PBCONF) project, Incident Management, and the Security Architecture. He also participates in numerous working groups and technical committees on cyber security for the electric sector. Glen has a Bachelor’s degree in Computer Science from the University of Texas at Dallas and Master’s degrees in Telecommunications and Security Engineering from Southern Methodist University.
References
For a detailed discussion about time-aware applications and the need for timing accuracy, the authors refer readers to the Time-Aware Applications, Computers, and Communication Systems (TAACCS) Technical Note 1867 published by the National Institute of Standards and Technology in February 2015.