
Smart Grid Security PDF

138 Pages·2015·1.397 MB·English

Preview Smart Grid Security

SPRINGER BRIEFS IN CYBERSECURITY

Sanjay Goel
Yuan Hong
Vagelis Papakonstantinou
Dariusz Kloza

Smart Grid Security

SpringerBriefs in Cybersecurity

Editor-in-chief
Sandro Gaycken, ESMT European School of Management and Technology, Germany

Editorial Board
Sylvia Kierkegaard, International Association of IT Lawyers, Denmark
John Mallery, Massachusetts Institute of Technology, USA
Steven J. Murdoch, University of Cambridge, UK

Cybersecurity is a difficult and complex field. The technical, political and legal questions surrounding it are complicated, often stretching a spectrum of diverse technologies, varying legal bodies, different political ideas and responsibilities. Cybersecurity is intrinsically interdisciplinary, and most activities in one field immediately affect the others. Technologies and techniques, strategies and tactics, motives and ideologies, rules and laws, institutions and industries, power and money—all of these topics have a role to play in cybersecurity, and all of these are tightly interwoven.

The SpringerBriefs in Cybersecurity series is comprised of two types of briefs: topic- and country-specific briefs. Topic-specific briefs strive to provide a comprehensive coverage of the whole range of topics surrounding cybersecurity, combining whenever possible legal, ethical, social, political and technical issues. Authors with diverse backgrounds explain their motivation, their mindset, and their approach to the topic, to illuminate its theoretical foundations, the practical nuts and bolts and its past, present and future. Country-specific briefs cover national perceptions and strategies, with officials and national authorities explaining the background, the leading thoughts and interests behind the official statements, to foster a more informed international dialogue.
More information about this series at http://www.springer.com/series/10634

Sanjay Goel
Yuan Hong
Vagelis Papakonstantinou
Dariusz Kloza

Smart Grid Security

Sanjay Goel
Department Information Technology Management
University at Albany
Albany, NY
USA

Yuan Hong
Department of Information Technology Management
University at Albany
Albany, NY
USA

Vagelis Papakonstantinou
Research Group on Law, Science, Technology & Society (LSTS)
Vrije Universiteit Brussel
Brussels
Belgium

Dariusz Kloza
Research Group on Law, Science, Technology & Society (LSTS)
Vrije Universiteit Brussel
Brussels
Belgium

ISSN 2193-973X
ISSN 2193-9748 (electronic)
SpringerBriefs in Cybersecurity
ISBN 978-1-4471-6662-7
ISBN 978-1-4471-6663-4 (eBook)
DOI 10.1007/978-1-4471-6663-4
Library of Congress Control Number: 2015932438
Springer London Heidelberg New York Dordrecht
© The Author(s) 2015

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper

Springer-Verlag London Ltd. is part of Springer Science+Business Media (www.springer.com)

Foreword

An irrevocable process has been set into motion: The world is growing smart. Every kind of technology is presently reconsidered as transformable into an intelligent, sensory and communicative, networked device. There are many good reasons for this reconsideration. As has been seen in the past, such transformations have many benefits. Technological processes can be of higher density, better synchronized, of higher efficiency, less prone to human error, they can offer more functionally and quite generally become more profitable. In sum, many stakeholders emerge to design such technologies and initiate a market for products.

But as ever so often with technology in general and information technology in particular, there are risks and side effects. In this current paradigm of “smartification” of our previously “dumb” technologies, the risks of those old technologies are confronted with and infiltrated by the functionalities and risks of the new technologies. This fusion challenges many initial assumptions and established concepts for safety and security in novel ways. Old risks such as physical damages of many of our old technologies, previously forged into acceptable states by electromechanical safety concepts, may reemerge in different shapes and sizes when chips and logic replace single switches and valves, and when the net is slowly creeping in. A smart car or a smart factory may be more efficient and more transparent to some extent, but it will also be more open to outsiders, more accessible, it might be more prone to unwanted complex developments, as any kind of IT always adds tremendous complexity, and it will most certainly require much more attention, more maintenance and more expertise. Also, entirely new risks may come up, such as privacy concerns simply by driving a car or heating the house, given the fact that “smart” technologies generate data—which can be information about people to some extent.
Accordingly, this new fusion of old technologies and new ones requires foresight and wisdom. It may in fact already be a little too late to call for that. The engineers and industries have started these paradigms a long time ago, and approach implementation and sales fast now. Too much money and effort has been spent to pause and reconsider everything. This, by the way, is a very classical problem of technology research. As long as a technology is in its infancy, its actual impact and its use models cannot be predicted with high certainty, so its risks and side effects are difficult to pinpoint. The technology researcher can only guess and hypothesize, which in turn renders much of her effort into an ivory tower perspective. Only once technologies reach a first stage of maturity, with use models in actual implementation, more precise, correct and relevant assumptions can be made. But then, too much money has been spent and too many paradigms are in implementation already to return to the drafting board and start over on some fundamentals. At that point, technical and economical path dependencies are established. They can be reformed, to be sure. The widely known saying that you cannot stop progress is a little imprecise to this end. Progress at large may be unstoppable for many reasons. But any particular progress can always be shaped and directed, even reconsidered and revoked entirely, if its benefits are not nearly in line with its risks—especially as long as it is not too established yet.

Smart technologies, fortunately, are still comparatively young and could be viewed with a kind of “design optimism”. They are dangerous, to be sure, risky and difficult, as two highly complex types of technologies are melted into each other, with a lot of difficult scenarios emerging. But they should also be considered malleable and even an opportunity. Any fresh start in innovation is also a chance to do things better this time.
Information technology is so incredibly bad in its security, so open to sabotage and espionage, to surveillance and manipulation that a reform within an environment with much higher concerns in safety and security could force it to return to some of its fundamental issues and try harder.

A precondition for such an effort is a thorough understanding and a good and causally well-defined structuring of the problems and their roots. They have to be intelligible in their technical, economic, legal and societal dimensions, so options and opportunities can be developed and recommended for implementation. To this end, the whole process of “smartification” still requires a lot more literature, especially interdisciplinary writings, connecting the technical and the human world and reflecting the possible realities of smart worlds.

This SpringerBrief aims to fill this gap in the important field of smart power. Smart power (also called “smart grids”) is a first larger technical area under reform by networked information technology. It is already in application and implementation and can be assessed in its processes and regulations, its technicalities and risks.

The authors of this brief have done an excellent and outstanding job illuminating this new field and explaining the risks and benefits, the conditions and opportunities, causalities and first actors of this field. As a result of their great work, this brief will serve as an excellent guide—a true briefing—not just to smart power, but to the whole emerging smart world and its core topics.

ESMT Berlin, January 2015
Dr. Sandro Gaycken

Contents

1 Security Challenges in Smart Grid Implementation
  Sanjay Goel and Yuan Hong
  1.1 Smart Grid Architecture
    1.1.1 Introduction
    1.1.2 Communication Technologies
    1.1.3 Sensors and Devices
  1.2 Smart Grid Security Concerns and Threats
    1.2.1 Reported Attacks on Electric Grids
    1.2.2 Security Concerns
    1.2.3 Impact of Threats on Smart Grid
  1.3 Ensuring Security in Smart Grids
    1.3.1 Standards and Architectures
    1.3.2 Sensors and Devices
    1.3.3 Network Security Threats
  1.4 Mitigating Cyber-Physical Threats
    1.4.1 Risks at Cyber-Physical Interface
    1.4.2 Mitigating Cyber-Physical Threats
  1.5 Mitigating Smart Meter Threats
    1.5.1 Threats and Vulnerabilities in Meter Infrastructure
    1.5.2 Security Breach on Smart Meter
  1.6 Mitigating Data Manipulation Threats
    1.6.1 Introduction
    1.6.2 Resolving Data Integrity Violation in State Estimation
    1.6.3 Resolving Other Data Manipulation Threats
  1.7 Mitigating Privacy Threats
    1.7.1 Introduction
    1.7.2 Privacy Threats in Smart Grid Infrastructure
    1.7.3 Privacy Laws w.r.t. Smart Grid
    1.7.4 Embedding Privacy Protection into the Design and Implementation of “Smart Grid”
  References
2 Legal Protection of Personal Data in Smart Grid and Smart Metering Systems from the European Perspective
  Vagelis Papakonstantinou and Dariusz Kloza
  2.1 Introduction
  2.2 The Rationale and Modus Operandi for the EU Action Concerning Smart Grid and Smart Metering Systems
  2.3 The EU Regulatory Framework for Smart Grid and Smart Metering Systems
    2.3.1 The Legally Binding Framework
    2.3.2 The Non-binding Framework
  2.4 Actors in the Field of Energy Regulation in the EU
    2.4.1 European Commission—Directorate-General for Energy (DG ENER)
    2.4.2 Smart Grids Task Force (SGTF)
    2.4.3 Agency for the Cooperation of Energy Regulators (ACER)
    2.4.4 National Regulatory Authorities in the EU/EEA
    2.4.5 Selected European Organizations and Associations of Industry
    2.4.6 Selected European Standardization Bodies
  2.5 Legal Framework for Personal Data Protection in the EU
    2.5.1 Context and Background of the Data Protection Law in Europe
    2.5.2 Basic Data Protection Terminology
    2.5.3 Data Protection Principles
    2.5.4 The Rights of the Individuals with Regard to Processing Their Personal Data
    2.5.5 The Reform of the EU Data Protection Framework
  2.6 The Interaction of Smart Grid and Smart Metering Systems with Data Protection Law
    2.6.1 Application of the Data Protection Law for Smart Grid and Smart Metering Systems
    2.6.2 Distinction Between Data Processors and Data Controllers
    2.6.3 The Purpose Limitation Principle
    2.6.4 Data Storage
    2.6.5 Fair and Lawful Processing of Personal Information
    2.6.6 The Principle of Proportionality
    2.6.7 Data Quality
    2.6.8 Monitoring and Oversight of Smart Grid Data Controllers
    2.6.9 The Scope and Exercise of the Data Subject’s Rights
    2.6.10 Legal Basis for Processing—Subscribers’ Consent
    2.6.11 Security and Confidentiality of Data Processing
  2.7 The Non-binding EU Regulatory Framework for Personal Data Protection in Smart Grid and Smart Metering Systems
    2.7.1 Opinions and Recommendations
    2.7.2 Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems
  2.8 Tools for the Protection of Privacy and Personal Data
    2.8.1 Privacy by Default
    2.8.2 Privacy by Design (PbD)
    2.8.3 Privacy Enhancing Technologies (PET)
    2.8.4 Transparency Enhancing Tools (TET)
    2.8.5 Privacy Impact Assessment (PIA)
    2.8.6 Legal Protection by Design (LPbD)
    2.8.7 Privacy Certification
    2.8.8 Overview of Applicable Privacy-Friendly Algorithms for Smart Metering
    2.8.9 Going Beyond Mere Privacy: Technology Assessment (TA)
  2.9 Consumer Empowerment
  2.10 Case Studies
    2.10.1 The Netherlands
    2.10.2 The United Kingdom
  2.11 Observations: Key Points
  References
