February 2017
Kenneth Rohde
Cyber Security Research & Development
Smart Cities Transportation Workshop
The Idaho National Laboratory
[Timeline graphic: 1949 National Reactor Testing Station; 1974 energy mission (reactor science, safety and sustainability solutions); 1997 environmental management mission; 2005 INEEL & ANL-W combined to create the new Idaho National Laboratory (nuclear energy; national and homeland security; energy and environment); 2015 nuclear energy optimization, infrastructure protection, clean energy demonstration]
INL’s Position Today – Nationally
• One of 10 DOE multi-program labs
• DOE’s designated lead lab for nuclear energy research, development and demonstration
• A major contributor in national and homeland security, alternate and renewable energy and science and technology
• 890 sq. miles
• 4000+ staff
Industry Focused Infrastructure Protection
Providing owners and operators testing results and information…
• Applied laboratory with strong “Build-Test-Build” culture
• Several full-scale and interconnected infrastructure test beds
• Infrastructure operations and management expertise
• Industry interface and experience
…to manage the risk and head off tomorrow’s problem.
Department of Energy Cybersecurity for Energy Delivery Systems
National SCADA Test Bed
• Assessments
• Research and Development
• Training and outreach
• Subject matter experts
Objectives
• Create secure CS environments that improve the security posture of our nation’s critical infrastructure.
Capabilities
• Fully functional SCADA systems and Energy Management Systems (EMS)
• Fully functional Distributed Control Systems (DCS)
• Safety systems and protective components
• Real world configurations and consequence testing
• Ability to generate CS data traffic
• Vendor and asset owner partnerships
– Large SCADA/EMS systems
– On-site assessments
Working Relationships With Global Vendors
General Assessment Process
• An assessment is not a validation or certification
• Collaborative work with vendors and industry to help improve the security of their products
– Work is performed under Cooperative Research and Development Agreements (CRADA) or Non-disclosure Agreements (NDA)
• Cyclical work over a long period (years) to allow improvements to be further tested as the product(s) evolve
• Work is focused to find problems with portions of the system the vendor can improve (i.e. we don’t worry about vulnerable versions of an OS)
• Laboratory and on-site (deployed systems)
Department of Energy Vehicle Technologies Office
Electric Vehicle Infrastructure Laboratory
Evaluate Conductive and Wireless Charging Systems
• System Efficiency
• EM-field emissions
• Power quality
o Total harmonic distortion
o Power factor
o Transient response
• Cyber security assessment
o Communications security
• Wired and wireless
o Software and firmware
• Wide range of input power
o 120 VAC, 208 / 240 VAC, 480 VAC 3 phase
o 400 kVA total capability
• Grid Emulator (60 kVA) enables the evaluation of charging infrastructure performance and response during transient grid events
Smart Grid EVSE Assessments (2013)
• Five prototype EVSE units tested in 24 months
• These units are “smart-grid” enabled
• Each was evaluated for cyber security issues
– Remote compromise
– Unauthorized access and control
– Firmware modifications
– Potential impact on the Energy Grid
• Issues were reported to the vendor to help secure the product before it is commercialized
Common EVSE Issues
• Lack of secure web development practices
• Lack of physical security practices
– Reverse engineering
– Unauthorized network access
• Remote accessibility via the internet
• Weak authentication and authorization
CAN Bus Security (2013)
CAN Bus Security
• Remote CAN Bus Network access
– Determine the external vulnerability exposure by exploiting the wireless communication links
• TPMS
• Bluetooth
• 802.11
• GSM/LTE
• Vehicle to Vehicle
Vehicle-to-Infrastructure (2015)
• Research focusing on the cyber security of the interconnectivity between vehicles, charging stations, and the Energy Grid
• Lots of potential for research, but very little technology available
Plug-in Electric Vehicle Potential Problems
• Potential for overcharging the large lithium batteries since the PEV is negotiating with the charger
– Demands a variable charging rate
– Notifies when to stop
• This communication is done over CAN Bus or Power Line Carrier (PLC)
• What are the implications for Critical Infrastructure?
• Procured a DC Level-2 Fast Charger (DCFC) with both a CHAdeMO and a SAE J1772-Combo cordset
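As an added example (not from the slides), the kind of charger-side plausibility check that limits the overcharging risk described above: the DCFC does not trust the PEV's negotiated parameters blindly, but clamps them to its own envelope and terminates the session on implausible state. The message fields, limits and step size are assumptions for illustration, not CHAdeMO or J1772 protocol values.

```python
from dataclasses import dataclass

# Hypothetical charger-side limits (assumed values for illustration, not from the slides).
CHARGER_MAX_CURRENT_A = 125.0
CHARGER_MAX_VOLTAGE_V = 500.0
MAX_STEP_A = 10.0  # largest plausible change in delivered current between two messages


@dataclass
class PevRequest:
    """One PEV-to-charger negotiation message (constructed abstraction of a CAN/PLC frame)."""
    target_current_a: float
    battery_max_voltage_v: float
    soc_percent: float
    stop: bool = False


class ChargeGuard:
    """Charger-side plausibility checks on PEV-negotiated charging parameters."""

    def __init__(self):
        self.session_max_voltage = None  # fixed once the first valid message arrives
        self.last_current = 0.0
        self.last_soc = None
        self.active = True

    def decide(self, req):
        """Return (deliver_current_a, reason); 0.0 means the charger stops delivering power."""
        if not self.active:
            return 0.0, "session terminated"
        if req.stop:
            self.active = False
            return 0.0, "pev requested stop"
        # The battery's maximum voltage is a property of the pack; a mid-session change is implausible.
        if self.session_max_voltage is None:
            if not 0 < req.battery_max_voltage_v <= CHARGER_MAX_VOLTAGE_V:
                self.active = False
                return 0.0, "battery max voltage outside charger envelope"
            self.session_max_voltage = req.battery_max_voltage_v
        elif req.battery_max_voltage_v != self.session_max_voltage:
            self.active = False
            return 0.0, "battery max voltage changed mid-session"
        # State of charge must stay in range and must not go backwards while charging.
        if not 0 <= req.soc_percent <= 100 or (self.last_soc is not None and req.soc_percent < self.last_soc):
            self.active = False
            return 0.0, "implausible state of charge"
        self.last_soc = req.soc_percent
        if req.soc_percent >= 100:
            self.active = False
            return 0.0, "battery full"
        # Clamp the request to the charger's own limit and to a plausible ramp from the last value.
        current = min(max(req.target_current_a, 0.0), CHARGER_MAX_CURRENT_A, self.last_current + MAX_STEP_A)
        self.last_current = current
        return current, "ok"
```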
Lab Environment
• The actual hardware…
Virtual Environment
• For exploit development and testing…
Attack Pathway
• Compromised PEV infects DCFC and vice versa
Status of Exploit Development
1. PEV Charge Module
2. DCFC Vehicle Controllers
3. DCFC Local Server
Status of Exploit Development
1. PEV Charge Module
– Successful removal of microcontroller from communications board
– Successful extraction of firmware
• Reverse engineering ECU firmware is painful
2. DCFC Vehicle Controllers
– Successful extraction of firmware
– Successful reflash of factory firmware via CAN from the Local Server
3. DCFC Local Server
– Successful extraction of flash memory
• Running Ubuntu Linux 12.04 LTS
– All factory firmware located in the file system
DOE Grid Modernization Laboratory Consortium
• DOE Vehicle Technologies Office funded a 3 year effort to develop a framework for exchanging security information between electric vehicles, charging stations, and a building energy system
– Collaborative work with ANL, NREL, and PNNL
• Initial project work includes a cyber security assessment of 2 commercial AC Level-2 EVSE units
– The identified cyber security issues will be used later to demonstrate project functionality
• INL is developing a set of Diagnostic Security Modules (DSMs) that will be integrated with the PEVs, EVSEs, and the Building Energy Management System (BEMS)
– This functionality will someday be implemented directly in the target system hardware
• The DSM framework will allow a BEMS operator to intelligently decide if a PEV or EVSE is allowed to operate in the building infrastructure by notifying the operator of any cyber security issues detected in a PEV or EVSE
• The system will later be tested in a large scale EV lab environment by a “red team”
Diagnostic Security Module Framework (2016)
Year 1 Efforts
• Procurement of 2 AC Level-2 EVSE
– ChargePoint
– SemaConnect
• Prototyping DSM hardware to integrate with EVSE and PEV
• Subcontracting with the University of Louisiana-Lafayette
– Support with coordination of efforts with community
– Experts in informatics and data exchange
• Installation of EVSE in INL lab space and begin the cyber security assessments
• Initial integration of DSMs with a PEV and EVSE
Year 2 Efforts
• Completion of cyber security assessments
– Reports delivered to ChargePoint and SemaConnect
– Potential for NDAs with the EVSE vendors
• DSMs integrated with EVSEs and PEV at INL
• Cyber health methods (fingerprint) developed for EVSE and PEV
• Initial BEMS functionality developed
[Diagram: three DSMs reporting to the Building Energy Management System]
Year 3 Efforts
• Installation of DSM framework at partner laboratory
• DSM environment functioning with multiple EVSE and PEV
• Red vs. Blue (penetration) testing of DSM framework environment
• Methods and algorithms for systems monitoring published
• Security exchange protocol published to standards bodies (e.g. SEP 2.0, SAE J2931/7)
[Diagram: seven DSMs reporting to the Building Energy Management System]
University of Louisiana at Lafayette
Informatics Research Institute University Research Division
“The Informatics Research Institute (IRI) conducts research in data science to unleash the potential of Big Data for the benefit of society in such areas as health, crisis response, community resiliency, and smart and connected community.”
Center for Visual & Decision Informatics National Science Foundation
Established in 2012, CVDI works in partnership with government, industry, and academia to develop the next-generation visual and decision support tools and techniques that enable decision-makers to significantly improve the way their organization’s information is organized and interpreted.
Questions?
Kenneth Rohde
(208) 526-0672
More Information:
https://energy.gov/under-secretary-science-and-energy/grid-modernization-initiative
https://energy.gov/under-secretary-science-and-energy/grid-modernization-lab-consortium
https://energy.gov/oe/services/technology-development/cybersecurity-for-energy-delivery-systems
https://informaticsinstitute.louisiana.edu/
http://nsfcvdi.org/wordpress/
http://www.inl.gov