One proven approach to security is to build physically separate secure and non-secure devices and networks. For much of the smart grid, this approach is impractical because of the expense and redundancy involved. A more cost-effective solution is to leverage embedded virtualization to run both secure and non-secure software on the same device.
Virtualization enables developers to partition a single hardware platform into multiple virtual machines, each running its own guest Operating System (OS). The virtual machines are managed by a hypervisor (also known as a virtual machine monitor) that sits between the guest OSs and the hardware.
With a secure hypervisor such as the Wind River Hypervisor, the virtual machines are strictly separated from one another, so that an attack, crash, or poor behavior in one partition will not impact the other partitions. This separation allows a single hardware platform to safely run secure and non-secure software side by side.
Figure 1 shows an example of a secure partitioning architecture that supports secure, trusted virtual machines. This architecture could support smart grid control and data processing in a secure, trusted partition running a minimal executive.
Real-time control and device interfaces with lower security requirements could run on a Real-Time Operating System (RTOS) in a second partition. Meanwhile, a Graphical User Interface (GUI) could run on a General-Purpose OS (GPOS) in the third partition.
Figure 1. An example of secure partitioned architecture.
As security becomes a more important requirement for the grid, it may become necessary to validate and certify the security characteristics of smart grid devices. Validating system security is a tedious, costly, and time-consuming task, and the effort required grows considerably for complex systems. A secure hypervisor can simplify matters by separating security-critical functions into trusted partitions and less critical software into non-trusted partitions. This separation reduces the validation workload because only the software in trusted partitions requires verification.
In order for secure partitioning to be used in smart grid devices, there must be a secure and reliable way for the trusted components to communicate with non-trusted components, and a secure way to communicate on a network of smart grid devices.