Cyber-Physical Device Authentication for

Smart Grid Electric Vehicle Ecosystem

Aldar C-F. Chan and Jianying Zhou

October 23, 2013

Abstract

Entity authentication and related key management is an active research topic in both

computer and smart grid security alike. But existing works seem to have overlooked the

significance that the smart grid is a cyber-physical system,which entails more consid-

erations in the integration of its cyber and physical domains. Ignoring this could pos-

sibly undermine the security of the smart grid since the effects of cyber authorization

are usually extended into the physical domains. The substitution attack, a kind of the

main-in-the-middle attack, has been demonstrated using this gap. This paper proposes

a two-factor cyber-physical device authentication protocol to defend against coordinated

cyber-physical attacks to the smart grid. The idea is to combine a novel contextual fac-

tor based on physical connectivity in the power grid with theconventional authentication

factor in the challenge-response protocol, widely and commonly used in cybersecurity.

The resulting protocol provides assurance on not only the digital identity of a device, but

also the controllability of the device in the physical domain. While the design is in the

context of electric vehicle ecosystem, the framework couldbe readily extended to other

smart grid subsystems.

Keywords: multi-factor authentication, coordinated cyber-physical attacks, challenge-

response protocol, IEC 61851.

1

1 Introduction

Secure smart grid communication requires mutual authentication of the communicating en-

tities. Entity authentication refers to the security primitive which corroborates the identity

of an entity, be it a person or a device, as it accesses certainresources entailing autho-

rization. It should be distinguished from message authentication [8] which protects the in-

tegrity of a message and corroborates its origin. Entity authentication has been widely stud-

ied in computer security as in authenticated key exchange and/or multi-factor authentication

[2, 3, 6, 14, 15, 23–25, 30]. The handshake in the widely used Transport Layer Security (TLS)

protocol [13] is an example of entity authentication. Entity authentication in the smart grid

is also a significant research problem actively considered in the literature [5,9–11,16,22,30].

A research report published by Gartner [29] also states thatan electric vehicle as a roaming

appliance has to be identified and located whenever it is connected to the power grid. How-

ever, there are salient features in smart grid communication, making entity authentication still

challenging. Some subtle issues have not been adequately addressed by the existing works.

First, one key feature of the smart gird is that it will ultimately facilitate fully automated

management of energy devices and systems without human intervention. Device authentica-

tion would be the primary form of authentication in the smartgrid. In other words, machine-to-

machine (M2M) communication will be the most common mode of smart grid communication

in the future. This poses a particular challenge for entity authentication in the smart grid con-

text because most of the existing approaches [2, 3, 6, 14, 15,24] are not designed to support

unattended operation. To provide a strong assurance of digital identities in an unattended,

fully automated environment demands a strong protection ofthe private key in most of the ex-

isting entity authentication protocols. That is, some formof a trusted computing base (TCB)

or secure element is inevitable, which is now a widely presumed assumption in entity authen-

tication and key management for the smart grid [5, 9–11, 16, 22, 30]. Paverd and Martin [22]

proposes a hardware security architecture to provide such atrusted computing platform for

2

device authentication in the smart grid. This paper gives analternative instantiation.

Second, all the existing protocols [5, 9–11, 16, 22, 30] provide security assurance up to

within the cyber domain only, overlooking the significance that the smart grid is a cyber-

physical system in nature. This indeed undermines smart grid security and has serious implica-

tions to typical smart grid applications such as demand response and vehicle-to-grid (V2G) [7].

The study of coordinated cyber-physical attacks is also regarded as an area of high priority in

the widely cited NIST Framework and Roadmap for Smart Grid Interoperability Standards,

Release 2.0 [18].

The core concept of the smart grid is that, through the use of advanced digital communica-

tion for instrumentation and control, different subsystems of the power grid can be coordinated

for optimized and automated operation to increase the reliability of power supply and mini-

mize waste due to spinning reserve, while supporting the integration of new appliances such

as electric vehicles and renewable energy sources. There are two paths between devices in

the smart grid — a two-way (cyber) communication channel anda (physical) power network

supporting two-way power flow [18]. When a device is authenticated in the cyber domain, the

resulting authorization actually extends beyond the cyberdomain into the physical domain.

In fact, most of the cyber commands are effected as certain operations in the power network,

like closing a circuit breaker, or turning on/off of a relay.That is, a device successfully au-

thenticated in the cyber domain is actually granted access and authorization to act freely in

the physical domain. Consequently, the power grid reliability may be at risk if entity authen-

tication provides little assurance that a cyber-authenticated device will be responsive to cyber

commands and act accordingly to effect changes in the physical power network.

Chan and Zhou [7] actually shows, using the electric vehicle(EV) ecosystem as an exam-

ple, that an EV passing the typical challenge-response authentication using a TCB (which is

deemed as secure in any cybersecurity standards) may not be the device which is physically

connected to the power grid. Rather, it could be a malicious load connecting to the power grid,

3

thus risking the reliability of the power grid. For instance, the malicious load could be irre-

sponsive to the demand-response commands requesting the EVto curtail its power consump-

tion when there is a shortfall of power supply.1 Such an attack also has serious repercussions

in other smart grid applications: undermining V2G when battery profiling is used [27], and

eroding utility’s revenue in flat-rate charging subscription plan.

This paper proposes a new two-factor cyber-physical authentication protocol for the smart

grid EV ecosystem using a novel contextual factor, namely, physical connectivity of the charg-

ing cable. It is basically a challenge-response protocol with two challenges — one sent over

the standard cyber path (cyber challenge) and the other sentover the charging cable of the

electric vehicle (physical challenge).This is the first design of cyber-physical authentication

for the smart grid in the literature.A proof-of-concept design is given with experiment.

The contribution is two-fold. First, a novel cyber-physical device authentication protocol

for electric vehicles is presented. The protocol has a number of desirable properties: unlike

IEC 15118 [27], it does not require any modifications on the EV, thus readily deployable;

besides, the protocol provides a strong binding between thecyber and physical parts of an EV,

assuring that the EV passing the authentication knows the needed secret key (in the tamper

resistant device or TCB) and is physically connected to the specified point of the power grid

(as given in the digital data); in addition, it also providesa means to verify the controllability of

the EV in the physical domain. It should be emphasized that, while the protocol is specifically

designed for the EV ecosystem, the idea of two-factor cyber-physical authentication could be

widely applicable in the smart grid to secure switchgears, trippers, etc.. The key is to find

a relevant contextual factor. This paper gives a basic framework for designing new protocols

with new smart grid contextual factors. Second, a hardware mechanism for binding an onboard

1Circuit breakers are ineffective in this case. The allowable current range is 6-80A in typical charging ac-

cording to IEC61851, meaning the circuit breaker will only breaker at 80A or above. There is a potential gap of

74A between the supply and demand side in the worst case for demand response, whereas, a typical household

would usually draw no more than 30A.

4

unit (OBU) and an EV is proposed. The basic idea is that once the device is deployed —

plugged in to the Control Area Network (CAN) bus of an EV, it isin a particular state such

that unplugging it would disable its CAN bus interface. The design could find application in

other scenarios such as vehicular telemetry and location-based electronic road pricing.

The paper is organized as follows. The coordinated cyber-physical attack called the sub-

stitution attack [7] is explained in the next section. The proposed cyber-physical device au-

thentication protocol is given in Section 3. Section 4 present the prototype implementation

with details of tailoring and optimizations adopted. Section 5 and 6 discuss the security of

the proposed protocol and the experimental results. Related work is discussed in Section 7,

followed by a conclusion in Section 8.

2 Substitution Attack

The substitution attack [7] can be viewed as a special type ofthe Man-in-the-Middle (MitM)

attack. The following discussion assumes that each EV is installed with an onboard unit

called the Intelligent Electronics Device (IED). The IED, with tamper resistant storage of a

secret key, serves as a token to assure the identity of the EV.Only the grid operator would

have access to this secret key. Even the EV owner himself would not have access to it.

Though with unique advantage of ready deployment, the IED model is just one of the

instantiations of providing digital identity assurance for EVs. In IEC15118 [27], the secret

key is pre-installed in the EV itself, say, in one of its Electronics Control Units (ECUs). It is

assumed that the IED is bound to the EV at installation, say, through the CAN bus security

mechanism presented in Section 4.2. The crux is that the IED is inseparable from the EV once

installed. It is also assumed that a conventional challenge-response protocol [1] based on the

stored secret in the IED is used for authentication.

In the desirable situation, when the IED passes the authentication, it means that the EV has

a valid registration and is eligible for charging if the useridentity and billing account also pass

5

IED’IED

Challenge

Response

IED’

STOLEN

IED

Smart CardAccess Control

Figure 1: Substitution Attack against EV Device Authentication

verification. Imagine that an EV has been stolen. With its registration and certificate revoked

(as possibly initiated by its original owner), it should notbe able to gain access to the power

grid for charging, even though the car-thief uses his own user account to pay the charging

cost. To charge a stolen car, the car-thief has to replace itsIED — equivalent to changing its

identity. This is the main security objective of device authentication.

However, consider the substitution attack as depicted in Figure 1. When the authentication

is conducted through a wireless channel, which is widely accepted as the default means of

communication for the EV ecosystem. Now the car-thief can use the IED of another EV with

a valid certificate and registration to run the challenge-response authentication protocol over

the wireless link, while plugging in the stolen EV to the charging station. Since the keys and

certificates of IED’ in the second EV are still valid, they will pass the device authentication

test. If the car-thief’s billing account also has sufficientfund, then a charging session would

start to charge the stolen EV, rather than the second EV. Charging of a stolen EV would go

undetected in this way, which might have serious repercussions, such as irresponsive loads in

demand response. It should be emphasized that, depending onthe wireless channel in use,

cooperation from the second EV is not necessary. That is, thesecond EV could be innocently

and unconsciously helping the stolen EV to pass the authentication.

Linking or binding a user’s identity with his EV’s identity may not work either since the

second EV could be owned by the car-thief who has a valid user identity linked to the EV’s

identity. Instead, it causes inconvenience to EV owners. For the same reason, the require-

6

ment to tap a smart card at the charging station for verification would not work either. This

substitution attack applies to all existing charging stations using wireless authentication pro-

tocols. Indeed this problem is not entirely new. For instance, a remote computer, storing valid

credentials, could log into a legitimate user’s bank account, but the user behind the computer

may not be the account owner. Including physical features isthe key to thwarting this kind of

attacks.

While the stolen car scenario is used as an example for illustration, the impact of such

an access control breach could potentially be far more serious regarding the power grid reli-

ability. For instance, malicious actions can be carried outin the physical domain in demand

response [7] or V2G. A mis-representation of situation or connectivity in the physical domain

by the cyber domain information could lead to power supply shortfall in these core smart

grid applications. Was such breach occurring, the controllability of the electric vehicle (or

more precisely the malicious load) remains a big security concern to the utility. In fact, the

new release of the NIST 1108 report [18] places study on coordinated cyber-physical attacks

as one of the key themes for revising the widely-cite NISTIR 7628 cybersecurity guidelines,

bespeaking the significance of addressing cyber-physical attacks like the substitution attack.

3 Cyber-Physical Device Authentication

3.1 Communication Settings

Depicted in Figure 2 is the communication setting for the cyber-physical device authentication

protocol. The IED onboard of the EV and the charging station have direct communication with

the utility’s backend server. The communication link between the IED and the charging station

is merely a logical link.The server could be seen as the verifier for the EV identity andissue

commands to the charging station to grant access to the EV.That is, a direct communication

channel between the IED and the charging station is not necessary. The IED onboard of the

7

IED on EV

Onboard

charger

Cyber

connection

Challenge sent over

the charging cable

Cyber

connection

Servers at utility

company

Figure 2: The Communication Setting for Cyber-Physical Device Authentication

EV is connected to the CAN bus of the EV, through the OBD-II diagnosis port commonly

adopted in nearly all automobiles. The charging cable is assumed to follow the SAE J1772

standard, which is adopted in all EV models for level 2 charging. That is, the charging cable

has a control pilot pin using IEC 61851 signaling. This assumption is fairly reasonable and

the resulting protocol covers almost all EV models.

3.2 Security Assumptions

The main security assumption of the proposed protocol is theIED’s tamper resistance which

is a common assumption in the smart grid literature. As argued by [22], this assumption is

inevitable to support the fully automated M2M smart grid communication. As a corollary to

such an assumption, we can assume that it is hard for an attacker to modify the IED’s firmware

without being detected. Remote code attestation may also beregularly used to check the code

integrity of the IED.

3.3 Protocol Design of Cyber-Physical Device Authentication

The cyber-physical authentication protocol aims to corroborate the following: 1) the IED on-

board of the EV stores the secret key corresponding to the digital identity of a valid EV; 2) the

EV is physically connected to the claimed charging station.The proposed protocol is a typ-

8

ical challenge-response protocol [1], except that part of the challenge could only be received

through a particularly designated physical medium, which is the charging cable. Details of

how the second challenge is embedded in the signaling of the charging cable are given in

Section 4.1.

A conventional challenge-response protocol involves two parties — a prover and a verifier.

The purpose of the protocol is for the verifier to check whether the prover knows a particular

secret, which is usually a cryptographic key. The verifier sends the prover a random bit string

as a challenge, and in response, the prover could sign on the challenge using its private key.

Then the verifier could verify the signature to see whether the prover really knows the private

key in question. In the case with a symmetric key shared between the prover and verifier, the

prover could decrypt the challenge or generate a MAC (Message Authentication Code) [12]

for the challenge, in place of the signature. In this paper, the most generalized form of response

computation, namely, a pseudorandom functionPRFK(·) — with secret keyK — is used in

the discussion. It should be noted that thePRF could be instantiated by any of the preceding

primitives (digital signatures, MAC, decryption). HMAC [12] is used to instantiate the PRF

in the prototype implementation (Section 4) and experiment(Section 6) in this paper.

In the cyber-physical authentication, there are two parts of a challenge, namely, a cyber

challengeCcyber and a physical challengeCphysical. Ccyber is received over the wireless chan-

nel, whereas,Cphysical is received over the charging cable. Both challenges are originated from

the server. The response is then computed as:

r = PRFK(Ccyber||Cphysical),

whereK could be the secret key stored inside the IED or a session key derived from it, de-

pending on the actual implementation which is out of the scope of this paper.

The server (knowingK) could verify whether the response is a correct one. This protocol

is a two-factor authenticationscheme: while the secret keyK shared between the server and

the IED is one factor (the ’what-you-know’ factor), the physical challengeCphysical is another.

9

Cphysical is a novel factor which combines its numerical value and the dedicated channel for

its delivery (the charging cable and its signaling). It is obvious that the underlying security

guarantees of these two factors are based on very different means. While the first factor is

a conventional one, the second one iscontextual, similar the notion of [2]. In addition, the

contextual factor provides an assurance that the EV is actually physically connected to the

charging station, and the digital information it provides to the server truly reflects the situation

of the physical domain.

Figure 3 shows the execution of the protocol. The charging station and the IED onboard of

the EV are denoted byCS andIED(EV ) respectively. Step 1 is a typical TLS handshake to

establish a session keyK which is used to secure the channel betweenServer andIED(EV )

. A similar TLS handshake is executed to establish a secure channel betweenServer andCS

with another session keyK ′. It should be noted that, from Step 2 onwards, all communication

betweenServer andCS is secured against eavesdropping and message modification.The

same also applies to communication betweenServer andIED(EV ). Step 2 shows that the

EV sends a request to initiate a new charging session to access the power grid. The execution

of the cyber-physical device authentication protocol starts at Step 3, with details as follows:

3. When a new charging session is requested,Server randomly picks a bit sequenceCcyber

as the cyber challenge and then sends it toIED(EV ) through the secure channel. The

challenge should be at least 80 bits long.2 Server storesCcyber for later verification.

4. At the same time,Server randomly picks another independent bit sequenceCphysical

as the physical challenge and then sends it to theCS via another secure channel. The

challenge should be of similar length withCcyber (but not necessarily strictly enforced3)

2A 64-bit sequence is also acceptable because the protocol isexecuted in real time and an attacker cannot

repeatedly fail the test. In other words, the offline brute force attack is inapplicable. Once a test is failed, a new

random sequence is used in the next test.3Since HMAC is used, the input toPRF could be arbitrary in length. Consequently, the two challenges need

not be equally long.

10

Note thatCphysical is kept secret fromIED(EV ). Server storesCphysical for later

verification.

Note that step 3 and 4 could be placed in reverse sequence without affecting the opera-

tion of the protocol.

5. Upon receiving the encrypted challenge fromServer, CS decrypts it to get backCphysical.

A parity check code is computed and appended toCphysical. An 8-bit parity check code

should be sufficient. CS then embeds the challengeCphysical with the parity bits in the

PWM (Pulse Width Modulation) signal of the control pilot pinof the charging cable.

More specifically, using a lookup table, CS maps the bit sequence ofCphysical and the

parity bits into a sequence of duty cycle or pulse width values, which are effected on

the control pilot pin. According to IEC61851, these duty cycle values inform an EV to

adjust its maximum charging current. The resulting maximumcurrent values could be

read from the CAN bus of the EV.

As Cphysical is sent over the control pilot pin, the maximum allowable current the EV

takes in is also changing accordingly, based on IEC61851. The original purpose of the

PWM pulses is to inform the EV the maximum allowable chargingcurrent. This paper

uses them to embed the bit sequenceCphysical. That is, the PWM pulses are seen as a

sequence of symbols embeddingCphysical. While Cphysical is being sent, the charging

current consumed by the EV is also measured atCS at an interval corresponding to

each symbol and compared with the maximum allowable currentset forth by the corre-

sponding PWM pulse duty cycle. If the measured current is larger than the maximum

allowable current, it is consider as a failure for that symbol. At the end of transmitting

Cphysical, the percentage of failures is computed and sent toServer. If this percentage

exceeds a certain predefined threshold, the authenticationis considered as failed.

6. The IED(EV ) reads the sequence of maximum current values from the CAN bus,

11

and looks up from a table the corresponding bit sequence of the challengeCphysical.

The parity bits are checked. If the verification fails, theIED(EV ) requestsCS to

resendCphysical (which is ideally a new value). A request of using a quantization

scheme with coarser granularity on the duty cycles could be sent. IED(EV ) then

uses the established session keyK shared withServer to generate the responser =

PRFK(Ccyber||Cphysical) and sends it toServer. BothCphysical andK, corresponding

to the two authentication factors, are needed for generating a correctr to passServer’s

verification.

7. Upon receivingr from theIED(EV ), Server computesPRFK(Ccyber||Cphysical) to

verify whetherr is a correct response. Equality would mean IED(EV) has the correct

keyK and correctCphysical (implying that the EV is connected to the specifiedCS as

IED(EV ) claims). If the verification of IEC61851 compliance (performed in the last

step) also passes, the server then sends an ”AuthenticationOK” to CS to inform it to

start the charging session and grant access to the EV.

If the verification fails,Server would informCS to repeat Steps 3-6 again, possibly with

longer symbol duration for the PWM pulses. The probability of a verification failure should

be practically negligible. After a predefined number of authentication failures,Server could

informCS to terminate the charging session setup.

4 Prototype Implementation

A full proof-of-concept prototype is implemented to demonstrate the two-factor cyber-physical

device authentication. The NXP-ATOP platform [20], a system-on-chip module including two

ARM7 and one ARM9 processors, is used to implement the IED andthe controller for the

charging station. The power part of the charging station is also constructed. The backend

server is also implemented, running the Ubuntu OS. The IED and charging station communi-

12

IED(EV) CSServer

Secure channel established

between Server and CS with

session key K’

TLS Handshake

Secure channel established

between Server and IED(EV)

with session key K

ID(CS)

Random Challenge Cphysical

Random Challenge sent over the charging cable

Response

Authentication OK

1. IED(EV) connects to

the server.

2. EV arrives at a CS and

IED(EV) sends the

identity of CS to the

server to initiate a

charging session.

5. CS decrypts to get

the challenge

Cphysical and embeds

it in the PWM signal

of the control pilot

pin of the charging

cable and sends it to

EV. Simultaneously,

CS checks IEC61851

compliance of the EV

and return the result

at the end of sending

Cphysical.

6. IED(EV) computes the

response:

r = PRFK(Ccyber || Cphysical)

7. Server computes

PRFK(Ccyber || Cphysical), and

compares it with the received

response r. Equality passes

the first verification. When

IEC61851 compliance check

is also OK, Server sends

“Authentication OK” to CS.

Otherwise, steps 356 are

repeated.

8. Charging starts

Random Challenge

Ccyber

3. Server chooses a random bit

sequence Ccyber as the cyber challenge

and encrypts it and sends it to

IED(EV). Server stores Ccyber.

4. Server chooses a random bit

sequence Cphysical as the physical

challenge and encrypts it and sends

it to CS. Server stores Cphysical.

IEC61851 Compliance

Check Result

Figure 3: Detailed Execution of the Cyber-Physical Device Authentication Protocol

13

Figure 4: PWM Pulses over the Control Pilot Pin of SAE J1772

cate with the server using GPRS (General Packet Radio Service) provided in the NXP-ATOP.

The prototype include a number of optimizations, includingthe coding method to embed the

physical challenge bit sequence into the PWM pulses of the control pilot pin of the SAE J1772

standard, and a specially designed CAN locker or secure hardware interface, which ensures

the binding between the IED and the EV. SAE J1772 is the most widely adopted charging

cable standard.

4.1 Mapping the Physical Challenge into the PWM Signal of theSAE

J1772 Control Pilot Pin

An encoding scheme is designed to achieve that no synchronization between the IED and

charging station is needed when sending the physical challenge which is embedded in the

duty cycles of the PWM pulses. In an IEC62196 or SAE J1772 plug, square pulses are sent

from the charging station to the EV over the control pilot pinof the charging cable, as shown

in Figure 4. By changing the duty cycle of these pulses, the charging station can request the

EV to adjust the maximum charging current. This protocol is defined in IEC 61851, which is

adopted by IEC62196 and SAE J1772.

The physical challenge is sent as a sequence of different duty cycle values over the control

pilot pin. The duty cycle values of the PWM signal are in essence a set of symbols. The EV

treats this sequence as a challenge and generates a responseaccordingly. Note that what can

be read from the CAN bus is the maximum negotiated charging current rather than the duty

14

cycle. A lookup table is created to covert the current value back to the duty cycle.

4.1.1 Table Creation

To create the lookup table, the following procedure is adopted:

1. Set the minimum duty cycle valueTMIN to the minimum allowable value in IEC61851.

Determine the maximum duty cycle valueTMAX based on the power rating of the charg-

ing station.

2. Divide [TMIN , TMAX ] into partitions of equal length:T1, T2, . . . , Ti, . . . , TN . The num-

ber of bits for eachTi is thenn = ⌊log2N⌋ − 1.

3. For eachn-bit string rj, randomly pick 2 elementsi1, i2 ∈ [1, N ] and compute the

minimum current valuesIMINi1

, IMINi2

of those 2 partitions,Ti1 , Ti2, based on IEC61851.

4. Create the first table TableCS as follows: for eachrj, create two rows, filling the first

with rj and the mid-value ofTi1 and the second withrj and the mid-value ofTi2 . That

is, eachrj is mapped to two duty cycle values.

5. Create the second table TableEV as follows: for eachrj , create two rows, filling the

first with rj andIMINi1

, and the second withrj andIMINi2

; sort the table in ascending

order ofIMINi .

These two tables (TableCS and TableEV) are pre-stored in both the charging station

and IED. Note thatrj corresponds to the physical challenge bit sequence and eachbit string

rj is mapped to two different duty cycle values. The purpose is to eliminate the need of

synchronization between the charging station and IED. Whentwo consecutive symbols both

take on the same bit stringrj, it would be difficult for the IED to decide whether there is one

or two symbols ifrj always maps to the same symbol. This implies that time synchronization

may be necessary to tell when to sample the duty cycle values.Yet, this paper intentionally

15

maps eachrj to two different duty cycle values, so that, when two consecutive symbols take on

the samerj, two distinct duty cycle values would always be transmittedfor the two symbols

although the two duty cycle values map back to the samerj . In summary, with this encoding,

adjacent symbols used to send the physical challenge alwaysdiffer. Two symbols will never

be mistaken as one symbol.

There could be multiple mappings with differentn or, equivalently, partition size to support

different levels of granularity. When the channel seems notvery reliable, a mapping for a

smallern could be used to ensure reliable delivery of the physical challenge.

4.1.2 Table Lookup

TableCS is used in the charging station to look up from a random bit string to a duty cycle

value. Upon receiving the binary string of the physical challengeCphysical, the charging station

divides the string inton-bit sub-strings. For each sub-string, the charging station looks up from

TableCS the corresponding duty cycle value. This forms a sequenceof duty cycle values. The

charging station varies the duty cycle of the PWM signal on the control pilot pin according to

this sequence.

TableEV is used in the IED onboard of the EV to look up from the maximum negotiated

current values to a binary string in order to recover the physical challenge and its parity check

bits. For each negotiated current valueICAN read from the CAN bus of the EV, the IED

looks up from TableEV the maximumIMINi which is still smaller thanICAN and append the

bit string rj to the previously decoded values to form the physical challenge (and its parity

bits). Then the IED checks the physical challenge using the parity bits to detect any error in

transmission.

16

4.2 CAN Interface Security

A tailored security mechanism is designed to ensure the binding of the IED and the EV such

that the secret key inside the IED can be seen as a proof of identity for the EV.

Through the tamper-resistant storage of the IED and the TLS protocol used to establish

the secure session, the server and the charging station could be assured that it is the specified

IED which runs the protocol. The knowledge of the physical challenge would further infer

to a reasonably high level of confidence that this specified IED is somehow connected to the

charging station via the charging cable. If the attacker could remove the IED from a valid car

and plug it into the stolen car, this would pass the verification. A mechanism is thus designed

to ensure that each IED can be plugged in once only. Subsequent removals and plug-in’s

would disable the CAN bus interface of the IED. This assures that only the IED installed by

the authority could function properly.

The purpose of this mechanism is to ensure that an IED could only be plugged in to an

EV by an authorized party, after which unplugging and re-plugging the IED to the OBD-II

socket will render the IED’s CAN bus interface disabled. Thebasic idea of this protection

mechanism is that different states are defined for the IED to operate at. Details of the state

definitions can be found in Figure 5. The states are defined based on the number of reboots,

and whether the CAN bus interface has been unplugged and re-plugged. It is assumed that

a trusted computing base (TCB) is available, which is provided by the secure element of the

NXP-ATOP in this paper. The current state of the IED is signedby the TCB with a digital

signature appended. In other words, the TCB is purely used togenerate a digital signature for

the current state of the IED. The need of the TCB could bewaivedif the IED has no backup

battery and draws its power only from the ODB-II socket. In other words, the requirement of

having a TCB in the IED is not mandatory in the design.

17

State 0

State 1

State 2A State 2B

State 3

HALT

reboot

1st

bootup

V+ removal

V+ removal

CAN removal

CAN removal

reboot

rebootreboot

reboot

Figure 5: State Diagram for Secure CAN Bus Interface in the IED

4.2.1 IED Bootup Sequence

When the IED is rebooted, whether the CAN bus interface is enabled depends on the signed

state denoted ascurrentstate. The IED bootup sequence is as follows:

1. Verify the signature ofcurrent state.

2. If (current state =State0 ) and the signature verification is OK, do:

(a) Enable the CAN bus interface.

(b) Generate a digital signature forState1.

(c) Updatecurrent state toState1.

3. Else, do:

(a) Disable the CAN bus interface.

The bootup sequence is designed in such a way that, after the first enabling of the CAN

bus interface by the authorized party, the IED will transit into a state (State 1) which disallows

18

GND CAN_H

CAN_L V+

Figure 6: OBD-II socket of the EV and Signal Level of CAN Bus

Figure 7: Glue Logic for the State Transition Signals

enabling of the CAN bus interface upon subsequent reboots. Enabling the CAN bus interface

is allowed only in State 0. In other words, after the authorized party first boots up the IED and

installs it in the EV, the attacker should not have the digital signature for a state which allows

enabling of the CAN bus interface. As can be seen, all states except State 0 will not allow

the enabling of the CAN bus interface upon reboot. This thus can prevent the attacker from

unplugging the IED and using it on the stolen EV. Remote code attestation protocol could also

be used to verify the integrity of the software if necessary.

4.2.2 State Transition Signals and Glue Logic

Shown in Fig 6 is the OBD-II socket of the EV, through which theIED is connected to the

CAN bus of the EV. The signals V+, CANH, CAN L are used, through some glue logic, to

trigger state transition in the IED.4

4It should be noted that, in the simplest case, using these state transition signals may not be compulsory. They

are included in the design for finer granularity of control and later expansion.

19

Depicted in Figure 7 is the glue logic for the state transition signals. The output signals

V+ REMOVAL and CAN REMOVAL are fed as input to two edge-sensitive GPIO (General

Purpose Input Output) of the NXP-ATOP. A downward transition of any of these two signals

triggers an ISR (Interrupt Service Routine) to update the current state of the IED. When V+

is removed, there will be a downward transition of the signallevel at V+. This downward

moving edge of V+ can be used to trigger the transition from State 1 to State 2A. In normal

situations, CANL and CAN H would move in opposite direction. However, when the plug

is removed, both CANL and CAN H will go downward in voltage level simultaneously. A

downward transition at both CANL and CAN H could be used to trigger the state transition

from State 1 to State 2B. The two ISRs are as follows.

Subroutine V plus removal

1. Verify the signature ofcurrent state.

2. If (current state =State1) and the signature verification is OK, do:

(a) Generate a digital signature forState2A.

(b) Updatecurrent state toState2A.

3. If (current state =State2B) and the signature verification is OK, do:

(a) Generate a digital signature forState3.

(b) Updatecurrent state toState3.

End V plus removal

Subroutine CAN removal

1. Verify the signature ofcurrent state.

2. If (current state =State1) and the signature verification is OK, do:

20

(a) Generate a digital signature forState2B.

(b) Updatecurrent state toState2B.

3. If (current state =State2A) and the signature verification is OK, do:

(a) Generate a digital signature forState3.

(b) Updatecurrent state toState3.

End CAN removal

5 Security Analysis

5.1 Security of Cyber-Physical Device Authentication Protocol

The cyber-physical device authentication protocol could withhold most attacks, except sophis-

ticated tampering of the charging cable, which involves relatively deeper technical know-how

difficult for most adversaries. Simple tapping or tamperingof the charging cable would give

a wrong impedance value and should fail the verification of IEC61851. Even for those more

sophisticated attacks, the protocol still can assure that the malicious load is acontrollableone

which is responsive to the load curtailing requests made through the control pilot pin signaling.

That is, a car may be plugged in with the wrong identity using asophisticated tampering at-

tack, but passing the authentication protocol in this case means that this illegitimate car would

still follow the grid’s instructions when demanded.

The security analysis of the cyber-physical device authentication protocol is similar to

that of a typical challenge-response authentication protocol, a formal proof of which might

not be available. In order to compute a correct response thatcan pass the verification by the

server, the IED needs to have the knowledge of the secret keyK and all the inputs (Ccyber and

Cphysical) to thePRF . This is based on the unpredictability assumption of the PRFwhich in

turn is a result of the well-known indistinguishability assumption of PRFs. While an attacker

21

might use a second car with a validK, he has to plug in that car, rather than the malicious

load, in order to obtainCphysical as well.

The key of the security against the substitution attack [7] hinges on the access toCphysical.

There should be no other way than tapping onto the control pilot pin of the charging cable to

obtainCphysical as the encryption used between the charging station and the server is assumed

to be secure. Simple tampering of the charging cable fails the IEC 61851 protocol verification.

In order to launch the relay attack posed by [28] successfully, the protocol proposed in this

paper makes physical access to the second EV a necessity. While the first EV, which is the

malicious one in our consideration so far, can obtainCphysical, it has to passCphysical to the

second EV through a certain channel. Unless the attacker could modify the IED firmware of

the second EV —- which is difficult in general due to the tamperresistance discussed — the

IED firmware of the second EV has to acceptCphysical through the CAN bus. Feeding another

input to the IED’s CAN interface is highly unlikely due to theCAN security implemented.

The only possible means to feedCphysical to the IED of the second EV is through its charging

cable again. In other words, the attacker has to launch the relay attack over the charging cable,

and IEC61851 has safe-guarded simple tampering techniques.

For the more sophisticated cable tampering attacks, we should distinguish between two

cases: that the second EV is cooperative in the attack, and that the second EV is innocent and

unaware of its involvement in the attack. In both case, physical access to the second EV is

inevitable, which already imposes an additional layer of difficulty to the attacker in the latter

case, making a massive attack unlikely. For the former case with a cooperative EV, a complete

defeat of the attack might be impossible. Even the distance bounding protocol [4, 28] might

not work well. Imagine the relay attack to access a car as in [28]: if the car owner holding

the key cooperates with the attacker, how can defence to suchan attack be possible? This

is the same for the case of substitution attack, if the attacker builds sophisticated tampering

devices to relay the charging cable signals. Nevertheless,the cyber-physical authentication

22

protocol still gives a better protection guarantee for the power grid reliability in this case.

First, even the malicious car would be responsive to load curtailing commands as it is verified

to be compliant to IEC61851 in the cyber-physical authentication protocol. Second, the task

of relaying is made more difficult to average attackers.

It should be noted that the distance bounding protocol over the charging cable might not

be able to withhold the substitution attack with a cooperative second EV. First, the delay

difference between the two cars could be too small to obtain aclear resolution with high

confidence. Second, the delay could be tampered as physical access to the two cars is assured.

Besides, the equipment required makes it impractical.

5.2 Analysis of CAN Interface Security

The only state which allows the IED to boot up with the CAN bus interface enabled is State

0. Once an IED is deployed, it would never have a signed state for State 0. The signature for

State 0 would be immediately erased after the first installation by the authorized dealer. In

State 1, the IED could operate normally with the CAN bus interface enabled. However, once

rebooted, the CAN bus interface will be disabled at the next bootup. Since the attacker has no

knowledge of a valid signature for State 0, this check cannotbe bypassed in the next bootup.

It is possible that the attacker could obtain a new IED from the manufacturer but this new

IED does not have the necessary credentials (including the secret key and certificates) pre-

stored. In other words, the attacker could only get an IED with CAN bus interface enabled

but without the needed credentials or an IED with proper credentials but with the CAN bus

interface disabled.

23

6 Experiment Results

A number of experiments, including demand response on a realEV, the substitution attack,

how the cyber-physical authentication protocol withholdsthe substitution attack and detects

a malicious load, and an execution of the cyber-physical authentication protocol on an EV

emulator. We have built our own charging station as shown in Figure 8 and implemented a

basic demand response application. When carrying out the substitution attack, the malicious

loads including a water kettle and hairdryer are plugged in,instead of the EV. The normal

challenge-response protocol is passed without detecting any anomaly and the charging station

supplies power to the kettle and dryer. When a load curtailing command is issued, these loads

are irresponsive. We then tested the cyber-physical authentication on the same attack setting

and the system is now able to detect the malicious loads and deny the access at the start. On

average the time needed to complete the cyber-physical authentication protocol ranges from

40s to 100s. Since the authentication could be done automatically after plugging in without

demanding active human attention, the latency of the protocol could be reasonably practical.

The following discussion will focus on the execution of the protocol on the EV emulator.

The EV emulator is built on an 8051 microcontroller from SiLab. The experiment setup is

shown in Figure 8, which also depicts how the physical challenge is embedded in the PWM

signal of the control pilot pin.

7 Related Work

Man-in-the-middle (MitM) attacks are not an entirely new problem in security engineering.

Anderson has a fairly comprehensive discussion in his book [1]. This paper takes the specific

context of the smart grid into consideration to illustrate the potential impact of such an attack.

The discussion of MitM attacks could be found in various contexts including web browsers

[2,15] and physical access control [4].

24

Change in

duty cycle

Figure 8: Experiment Setup

Multi-factor entity authentication has also been addressed in different applications [2,3,6,

14, 15, 23–25, 30]. Besides the existing forms of typical authentication factors, namely, what

the prover has, what the prover knows, and what the prover is,we introduce a new factor

of authentication based on where the prover is or where the prover is physically connected

in the smart grid. This shares some similarity with [15] yet different. The main difference

lies in that human involvement is avoided in the current context, which is desirable. While

the distance bounding protocol [4, 28] could partly solve the problem of substitution attacks,

it poses stringent requirements on the physical channel forrunning it. Besides, there is still

chance that physical proximity may not guarantee physical connectivity. On the contrary,

the proposed method in this paper assures that the EV passingthe authentication is the one

plugged in. Of course, it is possible that the attacker tailors a special charging cable to bypass

the protocol. But it requires deep technical expertise. Similarly, using RFID tags on electric

vehicles may not provide the desired strength of binding between the RFID tag and the electric

vehicle.

It is fair to say most research in smart grid security focuseson cyber mechanisms. For

instance, [26] develops a secure Intelligent Electronics Device (IED) which is safe to connect

to the Internet. Entity authentication and key management in the smart grid is also actively

25

studied [5, 9–11, 16, 22, 30]. However, nearly all of the existing works only consider purely

cybersecurity issues and it is unsure whether such approaches could defend coordinated cyber-

physical attacks in the real deployment scenario. It is truethat combined cyber-physical con-

siderations have to take specific details of the contexts or application scenarios, say, what

equipment is being secure and where it is connected to the power grid, into account, which

might limit the range of applications of the resulting schemes. However, considering specific

contexts would also mean optimized performance in the targeted application. There is tradeoff

between generality and optimization. More importantly, a generic design might not be able

to withhold even the simplest form of coordinated cyber-physical attacks. It is important that

coordinated cyber-physical attacks be considered early onin smart grid security designs.

8 Conclusion

In this paper, we illustrate the potential risks of a specifictype of coordinated cyber-physical

man-in-the-middle attack, called the substitution attack, to the smart grid. We also propose a

cyber-physical device authentication protocol to withhold the substitution attack, and a CAN

security mechanism to provide a strong binding between the IED and the electric vehicle. A

proof-of-concept prototype is implemented to demonstratethe strength of combined cyber-

physical approach to defend the man-in-the-middle attack in the smart grid. This idea could

be extended to other equipments in the smart grid. By taking specific details of the context

of the EV ecosystem into consideration, the prototype achieves an advantage that no intrusive

modifications to electric vehicles is necessary. The advantages of our design over NFC (Near

Field Communication)/RFID and IEC15118 are shown in the following table.

26

Table 1: Comparison of Different Approaches

Physical Minimum Demand

Connectivity Modification Response

Assurance On EV Compliance

NFC/RFID NO YES NO

IEC15118 YES NO NO

Our Approach YES YES YES

Acknowledgment

The authors would like to thank Energy Market Authority (EMA) of Singapore for providing

funding support.

References

[1] R. J. Anderson,Security Engineering: A Guide to Building Dependale Distributed System,

2nd ed. Wiley, 2008.

[2] A. Ben-David, O. Berkman, Y. Matias, S. Patel, C. Paya, and M. Yung, “Contextual

OTP: Mitigating Emerging Man-in-the-Middle Attacks with Wireless Hardware Tokens,”

in F. Bao, P. Samarati and J. Zhou (Eds.): ACNS’12, Springer LNCS, vol. 7341, p. 30-47,

2012.

[3] J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung, “Fourth-Factor Authentica-

tion: Somebody You Know,” inACM CCS’06, p.168-178, 2006.

[4] S. Brands, and D. Chaum, “Distance-Bounding Protocol,”in Eurocrypt’93, 1993.

27

[5] T. Baumeister, “Adapting PKI for the Smart Grid,” inIEEE SmartGridComm’11, p.249-

254, 2011.

[6] X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, “Secure Remote Authentication

using Biometric Data,” inR. Cramer (Ed.): Eurocrypt’05, LNCS, vol. 3494, p.147-163,

2005.

[7] A. C-F. Chan, and J. Zhou, “On Smart Grid Cybersecurity Standardization: Issues of

Designing with NISTIR 7628,”IEEE Communications Magazine51(1), p.58-65, January,

2013.

[8] M. M. Fouda, Z. M. Fadlullah, N. Kato, R. Lu, and X. Shen, “ALightweight Message

Authentication Scheme for Smart Grid Communications,”IEEE Trans. on Smart Grid,

vol. 2, no. 4, p.675-685, December, 2011.

[9] H. Khurana, R. Bobba, T. Yardley, P. Agarwal, and E. Heine, “Design Principles for Power

Grid Cyber-Infrastructure Authentication Protocols,” inHICSS’10, January, 2010.

[10] N. Kuntze, C. Rudolph, I. Bente, J. Vieweg, and J. von Helden, “Interoperable Device

Identification in Smart-Grid Environments,” inIEEE PES General Meeting, p.1-7, July,

2011.

[11] S. Lakshminarayanan, “Authentication and Authorization for Smart Grid Application

Interfaces,” inIEEE/PES PSCE’11, March, 2011.

[12] IETF, RFC 2104 — HMAC: Keyed-hashing for Message Authentication.

[13] IETF, RFC 5246 — The Transport Layer Security (TLS) Protocol, version 1.2.

[14] M. S. Mannan, and P. C. van Oorschot, “Using a Personal Device to Strengthen Password

Authentication from an Untrusted Computer,” inS. Dietrich, R. Dhamija (Eds.): FC’07,

Springer LNCS vol. 4886, p.88-103, 2007.

28

[15] J. M. McCune, A. Perrig, and M. K. Reiter, “Seeing-is-believing: Using Camera Phones

for Human-verifiable Authentication,” inIEEE Symposium on Security and Privacy,

p.110-124, 2005.

[16] H. Nicanfar, P. Jokar, K. Beznosov, and V. C. M. Leung, “Efficient Authentication and

Key Management Mechanisms for Smart Grid Communications,”to appear inIEEE Sys-

tem Journal, 2013.

[17] NIST, NISTIR 7628: Guidelines for Smart Grid Cyber Security, vol.1-3, August, 2010.

[18] NIST, NIST SP1108: Framework and Roadmap for Smart Grid Interoperability Stan-

dards, Release 1.0 (January, 2010), Release 2.0 (February, 2012).

[19] NERC,Critical Infrastructure Protection (CIP-001 to CIP-009).

[20] NXP, ATOP datasheet, accessed athttp://www.nxp.com/documents/

leaflet/939775016910.pdf.

[21] SGIP-CSWG,Standard Review Report on “Security Assessment of SAE J2847-1: Com-

munication between Plug-in Vehicles and the Utility Grid,”November, 2010.

[22] A. J. Paverd, and A. P. Martin, “Hardware Security for Device Authentication in the

Smart Grid,” inJ. Cuellar (Ed.): SmartGridSec’12, Springer LNCS vol. 7823, p. 72-84,

2013.

[23] D. Pointcheval, and S. Zimmer, “Multi-factor Authenticated Key Exchange,” in

S. M. Bellovin, R. Gennaro, A. D. Keromytis, and M. Yung (Eds.): ACNS’08, Springer

LNCS, vol. 5037, p.277-295, 2008.

[24] B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell, “Stronger Password Authen-

tication using Browser Extensions” inUSENIX Security’05, p.17-32, 2005.

29

[25] B. Schneier, “Two-factor Authentication: Too Little,Too Late,” Communications of the

ACM 4(4), 2005.

[26] J. Zhang, C. Grier, S. T. King, and C. A. Gunter, “Secure Intelligent Electronic Devices,”

accessed athttp://tcipg.org.

[27] ISO/IEC, ISO/IEC 15118-2: Vehicle-to-Grid Communication Interface — Part 2: Net-

work and Application Protocol Requirements (Draft International Standard), 2012.

[28] A. Francillon, B. Danev, S. Capjun, “Relay Attacks on Passive Keyless Entry and Start

Systems in Modern Cars,” inNDSS’11, February, 2011.

[29] Z. Sumic,Gartner Research Report: Hype Cycle for Smart Grid Technologies, 2012,

July, 2012.

[30] F. Zhao, Y. Hanatani, Y. Komano, B. Smyth, S. Ito, and T. Kambayashi, “Secure Authen-

ticated Key Exchange with Revocation for Smart Grid,” inIEEE ISGT’12, 2012.

30