
[IEEE 2011 IEEE Second International Conference on Smart Grid Communications (SmartGridComm) - Brussels, Belgium (2011.10.17-2011.10.20)] 2011 IEEE International Conference on Smart



Adapting PKI for the Smart Grid

Todd Baumeister
Information and Computer Science Department
University of Hawaii at Manoa
Honolulu, Hawaii 96822
Email: [email protected]

Abstract—The Smart Grid is an update to the current power grid infrastructure, which is becoming outdated. Incorporating information systems into the traditional power grid allows the system to make smart decisions about the state of the power grid and dynamically alter the flow of electricity to meet changing needs and conditions. However, this new infrastructure presents cyber security risks that must be mitigated in such an essential system. Many information systems use a Public Key Infrastructure (PKI) to solve this problem, but the unique requirements of the electrical power grid don’t fit well into an existing PKI solution. This paper will review those requirements and evaluate current PKI trust models, recommending adaptations toward a Smart Grid PKI that will meet the Smart Grid cyber security needs.

I. INTRODUCTION

The Smart Grid is an initiative to modernize the current electrical power grid and expand its functionality. Information systems will be incorporated into the power grid to allow it to make smart decisions. The updated technology and new information systems can increase the efficiency and reliability of the power grid, but it will also introduce new cyber security challenges. The Smart Grid will contain millions of devices that are networked together, and the integrity of these individual devices will be important to the overall stability of the infrastructure.

This means that the Smart Grid will need an effective and efficient method to manage the digital identities of power grid devices, services, and users. One such management system is Public Key Infrastructure (PKI). A PKI is a collection of hardware, software, policies, and procedures used to manage digital certificates. A digital certificate is used to bind an identity to a public key. The public key can then be used in cryptographic algorithms to enable security functions. Adams and Lloyd [1] provide an overview of PKI concepts and standards.

The problem with using current PKIs is that they were not designed to meet the constraints of the Smart Grid. The power grid is a large infrastructure made up of several electrical generation, transmission, and distribution systems working together. The Smart Grid will automate the interactions between the various power grid systems. The nature of the power grid systems that the Smart Grid interconnects creates additional PKI requirements that are not present in traditional information systems. PKIs will need to be adapted to meet these additional requirements.

The power grid is a critical infrastructure that is an important part of our society, and its continuous operation has become a necessity to everyday life. The Smart Grid will contain many devices and services that are critical to its operation. Assume there is a device in the Smart Grid that is responsible for controlling some physical aspect of the power grid. This device uses data from surrounding sensors and the Smart Grid information system to estimate the current state of the power grid and react to changes in its state. The integrity of the data used by the device is important, so a PKI system is used to manage the digital identities of the various entities. What happens if the PKI loses communication to a critical Authentication, Authorization, and Accounting (AAA) server, or if one of the sensor’s certificates has expired? In traditional PKI systems, these events would result in a failed security check, and the data would be dropped. However, the Smart Grid requires this data to make informed decisions about the power grid. It is unreasonable to expect the Smart Grid to go down or revert to its less efficient predecessor every time a certificate is unavailable. The Smart Grid PKI must consider additional requirements such as availability when evaluating security policies.

The example given above illustrates a few of the additional requirements imposed on the Smart Grid PKI. There are more requirements that require further investigation. These requirements will be critical to properly implementing a PKI solution in the Smart Grid. In this paper we provide the following contributions:

• We analyze the additional requirements of using a PKI in a critical information and physical hybrid system.

• We evaluate and provide evidence to support the use of different PKI trust models in the Smart Grid.

II. BACKGROUND

The Smart Grid will integrate vast information systems into the power grid. This will increase the level of functionality and automation that the power grid can provide. The unique property of the Smart Grid is that it will directly connect the information systems and physical systems of the electrical power grid on a massive scale, so that automation of the power grid can be supported. However, the Smart Grid will also introduce cyber security risks into the power infrastructure.

Managing digital identities of users and devices with a PKI is one method for mitigating some of the cyber security risks in the Smart Grid. We will focus on the task of adapting PKIs currently used in information systems to meet the specific requirements of the Smart Grid.

Cyber and Physical Security and Privacy (IEEE SmartGridComm)

978-1-4577-1702-4/11/$26.00 ©2011 IEEE 249


There are a few reasons for using a PKI to manage digital identities in the Smart Grid. First, the Smart Grid will be a large infrastructure, and it would be impractical to configure each trust relationship using shared keys. If each household in the U.S. only has a single Smart Meter installed, the Smart Grid will need to maintain the digital identity of more than one hundred million Smart Meters [2]. If shared keys are used, each device will also need to maintain a key for each secure link. A PKI only requires that each device has a single certificate. The second reason for using a PKI is that there are several well-established PKIs. Various PKI trust models have been used for several years in information systems, and many of their strengths and weaknesses have already been identified. Several PKIs have also been standardized [3], [4], [5].

The problem is that current PKIs do not meet all of the requirements of the Smart Grid. Current PKIs are designed for information systems, but the Smart Grid will be a hybrid information and physical system. In addition, the general structure and operations of the Smart Grid impose requirements that no current PKIs address, so a PKI will need to be adapted to the needs of this new system.

One of the characteristics of the Smart Grid is the ability to dynamically alter electrical current flows throughout the power grid. This will allow the power grid to redirect electricity in the event of equipment or transmission line failure and prevent electrical outages. The Smart Grid will need to collect sensor data from the surrounding area so it can continuously monitor the state of the power grid. These sensors will then need to feed their data into a SCADA system. The SCADA will process the data and make changes to the physical system as needed. In this example, it is assumed that the integrity of the sensor information is important for secure operation of the system, so all sensor data is digitally signed. What happens if the digital certificate of a sensor expires? Does the SCADA reject the data from the sensor? In an information system, the impact of expired certificates is insignificant and they can be renewed when discovered. However, in the Smart Grid, this could cause electric flows to be incorrectly altered. This could result in damage to equipment or even injury to persons. The PKI will need to consider the additional requirements imposed by the physical components of the Smart Grid.

III. PROPOSED SOLUTION

We believe that current PKIs can be adapted to meet the requirements of the Smart Grid. In order to adapt current PKIs, we performed two tasks. First, we analyzed the additional PKI requirements of the Smart Grid. Second, we evaluated current PKI trust models against the additional requirements of the Smart Grid, and provide arguments to support the use of selected trust models.

Many of the requirements of the Smart Grid PKI will remain the same as current PKIs used in information systems. Analyzing the additional requirements that the Smart Grid will impose on a PKI allows us to identify what changes need to be made. In the example given in section II, the Smart Grid is controlling the flow of electrical currents throughout the power grid in near real time. This example illustrates a safety requirement that will be placed on a Smart Grid PKI. In addition to identifying necessary changes, the Smart Grid PKI requirements will be used to evaluate the use of different PKI trust models in the Smart Grid.

Several PKI trust models could be used in the Smart Grid. Each model has its own strengths and weaknesses. We will evaluate a few of the most prominent trust models for use as a high-level PKI in the Smart Grid. Many organizations will make up the structure of the Smart Grid, and this high-level Smart Grid PKI will provide a means for interconnecting the organizations. This high-level Smart Grid PKI will delegate the task of managing equipment and users to the individual organizations responsible for those assets.

A. Smart Grid PKI Requirements

In order for current PKIs to be successfully adapted to work in the Smart Grid, the following PKI requirements will need to be addressed. We have identified thirteen Smart Grid PKI requirements. These requirements are derived from the physical and operational characteristics of the Smart Grid.

Safety. The primary purpose of the Smart Grid is the generation, transmission, and distribution of electricity. Electricity is an essential part of our lives, but it can be dangerous if not properly controlled. The Smart Grid will automate the control of electric power flows through the power grid. If the control system malfunctions because of a security protocol, it could result in damage to equipment, personal injury, or even death. Safety is of the highest importance, and any security measures put in place cannot interfere with this requirement. Current PKIs were not designed with safety as a primary concern. There is often very little or no risk to declining a security request in traditional information systems. Conversely, the Smart Grid PKI must consider the risk associated with a security protocol failing. This can include protocols such as password lockouts, certificate expiration, or time-stamp mismatch. The Smart Grid PKI should still notify operators of these failures, but it may not be appropriate to fail the protocol, especially for critical power grid equipment.

High Availability. The power grid is a critical infrastructure, and society has come to rely on its availability. The Smart Grid PKI should be designed to match the high availability of electrical power equipment. Independent failure modes is one of the concepts mentioned by Gray and Siewiorek [6] for building a high availability system. To this end, the PKI should avoid having a single point of failure. Single points of failure not only create targets for malicious attacks, but they are also susceptible to natural disasters. The various components of the PKI must also be able to operate independently for extended lengths of time when regular communications are disrupted. This will also help manage the various operational dependencies in the PKI. An example would be authenticating a certificate. Certificate authentication information could be stored locally and be used when communication to the centralized authentication server is disrupted. This local certificate authentication information would need to be properly managed to avoid security vulnerabilities, and it would need to be assigned an expiration time. This local cache of authentication information will allow the PKI to operate disconnected from the authentication server for an extended period of time.

Real-Time Operation. Several devices in the Smart Grid require real-time operation. This means that the Smart Grid PKI will need to support the hard time limits imposed by the real-time systems. Son, Mukkamala, and David [7] argue that security and timeliness have conflicting goals in real-time systems. They suggest that there are times when minor security violations are allowable so that the system can maintain timeliness. Security protocol behaviors should be defined in the event that the system does not meet a real-time requirement. This will typically include requirements related to safety. The Smart Grid PKI may also need to be designed with local information stores and use caching to improve throughput so real-time limits can be met. This is a critical requirement and will have a large impact on the PKI architecture. Therefore, more research is required to determine the most effective way to accomplish this goal in the Smart Grid.
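The Safety, High Availability and Real-Time Operation requirements above, and the SCADA sensor scenario in Section II, all come down to one question: what a device does when a certificate check cannot be completed cleanly. The following Python is an added example, not code from the paper, that sketches such a decision. A bad signature or a known revocation is always a hard failure; an expired certificate or an unreachable status server is downgraded for critical equipment, inside a bounded grace window and with an operator alert, and a local cache of status answers with its own expiry covers short disconnections. The `Verdict`, `Certificate`, `StatusCache` and `evaluate` names, the `lookup` callback standing in for the AAA or status server, and all timing values are assumptions made for the example; signature verification itself is assumed to be done elsewhere and is passed in as a boolean.

```python
"""Certificate-check decision logic for a grid device (added example).

Hard failures (bad signature, known revocation) are always rejections. Soft
failures (expired certificate, unreachable status server) are decided by the
device's criticality, a local status cache with its own expiry, and an operator
alert whenever a check is downgraded instead of failed. All values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    ACCEPT_WITH_ALERT = "accept and notify operators"
    REJECT = "reject"


@dataclass
class Certificate:
    subject: str
    not_after: float        # expiry, seconds since the epoch
    signature_valid: bool   # result of the cryptographic check done elsewhere


@dataclass
class StatusCache:
    """Local store of revocation answers; an entry older than `ttl` seconds is
    ignored so a stale answer cannot be relied on indefinitely."""
    ttl: float
    entries: Dict[str, Tuple[bool, float]] = field(default_factory=dict)

    def get(self, subject: str, now: float) -> Optional[bool]:
        entry = self.entries.get(subject)
        if entry is None or now - entry[1] > self.ttl:
            return None
        return entry[0]

    def put(self, subject: str, revoked: bool, now: float) -> None:
        self.entries[subject] = (revoked, now)


def evaluate(cert: Certificate, now: float, lookup: Callable[[str], bool],
             cache: StatusCache, critical: bool,
             expiry_grace: float) -> Tuple[Verdict, List[str]]:
    """Decide whether data signed under `cert` may be used.

    `lookup(subject)` asks the central status server whether the certificate is
    revoked and raises ConnectionError when the server cannot be reached.
    `critical` marks equipment whose data must not be dropped silently;
    `expiry_grace` is how long (seconds) such equipment may run on an expired
    certificate. Returns the verdict and the alerts to send to operators."""
    alerts: List[str] = []
    if not cert.signature_valid:                      # hard failure
        return Verdict.REJECT, [f"{cert.subject}: signature invalid"]

    try:                                              # live status first, then the cache
        revoked = lookup(cert.subject)
        cache.put(cert.subject, revoked, now)
    except ConnectionError:
        revoked = cache.get(cert.subject, now)
        if revoked is None:
            if not critical:
                return Verdict.REJECT, [f"{cert.subject}: status server unreachable, no cached status"]
            alerts.append(f"{cert.subject}: status server unreachable, no cached status, proceeding")
            revoked = False
        else:
            alerts.append(f"{cert.subject}: status server unreachable, using cached status")
    if revoked:                                       # hard failure
        return Verdict.REJECT, [f"{cert.subject}: certificate revoked"]

    if now > cert.not_after:                          # soft failure inside the grace window
        overdue = now - cert.not_after
        if not critical or overdue > expiry_grace:
            return Verdict.REJECT, [f"{cert.subject}: certificate expired {overdue:.0f}s ago"]
        alerts.append(f"{cert.subject}: certificate expired {overdue:.0f}s ago, renew it")

    return (Verdict.ACCEPT_WITH_ALERT if alerts else Verdict.ACCEPT), alerts


def demo() -> Dict[str, Verdict]:
    """Constructed scenario: the status server answers once, then goes offline."""
    t0 = 1_700_000_000.0
    calls = {"n": 0}

    def flaky_lookup(subject: str) -> bool:
        calls["n"] += 1
        if calls["n"] > 1:
            raise ConnectionError("status server unreachable")
        return False

    cache = StatusCache(ttl=3600)
    relay = Certificate("relay-07", not_after=t0 + 86400, signature_valid=True)
    week = 7 * 86400
    return {
        "online": evaluate(relay, t0, flaky_lookup, cache, True, week)[0],
        "offline_cached": evaluate(relay, t0 + 600, flaky_lookup, cache, True, week)[0],
        "offline_stale": evaluate(relay, t0 + 7200, flaky_lookup, cache, False, week)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

The cache TTL and the expiry grace are the two knobs the High Availability text asks for: both bound how long a device may run on stale information, and every downgrade is recorded in the returned alerts, so operators are told about the failure even though the data was not dropped.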

Legacy Support. The Smart Grid PKI will need to support legacy equipment. The Smart Grid will not be created overnight, and it will take time to change out the equipment used. During this time of transition, legacy systems will be in use. The Smart Grid PKI will need to support these devices and account for any security vulnerabilities that they will introduce.

Scalable. The power grid is a large infrastructure. The Smart Grid PKI will need to maintain the identities of hundreds of millions of devices and users. The Smart Grid PKI will require tool support for various operations that can be automated. The PKI will also need to operate efficiently. This means that structural planning and testing of PKI layout will need to be done.

Upgradeable. The equipment used in the electrical power grid has a long life expectancy. However, the cryptographic algorithms used for security have much shorter life expectancies as computational power increases. This means that the Smart Grid PKI must be able to update the technologies used in the PKI with minimal impact on the system. The long life expectancies of the power grid equipment will make updating the Smart Grid PKI a challenge.

Policy Enforcement. The Smart Grid will be made up of hundreds of different organizations, but the operation of the Smart Grid will require the sum of the organizations working as a whole. The security of the organizations as a collective is only as strong as the weakest link. The Smart Grid PKI should provide policy enforcement. This would ensure that all participating parties meet a minimum set of security policies. A standard policy enforcement would also foster interoperability between the different organizations.

Flexible. Each of the Smart Grid organizations will have different requirements. The Smart Grid PKI will need to be flexible enough to meet these requirements, but not so flexible that it introduces security threats into the system. There are many things that could be done to provide flexibility, but one possibility is to allow each organization to implement their own PKI solution. Then the Smart Grid PKI could provide functionality to tie each organization’s PKIs together.

Interoperable. The Smart Grid PKI will need to be interoperable between the diverse organizations that make up the Smart Grid. There will be several different vendors creating PKI solutions for the Smart Grid related organizations. Currently individual organizations are implementing the initial framework of the Smart Grid. These implementations tend to be confined to a single organization. Eventually the Smart Grid will grow to the point where related organizations need to begin communicating. The Smart Grid PKI will need to be able to interconnect with the multiple PKI solutions developed by vendors. Doing complex conversions between different PKI systems can introduce weak points in security, and they should be avoided. A PKI standard should be developed or adapted for the Smart Grid to increase interoperability.

Existing Structure Integration. The Smart Grid PKI must be able to integrate any existing PKI solutions that organizations are using. The Smart Grid PKI either needs to be able to handle existing PKI solutions as they are, or have a process to convert existing PKI solutions to a compatible solution. It may be costly or impractical for an organization to change their current PKI solution, and the Smart Grid PKI will need to accommodate these organizations. Companies are already beginning to provide Smart Meter solutions that include a PKI component [8].

Virtual Borders. The Smart Grid will most likely cross multiple state and country borders. It is inevitable that different states and countries will have different information and privacy laws that may affect the information communications in the Smart Grid. The Smart Grid PKI will need to support virtual borders, which can be used to logically separate states and countries. This requirement will require further research.

Naming Convention. The Smart Grid PKI should support a standard entity naming convention. There will be millions of devices used in the Smart Grid, and if meaningful names are not used it will be difficult to efficiently identify individual devices. One solution to this issue is to use name constraints that follow a hierarchical structure.

External Equipment. The Smart Grid PKI will need to support customers who have their own equipment. If customers purchase their own Smart Meters or power generation devices, the Smart Grid PKI will need to be able to interface with them. There will also need to be a process for validating customer-owned equipment for use in the Smart Grid.

B. PKI Model Evaluation

There are several prominent PKI trust models in use. In this section, we evaluate these trust models for use in the Smart Grid, in particular as high-level PKI systems used to connect the various Smart Grid organizations together. We are not evaluating these PKI trust models for use by individual organizations. Each organization is unique, and will need to perform an individual evaluation to determine their specific PKI needs. Models such as web of trust [9], [10], Simple PKI [11], and quorum based [9] are not evaluated here because of scalability and application domain related issues.

Fig. 1. Certificate Trust List PKI Trust Model

The criteria used to evaluate the PKI trust models will be based off of the following requirements from Section III.A: high availability, real-time operation, scalability, policy enforcement, flexibility, interoperability, existing structure integration, and naming convention. The other requirements are not evaluated because they have little impact or require further research. The evaluation of the different PKI models is based off of PKI survey work done by Linn [12] that evaluated different PKI models for use in the X.509 specification. Also some of the model evaluation is from a PKI survey by Perlman [10].

Certificate Trust Lists

In the certificate trust list model, there are several independent root Certificate Authorities (CAs). Each of these root CAs is well known. Each user, service, or device is supplied with the list of root CA certificates from a publishing authority. The user, service, or device will then use the list of certificates to validate any incoming request. The incoming request will contain a certificate or certificate chain. The trust anchor for those certificates needs to be present in the local list of root CA certificates for the request to be trusted. Adoption by web browsers has made this the most widely used model. The web browser developers supply the list of trusted root CA certificates when the web browser is installed.

This model meets several of the additional Smart Grid PKI requirements. It is a very simple trust model, and it pushes most of the responsibility down to the client level. Since each user, service, or device has a local store of the list of trusted root CAs, this model meets many of the high availability requirements. The limited interactions between components in this model also contribute to high availability. The local store also makes building certificate paths and validating them a trivial task, so this helps meet the timeliness requirement of the real-time operations. Moreover, this model fosters interoperability because it is very simple and already widely accepted by many communities.

Several of the Smart Grid PKI requirements are not met by this model. In general the certificate trust list model is scalable when all of the clients have similar configurations. However, most of the clients in the Smart Grid will not share a common configuration, and maintaining different client configurations creates a lot of overhead. Another scalability issue is related to root CAs being well known. On the Internet, third party organizations are dedicated to providing trust anchors. This may happen in the Smart Grid as it progresses, but it is also possible that each organization will act as their own root CA. If this happens there will be so many root CAs that they will not all be well known and maintaining a trusted list will be impractical. Also, storing the list of trusted root CAs could become an issue on resource-constrained devices. This model has limited policy enforcement, and it places most of the responsibility with the clients. In addition, this model does not integrate existing PKI structures very well, and it can only enforce naming conventions on a per root CA basis. The simplicity of this model limits its flexibility in regard to the certificate paths it can create.

Fig. 2. Hierarchical PKI Trust Model

Hierarchical

In a hierarchical model, there is a single root CA that is responsible for delegating trust to delegate CAs. The root CA will serve as a central point of control in the Smart Grid PKI. The root CA will be the source of trust for the entire Smart Grid. Since the Smart Grid may span multiple country borders, it may be advisable to have the root CA be controlled by a consortium of individuals and organizations from the participating countries.

The structure of this model promotes the timeliness requirement of real-time operations. This trust model provides a clear hierarchy of trust that can be used to enable efficient certificate path discovery and validation in the PKI. This model allows for multiple levels of trust delegation. This trust delegation can be used to separate the Smart Grid into sub-domains and allows for greater scalability. The hierarchical model also promotes a centralized security policy enforcement. Since there is only one root CA, it can enforce security policies and procedures. The hierarchical model promotes interoperability. All of the Smart Grid organizations would be connected to the same PKI hierarchy and be subject to the same security policies. The nature of the model also enables a hierarchical naming convention.

The hierarchical model does not meet the high availability requirement. The single root CA creates a single point of failure. Delegate CAs can be configured to operate for extended periods disconnected from the root CA, but if the root CA were compromised it would compromise the entire system. This model has a very rigid structure and is not very flexible. Even though the model promotes interoperability because all organizations are a part of the same PKI hierarchy, there are still interoperability issues related to agreeing on a trusted root CA. Also this model does not integrate existing PKI structure very easily.

Fig. 3. Mesh PKI Trust Model

Mesh

In the mesh trust model, each organization is responsible for creating and maintaining their own PKI solution. The organizations will cross certify [13] with other organizations that they wish to communicate with. This will produce a mesh network. Each organization operates independently and is responsible for maintaining their cross certifications to other organizations.

This model is very flexible. Each organization is operating independently, and can choose a PKI trust model that meets their needs. This model will also easily integrate existing PKI solutions into the Smart Grid PKI. The different organizations are acting as peers, and this creates a distributed trust source which will make the PKI more resilient to attacks and natural disasters. This distributed nature promotes high availability.

There is no centralized agent to enforce security policies, so the interoperability of security policies between organizations will be an issue. The decentralized nature of the model also places the responsibility of validating trust relationships on the organizations. It may be difficult for an organization to evaluate another organization’s trust level since there are no enforced security policies across the system. The mesh model can create inefficient structures if its growth is not controlled. Complex mesh structures will make path discovery an inefficient task, and will cause scalability issues [14]. In addition to scalability issues the inefficient path discovery hinders the timeliness of real-time operations. This model allows for naming conventions between cross-certified organizations; however, it does not allow for naming conventions across the entire Smart Grid.

Bridged CA

In the bridged CA trust model, each organization is responsible for creating and maintaining their own PKI solution. Instead of directly cross certifying with other organizations like the mesh model, organizations can use a bridge to cross certify. The bridge acts as a centralized agent that maintains cross certification relationships. This model combines centralized management with distributed trust. The bridged model also uses policy mapping to promote interoperability between different organizations.

Fig. 4. Bridged CA PKI Trust Model

The bridged CA model is very flexible. Each organization operates independently and can choose a PKI trust model that meets its needs. This flexibility allows for easy integration of existing PKI structures into the Smart Grid PKI. The bridged model provides a form of centralized control over the cross certifications between organizations. This centralized control can be used to enforce security policies. The centralized control can manage the growth of the cross certifications and create more scalable structures, and it can enforce naming conventions throughout the Smart Grid. The interoperability issues of the mesh model are mitigated with features such as policy mapping. Policy mapping maps one organization’s policies onto the equivalent policies of another organization.

The bridge provides a central point of control, but it also creates a single point of failure. This single point of failure affects high availability. Real-time operations can also be hindered because cross certification between organizations can create inefficient certificate path discovery and validation issues.

In conclusion, the bridged model combines the idea of distributed trust sources and centralized management into one trust model. These properties provide a balance between resiliency to attacks and efficient management of the PKI. In addition, work has been done to promote efficient path discovery in the bridged model [15]. The single point of failure will require further research to mitigate. The level of functionality and flexibility provided by the bridged model makes it a good choice to use as the backbone PKI system in the Smart Grid. Humphrey, Basney, and Jokl [16] make a case for using a bridged CA in a grid computing system. The grid computing system has many requirements in common with the Smart Grid, and several parallels can be drawn between the two systems that support the use of a bridged CA. The U.S. Federal Bridge is also an example of the bridged model that extends across many organizations.
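To make the mesh and bridged trade-offs discussed above concrete, the following is an added example (not from the paper) that models cross-certificates as a directed graph of CAs and runs certificate path discovery over a full mesh, a sparsely grown mesh, and a bridged CA, including the case where the bridge is unavailable. The organization names and graphs are constructed sample values.

```python
# Added example, not from the paper: cross-certification modelled as a directed graph
# of CAs, comparing certificate path discovery in a mesh and in a bridged CA.
from collections import deque

def full_mesh(orgs):
    """Every organization cross-certifies every other organization directly."""
    return {a: {b for b in orgs if b != a} for a in orgs}

def bridged(orgs, bridge="BRIDGE"):
    """Each organization cross-certifies only with the bridge CA, in both directions."""
    graph = {bridge: set(orgs)}
    graph.update({a: {bridge} for a in orgs})
    return graph

def find_path(graph, anchor, target, failed=frozenset()):
    """Breadth-first path discovery from the relying party's trust anchor to the CA that
    issued the end-entity certificate; CAs in `failed` are offline. None if no path."""
    if anchor in failed or target in failed:
        return None
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

ORGS = ["GenCo", "TransCo", "DistCo", "Utility"]  # constructed sample organizations
# Uncontrolled mesh growth: only a few cross-certs exist, so paths become long.
SPARSE_MESH = {"GenCo": {"TransCo"}, "TransCo": {"DistCo"}, "DistCo": {"Utility"}, "Utility": set()}

def compare(orgs=ORGS):
    mesh, bridge = full_mesh(orgs), bridged(orgs)
    return {
        "mesh_cross_certs": sum(map(len, mesh.values())),     # n*(n-1) relationships
        "bridge_cross_certs": sum(map(len, bridge.values())), # 2n relationships
        "mesh_path": find_path(mesh, orgs[0], orgs[-1]),
        "sparse_mesh_path": find_path(SPARSE_MESH, orgs[0], orgs[-1]),
        "bridge_path": find_path(bridge, orgs[0], orgs[-1]),
        # Single point of failure: with the bridge down no inter-organization path exists.
        "bridge_down": find_path(bridge, orgs[0], orgs[-1], failed={"BRIDGE"}),
        # A full mesh still validates when one organization's CA is unavailable.
        "mesh_one_ca_down": find_path(mesh, orgs[0], orgs[-1], failed={orgs[1]}),
    }
```

The counts show why the bridge keeps the number of maintained cross certifications linear in the number of organizations, while the failed-bridge case shows the single point of failure the text describes.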


Page 6: [IEEE 2011 IEEE Second International Conference on Smart Grid Communications (SmartGridComm) - Brussels, Belgium (2011.10.17-2011.10.20)] 2011 IEEE International Conference on Smart

IV. RELATED WORK

Metke and Ekl [17] present two possible solutions to cyber security issues in the Smart Grid: a PKI framework and a trusted computing model. Their PKI solution is broken down into four technical elements: PKI standards designed specifically for the Smart Grid, automated trust anchor security for automatically transferring trust anchors in Smart Grid devices, certificate attributes to cache certificate information in the event of communication failures, and Smart Grid tools to automate management of the Smart Grid PKI. The authors argue that combining a PKI framework with a trusted computing model will solve cyber security issues in the Smart Grid. The work done by Metke and Ekl provides solutions to several of the Smart Grid PKI requirements listed in section III. However, there are several Smart Grid PKI requirements that their work does not address.

Several authors have evaluated current PKI trust models. Perlman [10] gives an overview of different PKI trust models. This work is slightly dated and does not include trust models that were recently developed such as the bridged model [18] and Simple PKI (SPKI). Ellison, Frantz, and Lampson provide an overview of SPKI [11]. More recent work has been done by Connolly, Dijk, Vierboom, and Wilson on evaluating PKI models [19].

There has been related work to evaluate the path discovery efficiency of different PKI models. Zhao and Smith developed a simulation model that can be used to analyze performance of certificate path discovery methods [20]. Li, Ren, Wang, Xie, and Yao [15] modified a bridged CA to increase the performance of certificate path discovery.

Work was done by Humphrey, Basney, and Jokl [16] that builds a case for the use of a bridged CA in a grid computing environment. Parallels can be drawn between grid computing and the Smart Grid in regards to PKI requirements. Similar work was done by Yildiz [21]. Here an evaluation of the Turkish government PKI requirements is performed, and different PKI trust models are evaluated.

NIST did some preliminary work on Smart Grid cyber security [22]. They provide a high level guideline for cyber security. This work provides an outline for future cyber security work.

V. CONCLUSION AND FUTURE WORK

In the future, the Smart Grid will be used throughout the world to manage the distribution of electricity through the power grid. Such an essential infrastructure should be resilient to malicious attacks, natural disasters, and other failures. The requirements described in this paper provide a guideline for implementing PKI systems in the Smart Grid. Currently there are several PKIs available for information systems, but these must be adapted to meet the unique requirements of the Smart Grid.

Through an analysis of current PKI trust models, the bridged CA has shown itself to be the best theoretical solution for the Smart Grid PKI. The bridged CA model meets most of the requirements, such as scalability, policy enforcement, flexibility, interoperability, existing structure integration, and naming conventions. With adaptations, the bridged model will also meet the high availability and real-time operations required in the Smart Grid. Future work is needed on implementing virtual borders and safety in the Smart Grid PKI.

REFERENCES

[1] C. Adams and S. Lloyd, Understanding PKI: Concepts, Standards, and Deployment Considerations. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2002.

[2] “State & County QuickFacts,” 2010. [Online]. Available: http://quickfacts.census.gov/qfd/states/00000.html

[3] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer, “RFC 4880: OpenPGP Message Format,” 2007.

[4] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, “RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” Internet Engineering Task Force (IETF), 2008.

[5] ITU-T, “Recommendation X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks,” Telecommunication Standardization Sector of International Telecommunication Union (ITU-T), 2005.

[6] J. Gray and D. P. Siewiorek, “High-availability computer systems,” Computer, vol. 24, no. 9, pp. 39–48, 1991.

[7] S. H. Son, R. Mukkamala, and R. David, “Integrating security and real-time requirements using covert channel capacity,” IEEE Transactions on Knowledge and Data Engineering, vol. 12, no. 6, pp. 865–879, 2000.

[8] GridNet, “4G Smart Grid Solution Overview,” 2010. [Online]. Available: http://www.grid-net.com/dl/GridNet SmartGrid SecurityWhitePaper.pdf

[9] K. Aberer, A. Datta, and M. Hauswirth, “A decentralised public key infrastructure for customer-to-customer e-commerce,” International Journal of Business Process Integration and Management, vol. 1, no. 1, pp. 26–33, 2005.

[10] R. Perlman, “An overview of PKI trust models,” IEEE Network, vol. 13, no. 6, pp. 38–43, 2002.

[11] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen, “SPKI certificate theory,” 1999.

[12] J. Linn, “Trust models and management in public-key infrastructures,” RSA Laboratories, vol. 12, 2000.

[13] J. Turnbull, “Cross-certification and PKI policy networking,” Entrust, Inc., pp. 1–10, 2000.

[14] M. Henderson, R. Coulter, E. Dawson, and E. Okamoto, “Modelling Trust Structures for Public Key Infrastructures,” in Information Security and Privacy, ser. Lecture Notes in Computer Science, L. Batten and J. Seberry, Eds. Springer Berlin / Heidelberg, 2002, vol. 2384, pp. 203–221.

[15] M. Li, Y. Ren, Z. Wang, J. Xie, and H. Yao, “A New Modified Bridge Certification Authority PKI Trust Model,” in Pervasive Computing and Applications, 2006 1st International Symposium on. IEEE, 2007, pp. 23–26.

[16] M. Humphrey, J. Basney, and J. Jokl, “The case for using Bridge Certificate Authorities for Grid computing,” Software: Practice and Experience, vol. 35, no. 9, pp. 817–826, 2005.

[17] A. R. Metke and R. L. Ekl, “Security Technology for Smart Grid Networks,” IEEE Transactions on Smart Grid, vol. 1, no. 1, pp. 99–107, 2010.

[18] P. Alterman, “The US federal PKI and the federal bridge certification authority,” Computer Networks, vol. 37, no. 6, pp. 685–690, 2001.

[19] C. Connolly, P. van Dijk, F. Vierboom, and S. Wilson, “PKI Interoperability Models,” 2005.

[20] M. Zhao and S. Smith, “Modeling and evaluation of certification path discovery in the emerging global PKI,” Public Key Infrastructure, pp. 16–30, 2006.

[21] E. Yildiz, “A proposal for Turkish government public key infrastructure trust model,” Ph.D. dissertation, Citeseer, 2001.

[22] NIST, “Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, NISTIR 7628,” 2010.
