Security and Privacy in Smart Grids


Other Telecommunications Books from Auerbach

Ad Hoc Mobile Wireless Networks: Principles, Protocols, and Applications. Subir Kumar Sarkar, T.G. Basavaraju, and C. Puttamadappa. ISBN 978-1-4665-1446-1

Communication and Networking in Smart Grids. Yang Xiao (Editor). ISBN 978-1-4398-7873-6

Delay Tolerant Networks: Protocols and Applications. Athanasios V. Vasilakos, Yan Zhang, and Thrasyvoulos Spyropoulos. ISBN 978-1-4398-1108-5

Emerging Wireless Networks: Concepts, Techniques and Applications. Christian Makaya and Samuel Pierre (Editors). ISBN 978-1-4398-2135-0

Game Theory in Communication Networks: Cooperative Resolution of Interactive Networking Scenarios. Josephina Antoniou and Andreas Pitsillides. ISBN 978-1-4398-4808-1

Green Communications: Theoretical Fundamentals, Algorithms and Applications. Jinsong Wu, Sundeep Rangan, and Honggang Zhang. ISBN 978-1-4665-0107-2

Green Communications and Networking. F. Richard Yu, Xi Zhang, and Victor C.M. Leung (Editors). ISBN 978-1-4398-9913-7

Green Mobile Devices and Networks: Energy Optimization and Scavenging Techniques. Hrishikesh Venkataraman and Gabriel-Miro Muntean (Editors). ISBN 978-1-4398-5989-6

Handbook on Mobile Ad Hoc and Pervasive Communications. Laurence T. Yang, Xingang Liu, and Mieso K. Denko (Editors). ISBN 978-1-4398-4616-2

Intelligent Sensor Networks: The Integration of Sensor Networks, Signal Processing and Machine Learning. Fei Hu and Qi Hao (Editors). ISBN 978-1-4398-9281-7

IP Telephony Interconnection Reference: Challenges, Models, and Engineering. Mohamed Boucadair, Isabel Borges, Pedro Miguel Neves, and Olafur Pall Einarsson. ISBN 978-1-4398-5178-4

LTE-Advanced Air Interface Technology. Xincheng Zhang and Xiaojin Zhou. ISBN 978-1-4665-0152-2

Media Networks: Architectures, Applications, and Standards. Hassnaa Moustafa and Sherali Zeadally (Editors). ISBN 978-1-4398-7728-9

Multihomed Communication with SCTP (Stream Control Transmission Protocol). Victor C.M. Leung, Eduardo Parente Ribeiro, Alan Wagner, and Janardhan Iyengar. ISBN 978-1-4665-6698-9

Multimedia Communications and Networking. Mario Marques da Silva. ISBN 978-1-4398-7484-4

Near Field Communications Handbook. Syed A. Ahson and Mohammad Ilyas (Editors). ISBN 978-1-4200-8814-4

Next-Generation Batteries and Fuel Cells for Commercial, Military, and Space Applications. A. R. Jha. ISBN 978-1-4398-5066-4

Physical Principles of Wireless Communications, Second Edition. Victor L. Granatstein. ISBN 978-1-4398-7897-2

Security of Mobile Communications. Noureddine Boudriga. ISBN 978-0-8493-7941-3

Smart Grid Security: An End-to-End View of Security in the New Electrical Grid. Gilbert N. Sorebo and Michael C. Echols. ISBN 978-1-4398-5587-4

Transmission Techniques for 4G Systems. Mário Marques da Silva. ISBN 978-1-4665-1233-7

Transmission Techniques for Emergent Multicast and Broadcast Systems. Mário Marques da Silva, Americo Correia, Rui Dinis, Nuno Souto, and Joao Carlos Silva. ISBN 978-1-4398-1593-9

TV White Space Spectrum Technologies: Regulations, Standards, and Applications. Rashid Abdelhaleem Saeed and Stephen J. Shellhammer. ISBN 978-1-4398-4879-1

Wireless Sensor Networks: Current Status and Future Trends. Shafiullah Khan, Al-Sakib Khan Pathan, and Nabil Ali Alrajeh. ISBN 978-1-4665-0606-0

Wireless Sensor Networks: Principles and Practice. Fei Hu and Xiaojun Cao. ISBN 978-1-4200-9215-8

Auerbach Publications, www.auerbach-publications.com

To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 • E-mail: [email protected]

Security and Privacy in Smart Grids

Edited by Yang Xiao


CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper
Version Date: 20130611

International Standard Book Number-13: 978-1-4398-7783-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Security and privacy in smart grids / editor, Yang Xiao. pages cm

"A CRC title, part of the Taylor & Francis imprint, a member of the Taylor & Francis Group, the academic division of T&F Informa plc."

Includes bibliographical references and index.
ISBN 978-1-4398-7783-8 (hardcover : acid-free paper)
1. Smart power grids--Security measures. I. Xiao, Yang, 1966-

TK3105.S32 2013
621.3190285'58--dc23
2012048623

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Preface vii
Acknowledgment ix
About the Editor xi
Contributors xiii

Part 1: Smart Grids in General

Chapter 1. An Overview of Recommendations for a Technical Smart Grid Infrastructure 3
Petra Beenken, Robert Bleiker, José González, Sebastian Rohjans, Michael Specht, Joern Trefke, and Mathias Uslar

Chapter 2. Smart Grid and Cloud Computing: Minimizing Power Consumption and Utility Expenditure in Data Centers 57
Sumit Kumar Bose, Michael Salsburg, Scott Brock, and Ronald Skeoch

Chapter 3. Distributed Opportunistic Scheduling for Building Load Control 85
Peizhong Yi, Xihua Dong, Abiodun Iwayemi, and Chi Zhou

Chapter 4. Advanced Metering Infrastructure and Its Integration with the Distribution Management System 101
Zhao Li, Fang Yang, Zhenyuan Wang, and Yanzhu Ye

Chapter 5. Cognitive Radio Network for the Smart Grid 139
Raghuram Ranganathan, Robert Qiu, Zhen Hu, Shujie Hou, Zhe Chen, Marbin Pazos-Revilla, and Nan Guo

Part 2: Security and Privacy in Smart Grids

Chapter 6. Requirements and Challenges of Cybersecurity for Smart Grid Communication Infrastructures 187
Rose Qingyang Hu and Yi Qian

Chapter 7. Regulations and Standards Relevant for Security of the Smart Grid 205
Steffen Fries and Hans-Joachim Hof

Chapter 8. Vulnerability Assessment for Substation Automation Systems 227
Adam Hahn, Manimaran Govindarasu, and Chen-Ching Liu

Chapter 9. Smart Grid, Automation, and SCADA System Security 245
Yongge Wang

Chapter 10. Smart Grid Security in the Last Mile 269
Tae Oh, Sumita Mishra, and Clark Hochgraf

List of Acronyms 293

Index 303

Preface

A smart grid is an integration of power delivery systems with communication networks and information technology (IT) to provide better services. Security and privacy will play significant roles in building future smart grids. The purpose of this edited book is to provide state-of-the-art approaches and novel technologies for security and privacy in smart grids, covering a range of topics in these areas.

This book investigates fundamental aspects and applications of smart grids, security, and privacy. It presents a collection of recent advances in these areas contributed by many prominent researchers working on smart grids and related fields around the world. Containing 10 chapters divided into two parts (Part I: Smart Grids in General and Part II: Security and Privacy in Smart Grids), we believe this book will provide a good reference for researchers, practitioners, and students who are interested in the research, development, design, and implementation of smart grid security and privacy.

This work is made possible by the great efforts of our contributors and publisher. We are indebted to our contributors, who have sacrificed days and nights to put together these chapters for our readers. We would like to thank our publisher. Without their encouragement and quality work, we could not have this book.

Yang Xiao
Department of Computer Science
The University of Alabama
Tuscaloosa, Alabama

E-mail: [email protected]

Acknowledgment

This work was supported in part by the U.S. National Science Foundation (NSF) under grants CCF-0829827, CNS-0716211, CNS-0737325, and CNS-1059265.

About the Editor

Dr. Yang Xiao worked in industry as a MAC (Medium Access Control) architect involved in Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard enhancement work before he joined the Department of Computer Science at the University of Memphis in 2002. He is currently a professor in the Department of Computer Science at the University of Alabama. He was a voting member of the IEEE 802.11 Working Group from 2001 to 2004. He is an IEEE Senior Member. Dr. Xiao serves as a panelist for the U.S. National Science Foundation (NSF), Canada Foundation for Innovation (CFI) Telecommunications Expert Committee, and the American Institute of Biological Sciences (AIBS), as well as a referee/reviewer for many national and international funding agencies. His research areas are security, communications/networks, robotics, and telemedicine. He has published more than 200 refereed journal articles and over 200 refereed conference papers and book chapters related to these research areas. Dr. Xiao's research has been supported by the U.S. NSF, U.S. Army Research, the Global Environment for Network Innovations (GENI), Fleet Industrial Supply Center–San Diego (FISCSD), FIATECH, and the University of Alabama's Research Grants Committee. He currently serves as editor in chief for the International Journal of Security and Networks (IJSN) and International Journal of Sensor Networks (IJSNet). He was the founding editor-in-chief for the International Journal of Telemedicine and Applications (IJTA) (2007–2009).

Contributors

Petra Beenken, OFFIS R&D Division Energy, Oldenburg, Germany

Robert Bleiker, OFFIS R&D Division Energy, Oldenburg, Germany

Sumit Kumar Bose, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany

Scott Brock, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany

Zhe Chen, Tennessee Technological University, Cookeville, Tennessee

Xihua Dong, Marvell Semiconductor Inc., Santa Clara, California

Steffen Fries, Siemens AG, Corporate Technology, Munich, Germany

José González, OFFIS R&D Division Energy, Oldenburg, Germany

Manimaran Govindarasu, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa

Nan Guo, Tennessee Technological University, Cookeville, Tennessee

Adam Hahn, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa

Clark Hochgraf, Rochester Institute of Technology, Rochester, New York

Hans-Joachim Hof, Department of Computer Science and Mathematics, Munich University of Applied Sciences, Munich, Germany

Shujie Hou, Tennessee Technological University, Cookeville, Tennessee

Rose Qingyang Hu, Department of Electrical and Computer Engineering, Utah State University, Logan, Utah

Zhen Hu, Tennessee Technological University, Cookeville, Tennessee

Abiodun Iwayemi, Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois

Zhao Li, Industrial Software System Group, ABB US Corporation Research Center, Raleigh, North Carolina

Chen-Ching Liu, School of Electrical Engineering and Computer Science, Washington State University, Pullman, Washington, and School of Mechanical and Materials Engineering, University College Dublin, Dublin, Ireland

Sumita Mishra, Rochester Institute of Technology, Rochester, New York

Tae Oh, Rochester Institute of Technology, Rochester, New York

Yi Qian, Department of Computer and Electronics Engineering, University of Nebraska-Lincoln, Omaha, Nebraska

Robert Qiu, Tennessee Technological University, Cookeville, Tennessee

Marbin Pazos-Revilla, Tennessee Technological University, Cookeville, Tennessee

Raghuram Ranganathan, Tennessee Technological University, Cookeville, Tennessee

Sebastian Rohjans, OFFIS R&D Division Energy, Oldenburg, Germany

Michael Salsburg, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany

Ronald Skeoch, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany

Michael Specht, OFFIS R&D Division Energy, Oldenburg, Germany

Joern Trefke, OFFIS R&D Division Energy, Oldenburg, Germany

Mathias Uslar, OFFIS R&D Division Energy, Oldenburg, Germany

Yongge Wang, Department of Software and Information Systems, UNC Charlotte, Charlotte, North Carolina

Zhenyuan Wang, Grid Automation Group, ABB US Corporation Research Center, Raleigh, North Carolina

Fang Yang, Grid Automation Group, ABB US Corporation Research Center, Raleigh, North Carolina

Yanzhu Ye, Department of Electrical Engineering and Computer Science, University of Tennessee at Knoxville, Knoxville, Tennessee

Peizhong Yi, Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois

Chi Zhou, Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois

Part 1: Smart Grids in General

Chapter 1. An Overview of Recommendations for a Technical Smart Grid Infrastructure

Petra Beenken, Robert Bleiker, José González, Sebastian Rohjans, Michael Specht, Joern Trefke, and Mathias Uslar

Contents

1.1 Introduction 4
1.2 IEC TC 57 Reference Architecture Overview 5
1.2.1 Introduction to Standardization 5
1.2.2 Main Structure of the Reference Architecture 6
1.2.3 Structure of the Current TC 57 Reference Architecture 7
1.2.4 Future Vision of a Seamless Integration 10
1.2.5 Integration of Business Partners and Applications 10
1.2.5.1 IEC 61970: Energy Management System Application Program Interface 13
1.2.5.2 IEC 61968: Application Integration at Electric Utilities—System Interfaces for Distribution Management 14
1.2.5.3 IEC 62325: Framework for Energy Market Communications 14
1.2.5.4 The IEC Common Information Model 15
1.2.5.5 Component Interface Specification 19
1.2.5.6 The Interface Reference Model 20
1.2.6 Integration of Energy Systems 22
1.2.6.1 Revenue Meters 23
1.2.6.2 IEDs, Relays, Meters, Switchgear, CTs, and VTs 28
1.2.6.3 DERs and Meters 36
1.2.6.4 Other Control Centers 37
1.2.7 Security and Data Management 40
1.2.7.1 Secure Communication via IEC 62351-3 40
1.2.7.2 Secure Profiles through IEC 62351-4 41
1.2.7.3 Authentication Technique of IEC 62351-5 43
1.2.7.4 PDU Security Extension of IEC 62351-6 45
1.2.7.5 Intrusion Detection with IEC 62351-7 45
1.3 Application of the SIA 46
1.4 Summary and Outlook 50
References 51

This chapter introduces the International Electrotechnical Commission Technical Committee (IEC TC) 57 Seamless Integration Architecture (SIA) as a reference architecture for smart grids. It comprises a set of standards that are, on various levels, essential and widely recommended for smart grid implementations in terms of technical interoperability. Issues like business integration, data definition, applications, field communication for information exchange on the equipment and system interfaces, security, and data management are considered. Each component of the architecture is discussed in detail. The SIA is not a step-by-step guide to building an information and communications technology (ICT) infrastructure in the energy domain; it is rather a blueprint that focuses on IEC-specific standards. To use the SIA, it is necessary to integrate the architecture into the company workflow or to build up an entirely new process. Thus, a methodology is introduced describing how to make the SIA applicable. Finally, further developments of the SIA are listed.

1.1 Introduction

Many national and international smart grid studies, recommendations, and road maps [1–4] have been published recently. Some of them differ in their definition of what the smart grid is and which aspects should be the focus, but all of them agree that standardization is crucial to achieve technical interoperability.

Several standards were identified by most of these studies as core standards (see the work of Rohjans et al. [5,6]). The following standards, which were all developed within the International Electrotechnical Commission Technical Committee (IEC TC) 57, can be regarded as the consensus on essential information technology (IT) standards for the smart grid.

• IEC 60870: Communication and Transport Protocols [7]

• IEC 61334: Distribution Automation [8]

• IEC 61400-25: Communication and Monitoring for Wind Power Plants [9]

• IEC 61850: Substation Automation Systems and DER (distributed energy resources) [10]

• IEC 61970/61968: Common Information Model (CIM) [11,12]

• IEC 62056: Electricity Metering [13]

• IEC 62325: Market Communications Using CIM [14]

• IEC 62351: Security for the Smart Grid [15]

• IEC 62357: TC 57 Seamless Integration Architecture (SIA) [16]

The TC 57 SIA has a special role as it provides a reference architecture to set the other TC 57 standards in relation to each other and to combine them. It also pursues the objective to identify inconsistencies between the other standards and to resolve them, thus making the whole framework seamless.

This chapter shows the essential standards to reach technical interoperability in a smart grid infrastructure.

1.2 IEC TC 57 Reference Architecture Overview

1.2.1 Introduction to Standardization

In the general scope of smart grids, one has to distinguish between different standardization bodies and other stakeholders for the technical infrastructure to be developed. For the technical infrastructure, most utilities try to adapt to multinational vendors and their corresponding product portfolio. Within this scope, things have changed in the last few years: whereas typical system committees in standardization had a narrow focus, joint working groups (WGs) have arisen to deal with the bigger picture. User groups have developed to cope with certain aspects like interoperability. The technical base of the smart grid infrastructure now is thoroughly standardized and provides, due to good interoperability checking and tests, many new possibilities for both utilities and vendors. In the very light of international standardization, within the different standardization bodies like ITU (International Telecommunication Union), ISO (International Organization for Standardization), and IEC, the SIA has been identified as the core aspect of future smart grid standardization. Various national road maps like the German, American, and Chinese ones focus on its aspects and core standards. Furthermore, it is likely to be part of the Korean and Japanese road maps as well. Realizing this, the SIA will be at the very heart of any future standardized smart grid architecture and project.

1.2.2 Main Structure of the Reference Architecture

The IEC Technical Report (TR) 62357 reference architecture [16] (Power System Control and Associated Communications—Reference Architecture for Object Models, Services, and Protocols) constitutes a framework for current TC 57 standards. It shows how the various standardization activities within the IEC TC 57 (Power Systems Management and Associated Information Exchange) interrelate and how they contribute to meet the TC's objectives. The reference architecture shows how current standards fit in an overall architecture and provide a seamless integration across systems within the scope of the committee. Aiming to provide a seamless integration, the architecture is also often called the SIA (Seamless Integration Architecture). TC 57 addresses business functions in the following domains, which together comprise the functional scope for the reference architecture:

• Supervisory control and data acquisition (SCADA) and network operation
• Energy management
• Distribution automation
• Customer inquiry
• Meter reading and control
• Substation protection, monitoring, and control
• Records and asset management
• Network expansion planning
• Operational planning and optimization
• Maintenance and construction

Within these domains, the focus of TC 57 is on more abstract data models and generic interfaces at higher levels in the architecture. This comprises an abstract information modeling perspective as well as technology mappings for implementation in all these given areas.

Besides classifying existing standards, areas where harmonization between TC 57 standards is needed, and how this could be achieved, are identified by the architecture to align and harmonize further standard developments. Ultimately, a future architecture to guide longer-term goals and activities is outlined in IEC TR 62357.

1.2.3 Structure of the Current TC 57 Reference Architecture

Figure 1.1 gives a visual overview of the TC 57 reference architecture as of 2010. The structure of the architecture can be broadly divided into three parts, which are represented by the dashed rectangles A to C in the figure. To structure the various standards and classify their contents, the architecture is partitioned into different layers and pillars (horizontally and vertically). The same shadings indicate the cohesion of standards throughout different layers; in particular, they constitute the pillars in the lower part of the framework. These defined boundaries finally depict the coverage of existing standards, allowing identification of harmonization needs. Layers in the first part (A) are mainly concerned with business integration, data definition, and applications, which can be characterized as higher-level abstractions. The first horizontal layer (1) covers standards for integration of different systems and applications (e.g., to business partners or market applications). This could be realized using commercial off-the-shelf middleware in a message-oriented way, as for example often applied in service-oriented architectures (SOAs), in conjunction with the corresponding intersystem/interapplication standards (CIM; eXtensible Markup Language [XML]; CIM Resource Description Framework [RDF]). Standards used on layers 2 and 3 consider the data concepts and interfaces for the focused applications (layer 4). These applications serve as central IT-driven elements for power systems control and operations. There are two aspects to consider for these applications: the upper integration using corresponding interfaces (application interfaces) and the lower integration (equipment and system interfaces). To allow for successful integration, the systems must be enabled to be supplied with operation-relevant data (e.g., from technical devices like substations) and further provide other IT systems and applications with important data. Currently, gathering data and controlling field devices require data and communication mappings between different standards due to a variety of access options and data formats. For these cases, abstractions to encapsulate access to the required technical information are offered by layer 5, namely, the SCADA front end.

[Figure 1.1: Annotated overview of the IEC TR 62357 reference architecture, based on IEC 62357. Part A, layers 1 to 5 (A2A and B2B communication, application interfaces, equipment and system interfaces): (1) Inter-System/Application Profiles (CIM XML, CIM RDF) toward energy market participants, utility customers, utility service providers, and other businesses; (2) 61970/61968 Common Information Model (CIM), CIM extensions, bridges to other domains; (3) technology mappings, 61970 Component Interface Specification (CIS)/61968 SIDMS; (4) SCADA, EMS, DMS, market operation, engineering and maintenance, and external IT apps; (5) specific object mappings, Data Acquisition and Control Front-End/Gateway/Proxy Server/Mapping Services/Role-based Access Control. Part B, layers 6 and 7, four pillars of field object models, specific communication service mappings, and protocol profiles over telecontrol and WAN communications media and services (industry-standard ISO/TCP/IP/Ethernet stacks): revenue meters (TC13 WG14 meter standards, 61334 DLMS); IEDs, relays, meters, switchgear, CTs, VTs (60870-5-101 and 104 to RTUs or substation systems; 61850-7-3/7-4 object models, 61850-7-2 ACSI, 61850-8-1 mapping to MMS, 61850-6 engineering, 61850 substation devices); DERs and meters (mapping to Web services, 61850 devices beyond the substation, field devices and systems using Web services); other control centers (60870-6-802 object models, 60870-6-503 application services, 60870-6-702 protocols, 60870-6 TASE.2); plus external systems with symmetric client/server protocols. Part C, vertical: Network, System and Data Management (62351-7) and End-to-End Security Standards and Recommendations (62351-1 to -6). CT = current transformer; DMS = distribution management system; MMS = manufacturing messaging specification; RTU = remote terminal unit; SIDMS = system interfaces for distribution management systems; TASE = telecommunication application service element 2; TCP/IP = Transmission Control Protocol/Internet Protocol; VT = voltage transformer; WAN = wide-area network; WG = Working Group. (Reprinted with permission from International Electrotechnical Commission. IEC 62357, 2nd edition: TC 57 Architecture—Part 1: Reference Architecture for TC 57—Draft, 2009. Geneva, Switzerland: IEC.)]

Below this layer, the architecture is structured in four pillars containing mainly standards dealing with more technical field communication for information exchange on the equipment and system interfaces (part B). Each pillar addresses standards for different device categories: revenue meters; intelligent electronic devices (IEDs), relays, meters, switchgear, current transformers (CTs), voltage transformers (VTs); distributed energy resources (DER), meters; and other control centers.

The upper layers of this part (6) include standards containing object models for field devices and device components, specific communication service mappings, and protocol profiles. At this point, communication to exchange data usually takes place through wide-area networks (WANs) of geographically separated locations using standard protocol stacks like the ISO Open Systems Interconnection (OSI) model or the Internet Protocol stack using the Transmission Control Protocol/Internet Protocol (TCP/IP) and Ethernet. Standards for the different devices and systems to communicate with are finally depicted in layer 7.

Vertical layers on the left (C) indicate cross-cutting standards that especially focus on security and data management, addressed by the IEC 62351 standards family. In these standards, each horizontal layer is addressed by individual parts to meet specific requirements. As these vertical layers span the whole framework, they can be considered a highly important factor for successful integration, and in the end, they contribute to secure systems operation.
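The front-end layer (5) and the vertical IEC 62351 layer (C) meet in one place: a gateway that maps abstract tags onto protocol-specific addresses in the pillars below and decides, per role, which operations may pass. The following Python is an added example written for this chapter, not code from the chapter or from IEC 62357; the tag names, the 61850-style and 60870-5-104-style addresses, and the three roles are all constructed assumptions, and no protocol encoding is implemented, only the mediation step between layer 4 applications and the field pillars.

```python
"""SIA layer 5 front end: mapping services plus role-based access control.

Added example for this chapter; it is not code from the chapter or from
IEC 62357. Everything below is constructed: the tag names, the two field
addresses (a 61850-style object reference and a 60870-5-104-style
information object address) and the three roles. Protocol encodings are
not implemented. The point is the mediation step: resolve an abstract tag
to a protocol-specific address, and refuse any operation the caller's
role does not permit before anything reaches a device.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    # Illustrative roles (assumption); a real deployment would take its
    # role model from its own policy, not from this example.
    VIEWER = "VIEWER"
    OPERATOR = "OPERATOR"
    ENGINEER = "ENGINEER"


class Op(Enum):
    READ = "read"            # acquire a measurement or status
    CONTROL = "control"      # operate switchgear, set a setpoint
    CONFIGURE = "configure"  # change device settings


# Least-privilege matrix: each role gets only the operations it needs.
PERMISSIONS = {
    Role.VIEWER: frozenset({Op.READ}),
    Role.OPERATOR: frozenset({Op.READ, Op.CONTROL}),
    Role.ENGINEER: frozenset({Op.READ, Op.CONTROL, Op.CONFIGURE}),
}


@dataclass(frozen=True)
class FieldAddress:
    protocol: str  # "iec61850" or "iec104"; labels only, no encoding
    address: str   # constructed: object reference or "ioa:<n>"


# Abstract tag (what layer 4 apps see) -> address per field protocol.
TAG_MAP = {
    "Sub1/Bay2/CB1/Pos": {
        "iec61850": FieldAddress("iec61850", "S1B2/CSWI1.Pos"),
        "iec104": FieldAddress("iec104", "ioa:4001"),
    },
    "Sub1/Bay2/CB1/Amps": {
        "iec61850": FieldAddress("iec61850", "S1B2/MMXU1.A.phsA"),
        "iec104": FieldAddress("iec104", "ioa:7001"),
    },
}


class AccessDenied(PermissionError):
    """Raised when the role does not permit the requested operation."""


@dataclass
class FrontEnd:
    tag_map: dict
    permissions: dict
    audit: list = field(default_factory=list)  # (role, op, tag, allowed)

    def resolve(self, tag: str, protocol: str) -> FieldAddress:
        """Mapping service: abstract tag -> protocol-specific address."""
        try:
            return self.tag_map[tag][protocol]
        except KeyError:
            raise LookupError(f"no {protocol} mapping for tag {tag!r}") from None

    def request(self, role: Role, op: Op, tag: str, protocol: str) -> str:
        """Authorize first, then map; an unknown role has no permissions."""
        allowed = op in self.permissions.get(role, frozenset())
        self.audit.append((role.value, op.value, tag, allowed))
        if not allowed:
            raise AccessDenied(f"{role.value} may not {op.value} {tag}")
        addr = self.resolve(tag, protocol)
        # Stand-in for the protocol request that would go down the pillar.
        return f"{addr.protocol}:{op.value}:{addr.address}"


if __name__ == "__main__":
    fe = FrontEnd(TAG_MAP, PERMISSIONS)
    print(fe.request(Role.OPERATOR, Op.CONTROL, "Sub1/Bay2/CB1/Pos", "iec61850"))
    try:
        fe.request(Role.VIEWER, Op.CONTROL, "Sub1/Bay2/CB1/Pos", "iec104")
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in fe.audit:
        print(entry)
```

Authorization is checked before the tag is resolved, so a caller without the right role learns nothing about which pillar or address backs a tag, and every decision, granted or refused, lands in an audit list of the kind the network and system management part (62351-7) would collect.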

1.2.4 Future Vision of a Seamless Integration

Based on the findings from reviewing the current reference architecture, the need for a long-term architecture vision was determined, going further than just harmonization between different standards. As a start, the committee agreed on 16 architectural principles, for instance, about the focus of the ongoing work, harmonization efforts for existing standards, and the definition of criteria to ensure a system's compliance to the reference architecture. Starting with these principles, a strategy adopting the CIM and other abstract information models as the source of the semantics, as basis for future standards development, is presented. This may lead to reduced execution times and can potentially avoid information loss due to the mapping of different language concepts on different layers, which can finally ease integration.

In the following sections, a closer look at the standards and the different aspects, aligned with the different parts of the current reference architecture, is provided. These sections are "Integration of Business Partners and Applications" (Section 1.2.5), "Integration of Energy Systems" (Section 1.2.6), and "Security and Data Management" (Section 1.2.7).

1.2.5 Integration of Business Partners and Applications

The top part of the SIA as illustrated in Figure 1.2 addresses the integration of business partners, business to business (B2B), and applications, application to application (A2A). Key elements of this part are therefore market participants like utility customers, utility service providers, or other business participants and IT applications within utility companies like SCADA or EMS (energy management systems).

Figure 1.2 Top part of the SIA. (Layers 1 to 5 from top to bottom: Application to Application (A2A) and Business to Business (B2B) Communication with Energy Market Participants, Utility Customers, Utility Service Provider, Other Businesses and the Inter-System/Application Profiles (CIM XML, CIM RDF); 61970/61968 Common Information Model (CIM) with CIM Extensions and Bridges to other Domains; Application Interfaces with Technology Mappings and the 61970 Component Interface Specification (CIS)/61968 SIDMS; SCADA Apps, EMS Apps, DMS Apps, Market Operation Apps, Engineering & Maintenance Apps, External IT Apps; Equipment and System Interfaces with Specific Object Mappings and Data Acquisition and Control Front-End/Gateway/Proxy Server/Mapping Services/Role-based Access Control.)

11 An Overview of Recommendations

The top part of the sia can be divided into five layers: marketcommunication(1),coredatamodel(2),integrationofapplications(3),applications(4),andequipmentandsysteminterface(5).layers1–5aredescribednext:

• layer1coverstheintegrationofmarketparticipantsandtheiritsystemsbasedontheiecciManditsserializationindif-ferentformatslikeXMlorrdf.inaddition,theiec62325seriesdescribes theuseof theciMformarketcommunica-tionsbetweenbusinesspartners.communicationisdescribedindependentoftechnologybutrelyingoninterapplicationmes-sagingasprovidedbycommercialoff-the-shelfmiddleware.

• layer2providestheiec61970-301and61968-11standards,whichdescribe theciMdatamodel.TheciM is the coredatamodelwithin thesia forusagewithindataexchangeaddressingbothtypesofintegration,B2Banda2a.TheciMisadatamodelforabstractandphysicalobjectsintheelec-tricity domain. as requirements change and each utility isdifferent,customextensionsoftheciMmightbenecessary(ciMextensions).inparticular,theseextensionswillbecomenecessarywhendealingwithdatanotstrictlybelongingtotheelectricitydomain(bridgestootherdomains).

• layer3focusesonintegrationoftransmissionanddistributionitapplications.ontheonehand,iec61970-401providesapplicationinterfacesforeMss.ontheotherhand,theiec61968 standards series describes an enterprise applicationintegration (eai) framework for exchanging data betweendistributionmanagementsystems(dMss).inthecourseofnewtechnologies,technologymappingsmightbenecessary.

• Layer 4 shows various transmission and distribution IT components of a utility application landscape. This includes the following systems:

  • SCADA: real-time system that supports the control room operation, including data acquisition and supervisory control using remote terminal units (RTUs) in the substations.[11]

  • EMS: computer system providing basic services and a set of applications to support the effective operation of electrical generation and transmission facilities.[17] Within this, monitor and control functionality is provided by SCADA systems.

  • DMS: several distributed application components supporting the management of electrical distribution networks.[11] These components provide capabilities like monitoring and control of equipment for power delivery, management processes to ensure system reliability, voltage management, demand-side management, outage management, and work management.

  • Market operations applications: dealing with data exchange between market participants, supporting processes like customer switching or meter data exchange.

  • Engineering and maintenance applications: supporting processes like network maintenance and extension planning.

  • External IT applications: applications that are not strictly utility systems, like customer resource management systems.[16]

• Layer 5 addresses the integration of IT systems of layer 4 and external systems and technical devices in the field. Therefore, this layer describes an equipment and system interface to acquire data or control devices. Applications listed in layer 4 act as clients that connect to remote servers in the field, whereas the connection can be established through various communication networks and technologies. Layer 5 is the last layer of the top part of the SIA and connects the top part of the SIA with the lower part (see the dashed rectangles A and B in Figure 1.1).

Standards listed in this part of the SIA are all developed within WGs of IEC TC 57, Power Systems Management and Associated Information Exchange.

In the following, the core standards series of the upper part of the SIA (IEC 61970, IEC 61968, and IEC 62325) as well as their essential contributions, the IEC CIM, the Component Interface Specification (CIS), and the IEC Interface Reference Model (IRM), are introduced.


1.2.5.1 IEC 61970: Energy Management System Application Program Interface

The IEC 61970 standards series defines application program interfaces (APIs) for EMS to support the integration of applications developed by different suppliers in the control center environment and the exchange of information to systems external to the control center environment.[12] An overview of the EMS APIs is provided in Figure 1.3.

The following parts of IEC 61970 are currently available:[18]

• IEC 61970-1 Ed. 1.0: Guidelines and General Requirements
• IEC/TS 61970-2 Ed. 1.0: Glossary
• IEC 61970-301 Ed. 2.0: Common Information Model (CIM) Base
• IEC/TS 61970-401 Ed. 1.0: Component Interface Specification (CIS) Framework
• IEC 61970-402 Ed. 1.0: Common Services
• IEC 61970-403 Ed. 1.0: Generic Data Access
• IEC 61970-404 Ed. 1.0: High Speed Data Access (HSDA)
• IEC 61970-405 Ed. 1.0: Generic Eventing and Subscription (GES)
• IEC 61970-407 Ed. 1.0: Time Series Data Access (TSDA)
• IEC 61970-453 Ed. 1.0: CIM Based Graphics Exchange
• IEC 61970-501 Ed. 1.0: Common Information Model Resource Description Framework (CIM RDF) Schema

Figure 1.3 Overview of the EMS-API. PC, personal computer. (Reprinted with permission from International Electrotechnical Commission. 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements, 2007. Geneva, Switzerland: IEC.) Components shown: SCADA Network System, Legacy SCADA System behind a Legacy Wrapper, Topology Processor, Network Applications, Load Management, Accounting/Settlement, Generation Control, Alarm Processor, Distribution Management Systems, TASE.2 Network, User PCs, and CIM Server, each offering Programs and Public Data through a Component Interface on the Component Execution System and Component Adapters (e.g., Integration Bus).

The IEC TC 57 WG 13 EMS API is in charge of the development of the IEC 61970 series. The IEC 61970 series, in particular the CIM, is unanimously recommended for smart grid architectures.

1.2.5.2 IEC 61968: Application Integration at Electric Utilities—System Interfaces for Distribution Management

The IEC 61968 standards series aims at facilitating the interapplication integration of the various distributed software application systems supporting the management of a utility's electrical distribution networks.[11] In contrast to the general understanding of interapplication integration, focusing on programs in the same application system, the IEC 61968 series aims at integrating disparate loosely coupled applications within utility enterprises that are already built or new (legacy or purchased applications). Here, connections between applications are established via middleware services that broker messages. IEC 61968 has the following parts:[18]

• IEC 61968-1 Ed. 1.0: Interface Architecture and General Requirements
• IEC/TS 61968-2 Ed. 1.0: Glossary
• IEC 61968-3 Ed. 1.0: Interface for Network Operations
• IEC 61968-4 Ed. 1.0: Interfaces for Records and Asset Management
• IEC 61968-9 Ed. 1.0: Interfaces for Meter Reading and Control
• IEC 61968-11 Ed. 1.0: Common Information Model (CIM) Extensions for Distribution
• IEC 61968-13 Ed. 1.0: CIM RDF Model Exchange Format for Distribution

IEC TC 57 WG 14: System Interfaces for Distribution Management (SIDM) is responsible for the development of the IEC 61968 series.

1.2.5.3 IEC 62325: Framework for Energy Market Communications

The IEC 62325 aims at describing the use of the CIM for market communications between business partners. The term market communications refers to data exchange between market participants like energy suppliers or distribution system operators along the electricity value chain. Here, WG 16 of the IEC TC 57 develops a framework for communications in a deregulated electricity market. The IEC 62325 consists of the following parts:[18]

• IEC/TR 62325-101 Ed. 1.0: General Guidelines
• IEC/TR 62325-102 Ed. 1.0: Energy Market Model Example
• IEC/TR 62325-501 Ed. 1.0: General Guidelines for Use of Electronic Business Using XML (ebXML)
• IEC/TS 62325-502 Ed. 1.0: Profile of ebXML

The IEC 62325 series is being developed by the IEC TC 57 WG 16 (Deregulated Energy Market Communications). In contrast to the IEC 61968 and 61970 standards series, this series still contains many parts that are the subject of future work (see IEC 62325-101).[14]

As communication between market participants in the electricity domain is subject to national regulation, application of these standards requires analysis of current national regulations, laws, and guidelines. National guidelines may force the application of specific data formats and protocols not considered within IEC 62325. In Germany, for instance, the Electronic Data Interchange for Administration, Commerce, and Transport (EDIFACT) format is currently required for data exchange between market participants for processes like customer switching.

1.2.5.4 The IEC Common Information Model

The IEC CIM is a very large abstract data model describing abstract (like documents) as well as physical (like power transformer) objects of the energy domain. It was originally created to solve the problem of vendor lock-in by EMS.[19] Many aspects of the power system of concern to TC 57 are modeled only using the CIM, like generation equipment or energy schedules.[16] However, other parts are modeled in both the CIM and in the IEC 61850 standards developed by WG 10 (e.g., substation equipment, including transformers, switches, or breakers).[16]

The idea of the CIM was to provide a common information model that should support the exchange of information between different EMS components and thus enable the interconnection of applications from different vendors. The CIM was originally developed within several projects sponsored by the Electric Power Research Institute (EPRI). Over time, the CIM was extended to fit the needs of distribution management; at the moment, WG 16 is extending the CIM for use within market communication. Currently, TC 57 WG 13, WG 14, WG 16, and WG 19 are involved in the development of the CIM.[20] Furthermore, many members of the WGs joined the work of the CIM Users Group (CIMug; http://cimug.ucaiug.org).

The formal definition of the CIM is done using the Unified Modeling Language (UML); an overview is depicted in Figure 1.4. The model includes public classes and attributes describing (real and abstract) objects of the energy domain as well as relationships between them. It is currently maintained in the Sparx Systems Enterprise Architect. For better maintenance, the various classes are grouped in corresponding packages, and the different WGs focus on different packages and describe them in different parts of the standards series, basically IEC 61968-11 and 61970-301.

Whereas the standards documents related to the CIM are developed within the IEC, the electronic UML model is hosted at the CIMug site. Therefore, CIMug members have access to the model without the need to participate in the IEC standardization process.

Figure 1.4 Overview of the IEC CIM. (UML package diagram: the Main class carries the IEC 61970 CIM Version with date 2009-12-29 and version string IEC61970CIM15v01, both read-only; packages shown are Core (root), Domain, Topology, Operational Limits, Wires, Equivalents, Meas, SCADA, Load Model, Generation with its Production and Generation Dynamics subpackages, Contingency, Outage, Protection, and Control Area.)

It is difficult and often not necessary to use the whole model within a project or company. To make the use of the CIM more applicable, profiles of the CIM that only include essential classes and associations of the CIM are used. On the one hand, single companies use intracorporate profiles; on the other hand, large profiles exist that are partly standardized and widespread within the utility domain:

• CPSM: The Common Power System Model (CPSM) is used in the United States for the exchange of transmission system models.[21]

• CDPSM: The Common Distribution Power System Model (CDPSM) is used in Europe for the exchange of distribution power system models.[22]

• ENTSO-E: The European Network of Transmission System Operators for Electricity (ENTSO-E; http://www.entsoe.eu/) profile is used in Europe for the exchange of transmission system models.

• ERCOT: The Electric Reliability Council of Texas (ERCOT; http://www.ercot.com/) profile is an intracorporate data model.

The main application scenarios for the CIM are as follows:[23]

• Exchange of topology data: supporting the exchange of power system models between systems through CIM profiles for transmission (CPSM) and distribution (CDPSM) networks. In addition, a corresponding serialization of these profiles for XML and RDF is defined in the standard series IEC 61968 (distribution) and IEC 61970 (transmission). This enables standards-based exchange of static and dynamic data as well as the current state of electrical networks.

• Coupling of applications: using standards-based interfaces as described in the standard documents IEC 61968 Parts 3 to 9 and IEC 61970-4xx. Here, the CIM provides the semantics for the underlying data of the specified interfaces. This supports integration of applications of different vendors within application landscapes in utilities.


• XML-based message exchange with CIM semantics: can be used to build personal XML schemas to enable standards-based message exchange between applications. As with coupling of applications, the CIM provides a standardized semantics for coupling applications of different vendors. A tool for developing such schemas is available, for example, through Langdale Consultants (http://www.cimtool.org).
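The topology-exchange and XML scenarios above both come down to CIM RDF/XML files that one party produces and another imports into an EMS or DMS. As an added example, not code from the book or from the IEC, the following Python loads a small constructed CIM RDF/XML fragment, reconstructs the objects and their rdf:resource associations, and then runs the two checks an importer should make before trusting a third-party model: that every reference resolves to an object in the file and that containment does not loop. The CIM15 namespace URI, the rdf:ID values, and the "MemberOf_" association role names are assumptions chosen for illustration.

```python
"""Added example: parse a CIM RDF/XML fragment and validate its object references.
Not code from the book or the IEC; the namespace and role names are assumed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
CIM_NS = "http://iec.ch/TC57/2010/CIM-schema-cim15#"   # assumed CIM15 namespace

# Constructed sample: one substation, one voltage level, two breakers.
# The association role names follow the older "MemberOf_" style and are illustrative.
# _cb2 deliberately points at an object that is not in the file.
SAMPLE_CIM_RDF = f"""<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns:cim="{CIM_NS}">
  <cim:Substation rdf:ID="_sub1">
    <cim:IdentifiedObject.name>Substation A</cim:IdentifiedObject.name>
  </cim:Substation>
  <cim:VoltageLevel rdf:ID="_vl1">
    <cim:IdentifiedObject.name>110 kV</cim:IdentifiedObject.name>
    <cim:VoltageLevel.MemberOf_Substation rdf:resource="#_sub1"/>
  </cim:VoltageLevel>
  <cim:Breaker rdf:ID="_cb1">
    <cim:IdentifiedObject.name>CB1</cim:IdentifiedObject.name>
    <cim:Equipment.MemberOf_EquipmentContainer rdf:resource="#_vl1"/>
  </cim:Breaker>
  <cim:Breaker rdf:ID="_cb2">
    <cim:IdentifiedObject.name>CB2</cim:IdentifiedObject.name>
    <cim:Equipment.MemberOf_EquipmentContainer rdf:resource="#_missing"/>
  </cim:Breaker>
</rdf:RDF>
"""


@dataclass
class CimObject:
    cim_id: str
    cls: str                                   # local class name, e.g. "Breaker"
    attrs: dict = field(default_factory=dict)  # literal-valued properties
    refs: dict = field(default_factory=dict)   # association -> referenced rdf:ID


def _local(tag: str) -> str:
    """Strip the {namespace} prefix that ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def load_cim(text: str) -> dict:
    """Parse CIM RDF/XML into {rdf:ID: CimObject}; only cim: elements are accepted."""
    # Model files come from other parties: refuse DOCTYPE so no entity declarations are parsed.
    if "<!DOCTYPE" in text:
        raise ValueError("DOCTYPE not allowed in CIM exchange files")
    root = ET.fromstring(text)
    if root.tag != f"{{{RDF_NS}}}RDF":
        raise ValueError("not an rdf:RDF document")
    objects: dict = {}
    for el in root:
        if not el.tag.startswith(f"{{{CIM_NS}}}"):
            continue
        cim_id = el.get(f"{{{RDF_NS}}}ID")
        if cim_id is None or cim_id in objects:
            raise ValueError(f"missing or duplicate rdf:ID on {_local(el.tag)}")
        obj = CimObject(cim_id, _local(el.tag))
        for prop in el:
            target = prop.get(f"{{{RDF_NS}}}resource")
            if target is not None:
                obj.refs[_local(prop.tag)] = target.lstrip("#")
            else:
                obj.attrs[_local(prop.tag)] = (prop.text or "").strip()
        objects[cim_id] = obj
    return objects


def dangling_references(objects: dict) -> list:
    """(source id, association, target id) for every reference to an absent object."""
    return [(o.cim_id, assoc, tgt)
            for o in objects.values()
            for assoc, tgt in o.refs.items()
            if tgt not in objects]


def containment_chain(objects: dict, cim_id: str) -> list:
    """Follow MemberOf_* associations upward and return the container IDs in order.
    Stops at the root, at a dangling link, or when a cycle would repeat a container."""
    chain, seen = [], set()
    current = objects[cim_id]
    while True:
        parents = [t for a, t in current.refs.items()
                   if a.split(".")[-1].startswith("MemberOf_")]
        if not parents or parents[0] not in objects or parents[0] in seen:
            return chain
        seen.add(parents[0])
        chain.append(parents[0])
        current = objects[parents[0]]


if __name__ == "__main__":
    model = load_cim(SAMPLE_CIM_RDF)
    print({k: v.cls for k, v in model.items()})
    print("dangling:", dangling_references(model))
    print("CB1 containers:", containment_chain(model, "_cb1"))
```

Rejecting a DOCTYPE up front and checking references before use are the two cheap controls that matter here: an exchange file is input from another organization, and a dangling or cyclic association is exactly what an importer otherwise resolves silently into a wrong network model.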

In the following, some characteristics of the CIM are summarized:[16]

• The CIM is hierarchical: subclasses inherit common attributes from their common superclasses.

• The CIM is normalized: all attributes are unique and belong to only one class. The use of attributes within other classes is done by defining relationships between these classes. Relationships supported include generalization, association, and aggregation.

• The CIM addresses the static (or structural) model view: in the CIM, physical objects may be represented by several interrelated classes. The objects one application may want to access are not grouped in a single class. Therefore, the model is not appropriate for adding dynamics in the form of operations or methods to the actual class definitions.

• The CIM is modeled in UML: the entire CIM is provided as a UML model file.

• The CIM UML model is the basis for the standards: the corresponding IEC standards documents are autogenerated using the electronic UML model.

• The CIM has a representation in XML: see the described CIM application scenarios, like exchange of topology data using CPSM and CDPSM or XML-based message exchange.

• The CIM is in use in many production systems: for example, in the United States the use of the CIM for data exchange is prescribed in several states. In Europe, the CIM is used for the exchange of transmission system models by European transmission system operators organized in the ENTSO-E.

• The CIM is meant to contain classes and attributes that will be exchanged over public interfaces between major applications.

The maintenance process is continuously improving the model using the UML format. Once a year, a new release is published; the current release is version 15. Proposals for the extension or amendment of the CIM are made via the CIMug site. Here, CIMug members can enter modeling issues that will be discussed later in modeling team meetings and may finally lead to changes of the CIM.

1.2.5.5 Component Interface Specification

The IEC 61970-4xx standards documents basically provide CIS and Generic Interface Definitions (GIDs) that define interfaces and APIs for a standards-based integration of applications or components of EMS. The purpose of the CIS is to specify the interfaces that an application or system should use to facilitate message-based integration with other independently developed applications or systems.[16] On the one hand, the CIS specifies the information content of the messages; on the other hand, it defines what services should be used to convey the messages. This way, a clear definition of what information is available for processing, how it is available, and what is expected by receiving applications is provided. Furthermore, the CIS enables a single adapter to be built for a given infrastructure technology independent of who developed the other systems.

Since multiple application categories require many component interface services, the service definitions are specified as generic services independent of the particular application that uses them.[16] The GID is the collection of these generic services. Due to the many generic services the IEC 61970-4xx standards series comprises, the following subparts consider the various types of data exchange:[16,23]

• IEC 61970-401 CIS framework: describes scope and vision of the CIS.

• IEC 61970-402 CIS—common services: describes common services that serve as the basis for the GID. Here, the CIM semantics are used for data definitions in interfaces.

• IEC 61970-403 CIS—generic data access: defines interfaces that can be used to read and write real-time data. These interfaces provide a request/reply-oriented service for access to complex data structures.

• IEC 61970-404 HSDA: describes interfaces that can be used for high-performance access to simple data structures.

• IEC 61970-405 GES: defines interfaces that can be used to monitor events and alarms based on publish and subscribe methods.

• IEC 61970-407 TSDA: describes interfaces that can be used to access aggregated historical data.

Currently, the replacement of the aforementioned IEC 61970-403 and -407 standards is planned by the IEC. Instead of these standards, the corresponding standards of the OPC Unified Architecture (UA) shall be used in the future.

Implementing a specific type of application requires defining what object classes and attributes are exchanged as well as what interface is used.[16] These object classes and attributes typically consist of subsets or views of the CIM object classes. In conclusion, the CIM data model defines "which" data can be exchanged; the CIS and GID specify "how" these data can be exchanged.[20]

In addition, following the Open Management Group (OMG) Model Driven Architecture (MDA) approach,[24] descriptions based on the concepts of the platform-independent model* (PIM) and the platform-specific model† (PSM) are provided. First, the Part 4xx series of the 61970 standards provides the PIM component models of the CIS, defining interfaces in terms of events, methods, and properties independent of the underlying infrastructure.[16] Second, the Part 5xx series of the 61970 standards defines the technology mappings to technologies such as C++, Java, web services, and XML.[16]

1.2.5.6 The Interface Reference Model

The IRM illustrated in Figure 1.5 and described in the IEC 61968-1 standard, Interface Architecture and General Recommendations,[11] defines interfaces for the major components of a DMS. The purpose of the IRM and the individual system interfaces defined therein is to provide a framework for a series of message payload standards based on the CIM. These message payload standards are the subject of the IEC 61968-3 to -9 standards.[16] The IRM aims at supporting interoperability between these components independent of systems, platforms, and languages.

* A platform-independent model is a view of a system from the platform-independent viewpoint.[24]

† A platform-specific model is a view of a system from the platform-specific viewpoint.[24]

Within the IEC 61968-3 to -9 standards, the use of XML for the exchange of information between the various systems is specified.[16] Here, several use cases are provided that define the data content of message payloads between these various systems. Furthermore, XML schemas are used to define the structure and format for each message payload. The message payloads defined here are intended to be leveraged by both service-oriented architectures (SOAs) and enterprise service buses (ESBs). In the future, it is possible that payload formats other than XML could also be adopted.[16] The IRM illustrates seven domains supporting core business functions of distribution management. Each domain contains several abstract components and shows the relevant IEC 61968 part (-3 to -9) where interface definitions for these components are described. In addition, components external but related to DMS are grouped in their own domain external to DMS (EXT). All components are integrated through a CIM-based, message-oriented middleware (MOM)—the application integration infrastructure. The application integration infrastructure acts here as an enabler for XML-based message exchange with CIM semantics as described in Section 1.2.5.4.

Figure 1.5 Overview of the IEC 61968 IRM. (Reprinted with permission from International Electrotechnical Commission (IEC). 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements (Draft) (2010). Geneva, Switzerland: IEC.) Business functions and subfunctions shown: Network Operations (NO), IEC 61968-3, with Network Operations Monitoring (NMON), Network Control (CTL), Fault Management (FLT), Operational Feedback Analysis (OFA), Operation Statistics & Reporting (OST), and Network Calculations - Real Time (CLC); Records & Asset Management (AM), IEC 61968-4, with Substation & Network Inventory (EINV), Geographical Inventory (GINV), and Asset Investment Planning (AIP); Operational Planning & Optimisation (OP), IEC 61968-5, with Network Operation Simulation (SIM), Switch Action Scheduling (SSC), and Power Import Scheduling & Optimization (IMP); Maintenance and Construction (MC), IEC 61968-6, with Maintenance & Inspection (MAI), Construction WMS (CON), Design (DGN), Work Scheduling & Dispatching (SCHD), and Field Recording (FRD); Network Extension Planning (NE), IEC 61968-7, with Network Calculations (NCLC), Project Definition (PRJ), and Construction Supervision (CSP); Customer Support (CS), IEC 61968-8, with Customer Service (CSRV) and Trouble Call Management (TCM); Meter Reading & Control (MR), IEC 61968-9, with Meter Reading (RMR); and External to DMS (EXT). Further components shown: Energy Trading (ET), Retail (RET), Sales (SAL), Customer Account Management (ACT), Financial (FIN), Business Planning & Reporting (BPR), Dispatcher Training (TRN), Load Control (LDC), Meter Maintenance (MM), Meter Data (MD), Stakeholder Planning & Management (SPM), Supply Chain & Logistics (SC), Premises (PRM), Human Resources (HR), Point of Sale (POS), Meter Operations (MOP), Advanced Metering Infrastructure (AMI), Meter Data Management (MDM), Metering System (MS), Demand Response (DR), General Inventory Management (GIM), Public Information (PI), Energy Service Provider (ESP), and Premise Area Network (PAN), all connected through the Application Integration Infrastructure.

Figure 1.5 shows only the top-level business functions and business subfunctions of the IRM. A detailed, table-based description, containing the following elements, is provided in the IEC 61968-1 standard:[25]

• Business functions: like network operations or records and asset management; see Figure 1.5.

• Business subfunctions: like network operations monitoring or substation and network inventory; see Figure 1.5.

• Abstract components: are grouped by business subfunctions and define abstract logical components like SCADA simulation or substation state supervision. It is expected that concrete physical applications of vendors will provide the functionality of one or more abstract components.[11]

After having explained the upper business integration part of the SIA in this section, the following section is about the integration of energy systems, which deals with the connection to information exchange on the equipment and system interfaces.

1.2.6 Integration of Energy Systems

The lower part (part B in Figure 1.1) of the SIA, shown in Figure 1.6, can be divided into four layered pillars. The basement of each pillar is a group of different field devices (revenue meters, Section 1.2.6.1; IEDs, relays, meters, switchgear, CT, and VT in Section 1.2.6.2; DER and meter, see Section 1.2.6.3; other control centers, Section 1.2.6.4). The next layer (7) describes external communication systems for the field devices, which are connected to the following layers, including protocol profiles, specific communication service mappings, and field object models. The top of the pillars (6) is linked to the SCADA front-end layer of the SIA.

Figure 1.6 Lower part of the SIA. (Layer 6: Field Object Models, Specific Communication Service Mappings, Protocol Profiles; layer 7: Field Devices, Telecontrol Communications Media and Services, WAN Communications Media and Services; External Systems (Symmetric Client/Server Protocols). Pillars: TC 13 WG 14 Meter Standards with 61334 DLMS over TC 13 WG 14 Revenue Meters; 60870-5 RTUs or Substation Systems with 60870-5-101 & 104 and 61850 Substation Devices with 61850-7-3, 7-4 Object Models, 61850-7-2 ACSI, 61850-8-1 Mapping to MMS, and 61850-6 Engineering over IEDs, Relays, Meters, Switchgear, CTs, VTs; 61850 Devices Beyond the Substation and Field Devices and Systems using Web Services with Existing Object Models and Mapping to Web Services over DERs, Meters; 60870-6 TASE.2 with 60870-6-802 Object Models, 60870-6-503 App Services, and 60870-6-702 Protocols over Other Control Centers; all on Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).)

1.2.6.1 Revenue Meters

The first pillar (see Figure 1.7) includes the communication of revenue meters, which is based on standards from the IEC TC 13 WG 14. Among others, the standard series IEC 61334 is mentioned. Revenue meters include the various types of smart meters for residential, commercial, and industrial billing.

1.2.6.1.1 TC 13 WG 14

The IEC TC 13 WG 14 name is Data Exchange for Meter Reading, Tariff and Load Control. Its task is to establish standards, by reference to ISO/OSI standards, necessary for data exchanges by different communication media, for automatic meter reading, tariff and load control, and consumer information. Thereby, the media can be distribution line carrier (DLC), telephone (including integrated services digital network [ISDN]), radio, or other electrical or optical system, and they may be used for local or remote data exchange. Furthermore, they are acting in category D liaison with the DLMS (Distribution Line Message Specification) User Association (UA; http://www.dlms.com/index2.php).

Figure 1.7 Pillar for revenue meters. (TC 13 WG 14 Meter Standards and 61334 DLMS over TC 13 WG 14 Revenue Meters.)

The TC 13 Strategic Business Plan (http://www.iec.ch/cgi-bin/getfile.pl/sbp_13.pdf?dir=sbp&format=pdf&type=&file=13.pdf) from 2009 specifies future activities of the WG 14. One main objective is to focus on the extension of the IEC 62056 to support smart metering, which includes the extension of the COSEM data model. The model has to deal with new functions, and new DLMS-based messaging methods as well as communication profiles have to be added. Furthermore, standards from other TCs shall be used whenever it is appropriate, and close cooperation with the DLMS UA and industry consortia is planned.

1.2.6.1.2 TC 13 WG 14 Meter Standards

The TC 13 WG 14 mainly deals with the development of the metering standards IEC 62056 and IEC 62051, which are presented in the following:

• IEC 62056: IEC 62056, Electricity Metering—Data Exchange for Meter Reading, Tariff, and Load Control, consists of several substandards dealing with DLMS and COSEM. The following six parts comprise the main specifications:[18]

  • IEC 62056-21 Ed. 1.0: Direct Local Data Exchange
  • IEC 62056-42 Ed. 1.0: Physical Layer Services and Procedures for Connection-Oriented Asynchronous Data Exchange
  • IEC 62056-46 Ed. 1.1: Data Link Layer Using HDLC [high-level data link control] Protocol
  • IEC 62056-53 Ed. 2.0: COSEM Application Layer
  • IEC 62056-61 Ed. 2.0: Object Identification System (OBIS)
  • IEC 62056-62 Ed. 2.0: Interface Classes

  In Part 21,[13] an alternate protocol stack is defined that is based on ASCII. Mode E is introduced as a new mode enabling the negotiation of a switchover to COSEM/HDLC—defined in Parts 46[26] and 53[27]—for clients. As a result of the switchover, the following communications will be based on the COSEM/HDLC protocol stack. HDLC defines a standard data link layer, ensuring a reliable transport of COSEM data packages in a client-server architecture. Thereby, the layer performs functions like low-level addressing, data integrity checks, data sequencing, and segmentation as well as reassembly, link-level handshaking, and data flow control.


  COSEM specifies a protocol for application layers that covers basic functionalities like set, get, and action operations within the meters. Beyond these basic functions, COSEM also allows handling of access rights and client-server connections, abstracting meter data from/to COSEM class instances, framing data into COSEM packages, and high-level segmentation of data into blocks.

  Physical layer services needed for the data communication are specified in Part 42.[28] Part 61[29] includes the OBIS, which defines a standard list of meter data object identifiers. Those identifiers are defined as six-character codes for each object, and they are maintained by the DLMS UA. Part 62,[30] as the last main part of the series, considers standard interface classes. They can be used to represent all possible meter data, which are abstracted into high-level objects. Finally, the protocol stacks can operate on the high-level objects.

  In addition, the standard series includes the following parts:[18]

  • IEC 62056-31 Ed. 1.0: Use of Local Area Networks (LANs) on Twisted Pair with Carrier Signaling
  • IEC/TS 62056-41 Ed. 1.0: Data Exchange Using Wide Area Networks: Public Switched Telephone Network (PSTN) with LINK+ Protocol
  • IEC 62056-47 Ed. 1.0: COSEM Transport Layers for IPv4 [Internet Protocol version 4] Networks
  • IEC/TS 62056-51 Ed. 1.0: Application Layer Protocols
  • IEC/TS 62056-52 Ed. 1.0: Communication Protocols Management Distribution Line Message Specification (DLMS) Server

• IEC/TR 62051: The second standard series maintained by WG 14 is IEC 62051,[31] Electricity Metering—Data Exchange for Meter Reading, Tariff, and Load Control, which is a relatively short series. It provides definitions of specific terms used for drafting standards within the context of electrical measurement, tariff, and load control as well as customer/utility information exchange systems. The set of provided definitions is completed by those terms already dealt with in IEC 60050 (http://www.electropedia.org/). The defined terms could also be used for upcoming standards coping with electricity prepayment systems and the dependability of electricity metering equipment.

  • IEC/TR 62051 Ed. 1.0: Glossary of Terms
  • IEC/TR 62051-1 Ed. 1.0: Terms Related to Data Exchange with Metering Equipment Using DLMS/COSEM
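The HDLC functions attributed to IEC 62056-46 above (low-level addressing, integrity checks, segmentation flagging, and a length field that frames each COSEM package) are concrete enough to show in code. The following is an added example, not code from the book, the IEC, or the DLMS UA: it builds and verifies an HDLC frame format type 3 frame with the FCS-16 (CRC-16/X.25) checksum used by DLMS/COSEM, and its parser rejects anything whose length, address encoding, HCS, or FCS does not check out. The single-octet addresses, the I-frame control value, and the COSEM GET-request bytes in the sample payload are constructed for illustration; the frame format bit layout and the checksum algorithm are as specified for HDLC type 3 / ISO 13239.

```python
"""Added example: DLMS/COSEM-style HDLC (frame format type 3) framing with FCS-16.
Not code from the book, the IEC, or the DLMS UA; sample values are constructed."""
from __future__ import annotations
from dataclasses import dataclass

FLAG = 0x7E


def crc16_x25(data: bytes) -> int:
    """CRC-16/X.25 (ISO 13239 FCS-16): poly 0x1021 (0x8408 reflected), init 0xFFFF,
    bits processed LSB first, final XOR 0xFFFF. Check value for b"123456789" is 0x906E."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _encode_address(addr: int) -> bytes:
    """Single-octet HDLC address: upper 7 bits carry the address, LSB=1 marks the last octet
    (multi-octet addresses, which DLMS also allows, are not handled in this example)."""
    if not 0 <= addr < 128:
        raise ValueError("single-octet address must be below 128")
    return bytes([(addr << 1) | 1])


@dataclass
class Frame:
    dest: int
    src: int
    control: int
    info: bytes
    segmented: bool = False   # S bit of the format field: more segments follow


def build_frame(frame: Frame) -> bytes:
    """Flag | format(2) | dest | src | control | [HCS(2) | info] | FCS(2) | Flag."""
    dest, src = _encode_address(frame.dest), _encode_address(frame.src)
    # length counts every octet between the flags, FCS included
    length = 2 + len(dest) + len(src) + 1 + (2 + len(frame.info) if frame.info else 0) + 2
    if length > 0x7FF:
        raise ValueError("frame too long for the 11-bit length field")
    fmt = 0xA000 | (0x0800 if frame.segmented else 0) | length   # type 3 = 1010 in the top nibble
    header = fmt.to_bytes(2, "big") + dest + src + bytes([frame.control])
    body = header
    if frame.info:
        # HCS covers format field through control; transmitted least significant octet first
        body += crc16_x25(header).to_bytes(2, "little") + frame.info
    fcs = crc16_x25(body)   # FCS covers everything between the flags except itself
    return bytes([FLAG]) + body + fcs.to_bytes(2, "little") + bytes([FLAG])


def parse_frame(raw: bytes) -> Frame | None:
    """Parse a frame, returning None for anything malformed or failing a checksum.
    A receiver must make every one of these checks before handing info upward."""
    if len(raw) < 9 or raw[0] != FLAG or raw[-1] != FLAG:
        return None
    body = raw[1:-1]
    fmt = int.from_bytes(body[:2], "big")
    if fmt >> 12 != 0xA or (fmt & 0x7FF) != len(body):
        return None                       # wrong frame type or length field disagrees with data
    if not (body[2] & 1 and body[3] & 1):
        return None                       # only single-octet addresses are accepted here
    dest, src, control = body[2] >> 1, body[3] >> 1, body[4]
    if crc16_x25(body[:-2]) != int.from_bytes(body[-2:], "little"):
        return None                       # FCS mismatch: corrupted frame
    info = b""
    if len(body) > 7:
        if crc16_x25(body[:5]) != int.from_bytes(body[5:7], "little"):
            return None                   # HCS mismatch: corrupted header
        info = bytes(body[7:-2])
    return Frame(dest, src, control, info, bool(fmt & 0x0800))


if __name__ == "__main__":
    # Constructed sample: client 16 to server logical device 1, I-frame, LLC header E6 E6 00
    # followed by a COSEM GET-request for the clock object (class 8, OBIS 0.0.1.0.0.255).
    request = Frame(dest=1, src=16, control=0x10,
                    info=bytes.fromhex("e6e600c001c100080000010000ff0200"))
    wire = build_frame(request)
    print(wire.hex())
    print(parse_frame(wire))
    damaged = bytearray(wire)
    damaged[10] ^= 0x01
    print(parse_frame(bytes(damaged)))   # None: FCS no longer matches
```

The HCS and FCS only catch accidental corruption on the line: anyone able to modify a frame can recompute them, so authenticity and confidentiality of the COSEM payload have to come from the application layer above this one, not from the data link layer.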

1.2.6.1.3 IEC 61334 DLMS

The TC 57 WG 9 develops the standard series IEC 61334, Distribution Automation Using Distribution Line Carrier Systems. Those standards mainly focus on protocols used to enable the communication from the distribution control center to distribution automation field devices using the distribution grid. The application area of the standards series contains the communication by carrier systems on the middle-voltage layer as well as on the low-voltage layer. Thereby, the DLC systems enable a bidirectional communication for various devices and functions like control centers, data concentrators, load management, or street lights.

Based on a client-server architecture, the substandard IEC 61334-4-1,[32] which is also known as the DLMS, defines a reference architecture and provides an abstract and object-oriented server model. The server model explicitly takes limited hardware resources and the low bandwidth of distribution equipment into consideration. Abstract Syntax Notation One (ASN.1) is used to describe the protocol data units (PDUs) of the application protocol of the model. IEC 61334-6[33] adds efficient coding possibilities to this description. The substandards IEC 61334-5-1 to -5-5[34–38] define different physical and media access control layers with different modulation technologies that are applicable for both low- and medium-voltage grids. IEC 61334-4-511[39] and -4-512[40] define a management framework and techniques that are especially aligned to IEC 61334-5-1. IEC 61334-3-21[41] and -3-22[42] define requirements to feed DLC signals into middle-voltage lines without raising security issues.

Currently, the standard series includes the following parts:[18]

• IEC/TR 61334-1-1 Ed. 1.0: General Considerations—Distribution Automation System Architecture

• IEC/TR 61334-1-2 Ed. 1.0: General Considerations—Guide for Specification

• IEC/TR 61334-1-4 Ed. 1.0: General Considerations—Identification of Data Transmission Parameters Concerning Medium- and Low-Voltage Distribution Mains

• IEC 61334-3-1 Ed. 1.0: Mains Signaling Requirements—Frequency Bands and Output Levels

• IEC 61334-3-21 Ed. 1.0: Mains Signaling Requirements—MV Phase-to-Phase Isolated Capacitive Coupling Device

• IEC 61334-3-22 Ed. 1.0: Mains Signaling Requirements—MV Phase-to-Earth and Screen-to-Earth Intrusive Coupling Devices

• IEC 61334-4-1 Ed. 1.0: Data Communication Protocols—Reference Model of the Communication System

• IEC 61334-4-32 Ed. 1.0: Data Communication Protocols—Data Link Layer—Logical Link Control (LLC)

• IEC 61334-4-33 Ed. 1.0: Data Communication Protocols—Data Link Layer—Connection Oriented Protocol

• IEC 61334-4-41 Ed. 1.0: Data Communication Protocols—Application Protocol—Distribution Line Message Specification

• IEC 61334-4-42 Ed. 1.0: Data Communication Protocols—Application Protocols—Application Layer

• IEC 61334-4-61 Ed. 1.0: Data Communication Protocols—Network Layer—Connectionless Protocol

• IEC 61334-4-511 Ed. 1.0: Data Communication Protocols—Systems Management—CIASE Protocol

• IEC 61334-4-512 Ed. 1.0: Data Communication Protocols—System Management Using Profile 61334-5-1—Management Information Base (MIB)

• IEC 61334-5-1 Ed. 2.0: Lower-Layer Profiles—The Spread Frequency Shift Keying (S-FSK) Profile

• IEC/TS 61334-5-2 Ed. 1.0: Lower-Layer Profiles—Frequency Shift Keying (FSK) Profile

• IEC/TS 61334-5-3 Ed. 1.0: Lower-Layer Profiles—Spread Spectrum Adaptive Wideband (SS-AW) Profile

• IEC/TS 61334-5-4 Ed. 1.0: Lower-Layer Profiles—Multicarrier Modulation (MCM) Profile

• IEC/TS 61334-5-5 Ed. 1.0: Lower-Layer Profiles—Spread Spectrum–Fast Frequency Hopping (SS-FFH) Profile

• IEC 61334-6 Ed. 1.0: A-XDR Encoding Rule

28 Security and Privacy in Smart Grids

1.2.6.2 IEDs, Relays, Meters, Switchgear, CTs, and VTs The second pillar (see Figure 1.8) covers the monitoring and control of IEDs, common relays, meters, and switchgear as well as CTs (current transformers) and VTs (voltage transformers). This large group of field devices mainly uses communication standardized by the two standard series IEC 61850 and IEC 60870-5, including their substandards.

1.2.6.2.1 IEC 60870-5 RTUs or Substation Systems The development of the standard series IEC 60870-5, Telecontrol Equipment and Systems—Part 5: Transmission Protocols, was started in the 1980s by TC 57 WG 3. The main objective was to develop an internationally standardized communication protocol for telecontrol applications in distributed power networks. In the early 1990s, the first five standards were published [18]:

• IEC 60870-5-1 Ed. 1.0: Transmission Frame Formats
• IEC 60870-5-2 Ed. 1.0: Link Transmission Procedures
• IEC 60870-5-3 Ed. 1.0: General Structure of Application Data
• IEC 60870-5-4 Ed. 1.0: Definition and Coding of Application Information Elements
• IEC 60870-5-5 Ed. 1.0: Basic Application Functions

All further standards dealing with special applications were then to be published as companion standards. To date, the following four companion standards have been published and are widely used [18]:

• IEC 60870-5-101 Ed. 2.0: Transmission Protocols—Companion Standard for Basic Telecontrol Tasks

[Figure 1.8 residue: boxes labeled 60870-5-101 & 104; 60870-5 RTUs or Substation Systems; 61850 Substation Devices; 61850 Devices Beyond the Substation; IEDs, Relays, Meters, Switchgear, CTs, VTs; 61850-7-3, 7-4 Object Models; 61850-7-2 ACSI; 61850-8-1 Mapping to MMS; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet); Mapping to Web Services.]

Figure 1.8 Pillar for IED, relays, meters, switchgear, CT, and VT.


• IEC 60870-5-102 Ed. 1.0: Companion Standard for the Transmission of Integrated Totals in Electric Power Systems

• IEC 60870-5-103 Ed. 1.0: Transmission Protocols—Companion Standard for the Informative Interface of Protection Equipment

• IEC 60870-5-104 Ed. 2.0: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles

The whole standard series is under continuous development, and products based on these standards are used in Europe, Asia, and the United States. They allow a vendor-independent communication among telecontrol and substation automation devices. Compared to the IEC 61850 standard series, IEC 60870-5 does not offer the possibility to define typical devices in a standardized manner. So, in some cases IEC 60870-5 could be replaced by IEC 61850 standards, whereas only in a few situations does replacing one protocol with another protocol lead to additional value.

Beside the already mentioned basic and companion standards, the IEC 60870-5 series includes the following substandards dealing with testing [18]:

• IEC 60870-5-6 Ed. 1.0: Guidelines for Conformance Testing for the IEC 60870-5 Companion Standards

• IEC/TS 60870-5-601 Ed. 1.0: Conformance Test Cases for the IEC 60870-5-101 Companion Standard

• IEC/TS 60870-5-604 Ed. 1.0: Conformance Test Cases for the IEC 60870-5-104 Companion Standard

Because IEC 60870-5-101 and -104 are the most established companion standards, they are an explicit part of the SIA and are described next. IEC 60870-5-102 [43] is occasionally used, and IEC 60870-5-103 [44] is used in various protection equipment [23].

1.2.6.2.2 IEC 60870-5-101 and -104 IEC 60870-5-101 [7] defines a communication profile that allows sending basic telecontrol messages between central telecontrol stations and telecontrol outstations. Permanent and directly connected data circuits between the stations are used. In some cases, several applications have to send the same type of messages between telecontrol stations. Therefore, data networks that contain relay stations could be used. These stations would store and forward the messages and provide only a virtual circuit instead of a physical one. Thus, the messages are variably delayed depending on the network traffic load. The result is that it is not possible to use the link layer as it is defined in Part 101. In special cases, however, it is possible to connect telecontrol stations that have all three layers specified in Part 101 to suitable data networks by using stations of the packet assembler-disassembler (PAD) type, providing access for balanced communication. In all other cases, Part 104 [45] can be used to realize balanced access via a suitable transport protocol because it does not use the link functions of Part 101. Hence, IEC 60870-5-104 combines the application layer defined in IEC 60870-5-101 with the transport functions of TCP/IP. Neither profile carries any authentication of its own; the application-layer authentication added by IEC 62351-5 (Section 1.2.7.3) and the TLS protection of IEC 62351-3 (Section 1.2.7.1) are the standardized ways to close that gap.
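As an added example (not code from the book or from the IEC), the following Python decodes the IEC 60870-5-104 framing just described: the 6-octet APCI (start byte 0x68, a length octet, and four control octets that distinguish I-, S- and U-format frames and carry the send/receive sequence numbers) followed by the IEC 60870-5-101 ASDU (type identification, variable structure qualifier, cause of transmission, common address, information object address, information elements). The three sample frames are constructed by hand, not captured from a live system, and the `COMMAND_TYPES` table is a partial list chosen for the example. Because the protocol authenticates nothing itself, a monitoring point that wants to alert on control actions has to recognize command ASDUs in exactly this way.

```python
# Decoder for IEC 60870-5-104 APDUs (APCI + IEC 60870-5-101 ASDU).
# Added example; the frames below are constructed by hand, not captured traffic.

START_BYTE = 0x68

# Partial table of ASDU type identifications in the control direction
# (assumption: the ones a monitoring rule would care about).
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set-point command, normalised value",
    49: "C_SE_NB_1 set-point command, scaled value",
    50: "C_SE_NC_1 set-point command, floating point",
    51: "C_BO_NA_1 bitstring of 32 bits",
    100: "C_IC_NA_1 interrogation command",
    101: "C_CI_NA_1 counter interrogation command",
    102: "C_RD_NA_1 read command",
    103: "C_CS_NA_1 clock synchronisation command",
}

# U-format control field 1 values: STARTDT/STOPDT/TESTFR activation and confirmation.
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

# Constructed sample frames.
# General interrogation: I-format, seq 0/0, type 100, COT 6 (activation),
# common address 1, IOA 0, QOI 20 (station interrogation).
INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")
# Single command in select mode: I-format, seq 1/1, type 45, COT 6,
# common address 1, IOA 1, SCO 0x81 (S/E = select, SCS = on).
SELECT_ON = bytes.fromhex("680e020002002d010600010001000081")
# U-format STARTDT act: four control octets, no ASDU.
STARTDT_ACT = bytes.fromhex("680407000000")


def parse_asdu(asdu):
    """Decode the fixed ASDU header with the IEC 104 field sizes (COT 2, CA 2,
    IOA 3 octets) and the first information element of the types handled here."""
    if len(asdu) < 9:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    out = {
        "type_id": type_id,
        "type_name": COMMAND_TYPES.get(type_id, "other"),
        "num_objects": vsq & 0x7F,
        "sequence": bool(vsq & 0x80),
        "cot": asdu[2] & 0x3F,
        "negative": bool(asdu[2] & 0x40),
        "test": bool(asdu[2] & 0x80),
        "originator": asdu[3],
        "common_addr": asdu[4] | (asdu[5] << 8),
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    }
    elements = asdu[9:]
    if type_id == 45 and elements:          # single command object (SCO)
        out["select"] = bool(elements[0] & 0x80)
        out["on"] = bool(elements[0] & 0x01)
    elif type_id == 100 and elements:       # qualifier of interrogation (QOI)
        out["qoi"] = elements[0]
    return out


def parse_apdu(data):
    """Decode one APDU: the APCI and, for I-format frames, the ASDU."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 60870-5-104 APDU")
    length = data[1]
    # The length octet counts the 4 control octets plus the ASDU; an APDU is at most 255 octets.
    if length + 2 != len(data) or length > 253:
        raise ValueError("bad APDU length")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:                      # I-format: numbered information transfer
        return {"format": "I",
                "send_seq": (c1 >> 1) | (c2 << 7),
                "recv_seq": (c3 >> 1) | (c4 << 7),
                "asdu": parse_asdu(data[6:])}
    if c1 & 0x03 == 0x01:                   # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown")}


def is_control_action(apdu):
    """True for a command ASDU sent with COT activation (6) or deactivation (8),
    i.e. a frame that changes state in the controlled station."""
    return (apdu["format"] == "I"
            and apdu["asdu"]["type_id"] in COMMAND_TYPES
            and apdu["asdu"]["cot"] in (6, 8))


if __name__ == "__main__":
    for frame in (INTERROGATION, SELECT_ON, STARTDT_ACT):
        decoded = parse_apdu(frame)
        print("CONTROL" if is_control_action(decoded) else "       ", decoded)
```

The select/execute bit of the SCO is worth watching separately: a select that is never followed by an execute, or an execute from a different TCP connection than the select, is the kind of anomaly a detection rule for this protocol can key on.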

1.2.6.2.3 IEC 61850 Substation Devices Working Groups 10, 17, and 18 in TC 57 are responsible for the IEC 61850 standard series, Communication Networks and Systems in Substations, which is one of the most used and recommended standard series for smart grids [5]. It aims at increasing interoperability between multivendor IEDs in substations, enabling data exchange and using data to implement the functionality required by the application. The IEEE (Institute of Electrical and Electronics Engineers) definition of interoperability* is used. So, it is not the goal to reach interchangeability.†

In addition to the communication technologies according to the single levels of the ISO/OSI layer model, IEC 61850 comprises solutions for system aspects like project management; domain-specific data models including model extension methodologies; domain-specific services; a configuration language; and conformance tests. As in other standard series, the subparts of IEC 61850 have different focuses (e.g., IED configuration, device testing, data modeling, and abstract communication interfaces and their mapping on specific communication technologies).

* "Ability of a system or a product to work with other systems or products without special effort on the part of the customer. Interoperability is made possible by the implementation of standards" (http://www.ieee.org/education_careers/education/standards/standards_glossary.html).

† "Ability of a system or product to be compatible with or to be used in place of other systems or products without special effort by the user" (http://www.ieee.org/education_careers/education/standards/standards_glossary.html).


From a hierarchical perspective, a real physical device is modeled as a logical device (LD). Each LD consists of various logical nodes (LNs), described in IEC 61850-7-4 [46]. Services conform to IEC 61850-7-2 [47], and an implementation of the abstract communication service interface (ACSI) is used for the communication with the LD. The IEDs themselves can be configured by Substation Configuration Language (SCL) files, described in IEC 61850-6 [48]. Configuration issues could be networks, model entities, provided services, and integration into the grid.

The following standards are currently part of the standard series IEC 61850 [18]:

• IEC/TR 61850-1 Ed. 1.0: Introduction and Overview
• IEC/TS 61850-2 Ed. 1.0: Glossary
• IEC 61850-3 Ed. 1.0: General Requirements
• IEC 61850-4 Ed. 1.0: System and Project Management
• IEC 61850-5 Ed. 1.0: Communication Requirements for Functions and Device Models
• IEC 61850-6 Ed. 2.0: Configuration Description Language for Communication in Electrical Substations Related to IEDs
• IEC 61850-7-1 Ed. 1.0: Basic Communication Structure for Substation and Feeder Equipment—Principles and Models
• IEC 61850-7-2 Ed. 2.0: Basic Information and Communication Structure—Abstract Communication Service Interface (ACSI)
• IEC 61850-7-3 Ed. 2.0: Basic Communication Structure—Common Data Classes (CDCs)
• IEC 61850-7-4 Ed. 2.0: Basic Communication Structure—Compatible Logical Node Classes and Data Object Classes
• IEC 61850-7-410 Ed. 1.0: Hydroelectric Power Plants—Communication for Monitoring and Control
• IEC 61850-7-420 Ed. 1.0: Basic Communication Structure—Distributed Energy Resources Logical Nodes
• IEC 61850-8-1 Ed. 1.0: Specific Communication Service Mapping (SCSM)—Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3
• IEC 61850-9-1 Ed. 1.0: Specific Communication Service Mapping (SCSM)—Sampled Values over Serial Unidirectional Multidrop Point to Point Link
• IEC 61850-9-2 Ed. 1.0: Specific Communication Service Mapping (SCSM)—Sampled Values over ISO/IEC 8802-3
• IEC 61850-10 Ed. 1.0: Conformance Testing
• IEC/TS 61850-80-1 Ed. 1.0: Guideline to Exchanging Information from a CDC-Based Data Model Using IEC 60870-5-101 or IEC 60870-5-104
• IEC/TR 61850-90-1 Ed. 1.0: Use of IEC 61850 for the Communication between Substations

1.2.6.2.4 IEC 61850 Devices beyond the Substation Whereas IEC 61850 was primarily intended to cope with substation automation, other devices became a later focus. Substandards IEC 61850-7-410 [49] and -7-420 [50] deal with those devices.

IEC 61850-7-410 includes extensions of the information model for hydroelectric power plants. The models define many LNs, which describe automation logic and thus go far beyond the IEC 61850-7-4 definitions. The main objective is to enable automation and monitoring of hydroelectric power plants in a way that could last for the next centuries. This is relevant now because during the next 10 to 20 years, hydro plant control and monitoring systems will be renewed. Sustainable interoperability is of special interest in this area [23].

IEC 61850-7-420 represents extensions for DER like photovoltaics, combined heat and power (CHP), fuel cells, and reciprocating engines. In contrast to the field of substation automation, in which only a few global players control the market, many small and medium enterprises participate in the DER market. Hence, it is an important challenge to specify internationally accepted information models. In the future, these models will be tested for their practical suitability step by step.

Extensions of the IEC 61850 information model for wind power plants are part of the IEC 61400-25 standard [9].

1.2.6.2.5 Communication Industry Standard Protocol Stacks To realize communication with the field devices, IT transport protocols must be used. During the last decades, some transport protocols, like TCP/IP and Ethernet, have become established. Hence, they were recommended for use in the utility domain [2].


• TCP: TCP is mainly based on two standards, RFC (Request for Comments) 793 (http://tools.ietf.org/html/rfc793) and RFC 1323 (http://tools.ietf.org/html/rfc1323). TCP specifies how data can be exchanged between two computers. It is supported and used by all recent operating systems. Furthermore, it is one of the core protocols of the Internet Protocol suite, so that all major Internet applications like the World Wide Web and e-mail rely on it. TCP provides reliable, connection-oriented communication over packet-switched networks.

• IP: RFC 791 (http://tools.ietf.org/html/rfc791) and RFC 2460 (http://tools.ietf.org/html/rfc2460) standardize IP (IPv4 and IPv6, respectively), a well-established network protocol within computer networks. It is also one of the core protocols of the Internet and allows the use of TCP. The main objective of IP is to route data packets across network boundaries, whereas the transmission from the source host to the destination host is solely based on their addresses.

• Ethernet: In the TCP/IP stack, Ethernet is the lowest layer, the basis for IP. Ethernet specifies software and hardware for wired data networks, so that data exchange among devices within a LAN is possible. It contains various definitions for a number of wiring and signaling standards. Those standards cope with both the physical layer of the OSI networking model and the data link layer (a common addressing format and a variety of Media Access Control procedures).

1.2.6.2.6 IEC 61850-8-1 Mapping to MMS Specific Communication Service Mappings (SCSMs) are part of IEC 61850-8-1 [51]. In this substandard, mappings of the abstract model to MMS (ISO/IEC 9506-1 and -2) and Ethernet (ISO/IEC 8802-3) are specified for communications within the whole substation. The information exchange based on GOOSE (Generic Object Oriented Substation Event) and GSSE (Generic Substation Status Event) messages for real-time requirements like trigger signals, and a client-server communication for SCADA functions, is also defined. GOOSE and GSSE messages are published directly on the Ethernet layer (multicast) rather than over TCP/IP, which is why they are protected separately by IEC 62351-6 (Section 1.2.7.4) instead of by the TLS-based IEC 62351-3.

1.2.6.2.7 IEC 61850-7-2 ACSI IEC 61850-7-2 [47] defines a basic communication infrastructure for substation and feeder equipment focusing on ACSIs, including their descriptions. An ACSI is intended for use in applications in the utility domain that require real-time cooperation of IEDs. Furthermore, the ACSI is technology independent in terms of the underlying communication systems. The definitions of the ACSI include a hierarchical class model of the information that can be accessed by communication systems, services operating on these classes, and parameters linked to each service. The following communication services between clients and remote servers are in the scope of the substandard:

• Real-time data access and retrieval
• Device control
• Event reporting and logging
• Setting group control
• Self-description of devices
• Data typing and discovery of data types
• File transfer

1.2.6.2.8 IEC 61850-7-3 and -7-4 Object Models Devices like DER and substations modeled through IEC 61850 concepts are used by specific applications. Constructed, attributed classes and common data classes (CDCs) are related to those applications and defined in IEC 61850-7-3 [52]. IEC 61850-7-4 [46] uses these CDCs to define compatible data object classes. The abstract definitions from Part 7-2 [47] are mapped to concrete object definitions, which are used for specific protocols like MMS. In detail, the following specifications are included in Part 7-3:

• CDCs for status information
• CDCs for measured information
• CDCs for control
• CDCs for status settings
• CDCs for analogue settings
• Attribute types used in these CDCs

One of the pursued objectives of the standard series is to reach a high degree of interoperability. Therefore, all data objects (which may be mandatory, optional, or conditional) within the whole data model are strictly defined in terms of syntax and semantics. Semantic interoperability is achieved through the names assigned to common LNs; their data objects are defined in Part 7-4 [46], and they are part of the class model specified in 7-1 [53] and defined in 7-2 [47]. The names are used to build a hierarchical object reference applied for communicating with IEDs in automation systems and in substations as well as on distribution feeders. Also, normative naming rules are defined to avoid private and thus possibly incompatible extensions of LN and data object names. In addition, dedicated LNs are defined in other parts like IEC 61850-7-420 [50] to model more specific devices like DER. Some LN features like data sets and logs are not modeled in Part 7-4 but in Part 7-2.

In addition to the descriptions of device models and functions of substations and feeder equipment, device models and functions for the following issues can be described:

• Substation-to-substation information exchange
• Substation-to-control-center information exchange
• Power-plant-to-control-center information exchange
• Information exchange for distributed generation
• Information exchange for metering
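The following Python is an added example (not code from the book or the IEC) of what the hierarchical object reference described above looks like when a server has to act on it: it splits a reference of the form `LDName/LNPrefix LNClass LNInstance.DO.DA` (for example `CTRL/Q1XCBR1.Pos.Oper`) into its parts, enforces the four-upper-case-letter LN class naming rule of Part 7-4 (with LLN0 as the one special case), and recognizes the control-model data attributes of Part 7-2 (SBO, SBOw, Oper, Cancel), which is where a write becomes a control action. The per-client `POLICY` table and the `authorize` function are a hypothetical illustration of how such a decoded reference feeds an access decision; they are not part of IEC 61850 (role-based access control is the subject of the planned IEC 62351-8 mentioned in Section 1.2.7).

```python
import re

# Added example. Simplified object reference grammar (after IEC 61850-7-2 / 7-4):
#   LDName "/" [LNPrefix] LNClass [LNInstance] { "." Name }
# LNClass is four upper-case letters (XCBR, MMXU, ...); LLN0 is the special
# "logical node zero" present in every logical device and carries no instance.
_REF = re.compile(
    r"^(?P<ld>[A-Za-z][A-Za-z0-9_]{0,63})/"
    r"(?P<prefix>[A-Za-z0-9_]*?)"
    r"(?P<lnclass>LLN0|[A-Z]{4})"
    r"(?P<inst>[0-9]{0,12})"
    r"(?P<path>(?:\.[A-Za-z][A-Za-z0-9_]*)*)$"
)

# Data attributes of the IEC 61850-7-2 control model: writing them operates equipment.
CONTROL_ATTRIBUTES = {"SBO", "SBOw", "Oper", "Cancel"}

# Hypothetical policy (not from the standard): client -> (LD, LNClass) pairs it may write.
POLICY = {
    "operator-hmi": {("CTRL", "XCBR"), ("CTRL", "XSWI")},
    "historian": set(),
}


def parse_objref(ref):
    """Split an object reference into LD / prefix / LN class / instance / DO / DA.
    Raises ValueError for names that break the naming rules."""
    m = _REF.match(ref)
    if not m:
        raise ValueError("malformed object reference: %r" % ref)
    if m.group("lnclass") == "LLN0" and m.group("inst"):
        raise ValueError("LLN0 carries no instance number: %r" % ref)
    path = m.group("path").lstrip(".").split(".") if m.group("path") else []
    return {
        "ld": m.group("ld"),
        "prefix": m.group("prefix"),
        "lnclass": m.group("lnclass"),
        "inst": m.group("inst"),
        "do": path[0] if path else None,          # data object
        "da": path[-1] if len(path) > 1 else None,  # leaf data attribute
    }


def is_well_formed(ref):
    try:
        parse_objref(ref)
        return True
    except ValueError:
        return False


def is_control(ref):
    """True if the reference addresses a control-model attribute."""
    return parse_objref(ref)["da"] in CONTROL_ATTRIBUTES


def authorize(client, service, ref):
    """Reads of any well-formed reference are allowed; a Write needs an explicit
    (LD, LNClass) entry for the client. Malformed references are rejected first."""
    parts = parse_objref(ref)
    if service == "Read":
        return True
    if service == "Write":
        return (parts["ld"], parts["lnclass"]) in POLICY.get(client, set())
    return False


if __name__ == "__main__":
    for r in ("CTRL/Q1XCBR1.Pos.Oper", "CTRL/Q1XCBR1.Pos.stVal", "CTRL/LLN0.Mod.stVal"):
        print(r, parse_objref(r), "C" if is_control(r) else "-")
```

Logging the decoded tuple (client, LD, LN class, DO, DA, service) rather than the raw string is what makes an audit of control actions across a multivendor substation searchable.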

1.2.6.2.9 Mapping to Web Services Web services (http://www.w3.org/2002/ws/) specified by the World Wide Web Consortium (W3C) are software applications that communicate with each other using XML interfaces to send messages via Internet protocols. Each web service is identifiable by its Uniform Resource Identifier (URI). There are three types of roles in a typical web service system:

• Service broker
• Service provider
• Service requester

The service provider uses the WSDL (Web Services Description Language) standard to publish its services to the service broker. In some cases, a small and local server is used to offer a service for registering web services via the UDDI (Universal Description, Discovery, and Integration) standard. The service requester can also use WSDL to communicate with the service broker. It queries the broker's repository to find a service that fits its QoS (quality of service) or other requirements. In case of success, the service requester exchanges the data with the chosen service provider using the Simple Object Access Protocol (SOAP) standard, for example.


One example for mapping an abstract communication to web services is the IEC 61850 model, which is extended by IEC 61400-25-2 [54] to enable modeling of wind power plants. In this context, another substandard was developed, IEC 61400-25-4 [55], that specifies a web-service-based communication for all IEC 61850-based data models.

1.2.6.3 DERs and Meters Figure 1.9 illustrates the third pillar of the lower SIA part. This excerpt represents the web-service-based communication for DER and some meter types. Therefore, an XML-based configuration language for substations called SCL is utilized, just as protocols like TCP/IP are used. Two parts of this excerpt were discussed in Section 1.2.6.2.

1.2.6.3.1 Field Devices and Systems Using Web Services The field devices shown in the other pillars are all accessible by standardized interfaces using standardized data models. This group, however, uses proprietary systems. For this reason, it is necessary to define interfaces so that it is possible to monitor and control the devices. Therefore, they define web service interfaces to be connected to the upper layers.

1.2.6.3.2 Existing Object Models IEC 61850-6 Engineering An important issue in standardization is the configuration of IEDs in substations; thus, IEC 61850-6 [48] specifies a suitable description language, SCL, based on XML. By allowing the formal description of relations

[Figure 1.9 residue: boxes labeled Field Devices and Systems Using Web Services; DERs, Meters; Mapping to Web Services; Existing Object Models; 61850-6 Engineering; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).]

Figure 1.9 Pillar for DER and meters.


between automation systems and processes like substations and switchyards, SCL is used to describe IED configurations and communication systems according to Parts 5 and 7-x. From the application-level perspective, switchyard topologies and the relations between their structure and the SAS (substation automation system) functions configured on an IED can be described. The main objective of SCL is to enable an interoperable exchange of communication system configuration data between IED configuration tools and system configuration tools within a multivendor system architecture.

The definitions made in Part 6 can be extended, or the use of values of objects can be restricted, if this is necessary in terms of IEC 61850-8-1 [51] and -9-2 [56] concerning the mappings of the abstract model defined in IEC 61850-7-x to specific communication technologies.

1.2.6.4 Other Control Centers The last pillar (see Figure 1.10) deals with control centers that are not connected via IEC 61850, but via IEC 60870-6. Hence, a communication mainly based on TASE.2 is considered. The shown communication protocol stack was described in Section 1.2.6.2.

1.2.6.4.1 IEC 60870-6 TASE.2 TC 57 WG 7 is developing the IEC 60870-6 standard series Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations, pursuing the goal of providing protocols that are able to run over WANs to interconnect control centers

[Figure 1.10 residue: boxes labeled 60870-6 TASE.2; Other Control Centers; 60870-6-802 Object Models; 60870-6-503 App Services; 60870-6-702 Protocols; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).]

Figure 1.10 Pillar for other control centers.


with heterogeneous databases and EMS applications. Those protocols and their services should be compliant to the OSI layered reference model and use existing ISO standards to the highest possible degree.

TASE.1 was the first published standard, and it was based on the ELCOM-90 protocol. The main objective was to provide the operation of an existing ELCOM-90 protocol over an OSI protocol stack. The TASE.1 API was developed as specified in the ELCOM-90 protocol documentation to enable replacement of one protocol by the other. The following substandards deal with TASE.1 [18]:

• IEC 60870-6-501 Ed. 1.0: TASE.1 Service Definitions
• IEC 60870-6-502 Ed. 1.0: TASE.1 Protocol Definitions
• IEC/TS 60870-6-504 Ed. 1.0: TASE.1 User Conventions
• IEC 60870-6-701 Ed. 1.0: Functional Profile for Providing the TASE.1 Application Service in End Systems

TASE.2 was the successor of TASE.1, providing a utility-specific layer over MMS. It was developed for two major reasons: to provide extended functionalities and to maximize the use of existing OSI-compatible protocols like MMS. Whereas TASE.1 provides SCADA data and device control functionalities, TASE.2 also provides the exchange of information messages (e.g., short binary files) and structured data objects (e.g., transmission schedules). Therefore, a client-server architecture is used; its clients initiate transactions that are processed by the servers. Within the architecture, specific object models are used to define the transactions and services. In addition, the exchanged data were separately defined as static data objects. Hence, a distinction between the exchanged data and the used services was made. In addition to the object model, an anonymous point-oriented model is used to identify the received values and controlled devices. As for TASE.1, the following substandards deal with TASE.2 [18]:

• IEC 60870-6-503 Ed. 2.0: TASE.2 Services and Protocol
• IEC/TR 60870-6-505 Ed. 1.1 Consol. with am1: TASE.2 User Guide
• IEC 60870-6-702 Ed. 1.0: Functional Profile for Providing the TASE.2 Application Service in End Systems
• IEC 60870-6-802 Ed. 2.1 Consol. with am1: TASE.2 Object Models


Beside the TASE.1- and TASE.2-specific substandards, the series comprises the following, more general parts [18]:

• IEC/TR 60870-6-1 Ed. 1.0: Application Context and Organization of Standards
• IEC 60870-6-2 Ed. 1.0: Use of Basic Standards (OSI Layers 1–4)
• IEC 60870-6-601 Ed. 1.0: Functional Profile for Providing the Connection-Oriented Transport Service in an End System Connected via Permanent Access to a Packet Switched Data Network
• IEC/TS 60870-6-602 Ed. 1.0: TASE Transport Profiles

1.2.6.4.2 IEC 60870-6-702 Protocols IEC 60870-6-702 [57] defines a functional profile covering the provision of the TASE.2 communication services between two control center end systems. Furthermore, the provision of the OSI connection-mode presentation and session services between the end systems is defined by the functional profile.

1.2.6.4.3 IEC 60870-6-503 App Services Part 6-503 [58] of IEC 60870 defines the TASE.2 application modeling and service definitions. It specifies a method of exchanging time-critical control center data through WANs and LANs using fully ISO-compliant protocol stacks. Furthermore, it contains provisions for supporting both centralized and distributed architectures. It includes the exchange of real-time data indications, control operations, time series data, scheduling and accounting information, remote program control, and event notification. The use of TASE.2 is not restricted to control center data exchange. It may be applied in any other domain having comparable requirements. Examples of such domains are power plants, factory automation, and process control automation.

This standard does not specify individual implementations or products and does not constrain the implementation of entities and interfaces within a computer system. It specifies the externally visible functionality of implementations together with conformance requirements for such functionalities.

1.2.6.4.4 IEC 60870-6-802 Object Models The primary objective of TASE.2 is transferring data between control systems and initiating control actions. Thereby, data is represented by object instances.


IEC 60870-6-802 [59] proposes object models, representing objects for transfer, from which to define object instances. Local systems need not maintain a copy of every attribute of an object instance.

1.2.7 Security and Data Management

The SIA includes the IEC 62351 security standard as a cross section for data and communication security (in TC 57). It is drafted on the left side of Figure 1.1. IEC 62351 includes eight parts: Part 1 provides a general introduction, and Part 2 includes some definitions used in the standard. Parts 3 to 6 provide security enhancements for [15]

• profiles including TCP/IP (IEC 62351-3),
• profiles including MMS (IEC 62351-4),
• IEC 60870-5 and derivatives (IEC 62351-5), and
• IEC 61850 profiles (IEC 62351-6).

Part 7 of the standard is separately outlined in the SIA overview (see Figure 1.1) and deals with domain-specific data models for network management. An eighth part, which will consider role-based access control, is currently planned and not yet integrated in the SIA overview.

IEC 62351 is a standard for data and communication security. It is not a standard for information security management. Such security management methods can be found in IEC 62443 or, of course, the ISO/IEC 27k series.

Next, we first explain the security enhancements defined in Parts 3 to 6 and their benefits and restrictions. After that, we focus on the network management defined in IEC 62351-7. The last part of this section gives an overview of IEC 62351.

IEC 62351 Parts 3 to 6 provide the security enhancements described next.

1.2.7.1 Secure Communication via IEC 62351-3 IEC 62351-3 deals with the securing of TCP/IP-based protocols. The entire Part 3 standard is about securing the communication on the transport layer through TLS (Transport Layer Security) [60]. In general, TLS, as the successor of SSL (Secure Sockets Layer), realizes a secure communication through hybrid encryption. Such an encryption makes use of asymmetric and symmetric cryptography. The asymmetric cryptography is used to securely establish symmetric keys, and the symmetric keys are used to encrypt the transferred data. Symmetric encryption is used for the bulk data because of its better performance. The asymmetric cryptography, which only initializes the communication process as described, makes use of certificates. Server and client certificates are possible. In general, authentication through a server-based certificate is very common. A certificate is a statement from a trusted third party (TTP) that includes a public key. The TTP guarantees that the included public key belongs to the certificate holder.

To conform to this standard, the following aspects or parameters for the use of TLS must be observed:

• Only TLS version 1.0 (i.e., at least SSL version 3.1) is allowed.
• MACs (message authentication codes) that are optional in TLS shall be used.
• Symmetric keys must be renegotiated by the calling nodes on a time basis. For this cipher renegotiation call, there must be a timeout.
• For certificate management, it is necessary to support more than one certification authority.
• The size of a certificate shall not exceed 8,192 bytes.
• Certificate exchange shall be bidirectional.
• Certificate revocation is specified in RFC 3280.
• Signing via Rivest, Shamir, and Adleman (RSA) or the Digital Signature Standard (DSS) shall be supported.
• Key exchange with a maximum key size of 1,024 bits via RSA or Diffie-Hellman shall be supported.

The secured communication shall be on a separate port so that nonsecured communication can coexist. The use of this security enhancement provides benefits for integrity, confidentiality, and authenticity. The protection goal authenticity is reached through the use of certificates. The encryption of the connections via TLS leads to confidentiality, and the use of MACs brings integrity. There are some restrictions for the use of TLS as a security enhancement. TLS does not address the protection goal availability, so this standard will not protect against denial-of-service attacks. Note also that the parameters above reflect the first edition of Part 3: TLS 1.0 has since been formally deprecated (RFC 8996) and later editions of IEC 62351-3 moved to TLS 1.2, so a new deployment should follow the current edition rather than the values listed here.
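As an added example (not code from the book or from the IEC), here is how the parameters above translate into a Python `ssl` server context for the TLS-protected side of an IEC 60870-5-104 link: a separate listening port next to the plain port 2404, client certificates required (the bidirectional certificate exchange), a revocation check on the peer certificate, an explicit cipher list with RSA-authenticated Diffie-Hellman key exchange and authenticated encryption, and a check of the 8,192-byte certificate limit. The minimum protocol version is set to TLS 1.2 rather than the 1.0 the first edition names, for the reason given above; that choice, the port number 19998 for the secure service, and the certificate file paths are assumptions made for this example. The time-based key renegotiation the standard requires is not something the `ssl` module exposes as a setting; it has to be enforced by the application (tearing the session down and re-establishing it on a timer), so it is left out here.

```python
import ssl

IEC104_PORT = 2404          # the plain (non-TLS) IEC 60870-5-104 port
IEC104_TLS_PORT = 19998     # assumption: a separate port for the TLS-protected service
MAX_CERT_BYTES = 8192       # certificate size limit named by IEC 62351-3

# Cipher list: RSA-authenticated (EC)DHE key exchange with AEAD suites, so that
# integrity protection is always on. Assumption: OpenSSL suite names; adjust to
# the suites your edition of IEC 62351-3 lists.
CIPHERS = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
])


def build_server_context(cert_chain=None, key=None, ca_bundle=None):
    """Server-side SSLContext matching the IEC 62351-3 parameters (TLS 1.2+).
    The file-path arguments are optional so the context can be built and
    inspected offline; in production all three are set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # edition 1 said 1.0; deprecated by RFC 8996
    ctx.verify_mode = ssl.CERT_REQUIRED            # bidirectional certificate exchange
    # Revocation check on the client certificate. With this flag set, the
    # handshake fails unless a CRL for the issuing CA is loaded via ca_bundle.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.set_ciphers(CIPHERS)
    if cert_chain:
        ctx.load_cert_chain(cert_chain, key)
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)       # may hold several CAs and their CRLs
    return ctx


def certificate_size_ok(der):
    """IEC 62351-3: a certificate shall not exceed 8,192 bytes."""
    return len(der) <= MAX_CERT_BYTES


def weak_ciphers(ctx):
    """Enabled pre-TLS-1.3 suites that lack forward secrecy or authenticated
    encryption. TLS 1.3 suites (TLS_...) are always (EC)DHE + AEAD and are skipped."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return [n for n in names
            if not n.startswith("TLS_")
            and (not n.startswith(("ECDHE-", "DHE-")) or "GCM" not in n)]


def context_summary(ctx):
    """The settings a reviewer would check, as plain values."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "weak_ciphers": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    print("plain port", IEC104_PORT, "TLS port", IEC104_TLS_PORT)
    print(context_summary(build_server_context()))
```

The same context with `verify_mode = ssl.CERT_NONE` would still give confidentiality and integrity but lose the client-side half of authenticity, which is the setting the "certificate exchange shall be bidirectional" rule exists to forbid.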

1.2.7.2 Secure Profiles through IEC 62351-4 IEC 62351-4 brings mandatory and optional security enhancements for a secure communication when using MMS (ISO/IEC 9506). IEC 61850-8-1 and IEC 60870-6 use MMS, either the OSI or the TCP profile, in a seven-layer connection-oriented mechanism, which is drafted in Figure 1.11. Therefore, different security profiles are considered as A and T profiles in this standard. Both can be found in the TC 57 context. The security profiles define protocols and requirements for the layers of the OSI reference model. The A profiles or application profiles are concerned with OSI layers five to seven, and the T profiles or transport profiles are pertinent to layers one to four. One can see these determinations on the right side of Figure 1.11. At the bottom of Figure 1.11, one can see a further distinction of the T profile into the OSI T profile and the TCP T profile. The security of OSI T profiles is out of the scope of IEC 62351-4 [61].

An implementation of MMS must support secure profiles to be compliant with this standard. There must be a possibility to use certificates for authentication. Furthermore, there must be a possibility to decide whether a secure or a nonsecure profile is required for the acceptance or initiation of communication, or whether it is not required. A secure security log is recommended. For peer authentication,

[Figure 1.11 residue: OSI reference model layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data link, 1 Physical. A-profile: MMS, ACSE; ISO presentation; ISO session. OSI T-profile: ISO TP4; ISO CLNP; IEEE 802.3. TCP T-profile: ISO TP0; RFC-1006; TCP; IP; IEEE 802.3.]

Figure 1.11 Profile security. (Reprinted with permission from International Electrotechnical Commission (IEC). 62351-7: Data and Communication Security, Security through Network and System Management (2007). Geneva, Switzerland: IEC.)


the Association Control Service Element (ACSE) (ISO 8650) shall use the ACSE authentication mechanism and authentication value fields. To be backward compatible, authentication values can be omitted for nonsecure profiles. A certificate-based MMS authentication value includes a signature certificate, a timestamp, and a signed value. Certificates must have a maximum size of 8,192 octets and shall be based on X.509. The signed value is a timestamp hashed with the Secure Hash Algorithm (SHA-1) and signed with RSA. If the sent timestamp differs from the encoded timestamp, the connection shall be refused. There are some other conditions for a connection abort. Messages older than 10 minutes will be ignored. So, there is a window of vulnerability of 10 minutes, during which the same signed value could be replayed by an attacker who captured it: the timestamp check alone does not tie the value to a particular association, so a receiver that wants to close the window has to remember the values it has already accepted.

To be compliant to this standard, secure TCP T profiles must be used. In Figure 1.11, one can see the TCP T profile drafted on the right. Below ISO TP0, the TCP T profile stacks RFC 1006 (the ISO transport service on top of TCP), TCP, IP, and IEEE 802.3 (Ethernet). This standard does not specify security measures for these protocols themselves or describe the use of TLS. It focuses on the layer 4 ISO TP0 protocol and specifies a secure RFC 1006 profile. This standard defines ports for the use of secure and nonsecure T profiles. The TLS defined in IEC 62351-3 shall be used. Furthermore, this standard defines things like the transport protocol data units (TPDUs) to be ignored, the size of transport selectors (TSELs), the size of certificates, the time to check certificate revocation, and recommended TLS cipher suites.

1.2.7.3 Authentication Technique of IEC 62351-5 Part–5oftheiecd62351standarddealswithsecuringiec60870-5protocolsandderi-vates. it focuses on authentication mechanisms on the applicationlayer.securitygoalslikeconfidentialityofdataareoutofthescopeofthisstandard,butwheniec60870-5-104isinuse,part–3ofthisstandardshallbementioned.62

Theprotocolsthatshallbesecuredthroughthisspecificationcomewithspecificcircumstances.Theconsideredprotocolsofthissecurityenhancementhaveanasymmetriccommunicationandmessageori-entationincommon.Thereisacontrollingandacontrolledstation,sowehaveabidirectionalcommunication.Therearesomesecurity

44 seCurity and PrivaCy in smart Grids

challengeswiththiskindofprotocol,whichavoidstheadoptionofsomesecuritymechanisms.someofthesechallengesaremissingorpoor sequencenumbersandmissingorpoor integritymechanisms,limitedframelength,longupgradeintervals,andmore.

Theauthenticationmechanismdescribedinthisspecificationmakesuseofagenericchallenge-responseconcept,whichshallbemappedinto different standards. The key element for the authentication isakeyedhashmessageauthenticationcode(hMac).ahMacisaMacwithaspecifichashalgorithm.BycreatinganhMac,ahashvalueofamessageisgeneratedandthenencryptedwithasharedsecretandsymmetrickey.Thelistenerwhoalsoknowsthesecretcanperformthehashingandencryption, so that the listenerknowswhether themessagewasmodifiedandthatonlytheotherpersonwiththesecretkeycouldhavesentthemessage.anhMacisnotadigitalsignaturebecausetheMackeyisknownbymorethanoneperson.Throughhashing,manipulationofmessagescanbedetected,sothisaccountsforintegrityrequirements.TheuseofasharedsecretkeyforthehMacbetweenbothsidesgainsauthenticity.toreachasecurekeyexchangebetweenthenodes,therearethreedifferentkeys:anupdatekey,amon-itoringsessionkey,andacontrolsessionkey.Theupdatekeyisusedtoencryptthesessionkeys.forsecurityreasons,therearetwodifferentsessionkeysforthemonitoringandcontroldirection.Theupdatekeyisapresharedsecret.Theprocesstosecurelyupdateuniquekeys(Uks)orapublickeymechanismforthatisoutofthescopeofthisstandard.Theexistenceofanupdatekeyisapreconditionforeverynode.

The authentication process specified in this standard is used for critical messages, but also for periodic messages. Before performing critical protocol messages (application service data units, ASDUs), the executor of such a message will initiate an authentication. The challenger of the critical ASDU has to start an authentication challenge, to which the executor will respond via an authentication response. Before authentication via an HMAC, it will be checked whether a common secret session key exists. The session key has to be transferred encrypted with the update key.
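As an added illustration (not from the standard or the chapter), the following Python sketch walks through the challenge-response exchange just described: the station that receives a critical ASDU issues a challenge, the sender answers with an HMAC under the session key of that direction, and altered, replayed or wrong-direction responses are rejected. Message layouts, field sizes, key names and the sample ASDU text are constructed assumptions, and the transfer of the session keys under the update key is assumed to have happened already.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the IEC 62351-5 challenge-response idea. The
# station that receives a critical ASDU issues the challenge; the sender has
# to answer it with an HMAC under the session key of that direction. Message
# layouts, field sizes and the key names are assumptions for this example,
# not the standard's encoding; the transport of the session keys under the
# update key is assumed to have happened already.

CONTROL = b"control"   # direction: controlling station -> controlled station
MONITOR = b"monitor"   # direction: controlled station -> controlling station


class Station:
    """One end of the link, holding the two direction-specific session keys."""

    def __init__(self, control_key: bytes, monitor_key: bytes) -> None:
        self._keys = {CONTROL: control_key, MONITOR: monitor_key}
        self._seq = 0

    def make_challenge(self) -> bytes:
        # Sequence number plus random nonce: the nonce makes every challenge
        # unpredictable, so an earlier response cannot be replayed against it.
        self._seq += 1
        return self._seq.to_bytes(4, "big") + secrets.token_bytes(16)

    def respond(self, direction: bytes, challenge: bytes, asdu: bytes) -> bytes:
        # The HMAC binds the challenge and the ASDU together under the session
        # key, so it proves both key possession and that the ASDU is unchanged.
        return hmac.new(self._keys[direction], direction + challenge + asdu,
                        hashlib.sha256).digest()

    def verify(self, direction: bytes, challenge: bytes, asdu: bytes,
               response: bytes) -> bool:
        expected = self.respond(direction, challenge, asdu)
        # Constant-time comparison: do not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(asdu: bytes, tampered_asdu: bytes) -> dict:
    """One authenticated critical ASDU followed by three rejected variants."""
    control_key = secrets.token_bytes(32)   # constructed session keys
    monitor_key = secrets.token_bytes(32)
    controller = Station(control_key, monitor_key)   # controlling station
    outstation = Station(control_key, monitor_key)   # controlled station

    # 1. The controller sends a critical ASDU; the outstation challenges it
    #    and the controller answers with the HMAC. Accepted.
    challenge = outstation.make_challenge()
    response = controller.respond(CONTROL, challenge, asdu)
    accepted = outstation.verify(CONTROL, challenge, asdu, response)

    # 2. Same response, but the ASDU was altered in transit: integrity failure.
    modified = outstation.verify(CONTROL, challenge, tampered_asdu, response)

    # 3. The old response presented for a fresh challenge: replay failure.
    replayed = outstation.verify(CONTROL, outstation.make_challenge(),
                                 asdu, response)

    # 4. A response computed under the monitoring-direction key for a
    #    control-direction message: the two session keys are not interchangeable.
    wrong_direction = outstation.verify(
        CONTROL, challenge, asdu, controller.respond(MONITOR, challenge, asdu))

    return {"accepted": accepted, "modified": modified,
            "replayed": replayed, "wrong_direction": wrong_direction}
```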

To be backward compatible, a nonsecure mode of communication shall also be mentioned and remain possible. There are some further requirements like interoperability requirements and conformance statements for special applications within this standard.


1.2.7.4 PDU Security Extension of IEC 62351-6

Part 6 of IEC 62351 deals with the security of the IEC 61850 protocols. Profiles using MMS shall mention IEC 62351-4. Profiles using Simple Network Time Protocol (SNTP) should use RFC 2030 with authentication algorithms. This standard specifies PDU enhancements. The PDU shall include a MAC, which can be used for authentication. Figure 1.12 illustrates this extension.

An Application Protocol Data Unit (APDU) shall only be processed if the calculated MAC is identical to the sent MAC. Messages older than 2 minutes shall be ignored to avoid replay of GOOSE or Sampled Measured Value (SMV) messages.
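As an added illustration (not from the standard or the chapter), the following Python sketch models the receiver-side checks behind the two rules above: the MAC over the PDU plus extension must match before anything else is trusted, and a frame older than two minutes is dropped. The framing (a length and millisecond-timestamp header followed by the PDU and a 32-byte HMAC-SHA256 tail), the key and the sample PDU are constructed assumptions; the real standard uses the GOOSE/SMV encoding and its own timestamp field.

```python
import hashlib
import hmac
import struct

# Constructed example of the IEC 62351-6 idea in Figure 1.12: the GOOSE/SMV
# PDU is followed by an extension carrying an authentication value, and the
# receiver discards any frame whose MAC does not match or that is older than
# two minutes. The field layout, key and timestamp encoding are assumptions
# for this illustration, not the standard's encoding.

MAX_AGE_MS = 120 * 1000        # "messages older than 2 minutes shall be ignored"
MAC_LEN = 32                   # HMAC-SHA256 authentication value
_HDR = struct.Struct("!HQ")    # assumed header: PDU length, send time in ms


def build_extended_pdu(key: bytes, pdu: bytes, sent_ms: int) -> bytes:
    """Sender side: header + PDU, then the HMAC over both as the extension."""
    header = _HDR.pack(len(pdu), sent_ms)
    auth = hmac.new(key, header + pdu, hashlib.sha256).digest()
    return header + pdu + auth


def check_extended_pdu(key: bytes, frame: bytes, now_ms: int) -> tuple:
    """Receiver side: returns (accepted, reason, pdu).

    The MAC is verified before any field of the frame, including the
    timestamp, is relied upon; only then is the age limit applied.
    """
    if len(frame) < _HDR.size + MAC_LEN:
        return (False, "truncated", b"")
    pdu_len, sent_ms = _HDR.unpack_from(frame)
    body_end = _HDR.size + pdu_len
    if len(frame) != body_end + MAC_LEN:
        return (False, "length mismatch", b"")
    pdu, auth = frame[_HDR.size:body_end], frame[body_end:]
    expected = hmac.new(key, frame[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, auth):   # constant-time compare
        return (False, "bad MAC", b"")
    if now_ms - sent_ms > MAX_AGE_MS:
        # Inside the window the MAC alone cannot tell a replayed frame from a
        # fresh one; a real receiver also tracks the GOOSE state/sequence numbers.
        return (False, "stale (replay window)", b"")
    return (True, "ok", pdu)
```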

To conform to this standard, SCL has to be enhanced. It must include certificates to realize authentication and encryption. The access point definition of SCL must include GOOSE-Security (IEC 61850-8-1) and SMV-Security (IEC 61850-9-2).

Encryption is not recommended for applications using GOOSE and IEC 61850-9-2 in combination with multicast because of the response time requirements.63

[Figure 1.12 image: Current Header | Secure Header | Reserved | Header Length | Extended PDU (GOOSE/SMV PDU + Extension) | CRC | Authentication Value (Digital Signature-HMAC)]

Figure 1.12 Extended PDU. (Reprinted with permission from International Electrotechnical Commission (IEC). 62351: Data and Communication Security (2006). Geneva, Switzerland: IEC.)

1.2.7.5 Intrusion Detection with IEC 62351-7

Part 7 of IEC 62351 is about network and system management for power systems. Therefore, it specifies abstract data models for controlling and monitoring the network and connected devices. The information of these data models shall be used as additional information for intrusion detection systems. The intention of this standard is to take availability requirements into account. The monitoring of the network and connected devices shall detect attacks. Also, the controlling of the network and connected devices shall react on a detected attack.61 IEC 62351-7 does not define actions for alarms corresponding to these monitoring data models or specify the protocols to which the abstract data models could be mapped. In Figure 1.13, one can see the basic elements of a power system operation system and corresponding elements of the security-monitoring architecture of IEC 62351.61

[Figure 1.13 image: Control Center (Engineering Systems, Security Client, Historical Database and Data Interface, SCADA System, TASE.2 link to External Systems, Operator User Interface) connected over a WAN to a Substation (Security Server, Substation Master, Circuit Breaker, Protection Relay, Load Tap Changer, PT, CT, Feeders, Voltage Regulator, Automated Switch, Capacitor Bank Controller). Legend: Clients, Servers, Firewall, IDS, NSM data objects, Other.]

Figure 1.13 Security monitoring architecture of IEC 62351-7. CT, current transformer; IDS, intrusion detector system; NSM, network and system management; PT, potential transformer. (Reprinted with permission from International Electrotechnical Commission (IEC). 62351-7: Data and Communication Security Security through Network and System Management (2007). Geneva, Switzerland: IEC.)

1.3 Application of the SIA

At first, it should be clear that the SIA is not a step-by-step guide to build an ICT infrastructure in the energy domain, but a blueprint that focuses on IEC-specific standards. To use the SIA, it is necessary to integrate the architecture in the company workflow or build up an entirely new process. The next section presents an example of how to use the SIA.

Figure 1.14 shows a rough procedure model on how to create a specific SIA that fits custom needs. The described procedure model is based on the specification of methods as described by Gutzwiller.64 According to Gutzwiller, a method is described using the following elements: activity, role, specification document, metamodel, and technique. Here, we present only a rough procedure model and therefore focus on activities (steps), roles, and specification documents. The steps are illustrated as flow diagrams enhanced by roles and specification documents.

The first goal should be the creation of a SIA-based architecture with specific adaptations. To achieve this, a thorough analysis of the current state as well as the target requirements is necessary (see Step 1). In addition, the regulatory and technical requirements must be taken into account. Also, many companies have internal corporate standards that should contribute to the requirements.

[Figure 1.14 image: flow diagram with columns Activities, Documents and Roles. Step 1 (IT experts, domain experts): analysis of the current state; target requirement analysis; regulatory and technical requirements and corporate standards; result: requirement documents. Step 2 (IT experts, standards experts): selection of usable parts out of the SIA; result: selected standards. Step 3 (IT experts, standards experts, domain experts): does the SIA include all parts to meet the requirements? No: create necessary extensions. Yes: create company- or project-specific expression of the SIA; result: SIA-based adapted architecture.]

Figure 1.14 Create a company- or project-specific expression of the SIA.

With these previously identified specifications, the usable parts have to be selected from the original SIA (see Figure 1.15 for a fictional example), Step 2 in Figure 1.14.

Step 3 includes the decision about the completeness of the cutout of the SIA. If one or more requirements are not met, it is necessary to extend the SIA with custom parts. These extensions could consist of other non-IEC standards, corporate standards, or regulatory rules. An example result document of an adapted architecture can be seen in Figure 1.16. The unused parts have been removed, and the used ones have been slightly shrunk together. At the bottom left, there is an example extension with the OPC UA IEC 62541 standard.

This adapted architecture can now be used as a starting point in new or migration projects. Based on this, it is possible to construct requirements and roadmaps or even checklists to track the progress of adapting the SIA in the implementation process.

[Figure 1.15 image: layered selection from the SIA. Field level: 61850 Substation Devices, 61850 Devices Beyond the Substation, Field Devices and Systems using Web Services (DERs, Meters, IEDs, Relays, Switchgear, CTs, VTs). Above: 61850-7-3, 7-4 Object Models; 61850-7-2 ACSI; 61850-8-1 Mapping to MMS; Mapping to Web Services; Existing Object Models; 61850-6 Engineering; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet); Data Acquisition and Control Front-End/Gateway/Proxy Server/Mapping Services/Role-based Access Control; Inter-System/Application Profiles (CIM XML, CIM RDF); EMS Apps; Technology Mappings; CIM Extensions, 61970/61968 Common Information Model (CIM). Vertical bar: End-to-end Security Standards and Recommendations (62351 1-6).]

Figure 1.15 Fictional example of the selected SIA parts.

One additional important point has to be taken into account. The SIA does not dictate the implementation of the interfaces between the standards across the layers. It is necessary to consult the specific standard documentation for implementation details for the recommended interfaces.

Furthermore, there is a lack of harmonization work between particular standards. This leads to an individual mapping with a certain degree of freedom, which results in unique characteristics.

The IEC is developing a smart grid mapping tool to support the creation process for an adapted architecture, primarily for the identification and selection of parts from the SIA. It consists mainly of a metadata database that also contains information on the included standards and the direct or indirect connections to other standards within the SIA. One potential application is to select a starting standard, check the connections in all directions, and select the requested standards to reiterate the procedure with the newly selected one to get the favored set of standards. Furthermore, the data include information about the application domains of standards within the energy domain like advanced metering infrastructure (AMI) or DER etc., so it should be possible to select the desired target domain and obtain all the relevant standards for it.

[Figure 1.16 image: the adapted architecture. Top: Data Acquisition and Control Front-End/Gateway/Proxy Server/Mapping Services/Role-based Access Control; Inter-System/Application Profiles (CIM XML, CIM RDF); EMS Apps; Technology Mappings; CIM Extensions, 61970/61968 Common Information Model (CIM). Vertical bar: End-to-End Security Standards and Recommendations (62351 1-6). Field level: 61850 Substation Devices, 61850 Devices Beyond the Substation, Field Devices and Systems using Web Services (DERs, Meters, IEDs, Relays, Switchgear, CTs, VTs); 61850-7-3, 7-4 Object Models; 61850-7-2 ACSI with mappings to 62541 OPC UA Parts 3-7 (Models) and 62541 OPC UA Parts 8-11 (Services); 61850-8-1 Mapping to MMS; Mapping to Web Services; Existing Object Models; 61850-6 Engineering; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).]

Figure 1.16 SIA-based adapted architecture.

1.4 Summary and Outlook

This chapter showed the recommended standards necessary for a successful integration of technical smart grid infrastructures. The agreed-on and used standards solve the challenge of technical integration. In particular, the TC 57 reference architecture (IEC TR 62357) was examined in more detail. It provides an architecture and overview for standards of IEC TC 57, whose standards have also been referenced by various national and international smart grid standardization roadmaps (e.g., References 1–4).

In the TC 57 reference architecture, the integration of business partners was considered to connect the smart grid's associated businesses, such as the energy markets and utilities. Furthermore, standards for integration of field devices with SCADA systems were described, and details on which standards can be applied for the important cross-cutting concerns security and data management were provided.

The IEC TR 62357 reference architecture provides a comprehensive framework of standards to integrate various smart grid participants. Currently, standards need to be harmonized to achieve a seamless integration, which is already one of the TC's key objectives. A special issue being addressed at present is the harmonization between IEC 61970/61968 (CIM) and IEC 61850. WG 19, originally founded to resolve model differences where there is an overlap between standards and to develop a vision for TC 57 for the future architecture, has already treated this issue to some degree. Despite harmonization efforts, modifications to standards themselves might become necessary, as for instance proposed for IEC CIM 61970/61968,20 or new standards might emerge, which have to be considered independent standards. In addition, other standards that are out of the TC's scope are to be considered for integration, like the OPC UA, shown in the example in Section 1.3. According to this approach, the reference architecture has to evolve constantly and incorporate these changes.

The future vision for the reference architecture establishes a basis for seamless integration of technical systems involved in the smart grid and thus moves closer to realization of the vision of the future power grid. Recognizing that a single, agreed information model (CIM) can avoid mappings and inconsistencies between standards and, beyond that, is open to and linked with other related TCs and industry consortiums will clearly influence the current picture of the SIA.

References

1. Deutsche Kommission Elektrotechnik (DKE). Die deutsche Normungsroadmap E-Energy/Smart Grid (2010). Frankfurt, Germany: VDE.

2. National Institute for Standards and Technology. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (2010). http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf

3. Japan's Roadmap to International Standardization for Smart Grid and Collaborations with Other Countries (2010).

4. State Grid China. SGCC Framework and Roadmap for Strong and Smart Grid Standards (2010).

5. S. Rohjans, M. Uslar, R. Bleiker, J. González, M. Specht, T. Suding, and T. Weidelt. Survey of smart grid standardization studies and recommendations. In First IEEE International Conference on Smart Grid Communications (2010), pp. 583–588.

6. M. Uslar, S. Rohjans, R. Bleiker, J. M. González, T. Suding, M. Specht, and T. Weidelt. Survey of smart grid standardization studies and recommendations—Part 2. In First IEEE International Conference on Smart Grid Communications (2010), pp. 1–6.

7. International Electrotechnical Commission (IEC). 60870-5-101 Ed. 2.0: Telecontrol Equipment and Systems—Part 5-101: Transmission Protocols—Companion Standard for Basic Telecontrol Tasks (2003). Geneva, Switzerland: IEC.

8. International Electrotechnical Commission (IEC). 61334-1-1 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 1: General Considerations—Section 1: Distribution Automation System Architecture (1995). Geneva, Switzerland: IEC.


9. International Electrotechnical Commission (IEC). 61400-25-1 Ed. 1.0: Wind Turbines—Part 25-1: Communications for Monitoring and Control of Wind Power Plants—Overall Description of Principles and Models (2006). Geneva, Switzerland: IEC.

10. International Electrotechnical Commission (IEC). 61850-1 Ed. 1.0: Communication Networks and Systems in Substations—Part 1: Introduction and Overview (2003). Geneva, Switzerland: IEC.

11. International Electrotechnical Commission (IEC). 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements (2007). Geneva, Switzerland: IEC.

12. International Electrotechnical Commission (IEC). 61970-1 Ed. 1: Energy Management System Application Program Interface (EMS-API)—Part 1: Guidelines and General Requirements (January 2005). Geneva, Switzerland: IEC.

13. International Electrotechnical Commission (IEC). 62056-21 Ed. 1.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 21: Direct Local Data Exchange (2002). Geneva, Switzerland: IEC.

14. International Electrotechnical Commission (IEC). 62325-101 DTR Ed. 1: Framework for Energy Market Communications Part 101: General Guidelines and Requirements (January 2004). Geneva, Switzerland: IEC.

15. International Electrotechnical Commission (IEC). 62351: Data and Communication Security (2006). Geneva, Switzerland: IEC.

16. International Electrotechnical Commission (IEC). IEC 62357 Second Edition: TC 57 Architecture—Part 1: Reference Architecture for TC 57—Draft (2009). Geneva, Switzerland: IEC.

17. International Electrotechnical Commission (IEC). 61970-2 Ed. 1: Energy Management System Application Program Interface (EMS-API)—Part 2: Glossary (January 2003). Geneva, Switzerland: IEC.

18. International Electrotechnical Commission (IEC). Webstore International Electrotechnical Commission (2011). http://webstore.iec.ch (accessed March 30, 2011).

19. Electric Power Research Institute (EPRI). An Introduction to the CIM for Integrating Distribution (2008). Palo Alto, CA: EPRI.

20. M. Uslar, S. Rohjans, M. Specht, and J. Gonzales. What is the CIM lacking? In First IEEE International Conference on Smart Grid Communications (2010), pp. 1–8.

21. International Electrotechnical Commission (IEC). 61970-452: Energy Management System Application Program Interface (EMS-API)—Part 452: CIM Transmission Network Model Exchange Profile (2009). Geneva, Switzerland: IEC.

22. International Electrotechnical Commission (IEC). 61968-13 Ed. 1: Application Integration at Electric Utilities—System Interfaces for Distribution Management—Part 13: CIM RDF Model Exchange Format for Distribution (2008). Geneva, Switzerland: IEC.


23. OFFIS, SCC Consulting, and M. Management Coaching. Untersuchung des Normungsumfeldes zum BMWi-Förderschwerpunkt 'E-Energy—IKT-basiertes Energiesystem der Zukunft' (2009).

24. Open Management Group (OMG). MDA Guide Version 1.0.1 (2003).

25. International Electrotechnical Commission (IEC). 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements (Draft) (2010). Geneva, Switzerland: IEC.

26. International Electrotechnical Commission (IEC). 62056-46 Ed. 1.1 Consol. with am1: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 46: Data Link Layer Using HDLC Protocol (2007). Geneva, Switzerland: IEC.

27. International Electrotechnical Commission (IEC). 62056-53 Ed. 2.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 53: COSEM Application Layer (2006). Geneva, Switzerland: IEC.

28. International Electrotechnical Commission (IEC). 62056-42 Ed. 1.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 42: Physical Layer Services and Procedures for Connection-Oriented Asynchronous Data Exchange (2002). Geneva, Switzerland: IEC.

29. International Electrotechnical Commission (IEC). 62056-61 Ed. 2.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 61: Object Identification System (OBIS) (2006). Geneva, Switzerland: IEC.

30. International Electrotechnical Commission (IEC). 62056-62 Ed. 2.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 62: Interface Classes (2006). Geneva, Switzerland: IEC.

31. International Electrotechnical Commission (IEC). 62051 Ed. 1.0: Electricity Metering—Glossary of Terms (1999). Geneva, Switzerland: IEC.

32. International Electrotechnical Commission (IEC). 61334-4-1 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 4: Data Communication Protocols—Section 1: Reference Model of the Communication System (1996). Geneva, Switzerland: IEC.

33. International Electrotechnical Commission (IEC). 61334-6 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 6: A-XDR Encoding Rule (2000). Geneva, Switzerland: IEC.

34. International Electrotechnical Commission (IEC). 61334-5-1 Ed. 2.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-1: Lower Layer Profiles—The Spread Frequency Shift Keying (S-FSK) Profile (2001). Geneva, Switzerland: IEC.

35. International Electrotechnical Commission (IEC). 61334-5-2 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-2: Lower Layer Profiles—Frequency Shift Keying (FSK) Profile (1998). Geneva, Switzerland: IEC.


36. International Electrotechnical Commission (IEC). 61334-5-3 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-3: Lower-Layer Profiles—Spread Spectrum Adaptive Wideband (SS-AW) Profile (2001). Geneva, Switzerland: IEC.

37. International Electrotechnical Commission (IEC). 61334-5-4 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-4: Lower Layer Profiles—Multi-carrier Modulation (MCM) Profile (2001). Geneva, Switzerland: IEC.

38. International Electrotechnical Commission (IEC). 61334-5-5 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-5: Lower Layer Profiles—Spread Spectrum—Fast Frequency Hopping (SS-FFH) Profile (2001). Geneva, Switzerland: IEC.

39. International Electrotechnical Commission (IEC). 61334-4-511 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 4-511: Data Communication Protocols—Systems Management—CIASE Protocol (2000). Geneva, Switzerland: IEC.

40. International Electrotechnical Commission (IEC). 61334-4-512 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 4-512: Data Communication Protocols—System Management Using Profile 61334-5-1—Management Information Base (MIB) (2001). Geneva, Switzerland: IEC.

41. International Electrotechnical Commission (IEC). 61334-3-21 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 3: Mains Signalling Requirements—Section 21: MV Phase-to-Phase Isolated Capacitive Coupling Device (1996). Geneva, Switzerland: IEC.

42. International Electrotechnical Commission (IEC). 61334-3-22 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 3-22: Mains Signalling Requirements—MV Phase-to-Earth and Screen-to-Earth Intrusive Coupling Devices (2001). Geneva, Switzerland: IEC.

43. International Electrotechnical Commission (IEC). 60870-5-102 Ed. 1.0: Telecontrol Equipment and Systems—Part 5: Transmission Protocols—Section 102: Companion Standard for the Transmission of Integrated Totals in Electric Power Systems (1996). Geneva, Switzerland: IEC.

44. International Electrotechnical Commission (IEC). 60870-5-103 Ed. 1.0: Telecontrol Equipment and Systems—Part 5-103: Transmission Protocols—Companion Standard for the Informative Interface of Protection Equipment (1997). Geneva, Switzerland: IEC.

45. International Electrotechnical Commission (IEC). 60870-5-104 Ed. 2.0: Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles (2006). Geneva, Switzerland: IEC.

46. International Electrotechnical Commission (IEC). 61850-7-4 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 7-4: Basic Communication Structure—Compatible Logical Node Classes and Data Object Classes (2010). Geneva, Switzerland: IEC.


47. International Electrotechnical Commission (IEC). 61850-7-2 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 7-2: Basic Information and Communication Structure—Abstract Communication Service Interface (ACSI) (2010). Geneva, Switzerland: IEC.

48. International Electrotechnical Commission (IEC). 61850-6 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 6: Configuration Description Language for Communication in Electrical Substations Related to IEDs (2009). Geneva, Switzerland: IEC.

49. International Electrotechnical Commission (IEC). 61850-7-410 Ed. 1.0: Communication Networks and Systems for Power Utility Automation—Part 7-410: Hydroelectric Power Plants—Communication for Monitoring and Control (2007). Geneva, Switzerland: IEC.

50. International Electrotechnical Commission (IEC). 61850-7-420 Ed. 1.0: Communication Networks and Systems for Power Utility Automation—Part 7-420: Basic Communication Structure—Distributed Energy Resources Logical Nodes (2009). Geneva, Switzerland: IEC.

51. International Electrotechnical Commission (IEC). 61850-8-1 Ed. 1.0: Communication Networks and Systems in Substations—Part 8-1: Specific Communication Service Mapping (SCSM)—Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3 (2004). Geneva, Switzerland: IEC.

52. International Electrotechnical Commission (IEC). 61850-7-3 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 7-3: Basic Communication Structure—Common Data Classes (2010). Geneva, Switzerland: IEC.

53. International Electrotechnical Commission (IEC). 61850-7-1 Ed. 1.0: Communication Networks and Systems in Substations—Part 7-1: Basic Communication Structure for Substation and Feeder Equipment—Principles and Models (2003). Geneva, Switzerland: IEC.

54. International Electrotechnical Commission (IEC). 61400-25-2 Ed. 1.0: Wind Turbines—Part 25-2: Communications for Monitoring and Control of Wind Power Plants—Information Models (2006). Geneva, Switzerland: IEC.

55. International Electrotechnical Commission (IEC). 61400-25-4 Ed. 1.0: Wind Turbines—Part 25-4: Communications for Monitoring and Control of Wind Power Plants—Mapping to Communication Profile (2008). Geneva, Switzerland: IEC.

56. International Electrotechnical Commission (IEC). 61850-9-2 Ed. 1.0: Communication Networks and Systems in Substations—Part 9-2: Specific Communication Service Mapping (SCSM)—Sampled Values over ISO/IEC 8802-3 (2004). Geneva, Switzerland: IEC.

57. International Electrotechnical Commission (IEC). 60870-6-702 Ed. 1.0: Telecontrol Equipment and Systems—Part 6-702: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations—Functional Profile for Providing the TASE.2 Application Service in End Systems (1998). Geneva, Switzerland: IEC.


58. International Electrotechnical Commission (IEC). 60870-6-503 Ed. 2.0: Telecontrol Equipment and Systems—Part 6-503: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations—TASE.2 Services and Protocol (2002). Geneva, Switzerland: IEC.

59. International Electrotechnical Commission (IEC). 60870-6-802 Ed. 2.1 Consol. with am1: Telecontrol Equipment and Systems—Part 6-802: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations—TASE.2 Object Models (2005). Geneva, Switzerland: IEC.

60. International Electrotechnical Commission (IEC). 62351-3: Data and Communication Security Profiles Including TCP/IP (2005). Geneva, Switzerland: IEC.

61. International Electrotechnical Commission (IEC). 62351-7: Data and Communication Security Security through Network and System Management (2007). Geneva, Switzerland: IEC.

62. International Electrotechnical Commission (IEC). IEC 62351-5: Data and Communication Security Security for IEC 60870-5 and Derivatives (2007). Geneva, Switzerland: IEC.

63. International Electrotechnical Commission (IEC). IEC 62351-6: Data and Communication Security Security for IEC 61850 Profiles (2005). Geneva, Switzerland: IEC.

64. T. Gutzwiller. Das CC RIM-Referenzmodell für den Entwurf von betrieblichen, transaktionsorientierten Informationssystemen. PhD thesis, Hochschule St. Gallen für Wirtschafts-, Rechts- und Sozialwissenschaften, St. Gallen, Switzerland (1994).


2 Smart Grid and Cloud Computing

Minimizing Power Consumption and Utility Expenditure in Data Centers

Sumit Kumar Bose, Michael Salsburg, Scott Brock, and Ronald Skeoch

Contents

2.1 Introduction 58
2.2 Service-Level Agreements 60
2.3 Live Migration of a VM Image in Cloud Computing 62
2.3.1 Data Migration 63
2.3.2 Network Migration 64
2.4 Architecture 66
2.4.1 Application Manager 67
2.4.2 Site Broker 68
2.4.3 Hybrid Cloud Broker 68
2.5 Solutions 69
2.5.1 Application Manager 69
2.5.2 Site Broker 73
2.5.3 Hybrid Cloud Broker 76
2.6 Smart Meters and Smart Loads 77
2.6.1 The Data Center Smart Grid 78
2.6.2 Smart Appliances in the Data Center 79
2.7 Conclusions 81
References 82
Bibliography 83


Today's "Internet-scale" systems may be made up of several hundred or thousand servers spread across many geographies. These systems consume several megawatts of electricity a day. It is important therefore to build systems that are optimized for power management. However, building such a system is a challenge as trade-offs between application performance and power consumption need to be considered. In this chapter, we discuss recent advancements in cloud computing and smart grid technologies to design a power management system that helps reduce the power expenditure incurred by a cloud provider without "overtly" sacrificing the performance of the applications hosted by it. In particular, this chapter discusses ways in which a cloud provider can respond to various dynamic pricing signals received by the smart meters installed at its facilities, called data centers, by autonomously moving "noncritical" applications to remote sites during peak electric grid load situations by leveraging techniques from cloud computing.

2.1 Introduction

Today's "Internet-scale" systems are housed in geographically distributed server farms, typically known as data centers. These data centers may contain several hundred or thousand servers and are among the largest consumers of electricity. It is important in such scenarios to monitor not only the cost of managing the information technology (IT) infrastructure but also the cost of powering the IT infrastructure, also called the energy cost. It is estimated that the power expenditure is nearly one-fourth of the total operational cost of modern data centers. For example, the power consumption in data centers accounts for 1.2% of the overall electricity consumption in the United States and is projected to keep growing at 18% every year.1 In light of these growing statistics, it is important to profile and infer the power utilization characteristics of applications and execute them in an efficient manner. Numerous research works in the past have explored strategies for efficient execution of applications with the aim of minimizing power consumption.2–4

In the following paragraphs, we discuss ways to monitor and manage the power consumption of applications during peak power grid load-occurring situations. Monitoring and managing power consumption at peak power grid load-occurring situations is crucial as the electricity expenditure during a peak power grid load-occurring situation could be overwhelmingly large compared to the total electricity expenditure during nonpeak load situations. The reason behind this is partly due to temporal variation in electricity prices: The electricity price in peak power grid situations is high due to demand-supply mismatch and the high cost of generating electricity at high loads. Information about dynamic pricing is communicated by the power utilities distribution companies to their consumers using smart meters and advanced metering infrastructures called smart grids as part of demand response (DR) programs.

With the help of smart meters installed at different data centers of a cloud provider, the power distribution companies can remotely monitor the electricity consumption at these centers. These power distribution companies can then make use of these advanced metering systems, if required, to push appropriate DR signals to data centers when faced with power shortages. From the perspective of a cloud provider, the DR signals received by them provide the necessary pricing information and indicate the prices that the power distribution company will charge the cloud provider for consuming electricity during periods of peak power grid load. In addition, it may specify a penalty that the cloud provider will incur if it fails to fulfill its commitment of curtailing its electricity consumption during these periods. To reduce its electricity consumption during such situations, a cloud provider needs to identify a subset of applications that it can afford to operate at suboptimal performance levels for brief durations and another subset of applications that it can afford to migrate to remote cloud locations. In the following paragraphs, we discuss the recent advancements in virtual machine (VM) migration technologies within cloud computing5 and how these advancements can be leveraged to achieve this objective. This intelligent migration of VMs across different virtualized data centers in an autonomic manner helps to minimize power consumption during peak power grid load situations with minimal impact on application performance.

The chapter is organized as follows: Section 2.2 discusses the service-level agreements (SLAs) and the application assortment problem. Section 2.3 discusses the server virtualization and the cloud computing technology that enable seamless movement of applications from one data center to another. Section 2.4 outlines the detailed solution architecture and describes the interaction of the different solution components. Section 2.5 discusses the various components of the architecture at length and develops appropriate mathematical models for each of the components.

2.2 Service-Level Agreements

Before the service engagement between a cloud provider and a cloud consumer can begin, the two parties must mutually agree to the provisions of a legally enforceable service contract called the service-level agreement (SLA). This service contract is embodied in a document and formally defines the minimum performance criteria against which the service levels and hence the performance of a service provider will be compared. Further, the service contract lists the penalties for situations when the service provider fails to meet the obligations as committed by it prior to the initiation of the service engagement and when the performance falls below the promised standard. Broadly, an SLA can be of two types: infrastructure and application. Provisions within an infrastructure SLA are meant to indicate that the service parameters, such as the availability of the hardware and the networking switches, are the responsibility of the service provider. Provisions within an application SLA are meant to indicate that the service parameters, such as guaranteeing the response time and the throughput, are the responsibility of the service provider. Individual provisions of an SLA are known as service-level objectives (SLOs). The focus of this chapter is on application SLAs and their SLOs.

The service parameters, such as response time and throughput, are known as the performance metric. Typically, an application SLA specifies two quality indicators for any performance metric: average and threshold. If the performance metric under consideration is response time, then the threshold value indicates the maximum time that a service provider can take to service each individual user request. If the performance metric under consideration is throughput, then the threshold value indicates the minimum number of user requests that a service provider should be able to service within a given time window. Thus, the threshold value of a performance metric is the hard limit that, when breached, results in harmful consequences for both the cloud provider and the cloud consumer. The average value of a performance metric is an indicator of the desirable quality and level of service over relatively long periods of time. In subsequent discussions, we describe the analytic problem using response time as the key performance metric. The analysis can be extrapolated easily to other performance metrics.

Assume that the SLA for an application i requires the average response time to be R_avg and the threshold response time to be within R_max. We assume that the total electric load that the data center needs to shed, as communicated by the smart meter, is d > 0. Let P and P′ (P′ < P) indicate the power consumption of an application at the workload λ for achieving response times of R_avg and R_max (R_avg < R_max), respectively. Then, the objective is to exploit the difference in values of these two SLA parameters (R_max − R_avg) for every application so that the total electricity consumption by the applications at the data center during peak electric grid load can be curtailed by d. That is, the shedding in electricity consumption by the applications should not overtly affect the performance of the application. Thus, the quality of service as agreed to by the cloud service providers for the applications in their respective application SLAs should remain acceptable despite the reduction in electricity drawn by the applications. Earlier researchers have explored power performance trade-offs and dynamic voltage and frequency scaling (DVFS) schemes for maintaining the response time at a desired level with varying workloads. Thus, for workloads λ1 and λ2 such that λ1 < λ2 and a processor operating at a fixed frequency f, the request response times will be R1 and R2, respectively, with R1 < R2. These works therefore lower the operating frequency of the processor to f′ (f′ < f) such that R1 ≈ R2 ≈ R_avg. In contrast to these works, this chapter shows how to exploit the difference between R_max and R_avg to identify applications that are best suited for migration to remote sites so that the power expenditure due to high electricity cost at peak power grid situations can be reduced. In the following paragraphs, whenever an application is allocated barely enough computing resources such that the response time of the requests is R_max, the application is said to be operating at threshold SLA levels. However, when the application is allocated sufficient computing resources so that the response time of the requests is R_avg, the application is said to be operating at standard SLA levels.

A data center acts as a host to many different applications with varying input/output (I/O), central processing unit (CPU), and memory characteristics. In addition, each of these applications has a varying degree of tenacity to operate at threshold SLA levels during different times of the day. Thus, at time t1 an application i1 can operate at threshold SLA levels only for duration τ_i1. At time t2, the application can operate at threshold SLA levels for duration τ_i2, τ_i2 ≠ τ_i1. Again, at time t2 a different application i′ can operate at threshold SLA levels for duration τ′_i2. The problem then is to identify the following for a data center experiencing peak electricity load:

1. A candidate set of applications that can operate at threshold SLA levels for a fraction of duration for which the electric grid is experiencing peak load.

2. A candidate set of applications that need to be moved to another cloud site that is not experiencing an adverse electric grid load situation.

A combination of items 1 and 2 should ensure that the total curtailment in electricity drawn by the applications hosted at the data center should be at least d. We call this the application assortment problem. However, moving an application at runtime from one physical machine on which it is already executing to another physical machine is fraught with challenges that need to be resolved [6,7,8]. Encapsulating applications within VMs, and moving entire VMs from one physical machine to another physical machine, has been proposed as a way out of these challenges. The following section discusses live migration of VMs in detail.

2.3 Live Migration of a VM Image in Cloud Computing

Migration of VM images between geographically dispersed nodes in the distributed data center or the cloud requires, at a high level, that two major considerations be addressed. The first consideration is the duplication or replication of the guest data, which include storage and memory resident data. The second consideration is the transition or redirection of network communications from one logical network to another, ensuring that traffic will continue to reach the VM at its new location.

2.3.1 Data Migration

Replication of data on disk can be implemented in a number of ways, but most methods intercept writes from a VM guest to its “disk(s).” The most common approach is to encapsulate this service within a driver and to place the driver in the I/O stack of the host server that contains the guest. Another approach, and perhaps best from a performance perspective, is to use a replication solution that is located outside the server infrastructure and resides in components such as the storage array or storage area network (SAN) switch.

In the I/O driver approach, this driver is located in the I/O stack, usually in the device stack (just above the multipathing driver if it is present), on the host server. The driver is capable of reading the header information of each I/O frame to determine which writes to ignore and which to replicate. The driver is configurable so that any number of local drives can be replicated.

When the replication function resides in other infrastructure components, the I/O driver functionality effectively resides in the operating system (OS) of that component (SAN-OS, switch OS), so the distinction between the approaches is really the difference in location of the driver.

If a write is made to a disk that is to be replicated, that write is copied, the original is passed to its intended target, and the copy is routed to be delivered eventually to the remote storage where the remote VM host server resides.

One of the practical considerations in minimizing the time that it takes to migrate a VM between locations is the question of the amount of data that remains to be transferred over the network connection at the point in time the migration process is initiated. This of course depends on how different, in terms of changes that have to be applied, the local and remote VM images are. Replication can be implemented as an on-demand service or as a background service. Replication on demand has the advantage of not impacting network resources until a migration is needed. However, when the migration process is initiated, replication starts only at that point in time, so there is likely a relatively large quantity of data that will need to be transferred, at least when compared to the alternative of background replication. With replication running as a background process, some network resources will be consumed during frequent regular intervals prior to receiving the migration command, but since the difference in local and remote images is likely to require fewer updates, the amount of data remaining to be transferred when the migration command occurs is significantly less. The background process will require a larger total amount of data to be transferred because incremental updates, as opposed to one single update, will have applied updates for some files multiple times. Thus, the choice is effectively a trade-off between a background process that prepositions as much data as possible to minimize the likely differences between local and remote images at the cost of some additional network loading, or an on-demand process that most efficiently uses the network connection overall at the cost of a longer time interval to update the remote image.

However, regardless of the replication approach, there remains the task of replicating local resident data to the remote site. During a live migration of a VM guest, when the bulk of the disk data has been replicated and those data are nearly synchronous between the local and remote images, the local host begins to transfer data in local memory to the remote VM. At the end of this memory echo process, the source VM is paused, last-second disk updates are copied, and the final data resident in the local guest memory are copied to the remote site. It takes only a few tens of milliseconds to make the final transition from the source VM to the target VM instance. When the data transition is complete, restoration of network connectivity is required before the new VM image can resume its hosting function, completing the live migration process.

2.3.2 Network Migration

Once the remote VM image residing on the remote storage is completely duplicated by the replication process, network connectivity must be either redirected or reestablished to be accessible. At this point in the process, all of the network traffic is still being routed to the network where the “old” VM image is now paused. There are various means to restore network connectivity to the new VM image; two common approaches will suffice as examples of how this is accomplished.

One approach requires an Internet Protocol (IP) tunnel to be created from the old network address to the new guest. This IP tunnel is created just before the old VM is placed into its paused state. This tunnel allows network traffic inbound to the old address to reach the guest at its new location. As the new guest goes online, it will register its new address with the DNS (Domain Name System) server, and eventually, when the DNS entries are updated, any new client traffic will be able to connect with the guest directly. When connections over the IP tunnel are all closed, the tunnel will collapse. This mechanism allows migration of the guest from the old network to the new network without significant client disruption.

Another approach requires the creation of a Multi-Protocol Label Switching-Virtual Private Network (MPLS-VPN) mesh framework between the various sites. Once this framework is in place, all of the various sites exist as if they were all on a local network. Because the entire network environment is treated as a single entity, an Address Resolution Protocol (ARP) update to one switch makes the connections of the new VM available to the entire environment and accessible to any client. From a migration perspective, this means that as a guest comes online and receives a new IP address, this new address will be placed into the ARP tables, and immediately all traffic will be routed to this new location.

To accomplish the migration of VMs over geographic distances, it is necessary to have means to replicate a VM image and supporting volumes from the primary location to the secondary location and then to be able to restore network connectivity to the replicated image.

The choice of where to implement write splitting and the replication function depends primarily on whether the small additional processing and I/O load on the host is tolerable and does not significantly impact the host’s performance. A host driver tends to be simpler to implement and less costly but does have a footprint on the host. SAN or switch-based implementations do not have an impact on the host but are typically more complex and costly.


Various methods are available to migrate network connectivity, but the methods used usually depend on selecting a method compatible with the existing infrastructure. The IP tunneling methods are simple but in some situations can cause delays for some clients until DNS caches are fully updated. The MPLS-VPN method is a more complex process but provides comparatively faster updates and improved performance.

2.4 Architecture

The solution architecture for the application assortment problem is shown in Figure 2.1. The architecture consists of three components: application manager, site broker, and hybrid cloud broker (HCB). The functionality of each of the three components is described next.

[Figure 2.1 (diagram): a Hybrid Cloud Broker sits above the Site Brokers of Cloud-1, Cloud-2 and Cloud-3; each Site Broker receives DR, SLA and Workload inputs and coordinates several Application Managers.]

Figure 2.1 Architecture for managing application migration under performance constraints and in the presence of demand response signals.


2.4.1 Application Manager

An application manager is responsible for managing an application locally at a cloud site and for trade-offs of the application’s performance for savings in power consumption. Power performance trade-off possibilities include

1. Powering down a few servers and redistributing the excess workload, created as a consequence of shutting down these servers, onto the remaining servers [9,10] and

2. Operating each of the servers that host the application at a lower frequency and voltage using DVFS schemes [11]. Figure 2.2 shows the variation in power drawn, utilization, and response time as the operating frequency of the processor varies. The horizontal axis shows the processor frequency, from a maximum of 1.6 GHz to its minimal clock frequency of 0.6 GHz. As the frequency is reduced, the average service time per request increases. This causes an increase in the average processor utilization. High utilization then results in degraded average response time. The figure shows that, at the highest frequency of 1.6 GHz (and highest power consumption), the response time is approximately 25 ms. As the frequency of the processor is reduced to 0.8 GHz, the utilization doubles. The response time reaches its maximum acceptable level of 50 ms. This type of analysis allows us to examine the relationship of processor frequency to response time.

[Figure 2.2 (plot): horizontal axis is processor frequency from 0.6 to 1.6 GHz, vertical axis runs from 0 to 80; curves for Power, Utilization, E[s] (service time) and Response time R are shown together with the R_max threshold and the ∆Power consumption and ∆Response time annotations.]

Figure 2.2 Relationship of response time, utilization, and power with operating frequency.

Accordingly, the role of the application manager is to determine for each application the optimal number of physical machines or the optimal value of the operating frequency and voltage so that the power consumption can be reduced to maximal levels without compromising the application’s performance as guaranteed in the SLA. This in turn requires an application manager to address the question: how much savings in power consumption can be expected by allowing the application’s response time to temporarily degrade to R_max? Another key issue that the application manager needs to resolve is to determine the time duration, as a fraction of the peak power grid load duration, for which threshold-level performance of the application is acceptable. The application manager communicates this information, together with the power savings that it can achieve for the application that it manages, to the site broker.

2.4.2 Site Broker

The site broker uses the information provided by the application managers and the DR signal available from the smart meter to sequence applications’ execution for the duration in which the electric grid is experiencing peak load so that the total electricity consumed at a cloud site during this duration can be reduced to acceptable levels. In addition, the site broker is responsible for minimizing the number of applications that need to be moved to remote cloud sites to bring down the total electricity consumption to acceptable levels during such intervals. Moving applications to remote cloud sites should be the last priority and should be performed only when powering down servers and reducing the operating frequency of the servers does not solve the problem in its entirety.

2.4.3 Hybrid Cloud Broker

As discussed in the previous section, recent advancements in cloud computing make it possible to move “live” applications between physical servers located in different geographies [5]. The HCB leverages these new application mobility techniques to move applications identified by the site broker for migration to remote clouds. For each of these migrating applications, the HCB determines, from among the clouds managed by it, the cloud that is best suited as the new hosting environment. The HCB must take into consideration various constraints, such as the incompatibility constraints and the capacity constraints, while assigning an application to a particular cloud. The HCB initiates the migration of the applications identified by the site broker once suitable clouds that can host these applications have been identified.

2.5 Solutions

In the following sections, we formulate mathematical models and discuss solution procedures for the problems addressed by each of the three components discussed previously.

2.5.1 Application Manager

In this section, we establish a mathematical relationship between the response time of requests to the workload and the operating frequency of the processors. The derived system model assumes that an application i is hosted in a clustered environment and consists of a set of front-end servers responsible for accepting requests and another set of back-end servers responsible for processing the accepted requests. This assumption is not prohibitive as the architecture discussed in the previous section is extensible, and system models for various other scenarios can be easily incorporated as part of the application manager. We further assume that each of the back-end servers supports DVFS such that the operating frequency of the processors can vary at discrete intervals. Assume that f_max is the maximum frequency at which the servers can operate. Let μ_j^max be the service rate of the jth server when operating at f_max. The service rate μ_j of the server when operating at frequency f_j (f_j < f_max) then becomes μ_j = (μ_j^max f_j)/f_max. If the servers are homogeneous, μ_j^max is the same for all the servers and is denoted using μ_max. The power consumption by a back-end server P_j can be modeled mathematically as α_j + β_j f_j^3, where α_j and β_j are standard parameters obtained from regression tests on empirically collected data. The application manager needs to determine the operating frequency f_j of each server j and the number of active servers so that the aggregate power consumption is minimized, and the response time guarantees associated with the application operating at threshold SLA levels are met. Thus,

$$\min \sum_{j=1}^{N} X_j \left( \alpha_j + \beta_j f_j^3 \right)$$

subject to:

$$\sum_{j=1}^{N} X_j \lambda_j = \lambda_i \qquad (2.1)$$

$$R_j(\mu_j, \lambda_j) \le R_{max} \qquad (2.2)$$

According to the M/M/1 queuing model R_j = 1/(μ_j − λ_j). Substituting μ_j = (μ_j^max f_j)/f_max and R_j = R_max, we obtain

$$R_{max} = \frac{1}{\left(\mu_j^{max} f_j / f_{max}\right) - \lambda_j}$$

and reorganizing, f_j = (f_max/μ_j^max)(λ_j + 1/R_max). On substituting the expression of f_j, the objective function becomes

$$\sum_{j=1}^{N} X_j \left( \alpha_j + \beta_j \left( \frac{f_{max}}{\mu_j^{max}} \left( \lambda_j + \frac{1}{R_{max}} \right) \right)^3 \right)$$

and is untenable for standard solvers. We therefore devise heuristic algorithms for solving the problem in a realistic time. Figure 2.3 shows the details of our algorithm.

Let λ_i represent the load experienced by the application and λ_j represent the load handled by the server j. Further, assume N is the total number of machines catering to the application load for ensuring a response time of R_avg. In other words, N is the upper bound for the number of servers to be used for operating the application at threshold SLA levels. In reality, not all of these servers may be used when the application operates at threshold SLA levels. The algorithm rests on the observation that whenever the difference between the terms β_j f_j^3 and α_j is greater than α_j, it is beneficial from the power consumption perspective to switch to a new machine (step 2). Thus, the frequency for a machine j is governed by the relationship β_j f_j^3 − α_j ≥ α_j. Rearranging the equation results in f′_j = (2α_j/β_j)^(1/3). Since the operating frequency of all machines is limited by f_max, the frequency f_j of machine j is set as the minimum of f_max and (2α_j/β_j)^(1/3) (step 3). Rearranging f_j = (f_max/μ_j^max)(λ_j + (1/R_max)) and setting f_j as min(f_max, (2α_j/β_j)^(1/3)), we obtain the amount of load handled by machine j as λ_j = (f_j μ_j^max/f_max) − (1/R_max) (step 4). The amount of load handled by machine j is then subtracted from the total remaining load λ′_i still to be allocated. The remaining load λ′_i needs to be assigned to the rest of the servers J = J − {j} (step 5). In case the entire load has been assigned (λ′_i ≤ 0), a machine that has not been allocated any load can be powered down (step 6). It is also possible that there is a fraction of the load that remains unassigned in spite of every machine receiving a portion of the load. In such cases, the unassigned load needs to be distributed among all the machines, and the operating frequency of the machines needs to be increased by (f_max/μ_max)((λ′_i/N) + (1/R_max)) (step 7).

1. Initialize λ′_i = λ_i and a list of machines, J = {j | j = 1, …, N}.
2. Select a machine j from the list J. Calculate f′_j = (2α_j/β_j)^(1/3).
3. Set the frequency f_j of machine j as min(f_max, f′_j).
4. Calculate the number of requests handled by machine j as λ_j = (f_j μ_j^max/f_max) − 1/R_max.
5. Calculate λ′_i = λ′_i − λ_j. If λ′_i > 0, remove j from the list of machines, that is, J = J − {j}. If J is nonempty, go to step 2.
6. If λ′_i ≤ 0 and J is nonempty, all machines j in J can be powered down.
7. If λ′_i > 0 and J is empty, calculate f′ = (f_max/μ_max)((λ′_i/N) + 1/R_max).
8. The operating frequency for all the servers j then becomes f_j + f′.

Figure 2.3 Outline of the provisioning algorithm for an application manager.
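The provisioning steps of Figure 2.3, together with the M/M/1 relation between frequency and response time that underlies Figure 2.2, as an added worked example in Python (not code from the chapter): the server parameters α_j, β_j and μ_j^max, the cluster size, f_max = 1.6 GHz and R_max = 50 ms are constructed values, and the `feasible` flag, which reports when step 8 would push a frequency above f_max, is an added check that Figure 2.3 does not include.

```python
"""Provisioning heuristic of Figure 2.3 plus the M/M/1 relation behind Figure 2.2.
Added example, not the chapter's own code: the server parameters (alpha_j, beta_j,
mu_j^max), f_max and R_max below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Server:
    name: str
    alpha: float   # alpha_j: static power, W
    beta: float    # beta_j: dynamic power coefficient, W per GHz^3
    mu_max: float  # mu_j^max: service rate at f_max, requests/s


@dataclass
class Plan:
    freq: Dict[str, float]   # f_j per server; 0.0 means powered down (step 6)
    load: Dict[str, float]   # lambda_j per server
    feasible: bool           # False if step 8 pushes some f_j above f_max (added check)


def service_rate(s: Server, f: float, f_max: float) -> float:
    """mu_j = mu_j^max * f_j / f_max (DVFS scales the service rate with frequency)."""
    return s.mu_max * f / f_max


def mm1_response_time(s: Server, f: float, lam: float, f_max: float) -> float:
    """R_j = 1 / (mu_j - lambda_j); infinite when the queue is unstable."""
    mu = service_rate(s, f, f_max)
    return float("inf") if mu <= lam else 1.0 / (mu - lam)


def power(s: Server, f: float) -> float:
    """P_j = alpha_j + beta_j * f_j^3; a powered-down server draws nothing."""
    return 0.0 if f == 0.0 else s.alpha + s.beta * f ** 3


def provision(servers: List[Server], lam_i: float, f_max: float, r_max: float) -> Plan:
    remaining = lam_i                  # step 1: lambda'_i = lambda_i
    pending = list(servers)            # step 1: J = {1, ..., N}
    freq: Dict[str, float] = {}
    load: Dict[str, float] = {}
    while pending and remaining > 0:   # steps 2 to 5
        s = pending.pop(0)
        f_prime = (2.0 * s.alpha / s.beta) ** (1.0 / 3.0)   # from beta f^3 - alpha >= alpha
        f_j = min(f_max, f_prime)                            # step 3
        # step 4; clamped at zero in case a machine cannot meet R_max even when idle
        lam_j = max(0.0, service_rate(s, f_j, f_max) - 1.0 / r_max)
        freq[s.name], load[s.name] = f_j, lam_j
        remaining -= lam_j                                   # step 5
    feasible = True
    if remaining <= 0:
        # step 6: machines never selected are powered down; the last selected
        # machine only carries the load that was actually left for it.
        if freq:
            load[list(freq)[-1]] += remaining
        for s in pending:
            freq[s.name], load[s.name] = 0.0, 0.0
    else:
        # steps 7 and 8: spread the unassigned load over all N machines and raise
        # every frequency by the chapter's increment f' (homogeneous mu_max assumed).
        n = len(servers)
        f_inc = (f_max / servers[0].mu_max) * (remaining / n + 1.0 / r_max)
        for s in servers:
            freq[s.name] += f_inc
            load[s.name] += remaining / n
            if freq[s.name] > f_max:   # not in Figure 2.3: R_max cannot be met on N machines
                feasible = False
    return Plan(freq, load, feasible)


def total_power(servers: List[Server], plan: Plan) -> float:
    """Aggregate power of the plan, the objective the application manager minimises."""
    return sum(power(s, plan.freq[s.name]) for s in servers)


if __name__ == "__main__":
    # Constructed homogeneous cluster; f_max = 1.6 GHz and R_max = 50 ms echo Figure 2.2.
    cluster = [Server(f"s{k}", alpha=100.0, beta=100.0, mu_max=1000.0) for k in range(1, 5)]
    plan = provision(cluster, lam_i=2000.0, f_max=1.6, r_max=0.05)
    for s in cluster:
        print(s.name, round(plan.freq[s.name], 3), round(plan.load[s.name], 1),
              round(mm1_response_time(s, plan.freq[s.name], plan.load[s.name], 1.6), 4))
    print("total power (W):", round(total_power(cluster, plan), 1), "feasible:", plan.feasible)
```

With the constructed parameters, (2α_j/β_j)^(1/3) ≈ 1.26 GHz lies below f_max, so each selected machine runs at that frequency and takes on μ_j^max f_j/f_max − 1/R_max ≈ 767 requests/s. A load of 2000 requests/s fills three of the four machines and powers the fourth down, while 3200 requests/s exhausts the list, and steps 7 and 8 lift every frequency to 1.344 GHz; the resulting M/M/1 response time is 25 ms, half of R_max, because the chapter's increment f′ carries an extra 1/R_max term on top of the load it redistributes.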

Next, we discuss the duration τ_i for which an application can afford to operate at threshold SLA levels. Assume T is the duration for which a peak electric grid load situation exists. Further, let us denote the period immediately following T by T′. Since an application needs to maintain an average response time of R_avg over T + T′, the following equation must hold true:

$$(\lambda_i \tau_i)\, R_{max} + \big(\lambda_i (T - \tau_i)\big)\, R_{avg} + (\hat{\lambda}_i T')\, R' = (\lambda_i T + \hat{\lambda}_i T')\, R_{avg},$$

where λ_i is the load during the period T (T is also the period when a peak power grid load situation occurs), and λ̂_i is the forecasted load for the time period T′ immediately following T. Our objective is to determine τ_i. However, the equation has an additional unknown variable R′. To determine R′, we note that a large value of τ_i (τ_i < T) is desirable even though τ_i need not exactly be equal to T. During T′, the aim is to compensate the deviation from R_avg to R_max, during T, by operating the application at maximum frequencies so that the response times are minimized. Thus, R′ can be approximated as

$$R' \approx \frac{1}{\mu_{max} - \hat{\lambda}_i / N}.$$

Substituting the value of R′ in the previous equation results in

$$\tau_i = \frac{(\lambda_i T + \hat{\lambda}_i T')\, R_{avg} - \lambda_i T\, R_{avg} - \hat{\lambda}_i T' \left( \dfrac{1}{\mu_{max} - \hat{\lambda}_i / N} \right)}{\lambda_i \, (R_{max} - R_{avg})}$$
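Carrying the substitution through (an added step, not in the original text): the two λ_i T R_avg terms in the numerator cancel, so the expression reduces to

$$\tau_i = \frac{\hat{\lambda}_i T' \left( R_{avg} - R' \right)}{\lambda_i \left( R_{max} - R_{avg} \right)}, \qquad R' = \frac{1}{\mu_{max} - \hat{\lambda}_i / N}.$$

Read this way, τ_i is the amount of threshold-level operation that the post-peak period can pay back: it is positive only when R′ < R_avg, that is, when running at maximum frequency during T′ actually beats the average target, and the value must still be capped at T, since the text assumes τ_i < T.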


2.5.2 Site Broker

In this section, we describe the resource management problem addressed by the site broker. The complexity of the problem can be observed from the example shown in Figure 2.4. Assume there are four applications, i = 1, 2, 3, 4, with power requirements 0.5, 0.3, 0.5, and 0.4, respectively, for operating at standard SLA levels. Further assume that for the duration for which the peak power grid situation exists, T is 3 units. Application 1 can afford to operate at threshold SLA performance levels for 1 time unit, and the power that it consumes is 0.2 units. Similarly, application 2 can operate at threshold levels for 2 time units and consumes 0.2 power units. Finally, applications 3 and 4 can operate at threshold SLA levels for 2 time units each and consume 0.3 and 0.35 power units, respectively. If the power budget is for 1 unit, it can be verified that the optimal solution is to move application 4 to a different cloud site. The sequencing of the remaining applications and their associated power consumption details are shown in Figure 2.4. All other configurations are suboptimal. Figure 2.5 shows one such suboptimal scheduling of applications.

Thus, let:

P_i: power consumed by application i if operating at reduced performance levels during peak power-grid load
P′_i: power consumed by application i if operating at normal performance levels
P_budget: average power budget during peak load
τ_i: acceptable duration for executing application i at reduced performance levels during peak power-grid load
X_i = 1 if application i is migrated, 0 otherwise
Y_it = 1 if application i is executing at reduced performance level at time-slot t, 0 otherwise
T: time duration for which peak power-grid load situation exists.

[Figure 2.4 (chart): three time slots t1, t2, t3 spanning T; in each slot the blocks E1, E2, E3 of the retained applications are stacked against the E_budget line.]

Figure 2.4 The optimal solution to the resource allocation problem addressed by the site broker.

We divide T into N slots of duration δ each, N = ⌈T/δ⌉. We use the identifier t for these time slots. Then, n_i = ⌈τ_i/δ⌉. Further, assume that E_i is the power consumed by an application i in one time slot, and E_budget is the average power consumed by all applications in one time slot. Then, E_i = P_i/n_i, E′_i = P′_i/(N − n_i), and E_budget = P_budget/N. Mathematically,the problem that the site broker addresses can be formulated as

$$\min \sum_{i} X_i$$

subject to:

$$\sum_{t=1}^{N} Y_{it} = n_i \, (1 - X_i) \qquad \forall i$$

$$Y_{it} \le 1 - X_i \qquad \forall i, t$$

$$\sum_{i} \big( E_i \, Y_{it} + E'_i \, (1 - Y_{it}) \big) \le E_{budget} \qquad \forall t$$

[Figure 2.5 (chart): the same three slots t1, t2, t3 over T as Figure 2.4, with a different stacking of the blocks E1, E2, E3 against the E_budget line, illustrating a suboptimal schedule.]

Figure 2.5 A suboptimal solution to the resource allocation problem addressed by the site broker.

The computational time to determine an optimal solution to this problem increases exponentially with the problem size as the problem is nondeterministic polynomial (NP) hard. We therefore propose heuristics that can provide a sufficiently good solution in a reasonable time. We sort the applications in the decreasing order of (E′_i − E_i) n_i / (E′_i (N − n_i)). The numerator indicates the total power savings generated by an application i when the power grid experiences peak load. This savings in power is due to the application operating at threshold SLA levels for a fraction of time within the period T and is an indicator of the benefits for retaining application i for execution on the current cloud site. The denominator indicates the nominal power consumed by an application during time period T when operating under standard SLA levels and is an indicator of the cost for retaining application i for execution in the current cloud site. Applications that do not qualify a certain user-defined threshold are candidates for migration to remote cloud sites. We represent the set of applications that are retained using the notation I′. We propose a sequencing heuristic for applications that have been retained for identifying the time instances within the period T when an application should operate at threshold SLA levels. Assume the power consumption of each application i is represented using blocks of two sizes: i1 and i2. A block with size i1 represents the application operating under standard SLA conditions. The block with size i2 represents the application operating under threshold SLA conditions. The heuristic is motivated by our observation that since i1′ > i2′ and i1 > i2, blocks with size i1′ are scheduled for execution together with blocks with size i2, and blocks with size i1 are scheduled for execution together with blocks with size i2′. In addition, there could be blocks of size i1′ that need to be combined with blocks of size i1. This results in three blocks of sizes i1′ + i2, i1 + i2′ and i1′ + i1 (or i2′ + i2). Thus, at iteration l there would be l + 1 blocks of different sizes. If the size of any of the blocks exceeds the budget E_budget, the algorithm terminates. All remaining applications are considered candidates for cloud migration. It is to be noted that the heuristic selects applications in the decreasing order of (E′_i − E_i) n_i / (E′_i (N − n_i)) for maximizing packing efficiency.
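The site broker's problem on the four-application instance of this section, as an added example in Python (not the chapter's code): the per-slot powers E′_i (standard SLA), E_i (threshold SLA) and the threshold durations n_i are taken from the text's worked example, with T = 3 slots and E_budget = 1 per slot. The search enumerates migration sets and Y_it assignments directly, which is practical only for small instances; the chapter's block-packing heuristic is replaced here by that exhaustive slot search, and migrated applications are treated as drawing no power at the site, as in the worked example (the printed model's third constraint, read literally, would still charge E′_i for a migrated application).

```python
"""Application assortment at the site broker, worked on the four-application
instance of Section 2.5.2.  Added example, not the chapter's code: the per-slot
powers below come from the text's example (E'_i at standard SLA, E_i at threshold
SLA, n_i threshold slots), T = 3 slots and E_budget = 1 per slot."""
from itertools import combinations, product
from typing import Dict, List, Optional, Set, Tuple

Apps = Dict[int, Dict[str, float]]

APPS: Apps = {
    1: {"E_std": 0.5, "E_thr": 0.2, "n": 1},
    2: {"E_std": 0.3, "E_thr": 0.2, "n": 2},
    3: {"E_std": 0.5, "E_thr": 0.3, "n": 2},
    4: {"E_std": 0.4, "E_thr": 0.35, "n": 2},
}
N_SLOTS = 3
E_BUDGET = 1.0


def retention_score(app: Dict[str, float], n_slots: int) -> float:
    """(E'_i - E_i) n_i / (E'_i (N - n_i)): savings from threshold operation over the
    nominal cost of keeping the application on-site (the chapter's ranking key)."""
    return (app["E_std"] - app["E_thr"]) * app["n"] / (app["E_std"] * (n_slots - app["n"]))


def rank_applications(apps: Apps, n_slots: int) -> List[int]:
    """Applications in decreasing order of retention score; the tail of the list
    holds the migration candidates."""
    return sorted(apps, key=lambda i: retention_score(apps[i], n_slots), reverse=True)


def slot_loads(apps: Apps, thr_slots: Dict[int, Set[int]], n_slots: int) -> List[float]:
    """Power drawn in each slot when application i runs at threshold SLA in
    thr_slots[i] and at standard SLA otherwise (the Y_it variables of the model)."""
    loads = [0.0] * n_slots
    for i, slots in thr_slots.items():
        for t in range(n_slots):
            loads[t] += apps[i]["E_thr"] if t in slots else apps[i]["E_std"]
    return loads


def feasible_schedule(apps: Apps, retained: List[int], n_slots: int,
                      budget: float) -> Optional[Dict[int, Set[int]]]:
    """Exhaustive search over Y_it for the retained applications, each using
    exactly n_i threshold slots.  Returns the first schedule within budget."""
    choices = [combinations(range(n_slots), int(apps[i]["n"])) for i in retained]
    for combo in product(*choices):
        thr = {i: set(c) for i, c in zip(retained, combo)}
        if all(load <= budget + 1e-9 for load in slot_loads(apps, thr, n_slots)):
            return thr
    return None


def optimal_assortment(apps: Apps, n_slots: int,
                       budget: float) -> Tuple[Set[int], Dict[int, Set[int]]]:
    """Minimise the number of migrated applications (sum of X_i) by trying
    migration sets in increasing size; migrated applications draw nothing here."""
    ids = sorted(apps)
    for k in range(len(ids) + 1):
        for migrated in combinations(ids, k):
            retained = [i for i in ids if i not in migrated]
            sched = feasible_schedule(apps, retained, n_slots, budget)
            if sched is not None:
                return set(migrated), sched
    return set(ids), {}


def heuristic_assortment(apps: Apps, n_slots: int,
                         budget: float) -> Tuple[Set[int], Dict[int, Set[int]]]:
    """The chapter's ranking idea: migrate the lowest-scored applications, one at
    a time, until the retained set can be scheduled within budget."""
    order = rank_applications(apps, n_slots)
    for cut in range(len(order), -1, -1):
        retained, migrated = order[:cut], set(order[cut:])
        sched = feasible_schedule(apps, retained, n_slots, budget)
        if sched is not None:
            return migrated, sched
    return set(order), {}


if __name__ == "__main__":
    migrated, sched = optimal_assortment(APPS, N_SLOTS, E_BUDGET)
    print("rank:", rank_applications(APPS, N_SLOTS))
    print("migrate:", migrated, "threshold slots:", sched)
    print("per-slot load:", slot_loads(APPS, sched, N_SLOTS))
```

The exhaustive search confirms the text's claim: migrating application 4 alone admits the schedule of Figure 2.4 (application 1 at threshold in one slot, applications 2 and 3 at threshold in the other two, every slot summing to exactly the budget), while migrating any other single application leaves no feasible schedule. The chapter's ranking key orders the applications 3, 2, 1, 4, so the lowest-scored application is exactly the one the optimum migrates.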

2.5.3 Hybrid Cloud Broker

The site broker communicates the details of the applications that need to be migrated to remote cloud sites to the HCB. It is assumed that each migrating application has at least one alternate cloud where it can be hosted. If there are multiple remote clouds that can host a migrating application, the criterion used by the HCB to select a particular cloud for hosting is that the degradation in the performance metric as a result of rehosting should be minimal. Let D_i be the amount of data associated with an application i that needs to be moved and V_kk′ be the network traffic between clouds k and k′. Let k̄ = argmin_k′ (D_i/V_kk′). It is then decided to move application i to cloud k̄ from its current hosting cloud k. The HCB then initiates contact with the site broker of the remote cloud site. The site broker communicates resource allocation details to the provisioning manager, which then provisions sufficient computing resources on the physical machines identified by the site broker. The HCB can then initiate the actual physical movement of the application to the machine identified by the site broker previously. Figure 2.6 shows that the total energy consumption by applications executing at cloud A during the peak electric grid load period is high (indicated by the bottom dot in cloud A). When a DR signal is received by the smart meter installed at cloud A, the site broker at cloud A identifies a set of applications for which the operating frequency can be lowered for a fraction of the peak duration and another set of applications requiring migration to cloud B as shown in Figure 2.7. Figure 2.7 shows the reduction in energy consumption at cloud A after a set of applications is migrated from cloud A (three dots) to cloud B (indicated by the top two dots). The HCB is responsible for orchestrating all intercloud movements of the VMs.


2.6 Smart Meters and Smart Loads

The term smart grid is used in varied contexts: for some, the smart grid means a superhighway for large-capacity transmission over significant geographic distances; for others, it is a system that can integrate small-scale renewable generation sources; still others see it as a widely available source network for charging electric cars. Perhaps it will turn out to be some or all of these things when fully evolved. In the context of the data center or cloud, we can shed much of this ambiguity and need only consider specifically the functionality required to enable the capability to monitor real-time power consumption and costs.

[Figure 2.6 (diagram): the HCB above Cloud A and Cloud B, each with a site broker (SB) and application managers (AM); for each cloud, plots of energy consumption ($ to $$$) and response time R (R_avg, R_max) against workload frequency f (f′, f).]

Figure 2.6 Scenario before application migration when a demand response signal is received by a smart meter at cloud A. AM = application manager; SB = site broker.

[Figure 2.7 (diagram): the same layout as Figure 2.6, with the HCB above Cloud A and Cloud B, their site brokers (SB) and application managers (AM), and per-cloud plots of energy consumption ($ to $$$) and response time R (R_avg, R_max) against workload frequency f (f′, f) after migration.]

Figure 2.7 Scenario after application migration after a demand response signal is received by a smart meter at cloud A.


2.6.1 The Data Center Smart Grid

We are interested in determining the real-time marginal cost of power for an incremental load. The two key parameters we require the smart grid or smart meter to provide information about are the real (or near-real-time) power load for the data center, typically measured in kilowatts, and the current price, usually quoted per kilowatt-hour. So, in this respect, the requirements for calculating marginal power costs of the data center in which one or more clouds reside are rather modest. Existing data center sites do not have smart meters capable of providing the data we need. Currently, these sites have a standard power meter that is based on electromechanical induction and needs to be read at the end of a billing cycle by the electric utility. Some utilities are using newer meters that allow these data to be collected remotely, but many facilities pre-date this effort. Electricity meters continuously measure the instantaneous voltage (volts) and current (amperes) and find the product of these to give instantaneous electrical power (watts). Watts are then integrated over time to give energy used (joules, kilowatt-hours, etc.).

The cost of a kilowatt-hour of electricity is variable depending on many factors; typically, these specific data are not provided by existing meters. In fact, a utility does not typically even calculate this cost until the end of a billing cycle. Most utilities determine the cost for electricity on a tiered rate structure. This results in a cost model that has discontinuous step function increases in cost. A baseline number of kilowatt-hours is provided at a certain price; when cumulative use for a billing interval exceeds this baseline amount, the consumer is then charged at an increased price for the next tier for another fixed amount of kilowatt-hours, and so on. While the cost of electricity is variable and is not data that the utility typically provides anywhere close to real time, we need only note that it is readily calculable based only on knowledge of the start of the billing cycle, the tier rates, the tier amounts, and total metered usage to a point in time.

While we lack the smart grid of the future that includes smart meters that provide real-time price signals and current electricity usage, this functionality can be implemented in a data center with relative ease and at a moderate cost. What is required is metering independent of the utility. This could be implemented with any number of digital power meters available on the market. This meter must provide remote monitoring so that the data can be polled in real or near-real time by a computer system. We envision that these data would be available to the smart meter (SM) via polling. This independent power meter need not necessarily be shunt based and thus required to be in line with the existing utility meter; there are types of meters that measure the power usage by inductive magnets that need only encircle the existing physical wires that deliver the main power, minimizing installation costs. The other requirement is that the SM be able to poll the meter via a communication protocol that is a common feature of existing digital power meters. The SM will know at any point in time the billing period and the cumulative power consumption and thus be able to accurately estimate the cost of electricity at that point in time.

The cost of continuing operation of a load in the data center or of shedding that load is then easily calculated and provides the cost input that the SM together with the HCB uses to make the decision to move local loads to remote sites.

2.6.2 Smart Appliances in the Data Center

We should recognize that moving a VM from a local physical machine to a remote physical machine does result in a shedding of some load; however, the local physical machine that is still powered on can be seen to be consuming electricity nonproductively. Simply put, the maximum load is shed when the physical machine not hosting any VMs is powered off. In fact, the economic premise underpinning the smart grid is that a real-time price signal, assuming resource consumers are economically rational, will necessarily result in more efficient use. A tacit assumption here is that consumers are able to respond to the price signal. It is from this premise and assumption that smart grid proponents argue that the market will self-evidently provide smart appliances that enable load shedding by time-of-day delay of operation or power-saving mode settings.

With respect to the data center, the immense existing capital equipment will not be replaced with next year's smart-grid-friendly models as a matter of course. So, we will have to deal with existing infrastructures. However, existing servers typically do have power-saving modes that can be invoked via network-initiated commands. When hibernating or in power-saving modes, typically servers can be configured to respond to wake-on-LAN (WoL) signals. When VMs and their loads are shed from physical machines, when possible the SM should initiate the power-saving modes to maximize the load that is shed. In this case, the load shed is the difference between the power load for the physical machine when the VMs are hosted and when the physical machine is in power hibernation mode.

It is possible to completely maximize the load shed by powering off the physical machine. While this command can be initiated with commands sent via a network connection to the physical machine, the main problem here is that typically in the off state a machine cannot be powered on remotely and usually requires manually pressing the power-on button. One approach to resolve this issue is, in effect, to retrofit an existing server, equipment cabinet, or particular circuit. In such an implementation, one need only build a black box device that is in series with the power provided to the equipment under consideration. The minimal functionality of this black box provides mechanical or solid-state relay control of the input power source. If the on/off state of this relay can be controlled via network or other protocols, then the SM can power down the physical machine on command. Existing servers can be easily configured to boot on the application or restoration of input power.

Existing network-controlled power busses and even commercial power meters provide exactly this functionality. Such devices can easily be placed in series with existing power inputs for the physical machine, equipment cabinet, or power circuit. The advantage of using a power meter with this relay functionality is that these meters typically have network-enabled communications. Thus, they also provide power consumption telemetry at this granular level and enable the HCB to exactly quantify how much load will be shed since the load when VMs are hosted can be measured; with this method, they know that the complete load will be shed when the system is powered down. This would be an SM-initiated network safe shutdown command to the host prior to an SM-initiated power down of the power source. Likewise, the SM can initiate the power on of a physical server by restoring the power source to the equipment it is controlling with this network-controlled relay.

So, while the smart grid and smart appliances may soon be realized in the not-too-distant future, the functionality we need the smart grid to provide the SM and the HCB is the ability to move resources and then completely shed the load associated with the physical machines that no longer host these resources by implementing existing off-the-shelf devices. It reduces to a simple cost-benefit analysis to justify the associated capital expenditures. The costs include the hardware to independently meter the site power source to determine current power costs that can be polled by the SM and HCB. Minimally, the SM and the HCB must be able to communicate with the physical servers that host the VMs to provide commands to invoke power-saving modes. In addition, hardware may be cost-benefit justified to provide the network-controlled relay for input power at a server, cabinet, or circuit granularity. The communication protocol between the SM and the HCB and this hardware can be TCP/IP based, infrared (IR), radio frequency (RF), or perhaps even use the existing power line infrastructure using ZigBee or similar protocols.
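The tiered-rate marginal cost calculation of Section 2.6.1 and the load-shed estimate of Section 2.6.2, worked through as an added example that is not part of the chapter: the meter readings, the tier schedule and the host power figures are constructed, and the integration of polled power into energy mirrors what the chapter says the meter itself does.

```python
"""Marginal electricity cost under a tiered rate and the load shed by
hibernating or powering off a host, the two inputs the SM/HCB decision
needs.  Added example, not the chapter's code; all numbers are constructed."""
from __future__ import annotations

# Tier schedule as (width in kWh, $/kWh).  The last width is None, i.e. the
# tier is unbounded.  Constructed values, not a real utility tariff.
TIERS = [(100.0, 0.10), (200.0, 0.15), (None, 0.20)]


def energy_kwh(samples):
    """Integrate polled power readings into energy, as the meter does.
    samples: [(seconds since billing-cycle start, kW), ...] in time order.
    Trapezoidal rule; returns kWh."""
    total = 0.0
    for (t0, p0), (t1, p1) in zip(samples, samples[1:]):
        total += (p0 + p1) / 2.0 * (t1 - t0) / 3600.0
    return total


def increment_cost(used_kwh, extra_kwh, tiers=TIERS):
    """Cost of consuming extra_kwh on top of used_kwh already metered this
    billing cycle.  Each tier prices the overlap between the increment
    [used, used + extra) and the tier's band [lower, upper), which is what
    turns the step-function rate into a cost for the increment."""
    cost, lower = 0.0, 0.0
    for width, rate in tiers:
        upper = float("inf") if width is None else lower + width
        start = max(used_kwh, lower)
        end = min(used_kwh + extra_kwh, upper)
        if end > start:
            cost += (end - start) * rate
        lower = upper
    return cost


def marginal_rate(used_kwh, tiers=TIERS):
    """$/kWh that the very next kilowatt-hour costs at this point in the cycle."""
    lower = 0.0
    for width, rate in tiers:
        upper = float("inf") if width is None else lower + width
        if lower <= used_kwh < upper:
            return rate
        lower = upper
    raise ValueError("tier schedule does not cover this usage")


def shed_savings(used_kwh, hosted_kw, residual_kw, hours, tiers=TIERS):
    """Savings over `hours` from moving a host's VMs away and dropping it
    from hosted_kw to residual_kw (hibernation draw, or 0.0 when a
    networked relay cuts the input power).  The residual draw is priced
    first because it is consumed either way; the shed slice is the top of
    the usage, which under a tiered rate is the most expensive part."""
    with_host = increment_cost(used_kwh, hosted_kw * hours, tiers)
    residual = increment_cost(used_kwh, residual_kw * hours, tiers)
    return with_host - residual


if __name__ == "__main__":
    # Constructed poll of the independent site meter: (seconds, kW).
    polled = [(0, 40.0), (3600, 42.0), (7200, 41.0)]
    used = energy_kwh(polled)
    print(f"metered so far: {used:.1f} kWh, next kWh costs {marginal_rate(used)} $/kWh")
    # Constructed host: 0.30 kW with VMs, 0.05 kW hibernating, 0 kW off.
    for label, residual in (("hibernate", 0.05), ("relay off", 0.0)):
        print(f"{label}: saves ${shed_savings(used, 0.30, residual, 100.0):.2f} over 100 h")
```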

2.7 Conclusions

This chapter described ways to reduce electricity usage within data centers during peak power grid load situations by identifying suitable applications whose performance can be traded off for short durations for savings in electricity consumption. Reducing electricity consumption during peak power grid loads is important for data centers, as a significant portion of the electricity cost incurred by data centers could be due to the electricity consumed during peak power grid load situations. The chapter described a solution architecture and discussed analytical formulations together with heuristic schemes for minimizing the electricity consumed during peak power grid situations. The approach leverages recent technical developments in cloud computing that make it possible to move live applications across the wide-area network.


3 Distributed Opportunistic Scheduling for Building Load Control

Peizhong Yi, Xihua Dong, Abiodun Iwayemi, and Chi Zhou

The smart grid adds intelligence and bidirectional communication capabilities to today's power grid, enabling utilities to provide real-time pricing (RTP) information to their customers via smart meters. This facilitates customers' participation in demand response programs to reduce peak electricity demand. In this chapter, we provide a novel distributed opportunistic scheduling scheme based on an optimal stopping rule that aims to minimize the expenditure of electricity while satisfying customers' time requirements. The proposed scheduling scheme can be implemented in either centralized or distributed mode; the constraint of a power line's total power consumption is also considered in the system model. Simulation results show it can dramatically reduce the electricity bill and minimize peak loads.

Contents

3.1 Introduction 86
3.2 Demand Response 87
3.2.1 Power Pricing 87
3.2.2 Demand Response 88
3.2.3 DR Benefits 89
3.2.4 DR Guidelines 89
3.3 Optimal Stopping Rule 89
3.4 Problem Formulation 90
3.5 Simulation and Result 94
3.6 Discussion 96
3.6.1 Modeling of Price Signals 96
3.6.1.1 Random Modeling of Price Signals 96
3.6.1.2 Usage-Dependent Electricity Price 97
3.6.2 Fairness 98
3.7 Conclusion 98
Acknowledgment 98
References 99

3.1 Introduction

The smart grid is an intelligent power generation, distribution, and control system equipped with two-way communication. It facilitates many services, including integration of renewable energy sources, real-time pricing (RTP) to consumers, demand response (DR) programs involving residential and commercial customers, and rapid outage detection.

According to a report from the U.S. Department of Energy (DOE), buildings consume 72% of all electrical energy.¹ Therefore, the ability of a building automation system (BAS) to communicate and coordinate with the power grid has tremendous potential to reduce the peak in response to pricing and demand reduction signals by utilizing smart meters located within customer sites. These devices provide customers and utilities real-time power consumption data and RTP information. The automation system uses this information for monitoring and controlling building loads and home appliances by an intelligent energy management algorithm.

The DR algorithm plays a key role in saving energy by the process of collecting, monitoring, controlling, and conserving energy in a building. It enables people to reduce costs, carbon emissions, and the risk of increased price or supply shortages. Typically, this involves four steps: (1) metering and collection of the data of energy consumption and real-time price; (2) finding appliance shift opportunities and estimating energy saving; (3) monitoring the appliance to target the opportunities to save energy; and (4) tracking the progress by analyzing meter data to see an effect. From this, we can see that information is the most important factor for estimation and planning. However, the day-ahead price cannot always match the real-time price due to some factors, such as those shown in Figure 3.1 (the data were collected July 11 to 15, 2011).

The weather can have a big impact on the wholesale real-time price of electricity, particularly during the summer and winter. There also can be unexpected and brief price spikes if multiple power plants have technical or mechanical problems at the same time or if there are problems in parts of the regional transmission network used to transport electricity from the power plant to the distribution system.

In this chapter, we adopt a novel distributed opportunistic scheduling scheme based on the optimal stopping rule. The objective is to minimize the energy consumption at the peak time while satisfying the power and timing requirements of each utility. In comparison with a traditional centralized scheduling scheme, devices can adjust their service time and mode adaptively according to the real-time price without complicated computation. We show that the optimal scheduling scheme is a pure threshold policy; that is, each utility can be turned on when the electricity price is lower than a threshold value.

3.2 Demand Response

3.2.1 Power Pricing

Currently, the majority of residential customers are charged flat or two-tiered (peak and off-peak) electricity rates based on average electricity generation costs. The implication is that retail prices do not accurately reflect the actual cost of generating electricity at any given time. This results in inefficient investment in generation and transmission capacity and higher retail prices.² Due to the deficiencies of this scheme, a variety of pricing schemes has been introduced to more accurately pass on the true cost of electricity to retail customers. They include RTP, time-of-use (TOU) pricing, day-ahead pricing (DAP), and critical peak pricing (CPP). An explanation of the pricing terms and various DR schemes is provided in Table 3.1.

[Figure 3.1 Day-ahead price versus real-time price (Ameren Energy Illinois: July 11, 2011 to July 15, 2011). Axes: Time (Hrs), 1 to 115; Price ($), 0 to 0.4. Series: Day-ahead price, Real-time price.]

3.2.2 Demand Response

Demand response is defined as "changes in electric usage by end-use customers from their normal consumption patterns in response to changes in the price of electricity over time, or to incentive payments designed to induce lower electricity use at times of high wholesale market prices or when system reliability is jeopardized."² DR programs fall into two categories: price-based and incentive DR programs.

Table 3.1 DR Modes (Ameren Energy Illinois: January 17–21, 2011)

PRICE-BASED OPTIONS

Time of use (TOU): A rate with different unit prices for usage during different blocks of time, usually defined for a 24-h day. TOU rates reflect the average cost of generating and delivering power during those time periods.

Real-time pricing (RTP): A rate in which the price for electricity typically fluctuates hourly, reflecting changes in the wholesale price of electricity. Customers are typically notified of RTP prices on a day-ahead or hour-ahead basis.

Critical peak pricing (CPP): CPP rates are a hybrid of the TOU and RTP designs. The basic rate structure is TOU. However, provision is made for replacing the normal peak price with a much higher CPP event price under specified trigger conditions (e.g., when system reliability is compromised or supply prices are very high).

INCENTIVE-BASED PROGRAMS

Direct load control: A program by which the program operator remotely shuts down or cycles a customer's electrical equipment (e.g., air conditioner, water heater) on short notice. Direct load control programs are primarily offered to residential or small commercial customers.

Interruptible/curtailable (I/C) service: Curtailment options integrated into retail tariffs that provide a rate discount or bill credit for agreeing to reduce load during system contingencies. Penalties may be assessed for failure to curtail. Interruptible programs have traditionally been offered only to the largest industrial (or commercial) customers.

Demand bidding/buyback programs: Customers offer bids to curtail based on wholesale electricity market prices or an equivalent. Mainly offered to large customers (e.g., those using 1 MW and more).

Emergency demand response programs: Programs that provide incentive payments to customers for load reductions during periods when reserve shortfalls arise.

Capacity market programs: Customers offer load curtailments as system capacity to replace conventional generation or delivery resources. Customers typically receive day-of notice of events. Incentives usually consist of up-front reservation payments, and face penalties for failure to curtail when called on to do so.

Source: Office of Electricity Delivery and Energy Reliability, "Benefits of Demand Response in Electricity Markets and Recommendations for Achieving Them," U.S. Department of Energy, 2006.

Price-based DR methods include RTP, TOU, and CPP schemes. The retail price of electricity varies on an hourly basis to reflect real-time wholesale electricity costs, and residential customers save money by either reducing their energy consumption during peak periods or shifting it to off-peak periods. This DR scheme requires the availability of smart meters and an advanced metering infrastructure (AMI) to facilitate the communication of RTP to customers.

Incentive-based DR schemes pay customers to reduce their electricity consumption when the price of electricity is high or when the stability of the power grid is under threat due to excessive demand. These schemes typically involve the installation of a switch that enables the utility to cycle residential air conditioners or water heaters when prices (or system loads) are high. This scheme is also termed direct load control.

3.2.3 DR Benefits

DR adoption promises benefits in several areas, including lower retail prices due to reduction in the need for expensive peaking power plants (i.e., power plants used only when there is high or peak power demand), increased grid reliability due to the avoidance of power outages, and reduction in the need for new generation capacity due to reduced demand.

3.2.4 DR Guidelines

To guarantee widespread adoption and fulfill the potential of DR, residential DR infrastructure must have the following features: automation; scalability to large areas; control of intelligent and legacy (or dumb) home appliances; the integration of renewable energy sources such as solar cell arrays and plug-in hybrid electric vehicles (PHEVs); and avoidance of the creation of rebound peaks that can result from shifting electricity usage to off-peak periods.³

3.3 Optimal Stopping Rule

The optimal stopping rule is the perfect tool for DR in a BAS. The method addresses the problem of determining the best time to take an action on an observed sequence of random variables to maximize expected rewards or minimize expected costs.⁴ Specifically, let (X_1, X_2, …) denote a random process whose joint distribution is assumed known, and (y_0, y_1(x_1), y_2(x_1, x_2), …, y_∞(x_1, x_2, …)) denote a sequence of real-valued reward functions. We need to choose a stopping time N that satisfies {N = n} ∈ F_n, where F_n is the σ-algebra generated by (X_j, j < n), to maximize or minimize the expected return E[Y_N]. It has been used effectively in statistics, economics, mathematics, finance, and networks. In our scenario, an action means an electricity user or appliance starts to run; the observation is the electricity price, and the objective is to minimize cost or maximize profit.

One of the most popular examples of an optimal stopping problem is the "secretary problem": a boss needs to select a perfect secretary from N applicants, for which N is known. All applicants can be ranked from best to worst without ties. They will be interviewed in a random order, and the boss has no information about the candidates before the interview. After each interview, the boss must make a decision to either accept the candidate on the spot or lose the chance forever. Once the applicant is rejected, he or she cannot be recalled. How can we guarantee the boss chooses the best secretary?

Intuitively, if we reject the first 50 percent of all applicants and choose the first applicant with a score better than all those already observed (and rejected), then we have greater than a 25% probability of winning. With the optimal stopping rule, we can find that if we do not select from the first 37% of candidates and choose the next interviewee whose rank is higher than the previous highest one, the winning probability increases to 36%. If we consider choosing the first or second best as winning, then a 57.4% winning probability can be achieved.

3.4 Problem Formulation

In this work, we use the optimal stopping rule to model our problem; more details can be found in Yi et al.⁵ A task is denoted here as the minimum unit of an electricity user's work, which can be dishwashing, PHEV charging, operating electrical machines, and so on. The electricity price process is modeled by a random process P(t), and the time is divided into slots with length τ. We assume that, once started, a task can be completed within one time slot. For some tasks, this assumption is valid (e.g., dishwashing and clothes washing) since they can be generally completed within a short period. However, some tasks may require a much longer time and may have time-varying power. In this case, we can decompose this task into multiple subtasks so that each subtask can be completed within one time slot, and more importantly, we can schedule a task by simply starting or postponing a subtask. For example, consider a task that requires two time slots and has power P_L in the first time slot and P_H in the second time slot as shown in Figure 3.2.

We decompose the task into three subtasks: subtask 1, subtask 2, and subtask 3 with power P_L, P_L, and P_H − P_L, respectively. Another important reason for task decomposition is that some users (e.g., refrigerator) require minimum standby power levels (e.g., P_L in Figure 3.2); thus, part of the power consumption cannot be scheduled. By the task decomposition method, we can allocate a portion of the power consumption and schedule this part (e.g., subtask 3) more flexibly. Different from other scheduling schemes proposed by previous works (e.g., Mohsenian-Rad and Leon-Garcia⁶), which schedule users by changing the power level, our proposed scheduling policy is binary; that is, we need to decide whether to start or postpone a task in a time slot. Thus, it is the task decomposition method that makes our scheduling policy feasible.

Based on this discussion, in the remainder of this chapter, we always make the following assumption:

Assumption 1: Once started, a task can be completed within one time slot; that is, during the service time of a task, the electricity price is constant.

On the other hand, task decomposition may also result in dependence between tasks. For example, some tasks may require executing consecutively, which may complicate the scheduling problem. However, in this initial work, this type of dependence is not considered and is left to future work.

[Figure 3.2 Task decomposition. Power versus time t, with power levels P_L and P_H, slot length τ, and the labels Subtask 1, Subtask 2, and Subtask 3.]

We sometimes use the expression "scheduling of tasks" and sometimes use the expression "scheduling of electricity users." It is obvious they have the same function. Moreover, although each electricity user may have multiple tasks, for simplicity we assume different tasks belong to different users. Thus, in the remainder of this chapter, we only talk about the scheduling of electricity users.

We consider a power system in which the tasks of electricity users arrive randomly. Recall that the electricity price process is modeled by a random process P(t), and the time is divided into slots with equal length τ. Based on Assumption 1, we also assume that once a user starts to operate, the electricity price is constant during its service time. Since we use a discrete-time model, we assume all arrivals take place at the beginning of a time slot. We assume the number of arrivals in a time slot is Poisson distributed with mean λ × τ, where λ denotes the average arrival rate. Specifically, let S_t denote the set of arrivals in the tth time slot; we have

$$\Pr(|S_t| = k) = \frac{(\lambda\tau)^k e^{-\lambda\tau}}{k!}, \quad k = 0, 1, \ldots \qquad (3.1)$$

where |·| denotes the cardinality of a set. It is well known that the Poisson distribution is a good model of many service arrival processes; other examples include radioactive decay of atoms, telephone calls arriving at a switchboard, and others.

Now, we consider an arbitrary electricity user i. Let g_i denote its electricity consumption during its service time and A_i denote its arrival time. Let N denote a scheduling policy that determines when to start a user and N(i) denote the corresponding scheduled operation time of user i. Then, the waiting time of user i is

$$W_i = N(i) - A_i \qquad (3.2)$$

For a given user i, there are two sources of costs: (1) cost due to purchasing electricity, denoted by C_i^p, and (2) cost due to the waiting time, denoted by C_i^w. Then, it is easy to see

$$C_i^p = g_i \times P(N(i)) \qquad (3.3)$$

Moreover, in this initial work, we assume the cost due to waiting is a linear function of the waiting time, that is,

$$C_i^w = \mu_i \times \tau \times W_i \qquad (3.4)$$

where μ_i is a positive constant and is referred to as the time factor of user i in this work. The total cost of user i is C_i^p + C_i^w. We are interested in the long-term average of the total cost, which is given as

$$C(N) = \lim_{M \to \infty} \frac{1}{M} \sum_{t=1}^{M} E\left[\sum_{i \in S_t} \left(C_i^p + C_i^w\right)\right] \qquad (3.5)$$

We also assume that there is a constraint on the total power consumption; that is, at any time t, the total power consumption satisfies

$$\sum_{l=1}^{t} \sum_{i \in S_l} g_i \times \delta(N(i), t) \le Q \qquad (3.6)$$

where δ(N(i), t) = 1 if N(i) = t and δ(N(i), t) = 0 otherwise, and Q is the power constraint. Notice that in the inequality, we sum the time from 1 to t because all arrivals before time t may be scheduled to operate at time t. One of the major reasons for us to consider a power constraint is that with opportunistic scheduling, many users may operate around the off-peak time and thus produce a peak power requirement, which may be a challenge for the facilities.

Based on this discussion, we are now ready to formulate the cost-minimizing opportunistic scheduling problem as the following optimization problem:

The Cost-Minimization Problem

$$\min_{N \in \mathcal{C}} \; \lim_{M \to \infty} \frac{1}{M} \sum_{t=1}^{M} E\left[\sum_{i \in S_t} \left(C_i^p + C_i^w\right)\right] \qquad (3.7)$$

$$\text{s.t.} \quad \sum_{l=1}^{t} \sum_{i \in S_l} g_i \times \delta(N(i), t) \le Q \qquad (3.8)$$

where $\mathcal{C}$ is the class of scheduling policies.

Remark 1: For convenience, we have assumed the number of arrivals in a time slot has a Poisson distribution. However, as we show in the remainder, our major results do not depend on the arrival distribution. So, our work can be directly extended to address other arrival processes.

Remark 2: Problem (3.7) is a general form of the infinite-user, infinite-horizon cost minimization. The finite-user problem (i.e., scheduling of a finite number of electricity users) or finite-horizon problem (i.e., users have deadlines) can be formulated in a similar way. Besides, we show that our solution in Section 3.3 can be directly applied to the finite-user case (infinite-time horizon). For the finite-horizon problem, our solution can also be applied by making a slight modification (the finite-horizon optimal stopping problem can be solved by the dynamic programming approach⁴). In Section 3.4, we provide simulation results for different cases.

Remark 3: If we are interested in maximizing the rate of return instead of total cost, we can also formulate the scheduling problem as a dual profit-maximization problem. In our previous work,⁷ we have shown that for the single-user case, the cost-minimization problem and the profit-maximization problem are essentially equivalent.
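The discrete-time model of Section 3.4 (Poisson arrivals per (3.1), costs per (3.2) to (3.4), the power cap of (3.6)) and the pure threshold policy the chapter states is optimal, worked through as an added example that is not the authors' code. It assumes an i.i.d. price with a known discrete distribution when computing a single user's threshold (the case of the authors' preliminary work; the threshold itself is derived here from the standard optimal-stopping fixed point, not taken from the chapter), and the price path, arrival rate and appliance figures are constructed.

```python
"""Threshold (optimal stopping) scheduling under the model of Section 3.4.
Added example, not the chapter's own code.  The threshold computation
assumes an i.i.d. price with a known discrete distribution; the simulator
accepts any price sequence, any arrival sequence and the power cap Q."""
from __future__ import annotations
import math
import random
from dataclasses import dataclass


@dataclass
class User:
    g: float          # g_i: energy drawn during the one-slot service time
    mu: float         # mu_i: time factor, waiting cost per hour
    arrival: int      # A_i: index of the arrival slot
    start: int | None = None   # N(i): slot in which the task was started


def optimal_threshold(g, mu, tau, price_dist, tol=1e-12, max_iter=100_000):
    """Single-user start threshold for an i.i.d. price P ~ price_dist given
    as [(price, prob), ...].  With c = mu*tau the per-slot waiting cost,
    V = E[min(g*P, c + V)] is the expected cost-to-go of waiting one slot
    and then acting optimally, so starting now is optimal iff g*p <= c + V,
    i.e. iff p <= (c + V)/g.  V is found by fixed-point iteration.
    Returns (threshold, V)."""
    c = mu * tau
    v = 0.0
    for _ in range(max_iter):
        v_next = sum(prob * min(g * p, c + v) for p, prob in price_dist)
        converged = abs(v_next - v) < tol
        v = v_next
        if converged:
            break
    return (c + v) / g, v


def simulate(prices, arrivals, threshold_of, Q, tau):
    """Run a pure threshold policy over one price sequence.
    prices[t]      P(t) in $/kWh for slot t
    arrivals[t]    list of (g, mu) pairs arriving at the start of slot t
    threshold_of   function (g, mu) -> that user's start threshold
    Q              power cap of eq. (3.6); None disables the constraint
    Returns (total cost per eqs (3.3)-(3.4) over started users,
    average waiting time in hours, number of users never started)."""
    waiting: list[User] = []
    started: list[User] = []
    for t, price in enumerate(prices):
        if t < len(arrivals):
            waiting.extend(User(g, mu, t) for g, mu in arrivals[t])
        load, deferred = 0.0, []
        for u in waiting:                  # FCFS among the eligible users
            fits = Q is None or load + u.g <= Q
            if price <= threshold_of(u.g, u.mu) and fits:
                u.start, load = t, load + u.g
                started.append(u)
            else:
                deferred.append(u)
        waiting = deferred
    cost = sum(u.g * prices[u.start] + u.mu * tau * (u.start - u.arrival)
               for u in started)
    avg_wait = (tau * sum(u.start - u.arrival for u in started) / len(started)
                if started else 0.0)
    return cost, avg_wait, len(waiting)


def poisson_arrivals(n_slots, lam, tau, g, mu, seed=1):
    """Constructed arrival stream per eq. (3.1): the count in each slot is
    Poisson with mean lam*tau, sampled by Knuth's multiplication method."""
    rng = random.Random(seed)
    out = []
    for _ in range(n_slots):
        limit, k, prod = math.exp(-lam * tau), 0, 1.0
        while True:
            prod *= rng.random()
            if prod <= limit:
                break
            k += 1
        out.append([(g, mu)] * k)
    return out


if __name__ == "__main__":
    tau = 1.0                                        # 1 h slots
    dist = [(0.02, 1/3), (0.04, 1/3), (0.08, 1/3)]   # constructed $/kWh levels
    g_dryer = 3.0 * 0.75     # 3 kW average over a 0.75 h cycle: 2.25 kWh
    rng = random.Random(7)   # constructed 48 h path drawn i.i.d. from dist
    prices = [rng.choice([p for p, _ in dist]) for _ in range(48)]
    for mu in (0.005, 0.01, 0.02, 0.03):             # the chapter's mu sweep
        th, _ = optimal_threshold(g_dryer, mu, tau, dist)
        arrivals = poisson_arrivals(48, 0.5, tau, g_dryer, mu)
        osr = simulate(prices, arrivals, lambda g, m: th, None, tau)
        nosr = simulate(prices, arrivals, lambda g, m: math.inf, None, tau)
        capped = simulate(prices, arrivals, lambda g, m: th, 6.75, tau)
        print(f"mu={mu}: threshold {th:.4f} $/kWh  OSR cost {osr[0]:.3f} "
              f"wait {osr[1]:.2f} h  NOSR cost {nosr[0]:.3f}  "
              f"OSR(Q=6.75) cost {capped[0]:.3f} unstarted {capped[2]}")
```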

3.5 Simulation and Result

In this section, we apply our optimal stopping method to actual RTP data from the Ameren web site (https://www2.ameren.com/retailenergy/realtimeprices.aspx, July 14–23, 2011) to evaluate the performance of our residential scheduling scheme. We take a clothes dryer as our simulation parameter. Normally, the running time of a clothes dryer is 0.75 h. The average power in a running cycle is 3 kW, and peak energy in a cycle is 6 kW. We can see from Figure 3.3 that the typical clothes dryer use time is during the day, and the peak hour occurs around 11 a.m., which is also the peak daily electricity price. Due to its high peak energy in the cycle and short service time, it offers significant opportunities for shifting peak electricity usage.

Figures 3.4 and 3.5 show the performance of our proposed scheduling scheme using the optimal stopping rule (OSR) and no optimal stopping rule (NOSR). It can dramatically reduce the cost of electricity, with cost savings up to 50%. Average waiting time is acceptable. The time factor reflects the customer's time requirement for this appliance. A larger time factor means residents are more sensitive with the appliance, and it is less flexible to schedule. Small time factors are more suitable for DR and can save more electricity costs.

[Figure 3.4 Clothes dryer time factor versus cost. OSR, optimal stopping rule; NOSR, no optimal stopping rule. Axes: Time Factor (μ), 0 to 0.03; Cost ($), 3 to 8 × 10⁻³. Series: OSR without constraint, NOSR without constraint, OSR with constraint, NOSR with constraint.]

[Figure 3.3 Normalized hourly residential energy usage. Axes: Hour of the Day, 1 to 24; Percentage, 0.000 to 0.120.]

3.6 Discussion

3.6.1 Modeling of Price Signals

In our preliminary work,⁷ the price signal was modeled as an independent and identically distributed (i.i.d.) random process, which is not realistic. We propose several other models for future study. The optimal stopping solution for non-i.i.d. price signals is difficult to obtain.

3.6.1.1 Random Modeling of Price Signals Though modeled as random processes in this proposal, the price signals often contain deterministic components, such as seasonal components (period) and a trend. These deterministic components can be utilized to estimate the electricity price. Thus, a general electricity price process can be decomposed as

$$P(t) = m(t) + s(t) + w(t) \qquad (3.9)$$

where s(t) is a periodic function, m(t) is a deterministic function, and w(t) is a zero-mean random process. This decomposition is exactly the classical decomposition model of time series.⁹

Now, we discuss these three components in detail. The seasonal component s(t) describes the short-term variation of price signals. For example, there are peaks at the high-demand afternoons and troughs at the low-demand nighttime hours. In this case, s(t) has a period of 24 h.

[Figure 3.5 Clothes dryer time factor versus average waiting time. Axes: Time Factor (μ), 0 to 0.03; Average Waiting Time (hrs), 0 to 10. Series: OSR without constraint, NOSR without constraint, OSR with constraint, NOSR with constraint.]

The trend component m(t) describes the long-term variation of price signals. For example, due to high energy demand for heating or air conditioning, the electricity price may be higher in winter and summer, respectively. The third component w(t) describes the randomness of price signals. In our preliminary work,⁷ we assumed that P(t) = w(t) is an i.i.d. random process. However, since the electricity price process has memory in general (i.e., the electricity price does not change too much over two consecutive slots), a more realistic candidate for the random component w(t) is the finite-state Markov chain (FSMC) model. A counterpart in wireless communication is the FSMC modeling of fading channels.¹⁰ Building the model of price signals will be our first task. Many approaches, such as Wiener filtering and curve fitting (e.g., polynomial fitting), will be adopted in our future analysis.

3.6.1.2 Usage-Dependent Electricity Price In the last section, we discussed random modeling of price signals. The price signal is assumed to be independent of customer usage. In some scenarios, the electricity price can be expressed as a deterministic function of customer usage. An example is the electricity market with an inclining block rate (IBR) pricing scheme, which has been widely adopted in the pricing tariffs by many utility companies since the 1980s (e.g., Southern California Edison, San Diego Gas and Electric, and Pacific Gas and Electric). In IBR pricing, the marginal price increases with the total quantity consumed.¹¹ That is, beyond a certain threshold in the total monthly/daily/hourly load, the electricity price will increase to a higher value. The IBR pricing scheme can stimulate the customers to distribute their load at different times of day to avoid paying for electricity at higher rates. Moreover, IBR pricing helps in load balancing and reducing the peak-to-average ratio (PAR).⁶ With IBR pricing, the price signal can be expressed as

$$P(t) = f(u(t)) \qquad (3.10)$$

where f(·) is a deterministic step function, and u(t) is the total energy consumption in the tth time slot. The random model and the usage-dependent model can be combined to provide a more general model of price signals. In this case, the price signal can be expressed by

$$P(t) = f(u(t); t) + w(t) \qquad (3.11)$$


3.6.2 Fairness

In the studies discussed, the objective of optimal scheduling is to minimize the total cost of multiple appliances. In some scenarios, fairness must be taken into consideration. For example, we consider a system with multiple independent customers; each user has a personal interest. Under fairness constraints, the objective of scheduling becomes minimizing the total utility function. There are two types of fairness that can be considered, max-min fairness and proportional fairness. Now, we consider proportional fairness. The utility function can take the following form:¹³

$$U_k(r) = \begin{cases} \log r, & \text{if } k = 1 \\ (1-k)^{-1}\, r^{1-k}, & \text{if } k \ge 0,\ k \ne 1 \end{cases} \qquad (3.12)$$

By solving the min-cost problem in (3.7) with C_i replaced by U_k(C_i), we can get the optimal scheduling scheme under the proportional fairness constraint.

3.7 Conclusion

In this work, we presented our optimal stopping-based scheduling framework for building DR. The real-time price was modeled as random variables, and each appliance was assigned a different time factor. Our scheme automatically determined the best time to run the appliance to save the expenditure on electricity without waiting a long time. Results showed that our user-friendly scheduling scheme can reduce domestic energy consumption with minimal user intrusion while mitigating peak rebound. Future work includes investigation of price signal modeling, fairness, and incorporation of PHEVs into our framework.

Acknowledgment This work is funded by the U.S. Department of Energy under grant DE-FC26-08NT02875.

99 Distributed Opportunistic Scheduling

References

1. U.S. Department of Commerce, Integration of Building Control Systems/Smart Utility Grid Project. http://www.nist.gov/el/highperformance_buildings/intelligence/smartgrid.cfm (accessed April 24, 2011).

2. Office of Electricity Delivery and Energy Reliability, Benefits of Demand Response in Electricity Markets and Recommendations for Achieving Them. Washington, DC: U.S. Department of Energy, 2006.

3. M. LeMay, R. Nelli, G. Gross, and C. A. Gunter, An integrated architecture for demand response communications and control, Proceedings of the 41st Annual Hawaii International Conference on System Sciences, January 2008, Waikoloa, Big Island, Hawaii, p. 174.

4. T. Ferguson, Optimal Stopping and Applications. Electronic notes, www.math.ucla.edu/~tom/stopping/contents.html

5. P. Yi, X. Dong, A. Iwayemi, and C. Zhou, Real-time opportunistic scheduling for residential demand response, accepted by IEEE Transactions on Smart Grid, 4(1):227–234 (2013).

6. A.-H. Mohsenian-Rad and A. Leon-Garcia, Optimal residential load control with price prediction in real-time electricity pricing environments, IEEE Transactions on Smart Grid, 1(2):120–133 (2010).

7. P. Yi, X. Dong, and C. Zhou, Optimal energy management for smart grid systems—an optimal stopping rule approach, IFAC World Congress Invited Session on Smart Grids, August 2011, Milan, Italy.

8. A. Iwayemi, P. Yi, X. Dong, and C. Zhou, Knowing when to act: an optimal stopping method for smart grid demand response. IEEE Network 25(5):44–49 (2011).

9. P. J. Brockwell and R. A. Davis, Introduction to Time Series and Forecasting, 2nd ed. New York: Springer, 2002.

10. H. S. Wang and N. Moayeri, Finite-state Markov channel—a useful model for radio communication channels, IEEE Transactions on Vehicular Technology, vol. 44, no. 1, pp. 163–171, 1995.

11. P. C. Reiss and M. W. White, Household electricity demand, revisited (December 2001). NBER Working Paper No. W8687. Available at SSRN: http://ssrn.com/abstract=294736

12. A.-H. Mohsenian-Rad, V. W. S. Wong, J. Jatskevich, and R. Schober, Optimal and autonomous incentive-based energy consumption scheduling algorithm for smart grid, in Innovative Smart Grid Technologies (ISGT), 2010, January 2010, Gaithersburg, MD, pp. 1–6.

13. Office of Electricity Delivery and Energy Reliability, "Benefits of Demand Response in Electricity Markets and Recommendations for Achieving Them," U.S. Department of Energy, 2006.


4 Advanced Metering Infrastructure and Its Integration with the Distribution Management System

Zhao Li, Fang Yang, Zhenyuan Wang, and Yanzhu Ye

Contents

4.1 Introduction 102
4.2 The Advanced Metering Infrastructure 104
4.2.1 The AMI Metering System 104
4.2.2 AMI Communication Network 106
4.2.2.1 The Hierarchical AMI Communication Network Format 107
4.2.2.2 Internet-Protocol-Based Mesh AMI Communication Network 109
4.2.3 The Meter Data Management System 110
4.3 The Standardization of the AMI 111
4.3.1 Standard AMI Communication Protocols 111
4.3.1.1 ANSI C12.22 112
4.3.1.2 IEC 62056 115
4.3.2 Standard AMI Information Model 117
4.3.2.1 ANSI C12.19-2008 117
4.3.2.2 IEC 62056-62 118
4.4 The AMI and DMS Integration 120
4.4.1 Meter Data Models in the DMS 120
4.4.1.1 IEC 61968-9: A Meter Model in CIM 121
4.4.1.2 MultiSpeak 122
4.4.1.3 Comparison of General Meter Models and Power System, Domain-Specific Meter Models 123
4.4.2 AMI and DMS Integration 124
4.4.2.1 Business Considerations 124
4.4.2.2 Challenges of AMI and DMS Integration 125
4.5 The Meter Data Integration Layer: A Unified Solution for the AMI and DMS Integration 126
4.5.1 The Context of the MDI Layer 126
4.5.2 Software Architecture of the MDI Layer 126
4.5.2.1 Components of the MDI Layer 127
4.5.2.2 Behavior of the MDI Layer 129
4.5.3 The MDI Architecture Evaluation 131
4.5.3.1 Strategies 131
4.5.3.2 Test Results and Discussion 133
4.6 Conclusion 134
Acknowledgments 135
References 135

Recognizing the value of an advanced metering infrastructure (AMI), utilities worldwide are deploying millions of smart meters. To better justify AMI investment, researchers have recognized the urgency of utilizing the full potential of AMI to improve the quality of distribution management system (DMS) applications. However, the integration of AMI and DMS is a challenge, as it entails different communication protocols and requirements for handling various meter information models. In addition, the AMI meter data load generated by millions of smart meters can potentially overwhelm DMSs. In this chapter, we first briefly review the state of the art of AMI technologies and then propose a unified AMI and DMS integration solution that easily adapts DMS systems to various AMI systems with minimal engineering effort.

4.1 Introduction

The advanced metering infrastructure (AMI)1 consists of metering, communication, and data management functionalities, offering two-way transportation of customer energy usage data and meter control signals between customers and utility control centers. AMI was originally developed from advanced meter reading (AMR),2–6 a one-way communication infrastructure that implements automatic collection of meter measurements from residential smart meters to utility control centers for calculating monthly bills and fulfilling other related activities. Partially as the next generation of "AMR," AMI not only enhances the traditional data collection functionality (i.e., improving monthly meter data collection to real-time or near-real-time meter data collection) but also adds communication capability from the control center to smart meters.

A distribution management system (DMS) is defined as an online decision-making tool that receives information pertaining to the system status and analog points from the distribution grid and generates supervisory control commands that are relayed to distribution breakers, switches and reclosers, switched capacitor banks, voltage regulators, and load tap changers (LTCs). To fulfill these functionalities, the DMS must have an efficient communication system capable of gathering the system state information and distributing control commands to customer-side control units (i.e., switches and reclosers) in real time and near real time.7 Practically, however, because such a transportation network does not yet exist, most DMS applications (i.e., balanced or unbalanced load flow) are currently based on estimated values of data points, which leads to imprecise, even inaccurate, results.

In the past few years, AMI technologies have benefited from the U.S. government's economic stimulus plan. In addition, the Energy Policy Act of 2005 requires electric utilities with annual sales greater than 500,000 MWh to adopt the smart metering option with time-based rates. Today, most U.S. states have begun the process of deploying smart meters within an AMI. At the beginning of 2009, for example, Texas initiated a project of deploying 6 million smart meters and expected to complete it by 2012; California plans to install 10 million smart meters by the end of 2012. The deployment of smart meters is taking place not only in the United States but also throughout the world. Based on current estimates, by 2015 smart meter installations are expected to reach 250 million worldwide.8 Hence, AMI and smart meters should be ubiquitous in the near future.

The deployment of AMI technologies has led to a need for a higher-quality DMS. Thus, the goal of research must be to integrate AMI with DMS systems.9–12 As the intention of AMI was to serve a general domain that included electricity, water, and gas utilities, while that of the DMS was to exclusively serve the electricity domain, the integration of the two systems certainly entails the adaptation of various communication protocols (i.e., American National Standards Institute [ANSI] C12.22, JMS [Java Messaging Service], and Web service) and information models (i.e., ANSI C12.19, International Electrotechnical Commission [IEC] 61968-9, and MultiSpeak®) to the AMI and DMS systems. With the "tsunami" of AMI meter data generated by millions of residential smart meters, the task of integration has become even more complicated, requiring that the integration solution be scalable enough to handle the influx of a large number of meter measurements.

The rest of this chapter is structured as follows: The second section analyzes the components of the AMI (smart meters, the communication network, and the meter data management system [MDMS]) and reviews the current status and future trends of these components. The third section discusses the standardization of the AMI meter data model and communication protocols, an effective way to protect a utility's long-term investment in the AMI by extending the life cycle of AMI. The fourth section discusses the challenges in the integration of DMS and AMI; based on the discussion in this section, the fifth section conducts a meter data integration (MDI) case study. The last section concludes the chapter.

4.2 The Advanced Metering Infrastructure

The AMI consists of a metering system, a communication network, and an MDMS. In this chapter, we briefly review the functionalities and future trends of these AMI components.

4.2.1 The AMI Metering System

As the end device of the AMI, the AMI metering system refers to all electricity meters, which perform both measuring and communication functions, installed at customer sites. AMI metering systems fall into two categories: electromechanical meters and digital solid-state electricity meters.


An electromechanical meter (Figure 4.1) operates by counting the revolutions of an aluminum disk designed to rotate at a speed proportional to the power. The number of revolutions, proportional to energy usage, determines the amount of energy consumed during a certain period. Currently, most utilities have a large number of electromechanical meters in the field that provide reliable and dependable measurement services. However, the major constraint of the electromechanical meter is its limited and nonexpandable measurement capabilities, which prevent its wide application in modern "smart" power grids.

A solid-state electricity meter, a meter constructed with digital signal-processing technologies, is actually a computer system that uses a microprocessor to convert analog signals to digital signals and further processes these digital signals into user-friendly results. For solid-state meters, adding a new function is as easy as installing a new application on a general-purpose computer. Hence, their functionalities can be easily expanded to adapt to various application scenarios. For example, beyond the traditional kilowatt-hour consumption measurement, a solid-state meter provides demand interval information, time-of-use (TOU) information, load profile recording, voltage monitoring, reverse flow and tamper detection, power outage notification, a service control switch, and other applications.

To communicate with other smart meters or utility control centers, a smart meter is generally equipped with a communication module. Popular communication modules in the current market are low-power radios, the Global System for Mobile Communications (GSM), general packet radio service (GPRS), Bluetooth, and others. In general, each AMI vendor develops its own proprietary communication modules (Table 4.1), which in most cases are not interoperable with the communication modules produced by other vendors.

Figure 4.1 (a) Electromechanical meter and (b) solid-state meter. (From Electromechanical meter and solid-state meter. http://en.wikipedia.org/wiki/Electric_energy_meter.13)

For most utilities, the deployment of millions of smart meters is a huge investment, so many utilities still maintain numerous electromechanical meters. However, because of their limited and nonexpandable functionalities, these meters are gradually becoming a major obstacle to utilities shifting to the smart grid, which requires a change in the functionalities of the end devices. Because of the technological enhancements of the smart grid, utilities are gradually replacing their electromechanical meters with solid-state meters, which they expect to last well into the future, so solid-state meters should begin to dominate the market in the near future.

4.2.2 AMI Communication Network

The AMI communication network is a two-way data transportation channel that transports meter measurements and meter control signals back and forth between individual meters and utility control centers. Technically, the AMI network can be categorized into either a hierarchical AMI network or a mesh AMI network. Because the mesh AMI network, a relatively new network, has several advantages (i.e., performance and efficiency) over the hierarchical AMI network, it will be the dominant AMI network in the future. Both types are discussed here.

Table 4.1 Communication Modules of Primary AMI Vendors in the United States (March 2011)

AMI VENDOR | COMMUNICATION MODULES
Landis+Gyr | Unlicensed RF, PLC
Itron | ZigBee, unlicensed RF, public carrier network (OpenWay®)
Elster | Unlicensed RF, public carrier network
Echelon | PLC, RF, Ethernet
GE | PLC, public carrier network, RF
Sensus | Licensed RF (FlexNet®)
Eka | Unlicensed RF (EkaNet®)
SmartSynch | Public carrier network
Tantalus | RF (TUNet®)
Trilliant | ZigBee, public wireless network

Note: RF = radio frequency.

4.2.2.1 The Hierarchical AMI Communication Network Format In a hierarchical AMI communication network, lower-level elements have strict relationships with their direct upper-level parent elements, and a meter is managed by its upper-level data collector. Figure 4.2 illustrates a typical multilevel hierarchical AMI communication network, which can be classified into three layers: the home-area network (HAN), the meter local-area network (LAN), and the wide-area network (WAN).14,15 In such networks, meter data are collected and transported from a lower- to a higher-level meter data collector. The major features of each layer are described next:

4.2.2.1.1 Wide-Area Network As the highest level of aggregation in an AMI network, the WAN handles connectivity between a high-level meter data collector and a utility control center or between high-level meter data collectors. The WAN is the backbone of the AMI communication network through which numerous AMI measurements and control signals are transported.

Figure 4.2 Infrastructure of the hierarchical AMI network (layers: HAN, Meter LAN, WAN; elements: Meter, Collector, MDMS).

4.2.2.1.2 Meter LAN The meter LAN distribution network handles connectivity from data concentrators or some distribution automation devices (e.g., monitors, reclosers, switches, capacitor controllers) to high-level data collectors. Compared with the WAN, the meter LAN has larger geographical coverage but less data transportation.

4.2.2.1.3 Home-Area Network For utilities, the HAN has been defined or viewed as a grouping of home appliances and consumer electronic devices that allow for remote interface, analysis, control, and maintenance. The electric meter acts as the gateway of the HAN: collecting measurements (e.g., electricity, water, and gas) and sending them to the utility control center while executing control commands received from the utility control center.

The WAN, the LAN, and the HAN are generally constructed with wired and wireless network technologies. In the current AMI communication network, widely applied wired communication technologies include communication via telephone systems, Ethernet, power line carriers, and broadband over power lines, while widely applied wireless technologies include communication via mobile systems, cellular networks, and wireless mesh networks. Table 4.2 summarizes the features of these network technologies in the current market.

The various layers of the AMI network require different performance, coverage, and security, so they are constructed with different wired or wireless communication technologies. For the HAN, which requires self-healing, plug-and-play, low power, and low cost, ZigBee is the preferred technology. For the LAN, which requires good coverage and relatively low performance, power line communication (PLC), unlicensed spectrum radio, and Wi-Fi are likely choices. For the WAN, which requires both high performance and good coverage, broadband over power line (BPL), WiMAX, and licensed/unlicensed spectrum radio are preferable.

Table 4.2 Features of Primary AMI Communication Technologies

TYPE | NAME | DATA RATE | RANGE | SECURITY
Wired | PLC | 100 kbps | Same as power network | Exposed to public access
Wired | BPL | <200 Mbps | Same as power network | Exposed to public access
Wired | Fiber optic | 10–40 Gbps | 30–50 miles with repeaters | With security features
Wireless | WiMAX | <70 Mbps | Up to 30 miles | With security features
Wireless | Wi-Fi | 11–54 Mbps | <100 m | With security features
Wireless | ZigBee (802.15.4) | 20–250 kbps | <1 mile | With security features

4.2.2.2 Internet-Protocol-Based Mesh AMI Communication Network In a mesh AMI communication network based on the Internet Protocol (IP), a meter is an IP-based device capable of gaining access to meter data collectors and other meters through its IP address. In this sense, the IP-based mesh AMI network is similar to the Internet/intranet. Because of this similarity, many standard Internet communication protocols (HTTP [Hypertext Transfer Protocol] and XML [eXtensible Markup Language]) are widely used in the IP-based AMI network even though they are neither specially designed nor optimized for utility meter data transportation. For example, the WebGate Classic Residential Meter Solutions provided by Munet15 offers an IP-enabled AMI mesh network solution in which a meter can communicate with another meter or a meter data collector through standard Internet communication protocols (e.g., HTML and XML).

Compared with the multilevel hierarchical AMI network, a mesh AMI network has more advantages, especially in scalability, stability, and extensibility. More important, many well-developed and fully tested software and hardware technologies from the Internet (e.g., various communication protocols and network security technologies) can be smoothly transplanted into the AMI mesh network, making it more secure and user friendly. For example, Internet addressing technologies (e.g., IP version 4 [IPv4] and IPv6) help utilities effectively identify and control individual meters located in the network.

Generally, most advanced smart grid applications tend to transport a large amount of meter data in an efficient and secure way. Because existing hierarchical communication networks are incapable of performing such a task, the development of a more advanced AMI network is becoming urgent. As meshed AMI network technologies are still in the research-and-development (R&D) phase, an interim solution is to borrow mature Internet communication technologies and apply them to the existing AMI network. However, this solution is not tailored to power grid applications, so it must eventually be replaced by AMI mesh network technologies.

4.2.3 The Meter Data Management System

While a utility can use the AMI to collect data, it must also be able to use its AMI data to support decision making throughout the organization to achieve the maximum return on its investment. With the development of the smart grid, utilities are gradually realizing that the AMI cannot achieve all of the desired benefits unless it can effectively cleanse, process, store, and apply the data, activities that must be performed if utilities are to address and enhance their key business processes. These goals have driven the need for an entirely new MDMS.

The MDMS of the AMI provides a set of advanced software tools that manage large volumes of meter data. It collects, validates, and stores meter data in a central data repository and allows utilities to take full advantage of AMI information in network monitoring, load research, operational analyses, and decision making. In addition, it enables meter data to be shared with end customers, who can access the data whenever they need to make decisions about how and when they use energy.

The typical functionalities of an MDMS are as follows:16

• Setting up, configuring, and monitoring meters and communication networks
• Administrating network security and data access privileges
• Loading meter data from communication gateways
• Providing a graphical user interface
• Cleaning, parsing, and storing data as well as exporting data to other systems
• Processing validated meter data for various utility applications

Since an MDMS collects meter readings from millions of meters at a certain time interval (i.e., 15 minutes), the volume of meter data is always increasing and can potentially become huge. Therefore, the challenge is to store and manage such a huge data set and then extract valuable information from it to support various utility applications, tasks that cannot be handled using traditional database technologies. However, a well-defined solution that provides sufficient scalability to manage such a meter data set is still in the development phase in both theory and practice.
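As an added example (not the chapter's or any vendor's MDMS code), the following Python performs the cleansing and validation step described above on constructed 15-minute cumulative register readings from two meters, flagging missing intervals, duplicate reports, register decreases (reverse flow, rollback, or tampering) and implausible spikes before the data are passed on to utility applications. The meter identifiers, the readings and the 5 kWh per-interval plausibility ceiling are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=15)   # the 15-minute collection interval named in the text
MAX_INTERVAL_KWH = 5.0             # constructed plausibility ceiling for one residential interval


@dataclass(frozen=True)
class Reading:
    meter_id: str
    ts: datetime
    register_kwh: float  # cumulative energy register reported by the smart meter


@dataclass(frozen=True)
class Flag:
    meter_id: str
    ts: datetime
    code: str     # GAP, DUPLICATE, REVERSE or SPIKE
    detail: str


def validate_meter(readings, max_kwh=MAX_INTERVAL_KWH):
    """Cleanse one meter's readings; returns (intervals, flags).

    intervals: (timestamp, kWh) consumption deltas that passed validation
    flags:     anomalies that billing or DMS applications must not consume blindly
    """
    ordered = sorted(readings, key=lambda r: r.ts)
    intervals, flags = [], []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = cur.ts - prev.ts
        if gap == timedelta(0):
            flags.append(Flag(cur.meter_id, cur.ts, "DUPLICATE", "same timestamp reported twice"))
            continue
        spanned = gap // INTERVAL            # how many 15-minute intervals this delta covers
        if gap != INTERVAL:
            flags.append(Flag(cur.meter_id, cur.ts, "GAP",
                              f"{spanned - 1} interval(s) missing before this reading"))
        delta = cur.register_kwh - prev.register_kwh
        if delta < 0:
            # a cumulative register never counts down: reverse flow, rollback or tampering
            flags.append(Flag(cur.meter_id, cur.ts, "REVERSE",
                              f"register decreased by {-delta:.3f} kWh"))
            continue
        if delta > max_kwh * max(spanned, 1):
            flags.append(Flag(cur.meter_id, cur.ts, "SPIKE",
                              f"{delta:.3f} kWh exceeds plausibility ceiling"))
            continue
        intervals.append((cur.ts, delta))
    return intervals, flags


def validate_all(readings, max_kwh=MAX_INTERVAL_KWH):
    """Group a mixed batch of readings by meter and validate each meter."""
    by_meter = defaultdict(list)
    for r in readings:
        by_meter[r.meter_id].append(r)
    return {m: validate_meter(rs, max_kwh) for m, rs in by_meter.items()}


def sample_readings():
    """Constructed readings (not real meter data) that exercise each check."""
    t0 = datetime(2011, 3, 1, 8, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    return [
        Reading("M1", at(0), 100.0),
        Reading("M1", at(15), 100.4),
        Reading("M1", at(30), 100.9),
        Reading("M1", at(60), 101.5),   # the 08:45 reading never arrived -> GAP
        Reading("M1", at(75), 101.2),   # register went backwards -> REVERSE
        Reading("M1", at(90), 109.0),   # 7.8 kWh in 15 minutes -> SPIKE
        Reading("M1", at(105), 109.3),
        Reading("M2", at(0), 50.0),
        Reading("M2", at(15), 50.2),
        Reading("M2", at(15), 50.2),    # retransmitted by the collector -> DUPLICATE
        Reading("M2", at(30), 50.5),
    ]


if __name__ == "__main__":
    for meter, (intervals, flags) in validate_all(sample_readings()).items():
        print(meter, "valid intervals:", len(intervals))
        for f in flags:
            print("  ", f.ts.strftime("%H:%M"), f.code, f.detail)
```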

4.3 The Standardization of the AMI

In the current market, smart meters from different vendors are generally noninteroperable. For most utilities, deploying millions of smart meters is a long-term investment, which means that once a utility adopts smart meters from an AMI vendor, it must follow up with related products from the same vendor for the sake of compatibility. However, utilities are reluctant to be bound to a certain meter vendor, especially in the early stages of smart grid development.

Enabling interoperability between AMI products from different vendors is an effective way to protect utilities' investment, so most important standards committees in the world (e.g., AEIC [American Energy Innovation Council], ANSI, EPRI [Electric Power Research Institute], and NIST [National Institute of Standards and Technology]) are currently responding to this issue. Table 4.3 lists the popular standard communication protocols and meter information models in the current market, defined by ANSI, IEC, and NRECA (National Rural Electric Cooperative Association). Most of these standards have recently been revised (i.e., version 2 of C12.19 in 2008) or newly defined (i.e., version 1 of C12.22 in 2008) to support new requirements (i.e., demand response) from the smart grid.

The standardization of the AMI includes standardization of both AMI communication protocols and AMI information models.

4.3.1 Standard AMI Communication Protocols

Since 2008, the focus of the standardization of AMI communication protocols has gradually shifted from the physical level (e.g., ANSI C12.1817) and the device level (e.g., ANSI C12.2118) to the application level (e.g., ANSI C12.2219) because application-level communication protocols effectively isolate the details of underlying physical network configurations and implementations.

In the following section, we introduce the principal application-level communication protocols and meter information models that are popular in both the U.S. market (i.e., C12.19 and C12.22) and the European market (i.e., IEC 62056-5320 and IEC 62056-6221).

4.3.1.1 ANSI C12.22 Historically, after a set of standard table contents and formats were defined in ANSI C12.19 (the details of the C12.19 standard are discussed further in this chapter), a point-to-point standard protocol (ANSI C12.18) was developed to transport the table data over an optical connection. The Protocol Specification for Telephone Modem Communication (ANSI C12.21) was developed afterward to allow devices to transport tables over telephone modems. The C12.22 standard expands on the concepts of both ANSI C12.18 and C12.21 to allow the transport of table data over any reliable networking communications system.

Table 4.3 Popular Standard Communication Protocols and Meter Information Models

NAME | TIME TO MARKET | CATEGORY | FUNCTIONALITIES | APPLICATION DOMAIN
ANSI C12.19 | 1997 version 1; 2008 version 2 | Data model | Model the meter data in tables | Gas, water, and electricity
C12.22 | 2008 version 1 | Communication protocol | Transfer data over C12.22 network | Gas, water, and electricity
C12.18 | 1996 version 1; 2005 version 2 | Communication protocol | Transfer data by point-to-point protocol | Gas, water, and electricity
C12.21 | 1999 version 1; 2005 version 2 | Communication protocol | Transfer data through a modem-based point-to-point protocol | Gas, water, and electricity
IEC 61968-9 | 2009 version 1 | Data model | Model meter data for power system distribution application | Electricity
62056 | 2007 version 1 | Communication protocol | Transfer meter data over serial port or network | Gas, water, and electricity
NRECA MultiSpeak | Latest version 2007 | Data model | Model meter data for power system distribution application | Electricity

4.3.1.1.1 Goals of ANSI C12.22 The goal of the ANSI C12.22 standard is to define a meshed network infrastructure that is customized for AMI applications. The goals of the standard are as follows:

• To define a datagram that may convey ANSI C12.19 data tables through any network, which must include the AMI network and optionally includes the Internet
• To provide a seven-layer communication infrastructure for interfacing a C12.22 device to a C12.22 communication module
• To provide an infrastructure for point-to-point communication to be used over local ports such as optical ports or modems
• To provide an infrastructure for efficient one-way messaging

Overall, the ANSI C12.22 mesh network consists of C12.22 nodes and the C12.22 network.

4.3.1.1.2 Network Infrastructure of ANSI C12.22 A C12.22 node, a point on the network that attaches to an ANSI C12.22 network (Figure 4.3), is a combination of a C12.22 device and a communication module. The C12.22 communication module is a hardware module that attaches a C12.22 device to a C12.22 network. The C12.22 device contains meter data in the form of tables defined in C12.19. The interface between the communication module and the device is completely defined by the C12.22 standard.

Figure 4.3 Typical examples of C12.22 nodes: a standard ANSI C12.19 meter with an internal C12.22 communication module, a standard meter with an external C12.22 gateway, and a non-ANSI meter with an internal C12.22 gateway, each attached to a C12.22 network segment.

The C12.22 network defines an AMI-specific mesh communication infrastructure that consists of one or more C12.22 network segments (subnetworks) or a C12.22 LAN (Figure 4.4). Within a network segment, there is a collection of C12.22 nodes that communicate with one another without forwarding messages through either a C12.22 relay or a C12.22 gateway. The C12.22 network segments can be connected into a C12.22 WAN through C12.22 relays and gateways, so that meters from different network segments can communicate with one another.

Similar to the Open System Interconnection (OSI) model, the C12.22 communication protocol consists of seven layers (Figure 4.5): an application layer (layer 7), a presentation layer (layer 6), a session layer (layer 5), a transport layer (layer 4), a network layer (layer 3), a data link layer (layer 2), and a physical layer (layer 1). Unlike OSI, C12.22 is customized for meter data transportation. For example, the application layer of C12.22 supports only ANSI C12.19 tables, EPSEM, and ACSE (EPSEM and ACSE are languages that encapsulate C12.19 meter data22). The standard services provided by layer 7 of C12.22 include an identification service, a read service, a write service, a security service, a trace service, and others; layers 1 through 6 support various physical network connections in the meter industry as well as the standard Internet connection.

Figure 4.4 The basic C12.22 network: C12.22 nodes (each a C12.22 device with a C12.22 communication module) grouped into C12.22 network segments, joined by a C12.22 relay and a C12.22 gateway.

4.3.1.2 IEC 62056 IEC 62056, which defines the meter interface classes for the Companion Specification for Energy Metering (COSEM) model, includes a series of standards on data exchange for meter reading, tariffs, and load control, as follows:

• IEC 62056-21: a standard that defines direct local data exchange, which describes how to use COSEM over a local port (optical or current loop). It is designed to operate over all media, including the Internet, through which a meter sends ASCII or other format meter data to a nearby handheld unit using a serial port.
• IEC 62056-42: a standard that defines physical-layer services and procedures for connection-oriented asynchronous data exchange.
• IEC 62056-46: a standard that defines a data link layer using the high-level data link control (HDLC) protocol, a three-layer, connection-oriented, HDLC-based communication profile.
• IEC 62056-47: a standard that defines COSEM transport layers for IPv4 networks, the Transmission Control Protocol [TCP]/IP-based communication profile.
• IEC 62056-53: a standard that defines a COSEM application layer.
• IEC 62056-61: a standard that defines an object identification system (OBIS).
• IEC 62056-62: a standard that defines interface classes and a data model.

Figure 4.5 Seven-layer Open System Interconnection model for meter data transportation: on each C12.22 device, C12.19 tables, C12.22 EPSEM, and C12.22 ACSE sit on C12.22 layer 7, above C12.22 layers 6 to 1, which connect to the LAN/WAN/MAN. Key: LAN, local-area network; WAN, wide-area network; MAN, metropolitan-area network.

Similar to ANSI C12.22, IEC 62056-53, the application-layer communication protocol in the COSEM model (Figure 4.6), is defined based on several other IEC 62056 series protocols, including IEC 62056-21, -42, -46, and -47. Except for IEC 62056-21, which is used in handheld devices for locally exchanging data with meters, the remaining protocols are used to define different layers of the communication network that support application-level communication: the physical layer (IEC 62056-42), the data link layer (IEC 62056-46), and the transport layer (IEC 62056-47). Similar to ANSI C12.22, the meter data carried by IEC 62056-53 are defined by IEC 62056-61 and IEC 62056-62, which are dedicated meter data models in the IEC 62056 series.

As an application-layer communication protocol, IEC 62056-53 primarily provides three services to application-level semantics: the GET service (.request, .confirm), the SET service (.request, .confirm), and the ACTION service (.request, .confirm).

Figure 4.6 Request/response process of COSEM: a client and a server exchange requests and responses through the application layer (IEC 62056-53), the intermediate data link and transport layers (IEC 62056-46, -47), and the physical layer (IEC 62056-42) over the physical channel.

Although both IEC 62056 and ANSI C12.22 provide a way of constructing the advanced mesh AMI network, each has a unique market focus: IEC 62056 primarily focuses on the European market, while ANSI C12.22 focuses on the North American market. In the current North American market, most AMI vendors support C12.18 and C12.21, but few support C12.22 since it has only recently been defined. Itron,23 Elster,24 and Trilliant Incorporated25 were the pioneers supporting the C12 communication protocols. Because of the advantages of C12.22, we predict that in the near future most major meter vendors will support C12.22 standard communication protocols in the North American market.

4.3.2 Standard AMI Information Model

An information model is a representation of concepts, relationships, constraints, rules, and operations that specify data semantics for a chosen domain of discourse.26 In the AMI communication infrastructure, it is necessary to maintain an information model in which all communication participants can semantically reach a certain level of understanding.

In this chapter, we briefly discuss the major standard information models in today's market: ANSI C12.19 and IEC 62056-62. The former is widely used in the U.S. market and the latter in the European market.

4.3.2.1 ANSI C12.19-2008 ANSI C12.19 resulted from a comprehensive cooperative effort among utilities, meter manufacturers, automated meter-reading service companies, ANSI, Measurement Canada (for Industry Canada), NEMA, the IEEE (Institute of Electrical and Electronics Engineers), Utilimetrics, and other interested parties. Currently, it has two versions: ANSI C12.19-1997 and ANSI C12.19-2008. As the latter is intended to accommodate the concepts of the most recently identified AMI, it is the one primarily discussed in this chapter.

The heart of ANSI C12.19 is a set of defined standard tables and procedures; the former are methods of storing the collected meter data and controlling parameters, and the latter are methods of invoking certain actions against the data and parameters.22 The standard tables in C12.19 are typically classified into sections, referred to as decades. Each decade pertains to a particular feature set and a related function. Transferring data from or to an end device that adheres to the C12.19 standard entails reading or writing a particular table or a portion of a table. Even though the C12.19 standard covers a broad range of tables and procedures, it is highly unlikely that any smart meter will be able to embed all tables or even a majority of those defined in ANSI C12.19. Hence, implementers are encouraged to choose an appropriate subset that suits their needs.

C12.19 is a general meter information model that serves various domains, including electricity, water, and gas. As an example, Figure 4.7 illustrates the electricity information abstracted from the tables defined in decade 1 of the C12.19 standard. In addition, the tables in C12.19 can be customized through some standard operations.

4.3.2.2 IEC 62056-62  Unlike ANSI C12.19, which uses tables to package meter measurements, IEC 62056-62 models meter information through a series of interface classes [21]. As the information modeled by C12.19 and IEC 62056-62 is essentially the same, we do not duplicate our efforts to further introduce the content of IEC 62056-62. Similar to ANSI C12.19, as a general meter data model, IEC 62056 supports not only electricity meters but also gas and water meters.

For AMI vendors, the preference to support certain standards has a strong geographical bias. For example, most smart meter vendors in the U.S. market are more likely to choose the ANSI series standards (i.e., C12.19 and C12.22), while those in the European market are more likely to select IEC standards. Table 4.4 lists the major meter vendors in the U.S. market and their support for the IEC 62056 series standards. As of today, only Elster completely supports the IEC 62056 series standards, including IEC 62056-42, -46, -53, -61, and -62. Other vendors, such as Itron, support only a portion of the IEC 62056 standards, and some, such as GE and Sensus, do not support the series at all.

Figure 4.7 Electricity information modeled by C12.19. THD = total harmonic distortion, V = voltage, I = current.

Triggered by the rapid development of the smart grid, most AMI vendors have begun to support the standard communication protocols and meter data models in addition to their proprietary communication protocols. As of today, most vendors have accepted C12.19 (Table 4.5), but only a few pioneers (i.e., Itron and Elster) support C12.22, which is necessary for a future meshed AMI network.

Overall, AMI is a two-way communication network ranging from residential houses to control centers. As an information provider, it is complementary, to some extent, to the DMS, providing real-time or near-real-time system state information; as a command executor, it carries out control commands sent from the utility control centers to residential smart meters. As real-time or near-real-time system state information can significantly improve the quality of DMS applications, integration of the AMI with the DMS may represent a feasible, efficient solution for improving the quality of DMS applications.

Table 4.4 Relationships between IEC 62056 Series Standards and Primary Meter Vendors in the U.S. Market (March 2011)

Vendor        IEC 62056/DLMS/COSEM support
Landis+Gyr    Europe: IEC 62056-21 (for local reading) and DLMS (as a system integration interface); North America: No
Itron         United States: Quantum: mini-DLMS; Europe: IEC 62056-21 and DLMS/COSEM for C&I meter
Elster        A1800 ALPHA: DLMS/COSEM and IEC 62056-42, -46, -53, -61, -62
Echelon       IEC 62056-21 (2002) (physical and electrical requirements only)
GE            No
Sensus        No
Eka           No
SmartSynch    No
Tantalus      No
Trilliant     No

Source: International Electrotechnical Commission. With permission.

4.4 The AMI and DMS Integration

In this section, we focus on the context, issues, and challenges of AMI and DMS integration from an engineering perspective.

4.4.1 Meter Data Models in the DMS

Instead of adopting the existing AMI meter data models (i.e., C12.19 and IEC 62056-62), the DMS defines its own meter data models that are exclusively optimized for DMS applications and are compatible with existing DMS information models (e.g., the Common Information Model [CIM]). The most popular meter data models in the DMS today are IEC 61968-9 and MultiSpeak.

Table 4.5 AMI Vendors and Standard Information Models and Communication Protocols in the U.S. Market (March 2011)

Vendor        C12.18  C12.21  C12.22  C12.19  IEC 61968/CIM  Others
Landis+Gyr    ✓       ✓       ✓       ✓       ✓              Unlicensed RF, PLC
Itron         ✓       ✓       ✓       ✓       ✓              ZigBee, unlicensed RF, public carrier network (OpenWay®)
Elster        ✓       ✓       ✓       ✓       ✓              Unlicensed RF, public carrier network
Echelon       ✓ ✓ ✓ (three of the five columns)              PLC
GE            ✓ ✓ ✓ ✓ (four of the five columns)             PLC, public carrier network, RF
Sensus        ✓ ✓ ✓ (three of the five columns)              Licensed RF (FlexNet®)
Eka           ✓ ✓ (two of the five columns)                  Unlicensed RF (EkaNet®)
SmartSynch    ✓ ✓ (two of the five columns)                  Public carrier network
Tantalus      ✓       ✓       N/A     ✓       N/A            RF (TUNet®)
Trilliant     ✓       ✓       ✓       ✓       Not yet        IEEE 802.15.4; ZigBee; public WAN, including CDMA/1xRTT, GSM/GPRS, WiMAX, etc.

Note: CDMA = code division multiple access; DLMS = Device Language Message Specification. For Echelon, GE, Sensus, Eka, and SmartSynch, the source preserves only how many of the five standard columns are marked, not which ones.

4.4.1.1 IEC 61968-9: A Meter Model in CIM  Published by IEC in 2009, the IEC 61968-9 standard [27] defines the interface for meter reading and control in the DMS. The goal of the interface is the exchange of information between a meter system and other applications at electric utilities, serving the integration of meter data with utility applications. As part of the CIM of the utilities, the IEC 61968-9 standard extends the traditional CIM to support the exchange of meter information between utility applications. Electricity measurements provided by IEC 61968-9 are important for a variety of DMS applications (Figure 4.8), such as outage management, service interruptions, service restoration, quality-of-service monitoring, distribution network analysis, distribution planning, demand reduction, customer billing, and work management.

In addition to electricity measurements, the IEC 61968-9 standard defines a meter information exchange infrastructure consisting of message and event definitions, which cover meter reading, meter control, meter events, customer data synchronization, and customer switching.

Figure 4.8 Improving the quality of DMS applications using AMI meter data. The figure places the IEC 61968-9 meter model at the center, exchanging the information items numbered below with the surrounding DMS applications: meter data management, network operations, meter maintenance and asset management, outage management, metering system, data collection, control and reconfiguration, planning and scheduling, customer information and billing, service point, load management system, load analysis, and load control.

1. Readings, events, and status
2. Controls and signals
3. Meter readings
4. Outage events
5. Outage and restoration verification
6. Meter history
7. Customer data set
8. On-request read
9. Transaction records
10. Disconnect/reconnect, demand reset
11. Demand response signals
12. Meter configuration and installation
13. Meter health information

Figure 4.9 shows an IEC 61968-9 message sent by the DMS to poll a meter reading, identified by meter ID, from an AMI system.

As part of the CIM, a meter modeled by IEC 61968-9 is represented by the MeterAsset class, a newly defined class in the CIM that supports smart meters. Through the MeterAsset class, an IEC 61968-9 meter can easily exchange information with other devices modeled by the CIM and provide better services for utility applications. More important, unlike C12.19, which is a general meter data model serving water, gas, and electricity, a meter in IEC 61968-9 is exclusively tailored to utility applications (e.g., load analysis and control, outage management, meter maintenance, and asset management).

4.4.1.2 MultiSpeak  MultiSpeak [28] is a de facto standard funded by NRECA. Similar to IEC 61968, it focuses on data exchange modeling and enterprise integration in electric utilities and is intended to support standards-based interapplication integration. Compared to IEC 61968-9, MultiSpeak is a mature protocol that has been in the market for some time.

From an infrastructure perspective, IEC 61968-9 fits into a variety of messaging middleware frameworks, so it is suitable for utilities that may already have a number of different middleware solutions in place. MultiSpeak, implemented in terms of web services, is more effective for small utilities, which rarely implement messaging middleware (Figure 4.10).

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- edited with XMLSPY v2004 rel. 3 U (http://www.xmlspy.com) by ABB (ABB Inc) -->
    <m:MeterReadings xsi:schemaLocation="http://iec.ch/TC57/2009/MeterReadings# MeterReadings.xsd"
        xmlns:m="http://iec.ch/TC57/2007/MeterReadings#"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <m:MeterReading>
        <m:MeterAsset>
          <m:mRID>6468822</m:mRID>
        </m:MeterAsset>
      </m:MeterReading>
    </m:MeterReadings>

Figure 4.9 Example of the meter pull information packaged by IEC 61968-9. (With permission from the IEC.)
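The Figure 4.9 pull message, as an AMI adaptor would have to receive it, is shown below in an added example that is not code from the book, the MDI prototype, or any vendor product. It restores the message's closing tags, refuses DTD/entity declarations and oversized messages before the parser runs (the usual XML entity-expansion and resource-exhaustion cases for a component that fronts a DMS), and resolves MeterAsset and mRID by namespace rather than by bare tag name. The size cap, the rejection rules, the function names, and the mRID token rule are assumptions of this example.

```python
"""Added example: parse and validate an IEC 61968-9 MeterReadings pull message.

The hardening rules, names and limits below are this example's own assumptions;
they are not part of the IEC 61968-9 standard text.
"""
import xml.etree.ElementTree as ET

# Namespace used by the message in Figure 4.9.
CIM_NS = "http://iec.ch/TC57/2007/MeterReadings#"
NS = {"m": CIM_NS}

# Constructed sample: the Figure 4.9 pull message with its closing tags restored.
SAMPLE_PULL = """<?xml version="1.0" encoding="UTF-8"?>
<m:MeterReadings xmlns:m="http://iec.ch/TC57/2007/MeterReadings#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://iec.ch/TC57/2009/MeterReadings# MeterReadings.xsd">
  <m:MeterReading>
    <m:MeterAsset>
      <m:mRID>6468822</m:mRID>
    </m:MeterAsset>
  </m:MeterReading>
</m:MeterReadings>
"""


class MeterMessageError(ValueError):
    """Raised when a message is not a clean IEC 61968-9 meter pull."""


def parse_meter_pull(xml_text: str, max_bytes: int = 64 * 1024) -> list:
    """Return the mRIDs requested by a MeterReadings message, or raise MeterMessageError.

    Checks applied before anything reaches the Temp DB (assumptions of this example):
    - a size cap, because the adaptor fronts a DMS that must not be stalled;
    - no DOCTYPE or ENTITY declarations, so entity-expansion payloads are dropped
      before the parser ever sees them;
    - namespace-qualified lookups, so an element outside the CIM namespace is not
      mistaken for a MeterAsset;
    - an mRID must be a single printable token, since it becomes a lookup key later.
    """
    if len(xml_text.encode("utf-8")) > max_bytes:
        raise MeterMessageError("message exceeds size cap")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise MeterMessageError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MeterMessageError(f"malformed XML: {exc}") from None
    if root.tag != f"{{{CIM_NS}}}MeterReadings":
        raise MeterMessageError(f"unexpected root element {root.tag!r}")
    mrids = []
    for reading in root.findall("m:MeterReading", NS):
        asset = reading.find("m:MeterAsset", NS)
        if asset is None:
            raise MeterMessageError("MeterReading without MeterAsset")
        mrid = (asset.findtext("m:mRID", default="", namespaces=NS) or "").strip()
        if not mrid or not mrid.isprintable() or any(c.isspace() for c in mrid):
            raise MeterMessageError("invalid mRID")
        mrids.append(mrid)
    if not mrids:
        raise MeterMessageError("no MeterReading element in message")
    return mrids


def build_meter_pull(mrids) -> str:
    """DMS side: emit the same message shape for a list of meter mRIDs."""
    ET.register_namespace("m", CIM_NS)  # keeps the 'm:' prefix in the serialized output
    root = ET.Element(f"{{{CIM_NS}}}MeterReadings")
    for mrid in mrids:
        reading = ET.SubElement(root, f"{{{CIM_NS}}}MeterReading")
        asset = ET.SubElement(reading, f"{{{CIM_NS}}}MeterAsset")
        ET.SubElement(asset, f"{{{CIM_NS}}}mRID").text = str(mrid)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(parse_meter_pull(SAMPLE_PULL))
    print(build_meter_pull(["6468822", "6468823"]))
```

The DOCTYPE check is a string test on the raw message on purpose: the standard library's expat parser can be configured to ignore external entities, but rejecting any DTD before parsing is simpler to audit, and an IEC 61968-9 message has no legitimate use for one. Schema validation against MeterReadings.xsd would sit after these checks, not instead of them.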


4.4.1.3 Comparison of General Meter Models and Power System Domain-Specific Meter Models  Overall, ANSI C12.19 and IEC 62056-62 are general meter models serving the electricity domain, the water domain, and the gas domain, while MultiSpeak and IEC 61968-9 are customized to the electricity domain and support enterprise integration within the scope of the electric utilities.

Figure 4.11 illustrates the relationships between general meter models and power system-specific meter models. Even though all four meter data models discussed have electricity measurements, the scopes of the measurement namespaces and message infrastructures differ (refer to the lower part of Figure 4.11). As the electricity-specific models (i.e., IEC 61968-9 and MultiSpeak) organize and model information based on utility applications, they have a larger scope of meter measurement namespaces that include temperature measurements, demand response control, and other domain information, providing better services for various DMS applications. In addition, the message and event infrastructure of the electricity meter models is compatible with the existing utility information infrastructure, so they can easily be integrated with utility applications.

Figure 4.10 MultiSpeak data model. The figure shows a web service bus (MultiSpeak) connecting load profile, meter reading, outage detection, load management, accounting, meter data management, SCADA applications, customer billing, and geographic information system.

Figure 4.11 General meter data model versus power system-specific data model. The upper part contrasts the information model for electronic meters (ANSI C12.19 and IEC 62056-62, with measurements for electric, gas, and water meters) with the IEC 61968-9 and MultiSpeak meter models (the electric meter model plus messages, events, and temperature measurements); the lower part shows their consumers: water utilities, gas utilities, DMS applications, EMS applications, and electricity billing.

4.4.2 AMI and DMS Integration

4.4.2.1 Business Considerations  The DMS and the AMI are two separate systems with different business goals and architectures. The purpose of integrating the AMI and the DMS is to enable the two systems to exchange information while minimizing the influence of the integration on both systems in terms of performance and engineering costs.

Utilities that adopt an integration layer such as the MDI layer (Section 4.5) must address some major business considerations:

• Different DMS applications use different approaches to import external data. For example, some DMS applications utilize the enterprise service bus (ESB), and others rely on the SCADA (supervisory control and data acquisition) system. In this sense, the integration solution should be easily adaptable to both ESB and SCADA interfaces.

• Utilities generally have deployed (or are currently developing) AMI systems with different types of meter data servers, such as MDMSs. These AMI systems are usually built by different AMI vendors. The integration solution should be adaptable to diverse AMI systems.

• Meter data models in AMI systems are designed for applications in different domains (i.e., electricity, water, and gas); however, DMS applications primarily require a power system-dedicated meter data model (i.e., IEC 61968-9). The integration solution should account for the information gaps between a general-domain meter data model and a power system-specific meter data model, and bridge these gaps while an AMI system and a DMS system are exchanging meter data.

• Currently, the commercial requirement for regular meter reading is a 15-minute interval. With the development of AMI technologies, the interval is becoming shorter. However, handling meter data generated by millions of smart meters every 15 minutes can pose substantial challenges to DMS systems, because the original architecture of most legacy DMS systems was not designed for heavy AMI meter data load conditions. Therefore, the integration solution has to minimize the influence of the meter data load on a DMS system by caching meter data and, when necessary, adjusting the meter data stream throughput to a level that the DMS system can accept.

• AMI and DMS systems are usually developed by different vendors. Thus, different dialects are likely used in the meter models and transport protocols to describe even the same grid network. The integration solution should harmonize these dialects.

4.4.2.2 Challenges of AMI and DMS Integration  The challenges of designing the integration solution are as follows:

• Performance: The integration solution should be capable of processing both scheduled (expected) meter reading data and bursty (unexpected) meter outage reports generated by a large number of smart meters in a timely manner. Ideally, it should be able to withstand a worst-case data-loading scenario in which a regular meter reading session coincides with a large-scale outage reporting event.

• Scalability: The integration solution should be able to handle the incoming data of thousands and even millions of smart meters at a data-updating interval of 1 day, 1 hour, 15 minutes, or even shorter.

• Adaptability: The integration solution should be able to adapt to the distinct AMI systems deployed by utilities. That is, it should be capable of adapting to different meter data models and different AMI data integration communication protocols.

• Extensibility: The integration solution should be capable of introducing appropriate technologies that fit not only the current AMI and DMS technology framework but also future AMI and DMS applications.

4.5 The Meter Data Integration Layer: A Unified Solution for AMI and DMS Integration

4.5.1 The Context of the MDI Layer

A unified AMI and DMS integration solution, called the MDI layer [29], is described in this section; it can be viewed as middleware between the AMI and DMS systems. Figure 4.12 illustrates the overall system, which consists of the AMI, the DMS, and the integration solution. The MDI layer enables the easy integration of diverse AMI systems (i.e., the MDMS or the meter data collection engine) with the DMS.

4.5.2 Software Architecture of the MDI Layer

In this section, the MDI layer architecture and the rationale and trade-offs behind the architecture are discussed.

Figure 4.12 Context of the MDI layer. (From Z. Li, Z. Wang, et al., 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571. Copyright IEEE. With permission from IEEE.) The figure shows meters attached to meter networks (i.e., C12.22), a meter data collector and an MDMS reached over the AMI network, the Meter Data Integration Layer in the middle (connected over a wide band network via a web service and an ESB), and two DMSs (DMS 1 and DMS 2) attached through ESB/SCADA; every link carries data/control in both directions.

Key: AMI = Advanced Meter Infrastructure; ESB = Enterprise Service Bus; MDMS = Meter Data Management System; NM = Network Manager; MDI = Meter Data Integration.

4.5.2.1 Components of the MDI Layer  Figure 4.13 is the component diagram of the MDI layer. Overall, the components of the MDI can be classified into four categories based on their functionalities: the AMI adaptors, the AMI information translation and verification infrastructure, the loosely coupled event (LCE) infrastructure, and the DMS adaptors.

4.5.2.1.1 AMI Adaptors  AMI adaptors, the components illustrated on the left side of Figure 4.13, can fit different types of AMI data servers (e.g., the MDMS and the meter data collector), transferring metering data streams from the AMI to the DMS or vice versa:

• For transferring meter data (e.g., measurements and outage information) from the AMI to the DMS, AMI adaptors must conform to the AMI communication channel to receive the meter data blocks sent by the corresponding AMI server and process them. To do so, AMI adaptors must understand the communication protocols and meter data models of the AMI system involved.

• For transferring metering information (e.g., meter control and meter poll commands) from the DMS to the AMI, AMI adaptors must pack the meter poll/control information using the AMI meter data model and deliver the packages to the AMI system using the communication protocol adopted by the AMI system.

Figure 4.13 Architecture of the meter data integration solution. (From Z. Li, Z. Wang, et al., 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571. Copyright IEEE. With permission from IEEE.) From left to right: the AMI adaptors (AMI 1 ... AMI n adaptors; each connects with an AMI, an MDMS, or individual meters) that adapt the AMI; the Temp DB and the LCE infrastructure, which aggregate, cache, translate, and verify meter information; the DMS adaptors (DMS adaptor 1 connects with the ESB, DMS adaptor 2 with SCADA) that adapt the DMS; and the MDI monitor. The components exchange pub/sub LCE messages; the key distinguishes the data channel from the LCE messages.

Each AMI system that needs to support DMS applications should have a corresponding AMI adaptor in the MDI layer. An ideal AMI adaptor possesses the following attributes:

• It has a high-performance parser that processes the incoming AMI meter data stream effectively.

• It can be dynamically plugged into the MDI layer without interrupting the normal operation of the other components in the MDI layer.

The use of AMI adaptors can greatly simplify the process of adapting a DMS system to diverse AMI systems because, for a new AMI, the deployment process requires only the design of a corresponding lightweight AMI adaptor instead of a redevelopment of the entire AMI interface.

4.5.2.1.2 The Information Translation and Verification Structure  Surveying the variation among the meter data models used by typical AMI and DMS applications, we concluded in Wang and Li [30] that AMI systems utilize general meter data models (i.e., ANSI C12.19) that can be applied to all domains (i.e., electricity, gas, and water), whereas DMS systems use power system-specific meter data models (i.e., IEC 61968-9). One of the primary tasks of the MDI layer is therefore to eliminate the information gaps between the AMI and DMS meter data models, which is accomplished using the information translation and verification structure, the components of which are shown in the middle part of Figure 4.13.

In the MDI layer, translation means converting the AMI dialect to the DMS dialect when meter data from the AMI are delivered to the DMS, and vice versa. Translation is implemented by looking up the AMI and DMS cross-reference tables stored in the Temp DB. Verification involves filtering out erroneous information and verifying the integrity of the incoming metering data before delivering them to the target system (either the AMI or the DMS). Verification is implemented by the foreign key constraints of the relational tables in the Temp DB.

More important, in the worst-case scenario, in which a regular meter-reading session coincides with a large-scale outage event and a large amount of incoming meter information requires verification in a short time frame, the information translation and verification infrastructure maintains performance by using multithreading.

4.5.2.1.3 The LCE Infrastructure  The LCE infrastructure is the messaging infrastructure of the MDI layer. All functional components in the MDI layer are coordinated by publishing or subscribing to messages on the LCE infrastructure. The LCE event infrastructure [31] has two characteristics:

1. It is a messaging system that efficiently coordinates the behaviors of message senders/receivers.

2. It is loosely coupled. Message senders (publishers) and receivers (subscribers) of the LCE infrastructure are decoupled and run in different program spaces; shutting down a publisher or subscriber will not influence the normal operation of the other publishers or subscribers.

4.5.2.1.4 DMS Adaptors  Most design considerations for AMI adaptors (e.g., dynamic plug-in) are also applicable to the design of the DMS adaptors. More important, the design of the DMS adaptors also takes into account the throughput limitation of the DMS data channels when delivering meter data to the DMS system.

4.5.2.1.5 MDI Monitor  The MDI monitor tracks the status of the functional components in the MDI layer by subscribing to the LCE messages sent by these components; it can be dynamically plugged into the MDI by turning on its subscriptions to LCE messages.

4.5.2.2 Behavior of the MDI Layer  Dynamically, the MDI layer supports the following three types of activities or events: (1) the AMI pushes meter data to the DMS (i.e., reports outages and pushes regular meter readings); (2) the DMS polls meter data from the AMI (i.e., verifies outages and requests meter measurements) by sending meter poll commands to the AMI; and (3) the DMS pushes control commands to the AMI (i.e., meter control demands).


4.5.2.2.1 AMI Pushes Meter Data to the DMS  The workflow of the MDI layer processing meter data pushed by the AMI is as follows. On receiving a meter data package from the AMI, an AMI adaptor parses it and delivers the parsed meter data to the Temp DB for translation and verification; meanwhile, it publishes a message on the LCE infrastructure to notify the other components in the MDI layer that are interested in the AMI meter data arrival notice. One of these interested components is a DMS adaptor. On receiving this notice, the DMS adaptor initiates the following workflow to process the AMI meter data that have come in: first, it picks up the verified and translated meter data from the Temp DB, then packs them using the message format required by the DMS system, and finally delivers the packed message to the DMS system. During the process, the behaviors of the AMI adaptor, the Temp DB, and the DMS adaptor are coordinated by the AMI meter data arrival notice.

As previously mentioned, the meter data load pushed by the AMI can be very large. Thus, avoiding a delay in processing or a loss of AMI meter data requires a high-performance AMI adaptor. Performance can be enhanced by multicore and multithread technologies. The workflow of a multithreaded AMI adaptor that processes incoming meter data is as follows: on receiving a meter data package, the AMI adaptor quickly unpacks it and then launches a new thread that parses the meter data package, caches the meter data in the Temp DB, and sends a meter data arrival notice to the LCE infrastructure. However, the creation of new threads consumes a considerable amount of system resources: when a large volume of data packages comes in, an AMI adaptor must launch a large number of threads in a very short time frame, quickly using up system resources. This phenomenon is called a thread explosion. To prevent it, a semaphore installed in the AMI adaptor limits the number of launched threads.
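The workflow just described, from the AMI adaptor through the Temp DB and the LCE notice to the DMS adaptor, follows as an added example; it is not the MDI prototype's own code (which was written in .NET) or any vendor's. The example covers the caching and throughput adjustment called for in Section 4.4.2.1, the cross-reference translation and foreign-key verification of Section 4.5.2.1.2, and the semaphore-bounded worker threads of this section. The JSON package layout (standing in for the AMI dialect only for brevity), the table names, the sample meter IDs, and the batch and thread limits are assumptions of the example.

```python
"""Added example: the MDI-layer workflow for AMI-pushed meter data, modeled in Python.

AMI adaptor (semaphore-bounded worker threads) -> Temp DB (translate via cross-reference
table, verify via foreign key) -> LCE notice -> DMS adaptor (delivery in DMS-sized batches).
Message fields, table layout, sample IDs and limits are assumptions of this example.
"""
import json
import queue
import sqlite3
import threading

# Constructed AMI-side packages, one per meter, as JSON for brevity.
AMI_PACKAGES = [
    '{"ami_id": "LG-000123", "kwh": 1543.2, "outage": false}',
    '{"ami_id": "LG-000124", "kwh": 88.0, "outage": true}',
    '{"ami_id": "LG-999999", "kwh": 12.0, "outage": false}',  # meter unknown to the DMS
    'this is not a meter package',                             # garbage on the channel
]

def build_temp_db() -> sqlite3.Connection:
    """Temp DB: a cross-reference table (translation) and a foreign key (verification)."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("PRAGMA foreign_keys = ON")  # sqlite enforces foreign keys only when asked
    db.executescript("""
        CREATE TABLE xref (ami_id TEXT PRIMARY KEY, dms_mrid TEXT NOT NULL UNIQUE);
        CREATE TABLE reading (ami_id TEXT NOT NULL REFERENCES xref(ami_id),
                              kwh REAL NOT NULL, outage INTEGER NOT NULL);
    """)
    db.executemany("INSERT INTO xref VALUES (?, ?)",
                   [("LG-000123", "6468822"), ("LG-000124", "6468823")])
    return db

class LceBus:
    """Loosely coupled event bus: publisher and subscriber share only this queue."""
    def __init__(self):
        self._q = queue.Queue()

    def publish(self, topic, payload=None):
        self._q.put((topic, payload))

    def drain(self, topic):
        """Subscriber side: take every pending payload for one topic."""
        out = []
        while not self._q.empty():
            t, p = self._q.get_nowait()
            if t == topic:
                out.append(p)
        return out

def ami_adaptor(packages, db, bus, max_threads=4):
    """Unpack each package, then parse/cache/notify in a worker bounded by a semaphore."""
    sem = threading.Semaphore(max_threads)  # caps live workers: no thread explosion
    lock = threading.Lock()                  # serialises the shared Temp DB connection
    stats = {"cached": 0, "rejected": 0}
    workers = []

    def work(raw):
        try:
            pkg = json.loads(raw)
            row = (pkg["ami_id"], float(pkg["kwh"]), int(bool(pkg["outage"])))
            with lock:
                db.execute("INSERT INTO reading VALUES (?, ?, ?)", row)  # FK check fires here
                db.commit()
                stats["cached"] += 1
            bus.publish("ami_data_arrived", row[0])
        except (ValueError, KeyError, TypeError, sqlite3.IntegrityError):
            with lock:
                stats["rejected"] += 1  # failed verification: dropped, never forwarded
        finally:
            sem.release()

    for raw in packages:
        sem.acquire()  # blocks while max_threads workers are still running
        t = threading.Thread(target=work, args=(raw,))
        workers.append(t)
        t.start()
    for t in workers:
        t.join()
    return stats

def dms_adaptor(db, bus, max_batch=1):
    """On the arrival notice, deliver verified, translated rows in DMS-sized batches."""
    if not bus.drain("ami_data_arrived"):
        return []
    rows = db.execute("SELECT x.dms_mrid, r.kwh, r.outage FROM reading r "
                      "JOIN xref x ON x.ami_id = r.ami_id ORDER BY x.dms_mrid").fetchall()
    msgs = [{"mRID": m, "kwh": k, "outage": bool(o)} for m, k, o in rows]
    return [msgs[i:i + max_batch] for i in range(0, len(msgs), max_batch)]

def run_pipeline(packages=AMI_PACKAGES, max_batch=1):
    """Whole workflow for one set of packages; returns (adaptor stats, DMS batches)."""
    db, bus = build_temp_db(), LceBus()
    stats = ami_adaptor(packages, db, bus)
    return stats, dms_adaptor(db, bus, max_batch)

if __name__ == "__main__":
    print(run_pipeline())
```

Two design points carry over from the text. The foreign key does double duty: a reading for a meter the utility has no cross-reference for never reaches the DMS, which is exactly the verification the Temp DB is meant to provide, and the same lookup yields the DMS mRID for translation. The semaphore is acquired by the receiving loop and released by the worker, so a burst can never start more than max_threads parsers at once; packages beyond that wait on the channel instead of being dropped.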

4.5.2.2.2 DMS Pushes Meter Control Commands to the AMI  The workflow for processing meter control commands pushed by the DMS to the AMI is similar to that for processing meter measurements pushed by the AMI, except for the starting points: DMS adaptors for the former and AMI adaptors for the latter.


4.5.2.2.3 DMS Polls Meter Data from the AMI  The workflow of the DMS polling meter data from the AMI consists of the following processes: (1) the DMS pushes meter control commands to the AMI, and (2) the AMI pushes the meter data back to the DMS. These two processes were discussed previously in this chapter.

4.5.3 The MDI Architecture Evaluation

To validate the MDI design and evaluate its quality attributes in a real-world situation, we developed a prototype of the MDI layer and a meter data load simulation system (the AMI simulator) using Microsoft .NET enterprise technologies; the simulator can create various testing scenarios for the MDI layer by simulating many smart meter operations (i.e., meter outages, meter reading, and meter control). Using the MDI prototype and the AMI simulator, we ran several test cases to evaluate the functionalities and the associated quality attributes of the designed MDI layer.

4.5.3.1 Strategies  Instead of exhausting all of the possible testing scenarios, we chose to test some important functionalities and their associated quality attributes. Because the most important attribute of the MDI layer is its ability to handle meter data loads pushed by millions of smart meters, we focused our test cases on a meter data "tsunami" scenario. In other words, we primarily tested the quality attributes (performance, scalability, and flexibility) of the architecture of the MDI layer against a meter data load created by millions of smart meters. The test environment is illustrated in Figure 4.14, and a detailed description of the quality attributes and their trade-offs follows.

4.5.3.1.1 Performance  Typically, a utility has millions of smart meters whose data load can come from regular measurements every 15 minutes or from a burst of outage reports. However, the available AMI simulator server (constrained by its central processing unit [CPU] and internal memory) can simulate the behavior of only 65,000 smart meters. Instead of simulating a meter data load generated by millions of smart meters in 15 minutes, we simulated the load of 63,445 smart meters (the meters corresponding to customers in a fixed number of areas in one utility network) in 1 minute. Our assumption was that if the MDI layer can process the meter data load generated by the 63,445 smart meters in 1 minute, then it should be able to process a meter data load generated by 1 million meters in 15 minutes.

4.5.3.1.2 Scalability  We tested the scale-up and scale-out capabilities of the MDI layer. For the scale-up test, we used two AMI simulators that concurrently pushed outage reports to the same MDI layer server; accordingly, two AMI adaptors configured in the MDI layer server received the outage reports pushed by the two AMI simulators. Unlike a typical single-adaptor situation, the scale-up test case handled about double the meter data load.

For the scale-out test, we added a second MDI layer server, configured to use the same Temp DB as the first MDI layer server. In this two-server configuration, the two AMI simulators were connected to the two MDI layer servers. The primary purpose of the scale-out test case was to verify whether the designed MDI layer could be scaled out simply by modifying the server configuration rather than by revising the source code of the MDI layer.

Figure 4.14 The configuration of the simulation test environment. (From Z. Li, Z. Wang, et al., A Unified Solution for Advanced Metering Infrastructure Integration with a Distribution Management System, 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571. Copyright IEEE. With permission from IEEE.)

AMI Simulator 1: Intel Xeon X3220 2.4 GHz quad-core CPU; 4 GB memory; 250 GB, 7,200 rpm hard disk; Windows 2008 Server.
AMI Simulator 2: Intel Core 2 Quad 9550 2.7 GHz quad-core CPU; 4 GB memory; 750 GB, 7,200 rpm hard disk; Windows 2003 Server.
MDI Layer server: Intel Xeon X3220 2.4 GHz quad-core CPU; 4 GB memory; 250 GB, 7,200 rpm hard disk; Windows 2008 Server.
The simulators reach the MDI layer over a web service and over JMS, respectively.

4.5.3.1.3 Flexibility  For flexibility, we wanted to verify the capability of the MDI layer to connect to different types of AMI systems. To make the test results more meaningful, we simulated two AMI systems: one transported meter data using JMS [32], supported by IBM WebSphere MQ 7.0 [33] (a transactional communication channel), and the other transported meter data using web service remote calls (a nontransactional communication channel). Accordingly, the MDI layer had two adaptors, one for each AMI system.

4.5.3.2 Test Results and Discussion  The performance test results showed that the MDI layer server could cache, translate, and verify either the meter measurements or the outage information generated by 63,445 smart meters in 30 seconds. Based on this "half-minute" meter data load, we can calculate that one MDI layer server with similar resources can process the meter load generated by 1.9 million smart meters in 15 minutes.

The scalability test results showed that the designed MDI layer could easily be scaled up by adding a second AMI adaptor, identical to the original AMI adaptor, by changing the configuration rather than the source code or the design. The addition of the second AMI adaptor barely influenced the performance of the existing AMI adaptor. However, utilization of system resources increased; for example, CPU utilization rose from 50% to 70%. This demonstrated from another angle that, given sufficient system resources (CPU and memory), two or more AMI systems can be connected to one physical MDI layer server. Hence, an optimistic estimate is that a scaled-up configuration with two identical AMI adaptors can handle a meter data load generated by 3.8 million (2 × 1.9 million) smart meters in 15 minutes if the system resources of the MDI layer server are adequate.

The flexibility test results showed that the designed architecture could easily connect to different AMI systems. Similar to the scale-up test, the flexibility test, which connected two different types of AMI systems (web service and JMS), barely affected the performance of the MDI layer. In addition, adding a second, different type of AMI adaptor increased the utilization of system resources, demonstrating that the MDI layer can be scaled up by connecting it to different AMI systems.

4.6 Conclusion

The revolutionary contribution of AMI is that it creates a low-cost standard communication network facilitating the collection and distribution of metering information to customers, utilities, and other parties. Because of AMI, a wide range of new DMS applications that used to be considered important but impractical due to communication costs (e.g., automatic outage management and demand response) is being introduced or reactivated. In return, these applications expose to the utility control centers the precise state of the power distribution infrastructure and provide the operational awareness needed to optimize the delivery and use of energy.

To effectively integrate AMI with DMS, a unified AMI and DMS integration solution, called the MDI layer, was presented in this chapter. Structurally a type of middleware deployed between the AMI and DMS systems, the MDI can greatly reduce the development and engineering effort expended on connecting DMS applications to various types of AMI systems. At the same time, it can minimize the influence of the AMI meter data load on the performance of DMS applications by decoupling the data model and protocol conversion functionality from the DMS applications. More important, the MDI layer can be easily expanded by adding new functionalities (e.g., power system load profiling, forecasting and modeling, outage scoping, and asset utilization optimization) to fulfill the requirements of potential DMS applications in the future.

As the quality attributes of the MDI layer in a real-world environment are a major concern, a series of test cases was run against an MDI prototype and an AMI simulator to verify the performance, flexibility, and scalability of the proposed MDI layer. The test results showed that the MDI layer design could meet the real-world requirements of handling AMI meter data generated by millions of smart meters in terms of performance, flexibility, and scalability.


In summary, with the development of the smart grid, AMI, as the backbone of information collection and distribution in the grid system, is gradually transcending the electric territory, expanding the network to millions of utility consumers, various renewable resources, and millions of electric vehicles at the far edges of the delivery system, an initial prototype of the "Internet of Things."

Acknowledgments  This work was supported by ABB Corporation research funds that come from both the Industry Software System program and the Grid Automation program. In addition, we would like to thank Xiaoming Feng for valuable comments on the early drafts.

references 1. f.Yang,Advanced Metering Infrastructure Technology,Prestudyreportno.

Pt-07045.raleigh,nc:aBBU.s.corporateresearchcenter,2007. 2. r.a.fischer,a.s.laakonen,andn.n.schulz,agenerationpolling

algorithm using a wireless aMr system for restoration confirmation,IEEE Transactions on Power Systems,vol.16,no.2,pp. 312–316,2001.

3. h.dorey,advancedmeteringinoldandnewworlds,Power Engineering Journal,vol.10,no.4,pp. 146–148,august1996.

4. Y. Jin and M. d. cox, a pipelined automatic meter reading scheme,paperpresented at the instrumentation andMeasurementtechnologyconference,irvine,ca,pp. 715–720,May1993.

5. s. Mak and d. radford, design considerations for implementation oflargescaleautomaticmeterreadingsystems,IEEE Transactions on Power Delivery,vol.10,no.1,pp. 97–103,1995.

6. M.r.J.clayanda.J.Mcentee,advancedmeterreadingtokenlesspre-payment,Power Engineering Journal,vol.10,no.4,pp. 149–153,august1996.

7. electricPowerresearchinstitute.The Introduction of Smart Grid,2007.http://www.epri.com/intelliGrid/.

8. Pacific Gas and electric (PG&e), SmartMeter™ Installation Progress,PG&e,april2010.http://www.pge.com/myhome/customerservice/meter/smartmeter/deployment/.

9. r.w.Uluski, interactionsbetweenaMianddMsforefficiency/reli-ability improvement at a typical utility, paperpresented at ieeePesGeneralMeeting,raleigh,nc,July2008.

10. aliipakchi,implementingthesmartgrid:enterpriseinformationinte-gration,Grid-interopforum,2007.

136 seCurity and PrivaCy in smart Grids

11. General electric, Advanced Distribution Infrastructure, GE’s AMI and DMS Integration Solution. http://www.gepower.com/prod_serv/products/metering/en/going_ami_new.htm

12. energyiP,Siemens’s AMI and DMS Integration Solution.http://www.energy.siemens.com/us/pool/us/services/powertransmission-distribution/mdms/downloads/MdMs-overview.pdf

13. electromechanicalmeterandsolid-statemeter.http://en.wikipedia.org/wiki/electric_energy_meter

14. M.conner,Sensors Empower the Internet of Things,2010,pp. 32–38. 15. MunetMeters,2009.http://www.munet.com/. 16. aclarasoftware,Meter Data Management: The Key to Unlocking the Benefit

of Advanced Metering,aclarasoftwarewhitePaper.hazelwood,Mo:aclara,March2008.

17. american national standards institute, ANSI C12.18-2006, American National Standard Protocol Specification for ANSI Type 2 Optical Port.newYork:americannationalstandardsinstitute,2006.

18. american national standards institute, ANSI C12.21-2006, American National Standard Protocol Specification for Telephone Mode. new York:americannationalstandardsinstitute,2006.

19. internationalorganizationforstandardization/internationalelectrotechnicalcommission,ISO/IEC Standard 7498-1:1994.

20. internationalelectrotechnicalcommission,iec62056workshopinnewdelhi, february 2009. http://www.dlms.com/news/0000009c300e1ae01.html

21. internationalelectrotechnicalcommission,IEC 62056-62 the Interface Class for Electricity Metering Data Exchange for Meter Reading, Tariff and Load Control,2nded.Geneva,switzerland:iec,2006.

22. american national standards institute, ANSI C12.19-2008, American National Standard—Utility Industry End Device Data Tables, approvedfebruary24,2009.newYork:americannationalstandardsinstitute.

23. itron. The AMI/AMR Solution from Itron Inc. http://www.itron.com/pages/products_category.asp?id=itr_000238.xml

24. elster electricity, EnergyAxis from Elster Electricity LLC. http://www.elsterelectr icity.com/internet_content_1.nsf/sresults/d72B4a78cc3B0a1B85256dff006ef2c3

25. trilliant, Trilliant—A Trusted Solution Partner, solutionBrief,trilliantincorporated, 2009. http://www.trilliantinc.com/4_rsrcs/_Pdfs/tsB_trustedPartner.pdf

26. Y.t.lee,Information Modeling from Design to Implementation.newYork,nationalinstituteofstandardsandtechnology,1999.

27. internationalelectrotechnicalcommission,IEC 61968-9 Ed. 1 Part 9: Interface for Meter Reading and Control.newYork:iec/tc57,august14,2009.

28. G. a. Mcnaughton and B. saint, integration using the Multispeak®specification,PaperpresentationatUtility Automation,december2008.

137ami and its inteGration with dms

29. z.li,z.wang,etal.,aunifiedsolutionforadvancedmetering infra-structureintegrationwithadistributionmanagementsystem,2010 FirstIEEE Smart Grid Communication, nist, washington, dc, october2010,pp. 566–571.

30. z.wangandz.li,Meter Data Integration for Distribution Management System,techreportno.crid80345&80596.raleigh,nc:aBBU.s.corporateresearchcenter,2009.

31. christian nagel enterprise services with the .net framework,Microsoft.netdevelopmentseries,January13,2005.

32. Java Message service. http://en.wikipedia.org/wiki/Java_Message_service 33. iBM,IBM WebSphere MQ.http://www-01.ibm.com/software/integration/

wmq/.


5 Cognitive Radio Network for the Smart Grid

Raghuram Ranganathan, Robert Qiu, Zhen Hu, Shujie Hou, Zhe Chen, Marbin Pazos-Revilla, and Nan Guo

Contents

5.1 Introduction 141
  5.1.1 Cognitive Radio 141
  5.1.2 The 802.22 System 142
    5.1.2.1 System Topology 142
    5.1.2.2 Service Coverage 142
    5.1.2.3 System Capacity 143
5.2 Cognitive Radio Network for Smart Grid 144
  5.2.1 Cognitive Radio Network Test Bed: Hardware Platforms for Cognitive Radio Networks 146
    5.2.1.1 Universal Software Radio Peripheral 2 146
    5.2.1.2 Small Form Factor Software-Defined Radio Development Platform 148
    5.2.1.3 Wireless Open-Access Research Platform 149
    5.2.1.4 Microsoft Research Software Radio 150
5.3 Innovative Test Bed for Cognitive Radio Networks and the Smart Grid 151
  5.3.1 Motherboard for the New Hardware Platform 152
  5.3.2 Functional Architecture for Building Nodes for Network Test Beds 153
  5.3.3 Innovative Network Test Bed 155
5.4 Cognitive Algorithms for the Smart Grid 156
  5.4.1 Dimensionality Reduction and High-Dimensional Data Processing in Cognitive Radio Networks 156
    5.4.1.1 Dimensionality Reduction Methods 156
    5.4.1.2 Spectrum Monitoring Using Dimensionality Reduction and Support Vector Machine with Experimental Validation 158
  5.4.2 Robust Principal Component Analysis 161
  5.4.3 Independent Component Analysis with Robust PCA Preprocessing for Recovery of Smart Meter Wireless Transmissions in the Presence of Strong Wideband Interference 166
    5.4.3.1 Independent Component Analysis Signal Model and Receiver Block Diagram 167
  5.4.4 Simulation Results Using the Robust PCA-ICA Approach 170
5.5 Secure Communications in the Smart Grid 172
  5.5.1 Development of Communications Infrastructure 174
  5.5.2 FPGA-Based Fuzzy Logic Intrusion Detection for the Smart Grid 176
5.6 Conclusions 178
References 178

Recently, cognitive radios and the smart grid are two areas that have received considerable research impetus. Cognitive radios are fully programmable wireless devices that can sense their environment and dynamically adapt their transmission waveform, channel access method, spectrum use, and networking protocols. It is widely anticipated that cognitive radio technology will be used for a general-purpose programmable radio that will serve as a universal platform for wireless system development, much like microprocessors have served a similar role for computation. The salient features of the cognitive radio (i.e., frequency agility, transmission speed, and range) are ideal for application to the smart grid. In this regard, a cognitive radio network can serve as a robust and efficient communications infrastructure that can address both the current and future energy management needs of the smart grid. The cognitive radio network can be deployed as a large-scale wireless regional-area network (WRAN) in a smart grid to utilize the unused TV bands recently approved for use by the Federal Communications Commission (FCC). In addition, a cognitive radio network test bed for the smart grid would serve as an ideal platform not only to address various issues related to the smart grid (e.g., security, information flow and power flow management, etc.) but also to reveal more practical problems for further research. In this chapter, the novel concept of incorporating a cognitive radio network as the communications backbone for the smart grid is outlined. A brief overview of the cognitive radio is provided, including the recently proposed Institute of Electrical and Electronics Engineers (IEEE) 802.22 standard. In particular, an overview of the cognitive radio network test bed, existing and new hardware platforms for cognitive radio networks, and functional architectures is given. Cognitive machine learning approaches such as principal component analysis (PCA) and kernel PCA for dimensionality reduction of high-dimensional smart grid data are presented. In addition, a novel approach of combining the recently developed robust PCA algorithm with a statistical signal-processing method called independent component analysis (ICA) is described for recovery of smart meter wireless transmissions in the presence of strong wideband interference. Security for the smart grid is still in the incipient stages and is the topic of significant research focus. This chapter addresses the impending problem of securing the smart grid, in addition to the possibility of applying fuzzy logic intrusion detection based on a field-programmable gate array (FPGA) for the smart grid.

5.1 Introduction

5.1.1 Cognitive Radio

Cognitive radio is an intelligent software-defined radio (SDR) technology that facilitates efficient, reliable, and dynamic use of the underused radio spectrum by reconfiguring its operating parameters and functionalities in real time depending on the radio environment. Cognitive radio networks promise to resolve the bandwidth scarcity problem by allowing unlicensed devices to transmit in unused "spectrum holes" in licensed bands without causing harmful interference to authorized users [1–4]. In concept, the cognitive technology configures the radio for different combinations of protocol, operating frequency, and waveform. Current research on cognitive radio covers a wide range of areas, including spectrum sensing, channel estimation, spectrum sharing, and medium access control (MAC).


Due to their versatility, cognitive radio networks are expected to be increasingly deployed in both the commercial and military sectors for dynamic spectrum management. To develop a standard for cognitive radios, the IEEE 802.22 Working Group was formed in November 2004 [5]. The corresponding IEEE 802.22 standard defines the physical (PHY) and MAC layers for a wireless regional-area network (WRAN) that uses white spaces within the television bands between 54 and 862 MHz, especially within rural areas where usage may be lower. Details of the IEEE 802.22 standard, including system topology, system capacity, and the projected coverage for the system, are given in the next section.

5.1.2 The 802.22 System

IEEE 802.22 is the first standardized air interface for cognitive radio networks based on opportunistic utilization of the TV broadcast spectrum [6,7]. The main objective of the IEEE 802.22 standard is to provide broadband connectivity to remote areas with performance comparable to the broadband technologies available in urban areas, such as cable and DSL (digital subscriber line). In this regard, the FCC selected the predominantly unoccupied TV station channels operating in the VHF (very-high-frequency) and UHF (ultra-high-frequency) regions of the radio spectrum.

5.1.2.1 System Topology

The 802.22 system is a point-to-multipoint wireless air interface consisting of a base station (BS) that manages a cell comprised of a number of users or customer premises equipment (CPEs) [8]. The BS controls the medium access and "cognitive functions" in its cell, transmits data to the CPEs in the downlink, and receives data in the uplink direction from the CPEs. The various CPEs perform distributed sensing of the signal power in the assorted channels of the TV band. In this manner, the BS collects the different measurements from the CPEs and exploits the spatial diversity of the CPEs to decide whether any portion of the spectrum is available.
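The distributed sensing and fusion just described, as an added worked example in Python (this is not code from the chapter or from the 802.22 standard): each CPE runs an energy detector over its own baseband samples and reports a one-bit decision, and the BS fuses the votes with a k-out-of-N rule (k = 1 is the OR rule, k = N//2 + 1 a majority vote). The four sample vectors, the unit noise variance, the 10% target false-alarm probability and the Gaussian-approximation threshold are constructed assumptions for illustration, not values from the text.

```python
import math


def q_inverse(p):
    """Inverse of the Gaussian tail function Q(x) = P(Z > x), by bisection."""
    lo, hi = -10.0, 10.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if 0.5 * math.erfc(mid / math.sqrt(2.0)) > p:
            lo = mid  # Q(mid) still above p: x must be larger
        else:
            hi = mid
    return (lo + hi) / 2.0


def energy(samples):
    """Energy-detector test statistic: average power of the received samples."""
    return sum(s * s for s in samples) / len(samples)


def energy_threshold(noise_var, n, p_fa):
    """Threshold for a target false-alarm probability p_fa, using the large-n
    Gaussian approximation of the chi-square statistic (an assumption here):
    lambda = sigma^2 * (1 + Q^{-1}(p_fa) * sqrt(2/n))."""
    return noise_var * (1.0 + q_inverse(p_fa) * math.sqrt(2.0 / n))


def cpe_decision(samples, threshold):
    """One CPE's hard decision: True if the channel looks occupied."""
    return energy(samples) >= threshold


def bs_fuse(decisions, k):
    """k-out-of-N fusion at the BS: occupied if at least k CPEs say so."""
    return sum(1 for d in decisions if d) >= k


NOISE_VAR = 1.0   # assumed noise variance at every CPE
P_FA = 0.1        # assumed per-CPE false-alarm target

# Constructed baseband sample vectors for four CPEs (8 samples each).
CPE_SAMPLES = {
    "cpe1": [2.0, -2.0] * 4,               # strong incumbent TV signal
    "cpe2": [1.0, -1.0, 0.5, -0.5] * 2,    # shadowed: noise only
    "cpe3": [0.8, -0.6, 0.0, 1.0] * 2,     # shadowed: noise only
    "cpe4": [1.5, -1.5, 0.5, -0.5] * 2,    # weak signal, below threshold
}


def sense_channel(cpe_samples=CPE_SAMPLES, noise_var=NOISE_VAR, p_fa=P_FA):
    """Run the CPE detectors and both BS fusion rules; return everything."""
    n = len(next(iter(cpe_samples.values())))
    thr = energy_threshold(noise_var, n, p_fa)
    decisions = {name: cpe_decision(s, thr) for name, s in cpe_samples.items()}
    votes = list(decisions.values())
    return {
        "threshold": thr,
        "energies": {name: energy(s) for name, s in cpe_samples.items()},
        "decisions": decisions,
        "or_rule_occupied": bs_fuse(votes, 1),
        "majority_occupied": bs_fuse(votes, len(votes) // 2 + 1),
    }


if __name__ == "__main__":
    r = sense_channel()
    print("threshold = %.3f" % r["threshold"])
    for name in CPE_SAMPLES:
        state = "occupied" if r["decisions"][name] else "vacant"
        print(name, "energy=%.3f" % r["energies"][name], state)
    print("OR rule:", r["or_rule_occupied"], " majority:", r["majority_occupied"])
```

With these inputs only the unshadowed CPE sees the incumbent, so the OR rule declares the channel occupied while a majority vote would not: the OR rule maximizes the probability of protecting the licensed user at the cost of a false-alarm rate that grows with the number of CPEs. The same property is the security caveat a practitioner should keep in mind: under the OR rule a single faulty or malicious CPE can deny the whole cell a channel by reporting "occupied", whereas a k-out-of-N rule forces an attacker to control k reporters.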

5.1.2.2 Service Coverage

Compared to other IEEE 802 standards, such as 802.11, the 802.22 BS coverage range can reach up to 100 km if not limited by power constraints. The coverage of different wireless standards is shown in Figure 5.1. The WRAN has the highest coverage due to higher transmit power and the long-range propagation characteristics of TV bands.

5.1.2.3 System Capacity

The WRAN systems can achieve comparable performance to that of DSL, with downlink speeds of 1.5 Mbps and uplink speeds of 384 kbps. The system would thus be able to support 12 simultaneous CPEs, resulting in an overall system download capacity of 18 Mbps.

The specification parameters of the IEEE 802.22 standard are summarized in Table 5.1.

Figure 5.1 Comparison of 802.22 with other wireless standards (range, standard, data rate):

  PAN (< 10 m):    802.15.1 (Bluetooth) 1 Mbps; 802.15.3 > 20 Mbps; 802.15.3a (UWB) < 480 Mbps; 802.15.4 (ZigBee) < 250 kbps
  LAN (< 150 m):   802.11a/b/e/g, HiperLAN/2 11–54 Mbps; 802.11n (proposed) > 100 Mbps
  MAN (< 5 km):    802.16a/d/e 70 Mbps; LMDS 38 Mbps
  WAN (< 15 km):   802.20 (proposed); GSM, GPRS, CDMA, 2.5G, 3G 10 kbps to 2.4 Mbps
  RAN (< 100 km):  802.22 (proposed) 18 to 24 Mbps

CDMA = code division multiple access; GPRS = general packet radio services; GSM = Global System for Mobile Communications; HiperLAN = High Performance Radio LAN; LAN = local-area network; LMDS = local multipoint distribution service; MAN = metropolitan-area network; PAN = personal area network; RAN = regional-area network; UWB = ultra-wideband; WAN = wide-area network.

In Section 5.2, the concept of developing a cognitive radio network for the smart grid is presented, in addition to an overview of various existing hardware platforms for cognitive radio networks. Section 5.3 outlines new approaches for the development of hardware test beds for smart grid cognitive radio networks. In Section 5.4, cognitive algorithms for preprocessing and recovery of high-dimensional smart grid data are illustrated. Section 5.5 addresses the critical issue of security in smart grid communications, followed by conclusions in Section 5.6.

5.2 Cognitive Radio Network for Smart Grid

The smart grid explores and exploits two-way communication technology, advanced sensing, metering and measurement technology, modern control theory, network grid technology, and machine learning in the power system to make the power network stable, secure, efficient, flexible, economical, and environmentally friendly. To support the smart grid, a dedicated two-way communications infrastructure should be set up for the power system. In this way, secure, reliable, and efficient communication and information exchange can be guaranteed. In addition, the various devices, equipment, and power generation facilities of the current power system should be updated and renovated. Novel technologies for power electronics should be used to build advanced power devices (e.g., transformer, relay, switch, storage, and so on).

Table 5.1 IEEE 802.22 Characteristics

  Parameter             Specification
  Typical cell radius   30–100 km
  Methodology           Spectrum sensing to identify free channels
  Channel bandwidth     6, 7, or 8 MHz
  Modulation            OFDMA
  Channel capacity      18 Mbps
  User capacity         Downlink: 1.5 Mbps; uplink: 384 kbps

Source: From IEEE, with permission. OFDMA = orthogonal frequency-division multiple access.

In the area of wireless communications, cognitive radio is an emerging technique. The essence of cognitive radio is the ability to communicate over the unused frequency spectrum adaptively and intelligently. The idea of using cognitive radio in the smart grid appears to have been proposed in the literature, for the first time, in Qiu [9–11] and Qiu et al. [12]. The capability of cognitive radio enables the smart grid in many aspects, including security. With minimal modifications to software, a cognitive radio network can be used for efficient control of the smart grid.

The benefits of applying cognitive radio to the smart grid are summarized in Table 5.2. First, cognitive radio can operate over a wide range of frequency bands. It has frequency agility. This feature is especially useful for the smart grid because the frequency spectrum today is so crowded, and cognitive radio provides the capability of reusing unused frequency bands for the smart grid. Second, cognitive radio enables high-speed data transmission for the smart grid. This is due to the wideband nature of cognitive radio. The data rate can be as high as tens of megabits per second, in contrast to ZigBee, which can only provide a data rate of tens to hundreds of kilobits per second. Third, cognitive radio has the potential to transmit data over a long distance. Recently, the Federal Communications Commission (FCC) has decided to allow use of unused TV bands for wireless communications. The TV bands are ideal for long-distance mass data transmission. Cognitive radio in a WRAN scenario is designed to utilize the unused TV bands. Employing cognitive radio, the smart grid can communicate over a long distance over the air. Fourth, cognitive radio boasts cognitive learning and adaptation capability. It has the ability to learn the environment, reason from it, and adapt accordingly. Cognitive radio makes the smart grid "smarter" and more robust. Fifth, cognitive radio is based on the SDR platform, which is a programmable radio. Hence, cognitive radio is capable of performing different applications and tasks. In addition, security, robustness, reliability, scalability, and sustainability of the smart grid can be effectively supported by cognitive radio due to its flexibility and reprogrammability.

Table 5.2 Advantages of Applying the Cognitive Radio (CR) to the Smart Grid

  Salient feature       Description
  Frequency diversity   CR can operate over unused frequency bands
  Transmission speed    Data rates of up to tens of megabits per second can be achieved
  Range                 CR can transmit over long distances in a WRAN scenario
  Adaptability          CR has inherent intelligence to adapt to changes in the environment
  Programmability       Built on an SDR platform, the CR can be selectively programmed


5.2.1 Cognitive Radio Network Test Bed: Hardware Platforms for Cognitive Radio Networks

There have been some wireless network test beds, such as the Open Access Research Testbed for Next-Generation Wireless Networks (ORBIT) [13] and the wireless test bed developed by the University of California, Riverside [14]. Some common features of those wireless network test beds are summarized as follows. First, the nodes in the networks are developed based on computer central processing units (CPUs). Second, the nodes use 802.11 Wi-Fi network interface cards for wireless communications. These network test beds may work well for evaluating algorithms, protocols, and network performance for Wi-Fi networks, but they are not suitable for cognitive radio networks due to their inherent lack of wideband frequency agility.

Recently, Virginia Tech developed a test bed for cognitive radio networks with 48 nodes [15], which is a significant achievement in this area. Each node consists of three parts: an Intel Xeon processor-based high-performance server, a Universal Software Radio Peripheral 2 (USRP2), and a custom-developed radio-frequency (RF) daughterboard that covers a continuous frequency range from 100 MHz to 4 GHz with variable instantaneous bandwidths from 10 kHz to 20 MHz. The node is easily capable of frequency agility. However, as the authors mentioned, the drawbacks of the node are twofold. First, it is not a low-power processing platform. Second, it is not capable of mobility.

Regardless of the kind of cognitive radio network test bed, it is composed of multiple nodes. There exist some commercial off-the-shelf hardware platforms designed for SDR that may be used for building the nodes for cognitive radio networks.

5.2.1.1 Universal Software Radio Peripheral 2

USRP and USRP2, provided by Ettus Research, are widely used hardware platforms in the area of SDR and cognitive radio. USRP2 is the second generation of USRP, and it became available in 2009 [16]. USRP2 consists of a motherboard and one or more selectable RF daughterboards, as shown in Figure 5.2.

The major computation power on the motherboard comes from a Xilinx Spartan-3 XC3S2000 field-programmable gate array (FPGA). The motherboard is also equipped with a 100-mega-samples-per-second (MSPS), 14-bit, dual-channel analog-to-digital converter (ADC); a 400-MSPS, 16-bit, dual-channel digital-to-analog converter (DAC); and a Gigabit Ethernet port that can be connected to a host computer. There are some RF daughterboards available for USRP2. Among them, a newly developed RF daughterboard called wide bandwidth transceiver (WBX) covers a wide frequency band of 50 MHz to 2.2 GHz, with a nominal noise figure of 5–7 dB.

Signals are received and downconverted by USRP2 and its RF daughterboard. Subsequently, they are sent to a host computer for further processing through the Gigabit Ethernet. Most of the processing work is done by the host computer. Data to be transmitted are sent from the host computer to USRP2 through the same Gigabit Ethernet before they are upconverted and transmitted by USRP2 and its RF daughterboard.

A major advantage of USRP2 is that it works with GNU Radio [17], open source software with plenty of resources for SDR and many users, which simplifies and eases the use of USRP2. On the other hand, USRP2 is not perfect. First, the Gigabit Ethernet connecting USRP2 and its host computer introduces random time delays. The operating system on the host computer may also introduce random time delays. According to our measurement, the response delay of USRP2 is in the range of several milliseconds to tens of milliseconds [18]. Such random response delay may be acceptable for half-duplex communications. However, in cognitive radio networks, full-duplex communications are desired, and random response delays may deteriorate the performance of cognitive radio networks. Second, USRP2 is usually used together with GNU Radio running on a host computer. When the instantaneous bandwidth of USRP2 increases, the CPU on the host computer becomes much busier. Therefore, a multicore CPU is desired, similar to what Virginia Tech has done for its network test bed. When the instantaneous bandwidth of USRP2 becomes wider and the processing tasks on GNU Radio become much more complex, a common CPU may not be competent enough for real-time processing.

Figure 5.2 USRP2 with WBX RF daughterboard.

5.2.1.2 Small Form Factor Software-Defined Radio Development Platform

The small form factor (SFF) SDR development platform (DP) provided by Lyrtech in collaboration with Texas Instruments (TI) and Xilinx is a self-contained platform consisting of three separate boards: a digital processing module, a data conversion module, and an RF module, as shown in Figure 5.3 [19–21].

The digital processing module is designed based on the TMS320DM6446 system-on-chip (SoC) from TI and the Virtex-4 SX35 FPGA from Xilinx. The TMS320DM6446 SoC has a C64x+ digital signal processor (DSP) core running at 594 MHz together with an advanced reduced instruction set computing (RISC) machine (ARM9) core running at 297 MHz. The digital processing module also comes with a 10/100-Mbps Ethernet port. The data conversion module is equipped with a 125-MSPS, 14-bit, dual-channel ADC and a 500-MSPS, 16-bit, dual-channel DAC. It also has a Xilinx Virtex-4 LX25 FPGA. The low-band tunable RF module can be configured to have either 5- or 20-MHz bandwidth with working frequencies of 200–1,050 MHz for the transmitter and 200–1,000 MHz for the receiver. The nominal noise figure of this RF module is 5 dB. Other frequency bands may be covered by several other RF modules.

Figure 5.3 SFF SDR DP with low-band tunable RF module.

There are two favorable features of the SFF SDR DP for cognitive radio networks. One is that an SFF SDR DP is in SFF and can be moved easily. The other is that it is capable of supporting full-duplex communications. However, there are also two technical drawbacks of using it to build nodes for cognitive radio networks. One drawback is that its computing capacity is fixed, and it is not easy to upgrade to meet the demands of cognitive radio networks. The other drawback is the response time delay. According to our measurement, the response delay of an SFF SDR DP is about tens of milliseconds, and the delay is constant [18]. Such a nontrivial delay is undesirable for cognitive radio networks since it may deteriorate performance.

An SFF SDR DP can be viewed as an example of independent hardware platforms, whereas USRP2 is an example of computer-aided hardware platforms. A comparison between the two hardware platforms has been reported in Qiu et al. [12].

5.2.1.3 Wireless Open-Access Research Platform

The Wireless Open-Access Research Platform (WARP) developed by Rice University consists of an FPGA board and one to four radio boards [22], as shown in Figure 5.4. The second generation of the FPGA board has a Xilinx Virtex-4 FX100 FPGA and a Gigabit Ethernet port [23,24]. The FPGA can be used to implement the physical layer of wireless communications. There are PowerPC processors embedded in the FX100 FPGA that can be used to implement MAC and network layers. The radio board incorporates a dual-channel, 65-MSPS, 14-bit ADC and a dual-channel, 125-MSPS, 16-bit DAC, covering two frequency ranges of 2,400–2,500 MHz and 4,900–5,875 MHz, with a bandwidth of up to 40 MHz.

The WARP platform is also an SFF independent hardware platform, which is attractive for building the nodes of cognitive radio networks. The second advantage of using WARP is that both the physical layer and MAC layer can be implemented on one FPGA, which may simplify the board design compared to an "FPGA + DSP/ARM" architecture. Hence, time delays introduced by the interface between FPGA and DSP/ARM can be reduced. However, according to Mango Communications [24], the Virtex-4 FPGA on WARP is not powerful enough to accommodate both transmitter and receiver functions at the same time. Thus, the full-duplex communications desired by cognitive radio networks cannot be implemented using just one WARP platform.

Figure 5.4 WARP FPGA board with two radio boards.

5.2.1.4 Microsoft Research Software Radio

Microsoft Research has developed a software radio (Sora) platform [25]. Sora is composed of a radio control board (RCB) and a selectable RF board, and it works with a multicore host computer. The RCB is shown in Figure 5.5.

The RCB contains a Xilinx Virtex-5 FPGA, and it interfaces with a host computer through a Peripheral Component Interconnect Express (PCIe) interface at a rate of up to 16.7 Gbps. Actually, the RCB is an interface board for transferring digital signals between the RF board and computer memory. The RF board can be a WARP radio board. Processing work, including the physical layer and MAC layer, is done on the host computer.

Sora is a computer-aided platform. The main advantage of using Sora is that it provides a high-throughput interface between RF boards and a host computer. However, since processing work burdens the host computer, the host computer has to be very powerful to support all the functions running in real time. On the other hand, multicore programming and debugging with speed-up tricks is not easy. Moreover, implementing full-duplex communications on one host computer is challenging. Obviously, a host computer (or server) installed with Sora lacks mobility.

Figure 5.5 Sora radio control board.

5.3 Innovative Test Bed for Cognitive Radio Networks and the Smart Grid

All four of the hardware platforms mentioned are designed for SDR. Two of them connect to a host computer where the major processing work is done. The other two are stand-alone hardware platforms. From the aspect of mobility, stand-alone platforms are preferable for building the nodes of cognitive radio networks, whereas from the aspect of software development, computer-aided hardware platforms are more practical since software development and debugging on a host computer are generally easier. In Chowdhury and Melodia [26], a compromise between the two kinds of hardware platforms is suggested. The authors recommended performing time-critical tasks in the FPGA and a split MAC design with host and FPGA implementations.

However, compared to the hardware platforms for SDR, the major concerns about hardware platforms for cognitive radio networks are computing power and response time delay. Cognitive radio introduces "intelligence" beyond SDR, like detection and learning algorithms, which means cognitive radio requires much more computing power than SDR. A hardware platform with ample and upgradable computing power is desired for building cognitive radio test beds. On the other hand, the desired hardware platform should have minimum response time delay. If the response time delay is large, the throughput of cognitive radio networks will seriously degrade. Moreover, full-duplex communications for the desired hardware platforms are preferable.

Unfortunately, none of the existing off-the-shelf hardware platforms can meet these requirements at the same time. They were originally designed for SDR instead of cognitive radio networks. It is imperative to design a new hardware platform for building the nodes of cognitive radio networks.

An innovative cognitive radio network test bed is being built at Tennessee Technological University [12,27]. The idea of applying a cognitive radio network test bed to the smart grid was developed there in the middle of 2009 in a funded research proposal [28]. Subsequently, this idea has been strengthened [10,12,29–31]. The objective of this test bed is to achieve the convergence of cognitive radio and the smart grid [32].

The cognitive radio network test bed being built is unique and real-time oriented. It is designed to provide much more stand-alone computing power and reduce the response time delay. The cognitive radio network test bed is comprised of tens of nodes, with each node based on a self-designed motherboard and commercial RF boards. On the self-designed motherboard, there are two advanced and powerful FPGAs that can be flexibly configured to implement any function. Therefore, this network test bed can be readily applied to the smart grid.

5.3.1 Motherboard for the New Hardware Platform

In this section, an architecture for the motherboard of the new hardware platform is given. Regarding the RF front end, existing RF boards from WARP or USRP2 can be reused to interface with this motherboard to constitute the new hardware platform.

Figure 5.6 shows the corresponding architecture of the first-generation new motherboard and its major components. Two powerful FPGAs (i.e., a Virtex-6 FPGA and a Virtex-5 FX FPGA) are employed as core components on the motherboard. All the functions for the physical and MAC layers are implemented on the two FPGAs, and no external host computer is required. This novel hardware platform stands alone; thus, it has good mobility. The Virtex-5 FX FPGA has PowerPC cores that are dedicated to implementing the MAC layer. Physical-layer functions, including spectrum sensing, are implemented on the two FPGAs. The Virtex-5 FPGA is used for the transmitting data path, and it is connected to one or two RF boards as well as a Gigabit Ethernet port. The Virtex-6 FPGA is dedicated to the receiving data path, with connections to one or two RF boards and an extension port. The extension port can be used to connect with external boards to gain access to additional computing resources. The two FPGAs are connected together by a high-throughput, low-latency onboard bus. Both of the FPGAs have access to their own external memories. The use of two FPGAs is a trade-off between performance and cost.

The new motherboard can provide enough and upgradable computing resources for cognitive radio networks. In addition, the time delays between the two FPGAs are trivial. Moreover, full-duplex communications are easily supported by this motherboard with two or more RF boards.

Figure 5.6 Architecture of the motherboard for the new hardware platform. Blocks shown: four radio boards (Rx 1 and Rx 2, each RF + ADC; Tx 1 and Tx 2, each RF + DAC); a Virtex-6 FPGA (Rx) and a Virtex-5 FPGA with PowerPC (Tx), each with its own memory (RAM 1, RAM 2) and flash memory (Flash 1, Flash 2); a Gigabit Ethernet port; and an extension port.

5.3.2 Functional Architecture for Building Nodes for Network Test Beds

Based on the new motherboard described in the previous section and off-the-shelf RF boards, nodes for network test beds can be implemented using the following functional architecture, as shown in Figure 5.7. The hardware abstraction layer (HAL) is a packaged interface for upper-level functions that screens hardware-specific details. It provides data interfaces to both the receiving and transmitting data paths, as well as an access interface to other hardware-specific resources on the hardware platform. The spectrum and channel manager manages all the spectrum- and channel-related resources, including links, frequencies, and modulation methods. There are several functional modules interfaced with the spectrum and channel manager. The spectrum detection and prediction module provides the information regarding the availability of some frequency bands. The decision-making module utilizes decision algorithms to make decisions such as which channel will be used and when it will be used. More learning algorithms can be implemented as an independent module to learn and reason from the inputs. The geolocation module outputs the latitude and longitude of the node. The spectrum and channel manager can use such geolocation information to load prior information about the current location from the knowledge/policy/data database. The routing manager employs routing algorithms to select the best route for sending and relaying data packets. The data manager organizes all the data from upper-level applications and the data to be relayed. The security manager provides encryption and decryption to the data manager, routing manager, and spectrum and channel manager. The knowledge/policy/data database stores prior knowledge, policies, data, and experiences. After the nodes are built, a network test bed is ready to be established.

Figure 5.7 Functional architecture for the nodes. Blocks shown: hardware platform; hardware abstraction layer (HAL); spectrum and channel manager with its attached modules (spectrum detection and prediction, decision making, other learning algorithms, geolocation); knowledge/policy/data base; routing manager; data manager; security manager; applications.

5.3.3 Innovative Network Test Bed

Multiple nodes constitute a network test bed. Figure 5.8 shows the innovative network test bed.

All the nodes are connected using Gigabit Ethernet to a console computer through an Ethernet switch. The console computer controls and coordinates all the nodes in the network test bed. This network test bed can be used not only for cognitive radio, but also for the smart grid. In smart grid applications, nodes of the network test bed implement microgrid central controllers, smart meters, or submeters. Adaptive wireless communications are incorporated into the nodes, and information can be exchanged between microgrid central controllers, smart meters, and submeters.

Figure 5.8 Innovative network test bed: a console computer and Node 1, Node 2, Node 3, ..., Node N, each connected by Gigabit Ethernet to a Gigabit Ethernet switch.

5.4 Cognitive Algorithms for the smart Grid

5.4.1 Dimensionality Reduction and High-Dimensional Data Processing in Cognitive Radio Networks

In cognitive radio networks, data exist in a significant amount. However, in practice, the data are highly correlated. This redundancy in the data increases the overhead of cognitive radio networks for data transmission and data processing. In addition, the number of degrees of freedom (DoF) in large-scale cognitive radio networks is limited. The DoF of a K-user M × N multiple input multiple output (MIMO) interference channel has been discussed.33 The total number of DoF is equal to min(M, N) * K if K ≤ R, and

$$\min(M, N) \cdot \frac{R}{R + 1} \cdot K$$

if K > R, where

$$R = \frac{\max(M, N)}{\min(M, N)}.$$

This is achieved based on interference alignment.34–36 Theoretical analysis about DoF in cognitive radio has been presented.37,38 The DoF corresponds to the key variables or key features in the network. Processing the high-dimensional data instead of the key variables will not enhance the performance of the network. In some cases, this could even degrade the performance. Hence, compact representation of the data using dimensionality reduction is critical in cognitive radio networks.

5.4.1.1 Dimensionality Reduction Methods Dimensionality reduction39–42 finds a low-dimensional embedding of high-dimensional data. Three dimensionality reduction methods can be employed: linear methods such as principal component analysis (PCA)43 and nonlinear methods such as kernel PCA (KPCA)44 and landmark maximum variance unfolding (LMVU).45,46 If we assume the original high-dimensional data as a set of M samples x_i ∈ R^N, i = 1, 2, ⋯, M, then the reduced low-dimensional samples of x_i are y_i ∈ R^K, i = 1, 2, ⋯, M, where K << N. x_ij and y_ij are component-wise elements in x_i and y_i, respectively.

PCA43 is the best-known linear dimensionality reduction method; it performs linear mapping of the high-dimensional data to a low-dimensional space such that the variance of the low-dimensional data is maximized. In reality, the covariance matrix of the data is constructed, and the eigenvectors of this matrix are computed. The covariance matrix of x_i can be obtained as

$$C = \frac{1}{M} \sum_{i=1}^{M} (x_i - u)(x_i - u)^T$$ (5.1)

where

$$u = \frac{1}{M} \sum_{i=1}^{M} x_i$$

is the mean of the given samples, and T denotes the transpose operator. The eigenvectors corresponding to the largest eigenvalues can be exploited to obtain a large portion of the variance of the original data. The original high-dimensional space can be reduced to a space spanned by a few dominant eigenvectors. PCA works well for high-dimensional data with linear relationships but always fails in a nonlinear scenario. PCA can be applied in the nonlinear situation by a kernel,47–50 called KPCA.44 KPCA is therefore a kernel-based machine learning algorithm. It uses the kernel function, which is the same as in the support vector machine (SVM), to implicitly map the original data to a feature space F where PCA can be applied.
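Equation (5.1) and the dominant-eigenvector step carried through in pure Python, as an added example that is not code from the chapter. The samples are constructed N = 6 dimensional vectors driven by K = 2 hidden factors plus small noise, standing in for highly correlated measurements with few degrees of freedom; the eigenvectors are found by power iteration with deflation, an eigen-solver chosen here since the chapter does not specify one.

```python
import random


def mean_vector(samples):
    """Sample mean u = (1/M) sum_i x_i over a list of equal-length vectors."""
    m, n = len(samples), len(samples[0])
    return [sum(x[j] for x in samples) / m for j in range(n)]


def covariance_matrix(samples):
    """C = (1/M) sum_i (x_i - u)(x_i - u)^T, equation (5.1)."""
    u = mean_vector(samples)
    m, n = len(samples), len(u)
    c = [[0.0] * n for _ in range(n)]
    for x in samples:
        d = [x[j] - u[j] for j in range(n)]
        for a in range(n):
            for b in range(n):
                c[a][b] += d[a] * d[b] / m
    return c


def _matvec(c, v):
    return [sum(row[b] * v[b] for b in range(len(v))) for row in c]


def _norm(v):
    return sum(t * t for t in v) ** 0.5


def dominant_eigenpairs(c, k, iters=500):
    """Largest-k eigenpairs of a symmetric PSD matrix by power iteration with
    deflation (the eigen-solver chosen for this example). Returns values, vectors."""
    n = len(c)
    work = [row[:] for row in c]            # deflated copy; c itself is untouched
    values, vectors = [], []
    for _ in range(k):
        v = [1.0 / (j + 1.0) for j in range(n)]   # fixed, non-degenerate start vector
        for _ in range(iters):
            w = _matvec(work, v)
            nw = _norm(w)
            if nw == 0.0:
                break
            v = [t / nw for t in w]
        wv = _matvec(work, v)
        lam = sum(v[a] * wv[a] for a in range(n))   # Rayleigh quotient = eigenvalue
        values.append(lam)
        vectors.append(v)
        for a in range(n):                   # deflate so the next pass finds the next vector
            for b in range(n):
                work[a][b] -= lam * v[a] * v[b]
    return values, vectors


def project(samples, vectors):
    """Map centered x_i in R^N to y_i in R^K along the K dominant eigenvectors."""
    u = mean_vector(samples)
    n = len(u)
    return [[sum((x[j] - u[j]) * v[j] for j in range(n)) for v in vectors]
            for x in samples]


def explained_variance_ratio(c, values):
    """Share of the total variance (trace of C) kept by the retained components."""
    return sum(values) / sum(c[j][j] for j in range(len(c)))


def make_correlated_samples(m=400, n=6, k=2, noise=0.05, seed=1):
    """Constructed data: n-dimensional vectors driven by k hidden factors plus
    small noise, so the intrinsic dimensionality is k although N = n."""
    rng = random.Random(seed)
    loads = [[rng.uniform(-1.0, 1.0) for _ in range(k)] for _ in range(n)]
    samples = []
    for _ in range(m):
        z = [rng.gauss(0.0, 1.0) for _ in range(k)]
        samples.append([sum(loads[j][f] * z[f] for f in range(k)) + rng.gauss(0.0, noise)
                        for j in range(n)])
    return samples


def reduce_dimension(samples, k):
    """PCA reduction to K = k dimensions; returns (y_i list, explained variance ratio)."""
    c = covariance_matrix(samples)
    values, vectors = dominant_eigenpairs(c, k)
    return project(samples, vectors), explained_variance_ratio(c, values)


if __name__ == "__main__":
    xs = make_correlated_samples()
    ys, ratio = reduce_dimension(xs, 2)
    print(len(xs[0]), "->", len(ys[0]), "dimensions, variance kept: %.3f" % ratio)
```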

Other nonlinear techniques for dimensionality reduction include manifold learning techniques. Within the framework of manifold learning, the current trend is to learn the kernel using semidefinite programming (SDP)51–55 instead of defining a fixed kernel. The most prominent example of such a technique is MVU (maximum variance unfolding).45 MVU can learn the inner product matrix of y_i automatically by maximizing their variance, subject to the constraints that y_i are centered and local distances of y_i are equal to the local distances of x_i. Here, the local distances represent the distances between y_i (x_i) and its k nearest neighbors, in which k is a parameter. The corresponding SDP can be cast into the following form:45

$$\begin{aligned} & \text{maximize} \quad \operatorname{trace}(I) \\ & \text{subject to} \quad I \succ 0, \quad \sum_{ij} I_{ij} = 0, \\ & \qquad\qquad\quad I_{ii} - 2 I_{ij} + I_{jj} = D_{ij} \quad \text{when } \eta_{ij} = 1 \end{aligned}$$ (5.2)

where I is an inner product matrix of y_i, D_ij = ||x_i − x_j||², and I ≻ 0 implies that I is a positive semidefinite (PSD) matrix.

LMVU46 is a modified version of MVU that aims to solve problems on a larger scale compared to MVU. It uses the inner product matrix A of randomly chosen landmarks from x_i46 to approximate the full matrix I, in which the size of A is much smaller than I. In this way, the speed of computing is increased.

5.4.1.2 Spectrum Monitoring Using Dimensionality Reduction and Support Vector Machine with Experimental Validation Spectrum monitoring is one of the most challenging and critical tasks in cognitive radio networks. In this section, the feasibility of applying dimensionality reduction to the cognitive radio network is studied by presenting an experimental validation. The preliminary results56 illustrate how to extract the intrinsic dimensionality of Wi-Fi signals by recent breakthroughs in dimensionality reduction techniques. This is a new trend in cognitive radio networks for spectrum monitoring, which differs from traditional spectrum-sensing techniques such as energy detection, matched filter detection, and cyclostationary feature detection.57–59

Wi-Fi time domain signals have been measured and recorded using an advanced digital phosphor oscilloscope (DPO), a Tektronix DPO72004.60 The DPO supports a maximum bandwidth of 20 GHz and a maximum sampling rate of 50 GS/s. It is capable of recording up to 250 M samples per channel. In the measurements, a laptop accesses the Internet through a wireless Wi-Fi router, as shown in Figure 5.9. An antenna with a frequency range of 800 to 2,500 MHz is placed near the laptop and connected to the DPO. The sampling rate of the DPO is set to 6.25 GS/s. Recorded time domain Wi-Fi signals are shown in Figure 5.10. The duration of the recorded Wi-Fi signals is 40 ms.

The recorded 40-ms Wi-Fi signals are divided into 8,000 slots, with each slot lasting 5 μs. These slots can be viewed as spectrum-sensing slots. The time domain Wi-Fi signals within the first 1 μs of every slot are then transformed into the frequency domain using the fast Fourier transform (FFT), which is equivalent to FFT-based spectrum sensing. The frequency band of 2.411–2.433 GHz is considered. The resolution in the frequency domain is 1 MHz. Therefore, for each slot, 23 points in the frequency domain can be obtained, of which 13 points will be selected in the following experiment.

SVM is exploited to classify the states (busy l_i = 1 or idle l_i = 0) of the measured Wi-Fi data with or without dimensionality reduction, given the true states. SVM will classify the states of the spectrum data at different time slots.

The DoF of the Wi-Fi frequency domain signals is extracted from the original 13 dimensions. The flowchart of the SVM processing combined with dimensionality reduction methods is shown in Figure 5.11. The false alarm rate obtained by combining SVM with dimensionality reduction and employing only SVM is shown in Figure 5.12.

Figure 5.9 Setup for the measurement of Wi-Fi signals. (Blocks: Laptop, Access Point, DPO (Data Acquisition), PC (Postprocessing).)

Figure 5.11 The flowchart of SVM combined with dimensionality reduction. (Blocks: Time Domain Signals → FFT → x_i → Dimension Reduction → y_i → SVM → Labels l_i.)

Figure 5.10 Recorded Wi-Fi signals in time domain. (Axes: Time (ms), 0 to 30; Amplitude (V), −0.01 to 0.01.)

The original dimension of the frequency domain data varies from 1 to 13 for the SVM method. In addition, the SVM method is applied to the data with the extracted dimensions from 1 to 13, obtained by dimensionality reduction.

Experimental results showed that with dimensionality reduction, the performance was much better than that without dimensionality reduction.

5.4.2 Robust Principal Component Analysis

In many practical problems, the collected data can be organized in matrix form. Usually, the size of the matrix is huge. However, the DoF of the matrix are finite, which means the matrix is low rank.

A well-known low-rank matrix approximation algorithm is PCA.61 If the observation matrix is R, PCA finds a low-rank approximation of the original matrix R by solving the optimization model

$$\min_{L} \|R - L\| \quad \text{subject to} \quad \operatorname{rank}(L) \le r$$ (5.3)

Figure 5.12 False alarm rate. (x-axis: Dimension, 0 to 14; y-axis: False Alarm Rate, 0 to 8 × 10^−4; curves: SVM, PCA with SVM, KPCA with SVM, LMVU with SVM.)

in which ∥⋅∥ is the spectral norm of a matrix (the largest singular value of the matrix). PCA finds the optimal low-rank approximation in the least-square sense. This problem can be simply solved by singular value decomposition (SVD). However, an intrinsic drawback of PCA is that it can work efficiently only when the low-rank matrix is corrupted with independent and identically distributed (i.i.d.) Gaussian noise. That is, PCA is suitable for the model of

$$R = L + N$$ (5.4)

in which L is the low-rank matrix, and N is the i.i.d. Gaussian noise matrix. However, it will fail when some of the entries in L are grossly corrupted,

$$R = L + S$$ (5.5)

in which L is still the low-rank matrix, but the matrix S is a sparse matrix with arbitrarily large magnitude, and the number of nonzero entries is m.

The problem of recovering the low-rank matrix from a grossly corrupted observation matrix has been solved efficiently by the relaxed convex optimization model (principal component pursuit):62

$$\min_{L, S} \|L\|_* + \lambda \|S\|_1 \quad \text{subject to} \quad R = L + S,$$ (5.6)

in which ∥⋅∥_* represents the nuclear norm of a matrix (sum of the singular values), ∥⋅∥_1 denotes the sum of the absolute values of matrix entries, and λ is a trade-off parameter. It has been thoroughly investigated62,63 that as long as S is sparse enough, the formulated optimization problem (5.6) can exactly recover the low-rank matrix L. This kind of problem has been traditionally called robust PCA,62–64 which is closely related to, but harder than, the famous problem of matrix completion.65–70

One of the requirements for robust PCA is that the low-rank matrix cannot be sparse at the same time. An incoherence condition defined in Candès and Tao65 and Candès and Recht66 with parameter μ states that the singular vectors of L satisfy the following two assumptions:

$$\max_i \|U^H e_i\|^2 \le \frac{\mu r}{M}, \qquad \max_i \|V^H e_i\|^2 \le \frac{\mu r}{L}$$ (5.7)

and

$$\|U V^H\|_\infty \le \sqrt{\frac{\mu r}{M L}}$$ (5.8)

where ∥⋅∥_∞ is the maximum absolute value of all the entries in the matrix, H denotes conjugate transpose, and e_i is the canonical basis vector in Euclidean space. The matrices are U = [u_1, u_2, ⋯, u_r] and V = [v_1, v_2, ⋯, v_r]. u_i, i = 1, 2, ⋯, r and v_i, i = 1, 2, ⋯, r are the left and right singular vectors obtained by performing SVD on L:

$$L = \sum_{i=1}^{r} \sigma_i u_i v_i^H,$$ (5.9)

where σ_i, i = 1, 2, ⋯, r are positive singular values, and L is a rank r matrix with size M × L. The incoherence condition implies that the entries in the singular vectors u_i, i = 1, 2, ⋯, r and v_i, i = 1, 2, ⋯, r are spread out.

A theorem based on the two assumptions in (5.7) and (5.8) has been proposed and proved62 and is stated as follows:

Theorem 1.62 Suppose L is a rectangular matrix of size M × L; there is a numerical constant c such that principal component pursuit with $\lambda = 1/\sqrt{M_{(1)}}$ succeeds with probability at least $1 - c M_{(1)}^{-10}$, provided that

$$\operatorname{rank}(L) \le \rho_r M_{(2)} \mu^{-1} (\log M_{(1)})^{-2}$$ (5.10)

$$m \le \rho_s M L,$$ (5.11)

the matrix L obeys (5.7) and (5.8), and the support set of S is uniformly distributed among all sets of cardinality m, in which M_(1) = max(M, L), M_(2) = min(M, L); ρ_r and ρ_s are positive numerical constants.

The theorem states that the low-rank matrix L and sparse matrix S (with arbitrarily large magnitude) can be exactly recovered from the observation matrix R = L + S with very large probability once the assumptions of the theorem are satisfied, that is, L̂ = L and Ŝ = S are exact. The original low-rank and sparse matrices are expressed by L and S, respectively. The recovered (extracted) low-rank and sparse matrices are expressed by L̂ and Ŝ, respectively.

In the presented simulations, the inexact augmented Lagrange multiplier (IALM)71 method is employed to recover the sparse component S and the low-rank component L from the observation matrix R. The parameters for the IALM algorithm are set identical to the default values of the code, which can be downloaded from the website.72 The errors between the recovered and the original matrices are computed by

$$\frac{\|\hat{L} - L\|_F}{\|L\|_F}, \qquad \frac{\|\hat{S} - S\|_F}{\|S\|_F}.$$ (5.12)

The simulation results are based on the theoretical covariance matrix of a random process

$$y(n) = x(n) + w(n),$$ (5.13)

in which

$$x(n) = \sum_{l=1}^{L} A_l \sin(2\pi f_l n T + \theta_l),$$ (5.14)

x(n) and w(n) are assumed to be independent, and w(n) is added zero-mean white noise.

The Mth order covariance matrix of this process is

$$R_{yy} = R_{xx} + \sigma^2 I,$$ (5.15)

where σ²I denotes the covariance matrix of noise with power spectral density σ² and R_xx denotes the covariance matrix of the random signal. I represents the Mth order identity matrix.

The Mth order covariance matrix for x(n) can be written as73

$$R_{xx} = \sum_{l=1}^{L} \frac{A_l^2}{4} \left[ e_M(f_l)\, e_M^H(f_l) + e_M^*(f_l)\, e_M^T(f_l) \right]$$ (5.16)

where H denotes complex conjugate transposition, * denotes complex conjugation, and

$$e_M(f_l) = \begin{bmatrix} 1 \\ \exp(j 2\pi f_l T) \\ \vdots \\ \exp(j 2\pi f_l (M-1) T) \end{bmatrix}.$$ (5.17)

The rank of matrix (5.16) is 2L. From (5.15), the theoretical covariance matrix R_yy, which is the observation matrix R here, is comprised of the sparse component σ²I expressed by S and the low-rank component R_xx expressed by L with rank 2L. Robust PCA can be explored to separate the low-rank and sparse components from the observation matrix R.

First, considering the case of L = 1, A_l = 1, f_l = 0.02l, T = 1 of (5.14), and the order of covariance matrix M = 128, the results obtained by applying the IALM algorithm to the matrix R_yy are shown in Figure 5.13.

Corresponding results achieved by applying the IALM algorithm to the matrix R_yy of L = 3, A_l = 1, f_l = 0.02l, T = 1 of (5.14) and the order of covariance matrix M = 128 are shown in Figure 5.14.
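Equations (5.15) through (5.17) built numerically for the parameters just given (A_l = 1, f_l = 0.02l, T = 1, M = 128), as an added example that is not the chapter's simulation code: it constructs R_xx from the steering vectors, confirms that its rank is 2L, and shows that adding the diagonal σ²I component makes the observation matrix full rank, which is why the low-rank and sparse parts have to be separated rather than read off. The rank routine (Gaussian elimination with a relative tolerance) is an assumption of this example.

```python
import cmath


def steering_vector(f, M, T=1.0):
    """e_M(f) = [1, exp(j2πfT), ..., exp(j2πf(M-1)T)]^T, equation (5.17)."""
    return [cmath.exp(2j * cmath.pi * f * k * T) for k in range(M)]


def covariance_rxx(amplitudes, freqs, M, T=1.0):
    """R_xx = sum_l (A_l^2/4) [e_M(f_l) e_M^H(f_l) + e_M^*(f_l) e_M^T(f_l)], equation (5.16)."""
    r = [[0j] * M for _ in range(M)]
    for a, f in zip(amplitudes, freqs):
        e = steering_vector(f, M, T)
        scale = a * a / 4.0
        for p in range(M):
            for q in range(M):
                # e_p conj(e_q) + conj(e_p) e_q = 2 cos(2πf(p-q)T): real, Toeplitz, rank 2 per sinusoid
                r[p][q] += scale * (e[p] * e[q].conjugate() + e[p].conjugate() * e[q])
    return r


def add_noise_floor(rxx, sigma2):
    """R_yy = R_xx + σ² I, equation (5.15); σ² I is the sparse component S of the robust PCA model."""
    M = len(rxx)
    return [[rxx[p][q] + (sigma2 if p == q else 0.0) for q in range(M)] for p in range(M)]


def numerical_rank(matrix, tol=1e-9):
    """Rank of a complex matrix by Gaussian elimination with partial pivoting; pivots
    below tol times the largest entry count as zero (tolerance chosen for this example)."""
    a = [row[:] for row in matrix]
    rows, cols = len(a), len(a[0])
    scale = max(abs(v) for row in a for v in row) or 1.0
    r = 0
    for c in range(cols):
        if r >= rows:
            break
        piv = max(range(r, rows), key=lambda i: abs(a[i][c]))
        if abs(a[piv][c]) <= tol * scale:
            continue                      # no usable pivot in this column
        a[r], a[piv] = a[piv], a[r]
        for i in range(r + 1, rows):
            factor = a[i][c] / a[r][c]
            if factor != 0:
                for j in range(c, cols):
                    a[i][j] -= factor * a[r][j]
        r += 1
    return r


def separation_case(L=3, M=128, T=1.0, sigma2=1.0):
    """Parameters of the text: A_l = 1, f_l = 0.02 l. Returns (rank of R_xx, rank of R_yy)."""
    amps = [1.0] * L
    freqs = [0.02 * l for l in range(1, L + 1)]
    rxx = covariance_rxx(amps, freqs, M, T)
    ryy = add_noise_floor(rxx, sigma2)
    return numerical_rank(rxx), numerical_rank(ryy)


if __name__ == "__main__":
    low_rank, observed = separation_case()
    print("rank(R_xx) =", low_rank, "(expected 2L = 6); rank(R_yy) =", observed, "(full)")
```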

Figure 5.13 Errors between extracted and original matrices of one real sinusoidal function. (x-axis: The PSD of the White Gaussian Noise in dB, 0 to 100; y-axis: Corresponding Errors, 0 to 1; curves: error between low-rank matrices, error between sparse matrices.)

Based on Figures 5.13 and 5.14, it can be seen that even if the power spectral density of white noise increases to 70 dB (approximated value), the IALM algorithm can still separate the low-rank and sparse components from the observation matrix R successfully via theoretical analysis.

In the next section, the robust PCA algorithm is employed as a preprocessing technique to mitigate strong wideband interference before applying the ICA approach for recovering the wireless smart meter transmissions.

5.4.3 Independent Component Analysis with Robust PCA Preprocessing for Recovery of Smart Meter Wireless Transmissions in the Presence of Strong Wideband Interference

Smart meters form an integral part of the smart grid. A smart meter is an electrical meter that records power consumption at regular intervals and communicates, either through power line communications or wireless transmissions, that information to the utility company for monitoring and billing purposes. Since the vision of a wireless cognitive radio network for the smart grid is presented in this chapter, smart meters equipped with wireless transmitters are considered. In this regard, the concept of ICA in combination with the robust PCA technique is presented as a possible approach to recover the simultaneous smart meter wireless transmissions in the presence of strong wideband interference.

Figure 5.14 Errors between extracted and original matrices of three real sinusoidal functions. (x-axis: The PSD of the White Gaussian Noise in dB, 0 to 100; y-axis: Corresponding Errors, 0 to 1; curves: error between low-rank matrices, error between sparse matrices.)

5.4.3.1 Independent Component Analysis Signal Model and Receiver Block Diagram Independent component analysis is a statistical signal-processing method for extracting underlying independent components from multidimensional data.74–77 In Liao and Niebur,78 ICA was also applied to load profile estimation in electric transmission networks. ICA is very closely related to the method called blind source separation (BSS) or blind signal separation.79–81 The term blind refers to the fact that we have little or no knowledge about the system that induces mixing of the source signals.

In a smart meter network, it is critical to accurately recover the smart meter wireless transmissions at the central node or access point (AP). In achieving this objective, one of the foremost challenges is the robustness of the data recovery in the presence of strong wideband interference due to easy access of the wireless data to unauthorized personnel and inadequacy of existing physical-layer security measures. In this section, a blind estimation approach to smart meter data recovery is presented by applying a complex ICA technique82 in combination with the recently developed robust PCA algorithm62 for interference mitigation and security enhancement.

In a smart meter network, each smart meter measures the current load at regular intervals and conveys that information to the control center at the power utility station. In this section, a wireless smart meter network is assumed in which each smart meter is equipped with a wireless transmitter, and the AP at the power utility control center collects all the wireless transmissions for processing the information. Since an ICA-based algorithm is used for recovery of the wireless smart meter data, the smart meters can transmit their information simultaneously. In Husheng et al.,83 the concept of compressed sensing84,85 was exploited to recover the sparse smart meter data transmissions by applying the basis pursuit algorithm.86 However, in Husheng et al., it was assumed that the AP has accurate knowledge of the channel flat fading parameters from the channel estimation period of the data frame. In this section, an ICA-based blind estimation approach is applied by exploiting the statistical properties of the source signals. As a result, channel estimation in each data frame can be avoided, thereby allowing more information to be sent in each frame. Furthermore, to enhance the security of transmitted data, recovery of the wireless smart meter transmissions in the presence of strong wideband interference is also considered. In this regard, the recently developed method of robust PCA can be used.62,71 The robust PCA method exploits the low-rank and sparseness property of the autocorrelation matrices of the smart meter signal and wideband interferer, respectively, to effectively separate them prior to ICA processing.

The smart meter network is assumed to consist of N smart meters controlled by an AP, similar to the illustration given in Husheng et al.83 The channel parameters are assumed to be static over the transmission period, with Rayleigh flat fading characteristics. The data transmission section in the frame is divided into several time slots during which the active smart meters can simultaneously transmit their readings. Mathematically, the signal matrix Z received by the AP can be expressed as the following linear ICA signal model:

$$Z = H P X + W$$ (5.18)

H is the Rayleigh flat fading channel matrix between the meters and the AP, P is the pseudorandom spreading code matrix for the meters, X is the source signal matrix transmitted by the meters, and W is the additive white Gaussian noise (AWGN). The spreading code is known only to the AP and meters and is unique for each meter. Replacing HP by the matrix A, (5.18) becomes

$$Z = A X + W$$ (5.19)

In the context of ICA, A is called the mixing matrix. The objective of ICA is to recover X by estimating a matrix Â that approximates the inverse of A. Subsequently, an estimate of the source signal matrix X can be obtained, as given by the following equation:

$$\hat{X} = \hat{A} Z$$ (5.20)

In contrast to the popular carrier sense multiple access (CSMA) protocol, which uses a random back-off to avoid collisions in transmissions, the significant advantage of employing an ICA-based approach is that it enables simultaneous transmission for the smart meters. This eliminates the problem of incurring significant delay in data recovery. Furthermore, since ICA is a "blind" estimator, it does not need any prior knowledge of the channel or the pseudorandom noise (PN) code matrix. As long as the smart meter transmissions are independent, which is always the case since the meters are spatially separated, ICA can exactly recover all the smart meter signals.

In this section, smart meter data recovery in the presence of strong wideband interference is also addressed. Hence, in the event of strong interference, (5.19) becomes

$$Z = A X + W + Y$$ (5.21)

Since Y is not part of the signal mixing model AX, ICA algorithms cannot recover the source signals X in the presence of the interferer. Hence, it is imperative to separate Y from the observation matrix Z before any ICA method can be applied. To accomplish this, the second-order statistics of the signal and interferer are exploited. In particular, the autocorrelation function of each row of Z is computed. Rewriting (5.21) in terms of the autocorrelation matrices, we obtain

$$R = L + S + E$$ (5.22)

In (5.22), L is the low-rank autocorrelation matrix of the signal mixture, S is the sparse autocorrelation matrix of the wideband interferer consisting of only diagonal entries, and E is the autocorrelation matrix of the AWGN component. Therefore, (5.22) can be written as

$$R = L + \sigma_{int}^2 I + E$$ (5.23)

where σ²_int is the power of the interferer, and I is the identity matrix. In this manner, (5.22) exactly fits the robust PCA matrix model described in the previous section.62 Therefore, the robust PCA technique can be readily applied to recover the low-rank signal autocorrelation matrix from the sparse interferer autocorrelation matrix. This procedure is repeated for all the rows of the observation matrix Z. Therein, once the interferer Y is separated from Z, the signal model becomes similar to (5.19), and ICA can be applied to recover the source signals or smart meter transmissions X.

The baseband block diagram of the ICA-based receiver (central node or AP) is shown in Figure 5.15. The various stages of a typical receiver, such as downconversion, analog-to-digital conversion, synchronization, and so on, are assumed to be completed prior to the data recovery stage in the illustrated receiver.

5.4.4 Simulation Results Using the Robust PCA-ICA Approach

Typically, in a smart me ter network, only a few meters would be actively transmitting their data. As a result, the sparsity of the smart meter data transmission to the central processing node or AP was exploited83 for applying the principle of compressed sensing. In this section, it is assumed that in a smart meter network, N = 10 meters are simultaneously transmitting in quadrature phase shift keying (QPSK) modulation format. As a result of the transmitted data being complex valued, a complex FastICA separation algorithm with a saddle point test called FICACPLX82 is used for the blind recovery of source signals. Since ICA is a block-based technique, the processing block length (number of columns of Z) is assumed to be 1,000 symbols. The performance of the robust PCA-ICA approach is studied for different values of σ²_int from 1 to 5. The signal-to-noise ratio (SNR) is set at 20 dB. The signal-to-interference ratio (SIR)87 is used as the measure of performance and is given by the following equation:

$$\mathrm{SIR} = \frac{1}{2N} \left[ \sum_{m=1}^{N} \left( \frac{\sum_{n=1}^{N} |P_{mn}|^2}{\max_n |P_{mn}|^2} - 1 \right) + \sum_{n=1}^{N} \left( \frac{\sum_{m=1}^{N} |P_{mn}|^2}{\max_m |P_{mn}|^2} - 1 \right) \right]^{-1}$$ (5.24)

where P = ÂA is the permutation matrix of order N, in our case, a 10 × 10 matrix. Here, max|P_m| and max|P_n| are the absolute maximum values of the mth row and nth column of P, respectively. Ideally, P should be a permutation matrix consisting of only ones. However, due to the amplitude ambiguity introduced by the ICA technique, the recovered signals have to be scaled accordingly. This can be accomplished by including a small preamble at the beginning of each frame. The SIR (dB) achieved by the ICA algorithm FICACPLX, with and without the robust PCA method for different σ²_int, is shown in Figure 5.16. The constellation plots for the smart meter 1 QPSK signal before and after applying the FICACPLX algorithm are shown in Figures 5.17 and 5.18, respectively.

Figure 5.15 ICA-based receiver for smart meter data recovery. (Blocks, for Antenna 1, Antenna 2, ..., Antenna M: calculate autocovariance → robust PCA (recover low-rank signal autocovariance matrix) → recover signal vector → complex ICA algorithm → permutation, gain, and sign ambiguity correction → symbol decoding.)

5.5 Secure Communications in the Smart Grid

The smart grid is aimed at transforming the already-aging electric power grid in the United States into a digitally advanced and decentralized infrastructure with heavy reliance on control, energy distribution, communication, and security. Among the five identified key technology areas in the smart grid, the implementation of integrated communications is a foundational need.88 The smart grid in the near future will be required to accommodate increased demands for improved quality and energy efficiency. Solar and wind farms are joining in for power generation in a distributed fashion. Appliances will become smart and talk to the control centers for optimum operations. Monitoring, managing, and controlling will be required at all levels. Prediction of electricity prices, weather, and social/human activities will be taken into account for optimum control. The addition of these new elements will result in continuously increasing complexity. For different subnetworks or elements to be integrated into the smart grid seamlessly, a communication backbone has to be developed prior to adding various functions. Hence, the earlier the communication backbone is determined, the fewer the complications that will be faced later in building the grid.

Figure 5.16 SIR (dB) versus σ²_int for QPSK modulation. (x-axis: Strength of Interferer, 1 to 5; y-axis: SIR (dB), −10 to 70; curves: ICA with robust PCA, ICA w/o robust PCA.)

Figure 5.17 QPSK scatterplot before applying ICA. (Axes: Real and Imaginary, −60 to 60.)

Figure 5.18 QPSK scatterplot after applying ICA. (Axes: Real and Imaginary, −0.8 to 0.8.)

5.5.1 Development of Communications Infrastructure

To develop this communications infrastructure, a high level of interconnectivity and reliability among its nodes is required. Sensors, advanced metering devices, electrical appliances, and monitoring devices, just to mention a few, will be highly interconnected, allowing for the seamless flow of data. Reliability and security in this flow of data between nodes, as shown in Figure 5.19, is crucial due to the low latency and cyberattack resilience requirements of the smart grid.

A distributed interconnection among these nodes will be ubiquitous, just as finding a similar level of connectivity among cellular phones or computing nodes in a large organization. The smart grid environment, however, poses a new set of communications and security paradigms. Due to their complexity and importance to the realization of the smart grid infrastructure, it is extremely important to study the interactions among the nodes, more specifically, in terms of their communications and security.

Figure 5.19 Interaction among actors in smart grid domains through secure communication flows and flows of electricity. (Domains: Markets, Operations, Service Provider, Bulk Generation, Transmission, Distribution, Customer; legend: secure communication flows, electrical flows.)

Taking into account that reliability and security will impose constraints on the majority of the devices connected to the smart grid, if not all, it would be wise to consider communication standards, protocols, and devices that are designed from the ground up to be secured, logically and physically. Since a great portion of the traffic generated within the grid will be traveling on an unsecured medium such as the Internet, it is imperative to minimize the amount of potential security loopholes. In addition, the human variable should also be taken into account in the security model as part of the security infrastructure.

When it comes to security, communication is key, and information should be properly disseminated to all the parties involved, ensuring that everyone has a clear and common understanding of security needs, facilitating their implementation and operation. Training and informing users about processes, study of human behavior, and the perception of events related to the processes are as important to the entire security equation as it is to engineer a secured infrastructure. As a matter of fact, the greatest security threat to any infrastructure is human error, as opposed to the technology securing it. Communications in the smart grid is a key component of the entire infrastructure, and logically we divide it into two sections: the backbone communications (interdomain), which will carry communications among domains such as those shown in Figure 5.19, and the communications at the LAN (intradomain) limited by perimeters such as a customer's house or a distribution facility.89

We can say that current and emerging technologies in telecommunications, most of which are expected to fall in the wireless realm (WiMAX, ZigBee, 802.11, etc.), can accommodate the communications needs of both inter- and intradomain environments, however, not without flaws. From a security standpoint, these technologies are not designed to be secure from the ground up. For example, ZigBee is a standard for short-range communications, and manufacturers of ZigBee-compliant chips produce them without necessarily considering the security issue. In addition, chip manufacturers print the chip model on top of the chip itself as a standard practice. The chip specifications can therefore be easily downloaded, and potential flaws of the chip can be easily exploited by attackers. Also, by default, many of these chips do not carry any internal security features and therefore rely on external chips or on higher-level software applications for this purpose. Easy access to the external chip by any malicious attacker could potentially disable any installed security features. This and other similar scenarios lead us to think that the smart grid should be driven by technologies and standards that consider security as their primary concern.

The smart grid has been conceived as being distributed in nature and heavily dependent on wireless communications. Today's SOHO (small office/home office) and enterprise-grade wireless devices include security features to mitigate attacks, with the vast majority still relying on conventional rule-based detection. It has been shown that conventional rule-based detection systems, although helpful, do not have the capability of detecting unknown attacks. Furthermore, as presented in Pazos-Revilla and Siraj,90 these conventional intrusion detection systems (IDSs) would not be able to detect such an attack if it is carefully crafted since the majority of these rules are solely based on strict thresholds.

5.5.2 FPGA-Based Fuzzy Logic Intrusion Detection for the Smart Grid

Artificial intelligence techniques such as fuzzy logic, Bayesian inference, neural networks, and other methods can be employed to close the security gaps in conventional IDSs. As shown in Figure 5.20, a fuzzy logic approach was used91 in which different variables that influence the inference of an attack can be analyzed and later combined for the decision-making process of a security device. In addition, if each security device serving as an IDS is aware not only of itself but also of a limited number (depending on local resources and traffic) of surrounding trusted IDS devices, the alerts that these other devices generate can be used to adjust local variables or parameters to better cope with distributed attacks and more accurately detect their presence.

Figure 5.20 Fuzzy logic example applied to IDS. ICMP = Internet Control Message Protocol. (Steps shown: 1. fuzzify inputs; 2. apply OR operator (max), noting that rule 2 has no dependency on input 2; 3. apply implication operator (min); 4. apply aggregation method (max); 5. defuzzify (centroid). Rules: if ICMP rate is low then Alert is low; if ICMP rate is medium or Port scan is low then Alert is medium. Result: Alert = 16.7%.)
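The inference chain of Figure 5.20 (fuzzify, OR as max, implication as min, aggregation as max, centroid defuzzification) as an added Python example; it is not code from the chapter or from the cited work. The membership functions, the 0 to 100 input universes, the inputs fed in, and the third rule covering the high-traffic case are assumptions of this example; the two rules from the figure are kept as given.

```python
def tri(a, b, c):
    """Triangular membership function with feet a and c and peak b (a == b or
    b == c gives a shoulder). Returns a callable mu(x) in [0, 1]."""
    def mu(x):
        if x < a or x > c:
            return 0.0
        if x < b:
            return (x - a) / (b - a)
        if x > b:
            return (c - x) / (c - b)
        return 1.0
    return mu


# Constructed universes: both inputs on a 0..100 scale (e.g. ICMP packets per second
# and distinct ports probed per second, normalised); alert level in percent.
INPUT_SETS = {
    "icmp_rate": {"low": tri(0, 0, 50), "medium": tri(25, 50, 75), "high": tri(50, 100, 100)},
    "port_scan": {"low": tri(0, 0, 50), "medium": tri(25, 50, 75), "high": tri(50, 100, 100)},
}
ALERT_SETS = {"low": tri(0, 0, 50), "medium": tri(25, 50, 75), "high": tri(50, 100, 100)}

# Rules: antecedent terms are combined with OR (max), as in Figure 5.20. The first two
# rules are the ones in the figure; the third is added here so heavy traffic fires a rule.
RULES = [
    ({"icmp_rate": "low"}, "low"),
    ({"icmp_rate": "medium", "port_scan": "low"}, "medium"),
    ({"icmp_rate": "high", "port_scan": "high"}, "high"),
]

ALERT_GRID = [k / 100.0 for k in range(10001)]   # output universe 0..100, step 0.01


def rule_strengths(icmp_rate, port_scan):
    """Steps 1 and 2: fuzzify each input and combine antecedent terms with max (OR)."""
    inputs = {"icmp_rate": icmp_rate, "port_scan": port_scan}
    return [max(INPUT_SETS[name][label](inputs[name]) for name, label in ant.items())
            for ant, _ in RULES]


def infer_alert(icmp_rate, port_scan):
    """Mamdani inference: implication = min, aggregation = max, centroid defuzzification.
    Returns the crisp alert level in percent (0.0 when no rule fires)."""
    strengths = rule_strengths(icmp_rate, port_scan)
    aggregated = [0.0] * len(ALERT_GRID)
    for strength, (_, consequent) in zip(strengths, RULES):
        if strength == 0.0:
            continue
        mu_out = ALERT_SETS[consequent]
        for i, x in enumerate(ALERT_GRID):
            aggregated[i] = max(aggregated[i], min(strength, mu_out(x)))   # steps 3 and 4
    area = sum(aggregated)
    if area == 0.0:
        return 0.0
    return sum(x * m for x, m in zip(ALERT_GRID, aggregated)) / area        # step 5


if __name__ == "__main__":
    for icmp, scan in [(0, 50), (50, 0), (100, 100)]:
        print("ICMP rate %3d, port scan %3d -> alert %.1f%%" % (icmp, scan, infer_alert(icmp, scan)))
```

With only the first rule firing at full strength the clipped "low" set is a right triangle over 0 to 50, whose centroid is 50/3, so the crisp output is 16.7% for that case.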

The research and development of robust and secure communication protocols, dynamic spectrum sensing, as well as distributed and collaborative security should be considered as an inherent part of smart grid architecture. An advanced decentralized and secure infrastructure needs to be developed with two-way capabilities for communicating information and controlling equipment, among other tasks, as indicated in the recently published volume 1 of Guidelines for Smart Grid Cyber Security by the National Institute of Standards and Technology (NIST).89 The complexity of such an endeavor, coupled with the amalgam of technologies and standards that will coexist in the development of the smart grid, makes it extremely necessary to have a common platform of development with flexibility and reliable performance.

FPGA DSPs share these advantages, not to mention the fact that a single silicon FPGA chip can be used to study several smart grid technologies and their implementations. FPGA chips offer significant potential for application in the smart grid for performing encryption and decryption, intrusion detection, low-latency routing, data acquisition and signal processing, parallelism, configurability of hardware devices, and high-performance and high-bandwidth tamper-resistant applications. Dr. William Sanders, a member of the Smart Grid Advisory Committee of the NIST, has been among the most influential recently in the research on smart grid security. His research team and several collaborating universities proposed the use of a Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) that focuses on the security of low-level devices and communications, as well as trustworthy operation of the power grid under a variety of conditions, including cyberattacks and emergencies.92 TCIPG proposes a coordinated response and detection at multiple layers of the cyber infrastructure hierarchy, including but not limited to sensor/actuator and substation levels. At these levels of the hierarchy, SDR and wireless communications technologies could be used and studied to prevent attacks such as wireless jamming. Sanders et al. also proposed the use of specification-based IDS in protecting advanced metering infrastructures (AMIs).93 A distributed FPGA-based network with adaptive and cooperative capabilities can be used to study several security and communication aspects of this infrastructure from the point of view of both the attackers and the defenders.

5.6 Conclusions

In this chapter, an innovative approach of employing a cognitive radio network for efficient management of information flow in the smart grid was presented. An outline of cognitive radio and the recently established IEEE 802.22 standard for WRANs was given. Existing and new hardware platforms for the innovative network test bed being built at Tennessee Technological University were described. To efficiently process the high-dimensional data in cognitive radio networks, dimensionality reduction techniques such as PCA, KPCA, and LMVU can be used. The SVM method was applied to a spectrum-monitoring example in Wi-Fi networks, and it was shown that better performance is achieved using dimensionality reduction for preprocessing the data. The recently developed robust PCA algorithm was presented for recovering a low-rank matrix when it was grossly corrupted with a sparse matrix of arbitrarily large magnitude. For the blind recovery of smart meter wireless transmissions in the presence of strong wideband interference, the robust PCA was used as a preprocessing method before applying an ICA-based algorithm. Finally, the vital issue of security in the smart grid was discussed, along with a possible approach to achieve this by employing FPGA-based fuzzy logic intrusion detection.

References

1. J. Mitola III and G. Maguire Jr., Cognitive radio: making software radios more personal, IEEE Personal Communications 6(4), 13–18 (1999).

2. S. Haykin, Cognitive radio: brain-empowered wireless communications, IEEE Journal on Selected Areas in Communications 23(2), 201–220 (2005).

179 Cognitive Radio Network for the Smart Grid

3. G. Ganesan, Y. Li, B. Bing, and S. Li, Spatiotemporal sensing in cognitive radio networks, IEEE Journal on Selected Areas in Communications 26(1), 5–12 (2008).

4. J. Bazerque and G. Giannakis, Distributed spectrum sensing for cognitive radio networks by exploiting sparsity, IEEE Transactions on Signal Processing 58(3), 1847–1862 (2010).

5. C. Cordeiro, K. Challapali, D. Birru, S. Shankar, et al., IEEE 802.22: an introduction to the first wireless standard based on cognitive radios, Journal of Communications 1(1), 38–47 (2006).

6. C. Cordeiro, K. Challapali, D. Birru, S. Shankar, et al., IEEE 802.22: the first worldwide wireless standard based on cognitive radios. In 2005 First IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks, 2005. DySPAN 2005, pp. 328–337. IEEE, New York (2005).

7. C. Cordeiro, K. Challapali, and M. Ghosh, Cognitive PHY and MAC layers for dynamic spectrum access and sharing of TV bands. In Proceedings of the First International Workshop on Technology and Policy for Accessing Spectrum, p. 3. ACM, New York (2006).

8. C. Stevenson, G. Chouinard, Z. Lei, W. Hu, S. Shellhammer, and W. Caldwell, IEEE 802.22: the first cognitive radio wireless regional area network standard, IEEE Communications Magazine 47(1), 130–138 (2009).

9. R. Qiu, A cognitive radio network testbed. Office of Naval Research (ONR) DURIP. N00010-10-0810. 2010.

10. R. C. Qiu, Smart Grid research at TTU. Presented at Argonne National Laboratory (February 2010). Available at http://iweb.tntech.edu/rqiu/publications.htm

11. R. C. Qiu, Cognitive radio and Smart Grid. Presented at IEEE Chapter, Huntsville, AL (February 18, 2010). Available at http://iweb.tntech.edu/rqiu/publications.htm

12. R. C. Qiu, Z. Chen, N. Guo, Y. Song, P. Zhang, H. Li, and L. Lai, Towards a real-time cognitive radio network testbed: architecture, hardware platform, and application to smart grid. Presented at Proceedings of the Fifth IEEE Workshop on Networking Technologies for Software-Defined Radio and White Space, Boston (June 2010).

13. D. Raychaudhuri, I. Seskar, M. Ott, S. Ganu, K. Ramachandran, H. Kremo, R. Siracusa, H. Liu, and M. Singh, Overview of the ORBIT radio grid testbed for evaluation of next-generation wireless network protocols. In Proceedings of IEEE Wireless Communications and Networking Conference, New Orleans, LA, March 13–17, 2005, pp. 1664–1669 (2005).

14. I. Broustis, J. Eriksson, S. Krishnamurthy, and M. Faloutsos, A blueprint for a manageable and affordable wireless testbed: design, pitfalls and lessons learned. In Proceedings of 3rd International Conference on Testbeds and Research Infrastructure for the Development of Networks and Communities, May 21–23, 2007, pp. 1–6 (2007).

15. T. R. Newman, S. S. Hasan, D. Depoy, T. Bose, and J. H. Reed, Designing and deploying a building-wide cognitive radio network testbed, IEEE Communications Magazine 48(9), 106–112 (2010).


16. Ettus Research LLC, home page (July 2010). http://www.ettus.com/.

17. GNU Radio, home page (July 2010). http://www.gnuradio.org/.

18. Z. Chen, N. Guo, and R. C. Qiu, Experimental validation of channel state prediction considering delays in practical cognitive radio, IEEE Transactions on Vehicular Technology 16(4), 1314–1325 (2011).

19. Lyrtech Incorporated, Small Form Factor SDR Evaluation Module/Development Platform User's Guide. Lyrtech, Quebec City, Canada (February 2010).

20. Lyrtech Incorporated, ADACMaster III User's Guide. Lyrtech, Quebec City, Canada (January 2009).

21. Lyrtech Incorporated, home page (July 2010). http://www.lyrtech.com/.

22. K. Amiri, Y. Sun, P. Murphy, C. Hunter, J. Cavallaro, and A. Sabharwal, WARP, a unified wireless network testbed for education and research. In IEEE International Conference on Microelectronic Systems Education, San Diego, CA, June 3–4, 2007, pp. 53–54 (2007).

23. Rice University, home page (July 2010). http://warp.rice.edu/.

24. Mango Communications, home page (September 2010). http://www.mangocomm.com/.

25. K. Tan, J. Zhang, J. Fang, H. Liu, Y. Ye, S. Wang, Y. Zhang, H. Wu, W. Wang, and G. Voelker, Sora: high performance software radio using general purpose multi-core processors. In Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation, pp. 75–90. USENIX Association, Berkeley, CA (2009).

26. K. Chowdhury and T. Melodia, Platforms and testbeds for experimental evaluation of cognitive ad hoc networks, IEEE Communications Magazine 48(9), 96–104 (2010).

27. Z. Chen, N. Guo, and R. C. Qiu, Building a cognitive radio network testbed, Proceedings of IEEE Southeastcon, Nashville, TN (March 2011).

28. R. C. Qiu, Cognitive Radio Network Testbed. Funded research proposal for Defense University Research Instrumentation Program (DURIP) (August 2009). http://www.defense.gov/news/fiscal 2010 dUriPwinnerslist.pdf

29. R. C. Qiu, Cognitive radio and Smart Grid. Invited presentation at IEEE Chapter (February 2010). http://iweb.tntech.edu/rqiu.

30. Robert C. Qiu (PI), Cognitive Radio Institute. Funded research proposal for 2010 defense earmark (2010). http://www.opensecrets.org/politicians/earmarks.php?cid=n00003126

31. R. Qiu, Z. Hu, G. Zheng, Z. Chen, and N. Guo, Cognitive radio network for the smart grid: experimental system architecture, control algorithms, security, and microgrid testbed, IEEE Transactions on Smart Grid 2(4), 724–740 (2011).

32. R. C. Qiu, M. C. Wicks, Z. Hu, L. Li, and S. J. Hou, Wireless tomography (1): a novel approach to remote sensing. In 5th International Waveform Diversity and Design Conference, Niagara Falls, Canada (August 2010).

33. T. Gou and S. A. Jafar, Degrees of freedom of the K user M×N MIMO interference channel, IEEE Transactions on Information Theory 56, 12 (2010).


34. V. R. Cadambe and S. A. Jafar, Interference alignment and spatial degrees of freedom for the K user interference channel. In IEEE International Conference on Communications, 2008. ICC'08, pp. 971–975, Beijing (May 2008).

35. M. A. Maddah-Ali, A. S. Motahari, and A. K. Khandani, Communication over MIMO X channels: interference alignment, decomposition, and performance analysis, IEEE Transactions on Information Theory 54(8), 3457–3470 (2008).

36. B. Nazer, S. A. Jafar, M. Gastpar, and S. Vishwanath, Ergodic interference alignment. In IEEE International Symposium on Information Theory, 2009. ISIT 2009, pp. 1769–1773, Seoul, Korea (2009).

37. C. Huang and S. A. Jafar, Degrees of freedom of the MIMO interference channel with cooperation and cognition, IEEE Transactions on Information Theory 55(9), 4211–4220 (2009).

38. C. S. Vaze and M. K. Varanasi, The degrees of freedom region of the MIMO cognitive interference channel with no CSIT. In ISIT, pp. 440–444, Austin, TX (June 2010).

39. J. B. Tenenbaum, V. Silva, and J. C. Langford, A global geometric framework for nonlinear dimensionality reduction, Science 290(5500), 2319–2323 (2000).

40. S. Roweis and L. Saul, Nonlinear dimensionality reduction by locally linear embedding, Science 290(5500), 2323–2326 (2000).

41. E. Keogh, K. Chakrabarti, M. Pazzani, and S. Mehrotra, Dimensionality reduction for fast similarity search in large time series databases, Knowledge and Information Systems 3(3), 263–286 (2001).

42. M. L. Raymer, W. F. Punch, E. D. Goodman, L. A. Kuhn, and A. K. Jain, Dimensionality reduction using genetic algorithms, IEEE Transactions on Evolutionary Computation 4(2), 164–171 (2002).

43. I. Jolliffe, Principal Component Analysis. Springer-Verlag, New York (2002).

44. B. Scholkopf, A. Smola, and K. Muller, Nonlinear component analysis as a kernel eigenvalue problem, Neural Computation 10(5), 1299–1319 (1998).

45. K. Weinberger and L. Saul, Unsupervised learning of image manifolds by semidefinite programming, International Journal of Computer Vision 70(1), 77–90 (2006).

46. K. Weinberger, B. Packer, and L. Saul, Nonlinear dimensionality reduction by semidefinite programming and kernel matrix factorization. In Proceedings of the Tenth International Workshop on Artificial Intelligence and Statistics, pp. 381–388, Barbados (January 2005).

47. G. Baudat and F. Anouar, Kernel-based methods and function approximation. In International Joint Conference on Neural Networks, 2001. Proceedings. IJCNN'01, vol. 2, pp. 1244–1249, Washington, DC (July 2001).

48. G. Wu, E. Y. Chang, and N. Panda, Formulating distance functions via the kernel trick. In Proceedings of the Eleventh ACM SIGKDD International Conference on Knowledge Discovery in Data Mining, pp. 703–709, Chicago (August 2005).


49. J. Mariéthoz and S. Bengio, A kernel trick for sequences applied to text-independent speaker verification systems, Pattern Recognition 40(8), 2315–2324 (2007).

50. J. Wang, J. Lee, and C. Zhang, Kernel trick embedded Gaussian mixture model. In Algorithmic Learning Theory, vol. 2842, pp. 159–174. SpringerLink, New York (2003).

51. L. Vandenberghe and S. Boyd, Semidefinite programming, SIAM Review 38(1), 49–95 (1996).

52. F. Alizadeh, J. P. A. Haeberly, and M. L. Overton, Primal-dual interior-point methods for semidefinite programming: convergence rates, stability and numerical results, SIAM Journal on Optimization 8(3), 746–768 (1998).

53. H. Wolkowicz, R. Saigal, and L. Vandenberghe, Handbook of Semidefinite Programming: Theory, Algorithms, and Applications. Springer-Verlag, Dordrecht (2000).

54. S. P. Boyd and L. Vandenberghe, Convex Optimization. Cambridge University Press (2004).

55. G. R. G. Lanckriet, N. Cristianini, P. Bartlett, L. E. Ghaoui, and M. I. Jordan, Learning the kernel matrix with semidefinite programming, The Journal of Machine Learning Research 5, 27–72 (2004).

56. S. J. Hou, Z. Qiu, R. Chen, and Z. Hu, Spectrum sensing using SVM and dimensionality reduction with experimental validation, http://arXiv.org/abs/1106.2325 (2011).

57. S. Haykin, D. Thomson, and J. Reed, Spectrum sensing for cognitive radio, Proceedings of the IEEE 97(5), 849–877 (May 2009). doi:10.1109/JPROC.2009.2015711.

58. J. Ma, G. Y. Li, and B. H. Juang, Signal processing in cognitive radio, Proceedings of the IEEE 97(5), 805–823 (2009). doi:10.1109/JPROC.2009.2015707.

59. D. Cabric, S. Mishra, and R. Brodersen, Implementation issues in spectrum sensing for cognitive radios. In Proceedings of Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers, vol. 1, 772–776 (2004).

60. Z. Chen and R. C. Qiu, Prediction of channel state for cognitive radio using higher-order hidden Markov model. In Proceedings of the IEEE Southeastcon, pp. 276–282 (March 2010).

61. I. Jolliffe, Principal Component Analysis, 2nd edition. Springer-Verlag, New York (2002).

62. E. Candès, X. Li, Y. Ma, and J. Wright, Robust principal component analysis? Journal of ACM (JACM) 58(3), 1–37 (May 2011).

63. J. Wright, A. Ganesh, S. Rao, and Y. Ma, Robust principal component analysis: exact recovery of corrupted low-rank matrices via convex optimization. In Proceedings of the Conference on Neural Information Processing Systems (NIPS) (December 2009).


64. V. Chandrasekaran, S. Sanghavi, P. Parrilo, and A. Willsky, Rank-sparsity incoherence for matrix decomposition, SIAM Journal on Optimization 21(2), 572–596 (2011).

65. E. Candès and T. Tao, The power of convex relaxation: near-optimal matrix completion, IEEE Transactions on Information Theory 56(5), 2053–2080 (2010).

66. E. Candès and B. Recht, Exact matrix completion via convex optimization, Foundations of Computational Mathematics 9(6), 717–772 (2009).

67. E. Candès and Y. Plan, Matrix completion with noise, Proceedings of the IEEE 98(6), 925–936 (2010).

68. B. Recht, M. Fazel, and P. Parrilo, Guaranteed minimum-rank solutions of linear matrix equations via nuclear norm minimization, arXiv preprint arXiv:0706.4138 (2007).

69. B. Recht, W. Xu, and B. Hassibi, Necessary and sufficient conditions for success of the nuclear norm heuristic for rank minimization. In 47th IEEE Conference on Decision and Control, 2008. CDC 2008, pp. 3065–3070. IEEE, New York (2009).

70. J. Cai, E. Candès, and Z. Shen, A singular value thresholding algorithm for matrix completion, arXiv preprint arXiv:0810.3286 (2008).

71. Z. Lin, M. Chen, L. Wu, and Y. Ma, The augmented Lagrange multiplier method for exact recovery of corrupted low-rank matrices, UIUC Technical Report UILU-ENG-09-2215 (November 2009).

72. M. Chen. http://perception.csl.illinois.edu/matrix-rank/sample code.html.

73. S. Marple Jr., Digital Spectral Analysis with Applications. Prentice Hall, Englewood Cliffs, NJ (1987).

74. P. Comon, Independent component analysis, a new concept? Signal Processing 36(3), 287–314 (1994).

75. A. Hyvarinen and E. Oja, One-unit learning rules for independent component analysis. In Advances in Neural Information Processing Systems, 480–486. Morgan Kaufmann, New York (1997).

76. A. Hyvarinen and E. Oja, Independent component analysis: algorithms and applications, Neural Networks 13(4–5), 411–430 (2000).

77. A. Hyvarinen, J. Karhunen, and E. Oja, Independent Component Analysis. Wiley, New York (2001).

78. H. Liao and D. Niebur, Load profile estimation in electric transmission networks using independent component analysis, IEEE Transactions on Power Systems 18(2), 707–715 (2003).

79. D. Pham, Blind separation of instantaneous mixture of sources via an independent component analysis, IEEE Transactions on Signal Processing 44(11), 2768–2779 (2002).

80. T. Lee, M. Lewicki, and T. Sejnowski, ICA mixture models for unsupervised classification of non-Gaussian classes and automatic context switching in blind signal separation, IEEE Transactions on Pattern Analysis and Machine Intelligence 22(10), 1078–1089 (2002).


81. S. Amari, A. Cichocki, and H. Yang, A new learning algorithm for blind signal separation. In Advances in Neural Information Processing Systems, 757–763. Morgan Kaufman, New York (1996).

82. Z. Koldovsky and P. Tichavsky, Blind instantaneous noisy mixture separation with best interference-plus-noise rejection. In Proceedings of the 7th International Conference on Independent Component Analysis and Signal Separation, pp. 730–737. Springer-Verlag, New York (2007).

83. L. Husheng, M. Rukun, L. Lifeng, and R. Qiu, Compressed meter reading for delay-sensitive and secure load report in smart grid. In First IEEE International Conference on Smart Grid Communications, 2010. SmartGridComm 2010, pp. 114–119. Gaithersburg, MD (October 2010).

84. D. Donoho, Compressed sensing, IEEE Transactions on Information Theory 52(4), 1289–1306 (2006).

85. E. Candès, J. Romberg, and T. Tao, Robust uncertainty principles: exact signal reconstruction from highly incomplete frequency information, IEEE Transactions on Information Theory 52(2), 489–509 (2006).

86. S. Chen, D. Donoho, and M. Saunders, Atomic decomposition by basis pursuit, SIAM Review 43(1), 129–159 (2001).

87. R. Ranganathan and W. B. Mikhael, A comparative study of complex gradient and fixed-point ICA algorithms for interference suppression in static and dynamic channels, Signal Processing 88(2), 399–406 (2008). doi:10.1016/j.sigpro.2007.08.002. http://www.sciencedirect.com/science/article/B6v18-4Pf1w9k-2/2/f6fede5fcdf79d0b75c0b5d050020861.

88. National Energy Technology Laboratory, A Systems View of the Modern Grid. Department of Energy, Washington, DC (January 2007).

89. National Institute of Standards and Technology, Guidelines for Smart Grid Security: vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, The Smart Grid Interoperability Panel Cyber Security Working Group, August 2010.

90. M. Pazos-Revilla and A. Siraj, An experimental model of an FPGA-based intrusion detection systems. In 2011 International Conference on Computers and Their Applications, New Orleans, LA (March 2011).

91. M. Pazos-Revilla, FPGA based fuzzy intrusion detection system for network security, master's thesis, Tennessee Technological University, Cookeville (2010).

92. W. Sanders, TCIP: Trustworthy Cyber Infrastructure for the Power Grid, technical report. Information Trust Institute, University of Illinois at Urbana-Champaign (2011).

93. R. Berthier, W. Sanders, and H. Khurana, Intrusion detection for advanced metering infrastructures: requirements and architectural directions. In First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010, pp. 350–355. IEEE, New York (2010).

Part 2

Security and Privacy in Smart Grids

6 Requirements and Challenges of Cybersecurity for Smart Grid Communication Infrastructures

ROSE QINGYANG HU AND YI QIAN

Contents

6.1 Introduction 188
  6.1.1 Background 188
  6.1.2 High-Level Requirements 190
6.2 Vulnerabilities and Security Requirements 192
  6.2.1 Privacy 193
  6.2.2 Availability 194
  6.2.3 Integrity 195
  6.2.4 Authentication 196
  6.2.5 Authorization 196
  6.2.6 Auditability 196
  6.2.7 Nonrepudiability 196
  6.2.8 Third-Party Protection 197
  6.2.9 Trust 197
6.3 Cybersecurity Challenges 198
  6.3.1 Internetworking 198
  6.3.2 Security Policy and Operations 199
  6.3.3 Security Services 200
6.4 Conclusions 201
References 202


Upgrading an existing power grid into a smart grid requires significant dependence on intelligent and secure communication infrastructures. It requires systematic security frameworks for distributed communications, pervasive computing, and sensing technologies in the smart grid. However, because many of the communication technologies currently recommended for use by a smart grid are vulnerable to cyber attacks, the result could be unreliable system operations, causing unnecessary expenditures and even consequential disasters for both utilities and consumers. In this chapter, we summarize the possible vulnerabilities and the cybersecurity requirements in smart grid communications and discuss the challenges of cybersecurity for smart grid communications.

6.1 Introduction

A smart grid communication system is comprised of several subsystems; it is ultimately a network of networks. A supervisory control and data acquisition (SCADA) system is not only a controlling system but also a communication network in a smart grid. The communication networks in smart grid systems could include dedicated or overlay land mobile radios (LMRs), cellular, microwave, fiber-optic, wired lines such as power line communication (PLC), RS-232/RS-485 serial links, wireless local-area network (WLAN) media, or a versatile data network combining these media. In this section, we briefly discuss the background of a smart grid system in several aspects: SCADA system, communication networks, deployments of secure smart grid communications, and high-level security requirements. Figure 6.1 shows a typical smart grid communication system.1

6.1.1 Background

189 Requirements and Challenges

Core to the monitoring and control of a substation is the SCADA system. It is utilized for distribution automation (DA) and computerized remote control of medium-voltage (MV) substations and power grids, and it helps electric utilities achieve higher supply reliability and reduces operating and maintenance costs. In the past, sectionalizer switchgears, ring main units, reclosers, and capacitor banks were designed for local operations with limited remote control. Today, using SCADA over reliable wireless communication links, remote terminal units (RTUs) provide powerful integrated solutions when upgrading remotely installed electric equipment. In a distribution management system (DMS), RTUs seamlessly interface via SCADA with a wide range of high-performance control centers supplied by leading vendors worldwide. Connection to these energy management systems (EMSs) and DA/DMS control centers is typically provided via a high-performance Internet Protocol (IP) gateway or a similar node.2

[Figure 6.1: diagram of a typical smart grid communication system. For each of Utility A and Utility B it shows a Power System Operator, a Metering System, a Regional Control Center with its Database, RTUs, Power Plants, a Trading Coordinator, Operation Data Management with its Database, Power Market Operations, Data Acquisition and Control, Circuit Breakers, and Substations.]

Figure 6.1 A typical smart grid communication system. (From C. H. Hauser, D. E. Bakken, and A. Bose, IEEE Power and Energy Magazine, pp. 47–55, March–April 2005. With permission.)


Different scales and structures of smart grid systems adopt different communication networking solutions. Advanced metering infrastructure (AMI) solutions can be meshed or point to point, with short local coverage or long-range communications.3,4 Options for backhaul solutions might be fiber, wireless broadband, or broadband over a power line. The possible solutions include WiMAX, WLAN, wireless sensor network (WSN), cellular, and LMR, depending on the reliability, throughput, and coverage desired by the utility. The wireless communication solutions can be either licensed or unlicensed, again depending on the needs of the utility. For the highest reliability, licensed solutions should be chosen. Each of these options has advantages and disadvantages, but what is consistently true of any and all of the solutions is the need to have a scalable security solution.5

Smart grid deployments must meet stringent security requirements. Strong authentication will be required for all users and devices that may affect the operation of the grid. With the large number of users and devices affected, scalable key and trust management systems, customized to the specific needs of the energy service provider, will be essential. What has been learned from years of deploying and operating large secure network communication systems is that the effort required to provision symmetric keys into thousands of devices can be too expensive or insecure. The development of key and trust management systems for large networks is required; these systems can be leveraged from other industries, such as LMR systems and Association of Public-Safety Communications Officials (APCO) radio systems. Several APCO-deployed systems provide statewide wireless coverage, with tens of thousands of secure devices. Trust management systems, based on public key infrastructure (PKI) technology, could be customized specifically for smart grid operators, easing the burden of providing security that adheres to the standards and guidelines that are known to be secure.6

6.1.2 High-Level Requirements

According to the Electric Power Research Institute (EPRI), one of the biggest challenges facing smart grid deployment is related to cybersecurity of the systems.7 According to the EPRI report, cybersecurity is a critical issue due to the increasing potential of cyber attacks and incidents against this critical sector as it becomes increasingly interconnected. Cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, or terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize the grid in unpredictable ways. High-level requirements for smart grid communication security are being developed by various organizations and set out in detail in the corresponding standards. The cybersecurity requirements for smart grid communications are discussed further in the rest of this chapter.

There are many organizations working on the development of smart grid security requirements, including the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), International Society of Automation (ISA), Institute of Electrical and Electronics Engineers (IEEE) (IEEE 1402), National Infrastructure Protection Plan (NIPP), and National Institute of Standards and Technology (NIST), which has a number of smart grid cybersecurity programs ongoing.

One prominent source of requirements is the Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group, previously the NIST Cyber Security Coordination Task Group (CSCTG).8 The NIST CSCTG was established to ensure consistency in the cybersecurity requirements across all the smart grid domains and components. The latest draft document from the Cyber Security Working Group, NIST Interagency Report (NIST-IR 7628),9 Smart Grid Cyber Security Strategy and Requirements, continues to evolve at the time of this writing. NIST and the Department of Energy (DOE) GridWise Architecture Council (GWAC)10 have established domain expert working groups (DEWGs): Home-to-Grid (H2G), Building-to-Grid (B2G), Industrial-to-Grid (I2G), Transmission and Distribution (T&D), and Business and Policy (B&P).

Working with standards bodies, such as NIST and others, will be extremely important to ensure a highly secure, scalable, consistently deployed smart grid system, as these standards bodies will drive the security requirements of the system.11

One thing is consistent among the various standards bodies: The security of the grid will strongly depend on authentication, authorization, and privacy technologies. Privacy technologies are well matured. The Advanced Encryption Standard (AES)12 and Triple Data Encryption Algorithm (3DES)13 solutions approved by the Federal Information Processing Standard (FIPS), offering strong security and high performance, are readily available. The specific privacy solution required will depend on the type of communication resource protected. As a specific example, NIST has determined that the 3DES solution will likely become insecure by the year 2030. Considering that utility components are expected to have long lifetimes, AES would be the preferred solution for new components. However, it is reasonable to expect that under certain circumstances, when legacy functionality must be supported and the risk of compromise is acceptable, 3DES could be used.
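To make the AES preference concrete, the following is an added example written for this discussion (not code from the chapter, from NIST, or from any utility product). Using only Go's standard library, it protects a control message with AES-256-GCM, binds a plaintext header to the ciphertext as associated data so that a modified header or body is rejected before any decryption result is used, and shows that legacy 3DES, with its 64-bit block, cannot even be wrapped in the GCM authenticated mode. The key, header, and command bytes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ProtectedMessage carries one control message protected with AES-256-GCM.
// The header travels in the clear but is covered by the authentication tag,
// so intermediate nodes can read routing information but cannot alter it.
type ProtectedMessage struct {
	Header     []byte // authenticated, not encrypted (associated data)
	Nonce      []byte // 96-bit nonce; must never repeat under the same key
	Ciphertext []byte // encrypted body followed by the 128-bit GCM tag
}

// ProtectMessage encrypts body under a 32-byte key (AES-256) and
// authenticates header together with the ciphertext.
func ProtectMessage(key, header, body []byte) (*ProtectedMessage, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &ProtectedMessage{
		Header:     append([]byte(nil), header...),
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, body, header),
	}, nil
}

// VerifyAndOpen returns the body only if the tag verifies over header and
// ciphertext; a single flipped bit in either makes it fail closed.
func VerifyAndOpen(key []byte, m *ProtectedMessage) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := aead.Open(nil, m.Nonce, m.Ciphertext, m.Header)
	if err != nil {
		return nil, errors.New("integrity check failed: message or header was modified")
	}
	return body, nil
}

// TripleDESSupportsGCM reports whether a 3DES block cipher can be wrapped in
// GCM. It cannot: GCM needs a 128-bit block and 3DES has a 64-bit block, one
// reason legacy 3DES cannot give the authenticated encryption AES-GCM gives.
func TripleDESSupportsGCM() bool {
	block, err := des.NewTripleDESCipher(make([]byte, 24)) // placeholder key; only its length matters here
	if err != nil {
		return false
	}
	_, err = cipher.NewGCM(block)
	return err == nil
}

func main() {
	key := []byte("constructed-32-byte-sample-key!!") // constructed sample, 32 bytes
	header := []byte("substation=S1;dst=breaker-7")   // constructed header
	body := []byte("OPEN")                             // constructed command

	m, err := ProtectMessage(key, header, body)
	if err != nil {
		panic(err)
	}
	if got, err := VerifyAndOpen(key, m); err == nil {
		fmt.Printf("accepted: %s\n", got)
	}
	m.Header[0] ^= 0x01 // an on-path modification of the header
	if _, err := VerifyAndOpen(key, m); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println("3DES usable with GCM:", TripleDESSupportsGCM())
}
```

The design point is that confidentiality alone is not what a control channel needs: the GCM tag gives the receiver a check that the command and its routing header are exactly what the sender produced, which is the integrity property discussed later in this chapter. Nonce uniqueness under a given key is the one operational requirement the code cannot enforce by itself; the key management scheme has to guarantee it.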

Wireless links will be secured with technologies from well-known standards such as IEEE 802.11i14 and IEEE 802.16e.15 Different wireless protocols have varying degrees of security mechanisms. Wired links will be secured with firewalls, virtual private networks (VPNs), and IPsec (Internet Protocol Security) technologies. Higher-layer security mechanisms such as Secure Shell (SSH) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) should also be used.16

System architects and designers often identify the need for and specify the use of secure protocols, such as SSH and IPsec, but then skip the implementation details associated with establishing security associations between endpoints of communications. Such an approach is likely to result in a system in which the necessary procedures for secure key management can quickly become an operational nightmare. This is because, when system architects do not develop an integrated and comprehensive key management scheme, customers may be provided with few key management options and often resort to manually preconfiguring symmetric keys. This approach is simple for the system designers, but it can be very expensive for the system owners/operators.

6.2 Vulnerabilities and Security Requirements

The reliability of a smart grid depends on the reliability of the control and communication systems. For development of smart grid systems, the communication systems are becoming more sophisticated, allowing for better control and higher reliability. The smart grid will require higher degrees of network connectivity to support the new features. The higher degree of connectivity should have sophisticated security protocols to deal with the vulnerabilities and security breaches. Table 6.1 lists some security protocols adopted by different layers in communication networks with the specific security requirements; more details were summarized by Dzung et al.18 In this section, we discuss the major security vulnerabilities and requirements in privacy, availability, integrity, authentication, authorization, auditability, nonrepudiability, third-party protection, and trust components for smart grid communication security.

6.2.1 Privacy

Privacy issues have to be covered with the derived customer consumption data as they are created in metering devices. Consumption data contain detailed information that can be used to gain insights on a customer's behavior. Smart grid communications have unintended consequences for customer privacy. Electricity usage information stored at the smart meter and distributed thereafter acts as an information-rich side channel, exposing customers' habits and behaviors. Certain activities, such as watching television, have detectable power consumption signatures. History has shown that where financial or political incentives align, the techniques for mining behavioral data will evolve quickly to match the desires of those who would exploit that information.19

Table 6.1 Layered Security Protocols

Layer        Security protocol           Application        Confidentiality  Integrity  Authentication
Application  WS-Security                 Document           Yes              Yes        Data
             PGP/GnuPG                   E-mail             Yes              Yes        Message
             S/MIME                      E-mail             Yes              Yes        Message
             HTTP digest authentication  Client to service  No               No         User
Transport    SSH                                            Yes              Yes        Server
             SSL/TLS                                        Yes              Yes        Server
Network      IPSec                       Host to host       Yes              Yes        Host
Link         CHAP/PAP                    Point to point     No               No         Client
             WEP/WAP/802.1X              Wireless access    Yes              Yes        Device

Source: From Y. Yan, Y. Qian, H. Sharif, and D. Tipper, IEEE Communications Surveys and Tutorials, vol. 14(4), pp. 998–1010, 2012. With permission from IEEE.17

Note: CHAP/PAP = Challenge Handshake Authentication Protocol/Password Authentication Protocol, HTTP = Hypertext Transfer Protocol, PGP/GnuPG = Pretty Good Privacy/GNU Privacy Guard, S/MIME = Secure/Multipurpose Internet Mail Extensions, WEP/WAP = Wired Equivalent Privacy/WiFi Protected Access, WS-Security = Web Services Security.

Utility companies are not the only sources of potential privacy abuse. The recently announced Google PowerMeter service,20 for instance, receives real-time usage statistics from installed smart meters. Customers subscribing to the service receive a customized web page that visualizes local usage. Although Google has yet to announce the final privacy policy for this service, early versions leave the door open to the company to use this information for commercial purposes, such as marketing individual or aggregate usage statistics to third parties. Although services such as Google PowerMeter are optional, customers have less control over the use of power information delivered to utility companies. Existing privacy laws in the United States are in general a patchwork of regulations and guidelines. It is unclear how these or any laws apply to customer energy usage yet.

6.2.2 Availability

Availability refers to ensuring that unauthorized persons or systems cannot deny access or use to authorized users. For smart grid systems, this refers to all the information technology (IT) elements of the plant, like control systems, safety systems, operator workstations, engineering workstations, manufacturing execution systems, as well as the communication systems between these elements and to the outside world.

Malicious attacks targeting availability can be considered as denial-of-service (DoS) attacks, which attempt to delay, block, or even corrupt information transmission to make network resources unavailable to communicating nodes that need information exchange in the smart grid. It is widely expected that at least part, if not all, of the smart grid will use IP-based protocols (e.g., International Electrotechnical Commission [IEC] 61580 has already adopted the Transmission Control Protocol [TCP]/IP as a part of its protocol stacks21), and TCP/IP is vulnerable to DoS attacks. DoS attacks against TCP/IP have been well studied in the literature regarding attacking types, prevention, and response.22–24


However, a major difference between a smart grid communication network and the Internet is that the smart grid is more concerned with the message delay than the data throughput due to the timing constraint of messages transmitted over the power networks. Indeed, network traffic in smart grid communication networks is in general time critical. For instance, the delay constraint of Generic Object Oriented Substation Event (GOOSE) messages is 4 ms in IEC 61850.9

Because intruders only need to connect to communication channels rather than to authenticated networks in the smart grid, it is very easy for them to launch DoS attacks against the smart grid communication networks, especially for the wireless-based communication networks that are susceptible to jamming attacks.25–27 Hence, it is of critical importance to evaluate the impact of DoS attacks on the smart grid and to design effective countermeasures to such attacks.
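As an added example (not from the chapter or from IEC 61850 itself), the following Go program shows how a monitor could apply the 4 ms GOOSE delay budget quoted above to observed traffic. It parses constructed per-frame records (the CSV layout of sequence number, send time and receive time is an assumption made for this example, not a real capture format), flags frames delivered late, and reports sequence numbers that never arrived, which are the two symptoms that delay- or blocking-style DoS produces against time-critical traffic.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// GOOSEDelayBudget is the IEC 61850 delivery constraint quoted in the text.
const GOOSEDelayBudget = 4 * time.Millisecond

// Constructed sample log (not a real capture). Assumed layout, one frame per
// line: sequence number, send timestamp (us), receive timestamp (us).
const SampleLog = `1,1000,1800
2,5000,5900
3,9000,14200
5,17000,17700
6,21000,26500`

// Frame is one observed GOOSE message with sender and receiver timestamps.
type Frame struct {
	Seq    int
	SentUS int64
	RecvUS int64
}

// ParseFrame parses one log line in the assumed CSV layout.
func ParseFrame(line string) (Frame, error) {
	parts := strings.Split(strings.TrimSpace(line), ",")
	if len(parts) != 3 {
		return Frame{}, fmt.Errorf("malformed line %q", line)
	}
	seq, err := strconv.Atoi(parts[0])
	if err != nil {
		return Frame{}, err
	}
	sent, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return Frame{}, err
	}
	recv, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil {
		return Frame{}, err
	}
	return Frame{Seq: seq, SentUS: sent, RecvUS: recv}, nil
}

// Report lists frames that missed the delay budget and sequence numbers that
// were never observed (dropped or blocked). Either pattern is what an
// availability attack on this traffic looks like to a monitor.
type Report struct {
	Late    []int
	Missing []int
}

// CheckAvailability walks the log in order and applies the delay budget.
func CheckAvailability(logText string, budget time.Duration) (Report, error) {
	var rep Report
	prev := 0
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		f, err := ParseFrame(line)
		if err != nil {
			return Report{}, err
		}
		if prev != 0 {
			for s := prev + 1; s < f.Seq; s++ { // gap in sequence numbers
				rep.Missing = append(rep.Missing, s)
			}
		}
		prev = f.Seq
		delay := time.Duration(f.RecvUS-f.SentUS) * time.Microsecond
		if delay > budget {
			rep.Late = append(rep.Late, f.Seq)
		}
	}
	return rep, nil
}

func main() {
	rep, err := CheckAvailability(SampleLog, GOOSEDelayBudget)
	if err != nil {
		panic(err)
	}
	fmt.Printf("late frames: %v, missing sequence numbers: %v\n", rep.Late, rep.Missing)
}
```

On the constructed log, frames 3 and 6 exceed the 4 ms budget and sequence number 4 never arrives. A real monitor would need synchronized clocks on sender and receiver for the delay figure to mean anything, which is itself one of the things a jamming or delay attack can disturb.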

6.2.3 Integrity

Integrity refers to preventing undetected modification of information by unauthorized persons or systems. For smart grid communication systems, this applies to information such as product recipes, sensor values, or control commands. This objective includes defense against information modification via message injection, message replay, and message delay on the network. Violation of integrity may cause safety issues; that is, equipment or people may be harmed.

Differing from attacks targeting availability, attacks targeting data integrity can be regarded as less brute force and more sophisticated attacks. The target of the integrity attacks is either customer information (e.g., pricing information and customer account balance) or network operation information (e.g., voltage readings, device running status). In other words, such attacks attempt to deliberately modify the original information in the smart grid communication system to corrupt critical data exchange in the smart grid.

The risk of attacks targeting data integrity in the power networks is indeed real. A notable example is the recent work by Liu et al. [28], which proposed a new type of attacks, called false data injection attacks, against the state estimation in the power grid. It assumed that an attacker has already compromised one or several meters and pointed out that the attacker can take advantage of the configuration of a power system to launch attacks by injecting false data to the monitoring center, which can legitimately pass the data integrity check used in current power systems.
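As an added illustration (not from the chapter or from Liu et al.'s paper), the following Python code builds a constructed three-bus DC state estimator with the usual residual-based bad data check and shows the gap the paragraph describes: a measurement corruption that is inconsistent with the grid model is flagged, while one that matches the model's own structure passes the check and silently shifts the estimate. The bus model, susceptances, noise vector, and threshold are all assumed values for this example.

```python
"""DC state estimation with a residual-based bad data check, and why a
corruption consistent with the grid model passes it (the effect described
for false data injection attacks). All values are constructed."""


def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting (A square)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x


def matvec(H, x):
    return [sum(h * xi for h, xi in zip(row, x)) for row in H]


def estimate(H, z):
    """Least-squares state estimate: solve the normal equations (H^T H) x = H^T z."""
    m, n = len(H), len(H[0])
    HtH = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    Htz = [sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(HtH, Htz)


def residual_norm(H, z):
    """||z - H x_hat||, the quantity a bad data detector compares with a threshold."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, estimate(H, z)))]
    return sum(ri * ri for ri in r) ** 0.5


def bad_data_detected(H, z, tau):
    return residual_norm(H, z) > tau


# Constructed 3-bus DC model: bus 1 is the angle reference, every line has
# susceptance 10 p.u. State x = [theta_2, theta_3]; measurement vector
# z = [P12, P13, P23, P2, P3] (three line flows, two net injections).
H = [
    [-10.0, 0.0],    # P12 = 10 * (theta_1 - theta_2), theta_1 = 0
    [0.0, -10.0],    # P13
    [10.0, -10.0],   # P23
    [20.0, -10.0],   # injection at bus 2 = P21 + P23
    [-10.0, 20.0],   # injection at bus 3 = P31 + P32
]
TRUE_X = [-0.05, -0.08]                      # assumed true bus angles (rad)
NOISE = [0.01, -0.01, 0.005, 0.0, -0.005]    # constructed small meter noise
TAU = 0.05                                   # assumed detection threshold


def measurements():
    """Noisy but honest measurement vector for the constructed system."""
    return [zi + ei for zi, ei in zip(matvec(H, TRUE_X), NOISE)]


def add(z, a):
    return [zi + ai for zi, ai in zip(z, a)]


def unstructured_corruption():
    """One meter (P12) reads 0.5 p.u. too high; inconsistent with the model,
    so the residual grows and the detector fires."""
    return [0.5, 0.0, 0.0, 0.0, 0.0]


def model_consistent_corruption(c):
    """Corruption a = H c: exactly what the meters would show if the state had
    changed by c. The residual is unchanged, so the detector stays silent and
    the estimate is shifted by c. Defending against it means protecting the
    integrity of the measurements themselves (authentication of meter data),
    not relying on the residual test alone."""
    return matvec(H, c)
```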

6.2.4 Authentication

Authentication is concerned with determination of the true identity of a communication system participant and mapping of this identity to a system-internal principal (e.g., a valid user account) by which this user is known to the system. Most other security objectives, most notably authorization, distinguish between legitimate and illegitimate users based on authentication.

6.2.5 Authorization

Authorization, also known as access control, is concerned with preventing access to the system by persons or systems without permission to do so. In the wider sense, authorization refers to the mechanism that distinguishes between legitimate and illegitimate users for all other security objectives (e.g., confidentiality, integrity, etc.). In the narrower sense of access control, it refers to restricting the ability to issue commands to the plant control system. Violation of authorization may cause safety issues.

6.2.6 Auditability

Auditability is concerned with being able to reconstruct the complete history of the system behavior from historical records of all (relevant) actions executed on it. This security objective is mostly relevant to discover and find reasons for malfunctions in the system after the fact and to establish the scope of the malfunction or the consequences of a security incident. Note that auditability without authentication may serve diagnostic purposes but does not provide accountability.

6.2.7 Nonrepudiability

Nonrepudiability refers to being able to provide irrefutable proof to a third party regarding who initiated a certain action in the system, even if this actor is not cooperating. This security objective is relevant to establish accountability and liability. In the context of smart grid systems, this is most important in reference to regulatory requirements. Violation of this security requirement typically has legal/commercial consequences.

6.2.8 Third-Party Protection

Third-party protection refers to averting damage done to third parties via the communication systems, that is, damage that does not involve safety hazards of the controlled plant itself. The successfully attacked and subverted automation system could be used for various attacks on the communication systems or data or users of external third parties (e.g., via distributed DoS [DDoS]) or worm attacks. Consequences could reach from a damaged reputation of a smart grid system owner to legal liability for the damages of the third party. The risk to third parties through possible safety-relevant failures of the plant arising out of attacks against the plant automation system is covered by other security objectives, most notably authorization/access control.

6.2.9 Trust

The new designs of future smart grid communication systems form a multilayer architecture. The growth of smart grid systems has resulted in a multitude of power system-related software applications, developed in many different programming languages and platforms. Extending old applications or developing new ones usually involves integrating legacy systems. Therefore, approaching the security of future smart grid communication networks cannot be done with a completely new start.

A complete and monolithic cybersecurity infrastructure, developed in parallel to the smart grid communication systems, is not a viable option. Instead, a multilayer architecture, advanced control methodologies, and a dependable software infrastructure as well as device protection mechanisms and hardware-monitoring anchors have to be specified at the same time. Advanced control approaches have to include predictive and self-adaptive intelligence at the higher level and cross-layer mapping to the different technical layers. The dependable software infrastructures have to be designed to identify and isolate higher-layer independent applications as well as to secure cross-layer communications. Such an architecture should have the flexibility of incorporating parts of existing infrastructure together with the frontiers and interfaces to adjacent systems. Furthermore, the architecture needs the flexibility to interchange or update parts of the system in a secure way at a later stage due to new laws and regulations or new developments in the energy market [29].

6.3 Cybersecurity Challenges

There are many cybersecurity challenges for a secure smart grid communication system. The major challenges in building and operating a secure smart grid communication system include internetworking, security policy and operations, security services, and others.

6.3.1 Internetworking

The interconnected smart grid communication systems are riddled with vulnerabilities that vary across the networks due to the lack of built-in security in many applications and devices. This should not be the model for a network as important as the smart grid. Layers of defense should be built into the solution to minimize the threats from interruption, interception, modification, and fabrication.

Keeping the network private (i.e., with all transport facilities wholly owned by a utility) would greatly minimize the threats from intruders as there would be no potential for access from intruders over the Internet. But, having a completely separate network is not feasible in today's highly connected world. It makes good business sense to reuse communication facilities, such as the Internet. A minimally secured smart grid connected to the Internet, as commonly found with commercial networks, opens the grid to threats from multiple types of attacks. These include cyberattacks from hostile groups looking to cause an interruption to the power supply [19,30].

One of these cyberattacks is worm infestations, which have proven to negatively impact critical network infrastructures. Such threats have largely been the result of leaving a network vulnerable to threats from the Internet. For example, there have been DoS attacks on a single network that disrupted all directory name servers, thus prohibiting users from connecting to any of the resources. It demonstrates the fragility of an interconnected smart grid communication infrastructure [31].

All connections to the Internet from a smart grid network need to be highly secure. Intrusion detection is needed not only at the points where a smart grid network connects to the Internet but also at critical points within the network as well as vulnerable wireless interfaces [32].

The components, systems, networks, and architecture are all important to the security design and reliability of the smart grid communication solutions. But, it is inevitable that an incident will occur at some point, and one must be prepared with the proper incident response plan. This can vary between commercial providers and private utility networks. A private utility network is likely to provide better consistency of the incident response plan in the event of a security incident, assuming the private network is built on a standardized framework of hardware and software. The speed of the response decreases exponentially as the number of parties involved increases. Conversely, a private network would ideally depend on fewer parties; therefore, a more efficient incident response process would provide for more rapid response and resolution. The rapidity of the response is critical during situations that involve a blackout [33].

The criticality of a device or a system also determines how prone it will be to attacks. History has shown that private networks by their inherent nature are less prone to attacks. As a result, a private network is recommended as the best approach when security is paramount [34].

6.3.2 Security Policy and Operations

The reliability of a smart grid depends on the proper operation of many components and the proper connectivity between them [35]. To disrupt a smart grid system, an attacker might attempt to gain electronic access to a component and misconfigure it or to impersonate another component and report a false condition or alarm. One of the simplest types of attacks that an adversary might attempt is the DoS attack: The adversary prevents authorized devices from communicating by consuming excessive resources on one device. For example, it is a well-known issue that if a node, such as a server or an access control device, uses a protocol that commits resources before authentication and authorization are complete, then the node may be subject to DoS attacks. Smart grid protocol designers must ensure that proper care and attention are given to this threat during protocol development.

Many organizations will be involved in the operations of a smart grid. As additional distributed intelligence is added to the network, it will be essential that entities (people or devices) can authenticate and determine the authorization status of other entities from a remote organization. This issue is commonly referred to as federated identity management. There are many possible technical solutions to this issue, such as those offered by Security Assertion Markup Language (SAML) [36], Web Services Trust (WS-Trust) [37], and PKI [38]. Not only will vendors need to offer consistent technical solutions, but also organizations will further need consistent security policies. Great care must be taken by organizations to ensure their security policies and practices are not in conflict with those of other organizations with which they will need interoperability. At least a minimum set of operational security policies for the organizations operating a smart grid is formally adopted and documented in industry standards [39].

6.3.3 Security Services

Managing and maintaining a secure smart grid will be equally as vital as developing, deploying, and integrating a secure smart grid solution. Security services will help network operators identify, control, and manage security risks in smart grid communications. According to EPRI, every aspect of a smart grid must be secure [6]. Cybersecurity technologies are not enough to achieve secure operations without policies, ongoing risk assessment, and training. The development of these human-focused procedures takes time and needs to take time to ensure that they are done correctly. A smart grid requires access to cost-effective, high-performance security services, including expertise in mobility, security, and system integration. These security services can be tailored per utility to best fit their needs and help them achieve their organizational objectives. Figure 6.2 illustrates a typical set of security services in smart grid communications [40].

6.4 Conclusions

In this chapter, we discussed the background and requirements as well as challenges for smart grid communication security. As a critical infrastructure, the smart grid requires comprehensive solutions for cybersecurity. A comprehensive communication architecture with security built in from the very beginning is necessary. A smart grid communication security solution requires a holistic approach, including traditional schemes such as PKI technology, trusted computing elements, and authentication mechanisms based on industry standards. Clearly, securing the smart grid communication infrastructure will require the use of standards-based state-of-the-art security protocols. To achieve the vision put forth, there are many steps that need to be taken. Primary among them is the need for a cohesive set of requirements and standards for smart grid security. Industry and other participants should continue the work that has begun under the direction of NIST to accomplish these foundational steps quickly. However, the proper attention must be paid to creating the requirements and standards as they will be utilized for many years, given the life cycle of utility components.

[Figure 6.2: the security services Security Assessment, Security Policy, Incident Response Planning, Managed Security, Secure Design and Implementation, and Risk Management, arranged around the dimensions People, Process, Policy, and Technology.]

Figure 6.2 Smart grid security services. (From A. R. Metke and R. L. Ekl, in Innovative Smart Grid Technologies (ISGT 2010), pp. 1–7, Gaithersburg, MD, March 2010. With permission from IEEE.)

References

1. C. H. Hauser, D. E. Bakken, and A. Bose, A failure to communicate—next generation communication requirements, technologies, and architecture for electrical power grid, IEEE Power and Energy Magazine, pp. 47–55, March–April 2005.

2. S. Hong and M. Lee, Challenges and direction toward secure communication in the SCADA system, in 2010 Eighth Annual Communication Networks and Services Research Conference (CNSR), pp. 381–386, Montreal, May 2010.

3. L. Wenpeng, D. Sharp, and S. Lancashire, Smart grid communication network capacity planning for power utilities, in 2010 IEEE PES Transmission and Distribution Conference and Exposition, pp. 1–4, New Orleans, LA, April 2010.

4. E. Liu, M. L. Chan, C. W. Huang, N. C. Wang, and C. N. Lu, Electricity grid operation and planning related benefits of advanced metering infrastructure, in CRIS 2010, pp. 1–5, 2010.

5. P. P. Parikh, M. G. Kanabar, and T. S. Sidhu, Opportunities and challenges of wireless communication technologies for smart grid applications, in IEEE Power and Energy Society General Meeting, pp. 1–7, 2010.

6. A. R. Metke and R. L. Ekl, Security technology for smart grid networks, IEEE Transactions on Smart Grid, vol. 1, pp. 99–107, 2010.

7. National Institute of Standards and Technology, Report to NIST on Smart Grid Interoperability Standards Roadmap EPRI, June 17, 2009. Available at http://www.nist.gov/smartgrid/interimsmartGridroadmapnistrestructure.pdf

8. Z. Tao, L. Weimin, W. Yufei, D. Song, S. Congcong, and C. Lu, The design of information security protection framework to support smart grid, POWERCON 2010, pp. 1–5, 2010.

9. National Institute of Standards and Technology, Draft Smart Grid Cyber Security Strategy and Requirements, NIST IR 7628, September 2009. Available at http://csrc.nist.gov/publications/drafts/nistir-7628/draft-nistir-7628.pdf

10. S. Widergren, A. Levinson, J. Mater, and R. Drummond, Smart grid interoperability maturity model, in 2010 IEEE Power and Energy Society General Meeting, pp. 1–6, 2010.

11. S. Rohjans, M. Uslar, R. Bleiker, J. Gonzalez, M. Specht, T. Suding, and T. Weidelt, Survey of smart grid standardization studies and recommendations, in IEEE SmartGridComm 2010, pp. 583–588, 2010.

12. National Institute of Standards and Technology, Announcing the Advanced Encryption Standard (AES), in Federal Information Processing Standards Publication 197, NIST, Gaithersburg, MD, November 26, 2001.

13. National Institute of Standards and Technology, Data Encryption Standard, Federal Information Processing Standards (FIPS) Publication 46-7, NIST, Gaithersburg, MD, 1999.

14. Institute of Electrical and Electronics Engineers, IEEE Standard 802.11i, IEEE Standard for Information Technology—Telecommunications and Information Exchange Between Systems—Local and Metropolitan Area Networks—Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 6: Medium Access Control (MAC) Security Enhancements, pp. 1–175, IEEE, New York, 2004.

15. Institute of Electrical and Electronics Engineers, IEEE Standard 802.16e, IEEE Standard for Local and Metropolitan Area Networks Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems Amendment 2: Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands and Corrigendum 1, pp. 1–822, IEEE, New York, 2006.

16. A. Bendahmane, M. Essaaidi, A. El Moussaoui, and A. Younes, Grid computing security mechanisms: State-of-the-art, in International Conference on Multimedia Computing and Systems (ICMCS '09), pp. 535–540, 2009.

17. Y. Yan, Y. Qian, H. Sharif, and D. Tipper, IEEE Communications Surveys and Tutorials, vol. 14(4), pp. 998–1010, 2012.

18. D. Dzung, M. Naedele, T. P. von Hoff, and M. Crevatin, Security for industrial communication systems, Proceedings of the IEEE, vol. 93, pp. 1152–1177, 2005.

19. P. McDaniel and S. McLaughlin, Security and privacy challenges in the smart grid, IEEE Security and Privacy, vol. 7, pp. 75–77, 2009.

20. K. Allan, Power to the people [power energy saving], Engineering and Technology, vol. 4, pp. 46–49, 2009.

21. T. S. Sidhu and Y. Yin, Modelling and simulation for performance evaluation of IEC 61850-based substation communication systems, IEEE Transactions on Power Delivery, vol. 22, no. 3, pp. 1482–1489, July 2007.

22. C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, Analysis of a denial of service attack on TCP, in Proceedings of IEEE Symposium on Security and Privacy (S&P 1997), May 1997.

23. A. Yaar, A. Perrig, and D. Song, Pi: A path identification mechanism to defend against DDoS attacks, in Proceedings of IEEE Symposium on Security and Privacy (S&P 2003), 2003.

24. J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39–53, 2004.

25. M. Strasser, S. Capkun, C. Popper, and M. Cagalj, Jamming-resistant key establishment using uncoordinated frequency hopping, in Proceedings of IEEE Symposium on Security and Privacy (S&P 2008), pp. 64–78, May 2008.

26. C. Popper, M. Strasser, and S. Capkun, Jamming-resistant broadcast communication without shared keys, in Proceedings of the 18th USENIX Security Symposium (Security 09), August 2009.

27. Y. Liu, P. Ning, H. Dai, and A. Liu, Randomized differential DSSS: Jamming-resistant wireless broadcast communication, in Proceedings of the 29th IEEE Conference on Computer Communications (INFOCOM 10), March 2010.

28. Y. Liu, P. Ning, and M. Reiter, False data injection attacks against state estimation in electric power grids, in Proceedings of ACM Conference on Computer and Communications Security (CCS 09), September 2009.

29. N. Kuntze, C. Rudolph, M. Cupelli, J. Liu, and A. Monti, Trust infrastructures for future energy networks, in IEEE Power and Energy Society General Meeting 2010, pp. 1–7, 2010.

30. L. Husheng, M. Rukun, L. Lifeng, and R. C. Qiu, Compressed meter reading for delay-sensitive and secure load report in smart grid, in IEEE SmartGridComm 2010, pp. 114–119, 2010.

31. G. Carl, G. Kesidis, R. R. Brooks, and R. Suresh, Denial-of-service attack-detection techniques, IEEE Internet Computing, vol. 10, pp. 82–89, 2006.

32. S. Kent, On the trail of intrusions into information systems, IEEE Spectrum, vol. 37, pp. 52–56, 2000.

33. C. W. Ten, G. Manimaran, and C. C. Liu, Cybersecurity for critical infrastructures: Attack and defense modeling, IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, vol. 40, no. 4, pp. 853–865, July 2010.

34. W. Dong, L. Yan, M. Jafari, P. Skare, and K. Rohde, An integrated security system of protecting smart grid against cyber attacks, in Innovative Smart Grid Technologies (ISGT 2010), pp. 1–7, 2010.

35. M. Jensen, C. Sel, U. Franke, H. Holm, and L. Nordstrom, Availability of a SCADA/OMS/DMS system—a case study, in IEEE Innovative Smart Grid Technologies Conference Europe (ISGT Europe 2010), pp. 1–8, 2010.

36. T. Komura, Y. Nagai, S. Hashimoto, M. Aoyagi, and K. Takahashi, Proposal of delegation using electronic certificates on single sign-on system with SAML-Protocol, in Ninth Annual International Symposium on Applications and the Internet (SAINT '09), pp. 235–238, 2009.

37. C. Yongkai and T. Shaohua, Security scheme for cross-domain grid: Integrating WS-Trust and grid security mechanism, in International Conference on Computational Intelligence and Security (CIS '08), pp. 453–457, 2008.

38. R. Perlman, An overview of PKI trust models, IEEE Network, vol. 13, pp. 38–43, 1999.

39. R. J. Thomas, Putting an action plan in place, IEEE Power and Energy Magazine, vol. 7, pp. 26–31, 2009.

40. A. R. Metke and R. L. Ekl, Smart grid security technology, in Innovative Smart Grid Technologies (ISGT 2010), pp. 1–7, Gaithersburg, MD, March 2010.

7 Regulations and Standards Relevant for Security of the Smart Grid

Steffen Fries and Hans-Joachim Hof

Contents

7.1 Introduction 206
7.2 Standardization 206
7.2.1 International Organization for Standardization/International Electrotechnical Commission 207
7.2.2 ISO/IEC 27000 Series 207
7.2.3 IEC Smart Grid Strategic Group 207
7.2.4 ISO/IEC 62351-1 to 11 208
7.2.5 ISO/IEC 62443 213
7.2.6 International Society of Automation 213
7.2.7 Institute of Electrical and Electronics Engineers 213
7.2.8 International Council on Large Electronic Systems 214
7.2.9 Security for Information Systems and Intranets in the Electric Power System 214
7.2.10 Treatment of Information Security for Electric Power Utilities 215
7.2.11 North American Electric Reliability Corporation 215
7.2.12 Internet Engineering Task Force 216
7.3 National Regulations 218
7.3.1 National Institute of Standards and Technology 218
7.3.2 Special Publication 800-53 218
7.3.3 Special Publication 800-82 218
7.3.4 Special Publication 1108 219
7.3.5 NISTIR 7628 219
7.3.6 U.S. Department of Homeland Security 219
7.3.7 Bundesverband für Energie- und Wasserwirtschaft—BDEW (Germany) 219
7.3.8 European Union's Task Force Smart Grid 220
7.3.9 Results from the European Smart Grid Coordination Group 220
7.4 Summary 222
References 224

Cyberattacks on critical infrastructures are increasingly becoming a threat to societies around the world. Hence, governments and standardization organizations are defining and improving their regulation and standards framework for one of the most important critical infrastructures: the smart grid. This chapter gives an overview of regulations and standards relevant to the smart grid as well as ongoing activities and standardization bodies.

7.1 Introduction

Today, the power market and the operation of power systems in general are strongly influenced by a large number of regulations and standards. Recently, many of these standards have also addressed information technology (IT) security as an important aspect of the protection of critical infrastructures. This chapter gives a (surely incomplete) overview of relevant regulation and standardization activities related to security of the smart grid. For a survey of proposed standardization activities related to the smart grid in general, the reader is referred to the International Electrotechnical Commission (IEC) and National Institute of Standards and Technology (NIST) activities defining standardization roadmaps (the respective documents are referenced). Parts of this chapter have been taken from Fries and Hof [1] and the IEC [2].

7.2 Standardization

The following sections provide a rough overview of the most important security-related standardization and regulation activities with respect to security for the smart grid. References to the original documents or further information are provided.

207 Regulations and Standards

7.2.1 International Organization for Standardization/International Electrotechnical Commission

The International Organization for Standardization (ISO) and the IEC are cooperating standardization bodies. The ISO provides international standards that target technical and organizational means in several application domains. The IEC develops international standards for all electrical, electronic, and related technologies. To deal with overlap between ISO and IEC, both standardization organizations cooperate in so-called joint technical committees.

7.2.2 ISO/IEC 27000 Series

The standard "Information Technology—Security Techniques—Information Security Management Systems" consists of different parts. ISO/IEC 27001 [3] specifies information security management requirements. The requirements are suited for use in certification. ISO/IEC 27002 [4] provides the code of practice for information security management and establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. ISO/IEC 27002 provides generic guidelines, which can be mapped to specific domains. This allows addressing specialties for the targeted application domain. One example is ISO 27011, targeting the mapping of ISO 27002 to the domain of telecommunication. A further example is provided by the German Deutsches Institut für Normung (DIN), which developed the DIN SPEC 27009 [5] (cf. Information Security Management Guidelines for Process Control Systems Used in the Energy Utility Industry on the Basis of ISO/IEC 27002), mapping ISO 27002 guidelines and principles to the electric utility domain. This national specification has been submitted to the ISO for adopting the work to provide it as an international standard. This document is currently under evaluation, aiming at ISO 27019.

7.2.3 IEC Smart Grid Strategic Group

The IEC Smart Grid Strategic Group (SG3) has issued the Smart Grid Standardization Roadmap report (SMB/4175/R) [6], which encompasses requirements, status, and recommendations of standards relevant for the smart grid. A separate section of the Smart Grid Standardization Roadmap covers security-related topics. The report requests an overall security architecture coping with the complexity of smart grids. In addition, the following are recommendations pertaining to open items and necessary enhancements:

• A specification of a dedicated set of security controls (e.g., perimeter security, access control)

• A defined compartmentalization of smart grid applications (domains) based on clear network segmentation and functional zones

• A specification comprising identity establishment (based on trust levels) and identity management

• The necessity to consider security of the legacy components within standardization

• The harmonization with the IEC 62443 standard to achieve common industrial security standards

• Review, adapt, and enhance existing standards to support general and ubiquitous security across wired and wireless connections

7.2.4 ISO/IEC 62351-1 to 11

ISO/IEC 62351 [7,8] is owned by the IEC Technical Committee 57 Working Group 15 (ISO/IEC TC57 WG15). Its scope is data and communication security for power system management and the associated information exchange between entities of the power system. ISO/IEC 62351 is used to establish and ensure end-to-end security. It is applied to protocols like IEC 61850, IEC 60870-x (energy automation), and ICCP (TASE.2, control center communication).

The standard has eight parts, each in a different state of completion. Further parts may be added in the future if necessary. The latest part targets the management of security credentials. Table 7.1 gives an overview of the parts of ISO/IEC 62351 and the current state of the standardization.

The first part of ISO/IEC 62351 introduces the standards and provides an overview. It addresses the security services needed in the power domain. Part 2 provides the terminology used throughout the standard. Parts 3 to 8 are directly related to dedicated protocols typically used in energy automation, in particular ISO/IEC 61850 (IEC 62351-6) and ISO/IEC 60870-5-x (IEC 62351-5) as well as the mapping of those protocols to lower-layer protocols like the Transmission Control Protocol/Internet Protocol (TCP/IP) (IEC 62351-3) and Manufacturing Message Specification (MMS) (IEC 62351-4). The standard also addresses the mapping of security to the network management in Part 7. For securing end-to-end communication, a broad range of cryptographic algorithms is used, including symmetric and asymmetric cryptographic algorithms to secure payloads and communication links. ISO/IEC 62351 does not try to reinvent the wheel. Hence, it uses well-known and widely used security protocols like TLS (Transport Layer Security). TLS offers security services like mutual authentication of communication peers as well as confidentiality and integrity protection of transmitted data. Among other attacks, this avoids man-in-the-middle attacks.

Part 3 of ISO/IEC 62351 defines security services for TCP/IP-based energy automation communication, including the specification of cipher suites (the allowed combination of encryption, authentication, and integrity protection algorithms) and requirements on certificates to be used for TLS. The definition of security services pays attention to characteristics of energy automation communication. For example, the definition of certificate revocation procedures is focused on the handling of CRLs (certificate revocation lists); online validation of certificates (e.g., using the OCSP, Online Certificate Status Protocol) is not currently considered in Edition 1 as communication links are severely limited in substations. Another characteristic of energy automation communication are long-lived connections. This requires the definition of strict key update and CRL update intervals to restrict the application of cryptographic keys not only for a dedicated number of packets but also for a dedicated time. Another challenge to consider is the interoperability requirements between the implementations of the products of different vendors. Nevertheless, TLS as underlying security protocol has evolved over time. Meanwhile its application is being recommended in substation automation. This drives the development of an Edition 2 of Part 3, which is currently under review. Edition 2 allows for using OCSP for certificate revocation as well as to better instrument TLS capabilities to cope with the target environment. Support of session resumption is just one example.

Table 7.1 Parts and Associated Standardization Status of the ISO/IEC 62351 Standard

IEC 62351   Definition of security services for                        Standardization status
Part 1      Introduction and overview                                  Technical specification
Part 2      Glossary of terms                                          Technical specification
Part 3      Profiles including TCP/IP                                  Technical specification
Part 4      Profiles including MMS                                     Technical specification
Part 5      Security for IEC 60870-5 and derivatives                   Technical specification
Part 6      Security for IEC 61850                                     Technical specification
Part 7      Network and system management (NSM) data object models     Technical specification
Part 8      Role-based access control for power systems management     Technical specification
Part 9      Credential management                                      Work in progress
Part 10     Security architecture guidelines                           Technical report
Part 11     XML file security                                          New work item proposal

Part 4 of IEC 62351 specifies procedures, protocol enhancements, and algorithms targeting the increase of security of messages transmitted over MMS. MMS is an international standard (ISO 9506) dealing with a messaging system for transferring real-time process data and supervisory control information either between networked devices or in communication with computer applications. Part 4 of IEC 62351 defines procedures on the transport layer, based on TLS, as well as on the application layer to protect the communicated information.

Part 5 of IEC 62351 defines additional security measures for serial communication. In particular, keyed hashes are used to protect the integrity of the data sent over a serial interface employing a symmetric key. This part also defines distinct key management for the use of keyed hashes. An Edition 2 is expected soon, handling the update of update keys for the symmetric keys.

Part 6 of IEC 62351 defines security for IEC 61850 peer-to-peer profiles. It covers the profiles in IEC 61850 that are not based on TCP/IP for the communication of GOOSEs (Generic Object Oriented Substation Events) and SVs (Sampled Values) using, for example, plain Ethernet. This type of communication often uses multicast communication; each field device decides based on the message type and sender whether it processes the message. The security defined in Part 6 uses digital signatures on the message level to protect the integrity of the messages. This approach is compatible with the use of multicast but requires a lot of computational power. Especially, the number of packets to be processed can be high. At a sample rate of 80 samples per power cycle, there are up to 4,000 packets per second for the common frequency of 50 Hz. Field devices used are typically not built to handle 4,000 signatures per second for generation or for verification. Hence, an Edition 2 is targeted addressing this shortcoming. In the future, it is likely to use a group-based approach. Here, a group shares a symmetric key that is applied in the calculation of an integrity check value using keyed hash functions like AES-GMAC (Advanced Encryption Standard-Galois Message Authentication Code) or HMAC-SHA256 (Hash-based Message Authentication Code-Secure Hash Algorithm with key length 256). Digital signatures in this approach are only used to authenticate toward the key server distributing the group key.
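The following Python example is added here (it is not from the chapter or from the standard) to make the mechanisms described for Parts 3, 5, and 6 concrete: a symmetric group key protects multicast frames with HMAC-SHA256 as the keyed hash, the key is retired after a packet-count or time limit in the spirit of the key update intervals Part 3 requires, and the subscriber rejects modified and replayed frames. The frame layout, the sequence-number check, and the limit values are assumptions of this example, not figures from IEC 62351.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32                 # HMAC-SHA256 tag length in bytes
HDR = struct.Struct(">HI")   # constructed header: key id (16 bit), sequence number (32 bit)


class KeyExpired(Exception):
    """The group key has reached its packet-count or age limit and must be replaced."""


class GroupKey:
    """Symmetric group key with the two lifetime limits the text describes:
    a maximum number of protected packets and a maximum time in service.
    The limit values are assumptions, not figures from the standard."""

    def __init__(self, secret, key_id, installed_at, max_packets, max_age_s):
        self.secret = secret
        self.key_id = key_id
        self.installed_at = installed_at   # seconds on any monotonic clock
        self.max_packets = max_packets
        self.max_age_s = max_age_s
        self.packets = 0                   # packets protected so far under this key

    def too_old(self, now):
        return now - self.installed_at >= self.max_age_s

    def exhausted(self, now):
        return self.packets >= self.max_packets or self.too_old(now)


def protect(gk, seq, payload, now):
    """Publisher side: frame = header || payload || HMAC-SHA256(key, header || payload).
    The header is covered by the tag, so key id and sequence number cannot be altered
    without invalidating the frame."""
    if gk.exhausted(now):
        raise KeyExpired("rekey before publishing further messages")
    header = HDR.pack(gk.key_id, seq)
    tag = hmac.new(gk.secret, header + payload, hashlib.sha256).digest()
    gk.packets += 1
    return header + payload + tag


class Subscriber:
    """Field device side: verifies the tag, checks that the key is still within its
    time limit, and rejects replayed or out-of-order frames via the sequence number."""

    def __init__(self, gk):
        self.gk = gk
        self.last_seq = -1

    def accept(self, frame, now):
        """Return the payload if the frame is authentic and fresh, otherwise None."""
        if len(frame) < HDR.size + MAC_LEN:
            return None
        header, payload, tag = frame[:HDR.size], frame[HDR.size:-MAC_LEN], frame[-MAC_LEN:]
        key_id, seq = HDR.unpack(header)
        if key_id != self.gk.key_id or self.gk.too_old(now):
            return None                    # unknown key, or key past its time limit
        expected = hmac.new(self.gk.secret, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                    # modified in transit (or wrong key)
        if seq <= self.last_seq:
            return None                    # replayed or reordered frame
        self.last_seq = seq
        return payload
```

Computing one HMAC per frame is what makes the group-key approach affordable at the 4,000 frames per second the text quotes, at the cost of trusting every key holder equally; the packet-count limit bounds how long one key stays in use at that rate.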

Part 7 describes security-related data objects for end-to-end network and system management (NSM) and security problem detection. These data objects support the secure control of dedicated parts of the energy automation network. Part 7 can help to implement or extend intrusion detection systems for power system-specific objects and devices.

Part 8 supports role-based access control in terms of three profiles. Each of the profiles uses its own type of credential: identity certificates with role enhancements, attribute certificates, and software tokens. Role-based access control is necessary to support authorization in protection systems and in control center applications. Moreover, it supports stringent traceability. One usage example is the verification of who has authorized and performed a dedicated switching command.

Part 9 is a work in progress targeting the definition of key management supporting power system architectures in general and IEC 62351 specifically. It shall cover all key management-related parts of IEC 62351, helping to reuse key management options as much as possible, also in future parts to be defined.

Part 10 targets a technical report rather than a technical specification and provides an overview considering security for power system architectures. It motivates the incorporation of security right from the beginning and suggests certain security controls. The document is intended to foster the adoption of security and thus does not provide a complete architecture but architecture elements. Moreover, it references several other documents providing comprehensive insight, like the NIST documents referenced previously.

Part 11 is currently a New Work Item Proposal targeting security for XML (eXtensible Markup Language) files. The goal of this part is the marking of information in messages and local data according to its sensitivity. This is necessary to allow a receiver of certain information to act on the information accordingly. This becomes especially evident if a receiver transforms and stores the information, which may later be queried by other applications.

A first glimpse at the current IEC 62351 parts shows that many of the technical security requirements to be applied to energy automation components and systems can be directly derived from the standard. For instance, Parts 3 and 4 explicitly require the usage of TLS. They define cipher suites that are to be supported as mandatory. These parts also define recommended cipher suites and deprecate cipher suites that shall not be applied from the IEC 62351 point of view. Note that the mandatory cipher suites do not coincide with the cipher suites the different TLS versions (1.0, Request for Comments [RFC] 2246; 1.1, RFC 4346; 1.2, RFC 5246) state as mandatory; an implementation should therefore configure its TLS stack explicitly with the IEC 62351 suite lists rather than rely on the library defaults derived from the TLS RFCs. IEC 62351 Edition 1 standards always reference TLS version 1.0 to better address backward compatibility.

Analyzing the standard more deeply shows that several requirements are provided rather implicitly. These requirements are mostly related to the overall key management, which guarantees a smooth operation of the security mechanisms. IEC 62351 makes heavy use of certificates and associated private keys (e.g., when using TLS or GOOSE). However, key management is unspecified. Key management includes generation, provisioning, revocation, and initial distribution of keys and certificates to all related entities. It has been noticed that standardized key management is necessary for general operation as well as for the interoperability of the products of different vendors. This has been acknowledged and was the main reason to start working on Part 9 as described.

Besides standard enhancements, which have become necessary through findings during the implementation of IEC 62351, new scenarios may also require the further evolution of already existing or new parts of the standard to better cope with new use cases.


7.2.5 ISO/IEC 62443

IEC TC 65 WG 10 is currently standardizing ISO/IEC 62443,9 targeting network and system security in industrial communication networks. ISO/IEC 62443 is a joint approach together with International Society of Automation (ISA) 99 (see the next section); that is, ISA 99 documents will be submitted to the IEC voting process. The standard has different parts, which are in different states of completeness. IEC 62443-1-1 (Terminology and Concepts), IEC 62443-2-1 (Establishment of an Industrial Automation and Control System [IACS] Security Program), and IEC 62443-3-1 (Security Technologies for IACS) are currently available as standards. Work is ongoing on further parts addressing the definition of security levels, certification requirements, and the mapping of ISO 27002 to the industrial automation domain.

7.2.6 International Society of Automation

The ISA is a nonprofit society in the field of industrial automation. Besides other duties, ISA is an important standardization body in the context of automation.

ISA-99 defines a framework addressing "security for industrial automation and control systems."10 This broad topic also includes energy automation. The framework covers processes for establishing an industrial automation and control system security program based on risk analysis, establishing awareness and countermeasures, and monitoring and cybersecurity management systems. It describes several categories of security technologies and the types of products available in those categories, along with preliminary recommendations and guidance for using those security technologies. The standard consists of several subparts, which are in different states of completion.

7.2.7 Institute of Electrical and Electronics Engineers

The IEEE standard IEEE 1686-2007: Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities11 defines mandatory functions and features to accommodate critical infrastructure protection programs. It covers security in terms of access, operation, configuration, firmware revision, and data retrieval from IEDs. Encryption for the secure transmission of data, both within and external to the substation, is not part of this standard.

Also applicable in the power system domain are the IEEE 802 standards:

• IEEE 802.1X: Port Based Network Access Control specifies port-based access control, allowing restrictive access decisions to networks based on dedicated credentials. It defines the encapsulation of the EAP (Extensible Authentication Protocol) over IEEE 802, also known as EAP over local-area network (LAN) or EAPOL. The specification also includes key management (the MACsec Key Agreement protocol), which was originally developed as the separate project IEEE 802.1af and folded into IEEE 802.1X-2010.

• IEEE 802.1AE: MAC (Media Access Control) Security, commonly known as MACsec, specifies security functionality in terms of connectionless data confidentiality and integrity for media access-independent protocols. It specifies a security frame format similar to Ethernet.

• IEEE 802.1AR: Secure Device Identity specifies unique per-device identifiers and the management and cryptographic binding of a device to its identifiers.
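The EAP-over-LAN encapsulation described under IEEE 802.1X above, as an added example that is not code from the book or from the IEEE standard: a small builder and parser for EAPOL frames and the EAP packets they carry, following the EAPOL header (version, type, body length) and the EAP header (code, identifier, length, type) of RFC 3748. The supplicant and authenticator MAC addresses, the identity string and the three-message exchange are constructed for the example; the PAE group address and EtherType are the real values.

```python
"""Build and parse IEEE 802.1X EAPOL frames and the EAP packets inside.

Added example, not from the book or the IEEE 802.1X standard text.  It
decodes the EAP-over-LAN encapsulation the text describes.  The sample
exchange, MAC addresses and identity string are constructed.
"""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X port access entity group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (protocol version 2, as in 802.1X-2004) + body."""
    eth = dst + src + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", 2, eapol_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length, then type + type data for Request/Response."""
    tail = b"" if eap_type is None else struct.pack("!B", eap_type) + data
    return struct.pack("!BBH", code, identifier, 4 + len(tail)) + tail


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet, rejecting inconsistent length fields."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length %d" % length)
    eap = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": identifier}
    if code in (1, 2):                       # Request/Response carry a type byte
        if length < 5:
            raise ValueError("Request/Response without type byte")
        eap["type"] = EAP_TYPES.get(pkt[4], "unknown(%d)" % pkt[4])
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; trailing Ethernet padding beyond the body length is ignored."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame: ethertype 0x%04x" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length %d exceeds frame" % body_len)
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype)}
    if ptype == 0:
        info["eap"] = parse_eap(body)
    return info


def sample_exchange() -> list:
    """Constructed port-authentication start: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity."""
    ied = bytes.fromhex("001122334455")       # constructed supplicant (IED) address
    switch = bytes.fromhex("00aabbccddee")    # constructed authenticator (switch port) address
    frames = [
        build_eapol(PAE_GROUP_ADDRESS, ied, 1),                                  # supplicant
        build_eapol(ied, switch, 0, build_eap(1, 1, 1)),                         # authenticator
        build_eapol(PAE_GROUP_ADDRESS, ied, 0, build_eap(2, 1, 1, b"ied-42")),   # supplicant
    ]
    frames[-1] += b"\x00" * (60 - len(frames[-1]))   # minimum Ethernet frame padding
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for msg in sample_exchange():
        print(msg)
```

The length checks matter in practice: an authenticator that trusts the EAPOL or EAP length field without comparing it to the captured frame will read past the body on a malformed frame, and the parser above raises instead.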

7.2.8 International Council on Large Electric Systems

The International Council on Large Electric Systems (CIGRE) is an international organization covering technical, economic, environmental, organizational, and regulatory aspects of electric power systems. The goals of CIGRE include providing state-of-the-art world practices to engineering personnel and specialists in the field.

7.2.9 Security for Information Systems and Intranets in the Electric Power System

CIGRE published the document Security for Information Systems and Intranets in Electric Power Systems.12 The guideline presents the work of the Joint Working Group D2/B3/C2-01, focusing on the importance of handling information security within an electric utility, dealing with various threats and vulnerabilities, the evolution of power utility information systems from isolated to fully integrated systems, the concept of using security domains for dealing with information security within an electric utility, and the use of the ISO/IEC 17799 standard (predecessor of ISO/IEC 27002).

7.2.10 Treatment of Information Security for Electric Power Utilities

Working Group D2.22 published the document Treatment of Information Security for Electric Power Utilities. The document includes three reports:

• Risk Assessment of Information and Communication Systems13
• Security Frameworks for Electric Power Utilities14
• Security Technologies Guideline15

The three reports provide practical guidelines and experiences for determining security risks in power systems and the development of frameworks, including control system security domains.

7.2.11 North American Electric Reliability Corporation

The mission of the North American Electric Reliability Corporation (NERC) is to ensure the reliability of the bulk power system in North America. To do so, NERC develops and enforces reliability standards and monitors users, owners, and operators for preparedness. NERC is a self-regulatory organization subject to oversight by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada. NERC has established the Critical Infrastructure Protection (CIP) cybersecurity standards CIP-002 through CIP-011, which are defined to provide a foundation of sound security practices across the bulk power system. These standards are not designed to protect the system from specific and imminent threats. They apply to operators of bulk electric systems (BESs; see also North American Electric Reliability Corporation16). The profiles originated in 2006. NERC CIP provides a consistent framework for security control perimeters and access management with incident reporting and recovery for critical cyber assets and covers functional as well as nonfunctional requirements. Table 7.2 provides an overview of the various NERC CIP parts.

The draft standard CIP-011 may not lead to new cybersecurity requirements but provides a new organization of the existing requirements of the existing CIP standards. New is the classification of BESs into the three categories of low-, medium-, and high-impact BES cyber systems and their mapping to security controls. Currently, work is ongoing on version 5 of the set of NERC CIP documents.

Table 7.2 NERC CIP Parts

CIP   Title / Content
002   Critical Cyber Asset Identification: identification and documentation of critical cyber assets using risk-based assessment methodologies
003   Security Management Controls: documentation and implementation of a cybersecurity policy reflecting commitment and ability to secure critical cyber assets
004   Personnel and Training: maintenance and documentation of security awareness programs to ensure personnel knowledge of proven security practices
005   Electronic Security Perimeter(s): identification and protection of electronic security perimeters and their access points surrounding critical cyber assets
006   Physical Security Program: creation and maintenance of physical security controls, including processes, tools, and procedures to monitor perimeter access
007   Systems Security Management: definition and maintenance of methods, procedures, and processes to secure cyber assets within the electronic security perimeter without adversely affecting existing cybersecurity controls
008   Incident Reporting and Response Planning: development and maintenance of a cybersecurity incident response plan that addresses classification, response actions, and reporting
009   Recovery Plans for Critical Cyber Assets: creation and review of recovery plans for critical cyber assets
010   Bulk Electrical System Cyber System Categorization (draft): categorization of BES systems that execute or enable functions essential to reliable operation of the BES into three different classes
011   Bulk Electrical System Cyber System Protection (draft): mapping of security requirements to BES system categories defined in CIP-010

7.2.12 Internet Engineering Task Force

The Internet Engineering Task Force (IETF) develops international standards targeting protocol suites operating on different layers of the Open System Interconnection (OSI) stack. Prominent examples of standards relate to TCP/IP and the IP suite. The IETF also cooperates with other standardization bodies, like the ISO/IEC or the W3C (World Wide Web Consortium). The following RFCs are applicable in the power system domain and are therefore stated here:

• The IETF published RFC 6272, Internet Protocols for the Smart Grid,17 which contains an overview of security considerations and a fairly thorough list of potentially applicable security technology defined by the IETF.

• RFC 3711: Secure Real-Time Transport Protocol (SRTP)18 may be used for securing Voice over Internet Protocol (VoIP) communication, including video conferencing or video surveillance.

• RFC 4301,19 RFC 4302,20 and RFC 430321 are the base standards for IP security (IPsec), providing layer 3 security, typically used for virtual private networks (VPNs) or for remote access. The listed RFCs describe the general architecture as well as the two protocols AH (Authentication Header) and ESP (Encapsulating Security Payload), each usable in transport or tunnel mode.

• RFC 4962: Guidance for Authentication, Authorization, and Accounting (AAA) Key Management22 provides guidance for AAA key management and an architecture allowing centralized control of AAA functionality.

• RFC 5246: Transport Layer Security (TLS)23 provides layer 4 security for TCP/IP-based communication, currently used in IEC 62351. Note that there are several extensions to TLS for additional cipher suites, transmission of additional information like authorizations or OCSP responses, and so on. These extensions are not listed here explicitly.

• RFC 5247: Extensible Authentication Protocol (EAP) Key Management Framework24 provides a key management framework for EAP. Single EAP methods are defined in separate RFCs. EAP is typically used for controlling device (or human) access to networks.

• RFC 6347: Datagram Transport Layer Security (DTLS)25 provides layer 4 security for communication based on the User Datagram Protocol (UDP)/IP. It may be applied in scenarios for which TLS is not applicable.

• RFC 6407: Group Domain of Interpretation (GDOI)26 defines group-based key management, currently used in IEC 61850-90-5.


This list states the most obvious standards to be used but is not limited to them.

7.3 National Regulations

Besides international standardization bodies and activities, many national organizations and activities influence the development of energy automation systems in the respective countries. This section covers national activities in the United States and Germany as well as activities on a European level.

7.3.1 National Institute of Standards and Technology

The NIST is a U.S. federal technology agency that develops and promotes measurement, standards, and technology. The following NIST documents cover security in energy automation systems or can be directly applied to security in the smart grid.

7.3.2 Special Publication 800-53

NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems,27 provides guidelines for selecting and specifying technical and organizational security controls and connected processes for information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standard (FIPS) 200 (Minimum Security Requirements for Federal Information and Information Systems).28 It provides an extensive catalog of security controls and maps these in a dedicated appendix to industrial control systems (ICSs).

7.3.3 Special Publication 800-82

NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security29 covers how to secure ICSs, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations, such as programmable logic controllers (PLCs). It uses NIST SP 800-53 as a basis and provides specific guidance on the application of the security controls in NIST SP 800-53. This publication is an update to the second public draft, which was released in 2007.

7.3.4 Special Publication 1108

NIST SP 1108, NIST Framework and Roadmap for Smart Grid Interoperability Standards,30 describes a high-level conceptual reference model for the smart grid. It lists 75 existing standards applicable or likely to be applicable to the ongoing development of the smart grid. The document also identifies future issues, including 15 high-priority gaps and potential harmonization issues for which new or revised standards and requirements are needed.

7.3.5 NIST IR 7628

NIST IR 762831,32,33 originates from the Smart Grid Interoperability Panel (Cyber Security WG) and targets the development of a comprehensive set of cybersecurity requirements building on NIST SP 1108, also stated previously. The document consists of three subdocuments targeting strategy,31 security architecture and requirements,33 and supportive analyses and references.32

7.3.6 U.S. Department of Homeland Security

The Catalog of Control Systems Security—Recommendations for Standards Developers34 of the U.S. Department of Homeland Security summarizes practices of various industry bodies to increase the security level of control systems against both physical and cyber attacks. The catalog is not limited to energy automation but may also be used for other domains to develop a cybersecurity program.

7.3.7 Bundesverband der Energie- und Wasserwirtschaft—BDEW (Germany)

The German Bundesverband der Energie- und Wasserwirtschaft (BDEW) was founded by the federation of four German energy-related associations: Bundesverband der deutschen Gas- und Wasserwirtschaft (BGW), Verband der Verbundunternehmen und regionalen Energieversorger in Deutschland (VRE), Verband der Netzbetreiber (VDN), and Verband der Elektrizitätswirtschaft (VDEW). The BDEW published a white paper35 defining basic security measures and requirements for IT-based control, automation, and telecommunication systems, taking into account general technical and operational conditions. It can be seen as a further national approach targeting similar goals as NERC CIP. The white paper addresses requirements for vendors and manufacturers of power system management systems and is used as an amendment to tender specifications.

7.3.8 European Union’s Task Force Smart Grid

Within the European Union, a dedicated expert group of the Task Force Smart Grid is currently working on regulatory recommendations for data safety, data handling, and data protection.36 The goal of the task force is the identification and production of a set of regulatory recommendations to ensure EU-wide consistent and fast implementation of smart grids while achieving the expected smart grid services and benefits for all users involved. The goal of the expert group for security is the identification of an appropriate regulatory scenario and recommendations for data handling, security, and consumer protection to establish a data privacy and data security framework that both protects and enables.

7.3.9 Results from the European Smart Grid Coordination Group

The objective of mandate M/49037 is the development or update of a set of consistent standards within a common European framework that will facilitate the implementation of the different high-level smart grid services and functionalities. The Smart Grid Coordination Group (SGCG) was founded in June 2011 to directly address mandate M/490. It is a joint activity of CEN (European Committee for Standardization, http://www.cen.eu), CENELEC (European Committee for Electrotechnical Standardization, http://www.cenelec.eu/), and ETSI (European Telecommunications Standards Institute, www.etsi.org/) that ran for almost 2 years until the end of 2012, resulting in four reports. The activity will be extended for another 2-year period.38 As security is one of the targets of this mandate, a dedicated subgroup, the Smart Grid Information Security (SGIS) group, addresses this topic explicitly.

IT security is closely connected to the architectural model provided by the reference architecture group as the SGAM (Smart Grid Architecture Model). This model is presented as a cube in which use cases can be mapped on zones and domains on different layers, as depicted in Figure 7.1.39

Security applies basically to every interface and component in the SGAM depending on the intended use cases. To provide guidance regarding which security means are to be applied, an analysis of the specific use cases is necessary. This is typically done by performing a threat and risk analysis for a dedicated scenario, targeting the identification of potential vulnerabilities based on the analysis of the considered scenario or use case. Based on this analysis, security requirements can be derived and appropriate countermeasures can be recommended. The security working group has developed a methodology for this approach, which is described in the WG report as the security toolbox.

[Figure 7.1: the SGAM cube. Interoperability layers, top to bottom: Business Layer (business objectives, political/regulatory framework), Function Layer (outline of use case, subfunctions), Information Layer (data model), Communication Layer (protocol), Component Layer. Zones: Market, Enterprise, Operation, Station, Field, Process. Domains: Generation, Transmission, Distribution, DER, Customer Premise.]

Figure 7.1 Smart Grid Architecture Model39 (SGAM, cf. Smart Grid Coordination Group, Joint CEN, CENELEC and ETSI Activity on Standards for Smart Grids, 200938). DER = Distributed Energy Resources.


This is also supported by some other work, which has been done by providing a mapping of security requirements provided by the NIST IR 7628 (see previous discussion) to standards like ISO 27001 or IEC 62351. This mapping has also been done regarding the NERC CIP documents. The goal of this mapping was the identification of gaps, which need to be addressed by the responsible standardization body. There have been explicit comments on IEC 62351 on the technical side and a clear push for the technology covered. Moreover, the German DIN SPEC 27009 (see previous discussion) has been pushed toward internationalization in ISO for the organizational security part in the energy utility industry. Meanwhile, this activity has resulted in ISO TR 27019.

It has been acknowledged that the work of the Smart Grid Coordination Group will not end with the working period on the M/490 mandate. It is expected that there will be a refocusing of the group to address specific issues discovered during the first 2-year runtime.

7.4 Summary

The maturity of selected standards and their applicability is presented in Figure 7.2 as proposed in the European-funded project ESCoRTS (European Network for the Security of Control and Real-Time Systems).40 The figure is intended to provide a better overview for operators and manufacturers regarding which standard influences their business most. The different shades of grey in the figure indicate the targeted audience.

[Figure 7.2: two-dimensional map of selected standards. Horizontal axis: "Details of Operation" (operator side, management aspects) on the left to "Relevance for Manufacturers" (manufacturer side, technical aspects) on the right. Vertical axis: "Completeness" at the bottom to "Design Details" at the top. Columns shaded by audience: IT, industrial automation, energy. Standards placed: ISO 27001/ISO 27002, NIST 800-53, ISA 99, DIN SPEC 27009, NERC CIP, IEC 62351, IEEE P1686, RFC 5246 (TLS), CIGRE D2.22.]

Figure 7.2 Scope and completeness of selected standards (enhanced version of ESCoRTS Project40).

While IEC 62351 addresses the energy sector, more specifically substation automation systems, NERC CIP generally targets energy operators. While ISO 27000 and NIST 800-53 are mainly targeted at IT environments (thus targeted at protecting information), other standards, such as ISA 99 or IEEE P1686, directly address (industrial) automation systems. It should be noted that NIST SP 800-53 Appendix I is explicitly for ICSs, as is NIST SP 800-82.

Standards extending to the right in the x-axis direction in the figure have relevance for manufacturers. Typically, such standards have detailed technical requirements up to the definition of special security protocols, which must be implemented by the manufacturers. In contrast, the more a standard extends to the left of the x axis, the more it is focused on secure operation. NERC CIP, for example, prescribes specific actions for operators to take, thus providing implicit requirements for the manufacturers to support the operators.

Standards extending to the top of the y axis list precise design details and leave little room for interpretation. IEC 62351, for instance, provides design details to such an extent that device interoperability between various manufacturers can be guaranteed.

Standards extending to the bottom of the y axis cover a broad range of various security areas and thus can be consulted to obtain an estimation of the overall security level.

A smart grid information infrastructure can be characterized as a complex, heterogeneous, interconnected system involving different usages, stakeholders, and technologies. This chapter gave an overview of smart grid standardization, regulation, and guideline activities.

Besides the stated activities in Germany and North America, there are further activities, like the road map activities in Asia (especially in Japan and China), addressing smart grid use cases and connected standardization.

Several properties of a smart grid pose challenges for designing a practically deployable and usable security solution for the smart grid. One point is the long lifetime of energy devices compared to the lifetime of IT equipment. Devices once deployed will remain in the field for many years until replacement. A security design has to consider migration aspects to cope with legacy devices, and it has to be designed with the expectation of being adequate for many years. The huge number of heterogeneous devices requires a practical, low-effort or zero-effort management of cryptographic keys and certificates. The diversity of devices, use cases, and stakeholders implies that different kinds of security domains have to be supported within a smart grid. Further challenges are posed through the necessary coordination and alignment of requirements from a plurality of stakeholders (operators, product vendors, consumers, regulators, etc.).

One basis for broad adoption of security as a system-inherent feature is also the interoperability between different vendors' products. This is provided by standardization.

References

1. Steffen Fries and Hans-Joachim Hof, Security considerations in the smart grid, in: Lars Berger and Kris Iniewski (Eds.), Smart Grids, Wiley, New York, May 2012.
2. International Electrotechnical Commission, IEC 62351-10 TR, Security Architecture Guidelines for TC57 Systems, IEC, Geneva, Switzerland, October 2012.
3. International Organization for Standardization, ISO/IEC 27001:2005, Information Technology—Security Techniques—Information Security Management Systems—Requirements, http://www.iso27001security.com/html/27001.html
4. International Organization for Standardization, ISO/IEC 27002:2005, Information Technology—Security Techniques—Code of Practice for Information Security Management, http://www.iso27001security.com/html/27002.html
5. DIN SPEC 27009, Information Security Management Guidelines for Process Control Systems Used in the Energy Utility Industry on the Basis of ISO/IEC 27002, March 2012.
6. IEC Smart Grid Strategic Group (SG3), Smart Grid Standardization Roadmap, http://www.iec.ch/cgi-bin/restricted/getfile.pl/sMB_4175e_r.pdf?dir=sMB&format=pdf&type=_r&file=4175e.pdf
7. ISO-IEC 62351, Parts 1-11, http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=sea22.p&search=iecnumber&header=iec&pubno=62351&part=&se=
8. Steffen Fries, Hans-Joachim Hof, Thierry Dufaure, and Maik Seewald, Security for the smart grid—enhancing IEC 62351 to improve security in energy automation control, International Journal on Advances in Security, April 2011, http://www.thinkmind.org/download.php?articleid=sec_v3_n34_2010_7
9. ISO-IEC 62443, Parts 1-3, http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=sea22.p&search=iecnumber&header=iec&pubno=62443&part=&se=
10. International Society of Automation, ISA 99 Industrial Automation and Control Systems Security, Standards Framework, http://www.isa-99.com/
11. ISO-IEC IEC 62357, Part 1: Reference Architecture for TC57, second draft, July 2009.
12. CIGRE Joint Working Group D2/B3/C2-01, Managing Information Security in an Electric Utility, http://d2.cigre.org/content/download/11370/334067/version/2/file/Managing+information+security+in+an+electric+utilityid41ver28.pdf
13. CIGRE (International Council on Large Electric Systems) Working Group D2.22 report, Risk Assessment of Information and Communication Systems, August 2008, Electra.
14. CIGRE report, Security Frameworks for Electric Power Utilities, WG D2.22, December 2008, Electra.
15. CIGRE report, Security Technologies Guideline, WG D2.22, June 2009, Electra.
16. North American Electric Reliability Corporation, Standards: Reliability Standards, http://www.nerc.com/page.php?cid=2|20
17. RFC 6272, Internet Protocols for the Smart Grid, http://tools.ietf.org/html/rfc6272
18. RFC 3711, The Secure Real-time Transport Protocol (SRTP), http://tools.ietf.org/html/rfc3711
19. RFC 4301, Security Architecture for the Internet Protocol, http://tools.ietf.org/html/rfc4301
20. RFC 4302, IP Authentication Header, http://tools.ietf.org/html/rfc4302
21. RFC 4303, IP Encapsulating Security Payload (ESP), http://tools.ietf.org/html/rfc4303
22. RFC 4962, Guidance for Authentication, Authorization, and Accounting (AAA) Key Management, http://tools.ietf.org/html/rfc4962
23. RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, http://tools.ietf.org/html/rfc5246
24. RFC 5247, Extensible Authentication Protocol (EAP) Key Management Framework, http://tools.ietf.org/html/rfc5247
25. RFC 6347, Datagram Transport Layer Security Version 1.2, http://tools.ietf.org/html/rfc6347
26. RFC 6407, The Group Domain of Interpretation, http://tools.ietf.org/html/rfc6407
27. National Institute of Standards and Technology, NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, August 2009, http://csrc.nist.gov/publications/nistpubs/800-53-rev3/sp800-53-rev3-final.pdf
28. Federal Information Processing Standard (FIPS) 200: Minimum Security Requirements for Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
29. National Institute of Standards and Technology, NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, draft, September 2008, http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
30. National Institute of Standards and Technology, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Version 1.0, January 2010, http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf
31. National Institute of Standards and Technology, NIST IR 7628 Guidelines for Smart Grid Cyber Security, Vol. 1, Smart Grid Cyber Security Strategy, draft, July 2010, http://csrc.nist.gov/publications/Pubsdrafts.html#nist-ir-7628
32. National Institute of Standards and Technology, NIST IR 7628 Guidelines for Smart Grid Cyber Security, Vol. 3, Supportive Analyses and References, draft, July 2010, http://csrc.nist.gov/publications/Pubsdrafts.html#nist-ir-7628
33. National Institute of Standards and Technology, NIST IR 7628 Guidelines for Smart Grid Cyber Security, Vol. 2, Security Architecture and Security Requirements, draft, July 2010, http://csrc.nist.gov/publications/Pubsdrafts.html#nist-ir-7628
34. U.S. Department of Homeland Security, Catalog of Control Systems Security—Recommendations for Standards Developers, June 2010, http://www.us-cert.gov/control_systems/pdf/catalog%20of%20control%20systems%20security%20-%20recommendations%20for%20standards%20developers%20June-2010.pdf
35. BDEW—Bundesverband der Energie- und Wasserwirtschaft, Datensicherheit, http://www.bdew.de/bdew.nsf/id/de_datensicherheit
36. EU Task Force Smart Grid, Expert Group 2, Regulatory Recommendations for Data Safety, Data Handling and Data Protection, February 16, 2011, http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/expert_group2.pdf
37. European Commission, Directorate-General for Energy, M/490, Standardization Mandate to European Standardisation Organisations (ESOs) to Support European Smart Grid Deployment, March 2011, http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/2011_03_01_mandate_m490_en.pdf
38. Smart Grid Coordination Group, Joint CEN, CENELEC and ETSI Activity on Standards for Smart Grids, 2009, http://www.cen.eu/cen/sectors/sectors/Utilitiesandenergy/smartGrids/Pages/default.aspx
39. Siemens, Siemens Develops European Architecture Model for Smart Grid, http://www.siemens.com/press/en/pressrelease/?press=/en/pressrelease/2012/infrastructure-cities/smart-grid/icsg201205018.htm
40. ESCoRTS Project, homepage, http://www.escort-project.eu/

8 Vulnerability Assessment for Substation Automation Systems

ADAM HAHN, MANIMARAN GOVINDARASU, AND CHEN-CHING LIU

Growing cybersecurity concerns within the smart grid have created increasing demands for vulnerability assessments to ensure adequate cyber protections. This chapter reviews vulnerability assessment requirements within substation automation communication and computation mechanisms and identifies a methodology to evaluate security concerns while avoiding any negative impact on operational systems. Finally, national and industry efforts to expand assessment capabilities within this domain are addressed.

Contents

8.1 Introduction 228
8.2 Assessment Methodologies 230
    8.2.1 Planning 231
        8.2.1.1 Control Center 231
        8.2.1.2 Substations 232
        8.2.1.3 Network Protocol Overview 233
        8.2.1.4 Supporting Protocols 235
    8.2.2 Review Techniques 236
        8.2.2.1 System Configuration Review 236
        8.2.2.2 Network Configurations/Rule Sets 236
        8.2.2.3 Network Traffic Review 237
    8.2.3 Target Identification and Analysis 238
        8.2.3.1 Network Discovery 238
        8.2.3.2 Vulnerability Scanning 239
    8.2.4 Target Vulnerability Validation 239
    8.2.5 Postexecution 240
8.3 State-of-Practice Review 241
8.4 Summary 241
References 243

8.1 Introduction

The smart grid creates an increasing dependency on the cyber infrastructure to monitor and control the physical system. While supervisory control and data acquisition (SCADA) technology has been utilized for many years, the increasing interconnectivity expands the general cyber attack surface. Recent government reports have raised concerns about the general security posture of these systems.1,2 In an attempt to mitigate these concerns, the North American Electric Reliability Corporation (NERC) has produced compliance requirements for critical cyber resources to ensure an appropriate protection level.3 These documents specifically require that a cyber vulnerability assessment be performed to verify that the resources meet the appropriate security requirements. Unfortunately, the vulnerability assessment process is not well understood for this domain due to numerous constraining properties, including

• Heavy reliance on undocumented, proprietary communication protocols.

• High availability requirements that limit testing of operational systems.

• softwareplatformsthathavenotundergoneathoroughsecu-rityanalysisandhavenotbeenengineeredtoundergoasecu-rityreview.

• Geographicdistributionofresourceslimitingphysicalresourceaccessibility.

Figure 8.1 provides an overview of the communication infrastructure within the smart grid. Distribution, transmission, and generation domains are identified, as well as their interconnectivity and dependency on other parties. The figure identifies various protocols necessary to support this communication and highlights the connectivity between substations and control centers. Security concerns are specifically presented by the unprotected substations and the feasible external accessibility of control centers due to corporate and vendor requirements. In addition, smart grid advancements such as advanced metering infrastructures (AMIs) and wide-area measurement systems (WAMSs) will only present greater interconnectivity of these systems.

229 Vulnerability Assessment

[Figure 8.1 (diagram not reproduced): the smart grid environment, showing the distribution domain (AMI headend, MDMS, distribution management, distribution control, distribution substations, wired and wireless AMI), the transmission domain (transmission SCADA, transmission control, transmission substations), the generation domain (generation control system, generation control, generation), field devices (IEDs, RTUs, PMUs), the control center (energy management, HMIs, historian), the corporate CIS, utility workers, third-party markets/ISOs, and additional parties. Protocols labeled in the figure: ANSI C12.22, IEC 61850, 802.15.4, 802.11, 802.16, DNP3, ModBus, ICCP, T1, microwave, and PPP.]

Figure 8.1 Smart grid environment. ANSI = American National Standards Institute; CIS = Customer Information System; HMI = Human Machine Interface; ICCP = Inter-Control Center Protocol; IED = Intelligent Electronic Device; ISO = Independent System Operator; MDMS = Meter Data Management System; PMU = Phasor Measurement Unit; PPP = Point-to-Point Protocol; RF = Radio Frequency; RTU = Remote Terminal Unit.

This chapter addresses concerns for performing a comprehensive vulnerability assessment within this domain based on the previous constraints. A methodology is presented to appropriately structure assessment efforts. Software tools to assist in the evaluation process are introduced, and their application to this domain is reviewed. In addition, current efforts to expand assessment capabilities are introduced.

8.2 Assessment Methodologies

A strong methodology is imperative to ensure that testing efforts appropriately target the technologies involved within the environment and the likely threats to the system. Security testing efforts can be tailored toward different objectives based on the intended scope. The development of vulnerability assessment methodologies has been well explored within traditional information technology (IT) environments; the following list provides some examples:

• National Institute of Standards and Technology Special Publication (NIST SP) 800-115, Technical Guide to Information Security Testing and Assessment4

• NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems5

• Open Source Security Testing Methodology Manual (OSSTMM)6

A high-availability environment such as the smart grid presents a requirement for nonintrusive methodologies. Activities that could potentially cause availability or integrity problems must be restricted. This chapter presents an example methodology based on that proposed in NIST SP 800-115, but with specific tailoring to avoid availability concerns. Figure 8.2 provides an overview of the major steps, specifically planning, execution, and postexecution. This chapter primarily highlights the execution phase as it typically involves most of the technical issues. The main components of the execution phase are (1) review techniques, (2) target identification and analysis, and (3) target vulnerability validation. These are further explained in the following sections.

8.2.1 Planning

A key component of the planning phase is the scoping and monitoring of testing activities to ensure they do not negatively interfere with normal operations. This should involve establishing a representative test environment that maintains similar configurations. While the assessment scope could vary based on the assessment's intent, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards focus assessments on the control centers, substations, and associated communications.7 Specific concerns within these components are identified next.

[Figure 8.2 (diagram not reproduced): the three phases of the assessment plan. Planning: roles and responsibilities, identify scope, limitations and assumptions. Execution: review techniques (system configuration, network traffic, network rule sets); target identification/analysis (network discovery, vulnerability scanning, protocol identification); target vulnerability validation (password cracking, penetration testing, social engineering). Postexecution: reporting, mitigation review, cause identification.]

Figure 8.2 Vulnerability assessment plan.

8.2.1.1 Control Center Control centers will typically contain sets of operator/engineering workstations, control servers, and the resulting network infrastructure. This environment will likely resemble a traditional IT system containing Windows/Unix systems and similar networking switches/routers. While the control system software will be specific to the power domain, other supporting services such as web servers, authentication services (Lightweight Directory Access Protocol [LDAP], Active Directory), and databases may be used. Specific systems within this environment include

• SCADA/EMS (energy management system) servers: control servers that perform monitoring, control, and state estimation tasks

• Historians: databases that maintain historic control system data for trending analysis

• Human-machine interfaces (HMIs): systems that provide operator interfaces to the SCADA/EMS systems

Often, control systems maintain some connectivity to corporate local-area networks (LANs) or other third parties due to requirements to collect operational data or provide vendor access.8 The high-security requirements of this environment strongly emphasize scrutiny over remote access capabilities. In addition, while authentication and authorization present key security mechanisms, it must be assumed that in emergency situations these controls may require some override function.

Assessment Guidance: Specific security concerns with the control environment include (1) appropriate network segregation through routing and firewall rules; (2) implementation of a demilitarized zone (DMZ) for services needing access by both control and corporate environments; (3) appropriate patching and system configurations; and (4) sufficient authentication and authorization enforcement.

8.2.1.2 Substations Substations within both the transmission and distribution domains have unique security requirements due to their geographic location. The communication links provide a specific concern due to the criticality of the transmitted data and their heavy use of wireless communication. All communication paths between the control center and substation, along with all intersubstation communications, require thorough analysis. Field devices are the components that perform the actual sensing and actuation functions throughout the grid. The term field devices is usually a generalization of various devices, including intelligent electronic devices (IEDs), programmable logic controllers (PLCs), and remote terminal units (RTUs). Typically, these are embedded systems with limited processing capabilities, nonstandard operating systems, and nonstandard software platforms. This increases the likelihood of vulnerabilities and creates difficulties during the assessment process. Often, these devices are not Internet Protocol (IP) enabled, and if they are, they may implement incomplete or frail networking stacks that limit analysis capabilities.

Assessment Guidance: Specific security concerns with substation environments include (1) identification of all field device networking capabilities; (2) sufficient authentication of all accessible field device management/administrative functions; (3) cryptographically protected network communication with control centers or other substations; and (4) auditing of control/monitoring functions, authentication attempts, and device reconfigurations.

8.2.1.3 Network Protocol Overview Protocols used within a control system vary from those commonly found in traditional IT environments. They are primarily responsible for transmitting binary and analog values at periodic intervals between systems. In addition, many of these protocols were designed and deployed before the proliferation of modern cybersecurity concerns. This section introduces several communication protocols, provides a brief explanation of each, and then identifies the security concerns that require inspection during the assessment.

8.2.1.3.1 Distributed Network Protocol The Distributed Network Protocol (DNP3) is commonly used within the electric grid, especially in substation automation. While DNP3 has been used for many years, it was recently adopted as an Institute of Electrical and Electronics Engineers (IEEE) standard (IEEE Standard 1815).9 The protocol operates in a master/slave paradigm; the master is typically represented by the control server or RTU, and the slave functions as the field device or outstation. With this model, the master is able to transmit commands to and receive readings from the various field units.

While packets are encapsulated with their own data link, transport, and application layers, the application layer plays the most important role in the assessment process. Each command and response is encapsulated within a DNP application service data unit (ASDU). The ASDU contains a function code used to identify the purpose of the message (e.g., read, write, confirm, response). The function code is then followed by one or more objects that identify the data type and value associated with the function code. Data types are typically analog or digital inputs/outputs.

Authentication within DNP3 is enforced by categorizing function codes as critical and noncritical. Critical functions are typically those that perform some control or initiate a change on the outstation. Critical functions differ from noncritical ones in that the outstation can require a hash-based message authentication code (HMAC) before acting on them. An HMAC combines a shared key with a message hash to verify the message's authenticity and integrity. The HMAC calculation is based on the following set of preshared keys:

• Control key, to authenticate messages sent by the master

• Monitoring key, to authenticate messages sent by the outstation

• Update key, to perform a secure key update for both the control and monitoring keys

In addition to the traditional utilization of DNP3, additional work has reviewed the use of Transport Layer Security (TLS) or Internet Protocol Security (IPsec) to provide a stronger underlying layer of security.10

Assessment Guidance: A secure implementation of the DNP3 protocol should achieve the following objectives: (1) identification of the communication path for all DNP3 traffic; (2) identification of all functions/objects that require authentication; (3) verification of the appropriate authentication on the resulting commands/responses; (4) identification of all communications protected by other means (e.g., IPsec virtual private networks [VPNs]); and (5) analysis of the key update exchanges.
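As an added worked example (not code from the chapter or from the DNP3 specification), the following Python script models the two points objectives (2) and (3) ask the assessor to confirm: which function codes an outstation treats as critical, and whether a challenge/response HMAC keyed with the control key actually gates them. The function-code names and the g12v1/g41v2 object sizes follow the DNP3 specification; the critical set, the challenge layout, the 16-octet HMAC truncation, and the `Outstation`/`master_reply` names are simplifying assumptions, the sample ASDUs are constructed, and the key-update exchange (objective 5) is not modeled.

```python
"""Added example: minimal DNP3 application-layer parser plus the
challenge/response HMAC that DNP3 Secure Authentication applies to critical
function codes.  Critical set, challenge layout and HMAC truncation are
simplifying assumptions; sample ASDUs are constructed."""
import hashlib
import hmac
import os
import struct

FUNCTION_CODES = {
    0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
    0x04: "OPERATE", 0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART", 0x81: "RESPONSE",
    0x82: "UNSOLICITED_RESPONSE", 0x83: "AUTHENTICATE_RESP",
}
# Assumed outstation policy: anything that changes outputs or restarts the
# device is critical; READ is left non-critical (the standard allows either,
# which is exactly what the assessor must confirm per outstation).
CRITICAL = {0x02, 0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}
OBJECT_SIZES = {(12, 1): 11,   # g12v1 control relay output block (CROB)
                (41, 2): 3}    # g41v2 16-bit analog output


def parse_asdu(asdu: bytes) -> dict:
    """Decode the application header and the object headers of one ASDU."""
    ctrl, fc = asdu[0], asdu[1]
    msg = {"fir": bool(ctrl & 0x80), "fin": bool(ctrl & 0x40),
           "con": bool(ctrl & 0x20), "uns": bool(ctrl & 0x10),
           "seq": ctrl & 0x0F, "fc": fc,
           "name": FUNCTION_CODES.get(fc, "UNKNOWN"), "objects": []}
    off = 2
    if fc >= 0x81:                           # responses carry two IIN octets
        msg["iin"] = struct.unpack_from("<H", asdu, off)[0]
        off += 2
    while off < len(asdu):
        group, var, qual = asdu[off:off + 3]
        off += 3
        obj = {"group": group, "variation": var, "qualifier": qual}
        rsc, prefix = qual & 0x0F, qual >> 4
        if rsc == 0x06:                      # "all objects": no range, no data
            msg["objects"].append(obj)
            continue
        if rsc == 0x07:                      # 1-octet count
            count, off = asdu[off], off + 1
        elif rsc == 0x08:                    # 2-octet count
            count, off = struct.unpack_from("<H", asdu, off)[0], off + 2
        else:
            raise ValueError(f"range specifier {rsc:#x} not modeled")
        size = OBJECT_SIZES.get((group, var))
        if size is None:
            raise ValueError(f"object g{group}v{var} not modeled")
        points = []
        for _ in range(count):
            if prefix == 1:                  # 1-octet index prefix (qualifier 0x17)
                index, off = asdu[off], off + 1
            elif prefix == 2:                # 2-octet index prefix (qualifier 0x28)
                index, off = struct.unpack_from("<H", asdu, off)[0], off + 2
            else:
                raise ValueError(f"prefix code {prefix:#x} not modeled")
            points.append((index, asdu[off:off + size]))
            off += size
        obj["points"] = points
        msg["objects"].append(obj)
    return msg


def mac(key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """HMAC-SHA-256 over challenge data and the challenged ASDU, truncated to
    16 octets (assumed truncation)."""
    return hmac.new(key, challenge + asdu, hashlib.sha256).digest()[:16]


class Outstation:
    """Holds the preshared session keys and challenges critical requests."""
    def __init__(self, control_key: bytes, monitoring_key: bytes):
        self.control_key = control_key        # authenticates master -> outstation
        self.monitoring_key = monitoring_key  # would authenticate outstation -> master
        self.csq = 0                          # challenge sequence number
        self.pending = None

    def receive(self, asdu: bytes):
        """("ACCEPT", msg) for non-critical requests, else ("CHALLENGE", data)."""
        msg = parse_asdu(asdu)
        if msg["fc"] not in CRITICAL:
            return ("ACCEPT", msg)
        self.csq += 1
        challenge = struct.pack("<I", self.csq) + os.urandom(4)   # CSQ + nonce
        self.pending = (asdu, challenge)
        return ("CHALLENGE", challenge)

    def reply(self, tag: bytes):
        """Execute the pending request only if the master's HMAC verifies."""
        if self.pending is None:
            return ("REJECT", None)
        asdu, challenge = self.pending
        self.pending = None
        if hmac.compare_digest(tag, mac(self.control_key, challenge, asdu)):
            return ("ACCEPT", parse_asdu(asdu))
        return ("REJECT", None)


def master_reply(control_key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """Master side of the exchange: answer the challenge with the control key."""
    return mac(control_key, challenge, asdu)


# Constructed sample ASDUs: a DIRECT_OPERATE latching point 3 on for 1000 ms,
# and a class 1/2/3 event poll (g60v2..v4, qualifier 0x06).
CROB_LATCH_ON = bytes([0x41, 0x01]) + struct.pack("<II", 1000, 0) + b"\x00"
DIRECT_OPERATE = bytes([0xC1, 0x05, 0x0C, 0x01, 0x17, 0x01, 0x03]) + CROB_LATCH_ON
CLASS_POLL = bytes([0xC2, 0x01, 0x3C, 0x02, 0x06, 0x3C, 0x03, 0x06, 0x3C, 0x04, 0x06])
```

Feeding captured ASDUs through `parse_asdu` and checking `msg["fc"] in CRITICAL` against the outstation's observed behaviour (does it challenge, or does it act immediately?) is the practical form of objectives (2) and (3); a wrong key or a missing challenge shows up as a control that executes without a verified tag.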

8.2.1.3.2 International Electrotechnical Commission 61850 The transition to a smarter electric grid has required the development of more dynamic protocols. International Electrotechnical Commission (IEC) 61850 has been developed to provide increased interoperability, specifically in substation automation, and provides improved support for security mechanisms such as authentication and encryption. IEC 61850 presents an object-oriented approach to identifying substation components to simplify configuration and interoperability. Each physical device within the substation is represented by an IEC 61850 object; this object can then have sub-logical devices, logical nodes, data, and data attributes. Nodes are assigned names based on their function; for example, logical node MMXU is used for a measurement, while XCBR is used for a circuit breaker. This naming scheme makes network traffic analysis more intuitive.

IEC 61850 is a complex protocol capable of sending various message types, including Generic Object Oriented Substation Event (GOOSE), Generic Substation Status Event (GSSE), and Sampled Measured Values (SMVs). This chapter focuses on GOOSE as its utilization is more prevalent.

GOOSE relies on Ethernet virtual local-area networks (VLANs) (802.1Q) to perform multicast delivery of content within a 4-ms time frame, as required for protective relaying within substations. GOOSE messages can carry digital signatures (specified in the companion IEC 62351-6 standard) to both authenticate and ensure the integrity of received messages. However, since digital signatures are based on public key cryptography and certificates, some certificate management function must be deployed. This distribution of certificates and the utilization of certificate authorities (CAs) become critical to understanding the security of the resulting IEC 61850 communications.

Assessment Guidance: A secure implementation of IEC 61850 should achieve the following objectives: (1) identification of the communication path for all traffic; (2) identification of the use of digital signatures or encryption; (3) identification of the VLAN 802.1Q configuration on the network devices, for accurate inclusion of the necessary systems and appropriate device configuration; and (4) a review of certificate distribution and trust of CAs.
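The following is an added example, not code from the chapter or from any IEC 61850 implementation: a Python encoder/decoder for the GOOSE frame layout (802.1Q tag, Ethertype 0x88B8, APPID/length header, BER-encoded goosePdu) plus a passive check an assessor can run over captured frames to confirm the VLAN configuration of objective (3) and to flag frames whose stNum/sqNum do not advance, which is how a replayed or spoofed GOOSE message looks on the wire when no signature is in use. The field tags follow IEC 61850-8-1; the `build_goose`/`GooseMonitor` names, gocbRef strings, MAC addresses, VLAN ID, and data values are constructed, and the sample frames carry no IEC 62351-6 signature.

```python
"""Added example: encode/decode the GOOSE frame layout and run a passive
VLAN / replay check over captured frames.  Tags follow IEC 61850-8-1; names,
addresses and values are constructed; no IEC 62351-6 signature is modeled."""
import struct

GOOSE_ETHERTYPE = 0x88B8
VLAN_TPID = 0x8100
# Context-specific BER tags of the goosePdu fields.
FIELDS = {0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet",
          0x83: "goID", 0x84: "t", 0x85: "stNum", 0x86: "sqNum",
          0x87: "simulation", 0x88: "confRev", 0x89: "ndsCom",
          0x8A: "numDatSetEntries", 0xAB: "allData"}
INT_FIELDS = {0x81, 0x85, 0x86, 0x88, 0x8A}
STR_FIELDS = {0x80, 0x82, 0x83}
BOOL_FIELDS = {0x87, 0x89}


def ber_len(n: int) -> bytes:
    return bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_uint(v: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")


def read_tlv(buf: bytes, off: int):
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                          # long form: low bits = length octets
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def build_goose(src_mac, vid, pcp, appid, gocbref, datset, goid, stnum, sqnum, values):
    """Constructed GOOSE frame; allData carries booleans only (Data tag [3])."""
    all_data = b"".join(tlv(0x83, b"\x01" if v else b"\x00") for v in values)
    pdu = (tlv(0x80, gocbref.encode()) + tlv(0x81, ber_uint(2000))
           + tlv(0x82, datset.encode()) + tlv(0x83, goid.encode())
           + tlv(0x84, bytes(8)) + tlv(0x85, ber_uint(stnum))
           + tlv(0x86, ber_uint(sqnum)) + tlv(0x87, b"\x00")
           + tlv(0x88, ber_uint(1)) + tlv(0x89, b"\x00")
           + tlv(0x8A, ber_uint(len(values))) + tlv(0xAB, all_data))
    apdu = tlv(0x61, pdu)
    dst_mac = bytes.fromhex("010ccd010001")            # GOOSE multicast range
    header = struct.pack("!HHHH", appid, 8 + len(apdu), 0, 0)  # APPID, Length, Reserved1/2
    return (dst_mac + src_mac + struct.pack("!HH", VLAN_TPID, (pcp << 13) | vid)
            + struct.pack("!H", GOOSE_ETHERTYPE) + header + apdu)


def parse_goose(frame: bytes) -> dict:
    msg = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == VLAN_TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        msg["vlan"] = {"pcp": tci >> 13, "vid": tci & 0x0FFF}
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    off += 2
    msg["appid"], msg["length"] = struct.unpack_from("!HH", frame, off)
    off += 8
    tag, pdu, _ = read_tlv(frame, off)
    if tag != 0x61:
        raise ValueError("not a goosePdu")
    p = 0
    while p < len(pdu):
        tag, val, p = read_tlv(pdu, p)
        name = FIELDS.get(tag)
        if name is None:
            continue
        if tag in INT_FIELDS:
            msg[name] = int.from_bytes(val, "big")
        elif tag in STR_FIELDS:
            msg[name] = val.decode("ascii")
        elif tag in BOOL_FIELDS:
            msg[name] = val != b"\x00"
        else:
            msg[name] = val                # t and allData left as raw bytes
    return msg


class GooseMonitor:
    """Passive check over captured frames: wrong VLAN, or a (stNum, sqNum)
    pair that does not advance for the same publisher, which is how a
    replayed or spoofed GOOSE message shows up in a capture."""
    def __init__(self, expected_vid: int):
        self.expected_vid = expected_vid
        self.last = {}

    def check(self, frame: bytes):
        msg, findings = parse_goose(frame), []
        if msg["vlan"] is None or msg["vlan"]["vid"] != self.expected_vid:
            findings.append("unexpected VLAN")
        key = (msg["src"], msg["appid"], msg["gocbRef"])
        cur, prev = (msg["stNum"], msg["sqNum"]), self.last.get(key)
        if prev is not None and cur <= prev:
            findings.append("stNum/sqNum did not advance (possible replay)")
        self.last[key] = cur if prev is None else max(cur, prev)
        return msg, findings
```

Run over a capture, the monitor keeps the highest (stNum, sqNum) seen per publisher so that a replayed frame is reported rather than silently resetting the baseline; an assessor would pair it with the switch's VLAN membership to confirm that only the intended IEDs can see the multicast group.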

8.2.1.4 Supporting Protocols Many common IT protocols are found within control systems and introduce security concerns. Domain Name System (DNS) is frequently used but can be problematic due to its dependency on Internet access, as it may provide a covert channel for attackers.11 DNS utilization should be reviewed to ensure it does not introduce unnecessary external access points.

The Simple Network Management Protocol (SNMP) is often used by various devices within control systems to perform device administration. Access to SNMP configuration is protected by secret community strings; however, default strings such as "public" and "private" are often not changed. The use of default community strings should be reviewed, specifically those that allow write access to devices. Note that in SNMPv1 and SNMPv2c the community string travels in the clear, so it is also recoverable through the network traffic review described in Section 8.2.2.3; SNMPv3 adds user-based authentication and encryption.

8.2.2 Review Techniques

The review step specifically addresses any nonintrusive analysis of data that can be obtained from systems and networks. These activities include the review of system configuration documents/files, network device configurations/rule sets, and network traffic. Review techniques will play a critical role in the assessment process for the power grid as they are significantly less likely to have an impact on system operations.

8.2.2.1 System Configuration Review Reviewing system configurations provides a nonintrusive method of determining potential vulnerabilities. Traditionally, this involves the review of any configuration files and the execution of commands that provide current system status. This information can then be correlated with any known secure baselines for the system to determine potential vulnerabilities. This review type is most effective when system configurations are well known. While this is typically the case with popular operating systems and network services, information is often unavailable for the software platforms and field devices used to support the grid. Research into the identification of secure software platform configurations has been explored by the Bandolier project.12 This effort reviews popular software within the electric grid and establishes assessment capabilities based on other popular assessment tools (e.g., OVAL and Nessus).

8.2.2.2 Network Configurations/Rule Sets Determining the network architecture is an important aspect of the security assessment process. This step focuses on the review of network device configurations to ensure they appropriately enforce the desired network architecture. This step is critical within the SCADA paradigm due to a heavy reliance on a secure network perimeter.3 Incorrect assumptions about networking configuration may provide access to unauthorized users, which is specifically concerning due to weak authorization capabilities within many of the field devices.

Tools to assist in the review of network configurations and firewall rule sets are critical to the assessment process due to the relative difficulty of interpreting them and the heavy interconnectivity between various devices. Fortunately, some tools have been developed to assist in this task. The Network Access Policy Tool (NetAPT) is the result of research efforts to automate the interpretation of network configurations and verify that they meet some previously assumed network policy.13

Future research should expand current tools to incorporate increased understanding of control system communication protocols and network topologies to provide an increased context for configuration analysis.
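The following added example (not the NetAPT tool, and not code from the chapter) shows the kind of rule-set-versus-policy comparison this section describes, in Python: zones derived from the intended architecture, a first-match-wins rule list as exported from a perimeter firewall, an assumed allowed-flow policy, and a probe-based check that reports every cross-zone flow the rules allow but the policy does not (or deny where the policy expects access). The zone addresses, rules, ports, and policy are constructed; a real review would load them from the device configuration, and the check deliberately includes the kind of "temporary" engineering-subnet rule that bypasses the DMZ recommended in Section 8.2.1.1.

```python
"""Added example: NetAPT-style comparison of a firewall rule set against an
assumed network access policy.  Zones, rules, ports and policy are all
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones the assessor defines from the intended architecture (constructed).
ZONES = {
    "control":   ip_network("10.10.0.0/16"),     # SCADA/EMS, HMIs, historian
    "dmz":       ip_network("10.20.0.0/24"),     # historian replica, web front end
    "corporate": ip_network("10.30.0.0/16"),
    "vendor":    ip_network("198.51.100.0/24"),  # vendor remote-access range
}


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"; first match wins


# Rule set as exported from the perimeter firewall (constructed).  The fourth
# rule is a "temporary" engineering-subnet rule that quietly bypasses the DMZ.
RULES = [
    Rule("10.30.0.0/16",    "10.20.0.0/24", "tcp", 443,  "allow"),
    Rule("10.10.0.0/16",    "10.20.0.0/24", "tcp", 1433, "allow"),
    Rule("198.51.100.0/24", "10.20.0.0/24", "tcp", 443,  "allow"),
    Rule("10.30.5.0/24",    "10.10.0.0/16", "tcp", None, "allow"),
    Rule("0.0.0.0/0",       "0.0.0.0/0",    "any", None, "deny"),
]

# Assumed policy: the only flows that may cross a zone boundary.
POLICY = {
    ("corporate", "dmz", "tcp", 443),
    ("control",   "dmz", "tcp", 1433),
    ("vendor",    "dmz", "tcp", 443),
}
# Ports worth probing: SSH, IEC 61850 MMS, HTTPS, Modbus/TCP, MSSQL, DNP3.
PORTS = [22, 102, 443, 502, 1433, 20000]


def zone_of(ip) -> Optional[str]:
    return next((z for z, net in ZONES.items() if ip in net), None)


def first_match(rules, src, dst, proto, port) -> str:
    """Evaluate the rule list the way the firewall does; implicit deny at the end."""
    src, dst = ip_address(str(src)), ip_address(str(dst))
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "deny"


def probe_hosts(rules):
    """One representative host per zone plus one per rule subnet inside the
    zone, so that rules narrower than a zone are exercised too."""
    hosts = {z: {net[1]} for z, net in ZONES.items()}
    for r in rules:
        for cidr in (r.src, r.dst):
            h = ip_network(cidr)[1]
            z = zone_of(h)
            if z is not None:
                hosts[z].add(h)
    return hosts


def audit(rules, policy, ports):
    """Return every cross-zone flow whose rule-set verdict contradicts the policy."""
    hosts = probe_hosts(rules)
    violations = []
    for sz in ZONES:
        for dz in ZONES:
            if sz == dz:
                continue
            for src in sorted(hosts[sz]):
                for dst in sorted(hosts[dz]):
                    for port in ports:
                        allowed = first_match(rules, src, dst, "tcp", port) == "allow"
                        expected = (sz, dz, "tcp", port) in policy
                        if allowed != expected:
                            violations.append((sz, dz, str(src), str(dst), port,
                                               "allow" if allowed else "deny"))
    return violations


if __name__ == "__main__":
    for sz, dz, src, dst, port, verdict in audit(RULES, POLICY, PORTS):
        print(f"rule set says {verdict} for {src} ({sz}) -> {dst} ({dz}) tcp/{port}; policy disagrees")
```

The probe approach is what makes narrow rules visible: a single representative address per zone would never match the 10.30.5.0/24 rule, which is why `probe_hosts` also seeds a host from every subnet the rule set itself mentions. Removing that rule makes the audit return no violations, which is the state an assessor wants to reach before signing off on the perimeter.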

8.2.2.3 Network Traffic Review Network traffic review provides a method for passive discovery of the various network communications. This provides the assessor with an understanding of many of the systems, ports, and protocols being used within the environment. It also provides the ability to analyze various security-related information, such as whether encryption and authentication are being used appropriately.

There are various software tools available to perform network sniffing. Wireshark is an open source packet sniffer that maintains protocol dissectors for most popular IT and SCADA protocols, including DNP, IEC 61850, ModBus, and Object Linking and Embedding (OLE) for Process Control (OPC).14 While Wireshark provides strong functionality, more advanced tools have been developed to assist in this process. One particular tool, Sophia, is being developed by Idaho National Laboratory to utilize network discovery capabilities to identify the network communications.15 Sophia uses network monitoring to determine the current architecture and communication requirements and to identify any anomalies within the environment.

While network traffic review is necessary to understand the systems and services operating on the network, it does not provide sufficient analysis of the network activity. Various systems or services may perform only transient communications and may not be detected through the sniffing. In addition, not all service configurations can be accurately extracted from the communications, especially if the traffic is encrypted or the protocol's format is not well known. In these cases, additional activities must be performed to provide an accurate system view.

Table 8.1 presents an overview of the presented tools necessary to support the review techniques documented in this section. The table documents the vulnerabilities that each tool can help discover, its potential to negatively impact operational systems, and how well it supports smart grid environments.

8.2.3 Target Identification and Analysis

After the initial review steps, a more in-depth analysis of specific components should be performed for target identification and analysis. Often, these activities can be considered intrusive since they require transmitting various requests to systems in an attempt to identify system configurations. These activities could have a negative impact on operational systems and ideally should be performed on a representative test environment.

8.2.3.1 Network Discovery network discovery traditionally involvesprobingthevariousaddressesonthesystemtodiscoveralloperatingsystemsandservices.Thediscoveryphasetypicallyusesvarioustypesofscanningtoolsthatcansendvariousprobepacketsinthenetworkandinterprettheresponsestoidentifyoperatingservices.Thisactiv-ity,referredtoasport scanning,usesicMP(internetMessagecontrolProtocol)scanstodetermineactivesystemswhileusingtransmissioncontrol Protocol/User datagram Protocol (tcP/UdP) scans toidentifyopenports.

Table 8.1 System Configuration Review Tools

TOOL        TARGETED VULNERABILITIES                                              NEGATIVE IMPACT   DOMAIN SUPPORT
Bandolier   SCADA software configurations                                         Low               Full
NetAPT      Firewall rule set configurations                                      None              Full
Wireshark   Networking configuration and authentication/encryption verification   Low               Full
Sophia      Networking configuration and authentication/encryption verification   Low               Full

A popular port-scanning tool, Nmap, provides many different network probe types and reporting capabilities.16 The tool's scanning capabilities include ICMP, ARP (Address Resolution Protocol), UDP, and numerous TCP scans with various flag configurations. Nmap maintains a dictionary of known port/protocol mappings to help identify operating services, as well as an operating system detection feature that may be useful when analyzing field devices for which little system information is known.

8.2.3.2 Vulnerability Scanning Vulnerability-scanning techniques have traditionally utilized network inspection methods to evaluate operating systems and network services in an attempt to identify vulnerabilities. This technique depends on a database of known vulnerability fingerprints that can be identified by various network probes. Vulnerability scanning can be an effective way to determine unpatched software and default/insecure configurations. While vulnerability-scanning tools remain popular due to their ability to inspect full ranges of systems and services, they may not be appropriate for an operational environment due to the previously addressed availability and integrity concerns. In addition, since this technique is limited to network probing, the amount of collectible information is limited.

Nessus is a popular vulnerability-scanning tool that is continually gaining support for control system software.17 Along with the comprehensive set of traditional IT vulnerabilities, it has recently included various control system vulnerabilities in its database. Nessus has also incorporated credential-based scanning capabilities that do not require network probing. While this feature significantly reduces the likelihood of impacting system availability, it is only available on well-known operating systems.

Table 8.2 provides an overview of the introduced identification and analysis tools.

8.2.4 Target Vulnerability Validation

The vulnerability validation phase attempts to corroborate any previously determined vulnerability concerns. Validation plays a key role within the power grid as vulnerabilities within many protocols and software platforms are not well known. Attempts to confirm the existence of a vulnerability may be required before investing resources in devising and deploying a mitigation strategy. Unfortunately, this step is generally extremely intrusive, as attempts to exploit vulnerabilities often leave systems in unstable states. Activities in this phase should be performed on a replicated testing environment instead of critical operational systems. Some tools are available to assist with the vulnerability validation process. One example is the Metasploit Framework, an exploit development tool, which has recently gained some SCADA-specific capabilities to complement its expansive collection of traditional IT exploits (Table 8.3).18

8.2.5 Postexecution

The postexecution phase requires the evaluation of a vulnerability's potential system impacts and the identification of mitigation techniques and any reporting responsibilities. While impact analysis has been addressed in IT systems through various quantitative and qualitative methods, these methods have not yet targeted a cyber-physical system such as the smart grid. Determining impact within this domain may require additional research to detect the actual physical impact from a potential exploitation. Mitigation efforts also vary greatly with the grid. Often, software and field devices are not strongly supportive of upgrades and may require increased cost due to lack of remote accessibility. Therefore, various methods, such as network reconfigurations or increased detection capabilities, may be required to sufficiently address assessment findings.

Table 8.2 Identification and Analysis Tools

TOOL     TARGETED VULNERABILITIES                                       NEGATIVE IMPACT   DOMAIN SUPPORT
Nmap     Network configurations and service/OS detection                High              Partial
Nessus   Operating system/services vulnerabilities and configurations   High              Partial

Note: OS = operating system.

Table 8.3 Vulnerability Validation Tools

TOOL         TARGETED VULNERABILITIES     NEGATIVE IMPACT   DOMAIN SUPPORT
Metasploit   Vulnerability exploitation   High              Limited

8.3 State-of-Practice Review

The previous sections discussed the process of performing a vulnerability assessment tailored toward a substation automation environment. This section continues this state-of-practice review by identifying current research efforts to provide improved capabilities within the domain. The process of identifying new vulnerabilities, improving detection within deployed systems, and managing them after their discovery presents many research challenges. Major efforts by industry and government are identified and then categorized based on their targeted impact. Table 8.4 provides a comprehensive review of these efforts.

8.4 Summary

The discovery of cyber vulnerabilities is becoming increasingly important within the smart grid due to an increased dependency on communication and computation for grid control. While assessment technologies and methodologies have been developed for the traditional computing environment, the transition to the substation automation environment is not well defined.

This chapter identified requirements for vulnerability assessments within smart grid environments, specifically the identification of substation automation systems. A comprehensive methodology was introduced to identify the required steps within the process and detail how their application to this domain differs from traditional IT environments. Specific concerns were addressed, including the possibility of negatively impacting the operational system through testing activities. Examples of security concerns were identified based on popular SCADA protocols and communication architectures. Finally, a review of current government and industry efforts within the vulnerability assessment domain was presented along with both current and future assessment tools.

Table 8.4 Vulnerability Management State of Practice

EFFORT                     DESCRIPTION                                                                                   TARGET

POLICY
  Standards
    NIST SP 800-82 (8)       Identification of vulnerabilities, network architecture models, and standards for security controls   ICS
    NISTIR 7628 (19)         Cybersecurity controls to address the increased connectivity within the smart grid              Smart grid
    DHS CSET                 Compliance/standards management and evaluation tool                                             SCADA
  Compliance
    NERC CIP (3)             Enforceable vulnerability assessment requirements for bulk power systems                         SCADA
    NIST SP 800-53 (20)      Enforceable security controls for government control systems                                     ICS

DISCOVERY
  Disclosure
    NIST NVD (21)            Detailed database of known software vulnerabilities and misconfigurations                       IT
    ICS-CERT (22)            Publishes advisories on newly discovered vulnerabilities in control system software platforms    ICS
    Vendor advisories        Vendor-released vulnerability information                                                        ICS
  Test beds
    NSTB (23)                National laboratory collaboration with actual SCADA hardware/software for vulnerability assessment targeting without impact concerns   SCADA
    Academic (24, 25)        For example, Iowa State University and University of Illinois: realistic SCADA hardware/software, simulated power systems   SCADA

MANAGEMENT
  Impact analysis
    CVSS (26)                Non-ICS-specific scoring system for vulnerability criticality                                    IT
  Testing/deployment
    ICS-CERT                 Mitigation recommendations based on vendor suggestions and ICS best practices                    ICS

Note: Numbers in parentheses are reference numbers. CSET = Cyber Security Evaluation Tool; CVSS = Common Vulnerability Scoring System; ICS = industrial control system; ICS-CERT = Industrial Control Systems Cyber Emergency Response Team; NISTIR = National Institute of Standards and Technology Interagency Report; NSTB = National SCADA Test Bed; NVD = National Vulnerability Database.

References

1. Government Accountability Office (GAO), GAO-04-354: Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. Washington, DC: U.S. GAO (March 2004).

2. Government Accountability Office (GAO), GAO-05-434: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities. Washington, DC: U.S. GAO (May 2005).

3. North American Electric Reliability Corporation (NERC), NERC Critical Infrastructure Protection (CIP) Reliability Standards. Atlanta, GA: NERC (2009).

4. K. Stouffer, J. Falco, and K. Scarfone, NIST SP 800-115: Technical Guide to Information Security Testing and Assessment. Gaithersburg, MD: National Institute of Standards and Technology (September 2008).

5. National Institute of Standards and Technology (NIST), NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans. Gaithersburg, MD: NIST (June 2010).

6. Institute for Security and Open Methodologies (ISECOM), Open Source Security Testing Methodology Manual (OSSTMM) (2010). http://www.isecom.org/osstmm/

7. R. C. Parks, SAND2007-7328: Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment. Albuquerque, NM: Sandia National Laboratories (November 2007).

8. K. Stouffer, J. Falco, and K. Scarfone, NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security. Gaithersburg, MD: National Institute of Standards and Technology (September 2008).

9. Institute of Electrical and Electronics Engineers, IEEE Standard for Electric Power Systems Communications, Distributed Network Protocol (DNP3), IEEE Std 1815-2010, pp. 1–775. IEEE, New York (2010). doi:10.1109/IEEESTD.2010.5518537.

10. M. Majdalawieh, F. Parisi-Presicce, and D. Wijesekera, DNPSec: Distributed Network Protocol version 3 (DNP3) security framework. In K. Elleithy, T. Sobh, A. Mahmood, M. Iskander, and M. Karim, eds., Advances in Computer, Information, and Systems Sciences, and Engineering, pp. 227–234. Springer, Dordrecht, The Netherlands (2006).

11. S. Bromberger, DNS as a Covert Channel Within Protected Networks. Clackamas, OR: National Electric Sector Cybersecurity Organization (NESCO) (January 2011).

12. Bandolier. Digital Bond, Inc. http://www.digitalbond.com/wp-content/uploads/2008/mktg/Bandolier.pdf

13. D. M. Nicol, W. H. Sanders, M. Seri, and S. Singh, Experiences validating the Access Policy Tool in industrial settings. In Proceedings of the 2010 43rd Hawaii International Conference on System Sciences, HICSS '10, pp. 1–8. IEEE Computer Society, Washington, DC (2010).

14. Wireshark, Wireshark: A Network Protocol Analyzer. http://www.wireshark.org

15. G. Rueff, C. Thuen, and J. Davidson, Sophia Proof of Concept Report. Idaho National Laboratory (March 2010).

16. Nmap, Nmap Security Scanner. http://nmap.org

17. Nessus, Tenable Network Security. http://www.nessus.org/nessus/

18. Metasploit, Metasploit Framework. Rapid7. http://www.metasploit.com/

19. National Institute of Standards and Technology (NIST), NISTIR 7628: Guidelines for Smart Grid Cyber Security. Gaithersburg, MD: NIST (August 2010).

20. National Institute of Standards and Technology (NIST), NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations. Gaithersburg, MD: NIST (August 2009).

21. National Institute of Standards and Technology (NIST), National Vulnerability Database. Gaithersburg, MD: NIST. http://nvd.nist.gov/

22. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Department of Homeland Security (DHS) Control Systems Security Program (CSSP). http://www.us-cert.gov/control_systems/ics-cert/

23. Idaho National Laboratory (INL), Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program. Idaho Falls, ID: INL (November 2008).

24. D. C. Bergman, D. Jin, D. M. Nicol, and T. Yardley, The virtual power system testbed and inter-testbed integration. Second Workshop on Cyber Security Experimentation and Test, Montreal, Canada (August 2009).

25. A. Hahn, B. Kregel, M. Govindarasu, J. Fitzpatrick, R. Adnan, S. Sridhar, and M. Higdon, Development of the PowerCyber SCADA security testbed. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW '10, pp. 21:1–21:4. ACM, New York (2010).

26. K. Scarfone and P. Mell, An analysis of CVSS version 2 vulnerability scoring. Third International Symposium on Empirical Software Engineering and Measurement, October 15–16, 2009, Lake Buena Vista, FL (2009).

9 Smart Grid, Automation, and SCADA System Security

Yongge Wang

In this chapter, we discuss the challenges for secure smart energy grid and automation systems. We first describe the current security status and existing attacks on power grid and critical infrastructures. Then, we use the supervisory control and data acquisition (SCADA) system as an example to show the challenges in securing the automation and smart power grid systems. Distributed control systems (DCSs) and SCADA systems were developed to reduce labor costs and to allow system-wide monitoring and remote control from a central location. Control systems are widely used in such critical infrastructures as the smart electric grid, natural gas, water, and wastewater industries. While control systems can be vulnerable to a variety of types of cyber attacks that could have devastating consequences, little research has been done to secure the control systems. The American Gas Association (AGA), International Electrotechnical Commission Technical Committee Working Group 15 (IEC TC57 WG15), Institute of Electrical and Electronics Engineers (IEEE), National Institute of Standards and Technology (NIST), and National SCADA Test Bed Program have been actively designing cryptographic standards to protect SCADA systems. In this chapter, we briefly review these efforts and discuss related security issues.

Contents

9.1 Energy Grid and Supervisory Control and Data Acquisition: A High-Level Introduction 246
9.2 Recent Attacks and Accidents with Energy Systems and Automation Systems 248
9.3 SCADA Security 252
9.3.1 Threats to SCADA Systems 255
9.3.2 Securing SCADA Remote Connections 257
9.3.3 sSCADA Protocol Suite 258
9.3.4 Counter Synchronization 263
9.4 Conclusion 264
References 264

9.1 Energy Grid and supervisory Control and data Acquisition: A high-level introduction

As stated in a Department of Energy (DOE) smart grid white paper,1 the United States is in the process of modernization of the nation's electricity transmission and distribution system "to maintain a reliable and secure electricity infrastructure that can meet future demand growth" (Sec. 1301, p. 1). The major characterizations1 of a modern electrical grid system include

• Improved reliability, security, and efficiency of energy distribution based on modern digital communication and control techniques

• Integration of industries involved in production and sale of energy, including the gas industry (e.g., natural gas extraction and distribution systems), the electrical power industry, the coal industry, and renewable resources (e.g., solar and wind power)

• Integration of demand response technologies such as real-time, automated, interactive technologies that optimize the physical operation of appliances and consumer devices for energy generation, transmission, distribution, and retailing (e.g., metering)

• Deployment of advanced electricity storage and peak-shaving technologies

• Availability of real-time information and control options to consumers

• Integration of cybersecurity techniques within the grid systems

In summary, the smart grid system is a secure and intelligent energy distribution system that delivers energy from suppliers to consumers based on two-way demand and response digital communication technologies to control appliances at consumers' homes to save energy and increase reliability. The smart grid system overlays the existing energy distribution system with digital information management and advanced metering systems. It is obvious that the increased interconnection and automation over the grid systems presents new challenges for deployment and management.

It is challenging to securely and efficiently convert the existing power grid systems to a smart system with these characteristics. According to the U.S. Energy Information Administration website,2 at the end of 2010 there were more than 9,200 electric-generating plants in the United States, including coal, petroleum liquids, petroleum coke, natural gas, other gases, nuclear, hydroelectric, renewables, hydroelectric pumped storage, and other types. These generating plants produced 312,334,000 MWh of electricity during February 2011. The electricity is distributed to consumers via more than 300,000 miles of transmission lines throughout the United States. This power infrastructure was designed for performance rather than security, and the integrated communications protocols were designed for bandwidth efficiency without the consideration of cybersecurity. When moving the current energy distribution infrastructure toward a smart grid, we have to overcome the challenges of integrating network-based security solutions with automation systems, which usually requires a combination of new and legacy components and may not have enough reserved resources to perform security functionalities. In this chapter, we use supervisory control and data acquisition (SCADA) as an example to illustrate the strategies that may be employed for the design of smart grid systems.

Control systems are computer-based systems used within many critical infrastructures and industries (e.g., electric grid, natural gas, water, and wastewater industries) to monitor and control sensitive processes and physical functions. To deploy the smart grid system, there is a trend toward interconnecting SCADA systems and data networks (e.g., intranet). Thus, without a secure SCADA system it is impossible to deploy intelligent smart grid systems.

Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. Control systems may perform additional control functions, such as operating railway switches and circuit breakers and adjusting valves to regulate flow in pipelines. The most sophisticated ones control devices and systems at an even higher level.

Control systems have been in place since the 1930s; there are two primary types of control systems: distributed control systems (DCS) and SCADA systems. DCS systems typically are used within a single processing or generating plant or over a small geographic area. SCADA systems typically are used for large, geographically dispersed distribution operations. For example, a utility company may use a DCS to generate power and a SCADA system to distribute it. We concentrate on SCADA systems, and our discussion is generally applicable to DCS systems.

9.2 Recent Attacks and Accidents with Energy Systems and Automation Systems

Several (real and simulated) attacks on energy and SCADA systems were reported in the past few years.3–13 In the 2000 Maroochy Shire attack,3 an Australian man hacked into the Maroochy Shire, Queensland, computerized waste management system and caused 200,000 gallons of raw sewage to spill out into local parks, rivers, and even the grounds of a Hyatt Regency hotel. It is reported that 49-year-old Vitek Boden had conducted a series of electronic attacks on the Maroochy Shire sewage control system after his job application had been rejected. Later investigations found radio transmitters and computer equipment in Boden's car. The laptop hard drive contained software for accessing and controlling the sewage SCADA systems.

By exploiting a vulnerability in a control system, the simulated Aurora generator test5 conducted in March 2007 by the U.S. Department of Homeland Security resulted in a hacker's remote access to the generator room at the Idaho National Laboratory and the partial destruction of a $1-million diesel-electric generator.

In September 2007, an individual who claimed to be a CUPE (Canadian Union of Public Employees) member hacked into the city computer system in Vancouver that commands the town's traffic lights and set the computer clock 7 h behind.6 The result was that traffic signals geared for midnight were managing traffic for the morning rush hour.

On April 8, 2009, an article7 in the Wall Street Journal by Gorman reported that "cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials" (page 1). The same article mentioned that instead of damaging the power grid or other key infrastructures, the goals of these attacks were to navigate the U.S. electrical system and its controls to map them. To make things worse, these attacks were mainly detected by U.S. intelligence agencies instead of the companies in charge of the infrastructures. In other words, the U.S. utility companies are not ready for the protection of their current infrastructure, let alone the future interconnected smart grid systems. These attacks increase worries about cyberattackers who may take control of electrical facilities, a nuclear power plant, financial networks, or water, sewage, and other infrastructure systems via the Internet.

On Thursday, August 14, 2003, at approximately 4:11 p.m., a widespread power outage occurred throughout parts of the northeastern and midwestern United States and Ontario, Canada. According to a report by the New York Independent System Operator (NYISO),8 this northeastern blackout of 2003 affected approximately 10 million people in Ontario and 45 million people in eight U.S. states; the NYISO megawatt load had a loss of 80% at the height of the outage. The final report14 by the U.S.-Canada Power System Outage Task Force showed that the blackout was triggered by a race condition software bug in General Electric Energy's Unix-based XA/21 energy management system. The bug caused a disruption of service at FirstEnergy's control room, and the alarm system there stopped working for over an hour. After the alert system failure, neither audio nor visual alerts for important changes in system state were available to the operators. The unprocessed events queued up quickly, and the primary server failed within 30 minutes. Then, the server applications (including the failed alert systems) were automatically transferred to the backup server, which failed soon after. The lack of alarms led operators to dismiss a call from American Electric Power (AEP) about the tripping and reclosure of a 345-kV shared line in northeastern Ohio. FirstEnergy's technical support informed control room operators concerning the alarm system just before the massive blackout started.15

Although the software bug triggered this blackout, the U.S.-Canada Power System Outage Task Force report14 listed four major causes for the blackout:

1. FirstEnergy (FE) and its reliability council "failed to assess and understand the inadequacies of FE's system, particularly with respect to voltage instability and the vulnerability of the Cleveland-Akron area, and FE did not operate its system with appropriate voltage criteria" (page 17).

2. FirstEnergy "did not recognize or understand the deteriorating condition of its system" (page 17).

3. FirstEnergy "failed to manage adequately tree growth in its transmission rights-of-way" (page 17).

4. There was "failure of the interconnected grid's reliability organizations to provide effective real-time diagnostic support" (page 17).

The affected infrastructure of the blackout included power generation (power plants automatically went into "safe mode" to prevent damage in the case of an overload); water supply (some areas lost water pressure because pumps did not have power); transportation (trains had no power, and passenger security checking at affected airports ceased); communication systems (cellular communication devices were disrupted, radio stations were momentarily knocked off the air, and cable television systems were disabled); manufacturing (large numbers of factories were closed in the affected area, and freeway congestion in affected areas affected the "just-in-time" supply system).

In June 2010, it was reported9,16 that the Stuxnet worm spreads around the world (with 59% of infected systems in Iran) to subvert SCADA systems. Stuxnet malware targets only Siemens SCADA applications PCS 7, WinCC, and STEP7 that run on Microsoft Windows and Siemens S7 programmable logic controllers (PLCs). The worm initially spreads using USB (universal serial bus) flash drives and then uses four zero-day exploits to infect the Siemens SCADA and HMI (human-machine interface) systems SIMATIC WinCC and PCS 7. Once infected, it attacks PLC systems with variable-frequency drives that spin between 807 and 1,210 Hz. When certain criteria are met, Stuxnet periodically modifies the frequency to 1,410 Hz, then to 2 Hz, and then to 1,064 Hz and thus affects the operation of the connected motors by changing their rotational speed.

In the 2009 Black Hat conference in Las Vegas, Nevada, Mike Davis10 showed a simulation environment in which an attacker could take control of 15,000 of 22,000 home smart meters within 24 h by exploiting design flaws within an unnamed brand of smart meters.

Since November 2009, there have been reported11 coordinated covert and targeted cyber attacks against global oil, energy, and petrochemical companies. These attacks are called the Night Dragon by McAfee.11 An attack first compromises company extranet web servers through Structured Query Language (SQL) injection techniques and then uploads some commonly available hacker tools to the compromised web servers, which will allow the attacker to break into the company's intranet and obtain access to some sensitive internal desktops and servers. By disabling Microsoft Internet Explorer (IE) proxy settings, the attacker achieves direct communication from infected machines to the Internet. The attacker proceeds further to connect to other machines (targeting executives) and exfiltrate e-mail archives and other sensitive documents.

According to Zetter,12 in May 2011, NSS Labs17 researchers spent only 2 months on testing a few SCADA control systems and found several vulnerabilities in Siemens PLC and SCADA control systems that could be exploited by hackers to obtain remote access to the control systems to cause physical destruction to factories and power plants. It should be noted that Siemens PLC and SCADA systems are widely used in the world, controlling critical infrastructure systems such as nuclear power and enrichment plants and commercial manufacturing facilities. Under pressure by the Department of Homeland Security, NSS Labs did not disclose details before Siemens could patch the vulnerabilities. This example shows that when the control systems are interconnected with the intranet, a dedicated attacker could easily mount serious attacks. It should also be noted that, in his dissertation, PhD student Sean Gorman from George Mason University, using materials available publicly on the Internet (see, e.g., Blumenfeld13 and Rappaport18), mapped every business and industrial sector in the American economy to the fiber-optic network that connects them. Similarly, under pressure from the government, Gorman's dissertation has never been made public.

9.3 SCADA Security

In this section, we demonstrate the challenges to secure the current automation systems, such as SCADA systems, with examples. Parts of these analyses were taken from the work of Wang.19 In a typical SCADA system,20 data acquisition and control are performed by remote terminal units (RTUs) and field devices that include functions for communications and signaling. SCADA systems normally use a poll response model for communications with cleartext messages. Poll messages are typically small (less than 16 bytes), and responses might range from a short "I am here" to a dump of an entire day's data. Some SCADA systems may also allow for unsolicited reporting from remote units. The communications between the control center and remote sites could be classified into the following four categories.

1. Data acquisition: The control center sends poll (request) messages to RTUs, and the RTUs dump data to the control center. In particular, this includes status scan and measured value scan. The control center regularly sends a status scan request to remote sites to obtain field device status (e.g., OPEN or CLOSED or a fast CLOSED-OPEN-CLOSED sequence) and a measured value scan request to obtain measured values of field devices. The measured values could be analog values or digitally coded values and are scaled into engineering format by the front-end processor (FEP) at the control center.

2. Firmware download: The control center sends firmware downloads to remote sites. In this case, the poll message is larger (e.g., larger than 64,000 bytes) than in other cases.

3. Control functions: The control center sends control commands to an RTU at remote sites. Control functions are grouped into four subclasses: individual device control (e.g., to turn on/off a remote device); control messages to regulating equipment (e.g., a raise/lower command to adjust the remote valves); sequential control schemes (a series of correlated individual control commands); and automatic control schemes (e.g., closed control loops).

4. Broadcast: The control center may broadcast messages to multiple RTUs. For example, the control center broadcasts an emergency shutdown message or a set-the-clock-time message.

Acquired data are automatically monitored at the control center to ensure that measured and calculated values lie within permissible limits. The measured values are monitored with regard to rate of change and for continuous trend monitoring. They are also recorded for postfault analysis. Status indications are monitored at the control center with regard to changes and time tagged by the RTUs. In legacy SCADA systems, existing communication links between the control center and remote sites operate at very low speeds (could be on an order of 300 to 9,600 bps). Note that present deployments of SCADA systems have variant models and technologies, which may have much better performance (for example, 61850-based systems). Figure 9.1 describes a simple SCADA system.

In practice, more complicated SCADA system configurations exist. Figure 9.2 lists three typical SCADA system configurations (see, e.g., report no. 12 of the American Gas Association [AGA]21).

Recently, there have been several efforts to secure the national SCADA systems. Examples exist for the following organizations and standards:

1. American Gas Association.21 The AGA was among the first to design a cryptographic standard to protect SCADA systems. The AGA had originally been designing a cryptographic standard to protect SCADA communication links; the finished report is AGA 12, Part 1. AGA 12, Part 2, has been transferred to the Institute of Electrical and Electronics Engineers (IEEE) (IEEE 1711).

2. IEEE 1711.22 This was transferred from AGA 12, Part 2. This standard effort tries to define a security protocol, the Serial SCADA Protection Protocol (SSPP), for control system serial communication.

Figure 9.1 A simple SCADA system. WAN, wide-area network. [Figure: the control center (FEP, modem, WAN card, antenna) is connected to remote-site RTUs over leased lines and radio or microwave links.]

3. IEEE 1815.23 Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3). The purpose of this standard is to document and make available the specifications for the DNP3 protocol.

4. International Electrotechnical Commission Technical Committee Working Group 15 (IEC TC 57 WG 15).24,25 The IEC TC 57 WG 15 standardized SCADA communication security via its IEC 60870-5 series.

5. National Institute of Standards and Technology (NIST).26 The NIST industrial control system security (ICS) group works on general security issues related to control systems such as SCADA systems.

6. National SCADA Test Bed Program.27 The DOE established the National SCADA Test Bed program at Idaho National Laboratory and Sandia National Laboratory to ensure the secure, reliable, and efficient distribution of power.

Figure 9.2 Typical SCADA system configurations. [Figure: (a) SCADA system with point-to-point configuration; (b) SCADA system with RTUs connected in a series-star configuration; (c) SCADA system with RTUs in a multi-drop architecture. Each panel shows the control center FEP and modems (with a splitter in the series-star case) connected to the remote RTUs.]

9.3.1 Threats to SCADA Systems

SCADA systems were not designed with public access in mind; they typically lack even rudimentary security. However, with the advent of technology, particularly the Internet, much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries. Critical security flaws for SCADA systems are well known to potential attackers. It is feared that SCADA systems can be taken over by hackers, criminals, or terrorists. Some companies may assume that they use leased lines and therefore nobody has access to their communications. The fact is that it is easy to tap these lines.28 Similarly, frequency-hopping spread-spectrum radio and other wireless communication mechanisms frequently used to control RTUs can be compromised as well.

Several efforts26,27,29 have been made for the analysis and protection of SCADA system security. According to these reports,26,27,29 the factors that have contributed to the escalation of risk to SCADA systems include the following:

• The adoption of standardized technologies with known vulnerabilities. In the past, proprietary hardware, software, and network protocols made it difficult to understand how SCADA systems operated, and therefore how to hack into them. Today, standardized technologies such as Windows, Unix-like operating systems, and common Internet protocols are used by SCADA systems. Thus, the number of people with knowledge to wage attacks on SCADA systems has increased.

• The connectivity of control systems to other networks. To provide decision makers with access to real-time information and allow engineers to monitor and control the SCADA systems from different points on the enterprise networks, the SCADA systems are normally integrated into the enterprise networks. Enterprises are often connected to partners' networks and to the Internet. Some enterprises may also use wide-area networks and the Internet to transmit data to remote locations. This creates further security vulnerabilities in SCADA systems.

• Insecure remote connections. Enterprises often use leased lines, wide-area networks/Internet, and radio/microwave to transmit data between control centers and remote locations. These communication links could be easily hacked.

• The widespread availability of technical information about control systems. Public information about infrastructures and control systems is readily available to potential hackers and intruders. Sean Gorman's dissertation (see, e.g.,13,18), mentioned previously, is a good example for this scenario. Significant information on SCADA systems is publicly available (from maintenance documents, from former employees, and from support contractors, etc.). All these information sources could assist hackers in understanding the systems and finding ways to attack them.

Hackers may attack SCADA systems with one or more of the following actions:

1. Causing denial-of-service attacks by delaying or blocking the flow of information through control networks

2. Making unauthorized changes to programmed instructions in RTUs at remote sites, resulting in damage to equipment, premature shutdown of processes, or even disabling of control equipment

3. Sending false information to control system operators to disguise unauthorized changes or to initiate inappropriate actions by system operators

4. Modifying the control system software, producing unpredictable results

5. Interfering with the operation of safety systems

The analysis in reports26,27,29 showed that securing control systems poses significant challenges, which include

1. The limitations of current security technologies in securing control systems. Existing Internet security technologies such as authorization, authentication, and encryption require more bandwidth, processing power, and memory than control system components typically have. Controller stations are generally designed to do specific tasks, and they often use low-cost, resource-constrained microprocessors.

257smart Grid and sCada seCurity

2.Theperceptionthatsecuringcontrolsystemsmaynotbeeco-nomicallyjustifiable.

3.Theconflictingprioritieswithinorganizationsregardingthesecurityofcontrol systems. in thischapter,weconcentrateontheprotectionofscadaremotecommunicationlinks.in particular, we discuss the challenges for protection ofthese links anddesignnew security technologies to securescadasystems.

9.3.2 Securing SCADA Remote Connections

Relatively cheap attacks could be mounted on SCADA system communication links between the control center and RTUs since there is neither authentication nor encryption on these links. Under the umbrella of NIST's Critical Infrastructure Protection Cybersecurity of Industrial Control Systems, the AGA SCADA Encryption Committee has been trying to identify the functions and requirements for authenticating and encrypting SCADA communication links. Their proposal21 is to build cryptographic modules that could be invisibly embedded into existing SCADA systems (in particular, one could attach these cryptographic modules to modems, such as those of Figure 9.2) so that all messages between modems are encrypted and authenticated when necessary, and they have identified the basic requirements for these cryptographic modules. However, due to the constraints of SCADA systems, no viable cryptographic protocols have been identified to meet these requirements. In particular, the challenges for building these devices are21

1. Encrypting of repetitive messages.

2. Minimizing delays due to cryptographic operations.

3. Ensuring integrity with minimal latency:

• Intramessage integrity: If cryptographic modules buffer a message until the message authenticator is verified, it introduces message delays that are not acceptable in most cases.

• Intermessage integrity: Reorder messages, replay messages, and destroy specific messages.

4. Accommodating various SCADA poll response and retry strategies: Delays introduced by cryptographic modules may interfere with the SCADA system's error-handling mechanisms (e.g., time-out errors).

5. Supporting broadcast messages.

6. Incorporating key management.

7. Controlling the cost of devices and management.

8. Dealing with a mixed mode: Some SCADA systems have cryptographic capabilities; others do not.

9. Accommodating different SCADA protocols: SCADA devices are manufactured by different vendors with different proprietary protocols.

Wang19 has recently designed efficient cryptographic mechanisms to address these challenges and to build cryptographic modules as recommended in AGA report no. 12.21 These mechanisms can be used to build plug-in devices called sSCADA (secure SCADA) devices that could be inserted into SCADA networks so that all communication links are authenticated and encrypted. In particular, authenticated broadcast protocols are designed so that they can be cheaply included into these devices. It has been a major challenging task to design efficiently authenticated emergency broadcast protocols in SCADA systems.

9.3.3 sSCADA Protocol Suite

The sSCADA protocol suite19 is proposed to overcome the challenges discussed in the previous section. An sSCADA device installed at the control center is called a master sSCADA device, and sSCADA devices installed at remote sites are called slave sSCADA devices. Each master sSCADA device may communicate privately with several slave sSCADA devices. Occasionally, the master sSCADA device may also broadcast authenticated messages to several slave sSCADA devices (e.g., an emergency shutdown). An illustrative sSCADA device deployment for point-to-point SCADA configuration is shown in Figure 9.3.

It should be noted that the AGA had originally designed a protocol suite to secure the SCADA systems21,30 (an open source implementation could be found in reference 31). However, Wang19 has broken these protocol suites by mounting a replay attack.

To reduce the cost of sSCADA devices and management, only symmetric key cryptographic techniques are used in our design. Indeed, due to the slow operations of public key cryptography, public key cryptographic protocols could introduce delays in message transmission that are not acceptable to SCADA protocols. The semantic security property32 is used to ensure that an eavesdropper has no information about the plaintext, even if the eavesdropper sees multiple encryptions of the same plaintext. For example, even if the attacker has observed the ciphertexts of "shut down" and "turn on," it will not help the attacker to distinguish whether a new ciphertext is the encryption of "shut down" or "turn on." In practice, the randomization technique is used to achieve this goal. For example, the message sender may prepend a random string (e.g., 128 bits for Advanced Encryption Standard [AES] 128) to the message and use special encryption modes such as cipher block chaining (CBC) mode or hash-CBC (HCBC) mode. In some modes, this random string is called the initialization vector (IV). This prevents information leakage from the ciphertext even if the attacker knows several plaintext/ciphertext pairs encrypted with the same key.

Since SCADA communication links could be as slow as 300 bps and immediate responses are generally required, there is not sufficient bandwidth to send the random string (IV) each time with the ciphertext; thus, we need to design different cryptographic mechanisms to achieve semantic security without additional transmission overhead. In our design, we use two counters shared between two communicating partners, one for each direction of communication.

The counters are initially set to zeros and should be at least 128 bits, which ensures that the counter values will never repeat, avoiding replay attacks. The counter is used as the IV in message encryptions if CBC or HCBC mode is used. After each message encryption, the counter is increased by one if CBC mode is used, and it is increased by the number of blocks of encrypted data if the HCBC mode is used. The two communicating partners are assumed to know the values of the counters, and the counters do not need to be added to each ciphertext. Messages may become lost, and the two counters need to be synchronized occasionally (e.g., at off-peak time). A simple counter synchronization protocol is proposed for the sSCADA protocol suite. The counter synchronization protocol could also be initiated when some encryption/decryption errors appear due to unsynchronized counters.

Figure 9.3 sSCADA with point-to-point SCADA configuration. [Figure: control center FEP, master sSCADA device, and modem on one side; modem, slave sSCADA device, and RTU at the remote site.]

For two sSCADA devices to establish a secure channel, a master secret key needs to be bootstrapped into the two devices at deployment time (or when a new sSCADA device is deployed into the existing network). For most configurations, secure channels are needed only between a master sSCADA device and a slave sSCADA device. For some configurations, secure channels among slave sSCADA devices may also be needed. The secure channel identified with this master secret is used to establish other channels, such as session secure channels, time synchronization channels, authenticated broadcast channels, and authenticated emergency channels.

Assume that $H(\cdot)$ is a pseudorandom function (e.g., constructed from Secure Hash Algorithm [SHA]-256) and two sSCADA devices $A$ and $B$ share a secret $K_{AB} = K_{BA}$. Depending on the security policy, this key $K_{AB}$ could be the shared master secret or a shared secret for one session that could be established from the shared master key using a simple key establishment protocol (to achieve session key freshness, typically one node sends a random nonce to the other one, and the other node sends the encrypted session key together with an authenticator on the ciphertext and the random nonce). Keys for different purposes could be derived from this secret as follows (it is not a good practice to use the same key for different purposes): for example, $K_{AB} = H(K_{AB}, 1)$ is for message encryption from $A$ to $B$, $K'_{AB} = H(K_{AB}, 2)$ is for message authentication from $A$ to $B$, $K_{BA} = H(K_{AB}, 3)$ is for message encryption from $B$ to $A$, and $K'_{BA} = H(K_{AB}, 4)$ is for message authentication from $B$ to $A$.

Optional message authentication codes (MACs) are used for two parties to achieve data authentication and integrity. MACs that could be used for sSCADA implementation include HMAC,33,34 CBC-MAC,35 and others. When party $A$ wants to send a message $m$ to party $B$ securely, $A$ computes the ciphertext $c = E(C_A, K_{AB}, c_A \| m)$ and message authenticator $mac = MAC(K'_{AB}, C_A \| c)$, where $c_A$ is the last $l$ bits of $H(C_A)$ ($l$ could be as large as possible if bandwidth is allowed, and 32 bits should be the minimum), $E(C_A, K_{AB}, c_A \| m)$ denotes the encryption of $c_A \| m$ using key $K_{AB}$ and random prefix (or IV) $C_A$, and $C_A$ is the counter value for the communication from $A$ to $B$. Then, $A$ sends the following packets to $B$:

$A \to B: c, \; mac \text{ (optional)}$

When $B$ receives these packets, $B$ decrypts $c$, checks that $c_A$ is correct, and verifies the message authenticator $mac$ if $mac$ is present. As soon as $B$ receives the first block of the ciphertext, $B$ can check whether $c_A$ is correct. If it is correct, then $B$ continues the decryption and updates its counter. Otherwise, $B$ discards the entire ciphertext. If the message authenticator code $mac$ is present, $B$ also verifies the correctness of $mac$. If $mac$ is correct, $B$ does nothing; otherwise, $B$ may choose to inform $A$ that the message was corrupted or try to resynchronize the counters.

Thereareseveralimplementationissuesonhowtodeliverthemes-sagetothetarget(e.g.,rtU).forexample,therearethefollowing:

1. Busesthecountertodecryptthefirstblockoftheciphertext;if the first l bits of the decrypted plaintext are not consis-tentwithH( )CA ,thenthereasoncouldbethatthecounterCA is not synchronized or that the ciphertext is corrupted.Bmaytryseveralpossiblecountersuntilthecounter-check-ingprocesssucceeds.Bthenusestheverifiedcounterandthecorrespondingkey todecrypt themessage anddeliver eachblockof the resultingmessage to the targetas soonas it isavailable. ifnocountercouldbeverified ina limitednum-beroftrials,BmaynotifyAofthetransmissionfailureandinitiatethecountersynchronizationprotocolinthenextsec-tion.Theadvantageof this implementation is thatwehaveminimizeddelayfromthecryptographicdevices,thusmini-mizing the interferenceofscadaprotocols.note that inthis implementation, the message authenticator mac is notused. if the ciphertext was tampered, we rely on the errorcorrection mechanisms (normally crc codes) in scadasystemstodiscardtheentiremessage.ifcBc(respectively

262 seCurity and PrivaCy in smart Grids

hcBc) mode is used, then the provable security proper-ties (respectively provable online cipher security properties)ofcBcmode(respectivelyhcBcmode)36,37guaranteethattheattackerhasnochancetotamperwiththeciphertext,sothatthedecryptedplaintextcontainsacorrectcrcthatwasusedbyscadaprotocolstoachieveintegrity.

2.Proceedasincase1.inaddition,themacisfurtherchecked,andthedecryptedmessageisdeliveredtothescadasystemonlyifthemacverificationpasses.Thedisadvantageforthisimplementationisthatthesecryptographicoperationsintro-ducesignificantdelayformessagedelivery,anditmayinterferewithscadaprotocols.

3.Proceedasincase1.Thedecryptedmessageisdeliveredtothescadasystemassoonasavailable.afterreceivingtheentiremessageandmac,Bwillalsoverifymac.iftheverifica-tionpasses,Bwilldonothing.otherwise,BresynchronizesthecounterwithAorinitiatessomeotherexception-handlingprotocols.

4. To avoid delays introduced by cryptographic operations and to check the MAC at the same time, SSCADA devices may deliver decrypted bytes immediately to the target except the last byte. If the message authenticator MAC is verified successfully, the SSCADA device delivers the last byte to the target; otherwise, the SSCADA device discards the last byte or sends a random byte to the target. That is, we rely on the error detection mechanisms at the target to discard the entire message. Similar mechanisms have been proposed.21 However, an attacker may insert garbage between the ciphertext and the MAC, thus tricking the SSCADA device into delivering the decrypted message to the SCADA system before the MAC check can fail. If this happens, we essentially gain no advantage from this implementation. Thus, this implementation is not recommended.

5. Instead of prepending c_A to the plaintext message, one may choose to prepend three bytes of some other specially formatted string to the plaintext message (bandwidth of three bytes is normally available in SCADA systems) before encryption. This is an acceptable solution, although we still prefer our solution of prepending the hash output of the counter.


There could be other implementations to improve the performance and interoperability with SCADA protocols. SSCADA devices should provide several possible implementations for users to configure. Indeed, SSCADA devices may also be configured in a dynamic way so that different implementations are used for different messages.
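The receiving side of implementations 1 and 3 above, written out as an added Go example (this is not code from the book or from the sSCADA implementation it describes). A prepends c_A = the first l bits of H(C_A) to the message, encrypts under a key and IV tied to C_A, and MACs C_A || m. B decrypts only the first block for each candidate counter in a small window, accepts the first candidate whose leading l bits match, hands each further block to the RTU as soon as it is decrypted, advances its counter, and checks the MAC last, as implementation 3 prescribes. Everything the chapter leaves open is an assumption here: AES-128 in CBC mode, HMAC-SHA256 as the MAC, per-message key and IV derived as SHA-256(K_AB || label || C_A), H = SHA-256, l = 24 bits, a resynchronization window of four counters, PKCS#7 padding, and the keys and command strings, which are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const checkLen = 3 // l = 24 bits of H(C_A) in front of the plaintext (the 3 spare bytes of item 5)
// Device is one end of the pair: K_AB (encryption), K'_AB (MAC), and its view of C_A.
type Device struct {
	encKey, macKey []byte
	counter        uint32 // A: its own C_A; B: the C_A it expects next
}

func ctr(c uint32) []byte { return binary.BigEndian.AppendUint32(nil, c) }
// sha is SHA-256 over the concatenation of its arguments; H in the text is taken to be SHA-256 (assumed).
func sha(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}
// derive is an assumed KDF (the text only says "the verified counter and the corresponding key"):
// the per-message AES-128 key and CBC IV are SHA-256(K_AB || label || C_A)[:16].
func derive(key []byte, label string, c uint32) []byte { return sha(key, []byte(label), ctr(c))[:16] }
// checkValue is c_A, the first l bits of H(C_A).
func checkValue(c uint32) []byte { return sha(ctr(c))[:checkLen] }
// tag is MAC(K'_AB, C_A || m), instantiated as HMAC-SHA256 (assumed).
func tag(macKey []byte, c uint32, m []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(ctr(c))
	h.Write(m)
	return h.Sum(nil)
}

// Seal is A's side: CBC-encrypt c_A || m || PKCS#7 pad under the key/IV for C_A, MAC C_A || m, advance C_A.
func (a *Device) Seal(m []byte) (ct, mac []byte) {
	pt := append(append([]byte{}, checkValue(a.counter)...), m...)
	n := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(n)}, n)...)
	blk, _ := aes.NewCipher(derive(a.encKey, "enc", a.counter))
	ct = make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, derive(a.encKey, "iv", a.counter)).CryptBlocks(ct, pt)
	mac = tag(a.macKey, a.counter, m)
	a.counter++
	return ct, mac
}

// Open is B's side under implementation 3: decrypt only the first block for each candidate counter in
// [counter, counter+window), accept the first whose leading l bits equal H(C_A), hand every further
// block to the RTU as soon as it is decrypted, update the counter, and check the MAC last.
func (b *Device) Open(ct, mac []byte, window uint32, deliver func([]byte)) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	for i := uint32(0); i < window; i++ {
		c := b.counter + i
		blk, _ := aes.NewCipher(derive(b.encKey, "enc", c))
		dec := cipher.NewCBCDecrypter(blk, derive(b.encKey, "iv", c))
		pt := make([]byte, aes.BlockSize)
		dec.CryptBlocks(pt, ct[:aes.BlockSize])
		if !bytes.Equal(pt[:checkLen], checkValue(c)) {
			continue // wrong counter or corrupted first block: try the next candidate
		}
		deliver(pt[checkLen:]) // the RTU's own framing and CRC take care of the padding at the end
		for off := aes.BlockSize; off < len(ct); off += aes.BlockSize {
			out := make([]byte, aes.BlockSize)
			dec.CryptBlocks(out, ct[off:off+aes.BlockSize]) // CBC chaining state carries over between calls
			deliver(out)
			pt = append(pt, out...)
		}
		b.counter = c + 1 // counter verified: advance even if the MAC fails below
		n := int(pt[len(pt)-1])
		if n == 0 || n > aes.BlockSize || len(pt)-n < checkLen || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
			return nil, errors.New("padding invalid after delivery: resynchronize or raise an exception")
		}
		m := pt[checkLen : len(pt)-n]
		if !hmac.Equal(mac, tag(b.macKey, c, m)) {
			return nil, errors.New("MAC failed after delivery: resynchronize or raise an exception")
		}
		return m, nil
	}
	return nil, errors.New("no counter in window verified: initiate counter synchronization")
}

func main() {
	k, kp := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed K_AB and K'_AB
	a, b := &Device{encKey: k, macKey: kp, counter: 7}, &Device{encKey: k, macKey: kp, counter: 7}
	ct, mac := a.Seal([]byte("OPEN BREAKER 12")) // constructed sample command
	m, err := b.Open(ct, mac, 4, func(blk []byte) { fmt.Printf("  to RTU: %x\n", blk) })
	fmt.Printf("accepted=%q err=%v; B now expects C_A=%d\n", m, err, b.counter)
	_, err = b.Open(ct, mac, 4, func([]byte) {}) // replay: C_A=7 is now below B's window
	fmt.Println("replay:", err)
}
```

Two properties of the text fall out of the code: a frame whose counter B has already passed is rejected by the first-block check, which is the replay protection, and a frame with a wrong counter inside the window is accepted without a round trip, which is the "try several possible counters" step. A tampered later block is still delivered to the RTU before the MAC check fails, which is exactly the trade-off implementation 3 makes against implementation 2.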

In some SCADA communications, message authentication only is sufficient. That is, it is sufficient for A to send (m, MAC) to B, where m is the cleartext message and MAC = MAC(K′_AB, C_A || m). SSCADA devices should provide configuration options to perform message authentication without encryption. In this case, even if the counter value is not used as the IV, the counter value should still be authenticated in the MAC and be increased after the operation. This will provide message freshness assurance and avoid replay attacks. SSCADA should also support a message pass-through mode. That is, the message is delivered without encryption and authentication. In summary, it should be possible to configure an SSCADA device in such a way that some messages are authenticated and encrypted, some messages are authenticated only, and some messages are passed through directly.

9.3.4 Counter Synchronization

In the point-to-point message authentication and encryption protocol, we assume that both SSCADA devices A and B know each other's counter values C_A and C_B, respectively. In most cases, reliable communication in SCADA systems is provided, and the security protocols in the previous section work fine. Still, we provide a counter synchronization protocol so that SSCADA devices can synchronize their counters when necessary. The counter synchronization protocol could be initiated by either side. Assume that A initiates the counter synchronization protocol. Then, the protocol looks as follows:

$$A \rightarrow B:\ N_A$$
$$B \rightarrow A:\ C_B,\ \mathrm{MAC}(K'_{AB},\ N_A \,\|\, C_B)$$

Here N_A is a fresh nonce chosen by A, so B's reply is bound to this run of the protocol and an old reply cannot be replayed to A.

The initial counter values of two SSCADA devices could be bootstrapped directly. The counter synchronization protocol presented could also be used by two devices to bootstrap the initial counter values. A master SSCADA device may also use the authenticated broadcast channel that we discuss in the next section to set the counters of several slave SSCADA devices to the same value using one message.
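The authenticate-only and pass-through modes of the previous section together with this two-message synchronization exchange, as an added Go example (not the book's code and not the sSCADA implementation it refers to). The MAC is HMAC-SHA256, the nonce N_A is 16 random bytes, counters are 32-bit, and the receiver tolerates a small window of skipped peer counters so that one lost frame does not force a resynchronization; all four are assumptions, as are the key and message strings, which are constructed sample data. The exchange is implemented as the text gives it, with only B's reply authenticated.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Mode is chosen per message; the text wants an sSCADA device to offer all of these.
type Mode int

const (
	PassThrough Mode = iota // delivered as-is, no encryption, no authentication
	AuthOnly                // (m, MAC(K'_AB, C_A || m)); C_A still advances after each send
)

// Peer is one sSCADA device's view of a link: the MAC key K'_AB, its own counter and the peer's.
type Peer struct {
	macKey  []byte
	ownCtr  uint32 // C_self: authenticated in every frame we send, then incremented
	peerCtr uint32 // the next counter value we expect from the other side
}

type Frame struct {
	Mode Mode
	M    []byte
	Tag  []byte
}

func u32(c uint32) []byte { return binary.BigEndian.AppendUint32(nil, c) }

// mac is MAC(key, parts...), instantiated with HMAC-SHA256 (assumed; the text fixes no MAC).
func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func (p *Peer) Send(mode Mode, m []byte) Frame {
	if mode == PassThrough {
		return Frame{Mode: mode, M: m}
	}
	f := Frame{Mode: mode, M: m, Tag: mac(p.macKey, u32(p.ownCtr), m)}
	p.ownCtr++
	return f
}

// Receive accepts an AuthOnly frame only under the expected peer counter or a few values ahead
// (window, an assumption, lets a lost frame pass without a resync). A captured frame is dead once
// the counter has moved past it, which is the replay protection the text asks for.
func (p *Peer) Receive(f Frame, window uint32) ([]byte, error) {
	if f.Mode == PassThrough {
		return f.M, nil
	}
	for i := uint32(0); i < window; i++ {
		c := p.peerCtr + i
		if hmac.Equal(f.Tag, mac(p.macKey, u32(c), f.M)) {
			p.peerCtr = c + 1
			return f.M, nil
		}
	}
	return nil, errors.New("no counter in window authenticates this frame: resynchronize")
}

// Counter synchronization with A initiating, the two-message exchange above:
//   A -> B: N_A            B -> A: C_B, MAC(K'_AB, N_A || C_B)
func (a *Peer) SyncRequest() []byte {
	nA := make([]byte, 16) // nonce size is an assumption
	if _, err := rand.Read(nA); err != nil {
		panic(err)
	}
	return nA
}

func (b *Peer) SyncResponse(nA []byte) (cB uint32, tag []byte) {
	return b.ownCtr, mac(b.macKey, nA, u32(b.ownCtr))
}

// SyncFinish is A checking B's reply against the nonce it just sent; an old reply (or one forged
// without K'_AB) fails here and A's view of C_B is left untouched.
func (a *Peer) SyncFinish(nA []byte, cB uint32, tag []byte) error {
	if !hmac.Equal(tag, mac(a.macKey, nA, u32(cB))) {
		return errors.New("sync response is not authentic for our nonce")
	}
	a.peerCtr = cB
	return nil
}

func main() {
	key := []byte("constructed-K'AB-mac-key")
	a, b := &Peer{macKey: key, ownCtr: 1, peerCtr: 1}, &Peer{macKey: key, ownCtr: 1, peerCtr: 1}
	f := b.Send(AuthOnly, []byte("BREAKER 12 CLOSED")) // constructed status report
	m, err := a.Receive(f, 4)
	fmt.Printf("delivered %q err=%v\n", m, err)
	_, err = a.Receive(f, 4)
	fmt.Println("replay:", err)
	b.ownCtr = 5000 // B restarted or drifted far beyond A's window
	_, err = a.Receive(b.Send(AuthOnly, []byte("BREAKER 12 CLOSED")), 4)
	fmt.Println("after drift:", err)
	nA := a.SyncRequest()
	cB, tag := b.SyncResponse(nA)
	fmt.Println("sync:", a.SyncFinish(nA, cB, tag), "A now expects C_B =", a.peerCtr)
}
```

The counter does the work in both places: in AuthOnly mode it is what makes a second copy of the same frame fail, and in the synchronization exchange it is the value A gets back, bound to A's nonce so that an attacker cannot feed A a stale counter to reopen a replay window.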

9.4 Conclusion

In this chapter, we discussed the challenges for smart grid system security. We then used control systems (in particular, SCADA systems) as examples for studying how to address these challenges. In particular, we mentioned Wang's attack19 on the protocols in the first version of the AGA standard draft.30 This attack showed that the security mechanisms in the first draft of the AGA standard protocol could be easily defeated. We then proposed a suite of security protocols optimized for SCADA/DCS systems. These protocols are designed to address the specific challenges of SCADA systems.

Recently, there has been wide interest in the secure design and implementation of smart grid systems.38 The SCADA system is one of the most important legacy systems of the smart grid. Together with other efforts such as those offered in IEEE 1711,22 IEEE 1815,23 IEC TC 57,24 IEC 60870-5,25 NIST industrial control system security,26 and the National SCADA Test Bed Program,27 the work in this chapter presents an initial step for securing the SCADA section of smart grid systems against cyber attacks.

References

1. Department of Energy. Title XIII—Smart Grid (2010). http://www.oe.energy.gov/documentsandMedia/eisa_title_Xiii_smart_Grid.pdf

2. U.S. Energy Information Administration. Net Generation by Energy Source: Total (All Sectors) (2011). http://www.eia.gov/cneaf/electricity/epm/table1_1.html

3. M. Abrams and J. Weiss. Malicious Control System Cyber Security Attack Case Study—Maroochy Water Services, Australia (2010). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Maroochy-water-services-case-study_briefing.pdf

4. M.Abrams and J. Weiss. Bellingham, Washington, Control System Cyber Security Case Study (2007). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Bellingham_case_study_report2020sep071.pdf

5. USA Today. Aurora case: U.S. video shows hacker hit on power grid (2007). http://www.usatoday.com/tech/news/computersecurity/2007-09-27-hacker-video_n.htm

6. SPAMfighter. Vancouver city police investigating possible sabotage of traffic light computer system (2007). http://www.spamfighter.com/news_show_other.asp?M=10&Y=2007

7. S. Gorman. Electricity grid in US penetrated by spies. Wall Street Journal (April 8, 2009). http://online.wsj.com/article/sB123914805204099085.html

8. New York Independent System Operator. NYISO Interim Report on the August 14, 2003 Blackout (2004). http://www.hks.harvard.edu/hepg/Papers/nYiso.blackout.report.8.Jan.04.pdf

9. G. Keizer. Is Stuxnet the "best" malware ever? (2010). http://www.infoworld.com/print/137598

10. M. Davis. SmartGrid device security: adventures in a new medium (2009). http://www.blackhat.com/presentations/bh-usa-09/Mdavis/BhUsa09-davis-aMi-slides.pdf

11. McAfee. Global energy cyberattacks: Night Dragon (February 2011). http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

12. K. Zetter. Fearing industrial destruction, researcher delays disclosure of new Siemens SCADA holes (2011). http://www.wired.com/threatlevel/2011/05/siemens-scada-vulnerabilities/

13. L. Blumenfeld. Dissertation could be security threat. Washington Post (July 7, 2003). http://www.washingtonpost.com/ac2/wp-dyn/a23689-2003Jul7

14. U.S.-Canada Power System Outage Task Force. Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004). https://reports.energy.gov/Blackoutfinal-web.pdf

15. North American Electric Reliability Council. Technical Analysis of the August 14, 2003, Blackout: What Happened, Why, and What Did We Learn? (2004). http://www.nerc.com/docs/docs/blackout/nerc_final_Blackout_report_07_13_04.pdf

16. N. Falliere, L. Murchu, and E. Chien. W32.Stuxnet dossier (February 2011). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

17. NSS Labs. Homepage. http://www.nsslabs.com/

18. J. Rappaport. What you don't know might hurt you: alum's work balances national security and information sharing. http://gazette.gmu.edu/articles/11144

19. Y. Wang. sSCADA: securing SCADA infrastructure communications. International Journal of Communication Networks and Distributed Systems 6(1), 59–78 (2011).

20. T. Cegrell. Power System Control Technology. Prentice-Hall International, Harlow, UK (1986).

21. American Gas Association. AGA Report No. 12. Cryptographic Protection of SCADA Communications: General Recommendations. Draft 2, February 5, 2004. Draft 2 is no longer available online. Draft 3 (2010) is available for purchase. http://www.aga.org/

22. Institute of Electrical and Electronics Engineers. IEEE 1711. Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links (2011). http://standards.ieee.org/findstds/standard/1711-2010.html

23. Institute of Electrical and Electronics Engineers. IEEE 1815. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3) (2010). http://grouper.ieee.org/groups/1815/

24. International Electrotechnical Commission. IEC TC 57. Focus on the IEC TC 57 Standards (2010). http://www.ieee.org/portal/cms_docs_pes/pes/subpages/publications-folder/tc_57_column.pdf

25. International Electrotechnical Commission. IEC 60870-5. Group Maillist Information (2010). http://www.trianglemicroworks.com/iec60870-5/index.htm

26. National Institute of Standards and Technology (NIST). NIST Industrial Control System Security (ICS) (2011). http://csrc.nist.gov/groups/sMa/fisma/ics/index.html

27. Idaho National Laboratory. National SCADA Test Bed Program (2011). http://www.inl.gov/scada/

28. Granite Island Group. Wiretapping and outside plant security—wiretapping 101 (2011). http://www.tscm.com/outsideplant.html

29. General Accounting Office. GAO-04-628. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform (March 30, 2004). http://www.gao.gov/new.items/d04628t.pdf

30. A. K. Wright, J. A. Kinast, and J. McCarty. Low-Latency Cryptographic Protection for SCADA Communications. In Proc. 2nd Int. Conf. on Applied Cryptography and Network Security, ACNS 2004, vol. 3809, LNCS, pp. 263–277. Springer-Verlag, New York (2004).

31. A. Wright. SCADASafe (2006). http://scadasafe.sourceforge.net

32. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984).

33. M. Bellare, R. Canetti, and H. Krawczyk. Message authentication using hash functions—the HMAC construction. RSA Laboratories CryptoBytes 2(1) (Spring 1996).

34. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. Internet RFC 2104 (February 1997).

35. National Institute of Standards and Technology (NIST). DES Modes of Operation. FIPS Publication 81. NIST, Gaithersburg, MD (1981). http://www.itl.nist.gov/fipspubs/fip81.htm

36. M. Bellare, A. Boldyreva, L. Knudsen, and C. Namprempre. On-line ciphers and the Hash-CBC constructions. In Advances in Cryptology—Crypto 2001, vol. 2139, LNCS, pp. 292–309. Springer-Verlag, New York (2001).

37. M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399 (2000).

38. Department of Energy. Study of Security Attributes of Smart Grid Systems—Current Cyber Security Issues (April 2009). http://www.inl.gov/scada/publications/d/securing_the_smart_grid_current_issues.pdf

10 Smart Grid Security in the Last Mile

Tae Oh, Sumita Mishra, and Clark Hochgraf

Contents

10.1 Introduction 271
10.2 Smart Grid System Architecture in the Last Mile 271
10.3 Control System Perspective: Impact of the Smart Grid on Electric Power System Stability 272
10.4 Planning for Security and Privacy 272
10.5 Security Threats in the Field-Area Network/Neighbor-Area Network 274
10.5.1 Physical-Layer Attacks 274
10.5.2 Link-Layer Attacks 274
10.5.3 Network-Layer Attacks 275
10.5.4 Internet Protocol Addressing Specific Attacks 276
10.5.5 Transport-Layer Attacks 276
10.5.6 Application-Layer Attacks 277
10.5.7 Other Prominent Security Threats 277
10.5.7.1 Back-Office Compromise 277
10.5.7.2 Grid Volatility 277
10.5.7.3 Security Discrepancy 278
10.6 Security of AMI System: AMI Issues and Current Weaknesses 278
10.6.1 AMI Components 278
10.6.2 Security Issues in AMI Components 279
10.6.2.1 Confidentiality in an AMI System 279
10.6.2.2 Integrity in AMI Systems 279
10.6.2.3 Availability in AMI Systems 279
10.6.2.4 Nonrepudiation in AMI Systems 280
10.6.2.5 Authorization in AMI Systems 280
10.6.3 Major Vulnerabilities in Current AMI Systems 280
10.6.3.1 Plaintext NAN Traffic 280
10.6.3.2 Bus Snooping 281
10.6.3.3 Improper Cryptography 281
10.6.3.4 Direct Tampering 281
10.6.3.5 Meter Authentication Weaknesses 282
10.6.3.6 Denial-of-Service Threats 282
10.6.3.7 Stored Key and Passwords 282
10.6.3.8 Cryptographic Key Distribution 282
10.7 Addressing Encryption and Key Management Needs of the Smart Grid Using Techniques Adapted from Sensor Networks 283
10.7.1 Data Encryption 283
10.7.2 Key Establishment and Management 284
10.7.3 Link-Layer Security Frameworks 286
10.8 Conclusions and Outlook 287
References 287
Recommended Reading 290

Maintaining integrity, availability, authenticity, and confidentiality of smart grid data and control information becomes increasingly challenging in the last mile to the home. Physical security is more difficult to achieve, leading to greater potential for tampering and compromise of nodes. The larger number of nodes and the interdependency of nodes for communication leave the system more vulnerable to certain types of attacks. Encryption is essential to network security; however, encryption key management is a particular challenge in the smart grid due to the large number of distributed nodes. Interoperability and flexibility goals can appear to be at odds with the implementation of security measures that ensure valid data are being provided. A balance must be struck between competing objectives. Security decisions in the last mile must be evaluated from the broader perspective of maintaining operation of the smart power system in the face of evolving attacks and adversaries over the deployment life of the system.


10.1 Introduction

Collection of data and control of devices are two main objectives of the smart grid. Collected data may include energy usage, power consumption, local voltage, volt-ampere reactive (VAR) power, and operational status for numerous devices at numerous locations. Device control may include changing taps on transformers, engaging VAR compensation capacitors, disconnecting loads, reducing loads, delaying the start of a load, or changing command set points for distributed generators.

All of these tasks require communication of either information or control signals. If invalid, inaccurate, malicious, or untimely information is provided, the effects on power system operation can be severe, including over- or undervoltage, interruption of power both locally and regionally, damage to connected equipment, hazards to personnel, and financial losses. The information gathered can be used for inappropriate, unexpected, or unsavory purposes by authorized and unauthorized third parties. As a result, both security and privacy of sensor data and control information are essential.

10.2 Smart Grid System Architecture in the Last Mile

A number of organizations, including the National Institute of Standards and Technology (NIST), Institute of Electrical and Electronics Engineers (IEEE), Electric Power Research Institute (EPRI), and others, have created architectural models of the smart grid. In the last mile, the smart grid includes power distribution equipment and overlapping communication networks, for example, the field-area network (FAN), neighborhood-area network (NAN), advanced metering infrastructure (AMI), and home-area networks (HANs).

Much of the emphasis in the smart grid is on smart meters (AMI) and linking AMI into other networks in the home for load control or sending pricing signals to homeowners, and in the power system for connecting AMI infrastructure to higher-level centralizing networks.

In Germany, a smart grid architecture with slightly different terminology is used.1 AMI smart metering devices are part of a local metrological network (LMN) that connects to the consumer's HAN and can control loads or generation units that are part of a controllable local system (CLS). The AMI/LMN network data is passed back toward a central data collector through a gateway that connects to a wide-area network (WAN).

The architectural description differences as well as different privacy standards influence how security and privacy solutions are achieved. For example, in Germany, the gateway acts as a firewall that shields the HAN and CLS from the WAN.

10.3 Control System Perspective: Impact of the Smart Grid on Electric Power System Stability

In the smart grid, end-consumer sensor data and controllable systems are integrated and aggregated into larger values of power consumption and larger effective controllable load systems. The data for aggregate power may be used for decisions at the level of a feeder, substation, or even region. Besides data aggregation, controlled local systems are aggregated and may be commanded to act as a large single controllable load. With the new controllability arising from the smart grid, it is useful to take a control systems perspective on the functioning of the smart grid system.

An adversary who manipulates either the load data or controllable local systems may be able to have a broad impact on the electric power system. By switching loads on and off, the adversary could reduce damping in the electric power system, modifying the system eigenvalues and worsening any latent stability issues. Combining such an attack with obfuscation of the system state by manipulation of sensor data may lead to a loss of system control.

Positive control benefits may also be achieved by adding active damping using aggregated controllable local systems. From a control system perspective, lag and latency become a critical issue in achieving a stable feedback control system using the smart grid controllable loads. Any feedback system with sufficient lag and gain can be made unstable. At a minimum, lag in feedback signals reduces the stability margin. The lag or latency introduced by a particular security implementation must therefore be considered in stability analyses.

10.4 Planning for Security and Privacy

Designing a smart grid system for security and privacy can be approached starting with a risk assessment that examines adversaries, their objectives, and threats. Adversaries may be insiders or outsiders. They may have physical access or they may not. Their objectives may be financial, political, or disruptive. Guidelines for assessing cybersecurity risks are available from the National Association of State Energy Officials (NASEO)2 and NIST.3 The Utility Communication Architecture International User Group (UCAIug) has outlined security strategies and threats specific to AMI.4

A general strategy of applying security in layers and at different levels is recommended. This "defense-in-depth" strategy includes physical access control ("fences and gates"), role limitations, security logs, encryption, secure communication, and auditing of information-handling procedures and practices. Ensuring security and privacy goes beyond encryption and secure communication.

Challenges in smart grid security design include

1. Knowing whom to trust (authentication)
2. Detecting intrusion, even if there is no disruption
3. Understanding how a potential attack affects system operation
4. Maintaining secure data-handling procedures (privacy) across organizations outside the utility (e.g., third parties, outsourced services)

Germany's security strategy for the AMI gateway1 addresses challenge 3 by specifically ensuring that if the communication network is disrupted, the system fails safe: electricity is still provided to the consumer, with no possibility of impact on the delivery of the commodity.

Detecting intrusion, challenge 2, is addressed by security logs and tamper detection that is observable by both the consumer and the gateway operator. The AMI gateways are also required to be installed in a nonpublic environment to reduce the potential for physical access to the equipment. Messages on the system carry timestamps to prevent a replay attack, in which a copy of an authentic message is replayed at a later time.

In preventing an adversary from affecting the system, it is important that the adversary does not have access to the complete system image. Concealment of the network nodes, communication pathways, and power system architecture is recommended. This prevents the attacker from gaining relevant information by observing responses to a failed message attempt or from observing information flow.


Maintaining privacy of personal usage information can be accomplished by allowing upstream parties to have access to only the minimum amount of data needed for billing or system operation. Data should be encrypted and pseudonymized or aggregated as appropriate to anonymize it.

10.5 Security Threats in the Field-Area Network/Neighbor-Area Network

10.5.1 Physical-Layer Attacks

Smart grids are expected to have nodes that are installed in areas considered to be outside premises. In these locations, they become highly vulnerable to physical damage due to environmental causes or mishandling of nodes. Such damage poses a threat to the integrity of the entire smart grid network. At the physical (PHY) layer, the network is also susceptible to breakdown of the transmission medium and rogue capture of nodes.5 Such threats can be combated through the use of tamper-resistant and damage-resistant devices capable of sending security alerts. The use of encryption in devices and the deployment of devices that securely store cryptographic keys and execute an authentication check on each link setup should be undertaken to thwart security threats at the physical level.

10.5.2 Link-Layer Attacks

In a NAN, nodes are allowed to join and leave dynamically, which leads to issues of securely communicating multicast messages at the link layer. Jamming of the communication medium due to reprobate capture of the network is another issue that needs consideration. Jamming can also occur in fast-hop ad hoc networks if the number of hops exceeds 1,000 hops/s, causing internal interference.6 Most NAN networks are ad hoc networks having a medium access control (MAC) protocol responsible for allocating the medium and the available resources in a distributed manner. This makes the network susceptible to availability attacks by selfish nodes that monopolize the available resources. Radio-frequency (RF) spectrum jamming can be mitigated using frequency-hopping spread spectrum (FHSS), which varies the channel from 50 to 100 times per second, making it difficult to lock onto one particular frequency.

With multiple types of traffic being carried on a converged smart grid network, quality of service (QoS) is important to ensure that critical control traffic is not delayed by less-critical traffic. Allowable latency times may be less than 3 ms for protection and safety-critical control communications. Some aspects may tolerate up to 160 ms of latency. Noncritical communications can handle latencies of greater than 160 ms. QoS requirements not only lead to multiple levels of security but also place a limit on the maximum tolerable processing time of security measures implemented at this layer.

One security concern pertaining characteristically to a smart grid network is sleep deprivation or torture attacks. Almost all components in a smart grid are designed to spend a long time asleep when the device is in the off state; an attack that keeps the device awake and overloads it exhausts the device and can lead to its breakdown.

The MAC layer attacks for the smart grid are generally averted by security protocols that involve techniques like MAC ID filtering, QoS provisioning, and so on. Most PHY layer security measures can also be extended to the MAC layer.

10.5.3 Network-Layer Attacks

Network-layer attacks are generally characterized by attacks on routing tables, which affect data traffic flows. The routing table is responsible for relaying the messages to their correct destination. Network-layer attacks aim at modifying the routing table so that traffic flows through a specific node controlled by the attacker. The attacker then can generate messages with false information or erroneously relay information that may cause congestion in the network. Denial-of-service (DoS) attacks at the network layer can be undertaken by fabricating routing tables aimed at disrupting traffic flow and eavesdropping on the information transmitted in the smart grid.7

Network-layer attacks include the following:

• Routing black holes: A node is compromised and then advertised as the shortest path, resulting in all traffic being directed to the compromised node.


• Sybil attack: Some sensor nodes in the network are misled into believing that nodes that either are multiple hops away or do not exist are their neighbors (a Sybil node presents itself under several identities at once).

• Wormholes: A considerable amount of the network traffic is tunneled from one place in the network to another distant place in the network, depriving other parts of the network.

Attacks can occur on neighbor-sensing protocols by inserting unauthorized nodes, which can be prevented through the routine use of encryption, integrity examination, and authentication mechanisms. However, this leads to an added security threat of attacks that exploit route maintenance procedures.8

10.5.4 Internet Protocol Addressing Specific Attacks

The use of Internet Protocol (IP) addressing in smart grid communication does lead to confidentiality and authorization issues. IP spoofing, dual-stack convergence, and cyber attacks at this level are some other concerns. Cyber threats include cyber spies mapping the grid and installing malicious software capable of destroying or disrupting services. IP-based requirements were written for computers (hosts) and routers; some AMI nodes do not meet them and probably cannot meet them without further specification development. On the other hand, security measures for IP-based routing are well defined and can be added to the smart grid with some minor modifications.

10.5.5 Transport-Layer Attacks

The communications module inside each meter is connected to the meter via a serial port, which can be disconnected so that the meter does not report usage. Deploying smart meters that are capable of detecting such disconnects and other types of tampering and reporting such incidents to operators can mitigate service theft via meter/communications module interface intrusion. The primary transport protocols like TCP (Transmission Control Protocol), UDP (User Datagram Protocol), DCCP (Datagram Congestion Control Protocol), and SCTP (Stream Control Transmission Protocol) provide multiplexing of different traffic flows between two hosts, and the logical separation provided by the transport layer is not intended to guard against malicious attacks by a determined adversary.

10.5.6 Application-Layer Attacks

Attacks on the application pose a threat since cryptography and encryption are not enough to prevent them. Verifying the data received against statistical data corresponding to the model can help detect such attacks. While this is not a foolproof method, it is useful.

10.5.7 Other Prominent Security Threats

10.5.7.1 Back-Office Compromise

Back-office compromise could take place when individuals illegally gain access to the smart grid management database. From there, they could compromise the reliability of the entire grid, including unsanctioned access to billing and other back-office systems. This could lead to theft of service in addition to loss of customer confidentiality.

By the same token, with access to the database that stores privileged data, an attacker could modify the credentials to which coordinators respond and potentially bring down the grid. Physical security, strong validation, authorization using multilevel privileges, and network access regulation using firewalls are all mechanisms that can be used to combat a back-office attack. Encryption of databases, passwords, and customer information should be undertaken, and right of entry to the control system should be restricted to specific physically safeguarded sites.

10.5.7.2 Grid Volatility

The smart grid network has much intelligence at its edges, that is, at the entry point and at the end user's meter and at the back office where all the data are accumulated and processed. However, in the grid network itself, there is insufficient intelligence governing the switching functions. This lack of integrated development makes the grid a volatile network with little if any software intelligence to control it, making the smart grid vulnerable to physical and cyber attacks in the middle.9

10.5.7.3 Security Discrepancy

With the smart grid, there are multiple stakeholders with different agendas motivating them. Security standards have to be unbiased and account for security of the smart grid in its totality. Also, encryption and other security measures have to be maintained throughout the entire network, as the network is only as strong as its weakest link.

10.6 Security of AMI System: AMI Issues and Current Weaknesses

Advanced metering infrastructure security is one of the key components in the smart grid infrastructure. There is a proposed AMI security specification under development that will provide the utility industry, along with supporting vendor communities and other stakeholders, a set of security requirements. The requirements should be applied to AMI implementations to ensure the high level of information assurance, availability, and security necessary to maintain a reliable system and consumer confidence.10

10.6.1 AMI Components

The AMI system consists of several components interconnected to form a network architecture, which provides communication capabilities in a power grid. Some of the prominent components are as follows:11

Smart Meter: This meter provides energy-related information as well as metrological data. In addition, the meter provides periodic data for customer energy usage.

Customer Gateway: This gateway is an interface between the AMI network and the HAN or building management system (BMS). The gateway location may be different from that of the smart meter.

AMI Communications Network: The network provides information flow from the smart meter to the AMI headend.

AMI Headend: This component provides a management function for information flow between an external system and the AMI network.


10.6.2 Security Issues in AMI Components

10.6.2.1 Confidentiality in an AMI System

The main issue of confidentiality in AMI systems10,12 is privacy, since customers would not want private firms, marketing agencies, or unauthorized people to access their energy or electric utilization patterns. Therefore, the concerned authority has to make sure that data leaks do not occur either intentionally or unintentionally.

The AMI communications network must also restrict unauthorized access or information passing between customers. It is important to keep energy and other information from the smart meter confidential even against physical tampering aimed at the stored data. Lack of confidentiality could result in a hacker accessing data that reveal which houses in an area are empty, or tricking the meter into unwittingly billing one customer for a neighbor's electricity. Also, the hacker could hijack the control of energy usage, such as turning smart grid-enabled household appliances on or off. If the AMI system is interfaced through the customer gateway into the HAN, a commercial energy management system, or another automated system, the privacy of those systems must be considered and maintained.

10.6.2.2 Integrity in AMI Systems

In AMI systems, integrity protects data and commands from unauthorized changes.11 A second aspect of integrity requires that you must be able to detect if changes occur. The smart meter must be protected against concealed changes both physically and cyberwise. Since the smart meter is located at the customer site, the meter is vulnerable to tampering and vandalism, and prevention of such physical attacks can be difficult. Customer gateways also must protect against undetected changes since they are conduits to critical customer equipment and systems.

10.6.2.3 Availability in AMI Systems

An attack on availability11 makes resources inaccessible to authorized entities when they request them. The most important aspect to consider while ensuring availability in AMI systems is whether the data in question are affected by unavailability, and if affected, how time critical they are, whether on the scale of seconds, hours, or days. To overcome the unavailability problem, we have to provide creative approaches to routing the information between the smart meter, consumer gateway, and AMI communication networks. We also need to enable the smart meters to make local decisions. Detection methods for availability attacks include automated diagnostics and physical and cyber intrusion detection.

10.6.2.4 Nonrepudiation in AMI Systems

Nonrepudiation ensures that the entities receiving the data do not subsequently deny receiving it, and if the entities did not receive the data, then they cannot subsequently state that they did receive it. Nonrepudiation in AMI systems10 is important for all financial transactions. Also, the timeliness of response is as important as actually acting on a control command. Therefore, accurate timestamp information and continuous time synchronization across all AMI system components are crucial. Inaccurate timestamps and desynchronized messages lead to errors in customer information, billing for usage, and analysis of load and generation patterns by utility planners.

10.6.2.5 Authorization in AMI Systems

Authorization in AMI systems10 grants users and devices the right to access resources and perform specified actions. Lack of authorization will leave the AMI architecture vulnerable to attack from malicious elements that break into the network. As part of authorization, users and devices may be assigned roles, for example, that give them a set of privileges. By defining the scope of what an authenticated user or device can do, digital certificates can be used as an authorization mechanism.

10.6.3 Major Vulnerabilities in Current AMI Systems

The major vulnerabilities in current AMI systems are as follows:

10.6.3.1 Plaintext NAN Traffic

Because of the rapid development and specification of AMI systems, the implementation decisions of vendors have been affecting the quality of security implementation in the system. Vendors may choose how to implement privacy and integrity control to protect confidential data. In some cases, the vendors encrypt all traffic in the NAN; other vendors may decide not to use encryption at some configuration level. For example, a product may have the capability of encryption but ship with a default setting of no encryption. This is a problem that can account for major security breaches.12,13,14

10.6.3.2 Bus Snooping Embedded systems are used widely in peripheral devices such as radios that interface to measurement units. If the device has little or no physical protection, then a security risk may exist on the interfaces between the components in the embedded system. For example, the bus between the microcontroller and the radio is usually unencrypted, which introduces a vulnerability. An attacker can attach a bus sniffer onto the bus between the microcontroller and the radio to sniff packets [15]. The attacker is then free to read and capture radio configuration information, cryptographic keys, network authentication credentials, and other sensitive information. Therefore, many radio chip manufacturers have introduced cryptographic algorithms internally in hardware to prevent tampering with the chips and other components.

10.6.3.3 Improper Cryptography Cryptography is easy to detect in the AMI infrastructure, but it is very difficult to detect whether the cryptography is improperly configured. Improperly configured cryptography [12,13] could present a critical vulnerability to the infrastructure. The possible improper configurations of the cryptography range from weak key derivation, improper reuse of keystream data, lack of replay protection, insecure cipher modes, weak integrity protection, and insufficient key length to cryptographically weak initialization vectors.

10.6.3.4 Direct Tampering Tamper protection mechanisms are necessary to protect against malicious modification of meter devices installed in public or open areas [16]. The mechanisms could inevitably fail, but the tamper protection should delay attackers from damaging the integrity of data from the meter while notifying the utility company. The utility company should implement the ability to track the affected meter and alert law enforcement to capture the attackers.

When designing tamper protection mechanisms, the following list of features should be considered:

• Local tampering detection mechanism, which indicates any physical tampering with a meter

• Remote tampering detection mechanism, which notifies the head office that someone has been tampering with a meter

• Integrity-protecting mechanism, which protects and prevents modifying the sensitive information, such as security keys, meter configuration, and so on

• Repair authorization mechanism, which allows only authorized technicians or engineers from the utility company to repair the meter

• Physical lock mechanism, which prevents an unauthorized person from physically accessing the meter

10.6.3.5 Meter Authentication Weaknesses The process of validating the credential passed between a meter and a NAN device requires many steps. However, an attacker could impersonate a legitimate device and could gain information to undermine cryptographic protocols. Therefore, the process of meter authentication should be tested to make further improvements for defending against authentication-related attacks during authentication exchanges [12,17].

10.6.3.6 Denial-of-Service Threats Denial of service is a common threat that prohibits access to the meter, and there are many conditions that trigger denial of service [7]. It is important to explore the possible DoS threats for meters.

10.6.3.7 Stored Keys and Passwords Because of the security requirements of meter devices, the manufacturers of AMI have included authentication, encryption, and integrity protections in the devices. Therefore, encryption keys, meter-derived keys, passwords, and other security-sensitive information are stored locally in the meter [13]. This presents an opportunity for hackers who compromise the meter to gain access to the NAN.

10.6.3.8 Cryptographic Key Distribution Cryptography is supported in most radios and meters, but key management is a difficult problem [12,18]. For example, symmetric keys could be used in each meter, but if the attacker compromises any meter, the attacker will have access to the NAN or other meters and can impersonate a meter. Therefore, use of certificates, asymmetric keys, or a public key infrastructure (PKI) is recommended. Two possible attacks are spoofing system update mechanisms to insert unauthorized certificates and, as a consequence, allowing an attacker to decrypt and inject encrypted traffic.

10.7 Addressing Encryption and Key Management Needs of the Smart Grid Using Techniques Adapted from Sensor Networks

10.7.1 Data Encryption

To achieve the security goals stated in the previous sections, data encryption is essential. Some key security measures that have been developed for sensor networks can be adapted for addressing the security needs of the smart grid. A sensor network can be considered as a network of devices communicating using a short-range multihop communication infrastructure.

When the sender and the receiver use the same key for encryption, the mechanism is termed symmetric key cryptography. The sender uses the key to convert plaintext to ciphertext using the chosen encryption algorithm. The receiver recovers the plaintext from ciphertext using the same key and the corresponding decryption algorithm. On the other hand, asymmetric key or public key cryptography uses a unique (public, private) key pair for each communicating node. The public key of the node is used for encrypting data sent to the node. Since the private key is known only to the node, the data can be decrypted by the intended recipient only.

Symmetric key cryptography is computationally less intensive but does not scale well, as each node requires a unique symmetric key with every other node in the network for successfully encrypting data between any two participating nodes. On the other hand, asymmetric key cryptography scales better but requires more computational resources.

If the devices are resource constrained, a symmetric key cryptosystem is more attractive, and most of the existing work in the literature is based on this methodology. Two types of ciphertext can be generated using symmetric key cryptography: a stream cipher generated by encrypting the plaintext one bit at a time and a block cipher generated by encrypting blocks of the plaintext at a time. The computational overhead of RC4 (stream cipher), IDEA and RC5 (block ciphers), and MD5 and SHA-1 (one-way hash functions) has been evaluated in the work of Ganesan et al. [19]. Different sensor platforms were used for testing these algorithms. It was shown that RC4 outperformed RC5 across all platforms. The hashing algorithms have an order of magnitude higher overhead compared to the symmetric key algorithms.

Several block ciphers were evaluated for their applicability in sensor networks in the work of Law et al. [20]. The storage requirements and energy efficiency of the ciphers were also considered along with their security properties. The authors proposed Rijndael for applications with high security and energy efficiency requirements and MISTY1 for applications with both storage and energy efficiency needs.

Even though asymmetric key cryptography is not considered suitable for sensor networks, recent research has shown that it might be feasible with the proper choice of algorithms [21,22]. Asymmetric key cryptosystems are more scalable and resilient to node compromise. The challenge is to adapt the asymmetric key computation algorithms to the hardware design so that the computations can be supported by the resources available to the sensor nodes. Asymmetric key cryptosystems can be designed for sensor nodes with power consumption as low as 20 μW using optimized low-power techniques [22]. The future of public key encryption architectures for sensor networks looks promising with advances in sensor energy-harvesting techniques. Approaches based on elliptic curve cryptography (ECC) are also being investigated for sensor networks. TinyOS, the most widely used operating system for sensors, can be modified to support a public key infrastructure based on ECC [23].

10.7.2 Key Establishment and Management

Of the different security measures, establishment of cryptographic keys is critical. Encryption as well as authentication mechanisms rely on them for their operation. The keys used by the cryptographic algorithms must be set up by the nodes before secure data exchange can take place. This process of establishing, distributing, and managing cryptographic keys is called key management and is one of the most challenging aspects of smart grid security design.


Security protocols rely on encryption mechanisms for ensuring data confidentiality. Also, for authentication purposes, the sender computes a message authentication code for each packet and appends it to the message. Both the encryption algorithm and the message authentication code computation require cryptographic keys as inputs [24]. In a previous section, it was shown that symmetric key cryptography is preferred for sensor network applications. For large networks, it is extremely difficult to manage the creation and distribution of symmetric keys. Most symmetric key cryptosystems depend on a central authority for key creation and distribution. However, due to the lack of centralized control in some networks, this approach is not suitable.

For distributed networks, the simplest way to set up symmetric keys is to use a network-wide key for encryption and decryption purposes [24]. Hence, every node uses the same key for encryption and decryption. Although this approach does ensure data privacy and integrity, it is extremely vulnerable to node compromise since the sensor nodes are unattended in many applications. Even though this approach is simple to implement, it certainly is not an optimal solution.

The other extreme is to have pairwise symmetric keys preloaded for all sensor nodes in the network. However, the number of unique symmetric keys loaded in each sensor becomes unacceptably large as the size of the network increases. It has been proposed to use the sink as the key distribution center for setting up pairwise symmetric keys for the participating sensor nodes [25]. However, the sink then becomes a single point of failure for the protocol. Also, it may lead to large communication overhead for sensors during the key exchange process.

In the work of Zhou and Fang [26], it was shown that most recent approaches consider the key management problem for sensor networks as a two-step process. Prior to the deployment of the network, each sensor node is loaded with the initial keying material (key predistribution phase). This phase eliminates the dependence on the sink (or any other central node) for key distribution. The predistributed keying material depends on the memory resources of the sensor nodes and the resilience of the nodes to compromise. In other words, a node compromise should have an impact on a minimum number of nodes based on the information obtained from the predistributed material. Once the network is deployed, the nodes communicate with each other and establish either pairwise symmetric keys or asymmetric keys, based on the algorithms used (key agreement phase). Zhu et al. [27] showed that, based on the communication pattern of the sensor nodes, a group key may also be established instead of pairwise keys.

The distribution of keying material can be probabilistic, deterministic, or hybrid [28]. In the probabilistic approach, each node is preloaded with a set of keys (key ring) randomly selected from a global key pool [29,30]. Neighboring nodes share at least one key with a certain probability depending on the size of the key ring, which in turn depends on the memory resources available. The challenge is to achieve a balance between the available resources and the desired key connectivity. Gong and Wheeler [31] presented deterministic approaches for key distribution that define the global key pool and the key assignment to each node nonrandomly to increase the key connectivity between neighboring nodes. Instead of uniformly distributing the keying material across the entire network, a location-based key material distribution system can be used to optimize one-hop key connectivity [32].
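The two-phase scheme above (key predistribution, then key agreement) and the probabilistic key-ring variant can be worked through concretely. The following is an added example, not code from the book or from the cited papers: it computes the analytic probability that two random key rings overlap, simulates predistribution and shared-key discovery for a small neighborhood, and measures how many surviving links a set of compromised nodes exposes, which is the resilience property the text asks key predistribution to bound. Pool size, ring size, node count and seed are constructed sample values.

```python
"""Random key predistribution worked example (Eschenauer-Gligor style).

Each node is preloaded with a key ring of k key ids drawn from a global pool
of P keys. After deployment, two neighbours look for a key id they both hold
and use it to protect their link. Key ids stand in for real key bytes.
"""
import math
import random
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

KeyRing = Set[int]
Link = Tuple[int, int]


def share_probability(pool_size: int, ring_size: int) -> float:
    """Analytic probability that two random rings of size k drawn from a
    pool of P keys share at least one key: 1 - C(P-k, k) / C(P, k)."""
    if ring_size > pool_size:
        raise ValueError("key ring cannot be larger than the key pool")
    if 2 * ring_size > pool_size:
        return 1.0  # pigeonhole: two such rings must overlap
    disjoint = math.comb(pool_size - ring_size, ring_size) / math.comb(pool_size, ring_size)
    return 1.0 - disjoint


def predistribute(num_nodes: int, pool_size: int, ring_size: int, seed: int = 0) -> List[KeyRing]:
    """Key predistribution phase: every node gets k distinct key ids from the
    pool. Seeded so the simulation is reproducible (constructed data)."""
    rng = random.Random(seed)
    pool = list(range(pool_size))
    return [set(rng.sample(pool, ring_size)) for _ in range(num_nodes)]


def shared_key(ring_a: KeyRing, ring_b: KeyRing) -> Optional[int]:
    """Shared-key discovery: both sides pick the lowest common key id, so they
    agree without further negotiation; None if the rings are disjoint."""
    common = ring_a & ring_b
    return min(common) if common else None


def key_agreement(rings: List[KeyRing]) -> Dict[Link, int]:
    """Key agreement phase over a fully connected neighbourhood: map every
    node pair that can talk securely to the key id protecting that link."""
    links: Dict[Link, int] = {}
    for i, j in combinations(range(len(rings)), 2):
        k = shared_key(rings[i], rings[j])
        if k is not None:
            links[(i, j)] = k
    return links


def connectivity(rings: List[KeyRing]) -> float:
    """Fraction of node pairs that end up with a shared key."""
    pairs = math.comb(len(rings), 2)
    return len(key_agreement(rings)) / pairs if pairs else 0.0


def exposed_fraction(rings: List[KeyRing], compromised: Set[int]) -> float:
    """Resilience metric: among links between NON-compromised nodes, the
    fraction whose key the attacker now holds (union of captured rings).
    Returns 0.0 when no such links exist."""
    captured: Set[int] = set()
    for n in compromised:
        captured |= rings[n]
    survivors = [(link, k) for link, k in key_agreement(rings).items()
                 if link[0] not in compromised and link[1] not in compromised]
    if not survivors:
        return 0.0
    return sum(1 for _, k in survivors if k in captured) / len(survivors)


if __name__ == "__main__":
    P, K, N = 100, 10, 40  # constructed sample parameters
    print(f"analytic P(share) = {share_probability(P, K):.3f}")
    rings = predistribute(N, P, K, seed=7)
    print(f"simulated connectivity = {connectivity(rings):.3f}")
    for c in (1, 5, 20):
        print(f"{c} compromised nodes expose {exposed_fraction(rings, set(range(c))):.3f} of links")
```

Raising the ring size raises connectivity but also the fraction of links a single captured node exposes, which is the trade-off between memory and resilience the paragraph describes.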

Most of the existing sensor security solutions rely on a key predistribution mechanism to alleviate the problem of key distribution and management. Others rely on the sink for key distribution. Neither of these approaches is optimal, and the design of key management schemes for sensor networks is still an open research problem.

10.7.3 Link-Layer Security Frameworks

A few years ago, the focus of sensor network research was key management. Another area of interest was secure routing. However, recent work has been in the area of link-layer security frameworks, in the quest for a more general solution that can be used for different applications and situations. Link-layer security works with sensor network features such as in-network processing and data aggregation. These features enable the sensed data to be processed and aggregated at each intermediate node so that unnecessary transmissions can be avoided. Note that the energy used in processing is less by several orders of magnitude compared to the energy spent on every bit of information that is transmitted and received by sensors. Also, end-to-end security solutions can be subjected to certain DoS attacks, which can be prevented by link-layer security architectures that can detect malicious packets injected into the network at an early stage. Several link-layer approaches exist in the literature for addressing the security needs of sensor networks and provide another tool for smart grid security [24,33–39].
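The per-packet message authentication code mentioned in 10.7.2 and the early, hop-by-hop rejection of injected packets described here can be shown in a small frame receiver. This is an added example in the spirit of TinySec-style framing, not code from the book or from any of the cited frameworks: the frame layout, the 4-byte truncated tag, HMAC-SHA256 in place of a CBC-MAC, and the sample key and readings are all constructed assumptions.

```python
"""Link-layer frame authentication worked example (TinySec-style, simplified).

Frame layout: dst(1) | src(1) | ctr(2) | payload | mac(4)
The sender appends a MAC over everything before it; the receiver verifies the
MAC before touching any field, so an injected or corrupted frame is dropped
at the first hop instead of travelling end to end. A strictly increasing
per-source counter rejects replays. Encryption is left out to keep the
example stdlib-only; real frameworks also encrypt the payload and reuse the
counter as the IV.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

MAC_LEN = 4                    # sensor link layers truncate MACs to save airtime
HDR = struct.Struct(">BBH")    # dst, src, 16-bit counter (re-key before it wraps)
LINK_KEY = bytes(range(16))    # constructed sample key, not for real use


def _tag(key: bytes, body: bytes) -> bytes:
    """Truncated HMAC-SHA256 standing in for the CBC-MAC a sensor radio would use."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, dst: int, src: int, ctr: int, payload: bytes) -> bytes:
    """Sender side: header + payload, then the MAC appended."""
    body = HDR.pack(dst, src, ctr) + payload
    return body + _tag(key, body)


class LinkReceiver:
    """Receiver state for one node: the last counter accepted from each source."""

    def __init__(self, key: bytes, addr: int) -> None:
        self.key = key
        self.addr = addr
        self.last_ctr: Dict[int, int] = {}

    def accept(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        """Return ("ok", payload) or ("drop:<reason>", None)."""
        if len(frame) < HDR.size + MAC_LEN:
            return "drop:short", None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        # Step 1: authenticity, checked before any header field is trusted.
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return "drop:bad-mac", None
        dst, src, ctr = HDR.unpack_from(body)
        if dst != self.addr:
            return "drop:not-for-me", None
        # Step 2: replay; the counter must strictly increase per source.
        if ctr <= self.last_ctr.get(src, -1):
            return "drop:replay", None
        self.last_ctr[src] = ctr
        return "ok", body[HDR.size:]


def demo() -> List[str]:
    """Constructed traffic: a good frame, its replay, a bit-flipped copy, a
    frame forged without the key, then the next good frame. Returns the
    receiver's verdicts in order."""
    rx = LinkReceiver(LINK_KEY, addr=2)
    good = build_frame(LINK_KEY, 2, 1, 0, b"kWh=12.5")
    flipped = bytearray(build_frame(LINK_KEY, 2, 1, 1, b"kWh=12.6"))
    flipped[HDR.size] ^= 0x01  # corrupt the first payload byte, keep the old MAC
    forged = build_frame(b"\x00" * 16, 2, 1, 2, b"kWh=99.9")
    nxt = build_frame(LINK_KEY, 2, 1, 3, b"kWh=12.7")
    return [rx.accept(f)[0] for f in (good, good, bytes(flipped), forged, nxt)]


if __name__ == "__main__":
    print(demo())  # ['ok', 'drop:replay', 'drop:bad-mac', 'drop:bad-mac', 'ok']
```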

10.8 Conclusions and Outlook

The distributed, changing, and physically exposed nature of the smart grid makes it more susceptible to cyberattacks than many existing networks. A security analysis of the smart grid communication architecture indicated several likely attack methods. Security solutions from traditional networks and from sensor networks can be adapted to the smart grid. An essential smart grid security feature is the ability to detect compromised nodes and for nodes to be able to send notification if they are attacked. In addition, for the smart grid to maintain effective encryption of private data and prevent attacks, an effective key management system must be used. This is an area of active, ongoing research.

References

1. German Federal Office for Information Security (2011). Protection Profile for the Gateway of a Smart Metering System, v01.01.01 final draft. Federal Office for Information Security, Bonn, Germany.

2. National Association of State Energy Officials (NASEO) (December 2010). Smart Grid and Cyber Security for Energy Assurance—Planning Elements for Consideration in States' Energy Assurance Plans. NASEO, Arlington, VA.

3. National Institute of Standards and Technology (NIST) (August 2010). NISTIR 7628 Guidelines for Smart Grid Cyber Security, Introduction and Volumes 1–3. Cyber Security Coordination Task Group, Advanced Security Acceleration Project Smart Grid, NIST, Gaithersburg, MD.

4. C. Bennett, B. Brown, B. Singletary, D. Highfill, D. Houseman, F. Cleveland, H. Lipson, J. Ivers, J. Gooding, J. McDonald, N. Greenfield, and S. Li (December 2008). AMI System Security Requirements, Utility Communication Architecture International User Group (UCAIug), Raleigh, NC.

5. H. Khurana, M. Hadley, N. Lu, and D. A. Frincke (2010). Smart-grid security issues. IEEE Security and Privacy, doi: 10.1109/MSP.2010.49, pp. 81–85.

6. D. C. Schleher (July 1999). Electronic Warfare in the Information Age. Artech House, Norwood, MA.

7. Z. Lu, X. Lu, W. Wang, and C. Wang (October 2010). Review and evaluation of security threats on the communication networks in the smart grid. Military Communications Conference, 2010—MILCOM 2010, doi: 10.1109/MILCOM.2010.5679551, pp. 1830–1835.

8. C. Karlof and D. Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. First IEEE International Workshop on Sensor Network Protocols and Applications, Anchorage, AK (May 2003).

9. Problems with Smart Grid. eHow.com. http://www.ehow.com/info_8072577_problems-smart-grid.html#ixzz1imkhd3c8

10. OpenSG User Group. AMI Security Specification v_2.01, Nashville, TN. http://osgug.ucaiug.org/utilisec/amisec/default.aspx

11. C. Bennett and D. Highfill (November 2008). Networking AMI smart meters. Energy 2030 Conference, 2008. ENERGY 2008. IEEE, New York, pp. 1–8.

12. M. Carpenter, T. Goodspeed, B. Singletary, E. Skoudis, and J. Wright (January 5, 2009). Advanced Metering Infrastructure Attack Methodology. http://www.inguardians.com/pubs/articles.html

13. F. M. Cleveland (July 2008). Cyber security issues for advanced metering infrastructure (AMI). Power and Energy Society General Meeting—Conversion and Delivery of Electrical Energy in the 21st Century, 2008, IEEE, New York, pp. 1–5.

14. M. Theoharidou, G. Marias, S. Dritsas, and D. Gritzalis (2006). The ambient intelligence paradigm. A review of security and privacy strategies in leading economies. 2nd IET International Conference on Intelligent Environments. IE 06, vol. 2, pp. 213–219.

15. R. Chaki (October 2010). Intrusion detection: Ad-hoc networks to ambient intelligence framework. International Conference on 2010 Computer Information Systems and Industrial Management Applications (CISIM), pp. 7–12.

16. A. Hahn (September 2010). Smart grid architecture risk optimization through vulnerability scoring. 2010 IEEE Conference on Innovative Technologies for an Efficient and Reliable Electricity Supply (CITRES), pp. 36–41.

17. C. Bennett and S. B. Wicker (July 2010). Decreased time delay and security enhancement recommendations for AMI smart meter networks. In Innovative Smart Grid Technologies (ISGT), 2010, pp. 1–6.

18. J. Kim, S. Ahn, Y. Kim, K. Lee, and S. Kim (June 2010). Sensor-network-based AMI network security. 2010 IEEE PES Transmission and Distribution Conference and Exposition, pp. 1–5.

19. P. Ganesan et al. (September 2003). Analyzing and modeling encryption overhead for sensor network nodes. Proceedings of 2nd International Conference on Wireless Sensor Network Applications, pp. 151–159.

20. Y. W. Law, J. Doumen, and P. Hartel (November 2006). Survey and benchmark of block ciphers for wireless sensor networks. ACM Transactions on Sensor Networks, 2, 65–93.

21. R. Watro et al. (November 2004). TinyPK: Securing sensor networks with public key technology. Proceedings of 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN'04), Washington, DC.

22. G. Gaubatz, J. Kaps, and B. Sunar (October 2005). Public Key Cryptography in Sensor Networks—Revisited. Lecture Notes in Computer Science—Security in Ad-Hoc and Sensor Networks. Springer, New York.

23. D. J. Malan et al. (October 2004). A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. Proceedings of 1st IEEE International Conference on Sensor and Ad Hoc Communication Networks (SECON'04), Santa Clara, CA.

24. C. Karlof et al. (November 2004). TinySec: A link layer security architecture for wireless sensor networks. Proceedings of 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04), pp. 162–175.

25. A. Perrig et al. (2002). SPINS: Security Protocols for Sensor Networks. ACM Wireless Networks, 8(5), 521–534.

26. Y. Zhou and Y. Fang (2008). Securing wireless sensor networks: A survey. IEEE Communications Surveys and Tutorials, 10(3), 6–28.

27. S. Zhu et al. (October 2003). LEAP: Efficient security mechanism for large scale distributed sensor networks. Proceedings of 10th ACM Conference on Computer and Communications Security (CCS'03), pp. 62–72.

28. S. Camtepe et al. (2008). Key Management in Wireless Sensor Networks. Wireless Sensor Network Security. J. Lopez and J. Zhou (eds.). IOS Press, Amsterdam, The Netherlands.

29. H. Chan et al. (June 2006). Random key predistribution schemes for sensor networks. IEEE International Conference on Communication, pp. 2262–2267.

30. L. Eschenauer and V. Gligor (November 2002). A key management scheme for distributed sensor networks. Proceedings of 9th ACM Conference on Computer and Communications Security (CCS'02), pp. 41–47.

31. L. Gong and D. J. Wheeler (1990). A matrix key distribution scheme. Journal of Cryptology, 2(1), 51–59.

32. D. Liu and P. Ning (October 2003). Location-based pairwise key establishments for relatively static sensor networks. Proceedings of 2003 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN'03), Fairfax, VA, USA.

33. Q. Xue and A. Ganz (October 2009). Runtime security composition for sensor networks (SecureSense). IEEE 58th Vehicular Technology Conference (VTC'03), pp. 2976–2980.

34. N. Sastry and D. Wagner (October 2004). Security considerations for IEEE 802.15.4 networks. ACM Workshop on Wireless Security (WiSe'04), pp. 32–42.

35. T. Li, H. Wu, X. Wang, and F. Bao (May 2005). SenSec: Sensor security framework for TinyOS. Proceedings of 2nd International Workshop on Networked Sensing Systems (INSS'05), San Diego, CA.

36. A. D. Wood et al. (October 2006). SIGF: A family of configurable, secure routing protocols for wireless sensor networks. Proceedings of Fourth ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '06).

37. M. Luk, G. Mezzour, A. Perrig, and V. Gligor (April 2007). MiniSec: A secure sensor network communication architecture. IEEE International Conference on Information Processing in Sensor Networks (IPSN'07), Cambridge, MA.

38. P. Osanacek (2009). Towards Security Issues in ZigBee Architecture. Lecture Notes in Computer Science—Human Interface and Management of Information, Designing Information Environments. Springer, New York.

39. M. Healy, T. Newe, and E. Lewis (2009). Security for wireless sensor networks: A review. IEEE Sensors Applications Symposium, New Orleans, LA.



List of Acronyms

A2A: applicationtoapplicationAAA: authentication,authorization,andaccountingACSE: associationcontrolserviceelementACSI: abstractcommunicationserviceinterfaceADC: analog-to-digitalconverterAES: advancedencryptionstandardAGA: americanGasassociationAH: authenticationheaderAMI: advancedmeteringinfrastructureAMR: advancedmeterreadingANSI: americannationalstandardsinstituteAP: accesspointAPCO: associationofPublic-safetycommunicationsofficialsAPDU: applicationProtocoldataUnitAPI: applicationprograminterfaceARM: advancedriscmachineARP: addressresolutionProtocolASDU: applicationservicedataunitASN.1: abstractsyntaxnotationoneAWGN: additivewhiteGaussiannoiseBAS: buildingautomationsystemB2B: BusinesstoBusiness

294 list of aCronyms

BES: bulkelectricsystemB2G: Building-to-Grid(a)BMS: buildingmanagementsystemB&P: BusinessandPolicyBPL: broadbandoverpowerlineBS: basestationBSS: blindsourceseparationCA: certificateauthorityCDC: commondataclassCDPSM: commondistributionPowersystemModelCHAP/PAP: challenge handshake authentication Protocol/

PasswordauthenticationProtocolCHP: combinedheatandpowerCIGRE: internationalcouncilonlargeelectronicsystemsCIM: commoninformationModelCIMug: ciMUsersGroupCIP: criticalinfrastructureProtectionCIS: componentinterfacespecificationCLS: controllablelocalsystemCMDA: codedivisionmultipleaccessCOSEM: companionspecificationfortheenergyMeteringCPC: chainingblockcipherCPE: customerpremisesequipmentCPP: criticalpeakpricingCPSM: commonPowersystemModelCPU: centralprocessingunitCR: cognitiveradioCRL: certificaterevocationlistCSCTG: cybersecuritycoordinationtaskGroupCSMA: carriersensemultipleaccessCT: currenttransformerDA: distributionautomationDAC: digital-to-analogconverterDAP: day-aheadpricingDCCP: datagramcongestioncontrolProtocolDCS: distributedcontrolsystemDDoS: distributeddosDER: distributedenergyresources

295list of aCronyms

3DES: tripledataencryptionalgorithmDEWG: domainexpertworkinggroupDLC: distributionlinecarrierDLMS: distributionlineMessagespecificationDMS: distributionmanagementsystemDNP3: distributednetworkProtocolDNS: domainnamesystemDoF: degreesoffreedomDoS: denialofservice(hyphenifadj)DP: developmentplatformDPO: digitalphosphoroscilloscopeDR: demandresponseDSP: digitalsignalprocessorDSS: digitalsignaturestandardDTLS: datagramtransportlayersecurityDVFS: dynamicvoltageandfrequencyscalingEAI: enterpriseapplicationintegrationEAP: extensibleauthenticationProtocolECC: ellipticcurvecryptographyEDIFACT: electronic data interchange for administration,

commerce,andtransportEMS: energymanagementsystemENTSO-E: europeannetworkoftransmissionsystemoperators

forelectricityEPRI: electricPowerresearchinstituteEPSEM: extendedprotocolspecificationforelectronicmeteringERCOT: electricreliabilitycounciloftexasESB: enterpriseservicebusESP: encapsulatedsecurityPayloadFAN: field-areanetworkFEP: front-endprocessorFFT: fastfouriertransformFHSS: frequency-hoppingspreadspectrumFIPS: federalinformationProcessingstandardFPGA: field-programmablegatearrayFSK: frequencyshiftkeyingFMSC: finite-stateMarkovchainGDOI: Groupdomainofinterpretation

296 list of aCronyms

GES: genericeventingandsubscriptionGID: GenericinterfacedefinitionGMAC: GaloisMessageauthenticationcodeGOOSE: GenericobjectorientedsubstationeventGPRS: generalpacketradioservicesGSM: GlobalsystemforMobilecommunicationsGSSE: GenericsubstationstatuseventGWAC: GridwisearchitecturecouncilHAL: hardwareabstractionlayerHAN: home-areanetworkHCB: hybridcloudbrokerHCBC: hash-cBcHDLC: high-leveldatalinkcontrolHiperLAN: highPerformanceradiolanH2G: home-to-Grid(a)HMAC: hashmessageauthenticationcodeHMI: human-machineinterfaceHSDA: high-speeddataaccessHTTP: hypertexttransferProtocolIACS: industrialautomationandcontrolsystemIBR: incliningblockrateIALM: inexactaugmentedlagrangemultiplierI/C: interruptible/curtailableICA: independentcomponentanalysisICMP: internetMessagecontrolProtocolICS: industrialcontrolsystemICS: industrialcontrolsystemsecurity(ofnist)IDS: intrusiondetectionsystemIEC: internationalelectrotechnicalcommissionIED: intelligentelectricaldeviceIEEE: instituteofelectricalandelectronicsengineersIETF: internetengineeringtaskforceI2G: industrial-to-Grid(a)i.i.d.: independentandidenticallydistributedIPSec: internetProtocolsecurityIPv4: internetProtocolversion4IRM: interfacereferenceModelISA: internationalsocietyofautomation

297list of aCronyms

ISC: industrialcontrolsystemsISC-CERT: industrialcontrolsystemscyberemergencyresponse

teamISDN: integratedservicesdigitalnetworkISO: internationalorganizationforstandardizationITU: internationaltelecommunicationUnionIV: initializationvectorJMS: JavaMessagingserviceKPCA: kernelPcaLAN: local-areanetworkLCE: looselycoupledeventLD: logicaldeviceLLC: logicallinkcontrolLMDS: localmultipointdistributionserviceLMN: localmetrologicalnetworkLMR: landmobileradioLMVU: landmarkmaximumvarianceunfoldingLN: logicalnodeLTC: loadtapchangerMAC: messageauthenticationcodeMCM: multicarriermodulationMAN: metropolitan-areanetworkMDA: ModeldrivenarchitectureMDI: meterdataintegrationMIMO: multipleinputmultipleoutputMDMS: meterdatamanagementsystemMIB: ManagementinformationBaseMMS: ManufacturingMessagespecificationMOM: message-orientedmiddlewareMPSL-VPN: Multi-Protocol label switching-virtual Private

network(MPls-vPn)MSPS: mega-samplespersecondMV: medium-voltage(a)MVU: maximumvarianceunfoldingNAN: neighborhood-areanetworkNASEO: nationalassociationofstateenergyofficialsNERC: northamericanreliabilitycorporationNetAPT: networkaccessPolicytool

298 list of aCronyms

NIPP: nationalinfrastructureProtectionPlanNOSR: nooptimalstoppingruleNP: nondeterministicpolynomialNIST: nationalinstituteofstandardsandtechnologyNRECA: nationalruralelectriccooperativeassociationNSM: networkandsystemmanagementOBIS: objectidentificationsystemOCSP: onlinecertificatestatusProtocolOFDMA: orthogonalfrequency-divisionmultipleaccessOMG: openManagementGroupORBIT: openaccessresearchtestbedfornext-Generationwireless

networksOS: operatingsystemOSI: opensysteminterconnectionOSR: optimalstoppingruleOSSTMM: opensourcesecuritytestingMethodologyManual(ch8)PAD: packetassembler-disassemblerPAN: personalareanetworkPAR: peak-to-averageratioPCA: principalcomponentanalysisPCIe: PeripheralcomponentinterconnectexpressPDU: protocoldataunitPGP/GnuPG: prettygoodprivacy/GnuPrivacyGuardPHEV: plug-inhybridelectricvehiclePIM: PlatformindependentModelPKI: publickeyinfrastructurePLC: programmablelogiccontrollerPN: pseudorandomnoisePSD: positivesemidefinitePSM: PlatformspecificModelPSTN: publicswitchedtelephonenetworkQoS: qualityofserviceQPSK: quadraturephaseshiftkeyingRCB: radiocontrolboardRDF: resourcedescriptionframeworkRFC: requestforcommentsRISC: reducedinstructionsetcomputingRSA: rivest–shamir–adleman

299list of aCronyms

RTP: real-timepricingRTU: remoteterminalunitSAML: securityassertionMarkuplanguageSAN: storageareanetworkSAS: substationautomationsystemSB: sitebrokerSCADA: supervisorycontrolanddataacquisitionSCL: substationconfigurationlanguageSCSM: specificcommunicationserviceMappingSCTP: streamcontroltransmissionProtocolSDP: semidefiniteprogrammingSDR: software-definedradioSFF: smallformfactorS-FSK: spreadfrequencyshiftkeyingSG3: smartGridstrategicGroupSGAM: smartGridarchitecturalModelSGCG: smartGridcoordinationGroupSGiP: smartGridinteroperabilityPanelSHA-1: securehashalgorithmSIA: seamlessintegrationarchitectureSIDM: systeminterfacesfordistributionmanagementSIR: signal-to-interferenceratioSLA: service-levelagreementSLO: service-levelobjectiveSM: smartmeterS/MIME: secure/multipurposeinternetmailextensionsSMV: samplemeasuredvalueSNMP: simplenetworkManagementProtocolSNR: signal-to-noiseratioSNTP: simplenetworktimeProtocolSOA: service-orientedarchitectureSOAP: simpleobjectaccessProtocolSoC: system-on-chipSOHO: smalloffice/homeofficeSP: specialPublicationSRTP: securereal-timetransportProtocol(srtP)SS-AW: spreadspectrumadaptivewidebandsSCADA:securescada


SS-FFH: spread spectrum–fast frequency hopping
SSH: secure shell
SSL: secure sockets layer
SSPP: serial SCADA protection protocol
SV: sample value
SVD: singular value decomposition
SVM: support vector machine
TC: technical committee
TCP/IP: Transmission Control Protocol/Internet Protocol
TCIPG: Trustworthy Cyber Infrastructure for the Power Grid
T&D: transmission and distribution
TLS: transport layer security
TOU: time-of-use
TPDU: transport protocol data unit
TR: technical report
TSDA: time series data access
TSEL: transport selector
TTP: trusted third party
UCAIug: Utility Communication Architecture International User Group
UDDI: Universal Description, Discovery, and Integration
UDP: User Datagram Protocol
UML: Unified Modeling Language
URI: Uniform Resource Identifier
USRP2: Universal Software Radio Peripheral 2
UWB: ultra-wideband
VLAN: virtual local-area network
VM: virtual machine
VoIP: voice over Internet Protocol
VPN: virtual private network
VT: voltage transformer
WAM: wide-area measurement system
WAN: wide-area network
WARP: Wireless Open-Access Research Platform
WBX: wide bandwidth transceiver
W3C: World Wide Web Consortium
WEP/WAP: wired equivalent privacy
WG: working group


WOL: wake-on-LAN
WRAN: wireless regional-area network
WSDL: Web Services Description Language
WSN: wireless sensor network
WS-Security: Web Services Security
WS-Trust: Web Services Trust
XML: eXtensible Markup Language

Index

A

abstract communication service interface (ACSI), 31, 33–34
abstract components, 22
Abstract Syntax Notation One (ASN.1), 26
accidents, see attacks and accidents
accounting standards, 217
acronyms list, xvii–xxv
ACSE, see association control service element (ACSE)
ACSI, see abstract communication service interface (ACSI)
adaptability, 125–126
adaptors, 127–128, 129
additive white Gaussian noise (AWGN), 168–169
Address Resolution Protocol (ARP), 65, 239
Advanced Encryption Standard (AES), 192
Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC), 211
advanced metering infrastructure (AMI)
  adaptors, 127–128, 129
  AMI to DMA processes, 130
  ANSI C12.19-2008, 117–118
  ANSI C12.22, 112–114
  architecture evaluation, 131–134
  behavior, 129–131
  business considerations, 124–126
  challenges, 125–126
  communication network, 106–110
  communication protocols, 111–117
  comparisons, 123–124
  components, 127–129
  context, 126
  DMA to AMI processes, 130–131
  DMS integration, 120–126
  flexibility, 133
  hierarchical communication network format, 107–109
  home-area network, 108–109
  IEC 62056, 115–117


  IEC 62056-62, 118–120
  information model, 117–120
  information translation and verification structure, 128–129
  interconnectivity, 230
  Internet-protocol-based mesh communication network, 109–110
  LCE infrastructure, 129
  meter data integration layer, 126–134
  meter data management system, 110–111
  meter data models, 120–124
  metering system, 104–106
  meter LAN, 108
  A Meter Model in CIM, 121–122
  monitor, 129
  multilevel hierarchical v. mesh, 109
  MultiSpeak, 122
  overview, 102–104
  performance, 131–132
  scalability, 132
  SIA application, 50
  software architecture, 126–131
  standardization, 111–120
  strategies, 131–133
  summary, 134–135
  test results, 133–134
  wide-area network, 107–108
advanced metering infrastructure (AMI), system security
  authorization, 280
  availability, 279–280
  bus snooping, 281
  components, 278
  confidentiality, 279
  cryptographic key distribution, 282–283
  data encryption, 283–284
  denial-of-service threats, 282
  direct tampering, 281–282
  improper cryptography, 281
  integrity, 279
  key establishment and management, 284–286
  link-layer security frameworks, 286–287
  meter authorization weaknesses, 282
  nonrepudiation, 280
  overview, 278
  plaintext NAN traffic, 280–281
  security issues, 279–280
  stored key and passwords, 282
  vulnerabilities, 280–283
AEIC, see American Energy Innovation Council (AEIC)
AEP, see American Electric Power (AEP)
AES, see Advanced Encryption Standard (AES)
AGA, see American Gas Association (AGA)
Ameren website, 94
American Electric Power (AEP), 249
American Energy Innovation Council (AEIC), 111
American Gas Association (AGA), 253, 257
American National Standards Institute (ANSI)
  ANSI C12.18, 111–112, 117
  ANSI C12.19, 104, 111–114, 117–120, 122–123, 128
  ANSI C12.21, 111–112, 117
  ANSI C12.22, 104, 111–114, 117, 119
A Meter Model in CIM, 121–122
APCO, see Association of Public-Safety Communications Officials (APCO)


APDU, see application protocol data unit (APDU)
application
  coupling of, 17
  SIA, 46–50
  standards, 14, 25, 39
application layer attacks, 277
application manager
  architecture, smart grids and cloud computing, 67–68
  solutions, smart grids and cloud computing, 69–72
application protocol data unit (APDU), 45
application service data unit (ASDU)
  authentication technique, 44
  function code, 234
application service-level agreements, 60
App Services, 39
architecture, smart grids and cloud computing
  application manager, 67–68
  hybrid cloud broker, 68–69
  overview, 66
  site broker, 68
architecture evaluation, MDI layer, 131–134
ARP, see Address Resolution Protocol (ARP)
ASDU, see application service data unit (ASDU)
assessment technologies
  control center, 231–232
  distributed network protocol, 233–234
  IEC 61850, 234–235
  network configuration/rule sets, 236–237
  network discovery, 238–239
  network protocol, 233–235
  network traffic review, 237–238
  overview, 230–231
  planning, 231–236
  post execution, 240
  review techniques, 236–238
  substations, 232–233
  supporting protocols, 235–236
  system configuration review, 236
  target identification and analysis, 238–239
  target vulnerability validation, 239–240
  vulnerability scanning, 239
association control service element (ACSE)
  network infrastructure standards, 114
  secure profiles, 43
Association of Public-Safety Communications Officials (APCO), 190
asymmetric encryption, 40–41
attacks and accidents, see also cybersecurity; security; threats
  application layer, 277
  availability, 194–195
  energy systems and automation systems, 248–251
  high-level requirements, 190–191
  integrity, 195–196
  intrusion detection, 45–46
  IP addressing, 276
  link layer, 274–275
  network layer, 275–276
  physical layer, 274
  SCADA systems, 256
  third-party protection, 197
  transport layer, 276
attributes
  data standards, 235
  local systems, 40
auditability, 196
Aurora generator test, 248


authentication
  secure profiles, 42–43
  security and data management, 43–44
  standards, 217
  vulnerabilities and security requirements, 196
authorization
  AMI system security, 280
  meter weaknesses, AMI systems, 282
  standards, 217
  vulnerabilities and security requirements, 196
automation and SCADA system security
  attacks and accidents, 248–251
  counter synchronization, 263
  energy grid and SCADA, 246–248
  overview, 245–246
  remote connections, 257–258
  security, 257–263
  sSCADA protocol suite, 258–263
  summary, 264
  threats, 255–257
automation systems, see substations, automation system vulnerability assessment
availability
  AMI system security, 279–280
  vulnerabilities and security requirements, 194–195
average quality indicator, 60
AWGN, see additive white Gaussian noise (AWGN)
A-XDR Encoding Rule, 27

B

back-office compromise, 277
backward compatibility, 44
BAS, see building automation system (BAS)
Basic Application Functions, 28
basic communication structure standards, 31
Bayesian inference, 176
BDEW, see Bundesverband für Energie- und Wasserwirtschaft (BDEW)
Beenken, Petra, xiii, 3–51
behavior, MDI layer, 129–131
benefits, demand response, 89
B2G, see Building-to-Grid (B2G)
bidirectional communication, 43
Blackhat attack, 251
blackout attack, 249–250
Bleiker, Robert, xiii, 3–51
blind, 167
Bluetooth, 106
Boden, Vitek, 248
boot configuration, 80
Bose, Sumit Kumar, xiii, 57
B&P, see Business and Policy (B&P)
BPL, see broadband over power line (BPL)
broadband over power line (BPL), 109
broadcasting, SCADA security, 252
Brock, Scott, xiii, 57
building automation system (BAS)
  optimal stopping rule, 89
  overview, 86
building load control, distributed opportunistic scheduling
  benefits, 89
  demand response, 87–89
  discussion, 96–98
  fairness, 98
  guidelines, 89
  optimal stopping rule, 89–90
  overview, 85–87
  power pricing, 87–88
  price signal modeling, 96–97


  problem formulation, 90–94
  simulation and result, 94–95
  summary, 98
building nodes, functional architecture, 153–155
Building-to-Grid (B2G), 191
Bundesverband für Energie- und Wasserwirtschaft (BDEW), 219–220
Business and Policy (B&P), 191
business considerations
  AMI/DMS integration, 124–126
  interface reference model, 22
business partners and applications integration
  Application Integration at Electric Utilities-System Interfaces for Distribution Management, 14
  common information model, 15–19
  component interface specification, 19–20
  Energy Management System Application Program Interface, 13–14
  Framework for Energy Market Communications, 14–15
  interface reference model, 20–22
  overview, 10–12
bus snooping, 281

C

Canadian Union of Public Employees (CUPE), 248
carrier sense multiple access (CSMA), 168
catalog, control systems security recommendations, 219
CBC, see chaining block cipher (CBC) mode
CDPSM, see common distribution power system model (CDPSM)
certificates and certification
  secure communications, 41
  secure profiles, 42–43
  standards, 210
chaining block cipher (CBC) mode, 259, 261–262
challenges
  AMI/DMS integration, 125–126
  cybersecurity, 198–201
Chen, Zhe, xiii, 139–178
China, roadmap activities, 223
CHP, see combined power and heat (CHP)
CIGRE, see International Council on Large Electronic Systems (CIGRE)
CIM, see common information model (CIM)
CIM Based Graphics Exchange, 13
CIM RDF Model Exchange Format for Distribution, 14, see also common information model (CIM)
CIMug site, 19
CIS, see component interface specification (CIS)
clothes dryer, simulation and result, 94–95
cloud computing, see smart grids and cloud computing
CLS, see controllable local system (CLS)
cognitive algorithms
  dimensionality reduction, 156–161
  experimental validation, 158–161
  high-dimensional data processing, 156–161
  independent component analysis, 166–170


  receiver block diagram, 167–170
  robust PCA-ICA approach, 166–172
  robust principal component analysis, 161–163
  signal model, 167–170
  simulation and results, 170–172
  spectrum monitoring, 158–161
  strong wideband interference, 166–170
  support vector machine, 158–161
  wireless transmission recovery, 166–170
cognitive radio network
  cognitive algorithms, 156–172
  communications infrastructure development, 174–176
  dimensionality reduction, 156–161
  experimental validation, 158–161
  FPGA-based fuzzy logic intrusion detection, 176–178
  functional architecture, building nodes, 153–155
  hardware platforms, 146–157
  high-dimensional data processing, 156–161
  IEEE 802.22 system, 142–144
  independent component analysis, 166–170
  innovative testbed, 151–156
  Microsoft Research software radio, 150–151
  motherboard, new hardware platform, 152–153
  network for smart grid, 144–157
  network testbed, 155
  overview, 140–142
  receiver block diagram, 167–170
  robust PCA-ICA approach, 166–172
  robust principal component analysis, 161–163
  secure communication, 172–178
  signal model, 167–170
  simulation and results, 170–172
  small form factor software-defined radio development platform, 148–149
  spectrum monitoring, 158–161
  strong wideband interference, 166–170
  summary, 178
  support vector machine, 158–161
  testbed, 146–157
  Universal Software Radio Peripheral 2, 146–148
  wireless open-access research platform, 149–150
  wireless transmission recovery, 166–170
combined power and heat (CHP), 32
common data classes (CDCs), 34
common distribution power system model (CDPSM), 17
common information model (CIM)
  application program interfaces, 13
  business partners and applications integration, 15–19
  future trends, 51
  interapplication integration, 14
  reference architecture, 10
  SIA layers, 11
  standards, 5
common power system model (CPSM), 17
common services standard, 13
communications
  basic communication structure standards, 31
  communications infrastructure development, 174–176
  FPGA-based fuzzy logic intrusion detection, 176–178
  hydroelectric power plants, 31


  infrastructure development, 174–176
  modules, 105–106
  overview, 172, 174
  security and data management, 40–41
  standard protocol stacks, 32–33
  standards, 5, 25, 31
  substations, 30–32
  transport protocols, 5
communications, infrastructure cybersecurity, see also security
  auditability, 196
  authentication, 196
  authorization, 196
  availability, 194–195
  challenges, 198–201
  high-level requirements, 190–192
  integrity, 195–196
  internetworking, 198–199
  nonrepudiability, 196–197
  overview, 188–190
  privacy, 193–194
  security policy and operations, 199–200
  security services, 200–201
  summary, 201
  third-party protection, 197
  trust, 197–198
communications, protocols
  ANSI C12.22, 112–114
  IEC 62056, 115–117
  overview, 111–112
communications network, AMI/DMS integration
  hierarchical communication network format, 107–109
  home-area network, 108–109
  Internet-protocol-based mesh communication network, 109–110
  meter LAN, 108
  overview, 106–107
  wide-area network, 107–108
community strings, 236
Companion Specification for the Energy Metering (COSEM)
  metering standards, 24–25
  model, 115
  protocol stacks, 24–25
comparisons, 123
component interface specification (CIS)
  application program interfaces, 13
  business partners and applications integration, 19–20
components
  AMI system security, 278
  MDI layer, 127–129
confidentiality, 279
configuration description language standard, 31
conformance test cases
  companion standard, 29–30
  standards, 29
  testing, 32
connection abort, 43
connections, remote, 257–258
connectivity, SCADA systems, 255
Consol. with AM1: TASE.2 Object Models, 38
Consol. with AM1: TASE.2 User Guide, 38
consumption of resources, 199–200
context, MDI layer, 126
control centers
  App Services, 39
  object models, 39–40
  overview, 37
  planning, 231–232
  protocols, 39
  TASE.2, 37–39
control functions, SCADA security, 252


controllable local system (CLS), 271–272
controlling and controlled station, 43
control system perspective, 272
COSEM, see Companion Specification for the Energy Metering (COSEM)
cost, data centers, 78–79
cost-benefit analysis, 81
cost-minimization problem, 93–94
counter synchronization, 263
coupling of applications, 17
CPE, see customer premises equipment (CPEs)
CPP, see critical peak pricing (CPP)
CPSM, see common power system model (CPSM)
critical function codes, 234
Critical Infrastructure Protection (CIP) cybersecurity standards, 215–216
critical peak pricing (CPP), 88, 89
cryptographic key distribution, 282–283
cryptography, improper, 281
CSCTG, see Cyber Security Coordination Task Group (CSCTG)
CSMA, see carrier sense multiple access (CSMA)
CUPE, see Canadian Union of Public Employees (CUPE)
curve fitting, 97
customer gateway, 278
customer premises equipment (CPEs), 142–143
cybersecurity, communication infrastructures, see also security; threats
  auditability, 196
  authentication, 196
  authorization, 196
  availability, 194–195
  challenges, 198–201
  high-level requirements, 190–192
  integrity, 195–196
  internetworking, 198–199
  nonrepudiability, 196–197
  overview, 188–190
  privacy, 193–194
  security policy and operations, 199–200
  security services, 200–201
  summary, 201
  third-party protection, 197
  trust, 197–198
Cyber Security Coordination Task Group (CSCTG), 191

D

DAP, see day-ahead pricing (DAP)
data acquisition, SCADA security, 252
data attribute standards, 235
data centers
  as host, 62
  smart appliances, 79–81
  smart grids, 78–79
data communication protocols, 27
data encryption, 283–284, see also encryption
data exchange, 23–25
Datagram Congestion Control Protocol (DCCP), 276
Datagram Transport Layer Security (DTLS), 217
Data Link Layer using HDLC Protocol, 24
data management, see security, and data management
data migration, 63–64
data standards, 235
data type, 234
day-ahead pricing (DAP), 87


DCCP, see Datagram Congestion Control Protocol (DCCP)
DCS, see distributed control systems (DCS)
Definition and Coding of Application Information Elements, 28
degrees of freedom (DOF), 156, 159, 161
demand response (DR)
  benefits, 89
  guidelines, 89
  optimal stopping rule, 89–90
  overview, 88–89
  power pricing, 87–88
denial-of-service threats
  AMI system security, 282
  network layer attacks, 275
DER, see distributed energy resources (DERs)
Deregulated Energy Market Communications, 15
Deutsches Institut für Normung (DIN), 207, 222
Devices beyond the Substation
  IEDs, relays, meters, switchgear, CTs, and VTs, 32
device standards, 214
DEWGs, see domain expert working groups (DEWGs)
diesel-electric generator attack, 248
Diffie-Hellman, secure communications, 41
digital phosphor oscilloscope (DPO), 158
digital signature standard (DSS), 41
dimensionality reduction, 156–161
DIN, see Deutsches Institut für Normung (DIN)
direct load control, 89
Direct Local Data Exchange, 24
direct tampering, 281–282
distributed control systems (DCS), 248
distributed energy resources (DERs)
  devices beyond the substation, 32
  existing object models, 36–37
  object models, 34–35
distributed network protocol (DNP3), 233–234
distributed opportunistic scheduling, building load control
  benefits, 89
  demand response, 87–89
  discussion, 96–98
  fairness, 98
  guidelines, 89
  optimal stopping rule, 89–90
  overview, 85–87
  power pricing, 87–88
  price signal modeling, 96–97
  problem formulation, 90–94
  simulation and result, 94–95
  summary, 98
Distribution Automation, 5
Distribution Automation Using Distribution Line Carrier Systems, 26–27
distribution line carrier (DLC), 23, 26
Distribution Line Message Specification (DLMS) User Association, 23–25
distribution management system (DMS)
  interface reference model, 20–22
  remote terminal units, 189
  SIA layers, 11–12
distribution management system (DMS), integration with AMI
  business considerations, 124–126
  challenges, 125–126
  comparisons, 123–124
  meter data models, 120–124


  A Meter Model in CIM, 121–122
  MultiSpeak, 122
DLC, see distribution line carrier (DLC)
DLMS, see Distribution Line Message Specification (DLMS) User Association
DMS, see distribution management system (DMS)
DNP3, see distributed network protocol (DNP3)
DNS, see domain name service (DNS)
domain expert working groups (DEWGs), 191
domain name service (DNS)
  network migration, 65
  supporting protocols, 235
domain-specific meter models, 123
Dong, Xihua, xiii, 85–98
DP, see small form factor (SFF) software-defined radio (SDR) development platform (DP)
DPO, see digital phosphor oscilloscope (DPO)
DSS, see digital signature standard (DSS)
DTLS, see Datagram Transport Layer Security (DTLS)
dynamic voltage and frequency scaling (DVFS) schemes
  application manager, 67, 69
  service-level agreements, 61

E

EAI, see enterprise application integration (EAI)
EAP, see Extensible Authentication Protocol (EAP)
EDIFACT, see electronic data interchange for administration, commerce, and transport (EDIFACT)
efficient solar cells based on organic and hybrid technology (ESCORTS), 222
ELCOM-90, 38
Electricity Metering, 5
Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
Electric Power Research Institute (EPRI), 15, 111, 190, 200
electric power system stability, 272
Electric Reliability Council of Texas (ERCOT), 17
electromechanical meters, 105
electronic data interchange for administration, commerce, and transport (EDIFACT), 15
EMS, see energy management systems (EMS)
encryption
  authentication technique, 44
  data encryption, 283–284
  link-layer security frameworks, 286–287
  PDU security extension, 45
  secure communications, 40–41
  standards, 213–214
energy grid, SCADA, 246–248
Energy Management System Application Program Interface, 13–14
energy management systems (EMS)
  CIS standards, 19
  control centers, 232
  protocols, 38
  RTUs and SCADA, 189
  SIA layers, 11–12


Energy Market Model Example, 15
engineering applications, 12
Engineering standard, 36–37
enterprise application integration (EAI), 11
enterprise service buses (ESBs), 21
ENTSO-E, see European Network of Transmission System Operators for Electricity (ENTSO-E)
EPRI, see Electric Power Research Institute (EPRI)
EPSEM, 114
ERCOT, see Electric Reliability Council of Texas (ERCOT)
ESB, see enterprise service buses (ESBs)
ESCORTS, see efficient solar cells based on organic and hybrid technology (ESCORTS)
Establishment of an Industrial Automation and Control System (IACS) Security Program, 213
Ethernet protocol, 32–33
European Network of Transmission System Operators for Electricity (ENTSO-E), 17
European Smart Grid Coordination Group, 220–222
European Union’s Task Force Smart Grid, 220
existing object models, 36–37
experimental validation, 158–161
extensibility, 126
Extensible Authentication Protocol (EAP), 217
eXtensible Markup Language (XML)
  common information model, 18
  DERs and meters, 36
  existing object models, 36
  interface reference model, 21
  Internet-protocol-based mesh communication network, 109
  mapping to web services, 35
  reference architecture, 7
  standards, 212
external IT applications, 12

F

fairness, 98
false conditions or alarms, 199
fast Fourier transform (FFT), 159
Federal Information Processing Standard (FIPS), 192, 218
FFT, see fast Fourier transform (FFT)
FICA CPLX algorithm, 170, 172
field-area network, 274–278
field devices
  substations, 232
  systems using web services, 36
field-programmable gate array (FPGA), 141, 149–153, 176–178
finite-state Markov chain (FSMC), 97
FIPS, see Federal Information Processing Standard (FIPS)
firmware download, SCADA security, 252
FirstEnergy, blackout, 249–250
flexibility, MDI layer, 133
FPGA, see field-programmable gate array (FPGA)
Framework for Energy Market Communications, 14–15
Fries, Steffen, xiii, 205–224
FSMC, see finite-state Markov chain (FSMC)
functional architecture, building nodes, 153–155
functional profile standards, 38–39


function codes, 234
future outlook and trends
  distributed opportunistic scheduling, 98
  smart grid security, last mile, 287
  technical smart grid infrastructure, 50–51
fuzzy logic intrusion detection, 176–178

G

Gaussian noise, 162
GDOI, see Group Domain of Interpretation (GDOI)
general considerations standards
  data transmission parameters concerning medium- and low-voltage distribution mains, 27
  distribution automation system architecture, 26
  guide for specification-DLMS, 26
general meter models, 123
general packet radio services (GPRS), 106
General Requirements, 31
General Structure of Application Data, 28
generator test attack, 248
Generic Data Access, 13
Generic Eventing and Subscription (GES)
  application program interfaces, 13
  data exchange, 20
generic interface definitions (GID), 19
generic object oriented substation event (GOOSE)
  delay constraint, 195
  mapping to MMS, 33
  PDU security extension, 45
  standards, 210, 212, 235
generic substation status event (GSSE)
  mapping to MMS, 33
  standards, 235
German standards, 219–220, 222
GES, see Generic Eventing and Subscription (GES)
Global System for Mobile Communications (GSM), 106
Glossary standards, 13–14, 25, 31
GNU Radio, 147–148
Gonzáles, José, xiii, 3–51
Google PowerMeter service, 194
GOOSE, see generic object oriented substation event (GOOSE)
Govindarasu, Manimaran, xiv, 227–242
GPRS, see general packet radio services (GPRS)
grid volatility, security threats, 277
GridWise Architecture Council (GWAC), 191
Group Domain of Interpretation (GDOI), 217
GSM, see Global System for Mobile Communications (GSM)
GSSE, see generic substation status event (GSSE)
Guide for Assessing the Security Controls in Federal Information Systems, 230
guidelines, process control systems, energy utility industry, 207
guideline standards
  application program interfaces, 13
  conformance testing, 29
  demand response, 89
  exchanging information from a CDC-based data model, 32


  framework for energy market communications, 15
  smart grid cybersecurity, 177
Guide to Industrial Control Systems (ICS) Security, 218
Guo, Nan, xiv, 139–178
GWAC, see GridWise Architecture Council (GWAC)

H

Hahn, Adam, xiv, 227–242
HAL, see hardware abstraction layer (HAL)
HAN, see home-area networks (HANs)
hardware abstraction layer (HAL), 153
hardware platforms
  Microsoft Research software radio, 150–151
  overview, 146
  small form factor software-defined radio development platform, 148–149
  Universal Software Radio Peripheral 2, 146–148
  wireless open-access research platform, 149–150
harmonization
  lack of, 49
  standards, 219
hash-based message authentication code-secure hash algorithm, 211
hash-CBC (HCBC) mode, 259, 262
hash message authentication code (HMAC)
  authentication technique, 44
  critical vs. noncritical functions, 234
HCB, see hybrid cloud broker (HCB)
headend, 278
heuristics, sequencing, 75–76
H2G, see Home-to-Grid (H2G)
hierarchical communication network format
  home-area network, 108–109
  meter LAN, 108
  overview, 107
high-dimensional data processing, 156–161
high-level cybersecurity requirements, 190–192
high-level data link control (HDLC) protocol, 115
high speed data access (HSDA)
  application program interfaces, 13
  data exchange, 19
HMAC-SHA256, see hash-based message authentication code-secure hash algorithm
Hochgraf, Clark, xiv, 269–287
Hof, Hans-Joachim, xiv, 205–224
home-area networks (HANs)
  hierarchical communication network format, 108–109
  smart grid system architecture, 271
Home-to-Grid (H2G), 191
Hou, Shujie, xiv, 139–178
HSDA, see High Speed Data Access (HSDA)
HTTP, see Hypertext Transfer Protocol (HTTP)
Hu, Rose Qingyang, xiv, 187–201
Hu, Zhen, xiv
Hyatt Regency Hotel, 248
hybrid cloud broker (HCB)
  architecture, smart grids and cloud computing, 68–69
  solutions, smart grids and cloud computing, 76


hybrid encryption, 40
hydroelectric power plants, 31
Hypertext Transfer Protocol (HTTP), 109

I

IACS, see Establishment of an Industrial Automation and Control System (IACS) Security Program
IALM, see inexact augmented Lagrange multiplier (IALM)
IBM WebSphere MQ 7.0, 131
IBR, see inclining block rate (IBR) pricing scheme
ICA, see independent component analysis (ICA)
ICCP, see inter-control center communications (ICCP)
ICMP, see Internet Message Control Protocol (ICMP)
ICS, see Guide to Industrial Control Systems (ICS) Security
Idaho National Laboratory, 237, 248, 254
IEC, see International Electrotechnical Commission (IEC)
IEDs, relays, meters, switchgear, CTs, and VTs
  ACSI, 33–34
  communication industry standard protocol stacks, 32–33
  conformance test cases, companion standard, 29–30
  devices beyond the substation, 32
  mapping to MMS, 33
  mapping to web services, 35–36
  object models, 34–35
  RTUs or substation systems, 28–29
  substation devices, 30–32
IEEE, see Institute of Electrical and Electronics Engineers (IEEE)
IETF, see Internet Engineering Task Force (IETF)
I2G, see Industrial-to-Grid (I2G)
impersonation, 199
improper cryptography, 281
incentive-based options, demand response, 88
inclining block rate (IBR) pricing scheme, 97
independent component analysis (ICA), 166–170
Industrial-to-Grid (I2G), 191
inexact augmented Lagrange multiplier (IALM), 164–166
information model, AMI/DMS integration, 117–120
information translation and verification structure, 128–129
infrared (IR) protocol, 81
infrastructure service-level agreements, 60
innovative testbed
  functional architecture, building nodes, 153–155
  motherboard, new hardware platform, 152–153
  network testbed, 155
  overview, 151–152
insecure remote connections, 256
Institute of Electrical and Electronics Engineers (IEEE)
  IEEE 802.11, 146, 175
  IEEE 802.22, 141–144, 178
  IEEE 1686-2007, 213
  IEEE 1711, 253
  IEEE 1815, 233, 254
  IEEE 802.1AE, 214


  IEEE 802.1AR, 214
  IEEE 802.16e, 192
  IEEE 802.11i, 192
  IEEE P1686, 223
  IEEE 802.1Q, 235
  IEEE 802.1X, 214
  standardization, 191, 213–214
integrated services digital network (ISDN), 23
integration, 10–12, see also advanced metering infrastructure (AMI)
integrity
  AMI system security, 279
  vulnerabilities and security requirements, 195–196
Intel Xeon server, 146
interchangeability, substation devices, 30
inter-control center communications (ICCP), 208
interface reference model (IRM), 12, 20–22
interfaces
  architecture and general recommendations, 20
  classes, metering standards, 24
  interapplications integration, 14
  meter reading and control, 14
  network operations, 14
  records and asset management, 14
International Council on Large Electronic Systems (CIGRE), 214
International Electrotechnical Commission (IEC)
  IEC 6180-7-420, 28
  IEC 27000, 223
  IEC 60050, 25
  IEC 60850, 40
  IEC 60870, 5, 208
  IEC 60870-5, 28–29, 40, 43
  IEC 60870-5-1, 28
  IEC 60870-5-2, 28
  IEC 60870-5-3, 28
  IEC 60870-5-4, 28
  IEC 60870-5-5, 28
  IEC 60870-5-6, 29
  IEC 60870-5-101, 28–30
  IEC 60870-5-102, 28–29
  IEC 60870-5-103, 28–29
  IEC 60870-5-104, 28–30, 43–44
  IEC 60870-5-601, 29
  IEC 60870-5-604, 29
  IEC 60870-6, 36–39
  IEC 60870-6-1, 39
  IEC 60870-6-2, 39
  IEC 60870-6-501, 38
  IEC 60870-6-502, 38
  IEC 60870-6-503, 38–39
  IEC 60870-6-505, 38
  IEC 60870-6-601, 39
  IEC 60870-6-602, 39
  IEC 60870-6-701, 38
  IEC 60870-6-702, 38–39
  IEC 60870-6-802, 38–40
  IEC 61334, 5, 23, 26–27
  IEC 61334-3-1, 27
  IEC 61334-3-21, 26–27
  IEC 61334-3-22, 26–27
  IEC 61334-4-1, 27
  IEC 61334-4-32, 27
  IEC 61334-4-33, 27
  IEC 61334-4-41, 27
  IEC 61334-4-42, 27
  IEC 61334-4-511, 26–27
  IEC 61334-4-512, 26–27
  IEC 61334-5-1, 26–27
  IEC 61334-5-2, 26–27
  IEC 61334-5-3, 26–27
  IEC 61334-5-4, 26–27
  IEC 61334-5-5, 26–27
  IEC 61334-6, 26–27
  IEC 61344-4-61, 27
  IEC 61400-25, 5, 28


  IEC 61400-25-2, 36
  IEC 61400-25-4, 36
  IEC 61580, 5, 194
  IEC 61850, 28, 30–32, 36–37, 45, 195, 208, 210–211, 234–235
  IEC 61850-3, 31
  IEC 61850-4, 31
  IEC 61850-5, 31
  IEC 61850-6, 31, 36–37
  IEC 61850-7-1, 31
  IEC 61850-7-2, 31, 33–34
  IEC 61850-7-3, 31, 34–35
  IEC 61850-7-4, 28, 31–32, 34–35
  IEC 61850-7-410, 28, 31–32
  IEC 61850-7-420, 31–32, 35
  IEC 61850-8-1, 31, 33, 37, 45
  IEC 61850-9-1, 31
  IEC 61850-9-2, 32, 37, 45
  IEC 61850-10, 32
  IEC 61850-80-1, 32
  IEC 61850-90-1, 32
  IEC 61870, 50
  IEC 61870-5, 28
  IEC 61950-7, 37
  IEC 61968, 5, 11–12, 14–15, 17, 50, 122
  IEC 61968-1, 14, 19, 22
  IEC 61968-3, 14, 20–21
  IEC 61968-4, 20–21
  IEC 61968-5, 20–21
  IEC 61968-6, 20–21
  IEC 61968-7, 14, 20–21
  IEC 61968-8, 20–21
  IEC 61968-9, 14, 20–21, 104, 120–124, 128
  IEC 61968-11, 11, 14, 16
  IEC 61968-13, 14
  IEC 61970, 5, 12–15, 50
  IEC 61970-1, 13
  IEC 61970-4, 17, 19–20
  IEC 61970-301, 11, 13, 16
  IEC 61970-401, 11, 19
  IEC 61970-402, 13, 19
  IEC 61970-403, 13, 19
  IEC 61970-404, 13, 19
  IEC 61970-405, 13, 19
  IEC 61970-407, 13, 19
  IEC 61970-453, 13
  IEC 61970-501, 13
  IEC 62051, 24
  IEC 62056, 5, 24–25, 115–117
  IEC 62056-21, 115–116
  IEC 62056-24, 24
  IEC 62056-31, 24
  IEC 62056-42, 24, 115–116, 119
  IEC 62056-46, 24, 115–116, 119
  IEC 62056-47, 25, 115–116
  IEC 62056-53, 24, 112, 116, 119
  IEC 62056-61, 24, 116, 119
  IEC 62056-62, 24, 112, 116–120, 123
  IEC 62325, 5, 11–12, 14–15
  IEC 62325-101, 15
  IEC 62351, 5, 40, 45–46, 222–223
  IEC 62351-3, 40–41, 209–210
  IEC 62351-4, 40–43, 45, 209–210
  IEC 62351-5, 40, 43–44, 209–210
  IEC 62351-6, 40, 45, 209–211
  IEC 62351-7, 40, 45–46, 211
  IEC 62351-8, 211
  IEC 62351-9, 211
  IEC 62351-10, 211–212
  IEC 62351-11, 212
  IEC 62443, 40, 208
  IEC 62443-1-1, 213
  IEC 62443-2-1, 213
  IEC 62443-3-1, 213
  IEC 62541, 48
  IEC 608705, 254
  IEC TC 57, 12
  IEC 62357 TC 57, 5
  IEC TC 13 WG 14, 23–24
  IEC TC 57 WG 14, 14
  IEC/TR 61334-1-1, 26
  IEC/TR 61334-1-2, 26


  IEC/TR 61334-1-4, 27
  IEC/TR 61850-1, 31
  IEC/TR 62051, 25–26
  IEC/TR 62051-1, 25
  IEC/TR 62325-101, 15
  IEC/TR 62325-102, 15
  IEC/TR 62325-501, 15
  IEC TR 62357, 6–7, 50
  IEC/TS 60870-6-504, 38
  IEC/TS 61850-2, 31
  IEC/TS 61968-2, 14
  IEC/TS 61970-2, 13
  IEC/TS 61970-401, 13
  IEC/TS 62056-41, 25
  IEC/TS 62056-51, 25
  IEC/TS 62056-52, 25
  IEC/TS 62325-502, 15
  ISO/IEC 27k, 40
  ISO/IEC 8802-3, 33
  ISO/IEC 9506-1, 33
  ISO/IEC 9506-2, 33
  ISO/IEC 17799, 215
  ISO/IEC 27000, 207
  ISO/IEC 27001, 207
  ISO/IEC 27002, 207
  ISO/IEC 60870-5, 209
  ISO/IEC 61850, 209
  ISO/IEC 62351, 208
  ISO/IEC 62351-3, 209–210
  ISO/IEC 62443, 213
  ISO/IEC 62351-1 to 11, 208–212
  ISO/TR 27019, 222
  Smart Grid Strategic Group (SG3), 207–208
  standardization, 207
  TC 13 WG 14, 24–26
International Organization for Standardization (ISO)
  ISO 8650, 43
  ISO 27000, 215
  ISO 27001, 222
  ISO 27011, 207
  ISO 27019, 207
  ISO/IEC 27k, 40
  ISO/IEC 8802-3, 33
  ISO/IEC 9506-1, 33
  ISO/IEC 9506-2, 33
  ISO/IEC 17799, 215
  ISO/IEC 27000, 207
  ISO/IEC 27001, 207
  ISO/IEC 27002, 207
  ISO/IEC 60870-5, 209
  ISO/IEC 61850, 209
  ISO/IEC 62351, 208
  ISO/IEC 62351-3, 209–210
  ISO/IEC 62443, 213
  ISO/IEC 62351-1 to 11, 208–212
  ISO/TR 27019, 222
  ISO transport service, 43
  standardization, 207
International Society of Automation (ISA)
  ISA 99, 213, 223
  standardization, 191, 213
Internet Engineering Task Force (IETF), 216–218
Internet Message Control Protocol (ICMP), 238, 239
Internet protocol addressing, 276
Internet-protocol-based mesh communication network, 109–110
Internet Protocol security (IPsec), 234
Internet Protocols for the Smart Grid, 217
Internet-scale systems, 58–59
internetworking challenges, 198–199
interoperability, substation devices, 30
intrusion detection systems
  failure of, 176
  security and data management, 45–46
I/O driver approach, 63
IP protocol


  communication industry standard protocol stacks, 32–33
  network migration, 65
  secure profiles, 43
IPsec, see Internet Protocol security (IPsec)
IR, see infrared (IR) protocol
IRM, see interface reference model (IRM)
ISA, see International Society of Automation (ISA)
ISDN, see integrated services digital network (ISDN)
ISO, see International Organization for Standardization (ISO)
Iwayemi, Abiodun, xiv, 85–98

J

Japan, roadmap activities, 223

K

kernel PCA (KPCA), 156–157
keys
  agreement phase, 286
  authentication technique, 44
  cryptographic key distribution, 282–283
  development, 190
  establishment and management, 284–286
  link-layer security frameworks, 286–287
  network wide, 285
  predistribution phase, 285
  secure communications, 41
  stored, 282

L

landmark maximum variance unfolding (LMVU), 156, 158
LCE infrastructure, 129, 130
LD, see logical devices (LDs)
LDAP, see Lightweight Directory Access Protocol (LDAP)
Li, Zhao, xiv, 101–135
Lightweight Directory Access Protocol (LDAP), 232
link layer attacks, 274–275
link-layer security frameworks, 286–287
link transmission procedures, 28
Liu, Chen-Ching, xiv, 227–242
live migration, VM images
  data migration, 63–64
  network migration, 64–66
  overview, 62–63
LMN, see local metrological network (LMN)
LMVU, see landmark maximum variance unfolding (LMVU)
LN, see logical nodes (LNs)
load control, see building load control, distributed opportunistic scheduling
load shed, maximizing, 80
local-area networks (LANs)
  App Services, 39
  hierarchical communication network format, 107
local metrological network (LMN), 271
local systems, attributes, 40
local tampering, 282
logical devices (LDs), 31
logical nodes (LNs)
  devices beyond the substation, 32
  object models, 35
  standards, 235
  substation devices, 31
lower-layer profile standards, 27
low-rank matrix approximation, see principal component analysis (PCA)
Lyrtech, 148


M

MAC, see medium/media access control (MAC); message authentication codes (MACs)
MAC Security standard, 214
mains signaling requirement standards, 27
main structure, 6–7
maintenance applications, 12
mandate M/490, 220–222
Manufacturing Message Specification (MMS) protocol
  object models, 34
  secure profiles, 42–43
  standards, 209–210
  TASE.2, 38
mapping
  to MMS, 33
  to web services, 35–36
market communications, using CIM, 5, 14
market operations applications, 12
Maroochy Shire (Queensland), 248
maximum variance unfolding (MVU), 157
MDA, see model driven architecture (MDA) approach
MDI, see meter data integration (MDI)
medium/media access control (MAC)
  distribution line message specification, 26
  standards, 214
message authentication codes (MACs)
  secure communications, 41
  sSCADA, 260
message-oriented middleware (MOM), 22
Metasploit framework, 240
meter authorization weaknesses, 282
meter data integration (MDI)
  adaptors, 127–128, 129
  AMI to DMA processes, 130
  architecture evaluation, 131–134
  behavior, 129–131
  components, 127–129
  context, 126
  DMA to AMI processes, 130–131
  flexibility, 133
  information translation and verification structure, 128–129
  LCE infrastructure, 129
  monitor, 129
  performance, 131–132
  scalability, 132
  software architecture, 126–131
  strategies, 131–133
  test results, 133–134
meter data management system (MDMS)
  AMI/DMS integration, 110–111
  overview, 104
meter data models
  comparisons, 123–124
  A Meter Model in CIM, 121–122
  MultiSpeak, 122
  overview, 120
metering system, AMI/DMS integration, 104–106
meter LAN
  hierarchical communication network format, 108
meter standards, 24–26
Microsoft .NET enterprise technologies, 131
Microsoft Research software radio (Sora) platform, 150–151
migration, VM images
  data migration, 63–64
  network migration, 64–66
  overview, 62–63


MIMO, see Multiple input multiple output (MIMO)
Minimum security requirements, FIPS, 218
Microsoft Research software radio, 150–151
Mishra, Sumita, xiv, 269–287
MMS, see Manufacturing Message Specification (MMS) protocol
Model driven architecture (MDA) approach, 20
Modes, demand response, 88
MOM, see Message-oriented middleware (MOM)
Monitor, MDI layer, 129
Motherboards, 152–153
Multiple input multiple output (MIMO), 156
Multiple remote clouds, 76
Multi-Protocol Label Switching-Virtual Private Network (MPLS-VPN), 65
MultiSpeak, 122–124
MuNet, 109
MVU, see Maximum variance unfolding (MVU)

N

NASEO, see National Association of State Energy Officials (NASEO)
National Association of State Energy Officials (NASEO), 273
National Infrastructure Protection Plan (NIPP), 191
National Institute of Standards and Technology (NIST)
    national regulations, 218
    NISTIR 7628, 191, 219, 222
    SP 800-53, 218, 223
    SP 800-82, 218–219, 223
    SP 800-115, 230
    SP 1108, 219
    SP 800-53A, 230
    standards, 191, 219
National regulations
    Bundesverband für Energie- and Wasserwirtschaft, 219–220
    European Smart Grid Coordination Group, 220–222
    European Union's Task Force Smart Grid, 220
    National Institute of Standards and Technology, 218
    NISTIR 7628, 219
    NIST SP 800-53, 218
    NIST SP 800-82, 218–219
    NIST SP 1108, 219
    overview, 218
    U.S. Department of Homeland Security, 219
National Rural Electric Cooperative Association (NRECA), 111
National SCADA Test Bed Program, 254
Neighbor-area network, 274–278
NEMA standards, 117
NERC, see North American Electric Reliability Corporation (NERC)
Nessus assessment tool, 236, 239
NetAPT, see Network Access Policy Tool (NetAPT)
Network Access Policy Tool (NetAPT), 237
Network configuration/rule sets, 236–237
Network discovery, 238–239
Network for smart grid
    hardware platforms, 146–157
    Microsoft Research software radio, 150–151
    overview, 144–145


    small form factor software-defined radio development platform, 148–149
    testbed, 146–157
    Universal Software Radio Peripheral 2, 146–148
    wireless open-access research platform, 149–150
Network infrastructure, 113–114
Network layer attacks, 275–276, see also Attacks and accidents
Network Management Protocol (SNMP), 236
Network migration, 64–66
Network protocol, see also specific protocol
    distributed network protocol, 233–234
    IEC 61850, 234–235
    overview, 233
    supporting protocols, 235–236
Network testbed, 155
Network traffic review, 237–238
Networkwide keys, 285
Neural networks, 176
New York Independent System Operator (NYISO), 249
Night Dragon attacks, 251
NIST, see National Institute of Standards and Technology (NIST)
Nodes, functional architecture, 153–155
Noncritical function codes, 234
Nondeterministic polynomial (NP) hard, 75
Nonrepudiation
    AMI system security, 280
    vulnerabilities and security requirements, 196–197
No optimal stopping rule (NOSR), 94–95
North American Electric Reliability Corporation (NERC), 191, 215–216, 228, 231
NP, see Nondeterministic polynomial (NP) hard
NRECA, 122
NSS Labs, 251
NYISO, see New York Independent System Operator (NYISO)

O

OBIS, see Object identification system (OBIS)
Object identification system (OBIS), 24–25
Object models standard, 34–35, 39–40
Oh, Tae, xiv, 269–287
OMG, see Open Management Group (OMG)
Open Access Research Testbed for Next-Generation Wireless Networks (ORBIT), 146
Open Management Group (OMG), 20
Open Source Testing Methodology Manual (OSSTMM), 230
Open System Interconnection (OSI)
    network infrastructure standards, 114–115
    protocols, 38–39
    secure profiles, 42
Opportunistic scheduling, see Distributed opportunistic scheduling, building load control
Optimal stopping rule (OSR)
    demand response, 89–90
    simulation and result, 94–95
ORBIT, see Open Access Research Testbed for Next-Generation Wireless Networks (ORBIT)


OSI, see Open System Interconnection (OSI)
OSR, see Optimal stopping rule (OSR)
OSSTMM, see Open Source Testing Methodology Manual (OSSTMM)
Outstations, 233
OVAL assessment tool, 236

P

Pacific Gas and Electric, 97
Packet assembler-disassembler (PAD) type stations standards, 30
Pairwise symmetric keys, 285
Passive discovery, 237
Passwords, 282, see also Keys
Pazos-Revilla, Marbin, xv, 139–178
PCA, see Robust principal component analysis (PCA)
PDU security extension, 45
Peak-to-average ratio (PAR), 97
Peer authentication, 42, see also Authentication
Performance
    AMI and DMS integration, 125
    MDI layer, 131–132
PHEVs, see Plug-in hybrid electric vehicles (PHEVs)
Physical devices, 235
Physical layer
    attacks, 274
    standards, 24
PIM, see Platform-independent model (PIM)
PKI, see Public keys
Plaintext NAN traffic, 280–281
Planning
    control center, 231–232
    distributed network protocol, 233–234
    IEC 61850, 234–235
    network protocol, 233–235
    smart grid security, last mile, 272–274
    substations, 232–233
    supporting protocols, 235–236
Platform-independent model (PIM), 20
Platform-specific model (PSM), 20
PLC, see Power line communicator (PLC); Programmable logic controllers (PLCs)
Plug-in hybrid electric vehicles (PHEVs)
    demand response, 89
    example, 90
Poisson distribution, 94
Polynomial fitting, 97
Port-based network access control, 214
Port scanning, 238–239
Positive semidefinite (PSD) matrix, 158
Postexecution, 240
Power line communicator (PLC), 109
PowerMeter service (Google), 194
Power outage attack, 249–250
Power pricing, 87–88
Power system comparisons, 123
Power systems
    management and associated information exchange, 6, 12
    object models, services, and protocols, 6
Price-based options, demand response, 88
Price signal modeling, 96–97
Principal component analysis (PCA), 141, 156, see also Robust principal component analysis (PCA)


Privacy
    overview, vii–viii
    planning, 272–274
    vulnerabilities and security requirements, 193–194
Problem formulation, 90–94
Profiles
    ebXML, 15
    security and data management, 41–43
Programmable logic controllers (PLCs), 232–233
Project management, 31
Protocols, see also specific protocol
    control centers, 39
    telephone modem communication, 112
PSD, see Positive semidefinite (PSD) matrix
Pseudorandom spreading code matrix and noise, 168–169
PSM, see Platform-specific model (PSM)
Public keys
    authentication technique, 44
    secure communications, 41
    TinyOS, 284
    trust management systems, 190, 200

Q

Qian, Yi, xv
Qiu, Robert, xv, 139–178
Quadrature phase shift keying (QPSK), 170, 172
Quality of service (QoS), 35, 275

R

Radio control board (RCB), 150–151
Radio frequency (RF), 81
Random modeling, price signals, 96–97
Ranganathan, Raghuram, xv, 139–178
Rayleigh flat fading, 168
RDF, see Resource description framework (RDF)
Real-time pricing (RTP)
    demand response, 87, 89
    overview, 85–86
    simulation and result, 94–95
Receiver block diagram, 167–170
Reference architecture
    Application Integration at Electric Utilities-System Interfaces for Distribution Management, 14
    architectural principles, 10
    authentication technique, 43–44
    business partners and applications integration, 10–22
    Common Information Model, 15–19
    Component Interface Specification, 19–20
    control centers, 37–40
    Data Exchange for Meter Reading, Tariff, and Load Control, 23–24
    DERs and meters, 36–37
    Distribution Automation Using Distribution Line Carrier Systems, 26–27
    Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
    Energy Management System Application Program Interface, 13–14
    energy systems integration, 22–40


    Framework for Energy Market Communications, 14–15
    IEDs, relays, meters, switchgear, CTs, and VTs, 28–36
    Interface Reference Model, 20–22
    intrusion detection, 45–46
    layers, 7–9
    main structure, 6–7
    meter standards, 24–26
    PDU security extension, 45
    revenue meters, 23–27
    seamless integration, 10
    secure communications, 40–41
    secure profiles, 41–43
    security and data management, 40–46
    standardization, 5–6
    structure of current standard, 7–9
Regulations and standards, security
    Bundesverband für Energie- and Wasserwirtschaft, 219–220
    European Smart Grid Coordination Group, 220–222
    European Union's Task Force Smart Grid, 220
    IEC Smart Grid Strategic Group, 207–208
    Institute of Electrical and Electronics Engineers, 213–214
    International Council on Large Electronic Systems, 214
    International Electrotechnical Commission, 207
    International Organization for Standardization, 207
    International Society of Automation, 213
    Internet Engineering Task Force, 216–218
    ISO/IEC 62443, 213
    ISO/IEC 27000 series, 207
    ISO/IEC 62351-1 to 11, 208–212
    National Institute of Standards and Technology, 218
    national regulations, 218–222
    NISTIR 7628, 219
    North American Electric Reliability Corporation, 215–216
    overview, 206
    Security for Information Systems and Intranets in the Electric Power System, 214
    Special Publication 800-53, 218
    Special Publication 800-82, 218–219
    Special Publication 1108, 219
    standardization, 206–218
    summary, 222–224
    Treatment of Information Security for Electric Power Utilities, 215
    U.S. Department of Homeland Security, 219
Remote connections, 257–258
Remote tampering, 282
Remote terminal units (RTUs)
    cybersecurity, 189
    SCADA system security, 253, 255
    substations, 28–29, 233
Replication, data migration, 63–64
Request for Comments (RFC)
    RFC 791, 33
    RFC 793, 33
    RFC 1006, 43
    RFC 1323, 33
    RFC 2030, 45
    RFC 2246, 212
    RFC 2460, 33
    RFC 3711, 217
    RFC 4101, 217
    RFC 4102, 217
    RFC 4103, 217
    RFC 4346, 212
    RFC 4962, 217


    RFC 5246, 212, 217
    RFC 5247, 217
    RFC 5746, 217
    RFC 6272, 217
    RFC 6407, 217
Resource description framework (RDF), 7
Resources, excessive consumption, 199–200
Revenue meters
    Data Exchange for Meter Reading, Tariff, and Load Control, 23–24
    Distribution Automation Using Distribution Line Carrier Systems, 26–27
    Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
    meter standards, 24–26
Review techniques, 236–238
RF, see Radio frequency (RF)
RFC, see Request for Comments (RFC)
Risk assessment, 215
Rivest, Shamir, and Adleman (RSA) signing, 41, 43
Robust PCA-ICA approach, 166–172
Robust principal component analysis (PCA), 161–163
Rohjans, Sebastian, xv, 3–51
Routing black holes, 275
RSA, see Rivest, Shamir, and Adleman (RSA) signing
RTUs, see Remote terminal units (RTUs)

S

Salsburg, Michael, xv, 57
SAML, see Security Assertion Markup Language (SAML)
Sample measured value (SMV) messages
    PDU security extension, 45
    standards, 235
Sample values (SVs), 210
Sanders, William, 177
Sandia National Laboratory, 254
San Diego Gas and Electric, 97
SAS, see Substation automation system (SAS)
SCADA (supervisory control and data acquisition)
    communication network, 188–189
    control centers, 232
    cyber attacks, 228
    mapping to MMS, 33
    network configurations/rule sets, 236
    SIA layers, 11
    standards, 218, 254
    TASE.1, 38
    Wireshark, 237
SCADA, system security
    attacks and accidents, 248–251
    counter synchronization, 263
    energy grid and SCADA, 246–248
    overview, 245–246
    remote connections, 257–258
    security, 256–263
    SSCADA protocol suite, 258–263
    summary, 264
    threats, 255–257
Scalability
    AMI and DMS integration, 125
    MDI layer, 132
Scanning, vulnerability, 239
Scheduling, 92, see also Distributed opportunistic scheduling
SCL, see Substation configuration language (SCL)


SCSM, see Specific communication service mapping (SCSM)
SCTP, see Stream Control Transmission Protocol (SCTP)
SDP, see Semidefinite programming (SDP)
SDR, see Small form factor (SFF) software-defined radio (SDR) development platform (DP)
Seamless integration architecture (SIA)
    application, 46–50
    core standard, 5–6
    DERs and meters, 36
    Interface Reference Model, 22
    layers, 11–12
    reference architecture, 10
    security and data management, 40
Secretary example, 90
Secure communications, see also Communications
    communications infrastructure development, 174–176
    FPGA-based fuzzy logic intrusion detection, 176–178
    overview, 172, 174
    security and data management, 40–41
Secure device identity, 214
Secure hash algorithm, 43
Secure Real-Time Transport Protocol (SRTP), 217
Secure shell (SSH) mechanism, 192
Secure sockets layer (SSL), 40
Secure sockets layer/transport layer security (SSL/TLS), 192
Security, see also Attacks and accidents; Cybersecurity; Threats
    AMI system security, 279–280
    discrepancy, 278
    frameworks, 215
    information systems and intranets, 214
    overview, vii–viii
    planning, 272–274
    policy and operations, 199–200
    profiles, 41–43
    services, 200–201
    for the smart grid, 5
    technologies for IACS, 213
    technologies guideline, 215
Security, and data management
    authentication technique, 43–44
    intrusion detection, 45–46
    overview, 40
    PDU security extension, 45
    secure communications, 40–41
    secure profiles, 41–43
Security, regulations and standards
    Bundesverband für Energie- and Wasserwirtschaft, 219–220
    European Smart Grid Coordination Group, 220–222
    European Union's Task Force Smart Grid, 220
    IEC Smart Grid Strategic Group, 207–208
    Institute of Electrical and Electronics Engineers, 213–214
    International Council on Large Electronic Systems, 214
    International Electrotechnical Commission, 207
    International Organization for Standardization, 207
    International Society of Automation, 213
    Internet Engineering Task Force, 216–218
    ISO/IEC 62443, 213
    ISO/IEC 27000 series, 207
    ISO/IEC 62351-1 to 11, 208–212


    National Institute of Standards and Technology, 218
    national regulations, 218–222
    NISTIR 7628, 219
    NIST SP 800-53, 218
    NIST SP 800-82, 218–219
    NIST SP 1108, 219
    North American Electric Reliability Corporation, 215–216
    overview, 206
    Security for Information Systems and Intranets in the Electric Power System, 214
    standardization, 206–218
    summary, 222–224
    Treatment of Information Security for Electric Power Utilities, 215
    U.S. Department of Homeland Security, 219
Security, SCADA systems
    counter synchronization, 263
    overview, 252–254
    remote connections, 257–258
    SSCADA protocol suite, 258–263
    threats, 255–257
Security Assertion Markup Language (SAML), 200
“Security for Industrial Automation and Control Systems,” 213
Security logs, 42
Semidefinite programming (SDP), 157–158
Sequencing heuristics, 75–76
Service coverage, 142–143
Service-level agreements (SLAs)
    application manager, 70, 72
    site broker, 73–75
    smart grids and cloud computing, 60–62
Service-oriented architectures (SOAs)
    Interface Reference Model, 21
    reference architecture, 7
Sewage management attack, 248
SFF, see Small form factor (SFF) software-defined radio (SDR) development platform (DP)
SGIP, see Smart Grid Interoperability Panel (SGIP) Cybersecurity Working Group
SIA, see Seamless integration architecture (SIA)
SIDM, see System Interfaces for Distribution Management (SIDM)
Signal model, 167–170
Signal-to-interference ratio (SIR), 170–172
Signal-to-noise ratio (SNR), 170
Simple Network Management Protocol (SNMP), 236
Simple Network Time Protocol (SNTP), 45
Simple Object Access Protocol (SOAP), 35
Simulations and results
    distributed opportunistic scheduling, building load control, 94–95
    robust PCA-ICA approach, 170–172
Singular value decomposition (SVD), 162
SIR, see Signal-to-interference ratio (SIR)
Site broker
    architecture, 68
    solutions, 73–76
Skeoch, Ronald, xv, 57
SLA, see Service-level agreements (SLAs)
Small form factor (SFF) software-defined radio (SDR) development platform (DP), 148–149


Smart appliances, data center, 79–81
Smart grid, automation and SCADA system security
    attacks and accidents, 248–251
    counter synchronization, 263
    energy grid and SCADA, 246–248
    overview, 245–246
    remote connections, 257–258
    security, 257–263
    SSCADA protocol suite, 258–263
    summary, 264
    threats, 255–257
Smart Grid Architectural Model (SGAM), 221
Smart Grid Interoperability Panel (SGIP) Cybersecurity Working Group, 191, 219
Smart grids
    cybersecurity strategy and requirements, 191
    overview, vii–viii
    standardization roadmap, 207–208
    varied contexts, 77
Smart grids and cloud computing
    application manager, 67–72
    architecture, 66–69
    data center smart grid, 78–79
    data migration, 63–64
    hybrid cloud broker, 68–69, 76
    live migration, VM images, 62–66
    network migration, 64–66
    overview, 58–60
    service-level agreements, 60–62
    site broker, 68, 73–76
    smart appliances, data center, 79–81
    smart meters and smart loads, 77–81
    solutions, 69–77
    summary, 81
Smart grid security, last mile
    AMI system security, 278–283
    application layer attacks, 277
    authorization, 280
    availability, 279–280
    back-office compromise, 277
    bus snooping, 281
    components, 278
    confidentiality, 279
    control system perspective, 272
    cryptographic key distribution, 282–283
    data encryption, 283–284
    denial-of-service threats, 282
    direct tampering, 281–282
    electric power system stability, 272
    encryption and key management, 283–287
    field-area network, 274–278
    future outlook, 287
    grid volatility, 277
    improper cryptography, 281
    integrity, 279
    internet protocol addressing, 276
    key establishment and management, 284–286
    link-layer attacks, 274–275
    link-layer security frameworks, 286–287
    meter authorization weaknesses, 282
    neighbor-area network, 274–278
    network layer attacks, 275–276
    nonrepudiation, 280
    overview, 270–271
    physical layer attacks, 274
    plaintext NAN traffic, 280–281
    planning, 272–274
    privacy planning, 272–274
    security discrepancy, 278
    security issues, 279–280
    security planning, 272–274


    security threats, 274–278
    stored key and passwords, 282
    summary, 287
    system architecture, 271–272
    transport layer attacks, 276
    vulnerabilities, 280–283
Smart meters and smart loads
    data center smart grid, 78–79
    overview, 77
    smart appliances, data center, 79–81
SMB/4175/R, 207
SMV, see Sample measured value (SMV) messages
SNR, see Signal-to-noise ratio (SNR)
SNTP, see Simple Network Time Protocol (SNTP)
SOA, see Service-oriented architectures (SOAs)
SOAP, see Simple Object Access Protocol (SOAP)
Software architecture, 126–131
Software radio (Sora) platform, 150–151
Solar cell arrays, 89
Solid-state electricity meters, 105
Solutions, smart grids and cloud computing
    application manager, 69–72
    hybrid cloud broker, 76
    overview, 69
    site broker, 73–76
Sophia tool, 237
Sora, see Software radio (Sora) platform
Southern California Edison, 97
Sparx Systems Enterprise Architect, 16
Specht, Michael, xv, 3–51
Specific communication service mapping (SCSM)
    mapping to MMS, 31
    sampled values, 31
Spectrum monitoring, 158–161
SRTP, see Secure Real-Time Transport Protocol (SRTP)
SSCADA protocol suite, 258–263
SSH, see Secure shell (SSH) mechanism
SSL, see Secure sockets layer (SSL)
SSL/TLS, see Secure sockets layer/transport layer security (SSL/TLS)
Standards and regulations, security
    Bundesverband für Energie- and Wasserwirtschaft, 219–220
    European Smart Grid Coordination Group, 220–222
    European Union's Task Force Smart Grid, 220
    IEC Smart Grid Strategic Group, 207–208
    Institute of Electrical and Electronics Engineers, 213–214
    International Council on Large Electronic Systems, 214
    International Electrotechnical Commission, 207
    International Organization for Standardization, 207
    International Society of Automation, 213
    Internet Engineering Task Force, 216–218
    ISO/IEC 62443, 213
    ISO/IEC 27000 series, 207
    ISO/IEC 62351-1 to 11, 208–212
    National Institute of Standards and Technology, 218
    national regulations, 218–222
    NISTIR 7628, 219
    North American Electric Reliability Corporation, 215–216
    overview, 206


    Security for Information Systems and Intranets in the Electric Power System, 214
    Special Publication 800-53, 218
    Special Publication 800-82, 218–219
    Special Publication 1108, 219
    standardization, 206–218
    summary, 222–224
    Treatment of Information Security for Electric Power Utilities, 215
    U.S. Department of Homeland Security, 219
Standards and standardization, see also specific organization or standard
    Electric Power Systems Communications-Distributed Network Protocol, 254
    IEC Smart Grid Strategic Group, 207–208
    Institute of Electrical and Electronics Engineers, 213–214
    International Council on Large Electronic Systems, 214
    International Electrotechnical Commission, 207
    International Organization for Standardization, 207
    International Society of Automation, 213
    Internet Engineering Task Force, 216–218
    ISO/IEC 62443, 213
    ISO/IEC 27000 series, 207
    ISO/IEC 62351-1 to 11, 208–212
    North American Electric Reliability Corporation, 215–216
    overview, 206
    reference architecture, 5–6
    Security for Information Systems and Intranets in the Electric Power System, 214
    substation intelligent electronic devices, 213
    Treatment of Information Security for Electric Power Utilities, 215
Standards and standardization, AMI/DMS integration
    ANSI C12.19-2008, 117–118
    ANSI C12.22, 112–114
    communication protocols, 111–117
    IEC 62056, 115–117
    IEC 62056-62, 118–120
    network infrastructure, 113–114
    overview, 111
State-of-practice review, 241–242
Static model view, 18
Storage array/area network (SAN), 63
Stored key and passwords, 282, see also Keys
Strategies, MDI layer, 131–133
Stream Control Transmission Protocol (SCTP), 276
Strong wideband interference, 166–170
Structural model view, 18
Structure of current standard, 7–9
Stuxnet worm, 250
Substation automation system (SAS), 37
Substation configuration language (SCL)
    DERs and meters, 36
    existing object models, 36–37
    substation devices, 31
Substations
    devices, 30–32
    standards, 5


Substations, automation system vulnerability assessment
    assessment technologies, 230–241
    control center, 231–232
    distributed network protocol, 233–234
    IEC 61850, 234–235
    network configuration/rule sets, 236–237
    network discovery, 238–239
    network protocol, 233–235
    network traffic review, 237–238
    overview, 227–231
    planning, 231–236
    postexecution, 240
    review techniques, 236–238
    state-of-practice review, 241–242
    substations, 232–233
    summary, 241
    system configuration review, 236
    target identification and analysis, 238–239
    target vulnerability validation, 239–240
    vulnerability scanning, 239
Summaries
    automation and SCADA system security, 264
    cloud computing, 81
    cognitive radio network, 178
    cybersecurity, 201
    distributed opportunistic scheduling, building load control, 98
    regulations and standards for security, 222–224
    smart grid security, last mile, 287
    technical smart grid infrastructure, 50–51
    vulnerability assessment, substation automation systems, 241
Supervisory control and data acquisition, see SCADA
Supporting protocols, 235–236
Support vector machines (SVMs), 157–161
SVD, see Singular value decomposition (SVD)
SVM, see Support vector machines (SVMs)
Sybil attacks, 276
Symmetric encryption, 40–41
Symmetric keys
    authentication technique, 44
    development, 190
System and project management, 31
System architecture, 271–272
System capacity, 143–144
System configuration review, 236
System Interfaces for Distribution Management (SIDM), 14
System topology, 142

T

Tampering, 281–282
Target identification and analysis, 238
Target vulnerability validation, 239–240
TASE.1, 38
TASE.2, 37–39
Tasks, 90–94
TCIPG, see Trustworthy Cyber Infrastructure for the Power Grid (TCIPG)
TCP/IP protocol
    DERs and meters, 36
    secure communications, 40
    smart grid, 81
    standards, 115, 209
TCP protocol
    secure profiles, 42
    transport layer attacks, 276


TCPT profiles, 43
TCP/UDP protocol, 238
T&D, see Transmission and distribution (T&D)
Technical smart grid infrastructure
    ACSI, 33–34
    applications, 14, 46–50
    app services, 39
    authentication technique, 43–44
    business partners and applications integration, 10–22
    Common Information Model, 15–19
    Communication Industry Standard Protocol Stacks, 32–33
    Component Interface Specification, 19–20
    conformance test cases, companion standard, 29–30
    control centers, 37–40
    Data Exchange for Meter Reading, Tariff, and Load Control, 23–24
    DERs and meters, 36–37
    devices beyond the substation, 32
    Distribution Automation Using Distribution Line Carrier Systems, 26–27
    Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
    Energy Management System Application Program Interface, 13–14
    energy systems integration, 22–40
    engineering, 36–37
    existing object models, 36–37
    field devices and systems using web services, 36
    Framework for Energy Market Communications, 14–15
    IEDs, relays, meters, switchgear, CTs, and VTs, 28–36
    Interface Reference Model, 20–22
    intrusion detection, 45–46
    main structure, 6–7
    mapping to MMS, 33
    mapping to web services, 35–36
    meter standards, 24–26
    object models, 34–35, 39–40
    outlook, 50–51
    overview, 4–5
    PDU security extension, 45
    protocols, 39
    reference architecture, 5–46
    revenue meters, 23–27
    RTUs or substation systems, 28–29
    seamless integration, 10
    secure communications, 40–41
    secure profiles, 41–43
    security and data management, 40–46
    standardization, 5–6
    structure of current standard, 7–9
    substation devices, 30–32
    summary, 50–51
    TASE.2, 37–39
Tektronix, 158
Telecontrol equipment and systems, 27–28
Tennessee Technological University, 152
Testbed, 146–157
Test results, MDI layer, 133–134
Texas Instruments, 148
Third-party protection, 197
Thread explosion, 130
Threats, see also Cybersecurity, communication infrastructures; Security


    application layer attacks, 277
    back-office compromise, 277
    denial-of-service threats, 282
    field-area network, 274–278
    grid volatility, 277
    internet protocol addressing, 276
    link layer attacks, 274–275
    neighbor-area network, 274–278
    network layer attacks, 275–276
    physical layer attacks, 274
    SCADA system security, 255–257
    security discrepancy, 278
    transport layer attacks, 276
Threshold quality indicator, 60
Time, data migration, 63–64
Time-of-use (TOU) pricing, 87, 89
Time series data access (TSDA)
    application program interfaces, 13
    data exchange, 20
Timestamp information, 280
TinyOS, 284
TLS, see Transport layer security (TLS); Transport security layer (TLS)
Topology data, exchange, 17
TOU, see Time-of-use (TOU) pricing
TPDU, see Transport protocol data unit (TPDU)
Traffic lights attack, 248
Transmission
    link transmission procedures, 28
    standards, 28
    wireless recovery, 166–170
Transmission and distribution (T&D), 191
Transmission Control Protocol, see TCP protocol
Transport layer attacks, 276
Transport layer security (TLS)
    Distributed Network Protocol, 234
    secure communications, 40
    secure profiles, 43
    standards, 209, 212
Transport protocol data unit (TPDU), 43
Transport security layer (TLS), 217
Transport selectors (TSELs), 43
Trefke, Joern, xv, 3–51
Triple data encryption algorithm (3DES), 192
Trust, vulnerabilities and security requirements, 197–198
Trusted third party (TTP), 41
Trust management system development, 190
Trustworthy Cyber Infrastructure for the Power Grid (TCIPG), 177
TSDA, see Time series data access (TSDA)
TSEL, see Transport selectors (TSELs)

U

UCAIug, see Utility Communication Architecture International User Group (UCAIug)
UDP, see User Datagram Protocol (UDP)
UK, see Unique keys (UKs)
Unified Modeling Language (UML), 16, 19
Uniform resource identifier (URI), 35
Unique keys (UKs), 44
Universal Description, Discovery, and Integration (UDDI) standard, 35
Universal Software Radio Peripheral 2 (USRP2), 146–148


University of California-Riverside, 146
Unlicensed spectrum radio, 109
Unused TV bands, 145
URI, see Uniform resource identifier (URI)
U.S. Department of Homeland Security, 219
U.S. Energy Information Administration website, 247
Usage-dependent electricity price, 97
User Datagram Protocol (UDP), 276
Uslar, Mathias, xv, 3–51
USRP2, see Universal Software Radio Peripheral 2 (USRP2)
Utilimetrics, 117
Utility Communication Architecture International User Group (UCAIug), 273

V

Virginia Tech, 146
VM images, live migration
    data migration, 63–64
    network migration, 64–66
    overview, 62–63
Vulnerabilities
    AMI system security, 280–283
    management state of practice, 242
    scanning, 239
    validation, 239–240
Vulnerabilities and security requirements
    auditability, 196
    authentication, 196
    authorization, 196
    availability, 194–195
    integrity, 195–196
    nonrepudiability, 196–197
    overview, 192–193
    privacy, 193–194
    third-party protection, 197
    trust, 197–198
Vulnerability assessment, substation automation systems
    assessment technologies, 230–241
    control center, 231–232
    distributed network protocol, 233–234
    IEC 61850, 234–235
    network configuration/rule sets, 236–237
    network discovery, 238–239
    network protocol, 233–235
    network traffic review, 237–238
    overview, 227–231
    planning, 231–236
    postexecution, 240
    review techniques, 236–238
    state-of-practice review, 241–242
    substations, 232–233
    summary, 241
    system configuration review, 236
    target identification and analysis, 238–239
    target vulnerability validation, 239–240
    vulnerability scanning, 239

W

Wake-on-LAN (WOL) signals, 80
Wall Street Journal, 249
WAMS, see Wide-area measurement systems (WAMSs)
WAN, see Wide-area networks (WANs)
Wang, Yongge, xv, 245–264


Wang, Zhenyuan, xv, 101–135
WARP, see Wireless open-access research platform (WARP)
Waste management system attack, 248
WBX, see Wide bandwidth transceiver (WBX)
W3C, see World Wide Web Consortium (W3C)
Weather, 86–87
WebGate Classical Residential Meter Solutions, 109
Web Services Trust (WS-Trust), 200
WebSphere MQ 7.0, 131
Wide-area measurement systems (WAMSs), 230
Wide-area networks (WANs)
    app services, 39
    hierarchical communication network format, 107–108
    home-area network, 109
    smart grid system architecture, 271
    TASE.2, 37
Wideband interference, strong, 166–170
Wide bandwidth transceiver (WBX), 147
Wiener filtering, 97
Wi-Fi
    home-area network, 109
    spectrum monitoring, 158–159
WiMAX
    backhaul solutions, 190
    emerging technologies, 175
    home-area network, 109
Wireless local-area network (WLAN), 190
Wireless open-access research platform (WARP)
    hardware platforms, 149–150
    motherboards, 152
    Sora, 151
Wireless regional-area network (WRAN), 143
Wireless sensor network (WSN), 190
Wireshark, 237
WLAN, see Wireless local-area network (WLAN)
WOL, see Wake-on-LAN (WOL) signals
World Wide Web Consortium (W3C), 35
Worm attacks, 197–199, 250
Wormholes, 276
WSN, see Wireless sensor network (WSN)
WS-Trust, see Web Services Trust (WS-Trust)

X

Xiao, Yang, vii–viii, xi–xii
Xilinx, 148, 149, 151
XML, see eXtensible Markup Language (XML)

Y

Yang, Fang, xv, 101–135
Ye, Yanzhu, xv, 101–135
Yi, Peizhong, xvi, 85–98

Z

Zhou, Chi, xvi, 85–98
ZigBee protocol
    emerging technologies, 175
    smart grid, 81