Other Telecommunications Books from Auerbach
Ad Hoc Mobile Wireless Networks: Principles, Protocols, and Applications. Subir Kumar Sarkar, T.G. Basavaraju, and C. Puttamadappa. ISBN 978-1-4665-1446-1
Communication and Networking in Smart Grids. Yang Xiao (Editor). ISBN 978-1-4398-7873-6
Delay Tolerant Networks: Protocols and Applications. Athanasios V. Vasilakos, Yan Zhang, and Thrasyvoulos Spyropoulos. ISBN 978-1-4398-1108-5
Emerging Wireless Networks: Concepts, Techniques and Applications. Christian Makaya and Samuel Pierre (Editors). ISBN 978-1-4398-2135-0
Game Theory in Communication Networks: Cooperative Resolution of Interactive Networking Scenarios. Josephina Antoniou and Andreas Pitsillides. ISBN 978-1-4398-4808-1
Green Communications: Theoretical Fundamentals, Algorithms and Applications. Jinsong Wu, Sundeep Rangan, and Honggang Zhang. ISBN 978-1-4665-0107-2
Green Communications and Networking. F. Richard Yu, Xi Zhang, and Victor C.M. Leung (Editors). ISBN 978-1-4398-9913-7
Green Mobile Devices and Networks: Energy Optimization and Scavenging Techniques. Hrishikesh Venkataraman and Gabriel-Miro Muntean (Editors). ISBN 978-1-4398-5989-6
Handbook on Mobile Ad Hoc and Pervasive Communications. Laurence T. Yang, Xingang Liu, and Mieso K. Denko (Editors). ISBN 978-1-4398-4616-2
Intelligent Sensor Networks: The Integration of Sensor Networks, Signal Processing and Machine Learning. Fei Hu and Qi Hao (Editors). ISBN 978-1-4398-9281-7
IP Telephony Interconnection Reference: Challenges, Models, and Engineering. Mohamed Boucadair, Isabel Borges, Pedro Miguel Neves, and Olafur Pall Einarsson. ISBN 978-1-4398-5178-4
LTE-Advanced Air Interface Technology. Xincheng Zhang and Xiaojin Zhou. ISBN 978-1-4665-0152-2
Media Networks: Architectures, Applications, and Standards. Hassnaa Moustafa and Sherali Zeadally (Editors). ISBN 978-1-4398-7728-9
Multihomed Communication with SCTP (Stream Control Transmission Protocol). Victor C.M. Leung, Eduardo Parente Ribeiro, Alan Wagner, and Janardhan Iyengar. ISBN 978-1-4665-6698-9
Multimedia Communications and Networking. Mario Marques da Silva. ISBN 978-1-4398-7484-4
Near Field Communications Handbook. Syed A. Ahson and Mohammad Ilyas (Editors). ISBN 978-1-4200-8814-4
Next-Generation Batteries and Fuel Cells for Commercial, Military, and Space Applications. A. R. Jha. ISBN 978-1-4398-5066-4
Physical Principles of Wireless Communications, Second Edition. Victor L. Granatstein. ISBN 978-1-4398-7897-2
Security of Mobile Communications. Noureddine Boudriga. ISBN 978-0-8493-7941-3
Smart Grid Security: An End-to-End View of Security in the New Electrical Grid. Gilbert N. Sorebo and Michael C. Echols. ISBN 978-1-4398-5587-4
Transmission Techniques for 4G Systems. Mário Marques da Silva. ISBN 978-1-4665-1233-7
Transmission Techniques for Emergent Multicast and Broadcast Systems. Mário Marques da Silva, Americo Correia, Rui Dinis, Nuno Souto, and Joao Carlos Silva. ISBN 978-1-4398-1593-9
TV White Space Spectrum Technologies: Regulations, Standards, and Applications. Rashid Abdelhaleem Saeed and Stephen J. Shellhammer. ISBN 978-1-4398-4879-1
Wireless Sensor Networks: Current Status and Future Trends. Shafiullah Khan, Al-Sakib Khan Pathan, and Nabil Ali Alrajeh. ISBN 978-1-4665-0606-0
Wireless Sensor Networks: Principles and Practice. Fei Hu and Xiaojun Cao. ISBN 978-1-4200-9215-8
Auerbach Publications, www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 • E-mail: [email protected]
Security and Privacy in Smart Grids
Edited by Yang Xiao
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
Version Date: 20130611
International Standard Book Number-13: 978-1-4398-7783-8 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging‑in‑Publication Data
Security and privacy in smart grids / editor, Yang Xiao.
pages cm
“A CRC title, part of the Taylor & Francis imprint, a member of the Taylor & Francis Group, the academic division of T&F Informa plc.”
Includes bibliographical references and index.
ISBN 978-1-4398-7783-8 (hardcover : acid-free paper)
1. Smart power grids--Security measures. I. Xiao, Yang, 1966-
TK3105.S32 2013
621.3190285’58--dc23 2012048623
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Contents
Preface
Acknowledgment
About the Editor
Contributors
Part 1 Smart Grids in General
Chapter 1 An Overview of Recommendations for a Technical Smart Grid Infrastructure
Petra Beenken, Robert Bleiker, José González, Sebastian Rohjans, Michael Specht, Joern Trefke, and Mathias Uslar
Chapter 2 Smart Grid and Cloud Computing: Minimizing Power Consumption and Utility Expenditure in Data Centers
Sumit Kumar Bose, Michael Salsburg, Scott Brock, and Ronald Skeoch
Chapter 3 Distributed Opportunistic Scheduling for Building Load Control
Peizhong Yi, Xihua Dong, Abiodun Iwayemi, and Chi Zhou
Chapter 4 Advanced Metering Infrastructure and Its Integration with the Distribution Management System
Zhao Li, Fang Yang, Zhenyuan Wang, and Yanzhu Ye
Chapter 5 Cognitive Radio Network for the Smart Grid
Raghuram Ranganathan, Robert Qiu, Zhen Hu, Shujie Hou, Zhe Chen, Marbin Pazos-Revilla, and Nan Guo
Part 2 Security and Privacy in Smart Grids
Chapter 6 Requirements and Challenges of Cybersecurity for Smart Grid Communication Infrastructures
Rose Qingyang Hu and Yi Qian
Chapter 7 Regulations and Standards Relevant for Security of the Smart Grid
Steffen Fries and Hans-Joachim Hof
Chapter 8 Vulnerability Assessment for Substation Automation Systems
Adam Hahn, Manimaran Govindarasu, and Chen-Ching Liu
Chapter 9 Smart Grid, Automation, and SCADA System Security
Yongge Wang
Chapter 10 Smart Grid Security in the Last Mile
Tae Oh, Sumita Mishra, and Clark Hochgraf
List of Acronyms
Index
Preface
A smart grid is an integration of power delivery systems with communication networks and information technology (IT) to provide better services. Security and privacy will play significant roles in building future smart grids. The purpose of this edited book is to provide state-of-the-art approaches and novel technologies for security and privacy in smart grids covering a range of topics in these areas.
This book investigates fundamental aspects and applications of smart grids, security, and privacy. It presents a collection of recent advances in these areas contributed by many prominent researchers working on smart grids and related fields around the world. Containing 10 chapters divided into two parts (Part I: Smart Grids in General and Part II: Security and Privacy in Smart Grids), we believe this book will provide a good reference for researchers, practitioners, and students who are interested in the research, development, design, and implementation of smart grid security and privacy.
This work is made possible by the great efforts of our contributors and publisher. We are indebted to our contributors, who have sacrificed days and nights to put together these chapters for our readers. We would like to thank our publisher. Without their encouragement and quality work, we could not have this book.
Yang Xiao
Department of Computer Science
The University of Alabama
Tuscaloosa, Alabama
E-mail: [email protected]
Acknowledgment
This work was supported in part by the U.S. National Science Foundation (NSF) under grants CCF-0829827, CNS-0716211, CNS-0737325, and CNS-1059265.
About the Editor
Dr. Yang Xiao worked in industry as a MAC (Medium Access Control) architect involved in Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard enhancement work before he joined the Department of Computer Science at the University of Memphis in 2002. He is currently a professor in the Department of Computer Science at the University of Alabama. He was a voting member of IEEE 802.11 Working Group from 2001 to 2004. He is an IEEE Senior Member. Dr. Xiao serves as a panelist for the U.S. National Science Foundation (NSF), Canada Foundation for Innovation (CFI) Telecommunications Expert Committee, and the American Institute of Biological Sciences (AIBS), as well as a referee/reviewer for many national and international funding agencies. His research areas are security, communications/networks, robotics, and telemedicine. He has published more than 200 refereed journal articles and over 200 refereed conference papers and book chapters related to these research areas. Dr. Xiao’s research has been supported by the U.S. NSF, U.S. Army Research, the Global Environment for Network Innovations (GENI), Fleet Industrial Supply Center–San Diego (FISCSD), FIATECH, and the University of Alabama’s Research Grants Committee. He currently serves as editor in chief for the International Journal of Security and Networks (IJSN) and International Journal of Sensor Networks (IJSNet). He was the founding editor-in-chief for the International Journal of Telemedicine and Applications (IJTA) (2007–2009).
Contributors
Petra Beenken, OFFIS, R&D Division Energy, Oldenburg, Germany
Robert Bleiker, OFFIS, R&D Division Energy, Oldenburg, Germany
Sumit Kumar Bose, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany
Scott Brock, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany
Zhe Chen, Tennessee Technological University, Cookeville, Tennessee
Xihua Dong, Marvel Semiconductor Inc., Santa Clara, California
Steffen Fries, Siemens AG, Corporate Technology, Munich, Germany
José González, OFFIS, R&D Division Energy, Oldenburg, Germany
Manimaran Govindarasu, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
Nan Guo, Tennessee Technological University, Cookeville, Tennessee
Adam Hahn, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
Clark Hochgraf, Rochester Institute of Technology, Rochester, New York
Hans-Joachim Hof, Department of Computer Science and Mathematics, Munich University of Applied Sciences, Munich, Germany
Shujie Hou, Tennessee Technological University, Cookeville, Tennessee
Rose Qingyang Hu, Department of Electrical and Computer Engineering, Utah State University, Logan, Utah
Zhen Hu, Tennessee Technological University, Cookeville, Tennessee
Abiodun Iwayemi, Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois
Zhao Li, Industrial Software System Group, ABB US Corporation Research Center, Raleigh, North Carolina
Chen-Ching Liu, School of Electrical Engineering and Computer Science, Washington State University, Pullman, Washington, and School of Mechanical and Materials Engineering, University College Dublin, Dublin, Ireland
Sumita Mishra, Rochester Institute of Technology, Rochester, New York
Tae Oh, Rochester Institute of Technology, Rochester, New York
Yi Qian, Department of Computer and Electronics Engineering, University of Nebraska-Lincoln, Omaha, Nebraska
Robert Qiu, Tennessee Technological University, Cookeville, Tennessee
Marbin Pazos-Revilla, Tennessee Technological University, Cookeville, Tennessee
Raghuram Ranganathan, Tennessee Technological University, Cookeville, Tennessee
Sebastian Rohjans, OFFIS, R&D Division Energy, Oldenburg, Germany
Michael Salsburg, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany
Ronald Skeoch, Cloud Engineering, Global Technology Center, Unisys Corporation, Oldenburg, Germany
Michael Specht, OFFIS, R&D Division Energy, Oldenburg, Germany
Joern Trefke, OFFIS, R&D Division Energy, Oldenburg, Germany
Mathias Uslar, OFFIS, R&D Division Energy, Oldenburg, Germany
Yongge Wang, Department of Software and Information Systems, UNC Charlotte, Charlotte, North Carolina
Zhenyuan Wang, Grid Automation Group, ABB US Corporation Research Center, Raleigh, North Carolina
Fang Yang, Grid Automation Group, ABB US Corporation Research Center, Raleigh, North Carolina
Yanzhu Ye, Department of Electrical Engineering and Computer Science, University of Tennessee at Knoxville, Knoxville, Tennessee
Peizhong Yi, Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois
Chi Zhou, Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois
1 An Overview of Recommendations for a Technical Smart Grid Infrastructure
Petra Beenken, Robert Bleiker, José González, Sebastian Rohjans, Michael Specht, Joern Trefke, and Mathias Uslar
Contents
1.1 Introduction
1.2 IEC TC 57 Reference Architecture Overview
1.2.1 Introduction to Standardization
1.2.2 Main Structure of the Reference Architecture
1.2.3 Structure of the Current TC 57 Reference Architecture
1.2.4 Future Vision of a Seamless Integration
1.2.5 Integration of Business Partners and Applications
1.2.5.1 IEC 61970: Energy Management System Application Program Interface
1.2.5.2 IEC 61968: Application Integration at Electric Utilities—System Interfaces for Distribution Management
1.2.5.3 IEC 62325: Framework for Energy Market Communications
1.2.5.4 The IEC Common Information Model
1.2.5.5 Component Interface Specification
1.2.5.6 The Interface Reference Model
1.2.6 Integration of Energy Systems
1.2.6.1 Revenue Meters
1.2.6.2 IEDs, Relays, Meters, Switchgear, CTs, and VTs
1.2.6.3 DERs and Meters
1.2.6.4 Other Control Centers
1.2.7 Security and Data Management
1.2.7.1 Secure Communication via IEC 62351-3
1.2.7.2 Secure Profiles through IEC 62351-4
1.2.7.3 Authentication Technique of IEC 62351-5
1.2.7.4 PDU Security Extension of IEC 62351-6
1.2.7.5 Intrusion Detection with IEC 62351-7
1.3 Application of the SIA
1.4 Summary and Outlook
References
This chapter introduces the International Electrotechnical Commission Technical Committee (IEC TC) 57 Seamless Integration Architecture (SIA) as a reference architecture for smart grids. It comprises a set of standards that are on various levels essential and widely recommended for smart grid implementations in terms of technical interoperability. Issues like business integration, data definition, applications, field communication for information exchange on the equipment and system interfaces, security, and data management are considered. Each component of the architecture is discussed in detail. The SIA is not a step-by-step guide to building an information and communications technology (ICT) infrastructure in the energy domain; rather, it is a blueprint that focuses on IEC-specific standards. To use the SIA, it is necessary to integrate the architecture in the company workflow or build up an entirely new process. Thus, a methodology is introduced describing how to make the SIA applicable. Finally, further developments of the SIA are listed.
1.1 Introduction
Many national and international smart grid studies, recommendations, and roadmaps [1–4] have been published recently. Some of them differ in their definition of what the smart grid is and which aspects should be the focus, but all of them agree that standardization is crucial to achieve technical interoperability.
Several standards were identified by most of these studies as core standards (see the work of Rohjans et al. [5,6]). The following standards, which were all developed within the International Electrotechnical Commission Technical Committee (IEC TC) 57, can be regarded as the consensus on essential information technology (IT) standards for the smart grid.
• IEC 60870: Communication and Transport Protocols [7]
• IEC 61334: Distribution Automation [8]
• IEC 61400-25: Communication and Monitoring for Wind Power Plants [9]
• IEC 61850: Substation Automation Systems and DER [distributed energy resources] [10]
• IEC 61970/61968: Common Information Model (CIM) [11,12]
• IEC 62056: Electricity Metering [13]
• IEC 62325: Market Communications Using CIM [14]
• IEC 62351: Security for the Smart Grid [15]
• IEC 62357: TC 57 Seamless Integration Architecture [SIA] [16]
The TC 57 SIA has a special role as it provides a reference architecture to set the other TC 57 standards in relation to each other and to combine them. It also pursues the objective to identify inconsistencies between the other standards and to resolve them, thus making the whole framework seamless.
This chapter shows the essential standards to reach technical interoperability in a smart grid infrastructure.
1.2 IEC TC 57 Reference Architecture Overview
1.2.1 Introduction to Standardization
In the general scope of smart grids, one has to distinguish between different standardization bodies and other stakeholders for the technical infrastructure to be developed. For the technical infrastructure, most utilities try to adapt to multinational vendors and their corresponding product portfolio. Within this scope, things have changed in the last few years: whereas typical system committees in standardization had a narrow focus, joint working groups (WGs) have arisen to deal with the bigger picture. User groups have developed to cope with certain aspects like interoperability. The technical base of the smart grid infrastructure is now thoroughly standardized and provides, due to good interoperability checking and tests, many new possibilities for both utilities and vendors. In light of international standardization, within the different standardization bodies like ITU (International Telecommunication Union), ISO (International Organization for Standardization), and IEC, the SIA has been identified as the core aspect of future smart grid standardization. Various national road maps like the German, American, and Chinese focus on its aspects and core standards. Furthermore, it is likely to be part of the Korean and Japanese road maps as well. Realizing this, the SIA will be at the very heart of any future standardized smart grid architecture and project.
1.2.2 Main Structure of the Reference Architecture
The IEC Technical Report (TR) 62357 reference architecture [16] (Power System Control and Associated Communications—Reference Architecture for Object Models, Services, and Protocols) constitutes a framework for current TC 57 standards. It shows how the various standardization activities within the IEC TC 57 (Power Systems Management and Associated Information Exchange) interrelate and how they contribute to meet the TC’s objectives. The reference architecture shows how current standards fit in an overall architecture and provide a seamless integration across systems within the scope of the committee. Aiming to provide a seamless integration, the architecture is also often called the SIA (seamless integration architecture). TC 57 addresses business functions in the following domains, which together comprise the functional scope of the reference architecture:
• Supervisory control and data acquisition (SCADA) and network operation
• Energy management
• Distribution automation
• Customer inquiry
• Meter reading and control
• Substation protection, monitoring, and control
• Records and asset management
• Network expansion planning
• Operational planning and optimization
• Maintenance and construction
Within these domains, the focus of TC 57 is on more abstract data models and generic interfaces at higher levels in the architecture. This comprises an abstract information modeling perspective as well as technology mappings for implementation in all these given areas.
Besides classifying existing standards, the architecture identifies areas where harmonization between TC 57 standards is needed and how this could be achieved, in order to align and harmonize further standard developments. Ultimately, a future architecture to guide longer-term goals and activities is outlined in IEC TR 62357.
1.2.3 Structure of the Current TC 57 Reference Architecture
Figure 1.1 gives a visual overview of the TC 57 reference architecture as of 2010. The structure of the architecture can be broadly divided into three parts, which are represented by the dashed rectangles A to C in the figure. To structure the various standards and classify their contents, the architecture is partitioned into different layers and pillars (horizontally and vertically). The same shadings indicate the cohesion of standards throughout different layers; in particular, they constitute the pillars in the lower part of the framework. These defined boundaries finally depict the coverage of existing standards, allowing identification of harmonization needs. Layers in the first part (A) are mainly concerned with business integration, data definition, and applications, which can be characterized as higher-level abstractions. The first horizontal layer (1) covers standards for integration of different systems and applications (e.g., to business partners or market applications). This could be realized using commercial off-the-shelf middleware in a message-oriented way, as for example often applied in service-oriented architectures (SOAs), in conjunction with the corresponding intersystem/interapplication standards (CIM; eXtensible Markup Language [XML]; CIM Resource Description Framework [RDF]). Standards used on layers 2 and 3 consider the data concepts and interfaces for the focused applications (layer 4). These applications serve as central IT-driven elements for power systems control and operations. There are two aspects to consider for these applications: the upper integration using corresponding interfaces (application interfaces) and the lower integration (equipment and system interfaces). To allow for successful integration, the systems must be enabled to be supplied with operation-relevant data (e.g., from technical devices like substations) and further provide other IT systems and applications with important data. Currently, gathering data and controlling field devices require data and communication mappings between different standards due to a variety of access options and data formats. For these cases, abstractions to encapsulate access to the required technical information are offered by layer 5, namely, the SCADA front end.
Figure 1.1 Annotated overview of IEC TR 62357 Reference Architecture based on IEC 62357. CT = current transformer; DMS = distribution management system; MMS = manufacturing messaging specification; RTU = remote terminal unit; SIDMS = system interfaces for distribution management systems; TASE = telecommunication application service element 2; TCP/IP = Transmission Control Protocol/Internet Protocol; VT = voltage transformer; WAN = wide-area network; WG = Working Group. (Reprinted with permission from International Electrotechnical Commission. IEC 62357, 2nd edition: TC 57 Architecture—Part 1: Reference Architecture for TC 57—Draft, 2009. Geneva, Switzerland: IEC.)
Below this layer, the architecture is structured in four pillars containing mainly standards dealing with more technical field communication for information exchange on the equipment and system interfaces (part B). Each pillar addresses standards for different device categories: revenue meters; intelligent electronic devices (IEDs), relays, meters, switchgear, current transformers (CTs), voltage transformers (VTs); distributed energy resources (DER), meters; and other control centers.
The upper layers of this part (6) include standards containing object models for field devices and device components, specific communication service mappings, and protocol profiles. At this point, communication to exchange data usually takes place through wide-area networks (WANs) of geographically separated locations using standard protocol stacks like the ISO Open System Interconnection (OSI) model or the Internet Protocol stack using the Transmission Control Protocol/Internet Protocol (TCP/IP) and Ethernet. Standards for the different devices and systems to communicate with are finally depicted in layer 7.
Vertical layers on the left (C) indicate cross-cutting standards that especially focus on security and data management addressed by the IEC 62351 standards family. In these standards, each horizontal layer is addressed by individual parts to meet specific requirements. As these vertical layers span the whole framework, they can be considered a highly important factor for successful integration, and in the end, they contribute to secure systems operation.
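The layer 1 exchange of CIM XML / CIM RDF documents between systems, described above, is a point where a receiver should check what it is handed before applications consume it. The following is an added example, not code from the chapter or from the IEC standards: one way to validate an inbound CIM RDF/XML document. The CIM namespace URI, the accepted-class profile, and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
# Assumed CIM namespace (CIM16); use the one your exchange profile specifies.
CIM = "http://iec.ch/TC57/2013/CIM-schema-cim16#"
# Hypothetical interface profile: the only classes this receiver accepts.
ALLOWED_CLASSES = {"Substation", "VoltageLevel", "Breaker"}


def _doc(body):
    """Wrap constructed sample objects in an rdf:RDF envelope."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<rdf:RDF xmlns:rdf="{RDF}" xmlns:cim="{CIM}">{body}</rdf:RDF>')


# Constructed sample: substation -> voltage level -> breaker, all references resolve.
GOOD = _doc("""
  <cim:Substation rdf:ID="_SS1">
    <cim:IdentifiedObject.name>North</cim:IdentifiedObject.name>
  </cim:Substation>
  <cim:VoltageLevel rdf:ID="_VL1">
    <cim:VoltageLevel.Substation rdf:resource="#_SS1"/>
  </cim:VoltageLevel>
  <cim:Breaker rdf:ID="_BR1">
    <cim:Equipment.EquipmentContainer rdf:resource="#_VL1"/>
  </cim:Breaker>
""")

# Constructed sample: a breaker pointing at a missing container, plus a class
# that the profile above does not accept.
BAD = _doc("""
  <cim:Substation rdf:ID="_SS1"/>
  <cim:Breaker rdf:ID="_BR1">
    <cim:Equipment.EquipmentContainer rdf:resource="#_VL9"/>
  </cim:Breaker>
  <cim:RemoteControl rdf:ID="_RC1"/>
""")


def _split(tag):
    """Return (namespace, local name) for an ElementTree tag like '{ns}Name'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def validate_cim(text):
    """Return a list of findings; an empty list means the document is accepted."""
    # Refuse DTDs outright: an exchange document has no need for entities.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["DTD or entity declaration present; document refused"]
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{RDF}}}RDF":
        return ["root element is not rdf:RDF"]

    findings, objects, refs = [], {}, []
    for obj in root:
        ns, cls = _split(obj.tag)
        if ns != CIM or cls not in ALLOWED_CLASSES:
            findings.append(f"class not in profile: {cls}")
            continue
        oid = obj.get(f"{{{RDF}}}ID")
        if oid is None:
            findings.append(f"{cls} without rdf:ID")
            continue
        if oid in objects:
            findings.append(f"duplicate rdf:ID: {oid}")
        objects[oid] = cls
        # Collect every association (rdf:resource) for a second pass.
        for prop in obj:
            target = prop.get(f"{{{RDF}}}resource")
            if target is not None:
                refs.append((oid, _split(prop.tag)[1], target))

    # Second pass: every association must point at an object in this document.
    for oid, prop, target in refs:
        if not target.startswith("#") or target[1:] not in objects:
            findings.append(f"dangling reference: {oid} {prop} -> {target}")
    return findings


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_cim(doc))
```

The check treats references as local to one document; a profile that allows references into a previously exchanged base model would need that model's identifiers added to the lookup.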
1.2.4 Future Vision of a Seamless Integration
Based on the findings from reviewing the current reference architecture, the need for a long-term architecture vision was determined, going further than just harmonization between different standards. As a start, the committee agreed on 16 architectural principles, for instance, about the focus of the ongoing work, harmonization efforts for existing standards, and the definition of criteria to ensure a system’s compliance to the reference architecture. Starting with these principles, a strategy adopting the CIM and other abstract information models as the source of the semantics as basis for future standards development is presented. This may lead to reduced execution times and can potentially avoid information loss due to the mapping of different language concepts on different layers, which can finally ease integration.
In the following sections, a closer look at the standards and the different aspects, aligned with the different parts of the current reference architecture, is provided. These sections are “Integration of Business Partners and Applications” (Section 1.2.5), “Integration of Energy Systems” (Section 1.2.6), and “Security and Data Management” (Section 1.2.7).
1.2.5 Integration of Business Partners and Applications
The top part of the SIA as illustrated in Figure 1.2 addresses the integration of business partners, Business to Business (B2B), and applications, Application to Application (A2A). Key elements of this part are therefore market participants like utility customers, utility service providers, or other business participants and IT applications within utility companies like SCADA or EMS (energy management systems).
Figure 1.2 Top part of the SIA.
The top part of the SIA can be divided into five layers: market communication (1), core data model (2), integration of applications (3), applications (4), and equipment and system interface (5). Layers 1–5 are described next:
• Layer 1 covers the integration of market participants and their IT systems based on the IEC CIM and its serialization in different formats like XML or RDF. In addition, the IEC 62325 series describes the use of the CIM for market communications between business partners. Communication is described independent of technology but relying on interapplication messaging as provided by commercial off-the-shelf middleware.
• Layer 2 provides the IEC 61970-301 and 61968-11 standards, which describe the CIM data model. The CIM is the core data model within the SIA for usage within data exchange addressing both types of integration, B2B and A2A. The CIM is a data model for abstract and physical objects in the electricity domain. As requirements change and each utility is different, custom extensions of the CIM might be necessary (CIM extensions). In particular, these extensions will become necessary when dealing with data not strictly belonging to the electricity domain (bridges to other domains).
• Layer 3 focuses on integration of transmission and distribution IT applications. On the one hand, IEC 61970-401 provides application interfaces for EMSs. On the other hand, the IEC 61968 standards series describes an enterprise application integration (EAI) framework for exchanging data between distribution management systems (DMSs). In the course of new technologies, technology mappings might be necessary.
• Layer 4 shows various transmission and distribution IT components of a utility application landscape. This includes the following systems:
  • SCADA: real-time system that supports the control room operation, including data acquisition and supervisory control using remote terminal units (RTUs) in the substations.[11]
  • EMS: computer system providing basic services and a set of applications to support the effective operation of electrical generation and transmission facilities.[17] Within this, monitor and control functionality is provided by SCADA systems.
  • DMS: several distributed application components supporting the management of electrical distribution networks.[11] These components provide capabilities like monitoring and control of equipment for power delivery, management processes to ensure system reliability, voltage management, demand-side management, outage management, and work management.
  • Market operations applications: dealing with data exchange between market participants, supporting processes like customer switching or meter data exchange.
  • Engineering and maintenance applications: supporting processes like network maintenance and extension planning.
  • External IT applications: applications that are not strictly utility systems like customer resource management systems.[16]
• Layer 5 addresses the integration of IT systems of layer 4 and external systems and technical devices in the field. Therefore, this layer describes an equipment and system interface to acquire data or control devices. Applications listed in layer 4 act as clients that connect to remote servers in the field, whereas the connection can be established through various communication networks and technologies. Layer 5 is the last layer of the top part of the SIA and connects the top part of the SIA with the lower part (see the dashed rectangles A and B in Figure 1.1).
Standards listed in this part of the SIA are all developed within WGs of IEC TC 57, Power Systems Management and Associated Information Exchange.
In the following, the core standards series of the upper part of the SIA (IEC 61970, IEC 61968, and IEC 62325) as well as their essential contributions, the IEC CIM, the Component Interface Specification (CIS), and the IEC Interface Reference Model (IRM), are introduced.
1.2.5.1 IEC 61970: Energy Management System Application Program Interface
The IEC 61970 standards series defines application program interfaces (APIs) for EMS to support the integration of applications developed by different suppliers in the control center environment and the exchange of information to systems external to the control center environment.[12] An overview of the EMS APIs is provided in Figure 1.3.
The following parts of IEC 61970 are currently available:[18]
• IEC 61970-1 Ed. 1.0: Guidelines and General Requirements
• IEC/TS 61970-2 Ed. 1.0: Glossary
• IEC 61970-301 Ed. 2.0: Common Information Model (CIM) Base
• IEC/TS 61970-401 Ed. 1.0: Component Interface Specification (CIS) Framework
• IEC 61970-402 Ed. 1.0: Common Services
• IEC 61970-403 Ed. 1.0: Generic Data Access
• IEC 61970-404 Ed. 1.0: High Speed Data Access (HSDA)
• IEC 61970-405 Ed. 1.0: Generic Eventing and Subscription (GES)
• IEC 61970-407 Ed. 1.0: Time Series Data Access (TSDA)
• IEC 61970-453 Ed. 1.0: CIM Based Graphics Exchange
• IEC 61970-501 Ed. 1.0: Common Information Model Resource Description Framework (CIM RDF) Schema
Figure 1.3 Overview of the EMS-API. PC, personal computer. (Reprinted with permission from International Electrotechnical Commission. 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements, 2007. Geneva, Switzerland: IEC.) [Diagram labels: SCADA network, legacy SCADA system, legacy wrapper, topology processor, network applications, load management, accounting/settlement, generation control, alarm processor, distribution management systems, TASE.2, TASE.2 network, user PCs, CIM server; programs, public data, component interface; component execution system and component adapters (e.g., integration bus).]
The IEC TC 57 WG 13 EMS API is in charge of the development of the IEC 61970 series. The IEC 61970 series, in particular the CIM, is unanimously recommended for smart grid architectures.
1.2.5.2 IEC 61968: Application Integration at Electric Utilities—System Interfaces for Distribution Management
The IEC 61968 standards series aims at facilitating the interapplication integration of the various distributed software application systems supporting the management of utility's electrical distribution networks.[11] In contrast to the general understanding of interapplication integration, focusing on programs in the same application system, the IEC 61968 series aims at integrating disparate loosely coupled applications within utility enterprises that are already built or new (legacy or purchased applications). Here, connections between applications are established via middleware services that broker messages. IEC 61968 has the following parts:[18]
• IEC 61968-1 Ed. 1.0: Interface Architecture and General Requirements
• IEC/TS 61968-2 Ed. 1.0: Glossary
• IEC 61968-3 Ed. 1.0: Interface for Network Operations
• IEC 61968-4 Ed. 1.0: Interfaces for Records and Asset Management
• IEC 61968-9 Ed. 1.0: Interfaces for Meter Reading and Control
• IEC 61968-11 Ed. 1.0: Common Information Model (CIM) Extensions for Distribution
• IEC 61968-13 Ed. 1.0: CIM RDF Model Exchange Format for Distribution
IEC TC 57 WG 14: System Interfaces for Distribution Management (SIDM) is responsible for the development of the IEC 61968 series.
1.2.5.3 IEC 62325: Framework for Energy Market Communications
The IEC 62325 aims at describing the use of the CIM for market communications between business partners. The term market communications refers to data exchange between market participants like energy suppliers or distribution system operators along the electricity value chain. Here, WG 16 of the IEC TC 57 develops a framework for communications in a deregulated electricity market. The IEC 62325 consists of the following parts:[18]
• IEC/TR 62325-101 Ed. 1.0: General Guidelines
• IEC/TR 62325-102 Ed. 1.0: Energy Market Model Example
• IEC/TR 62325-501 Ed. 1.0: General Guidelines for Use of Electronic Business Using XML (ebXML)
• IEC/TS 62325-502 Ed. 1.0: Profile of ebXML
The IEC 62325 series is being developed by the IEC TC 57 WG 16 (Deregulated Energy Market Communications). In contrast to the IEC 61968 and 61970 standards series, this series still contains many parts that are still the subject of future work (see IEC 62325-101).[14]
As communication between market participants in the electricity domain is subject to national regulation, application of these standards requires analysis of current national regulations, laws, and guidelines. National guidelines may force the application of specific data formats and protocols not considered within IEC 62325. In Germany, for instance, the Electronic Data Interchange for Administration, Commerce, and Transport (EDIFACT) format is currently required for data exchange between market participants for processes like customer switching.
1.2.5.4 The IEC Common Information Model
The IEC CIM is a very large abstract data model describing abstract (like documents) as well as physical (like power transformer) objects of the energy domain. It was originally created to solve the problem of vendor lock-in by EMS.[19] Many aspects of the power system of concern to TC 57 are modeled only using the CIM, like generation equipment or energy schedules.[16] However, other parts are modeled in both the CIM and in the IEC 61850 standards developed by WG 10 (e.g., substation equipment, including transformers, switches, or breakers).[16]
The idea of the CIM was to provide a common information model that should support the exchange of information between different EMS components and thus enable the interconnection of applications from different vendors. The CIM was originally developed within several projects sponsored by the Electric Power Research Institute (EPRI). Over time, the CIM was extended to fit the needs of distribution management; at the moment, WG 16 is extending the CIM for use within market communication. Currently, TC 57 WG 13, WG 14, WG 16, and WG 19 are involved in the development of the CIM.[20] Furthermore, many members of the WGs joined the work of the CIM Users Group (CIMug; http://cimug.ucaiug.org).
The formal definition of the CIM is done using the Unified Modeling Language (UML); an overview is depicted in Figure 1.4. The model includes public classes and attributes describing (real and abstract) objects of the energy domain as well as relationships between them. It is currently maintained in the Sparx Systems Enterprise Architect. For better maintenance, the various classes are grouped in corresponding packages, and the different WGs focus on different packages and describe them in different parts of the standards series, basically IEC 61968-11 and 61970-301.
Whereas the standards documents related to the CIM are developed within the IEC, the electronic UML model is hosted at the CIMug site. Therefore, CIMug members have access to the model without the need to participate in the IEC standardization process.
Figure 1.4 Overview of the IEC CIM. [UML package diagram, class Main; packages shown: Load Model, Equivalents, Wires, Generation, Generation Dynamics (from Generation), Production (from Generation), Contingency, Meas, SCADA, Topology, Operational Limits, Core, Domain, Outage, Protection, Control Area; IEC 61970 CIM Version: date 2009-12-29, version IEC61970CIM15v01.]
It is difficult and often not necessary to use the whole model within a project or company. To make the use of the CIM more applicable, profiles of the CIM that only include essential classes and associations of the CIM are used. On the one hand, single companies use intracorporate profiles; on the other hand, large profiles exist that are partly standardized and widespread within the utility domain:
• CPSM: The Common Power System Model (CPSM) is used in the United States for the exchange of transmission system models.[21]
• CDPSM: The Common Distribution Power System Model (CDPSM) is used in Europe for the exchange of distribution power system models.[22]
• ENTSO-E: The European Network of Transmission System Operators for Electricity (ENTSO-E; http://www.entsoe.eu/) profile is used in Europe for the exchange of transmission system models.
• ERCOT: The Electric Reliability Council of Texas (ERCOT; http://www.ercot.com/) profile is an intracorporate data model.
The main application scenarios for the CIM are as follows:[23]
• Exchange of topology data: supporting the exchange of power system models between systems through CIM profiles for transmission (CPSM) and distribution (CDPSM) networks. In addition, a corresponding serialization of these profiles for XML and RDF is defined in the standard series IEC 61968 (distribution) and IEC 61970 (transmission). This enables standards-based exchange of static and dynamic data as well as the current state of electrical networks.
• Coupling of applications: Using standard-based interfaces as described in the standard documents IEC 61968 Part 3-9 and IEC 61970-4xx. Here, the CIM provides the semantics for the underlying data of the specified interfaces. This supports integration of applications of different vendors within application landscapes in utilities.
• XML-based message exchange with CIM semantics: can be used to build personal XML schemas to enable standards-based message exchange between applications. As with coupling of applications, the CIM provides a standardized semantics for coupling applications of different vendors. A tool for developing such schemas is available, for example through Langdale Consultants (http://www.cimtool.org).
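The CIM profiles and the XML/RDF serialization described above suggest a check that a receiving application can run before it trusts an incoming model exchange. The following is an added example, not code from the book, the IEC, or the CIMug: the profile contents, the CIM namespace URI, and the sample document are constructed assumptions.

```python
import xml.parsers.expat

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
# Assumption: namespace URI of the CIM release used by the sending system.
CIM_NS = "http://iec.ch/TC57/2009/CIM-schema-cim14#"

# Hypothetical intracorporate profile: classes and, per class, the
# attributes and associations that a message is allowed to carry.
PROFILE = {
    "Substation": {"IdentifiedObject.name"},
    "VoltageLevel": {"IdentifiedObject.name", "VoltageLevel.Substation"},
    "Breaker": {"IdentifiedObject.name", "Switch.normalOpen",
                "Equipment.EquipmentContainer"},
}

# Constructed sample: one out-of-profile class and one dangling reference.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:cim="http://iec.ch/TC57/2009/CIM-schema-cim14#">
  <cim:Substation rdf:ID="_SS1"/>
  <cim:VoltageLevel rdf:ID="_VL1">
    <cim:VoltageLevel.Substation rdf:resource="#_SS1"/>
  </cim:VoltageLevel>
  <cim:Breaker rdf:ID="_BR1">
    <cim:Switch.normalOpen>false</cim:Switch.normalOpen>
    <cim:Equipment.EquipmentContainer rdf:resource="#_VL9"/>
  </cim:Breaker>
  <cim:SynchronousMachine rdf:ID="_G1"/>
</rdf:RDF>"""

class RejectedDocument(ValueError):
    """The whole document is refused rather than reported on."""

def check_cim_rdf(data, profile=PROFILE, max_objects=10_000):
    """Return (objects, findings) for a CIM RDF/XML document given as bytes."""
    objects, findings, refs, stack = {}, [], [], []
    cur = {"obj": None, "prop": None, "ref": None, "text": []}

    def no_doctype(*_args):
        # No DTD means no entity declarations, hence no entity expansion.
        raise RejectedDocument("DOCTYPE is not allowed in a CIM message")

    def start(name, attrs):
        ns, _, local = name.rpartition(" ")
        depth = len(stack)
        stack.append(local)
        if depth == 0:
            if (ns, local) != (RDF_NS, "RDF"):
                raise RejectedDocument("root element is not rdf:RDF")
        elif depth == 1:  # one element per CIM object
            cur["obj"] = None
            oid = attrs.get(RDF_NS + " ID", "")
            if ns != CIM_NS or local not in profile:
                findings.append(("class-not-in-profile", oid, local))
            elif not oid or oid in objects:
                findings.append(("missing-or-duplicate-id", oid, local))
            elif len(objects) >= max_objects:
                raise RejectedDocument("more objects than max_objects")
            else:
                objects[oid] = {"class": local, "props": {}}
                cur["obj"] = oid
        elif depth == 2:  # attribute or association of that object
            cur["prop"] = None
            oid = cur["obj"]
            if oid is None:
                return  # child of an object that was already refused
            if ns != CIM_NS or local not in profile[objects[oid]["class"]]:
                findings.append(("property-not-in-profile", oid, local))
                return
            cur.update(prop=local, ref=attrs.get(RDF_NS + " resource"), text=[])
            if cur["ref"] is not None:
                refs.append((oid, local, cur["ref"].lstrip("#")))
        else:
            raise RejectedDocument("nesting deeper than class/property")

    def end(_name):
        stack.pop()
        if len(stack) == 2 and cur["prop"] is not None:
            value = cur["ref"] or "".join(cur["text"]).strip()
            objects[cur["obj"]]["props"][cur["prop"]] = value
            cur["prop"] = None

    def chars(text):
        if cur["prop"] is not None:
            cur["text"].append(text)

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler, parser.CharacterDataHandler = no_doctype, chars
    parser.StartElementHandler, parser.EndElementHandler = start, end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedDocument(f"not well-formed: {exc}") from exc
    # Associations must point at objects accepted from this same document.
    for oid, prop, target in refs:
        if target not in objects:
            findings.append(("dangling-reference", oid, f"{prop} -> {target}"))
    return objects, findings
```

Calling `check_cim_rdf(SAMPLE)` accepts the three in-profile objects and reports the out-of-profile `SynchronousMachine` and the breaker's reference to a container that is not in the document.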
In the following, some characteristics of the CIM are summarized:[16]
• The CIM is hierarchical: common classes inherit common attributes to subclasses.
• The CIM is normalized: all attributes are unique and belong to only one class. The use of attributes within other classes is done by defining relationships between these classes. Relationships supported include generalization, association, and aggregation.
• The CIM addresses the static (or structural) model view: in the CIM, physical objects may be represented by several interrelated classes. The objects one application may want to access are not grouped in a single class. Therefore, the model is not appropriate for adding dynamics in the form of operations or methods to the actual class definitions.
• The CIM is modeled in UML: The entire CIM is provided as a UML model file.
• The CIM UML model is the basis for the standards: The corresponding IEC standards documents are autogenerated using the electronic UML model.
• The CIM has a representation in XML: see the described CIM application scenarios, like exchange of topology data using CPSM and CDPSM or XML-based message exchange.
• The CIM is in use in many production systems: for example, in the United States the use of the CIM for data exchange is prescribed in several states. In Europe, the CIM is used for the exchange of transmission system models by European transmission system operators organized in the ENTSO-E.
• The CIM is meant to contain classes and attributes that will be exchanged over public interfaces between major applications.
The maintenance process is continuously improving the model using the UML format. Once a year, a new release is published; the current release is version 15. Proposals for the extension or amendment of the CIM are done via the CIMug site. Here, CIMug members can enter modeling issues that will be discussed later in modeling team meetings and may finally lead to changes of the CIM.
1.2.5.5 Component Interface Specification
The IEC 61970-4xx standards documents basically provide CIS and Generic Interface Definitions (GIDs) that define interfaces and APIs for a standards-based integration of applications or components of EMS. The purpose of the CIS is to specify the interfaces that an application or system should use to facilitate message-based integration with other independently developed applications or systems.[16] On the one hand, the CIS specifies the information content of the messages; on the other hand, it defines what services should be used to convey the messages. This way, a clear definition of what and how information is available for processing and expected by receiving applications is provided. Furthermore, the CIS enables a single adapter to be built for a given infrastructure technology independent of who developed the other systems.
Since multiple application categories require many component interface services, the service definitions are specified as generic services independent of the particular application that uses them.[16] The GID is the collection of these generic services. Due to the many generic services the IEC 61970-4xx standards series comprises, the following subparts consider the various types of data exchange:[16, 23]
• IEC 61970-401 CIS framework: describes scope and vision of the CIS.
• IEC 61970-402 CIS—common services: describes common services that serve as basis for the GID. Here, the CIM semantic is used for data definitions in interfaces.
• IEC 61970-403 CIS—generic data access: defines interfaces that can be used to read and write real-time data. These interfaces provide a request/reply-oriented service for access of complex data structures.
• IEC 61970-404 HSDA: describes interfaces that can be used for high-performance access of simple data structures.
• IEC 61970-405 GES: defines interfaces that can be used to monitor events and alarms based on publish and subscribe methods.
• IEC 61970-407 TSDA: describes interfaces that can be used to access aggregated historical data.
Currently, the replacement of the aforementioned IEC 61970-403 and -407 standards is planned by the IEC. Instead of these standards, the corresponding standards of the OPC Unified Architecture (UA) shall be used in the future.
Implementing a specific type of application requires defining what object classes and attributes are exchanged as well as what interface is used.[16] These object classes and attributes typically consist of subsets or views of the CIM object classes. In conclusion, the CIM data model defines "which" data can be exchanged; the CIS and GID specify "how" these data can be exchanged.[20]
In addition, following the Open Management Group (OMG) Model Driven Architecture (MDA) approach,[24] descriptions based on the concepts of the platform-independent model* (PIM) and the platform-specific model† (PSM) are provided. First, the Part 4xx series of the 61970 standards provides the PIM component models of the CIS, defining interfaces in terms of events, methods, and properties independent of the underlying infrastructure.[16] Second, the Part 5xx series of the 61970 standards defines the technology mappings to technologies such as C++, Java, Web services, and XML.[16]
* A platform-independent model is a view of a system from the platform-independent viewpoint.[24]
† A platform-specific model is a view of a system from the platform-specific viewpoint.[24]
1.2.5.6 The Interface Reference Model
The IRM illustrated in Figure 1.5 and described in the IEC 61968-1 standard, Interface Architecture and General Recommendations,[11] defines interfaces for the major components of a DMS. The purpose of the IRM and the individual system interfaces defined therein is to provide a framework for a series of message payload standards based on the CIM. These message payload standards are the subject of the IEC 61968-3 to -9 standards.[16] The IRM aims at supporting interoperability between these components independent of systems, platforms, and languages.
Within the IEC 61968-3 to -9 standards, the use of XML for the exchange of information between the various systems is specified.[16] Here, several use cases are provided that define the data content of message payloads between these various systems. Furthermore, XML schemas are used to define the structure and format for each message payload. The message payloads defined here are intended to be leveraged by both service-oriented architectures (SOAs) and enterprise service buses (ESBs). In the future, it is possible that payload formats other than XML could also be adopted.[16] The IRM illustrates seven domains supporting core business functions of distribution management. Each domain contains several abstract components and shows the relevant IEC 61968 part (-3 to -9) where interface definitions for these components are described. In addition, components external but related to DMS are grouped in their own domain external to DMS (EXT). All components are integrated through a CIM-based, message-oriented middleware (MoM)—the application integration infrastructure. The application integration infrastructure acts here as an enabler for XML-based message exchange with CIM semantics as described in Section 1.2.5.4.
Figure 1.5 Overview of the IEC 61968 IRM. (Reprinted with permission from International Electrotechnical Commission (IEC). 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements (Draft) (2010). Geneva, Switzerland: IEC.) [Diagram domains: Network Operations (NO) – IEC 61968-3; Records & Asset Management (AM) – IEC 61968-4; Operational Planning & Optimisation (OP) – IEC 61968-5; Maintenance and Construction (MC) – IEC 61968-6; Network Extension Planning (NE) – IEC 61968-7; Customer Support (CS) – IEC 61968-8; Meter Reading & Control (MR) – IEC 61968-9; External to DMS (EXT); each with its business subfunctions, all connected to the Application Integration Infrastructure.]
Figure 1.5 shows only the top-level business functions and business subfunctions of the IRM. A detailed, table-based description, containing the following elements, is provided in the IEC 61968-1 standard:[25]
• Business functions: like network operations or records and asset management; see Figure 1.5.
• Business subfunctions: like network operations monitoring or substation and network inventory; see Figure 1.5.
• Abstract components: are grouped by business subfunctions and define abstract logical components like SCADA simulation or substation state supervision. It is expected that concrete physical applications of vendors will provide the functionality of one or more abstract components.[11]
After having explained the upper business integration part of the SIA in this section, the following section is about the integration of energy systems that deals with the connection to information exchange on the equipment and system interfaces.
1.2.6 Integration of Energy Systems
The lower part (part B in Figure 1.1) of the SIA, shown in Figure 1.6, can be divided into four layered pillars. The basement of each pillar is a group of different field devices (revenue meters, Section 1.2.6.1; IEDs, relays, meters, switchgear, CT, and VT in Section 1.2.6.2; DER and meter, see Section 1.2.6.3; other control centers, Section 1.2.6.4). The next layer (7) describes external communication systems for the field devices, which are connected to the following layers, including protocol profiles, specific communication service mappings, and field object models. The top of the pillars (6) is linked to the SCADA front-end layer of the SIA.
Figure 1.6 Lower part of the SIA. [Diagram labels: layers 6 and 7; field object models, specific communication service mappings, protocol profiles, external systems (symmetric client/server protocols); telecontrol communications media and services, WAN communications media and services; field devices: revenue meters; IEDs, relays, meters, switchgear, CTs, VTs; DERs, meters; other control centers; standards: TC13 WG14 meter standards, 61334 DLMS, 60870-5 101 & 104, 60870-5 RTUs or substation systems, 61850 substation devices, 61850 devices beyond the substation, field devices and systems using Web services, 61850-7-3, 7-4 object models, 61850-7-2 ACSI, 61850-8-1 mapping to MMS, mapping to Web services, existing object models, 61850-6 engineering, 60870-6 TASE.2, 60870-6-802 object models, 60870-6-503 app services, 60870-6-702 protocols, communication industry standard protocol stacks (ISO/TCP/IP/Ethernet).]
1.2.6.1 Revenue Meters
The first pillar (see Figure 1.7) includes the communication of revenue meters, which is based on standards from the IEC TC 13 WG 14. Among others, the standard series IEC 61334 is mentioned. Revenue meters include the various types of smart meters for residential, commercial, and industrial billing.
1.2.6.1.1 TC 13 WG 14
The IEC TC 13 WG 14 name is Data Exchange for Meter Reading, Tariff and Load Control. Its task is to establish standards, by reference to ISO/OSI standards, necessary for data exchanges by different communication media, for automatic meter reading, tariff and load control, and consumer information. Thereby, the media can be distribution line carrier (DLC), telephone (including Integrated Services Digital Network [ISDN]), radio, or other electrical or optical system, and they may be used for local or remote data exchange. Furthermore, they are acting in category D liaison with the DLMS (Distribution Line Message Specification) User Association (UA; http://www.dlms.com/index2.php).
Figure 1.7 Pillar for revenue meters. [Diagram labels: TC13 WG14 meter standards, TC13 WG14, 61334 DLMS, revenue meters.]
The TC 13 Strategic Business Plan (http://www.iec.ch/cgi-bin/getfile.pl/sbp_13.pdf?dir=sbp&format=pdf&type=&file=13.pdf) from 2009 specifies future activities of the WG 14. One main objective is to focus on the extension of the IEC 62056 to support smart metering, which includes the extension of the COSEM data model. The model has to deal with new functions, and new DLMS-based messaging methods as well as communication profiles have to be added. Furthermore, standards from other TCs shall be used whenever it is appropriate, and close cooperation with the DLMS UA and industry consortia is planned.
1.2.6.1.2 TC 13 WG 14 Meter Standards
The TC 13 WG 14 mainly deals with the development of the metering standards IEC 62056 and IEC 62051, which are presented in the following:
• IEC 62056: IEC 62056, Electricity Metering—Data Exchange for Meter Reading, Tariff, and Load Control, consists of several substandards dealing with DLMS and COSEM. The following six parts comprise the main specifications:[18]
  • IEC 62056-21 Ed. 1.0: Direct Local Data Exchange
  • IEC 62056-42 Ed. 1.0: Physical Layer Services and Procedures for Connection-Oriented Asynchronous Data Exchange
  • IEC 62056-46 Ed. 1.1: Data Link Layer Using HDLC [high-level data link control] Protocol
  • IEC 62056-53 Ed. 2.0: COSEM Application Layer
  • IEC 62056-61 Ed. 2.0: Object Identification System (OBIS)
  • IEC 62056-62 Ed. 2.0: Interface Classes
  In part 21,[13] an alternate protocol stack is defined that is based on ASCII. Mode E is introduced as a new mode enabling negotiations to a switchover to COSEM/HDLC—defined in parts 46 [26] and 53 [27]—for clients. As a result of the switchover, following communications will be based on the COSEM/HDLC protocol stack. HDLC defines a standard data link layer, ensuring a reliable transport of COSEM data packages in a client-server architecture. Thereby, the layer performs functions like low-level addressing, data integrity checks, data sequencing, and segmentation as well as assimilation, link-level handshaking, and data flow control. COSEM specifies a protocol for application layers that covers basic functionalities like set, get, and action operations within the meters. Beyond these basic functions, COSEM also allows handling of access rights and client-server connections, abstracting meter data from/to COSEM class instances, framing data into COSEM packages, and high-level segmentation of data into blocks.
  Physical layer services needed for the data communication are specified in part 42.[28] Part 61 [29] includes the OBIS, which defines a standard list of meter data object identifiers. Those identifiers are defined as six-character codes for each object, and they are maintained by the DLMS UA. Part 62,[30] as the last main part of the series, considers standard interface classes. They can be used to represent all possible meter data, which are abstracted into high-level objects. Finally, the protocol stacks can operate on the high-level objects.
  In addition, the standard series includes the following parts:[18]
  • IEC 62056-31 Ed. 1.0: Use of Local Area Networks (LANs) on Twisted Pair with Carrier Signaling
  • IEC/TS 62056-41 Ed. 1.0: Data Exchange Using Wide Area Networks: Public Switched Telephone Network (PSTN) with LINK+ Protocol
  • IEC 62056-47 Ed. 1.0: COSEM Transport Layers for IPv4 [Internet Protocol version 4] Networks
  • IEC/TS 62056-51 Ed. 1.0: Application Layer Protocols
  • IEC/TS 62056-52 Ed. 1.0: Communication Protocols Management Distribution Line Message Specification (DLMS) Server
• IEC/TR 62051: The second standard series maintained by WG 14 is IEC 62051 [31] Electricity Metering—Data Exchange for Meter Reading, Tariff, and Load Control, which is a relatively short series. It provides definitions of specific terms used for drafting standards within the context of electrical measurement, tariff, and load control as well as customer/utility information exchange systems. The set of provided definitions is completed by those terms already dealt with in IEC 60050 (http://www.electropedia.org/). The defined terms could also be used for upcoming standards coping with electricity prepayment systems and the dependability of electricity metering equipment.
  • IEC/TR 62051 Ed. 1.0: Glossary of Terms
  • IEC/TR 62051-1 Ed. 1.0: Terms Related to Data Exchange with Metering Equipment Using DLMS/COSEM
1.2.6.1.3 IEC 61334 DLMS
The TC 57 WG 9 develops the standard series IEC 61334, Distribution Automation Using Distribution Line Carrier Systems. Those standards are mainly focusing on protocols used to enable the communication from the distribution control center to distribution automation field devices using the distribution grid. The application area of the standards series contains the communication by carrier systems on the middle-voltage layer as well as on the low-voltage layer. Thereby, the DLC systems enable a bidirectional communication for various devices and functions like control centers, data concentrators, load management, or street lights.
Based on a client-server architecture, the substandard IEC 61334-4-1,[32] which is also known as the DLMS, defines a reference architecture and provides an abstract and object-oriented server model. The server model explicitly takes limited hardware resources and the low bandwidth of distribution equipment into consideration. Abstract Syntax Notation One (ASN.1) is used to describe the protocol data units (PDUs) of the application protocol of the model. IEC 61334-6 [33] adds efficient coding possibilities to this description. The substandards IEC 61334-5-1 to -5-5 [34–38] define different physical and Media Access Control layers with different modulation technologies that are applicable for both low- and medium-voltage grids. IEC 61334-4-511 [39] and -4-512 [40] define a management framework and techniques that are especially aligned to IEC 61334-5-1. IEC 61334-3-21 [41] and -3-22 [42] define requirements to feed DLC signals into middle-voltage lines without violating security issues.
currently,thestandardseriesincludesthefollowingparts:18
• IEC/ TR 61334-1-1 Ed. 1.0: General Considerations—Distribution Automation System Architecture
• IEC/ TR 61334-1-2 Ed. 1.0: General Considerations—Guide for Specification
27an overview of reCommendations
• IEC/ TR 61334-1-4 Ed. 1.0: General Considerations—Identification of Data Transmission Parameters Concerning Medium- and Low-Voltage Distribution Mains
• IEC 61334-3-1 Ed. 1.0: Mains Signaling Requirements—Frequency Bands and Output Levels
• IEC 61334-3-21 Ed. 1.0: Mains Signaling Requirements—MV Phase-to-Phase Isolated Capacitive Coupling Device
• IEC 61334-3-22 Ed. 1.0: Mains Signaling Requirements—MV Phase-to-Earth and Screen-to-Earth Intrusive Coupling Devices
• IEC 61334-4-1 Ed. 1.0: Data Communication Protocols—Reference Model of the Communication System
• IEC 61334-4-32 Ed. 1.0: Data Communication Protocols—Data Link Layer—Logical Link Control (LLC)
• IEC 61334-4-33 Ed. 1.0: Data Communication Protocols—Data Link Layer—Connection Oriented Protocol
• IEC 61334-4-41 Ed. 1.0: Data Communication Protocols—Application Protocol—Distribution Line Message Specification
• IEC 61334-4-42 Ed. 1.0: Data Communication Protocols—Application Protocols—Application Layer
• IEC 61334-4-61 Ed. 1.0: Data Communication Protocols—Network Layer—Connectionless Protocol
• IEC 61334-4-511 Ed. 1.0: Data Communication Protocols—Systems Management—CIASE Protocol
• IEC 61334-4-512 Ed. 1.0: Data Communication Protocols—System Management Using Profile 61334-5-1—Management Information Base (MIB)
• IEC 61334-5-1 Ed. 2.0: Lower-Layer Profiles—The Spread Frequency Shift Keying (S-FSK) Profile
• IEC/TS 61334-5-2 Ed. 1.0: Lower-Layer Profiles—Frequency Shift Keying (FSK) Profile
• IEC/TS 61334-5-3 Ed. 1.0: Lower-Layer Profiles—Spread Spectrum Adaptive Wideband (SS-AW) Profile
• IEC/TS 61334-5-4 Ed. 1.0: Lower-Layer Profiles—Multicarrier Modulation (MCM) Profile
• IEC/TS 61334-5-5 Ed. 1.0: Lower-Layer Profiles—Spread Spectrum–Fast Frequency Hopping (SS-FFH) Profile
• IEC 61334-6 Ed. 1.0: A-XDR Encoding Rule
1.2.6.2 IEDs, Relays, Meters, Switchgear, CTs, and VTs The second pillar (see Figure 1.8) covers the monitoring and control of IEDs, common relays, meters, and switchgears as well as CTs and VTs. This large group of field devices mainly uses communication standardized by the two standard series IEC 61850 and IEC 60870-5, including their substandards.
1.2.6.2.1 IEC 60870-5 RTUs or Substation Systems The development of the standard series IEC 60870-5, Telecontrol Equipment and Systems—Part 5: Transmission Protocols, was started in the 1980s by TC 57 WG 3. The main objective was to develop an internationally standardized communication protocol for telecontrol applications in distributed power networks. In the early 1990s, the first five standards were published: [18]
• IEC 60870-5-1 Ed. 1.0: Transmission Frame Formats
• IEC 60870-5-2 Ed. 1.0: Link Transmission Procedures
• IEC 60870-5-3 Ed. 1.0: General Structure of Application Data
• IEC 60870-5-4 Ed. 1.0: Definition and Coding of Application Information Elements
• IEC 60870-5-5 Ed. 1.0: Basic Application Functions
Then, all further standards dealing with special applications should be published as companion standards. To this date, the following four companion standards have been published and are widely used: [18]
• IEC 60870-5-101 Ed. 2.0: Transmission Protocols—Companion Standard for Basic Telecontrol Tasks
• IEC 60870-5-102 Ed. 1.0: Companion Standard for the Transmission of Integrated Totals in Electric Power Systems
• IEC 60870-5-103 Ed. 1.0: Transmission Protocols—Companion Standard for the Informative Interface of Protection Equipment
• IEC 60870-5-104 Ed. 2.0: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles
Figure 1.8 Pillar for IED, relays, meters, switchgear, CT, and VT. (Blocks shown: IEDs, Relays, Meters, Switchgear, CTs, VTs; 60870-5-101 & 104; 60870-5 RTUs or Substation Systems; 61850 Substation Devices; 61850 Devices Beyond the Substation; 61850-7-3, 7-4 Object Models; 61850-7-2 ACSI; 61850-8-1 Mapping to MMS; Mapping to Web Services; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).)
The whole standard series is under continuous development and products are based on standards that are used in Europe, Asia, and the United States. They allow a vendor-independent communication among telecontrol and substation automation devices. Compared to the IEC 61850 standard series, the IEC 60870-5 does not offer the possibility to define typical devices in a standardized manner. So, in some cases IEC 60870-5 could be replaced by IEC 61850 standards, whereas only in a few situations does replacing one protocol with another protocol lead to additional values.
Beside the already mentioned basic and companion standards, the IEC 60870-5 series includes the following substandards dealing with testing: [18]
• IEC 60870-5-6 Ed. 1.0: Guidelines for Conformance Testing for the IEC 60870-5 Companion Standards
• IEC/TS 60870-5-601 Ed. 1.0: Conformance Test Cases for the IEC 60870-5-101 Companion Standard
• IEC/TS 60870-5-604 Ed. 1.0: Conformance Test Cases for the IEC 60870-5-104 Companion Standard
Because IEC 60870-5-101 and –104 are the most established companion standards, they are an explicit part of the SIA and described next. IEC 60870-5-102 [43] is occasionally used, and IEC 60870-5-103 [44] is used in various protection equipment. [23]
1.2.6.2.2 IEC 60870-5-101 and –104 IEC 60870-5-101 [7] defines a communication profile that allows sending basic telecontrol messages between central telecontrol stations and telecontrol outstations. Permanent and directly connected data circuits between the stations are used. In some cases, several applications have to send the same type of messages between telecontrol stations. Therefore, data networks that contain relay stations could be used. These stations would store and forward the messages and provide only a virtual circuit instead of a physical one. Thus, the messages are variably delayed related to the network traffic load. The result is that it is not possible to use the link layer as it is defined in part 101. In special cases, however, it is possible to connect telecontrol stations that have all three layers specified in part 101 to suitable data networks by using stations of the packet assembler-disassembler (PAD) type, providing access for balanced communication. In all other cases, part 104 [45] can be used to realize balanced access via a suitable transport protocol because it does not use the link functions of part 101. Hence, IEC 60870-5-104 includes a combination of the application layer defined in IEC 60870-5-101 and the transport functions from TCP/IP.
1.2.6.2.3 IEC 61850 Substation Devices Working Groups 10, 17, and 18 in TC 57 are responsible for the IEC 61850 standard series, Communication Networks and Systems in Substations, which is one of the most used and recommended standard series for smart grids. [5] It aims at increasing interoperability between multivendor IEDs in substations, enabling data exchange and using data to implement the functionality required by the application. The IEEE (Institute of Electrical and Electronics Engineers) definition of interoperability* is used. So, it is not the goal to reach interchangeability.†
In addition to the communication technologies according to the single levels of the ISO/OSI layer, IEC 61850 comprises solutions for system aspects like project management; domain-specific data models including model extension methodologies; domain-specific services; a configuration language; and conformance tests. As in other standard series, the subparts of IEC 61850 have different focuses (e.g., IED configuration, device testing, data modeling, and abstract communication interfaces and their mapping on specific communication technologies).
* “Ability of a system or a product to work with other systems or products without special effort on the part of the customer. Interoperability is made possible by the implementation of standards” (http://www.ieee.org/education_careers/education/standards/standards_glossary.html).
† “Ability of a system or product to be compatible with or to be used in place of other systems or products without special effort by the user” (http://www.ieee.org/education_careers/education/standards/standards_glossary.html).
From a hierarchical perspective, a real physical device is modeled as a logical device (LD). Each LD consists of various logical nodes (LNs), described in IEC 61850-7-4. [46] Services conform to IEC 61850-7-2 [47] and implementation of the abstract communication service interface (ACSI) is used for the communication with the LD. The IEDs themselves can be configured by substation configuration language (SCL) files, described in IEC 61850-6. [48] Configuration issues could be networks, model entities, provided services, and integration into the grid.
The following standards are currently part of the standard series IEC 61850: [18]
• IEC/TR 61850-1 Ed. 1.0: Introduction and Overview
• IEC/TS 61850-2 Ed. 1.0: Glossary
• IEC 61850-3 Ed. 1.0: General Requirements
• IEC 61850-4 Ed. 1.0: System and Project Management
• IEC 61850-5 Ed. 1.0: Communication Requirements for Functions and Device Models
• IEC 61850-6 Ed. 2.0: Configuration Description Language for Communication in Electrical Substations Related to IEDs
• IEC 61850-7-1 Ed. 1.0: Basic Communication Structure for Substation and Feeder Equipment—Principles and Models
• IEC 61850-7-2 Ed. 2.0: Basic Information and Communication Structure—Abstract Communication Service Interface (ACSI)
• IEC 61850-7-3 Ed. 2.0: Basic Communication Structure—Common Data Classes (CDCs)
• IEC 61850-7-4 Ed. 2.0: Basic Communication Structure—Compatible Logical Node Classes and Data Object Classes
• IEC 61850-7-410 Ed. 1.0: Hydroelectric Power Plants—Communication for Monitoring and Control
• IEC 61850-7-420 Ed. 1.0: Basic Communication Structure—Distributed Energy Resources Logical Nodes
• IEC 61850-8-1 Ed. 1.0: Specific Communication Service Mapping (SCSM)—Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3
• IEC 61850-9-1 Ed. 1.0: Specific Communication Service Mapping (SCSM)—Sampled Values over Serial Unidirectional Multidrop Point to Point Link
• IEC 61850-9-2 Ed. 1.0: Specific Communication Service Mapping (SCSM)—Sampled Values over ISO/IEC 8802-3
• IEC 61850-10 Ed. 1.0: Conformance Testing
• IEC/TS 61850-80-1 Ed. 1.0: Guideline to Exchanging Information from a CDC-Based Data Model Using IEC 60870-5-101 or IEC 60870-5-104
• IEC/TR 61850-90-1 Ed. 1.0: Use of IEC 61850 for the Communication between Substations
1.2.6.2.4 IEC 61850 Devices beyond the Substation Whereas IEC 61850 was primarily intended to cope with substation automation, other devices were a later focus. Substandards IEC 61850-7-410 [49] and –7-420 [50] deal with those devices.
IEC 61850-7-410 includes extensions of the information model for hydroelectric power plants. The models define many LNs, which describe automation logic and thus go far beyond the IEC 61850-7-4 definitions. The main objective is to enable automation and monitoring of hydroelectric power plants in a way that could last for the next centuries. This is possible because during the next 10 to 20 years, hydroplant control and monitoring systems will be renewed. Sustainable interoperability is of special interest in this area. [23]
IEC 61850-7-420 represents extensions for DER like photovoltaic, combined heat and power (CHP), fuel cells and reciprocating engines. In contrast to the field of substation automation, in which only a few global players control the market, many small and medium enterprises participate in the DER market. Hence, it is an important challenge to specify internationally accepted information models. In the future, these models will be tested for their practical suitability step by step.
Extensions of the IEC 61850 information model for wind power plants are part of the IEC 61400-25 standard. [9]
1.2.6.2.5 Communication Industry Standard Protocol Stacks To realize a communication to the field devices, IT transport protocols must be used. During the last decades, some transport protocols, like TCP/IP and Ethernet, have been established. Hence, they were recommended for use in the utility domain. [2]
• TCP: The TCP is mainly based on two standards, RFC (request for comments) 793 (http://tools.ietf.org/html/rfc793) and RFC 1323 (http://tools.ietf.org/html/rfc1323). TCP specifies how data can be exchanged between two computers. It is supported and used by all recent operating systems. Furthermore, it is one of the core protocols of the Internet Protocol suite, so that all major Internet applications like the World Wide Web and e-mail rely on it. TCP provides reliable, connection-oriented, and packet-switching communication.
• IP: RFC 791 (http://tools.ietf.org/html/rfc791) and RFC 2460 (http://tools.ietf.org/html/rfc2460) standardize the IP, a well-established network protocol within computer networks. It is also one of the core protocols of the Internet and allows the use of TCP. The main objective of IP is to route data packets across network boundaries, whereas the transmission from the source host to the destination host is solely based on their addresses.
• Ethernet: In the TCP/IP stack, Ethernet is the lowest layer, the basis for the IP. Ethernet specifies software and hardware for wired data networks, so that data exchange among devices within a LAN is possible. It contains various definitions for a number of wiring and signaling standards. Those standards cope with both the physical layer of the OSI networking model and the data link layer (common addressing format and a variety of Media Access Control procedures).
1.2.6.2.6 IEC 61850-8-1 Mapping to MMS Specific Communication Service Mappings (SCSMs) are part of IEC 61850-8-1. [51] In this substandard, mappings of the abstract model to MMS (ISO/IEC 9506-1 and –2) and Ethernet (ISO/IEC 8802-3) are specified for communications within the whole substation. The information exchange, based on GOOSE (Generic Object Oriented Substation Event) and GSSE (Generic Substation Status Event) messages for real-time requirements like trigger signals and a client-server communication for SCADA functions, is also defined.
1.2.6.2.7 IEC 61850-7-2 ACSI IEC 61850-7-2 [47] defines a basic communication infrastructure for substation and feeder equipment focusing on ACSIs, including their descriptions. An ACSI is intended for use for applications in the utility domain that require real-time cooperation of IEDs. Furthermore, the ACSI is technology independent in terms of the underlying communication systems. The definitions of the ACSI include a hierarchical class model of the information that could be accessed by communication systems, services operating on these classes, and parameters linked to each service. The following communication services between clients and remote servers are in the scope of the substandard:
• Real-time data access and retrieval
• Device control
• Event reporting and logging
• Setting group control
• Self-description of devices
• Data typing and discovery of data types
• File transfer
1.2.6.2.8 IEC 61850-7-3 and –7-4 Object Models Devices like DER and substations modeled through IEC 61850 concepts are used by specific applications. Constructed, attributed classes and common data classes (CDCs) are related to those applications and defined in IEC 61850-7-3. [52] IEC 61850-7-4 [46] uses these CDCs to define compatible data object classes. The abstract definitions from part 7-2 [47] are mapped to concrete object definitions, which are used for specific protocols like MMS. In detail, the following specifications are included in part 7-3:
• CDC for status information
• CDC for measured information
• CDC for control
• CDC status settings
• CDC analogue settings
• Attribute types used in these CDCs
One of the pursued objectives of the standard series is to reach a high degree of interoperability. Therefore, all data objects—which could be mandatory, optional, or conditional—within the whole data model are strongly defined in terms of syntax and semantics. The semantic interoperability is achieved through names assigned to common LNs, their data objects are defined in part 7-4 [46], and they are part of the class model specified in 7-1 [53] and defined in 7-2. [47] The names are used to build a hierarchical object reference applied for communicating with IEDs in automation systems and in substations as well as on distribution feeders. Also, normative naming rules are defined to avoid private and thus maybe incompatible extensions of LNs and data object names. In addition, dedicated LNs are defined in other parts like IEC 61850-7-420 [50] to model more specific devices like DER. Some LN features like data sets and logs are not modeled in part 7-4 but in part 7-2.
In addition to the descriptions of device models and functions of substations and feeder equipment, device models and functions for the following issues can be described:
• Substation-to-substation information exchange
• Substation-to-control-center information exchange
• Power-plant-to-control-center information exchange
• Information exchange for distributed generation
• Information exchange for metering
1.2.6.2.9 Mapping to Web Services Web services (http://www.w3.org/2002/ws/) specified by the World Wide Web Consortium (W3C) are software applications that communicate with each other using XML interfaces to send messages via Internet protocols. Each web service is identifiable by its Uniform Resource Identifier (URI). There are three types of roles in a typical web service system:
• Service broker
• Service provider
• Service requester
The service provider uses the WSDL (Web Services Description Language) standard to provide its services to the service broker. In some cases, a small and local server is used to offer a service to register web services via the UDDI (Universal Description, Discovery, and Integration) standard. The service requester can also use WSDL to communicate with the service broker. It queries the broker’s repository to find a QoS (quality of service) or requirement-fitting service. In case of success, the service requester exchanges the data with the chosen service provider using the Simple Object Access Protocol (SOAP) standard, for example.
One example for mapping of an abstract communication to web services is the IEC 61850 model, which is extended by IEC 61400-25-2 [54] to enable modeling of wind power plants. In this context, another substandard was developed, IEC 61400-25-4 [55], that specifies a web-service-based communication for all IEC 61850-based data models.
1.2.6.3 DERs and Meters Figure 1.9 illustrates the third pillar of the lower SIA part. This excerpt represents the web-service-based communication for DER and some meter types. Therefore, an XML-based configuration language for substations called SCL is utilized just as protocols like TCP/IP are used. Two parts of this excerpt were discussed in Section 1.2.6.2.
1.2.6.3.1 Field Devices and Systems Using Web Services The field devices shown in the other pillars are all accessible by standardized interfaces using standardized data models. This group, however, uses proprietary systems. For this reason, it is necessary to define interfaces so that it is possible to monitor and control the devices. Therefore, they define web service interfaces to be connected to the upper layers.
1.2.6.3.2 Existing Object Models IEC 61850-6 Engineering An important issue in standardization is the configuration of IEDs in substations; thus, IEC 61850-6 [48] specifies a suitable description language, SCL, based on XML. By allowing the formal description of relations between automation systems and the processes like substations and switchyards, SCL is used to describe IED configurations and communication systems according to parts 5 and 7-x. From the application-level perspective, switchyard topologies and relations between their structure and SAS (substation automation system) functions configured on an IED can be described. The main objective of SCL is to enable an interoperable exchange of communication system configuration data between IED configuration tools and system configuration tools within a multivendor system architecture.
Figure 1.9 Pillar for DER and meters. (Blocks shown: DERs, Meters; Field Devices and Systems using Web Services; Mapping to Web Services; Existing Object Models; 61850-6 Engineering; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).)
The definitions made in part 6 can be extended, or the use of values of objects can be restricted if it is necessary in terms of IEC 61850-8-1 [51] and –9-2 [56] concerning mappings of the abstract model defined in IEC 61850-7-x to specific communication technologies.
1.2.6.4 Other Control Centers The last pillar (see Figure 1.10) deals with control centers that are not connected via IEC 61850, but via IEC 60870-6. Hence, a communication mainly based on TASE.2 is considered. The shown communication protocol stack was described in Section 1.2.6.2.
1.2.6.4.1 IEC 60870-6 TASE.2 TC 57 WG 7 is developing the IEC 60870-6 standard series Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations, pursuing the goal of providing protocols that are able to run over WANs to interconnect control centers with heterogeneous databases and EMS applications. Those protocols and their services should be compliant to the OSI layered reference model and use existing ISO standards to the highest possible degree.
Figure 1.10 Pillar for other control center. (Blocks shown: Other Control Centers; 60870-6 TASE.2; 60870-6-802 Object Models; 60870-6-503 App Services; 60870-6-702 Protocols; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet).)
TASE.1 was the first published standard, and it was based on the ELCOM-90 protocol. The main objective was to provide the operation of an existing ELCOM-90 protocol over an OSI protocol stack. The TASE.1 API was developed as specified in the ELCOM-90 protocol documentation to enable replacements of the two protocols. The following substandards deal with TASE.1: [18]
• IEC 60870-6-501 Ed. 1.0: TASE.1 Service Definitions
• IEC 60870-6-502 Ed. 1.0: TASE.1 Protocol Definitions
• IEC/TS 60870-6-504 Ed. 1.0: TASE.1 User Conventions
• IEC 60870-6-701 Ed. 1.0: Functional Profile for Providing the TASE.1 Application Service in End Systems
TASE.2 was the successor of TASE.1 providing a utility-specific layer over MMS. It was developed for two major reasons: to provide extended functionalities and to maximize the use of existing OSI-compatible protocols like MMS. Whereas TASE.1 provides SCADA data and device control functionalities, TASE.2 also provides the exchange of information messages (e.g., short binary files) and structured data objects (e.g., transmission schedules). Therefore, a client-server architecture is used; its clients initiate transactions that are processed by the servers. Within the architecture, specific object models are used to define the transactions and services. In addition, the exchanged data were separately defined as static data objects. Hence, a distinction between the exchanged data and the used services was made. In addition to the object model, an anonymous point-oriented model is used to identify the received values and controlled devices. As for TASE.1, the following substandards deal with TASE.2: [18]
• IEC 60870-6-503 Ed. 2.0: TASE.2 Services and Protocol
• IEC/TR 60870-6-505 Ed. 1.1 Consol. with am1: TASE.2 User Guide
• IEC 60870-6-702 Ed. 1.0: Functional Profile for Providing the TASE.2 Application Service in End Systems
• IEC 60870-6-802 Ed. 2.1 Consol. with am1: TASE.2 Object Models
Beside the TASE.1 and TASE.2 specific substandards, the series comprises the following, more general parts: [18]
• IEC/TR 60870-6-1 Ed. 1.0: Application Context and Organization of Standards
• IEC 60870-6-2 Ed. 1.0: Use of Basic Standards (OSI Layers 1–4)
• IEC 60870-6-601 Ed. 1.0: Functional Profile for Providing the Connection-Oriented Transport Service in an End System Connected via Permanent Access to a Packet Switched Data Network
• IEC/TS 60870-6-602 Ed. 1.0: TASE Transport Profiles
1.2.6.4.2 IEC 60870-6-702 Protocols IEC 60870-6-702 [57] defines a functional profile covering the provision of the TASE.2 communication services between two control center end systems. Furthermore, the provision of the OSI connection mode presentation and session services between the end systems is defined by the functional profile.
1.2.6.4.3 IEC 60870-6-503 App Services Part 6-503 [58] of IEC 60870 defines the TASE.2 application modeling and service definitions. It specifies a method of exchanging time-critical control center data through WANs and LANs using fully ISO-compliant protocol stacks. Furthermore, it contains provisions for supporting both centralized and distributed architectures. It includes the exchange of real-time data indications, control operations, time series data, scheduling and accounting information, remote program control, and event notification. The use of TASE.2 is not restricted to control center data exchange. It may be applied in any other domain having comparable requirements. Examples of such domains are power plants, factory automation, and process control automation.
This standard does not specify individual implementations or products and does not constrain the implementation of entities and interfaces within a computer system. This standard specifies the externally visible functionality of implementations together with conformance requirements for such functionalities.
1.2.6.4.4 IEC 60870-6-802 Object Models The primary objective of TASE.2 is transferring data between control systems and initiating control actions. Thereby, data is represented by object instances. IEC 60870-6-802 [59] proposes object models, representing objects for transfer, from which to define object instances. Local systems may not maintain a copy of every attribute of an object instance.
1.2.7 Security and Data Management
The SIA includes the IEC 62351 security standard as a cross section for data and communication security (in TC 57). It is drafted on the left side of Figure 1.1. The IEC 62351 includes eight parts: Part –1 provides a general introduction, and part –2 includes some definitions used in the standard. Parts –3 to –6 provide security enhancements for [15]
• profiles including TCP/IP (IEC 62351-3),
• profiles including MMS (IEC 62351-4),
• IEC 60870-5 and derivatives (IEC 62351-5), and
• IEC 61850 profiles (IEC 62351-6)
Part –7 of the standard is separately outlined in the SIA overview (see Figure 1.1) and deals with domain-specific data models for network management. An eighth part, which will consider role-based access control, is actually planned and not yet integrated in the SIA overview.
IEC 62351 is a standard for data and communication security. It is not a standard for information security management. Such security management methods can be found in IEC 62443 or, of course, the ISO/IEC 27k.
Next, we first explain the security enhancements defined in parts –3 to –6 and their benefits and restrictions. After that, we focus on the network management defined in IEC 62351-7. The last part of this section gives an overview of IEC 62351.
IEC 62351 parts –3 to –6 provide security enhancements described next.
1.2.7.1 Secure Communication via IEC 62351-3 IEC 62351-3 deals with the securing of TCP/IP-based protocols. The entire part –3 standard is about securing the communication on the transport layer through TLS (Transport Layer Security). [60] In general, TLS, as a successor of SSL (Secure Sockets Layer), realizes a secure communication through a hybrid encryption. Such an encryption makes use of asymmetric and symmetric encryption. The asymmetric encryption is used to securely exchange symmetric keys, and the symmetric keys are used to encrypt the transferred data. The symmetric encryption is used because of its better performance. The asymmetric encryption, which only initializes the communication process as described, makes use of certificates. Server and client certificates are possible. In general, the authentication through a server-based certificate is very common. A certificate is a statement from a trusted third party (TTP) that includes a public key. The TTP guarantees that the included public key belongs to the certificate holder.
To conform to this standard, some aspects or parameters for the use of TLS must be mentioned.
• Only TLS version 1.0 (or at least SSL version 3.1) is allowed.
• MACs (message authentication codes) that are optional in TLS shall be used.
• Symmetric keys must be time-based negotiated by the calling nodes. For this cipher renegotiation call, there must be a time-out.
• For certification management, it is necessary to have more than one certification authority.
• The size of a certificate shall not be longer than 8,192 bytes.
• Certificate exchange shall be bidirectional.
• Certificate revocation is specified in RFC 3280.
• Signing via Rivest, Shamir, and Adleman (RSA) or Digital Signature Standard (DSS) shall be supported.
• Key exchange with a maximum key size of 1,024 bits via RSA or Diffie-Hellman shall be supported.
The secured communication shall be on a separated port so that nonsecured communication can coexist. The use of this security enhancement provides some benefits for integrity, confidentiality, and authenticity. The protection goal authenticity is reached through the use of certificates. The encryption of the connections via TLS leads to confidentiality, and the use of MACs brings integrity. There are some restrictions for the use of TLS as a security enhancement. TLS does not mention the protection goal availability, so this standard will not protect against denial-of-service attacks.
1.2.7.2 Secure Profiles through IEC 62351-4 IEC 62351-4 brings mandatory and optional security enhancements for a secure communication when using MMS (ISO/IEC 9506). IEC 61850-8-1 and IEC 60870-6 use MMS, either the OSI or TCP profiles, in a seven-layer connection-oriented mechanism, which is drafted in Figure 1.11. Therefore, different security profiles are considered as A and T profiles in this standard. Both can be found in the TC 57 context. The security profiles define protocols and requirements for the layers in the OSI reference model. The A profiles or application profiles are concerned with OSI layers five to seven, and the T profiles or transport profiles are pertinent to layers one to four. One can see these determinations on the right side of Figure 1.11. At the bottom of Figure 1.11, one can see a further distinction at the T profile into the OSI T profile and TCP T profile. The security of OSI T profiles is out of the scope of IEC 62351-4. [61]
An implementation of MMS must mention secure profiles to be compliant with this standard. There must be a possibility to use certificates for authentication. Furthermore, there must be a possibility to decide whether a secure or nonsecure profile is necessary for acceptance or initiation of communication or if it is not necessary. A secure security log is recommended. For peer authentication, Association Control Service Element (ACSE) (ISO 8650) shall use the ACSE authentication mechanism and authentication value fields. To be backward compatible, authentication values can be excluded for nonsecure profiles. A certificate-based MMS authentication value includes a signature certificate, a timestamp, and a signed value. Certificates must have a maximum size of 8,192 octets and shall be based on X.509. The signed value is a timestamp reduced with Secure Hash Algorithm (SHA-1) and signed with RSA. If the sent timestamp differs from the encoded timestamp, the connection shall be refused. There are some other conditions for a connection abort. Messages older than 10 minutes will be ignored. So, there is a window of vulnerability of 10 minutes, during which the same signed value could be used by an attacker.
Figure 1.11 Profile security. (Reprinted with permission from International Electrotechnical Commission (IEC). International Electrotechnical Commission (IEC). 62351-7: Data and Communication Security Security through Network and System Management (2007). Geneva, Switzerland: IEC.) (Labels shown: OSI Reference Model layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Datalink, 1 Physical; A-profile; T-profile; OSI T-profile; TCP T-profile; MMS, ACSE; ISO presentation; ISO session; ISO TP4; ISO TP0; ISO CLNP; RFC-1006; TCP; IP; IEEE 802.3.)
To be compliant to this standard, secure TCP T profiles must be used. In Figure 1.11, one can see the TCP T profile drafted on the right. From layers 3 to 1, the following protocols are mentioned in the TCP T profile: RFC 1006 (ISO transport service), TCP, IP, and IEEE 802.3 (Ethernet). This standard does not specify security specifications for these protocols or describe the use of TLS. It focuses on the layer 4 ISO TP0 protocol and specifies a secure RFC-1006 profile. This standard defines ports for the use of secure and nonsecure T profiles. The TLS defined in IEC 62351-3 shall be used. Furthermore, this standard defines things like transport protocol data unit (TPDU) to be ignored, size of transport selectors (TSELs), size of certificates, time to check certificate revocation, and recommended TLS cipher suites.
1.2.7.3 Authentication Technique of IEC 62351-5 Part –5 of the IEC 62351 standard deals with securing IEC 60870-5 protocols and derivatives. It focuses on authentication mechanisms on the application layer. Security goals like confidentiality of data are out of the scope of this standard, but when IEC 60870-5-104 is in use, part –3 of this standard shall be mentioned. [62]
The protocols that shall be secured through this specification come with specific circumstances. The considered protocols of this security enhancement have an asymmetric communication and message orientation in common. There is a controlling and a controlled station, so we have a bidirectional communication. There are some security challenges with this kind of protocol, which avoids the adoption of some security mechanisms. Some of these challenges are missing or poor sequence numbers and missing or poor integrity mechanisms, limited frame length, long upgrade intervals, and more.
The authentication mechanism described in this specification makes use of a generic challenge-response concept, which shall be mapped into different standards. The key element for the authentication is a keyed hash message authentication code (HMAC). An HMAC is a MAC with a specific hash algorithm. By creating an HMAC, a hash value of a message is generated and then encrypted with a shared secret and symmetric key. The listener who also knows the secret can perform the hashing and encryption, so that the listener knows whether the message was modified and that only the other person with the secret key could have sent the message. An HMAC is not a digital signature because the MAC key is known by more than one person. Through hashing, manipulation of messages can be detected, so this accounts for integrity requirements. The use of a shared secret key for the HMAC between both sides gains authenticity. To reach a secure key exchange between the nodes, there are three different keys: an update key, a monitoring session key, and a control session key. The update key is used to encrypt the session keys. For security reasons, there are two different session keys for the monitoring and control direction. The update key is a preshared secret. The process to securely update unique keys (UKs) or a public key mechanism for that is out of the scope of this standard. The existence of an update key is a precondition for every node.
The authentication process specified in this standard is used for critical messages, but also for periodic messages. Before performing critical protocol messages, the application service data unit (ASDU), the executor of such a message, will initiate an authentication. The challenger of the critical ASDU has to start an authentication challenge, to which the executor will respond via an authentication response. Before authentication via an HMAC, it will be checked whether a common secret session key exists. The session key has to be transferred encrypted with the update key.
To be backward compatible, a nonsecure communication shall also be mentioned and possible. There are some further requirements like interoperability requirements and conformance statements for special applications within this standard.
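The challenge-response exchange with per-direction session keys described in this section, as an added example that is not code from the book or from the IEC text. It assumes HMAC-SHA-256 from Python's standard library, a 16-byte random challenge, session keys that were already distributed under the update key, and that the station receiving a critical ASDU acts as challenger; the class names and the sample ASDU bytes are hypothetical.

```python
import hashlib
import hmac
import secrets

CONTROL, MONITOR = "control", "monitor"  # the two directions with separate session keys


def asdu_mac(session_key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """HMAC-SHA-256 over the challenge and the ASDU it protects."""
    # Length-prefix the challenge so the (challenge, asdu) boundary is unambiguous.
    message = len(challenge).to_bytes(2, "big") + challenge + asdu
    return hmac.new(session_key, message, hashlib.sha256).digest()


class Responder:
    """Station that sent the critical ASDU and must prove that it did."""

    def __init__(self, session_keys: dict):
        self.session_keys = session_keys

    def respond(self, direction: str, challenge: bytes, asdu: bytes) -> bytes:
        return asdu_mac(self.session_keys[direction], challenge, asdu)


class Challenger:
    """Station that received a critical ASDU and withholds it until authenticated."""

    def __init__(self, session_keys: dict):
        self.session_keys = session_keys
        self.pending = {}  # challenge -> (direction, ASDU as received)

    def challenge(self, direction: str, received_asdu: bytes) -> bytes:
        # Precondition from the text: a common session key must already exist.
        if direction not in self.session_keys:
            raise LookupError(f"no session key for {direction} direction")
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per ASDU
        self.pending[nonce] = (direction, received_asdu)
        return nonce

    def verify(self, nonce: bytes, tag: bytes) -> bool:
        # pop() makes every challenge single use, so a captured reply cannot be replayed.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        direction, received_asdu = entry
        expected = asdu_mac(self.session_keys[direction], nonce, received_asdu)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    # Constructed keys; in the scheme described they arrive encrypted under the update key.
    keys = {CONTROL: secrets.token_bytes(32), MONITOR: secrets.token_bytes(32)}
    controlling, controlled = Responder(keys), Challenger(keys)
    asdu = b"constructed critical command: open breaker Q1"
    results = {}

    nonce = controlled.challenge(CONTROL, asdu)
    tag = controlling.respond(CONTROL, nonce, asdu)
    results["accepted"] = controlled.verify(nonce, tag)
    results["replayed_response"] = controlled.verify(nonce, tag)

    # ASDU altered in transit: the sender's MAC covers what was really sent.
    nonce = controlled.challenge(CONTROL, b"constructed critical command: open breaker Q2")
    results["tampered_asdu"] = controlled.verify(
        nonce, controlling.respond(CONTROL, nonce, asdu))

    # A monitoring-direction key must not authenticate a control-direction ASDU.
    nonce = controlled.challenge(CONTROL, asdu)
    results["wrong_direction_key"] = controlled.verify(
        nonce, controlling.respond(MONITOR, nonce, asdu))

    # Without a session key for the direction, no challenge is issued at all.
    try:
        Challenger({MONITOR: keys[MONITOR]}).challenge(CONTROL, asdu)
        results["missing_session_key"] = False
    except LookupError:
        results["missing_session_key"] = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```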
1.2.7.4 PDU Security Extension of IEC 62351-6
Part 6 of IEC 62351 deals with the security of the IEC 61850 protocols. Profiles using MMS shall mention IEC 62351-4. Profiles using Simple Network Time Protocol (SNTP) should use RFC 2030 with authentication algorithms. This standard specifies PDU enhancements. The PDU shall include a MAC, which can be used for authentication. Figure 1.12 illustrates this extension.
An application protocol data unit (APDU) shall only be performed if the calculated MAC is identical to the sent MAC. Messages older than 2 minutes shall be ignored to avoid replay of GOOSE or sample measured value (SMV) messages.
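The two receiver rules above (act only when the calculated MAC equals the sent MAC, ignore anything older than 2 minutes), as an added example that is not taken from IEC 62351-6 or from this chapter. The frame layout, HMAC-SHA256, the key and the sample payload are constructed assumptions, not the wire format of the standard. The optional duplicate cache goes one step beyond the text: it shows that the age rule alone still accepts a copy replayed inside the 2-minute window.

```python
import hashlib
import hmac
import struct

MAX_AGE_S = 120     # "messages older than 2 minutes shall be ignored"
MAC_LEN = 32        # HMAC-SHA256 output size (assumed algorithm)
HDR_LEN = 10        # 8-byte timestamp + 2-byte payload length


def build_extended_pdu(key, payload, sent_at):
    """Hypothetical framing: timestamp | payload length | payload | MAC."""
    body = struct.pack(">dH", sent_at, len(payload)) + payload
    # The timestamp sits inside the MACed body, so it cannot be rewritten.
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key, reject_duplicates=True):
        self.key = key
        self.reject_duplicates = reject_duplicates
        self.seen = {}   # MAC -> send time, for frames still inside the window

    def accept(self, frame, now):
        """Return (accepted, reason); the payload is acted on only if accepted."""
        if len(frame) < HDR_LEN + MAC_LEN:
            return False, "malformed"
        body, sent_mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        calc_mac = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(calc_mac, sent_mac):   # check the MAC first
            return False, "mac-mismatch"
        sent_at, length = struct.unpack(">dH", body[:HDR_LEN])
        if length != len(body) - HDR_LEN:
            return False, "malformed"
        if now - sent_at > MAX_AGE_S:
            return False, "too-old"
        if self.reject_duplicates:
            # Forget entries that the age rule would reject anyway.
            self.seen = {m: t for m, t in self.seen.items()
                         if now - t <= MAX_AGE_S}
            if sent_mac in self.seen:
                return False, "duplicate"
            self.seen[sent_mac] = sent_at
        return True, "ok"


def run_samples():
    key = b"constructed-demo-key-not-for-use"      # constructed sample key
    t0 = 1_700_000_000.0                           # constructed send time
    frame = build_extended_pdu(key, b"GOOSE stNum=7 sqNum=0 trip=1", t0)
    rx = Receiver(key)
    results = {
        "fresh": rx.accept(frame, t0 + 0.004),
        "replay_in_window": rx.accept(frame, t0 + 30),
        "replay_after_window": rx.accept(frame, t0 + 121),
    }
    # An old frame whose timestamp field was rewritten fails the MAC check.
    redated = struct.pack(">d", t0 + 500) + frame[8:]
    results["redated"] = rx.accept(redated, t0 + 500)
    # With only the two rules from the text, a quick replay is accepted.
    age_only = Receiver(key, reject_duplicates=False)
    age_only.accept(frame, t0 + 0.004)
    results["age_only_replay"] = age_only.accept(frame, t0 + 30)
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(name, outcome)
```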
To conform to this standard, SCL has to be enhanced. It must include certificates to realize authentication and encryption. The access point definition of SCL must include GOOSE-security (IEC 61850-8-1) and SMV-security (IEC 61850-9-2).
Encryption is not recommended for applications using GOOSE and IEC 61850-9-2 in combination with multicast because of the response time requirements.63
[Figure 1.12 diagram labels: Current, Secure, Header, Length, GOOSE/SMV PDU, Extended PDU, Extension, Reserved, CRC, Authentication Value (Digital Signature-HMAC)]
Figure 1.12 Extended PDU. (Reprinted with permission from International Electrotechnical Commission (IEC). 62351: Data and Communication Security (2006). Geneva, Switzerland: IEC.)
1.2.7.5 Intrusion Detection with IEC 62351-7
Part 7 of IEC 62351 is about network and system management for power systems. Therefore, it specifies abstract data models for controlling and monitoring the network and connected devices. The information of these data models shall be used as additional information for intrusion detection systems. The intention of this standard is to take availability requirements into account. The monitoring of the network and connected devices shall detect attacks. Also, the controlling of the network and connected devices shall react on a detected attack.61 IEC 62351-7 does not define actions for alarms corresponding to these monitoring data models or specify the protocols to which the abstract data models could be mapped. In Figure 1.13, one can see the basic elements of a power system operation system and corresponding elements of the security-monitoring architecture of IEC 62351.61
1.3 Application of the SIA
At first, it should be clear that the SIA is not a step-by-step guide to build an ICT infrastructure in the energy domain, but a blueprint that focuses on IEC-specific standards. To use the SIA, it is necessary to integrate the architecture in the company workflow or build up an entirely new process. The next section presents an example of how to use the SIA.
[Figure 1.13 diagram labels: Control Center (Engineering Systems, Security Client, Historical Database and Data Interface, SCADA System, TASE.2 link to External Systems, Operator User Interface); WAN; Substation (Security Server, Substation Master, Circuit Breaker, Protection Relay, Load Tap Changer, PT, CT); Feeders (Voltage Regulator, Automated Switch, Capacitor Bank Controller); Legend: Clients, Servers, Firewall, IDS, NSM data objects, Other]
Figure 1.13 Security monitoring architecture of IEC 62351-7. CT, current transformer; IDS, intrusion detector system; NSM, network and system management; PT, potential transformer. (Reprinted with permission from International Electrotechnical Commission (IEC). 62351-7: Data and Communication Security Security through Network and System Management (2007). Geneva, Switzerland: IEC.)
Figure 1.14 shows a rough procedure model on how to create a specific SIA that fits custom needs. The described procedure model is based on the specification of methods as described by Gutzwiller.64 According to Gutzwiller, a method is described using the following elements: activity, role, specification document, metamodel, and technique. Here, we present only a rough procedure model and therefore focus on activities (steps), roles, and specification documents. The steps are illustrated as flow diagrams enhanced by roles and specification documents.
The first goal should be the creation of a SIA-based architecture with specific adaptations. To achieve this, a thorough analysis of the current state as well as the target requirements is necessary (see step 1). In addition, the regulatory and technical requirements must be taken into account. Also, many companies have internal corporate standards that should contribute to the requirements.
[Figure 1.14 flow diagram; columns: Activities, Documents, Roles. Activities: Analysis of the current state; Target requirement analysis; Regulatory and technical requirements and corporate standards; Selection of usable parts out of the SIA; Does the SIA include all parts to meet the requirements (Yes/No); Create necessary extensions; Create company or project specific expression of the SIA. Documents: Requirement Documents; Selected Standards; SIA-Based adapted Architecture. Roles: IT Experts, Domain Experts, Standards Experts. Steps 1 to 3.]
Figure 1.14 Create a company- or project-specific expression of the SIA.
With these previously identified specifications, the usable parts have to be selected from the original SIA (see Figure 1.15 for a fictional example), step 2 in Figure 1.14.
Step 3 includes the decision about the completeness of the cutout of the SIA. If one or more requirements are not met, it is necessary to extend the SIA with custom parts. These extensions could consist of other non-IEC standards, corporate standards, or regulatory rules. An example result document of an adapted architecture can be seen in Figure 1.16. The unused parts have been removed, and the used ones have been slightly shrunk together. At the bottom left, there is an example extension with the OPC UA IEC 62541 standard.
This adapted architecture can now be used as a starting point in new or migration projects. It is possible to construct requirements and roadmaps or even checklists to track the progress of adapting the SIA in the implementation process based on this.
[Figure 1.15 diagram labels: EMS Apps; CIM Extensions; 61970/61968 Common Information Model (CIM); Technology Mappings; Inter-System/Application Profiles (CIM XML, CIM RDF); Data Acquisition and Control Front-End/Gateway/Proxy Server/Mapping Services/Role-based Access Control; 61850-7-3, 7-4 Object Models; 61850-7-2 ACSI; 61850-8-1 Mapping to MMS; Mapping to Web Services; Existing Object Models; 61850-6 Engineering; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet); 61850 Substation Devices; 61850 Devices Beyond the Substation; Field Devices and Systems using Web Services; DERs, Meters; IEDs, Relays, Meters, Switchgear, CTs, VTs; End-to-end Security Standards and Recommendations (62351 1-6)]
Figure 1.15 Fictional example of the selected SIA parts.
One additional important point has to be taken into account. The SIA does not dictate the implementation of the interfaces between the standards across the layers. It is necessary to consult the specific standard documentation for implementation details for the recommended interfaces.
Furthermore, there is a lack of harmonization work between particular standards. This leads to an individual mapping with a certain degree of freedom, which results in unique characteristics.
The IEC is developing a smart grid mapping tool to support the creation process for an adapted architecture primarily for the identification and selection of parts from the SIA. It consists mainly of a metadata database that also contains information on the included standards and the direct or indirect connections to other standards within the SIA. One potential application is to select a starting standard, check the connections in all directions, and select the requested standards to reiterate the procedure with the new selected one to get the favored set of standards. Furthermore, the data include information about the application domains of standards within the energy domain like advanced metering infrastructure (AMI) or DER etc., so it should be possible to select the desired target domain and obtain all the relevant standards for it.
[Figure 1.16 diagram labels: EMS Apps; CIM Extensions; 61970/61968 Common Information Model (CIM); Technology Mappings; Inter-System/Application Profiles (CIM XML, CIM RDF); Data Acquisition and Control Front-End/Gateway/Proxy Server/Mapping Services/Role-based Access Control; 61850-7-3, 7-4 Object Models; 61850-7-2 ACSI; 61850-8-1 Mapping to MMS; Mapping to Web Services; Existing Object Models; 61850-6 Engineering; 62541 OPC UA Parts 3-7; 62541 OPC UA Parts 8-11; Mappings; Services; Models; Communication Industry Standard Protocol Stacks (ISO/TCP/IP/Ethernet); 61850 Substation Devices; 61850 Devices Beyond the Substation; Field Devices and Systems using Web Services; DERs, Meters; IEDs, Relays, Meters, Switchgear, CTs, VTs; End-to-End Security Standards and Recommendations (62351 1-6)]
Figure 1.16 SIA-based adapted architecture.
1.4 Summary and Outlook
This chapter showed the recommended standards necessary for a successful integration of technical smart grid infrastructures. The agreed-on and used standards solve the challenge of technical integration. In particular, the TC 57 reference architecture (IEC TR 62357) was examined in more detail. It provides an architecture and overview for standards of IEC TC 57, whose standards have also been referenced by various national and international smart grid standardization roadmaps (e.g., References 1–4).
In the TC 57 reference architecture, the integration of business partners was considered to connect the smart grid’s associated businesses, such as the energy markets and utilities. Furthermore, standards for integration of field devices with SCADA systems were described, and details on which standards can be applied for the important cross-cutting concerns security and data management were provided.
The IEC TR 62357 reference architecture provides a comprehensive framework of standards to integrate various smart grid participants. Currently, standards need to be harmonized to achieve a seamless integration, which is already one of the TC’s key objectives. A special issue being addressed at present is the harmonization between IEC 61970/61968 (CIM) and IEC 61850. WG19, originally founded to resolve model differences where there is an overlap between standards and to develop a vision for TC 57 for the future architecture, has already treated this issue to some degree. Despite harmonization efforts, modifications to standards themselves might become necessary, as for instance proposed for IEC CIM 61970/61968,20 or new standards might emerge, which have to be considered independent standards. In addition, other standards that are out of the TC’s scope are to be considered for integration, like the OPC UA, shown in the example in Section 1.3. According to this approach, the reference architecture has to evolve constantly and incorporate these changes.
The future vision for the reference architecture establishes a basis for seamless integration of technical systems involved in the smart grid and thus moves closer to realization of the vision of the future power grid. Recognizing that a single, agreed information model (CIM) can avoid mappings and inconsistencies between standards and, beyond that, is open to and linked with other related TCs and industry consortiums will clearly influence the current picture of the SIA.
References
1. Deutsche Kommission Elektrotechnik (DKE). Die deutsche Normungsroadmap E-Energy/Smart Grid (2010). Frankfurt, Germany: VDE.
2. National Institute for Standards and Technology. NIST Framework and Roadmap for Smart Grid Interoperability Standards, release 1.0 (2010). http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf
3. Japan’s Roadmap to International Standardization for Smart Grid and Collaborations with Other Countries (2010).
4. State Grid China. SGCC Framework and Roadmap for Strong and Smart Grid Standards (2010).
5. S. Rohjans, M. Uslar, R. Bleiker, J. González, M. Specht, T. Suding, and T. Weidelt. Survey of smart grid standardization studies and recommendations. In First IEEE International Conference on Smart Grid Communications (2010), pp. 583–588.
6. M. Uslar, S. Rohjans, R. Bleiker, J. M. González, T. Suding, M. Specht, and T. Weidelt. Survey of smart grid standardization studies and recommendations—Part 2. In First IEEE International Conference on Smart Grid Communications (2010), pp. 1–6.
7. International Electrotechnical Commission (IEC). 60870-5-101 Ed. 2.0: Telecontrol Equipment and Systems—Part 5-101: Transmission Protocols—Companion Standard for Basic Telecontrol Tasks (2003). Geneva, Switzerland: IEC.
8. International Electrotechnical Commission (IEC). 61334-1-1 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 1: General Considerations—Section 1: Distribution Automation System Architecture (1995). Geneva, Switzerland: IEC.
9. International Electrotechnical Commission (IEC). 61400-25-1 Ed. 1.0: Wind Turbines—Part 25-1: Communications for Monitoring and Control of Wind Power Plants—Overall Description of Principles and Models (2006). Geneva, Switzerland: IEC.
10. International Electrotechnical Commission (IEC). 61850-1 Ed. 1.0: Communication Networks and Systems in Substations—Part 1: Introduction and Overview (2003). Geneva, Switzerland: IEC.
11. International Electrotechnical Commission (IEC). 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements (2007). Geneva, Switzerland: IEC.
12. International Electrotechnical Commission (IEC). 61970-1 Ed. 1: Energy Management System Application Program Interface (EMS-API)—Part 1: Guidelines and General Requirements (January 2005). Geneva, Switzerland: IEC.
13. International Electrotechnical Commission (IEC). 62056-21 Ed. 1.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 21: Direct Local Data Exchange (2002). Geneva, Switzerland: IEC.
14. International Electrotechnical Commission (IEC). 62325-101 DTR Ed. 1: Framework for Energy Market Communications Part 101: General Guidelines and Requirements (January 2004). Geneva, Switzerland: IEC.
15. International Electrotechnical Commission (IEC). 62351: Data and Communication Security (2006). Geneva, Switzerland: IEC.
16. International Electrotechnical Commission (IEC). IEC 62357 Second Edition: TC 57 Architecture—Part 1: Reference Architecture for TC 57—Draft (2009). Geneva, Switzerland: IEC.
17. International Electrotechnical Commission (IEC). 61970-2 Ed. 1: Energy Management System Application Program Interface (EMS-API)—Part 2: Glossary (January 2003). Geneva, Switzerland: IEC.
18. International Electrotechnical Commission (IEC). Webstore International Electrotechnical Commission (2011). http://webstore.iec.ch (accessed March 30, 2011).
19. Electric Power Research Institute (EPRI). An Introduction to the CIM for Integrating Distribution (2008). Palo Alto, CA: EPRI.
20. M. Uslar, S. Rohjans, M. Specht, and J. Gonzales. What is the CIM lacking? In First IEEE International Conference on Smart Grid Communications (2010), pp. 1–8.
21. International Electrotechnical Commission (IEC). 61970-452: Energy Management System Application Program Interface (EMS-API)—Part 452: CIM Transmission Network Model Exchange Profile (2009). Geneva, Switzerland: IEC.
22. International Electrotechnical Commission (IEC). 61968-13 Ed. 1: Application Integration at Electric Utilities—System Interfaces for Distribution Management—Part 13: CIM RDF Model Exchange Format for Distribution (2008). Geneva, Switzerland: IEC.
23. OFFIS, SCC Consulting, and M. Management Coaching. Untersuchung des Normungsumfeldes zum BMWi-Förderschwerpunkt ’E-Energy—IKT-basiertes Energiesystem der Zukunft’ (2009).
24. Open Management Group (OMG). MDA Guide Version 1.0.1 (2003).
25. International Electrotechnical Commission (IEC). 61968-1: Application Integration at Electric Utilities—System Interfaces for Distribution Management Part 1: Interface Architecture and General Requirements (Draft) (2010). Geneva, Switzerland: IEC.
26. International Electrotechnical Commission (IEC). 62056-46 Ed. 1.1 Consol. with am1: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 46: Data Link Layer Using HDLC Protocol (2007). Geneva, Switzerland: IEC.
27. International Electrotechnical Commission (IEC). 62056-53 Ed. 2.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 53: COSEM Application Layer (2006). Geneva, Switzerland: IEC.
28. International Electrotechnical Commission (IEC). 62056-42 Ed. 1.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 42: Physical Layer Services and Procedures for Connection-Oriented Asynchronous Data Exchange (2002). Geneva, Switzerland: IEC.
29. International Electrotechnical Commission (IEC). 62056-61 Ed. 2.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 61: Object Identification System (OBIS) (2006). Geneva, Switzerland: IEC.
30. International Electrotechnical Commission (IEC). 62056-62 Ed. 2.0: Electricity Metering—Data Exchange for Meter Reading, Tariff and Load Control—Part 62: Interface Classes (2006). Geneva, Switzerland: IEC.
31. International Electrotechnical Commission (IEC). 62051 Ed. 1.0: Electricity Metering—Glossary of Terms (1999). Geneva, Switzerland: IEC.
32. International Electrotechnical Commission (IEC). 61334-4-1 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 4: Data Communication Protocols—Section 1: Reference Model of the Communication System (1996). Geneva, Switzerland: IEC.
33. International Electrotechnical Commission (IEC). 61334-6 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 6: A-XDR Encoding Rule (2000). Geneva, Switzerland: IEC.
34. International Electrotechnical Commission (IEC). 61334-5-1 Ed. 2.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-1: Lower Layer Profiles—The Spread Frequency Shift Keying (S-FSK) Profile (2001). Geneva, Switzerland: IEC.
35. International Electrotechnical Commission (IEC). 61334-5-2 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-2: Lower Layer Profiles—Frequency Shift Keying (FSK) Profile (1998). Geneva, Switzerland: IEC.
36. International Electrotechnical Commission (IEC). 61334-5-3 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-3: Lower-Layer Profiles—Spread Spectrum Adaptive Wideband (SS-AW) Profile (2001). Geneva, Switzerland: IEC.
37. International Electrotechnical Commission (IEC). 61334-5-4 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-4: Lower Layer Profiles—Multi-carrier Modulation (MCM) Profile (2001). Geneva, Switzerland: IEC.
38. International Electrotechnical Commission (IEC). 61334-5-5 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 5-5: Lower Layer Profiles—Spread Spectrum—Fast Frequency Hopping (SS-FFH) Profile (2001). Geneva, Switzerland: IEC.
39. International Electrotechnical Commission (IEC). 61334-4-511 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 4-511: Data Communication Protocols—Systems Management—CIASE Protocol (2000). Geneva, Switzerland: IEC.
40. International Electrotechnical Commission (IEC). 61334-4-512 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 4-512: Data Communication Protocols—System Management Using Profile 61334-5-1—Management Information Base (MIB) (2001). Geneva, Switzerland: IEC.
41. International Electrotechnical Commission (IEC). 61334-3-21 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 3: Mains Signalling Requirements—Section 21: MV Phase-to-Phase Isolated Capacitive Coupling Device (1996). Geneva, Switzerland: IEC.
42. International Electrotechnical Commission (IEC). 61334-3-22 Ed. 1.0: Distribution Automation Using Distribution Line Carrier Systems—Part 3-22: Mains Signalling Requirements—MV Phase-to-Earth and Screen-to-Earth Intrusive Coupling Devices (2001). Geneva, Switzerland: IEC.
43. International Electrotechnical Commission (IEC). 60870-5-102 Ed. 1.0: Telecontrol Equipment and Systems—Part 5: Transmission Protocols—Section 102: Companion Standard for the Transmission of Integrated Totals in Electric Power Systems (1996). Geneva, Switzerland: IEC.
44. International Electrotechnical Commission (IEC). 60870-5-103 Ed. 1.0: Telecontrol Equipment and Systems—Part 5-103: Transmission Protocols—Companion Standard for the Informative Interface of Protection Equipment (1997). Geneva, Switzerland: IEC.
45. International Electrotechnical Commission (IEC). 60870-5-104 Ed. 2.0: Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles (2006). Geneva, Switzerland: IEC.
46. International Electrotechnical Commission (IEC). 61850-7-4 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 7-4: Basic Communication Structure—Compatible Logical Node Classes and Data Object Classes (2010). Geneva, Switzerland: IEC.
47. International Electrotechnical Commission (IEC). 61850-7-2 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 7-2: Basic Information and Communication Structure—Abstract Communication Service Interface (ACSI) (2010). Geneva, Switzerland: IEC.
48. International Electrotechnical Commission (IEC). 61850-6 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 6: Configuration Description Language for Communication in Electrical Substations Related to IEDs (2009). Geneva, Switzerland: IEC.
49. International Electrotechnical Commission (IEC). 61850-7-410 Ed. 1.0: Communication Networks and Systems for Power Utility Automation—Part 7-410: Hydroelectric Power Plants—Communication for Monitoring and Control (2007). Geneva, Switzerland: IEC.
50. International Electrotechnical Commission (IEC). 61850-7-420 Ed. 1.0: Communication Networks and Systems for Power Utility Automation—Part 7-420: Basic Communication Structure—Distributed Energy Resources Logical Nodes (2009). Geneva, Switzerland: IEC.
51. International Electrotechnical Commission (IEC). 61850-8-1 Ed. 1.0: Communication Networks and Systems in Substations—Part 8-1: Specific Communication Service Mapping (SCSM)—Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3 (2004). Geneva, Switzerland: IEC.
52. International Electrotechnical Commission (IEC). 61850-7-3 Ed. 2.0: Communication Networks and Systems for Power Utility Automation—Part 7-3: Basic Communication Structure—Common Data Classes (2010). Geneva, Switzerland: IEC.
53. International Electrotechnical Commission (IEC). 61850-7-1 Ed. 1.0: Communication Networks and Systems in Substations—Part 7-1: Basic Communication Structure for Substation and Feeder Equipment—Principles and Models (2003). Geneva, Switzerland: IEC.
54. International Electrotechnical Commission (IEC). 61400-25-2 Ed. 1.0: Wind Turbines—Part 25-2: Communications for Monitoring and Control of Wind Power Plants—Information Models (2006). Geneva, Switzerland: IEC.
55. International Electrotechnical Commission (IEC). 61400-25-4 Ed. 1.0: Wind Turbines—Part 25-4: Communications for Monitoring and Control of Wind Power Plants—Mapping to Communication Profile (2008). Geneva, Switzerland: IEC.
56. International Electrotechnical Commission (IEC). 61850-9-2 Ed. 1.0: Communication Networks and Systems in Substations—Part 9-2: Specific Communication Service Mapping (SCSM)—Sampled Values over ISO/IEC 8802-3 (2004). Geneva, Switzerland: IEC.
57. International Electrotechnical Commission (IEC). 60870-6-702 Ed. 1.0: Telecontrol Equipment and Systems—Part 6-702: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations—Functional Profile for Providing the TASE.2 Application Service in End Systems (1998). Geneva, Switzerland: IEC.
58. International Electrotechnical Commission (IEC). 60870-6-503 Ed. 2.0: Telecontrol Equipment and Systems—Part 6-503: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations—TASE.2 Services and Protocol (2002). Geneva, Switzerland: IEC.
59. International Electrotechnical Commission (IEC). 60870-6-802 Ed. 2.1 Consol. with am1: Telecontrol Equipment and Systems—Part 6-802: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations—TASE.2 Object Models (2005). Geneva, Switzerland: IEC.
60. International Electrotechnical Commission (IEC). 62351-3: Data and Communication Security Profiles Including TCP/IP (2005). Geneva, Switzerland: IEC.
61. International Electrotechnical Commission (IEC). 62351-7: Data and Communication Security Security through Network and System Management (2007). Geneva, Switzerland: IEC.
62. International Electrotechnical Commission (IEC). IEC 62351-5: Data and Communication Security Security for IEC 60870-5 and Derivatives (2007). Geneva, Switzerland: IEC.
63. International Electrotechnical Commission (IEC). IEC 62351-6: Data and Communication Security Security for IEC 61850 Profiles (2005). Geneva, Switzerland: IEC.
64. T. Gutzwiller. Das CC RIM-Referenzmodell für den Entwurf von betrieblichen, transaktionsorientierten Informationssystemen. PhD thesis, Hochschule St. Gallen für Wirtschafts-, Rechts- und Sozialwissenschaften, St. Gallen, Switzerland (1994).
2 Smart Grid and Cloud Computing
Minimizing Power Consumption and Utility Expenditure in Data Centers
Sumit Kumar Bose, Michael Salsburg, Scott Brock, and Ronald Skeoch
Contents
2.1 Introduction
2.2 Service-Level Agreements
2.3 Live Migration of a VM Image in Cloud Computing
2.3.1 Data Migration
2.3.2 Network Migration
2.4 Architecture
2.4.1 Application Manager
2.4.2 Site Broker
2.4.3 Hybrid Cloud Broker
2.5 Solutions
2.5.1 Application Manager
2.5.2 Site Broker
2.5.3 Hybrid Cloud Broker
2.6 Smart Meters and Smart Loads
2.6.1 The Data Center Smart Grid
2.6.2 Smart Appliances in the Data Center
2.7 Conclusions
References
Bibliography
Today’s “Internet-scale” systems may be made up of several hundred or thousand servers spread across many geographies. These systems consume several megawatts of electricity a day. It is important therefore to build systems that are optimized for power management. However, building such a system is a challenge as trade-offs between application performance and power consumption need to be considered. In this chapter, we discuss recent advancements in cloud computing and smart grid technologies to design a power management system that helps reduce the power expenditure incurred by a cloud provider without “overtly” sacrificing the performance of the applications hosted by it. In particular, this chapter discusses ways in which a cloud provider can respond to various dynamic pricing signals received by the smart meters installed at its facilities, called data centers, by autonomously moving “noncritical” applications to remote sites during peak electric grid load situations by leveraging techniques from cloud computing.
2.1 Introduction
Today’s “Internet-scale” systems are housed in geographically distributed server farms, typically known as data centers. These data centers may contain several hundred or thousand servers and are among the largest consumers of electricity. It is important in such scenarios to monitor not only the cost of managing the information technology (IT) infrastructure but also the cost of powering the IT infrastructure, also called the energy cost. It is estimated that the power expenditure is nearly one-fourth of the total operational cost of modern data centers. For example, the power consumption in data centers accounts for 1.2% of the overall electricity consumption in the United States and is projected to keep growing at 18% every year.1 In light of these growing statistics, it is important to profile and infer the power utilization characteristics of applications and execute them in an efficient manner. Numerous research works in the past have explored strategies for efficient execution of applications with the aim of minimizing power consumption.2–4
In the following paragraphs, we discuss ways to monitor and manage the power consumption of applications during peak power grid load-occurring situations. Monitoring and managing power consumption at peak power grid load-occurring situations is crucial as the electricity expenditure during a peak power grid load-occurring situation could be overwhelmingly large compared to the total electricity expenditure during nonpeak load situations. The reason behind this is partly due to temporal variation in electricity prices: The electricity price in peak power grid situations is high due to demand-supply mismatch and the high cost of generating electricity at high loads. Information about dynamic pricing is communicated by the power utilities distribution companies to their consumers using smart meters and advanced metering infrastructures called smart grids as part of demand response (DR) programs.
With the help of smart meters installed at different data centers of a cloud provider, the power distribution companies can remotely monitor the electricity consumption at these centers. These power distribution companies can then make use of these advanced metering systems, if required, to push appropriate DR signals to data centers when faced with power shortages. From the perspective of a cloud provider, the DR signals received by them provide the necessary pricing information and indicate the prices that the power distribution company will charge the cloud provider for consuming electricity during periods of peak power grid load. In addition, it may specify a penalty that the cloud provider will incur if it fails to fulfill its commitment of curtailing its electricity consumption during these periods. To reduce its electricity consumption during such situations, a cloud provider needs to identify a subset of applications that it can afford to operate at suboptimal performance levels for brief durations and another subset of applications that it can afford to migrate to remote cloud locations. In the following paragraphs, we discuss the recent advancements in virtual machine (VM) migration technologies within cloud computing5 and how these advancements can be leveraged to achieve this objective. This intelligent migration of VMs across different virtualized data centers in an autonomic manner helps to minimize power consumption during peak power grid load situations with minimal impact on application performance.
The chapter is organized as follows: Section 2.2 discusses the service-level agreements (SLAs) and the application assortment problem. Section 2.3 discusses the server virtualization and the cloud computing technology that enable seamless movement of applications from one data center to another. Section 2.4 outlines the detailed solution architecture and describes the interaction of the different solution components. Section 2.5 discusses the various components of the architecture at length and develops appropriate mathematical models for each of the components.
2.2 Service-Level Agreements
Before the service engagement between a cloud provider and a cloud consumer can begin, the two parties must mutually agree to the provisions of a legally enforceable service contract called the service-level agreement (SLA). This service contract is embodied in a document and formally defines the minimum performance criteria against which the service levels and hence the performance of a service provider will be compared. Further, the service contract lists the penalties for situations when the service provider fails to meet the obligations as committed by it prior to the initiation of the service engagement and when the performance falls below the promised standard. Broadly, an SLA can be of two types: infrastructure and application. Provisions within an infrastructure SLA are meant to indicate that the service parameters, such as the availability of the hardware and the networking switches, are the responsibility of the service provider. Provisions within an application SLA are meant to indicate that the service parameters, such as guaranteeing the response time and the throughput, are the responsibility of the service provider. Individual provisions of an SLA are known as service-level objectives (SLOs). The focus of this chapter is on application SLAs and their SLOs.
The service parameters, such as response time and throughput, are known as the performance metric. Typically, an application SLA specifies two quality indicators for any performance metric: average and threshold. If the performance metric under consideration is response time, then the threshold value indicates the maximum time that a service provider can take to service each individual user request. If the performance metric under consideration is throughput, then the threshold value indicates the minimum number of user requests that a service provider should be able to service within a given time window. Thus, the threshold value of a performance metric is the hard limit that, when breached, results in harmful consequences for both the cloud provider and the cloud consumer. The average value of a performance metric is an indicator of the desirable quality and level of service over relatively long periods of time. In subsequent discussions, we describe the analytic problem using response time as the key performance metric. The analysis can be extrapolated easily to other performance metrics.
Assume that the SLA for an application $i$ requires the average response time to be $R^{\text{avg}}$ and the threshold response time to be within $R^{\max}$. We assume that the total electric load that the data center needs to shed, as communicated by the smart meter, is $d > 0$. Let $P$ and $P'$ ($P' < P$) indicate the power consumption of an application at the workload $\lambda$ for achieving response times of $R^{\text{avg}}$ and $R^{\max}$ ($R^{\text{avg}} < R^{\max}$), respectively. Then, the objective is to exploit the difference in values of these two SLA parameters ($R^{\max} - R^{\text{avg}}$) for every application so that the total electricity consumption by the applications at the data center during peak electric grid load can be curtailed by $d$. That is, the shedding in electricity consumption by the applications should not overtly affect the performance of the application. Thus, the quality of service as agreed to by the cloud service providers for the applications in their respective application SLAs should remain acceptable despite the reduction in electricity drawn by the applications. Earlier researchers have explored power performance trade-offs and dynamic voltage and frequency scaling (DVFS) schemes for maintaining the response time at a desired level with varying workloads. Thus, for workloads $\lambda_1$ and $\lambda_2$ such that $\lambda_1 < \lambda_2$ and a processor operating at a fixed frequency $f$, the request response times will be $R_1$ and $R_2$, respectively, with $R_1 < R_2$. These works therefore lower the operating frequency of the processor to $f'$ ($f' < f$) such that $R_1 \approx R_2 \approx R^{\text{avg}}$. In contrast to these works, this chapter shows how to exploit the difference between $R^{\max}$ and $R^{\text{avg}}$ to identify applications that are best suited for migration to remote sites so that the power expenditure due to high electricity cost at peak power grid situations can be reduced. In the following paragraphs, whenever an application is allocated barely enough computing resources such that the response time of the requests is $R^{\max}$, the application is said to be operating at threshold SLA levels. However, when the application is allocated sufficient computing resources so that the response time of the requests is $R^{\text{avg}}$, the application is said to be operating at standard SLA levels.
A data center acts as a host to many different applications with varying input/output (I/O), central processing unit (CPU), and memory characteristics. In addition, each of these applications has a varying degree of tenacity to operate at threshold SLA levels during different times of the day. Thus, at time $t_1$ an application $i$ can operate at threshold SLA levels only for duration $\tau_{i1}$. At time $t_2$, the application can operate at threshold SLA levels for duration $\tau_{i2}$, $\tau_{i2} \neq \tau_{i1}$. Again, at time $t_2$ a different application $i'$ can operate at threshold SLA levels for duration $\tau'_{i2}$. The problem then is to identify the following for a data center experiencing peak electricity load:
1. A candidate set of applications that can operate at threshold SLA levels for a fraction of duration for which the electric grid is experiencing peak load.
2. A candidate set of applications that need to be moved to another cloud site that is not experiencing an adverse electric grid load situation.
A combination of items 1 and 2 should ensure that the total curtailment in electricity drawn by the applications hosted at the data center should be at least $d$. We call this the application assortment problem. However, moving an application at run time from one physical machine on which it is already executing to another physical machine is fraught with challenges that need to be resolved [6,7,8]. Encapsulating applications within VMs, and moving entire VMs from one physical machine to another physical machine has been proposed as a way out of these challenges. The following section discusses live migration of VMs in detail.
2.3 Live Migration of a VM Image in Cloud Computing
Migration of VM images between geographically dispersed nodes in the distributed data center or the cloud requires, at a high level, that two major considerations be addressed. The first consideration is the duplication or replication of the guest data, which include storage and memory resident data. The second consideration is the transition or redirection of network communications from one logical network to another, ensuring that traffic will continue to reach the VM at its new location.
2.3.1 Data Migration
Replication of data on disk can be implemented in a number of ways, but most methods intercept writes from a VM guest to its "disk(s)." The most common approach is to encapsulate this service within a driver and to place the driver in the I/O stack of the host server that contains the guest. Another approach, and perhaps best from a performance perspective, is to use a replication solution that is located outside the server infrastructure that resides in components such as the storage array or storage area network (SAN) switch.
In the I/O driver approach, this driver is located in the I/O stack, usually in the device stack (just above the multipathing driver if it is present), on the host server. The driver is capable of reading the header information of each I/O frame to determine which writes to ignore and which to replicate. The driver is configurable so that any number of local drives can be replicated.
When the replication function resides in other infrastructure components, the I/O driver functionality effectively resides in the operating system (OS) of that component (SAN-OS, switch OS) so the distinction between the approaches is really the difference in location of the driver.
If a write is made to a disk that is to be replicated, that write is copied, the original is passed to its intended target, and the copy is routed to be delivered eventually to the remote storage where the remote VM host server resides.
One of the practical considerations in minimizing the time that it takes to migrate a VM between locations is the question of the amount of data that remains to be transferred over the network connection at the point in time the migration process is initiated. This of course depends on how different, in terms of changes that have to be applied, the local and remote VM images are. Replication can be implemented as an on-demand service or as a background service. Replication on demand has the advantage of not impacting network resources until a migration is needed. However, when the migration process is initiated, replication starts only at that point in time, so there is likely a relatively large quantity of data that will need to be transferred, at least when compared to the alternative of background replication. With replication running as a background process, some network resources will be consumed during frequent regular intervals prior to receiving the migration command, but since the difference in local and remote images is likely to require fewer updates, the amount of data remaining to be transferred when the migration command occurs is significantly less. The background process will require a larger total amount of data to be transferred because incremental updates, as opposed to one single update, will have applied updates for some files multiple times. Thus, the choice is effectively a trade-off between a background process that prepositions as much data as possible to minimize the likely differences between local and remote images at the cost of some additional network loading or an on-demand process that most efficiently uses the network connection overall at the cost of a longer time interval to update the remote image.
However, regardless of the replication approach, there remains the task of replicating local resident data to the remote site. During a live migration of a VM guest, when the bulk of the disk data has been replicated and those data are nearly synchronous between the local and remote images, the local host begins to transfer data in local memory to the remote VM. At the end of this memory echo process, the source VM is paused, last-second disk updates are copied, and the final data resident in the local guest memory are copied to the remote site. It takes only a few tens of milliseconds to make the final transition from the source VM to the target VM instance. When the data transition is complete, restoration of network connectivity is required before the new VM image can resume its hosting function, completing the live migration process.
2.3.2 Network Migration
Once the remote VM image residing on the remote storage is completely duplicated by the replication process, network connectivity must be either redirected or reestablished to be accessible. At this point in the process, all of the network traffic is still being routed to the network where the "old" VM image is now paused. There are various means to restore network connectivity to the new VM image; two common approaches will suffice as examples of how this is accomplished.
One approach requires an Internet Protocol (IP) tunnel to be created from the old network address to the new guest. This IP tunnel is created just before the old VM is placed into its paused state. This tunnel allows network traffic inbound to the old address to reach the guest at its new location. As the new guest goes online, it will register its new address with the DNS (domain name system) server, and eventually when the DNS entries are updated any new client traffic will be able to connect with the guest directly. When connections over the IP tunnel are all closed, the tunnel will collapse. This mechanism allows migration of the guest from the old network to the new network without significant client disruption.
Another approach requires the creation of a Multi-Protocol Label Switching-Virtual Private Network (MPLS-VPN) mesh framework between the various sites. Once this framework is in place, all of the various sites exist as if they were all on a local network. Because the entire network environment is treated as a single entity, an Address Resolution Protocol (ARP) update to one switch makes the connections of the new VM available to the entire environment and accessible to any client. From a migration perspective, this means that as a guest comes online and receives a new IP address, this new address will be placed into the ARP tables, and immediately all traffic will be routed to this new location.
To accomplish the migration of VMs over geographic distances, it is necessary to have means to replicate a VM image and supporting volumes from the primary location to the secondary location and then to be able to restore network connectivity to the replicated image.
The choice of where to implement write splitting and the replication function depends primarily on whether the small additional processing and I/O load on the host is tolerable and does not significantly impact the host's performance. A host driver tends to be simpler to implement and less costly but does have a footprint on the host. SAN or switch-based implementations do not have an impact on the host but are typically more complex and costly.
Various methods are available to migrate network connectivity, but the methods used usually depend on selecting a method compatible with the existing infrastructure. The IP tunneling methods are simple but in some situations can cause delays for some clients until DNS caches are fully updated. The MPLS-VPN method is a more complex process but provides comparatively faster updates and improved performance.
2.4 Architecture
The solution architecture for the application assortment problem is shown in Figure 2.1. The architecture consists of three components: application manager, site broker, and hybrid cloud broker (HCB). The functionality of each of the three components is described next.
Figure 2.1 Architecture for managing application migration under performance constraints and in the presence of demand response signals. (Diagram: Cloud-1, Cloud-2, and Cloud-3, each with a site broker and application managers, connected to the hybrid cloud broker; inputs labeled DR, SLA, and workload.)
2.4.1 Application Manager
An application manager is responsible for managing an application locally at a cloud site and for trade-offs of the application's performance for savings in power consumption. Power performance trade-off possibilities include
1. Powering down a few servers and redistributing the excess workload, created as a consequence of shutting down these servers, onto the remaining servers [9,10] and
2. Operating each of the servers that host the application at a lower frequency and voltage using DVFS schemes [11].
Figure 2.2 shows the variation in power drawn, utilization, and response time as the operating frequency of the processor varies. The horizontal axis shows the processor frequency, from a maximum of 1.6 GHz to its minimal clock frequency of 0.6 GHz. As the frequency is reduced, the average service time per request increases. This causes an increase in the average processor utilization. High utilization then results in degraded average response time. The figure shows that, at the highest frequency of 1.6 GHz (and highest power consumption), the response time is approximately 25 ms. As the frequency of the processor is reduced to 0.8 GHz, the utilization doubles. The response time reaches its maximum acceptable level of 50 ms. This type of analysis allows us to examine the relationship of processor frequency to response time.
Figure 2.2 Relationship of response time, utilization, and power with operating frequency. (Plot: power, utilization, service time E[s], and response time against processor frequency from 0.6 to 1.6 GHz; R and Rmax are marked, with the change in power consumption and the change in response time annotated.)
Accordingly, the role of the application manager is to determine for each application the optimal number of physical machines or the optimal value of the operating frequency and voltage so that the power consumption can be reduced to maximal levels without compromising the application's performance as guaranteed in the SLA. This in turn requires an application manager to address the question: How much savings in power consumption can be expected by allowing the application's response time to temporarily degrade to $R^{\max}$? Another key issue that the application manager needs to resolve is to determine the time duration, as a fraction of the peak power grid load duration, for which threshold-level performance of the application is acceptable. The application manager communicates this information together with the power savings that it can achieve for the application that it manages to the site broker.
2.4.2 Site Broker
The site broker uses the information provided by the application managers and the DR signal available from the smart meter to sequence applications' execution for the duration in which the electric grid is experiencing peak load so that the total electricity consumed at a cloud site during this duration can be reduced to acceptable levels. In addition, the site broker is responsible for minimizing the number of applications that need to be moved to remote cloud sites to bring down the total electricity consumption to acceptable levels during such intervals. Moving applications to remote cloud sites should be the last priority and should be performed only when powering down servers and reducing the operating frequency of the servers does not solve the problem in its entirety.
2.4.3 Hybrid Cloud Broker
As discussed in the previous section, recent advancements in cloud computing make it possible to move "live" applications between physical servers located in different geographies [5]. The HCB leverages these new application mobility techniques to move applications identified by the site broker for migration to remote clouds. For each of these migrating applications, the HCB determines, from among the clouds managed by it, the cloud that is best suited as the new hosting environment. The HCB must take into consideration various constraints, such as the incompatibility constraints and the capacity constraints, while assigning an application to a particular cloud. The HCB initiates the migration of the applications identified by the site broker once suitable clouds that can host these applications have been identified.
2.5 Solutions
In the following sections, we formulate mathematical models and discuss solution procedures for the problems addressed by each of the three components discussed previously.
2.5.1 Application Manager
In this section, we establish a mathematical relationship between the response time of requests to the workload and the operating frequency of the processors. The derived system model assumes that an application $i$ is hosted in a clustered environment and consists of a set of front-end servers responsible for accepting requests and another set of back-end servers responsible for processing the accepted requests. This assumption is not prohibitive as the architecture discussed in the previous section is extensible, and system models for various other scenarios can be easily incorporated as part of the application manager. We further assume that each of the back-end servers supports DVFS such that the operating frequency of the processors can vary at discrete intervals. Assume that $f^{\max}$ is the maximum frequency at which the servers can operate. Let $\mu_j^{\max}$ be the service rate of the $j$th server when operating at $f^{\max}$. The service rate $\mu_j$ of the server when operating at frequency $f_j$ ($f_j < f^{\max}$) then becomes $\mu_j = (\mu_j^{\max} f_j)/f^{\max}$. If the servers are homogeneous, $\mu_j^{\max}$ is the same for all the servers and is denoted using $\mu^{\max}$. The power consumption by a back-end server $P_j$ can be modeled mathematically as $\alpha_j + \beta_j f_j^3$, where $\alpha_j$ and $\beta_j$ are standard parameters obtained from regression tests on empirically collected data. The application manager needs to determine the operating frequency $f_j$ of each server $j$ and the number of active servers so that the aggregate power consumption is minimized, and the response time guarantees associated with the application operating at threshold SLA levels are met. Thus,
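$$\min \sum_{j=1}^{N} X_j \left(\alpha_j + \beta_j f_j^3\right)$$

subject to:

$$\sum_{j=1}^{N} X_j \lambda_j = \lambda_i \tag{2.1}$$

$$R_j(\mu_j, \lambda_j) \le R^{\max} \tag{2.2}$$

According to the M/M/1 queuing model $R_j = 1/(\mu_j - \lambda_j)$. Substituting $\mu_j = (\mu_j^{\max} f_j)/f^{\max}$ and $R_j = R^{\max}$, we obtain

$$R^{\max} = \frac{1}{\left(\mu_j^{\max} f_j / f^{\max}\right) - \lambda_j}$$

and reorganizing $f_j = (f^{\max}/\mu_j^{\max})(\lambda_j + 1/R^{\max})$. On substituting the expression of $f_j$, the objective function becomes

$$\sum_{j=1}^{N} X_j \left(\alpha_j + \beta_j \left( \left(f^{\max}/\mu_j^{\max}\right)\left(\lambda_j + 1/R^{\max}\right) \right)^3 \right)$$

and is untenable for standard solvers. We therefore devise heuristic algorithms for solving the problem in a realistic time. Figure 2.3 shows the details of our algorithm.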
Let $\lambda_i$ represent the load experienced by the application and $\lambda_j$ represent the load handled by the server $j$. Further, assume $N$ is the total number of machines catering to the application load for ensuring a response time of $R^{\text{avg}}$. In other words, $N$ is the upper bound for the number of servers to be used for operating the application at threshold SLA levels. In reality, not all of these servers may be used when the application operates at threshold SLA levels. The algorithm rests on the observation that whenever the difference between the terms $\beta_j f_j^3$ and $\alpha_j$ is greater than $\alpha_j$, it is beneficial from the power consumption perspective to switch to a new machine (step 2). Thus, the frequency for a machine $j$ is governed by the relationship $\beta_j f_j^3 - \alpha_j \ge \alpha_j$. Rearranging the equation results in $f'_j = \sqrt[3]{2\alpha_j/\beta_j}$. Since the operating frequency of all machines is limited by $f^{\max}$, the frequency $f_j$ of machine $j$ is set as the minimum of $f^{\max}$ and $\sqrt[3]{2\alpha_j/\beta_j}$ (step 3). Rearranging $f_j = (f^{\max}/\mu_j^{\max})(\lambda_j + (1/R^{\max}))$ and setting $f_j$ as $\min(f^{\max}, \sqrt[3]{2\alpha_j/\beta_j})$, we obtain the amount of load handled by machine $j$ as $\lambda_j = (f_j \mu_j^{\max}/f^{\max}) - (1/R^{\max})$ (step 4). The amount of load handled by machine $j$ is then subtracted from the total remaining load $\lambda'_i$ still to be allocated. The remaining load $\lambda'_i$ needs to be assigned to the rest of servers $J = J - \{j\}$ (step 5). In case the entire load has been assigned ($\lambda'_i \le 0$), a machine that has not been allocated any load can be powered down (step 6). It is also possible that there is a fraction of the load that remains unassigned in spite of every machine receiving a portion of the load. In such cases, the unassigned load needs to be distributed among all the machines, and the operating frequency of the machines needs to be increased by $(f^{\max}/\mu^{\max})((\lambda'_i/N) + (1/R^{\max}))$ (step 7).

1. Initialize $\lambda'_i = \lambda_i$ and a list of machines, $J = \{j \mid j = 1, \ldots, N\}$.
2. Select a machine $j$ from the list $J$. Calculate $f'_j = \sqrt[3]{2\alpha_j/\beta_j}$.
3. Set the frequency $f_j$ of machine $j$ as $\min(f^{\max}, f'_j)$.
4. Calculate the number of requests handled by machine $j$ as $\lambda_j = \dfrac{f_j \, \mu_j^{\max}}{f^{\max}} - \dfrac{1}{R^{\max}}$.
5. Calculate $\lambda'_i = \lambda'_i - \lambda_j$. If $\lambda'_i > 0$, remove $j$ from the list of machines, that is, $J = J - \{j\}$. If $J$ is nonempty, go to step 2.
6. If $\lambda'_i \le 0$ and $J$ is nonempty, all machines $j$ in $J$ can be powered down.
7. If $\lambda'_i > 0$ and $J$ is empty, calculate $f' = \dfrac{f^{\max}}{\mu^{\max}} \left( \dfrac{\lambda'_i}{N} + \dfrac{1}{R^{\max}} \right)$.
8. The operating frequency for all the servers $j$ then becomes $f_j + f'$.

Figure 2.3 Outline of the provisioning algorithm for an application manager.
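The provisioning heuristic of Figure 2.3, written out as an added example that is not code from the chapter. The names `Server`, `provision`, `make_cluster`, and `total_power`, the server parameters, and the clamp of $f_j + f'$ to $f^{\max}$ in step 8 are assumptions of this example; only the 1.6 GHz maximum frequency and the 50 ms threshold are taken from the discussion of Figure 2.2.

```python
"""Provisioning heuristic of Figure 2.3 for one application (added example)."""
from dataclasses import dataclass
from typing import List

EPS = 1e-9     # tolerance for floating-point load comparisons
F_MAX = 1.6    # GHz, the maximum frequency discussed with Figure 2.2
R_MAX = 0.050  # s, the 50 ms threshold response time discussed with Figure 2.2


@dataclass
class Server:
    name: str
    alpha: float        # alpha_j: static power term (W), from regression
    beta: float         # beta_j: dynamic power coefficient (W/GHz^3)
    mu_max: float       # service rate at f_max (requests/s)
    freq: float = 0.0   # assigned f_j (GHz); 0.0 means powered down
    load: float = 0.0   # assigned lambda_j (requests/s)

    def power(self) -> float:
        """P_j = alpha_j + beta_j * f_j^3; assumes a powered-down server draws nothing."""
        return 0.0 if self.freq == 0.0 else self.alpha + self.beta * self.freq ** 3

    def response_time(self, f_max: float) -> float:
        """M/M/1: R_j = 1 / (mu_j - lambda_j) with mu_j = mu_max * f_j / f_max."""
        mu = self.mu_max * self.freq / f_max
        return float("inf") if mu <= self.load else 1.0 / (mu - self.load)


def provision(servers: List[Server], lam_i: float, f_max: float, r_max: float) -> bool:
    """Assign f_j and lambda_j in place; True if every active server meets R_max."""
    remaining = lam_i                                         # step 1
    for s in servers:
        s.freq, s.load = 0.0, 0.0
    for s in servers:                                         # step 2
        if remaining <= EPS:
            break                                             # step 6: the rest stay off
        f_break_even = (2.0 * s.alpha / s.beta) ** (1.0 / 3.0)
        s.freq = min(f_max, f_break_even)                     # step 3
        capacity = s.freq * s.mu_max / f_max - 1.0 / r_max    # step 4
        if capacity <= 0:
            raise ValueError(f"{s.name}: no load fits within R_max at {s.freq:.2f} GHz")
        s.load = min(capacity, remaining)
        remaining -= s.load                                   # step 5
    if remaining > EPS:                                       # step 7
        share = remaining / len(servers)
        for s in servers:
            f_extra = (f_max / s.mu_max) * (share + 1.0 / r_max)
            # Step 8 sets f_j + f'. Clamping to f_max is this example's
            # assumption; the figure does not cover the case f_j + f' > f_max.
            s.freq = min(f_max, s.freq + f_extra)
            s.load += share
    # Re-check the SLA with the M/M/1 model, since the clamp can leave a shortfall.
    return all(s.response_time(f_max) <= r_max + EPS for s in servers if s.freq > 0.0)


def make_cluster(n: int) -> List[Server]:
    """Constructed homogeneous servers: 43.2 W, 50 W/GHz^3, 160 requests/s at f_max."""
    return [Server(f"srv{k}", 43.2, 50.0, 160.0) for k in range(1, n + 1)]


def total_power(servers: List[Server]) -> float:
    return sum(s.power() for s in servers)


if __name__ == "__main__":
    for lam in (250.0, 460.0, 520.0, 600.0):   # constructed workloads, requests/s
        cluster = make_cluster(4)
        ok = provision(cluster, lam, F_MAX, R_MAX)
        print(f"lambda_i={lam:.0f} meets R_max={ok} power={total_power(cluster):.1f} W")
        for s in cluster:
            print(f"  {s.name}: f={s.freq:.2f} GHz load={s.load:.1f} req/s")
```

With the constructed parameters the break-even frequency is 1.2 GHz, so a light load leaves the fourth server off, while a load of 600 requests/s cannot meet $R^{\max}$ even at $f^{\max}$.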
Next, we discuss the duration $\tau_i$ for which an application can afford to operate at threshold SLA levels. Assume $T$ is the duration for which a peak electric grid load situation exists. Further, let us denote the period immediately following $T$ by $T'$. Since an application needs to maintain an average response time of $R^{\text{avg}}$ over $T + T'$, the following equation must hold true:

$$\frac{(\lambda_i \tau_i) R^{\max} + (\lambda_i (T - \tau_i)) R^{\text{avg}} + (\hat{\lambda}_i T') R'}{(\lambda_i T) + (\hat{\lambda}_i T')} = R^{\text{avg}},$$

where $\lambda_i$ is the load during the period $T$ ($T$ is also the period when a peak power grid load situation occurs), and $\hat{\lambda}_i$ is the forecasted load for the time period $T'$ immediately following $T$. Our objective is to determine $\tau_i$. However, the equation has an additional unknown variable $R'$. To determine $R'$, we note that a large value of $\tau_i$ ($\tau_i < T$) is desirable even though $\tau_i$ need not exactly be equal to $T$. During $T'$, the aim is to compensate the deviation from $R^{\text{avg}}$ to $R^{\max}$, during $T$, by operating the application at maximum frequencies so that the response times are minimized. Thus, $R'$ can be approximated as

$$\frac{1}{\mu^{\max} - \dfrac{\lambda_i}{N}}.$$

Substituting the value of $R'$ in the previous equation results in

$$\tau_i = \frac{R^{\text{avg}} \left(\lambda_i T + \hat{\lambda}_i T'\right) - \hat{\lambda}_i T' \, \dfrac{1}{\mu^{\max} - \lambda_i/N} - \lambda_i T R^{\text{avg}}}{\lambda_i \left(R^{\max} - R^{\text{avg}}\right)}$$
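A simplification of the $\tau_i$ expression above, added here as a worked step and not part of the original text: the two $\lambda_i T R^{\text{avg}}$ terms in the numerator cancel, leaving

$$\tau_i = \frac{\hat{\lambda}_i T' \left(R^{\text{avg}} - R'\right)}{\lambda_i \left(R^{\max} - R^{\text{avg}}\right)}, \qquad R' \approx \frac{1}{\mu^{\max} - \lambda_i/N}.$$

The result does not depend on $T$, so the condition $\tau_i < T$ has to be checked separately, and $\tau_i$ is positive only when $R' < R^{\text{avg}}$.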
2.5.2 Site Broker
In this section, we describe the resource management problem addressed by the site broker. The complexity of the problem can be observed from the example shown in Figure 2.4. Assume there are four applications, $i = 1, 2, 3, 4$, with power requirements 0.5, 0.3, 0.5, and 0.4, respectively, for operating at standard SLA levels. Further assume that the duration for which the peak power grid situation exists, $T$, is 3 units. Application 1 can afford to operate at threshold SLA performance levels for 1 time unit, and the power that it consumes is 0.2 units. Similarly, application 2 can operate at threshold levels for 2 time units and consumes 0.2 power units. Finally, applications 3 and 4 can operate at threshold SLA levels for 2 time units each and consume 0.3 and 0.35 power units, respectively. If the power budget is for 1 unit, it can be verified that the optimal solution is to move application 4 to a different cloud site. The sequencing of the remaining applications and their associated power consumption details are shown in Figure 2.4. All other configurations are suboptimal. Figure 2.5 shows one such suboptimal scheduling of applications.
Thus, let:
$P_i$: Power consumed by application $i$ if operating at reduced performance levels during peak power-grid load
$P_i'$: Power consumed by application $i$ if operating at normal performance levels.
Figure 2.4 The optimal solution to the resource allocation problem addressed by the site broker. (Diagram: power blocks $E_1$, $E_2$, and $E_3$ stacked in time slots $t_1$ to $t_3$ across the peak period $T$, under the line $E_{\text{budget}}$.)
$P_{\text{budget}}$: Average power budget during peak load
$\tau_i$: Acceptable duration for executing application $i$ at reduced performance levels during peak power-grid load
$X_i$: 1 if application $i$ is migrated; 0 otherwise
$Y_{it}$: 1 if application $i$ is executing at reduced performance level at time slot $t$; 0 otherwise
$T$: Time duration for which peak power-grid load situation exists.
We divide $T$ into $N$ slots of duration $\delta$ each, $N = \lceil T/\delta \rceil$. We use the identifier $t$ for these time slots. Then, $n_i = \lceil \tau_i/\delta \rceil$. Further, assume that $E_i$ is the power consumed by an application $i$ in one time slot, and $E_{\text{budget}}$ is the average power consumed by all applications in one time slot. Then, $E_i = P_i/n_i$, $E_i' = P_i'/(N - n_i)$, and $E_{\text{budget}} = P_{\text{budget}}/N$. Mathematically, the problem that the site broker addresses can be formulated as

$$\min \sum_i X_i$$

subject to:

$$\sum_{t=1}^{N} Y_{it} = n_i (1 - X_i) \quad \forall i$$

$$Y_{it} \le (1 - X_i) \quad \forall i, t$$

$$\sum_i E_i Y_{it} + \sum_i E_i' (1 - Y_{it}) \le E_{\text{budget}} \quad \forall t$$

Figure 2.5 A suboptimal solution to the resource allocation problem addressed by the site broker. (Diagram: power blocks $E_1$, $E_2$, and $E_3$ stacked in time slots $t_1$ to $t_3$ across the peak period $T$, against the line $E_{\text{budget}}$.)

The computational time to determine an optimal solution to this problem increases exponentially with the problem size as the problem is nondeterministic polynomial (NP) hard. We therefore propose heuristics that can provide a sufficiently good solution in a reasonable time. We sort the applications in the decreasing order of $((E_i' - E_i) n_i)/(E_i' (N - n_i))$. The numerator indicates the total power savings generated by an application $i$ when the power grid experiences peak load. This savings in power is due to the application operating at threshold SLA levels for a fraction of time within the period $T$ and is an indicator of the benefits for retaining application $i$ for execution on the current cloud site. The denominator indicates the nominal power consumed by an application during time period $T$ when operating under standard SLA levels and is an indicator of the cost for retaining application $i$ for execution in the current cloud site. Applications that do not meet a certain user-defined threshold are candidates for migration to remote cloud sites. We represent the set of applications that are retained using the notation $I'$. We propose a sequencing heuristic for applications that have been retained for identifying the time instances within the period $T$ when an application should operate at threshold SLA levels. Assume the power consumption of each application $i$ is represented using blocks of two sizes: $i_1$ and $i_2$. A block with size $i_1$ represents the application operating under standard SLA conditions. The block with size $i_2$ represents the application operating under threshold SLA conditions. The heuristic is motivated by our observation that since $i_1' > i_2'$ and $i_1 > i_2$, blocks with size $i_1'$ are scheduled for execution together with blocks with size $i_2$, and blocks with size $i_1$ are scheduled for execution together with blocks with size $i_2'$. In addition, there could be blocks of size $i_1'$ that need to be combined with blocks of size $i_1$. This results in three blocks of sizes $i_1' + i_2$, $i_1 + i_2'$, and $i_1' + i_1$ (or $i_2' + i_2$). Thus, at iteration $l$ there would be $l + 1$ blocks of different sizes. If the size of any of the blocks exceeds the budget $E_{\text{budget}}$, the algorithm terminates. All remaining applications are considered candidates for cloud migration. It is to be noted that the heuristic selects applications in the decreasing order of $((E_i' - E_i) n_i)/(E_i' (N - n_i))$ for maximizing packing efficiency.
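An exhaustive check of the four-application example against the site broker formulation, together with the sorting ratio of the heuristic, as an added example that is not code from the chapter. It assumes the example's power figures are per-slot draws ($E_i'$ and $E_i$) with $\delta = 1$ so that $N = 3$, and that a migrated application draws nothing at the local site; the names `App`, `find_schedule`, `min_migrations`, `retention_score`, and `rank_for_retention` are hypothetical.

```python
"""Exhaustive check of the site broker's four-application example (added example)."""
from dataclasses import dataclass
from fractions import Fraction
from itertools import combinations, product


@dataclass(frozen=True)
class App:
    name: str
    e_std: int   # E_i': per-slot power at standard SLA levels (hundredths of a unit)
    e_thr: int   # E_i: per-slot power at threshold SLA levels (hundredths of a unit)
    n_thr: int   # n_i: slots the application spends at threshold SLA levels


# Values from the chapter's example; integers avoid floating-point budget errors.
N_SLOTS = 3      # T = 3 time units, assumed delta = 1
BUDGET = 100     # power budget of 1 unit per slot
APPS = [App("app1", 50, 20, 1), App("app2", 30, 20, 2),
        App("app3", 50, 30, 2), App("app4", 40, 35, 2)]


def find_schedule(apps, n_slots, budget):
    """Return {name: threshold slots} with sum_t Y_it = n_i and every slot
    within budget, or None when no such schedule exists."""
    options = [list(combinations(range(n_slots), a.n_thr)) for a in apps]
    for pick in product(*options):
        if all(sum(a.e_thr if t in slots else a.e_std
                   for a, slots in zip(apps, pick)) <= budget
               for t in range(n_slots)):
            return {a.name: slots for a, slots in zip(apps, pick)}
    return None


def min_migrations(apps, n_slots, budget):
    """All smallest migration sets (objective min sum X_i) that leave the
    retained applications schedulable, each with one feasible schedule."""
    for k in range(len(apps) + 1):
        found = []
        for migrated in combinations(apps, k):
            kept = [a for a in apps if a not in migrated]
            schedule = find_schedule(kept, n_slots, budget)
            if schedule is not None:
                found.append((tuple(a.name for a in migrated), schedule))
        if found:
            return found
    return []


def retention_score(app, n_slots):
    """(E_i' - E_i) * n_i / (E_i' * (N - n_i)); infinite when n_i = N, where
    the ratio is undefined and the application never runs at standard levels."""
    if app.n_thr == n_slots:
        return float("inf")
    return Fraction((app.e_std - app.e_thr) * app.n_thr,
                    app.e_std * (n_slots - app.n_thr))


def rank_for_retention(apps, n_slots):
    """Applications in decreasing order of the heuristic's ratio."""
    return sorted(apps, key=lambda a: retention_score(a, n_slots), reverse=True)


if __name__ == "__main__":
    for migrated, schedule in min_migrations(APPS, N_SLOTS, BUDGET):
        print("migrate:", migrated, "threshold slots:", schedule)
    for a in rank_for_retention(APPS, N_SLOTS):
        print(a.name, retention_score(a, N_SLOTS))
```

Under these assumptions the search confirms that migrating application 4 is the only single-application move that fits the budget, and application 4 also has the lowest ratio in the heuristic's ordering.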
2.5.3 Hybrid Cloud Broker
The site broker communicates the details of the applications that need to be migrated to remote cloud sites to the HCB. It is assumed that each migrating application has at least one alternate cloud where it can be hosted. If there are multiple remote clouds that can host a migrating application, the criterion used by the HCB to select a particular cloud for hosting is that the degradation in the performance metric as a result of rehosting should be minimal. Let $D_i$ be the amount of data associated with an application $i$ that needs to be moved and $V_{kk'}$ be the network traffic between clouds $k$ and $k'$. Let $\bar{k} = \arg\min_{k'} (D_i/V_{kk'})$. It is then decided to move application $i$ to cloud $\bar{k}$ from its current hosting cloud $k$. The HCB then initiates contact with the site broker of the remote cloud site. The site broker communicates resource allocation details to the provisioning manager, which then provisions sufficient computing resources on the physical machines identified by the site broker. The HCB can then initiate the actual physical movement of the application to the machine identified by the site broker previously. Figure 2.6 shows that the total energy consumption by applications executing at cloud A during the peak electric grid load period is high (indicated by the bottom dot in cloud A). When a DR signal is received by the smart meter installed at cloud A, the site broker at cloud A identifies a set of applications for which the operating frequency can be lowered for a fraction of the peak duration and another set of applications requiring migration to cloud B as shown in Figure 2.7. Figure 2.7 shows the reduction in energy consumption at cloud A after a set of applications is migrated from cloud A (three dots) to cloud B (indicated by the top two dots). The HCB is responsible for orchestrating all intercloud movements of the VMs.
2.6 Smart Meters and Smart Loads
The term smart grid is used in varied contexts: for some, the smart grid means a superhighway for large-capacity transmission over significant geographic distances; for others, it is a system that can integrate small-scale renewable generation sources; still others see it as a widely available source network for charging electric cars. Perhaps it will turn out to be some or all of these things when fully evolved. In the context of the data center or cloud, we can shed much of this ambiguity and need only consider specifically the functionality required to enable the capability to monitor real-time power consumption and costs.
Figure 2.6 Scenario before application migration when a demand response signal is received by a smart meter at cloud A. AM = application manager; SB = site broker. (Diagram: the HCB above cloud A and cloud B, each with a site broker and application managers and a plot of energy consumption against response time (R) and workload frequency (f), with $f'$, $f$, $R^{\text{avg}}$, and $R^{\max}$ marked.)
Figure 2.7 Scenario after application migration after a demand response signal is received by a smart meter at cloud A. (Diagram: same layout as Figure 2.6.)
2.6.1 The Data Center Smart Grid
We are interested in determining the real-time marginal cost of power for an incremental load. The two key parameters we require the smart grid or smart meter to provide information about are the real (or near-real-time) power load for the data center, typically measured in kilowatts, and current price, usually quoted per kilowatt-hour. So, in this respect, the requirements for calculating marginal power costs of the data center in which one or more clouds reside are rather modest. Existing data center sites do not have smart meters capable of providing the data we need. Currently, these sites have a standard power meter that is based on electromechanical induction and needs to be read at the end of a billing cycle by the electric utility. Some utilities are using newer meters that allow these data to be collected remotely, but many facilities pre-date this effort. Electricity meters continuously measure the instantaneous voltage (volts) and current (amperes) and find the product of these to give instantaneous electrical power (watts). Watts are then integrated over time to give energy used (joules, kilowatt-hours, etc.).
The cost of a kilowatt-hour of electricity is variable depending on many factors; typically, these specific data are not provided by existing meters. In fact, a utility does not typically even calculate this cost until the end of a billing cycle. Most utilities determine the cost for electricity on a tiered rate structure. This results in a cost model that has discontinuous step function increases in cost. A baseline number of kilowatt-hours is provided at a certain price; when cumulative use for a billing interval exceeds this baseline amount, the consumer is then charged at an increased price for the next tier for another fixed amount of kilowatt-hours, and so on. While the cost of electricity is variable and is not typically provided by the utility anywhere close to real time, we need only note that it is readily calculable based only on knowledge of the start of the billing cycle, the tier rates, the tier amounts, and total metered usage to a point in time.
While we lack the smart grid of the future that includes smart meters that provide real-time price signals and current electricity usage, this functionality can be implemented in a data center with relative ease and at a moderate cost. What is required is metering independent of the utility. This could be implemented with any number of digital power meters available on the market. This meter must provide remote monitoring so that the data can be polled in real or near-real time by a computer system. We envision that these data would be available to the smart meter (SM) via polling. This independent power meter need not necessarily be shunt based and thus required to be in line with the existing utility meter; there are types of meters that measure the power usage by inductive magnets that need only encircle the existing physical wires that deliver the main power, minimizing installation costs. The other requirement is that the SM be able to poll the meter via a communication protocol that is a common feature of existing digital power meters. The SM will know at any point in time the billing period and the cumulative power consumption and thus be able to accurately estimate the cost of electricity at that point in time.
The cost of continuing operation of a load in the data center or of shedding that load is then easily calculated and provides the cost input that the SM together with the HCB uses to make the decision to move local loads to remote sites.
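The calculation described in this section, as an added example that is not code from the chapter: polled meter readings are integrated into cumulative kilowatt-hours since the start of the billing cycle, and a tiered tariff then gives the cost of keeping an incremental load running. The tariff, the meter samples, and the function names are constructed for illustration.

```python
"""Marginal electricity cost from polled meter readings and a tiered tariff (added example)."""
from typing import List, Optional, Sequence, Tuple

# (tier size in kWh, price per kWh); None marks the open-ended last tier.
Tier = Tuple[Optional[float], float]

# Constructed tariff, not taken from any utility.
TARIFF: List[Tier] = [(1000.0, 0.10), (2000.0, 0.15), (None, 0.25)]

# Constructed meter polls: (hours since billing-cycle start, kW).
METER_SAMPLES = [(0.0, 480.0), (2.0, 520.0), (5.0, 520.0), (5.5, 520.0)]


def energy_kwh(samples: Sequence[Tuple[float, float]]) -> float:
    """Integrate polled power readings over time with the trapezoid rule."""
    if any(t1 <= t0 for (t0, _), (t1, _) in zip(samples, samples[1:])):
        raise ValueError("meter samples must be in strictly increasing time order")
    return sum((t1 - t0) * (p0 + p1) / 2.0
               for (t0, p0), (t1, p1) in zip(samples, samples[1:]))


def cumulative_cost(kwh: float, tariff: Sequence[Tier]) -> float:
    """Cost of the first `kwh` kilowatt-hours of the billing cycle."""
    if kwh < 0:
        raise ValueError("usage cannot be negative")
    cost, left = 0.0, kwh
    for size, price in tariff:
        used = left if size is None else min(left, size)
        cost += used * price
        left -= used
        if left <= 0:
            return cost
    raise ValueError("usage exceeds the bounded tiers; add an open-ended last tier")


def marginal_cost(used_kwh: float, load_kw: float, hours: float,
                  tariff: Sequence[Tier]) -> float:
    """Cost of running an extra load_kw for `hours`, given usage so far this cycle.
    The step in the tariff shows up when the increment straddles a tier boundary."""
    return (cumulative_cost(used_kwh + load_kw * hours, tariff)
            - cumulative_cost(used_kwh, tariff))


if __name__ == "__main__":
    used = energy_kwh(METER_SAMPLES)
    print(f"usage so far: {used:.0f} kWh, billed {cumulative_cost(used, TARIFF):.2f}")
    # The same 200 kW load for one hour costs more near the tier boundary.
    print(f"200 kW for 1 h now:       {marginal_cost(used, 200.0, 1.0, TARIFF):.2f}")
    print(f"200 kW for 1 h at 500 kWh: {marginal_cost(500.0, 200.0, 1.0, TARIFF):.2f}")
```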
2.6.2 Smart Appliances in the Data Center
We should recognize that moving a VM from a local physical machine to a remote physical machine does result in a shedding of some load; however, the local physical machine that is still powered on can be seen to be consuming electricity nonproductively. Simply put, the maximum load is shed when the physical machine not hosting any VMs is powered off. In fact, the economic premise underpinning the smart grid is that a real-time price signal, assuming resource consumers are economically rational, will necessarily result in more efficient use. A tacit assumption here is that consumers are able to respond to the price signal. It is from this premise and assumption that smart grid proponents argue that the market will self-evidently provide smart appliances that enable load shedding by time-of-day delay of operation or power-saving mode settings.
With respect to the data center, the immense existing capital equipment will not be replaced with next year’s smart-grid-friendly models as a matter of course. So, we will have to deal with existing infrastructures. However, existing servers typically do have power-saving modes that can be invoked via network-initiated commands. When hibernating or in power-saving modes, typically servers can be configured to respond to wake-on-LAN (WOL) signals. When VMs and their loads are shed from physical machines, when possible the SM should initiate the power-saving modes to maximize the load that is shed. In this case, the load shed is the difference between the power load for the physical machine when the VMs are hosted and when the physical machine is in power hibernation mode.
It is possible to completely maximize the load shed by powering off the physical machine. While this command can be initiated with commands sent via a network connection to the physical machine, the main problem here is that typically in the off state a machine cannot be powered on remotely and usually requires manually pressing the power on button. One approach to resolve this issue is, in effect, to retrofit an existing server, equipment cabinet, or particular circuit. In such an implementation, one need only build a black box device that is in series to the power provided to the equipment under consideration. The minimal functionality of this black box provides mechanical or solid-state relay control of the input power source. If the on/off state of this relay can be controlled via network or other protocols, then the SM can power down the physical machine on commands. Existing servers can be easily configured to boot on the application or restoration of input power.
Existing network-controlled power busses and even commercial power meters provide exactly this functionality. Such devices can easily be placed in series with existing power inputs for the physical machine, equipment cabinet, or power circuit. The advantage of using a power meter with this relay functionality is that these meters typically have network-enabled communications. Thus, they also provide power consumption telemetry at this granular level and enable the HCB to exactly quantify how much load will be shed since the load when VMs are hosted can be measured; with this method, they know that the complete load will be shed when the system is powered down. This would be an SM-initiated network safe shutdown command to the host prior to an SM-initiated power down of the power source. Likewise, the SM can initiate the power on of a physical server by restoring the power source to the equipment it is controlling with this networked controlled relay.
So, while the smart grid and smart appliances may soon be realized in the not-too-distant future, the functionality we need the smart grid to provide the SM and the HCB is the ability to move resources and then completely shed the load associated with the physical machines that no longer host these resources by implementing existing off-the-shelf devices. It reduces to a simple cost-benefit analysis to justify the associated capital expenditures. The costs include the hardware to independently meter the site power source to determine current power costs that can be polled by the SM and HCB. Minimally, the SM and the HCB must be able to communicate with the physical servers that host the VMs to provide commands to invoke power-saving modes. In addition, hardware may be cost-benefit justified to provide the network controlled relay for input power at a server, cabinet, or circuit granularity. The communication protocol between the SM and the HCB and this hardware can be TCP/IP based, infrared (IR), radio frequency (RF), or perhaps even use the existing power line infrastructure using ZigBee or similar protocols.
2.7 Conclusions
The chapter described ways to reduce electricity usage within data centers during peak power grid load situations by identifying suitable applications whose performance can be traded off for short durations for savings in electricity consumption. Reducing electricity consumption during peak power grid loads is important for data centers as a significant portion of the electricity cost incurred by data centers could be due to the electricity consumed during peak power grid load-occurring situations. The chapter described a solution architecture and discussed analytical formulations together with heuristic schemes for minimizing the electricity consumed during peak power grid situations. The approach leverages recent technical developments in cloud computing that make it possible to move live applications across the wide-area network.
3 Distributed Opportunistic Scheduling for Building Load Control
Peizhong Yi, Xihua Dong, Abiodun Iwayemi, and Chi Zhou
The smart grid adds intelligence and bidirectional communication capabilities to today’s power grid, enabling utilities to provide real-time pricing (RTP) information to their customers via smart meters. This facilitates customers’ participation in demand response programs to reduce peak electricity demand. In this chapter, we provide a novel distributed opportunistic scheduling scheme based on an optimal stopping rule that aims to minimize the expenditure of electricity while satisfying customers’ time requirements. The proposed scheduling scheme can be implemented in either centralized or distributed mode; constraint of a power line’s total power consumption is also considered in the system model. Simulation results show it can dramatically reduce the electricity bill and minimize peak loads.
Contents
3.1 Introduction
3.2 Demand Response
    3.2.1 Power Pricing
    3.2.2 Demand Response
    3.2.3 DR Benefits
    3.2.4 DR Guidelines
3.3 Optimal Stopping Rule
3.4 Problem Formulation
3.5 Simulation and Result
3.6 Discussion
    3.6.1 Modeling of Price Signals
        3.6.1.1 Random Modeling of Price Signals
        3.6.1.2 Usage-Dependent Electricity Price
    3.6.2 Fairness
3.7 Conclusion
Acknowledgment
References
3.1 Introduction
The smart grid is an intelligent power generation, distribution, and control system equipped with two-way communication. It facilitates many services, including integration of renewable energy sources, real-time pricing (RTP) to consumers, demand response (DR) programs involving residential and commercial customers, and rapid outage detection.
According to a report from the U.S. Department of Energy (DOE), buildings consume 72% of all electrical energy.[1] Therefore, the ability of a building automation system (BAS) to communicate and coordinate with the power grid has tremendous potential to reduce the peak in response to pricing and demand reduction signals by utilizing smart meters located within customer sites. These devices provide customers and utilities real-time power consumption data and RTP information. The automation system facilitates this information for monitoring and controlling building loads and home appliances by an intelligent energy management algorithm.
The DR algorithm plays a key role in saving energy by the process of collecting, monitoring, controlling, and conserving energy in a building. It enables people to reduce costs, carbon emissions, and risk of increased price or supply shortages. Typically, this involves four steps: (1) metering and collection of the data of energy consumption and real-time price; (2) finding appliance shift opportunities and estimating energy saving; (3) monitoring the appliance to target the opportunities to save energy; and (4) tracking the progress by analyzing your meter data to see an effect. From this, we can see that information is the most important factor for estimation and planning. However, the day-ahead price cannot always match the real-time price due to some factors, such as those shown in Figure 3.1 (the data were collected July 11 to 15, 2011).
The weather can have a big impact on the wholesale real-time price of electricity, particularly during the summer and winter. There also can be unexpected and brief price spikes if multiple power plants have technical or mechanical problems at the same time or if there are problems in parts of the regional transmission network used to transport electricity from the power plant to the distribution system.
In this chapter, we adopt a novel distributed opportunistic scheduling scheme based on the optimal stopping rule. The objective is to minimize the energy consumption at the peak time while satisfying the power and timing requirements of each utility. In comparison with a traditional centralized scheduling scheme, devices can adjust their service time and mode adaptively according to the real-time price without complicated computation. We show that the optimal scheduling scheme is a pure threshold policy; that is, each utility can be turned on when the electricity price is lower than a threshold value.
3.2 Demand Response
3.2.1 Power Pricing
Currently, the majority of residential customers are charged flat or two-tiered (peak and off-peak) electricity rates based on average electricity generation costs. The implication is that retail prices do not accurately reflect the actual cost of generating electricity at any given time. This results in inefficient investment in generation and transmission capacity and higher retail prices.[2] Due to the deficiencies of this scheme, a variety of pricing schemes has been introduced to more accurately pass on the true cost of electricity to retail customers. They include RTP, time-of-use (TOU) pricing, day-ahead pricing (DAP), and critical peak pricing (CPP). An explanation of the pricing terms and various DR schemes is provided in Table 3.1.
[Figure 3.1 Day-ahead price versus real-time (Ameren Energy Illinois: July 11, 2011 to July 15, 2011). Axes: Time (Hrs) versus Price ($); series: day-ahead price, real-time price.]
3.2.2 Demand Response
Demand response is defined as “changes in electric usage by end-use customers from their normal consumption patterns in response to changes in the price of electricity over time, or to incentive payments designed to induce lower electricity use at times of high wholesale market prices or when system reliability is jeopardized.”[2] DR programs fall into two categories: price-based and incentive DR programs.
Table 3.1 DR Modes (Ameren Energy Illinois: January 17–21, 2011)
PRICE-BASED OPTIONS
Time of use (TOU): A rate with different unit prices for usage during different blocks of time, usually defined for a 24-h day. TOU rates reflect the average cost of generating and delivering power during those time periods.
Real-time pricing (RTP): A rate in which the price for electricity typically fluctuates hourly, reflecting changes in the wholesale price of electricity. Customers are typically notified of RTP prices on a day-ahead or hour-ahead basis.
Critical peak pricing (CPP): CPP rates are a hybrid of the TOU and RTP designs. The basic rate structure is TOU. However, provision is made for replacing the normal peak price with a much higher CPP event price under specified trigger conditions (e.g., when system reliability is compromised or supply prices are very high).
INCENTIVE-BASED PROGRAMS
Direct load control: A program by which the program operator remotely shuts down or cycles a customer’s electrical equipment (e.g., air conditioner, water heater) on short notice. Direct load control programs are primarily offered to residential or small commercial customers.
Interruptible/curtailable (I/C) service: Curtailment options integrated into retail tariffs that provide a rate discount or bill credit for agreeing to reduce load during system contingencies. Penalties may be assessed for failure to curtail. Interruptible programs have traditionally been offered only to the largest industrial (or commercial) customers.
Demand bidding/buyback programs: Customers offer bids to curtail based on wholesale electricity market prices or an equivalent. Mainly offered to large customers (e.g., those using 1 MW and more).
Emergency demand response programs: Programs that provide incentive payments to customers for load reductions during periods when reserve shortfalls arise.
Capacity market programs: Customers offer load curtailments as system capacity to replace conventional generation or delivery resources. Customers typically receive day-of notice of events. Incentives usually consist of up-front reservation payments, and face penalties for failure to curtail when called on to do so.
Source: Office of Electricity Delivery and Energy Reliability, “Benefits of Demand Response in Electricity Markets and Recommendations for Achieving Them,” U.S. Department of Energy, 2006.
Price-based DR methods include RTP, TOU, and CPP schemes. The retail price of electricity varies on an hourly basis to reflect real-time wholesale electricity costs, and residential customers save money by either reducing their energy consumption during peak periods or shifting it to off-peak periods. This DR scheme requires the availability of smart meters and an advanced metering infrastructure (AMI) to facilitate the communication of RTP to customers.
Incentive-based DR schemes pay customers to reduce their electricity consumption when the price of electricity is high or when the stability of the power grid is under threat due to excessive demand. These schemes typically involve the installation of a switch that enables the utility to cycle residential air conditioners or water heaters when prices (or system loads) are high. This scheme is also termed direct load control.
3.2.3 DR Benefits
DR adoption promises benefits in several areas, including lower retail prices due to reduction in the need for expensive peaking power plants (i.e., power plants used only when there is high or peak power demand), increased grid reliability due to the avoidance of power outages, and reduction in the need for new generation capacity due to reduced demand.
3.2.4 DR Guidelines
To guarantee widespread adoption and fulfill the potential of DR, residential DR infrastructure must have the following features: automation; scalability to large areas; control of intelligent and legacy (or dumb) home appliances; the integration of renewable energy sources such as solar cell arrays and plug-in hybrid electric vehicles (PHEVs); and avoidance of the creation of rebound peaks that can result from shifting electricity usage to off-peak periods.[3]
3.3 Optimal Stopping Rule
The optimal stopping rule is the perfect tool for DR in a BAS. The method addresses the problem of determining the best time to take an action on an observed sequence of random variables to maximize expected rewards or minimize expected costs.[4] Specifically, let $(X_1, X_2, \ldots)$ denote a random process whose joint distribution is assumed known, and $(y_0, y_1(x_1), y_2(x_1, x_2), \ldots, y_\infty(x_1, x_2, \ldots))$ denote a sequence of real-valued reward functions. We need to choose a stopping time $N$ that satisfies $\{N = n\} \in F_n$, where $F_n$ is the $\sigma$-algebra generated by $(X_j;\ j < n)$, to maximize or minimize the expected return $E[Y_N]$. It has been used effectively in statistics, economics, mathematics, finance, and networks. In our scenario, an action means an electricity user or appliance starts to run; the observation is the electricity price, and the objective is to minimize cost or maximize profit.
One of the most popular examples of an optimal stopping problem is the “secretary problem”: A boss needs to select a perfect secretary from $N$ applicants, for which $N$ is known. All applicants can be ranked from best to worst without ties. They will be interviewed in a random order, and the boss has no information about the candidates before the interview. After each interview, the boss must make a decision to either accept the candidate on the spot or lose the chance forever. Once the applicant is rejected, he or she cannot be recalled. How can we guarantee the boss chooses the best secretary?
Intuitively, if we reject the first 50 percent of all applicants and choose the first applicant with a score better than all those already observed (and rejected), then we have greater than a 25% probability of winning. With the optimal stopping rule, we can find that if we do not select from the first 37% of candidates and choose the next interviewee whose rank is higher than the previous highest one, the winning probability increases to 36%. If we consider choosing the first or second best as winning, then a 57.4% winning probability can be achieved.
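The cutoff figures quoted above can be checked exactly. The following is an added example, not code from the chapter: it computes the win probability of the "reject the first r, then take the first applicant who beats them all" rule in closed form, confirms the formula by playing the rule on every interview order for a small N, and locates the best cutoff. The function names are chosen here for illustration.

```python
from fractions import Fraction
from itertools import permutations


def win_probability(n, r):
    """Exact chance of hiring the single best of n applicants when the first r
    are rejected outright and the first later applicant who beats everyone
    seen so far is hired (random interview order, no recall)."""
    if r == 0:
        return Fraction(1, n)  # the rule hires the very first applicant
    # The best applicant sits at position j with probability 1/n and is reached
    # only if the best of the first j-1 applicants was among the r rejected.
    return sum(Fraction(r, n * (j - 1)) for j in range(r + 1, n + 1))


def brute_force(n, r):
    """Same probability obtained by playing the rule on all n! interview orders."""
    wins = total = 0
    for order in permutations(range(n)):  # larger number = better applicant
        benchmark = max(order[:r], default=-1)
        # If nobody beats the benchmark, the boss is left with the last applicant.
        pick = next((x for x in order[r:] if x > benchmark), order[-1])
        wins += pick == n - 1
        total += 1
    return Fraction(wins, total)


def best_cutoff(n):
    """Number of applicants to reject up front that maximises the win probability."""
    return max(range(n), key=lambda r: win_probability(n, r))


if __name__ == "__main__":
    n = 100
    for r in (50, best_cutoff(n)):
        print(f"N={n}, reject first {r}: P(win) = {float(win_probability(n, r)):.4f}")
```
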
3.4 Problem Formulation
In this work, we use the optimal stopping rule to model our problem; more details can be found in Yi et al.[5] A task is denoted here as the minimum unit of an electricity user’s work, which can be dish washing, PHEV charging, operating electrical machines, and so on. The electricity price process is modeled by a random process $P(t)$, and the time is divided into slots with length $\tau$. We assume that, once started, a task can be completed within one time slot. For some tasks, this assumption is valid (e.g., dish washing and clothes washing) since they can be generally completed within a short period. However, some tasks may require a much longer time and may have time-varying power. In this case, we can decompose this task to multiple subtasks so that each subtask can be completed within one time slot, and more importantly, we can schedule a task by simply starting or postponing a subtask. For example, consider a task that requires two time slots and has power $P_L$ in the first time slot and $P_H$ in the second time slot as shown in Figure 3.2.
We decompose the task to three subtasks: subtask 1, subtask 2, and subtask 3 with power $P_L$, $P_L$, and $P_H - P_L$, respectively. Another important reason for task decomposition is that some users (e.g., refrigerator) require minimum standby power levels (e.g., $P_L$ in Figure 3.2); thus, part of the power consumption cannot be scheduled. By the task decomposition method, we can allocate a portion of the power consumption and schedule this part (e.g., task 3) more flexibly. Different from other scheduling schemes proposed by previous works (e.g., Mohsenian-Rad and Leon-Garcia[6]), which schedule users by changing the power level, our proposed scheduling policy is binary; that is, we need to decide whether to start or postpone a task in a time slot. Thus, it is the task decomposition method that makes our scheduling policy feasible.
Based on this discussion, in the remainder of this chapter, we always make the following assumption:
Assumption 1: Once started, a task can be completed within one time slot; that is, during the service time of a task, the electricity price is constant.
On the other hand, task decomposition may also result in dependence between tasks. For example, some tasks may require executing consecutively, which may complicate the scheduling problem. However, in this initial work, this type of dependence is not considered and is left to future work.
[Figure 3.2 Task decomposition. Axes: Power (levels $P_L$, $P_H$) versus time $t$ in slots of length $\tau$; Subtask 1, Subtask 2, Subtask 3.]
We sometimes use the expression “scheduling of tasks” and sometimes use the expression “scheduling of electricity users.” It is obvious they have the same function. Moreover, although each electricity user may have multiple tasks, for simplicity we assume different tasks belong to different users. Thus, in the remainder of this chapter, we only talk about the scheduling of electricity users.
We consider a power system in which the tasks of electricity users arrive randomly. Recall that the electricity price process is modeled by a random process $P(t)$, and the time is divided into slots with equal length $\tau$. Based on Assumption 1, we also assume that once a user starts to operate, the electricity price is constant during its service time. Since we use a discrete-time model, we assume all arrivals take place at the beginning of a time slot. We assume the number of arrivals in a time slot is Poisson distributed with mean $\lambda \times \tau$, where $\lambda$ denotes the average arrival rate. Specifically, let $S_t$ denote the set of arrivals in the $t$th time slot; we have
$$\Pr(|S_t| = k) = \frac{(\lambda\tau)^k}{k!}\, e^{-\lambda\tau}, \quad k = 0, 1, \ldots \tag{3.1}$$
where $|\cdot|$ denotes the cardinality of a set. It is well known that Poisson distribution is a good model of many service arrival processes; other examples include radioactive decay of atoms, telephone calls arriving at a switchboard, and others.
Now, we consider an arbitrary electricity user $i$. Let $g_i$ denote its electricity consumption during its service time and $A_i$ denote its arrival time. Let $N$ denote a scheduling policy that determines when to start a user and $N(i)$ denote the corresponding scheduled operation time of user $i$. Then, the waiting time of user $i$ is
$$W_i = N(i) - A_i \tag{3.2}$$
For a given user $i$, there are two sources of costs: (1) cost due to purchasing electricity, denoted by $C_i^p$, and (2) cost due to the waiting time, denoted by $C_i^w$. Then, it is easy to see
$$C_i^p = g_i \times P(N(i)) \tag{3.3}$$
Moreover, in this initial work, we assume the cost due to waiting is a linear function of the waiting time, that is,
$$C_i^w = \mu_i \times \tau \times W_i \tag{3.4}$$
where $\mu_i$ is a positive constant and is referred to as the time factor of user $i$ in this work. The total cost of user $i$ is $C_i^p + C_i^w$. We are interested in the long-term average of the total cost, which is given as
$$C(N) = \lim_{M \to \infty} \frac{1}{M}\, E\left[\sum_{t=1}^{M} \sum_{i \in S_t} \left(C_i^p + C_i^w\right)\right] \tag{3.5}$$
We also assume that there is a constraint on the total power consumption; that is, at any time $t$, the total power consumption satisfies
$$\sum_{l=1}^{t} \sum_{i \in S_l} g_i \times \delta(N(i), t) \le Q \tag{3.6}$$
where $\delta(N(i), t) = 1$ if $N(i) = t$ and $\delta(N(i), t) = 0$ otherwise, and $Q$ is the power constraint. Notice that in the inequality, we sum the time from 1 to $t$ because all arrivals before time $t$ may be scheduled to operate at time $t$. One of the major reasons for us to consider a power constraint is that with opportunistic scheduling, many users may operate around the off-peak time and thus produce a peak power requirement, which may be a challenge for the facilities.
Based on this discussion, we are now ready to formulate the cost-minimizing opportunistic scheduling problem as the following optimization problem:
The Cost-Minimization Problem
$$\min_{N \in \mathcal{C}}\ \lim_{M \to \infty} \frac{1}{M}\, E\left[\sum_{t=1}^{M} \sum_{i \in S_t} \left(C_i^p + C_i^w\right)\right] \tag{3.7}$$
$$\text{s.t.} \quad \sum_{l=1}^{t} \sum_{i \in S_l} g_i \times \delta(N(i), t) \le Q \tag{3.8}$$
where $\mathcal{C}$ is the class of scheduling policies.
Remark 1: For convenience, we have assumed the number of arrivals in a time slot has a Poisson distribution. However, as we show in the remainder, our major results do not depend on the arrival distribution. So, our work can be directly extended to address other arrival processes.
Remark 2: Problem (3.7) is a general form of the infinite-user, infinite-horizon cost minimization. The finite-user problem (i.e., scheduling of a finite number of electricity users) or finite-horizon problem (i.e., users have deadlines) can be formulated in a similar way. Besides, we show that our solution in Section 3.3 can be directly applied to the finite-user case (infinite-time horizon). For the finite-horizon problem, our solution can also be applied by making a slight modification (the finite-horizon optimal stopping problem can be solved by the dynamic programming approach[4]). In Section 3.4, we provide simulation results for different cases.
Remark 3: If we are interested in maximizing the rate of return instead of total cost, we can also formulate the scheduling problem as a dual profit-maximization problem. In our previous work,[7] we have shown that for the single-user case, the cost-minimization problem and the profit-maximization problem are essentially equivalent.
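A worked instance of the threshold policy for one user under the cost model (3.3) and (3.4), added here as an illustration and not taken from the chapter or its authors. It assumes i.i.d. slot prices, no power constraint $Q$, and the textbook fixed-point condition $E[(z - g_i P)^+] = \mu_i \tau$ for the threshold $z$ (not an expression quoted from the chapter); the hourly prices are constructed, the 3 kW and 0.75 h dryer figures come from Section 3.5, and "run on arrival" is an assumed stand-in for a baseline without optimal stopping.

```python
# Constructed hourly real-time prices in $/kWh (illustrative; NOT the Ameren data).
PRICES = [0.021, 0.019, 0.018, 0.018, 0.020, 0.024, 0.030, 0.036,
          0.041, 0.047, 0.055, 0.062, 0.058, 0.060, 0.066, 0.071,
          0.064, 0.052, 0.045, 0.040, 0.034, 0.029, 0.025, 0.022]

DRYER_KWH = 3.0 * 0.75   # g_i: 3 kW average power over a 0.75 h cycle
TAU = 1.0                # slot length in hours (assumption)


def threshold(prices, g, mu, tau):
    """Solve E[(z - g*P)^+] = mu*tau for z, with P uniform over `prices`.

    The user starts in the first slot whose purchase cost g*P is <= z.
    The left-hand side is piecewise linear in z, so the root is found exactly
    by walking the sorted purchase costs.
    """
    c = mu * tau                              # waiting cost per postponed slot
    costs = sorted(g * p for p in prices)
    n = len(costs)
    prefix = 0.0
    for k, x in enumerate(costs, start=1):
        prefix += x
        z = (c * n + prefix) / k              # root if exactly k costs lie below z
        if k == n or z <= costs[k]:
            return z


def evaluate(prices, g, mu, tau, z):
    """Exact expected (purchase cost, waiting slots, total cost) of threshold z."""
    accepted = [g * p for p in prices if g * p <= z]
    p_start = len(accepted) / len(prices)     # chance a given slot is accepted
    purchase = sum(accepted) / len(accepted)  # E[C^p], eq. (3.3)
    wait = (1.0 - p_start) / p_start          # E[W], geometric number of postponements
    return purchase, wait, purchase + mu * tau * wait   # adds E[C^w], eq. (3.4)


def run_on_arrival(prices, g):
    """Expected cost of the baseline that starts in the arrival slot (W = 0)."""
    return g * sum(prices) / len(prices)


def schedule(price_stream, g, z):
    """Waiting time W (in slots) on an observed price sequence, or None if never started."""
    for w, p in enumerate(price_stream):
        if g * p <= z:
            return w
    return None


if __name__ == "__main__":
    for mu in (0.0, 0.01, 0.03):              # time factors in the range of Figure 3.4
        z = threshold(PRICES, DRYER_KWH, mu, TAU)
        purchase, wait, total = evaluate(PRICES, DRYER_KWH, mu, TAU, z)
        print(f"mu={mu:.2f}  start when price <= {z / DRYER_KWH:.4f} $/kWh  "
              f"E[wait]={wait:.2f} slots  E[cost]={total:.4f} $  "
              f"(run on arrival: {run_on_arrival(PRICES, DRYER_KWH):.4f} $)")
```

A larger time factor raises the threshold, so the appliance starts sooner and saves less, which is the qualitative trade-off the chapter reports for its time-factor sweep.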
3.5 Simulation and Result
In this section, we apply our optimal stopping method to actual RTP data from the Ameren web site (https://www2.ameren.com/retailenergy/realtimeprices.aspx, July 14–23, 2011) to evaluate the performance of our residential scheduling scheme. We take a clothes dryer as our simulation parameter. Normally, the running time of a clothes dryer is 0.75 h. The average power in a running cycle is 3 kW, and peak energy in a cycle is 6 kW. We can see from Figure 3.3 that the typical clothes dryer use time is during the day, and the peak hour occurs around 11 a.m., which is also the peak daily electricity price. Due to its high peak energy in the cycle and short service time, it offers significant opportunities for shifting peak electricity usage.
[Figure 3.3 Normalized hourly residential energy usage. Axes: Hour of the Day versus Percentage.]
Figures 3.4 and 3.5 show the performance of our proposed scheduling scheme using the optimal stopping rule (OSR) and no optimal stopping rule (NOSR). It can dramatically reduce the cost of electricity, with cost savings up to 50%. Average waiting time is acceptable. The time factor reflects the customer’s time requirement for this appliance. A larger time factor means residents are more sensitive with the appliance, and it is less flexible to schedule. Small time factors are more suitable for DR and can save more electricity costs.
[Figure 3.4 Clothes dryer time factor versus cost. OSR, optimal stopping rule; NOSR, no optimal stopping rule. Axes: Time Factor (μ) versus Cost ($); series: OSR without constraint, NOSR without constraint, OSR with constraint, NOSR with constraint.]
3.6 Discussion
3.6.1 Modeling of Price Signals
In our preliminary work,[7] the price signal was modeled as an independent and identically distributed (i.i.d.) random process, which is not realistic. We propose several other models for future study. The optimal stopping solution for non-i.i.d. price signals is difficult to obtain.
3.6.1.1 Random Modeling of Price Signals
Though modeled as random processes in this proposal, the price signals often contain deterministic components, such as seasonal components (period) and a trend. These deterministic components can be utilized to estimate the electricity price. Thus, a general electricity price process can be decomposed as
$$P(t) = m(t) + s(t) + w(t) \tag{3.9}$$
where $s(t)$ is a periodic function, $m(t)$ is a deterministic function, and $w(t)$ is a zero-mean random process. This decomposition is exactly the classical decomposition model of time series.[9]
Now, we discuss these three components in detail. The seasonal component $s(t)$ describes the short-term variation of price signals. For example, there are peaks at the high-demand afternoons and troughs at the low-demand nighttime hours. In this case, $s(t)$ has a period of 24 h. The trend component $m(t)$ describes the long-term variation of price signals. For example, due to high energy demand for heating or air conditioning, the electricity price may be higher in winter and summer, respectively. The third component $w(t)$ describes the randomness of price signals. In our preliminary work,[7] we assumed that the $P(t) = w(t)$ is an i.i.d. random process. However, since the electricity process has memory in general (i.e., the electricity price does not change too much over two consecutive slots), a more realistic candidate for the random component $w(t)$ is the finite-state Markov chain (FSMC) model. A counterpart in wireless communication is the FSMC modeling of fading channels.[10] Building the model of price signals will be our first task. Many approaches, such as Wiener filtering, curve fitting (e.g., polynomial fitting), will be adopted in our future analysis.
[Figure 3.5 Clothes dryer time factor versus average waiting time. Axes: Time Factor (μ) versus Average Waiting Time (hrs); series: OSR without constraint, NOSR without constraint, OSR with constraint, NOSR with constraint.]
3.6.1.2 Usage-Dependent Electricity Price
In the last section, we discussed random modeling of price signals. The price signal is assumed to be independent of customer usage. In some scenarios, the electricity price can be expressed as a deterministic function of customer usage. An example is the electricity market with an inclining block rate (IBR) pricing scheme, which has been widely adopted in the pricing tariffs by many utility companies since the 1980s (e.g., Southern California Edison, San Diego Gas and Electric, and Pacific Gas and Electric). In IBR pricing, the marginal price increases by the total quantity consumed.[11] That is, beyond a certain threshold in the total monthly/daily/hourly load, the electricity price will increase to a higher value. The IBR pricing scheme can stimulate the customers to distribute their load at different times of day to avoid paying for electricity at higher rates. Moreover, IBR pricing helps in load balancing and reducing the peak-to-average ratio (PAR).[6] With IBR pricing, the price signal can be expressed as
$$P(t) = f(u(t)) \tag{3.10}$$
where $f(\cdot)$ is a deterministic step function, and $u(t)$ is the total energy consumption in the $t$th time slot. The random model and the usage-dependent model can be combined to provide a more general model of price signals. In this case, the price signal can be expressed by
$$P(t) = f(u(t); t) + w(t) \tag{3.11}$$
3.6.2 Fairness
In the studies discussed, the objective of optimal scheduling is to minimize the total cost of multiple appliances. In some scenarios, fairness must be taken into consideration. For example, we consider a system with multiple independent customers; each user has a personal interest. Under fairness constraints, the objective of scheduling becomes minimizing the total utility function. Two types of fairness can be considered: max-min fairness and proportional fairness. Now, we consider proportional fairness. The utility function can take the following form:[13]
$$U_k(r) = \begin{cases} \log r, & \text{if } k = 1 \\ (1 - k)^{-1}\, r^{1-k}, & \text{if } k \ge 0,\ k \ne 1 \end{cases} \tag{3.12}$$
By solving the min-cost problem in (3.7) with $C_i$ replaced by $U_k(C_i)$, we can get the optimal scheduling scheme under the proportional fairness constraint.
3.7 Conclusion
In this work, we presented our optimal stopping-based scheduling framework for building DR. The real-time price was modeled as random variables, and each appliance was assigned a different time factor. Our scheme automatically determined the best time to run the appliance to save the expenditure of electricity without waiting a long time. Results showed that our user-friendly scheduling scheme can reduce domestic energy consumption with minimal user intrusion while mitigating peak rebound. Future work includes investigation of price signal modeling, fairness, and incorporation of PHEVs into our framework.
Acknowledgment
This work is funded by the US Department of Energy under grant DE-FC26-08NT02875.
References
1. U.S. Department of Commerce, Integration of Building Control Systems/Smart Utility Grid Project. http://www.nist.gov/el/highperformance_buildings/intelligence/smartgrid.cfm (accessed April 24, 2011).
2. Office of Electricity Delivery and Energy Reliability, Benefits of Demand Response in Electricity Markets and Recommendations for Achieving Them. Washington, DC: U.S. Department of Energy, 2006.
3. M. LeMay, R. Nelli, G. Gross, and C. A. Gunter, An integrated architecture for demand response communications and control, Proceedings of the 41st Annual Hawaii International Conference on System Sciences, January 2008, Waikoloa, Big Island, Hawaii, p. 174.
4. T. Ferguson, Optimal stopping and applications. Electronic notes, www.math.ucla.edu/~tom/stopping/contents.html
5. P. Yi, X. Dong, A. Iwayemi, and C. Zhou, Real-time opportunistic scheduling for residential demand response, accepted by IEEE Transactions on Smart Grid, 4(1):227–234 (2013).
6. A.-H. Mohsenian-Rad and A. Leon-Garcia, Optimal residential load control with price prediction in real-time electricity pricing environments, IEEE Transactions on Smart Grid, 1(2):120–133 (2010).
7. P. Yi, X. Dong, and C. Zhou, Optimal energy management for smart grid systems—an optimal stopping rule approach, IFAC World Congress Invited Session on Smart Grids, August 2011, Milan, Italy.
8. A. Iwayemi, P. Yi, X. Dong, C. Zhou, Knowing when to act: An optimal stopping method for smart grid demand response. IEEE Network 25(5):44–49 (2011).
9. P. J. Brockwell and R. A. Davis, Introduction to Time Series and Forecasting, 2nd ed. New York: Springer, 2002.
10. H. S. Wang and N. Moayeri, Finite-state Markov channel—a useful model for radio communication channels, IEEE Transactions on Vehicular Technology, vol. 44, no. 1, pp. 163–171, 1995.
11. P. C. Reiss, M. W. White, Household electricity demand, revisited (December 2001). NBER Working Paper No. w8687. Available at SSRN: http://ssrn.com/abstract=294736
12. A.-H. Mohsenian-Rad, V. W. S. Wong, J. Jatskevich, and R. Schober, Optimal and autonomous incentive-based energy consumption scheduling algorithm for smart grid, in Innovative Smart Grid Technologies (ISGT), 2010, January 2010, Gaithersburg, MD, pp. 1–6.
13. Office of Electricity Delivery and Energy Reliability, “Benefits of Demand Response in Electricity Markets and Recommendations for Achieving Them,” U.S. Department of Energy, 2006.
4 Advanced Metering Infrastructure and Its Integration with the Distribution Management System
Zhao Li, Fang Yang, Zhenyuan Wang, and Yanzhu Ye
Contents
4.1 Introduction
4.2 The Advanced Metering Infrastructure
  4.2.1 The AMI Metering System
  4.2.2 AMI Communication Network
    4.2.2.1 The Hierarchical AMI Communication Network Format
    4.2.2.2 Internet-Protocol-Based Mesh AMI Communication Network
  4.2.3 The Meter Data Management System
4.3 The Standardization of the AMI
  4.3.1 Standard AMI Communication Protocols
    4.3.1.1 ANSI C12.22
    4.3.1.2 IEC 62056
  4.3.2 Standard AMI Information Model
    4.3.2.1 ANSI C12.19-2008
    4.3.2.2 IEC 62056-62
4.4 The AMI and DMS Integration
  4.4.1 Meter Data Models in the DMS
    4.4.1.1 IEC 61968-9: A Meter Model in CIM
    4.4.1.2 MultiSpeak
    4.4.1.3 Comparison of General Meter Models and Power System, Domain-Specific Meter Models
  4.4.2 AMI and DMS Integration
    4.4.2.1 Business Considerations
    4.4.2.2 Challenges of AMI and DMS Integration
4.5 The Meter Data Integration Layer: A Unified Solution for the AMI and DMS Integration
  4.5.1 The Context of the MDI Layer
  4.5.2 Software Architecture of the MDI Layer
    4.5.2.1 Components of the MDI Layer
    4.5.2.2 Behavior of the MDI Layer
  4.5.3 The MDI Architecture Evaluation
    4.5.3.1 Strategies
    4.5.3.2 Test Results and Discussion
4.6 Conclusion
Acknowledgments
References
Recognizing the value of an advanced metering infrastructure (AMI), utilities worldwide are deploying millions of smart meters. To better justify AMI investment, researchers have recognized the urgency of utilizing the full potential of AMI to improve the quality of distribution management system (DMS) applications. However, the integration of AMI and DMS is a challenge as it entails different communication protocols and requirements for handling various meter information models. In addition, the AMI meter data load generated by millions of smart meters can potentially overwhelm DMSs. In this chapter, we first briefly review the state of the art of AMI technologies and then propose a unified AMI and DMS integration solution that easily adapts DMS systems to various AMI systems with minimal engineering effort.
4.1 Introduction
The advanced metering infrastructure (AMI) [1] consists of metering, communication, and data management functionalities, offering the two-way transportation of customer energy usage data and meter control signals between customers and utility control centers. AMI was originally developed from advanced meter reading (AMR) [2–6], a one-way communication infrastructure that implements automatic collection of meter measurements from residential smart meters to utility control centers for calculating monthly bills and fulfilling other related activities. Partially as the next generation of “AMR,” AMI not only enhances the traditional data collection functionality (i.e., improving monthly meter data collection to real-time or near-real-time meter data collection) but also develops the communication capability from the control center to smart meters.
A distribution management system (DMS) is defined as an online decision-making tool that receives information pertaining to the system status and analog points from the distribution grid and generates supervisory control commands that are relayed to distribution breakers, switches and reclosers, switched capacitor banks, voltage regulators, and load tap changers (LTCs). To fulfill these functionalities, the DMS must have an efficient communication system capable of gathering the system state information and distributing control commands to customer-side control units (i.e., switches and reclosers) in real time and near real time [7]. Practically, however, because such a transportation network does not yet exist, most DMS applications (i.e., balanced or unbalanced load flow) are currently based on estimation values of data points, which leads to imprecise, even inaccurate, results.
In the past few years, AMI technologies have benefited from the U.S. government’s economic stimulus plan. In addition, the Energy Policy Act of 2005 requires electric utilities with annual sales greater than 500,000 MWh to adopt the smart metering option with time-based rates. Today, most U.S. states have begun the process of deploying smart meters within an AMI. At the beginning of 2009, for example, Texas initiated a project of deploying 6 million smart meters and expected to complete it by 2012; California plans to install 10 million smart meters by the end of 2012. The deployment of smart meters is taking place not only in the United States but also throughout the world. Based on current estimates, by 2015 smart meter installations are expected to reach 250 million worldwide [8]. Hence, AMI and smart meters should be ubiquitous in the near future.
The deployment of AMI technologies has led to a need for a higher-quality DMS. Thus, the goal of research must be to integrate AMI with DMS systems [9–12]. As the intention of AMI was to serve a general domain that included electricity, water, and gas utilities, while that of the DMS was to exclusively serve the electricity domain, the integration of the two systems certainly entails the adaptation of various communication protocols (i.e., American National Standards Institute [ANSI] C12.22, JMS [Java Messaging Service], and web service) and information models (i.e., ANSI C12.19, International Electrotechnical Commission [IEC] 61968-9, and MultiSpeak®) to the AMI and DMS systems. With the “tsunami” of AMI meter data generated by millions of residential smart meters, the task of integration has become even more complicated, requiring that the integration solution be scalable enough to handle the influx of a large number of meter measurements.
The rest of this chapter is structured as follows: The second section analyzes the components of the AMI (smart meters, the communication network, and the meter data management system [MDMS]) and reviews the current status and future trends of these components. The third section discusses the standardization of the AMI meter data model and communication protocols, an effective way to protect a utility’s long-term investment in the AMI by extending the life cycle of AMI. The fourth section discusses the challenges in the integration of DMS and AMI; based on the discussion in this section, the fifth section conducts a meter data integration (MDI) case study. The last section concludes the chapter.
4.2 The Advanced Metering Infrastructure
The AMI consists of a metering system, a communication network, and an MDMS. In this chapter, we briefly review the functionalities and future trends of these AMI components.
4.2.1 The AMI Metering System
As the end device of the AMI, the AMI metering system refers to all electricity meters, which perform both measuring and communication functions, installed at customer sites. AMI metering systems fall into two categories: electromechanical meters and digital solid-state electricity meters.
An electromechanical meter (Figure 4.1) operates by counting the revolutions of an aluminum disk, designed to rotate at a speed proportional to the power. The number of revolutions, which is proportional to energy usage, determines the amount of energy consumption during a certain period. Currently, most utilities have a large number of electromechanical meters in the field that provide reliable and dependable measurement services. However, the major constraint of the electromechanical meter is its limited and nonexpandable measurement capabilities, which prevent its wide application in modern “smart” power grids.
A solid-state electricity meter, a meter constructed by digital signal-processing technologies, is actually a computer system that utilizes the microprocessor to convert analog signals to digital signals and further processes these digital signals into user-friendly results. For solid-state meters, adding a new function is as easy as installing a new application in a general computer. Hence, its functionalities can be easily expanded to adapt to various application scenarios. For example, beyond the traditional kilowatt-hour consumption measurement, a solid-state meter provides demand interval information, time-of-use (TOU) information, load profile recording, voltage monitoring, reverse flow and tamper detection, power outage notification, a service control switch, and other applications.
To communicate with other smart meters or utility control centers, a smart meter is generally equipped with a communication module. Popular communication modules in the current market are low-power radios, the Global System for Mobile Communications (GSM), general packet radio services (GPRS), Bluetooth, and others. In general, each AMI vendor develops its own proprietary communication modules (Table 4.1) that are not interoperable with the communication modules produced by other vendors in most cases.
Figure 4.1 (a) Electromechanical meter and (b) solid-state meter. (From Electromechanical meter and solid-state meter. http://en.wikipedia.org/wiki/Electric_energy_meter [13].)
For most utilities, the deployment of millions of smart meters is a huge investment, so many utilities still maintain numerous electromechanical meters. However, because of their limited and nonexpandable functionalities, the meters are gradually becoming a major obstacle to the utilities shifting to the smart grid, which requires a change in the functionalities of the end devices. Because of technological enhancements of the smart grid, utilities are gradually replacing their electromechanical meters, which they expect to last well into the future, with solid-state meters, so the solid-state meters should begin to dominate the market in the near future.
4.2.2 AMI Communication Network
The AMI communication network is a two-way data transportation channel that transports meter measurements and meter control signals back and forth between individual meters and utility control centers. Technically, the AMI network can be categorized into either a hierarchical AMI network or a mesh AMI network. Because the mesh AMI network, a relatively new network, has several advantages (i.e., performance and efficiency) over the hierarchical AMI network, it will be the dominant AMI network in the future. Both types are discussed here.
Table 4.1 Communication Modules of Primary AMI Vendors in the United States (March 2011)
AMI VENDORS     COMMUNICATION MODULES
Landis + Gyr    Unlicensed RF, PLC
Itron           ZigBee, unlicensed RF, public carrier network (OpenWay®)
Elster          Unlicensed RF, public carrier network
Echelon         PLC, RF, Ethernet
GE              PLC, public carrier network, RF
Sensus          Licensed RF (FlexNet®)
Eka             Unlicensed RF (EkaNet®)
Smart Synch     Public carrier network
Tantalus        RF (TUNet®)
Trilliant       ZigBee, public wireless network
Note: RF = radio frequency.
4.2.2.1 The Hierarchical AMI Communication Network Format
In a hierarchical AMI communication network, lower-level elements have strict relationships with their direct upper-level parent elements, and a meter is managed by its upper-level data collector. Figure 4.2 illustrates a typical multilevel hierarchical AMI communication network, which can be classified into three layers: the home-area network (HAN), the meter local-area network (LAN), and the wide-area network (WAN) [14,15]. In such networks, meter data are collected and transported from a lower- to higher-level meter data collector. The major features of each layer are described next:
4.2.2.1.1 Wide-Area Network
As the highest level of aggregation in an AMI network, the WAN handles connectivity between a high-level meter data collector and a utility control center or between high-level meter data collectors. The WAN is the backbone of the AMI communication network through which numerous AMI measurements and control signals are transported.
Figure 4.2 Infrastructure of the hierarchical AMI network.
4.2.2.1.2 Meter LAN
The meter LAN distribution network handles connectivity from data concentrators or some distribution automation devices (e.g., monitors, reclosers, switches, capacitor controllers) to high-level data collectors. Compared with the WAN, the meter LAN has larger geographical coverage but less data transportation.
4.2.2.1.3 Home-Area Network
For utilities, the HAN has been defined or viewed as a grouping of home appliances and consumer electronic devices that allow for remote interface, analysis, control, and maintenance. The electric meter acts as the gateway of the HAN: collecting measurements (e.g., electricity, water, and gas) and sending them to the utility control center while executing control commands received from the utility control center.
The WAN, the LAN, and the HAN are generally constructed by wired and wireless network technologies. In the current AMI communication network, widely applied wired communication technologies include communication via telephone systems, Ethernet, power line carriers, and broadband over power lines, while widely applied wireless technologies include communication via mobile systems, cellular networks, and wireless mesh networks. Table 4.2 demonstrates the features of these network technologies in the current market.
The various layers of the AMI network require different performance, coverage, and security, so they are constructed by different wired or wireless communication technologies. For the HAN, which requires self-healing, plug-and-play, low power, and low cost, ZigBee is the preferred technology. For the LAN, which requires good coverage and relatively low performance, power line communicator (PLC), unlicensed spectrum radio, and Wi-Fi are likely choices. For the WAN, which requires both high performance and good coverage, broadband over power line (BPL), WiMAX, and the licensed/unlicensed spectrum radio are preferable.
Table 4.2 Features of Primary AMI Communication Technologies
TYPE      NAME               DATA RATE    RANGE                        SECURITY
Wired     PLC                100K bps     Same with power network      Exposed to public access
Wired     BPL                <200 Mbps    Same with power network      Exposed to public access
Wired     Fiber optic        10–40 Gbps   30–50 miles with repeaters   With security features
Wireless  WiMAX              <70 Mbps     Up to 30 miles               With security features
Wireless  Wi-Fi              11–54 Mbps   <100 m                       With security features
Wireless  ZigBee (802.15.4)  20–250 kbps  <1 mile                      With security features
4.2.2.2 Internet-Protocol-Based Mesh AMI Communication Network
In a mesh AMI communication network based on the Internet Protocol (IP), a meter is an IP-based device capable of gaining access to meter data collectors and other meters through its IP address. In this sense, the IP-based mesh AMI network is similar to the Internet/intranet. Because of this similarity, many standard Internet communication protocols (HTTP [Hypertext Transfer Protocol] and XML [eXtensible Markup Language]) are widely used in the IP-based AMI network even though they are neither specially designed nor optimized for utility meter data transportation. For example, WebGate Classic Residential Meter solutions provided by MuNet [15] offer an IP-enabled AMI mesh network solution in which a meter can communicate with another meter or a meter data collector through standard Internet communication protocols (e.g., HTML and XML).
Compared with the multilevel hierarchical AMI network, a mesh AMI network has more advantages, especially in scalability, stability, and extensibility. More important, many well-developed and fully tested software and hardware technologies from the Internet (e.g., various communication protocols and network security technologies) can be smoothly transplanted into the AMI mesh network, making it more secure and user friendly. For example, Internet addressing technologies (e.g., IP version 4 [IPv4] and IPv6) help utilities effectively identify and control individual meters located in the network.
Generally, most advanced smart grid applications tend to transport a large amount of meter data in an efficient and secure way. Because existing hierarchical communications networks are incapable of performing such a task, the development of a more advanced AMI network is becoming urgent. As meshed AMI network technologies are still in the research-and-development (R&D) phase, an interim solution is to borrow matured Internet communication technologies and apply them to the existing AMI network. However, this solution is not tailored to power grid applications, so it must eventually be replaced by AMI mesh network technologies.
4.2.3 The Meter Data Management System
While a utility can use the AMI to collect data, it must also be able to use its AMI data to support decision making throughout the organization to achieve the maximum return on its investment. With the development of the smart grid, utilities are gradually realizing that the AMI cannot achieve all of the desired benefits unless it can effectively cleanse, process, store, and apply the data, activities that must be performed if utilities are to address and enhance their key business processes. These goals have driven the need for an entirely new MDMS.
The MDMS of the AMI provides a set of advanced software tools that manage large volumes of meter data. It collects, validates, and stores meter data in a central data repository and allows utilities to take full advantage of AMI information in network monitoring, load research, operational analyses, and decision making. In addition, it enables meter data to be shared with end customers, who can access the data whenever they need to make decisions about how and when they use energy.
The typical functionalities of an MDMS are as follows [16]:
• Setting up, configuring, and monitoring meters and communication networks
• Administrating network security and data access privilege
• Loading meter data from communication gateways
• Providing a graphic user interface
• Cleaning, parsing, and storing data as well as exporting data to other systems
• Processing validated meter data for various utility applications
Since an MDMS collects meter readings from millions of meters at a certain time interval (i.e., 15 minutes), the volume of meter data is always increasing and potentially can become huge. Therefore, the challenge is to store and manage such a huge data set and then extract valuable information from it to support various utility applications, tasks that cannot be controlled using traditional database technologies. However, a well-defined solution that provides sufficient scalability to manage such a meter data set is in the development phase in both theory and practice.
4.3 The Standardization of the AMI
In the current market, smart meters from different vendors are generally noninteroperable. For most utilities, deploying millions of smart meters is a long-term investment, which means that once a utility adopts smart meters from an AMI vendor, it must follow up with related products from the same vendor for the sake of compatibility. However, utilities are reluctant to be bound to a certain meter vendor, especially in the early stages of smart grid development.
Enabling interoperability between AMI products from different vendors is an effective way to protect utilities’ investment, so most important standard committees in the world (e.g., AEIC [American Energy Innovation Council], ANSI, EPRI [Electric Power Research Institute], and NIST [National Institute of Standards and Technology]) are currently responding to this issue. Table 4.3 lists the popular standard communication protocols and meter information models in the current market, defined by ANSI, IEC, and NRECA (National Rural Electric Cooperative Association). Most of these standards have recently been revised (i.e., version 2 of C12.19 in 2008) or newly defined (i.e., version 1 of C12.22 in 2008) to support new requirements (i.e., demand responses) from the smart grid.
The standardization of the AMI includes standardization of both AMI communication protocols and AMI information models.
4.3.1 Standard AMI Communication Protocols
Since 2008, the focus of the standardization of AMI communication protocols has gradually shifted from the physical level (e.g., ANSI C12.18 [17]) and the device level (e.g., ANSI C12.21 [18]) to the application level (e.g., ANSI C12.22 [19]) because the application-level communication protocols effectively isolate the details of underlying physical network configurations and implementations.
In the following section, we introduce the principal application-level communication protocols and meter information models that are popular in both the U.S. market (i.e., C12.19 and C12.22) and the European market (i.e., IEC 62056-53 [20] and IEC 62056-62 [21]).
4.3.1.1 ANSI C12.22
Historically, after a set of standard table contents and formats were defined in ANSI C12.19 (the details for the C12.19 standard are discussed further in this chapter), a point-to-point standard protocol (ANSI C12.18) was developed to transport the table data over an optical connection. The Protocol Specification for Telephone Modem Communication (ANSI C12.21) was developed afterward to allow devices to transport tables over telephone modems. The C12.22 standard expands on the concepts of both ANSI C12.18 and C12.21 standards to allow the transport of table data over any reliable networking communications system.
Table 4.3 Popular Standard Communication Protocols and Meter Information Models
NAME              TIME TO MARKET                  CATEGORY                FUNCTIONALITIES                                              APPLICATION DOMAIN
ANSI C12.19       1997 version 1, 2008 version 2  Data model              Model the meter data in tables                               Gas, water, and electricity
ANSI C12.22       2008 version 1                  Communication protocol  Transfer data over C12.22 network                            Gas, water, and electricity
ANSI C12.18       1996 version 1, 2005 version 2  Communication protocol  Transfer data by point-to-point protocol                     Gas, water, and electricity
ANSI C12.21       1999 version 1, 2005 version 2  Communication protocol  Transfer data through a modem-based point-to-point protocol  Gas, water, and electricity
IEC 61968-9       2009 version 1                  Data model              Model meter data for power system distribution application   Electricity
IEC 62056         2007 version 1                  Communication protocol  Transfer meter data over serial port or network              Gas, water, and electricity
NRECA MultiSpeak  Latest version 2007             Data model              Model meter data for power system distribution application   Electricity
4.3.1.1.1 Goals of ANSI C12.22
The goal of the ANSI C12.22 standard is to define a meshed network infrastructure that is customized for AMI applications. The goals of the standard are as follows:
• To define a datagram that may convey ANSI C12.19 data tables through any network, which must include the AMI network and optionally includes the Internet
• To provide a seven-layer communication infrastructure for interfacing a C12.22 device to a C12.22 communication module
• To provide an infrastructure for point-to-point communication to be used over local ports such as optical ports or modems
• To provide an infrastructure for efficient one-way messaging
Overall, the ANSI C12.22 mesh network consists of the C12.22 nodes and network.
4.3.1.1.2 Network Infrastructure of ANSI C12.22
A C12.22 node, a point on the network that attaches to an ANSI C12.22 network (Figure 4.3), is a combination of both a C12.22 device and communication module. The C12.22 communication module is a hardware module that attaches a C12.22 device to a C12.22 network. The C12.22 device contains meter data in the forms of tables defined in the C12.19. The interface between the communication module and the device is completely defined by the C12.22 standard.
Figure 4.3 Typical examples of C12.22 nodes. (Panels: a standard meter with internal comm module; a standard meter with external gateway; a nonstandard meter with internal gateway.)
The C12.22 network defines an AMI-specific mesh communication infrastructure that consists of one or more C12.22 network segments (a subnetwork) or a C12.22 LAN (Figure 4.4). Within a network segment, there is a collection of C12.22 nodes that communicate with one another without forwarding messages through either a C12.22 relay or a C12.22 gateway. The C12.22 network segments can be connected into a C12.22 WAN through C12.22 relays and gateways, where meters from different network segments can communicate with one another.
Similar to the open system interconnection (OSI) model, the C12.22 communication protocol consists of seven layers (Figure 4.5): an application layer (layer 7), a presentation layer (layer 6), a session layer (layer 5), a transport layer (layer 4), a network layer (layer 3), a data link layer (layer 2), and a physical layer (layer 1). Unlike OSI, C12.22 is customized for meter data transportation. For example, the application layer of C12.22 supports only ANSI C12.19 tables, EPSEM, and ACSE (EPSEM and ACSE are languages that encapsulate C12.19 meter data [22]). The standard services provided by layer 7 of C12.22 include an identification service, a read service, a write service, a security service, a trace service, and others; layers 1 through 6 support various physical network connections in the meter industry as well as the standard Internet connection.
Figure 4.4 The basic C12.22 network.
4.3.1.2 IEC 62056
IEC 62056, which defines the meter interface classes for the Companion Specification for the Energy Metering (COSEM) model, includes a series of standards on data exchange for meter reading, tariffs, and load control, as follows:
• IEC 62056-21: A standard that defines direct local data exchange, which describes how to use COSEM over a local port (optical or current loop). It is designed to operate over all media, including the Internet, through which a meter sends ASCII or other format meter data to a nearby handheld unit using a serial port.
• IEC 62056-42: A standard that defines physical-layer services and procedures for connection-oriented asynchronous data exchange.
• IEC 62056-46: A standard that defines a data link layer using the high-level data link control (HDLC) protocol, a three-layer, connection-oriented, HDLC-based communication profile.
• IEC 62056-47: A standard that defines COSEM transport layers for IPv4 networks, the Transmission Control Protocol [TCP]/IP-based communication profile.
• IEC 62056-53: A standard that defines a COSEM application layer.
• IEC 62056-61: A standard that defines an object identification system (OBIS).
• IEC 62056-62: A standard that defines interface classes and a data model.
Figure 4.5 Seven-layer Open System Interconnection model for meter data transportation. (Key: LAN = local-area network; WAN = wide-area network; MAN = metropolitan-area network.)
Similar to ANSI C12.22, IEC 62056-53, the application-layer communication protocol in the COSEM model (Figure 4.6), is defined based on several other IEC 62056 series protocols, including IEC 62056-21, –42, –46, and –47. Except for IEC 62056-21, which is used in handheld devices for locally exchanging data with meters, the remaining protocols are used to define different layers of the communication network that support application-level communication: the physical layer (IEC 62056-42), the data link layer (IEC 62056-46), and the transport layer (IEC 62056-47). Similar to ANSI C12.22, the meter data carried by IEC 62056-53 are defined by IEC 62056-61 and IEC 62056-62, which are dedicated meter data models in the IEC 62056 series.
As an application-layer communication protocol, IEC 62056-53 primarily provides three services to application-level semantics: the Get service (.request, .confirm), the Set service (.request, .confirm), and the Action service (.request, .confirm).
Figure 4.6 Request/response process of COSEM. (Layers shown between client and server: application layer, IEC 62056-53; intermediate data link and transport layers, IEC 62056-46 and –47; physical layer, IEC 62056-42; physical channel.)
Although both IEC 62056 and ANSI C12.22 provide a way of constructing the advanced mesh AMI network, each has a unique market focus: IEC 62056 primarily focuses on the European market, while ANSI C12.22 focuses on the North American market. In the current North American market, most AMI vendors support C12.18 and C12.21, but few support C12.22 since it has only recently been defined. Itron [23], Elster [24], and Trilliant Incorporated [25] were the pioneers supporting the C12 communication protocols. Because of the advantages of C12.22, we predict that in the near future most major meter vendors will support C12.22 standard communication protocols in the North American market.
4.3.2 Standard AMI Information Model
An information model is a representation of concepts, relationships, constraints, rules, and operations that specify data semantics for a chosen domain of discourse [26]. In the AMI communication infrastructure, it is necessary that an information model, in which all communication participants can semantically reach a certain level of understanding, be maintained.
In this chapter, we briefly discuss major standard information models in today’s market: ANSI C12.19 and IEC 62056-62. The former is widely used in the U.S. market and the latter in the European market.
4.3.2.1 ANSI C12.19-2008
ANSI C12.19 resulted from comprehensive cooperative effort among utilities, meter manufacturers, automated meter-reading service companies, ANSI, Measurement Canada (for Industry Canada), NEMA, the IEEE (Institute of Electrical and Electronics Engineers), Utilimetrics, and other interested parties. Currently, it has two versions: ANSI C12.19-1997 and ANSI C12.19-2008. As the latter is intended to accommodate the concepts of the most recently identified AMI, it is primarily discussed in this chapter.
The heart of ANSI C12.19 is a set of defined standard tables and procedures; the former are methods of storing the collected meter data and controlling parameters, and the latter are methods of invoking certain actions against the data and parameters [22]. The standard tables in C12.19 are typically classified into sections, referred to as decades. Each decade pertains to a particular feature set and a related function. Transferring data from or to an end device that adheres to the C12.19 standard entails reading or writing a particular table or a portion of a table. Even though the C12.19 standard covers a broader range of tables and procedures, it is highly unlikely that any smart meter will be able to embed all tables or even a majority of those defined in ANSI C12.19. Hence, implementers are encouraged to choose an appropriate subset that suits their needs.
C12.19 is a general meter information model that serves various domains, including electricity, water, and gas. As an example, Figure 4.7 illustrates the electricity information abstracted from the tables defined in decade 1 of the C12.19 standard. In addition, the tables in C12.19 can be customized through some standard operations.
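Because each meter embeds only a subset of the C12.19 tables, a head end or integration layer cannot assume that a given table exists on a given device. The Python sketch below is an added example, not code from the chapter or from the standard: it decodes a constructed table-presence bit set of the kind a C12.19 device publishes in Table 00 (field STD_TBLS_USED), groups the tables by decade, and filters a read plan. The least-significant-bit-first bit order, the sample bytes, and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Decade names for standard tables 00-99, following the C12.19 decade layout.
DECADE_NAMES = {
    0: "General configuration",
    1: "Data source",
    2: "Register",
    3: "Local display",
    4: "Security",
    5: "Time and time-of-use",
    6: "Load profile",
    7: "History and event logs",
    8: "User-defined",
    9: "Telephone control",
}

# Constructed sample (not captured from a real meter): nine octets of a
# STD_TBLS_USED-style bit set, one presence bit per standard table.
SAMPLE_STD_TBLS_USED = bytes.fromhex("2b98e100000010e001")


class TableNotImplemented(LookupError):
    """Raised when a read targets a table the device does not advertise."""


def decode_table_set(bitmap):
    """Return the table numbers whose presence bit is 1.

    Assumed layout: table n maps to octet n // 8, bit n % 8, with bit 0
    being the least significant bit of each octet.
    """
    return [
        octet_index * 8 + bit
        for octet_index, octet in enumerate(bitmap)
        for bit in range(8)
        if octet & (1 << bit)
    ]


def group_by_decade(tables):
    """Group table numbers by decade (table number // 10)."""
    decades = defaultdict(list)
    for number in sorted(tables):
        decades[number // 10].append(number)
    return dict(decades)


def describe(tables):
    """One summary line per decade the device implements."""
    lines = []
    for decade, members in sorted(group_by_decade(tables).items()):
        name = DECADE_NAMES.get(decade, "unnamed in this example")
        listing = ", ".join(str(m) for m in members)
        lines.append("Decade %d (%s): tables %s" % (decade, name, listing))
    return lines


def plan_reads(requested, implemented):
    """Split a read list into tables to fetch and tables to skip."""
    present = set(implemented)
    readable = [t for t in requested if t in present]
    skipped = [t for t in requested if t not in present]
    return readable, skipped


def require_table(table, implemented):
    """Guard a single read; fail fast instead of querying a missing table."""
    if table not in set(implemented):
        raise TableNotImplemented("table %d is not advertised" % table)
    return table


if __name__ == "__main__":
    implemented = decode_table_set(SAMPLE_STD_TBLS_USED)
    for line in describe(implemented):
        print(line)
    readable, skipped = plan_reads([1, 12, 23, 28, 64, 71], implemented)
    print("read:", readable, "skip:", skipped)
```
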
4.3.2.2 IEC 62056-62
Unlike ANSI C12.19, which uses tables to package meter measurements, IEC 62056-62 models meter information through a series of interface classes [21]. As the information modeled by C12.19 and IEC 62056-62 is identical, we do not duplicate our efforts to further introduce the content of IEC 62056-62. Similar to ANSI C12.19, as a general meter data model, IEC 62056 supports not only electricity meters but also gas and water meters.
For AMI vendors, the preference to support certain standards has a strong geographical bias. For example, most smart meter vendors in the U.S. market are more likely to choose ANSI series standards (i.e., C12.19 and C12.22), while those in the European market are more likely to select IEC standards. Table 4.4 lists the situations of the major meter vendors in the U.S. market that support the IEC 62056 series standards. As of today, only Elster completely supports IEC 62056 series standards, including IEC 62056-42, –46, –53, –61, and –62. Other vendors, such as Itron, support only a portion of the IEC 62056 standards, and some such as GE and Sensus do not support the series protocols at all.
Figure 4.7 Electricity information modeled by C12.19. THD = total harmonic distortion, V = voltage, I = current.
Triggered by the rapid development of the smart grid, beyond supporting proprietary communication protocols, most AMI vendors have begun to support the standard communication protocols and meter data models. As of today, most vendors have accepted C12.19 (Table 4.5), but only a few pioneers (i.e., Itron and Elster) support C12.22, which is necessary for a future meshed AMI network.
Overall, AMI is a two-way communication network ranging from residential houses to control centers. As an information provider, it is complementary, to some extent, to DMS, providing real-time or near-real-time system state information, and as a command executor, conducting control commands sent from the utility control centers to residential smart meters. As real-time or near-real-time system state information can significantly improve the quality of DMS applications, integration of the AMI with the DMS may represent a feasible, efficient solution for improving the quality of DMS applications.
Table 4.4 Relationships between IEC 62056 Series Standards and Primary Meter Vendors in the U.S. Market (March 2011)
Vendor | IEC 62056/DLMS/COSEM
Landis + Gyr | Europe: IEC 62056-21 (for local reading) and DLMS (as a system integration interface). North America: No
Itron | United States: Quantum: mini-DLMS. Europe: IEC 62056-21 and DLMS/COSEM for C&I meter
Elster | A1800 ALPHA: DLMS/COSEM and IEC 62056-42, –46, –53, –61, –62
Echelon | IEC 62056-21 (2002) (physical and electrical requirements only)
GE | No
Sensus | No
Eka | No
SmartSynch | No
Tantalus | No
Trilliant | No
Source: International Electrotechnical Commission. With permission.
4.4 The AMI and DMS Integration
In this section, we focus on the context, issues, and challenges of AMI and DMS integration from an engineering aspect.
4.4.1 Meter Data Models in the DMS
Instead of adopting existing AMI meter data models (i.e., C12.19 and IEC 62056-62), the DMS defines its own meter data models that are exclusively optimized for DMS applications and are compatible with existing DMS information models (e.g., the Common Information Model [CIM]). The most popular meter data models in the DMS today are IEC 61968-9 and MultiSpeak.
Table 4.5 AMI Vendors and Standard Information Models and Communication Protocols in the U.S. Market (March 2011)
Columns: C12.18 | C12.21 | C12.22 | C12.19 | IEC 61968/CIM | Others
Landis + Gyr: V V V V V | Unlicensed RF, PLC
Itron: V V V V V | ZigBee, unlicensed RF, public carrier network (OpenWay®)
Elster: V V V V V | Unlicensed RF, public carrier network
Echelon: V V V | PLC
GE: V V V V | PLC, public carrier network, RF
Sensus: V V V | Licensed RF (FlexNet®)
Eka: V V | Unlicensed RF (EkaNet®)
SmartSynch: V V | Public carrier network
Tantalus: V V N/A V N/A | RF (TUNet®)
Trilliant: V V V V Not yet | IEEE 802.15.4; ZigBee; public WAN, including CDMA/1xRTT, GSM/GPRS, WiMAX, etc.
Note: CDMA = code division multiple access; DLMS = Distribution Line Message Specification.
4.4.1.1 IEC 61968-9: A Meter Model in CIM Published by IEC in 2009, the IEC 61968-9 [27] standard defines the interface for meter reading and control in the DMS. The goal of the interface is the exchange of information between a meter system and other applications at electric utilities, serving the integration of meter data with utility applications. As part of the CIM of the utilities, the IEC 61968-9 standard extends the traditional CIM to support the exchange of meter information between utility applications. Electricity measurements provided by IEC 61968-9 are important for a variety of DMS applications (Figure 4.8), such as outage management, service interruptions, service restoration, quality-of-service monitoring, distribution network analysis, distribution planning, demand reduction, customer billing, and work management.
In addition to electricity measurements, the IEC 61968-9 standard defines a meter information exchange infrastructure consisting of message and event definitions, which are meter reading, meter control, meter events, customer data synchronization, and customer switching.
[Figure 4.8 diagram: the IEC 61968-9 meter model at the center, linked to Meter data management; Network operations; Meter maintenance and asset management; Outage management; Metering system (Data collection, Control and reconfiguration); Planning and scheduling; Customer information and billing; Service point; Load management system (Load analysis, Load control).]
Legend of the numbered links: 1. Readings, events and status; 2. Controls and signals; 3. Meter readings; 4. Outage events; 5. Outage and restoration verification; 6. Meter history; 7. Customer data set; 8. On request read; 9. Transaction records; 10. Disconnected/reconnected, demand reset; 11. Demand respond signals; 12. Meter configuration and installation; 13. Meter health information.
Figure 4.8 Improving the quality of DMS applications using AMI meter data.
Figure 4.9 demonstrates an IEC 61968-9 message sent by DMS polling a meter reading based on a meter ID from an AMI system.
As part of a CIM, a meter modeled by IEC 61968-9 is represented by the MeterAsset class, a newly defined class in the CIM that supports smart meters. Through the MeterAsset class, an IEC 61968-9 meter can easily exchange information with other devices modeled by the CIM and provide better services for utility applications. More important, unlike C12.19, which is a general meter data model serving water, gas, and electricity, a meter in IEC 61968-9 is exclusively tailored to utility applications (e.g., load analysis and control, outage management and meter maintenance, and asset management).
4.4.1.2 MultiSpeak MultiSpeak [28] is a de facto standard funded by NRECA. Similar to IEC 61968, it focuses on data exchange modeling and enterprise integration in electric utilities and is intended to support standards-based interapplication integration. Compared to IEC 61968-9, MultiSpeak is a mature protocol that has been in the market for some time.
From an infrastructure perspective, IEC 61968-9 fits into a variety of messaging middleware frameworks, so it is suitable for utilities that may have a number of different middleware solutions already in place. MultiSpeak, implemented in terms of web services, is more effective for small utilities, which rarely implement messaging middleware (Figure 4.10).
<?xml version="1.0" encoding="UTF-8"?>
<!--edited with XMLSPY v2004 rel. 3 U (http://www.xmlspy.com) by ABB (ABB Inc) -->
<m:MeterReadings xsi:schemaLocation="http://iec.ch/TC57/2009/MeterReadings# MeterReadings.xsd"
    xmlns:m="http://iec.ch/TC57/2007/MeterReadings#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <m:MeterReading>
    <m:MeterAsset>
      <!-- mRID: the ID of the meter whose reading is being polled -->
      <m:mRID>6468822</m:mRID>
    </m:MeterAsset>
  </m:MeterReading>
</m:MeterReadings>
Figure 4.9 Example of the meter pull information packaged by IEC 61968-9. (With permission from the IEC.)
4.4.1.3 Comparison of General Meter Models and Power System, Domain-Specific Meter Models Overall, ANSI C12.19 and IEC 62056-62 are general meter models serving the electricity domain, the water domain, and the gas domain, while MultiSpeak and IEC 61968-9 are customized to the electricity domain, which supports enterprise integration within the scope of the electric utilities.
[Figure 4.10 diagram: a Web Service Bus (MultiSpeak) connecting Load Profile, Meter Reading, Outage Detection, Load Management, Accounting, Meter Data Management, SCADA Applications, Customer Billing, and Geographic Information System.]
Figure 4.10 MultiSpeak data model.
Figure 4.11 illustrates the relationships between general meter models and power system-specific meter models. Even though all four meter data models discussed have electricity measurements, the scopes of the measurement namespaces and message infrastructures differ (refer to the lower part of Figure 4.11). As electricity-specific models (i.e., IEC 61968-9 and MultiSpeak) organize and model information based on utility applications, they have a larger scope of meter measurement namespaces that include temperature measurements, demand response control, and other domain information, providing better services for various DMS applications. In addition, the message and event infrastructure of electricity meter models are compatible with the existing utility information infrastructure, so they can easily be integrated with utility applications.
[Figure 4.11 diagram: the Information Model for Electronic Meters, containing the Electric Meter Model in ANSI C12.19 and IEC 62056-62 and the IEC 61968-9 and MultiSpeak Meter Models; Measurements for Electric Meters, Measurements for Gas Meters, Measurements for Water Meters; a lower part comparing ANSI C12.19, IEC 62056-62, IEC 61968-9, and MultiSpeak by Message, Events, and Temperature Measurement; consumers shown are Water Utilities, Gas Utilities, DMS Apps, EMS Apps, and Electricity Billing.]
Figure 4.11 General meter data model versus power system-specific data model.
4.4.2 AMI and DMS Integration
4.4.2.1 Business Considerations The DMS and the AMI are two separate systems with different business goals and architectures. The purpose of integrating the AMI and the DMS is to enable the two systems to exchange information while minimizing the influence of the integration on both systems in terms of performance and engineering costs.
Utilities that adopt the MDI layer must address some major business considerations:
• Different DMS applications use different approaches to import external data. For example, some DMS applications utilize the enterprise service bus (ESB), and others rely on the SCADA (supervisory control and data acquisition) system. In this sense, the integration solution should be easily adaptable to both ESB and SCADA interfaces.
• Utilities generally have deployed (or are currently developing) AMI systems with different types of meter data servers such as MDMSs. These AMI systems are usually built by different AMI vendors. The integration solution should be adaptable to diverse AMI systems.
• Meter data models in AMI systems are designed for applications in different domains (i.e., electricity, water, and gas); however, DMS applications primarily require a power system-dedicated meter data model (i.e., IEC 61968-9). The integration solution should consider information gaps between a general domain meter data model and a power system-specific meter data model and match these gaps while an AMI system and a DMS system are exchanging meter data.
• Currently, the commercial requirement for regular meter reading is a 15-minute interval. With the development of AMI technologies, the interval is becoming shorter. However, handling meter data generated by millions of smart meters every 15 minutes can pose substantial challenges to DMS systems because the original architecture of most legacy DMS systems was not designed for heavy AMI meter data load conditions. Therefore, the integration solution has to minimize the influence of the meter data load on a DMS system by caching meter data and adjusting the meter data stream throughput to a level that can be accepted by the DMS system when necessary.
• AMI and DMS systems are usually developed by different vendors. Thus, a different dialect is likely used in both meter models and transportation protocols to describe even the same grid network. The integration solution should harmonize these dialects.
4.4.2.2 Challenges of AMI and DMS Integration The challenges of designing the integration solution are as follows:
• Performance: The integration solution should be capable of processing both scheduled (expected) meter reading data and burst (unexpected) meter outage reports generated by a large number of smart meters in a timely manner. Ideally, it should be able to withstand a worst-case data-loading scenario when a regular meter reading session coincides with a large-scale outage reporting event.
• Scalability: The integration solution should be able to handle the incoming data of thousands and even millions of smart meters at a data-updating interval of 1 day, 1 hour, 15 minutes, or even shorter.
• Adaptability: The integration solution should be able to adapt to distinct AMI systems deployed by utilities. That is, it should be capable of adapting to different meter data models and different AMI data integration communication protocols.
• Extensibility: The integration solution should be capable of introducing appropriate technologies that fit not only the current AMI and DMS technology framework but also future AMI and DMS applications.
4.5 The Meter Data Integration Layer: A Unified Solution for the AMI and DMS Integration
4.5.1 The Context of the MDI Layer
A unified AMI and DMS integration solution, called the MDI layer [29], is described in this section; it can be viewed as middleware between the AMI and DMS systems. Figure 4.12 illustrates the overall system, which consists of the AMI, the DMS, and the integration solution. The MDI layer enables the easy integration of diverse AMI systems (i.e., the MDMS meter data collection engine) with the DMS.
4.5.2 Software Architecture of the MDI Layer
In this section, the MDI layer architecture and the rationale and trade-offs behind the architecture are discussed.
[Figure 4.12 diagram: DMS 1 and DMS 2 connect through ESB and ESB/SCADA data/control links to the Meter Data Integration Layer, which connects through web service data/control links to the MDMS and the Meter Data Collector; these reach the Meters over the AMI Network, made up of a Wide Band Network and several Meter Networks (i.e., C12.22).]
Key: AMI = Advanced Meter Infrastructure; ESB = Enterprise Service Bus; MDMS = Meter Data Management System; NM = Network Manager; MDI = Meter Data Integration.
Figure 4.12 Context of the MDI layer. (From Z. Li, Z. Wang, et al., 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571. Copyright IEEE. With permission from IEEE.)
4.5.2.1 Components of the MDI Layer Figure 4.13 is the component diagram of the MDI layer. Overall, the components of the MDI can be classified into four categories based on their functionalities: the AMI adaptors, the AMI information translation and verification infrastructure, the loosely coupled event (LCE) infrastructure, and the DMS adaptors.
4.5.2.1.1 AMI Adaptors AMI adaptors, the components illustrated on the left side of Figure 4.13, can fit different types of AMI data servers (e.g., the MDMS and the meter data collector), transferring metering data streams from the AMI to the DMS or vice versa:
• For transferring meter data (e.g., measurements and outage information) from the AMI to the DMS, AMI adaptors must conform to the AMI communication channel to receive the meter data blocks sent by the corresponding AMI server and process them. To fulfill this conformable process, AMI adaptors must understand the communication protocols and meter data models of the AMI system involved.
• For transferring metering information (e.g., meter control and meter poll commands) from the DMS to the AMI, AMI adaptors must pack the meter poll/control information using the AMI meter data model and deliver the packages to the AMI system using the communication protocol adopted by the AMI system.
[Figure 4.13 diagram: three stages from left to right. Adapt AMI: AMI 1 Adaptors, AMI 2 Adaptors, ..., AMI n Adaptors (connect with AMI, connect with MDMS, connect with individual meters). Aggregate, Cache, Translate, and Verify Meter Information: Temp DB, LCE Infrastructure, MDI Monitor. Adapt DMS: DMS Adaptor 1 (connect with ESB), DMS Adaptor 2 (connect with SCADA). Key: data channel; pub/sub LCE message.]
Figure 4.13 Architecture of the meter data integration solution. (From Z. Li, Z. Wang, et al., 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571. Copyright IEEE. With permission from IEEE.)
Each AMI system that needs to support DMS applications should have a corresponding AMI adaptor in the MDI layer. An ideal AMI adaptor possesses the following attributes:
• It has a high-performance parser that processes the incoming AMI meter data stream effectively.
• It can be dynamically plugged into the MDI layer without interrupting the normal operation of other components in the MDI layer.
The utilization of AMI adaptors can greatly simplify the process of adapting a DMS system to diverse AMI systems because, for a new AMI, the deployment process requires a simple redesign of a corresponding lightweight AMI adaptor instead of a redevelopment of the entire AMI interface.
4.5.2.1.2 The Information Translation and Verification Structure Due to the variations among the meter data models with regard to typical AMI and DMS applications, we concluded in Wang and Li [30] that AMI systems utilize general meter data models (i.e., ANSI C12.19) that can be applied to all domains (i.e., electricity, gas, and water). However, DMS systems use power system-specific meter data models (i.e., IEC 61968-9), so one of the primary tasks of the MDI layer is to eliminate the information gaps between the AMI and DMS meter data models, which is accomplished using the information translation and verification structure, the components of which are shown in the middle part of Figure 4.13.
In the MDI layer, translation means converting the AMI dialect to the DMS dialect when meter data from the AMI are delivered to the DMS and vice versa. Translation is implemented by looking up the AMI and the DMS cross-reference tables stored in the Temp DB. Verification involves filtering error information and verifying the integrity of the incoming metering data before delivering them to the target system (either the AMI or the DMS). Verification is implemented by the foreign key constraints of the relational tables in the Temp DB.
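The cross-reference lookup and foreign-key verification described above can be sketched as follows. This is an added example, not the chapter's prototype: an in-memory SQLite database stands in for the Temp DB, and the table names, column names, AMI meter IDs, and quantity labels are constructed for illustration (only the mRID 6468822 comes from Figure 4.9).

```python
import sqlite3

# Hypothetical Temp DB schema: two cross-reference tables plus a cache table whose
# foreign keys reject any reading that cannot be mapped into the DMS dialect.
SCHEMA = """
CREATE TABLE meter_xref (               -- AMI meter id <-> DMS mRID
    ami_meter_id TEXT PRIMARY KEY,
    dms_mrid     TEXT NOT NULL UNIQUE
);
CREATE TABLE quantity_xref (            -- AMI quantity name <-> DMS reading type
    ami_quantity     TEXT PRIMARY KEY,
    dms_reading_type TEXT NOT NULL
);
CREATE TABLE incoming_reading (         -- readings pushed by the AMI
    ami_meter_id TEXT NOT NULL REFERENCES meter_xref(ami_meter_id),
    ami_quantity TEXT NOT NULL REFERENCES quantity_xref(ami_quantity),
    read_at      TEXT NOT NULL,
    value        REAL NOT NULL,
    PRIMARY KEY (ami_meter_id, ami_quantity, read_at)
);
"""


def open_temp_db():
    db = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless enforcement is switched on per connection.
    db.execute("PRAGMA foreign_keys = ON")
    row = db.execute("PRAGMA foreign_keys").fetchone()
    if not row or row[0] != 1:
        raise RuntimeError("foreign key enforcement unavailable; verification would be a no-op")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO meter_xref VALUES (?, ?)",
                   [("AMI-0001", "6468822"), ("AMI-0002", "6468823")])
    db.executemany("INSERT INTO quantity_xref VALUES (?, ?)",
                   [("KWH_DEL", "energy.delivered.kWh"), ("VOLT_A", "voltage.phaseA.V")])
    db.commit()
    return db


def cache_readings(db, rows):
    """Verification: insert each reading; constraint violations are filtered out."""
    accepted, rejected = [], []
    for row in rows:
        try:
            db.execute("INSERT INTO incoming_reading VALUES (?, ?, ?, ?)", row)
            accepted.append(row)
        except sqlite3.IntegrityError as exc:   # unknown meter/quantity, duplicate, NULL
            rejected.append((row, str(exc)))
    db.commit()
    return accepted, rejected


def translate_for_dms(db):
    """Translation: join the cache against both cross-reference tables."""
    cur = db.execute("""
        SELECT m.dms_mrid, q.dms_reading_type, r.read_at, r.value
        FROM incoming_reading AS r
        JOIN meter_xref    AS m ON m.ami_meter_id = r.ami_meter_id
        JOIN quantity_xref AS q ON q.ami_quantity = r.ami_quantity
        ORDER BY m.dms_mrid, r.read_at
    """)
    keys = ("mRID", "readingType", "timeStamp", "value")
    return [dict(zip(keys, row)) for row in cur]


def run_demo():
    db = open_temp_db()
    stamp = "2011-03-01T00:15:00Z"
    pushed = [                                   # constructed sample input
        ("AMI-0001", "KWH_DEL", stamp, 1.25),    # valid
        ("AMI-0002", "VOLT_A", stamp, 239.8),    # valid
        ("AMI-9999", "KWH_DEL", stamp, 0.5),     # meter unknown to the DMS
        ("AMI-0001", "GAS_VOL", stamp, 3.0),     # quantity with no DMS equivalent
        ("AMI-0001", "KWH_DEL", stamp, 1.25),    # replay of the first reading
    ]
    accepted, rejected = cache_readings(db, pushed)
    return accepted, rejected, translate_for_dms(db)


if __name__ == "__main__":
    ok, bad, out = run_demo()
    print(len(ok), "accepted;", len(bad), "rejected")
    for row, reason in bad:
        print("rejected", row, "->", reason)
    for msg in out:
        print("to DMS:", msg)
```

Rejected rows are returned with the constraint that refused them, so a monitor can tell unmapped meters apart from replayed readings instead of dropping both silently.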
More important, in the worst-case scenario, in which a regular meter-reading session coincides with a large-scale outage event, when a large amount of incoming meter information requires verification in a short time frame, the information translation and verification infrastructure guarantees performance by utilizing threading technology.
4.5.2.1.3 The LCE Infrastructure The LCE infrastructure is the messaging infrastructure of the MDI layer. All functional components in the MDI layer are coordinated by publishing or subscribing messages to the LCE infrastructure. The LCE event infrastructure [31] has two characteristics:
1. It is a messaging system that efficiently coordinates the behaviors of message senders/receivers.
2. It is loosely coupled. Message senders (publishers)/receivers (subscribers) of the LCE infrastructure are decoupled and run in different program spaces; shutting down a publisher or subscriber will not influence the normal operations of other publishers or subscribers.
4.5.2.1.4 DMS Adaptors Most design considerations for AMI adaptors (e.g., dynamically plugging in) are also applicable to the design of the DMS adaptors. More important, the design of the DMS adaptors also considers the throughput limitation of DMS data channels when delivering meter data to the DMS system.
4.5.2.1.5 MDI Monitor The MDI monitor, which is used to track the status of the functional components in the MDI layer by subscribing to the LCE messages sent by these components, can be dynamically plugged into the MDI by turning on its subscriptions to LCE messages.
4.5.2.2 Behavior of the MDI Layer Dynamically, the MDI layer supports the following three types of activities or events: (1) The AMI pushes meter data to the DMS (i.e., reports outage and pushes regular meter reading); (2) the DMS polls meter data from the AMI (i.e., verifies outage and requires meter measurements) by sending meter poll commands to the AMI; and (3) the DMS pushes control commands to the AMI (i.e., meter-controlling demand).
4.5.2.2.1 AMI Pushes Meter Data to the DMS The workflow of the MDI layer processing meter data pushed by the AMI is as follows: On receiving a meter data package from the AMI, an AMI adaptor parses and delivers the parsed meter data to the Temp DB for translation and verification; meanwhile, it publishes a message in the LCE infrastructure to notify other components in the MDI layer that are interested in the AMI meter data arrival notice. One of the other interested components is a DMS adaptor. On receiving this notice, the DMS adaptor initiates the following workflow to process the AMI meter data that have come in: First, it picks up the verified and translated meter data from the Temp DB, then packs them using the message format required by the DMS system, and finally delivers the packed message to the DMS system. During the process, the behaviors of the AMI adaptor, the Temp DB, and the DMS adaptor are coordinated by the AMI meter data arrival notice.
As previously mentioned, the meter data load pushed by the AMI can be very large. Thus, avoiding a delay in processing or a loss of AMI meter data requires a high-performance AMI adaptor. Performance can be enhanced by multicore and multithread technologies. The workflow of multithreaded AMI adaptors that process incoming meter data is as follows: On receiving a meter data package, the AMI adaptor quickly unpacks it and then concurrently launches a new thread that parses the meter data package, caches the meter data into the Temp DB, and sends a meter data arrival notice to the LCE infrastructure. However, the creation of new threads consumes a considerable number of system resources. After all, when there is a large volume of data packages coming in, AMI adaptors must launch a large number of threads in a very short time frame, quickly using up system resources. This phenomenon is called a thread explosion. To prevent such an event from occurring, a semaphore installed in the AMI adaptor limits the number of launched threads.
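The semaphore guard against a thread explosion can be sketched as below. This is an added example, not the chapter's .NET prototype: the class and function names are hypothetical, the comma-separated package format is constructed for illustration (it is not C12.19), a list stands in for the Temp DB, and a queue stands in for the LCE infrastructure.

```python
import queue
import threading
import time


def parse_package(package: bytes):
    """Parse constructed 'meter_id,timestamp,kwh' lines; raises ValueError if malformed."""
    readings = []
    for line in package.decode("ascii").splitlines():
        meter_id, stamp, kwh = line.split(",")     # wrong field count -> ValueError
        readings.append((meter_id, stamp, float(kwh)))
    return readings


class AmiAdaptor:
    def __init__(self, max_threads, max_wait_s=None):
        self._slots = threading.BoundedSemaphore(max_threads)  # the thread cap
        self._max_wait_s = max_wait_s     # None: block the receiver (back-pressure)
        self._lock = threading.Lock()
        self._threads = []
        self._active = 0
        self.peak_active = 0              # highest number of concurrent workers seen
        self.malformed = 0                # packages rejected by the parser
        self.shed = 0                     # packages dropped because no slot freed in time
        self.cache = []                   # stand-in for the Temp DB
        self.notices = queue.Queue()      # stand-in for LCE arrival notices

    def on_package(self, package: bytes) -> bool:
        # A worker thread is launched only after a slot is obtained, so a burst of
        # packages slows the receive loop instead of creating unbounded threads.
        if not self._slots.acquire(timeout=self._max_wait_s):
            self.shed += 1
            return False
        worker = threading.Thread(target=self._process, args=(package,))
        try:
            worker.start()
        except RuntimeError:              # thread could not be started: return the slot
            self._slots.release()
            raise
        self._threads.append(worker)
        return True

    def _process(self, package: bytes):
        with self._lock:
            self._active += 1
            self.peak_active = max(self.peak_active, self._active)
        try:
            readings = parse_package(package)
            time.sleep(0.002)             # stands in for Temp DB write latency
            with self._lock:
                self.cache.extend(readings)
            self.notices.put(len(readings))        # meter data arrival notice
        except ValueError:
            with self._lock:
                self.malformed += 1
        finally:
            # Always give the slot back; a slot leaked on a bad package would
            # shrink the pool until the adaptor stalls.
            with self._lock:
                self._active -= 1
            self._slots.release()

    def drain(self):
        for worker in self._threads:
            worker.join()


def run_burst(n_packages=200, max_threads=8):
    adaptor = AmiAdaptor(max_threads)
    good = b"AMI-0001,2011-03-01T00:15:00Z,1.25\nAMI-0002,2011-03-01T00:15:00Z,0.80"
    bad = b"AMI-0003;truncated"           # constructed malformed package
    for i in range(n_packages):
        adaptor.on_package(bad if i % 50 == 0 else good)
    adaptor.drain()
    return adaptor


if __name__ == "__main__":
    a = run_burst()
    print("peak threads:", a.peak_active, "cached:", len(a.cache),
          "malformed:", a.malformed, "shed:", a.shed)
```

Setting `max_wait_s` turns the same guard from back-pressure into load shedding, which is the choice to make when the AMI side cannot be slowed down.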
4.5.2.2.2 DMS Pushes Meter Control Commands to the AMI The workflow of processing meter control commands pushed by the DMS to the AMI is similar to that of processing meter measurements pushed by the AMI, except for their starting points: DMS adaptors for the former and AMI adaptors for the latter.
4.5.2.2.3 DMS Polls Meter Data from the AMI The workflow of the DMS polling meter data from the AMI consists of the following processes: (1) The DMS pushes meter control commands to the AMI, and (2) the AMI pushes the meter data back to the DMS. These two processes were discussed previously in this chapter.
4.5.3 The MDI Architecture Evaluation
To validate the MDI design and evaluate its quality attributes in a real-world situation, we developed a prototype of the MDI layer and a meter data load simulation system (the AMI simulator) using Microsoft .NET enterprise technologies, a simulation system that can create various testing scenarios for the MDI layer by simulating many smart meter operations (i.e., meter outages, meter reading, and meter control). Using the MDI prototype and the AMI simulator, we ran several test cases to evaluate the functionalities and the associated quality attributes of the designed MDI layer.
4.5.3.1 Strategies Instead of exhausting all of the possible testing scenarios, we chose to test some important functionalities and their associated quality attributes. Because the most important attribute of the MDI layer is its ability to handle meter data loads pushed by millions of smart meters, we focused our test cases on a meter data “tsunami” scenario. In other words, we primarily tested the quality attributes (performance, scalability, and flexibility) of the architecture of the MDI layer against a meter data load created by millions of smart meters. The test environment is illustrated in Figure 4.14, and a detailed description of the quality attributes and their trade-offs follows.
4.5.3.1.1 Performance Typically, a utility has millions of smart meters whose data load can come from regular measurements every 15 minutes or outage reports caused by a burst. However, the available AMI simulator server (constrained by its central processing unit [CPU] and internal memory) can simulate the behavior of only 65,000 smart meters. Instead of simulating a meter data load generated by millions of smart meters in 15 minutes, we simulated the load of 63,445 smart meters (the meters corresponded to customers in a fixed number of areas in one utility network) in 1 minute. Our assumption was that if the MDI layer can process the meter data load generated by the 63,445 smart meters in 1 minute, then it should be able to process a meter data load generated by 1 million meters in 15 minutes.
4.5.3.1.2 Scalability We tested the scale-up and scale-out capabilities of the MDI layer. For the scale-up test, we used two AMI simulators that concurrently pushed outage reports to the same MDI layer server; accordingly, two AMI adaptors configured in the MDI layer server received the outage reports pushed by two AMI simulators. Unlike a typical AMI adaptor situation, the scale-up test case handled about double the meter data load.
For the scale-out test, we added a second MDI layer server, configured to use the same Temp DB with the first MDI layer. In the two MDI layer server configurations, two AMI simulators were connected to the two MDI layer servers. The primary purpose for the scale-out test case was to verify if the designed MDI layer could be scaled out simply by modifying the server configuration rather than by revising the source code of the MDI layer.
[Figure 4.14 diagram: AMI Simulator 1 (hardware: CPU Intel Xeon X3220 2.4G, quad core; memory 4G; hard disk 250G, 7,200; software: Windows 2008 Server) and AMI Simulator 2 (hardware: CPU Intel Core 2 Quad 9550 2.7G, quad core; memory 4G; hard disk 750G, 7,200; software: Windows 2003 Server) connect through Web Service and JMS to the MDI Layer (hardware: CPU Intel Xeon X3220 2.4G, quad core; memory 4G; hard disk 250G, 7,200; software: Windows 2008 Server).]
Figure 4.14 The configuration of the simulation test environment. (From Z. Li, Z. Wang, et al., A Unified Solution for Advanced Metering Infrastructure Integration with a Distribution Management System, 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571. Copyright IEEE. With permission from IEEE.)
4.5.3.1.3 Flexibility For flexibility, we wanted to verify the capability of the MDI layer connected to different types of AMI systems. To make more sense of the test results, we simulated two AMI systems: One transported meter data using JMS [32], supported by IBM WebSphere MQ 7.0 (transactional communication channel) [33], and the other AMI system transported meter data using web service remote call (a nontransactional communication channel). Accordingly, the MDI layer had two adaptors, one for each AMI system.
4.5.3.2 Test Results and Discussion The performance test results showed that the MDI layer server could cache, translate, and verify either the meter measurements or the outage information generated by 63,445 smart meters in 30 seconds. Based on this “half-minute” meter data load, we can calculate that one MDI layer server with similar resources can process the meter load generated by 1.9 million smart meters in 15 minutes.
The scalability test results showed that the designed MDI layer could easily be scaled up by adding a second AMI adaptor that is identical to the original AMI adaptor by changing the configurations rather than the source code or the design. The addition of the second AMI adaptor barely influenced the performance of the previous AMI adaptors. However, utilization of system resources increased; for example, CPU utilization increased from 50% to 70%. This demonstrated from another angle that if we have sufficient system resources (CPU and memory), we can connect two or more AMI systems within one physical MDI layer server. Hence, an optimistic estimation is that the scale-up of a configuration with two identical AMI adaptors can handle a meter data load generated by 3.8 million (2 × 1.9 million) smart meters in 15 minutes if the system resources of the test MDI layer server are adequate.
The flexibility test results showed that the designed architecture could easily connect to different AMI systems. Similar to the scale-up test, the flexibility test, which connected two different types of AMI systems (web service and JMS), barely affected the performance of the MDI layer. In addition, adding a second different type of AMI adaptor increased the utilization of system resources, demonstrating that the MDI layer can be scaled up by connecting it to different AMI systems.
4.6 Conclusion
The revolutionary contribution of AMI is that it creates a low-cost standard communication network facilitating the collection and distribution of metering information to customers, utilities, and other parties. Because of AMI, a wide range of new DMS applications that used to be considered important but impractical due to communication costs (i.e., automatic outage management and demand response) is introduced or reactivated. In return, these applications expose the precise state of the power distribution infrastructure and operational awareness for the optimization of the delivery and use of energy to utility control centers.
To effectively integrate AMI with DMS, a unified AMI and DMS integration solution, called the MDI layer, was presented in this chapter. Structurally a type of middleware deployed between the AMI and DMS systems, the MDI can greatly reduce development and engineering efforts expended connecting DMS applications to various types of AMI systems. At the same time, it can minimize the influence of the AMI meter data load on the performance of DMS applications by decoupling the data model and protocol conversion functionality from the DMS applications. More important, the MDI layer can be easily expanded by adding new functionalities (e.g., power system load profiling, forecasting and modeling, outage scooping, and asset utilization optimization) to fulfill requirements from potential DMS applications in the future.
As the quality attributes of the MDI layer in a real-world environment are a major concern, a series of test cases were conducted against an MDI prototype and an AMI simulator to verify the performance, flexibility, and scalability of the proposed MDI layer. The test results showed that the MDI layer design could meet the real-world requirements of handling AMI meter data generated by millions of smart meters in terms of performance, flexibility, and scalability.
In summary, with the development of the smart grid, AMI, as the backbone of information collection and distribution in the grid system, is gradually transcending the electric territory, expanding the network to millions of utility consumers, various renewable resources, and millions of electrical vehicles to the far edges of the delivery system, the initial prototype of the “Internet of things.”
Acknowledgments
This work was supported by the ABB Corporation research funds that come from both the industry software system program and the grid automation program. In addition, we would like to thank Xiaoming Feng for valuable comments on the early version drafts.
References
1. F. Yang, Advanced Metering Infrastructure Technology, Prestudy Report No. Pt-07045. Raleigh, NC: ABB U.S. Corporate Research Center, 2007.
2. R. A. Fischer, A. S. Laakonen, and N. N. Schulz, A generation polling algorithm using a wireless AMR system for restoration confirmation, IEEE Transactions on Power Systems, vol. 16, no. 2, pp. 312–316, 2001.
3. H. Dorey, Advanced metering in old and new worlds, Power Engineering Journal, vol. 10, no. 4, pp. 146–148, August 1996.
4. Y. Jin and M. D. Cox, A pipelined automatic meter reading scheme, paper presented at the Instrumentation and Measurement Technology Conference, Irvine, CA, pp. 715–720, May 1993.
5. S. Mak and D. Radford, Design considerations for implementation of large scale automatic meter reading systems, IEEE Transactions on Power Delivery, vol. 10, no. 1, pp. 97–103, 1995.
6. M. R. J. Clay and A. J. McEntee, Advanced meter reading tokenless prepayment, Power Engineering Journal, vol. 10, no. 4, pp. 149–153, August 1996.
7. Electric Power Research Institute. The Introduction of Smart Grid, 2007. http://www.epri.com/intelliGrid/.
8. Pacific Gas and Electric (PG&E), SmartMeter™ Installation Progress, PG&E, April 2010. http://www.pge.com/myhome/customerservice/meter/smartmeter/deployment/.
9. R. W. Uluski, Interactions between AMI and DMS for efficiency/reliability improvement at a typical utility, paper presented at IEEE PES General Meeting, Raleigh, NC, July 2008.
10. Ali Ipakchi, Implementing the smart grid: Enterprise information integration, Grid-Interop Forum, 2007.
11. General Electric, Advanced Distribution Infrastructure, GE’s AMI and DMS Integration Solution. http://www.gepower.com/prod_serv/products/metering/en/going_ami_new.htm
12. EnergyIP, Siemens’s AMI and DMS Integration Solution. http://www.energy.siemens.com/us/pool/us/services/powertransmission-distribution/mdms/downloads/MdMs-overview.pdf
13. Electromechanical meter and solid-state meter. http://en.wikipedia.org/wiki/electric_energy_meter
14. M. Conner, Sensors Empower the Internet of Things, 2010, pp. 32–38.
15. Munet Meters, 2009. http://www.munet.com/.
16. Aclara Software, Meter Data Management: The Key to Unlocking the Benefit of Advanced Metering, Aclara Software White Paper. Hazelwood, MO: Aclara, March 2008.
17. American National Standards Institute, ANSI C12.18-2006, American National Standard Protocol Specification for ANSI Type 2 Optical Port. New York: American National Standards Institute, 2006.
18. American National Standards Institute, ANSI C12.21-2006, American National Standard Protocol Specification for Telephone Mode. New York: American National Standards Institute, 2006.
19. International Organization for Standardization/International Electrotechnical Commission, ISO/IEC Standard 7498-1:1994.
20. International Electrotechnical Commission, IEC 62056 workshop in New Delhi, February 2009. http://www.dlms.com/news/0000009c300e1ae01.html
21. International Electrotechnical Commission, IEC 62056-62 the Interface Class for Electricity Metering Data Exchange for Meter Reading, Tariff and Load Control, 2nd ed. Geneva, Switzerland: IEC, 2006.
22. American National Standards Institute, ANSI C12.19-2008, American National Standard—Utility Industry End Device Data Tables, approved February 24, 2009. New York: American National Standards Institute.
23. Itron. The AMI/AMR Solution from Itron Inc. http://www.itron.com/pages/products_category.asp?id=itr_000238.xml
24. Elster Electricity, EnergyAxis from Elster Electricity LLC. http://www.elsterelectricity.com/internet_content_1.nsf/sresults/d72B4a78cc3B0a1B85256dff006ef2c3
25. Trilliant, Trilliant—A Trusted Solution Partner, Solution Brief, Trilliant Incorporated, 2009. http://www.trilliantinc.com/4_rsrcs/_Pdfs/tsB_trustedPartner.pdf
26. Y. T. Lee, Information Modeling from Design to Implementation. New York, National Institute of Standards and Technology, 1999.
27. International Electrotechnical Commission, IEC 61968-9 Ed. 1 Part 9: Interface for Meter Reading and Control. New York: IEC/TC57, August 14, 2009.
28. G. A. McNaughton and B. Saint, Integration using the MultiSpeak® specification, paper presentation at Utility Automation, December 2008.
29. Z. Li, Z. Wang, et al., A unified solution for advanced metering infrastructure integration with a distribution management system, 2010 First IEEE Smart Grid Communication, NIST, Washington, DC, October 2010, pp. 566–571.
30. Z. Wang and Z. Li, Meter Data Integration for Distribution Management System, Tech Report No. crid80345&80596. Raleigh, NC: ABB U.S. Corporate Research Center, 2009.
31. Christian Nagel, Enterprise Services with the .NET Framework, Microsoft .NET Development Series, January 13, 2005.
32. Java Message Service. http://en.wikipedia.org/wiki/Java_Message_service
33. IBM, IBM WebSphere MQ. http://www-01.ibm.com/software/integration/wmq/.
139
5 Cognitive Radio Network for the Smart Grid

Raghuram Ranganathan, Robert Qiu, Zhen Hu, Shujie Hou, Zhe Chen, Marbin Pazos-Revilla, and Nan Guo

Contents

5.1 Introduction
    5.1.1 Cognitive Radio
    5.1.2 The 802.22 System
        5.1.2.1 System Topology
        5.1.2.2 Service Coverage
        5.1.2.3 System Capacity
5.2 Cognitive Radio Network for Smart Grid
    5.2.1 Cognitive Radio Network Test Bed: Hardware Platforms for Cognitive Radio Networks
        5.2.1.1 Universal Software Radio Peripheral 2
        5.2.1.2 Small Form Factor Software-Defined Radio Development Platform
        5.2.1.3 Wireless Open-Access Research Platform
        5.2.1.4 Microsoft Research Software Radio
5.3 Innovative Test Bed for Cognitive Radio Networks and the Smart Grid
    5.3.1 Motherboard for the New Hardware Platform
    5.3.2 Functional Architecture for Building Nodes for Network Test Beds
    5.3.3 Innovative Network Test Bed
5.4 Cognitive Algorithms for the Smart Grid
    5.4.1 Dimensionality Reduction and High-Dimensional Data Processing in Cognitive Radio Networks
        5.4.1.1 Dimensionality Reduction Methods
        5.4.1.2 Spectrum Monitoring Using Dimensionality Reduction and Support Vector Machine with Experimental Validation
    5.4.2 Robust Principal Component Analysis
    5.4.3 Independent Component Analysis with Robust PCA Preprocessing for Recovery of Smart Meter Wireless Transmissions in the Presence of Strong Wideband Interference
        5.4.3.1 Independent Component Analysis Signal Model and Receiver Block Diagram
    5.4.4 Simulation Results Using the Robust PCA-ICA Approach
5.5 Secure Communications in the Smart Grid
    5.5.1 Development of Communications Infrastructure
    5.5.2 FPGA-Based Fuzzy Logic Intrusion Detection for the Smart Grid
5.6 Conclusions
References

Security and Privacy in Smart Grids

Recently, cognitive radios and the smart grid are two areas that have received considerable research impetus. Cognitive radios are fully programmable wireless devices that can sense their environment and dynamically adapt their transmission waveform, channel access method, spectrum use, and networking protocols. It is widely anticipated that cognitive radio technology will be used for a general-purpose programmable radio that will serve as a universal platform for wireless system development, much like microprocessors have served a similar role for computation. The salient features of the cognitive radio (i.e., frequency agility, transmission speed, and range) are ideal for application to the smart grid. In this regard, a cognitive radio network can serve as a robust and efficient communications infrastructure that can address both the current and future energy management needs of the smart grid. The cognitive radio network can be deployed as a large-scale wireless regional-area network (WRAN) in a smart grid to utilize the unused TV bands recently approved for use by the Federal Communications Commission (FCC). In addition, a cognitive radio network test bed for the smart grid would serve as an ideal platform not only to address various issues related to the smart grid (e.g., security, information flow and power flow management, etc.) but also to reveal more practical problems for further research. In this chapter, the novel concept of incorporating a cognitive radio network as the communications backbone for the smart grid is outlined. A brief overview of the cognitive radio is provided, including the recently proposed Institute of Electrical and Electronics Engineers (IEEE) 802.22 standard. In particular, an overview of the cognitive radio network test bed, existing and new hardware platforms for cognitive radio networks, and functional architectures is given. Cognitive machine learning approaches such as principal component analysis (PCA) and kernel PCA for dimensionality reduction of high-dimensional smart grid data are presented. In addition, a novel approach of combining the recently developed robust PCA algorithm with a statistical signal-processing method called independent component analysis (ICA) is described for recovery of smart meter wireless transmissions in the presence of strong wideband interference. Security for the smart grid is still in the incipient stages and is the topic of significant research focus. This chapter addresses the impending problem of securing the smart grid, in addition to the possibility of applying fuzzy logic intrusion detection based on field-programmable gate array (FPGA) for the smart grid.
5.1 Introduction

5.1.1 Cognitive Radio

Cognitive radio is an intelligent software-defined radio (SDR) technology that facilitates efficient, reliable, and dynamic use of the underused radio spectrum by reconfiguring its operating parameters and functionalities in real time depending on the radio environment. Cognitive radio networks promise to resolve the bandwidth scarcity problem by allowing unlicensed devices to transmit in unused "spectrum holes" in licensed bands without causing harmful interference to authorized users [1–4]. In concept, the cognitive technology configures the radio for different combinations of protocol, operating frequency, and waveform. Current research on cognitive radio covers a wide range of areas, including spectrum sensing, channel estimation, spectrum sharing, and medium access control (MAC).

Due to its versatility, cognitive radio networks are expected to be increasingly deployed in both the commercial and military sectors for dynamic spectrum management. To develop a standard for cognitive radios, the Institute of Electrical and Electronics Engineers (IEEE) 802.22 Working Group was formed in November 2004 [5]. The corresponding IEEE 802.22 standard defines the physical (PHY) and MAC layers for a wireless regional-area network (WRAN) that uses white spaces within the television bands between 54 and 862 MHz, especially within rural areas where usage may be lower. Details of the IEEE 802.22 standard, including system topology, system capacity, and the projected coverage for the system are given in the next section.
5.1.2 The 802.22 System
IEEE 802.22 is the first standardized air interface for cognitive radio networks based on opportunistic utilization of the TV broadcast spectrum [6,7]. The main objective of the IEEE 802.22 standard is to provide broadband connectivity to remote areas with comparable performance to broadband technologies such as cable, DSL (digital subscriber loop), and so on in urban areas. In this regard, the FCC selected the predominantly unoccupied TV station channels operating in the VHF (very-high-frequency) and UHF (ultra-high-frequency) region of the radio spectrum.

5.1.2.1 System Topology

The 802.22 system is a point-to-multipoint wireless air interface consisting of a base station (BS) that manages a cell comprised of a number of users or customer premises equipment (CPEs) [8]. The BS controls the medium access and "cognitive functions" in its cell, transmits data to the CPEs in the downlink, while receiving data in the uplink direction from the CPEs. The various CPEs perform distributed sensing of the signal power in the assorted channels of the TV band. In this manner, the BS collects the different measurements from the CPEs and exploits the spatial diversity of the CPEs to make a decision if any portion of the spectrum is available.

5.1.2.2 Service Coverage

Compared to other IEEE 802 standards, such as 802.11, the 802.22 BS coverage range can reach up to 100 km if not limited by power constraints. The coverage of different wireless standards is shown in Figure 5.1. The WRAN has the highest coverage due to higher transmit power and long-range propagation characteristics of TV bands.

5.1.2.3 System Capacity

The WRAN systems can achieve comparable performance to that of DSL, with downlink speeds of 1.5 Mbps and uplink speed of 384 kbps. The system would thus be able to support 12 simultaneous CPEs, resulting in an overall system download capacity of 18 Mbps.

The specification parameters of the IEEE 802.22 standard are summarized in Table 5.1.
In Section 5.2, the concept of developing a cognitive radio network for the smart grid is presented, in addition to an overview of various existing hardware platforms for cognitive radio networks. Section 5.3 outlines new approaches for the development of hardware test beds for smart grid cognitive radio networks. In Section 5.4, cognitive algorithms for preprocessing and recovery of high-dimensional smart grid data are illustrated. Section 5.5 addresses the critical issue of security in smart grid communications, followed by conclusions in Section 5.6.

Figure 5.1 Comparison of 802.22 with other wireless standards. CDMA = code division multiple access; GPRS = general packet radio services; GSM = Global System for Mobile Communications; HiperLAN = High Performance Radio LAN; LAN = local-area network; LMDS = local multipoint distribution service; MAN = metropolitan-area network; PAN = personal area network; RAN = regional-area network; UWB = ultra-wideband; WAN = wide-area network.

Coverage classes shown in the figure:
    RAN (< 100 km): 802.22 (proposed), 18 to 24 Mbps
    WAN (< 15 km): 802.20 (proposed); GSM, GPRS, CDMA, 2.5G, 3G, 10 kbps to 2.4 Mbps
    MAN (< 5 km): 802.16a/d/e, 70 Mbps; LMDS, 38 Mbps
    LAN (< 150 m): 802.11a/b/e/g, HiperLAN/2, 11–54 Mbps; 802.11n (proposed), > 100 Mbps
    PAN (< 10 m): 802.15.1 (Bluetooth), 1 Mbps; 802.15.3, > 20 Mbps; 802.15.3a (UWB), < 480 Mbps; 802.15.4 (Zigbee), < 250 kbps
5.2 Cognitive Radio Network for Smart Grid

The smart grid explores and exploits two-way communication technology, advanced sensing, metering and measurement technology, modern control theory, network grid technology, and machine learning in the power system to make the power network stable, secure, efficient, flexible, economical, and environmentally friendly. To support the smart grid, a dedicated two-way communications infrastructure should be set up for the power system. In this way, secure, reliable, and efficient communication and information exchange can be guaranteed. In addition, the various devices, equipment, and power generation facilities of the current power system should be updated and renovated. Novel technologies for power electronics should be used to build advanced power devices (e.g., transformer, relay, switch, storage, and so on).

In the area of wireless communications, cognitive radio is an emerging technique. The essence of cognitive radio is the ability of communicating over the unused frequency spectrum adaptively and intelligently. The idea of using cognitive radio in the smart grid appears to be proposed in the literature, for the first time, in Qiu [9–11] and Qiu et al. [12]. The capability of cognitive radio enables the smart grid, in many aspects, including security. With minimal modifications to software, a cognitive radio network can be used for efficient control of the smart grid.

Table 5.1 IEEE 802.22 Characteristics

PARAMETER                  SPECIFICATION
Typical cell radius (km)   30–100 km
Methodology                Spectrum sensing to identify free channels
Channel bandwidth (MHz)    6, 7, or 8
Modulation                 OFDMA
Channel capacity           18 Mbps
User capacity              Downlink: 1.5 Mbps; Uplink: 384 kbps

Source: From IEEE, with permission. OFDMA = Orthogonal Frequency-Division Multiple Access.
The benefits of applying cognitive radio to the smart grid are summarized in Table 5.2. First, cognitive radio can operate over a wide range of frequency bands. It has frequency agility. This feature is especially useful for the smart grid because the frequency spectrum today is so crowded, and cognitive radio provides the capability of reusing unused frequency bands for the smart grid. Second, cognitive radio enables high-speed data transmission for the smart grid. This is due to the wideband nature of cognitive radio. The data rate can be as high as tens of megabits per second, in contrast to the ZigBee, which can only provide a data rate of tens to hundreds of kilobits per second. Third, cognitive radio has the potential to transmit data over a long distance. Recently, the Federal Communications Commission (FCC) has decided to allow use of unused TV bands for wireless communications. The TV bands are ideal for long-distance mass data transmission. Cognitive radio in a WRAN scenario is designed to utilize the unused TV bands. Employing cognitive radio, the smart grid can communicate over a long distance over the air. Fourth, cognitive radio boasts of cognitive learning and adaptation capability. It has the ability to learn the environment, reason from it, and adapt accordingly. Cognitive radio makes the smart grid "smarter" and more robust. Fifth, cognitive radio is based on the SDR platform, which is a programmable radio. Hence, cognitive radio is capable of performing different applications and tasks. In addition, security, robustness, reliability, scalability, and sustainability of the smart grid can be effectively supported by cognitive radio due to its flexibility and reprogrammability.

Table 5.2 Advantages of Applying the Cognitive Radio (CR) to the Smart Grid

SALIENT FEATURES      DESCRIPTION
Frequency diversity   CR can operate over unused frequency bands
Transmission speed    Data rates of up to tens of megabits per second can be achieved
Range                 CR can transmit over long distances in a WRAN scenario
Adaptability          CR has inherent intelligence to adapt to changes in the environment
Programmability       Built on an SDR platform, the CR can be selectively programmed
5.2.1 Cognitive Radio Network Test Bed: Hardware Platforms for Cognitive Radio Networks
There have been some wireless network test beds, such as the Open Access Research Testbed for Next-Generation Wireless Networks (ORBIT) [13] and the wireless test bed developed by University of California, Riverside [14]. Some common features of those wireless network test beds are summarized as follows: First, the nodes in the networks are developed based on computer central processing units (CPUs). Second, the nodes use 802.11 Wi-Fi network interface cards for wireless communications. These network test beds may work well for evaluating algorithms, protocols, and network performances for Wi-Fi networks, but they are not suitable for cognitive radio networks due to their inherent lack of wideband frequency agility.

Recently, Virginia Tech developed a test bed for cognitive radio networks with 48 nodes [15], which is a significant achievement in this area. Each node consists of three parts: an Intel Xeon processor-based high-performance server, a Universal Software Radio Peripheral 2 (USRP2), and a custom-developed radio-frequency (RF) daughterboard that covers a continuous frequency range from 100 MHz to 4 GHz with variable instantaneous bandwidths from 10 kHz to 20 MHz. The node is easily capable of frequency agility. However, as the authors mentioned, the drawbacks of the node are twofold. First, it is not a low-power processing platform. Second, it is not capable of mobility.

Regardless of the kind of cognitive radio network test bed, it is composed of multiple nodes. There exist some commercial off-the-shelf hardware platforms designed for SDR that may be used for building the nodes for cognitive radio networks.
5.2.1.1 Universal Software Radio Peripheral 2

USRP and USRP2, provided by Ettus Research, are widely used hardware platforms in the area of SDR and cognitive radio. USRP2 is the second generation of USRP, and it became available in 2009 [16]. USRP2 consists of a motherboard and one or more selectable RF daughterboards, as shown in Figure 5.2.

Figure 5.2 USRP2 with WBX RF daughterboard.

The major computation power on the motherboard comes from a Xilinx Spartan-3 XC3S2000 field-programmable gate array (FPGA). The motherboard is also equipped with a 100-mega-samples per second (MSPS), 14-bit, dual-channel analog-to-digital converter (ADC); a 400-MSPS, 16-bit, dual-channel digital-to-analog converter (DAC); and a Gigabit Ethernet port that can be connected to a host computer. There are some RF daughterboards available for USRP2. Among them, a newly developed RF daughterboard called wide bandwidth transceiver (WBX) covers a wide frequency band of 50 MHz to 2.2 GHz, with a nominal noise figure of 5–7 dB.

Signals are received and downconverted by USRP2 and its RF daughterboard. Subsequently, they are sent to a host computer for further processing through the Gigabit Ethernet. Most of the processing work is done by the host computer. Data to be transmitted are sent from the host computer to USRP2 through the same Gigabit Ethernet before they are upconverted and transmitted by USRP2 and its RF daughterboard.

A major advantage of USRP2 is that it works with GNU Radio [17], an open source software with plenty of resources for SDR and many users, which simplifies and eases the use of USRP2. On the other hand, USRP2 is not perfect. First, the Gigabit Ethernet connecting USRP2 and its host computer introduces random time delays. The operating system on the host computer may also introduce random time delays. According to our measurement, the response delay of USRP2 is in the range of several milliseconds to tens of milliseconds [18]. Such random response delay may be acceptable for half-duplex communications. However, in cognitive radio networks, full-duplex communications are desired, and random response delays may deteriorate the performance of cognitive radio networks. Second, USRP2 is usually used together with GNU Radio that runs on a host computer. When the instantaneous bandwidth of USRP2 increases, the CPU on the host computer becomes much busier. Therefore, a multicore CPU is desired, similar to what Virginia Tech has done to its network test bed. When the instantaneous bandwidth of USRP2 becomes wider and the processing tasks on GNU Radio become much more complex, a common CPU may not be competent enough for real-time processing.
5.2.1.2 Small Form Factor Software-Defined Radio Development Platform

The small form factor (SFF) SDR development platform (DP) provided by Lyrtech in collaboration with Texas Instruments (TI) and Xilinx is a self-contained platform consisting of three separate boards: digital processing module, data conversion module, and RF module, as shown in Figure 5.3 [19–21].

Figure 5.3 SFF SDR DP with low-band tunable RF module.

The digital processing module is designed based on TMS320DM6446 system-on-chip (SoC) from TI and Virtex-4 SX35 FPGA from Xilinx. The TMS320DM6446 SoC has a C64x+ digital signal processor (DSP) core running at 594 MHz together with an advanced reduced instruction set computing (RISC) machine (ARM9) core running at 297 MHz. The digital processing module also comes with a 10/100-Mbps Ethernet port. The data conversion module is equipped with a 125-MSPS, 14-bit, dual-channel ADC and a 500-MSPS, 16-bit, dual-channel DAC. It also has a Xilinx Virtex-4 LX25 FPGA. The low-band tunable RF module can be configured to have either 5- or 20-MHz bandwidth with working frequencies of 200–1,050 MHz for the transmitter and 200–1,000 MHz for the receiver. The nominal noise figure of this RF module is 5 dB. Other frequency bands may be covered by several other RF modules.

There are two favorable features of the SFF SDR DP for cognitive radio networks. One is that an SFF SDR DP is in SFF and can be moved easily. The other is that it is capable of supporting full-duplex communications. However, there are also two technical drawbacks of using it to build nodes for cognitive radio networks. One drawback is that its computing capacity is fixed, and it is not easy to upgrade to meet the demands of cognitive radio networks. The other drawback is the response time delay. According to our measurement, the response delay of an SFF SDR DP is about tens of milliseconds, and the delay is constant [18]. Such a nontrivial delay is undesirable for cognitive radio networks since it may deteriorate performance.

An SFF SDR DP can be viewed as an example of independent hardware platforms, whereas USRP2 is an example of computer-aided hardware platforms. A comparison between the two hardware platforms has been reported in Qiu et al. [12].
5.2.1.3 Wireless Open-Access Research Platform

The Wireless Open-Access Research Platform (WARP) developed by Rice University consists of an FPGA board and one to four radio boards [22], as shown in Figure 5.4. The second generation of the FPGA board has a Xilinx Virtex-4 FX100 FPGA and a Gigabit Ethernet port [23,24]. The FPGA can be used to implement the physical layer of wireless communications. There are PowerPC processors embedded in the FX100 FPGA that can be used to implement MAC and network layers. The radio board incorporates a dual-channel, 65-MSPS, 14-bit ADC and a dual-channel, 125-MSPS, 16-bit DAC, covering two frequency ranges of 2,400–2,500 MHz and 4,900–5,875 MHz, with a bandwidth of up to 40 MHz.

Figure 5.4 WARP FPGA board with two radio boards.

The WARP platform is also an SFF independent hardware platform, which is attractive for building the nodes of cognitive radio networks. The second advantage of using WARP is that both the physical layer and MAC layer can be implemented on one FPGA, which may simplify the board design, compared to an "FPGA + DSP/ARM" architecture. Hence, time delays introduced by the interface between FPGA and DSP/ARM can be reduced. However, according to Mango Communications [24], the Virtex-4 FPGA on WARP is not powerful enough to accommodate both transmitter and receiver functions at the same time. Thus, full-duplex communications desired by cognitive radio networks cannot be implemented using just one WARP platform.
5.2.1.4 Microsoft Research Software Radio

Microsoft Research has developed a software radio (Sora) platform [25]. Sora is composed of a radio control board (RCB) and a selectable RF board, and it works with a multicore host computer. The RCB is shown in Figure 5.5.

Figure 5.5 Sora radio control board.

The RCB contains a Xilinx Virtex-5 FPGA, and it interfaces with a host computer through a Peripheral Component Interconnect Express (PCIe) interface at a rate of up to 16.7 Gbps. Actually, the RCB is an interface board for transferring digital signals between the RF board and computer memory. The RF board can be a WARP radio board. Processing work, including physical layer and MAC layer, is done on the host computer.

Sora is a computer-aided platform. The main advantage of using Sora is that it provides a high-throughput interface between RF boards and a host computer. However, since processing work burdens the host computer, the host computer has to be very powerful to support all the functions running in real time. On the other hand, multicore programming and debugging with speed-up tricks is not easy. Moreover, implementing full-duplex communications on one host computer is challenging. Obviously, a host computer (or server) installed with Sora lacks mobility.
5.3 Innovative Test Bed for Cognitive Radio Networks and the Smart Grid

All of the four hardware platforms mentioned are designed for SDR. Two of them connect to a host computer where major processing work is done. The other two are stand-alone hardware platforms. From the aspect of mobility, stand-alone platforms are preferable for building the nodes of cognitive radio networks, whereas from the aspect of software development, computer-aided hardware platforms are more practical since software development and debugging on a host computer are generally easier. In Chowdhury and Melodia [26], a compromise between the two kinds of hardware platforms is suggested. The authors recommended performing time-critical tasks in the FPGA and a split MAC design with host and FPGA implementations.

However, compared to the hardware platforms for SDR, the major concerns about hardware platforms for cognitive radio networks are computing power and response time delay. Cognitive radio introduces "intelligence" beyond SDR, like detection and learning algorithms, which means cognitive radio requires much more computing power than SDR. A hardware platform with ample and upgradable computing power is desired for building cognitive radio test beds. On the other hand, the desired hardware platform should have minimum response time delay. If the response time delay is large, the throughput of cognitive radio networks will seriously degrade. Moreover, full-duplex communications for the desired hardware platforms are preferable.

Unfortunately, none of the existing off-the-shelf hardware platforms can meet these requirements at the same time. They are originally designed for SDR instead of cognitive radio networks. It is imperative to design a new hardware platform for building the nodes of cognitive radio networks.

An innovative cognitive radio network test bed is being built at Tennessee Technological University [12,27]. The idea of applying a cognitive radio network test bed to the smart grid was developed there in the middle of 2009 in a funded research proposal [28]. Subsequently, this idea has been strengthened [10,12,29–31]. The objective of this test bed is to achieve the convergence of cognitive radio and the smart grid [32].

The cognitive radio network test bed being built is unique and real-time oriented. It is designed to provide much more stand-alone computing power and reduce the response time delay. The cognitive radio network test bed is comprised of tens of nodes, with each node based on a self-designed motherboard, and commercial RF boards. On the self-designed motherboard, there are two advanced and powerful FPGAs that can be flexibly configured to implement any function. Therefore, this network test bed can be readily applied to the smart grid.
5.3.1 Motherboard for the New Hardware Platform
In this section, an architecture for the motherboard of the new hardware platform is given. Regarding the RF front end, existing RF boards from WARP or USRP2 can be reused to interface with this motherboard to constitute the new hardware platform.

Figure 5.6 shows the corresponding architecture of the first-generation new motherboard and its major components. Two powerful FPGAs (i.e., a Virtex-6 FPGA and a Virtex-5 FX FPGA) are employed as core components on the motherboard. All the functions for the physical and MAC layers are implemented on the two FPGAs, and no external host computer is required. This novel hardware platform stands alone; thus, it has good mobility. The Virtex-5 FX FPGA has PowerPC cores that are dedicated for implementing the MAC layer. Physical-layer functions, including spectrum sensing, are implemented on the two FPGAs. The Virtex-5 FPGA is used for the transmitting data path, and it is connected to one or two RF boards as well as a Gigabit Ethernet port. The Virtex-6 FPGA is dedicated for the receiving data path, with connections to one or two RF boards and an extension port. The extension port can be used to connect with external boards to gain access to additional computing resources. The two FPGAs are connected together by a high-throughput, low-latency onboard bus. Both of the FPGAs have access to their own external memories. The use of two FPGAs is a trade-off between performance and cost.

The new motherboard can provide enough and upgradable computing resources for cognitive radio networks. In addition, the time delays between the two FPGAs are trivial. Moreover, full-duplex communications are easily supported by this motherboard with two or more RF boards.
5.3.2 Functional Architecture for Building Nodes for Network Test Beds
Based on the new motherboard described in the previous section and off-the-shelf RF boards, nodes for network test beds can be implemented using the following functional architecture, as shown in Figure 5.7: The hardware abstraction layer (HAL) is a packaged interface for upper-level functions that screens hardware-specific details. It provides data interfaces to both receiving data and transmitting data paths, as well as an access interface to other hardware-specific resources on the hardware platform. The spectrum and channel manager manages all the spectrum- and channel-related resources, including links, frequencies, and modulation methods. There are several functional modules interfaced with the spectrum and channel manager. The spectrum detection and prediction module provides the information regarding the availability of some frequency bands. The decision-making module utilizes decision algorithms to make decisions such as which channel will be used and when it will be used. More learning algorithms can be implemented as an independent module to learn and reason from the inputs. The geolocation module outputs the latitude and longitude of the node. The spectrum and channel manager can use such geolocation information to load prior information about current location from the knowledge/policy/data database. The routing manager employs routing algorithms to select the best route for sending and relaying data packages. The data manager organizes all the data from upper-level applications and the data to be relayed. The security manager provides encryption and decryption to the data manager, routing manager, and spectrum and channel manager. The knowledge/policy/data database stores prior knowledge, policies, data, and experiences. After the nodes are built, a network test bed is ready to be established.

Figure 5.6 Architecture of the motherboard for the new hardware platform. Blocks shown: radio boards (RF + ADC) Rx 1 and Rx 2; radio boards (RF + DAC) Tx 1 and Tx 2; Virtex-6 FPGA (Rx); Virtex-5 FPGA with PowerPC (Tx); memory (RAM 1, RAM 2); flash memory (Flash 1, Flash 2); Gigabit Ethernet; extension port.

Figure 5.7 Functional architecture for the nodes. Blocks shown: Hardware Platform; Hardware Abstraction Layer (HAL); Spectrum and Channel Manager; Knowledge/Policy/Data Base; Routing Manager; Data Manager; Applications; Security Manager; Spectrum Detection and Prediction; Decision Making; Other Learning Algorithms; Geolocation.
5.3.3 Innovative Network Test Bed
Multiple nodes constitute a network test bed. Figure 5.8 shows the innovative network test bed.

Figure 5.8 Innovative network test bed. Blocks shown: Console; Gigabit Ethernet Switch; Gigabit Ethernet links to Node 1, Node 2, Node 3, ..., Node N.

All the nodes are connected using Gigabit Ethernet to a console computer through an Ethernet switch. The console computer controls and coordinates all the nodes in the network test bed. This network test bed can be used not only for cognitive radio, but also for the smart grid. In smart grid applications, nodes of the network test bed implement microgrid central controllers, smart meters, or submeters. Adaptive wireless communications are incorporated into the nodes, and information can be exchanged between microgrid central controllers, smart meters, and submeters.
5.4 Cognitive Algorithms for the Smart Grid

5.4.1 Dimensionality Reduction and High-Dimensional Data Processing in Cognitive Radio Networks

In cognitive radio networks, data exist in a significant amount. However, in practice, the data are highly correlated. This redundancy in the data increases the overhead of cognitive radio networks for data transmission and data processing. In addition, the number of degrees of freedom (DoF) in large-scale cognitive radio networks is limited. The DoF of a K user M × N multiple input multiple output (MIMO) interference channel has been discussed [33]. The total number of DoF is equal to $\min(M,N) \cdot K$ if $K \le R$, and

$$\min(M,N) \cdot \frac{R}{R+1} \cdot K$$

if $K > R$, where

$$R = \frac{\max(M,N)}{\min(M,N)}.$$

This is achieved based on interference alignment [34–36]. Theoretical analysis about DoF in cognitive radio has been presented [37,38]. The DoF corresponds to the key variables or key features in the network. Processing the high-dimensional data instead of the key variables will not enhance the performance of the network. In some cases, this could even degrade the performance. Hence, compact representation of the data using dimensionality reduction is critical in cognitive radio networks.
5.4.1.1 Dimensionality Reduction Methods

Dimensionality reduction [39–42] finds a low-dimensional embedding of high-dimensional data. Three dimensionality reduction methods can be employed: both linear methods such as principal component analysis (PCA) [43] and nonlinear methods such as kernel PCA (KPCA) [44], and landmark maximum variance unfolding (LMVU) [45,46]. If we assume the original high-dimensional data as a set of M samples $x_i \in R^N$, $i = 1, 2, \cdots, M$, then the reduced low-dimensional samples of $x_i$ are $y_i \in R^K$, $i = 1, 2, \cdots, M$, where $K \ll N$. $x_{ij}$ and $y_{ij}$ are component-wise elements in $x_i$ and $y_i$, respectively.

PCA [43] is the best-known linear dimensionality reduction method; it performs linear mapping of the high-dimensional data to a low-dimensional space such that the variance of the low-dimensional data is maximized. In reality, the covariance matrix of the data is constructed, and the eigenvectors of this matrix are computed. The covariance matrix of $x_i$ can be obtained as

$$C = \frac{1}{M} \sum_{i=1}^{M} (x_i - u)(x_i - u)^T \qquad (5.1)$$

where

$$u = \frac{1}{M} \sum_{i=1}^{M} x_i$$

is the mean of the given samples, and T denotes the transpose operator.

The eigenvectors corresponding to the largest eigenvalues can be exploited to obtain a large portion of the variance of the original data. The original high-dimensional space can be reduced to a space spanned by a few dominant eigenvectors. PCA works well for the high-dimensional data with linear relationships but always fails in a nonlinear scenario. PCA can be applied in the nonlinear situation by a kernel [47–50], called KPCA [44]. KPCA is therefore a kernel-based machine learning algorithm. It uses the kernel function, which is the same as the support vector machine (SVM), to implicitly map the original data to a feature space F where PCA can be applied.
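The PCA procedure above (the covariance matrix of Eq. 5.1, then projection onto the dominant eigenvectors), worked through as an added example that is not part of the original chapter. The slot data are constructed, the function names are hypothetical, and power iteration with deflation is used here in place of a general eigensolver.

```python
import math
import random

def covariance(samples):
    """Return (u, C): mean u and C = (1/M) sum_i (x_i - u)(x_i - u)^T, as in Eq. (5.1)."""
    m, n = len(samples), len(samples[0])
    u = [sum(x[j] for x in samples) / m for j in range(n)]
    c = [[0.0] * n for _ in range(n)]
    for x in samples:
        d = [x[j] - u[j] for j in range(n)]
        for a in range(n):
            for b in range(n):
                c[a][b] += d[a] * d[b] / m
    return u, c

def dominant_eigenpairs(c, k, iters=300):
    """Top-k (eigenvalue, unit eigenvector) pairs of a symmetric PSD matrix.

    Power iteration finds the largest pair; deflation removes it so the
    next pass converges to the following one.
    """
    n = len(c)
    work = [row[:] for row in c]
    pairs = []
    for _ in range(k):
        v = [1.0 / math.sqrt(n)] * n
        for _ in range(iters):
            w = [sum(work[a][b] * v[b] for b in range(n)) for a in range(n)]
            norm = math.sqrt(sum(t * t for t in w))
            if norm < 1e-12:          # nothing left in this direction
                break
            v = [t / norm for t in w]
        lam = sum(v[a] * sum(work[a][b] * v[b] for b in range(n)) for a in range(n))
        pairs.append((lam, v))
        for a in range(n):
            for b in range(n):
                work[a][b] -= lam * v[a] * v[b]
    return pairs

def project(samples, u, vectors):
    """y_i = V^T (x_i - u): each N-dimensional sample reduced to K coordinates."""
    return [[sum(v[j] * (x[j] - u[j]) for j in range(len(u))) for v in vectors]
            for x in samples]

def make_slots(m=200, n=13, seed=7):
    """Constructed data: m sensing slots of n spectral points; even-numbered slots are busy."""
    rng = random.Random(seed)
    half = n // 2
    shape = [1.0 + 0.5 * math.cos(math.pi * (j - half) / half) for j in range(n)]
    slots, busy = [], []
    for i in range(m):
        amp = rng.uniform(5.0, 10.0) if i % 2 == 0 else 0.0
        slots.append([amp * s + rng.uniform(0.0, 1.0) for s in shape])
        busy.append(i % 2 == 0)
    return slots, busy

def reduce_slots(k=2):
    """Reduce the constructed N = 13 slot vectors to K = k principal coordinates."""
    slots, busy = make_slots()
    u, c = covariance(slots)
    pairs = dominant_eigenpairs(c, k)
    total_var = sum(c[j][j] for j in range(len(c)))   # trace(C) is the total variance
    explained = sum(lam for lam, _ in pairs) / total_var
    y = project(slots, u, [v for _, v in pairs])
    return pairs, explained, y, busy

if __name__ == "__main__":
    pairs, explained, y, busy = reduce_slots()
    print("eigenvalues:", [round(lam, 3) for lam, _ in pairs])
    print("share of variance kept by 2 of 13 dimensions: %.4f" % explained)
```

On this data the first principal coordinate alone separates busy slots from idle ones, which is the redundancy argument of Section 5.4.1 in miniature.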
Other nonlinear techniques for dimensionality reduction include manifold learning techniques. Within the framework of manifold learning, the current trend is to learn the kernel using semidefinite programming (SDP) [51–55] instead of defining a fixed kernel. The most prominent example of such a technique is MVU (maximum variance unfolding) [45]. MVU can learn the inner product matrix of $y_i$ automatically by maximizing their variance, subject to the constraints that $y_i$ are centered and local distances of $y_i$ are equal to the local distances of $x_i$. Here, the local distances represent the distances between $y_i$ ($x_i$) and its k nearest neighbors, in which k is a parameter. The corresponding SDP can be cast into the following form [45]:

$$\begin{aligned}
&\text{maximize} && \operatorname{trace}(I) \\
&\text{subject to} && I \succeq 0, \\
& && \sum_{ij} I_{ij} = 0, \\
& && I_{ii} - 2I_{ij} + I_{jj} = D_{ij}, \ \text{when } \eta_{ij} = 1
\end{aligned} \qquad (5.2)$$

where I is an inner product matrix of $y_i$, $D_{ij} = \|x_i - x_j\|^2$, and $I \succeq 0$ implies that I is a positive semidefinite (PSD) matrix.
LMVU [46] is a modified version of MVU that aims to solve problems on a larger scale compared to MVU. It uses the inner product matrix A of randomly chosen landmarks from $x_i$ [46] to approximate the full matrix I, in which the size of A is much smaller than I. In this way, the speed of computing is increased.
5.4.1.2 Spectrum Monitoring Using Dimensionality Reduction and Support Vector Machine with Experimental Validation

Spectrum monitoring is one of the most challenging and critical tasks in cognitive radio networks. In this section, the feasibility of applying dimensionality reduction to the cognitive radio network is studied by presenting an experimental validation. The preliminary results [56] illustrate how to extract the intrinsic dimensionality of Wi-Fi signals by recent breakthroughs in dimensionality reduction techniques. This is a new trend in cognitive radio networks for spectrum monitoring, which differs from traditional spectrum-sensing techniques such as energy detection, matched filter detection, and cyclo-stationary feature detection [57–59].

Wi-Fi time domain signals have been measured and recorded using an advanced digital phosphor oscilloscope (DPO), a Tektronix DPO72004 [60]. The DPO supports a maximum bandwidth of 20 GHz and a maximum sampling rate of 50 GS/s. It is capable of recording up to 250 M samples per channel. In the measurements, a laptop accesses the Internet through a wireless Wi-Fi router, as shown in Figure 5.9. An antenna with a frequency range of 800 to 2,500 MHz is placed near the laptop and connected to the DPO. The sampling rate of the DPO is set to 6.25 GS/s. Recorded time domain Wi-Fi signals are shown in Figure 5.10. The duration of the recorded Wi-Fi signals is 40 ms.

The recorded 40-ms Wi-Fi signals are divided into 8,000 slots, with each slot lasting 5 μs. These slots can be viewed as spectrum-sensing slots. The time domain Wi-Fi signals within the first 1 μs of every slot are then transformed into the frequency domain using the fast Fourier transform (FFT), which is equivalent to FFT-based spectrum sensing. The frequency band of 2.411–2.433 GHz is considered. The resolution in the frequency domain is 1 MHz. Therefore, for each slot, 23 points in the frequency domain can be obtained, of which 13 points will be selected in the following experiment.

SVM is exploited to classify the states (busy $l_i = 1$ or idle $l_i = 0$) of the measured Wi-Fi data with or without dimensionality reduction, given the true states. SVM will classify the states of the spectrum data at different time slots.

The DOF of the Wi-Fi frequency domain signals is extracted from the original 13 dimensions. The flowchart of the SVM processing combined with dimensionality reduction methods is shown in Figure 5.11. The false alarm rate obtained by combining SVM with dimensionality reduction and employing only SVM is shown in Figure 5.12.
Figure 5.9 Setup for the measurement of Wi-Fi signals. [Diagram blocks: Access Point, Laptop, DPO (Data Acquisition), PC (Postprocessing).]

Figure 5.10 Recorded Wi-Fi signals in time domain. [Plot: Amplitude (V) versus Time (ms).]

Figure 5.11 The flowchart of SVM combined with dimensionality reduction. [Diagram blocks: Time Domain Signals, FFT, Dimension Reduction, SVM, Labels; signal labels: $x_i$, $y_i$, $l_i$.]
The original dimension of the frequency domain data varies from 1 to 13 for the SVM method. In addition, the SVM method is applied to the data with the extracted dimensions from 1 to 13, obtained by dimensionality reduction.

Experimental results showed that with dimensionality reduction, the performance was much better than that without dimensionality reduction.

Figure 5.12 False alarm rate. [Plot: False Alarm Rate (× 10^−4) versus Dimension; curves: SVM, PCA with SVM, KPCA with SVM, LMVU with SVM.]

5.4.2 Robust Principal Component Analysis

In many practical problems, the collected data can be organized in matrix form. Usually, the size of the matrix is huge. However, the DOF of the matrix are finite, which means the matrix is low rank.

A well-known low-rank matrix approximation algorithm is PCA [61]. If the observation matrix is R, PCA finds a low-rank approximation of the original matrix R by solving the optimization model

$$\min_{L} \|R - L\|, \quad \text{subject to } \operatorname{rank}(L) \le r \qquad (5.3)$$

in which $\|\cdot\|$ is the spectral norm of a matrix (the largest singular value of the matrix). PCA finds the optimal low-rank approximation in the least-square sense. This problem can be simply solved by singular value decomposition (SVD). However, an intrinsic drawback of PCA is that it can work efficiently only when the low-rank matrix is corrupted with independent and identically distributed (i.i.d.) Gaussian noise. That is, PCA is suitable for the model of

$$R = L + N \qquad (5.4)$$

in which L is the low-rank matrix, and N is the i.i.d. Gaussian noise matrix. However, it will fail when some of the entries in L are grossly corrupted,

$$R = L + S \qquad (5.5)$$

in which L is still the low-rank matrix, but the matrix S is a sparse matrix with arbitrarily large magnitude, and the number of nonzero entries is m.
The problem of recovering the low-rank matrix from a grossly corrupted observation matrix has been solved efficiently by the relaxed convex optimization model (principal component pursuit) [62]:

$$\min_{L,S} \|L\|_* + \lambda \|S\|_1, \quad \text{subject to } R = L + S, \qquad (5.6)$$

in which $\|\cdot\|_*$ represents the nuclear norm of a matrix (sum of the singular values), $\|\cdot\|_1$ denotes the sum of the absolute values of matrix entries, and λ is a trade-off parameter. It has been thoroughly investigated [62,63] that as long as S is sparse enough, the formulated optimization problem (5.6) can exactly recover the low-rank matrix L. This kind of problem has been traditionally called robust PCA [62–64], which is closely related to, but harder than, the famous problem of matrix completion [65–70].
One of the requirements for robust PCA is that the low-rank matrix cannot be sparse at the same time. An incoherence condition defined in Candès and Tao [65] and Candès and Recht [66] with parameter μ states that the singular vectors of L satisfy the following two assumptions:

$$\max_i \|U^H e_i\|^2 \le \frac{\mu r}{M}, \qquad \max_i \|V^H e_i\|^2 \le \frac{\mu r}{L} \qquad (5.7)$$

and

$$\|UV^H\|_\infty \le \sqrt{\frac{\mu r}{ML}} \qquad (5.8)$$

where $\|\cdot\|_\infty$ is the maximum absolute value of all the entries in the matrix, H denotes conjugate transpose, and $e_i$ is the canonical basis vector in Euclidean space. The matrices are $U = [u_1, u_2, \cdots, u_r]$ and $V = [v_1, v_2, \cdots, v_r]$. $u_i$, $i = 1, 2, \cdots, r$ and $v_i$, $i = 1, 2, \cdots, r$ are the left and right singular vectors obtained by performing SVD on L:

$$L = \sum_{i=1}^{r} \sigma_i u_i v_i^H, \qquad (5.9)$$

where $\sigma_i$, $i = 1, 2, \cdots, r$ are positive singular values, and L is a rank r matrix with size M × L. The incoherence condition implies that the entries in the singular vectors $u_i$, $i = 1, 2, \cdots, r$ and $v_i$, $i = 1, 2, \cdots, r$ are spread out.
A theorem based on the two assumptions in (5.7) and (5.8) has been proposed and proved [62] and is stated as follows:

Theorem 1 [62]. Suppose L is a rectangular matrix of size M × L; there is a numerical constant c such that principal component pursuit with $\lambda = 1/\sqrt{M_{(1)}}$ succeeds with probability at least $1 - cM_{(1)}^{-10}$, provided that

$$\operatorname{rank}(L) \le \rho_r M_{(2)} \mu^{-1} (\log M_{(1)})^{-2} \qquad (5.10)$$

$$m \le \rho_s M L, \qquad (5.11)$$

The matrix L obeys (5.7) and (5.8), and the support set of S is uniformly distributed among all sets of cardinality m, in which $M_{(1)} = \max(M, L)$, $M_{(2)} = \min(M, L)$; $\rho_r$ and $\rho_s$ are positive numerical constants.

The theorem states that the low-rank matrix L and sparse matrix S (with arbitrarily large magnitude) can be exactly recovered from the observation matrix R = L + S with very large probability once the assumptions of the theorem are satisfied, that is, $\hat{L} = L$ and $\hat{S} = S$ are exact. The original low-rank and sparse matrices are expressed by L and S, respectively. The recovered (extracted) low-rank and sparse matrices are expressed by $\hat{L}$ and $\hat{S}$, respectively.
In the presented simulations, the inexact augmented Lagrange multiplier (IALM) [71] method is employed to recover the sparse component S and the low-rank component L from the observation matrix R. The parameters for the IALM algorithm are set identical to the default values of the code, which can be downloaded from the website [72]. The errors between the recovered and the original matrices are computed by

$$\frac{\|\hat{L} - L\|_F}{\|L\|_F}, \qquad \frac{\|\hat{S} - S\|_F}{\|S\|_F}. \qquad (5.12)$$
The simulation results are based on the theoretical covariance matrix of a random process

$$y(n) = x(n) + w(n), \qquad (5.13)$$

in which

$$x(n) = \sum_{l=1}^{L} A_l \sin(2\pi f_l nT + \theta_l), \qquad (5.14)$$

x(n) and w(n) are assumed to be independent, and w(n) is added zero-mean white noise.

The Mth order covariance matrix of this process is

$$R_{yy} = R_{xx} + \sigma^2 I, \qquad (5.15)$$

where $\sigma^2 I$ denotes the covariance matrix of noise with power spectral density $\sigma^2$ and $R_{xx}$ denotes the covariance matrix of random signal. I represents the Mth order identity matrix.

The Mth order covariance matrix for x(n) can be written as [73]

$$R_{xx} = \sum_{l=1}^{L} \frac{A_l^2}{4}\left[ e_M(f_l)\, e_M^H(f_l) + e_M^*(f_l)\, e_M^T(f_l) \right] \qquad (5.16)$$

where H denotes complex conjugate transposition, * denotes complex conjugation, and

$$e_M(f_l) = \begin{bmatrix} 1 \\ \exp(j2\pi f_l T) \\ \vdots \\ \exp(j2\pi f_l (M-1)T) \end{bmatrix}. \qquad (5.17)$$

The rank of matrix (5.16) is 2L.

From (5.15), the theoretical covariance matrix $R_{yy}$, which is the observation matrix R here, is comprised of the sparse component $\sigma^2 I$ expressed by S and low-rank component $R_{xx}$ expressed by L with rank 2L. Robust PCA can be explored to separate the low-rank and sparse components from observation matrix R.

First, considering the case of L = 1, $A_l = 1$, $f_l = 0.02l$, T = 1 of (5.14), and the order of covariance matrix M = 128, the results obtained by applying the IALM algorithm to the matrix $R_{yy}$ are shown in Figure 5.13.

Corresponding results achieved by applying the IALM algorithm to the matrix $R_{yy}$ of L = 3, $A_l = 1$, $f_l = 0.02l$, T = 1 of (5.14) and the order of covariance matrix M = 128 are shown in Figure 5.14.
Figure 5.13 Errors between extracted and original matrices of one real sinusoidal function. [Plot: Corresponding Errors versus The PSD of the White Gaussian Noise in dB; curves: Error between low rank matrix, Error between sparse matrix.]

Based on Figures 5.13 and 5.14, it can be seen that even if the power spectral density of white noise increases to 70 dB (approximated value), the IALM algorithm can still separate the low-rank and sparse components from the observation matrix R successfully via theoretical analysis.
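The separation described in this section, as an added example (not the book's simulation code and not the IALM package cited as [72]): it builds $R_{yy} = R_{xx} + \sigma^2 I$ from (5.15) and (5.16) for $A_l = 1$, $f_l = 0.02l$, T = 1, M = 128, solves principal component pursuit (5.6) with $\lambda = 1/\sqrt{M}$, and compares the result with a plain rank-2L PCA truncation. The IALM settings (mu, rho, tolerance), the mapping of the noise level in dB to $\sigma^2 = 10^{\mathrm{dB}/10}$, and all function names are assumptions; NumPy is required.

```python
import numpy as np


def sinusoid_covariance(M, amps, freqs, T=1.0):
    """R_xx of (5.16): entry (i, j) = sum_l (A_l^2 / 2) cos(2*pi*f_l*(i - j)*T)."""
    lag = np.subtract.outer(np.arange(M), np.arange(M))
    R = np.zeros((M, M))
    for A, f in zip(amps, freqs):
        R += 0.5 * A ** 2 * np.cos(2 * np.pi * f * lag * T)
    return R


def soft_threshold(X, tau):
    """Entrywise shrinkage, the proximal operator of tau * ||.||_1."""
    return np.sign(X) * np.maximum(np.abs(X) - tau, 0.0)


def ialm_rpca(R, tol=1e-7, max_iter=500, rho=1.5):
    """Principal component pursuit (5.6) by an inexact augmented Lagrange method.

    lam = 1/sqrt(max(M, L)) as in Theorem 1; mu, rho and tol are assumed settings.
    """
    lam = 1.0 / np.sqrt(max(R.shape))
    norm_two = np.linalg.norm(R, 2)                 # spectral norm of R
    norm_fro = np.linalg.norm(R, "fro")
    Y = R / max(norm_two, np.abs(R).max() / lam)    # initial dual variable
    mu = 1.25 / norm_two
    mu_max = mu * 1e7
    L = np.zeros_like(R)
    S = np.zeros_like(R)
    for _ in range(max_iter):
        # Sparse update: shrink the entries of the residual.
        S = soft_threshold(R - L + Y / mu, lam / mu)
        # Low-rank update: shrink the singular values of the residual.
        U, s, Vt = np.linalg.svd(R - S + Y / mu, full_matrices=False)
        L = (U * np.maximum(s - 1.0 / mu, 0.0)) @ Vt
        Z = R - L - S                               # constraint violation
        Y = Y + mu * Z
        mu = min(mu * rho, mu_max)
        if np.linalg.norm(Z, "fro") / norm_fro < tol:
            break
    return L, S


def pca_low_rank(R, r):
    """Plain PCA: best rank-r approximation of R by truncated SVD, as in (5.3)."""
    U, s, Vt = np.linalg.svd(R)
    return (U[:, :r] * s[:r]) @ Vt[:r]


def separation_errors(n_sines=1, noise_db=20.0, M=128):
    """Relative errors of (5.12) for R_yy = R_xx + sigma^2 I (constructed input)."""
    freqs = [0.02 * l for l in range(1, n_sines + 1)]
    L_true = sinusoid_covariance(M, [1.0] * n_sines, freqs)
    S_true = 10 ** (noise_db / 10) * np.eye(M)      # assumed dB-to-power mapping
    R = L_true + S_true
    L_hat, S_hat = ialm_rpca(R)
    L_pca = pca_low_rank(R, 2 * n_sines)

    def rel(est, ref):
        return np.linalg.norm(est - ref) / np.linalg.norm(ref)

    sv = np.linalg.svd(L_hat, compute_uv=False)
    return {
        "rpca_low_rank": rel(L_hat, L_true),
        "rpca_sparse": rel(S_hat, S_true),
        "pca_low_rank": rel(L_pca, L_true),
        "rank": int(np.sum(sv > 1e-3 * sv[0])),
    }


if __name__ == "__main__":
    for n in (1, 3):   # the two cases of Figures 5.13 and 5.14
        print(n, separation_errors(n_sines=n))
```

The truncated-SVD result keeps the noise power inside its two retained singular values, which is why its low-rank error stays large while principal component pursuit moves the whole diagonal term into the sparse component.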
In the next section, the robust PCA algorithm is employed as a preprocessing technique to mitigate strong wideband interference before applying the ICA approach for recovering the wireless smart meter transmissions.
Figure 5.14 Errors between extracted and original matrices of three real sinusoidal functions. [Plot: Corresponding Errors versus The PSD of the White Gaussian Noise in dB; curves: Error between low rank matrix, Error between sparse matrix.]

5.4.3 Independent Component Analysis with Robust PCA Preprocessing for Recovery of Smart Meter Wireless Transmissions in the Presence of Strong Wideband Interference

Smart meters form an integral part of the smart grid. A smart meter is an electrical meter that records power consumption at regular intervals and communicates, either through power line communications or wireless transmissions, that information to the utility company for monitoring and billing purposes. Since the vision of a wireless cognitive radio network for the smart grid is presented in this chapter, smart meters equipped with wireless transmitters are considered. In this regard, the concept of ICA in combination with the robust PCA technique is presented as a possible approach to recover the simultaneous smart meter wireless transmissions in the presence of strong wideband interference.
5.4.3.1 Independent Component Analysis Signal Model and Receiver Block Diagram

Independent component analysis is a statistical signal-processing method for extracting underlying independent components from multidimensional data [74–77]. In Liao and Niebur [78], ICA was also applied to load profile estimation in electric transmission networks. ICA is very closely related to the method called blind source separation (BSS) or blind signal separation [79–81]. The term blind refers to the fact that we have little or no knowledge about the system that induces mixing of the source signals.

In a smart meter network, it is critical to accurately recover the smart meter wireless transmissions at the central node or access point (AP). In achieving this objective, one of the foremost challenges is the robustness of the data recovery in the presence of strong wideband interference due to easy access of the wireless data to unauthorized personnel and inadequacy of existing physical-layer security measures. In this section, a blind estimation approach to smart meter data recovery is presented by applying a complex ICA technique [82] in combination with the recently developed robust PCA algorithm [62] for interference mitigation and security enhancement.

In a smart meter network, each smart meter measures the current load at regular intervals and conveys that information to the control center at the power utility station. In this section, a wireless smart meter network is assumed in which each smart meter is equipped with a wireless transmitter, and the AP at the power utility control center collects all the wireless transmissions for processing the information. Since an ICA-based algorithm is used for recovery of the wireless smart meter data, the smart meters can transmit their information simultaneously. In Husheng et al. [83], the concept of compressed sensing [84,85] was exploited to recover the sparse smart meter data transmissions by applying the basis pursuit algorithm [86]. However, in Husheng et al., it was assumed that the AP has accurate knowledge of the channel flat fading parameters from the channel estimation period of the data frame. In this section, an ICA-based blind estimation approach is applied by exploiting the statistical properties of the source signals. As a result, channel estimation in each data frame can be avoided, thereby allowing more information to be sent in each frame. Furthermore, to enhance the security of transmitted data, recovery of the wireless smart meter transmissions in the presence of strong wideband interference is also considered. In this regard, the recently developed method of robust PCA can be used [62,71]. The robust PCA method exploits the low-rank and sparseness property of the autocorrelation matrices of the smart meter signal and wideband interferer, respectively, to effectively separate them prior to ICA processing.
The smart meter network is assumed to consist of N smart meters controlled by an AP, similar to the illustration given in Husheng et al. [83]. The channel parameters are assumed to be static over the transmission period, with Rayleigh flat fading characteristics. The data transmission section in the frame is divided into several time slots during which the active smart meters can simultaneously transmit their readings. Mathematically, the signal matrix Z received by the AP can be expressed as the following linear ICA signal model:

$$Z = HPX + W \qquad (5.18)$$

H is the Rayleigh flat fading channel matrix between the meters and the AP, P is the pseudorandom spreading code matrix for the meters, X is the source signal matrix transmitted by the meters, and W is the additive white Gaussian noise (AWGN). The spreading code is known only to the AP and meters and is unique for each meter. Replacing HP by the matrix A, (5.18) becomes

$$Z = AX + W \qquad (5.19)$$

In the context of ICA, A is called the mixing matrix. The objective of ICA is to recover X by estimating a matrix $\hat{A}$ that approximates the inverse of A. Subsequently, an estimate of the source signal matrix $\hat{X}$ can be obtained, as given by the following equation:

$$\hat{X} = \hat{A}Z \qquad (5.20)$$

In contrast to the popular carrier sense multiple access (CSMA) protocol, which uses a random back-off to avoid collisions in transmissions, the significant advantage of employing an ICA-based approach is that it enables simultaneous transmission for the smart meters. This eliminates the problem of incurring significant delay in data recovery. Furthermore, since ICA is a "blind" estimator, it does not need any prior knowledge of the channel or the pseudorandom noise (PN) code matrix. As long as the smart meter transmissions are independent, which is always the case since the meters are spatially separated, ICA can exactly recover all the smart meter signals.
In this section, smart meter data recovery in the presence of strong wideband interference is also addressed. Hence, in the event of strong interference, (5.19) becomes

$$Z = AX + W + Y \qquad (5.21)$$

Since Y is not part of the signal mixing model AX, ICA algorithms cannot recover the source signals X in the presence of the interferer. Hence, it is imperative to separate Y from the observation matrix Z before any ICA method can be applied. To accomplish this, the second-order statistics of the signal and interferer are exploited. In particular, the autocorrelation function of each row of Z is computed. Rewriting (5.21) in terms of the autocorrelation matrices, we obtain

$$R = L + S + E \qquad (5.22)$$

In (5.22), L is the low-rank autocorrelation matrix of the signal mixture, S is the sparse autocorrelation matrix of the wideband interferer consisting of only diagonal entries, and E is the autocorrelation matrix of the AWGN component. Therefore, (5.22) can be written as

$$R = L + \sigma_{int}^2 I + E \qquad (5.23)$$

where $\sigma_{int}$ is the power of the interferer, and I is the identity matrix. In this manner, (5.22) exactly fits the robust PCA matrix model described in the previous section [62]. Therefore, the robust PCA technique can be readily applied to recover the low-rank signal autocorrelation matrix from the sparse interferer autocorrelation matrix. This procedure is repeated for all the rows of the observation matrix Z. Therein, once the interferer Y is separated from Z, the signal model becomes similar to (5.19), and ICA can be applied to recover the source signals or smart meter transmissions X.

The baseband block diagram of the ICA-based receiver (central node or AP) is shown in Figure 5.15. The various stages of a typical receiver, such as downconversion, analog-to-digital conversion, synchronization, and so on, are assumed to be completed prior to the data recovery stage in the illustrated receiver.
5.4.4 Simulation Results Using the Robust PCA-ICA Approach
Typically, in a smart meter network, only a few meters would be actively transmitting their data. As a result, the sparsity of the smart meter data transmission to the central processing node or AP was exploited [83] for applying the principle of compressed sensing. In this section, it is assumed that in a smart meter network, N = 10 meters are simultaneously transmitting in quadrature phase shift keying (QPSK) modulation format. As a result of the transmitted data being complex valued, a complex FastICA separation algorithm with a saddle point test called FicaCPLX [82] is used for the blind recovery of source signals. Since ICA is a block-based technique, the processing block length (number of columns of Z) is assumed to be 1,000 symbols. The performance of the robust PCA-ICA approach is studied for different values of $\sigma_{int}^2$ from 1 to 5. The signal-to-noise ratio (SNR) is set at 20 dB. The signal-to-interference ratio (SIR) [87] is used as the measure of performance and is given by the following equation:

$$\mathrm{SIR} = \frac{1}{2N}\sum_{m}\left(\sum_{n}\frac{|p_{mn}|^2}{\max|P_m|^2} - 1\right) + \frac{1}{2N}\sum_{n}\left(\sum_{m}\frac{|p_{mn}|^2}{\max|P_n|^2} - 1\right) \qquad (5.24)$$

where $P = \hat{A}A$ is the permutation matrix of order N, in our case, a 10 × 10 matrix. Here, $\max|P_m|$ and $\max|P_n|$ are the absolute maximum values of the mth row and nth columns of P, respectively. Ideally, P should be a permutation matrix consisting of only ones. However, due to the amplitude ambiguity introduced by the ICA technique, the recovered signals have to be scaled accordingly. This can be accomplished by including a small preamble at the beginning of each frame. The SIR (dB) achieved by the ICA algorithm FicaCPLX, with and without the robust PCA method for different $\sigma_{int}^2$, is shown in Figure 5.16. The constellation plots for the smart meter 1 QPSK signal before and after applying the FicaCPLX algorithm are shown in Figures 5.17 and 5.18, respectively.

Figure 5.15 ICA-based receiver for smart meter data recovery. [Diagram: for each of Antenna 1, Antenna 2, …, Antenna M, the blocks Calculate autocovariance, Robust PCA (recover low-rank signal autocovariance matrix), and Recover signal vector; a Complex ICA algorithm block; and per-branch blocks Permutation, gain, and sign ambiguity correction and Symbol Decoding.]
Figure 5.16 SIR (dB) versus $\sigma_{int}^2$ for QPSK modulation. [Plot: SIR (dB) versus Strength of Interferer; curves: ICA with robust PCA, ICA w/o robust PCA.]

Figure 5.17 QPSK scatterplot before applying ICA. [Plot: Imaginary versus Real.]

Figure 5.18 QPSK scatterplot after applying ICA. [Plot: Imaginary versus Real.]

5.5 Secure Communications in the Smart Grid

The smart grid is aimed at transforming the already-aging electric power grid in the United States into a digitally advanced and decentralized infrastructure with heavy reliance on control, energy distribution, communication, and security. Among the five identified key technology areas in the smart grid, the implementation of integrated communications is a foundational need [88]. The smart grid in the near future will be required to accommodate increased demands for improved quality and energy efficiency. Solar and wind farms are joining in for power generation in a distributed fashion. Appliances will become smart and talk to the control centers for optimum operations. Monitoring, managing, and controlling will be required at all levels. Prediction of electricity prices, weather, and social/human activities will be taken into account for optimum control. The addition of these new elements will result in continuously increasing complexity. For different subnetworks or elements to be integrated into the smart grid seamlessly, a communication backbone has to be developed prior to adding various functions. Hence, the earlier the communication backbone is determined, the fewer the complications that will be faced later in building the grid.
5.5.1 Development of Communications Infrastructure
To develop this communications infrastructure, a high level of interconnectivity and reliability among its nodes is required. Sensors, advanced metering devices, electrical appliances, and monitoring devices, just to mention a few, will be highly interconnected, allowing for the seamless flow of data. Reliability and security in this flow of data between nodes, as shown in Figure 5.19, is crucial due to the low latency and cyberattack resilience requirements of the smart grid.

A distributed interconnection among these nodes will be ubiquitous, just as finding a similar level of connectivity among cellular phones or computing nodes in a large organization. The smart grid environment, however, poses a new set of communications and security paradigms. Due to their complexity and importance to the realization of the smart grid infrastructure, it is extremely important to study the interactions among the nodes, more specifically, in terms of their communications and security.

Figure 5.19 Interaction among actors in smart grid domains through secure communication flows and flows of electricity. [Diagram domains: Markets, Operations, Service Provider, Bulk Generation, Transmission, Distribution, Customer; legend: Secure communication flows, Electrical flows, Domain.]
Taking into account that reliability and security will impose constraints on the majority of the devices connected to the smart grid, if not all, it would be wise to consider communication standards, protocols, and devices that are designed from the ground up to be secured, logically and physically. Since a great portion of the traffic generated within the grid will be traveling on an unsecured medium such as the Internet, it is imperative to minimize the amount of potential security loopholes. In addition, the human variable should also be taken into account in the security model as part of the security infrastructure.

When it comes to security, communication is key, and information should be properly disseminated to all the parties involved, ensuring that everyone has a clear and common understanding of security needs facilitating their implementation and operation. Training and informing users about processes, study of human behavior, and the perception of events related to the processes are as important to the entire security equation as it is to engineer a secured infrastructure. As a matter of fact, the greatest security threat to any infrastructure is human error, as opposed to the technology securing it. Communications in the smart grid is a key component of the entire infrastructure, and logically we divide it into two sections: the backbone communications (interdomain), which will carry communications among domains such as those shown in Figure 5.19, and the communications at the LAN (intradomain) limited by perimeters such as a customer's house or a distribution facility [89].

We can say that current and emerging technologies in telecommunications, most of which are expected to fall in the wireless realm (WiMAX, ZigBee, 802.11, etc.), can accommodate the communications needs of both inter- and intradomain environments, however, not without flaws. From a security standpoint, these technologies are not designed to be secure from the ground up. For example, ZigBee is a standard for short-range communications, and manufacturers of ZigBee-compliant chips produce them without necessarily considering the security issue. In addition, chip manufacturers print the chip model on top of the chip itself as a standard practice. The chip specifications can therefore be easily downloaded, and potential flaws of the chip can be easily exploited by attackers. Also, by default, many of these chips do not carry any internal security features and therefore rely on external chips or on higher-level software applications for this purpose. An easy access to the external chip by any malicious attacker could potentially disable any installed security features. This and other similar scenarios lead us to think that the smart grid should be driven by technologies and standards that consider security as their primary concern.

The smart grid has been conceived as being distributed in nature and heavily dependent on wireless communications. Today's SOHO (small office/home office) and enterprise-graded wireless devices include security features to mitigate attacks, with the vast majority still relying on conventional rule-based detection. It has been shown that conventional rule-based detection systems, although helpful, do not have the capability of detecting unknown attacks. Furthermore, as presented in Pazos-Revilla and Siraj [90], these conventional intrusion detection systems (IDSs) would not be able to detect such an attack if it is carefully crafted since the majority of these rules are solely based on strict thresholds.
5.5.2 FPGA-Based Fuzzy Logic Intrusion Detection for the Smart Grid
Artificial intelligence techniques such as fuzzy logic, Bayesian inference, neural networks, and other methods can be employed to address the security gaps in conventional IDSs. As shown in Figure 5.20, a fuzzy logic approach was used [91] in which different variables that influence the inference of an attack can be analyzed and later combined for the decision-making process of a security device. In addition, if each security device serving as an IDS is aware not only of itself but also of a limited number (depending on local resources and traffic) of surrounding trusted IDS devices, the alerts that these other devices generate can be used to adjust local variables or parameters to better cope with distributed attacks and more accurately detect their presence.

Figure 5.20 Fuzzy logic example applied to IDS. ICMP = Internet Control Message Protocol. [Diagram steps: 1. Fuzzify inputs; 2. Apply or operator (max); 3. Apply implication operator (min); 4. Apply aggregation method (max); 5. Defuzzify (centroid). Rule text: if ICMP rate is low; if ICMP rate is medium; or Port scan is low; then Alert is low; then Alert is medium; Rule 2 has no dependency on input 2. Result: Alert = 16.7%.]
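The five steps listed in Figure 5.20, as an added example (not code from the book or from the work cited as [91]): a Mamdani-style inference over two inputs, ICMP rate and port-scan rate, scored next to a strict-threshold rule on constructed samples. The pairing of rule antecedents with consequents, the third (high) rule, the 0 to 100 % scaling, the membership shapes and the 60 % threshold are assumptions, since the figure's layout is not recoverable from the page.

```python
def falling(x, a, b):
    """Left shoulder: 1 at or below a, 0 at or above b, linear in between."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)


def rising(x, a, b):
    """Right shoulder, the mirror image of falling()."""
    return 1.0 - falling(x, a, b)


def triangle(x, a, b, c):
    """Triangular membership with feet at a and c and peak at b."""
    return max(0.0, min((x - a) / (b - a), (c - x) / (c - b)))


# Assumed membership functions on a 0-100 % scale, used for both inputs
# and for the output variable "Alert".
SETS = {
    "low": lambda v: falling(v, 0, 50),
    "medium": lambda v: triangle(v, 0, 50, 100),
    "high": lambda v: rising(v, 50, 100),
}


def alert_level(icmp_rate, port_scan, step=0.5):
    """Return the defuzzified alert level in percent."""
    # Step 1: fuzzify both inputs.
    icmp = {name: mu(icmp_rate) for name, mu in SETS.items()}
    scan = {name: mu(port_scan) for name, mu in SETS.items()}
    # Step 2: combine antecedents with the OR operator (max).
    strength = {
        # Rule 1 (assumed pairing): ICMP rate low OR port scan low -> Alert low
        "low": max(icmp["low"], scan["low"]),
        # Rule 2: ICMP rate medium -> Alert medium (no dependency on input 2)
        "medium": icmp["medium"],
        # Rule 3 (assumed, not in the figure): either input high -> Alert high
        "high": max(icmp["high"], scan["high"]),
    }
    # Steps 3-5: implication (min), aggregation (max), centroid defuzzification
    # evaluated on a grid over the output range.
    num = den = 0.0
    for k in range(int(round(100 / step)) + 1):
        z = k * step
        agg = max(min(strength[name], SETS[name](z)) for name in SETS)
        num += z * agg
        den += agg
    return num / den if den > 0 else 0.0


def strict_threshold_alert(icmp_rate, port_scan, limit=60.0):
    """Conventional rule: alert only when an input reaches a fixed limit."""
    return icmp_rate >= limit or port_scan >= limit


# Constructed per-interval measurements: (ICMP rate %, port-scan rate %).
SAMPLES = [(5, 0), (58, 55), (62, 55), (95, 90)]


def score(samples=SAMPLES):
    """Return (icmp, scan, strict decision, fuzzy alert level) per sample."""
    return [
        (i, p, strict_threshold_alert(i, p), round(alert_level(i, p), 1))
        for i, p in samples
    ]


if __name__ == "__main__":
    for row in score():
        print(row)
```

The two middle samples sit on either side of the fixed limit, so the strict rule flips from no alert to alert, while the fuzzy alert level for both stays close to 50 % and can be passed on as a graded value.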
The research and development of robust and secure communication protocols, dynamic spectrum sensing, as well as distributed and collaborative security should be considered as an inherent part of smart grid architecture. An advanced decentralized and secure infrastructure needs to be developed with two-way capabilities for communicating information and controlling equipment, among other tasks, as indicated in the recently published volume 1 of Guidelines for Smart Grid Cyber Security by the National Institute of Standards and Technology (NIST) [89]. The complexity of such an endeavor, coupled with the amalgam of technologies and standards that will coexist in the development of the smart grid, makes it extremely necessary to have a common platform of development with flexibility and reliable performance.

FPGA DPs share these advantages, not to mention the fact that a single silicon FPGA chip can be used to study several smart grid technologies and their implementations. FPGA chips offer significant potential for application in the smart grid for performing encryption and decryption, intrusion detection, low-latency routing, data acquisition and signal processing, parallelism, configurability of hardware devices, and high-performance and high-bandwidth tamper-resistant applications. Dr. William Sanders, a member of the Smart Grid Advisory Committee of the NIST, has been among the most influential recently in the research on smart grid security. His research team and several collaborating universities proposed the use of a Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) that focuses on the security of low-level devices and communications, as well as trustworthy operation of the power grid under a variety of conditions, including cyberattacks and emergencies [92]. TCIPG proposes a coordinated response and detection at multiple layers of the cyber infrastructure hierarchy, including but not limited to sensor/actuator and substation levels. At these levels of the hierarchy, SDR and wireless communications technologies could be used and studied to prevent attacks such as wireless jamming. Sanders et al. also proposed the use of specification-based IDS in protecting advanced metering infrastructures (AMIs) [93]. A distributed FPGA-based network with adaptive and cooperative capabilities can be used to study several security and communication aspects of this infrastructure from the point of view of both the attackers and the defenders.
5.6 Conclusions
In this chapter, an innovative approach of employing a cognitive radio network for efficient management of information flow in the smart grid was presented. An outline of cognitive radio and the recently established IEEE 802.22 standard for WRANs was given. Existing and new hardware platforms for the innovative network test bed being built at Tennessee Technological University were described. To efficiently process the high-dimensional data in cognitive radio networks, dimensionality reduction techniques such as PCA, KPCA, and LMVU can be used. The SVM method was applied to a spectrum-monitoring example in Wi-Fi networks, and it was shown that better performance is achieved using dimensionality reduction for preprocessing the data. The recently developed robust PCA algorithm was presented for recovering a low-rank matrix when it was grossly corrupted with a sparse matrix of arbitrarily large magnitude. For the blind recovery of smart meter wireless transmissions in the presence of strong wideband interference, the robust PCA was used as a preprocessing method before applying an ICA-based algorithm. Finally, the vital issue of security in the smart grid was discussed, along with a possible approach to achieve this by employing FPGA-based fuzzy logic intrusion detection.
references 1. J.MitolaiiiandG.MaguireJr.,cognitiveradio:makingsoftwareradios
morepersonal,IEEE Personal Communications6(4),13–18(1999). 2. s.haykin,cognitiveradio:brain-empoweredwirelesscommunications,
IEEE Journal on Selected Areas in Communications23(2),201–220(2005).
179CoGnitive radio network for the smart Grid
3. G.Ganesan,Y.li,B.Bing,ands.li,spatiotemporalsensingincognitiveradionetworks,IEEE Journal on Selected Areas in Communications26(1),5–12(2008).
4. J.BazerqueandG.Giannakis,distributedspectrumsensingforcogni-tive radionetworks by exploiting sparsity, IEEE Transactions on Signal Processing58(3),1847–1862(2010).
5. c. cordeiro, k. challapali, d. Birru, s. shankar, et al., ieee 802.22:anintroductiontothefirstwirelessstandardbasedoncognitiveradios,Journal of Communications1(1),38–47(2006).
6. c.cordeiro,k.challapali,d.Birru,s.shankar,etal.ieee802.22:thefirstworldwidewirelessstandardbasedoncognitiveradios.in2005 First IEEE International Symposium onNew Frontiers in Dynamic Spectrum Access Networks, 2005. DySPAN 2005, pp. 328–337.ieee,newYork(2005).
7. c.cordeiro,k.challapali,andM.Ghosh.cognitivePhYandMaclay-ersfordynamicspectrumaccessandsharingoftvbands.inProceedings of the First International Workshop on Technology and Policy for Accessing Spectrum,p.3.acM,newYork(2006).
8. c. stevenson, G. chouinard, z. lei, w. hu, s. shellhammer, andw. caldwell, ieee 802.22: the first cognitive radio wireless regionalareanetworkstandard,IEEE Communications Magazine47(1),130–138(2009).
9. r.Qiu,acognitiveradionetworktestbed.officeofnavalresearch(onr)dUriP.n00010-10-0810.2010.
10. r.c.Qiu,smartGridresearchatttU.Presentedatargonnenationallaboratory (february 2010). available at http://iweb.tntech.edu/rqiu/publications.htm
11. r.c.Qiu,cognitiveradioandsmartGrid.Presentedatieeechapter,huntsville,al.(february18,2010).availableathttp://iweb.tntech.edu/rqiu/publications.htm
12. r.c.Qiu,z.chen,n.Guo,Y.song,P.zhang,h.li,andl.lai,towardsareal-timecognitiveradionetworktestbed:architecture,hardwareplat-form,andapplicationtosmartgrid.PresentedatProceedings of the Fifth IEEE Workshop on Networking Technologies for Software-Defined Radio and White Space, Boston( June2010).
13. d.raychaudhuri,i.seskar,M.ott,s.Ganu,k.ramachandran,h.kremo,r.siracusa,h.liu,M,andsingh.overviewoftheorBitradiogridtestbedforevaluationofnext-generationwirelessnetworkprotocols.inProceedings of IEEE Wireless Communications and Networking Conference,neworleans,la,March13–17,2005.pp. 1664–1669(2005).
14. i.Broustis,J.eriksson,s.krishnamurthy,andM.faloutsos.ablueprintforamanageableandaffordablewirelesstestbed:design,pitfallsandles-sonslearned.inProceedings of 3rd International Conference on Testbeds and Research Infrastructure for the Development of Networks and Communities,May21–23,2007.pp. 1–6(2007).
15. t.r.newman,s.s.hasan,d.depoy,t.Bose,andJ.h.reed,designingand deploying a building-wide cognitive radio network testbed, IEEE Communications Magazine48(9),106–112(2010).
180 seCurity and PrivaCy in smart Grids
16. ettusresearchllc,homepage( July2010).http://www.ettus.com/. 17. GnUradio,homepage( July2010).http://www.gnuradio.org/. 18. z. chen, n. Guo, and r. c. Qiu, experimental validation of channel
state prediction considering delays in practical cognitive radio, IEEE Transactions on Vehicular Technology16(4),1314–1325(2011).
19. lyrtech incorporated, Small Form Factor SDR Evaluation Module/Development Platform Users Guide. lyrtech, Quebec city, canada(february2010).
20. lyrtech incorporated, ADACMaster III Users Guide. lyrtech, Quebeccity,canada( January2009).
21. lyrtechincorporated,homepage( July2010).http://www.lyrtech.com/. 22. k.amiri,Y.sun,P.Murphy,c.hunter,J.cavallaro,anda.sabharwal,
warP,aunifiedwirelessnetworktestbedforeducationandresearch.inIEEE International Conference on Microelectronic Systems Education,sandiego,ca,June3–4,2007.pp. 53–54(2007).
23. riceUniversity,homepage( July2010).http://warp.rice.edu/. 24. Mango communications, home page (september 2010). http://www.
mangocomm.com/. 25. k.tan, J. zhang, J. fang, h. liu, Y. Ye, s. wang, Y. zhang, h. wu,
w.wang,andG.voelker,sora:highperformancesoftwareradiousinggeneralpurposemulti-coreprocessors.inProceedings of the 6th USENIX symposium on Networked Systems Design and Implementation,pp. 75–90.UseniXassociation,Berkeley,ca(2009).
26. k.chowdhuryandt.Melodia,Platformsandtestbedsforexperimentalevaluationofcognitiveadhocnetworks,IEEE Communications Magazine.48(9),96–104(2010).
27. z. chen, n. Guo, and r. c. Qiu, Building a cognitive radio networktestbed,Proceedings of IEEE Southeastcon. nashville,tn(March2011).
28. r.c.Qiu, Cognitive Radio Network Testbed.funded researchproposalfor defense University research instrumentation Program (dUriP)(august 2009). http://www.defense.gov/news/fiscal 2010 dUriPwinnerslist.pdf
29. r. c. Qiu, cognitive radio and smart Grid. invited presentation atieeechapter(february2010).http://iweb.tntech.edu/rqiu.
30. robert c. Qiu (Pi). cognitive radio institute. funded research pro-posal for 2010 defense earmark (2010). http://www.opensecrets.org/politicians/earmarks.php?cid=n00003126
31. r.Qiu,z.hu,G.zheng,z.chen,andn.Guo.cognitiveradionetworkforthesmartgrid:experimentalsystemarchitecture,controlalgorithms,security, andmicrogrid testbed, IEEE Transactions on Smart Grid 2(4),724–740(2011).
32. r.c.Qiu,M.c.wicks,z.hu,l.li,ands.J.hou,wirelesstomography(1):anovelapproachtoremotesensing.in5th International Waveform Diversity and Design Conference,niagarafalls,canada(august2010).
33. t.Guoands.a.Jafar,degreesoffreedomofthekuserMnMiMointerference channel, IEEE Transactions on Information Theory 56, 12(2010).
181CoGnitive radio network for the smart Grid
34. v.r.cadambeands.a.Jafar,interferencealignmentandspatialdegreesof freedom for the k user interference channel. in IEEE International Conference onCommunications, 2008. ICC’08, pp. 971–975,Beijing(May2008).
35. M.a.Maddah-ali,a.s.Motahari,anda.k.khandani,communicationover MiMo X channels: interference alignment, decomposition, andperformance analysis, IEEE Transactions on Information Theory 54(8),3457–3470(2008).
36. B.nazer,s.a.Jafar,M.Gastpar,ands.vishwanath,ergodicinterferencealignment.inIEEE International Symposium on Information Theory, 2009. ISIT 2009,pp. 1769–1773,seoul,korea(2009).
37. c.huangands.a.Jafar,degreesof freedomoftheMiMointerfer-ence channel with cooperation and cognition, IEEE Transactions on Information Theory55(9),4211–4220(2009).
38. c.s.vazeandv.M.k.ThedegreesoffreedomregionoftheMiMocognitive interference channel with no csit. in ISIT, pp. 440–444,austin,tX( June2010).
39. J.B.tenenbaum,v.silva,andJ.c.langford,aglobalgeometricframe-work for nonlinear dimensionality reduction, Science 290(5500), 2319–2323(2000).
40. s.roweisandl.saul,nonlineardimensionalityreductionbylocallylin-earembedding,Science290(5500),2323–2326(2000).
41. e.keogh,k.chakrabarti,M.Pazzani,ands.Mehrotra,dimensionalityreduction for fast similarity search in large time series databases,Knowledge and Information Systems3(3),263–286(2001).
42. M.l.raymer,w.f.Punch,e.d.Goodman,l.a.kuhn,anda.k.Jain,dimensionalityreductionusinggeneticalgorithms,IEEE Transactions on Evolutionary Computation4(2),164–171(2002).
43. i.Jolliffe,Principal Component Analysis.springer-verlag,newYork(2002). 44. B.scholkopf,a.smola, andk.Muller,nonlinear component analysis
as a kernel eigenvalue problem, Neural Computation 10(5), 1299–1319(1998).
45. k.weinbergerandl.saul,Unsupervised learningof imagemanifoldsby semidefinite programming, International Journal of Computer Vision70(1),77–90(2006).
46. k.weinberger,B.Packer,andl.saul,nonlineardimensionalityreduc-tion by semidefinite programming and kernel matrix factorization. inProceedings of the Tenth International Workshop on Artificial Intelligence and Statistics,pp. 381–388,Barbados( January2005).
47. G.Baudatandf.anouar,kernel-basedmethodsandfunctionapproxi-mation. in International Joint Conference on Neural Networks, 2001. Proceedings. IJCNN’01, vol. 2, pp. 1244–1249, washington, dc ( July2001).
48. G.wu,e.Y.chang,andn.Panda,formulatingdistancefunctionsviathekerneltrick.inProceedings of the Eleventh ACM SIGKDD International Conference on Knowledge Discovery in Data Mining,pp. 703–709,chicago(august2005).
182 seCurity and PrivaCy in smart Grids
49. J.Mariéthozands.Bengio,akerneltrickforsequencesappliedtotext-independent speaker verification systems, Pattern Recognition 40(8),2315–2324(2007).
50. J.wang, J.lee, andc.zhang,kernel trick embeddedGaussianmix-ture model. in Algorithmic Learning Theory, vol. 2842, pp. 159–174.springerlink,newYork(2003).
51. l.vandenbergheands.Boyd,semidefiniteprogramming,SIAM Review38(1),49–95(1996).
52. f.alizadeh,J.P.a.haeberly,andM.l.overton,Primal-dualinterior-pointmethodsforsemidefiniteprogramming:convergencerates,stabil-ityandnumericalresults,SIAM Journal on Optimization8(3),746–768(1998).
53. h.wolkowicz,r.saigal,andl.vandenberghe,Handbook of Semidefinite Programming: Theory, Algorithms, and Applications. springer-verlag,dordrecht(2000).
54. s. P. Boyd and l. vandenberghe, Convex Optimization. cambridgeUniversityPress(2004).
55. G.r.G.lanckriet,n.cristianini,P.Bartlett,l.e.Ghaoui,andM.i.Jordan,learningthekernelmatrixwithsemidefiniteprogramming,The Journal of Machine Learning Research5,27–72(2004).
56. s.J.hou,z.Qiu,r.chen,andz.hu,spectrumsensingusingsvManddimensionalityreductionwithexperimentalvalidation,http://arXiv.org/abs/1106.2325(2011).
57. s. haykin, d. Thomson, and J. reed, spectrum sensing for cogni-tive radio, Proceedings of the IEEE 97(5), 849–877 (May 2009). doi:10.1109/JProc.2009.2015711.
58. J. Ma, G. Y. li, and B. h. Juang, signal processing in cognitiveradio, Proceedings of the IEEE 97(5), 805–823 (2009). doi: 10.1109/JProc.2009.2015707.
59. d.cabric,s.Mishra,andr.Brodersen.implementationissuesinspec-trumsensingforcognitiveradios.inProceedings of Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers,vol.1,772–776(2004).
60. z.chenandr.c.Qiu,Predictionofchannelstateforcognitiveradiousing higher-order hidden Markov model. in Proceedings of the IEEE Southeastcon,pp. 276–282(March2010).
61. i. Jolliffe, Principal Component Analysis, 2nd edition. springer-verlag,newYork(2002).
62. e. candès, X. li, Y. Ma, and J. wright, robust principal componentanalysis?Journal of ACM ( JACM),58(3),1–37(May2011).
63. J.wright,a.Ganesh,s.rao,andY.Ma,robustprincipalcomponentanalysis:exactrecoveryofcorruptedlow-rankmatricesviaconvexopti-mization,inProceedings of the Conference on Neural Information Processing Systems(niPs)(december2009).
183CoGnitive radio network for the smart Grid
64. v.chandrasekaran,s.sanghavi,P.Parrilo,anda.willsky,rank-sparsityincoherence for matrix decomposition, SIAM Journal on Optimization,21(2),572–596(2011).
65. e. candès and t. tao, The power of convex relaxation: near-optimalmatrixcompletion,IEEE Transactions on Information Theory56(5),2053–2080(2010).
66. e.candèsandB.recht,exactmatrixcompletionviaconvexoptimiza-tion,Foundations of Computational Mathematics9(6),717–772(2009).
67. e.candèsandY.Plan,Matrixcompletionwithnoise,Proceedings of the IEEE98(6),925–936(2010).
68. B.recht,M.fazel,andP.Parrilo,Guaranteedminimum-ranksolutionsoflinearmatrixequationsvianuclearnormminimization,Arxiv preprint arXiv:0706.4138(2007).
69. B. recht, w. Xu, and B. hassibi. necessary and sufficient conditionsforsuccessofthenuclearnormheuristicforrankminimization.in47th IEEE Conference on Decision and Control, 2008. CDC 2008, pp. 3065–3070.ieee,newYork(2009).
70. J.cai,e.candès,andz.shen,asingularvaluethresholdingalgorithmformatrixcompletion,Arxiv preprint arXiv:0810.3286(2008).
71. z.lin,M.chen,l.wu,andY.Ma,Theaugmentedlagrangemulti-pliermethodforexactrecoveryofcorruptedlow-rankmatrices,UiUctechnicalreportUilU-enG-09-2215(november2009).
72. M.chen.http://perception.csl.illinois.edu/matrix-rank/sample code.html. 73. s. Marple Jr., Digital spectral analysis with applications. Prentice hall,
englewoodcliffs,nJ(1987). 74. P. comon, independent component analysis, a new concept? Signal
Processing36(3),287–314(1994). 75. a.hyvarinenande.oja,one-unitlearningrulesforindependentcom-
ponent analysis. in Advances in Neural Information Processing Systems,480–486.Morgankaufmann,newYork(1997).
76. a.hyvarinenande.oja,independentcomponentanalysis:algorithmsandapplications,Neural Networks13(4–5),411–430(2000).
77. a.hyvarinen,J.karhunen,ande.oja,Independent Component Analysis.wiley,newYork(2001).
78. h.liaoandd.niebur,loadprofileestimationinelectrictransmissionnetworksusingindependentcomponentanalysis,IEEE Transactions on Power Systems18(2),707–715(2003).
79. d. Pham, Blind separation of instantaneous mixture of sources via anindependentcomponentanalysis,IEEE Transactions on Signal Processing44(11),2768–2779(2002).
80. t.lee,M.lewicki,andt.sejnowski,icamixturemodelsforunsuper-visedclassificationofnon-Gaussianclassesandautomaticcontextswitch-inginblindsignalseparation,IEEE Transactions on Pattern Analysis and Machine Intelligence22(10),1078–1089(2002).
184 seCurity and PrivaCy in smart Grids
81. s.amari,a.cichocki,andh.Yang.anewlearningalgorithmforblindsignal separation. in Advances in Neural Information Processing Systems,757–763.Morgankaufman,newYork(1996).
82. z.koldovskyandP.tichavsky,Blindinstantaneousnoisymixturesepa-rationwithbestinterference-plus-noiserejection.inProceedings of the 7th International Conference on Independent Component Analysis and Signal Separation,pp. 730–737.springer-verlag,newYork(2007).
83. l.husheng,M.rukun,l.lifeng,andr.Qiu,compressedmeterread-ing for delay-sensitive and secure load report in smart grid. in First IEEE International Conference on Smart Grid Communications, 2010. SmartGridComm 2010, pp. 114–119. Gaithersburg,Md(october2010).
84. d. donoho, compressed sensing, IEEE Transactions on Information Theory52(4),1289–1306(2006).
85. e.candès,J.romberg,andt.tao,robustuncertaintyprinciples:exactsignal reconstruction from highly incomplete frequency information,IEEE Transactions on Information Theory52(2),489–509(2006).
86. s.chen,d.donoho,andM.saunders,atomicdecompositionbybasispursuit,SIAM Review43(1),129–159(2001).
87. r. ranganathan andw. B. Mikhael, a comparative study of complexgradientandfixed-pointicaalgorithmsforinterferencesuppressioninstaticanddynamicchannels,Signal Processing88(2),399–406(2008).doi:10.1016/j.sigpro.2007.08.002.http://www.sciencedirect.com/science/article/B6v18-4Pf1w9k-2/2/f6fede5fcdf79d0b75c0b5d050020861.
88. nationalenergytechnologylaboratory,A Systems View of the Modern Grid.departmentofenergy,washington,dc( January2007).
89. national institute of standards and technology, Guidelines for Smart Grid Security:vol.1,Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements,ThesmartGridinteroperabilityPanel-cybersecurityworkingGroup,august2010.
90. M. Pazos-revilla and a. siraj, an experimental model of an fPGa-based intrusion detection systems. in 2011 International Conference on Computers and Their Applications, neworleans,la(March2011).
91. M.Pazos-revilla,fPGaBasedfuzzyintrusiondetectionsystemfornetwork security, master’s thesis, tennessee technological University,cookeville(2010).
92. w.sanders,TCIP: Trustworthy Cyber Infrastructure for the Power Grid,technical report. informationtrust institute, University of illinois atUrbana-champaign(2011).
93. r.Berthier,w.sanders,andh.khurana,intrusiondetectionforadvancedmetering infrastructures: requirements and architectural directions.in First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010,pp. 350–355.ieee,newYork(2010).
187
6 Requirements and Challenges of Cybersecurity for Smart Grid Communication Infrastructures
Rose Qingyang Hu and Yi Qian
Contents
6.1 Introduction
    6.1.1 Background
    6.1.2 High-Level Requirements
6.2 Vulnerabilities and Security Requirements
    6.2.1 Privacy
    6.2.2 Availability
    6.2.3 Integrity
    6.2.4 Authentication
    6.2.5 Authorization
    6.2.6 Auditability
    6.2.7 Nonrepudiability
    6.2.8 Third-Party Protection
    6.2.9 Trust
6.3 Cybersecurity Challenges
    6.3.1 Internetworking
    6.3.2 Security Policy and Operations
    6.3.3 Security Services
6.4 Conclusions
References
Upgrading an existing power grid into a smart grid requires significant dependence on intelligent and secure communication infrastructures. It requires systematic security frameworks for distributed communications, pervasive computing, and sensing technologies in the smart grid. However, as many of the communication technologies currently recommended for use by a smart grid are vulnerable to cyberattacks, it could lead to unreliable system operations, causing unnecessary expenditures, even consequential disaster for both utilities and consumers. In this chapter, we summarize the possible vulnerabilities and the cybersecurity requirements in smart grid communications and discuss the challenges of cybersecurity for smart grid communications.
6.1 Introduction
A smart grid communication system is comprised of several subsystems. It is eventually a network of networks. A supervisory control and data acquisition (SCADA) system is not only a controlling system but also a communication network in a smart grid. The communication networks in smart grid systems could include dedicated or overlay land mobile radios (LMRs), cellular, microwave, fiber-optic, wired lines such as power line communication (PLC), RS-232/RS-485 serial links, wireless local-area networks (WLANs) media or a versatile data network combining these media. In this section, we briefly discuss the background of a smart grid system in several aspects: SCADA system, communication networks, deployments of secure smart grid communications, and high-level security requirements. Figure 6.1 shows a typical smart grid communication system. [1]
6.1.1 Background
Core to the monitoring and control of a substation is the SCADA system. It is utilized for distribution automation (DA) and computerized remote control of medium-voltage (MV) substations and power grids, and it helps electric utilities achieve higher supply reliability and reduces operating and maintenance costs. In the past, sectionalizer switchgears, ring main units, reclosers, and capacitor banks were designed for local operations with limited remote control. Today, using SCADA over reliable wireless communication links, remote terminal units (RTUs) provide powerful integrated solutions when upgrading remotely installed electric equipment. In a distribution management system (DMS), RTUs seamlessly interface via SCADA with a wide range of high-performance control centers supplied by leading vendors worldwide. Connection to these energy management systems (EMSs) and DA/DMS control centers is typically provided via a high-performance Internet Protocol (IP) gateway or a similar node. [2]
[Figure 6.1: diagram showing power system operators, metering system, regional control center, databases, RTUs, power plants, trading coordinator, operation data management, power market operations, data acquisition and control, circuit breakers, and substations for Utility A and Utility B.]
Figure 6.1 A typical smart grid communication system. (From C. H. Hauser, D. E. Bakken, and A. Bose, IEEE Power and Energy Magazine, pp. 47–55, March–April 2005. With permission.)
Different scales and structures of smart grid systems adopt different communication networking solutions. Advanced metering infrastructure (AMI) solutions can be meshed or point to point, with short local coverage or long-range communications. [3,4] Options for backhaul solutions might be fiber, wireless broadband, or broadband over a power line. The possible solutions include WiMAX, WLAN, wireless sensor network (WSN), cellular, and LMR, depending on the reliability, throughput, and coverage desired by the utility. The wireless communication solutions can be either licensed or unlicensed, again depending on the needs of the utility. For the highest reliability, licensed solutions should be chosen. Each of these options has advantages and disadvantages, but what is consistently true of any and all of the solutions is the need to have a scalable security solution. [5]
Smart grid deployments must meet stringent security requirements. Strong authentication will be required for all users and devices that may affect the operation of the grid. With the large number of users and devices affected, scalable key and trust management systems, customized to the specific needs of the energy service provider, will be essential. What has been learned from years of deploying and operating large secure network communication systems is that the effort required to provision symmetric keys into thousands of devices can be too expensive or insecure. The development of key and trust management systems for large networks is required; these systems can be leveraged from other industries, such as LMR systems and Association of Public-Safety Communications Officials (APCO) radio systems. Several APCO-deployed systems provide statewide wireless coverage, with tens of thousands of secure devices. Trust management systems, based on public key infrastructure (PKI) technology, could be customized specifically for smart grid operators, easing the burden of providing security that adheres to the standards and guidelines that are known to be secure. [6]
6.1.2 High-Level Requirements
According to the Electric Power Research Institute (EPRI), one of the biggest challenges facing smart grid deployment is related to cybersecurity of the systems. [7] According to the EPRI report, cybersecurity is a critical issue due to the increasing potential of cyberattacks and incidents against this critical sector as it becomes increasingly interconnected. Cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, or terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize the grid in unpredictable ways. The high-level requirements for smart grid communication security are developed in various organizations and set out in detail in the corresponding standards. The cybersecurity requirements for smart grid communications are discussed further in the rest of this chapter.
There are many organizations working on the development of smart grid security requirements, including the North American Electrical Reliability Corporation Critical Infrastructure Protection (NERC CIP), International Society of Automation (ISA), Institute of Electrical and Electronics Engineers (IEEE) (IEEE 1402), National Infrastructure Protection Plan (NIPP), and National Institute of Standards and Technology (NIST), which has a number of smart grid cybersecurity programs ongoing.
One prominent source of requirements is the Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group, previously the NIST Cyber Security Coordination Task Group (CSCTG). [8] The NIST CSCTG was established to ensure consistency in the cybersecurity requirements across all the smart grid domains and components. The latest draft document from the Cyber Security Working Group, NIST Interagency Report (NIST-IR 7628), [9] Smart Grid Cyber Security Strategy and Requirements, continues to evolve at the time of this writing. NIST and the Department of Energy (DOE) GridWise Architecture Council (GWAC) [10] have established domain expert working groups (DEWGs): Home-to-Grid (H2G), Building-to-Grid (B2G), Industrial-to-Grid (I2G), Transmission and Distribution (T&D), and Business and Policy (B&P).
Working with standards bodies, such as NIST and others, will be extremely important to ensure a highly secure, scalable, consistently deployed smart grid system as these standards bodies will drive the security requirements of the system. [11]
One thing is consistent among the various standards bodies: The security of the grid will strongly depend on authentication, authorization, and privacy technologies. Privacy technologies are well matured. The Advanced Encryption Standard (AES) [12] and Triple Data Encryption Algorithm (3DES) [13] solutions approved by the Federal Information Processing Standard (FIPS), offering strong security and high performance, are readily available. The specific privacy solution required will depend on the type of communication resource protected. As a specific example, NIST has determined that the 3DES solution will likely become insecure by the year 2030. Considering that utility components are expected to have long lifetimes, the AES would be the preferred solution for new components. However, it is reasonable to expect that under certain circumstances when legacy functionality must be supported and the risk of compromise is acceptable, 3DES could be used.
Wireless links will be secured with technologies from well-known standards such as IEEE 802.11i [14] and IEEE 802.16e. [15] Different wireless protocols have varying degrees of security mechanisms. Wired links will be secured with firewalls, virtual private networks (VPNs), and IPSec (Internet Protocol Security) technologies. Higher-layer security mechanisms such as Secure Shell (SSH) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) should also be used. [16]
System architects and designers often identify the need for and specify the use of secure protocols, such as SSH and IPSec, but then skip the implementation details associated with establishing security associations between endpoints of communications. Such an approach is likely to result in a system in which the necessary procedures for secure key management can quickly become an operational nightmare. This is because, when system architects do not develop an integrated and comprehensive key management scheme, customers may be provided with few key management options and often resort to manually preconfiguring symmetric keys. This approach is simple for the system designers, but it can be very expensive for the system owners/operators.
6.2 Vulnerabilities and Security Requirements
The reliability of a smart grid depends on the reliability of the control and communication systems. For development of smart grid systems, the communication systems are becoming more sophisticated, allowing for better control and higher reliability. The smart grid will require higher degrees of network connectivity to support the new features. The higher degree of connectivity should have sophisticated security protocols to deal with the vulnerabilities and security breaches. Table 6.1 lists some security protocols adopted by different layers in communication networks with the specific security requirements; more details were summarized by Dzung et al. [18] In this section, we discuss the major security vulnerabilities and requirements in privacy, availability, integrity, authentication, authorization, auditability, nonrepudiability, third-party protection, and trust components for smart grid communication security.
6.2.1 Privacy
Privacy issues have to be covered with the derived customer consumption data as they are created in metering devices. Consumption data contain detailed information that can be used to gain insights on a customer's behavior. Smart grid communications have unintended consequences for customer privacy. Electricity usage information stored at the smart meter and distributed thereafter acts as an information-rich side channel, exposing customers' habits and behaviors. Certain activities, such as watching television, have detectable power consumption signatures. History has shown that where financial or political incentives align, the techniques for mining behavioral data will evolve quickly to match the desires of those who would exploit that information. [19]
Table 6.1 Layered Security Protocols
LAYER        SECURITY PROTOCOL           APPLICATION        CONFIDENTIALITY  INTEGRITY  AUTHENTICATION
Application  WS-Security                 Document           Yes              Yes        Data
             PGP/GnuPG                   E-mail             Yes              Yes        Message
             S/MIME                                         Yes              Yes
             HTTP digest authentication  Client to service  No               No         User
Transport    SSH                                            Yes              Yes        Server
             SSL/TLS                                        Yes              Yes
Network      IPSec                       Host to host       Yes              Yes        Host
Link         CHAP/PAP                    Point to point     No               No         Client
             WEP/WAP/802.1X              Wireless access    Yes              Yes        Device
Source: From Y. Yan, Y. Qian, H. Sharif, and D. Tipper, IEEE Communications Surveys and Tutorials, vol. 14(4), pp. 998–1010, 2012. With permission from IEEE. [17]
Note: CHAP/PAP = Challenge Handshake Authentication Protocol/Password Authentication Protocol, HTTP = Hypertext Transfer Protocol, PGP/GnuPG = pretty good privacy/Gnu Privacy Guard, S/MIME = secure/multipurpose Internet mail extensions, WEP/WAP = wired equivalent privacy/WiFi protected access, WS-Security = web services security.
Utility companies are not the only sources of potential privacy abuse. The recently announced Google PowerMeter service, [20] for instance, receives real-time usage statistics from installed smart meters. Customers subscribing to the service receive a customized web page that visualizes local usage. Although Google has yet to announce the final privacy policy for this service, early versions leave the door open to the company to use this information for commercial purposes, such as marketing individual or aggregate usage statistics to third parties. Although services such as Google PowerMeter are optional, customers have less control over the use of power information delivered to utility companies. Existing privacy laws in the United States are in general a patchwork of regulations and guidelines. It is unclear how these or any laws apply to customer energy usage yet.
6.2.2 Availability
Availability refers to ensuring that unauthorized persons or systems cannot deny access or use to authorized users. For smart grid systems, this refers to all the information technology (IT) elements of the plant, like control systems, safety systems, operator workstations, engineering workstations, manufacturing execution systems, as well as the communication systems between these elements and to the outside world.
Malicious attacks targeting availability can be considered as denial-of-service (DoS) attacks, which attempt to delay, block, or even corrupt information transmission to make network resources unavailable to communicating nodes that need information exchange in the smart grid. It is widely expected that at least part, if not all, of the smart grid will use IP-based protocols (e.g., International Electrotechnical Commission [IEC] 61580 has already adopted the Transmission Control Protocol [TCP]/IP as a part of its protocol stacks [21]), and TCP/IP is vulnerable to DoS attacks. DoS attacks against TCP/IP have been well studied in the literature regarding attacking types, prevention, and response. [22–24]
However, a major difference between a smart grid communication network and the Internet is that the smart grid is more concerned with the message delay than the data throughput due to the timing constraint of messages transmitted over the power networks. Indeed, network traffic in smart grid communication networks is in general time critical. For instance, the delay constraint of Generic Object Oriented Substation Event (GOOSE) messages is 4 ms in IEC 61850. [9]
Intruders only need to connect to communication channels rather than authenticated networks in the smart grid, so it is very easy for them to launch DoS attacks against the smart grid communication networks, especially for the wireless-based communication networks that are susceptible to jamming attacks. [25–27] Hence, it is of critical importance to evaluate the impact of DoS attacks on the smart grid and to design effective countermeasures to such attacks.
6.2.3 Integrity
Integrity refers to preventing undetected modification of information by unauthorized persons or systems. For smart grid communication systems, this applies to information such as product recipes, sensor values, or control commands. This objective includes defense against information modification via message injection, message replay, and message delay on the network. Violation of integrity may cause safety issues; that is, equipment or people may be harmed.
Differing from attacks targeting availability, attacks targeting data integrity can be regarded as less brute force and more sophisticated attacks. The target of the integrity attacks is either customer information (e.g., pricing information and customer account balance) or network operation information (e.g., voltage readings, device running status). In other words, such attacks attempt to deliberately modify the original information in the smart grid communication system to corrupt critical data exchange in the smart grid.
The risk of attacks targeting data integrity in the power networks is indeed real. A notable example is the recent work by Liu et al., [28] which proposed a new type of attacks, called false data injection attacks, against the state estimation in the power grid. It assumed that an attacker has already compromised one or several meters and pointed out that the attacker can take advantage of the configuration of a power system to launch attacks by injecting false data to the monitoring center, which can legitimately pass the data integrity check used in current power systems.
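The integrity objective above names three network-level threats: message injection, message replay, and message delay. The following added example (not from the book) sketches a receiver-side check covering all three with an HMAC tag, a per-sender sequence number, and a freshness window. The frame layout, sender id, key, and payloads are constructed for illustration, the clocks are assumed synchronized, and the 4 ms window reuses the GOOSE delay figure quoted in Section 6.2.2.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout: header | payload | HMAC-SHA256 tag
HEADER = struct.Struct(">HQQ")   # sender id, sequence number, send time in ms
TAG_LEN = hashlib.sha256().digest_size
MAX_AGE_MS = 4                   # assumption: freshness budget set to the 4 ms figure


def seal(key: bytes, sender_id: int, seq: int, sent_ms: int, payload: bytes) -> bytes:
    """Sender side: bind identity, order and send time to the payload."""
    header = HEADER.pack(sender_id, seq, sent_ms)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, keys, max_age_ms=MAX_AGE_MS):
        self.keys = dict(keys)       # sender id -> shared key
        self.max_age_ms = max_age_ms
        self.last_seq = {}           # sender id -> highest accepted sequence number

    def accept(self, frame: bytes, now_ms: int):
        if len(frame) < HEADER.size + TAG_LEN:
            return ("reject", "malformed")
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        sender_id, seq, sent_ms = HEADER.unpack(header)
        key = self.keys.get(sender_id)
        if key is None:
            return ("reject", "unknown-sender")
        # Verify the tag before trusting any header field (injection, modification).
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad-tag")
        # A genuine frame seen before, or older than one already accepted (replay).
        if seq <= self.last_seq.get(sender_id, -1):
            return ("reject", "replay")
        # A genuine frame held back in the network beyond the delay budget.
        age = now_ms - sent_ms
        if age < 0 or age > self.max_age_ms:
            return ("reject", "stale")
        self.last_seq[sender_id] = seq
        return ("accept", payload)


def demo():
    key = b"constructed-demo-key-for-rtu-7!!"          # constructed sample key
    rx = Receiver({7: key})
    good = seal(key, 7, 1, 1000, b"breaker=open")
    tampered = bytearray(seal(key, 7, 2, 1001, b"breaker=open"))
    tampered[HEADER.size + 8] ^= 0x01                  # one payload bit changed in transit
    injected = seal(b"not-the-real-key", 7, 3, 1002, b"breaker=close")
    late = seal(key, 7, 4, 1003, b"voltage=229.8")
    return [
        rx.accept(good, now_ms=1002),
        rx.accept(bytes(tampered), now_ms=1003),
        rx.accept(injected, now_ms=1003),
        rx.accept(good, now_ms=1003),
        rx.accept(late, now_ms=1050),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A tag check of this kind authenticates the key holder only: readings sent by a meter that is itself compromised, as in the false data injection case above, still verify.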
6.2.4 Authentication
Authentication is concerned with determination of the true identity of a communication system participator and mapping of this identity to a system-internal principal (e.g., valid user account) by which this user is known to the system. Most other security objectives, most notably authorization, distinguish between legitimate and illegitimate users based on authentication.
6.2.5 Authorization
Authorization, also known as access control, is concerned with preventing access to the system by persons or systems without permission to do so. In the wider sense, authorization refers to the mechanism that distinguishes between legitimate and illegitimate users for all other security objectives (e.g., confidentiality, integrity, etc.). In the narrower sense of access control, it refers to restricting the ability to issue commands to the plant control system. Violation of authorization may cause safety issues.
6.2.6 Auditability
Auditability is concerned with being able to reconstruct the complete history of the system behavior from historical records of all (relevant) actions executed on it. This security objective is mostly relevant to discover and find reasons for malfunctions in the system after the fact and to establish the scope of the malfunction or the consequences of a security incident. Note that auditability without authentication may serve diagnostic purposes but does not provide accountability.
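The distinction drawn above, between records that only serve diagnosis and records that provide accountability, can be shown with a hash-chained action log. This is an added example, not from the book; the actor names, keys, and log entries are constructed, and the record format is an assumption. Each entry is chained to its predecessor so later edits are detectable, and an entry counts as attributable only if it carries a valid tag from an authenticated actor.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain start value (assumption of this sketch)


def _canon(obj) -> bytes:
    """Canonical JSON so that the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _link(prev: str, body, tag) -> str:
    return hashlib.sha256(prev.encode() + _canon([body, tag])).hexdigest()


def append(log, actor, action, ts, key=None):
    """Append an action record; key is the actor's credential, if it has one."""
    body = {"actor": actor, "action": action, "ts": ts}
    tag = hmac.new(key, _canon(body), hashlib.sha256).hexdigest() if key else None
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "tag": tag, "prev": prev, "hash": _link(prev, body, tag)})


def audit(log, actor_keys, anchored_head=None):
    """Classify every record as attributable, diagnostic-only or untrusted."""
    # A fully rewritten chain is only detectable against a head hash kept elsewhere.
    if anchored_head is not None and (not log or log[-1]["hash"] != anchored_head):
        return ["untrusted"] * len(log)
    verdicts, prev, intact = [], GENESIS, True
    for entry in log:
        body, tag = entry["body"], entry["tag"]
        if entry["prev"] != prev or entry["hash"] != _link(prev, body, tag):
            intact = False           # history from here on cannot be reconstructed
        if not intact:
            verdicts.append("untrusted")
        else:
            key = actor_keys.get(body["actor"])
            good = bool(key and tag) and hmac.compare_digest(
                tag, hmac.new(key, _canon(body), hashlib.sha256).hexdigest())
            verdicts.append("attributable" if good else "diagnostic-only")
        prev = entry["hash"]
    return verdicts


def demo():
    keys = {"operator-a": b"constructed-key-a", "rtu-7": b"constructed-key-7"}
    log = []
    append(log, "operator-a", "open breaker CB-12", 1000, keys["operator-a"])
    append(log, "maintenance-laptop", "firmware query", 1005)   # unauthenticated actor
    append(log, "rtu-7", "report voltage 229.8", 1010, keys["rtu-7"])
    clean = audit(log, keys)
    head = log[-1]["hash"]
    log[1]["body"]["action"] = "firmware upload"                # record edited afterwards
    edited = audit(log, keys, head)
    return clean, edited


if __name__ == "__main__":
    print(demo())
```

Shared-key tags let the log owner attribute actions but are not proof to a third party; the nonrepudiability objective in Section 6.2.7 would need signatures rather than HMACs.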
6.2.7 Nonrepudiability
Nonrepudiability refers to being able to provide irrefutable proof to a third party regarding who initiated a certain action in the system, even if this actor is not cooperating. This security objective is relevant to establish accountability and liability. In the context of smart grid systems, this is most important in reference to regulatory requirements. Violation of this security requirement typically has legal/commercial consequences.
6.2.8 Third-Party Protection
Third-party protection refers to averting damage done to third parties via the communication systems, that is, damage that does not involve safety hazards of the controlled plant itself. The successfully attacked and subverted automation system could be used for various attacks on the communication systems or data or users of external third parties (e.g., via distributed DoS [DDoS]) or worm attacks. Consequences could reach from a damaged reputation of a smart grid system owner to legal liability for the damages of the third party. The risk to third parties through possible safety-relevant failures of the plant arising out of attacks against the plant automation system is covered by other security objectives, most notably authorization/access control.
6.2.9 Trust
The new designs of future smart grid communication systems form a multilayer architecture. The growth of smart grid systems resulted in a plentifulness of power system-related software applications, developed in many different programming languages and platforms. Extending old applications or developing new ones usually involves integrating legacy systems. Therefore, approaching the security of future smart grid communication networks cannot be done with a completely new start.
In parallel to the development of smart grid communication systems, the complete and monolithic cybersecurity infrastructure is not a viable option. Instead, multilayer architecture, advanced control methodologies, and dependable software infrastructure as well as device protection mechanisms and hardware-monitoring anchors have to be specified at the same time. Advanced control approaches have to include predictive and self-adaptive intelligence at higher-level and cross-layer mapping to the different technical layers. The dependable software infrastructures have to be designed to identify and isolate higher-layer independent applications as well as to secure cross-layer communications. With such architecture, it should have the flexibility of incorporating parts of existing infrastructure with the frontiers and interfaces to adjacent systems. Furthermore, the architecture needs the flexibility to interchange or update the part of the system in a secure way at a later stage due to new laws and regulations or new developments in the energy market.²⁹
6.3 Cybersecurity Challenges
There are many cybersecurity challenges for a secure smart grid communication system. The major challenges in building and operating a secure smart grid communication system include internetworking, security policy and operations, security services, and others.
6.3.1 Internetworking
The interconnected smart grid communication systems are riddled with vulnerabilities that vary across the networks due to the lack of built-in security in many applications and devices. This should not be the model for a network as important as the smart grid. Layers of defense should be built into the solution to minimize the threats from interruption, interception, modification, and fabrication.
Keeping the network private (i.e., with all transport facilities wholly owned by a utility) would greatly minimize the threats from intruders as there would be no potential for access from intruders over the Internet. But, having a completely separate network is not feasible in today’s highly connected world. It makes good business sense to reuse communication facilities, such as the Internet. A minimally secured smart grid connected to the Internet, as commonly found with commercial networks, opens the grid to threats from multiple types of attacks. These include cyberattacks from hostile groups looking to cause an interruption to the power supply.¹⁹,³⁰
One of these cyberattacks is worm infestations, which have proven to negatively impact critical network infrastructures. Such threats have largely been the result of leaving a network vulnerable to threats from the Internet. For example, there have been DoS attacks on a single network that disrupted all directory name servers, thus prohibiting users from connecting to any of the resources. It demonstrates the fragility of an interconnected smart grid communication infrastructure.³¹
All connections to the Internet from a smart grid network need to be highly secure. Intrusion detection is needed not only at the points where a smart grid network connects to the Internet but also at critical points within the network as well as vulnerable wireless interfaces.³²
The components, systems, networks, and architecture are all important to the security design and reliability of the smart grid communication solutions. But, it is inevitable that an incident will occur at some point, and one must be prepared with the proper incident response plan. This can vary between commercial providers and private utility networks. A private utility network is likely to provide better consistency of the incident response plan in the event of a security incident, assuming the private network is built on a standardized framework of hardware and software. The speed of the response decreases exponentially as the number of parties involved increases. Conversely, a private network would ideally depend on fewer parties; therefore, a more efficient incident response process would provide for more rapid response and resolution. The rapidity of the response is critical during situations that involve a blackout.³³
Criticalness of a device or a system also determines how prone it will be to attacks. History has shown that private networks by their inherent nature are less prone to attacks. As a result, it is recommended as the best approach when security is paramount.³⁴
6.3.2 Security Policy and Operations
The reliability of a smart grid depends on the proper operations of many components and the proper connectivity between them.³⁵ To disrupt a smart grid system, an attacker might attempt to gain electronic access to a component and misconfigure it or to impersonate another component and report a false condition or alarm. One of the simplest types of attacks that an adversary might attempt is the DoS attack: The adversary prevents authorized devices from communicating by consuming excessive resources on one device. For example, it is a well-known issue that if a node, such as a server or an access control device, uses an authentication protocol that is prior to authentication and authorization, then the node may be subject to DoS attacks. Smart grid protocol designers must ensure that proper care and attention are given to this threat during protocol development.
Many organizations will be involved in the operations of a smart grid. As additional distributed intelligence is added to the network, it will be essential that entities (people or devices) can authenticate and determine the authorization status of other entities from a remote organization. This issue is commonly referred to as federated identity management. There are many possible technical solutions to this issue, such as those offered by Security Assertion Markup Language (SAML),³⁶ Web Services Trust (WS-Trust),³⁷ and PKI.³⁸ Not only will vendors need to offer consistent technical solutions, but also organizations will further need consistent security policies. Great care must be taken by organizations to ensure their security policies and practices are not in conflict with those of other organizations with which they will need interoperability. At least a minimum set of operational security policies for the organizations operating a smart grid is formally adopted and documented in industry standards.³⁹
6.3.3 Security Services
Managing and maintaining a secure smart grid will be equally as vital as developing, deploying, and integrating a secure smart grid solution. Security services will help network operators identify, control, and manage security risks in smart grid communications. According to EPRI, every aspect of a smart grid must be secure.⁶ Cybersecurity technologies are not enough to achieve secure operations without policies, ongoing risk assessment, and training. The development of these human-focused procedures takes time and needs to take time to ensure that they are done correctly. A smart grid requires access to cost-effective, high-performance security services, including expertise in mobility, security, and system integration. These security services can be tailored per utility to best fit their needs and help them achieve their organizational objectives. Figure 6.2 illustrates a typical set of security services in smart grid communications.⁴⁰
6.4 Conclusions
In this chapter, we discussed the background and requirements as well as challenges for smart grid communication security. As a critical infrastructure, the smart grid requires comprehensive solutions for cybersecurity. A comprehensive communication architecture with security built in from the very beginning is necessary. A smart grid communication security solution requires a holistic approach, including traditional schemes such as PKI technology, trusted computing elements, and authentication mechanisms based on industry standards. Clearly, securing the smart grid communication infrastructure will require the use of standards-based state-of-the-art security protocols. To achieve the vision put forth, there are many steps that need to be taken. Primary among them is the need for a cohesive set of requirements and standards for smart grid security. Industry and other participants should continue the work that has begun under the direction of NIST to accomplish these foundational steps quickly. However, the proper attention must be paid to creating the requirements and standards as they will be utilized for many years, given the life cycle of utility components.
[Figure 6.2 diagram labels: People, Process, Policy, Technology; Security Assessment, Security Policy, Incident Response Planning, Managed Security, Secure Design and Implementation, Risk Management]
Figure 6.2 Smart grid security services. (From A. R. Metke and R. L. Ekl, in Innovative Smart Grid Technologies (ISGT2010), pp. 1–7, Gaithersburg, MD, March 2010. With permission from IEEE.)
References
1. C. H. Hauser, D. E. Bakken, and A. Bose, A failure to communicate—Next generation communication requirements, technologies, and architecture for electrical power grid, IEEE Power and Energy Magazine, pp. 47–55, March–April 2005.
2. S. Hong and M. Lee, Challenges and direction toward secure communication in the SCADA system, in 2010 Eighth Annual Communication Networks and Services Research Conference (CNSR), pp. 381–386, Montreal, May 2010.
3. L. Wenpeng, D. Sharp, and S. Lancashire, Smart grid communication network capacity planning for power utilities, in 2010 IEEE PES Transmission and Distribution Conference and Exposition, pp. 1–4, New Orleans, LA, April 2010.
4. E. Liu, M. L. Chan, C. W. Huang, N. C. Wang, and C. N. Lu, Electricity grid operation and planning related benefits of advanced metering infrastructure, in CRIS2010, pp. 1–5, 2010.
5. P. P. Parikh, M. G. Kanabar, and T. S. Sidhu, Opportunities and challenges of wireless communication technologies for smart grid applications, in IEEE Power and Energy Society General Meeting, pp. 1–7, 2010.
6. A. R. Metke and R. L. Ekl, Security technology for smart grid networks, IEEE Transactions on Smart Grid, vol. 1, pp. 99–107, 2010.
7. National Institute of Standards and Technology, Report to NIST on Smart Grid Interoperability Standards Roadmap EPRI, June 17, 2009. Available at http://www.nist.gov/smartgrid/interimsmartGridroadmapnistrestructure.pdf
8. Z. Tao, L. Weimin, W. Yufei, D. Song, S. Congcong, and C. Lu, The design of information security protection framework to support smart grid, POWERCON 2010, pp. 1–5, 2010.
9. National Institute of Standards and Technology, Draft Smart Grid Cyber Security Strategy and Requirements, NIST IR 7628, September 2009. Available at http://csrc.nist.gov/publications/drafts/nistir-7628/draft-nistir-7628.pdf
10. S. Widergren, A. Levinson, J. Mater, and R. Drummond, Smart grid interoperability maturity model, in 2010 IEEE Power and Energy Society General Meeting, pp. 1–6, 2010.
11. S. Rohjans, M. Uslar, R. Bleiker, J. Gonzalez, M. Specht, T. Suding, and T. Weidelt, Survey of smart grid standardization studies and recommendations, in IEEE SmartGridComm 2010, pp. 583–588, 2010.
12. National Institute of Standards and Technology, Announcing the Advanced Encryption Standard (AES), in Federal Information Processing Standards Publication 197, NIST, Gaithersburg, MD, November 26, 2001.
13. National Institute of Standards and Technology, Data Encryption Standard, Federal Information Processing Standards (FIPS) Publication 46-7, NIST, Gaithersburg, MD, 1999.
14. Institute of Electrical and Electronics Engineers, IEEE Standard 802.11i, IEEE Standard for Information Technology-Telecommunications and Information Exchange Between Systems—Local and Metropolitan Area Networks—Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 6: Medium Access Control (MAC) Security Enhancements, pp. 1–175, IEEE, New York, 2004.
15. Institute of Electrical and Electronics Engineers, IEEE Standard 802.16e, IEEE Standard for Local and Metropolitan Area Networks Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems Amendment 2: Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands and Corrigendum 1, pp. 1–822, IEEE, New York, 2006.
16. A. Bendahmane, M. Essaaidi, A. El Moussaoui, and A. Younes, Grid computing security mechanisms: State-of-the-art, in International Conference on Multimedia Computing and Systems (ICMCS ’09), pp. 535–540, 2009.
17. Y. Yan, Y. Qian, H. Sharif, and D. Tipper, IEEE Communications Surveys and Tutorials, vol. 14(4), pp. 998–1010, 2012.
18. D. Dzung, M. Naedele, T. P. von Hoff, and M. Crevatin, Security for industrial communication systems, Proceedings of the IEEE, vol. 93, pp. 1152–1177, 2005.
19. P. McDaniel and S. McLaughlin, Security and privacy challenges in the smart grid, IEEE Security and Privacy, vol. 7, pp. 75–77, 2009.
20. K. Allan, Power to the people [power energy saving], Engineering and Technology, vol. 4, pp. 46–49, 2009.
21. T. S. Sidhu and Y. Yin, Modelling and simulation for performance evaluation of IEC61850-based substation communication systems, IEEE Transactions on Power Delivery, vol. 22, no. 3, pp. 1482–1489, July 2007.
22. C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, Analysis of a denial of service attack on TCP, in Proceedings of IEEE Symposium on Security and Privacy (S&P 1997), May 1997.
23. A. Yaar, A. Perrig, and D. Song, Pi: A path identification mechanism to defend against DDoS attacks, in Proceedings of IEEE Symposium on Security and Privacy (S&P 2003), 2003.
24. J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39–53, 2004.
25. M. Strasser, S. Capkun, C. Popper, and M. Cagalj, Jamming-resistant key establishment using uncoordinated frequency hopping, in Proceedings of IEEE Symposium on Security and Privacy (S&P 2008), pp. 64–78, May 2008.
26. C. Popper, M. Strasser, and S. Capkun, Jamming-resistant broadcast communication without shared keys, in Proceedings of the 18th USENIX Security Symposium (Security 09), August 2009.
27. Y. Liu, P. Ning, H. Dai, and A. Liu, Randomized differential DSSS: Jamming-resistant wireless broadcast communication, in Proceedings of the 29th IEEE Conference on Computer Communications (INFOCOM 10), March 2010.
28. Y. Liu, P. Ning, and M. Reiter, False data injection attacks against state estimation in electric power grids, in Proceedings of ACM Conference on Computer and Communications Security (CCS 09), September 2009.
29. N. Kuntze, C. Rudolph, M. Cupelli, J. Liu, and A. Monti, Trust infrastructures for future energy networks, in IEEE Power and Energy Society General Meeting 2010, pp. 1–7, 2010.
30. L. Husheng, M. Rukun, L. Lifeng, and R. C. Qiu, Compressed meter reading for delay-sensitive and secure load report in smart grid, in IEEE SmartGridComm 2010, pp. 114–119, 2010.
31. G. Carl, G. Kesidis, R. R. Brooks, and R. Suresh, Denial-of-service attack-detection techniques, IEEE Internet Computing, vol. 10, pp. 82–89, 2006.
32. S. Kent, On the trail of intrusions into information systems, IEEE Spectrum, vol. 37, pp. 52–56, 2000.
33. C. W. Ten, G. Manimaran, and C. C. Liu, Cybersecurity for critical infrastructures: Attack and defense modeling, IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, vol. 40, no. 4, pp. 853–865, July 2010.
34. W. Dong, L. Yan, M. Jafari, P. Skare, and K. Rohde, An integrated security system of protecting smart grid against cyberattacks, in Innovative Smart Grid Technologies (ISGT 2010), pp. 1–7, 2010.
35. M. Jensen, C. Sel, U. Franke, H. Holm, and L. Nordstrom, Availability of a SCADA/OMS/DMS system—A case study, in IEEE Innovative Smart Grid Technologies Conference Europe (ISGT Europe 2010), pp. 1–8, 2010.
36. T. Komura, Y. Nagai, S. Hashimoto, M. Aoyagi, and K. Takahashi, Proposal of delegation using electronic certificates on single sign-on system with SAML-Protocol, in Ninth Annual International Symposium on Applications and the Internet (SAINT ’09), pp. 235–238, 2009.
37. C. Yongkai and T. Shaohua, Security scheme for cross-domain grid: Integrating WS-Trust and grid security mechanism, in International Conference on Computational Intelligence and Security (CIS ’08), pp. 453–457, 2008.
38. R. Perlman, An overview of PKI trust models, IEEE Network, vol. 13, pp. 38–43, 1999.
39. R. J. Thomas, Putting an action plan in place, IEEE Power and Energy Magazine, vol. 7, pp. 26–31, 2009.
40. A. R. Metke and R. L. Ekl, Smart grid security technology, in Innovative Smart Grid Technologies (ISGT2010), pp. 1–7, Gaithersburg, MD, March 2010.
7 Regulations and Standards Relevant for Security of the Smart Grid
Steffen Fries and Hans-Joachim Hof
Contents
7.1 Introduction
7.2 Standardization
7.2.1 International Organization for Standardization/International Electrotechnical Commission
7.2.2 ISO/IEC 27000 Series
7.2.3 IEC Smart Grid Strategic Group
7.2.4 ISO/IEC 62351-1 to 11
7.2.5 ISO/IEC 62443
7.2.6 International Society of Automation
7.2.7 Institute of Electrical and Electronics Engineers
7.2.8 International Council on Large Electronic Systems
7.2.9 Security for Information Systems and Intranets in the Electric Power System
7.2.10 Treatment of Information Security for Electric Power Utilities
7.2.11 North American Electric Reliability Corporation
7.2.12 Internet Engineering Task Force
7.3 National Regulations
7.3.1 National Institute of Standards and Technology
7.3.2 Special Publication 800-53
7.3.3 Special Publication 800-82
7.3.4 Special Publication 1108
7.3.5 NIST IR 7628
7.3.6 U.S. Department of Homeland Security
7.3.7 Bundesverband für Energie- und Wasserwirtschaft—BDEW (Germany)
7.3.8 European Union’s Task Force Smart Grid
7.3.9 Results from the European Smart Grid Coordination Group
7.4 Summary
References

Cyberattacks on critical infrastructures are increasingly becoming a threat to societies around the world. Hence, governments and standardization organizations are defining and improving their regulation and standards framework for one of the most important critical infrastructures: the smart grid. This chapter gives an overview of regulations and standards relevant to the smart grid as well as ongoing activities and standardization bodies.

7.1 Introduction
Today, the power market and the operation of power systems in general are strongly influenced by a large number of regulations and standards. Recently, many of these standards also have addressed information technology (IT) security as an important aspect of the protection of critical infrastructures. This chapter gives a (surely incomplete) overview of relevant regulation and standardization activities related to security of the smart grid. For a survey of proposed standardization activities related to the smart grid in general, the International Electrotechnical Commission (IEC) and National Institute of Standards and Technology (NIST) activities defining standardization roadmaps are referred to (the respective documents are referenced). Parts of this chapter have been taken from Fries and Hof¹ and the IEC.²

7.2 Standardization
The following sections provide a rough overview of the most important security-related standardization and regulation activities with respect to security for the smart grid. References to the original documents or further information are provided.
7.2.1 International Organization for Standardization/International Electrotechnical Commission
The International Organization for Standardization (ISO) and the IEC are cooperating standardization bodies. The ISO provides international standards that target technical and organizational means in several application domains. The IEC develops international standards for all electrical, electronic, and related technologies. To deal with overlap between ISO and IEC, both standardization organizations cooperate in so-called joint technical committees.
7.2.2 ISO/IEC 27000 Series
The standard Information Technology—Security Techniques—Information Security Management Systems consists of different parts. ISO/IEC 27001³ specifies information security management requirements. The requirements are suited for use in certification. ISO/IEC 27002⁴ provides the code of practice for information security management and establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. ISO/IEC 27002 provides generic guidelines, which can be mapped to specific domains. This allows addressing specialties for the targeted application domain. One example is ISO 27011, targeting the mapping of ISO 27002 to the domain of telecommunication. A further example is provided by the German Deutsches Institut für Normung (DIN), which developed the DIN SPEC 27009⁵ (cf. Information Security Management Guidelines for Process Control Systems Used in the Energy Utility Industry on the Basis of ISO/IEC 27002), mapping ISO 27002 guidelines and principles to the electric utility domain. This national specification has been submitted to the ISO for adopting the work to provide it as an international standard. This document is currently under evaluation, aiming at ISO 27019.
7.2.3 IEC Smart Grid Strategic Group
The IEC Smart Grid Strategic Group (SG3) has issued the Smart Grid Standardization Roadmap report (SMB/4175/R),⁶ which encompasses requirements, status, and recommendations of standards relevant for the smart grid. A separate section of the Smart Grid Standardization Roadmap covers security-related topics. The report requests an overall security architecture coping with the complexity of smart grids. In addition, the following are recommendations pertaining to open items and necessary enhancements:
• A specification of a dedicated set of security controls (e.g., perimeter security, access control)
• A defined compartmentalization of smart grid applications (domains) based on clear network segmentation and functional zones
• A specification comprising identity establishment (based on trust levels) and identity management
• The necessity to consider security of the legacy components within standardization
• The harmonization with the IEC 62443 standard to achieve common industrial security standards
• Review, adapt, and enhance existing standards to support general and ubiquitous security across wired and wireless connections
7.2.4 ISO/IEC 62351-1 to 11
ISO/IEC 62351⁷,⁸ is owned by the IEC Technical Committee 57 Working Group 15 (ISO/IEC TC57 WG15). Its scope is data and communication security for power system management and the associated information exchange between entities of the power system. ISO/IEC 62351 is used to establish and ensure end-to-end security. It is applied to protocols like IEC 61850, IEC 60870-x (energy automation), and ICCP (TASE.2, control center communication).
The standard has eight parts, each in a different state of completion. Further parts may be added in the future if necessary. The latest part targets the management of security credentials. Table 7.1 gives an overview of the parts of ISO/IEC 62351 and the current state of the standardization.
The first part of ISO/IEC 62351 introduces the standards and provides an overview. It addresses the security services needed in the power domain. Part 2 provides the terminology used throughout the standard. Parts 3 to 8 are directly related to dedicated protocols typically used in energy automation, in particular ISO/IEC 61850 (IEC 62351-6) and ISO/IEC 60870-5-x (IEC 62351-5) as well as the mapping of those protocols to lower-layer protocols like the Transmission Control Protocol/Internet Protocol (TCP/IP) (IEC 62351-3) and Manufacturing Message Specification (MMS) (IEC 62351-4). The standard also addresses the mapping of security to the network management in part 7. For securing end-to-end communication, a broad range of cryptographic algorithms is used, including symmetric and asymmetric cryptographic algorithms to secure payloads and communication links. ISO/IEC 62351 does not try to reinvent the wheel. Hence, it uses well-known and widely used security protocols like TLS (Transport Layer Security). TLS offers security services like mutual authentication of communication peers as well as confidentiality and integrity protection of transmitted data. Among other attacks, this avoids man-in-the-middle attacks.
Part 3 of ISO/IEC 62351 defines security services for TCP/IP-based energy automation communication, including the specification of cipher suites (the allowed combination of encryption, authentication, and integrity protection algorithms) and requirements on certificates to be used for TLS. The definition of security services pays attention to characteristics of energy automation communication. For example, the definition of certificate revocation procedures is focused on the handling of CRLs (certificate revocation lists); online validation of certificates (e.g., using the OCSP, Online Certificate Status Protocol) is not currently considered in edition 1 as communication links are severely limited in substations. Another characteristic of energy automation communication is long-lived connections. This requires the definition of strict key update and CRL update intervals to restrict the application of cryptographic keys not only for a dedicated number of packets but also for a dedicated time. Another challenge to consider is the interoperability requirements between the implementations of the products of different vendors. Nevertheless, TLS as underlying security protocol has evolved over time. Meanwhile its application is being recommended in substation automation. This drives the development of an edition 2 of part 3, which is currently under review. Edition 2 allows for using OCSP for certificate revocation as well as to better instrument TLS capabilities to cope with the target environment. Support of session resumption is just one example.

Table 7.1 Parts and Associated Standardization Status of the ISO/IEC 62351 Standard

IEC 62351   Definition of Security Services for                       Standardization Status
Part 1      Introduction and overview                                 Technical specification
Part 2      Glossary of terms                                         Technical specification
Part 3      Profiles including TCP/IP                                 Technical specification
Part 4      Profiles including MMS                                    Technical specification
Part 5      Security for IEC 60870-5 and derivatives                  Technical specification
Part 6      Security for IEC 61850                                    Technical specification
Part 7      Network and system management (NSM) data object models    Technical specification
Part 8      Role-based access control for power systems management    Technical specification
Part 9      Credential management                                     Work in progress
Part 10     Security architecture guidelines                          Technical report
Part 11     XML file security                                         New work item proposal
Part 4 of IEC 62351 specifies procedures, protocol enhancements, and algorithms targeting the increase of security of messages transmitted over MMS. MMS is an international standard (ISO 9506) dealing with a messaging system for transferring real-time process data and supervisory control information either between networked devices or in communication with computer applications. Part 4 of IEC 62351 defines procedures on the transport layer, based on TLS, as well as on the application layer to protect the communicated information.
Part 5 of IEC 62351 defines additional security measures for serial communication. In particular, keyed hashes are used to protect the integrity of the data sent over a serial interface employing a symmetric key. This part also defines distinct key management for the use of keyed hashes. An edition 2 is expected soon, handling the update of update keys for the symmetric keys.
Part 6 of IEC 62351 defines security for IEC 61850 Peer-to-Peer Profiles. It covers the profiles in IEC 61850 that are not based on TCP/IP for the communication of GOOSEs (Generic Object Oriented Substation Events) and SVs (sample values) using, for example, plain Ethernet. This type of communication often uses multicast communication; each field device decides based on the message type and sender whether it processes the message. The security defined in part 6 uses digital signatures on the message level to protect the integrity of the messages. This approach is compatible with the use of multicast but requires a lot of computational power. Especially, the number of packets to be processed can be high. At a sample rate of 80 samples per power cycle, there are up to 4,000 packets per second for the common frequency of 50 Hz. Field devices used are typically not built to handle 4,000 signatures per second for generation or for verification. Hence, an edition 2 is targeted addressing this shortcoming. In the future, it is likely to use a group-based approach. Here, a group shares a symmetric key that is applied in the calculation of an integrity check value using keyed hash functions like AES-GMAC (Advanced Encryption Standard-Galois Message Authentication Code) or HMAC-SHA256 (Hash-based Message Authentication Code-Secure Hash Algorithm with key length 256). Digital signatures in this approach are only used to authenticate toward the key server distributing the group key.
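The group-based approach described above, sketched as an added example (not part of the original chapter or of IEC 62351): every group member holds one symmetric key and checks an HMAC-SHA256 integrity check value on each multicast frame. The frame layout, the sequence counter used to reject replays, and the names protect, Subscriber and demo are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32                   # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">HI")  # constructed layout: publisher id, sequence counter


def protect(group_key, publisher_id, seq, payload):
    """Publisher side: return header || payload || HMAC-SHA256 tag."""
    body = HEADER.pack(publisher_id, seq) + payload
    return body + hmac.new(group_key, body, hashlib.sha256).digest()


class Subscriber:
    """Field device that holds the group key and checks every frame."""

    def __init__(self, group_key):
        self._key = group_key
        self._last_seq = {}  # highest accepted counter per publisher

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        publisher_id, seq = HEADER.unpack_from(body)
        if seq <= self._last_seq.get(publisher_id, -1):
            return None  # replayed or reordered frame (assumed policy)
        self._last_seq[publisher_id] = seq
        return body[HEADER.size:]


def demo():
    group_key = os.urandom(32)  # stands in for the key handed out by the key server
    sample = b"Ia=102.4;Ib=101.9;Ic=102.1"  # constructed sample values
    frame = protect(group_key, 7, 1, sample)

    ied_a, ied_b = Subscriber(group_key), Subscriber(group_key)
    outsider = Subscriber(os.urandom(32))  # device that never received the group key
    first = HEADER.size                    # index of the first payload byte
    flipped = frame[:first] + bytes([frame[first] ^ 0x01]) + frame[first + 1:]

    results = {
        "member_a": ied_a.accept(frame),
        "member_b": ied_b.accept(frame),
        "wrong_key": outsider.accept(frame),
        "tampered": Subscriber(group_key).accept(flipped),
        "replayed": ied_a.accept(frame),
    }
    # One second of traffic at the rate quoted above: 80 samples x 50 Hz = 4,000 frames.
    second = [protect(group_key, 7, seq, sample) for seq in range(2, 4002)]
    results["accepted_in_one_second"] = sum(ied_b.accept(f) is not None for f in second)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A valid tag shows only that some holder of the group key produced the frame, so a compromised group member can produce frames that verify under any publisher id. Per-message signatures, as in edition 1, do not share that property, which is the trade made for the lower per-frame cost.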
Part 7 describes security-related data objects for end-to-end network and system management (NSM) and security problem detection. These data objects support the secure control of dedicated parts of the energy automation network. Part 7 can help to implement or extend intrusion detection systems for power system-specific objects and devices.
Part 8 supports role-based access control in terms of three profiles. Each of the profiles uses its own type of credential: identity certificates with role enhancements, attribute certificates, and software tokens. Role-based access control is necessary to support authorization in protection systems and in control center applications. Moreover, it supports stringent traceability. One usage example is the verification of who has authorized and performed a dedicated switching command.
Part 9 is a work in progress targeting the definition of key management supporting power system architectures in general and IEC 62351 specifically. It shall cover all key management-related parts of IEC 62351, helping to reuse key management options as much as possible, also in future parts to be defined.
Part 10 targets a technical report rather than a technical specification and provides an overview considering security for power system architectures. It motivates the incorporation of security right from the beginning and suggests certain security controls. The document is intended to foster the adaptation of security and thus does not provide a complete architecture but architecture elements. Moreover, it references several other documents providing comprehensive insight, like the NIST documents referenced previously.
Part 11 is currently a New Work Item Proposal targeting security for XML (eXtensible Markup Language) files. The goal of this part is the marking of information in messages and local data according to its sensitivity. This is necessary to allow a receiver of certain information to act on the information accordingly. This becomes especially evident if a receiver transforms and stores the information, which may later be queried by other applications.
A first glimpse at the current IEC 62351 parts shows that many of the technical security requirements to be applied to energy automation components and systems can be directly derived from the standard. For instance, parts 3 and 4 explicitly require the usage of TLS. They define cipher suites, which are to be supported as mandatory. These parts also define recommended cipher suites and deprecate cipher suites, which shall not be applied from the IEC 62351 point of view. Note that the mandatory cipher suites do not coincide with the cipher suites that the different TLS versions (1.0, Request for Comments [RFC] 2246; 1.1, RFC 4346; 1.2, RFC 5246) state as mandatory. IEC 62351 edition 1 standards always reference TLS version 1.0 to better address backward compatibility.
Analyzing the standard more deeply shows that several requirements are provided rather implicitly. These requirements are mostly related to the overall key management, which guarantees a smooth operation of the security mechanisms. IEC 62351 makes heavy use of certificates and associated private keys (e.g., when using TLS or GOOSE). However, key management is unspecified. Key management includes generation, provisioning, revocation, and initial distribution of keys and certificates to all related entities. It has been noticed that standardized key management is necessary for general operation as well as for the interoperability of the products of different vendors. This has been acknowledged and was the main reason to start working on part 9 as described.
Besides standard enhancements, which have become necessary through findings during the implementation of IEC 62351, new scenarios may also require the further evolvement of already-existing or new parts of the standard to better cope with new use cases.
7.2.5 ISO/IEC 62443
The ISO/IEC TC65 WG10 is currently standardizing ISO/IEC 62443,⁹ targeting network and system security in industrial communication networks. ISO/IEC 62443 is a joint approach, together with International Society of Automation (ISA) 99 (see the next section); that is, ISA 99 documents will be submitted to the IEC voting process. The standard has different parts, which are in different states of completeness. IEC 62443-1-1 (Terminology and Concepts), IEC 62443-2-1 (Establishment of an Industrial Automation and Control System [IACS] Security Program), and IEC 62443-3-1 (Security Technologies for IACS) are currently available as standards. Work is ongoing on further parts addressing the definition of security levels, certification requirements, and the mapping of ISO 27002 to the industrial automation domain.
7.2.6 International Society of Automation
The ISA is a nonprofit society in the field of industry automation. Besides other duties, ISA is an important standardization body in the context of automation.
ISA-99 defines a framework addressing “security for industrial automation and control systems.”[10] This broad topic also includes energy automation. The framework covers processes for establishing an industrial automation and control system security program based on risk analysis, establishing awareness and countermeasures, and monitoring and cybersecurity management systems. It describes several categories of security technologies and the types of products available in those categories along with preliminary recommendations and guidance for using those security technologies. The standard consists of several subparts, which are in different states of completion.
7.2.7 Institute of Electrical and Electronics Engineers
The IEEE standard IEEE 1686-2007: Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities[11] defines mandatory functions and features to accommodate critical infrastructure protection programs. It covers security in terms of access, operation, configuration, firewall revision, and data retrieval from IEDs. Encryption for the secure transmission of data, both within and external to the substation, is not part of this standard.
Also applicable in the power system domain are the IEEE 802 standards:
• IEEE 802.1X: Port Based Network Access Control specifies port-based access control, allowing the restrictive access decisions to networks based on dedicated credentials. It defines the encapsulation of the EAP (Extensible Authentication Protocol) over IEEE 802, also known as EAP over local-area network (LAN) or EAPOL. The specification also includes key management, formally specified in IEEE 802.1af.
• IEEE 802.1AE: MAC [Media Access Control] Security specifies security functionality in terms of connectionless data confidentiality and integrity for media access-independent protocols. It specifies a security frame format similar to Ethernet.
• IEEE 802.1AR: Secure Device Identity specifies unique per-device identifiers and the management and cryptographic binding of a device to its identifiers.
7.2.8 International Council on Large Electronic Systems
The International Council on Large Electronic Systems (CIGRE) is an international organization covering technical, economic, environmental, organizational, and regulatory aspects of electric power systems. The goals of CIGRE include providing state-of-the-art world practices to engineering personnel and specialists in the field.
7.2.9 Security for Information Systems and Intranets in the Electric Power System
CIGRE published the document, Security for Information Systems and Intranets in Electric Power Systems.[12] The guideline presents the work of the Joint Working Group D2/B3/C2-01, focusing on the importance of handling information security within an electric utility, dealing with various threats and vulnerabilities, the evolution of power utility information systems from isolated to fully integrated systems, the concept of using security domains for dealing with information security within an electric utility, and the use of the ISO/IEC 17799 standard (predecessor of ISO 27000).
7.2.10 Treatment of Information Security for Electric Power Utilities
Working Group D2.22 published the document, Treatment of Information Security for Electric Power Utilities. The document includes three reports:
• Risk Assessment of Information and Communication Systems[13]
• Security Frameworks for Electric Power Utilities[14] and
• Security Technologies Guideline[15]
The three reports provide practical guidelines and experiences for determining security risks in power systems and the development of frameworks, including control system security domains.
7.2.11 North American Electric Reliability Corporation
The mission of the North American Electric Reliability Corporation (NERC) is to ensure the reliability of the bulk power system in North America. To do so, NERC develops and enforces reliability standards and monitors users, owners, and operators for preparedness. NERC is a self-regulatory organization subject to oversight by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada. NERC has established the Critical Infrastructure Protection (CIP) cybersecurity standards CIP-002 through CIP-011, which are defined to provide a foundation of sound security practices across the bulk power system. These standards are not designed to protect the system from specific and imminent threats. They apply to operators of bulk electric systems (BESs; see also North American Reliability Corporation[16]). The profiles originated in 2006. NERC CIP provides a consistent framework for security control perimeters and access management with incident reporting and recovery for critical cyber assets and covers functional as well as nonfunctional requirements. Table 7.2 provides an overview of the various NERC CIP parts.
The draft standard CIP-011 may not lead to new cybersecurity requirements but provides a new organization of the existing requirements of the existing CIP standards. New is the classification of BESs into the three categories—low-, medium-, and high-impact BES cyber systems—and their mapping to security controls. Currently, work is ongoing on version 5 of the set of NERC CIP documents.
Table 7.2 NERC CIP Parts
| CIP | Title | Content |
|---|---|---|
| 002 | Critical Cyber Asset Identification | Identification and documentation of critical cyber assets using risk-based assessment methodologies |
| 003 | Security Management Controls | Documentation and implementation of cybersecurity policy reflecting commitment and ability to secure critical cyber assets |
| 004 | Personnel and Training | Maintenance and documentation of security awareness programs to ensure personnel knowledge on proven security practices |
| 005 | Electronic Security Protection | Identification and protection of electronic security perimeters and their access points surrounding critical cyber assets |
| 006 | Physical Security Program | Creation and maintenance of physical security controls, including processes, tools, and procedures to monitor perimeter access |
| 007 | Systems Security Management | Definition and maintenance of methods, procedures, and processes to secure cyber assets within the electronic security perimeter to not adversely affect existing cybersecurity controls |
| 008 | Incident Reporting and Response Planning | Development and maintenance of a cybersecurity incident response plan that addresses classification, response actions, and reporting |
| 009 | Recovery Plans for Critical Cyber Assets | Creation and review of recovery plans for critical cyber assets |
| 010 | Bulk Electrical System Cyber System Categorization (draft) | Categorization of BES systems that execute or enable functions essential to reliable operation of the BES into three different classes |
| 011 | Bulk Electrical System Cyber System Protection (draft) | Mapping of security requirements to BES system categories defined in CIP-010 |
7.2.12 Internet Engineering Task Force
The Internet Engineering Task Force (IETF) develops international standards targeting protocol suites operating on different layers of the Open System Interconnection (OSI) stack. Prominent examples of standards relate to TCP/IP and the IP suite. The IETF cooperates also with other standardization bodies, like the ISO/IEC or W3C (World Wide Web Consortium). The following RFCs are applicable in the power system domain and therefore stated here:
• The IETF published RFC 6272, Internet Protocols for the Smart Grid,[17] which contains an overview of security considerations and a fairly thorough list of potentially applicable security technology defined by the IETF.
• RFC 3711: Secure Real-Time Transport Protocol (SRTP)[18] may be used for securing Voice over Internet Protocol (VoIP) communication, including video conferencing or video surveillance.
• RFC 4101,[19] RFC 4102,[20] RFC 4103[21] are the base standards for IP Security (IPsec) providing layer 3 security, typically used for virtual private networks (VPNs) or for remote access. The listed RFCs describe general architecture as well as the two modes AH (Authentication Header) and ESP (Encapsulated Security Payload).
• RFC 4962: Authentication, Authorization, and Accounting[22] provides guidance for authentication, authorization, and accounting (AAA) key management and an architecture allowing centralized control of AAA functionality.
• RFC 5246: Transport Layer Security (TLS)[23] provides layer 4 security for TCP/IP-based communication, currently used in IEC 62351. Note that there are several extensions to TLS for additional cipher suites, transmission of additional information like authorizations or OCSP responses, and so on. These extensions are not listed here explicitly.
• RFC 5247: Extensible Authentication Protocol (EAP)[24] provides a key management framework for EAP. Single EAP methods are defined in separate RFCs. EAP is typically used for controlling device (or human) access to networks.
• RFC 5746: Datagram Transport Layer Security (DTLS)[25] provides layer 4 security for communication based on the User Datagram Protocol (UDP)/IP. It may be applied in scenarios for which TLS is not applicable.
• RFC 6407: Group Domain of Interpretation (GDOI)[26] defines group-based key management, currently used in IEC 61850-90-5.
This list states the most obvious standards to be used but is not limited to them.
7.3 National Regulations
Besides international standardization bodies and activities, many national organizations and activities influence the development of energy automation systems in the respective countries. This section covers national activities in the United States and Germany as well as activities on a European level.
7.3.1 National Institute of Standards and Technology
The NIST is a U.S. federal technology agency that develops and promotes measurement, standards, and technology. The following NIST documents cover security in energy automation systems or can be directly applied to security in the smart grid.
7.3.2 Special Publication 800-53
NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems[27] provides guidelines for selecting and specifying technical and organizational security controls and connected processes for information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standard (FIPS) 200 (Minimum Security Requirements for Federal Information and Information Systems).[28] It provides an extensive catalog of security controls and maps these in a dedicated appendix to industrial control systems (ICSs).
7.3.3 Special Publication 800-82
NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security[29] covers how to secure ICSs, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations, such as programmable logic controllers (PLCs). It uses the NIST SP 800-53 as a basis and provides specific guidance on the application of the security controls in NIST SP 800-53. This publication is an update to the second public draft, which was released in 2007.
7.3.4 Special Publication 1108
NIST SP 1108, NIST Framework and Roadmap for Smart Grid Interoperability Standards[30] describes a high-level conceptual reference model for the smart grid. It lists 75 existing standards applicable or likely to be applicable to the ongoing development of the smart grid. The document also identifies future issues, including 15 high-priority gaps and potential harmonization issues for which new or revised standards and requirements are needed.
7.3.5 NIST IR 7628
NIST IR 7628[31,32] originates from the Smart Grid Interoperability Panel (Cyber Security WG) and targets the development of a comprehensive set of cybersecurity requirements building on the NIST SP 1108, also stated previously. The document consists of three subdocuments targeting strategy,[30] security architecture[31] and requirements, and supportive analyses and references.[33]
7.3.6 U.S. Department of Homeland Security
The Catalog of Control Systems Security—Recommendations for Standards Developers[34] of the U.S. Department of Homeland Security summarizes practices of various industry bodies to increase the security level of control systems both from physical and from cyber attacks. The catalog is not limited to energy automation but may also be used for other domains to develop a cybersecurity program.
7.3.7 Bundesverband für Energie- und Wasserwirtschaft—BDEW (Germany)
The German Bundesverband für Energie- und Wasserwirtschaft—BDEW was founded by the federation of four German energy-related associations: Bundesverband der deutschen Gas- und Wasserwirtschaft (BGW), Verband der Verbundunternehmen und Regionalen Energieversorger in Deutschland (VRE), Verband der Netzbetreiber (VDN), and Verband der Elektrizitätswirtschaft (VDEW). The BDEW published a white paper[35] defining basic security measures and requirements for IT-based control, automation, and telecommunication systems, taking into account general technical and operational conditions. It can be seen as a further national approach targeting similar goals as NERC CIP. The white paper addressed requirements for vendors and manufacturers of power system management systems and is used as an amendment to tender specification.
7.3.8 European Union’s Task Force Smart Grid
Within the European Union, a dedicated expert group of the Task Force Smart Grid is currently working on regulatory recommendations for data safety, data handling, and data protection.[36] The goal of the task force is the identification and production of a set of regulatory recommendations to ensure EU-wide consistent and fast implementation of smart grids while achieving the expected smart grids’ services and benefits for all users involved. The goal of the expert group for security is the identification of an appropriate regulatory scenario and recommendations for data handling, security, and consumer protection to establish a data privacy and data security framework that both protects and enables.
7.3.9 Results from the European Smart Grid Coordination Group
The objective of mandate M/490[37] is the development or update of a set of consistent standards within a common European framework that will facilitate the implementation of the different high-level smart grid services and functionalities. The Smart Grid Coordination Group (SGCG) was founded in June 2011 to directly address mandate M/490. It is a joint activity from CEN (European Committee for Standardization, http://www.cen.eu), CENELEC (European Committee for Electrotechnical Standardization, http://www.cenelec.eu/), and ETSI (European Telecommunications Standards Institute, www.etsi.org/) to run for almost 2 years until the end of 2012 resulting in 4 reports. The activity will be enhanced for another 2-year period.[38] As security is one of the targets of this mandate, a dedicated subgroup—the Smart Grid Information Security (SGIS)—addresses this topic explicitly.
IT security is closely connected to the architectural model provided by the reference architecture group as the SGAM (Smart Grid Architectural Model). This model is presented as a cube in which use cases can be mapped on zones and domains on different layers as depicted in Figure 7.1.[39]
Security applies basically to every interface and component in the SGAM depending on the intended use cases. To provide guidance regarding which security means are to be applied, an analysis of the specific use cases is necessary. This is typically being done by performing a threat and risk analysis for a dedicated scenario targeting the identification of potential vulnerabilities based on the analysis of the considered scenario or use case. Based on this analysis, security requirements can be derived and appropriate countermeasures can be recommended. The security working group has developed a methodology for this approach, which is described in the WG report as the security toolbox.
[Figure: SGAM cube. Domains: Generation, Transmission, Distribution, DER, Customer Premise. Zones: Process, Field, Station, Operation, Enterprise, Market. Interoperability dimension: Business Layer, Function Layer, Information Layer, Communication Layer, Component Layer. Other labels: Business Objectives, Political/Regulatory Framework, Outline of Usecase, Subfunctions, Data Model, Protocol.]
Figure 7.1 Smart Grid Architecture Model[39] (SGAM, cf. Smart Grid Coordination Group, Joint CEN, CENELEC and ETSI Activity on Standards for Smart Grids, 2009[38]). DER = Distributed Energy Resources.
This is also supported by some other work, which has been done by providing a mapping of security requirements provided by the NIST IR 7628 (see previous discussion) to standards like ISO 27001 or IEC 62351. This mapping has also been done regarding the NERC CIP documents. The goal of this mapping was the identification of gaps, which need to be addressed by the responsible standardization body. There have been explicit comments on IEC 62351 on the technical side and a clear push for the technology covered. Moreover, the German DIN SPEC 27009 (see previous discussion) has been pushed toward internationalization in ISO for the organizational security part in the energy utility industry. Meanwhile this activity resulted in ISO TR 27019.
It has been acknowledged that the work of the Smart Grid Coordination Group will not end with the working period on the M/490 mandate. It is expected that there will be a refocusing of the group to address specific issues discovered during the first 2-year runtime.
7.4 Summary
The maturity of selected standards and their applicability is presented in Figure 7.2 as proposed in the European-funded project ESCORTS (Efficient Solar Cells Based on Organic and Hybrid Technology).[40] The figure is intended to provide a better overview for operator and manufacturer regarding which standard influences their business most. The different shades of grey in the figure indicate the targeted audience.
[Figure: selected standards placed on two axes. x axis: Operator (Details of Operation) to Manufacturer (Relevance for Manufacturers). y axis: Completeness to Design Details. Regions: Technical Aspects, Management Aspects. Legend: Energy, Industrial automation, IT. Standards shown: ISA 99; NIST 800-53; IEC 62351; NERC CIP; ISO 27001, ISO 27002; IEEE P 1686; RFC 5246 (TLS); DIN SPEC 27009; CIGRE D2.22.]
Figure 7.2 Scope and completeness of selected standards (enhanced version of ESCORTS Project[40]).
While IEC 62351 addresses the energy sector, more specifically substation automation systems, NERC CIP generally targets energy operators. While ISO 27000 and NIST 800-53 are mainly targeted to IT environments (thus targeted at protecting information), other standards, such as ISA 99 or IEEE P 1686, directly address (industrial) automation systems. It should be noted that NIST SP 800-53 Appendix I is explicitly for ICSs, as is NIST SP 800-82.
Standards extending to the right in the x-axis direction in the figure have relevance for manufacturers. Typically, such standards have detailed technical requirements up to the definition of special security protocols, which must be implemented by the manufacturers. In contrast, the more a standard extends to the left of the x axis, the more it is focused on a secure operation. NERC CIP, for example, prescribes specific actions for operators to do, thus providing implicit requirements to the manufacturers to support the operators.
Standards extending to the top of the y axis list precise design details and leave little room for interpretation. IEC 62351, for instance, provides design details to such an extent that device interoperability between various manufacturers can be guaranteed.
Standards extending to the bottom of the y axis cover a broad range of various security areas and thus can be consulted to obtain an estimation of the overall security level.
A smart grid information infrastructure can be characterized as a complex, heterogeneous interconnected system involving different usages, stakeholders, and technologies. This chapter gave an overview of smart grid standardization, regulation, and guideline activities.
Besides the stated activities in Germany and North America, there are further activities, like the road map activities in Asia (especially in Japan and China), addressing smart grid use cases and connected standardization.
Several properties of a smart grid pose challenges for designing a practically deployable and usable security solution for the smart grid. One point is the long lifetime of energy devices compared to the lifetime of IT equipment. Devices once deployed will remain in the field for many years until replacement. A security design has to consider migration aspects to cope with legacy devices, and it has to be designed with the expectation to be adequate for many years. The huge number of heterogeneous devices requires a practical, low-effort or zero-effort management of cryptographic keys and certificates. The diversity of devices, use cases, and stakeholders implies that different kinds of security domains have to be supported within a smart grid. Further challenges are posed through the necessary coordination and alignment of requirements from a plurality of stakeholders (operator, product vendors, consumers, regulations, etc.).
One base for broad adaptation of security as a system inherent feature is also the interoperability between different vendors’ products. This is provided by standardization.
References
1. Steffen Fries and Hans-Joachim Hof, Security considerations in the smart grid, in: Lars Berger and Kris Iniewski, Smart Grids, Wiley, New York, May 2012.
2. International Electrotechnical Commission, IEC 62351-10 TR, Security Architecture Guidelines for TC57 Systems, IEC, Geneva, Switzerland, October 2012.
3. International Organization for Standardization, ISO 27001, ISO/IEC 27001:2005 Information Technology—Security Techniques—Information Security Management Systems—Requirements, http://www.iso27001security.com/html/27001.html
4. International Organization for Standardization, ISO 27002, ISO/IEC 27002:2005 Information Technology—Security Techniques—Information Security Management Systems—Code of Practice for Information Security Management, http://www.iso27001security.com/html/27002.html
5. DIN SPEC 27009, Information Security Management Guidelines for Process Control Systems Used in the Energy Utility Industry on the Basis of ISO/IEC 27002, March 2012.
6. IEC Smart Grid Strategic Group (SG3), Smart Grid Standardization Roadmap, http://www.iec.ch/cgi-bin/restricted/getfile.pl/sMB_4175e_r.pdf?dir=sMB&format=pdf&type=_r&file=4175e.pdf
7. ISO-IEC 62351, Part 1-11, http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=sea22.p&search=iecnumber&header=iec&pubno=62351&part=&se=
8. Steffen Fries, Hans Joachim Hof, Thierry Dufaure, and Maik Seewald, Security for the smart grid—enhancing IEC 62351 to improve security in energy automation control, International Journal on Advances in Security, April 2011, http://www.thinkmind.org/download.php?articleid=sec_v3_n34_2010_7
9. ISO-IEC 62443, Part 1-3, http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=sea22.p&search=iecnumber&header=iec&pubno=62443&part=&se=
10. International Society of Automation, ISA 99 Industrial Automation and Control Systems Security, Standards Framework, http://www.isa-99.com/.
11. ISO-IEC IEC 62357, Part 1: Reference Architecture for TC57, second draft, July 2009.
12. CIGRE Joint Working Group D2/B3/C2-01, Managing Information Security in an Electric Utility, http://d2.cigre.org/content/download/11370/334067/version/2/file/Managing+information+security+in+an+electric+utilityid41ver28.pdf
13. CIGRE (International Council on Large Electronic Systems) Working Group D2.22 report, Risk Assessment of Information and Communication Systems, August 2008, Electra.
14. CIGRE report, Security Frameworks for Electric Power Utilities, WG D2.22, December 2008, Electra.
15. CIGRE report, Security Technologies Guideline, WG D2.22, June 2009, Electra.
16. North American Reliability Corporation, Standards: Reliability Standards, http://www.nerc.com/page.php?cid=2|20.
17. http://tools.ietf.org/html/rfc6272
18. http://tools.ietf.org/html/rfc3711
19. http://tools.ietf.org/html/rfc4101
20. http://tools.ietf.org/html/rfc4102
21. http://tools.ietf.org/html/rfc4103
22. http://tools.ietf.org/html/rfc4962
23. http://tools.ietf.org/html/rfc5246
24. http://tools.ietf.org/html/rfc5247
25. http://tools.ietf.org/html/rfc5746
26. http://tools.ietf.org/html/rfc6407
27. National Institute of Standards and Technology, NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, revision 3, August 2009, http://csrc.nist.gov/publications/nistpubs/800-53-rev3/sp800-53-rev3-final.pdf
28. Federal Information Processing Standard (FIPS) 200: Minimum Security Requirements for Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips200/fiPs-200-final-march.pdf
29. National Institute of Standards and Technology, NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, draft, September 2008, http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
30. National Institute of Standards and Technology, NIST Framework and Roadmap for Smart Grid Interoperability Standards, version 1.0, January 2010, http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf
31. National Institute of Standards and Technology, NIST IR 7628 Guidelines for Smart Grid Cyber Security, Vol. 1 Smart Grid Cyber Security Strategy, draft, July 2010, http://csrc.nist.gov/publications/Pubsdrafts.html#nist-ir-7628
32. National Institute of Standards and Technology, NIST IR 7628 Guidelines for Smart Grid Cyber Security, Vol. 3 Supportive Analyses and References, draft, July 2010, http://csrc.nist.gov/publications/Pubsdrafts.html#nist-ir-7628
33. National Institute of Standards and Technology, NIST IR 7628 Guidelines for Smart Grid Cyber Security, Vol. 2 Security Architecture and Security Requirements, draft, July 2010, http://csrc.nist.gov/publications/Pubsdrafts.html#nist-ir-7628
34. U.S. Department of Homeland Security, Catalog of Control Systems Security—Recommendations for Standards Developers, June 2010, http://www.us-cert.gov/control_systems/pdf/catalog%20of%20control%20systems%20security%20-%20recommendations%20for%20standards%20developers%20June-2010.pdf
35. BDEW—Bundesverband der Energie- und Wasserwirtschaft, Datensicherheit, http://www.bdew.de/bdew.nsf/id/de_datensicherheit
36. EU Task Force Smart Grid, Expert Group 2, Regulatory Recommendations for Data Safety Data Handling and Data Protection, February 16, 2011, http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/expert_group2.pdf
37. European Commission, Directorate-General for Energy, M/490, Standardization Mandate to European Standardisation Organisations (ESOs) to Support European Smart Grid Deployment, March 2011, http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/2011_03_01_mandate_m490_en.pdf.
38. Smart Grid Coordination Group, Joint CEN, CENELEC and ETSI Activity on Standards for Smart Grids, 2009, http://www.cen.eu/cen/sectors/sectors/Utilitiesandenergy/smartGrids/Pages/default.aspx
39. Siemens, Siemens Develops European Architecture Model for Smart Grid, http://www.siemens.com/press/en/pressrelease/?press=/en/pressrelease/2012/infrastructure-cities/smart-grid/icsg201205018.htm.
40. ESCORTS Project, home page, http://www.escort-project.eu/.
8 Vulnerability Assessment for Substation Automation Systems
Adam Hahn, Manimaran Govindarasu, and Chen-Ching Liu
Growing cybersecurity concerns within the smart grid have created increasing demands for vulnerability assessments to ensure adequate cyber protections. This chapter reviews vulnerability assessment requirements within substation automation communication and computation mechanisms and identifies a methodology to evaluate security concerns while avoiding any negative impact on operational systems. Finally, national and industry efforts to expand assessment capabilities within this domain are addressed.
Contents
8.1 Introduction
8.2 Assessment Methodologies
8.2.1 Planning
8.2.1.1 Control Center
8.2.1.2 Substations
8.2.1.3 Network Protocol Overview
8.2.1.4 Supporting Protocols
8.2.2 Review Techniques
8.2.2.1 System Configuration Review
8.2.2.2 Network Configurations/Rulesets
8.2.2.3 Network Traffic Review
8.2.3 Target Identification and Analysis
8.2.3.1 Network Discovery
8.2.3.2 Vulnerability Scanning
8.2.4 Target Vulnerability Validation
8.2.5 Postexecution
8.3 State-of-Practice Review
8.4 Summary
References
8.1 Introduction
The smart grid creates an increasing dependency on the cyber infrastructure to monitor and control the physical system. While supervisory control and data acquisition (SCADA) technology has been utilized for many years, the increasing interconnectivity expands the general cyber attack surface. Recent government reports have raised concerns about the general security posture of these systems.[1,2] In an attempt to mitigate these concerns, the North American Reliability Corporation (NERC) has produced compliance requirements for critical cyber resources to ensure an appropriate protection level.[3] These documents specifically require that a cyber vulnerability assessment is performed to verify that they meet the appropriate security requirements. Unfortunately, the vulnerability assessment process is not well understood for this domain due to numerous constraining properties, including
• Heavy reliance on undocumented, proprietary communication protocols.
• High availability requirements that limit testing of operational systems.
• Software platforms that have not undergone a thorough security analysis and have not been engineered to undergo a security review.
• Geographic distribution of resources limiting physical resource accessibility.
Figure 8.1 provides an overview of the communication infrastructure within the smart grid. Distribution, transmission, and generation domains are identified as well as their interconnectivity and dependency on other parties. The figure identifies various protocols necessary to support this communication and highlights the connectivity between substations and control centers. Security concerns are specifically presented by the unprotected substations and feasible external accessibility of control centers due to corporate and vendor requirements. In addition, smart grid advancements such as advanced metering infrastructures (AMIs) and wide-area measurement systems (WAMSs) will only present greater interconnectivity of these systems.
[Figure: diagram labels: MDMS, Distr. Mgmt, AMI Mgmt, AMI Headend, AMI (Wireless, Wired), Distribution Control, Distribution Substation, Trans. SCADA, Transmission Control, Transmission Substation, Energy Mgmt., Generation Control, Generation Control System, Generation, HMI, Historian, RTUs, IEDs, PMU, Third Party Markets/ISOs, Corporate CIS, Utility Workers, Additional Parties. Protocol labels: ANSI C12.22, IEC 61850, IEC 61850/DNP3, ModBus, ICCP, 802.11, 802.15.4, 802.16, T1, Microwave, PPP.]
Figure 8.1 Smart grid environment. ANSI = American National Standards Institute; CIC = Customer Information System; HMI = Human Machine Interface; ICCP = Inter-Control Center Protocol; IED = Intelligent Electronic Device; ISO = Independent System Operator; MDMS = Meter Data Management System; PMU = Phasor Measurement Unit; PPP = Point-to-Point Protocol; RF = Radio Frequency; RTU = Remote Terminal Unit
This chapter addresses concerns for performing a comprehensive vulnerability assessment within this domain based on the previous constraints. A methodology is presented to appropriately structure assessment efforts. Software tools to assist in the evaluation process are introduced, and their application to this domain is reviewed. In addition, current efforts to expand assessment capabilities are introduced.
8.2 Assessment Methodologies
A strong methodology is imperative to ensure that testing efforts appropriately target the technologies involved within the environment and likely threats to the system. Security testing efforts can be tailored toward different objectives based on the intended scope. The development of vulnerability assessment methodologies has been well explored within traditional information technology (IT) environments; the following list provides some examples:
• National Institute of Standards and Technology Special Publication (NIST SP) 800-115, Technical Guide to Information Security Testing and Assessment[4]
• NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems[5]
• Open Source Security Testing Methodology Manual (OSSTMM)[6]
A high-availability environment such as the smart grid presents a requirement for nonintrusive methodologies. Activities that could potentially cause availability or integrity problems must be restricted. This chapter presents an example of methodology based on that proposed in NIST 800-115, but with specific tailoring to avoid availability concerns. Figure 8.2 provides an overview of the major steps, specifically planning, execution, and postexecution. This chapter primarily highlights the execution phase as it typically involves most of the technical issues. The main components of the execution phase are (1) review techniques, (2) target identification and analysis, and (3) target vulnerability validation. These are further explained in the following sections.
8.2.1 Planning
A key component of the planning phase is the scoping and monitoring of testing activities to ensure they do not negatively interfere with normal operations. This should involve establishing a representative test environment that maintains similar configurations. While assessment scope could vary based on the assessment's intent, the NERC CIP (North American Reliability Corporation Critical Infrastructure Protection) focused assessments on the control centers, substations, and associated communications.[7] Specific concerns within these components are identified next.
[Figure 8.2 Vulnerability assessment plan. Planning: roles and responsibilities, identify scope, limitations and assumptions. Review techniques: system configuration, network traffic, network rule sets. Target identification/analysis: network discovery, vulnerability scanning, protocol identification. Target vulnerability validation: password cracking, penetration testing, social engineering. Postexecution: reporting, mitigation review, cause identification.]
8.2.1.1 Control Center
Control centers will typically contain sets of operator/engineering workstations, control servers, and the resulting network infrastructure. This environment will likely resemble a traditional IT system containing Windows/Unix systems and similar networking switches/routers. While the control system software will be specific to the power domain, other supporting services such as web servers, authentication services (Lightweight Directory Access Protocol (LDAP), Active Directory) and databases may be used. Specific systems within this environment include
• SCADA/EMS (energy management system) servers: control servers that perform monitoring, control, and state estimation tasks
• Historians: databases that maintain historic control system data for trending analysis
• Human-machine interfaces (HMIs): systems that provide operator interfaces to the SCADA/EMS systems
Often, control systems maintain some connectivity to other corporate local-area networks (LANs) or other third parties due to requirements to collect operational data or provide vendor access.[8] The high-security requirements of this environment strongly emphasize scrutiny over remote access capabilities. In addition, while authentication and authorization present key security mechanisms, it must be assumed that in emergency situations, these controls may require some override function.
Assessment Guidance: Specific security concerns with the control environment include (1) appropriate network segregations through routing and firewall rules; (2) implementations of demilitarized zone (DMZ) for services needing access by both control and corporate environments; (3) appropriate patching and system configurations; and (4) sufficient authentication and authorization enforcement.
8.2.1.2 Substations
Substations within both the transmission and distribution domain have unique security requirements due to their geographic location. The communication links provide a specific concern due to the criticality of the transmitted data and their heavy use of wireless communication. All communication paths between the control center and substation, along with all intersubstation communications, require thorough analysis. Field devices are the components that perform the actual sensing and actuation functions throughout the grid. The term field devices is usually a generalization of various devices, including intelligent electronic devices (IEDs), programmable logic controllers (PLCs), and remote terminal units (RTUs). Typically, these are embedded systems with limited processing capabilities, nonstandard operating systems, and software platforms. This increases the likelihood of vulnerabilities and creates difficulties during the assessment process. Often, these devices are not Internet Protocol (IP) enabled, and if they are, they may implement incomplete or frail networking stacks that limit analysis capabilities.
Assessment Guidance: Specific security concerns with substation environments include (1) identification of all field device networking capabilities; (2) sufficient authentication of all accessible field device management/administrative functions; (3) cryptographically protected network communication between control centers or other substations; and (4) auditing of control/monitoring functions, authentication attempts, and device reconfigurations.
8.2.1.3 Network Protocol Overview
Protocols used within a control system vary from those commonly found in traditional IT environments. They are primarily responsible for transmitting binary and analog values on periodic intervals between systems. In addition, many of these protocols were designed and deployed before the proliferation of modern cybersecurity concerns. This section introduces numerous communication protocols, provides a brief explanation, and then identifies necessary security concerns that require inspection during the assessment.
8.2.1.3.1 Distributed Network Protocol
The Distributed Network Protocol (DNP3) is commonly used within the electric grid, especially in substation automation. While DNP3 has been used for many years, it was recently adopted as an Institute of Electrical and Electronics Engineers (IEEE) standard (IEEE Standard 1815).[9] The protocol operates in a master/slave paradigm; the master is typically represented by the control server or RTU, and the slave functions as the field device or outstation. With this model, the master is able to transmit commands and receive readings from the various field units.
While packets are encapsulated with their own data, transport, and application layers, the application layer plays the most important role in the assessment process. Each command and response is encapsulated within a DNP application service data unit (ASDU). The ASDU contains a function code used to identify the purpose of the message (e.g., read, write, confirm, response). The function code is then followed by one or more objects that identify the data type and value associated with the function code. Data types are typically analog or digital inputs/outputs.
Authentication within DNP3 is enforced by categorizing function codes as critical and noncritical. Critical functions are typically those that perform some control or initiate a change on the outstation. Critical functions differ from noncritical in that the outstation can require a hash message authentication code (HMAC). An HMAC uses a shared key combined with a message hash to verify the message's authenticity and integrity. The HMAC calculation is based on the following set of preshared keys:
• Control key, to authenticate messages sent by the master
• Monitoring key, to authenticate messages sent by the outstation
• Update key, to perform a secure key update for both the control and monitoring keys
In addition to the traditional utilization of DNP3, additional work reviewed the use of Transport Layer Security (TLS) or Internet Protocol Security (IPsec) to provide a stronger underlying layer of security.[10]
Assessment Guidance: A secure implementation of the DNP3 protocols should achieve the following objectives: (1) identification of the communication path for all DNP3 traffic; (2) identification of all functions/objects that require authentication; (3) verification of the appropriate authentication on the resulting commands/responses; (4) identification of all communications protected by other means (e.g., IPsec virtual private networks [VPNs]); and (5) analysis of the key update exchanges.
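Objectives (2) and (3) can be checked passively from captured application-layer fragments. The following is an added example, not code from the chapter: it reads the function code of each fragment and reports whether each critical request was accompanied by an authentication exchange. Assumptions: the function code values and object group 120 follow the IEEE 1815 Secure Authentication definitions, the CRITICAL set is the assessor's own policy list, and the capture is constructed with object bodies truncated. Passive review shows whether an exchange took place, not whether the HMAC was valid.

```python
"""Passive audit of DNP3 application-layer fragments (constructed sample data)."""
from dataclasses import dataclass

# DNP3 application-layer function codes (IEEE 1815).
FUNC_NAMES = {
    0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
    0x04: "OPERATE", 0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART", 0x20: "AUTH_REQUEST",
    0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE", 0x83: "AUTH_RESPONSE",
}
AUTH_REQUEST, AUTH_RESPONSE = 0x20, 0x83
# Assumption: the assessor's list of functions that control or change the outstation.
CRITICAL = {0x02, 0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}
# Secure Authentication aggressive mode: first object is group 120, variation 3.
AGGRESSIVE_MODE_OBJECT = (120, 3)


@dataclass
class Fragment:
    src: str
    dst: str
    data: bytes  # application control byte, function code, then objects


@dataclass
class Finding:
    index: int
    master: str
    outstation: str
    function: str
    status: str


def func_code(data):
    """Function code is the second byte; None for truncated fragments."""
    return data[1] if len(data) >= 2 else None


def is_aggressive(data):
    return len(data) >= 4 and (data[2], data[3]) == AGGRESSIVE_MODE_OBJECT


def next_between(frags, start, src, dst):
    """Index of the next fragment sent from src to dst, or None."""
    for i in range(start, len(frags)):
        if frags[i].src == src and frags[i].dst == dst:
            return i
    return None


def audit(frags):
    """Classify every critical request by the authentication seen around it."""
    findings = []
    for i, frag in enumerate(frags):
        fc = func_code(frag.data)
        if fc not in CRITICAL:
            continue
        if is_aggressive(frag.data):
            status = "aggressive-mode"
        else:
            status = "unauthenticated"
            reply = next_between(frags, i + 1, frag.dst, frag.src)
            if reply is not None and func_code(frags[reply].data) == AUTH_RESPONSE:
                status = "challenge-unanswered"
                follow = next_between(frags, reply + 1, frag.src, frag.dst)
                if follow is not None and func_code(frags[follow].data) == AUTH_REQUEST:
                    status = "challenge-reply"
        findings.append(Finding(i, frag.src, frag.dst,
                                FUNC_NAMES.get(fc, hex(fc)), status))
    return findings


def sample_capture():
    """Constructed fragments; object bodies are truncated for brevity."""
    m, o1, o2 = "master", "outstation-1", "outstation-2"
    crob = "0C 01 17 01 00 03 01 64 00 00 00 64 00 00 00 00"
    rows = [
        (m, o1, "C0 01 3C 02 06"),           # READ class data, noncritical
        (o1, m, "C0 81 00 00"),
        (m, o1, "C1 05 " + crob),            # DIRECT_OPERATE, answered directly
        (o1, m, "C1 81 00 00 " + crob),
        (m, o2, "C2 04 " + crob),            # OPERATE, challenged
        (o2, m, "C2 83 00 00 78 01 5B 01"),  # AUTH_RESPONSE carrying a challenge
        (m, o2, "C2 20 78 02 5B 01"),        # AUTH_REQUEST carrying the reply
        (o2, m, "C2 81 00 00"),
        (m, o2, "C3 02 78 03 07 01"),        # WRITE in aggressive mode
        (o2, m, "C3 81 00 00"),
        (m, o1, "C4 0D"),                    # COLD_RESTART, challenge never answered
        (o1, m, "C4 83 00 00 78 01 5B 01"),
    ]
    return [Fragment(s, d, bytes.fromhex(h)) for s, d, h in rows]


if __name__ == "__main__":
    for f in audit(sample_capture()):
        print(f.index, f.master, "->", f.outstation, f.function, f.status)
```

Findings with status "unauthenticated" are the ones to compare against the list of functions the outstation is expected to protect.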
8.2.1.3.2 International Electrotechnical Commission 61850
The transition to a smarter electric grid has required the development of more dynamic protocols. International Electrotechnical Commission (IEC) 61850 has been developed to provide increased interoperability, specifically in substation automation, and provides improved support of security mechanisms such as authentication and encryption. IEC 61850 presents an object-oriented approach to identifying substation components to simplify configuration and interoperability. Each physical device within the substation is represented by an IEC 61850 object; this object can then have sub logical devices, logical nodes, data, and data attributes. Nodes are assigned names based on their function; for example, logical node MMXU is used for a measurement, while XCBR is used for a circuit breaker. This naming scheme makes network traffic analysis more intuitive.
IEC 61850 is a complex protocol capable of sending various message types, including Generic Object Oriented Substation Event (GOOSE), Generic Substation Status Event (GSSE), and Sample Measured Values (SMVs). This chapter focuses on GOOSE as its utilization is more prevalent.
GOOSE relies on Ethernet virtual local-area networks (VLANs) (802.1Q) to perform multicast delivery of content within a 4-ms time frame as required for protective relaying within substations. GOOSE messages can enable digital signatures to both authenticate and ensure the integrity of received messages. However, since digital signatures are based on public key cryptography and certificates, some certificate management function must be deployed. This distribution of certificates and the utilization of certificate authorities (CAs) become critical to understanding the security of the resulting IEC 61850 communications.
Assessment Guidance: A secure implementation of IEC 61850 should achieve the following objectives: (1) identification of the communication path for all traffic; (2) identification of the use of digital signatures or encryption; (3) identification of the VLAN 802.1Q configuration on the network device for accurate inclusion of necessary systems and appropriate device configuration; and (4) a review of certificate distribution and trusts of CAs.
8.2.1.4 Supporting Protocols
Many common IT protocols are found within control systems and introduce security concerns. Domain Name System (DNS) is frequently used but can be problematic due to its dependency on Internet access as it may provide a covert channel for attackers.[11] DNS's utilization should be reviewed to ensure it does not introduce unnecessary external access points.
The Simple Network Management Protocol (SNMP) is often used by various devices within control systems to perform device administration. Access to SNMP configuration is protected by secret community strings; however, default strings such as "public" and "private" are often not changed. The use of a default community string should be reviewed, specifically those that allow write access to devices.
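The community string review can be done from configuration files alone, without touching the devices. The following is an added example, not code from the chapter: it reads Cisco IOS-style "snmp-server community" lines and Net-SNMP "rocommunity"/"rwcommunity" lines and flags the default strings, rating write access highest. The sample configurations, host names and the severity labels are constructed assumptions.

```python
"""Nonintrusive review of SNMP community strings in device configuration text."""
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Community:
    line: int
    name: str
    access: str       # "ro" or "rw"
    restricted: bool  # True when an access list or source restriction is present


def parse_communities(text):
    """Extract community definitions from IOS-style or snmpd.conf-style text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0][0] in "!#":      # blank line or comment
            continue
        key = tok[0].lower()
        if key == "snmp-server" and len(tok) >= 3 and tok[1].lower() == "community":
            # snmp-server community <string> [view <name>] [ro|rw] [acl]
            access, restricted, i = "ro", False, 3   # IOS defaults to read-only
            while i < len(tok):
                word = tok[i].lower()
                if word == "view":            # a view limits OIDs, not sources
                    i += 2
                    continue
                if word in ("ro", "rw"):
                    access = word
                else:
                    restricted = True         # remaining token names an access list
                i += 1
            entries.append(Community(lineno, tok[2], access, restricted))
        elif key in ("rocommunity", "rwcommunity") and len(tok) >= 2:
            # rocommunity|rwcommunity <string> [source]; "default" means any source
            source = tok[2] if len(tok) >= 3 else "default"
            entries.append(Community(lineno, tok[1], key[:2], source != "default"))
    return entries


def review(text):
    """Return (line, community, access, restricted, severity) for default strings."""
    findings = []
    for c in parse_communities(text):
        if c.name not in DEFAULT_COMMUNITIES:
            continue
        severity = "high" if c.access == "rw" else "medium"   # assessor's labels
        findings.append((c.line, c.name, c.access, c.restricted, severity))
    return findings


# Constructed sample: switch configuration in Cisco IOS-style syntax.
IOS_SAMPLE = """\
! constructed sample
hostname sub12-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community s7Xq-ops view OPSVIEW RW 15
"""

# Constructed sample: Net-SNMP snmpd.conf on a control server.
SNMPD_SAMPLE = """\
# constructed sample
rocommunity public default
rwcommunity private 10.20.0.5
rwcommunity Gr1d-mgmt 10.20.0.5
"""

if __name__ == "__main__":
    for label, text in (("ios", IOS_SAMPLE), ("snmpd", SNMPD_SAMPLE)):
        for finding in review(text):
            print(label, finding)
```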
8.2.2 Review Techniques
The review step specifically addresses any nonintrusive analysis of data that can be obtained from systems and networks. These activities include system configuration documents/files, network device configuration/rule sets, and network traffic. Review techniques will play a critical role in the assessment process for the power grid as they are significantly less likely to have an impact on system operations.
8.2.2.1 System Configuration Review
Reviewing system configurations provides a nonintrusive method of determining potential vulnerabilities. Traditionally, this involves the review of any configuration files and the execution of commands that provide current system status. This information can then be correlated with any known secure baselines for the system to determine potential vulnerabilities. This review type is most effective when system configurations are well known. While this is typically the case with popular operating systems and network services, information is often unavailable for the software platforms and field devices used to support the grid. Research into the identification of secure software platform configurations has been explored by the Bandolier project.[12] This effort reviews popular software with the electric grid and establishes assessment capabilities based on other popular assessment tools (e.g., OVAL and Nessus).
8.2.2.2 Network Configurations/Rule Sets
Determining the network architecture is an important aspect of the security assessment process. This step focuses on the review of network device configurations to ensure they appropriately enforce the desired network architecture. This step is critical within the SCADA paradigm due to a heavy reliance on a secure network perimeter.[3] Incorrect assumptions about networking configuration may provide access to unauthorized users, which is specifically concerning due to weak authorization capabilities within many of the field devices.
Tools to assist in the review of network configurations and firewall rule sets are critical to the assessment process due to their relative difficulty of interpretation and the heavy interconnectivity between various devices. Fortunately, some tools have been developed to assist in this task. The Network Access Policy Tool (NetAPT) is the result of research efforts to automate the interpretation of network configurations and verify that they meet some previously assumed network policy.[13]
Future research should expand current tools to incorporate increased understanding of control system communication protocols and network topologies to provide an increased context for configuration analysis.
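Checking a rule set against an assumed network policy can be illustrated on a single first-match firewall. The following is an added example, not code from the chapter and not how NetAPT works: it reports every permit rule that lets through traffic the policy forbids, unless an earlier deny rule fully shadows it. The zones, addresses, rules and policy are constructed assumptions, and routing, NAT and stateful behaviour are not modelled.

```python
"""Check a first-match firewall rule set against a segregation policy."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str
    dst: str
    port: Optional[int]   # None means any port


@dataclass(frozen=True)
class Forbidden:
    name: str
    src: str
    dst: str
    port: Optional[int] = None


def net_intersection(a, b):
    """CIDR blocks are nested or disjoint, so the overlap is the smaller block."""
    a, b = ip_network(a), ip_network(b)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def port_intersection(p, q):
    """Return (overlaps, port); a port of None means any."""
    if p is None:
        return True, q
    if q is None or p == q:
        return True, p
    return False, None


def covered_by(rule, src, dst, port):
    """True when rule matches all traffic from src to dst on port."""
    port_ok = rule.port is None or rule.port == port
    return (src.subnet_of(ip_network(rule.src))
            and dst.subnet_of(ip_network(rule.dst)) and port_ok)


def violations(rules, policy):
    """List (policy name, rule index, src, dst, port) for unshadowed permits."""
    found = []
    for forbidden in policy:
        for i, rule in enumerate(rules):
            if rule.action != "permit":
                continue
            src = net_intersection(rule.src, forbidden.src)
            dst = net_intersection(rule.dst, forbidden.dst)
            overlaps, port = port_intersection(rule.port, forbidden.port)
            if src is None or dst is None or not overlaps:
                continue
            # A partial earlier deny does not count: report conservatively.
            shadowed = any(r.action == "deny" and covered_by(r, src, dst, port)
                           for r in rules[:i])
            if not shadowed:
                found.append((forbidden.name, i, str(src), str(dst), port))
    return found


# Constructed zones: corporate 10.10.0.0/16, DMZ 10.50.0.0/24, control 10.20.0.0/16.
RULES = [
    Rule("permit", "10.10.7.20/32", "10.20.1.5/32", 3389),   # vendor host straight into control
    Rule("permit", "10.10.0.0/16", "10.50.0.10/32", 443),    # corporate to DMZ service
    Rule("permit", "10.20.0.0/16", "10.50.0.10/32", 1433),   # control pushes data to DMZ
    Rule("deny", "10.10.0.0/16", "10.20.0.0/16", None),      # corporate to control blocked
    Rule("permit", "10.10.4.0/24", "10.20.1.5/32", 20000),   # dead rule, shadowed by the deny
    Rule("permit", "10.0.0.0/8", "10.20.1.0/24", 161),       # broad SNMP management rule
]

# Assumed policy: neither corporate nor DMZ hosts may initiate traffic into control.
POLICY = [
    Forbidden("corporate-to-control", "10.10.0.0/16", "10.20.0.0/16"),
    Forbidden("dmz-to-control", "10.50.0.0/24", "10.20.0.0/16"),
]

if __name__ == "__main__":
    for v in violations(RULES, POLICY):
        print(v)
```

The sample flags rule 0, which sits ahead of the deny, and rule 5, whose 10.0.0.0/8 source also admits the DMZ.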
8.2.2.3 Network Traffic Review
Network traffic review provides a method to do passive discovery of the various network communications. This provides the assessor with an understanding of many systems, ports, and protocols being used within the environment. It also provides the ability to analyze various security-related information, such as whether encryption and authentication are being used appropriately.
There are various software tools available to perform network sniffing. Wireshark is an open source packet sniffer that maintains protocol dissectors for most popular IT and SCADA protocols, including DNP, IEC 61850, Modbus, and Object Linking and Embedding (OLE) for Process Control (OPC).[14] While Wireshark provides strong functionality, more advanced tools have been developed to assist in this process. One particular tool, Sophia, is being developed by Idaho National Lab to utilize network discovery capabilities to identify the network communications.[15] Sophia uses network monitoring to determine the current architecture and communication requirements and identify any anomalies within the environment.
While network traffic review is necessary to understand the system and services operating on the network, it does not provide sufficient analysis of the network activity. Various systems or services may perform only transient communications and may not be detected through the sniffing. In addition, not all service configurations can be accurately extracted from the communications, especially if the traffic is encrypted or the protocol's format is not well known. In these cases, additional activities must be performed to provide an accurate system view.
Table 8.1 presents an overview of the presented tools necessary to support the review techniques documented in this section. The table documents vulnerabilities that the tool can help discover, its ability to negatively impact operational systems, and how well it supports smart grid environments.
8.2.3 Target Identification and Analysis
After the initial review steps, a more in-depth analysis of specific components should be performed for target identification and analysis. Often, these activities can be considered intrusive since they require transmitting various requests to systems in an attempt to identify system configurations. These activities could have a negative impact on operational systems and ideally should be performed on a representative test environment.
8.2.3.1 Network Discovery
Network discovery traditionally involves probing the various addresses on the system to discover all operating systems and services. The discovery phase typically uses various types of scanning tools that can send various probe packets in the network and interpret the responses to identify operating services. This activity, referred to as port scanning, uses ICMP (Internet Message Control Protocol) scans to determine active systems while using Transmission Control Protocol/User Datagram Protocol (TCP/UDP) scans to identify open ports.
Table 8.1 System Configuration Review Tools
TOOL | TARGETED VULNERABILITIES | NEGATIVE IMPACT | DOMAIN SUPPORT
Bandolier | SCADA software configurations | Low | Full
NetAPT | Firewall rule set configurations | None | Full
Wireshark | Networking configuration and authentication/encryption verification | Low | Full
Sophia | Networking configuration and authentication/encryption verification | Low | Full
A popular port-scanning tool, NMap, provides many different network probe types and reporting capabilities.[16] The tool's scanning capabilities include ICMP, ARP (Address Resolution Protocol), UDP, and numerous TCP scans with various flag configurations. NMap maintains a dictionary of known port/protocol mapping to help identify operating services as well as an operating system detection feature that may be useful when analyzing field devices for which little system information is known.
8.2.3.2 Vulnerability Scanning
Vulnerability-scanning techniques have traditionally utilized network inspection methods to evaluate operating systems and network services in an attempt to identify vulnerabilities. This technique depends on a database of known vulnerability fingerprints that can be identified by various network probes. Vulnerability scanning can be an effective way to determine unpatched software and default/insecure configurations. While vulnerability-scanning tools remain popular due to their ability to inspect full ranges of systems and services, they may not be appropriate for an operational environment due to the previously addressed availability and integrity concerns. In addition, since this technique is limited to network probing, the amount of collectible information is limited.
Nessus is a popular vulnerability-scanning tool that is continually gaining support for control system software.[17] Along with the comprehensive set of traditional IT vulnerabilities, it has recently included various control system vulnerabilities in its database. Nessus has also incorporated credential-based scanning capabilities that do not require network probing. While this feature significantly reduces the likelihood of impacting system availability, it is only available on well-known operating systems.
Table 8.2 provides an overview of the introduced identification and analysis tools.
8.2.4 Target Vulnerability Validation
The vulnerability validation phase attempts to corroborate any previously determined vulnerability concerns. Validation plays a key role within the power grid as vulnerabilities within many protocols and software platforms are not well known. Attempts to confirm the existence of a vulnerability may be required before investing resources in devising and deploying a mitigation strategy. Unfortunately, this step is generally extremely intrusive as attempts to exploit vulnerabilities often leave systems in unstable states. Activities in this phase should be performed on a replicated testing environment instead of critical operational systems. Some tools are available to assist with the vulnerability validation process. One example is the Metasploit framework, an exploit development tool, which has recently gained some SCADA-specific capabilities to complement its expansive collection of traditional IT exploits (Table 8.3).[18]
8.2.5 Postexecution
The postexecution phase requires the evaluation of a vulnerability's potential system impacts and identification of mitigation techniques and any reporting responsibilities. While impact analysis has been addressed in IT systems through various quantitative and qualitative methods, these methods have not yet targeted a cyber physical system such as the smart grid. Determining impact within this domain may require additional research to detect the actual physical impact from a potential exploitation. Mitigation efforts also vary greatly with the grid. Often, software and field devices are not strongly supportive of upgrades and may require increased cost due to lack of remote accessibility. Therefore, various methods, such as network reconfigurations or increased detection capabilities, may be required to sufficiently address assessment findings.
Table 8.2 Identification and Analysis Tools
TOOL | TARGETED VULNERABILITIES | NEGATIVE IMPACT | DOMAIN SUPPORT
NMap | Network configurations and service/OS detection | High | Partial
Nessus | Operating system/services vulnerabilities and configurations | High | Partial
Note: OS = operating system.
Table 8.3 Vulnerability Validation Tools
TOOL | TARGETED VULNERABILITIES | NEGATIVE IMPACT | DOMAIN SUPPORT
Metasploit | Vulnerability exploitation | High | Limited
8.3 State-of-Practice Review
The previous sections discussed the process of performing a vulnerability assessment tailored toward a substation automation environment. This section continues this state-of-practice review analysis by identifying current research efforts to provide improved capabilities within the domain. The process of identifying new vulnerabilities, improving detection within deployed systems, and managing them after their discovery presents many research challenges. Major efforts by industry and government are identified and then categorized based on their targeted impact. Table 8.4 provides a comprehensive review of these efforts.
8.4 Summary
The discovery of cyber vulnerabilities is becoming increasingly important within the smart grid due to an increased dependency on communication and computation for grid control. While assessment technologies and methodologies have been developed for the traditional computing environment, the transition to the substation automation environment is not well defined.
This chapter identified requirements for vulnerability assessments within smart grid environments, specifically identification of substation automation systems. A comprehensive methodology was introduced to identify the required steps within the process and detail how their application to this domain differs from traditional IT environments. Specific concerns were addressed, including the possibilities of negatively impacting the operational system through testing activities. Examples of security concerns were identified based on popular SCADA protocols and communication architectures. Finally, a review of current government and industry efforts within the vulnerability assessment domain was presented along with both current and future assessment tools.
Table 8.4 Vulnerability Management State of Practice
EFFORT | DESCRIPTION | TARGET
POLICY: STANDARDS
NIST 800-82 [8] | Identification of vulnerabilities, network architecture models, and standards for security controls | ICS
NISTIR 7628 [19] | Cybersecurity controls to address the increased connectivity within the smart grid | Smart grid
DHS CSET | Compliance/standards management and evaluation tool | SCADA
POLICY: COMPLIANCE
NERC CIP [3] | Enforceable vulnerability assessment requirements for bulk power systems | SCADA
NIST 800-53 [20] | Enforceable security controls for government control system | ICS
DISCOVER: DISCLOSURE
NIST NVD [21] | Detailed database of known software vulnerabilities and misconfigurations | IT
ICS-CERT [22] | Publishes advisories on newly discovered vulnerabilities with control system software platforms | ICS
Vendor advisories | Vendor-released vulnerability information | ICS
DISCOVER: TEST BEDS
NSTB [23] | National laboratory collaboration with actual SCADA hardware/software for vulnerability assessment targeting without impact concerns | SCADA
Academic | For example, Iowa State University and University of Illinois,[24,25] realistic SCADA hardware/software, simulated power systems | SCADA
MANAGEMENT: IMPACT ANALYSIS
CVSS [26] | Non-ICS-specific scoring system for vulnerability criticality | IT
MANAGEMENT: TESTING/DEPLOYMENT
ICS-CERT | Mitigation recommendations based on vendor suggestions and ICS best practices | ICS
Note: CSET = cyber security evaluation tool, CVSS = common vulnerability scoring system, ICS-CERT = Industrial Control Systems Cyber Emergency Response Team, NISTIR = National Institute of Standards and Technology Interagency Report, NSTB = National SCADA Test Bed, NVD = National Vulnerability Database.
References
1. Government Accountability Office (GAO), GAO-04-354: Critical Infrastructure Protection Challenges and Efforts to Secure Control Systems. Washington, DC: U.S. GAO (March 2004).
2. Government Accountability Office (GAO), GAO-05-434: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities. Washington, DC: U.S. GAO (May 2005).
3. North American Electric Reliability Corporation (NERC), NERC Critical Infrastructure Protection (CIP) Reliability Standards. Atlanta, GA: NERC (2009).
4. K. Stouffer, J. Falco, and K. Scarfone, NIST SP 800-115: Technical Guide to Information Security Testing and Assessment. Gaithersburg, MD: National Institute of Standards and Technology (September 2008).
5. National Institute of Standards and Technology (NIST), NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans. Gaithersburg, MD: NIST (June 2010).
6. Institute for Security and Open Methodologies (ISECOM), Open Source Security Testing Methodology Manual (OSSTMM) (2010). http://www.isecom.org/osstmm/.
7. R. C. Parks, SAND2007-7328: Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment. Albuquerque, NM: Sandia National Laboratories (November 2007).
8. K. Stouffer, J. Falco, and K. Scarfone, NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security. Albuquerque, NM: National Institute of Standards and Technology (September 2008).
9. Institute of Electrical and Electronics Engineers, IEEE Standard for Electric Power Systems Communications, Distributed Network Protocol (DNP3), IEEE Std 1815-2010, pp. 1–775 (1, 2010). IEEE, New York. doi:10.1109/IEEESTD.2010.5518537.
10. M. Majdalawieh, F. Parisi-Presicce, and D. Wijesekera, DNPSec: Distributed Network Protocol version 3 (DNP3) security framework. In K. Elleithy, T. Sobh, A. Mahmood, M. Iskander, and M. Karim, eds., Advances in Computer, Information, and Systems Sciences, and Engineering, pp. 227–234. Springer, Dordrecht, the Netherlands (2006).
11. S. Bromberger, DNS as a Covert Channel Within Protected Networks. Clackamas, OR: National Electric Sector Cybersecurity Organization (NESCO) (January 2011).
12. Bandolier. Digital Bond, Inc. http://www.digitalbond.com/wp-content/uploads/2008/mktg/Bandolier.pdf
13. D. M. Nicol, W. H. Sanders, M. Seri, and S. Singh. Experiences validating the access policy tool in industrial settings. In Proceedings of the 2010 43rd Hawaii International Conference on System Sciences, HICSS '10, pp. 1–8. IEEE Computer Society, Washington, DC (2010).
14. Wireshark. Wireshark: A Network Protocol Analyzer. http://www.wireshark.org
15. G. Rueff, C. Thuen, and J. Davidson. Sophia Proof of Concept Report, Idaho National Laboratory (March 2010).
16. Nmap. Nmap Security Scanner. http://nmap.org
17. Nessus. Tenable Network Security. http://www.nessus.org/nessus/.
18. Metasploit. Metasploit Framework. Rapid7. http://www.metasploit.com/.
19. National Institute for Standards and Technology (NIST), NISTIR 7628: Guidelines for Smart Grid Cyber Security. Gaithersburg, MD: NIST (August 2010).
20. National Institute for Standards and Technology (NIST), NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations. Gaithersburg, MD: NIST (August 2009).
21. National Institute for Standards and Technology (NIST), National Vulnerability Database. Gaithersburg, MD: National Institute of Standards and Technology (NIST). http://nvd.nist.gov/.
22. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Department of Homeland Security (DHS) Control Systems Security Program (CSSP). http://www.us-cert.gov/control_systems/ics-cert/.
23. Idaho National Laboratory (INL), Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program. Idaho Falls: INL (November 2008).
24. D. C. Bergman, D. Jin, D. M. Nicol, and T. Yardley, The virtual power system testbed and inter-testbed integration, Second Workshop on Cyber Security Experimentation and Test, Montreal, Canada (August 2009).
25. A. Hahn, B. Kregel, M. Govindarasu, J. Fitzpatrick, R. Adnan, S. Sridhar, and M. Higdon, Development of the PowerCyber SCADA security testbed. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW '10, pp. 21:1–21:4. ACM, New York (2010).
26. K. Scarfone and P. Mell, An analysis of CVSS version 2 vulnerability scoring, Third International Symposium on Empirical Software Engineering and Measurement, October 15–16, 2009, Lake Buena Vista, FL (2009).
9 Smart Grid, Automation, and SCADA System Security
Yongge Wang
In this chapter, we discuss the challenges for secure smart energy grid and automation systems. We first describe the current security status and existing attacks on power grid and critical infrastructures. Then, we use the supervisory control and data acquisition (SCADA) system as an example to show the challenges in securing the automation and smart power grid systems. Distributed control systems (DCSs) and SCADA systems were developed to reduce labor costs and to allow systemwide monitoring and remote control from a central location. Control systems are widely used in such critical infrastructures as the smart electric grid, natural gas, water, and wastewater industries. While control systems can be vulnerable to a variety of types of cyberattacks that could have devastating consequences, little research has been done to secure the control systems. The American Gas Association (AGA), International Electrotechnical Commission Technical Committee Working Group 15 (IEC TC 57 WG 15), Institute of Electrical and Electronics Engineers (IEEE), National Institute of Standards and Technology (NIST), and National SCADA Test Bed Program have been actively designing cryptographic standards to protect SCADA systems. In this chapter, we briefly review these efforts and discuss related security issues.
Contents
9.1 Energy Grid and Supervisory Control and Data Acquisition: A High-Level Introduction
9.2 Recent Attacks and Accidents with Energy Systems and Automation Systems
9.3 SCADA Security
9.3.1 Threats to SCADA Systems
9.3.2 Securing SCADA Remote Connections
9.3.3 sSCADA Protocol Suite
9.3.4 Counter Synchronization
9.4 Conclusion
References
9.1 Energy Grid and Supervisory Control and Data Acquisition: A High-Level Introduction
As stated in a Department of Energy (DOE) smart grid white paper,[1] the United States is in the process of modernization of the nation's electricity transmission and distribution system "to maintain a reliable and secure electricity infrastructure that can meet future demand growth" (Sec. 1301, p. 1). The major characterizations [1] of a modern electrical grid system include
• Improved reliability, security, and efficiency of energy distribution based on modern digital communication and control techniques
• Integration of industries involved in production and sale of energy, including the gas industry (e.g., natural gas extraction and distribution systems), the electrical power industry, the coal industry, and renewable resources (e.g., solar and wind power)
• Integration of demand response technologies such as real-time, automated, interactive technologies that optimize the physical operation of appliances and consumer devices for energy generation, transmission, distribution, and retailing (e.g., metering)
• Deployment of advanced electricity storage and peak-shaving technologies
• Availability of real-time information and control options to consumers
• Integration of cybersecurity techniques within the grid systems
In summary, the smart grid system is a secure and intelligent energy distribution system that delivers energy from suppliers to consumers based on two-way demand and response digital communication technologies to control appliances at consumers' homes to save energy and increase reliability. The smart grid system overlays the existing energy distribution system with digital information management and advanced metering systems. It is obvious that the increased interconnection and automation over the grid systems present new challenges for deployment and management.
It is challenging to securely and efficiently convert the existing power grid systems to a smart system with these characteristics. According to the U.S. Energy Information Administration website,[2] at the end of 2010 there were more than 9,200 electric-generating plants in the United States, including coal, petroleum liquids, petroleum coke, natural gas, other gases, nuclear, hydroelectric, renewables, hydroelectric pumped storage, and other types. These generating plants produced 312,334,000 MWh of electricity during February 2011. The electricity is distributed to consumers via more than 300,000 miles of transmission lines throughout the United States. This power infrastructure was designed for performance rather than security, and the integrated communications protocols were designed for bandwidth efficiency without the consideration of cybersecurity. When moving the current energy distribution infrastructure toward a smart grid, we have to overcome the challenges of integrating network-based security solutions with automation systems, which usually requires a combination of new and legacy components and may not have enough reserved resources to perform security functionalities. In this chapter, we use supervisory control and data acquisition (SCADA) as an example to illustrate the strategies that may be employed for the design of smart grid systems.
Control systems are computer-based systems used within many critical infrastructures and industries (e.g., electric grid, natural gas, water, and wastewater industries) to monitor and control sensitive processes and physical functions. To deploy the smart grid system, there is a trend toward interconnecting SCADA systems and data networks (e.g., intranet). Thus, without a secure SCADA system it is impossible to deploy intelligent smart grid systems.
Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. Control systems may perform additional control functions, such as operating railway switches and circuit breakers and adjusting valves to regulate flow in pipelines. The most sophisticated ones control devices and systems at an even higher level.
Control systems have been in place since the 1930s; there are two primary types of control systems: distributed control systems (DCS) and SCADA systems. DCS systems typically are used within a single processing or generating plant or over a small geographic area. SCADA systems typically are used for large, geographically dispersed distribution operations. For example, a utility company may use a DCS to generate power and a SCADA system to distribute it. We concentrate on SCADA systems, and our discussion is generally applicable to DCS systems.
9.2 Recent Attacks and Accidents with Energy Systems and Automation Systems
Several (real and simulated) attacks on energy and SCADA systems were reported in the past few years [3–13]. In the 2000 Maroochy Shire attack [3], an Australian man hacked into the Maroochy Shire, Queensland, computerized waste management system and caused 200,000 gallons of raw sewage to spill out into local parks, rivers, and even the grounds of a Hyatt Regency hotel. It is reported that 49-year-old Vitek Boden had conducted a series of electronic attacks on the Maroochy Shire sewage control system after his job application had been rejected. Later investigations found radio transmitters and computer equipment in Boden’s car. The laptop hard drive contained software for accessing and controlling the sewage SCADA systems.
By exploiting a vulnerability in a control system, the simulated Aurora generator test [5] conducted in March 2007 by the U.S. Department of Homeland Security resulted in a hacker’s remote access to the generator room at the Idaho National Laboratory and the partial destruction of a $1-million diesel-electric generator.
In September 2007, an individual who claimed to be a CUPE (Canadian Union of Public Employees) member hacked into the city computer system in Vancouver that commands the town’s traffic lights and set the computer clock 7 h behind [6]. The result was that traffic signals geared for midnight were managing traffic for the morning rush hour.
On April 8, 2009, an article [7] in the Wall Street Journal by Gorman reported that “cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials” (page 1). The same article mentioned that instead of damaging the power grid or other key infrastructures, the goals of these attacks were to navigate the U.S. electrical system and its controls to map them. To make things worse, these attacks were mainly detected by U.S. intelligence agencies instead of the companies in charge of the infrastructures. In other words, the U.S. utility companies are not ready for the protection of their current infrastructure, let alone the future interconnected smart grid systems. These attacks increase worries about cyberattackers who may take control of electrical facilities, a nuclear power plant, financial networks, or water, sewage, and other infrastructure systems via the Internet.
On Thursday, August 14, 2003, at approximately 4:11 p.m., a widespread power outage occurred throughout parts of the northeastern and midwestern United States and Ontario, Canada. According to a report by the New York Independent System Operator (NYISO) [8], this northeastern blackout of 2003 affected approximately 10 million people in Ontario and 45 million people in eight U.S. states; the NYISO megawatt load had a loss of 80% at the height of the outage. The final report [14] by the U.S.-Canada Power System Outage Task Force showed that the blackout was triggered by a race condition software bug in General Electric Energy’s Unix-based XA/21 energy management system. The bug caused a disruption of service at FirstEnergy’s control room, and the alarm system there stopped working for over an hour. After the alert system failure, neither audio nor visual alerts for important changes in system state were available to the operators. The unprocessed events queued up quickly, and the primary server failed within 30 minutes. Then, the server applications (including the failed alert systems) were automatically transferred to the backup server, which failed soon after. The lack of alarms led operators to dismiss a call from American Electric Power (AEP) about the tripping and reclosure of a 345-kV shared line in northeastern Ohio. FirstEnergy’s technical support informed control room operators concerning the alarm system just before the massive blackout started [15].
Although the software bug triggered this blackout, the U.S.-Canada Power System Outage Task Force report [14] listed four major causes for the blackout:
1. FirstEnergy (FE) and its reliability council “failed to assess and understand the inadequacies of FE’s system, particularly with respect to voltage instability and the vulnerability of the Cleveland-Akron area, and FE did not operate its system with appropriate voltage criteria” (page 17).
2. FirstEnergy “did not recognize or understand the deteriorating condition of its system” (page 17).
3. FirstEnergy “failed to manage adequately tree growth in its transmission rights-of-way” (page 17).
4. There was “failure of the interconnected grid’s reliability organizations to provide effective real-time diagnostic support” (page 17).
The affected infrastructure of the blackout included power generation (power plants automatically went into “safe mode” to prevent damage in the case of an overload); water supply (some areas lost water pressure because pumps did not have power); transportation (trains had no power, and passenger security checking at affected airports ceased); communication systems (cellular communication devices were disrupted, radio stations were momentarily knocked off the air, and cable television systems were disabled); manufacturing (large numbers of factories were closed in the affected area, and freeway congestion in affected areas affected the “just-in-time” supply system).
In June 2010, it was reported [9,16] that the Stuxnet worm spread around the world (with 59% of infected systems in Iran) to subvert SCADA systems. Stuxnet malware targets only Siemens SCADA applications PCS 7, WinCC, and STEP7 that run on Microsoft Windows and Siemens S7 programmable logic controller (PLC). The worm initially spreads using USB (universal serial bus) flash drives and then uses four zero-day exploits to infect the Siemens SCADA and HMI (human-machine interface) systems SIMATIC WinCC and PCS 7. Once infected, it attacks PLC systems with variable-frequency drives that spin between 807 and 1,210 Hz. When certain criteria are met, Stuxnet periodically modifies the frequency to 1,410 Hz, then to 2 Hz, and then to 1,064 Hz and thus affects the operation of the connected motors by changing their rotational speed.
At the 2009 Black Hat conference in Las Vegas, Nevada, Mike Davis [10] showed a simulation environment in which an attacker could take control of 15,000 of 22,000 home smart meters within 24 h by exploiting design flaws within an unnamed brand of smart meters.
Since November 2009, there have been reported [11] coordinated covert and targeted cyberattacks against global oil, energy, and petrochemical companies. These attacks are called Night Dragon by McAfee [11]. An attack first compromises company extranet web servers through Structured Query Language (SQL) injection techniques and then uploads some commonly available hacker tools to the compromised web servers, which will allow the attacker to break into the company’s intranet and obtain access to some sensitive internal desktops and servers. By disabling Microsoft Internet Explorer (IE) proxy settings, the attacker achieves direct communication from infected machines to the Internet. The attacker proceeds further to connect to other machines (targeting executives) and exfiltrate e-mail archives and other sensitive documents.
According to Zetter [12], in May 2011, NSS Labs [17] researchers spent only 2 months on testing a few SCADA control systems and found several vulnerabilities in Siemens PLC and SCADA control systems that could be exploited by hackers to obtain remote access to the control systems to cause physical destruction to factories and power plants. It should be noted that Siemens PLC and SCADA systems are widely used in the world, controlling critical infrastructure systems such as nuclear power and enrichment plants and commercial manufacturing facilities. Under pressure by the Department of Homeland Security, NSS Labs did not disclose details before Siemens could patch the vulnerabilities. This example shows that when the control systems are interconnected with the intranet, a dedicated attacker could easily mount serious attacks. It should also be noted that, in his dissertation, PhD student Sean Gorman from George Mason University, using materials available publicly on the Internet (see, e.g., Blumenfeld [13] and Rappaport [18]), mapped every business and industrial sector in the American economy to the fiber-optic network that connects them. Similarly, under pressure from the government, Gorman’s dissertation has never been made public.
9.3 SCADA Security
In this section, we demonstrate, with examples, the challenges to secure the current automation systems, such as SCADA systems. Part of this analysis was taken from the work of Wang [19]. In a typical SCADA system [20], data acquisition and control are performed by remote terminal units (RTUs) and field devices that include functions for communications and signaling. SCADA systems normally use a poll response model for communications with cleartext messages. Poll messages are typically small (less than 16 bytes), and responses might range from a short “I am here” to a dump of an entire day’s data. Some SCADA systems may also allow for unsolicited reporting from remote units. The communications between the control center and remote sites could be classified into the following four categories.
1. Data acquisition: The control center sends poll (request) messages to RTUs, and the RTUs dump data to the control center. In particular, this includes status scan and measured value scan. The control center regularly sends a status scan request to remote sites to obtain field devices status (e.g., OPEN or CLOSED or a fast CLOSED-OPEN-CLOSED sequence) and a measured value scan request to obtain measured values of field devices. The measured values could be analog values or digitally coded values and are scaled into engineering format by the front-end processor (FEP) at the control center.
2. Firmware download: The control center sends firmware downloads to remote sites. In this case, the poll message is larger (e.g., larger than 64,000 bytes) than other cases.
3. Control functions: The control center sends control commands to an RTU at remote sites. Control functions are grouped into four subclasses: individual device control (e.g., to turn on/off a remote device); control messages to regulating equipment (e.g., a raise/lower command to adjust the remote valves); sequential control schemes (a series of correlated individual control commands); and automatic control schemes (e.g., closed control loops).
4. Broadcast: The control center may broadcast messages to multiple RTUs. For example, the control center broadcasts an emergency shutdown message or a set-the-clock-time message.
Acquired data are automatically monitored at the control center to ensure that measured and calculated values lie within permissible limits. The measured values are monitored with regard to rate of change and for continuous trend monitoring. They are also recorded for postfault analysis. Status indications are monitored at the control center with regard to changes and time tagged by the RTUs. In legacy SCADA systems, existing communication links between the control center and remote sites operate at very low speeds (could be on an order of 300 to 9,600 bps). Note that present deployments of SCADA systems have variant models and technologies, which may have much better performances (for example, 61850-based systems). Figure 9.1 describes a simple SCADA system.
In practice, more complicated SCADA system configurations exist. Figure 9.2 lists three typical SCADA system configurations (see, e.g., Report No. 12 of the American Gas Association [AGA] [21]).
Recently, there have been several efforts to secure the national SCADA systems. Examples exist for the following companies and standards:
1. American Gas Association [21]. The AGA was among the first to design a cryptographic standard to protect SCADA systems. The AGA had originally been designing a cryptographic standard to protect SCADA communication links; the finished report is AGA 12, part 1. AGA 12, part 2, has been transferred to the Institute of Electrical and Electronics Engineers (IEEE) (IEEE 1711).
2. IEEE 1711 [22]. This was transferred from AGA 12, part 2. This standard effort tries to define a security protocol, the Serial SCADA Protection Protocol (SSPP), for control system serial communication.
3. IEEE 1815 [23]. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3). The purpose of this standard is to document and make available the specifications for the DNP3 protocol.
4. International Electrotechnical Commission Technical Committee Working Group 15 (IEC TC 57 WG 15) [24,25]. The IEC TC 57 WG 15 standardized SCADA communication security via its IEC 60870-5 series.
5. National Institute of Standards and Technology (NIST) [26]. The NIST Industrial Control System Security (ICS) group works on general security issues related to control systems such as SCADA systems.
6. National SCADA Test Bed Program [27]. The DOE established the National SCADA Test Bed program at Idaho National Laboratory and Sandia National Laboratory to ensure the secure, reliable, and efficient distribution of power.

Figure 9.1 A simple SCADA system. WAN, wide-area network. (Diagram labels: control center with FEP, modem, WAN card, and antenna; leased lines; radio or microwave; remote site with modem, WAN card, antenna, and RTUs.)
Figure 9.2 Typical SCADA system configurations. (Panels: SCADA system with point-to-point configuration; SCADA system with RTUs connected in a series-star configuration; SCADA system with RTUs in a multi-drop architecture.)
9.3.1 Threats to SCADA Systems
SCADA systems were not designed with public access in mind; they typically lack even rudimentary security. However, with the advent of technology, particularly the Internet, much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries. Critical security flaws for SCADA systems are well known to potential attackers. It is feared that SCADA systems can be taken over by hackers, criminals, or terrorists. Some companies may assume that they use leased lines and therefore nobody has access to their communications. The fact is that it is easy to tap these lines [28]. Similarly, frequency-hopping spread-spectrum radio and other wireless communication mechanisms frequently used to control RTUs can be compromised as well.
Several efforts [26,27,29] have been made for the analysis and protection of SCADA system security. According to these reports [26,27,29], the factors that have contributed to the escalation of risk to SCADA systems include the following:
• The adoption of standardized technologies with known vulnerabilities. In the past, proprietary hardware, software, and network protocols made it difficult to understand how SCADA systems operated—and therefore how to hack into them. Today, standardized technologies such as Windows, Unix-like operating systems, and common Internet protocols are used by SCADA systems. Thus, the number of people with knowledge to wage attacks on SCADA systems has increased.
• The connectivity of control systems to other networks. To provide decision makers with access to real-time information and allow engineers to monitor and control the SCADA systems from different points on the enterprise networks, the SCADA systems are normally integrated into the enterprise networks. Enterprises are often connected to partners’ networks and to the Internet. Some enterprises may also use wide-area networks and the Internet to transmit data to remote locations. This creates further security vulnerabilities in SCADA systems.
• Insecure remote connections. Enterprises often use leased lines, wide-area networks/Internet, and radio/microwave to transmit data between control centers and remote locations. These communication links could be easily hacked.
• The widespread availability of technical information about control systems. Public information about infrastructures and control systems is readily available to potential hackers and intruders. Sean Gorman’s dissertation (see, e.g., [13,18]), mentioned previously, is a good example for this scenario. Significant information on SCADA systems is publicly available (from maintenance documents, from former employees, and from support contractors, etc.). All these information sources could assist hackers in understanding the systems and finding ways to attack them.
Hackers may attack SCADA systems with one or more of the following actions:
1. Causing denial-of-service attacks by delaying or blocking the flow of information through control networks
2. Making unauthorized changes to programmed instructions in RTUs at remote sites, resulting in damage to equipment, premature shutdown of processes, or even disabling of control equipment
3. Sending false information to control system operators to disguise unauthorized changes or to initiate inappropriate actions by system operators
4. Modifying the control system software, producing unpredictable results
5. Interfering with the operation of safety systems
The analysis in reports [26,27,29] showed that securing control systems poses significant challenges, which include
1. The limitations of current security technologies in securing control systems. Existing Internet security technologies such as authorization, authentication, and encryption require more bandwidth, processing power, and memory than control system components typically have. Controller stations are generally designed to do specific tasks, and they often use low-cost, resource-constrained microprocessors.
2. The perception that securing control systems may not be economically justifiable.
3. The conflicting priorities within organizations regarding the security of control systems.

In this chapter, we concentrate on the protection of SCADA remote communication links. In particular, we discuss the challenges for protection of these links and design new security technologies to secure SCADA systems.
9.3.2 Securing SCADA Remote Connections
Relatively cheap attacks could be mounted on SCADA system communication links between the control center and RTUs since there is neither authentication nor encryption on these links. Under the umbrella of NIST’s Critical Infrastructure Protection Cybersecurity of Industrial Control Systems, the AGA SCADA Encryption Committee has been trying to identify the functions and requirements for authenticating and encrypting SCADA communication links. Their proposal [21] is to build cryptographic modules that could be invisibly embedded into existing SCADA systems (in particular, one could attach these cryptographic modules to modems, such as those of Figure 9.2) so that all messages between modems are encrypted and authenticated when necessary, and they have identified the basic requirements for these cryptographic modules. However, due to the constraints of SCADA systems, no viable cryptographic protocols have been identified to meet these requirements. In particular, the challenges for building these devices are [21]
1. Encrypting of repetitive messages.
2. Minimizing delays due to cryptographic operations.
3. Ensuring integrity with minimal latency:
   • Intramessage integrity: If cryptographic modules buffer a message until the message authenticator is verified, it introduces message delays that are not acceptable in most cases.
   • Intermessage integrity: Reorder messages, replay messages, and destroy specific messages.
4. Accommodating various SCADA poll response and retry strategies: Delays introduced by cryptographic modules may interfere with the SCADA system’s error-handling mechanisms (e.g., time-out errors).
5. Supporting broadcast messages.
6. Incorporating key management.
7. Controlling the cost of devices and management.
8. Dealing with a mixed mode: Some SCADA systems have cryptographic capabilities; others do not.
9. Accommodating different SCADA protocols: SCADA devices are manufactured by different vendors with different proprietary protocols.
Wang [19] has recently designed efficient cryptographic mechanisms to address these challenges and to build cryptographic modules as recommended in AGA Report No. 12 [21]. These mechanisms can be used to build plug-in devices called sSCADA (secure SCADA) devices that could be inserted into SCADA networks so that all communication links are authenticated and encrypted. In particular, authenticated broadcast protocols are designed so that they can be cheaply included into these devices. It has been a major challenging task to design efficiently authenticated emergency broadcast protocols in SCADA systems.
9.3.3 sSCADA Protocol Suite
The sSCADA protocol suite [19] is proposed to overcome the challenges discussed in the previous section. An sSCADA device installed at the control center is called a master sSCADA device, and sSCADA devices installed at remote sites are called slave sSCADA devices. Each master sSCADA device may communicate privately with several slave sSCADA devices. Occasionally, the master sSCADA device may also broadcast authenticated messages to several slave sSCADA devices (e.g., an emergency shutdown). An illustrative sSCADA device deployment for point-to-point SCADA configuration is shown in Figure 9.3.
It should be noted that the AGA had originally designed a protocol suite to secure the SCADA systems [21,30] (an open source implementation could be found in reference 31). However, Wang [19] has broken these protocol suites by mounting a replay attack.
To reduce the cost of sSCADA devices and management, only symmetric key cryptographic techniques are used in our design. Indeed, due to the slow operations of public key cryptography, public key cryptographic protocols could introduce delays in message transmission that are not acceptable to SCADA protocols. The semantic security property [32] is used to ensure that an eavesdropper has no information about the plaintext, even if the eavesdropper sees multiple encryptions of the same plaintext. For example, even if the attacker has observed the ciphertexts of “shut down” and “turn on,” it will not help the attacker to distinguish whether a new ciphertext is the encryption of “shut down” or “turn on.” In practice, the randomization technique is used to achieve this goal. For example, the message sender may prepend a random string (e.g., 128 bits for Advanced Encryption Standard [AES] 128) to the message and use special encryption modes such as cipher block chaining (CBC) mode or hash-CBC (HCBC) mode. In some modes, this random string is called the initialization vector (IV). This prevents information leakage from the ciphertext even if the attacker knows several plaintext/ciphertext pairs encrypted with the same key.
Since SCADA communication links could be as slow as 300 bps and immediate responses are generally required, there is not sufficient bandwidth to send the random string (IV) each time with the ciphertext; thus, we need to design different cryptographic mechanisms to achieve semantic security without additional transmission overhead. In our design, we use two counters shared between two communicating partners, one for each direction of communication.
The counters are initially set to zeros and should be at least 128 bits, which ensures that the counter values will never repeat, avoiding replay attacks. The counter is used as the IV in message encryptions if CBC or HCBC mode is used. After each message encryption, the counter is increased by one if CBC mode is used, and it is increased by the number of blocks of encrypted data if the HCBC mode is used. The two communicating partners are assumed to know the values of the counters, and the counters do not need to be added to each ciphertext. Messages may become lost, and the two counters need to be synchronized occasionally (e.g., at off-peak time). A simple counter synchronization protocol is proposed for the sSCADA protocol suite. The counter synchronization protocol could also be initiated when some encryption/decryption errors appear due to unsynchronized counters.

Figure 9.3 sSCADA with point-to-point SCADA configuration. (Diagram labels: control center, FEP, master sSCADA, modem, modem, slave sSCADA, RTU.)
For two sSCADA devices to establish a secure channel, a master secret key needs to be bootstrapped into the two devices at deployment time (or when a new sSCADA device is deployed into the existing network). For most configurations, secure channels are needed only between a master sSCADA device and a slave sSCADA device. For some configurations, secure channels among slave sSCADA devices may also be needed. The secure channel identified with this master secret is used to establish other channels, such as session secure channels, time synchronization channels, authenticated broadcast channels, and authenticated emergency channels.
Assume that $H(\cdot)$ is a pseudorandom function (e.g., constructed from Secure Hash Algorithm [SHA]-256) and two sSCADA devices $A$ and $B$ share a secret $K_{AB} = K_{BA}$. Depending on the security policy, this key $K_{AB}$ could be the shared master secret or a shared secret for one session that could be established from the shared master key using a simple key establishment protocol (to achieve session key freshness, typically one node sends a random nonce to the other one, and the other node sends the encrypted session key together with an authenticator on the ciphertext and the random nonce). Keys for different purposes could be derived from this secret as follows (it is not a good practice to use the same key for different purposes): for example, $K_{AB} = H(K_{AB}, 1)$ is for message encryption from $A$ to $B$, $K'_{AB} = H(K_{AB}, 2)$ is for message authentication from $A$ to $B$, $K_{BA} = H(K_{AB}, 3)$ is for message encryption from $B$ to $A$, and $K'_{BA} = H(K_{AB}, 4)$ is for message authentication from $B$ to $A$.
Optional message authentication codes (MACs) are used for two parties to achieve data authentication and integrity. MACs that could be used for sSCADA implementation include HMAC [33,34], CBC-MAC [35], and others. When party $A$ wants to send a message $m$ to party $B$ securely, $A$ computes the ciphertext $c = E(C_A, K_{AB}, c_A \| m)$ and message authenticator $mac = MAC(K'_{AB}, C_A \| c)$, where $c_A$ is the last $l$ bits of $H(C_A)$ ($l$ could be as large as possible if bandwidth is allowed, and 32 bits should be the minimal), $E(C_A, K_{AB}, c_A \| m)$ denotes the encryption of $c_A \| m$ using key $K_{AB}$ and random-prefix (or IV) $C_A$, and $C_A$ is the counter value for the communication from $A$ to $B$. Then, $A$ sends the following packets to $B$:
$$A \rightarrow B:\ c,\ mac\ \text{(optional)}$$
When $B$ receives these packets, $B$ decrypts $c$, checks that $c_A$ is correct, and verifies the message authenticator $mac$ if $mac$ is present. As soon as $B$ receives the first block of the ciphertext, $B$ can check whether $c_A$ is correct. If it is correct, then $B$ continues the decryption and updates its counter. Otherwise, $B$ discards the entire ciphertext. If the message authenticator code $mac$ is present, $B$ also verifies the correctness of $mac$. If $mac$ is correct, $B$ does nothing; otherwise, $B$ may choose to inform $A$ that the message was corrupted or try to resynchronize the counters.
There are several implementation issues on how to deliver the message to the target (e.g., RTU). For example, there are the following:
1. $B$ uses the counter to decrypt the first block of the ciphertext; if the first $l$ bits of the decrypted plaintext are not consistent with $H(C_A)$, then the reason could be that the counter $C_A$ is not synchronized or that the ciphertext is corrupted. $B$ may try several possible counters until the counter-checking process succeeds. $B$ then uses the verified counter and the corresponding key to decrypt the message and deliver each block of the resulting message to the target as soon as it is available. If no counter could be verified in a limited number of trials, $B$ may notify $A$ of the transmission failure and initiate the counter synchronization protocol in the next section. The advantage of this implementation is that we have minimized delay from the cryptographic devices, thus minimizing the interference with SCADA protocols. Note that in this implementation, the message authenticator $mac$ is not used. If the ciphertext was tampered with, we rely on the error correction mechanisms (normally CRC codes) in SCADA systems to discard the entire message. If CBC (respectively HCBC) mode is used, then the provable security properties (respectively provable online cipher security properties) of CBC mode (respectively HCBC mode) [36,37] guarantee that the attacker has no chance to tamper with the ciphertext, so that the decrypted plaintext contains a correct CRC that was used by SCADA protocols to achieve integrity.
2. Proceed as in case 1. In addition, the $mac$ is further checked, and the decrypted message is delivered to the SCADA system only if the $mac$ verification passes. The disadvantage for this implementation is that these cryptographic operations introduce significant delay for message delivery, and it may interfere with SCADA protocols.
3. Proceed as in case 1. The decrypted message is delivered to the SCADA system as soon as available. After receiving the entire message and $mac$, $B$ will also verify $mac$. If the verification passes, $B$ will do nothing. Otherwise, $B$ resynchronizes the counter with $A$ or initiates some other exception-handling protocols.
4. To avoid delays introduced by cryptographic operations and to check the $mac$ at the same time, sSCADA devices may deliver decrypted bytes immediately to the target except the last byte. If the message authenticator $mac$ is verified successfully, the sSCADA device delivers the last byte to the target; otherwise, the sSCADA device discards the last byte or sends a random byte to the target. That is, we rely on the error correction mechanisms at the target to discard the entire message. Similar mechanisms have been proposed [21]. However, an attacker may insert garbage between the ciphertext and $mac$, thus tricking the sSCADA device to deliver the decrypted messages to the SCADA system. If this happens, we essentially do not receive an advantage from this implementation. Thus, this implementation is not recommended.
5. Instead of prepending $c_A$ to the plaintext message, one may choose to prepend three bytes of other specially formatted string to the plaintext message (bandwidth of three bytes is normally available in SCADA systems) before encryption. This is an acceptable solution although we still prefer our solution of prepending the hash outputs of the counter.
There could be other implementations to improve the performance and interoperability with SCADA protocols. sSCADA devices should provide several possible implementations for users to configure. Indeed, sSCADA devices may also be configured in a dynamic way so that for different messages it uses different implementations.
In some SCADA communications, message authentication only is sufficient. That is, it is sufficient for $A$ to send $(m, mac)$ to $B$, where $m$ is the cleartext message and $mac = MAC(K'_{AB}, C_A \| m)$. sSCADA devices should provide configuration options to perform message authentication without encryption. In this case, even if the counter value is not used as the IV, the counter value should still be authenticated in the $mac$ and be increased after the operation. This will provide message freshness assurance and avoid replay attacks. sSCADA should also support message pass-through mode. That is, the message is delivered without encryption and authentication. In summary, it should be possible to configure an sSCADA device in such a way that some messages are authenticated and encrypted, some messages are authenticated only, and some messages are passed through directly.
9.3.4 Counter Synchronization
In the point-to-point message authentication and encryption protocol, we assume that both sSCADA devices $A$ and $B$ know each other’s counter values $C_A$ and $C_B$, respectively. In most cases, reliable communication in SCADA systems is provided, and the security protocols in the previous section work fine. Still, we provide a counter synchronization protocol so that sSCADA devices can synchronize their counters when necessary. The counter synchronization protocol could be initiated by either side. Assume that $A$ initiates the counter synchronization protocol. Then, the protocol looks as follows:
$$\begin{array}{l} A \rightarrow B:\ N_A \\ B \rightarrow A:\ C_B,\ MAC(K'_{BA}, N_A \| C_B) \end{array}$$
The initial counter values of two sSCADA devices could be bootstrapped directly. The counter synchronization protocol presented could also be used by two devices to bootstrap the initial counter values. A master sSCADA device may also use the authenticated broadcast channel that we discuss in the next section to set the counters of several slave sSCADA devices to the same value using one message.
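The authentication-only mode of Section 9.3.3 and the counter synchronization exchange above can be exercised together, as in this added Python example (it is not code from the chapter or from the sSCADA work it cites). It assumes HMAC-SHA256 for both H and MAC, a 16-byte nonce, and a receiver that tries a small window of counters, which the chapter describes only for the encrypted mode; the `Device` class and its method names are hypothetical.

```python
import hashlib
import hmac
import os

CTR_LEN = 16    # 128-bit counters, the minimum size the chapter asks for
NONCE_LEN = 16  # assumed length of the nonce N_A (not fixed by the chapter)


def H(secret: bytes, label: int) -> bytes:
    """Key derivation H(K, i); HMAC-SHA256 is this example's choice of PRF."""
    return hmac.new(secret, bytes([label]), hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """MAC(K', x || y); counter and nonce are fixed-length, so the
    concatenation is unambiguous."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def ctr_bytes(counter: int) -> bytes:
    return counter.to_bytes(CTR_LEN, "big")


class Device:
    """One sSCADA endpoint in authentication-only mode (hypothetical class)."""

    def __init__(self, shared_secret: bytes, is_a: bool, window: int = 4):
        k_ab = H(shared_secret, 2)  # K'_AB: authenticates A -> B
        k_ba = H(shared_secret, 4)  # K'_BA: authenticates B -> A
        self.send_key, self.recv_key = (k_ab, k_ba) if is_a else (k_ba, k_ab)
        self.send_ctr = 0     # counter for the direction this device sends in
        self.recv_ctr = 0     # local copy of the peer's counter
        self.window = window  # counters to try before giving up (assumed policy)
        self._nonce = None    # outstanding synchronization nonce, if any

    def send(self, m: bytes):
        """Return (m, mac); the counter itself is never put on the wire."""
        tag = mac(self.send_key, ctr_bytes(self.send_ctr), m)
        self.send_ctr += 1
        return m, tag

    def receive(self, m: bytes, tag: bytes) -> bool:
        """Accept m only if the MAC verifies under a counter not yet used."""
        for c in range(self.recv_ctr, self.recv_ctr + self.window):
            if hmac.compare_digest(tag, mac(self.recv_key, ctr_bytes(c), m)):
                self.recv_ctr = c + 1  # skip past lost messages, never go back
                return True
        return False  # replayed, forged, or too far out of sync

    # Counter synchronization: initiator -> peer: N; peer -> initiator: C, MAC
    def sync_request(self) -> bytes:
        self._nonce = os.urandom(NONCE_LEN)
        return self._nonce

    def sync_response(self, nonce: bytes):
        c = ctr_bytes(self.send_ctr)
        return c, mac(self.send_key, nonce, c)

    def sync_finish(self, c: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each nonce is single-use
        if nonce is None or len(c) != CTR_LEN:
            return False
        if not hmac.compare_digest(tag, mac(self.recv_key, nonce, c)):
            return False
        self.recv_ctr = int.from_bytes(c, "big")
        return True


def demo() -> dict:
    secret = bytes(range(32))  # constructed shared secret, for illustration only
    a, b = Device(secret, is_a=True), Device(secret, is_a=False)
    out = {}
    cmd = a.send(b"OPEN breaker 7")   # constructed control message
    out["fresh"] = b.receive(*cmd)
    out["replay"] = b.receive(*cmd)   # same bytes again: counter already used
    for _ in range(2):                # two A -> B polls lost on the link
        a.send(b"poll")
    out["small_gap"] = b.receive(*a.send(b"CLOSE breaker 7"))
    for _ in range(6):                # six B -> A replies lost on the link
        b.send(b"status")
    out["desync"] = a.receive(*b.send(b"status: CLOSED"))
    stale = b.sync_response(os.urandom(NONCE_LEN))  # reply bound to another nonce
    a.sync_request()
    out["stale_sync"] = a.sync_finish(*stale)
    nonce = a.sync_request()
    out["sync"] = a.sync_finish(*b.sync_response(nonce))
    out["after_sync"] = a.receive(*b.send(b"status: OPEN"))
    return out


if __name__ == "__main__":
    print(demo())
```

The sketch follows the chapter's formulas literally, so data messages and synchronization replies are both authenticated under K'_BA with no domain separation; a deployment would want the two MAC inputs to be distinguishable.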
9.4 Conclusion
In this chapter, we discussed the challenges for smart grid system security. We then used control systems (in particular, SCADA systems) as examples for studying how to address these challenges. In particular, we mentioned Wang’s attack [19] on the protocols in the first version of the AGA standard draft [30]. This attack showed that the security mechanisms in the first draft of the AGA standard protocol could be easily defeated. We then proposed a suite of security protocols optimized for SCADA/DCS systems. These protocols are designed to address the specific challenges of SCADA systems.
Recently, there has been a wide interest in the secure design and implementation of smart grid systems [38]. The SCADA system is one of the most important legacy systems of the smart grid systems. Together with other efforts such as those offered in IEEE 1711 [22], IEEE 1815 [23], IEC TC 57 [24], IEC 60870-5 [25], NIST Industrial Control System Security [26], and the National SCADA Test Bed Program [27], the work in this chapter presents an initial step for securing the SCADA section of the smart grid systems against cyberattacks.
References
1. Department of Energy. Title XIII—Smart Grid (2010). http://www.oe.energy.gov/documentsandMedia/eisa_title_Xiii_smart_Grid.pdf
2. U.S. Energy Information Administration. Net Generation by Energy Source: Total (All Sectors) (2011). http://www.eia.gov/cneaf/electricity/epm/table1_1.html
3. M. Abrams and J. Weiss. Malicious Control System Cyber Security Attack Case Study—Maroochy Water Services, Australia (2010). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Maroochy-water-services-case-study_briefing.pdf
4. M. Abrams and J. Weiss. Bellingham, Washington, Control System Cyber Security Case Study (2007). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Bellingham_case_study_report2020sep071.pdf
5. USA Today. Aurora case: U.S. video shows hacker hit on power grid (2007). http://www.usatoday.com/tech/news/computersecurity/2007-09-27-hacker-video_n.htm
6. SPAMfighter. Vancouver city-police investigating possible sabotage of traffic light computer system (2007). http://www.spamfighter.com/news_show_other.asp?M=10&Y=2007
7. S. Gorman. Electricity grid in US penetrated by spies. Wall Street Journal (April 8, 2009). http://online.wsj.com/article/sB123914805204099085.html
8. ISO New York Independent System Operator. NYISO Interim Report on the August 14, 2003 Blackout (2004). http://www.hks.harvard.edu/hepg/Papers/nYiso.blackout.report.8.Jan.04.pdf
9. G. Keizer. Is Stuxnet the “best” malware ever? (2010). http://www.infoworld.com/print/137598
10. M. Davis. SmartGrid device security adventures in a new medium (2009). http://www.blackhat.com/presentations/bh-usa-09/Mdavis/BhUsa09-davis-aMi-slides.pdf
11. McAfee. Global energy cyberattacks: Night Dragon (February 2011). http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
12. K. Zetter. Fearing industrial destruction, researcher delays disclosure of new Siemens SCADA holes (2011). http://www.wired.com/threatlevel/2011/05/siemens-scada-vulnerabilities/.
13. L. Blumenfeld. Dissertation could be security threat. Washington Post (July 7, 2003). http://www.washingtonpost.com/ac2/wp-dyn/a23689-2003Jul7
14. U.S.-Canada Power System Outage Task Force. Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004). https://reports.energy.gov/Blackoutfinal-web.pdf
15. North American Electric Reliability Council. Technical Analysis of the August 14, 2003, Blackout: What Happened, Why, and What Did We Learn? (2004). http://www.nerc.com/docs/docs/blackout/nerc_final_Blackout_report_07_13_04.pdf
16. N. Falliere, L. Murchu, and E. Chien. W32.Stuxnet dossier (February 2011). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
17. NSS Labs. Home page. http://www.nsslabs.com/.
18. J. Rappaport. What you don’t know might hurt you: Alum’s work balances national security and information sharing. http://gazette.gmu.edu/articles/11144
19. Y. Wang. sSCADA: Securing SCADA infrastructure communications, International Journal Communication Networks and Distributed Systems 6(1), 59–78 (2011).
20. T. Cegrell. Power System Control Technology. Prentice-Hall International, Harlow, UK (1986).
21. American Gas Association. AGA Report No. 12. Cryptographic Protection of SCADA Communications: General Recommendations. Draft 2, February 5, 2004. Draft 2 is no longer available online. Draft 3 (2010) is available for purchase. http://www.aga.org/.
22. Institute of Electrical and Electronics Engineers. IEEE 1711. Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links (2011). http://standards.ieee.org/findstds/standard/1711-2010.html
23. Institute of Electrical and Electronics Engineers. IEEE 1815. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3) (2010). http://grouper.ieee.org/groups/1815/.
24. International Electrotechnical Commission. IEC TC 57. Focus on the IEC TC 57 Standards (2010). http://www.ieee.org/portal/cms_docs_pes/pes/subpages/publications-folder/tc_57_column.pdf
25. International Electrotechnical Commission. IEC 60870-5. Group Maillist Information (2010). http://www.trianglemicroworks.com/iec60870-5/index.htm
26. National Institute of Standards and Technology (NIST). NIST Industrial Control System Security (ICS) (2011). http://csrc.nist.gov/groups/sMa/fisma/ics/index.html
27. Idaho National Laboratory. National SCADA Test Bed Program (2011). http://www.inl.gov/scada/.
28. Granite Island Group. Wiretapping and outside plant security—Wiretapping 101 (2011). http://www.tscm.com/outsideplant.html
29. General Accounting Office. GAO-04-628. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. Testimony Before the Subcommittee on Technology Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform (March 30, 2004). http://www.gao.gov/new.items/d04628t.pdf
30. A. K. Wright, J. A. Kinast, and J. McCarty. Low-Latency Cryptographic Protection for SCADA Communications, in Proc. 2nd Int. Conf. on Applied Cryptography and Network Security, ACNS 2004, vol. 3809, LNCS, pp. 263–277. Springer-Verlag, New York (2004).
31. A. Wright. SCADAsafe (2006). http://scadasafe.sourceforge.net
32. S. Goldwasser and S. Micali. Probabilistic encryption, Journal of Computer and System Sciences 28, 270–299 (1984).
33. M. Bellare, R. Canetti, and H. Krawczyk. Message authentication using hash functions—the HMAC construction, RSA Laboratories CryptoBytes 2(1) (Spring 1996).
34. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication, Internet RFC 2104 (February 1997). http://www.itl.nist.gov/fipspubs/fip81.htm
35. National Institute of Standards and Technology (NIST). DES Modes of Operation, FIPS Publication 81. NIST, Gaithersburg, MD (1981).
36. M. Bellare, A. Boldyreva, L. Knudsen, and C. Namprempre. On-line ciphers and the hash-CBC constructions. In Advances in Cryptology—Crypto 2001, vol. 2139, LNCS, pp. 292–309. Springer Verlag, New York (2001).
37. M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code, Journal of Computer and System Sciences 6(3), 362–399 (2000).
38. Department of Energy. Study of Security Attributes of Smart Grid Systems—Current Cyber Security Issues (April 2009). http://www.inl.gov/scada/publications/d/securing_the_smart_grid_current_issues.pdf
10 Smart Grid Security in the Last Mile
Tae Oh, Sumita Mishra, and Clark Hochgraf
Contents
10.1 Introduction
10.2 Smart Grid System Architecture in the Last Mile
10.3 Control System Perspective: Impact of the Smart Grid on Electric Power System Stability
10.4 Planning for Security and Privacy
10.5 Security Threats in the Field-Area Network/Neighbor-Area Network
  10.5.1 Physical-Layer Attacks
  10.5.2 Link-Layer Attacks
  10.5.3 Network-Layer Attacks
  10.5.4 Internet Protocol Addressing Specific Attacks
  10.5.5 Transport-Layer Attacks
  10.5.6 Application-Layer Attacks
  10.5.7 Other Prominent Security Threats
    10.5.7.1 Back-Office Compromise
    10.5.7.2 Grid Volatility
    10.5.7.3 Security Discrepancy
10.6 Security of AMI System: AMI Issues and Current Weaknesses
  10.6.1 AMI Components
  10.6.2 Security Issues in AMI Components
    10.6.2.1 Confidentiality in an AMI System
    10.6.2.2 Integrity in AMI Systems
    10.6.2.3 Availability in AMI Systems
    10.6.2.4 Nonrepudiation in AMI Systems
    10.6.2.5 Authorization in AMI Systems
  10.6.3 Major Vulnerabilities in Current AMI Systems
    10.6.3.1 Plaintext NAN Traffic
    10.6.3.2 Bus Snooping
    10.6.3.3 Improper Cryptography
    10.6.3.4 Direct Tampering
    10.6.3.5 Meter Authentication Weaknesses
    10.6.3.6 Denial-of-Service Threats
    10.6.3.7 Stored Key and Passwords
    10.6.3.8 Cryptographic Key Distribution
10.7 Addressing Encryption and Key Management Needs of the Smart Grid Using Techniques Adapted from Sensor Networks
  10.7.1 Data Encryption
  10.7.2 Key Establishment and Management
  10.7.3 Link-Layer Security Frameworks
10.8 Conclusions and Outlook
References
Recommended Reading

Maintaining integrity, availability, authenticity, and confidentiality of smart grid data and control information becomes increasingly challenging in the last mile to the home. Physical security is more difficult to achieve, leading to greater potential for tampering and compromise of nodes. The larger number of nodes and the interdependency of nodes for communication leave the system more vulnerable to certain types of attacks. Encryption is essential to network security; however, encryption key management is a particular challenge in the smart grid due to the large number of distributed nodes. Interoperability and flexibility goals can appear to be at odds with the implementation of security measures that ensure valid data are being provided. A balance must be struck between competing objectives. Security decisions in the last mile must be evaluated from the broader perspective of maintaining operation of the smart power system in the face of evolving attacks and adversaries over the deployment life of the system.
10.1 Introduction
Collection of data and control of devices are two main objectives of the smart grid. Collected data may include energy usage, power consumption, local voltage, volt-ampere reactive (VAR) power, and operational status for numerous devices at numerous locations. Device control may include changing taps on transformers, engaging VAR compensation capacitors, disconnecting loads, reducing loads, delaying the start of a load, or changing command set points for distributed generators.
All of these tasks require communication of either information or control signals. If invalid, inaccurate, malicious, or untimely information is provided, the effects on the power system operation can be severe, including over- or undervoltage, interruption of power both locally and regionally, damage to connected equipment, hazards to personnel, and financial losses. The information gathered can be used for inappropriate, unexpected, or unsavory purposes by authorized and unauthorized third parties. As a result, both security and privacy of sensor data and control information are essential.
10.2 Smart Grid System Architecture in the Last Mile
A number of organizations, including the National Institute of Standards and Technology (NIST), Institute of Electrical and Electronics Engineers (IEEE), Electric Power Research Institute (EPRI), and others, have created architectural models of the smart grid. In the last mile, the smart grid includes power distribution equipment and overlapping communication networks, for example, the field-area network (FAN), neighborhood-area network (NAN), automated metering infrastructure (AMI), and home-area networks (HANs).
Much of the emphasis in the smart grid is on smart meters (AMI) and linking AMI into other networks in the home for load control or sending pricing signals to homeowners, and in the power system for connecting AMI infrastructure to higher-level centralizing networks.
In Germany, a smart grid architecture with slightly different terminology is used [1]. AMI smart metering devices are part of a local metrological network (LMN) that connects to the consumer’s HAN and can control loads or generation units that are part of a controllable local system (CLS). The AMI/LMN network data is passed back toward a central data collector through a gateway that connects to a wide-area network (WAN).
The architectural description differences as well as different privacy standards influence how security and privacy solutions are achieved. For example, in Germany, the gateway acts as a firewall to the HAN and CLS from the WAN.
10.3 Control System Perspective: Impact of the Smart Grid on Electric Power System Stability
In the smart grid, end-consumer sensor data and controllable systems are integrated and aggregated into larger values of power consumption and larger effective controllable load systems. The data for aggregate power may be used for decisions at the level of a feeder, substation, or even region. Besides data aggregation, controlled local systems are aggregated and may be commanded to act as a large single controllable load. With the new controllability arising from the smart grid, it is useful to take a control systems perspective on the functioning of the smart grid system.
An adversary who manipulates either the load data or controllable local systems may be able to have a broad impact on the electric power system. By manipulating loads on and off, the adversary could reduce damping in the electric power system, modifying the system eigenvalues and worsening any latent stability issues. Combining such an attack with obfuscation of the system state by manipulation of sensor data may lead to a loss of system control.
Positive control benefits may also be achieved by adding active damping using aggregated controllable local systems. From a control system perspective, lag and latency become a critical issue in achieving a stable feedback control system using the smart grid controllable loads. Any feedback system with sufficient lag and gain can be made unstable. At a minimum, lag in feedback signals creates a reduction in stability. The lag or latency introduced by a particular security implementation must be considered in stability analyses.
10.4 Planning for Security and Privacy
Designing a smart grid system for security and privacy can be approached starting with a risk assessment that examines adversaries, their objectives, and threats. Adversaries may be insiders or outsiders. They may have physical access or they may not. Their objectives may be financial, political, or disruptive. Guidelines for assessing cybersecurity risks are available from the National Association of State Energy Officials (NASEO) [2] and NIST [3]. The Utility Communication Architecture International User Group (UCAIug) has outlined security strategies and threats specific to AMI [4].
A general strategy of applying security in layers and at different levels is recommended. This “defense-in-depth” strategy includes physical access control “fences and gates,” role limitations, security logs, encryption, secure communication, and auditing of information-handling procedures and practices. Ensuring security and privacy goes beyond encryption and secure communication.
Challenges in smart grid security design include

1. Knowing who to trust (authentication)
2. Detecting intrusion, even if there is no disruption
3. Understanding how a potential attack affects system operation
4. Maintaining secure data-handling procedures (privacy) across organizations outside the utility (e.g., third parties, outsourced services)

Germany’s security strategy for the AMI gateway [1] addresses challenge 3 by specifically ensuring that if the communication network is disrupted, the system fail-safe is to ensure that electricity is still provided to the consumer, with no possibility of impact on the delivery of the commodity.
Detecting intrusion, challenge 2, is addressed by security logs and tamper detection that is observable by both the consumer and the gateway operator. The AMI gateways are also required to be installed in a nonpublic environment to reduce the potential for physical access to the equipment. Messages on the system have timestamps to prevent a replay attack, by which a copy of an authentic message is replayed at a later time.
In preventing an adversary from affecting the system, it is important that the adversary does not have access to the complete system image. Concealment of the network nodes, communication pathways, and power system architecture is recommended. This prevents the attacker from gaining relevant information by observing responses to a failed message attempt or from observing information flow.
Maintaining privacy of personal usage information can be accomplished by allowing upstream parties to have access to only the minimum amount of data needed for billing or system operation. Data should be encrypted and pseudonymized or aggregated as appropriate to anonymize it.
10.5 Security Threats in the Field-Area Network/Neighbor-Area Network
10.5.1 Physical-Layer Attacks
Smart grids are expected to have nodes that are installed in areas considered to be outside premises. In these locations, they become highly vulnerable to physical damage due to environmental reasons or manhandling of nodes. Such damage poses a threat to the integrity of the entire smart grid network. At the physical (PHY) layer, it is also susceptible to breakdown of the transmission medium and rogue capturing of nodes [5]. Such threats can be combated through the utilization of tamper-resistant and damage-impervious devices capable of sending security alerts. The use of encryption in devices and deployment of devices that securely store cryptographic keys and execute an authentication check on each link setup should be undertaken to thwart security threats at a physical level.
10.5.2 Link-Layer Attacks
In a NAN, nodes are allowed to join and leave dynamically, which leads to issues of securely communicating multicast messages at the link layer. Jamming of the communication medium due to reprobate capture of the network is another issue that needs consideration. Jamming can also occur in fast-hop ad hoc networks if the number of hops exceeds 1,000 hops/s, causing internal interference [6]. Most NAN networks are ad hoc networks having a medium access control (MAC) protocol responsible for allocating the medium and the available resources in a distributed manner. This makes the network susceptible to availability attacks by selfish nodes that monopolize the available resources. Radio-frequency (RF) spectrum jamming can be avoided using frequency-hopping spread spectrum (FHSS), which varies the channel from 50 to 100 times per second, making it difficult to lock onto one particular frequency.
With multiple types of traffic being carried on a converged smart grid network, quality of service (QoS) is important to ensure that critical control traffic is not delayed by less-critical traffic. Allowable latency times may be less than 3 ms for protection and safety-critical control communications. Some aspects may tolerate up to 160 ms of latency. Noncritical communications can handle latencies of greater than 160 ms. QoS requirements not only lead to multiple levels of security but also place a limit on the maximum tolerable processing time of security measures implemented at this layer.
One security concern pertaining characteristically to a smart grid network is sleep deprivation or torture attacks. Almost all components in a smart grid are designed to have a long sleep time when the device is in the off state, which translates to breakdown of the device if an attack overloads it.
The MAC layer attacks for the smart grid are generally averted by security protocols that involve techniques like MAC ID filtering, QoS provisioning, and so on. Most PHY layer security measures can also be extended to the MAC layer.
10.5.3 Network-Layer Attacks
Network-layer attacks are generally characterized by attacks on routing tables, which affect data traffic flows. The routing table is responsible for relaying the messages to their correct destination. Network-layer attacks aim at modifying the routing table so that traffic flows through a specific node controlled by the attacker. The attacker then can generate messages with false information or erroneously relay information that may cause congestion in the network. Denial-of-service (DoS) attacks at the network layer can be undertaken by fabricating routing tables aimed at disrupting traffic flow and eavesdropping on the information transmitted in the smart grid [7].
Network-layer attacks include the following:

• Routing black holes: A node is hacked and is then broadcast as the shortest path, resulting in all traffic being directed to the hacked node.
• Sybil attack: Some sensor nodes in the network are misguided into believing that nodes that either are multiple hops away or that do not exist are their neighbors.
• Wormholes: A considerable amount of the network traffic is tunneled from one place in the network to another distant place in the network, depriving other parts of the network.

Attacks can occur on neighbor-sensing protocols by inserting unauthorized nodes, which can be prevented through the routine use of encryption, integrity examination, and authentication mechanisms. However, this leads to an added security threat of attack to exploit route maintenance procedures [8].
10.5.4 Internet Protocol Addressing Specific Attacks
The use of Internet Protocol (IP) addressing in smart grid communication does lead to confidentiality and authorization issues. IP spoofing, dual-stack convergence, and cyberattacks at this level are some other concerns. Cyber threats include cyberspies mapping the grid and installing malicious software capable of destroying or disrupting services. IP-based requirements were written for computers (hosts) and routers; some AMI nodes do not meet them and probably cannot meet them without further specification development. On the other hand, security measures for IP-based routing are well defined and can be added to the smart grid with some minor modifications.
10.5.5 Transport-Layer Attacks
The communications module inside each meter is connected to the meter via a serial port, which can be disconnected so that the meter does not report usage. Deploying smart meters, which are capable of detecting such disconnects and other types of tampering and reporting such incidents to operators, can mitigate service theft via meter/communications module interface intrusion. The primary transport protocols like TCP (Transmission Control Protocol), UDP (User Datagram Protocol), DCCP (Datagram Congestion Control Protocol), and SCTP (Stream Control Transmission Protocol) provide multiplexing of different traffic flows between two hosts, and the logical separation provided by the transport layer is not intended to guard against malicious attacks by a determined adversary.
10.5.6 Application-Layer Attacks
Attacks on the application pose a threat since cryptography and encryption are not enough to prevent them. Verifying the data received with statistical data corresponding to the model can prevent the attacks. While this is not a foolproof method, the method is useful.
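The check described above, as an added example that is not from the chapter: readings that have already passed cryptographic verification are compared against a per-hour load baseline using the modified z-score (median and median absolute deviation). The baseline values, the 3.5 threshold, the field names and the sample readings are all constructed assumptions.

```python
from statistics import median

THRESHOLD = 3.5     # assumption: usual cut-off for the modified z-score
MIN_SPREAD = 0.01   # kWh floor so a perfectly flat history cannot divide by zero

# Constructed history for one meter: hour of day -> past interval readings (kWh)
HISTORY = {
    3:  [0.30, 0.32, 0.29, 0.31, 0.33, 0.30, 0.31],   # night-time base load
    18: [1.8, 2.1, 1.9, 2.4, 2.0, 2.2, 1.7],          # evening peak
}

# Constructed readings; each is assumed to carry a valid MAC already
READINGS = [
    {"seq": 1, "hour": 3,  "kwh": 0.34},   # ordinary night reading
    {"seq": 2, "hour": 18, "kwh": 2.5},    # high, but normal for the evening
    {"seq": 3, "hour": 3,  "kwh": 2.5},    # same value at 03:00 does not fit
    {"seq": 4, "hour": 18, "kwh": 0.0},    # zero usage at peak time
    {"seq": 5, "hour": 12, "kwh": 0.9},    # hour with no baseline at all
]


def build_model(history):
    """Return {hour: (median, MAD)} as the statistical model of normal load."""
    model = {}
    for hour, values in history.items():
        centre = median(values)
        mad = median(abs(v - centre) for v in values)
        model[hour] = (centre, max(mad, MIN_SPREAD))
    return model


def score(model, hour, kwh):
    """Modified z-score of a reading against the model for that hour."""
    centre, spread = model[hour]
    return 0.6745 * abs(kwh - centre) / spread


def check_reading(model, reading):
    """Return the reasons a reading is implausible; an empty list means accept."""
    reasons = []
    if reading["hour"] not in model:
        reasons.append("no baseline for this hour")
    elif score(model, reading["hour"], reading["kwh"]) > THRESHOLD:
        reasons.append("deviates from the hourly load model")
    return reasons


def flagged_sequences(history, readings):
    """Sequence numbers of readings that should go to manual review."""
    model = build_model(history)
    return [r["seq"] for r in readings if check_reading(model, r)]


if __name__ == "__main__":
    print(flagged_sequences(HISTORY, READINGS))
```

A flagged reading is a prompt for review, not proof of an attack, which matches the chapter's remark that the method is useful but not foolproof.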
10.5.7 Other Prominent Security Threats
10.5.7.1 Back-Office Compromise Back-office compromise could take place when individuals illegally gain access to the smart grid management database. From there, they could compromise the reliability of the entire grid, including unsanctioned access to billing and other back-office systems. This could lead to embezzlement of service in addition to loss of customer confidentiality.
By the same token, with access to the database that stores privileged data, an attacker could modify the credentials to which coordinators respond and potentially bring down the grid. Physical security, strong validation, authorization using multilevel privileges, and network access regulation using firewalls are all mechanisms that can be used to combat a back-office attack. Encryption of databases, passwords, and customer information should be undertaken, and right of entry to the control system should be restricted to specific physically safeguarded sites.
10.5.7.2 Grid Volatility The smart grid network has much intelligence at its edges, that is, at the entry point and at the end-user’s meter and at the back office where all the data are accumulated and processed. However, in the grid network itself, there is insufficient intelligence governing the switching functions. This lack of integrated development makes the grid a volatile network with little if any software intelligence to control it, making the smart grid vulnerable to physical and cyberattacks in the middle [9].
10.5.7.3 Security Discrepancy With the smart grid, there are multiple stakeholders with different agendas motivating them. Security standards have to be unbiased and account for security of the smart grid in its totality. Also, encryption and other security measures have to be maintained throughout the entire network as the network is only as strong as its weakest link.
10.6 Security of AMI System: AMI Issues and Current Weaknesses
Advanced metering infrastructure security is one of the key components in the smart grid infrastructure. There is a proposed AMI security specification under development that will provide the utility industry along with supporting vendor communities and other stakeholders a set of security requirements. The requirements should be applied to AMI implementations to ensure the high level of information assurance, availability and security necessary to maintain a reliable system and consumer confidence [10].
10.6.1 AMI Components
The AMI system consists of several components interconnected to form a network architecture, which provides communication capabilities in a power grid. Some of the prominent components are as follows [11]:

Smart Meter: This meter provides energy-related information as well as metrological data. In addition, the meter provides periodic data for customer energy usage.
Customer Gateway: This gateway is an interface between the AMI network and HAN or building management system (BMS). The gateway location may be different from that of the smart meter.
AMI Communications Network: The network provides information flow from the smart meter to the AMI headend.
AMI Headend: The component provides a management function for information flow between an external system and the AMI network.

10.6.2 Security Issues in AMI Components
10.6.2.1 Confidentiality in an AMI System The main issue of confidentiality in AMI systems [10,12] is privacy since customers would not want private firms, marketing agencies, or unauthorized people to access their energy or electric utilization patterns. Therefore, the concerned authority has to make sure that data leaks do not occur either intentionally or unintentionally.
The AMI communications network must also restrict unauthorized access or information passing between customers. It is important to keep energy and other information from the smart meter confidential even from physical tampering to access the stored data. Lack of confidentiality could result in a hacker accessing data that reveal which houses in an area are empty or tricking the meter to unwittingly pay for your neighbors’ electricity. Also, the hacker could hijack the control of your energy usage, such as turning on or off smart grid-enabled household appliances. If the AMI system interfaced to the customer gateway into the HAN, a commercial energy management system, or other automated system, the privacy of those systems must be considered and maintained.
10.6.2.2 Integrity in AMI Systems In AMI systems, integrity protects data and commands from unauthorized changes [11]. A second aspect of integrity requires that you must be able to detect if changes occur. The smart meter must be protected against concealed changes both physically and cyberwise. Since the smart meter is located at the customer site, the meter is vulnerable to tampering and vandalizing, and prevention from such physical attacks can be difficult. Customer gateways also must protect against undetected changes since they are conduits to critical customer equipment and systems.
10.6.2.3 Availability in AMI Systems An attack on availability [11] makes resources inaccessible by authorized entities when they request them. The most important aspect to administer while ensuring availability in AMI systems is whether the data under question are affected by unavailability, and if affected, how time critical it is, whether in the scale of seconds, hours, or days. To overcome the unavailability problem, we have to provide creative approaches in routing the information between the smart meter, consumer gateway, and AMI communication networks. We also need to enable the smart meters to make local decisions. Detection methods for availability attacks include automated diagnostics and physical and cyber intrusion detection.
10.6.2.4 Nonrepudiation in AMI Systems Nonrepudiation ensures that the entities receiving the data do not subsequently deny receiving it, and if the entities did not receive the data, then they cannot subsequently state that they did receive it. Nonrepudiation in AMI systems [10] is important for all financial transactions. Also, the timeliness of response is as important as actually acting on a control command. Therefore, accurate timestamp information and continuous time synchronization across all AMI system components are crucial. Inaccurate timestamps and desynchronous messages lead to errors in customer information, billing for usage, and analysis for load and generation patterns by utility planners.
10.6.2.5 Authorization in AMI Systems Authorization in AMI systems [10] grants users and devices the right to access resources and perform specified actions. Lack of authorization will allow the AMI architecture to be vulnerable to attack from malicious elements that break into the network. As part of authorization, users and devices may be assigned roles, for example, that give them a set of privileges. By defining the scope of what an authenticated user or device can do, digital certificates can be used as an authorization mechanism.
10.6.3 Major Vulnerabilities in Current AMI Systems
The various major vulnerabilities in the current AMI systems are as follows:
10.6.3.1 Plaintext NAN Traffic Because of the rapid development and specification for the AMI systems, the implementation of decisions from vendors has been affecting the quality of security implementation in the system. Vendors may choose how to implement privacy and integrity control to protect the confidential data. In some cases, the vendors encrypt all traffic in the NAN; other vendors may decide not to use the encryption at some configuration level. For example, a product may have the capability of encryption but ship with a default setting of no encryption. This is a problem that can account for major security breaches [12,13,14].
10.6.3.2 Bus Snooping Embedded systems are used widely in peripheral devices such as radios that interface to measurement units. If the device has little or no physical protection, then a security risk may exist on the interfaces between the components in the embedded system. For example, the bus between the microcontroller and the radio is usually unencrypted, which introduces vulnerability. The attacker can attach a bus sniffer onto the bus between the microcontroller and the radio to sniff packets [15]. The attacker is free to read and capture radio configuration information, cryptographic keys, network authentication credentials, and other sensitive information. Therefore, many radio chip manufacturers introduced cryptographic algorithms internally in hardware to prevent tampering with the chips and other components.
10.6.3.3 Improper Cryptography Cryptography is easy to detect in the AMI infrastructure, but it is very difficult to detect if the cryptography is improperly configured. Improperly configured cryptography [12,13] could present a critical vulnerability to the infrastructure. The possible improper configuration of the cryptography could range from weak key derivation, improper reuse of keystream data, lack of replay protection, insecure cipher modes, weak integrity protection, insufficient key length, to cryptographically weak initialization vectors.
10.6.3.4 Direct Tampering Tamper protection mechanisms are necessary to protect against malicious modification of the meter device installed in public or open areas [16]. The mechanisms could inevitably fail, but the tampering protection should delay attackers from damaging the integrity of data from the meter while notifying the utility company. The utility company should implement the ability to track the affected meter and alert law enforcement to capture the attackers.
When designing tamper protection mechanisms, the following list of features should be considered:
• Local tampering detection mechanism, which indicates any physical tampering with a meter
• Remote tampering detection mechanism, which notifies the head office that someone has been tampering with a meter
• Integrity-protecting mechanism, which protects and prevents modifying the sensitive information, such as security keys, meter configuration, and so on
• Repair authorization mechanism, which allows only authorized technicians or engineers from the utility company to repair the meter
• Physical lock mechanism, which prevents an unauthorized person from physically accessing the meter
10.6.3.5 Meter Authentication Weaknesses The process of validating the credential passed between a meter and NAN device requires many steps. However, an attacker could impersonate a legitimate device and could gain information to undermine cryptographic protocols. Therefore, the process of meter authentication should be tested to make further improvements for defending against authentication-related attacks during authentication exchanges [12,17].
10.6.3.6 Denial-of-Service Threats Denial of service is a common threat that prohibits access to the meter, and there are many conditions that trigger denial of service [7]. It is important to explore the possible DoS threats for meters.
10.6.3.7 Stored Key and Passwords Because of the security requirements of meter devices, the manufacturers of AMI have included authentication, encryption, and integrity protections in the devices. Therefore, encryption keys, meter-derived keys, passwords, and other security-sensitive information are stored locally in the meter [13]. This presents an opportunity for hackers who compromise the meter to gain access to the NAN.
10.6.3.8 Cryptographic Key Distribution Cryptography is supported in most radios and meters, but key management is a difficult problem [12,18]. For example, symmetric keys could be used in each meter, but if the attacker compromises any meter, the attacker will have access to the NAN or other meters and can impersonate a meter. Therefore, use of certificates, asymmetric keys, or public key infrastructure (PKI) is recommended. Two possible attacks from attackers are spoofing system update mechanisms to insert unauthorized certificates and allowing an attacker to decrypt and inject encrypted traffic.
10.7 Addressing Encryption and Key Management Needs of the Smart Grid Using Techniques Adapted from Sensor Networks
10.7.1 Data Encryption
To achieve the security goals stated in the previous sections, data encryption is essential. Some key security measures that have been developed for sensor networks can be adapted for addressing the security needs of the smart grid. A sensor network can be considered as a network of devices communicating using a short-range multihop communication infrastructure.
When the sender and the receiver use the same key for encryption, the mechanism is termed symmetric key cryptography. The sender uses the key to convert plaintext to ciphertext using the chosen encryption algorithm. The receiver recovers the plaintext from ciphertext using the same key and the corresponding decryption algorithm. On the other hand, asymmetric key or public key cryptography uses a unique (public, private) key pair for each communicating node. The public key of the node is used for encrypting data sent to the node. Since the private key is known only to the node, the data can be decrypted by the intended recipient only.
Symmetric key cryptography is computationally less intensive but does not scale well as each node requires a unique symmetric key with every other node in the network for successfully encrypting data between any two participating nodes. On the other hand, asymmetric key cryptography scales better but requires more computational resources.
If the devices are resource constrained, a symmetric key cryptosystem is more attractive, and most of the existing work in the literature is based on this methodology. Two types of ciphertext can be generated using symmetric key cryptography: stream cipher generated by encrypting the plaintext one bit at a time and block cipher generated by encrypting blocks of the plaintext at a time. The computational overhead of RC4 (stream cipher), IDEA and RC5 (block ciphers), and MD5 and SHA1 (one-way hash functions) have been evaluated in the work of Ganesan et al. [19]. Different sensor platforms were used for testing these algorithms. It was shown that RC4 outperformed RC5 across all platforms. The hashing algorithms have an order of magnitude higher overhead compared to the symmetric key algorithms.
Several block ciphers were evaluated for their applicability in sensor networks in the work of Law et al. [20]. The storage requirements and energy efficiency of the ciphers were also considered along with their security properties. The authors proposed Rijndael for applications with high security and energy efficiency requirements and MISTY1 for applications with both storage and energy efficiency needs.
Even though asymmetric key cryptography is not considered suitable for sensor networks, recent research has shown that it might be feasible with the proper choice of algorithms [21, 22]. Asymmetric key cryptosystems are more scalable and resilient to node compromise. The challenge is to adapt the asymmetric key computation algorithms on the hardware design so that the computations can be supported by the resources available to the sensor nodes. Asymmetric key cryptosystems can be designed for sensor nodes with power consumption as low as 20 μW using optimized low-power techniques [22]. The future of public key encryption architectures for sensor networks looks promising with advances in sensor energy-harvesting techniques. Approaches based on elliptic curve cryptography (ECC) are also being investigated for sensor networks. TinyOS, the most widely used operating system for sensors, can be modified to support a public key infrastructure based on ECC [23].
10.7.2 Key Establishment and Management
Of the different security measures, establishment of cryptographic keys is critical. Encryption as well as authentication mechanisms rely on them for their operation. The keys used by the cryptographic algorithms must be set up by the nodes before secure data exchange can take place. This process of establishing, distributing, and managing cryptographic keys is called key management and is one of the most challenging aspects of smart grid security design.
Security protocols rely on encryption mechanisms for ensuring data confidentiality. Also, for authentication purposes, the sender computes a message authentication code for each packet and appends it to the message. Both the encryption algorithm and the message authentication code computation require cryptographic keys as inputs [24]. In a previous section, it was shown that symmetric key cryptography is preferred for sensor network applications. For large networks, it is extremely difficult to manage the creation and distribution of symmetric keys. Most symmetric key cryptosystems depend on a central authority for key creation and distribution. However, due to the lack of centralized control in some networks, this approach is not suitable.
For distributed networks, the simplest way to set up symmetric keys is to use a networkwide key for encryption and decryption purposes [24]. Hence, every node uses the same key for encryption and decryption. Although this approach does ensure data privacy and integrity, it is extremely vulnerable to node compromise since the sensor nodes are unattended for many applications. Even though this approach is simple to implement, it certainly is not an optimal solution.
The other extreme is to have pairwise symmetric keys preloaded for all sensor nodes in the network. However, the number of unique symmetric keys loaded in each sensor becomes unacceptably large as the size of the network increases. It has been proposed to use the sink as the key distribution center for setting up pairwise symmetric keys for the participating sensor nodes [25]. However, the sink becomes a single point of failure for the protocol. Also, it may lead to large communication overhead for sensors during the key exchange process.
In the work of Zhou and Fang [26], it was shown that most recent approaches consider the key management problem for sensor networks as a two-step process. Prior to the deployment of the network, each sensor node is loaded with the initial keying material (key predistribution phase). This phase eliminates the dependence on the sink (or any other central node) for key distribution. The predistributed keying material depends on the memory resources of the sensor nodes and the resilience of the nodes to compromise. In other words, a node compromise should have an impact on a minimum number of nodes based on the information obtained from the predistributed material. Once the network is deployed, the nodes communicate with each other and establish either pairwise symmetric keys or asymmetric keys, based on the algorithms used (key agreement phase). Zhu et al. [27] showed that based on the communication pattern of the sensor nodes, a group key may also be established instead of pairwise keys.
The distribution of keying material can be probabilistic, deterministic, or hybrid [28]. In the probabilistic approach, each node is preloaded with a set of keys (key ring) randomly selected from a global key pool [29, 30]. The neighboring nodes share at least one key with a certain probability depending on the size of the key ring, which in turn depends on the memory resources available. The challenge is to achieve a balance between the available resources and the desired key connectivity. Gong and Wheeler [31] presented deterministic approaches for key distribution that defined the global key pool and the key assignment to each node nonrandomly to increase the key connectivity between neighboring nodes. Instead of uniformly distributing the keying material across the entire network, a location-based key material distribution system can be used to optimize one-hop key connectivity [32].
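The storage-versus-resilience trade-off among the networkwide key, preloaded pairwise keys, and probabilistic key-ring predistribution described above can be quantified; the Python below is an added example, not code from the chapter or the cited papers. It assumes uniformly random key rings and takes the smallest shared key ID as the link key, and all function names are hypothetical.

```python
"""Key storage vs. node-compromise resilience for three keying schemes."""
import math
import random


def share_probability(pool_size, ring_size):
    """Exact probability that two random key rings share at least one key."""
    if 2 * ring_size > pool_size:
        return 1.0  # pigeonhole: two rings this large must overlap
    disjoint = (math.comb(pool_size - ring_size, ring_size)
                / math.comb(pool_size, ring_size))
    return 1.0 - disjoint


def min_ring_size(pool_size, target):
    """Smallest key ring whose key-sharing probability reaches `target`."""
    for ring_size in range(1, pool_size + 1):
        if share_probability(pool_size, ring_size) >= target:
            return ring_size
    raise ValueError("target probability not reachable")


def link_exposure(pool_size, ring_size, captured):
    """Expected fraction of links between uncaptured nodes whose key is
    known to an attacker who has read `captured` key rings."""
    return 1.0 - (1.0 - ring_size / pool_size) ** captured


def compare_schemes(nodes, pool_size, ring_size, captured):
    """Map scheme name -> (keys stored per node, exposed link fraction)."""
    return {
        # One shared key: a single captured node exposes every link.
        "network-wide": (1, 1.0 if captured else 0.0),
        # One unique key per peer: other links stay safe, storage is n - 1.
        "pairwise": (nodes - 1, 0.0),
        "random-predistribution": (
            ring_size, link_exposure(pool_size, ring_size, captured)),
    }


def simulate(nodes, pool_size, ring_size, captured, seed=1):
    """Monte Carlo check of the two formulas on one constructed deployment.

    Returns (fraction of uncaptured node pairs that share a key,
             fraction of those keyed links the attacker can read).
    """
    rng = random.Random(seed)
    rings = [frozenset(rng.sample(range(pool_size), ring_size))
             for _ in range(nodes)]
    attacker_keys = set().union(*rings[:captured])  # keys read from captured nodes
    survivors = rings[captured:]
    pairs = keyed = exposed = 0
    for i, ring_a in enumerate(survivors):
        for ring_b in survivors[i + 1:]:
            pairs += 1
            common = ring_a & ring_b
            if common:
                keyed += 1
                link_key = min(common)  # assumption: lowest shared ID is used
                exposed += link_key in attacker_keys
    return keyed / pairs, exposed / keyed


if __name__ == "__main__":
    pool = 10_000
    ring = min_ring_size(pool, 0.5)
    print(f"pool={pool}: ring of {ring} keys gives "
          f"p(share)={share_probability(pool, ring):.3f}")
    for name, (stored, leak) in compare_schemes(1000, pool, ring, 10).items():
        print(f"{name:24s} keys/node={stored:4d}  exposed links={leak:.1%}")
    print("simulated (share, exposed):", simulate(200, 1000, 30, 5))
```
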
Most of the existing sensor security solutions rely on a key predistribution mechanism to alleviate the problem of key distribution and management. Others rely on the sink for key distribution. Neither of these approaches is optimal, and the design of key management schemes for sensor networks is still an open research problem.
10.7.3 Link-Layer Security Frameworks
A few years ago, the focus of sensor network research was key management. Another area of interest was secure routing. However, recent work has been in the area of link-layer security frameworks in the quest for a more general solution that can be used for different applications and situations. Link-layer security works with sensor network features such as in-network processing and data aggregation. These features enable the sensed data to be processed and aggregated at each intermediate node so that unnecessary transmissions can be avoided. Note that the energy used in processing is less by several orders of magnitude compared to the energy in every bit of information that is transmitted and received by sensors. Also, end-to-end security solutions can be subjected to certain DoS attacks, which can be prevented by link-layer security architectures that can detect malicious packets injected in the network at an early stage. Several link-layer approaches exist in the literature for addressing the security needs of sensor networks and provide another tool for smart grid security [24, 33–39].
10.8 Conclusions and Outlook
The distributed, changing, and physically exposed nature of the smart grid makes it more susceptible to cyberattacks than many existing networks. A security analysis of the smart grid communication architecture indicated several likely attack methods. Security solutions from traditional networks and from sensor networks can be adapted to the smart grid. An essential smart grid security feature is the ability to detect compromised nodes and for nodes to be able to send notification if they are attacked. In addition, for the smart grid to maintain effective encryption of private data and prevent attacks, an effective key management system must be used. This is an area of active, ongoing research.
References
1. German Federal Office for Information Security (2011). Protection Profile for the Gateway of a Smart Metering System, v01.01.01 final draft. Federal Office for Information Security, Bonn, Germany.
2. National Association of State Energy Officials (NASEO) (December 2010). Smart Grid and Cyber Security for Energy Assurance—Planning Elements for Consideration in States’ Energy Assurance Plans. NASEO, Arlington, VA.
3. National Institute of Standards and Technology (NIST) (August 2010). NISTIR 7628 Guidelines for Smart Grid Cyber Security, Introduction and Volumes 1–3. Cyber Security Coordination Task Group, Advanced Security Acceleration Project Smart Grid, NIST, Gaithersburg, MD.
4. C. Bennett, B. Brown, B. Singletary, D. Highfill, D. Houseman, F. Cleveland, H. Lipson, J. Ivers, J. Gooding, J. McDonald, N. Greenfield, and S. Li (December 2008). AMI System Security Requirements, Utility Communication Architecture International User Group (UCAIUG), Raleigh, NC.
5. H. Khurana, M. Hadley, N. Lu, and D. A. Frincke (2010). Smart-grid security issues. IEEE Security and Privacy, doi: 10.1109/MSP.2010.49, pp. 81–85.
6. D. C. Schleher (July 1999). Electronic Warfare in the Information Age. Artech House, Norwood, MA.
7. Z. Lu, X. Lu, W. Wang, and C. Wang (October 2010). Review and evaluation of security threats on the communication networks in the smart grid. Military Communications Conference, 2010—MILCOM 2010, doi: 10.1109/MILCOM.2010.5679551, pp. 1830–1835.
8. C. Karlof and D. Wagner. Secure routing in wireless sensor networks: attacks and countermeasures. First IEEE International Workshop on Sensor Network Protocols and Applications, Anchorage, AK (May 2003).
9. Problems with Smart Grid. eHow.com. http://www.ehow.com/info_8072577_problems-smart-grid.html#ixzz1imkhd3c8
10. OpenSG User Group. AMI Security Specification v_2.01, Nashville, TN. http://osgug.ucaiug.org/utilisec/amisec/default.aspx
11. C. Bennett and D. Highfill (November 2008). Networking AMI smart meters. Energy 2030 Conference, 2008. ENERGY 2008. IEEE, New York, pp. 1–8.
12. M. Carpenter, T. Goodspeed, B. Singletary, E. Skoudis, and J. Wright (January 5, 2009). Advanced Metering Infrastructure Attack Methodology. http://www.inguardians.com/pubs/articles.html
13. F. M. Cleveland (July 2008). Cyber security issues for advanced metering infrastructure (AMI). Power and Energy Society General Meeting—Conversion and Delivery of Electrical Energy in the 21st Century, 2008, IEEE, New York, pp. 1–5.
14. M. Theoharidou, G. Marias, S. Dritsas, and D. Gritzalis (2006). The ambient intelligence paradigm. A review of security and privacy strategies in leading economies. 2nd IET International Conference on Intelligent Environments. IE 06, vol. 2, pp. 213–219.
15. R. Chaki (October 2010). Intrusion detection: ad-hoc networks to ambient intelligence framework. International Conference on 2010 Computer Information Systems and Industrial Management Applications (CISIM), pp. 7–12.
16. A. Hahn (September 2010). Smart grid architecture risk optimization through vulnerability scoring. 2010 IEEE Conference on Innovative Technologies for an Efficient and Reliable Electricity Supply (CITRES), pp. 36–41.
17. C. Bennett and S. B. Wicker (July 2010). Decreased time delay and security enhancement recommendations for AMI smart meter networks. In Innovative Smart Grid Technologies (ISGT), 2010, pp. 1–6.
18. J. Kim, S. Ahn, Y. Kim, K. Lee, and S. Kim (June 2010). Sensor network-based AMI network security. 2010 IEEE PES Transmission and Distribution Conference and Exposition, pp. 1–5.
19. P. Ganesan et al. (September 2003). Analyzing and modeling encryption overhead for sensor network nodes. Proceedings of 2nd International Conference on Wireless Sensor Network Applications, pp. 151–159.
20. Y. W. Law, J. Doumen, and P. Hartel (November 2006). Survey and benchmark of block ciphers for wireless sensor networks. ACM Transactions on Sensor Networks, 2, 65–93.
21. R. Watro et al. (November 2004). TinyPK: securing sensor networks with public key technology. Proceedings of 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’04), Washington, DC.
22. G. Gaubatz, J. Kaps, and B. Sunar (October 2005). Public Key Cryptography in Sensor Networks—Revisited. Lecture Notes in Computer Science—Security in Ad-Hoc and Sensor Networks. Springer, New York.
23. D. J. Malan et al. (October 2004). A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. Proceedings of 1st IEEE International Conference on Sensor and Ad Hoc Communication Networks (SECON’04), Santa Clara, CA.
24. C. Karlof et al. (November 2004). TinySec: a link layer security architecture for wireless sensor networks. Proceedings of 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175.
25. A. Perrig et al. (2002). SPINS: Security Protocols for Sensor Networks. ACM Wireless Networks, 8(5), 521–534.
26. Y. Zhou and Y. Fang (2008). Securing wireless sensor networks: a survey. IEEE Communications Surveys and Tutorials, 10(3), 6–28.
27. S. Zhu et al. (October 2003). LEAP: efficient security mechanism for large scale distributed sensor networks. Proceedings of 10th ACM Conference on Computer and Communications Security (CCS’03), pp. 62–72.
28. S. Camtepe et al. (2008). Key Management in Wireless Sensor Networks. Wireless Sensor Network Security. J. Lopez and J. Zhou (eds.). IOS Press, Amsterdam, the Netherlands.
29. H. Chan et al. (June 2006). Random key predistribution schemes for sensor networks. IEEE International Conference on Communication, pp. 2262–2267.
30. L. Eschenauer and V. Gligor (November 2002). A key management scheme for distributed sensor networks. Proceedings of 9th ACM Conference on Computer and Communications Security (CCS’02), pp. 41–47.
31. L. Gong and D. J. Wheeler (1990). A matrix key distribution scheme. Journal of Cryptology, 2(1), 51–59.
32. D. Liu and P. Ning (October 2003). Location-based pairwise key establishments for relatively static sensor networks. Proceedings of 2003 ACM Workshop Security of Ad Hoc and Sensor Networks (SASN’03), Fairfax, VA, USA.
33. Q. Xue and A. Ganz (October 2009). Runtime security composition for sensor networks (SecureSense). IEEE 58th Vehicular Technology Conference (VTC’03), pp. 2976–2980.
34. N. Sastry and D. Wagner (October 2004). Security considerations for IEEE 802.15.4 networks. ACM Workshop on Wireless Security (Wise’04), pp. 32–42.
35. T. Li, H. Wu, X. Wang, and F. Bao (May 2005). SenSec: sensor security framework for TinyOS. Proceedings of 2nd International Workshop on Networked Sensing Systems (INSS’05), San Diego, CA.
36. A. D. Wood et al. (October 2006). SIGF: a family of configurable, secure routing protocols for wireless sensor networks. Proceedings of Fourth ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’06).
37. M. Luk, G. Mezzour, A. Perrig, and V. Gligor (April 2007). MiniSec: a secure sensor network communication architecture. IEEE International Conference on Information Processing in Sensor Networks (IPSN’07), Cambridge, MA.
38. P. Osanacek (2009). Towards Security Issues in ZigBee Architecture. Lecture Notes in Computer Science—Human Interface and Management of Information, Designing Information Environments. Springer, New York.
39. M. Healy, T. Newe, and E. Lewis (2009). Security for wireless sensor networks: a review. IEEE Sensors Applications Symposium, New Orleans, LA.
List of Acronyms
A2A: application to application
AAA: authentication, authorization, and accounting
ACSE: association control service element
ACSI: abstract communication service interface
ADC: analog-to-digital converter
AES: Advanced Encryption Standard
AGA: American Gas Association
AH: authentication header
AMI: advanced metering infrastructure
AMR: advanced meter reading
ANSI: American National Standards Institute
AP: access point
APCO: Association of Public-Safety Communications Officials
APDU: Application Protocol Data Unit
API: application program interface
ARM: advanced RISC machine
ARP: Address Resolution Protocol
ASDU: application service data unit
ASN.1: Abstract Syntax Notation One
AWGN: additive white Gaussian noise
BAS: building automation system
B2B: Business to Business
BES: bulk electric system
B2G: Building-to-Grid
BMS: building management system
B&P: Business and Policy
BPL: broadband over power line
BS: base station
BSS: blind source separation
CA: certificate authority
CDC: common data class
CDPSM: Common Distribution Power System Model
CHAP/PAP: Challenge Handshake Authentication Protocol/Password Authentication Protocol
CHP: combined heat and power
CIGRE: International Council on Large Electronic Systems
CIM: Common Information Model
CIMug: CIM Users Group
CIP: Critical Infrastructure Protection
CIS: component interface specification
CLS: controllable local system
CMDA: code division multiple access
COSEM: Companion Specification for the Energy Metering
CPC: chaining block cipher
CPE: customer premises equipment
CPP: critical peak pricing
CPSM: Common Power System Model
CPU: central processing unit
CR: cognitive radio
CRL: certificate revocation list
CSCTG: Cyber Security Coordination Task Group
CSMA: carrier sense multiple access
CT: current transformer
DA: distribution automation
DAC: digital-to-analog converter
DAP: day-ahead pricing
DCCP: Datagram Congestion Control Protocol
DCS: distributed control system
DDoS: distributed DoS
DER: distributed energy resources
3DES: Triple Data Encryption Algorithm
DEWG: domain expert working group
DLC: distribution line carrier
DLMS: Distribution Line Message Specification
DMS: distribution management system
DNP3: Distributed Network Protocol
DNS: domain name system
DoF: degrees of freedom
DoS: denial of service
DP: development platform
DPO: digital phosphor oscilloscope
DR: demand response
DSP: digital signal processor
DSS: Digital Signature Standard
DTLS: Datagram Transport Layer Security
DVFS: dynamic voltage and frequency scaling
EAI: enterprise application integration
EAP: Extensible Authentication Protocol
ECC: elliptic curve cryptography
EDIFACT: Electronic Data Interchange for Administration, Commerce, and Transport
EMS: energy management system
ENTSO-E: European Network of Transmission System Operators for Electricity
EPRI: Electric Power Research Institute
EPSEM: extended protocol specification for electronic metering
ERCOT: Electric Reliability Council of Texas
ESB: enterprise service bus
ESP: Encapsulated Security Payload
FAN: field-area network
FEP: front-end processor
FFT: fast Fourier transform
FHSS: frequency-hopping spread spectrum
FIPS: Federal Information Processing Standard
FPGA: field-programmable gate array
FSK: frequency shift keying
FMSC: finite-state Markov chain
GDOI: Group Domain of Interpretation
GES: generic eventing and subscription
GID: Generic Interface Definition
GMAC: Galois Message Authentication Code
GOOSE: Generic Object Oriented Substation Event
GPRS: general packet radio services
GSM: Global System for Mobile Communications
GSSE: Generic Substation Status Event
GWAC: GridWise Architecture Council
HAL: hardware abstraction layer
HAN: home-area network
HCB: hybrid cloud broker
HCBC: hash-CBC
HDLC: high-level data link control
HiperLAN: High Performance Radio LAN
H2G: Home-to-Grid
HMAC: hash message authentication code
HMI: human-machine interface
HSDA: high-speed data access
HTTP: Hypertext Transfer Protocol
IACS: industrial automation and control system
IBR: inclining block rate
IALM: inexact augmented Lagrange multiplier
I/C: interruptible/curtailable
ICA: independent component analysis
ICMP: Internet Message Control Protocol
ICS: industrial control system
ICS: industrial control system security (of NIST)
IDS: intrusion detection system
IEC: International Electrotechnical Commission
IED: intelligent electrical device
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
I2G: Industrial-to-Grid
i.i.d.: independent and identically distributed
IPSec: Internet Protocol Security
IPv4: Internet Protocol version 4
IRM: Interface Reference Model
ISA: International Society of Automation
ISC: industrial control systems
ISC-CERT: Industrial Control Systems Cyber Emergency Response Team
ISDN: integrated services digital network
ISO: International Organization for Standardization
ITU: International Telecommunication Union
IV: initialization vector
JMS: Java Messaging Service
KPCA: kernel PCA
LAN: local-area network
LCE: loosely coupled event
LD: logical device
LLC: logical link control
LMDS: local multipoint distribution service
LMN: local metrological network
LMR: land mobile radio
LMVU: landmark maximum variance unfolding
LN: logical node
LTC: load tap changer
MAC: message authentication code
MCM: multicarrier modulation
MAN: metropolitan-area network
MDA: Model Driven Architecture
MDI: meter data integration
MIMO: multiple input multiple output
MDMS: meter data management system
MIB: Management Information Base
MMS: Manufacturing Message Specification
MOM: message-oriented middleware
MPSL-VPN: Multi-Protocol Label Switching-Virtual Private Network (MPLS-VPN)
MSPS: mega-samples per second
MV: medium-voltage
MVU: maximum variance unfolding
NAN: neighborhood-area network
NASEO: National Association of State Energy Officials
NERC: North American Reliability Corporation
NetAPT: Network Access Policy Tool
NIPP: National Infrastructure Protection Plan
NOSR: no optimal stopping rule
NP: nondeterministic polynomial
NIST: National Institute of Standards and Technology
NRECA: National Rural Electric Cooperative Association
NSM: network and system management
OBIS: object identification system
OCSP: Online Certificate Status Protocol
OFDMA: orthogonal frequency-division multiple access
OMG: Open Management Group
ORBIT: Open Access Research Testbed for Next-Generation Wireless Networks
OS: operating system
OSI: open system interconnection
OSR: optimal stopping rule
OSSTMM: Open Source Security Testing Methodology Manual
PAD: packet assembler-disassembler
PAN: personal area network
PAR: peak-to-average ratio
PCA: principal component analysis
PCIe: Peripheral Component Interconnect Express
PDU: protocol data unit
PGP/GnuPG: pretty good privacy/Gnu Privacy Guard
PHEV: plug-in hybrid electric vehicle
PIM: Platform Independent Model
PKI: public key infrastructure
PLC: programmable logic controller
PN: pseudorandom noise
PSD: positive semidefinite
PSM: Platform Specific Model
PSTN: public switched telephone network
QoS: quality of service
QPSK: quadrature phase shift keying
RCB: radio control board
RDF: Resource Description Framework
RFC: request for comments
RISC: reduced instruction set computing
RSA: Rivest–Shamir–Adleman
RTP: real-time pricing
RTU: remote terminal unit
SAML: Security Assertion Markup Language
SAN: storage area network
SAS: substation automation system
SB: site broker
SCADA: supervisory control and data acquisition
SCL: substation configuration language
SCSM: Specific Communication Service Mapping
SCTP: Stream Control Transmission Protocol
SDP: semidefinite programming
SDR: software-defined radio
SFF: small form factor
S-FSK: spread frequency shift keying
SG3: Smart Grid Strategic Group
SGAM: Smart Grid Architectural Model
SGCG: Smart Grid Coordination Group
SGiP: Smart Grid Interoperability Panel
SHA-1: secure hash algorithm
SIA: seamless integration architecture
SIDM: system interfaces for distribution management
SIR: signal-to-interference ratio
SLA: service-level agreement
SLO: service-level objective
SM: smart meter
S/MIME: secure/multipurpose Internet mail extensions
SMV: sample measured value
SNMP: Simple Network Management Protocol
SNR: signal-to-noise ratio
SNTP: Simple Network Time Protocol
SOA: service-oriented architecture
SOAP: Simple Object Access Protocol
SoC: system-on-chip
SOHO: small office/home office
SP: Special Publication
SRTP: Secure Real-Time Transport Protocol (SRTP)
SS-AW: spread spectrum adaptive wideband
sSCADA: secure SCADA
SS-FFH: spread spectrum–fast frequency hopping
SSH: secure shell
SSL: secure sockets layer
SSPP: Serial SCADA Protection Protocol
SV: sample value
SVD: singular value decomposition
SVM: support vector machine
TC: technical committee
TCP/IP: Transmission Control Protocol/Internet Protocol
TCIPG: Trustworthy Cyber Infrastructure for the Power Grid
T&D: transmission and distribution
TLS: Transport Layer Security
TOU: time-of-use
TPDU: Transport Protocol Data Unit
TR: technical report
TSDA: time series data access
TSEL: transport selector
TTP: trusted third party
UCAIug: Utility Communication Architecture International User Group
UDDI: Universal Description, Discovery, and Integration
UDP: User Datagram Protocol
UML: Unified Modeling Language
URI: Uniform Resource Identifier
USRP2: Universal Software Radio Peripheral 2
UWB: ultra-wideband
VLAN: virtual local-area network
VM: virtual machine
VoIP: voice over Internet Protocol
VPN: virtual private network
VT: voltage transformer
WAM: wide-area measurement system
WAN: wide-area network
WARP: Wireless Open-Access Research Platform
WBX: wide bandwidth transceiver
W3C: World Wide Web Consortium
WEP/WAP: wired equivalent privacy
WG: working group
WOL: wake-on-LAN
WRAN: wireless regional-area network
WSDL: Web Services Description Language
WSN: wireless sensor network
WS-Security: Web Services Security
WS-Trust: Web Services Trust
XML: eXtensible Markup Language
303
A
abstractcommunicationserviceinterface(acsi),31,33–34
abstractcomponents,22abstractsyntaxnotationone
(asn.1),26accidents,seeattacksandaccidentsaccountingstandards,217acronymslist,xvii–xxvacse,seeassociationcontrol
serviceelement(acse)acsi,seeabstractcommunication
serviceinterface(acsi)adaptability,125–126adaptors,127–128,129additivewhiteGaussiannoise
(awGn),168–169addressresolutionProtocol(arP),
65,239advancedencryptionstandard
(aes),192advancedencryptionstandard-
GaloisMessageauthenticationcode(aes-GMac),211
advancedmeteringinfrastructure(aMi)
adaptors,127–128,129aMitodMaprocesses,130ansic12.19-2008,117–118ansic12.22,112–114architectureevaluation,131–134behavior,129–131businessconsiderations,124–126challenges,125–126communicationnetwork,
106–110communicationprotocols,
111–117comparisons,123–124components,127–129context,126dMatoaMiprocesses,
130–131dMsintegration,120–126flexibility,133hierarchicalcommunication
networkformat,107–109home-areanetwork,108–109iec62056,115–117
index
304 index
iec62056-62,118–120informationmodel,117–120informationtranslationand
verificationstructure,128–129interconnectivity,230internet-protocol-basedmesh
communicationnetwork,109–110
lceinfrastructure,129Meterdataintegrationlayer,
126–134MeterdataManagementsystem,
110–111meterdatamodels,120–124meteringsystem,104–106meterlan,108aMeterModelinciM,
121–122monitor,129multilevelhierarchicalv.mesh,
109Multispeak,122overview,102–104performance,131–132scalability,132siaapplication,50softwarearchitecture,126–131standardization,111–120strategies,131–133summary,134–135testresults,133–134wide-areanetwork,107–108
advancedMeteringinfrastructure(aMi),systemsecurity
authorization,280availability,279–280bussnooping,281components,278confidentiality,279cryptographickeydistribution,
282–283dataencryption,283–284denial-of-servicethreats,282
directtampering,281–282impropercryptography,281integrity,279keyestablishmentand
management,284–286link-layersecurityframeworks,
286–287meterauthorizationweaknesses,
282nonrepudiation,280overview,278plaintextnantraffic,280–281securityissues,279–280storedkeyandpasswords,282vulnerabilities,280–283
aeic,seeamericanenergyinnovationcouncil(aeic)
aeP,seeamericanelectricPower(aeP)
aes,seeadvancedencryptionstandard(aes)
aGa,seeamericanGasassociation(aGa)
amerenwebsite,94americanelectricPower(aeP),
249americanenergyinnovation
council(aeic),111americanGasassociation(aGa),
253,257americannationalstandards
institute(ansi)ansic12.18,111–112,117ansic12.19,104,111–114,
117–120,122–123,128ansic12.21,111–112,117ansic12.22,104,111–114,117,
119A Meter Model in CIM,121–122aPco,associationofPublic–
safetycommunicationsofficials(aPco)
aPdU,seeapplicationProtocoldataUnit(aPdU)
applicationcouplingof,17sia,46–50standards,14,25,39
applicationlayerattacks,277applicationmanager
architecture,smartgridsandcloudcomputing,67–68
solutions,smartgridsandcloudcomputing,69–72
applicationProtocoldataUnit(aPdU),45
applicationservicedataunit(asdU)
authenticationtechnique,44functioncode,234
applicationservice-levelagreements,60
App Services,39architecture,smartgridsandcloud
computingapplicationmanager,67–68hybridcloudbroker,68–69overview,66sitebroker,68
architectureevaluation,Mdilayer,131–134
arP,seeaddressresolutionProtocol(arP)
asdU,seeapplicationservicedataunit(asdU)
assessment technologies
  control center, 231–232
  distributed network protocol, 233–234
  IEC 61850, 234–235
  network configuration/rule sets, 236–237
  network discovery, 238–239
  network protocol, 233–235
  network traffic review, 237–238
  overview, 230–231
  planning, 231–236
  postexecution, 240
  review techniques, 236–238
  substations, 232–233
  supporting protocols, 235–236
  system configuration review, 236
  target identification and analysis, 238–239
  target vulnerability validation, 239–240
  vulnerability scanning, 239
associationcontrolserviceelement(acse)
networkinfrastructurestandards,114
secureprofiles,43associationofPublic-safety
communicationsofficials(aPco),190
asymmetric encryption, 40–41
attacks and accidents, see also Cybersecurity; Security; Threats
  application layer, 277
  availability, 194–195
  energy systems and automation systems, 248–251
  high-level requirements, 190–191
  integrity, 195–196
  intrusion detection, 45–46
  IP addressing, 276
  link layer, 274–275
  network layer, 275–276
  physical layer, 274
  SCADA systems, 256
  third-party protection, 197
  transport layer, 276
attributes
  data standards, 235
  local systems, 40
auditability, 196
Aurora generator test, 248
authentication
  secure profiles, 42–43
  security and data management, 43–44
  standards, 217
  vulnerabilities and security requirements, 196
authorization
  AMI system security, 280
  meter weaknesses, AMI systems, 282
  standards, 217
  vulnerabilities and security requirements, 196
automation and SCADA system security
  attacks and accidents, 248–251
  counter synchronization, 263
  energy grid and SCADA, 246–248
  overview, 245–246
  remote connections, 257–258
  security, 257–263
  sSCADA protocol suite, 258–263
  summary, 264
  threats, 255–257
automation systems, see Substations, automation system vulnerability assessment
availability
  AMI system security, 279–280
  vulnerabilities and security requirements, 194–195
average quality indicator, 60
AWGN, see Additive white Gaussian noise (AWGN)
A-XDR Encoding Rule, 27
B
back-officecompromise,277backwardcompatibility,44
Bas,seeBuildingautomationsystem(Bas)
Basic Application Functions,28basiccommunicationstructure
standards,31Bayesianinference,176Bdew,seeBundesverband
fürenergie-andwasserwirtschaft(Bdew)
Beenken,Petra,xiii,3–51behavior,Mdilayer,129–131benefits,demandresponse,89B2G,seeBuilding-to-Grid(B2G)bidirectionalcommunication,43Blackhatattack,251blackoutattack,249–250Bleiker,robert,xiii,3–51blind,167Bluetooth,106Boden,vitek,248bootconfiguration,80Bose,sumitkumar,xiii,57B&P,seeBusinessandPolicy(B&P)BPl,seeBroadbandoverpowerline
(BPl)broadbandoverpowerline(BPl),
109broadcasting,scadasecurity,252Brock,scott,xiii,57buildingautomationsystem(Bas)
optimalstoppingrule,89overview,86
buildingloadcontrol,distributedopportunisticscheduling
benefits,89demandresponse,87–89discussion,96–98fairness,98guidelines,89optimalstoppingrule,89–90overview,85–87powerpricing,87–88pricesignalmodeling,96–97
problemformulation,90–94simulationandresult,94–95summary,98
buildingnodes,functionalarchitecture,153–155
Building-to-Grid(B2G),191Bundesverbandfürenergie-and
wasserwirtschaft(Bdew),219–220
BusinessandPolicy(B&P),191businessconsiderations
aMi/dMsintegration,124–126interfacereferenceModel,22
businesspartnersandapplicationsintegration
applicationintegrationatelectricUtilities-systeminterfacesfordistributionManagement,14
commoninformationModel,15–19
componentinterfacespecification,19–20
energyManagementsystemapplicationPrograminterface,13–14
frameworkforenergyMarketcommunications,14–15
interfacereferenceModel,20–22
overview,10–12bussnooping,281
C
Canadian Union of Public Employees (CUPE), 248
carrier sense multiple access (CSMA), 168
catalog, control systems security recommendations, 219
CBC, see Chaining block cipher (CBC) mode
CDPSM, see Common Distribution Power System Model (CDPSM)
certificates and certification
  secure communications, 41
  secure profiles, 42–43
  standards, 210
chaining block cipher (CBC) mode, 259, 261–262
challengesaMi/dMsintegration,125–126cybersecurity,198–201
chen,zhe,xiii,139–178china,roadmapactivities,223chP,seecombinedpowerandheat
(chP)ciGre,seeinternationalcouncil
onlargeelectronicsystems(ciGre)
ciM,seecommoninformationModel(ciM)
CIM Based Graphics Exchange,13CIM RDF Model Exchange Format
for Distribution,14,see alsocommoninformationModel(ciM)
ciMugsite,19cis,seecomponentinterface
specification(cis)clothesdryer,simulationandresult,
94–95cloudcomputing,seesmartgrids
andcloudcomputingcls,seecontrollablelocalsystem
(cls)cognitivealgorithms
dimensionalityreduction,156–161
experimentalvalidation,158–161high-dimensionaldata
processing,156–161independentcomponentanalysis,
166–170
receiverblockdiagram,167–170robustPca-icaapproach,
166–172robustprincipalcomponent
analysis,161–163signalmodel,167–170simulationandresults,170–172spectrummonitoring,158–161strongwidebandinterference,
166–170supportvectormachine,158–161wirelesstransmissionrecovery,
166–170cognitiveradionetwork
cognitivealgorithms,156–172communicationsinfrastructure
development,174–176dimensionalityreduction,
156–161experimentalvalidation,158–161fPGa-basedfuzzylogic
intrusiondetection,176–178functionalarchitecture,building
nodes,153–155hardwareplatforms,146–157high-dimensionaldata
processing,156–161ieee802.22system,142–144independentcomponentanalysis,
166–170innovativetestbed,151–156Microsoftresearchsoftware
radio,150–151motherboard,newhardware
platform,152–153networkforsmartgrid,144–157networktestbed,155overview,140–142receiverblockdiagram,167–170robustPca-icaapproach,
166–172robustprincipalcomponent
analysis,161–163
securecommunication,172–178signalmodel,167–170simulationandresults,170–172smallformfactorsoftware-
definedradiodevelopmentplatform,148–149
spectrummonitoring,158–161strongwidebandinterference,
166–170summary,178supportvectormachine,158–161testbed,146–157Universalsoftwareradio
Peripheral2,146–148wirelessopen-accessresearch
platform,149–150wirelesstransmissionrecovery,
166–170combinedpowerandheat(chP),32commondataclasses(cdcs),34commondistributionPower
systemModel(cdPsM),17commoninformationModel
(ciM)applicationprograminterfaces,13businesspartnersandapplications
integration,15–19futuretrends,51interapplicationintegration,14referencearchitecture,10sialayers,11standards,5
commonPowersystemModel(cPsM),17
commonservicesstandard,13communications
basiccommunicationstructurestandards,31
communicationsinfrastructuredevelopment,174–176
fPGa-basedfuzzylogicintrusiondetection,176–178
hydroelectricpowerplants,31
infrastructuredevelopment,174–176
modules,105–106overview,172,174securityanddatamanagement,
40–41standardprotocolstacks,32–33standards,5,25,31substations,30–32transportprotocols,5
communications,infrastructurecybersecurity,see alsosecurity
auditability,196authentication,196authorization,196availability,194–195challenges,198–201high-levelrequirements,
190–192integrity,195–196internetworking,198–199nonrepudiability,196–197overview,188–190privacy,193–194securitypolicyandoperations,
199–200securityservices,200–201summary,201third-partyprotection,197trust,197–198
communications,protocolsansic12.22,112–114iec62056,115–117overview,111–112
communicationsnetwork,aMi/dMsintegration
hierarchicalcommunicationnetworkformat,107–109
home-areanetwork,108–109internet-protocol-basedmesh
communicationnetwork,109–110
meterlan,108
overview,106–107wide-areanetwork,107–108
communitystrings,236companionspecificationforthe
energyMetering(coseM)meteringstandards,24–25model,115protocolstacks,24–25
comparisons,123componentinterfacespecification
(cis)applicationprograminterfaces,13businesspartnersandapplications
integration,19–20components
aMisystemsecurity,278Mdilayer,127–129
confidentiality,279configurationdescriptionlanguage
standard,31conformancetestcases
companionstandard,29–30standards,29testing,32
connectionabort,43connections,remote,257–258connectivity,scadasystems,255Consol. with am1: TASE.2 Object
Models,38Consol. with am1: TASE.2 User
Guide,38consumptionofresources,199–200context,Mdilayer,126controlcenters
appservices,39appservices,39objectModels,39–40overview,37planning,231–232Protocols,39tase.2,37–39
controlfunctions,scadasecurity,252
controllablelocalsystem(cls),271–272
controllingandcontrolledstation,43
controlsystemperspective,272coseM,seecompanion
specificationfortheenergyMetering(coseM)
cost,datacenters,78–79cost-benefitanalysis,81cost-MinimizationProblem,93–94countersynchronization,263couplingofapplications,17cPe,seecustomerpremises
equipment(cPes)cPP,seecriticalpeakpricing(cPP)cPsM,seecommonPowersystem
Model(cPsM)criticalfunctioncodes,234criticalinfrastructureProtection
(ciP)cybersecuritystandards,215–216
criticalpeakpricing(cPP),88,89cryptographickeydistribution,
282–283cryptography,improper,281csctG,seecybersecurity
coordinationtaskGroup(csctG)
csMa,seecarriersensemultipleaccess(csMa)
cUPe,seecanadianUnionofPublicemployees(cUPe)
curve fitting, 97
customer gateway, 278
customer premises equipment (CPEs), 142–143
cybersecurity, communication infrastructures, see also Security; Threats
  auditability, 196
  authentication, 196
  authorization, 196
  availability, 194–195
  challenges, 198–201
  high-level requirements, 190–192
  integrity, 195–196
  internetworking, 198–199
  nonrepudiability, 196–197
  overview, 188–190
  privacy, 193–194
  security policy and operations, 199–200
  security services, 200–201
  summary, 201
  third-party protection, 197
  trust, 197–198
Cybersecurity Coordination Task Group (CSCTG), 191
D
daP,seeday-aheadpricing(daP)dataacquisition,scadasecurity,
252dataattributestandards,235datacenters
ashost,62smartappliances,79–81smartgrids,78–79
datacommunicationprotocols,27dataencryption,283–284,see also
encryptiondataexchange,23–25datagramcongestioncontrol
Protocol(dccP),276datagramtransportlayersecurity
(dtls),217Data Link Layer using HDLC
Protocol,24datamanagement,seesecurity,and
datamanagementdatamigration,63–64datastandards,235datatype,234day-aheadpricing(daP),87
dccP,seedatagramcongestioncontrolProtocol(dccP)
dcs,seedistributedcontrolsystems(dcs)
Definition and Coding of Application Information Elements,28
degreesoffreedom(dof),156,159,161
demandresponse(dr)benefits,89guidelines,89optimalstoppingrule,89–90overview,88–89powerpricing,87–88
denial-of-service threats
  AMI system security, 282
  network layer attacks, 275
der,seedistributedenergyresources(ders)
Deregulated Energy Market Communications,15
deutschesinstitutfürnormung(din),207,222
Devices beyond the Substationieds,relays,meters,switchgear,
cts,andvts,32devicestandards,214dewGs,seedomainexpert
workinggroups(dewGs)diesel-electricgeneratorattack,248diffie-hellman,secure
communications,41digitalphosphoroscilloscope
(dPo),158digitalsignaturestandard(dss),41dimensionalityreduction,156–161din,seedeutschesinstitutfür
normung(din)directloadcontrol,89Direct Local Data Exchange,24directtampering,281–282distributedcontrolsystems(dcs),
248
distributedenergyresources(ders)
devicesbeyondthesubstation,32existingobjectmodels,36–37objectmodels,34–35
distributednetworkProtocol(dnP3),233–234
distributedopportunisticscheduling,buildingloadcontrol
benefits,89demandresponse,87–89discussion,96–98fairness,98guidelines,89optimalstoppingrule,89–90overview,85–87powerpricing,87–88pricesignalmodeling,96–97problemformulation,90–94simulationandresult,94–95summary,98
Distribution Automation,5Distribution Automation Using
Distribution Line Carrier Systems,26–27
distributionlinecarrier(dlc),23,26
distributionlineMessagespecification(dlMs)Userassociation,23–25
distributionManagementsystem(dMs)
interfacereferenceModel,20–22
remoteterminalunits,189sialayers,11–12
distributionManagementsystem(dMs),integrationwithaMi
businessconsiderations,124–126challenges,125–126comparisons,123–124meterdatamodels,120–124
aMeterModelinciM,121–122
Multispeak,122dlc,seedistributionlinecarrier
(dlc)dlMs,seedistributionline
Messagespecification(dlMs)Userassociation
dMs,seedistributionManagementsystem(dMs)
dnP3,seedistributednetworkProtocol(dnP3)
dns,seedomainnameservice(dns)
domainexpertworkinggroups(dewGs),191
domainnameservice(dns)networkmigration,65supportingprotocols,235
domain-specificmetermodels,123dong,Xihua,xiii,85–98dP,seesmallformfactor(sff)
software-definedradio(sdr)developmentplatform(dP)
dPo,seedigitalphosphoroscilloscope(dPo)
dss,seedigitalsignaturestandard(dss)
dtls,seeDatagram Transport Layer Security (DTLS)
dynamicvoltageandfrequencyscaling(dvfs)schemes
applicationmanager,67,69service-levelagreements,61
E
eai,seeenterpriseapplicationintegration(eai)
eaP,seeExtensible Authentication Protocol (EAP)
edifact,seeelectronicdatainterchangeforadministration,commerce,andtransport(edifact)
efficientsolarcellsbasedonorganicandhybridtechnology(escorts),222
elcoM-90,38Electricity Metering,5Electricity Metering-Data Exchange
for Meter Reading, Tariff, and Load Control,24–26
electricPowerresearchinstitute(ePri),15,111,190,200
electricpowersystemstability,272electricreliabilitycounciloftexas
(ercot),17electromechanicalmeters,105electronicdatainterchangefor
administration,commerce,andtransport(edifact),15
eMs,seeenergymanagementsystems(eMs)
encryption
  authentication technique, 44
  data encryption, 283–284
  link-layer security frameworks, 286–287
  PDU security extension, 45
  secure communications, 40–41
  standards, 213–214
energygrid,scada,246–248Energy Management System
Application Program Interface,13–14
energymanagementsystems(eMs)cisstandards,19controlcenters,232protocols,38rtUsandscada,189sialayers,11–12
Energy Market Model Example,15engineeringapplications,12Engineeringstandard,36–37enterpriseapplicationintegration
(eai),11enterpriseservicebuses(esBs),21entso-e,seeeuropeannetwork
oftransmissionsystemoperatorsforelectricity(entso-e)
ePri,seeelectricPowerresearchinstitute(ePri)
ePseM,114ercot,seeelectricreliability
counciloftexas(ercot)esB,seeenterpriseservicebuses
(esBs)escorts,seeefficientsolarcells
basedonorganicandhybridtechnology(escorts)
Establishment of an Industrial Automation and Control System (IACS) Security Program,213
ethernetprotocol,32–33europeannetworkoftransmission
systemoperatorsforelectricity(entso-e),17
europeansmartGridcoordinationGroup,220–222
europeanUnion’staskforcesmartGrid,220
existingobjectmodels,36–37experimentalvalidation,158–161extensibility,126Extensible Authentication Protocol
(EAP),217eXtensibleMarkuplanguage
(XMl)commoninformationModel,18dersandmeters,36existingobjectmodels,36interfacereferenceModel,21
internet-protocol-basedmeshcommunicationnetwork,109
mappingtowebservices,35referencearchitecture,7standards,212
externalitapplications,12
F
fairness,98falseconditionsoralarms,199fastfouriertransform(fft),159federalinformationProcessing
standard(fiPs),192,218fft,seefastfouriertransform
(fft)ficacPlXalgorithm,170,172field-areanetwork,274–278fielddevices
substations,232systemsusingwebservices,36
field-programmablegatearray(fPGa),141,149–153,176–178
finite-stateMarkovchain(fsMc),97
fiPs,seefederalinformationProcessingstandard(fiPs)
firmwaredownload,scadasecurity,252
firstenergy,blackout,249–250flexibility,Mdilayer,133fPGa,seefield-programmablegate
array(fPGa)Framework for Energy Market
Communications,14–15fries,steffen,xiii,205–224fsMc,seefinite-stateMarkov
chain(fsMc)functionalarchitecture,building
nodes,153–155functionalprofilestandards,38–39
functioncodes,234futureoutlookandtrends
distributedopportunisticscheduling,98
smartgridsecurity,lastmile,287technicalsmartgrid
infrastructure,50–51fuzzylogicintrusiondetection,
176–178
G
Gaussiannoise,162Gdoi,seeGroup Domain of
Interpretation (GDOI)generalconsiderationsstandards
datatransmissionparametersconcerningmedium-andlow-voltagedistributionmains,27
distributionautomationsystemarchitecture,26
guideforspecification-dlMs,26generalmetermodels,123generalpacketradioservices
(GPrs),106General Requirements,31General Structure of Application Data,
28generatortestattack,248Generic Data Access,13Generic Eventing and Subscription
(GES)applicationprograminterfaces,13dataexchange,20
Genericinterfacedefinitions(Gid),19
Genericobjectorientedsubstationevent(Goose)
delayconstraint,195mappingtoMMs,33PdUsecurityextension,45standards,210,212,235
Genericsubstationstatusevent(Gsse)
mappingtoMMs,33standards,235
Germanstandards,219–220,222Ges,seeGeneric Eventing and
Subscription (GES)GlobalsystemforMobile
communications(GsM),106Glossarystandards,13–14,25,31GnUradio,147–148Gonzáles,José,xiii,3–51GooglePowerMeterservice,194Goose,seeGenericobject
orientedsubstationevent(Goose)
Govindarasu,Manimaran,xiv,227–242
GPrs,seeGeneralpacketradioservices(GPrs)
gridvolatility,securitythreats,277Gridwisearchitecturecouncil
(Gwac),191Group Domain of Interpretation
(GDOI),217GsM,seeGlobalsystemforMobile
communications(GsM)Gsse,seeGenericsubstationstatus
event(Gsse)Guide for Assessing the Security
Controls in Federal Information Systems,230
guidelinesprocesscontrolsystems,energy
utilityindustry,207guidelinestandards
applicationprograminterfaces,13
conformancetesting,29demandresponse,89exchanginginformationfroma
cdc-baseddatamodel,32
frameworkforenergymarketcommunications,15
smartgridcybersecurity,177Guide to Industrial Control Systems
(ICS) Security,218Guo,nan,xiv,139–178Gwac,seeGridwisearchitecture
council(Gwac)
H
hahn,adam,xiv,227–242hal,seehardwareabstraction
layer(hal)han,seehome-areanetworks
(hans)hardwareabstractionlayer(hal),
153hardwareplatforms
Microsoftresearchsoftwareradio,150–151
overview,146smallformfactorsoftware-
definedradiodevelopmentplatform,148–149
UniversalsoftwareradioPeripheral2,146–148
wirelessopen-accessresearchplatform,149–150
harmonizationlackof,49standards,219
Hash-based Message Authentication Code-Secure Hash Algorithm, 211
hash-CBC (HCBC) mode, 259, 262
hash message authentication code (HMAC)
  authentication technique, 44
  critical vs. noncritical functions, 234
hcB,seehybridcloudbroker(hcB)headend,278heuristics,sequencing,75–76h2G,seehome-to-Grid(h2G)hierarchicalcommunicationnetwork
formathome-areanetwork,108–109meterlan,108overview,107
high-dimensionaldataprocessing,156–161
high-levelcybersecurityrequirements,190–192
high-leveldatalinkcontrol(hldlc)protocol,115
highspeeddataaccess(hsda)applicationprograminterfaces,13dataexchange,19
hMac-sha256,seehash-basedMessageauthenticationcode-securehashalgorithm
hochgraf,clark,xiv,269–287hof,hans-Joachim,xiv,205–224home-areanetworks(hans)
hierarchicalcommunicationnetworkformat,108–109
smartgridsystemarchitecture,271
home-to-Grid(h2G),191hou,shujie,xiv,139–178hsda,seeHigh Speed Data Access
(HSDA)httP,seehypertexttransfer
Protocol(httP)hu,roseQingyang,xiv,187–201hu,zhen,xivhyattregencyhotel,248hybridcloudbroker(hcB)
architecture,smartgridsandcloudcomputing,68–69
solutions,smartgridsandcloudcomputing,76
hybridencryption,40hydroelectricpowerplants,31hypertexttransferProtocol
(httP),109
I
iacs,seeEstablishment of an Industrial Automation and Control System (IACS) Security Program
ialM,seeinexactaugmentedlagrangemultiplier(ialM)
iBMwebsphereMQ7.0,131iBr,seeincliningblockrate(iBr)
pricingschemeica,seeindependentcomponent
analysis(ica)iccP,seeinter-controlcenter
communications(iccP)icMP,seeinternetMessagecontrol
Protocol(icMP)ics,seeGuide to Industrial Control
Systems (ICS) Securityidahonationallaboratory,237,
248,254iec,seeinternational
electrotechnicalcommission(iec)
ieds,relays,meters,switchgear,cts,andvts
acsi,33–34communicationindustry
standardProtocolstacks,32–33
conformancetestcases,companionstandard,29–30
devicesbeyondthesubstation,32
MappingtoMMs,33mappingtowebservices,35–36objectModels,34–35
rtUsorsubstationsystems,28–29
substationdevices,30–32ieee,seeinstituteofelectricaland
electronicsengineers(ieee)ietf,seeinternetengineeringtask
force(ietf)i2G,seeindustrial-to-Grid(i2G)impersonation,199impropercryptography,281incentive-basedoptions,demand
response,88incliningblockrate(iBr)pricing
scheme,97independentcomponentanalysis
(ica),166–170industrial-to-Grid(i2G),191inexactaugmentedlagrange
multiplier(ialM),164–166informationmodel,aMi/dMs
integration,117–120informationtranslationand
verificationstructure,128–129infrared(ir)protocol,81infrastructureservice-level
agreements,60innovativetestbed
functionalarchitecture,buildingnodes,153–155
motherboard,newhardwareplatform,152–153
networktestbed,155overview,151–152
insecureremoteconnections,256instituteofelectricaland
electronicsengineers(ieee)ieee802.11,146,175ieee802.22,141–144,178ieee1686-2007,213ieee1711,253ieee1815,233,254ieee802.1ae,214
ieee802.1ar,214ieee802.16e,192ieee802.11i,192ieeeP1686,223ieee802.1q,235ieee802.1X,214standardization,191,213–214
integratedservicesdigitalnetwork(isdn),23
integration,10–12,see alsoadvancedmeteringinfrastructure(aMi)
integrityaMisystemsecurity,279vulnerabilitiesandsecurity
requirements,195–196intelXeonserver,146interchangeability,substation
devices,30inter-controlcenter
communications(iccP),208interfacereferenceModel(irM),
12,20–22interfaces
architectureandgeneralrecommendations,20
classes,meteringstandards,24interapplicationsintegration,14meterreadingandcontrol,14networkoperations,14recordsandassetmanagement,14
internationalcouncilonlargeelectronicsystems(ciGre),214
internationalelectrotechnicalcommission(iec)
iec6180-7-420,28iec27000,223iec60050,25iec60850,40iec60870,5,208iec60870-5,28–29,40,43iec60870-5-1,28
iec60870-5-2,28iec60870-5-3,28iec60870-5-4,28iec60870-5-5,28iec60870-5-6,29iec60870-5-101,28–30iec60870-5-102,28–29iec60870-5-103,28–29iec60870-5-104,28–30,43–44iec60870-5-601,29iec60870-5-604,29iec60870-6,36–39iec60870-6-1,39iec60870-6-2,39iec60870-6-501,38iec60870-6-502,38iec60870-6-503,38–39iec60870-6-505,38iec60870-6-601,39iec60870-6-602,39iec60870-6-701,38iec60870-6-702,38–39iec60870-6-802,38–40iec61334,5,23,26–27iec61334-3-1,27iec61334-3-21,26–27iec61334-3-22,26–27iec61334-4-1,27iec61334-4-32,27iec61334-4-33,27iec61334-4-41,27iec61334-4-42,27iec61334-4-511,26–27iec61334-4-512,26–27iec61334-5-1,26–27iec61334-5-2,26–27iec61334-5-3,26–27iec61334-5-4,26–27iec61334-5-5,26–27iec61334-6,26–27iec61344-4-61,27iec61400-25,5,28
iec61400-25-2,36iec61400-25-4,36iec61580,5,194iec61850,28,30–32,36–37,45,
195,208,210–211,234–235iec61850-3,31iec61850-4,31iec61850-5,31iec61850-6,31,36–37iec61850-7-1,31iec61850-7-2,31,33–34iec61850-7-3,31,34–35iec61850-7-4,28,31–32,34–35iec61850-7-410,28,31–32iec61850-7-420,31–32,35iec61850-8-1,31,33,37,45iec61850-9-1,31iec61850-9-2,32,37,45iec61850-10,32iec61850-80-1,32iec61850-90-1,32iec61870,50iec61870-5,28iec61950-7,37iec61968,5,11–12,14–15,17,
50,122iec61968-1,14,19,22iec61968-3,14,20–21iec61968-4,20–21iec61968-5,20–21iec61968-6,20–21iec61968-7,14,20–21iec61968-8,20–21iec61968-9,14,20–21,104,
120–124,128iec61968-11,11,14,16iec61968-13,14iec61970,5,12–15,50iec61970-1,13iec61970-4,17,19–20iec61970-301,11,13,16iec61970-401,11,19iec61970-402,13,19
iec61970-403,13,19iec61970-404,13,19iec61970-405,13,19iec61970-407,13,19iec61970-453,13iec61970-501,13iec62051,24iec62056,5,24–25,115–117iec62056-21,115–116iec62056-24,24iec62056-31,24iec62056-42,24,115–116,119iec62056-46,24,115–116,119iec62056-47,25,115–116iec62056-53,24,112,116,119iec62056-61,24,116,119iec62056-62,24,112,
116–120,123iec62325,5,11–12,14–15iec62325-101,15iec62351,5,40,45–46,
222–223iec62351-3,40–41,209–210iec62351-4,40–43,45,209–210iec62351-5,40,43–44,209–210iec62351-6,40,45,209–211iec62351-7,40,45–46,211iec62351-8,211iec62351-9,211iec62351-10,211–212iec62351-11,212iec62443,40,208iec62443-1-1,213iec62443-2-1,213iec62443-3-1,213iec62541,48iec608705,254iectc57,12iec62357tc57,5iectc13wG14,23–24iectc57wG14,14iec/tr61334-1-1,26iec/tr61334-1-2,26
iec/tr61334-1-4,27iec/tr61850-1,31iec/tr62051,25–26iec/tr62051-1,25iec/tr62325-101,15iec/tr62325-102,15iec/tr62325-501,15iectr62357,6–7,50iec/ts60870-6-504,38iec/ts61850-2,31iec/ts61968-2,14iec/ts61970-2,13iec/ts61970-401,13iec/ts62056-41,25iec/ts62056-51,25iec/ts62056-52,25iec/ts62325-502,15iso/iec27k,40iso/iec8802-3,33iso/iec9506-1,33iso/iec9506-2,33iso/iec17799,215iso/iec27000,207iso/iec27001,207iso/iec27002,207iso/iec60870-5,209iso/iec61850,209iso/iec62351,208iso/iec62351-3,209–210iso/iec62443,213iso/iec62351-1to11,208–212iso/tr27019,222smartGridstrategicGroup
(sG3),207–208standardization,207tc13wG14,24–26
internationalorganizationforstandardization(iso)
iso8650,43iso27000,215iso27001,222iso27011,207iso27019,207
iso/iec27k,40iso/iec8802-3,33iso/iec9506-1,33iso/iec9506-2,33iso/iec17799,215iso/iec27000,207iso/iec27001,207iso/iec27002,207iso/iec60870-5,209iso/iec61850,209iso/iec62351,208iso/iec62351-3,209–210iso/iec62443,213iso/iec62351-1to11,208–212iso/tr27019,222isotransportservice,43standardization,207
internationalsocietyofautomation(isa)
isa99,213,223standardization,191,213
internetengineeringtaskforce(ietf),216–218
internetMessagecontrolProtocol(icMP),238,239
internetprotocoladdressing,276internet-protocol-basedmesh
communicationnetwork,109–110
internetProtocolsecurity(iPsec),234
Internet Protocols for the Smart Grid,217
internet-scalesystems,58–59internetworkingchallenges,
198–199interoperability,substationdevices,30intrusiondetectionsystems
failureof,176securityanddatamanagement,
45–46i/odriverapproach,63iPprotocol
communicationindustrystandardprotocolstacks,32–33
networkmigration,65secureprofiles,43
iPsec,seeinternetProtocolsecurity(iPsec)
ir,seeinfrared(ir)protocolirM,seeinterfacereferenceModel
(irM)isa,seeinternationalsocietyof
automation(isa)isdn,seeintegratedservices
digitalnetwork(isdn)iso,seeinternationalorganization
forstandardization(iso)iwayemi,abiodun,xiv,85–98
J
Japan,roadmapactivities,223
K
kernel PCA (KPCA), 156–157
keys
  agreement phase, 286
  authentication technique, 44
  cryptographic key distribution, 282–283
  development, 190
  establishment and management, 284–286
  link-layer security frameworks, 286–287
  networkwide, 285
  predistribution phase, 285
  secure communications, 41
  stored, 282
L
landmarkmaximumvarianceunfolding(lMvU),156,158
lceinfrastructure,129,130
ld,seelogicaldevices(lds)ldaP,seelightweightdirectory
accessProtocol(ldaP)li,zhao,xiv,101–135lightweightdirectoryaccess
Protocol(ldaP),232linklayerattacks,274–275link-layersecurityframeworks,
286–287linktransmissionprocedures,28liu,chen-ching,xiv,227–242livemigration,vMimages
datamigration,63–64networkmigration,64–66overview,62–63
lMn,seelocalmetrologicalnetwork(lMn)
lMvU,seelandmarkmaximumvarianceunfolding(lMvU)
ln,seelogicalnodes(lns)loadcontrol,seeBuildingload
control,distributedopportunisticscheduling
loadshed,maximizing,80local-areanetworks(lans)
appservices,39hierarchicalcommunication
networkformat,107localmetrologicalnetwork(lMn),
271localsystems,attributes,40localtampering,282logicaldevices(lds),31logicalnodes(lns)
devicesbeyondthesubstation,32objectmodels,35standards,235substationdevices,31
lower-layerprofilestandards,27low-rankmatrixapproximation,see
Principalcomponentanalysis(Pca)
lyrtech,148
M
Mac,seeMedium/mediaaccesscontrol(Mac);Messageauthenticationcodes(Macs)
MAC Securitystandard,214mainssignalingrequirement
standards,27mainstructure,6–7maintenanceapplications,12mandateM/490,220–222ManufacturingMessage
specification(MMs)protocolobjectmodels,34secureprofiles,42–43standards,209–210tase.2,38
mappingtoMMs,33towebservices,35–36
marketcommunications,usingciM,5,14
marketoperationsapplications,12Maroochyshire(Queensland),248maximumvarianceunfolding
(MvU),157Mda,seeModeldriven
architecture(Mda)approachMdi,seeMeterdataintegration
(Mdi)medium/mediaaccesscontrol
(Mac)distributionlineMessage
specification,26standards,214
message authentication codes (MACs)
  secure communications, 41
  sSCADA, 260
message-oriented middleware (MOM), 22
Metasploit framework, 240
meter authorization weaknesses, 282
Meterdataintegration(Mdi)adaptors,127–128,129aMitodMaprocesses,130architectureevaluation,131–134behavior,129–131components,127–129context,126dMatoaMiprocesses,
130–131flexibility,133informationtranslationand
verificationstructure,128–129lceinfrastructure,129monitor,129performance,131–132scalability,132softwarearchitecture,126–131strategies,131–133testresults,133–134
MeterdataManagementsystem(MdMs)
aMi/dMsintegration,110–111overview,104
meterdatamodelscomparisons,123–124aMeterModelinciM,
121–122Multispeak,122overview,120
meteringsystem,aMi/dMsintegration,104–106
meterlanhierarchicalcommunication
networkformat,108meterstandards,24–26Microsoft.netenterprise
technologies,131Microsoftresearchsoftwareradio
(sora)platform,150–151migration,vMimages
datamigration,63–64networkmigration,64–66overview,62–63
MiMo,seeMultipleinputmultipleoutput(MiMo)
minimumsecurityrequirements,fiPs,218
Microsoftresearchsoftwareradio,150–151
Mishra,sumita,xiv,269–287MMs,seeManufacturingMessage
specification(MMs)protocolModeldrivenarchitecture(Mda)
approach,20modes,demandresponse,88MoM,seeMessage-oriented
middleware(MoM)monitor,Mdilayer,129motherboards,152–153multipleinputmultipleoutput
(MiMo),156multipleremoteclouds,76Multi-Protocollabelswitching-
virtualPrivatenetwork(MPsal-vPn),65
Multispeak,122–124Munet,109MvU,seeMaximumvariance
unfolding(MvU)
N
naseo,seenationalassociationofstateenergyofficials(naseo)
nationalassociationofstateenergyofficials(naseo),273
nationalinfrastructureProtectionPlan(niPP),191
nationalinstituteofstandardsandtechnology(nist)
nationalregulations,218nistir7628,191,219,222sP800-53,218,223sP800-82,218–219,223
sP800-115,230sP1108,219sP800-53a,230standards,191,219
nationalregulationsBundesverbandfürenergie-and
wasserwirtschaft,219–220europeansmartGrid
coordinationGroup,220–222europeanUnion’staskforce
smartGrid,220nationalinstituteofstandards
andtechnology,218nistir7628,219nistsP800-53,218nistsP800-82,218–219nistsP1108,219overview,218U.s.departmentofhomeland
security,219nationalruralelectriccooperative
association(nreca),111nationalscadatestBed
Program,254neighbor-areanetwork,274–278neMastandards,117nerc,seenorthamericanelectric
reliabilitycorporation(nerc)
nessusassessmenttool,236,239netaPt,seenetworkaccessPolicy
tool(netaPt)networkaccessPolicytool
(netaPt),237networkconfiguration/rulesets,
236–237networkdiscovery,238–239networkforsmartgrid
hardwareplatforms,146–157Micorsoftresearchsoftware
radio,150–151overview,144–145
smallformfactorsoftware-definedradiodevelopmentplatform,148–149
testbed,146–157Universalsoftwareradio
Peripheral2,146–148wirelessopen-accessresearch
platform,149–150networkinfrastructure,113–114networklayerattacks,275–276,see
alsoattacksandaccidentsnetworkManagementProtocol
(snMP),236networkmigration,64–66networkprotocol,see alsospecific
protocoldistributednetworkprotocol,
233–234iec61850,234–235overview,233supportingprotocols,235–236
networktestbed,155networktrafficreview,237–238networkwidekeys,285neuralnetworks,176newYorkindependentsystem
operator(nYiso),249nightdragonattacks,251nist,seenationalinstituteof
standardsandtechnology(nist)
nodes,functionalarchitecture,153–155
noncriticalfunctioncodes,234nondeterministicpolynomial(nP)
hard,75nonrepudiation
aMisystemsecurity,280vulnerabilitiesandsecurity
requirements,196–197nooptimalstoppingrule(nosr),
94–95
northamericanelectricreliabilitycorporation(nerc),191,215–216,228,231
nP,seenondeterministicpolynomial(nP)hard
nreca,122nsslabs,251nYiso,seenewYorkindependent
systemoperator(nYiso)
O
oBis,seeobjectidentificationsystem(oBis)
objectidentificationsystem(oBis),24–25
objectmodelsstandard,34–35,39–40
oh,tae,xiv,269–287oMG,seeopenManagement
Group(oMG)openaccessresearchtestbed
fornext-Generalwirelessnetworks(orBit),146
openManagementGroup(oMG),20
opensourcetestingMethodologyManual(osstMM),230
opensysteminterconnection(osi)networkinfrastructurestandards,
114–115protocols,38–39secureprofiles,42
opportunisticscheduling,seedistributedopportunisticscheduling,buildingloadcontrol
optimalstoppingrule(osr)demandresponse,89–90simulationandresult,94–95
orBit,seeopenaccessresearchtestbedfornext-Generalwirelessnetworks(orBit)
OSI, see Open System Interconnection (OSI)
OSR, see Optimal stopping rule (OSR)
OSSTMM, see Open Source Testing Methodology Manual (OSSTMM)
outstations, 233
OVAL assessment tool, 236

P

Pacific Gas and Electric, 97
packet assembler-disassembler (PAD) type stations standards, 30
pairwise symmetric keys, 285
passive discovery, 237
passwords, 282, see also Keys
Pazos-Revilla, Marbin, xv, 139–178
PCA, see Robust principal component analysis (PCA)
PDU security extension, 45
peak-to-average ratio (PAR), 97
peer authentication, 42, see also Authentication
performance
  AMI and DMS integration, 125
  MDI layer, 131–132
PHEVs, see Plug-in hybrid electric vehicles (PHEVs)
physical devices, 235
physical layer
  attacks, 274
  standards, 24
PIM, see Platform-independent model (PIM)
PKI, see Public keys
plaintext NAN traffic, 280–281
planning
  control center, 231–232
  distributed network protocol, 233–234
  IEC 61850, 234–235
  network protocol, 233–235
  smart grid security, last mile, 272–274
  substations, 232–233
  supporting protocols, 235–236
platform-independent model (PIM), 20
platform-specific model (PSM), 20
PLC, see Powerline communicator (PLC); Programmable logic controllers (PLCs)
plug-in hybrid electric vehicles (PHEVs)
  demand response, 89
  example, 90
Poisson distribution, 94
polynomial fitting, 97
port-based network access control, 214
port scanning, 238–239
positive semidefinite (PSD) matrix, 158
postexecution, 240
powerline communicator (PLC), 109
PowerMeter service (Google), 194
power outage attack, 249–250
power pricing, 87–88
power system comparisons, 123
power systems
  management and associated information exchange, 6, 12
  object models, services, and protocols, 6
price-based options, demand response, 88
price signal modeling, 96–97
principal component analysis (PCA), 141, 156, see also Robust principal component analysis (PCA)
privacy
  overview, vii–viii
  planning, 272–274
  vulnerabilities and security requirements, 193–194
problem formulation, 90–94
profiles
  ebXML, 15
  security and data management, 41–43
programmable logic controllers (PLCs), 232–233
project management, 31
protocols, see also specific protocol
  control centers, 39
  telephone modem communication, 112
PSD, see Positive semidefinite (PSD) matrix
pseudorandom spreading code matrix and noise, 168–169
PSM, see Platform-specific model (PSM)
public keys
  authentication technique, 44
  secure communications, 41
  TinyOS, 284
  trust management systems, 190, 200

Q

Qian, Yi, xv
Qiu, Robert, xv, 139–178
quadrature phase shift keying (QPSK), 170, 172
quality of service (QoS), 35, 275

R

radio control board (RCB), 150–151
radio frequency (RF), 81
random modeling, price signals, 96–97
Ranganathan, Raghuram, xv, 139–178
Rayleigh flat fading, 168
RDF, see Resource description framework (RDF)
real-time pricing (RTP)
  demand response, 87, 89
  overview, 85–86
  simulation and result, 94–95
receiver block diagram, 167–170
reference architecture
  Application Integration at Electric Utilities-System Interfaces for Distribution Management, 14
  architectural principles, 10
  authentication technique, 43–44
  business partners and applications integration, 10–22
  Common Information Model, 15–19
  component interface specification, 19–20
  control centers, 37–40
  Data Exchange for Meter Reading, Tariff, and Load Control, 23–24
  DERs and meters, 36–37
  Distribution Automation Using Distribution Line Carrier Systems, 26–27
  Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
  Energy Management System Application Program Interface, 13–14
  energy systems integration, 22–40
  Framework for Energy Market Communications, 14–15
  IEDs, relays, meters, switchgear, CTs, and VTs, 28–36
  Interface Reference Model, 20–22
  intrusion detection, 45–46
  layers, 7–9
  main structure, 6–7
  meter standards, 24–26
  PDU security extension, 45
  revenue meters, 23–27
  seamless integration, 10
  secure communications, 40–41
  secure profiles, 41–43
  security and data management, 40–46
  standardization, 5–6
  structure of current standard, 7–9
regulations and standards, security
  Bundesverband für Energie- and Wasserwirtschaft, 219–220
  European Smart Grid Coordination Group, 220–222
  European Union’s Task Force Smart Grid, 220
  IEC Smart Grid Strategic Group, 207–208
  Institute of Electrical and Electronics Engineers, 213–214
  International Council on Large Electronic Systems, 214
  International Electrotechnical Commission, 207
  International Organization for Standardization, 207
  International Society of Automation, 213
  Internet Engineering Task Force, 216–218
  ISO/IEC 62443, 213
  ISO/IEC 27000 series, 207
  ISO/IEC 62351-1 to 11, 208–212
  National Institute of Standards and Technology, 218
  national regulations, 218–222
  NISTIR 7628, 219
  North American Electric Reliability Corporation, 215–216
  overview, 206
  Security for Information Systems and Intranets in the Electric Power System, 214
  Special Publication 800-53, 218
  Special Publication 800-82, 218–219
  Special Publication 1108, 219
  standardization, 206–218
  summary, 222–224
  Treatment of Information Security for Electric Power Utilities, 215
  U.S. Department of Homeland Security, 219
remote connections, 257–258
remote tampering, 282
remote terminal units (RTUs)
  cybersecurity, 189
  SCADA system security, 253, 255
  substations, 28–29, 233
replication, data migration, 63–64
request for comments (RFC)
  RFC 791, 33
  RFC 793, 33
  RFC 1006, 43
  RFC 1323, 33
  RFC 2030, 45
  RFC 2246, 212
  RFC 2460, 33
  RFC 3711, 217
  RFC 4101, 217
  RFC 4102, 217
  RFC 4103, 217
  RFC 4346, 212
  RFC 4962, 217
  RFC 5246, 212, 217
  RFC 5247, 217
  RFC 5746, 217
  RFC 6272, 217
  RFC 6407, 217
resource description framework (RDF), 7
resources, excessive consumption, 199–200
revenue meters
  Data Exchange for Meter Reading, Tariff, and Load Control, 23–24
  Distribution Automation Using Distribution Line Carrier Systems, 26–27
  Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
  meter standards, 24–26
review techniques, 236–238
RF, see Radio frequency (RF)
RFC, see Request for comments (RFC)
risk assessment, 215
Rivest, Shamir, and Adleman (RSA) signing, 41, 43
robust PCA-ICA approach, 166–172
robust principal component analysis (PCA), 161–163
Rohjans, Sebastian, xv, 3–51
routing black holes, 275
RSA, see Rivest, Shamir, and Adleman (RSA) signing
RTUs, see Remote terminal units (RTUs)

S

Salsburg, Michael, xv, 57
SAML, see Security Assertion Markup Language (SAML)
sample measured value (SMV) messages
  PDU security extension, 45
  standards, 235
sample values (SVs), 210
Sanders, William, 177
Sandia National Laboratory, 254
San Diego Gas and Electric, 97
SAS, see Substation automation system (SAS)
SCADA (supervisory control and data acquisition)
  communication network, 188–189
  control centers, 232
  cyberattacks, 228
  mapping to MMS, 33
  network configurations/rulesets, 236
  SIA layers, 11
  standards, 218, 254
  TASE.1, 38
  Wireshark, 237
SCADA, system security
  attacks and accidents, 248–251
  counter synchronization, 263
  energy grid and SCADA, 246–248
  overview, 245–246
  remote connections, 257–258
  security, 256–263
  sSCADA protocol suite, 258–263
  summary, 264
  threats, 255–257
scalability
  AMI and DMS integration, 125
  MDI layer, 132
scanning, vulnerability, 239
scheduling, 92, see also Distributed opportunistic scheduling
SCL, see Substation configuration language (SCL)
SCSM, see Specific communication service mapping (SCSM)
SCTP, see Stream Control Transmission Protocol (SCTP)
SDP, see Semidefinite programming (SDP)
SDR, see Small form factor (SFF) software-defined radio (SDR) development platform (DP)
seamless integration architecture (SIA)
  application, 46–50
  core standard, 5–6
  DERs and meters, 36
  Interface Reference Model, 22
  layers, 11–12
  reference architecture, 10
  security and data management, 40
secretary example, 90
secure communications, see also Communications
  communications infrastructure development, 174–176
  FPGA-based fuzzy logic intrusion detection, 176–178
  overview, 172, 174
  security and data management, 40–41
secure device identity, 214
secure hash algorithm, 43
Secure Real-Time Transport Protocol (SRTP), 217
secure shell (SSH) mechanism, 192
secure sockets layer (SSL), 40
secure sockets layer/transport layer security (SSL/TLS), 192
security, see also Attacks and accidents; Cybersecurity; Threats
  AMI system security, 279–280
  discrepancy, 278
  frameworks, 215
  information systems and intranets, 214
  overview, vii–viii
  planning, 272–274
  policy and operations, 199–200
  profiles, 41–43
  services, 200–201
  for the smart grid, 5
  technologies for IACS, 213
  technologies guideline, 215
security, and data management
  authentication technique, 43–44
  intrusion detection, 45–46
  overview, 40
  PDU security extension, 45
  secure communications, 40–41
  secure profiles, 41–43
security, regulations and standards
  Bundesverband für Energie- and Wasserwirtschaft, 219–220
  European Smart Grid Coordination Group, 220–222
  European Union’s Task Force Smart Grid, 220
  IEC Smart Grid Strategic Group, 207–208
  Institute of Electrical and Electronics Engineers, 213–214
  International Council on Large Electronic Systems, 214
  International Electrotechnical Commission, 207
  International Organization for Standardization, 207
  International Society of Automation, 213
  Internet Engineering Task Force, 216–218
  ISO/IEC 62443, 213
  ISO/IEC 27000 series, 207
  ISO/IEC 62351-1 to 11, 208–212
  National Institute of Standards and Technology, 218
  national regulations, 218–222
  NISTIR 7628, 219
  NIST SP 800-53, 218
  NIST SP 800-82, 218–219
  NIST SP 1108, 219
  North American Electric Reliability Corporation, 215–216
  overview, 206
  Security for Information Systems and Intranets in the Electric Power System, 214
  standardization, 206–218
  summary, 222–224
  Treatment of Information Security for Electric Power Utilities, 215
  U.S. Department of Homeland Security, 219
security, SCADA systems
  counter synchronization, 263
  overview, 252–254
  remote connections, 257–258
  sSCADA protocol suite, 258–263
  threats, 255–257
Security Assertion Markup Language (SAML), 200
“Security for Industrial Automation and Control Systems,” 213
security logs, 42
semidefinite programming (SDP), 157–158
sequencing heuristics, 75–76
service coverage, 142–143
service-level agreements (SLAs)
  application manager, 70, 72
  site broker, 73–75
  smart grids and cloud computing, 60–62
service-oriented architectures (SOAs)
  Interface Reference Model, 21
  reference architecture, 7
sewage management attack, 248
SFF, see Small form factor (SFF) software-defined radio (SDR) development platform (DP)
SGIP, see Smart Grid Interoperability Panel (SGIP) Cybersecurity Working Group
SIA, see Seamless integration architecture (SIA)
SIDM, see System Interfaces for Distribution Management (SIDM)
signal model, 167–170
signal-to-interference ratio (SIR), 170–172
signal-to-noise ratio (SNR), 170
Simple Network Management Protocol (SNMP), 236
Simple Network Time Protocol (SNTP), 45
Simple Object Access Protocol (SOAP), 35
simulations and results
  distributed opportunistic scheduling, building load control, 94–95
  robust PCA-ICA approach, 170–172
singular value decomposition (SVD), 162
SIR, see Signal-to-interference ratio (SIR)
site broker
  architecture, 68
  solutions, 73–76
Skeoch, Ronald, xv, 57
SLA, see Service-level agreements (SLAs)
small form factor (SFF) software-defined radio (SDR) development platform (DP), 148–149
smart appliances, data center, 79–81
smart grid, automation and SCADA system security
  attacks and accidents, 248–251
  counter synchronization, 263
  energy grid and SCADA, 246–248
  overview, 245–246
  remote connections, 257–258
  security, 257–263
  sSCADA protocol suite, 258–263
  summary, 264
  threats, 255–257
Smart Grid Architectural Model (SGAM), 221
Smart Grid Interoperability Panel (SGIP) Cybersecurity Working Group, 191, 219
smart grids
  cybersecurity strategy and requirements, 191
  overview, vii–viii
  standardization roadmap, 207–208
  varied contexts, 77
smart grids and cloud computing
  application manager, 67–72
  architecture, 66–69
  data center smart grid, 78–79
  data migration, 63–64
  hybrid cloud broker, 68–69, 76
  live migration, VM images, 62–66
  network migration, 64–66
  overview, 58–60
  service-level agreements, 60–62
  site broker, 68, 73–76
  smart appliances, data center, 79–81
  smart meters and smart loads, 77–81
  solutions, 69–77
  summary, 81
smart grid security, last mile
  AMI system security, 278–283
  application layer attacks, 277
  authorization, 280
  availability, 279–280
  back-office compromise, 277
  bus snooping, 281
  components, 278
  confidentiality, 279
  control system perspective, 272
  cryptographic key distribution, 282–283
  data encryption, 283–284
  denial-of-service threats, 282
  direct tampering, 281–282
  electric power system stability, 272
  encryption and key management, 283–287
  field-area network, 274–278
  future outlook, 287
  grid volatility, 277
  improper cryptography, 281
  integrity, 279
  Internet protocol addressing, 276
  key establishment and management, 284–286
  link-layer attacks, 274–275
  link-layer security frameworks, 286–287
  meter authorization weaknesses, 282
  neighbor-area network, 274–278
  network layer attacks, 275–276
  nonrepudiation, 280
  overview, 270–271
  physical layer attacks, 274
  plaintext NAN traffic, 280–281
  planning, 272–274
  privacy planning, 272–274
  security discrepancy, 278
  security issues, 279–280
  security planning, 272–274
  security threats, 274–278
  stored key and passwords, 282
  summary, 287
  system architecture, 271–272
  transport layer attacks, 276
  vulnerabilities, 280–283
smart meters and smart loads
  data center smart grid, 78–79
  overview, 77
  smart appliances, data center, 79–81
SMB/4175/R, 207
SMV, see Sample measured value (SMV) messages
SNR, see Signal-to-noise ratio (SNR)
SNTP, see Simple Network Time Protocol (SNTP)
SOA, see Service-oriented architectures (SOAs)
SOAP, see Simple Object Access Protocol (SOAP)
software architecture, 126–131
software radio (Sora) platform, 150–151
solar cell arrays, 89
solid-state electricity meters, 105
solutions, smart grids and cloud computing
  application manager, 69–72
  hybrid cloud broker, 76
  overview, 69
  site broker, 73–76
Sophia tool, 237
Sora, see Software radio (Sora) platform
Southern California Edison, 97
Sparx Systems Enterprise Architect, 16
Specht, Michael, xv, 3–51
specific communication service mapping (SCSM)
  mapping to MMS, 31
  sampled values, 31
spectrum monitoring, 158–161
SRTP, see Secure Real-Time Transport Protocol (SRTP)
sSCADA protocol suite, 258–263
SSH, see Secure shell (SSH) mechanism
SSL, see Secure sockets layer (SSL)
SSL/TLS, see Secure sockets layer/transport layer security (SSL/TLS)
standards and regulations, security
  Bundesverband für Energie- and Wasserwirtschaft, 219–220
  European Smart Grid Coordination Group, 220–222
  European Union’s Task Force Smart Grid, 220
  IEC Smart Grid Strategic Group, 207–208
  Institute of Electrical and Electronics Engineers, 213–214
  International Council on Large Electronic Systems, 214
  International Electrotechnical Commission, 207
  International Organization for Standardization, 207
  International Society of Automation, 213
  Internet Engineering Task Force, 216–218
  ISO/IEC 62443, 213
  ISO/IEC 27000 series, 207
  ISO/IEC 62351-1 to 11, 208–212
  National Institute of Standards and Technology, 218
  national regulations, 218–222
  NISTIR 7628, 219
  North American Electric Reliability Corporation, 215–216
  overview, 206
  Security for Information Systems and Intranets in the Electric Power System, 214
  Special Publication 800-53, 218
  Special Publication 800-82, 218–219
  Special Publication 1108, 219
  standardization, 206–218
  summary, 222–224
  Treatment of Information Security for Electric Power Utilities, 215
  U.S. Department of Homeland Security, 219
standards and standardization, see also specific organization or standard
  electric power systems communications-distributed network protocol, 254
  IEC Smart Grid Strategic Group, 207–208
  Institute of Electrical and Electronics Engineers, 213–214
  International Council on Large Electronic Systems, 214
  International Electrotechnical Commission, 207
  International Organization for Standardization, 207
  International Society of Automation, 213
  Internet Engineering Task Force, 216–218
  ISO/IEC 62443, 213
  ISO/IEC 27000 series, 207
  ISO/IEC 62351-1 to 11, 208–212
  North American Electric Reliability Corporation, 215–216
  overview, 206
  reference architecture, 5–6
  Security for Information Systems and Intranets in the Electric Power System, 214
  substation intelligent electronic devices, 213
  Treatment of Information Security for Electric Power Utilities, 215
standards and standardization, AMI/DMS integration
  ANSI C12.19-2008, 117–118
  ANSI C12.22, 112–114
  communication protocols, 111–117
  IEC 62056, 115–117
  IEC 62056-62, 118–120
  network infrastructure, 113–114
  overview, 111
state-of-practice review, 241–242
static model view, 18
storage array/area network (SAN), 63
stored key and passwords, 282, see also Keys
strategies, MDI layer, 131–133
Stream Control Transmission Protocol (SCTP), 276
strong wideband interference, 166–170
structural model view, 18
structure of current standard, 7–9
Stuxnet worm, 250
substation automation system (SAS), 37
substation configuration language (SCL)
  DERs and meters, 36
  existing object models, 36–37
  substation devices, 31
substations
  devices, 30–32
  standards, 5
substations, automation system vulnerability assessment
  assessment technologies, 230–241
  control center, 231–232
  distributed network protocol, 233–234
  IEC 61850, 234–235
  network configuration/rulesets, 236–237
  network discovery, 238–239
  network protocol, 233–235
  network traffic review, 237–238
  overview, 227–231
  planning, 231–236
  postexecution, 240
  review techniques, 236–238
  state-of-practice review, 241–242
  substations, 232–233
  summary, 241
  system configuration review, 236
  target identification and analysis, 238–239
  target vulnerability validation, 239–240
  vulnerability scanning, 239
summaries
  automation and SCADA system security, 264
  cloud computing, 81
  cognitive radio network, 178
  cybersecurity, 201
  distributed opportunistic scheduling, building load control, 98
  regulations and standards for security, 222–224
  smart grid security, last mile, 287
  technical smart grid infrastructure, 50–51
  vulnerability assessment, substation automation systems, 241
supervisory control and data acquisition, see SCADA
supporting protocols, 235–236
support vector machines (SVMs), 157–161
SVD, see Singular value decomposition (SVD)
SVM, see Support vector machines (SVMs)
Sybil attacks, 276
symmetric encryption, 40–41
symmetric keys
  authentication technique, 44
  development, 190
system and project management, 31
system architecture, 271–272
system capacity, 143–144
system configuration review, 236
System Interfaces for Distribution Management (SIDM), 14
system topology, 142

T

tampering, 281–282
target identification and analysis, 238
target vulnerability validation, 239–240
TASE.1, 38
TASE.2, 37–39
tasks, 90–94
TCIPG, see Trustworthy Cyber Infrastructure for the Power Grid (TCIPG)
TCP/IP protocol
  DERs and meters, 36
  secure communications, 40
  smart grid, 81
  standards, 115, 209
TCP protocol
  secure profiles, 42
  transport layer attacks, 276
TCP T profiles, 43
TCP/UDP protocol, 238
T&D, see Transmission and distribution (T&D)
technical smart grid infrastructure
  ACSI, 33–34
  applications, 14, 46–50
  app services, 39
  authentication technique, 43–44
  business partners and applications integration, 10–22
  Common Information Model, 15–19
  Communication Industry Standard Protocol Stacks, 32–33
  component interface specification, 19–20
  conformance test cases, companion standard, 29–30
  control centers, 37–40
  Data Exchange for Meter Reading, Tariff, and Load Control, 23–24
  DERs and meters, 36–37
  devices beyond the substation, 32
  Distribution Automation Using Distribution Line Carrier Systems, 26–27
  Electricity Metering-Data Exchange for Meter Reading, Tariff, and Load Control, 24–26
  Energy Management System Application Program Interface, 13–14
  energy systems integration, 22–40
  engineering, 36–37
  existing object models, 36–37
  field devices and systems using web services, 36
  Framework for Energy Market Communications, 14–15
  IEDs, relays, meters, switchgear, CTs, and VTs, 28–36
  Interface Reference Model, 20–22
  intrusion detection, 45–46
  main structure, 6–7
  Mapping to MMS, 33
  mapping to web services, 35–36
  meter standards, 24–26
  Object Models, 34–35, 39–40
  outlook, 50–51
  overview, 4–5
  PDU security extension, 45
  Protocols, 39
  reference architecture, 5–46
  revenue meters, 23–27
  RTUs or substation systems, 28–29
  seamless integration, 10
  secure communications, 40–41
  secure profiles, 41–43
  security and data management, 40–46
  standardization, 5–6
  structure of current standard, 7–9
  substation devices, 30–32
  summary, 50–51
  TASE.2, 37–39
Tektronix, 158
telecontrol equipment and systems, 27–28
Tennessee Technological University, 152
testbed, 146–157
test results, MDI layer, 133–134
Texas Instruments, 148
third-party protection, 197
thread explosion, 130
threats, see also Cybersecurity, communication infrastructures; Security
  application layer attacks, 277
  back-office compromise, 277
  denial-of-service threats, 282
  field-area network, 274–278
  grid volatility, 277
  Internet protocol addressing, 276
  link layer attacks, 274–275
  neighbor-area network, 274–278
  network layer attacks, 275–276
  physical layer attacks, 274
  SCADA system security, 255–257
  security discrepancy, 278
  transport layer attacks, 276
threshold quality indicator, 60
time, data migration, 63–64
time-of-use (TOU) pricing, 87, 89
time series data access (TSDA)
  application program interfaces, 13
  data exchange, 20
timestamp information, 280
TinyOS, 284
TLS, see Transport layer security (TLS); Transport security layer (TLS)
topology data, exchange, 17
TOU, see Time-of-use (TOU) pricing
TPDU, see Transport protocol data unit (TPDU)
traffic lights attack, 248
transmission
  link transmission procedures, 28
  standards, 28
  wireless recovery, 166–170
transmission and distribution (T&D), 191
Transmission Control Protocol, see TCP protocol
transport layer attacks, 276
transport layer security (TLS)
  Distributed Network Protocol, 234
  secure communications, 40
  secure profiles, 43
  standards, 209, 212
transport protocol data unit (TPDU), 43
transport security layer (TLS), 217
transport selectors (TSELs), 43
Trefke, Joern, xv, 3–51
triple data encryption algorithm (3DES), 192
trust, vulnerabilities and security requirements, 197–198
trusted third party (TTP), 41
trust management system development, 190
Trustworthy Cyber Infrastructure for the Power Grid (TCIPG), 177
TSDA, see Time series data access (TSDA)
TSEL, see Transport selectors (TSELs)

U

UCAIug, see Utility Communication Architecture International User Group (UCAIug)
UDP, see User Datagram Protocol (UDP)
UK, see Unique keys (UKs)
Unified Modeling Language (UML), 16, 19
Uniform Resource Identifier (URI), 35
unique keys (UKs), 44
Universal Description, Discovery, and Integration (UDDI) standard, 35
Universal Software Radio Peripheral 2 (USRP2), 146–148
University of California-Riverside, 146
unlicensed spectrum radio, 109
unused TV bands, 145
URI, see Uniform Resource Identifier (URI)
U.S. Department of Homeland Security, 219
U.S. Energy Information Administration website, 247
usage-dependent electricity price, 97
User Datagram Protocol (UDP), 276
Uslar, Mathias, xv, 3–51
USRP2, see Universal Software Radio Peripheral 2 (USRP2)
Utilimetrics, 117
Utility Communication Architecture International User Group (UCAIug), 273

V

Virginia Tech, 146
VM images, live migration
  data migration, 63–64
  network migration, 64–66
  overview, 62–63
vulnerabilities
  AMI system security, 280–283
  management state of practice, 242
  scanning, 239
  validation, 239–240
vulnerabilities and security requirements
  auditability, 196
  authentication, 196
  authorization, 196
  availability, 194–195
  integrity, 195–196
  nonrepudiability, 196–197
  overview, 192–193
  privacy, 193–194
  third-party protection, 197
  trust, 197–198
vulnerability assessment, substation automation systems
  assessment technologies, 230–241
  control center, 231–232
  distributed network protocol, 233–234
  IEC 61850, 234–235
  network configuration/rulesets, 236–237
  network discovery, 238–239
  network protocol, 233–235
  network traffic review, 237–238
  overview, 227–231
  planning, 231–236
  postexecution, 240
  review techniques, 236–238
  state-of-practice review, 241–242
  substations, 232–233
  summary, 241
  system configuration review, 236
  target identification and analysis, 238–239
  target vulnerability validation, 239–240
  vulnerability scanning, 239

W

wake-on-LAN (WOL) signals, 80
Wall Street Journal, 249
WAMS, see Wide-area measurement systems (WAMSs)
WAN, see Wide-area networks (WANs)
Wang, Yongge, xv, 245–264
Wang, Zhenyuan, xv, 101–135
WARP, see Wireless open-access research platform (WARP)
waste management system attack, 248
WBX, see Wide bandwidth transceiver (WBX)
W3C, see World Wide Web Consortium (W3C)
weather, 86–87
WebGate Classical Residential Meter solutions, 109
Web Services Trust (WS-Trust), 200
WebSphere MQ 7.0, 131
wide-area measurement systems (WAMSs), 230
wide-area networks (WANs)
  app services, 39
  hierarchical communication network format, 107–108
  home-area network, 109
  smart grid system architecture, 271
  TASE.2, 37
wideband interference, strong, 166–170
wide bandwidth transceiver (WBX), 147
Wiener filtering, 97
Wi-Fi
  home-area network, 109
  spectrum monitoring, 158–159
WiMAX
  backhaul solutions, 190
  emerging technologies, 175
  home-area network, 109
wireless local-area network (WLAN), 190
wireless open-access research platform (WARP)
  hardware platforms, 149–150
  motherboards, 152
  Sora, 151
wireless regional-area network (WRAN), 143
wireless sensor network (WSN), 190
Wireshark, 237
WLAN, see Wireless local-area network (WLAN)
WOL, see Wake-on-LAN (WOL) signals
World Wide Web Consortium (W3C), 35
worm attacks, 197–199, 250
wormholes, 276
WSN, see Wireless sensor network (WSN)
WS-Trust, see Web Services Trust (WS-Trust)

X

Xiao, Yang, vii–viii, xi–xii
Xilinx, 148, 149, 151
XML, see eXtensible Markup Language (XML)

Y

Yang, Fang, xv, 101–135
Ye, Yanzhu, xv, 101–135
Yi, Peizhong, xvi, 85–98

Z

Zhou, Chi, xvi, 85–98
ZigBee protocol
  emerging technologies, 175
  smart grid, 81