Security and Privacy in Smart Grids

Edited by Yang Xiao


CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2014 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper. Version Date: 20130611

International Standard Book Number-13: 978-1-4398-7783-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Security and privacy in smart grids / editor, Yang Xiao. pages cm

"A CRC title, part of the Taylor & Francis imprint, a member of the Taylor & Francis Group, the academic division of T&F Informa plc."

Includes bibliographical references and index. ISBN 978-1-4398-7783-8 (hardcover : acid-free paper) 1. Smart power grids--Security measures. I. Xiao, Yang, 1966-

TK3105.S32 2013 621.3190285'58--dc23 2012048623

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Preface vii

Acknowledgment ix

About the Editor xi

Contributors xiii

Part 1 Smart Grids in General

Chapter 1 An Overview of Recommendations for a Technical Smart Grid Infrastructure 3
Petra Beenken, Robert Bleiker, José González, Sebastian Rohjans, Michael Specht, Joern Trefke, and Mathias Uslar

Chapter 2 Smart Grid and Cloud Computing: Minimizing Power Consumption and Utility Expenditure in Data Centers 57
Sumit Kumar Bose, Michael Salsburg, Scott Brock, and Ronald Skeoch

Chapter 3 Distributed Opportunistic Scheduling for Building Load Control 85
Peizhong Yi, Xihua Dong, Abiodun Iwayemi, and Chi Zhou

Chapter 4 Advanced Metering Infrastructure and Its Integration with the Distribution Management System 101
Zhao Li, Fang Yang, Zhenyuan Wang, and Yanzhu Ye

Chapter 5 Cognitive Radio Network for the Smart Grid 139
Raghuram Ranganathan, Robert Qiu, Zhen Hu, Shujie Hou, Zhe Chen, Marbin Pazos-Revilla, and Nan Guo

Part 2 Security and Privacy in Smart Grids

Chapter 6 Requirements and Challenges of Cybersecurity for Smart Grid Communication Infrastructures 187
Rose Qingyang Hu and Yi Qian

Chapter 7 Regulations and Standards Relevant for Security of the Smart Grid 205
Steffen Fries and Hans-Joachim Hof

Chapter 8 Vulnerability Assessment for Substation Automation Systems 227
Adam Hahn, Manimaran Govindarasu, and Chen-Ching Liu

Chapter 9 Smart Grid, Automation, and SCADA System Security 245
Yongge Wang

Chapter 10 Smart Grid Security in the Last Mile 269
Tae Oh, Sumita Mishra, and Clark Hochgraf

List of Acronyms 293

Index 303

Preface

A smart grid is an integration of power delivery systems with communication networks and information technology (IT) to provide better services. Security and privacy will provide significant roles in building future smart grids. The purpose of this edited book is to provide state-of-the-art approaches and novel technologies for security and privacy in smart grids covering a range of topics in these areas.

This book investigates fundamental aspects and applications of smart grids, security, and privacy. It presents a collection of recent advances in these areas contributed by many prominent researchers working on smart grids and related fields around the world. Containing 10 chapters divided into two parts—Part I: Smart Grids in General and Part II: Security and Privacy in Smart Grids, we believe this book will provide a good reference for researchers, practitioners, and students who are interested in the research, development, design, and implementation of smart grid security and privacy.

This work is made possible by the great efforts of our contributors and publisher. We are indebted to our contributors, who have sacrificed days and nights to put together these chapters for our readers. We would like to thank our publisher. Without their encouragement and quality work, we could not have this book.

Yang Xiao
Department of Computer Science
The University of Alabama
Tuscaloosa, Alabama
E-mail: [email protected]

252 Security and Privacy in Smart Grids

9.3 SCADA Security

In this section, we demonstrate the challenges to secure the current automation systems, such as SCADA systems, with examples. Part of these analyses were taken from the work of Wang [19]. In a typical SCADA system [20], data acquisition and control are performed by remote terminal units (RTUs) and field devices that include functions for communications and signaling. SCADA systems normally use a poll response model for communications with cleartext messages. Poll messages are typically small (less than 16 bytes), and responses might range from a short "I am here" to a dump of an entire day's data. Some SCADA systems may also allow for unsolicited reporting from remote units. The communications between the control center and remote sites could be classified into the following four categories.

1. Data acquisition: The control center sends poll (request) messages to RTUs, and the RTUs dump data to the control center. In particular, this includes status scan and measured value scan. The control center regularly sends a status scan request to remote sites to obtain field devices status (e.g., OPEN or CLOSED or a fast CLOSED-OPEN-CLOSED sequence) and a measured value scan request to obtain measured values of field devices. The measured values could be analog values or digitally coded values and are scaled into engineering format by the front-end processor (FEP) at the control center.

2. Firmware download: The control center sends firmware downloads to remote sites. In this case, the poll message is larger (e.g., larger than 64,000 bytes) than other cases.

3. Control functions: The control center sends control commands to an RTU at remote sites. Control functions are grouped into four subclasses: individual device control (e.g., to turn on/off a remote device); control messages to regulating equipment (e.g., a raise/lower command to adjust the remote valves); sequential control schemes (a series of correlated individual control commands); and automatic control schemes (e.g., closed control loops).

4. Broadcast: The control center may broadcast messages to multiple RTUs. For example, the control center broadcasts an emergent shutdown message or a set-the-clock-time message.


Acquired data are automatically monitored at the control center to ensure that measured and calculated values lie within permissible limits. The measured values are monitored with regard to rate of change and for continuous trend monitoring. They are also recorded for postfault analysis. Status indications are monitored at the control center with regard to changes and time tagged by the RTUs. In legacy SCADA systems, existing communication links between the control center and remote sites operate at very low speeds (could be on an order of 300 to 9,600 bps). Note that present deployments of SCADA systems have variant models and technologies, which may have much better performances (for example, 61850-based systems). Figure 9.1 describes a simple SCADA system.

In practice, more complicated SCADA system configurations exist. Figure 9.2 lists three typical SCADA system configurations (see, e.g., Report No. 12 of the American Gas Association [AGA] [21]).

Recently, there have been several efforts to secure the national SCADA systems. Examples exist for the following companies and standards:

1. American Gas Association [21]. The AGA was among the first to design a cryptographic standard to protect SCADA systems. The AGA had originally been designing a cryptographic standard to protect SCADA communication links; the finished report is AGA 12, Part 1. AGA 12, Part 2, has been transferred to the Institute of Electrical and Electronics Engineers (IEEE) (IEEE 1711).

2. IEEE 1711 [22]. This was transferred from AGA 12, Part 2. This standard effort tries to define a security protocol, the Serial SCADA Protection Protocol (SSPP), for control system serial communication.

Figure 9.1 A simple SCADA system. WAN, wide-area network. (Figure: a control center with FEP, modem, WAN card and antenna linked over leased lines and radio or microwave to a remote site with modem, WAN card, antenna and several RTUs.)

3. IEEE 1815 [23]. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3). The purpose of this standard is to document and make available the specifications for the DNP3 protocol.

4. International Electrotechnical Commission Technical Committee Working Group 15 (IEC TC 57 WG 15) [24,25]. The IEC TC 57 WG 15 standardized SCADA communication security via its IEC 60870-5 series.

5. National Institute of Standards and Technology (NIST) [26]. The NIST Industrial Control System Security (ICS) group works on general security issues related to control systems such as SCADA systems.

6. National SCADA Test Bed Program [27]. The DOE established the National SCADA Test Bed program at Idaho National Laboratory and Sandia National Laboratory to ensure the secure, reliable, and efficient distribution of power.

Figure 9.2 Typical SCADA system configurations. (Figure: three panels, each a control center with FEP and modem connected to remote RTUs: SCADA system with point-to-point configuration; SCADA system with RTUs in a multi-drop architecture; SCADA system with RTUs connected in a series-star configuration.)

9.3.1 Threats to SCADA Systems

SCADA systems were not designed with public access in mind; they typically lack even rudimentary security. However, with the advent of technology, particularly the Internet, much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries. Critical security flaws for SCADA systems are well known to potential attackers. It is feared that SCADA systems can be taken over by hackers, criminals, or terrorists. Some companies may assume that they use leased lines and therefore nobody has access to their communications. The fact is that it is easy to tap these lines [28]. Similarly, frequency-hopping spread-spectrum radio and other wireless communication mechanisms frequently used to control RTUs can be compromised as well.

Several efforts [26,27,29] have been made for the analysis and protection of SCADA system security. According to these reports [26,27,29], the factors that have contributed to the escalation of risk to SCADA systems include the following:

• The adoption of standardized technologies with known vulnerabilities. In the past, proprietary hardware, software, and network protocols made it difficult to understand how SCADA systems operated—and therefore how to hack into them. Today, standardized technologies such as Windows, Unix-like operating systems, and common Internet protocols are used by SCADA systems. Thus, the number of people with knowledge to wage attacks on SCADA systems has increased.

• The connectivity of control systems to other networks. To provide decision makers with access to real-time information and allow engineers to monitor and control the SCADA systems from different points on the enterprise networks, the SCADA systems are normally integrated into the enterprise networks. Enterprises are often connected to partners' networks and to the Internet. Some enterprises may also use wide-area networks and the Internet to transmit data to remote locations. This creates further security vulnerabilities in SCADA systems.


• Insecure remote connections. Enterprises often use leased lines, wide-area networks/Internet, and radio/microwave to transmit data between control centers and remote locations. These communication links could be easily hacked.

• The widespread availability of technical information about control systems. Public information about infrastructures and control systems is readily available to potential hackers and intruders. Sean Gorman's dissertation (see, e.g., [13,18]), mentioned previously, is a good example for this scenario. Significant information on SCADA systems is publicly available (from maintenance documents, from former employees, and from support contractors, etc.). All these information sources could assist hackers in understanding the systems and finding ways to attack them.

Hackers may attack SCADA systems with one or more of the following actions:

1. Causing denial-of-service attacks by delaying or blocking the flow of information through control networks

2. Making unauthorized changes to programmed instructions in RTUs at remote sites, resulting in damage to equipment, premature shutdown of processes, or even disabling of control equipment

3. Sending false information to control system operators to disguise unauthorized changes or to initiate inappropriate actions by system operators

4. Modifying the control system software, producing unpredictable results

5. Interfering with the operation of safety systems

The analysis in reports [26,27,29] showed that securing control systems poses significant challenges, which include

1. The limitations of current security technologies in securing control systems. Existing Internet security technologies such as authorization, authentication, and encryption require more bandwidth, processing power, and memory than control system components typically have. Controller stations are generally designed to do specific tasks, and they often use low-cost, resource-constrained microprocessors.


2. The perception that securing control systems may not be economically justifiable.

3. The conflicting priorities within organizations regarding the security of control systems.

In this chapter, we concentrate on the protection of SCADA remote communication links. In particular, we discuss the challenges for protection of these links and design new security technologies to secure SCADA systems.

9.3.2 Securing SCADA Remote Connections

Relatively cheap attacks could be mounted on SCADA system communication links between the control center and RTUs since there is neither authentication nor encryption on these links. Under the umbrella of NIST's Critical Infrastructure Protection Cybersecurity of Industrial Control Systems, the AGA SCADA Encryption Committee has been trying to identify the functions and requirements for authenticating and encrypting SCADA communication links. Their proposal [21] is to build cryptographic modules that could be invisibly embedded into existing SCADA systems (in particular, one could attach these cryptographic modules to modems, such as those of Figure 9.2) so that all messages between modems are encrypted and authenticated when necessary, and they have identified the basic requirements for these cryptographic modules. However, due to the constraints of SCADA systems, no viable cryptographic protocols have been identified to meet these requirements. In particular, the challenges for building these devices are [21]

1. Encrypting of repetitive messages.

2. Minimizing delays due to cryptographic operations.

3. Ensuring integrity with minimal latency:

• Intramessage integrity: If cryptographic modules buffer a message until the message authenticator is verified, it introduces message delays that are not acceptable in most cases.

• Intermessage integrity: Reorder messages, replay messages, and destroy specific messages.

4. Accommodating various SCADA poll response and retry strategies: Delays introduced by cryptographic modules may interfere with the SCADA system's error-handling mechanisms (e.g., time-out errors).

5. Supporting broadcast messages.

6. Incorporating key management.

7. Controlling the cost of devices and management.

8. Dealing with a mixed mode: Some SCADA systems have cryptographic capabilities; others do not.

9. Accommodating different SCADA protocols: SCADA devices are manufactured by different vendors with different proprietary protocols.

Wang [19] has recently designed efficient cryptographic mechanisms to address these challenges and to build cryptographic modules as recommended in AGA Report No. 12 [21]. These mechanisms can be used to build plug-in devices called sSCADA (secure SCADA) devices that could be inserted into SCADA networks so that all communication links are authenticated and encrypted. In particular, authenticated broadcast protocols are designed so that they can be cheaply included into these devices. It has been a major challenging task to design efficiently authenticated emergency broadcast protocols in SCADA systems.

9.3.3 sSCADA Protocol Suite

The sSCADA protocol suite [19] is proposed to overcome the challenges discussed in the previous section. A sSCADA device installed at the control center is called a master sSCADA device, and sSCADA devices installed at remote sites are called slave sSCADA devices. Each master sSCADA device may communicate privately with several slave sSCADA devices. Occasionally, the master sSCADA device may also broadcast authenticated messages to several slave sSCADA devices (e.g., an emergency shutdown). An illustrative sSCADA device deployment for point-to-point SCADA configuration is shown in Figure 9.3.

It should be noted that the AGA had originally designed a protocol suite to secure the SCADA systems [21,30] (an open source implementation could be found in Reference 31). However, Wang [19] has broken these protocol suites by mounting a replay attack.


To reduce the cost of sSCADA devices and management, only symmetric key cryptographic techniques are used in our design. Indeed, due to the slow operations of public key cryptography, public key cryptographic protocols could introduce delays in message transmission that are not acceptable to SCADA protocols. Semantic security property [32] is used to ensure that an eavesdropper has no information about the plaintext, even if the eavesdropper sees multiple encryptions of the same plaintext. For example, even if the attacker has observed the ciphertexts of "shut down" and "turn on," it will not help the attacker to distinguish whether a new ciphertext is the encryption of "shut down" or "turn on." In practice, the randomization technique is used to achieve this goal. For example, the message sender may prepend a random string (e.g., 128 bits for Advanced Encryption Standard [AES] 128) to the message and use special encryption modes such as cipher block chaining (CBC) mode or hash-CBC (HCBC) mode. In some modes, this random string is called the initialization vector (IV). This prevents information leakage from the ciphertext even if the attacker knows several plaintext/ciphertext pairs encrypted with the same key.

Since SCADA communication links could be as low as 300 bps and immediate responses are generally required, there is no sufficient bandwidth to send the random string (IV) each time with the ciphertext; thus, we need to design different cryptographic mechanisms to achieve semantic security without additional transmission overhead. In our design, we use two counters shared between two communicating partners, one for each direction of communication.

The counters are initially set to zeros and should be at least 128 bits, which ensures that the counter values will never repeat, avoiding replay attacks. The counter is used as the IV in message encryptions if CBC or HCBC mode is used. After each message encryption, the counter is increased by one if CBC mode is used, and it is increased by the number of blocks of encrypted data if the HCBC mode is used. The two communicating partners are assumed to know the values of the counters, and the counters do not need to be added to each ciphertext. Messages may become lost, and the two counters need to be synchronized occasionally (e.g., at off-peak time). A simple counter synchronization protocol is proposed for the sSCADA protocol suite. The counter synchronization protocol could also be initiated when some encryption/decryption errors appear due to unsynchronized counters.

Figure 9.3 sSCADA with point-to-point SCADA configuration. (Figure: control center FEP and master sSCADA device behind a modem, linked to a modem, slave sSCADA device and RTU at the remote site.)

For two sSCADA devices to establish a secure channel, a master secret key needs to be bootstrapped into the two devices at deployment time (or when a new sSCADA device is deployed into the existing network). For most configurations, secure channels are needed only between a master sSCADA device and a slave sSCADA device. For some configurations, secure channels among slave sSCADA devices may also be needed. The secure channel identified with this master secret is used to establish other channels, such as session secure channels, time synchronization channels, authenticated broadcast channels, and authenticated emergency channels.

Assume that $H(\cdot)$ is a pseudorandom function (e.g., constructed from Secure Hash Algorithm [SHA]-256) and two sSCADA devices $A$ and $B$ share a secret $K_{AB} = K_{BA}$. Depending on the security policy, this key $K_{AB}$ could be the shared master secret or a shared secret for one session that could be established from the shared master key using a simple key establishment protocol (to achieve session key freshness, typically one node sends a random nonce to the other one, and the other node sends the encrypted session key together with an authenticator on the ciphertext and the random nonce). Keys for different purposes could be derived from this secret as follows (it is not a good practice to use the same key for different purposes): for example, $K_{AB} = H(K_{AB}, 1)$ is for message encryption from $A$ to $B$, $K'_{AB} = H(K_{AB}, 2)$ is for message authentication from $A$ to $B$, $K_{BA} = H(K_{AB}, 3)$ is for message encryption from $B$ to $A$, and $K'_{BA} = H(K_{AB}, 4)$ is for message authentication from $B$ to $A$.

Optional message authentication codes (MACs) are used for two parties to achieve data authentication and integrity. MACs that could be used for sSCADA implementation include HMAC [33,34], CBC-MAC [35], and others. When party $A$ wants to send a message $m$ to party $B$ securely, $A$ computes the ciphertext $c = E(C_A, K_{AB}, c_A \| m)$ and message authenticator $mac = MAC(K'_{AB}, C_A \| c)$, where $c_A$ is


the last $l$ bits of $H(C_A)$ ($l$ could be as large as possible if bandwidth is allowed, and 32 bits should be the minimal), $E(C_A, K_{AB}, c_A \| m)$ denotes the encryption of $c_A \| m$ using key $K_{AB}$ and random prefix (or IV) $C_A$, and $C_A$ is the counter value for the communication from $A$ to $B$. Then, $A$ sends the following packets to $B$:

$$A \to B: \; c, \; mac \text{ (optional)}$$

When $B$ receives these packets, $B$ decrypts $c$, checks that $c_A$ is correct, and verifies the message authenticator $mac$ if $mac$ is present. As soon as $B$ receives the first block of the ciphertext, $B$ can check whether $c_A$ is correct. If it is correct, then $B$ continues the decryption and updates its counter. Otherwise, $B$ discards the entire ciphertext. If the message authenticator code $mac$ is present, $B$ also verifies the correctness of $mac$. If $mac$ is correct, $B$ does nothing; otherwise, $B$ may choose to inform $A$ that the message was corrupted or try to resynchronize the counters.

There are several implementation issues on how to deliver the message to the target (e.g., RTU). For example, there are the following:

1. $B$ uses the counter to decrypt the first block of the ciphertext; if the first $l$ bits of the decrypted plaintext are not consistent with $H(C_A)$, then the reason could be that the counter $C_A$ is not synchronized or that the ciphertext is corrupted. $B$ may try several possible counters until the counter-checking process succeeds. $B$ then uses the verified counter and the corresponding key to decrypt the message and deliver each block of the resulting message to the target as soon as it is available. If no counter could be verified in a limited number of trials, $B$ may notify $A$ of the transmission failure and initiate the counter synchronization protocol in the next section. The advantage of this implementation is that we have minimized delay from the cryptographic devices, thus minimizing the interference of SCADA protocols. Note that in this implementation, the message authenticator $mac$ is not used. If the ciphertext was tampered, we rely on the error correction mechanisms (normally CRC codes) in SCADA systems to discard the entire message. If CBC (respectively HCBC) mode is used, then the provable security properties (respectively provable online cipher security properties) of CBC mode (respectively HCBC mode) [36,37] guarantee that the attacker has no chance to tamper with the ciphertext, so that the decrypted plaintext contains a correct CRC that was used by SCADA protocols to achieve integrity.

2. Proceed as in case 1. In addition, the $mac$ is further checked, and the decrypted message is delivered to the SCADA system only if the $mac$ verification passes. The disadvantage for this implementation is that these cryptographic operations introduce significant delay for message delivery, and it may interfere with SCADA protocols.

3. Proceed as in case 1. The decrypted message is delivered to the SCADA system as soon as available. After receiving the entire message and $mac$, $B$ will also verify $mac$. If the verification passes, $B$ will do nothing. Otherwise, $B$ resynchronizes the counter with $A$ or initiates some other exception-handling protocols.

4. To avoid delays introduced by cryptographic operations and to check the $mac$ at the same time, sSCADA devices may deliver decrypted bytes immediately to the target except the last byte. If the message authenticator $mac$ is verified successfully, the sSCADA device delivers the last byte to the target; otherwise, the sSCADA device discards the last byte or sends a random byte to the target. That is, we rely on the error correction mechanisms at the target to discard the entire message. Similar mechanisms have been proposed [21]. However, an attacker may insert garbage between the ciphertext and $mac$, thus tricking the sSCADA device to deliver the decrypted messages to the SCADA system. If this happens, we essentially do not receive an advantage from this implementation. Thus, this implementation is not recommended.

5. Instead of prepending $c_A$ to the plaintext message, one may choose to prepend three bytes of other specially formatted string to the plaintext message (bandwidth of three bytes is normally available in SCADA systems) before encryption. This is an acceptable solution although we still prefer our solution of prepending the hash outputs of the counter.


There could be other implementations to improve the performance and interoperability with SCADA protocols. sSCADA devices should provide several possible implementations for users to configure. Indeed, sSCADA devices may also be configured in a dynamic way so that for different messages it uses different implementations.

In some SCADA communications, message authentication only is sufficient. That is, it is sufficient for $A$ to send $(m, mac)$ to $B$, where $m$ is the cleartext message and $mac = MAC(K'_{AB}, C_A \| m)$. sSCADA devices should provide configuration options to perform message authentication without encryption. In this case, even if the counter value is not used as the IV, the counter value should still be authenticated in the $mac$ and be increased after the operation. This will provide message freshness assurance and avoid replay attacks. sSCADA should also support message pass-through mode. That is, the message is delivered without encryption and authentication. In summary, it should be possible to configure an sSCADA device in such a way that some messages are authenticated and encrypted, some messages are authenticated only, and some messages are passed through directly.

9.3.4 Counter Synchronization

In the point-to-point message authentication and encryption protocol, we assume that both sSCADA devices $A$ and $B$ know each other's counter values $C_A$ and $C_B$, respectively. In most cases, reliable communication in SCADA systems is provided, and the security protocols in the previous section work fine. Still, we provide a counter synchronization protocol so that sSCADA devices can synchronize their counters when necessary. The counter synchronization protocol could be initiated by either side. Assume that $A$ initiates the counter synchronization protocol. Then, the protocol looks as follows:

$$A \to B: \; N_A$$

$$B \to A: \; C_B, \; MAC(K'_{BA}, N_A \| C_B)$$

The initial counter values of two sSCADA devices could be bootstrapped directly. The counter synchronization protocol presented could also be used by two devices to bootstrap the initial counter values. A master sSCADA device may also use the authenticated broadcast channel that we discuss in the next section to set the counters of several slave sSCADA devices to the same value using one message.
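The point-to-point send/receive procedure of Section 9.3.3 (counter as IV, the $c_A$ prefix check with a small window of counter trials, optional $mac$) and the nonce-authenticated counter synchronization exchange of Section 9.3.4, worked through as an added Python example; this is not code from the chapter or from Wang's sSCADA devices. Assumptions: $H(\cdot)$ and the MAC are HMAC-SHA256, $c_A$ is taken from plain SHA-256 of the counter, and the block cipher is a small Feistel stand-in rather than AES so that the example runs with the standard library only.

```python
import hmac
import hashlib
import os

BLOCK = 16          # toy block size in bytes (128 bits, the same as the AES block size)
L_BYTES = 4         # l = 32 bits, the minimal length of the prefix c_A recommended in the chapter
COUNTER_BYTES = 16  # counters are at least 128 bits so that IV values never repeat

def H(key: bytes, *parts: bytes) -> bytes:
    """Pseudorandom function H(.) built from SHA-256 (assumption: HMAC-SHA256); also used as the MAC."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def derive_keys(k_ab: bytes) -> dict:
    """K_AB = H(K,1), K'_AB = H(K,2) for A->B; K_BA = H(K,3), K'_BA = H(K,4) for B->A."""
    return {"enc_AB": H(k_ab, b"\x01"), "mac_AB": H(k_ab, b"\x02"),
            "enc_BA": H(k_ab, b"\x03"), "mac_BA": H(k_ab, b"\x04")}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return H(key, bytes([i]), half)[:BLOCK // 2]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Stand-in 4-round Feistel block cipher (assumption: NOT AES; only so no extra library is needed)."""
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def counter_prefix(counter: int) -> tuple:
    """IV = the counter value C_A; c_A = last l bits of H(C_A) (assumption: plain SHA-256 of the IV)."""
    iv = counter.to_bytes(COUNTER_BYTES, "big")
    return iv, hashlib.sha256(iv).digest()[-L_BYTES:]

def sscada_send(keys: dict, counter_a: int, m: bytes, with_mac: bool = True) -> tuple:
    """A -> B: c = E(C_A, K_AB, c_A || m) and the optional mac = MAC(K'_AB, C_A || c).
    Returns (c, mac, new counter); in CBC mode the counter advances by one per message."""
    iv, c_a = counter_prefix(counter_a)
    c = cbc_encrypt(keys["enc_AB"], iv, _pad(c_a + m))
    mac = H(keys["mac_AB"], iv, c) if with_mac else None
    return c, mac, counter_a + 1

def sscada_receive(keys: dict, counter_b: int, c: bytes, mac: bytes = None, max_trials: int = 8) -> tuple:
    """B's side (implementations 1 and 2 in the chapter): decrypt only the first block with each
    candidate counter until the c_A check passes, verify mac if one was sent, then decrypt all.
    Returns (m, new counter). A stale (replayed) message matches no candidate counter."""
    for trial in range(max_trials):
        cand = counter_b + trial  # lost messages leave A's counter ahead of B's, never behind
        iv, c_a = counter_prefix(cand)
        first = _xor(block_decrypt(keys["enc_AB"], c[:BLOCK]), iv)
        if first[:L_BYTES] != c_a:
            continue              # wrong counter or corrupted ciphertext: try the next counter
        if mac is not None and not hmac.compare_digest(mac, H(keys["mac_AB"], iv, c)):
            raise ValueError("mac verification failed")
        pt = cbc_decrypt(keys["enc_AB"], iv, c)
        return pt[L_BYTES:-pt[-1]], cand + 1
    raise ValueError("no counter verified: start the counter synchronization protocol")

def sync_request() -> bytes:
    """A -> B: N_A, a fresh random nonce."""
    return os.urandom(16)

def sync_respond(keys: dict, counter_b: int, n_a: bytes) -> tuple:
    """B -> A: C_B, MAC(K'_BA, N_A || C_B)."""
    c_b = counter_b.to_bytes(COUNTER_BYTES, "big")
    return c_b, H(keys["mac_BA"], n_a, c_b)

def sync_verify(keys: dict, n_a: bytes, c_b: bytes, mac: bytes) -> int:
    """A adopts C_B only if the MAC covers its own nonce, so a recorded old reply is rejected."""
    if not hmac.compare_digest(mac, H(keys["mac_BA"], n_a, c_b)):
        raise ValueError("counter synchronization response not authentic")
    return int.from_bytes(c_b, "big")
```

Because the prefix is $H(C_A)$ rather than the counter itself, a wrong candidate counter fails the first-block check even though neighbouring counter IVs differ in only their last byte; dropping a message and then receiving the next one exercises the trial window, and replaying an old message exercises the failure path.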

9.4 Conclusion

in this chapter, we discussed the challenges for smart grid systemsecurity.wethenusecontrolsystems(inparticular,scadasystems)asexamplesforstudyinghowtoaddressthesechallenges.inparticu-lar,wementionedwang’sattack19ontheprotocolsinthefirstversionof theaGastandarddraft.30This attack showed that the securitymechanismsinthefirstdraftoftheaGastandardprotocolcouldbeeasilydefeated.wethenproposedasuiteofsecurityprotocolsopti-mized for scada/dcs systems. These protocols are designed toaddressthespecificchallengesofscadasystems.

Recently, there has been wide interest in the secure design and implementation of smart grid systems [38]. The SCADA system is one of the most important legacy systems of the smart grid. Together with other efforts such as IEEE 1711 [22], IEEE 1815 [23], IEC TC 57 [24], IEC 60870-5 [25], NIST industrial control system security [26], and the National SCADA Test Bed Program [27], the work in this chapter presents an initial step toward securing the SCADA section of smart grid systems against cyber attacks.

References

1. Department of Energy. Title XIII—Smart Grid (2010). http://www.oe.energy.gov/documentsandMedia/eisa_title_Xiii_smart_Grid.pdf

2. U.S. Energy Information Administration. Net Generation by Energy Source: Total (All Sectors) (2011). http://www.eia.gov/cneaf/electricity/epm/table1_1.html

3. M. Abrams and J. Weiss. Malicious Control System Cyber Security Attack Case Study—Maroochy Water Services, Australia (2010). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Maroochy-water-services-case-study_briefing.pdf

4. M. Abrams and J. Weiss. Bellingham, Washington, Control System Cyber Security Case Study (2007). http://csrc.nist.gov/groups/sMa/fisma/ics/documents/Bellingham_case_study_report2020sep071.pdf

265 Smart Grid and SCADA Security

5. USA Today. Aurora case: U.S. video shows hacker hit on power grid (2007). http://www.usatoday.com/tech/news/computersecurity/2007-09-27-hacker-video_n.htm

6. SPAMfighter. Vancouver city police investigating possible sabotage of traffic light computer system (2007). http://www.spamfighter.com/news_show_other.asp?M=10&Y=2007

7. S. Gorman. Electricity grid in US penetrated by spies. Wall Street Journal (April 8, 2009). http://online.wsj.com/article/sB123914805204099085.html

8. New York Independent System Operator (NYISO). NYISO Interim Report on the August 14, 2003 Blackout (2004). http://www.hks.harvard.edu/hepg/Papers/nYiso.blackout.report.8.Jan.04.pdf

9. G. Keizer. Is Stuxnet the "best" malware ever? (2010). http://www.infoworld.com/print/137598

10. M. Davis. SmartGrid device security: adventures in a new medium (2009). http://www.blackhat.com/presentations/bh-usa-09/Mdavis/BhUsa09-davis-aMi-slides.pdf

11. McAfee. Global Energy Cyberattacks: Night Dragon (February 2011). http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

12. K. Zetter. Fearing industrial destruction, researcher delays disclosure of new Siemens SCADA holes (2011). http://www.wired.com/threatlevel/2011/05/siemens-scada-vulnerabilities/

13. L. Blumenfeld. Dissertation could be security threat. Washington Post (July 7, 2003). http://www.washingtonpost.com/ac2/wp-dyn/a23689-2003Jul7

14. U.S.-Canada Power System Outage Task Force. Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004). https://reports.energy.gov/Blackoutfinal-web.pdf

15. North American Electric Reliability Council. Technical Analysis of the August 14, 2003, Blackout: What Happened, Why, and What Did We Learn? (2004). http://www.nerc.com/docs/docs/blackout/nerc_final_Blackout_report_07_13_04.pdf

16. N. Falliere, L. O Murchu, and E. Chien. W32.Stuxnet Dossier (February 2011). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

17. NSS Labs. Homepage. http://www.nsslabs.com/

18. J. Rappaport. What you don't know might hurt you: alum's work balances national security and information sharing. http://gazette.gmu.edu/articles/11144

19. Y. Wang. sSCADA: securing SCADA infrastructure communications. International Journal of Communication Networks and Distributed Systems 6(1), 59–78 (2011).

20. T. Cegrell. Power System Control Technology. Prentice-Hall International, Harlow, UK (1986).


21. American Gas Association. AGA Report No. 12. Cryptographic Protection of SCADA Communications: General Recommendations. Draft 2, February 5, 2004. Draft 2 is no longer available online; Draft 3 (2010) is available for purchase. http://www.aga.org/

22. Institute of Electrical and Electronics Engineers. IEEE 1711. Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links (2011). http://standards.ieee.org/findstds/standard/1711-2010.html

23. Institute of Electrical and Electronics Engineers. IEEE 1815. Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3) (2010). http://grouper.ieee.org/groups/1815/

24. International Electrotechnical Commission. IEC TC 57. Focus on the IEC TC 57 Standards (2010). http://www.ieee.org/portal/cms_docs_pes/pes/subpages/publications-folder/tc_57_column.pdf

25. International Electrotechnical Commission. IEC 60870-5. Group Maillist Information (2010). http://www.trianglemicroworks.com/iec60870-5/index.htm

26. National Institute of Standards and Technology (NIST). NIST Industrial Control System Security (ICS) (2011). http://csrc.nist.gov/groups/sMa/fisma/ics/index.html

27. Idaho National Laboratory. National SCADA Test Bed Program (2011). http://www.inl.gov/scada/

28. Granite Island Group. Wiretapping and outside plant security—Wiretapping 101 (2011). http://www.tscm.com/outsideplant.html

29. General Accounting Office. GAO-04-628. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform (March 30, 2004). http://www.gao.gov/new.items/d04628t.pdf

30. A. K. Wright, J. A. Kinast, and J. McCarty. Low-latency cryptographic protection for SCADA communications. In Proc. 2nd Int. Conf. on Applied Cryptography and Network Security, ACNS 2004, vol. 3089, LNCS, pp. 263–277. Springer-Verlag, New York (2004).

31. A. Wright. SCADASafe (2006). http://scadasafe.sourceforge.net

32. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984).

33. M. Bellare, R. Canetti, and H. Krawczyk. Message authentication using hash functions—the HMAC construction. RSA Laboratories CryptoBytes 2(1) (Spring 1996).

34. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. Internet RFC 2104 (February 1997).

35. National Institute of Standards and Technology (NIST). DES Modes of Operation. FIPS Publication 81. NIST, Gaithersburg, MD (1981). http://www.itl.nist.gov/fipspubs/fip81.htm

36. M. Bellare, A. Boldyreva, L. Knudsen, and C. Namprempre. Online ciphers and the hash-CBC constructions. In Advances in Cryptology—Crypto 2001, vol. 2139, LNCS, pp. 292–309. Springer-Verlag, New York (2001).


37. M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399 (2000).

38. Department of Energy. Study of Security Attributes of Smart Grid Systems—Current Cyber Security Issues (April 2009). http://www.inl.gov/scada/publications/d/securing_the_smart_grid_current_issues.pdf