AuthenticationandIntegrityintheSmartGrid ... substation for the smart grid, by taking a 220kV-132kV...

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2012, Article ID 175262, 13 pagesdoi:10.1155/2012/175262

Research Article

Authentication and Integrity in the Smart Grid:An Empirical Study in Substation Automation Systems

Xiang Lu,1, 2 Wenye Wang,2 and Jianfeng Ma1

1 Department of Computer Science, Xidian University, Xi’an 710071, China2 Department of Electrical and Computer Engineering, North Carolina State University, Raleigh, NC 27606, USA

Correspondence should be addressed to Xiang Lu, [email protected]

Received 8 March 2012; Accepted 3 April 2012

Academic Editor: Qun Li

Copyright © 2012 Xiang Lu et al. This is an open access article distributed under the Creative Commons Attribution License,which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

The smart grid is an emerging technology that integrates power infrastructures with information technologies to enableintelligent energy managements. As one of the most important facilities of power infrastructures, electrical substations undertakeresponsibilities of energy transmissions and distributions by operating interconnected electrical devices in a coordinated manner.Accordingly, it imposes a great challenge on information security, since any falsifications may trigger mal-operations, and result indamages to power usage. In this paper, we aim at authentication and integrity protections in substation automation systems (SAS),by an experimental approach on a small scale SAS prototype, in which messages are transmitted with commonly-used data originauthentication schemes, such as RSA, Message Authentication Code, and One-Time Signature. Through experimental results, wefind that, current security solutions cannot be applied directly into the SAS due to insufficient performance considerations inresponse to application constraints, including limited device computation capabilities, stringent timing requirements and highdata sampling rates. Moreover, intrinsic limitations of security schemes, such as complicated computations, shorter key valid timeand limited key supplies, can easily be hijacked by malicious attackers, to undermine message deliveries, thus becoming securityvulnerabilities. Our experimental results demonstrate guidelines in design of novel security schemes for the smart grid.

1. Introduction

The smart grid envisions a revolutionary regime of energymanagements by integrating information technologies withpower systems to make energy generation and consumptionefficient and intelligent [1]. Towards such a promisingparadigm, the crux lies in timely and accurate informationexchanges for synergistic coordinations among a variety ofelectric power devices [2], in order that intelligent powermanagement applications, such as relay protection [3] anddemand response [4], can be readily implemented forubiquitous system supervisory and efficient device controls.

As the most critical facility in power systems, widelydeployed substations are engaged in crucial functions ofenergy transmissions and distributions, including voltagetransformation and regulation, power quality measure-ments, and interconnections of multiple electric systems[5]. Towards such important and diversified functions, avariety of power devices are installed in substations, such as

transformers, breakers, and insulators. Furthermore, a largenumber of power devices in the substation result in extensivecontrol and system information exchanges and deliveries,serving for collaborative system operations. For example, toameliorate power qualities and avoid potential energy losses,the capacitor bank, which is made up of groups of individualcapacitors, requires real-time power factor measures ofphasor measurement units (PMUs) as references of powerfactor tuning in distribution substations [6]. Also, an elec-trical regulator resorts to electronic voltage transformers forinformation of real-time voltage measures to automaticallymaintain a constant voltage level on distribution feeders[7]. Hence, timely and accurate information exchanges arevital to device and system operations towards efficient powermanagements.

To enable substantial information exchanges, powerdevices in a substation are organized to form a substa-tion automation system (SAS) via microprocessor-basedequipment controllers, which are also known as intelligent

2 International Journal of Distributed Sensor Networks

electronic devices (IEDs) [8, 9]. In this way, equipmentinformation and system events are able to be transmitted andresponded elegantly, thereby effectively preventing potentialsystem failures.

Nevertheless, since the SAS encompasses all criticalsystem information, it is prone to be the primary target ofmalicious attacks [10], even terrorist attacks. Through theSAS, attackers can readily invade the substation to launchattacks by unauthorized operating equipments or tamperingsystem parameters. For example, an attacker can counterfeitdevice failures by modifying real-time device data, likecurrent and voltage, to trigger inappropriate protectionoperations, for example, “tripping” relays to cut off feeders.Even worse, such an incorrect operation may spread quicklyto neighbor substations due to interconnections betweensubstations, thereby deriving cascading failures in a large area[11]. Thus, how to protect the integrity and authenticity of SASmessages between interconnected power equipments is a crucialchallenge not only for the reliability of the smart grid, but forthe national security and public safety [12].

Prior works have identified potential threats faced bythe SAS [13] and recommended to leverage data originauthentication schemes [14–16] to protect the authenticityand integrity of SAS messages by corroborating that entityis the one that is claimed and validating that the message isunmodified [17, 18]. Intuitively, these solutions appear to beeffective in countering against malicious message forgeries,because underlying cryptographic schemes are sensitive tofalsifications. However, in this paper, we find that theseschemes are not applicable when practically deployed inthe SAS due to application and setup constraints in sub-stations, including limited device computation capabilities,multicasted device messages, stringent timing requirements,and high-rate data sampling. For example, in a substationteleprotection scenario, the most critical “trip” message mustbe securely delivered in 3 milliseconds (ms) [9] betweencoordinated relays. Otherwise, the message will becomestale and discarded by the destination, which may inducefailures of protection operations and force entire systemsto endure a fault current that is much higher than therating value. Unfortunately, our results show that thoseproposed solutions cannot handle such a scenario withsatisfactory performance. Moreover, limitations of securityschemes can be hijacked by attackers and further resultin significant performance degradation, thereby becomingsecurity vulnerabilities.

To understand such potential vulnerabilities of currentsecurity schemes, we establish an SAS prototype withessential applications regarding relay protection and IEDdata sampling according to IEC61850 [9], the most dom-inant communication standard for substations. Then, wemeasure message delivery performance with three extensivelyrecommended data origin authentication schemes, includingRSA [14], message authentication code (MAC) [15], andone-time signature (OTS) [16, 19, 20]. Our results arethreefold. Firstly, due to complicated computations, RSAis restricted only to applications that are not time critical,that is, without rigorous timing requirements. Secondly,MAC-based schemes can be potential solutions, yet need

special configurations to reduce the waiting time of messagevalidations and to resist collusion attacks. Finally, despite thefact that OTS-based schemes show better performance in ourexperiments in terms of efficient signing and verifications,the shorter key validation time is a fatal vulnerability thatderives two new attacks, including delay compression attacksand key depletion attacks. Both may largely impede theapplicability of OTS-based schemes. Based on the aboveanalysis, we remark that the fundamental cause of theseunsatisfactory results lies in that current security solutionsare not designed to achieve both security and time-criticalperformance as required by the SAS. Therefore, there is anacute need for novel data origin authentication schemes thatcan address such issues jointly, that is, security requirements,as well as timing requirements, in the smart grid.

The remainder of this paper is organized as follows.In Section 2, we briefly introduce the electrical substation,including the one-line diagram and the communicationarchitecture. In Section 3, we present a brief descriptionof existing data origin authentication schemes, which isfollowed by system implementations of our testbed inSection 4. Measurements and analysis of security schemes arediscussed in Section 5. Finally, we conclude in Section 6.

2. Preliminary of Substation AutomationSystems in the Smart Grid

In this section, we firstly introduce the single-line diagram ofa substation for the smart grid, by taking a 220 kV-132 kVtransmission substation as an example. Then, we presentthe architecture of the corresponding substation automationsystem. Based on the system architecture, we summarize per-formance and security requirements in SAS applications andidentify two critical messages for subsequent experimentalstudies, including protection messages and data samplingmessages.

2.1. Single-Line Diagram of a Substation. First of all, weexamine the single-line diagram of a substation to investigatehow power devices are wired in substations towards effectivepower managements. Since diagrams of substations varysignificantly with respect to types, functions, and sizes, wetake a 220 kV-132 kV transmission substation [9] as a simpleexample to illustrate the topology of electronic devices in thesubstation, as shown in Figure 1. In this example, a 220 kVincoming feeder (a power line used to distribute electricpower) is connected to a 132 kV bus (a conductor thatserves as a common connection for electric circuits with verylow impedance [10]) via a 220 kV-132 kV transformer. Toprotect the incoming feeder, two circuit breakers are placedon both ends of the transformer, which can be “tripped”to cut off the incoming feeder if currents or voltagesexceed thresholds measured by the electronic current trans-former/electronic voltage transformer (ECT/EVT). Besidesthe incoming feeder, there are also two outgoing feedersemanating from the 132 kV bus with the same configurationsfor feeder protections.

International Journal of Distributed Sensor Networks 3

Cyber spacePhysical space

AC: 220 kV

AC: 132 kV Bus

Mergingunit-A

Transformercontroller

Tran

sfor

mer

bay

Feed

er I

bay

Feed

er I

I ba

y

Transformer Feeder

Circuit breaker ECT/EVT

Mergingunit-C

Mergingunit-D

Mergingunit-B

Figure 1: The single line diagram of a 220 kV-132 kV transmissionsubstation.

Usually, an electric power substation is composed ofbays, which are closely connected subparts in the substationwith some common functionality [9]. For example, on theincoming feeder of Figure 1, the transformer, two ECT/EVTsand two circuit breakers work cooperatively to transformvoltages and protect feeders, thereby forming a bay, namedas the transformer bay. Similarly, we name the other two baysas feeder I/II bay, mapping with two outgoing feeders.

Towards an efficient equipment status monitoring, suchsubstation equipments are expected to send out theirrunning states. To this end, many IEDs are connected tocorresponding power devices to digitize collected analog dataand deliver state messages between devices. For example, amerging unit gathers information from connected devices,such as phase voltages and currents from the ECT/EVT andON/OFF status from the circuit breaker [8]. In the same way,a transformer controller monitors and controls the 220 kV-132 kV transformer by taking measurements of runningstates. Then, substation devices, as well as attached IEDs,are ready to be interconnected for a substation automationsystem.

2.2. System Architecture of Substation Automation. Based onsystem functions, the SAS is logically divided into threelevels, including the process level, the bay level, and thestation level [9]. The process level is close to power equip-ment, which is designed for data acquisition and issuingcommands. The key IED in this level is the merging unit[9], which is exploited to sample instantaneous current orvoltage values and ON/OFF states via the attached ECT/EVTand circuit breakers, such as merging unit C in feeder I bay ofFigure 2. The sampled measures are further fed into the baylevel equipment, like relay C and feeder I bay controller, asreferences of system states.

The bay level involves multiple IEDs to execute controloperations in response to bay events and operators’ com-mands. For example, in the feeder I bay, there are two IEDs,including relay C and feeder I bay controller. Relay C is incharge of fault handling by “tripping” or “untripping” circuitbreakers, which is determined by negotiations with otherrelays, like relays A and D in Figure 2, to ensure synergeticprotection actions in the same substation [21]. The feederI bay controller is for automation tasks regarding localdevice monitoring and control to facilitate local operationdecisions, such as “reclosing” the circuit breaker for faultclearing before incoming commands.

Further, the station level consists of a station computerwith databases for data storages, a gateway device for remotecommunications, a GPS server for synchronization inside thesubstation, human machine interface (HMI), and operators’workplaces. All of these are used for stationwide functions,such as the station level interlocking (interlocking is installedto prevent incorrect equipment operations by specifying theoperational sequencing [22]) and control operations issuedby operators [9].

Besides hierarchical levels, two buses are also deployedbetween levels to interconnect IEDs, including the processbus to connect process level IEDs and bay level IEDs andthe station bus to connect bay level IEDs and station levelfacilities. To ensure reliable connections, both buses adopt adual-bus architecture to avoid a single connection of failure.Also, a synchronization bus is originated from the GPS toprovide time synchronization services within the substation.Thereby, all substation devices are interconnected via an SAS,such that information of device running states can be flexiblydelivered among devices for synergetic system operations,such as failure diagnosis, malfunction isolations, and faultclearances.

2.3. Security and Performance Requirements. Through thefully functional SAS, a large amount of power managementapplications are enabled by operating power devices in acoordinated fashion. For example, the relay interlocking isachieved by relay negotiations to determine a “tripping”sequence of circuit breakers with the minimum system costof fault isolations, whereas the load shedding (the loadshedding is an intentionally engineered electrical poweroutage, which is in response to a situation where the demandfor electricity exceeds the power supply capability [22])is executed after communications of bay controllers, alsotargeting the minimum system cost. In spite of the diversityof power management applications, they all have twocommon features implied, that is, (1) most SAS applicationsare delay sensitive and have stringent timing requirementsfor coordination messages deliveries; (2) most coordinationmessages are usually multicasted to multiple related devices.For example, the stationwide interlocking messages must bedelivered to relays in 10 ms, and the sampling data need toarrive at several bay-level IEDs in 3 ms from process-levelmerging units [9]. Thus, the message delivery delay is consid-ered as one of the most important performance requirementsin the substation automation, which is formally defined asfollows.


Station

level

Bay

level

Process

level

Workplace 1 HMI

Gateway

device

GPS

Dual station bus

Syn

chro

niz

atio

n b

us

Feeder II bay

controller

Ethernet

switch

Relay C Relay AFeeder I bay

controllerRelay D Dual process bus

Merging

unit D

Merging

unit A

Merging

unit C

Circuit

breaker3

Circuit

breaker1

Circuit

breaker4ECT3 EVT3 ECT1 ECT4EVT1 EVT4Transformer

Control

center

· · ·Workplace N

Figure 2: The system architecture of the substation automation system in the 220 kV-132 kV transmission substation.

Definition 1. The message delivery delay is the elapsingperiod from the time instant that a message is generated atthe application layer of a power device to the time instantthat the message is delivered to the application layer of itsdestination device.

Table 1 summarizes timing requirements of key messagesin SAS applications [2, 9, 23], including protection messages,monitoring and control messages, system-maintenance-related messages, and data-sampling messages. We can seethat timing requirements vary dramatically with respect tomessage types. The most critical ones are protection andcontinuous sampling messages with 3 ms delay thresholdsinside the substation. As shown in Figure 2, protectionmessages are normally transmitted between relays via thestation bus, whereas the continuous sampling messages areon the process bus emanating from the merging unit toseveral bay level IEDs.

In addition, since SAS messages are usually designedto operate equipments, dealing with system states, messagesecurity, especially the authenticity and integrity of SASmessages, is critical to prevent unauthorized equipmentoperations and detect forged system information. Whatis more interesting is that those delay-sensitive messagesare also security-sensitive ones. For example, a protectionmessage, which intends to isolate failures by changingON/OFF statuses of circuit breakers, needs to be meticu-lously protected against malicious falsifications or forgeriesin case of unexpected mal operations.

Therefore, the security challenge in SAS can be formu-lated as a joint mission, that is to deliver a message withintegrity protections within a predetermined time period tomultiple receivers. Considering a fact that security-relatedprocessing are normally time-consuming tasks, the more

Table 1: Timing requirements of message deliveries in substationautomation systems.

Message types Substation interior Substation exterior

Protection 3 ms 8 ∼ 12 ms

Monitoring and control 16 ms 1 s

Maintenance 1 s 10 s

Data sampling 3 ms 10 ms

time critical a message is, the more challenging a correspond-ing security scheme is. A subsequent question is whether wehave solutions to achieve the joint goals. To address this openquestion, we focus on two time-critical messages, that is,protection and data-sampling messages, to find out whethercurrent security schemes can be used to accomplish such achallenging task.

3. Security Scheme Candidates

As aforementioned, since time-critical SAS messages aremostly related to critical equipment operations, messageauthenticity and integrity are of great importance foraccurate and synergetic equipment controls. To preventattackers from manipulating SAS messages in transit betweensubstation devices, data origin authentication schemes [24]are extensively proposed to protect SAS messages for twopurposes [18]: (1) to corroborate that incoming messagesare originated from a legitimate sender as claimed; (2) toverify that the incoming message has not been tamperedwith. In this section, we briefly review several important dataorigin authentication mechanisms as solution candidatesfor protections of time-critical SAS messages, which are


either recommended solutions in standards and literatures,such as RSA [14] and one-time-signature-based schemes[16, 20], or promising approaches that have been verified inother networks, such as message-authentication-code-basedschemes [15, 25, 26].

3.1. RSA. RSA is the most commonly used public keycryptography scheme, which is based on the presumeddifficulty of factoring large integers [27]. In the smartgrid, RSA is the primary choice of data authenticity andintegrity protections via the generated RSA digital signature.Moreover, IEC62351, the most comprehensive standard onsecurity issues of power systems, explicitly specifies RSAas the solution to protect time-critical messages [14] insubstation automation systems.

According to specifications in IEC62351, a time-criticalSAS message is firstly hashed by SHA256, and then thehashed message digest is encrypted by the RSA private keyto generate a RSA signature, which is attached at the end oforiginal message. At the receiver, the signature is decryptedby the transmitter’s public key. Then, the receiver comparesthe decrypted hash value with the actual hash value of thereceived message. If the two agree, the message can be verifiedfrom the holder of the RSA private key and without anymodification.

3.2. Message Authentication Code. MAC is a widely adoptedsymmetric-key cryptography scheme, which relies on asmall fixed-size block of data to authenticate a message. Tocalculate an MAC, communication entities need to share asecret key since the MAC is a function of an arbitrary-lengthmessage and the shared key. We consider two typical MAC-based schemes to protect time-critical SAS messages.

(i) Incomplete-key-set scheme [25]: it is proposed toprevent malicious message forgeries in multicastscenarios. In this scheme, a complete key set isdivided into multiple orthogonal subsets, which arefurther allocated to multicast receivers. Only thesender holds a complete key set with l keys, whereaseach receiver only knows its own key subset. Duringthe transmission, l MACs are calculated through lkeys of the sender and appended with the originalmessage. Receivers can only verify MACs based ontheir own key subsets but cannot fabricate otherMACs from unknown key subsets.

(ii) Timed efficient stream loss-tolerant authentication(TESLA) [26]: it is characterized with an excellentcomputation efficiency and a low-communicationoverhead. The main idea of TESLA is that the senderuses different keys in different time slots to computeMACs attached with original messages and alwaysdiscloses expired keys in current time slot to makereceivers verify previously buffered messages. Accord-ingly, the sender is prone to corrupt falsificationssince only expired keys will be published.

3.3. One-Time Signature. One-time signature [28] features ahigher computation efficiency based on one-way functionswithout a trapdoor, which makes it suitable for fast messageauthentications. Since the idea was invented, a multitudeof OTS algorithms [19, 29, 30] were proposed to overcometwo intrinsic drawbacks, including the larger signature size,and the “one timedness” that means one key can onlysign one message. Among these algorithms, hash to obtainrandom subsets (HORSs) [19] is recognized as the fastest oneregarding signature generation and verification with shortersignatures. Also, HORS enables “multiple timedness” to signmultiple messages using one key if a security level decreasecan be tolerated.

The nice features of HORS are further adopted in a timevalid HORS (TV-HORS) scheme [16], which is specificallydesigned for integrity protections of time-critical messagesin the power system. In the TV-HORS, one HORS key isreused to generate multiple signatures in a predeterminedtime period. Since the key reuse leads to a rapid decrease ofthe security level, which entails that an attacker gains morepossibilities to forge a signature, it is necessary to ensure thatthe decreased security level is still strong enough to resistattacks. To this end, [16] illustrated a quantity relationshipbetween achieved security levels and the allowable reusenumber of one key. In the following sections, we focuson TV-HORS as an example of OTS-based scheme todemonstrate its performance in SAS message protections. Werefer to the detailed HORS algorithm as follows.

(i) Key Generation. Generate t random l-bit stringss1, s2, . . . , st to be used as the private key Kpri. Thecorresponding public key is computed as Kpub ={v1, . . . , vt}, where vi = f (si) and f is a one-wayfunction.

(ii) Signing. To sign a message m, compute h = hash(m),where Hash is a collision resistant hash function. Splith into k substrings h1,h2, . . . ,hk of length log2t bitseach. Interpret each hj as an integer i j . The signatureof m is (si1 , si2 , . . . , sik ).

(iii) Verification. To verify a signature (s′i1 , s′i2 , . . . , s′ik ) formessage m, compute h = hash(m). Split h intok substrings h1,h2, . . . ,hk of length log2t bits each.Interpret each hj as an integer i j . Check if f (s′j) = vijholds for each j.

Based on three types of data origin authenticationschemes discussed above, we proceed to conduct an empir-ical study to measure delivery performance of secure SASmessages in a real setting testbed. Through performanceanalysis, we aim to answer the open research question, thatis, whether existing data origin authentication schemes canbe readily used to protect SAS messages with stringent timingrequirements.

4. A Small-Scale SAS Prototype

To facilitate performance evaluations of time-critical SASmessages with different data origin authentication schemes,


we focus on two types of information, including telepro-tection and data-sampling messages, for evaluations overa simple SAS prototype as described in IEC61850 [9],which is the dominant standard on substation automa-tion systems. In this section, we firstly describe IEC61850specified substation automation systems with emphasis ontransmission protocols of time-critical messages. Then, wepresent implementations of our prototyped SAS testbed,including the hardware configuration and the applicationsetup.

4.1. IEC61850-Based Substation Automation System. IEC-61850 is the most popular standard for the design of electricalsubstation automation, aiming to provide interoperabilityamong diversified devices within substations. As shown inFigure 3, regular device operations are specified into a setof abstract services in IEC61850, such as abstract com-munication service interface (ACSI) for data queries andacquisitions, TimeSync for synchronization services, genericsubstation event (GSE, including generic object orientedsubstation events (GOOSE) and generic substation stateevent (GSSE)) for fast and reliable multicasting of substationevent messages (e.g., protection messages regarding faultreporting), and sampled measured value (SMV) for sampledvalue multicasting. Then, such diversified abstract servicesare further instantiated into concrete application protocolsand communication profiles through the specific commu-nication service mapping (SCSM) according to differenttransmission requirements. For example, ACSI is mappedto leverage the manufacturing message specification (MMS)to query device data through TCP packets, whereas thesynchronization messages are mapped onto UDP packets tosynchronize substation devices.

Particularly, since GOOSE/SMV in IEC61850 under-takes transmission of time-critical protection and data-sampling messages, IEC61850 proposes a series of specialdesigns to ensure efficient processing and transmissionsof GOOSE/SMV messages [9, 13, 31]: (i) mapping GOOSE/SMV messages from the application layer directly to the linklayer, to reduce processing time and avoid tedious protocolheaders; (ii) conferring the highest transmission priorityon GOOSE/SMV to avoid packet queuing and buffering;(iii) defining application layer retransmissions to replace thetransport layer towards reliable transmissions.

In line with these design requirements, we develop aGOOSE/SMV module in the Linux kernel to ferry messagesbetween applications and network adapters. Accordingly, weestablish a prototyped SAS testbed with two simple time-critical applications, including relay protections and datasampling, based on the developed GOOSE/SMV module.

4.2. Implementations of the SAS Prototype. Figure 4 showssystem implementations of our prototyped SAS testbedfollowing the one-line diagram of the feeder I bay in Figure 2.We emulate IEDs used in the feeder I bay, including relay C,merging unit C, and the feeder I bay controller, all of whichare running Ubuntu 10.03 with Linux 2.6.32. To simulatecomputation capacities of IEDs as embedded devices, the

GOOSESMV GSSE TimeSync ACSI

Specific communication service mapping

MMS

TCP

IP

UDPGSSET-profile

Ethernet link layer

Physical layer

Figure 3: GOOSE/SMV protocol architecture in IEC61850.

CPU frequencies are tuned into a low processing speed.Moreover, the three emulated IEDs are connected in one-hop local networks established by a TRENDnet TE100-S8P 10/100 Mbps Ethernet Switch and a 54 Mbps 802.11 gLinksys Wireless Router as the dual process buses.

Besides hardware settings, a customized applicationsoftware is also installed for each IED to send protection anddata-sampling messages based on the implemented GOOSE/SMV module, as shown in Figure 5. To achieve secur-ity protections on GOOSE/SMV messages, we develop asecurity scheme lib using the OPENSSL [32] to involveaforementioned data origin authentication schemes, includ-ing RSA, MAC, and HORS. When transmitting messages,merging unit C firstly samples current or voltage values ofthe feeder via the ECT and EVT to generate correspondingmessages. Then, the generated message is signed by securityschemes, such as RSA, MAC, or HORS. According toIEC61850, the signed message bypasses the TCP/IP stack andis directly delivered to the network adapter driver throughour GOOSE/SMV module. At the receiver, the GOOSE/SMVmodule submits received messages to the security lib forsignature verifications. All verified messages will be finallyaccepted by Relay C for future processing.

Based on the established SAS testbed, we then carry out aseries of experiments to measure delay performance of suchsecure SAS messages in two kinds of process buses, includingthe Ethernet and WiFi buses and analyze feasibilities ofproposed security schemes.

5. Performance Results and Analysis

In this section, we aim to illustrate performance impacts ofdata origin authentication schemes on time-critical SAS mes-sages and to address two questions specifically, (i) whetherexisting data origin authentication schemes are satisfactoryto protect time-critical SAS messages; (ii) what factors arebottlenecks that undermine the applicability of current securityschemes in the SAS. To proceed, we first introduce the per-formance metric and parameter settings of security schemesused in our experiments. Then, we present measurement


Relay CRelay C

unit CMergingBay

level

levelProcess

Circuitbreaker3

ECT3 EVT3

Dual process bus

Dual station bus

Feeder I bay controller

Feeder I bay

Synchronization bus

controller

unit CMerging

Figure 4: The hardware configurations of the prototyped SAS testbed.

Relay C

GO

OSE

-bas

edpr

otec

tion

SMV

-bas

edsa

mpl

ing

Mon

itor

ing

and

mai

nte

nan

ce

Securityschemes lib

RSA MAC HORS

GOOSE/SMVmodule T

CP

UD

P

IPNetwork

adapter driverEthernetadapter

GO

OSE

-bas

edpr

otec

tion

SMV

-bas

edsa

mpl

ing

Mon

itor

ing

and

mai

nte

nan

ce

Securityschemes lib

RSA MAC HORS

GOOSE/SMVmodule T

CP

UD

P

IPNetwork

adapter driverEthernetadapter

EthernetTo relay

Merging unit C

To mergingunits

Ker

nel

spa

ceU

ser

spac

e

Figure 5: The software architecture of the prototyped SAS testbed.

results of implemented data origin authentication schemesin two deployed process buses, including the Ethernet andWiFi buses. Finally, we present the detailed performanceanalysis regarding scheme feasibilities and inherent schemevulnerabilities.5.1. Performance Metric. In evaluations of SAS messagesalong with security schemes, it is evident that traditionalnetwork metrics, such as delay, throughput, and packetlosses, cannot be used, because they cannot reveal the factthat whether a security scheme is applicable to the SASregarding stringent timing requirements. At the same time,we omit the security analysis on purpose, in that the detailedanalysis of security functions can be easily found in [14–16, 19, 20]. More importantly, these solutions are selectedfor evaluations because of their satisfactory security featuresfor messages protections. To this end, we take a messagevalidation ratio as the performance metric, as defined inDefinition 2.

Definition 2. The message validation ratio (MVR) is the pro-portion of the successfully delivered GOOSE/SMV messagesto the total transmitted messages.

In other words, if 1000 GOOSE messages are transmitted,we take measures of delay of each message. Then, we comparethe measured delay results with preset delay thresholds basedon the message type in Table 1, for example, 3 ms for the bay-level interlocking and 10 ms for the stationwide interlocking.Only those whose delays are less than delay thresholds canbe counted as successful deliveries for calculations of thevalidation ratio.

5.2. Parameter Settings. Since the message validation ratiovaries dramatically with different parameters of securityschemes, such as the key length and adopted hash functions,we specify parameters of security schemes on the followingsettings. As for RSA, we adopt a typical 1024-bit RSA key.For MAC, we use SHA-1 with a fixed 160-bit MAC length.Regarding HORS, we generate a 160-byte HORS signature,which is composed of 16 10-byte strings chosen from 1024random strings. It entails three key parameters defined as perscheme descriptions in Section 3.3: l = 80 is the bit lengthof the element si in the private key; k = 16 is the numberof exposed private key elements si in a signature; t = 1024implies the total number of elements si in a private key.

5.3. Measurements of Security Schemes. We now investigateperformance impacts of data origin authentication schemeson time-critical GOOSE/SMV message transmissions in twoprocess buses, including the Ethernet bus and the WiFibus, which are both the most widely used communicationtechnologies in the smart grid paradigm [33–35].

5.3.1. Results in the Ethernet Process Bus

RSA-Signed Messages. Our first experiments are the imple-mentation of RSA-signed GOOSE/SMV messages over theEthernet bus. Figure 6 shows variations of message validationratios along with the GOOSE/SMV message length and theCPU frequency of the signer, when taking 3 ms as the delaythreshold. We can find that, compared with the messagelength, MVRs of RSA-signed messages are more susceptibleto the CPU frequency, which is justified by a significant MVRrise when increasing the signer’s CPU speed, from lower than40% on 400 MHz to more than 85% on 1.2 GHz. This resultreassure that the RSA performance is mainly dominated by


90

80

70

60

50

40

30

400800

12001600

CPU frequency (M

Hz)

Mes

sage

val

idat

ion

rat

io (

%)

Packet length (bytes)

600400

200

80010001200

1400

MVR (%)

30

37.5

45

52.5

60

67.5

75

82.5

90

Figure 6: Message validation ratios of RSA-signed messages in the3 ms delay threshold.

the signer’s CPU frequency. In other words, when RSA isapplied onto power electronic devices, the CPU capacity isa critical factor in IEDs.

As mentioned, most IEDs are microprocessor-baseddevices with constrained computation capacities. For exam-ple, SEL-3530 real-time automation controller [36], a popu-lar IED production as the device controller, is furnished witha 533 MHz processor. According to Figure 6, such a CPUspeed induces that more than 40% GOOSE/SMV messagescannot be signed and verified in 3 ms if using SEL-3530 asthe device controller to transmit RSA-signed messages. Evenwith a faster CPU, like 1.6 GHz, message validation ratios ofRSA-signed messages are still 15% lower than that of originalGOOSE/SMV messages without security schemes, as shownin Figure 7. Therefore, we can infer that RSA is not suitableon the current off-the-shelf products for applications whosetiming requirement is less than 3 ms.

Interestingly, if we relax delay constraints from 3 ms to10 ms in Figure 7, performance of RSA-signed messages willdramatically catch up with that of original messages withoutdigital signatures. In this case, RSA becomes an appropriateoption for applications whose delay threshold is larger than10 ms, such as operations across substations [9].

MAC-Attached and HORS-Signed Messages. In Figure 7,message validation ratios are almost the same in most situa-tions among original messages, MAC-attached messages, andHORS-signed messages. It tells that both security schemesare potential solutions for application messages, whosetiming requirements are less than 3 ms. The only exceptionoccurs when the CPU frequency is set to 600 MHz, wheremessage validation ratios of MAC-attached and HORS-signedmessages are around 5% lower than that of original ones.Nonetheless, they are still close to 90%. Therefore, bothMAC and HORS are arguably ideal cryptographic answersregarding delay performance in the Ethernet process bus.

110

100

90

80

70

60

50

40

30600 800 1000 1200 1400 1600

Original message in 3 msRSA message in 3 msMAC message in 3 ms

HORS message in 3 msRSA message in 10 ms

CPU frequency (MHz)

Mes

sage

val

idat

ion

rat

io (

%)

Figure 7: Performance comparisons among security schemes.

Based on the above measurements, we can summarizethat, RSA is not a suitable choice to secure time-criticalmessages with the 3 ms delay threshold, although it is arecommended solution in IEC62351 [14]. Nevertheless, ifthe delay threshold is extended to 10 ms [9], RSA is stillviable. Therefore, we can deploy RSA to protect messagestransmitted across substations, but cannot use it for telepro-tection and data-sampling messages inside the substation.In addition, both MAC-attached and HORS-signed messagesshow satisfactory delay performance in the Ethernet processbus, which makes them as alternative choices to replaceRSA-signed messages to protect time-critical data inside thesubstation.

Remark 3. Timing requirements of SAS messages are essen-tial to evaluate the feasibility of data origin authenticationschemes. With existing intelligent electronic devices in thepower systems, RSA is not considered a good option fordelay-sensitive teleprotection and data-sampling messagesinside a substation. However, it remains to be a good can-didate for messages to be delivered to the outside ofsubstations, as well as nonteleprotection-related messages.For the Ethernet-bus-based SAS architecture, both MAC-attached and HORS-signed messages are suggested as goodoptions for message authentications.

5.3.2. Results in the WiFi Process Bus. Different from Eth-ernet, transmissions in the WiFi bus are subject to morechallenges due to the broadcast nature of wireless medium,which are more vulnerable to interferences and limitedtransmission rates. Especially for multicasted SAS messages,the transmission rate provided by the WiFi bus is muchless than that in the 10/100 Mbps Ethernet. There are onlythree options in our settings, including 1 Mbps, 2 Mbps,and 6 Mbps. In the following experiments, we intend to


measure delay performance of MAC-attached and HORS-signed messages in the rate-limited WiFi process bus. Notethat, since RSA does not show satisfactory performances inthe Ethernet, we will only focus on the other two schemes inthe WiFi test. To ensure results that are applicable to currentoff-the-shelf IEDs, we tune the CPU frequency to 600 MHzto emulate IEDs’ computation capabilities.

Figure 8 shows delay performance of MAC-attachedmessages in different transmission rates of the WiFi bus.We observe an obvious decline of the message validationratio when reducing the transmission rate from 6 Mbpsto 1 Mbps. In 6 Mbps, the message validation ratio dropsslightly along with the increase of the message length.However, in 1 Mbps and 2 Mbps, drops of message validationratios become significant when increasing the packet length.The same situation also happens on HORS-signed messages,as shown in Figure 9. Comparing two figures, we can findthat although declining trends are similar, dropping slopsvary a lot. We further assume that given poor networkingconditions, that is, limited multicasting rates in the WiFibus, at most 20% transmission failures are acceptable if usingthe 3 ms delay threshold. In other words, the acceptableprobability of the message validation ratio is at least 80%in the WiFi bus. From this assumption, we are motivated todefine another metric, named as message validation size toevaluate performance differences implied in Figures 8 and 9,which is formally defined as follows.

Definition 4. Given a message validation ratio threshold,message validation size (MVS) denotes the maximum allow-able packet length to meet the message validation ratiothreshold on the probability.

The message validation size tells the capabilities ofsecurity schemes to protect message contents. If a schemeis efficient, it can carry more payloads, that is, more bytescan be contained in the original message without violatingthe statistical requirements of the message validation ratioduring transmissions. Adversely, if a scheme is inefficient, itstruggles to meet the probability requirement by reducingthe packet length to save the processing time. We list messagevalidation sizes of MAC-attached and HORS-signed messagesin Table 2. According to the table, MAC-attached messagesare able to transmit 75 bytes in the original payloadin the 1 Mbps transmission rate, whereas HORS-signedmessages can deliver 30 bytes contents when using thesame rate. Moreover, based on the GOOSE/SMV messageformat specified in IEC62351 [14], 15 bytes are claimed bythe GOOSE/SMV protocol for the protocol header, cyclicredundancy check (CRC), and other reserved fields. Asa result, valid payloads are 60 bytes for MAC-attachedmessages, and 15 bytes for HORS-signed messages. Hence,we can infer that facing with limited bytes, message contents,that is, device data, should be organized efficiently to carrymore valuable information, especially when using HORS-based scheme in the WiFi network, which only ensures a 15-byte payload for message contents.

The reason of such a phenomenon lies in the longerHORS signature. As illustrated in parameter settings, the size

100

80

60

40

20

0 200 400 600 800 1000 1200 1400

GOOSE/SMV packet length (bytes)

1 Mbps2 Mbps6 Mbps

Mes

sage

val

idat

ion

rat

io (

%)

Figure 8: Message validation sizes of MAC-attached GOOSE/SMVmessages in the WiFi process bus with 1 Mbps, 2 Mbps, and 6 Mbpsmulticasting rates.

100

80

60

40

20

0 200 400 600 800 1000 1200

GOOSE/SMV packet length (bytes)

1 Mbps2 Mbps6 Mbps

Mes

sage

val

idat

ion

rat

io (

%)

Figure 9: Message validation sizes of hORS-signed GOOSE/SMVmessages in the WiFi process bus with 1 Mbps, 2 Mbps, and 6 Mbpsmulticasting rates.

Table 2: Message validation sizes of MAC- and HORS-signedmessages in 80% MVR.

Message 1 Mbps multicasting 2 Mbps multicasting

MAC attached 75 bytes 300 bytes

HORS signed 30 bytes 200 bytes

of an attached SHA-1 MAC is 160 bits, but the length ofthe HORS signature is up to 160 bytes. The longer HORSsignature inevitably occupies more processing time, whichshould have been used for payloads.


Remark 5. When MAC-attached and HORS-signed messagesare used in transmitting SAS messages over the WiFi bus,the transmission rate has a significant impact on the perfor-mance, that is, the message validation ratio. Our experimentsreveal that at least 6 Mbps is required to achieve satisfactoryperformance for the multicasting SAS messages. However,in spite of significant declines of the message validationratio, MAC and HORS still maintain a few bytes for validpayloads to deliver important, yet short messages with ahigher message validation ratio. Therefore, both MAC- andHORS-based schemes can be recommended for time-criticalSAS messages over the WiFi process bus.

5.4. Analysis of Data Origin Authentication Schemes. SinceMAC-attached and HORS-signed messages exhibit satisfac-tory performance to secure time-critical GOOSE/SMV mes-sages in the 3 ms delay requirement, we are encouraged tofurther consider data origin authentication schemes derivedfrom MAC and HORS, such as TESLA [15], the incomplete-key-set scheme [25], and TV-HORS [16], for protectingthe integrity and authenticity of time-critical SAS messages.Accordingly, an interesting question is whether such excellentdelay performances are enough to ensure MAC- and HORS-based schemes to be adopted as final solutions for messageprotections in the SAS. To address this question, we elaboratedetails of security scheme feasibilities.

Constrains of TESLA. As one of the most efficient multi-cast authentication schemes, TESLA reduces authenticationinformation to only one MAC and is widely used in sensornetworks [15]. However, due to the concept of delayedauthentications, which makes the use of buffer at the receiverside, that is, receiving packets first and waiting for the arrivalof validation keys, additional waiting time may be induced inTESLA. Hence, the suitability of TESLA is totally determinedby the interval between the arrival time of the current packetand the arrival time of the next packet, which is assumed tocarry the released key for verifications of previous packets.As a result, there exist two contradictory suggestions. (i)TESLA is not applicable for GOOSE messages in deliveriesof fault alarms. As transmissions of fault alarms are notcontinuous, the sender may not issue the next messagefor a long while. Thus, the receiver cannot verify previousalarms until the next fault triggers the next fault alarm. (ii)TESLA is applicable for continuous SMV messages only ifthe sampling rate is high enough to guarantee that the nextmessage is able to arrive before the delay deadline. Therefore,careful performance investigations and meticulous systemconfigurations are necessary before deploying TESLA fortime-critical SAS message protections.

Constraints of the Incomplete-Key-Set Scheme. The incom-plete-key-set scheme aims to leverage multiple MACs formulticasted data authentications. In experiments of MAC-attached messages, we observe that the GOOSE/SMV mes-sage attached with only one MAC shows excellent perfor-mance even in the worst network conditions. Nevertheless,the incomplete-key-set scheme requires multiple MACs

attached within one message, which deduces two potentialconcerns. The first one is regarding multiple MACs, whichleads to a larger packet size, as well as a longer transmissiontime. A promising solution is to truncate MACs in a shorterlength, as referred to in [37]. The second one is the intrinsicscheme vulnerability for the collusion attack, in which badmembers of a multicast group work together to retrieve acomplete key set by manipulating their own key subsets,thereby fabricating valuable messages. Such a vulnerabilityis easy to be handled if keys are shared only in a smallgroup, which is possible in some substations. For example,in a standard 69 kV distribution station, the total numberof equipment controllers is 39, which is partitioned into 11different bays. In that case, at most 5 devices are involved ina bay [38] to form a key shared group. The small size of thekey shared group makes partitions of key sets more secureagainst the collusion attack. Therefore, the incomplete-key-set scheme is a promising solution for some substations, inwhich the number of IEDs is small.

Remark 6. Due to the high computation efficiency, MAC-based schemes are promising security solutions for time-critical SAS messages, even on off-the-shelf products withlimited computation capabilities. The main challenge ofMAC-based scheme lies in how to remain the message securityin a multicast scenario, that is to ensure that receivers canverify the authenticity and integrity of multicast messages,but cannot generate valid MACs on behalf of the sender.Therefore, a reasonable way is to introduce asymmetrybetween the sender and multiple receivers to prevent fabri-cated MACs [24]. Since MAC is a symmetric-key cryptog-raphy, that is, the sender and the receiver share the samekey material, MAC-based schemes have to seek other ways toachieve the envisioned asymmetry for the multicast scenario.For example, TESLA makes use of time as the source ofasymmetry to create unfair knowledge of key materials in thetime domain, while the incomplete-key-set scheme resortsto incomplete knowledge of key materials between commu-nication entities to generate the asymmetry. Towards idealMAC-based schemes in the SAS, the novel asymmetry shouldbe taken with comprehensive considerations on impacts ofspecified application environments inside the substation,including features of traffic flows (discrete GOOSE messagesand continuous SMV flows), available bandwidths, and thesize of the multicast group.

Constraints of TV-HORS. The most salient feature of TV-HORS is “multiple timedness,” which makes one private keyto sign multiple messages. However, the more signatures oneprivate key signs, the more exposed elements in the privatekey, which leads to a security level decrease and providesattackers more opportunities to counterfeit a message fromreleased private key elements. To analyze the relationshipbetween the security level and the maximum reuse time ofthe key, we resort to the following formulation defined in[16], that is, L = k log2(t/vk). The notations are as follows:

(i) L denotes the security level that implies that anattacker has to compute 2L hashes on average toobtain a valid signature for a new message;


100

80

60

40

20

0200 400 600 800 1000 1200

Message length (bytes)

Mes

sage

val

idat

ion

rat

io (

%)

10

30

50

70

90

110

Ethernet in 3 msEthernet in 1.9 ms

WiFi in 3 msWiFi in 1.9 ms

Figure 10: Message validation ratios of HORS-signed messageswith different delay thresholds.

(ii) k indicates the number of exposed private keyelements in one signature;

(iii) t is the total number of elements in a private key;

(iv) v tells allowable key reuse times, namely, the maxi-mum number of messages signed by one key.

For the sake of an intuitive understanding, we take aconcrete parameter set as the example L = 44, k = 11,t = 1584, and v = 9, which is computed from the previousequation. In this setting, one private key can be reused atmost 9 times to ensure that the resulting security level is notless than 44, which is a medium security level [16]. In termsof GOOSE messages, which is usually used to report alarms, 9times are high enough since fault occurrences are discrete ina low frequency. Accordingly, the key reuses can be allocatedseparately into multiple fault alarms.

However, the story is totally different in SMV messages,which features continuous transmissions in a high samplingrate. For example, for protection operations, the samplingrate of three phase currents and voltages can achieve 4800samples per second, each of which should be contained inone message [9, 39]. It means that the merging units areexpected to multicast 4800 messages every second to the relayand the bay controller in Figure 4 to report real-time currentand voltage measures. At this rate, 9 times key reuse can lastat most 1.9 ms, that is, a key update occurs every 1.9 ms. Thecorresponding key update frequency is 526 times per second.From this point, we reveal two potential threats that may behijacked by attackers to compromise the integrity protectionprovided by HORS.

Delay Compression Attacks. The limited times of the keyreuse induce that one key may expire very soon, around1.9 ms in our parameter setting. Once the key is expired, thesigned messages will not be valid any more. In other words,

Table 3: Key generation time of TV-HORS on different devices.

Device CPU Algorithm Time(s)

Laptop 1.33 GHzSHA-1 1.598

SHA-256 2.787

TS-7800 500 MHzSHA-1 17.496

SHA-256 29.029

TS-7250 200 MHzSHA-1 20.4

SHA-256 32.14

signed messages must be verified in 1.9 ms. It actually pro-poses another timing requirement for message validations,which is different from the 3 ms delay threshold required bymessage deliveries. Thus, the timing requirement is furthersqueezed to 1.9 ms from 3 ms. Figure 10 shows performanceof HORS-signed messages in different delay thresholds. Thetighter delay threshold results in at least 5% MVR decreasesin the Ethernet bus, and even more in the WiFi bus whenthe message length is increasing. Therefore, the “multipletimedness” TV-HORS brings in tighter timing requirementsto deteriorate message validation ratios, when the schemeis utilized to protect the high-rate sampling messages. As aresult, we name the decreasing effect of message validationratios as a delay compression attack launched by compressingthe delay threshold.

Key Depletion Attacks. According to the parameter setting,the signing key needs to be updated 526 times in one second,which implies a huge key consumption. Since SMV messagesare usually used in the long-term device monitoring, eventhroughout the entire life of devices, the HORS-basedscheme should be self-contained on devices, which entailsthat TV-HORS needs to replenish keys by itself. Table 3illustrates capabilities of key generations on different devices.It shows required computation time to generate 526 keysfor one second key consumptions over different embeddeddevices, whose computation capabilities are comparable withthe off-the-shelf IED products. It is obvious that the keygeneration speed is slower than the consumption speed. Withthe mismatched speed, attackers can easily achieve a keydepletion attack to exhaust stored keys and compromise theentire integrity protection system by a large amount of bogusmessages.

Therefore, OTS-based schemes, like HORS, are far frompractical deployments, since the allowable reuse times of akey are still relatively low, although it has been extendeda lot in the past decades of years. With such limited keyreuse times, the scheme tends to show more disadvantagesto derive delay compression attacks, as well as key depletionattacks, in which OTS-based schemes seem to be messageattackers, rather than message protectors.

Remark 7. Different from MAC-based schemes, OTS-basedschemes rely on the asymmetry derived from asymmetrickey materials. To maintain the security of the scheme, thesender and receivers have to maintain the only asymmetryon the key materials. That is why multicast communication


entities keep updating their keys during SMV transmissions.Therefore, we can infer that the fundamental reason of twoillustrated new attacks, including delay compression attacksand key depletion attacks, lies in the strong dependenceof TV-HORS on the key asymmetry. To avoid such astrong dependence on asymmetric key materials, a possibleway is to introduce new asymmetries to create hybridasymmetries. Accordingly, it may deduce novel OTS-basedschemes, dealing with high-rate transmitted messages in thesubstation.

6. Conclusion and Future Works

In this paper, we studied security solutions for time-criticalmessages in the smart grid by taking an experimentalapproach on a small-scale substation automation systemprototype, with the focus on extensively proposed data originauthentication schemes. The main challenge for securityschemes in the substation is to accomplish a joint missionto ensure security requirements on message authenticityand integrity, along with strict timing requirements onmessage deliveries. In particular, we have several interestingobservations regarding performance of security schemes intime-critical transmissions. For instance, we find that RSA,which is recommended for the smart grid, is a good solutionfor nonteleprotection messages, while it is not appropriatefor delay-sensitive messages inside the substation. Ourresults reveal that, diversified application environments ofthe substation automation system, such as device compu-tation capabilities, message traffic features, fluctuant net-work bandwidths, and stringent timing requirements, haveimmediate and significant impacts on performance of dataorigin authentication schemes and may result in completelydifferent suggestions in terms of scheme feasibilities. Moreimportantly, design limits of security schemes, includingclumsy computations, additional waiting delays, and shortkey valid time, may turn the strength of these algorithmsinto vulnerabilities when they are applied into substationautomation systems. Therefore, there is an acute need forsecurity solutions towards an efficient, yet secure substationautomation system in the smart grid.

Acknowledgments

This work was supported by ERC Program of the NationalScience Foundation under Award no. EEC-0812121. A partof this work was published in the 2011 IEEE MilitaryCommunications Conference (Milcom’11).

References

[1] Office of the National Coordinator for Smart Grid Interoper-ability, “NIST framework and roadmap for smart grid inter-operability standards, release 1.0,” NIST Special Publication1108, 2010.

[2] W. Wang, Y. Xu, and M. Khanna, “A survey on the commu-nication architectures in smart grid,” Computer Networks, vol.55, no. 15, pp. 3604–3629, 2011.

[3] Y. Zhang, M. Prica, M. D. Ilic, and O. K. Tonguz, “Towardsmarter current relays for power grids,” in Proceedings of theIEEE Power Engineering Society General Meeting (PES ’06),June 2006.

[4] M. H. Albadi and E. F. El-Saadany, “Demand response inelectricity markets: an overview,” in Proceedings of the IEEEPower Engineering Society General Meeting (PES ’07), June2007.

[5] Power Systems Engineering Research Center, The 21st CenturySubstation Design, PSERC Publication, 2010.

[6] R. Ellenbogen, “At load power factor correction,” in New YorkState Energy Research and Development Authority, 2009.

[7] Department of Agriculture, “Design guide for rural substa-tions,” 2001.

[8] T. S. Sidhu, M. G. Kaanabar, and P. Parikh, “Implementationissues with iec61850 based substation automation systems,”in Proceedings of the 15th National Power Systems Conference(NPSC ’08), 2008.

[9] IEC, IEC 61850 Communication Networks and Systems inSubstations, 2003.

[10] EWICS, “Electric power systems cyber security: power substa-tion case study,” in Proceedings of the European Workshop onIndustrial Computer Systems, 2006.

[11] P. Hines, B. O’Hara, E. Cotilla-Sanchez, and C. Danforth,“Cascading failures: extreme properties of large blackouts inthe electric grid,” SIAM Mathematics Awareness Month. Inpress.

[12] E. M. Brunner and M. Suter, International Critical InformationInfrastructure Protection Policies Handbook 2008/2009, ETH,Zurich, Switzerland , 2008.

[13] Z. Lu, X. Lu, W. Wang, and C. Wang, “Review and evaluationof security threats on the communication networks in thesmart grid,” in Proceedings of the IEEE Military Communica-tions Conference (MILCOM ’10), pp. 1830–1835, November2010.

[14] IEC62351, “Power systems management and associated infor-mation exchange—data and communications security,” Inter-national Electrotechnical Commission, Geneva, Switzerland,2007.

[15] A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficientand secure source authentication for multicast,” in Proceedingsof the Network and Distributed System Security Symposium(NDSS ’01), pp. 35–46, 2001.

[16] Q. Wang, H. Khurana, Y. Huang, and K. Nahrstedt, “Timevalid one-time signature for time-critical multicast dataauthentication,” in Proceedings of the 28th Conference onComputer Communications (INFOCOM ’09), pp. 1233–1241,April 2009.

[17] Europe Task Force Smart Grids, Expert Group 2: RegulatoryRecommendations for Data Safety, Data Handling and DataProtection, 2011.

[18] H. Khurana, R. Bobba, T. Yardley, P. Agarwal, and E.Heine, “Design principles for power grid cyber-infrastructureauthentication protocols,” in Proceedings of the 43rd AnnualHawaii International Conference on System Sciences (HICSS’10), January 2010.

[19] L. Reyzin and N. Reyzin, “Better than BiBa: short one-timesignatures with fast signing and verifying,” in Proceedings ofthe 17th Australasian Conference on Information Security andPrivacy (ACISP ’02), 2002.

[20] Q. Li and G. Cao, “Multicast authentication in the smart gridwith one-time signature,” IEEE Transactions on Smart Grid,vol. 2, no. 4, pp. 686–696, 2011.


[21] V. H. Todd, Protective Relays: Their Theory, Design, andPractical Operation, 1922.

[22] K. Harker, Power System Commissioning and MaintenancePractice, Power Series 24, IEE, 1998.

[23] IEEE, “IEEE standard communication delivery time perfor-mance requirements for electric power substation automa-tion,” IEEE Std 1646-2004, 2005.

[24] Y. Challal, H. Bettahar, and A. Bouabdallah, “A taxonomy ofmulticast data origin authentication: issues and solutions,”IEEE Communications Surveys and Tutorials, vol. 6, no. 3, pp.34–57, 2004.

[25] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor,and B. Pinkas, “Multicast security: a taxonomy and someefficient constructions,” in Proceedings of the 18th Annual JointConference of the IEEE Computer and Communications Societie(INFOCOM ’99), pp. 708–716, March 1999.

[26] A. Perrig, R. Canetti, J. D. Tygar, and D. Song, “Efficientauthentication and signing of multicast streams over lossychannels,” in Proceedings of the IEEE Symposium on Securityand Privacy, pp. 56–73, May 2000.

[27] R. L. Rivest, A. Shamir, and L. Adleman, “method forobtaining digital signatures and public-key cryptosystems,”Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978.

[28] R. C. Merkle, “A certified digital signature,” in Proceedings ofthe Advances in Cryptology (CRYPTO ’89), 1989.

[29] A. Perrig, “The BiBa one-time signature and broadcastauthentication protocol,” in Proceedings of the 8th ACMConference on Computer and Communications Security (CCS’01), pp. 28–37, November 2001.

[30] D. Naor, A. Shenhav, and A. Wool, “One-time signaturesrevisited: have they become practical,” Tech. Rep., 2005.

[31] Z. Lu, W. Wang, and C. Wang, “From jammer to gambler:modeling and detection of jamming attacks against time-critical traffic,” in Proceedings of the 30th IEEE InternationalConference on Computer Communications, Joint Conference ofthe IEEE Computer and Communications Societies (INFOCOM’11), pp. 1871–1879, Shanghai, China, April 2011.

[32] OPENSSL, http://www.openssl.org/.[33] V. C. Gungor and F. C. Lambert, “A survey on communication

networks for electric system automation,” Computer Networks,vol. 50, no. 7, pp. 877–897, 2006.

[34] B. Akyol, H. Kirkham, S. Clements, and M. Hardley, A Surveyof Wireless Communications for the Electric Power System, 2010.

[35] NIST Smart Grid, “Smart grid panel agrees on standardsand guidelines for wireless communication, meter upgrades,”News Release, 2011.

[36] Schweitzer Engineering Laboratories, “SEL-3530-4,”http://www.selinc.com/sel-3530/.

[37] C. Szilagyi and P. Koopman, “Flexible multicast authenticationfor time-triggered embedded control network applications,”in Proceedings of the IEEE/IFIP International Conference onDependable Systems and Networks (DSN ’09), pp. 165–174, July2009.

[38] T. S. Sidhu and Y. Yin, “IED modelling for IEC61850 basedsubstation automation system performance simulation,” inProceedings of the IEEE Power Engineering Society GeneralMeeting (PES ’06), June 2006.

[39] A. Apostolov, “Testing of complex IEC 61850 based substationautomation systems,” International Journal of Reliability andSafety, vol. 2, no. 1-2, pp. 51–63, 2008.

AuthenticationandIntegrityintheSmartGrid ... substation for the smart grid, by taking a 220kV-132kV...

Documents

Transcript of AuthenticationandIntegrityintheSmartGrid ... substation for the smart grid, by taking a 220kV-132kV...