2, JUNE 2014
I. INTRODUCTION
The electrical power industry is experiencing major challenges in the twenty-first century. Two significant developments are based on smart grid technology (an automated
system with improved communication) and electric vehicles
(EVs). These are expected to change the way energy is consumed by residential customers. Advanced metering infrastructure (AMI) is introduced at residential levels to incorporate
these changes. With the introduction of AMI technology, a two-way communication between a smart meter and the control
center as well as the meter and residential power equipment
would be facilitated for demand response, dynamic pricing, and
system monitoring [1]. In addition, AMIs could be used for
greenhouse gas-emission mitigation [2]. According to Edison
Electric Institution compilation, by 2015, it is expected that
60 million AMIs (smart meters) would be installed in the U.S.
[3]. Such new technologies bring further challenges to the area
of power systems.
Manuscript received April 4, 2012; revised September 19, 2012; accepted
January 23, 2013. Date of publication August 7, 2013; date of current version
May 22, 2014. This work was supported in part by the Power Systems Engineering Research Center (PSERC) Project T-39, "Communication Requirements
and Integration Options for Smart Grid Deployment," by the U.S. Department
of Energy Project DE-FG36-08GO88149, "Sustainable Energy Solutions," and
by the contributions from the industrial and academic members of the PSERC
S-54 Project, "Towards a Privacy-Aware Information-Sharing Framework for
Advanced Metering Infrastructures." A preliminary version of this paper was
presented in the conference proceedings at the IEEE Power and Energy Society
General Meeting at Detroit, MI, USA, in July 2011.
The authors are with the Department of Electrical Engineering and
Computer Science, Wichita State University, Wichita, KS 67260-0083 USA
(e-mail: vinod.namboodiri@wichita.edu; visvakumar.aravinthan@wichita.edu;
surymoha@cisco.com; bxkarimi@wichita.edu; ward.jewell@wichita.edu).
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/JSYST.2013.2260700
This work focuses on aspects of communication between
the AMI and terminal residential equipment. Any home area
network (HAN) used for a smart-meter application should have
enhanced security features to ensure that necessary and accurate
information is communicated to the smart meter by every piece
of equipment. Possible malicious behavior in complying with
this process could include any information not reported to
the smart meter by an intentional action of the consumer or
any action by a third party (like a neighbor) to modify the
information of a consumer that would give them higher priority
or other benefits.
Fig. 1 shows how different residential equipment or devices
could be classified into groups and controlled by a smart meter
provided by the utility.¹ Equipment in each group could be
subjected to different restrictions on utilizing the grid. Communication between the smart meter and each equipment would
be used to realize one-on-one control to regulate the operation
of each equipment. From a power system point of view, all
loads should be served in a controlled manner, and none of
them can be refused service. Therefore, it is essential to build
a communication architecture that would ensure that the basic
principles of security are met toward a resilient monitoring
and control network. A recent paper in the IEEE SPECTRUM
highlights the importance placed on the issue of security and
role of communications for smart meters [3].
Although there has been some discussion about the mode
of communication to be used between the control center and
a smart meter at the distribution level, there is more consensus about the use of wireless communication as the mode of
communication between a smart meter and electrical devices in
the home [4], [5]. For example, ZigBee is a technology that
is being talked about in the power system community as a
good candidate solution [5]. A wireless-communication-based
¹ Additional details on how equipment could be classified into groups and
what restrictions they could be subjected to are described in Section II.
1932-8184 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
NAMBOODIRI et al.: TOWARD SECURE WIRELESS-BASED HOME AREA NETWORK FOR METERING IN SMART GRIDS
B. Jamming
Jamming is one of the most difficult denial-of-service attacks
to defend against. The best defense against intentional jamming
is the usage of multiple alternate frequency channels if the current channel has significant interference that results in packet
losses above a certain threshold. The smart meter and any nodes
deployed could be hard coded to move through a predefined and
common random sequence of channels if communication on the
default channel is unsuccessful for a specified period.
The nature of the HAN scenario is different from other typical wireless sensor network research problems in that battery
energy is not a constraint due to access to power outlets for
recharging. Hence, each packet could possibly be retransmitted
multiple times, on multiple channels until it succeeds. The
smart meter, being a high functionality node compared to
typical customer nodes, could be equipped with more spread
spectrum capabilities that could reject interference to a greater
degree and possibly help monitor the network and call for
manual intervention. Directional reception taking into account
equipment locations in the residence and appropriate smart-meter placement can further mitigate the impact of jamming.
In this paper, we propose the approach shown in Fig. 5 to
move the whole network through a sequence of predefined
channels, which could mitigate the impact of a jammer. Each
smart meter on deployment has a predefined sequence of channels through which it moves as a function of time. When a
new node authenticates to the network on the control channel,
the smart meter sends the channel sequence encrypted to the
node using the customer's public key. Each node can then decrypt using the customer's private key and adopt the sequence,
beginning with the current data channel being used. Methods
for generating and exchanging pseudorandom sequences using
public key encryption are well known [36], with the U.S.
National Institute for Standards and Technology offering several standards from which to pick [37]. If such pseudorandom
Fig. 7. Load profiling algorithm to counter the possibility of device impersonation. Actions to be taken by equipment, power outlet, or the smart meter are clearly
demarcated.
E. Nonrepudiation
In the proposed approach, nonrepudiation can be achieved
by ensuring that customers and the smart meter use unique
keys for encryption, possibly after initial authentication using
preassigned public-private key pairs. Furthermore, the smart
meter would be required to keep a log of all communications
for a specified number of days. If either party files a complaint,
the logs can be used to trace back events. Regulations will need
to be enforced to ensure that the utility does not tamper with
these logs and that they are available for third-party investigations.
V. DESIGN OF A COMMON SECURITY FRAMEWORK
AGAINST ATTACKS
In this section, we describe a common framework
SecureAMI that integrates all the solutions to possible attacks
on the HAN scenario. Subsequently, we discuss how this framework preserves customer privacy and deals with interference
from other wireless equipment in the vicinity.
A. Integrated Security Framework for HANs
An integrated framework for providing a secure HAN for
smart metering will need to address the security challenges
mentioned previously with a clear demarcation of responsibility
between the three entities involved: the smart meter that obtains
aggregate power consumption behavior from the network and
controls the load, the device that is requesting operation, and
the power outlet which represents the device's request to the
smart meter and executes control decisions.
Our integrated framework SecureAMI for HANs provides a
logical ordering of operation of the HAN with the integration
of various techniques to counter possible attacks. An overview
of this framework is shown in Fig. 9. Each device's request
for operation is sent electronically to the power outlet, if
capable, or manually entered by the customer. Upon receiving
such a request, the power outlet completes an authentication
exchange with the smart meter and sends a packet including the
details of the device that it is representing and the requested
operation. The device is not allowed to operate if authentication fails or if the smart meter finds the request to have
an invalid sequence number or detects a replay attack by any
other means. Jamming could be done when the power outlet
and smart meter are exchanging packets. In our SecureAMI
framework, the power outlet and smart meter move through
a predecided sequence of channels that make it very difficult
for an adversary to intentionally jam communications. Prior
work done for a pair of nodes that move through a sequence
of channels shows that reasonable throughput can be expected
from the network if the time spent on each channel is very
small [34]. The jammer has to keep guessing what channel
might be used for communication, presenting opportunities for
the communicating nodes. Our proposed approach outlined in
Section IV is similar but works between one coordinator and
many other nodes in the network. The fact that communication
throughput expectation in our smart-meter HAN scenario is low
reduces the impact of jamming significantly. Other techniques
like directional reception at the smart meter, as mentioned in
Section IV, could be employed as well.
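The shared channel sequence described here and in Section IV-B can be sketched as follows; this is an added example, not code from the paper. It assumes that the meter hands each authenticated node a secret seed (delivery of the seed under encryption is out of scope), that HMAC-SHA256 is used to derive the channel for each time slot, that the radios use IEEE 802.15.4 channels 11 to 26, and that the function names and dwell time are illustrative.

```python
import hashlib
import hmac

# IEEE 802.15.4 channels in the 2.4 GHz band (the band ZigBee radios use).
CHANNELS = tuple(range(11, 27))
DWELL_S = 0.25  # assumed time spent on each channel, in seconds


def slot_at(now: float, epoch: float, dwell: float = DWELL_S) -> int:
    """Index of the hopping slot that contains time `now`."""
    return int((now - epoch) // dwell)


def channel_for_slot(seed: bytes, slot: int) -> int:
    """Channel used in `slot`, derived from the shared seed with HMAC-SHA256.

    Taking one byte modulo 16 is unbiased because 256 is a multiple of 16.
    """
    mac = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return CHANNELS[mac[0] % len(CHANNELS)]


def agreement(seed_a: bytes, seed_b: bytes, slots: int) -> float:
    """Fraction of slots in which two parties land on the same channel."""
    same = sum(channel_for_slot(seed_a, s) == channel_for_slot(seed_b, s)
               for s in range(slots))
    return same / slots


def jam_hit_rate(seed: bytes, jammer, slots: int) -> float:
    """Fraction of slots in which jammer(slot) hits the network's channel."""
    hits = sum(jammer(s) == channel_for_slot(seed, s) for s in range(slots))
    return hits / slots


if __name__ == "__main__":
    seed = bytes(range(32))            # constructed seed, for the demo only
    epoch = 1_700_000_000.0            # constructed network start time
    slot = slot_at(epoch + 12.6, epoch)
    print("slot", slot, "-> channel", channel_for_slot(seed, slot))
    print("meter/node agreement:", agreement(seed, seed, 4000))
    print("fixed-channel jammer:", jam_hit_rate(seed, lambda s: 15, 4000))
    print("sweeping jammer:     ", jam_hit_rate(seed, lambda s: 11 + s % 16, 4000))
```

A meter and a node holding the same seed agree in every slot, while a party without the seed, whether it stays on one channel or sweeps, coincides with the network in roughly one slot in sixteen.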
Once the smart meter confirms that the requested operation
is from one of the customer's equipment, it can allow device
operation based on the load profiling algorithm introduced
in the previous section. The load profiling algorithm serves
the dual purposes of controlling the load when necessary and
detecting device impersonation. Any decisions are then sent
as control messages to the power outlet, which then enforces
them to the device that it controls. A decision to reschedule can
lead to the request being queued at the power outlet for a later
attempt without customer intervention or have the customer
manually retry at a later time. All decisions taken by the smart
meter on requests from power outlets are logged for later review
if needed at the power outlet. These logs can help provide
nonrepudiation of actions in the network.
B. Progress Toward Meeting Security Objectives
Our authentication procedure, along with our defense
to packet replay attacks, is directed toward the objectives
C. Limitations
All packets were encrypted and then decrypted based on
the authentication mechanism specified earlier in this paper
and used a simple Caesar cipher at this time. The encryption
used must be much stronger in practice. The jamming attack
and its solution could not be implemented because
TinyOS 1.x does not allow dynamic channel shifting at run time.
It can be expected that this can be done by using a higher
version of TinyOS with more capable hardware.⁶ Additional
work that can be done includes scaling up the implementation to
many appliances in a home with commodity smart meters available that are ZigBee capable. Additional scenarios that include
EVs should be considered as well, including the challenges to
predict and control such large stochastic loads.
Fig. 11. Circuit diagram of the interface between the communication module
and the power outlet/load.
MDA300CA excitation pin to drive the single-pole single-throw (SPST) relay. SPST relays are used to provide isolation
between a low-voltage circuit and a high-voltage circuit.
B. Implementation Details
Most of the security solutions mentioned in the SecureHAN
framework were successfully implemented, but there were challenges as well.
A request packet from an appliance sent through the power
outlet to the smart meter had the following fields: device type,
pass key, sequence number, and power outlet identification
(ID). The response packet from the smart meter has only an
activation field and a time duration field. An activation value
of 0xFFFF signified that the device could be activated with the
corresponding time duration field having the value of NULL.
A 0x0000 value in the activation field signifies that the device
connected to the power outlet cannot be operated at that time.
The time field value denotes the delay after which the outlet
can repeat the request. If device operation is allowed, the power
outlet requests a stored load profile of the device from the smart
meter according to the load profiling algorithm in Fig. 7 which
it can use to compare loads. The current implementation just
uses a simple comparison of the peak power consumed by the
load and has left the development of the load profile signature
comparison algorithm for future work.
The power outlet ID uniquely identifies an appliance connected to it from the smart meter's perspective. The sequence
number in the packet is tracked in the smart meter for every
device in an array data structure to prevent replay attack. The
device type field is used to communicate what group the load
belongs to; in the implementation, only group 2 and 3 loads
in Fig. 1 were specified since group 1 loads do not need to
request activation, and group 4 loads were not considered in
this work. Every packet exchanged between a transmitter and a
receiver has a pass key field whose value can be configured by
a customer. The receiver decrypts the packet and authenticates
the packet by validating this pass key.
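The request handling described in the two paragraphs above can be sketched as follows; this is an added example, not the authors' TinyOS implementation. The class and field names, the 300 s retry delay, and the choice to answer failed checks with a 0x0000 response are assumptions, and the packet is taken to be already decrypted.

```python
import hmac
from dataclasses import dataclass

ALLOW, DENY = 0xFFFF, 0x0000   # activation field values given in the text
CONTROLLED_GROUPS = (2, 3)     # only group 2 and 3 loads request activation


@dataclass(frozen=True)
class Request:
    device_type: int   # load group
    pass_key: bytes    # customer-configured shared value
    seq: int           # sequence number chosen by the power outlet
    outlet_id: int     # identifies the outlet (and so the appliance)


class SmartMeter:
    def __init__(self, pass_key: bytes, n_outlets: int, retry_s: int = 300):
        self.pass_key = pass_key
        self.retry_s = retry_s                 # assumed retry delay
        self.last_seq = [-1] * n_outlets       # one counter per outlet ID
        self.log = []                          # decisions kept for later review

    def handle(self, req: Request, load_ok: bool = True):
        """Return (activation, duration) and log the reason for the decision."""
        if not 0 <= req.outlet_id < len(self.last_seq):
            reason = "unknown outlet"
        elif not hmac.compare_digest(req.pass_key, self.pass_key):
            reason = "bad pass key"            # checked before touching state
        elif req.device_type not in CONTROLLED_GROUPS:
            reason = "unsupported group"
        elif req.seq <= self.last_seq[req.outlet_id]:
            reason = "replayed sequence number"
        else:
            # Only an authenticated, fresh request advances the counter.
            self.last_seq[req.outlet_id] = req.seq
            reason = "allowed" if load_ok else "rescheduled by load control"
        allowed = reason == "allowed"
        self.log.append((req.outlet_id, req.seq, reason))
        return (ALLOW, None) if allowed else (DENY, self.retry_s)


if __name__ == "__main__":
    meter = SmartMeter(pass_key=b"constructed-key", n_outlets=4)
    first = Request(2, b"constructed-key", 7, outlet_id=1)
    later = Request(3, b"constructed-key", 8, outlet_id=1)
    for r in (first, first, Request(2, b"guess", 99, 1), later):
        print(r.seq, meter.handle(r), meter.log[-1][2])
```

Checking the pass key before the sequence number, and advancing the per-outlet counter only for requests that pass both, keeps a forged packet with a large sequence number from locking out the legitimate outlet.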
Vinod Namboodiri (M'03) received the B.E. degree in instrumentation and control engineering from
Gujarat University, Ahmedabad, India, and the M.S.
degree in computer science from the University of
North Carolina, Charlotte, NC, USA.
He is currently an Assistant Professor with the
Department of Electrical Engineering and Computer Science, Wichita State University, Wichita,
KS, USA. He is an Active Reviewer for numerous
journals and conferences in the mobile computing
and green computing areas, including smart grids.
His research interests include designing algorithms and protocols for energy-intelligent and sustainable computing, and designing an effective communication architecture for smart electric grids.
Prof. Namboodiri has served or is currently serving on the Technical Program
Committees of IEEE INFOCOM, IEEE International Conference on Smart
Grid Communications, IEEE Global Communications Conference, IEEE International Conference on Communications, IEEE International Performance,
Computing, and Communications Conference, and IEEE GREENCOM.
Visvakumar Aravinthan (M'03) received the B.Sc.
degree in engineering and the M.Sc. degree in electrical engineering from the University of Moratuwa,
Moratuwa, Sri Lanka, in 2002 and 2005, respectively, and the M.S. and Ph.D. degrees in electrical
engineering from Wichita State University, Wichita,
KS, USA, in 2006 and 2010, respectively.
He is currently an Assistant Professor with the
Department of Electrical Engineering and Computer Science, Wichita State University, Wichita,
KS, USA, where he teaches electric power system
courses. He performs research in smart distribution systems, power system
reliability, integration of distributed energy sources, and electric vehicles.
Surya Narayan Mohapatra received the B.E. degree from Biju Patnaik University of Technology,
Bhubaneswar, India, and the M.S. degree in computer networking from Wichita State University,
Wichita, KS, USA.
He is currently a Software Engineer with the Substation Automation Team, Connected Energy Network Business Unit, Cisco Systems, San Jose, CA,
USA. He is currently working on designing and developing networking devices for the smart grid market.
He has worked in developing networking protocols
for embedded system platform for several years.
Babak Karimi (S'10) received the M.S. degree in
information technology from Amirkabir University
of Technology, Tehran, Iran, in 2008 and the M.Sc.
degree in computer networking from Wichita State
University, Wichita, KS, USA, in 2012, where he is
currently working toward the Ph.D. degree, working
on application of wireless communications in the
smart grid.
He is actively involved in research areas such
as designing architecture for smart grid communications and solving problems related to advanced
metering infrastructure and data concentration along with its security and
privacy issues.
Ward Jewell (M'77–F'03) received the B.S.E.E.
degree from Oklahoma State University, Stillwater,
OK, USA, in 1979, the M.S.E.E. degree from Michigan State University, East Lansing, MI, USA, in
1980, and the Ph.D. degree from Oklahoma State
University in 1986.
Since 1987, he has been with Wichita State University, Wichita, KS, USA, where he is currently a
Professor of electrical engineering. He is the Wichita
State Site Director of the Power System Engineering
Research Center (pserc.org). His current research
interests include advanced energy technologies and climate change as it affects
the electric energy system.