◆ Assessing Smart Grid Security

Alan J. McBride and Andrew R. McGee

The evolution from traditional power networks to smart grid involves many
aspects including data network transformation, distributed functionality, and
two-way information flow between supplier and customer. Networks are
transforming to the use of packet-based communications and the use of
newer networking technologies, including optical, Internet Protocol (IP) and
Multiprotocol Label Switching (MPLS). Functionality is being distributed to
substations, transmission and distribution nodes, and to the customer site.
Information flow evolves to two-way communication of rating, billing, and
usage data between the customer and supplier (including “smart metering”).
These changes introduce new reliability and security challenges for the
power grid utility company. In the security domain, new threat vectors are
introduced, and vulnerabilities and attacks related to data networking and
information technology become more relevant. Security, reliability, and
availability of the management and control network and functionality are
business critical. This paper describes a methodology for assessing smart grid
security, and trends in smart grid security that we have observed while
applying this methodology. © 2012 Alcatel-Lucent.

Introduction depth of experience with assessing the security of prod-

Assessing security for the smart grid is a signifi- ucts, solutions, enterprises, and networks using method-
cant challenge for various reasons. Smart grid archi- ologies and tools that have evolved over many years to
tecture includes very many disparate systems, devices, address the target from multiple perspectives.
networking technologies, and other components. The paper begins with a brief overview of the
Security requirements for the smart grid are particu- smart grid, before proceeding to discuss relevant secu-
larly onerous due to the critical nature of the power rity challenges and trends. The methodology is then
grid as a public service and due to the particularly described, including the use of a threat analysis pro-
attractive nature of critical infrastructure targets to cess, and assessment against industry best practices.
potential attackers with a range of motivations.
This paper describes a methodology used for assess- Smart Grid Overview
ing security for the smart grid, used by Bell Labs in con- Smart grid applications as well as legacy power grid
sultative services around the globe, and based on the applications are concerned with monitoring and control
security frameworks used within Alcatel-Lucent for prod- of power transmission, distribution, and usage. Because of
uct and solution development. Bell Labs has a significant the critical nature of power grid applications, security is

Bell Labs Technical Journal 17(3), 87–104 (2012) © 2012 Alcatel-Lucent. Published by Wiley Periodicals, Inc.
Published online in Wiley Online Library (wileyonlinelibrary.com) • DOI: 10.1002/bltj.21560
 Panel 1. Abbreviations, Acronyms, and Terms
3G—Third generation LAN—Local area network
3GPP—3rd Generation Partnership Project LTE—Long Term Evolution
AES—Advanced Encryption Standard MAC—Medium access control
AMI—Advanced metering infrastructure MMS—Manufacturing Messaging
AMR—Automatic meter reading Specification
ATM—Asynchronous Transfer Mode MPLS—Multiprotocol Label Switching
BLAS—Bell Labs Advisory Service NAC—Network access control
CCTV—Closed circuit television NAN—Neighborhood area network
CIP—Critical infrastructure protection NERC—North American Electric Reliability
CNCI—Comprehensive National Cybersecurity Corporation
Initiative NIST—National Institute of Standards and
DA—Distribution automation Technology
DES—Data Encryption Standard PTT—Push-to-talk
DHS—Department of Homeland Security SbD—Security by Design
DMZ—Demilitarized zone SCADA—Supervisory control and data
DNP3—Distributed Network Protocol 3 acquisition
DoS—Denial of service SG—Smart grid
DPI—Deep packet inspection SONET—Synchronous Optical Network
DR—Demand response SSL—Secure Sockets Layer
FAN—Field area network TA—Transmission automation
GOOSE—Generic Object Oriented Substation TCP—Transmission Control Protocol
Event TDM—Time Division Multiplexing
HQ—Headquarters TLS—Transport Layer Security
ICCP—Inter-Control Center Communications UMTS—Universal Mobile
Protocol Telecommunications System
ICT—Information and communication U.S. —United States
technology USB—Universal serial bus
IDS—Intrusion detection system VLAN—Virtual local area network
IEC—International Engineering Consortium VLL—Virtual leased line
IED—Intelligent electronic device VPLS—Virtual private LAN service
IP—Internet Protocol VPN—Virtual private network
IPS—Intrusion protection system VPRN—Virtual private routed network
IPsec—Internet Protocol security WAN—Wide area network
ISMS—Information security management WCDMA—Wideband code division multiple
system access
ISO—International Organization for WiMAX—Worldwide Interoperability for
Standardization Microwave Access
ISO27K—ISO 27000 series

a critical requirement, along with reliability and per- and consumers of power [1]. Many utilities are
formance (and, indeed, security issues can threaten reli- transforming their networks to accommodate estab-
ability and performance). lished and emerging applications on a common, inte-
The evolution of the power grid entails upgrad- grated network based on Internet Protocol (IP),
ing the infrastructure to a “smart grid” to support primarily for reasons of cost efficiency and flexibility.
two-way communication between electric genera- The use of IP networking brings the security chal-
tion, transmission and distribution infrastructure, lenges associated with this technology.

88 Bell Labs Technical Journal DOI: 10.1002/bltj

Smart Grid Architecture involve connecting tens of thousands of endpoints,
A logical reference architecture for smart grid is which will be a challenge for the legacy network
presented in [22], illustrating logical domains of mar- infrastructure.
kets, operations, service providers, bulk generation, Another key emerging application is demand
transmission, distribution, and the customer. For our response (DR) which aims to affect a degree of control
purposes, we focus on the customer, operations, over customer usage and to adapt demand to supply.
transmission, and distribution domains. Figure 1 pro- The smart grid may include and/or connect to “micro
vides a simplified abstraction of a smart grid architec- grids” which are managed by small organizations or
ture [4]. individuals. A micro grid, with its own generation,
The architecture includes operational centers and storage, power lines, and loads, is a subsystem of the
transmission substations (which may be manned or larger utility grid.
unmanned) connected by a wide area network Established Applications
(WAN). A field area network (FAN) extends the net- Among established power grid applications,
work connectivity to field devices including remote supervisory control and data acquisition (SCADA) and
distribution nodes and meters at customer premises. teleprotection are key applications. Teleprotection
In some cases, a local neighborhood area network typically refers to the use of signal-aided relay-to-relay
(NAN) may be deployed between the FAN and cus- communication between adjoining substations (i.e.,
tomer premises, connecting multiple customers to a substations connected by a transmission line). If pro-
common local network. tection equipment at either end detects a fault, the
other end is notified, and protective actions are taken
Emerging SG Applications
(such as tripping a circuit breaker). SCADA for the
New and emerging smart grid applications such as
power grid involves field data acquisition and transfer
advanced metering infrastructure (AMI), syn-
to centralized systems for monitoring and control of
chrophasors, distribution automation (DA), auto-
power grid components, including remote actuators
mated demand response, electric vehicles, and
and sensors. An overview of the SCADA architecture
microgrid management are described in [6].
and of security issues associated with SCADA is pro-
Advanced metering infrastructure provides two-
vided in [26], including the observation that legacy
way communications for meter reading, remote
SCADA protocols (such as Modbus* or Distributed
management, outage notifications, power quality
Network Protocol 3 (DNP3) for example) do not have
information (which can be used for grid control and
default security features such as authentication or
anomaly detection), and communication of pricing
encryption. A standard is specified in [11] to address
information from the smart grid to the meter (which
security aspects of SCADA protocols specified in [10].
can be used to inform consumers about the billing
In addition to the applications discussed above,
implications of their usage decisions, and in some
[6] provides an overview of other key applications
cases provide for utility control of consumer load).
widely established and used for power grid manage-
Meters may also support connectivity to devices in
ment, including mobile workforce management,
the home.
enterprise voice, push-to-talk (PTT), and closed cir-
Distribution automation (DA) is concerned with
cuit television (CCTV) for video surveillance and
the remote control of distribution devices including
teleprotection.
switches, voltage and phase regulation devices, capaci-
tor banks, and other monitoring and management Wider Context
functions in the distribution network. Historically, There is more to smart grid security than cyber-
power utilities have usually managed a limited num- security for the smart grid networks themselves. The util-
ber of monitoring and control points—for example, a ity companies are enterprises in their own right,
limited number of key substations—numbering in the requiring security governance, including information secu-
hundreds for larger utilities. In comparison, DA will rity management systems (ISMS). Security governance

DOI: 10.1002/bltj Bell Labs Technical Journal 89

 Alternate,
renewable
energy
source
To regional
or national grid Transmission
substation
Storage
Large scale
Bulk power Transmission Distribution Large DER
(PV, wind,
generation substation substation business, diesel, UPS,
industrial CHP, …)
Transmission complex

transmission lines
substation

Feeder

Extra high and high voltage

Bulk power Transmission Distribution PV
substation Residence
generation substation

Medium voltage and

(sub)-transmission lines
Transmission
substation
Feeder
Thermal (coal, gas),
hydro-electric, Business
nuclear PHEV
Residence
Wind,
PV, Storage DER
Transformer(s) bio mass, Alternate,
Micro-generation
hydro, renewable
(PV, …)
tidal, energy
Generator source
fuel cell,
…

CHP—Combined heat and power

DER—Distributed energy resource (Hierarchy of)
PHEV—Plug-in (hybrid) electric vehicle micro grids
PV—Photovoltaic (cell)
UPS—Uninterruptible power supply

Figure 1.
Generation, transmission, and distribution in smart grid.
includes policies, training, risk management, compli- time, critical infrastructure presents a particularly
ance, operations security, business continuity plan- attractive target to potential attackers.
ning, and many other aspects. Developing these The smart grid will bring security benefits as well
human-focused procedures takes time—and needs to as security risks. The smart grid continuously monitors
take time—to ensure that it is done correctly. [7] itself to detect unsafe or insecure situations that could
Furthermore, many (if not most) of the larger utility detract from its reliability and safe operation [7].
companies will have significant in-house development Security Goals
or integration—so supply chain security and applica- Key goals for security include reducing risks and
tion security are crucial. Many will use data centers costs. Generally, security is significantly less costly if it
and call centers, and may be consolidating and evolv- is addressed at early stages (requirements, architec-
ing to the use of virtualization and migration to cloud- ture, design) of systems development rather than
based deployment models. Utility companies also being added in later stages. The principle of “Security
have a significant mobile workforce, requiring secure by Design” (or SbD) is well established, and seeks to
communications while in the field. The range of secu- provide a framework for addressing security from the
rity aspects to be addressed by a smart grid utility outset, in the initial phases of development.
company are very broad, and some aspects are rela- Security is essentially about risk management.
tively new and still rapidly evolving. The level of security employed should be driven by
the level of risk—where risk includes both the likeli-
Smart Grid Security Issues hood and the impact of an attack. There are risks asso-
Security for critical infrastructure (including util- ciated with compromising the confidentiality,
ity companies) is a very broad concern and involves integrity, and availability of information and services.
many aspects including: A key goal of security management should be to
• Physical security of plant, equipment, and net- reduce the costs associated with security. This includes
works. the cost of security itself, and the costs associated with
• Cyber security for networking and computing. security breaches. Costs associated with security
• Security management for the corporation or include;
enterprise itself. • Personnel costs,
• Specific security issues for supervisory and control • Appliance costs,
applications and networks (SCADA). • Software costs,
• Specific security issues for endpoints (including • Administrative costs, and
intelligent electronic devices (IEDs) and meters). • Costs associated with security breaches.
The evolution to a smart grid increases the focus on Security management involves balancing the cost
security. The smart grid will be characterized by a two- of security against the cost of security breaches, based
way flow of electricity and information [7] and the use on risk assessment of breaches, taking into account
of communications and distributed computing. The their likelihood and impact. Costs increase as com-
smart grid can also be characterized as “a network of plexity increases in conjunction with the prolifera-
networks.” These aspects introduce new threat vectors, tion of equipment and inconsistencies among device
compared with legacy electricity networks. The con- types and software versions.
vergence of the information and communications No security solution can be absolute. There are
infrastructure with the electric power grid introduces always potential ways to contravene any security con-
new security and privacy-related challenges [23]. As trol, especially since complex systems can have
utilities continue to leverage information technology, unknown as well as known vulnerabilities. To com-
especially for the smart grid, they also expose their pensate for this, most enterprises (including power
infrastructure to all of the risks and threats associated grid utility companies) will generally employ the
with information technology in general. At the same “defense-in-depth” principle, and implement multiple

DOI: 10.1002/bltj Bell Labs Technical Journal 91

layers of security to protect their network, systems, The smart grid exists in an evolving threat land-
information and enterprise. As such, defense-in-depth scape where critical infrastructure is an increasingly
is a goal in its own right. Defense-in-depth involves attractive target for potential attackers, and where the
layered security controls of different types: utility is exposed to general information and com-
• Physical, including barriers, locks, and CCTV. munication technology (ICT) threats (e.g., denial of
• Personnel-related, including screening, security service attacks) as well as domain-specific attacks (e.g.,
awareness and training, and organizational targeted malware such as Stuxnet). Recent surveys
aspects. [3, 20] found that the number of critical infrastructure
• Procedural, concerning policies, internal standards, companies (which responded to the survey) from
and procedures, and across the globe and in multiple sectors which
• Technical, for example, access control, firewalls, reported large-scale DoS attacks increased from 54
intrusion detection and prevention, cryptography percent to 80 percent in one year, and a similar
and anti-malware applications. increase was reported for infiltration attacks.
Defense-in-depth starts with the assumption that At the same time, the smart grid architecture itself
no one control will be adequate to defeat all attacks, is evolving. New applications are emerging and estab-
so the attacker is presented with subsequent layers of lished applications continue to evolve, and the degree
security to delay and deter the attack. of integration between applications may increase.
Risk Factors Newer variants of domain application protocols
The smart grid represents an increase in com- (including SCADA and automatic meter reading
plexity compared to legacy power grid systems and (AMR)/AMI protocols) may be introduced while
communications networks, including a high degree legacy variants may need to be maintained for a con-
of heterogeneity of platforms and devices, and widely siderable period of time. The mix of legacy technolo-
disparate levels of computational power at nodes gies and newer technologies can be a risk factor.
throughout the grid (e.g., an IED compared to a Threats
SCADA system). These factors can mean that there is At a high level, the smart grid may be subject to a
a higher density of vulnerabilities and more difficulty wide range of business threats, of which we present
in identifying and resolving vulnerabilities. some examples below.
The smart grid also extends the distributed nature • Loss of situational awareness. Secure, reliable,
of the power grid communications network and sys- and real time situational awareness is a critical
tems to include a vastly increased population of end- operational requirement for power grids, due to
points (including meters and remote sensors or the critical nature of the service and the risk of
actuators) and a higher degree of interconnectivity. cascading failures and rapid development of inci-
The distribution of the components of the architec- dents. Loss of this capability is a key high-level
ture extends beyond the utility corporation bounda- threat that should be considered. Any technical
ries and onto the customer premises where devices threat to situational awareness—including delib-
are deployed in an unsecured environment. erate or accidental outages—must be understood
The extended distributed network is used to col- and mitigated with appropriate controls. This is
lect a wider scope of information, including customer as much a security issue as a reliability issue.
data potentially subject to privacy regulations. There • Theft of service (also known as non-technical losses).
are risks to the confidentiality, integrity and availabil- The utility company relies on secure, reliable and
ity of the distributed data in situ and in transit. trustworthy metering to be able to correctly bill
Further, the distributed nature of the smart grid attests for service. Compromise of meters (through hard-
to the fact that the utility company’s workforce ware tampering or software hacking), of the
includes a mobile population, possibly including con- metering networking infrastructure, or even of
tracted third-party personnel, all potentially using the metering and billing systems themselves
mobile computing devices. should be considered. Examples of appropriate

92 Bell Labs Technical Journal DOI: 10.1002/bltj

 technical controls are AMI encryption (for controls should include strong authentication
integrity and confidentiality), tamper-proof meter (e.g., multi-factor authentication for access to
hardware, device authentication, and hardened critical systems and for remote access), role-based
platforms for metering and billing systems. access control, device authentication, and net-
• Service impairment. This threat includes aspects work access control (NAC). Centralized identity
such as denial of service, compromise of service, management can reduce administrative costs and
and corruption of data related to service. Critical improve security for access control solutions.
infrastructure utility companies are subject to fre-
quent and increasingly aggressive denial of ser- Trends and Best Practices
vice attacks. These are currently focused on the With the emergence of targeted malware such as
Internet interfaces, but in the future they could Stuxnet, and the widely-reported increase in denial of
potentially be directed at application interfaces or service attacks on critical infrastructure companies
internal systems using attack vectors such as the (c.f. [3] and [20]), we observe a heightened awareness
customer meter, employee mobile devices (lap- of security and an evolution of security posture across
tops, USB drives), or wireless FAN nodes. The the industry. This can also be driven by regulation. In
Stuxnet [9] malware and the Aurora Test [5] some jurisdictions, domain-specific regulations, stan-
were graphic illustrations of the potential risk of dards, and guidelines have begun to emerge. The
impairment of operations and even of physical North American Electric Reliability Corporation
destruction of equipment. Forty percent of critical (NERC) critical infrastructure protection (CIP) stan-
infrastructure companies which responded to a dards in the U.S. [18] offer one example.
McAfee survey [20] reported finding Stuxnet in The Internet remains a priority threat vector, and
their systems, with the number increasing to 47 of course de facto controls such as firewalls are widely
percent in the electric sector specifically. employed. Beyond basic firewalling, utility companies
• Breach of privacy. Utility companies manage cus- are employing demilitarized zones (DMZs), anti-DoS
tomer-related information and other information and intrusion detection systems (IDSs)/intrusion pro-
that may be subject to privacy regulation which, tection systems (IPSs) to protect their boundaries.
if disclosed, could result in punitive penalties or at IDS/IPS capabilities can include deep packet inspec-
least damage the corporate image. Confidentiality tion (DPI) features, and detection algorithms based on
controls for privacy-relevant information are cru- signatures, anomalies, and behaviors. Firewalls and
cial, and should apply to information in situ as IDS/IPS systems can include application-aware features
well as in transit. for protocols specific to the critical infrastructure and
• Infiltration. This business threat relates to the control systems domains. Advanced techniques such
penetration of the secure perimeter by an unau- as the use of honeypot/honeynet can be used to divert
thorized party, including actions such as scanning, and observe attacks. Remote access to the WAN
probing, mapping of networks and systems, and through external networks should be via an encrypted
even taking control of functions. Infiltration is virtual private network (VPN) with strong access con-
closely linked to the threat of unauthorized trol including multi-factor authentication.
access, and threat can allow other threats to be These controls are also being used on internal as
exercised (for example, service impairment). well as external boundaries. Power grid utility com-
• Unauthorized access. This is a very broad threat that panies generally have a control network (for applica-
can cover a very wide range of specific issues tions such as SCADA, AMI, DR, DA and transmission
including access to data, systems, applications, automation (TA) discussed earlier), and a corporate
networks, devices, and physical sites. Appropriate network for enterprise applications including customer-
access controls are required for every type of related applications. Just as the corporate network
access, and in general the principles of least privi- should be separated from the Internet by a DMZ, so
lege and separation of duties should apply. Access also should the control network be separated from

DOI: 10.1002/bltj Bell Labs Technical Journal 93

the corporate network. Systems that need to connect password-based authentication. Password policies are
to both the corporate and control networks can be being strengthened. The principles of least privilege and
hosted in this DMZ. separation of duties are being employed to limit the
Many utility companies are executing on network privileges of individual accounts and to address non-
transformation to IP or IP/Multiprotocol Label Switching repudiation risks. Multi-factor authentication, using
(MPLS) and are addressing security as a part of that ini- tokens or biometrics for example, is being embraced.
tiative. This includes the use of VPNs for network seg- The use of cryptography is increasing. WAN/FAN
mentation, where physical network separation may networks are often encrypted, or encrypted VPNs are
previously have been used. Traffic separation tech- used for critical traffic (e.g., SCADA). Cryptographic
niques vary from the physical (e.g., separate lines or authentication of users, systems, and devices is being
wavelengths) to the logical (e.g., VPNs). Logical traffic used to a wider extent. Remote access uses encrypted
separation can involve virtual local area networks VPNs. Critical data is stored and transmitted with
(VLANs), virtual private LAN service (VPLS), virtual encryption. When choosing the right cryptographic
private routed network (VPRN) or other VPN tech- solution (from the range of possible options including
niques. Separation of traffic between (logically or physi- optical layer 1 encryption and IPsec), the delay
cally) separate networks can involve access control lists, penalty must be considered against the latency
filters (in routers or firewalls), and intrusion detection/ requirements for the particular application.
prevention. Logical separation is more cost efficient than Some utility companies are consolidating their
physical, because it streamlines capital and operational data and operations centers, and are addressing the
costs by avoiding multiple instances of physical devices. security aspects of such transformations. Data center
One approach is to use IP/MPLS with MPLS VPNs for consolidation can be an opportunity to employ geo-
traffic separation with overlaid encryption (e.g., using graphical redundancy for business continuity and dis-
Internet Protocol security (IPsec) or group-based aster recovery. Data and operations centers require
encryption). Physically separate networks are not cost enhanced physical security including physical and
effective (particularly as new applications are added) so logical access controls—for example, the use of bio-
utilities can benefit from converging onto a common metric and/or smartcard authentication. The use of
physical network while maintaining the required traf- virtualization, or even cloud computing, techniques in
fic separation and network segmentation using logical data centers brings its own security challenges which
techniques. MPLS is ideally suited for this, supporting may be addressed through secure VLAN configura-
multiple protocols (e.g., Synchronous Optical Network tion, use of virtual security appliances, encryption
(SONET), Asynchronous Transfer Mode (ATM), Time (e.g., of virtual machine images) and other technical
Division Multiplexing (TDM) and Ethernet) on a com- controls.
mon infrastructure while also supporting multiple Anti-malware controls are generally used, but are
options for virtual networking: virtual leased lines being strengthened to counter the threats of novel
(VLLs), virtual private LAN service (VPLS) and virtual and stealthy viruses or worms such as Stuxnet. At the
private routed network (VPRN). MPLS provides secure same time, there is heightened awareness of the criti-
traffic isolation, preventing attacks between VPNs or cal need to eliminate vulnerabilities, including zero-
from a VPN to the MPLS control network. MPLS secu- day vulnerabilities that such malware can exploit. This
rity also involves device security (physical and logical includes aggressive patching (to close known vulner-
access control) including security at the administration abilities as soon as possible) and device or system
and management interfaces. See [2] for further discus- hardening (e.g., disabling unused services) to reduce
sion of the security aspects of MPLS in the context of avenues for attack. There may be particular difficulties
use for critical infrastructure. with availability of patches for legacy systems, and in
In general, there is growing awareness of such cases it may be necessary to consider compen-
the weaknesses of de facto access controls such as sating by installing controls to mitigate vulnerabilities

94 Bell Labs Technical Journal DOI: 10.1002/bltj

that cannot be directly removed. All of this is in con- meter should be remotely manageable, including
junction with improvements in incident management upgrades. Secure booting should involve checking the
and vulnerability management policies and processes, digital signature of software at boot time. Ideally
as utility companies “catch up” with other ICT com- the meter should support remote attestation to be able
panies and enterprises on best practices in terms of to securely affirm that it is running a trusted version
security management. of firmware and software (with authentication and
The fact that Stuxnet was most likely introduced integrity guaranteed by the use of a digital signature).
via a mobile device (USB drive) has focused attention The use of cryptographic techniques implies that key
on mobile device security as a critical dimension. management must be achieved in a secure way,
Utility personnel are often mobile and utilize a range which can be difficult for devices where components
of devices including laptop computers, USB drives, and are sourced, assembled, and tested by multiple agents
smartphones. Encrypted VPN with access control is in the supply chain. These capabilities require sup-
not adequate for full protection. VPN access control port by meter vendors—however this may be diffi-
can be breached (particularly if it relies mainly on pass- cult to achieve consistently across the range of
word authentication), and mobile devices may be vendors providing proprietary meters and meter read-
directly connected to the network when brought on ing implementations.
site. Mobile device security includes hardening, cen- Optical networks can be vulnerable to eaves-
tralized management, enhanced access control (e.g., dropping. This is exacerbated by the wide geographi-
multifactor authentication), device firewalling, and cal distribution, and any use of leased optical lines
anti-virus scans. Enhanced techniques can include disk where the utility is not entirely in control of security.
encryption and the use of anti-theft mechanisms for For confidentiality and message integrity, the WAN
remote disabling or even tracking. All of this must be should be encrypted. The use of optical devices that
done in the context of clear policies and strong aware- encrypt at the optical layer can be considered, but this
ness and training for personnel on the risks and may be costly to deploy and may not be applicable
responsibilities associated with mobile devices. for leased optical lines, so generally the utility will
Power grid networks include distributed end- employ encryption at a higher layer. IP and MPLS do
points such as meters and intelligent electronic devices not natively encrypt traffic. Encryption can be done at
(IEDs). Endpoint security can include endpoint the network layer or at higher layers using IPsec,
authentication, tamper-proofing, use of cryptography, Secure Sockets Layer (SSL) or other solutions. IPsec is
physical security, software integrity checks, and a natural choice for IP/MPLS encryption, but the com-
remote attestation. Since endpoints are generally plexity and administration costs do not scale well for
deployed in unsecured or less secure environments mesh networks.
(e.g., customer premises, unstaffed substations), they WAN security depends not only on technical con-
should be secured using cryptographic techniques. trols applied to the WAN itself (e.g., encryption, access
This includes cryptographic device authentication, control, traffic isolation). The security of the WAN
encrypted data communications, and digitally signed requires “defense-in-depth” and the use of security
software for integrity. The smart grid can involve controls across the physical, procedural, personnel,
extending the utility network (even the IP networking) and technical aspects of access. WAN devices and links
to the customer premises where the meter is an end- should be physically secured. Physical and logical
point deployed in an essentially unsecured environment. access controls are required. Overall security should
As such, the meter itself must be hardened against secu- be grounded in a wider security management system
rity threats. Threats can include hacking, tampering, or for the utility enterprise, covering security governance,
cloning. Meters should (mutually) authenticate with policies, compliance, training and awareness etc.
servers, and the cryptographic keys used should be Security for smart grid applications and applica-
stored securely in tamper-proof hardware. Ideally the tion protocols is an important focus area. For example,

DOI: 10.1002/bltj Bell Labs Technical Journal 95

International Engineering Consortium (IEC) 62351 is The overall trend is that, as networking and com-
a standard that addresses security aspects of data com- puting are more widely used, utility companies are
munication for power systems, including SCADA pro- implementing ICT security best practices, albeit at a
tocols such as IEC 61850, as well as Inter-Control slow or uneven pace. Sometimes this is driven by
Center Communications Protocol (ICCP) and DNP3. regulation, and otherwise it is driven in the context of
Authentication is achieved through digital signatures. threats and the fact that utilities are under increasing
For the Transmission Control Protocol (TCP) and IP- attack globally. Generally there is an increasing
based protocols (e.g., the Manufacturing Messaging emphasis on compliance and governance aspects,
Specification (MMS) part of IEC 61850), confidential- with companies starting to consider embracing secu-
ity and message authentication can be achieved rity management techniques from standards such as
through optional use of Transport Layer Security (TLS) the International Organization for Standardization
for devices that have the computational resources to 27000 series (ISO27K), or even seeking formal certi-
cope with the load, within latency constraints. For fication under such standards.
non-routable datagram protocols (e.g., the Generic
Object Oriented Substation Event (GOOSE) part of Methodology
IEC 61850) which have low-latency requirements When assessing security for a utility company
(e.g., 4 ms), only digital signature authentication is embarking on transformation of network and opera-
specified by IEC 62351. A secure transport protocol tions for support the smart grid, the Bell Labs Advisory
for the smart grid is proposed in [16], and [17] dis- Service (BLAS) employs a methodology that is
cusses a data-centric architecture for smart grid appli- grounded in the Bell Labs Security by Design (SbD)
cations including aspects of security. methodology used widely for Alcatel-Lucent product
As stated earlier for WAN security, the security of and solution development. The SbD methodology
the field area network requires “defense-in-depth” involves component parts that provide different per-
and the use of security controls for physical, proce- spectives on security. Similarly, the methodology used
dural, personnel, and technical aspects. For wireless for assessing smart grid security also involves separate
FANs, wireless standards generally cover both authen- parts that address the target from different perspec-
tication and traffic encryption. For example, IEEE tives. The main components of the methodology (illus-
802.16(e) medium access control (MAC) specifies trated in Figure 2) are threat analysis, baseline
Worldwide Interoperability for Microwave Access assessment, tools analysis, and architecture assessment.
(WiMAX) security through secure key exchange and Threat Analysis
the use of Advanced Encryption Standard/Data The purpose of threat analysis is to identify poten-
Encryption Standard (AES/DES) encryption. For Long tial vulnerabilities, and to identify potential counter-
Term Evolution (LTE), the 3rd Generation Partnership measures for those vulnerabilities. The threat analysis
Project (3GPP) standards specify the same approach process is a structured semi-formal top-down assess-
as for third generation (3G) Universal Mobile ment based on standards. The Bell Labs Advisory
Telecommunications System (UMTS) and Wideband Service employs an Alcatel-Lucent internal standard
Code Division Multiple Access (WCDMA) systems based on approaches described in the literature
using a stream-based algorithm (KASUMI) with regu- (including [8, 13–15, 21, 24]) customized for Alcatel-
lar changes to the key to ensure the key stream is not Lucent use.
reused. FAN devices and links should be physically The activities and results of the threat analysis
secured. Physical and logical access controls are include:
required. Overall security should be grounded in a 1. Defining the business risk (in terms of a priori-
wider security management system for the utility tized set of business threats).
enterprise, covering security governance, policies, 2. Identifying the critical assets of the product or
compliance, training, and awareness. solution.

96 Bell Labs Technical Journal DOI: 10.1002/bltj

 Threat analysis
Top-down, structured, standards-based and risk-oriented analysis to
identify and prioritize critical-infrastructure threats, attack vectors,
vulnerabilities and countermeasures

Tools analysis
Architecture assessment
Assess results from
Assess use of technical
test/audit tools, e.g.,
security enablers such as
Utility penetration testing,
firewalls, IPS, AAA,
networks vulnerability scanning,
encryption, DMZ, and
offline configuration,
VPN.
and auditing.

Baseline assessment
Evaluate the target against a range of authoritative standards, recommendations, and
best practices pertinent to the domain, e.g., NIST, ISO, NERC CIP.

AAA—Authorization, authentication, and accounting ISO—International Organization for Standardization

CIP—Critical infrastructure protection NERC—North American Electric Reliability Corporation
DMZ—Demilitarized zone NIST—National Institute of Standards and Technology
IPS—Intrusion protection system VPN—Virtual private network

Figure 2.
Overview of assessment methodology.

3. Understanding the threats that the critical assets threats include theft of content, denial of service, eaves-
are exposed to. dropping, and unauthorized disclosure of information.
4. Recognizing potential vulnerabilities and con- When defining business risk, it is useful to consider the
firming known vulnerabilities. threat agents and threat vectors (the avenues by which
5. Prioritizing the vulnerabilities, based on their a threat may be realized). For critical infrastructure,
associated risk. potential threat agents could include company employ-
6. Determining the countermeasures needed to ees, terrorists, espionage agents, extortionists, hackers,
thwart the key vulnerabilities. cyber-criminals, customers, and outsourced mainte-
7. Performing a business impact analysis to deter- nance staff. Potential threat vectors (or potential chan-
mine when or if to develop the security features nels of attack) could include the Internet, wireless
needed to implement the countermeasures. access points, the enterprise intranet, mobile devices
The first task that is performed in a threat analysis (including USB devices), remote endpoints (including
is to define the business risk, which is the business meters), the supply chain, and the company’s own sys-
threat environment surrounding a product or solution tems development organization. Several sources may
when it is deployed in the production environment. A be consulted to identify business threats that will be
business threat is defined as an adversary’s goal or present in the deployed environment. These can
motive for attacking the business or organization. To include industry consortia or regulations for the prod-
prevent the business threat from being realized, pro- uct or solution, customer vertical industries (e.g., finan-
tective measures must be in place. Example business cial, healthcare, manufacturing), standards bodies that

DOI: 10.1002/bltj Bell Labs Technical Journal 97

address the technology used or provided by the prod- on the target (including privacy-related aspects). The
uct or solution, and consultations with or historical exploitability, or ease of attack, considers how easy it
knowledge of past targets. The output of this stage is a would be for an attacker to accomplish his objective.
set of threats constituting the business risk for the This can be related to the existence of off-the-shelf tools
potential target. (even if they are only accessible by the cyber under-
After defining the business risk, the next stage of ground), the level of technical expertise required to
the threat analysis involves listing the assets of the exploit the vulnerability, and the attacker’s accessibility
potential target, and determining the level of detail to the target. The impact of a successful attack considers
around which target assets will be defined. Critical the cost or amount of damage resulting from a success-
assets could include sites (including headquarters, ful attack, including potential revenue impact, regulatory
datacenters, and substations), networks (including cor- impact, impact on reputation with customers, impact
porate and control networks), systems (including on relationship with business partners or impact on busi-
operations, business, and customer-related systems) ness model.
and devices (including mobile devices, remote end- At this stage, a set of vulnerabilities has been
points, networking devices, security devices, and established, and prioritized according to risk. The next
smart meters). step is to propose countermeasures for the vulnera-
Once the information assets are identified, they bilities (or at least for those that exceed an agreed
are examined for potential exposure to business risk level of priority or risk). Potential countermeasures
by associating the applicable business threats to each can be derived from sources including published sets
asset. The purpose of this is to develop a comprehen- of controls (for example, [14, 18, 19, 22, 25, 27]), or
sive list of assets and the business threats that they through proposals by domain experts and security
are potentially exposed to; therefore, existing counter- experts. In many cases, de facto controls such as fire-
measures should be temporarily disregarded when walls, encryption, access control, intrusion detection,
performing this step. and anti-malware will be obvious candidates as coun-
Based on the threat exposures identified above, termeasures. Often, the defense-in-depth principle
the next step is to assess the possible attacks against an may lead to proposal of more than one overlapping
asset in order to realize a threat. In order to perform countermeasure.
risk analysis and vulnerability prioritization, the asses- Once the list of proposed countermeasures is
sor must consider the target from the perspective of a established, a business decision process is imple-
potential attacker. The attacker has a high-level goal mented to decide which countermeasures to implement,
or motive in mind—to realize one of the business taking into account such things as cost, return on
threats (e.g., theft of content) against the product or investment, time to market, required resource com-
solution. In order to do this, an attack would be made mitments, and competitive advantage. Risks may be
against an asset. The objective of the attack is to com- remediated (by implementing the related counter-
promise the asset in some way in order to realize the measures), accepted (by choosing not to address
business threat. them) or transferred (for example, by investing in
A risk analysis is performed to understand the insurance against the risk). Ultimately, the set of
urgency of implementing a countermeasure using fac- accepted countermeasures become requirements for
tors such as the attractiveness of the target, ease of the product, solution, or enterprise.
attack, and the impact of a successful attack. The attrac- Examples of relevant threats, attacks, and candi-
tiveness of the target considers how motivated an date countermeasures are illustrated in Figure 3.
attacker would be to compromise the target—which can
be related to the potential reward, the geopolitical or Baseline Assessment
military significance of the target, the value of the infor- The baseline assessment measures the target
mation and the general public’s interest in information against a wide range of best practices. The best practices

98 Bell Labs Technical Journal DOI: 10.1002/bltj

 IP/MPLS

Threats/attacks: Eavesdropping, message insertion, breach of privacy

Countermeasures: Encryption, secure traffic separation (e.g., MPLS VPRNs),
firewalling, internal DMZs
OPERATION
CENTER
MICROWAVE
Threats/Attacks: Backdoors, unauthorized
access, malware insertion
+ Countermeasures: Application hardening,
− proactive vulnerability management, multi-factor
ENERGY authentication, host IDS/IPS
STORAGE

GENERATION
OPTIC IP/MPLS Threats/attacks: Eavesdropping,
unauthorized access
Countermeasures: Mutual authentication,
domain-specific protocol security (e.g., IEC
4G-LTE
WiMAX 62351)
INTEGRATED
3G RENEWABLE
TRANSMISSION PMR/LMR

SM
AR
TC
ITY
MICRO
FTTH GENERATION
DISTRIBUTION PLC
Threats/attacks: Unauthorized access
Radio + Threats/attacks: Theft of service, meter hacking, tampering,
Countermeasures: Physical security, secure −
management interfaces, role-based access control ELECTRIC ENERGY cloning
VEHICLE STORAGE Countermeasures: Mutual authentication, tamper-proof
hardware, encryption, secure-boot, remote management,
remote attestation

3G—Third generation IEC—International Engineering Consortium MPLS—Multiprotocol Label Switching

4G—Fourth generation IP—Internet Protocol PLC—Power line communications
DMZ—Demilitarized zone IPS—Intrusion protection system PMR—Private mobile radio
FTTH—Fiber to the home LMR—Land mobile radio VPRN—Virtual private routed network
IDS—Intrusion detection system LTE—Long Term Evolution WiMAX—Worldwide Interoperability for Microwave Access

Figure 3.
Example threats, attacks, and candidate countermeasures.
are derived from authoritative work by industry be used to select the appropriate sources, to filter the
bodies (e.g., the National Institute of Standards and resources for applicability, and to prioritize the con-
Technology (NIST), ISO, and NERC) and against the trols. The baseline controls can be used in an explicit
Bell Labs security knowledge base. and formal manner, to survey the target for compli-
Below, we describe some sources of best practices ance. Alternatively, a less-formal approach can be
or baseline security requirements in the public taken, using the knowledge base to structure the dia-
domain. Some of these are specific to the United logue with the target of the assessment, and as a ref-
States, but are nevertheless relevant references for erence for grounding findings and recommendations.
assessments of any target regardless of the jurisdic- Tools Analysis
tion of deployment. The tools analysis component of the assessment
In [22], the United States National Institute of methodology involves the use of tools to audit or test
Standards and Technology (NIST) specifies security the systems and networks of the target. Tools can be
controls for Smart Grid Cyber Security, based on secu- active or passive, online or offline. A wide range of
rity controls defined in [25] (originally for U.S. federal potential tools could be brought to bear on the target.
information systems generally, but considered to be Offline configuration analysis tools can audit the con-
more broadly applicable). figuration of network devices or systems for vulnera-
The North American Electric Reliability Corporation bilities. Vulnerability scanning tools can scan and
(NERC) specifies a high-level set of security controls in probe systems and networking devices. Tools can be
[18] that are specifically written for critical infra- used to simulate different types of denial of service
structure. Eight security standards are included, with attacks at different layers of the communications pro-
110 requirements. tocol stack. For application layer protocols, whether
A wide-ranging set of 133 security controls for domain-specific (e.g., SCADA protocols) or general
information security management systems (ISMS) are (e.g., Web protocols), protocol flooding and fuzzing
specified by the International Organization for tools can be employed to stress the robustness of the
Standardization (ISO) and International Electrotechnical protocol implementation. Protocol fuzzing tools delib-
Commission (IEC) in [12]. erately subject the target to malformed protocol mes-
The U.S. Department of Homeland Security sages to try to provoke errors that may crash the
(DHS) specified a catalog of controls for critical infra- device, impair its performance, or even potentially
structure control systems in [27]. allow execution of arbitrary code for a more precise
The U.S. Comprehensive National Cybersecurity attack.
Initiative (CNCI) has derived a set of 20 high level If the target of an assessment is an operational
controls based on a prioritization of [25] from NIST. network or enterprise, there will generally be judi-
Bell Labs maintains a knowledge base of security cious constraints on the types of tools that can be
controls, best practices, and baseline security require- employed and the rules of engagement—obviously
ments including over 800 at the product level and any risk to the service should be avoided, and the
over 70 higher-level requirements for solution tools themselves can be considered a security risk.
deployments. These are a wide-ranging set of best When the target is a pre-deployment configuration
practices for broad coverage and wide applicability in a testing environment, potentially there is scope
across all Alcatel-Lucent products, and many are for use of a wider range of tools, including more active
applicable to products that are relevant for use in criti- and aggressive options that endeavor to actually pene-
cal infrastructure deployments. trate or impair the target.
Considered in aggregate, the references above
represent a very large set of potential controls or best Architecture Assessment
practices to consider, which offer a high degree of The architecture assessment component of the
overlap between the sources. Expert judgement can assessment methodology can be a more informal and

100 Bell Labs Technical Journal DOI: 10.1002/bltj

flexible offline assessment of the current and/or pro- SCADA) and the wider context of the utility company
posed architecture of the target. Often, architecture enterprise that envelops the smart grid network
proposals or even decisions will already have been operation.
made considering factors other than security, and Acknowledgements
these will of course have security implications. An The authors would like to thank Dr. Jayant
example could be a utility company that proposes to Deshpande and Dr. Frank Feather for their valuable
migrate to a common integrated IP or MPLS network input.
for its corporate and control networks. The proposal
*Trademarks
may originally arise from considerations of total cost Modbus is a registered trademark of Schneider
of ownership, performance, quality of service, flexi- Automation Inc.
bility and future proofing. Security implications may
References
or may not have already been factors in the proposal
[1] S. Acharya and K. C. Budka, “Tele-
or decision, so must be assessed—for example, con- communications in Vertical Markets: Challenges
sidering the fact that IP and MPLS do not natively and Opportunities,” Bell Labs Tech. J., 16:3
protect confidentiality through encryption. Other (2011), 1–4.
aspects of architecture to consider include security [2] A. Akyamac, J. Deshpande, and A. McGee,
zoning (for example, the use of demilitarized zones “Achieving NERC CIP Compliance with Secure
MPLS Networks: A Bell Labs Memorandum,”
(DMZs)), placement of security appliances (including
Alcatel-Lucent White Paper, Aug. 2010.
firewalls, intrusion detection, and hardware encryp- [3] S. Baker, S. Waterman, and G. Ivanov, In the
tion devices), technology choices (e.g., LTE for the Crossfire: Critical Infrastructure in the Age of
field area network), and deployment models (e.g., the Cyber War, McAfee, 2009.
use of a private cloud deployment model in converged [4] K. C. Budka, J. G. Deshpande, T. L. Doumi,
data centers). Generally, the technical components of M. Madden, and T. Mew, “Communication
Network Architecture and Design Principles for
the architecture will have been considered as assets in
Smart Grids,” Bell Labs Tech. J., 15:2 (2010),
the threat analysis component, and they will also map 205–227.
to controls or best practices considered in the base- [5] S. Cunningham, “Cyber Security for Industrial
line assessment component of the methodology. Control Systems,” Power Engineering, Nov. 1,
Nevertheless, the architecture assessment component 2011, <http://www.power-
of the methodology allows for a particular focus on eng.com/articles/print/volume-115/issue-
11/features/cyber-security-for-industrial-
architectural perspectives, bringing to bear architec-
control-systems.html>.
ture expertise and architectural approaches. Any [6] J. G. Deshpande, E. Kim, and M. Thottan,
overlapping between the components of the assess- “Differentiated Services QoS in Smart Grid
ment methodology should be complementary to Communication Networks,” Bell Labs Tech. J.,
avoid inefficiency. 16:3 (2011), 61–81.
[7] Electric Power Research Institute (EPRI), Report
to NIST on the Smart Grid Interoperability
Conclusion
Standards Roadmap, June 2009.
An overall framework and methodology is effec- [8] European Telecommunications Standards
tive in structuring and guiding assessment of security Institute, “Telecommunications and Internet
for power grid transformations towards smart grid. Converged Services and Protocols for Advanced
The methodology described here includes component Networking (TISPAN), Methods and Protocols,
parts such as threat analysis and baseline assessment Part 1: Method and Proforma for Threat, Risk,
Vulnerability Analysis,” ETSI TS 102 165-1,
that provide different perspectives on the target.
v4.2.1, Dec. 2006, <http://www.etsi.org>.
Security assessment for smart grid must consider not [9] N. Falliere, L. O. Murchu, and E. Chien,
only the specific new applications that smart grid “W32.Stuxnet Dossier,” v1.4, Symantec, Feb.
involves, but also established applications (such as 2011.

DOI: 10.1002/bltj Bell Labs Technical Journal 101

[10] International Electrotechnical Commission, Information Technology Laboratory, Advanced
“Communication Networks and Systems in Network Technologies Division, Emerging and
Substations,” IEC TS 61850. Mobile Network Technologies Group, Smart
[11] International Electrotechnical Commission, Grid Interoperability Panel, Cyber Security
“Power Systems Management and Associated Working Group, “Guidelines for Smart Grid
Information Exchange: Data and Cyber Security,” NISTIR 7628, Aug. 2010.
Communications Security,” IEC TS 62351, May [23] United States, Department of Commerce,
2007. National Institute of Standards and Technology,
[12] International Organization for Standardization Information Technology Laboratory, Advanced
and International Electrotechnical Commission, Network Technologies Division, Emerging and
“Information Technology, Security Techniques, Mobile Network Technologies Group, Smart
Information Security Management Systems, Grid Interoperability Panel, Cyber Security
Requirements,” ISO/IEC 27001, 2005. Working Group, Introduction to NISTIR 7628:
[13] International Organization for Standardization Guidelines for Smart Grid Cyber Security, Sept.
and International Electrotechnical Commission, 2010.
“Information Technology, Security Techniques, [24] United States, Department of Commerce,
Information Security Risk Management,” National Institute of Standards and Technology,
ISO/IEC 27005, 2011. Information Technology Laboratory, Computer
[14] International Telecommunication Union, Security Division, “Risk Management Guide for
Telecommunication Standardization Sector, Information Technology Systems,” NIST SP 800-
“Security Architecture for Systems Providing 30, July 2002.
End-to-End Communications,” ITU-T Rec. [25] United States, Department of Commerce,
X.805, Oct. 2003, <http://www.itu.int>. National Institute of Standards and Technology,
[15] J. A. Jones, “An Introduction to Factor Analysis Information Technology Laboratory, Computer
of Information Risk (FAIR),” Risk Management Security Division, “Recommended Security
Insight White Paper, Draft, 2005, Controls for Federal Information Systems and
<http://www.riskmanagementinsight.com/med Organizations,” NIST SP 800-53, Rev. 3, Aug.
ia/documents/FAIR_Introduction.pdf>. 2009.
[16] Y.-J. Kim, V. Kolesnikov, H. Kim, and [26] United States, Department of Commerce,
M. Thottan, “SSTP: A Scalable and Secure National Institute of Standards and Technology,
Transport Protocol for Smart Grid Data Information Technology Laboratory, Computer
Collection,” Proc. IEEE Internat. Conf. on Smart Security Division, “Guide to Industrial Control
Grid Commun. (SmartGridComm ’11) Systems (ICS) Security,” NIST SP 800-82, June
(Brussels, Bel., 2011), pp. 161–166. 2011.
[17] Y.-J. Kim, M. Thottan, V. Kolesnikov, and [27] United States, Department of Homeland
W. Lee, “A Secure Decentralized Data-Centric Security, National Protection and Programs
Information Infrastructure for Smart Grid,” Directorate, Office of Cyber Security and
IEEE Commun. Mag., 48:11 (2010), 58–65. Communications, National Cyber Security
[18] North American Electric Reliability Corporation Division, “Catalog of Control Systems Security:
(NERC), “Standards: Reliability Standards,” Recommendations for Standards Developers,”
“Critical Infrastructure Protection (CIP),” Sept. 2009, <www.us-cert.gov/control_systems
<http://www.nerc.com/page.php?cid=2%7C20 /pdf/Catalog_of_Control_Systems_Security_Rec
standards>. ommendations.pdf>.
[19] SANS Institute, Twenty Critical Security
Controls for Effective Cyber Defense: Consensus
Audit Guidelines (CAG), v3.1, Oct. 3, 2011. (Manuscript approved May 2012)
[20] P. Schneck, “In the Dark: Crucial Industries
Confront Cyberattacks,” McAfee Blog, Apr. 19, ALAN J. MCBRIDE is a consulting member of technical
2011. staff in Bell Labs CTO Security Technology
[21] F. Swiderski and W. Snyder, Threat Modeling, Office in Dublin, Ireland. He is a Certified
Microsoft Press, Redmond, WA, 2004. Information Systems Security Professional
[22] United States, Department of Commerce, (CISSP), and holds a B.S. degree in computer
National Institute of Standards and Technology, science from Trinity College, University of

102 Bell Labs Technical Journal DOI: 10.1002/bltj

Dublin, in Ireland. Mr. McBride has worked in the
telecommunications domain for over 20 years,
primarily in the areas of network management and
security. His current areas of focus include security for
Cloud Computing and for Critical Infrastructure.

ANDREW R. MCGEE is a distinguished member of

technical staff in the Alcatel-Lucent Bell
Labs CTO Security Technology Office in
Murray Hill, New Jersey. He is a Certified
Information Systems Security Professional
(CISSP), a GIAC Certified Incident Handler
(GCIH), and is certified as a GIAC Reverse Engineering
Malware (GREM) analyst. Mr. McGee has over 20 years
of telecommunications experience and is currently
responsible for the development and analysis of
advanced security architectures and security services for
next-generation networks. In this capacity, Mr. McGee
has defined the Alcatel-Lucent corporate-wide threat
analysis methodology, performed threat and
vulnerability analyses, designed security architectures,
and defined detailed security requirements for next-
generation network (NGN) technologies such as
converged IP networks, third generation (3G) and
fourth generation (4G) cellular, Voice over Internet
Protocol (VoIP), Internet Protocol television (IPTV), and
critical infrastructure networks. Mr. McGee is
responsible for key security contributions to the ITU-T
and ISO/IEC standards bodies and holds three patents in
the areas of data networking and cyber-security.
Mr. McGee received a B.S. degree from Michigan State
University in East Lansing, and an M.S. degree from
Rutgers University in New Brunswick, New Jersey, both
in computer science. ◆

DOI: 10.1002/bltj Bell Labs Technical Journal 103