Security of Industrial Control Systems and Cyber-Physical Systems 2016
Costas Lambrinoudakis
Frédéric Cuppens
Sokratis Katsikas (Eds.)
LNCS 10166
Lecture Notes in Computer Science 10166
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Nora Cuppens-Boulahia Costas Lambrinoudakis
Security of Industrial
Control Systems and
Cyber-Physical Systems
Second International Workshop, CyberICPS 2016
Heraklion, Crete, Greece, September 26–30, 2016
Revised Selected Papers
Editors
Nora Cuppens-Boulahia, Telecom Bretagne, Cesson Sevigne, France
Frédéric Cuppens, Telecom Bretagne, Cesson Sevigne, France
Costas Lambrinoudakis, University of Piraeus, Piraeus, Greece
Sokratis Katsikas, Norwegian University of Science and Technology, Gjøvik, Norway
This book presents the revised and selected papers of the Second Workshop on the
Security of Industrial Control Systems and Cyber-Physical Systems (CyberICPS 2016),
held in Crete, Greece, during September 26–30, 2016, and co-located with the 21st
European Symposium on Research in Computer Security (ESORICS 2016).
The event aims to address the increasing number of cyber threats that cyber-physical
systems operators around the world face. Cyber-physical systems range in size,
complexity, and criticality, from embedded systems used in smart vehicles, to SCADA and
industrial control systems like energy and water distribution systems, smart
transportation systems etc.
The workshop program included two invited papers and five full papers. The invited
papers were entitled “Security of Cyber-Physical Systems: From Theory to Testbeds
and Validation” and “Critical Infrastructure Protection: A Holistic Methodology for
Greece” presented by Joaquin Garcia-Alfaro (Telecom SudParis, CNRS, Université
Paris-Saclay, Evry, France) and George Stergiopoulos (Information Security & Critical
Infrastructure Protection Laboratory, Department of Informatics, Athens University of
Economics & Business, Greece), respectively. The reviewed paper sessions covered
topics related to the management of cyber-security in industrial control systems and
cyber-physical systems, including security monitoring, trust management, security
policies and measures.
We would like to express our thanks to the people who assisted us in organizing the
event and formulating the program. We are very grateful to the Program Committee
members for their timely and rigorous reviews of the papers. Finally, we would like to
thank all authors who submitted papers for the event and contributed to an interesting
set of conference proceedings.
General Chairs
Frédéric Cuppens Télécom Bretagne, France
Sokratis Katsikas Center for Cyber and Information Security, Norwegian
University of Science and Technology, Norway
Program Committee
Alcaraz Cristina University of Malaga, Spain
Ayed Samiha IMT-Telecom-Bretagne, France
Conti Mauro University of Padua, Italy
Debar Hervé Télécom SudParis, France
Debbabi Mourad Concordia University, Canada
Espes David University of Brest, France
Gollmann Dieter Hamburg University of Technology, Germany
Kanoun Waël Alcatel-Lucent Bell Labs, France
Mambo Masahiro Kanazawa University, Japan
Mauw Sjouke University of Luxembourg, Luxembourg
Meng Weizhi Institute for Infocomm Research, Singapore
Mitchell Chris Royal Holloway, University of London, UK
Röning Juha University of Oulu, Finland
Roudier Yves EURECOM, France
Vyskoc Jozef VaF, Slovakia
Wahid Khan Ferdous Airbus Defence and Space GmbH, Germany
Wolthusen Stephen Royal Holloway, University of London, UK
Zanero Stefano Politecnico di Milano, Italy
1 Introduction
Traditional control systems are evolving in an effort to reduce complexity and
cost. These systems are converging into using a shared network layer, enabling
interconnectivity between different manufacturers. Despite all the evident
advantages of joining the communication layer in a shared network, this evolution also
opens the door to the emergence of sophisticated cyber-threats [6,13]. These
threats need to be assessed to offer novel countermeasures to minimize the risk
when using shared communication layers.
Critical services infrastructures, such as water management, transportation
of electricity, rail and air traffic control, belong to systems nowadays coined as
Cyber-Physical Systems (CPSs). The impact of any security breach to these
environments can affect the physical integrity of individuals in contact with those
systems. Even basic threats such as replay cyber-physical attacks [22] could
potentially cause significant damage if attack detection is not properly
undertaken. Within this scope, our goal is to put into practice solutions of theoretical
nature, modeled and implemented under realistic scenarios, in order to
analyze their effectiveness against intentional attacks. More precisely, we assume
cyber-physical environments operated by SCADA (Supervisory Control And
Data Acquisition) technologies and industrial control protocols. We focus on
two representative protocols, which are widely used in the industry: Modbus
and DNP3 [5,16]. Both protocols have TCP-enabled versions. This allows us to
emulate cyber-physical environments under shared network infrastructures.
We assume a Master-Slave design pattern, which mainly dictates that slaves
do not initiate any communication unless a given master requests an initial
operation. One of our objectives has been to combine these two protocols, both
to allow the flexibility and support of several devices with Modbus as well as the
security enhancements that DNP3 could provide as one of its features.
Furthermore, some cyber-physical detection mechanisms based on challenge-response
strategies proposed in [15,20] are embedded in our SCADA testbed to experiment
with and analyze their real-world performance. To complement the testbed,
a set of adversarial scenarios is designed and developed to test attacks against
the emulated environment. These scenarios focus on attacking the Modbus
segments of the SCADA architecture. The final goal is to analyze the effectiveness
of novel security methods implemented upon the emulated environment, and
under the enforcement of some attack models.
© Springer International Publishing AG 2017
N. Cuppens-Boulahia et al. (Eds.): CyberICPS 2016, LNCS 10166, pp. 3–18, 2017.
DOI: 10.1007/978-3-319-61437-3_1
J. Rubio-Hernan et al.
Paper Organization — Section 2 provides the background. Section 3 provides
details about the testbed implementation. Section 4 presents some experimental
results. Section 5 provides related work. Section 6 concludes the paper.
2 Background
Protocols for industrial control systems built upon SCADA technologies must
cover regulation rules such as delays and faults [2]. However, few protocols
imposed by industrial standards provide security features in the traditional ICT
security sense. Details about two representative SCADA protocols used in our
work follow.
Modbus — One of the first protocols that stands out when working with
data acquisition systems is Modbus [16]. It was developed around the 1980s,
with no security concerns, as was common at that time. It was
developed by Modicon to be used with their PLCs. The protocol was formulated
as a method to transmit data between electrical devices over serial lines. In the
standard working mode, Modbus has a master and slave architecture, which is
very common for half-duplex communications. The protocol is free and open
source, making it very popular in the automation industry. The protocol
evolved to allow different communication technologies, for instance Modbus
ASCII for serial communications and Modbus TCP/IP for Ethernet networks.
Distributed Network Protocol (DNP3) — As with Modbus, DNP3 is a
query-response protocol for process automation systems. Messages are sent over
serial bus connections or Ethernet networks (using the TCP/IP stack) [5]. The
protocol has recently been leaning towards a more security-oriented design.
Previous versions of the protocol suffered from the same kind of design conception,
where security was not taken into account because of the inherent level of security
provided by the dedicated networks that carried this protocol.
3 Testbed Design
3.1 Architecture
Closed-loop systems are systems which rely upon internally gathered
information to perform, correct, change or even stop actions. Such systems are
important in control theory and are known to have two-way communication,
one direction to read data and the other to forward commands.
We can observe three important block elements: the controller, the system
itself, and the sensors. The controller reads data from the sensors, computes new
information and transmits new commands to the system (i.e., the system control
input). The system control input is generated by the controller with the purpose
of correcting the behavior of the system, under some previously established
limits. The system is what we normally see as the entity under control. The sensors
are the feedback link between the system and the controller. Their purpose is to
quantify the output and provide the necessary information to the controller, in
order to compare and, if necessary, correct the behavior of the system.
The architecture proposed for our SCADA testbed works as follows. All the
aforementioned elements can be distributed across several nodes in a shared
network combining DNP3 and Modbus protocols (cf. Fig. 1). Likewise, one or
various elements can be embedded into a single device. From a software standpoint,
the controller never connects directly to the sensors. Instead, it is integrated
in the architecture as a SCADA PLC (Programmable Logic Controller) node,
with eventual connections to some other intermediary nodes. Such nodes are
able to translate the controller commands into SCADA (e.g., either Modbus or
can intercept all communication between ends, and thus the attacker can alter,
store, analyze, replay and forge false data in the communication. Since this is
done using a testbed instead of numeric simulations, all real-life limitations are
applied to the attacker. ARP poisoning [17] is used by the attacker to intercept
the channels and eavesdrop on the communications. The attacker has a passive
and an active mode of operation. The passive mode is where the attacker only
eavesdrops, processes, and analyzes the data without modifying the information
contained in the payload of the messages. Nevertheless, Ethernet header data,
such as the hardware addresses, are modified since ARP tables are poisoned.
During the active mode, the attacker starts injecting data into the hijacked
communication. This injection, depending on the pattern of the attacker, can be a
generated response or replayed packets.
Replay Attack — The attacker uses ARP poisoning to start eavesdropping on the
connection (passive mode). After capturing enough data, the active mode starts.
The attacker injects the old captured data following the stream of packets of the
previous capture. Before starting to disrupt the system, the attacker conducts
the attack between the sensors and the controller, forging only the TCP headers
that correspond to the opened TCP sessions. Once the packets have been replayed, the
system is disrupted by forging data between the controller and the PLCs.
The process uses the $\chi^2$ detector proposed in [15]. The detector returns a metric,
$g_t$, which increases rapidly when the output of the system starts to move away
from the estimation. The metric is subsequently used to generate alerts.
The $g_t$ metric is an in-code operator that quantifies the difference between
the parametric model output and the actual system output. An increase of $g_t$
means that the system is not behaving or reacting to the watermark as expected.
Therefore, the system is likely to be under attack. The value of $g_t$ is calculated for
each iteration and compared with the values of some previous iterations. In order
to discard false positives, the controller implements the validation code presented
in Algorithm 1, to separate normal faults from attacks or severe failures. The
algorithm alerts the operator only when real intervention is required, differentiating
between faults (e.g., latency or inaccuracy events at the sensor)
and intentional attacks. For every feedback sample, the controller analyzes $g_t$.
If $g_t$ exceeds a given threshold more than window consecutive times, then it
triggers an alert.
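The alert rule described above, together with the effect of a watermark on a replayed sensor stream, can be exercised on a small simulation. The following Python code is an added example, not the authors' testbed code: the scalar plant, the bounded sensor noise, the ±1 binary watermark, the simplified residual sum used for $g_t$ (in place of the detector of [15]) and all parameter values are assumptions chosen for illustration.

```python
import random
from collections import deque

# All constants below are hypothetical values for this example.
A, B = 0.25, 1.0      # assumed plant: x[t+1] = A*x[t] + B*u[t], sensor reads x
U_NOMINAL = 1.0       # nominal control input before the watermark is added
NOISE = 0.05          # sensor noise is uniform in [-NOISE, NOISE]
SIGMA = 0.05          # scale used to normalise the residual
J = 4                 # number of recent residuals summed into g_t
THRESHOLD = 20.0      # detection threshold on g_t
WINDOW = 5            # alert after more than WINDOW consecutive exceedances


class AlertFilter:
    """Alert only when g_t stays above the threshold more than `window` times in a row."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window, self.hits = threshold, window, 0

    def update(self, g_t):
        # A single sample back under the threshold resets the counter.
        self.hits = self.hits + 1 if g_t > self.threshold else 0
        return self.hits > self.window


def run(steps=300, watermark_amp=0.0, replay=None, glitch_at=None, seed=7):
    """Simulate the control loop; return (g_series, first_alert_step or None).

    replay = (rec_start, rec_end, attack_start): sensor values seen in
    [rec_start, rec_end) are recorded, then looped back to the controller
    from attack_start on, in place of the real measurements.
    """
    noise_rng = random.Random(seed)
    wm_rng = random.Random(seed + 1)      # watermark source known to the controller only
    x = x_hat = 0.0                       # plant state and controller's model state
    residuals = deque(maxlen=J)
    alert_filter = AlertFilter()
    recorded, g_series, first_alert = [], [], None

    for t in range(steps):
        y = x + noise_rng.uniform(-NOISE, NOISE)      # genuine sensor reading
        if glitch_at == t:
            y += 0.5                                  # one-sample sensor fault
        if replay:
            rec_start, rec_end, attack_start = replay
            if rec_start <= t < rec_end:
                recorded.append(y)                    # passive mode: eavesdrop
            elif t >= attack_start:
                y = recorded[(t - attack_start) % len(recorded)]  # active mode

        # g_t: sum of the last J normalised squared residuals (model vs. received).
        residuals.append(((y - x_hat) / SIGMA) ** 2)
        g_t = sum(residuals)
        g_series.append(g_t)
        if alert_filter.update(g_t) and first_alert is None:
            first_alert = t

        # The controller superimposes the watermark on the nominal input.
        u = U_NOMINAL + watermark_amp * wm_rng.choice((-1.0, 1.0))
        x = A * x + B * u            # physical system reacts to the watermark
        x_hat = A * x_hat + B * u    # model predicts the reaction to the same input
    return g_series, first_alert


if __name__ == "__main__":
    scenarios = {
        "clean, watermark": dict(watermark_amp=1.0),
        "sensor glitch, watermark": dict(watermark_amp=1.0, glitch_at=50),
        "replay, no watermark": dict(watermark_amp=0.0, replay=(40, 100, 100)),
        "replay, watermark": dict(watermark_amp=1.0, replay=(40, 100, 100)),
    }
    for name, kwargs in scenarios.items():
        g, alert = run(**kwargs)
        print(f"{name:26s} max g_t = {max(g):9.1f}  first alert = {alert}")
```

With these constants a one-sample sensor fault keeps $g_t$ above the threshold for only J samples and is filtered out, a replay against an input without watermark produces no alert, and a replay against the watermarked input does.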
4.1 Experimentation
[Figure 5: six panels, each plotting the detector value $g_t$ (vertical axis, 0 to 180) against Time (s) (horizontal axis, 0 to 16). Recovered panel titles: (a) No watermark under replay attack; (b) Stationary watermark under replay attack.]
Fig. 5. Detection results. The horizontal solid line represents the threshold. The vertical
dotted line represents the moment when the attack starts. Peaks on the left side of the
vertical dotted line represent false positives. (a), (b) detection values of $g_t$, without and
with stationary watermark under replay attack. (c), (d) detection values with stationary
and non-stationary watermark under non-parametric attack. And (e), (f) detection
values with stationary and non-stationary watermark under parametric attack.
attack. This shows how the non-stationary watermark mechanism does improve
the detection abilities compared to the stationary watermark approach.
Figures 5(e) and (f) evaluate the scenario associated with the parametric
attacks. Theoretically, the attacker is expected to evade the detector when the
attack succeeds at properly identifying the parameters of the system dynamics.
Figure 5(e) represents the experiments where the parametric attack is executed
under the stationary watermark scenario. The figure shows that the detector
value, $g_t$, remains most of the time below the detection threshold. Figure 5(f)
shows the behavior of the detector under the non-stationary watermark scenario.
This time, the detector has slightly more chances of detecting the attack.
Using the watermark-based detection mechanism, we run for each attack
scenario 75 automated rounds (about 4 h of data collection processing). In order to
evaluate the results, we use the following metrics:
Table 1 shows the performance results of the detector, based on the Detection
Ratio and the Average detection Time metrics.
Regarding the results shown in Table 1, we can emphasize that the replay
attack is the most detectable scenario, with a detection ratio of about 40%. This
detection ratio is still far from perfect, maybe due to the sensors' accuracy and
resolution, but it is better than for the rest of the scenarios. The non-parametric attacker
has a lower detection ratio, of about 18%. This result is expected, as suggested
by the theoretical and simulation-based conclusions available in [20], where the
authors emphasize that the mechanism is not sufficiently robust to detect
adversaries that are able to identify the system model. To finish, the parametric attack
has the most robust system identification approach. The attacks can evade the
detection process if they succeed at properly identifying the system attributes.
In terms of results, they lead to the lowest detection rate of about 12%.
During the replay attack, the Average Detection Time is the slowest of all the
adversarial scenarios. This behavior is due to the watermark distribution
properties, since the watermark variation makes the replay attack highly detectable. At
the same time, the injection attacks (either the parametric or the non-parametric
version) are detected much faster than the replay attack. This is due to the
transition period needed by the attackers to estimate the correct data prior to
misleading the detector. For this reason, if the attacker does not choose the precise
moment to start the attack, the detector implemented at the controller side is
able to detect the injected data right at the beginning of the attack.
Furthermore, the attackers must also synchronize their estimations with the measurements
sent by the sensors. If the synchronization process fails, the detector
identifies the uncorrelated data and reports the attack.
Table 2 shows that the detection of the replay attack has the lowest false
negative ratio, 64.06%, hence confirming that this adversarial scenario is the
most detectable situation with regard to the detection techniques reported in
[15]. The detection of the non-parametric attacks has a higher false negative
ratio, 85.20%, confirming the theoretical and simulation-based results reported in
[20]. The detection of the parametric attacks also confirms the results estimated
in [19], leading to the highest false negative ratio, 88.63%. Finally, in
terms of false positive ratio, the three adversarial scenarios show a low impact
(on average, about 1.33% false positive ratio). Such low impact is, moreover,
easy to tune by adapting the parameters of Algorithm 1.
5 Related Work
The study of security incidents associated with cyber-physical systems underlying
critical infrastructures has gathered a great deal of attention since the infamous
Stuxnet case [13]. Since then, research on cyber-physical systems has progressed
substantially, resulting in a large number of testbeds developed and established
in the literature. A non-exhaustive list follows.
Myat-Aung presents in [9] a Secure Water Treatment (SWaT) simulation and
testbed to test defense mechanisms against a variety of attacks. Siaterlis et al.
[21] define a cyber-physical Experimentation Platform for Internet Contingencies
(EPIC) that is able to study multiple independent infrastructures and to
provide information about the propagation of faults and disruptions. Green et al. [7]
focus their work on an adaptive cyber-physical testbed where they include
different equipment, diverse networks, and also business processes. Yardley reports in
[25] a cyber-physical testbed based on commercial tools in order to
experimentally validate emerging research and technologies. The testbed combines
emulation, simulation, and real hardware to experiment with smart grid technologies.
Krotofil and Larsen show in [11] several testbeds and simulations, concluding
that a successful attack against their envisioned systems has to manage cyber
and physical knowledge.
From a more control-theoretic standpoint, Candell et al. report in [3] a
testbed to analyze the performance of security mechanisms for cyber-physical
systems. The work also reports discussions from control and security
practitioners. McLaughlin et al. analyze in [14] different testbeds and conclude that
it is necessary to use pathways between cyber and physical components of the
system in order to detect attacks. Also, Koutsandria et al. [10] implement a
testbed where the data are cross-checked, using cyber and physical elements.
Holm et al. survey, classify and analyze in [8] several cyber-physical testbeds
proposed for scientific research. In line with the aforementioned contributions,
we have presented in this paper an ongoing testbed that aims at evaluating
research mitigation techniques targeting attacks at the physical layer of
cyber-physical systems operated via SCADA protocols. The initial focus of our testbed
has been the evaluation of the control-theoretic security mechanisms reported in
[15,19,20].
6 Conclusion
provide larger datasets as results and enabling the architecture to perform
repetitive tests. Experimental results confirm previous theoretical and
simulation-based work.
Acknowledgements. The authors acknowledge support from the Cyber CNI Chair
of Institut Mines-Télécom. The chair is held by Télécom Bretagne and supported by
Airbus Defence and Space, Amossys, EDF, Orange, La Poste, Nokia, Société Générale
and the Regional Council of Brittany. It has been acknowledged by the Center of
excellence in Cybersecurity.
References
1. Aarts, R.: System identification and parameter estimation. Technical report, Faculty of Engineering Technology, University Twente (2012)
2. Brown, S.: Overview of IEC 61508 design of electrical/electronic/programmable electronic safety-related systems. Comput. Control Eng. J. 11(1), 6–12 (2000)
3. Candell, R., Stouffer, K., Anand, D.: A cybersecurity testbed for industrial control systems. In: Process Control and Safety Symposium International Society of Automation, Houston, TX (2014)
4. Chmelar, P.: Java kalman library (2014). https://sourceforge.net/projects/jkalman/. Accessed Oct 2016
5. Curtis, K.: A DNP3 protocol primer. A basic technical overview of the protocol (2005). http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf. Accessed Oct 2016
6. Graham, J.H., Patel, S.C.: Security considerations in SCADA communication protocols. Technical report TR-ISRL-04-01 (2004). http://www.cs.louisville.edu/facilities/ISLab/tech%20papers/ISRL-04-01.pdf. Accessed Oct 2016
7. Green, B., Hutchison, D., Frey, S.A.F., Rashid, A.: Testbed diversity as a fundamental principle for effective ICS security research. In: Proceedings of the First International Workshop on Security and Resilience of Cyber-Physical Infrastructures (SERECIN). Lancaster University, Technical report SCC-2016-01, pp. 12–15 (2016)
8. Holm, H., Karresand, M., Vidström, A., Westring, E.: A survey of industrial control system testbeds. In: Buchegger, S., Dam, M. (eds.) Secure IT Systems. LNCS, vol. 9417, pp. 11–26. Springer, Cham (2015). doi:10.1007/978-3-319-26502-5_2
9. Kaung Myat, A.: Secure Water Treatment Testbed (SWaT): an overview (2015). https://itrust.sutd.edu.sg/wp-content/uploads/sites/3/2015/11/Brief-Introduction-to-SWaT_181115.pdf. Accessed Oct 2016
10. Koutsandria, G., Gentz, R., Jamei, M., Scaglione, A., Peisert, S., McParland, C.: A real-time testbed environment for cyber-physical security on the power grid. In: 1st ACM Workshop on Cyber-Physical Systems-Security and/or Privacy, pp. 67–78. ACM (2015)
11. Krotofil, M., Larsen, J.: Rocking the pocket book: Hacking chemical plants for competition and extortion. DEF CON 23 (2015)
12. Lagu, S.S., Deshmukh, S.B.: Raspberry Pi for automation of water treatment plant. In: International Conference on Computing Communication Control and Automation (ICCUBEA), pp. 532–536, February 2015
13. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)
14. McLaughlin, S., Konstantinou, C., Wang, X., Davi, L., Sadeghi, A.-R., Maniatakos, M., Karri, R.: The cybersecurity landscape in industrial control systems. Proc. IEEE 104(5), 1039–1057 (2016)
15. Mo, Y., Weerakkody, S., Sinopoli, B.: Physical authentication of control systems: designing watermarked control inputs to detect counterfeit sensor outputs. IEEE Control Syst. 35(1), 93–109 (2015)
16. Modbus Organization: Official Modbus Specifications (2016). http://www.modbus.org/specs.php. Accessed Oct 2016
17. Nam, S.Y., Kim, D., Kim, J.: Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks. IEEE Commun. Lett. 14(2), 187–189 (2010)
18. Rollins, M.: Beginning LEGO MINDSTORMS EV3. Apress, Berkeley (2014)
19. Rubio-Hernan, J., De Cicco, L., Garcia-Alfaro, J.: Event-triggered watermarking control to handle cyber-physical integrity attacks. In: Brumley, B.B., Röning, J. (eds.) NordSec 2016. LNCS, vol. 10014, pp. 3–19. Springer, Cham (2016). doi:10.1007/978-3-319-47560-8_1
20. Rubio-Hernan, J., De Cicco, L., Garcia-Alfaro, J.: Revisiting a watermark-based detection scheme to handle cyber-physical attacks. In: 11th International Conference on Availability, Reliability and Security, Salzburg, Austria. IEEE, September 2016
21. Siaterlis, C., Genge, B., Hohenadel, M.: EPIC: a testbed for scientifically rigorous cyber-physical security experimentation. IEEE Trans. Emerg. Topics Comput. 1(2), 319–330 (2013)
22. Teixeira, A., Shames, I., Sandberg, H., Johansson, K.H.: A secure control framework for resource-limited adversaries. Automatica 51, 135–148 (2015)
23. Wimberger, D., Charlton, J.: Java modbus library (2004). http://jamod.sourceforge.net. Accessed Oct 2016
24. Wu, G., Sun, J., Chen, J.: A survey on the security of cyber-physical systems. Control Theory Technol. 14(1), 2–10 (2016)
25. Yardley, T.: Testbed cross-cutting research (2014). https://tcipg.org/research/testbed-cross-cutting-research. Accessed Oct 2016
26. Zhu, Y.: New development in industrial MPC identification. In: Proceedings of the International Symposium on Advanced Control of Chemical Processes (ADChEM), Hong Kong, China, January 2003
Critical Infrastructure Protection:
A Holistic Methodology for Greece
1 Introduction
The protection of Critical Infrastructures (CI) is, by definition, of high importance for
the welfare of citizens of each country; especially nowadays, both because of direct
threats (dictated by the current international political situation) and also due to
emerging interactions or dependencies [13–15] developed between national CI at
international and European levels.
Today, Greece remains one of the few countries of the European Union which,
besides the formal transposition of the 114/2008/EC Directive into domestic
legislation, has not implemented a comprehensive CI protection strategy, nor any process of
developing such an integrated plan, except for some initiatives taken by the General
Secretariat of Digital Policy.
© Springer International Publishing AG 2017
N. Cuppens-Boulahia et al. (Eds.): CyberICPS 2016, LNCS 10166, pp. 19–34, 2017.
DOI: 10.1007/978-3-319-61437-3_2
20 D. Gritzalis et al.
This paper presents some of the results derived from project OLIKY (footnote 1), which
aimed to provide a road-map towards the development of a holistic national CIP
strategy for Greece. The basic goals of OLIKY included, among others:
1. The initial creation of an inventory and an initial ranking of candidate national CI,
along with their supervised entities, in order to identify the most critical services
and their dependencies, to adequately protect and increase their resilience against
known or unknown threats.
2. The assessment of critical services and interdependencies between candidate
national CI based on a methodology for the classification of national critical
components.
The objectives of the OLIKY project did not include a comprehensive coverage and
assessment of all national CI, nor the proposal of a detailed security policy for each CI.
This would not be feasible in the context of an independent study, since the complete
recording and evaluation of all CI nationwide requires an authorized body with the
institutional and legal feasibility of collecting and processing classified information
along with the cooperation of all national CI operators. However, an initial systematic
identification and evaluation of Greek CI may act as a catalyst for conducting such an
in-depth analysis.
Contribution. The main contributions of this paper include:
1. The development of an inventory of all stakeholders (legislative, supervisory or
regulatory) involved in the protection of the Greek CI.
2. The identification of potential national CI, as well as their interdependencies. In
particular, an attempt was made to identify national CIs in the Energy, Transport
and Information and Communication Technologies (ICT) sectors.
3. The development of a structured identification methodology for national CI, taking
into account internationally applied CI identification methodologies. A range of
three evaluation levels (criticality) and specific evaluation criteria for the integration
of critical components in criticality levels will also be developed and utilized, as
part of the proposed methodology.
4. The pilot implementation of the proposed methodology to a list of candidate
national CI fields in order to rank their criticality; namely on the Energy and ICT
sectors.
The identification and evaluation of national CI first requires the creation of an initial
list of potential CI, at sector and subsector levels. In this section, the services of three
key critical sectors of the country are being mapped; namely those concerning the
Energy, Transport and ICT sectors.
Footnote 1: All OLIKY project deliverables (in Greek) can be found at: http://www.dianeosis.org/2016/07/ideas_infrastractures_protection/.
Table 1. List of potential CI, sectors, and subsectors selected for Greece
Sector Subsector Service
Energy Electricity Generation (all forms)/
Transmission
Distribution/Electricity market
Oil Extraction/Refinement
Transport/Storage
Natural gas Extraction/Transport
Distribution/Storage
Information and Information Web services/Internet
communication technologies technologies Computer networks/Services
(ICT) cloud
Software as a service (SaaS)
Communications Voice/Data communications
Mobile communications/Satellite
Radio
communication/Broadcasting
Water Drinking water Water storage/Quality assurance
Water distribution
Wastewater Wastewater collection &
treatment
Food Food supply chains Agriculture/Food production
Food supply
Food distribution/Quality/Safety
Health Hospital & health Emergency healthcare/Hospital
facilities care (inpatient & outpatient)
Supply of medicines, vaccines,
blood & medical supplies
Control of infections and
epidemics
Financial services Banking/Stock exchange
Payment transactions
Public order & security Public order Maintenance of public order and
safety
Justice Judiciary and penal systems
Transportations Aviation Air navigation services
Airport operation
Road transport Bus/Tram services/Road network
maintenance
Train transport Railway network management
Railway transport services
Maritime transport Navigation control - cruises
Coastal interconnection
Postal services Logistic services
Payment transactions
Industry Critical industries Employment/GDP/Supply of
goods
Chemical/Nuclear Storage & disposal of hazardous
industry materials
Safety of high risk industrial units
Tourism Hotel supplies
Restaurant supplies
Agriculture Agricultural unit supply
Water supply services
Public administration Government/Ministries Government functions
Regional Civil services
administration
Civil protection Emergency and rescue services
Environment Air pollution monitoring and
early warning
Meteorological monitoring and
early warning
Ground water (lake/river)
monitoring and early warning
Marine pollution monitoring and
control
Defense National defense
To identify candidate Greek CI, the ENISA List of Critical Sectors and
Related Critical Services [7] was used to create an overview of the Critical Sectors,
reported in Table 1, in which specific areas were selected as being more significant
for the country. Potential critical services that were irrelevant to Greek activities
(e.g. the Space sector) were removed from the list due to non-conformity, while others
were added due to their potentially high impact on Greece’s GDP, such as Tourism and
associated services.
Based on the collection of public information and scientific expertise of the panel
members, the following critical areas were selected for our study: (a) Energy
(b) Information and Communications Technologies (ICT) and (c) Transportation.
Results from identifying interdependencies and main stakeholders for these three
fundamental CI sectors are presented in Tables 2, 3 and 4, respectively. These tables
contain critical domains, sub domains for each critical service, the key subsystems that
are necessary for providing each service, the essential interdependencies with other
(sub) sectors, as well as an inventory of the providers of each service involved in the
country.
Energy sector
In Greece, multiple providers support the various subsectors of the Energy sector. In
some subsectors, a single provider (or a very small number of providers) holds a
dominant position, which makes it the obvious candidate CI for the Energy sector. In
other subsectors, the Energy market has changed over the last years, usually because
of Greece’s need to comply with the relevant European Directives, but also due to the
economic situation of the country.
ICT sector
Information and Telecommunication Technologies (the ICT sector) is a sector of high
criticality, since it provides information assets and services to almost all other
critical services in the country. Of all the ICT subsectors, Telecommunication appears
to be the most important in Greece. Strong centralization of services is observed in
the Greek ICT sector, although for some services there seems to be a more balanced
distribution of providers. For this reason, several providers have been identified as
candidate CI for this sector, although their “weight” may vary significantly.
Table 4. (continued)
Critical Critical Interdependencies Main Stakeholders
Subsector Service Depends upon Affects
Shipping Ports and port Availability Providing Min. of infrastructure
infrastructure ferry transport and transport
ICT Systems Trade Min. of Shipping and
Island Policy
Interoperability Industry Piraeus Port
infrastructure Authority SA
COSCO SA
Environment & Enterprises Thessaloniki port
weather authority SA
Agriculture Greek port
authorities
Coastal Port Tourism Ferry operators
transport & infrastructure transport companies
transportation Availability of Trade Tourist companies
mineral resources
& energy
Marine signaling Industry
system
ICT systems Enterprises
Environment & Agriculture
weather
Aviation Airports and Availability Air Hellenic civil
airport transportation aviation authority
infrastructure ICT systems tourism Athens international
airport
Interoperability Hellenic republic
infrastructure asset development
Environment & fund
weather
Air transport Availability Tourism Hellenic civil
petroleum Trade aviation authority
System radar air AIRCARRIERS
navigation
services
ICT Systems Government EUROCONTROL
Environment & agencies
Weather
Rail Network Rail Communications Trade industry Greek Railways/OSE
Transport infrastructure systems & SA
information ERGOSE SA
GAIAOSE SA
Rail transport Rail Trade Greek railways
infrastructure companies
network
Energy Industry TRAINOSE SA
availability
ICT systems Business STASY SA
Interoperability Agriculture AMEL SA
infrastructure
Tourism TRAM SA
Transportation Sector
The transport sector provides services to multiple other sectors and supports many
economic activities such as trading, tourism, industry, rural development and the
exploitation of natural resources of Greece. The sector is subdivided into Road, Sea,
Air and Rail transport along with postal services.
This section describes a methodology for identifying and evaluating national CI,
structured as a sequence of steps. Each step provides a brief description, the input
data (or parameters) necessary for its execution, the implementation actions needed
and the expected results. The development of the methodology took into consideration
previous work from other EU members [7–12, 16–20, 26], since following best practice
and creating a common baseline throughout the EU is of utmost importance.
Categories of criteria for the integration of candidate CI were defined inside the
methodology. These include direct assessment criteria, time-based criteria and indirect
criteria used to evaluate the “importance” of the CI. Direct evaluation criteria are
based on the assessment of the potential impacts (impact-based classification) that are
expected to manifest after an attack on the relevant infrastructures.
Time-based criteria such as estimated recovery time, and estimated impact evolu-
tion over time are used for prioritizing CI within each risk level. Indirect criteria
consider, amongst others, second order dependencies, which may eventually upgrade a
candidate CI to a higher criticality level, e.g., when other critical elements depend on it.
Indeed, the analysis of interdependencies between CI can identify CI that might have
been underestimated during previous analysis [13–15, 21–25].
For each critical service, sectorial and horizontal criteria are utilized for the
identification of its most important subsystems. The methodology does not take into
account threats (or threat scenarios), nor does it assess them according to their
likelihood. A schematic overview of the described methodology is presented in Fig. 1.
Results. The amended list of critical elements and CI, or the update of the previous
assessment of critical components (domains, subdomains, services and systems).
Production of electrical power:
• Territory: LEVEL 3
• Important % of GNP: LEVEL 3
• Potential Loss in case of accident: LEVEL 1
• Potential in case of accident: LEVEL 1
• Effect on the lives of million citizens: LEVEL 3
• Rapid consequence manifestation, Slow recovery: CATEGORY 3
• Affects most CIs: LEVEL 3
Transportation/Distribution of electrical power:
• Territory: LEVEL 3
• Important % of GNP: LEVEL 3
• Potential Loss due to impact on Health Sector: LEVEL 1
• Effect on the lives of million citizens: LEVEL 3
• Rapid consequence manifestation, Slow recovery: CATEGORY 3
• Affects most CIs: LEVEL 3
Electrical power market:
• Territory: LEVEL 3
• Important % of GNP: LEVEL 3
• Effect on the lives of million citizens: LEVEL 3
• Rapid consequence manifestation, Slow recovery: CATEGORY 2
• Affects most CIs: LEVEL 3
Based on the application of the evaluation criteria and taking into account the
record of providers/operators per service, our evaluation provided the following:
• In the Electricity sub-sector all services are assessed as highly critical, both for
direct and indirect dependencies. To an extent, they also depend on one provider/IM
(PPC).
• Concerning the temporal analysis of impact, the Production and Distribution
services have higher priority than the electricity market service, as far as recovery
time is concerned.
• At the subsystems level, all subsystems used to support this sector’s services must
be tested using the corresponding sectoral criteria.
Acknowledgments. This work was performed within the OLIKY project framework. OLIKY
was coordinated by the INFOSEC Laboratory (Athens University of Economics & Business) and
funded by diaNEOsis, a non-government and non-profit research and analysis organization,
located in Greece. The opinions expressed herein are those of the authors.
References
1. EU Commission: Communication from the Commission on a European Programme for
Critical Infrastructure Protection COM (2006) 786 final (2006)
2. EU Commission: European Commission, staff working document on the review of the
European Programme for Critical Infrastructure Protection (EPCIP), Brussels (2012)
3. EU Commission: European Commission, staff working document on a new approach to the
European Programme for Critical Infrastructure Protection (making European Critical
Infrastructures more secure), Brussels, Belgium (2013)
4. EU Commission 149: European Commission. Protecting Europe from large scale
cyber-attacks and disruptions: enhancing preparedness, security and resilience (2009)
5. EU Council: Council of the European Union, Non-Binding Guidelines for the application of
the Directive on the identification and designation of European Critical Infrastructure and the
assessment of the need to improve their protection, Brussels [14808/08] (2008b)
6. EU Council: Proposal for a COUNCIL DECISION on a Critical Infrastructure Warning
Information Network (CIWIN). COM (2008) 676 final (2008c)
7. ENISA, Mattioli, R., Levy-Bencheton, C.: Methodologies for the identification of Critical
Information Infrastructure assets and services. ENISA Report, December 2014 (2014)
8. Faily, S., Stergiopoulos, G., Katos, V., Gritzalis, D.: “Water, Water, Every Where”: nuances
for a water industry critical infrastructure specification exemplar. In: Rome, E., Theochari-
dou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 243–246. Springer, Cham
(2016). doi:10.1007/978-3-319-33331-1_20
9. FC: Federal council’s basic strategy for critical infrastructure protection, basis for the
national critical infrastructure protection strategy. In: Confédération Swisse, 18 May 2009
(2009)
10. French Strategy: French national digital security strategy. French Republic (2015)
11. FRG: National Strategy for Critical Infrastructure Protection (CIP Strategy). Federal
Ministry of the Interior, Federal Republic of Germany. Berlin, June 17 2009
12. Klaver, M., Luiijf, H., Nieuwenhuijsen, A.: RECIPE: Good practices manual for CIP
policies, for policy makers in Europe (2011)
13. Kotzanikolaou, P., Theocharidou, M., Gritzalis, D.: Accessing n-order dependencies
between critical infrastructures. Int. J. Crit. Infrastruct. Prot. 9(1–2), 93–110 (2013)
14. Kotzanikolaou, P., Theoharidou, M., Gritzalis, D.: Cascading effects of common-cause
failures in critical infrastructures. In: Butts, J., Shenoi, S. (eds.) ICCIP 2013. IAICT, vol.
417, pp. 171–182. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45330-4_12
15. Kotzanikolaou, P., Theoharidou, M., Gritzalis, D.: Interdependencies between critical
infrastructures: analyzing the risk of cascading effects. In: Bologna, S., Hämmerli, B.,
Gritzalis, D., Wolthusen, S. (eds.) CRITIS 2011. LNCS, vol. 6983, pp. 104–115. Springer,
Heidelberg (2013). doi:10.1007/978-3-642-41476-3_9
16. Lebau-Marianna, D., Roger, E.: France – three decrees reinforced the safety obligations of
Operators of Vital Importance, 8 July 2015
17. Livre Blanc: Défense et sécurité nationale, République Francaise (2013)
18. Luiijf, E., Burger, H., Klaver, M.: Critical infrastructure protection in the Netherlands: a
quick-scan. In: EICAR Conference Best Paper Proceedings (Vol. 19). Denmark (2003)
19. MSB: A first step towards a national risk assessment. Swedish Civil Contingencies
Agency-MSB, Sweden (2011)
20. MSB: Action Plan for the Protection of Vital Societal Functions & Critical Infrastructure.
Swedish Civil Contingencies Agency, Risk & Vulnerability Reduction Department (2014)
21. Renda, A., Hammerli, B.: Protecting critical infrastructure in the EU. CEPS Task
Force Report (2010)
22. Salonikias, S., Mavridis, I., Gritzalis, D.: Access control issues in utilizing fog computing for
transport infrastructure. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015.
LNCS, vol. 9578, pp. 15–26. Springer, Cham (2016). doi:10.1007/978-3-319-33331-1_2
23. Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M., Gritzalis, D.: Risk mitigation
strategies for critical infrastructures based on graph centrality analysis. Int. J. Crit.
Infrastruct. Prot. 10, 34–44 (2015)
24. Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M., Lykou, G., Gritzalis, D.: Time-base
critical infrastructure dependency analysis for large-scale and cross-sectoral failures. Int.
J. Crit. Infrastruct. Prot. 12, 46–60 (2016)
25. Theocharidou, M., Kandias, M., Gritzalis, D.: Securing transportation-critical infrastructures:
trends and perspectives. In: Georgiadis, C.K., Jahankhani, H., Pimenidis, E., Bashroush, R.,
Al-Nemrat, A. (eds.) Global Security, Safety and Sustainability & e-Democracy. LNICST, vol.
99, pp. 171–178. Springer, Berlin, Heidelberg (2012). doi:10.1007/978-3-642-33448-1_24
26. UK: Strategic Framework and Policy Statement on Improving the Resilience of Critical
Infrastructure to Disruption from Natural Hazards (2010)
Full Papers
A Security Policy Infrastructure
for Tactical Service Oriented Architectures
1 Introduction
Tactical networks are of Ad-Hoc nature, subjected to a variety of constraints
related both to the limited operational characteristics of the deployed nodes and
the scarcity of network resources. Such constraints impede the attainment of
requisite protection goals, by rendering current generic solutions unsuitable, due
to limited adaptability over the network dynamics. For that purpose, within the
project TACTICS (TACTICal Service oriented architecture), suitable security
solutions have been developed, tailored to the characteristics of tactical service
oriented architectures. Within this scope our study aims to identify and support
fine-grained protection goals over the initial over provisioned operational stages,
but mainly through the anticipated degraded and disrupted mission execution
phases.
Earlier studies [1,2] presented a detailed risk analysis of tactical SOA,
investigating the impact of the aforementioned constraints across the three stages
of tactical operations (Preparation-Execution-Debrief). Furthermore, suitable
security requirements and protection goals have been identified, referring to the
security of communication procedures, transitive information, data at rest and
service choreography related processes. Finally, the feasible benefits of exploiting
the unique characteristics of service oriented architectures have been identified,
aiming to utilise them for the enhancement of the implemented security
mechanisms.
V. Gkioulos and S.D. Wolthusen
© Springer International Publishing AG 2017
N. Cuppens-Boulahia et al. (Eds.): CyberICPS 2016, LNCS 10166, pp. 37–51, 2017.
DOI: 10.1007/978-3-319-61437-3_3
The results of these studies were subsequently used to extract functional
requirements for the developed security policy mechanisms [3–5]. These
requirements include constraints related to scalability, real time dynamic
adaptability, cross layer implementation and distributed deployment. A parallel
evaluation between the identified functional policy requirements and the
constraints imposed by the nature of tactical SOA was undertaken to examine
suitable security policy frameworks. This examination included commonly used
mechanisms, such as WS-Security, SAML [6], XACML [7] and Ponder [8], as well as
recent semantic (REI [9], KAOS [10], ROWLBAC [11], Kolter et al. [12], Trivellato
et al. [13]) and trust management frameworks (Cassandra [14], Tulip [15], RT [16],
Peer-Trust [17]). This analysis promoted the use of the Web Ontology Language
(OWL) as the most suitable solution with respect to the requirements of tactical
SOA. Thus, the same study presented a tactical policy framework and our initial
results regarding its conceptualisation.
In this paper we present a detailed analysis of this security policy framework
dedicated to tactical SOA, as it has been designed within TACTICS. Section 2
introduces the developed tactical service infrastructure, focusing on the security
related services, their interactions and functionalities. Section 3 presents the core
policy model in accordance to the decision process, along with the required steps
for the policy formalization. Finally, Sect. 4 includes a simplified example of the
prototype implementation developed for validation and demonstration purposes.
Four distinct instances of tactical nodes have been assumed within TACTICS,
each of which supports the delivery of a defined associated functionality set,
through standard interfaces. The studied tactical node types are:
The internal TSI components along with a subset of the defined core
functionalities are presented in Fig. 1, where the security related services are
highlighted (yellow). The middleware has been divided into two vertical stacks, as
presented in detail by Thorsten et al. [18], namely:
where:
$$\text{Individual Action}(k) = \{\text{Individual Rule}[k(z)],\ \text{Individual Rule}[k(z+1)],\ \ldots,\ \text{Individual Rule}[k(z+j)]\} \tag{2}$$
And:
$$\text{Observable Objects} \xrightarrow{\ \text{Individual Rule}_{k(z)}\ } \text{Governing Mechanisms}_{\text{Individual Action}(k)} \tag{3}$$
Fig. 3. Visualisation of the decision process within the formal policy model.
While the elements constituting the formal policy model have been defined as:
– Domains: The tactical policy domains have been identified in accordance
to the protection requirements as Planning, Protection, Detection, Diligence
and Response. These generic core domains can be extended or refined in order
to support fine-grained definition of policy governance.
– Individual Domain: A singular Domain corresponding to the evaluated
action.
– Capabilities: TACTICS defined a distinct set of capabilities as part of the
developed Tactical Reference Architecture (TRA), in accordance to contem-
porary operational requirements and the existing NATO Capability View
(NAF-NCV-2/7 [20]). The extended list of defined capabilities includes Effects
Management, Fire Support, Combat Service Support and Shared Situational
Awareness.
# Domain class hierarchy and the hasDomain data property
Declaration(Class(:Domains))
Declaration(Class(:Response))
SubClassOf(:Response :Domains)
EquivalentClasses(:Response DataHasValue(:hasDomain "Response"))
Declaration(DataProperty(:hasDomain))
FunctionalDataProperty(:hasDomain)
DataPropertyRange(:hasDomain DataOneOf("Defined Domains"))
Declaration(NamedIndividual(:AccessDenial))
DataPropertyAssertion(:hasDomain :AccessDenial "Response"^^xsd:string)
DataPropertyAssertion(:hasCapability :DigitalSignatureValidation
    "MessageAuthenticityAssurance"^^xsd:string)

# Individual action AccessMessagingService: declarations, ranges and assertions
Declaration(DataProperty(:hasActionSetID))
Declaration(DataProperty(:hasActionSetPriority))
Declaration(DataProperty(:hasCapability))
Declaration(DataProperty(:hasDomain))
Declaration(DataProperty(:hasGoverningMechanism))
Declaration(DataProperty(:hasRuleSetID))
Declaration(NamedIndividual(:AccessMessagingService))
FunctionalDataProperty(:hasActionSetID)
DataPropertyRange(:hasActionSetID xsd:integer)
FunctionalDataProperty(:hasActionSetPriority)
DataPropertyRange(:hasActionSetPriority xsd:integer)
FunctionalDataProperty(:hasCapability)
DataPropertyRange(:hasCapability DataOneOf("Defined Capabilities"))
FunctionalDataProperty(:hasDomain)
DataPropertyRange(:hasDomain DataOneOf("Defined Domains"))
DataPropertyRange(:hasGoverningMechanism xsd:string)
FunctionalDataProperty(:hasRuleSetID)
DataPropertyRange(:hasRuleSetID xsd:integer)
DataPropertyAssertion(:hasActionSetID :AccessMessagingService
    "9632654"^^xsd:integer)
DataPropertyAssertion(:hasActionSetPriority :AccessMessagingService
    "1"^^xsd:integer)
DataPropertyAssertion(:hasCapability :AccessMessagingService
    "ServiceAccessControl"^^xsd:string)
DataPropertyAssertion(:hasDomain :AccessMessagingService
    "Protection"^^xsd:string)
DataPropertyAssertion(:hasGoverningMechanism :AccessMessagingService
    "AuthServ23"^^xsd:string)
DataPropertyAssertion(:hasRuleSetID :AccessMessagingService
    "86514665"^^xsd:integer)
It must be noted that in terms of ease of implementation and deployment,
the same procedure can be used for the definition of Action clusters according
to invocation and statistical patterns. Utilising constrained class equivalences
and exceptions, Actions of separate Action subsets can be efficiently grouped
and mapped into common policy rules, significantly minimising resource con-
sumption under heavily constrained scenarios.
– Equation 2
– Step 4-Definition of Prioritised rule stack per Action:
The notable expressive power of description logic fragments originates from
the extended set of available constructors, including but not limited to
elements of first order logic (e.g. intersection, union, complement,
universal/existential restriction) and role-oriented constructors (e.g. role
union/chains/transitivity/hierarchy). The full extent of available constructors
can be exploited at this step for the definition of detailed rules of increased
granularity, incorporating both unary and binary predicates in accordance to the
security requirements. Thus, a prioritized rule stack of increasing complexity is
defined per Action, facilitating the adaptation of the security policy to dynamic
network conditions. The least-priority/least-complexity rule for each Action is
defined as a default escape policy expression (i.e. deny-override,
permit-override, deny-by-default, permit-by-default) depending on the type of the
Action, for use in highly congested tactical environments and node isolation
scenarios. Concurrently, the rules of highest priority can deliberately
incorporate sets of unary and binary predicates, referring to discrete adaptations
of the security policy to the real time network conditions for the given Action.
– Equation 3
– Step 5-Extraction of Observable Objects and knowledge base construction:
Observable Objects correspond to the aforementioned unary and binary pred-
icates referring to service, information, network, radio, node and subject
attributes as incorporated within the policy rules. Observable Objects can be
defined in ontology editors as object and data properties, enforcing suitable
schema constructs (e.g. subPropertyOf, range), relations to other properties
(e.g. inverseOf), logical characteristics (e.g. transitive, symmetric) and global
cardinality restrictions (e.g. InverseFunctionalProperty, FunctionalProperty).
Depending on the granularity requirements of the defined policy rules aggre-
gated and statistical Observable Objects can also be constructed and incor-
porated, allowing their utilisation across rules of distinct priority levels.
– Step 6-Mapping of Individual Actions to Governing Mechanisms:
This step is initiated during Step-3 by the definition of suitable DataProp-
ertyAssertions, and finalised by a constrained mapping between actions and
suitable Governing Mechanisms for their enforcement. This is achieved by
the definition of simple membership assertions, similar to those presented in
previous steps.
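The prioritised rule stack of Step 4 and the Governing Mechanism mapping of Step 6, sketched as an added Python example (not code from TACTICS or from the paper). The action name and governing mechanism come from the listing above; the rule labels, Observable Object names, thresholds and the convention that a larger priority number is evaluated first are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Rule:
    label: str
    priority: int                  # assumption: larger number = evaluated first
    requires: Tuple[str, ...]      # Observable Objects the rule reads
    decide: Callable[[Dict[str, object]], str]


class Decision(NamedTuple):
    effect: str
    rule: str
    governing_mechanism: str


@dataclass(frozen=True)
class Action:
    name: str
    governing_mechanism: str
    rules: Tuple[Rule, ...]

    def stack(self) -> List[Rule]:
        """Return the rules highest priority first, refusing unsafe stacks."""
        ordered = sorted(self.rules, key=lambda r: r.priority, reverse=True)
        if len({r.priority for r in ordered}) != len(ordered):
            raise ValueError(f"{self.name}: duplicate rule priorities")
        # The lowest-priority rule must need no Observable Objects, otherwise an
        # isolated node could be left without any decision for this Action.
        if not ordered or ordered[-1].requires:
            raise ValueError(f"{self.name}: no default escape rule at lowest priority")
        return ordered


def evaluate(action: Action, observed: Dict[str, object]) -> Decision:
    """Apply the most detailed rule whose Observable Objects are all available."""
    for rule in action.stack():
        if all(name in observed for name in rule.requires):
            return Decision(rule.decide(observed), rule.label,
                            action.governing_mechanism)
    raise RuntimeError("unreachable: the default rule requires nothing")


# Constructed rule stack for the AccessMessagingService action.
ACCESS_MESSAGING = Action(
    name="AccessMessagingService",
    governing_mechanism="AuthServ23",
    rules=(
        Rule("full-context", 3,
             ("subject.clearance", "radio.link_quality", "node.in_mission_area"),
             lambda o: PERMIT if (o["subject.clearance"] >= 2
                                  and o["radio.link_quality"] >= 0.5
                                  and o["node.in_mission_area"]) else DENY),
        # With less context available, demand a higher clearance.
        Rule("subject-only", 2, ("subject.clearance",),
             lambda o: PERMIT if o["subject.clearance"] >= 3 else DENY),
        # Default escape rule: deny-by-default, usable under node isolation.
        Rule("deny-by-default", 1, (), lambda o: DENY),
    ),
)

if __name__ == "__main__":
    # Constructed observations: full context, degraded link, isolated node.
    for observed in (
        {"subject.clearance": 2, "radio.link_quality": 0.8,
         "node.in_mission_area": True},
        {"subject.clearance": 2},
        {},
    ):
        print(sorted(observed), "->", evaluate(ACCESS_MESSAGING, observed))
```

The same subject is permitted with full context, denied once only the clearance attribute is observable, and denied by the escape rule when nothing is observable.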
4 Prototype Implementation
TACTICS has defined sixty requirements with “MUST” priority, forty with
“SHOULD” and seven with “COULD”, thirty-four of which are security dedi-
cated as briefly discussed earlier [1,2]. An overall prototype implementation has
been realised according to Sects. 2 and 3, in order to validate the satisfaction
of these requirements under the distinct tactical constraints. This implemen-
tation was targeted to four common tactical operation types (1-Reconnaissance
Surveillance and Target Acquisition, 2-MEDical EVACuation, 3-Convoy mission,
4-Intervention Patrol), separated into a multitude of corresponding episodes (e.g.
Sensor data acquisition, Blue force tracking, Mobility management, Improvised
Explosive Device detection and report, Ordering and Tasking). Here we present
the security policy formalization, in respect to the interface functionalities as
presented at Sects. 2 and 3, for one of the investigated episodes.
first priority Governing Mechanism the distributed service registry, while the
security policy knowledge-base could also serve as a secondary Governing
Mechanism for redundancy purposes.
5 Conclusions
In this article we have presented a security policy framework dedicated to tac-
tical SOA, aiming to satisfy the established protection requirements under the
constraints of tactical environments. The developed architecture has been pre-
sented, focusing on the functionalities of core services and an insight of the
defined interfaces. Furthermore, the formal policy model was presented along
with the required policy formalisation steps. The prototype implementation has
provided a validation of the requirement for an easily deployed, lightweight,
cross-layer and dynamically adaptable security infrastructure. Thus, our future
plans include the further evaluation with the use of the developed use cases
and the preparation of the field-demonstration along with the overall TACTICS
architecture.
Acknowledgments. The results described in this work were obtained as part of the
European Defence Agency project TACTICS (Tactical Service Oriented Architecture).
The TACTICS project is jointly undertaken by Patria (FI), Thales Communications &
Security (FR), Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und
Ergonomie FKIE (DE), Thales Deutschland (DE), Leonardo (IT), Thales Italia (IT),
Norwegian University of Science and Technology (NO), ITTI (PL), Military Com-
munication Institute (PL), and their partners, supported by the respective national
Ministries of Defence under EDA Contract No. B 0980.
References
1. Gkioulos, V., Wolthusen, S.D.: Securing tactical service oriented architectures. In:
2nd International Conference on Security of Smart Cities, Industrial Control Sys-
tem and Communications (SSIC) (2016)
2. Aloisio, A., Autili, M., D’Angelo, A., Viidanoja, A., Leguay, J., Ginzler, T., Lampe,
T., Spagnolo, L., Wolthusen, S.D., Flizikowski, A., Sliwa, J.: TACTICS: tactical
service oriented architecture. CoRR, vol. abs/1504.07578 (2015)
3. Gkioulos, V., Wolthusen, S.D.: Enabling dynamic security policy evaluation for
service-oriented architectures in tactical networks. In: Norwegian Information Secu-
rity Conference 2015 (NISK-2015) (2015)
4. Gkioulos, V., Wolthusen, S.D.: Constraint analysis for security policy partitioning
over tactical service oriented architectures. In: Advances in Networking Systems
Architectures, Security, and Applications - of Springer’s Advances in Intelligent
Systems and Computing (2015)
5. Gkioulos, V., Wolthusen, S.D.: Reconciliation of ontologically defined security poli-
cies for tactical service oriented architectures. In: International Conference on
Future Network Systems and Security-FNSS (2016)
6. OASIS: OASIS Security Services (SAML) TC
7. Ramli, C.D.P.K., Nielson, H.R., Nielson, F.: The logic of XACML. Sci. Comput.
Program. 83, 80–105 (2014)
8. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification
language. In: Sloman, M., Lupu, E.C., Lobo, J. (eds.) POLICY 2001. LNCS, vol.
1995, pp. 18–38. Springer, Heidelberg (2001). doi:10.1007/3-540-44569-2_2
9. Kagal, L., Finin, T., Paolucci, M., Srinivasan, N., Sycara, K., Denker, G.: Autho-
rization and privacy for semantic web services. IEEE Intell. Syst. 19, 50–56 (2004)
10. Uszok, A., Bradshaw, J.M., Johnson, M., Jeffers, R., Tate, A., Dalton, J., Aitken,
S.: KAoS policy management for semantic web services. IEEE Intell. Syst. 19,
32–41 (2004)
11. Finin, T., Joshi, A., Kagal, L., Niu, J., Sandhu, R., Winsborough, W.H.,
Thuraisingham, B.: ROWLBAC - representing role based access control in OWL.
In: Proceedings of the 13th Symposium on Access control Models and Technologies,
Estes Park, Colorado, USA. ACM Press, June 2008
12. Kolter, J., Schillinger, R., Pernul, G.: Building a distributed semantic-aware
security architecture. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., Solms, R.
(eds.) SEC 2007. IIFIP, vol. 232, pp. 397–408. Springer, Boston, MA (2007).
doi:10.1007/978-0-387-72367-9_34
13. Trivellato, D., Zannone, N., Glaundrup, M., Skowronek, J., Etalle, P.S.: A semantic
security framework for systems of systems. Int. J. Coop. Inf. Syst. 22, 1–35 (2013)
14. Becker, M., Sewell, P.: Cassandra: distributed access control policies with tun-
able expressiveness. In: Proceedings of the Fifth IEEE International Workshop on
Policies for Distributed Systems and Networks. POLICY 2004, pp. 159–168, June
2004
15. Czenko, M., Doumen, J., Etalle, S.: Trust management in P2P systems using
standard TuLiP. In: Karabulut, Y., Mitchell, J., Herrmann, P., Jensen, C.D. (eds.)
IFIPTM 2008. ITIFIP, vol. 263, pp. 1–16. Springer, Boston, MA (2008).
doi:10.1007/978-0-387-09428-1_1
16. Li, N., Mitchell, J., Winsborough, W.: Design of a role-based trust-management
framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy,
pp. 114–130 (2002)
17. Nejdl, W., Olmedilla, D., Winslett, M.: PeerTrust: automated trust negotiation
for peers on the semantic web. In: Jonker, W., Petković, M. (eds.) SDM
2004. LNCS, vol. 3178, pp. 118–132. Springer, Heidelberg (2004).
doi:10.1007/978-3-540-30073-1_9
18. Lampe, T.A., Prasse, C., Diefenbach, A., Ginzler, T., Sliwa, J., McLaughlin, S.:
TACTICS TSI Architecture. In: International Conference on Military Communi-
cations and Information Systems ICMCIS (2016)
19. Gkioulos, V., Flizikowski, A., Stachowicz, A., Nogalski, D., Gleba, K., Sliwa, J.:
Interoperability of security and quality of service policies over tactical SOA. Sub-
mitted for review at: Military Communication conference-MILCOM (2016)
20. NATO: Nato c3 classification taxonomy, March 2012. https://www.act.nato.int/
article-8a
21. Baader, F., Calvanese, D., McGuinness, D.L., Nardi, D., Patel-Schneider, P.F.
(eds.): The Description Logic Handbook: Theory, Implementation, and Applica-
tions. Cambridge University Press, New York (2003)
Physical Attestation and Authentication to Detect
Cheating in Resource Constrained Smart Micro-grids
1 Introduction
reliability, and security. In the SMG, the power sharing infrastructure is supported by small-scale distributed energy resources (DER), based on renewable sources of energy such as photovoltaic panels and wind turbines that are intermittent and volatile.
An efficient energy management mechanism is, therefore, critical to balancing demand and supply to/from DERs. The SMG relies on sensors, metering devices, and advanced communication networking infrastructure for control and monitoring. On the one hand, monitoring is useful for collecting measurement data distributed over the network. On the other hand, control involves analysing the data (drawn from monitoring). Both monitoring and control are therefore essential for supporting multiple activities such as ensuring grid stability, detecting cheating or data distortions, load forecasting, facilitating demand response and preventing disruption.
The standard smart grid (SG) architecture relies on a centralised Supervisory Control and Data Acquisition (SCADA) system and an Advanced Metering Infrastructure (AMI) composed of highly calibrated, trustworthy sensors such as phasor measurement units (PMUs), smart meters (SMs), and an extensive communication infrastructure. Due to their high cost, SMs and PMUs are not likely to be used in constrained SMGs. In resource constrained SMGs, however, for economic reasons, monitoring and control operations can be supported by an insecure and unreliable network [2]. This, however, implies that the devices that underlie the network are not tamper-resistant. Furthermore, in certain cases, usability designs place device control solely at the user end. Thus, attacks centred on cheating are a serious concern, since cheating attacks¹ can in the long term lead to grid destabilisation. Accurate monitoring is therefore vital to reliable and trustworthy grid operation.
To this end, we specifically investigate two types of cheating attacks in this paper,
namely: Replay and Random Data Perturbation attacks. Both attacks are easier to
provoke on SMGs than on standard SG architectures. In the case of replay attacks,
the adversary aims to ensure that the data modifications are unidentifiable, while in the
random data perturbation attack case, the adversary is concerned with modifying the
data before it is reported, but wishes to conceal his/her identity. We note that cheating
attacks lead to issues such as false consumption reports and incorrect billing that affect
data integrity. As such, this not only creates a situation of distrust but may also lead to
unbalanced demand and supply, thus, affecting the stability of the SMG.
In this paper, we propose a cheating detection algorithm and a cheating identification algorithm for the SMG. The proposed scheme builds on Roth and McMillin’s physical attestation, proposed to detect the occurrence of cheating attacks, and uses a control signal or physical watermarking to identify the node(s) from which the attack was provoked [3–5]. The advantage of using physical attestation and control signal techniques over cryptographic-based techniques is that they are not computationally intensive, which is suitable for resource-constrained systems [6, 7]. The intuition behind this approach is to embed a secret control signal in the data stream, such that any adversarial modification (cheating) to the original data would corrupt the legitimate control signal and lead to a discrepancy between the observation at the physical layer and the reported (and possibly compromised) value. We consider a framework where both cyber and physical infrastructures are modelled as graphs with different topologies sharing nodes. The data model is organised in the form of overlapping clusters, such that all cluster nodes have shared knowledge of the control signal and report data by our protocol specifications. Adversarial nodes have no knowledge of the shared control signal and so report data differently from expected. We extend Roth and McMillin’s physical attestation scheme [8] to detect multiple cheating nodes based on so-called group attestation. More specifically, the network is divided into a set of partitions. Each partition aggregates data and compares the data from the cyber layer to the physical layer. In addition, inter-node trust, within a subgraph (partition), is established by adding a secret control signal to reported consumption values. This control signal is kept secret from the attacker.
¹ Cheating means that a node is reporting a value that is different from what is reflected on the power network in order to achieve a malicious goal.
54 P.L. Ambassa et al.
The rest of the paper is organized as follows. Section 2 briefly reviews the literature
on data integrity attacks and countermeasures. In Sect. 3, we describe our proposed
SMG model and follow this in Sect. 4 with a definition of our cheating attack model.
Section 5 provides a detection framework and also presents our cheating detection and
identification schemes. We provide a performance and correctness analysis in Sect. 6
and conclude in Sect. 7.
2 Related Work
Data modification attacks in smart grids fall under the general area of deception attacks, in which the adversary’s goal is to compromise data integrity. Typical deception attacks distort price signals and data measurements. Liu et al. [9] described a variant of deception attacks in which the adversary uses network knowledge to modify state estimations stealthily. These false data injection attacks (FDIAs) are not detectable by existing bad measurement detection algorithms and can induce the control centre into making decisions that affect power flow and marketing schemes negatively. Qin et al. [10] address this problem with the concept of unidentifiable attacks as a more practical adversarial strategy for attackers with limited resources. The unidentifiable attack, in contrast to FDIA, enables the attacker to compromise a set of smart meters and inject false data. In this case, the control system can indicate that the system is under attack but cannot deterministically deduce which nodes or set of smart meters have been compromised. Many FDIA detection methods in centralised and decentralised systems have been proposed, including statistical tests [11], machine-learning-based approaches [12, 13], watermarking techniques [14] and short-term forecasting methods [15]. However, most of these works do not consider networks with limited computational capability.
Mo and Sinopoli [3] introduced the problem of detecting replay attacks in control systems and developed a detection approach based on injecting a secret Gaussian white noise signal into the control input and testing the estimation residue for the output estimation error of the Kalman filter. Assuming that the added white noise is known to the controller, a $\chi^2$ detector is then used to detect the presence of the replay attack. When there is no attack, the added white noise is removed with the Kalman filter. Further extensions [4, 5] add a physical watermarking secret signal to the control signal so that, under normal conditions, the controller should be able to detect the presence of the watermark in the sensor measurements. The watermark plays the role of an authenticator and follows a Gaussian distribution with zero mean. Although this solution works on the control system, it is less suitable for an SMG. Tran et al. [16] use the same solution approach, but instead add Gaussian noise periodically, making it difficult for the adversary to emulate noise addition patterns accurately.
Roth and McMillin [8] proposed addressing this issue by using the physical invariants to detect data falsifications. However, the Roth and McMillin scheme has two limitations: first, it considers a SMG as a static system, and second, the approach is limited to single attack detection on linear physical topologies, which is not effective for a resource constrained SMG.
We recall that the efficiency of the detection mechanism is integral to guaranteeing user trust and consequently micro-grid stability. Therefore, an efficient multi-node cheating detection scheme is a good way of preventing cheating on resource constrained SMGs with stochastic power fluctuations. We are now ready to, first of all, describe the fundamentals of our system model and then proceed to describe the cheating and detection models.
3 System Model
A SMG can be modelled as a distributed system integrating DERs such as wind turbines and solar panels, supporting local demands and a lossy communication network to facilitate reliable power sharing in rural and remote areas that are difficult or expensive to connect to standard power grid architectures. The SMG model as proposed in [2, 17] consists of a power network and a data network, structured as a decentralised system composed of some buses, power lines, households or nodes, and distributed energy resources (DER). The SMG consists of a set of $N$ consumers (or households or nodes) denoted as $C = \{c_1, ..., c_N\}$. The SMG is designed in such a way that a subset of consumers, namely prosumers, share the energy produced among the neighbouring households through connecting links in a tree architecture.
The power network is based on Direct Current (DC) and can be represented by an undirected connected graph where nodes and edges represent consumers and connecting links. A supply node has an energy consumption that is less than the energy it generates; the reverse is true for a demand node. The nodes (supply or demand) are connected by connecting lines (branches). We assume that supply nodes share power with a set of demand households which are connected to the distribution line. However, not every household is connected to a single branch (parallel); some households may, for instance, share the same branch (series).
The data network can be summarised as a three-layered heterogeneous network. The lower layer consists of the household network, where sensor nodes measure generation/consumption data and communicate to the reporting device (mobile devices) acting as intermediate data collectors. The second layer is the neighbourhood network, where one or more households are grouped in a cluster connected with the data aggregators/concentrators. Finally, the third layer is the aggregation network between the several data aggregators and the utility centre. A data aggregator collects and aggregates measurements from a cluster of consumers, processes the measurements and forwards the aggregated data to the control centre through networks. The information is processed and analysed at the data aggregator (as it is assumed to have sufficient computation capabilities) before being further transmitted to the control centre for further processing, analysis and billing purposes. Moreover, the collected data can also be forwarded to other aggregators, to which they are densely interconnected via a mesh network, to minimise the risk of lost data.
As the system is heterogeneous, several types of communications technology can be used between the different types of nodes. The communications media between the sensor node, mobile phone, and aggregator are primarily wireless (Bluetooth, ZigBee, WiFi), while communication between the data aggregator and the utility provider is based on cellular networks. In this paper, we only focus on the communication between the reporting device at the household and the aggregation node. Such nodes communicate by message passing. The nodes communicate with each other directly when in wireless communication range; otherwise, the message is transmitted via multi-hop routes in which intermediate nodes act as routing nodes. We assume that each cluster has a unique cluster ID, and each node has a unique node ID. We assume that sensors and mobile devices that forward measurement reports have limited computation and communication capability and can be compromised by the adversary.
For simplicity, as a first solution step, we design our model on the assumption that the underlying communication protocol is fault-free and can provide reliable communication (overcome transient communications failures). The system is asynchronous, which means that there are no bounds on the processing times or communication delays. This assumption means that the messages may be delayed and may be delivered in a different order than the one in which they were sent. Every node in the SMG Network has an associated address. This is used during network communication to identify the nodes individually.
We consider that time is divided into periods denoted $T$. Every $kT$th reporting period $[kT, (k+1)T]$, a snapshot algorithm is regularly used to collect a stream of data from the consumer household [2].
We define $I_{c_i}(k)$, $V_{c_i}(k)$ and $P_{c_i}(k)$ as the current, the voltage magnitude and the power, respectively, from node $c_i$ in the $k$th reporting period. We define $X_{c_i}(k)$ as the vector containing the measurement from consumer $c_i$ at the $k$th reporting period. $X_{c_i}(k)$ can be a multidimensional vector with $X_{c_i}(k) = [I_{c_i}(k), V_{c_i}(k), P_{c_i}(k)]$. The measurements from the sensors collected by the consumer $c_i$ are assumed to be bounded between a minimum and a maximum value, $\forall k,\ X_{c_i}(k) \in [X_{c_i}^{\min}, X_{c_i}^{\max}]$. We define $Y_{c_i}(k)$ as the authenticated measurements from $c_i$ that are communicated to the data aggregator. $Y_{c_i}(k)$ is formed by embedding a secret control signal (watermark) $C_{c_i}(k)$, chosen by $c_i$, in $X_{c_i}(k)$. Each node $c_i$ reports the measurements in the form of the message $M_{c_i}(k)$ described as follows:
system into behaving in a way that benefits the cheater (e.g. subverting power consumption fees). We assume a limited adversary having only partial knowledge of the network topology and/or power consumption patterns. This is mostly due to the dynamic nature of the network. On the other hand, we consider that a cheater can compromise a limited number of metering devices, and has the capability to inject false data via the compromised component not only once but over different reporting periods.
In our cheating model, the adversary compromises reporting devices at the household level and reports bad data to the aggregator node. We assume that the utility centre and aggregator nodes are trustworthy and cannot be compromised. Finally, we assume that communication links are secure, because they are protected by some security mechanisms such as authentication and encryption (symmetric encryption protocol). We assume that our SMG is failure-free and, as such, messages that are sent eventually reach the destination without being modified or dropped by the communication medium. However, since no other security mechanism is running on the metering devices, we consider tampering with the measurement devices as a viable form of attack.
Our solution model allows attacks to be provoked as individual isolated events to minimise the risk of the attacker being discovered. Two major types of attacks are considered:
Replay Attacks (RAs). RAs, as defined in the traditional security system, are simple attacks where an attacker records an arbitrary number of measurements and proceeds by reordering the time stamps in such a way as to mimic the sequence of new timestamps. More formally, consider $C = \{c_1, ..., c_N\}$, the set of consumers, and $Y_{c_i}(k)$, the authenticated measurement vector reported by consumer $c_i$ at the $k$th reporting period. Now suppose that the attacker has recorded data during a number of periods and that, at a given attack interval, say $k_a$, replays the recorded data instead of reporting the new power measurement value. The attacker then modifies the time interval associated with the measurements so as to induce the device into reporting a modified value $\hat{Y}_{c_i}(k)$ as follows:
$$\hat{Y}_{c_i}(k) = \begin{cases} Y_{c_i}(k) & \text{for } k \notin k_a \\ Y_{c_i}(k - \xi) & \text{for } k \in k_a \end{cases} \qquad (2)$$
where $k_a$ denotes the attack interval and $\xi$ is a positive integer ($\xi > 0$).
Mo and Sinopoli [3] have proven that under the replay attack the measurement residuals [11] will converge to the same distribution as $Y_{c_i}(k)$, thus making the conventional $\chi^2$ detector unsuitable for replay attack detection.
Where $Y_{c_i}(k)$ is the modified data transmitted by the consumer household $c_i$ and $\gamma_{c_i}(k)$ is an arbitrary nonzero value introduced by the attacker to form $\hat{Y}_{c_i}(k)$.
We assume that at least one of the cheating attacks mentioned above is provoked. A cheating attack detection mechanism is therefore needed to counter such attacks. The detection scheme works by partitioning the nodes into clusters $S_i$ such that each of the clusters is organised to ensure that the nodes are grouped into disjoint sets.
In this section, we propose a scheme to detect the cheating attacks detailed in Sect. 4.
We assume a particular SMG model where the power and data networks are modelled
as two separate graphs sharing vertices, denoted (V, Y) and (V, Q) respectively.
The power network is graphically represented by $(V, Y)$, where nodes or vertices correspond to supply and demand nodes or both and edges correspond to branches $Y \subseteq J \times J$. The data network is represented by $(V, Q)$, where $V$ is the vertex set (each vertex or node corresponds either to a consumer reporting device or a data concentrator) and $Q$ is the set of edges, corresponding to the links (hops) between two vertices. Undirected edges are represented by the commutativity law as follows: $\{x, y\} = \{y, x\}$, and $\{x, y\} \in Q$ means that nodes $x$ and $y$ are adjacent if there is a direct link between $x$ and $y$, i.e. they are within mutual transmission range. We represent the set of neighbours (adjacent nodes) of $x$ by $N(x) = \{y \mid \{x, y\} \in Q\}$.
We model the SMG as a joint of the two networks to form G = (V, E) where V is
the vertex set (each vertex or node corresponds either to a supply node or demand node
in power network; or consumer reporting devices/a data concentrator in communication
network) and E = Y ∪ Q is the set of edges, corresponding to either the links (hop) or
branches connecting two vertices.
The design of the detection framework is based on the principles of divide-and-conquer [19]. The graph $G = (V, E)$ is partitioned into an interconnected set of sub-graphs (also referred to as clusters) of arbitrary sizes. The motivation behind this is that partitioning the graph helps to perform a limited number of tests (for cheating detection) in each partition, which is a more efficient procedure than performing tests on the whole system. We make the assumption that the partitions are organised such that the power network at each sub-graph (cluster) is independent, but the communication networks overlap. For any link connecting two nodes in the power network, there is also a corresponding path in the communication network. As such, the start and end nodes are the same in both networks, but the intermediate nodes are different. The nodes in the power network are connected both in series and in parallel, and are both connected to the data concentrator. Each cluster, for instance, could be composed of multiple consumer households representing different nodes.
The solution approach presented in this paper relies on the assumption that the set of nodes in $G$ is partitioned into overlapping sub-graphs (clusters). This can be achieved, for instance, by adding the overlapping constraint in the neighbourhood network [2].
Resilience to cheating is essential to SMG trust and stability. In this section, we propose a low-cost and efficient solution to cheating in SMGs. Our goal is to detect cheating attacks and identify compromised nodes using the attack detection scheme. More specifically, each node in a given partition will generate a control signal. The secret control signal is embedded in the measured power consumption value to be reported and therefore modifies the power consumption by a particular amount that is secret to the attacker. The authenticated measurement data are then transmitted to the data aggregator. Upon reception of the data, the data aggregator combines the power data reported. A correlation test is then used to confirm that the received measurements (aggregated) are consistent with the physical invariants of the system.
As mentioned earlier, the detection approach is based on two principal components, namely, the control signal (CS) and the physical attestation (PA). The CS is a secret signal added to the reported data for authentication, while the PA is used to compare the reported data with the estimated data from physical invariants.
We use a random approach and design a CS as a vector of real values that is independent of the measurement errors. The CS is generated at each reporting period, i.e. at each time slot $k$, a management device at node $c_i \in S_i$ generates the CS with an IID Pseudo-Random Number Generator (PRNG). As noted by Bhattarai et al. [14], we assume that the mobile device contains a function pre-programmed at manufacture. The function takes as input the measurement data and a pre-shared secret key [20], and the output is the data with the CS embedded. The generated CS is embedded in $X_{c_i}(k)$ and the resulting value $Y_{c_i}(k) = X_{c_i}(k) + C_{c_i}(k)$ is transmitted to the data aggregator. We assume that freshness of the CS is ensured by a mechanism that reduces the correlation between the CS at different periods [4, 5]. Specifically, the CS is randomly generated, such that:
$$\sum_{c_i \in S_i} X_{c_i}(k) \approx \sum_{c_i \in S_i} \left( X_{c_i}(k) + C_{c_i}(k) \right) \qquad (4)$$
Where $C_{c_i}(k)$ is the randomly generated CS and $X_{c_i}(k)$ represents the power measurements. The above equation can also be expressed as:
$\sum_{c_i \in S_i} X_{c_i}(k) = \sum_{c_i \in S_i} \left( X_{c_i}(k) + C_{c_i}(k) \right)$ − (k), where (k) is the error obtained by adding random numbers, that is, the sum of all added random values, $\sum_{c_i \in S_i} C_{c_i}(k)$.
$I_{c_i}(k)$ denote its current injection, and $P_{c_i}(k)$ denote its power. For each line connecting $c_i$, $c_j$, let $I_{c_i c_j}(k)$ denote the current flowing from node $c_i$ to node $c_j$ in a DC network.
For simplicity, the generators are assumed to be ideal current sources and to have no losses. We assume that measurements at the data concentrator are trusted and consider the data concentrator as the entry point from which branches to the various nodes (households) can be made. Given the measurements of the electric current and voltage at the entry point and supply nodes, our objective is to estimate the electric current and voltages at each line segment between consumer $c_i$ and the data concentrator.
The power flow is formulated both at the node level and on the branches. At each node, the voltage magnitude is evaluated; on the branches, the currents and powers flowing are evaluated.
On the other hand, current and power flow can be modelled according to node connectivity. We consider two case scenarios: in the first, all the nodes (supply and demand) are connected to the same line segment (connected in series) [8]. This is also equivalent to connecting the components sequentially.
The line segment (branch) between the data concentrator and the consumer $c_j$ contains $e$ nodes connected in series such that $m$ are supply nodes and $e - m$ are demand nodes. The supply nodes are assumed to have positive current injections denoted $I_s$ while the demand nodes are assumed to have negative current injections denoted $I_l$. By the law of conservation of energy, the sum of the currents injected into the node must equal the sum of the currents emitted from the node to ensure an equilibrium.
$$\sum_{s=1}^{m} I_s = \sum_{l=1}^{e-m} I_l \qquad (5)$$
The current flowing between node $c_i$ and node $c_j$, denoted $I_{c_i c_j}(k)$, is given by
$$I_{c_i c_j}(k) = \frac{V_{c_i}(k) - V_{c_j}(k)}{R_{c_i c_j}(k)} \qquad (6)$$
According to Kirchhoff’s current law, $I_{c_i}(k)$ is equal to the algebraic sum of the currents flowing away from node $c_i$:
$$I_{c_i}(k) = \sum_{c_i c_j} I_{c_i c_j}(k) = \sum_{c_i c_j} \frac{V_{c_i}(k) - V_{c_j}(k)}{R_{c_i c_j}(k)} \qquad (7)$$
Moreover, the power $P_{c_i}(k)$ consumed or produced at the node $c_i$ is represented by:
$$P_{c_i}(k) = Gen_{c_i}(k) - Load_{c_i}(k) = V_{c_i}(k) \times I_{c_i}(k) \qquad (8)$$
In the second, the case of multiple consumers connected to different line segments in parallel, $R_{c_i c_j}(k)$ represents the link resistance on the branch connecting $c_i$ and $c_j$, while $V_{c_i}(k)$ and $V_{c_j}(k)$ are the respective voltage magnitudes at nodes $c_i$ and $c_j$. We can therefore use Ohm’s law to express the corresponding current and voltage flows between any two nodes $c_i$ and $c_j$ in the power network, as follows:
$$\sum_{c_i c_j} \left( V_{c_i}(k) - V_{c_j}(k) \right) = \sum_{c_i c_j} I_{c_i c_j}(k) R_{c_i c_j}(k) \qquad (9)$$
In addition to the above, we make the following assumptions about the underlying structure of our network.
– The topology of the (power) network is known and stable for the duration of measurements.
– Each aggregator knows the power network’s topology; it can obtain the power injected at each node and estimate the power flowing between nodes. It is further assumed that each aggregator employs physical invariants built from conservation of energy and laws of electricity.
– For the message exchange, our underlying communication network is asynchronous and fault free. These are the necessary prerequisites for reliable ordered multicast protocols [21, Chap. 15] to ensure reliability and preserve message ordering. Reliability ensures that message ordering obeys the sequence of emission (first-in-first-out (FIFO)) order.
– The ID, denoted $ID_{c_i}$, of the sender’s node is associated with each message and can directly be linked to the node.
The main idea behind the detection approach is to compute the aggregation of data collected in each partition (cluster) via a spanning tree and then allow the aggregation node to verify the aggregate value and test whether or not a cheating attack has occurred. The aggregator compares the aggregated measurement values transmitted by the nodes belonging to the cluster to the expected measurements estimated from the physical properties of the system. The aggregator detects cheating if there is a strong inconsistency between the aggregate value received and the expected value. However, the cheating detection approach developed herein only detects the occurrence of a cheating attack; it neither helps in determining when the cheating occurred (i.e. whether a node is cheating right now or was behaving correctly when the measurement was performed) nor considers the problem of identifying the compromised node. To overcome that limitation, the test should be repeated to reduce false positive occurrences.
The cheating detection algorithm (Algorithm 1) receives as input a graph $G = (V, E)$, a set of clusters $S_i$ and a threshold (k). The aggregator node aggregates the measurements collected at the $k$th reporting time. Cheating detection is achieved at each aggregation point in the partition $S_i$, and the proposed cheating detection algorithm (Algorithm 1) consists of three stages. In the first stage (initialisation), the data aggregator node queries each consumer household. In the second stage, namely collection and aggregation, each consumer household node transmits the data collected during that time interval to the aggregator for aggregation. The third stage, verification and attestation, serves to verify that the aggregation of the reported measurements corresponds to the expected measurements.
Initialisation. The initialisation consists of the data aggregator $Agg_{S_i}$ querying the nodes in the partition by broadcasting a request for data collection from $c_i \in S_i$.
Collection and Aggregation. The second stage, namely collection and aggregation, is subdivided into three steps. In the first step, each node $c_i \in S_i$, upon reception of the request, chooses a secret random CS $C_{c_i}(k)$ (see Sect. 5.2). It then adds $C_{c_i}(k)$ to the measurement vector $X_{c_i}(k)$ and obtains the modified value $Y_{c_i}(k) = X_{c_i}(k) + C_{c_i}(k)$. In the second step, $c_i \in S_i$ transmits the resulting $Y_{c_i}(k)$ to the data aggregator $Agg_{S_i}$ using a multi-hop communication system. Falsified measurement values such as $\hat{Y}_{c_i}(k)$ can be reported in case of cheating attacks. Third, the aggregator, on reception of $Y_{c_i}(k)$ from $c_i$, aggregates the received data.
Verification and Attestation Phase. Once the collection and aggregation phases are completed, the trusted data aggregator detects cheating on the aggregated data based on the correlation between the reported data from a set $c_i \in S_i$ and the estimated data from the DC power network. Such a verification is based on its knowledge of the power network topology and the use of PA to verify the authenticity of the aggregated value. Specifically, the reported measurement value is checked for consistency with the physical observation. In the case of inconsistencies between the reported aggregate values and the estimated value, the data aggregator decides whether or not cheating has occurred by comparing the difference between the two values to a threshold value. When the difference surpasses (k), this indicates that there is at least one cheating node in the set of reporting nodes. Otherwise, the reported data are considered good and are then used for further analysis and state estimation. To evaluate the difference between the two values, we employ a simple distance metric that reflects similarity in time [22]. Specifically, if the two measurement data are similar, they will exhibit a low distance from each other; otherwise, they exhibit a high distance from each other, thus low similarity. The detection of the cheating attack is done by computing the distance between the sum of reported measurements and the estimated physical values and comparing such a distance with the threshold value. Let $Z_{c_i}(k)$ be a vector with the sum of the estimated physical values. An attack exists if:
$\sum_{c_i \in S_i} Y_{c_i}(k) - \sum_{c_i \in S_i} Z_{c_i}(k) >$ (k)    (10)
We define (k) as the distance between the measurement $Y_{c_i}(k)$ reported at the $k$th period using the communication system and $Z_{c_i}(k)$, the sum based on the power flow invariant at the same reporting period; it is given by:
$\left( \sum_{c_i \in S_i} X_{c_i}(k) + \sum_{c_i \in S_i} C_{c_i}(k) \right) - \sum_{c_i \in S_i} Z_{c_i}(k) >$ (k)    (11)
The attestation is based on the notion of group attestation, where the attestation is made at the aggregator node, but the process depends on a physical path between the aggregation node and a reporting node (in the group sub-tree). More specifically, the group attestation is based on the network connectivity and considers that the node can be connected either in series or in parallel.
Once the cheating is detected, i.e. Algorithm 1 returns $Detection(S_i) = True$, the following step is the identification of the cheating node.
data would corrupt the CS. Additionally, since the ID is associated with the node, this helps to pinpoint the compromised node. A simple verification procedure is described in [23] as a binary function $g$ with $Y_{c_i}(k)$ and $C_{c_i}(k)$ as inputs. The reported data $Y_{c_i}(k)$ from $c_i$ is authentic if $g(Y_{c_i}(k), C_{c_i}(k)) = 1$, and inauthentic if $g(Y_{c_i}(k), C_{c_i}(k)) = 0$.
Once cheating is detected in a particular round, we employ Algorithm 2, described below, to identify the cheating nodes.
13 return compID
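The aggregate test of Eq. (10) and a per-node check in the role of $g$, run against a random data perturbation and a replay, as an added Python sketch that is not the authors' Algorithm 1 or 2. Assumptions not taken from the paper: the CS is derived with HMAC-SHA256 from a pre-shared key, the aggregator holds those keys and a per-node physical estimate, and all constants, keys, voltages and resistances are constructed sample values.

```python
import hashlib
import hmac

AMPLITUDE = 0.5   # assumed bound on |C_ci(k)|, in watts
THRESHOLD = 2.0   # assumed threshold for eq. (10); chosen above N * AMPLITUDE for N = 3
TOLERANCE = 0.05  # assumed per-node tolerance for the identification check


def control_signal(key: bytes, node_id: str, k: int) -> float:
    """Derive C_ci(k), fresh for every period k (HMAC-SHA256 is an assumed PRF)."""
    digest = hmac.new(key, f"{node_id}|{k}".encode(), hashlib.sha256).digest()
    unit = int.from_bytes(digest[:8], "big") / 2**64   # roughly uniform in [0, 1]
    return (2.0 * unit - 1.0) * AMPLITUDE


def physical_estimate(v_node: float, v_conc: float, r_line: float) -> float:
    """Z_ci(k) from eqs. (6) and (8): I = (V_ci - V_cj) / R, then P = V_ci * I."""
    return v_node * (v_node - v_conc) / r_line


def detect(reports: dict, estimates: dict) -> bool:
    """Eq. (10): flag the cluster when reported and physical aggregates disagree."""
    distance = abs(sum(reports.values()) - sum(estimates.values()))
    return distance > THRESHOLD


def identify(reports: dict, estimates: dict, keys: dict, k: int) -> list:
    """Assumed form of g(Y, C): strip the expected CS, compare with the estimate."""
    suspects = []
    for node_id, y in reports.items():
        expected_cs = control_signal(keys[node_id], node_id, k)
        if abs(y - expected_cs - estimates[node_id]) > TOLERANCE:
            suspects.append(node_id)
    return sorted(suspects)


# Constructed cluster: three demand nodes, each on its own branch (parallel case).
V_CONC = 48.0                                                       # trusted voltage (V)
LINES = {"c1": (47.5, 0.5), "c2": (47.0, 0.5), "c3": (47.6, 0.4)}   # (V_ci, R in ohms)
KEYS = {n: f"constructed-key-{n}".encode() for n in LINES}
SENSOR_ERROR = {"c1": 0.01, "c2": -0.02, "c3": 0.0}                 # constructed noise (W)


def run_scenarios(k: int = 7, xi: int = 2) -> dict:
    """Return {scenario: (cheating detected, suspected node IDs)}."""
    z = {n: physical_estimate(v, V_CONC, r) for n, (v, r) in LINES.items()}
    # Honest reporting: Y = X + C, where X is the physical value plus sensor error.
    honest = {n: z[n] + SENSOR_ERROR[n] + control_signal(KEYS[n], n, k) for n in z}
    # Random data perturbation: c2 adds gamma = +30 W and cannot embed a valid CS.
    perturbed = dict(honest, c2=z["c2"] + 30.0)
    # Replay, eq. (2): c2 resends its report from period k - xi (power was -60 W then).
    replayed = dict(honest, c2=-60.0 + control_signal(KEYS["c2"], "c2", k - xi))
    cases = {"honest": honest, "perturbation": perturbed, "replay": replayed}
    return {name: (detect(r, z), identify(r, z, KEYS, k)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The threshold is set above the largest possible sum of honest control signals, so honest clusters never trip the aggregate test. The replayed report fails the per-node check because it carries the CS of period k − ξ rather than that of period k.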
6 Analysis
In this paper, we only briefly outline a sketch of the correctness proof for Algorithm 1. Due to space limitations, the analysis of Algorithm 2 is left for future work.
We assume that at the $k$th reporting period, at least one of the cheating attacks, namely replay or random data perturbation, is launched by the adversary.
Lemma 1. If the system is fault free and at least one node is maliciously replaying previous measurements, then Algorithm 1 can detect replay attacks.
Proof. By contradiction. Consider that Algorithm 1 runs on a fault free SMG and message delivery is reliable. However, Algorithm 1 fails to detect the replay attack. Assume that for $c_i \in S_i$ the measurement data $Y_{c_i}(k)$ reported to $Agg_{S_i}$ are aggregated. $Agg_{S_i}$ estimates the power from the physical system. In the case of a replay attack, we further assume that the difference between the aggregated reported value and the estimated value is higher than the threshold value (k); then the test passes and a replay attack is detected, which contradicts our initial hypothesis.
Lemma 2. If the system is fault free and the measurement data reported by at least one node have been randomly modified, then Algorithm 1 can detect such attacks.
Proof. By Lemmas 1 and 2, Algorithm 1 can detect a replay attack and a random data perturbation attack. Based on the Algorithm 1 strategy, it holds that Algorithm 1 detects cheating on several $c_i$, assuming that the test condition (line 15) is met.
Lemma 3. If the system is fault free and the communication is reliable, then Algorithm 1 terminates.
Proof. Consider a fault free system in which Algorithm 1 runs and message delivery is reliable. The verification and attestation phase is executed when $Agg_{S_i}$ collects and aggregates data. Since the message delivery is reliable, data are collected and the algorithm terminates successfully.
7 Conclusion
In this paper, we propose a cheating attack model and a detection solution that works efficiently in resource constrained SMGs. Cheating attacks pose a threat to reliable SMG operation. We considered two classes of cheating attacks, namely Replay and Random Data Perturbation attacks, against the power consumption data reporting. The countermeasures consist of detecting the attacks and identifying the cheating nodes. Our cheating attack detection mechanism is based on a graph partitioning scheme in which each partition aggregates measurements at the cyber system, and these values are compared to the observation of power flow at the physical layer. Consistency discrepancies imply that the measurements have been tampered with and that the cheating nodes must be identified and excluded from the network. A performance analysis shows that our solution approach efficiently detects the cheating attacks carried out by the limited adversary, but it fails at detecting a cyber-physical attacker [24]. As future work, we are extending the detection schemes to consider both cyber-physical and cooperative attacks, as well as a metric to distinguish whether the bad data detected is due to faulty/malfunctioning equipment or adversarially provoked.
Acknowledgments. This work was partially supported by the joint SANCOOP Programme of
the Research Council of Norway and the National Research Foundation of South Africa (NRF)
under the NRF grant 237817 as well as the Hasso-Plattner-Institute.
References
1. Podmore, R., Larsen, R., Louie, H., Waldron, B.: Affordable energy solutions for developing
communities. In: 2011 IEEE Power and Energy Society General Meeting, pp. 1–8, July 2011
2. Ambassa, P.L., Wolthusen, S.D., Kayem, A.V., Meinel, C.: Robust snapshot algorithm for
power consumption monitoring in computationally constrained micro-grids. In: 2015 IEEE
Innovative Smart Grid Technologies - Asia (ISGT ASIA), pp. 1–6, November 2015
3. Mo, Y., Sinopoli, B.: Secure control against replay attacks. In: 47th Annual Allerton
Conference on Communication, Control, and Computing, Allerton 2009, pp. 911–918,
September 2009
4. Mo, Y., Chabukswar, R., Sinopoli, B.: Detecting integrity attacks on SCADA systems. IEEE
Trans. Control Syst. Technol. 22(4), 1396–1407 (2014)
5. Mo, Y., Weerakkody, S., Sinopoli, B.: Physical authentication of control systems: Designing
watermarked control inputs to detect counterfeit sensor outputs. IEEE Control Syst. 35(1),
93–109 (2015)
6. Juma, H., Kamel, I., Kaya, L.: Watermarking sensor data for protecting the integrity. In:
International Conference on Innovations in Information Technology, IIT 2008, pp. 598–602,
December 2008
7. Valente, J., Barreto, C., Cárdenas, A.A.: Cyber-physical systems attestation. In: Proceedings
of the 2014 IEEE International Conference on Distributed Computing in Sensor Systems,
DCOSS 2014, pp. 354–357. IEEE Computer Society, Washington, DC (2014)
8. Roth, T., McMillin, B.: Physical attestation of cyber processes in the smart grid. In: Luiijf,
E., Hartel, P. (eds.) CRITIS 2013. LNCS, vol. 8328, pp. 96–107. Springer, Cham (2013).
doi:10.1007/978-3-319-03964-0_9
9. Liu, Y., Ning, P., Reiter, M.K.: False data injection attacks against state estimation in electric
power grids. In: Proceedings of the 16th ACM Conference on Computer and
Communications Security, CCS 2009, pp. 21–32. ACM, New York (2009)
10. Qin, Z., Li, Q., Chuah, M.C.: Unidentifiable attacks in electric power systems. In:
Proceedings of the 2012 IEEE/ACM Third International Conference on Cyber-Physical Systems,
ICCPS 2012, pp. 193–202. IEEE Computer Society, Washington, DC (2012)
11. Monticelli, A.: Electric power system state estimation. Proc. IEEE 88(2), 262–282 (2000)
12. Esmalifalak, M., Nguyen, N.T., Zheng, R., Han, Z.: Detecting stealthy false data injection
using machine learning in smart grid. In: 2013 IEEE Global Communications Conference
(GLOBECOM), pp. 808–813, December 2013
13. Gu, Y., Liu, T., Wang, D., Guan, X., Xu, Z.: Bad data detection method for smart grids based
on distributed state estimation. In: 2013 IEEE International Conference on Communications
(ICC), pp. 4483–4487, June 2013
14. Bhattarai, S., Ge, L., Yu, W.: A novel architecture against false data injection attacks in smart
grid. In: 2012 IEEE International Conference on Communications (ICC), pp. 907–911, June
2012
15. Zhao, J., Zhang, G., Scala, M.L., Dong, Z.Y., Chen, C., Wang, J.: Short-term state
forecasting-aided method for detection of smart grid general false data injection attacks.
IEEE Trans. Smart Grid PP(99), 1–11 (2015)
16. Tran, T.T., Shin, O.S., Lee, J.H.: Detection of replay attacks in smart grid systems. In: 2013
International Conference on Computing, Management and Telecommunications
(ComManTel), pp. 298–302, January 2013
17. Weldehawaryat, G., Wolthusen, S.: Secure distributed demand projection in micro-grids. In:
Global Information Infrastructure and Networking Symposium (GIIS) 2015, pp. 1–6 (2015)
18. Costache, M., Tudor, V., Almgren, M., Papatriantafilou, M., Saunders, C.: Remote control of
smart meters: Friend or foe? In: Proceedings of the 2011 Seventh European Conference on
Computer Network Defense, EC2ND 2011, pp. 49–56. IEEE Computer Society, Washington,
DC (2011)
19. Yang, Y., Wang, X., Zhu, S., Cao, G.: Sdap: A secure hop-by-hop data aggregation protocol
for sensor networks. In: Proceedings of the 7th ACM International Symposium on Mobile
Ad Hoc Networking and Computing, MobiHoc 2006, pp. 356–367. ACM, New York (2006)
20. Jin, T., Noubir, G., Thapa, B.: Zero pre-shared secret key establishment in the presence of
jammers. In: Proceedings of the Tenth ACM International Symposium on Mobile Ad Hoc
Networking and Computing, MobiHoc 2009, pp. 219–228. ACM, New York (2009)
21. Ghosh, S.: Distributed Systems: An Algorithmic Approach, 2nd edn. Chapman & Hall/CRC
(2014)
22. Hautamaki, V., Nykanen, P., Franti, P.: Time-series clustering by approximate prototypes. In:
19th International Conference on Pattern Recognition, ICPR 2008, pp. 1–4, December 2008
23. Fei, C., Kwong, R.H., Kundur, D.: A hypothesis testing approach to semifragile watermark-
based authentication. IEEE Trans. Inf. Forensics Secur. 4(2), 179–192 (2009)
24. Vigo, R.: The cyber-physical attacker. In: Ortmeier, F., Daniel, P. (eds.) SAFECOMP
2012. LNCS, vol. 7613, pp. 347–356. Springer, Heidelberg (2012).
doi:10.1007/978-3-642-33675-1_31
Decentralised Scheduling of Power Consumption
in Micro-grids: Optimisation and Security
1 Introduction
Micro-grids (MGs) are low-voltage energy distribution systems that consist of a
variety of energy storage, generation, and management units [1]. In distributed micro-grids,
power generation is reliant on distributed renewable energy sources and storage on
battery units. These micro-grid architectures are well suited to small remote communities,
where connections to the national power grid are not possible due to economic reasons
[1]. However, variations in generation and demand make demand management
(balancing demand and supply) a challenging problem. Matching supply and demand is vital
to grid stability. Power consumption scheduling can smooth the demand profiles out
over time to avoid overloading. A scheduling algorithm can therefore be used to
distribute power cost-effectively, encouraging users to shift heavy consumption activities
to off-peak periods. For instance, instead of turning on the washing machine at a peak
period (e.g. at 6pm) the user could opt to use the machine at an off-peak period (e.g. at
11am) with the added benefit of paying less per kilowatt consumed. Centralised demand
management approaches have been studied but are computationally intensive and raise
privacy concerns [2, 3]. Furthermore, existing power scheduling solutions assume
network reliability and security. Such assumptions are unrealistic in computationally
limited micro-grids, where data is transmitted over insecure and unreliable networks.
© Springer International Publishing AG 2017
N. Cuppens-Boulahia et al. (Eds.): CyberICPS 2016, LNCS 10166, pp. 69–86, 2017.
DOI: 10.1007/978-3-319-61437-3_5
We address these challenges by first formulating a theoretical framework for the
operation of the micro-grid and then formulating the problem of scheduling power
distribution on the micro-grid as a convex optimisation problem [4, 5], where the goal is
to minimize the total power consumption while maximizing the social benefit [3] of
power distribution on the grid. As a next step, we propose a decentralised electricity
consumption scheduling algorithm based on the alternating direction method of multipliers
(ADMM) [6], which has been shown to be robust for solving optimisation problems in
smart grid communication networks [7, 8]. This allows each user to report demands as
aggregated rather than single values, which addresses the privacy concern. The
computational burden is alleviated by distributing computations across network devices. Finally,
we analyse the susceptibility of the proposed algorithms to false data injection attacks
and consider how such attacks can prevent the scheduling algorithm from converging.
The rest of the paper is structured as follows. In Sect. 2, we present an overview of
related work on power consumption scheduling. We proceed in Sect. 3 with a
presentation of the system model and the formulation of our power consumption scheduling
algorithm. In Sect. 4, we present the ADMM approach, and then proceed in Sects. 5 and 6 to
describe the decentralised and fully decentralised schemes, respectively. In Sect. 7, we
show how network unreliability can be exploited to provoke false data injection attacks.
Finally, we offer concluding statements in Sect. 8.
2 Related Work
Demand Side Management (DSM) facilitates power demand profile smoothing across
time by avoiding peak power periods [9]. These solutions minimise the power costs
while guaranteeing user satisfaction; this can be achieved through optimisation
methods [2, 3]. Standard approaches to addressing such optimisation problems on smart grid
networks include dual decomposition and augmented Lagrangian methods [10].
However, dual decomposition methods are not robust, requiring many technical conditions,
such as strict convexity and finiteness of all local cost functions. Augmented Lagrangian
methods can be used to bring robustness to the gradient method, and in particular, to
yield convergence without assumptions like strict convexity or finiteness of the
objective function [6]. Nevertheless, this method has the disadvantage of not being separable
across the devices in the network. ADMM can be used to achieve both separability and
robustness for distributed optimisation [6]. Kraning et al. [7] studied an energy
management model for a large-scale electrical power network using ADMM. The problem
and/or generation of the household to which the device is attached. The utility analyses
the data considering weather forecast of wind speed and solar radiation. This helps to
predict the household load demand as much as possible based on power consumption
patterns [14].
We use a continuous discrete-time model with a finite horizon, $\mathcal{T} = \{1, 2, \ldots, T\}$,
where $\mathcal{T}$ is finite and divided into $T$ equal intervals of size $\Delta t$. Since our scheduling
algorithm operates over an unreliable network, we consider an asynchronous ADMM
where information can be lost or delayed during communications. The asynchronous
ADMM uses the value from the previous transmission to substitute for missing
information due to loss and/or delay. We assume that the total load of a household $h$ over the $T$
time slots is denoted as $l_h = (l_h^1, \ldots, l_h^T)$, and the total load $L_h$ across all households at each
time slot $t \in \mathcal{T}$ can be calculated as: $L^t = \sum_{h \in H} l_h^t$.
Appliance Models. For each appliance $a \in A_h$, we define $p_{a,h} = (p^1_{a,h}, \ldots, p^T_{a,h})$ as the
power consumption scheduling vector of each appliance $a \in A_h$ over $\mathcal{T}$, $p_{a,h} \in \mathbb{R}^T$,
where $p^t_{a,h}$ is the power consumption that is scheduled at time slot $t$ for appliance $a \in A_h$ in
household $h$. The set of energy consumption schedules for all appliances in a household
$h \in H$ at time horizon $\mathcal{T}$ is denoted as $P_h$, where $P_h = p_{a,h}, \forall a \in A_h$, and can be
represented with a matrix of dimension $|A_h| \times T$. The total load of a particular household
$h \in H$, denoted $P_h$, is the sum of four types of loads: resistive load, inductive load,
non-linear load and composite load [12]. For load scheduling, each category of appliances
is studied according to the level of priority, the interruptibility during operation and
the energy consumption. The latter represents consumption patterns over a fixed time
interval.
Loads are given priority according to associated power consumption patterns
observed between load and operation processes. Loads are classified as either
resistive, inductive, and/or composite [12]. In addition to load characterisations, the power
consumption behaviour of household devices can be categorised as either interruptible
or non-interruptible.
Finally, consumer preferences are accounted for in the scheduling algorithm by
allowing consumers to specify appliance operation preferences [15]. Households
and the utility provider jointly determine the energy to be allocated to a household and
specify an optimal appliance schedule using the ADMM algorithm. The utility provider
sets the prices at a time period and communicates them to the households. Upon receiving
the price signal, each household solves its own scheduling problem. The solution is
based on the short-term ahead scheduling algorithm, where the price of electric energy
for the next time interval is determined based on a short-term data forecast. A priority level
is allocated to each appliance and the scheduler schedules the appliances with the highest
priority level first. If resources are not adequate in the requested time slot, a request is
denied.
Short term power consumption scheduling in the MG is based on the prior information.
Prior information enables the utility to estimate the amount of load demand and
renewable power generation of a household, e.g. based on weather forecast. However, due to
estimation errors and variations in amounts of power generated from renewable sources,
it is possible to have deviations between the predetermined power supply and demand.
Thus, the utility purchases electricity from households with generation or storage
capacity.
Assuming intermittent renewable energy can be predicted using a short-term
prediction, the total generation capacity of the set of households $h \in H$ is
represented by $G_h$. The household power generation over $T$ time slots is given by
$g_h = g_h^t + {}^{t}_{g,h}$, $\forall t \in \mathcal{T}$, and it is constrained by $0 \le g_h^t \le G_h$, $\forall t \in \mathcal{T}$, $\forall h \in H_g$,
where $g_h^t$ denotes the distributed generation of the household $h \in H_g$ and ${}^{t}_{g,h}$ is the
prediction error considered with distribution $N(0, \sigma_g^2)$.
The power demand projected ($Q_{MG}$) for the power consumption scheduling horizon
$\mathcal{T}$ is defined by $Q^t_{MG} = Q^t_{pg} + Q^t_G + Q^t_s$, where $Q^t_{pg} = \sum_{h \in H_g} g_h^t$ is the predicted
renewable generation for the set of households $h \in H_g$, $Q^t_G$ is the predicted utility
generation and $Q^t_s$ is the energy available on battery at the scheduling horizon.
Let $g_h^t$ be the predicted generation of household $h \in H_g$ at time $t \in \mathcal{T}$. When
$g_h^t < l_h^t$, the generation of the household does not cover demand and $h$ purchases electricity
from the utility. Otherwise, $g_h^t > l_h^t$, and the household sells back extra generation to the
utility. The utility generation at time horizon $\mathcal{T}$ is given by
$Q^t_G = \sum_{h \in H_r} l_h^t + \sum_{h \in H_s} l_h^t + \sum_{h \in H_g} \left( l_h^t - g_h^t \right)$, $\forall t \in \mathcal{T}$.
As the generation from both household and utility are different from the
conventional power generation, renewable energy generation does not consume fuel sources.
For simplicity, we assume a zero generation cost. Thus, the MG available energy $Q^t_{MG}$
cannot be greater than the MG capacity, i.e., $0 \le Q^t_{MG} \le Q^{max}_G$, $\forall t \in \mathcal{T}$.
When the utility generation is not enough to meet the demand, the utility buys excess
generation from a set of households $h \in H_g$. The total cost $C_u(q_h)$ for supply generally
consists of the generation cost and the energy purchase cost from the household $h \in H_g$.
However, as the generation cost is equal to zero, the supplier cost is only the cost of
purchasing energy. Let $p^t$ denote the electricity price set by the utility at time $t$, and let
$q_h = q_h^t$, $\forall t \in \mathcal{T}$ denote the amount of power purchased from the household $h$. The total
utility cost for electricity $C_u(q_h)$ is given by
$C_u(q_h) = \sum_{t=1}^{T} p^t \sum_{h \in H_g} \left( g_h^t - l_h^t \right)$, $\forall g_h^t > l_h^t$.
Since the utility needs to satisfy the power demand, the total cost on the utility end,
taking into account user satisfaction cost, is given by $C_u = C_u(q_h) + \sum_{t=1}^{T} \sum_{h \in H} s_h^t$.
The power consumption scheduling problem at the household level is usually solved
by finding the optimal load scheduling that minimises the household cost, and this in
turn flattens the aggregated load curve and reduces the cost to the utility [16]. Let $C_{U,h}$
denote the total cost function associated with each household $h \in H$. $C_{U,h}$ encompasses
the cost related to the use of energy, the satisfaction cost induced by the operating mode
mismatch, the cost of operating the battery, and the penalty cost.
A penalty cost function $C(P^t_{en})$ is associated with the duration of an interruption. Similar
to the function described in [17], we consider a piecewise linear convex function of the
form $C(x) = k_i x + b_i$ to approximate the penalty cost function $C(P^t_{en})$.
The energy cost (the cost of purchasing energy from the utility) for the household
$h \in H$ at time $t \in \mathcal{T}$ is given by $C^t_{a,h} = \sum_{t \in \mathcal{T}} \sum_{a \in A_h} p^t l_h^t$, where $p^t$ is a dynamic price
provided by the utility.
Each household chooses a list of appliances and a preferred time for operation.
Furthermore, since different households may have diverse preferences, it is not trivial to
characterize them with a precise mathematical model. However, according to O’Neill
et al. [18] the utility function is an abstract method used to model household
preference. Similarly, we follow the same approach in this paper and assume that households
would prefer to have their appliances operate sooner than later. This preference can be
expressed as a strictly concave utility function that represents satisfaction of the user
regarding the schedule. But we rather choose to work with the negation of this function,
namely a dissatisfaction function that captures the dissatisfaction of the consumers
(due to delaying or advancing the operation of an appliance). We denote $\bar{U}(p^t_{a,h})$ as the
dissatisfaction of the consumer when running appliance $a \in A$. Depending on the priority level
and the interruptibility, the dissatisfaction function may take different forms [19].
– For interruptible loads, $\bar{U}(p_{a,h})$ can be defined as $\bar{U}(p_{a,h}) = \sum_{t \in \mathcal{T}} \bar{U}(p^t_{a,h})$
– For deferrable loads such as a composite load, $\bar{U}(p_{a,h})$ can be defined as
$\bar{U}(p_{a,h}) = \bar{U}\left( \sum_{t \in \mathcal{T}} p^t_{a,h} \Delta t \right)$
The battery is an energy storage device that flattens the power load by storing energy
during low-cost (high-production) periods for use during high-cost periods. We assume
that a subset of households $H_s$ each have a battery storage device. At each interval,
one can either recharge or discharge the battery, but not both at the same time. Each
battery has a total capacity $B^{max}_s$, and let $Q^t_{c,h}$, $Q^t_{d,h}$ and $Q^t_{s,h}$ denote the energy charged,
discharged and stored at time $t \in \mathcal{T}$ respectively. The charging and discharging power
levels at each time $t$ are bounded, and satisfy the following constraints:
$0 \le Q^t_{c,h} \le Q^{max}_{c,h}$, $\forall t \in \mathcal{T}$, $\forall h \in H_s$
$0 \le Q^t_{d,h} \le Q^{max}_{d,h}$, $\forall t \in \mathcal{T}$, $\forall h \in H_s$,
Given the data forecast, energy scheduling set, the characteristics of the home electrical
appliances and the price model over a time interval, the optimal power consumption
scheduling problem (OPCSP) in a micro-grid is a constraint based optimisation problem
where the global objective is the sum of objective functions. These functions include
consumer and utility actions. Each consumer wishes to minimise the power
consumption by finding the optimal load scheduling solution. Furthermore, the utility wishes
to minimise the cost of operating the MG (power generation and distribution), hence
maximize its economic benefit while ensuring that demand and supply are balanced to
maintain grid stability. The scheduling problem over a time period is extended to
incorporate the cost associated with the usage of appliances, such as the penalty function due
to load interruptions. The OPCSP is formulated as an optimisation problem consisting
of a set of variables that minimises the set of objective functions. The optimisation is
composed of two types of functions: the local objective function at household $h \in H$,
and the global objective function of the total loads of $N$ households at the MG. The
local objectives at the household are used to find the optimal schedule by minimising the
households’ cost functions, while the utility’s objective function is used to minimise
its costs (energy purchase) and balance the total power consumption/generation. The
power consumption scheduling problem can be formulated as follows:
$\min_{q_h, p_h} \sum_{t=1}^{T} \left( C_u(q_h(t)) + \sum_{a \in A_h} \sum_{h \in H} C_{U,h}(p_h(t)) \right)$ (1a)
In the above objective function (1a), $C_{U,h}$ denotes the household cost function
described in the household cost model, and $C_u$ represents the utility cost function.
Constraint (1b) is the power supply-demand balance equation for each time slot $t$, and
constraint (1c) is the appliance operational constraint. Constraints (1d)–(1e) are the
battery storage operational constraints, and (1f) is the MG generation constraint.
The objective function (1a) is considered as a convex function, and the minimisation
of this problem can lead to an optimal solution. The problem (1a) can be solved at the
micro-grid central controller in a centralised way; however, the controller needs the
private information about the energy usage/generation from the micro-grid components.
Requiring such information raises privacy concerns. Furthermore, the centralised
approach causes a significant burden of computation. Alternatively, the solution of (1a) can
be obtained efficiently by using distributed convex optimisation algorithms. This work
focuses on a distributed optimisation approach based on the ADMM to solve the power
with variables $x_i \in \mathbb{R}^{n_i}$, where $f_i : \mathbb{R}^{n_i} \to \mathbb{R}$ are closed, proper, convex functions;
$A_i \in \mathbb{R}^{m \times n_i}$ are given matrices; and $c \in \mathbb{R}^m$ is a given vector.
Augmented Lagrangian methods yield convergence without assumptions like strict
convexity or finiteness of $f_i$ [6]. Thus, the augmented Lagrangian for (2) is defined as
follows:
$L_\rho(x_1, x_2, \lambda) = f_1(x_1) + f_2(x_2) - \lambda^T (A_1 x_1 + A_2 x_2 - c) + \frac{\rho}{2} \|A_1 x_1 + A_2 x_2 - c\|_2^2$,
Thus, $x_1$ and $x_2$ are updated in an alternating fashion, which accounts for the term
alternating direction. Separating the minimisation over $x_1$ and $x_2$ is precisely what allows
for decomposition when $f_1(x_1)$ or $f_2(x_2)$ are separable, which will be useful in our
algorithm’s design. The drawback of the standard ADMM method is that it partitions the
problem into only two sub-problems and thus cannot be implemented in a distributed way
for a larger network. One way is to simply replace the two-block alternating minimisation
scheme sequentially (the Gauss-Seidel update fashion), i.e., update $x_i$ for $i = 1, 2, \ldots, N$.
This approach updates the blocks one after another, which is not suitable for
parallelization. To overcome this disadvantage, the Jacobi-type scheme updates all the $N$ blocks in
parallel [23]. In the proximal Jacobian Multi-block ADMM, the update of $x_i$ is
$x_i^{k+1} = \arg\min_{x_i} L_\rho(x_i, \{x_j^k\}_{j \ne i}, \lambda^k) + \frac{1}{2} \|x_i - x_i^k\|^2_{P_i}$, where $\|x_i\|^2_{P_i} = x_i^T P_i x_i$ (4)
for some symmetric and positive semi-definite matrix $P_i \succeq 0$. When the $x_i$-sub-problem
is not strictly convex, adding the proximal term [24] can make the sub-problem
of $x_i$ strictly or strongly convex, and make the problem more stable. The update of the
Lagrangian multiplier in proximal Jacobian ADMM is
$\lambda^{k+1} = \lambda^k - \gamma \rho \left( \sum_{i=1}^{N} A_i x_i^{k+1} - c \right)$,
where $\gamma > 0$ is the damping parameter. The resulting optimisation problem is solved
with the ADMM, where convergence is guaranteed if the following requirements are
satisfied [6]:
Wei et al. [23] proved the global convergence of Jacobian ADMM for appropriately
chosen regularization matrices Pi . Moreover, they showed that Jacobian ADMM has
a convergence rate of o(1/k). In Sects. 5 and 6, we employ the multi-block ADMM to
solve the power consumption scheduling problem in a distributed manner. Liu et al.
[25] discuss the use of Multi-block ADMM for smart-grid applications.
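As an added illustration (not code from the paper), the Python sketch below applies update (4) and the damped multiplier update to a toy supply-demand balance $\sum_i x_i = c$. Scalar blocks with $A_i = 1$, quadratic costs, the sample data and the choice $P_i = \tau I$ with $\tau > \rho(N/(2-\gamma) - 1)$ are assumptions of the example.

```python
"""Proximal Jacobian multi-block ADMM on a toy supply-demand balance.

Added example. Assumptions that are not taken from the paper: scalar blocks,
A_i = 1, quadratic costs f_i(x) = a_i/2 * (x - d_i)^2 and P_i = tau * I.
"""

A_COST = [0.5, 1.0, 1.5, 0.8]   # constructed cost curvatures a_i
D_PREF = [2.0, 4.0, 1.0, 5.0]   # constructed preferred loads d_i
SUPPLY = 9.0                    # c: energy the N loads must add up to


def kkt_solution(a=A_COST, d=D_PREF, c=SUPPLY):
    """Closed-form optimum of min sum_i f_i(x_i) subject to sum_i x_i = c."""
    lam = (c - sum(d)) / sum(1.0 / ai for ai in a)
    return [di + lam / ai for ai, di in zip(a, d)], lam


def proximal_jacobian_admm(rho=1.0, gamma=1.0, tau=None, iters=2000):
    """Run update (4) for all blocks in parallel, then the damped dual step."""
    n = len(A_COST)
    if tau is None:
        # Assumed sufficient choice for A_i = 1: tau > rho * (N / (2 - gamma) - 1).
        tau = 1.1 * rho * (n / (2.0 - gamma) - 1.0)
    x = [0.0] * n
    lam = 0.0
    residuals = []
    for _ in range(iters):
        total = sum(x)
        x_next = []
        for i in range(n):
            # Every block sees only the previous iterate of the other blocks
            # (Jacobi style), so the N updates could run concurrently.
            others = total - x[i]
            # Stationarity of f_i - lam*(x + others - c)
            #   + rho/2*(x + others - c)^2 + tau/2*(x - x_i^k)^2
            numerator = (A_COST[i] * D_PREF[i] + lam
                         - rho * (others - SUPPLY) + tau * x[i])
            x_next.append(numerator / (A_COST[i] + rho + tau))
        x = x_next
        residual = sum(x) - SUPPLY           # sum_i A_i x_i^{k+1} - c
        lam -= gamma * rho * residual        # damped multiplier update
        residuals.append(abs(residual))
    return x, lam, residuals


if __name__ == "__main__":
    x, lam, residuals = proximal_jacobian_admm()
    print("schedule:", [round(v, 4) for v in x])
    print("multiplier:", round(lam, 4), "final residual:", residuals[-1])
```

Passing a `tau` below the stated bound removes the proximal safeguard, so the balance residual returned by the function is the quantity to watch when tuning it.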
In a centralised control approach, all information about the consumers’ utility functions
can be collected and an efficient energy consumption schedule can be characterized as
the solution of optimisation problem (1a). However, the centralised approach requires
high computational capabilities at the micro-grid central controller, which is neither
efficient nor scalable in a resource constrained micro-grid environment. As an alternative
approach, we study a decentralised power consumption scheduling algorithm using ADMM
to solve the optimisation problem (1a). The resulting power consumption scheduling
solution is given as Algorithm 1, where each LC $h$ is responsible for updating its own
$(p_h^{k+1}, \lambda^{k+1})$ using the most recent $q_h$ value (denoted $\tilde{q}_h$) received from the central
controller. Analogous to Eq. (3), the value of $p_h^{k+1}$ and $\lambda_h^{k+1}$ can be updated as follows:
$p_h(t)^{k+1} = \arg\min_{p_h(t)} C_h(p_h(t)^k) + \langle \lambda_h^{k_h}, p_h(t)^k \rangle + \frac{\rho}{2} \|p_h(t)^k - \tilde{q}_h\|^2$ (5a)
$\lambda_h^{k+1} = \lambda_h^{k_h} + \rho \left( p_h(t)^{k_h+1} - \tilde{q}_h \right)$ (5b)
is incremented by 1 from zero after each $\lambda^{k+1}$ update. Likewise, each LC also has a
clock $k_i$, which is also incremented by 1 from zero after each $\lambda_i$ update. We let $p_h^{k_i}$
(where $i \in \{1, 2, \ldots, N\}$) be the values of $p_h$ when LC $i$’s clock is at $k_i$; and $\lambda^k$ be the
value of $\lambda(k)$ when the central controller’s clock is at $k$.
To alleviate the straggler problem, a partial barrier can be employed [27]. The
central controller only needs to wait for a minimum of $W$ updates (where $W \ge 1$ and
$W < N$). Reliance on this partial barrier with a small $W$ means updates from slower
LCs will be incorporated into computations less frequently than those from faster controllers. To
ensure sufficient “freshness” of all the updates, we enforce a bounded delay condition:
the update from every LC has to be serviced by the central controller at least once every $T$
iterations. $T$ is a user-defined parameter ($T \ge 1$), where updates from each LC $i$ can at
most be $T$ clock cycles old (with respect to the central controller’s clock). When both
the minimum $W$ updates and bounded delay conditions are met, the controlling node
will proceed with the $q_h$ update. We let $\Phi_k$ be the set of LCs with ($p_h^{k_i}$) updates that are
received by the controlling node (at iteration $k$). The central controller then updates and
sends $q_h^{k+1}$ to the LCs in $\Phi_k$, and its clock $k$ is incremented by 1. Analogous to (3), the
controller updates $q_h$ as
$q_h^{k+1} = \arg\min_{q_h} \sum_{h=1}^{N} -\langle \tilde{\lambda}_h, q_h \rangle + \frac{\rho}{2} \|\tilde{p}_h - q_h\|^2 = \frac{1}{N} \sum_{h=1}^{N} \left( \tilde{p}_h + \frac{1}{\rho} \tilde{\lambda}_h \right)$, (6)
where $\tilde{p}_h$ and $\tilde{\lambda}_h$ are the most recent $p_h$ and $\lambda_h$ received from the LC by the central
controller.
Algorithm 1. Decentralised Asynchronous ADMM Algorithm
Central Controller Procedure:
  Initialize: $k = 0$, $\tilde{p}_h^{k_h+1} = 0$, $\tilde{\lambda}_h = 0$, $h = 1, 2, \ldots, N$
  ($\tilde{p}_h^{k_h+1}$ being the most recent updates)
  repeat
    repeat
      wait;
    until receive $W$ LC updates and $\max(T_1, T_2, \ldots, T_N) \le T$;
    for LC $h \in \Phi_k$ do
      $T_h \leftarrow 1$;
      $p_h \leftarrow$ newly received $p_h$ from local controller $h$;
      $\lambda_h \leftarrow$ newly received $\lambda_h$ from local controller $h$;
    end
    for LC $h \notin \Phi_k$ do
      $T_h \leftarrow T_h + 1$;
    end
    Update $q_h^{k+1}$ by (6);
    Send $q_h^{k+1}$ to all LC in $\Phi_k$;
    $k \leftarrow k + 1$;
  until termination
  output $q_h^k$
Local Controller Procedure:
  Initialize: $\lambda_h^0 = 0$, $k_h = 0$
  repeat
    update $p_h^{k_h+1}$ by (5a);
    send $p_h^{k_h+1}$ to the central controller;
    repeat
      wait;
    until $q_h^{k+1}$ is received from central controller;
    Update $\lambda_h^{k_h+1}$ by (5b);
    $k_h \leftarrow k_h + 1$;
  until termination;
Correctness Analysis
– Partial correctness: We claim that the loop invariant always holds at the loop test:
$k \le T$ ($k_h \le T_h$) and $1 \le W \le N$ where $T \ge 1$.
– Base case: Assume the loop invariant holds and the loop test passes. Say in the first
iteration, $k = 1$; then $k \le T$ ($k_h \le T_h$) is satisfied where $T \ge 1$ (considering that $T$ has
a considerable number of cycles). An update will occur in both algorithm fragments.
– Inductive case: Assume that the loop invariant holds at the loop test, and also that
the loop test passes. New values of $k$, $\tilde{p}_h$ and $\tilde{\lambda}_h$ ($\lambda_h$ and $k_h$) will also hold given
$h = 1, 2, \ldots, N$.
– Termination: The loop always terminates in the presence of at least one LC update
($1 \le W \le N$) and at most $T$ clock cycles when $k = T$ ($k_h = T_h$).
Constraint (1b) is the power supply-demand balance equation that ensures the total
demand is satisfied by the power generation for each time slot $t$. It couples variables
across different DGs and loads. Constraints (1c)–(1f) are local constraints that ensure
the loads, batteries and generators do not violate operative limits. Let $\lambda := [\lambda_1, \ldots, \lambda_T]$
denote the Lagrange multiplier vector associated with the coupling equality constraint. The
augmented Lagrangian for Eq. 7 can be given as follows:
$L_\rho(q_h, p_h, \lambda) = \sum_{t=1}^{T} \sum_{n=1}^{N} C_u(q_h(t)) + \sum_{t=1}^{T} \sum_{m=1}^{M} C_h(p_h(t)) - \sum_{t=1}^{T} \lambda(t) \left( \sum_{n=1}^{N} C_u(q_h(t)) - \sum_{m=1}^{M} C_h(p_h(t)) \right) + \frac{\rho}{2} \left\| \sum_{t=1}^{T} \sum_{n=1}^{N} C_u(q_h(t)) - \sum_{m=1}^{M} C_h(p_h(t)) \right\|_2^2$,
where λ and ρ/2 are the penalty coefficients for the first and second order terms of
disagreement.
The OPCSP is solved across the LCs of the DERs and loads. That is, at each step
$k$, each LC of DG and load solves the primal problem of ensuring that the local
constraints hold, then communicates the generation and consumption schedules to their
neighbouring nodes. The update of the LCs can be performed concurrently according
to the proximal Jacobian multi-block ADMM. The resulting fully decentralised power
Once qh (t) is computed, it is broadcasted to the neighbouring nodes while the utility
function is kept private.
– The LC of each load solves the following problem (analogous to Eq. 4):
OPCSP-LC(Load)
$p_h(t)^{k+1} = \arg\min_{p_h(t)} C_h(p_h)^t + \frac{\rho}{2} \sum_{t=1}^{T} \left\| p_h(t) - q_h(t)^k - \frac{\lambda^k}{\rho} \right\|_2^2 + \frac{1}{2} \|p_h(t) - p_h(t)^k\|^2_{P_i}$
Once $p_h(t)$ is computed, it is broadcasted to the neighbouring nodes while the
information of the cost function is kept private.
– The dual updating step $\lambda$ can be computed by any one of the LCs and broadcasted
to all neighbouring nodes. That is, after receiving schedules from the neighbouring
LCs of DGs and loads, one of the LCs performs a simple update on the dual variable.
Since the information exchanged between the LCs includes only the control signals
and schedules, the privacy of the loads (i.e., customer preferences and constraints) and
the DGs (i.e., production costs and constraints) are preserved by the power consumption
scheduling devices.
7 Security
Despite its importance, the security of power consumption scheduling algorithms has
not received significant attention. The security of the decentralised power consumption
scheduling as a whole may depend on the security of the data exchange between the LCs
and central controller [28]. The reason for this is that attackers may compromise meter
measurements and prevent the decentralised consumption scheduling from converging to the
optimal value, or force it toward certain values of the attacker’s interest. It is thus
important to understand the potential vulnerabilities of power consumption scheduling
algorithms, i.e., how a compromised data exchange between controllers could affect the
power consumption scheduling solutions.
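The Python simulation below is an added example, not code from the paper: it runs the central and local controller loops of Algorithm 1 with updates (5a), (5b) and (6), the partial barrier W and the bounded delay T, then repeats the run with one LC's reported schedule altered in transit to show how a compromised exchange displaces the consensus value. Scalar schedules, quadratic costs, the arrival pattern, the offset and the dual-sum check are assumptions of this sketch.

```python
"""Toy run of the decentralised asynchronous ADMM loop (added example).

Assumptions that are not taken from the paper: scalar schedules, quadratic
household costs C_h(p) = a_h/2 * (p - d_h)^2, a deterministic arrival
pattern, and a constant offset added to one LC's reported p_h in transit.
"""

RHO = 1.0                      # penalty parameter rho
A = [0.5, 1.0, 1.5, 0.8]       # constructed cost curvatures a_h (all < 2 * RHO)
D = [2.0, 4.0, 1.0, 5.0]       # constructed preferred loads d_h
PERIOD = [1, 2, 3, 5]          # LC h is ready every PERIOD[h] rounds (stragglers)


def optimum(a=A, d=D):
    """Minimiser of sum_h C_h(q): the value an honest consensus must reach."""
    return sum(x * y for x, y in zip(a, d)) / sum(a)


def run(rounds=1000, W=2, T=3, bias=0.0, victim=0):
    n = len(A)
    lam = [0.0] * n            # dual variable held by each LC
    q_seen = [0.0] * n         # most recent q each LC has received
    p_t = [0.0] * n            # controller's copy of the latest reported p_h
    lam_t = [0.0] * n          # controller's copy of the latest reported lambda_h
    age = [1] * n              # T_h: rounds since LC h was last serviced
    q, min_phi, max_age = 0.0, n, 0
    for k in range(1, rounds + 1):
        # Partial barrier: LCs that are ready now, plus any LC whose update
        # would otherwise become older than T (bounded delay condition).
        phi = {h for h in range(n) if k % PERIOD[h] == 0 or age[h] >= T}
        for h in sorted(range(n), key=lambda i: -age[i]):
            if len(phi) >= W:
                break
            phi.add(h)         # wait for the stalest LCs until W updates arrive
        max_age = max(max_age, max(age))
        p_new = {}
        for h in phi:
            # (5a) in closed form for the quadratic cost.
            p_new[h] = (A[h] * D[h] - lam[h] + RHO * q_seen[h]) / (A[h] + RHO)
            # Value the controller actually receives (altered for the victim).
            p_t[h] = p_new[h] + (bias if h == victim else 0.0)
            lam_t[h] = lam[h]
        for h in range(n):
            age[h] = 1 if h in phi else age[h] + 1
        # (6): consensus update from the most recent report of every LC.
        q = sum(p_t[h] + lam_t[h] / RHO for h in range(n)) / n
        for h in phi:
            q_seen[h] = q
            lam[h] += RHO * (p_new[h] - q)     # (5b), using the LC's own p_h
        min_phi = min(min_phi, len(phi))
    # At an honest optimum the duals sum to zero; a non-zero sum is a warning.
    return {"q": q, "dual_sum": sum(lam_t), "min_phi": min_phi, "max_age": max_age}


if __name__ == "__main__":
    print("optimum       :", round(optimum(), 6))
    print("honest run    :", run())
    print("altered report:", run(bias=1.9))
```

In the honest run the reported duals sum to zero at convergence; with the offset they settle at the negative of rho times the offset, which gives the controller a consistency check as long as only the reported schedule is altered.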
A number of cyberattacks against smart grids have been studied [29, 30]. Examples
include denial-of-service attacks, data injection and replay attacks, and timing attacks.
Among these attacks, false data injection attacks against the state estimation of power
grids have been extensively studied due to the serious threat they raise to the operation of
the power grid [31–33]. Generally, sensor measurements used for state estimation might
be inaccurate due to device misconfigurations, failures, or malicious actions. These
inaccuracies can affect state estimations [34]. Many techniques have been proposed to
detect, identify and correct bad data measurements, which are based on measurement
residuals [35]. However, Liu et al. [31] observed that the traditional detection is not able
to differentiate between unintentional errors and malicious intrusions attributed to false
data injection attacks. They further showed that the attack is required to compromise a
number of meters in order to bypass detection, and this type of attack is called a stealth
attack, which needs to be launched in a coordinated manner and requires full knowledge
of the network configuration.
The security of demand side management programs has been recently explored in
[28, 36]. For example, Mohsenian-Rad and Leon-Garcia [28] studied attacks against the
consumption sector, by investigating load altering attacks and proposed a cost-efficient
load protection strategy. Amini et al. [36] studied dynamic load altering attacks that
attempt to control and change a group of unsecured controllable loads in order to damage
the grid through circuit overflow or other mechanisms. There are a variety of load
types that are potentially vulnerable to load altering attacks, e.g., controllable loads that
automatically respond to price signals and loads in direct load control programs.
Recently, many security attacks against micro-grids have also been reported in
[37, 38]. In this section, we study the vulnerability of the decentralised power consump-
tion scheduling with respect to false data injection attacks. The reason for this is that
the decentralised consumption scheduling algorithm can be prevented from converg-
ing to the optimal value, or forced to converge towards values that lend the attacker an
advantage.
ments and n state variables can be characterized by an $m \times n$ matrix $H$. The attacker
generates malicious measurements based on the matrix $H$, and then injects the malicious
measurements into the compromised meters to undermine the state estimation process.
The injected malicious measurements can introduce arbitrary errors into the output of
state estimation without being detected by the existing approaches. Let $q_a$ represent
the vector of observed measurements that may contain malicious data. $q_a$ can be
represented as $q_a = q + a$, where $q = (q_1, \ldots, q_m)^T$ is the vector of original measurements and
$a = (a_1, \ldots, a_m)^T$ is the malicious data added to the original measurements. The attacker
can choose any non-zero arbitrary vector as the attack vector $a$, and then construct the
malicious measurements $q_a = q + a$. Let $\tilde{p}_{bad}$ and $\tilde{p}$ denote the estimates of $p$ using
the malicious measurements $q_a$ and the original measurements $q$, respectively. $\tilde{p}_{bad}$ can
be represented as $\tilde{p} + c$, where $c$ is a non-zero vector of length $n$. Note that $c$ reflects
the estimation error injected by the attacker. The traditional bad measurement detection
algorithm computes the $L_2$-norm of the corresponding measurement residual to check
whether there exist bad measurements or not. Specifically, $\|q - H\tilde{p}\|$ is compared with
a threshold value $\tau$, and the presence of bad measurements is inferred if $\|q - H\tilde{p}\| > \tau$,
where $q - H\tilde{p}$ (measurement residual) is the difference between the vector of observed
measurements and estimated measurements. However, such a detection approach can
be bypassed if the attack vector $a$ is a linear combination of the column vectors of $H$: $q_a$
can pass the detection as long as $q$ can pass the detection. In other words, if the attacker
can use $Hc$ as the attack vector $a$ (i.e., $a = Hc$), then the $L_2$-norm of the measurement
residual of $q_a$ is equal to that of $q$. The feasibility of the stealth false data injection
attack can be described as follows [31]:
$$\|q_a - H\tilde{p}_{bad}\| = \|q + a - H(\tilde{p} + c)\| = \|q + a - H\tilde{p} - Hc\| = \|q - H\tilde{p} + (a - Hc)\| = \|q - H\tilde{p}\|$$
where $a = Hc$. It is also reported that if the attacker can compromise k specific meters,
the attack vector always exists [31]. This attack principle will be used to analyse the
vulnerability of the decentralised power consumption scheduling algorithm with respect to
false data injection in Sect. 7.2.
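The residual identity above can be checked numerically. The following is an added example, not code from the paper: it assumes an unweighted least-squares estimator, and the 4 × 2 matrix H, the measurements Q, the error C and the threshold TAU are constructed values. It shows why a residual test alone cannot separate q from q + Hc, while an injection outside the column space of H is flagged.

```python
"""Residual-based bad-data detection versus an injection a = Hc (constructed data)."""


def transpose(m):
    return [list(col) for col in zip(*m)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def add(u, v):
    return [x + y for x, y in zip(u, v)]


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(a)
    aug = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("H does not have full column rank")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            f = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        s = sum(aug[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (aug[i][n] - s) / aug[i][i]
    return x


def estimate(h, q):
    """Least-squares state estimate: solve (H^T H) p = H^T q."""
    ht = transpose(h)
    return solve(matmul(ht, h), matvec(ht, q))


def residual_norm(h, q):
    """L2 norm of the measurement residual q - H p~."""
    hp = matvec(h, estimate(h, q))
    return sum((qi - hi) ** 2 for qi, hi in zip(q, hp)) ** 0.5


def detect(h, q, tau):
    """Traditional test: bad data is inferred when the residual norm exceeds tau."""
    return residual_norm(h, q) > tau


# Constructed example: m = 4 meters, n = 2 state variables.
H = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [1.0, -1.0]]
Q = [2.05, 2.96, 5.02, -0.97]   # H applied to p = (2, 3) plus small meter noise
C = [1.0, -0.5]                 # estimation error c carried by the injection
TAU = 0.2                       # constructed detection threshold

if __name__ == "__main__":
    stealth = add(Q, matvec(H, C))            # q_a = q + Hc
    naive = add(Q, [1.0, 0.0, 0.0, 0.0])      # single meter changed, not in span(H)
    for name, q in (("original", Q), ("a = Hc", stealth), ("single meter", naive)):
        print(f"{name:13s} residual={residual_norm(H, q):.4f} "
              f"flagged={detect(H, q, TAU)} estimate={estimate(H, q)}")
```

The estimate moves by exactly C in the a = Hc case while the residual stays at its original value, so any check that is meant to catch this case has to use information other than the residual norm.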
The algorithm converges when the maximum update of the coordination signals
is smaller than the convergence threshold > 0, ||Δqh k || < . Once the algorithm
converges, a bad data detection algorithm analyses the measurement residual vector
to detect and identify faulty measurement data. However, the measurements can be
manipulated to ensure that the algorithm does not detect the manipulation [31]. An
attacker can compromise part of the LCs or the communication network so that he/she
can manipulate the power profile exchanged with the central controller; this value is
used as an input to the ADMM algorithm.
The attack vector at iteration $k$ is represented as $a^k$, or $\ddot{P}_h(t)^k = \tilde{p}_h(t)^k + a^k$, where
$\ddot{P}_h(t)^k$ is the corrupted power consumption vector. The vector $\ddot{P}_h(t)$ is used
as input to the next iteration $(k + 1)$ of the ADMM at the central controller, instead
of the original vector $\tilde{p}_h(t)$. When the power consumption profile is changed by the
manipulation, the control signal will change from $q_h$ to $\ddot{q}_h$. It can be calculated by
replacing $\tilde{p}_h(t)^k$ with $(\tilde{p}_h(t)^k + a^k)$ in step 3, that is
$$\ddot{q}_h^{k+1} = \frac{1}{N}\sum_{h=1}^{N}\left(\tilde{p}_h(t)^k + a^k + \frac{1}{\rho}\tilde{\lambda}_h\right)$$
In other words, if $a \neq 0$ then the attack will be able to drive the consensus variable
($q_h$) by $a$ to an erroneous solution ($\ddot{q}_h$) using step 3 of the ADMM. The attack can
prevent the convergence of the algorithm to the optimal value, or drive it toward a certain
solution of the attacker's interest. If the total demand is lower than the available power, a
part of the available power will be wasted and there will be a loss in terms of revenue. On
the other hand, if the demand surpasses the available power, serious problems such as
black-outs may occur on the users' end. An attack on the control signals can be described
similarly. A small attack size implies smaller corruption added to the exchanged values,
which could make the detection harder. The size of the attack is defined as the Euclidean
norm of the attack vector, i.e., $\|\ddot{P}_h(t)\|_2$. Thus, it would be natural for the attacker to
look for the smallest attack vector that prevents the ADMM from converging. Sandberg
et al. [39] introduced the notion of a security index $\alpha_k$ to characterize the minimum
effort needed for a targeted attack. The security index not only quantifies the minimum
effort needed for stealth false data attacks but also characterizes the robustness of the
grid against such attacks.
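The effect of the corrupted step 3 on the converged value can be simulated on a small instance. This is an added example, not the paper's simulation: it assumes a scalar consensus problem in which each LC has a quadratic cost (w_h/2)(p − d_h)², and W, D and RHO are constructed values. With a constant offset a on every reported p_h, the iteration still meets the convergence test but settles at a value shifted by Nρa/Σw_h.

```python
"""Consensus ADMM where step 3 averages corrupted reports p_h + a (constructed data)."""

W = [1.0, 2.0, 0.5]   # constructed curvature w_h of each LC's quadratic cost
D = [3.0, 1.0, 4.0]   # constructed preferred consumption d_h of each LC
RHO = 1.0             # ADMM penalty parameter


def run_admm(w, d, rho, attack=0.0, iters=1000):
    """Run a fixed number of iterations; return (q, size of the last update of q)."""
    n = len(w)
    lam = [0.0] * n
    q = 0.0
    delta = float("inf")
    for _ in range(iters):
        # Local step at each LC:
        # p_h = argmin (w_h/2)(p - d_h)^2 + lam_h (p - q) + (rho/2)(p - q)^2
        p = [(wh * dh - lh + rho * q) / (wh + rho)
             for wh, dh, lh in zip(w, d, lam)]
        # Step 3 (coordination signal): the average is taken over the reported
        # values p_h + a, where a is the offset injected on the exchange.
        q_new = sum(ph + attack + lh / rho for ph, lh in zip(p, lam)) / n
        # Dual update uses each LC's own p_h and the received signal.
        lam = [lh + rho * (ph - q_new) for lh, ph in zip(lam, p)]
        delta = abs(q_new - q)
        q = q_new
    return q, delta


def optimum(w, d):
    """Minimiser of sum_h (w_h/2)(q - d_h)^2, the value reached without an attack."""
    return sum(wh * dh for wh, dh in zip(w, d)) / sum(w)


def expected_shift(w, rho, attack):
    """Fixed-point offset of q caused by a constant injected value: N*rho*a / sum(w)."""
    return len(w) * rho * attack / sum(w)


if __name__ == "__main__":
    q_clean, d_clean = run_admm(W, D, RHO)
    q_bad, d_bad = run_admm(W, D, RHO, attack=0.2)
    print(f"no injection : q={q_clean:.6f} last update={d_clean:.1e}")
    print(f"a = 0.2      : q={q_bad:.6f} last update={d_bad:.1e}")
    print(f"shift {q_bad - q_clean:.6f}, predicted {expected_shift(W, RHO, 0.2):.6f}")
```

Both runs end with an update of the coordination signal far below any practical convergence threshold, so the convergence criterion by itself gives no indication that the reports were altered.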
8 Conclusions
This paper has studied decentralised DSM for the optimal operation of micro-grids, and
addressed the vulnerability of power consumption scheduling algorithms with respect to
false data injection attacks. Specifically, we formulated the power consumption scheduling
problem as a convex optimisation problem and employed the ADMM to solve
the optimisation problem as two decentralised algorithms by distributing computations
across every device in the micro-grid network. In the first case, the central controller sets
the control signals to coordinate the consumers’ power consumption schedule decisions,
and in the second case, the consumers make and coordinate their power consumption
schedule decisions through local communications with their direct neighbours in the
micro-grid network. The objective of the algorithms is to shift the power consump-
tion of loads to match generation while minimising the electricity cost and consumer
dissatisfaction associated with changes in consumption. Such algorithms can also be
a desirable alternative to the centralised energy management approaches, especially
when highly intermittent renewable energy generation and various load demands pose
challenges to the energy management in the micro-grid. We also investigated the vul-
nerability of the decentralised algorithms with respect to false data injection attacks in
the micro-grid environment. Our analysis indicates that false data injection attacks can
force the decentralised algorithms into erroneous values or prevent them from converg-
ing to optimal values by withholding the delivery of a set of particular measurements.
As future work, we will evaluate the proposed algorithms through numerical simu-
lations.
Acknowledgments. This work was partially supported by the joint SANCOOP Programme of
the Research Council (NRC) of Norway and the National Research Foundation of South Africa
(NRF) under the NRF grant 237817. The authors gratefully thank the anonymous referees for
their review comments that helped improve the presentation of the paper.
References
1. Hatziargyriou, N., Jenkins, N., Strbac, G., Lopes, J.P., Ruela, J., Engler, A., Oyarzabal, J.,
Kariniotakis, G., Amorim, A.: Microgrids-large scale integration of microgeneration to low
voltage grids. CIGRE C6–309, pp. 1–8 (2006)
2. Koutsopoulos, I., Tassiulas, L.: Optimal control policies for power demand scheduling in the
smart grid. IEEE J. Sel. Areas Commun. 30(6), 1049–1060 (2012)
3. Vardakas, J., Zorba, N., Verikoukis, C.: A survey on demand response programs in smart
grids: Pricing methods and optimization algorithms. IEEE Commun. Surv. Tutorials 17(1),
152–178 (2015). First quarter
4. Shi, W., Xie, X., Chu, C.C., Gadh, R.: Distributed optimal energy management in microgrids.
IEEE Trans. Smart Grid 6(3), 1137–1146 (2015)
5. Shi, W., Li, N., Chu, C.C., Gadh, R.: Real-time energy management in microgrids. IEEE
Trans. Smart Grid PP(99), 1–11 (2015)
6. Boyd, S., Parikh, N., Chu, E., Peleato, B., Eckstein, J.: Distributed optimization and statistical
learning via the alternating direction method of multipliers. Found. Trends Mach. Learn.
3(1), 1–122 (2011)
7. Kraning, M., Chu, E., Lavaei, J., Boyd, S.: Message passing for dynamic network energy
management. arXiv preprint arXiv:1204.1106, pp. 1–30, April 2012
8. Kekatos, V., Giannakis, G.: Distributed robust power system state estimation. IEEE Trans.
Power Syst. 28(2), 1617–1626 (2013)
9. Gellings, C., Chamberlin, J.: Demand-side management: Concepts and methods, 2nd edn.
PennWell Corporation (1993)
10. Zhang, Y., Gatsis, N., Giannakis, G.B.: Robust energy
management for microgrids with high-penetration renewables. IEEE Trans. Sustain. Energy
4(4), 944–953 (2013)
11. Wei, E., Ozdaglar, A.: On the O(1/k) convergence of asynchronous distributed alternating
direction method of multipliers. ArXiv e-prints, July 2013
12. Ambassa, P.L., Wolthusen, S.D., Kayem, A.V., Meinel, C.: Robust snapshot algorithm for
power consumption monitoring in computationally constrained micro-grids. In: 2015 IEEE
Innovative Smart Grid Technologies - Asia (ISGT ASIA), pp. 1–6, November 2015
13. Ambassa, P.L., Kayem, A.V.D.M., Wolthusen, S.D., Meinel, C.: Secure and reliable power
consumption monitoring in untrustworthy micro-grids. In: Doss, R., Piramuthu, S., Zhou,
W. (eds.) FNSS 2015. CCIS, vol. 523, pp. 166–180. Springer, Cham (2015).
doi:10.1007/978-3-319-19210-9_12
14. Weldehawaryat, G., Wolthusen, S.: Secure distributed demand projection in micro-grids.
In: Global Information Infrastructure and Networking Symposium (GIIS), pp. 1–6, Octo-
ber 2015
15. Sou, K.C., Kordel, M., Wu, J., Sandberg, H., Johansson, K.: Energy and CO2 efficient
scheduling of smart home appliances. In: 2013 European Control Conference (ECC), pp.
4051–4058, July 2013
16. Yang, P., Chavali, P., Gilboa, E., Nehorai, A.: Parallel load schedule optimization with renew-
able distributed generators in smart grids. IEEE Trans. Smart Grid 4(3), 1431–1441 (2013)
17. Koutsopoulos, I., Tassiulas, L.: Control and optimization meet the smart power grid:
Scheduling of power demands for optimal energy management. In: Proceedings of the 2nd
International Conference on Energy-Efficient Computing and Networking. e-Energy 2011,
pp. 41–50. ACM, New York (2011)
18. O’Neill, D., Levorato, M., Goldsmith, A., Mitra, U.: Residential demand response using
reinforcement learning. In: 2010 First IEEE International Conference on Smart Grid Com-
munications (SmartGridComm), pp. 409–414, October 2010
19. Li, N., Chen, L., Low, S.: Optimal demand response based on utility maximization in power
networks. In: 2011 IEEE Power and Energy Society General Meeting, pp. 1–8, July 2011
20. Urgaonkar, R., Urgaonkar, B., Neely, M.J., Sivasubramaniam, A.: Optimal power cost man-
agement using stored energy in data centers. In: Proceedings of the ACM SIGMETRICS
Joint International Conference on Measurement and Modeling of Computer Systems, SIG-
METRICS 2011, pp. 221–232. ACM, New York (2011)
21. Wang, H., Huang, J.: Bargaining-based energy trading market for interconnected microgrids.
In: 2015 IEEE International Conference on Communications (ICC), pp. 776–781, June 2015
22. Gabay, D., Mercier, B.: A dual algorithm for the solution of nonlinear variational problems
via finite element approximation. Comput. Math. Appl. 2(1), 17–40 (1976)
23. Deng, W., Lai, M.J., Peng, Z., Yin, W.: Parallel multi-block ADMM with o(1/k) convergence.
J. Sci. Comput. 71, 1–25 (2016)
24. Parikh, N., Boyd, S.: Proximal algorithms. Found. Trends Optim. 1(3), 127–239 (2014)
25. Liu, L., Han, Z.: Multi-block ADMM for big data optimization in smart grid. In: 2015 Inter-
national Conference on Computing, Networking and Communications (ICNC), pp. 556–561,
February 2015
26. Zhang, R., Kwok, J.: Asynchronous distributed ADMM for consensus optimization. In: Pro-
ceedings of the 31st International Conference on Machine Learning (ICML-14), pp. 1701–
1709 (2014)
27. Albrecht, J.R., Tuttle, C., Snoeren, A.C., Vahdat, A.: Loose synchronization for large-scale
networked systems. In: USENIX Annual Technical Conference, General Track, pp. 301–314
(2006)
28. Mohsenian-Rad, A.H., Leon-Garcia, A.: Distributed internet-based load altering attacks
against smart power grids. IEEE Trans. Smart Grid 2(4), 667–674 (2011)
29. Li, X., Liang, X., Lu, R., Shen, X., Lin, X., Zhu, H.: Securing smart grid: cyber attacks,
countermeasures, and challenges. IEEE Commun. Mag. 50(8), 38–45 (2012)
30. Wang, W., Lu, Z.: Cyber security in the smart grid: Survey and challenges. Comput. Netw.
57(5), 1344–1371 (2013)
31. Liu, Y., Ning, P., Reiter, M.K.: False data injection attacks against state estimation in electric
power grids. In: Proceedings of the 16th ACM Conference on Computer and Communica-
tions Security, pp. 21–32. ACM, New York (2009)
32. Feng, Y., Foglietta, C., Baiocco, A., Panzieri, S., Wolthusen, S.D.: Malicious false data injec-
tion in hierarchical electric power grid state estimation systems. In: Proceedings of the Fourth
International Conference on Future Energy Systems. e-Energy 2013, pp. 183–192. ACM,
New York (2013)
33. Vuković, O., Dán, G.: On the security of distributed power system state estimation under tar-
geted attacks. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing,
SAC 2013, pp. 666–672. ACM, New York (2013)
34. Bobba, R.B., Rogers, K.M., Wang, Q., Khurana, H., Nahrstedt, K., Overbye, T.J.: Detecting
false data injection attacks on DC state estimation. In: Preprints of the First Workshop on
Secure Control Systems, CPSWEEK. vol. 2010 (2010)
35. Monticelli, A.: Electric power system state estimation. Proc. IEEE 88(2), 262–282 (2000)
36. Amini, S., Mohsenian-Rad, H., Pasqualetti, F.: Dynamic load altering attacks in smart
grid. In: 2015 IEEE Power Energy Society Innovative Smart Grid Technologies Conference
(ISGT), pp. 1–5, February 2015
37. Mantooth, H.A., Liu, Y., Farnell, C., Zhang, F., Li, Q., Di, J.: Securing DC and hybrid micro-
grids. In: 2015 IEEE First International Conference on DC Microgrids (ICDCM), pp. 285–
286, June 2015
38. Talebi, M., Li, C., Qu, Z.: Enhanced protection against false data injection by dynamically
changing information structure of microgrids. In: IEEE 7th Sensor Array and Multichannel
Signal Processing Workshop (SAM), pp. 393–396, June 2012
39. Sandberg, H., Teixeira, A., Johansson, K.H.: On security indices for state estimators in power
networks. In: 2010 First Workshop on Secure Control Systems (SCS), Stockholm, pp. 1–6
(2010)
Security Issues and Mitigation
in Ethernet POWERLINK
1 Introduction
Industrial Ethernet protocols are the evolution of the Fieldbus protocols, which
have been adapted to be able to work on Ethernet. This development makes
communications easier with standard IT networks, but also simplifies access for
an attacker.
Neumann [1] and Jasperneite et al. [2] classify industrial Ethernet in three
classes. Class 1 (soft real-time, e.g. MODBUS/TCP, EtherNet/IP) uses the
TCP/IP suite to transport and schedule data. Class 2 (hard real-time, e.g.
PROFINET RT) directly relies on a standard Ethernet frame; it is faster than
class 1 but, due to the CSMA/CD mechanism, it does not offer real determinism.
Finally, class 3 (isochronous real-time, e.g. Ethernet POWERLINK,
PROFINET IRT, EtherCAT) also uses Ethernet, but with a different technique
for medium access control.
Many papers have already discussed attacks and mitigation for class 1 and
class 2 protocols. However, there is no work yet on this topic for class 3.
In this paper, we present several attacks and propose modifications to the
Ethernet POWERLINK protocol to defend against them.
The paper is organized as follows: Sect. 2 gives a short overview of Ethernet
POWERLINK. In Sect. 3, we present the related work on class 1 and 2 protocols,
© Springer International Publishing AG 2017
N. Cuppens-Boulahia et al. (Eds.): CyberICPS 2016, LNCS 10166, pp. 87–102, 2017.
DOI: 10.1007/978-3-319-61437-3_6
88 J. Yung et al.
2.1 Cycle
SoC. The SoC (Start of Cycle) frame is sent by the MN to every CN on the
network. It is used to determine the start of a cycle but also to synchronize the
clocks of the nodes.
PReq/PRes. After the cycle starts, the MN polls data from every CN consecutively.
It sends a PReq (Poll Request) frame in unicast to the first CN, which
can contain real-time data from the MN. The CN then answers to the MN and to
every other CN with its data, through a PRes (Poll Response) multicast frame.
If a CN is interested in this message, it can consume it (slave to slave
communications). This frame is also used by a CN to notify the MN that it has one
or more messages to send during the asynchronous period, with a priority
indication. A timer is set by the MN after having sent the PReq. When this timer
expires, the MN sends the PReq to the next CN, even if it did not receive the
expected reply from the previous one. When every CN has been contacted, the
MN can optionally send additional real-time data to every CN on the network,
with a PRes.
SoA. The SoA (Start of Asynchronous) frame is used to start the asynchronous
period. It is sent by the MN to every CN, and it indicates which device (including
the MN) can use the asynchronous period, and what type of frame it can send.
If the MN does not have any messages to schedule during this period, it sends a
void SoA and the idle period starts.
ASnd. The device which has been chosen by the SoA (if any) sends an ASnd
(Asynchronous Send) frame to every node. After the ASnd is received or sent by
the MN, the idle period starts. When the cycle ends (that is, after a pre-defined
time after the last SoC), a new one starts.
MN. When the MN starts, and after basic initialization, it verifies that there is
not already an MN active on the network, in which case it must stop. If not, it
then checks that all the CNs which are defined as mandatory in its application
are present with the ident and status ASnd frame, eventually configures them
with the SDO ASnd frame and, if a full cycle can be completed without errors,
enters the operational state. If the communications with one CN are lost, it will
check the CNs again. The MN can also be reset with an NMT command ASnd
frame.
CN. When a CN starts, it waits for an SoA or SoC frame. After having received
another SoC, it can answer the MN with ASnd frames. The MN is then able to
configure it and change its NMT state. In particular, a CN can be stopped with
an NMT command, until the MN starts it again.
The architecture we consider in this paper is a PLC (MN) and a few I/O modules
connected to the Ethernet POWERLINK network (also called control network)
by bus controllers. The PLC can also be connected to another network (process
network) on standard Ethernet which can be connected to other PLCs or HMIs
or programming stations or to the IT network.
The attacks we present are directly related to the Ethernet POWERLINK
protocol: we must therefore access the control network. There are then two pos-
sibilities to meet this requirement: starting directly from the control network, or
connecting to it through the PLC, by the process network.
In the first case, an attacker can compromise a field device or connect addi-
tional equipment on the network. The latter is the easiest, as many Ethernet
POWERLINK CNs include an internal hub with at least two ports, on which
an attacker can plug a device using a standard Ethernet cable. However it is
not possible to disconnect a mandatory CN from the network to replace it by
another without restarting the whole network.
In the second case, one would have to compromise the PLC through its
legacy Ethernet interface, which is accessible from the process network. Even
in the case that these networks cannot be reached from the Internet, attacks like
Stuxnet [5], which was first spread by a USB stick, show that one can still access
them. Spenneberg et al. [6] also present a malware designed specifically for a
PLC.
Because an Ethernet POWERLINK network is based on hubs, we do not
consider a man-in-the-middle attack, as we will see in the next section.
3 Related Work
Many papers present attacks and means of defense for class 1 and class 2 protocols.
However, there is no research for class 3 protocols yet. In this section, we look
at those papers to see if the results proposed in the literature can be applied
to the Ethernet POWERLINK protocol. We classify the different attacks we
have found in four categories, in a similar way as [7]. Eavesdropping involves an
attacker gaining understanding of the process and of the network by listening to the
communications on the network. Interruption entails that the communications
between two devices or in the whole network have been tampered with, either by
the suppression of one or several messages, or by the insertion of substantial
traffic to flood and prevent normal communications. Modification implies that
the attacker intercepted a message sent by an actual device on the network,
modified it, and sent it back (man-in-the-middle attack). Finally, insertion means
that an attacker creates a message and sends it on the network.
Eavesdropping in industrial Ethernet is easy as it does not use encryption
whatsoever. Huitsing et al. [7] present several attacks of this type against
MODBUS/TCP, as does Bristow [8], who made use of the exception model of
this protocol to develop a scanning software to analyze the function codes and
the memory of a device. On Ethernet POWERLINK, listening to the network
enables passive reconnaissance and mapping of the different CNs, the order of
the PReq/PRes exchanges, etc.
Huitsing et al. [7] and Queiroz [9] present interruption attacks on the
MODBUS/TCP protocol, but using attacks on the TCP protocol. Consequently, these
attacks work for all class 1 protocols on TCP, but they are not intended for class
2 or 3 protocols. However, class 3 protocols were designed to have their
communications as close to real time as possible, by implementing their own medium
access control mechanism. This works perfectly as long as every device on the
network is behaving as expected. Class 3 protocols are therefore especially
vulnerable to interruption attacks. We specify in this paper a way to perform this
type of attack on the Ethernet POWERLINK protocol.
Antonioli and Tippenhauer [10] and Åkerberg and Björkman [11] present
modification attacks for EtherNet/IP and PROFINET IO respectively, by using
ARP cache poisoning. Those attacks however work for switched Ethernet, and
the Ethernet POWERLINK specification indicates to only use repeaters.
Paul et al. [12] propose to do a modification attack on PROFINET IO by
using DCP, a protocol from the PROFINET suite doing basic device configura-
tion. However, with the Ethernet POWERLINK protocol, if the MN sees two
CNs with the same node number, it stops the start-up sequence, which makes
this attack impossible in practice.
Finally, the most common type of attack found in the literature is insertion.
There are two kinds of messages an attacker might want to insert: process
data (input or output) and commands. Huitsing et al. [7] and Åkerberg and
Björkman [11] insert process data messages for MODBUS/TCP
and PROFINET respectively. However, this type of message is sent regularly by the devices
and the insertion should be repeated regularly to be efficient. In [11] the attack
is performed at every cycle, and the message is inserted just before the correct
message. As only one message is accepted per PROFINET IO cycle, the correct
message is dropped. The Ethernet POWERLINK network is however too prone
to collisions in the isochronous period to be able to do this type of attack. In
the work of Bhatia et al. [13], an attacker floods the network with process data
messages to ensure that its modifications are not overwritten by normal traffic.
This is of course totally impossible in an Ethernet POWERLINK network without
causing collisions. Finally, Huitsing et al. [7] and Digital Bond [14] present
the insertion of commands to modify or stop devices on a MODBUS/TCP and
EtherNet/IP network respectively. We show in Sect. 4 that this type of attack is
possible on an Ethernet POWERLINK network under certain conditions.
Many authors have been working on securing industrial Ethernet protocols.
We classify their articles in three categories. The first category implements a
wrapper protocol in the device. The second category adds an intermediary unit
between the device and the network (a BITW module, for Bump-In-The-Wire).
The third category modifies the protocol to add cryptography services to provide
authentication, integrity and/or confidentiality.
The first category focuses principally on securing the TCP and IP layers.
Patel [15] studies the use of TLS and IPSec for MODBUS/TCP and DNP3.
This approach can only be used for class 1 protocols, with a drastic decrease
in performance. It can therefore not be used for Ethernet POWERLINK, which
uses neither TCP nor IP.
The second category concerns BITW modules. The most well-known solution
for industrial Ethernet and more generally ICS (Industrial Control Systems)
protocols is AGA-12 [16], which was however withdrawn before completion because
of its cost. West [17] shows how one could use it to secure a MODBUS or DNP3
network. Tsang and Smith [18] present another BITW solution adapted from
AGA-12. These solutions however imply communication delays that could not
fit class 3 protocols, for which cycle duration is extremely short. They would also
add jitter that we do not want on a deterministic network.
The third category is based on cryptographic techniques. Shahzad et al. [19]
and Fovino et al. [20] present a solution for MODBUS/TCP based on RSA signature,
with the associated drawback of the slowness of an asymmetric cryptography
solution. Hayes and El-Khatib [21] consequently propose to use an HMAC
instead. They also use SCTP instead of TCP for MODBUS/TCP to increase
availability. Wang and Chu [22] classify the communications of an ICS protocol
in four categories: data acquisition, firmware download, control functions and
broadcast. They propose a framework applicable to every protocol (SSCada) based
on encryption and MAC. Åkerberg and Björkman [11] also suggest using MAC
to protect PROFINET IO communications. Czybik et al. [23] compare different
MAC solutions for ICS. The HMAC is on average the most efficient one, and
has a calculation time of 50 µs for a frame of 50 bytes or less. For Ethernet
POWERLINK, at each cycle, for each CN, the calculation needs to be done for
the PReq and the PRes. This adds at least 100 µs latency per CN, which is an
important delay for a class 3 protocol. Finally, Patel [15] and the DNP3-SA
protocol [24] propose a challenge/response mechanism, which is also impossible for
4 Attacks
ASnd Message Insertion. During the asynchronous period, only one ASnd
frame can be sent, whose sender and type are decided by the SoA frame. However,
the MN does not check the number of ASnd frames sent in one cycle, nor whether it is
coherent with the SoA. The time dedicated to the asynchronous period is set during the
MN programming, and depends on the length of the frame one wants to send
during this phase. Therefore, if no ASnd frame is sent, or if it is short enough, it
is possible to insert ASnd messages at that time without any error being logged.
There are two main things one can do during this period: NMT commands and
object dictionary modifications.
The NMT commands can change the CN NMT state: one can reset the CN
configuration, communications, or the application, put it to pre-configured states
or stop it. In this last case, the CN will not be able to communicate until it is
reset or put back to pre operational 1 state.
The object dictionary contains all the configuration of a device, including
communication parameters, process data formatting, device profile and
manufacturer specific setup, etc. If an item is accessible in read/write or in write
only, it can be modified by every device on the network by an SDO ASnd frame.
One interesting example is the error configuration objects, which define how
the number of errors should be counted and the threshold before the CN state
changes to pre operational 1. Modifying them would change the way a CN reacts
after detecting an error, and could reduce the probability of a subsequent attack
being noticed.
Denial of Service. This attack is the simplest to test, and the results are the
same on both testbeds. In those configurations, the minimal amount of SoC
to send to cut the communications between the MN and the CN is two. The
behavior of the system will be the same for a greater number of SoC. When the
attack is over, the MN is still in the operational state, while the CN returns to
the pre operational 1 state. The MN will consequently continue to send PReq
to the CN. When it receives in the corresponding PRes that the CN is not in
operational state anymore, the MN restarts. In the case of the first testbed,
the application does not start correctly, and the CPU indicates that there was
an error. If we connect it to the programming software to read the logbook, it
signals the error “Module removed while running”.
address common to all the CNs and to the MN. Besides, the network equipment
used should be either hubs (recommended) or switches acting as repeaters. The
Ethernet POWERLINK extension High Availability [25] offers the possibility
to do media redundancy; however, it was designed to protect against a cable or
hub failure, and would need to be adapted to be truly efficient against an attack.
As for now, every device including the MN is connected to two different media,
conveying the same messages. An interesting feature though is the possibility to
have two MNs on one network configured in the same way: one is active (AMN)
while the other is on standby (SMN) and acts as a CN, while monitoring all the
network traffic. When the SMN detects an AMN failure (absence of one cycle) it
should become the new SMN without going through the NMT boot-up process.
This way, all the CNs stay in operational state and the system can continue with
only one cycle interruption. If we use such an architecture with one main MN
being connected to both the control and process network, and another redundant
MN being connected only to the former (or to another differently secured process
network), we can protect against a Denial of Service attack in the scenario of a
compromised PLC, by shutting it down when we detect the attack.
The second issue is easier to deal with, and we propose in the two next
subsections modifications of the Ethernet POWERLINK DLL (Data Link Layer)
state machine and NMT state machine.
When the ASnd error counter, defined in the previous subsection, goes over the
defined threshold, we can think that it is not due to network error or unintended
repetition, but due to an attack. In this case, an alarm is sent to the applica-
tion (and, depending on the application, to an HMI). The MN will then reset
all the CNs and go back to the pre operational 1 state. This will also happen
in the pre operational 2 and ready to operate states where asynchronous com-
munications are already started. The transition between ready to operate and
operational only occurs if there is no error during a complete cycle like a col-
lision, delay, lack of response from a CN, etc. If the MN detects an unwanted
ASnd during this cycle, the MN should consider the cycle as incorrect.
Consequently, we are now able to detect when an attacker is trying to use
the asynchronous period and to block it in most cases. He might then have to
try several times to be successful, but we would detect it either by collisions
or ASnd errors. However, if an attacker wins the race condition in only a
few tries, he may still be able to insert a command. We consider that the worst
case is if an attacker is able to use an NMT command to stop a CN, as he
will then be able to impersonate it. Besides, an NMT command always comes
from the MN, so an unexpected ASnd of that type is necessarily an attack. We
therefore add a transition in the MN NMT state machine which goes from any
state after pre operational 2 to pre operational 1 if it receives an unexpected
NMT command.
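The two MN-side changes described above, as an added Python model (not code from the paper or from any POWERLINK stack): an ASnd error counter with a threshold, and an immediate fall-back to pre operational 1 on an NMT command the MN did not send. The counter rule (+8 per bad cycle, -1 per clean cycle, threshold 15), the frame fields, and the reading of "after pre operational 2" as pre operational 2 onward are assumptions made for the example.

```python
"""Model of the modified MN: ASnd error counter and unexpected-NMT transition.
Added illustration; frame fields and counter constants are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Nmt(Enum):
    NOT_ACTIVE = 0
    PRE_OPERATIONAL_1 = 1
    PRE_OPERATIONAL_2 = 2
    READY_TO_OPERATE = 3
    OPERATIONAL = 4


@dataclass(frozen=True)
class ASnd:
    src: int       # source node id claimed by the frame (can be spoofed)
    service: str   # e.g. "NMT_COMMAND", "SDO", "STATUS_RESPONSE"


class MnMonitor:
    # Assumed counter rule: +8 for a cycle with an unwanted ASnd, -1 for a clean one.
    STEP_UP, STEP_DOWN, THRESHOLD = 8, 1, 15

    def __init__(self, state: Nmt = Nmt.PRE_OPERATIONAL_1) -> None:
        self.state = state
        self.asnd_errors = 0
        self.alarms: List[str] = []

    def _fall_back(self, reason: str) -> Nmt:
        """Raise the alarm; the MN resets all CNs and restarts from pre operational 1."""
        self.alarms.append(reason)
        self.asnd_errors = 0
        self.state = Nmt.PRE_OPERATIONAL_1
        return self.state

    def end_of_cycle(self, expected: Optional[ASnd], observed: List[ASnd],
                     other_errors: bool = False) -> Nmt:
        """expected: the single ASnd the MN sent or granted this cycle (None if none).
        observed: every ASnd seen on the wire during the asynchronous phase."""
        unwanted = list(observed)
        if expected in unwanted:
            unwanted.remove(expected)          # only one copy is legitimate
        if self.state.value >= Nmt.PRE_OPERATIONAL_2.value:   # async phase is running
            # NMT commands only come from the MN, so a copy it did not send is an attack.
            if any(f.service == "NMT_COMMAND" for f in unwanted):
                return self._fall_back("unexpected NMT command")
            if unwanted:
                self.asnd_errors += self.STEP_UP
            else:
                self.asnd_errors = max(0, self.asnd_errors - self.STEP_DOWN)
            if self.asnd_errors > self.THRESHOLD:
                return self._fall_back("ASnd error counter over threshold")
        # Ready to operate -> operational needs one complete cycle without any error.
        if self.state is Nmt.READY_TO_OPERATE and not unwanted and not other_errors:
            self.state = Nmt.OPERATIONAL
        return self.state


def replay(monitor: MnMonitor, cycles) -> List[Nmt]:
    """Feed (expected, observed) pairs to the monitor and return the state after each."""
    return [monitor.end_of_cycle(exp, obs) for exp, obs in cycles]


# Constructed trace: node 3 is granted the slot, node 7 injects stray SDO frames.
GRANTED = ASnd(src=3, service="STATUS_RESPONSE")
STRAY = ASnd(src=7, service="SDO")
SAMPLE_TRACE = [
    (GRANTED, [GRANTED, STRAY]),   # unwanted ASnd: cycle is incorrect, counter = 8
    (GRANTED, [GRANTED]),          # clean cycle: MN may enter operational, counter = 7
    (GRANTED, [STRAY, GRANTED]),   # counter = 15, not yet over the threshold
    (None, [STRAY]),               # counter = 23: alarm, back to pre operational 1
]

if __name__ == "__main__":
    mn = MnMonitor(Nmt.READY_TO_OPERATE)
    for state in replay(mn, SAMPLE_TRACE):
        print(state.name)
    print(mn.alarms)
```

A duplicate of the MN's own NMT command is treated as unwanted because only one copy of the expected frame is removed from the observed list.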
With these modifications, it is not possible anymore to impersonate a CN.
Even if an attacker manages to send an NMT stop to the CN, the CN will be
reset by the MN, leave the stopped state to go to the pre operational 1 state,
and will then respond normally to the MN. In this case, as the MN sees two
CNs with the same node id (the attacker and the CN), it will block the start-up
phase. However, it is still possible, after a denial of service attack, to try to
impersonate the MN by sending SoC frames when it is still in the not active
state. We therefore need to authenticate the MN. With the other modifications,
we protect against MN impersonation from the pre operational 2 state. After
that, any of our attacks will take the MN to the pre operational 1 state. The MN
should consequently be authenticated between these two states, which will only
slow down the start-up phase.
Figure 5 indicates both the normal (on the left) and modified (on the right)
NMT state machines. Our modifications are in gray boxes.
when the ASnd error counter is higher than the threshold and when it receives
an unexpected NMT command. In the first case, it means that over several cycles
there were too many ASnd frames. If it is not an attack, it implies that there
were a few accidental insertions, which might be due to badly working equipment,
unwanted delay or other network errors which could anyway lead to safety issues
and would be detected by other error markers such as collision detection, frame
loss, etc. Consequently, this does not add any false positives. In the second
case, an NMT command to a mandatory CN for a stop, reset-node,
enter-pre-operational-2, etc. would anyway have led, in normal operation, to the
deactivation of a mandatory node, and therefore put the MN in the
pre operational 1 state. This additional
mechanism only treats the special case not described in the specifications where
someone stops a CN and immediately takes its slots.
Finally, the authentication mechanism is the only one adding major memory
and computing constraints to the system. It would imply, for example, the
possibility to exchange and store symmetric keys on both MN and CNs, and to
compute a challenge or authentication octets like a MAC. However, this is done only during
the start-up phase, and does not put constraints on the length of a cycle, which
is the major issue in this case. Besides, as it is only used at the start-up of the
system, this should rarely occur. Light and simple systems like a one-time pad
could be used, with only constraints on memory on how many times we want to
be able to boot the system up.
Consequently, our modifications barely impact normal communications in
operational state, and only slow down the start-up phase. They can be made by
only changing the protocol and without modifying any equipment hardware.
7 Conclusion
Our analysis of the Ethernet POWERLINK protocol led to the implementation
of several attacks, resulting in a loss of availability, or to the theft of the com-
munication slots of a CN without causing any errors or, even more critical, of
an MN and consequently of all the network. It is however possible to apply sim-
ple modifications to the state machines of a CN or of a MN to protect against
most of these attacks. Defending the start-up phase of the MN is also crucial,
as we do not protect against a restart of the system with a denial of service
attack. We proposed to add a step of authentication in this phase; however, we
only gave a few suggestions on how to realize it. Some issues remain open,
including the way to exchange the information necessary to achieve this step
(e.g. keys, algorithm). Future work could detail this authentication
during start-up, but also regularly during the cycle. An example of
authentication during runtime would be before an NMT command, or before the
reading or writing of an item of the object dictionary; several levels of
privilege could be implemented this way. The asynchronous period could be used
to achieve it without extending the cycle time. The attacks in this paper also
showed that the authentication of a CN can be an issue too, especially for
sensors, which provide information to the system, and consequently have a
certain amount of control over it.
References
1. Neumann, P.: Communication in industrial automation what is going on? Contr.
Eng. Pract. 15, 1332–1347 (2007)
2. Jasperneite, J., Schumacher, M., Weber, K.: Limits of increasing the performance
of industrial ethernet protocols. In: IEEE Conference on Emerging Technologies
and Factory Automation (ETFA), pp. 17–24. IEEE (2007)
3. Ethernet POWERLINK Standardization Group: EPSG Draft Standard 301. Eth-
ernet POWERLINK Communication Profile Specification (2013)
4. CAN in Automation: CiA 301 CANopen application layer specification (2011)
5. Falliere, N., Murchu, L.O., Chien, E.: W32. stuxnet dossier. White paper, Symantec
Corp., Security Response 5 (2011)
6. Spenneberg, R., Brüggemann, M., Schwartke, H.: PLC-blaster: a worm living solely
in the PLC (2016)
7. Huitsing, P., Chandia, R., Papa, M., Shenoi, S.: Attack taxonomies for the modbus
protocols. Int. J. Crit. Infrastruct. Protect. 1, 37–44 (2008)
8. Bristow, M.: Modscan: a scada modbus network scanner. In: DefCon-16 Confer-
ence, Las Vegas, NV (2008)
9. Spyridopoulos, T., Topa, I.-A., Tryfonas, T., Karyda, M.: A holistic approach for
cyber assurance of critical infrastructure with the viable system model. In: Cuppens-
Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC
2014. IAICT, vol. 428, pp. 438–445. Springer, Heidelberg (2014).
doi:10.1007/978-3-642-55415-5_37
10. Antonioli, D., Tippenhauer, N.O.: Minicps: a toolkit for security research on CPS
networks. In: Proceedings of the First ACM Workshop on Cyber-Physical Systems-
Security and/or Privacy, pp. 91–100. ACM (2015)
11. Åkerberg, J., Björkman, M.: Exploring security in profinet IO. In: 33rd Annual
IEEE International Computer Software and Applications Conference (COMPSAC
2009), vol. 1, pp. 406–412. IEEE (2009)
12. Paul, A., Schuster, F., König, H.: Towards the protection of industrial control sys-
tems – conclusions of a vulnerability analysis of profinet IO. In: Rieck, K., Stewin,
P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 160–176. Springer,
Heidelberg (2013). doi:10.1007/978-3-642-39235-1_10
13. Bhatia, S., Kush, N., Djamaludin, C., Akande, J., Foo, E.: Practical modbus flood-
ing attack and detection. In: Proceedings of the Twelfth Australasian Information
Security Conference, vol. 149, pp. 57–65. Australian Computer Society, Inc. (2014)
14. Basecamp Digital Bond: Attacking ControlLogix: ControlLogix Vulnerability
Report (2012)
15. Patel, S.C.: Secure Internet-Based Communication Protocol for SCADA Networks.
University of Louisville (2006)
16. International Electrotechnical Commission: AGA Report No. 12. Cryptographic
Protection of SCADA Communications Part 1: Background, Policies and Test Plan
(2006)
17. West, A.: Securing DNP3 and modbus with AGA12-2J. In: 2008 IEEE Power and
Energy Society General Meeting-Conversion and Delivery of Electrical Energy in
the 21st Century, pp. 1–4. IEEE (2008)
18. Tsang, P.P., Smith, S.W.: YASIR: a low-latency, high-integrity security retrofit
for legacy SCADA systems. In: Jajodia, S., Samarati, P., Cimato, S. (eds.) SEC
2008. ITIFIP, vol. 278, pp. 445–459. Springer, Boston, MA (2008).
doi:10.1007/978-0-387-09699-5_29
19. Shahzad, A., Musa, S., Aborujilah, A., Irfan, M.: Secure cryptography testbed
implementation for scada protocols security. In: 2013 International Conference on
Advanced Computer Science Applications and Technologies (ACSAT), pp. 315–
320. IEEE (2013)
20. Fovino, I.N., Carcano, A., Masera, M., Trombetta, A.: Design and implementation
of a secure modbus protocol. In: Palmer, C., Shenoi, S. (eds.) ICCIP 2009. IAICT,
vol. 311, pp. 83–96. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04798-5_6
21. Hayes, G., El-Khatib, K.: Securing modbus transactions using hash-based mes-
sage authentication codes and stream transmission control protocol. In: 2013
Third International Conference on Communications and Information Technology
(ICCIT), pp. 179–184. IEEE (2013)
22. Wang, Y.: sSCADA: securing scada infrastructure communications. Int. J. Com-
mun. Netw. Distrib. Syst. 6, 59–78 (2010)
23. Czybik, B., Hausmann, S., Heiss, S., Jasperneite, J.: Performance evaluation of
MAC algorithms for real-time ethernet communication systems. In: 2013 11th
IEEE International Conference on Industrial Informatics (INDIN), pp. 676–681.
IEEE (2013)
24. IEEE Power, Energy Society: IEEE 1815. IEEE Standard for Electric Power Sys-
tems Communications - Distributed Network Protocol (DNP3) (2012)
25. Ethernet POWERLINK Standardization Group: EPSG Draft Standard Proposal
302-A. Ethernet POWERLINK Part A, High Availability (2013)
Secure Communication and Authentication
Against Off-line Dictionary Attacks in Smart
Grid Systems
Yongge Wang
1 Introduction
The smart grid is a secure and intelligent energy distribution system that deliv-
ers energy from suppliers to consumers based on two-way demand and response
digital communication technologies to control appliances at consumers’ homes
to save energy and increase reliability. The smart grid improves existing energy
distribution systems with digital information management and advanced metering
systems. Increased interconnectivity and automation over the grid systems
present new challenges for deployment and management.
© Springer International Publishing AG 2017
N. Cuppens-Boulahia et al. (Eds.): CyberICPS 2016, LNCS 10166, pp. 103–120, 2017.
DOI: 10.1007/978-3-319-61437-3_7
It is common for one to ask whether it is possible to use existing techniques such
as Kerberos and PKI that have been successfully used in Internet environments
to secure the communications among meters, collectors, and headquarter com-
puting systems. The answer to this question is that we have to be very careful
in using existing techniques. In a smart grid system, meters and collectors are
normally installed at unattended areas. Thus it may be easy for an attacker to
get long-term access to a large number of meters and collectors without being
detected. In order to deploy Kerberos and PKI based cryptographic systems in
smart grid systems, each node must hold a secure key (either a secret key for
a symmetric cipher or a private key for a public key system). If secret keys in
meters and collectors are not appropriately protected, an attacker could eas-
ily obtain them. Tamper resistant techniques are typically used to protect these
keys. In order to shorten our notations in following discussions, we will only men-
tion smart meters unless stated otherwise. The discussion applies to collectors
or separate tokens that could be inserted into meters or collectors as well.
We use an example to show the challenges in the design of secure smart grid
based authentication protocols using tamper resistant techniques. A traditional
way to store or transfer the secret key for each user is to use a symmetric key
cipher such as AES to encrypt user’s long term secret key with user’s password
and store the encrypted secret key in meters/collectors (either in integrated
tamper resistant components of the meters/collectors or in separate tokens to
be inserted into the nodes). This will not meet our security goals against
off-line dictionary attacks. For example, in an RSA based public key
cryptographic system, the public key is a pair of integers $(n, e)$ and the
private key is an integer $d$. With the above mentioned traditional approach,
the smart meter contains the value $\mathrm{AES}_{\alpha}(d)$ in its tamper
resistant memory space, where $\alpha$ is the user’s password. If the adversary
has access to the smart meter for certain time period, the adversary could feed
a message (or challenge) $m$ to the smart meter for a signature. The adversary
needs to input a password in order for the smart meter to generate a signature.
The adversary will just pick one $\alpha'$ from her dictionary and ask the meter
to sign $m$. The meter will “decrypt” the private key as
$d' = \mathrm{AES}^{-1}_{\alpha'}(\mathrm{AES}_{\alpha}(d))$ and return a
signature $s = m^{d'} \bmod n$ on $m$. Then the adversary only needs to check
whether $s^{e} \bmod n = m$. If the equation holds, the adversary knows that the
guessed password $\alpha'$ is correct. That is, $\alpha' = \alpha$.
Otherwise, the attacker will remove $\alpha'$ from the dictionary. Similar attacks work
for Guillou-Quisquater (GQ), Fiat-Shamir, and Schnorr zero-knowledge identi-
fication schemes.
This example shows that the “off-line” dictionary attack in the smart grid
or AMI environments is different from the traditional client-server based off-line
dictionary attacks. One potential approach to defeat this kind of attack is to
set a counter in the smart meter. That is, the smart meter is allowed to sign at
most a certain number of messages, and then self-destroys. However, this kind
of protection may not be feasible since the smart meters are normally deployed
for a long service life (e.g., 30 years) and it is hard to choose
optimal values for the counter.
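Why the stored key design above leaks the password, and what the signing counter changes, as an added Python model (not code from the paper): the token never reveals its memory, yet checking a returned signature against the public key tells the holder whether the entered password was right. The toy RSA modulus, the SHA-256 pad XOR used in place of AES, the class and function names and the candidate list are all assumptions constructed for the example.

```python
"""Toy model of a signing token that keeps AES_alpha(d) in tamper resistant memory.
Added illustration: tiny RSA key, and a SHA-256 pad XOR standing in for AES."""
import hashlib
from typing import List, Optional, Tuple

# Toy RSA key built from two Mersenne primes (far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
# Constructed challenge message m.
M = int.from_bytes(hashlib.sha256(b"constructed challenge").digest(), "big") % N
# Constructed dictionary; the token below is personalised with "letmein".
CANDIDATES = ["123456", "password", "meter2016", "letmein", "sunshine"]


def seal(value: int, password: str) -> int:
    """Stand-in for AES_alpha(d) and its inverse: XOR with a password-derived pad.
    Like raw AES it has no integrity check, so a wrong password yields a wrong d'."""
    pad = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return value ^ pad


class TokenDestroyed(Exception):
    pass


class SigningToken:
    def __init__(self, d: int, password: str, max_queries: Optional[int] = None):
        self._sealed_d = seal(d, password)   # never leaves the token
        self.max_queries = max_queries       # None = no counter protection
        self.queries = 0
        self.destroyed = False

    def sign(self, m: int, password: str) -> int:
        if self.destroyed or (self.max_queries is not None
                              and self.queries >= self.max_queries):
            self._sealed_d, self.destroyed = 0, True     # self-destroy the key
            raise TokenDestroyed("query budget exhausted")
        self.queries += 1
        d_guess = seal(self._sealed_d, password)   # d' recovered under the entered password
        return pow(m, d_guess, N)                  # s = m^d' mod n


def password_confirmed_by(token: SigningToken, candidates: List[str],
                          m: int = M) -> Tuple[Optional[str], int]:
    """Return (password, queries) for the first candidate whose signature verifies
    under the public key (n, e), or (None, queries) if the token died first."""
    for guess in candidates:
        try:
            s = token.sign(m, guess)
        except TokenDestroyed:
            break
        if pow(s, E, N) == m:       # s^e mod n = m only when the guess was alpha
            return guess, token.queries
    return None, token.queries


if __name__ == "__main__":
    print(password_confirmed_by(SigningToken(D, "letmein"), CANDIDATES))
    capped = SigningToken(D, "letmein", max_queries=3)
    print(password_confirmed_by(capped, CANDIDATES), capped.destroyed)
```

The capped token stops the search but is also dead for its owner afterwards, which is the trade-off the paragraph above raises for meters with a long service life.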
3 Security Models
• Tamper resistant token with counter protection. The attacker cannot read
the sensitive information stored in the tamper resistant memory within
the stolen token. Furthermore, the attacker may only issue a fixed amount
of queries to the token to learn useful information. The token will be self-
destroyed if the query number exceeds certain threshold (e.g., the GSM
SIM card V2 or later has this capability).
• Tamper resistant token without counter protection. The attacker cannot
read the sensitive information stored in the tamper resistant memory of
the token. However, the attacker may issue a large number of queries to
the token to learn some useful information. For example, the attacker
may setup a fake server and uses a malicious smart meter to guess the
potential password.
• Token is not tamper resistant. The attacker (with the token) may be able
to break the tamper resistant protection of the token and read the sensi-
tive information stored in the tamper resistant memory. In this case, the
token looks more like a USB memory stick that stores the user credential
with password protection. But still there is a difference here. In order for
the user to use USB memory stick based credentials, the user needs the
access to a trusted computer to carry out the authentication. However,
one may assume that even if the token is not tamper resistant, it is not
possible for a malicious smart meter to read the sensitive information on
the token within a short time period (e.g., during the time that the token
owner inserts the token into the meter for an authentication).
• Returned stolen token. The attacker may steal the token from a token
holder and carry out some analysis (e.g., mount some attacks based on
the stolen token) and then return the token to the token holder without
being detected by the token holder (that is, the token holder is not aware
of the fact that the token has been lost for a while).
The second author would like to thank Mr. Ding Wang for some discussions on
related topics (note that Mr. Ding Wang is one of the authors for paper Wang et al. [10]).
– Password-guessing. The attacker is assumed to have access to a relatively
small dictionary of words that likely includes the secret password α. In an
off-line attack, the attacker records past communications and searches for a
word in the dictionary that is consistent with the recorded communications or
carries out interactions with a stolen token without frequent server involvement
(the attacker may carry out one or two sessions with server involved and all
other activities without server involvement). In an on-line attack, the attacker
repeatedly picks a password from the dictionary and attempts to impersonate
U, C, U and C, or S. If the impersonation fails, the attacker removes this
password from the dictionary and tries again, using a different password.
– Partition attack. The attacker records past communications, then goes
over the dictionary and deletes those words that are not consistent with
the recorded communications from the dictionary. After several tries, the
attacker’s dictionary could become very small.
In this symmetric key based smart grid authentication scheme SSCA, the server
should choose a master secret β and protect it securely. Note that this master
secret β could be different for different users (tokens). The Setup phase is as
follows:
– For each user with identity C and password α, the token maker (it knows
the server’s master secret β) sets the token secret key as K = H(β, C) and
stores K = Eα (K) in the tamper resistant memory of the token, where E is
a symmetric encryption algorithm such as AES and H is a hash algorithm
such as SHA-2.
In the SSCA scheme, we assume that the token has the capability to generate
unpredictable random numbers. There are several ways for the token to do so. One
of the typical approaches is to use hash algorithms and EPROM. In this approach,
a random number is stored in the EPROM of the smart card when it is made.
Each time a new random number is needed, the token reads the current
random number in the EPROM and hashes this random number with a secret
key. Then it outputs this keyed hash output as the new random number and
replaces the random number content in the EPROM with this new value. In
order to keep the protocol secure, it is important for the token to erase all
session information after each protocol run. This will ensure that, in case the
token is lost and the information within the tamper resistant memory is
recovered by the attacker, the attacker should not be able to recover any of the
random numbers used in the previous runs of the protocols. It should be noted
that one may also use symmetric encryption algorithms to generate random
numbers. Due to the reversible operation of symmetric ciphers, symmetric key
based random number generation is not recommended for token implementation.
Each time when the user inserts her token into a meter (which could be
malicious), the meter asks the user to input the password which will be forwarded
to the token.
1. Using the provided password α, the token decrypts K = Dα (K). If the pass-
word is correct, the value should equal to H(β, C). The token selects a ran-
dom number Rc , computes RA = EK (C, Rc ), and sends the pair (C, RA ) to
the meter which will be forwarded to the server.
2. The server recovers the value of (C, Rc ) using the key K = H(β, C)
and verifies that the identity C of the token is correct. If the verification
passes, the server selects a random number Rs , computes RB = EK (C, Rs ),
and sends (C, RB , Cs ) to the meter which forwards it to the token. Here
Cs = HMACsk (S, C, Rs , Rc ) is the keyed message authentication tag on
(S, C, Rs , Rc ) under the key sk = H(C, S, Rc , Rs ) and S is the server identity
string.
3. The token recovers the value of (C, Rs ) using the key K = H(β, C), com-
putes sk = H(C, S, Rc , Rs ), and verifies the HMAC authentication tag
Cs . If the verification passes, it computes its own confirmation message as
Cc = HMACsk (C, S, Rc , Rs ) and sends Cc to the server. The shared session
key will be sk.
4. The server accepts the communication if the HMAC tag Cc passes the
verification.
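The four SSCA steps above as an added Python walk-through with both sides' messages (not the author's implementation). Assumptions: SHA-256 is H, HMAC-SHA-256 is HMAC, a SHA-256 keystream without integrity stands in for the cipher E, the password is turned into a cipher key by hashing, and all class and function names are hypothetical.

```python
"""SSCA message flow between token and server. Added illustration: SHA-256 is H,
HMAC-SHA-256 is HMAC, a SHA-256 keystream stands in for the cipher E (e.g. AES)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE, RLEN = 16, 16     # bytes of cipher nonce; bytes in Rc and Rs


def pack(*parts: bytes) -> bytes:
    """Length-prefix every field so tuples such as (C, S, Rc, Rs) encode unambiguously."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(pack(*parts)).digest()


def mac(sk: bytes, *parts: bytes) -> bytes:
    return hmac.new(sk, pack(*parts), hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(H(key, nonce, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def E(key: bytes, pt: bytes) -> bytes:
    """Stand-in cipher without integrity: decrypting under a wrong key gives garbage."""
    nonce = secrets.token_bytes(NONCE)
    return nonce + _xor_stream(key, nonce, pt)


def D(key: bytes, ct: bytes) -> bytes:
    return _xor_stream(key, ct[:NONCE], ct[NONCE:])


class Token:
    def __init__(self, C: bytes, sealed_K: bytes):
        self.C, self._sealed_K = C, sealed_K     # E_alpha(K), in tamper resistant memory
        self._session = None

    def step1(self, password: bytes) -> Tuple[bytes, bytes]:
        K = D(H(password), self._sealed_K)       # the token cannot tell if K is right
        Rc = secrets.token_bytes(RLEN)
        self._session = (K, Rc)
        return self.C, E(K, self.C + Rc)         # (C, RA)

    def step3(self, S: bytes, RB: bytes, Cs: bytes) -> Optional[Tuple[bytes, bytes]]:
        K, Rc = self._session
        self._session = None                     # erase session state after the run
        pt = D(K, RB)
        Rs = pt[-RLEN:]
        sk = H(self.C, S, Rc, Rs)
        if pt[:-RLEN] != self.C or not hmac.compare_digest(Cs, mac(sk, S, self.C, Rs, Rc)):
            return None
        return mac(sk, self.C, S, Rc, Rs), sk    # (Cc, session key kept in the token)


class Server:
    def __init__(self, S: bytes, beta: bytes):
        self.S, self._beta, self._pending = S, beta, {}

    def make_token(self, C: bytes, password: bytes) -> Token:
        """Setup: K = H(beta, C), stored on the token encrypted under the password."""
        return Token(C, E(H(password), H(self._beta, C)))

    def step2(self, C: bytes, RA: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
        K = H(self._beta, C)
        pt = D(K, RA)
        if pt[:-RLEN] != C:                      # token used a wrong K, or C is forged
            return None
        Rc, Rs = pt[-RLEN:], secrets.token_bytes(RLEN)
        sk = H(C, self.S, Rc, Rs)
        self._pending[C] = (sk, Rc, Rs)
        return C, E(K, C + Rs), mac(sk, self.S, C, Rs, Rc)    # (C, RB, Cs)

    def step4(self, C: bytes, Cc: bytes) -> Optional[bytes]:
        sk, Rc, Rs = self._pending.pop(C)
        return sk if hmac.compare_digest(Cc, mac(sk, C, self.S, Rc, Rs)) else None


def run(token: Token, server: Server, password: bytes) -> Optional[bytes]:
    """One protocol run relayed by the meter; returns the shared sk, or None on failure."""
    C, RA = token.step1(password)                # 1. token -> server
    reply = server.step2(C, RA)                  # 2. server -> token
    if reply is None:
        return None
    _, RB, Cs = reply
    confirm = token.step3(server.S, RB, Cs)      # 3. token -> server
    if confirm is None:
        return None
    Cc, sk_token = confirm
    return sk_token if server.step4(C, Cc) == sk_token else None   # 4. server accepts
```

With a wrong password the token still emits a well-formed (C, RA); the failure only becomes visible at the server in step 2, so each guess costs one on-line interaction.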
1. The token selects $x \in_R Z_q^*$, computes $R_A = g_C^x$, and sends it to the Server via
the meter.
2. The Server selects $y \in_R Z_q^*$, computes $R_B = g_S^y$, and sends it to the token.
3. The token computes $s_A = \pi(R_A, R_B)$, $s_B = \pi(R_B, R_A)$, and
$d_C = D_{H_2(\alpha)}(d_C)$ where $D$ is the decryption function and $\alpha$ is the user inputted
password. If $d_C$ is not an element of $G$, the token chooses the value for
$sk$ as a random element of $G_1$. Otherwise, the token computes the value
$sk = \hat{e}(g_C, g_S)^{(x+s_A)(y+s_B)\beta}$ as
$$\hat{e}\left(d_C^{(x+s_A)},\; g_S^{s_B} \cdot R_B\right).$$
The token should never export the value of sk to the meter during the pro-
tocol run. However, the token may need to export K2 to the meter in certain
applications.
The PSCAb protocol message flows are shown in Fig. 3.
In the following, we use heuristics to show that PSCAb is secure in the Type
I, Type II, and Type III security models. It should be noted that if the encryption
function is chosen as a standard symmetric cipher such as AES, then PSCAb is
only weakly secure in the Type III security model as follows. When the attacker
has access to the value dC , she could remove those α from her dictionary such
that DH2 (α ) (dC ) is not an element of G. In other words, PSCAb is secure in the
Type III security model only if the remaining dictionary is still large enough.
The security of the underlying identity based key agreement protocol WANG-
KE [5,13] is proved in [13]. Furthermore, the eavesdropping, replay, man-in-
the-middle, impersonation, password-guessing, and partition attacks will learn
nothing about the password since no information of password is involved in these
messages. Furthermore, these attackers will learn nothing about the private keys
dC and β based on the proofs in [13]. For an attacker with access to the infor-
mation dC (the attacker may read this information from the stolen token), she
may impersonate the token owner to interact with the server. Since the attacker
could not compute the correct value sk, she will not be able to generate the
confirmation message CC . Thus the server will not send the server confirmation
message back to the attacker. In other words, the attacker will get no useful
information for an off-line password guessing attack. Furthermore, even if the
attacker has observed previous valid protocol runs, it will not help the attacker
since the token does not contain any information on the session values x of the
previous protocol runs.
Remarks: In the protocol PSCAb, it is important to have the token to send
the confirmation message to the server first. Otherwise, PSCAb will not be
secure in the Type III security model. Assume that the server sends the first
confirmation message. After the attacker obtains the value dC from the token, she
could impersonate the user by sending the value RA to the server. After receiving
the server confirmation message, she will remove α from her dictionary such that
sk = ê DH(α ) (dC )(x+sA ) , gSsB · RB
Remarks: Heuristics could be used to show that this protocol is secure in the
Type I and Type II security models. However this protocol is not secure in the
Type III security model. After the attacker obtains the value $(a \times H(\alpha), g^b)$, the
attacker could recover the password from $a \times H(\alpha)$ and the token public key
$g^a$. However, if $g^a$ is only known to the server, then PSCA should be secure in
the Type III model. We conjecture that it may be impossible to design HMQV
based protocols that are secure in the Type III model if the public key of the
token is available to the attackers.
A yellow page service (e.g., LDAP server) is generally read-only and easy to
maintain.
In the Yellow Page protocol YP, each node A has a secret key KA which is
stored in the tamper resistant component of node A (could be contained in a
separate token such as smart card) and there is an online yellow page Y that
stores the following entry for each ordered node pair A, B of the AMI system:
Note that KA should be a random key with sufficient entropy and it could be
protected with memorable password within the tamper resistant component of
node A. If KA does not have sufficient entropy, then off-line dictionary attacks
are possible against the Yellow page protocol.
Each time when a node A wants to talk to a node B, the participating parties
follow the following steps of the protocol:
1. A retrieves from the Yellow Page Y the entry A, B : EKA (H(KB , A), B, A),
and decrypts τ = H(KB , A).
2. A chooses a random value r and sends it to B.
3. B chooses a random value s and sends the following pair
(s, H (H(KB , A), r, s, 0)) to A.
4. After receiving (s, σ) from B, A checks whether σ = H (τ, r, s, 0), and sends
δ = H (τ, s, 1) to Bob.
5. B checks whether δ = H (H(KB , A), s, 1).
The session key for nodes A and B to carry out subsequent communications is
computed as sk = H (τ, s, A, B).
The full message flow for the yellow page protocol YP is shown in Fig. 4.
– Alice decrypts
In the following, we present a trivial attack on the above protocol. Our attacks
show that Carol can talk to Alice pretending to be Bob and Alice believes that
she is talking to Bob though she is talking to Carol. In particular, the adversary
Carol carries out the following steps of the attack:
– When Alice wants to talk to Bob, Alice sends the value “(Bob, Alice)” to T .
At this stage, the adversary Carol intercepts this message and changes it to
“(Carol, Alice)”. T will reply EN C(KAlice , H(Kcarol , Alice)) and Carol will
forward this to Alice
– Alice sends “(r, Alice)” to Bob. Bob will not get this message though Carol
(impersonating Bob) will get it.
– Carol (impersonating Bob) sends the value
to Alice
– Alice sends H(token, s, 1) to Carol (impersonating Bob).
Now Alice is talking to Carol though Alice thinks that she is talking to Bob.
References
1. Chen, Y., Chou, J., Huang, C.: Comment on four two-party authentication proto-
cols (2010)
2. Das, M.L., Saxena, A., Gulati, V.P.: A dynamic ID-based remote user authentica-
tion scheme. IEEE Trans. Consum. Electron. 50, 629–631 (2004)
3. Gong, L., Lomas, M.A., Roger, M., Needham, R.M., Saltzer, J.H.: Protecting
poorly chosen secrets from guessing attacks. IEEE J. Sel. Areas Commun. 11,
648–656 (1993)
4. Goriparthi, T., Das, M.L., Saxena, A.: An improved bilinear pairing based remote
user authentication scheme. Comput. Stand. Interfaces 31, 181–185 (2009)
5. IEEE 1363: Standard specifications for public-key cryptography (2005)
6. Juang, W.S., Chen, S.T., Liaw, H.T.: Robust and efficient password-authenticated
key agreement using smart cards. IEEE Trans. Ind. Electron. 55, 2551–2556 (2008)
7. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. Cryp-
tology ePrint Archive, Report 2005/176 (2005). http://eprint.iacr.org/
8. Lee, Y., Nam, J., Won, D.: Vulnerabilities in a remote agent authentication scheme
using smart cards. In: Nguyen, N.T., Jo, G.S., Howlett, R.J., Jain, L.C. (eds.) KES-
AMSTA 2008. LNCS, vol. 4953, pp. 850–857. Springer, Heidelberg (2008).
doi:10.1007/978-3-540-78582-8_86
9. Rhee, H.S., Kwon, J.O., Lee, D.H.: A remote user authentication scheme without
using smart cards. Comput. Stand. Interfaces 31, 6–13 (2009)
10. Wang, D., Ma, C.: Robust smart card based password authentication scheme
against smart card security breach. Technical report, Cryptology ePrint Archive,
Report 2012/439 (2012). http://eprint.iacr.org/2012/439
11. Wang, Y.: Cryptographic challenges in smart grid system security. In: IEEE Smart
Grid News Letters, December 2012. http://smartgrid.ieee.org/december-2012/
732-cryptographic-challenges-in-smart-grid-system-security
12. Wang, Y.: Password protected smart card and memory stick authentication against
off-line dictionary attacks. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.)
SEC 2012. IAICT, vol. 376, pp. 489–500. Springer, Heidelberg (2012).
doi:10.1007/978-3-642-30436-1_40
13. Wang, Y.: Efficient identity-based and authenticated key agreement protocol.
Trans. Comput. Sci. 17, 172–197 (2013)
14. Wang, Y.: Smart grid, automation, and SCADA systems security. In: Xiao, Y. (ed.)
Security and Privacy in Smart Grids, pp. 245–268. CRC Press, July 2013
15. Xia, J., Wang, Y.: Secure key distribution for the smart grid. IEEE Trans. Smart
Grid 3(3), 1437–1443 (2012)
16. Xiang, T., Wong, K., Liao, X.: Cryptanalysis of a password authentication scheme
over insecure networks. Comput. Syst. Sci. 74, 657–661 (2008)
17. Zhao, Z., Dong, Z., Wang, Y.: Security analysis of a password-based authentication
protocol proposed to IEEE 1363. Theor. Comput. Sci. 352, 280–287 (2006)
Author Index