Smart grid security

Yee Wei Law
Marimuthu Palaniswami
ARC Research Network on Intelligent Sensors,
Sensor Networks and Information Processing
(ISSNIP)
28th March 2011, Tonkin’s 3rd Smart Grids Forum
1
ISSNIP Vision
◦ 10 Australian universities
◦ Access to an extended network of over 200 researchers
◦ Australia, the USA, Europe and Asia
◦ 30+ industry linkages, e.g., [industry logos]
Partners:
• Universities
• National
• International
• Industry
• Research Institutions
Funding:
• ARC
• DEST
• DIISR
• NSF
• DARPA
2
• With UNSW
◦ Evaluate the impact of large-scale wind turbine penetration on the transient and voltage stability of power systems
◦ Effects of Flexible AC Transmission Systems (FACTS) devices
• With University of Surrey
◦ Reshaping energy demand of users by communication technology and economic incentives
◦ “Persuasive energy-conscious network” usage
3
• Cyber security, not to be confused with “power system security”:
◦ Confidentiality
◦ Availability
◦ Integrity
• Outline:
◦ Recent developments
◦ Introduce new smart grid infrastructure and associated security issues
◦ What tech from sensor networks is applicable
◦ What research is needed
4
[Timeline figure: recent developments, 2007, 2008, 2009, 2010]
5
Organizations and their guidelines/standards:
• Nuclear Regulatory Commission (U.S.): Cyber Security Programs for Nuclear Facilities (2010)
• Dept. Homeland Security (U.S.): Catalog of Control Systems Security: Recommendations for Standards Developers (2011)
• Idaho National Laboratory (U.S.): NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses (2010)
• NIST (U.S.): IR 7628 “Guidelines for Smart Grid Cyber Security” (2010)
• NIST (U.S.): Standards review (2011)
• Government Accountability Office (U.S.): Report on Smart Grid Security Guidelines (2011)
• and more…
6
2011 CyberSecurity Watch Survey by CERT (Aug 2009 – Jul 2010):
• 21% of threats from insiders (employees or contractors)
• 58% of threats from outsiders (e.g., hackers)
Fact 1: Insider attacks render cryptographic protection inadequate
Real-world example: Stuxnet
• Stuxnet was introduced via a USB stick
• It seeks out and spreads to machines running WinCC and PCS 7 SCADA software (Siemens)
7
Fact 2: Control systems are prime targets
• 80% of executives say their SCADA systems are Internet-accessible
• 55% say SCADA / operational control systems are targeted most often
• 57% say security patches are applied regularly
8
• AGA 12: cryptographic protection of communications
• IEC 62351: TLS encryption, security extension of DNP3, etc.
• Resilient control system: A system that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected or malicious nature.
  – Rieger et al., Idaho National Laboratory
• Multimillion European research projects
◦ CRUTIAL
◦ VIKING
9
Part A
• Advanced Distribution Automation (ADA)
• Advanced Metering Infrastructure (AMI)
Part B
• Wide-Area Measurement System (WAMS)
10
Part A
ADA according to EPRI: Complete automation of all controllable equipment and functions in the distribution system
[Figure: ADA components, from control center to substation: RF leakage current sensor, RF temperature sensor, recloser, switched capacitor bank, metal insulated semiconducting (MIS) sensor for detecting hydrogen, transmission-line robot]
11
AMI
[Figure: AMI architecture: Home Area Network, smart meter, Neighborhood Area Network]
12
AMI communication technologies (the distributors using each technology are given in parentheses):

CDMA2000 (Jemena, United Energy, Citipower and Powercor)
  Interoperability: Open standard
  Capacity: 76.8 kbps (80-ms frame), 153.6 kbps (40-ms frame), 307.2 kbps (20-ms frame)
  Latency: Hundreds of milliseconds
  Interference rejection: DSSS; 2 GHz frequency band allows frequency band re-use
  Transmission range: Nation-wide service coverage
  Configuration: Point-to-multipoint

GE-MDS 900 MHz (Jemena, United Energy, Citipower and Powercor)
  Interoperability: Proprietary
  Capacity: 19.2 kbps (80 km), 115 kbps (48 km), 1 Mbps (32 km)
  Latency: Tens of milliseconds
  Interference rejection: FHSS, 902-928 MHz
  Transmission range: 80 km
  Configuration: Point-to-point, point-to-multipoint

Silver Spring Networks (SP AusNet and Energy Australia)
  Interoperability: Proprietary
  Capacity: 100 kbps
  Latency: Tens of milliseconds
  Interference rejection: FHSS, 902-928 MHz
  Transmission range: Unknown
  Configuration: Point-to-point

Wi-Fi/IEEE 802.11
  Interoperability: Open standard
  Capacity: 54 Mbps (802.11a), 11 Mbps (802.11b), 54 Mbps (802.11g), 72 Mbps (802.11n)
  Latency: Milliseconds
  Interference rejection: 802.11a: OFDM, 5 GHz; 802.11b: DSSS, 2.4 GHz; 802.11g: OFDM/DSSS, 2.4 GHz; 802.11n: OFDM, 2.4/5 GHz (the 2.4 GHz band is crowded; 5 GHz less so)
  Transmission range: 802.11a: 120 m; 802.11b/g: 140 m; 802.11n: 250 m
  Configuration: Point-to-point, point-to-multipoint

WiMAX/IEEE 802.16
  Interoperability: Open standard
  Capacity: 9 Mbps
  Latency: Milliseconds
  Interference rejection: OFDM, 3.65-3.70 GHz
  Transmission range: 20 km
  Configuration: Point-to-multipoint

* Note: ZigBee is not in here
13
Smart meter MCUs have limited computational power & memory:

Vendor                 | CPU            | RAM (KB) | Flash (KB)
Microchip PIC16Fxxxx   | 8-bit, 20 MHz  | <1       | <16
TI MSP430F471xx        | 16-bit, 8 MHz  | 4/8      | 56-120
Freescale V1 ColdFire  | 32-bit, 50 MHz | 8/16     | 64/128/256

ADA and AMI that utilize low-capacity networks and low-cost mesh networking devices are in fact wireless sensor networks (WSNs)
Notable players: [company logos] founded by WSN pioneers; acquired by CISCO
14
• The only non-European partner in the European project “SmartSantander”
◦ To turn the Spanish city of Santander into an experimental smart city, by deploying a large-scale network of 20,000 sensors
• Noise mapping for the City of Melbourne
◦ To measure, monitor, understand and manage noise issues within the city
[Newspaper clipping: The Age]
15
• The security of WSN is a relatively well-researched area
[Figure: network protocol stack (Application, Network, Data link, Physical) with key management and intrusion detection and response alongside the stack]
• Many techniques are applicable, e.g.,
◦ secure routing
◦ secure firmware update
16
• Objective: to ensure the delivery of information
• Robustness: achieving objective despite hardware failures or unstable connections
• Resilience: achieving objective despite attacks
• Insider attacks:
◦ Dropping
◦ Flooding
◦ Sybil
◦ Wormhole
[Figure: the attacker attracts traffic to itself by claiming to be 1 hop away from the base station; wormhole endpoints announce “I’m B” and “I’m C”]
17
• RPL (IPv6 routing protocol for low-power and lossy networks)
◦ New routing protocol of the 6LoWPAN protocol stack
◦ Internet Draft
• On top of RPL, apply “tunnel routing with support” (TRS) (co-designed with IBM Zürich)
◦ Principle: monitoring of packet forwarders, multiple paths
[Plot: packet delivery rate vs. fraction of malicious nodes in the network; compared to AODV (Ad hoc On-demand Distance Vector), TRS increases packet delivery rate]
Andrea Munari, Wolfgang Schott, and Yee Wei Law. Dynamic tunnel routing for reliable and resilient data forwarding in wireless sensor networks. In PIMRC 2009, pages 1178-1182. IEEE, 2009.
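The two slides above contrast robustness with resilience and state the TRS principle (monitor forwarders, keep multiple paths). The following toy simulation is an added illustration of that principle, not TRS or the AODV baseline from the cited paper: the source keeps end-to-end ack statistics per route and abandons a route whose delivery ratio collapses. The topology, the insider M that advertised itself as 1 hop from the base station, and the window and threshold values are all constructed for the example.

```python
"""Toy simulation (constructed for this page; not the TRS protocol) of why
monitoring forwarders and keeping alternate paths raises packet delivery
under an insider dropping attack."""

BASE_STATION = "BS"


def delivered(path, dropping_nodes):
    """A packet reaches the base station only if no forwarder on the path drops
    it; the end-to-end ack returns over the same hops, so a dropping forwarder
    also suppresses the ack the source is waiting for."""
    return not any(hop in dropping_nodes for hop in path[1:-1])


def run_forwarding(paths, dropping_nodes, n_packets, monitored=True,
                   window=5, min_ratio=0.5):
    """Send n_packets from the source over the candidate routes in `paths`
    (best first, i.e. the order a hop-count metric would rank them) and
    return delivery statistics.

    monitored=False: single-path behaviour that keeps the best-ranked route
    regardless of outcome (the AODV-like baseline on the slide).
    monitored=True: the source keeps per-path delivery statistics from acks
    and, after every `window` packets, abandons the current path if the acked
    fraction fell below `min_ratio`, moving to the next route not yet suspected.
    """
    current = 0
    suspect = set()
    acked_in_window = sent_in_window = 0
    n_delivered = 0
    switches = []  # (packet number, abandoned path)
    for seq in range(1, n_packets + 1):
        path = paths[current]
        ok = delivered(path, dropping_nodes)
        n_delivered += ok
        sent_in_window += 1
        acked_in_window += ok
        if not monitored or sent_in_window < window:
            continue
        if acked_in_window / sent_in_window < min_ratio:
            suspect.add(current)
            alternatives = [i for i in range(len(paths)) if i not in suspect]
            if alternatives:
                switches.append((seq, tuple(path)))
                current = alternatives[0]
        sent_in_window = acked_in_window = 0
    return {"delivered": n_delivered, "sent": n_packets,
            "rate": n_delivered / n_packets, "switches": switches}


# Constructed topology: the insider M sits on the route that advertised itself
# as 1 hop from the base station (the traffic-attraction trick on the slide),
# so a hop-count metric ranks the route through M first.  N1-N2 is the honest
# alternative.
PATHS = [["S", "M", BASE_STATION], ["S", "N1", "N2", BASE_STATION]]
DROPPERS = {"M"}


def compare(n_packets=20):
    """Delivery rate of the static baseline versus monitored multipath."""
    static = run_forwarding(PATHS, DROPPERS, n_packets, monitored=False)
    monitored = run_forwarding(PATHS, DROPPERS, n_packets, monitored=True)
    return static["rate"], monitored["rate"]


if __name__ == "__main__":
    print("static / monitored delivery rate:", compare())
```

With 20 packets the static route delivers nothing, while the monitored source loses only the first window of 5 before switching and delivers the remaining 15. A forwarder that drops selectively (forwarding during the window, dropping later) would need a longer or sliding window to be caught, which is why forwarder-level monitoring, as in TRS, is stronger than this end-to-end approximation.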
18
• What: For updating firmware of network nodes in situ, i.e., over the air instead of via physical contact
• Why:
◦ Firmware needs to be updated for feature expansion or “bug fix”
◦ Sensor nodes may be inaccessible
◦ Labour cost too high
• Challenges:
◦ Limited computational power requires discreet use of crypto
◦ Limited data rate requires careful coordination
◦ Dynamic environment requires robustness to packet loss
◦ Insider attacks require resilience to packet pollution
19
• Limit use of digital signature verification to once
• Avoid flooding (broadcast storm), by exchanging advertisement, request and data messages
• For robustness to packet loss, use rateless codes
◦ Instead of sending packets as is, encode them in such a way that any k number of encoded packets can be decoded
• For resilience to packet pollution, use Sreluge, which isolates polluters
Yee Wei Law, Yu Zhang, Jiong Jin, Marimuthu Palaniswami, and Paul Havinga. “Secure Rateless Deluge: Pollution-Resistant Reprogramming and Data Dissemination for Wireless Sensor Networks,” EURASIP Journal on Wireless Communications and Networking: Special Issue on Security and Resilience for Smart Devices and Applications, vol. 2011, 2010. Article ID 685219, 22 pages.
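The rateless-coding and sign-once points above are easiest to see in code. The example below is added here and is not Sreluge or Deluge code: it uses a random linear code over GF(2) (one family of rateless codes; the cited paper's code may differ) so that any k linearly independent encoded packets reconstruct the k source packets, simulates a lossy link, and checks the decoded image against a digest that is assumed to have arrived in a signed advertisement verified once. The firmware image, packet size, loss pattern and the single polluted packet are constructed for the example.

```python
"""Added example: rateless (random linear, GF(2)) dissemination of a firmware
image plus a one-time-verified digest check.  Constructed for this page; not
Sreluge/Deluge code."""
import hashlib
import random

PACKET_SIZE = 8  # bytes per source packet (small so the example is readable)


def split_into_packets(image, size=PACKET_SIZE):
    """Zero-pad the image and cut it into k equal-sized source packets."""
    padded = image + b"\x00" * (-len(image) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_stream(packets, rng):
    """Endless stream of (coefficient bitmask, payload): each payload is the
    XOR of a random non-empty subset of the source packets.  Any k linearly
    independent encoded packets suffice to decode, whichever ones arrive."""
    k = len(packets)
    while True:
        mask = rng.getrandbits(k) or 1
        payload = bytes(len(packets[0]))
        for i in range(k):
            if mask >> i & 1:
                payload = xor_bytes(payload, packets[i])
        yield mask, payload


class RatelessDecoder:
    """Incremental Gauss-Jordan elimination over GF(2); rows are kept fully
    reduced, keyed by their pivot bit."""

    def __init__(self, k):
        self.k = k
        self.rows = {}

    def add(self, mask, payload):
        """Absorb one encoded packet; returns False if it was redundant."""
        for pivot, (rmask, rpayload) in self.rows.items():
            if mask >> pivot & 1:
                mask ^= rmask
                payload = xor_bytes(payload, rpayload)
        if mask == 0:
            return False
        pivot = (mask & -mask).bit_length() - 1
        for p, (rmask, rpayload) in list(self.rows.items()):
            if rmask >> pivot & 1:
                self.rows[p] = (rmask ^ mask, xor_bytes(rpayload, payload))
        self.rows[pivot] = (mask, payload)
        return True

    def done(self):
        return len(self.rows) == self.k

    def packets(self):
        """Once k rows are present each row is a unit vector: row i = packet i."""
        return [self.rows[i][1] for i in range(self.k)]


def disseminate(image, seed=1, loss_every=3, pollute_first=False):
    """Stream encoded packets over a lossy link (every `loss_every`-th packet
    is lost) until the decoder has rank k.  With pollute_first=True the first
    packet that arrives has a flipped byte, modelling an insider's pollution.
    Returns (decoded image, number of packets received)."""
    packets = split_into_packets(image)
    k = len(packets)
    decoder = RatelessDecoder(k)
    rng = random.Random(seed)  # seeded so the run is reproducible
    received = 0
    for n, (mask, payload) in enumerate(encode_stream(packets, rng), start=1):
        if n > 8 * k:
            raise RuntimeError("decoder never reached full rank")
        if n % loss_every == 0:
            continue  # lost in the air; no retransmission request needed
        received += 1
        if pollute_first and received == 1:
            payload = bytes([payload[0] ^ 0xFF]) + payload[1:]
        decoder.add(mask, payload)
        if decoder.done():
            break
    return b"".join(decoder.packets())[:len(image)], received


def image_is_authentic(decoded, advertised_digest):
    """The digest is assumed to arrive in a signed advertisement whose
    signature the node verifies once; every decoded image is then checked
    against it, so the signature is not re-verified per packet."""
    return hashlib.sha256(decoded).digest() == advertised_digest


# Constructed firmware image (64 bytes, so k = 8) and its advertised digest.
IMAGE = b"firmware v2.0: recloser timing fix + hydrogen sensor calibration"
ADVERTISED_DIGEST = hashlib.sha256(IMAGE).digest()
```

The lossy run decodes after roughly k received packets with no retransmission requests, which is the robustness property. The polluted run shows the limit of the sign-once digest check: it detects that the decoded image is wrong, but cannot tell which encoded packet was polluted or who sent it, which is the gap Sreluge's polluter isolation addresses.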
20
Part B
• 14 Aug 2003 North America blackout affected 50 million people
• Reasons include:
◦ Inadequate “situational awareness” at FirstEnergy
◦ No real-time data from Stuart-Atlanta line for Midwest ISO to work with
21
• WAMS: High-capacity network of PMUs
• Measures voltage and current phasors (magnitude + angle)
• Typically 30 time-stamped samples per sec
• Real-time control of electromechanical oscillation, voltage, frequency, etc.
• Aka synchrophasors, because time-synchronized using GPS
[Images: Phadke and Thorp’s prototype circa 1988; commercial products: Macrodyne’s 1690, MiCOM P847, ABB’s RES521]
22
[Figure: Energy management system (EMS) comprising state estimator, automatic generation control (AGC), load forecast, economic dispatch, SCADA master and other functions, fed by the wide-area measurement system (WAMS) of PMUs and PDCs and by RTUs/IEDs on the power network]
23
[Figure: state estimation pipeline: measurements and the network topology processor feed the state estimator, followed by bad data detection. Possible insider attack: inject bad data to foil detection]
Y. Liu et al., “False data injection attacks against state estimation in electric power grids,” Proc. 16th ACM Conference on Computer and Communications Security, 2009.
24
• Attack scenario: given k compromised meters (RTUs/IEDs/PMUs), find a vector of k false values that bypass detection
[Plots: results on IEEE test systems and larger networks]
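To make the two slides above concrete from the operator's side, here is an added example (not code from Liu et al. or from ISSNIP) of DC state estimation with residual-based bad data detection on a constructed 3-bus system. It shows what the residual test catches (a single meter reporting an inconsistent value) and its structural blind spot (false data of the form a = Hc, which the cited paper describes), which is the gap the anomaly detection work mentioned later on this page is aimed at. The model matrix H, the true state, the thresholds and the injected values are all constructed; the least-squares estimator and the largest-residual test are the textbook versions.

```python
"""Added example: DC state estimation with residual-based bad data detection
on a constructed 3-bus system, showing what the test catches and the
structural blind spot the slide's attack scenario relies on."""


def transpose(m):
    return [list(col) for col in zip(*m)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]


# Constructed 3-bus DC model: bus 1 is the angle reference, every line has
# unit reactance, state x = [theta2, theta3] (rad).  Rows of H map the state
# to the six measurements: flows P12, P13, P23 and injections P1, P2, P3.
H = [
    [-1, 0],    # P12 = theta1 - theta2
    [0, -1],    # P13 = theta1 - theta3
    [1, -1],    # P23 = theta2 - theta3
    [-1, -1],   # P1 = P12 + P13
    [2, -1],    # P2 = P21 + P23
    [-1, 2],    # P3 = P31 + P32
]
MEASUREMENTS = ["P12", "P13", "P23", "P1", "P2", "P3"]


def estimate_state(H, z):
    """Least-squares estimate (unit weights): x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residuals(H, z, x_hat):
    return [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]


def bad_data_detected(H, z, threshold=1e-3):
    """Largest-residual test: flag the measurement set if any measurement
    disagrees with the fitted state by more than `threshold`.  Real EMSs use a
    chi-square or normalised-residual threshold tuned to sensor noise; the
    idea is the same."""
    return max(abs(r) for r in residuals(H, z, estimate_state(H, z))) > threshold


def inject(z, a):
    return [zi + ai for zi, ai in zip(z, a)]


X_TRUE = [-0.10, -0.20]          # radians
Z_CLEAN = matvec(H, X_TRUE)      # noise-free measurements


def uncoordinated_bad_data():
    """One compromised meter (P23) reports +0.05 p.u. too much.  The other
    five measurements contradict it, so the residual test flags it."""
    z = inject(Z_CLEAN, [0, 0, 0.05, 0, 0, 0])
    return bad_data_detected(H, z)


def coordinated_bad_data(c=(0.05, 0.0)):
    """False data of the form a = H c (the structure identified by Liu et al.):
    the k compromised meters (the nonzero entries of a) jointly describe the
    state x + c, which is consistent with the model, so the residuals equal
    the clean case and the estimator reports the shifted state.
    Returns (detected, x_hat)."""
    z = inject(Z_CLEAN, matvec(H, list(c)))
    return bad_data_detected(H, z), estimate_state(H, z)
```

The detection logic never sees the difference between the clean and coordinated cases because both are exact solutions of z = Hx; anything that only looks at model consistency shares this blind spot, which is why redundancy, tamper resistance and data-driven anomaly detection (later slides) are discussed as complements.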
25
[Figure: IEEE 14-bus test system with two lines that are actually congested but faked as not congested; the attacker earns $2/MWh at one location, loses $1/MWh at another, and earns $1/MWh net]
L. Xie, Y. Mo, and B. Sinopoli, “False data injection attacks in electricity markets,” in Proc. 1st International Conference on Smart Grid Communications, 2010.
26
• A multilayered architecture with a perimeter network
• Firewall + VPN
  – Stewart et al., “Synchrophasor Security Practices,” white paper
• It is impractical to tamper-proof a whole PMU, for maintenance reasons, etc.
• Even if tamper-proofing all PMUs is achievable, it is impractical for all RTUs and IEDs
• Using redundant PMUs could reduce the risk, but is also costly
• Most (academic) research so far designed attacks under different constraints
• We are investigating anomaly detection methods to detect false data
27
• J. C. Bezdek, S. Rajasegarar, M. Moshtaghi, T. Havens, C. Leckie, and M. Palaniswami, “Anomaly detection in environmental monitoring networks,” IEEE Computational Intelligence Magazine, 2010.
• A. Shilton, D. T. H. Lai, and M. Palaniswami, “A Division Algebraic Framework for Multidimensional Support Vector Regression,” IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, vol. 40, no. 2, pages 517-528, Apr 2010.
• S. Rajasegarar, J. C. Bezdek, C. Leckie, and M. Palaniswami, “Elliptical Anomalies in Wireless Sensor Networks,” ACM Transactions on Sensor Networks, vol. 6, no. 1, article 7, Dec 2009.
• A. Shilton, M. Palaniswami, D. Ralph, and A. C. Tsoi, “Incremental Training of Support Vector Machines,” IEEE Transactions on Neural Networks, vol. 16, no. 1, pages 114-131, Jan 2005.
28
We (ISSNIP) welcome collaboration opportunities
Contact: palani@unimelb.edu.au
29
[Figure: response stages against an attack: prevention, containment, detection and notification, recovery and restoration]
30
• Synchrophasors rely on GPS
• GPS is vulnerable to jamming (weak signal) and spoofing
• Short-term solution: Enhanced Long Range Navigation (eLORAN)
• Long-term solution: atomic clocks
[Images: a portable GPS and mobile jammer; a LORAN transmitter]
31
[Figure: synchrophasor data architecture. Layer 1: Data acquisition (PMUs over a WAN). Layer 2: Data management (PDC). Layer 3: Data services (Application Data Buffer). Layer 4: Applications (Real-Time Monitoring, Real-Time Control, Real-Time Protection)]
32
• Privatization of electricity market recent (‘80s)
• Locational marginal pricing (LMP) aka nodal pricing
◦ Case no constraint on Tx line: uniform market clearing price is the highest marginal generator cost
◦ Case congestion on Tx line: price varies with location
Attack [Xie ‘10]:
1. In the day-ahead forward market, buy and sell virtual power at two different locations 𝑃1 and 𝑃2
2. Inject false data to manipulate the nodal price of the Ex Post market
3. In the Ex Post market, sell and buy virtual power at 𝑃1 and 𝑃2 respectively
4. Profit
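The two LMP cases on this slide (uniform price without congestion, location-dependent price with congestion) are what make a faked congestion state worth money, so it helps to see them computed. The example below is added here and is not from Xie et al.: a merit-order dispatch for a constructed two-bus system with all load at bus 2, where the price at a bus is the cost of the cheapest generator with spare capacity that can still reach that bus. The generators, costs, capacities and line limits are constructed; real LMP comes out of an optimal power flow with losses and many lines, but the two-case behaviour is the same.

```python
"""Added example: two-bus merit-order dispatch showing the two LMP cases on
the slide (uniform price without congestion, location-dependent price with
congestion).  Constructed illustration, not a market-clearing engine."""


def dispatch_two_bus(generators, demand_at_bus2, line_limit):
    """Dispatch `generators` (dicts with name, bus in {1, 2}, cost in $/MWh,
    cap in MW) to serve a load located at bus 2, with a single line 1->2 of
    capacity `line_limit` MW.  Returns dispatch, flow, congestion flag and
    the locational marginal price at each bus."""
    remaining = demand_at_bus2
    export_room = line_limit
    dispatch = {}
    for g in sorted(generators, key=lambda g: g["cost"]):  # merit order
        take = min(g["cap"], remaining)
        if g["bus"] == 1:  # bus-1 energy must cross the line to reach the load
            take = min(take, export_room)
            export_room -= take
        dispatch[g["name"]] = take
        remaining -= take
    if remaining > 1e-9:
        raise ValueError("demand cannot be met")
    congested = export_room <= 1e-9

    def lmp(bus):
        # Marginal cost of one more MW at `bus`: the cheapest generator with
        # spare capacity that can reach it.  A bus-1 generator reaches bus 2
        # only if the line has room; a bus-2 generator always reaches bus 1
        # because its output flows against the congested direction.
        costs = [g["cost"] for g in generators
                 if g["cap"] - dispatch[g["name"]] > 1e-9
                 and (g["bus"] == bus or not congested or g["bus"] == 2)]
        return min(costs)

    return {"dispatch": dispatch, "flow_1_to_2": line_limit - export_room,
            "congested": congested, "lmp": {1: lmp(1), 2: lmp(2)}}


# Constructed system: cheap generation at bus 1, expensive generation at bus 2,
# 100 MW of load at bus 2.
GENERATORS = [
    {"name": "G1", "bus": 1, "cost": 20.0, "cap": 200.0},
    {"name": "G2", "bus": 2, "cost": 50.0, "cap": 100.0},
]


def unconstrained_case():
    """Line limit above the load: G1 serves everything, one price everywhere."""
    return dispatch_two_bus(GENERATORS, demand_at_bus2=100.0, line_limit=150.0)


def congested_case():
    """Line limit binds at 60 MW: G2 must cover the rest, bus 2 price rises."""
    return dispatch_two_bus(GENERATORS, demand_at_bus2=100.0, line_limit=60.0)


if __name__ == "__main__":
    print("unconstrained:", unconstrained_case()["lmp"])
    print("congested:   ", congested_case()["lmp"])
```

In the unconstrained run both buses clear at $20/MWh, the cost of the marginal generator; in the congested run bus 1 stays at $20/MWh while bus 2 rises to $50/MWh. The difference between those two price vectors is exactly what the state estimator's view of line congestion determines, which is why measurement integrity in the WAMS/SCADA path matters to the market and not only to grid stability.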
33
• Advances in sensor and networking tech driving Smart Grid
• Grid modernization stimulates multi-disciplinary research
• In progress:
◦ $100m “Smart Grid, Smart City” demo project in Newcastle
◦ Intelligent Grid: CSIRO and five universities
• We have the expertise in WSNs, control and machine learning, seeking collaboration opportunities
34