Elektrotechnik & Informationstechnik (2014) 131/3: 105–111. DOI 10.1007/s00502-014-0203-3
ORIGINALARBEITEN
Security Challenges for Wide Area Monitoring in Smart Grids T. Zseby, J. Fabini
Wide Area Monitoring Systems (WAMS) improve situational awareness in the electric grid. They support planning and optimization of grid operations and provide valuable information to prevent critical incidents. Communication demands on WAMS have been raised by the variety of applications that rely on measurement data from distributed sensors. Besides bounds on the tolerated end-to-end latency for some applications, security is a major concern in today's Wide Area Monitoring Systems. We review recent approaches for WAMS communication and point out security challenges that need to be addressed in future communication solutions for WAMS. Keywords: Wide Area Monitoring System; WAMS; Smart Grid; communication networks; IPsec; security
German abstract (translated): Security requirements for future communication solutions for Wide Area Monitoring Systems used to supervise Smart Grids. Wide Area Monitoring Systems (WAMS) form networks of distributed sensors for supervising intelligent power grids (Smart Grids). They support planning and optimization of processes in the electricity grid and provide valuable information for the prevention of critical events. Many applications need up-to-date measurement data in order to react to new situations in intelligent power grids. This also raises the communication requirements for Wide Area Monitoring Systems. Besides requirements on the maximum tolerable end-to-end delay, security mechanisms are today of particular importance for Wide Area Monitoring Systems. We compare different approaches for WAMS communication and show which security requirements must be taken into account in future communication solutions for WAMS. Keywords: Wide Area Monitoring System; WAMS; Smart Grid; communication networks; IPsec; security
Received February 24, 2014, accepted April 4, 2014, published online May 9, 2014 © Springer Verlag Wien 2014
1. Introduction
Wide Area Monitoring Systems (WAMS) are used to supervise the state of the electric grid. They collect measurement values from widely distributed sensors in the grid and provide them to a variety of applications. Measurement values may be processed and displayed for real-time manual supervision by human operators. They can be archived for future planning and for post-incident analysis. And they can be used as direct input to control functions in order to optimize electric grid operation or to make immediate decisions that prevent critical incidents. Especially if measurements are used as feedback in control loops, two requirements are essential for the communication: low latency and strong security measures. In this paper we present WAMS communication requirements for different scenarios. Based on these requirements we review existing approaches for WAMS communication and show which security challenges have to be addressed for future WAMS environments.

2. WAMS communication scenarios
A common type of sensor in the electric grid is the phasor measurement unit (PMU). PMUs are clock-synchronized distributed measurement devices that measure voltage and current phasors (magnitude and phase angle) and other characteristics such as frequency drift and harmonics. Wide area monitoring with PMUs can be realized in different settings. First of all, it has to be distinguished whether sensor data is required at only one receiver or at multiple receivers. Sending data to multiple receivers is explicitly required in IEC 61850-90-5 [1]. If multiple receivers should get the same sensor data, it is useful to use
multicast functions for sending sensor data in order to save network resources. Secondly, it has to be decided whether the communication infrastructure contains application layer aggregation points, e.g., phasor data concentrators (PDCs), that aggregate sensor data before it is forwarded.

Figure 1 shows four different scenarios for wide area monitoring with PMUs. In scenario A the PMUs report the measurement values directly to a control center. Only one receiver requires the data, so unicast communication can be used. In scenario B data is needed at multiple control centers (e.g., for archiving, real-time analysis, visualization). In this case PMUs should use multicast to allow efficient transmission of the sensor data to multiple receivers. In scenario C a PDC first combines the data received from different PMUs. The PDC may rearrange, aggregate or resample the PMU measurement values. If messages are encrypted or signed, the PDC needs to decrypt them to access the data and has to add a new signature if data is modified; the PDC thereby becomes a trusted party on the path and the end-to-end protection between PMU and control center is interrupted. In scenario D both PMUs and PDCs use multicast in order to send messages to multiple receivers.

Zseby, Tanja, Institute of Telecommunications, Vienna University of Technology, Gußhausstraße 25, 1040 Vienna, Austria; Fabini, Joachim, Institute of Telecommunications, Vienna University of Technology, Gußhausstraße 25, 1040 Vienna, Austria (E-mail: [email protected])

Fig. 1. Configuration scenarios for Wide Area Monitoring (PMU—Phasor Measurement Unit, PDC—Phasor Data Concentrator, CC—Control Center)

In the past, PMUs, PDCs and control instances often resided in a single LAN (e.g., at a substation) or used dedicated SDH or SONET tunnels to communicate with remote devices. In this case messages do not need to be routable and can use layer 2 technologies directly, e.g., by sending messages directly over Ethernet. If messages stay within a single LAN they experience much lower delays. Furthermore, protecting messages inside a local network is easier than providing security functions for messages that travel over a wide area network, where many potential attackers can gain access. Nowadays we often have situations where sensor data from different geographical locations is transmitted over wide area networks. Such scenarios are more challenging with regard to latency and security requirements. We here address situations where sensor data is transmitted over wide area networks using the IP protocol at the network layer. Scenarios where sensor data remains within a single LAN are out of scope of this paper.

3. WAMS communication protocols
Requirements for the communication infrastructure depend on the application that uses the sensor data. Control functions and real-time supervision of the grid require timely delivery of measurement results. Archiving functions have no time constraints, but may require reliable transmission for completeness of the data. So there are partially conflicting demands regarding the desired properties of WAMS communication.
− Protocols should be able to operate even if only unidirectional communication is possible, e.g., with simple sensors that just report data to a collector and have no receiver functionality.
− Protocols should be able to operate connectionless, because connection establishment requires time and state keeping (i.e., resources in devices), which may be critical for resource-constrained devices.
− Protocols should support multicast transmission as required in IEC 61850-90-5.
− Reliable transmission is useful, e.g., to archive data completely for post-incident forensics or planning.
Reliable transmission requires feedback and therefore bi-directional communication. Furthermore, the need to wait for acknowledgements and retransmissions introduces additional delay.
− Congestion control is useful if data is transmitted over wide area networks and competes with other data flows. Congestion control also requires feedback signals, and adjusting the sending rate to the network situation can cause additional delays as well.
− Security features must be provided. Message integrity and source authentication are the most important features. Confidentiality is less critical in WAMS, but may be desired to prevent attackers from gathering information about connected sensors.

It is not possible to provide all desired features in one protocol. For instance, reliable transmission and congestion control require feedback signals, which cannot be achieved with unidirectional communication. At the network layer the IP protocol gains more and more acceptance and is proposed in several smart grid standards as a common convergence layer. Different transport layer protocols can be used on top of IP to provide the desired communication features. For smart grid installations we recommend the use of IPv6 instead of IPv4 at the network layer [2]. The much larger IPv6 address range allows end-to-end connectivity for the expected large number of devices in smart grids, and autoconfiguration features support the installation of new devices (on shared links the neighbor discovery and router advertisement messages that autoconfiguration relies on need protection themselves, e.g., by RA Guard at the switch). Furthermore, the recommended integration of IPsec functions in IPv6 and the improved IP multicast support are valuable features in WAMS environments.

At the transport layer, UDP and TCP are the most common protocols used in IP networks. Advantages of TCP are reliable transport and congestion control. Congestion control is important when data is transmitted over an infrastructure shared by multiple flows. But there are also disadvantages when using TCP for collecting measurements in the grid. First of all, TCP requires bi-directional communication, which may not be available at simple sensors.
Restricting sensors to unidirectional communication can also have a security rationale. Sensors that do not accept any connection attempts cannot be accessed by remote devices and are immune to claim-and-hold attacks that use connection establishment for resource exhaustion (e.g., TCP SYN flooding). Due to the use of acknowledgements and retransmissions, TCP also generates more traffic and requires state keeping in the devices. Furthermore, TCP retransmissions can cause critical delays. TCP also does not support sending data via IP multicast. There are some approaches to realize reliable multicast, e.g., Pragmatic General Multicast (PGM) defined in [3], but currently only with the status of an experimental protocol.

Less common transport protocols are the Stream Control Transmission Protocol (SCTP) [4] and the Datagram Congestion Control Protocol (DCCP) [5]. SCTP is reliable and connection-oriented and provides more flexibility than TCP. Due to its four-way handshake with a state cookie, it is less vulnerable to claim-and-hold attacks such as TCP SYN flooding: the server allocates no association state until the initiator echoes the cookie and thereby proves that it can receive packets at its claimed address. In addition, SCTP's multi-streaming and partial reliability features improve the timely delivery of near-real-time data and avoid the severe impairment caused by TCP's head-of-line blocking. DCCP provides congestion control but no reliable transport. It can be considered a protocol similar to UDP, but with TCP-friendly behavior that reduces the sending rate when congestion is detected. It introduces less delay than TCP because it does not implement functions for reliable transmission. But like TCP it requires bidirectional communication.

The IEEE C37.118.2 standard [6] for PMU communication describes a message format and communication protocols to send measurement data from PMUs to phasor data concentrators (PDCs), Energy Management Systems (EMS) or other applications. IEEE C37.118.2 allows sending everything via TCP (TCP-only), everything via UDP (UDP-only), or sending measurement results by UDP and configuration and control messages by TCP (TCP/UDP method).
It is also possible to configure PMUs so that they just send the measurement values using UDP without any control messages. IPv6 is not explicitly mentioned in the standard, but TCP and UDP data can in general be sent via IPv4 or IPv6. Depending on the transport protocol choice, IEEE C37.118.2 offers a connectionless service with the possibility to use multicast (in UDP-only mode) or reliable communication with flow and congestion control (in TCP-only mode). Security aspects are not addressed in the document; the only check on a frame is a CRC-CCITT, which detects transmission errors but not deliberate modification, since anyone on the path can recompute it.

The IEC 61850 standard [7] defines an architecture and data models for communication in electric power systems for substation automation. The standard specifies the transmission of Sampled Values (SV) and Generic Substation Events (GSE), such as GOOSE (Generic Object Oriented Substation Events) and GSSE (Generic Substation State Events). Such messages are typically exchanged among devices within a substation LAN. In order to make PMU communication compliant with the IEC 61850 standard, IEEE and IEC started to work together and created the technical report IEC TR 61850-90-5 [1]. The technical report describes synchrophasor communication using C37.118 messages over IEC 61850. IEC 61850-90-5 also defines routable profiles for IEC 61850-8-1 GOOSE and IEC 61850-9-2 Sampled Value (SV) packets in order to send such messages beyond substation LANs. The historic development of IEEE C37.118 and IEC 61850 is described in [8]. For IP-based communication IEC 61850-90-5 mainly discusses the use of UDP with multicast addressing, but also allows the use of TCP if reliable communication is required and data delivery is not time critical. IEC 61850-90-5 explicitly mentions the use of IPv6 for the data transmission. It also addresses security aspects and proposes to use key distribution centers (KDCs) for the management of cryptographic keys for message authentication and (optional) encryption.
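To make concrete why the frame check in IEEE C37.118.2 is no substitute for the integrity protection that IEC 61850-90-5 demands, the following Python example (added here; it is not code from the paper, from the standard or from any PMU vendor) builds a minimal data frame, parses it, verifies the CRC-CCITT, and then shows an on-path attacker rewriting a phasor and recomputing a CRC that verifies just as well. The 14-byte common header (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC) and the CRC parameters follow the standard; the payload layout (STAT, one 16-bit rectangular phasor, FREQ, DFREQ) is an assumed minimal configuration, since a real PMU dictates its layout in a configuration frame, and all field values (IDCODE 7, the timestamp, the phasor) are constructed for the example.

```python
import struct

# IEEE C37.118.2 common frame header: SYNC (0xAA + type/version byte), FRAMESIZE,
# IDCODE, SOC (UTC seconds) and FRACSEC (time-quality byte + 24-bit fraction of second).
HEADER = struct.Struct(">BBHHII")
# Assumed minimal data-frame payload for this example: STAT, one phasor as 16-bit
# rectangular (re, im), FREQ and DFREQ as 16-bit integers. A real PMU announces its
# actual layout in a CFG-2 frame; this layout is a constructed stand-in.
PAYLOAD = struct.Struct(">Hhhhh")
FRAME_TYPES = {0: "data", 1: "header", 2: "cfg-1", 3: "cfg-2", 4: "command", 5: "cfg-3"}


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used by C37.118: x^16 + x^12 + x^5 + 1, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_data_frame(idcode, soc, fracsec, stat, re, im, freq, dfreq) -> bytes:
    """Assemble a data frame; SYNC second byte 0x01 means frame type 0 (data), version 1."""
    body = PAYLOAD.pack(stat, re, im, freq, dfreq)
    size = HEADER.size + len(body) + 2  # FRAMESIZE counts the trailing 2-byte CHK field too
    frame = HEADER.pack(0xAA, 0x01, size, idcode, soc, fracsec) + body
    return frame + struct.pack(">H", crc_ccitt(frame))


def parse_frame(frame: bytes) -> dict:
    """Decode the common header, verify the CHK field and decode a data payload."""
    if len(frame) < HEADER.size + 2 or frame[0] != 0xAA:
        raise ValueError("not a C37.118 frame")
    _, sync1, size, idcode, soc, fracsec = HEADER.unpack_from(frame)
    if size != len(frame):
        raise ValueError("FRAMESIZE does not match received length")
    crc_ok = struct.unpack(">H", frame[-2:])[0] == crc_ccitt(frame[:-2])
    ftype = FRAME_TYPES.get((sync1 >> 4) & 0x7, "reserved")
    result = {
        "type": ftype, "version": sync1 & 0xF, "idcode": idcode, "soc": soc,
        "time_quality": fracsec >> 24, "fracsec": fracsec & 0xFFFFFF, "crc_ok": crc_ok,
    }
    if ftype == "data":
        stat, re, im, freq, dfreq = PAYLOAD.unpack_from(frame, HEADER.size)
        result.update(stat=stat, phasor=(re, im), freq=freq, dfreq=dfreq)
    return result


def forge_phasor(frame: bytes, re: int, im: int) -> bytes:
    """What an on-path attacker can do: rewrite the phasor and recompute the CRC.
    Nothing in the frame binds it to the PMU, so the forgery verifies like the original."""
    body = bytearray(frame[:-2])
    struct.pack_into(">hh", body, HEADER.size + 2, re, im)  # +2 skips the STAT word
    return bytes(body) + struct.pack(">H", crc_ccitt(bytes(body)))


if __name__ == "__main__":
    # Constructed sample: IDCODE 7, a 2014 timestamp, 0.5 s into the second (assuming TIME_BASE 1e6)
    original = build_data_frame(7, 1393200000, 500_000, 0, 13000, 0, 0, 0)
    print("original:", parse_frame(original))
    corrupted = original[:20] + bytes([original[20] ^ 0x01]) + original[21:]
    print("bit flip crc_ok:", parse_frame(corrupted)["crc_ok"])  # the CRC does catch noise
    print("forged:  ", parse_frame(forge_phasor(original, 6500, 0)))  # crc_ok, half the magnitude
```

The same holds for any checksum: only a message authentication code under a key the attacker does not hold, or a signature, turns a passing check into evidence of origin, which is exactly what IEC 62351-6 and the routable profiles of IEC 61850-90-5 add on top of the C37.118 payload.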
For multicast security the technical report recommends the Group Domain of Interpretation (GDOI) protocol described in [9]. IEC 61850-90-5 also refers to the security methods proposed in IEC 62351-6 [10], which describes general security mechanisms and messages for IEC 61850 protocols. Whereas the integrity protection mechanisms described in IEC 62351-6 for the non-routable SV and GOOSE profiles are considered optional, IEC 61850-90-5 demands integrity protection for the routable profiles. If no IEC 62351-6 integrity protection is deployed on the original publisher/subscribers on Ethernet, integrity is provided between IEC 61850-90-5 instances instead. If IEC 62351-6 integrity protection is deployed on the original publisher/subscribers on Ethernet, then two levels of integrity protection are considered: between the original publisher/subscribers and between IEC 61850-90-5 instances. IEC 61850-90-5 mentions concerns that PMU hardware may be incapable of supporting digital signatures due to the computational effort required by asymmetric cryptography. The report also points out that re-packaging of measured values at PDCs interrupts the end-to-end integrity protection and requires the integrity checks to be re-calculated.

In [11] Cisco proposes a WAMS structure without PDCs. The architecture just makes use of PMUs as IP multicast sources. The authors recommend using UDP over IP multicast. In order to add reliability they propose to use Pragmatic General Multicast (described in the experimental RFC [3]) or RTP [12] on top of UDP. For security the authors propose a VPN-based concept called Group Encrypted Transport VPN (GETVPN), which has been developed by Cisco and itself relies on GDOI for group key distribution.

In [13] a new transport protocol, SSTP (Scalable Secure Transport Protocol), for WAMS communication is proposed as a replacement for TCP, SCTP and associated security mechanisms like IPsec or TLS. The protocol is connection-oriented and provides reliable delivery by sending acknowledgements.
The authors argue that common connection-oriented transport protocols do not match the primary, unidirectional Smart Grid communication pattern of sensors, which report measurement data on a periodic basis. Using TCP or SCTP with network or transport layer security (IPsec or TLS) adds overhead in terms of connection establishment delay on each data report. Alternatively, transport connections between sensors and PDC or CC servers must be kept alive between subsequent reports. This requires servers to store session state, and the limited number of concurrent transport connections becomes a potential scalability bottleneck. This affects WAMS operations especially if data needs to be unwrapped at concentration points. SSTP encrypts session state into tokens, which clients must present when contacting servers so that servers can reconstruct the session state. It supports only symmetric-key encryption based on pre-shared keys (PSK) to decrease the computational effort at client and server. Table 1 summarizes the features provided by the different WAMS communication protocols.

Table 1. Comparison of WAMS communication protocols

Feature             | C37.118 UDP-only | C37.118 TCP-only | IEC 61850-90-5                            | SSTP                 | Cisco whitepaper [11]
--------------------|------------------|------------------|-------------------------------------------|----------------------|-----------------------------
Layer               | Application      | Application      | Network/transport                         | Transport            | Network/transport
Security concept    | None             | None             | GDOI, KDCs, symmetric and asymmetric keys | Symmetric keys, PSK  | GETVPN
IPv6                | Yes              | Yes              | Yes                                       | Probably             | Yes
Unidirectional      | Yes              | No               | Yes                                       | Yes                  | Yes
Connectionless      | Yes              | No               | Yes                                       | No                   | Yes
Multicast           | Yes              | No               | Yes                                       | No                   | Yes
Reliable            | No               | Yes              | Optional (with TCP)                       | Yes                  | Optional (with RTP, PGM)
In-order delivery   | No               | Yes              | Optional (with TCP)                       | No                   | Optional (with RTP, PGM)
Flow control        | No               | Yes              | Optional (with TCP)                       | No                   | No
Congestion control  | No               | Yes              | Optional (with TCP)                       | No                   | No (extension possible)

4. WAMS security challenges
In wide area monitoring, measurement values are transmitted from different geographical locations and often over existing infrastructures such as the public Internet. The communication has to be protected against attackers that try to discard, inject or modify measurement values, e.g., to influence control decisions.

4.1 Security objectives
Security aspects are extremely important if measurements are used for real-time grid supervision or as direct feedback in control loops. Any alteration of measurement data may trigger wrong control decisions and endanger grid operation. Most important is the integrity of the reported values, i.e., the assurance that nobody could have tampered with the measurement data, together with authentication of the source, since an injected value from an unknown sender is as dangerous as a modified one. The availability of measurement results is also important, because the feedback control loops depend on them. Confidentiality is less important. Nevertheless, eavesdropping on the message exchange between sensors and control centers allows attackers to gather information about device types, software versions and configurations. This information may be valuable for attack preparation. Therefore we also recommend encrypting the message exchange if it can be computationally afforded.

4.2 Security protocol choice
There are three main options to provide end-to-end security between devices in IPv4 and IPv6 networks.

Application layer security secures the data exchange of a specific application. Its drawback is that it is only available for that application and that each new application has to implement its own security measures. Application layer security is the responsibility of the application developers, so type and quality of the implementations may differ.

Transport Layer Security (TLS) provides a standard security protocol at the transport layer. It is widely used in the Internet today (e.g., HTTPS) and has been proposed to secure communication in advanced smart metering infrastructures [14]. TLS supports different cipher suites and provides a negotiation protocol for devices to agree on a common cipher suite. One downside of TLS is that it requires a reliable transport protocol, commonly TCP, for operation. DTLS, defined in RFC 6347 [15], implements the security mechanisms of TLS for unreliable transport protocols like UDP; note, however, that DTLS still protects a point-to-point association established by a bidirectional handshake, so it addresses neither multicast nor purely unidirectional sensors.

Network layer security is the alternative at the network layer. IPsec is a network layer security protocol that can secure the whole communication between two network nodes (hosts or routers). IPsec provides message authentication with the Authentication Header (AH), which covers integrity and origin authentication only, and encryption with the Encapsulating Security Payload (ESP), which can optionally carry an integrity check value as well. Like TLS, it offers different cipher suites, and the communication partners negotiate (via IKE) a scheme that both support. The major drawback of TLS compared to IPsec is that TLS requires a reliable transport layer protocol (usually TCP), which is not always possible for sensor communication (see Sect. 3). For WAMS communication we therefore consider IPsec the more applicable choice.

4.3 Resource consumption for security operations
Security always comes at a price. It requires resources on devices to perform cryptographic operations, and more bandwidth for the
establishment of security associations and for the security headers in messages. Simple and cheap sensors may not be able to provide sufficient resources for this. Since messages need to be processed before they can be sent (e.g., to encrypt them or to add integrity check values) and after being received (e.g., to decrypt them and verify message integrity), security operations also increase the end-to-end latency.

When evaluating the overhead of security operations, two distinct phases must be considered: first, security association establishment, and second, data encryption and decryption once a security association is in place between the communicating parties. Depending on the amount and frequency of sensor data generation, as well as on timing sensitivity, two main scenarios are applicable for secure client-server communication: (a) connection on request and (b) persistent connectivity. For rare events, e.g., daily or monthly billing reports, the establishment of secure connections on request (variant a) is the optimum solution. The requirement to store session state in servers limits the scalability and performance of communication infrastructures, as detailed in Sect. 3 in the discussion of SSTP. Therefore it is recommended to prefer on-request establishment of secure connections whenever tolerable from a timing and performance point of view. According to the authors of [16], the establishment of a security association can take up to 170 ms for IPsec (2048-bit RSA key, 1536-bit DH), up to 66 ms for SSL server authentication and up to 119 ms for SSL client authentication (DH, 2048-bit RSA key, 768-bit DH). However, the use of 1536-bit DH for SSL client authentication was reported to require more than 1.5 s (1648 ms).
These measurements make secure persistent connections (variant b) the only acceptable solution for system-critical requirements, which can go down to response times of less than 4 ms to 10 ms as demanded by IEEE 1646 [17] for system-critical messages. For instance, state prediction requires end-to-end delays of at most 20 ms, which is difficult to achieve because of transmission and propagation delays in WANs. Once a connection and security association has been established, the main metric is the per-packet delay penalty due to encryption and decryption. The results of an IPsec performance analysis in [18] (Table II and Fig. 3) show that for low-latency networks the IPsec overhead in ESP tunnel and transport mode, as well as the AH operation overhead, may be acceptable even for time-critical Smart Grid communication. For C37.118 data sizes (synchrophasor data, 10 or 20 fps, 48-byte or 96-byte payload) the paper reports an end-to-end delay of encrypted LAN traffic of 260–300 µs per packet, the penalty due to IPsec ESP encryption and decryption amounting to 50–100 µs. An important aspect is the selection of appropriate ciphers, which for larger packets, e.g., aggregated data sent by a PDC to the CC, becomes the main influencing factor. Using the 3DES cipher for encryption of 1500-byte payloads results, according to [18], in end-to-end delays of more than 1.1 ms, so that the security penalty of 750 µs is more than double the AES or Blowfish penalty of roughly 300 µs. Of these, only AES should be chosen for new deployments: 3DES and Blowfish are 64-bit block ciphers, and an AEAD mode such as AES-GCM provides encryption and the integrity check in a single pass over the packet. The authors of [19] have compared throughput and one-way end-to-end delay for IPsec transport and tunnel mode against TLS, reporting a lower average response time for IPsec (AES, 56 ms) than for the TLS-based OpenVPN (AES, 92 ms).

In addition there are latency effects due to in-path aggregation (scenarios C and D in Fig. 1). Wide area monitoring often includes aggregation points (e.g., PDCs) on the path. The PDCs receive sensor data from multiple PMUs and may rearrange, aggregate or re-sample the received values. As a consequence, integrity check values need to be re-calculated and messages need to be decrypted and encrypted again at those points. So instead of one secure end-to-end connection between PMU and control center we have to establish two secure connections: one from PMU to PDC and one from PDC to control center. This point-to-point security demands additional effort at the PDC and also causes additional delay due to the processing of messages. Furthermore, it introduces further potential entry points for attacks: a compromised PDC holds the keys of both hops and can alter data without any receiver noticing. In [11] it is proposed to use IP multicast instead of PDC stacking and to remove PDCs completely. Nevertheless, early aggregation also has advantages, such as data reduction, early assessment of data for immediate alarms, adjusting measurement results from sources with different sampling rates and accuracies, and the concealment of individual results from eavesdroppers.
Therefore we assume that PDCs will remain at least as optional elements in the WAMS infrastructure.

4.4 Secure group communication
Multicast functions allow an efficient distribution of data in a communication network and are very useful in wide area settings. If a sender wants to send a packet to multiple destinations, it simply uses a multicast address in the destination field. Interested receivers just subscribe to the multicast group in order to get the data. The packet is then duplicated in the network only as needed at junction points, so that identical packets do not travel on the same link and no unnecessary bandwidth is consumed. But group communication also adds complexity to the network. Multicast routing is needed to establish distribution trees from all senders to all members of the group. Dynamic group membership needs to be managed when nodes join or leave a multicast group. Furthermore, multicast adds significant security problems. Establishing security associations and key management for group communication is much more difficult than for unicast communication. Secure group communication is still an active field of research, and the requirements for WAMS are quite challenging. Multicast security solutions for WAMS should not introduce too much additional delay when sending and receiving data. Furthermore, one has to cope with resource constraints at sensors, so security protocols should not consume too much computational resources or memory. This makes it difficult to provide applicable solutions for WAMS. In accordance with RFC 3740 [20] we distinguish the following group communication security services:
− Data Confidentiality: ensures that data is not disclosed to unauthorized entities. This is typically accomplished by encryption.
− Source Authentication: ensures that the data originated at a specific source. This can be accomplished by using a digital signature.
− Data Integrity: ensures that the original data that was sent has not been modified. A digital signature also protects the data from tampering, because an attacker cannot generate a valid signature for the modified data. So if a digital signature is used, both source authentication and data integrity are provided.
− Multicast Group Authentication: ensures that the data originated from one of the group members. This is typically done with a message authentication code under a key shared by the whole group and is therefore much cheaper than a signature, but it provides a weaker security level than source authentication: every holder of the group key can produce a valid tag, so if not all group members are trusted it can provide neither source authentication nor data integrity.
− Multicast Group Membership Management: describes the process of enforcing security when group members join or leave a group, e.g., checking whether a member is allowed to join and providing new members with keys. It may also include re-keying when group members leave, to ensure that they can no longer participate in the secure communication.
− Multicast Key Management: is needed to distribute keys to group members and to update keys when necessary.
− Multicast Policy Management: ensures that group members have the same security policies, e.g., regarding membership and key management.
For WAMS communication mainly source authentication and data integrity are important. Data confidentiality may be desired but is of less importance. Source authentication and multicast key management are not trivial. There are different proposals for multicast security in WAMS communication, but we still lack a general overall solution. Using digital signatures for sender authentication requires high computational overhead, so it may be difficult to provide a signature for every message sent by a PMU or PDC.
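The gap between group authentication and source authentication, and why hash-based multiple-time signatures are attractive for a PMU that cannot afford a public-key operation per frame, shown in a Python example added here (it is not code from the paper, from RFC 3740, or from the HORS/TV-HORS authors): a shared group key lets any subscriber forge a tag that every other subscriber accepts, whereas a HORS few-time signature (the basic construction that TV-HORS extends with hash chains and time validity) lets the PMU sign with one hash and a few table llookups while a subscriber that has only seen earlier signatures cannot forge. The parameters t = 256 and k = 16 are chosen so that each digest byte is one index; real schemes use larger t. The group key, the HORS key pair and the measurement strings are all constructed for the example, and the function names are the example's own.

```python
import hashlib
import hmac
import secrets

# HORS parameters (assumption for this example): t preimages in the private key, k of
# them revealed per signature. t = 256 lets each SHA-256 digest byte pick one index.
T, K = 256, 16


def hors_keygen():
    """Private key: t random preimages. Public key: their hashes, which every subscriber
    must obtain authentically (e.g. from the KDC); that step is out of scope here."""
    sk = [secrets.token_bytes(16) for _ in range(T)]
    pk = [hashlib.sha256(s).digest() for s in sk]
    return sk, pk


def hors_indices(msg: bytes) -> list:
    """One hash of the message, split into k indices into [0, t)."""
    return list(hashlib.sha256(msg).digest()[:K])


def hors_sign(sk: list, msg: bytes) -> list:
    """Signing costs one hash and k lookups: the revealed preimages are the signature."""
    return [sk[i] for i in hors_indices(msg)]


def hors_verify(pk: list, msg: bytes, sig: list) -> bool:
    """Verification costs k + 1 hashes; no public-key arithmetic on either side."""
    idx = hors_indices(msg)
    return len(sig) == K and all(hashlib.sha256(s).digest() == pk[i] for i, s in zip(idx, sig))


def group_tag(group_key: bytes, msg: bytes) -> bytes:
    """Group authentication: HMAC under a key that every group member holds."""
    return hmac.new(group_key, msg, "sha256").digest()


def group_verify(group_key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(group_tag(group_key, msg), tag)


def rogue_member_forgery(group_key: bytes, pk: list, observed: list, forged_msg: bytes) -> dict:
    """A subscriber that holds the group key and captured the (msg, sig) pairs in
    'observed' tries to get a forged measurement accepted under both mechanisms."""
    revealed = {}
    for msg, sig in observed:
        revealed.update(zip(hors_indices(msg), sig))  # index -> preimage learned so far
    need = hors_indices(forged_msg)
    # A HORS forgery needs preimages for all k indices of the forged message; with one
    # observed signature at most 16 of 256 are known, so this fails except with
    # negligible probability. Reusing one key for many signatures erodes that margin,
    # which is why HORS-type keys are rotated (the "multiple-time" in the name).
    hors_sig = [revealed[i] for i in need] if all(i in revealed for i in need) else None
    return {
        "group_tag_accepted": group_verify(group_key, forged_msg, group_tag(group_key, forged_msg)),
        "hors_forgery_accepted": hors_sig is not None and hors_verify(pk, forged_msg, hors_sig),
        "preimages_known": len(revealed),
    }


def demo() -> dict:
    group_key = secrets.token_bytes(32)              # constructed key shared by PMU and all CCs
    sk, pk = hors_keygen()
    genuine = b"IDCODE=7 SOC=1393200000 V=13000+0j"  # constructed measurement report
    sig = hors_sign(sk, genuine)
    forged = b"IDCODE=7 SOC=1393200000 V=6500+0j"    # the rogue subscriber halves the magnitude
    result = rogue_member_forgery(group_key, pk, [(genuine, sig)], forged)
    result["genuine_accepted"] = hors_verify(pk, genuine, sig)
    return result


if __name__ == "__main__":
    print(demo())
```

The cost asymmetry is the point: the PMU pays one SHA-256 per frame plus the bandwidth for k preimages, and the control center pays k + 1 hashes, so the scheme fits the unidirectional, multicast, resource-constrained pattern of Sect. 3 where RSA signatures do not; what it adds on top of a plain group key is the authenticated distribution of the public keys and their timely replacement.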
IEC 61850-90-5 describes the use of group communication with IP or Ethernet multicast functions to transmit sensor data from PMUs (or PDCs) to multiple destinations. The document proposes to use a key distribution center (KDC) and the Group Domain of Interpretation (GDOI). IEC 61850-90-5 still refers to RFC 3547 [21], but that RFC was replaced in 2011 by RFC 6407 [9]. GDOI provides group key management and the management of IPsec group security associations for the group key management architecture described in RFC 4046 [22]. In this model group members register with a Group Controller/Key Server (GCKS). After mutual authentication between GCKS and group member, the GCKS sends the group security policy and keying material to the group member. GDOI still uses the Internet Security Association and Key Management Protocol (ISAKMP) [23]. ISAKMP is a quite complex protocol with many options and eight different initial message exchanges. It has been superseded by IKEv2 [24] to simplify and clarify usage, to prevent potential security flaws that originate from high complexity, and to reduce delays by exchanging fewer messages. Nevertheless, RFC 6407 still builds on ISAKMP in order to provide a more general framework and to be able to use alternatives to IPsec, so the problems with ISAKMP remain (an IKEv2-based group key management protocol existed only as an Internet-Draft at the time of writing). Note also that GDOI hands the same traffic keys to every group member, so taken alone it yields group authentication in the sense of Sect. 4.4, not source authentication. Furthermore, the problem of computational resources for sender authentication is not further addressed in IEC 61850-90-5.

Approaches for resource-efficient sender authentication for multicast streams have recently been compared in [25]. The authors propose to use multiple-time signature schemes and compare four different approaches. They conclude that TV-HORS [26] currently provides the most computationally efficient solution. In [27] it is shown how TV-HORS can be used in a Key Management Scheme for Wide-Area Measurement Systems (WAKE) for multicast sender authentication. These approaches look quite promising, but further investigation is needed to provide a general solution.

4.5 Clock synchronization
Monitoring and operation of the Smart Grid depend on highly accurate time synchronization with Coordinated Universal Time (UTC). According to IEEE standard C37.118.2, phasor measurement units (PMUs) must support reporting rates of 10–50 frames/s for 50 Hz systems and 10–60 frames/s for 60 Hz systems. Sampling must be synchronous with global time, starting at the second rollover. To meet the accuracy requirements of IEEE C37.118.1, the timing accuracy of PMUs must be better than ±26 µs for a 60 Hz system and better than ±31 µs for a 50 Hz system. Section 9.8 of Technical Report IEC 61850-90-5 tightens these requirements, recommending an expected time accuracy of 1 µs and requiring an accuracy of 5 µs or better for typical systems. The documents do not mandate specific time synchronization technologies, allowing any time source that satisfies the requirements in terms of accuracy and reliability. IEEE C37.118.2 explicitly mentions the Global Positioning System (GPS) as a potential time source, which offers a synchronization accuracy of ±0.5 µs. Other sources that can satisfy the accuracy requirements for Smart Grids include the Precision Time Protocol (PTP, IEEE 1588) and the Network Time Protocol (NTP). Considering the potentially catastrophic consequences of faulty time information in PMUs, secure and reliable acquisition of accurate time information is a mandatory requirement for safeguarding Smart Grid operation. All three technologies have specific benefits and drawbacks, which are discussed in the following.

GPS time sources using the pulse-per-second (PPS) signal can be hard-wired to PMUs, eliminating secure time distribution and communication channels as sources of uncertainty or failure. GPS requires antennas with visibility of GPS satellites.
This is difficult if time servers are located in server rooms in the basement or without windows. Placing antennas on the roof-top requires long cables that introduce additional delays. Furthermore, GPS functionality depends on the availability of GPS satellite signals, which can be compromised by attackers or may be turned off for political or economical reasons for specific geographical areas. Even if this scenario is theoretically possible, its likelihood can be considered as low compared to the probability of IP-based intrusion or denial of service attempts. PTP is a time synchronization protocol targeting mainly accurate time synchronization in Ethernet networks. In LANs PTP can achieve synchronization accuracy down to sub-µs levels at the cost of requiring a trusted infrastructure, including links and intermediate nodes. By default PTP uses unencrypted messaging and a hop-by-hop architecture. This makes PTP susceptible to impairments or attacks by intermediate nodes or networks, in particular in the case of nontrusted systems in WANs. A detailed security discussion on PTP can be found in [28]. The authors of [29] propose to use IPsec for securing PTP messaging, which eliminates possible tampering by intermediate nodes. Delay measurement results presented in the publication point out that end-to-end delay increases by up to 102 µs for receive and lower than 2 µs for transmit operations, adding 2–3 µs jitter at the receiver side. As long as the fixed delay overhead caused by IPsec can be compensated, PTP could be an option for accurate time synchronization in Smart Grids. The feasibility of PTP based synchronization depends also on the specific infrastructure and use case, some of the drawbacks summarized in [28] being potentially prohibitive. The Network Time Protocol (NTP), which has been standardized by the IETF as RFC5905, is commonly used to synchronize Internet
hosts against UTC time at sub-second accuracy. NTP's end-to-end concept and its support for symmetric and public-key cryptography can provide a high level of security. However, because of the cryptographic overhead, most NTP servers use plain messaging, which makes the communication susceptible to man-in-the-middle attacks. To the best of our knowledge, no NTP performance measurements over IPsec have been published so far. Our own measurements, obtained while optimizing methodologies for accurate one-way delay measurements [30], indicate that NTP servers are likely not to meet the Smart Grid requirement of 1 µs accuracy to UTC. Tests on Linux hosts with GPS PPS-capable receivers attached via a serial cable resulted in a local host NTP time accuracy of ±5–20 µs to UTC using the Linux pps kernel driver. Considering this to be an optimum deployment scenario (a stratum 1 NTP server with an attached hardware time source), remote NTP servers will likely exhibit lower accuracy. In particular, IPsec in tunnel or transport mode and NTP's cryptographic features are additional uncertainty sources that can further impair time accuracy.

Summarizing the discussion on clock synchronization, it must be stressed that the availability of reliable and highly accurate time sources is fundamental to the correct operation of the Smart Grid. Hardware time sources such as GPS/PPS receivers wired directly to Smart Grid devices like PMUs can be recommended because they are less accessible to attackers.

5. Conclusion

We reviewed recent communication approaches for Wide Area Monitoring Systems (WAMS) and pointed out future challenges for WAMS security. Major difficulties for WAMS end-to-end security arise from the need to keep latencies low and to reduce the computational complexity of security operations at PMUs and PDCs. PMUs and PDCs need persistent connectivity to stream measurement results to receiving applications. For unicast communication, established solutions based on IPsec or TLS can be used, but depending on the ciphers in use, these operations can add latencies in the range of 250–700 µs. The situation gets worse if further latencies are introduced by aggregation points (PDCs) in the path that need to recalculate integrity checks or decrypt and re-encrypt messages.

Further problems arise from the need to support secure multicast communication. Efficient solutions for secure group communication are still an active field of research, and further work is needed to provide secure and efficient IP-multicast-based communication solutions that fit future WAMS communication needs.

A third field that needs to be addressed is secure clock synchronization protocols. Given the challenging requirement of a time source accuracy of 1–5 µs to UTC, wired hardware clocks such as GPS/PPS receivers seem to be the solution of choice. Existing clock synchronization protocols are either not secure (PTP) or do not perform well at the required accuracy (NTP). Adding security to these protocols leads to unacceptable latencies, which raises the need for novel secure and highly accurate clock synchronization protocols.

Of the proposed WAMS communication protocols, we consider UDP-based communication with the option of IP multicast, as described in IEC 61850-90-5, the most promising. Nevertheless, the security concepts described in IEC 61850-90-5 are far from mature. Security measures should be upgraded to the latest group communication security standards, e.g. RFC6407 [9] and IKEv2, even if this reduces generality and demands the use of IPsec. Furthermore, recent developments in the provisioning of integrity and source authentication in resource-constrained environments (e.g. TV-HORS [26], WAKE [27]) should be included in future WAMS communication standards.
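The following example is added by the editor and is not code from the paper or from any standard; it works through two points of Section 4.5 that the conclusion restates: where the ±26 µs (60 Hz) and ±31 µs (50 Hz) PMU timing bounds come from, and why the asymmetric IPsec overhead measured in [29] (about 102 µs on receive, under 2 µs on transmit) must be compensated before PTP can meet the 1–5 µs requirement of IEC TR 61850-90-5. It assumes the 1 % total vector error (TVE) limit of IEEE C37.118.1, which the paper quotes only through the derived bounds, and the IEEE 1588 delay request-response offset formula; all timestamps and link delays are constructed sample values.

```python
"""Clock-accuracy checks for synchrophasor telemetry.

Editor-added example, not code from the paper or from any standard. It
assumes (a) the 1 % total vector error (TVE) limit of IEEE C37.118.1, from
which the paper's +/-26 us (60 Hz) and +/-31 us (50 Hz) figures derive, and
(b) the IEEE 1588 delay request-response offset formula. Sample timestamps
and delay values below are constructed for illustration.
"""
import math
from dataclasses import dataclass

TVE_LIMIT = 0.01          # 1 % TVE steady-state limit (assumed from C37.118.1)
IEC_90_5_LIMIT_US = 5.0   # accuracy required by IEC TR 61850-90-5 (Section 4.5)
IEC_90_5_EXPECTED_US = 1.0  # accuracy expected by IEC TR 61850-90-5


def time_error_budget_us(nominal_hz: float, tve: float = TVE_LIMIT) -> float:
    """Largest clock error (us) that on its own stays within the TVE limit.

    A timing error dt rotates the measured phasor by phi = 2*pi*f*dt; the
    resulting TVE is |exp(j*phi) - 1| = 2*sin(phi/2). Solving for dt gives
    roughly 26.5 us at 60 Hz and 31.8 us at 50 Hz.
    """
    phi = 2.0 * math.asin(tve / 2.0)
    return phi / (2.0 * math.pi * nominal_hz) * 1e6


def tve_of_time_error(dt_us: float, nominal_hz: float) -> float:
    """TVE caused by a pure timing error of dt_us microseconds."""
    return abs(2.0 * math.sin(math.pi * nominal_hz * dt_us * 1e-6))


def check_clock(offset_error_us: float, nominal_hz: float) -> dict:
    """Compare a clock's error to UTC against both accuracy requirements."""
    err = abs(offset_error_us)
    return {
        "c37_118_1_ok": err <= time_error_budget_us(nominal_hz),
        "iec_90_5_required_ok": err <= IEC_90_5_LIMIT_US,
        "iec_90_5_expected_ok": err <= IEC_90_5_EXPECTED_US,
    }


@dataclass(frozen=True)
class PtpExchange:
    """Timestamps (ns) of one IEEE 1588 delay request-response round."""
    t1: int  # Sync sent, master clock
    t2: int  # Sync received, slave clock
    t3: int  # Delay_Req sent, slave clock
    t4: int  # Delay_Req received, master clock


def ptp_offset_ns(ex: PtpExchange, delay_asymmetry_ns: int = 0) -> float:
    """Offset of the slave clock from the master.

    IEEE 1588 assumes a symmetric path. A fixed asymmetry (master->slave
    delay minus slave->master delay), such as the per-direction IPsec
    overhead reported in [29], shows up as half its value in the raw
    result and must be supplied as a correction to remove it.
    """
    raw = ((ex.t2 - ex.t1) - (ex.t4 - ex.t3)) / 2.0
    return raw - delay_asymmetry_ns / 2.0


def simulate_exchange(true_offset_ns: int, d_ms_ns: int, d_sm_ns: int) -> PtpExchange:
    """Construct one exchange for a slave that is true_offset_ns ahead of the
    master, with one-way delays d_ms (master->slave) and d_sm (slave->master)."""
    t1 = 0
    t2 = t1 + d_ms_ns + true_offset_ns
    t3 = t2 + 1_000_000                   # slave answers 1 ms later
    t4 = t3 + d_sm_ns - true_offset_ns
    return PtpExchange(t1, t2, t3, t4)


def ipsec_ptp_demo(nominal_hz: float = 60.0) -> dict:
    """Constructed scenario: 50 us symmetric link delay plus the IPsec overhead
    figures quoted from [29] (102 us on receive, 2 us on transmit) at the slave."""
    base, true_offset = 50_000, 3_000
    ex = simulate_exchange(true_offset, d_ms_ns=base + 102_000, d_sm_ns=base + 2_000)
    raw_err_us = (ptp_offset_ns(ex) - true_offset) / 1e3
    corr_err_us = (ptp_offset_ns(ex, delay_asymmetry_ns=102_000 - 2_000) - true_offset) / 1e3
    return {
        "raw_error_us": raw_err_us,
        "corrected_error_us": corr_err_us,
        "raw_ok": check_clock(raw_err_us, nominal_hz),
        "corrected_ok": check_clock(corr_err_us, nominal_hz),
    }


if __name__ == "__main__":
    for f in (50.0, 60.0):
        print(f"{f:.0f} Hz: TVE time budget {time_error_budget_us(f):.1f} us")
    print("GPS/PPS +/-0.5 us:", check_clock(0.5, 50.0))
    print("NTP +/-20 us:     ", check_clock(20.0, 50.0))
    print("PTP over IPsec:   ", ipsec_ptp_demo())
```

Run stand-alone, the script reproduces the paper's ranking: a hard-wired GPS/PPS source at ±0.5 µs satisfies every bound, the ±5–20 µs measured for a stratum 1 NTP host stays within the C37.118.1 TVE budget but misses the 1–5 µs IEC figures, and PTP over IPsec misses all three unless the roughly 100 µs receive/transmit asymmetry is entered as a fixed correction, after which the computed offset is exact.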
References

1. IEC (2012): IEC TR 61850-90-5: Communication networks and systems for power utility automation—Part 90-5: Use of IEC 61850 to transmit synchrophasor information according to IEEE C37.118, May 2012.
2. Zseby, T. (2012): Is IPv6 ready for the Smart Grid? In CyberSecurity 2012, international conference on cyber security, Washington D.C., USA (pp. 157–164).
3. Farinacci, D., Lin, S., Luby, M., Edmonstone, R., Gemmell, J., Rizzo, L. (2001): RFC3208: PGM reliable transport protocol specification, Dec-2001.
4. Stewart, R. (2007): RFC4960: stream control transmission protocol, Sep-2007.
5. Floyd, S., Handley, M., Kohler, E. (2006): RFC4340: datagram congestion control protocol (DCCP), Mar-2006.
6. IEEE Standard for Synchrophasor Measurements for Power Systems (2011): IEEE Std C37.118.1-2011 (Revision of IEEE Std C37.118-2005) (pp. 1–61).
7. IEC (2002–2005): IEC 61850 communication networks and systems in substation automation.
8. Martin, K. E. (2011): Synchrophasor standards development—IEEE C37.118 & IEC 61850. In 2011 44th Hawaii international conference on system sciences (HICSS) (pp. 1–8).
9. Hardjono, T., Weis, B., Rowles, S. (2011): RFC6407: the group domain of interpretation, Oct-2011.
10. IEC (2007): IEC/TS 62351-6: power system management and associated information exchange—data and communications security—Part 6: Security for IEC 61850 profiles.
11. Cisco Whitepaper (2012): PMU networking with IP multicast.
12. Jacobson, V., Frederick, R., Casner, S., Schulzrinne, H. (2003): RFC3550: RTP: a transport protocol for real-time applications, Jul-2003.
13. Budka, K. C., Deshpande, J. G., Thottan, M. (2014): Smart Grid data management. In Communication networks for Smart Grids (pp. 265–284). London: Springer.
14. German Federal Office for Information Security (2013): Protection profile for the gateway of a smart metering system, v1.2, 18-Mar-2013.
15. Rescorla, E., Modadugu, N. (2012): RFC6347: datagram transport layer security version 1.2. IETF, Jan-2012.
16. Alshamsi, A., Saito, T. (2005): A technical comparison of IPSec and SSL. In 19th international conference on advanced information networking and applications, 2005. AINA 2005 (Vol. 2, pp. 395–398).
17. IEEE standard communication delivery time performance requirements for electric power substation automation (2005): IEEE Std 1646-2004 (pp. 1–24).
18. Weerathunga, P. E., Samarabandu, J., Sidhu, T. (2012): Implementation of IPSec in substation gateways. Presented at the 2012 IEEE 6th International Conference on Information and Automation for Sustainability (ICIAfS) (pp. 327–331).
19. Kotuliak, I., Rybar, P., Truchly, P. (2011): Performance comparison of IPsec and TLS based VPN technologies. Presented at the 2011 9th International Conference on Emerging eLearning Technologies and Applications (ICETA) (pp. 217–221).
20. Hardjono, T., Weis, B. (2004): RFC3740: the multicast group security architecture, Mar-2004.
21. Hardjono, T., Weis, B., Baugher, M. (2003): RFC3547 (obsoleted): the group domain of interpretation, Jul-2003.
22. Dondeti, L. R., Lindholm, F., Baugher, M. (2005): RFC4046: Multicast Security (MSEC) group key management architecture, Apr-2005.
23. Maughan, D., Schneider, M. (1998): RFC2408 (obsoleted): Internet Security Association and Key Management Protocol (ISAKMP), Nov-1998.
24. Eronen, P., Kaufman, C., Nir, Y., Hoffman, P. (2010): RFC5996: Internet Key Exchange protocol version 2 (IKEv2), Sep-2010.
25. Law, Y. W., Gong, Z., Luo, T., Marusic, S., Palaniswami, M. (2013): Comparative study of multicast authentication schemes with application to wide-area measurement system. In Proceedings of the 8th ACM SIGSAC symposium on information, computer and communications security, New York, NY, USA (pp. 287–298).
26. Wang, Q., Khurana, H., Huang, Y., Nahrstedt, K. (2009): Time valid one-time signature for time-critical multicast data authentication. In IEEE INFOCOM 2009 (pp. 1233–1241).
27. Law, Y. W., Palaniswami, M., Kounga, G., Lo, A. (2013): WAKE: key management scheme for wide-area measurement systems in smart grid. IEEE Commun. Mag., 51(1), 34–41.
28. Mizrahi, T. (2011): Time synchronization security using IPsec and MACsec. Presented at the 2011 International IEEE Symposium on Precision Clock Synchronization for Measurement Control and Communication (ISPCS) (pp. 38–43).
29. Treytl, A., Hirschler, B. (2010): Securing IEEE 1588 by IPsec tunnels—an analysis. Presented at the 2010 International IEEE Symposium on Precision Clock Synchronization for Measurement Control and Communication (ISPCS) (pp. 83–90).
30. Fabini, J., Abmayer, M. (2013): Delay measurement methodology revisited: time-slotted randomness cancellation. IEEE Trans. Instrum. Meas., 62(10), 2839–2848.
Authors

Tanja Zseby received her Dipl.-Ing. degree in electrical engineering and her Dr.-Ing. degree from the University of Technology Berlin, Germany. She worked as a scientist at the Fraunhofer Institute for Open Communication Systems (FOKUS) in Berlin, where she later became head of the Competence Center for Network Research (CC NET). From September 2011 to February 2013 she was a visiting scientist at the San Diego Supercomputer Center at the University of California, San Diego, USA (UCSD). Since March 2013 she has been professor of communication networks at the Faculty of Electrical Engineering and Information Technology at Vienna University of Technology, Austria.
Joachim Fabini holds a diploma degree (Dipl.-Ing., 1997) in Technical Computer Sciences and a Ph.D. (Dr. techn., 2008) in Electrical Engineering, both from Vienna University of Technology, Austria. After five years of R&D in the telecommunications industry he joined the Institute of Telecommunications (formerly Institute of Broadband Communications) at the Vienna University of Technology in 2003, where he teaches courses on communication networks and leads applied research projects. Since 2013 he has been Senior Scientist with the Communication Networks group at the Institute of Telecommunications. His main research interests include measurement methodologies and metrics in packet-switched networks, machine-type communications and the smart grid, handover in heterogeneous access networks, Location Based Services and NGN architectures.