Smart Power Grids Security: Smart Meters and Home Gateway Scenarios

Alessandro Barenghi, Luca Breveglieri, Mariagrazia Fugini, Gerardo Pelosi
Politecnico di Milano, Dipartimento di Elettronica e Informazione, piazza L. da Vinci 32, 20133 Milano, Italy
{bareng,brevegli,fugini,pelosi}@elet.polimi.it

Abstract. This paper gives an overview of the security issues regarding power grids. It is targeted at use case scenarios, namely smart metering and the home gateway, for applications like electric cars and home multimedia content distribution over the power grid. The scenarios are described, the architectural model of the smart power grid is described at a high level, the actors and data types are identified, and the main security threats are described. The paper gives the relevant services that each actor should operate, to be then detailed in a full-fledged service system supporting secure power grid management.

Keywords: smart meters, internet over power grids, trusted architectures, System on Chip (SoC) security, final consumer's privacy, power providers

1 Introduction

The concept of a smart power grid is to use innovative ICT to control appliances in consumers' homes in order to save energy, reduce cost and increase reliability and transparency. To achieve these goals, the usual electricity distribution must be complemented by an intelligent monitoring and information system that keeps track of all electricity flowing in the system. The smart grid will therefore use automated meters, offering two-way communication and advanced sensors, to improve electricity efficiency and reliability.

This paper presents the scenarios and architecture being defined in the ENIAC JU project TOISE (Trusted Computing for European Embedded Systems) [1] to experiment with a set of secure and tamper-resistant solutions for embedded applications related to power grids. TOISE defines, develops and validates trusted hardware and firmware mechanisms applicable to lightweight embedded devices, and in particular to the secure smart metering systems used in the smart energy grid.

Smart meters are under threat from several sides, for instance the customers themselves, organized crime or even terrorist organizations. The main vulnerabilities of smart meters, apart from classic tampering, are the communication interfaces, which offer a large attack surface for remote attacks. Smart meters will most likely also not have fixed functionality: through upgradeable firmware, new functionality can be added. The devices will be able not only to passively monitor and measure energy consumption, but also to actively influence it, e.g. by deciding when certain devices are turned on or off (for example the washing machine) or on which setting they operate (for example the air conditioning). With the introduction of all these new aspects, there will most likely be entirely new threats to the system and its participants.

To be confident that a smart meter is functioning properly at all times, there needs to be a trusted component in (absolute) control of the meter device, placed at the core of the system. Since any kind of trusted computing is based on the authentic and integral reporting of a device's configuration, a major ingredient is the strong and secure authentication of devices and peripherals, whilst maintaining high performance with minimal consumption of resources. NXP Germany explored the options for lightweight and fast authentication and communication protocols, ranging from classical authentication schemes using public key cryptography (such as RSA and ECC) to non-standard solutions such as coupon-based authentication and similar. In order to resist side-channel analysis and fault injection attacks, innovative lightweight countermeasures will be needed that keep the resource consumption low and minimize the impact on the performance of the authentication and communication processes [2,3].

Much work is currently being done in the field of standardization [4-7]. Many different standardization activities in the field of smart grid, smart metering and power line communication are ongoing [8]. The problem of smart grid security is quite complex, with several involved actors. Recently, privacy (end-customer privacy) has been acknowledged as a topic in its own right rather than as a subsection of smart grid security. As a starting point, in TOISE we made an overview of the different activities in order to select where we should concentrate our effort, and analyzed the following standards: for power line, HomePlug, IEEE and PRIME; ZigBee and the ZigBee Smart Energy Profile (SEP); the EU activities; DLMS/COSEM; and the standards from NIST. Standards at the connectivity level, such as HomePlug, give a basic treatment of security: they define packet encryption algorithms and, in some cases, device authentication for the specific application scenario. At the application level, due to the limitations of ZigBee, the ZigBee Alliance is working on a new profile, known as Smart Energy Profile 2.0, which directly targets application needs, introducing node authentication via public keys and certificates.

The paper presents the basic TOISE scenarios and the security issues to be explored for applications such as electric cars and multimedia content delivery via power line Internet.

2 Scenarios of use of Power Grids

Two basic scenarios have been selected in TOISE: smart metering and home gateway.

Smart Metering Use Case. The main task of the smart meter is to measure the power consumption of the Final Consumer (FC) and report the related data to the Distribution Service Operator (DSO), also called Energy Service Provider (ESP), for billing. This task can be executed via a direct report of the billing amount or via a report of the power consumption as a function of time. Other tasks requested from a smart meter are: i) reporting technical data to improve management and efficiency of the power grid; ii) additional features of the meter, such as routing of data coming from other meters (e.g., gas or water meters) or data exchange for the management of home appliances.

Home Gateway Use Case. For this use case, we currently have two sub-scenarios. The first is simple Ethernet bridging (or bridging of another communication medium), where security is defined by a standard (for instance the HomePlug standard) and the device is responsible only for the PHY and MAC layers of the network stack. The second sub-scenario regards a home gateway exposing a certain level of services (like a NAS or another type of file server), and thus implementing security services at the application level.

3 Architectural reference

The illustrated scenarios are based on the following technologies. A power line connection distributes electric power and data together, using the existing electric power grid. It is characterized by a higher reliability than recent wireless communication technologies (WiFi and cellular protocols) and than the traditional wired ones (e.g., the phone line). It connects a group of power meters, e.g. those located in one or a few building blocks, to a concentrator. A wireless connection (based on ZigBee) is employed for local communication among nearby meters (e.g. those located in a home or a building) that measure non-electric resources like gas, water, heat, etc. For all these meters, the electric power meter works as a gateway to the power line connection. Concentrators, connected both to the power grid and to an IP-based network (e.g. the global Internet), relay data into and from the power lines.

The overall system architecture is depicted in Fig. 1. Utility Companies or Providers manage energy production and acquire metering data from the power grid network. The Access Points and Bridges, or Concentrators, are the level of the power Distributors. At the Consumers level, meters are located at individual users (homes or enterprises). Fig. 1 is a general model: meters of different types can communicate with one another via a wireless connection; the electric power meter can communicate with the concentrator via the power line connection; the concentrator can communicate with the provider via a data network. Groups of distributors and providers can work in a Virtual Organization mode (e.g. they may share customers). The Application Servers run the various services involved in each scenario.

The home gateway SoC is the selected technology providing substantially increased performance and features over the smart meter, at a correspondingly higher price point. The home gateway SoC should be able to execute substantial amounts of computation in order to deal with the non-trivial network traffic required by the digital content streaming capabilities.

[Fig. 1 Power Grid system architecture. Layers, top to bottom: Providers; Access Points + Bridges = Concentrators (the Distributors level); Consumers.]

4 Security issues in Power Grids

In Table 1 we show the actors and the related assets, namely the elements of the power grid involved in the use case management and security. For each asset, one or more threats and the risk that each threat brings about are indicated. We also show the security requirements and the security tools used to fulfil such requirements. Table 1 reflects our method for analyzing the security of a smart grid, which consists of two steps, where elements and security are considered from different viewpoints. In the first step, security analysis consists in verifying that the tools listed in Table 1 are correctly used. For instance, when the smart meter sends a message containing the power consumption to the DSO, the message should be protected so as to avoid risks such as economic loss, fraud or user profiling. In this step the meter is considered as a black box, and the robustness of the implementation of the security mechanisms is out of scope. The second step focuses on the class of attacks targeted at the chip level. This is the case, for instance, when the integrity of the meter is under investigation: the attacker tries to gain access to the meter and thus materializes the risk of meter misuse, with consequent fraud and economic loss. In what follows, we describe to what extent we plan to develop the security analysis for the two steps.

Table 1 From Actors/Assets to Security Tools in Smart Metering

| Actors    | Assets                                    | Threats                                                                                                                                                          | Risks                                                     | Security Requirements                    | Security Tools                                                                                                                  |
|-----------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|
| ESP / DSO | grid technical data                       | eavesdropping and forgery of grid management data and commands                                                                                                   | grid fault or misuse                                      | confidentiality, integrity, authenticity | symmetric crypto, hash, MAC etc.; asymmetric crypto (PKI)                                                                       |
| ESP / DSO | customer(s) consumption (aggregated) data | eavesdropping and forgery of consumption and billing data of the final customer(s)                                                                               | economic loss or fraud; user(s) profiling                 | confidentiality, integrity, authenticity | symmetric crypto, hash, MAC etc.; asymmetric crypto (PKI)                                                                       |
| FC        | privacy                                   | eavesdropping of consumption and billing data of the final customer                                                                                              | user privacy violation; user behavior tracing             | confidentiality, integrity               | symmetric crypto, hash, MAC etc.                                                                                                |
| Meter     | integrity                                 | tampering with the metering function => modification of reported power consumption; recovery of encryption keys through Side-Channel Analysis (SCA) => data forgery | meter misuse: economic loss or fraud; power loss or fraud | resistance to attacks                    | robust meter design (enclosure level); secure crypto implementations with robustness against SCA properly assessed (methodology) |

Given these premises, security analysis is performed at two levels:
1. information and communication level;
2. digital device (smart meter chip) level.

Security Analysis at the information and communication level. The goal is to verify that confidentiality, integrity and authenticity of data are provided. The device is seen as an input/output system: the attacker cannot gain physical access to the device, but can gain physical access to the communication medium (mainly the power line). The analysis has to check whether the exchanged packets comply with the chosen security protocol/standard. It is also necessary to check that incoming messages with invalid signatures (or message authentication codes) are properly managed: their contents must be discarded and, if requested, a log must be kept in the device or the (possibly) malicious message must be reported to the DSO/ESP. However, the above points are not the central focus of TOISE. Currently, various working groups at the European level and different consortia are working in this field (EU Smart Grid Task Force, Mandate M/490, PRIME, DLMS/COSEM, ZigBee SEP 2.0 and different national initiatives). Full compliance of the smart meter with a given standard will not be implemented; a simplified use case of power line communication with a representative mix of encryption algorithms will be conducted.
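The handling of invalid message authentication codes described above can be made concrete with the following Python sketch. It is an added example, not code from the paper or from the TOISE project: it defines a hypothetical meter report format (a fixed-width header authenticated with HMAC-SHA256 under a per-meter key) and the concentrator/DSO-side receiver that discards forged, replayed and unknown-origin reports while logging each rejection as an alert. The message layout, the meter identifiers and the keys are assumptions made for the example; a deployed meter would use the algorithms and key provisioning mandated by its protocol standard and would also encrypt the payload, since a MAC alone provides integrity and authenticity but no confidentiality.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed per-meter keys shared with the DSO/ESP head end (an assumption of the
# example; in a deployment they are provisioned into the meter's secure element).
METER_KEYS = {"MTR-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}

# Hypothetical report layout: 8-byte meter id, 32-bit sequence counter,
# 64-bit cumulative Wh reading, followed by a 32-byte HMAC-SHA256 tag over the header.
HEADER_FMT = ">8sIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes
TAG_LEN = 32


def build_report(meter_id: str, seq: int, wh: int, key: bytes) -> bytes:
    """Meter side: serialize the reading and append its MAC."""
    header = struct.pack(HEADER_FMT, meter_id.encode().ljust(8, b"\0"), seq, wh)
    return header + hmac.new(key, header, hashlib.sha256).digest()


@dataclass
class HeadEnd:
    """Concentrator/DSO side: verifies MACs, rejects replays, logs every rejection."""
    last_seq: dict = field(default_factory=dict)
    accepted: list = field(default_factory=list)   # (meter_id, seq, wh)
    alerts: list = field(default_factory=list)     # (reason, meter_id or None)

    def receive(self, msg: bytes) -> bool:
        if len(msg) != HEADER_LEN + TAG_LEN:
            self.alerts.append(("malformed", None))
            return False
        header, tag = msg[:HEADER_LEN], msg[HEADER_LEN:]
        raw_id, seq, wh = struct.unpack(HEADER_FMT, header)
        meter_id = raw_id.rstrip(b"\0").decode(errors="replace")
        key = METER_KEYS.get(meter_id)
        if key is None:
            self.alerts.append(("unknown_meter", meter_id))
            return False
        expected = hmac.new(key, header, hashlib.sha256).digest()
        # Constant-time comparison: a byte-by-byte early exit would leak how many
        # tag bytes an attacker on the line has already guessed correctly.
        if not hmac.compare_digest(tag, expected):
            self.alerts.append(("bad_mac", meter_id))
            return False
        # A valid MAC does not stop an eavesdropper from re-sending an old genuine
        # report, so the per-meter counter must strictly increase.
        if seq <= self.last_seq.get(meter_id, -1):
            self.alerts.append(("replay", meter_id))
            return False
        self.last_seq[meter_id] = seq
        self.accepted.append((meter_id, seq, wh))
        return True


def run_demo() -> HeadEnd:
    """Feeds constructed traffic: genuine reports, a forgery, a replay, an unknown meter."""
    key = METER_KEYS["MTR-0001"]
    head_end = HeadEnd()
    report1 = build_report("MTR-0001", 1, 1500, key)
    head_end.receive(report1)                                      # accepted
    # Forgery: the attacker rewrites the Wh field but cannot recompute the tag.
    forged = report1[:12] + struct.pack(">Q", 99999) + report1[HEADER_LEN:]
    head_end.receive(forged)                                       # bad_mac
    head_end.receive(report1)                                      # replay of a valid report
    head_end.receive(build_report("MTR-0001", 2, 1800, key))       # accepted
    head_end.receive(build_report("MTR-9999", 1, 10, b"x" * 16))   # unknown meter id
    return head_end


if __name__ == "__main__":
    h = run_demo()
    print("accepted:", h.accepted)
    print("alerts:  ", h.alerts)
```

The alert list is what the device would log locally or forward to the DSO/ESP; the replay check is the point most often missed when a standard only specifies the MAC, because the analysis of "invalid MAC handling" passes while a captured genuine report can still be re-sent to lower the consumption the head end records.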

Security Analysis at the digital device level. At the digital device level, the focus is on the analysis of the silicon device and on stressing its robustness. Protection profiles are very well known in the field of smart cards, where the system is the silicon device itself [9]. This is not the case for smart meters, where other components are part of the system (e.g. a display, a possible infrared port or an RF interface, and a battery or capacitor for a safe system power down in case of power shortage). One of the fundamental parts of the system, from the security perspective, is the case/enclosure/packaging of the meter. There will be sensors for detecting when the meter has been opened and when the meter is disconnected from the power line (by default the meter is always connected to the power supply, which is also the communication medium with the concentrator). If power is absent, the concentrator notices it. Analogously, if the meter detects an unexpected shortage in the power supply, it performs safe power-down procedures based on the internal battery. During the "power down" time it can take actions such as logging the event in its internal flash. Upon the next "power up" it can consult such an event log and possibly avoid reconnecting to the network, if the power shortage is considered malicious. For re-connection after a malicious shortage, manual operation by the DSO/ESP is required, to ensure that the enclosure of the meter is intact and that the FC has not tampered with it.

One of the challenges of TOISE is the design of a cost-effective secure smart meter SoC. There might be hybrid approaches where the most relevant key material and encryption functionalities are managed within an external secure microcontroller. This is also requested in some market areas: for instance, the BSI activity for specifying a protection profile for smart metering mandates the use of a secure element physically separated from the metrological/communication part of the smart meter. If the external secure microcontroller is not adopted, the security of the smart meter has to rely on the capability of the SoC to store key material safely, with no information leakage upon use of the key material. An activity in the project is devoted to designing cryptographic hardware and to developing a design methodology for verifying the robustness of cryptographic hardware. How the design methodologies will satisfy the requirements will be studied in future work. Here we report the target that should be met in terms of robustness by the smart meter SoC. As reported in Table 1, the integrity of the meter must be protected against a certain class of attacks in order to avoid information leakage via monitoring of physical parameters during the functioning of the device. A first set of attacks is the so-called side-channel attacks: the attacker gains physical access to the system on chip, observes a physical quantity such as the electromagnetic emission or the power consumption, and infers the value of the key from these observations. Another class is fault injection attacks: the attacker interferes with the device, in a more or less intrusive way, to change its nominal behavior and obtain some faulty ciphertexts. Once faulty ciphertexts are obtained, the attacker can analyze them and retrieve the secret key or part of it. In some situations the possibility for the attacker to perform these types of attacks requires bypassing other security protections (such as the sensor revealing the opening of the meter).
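The side-channel robustness target described above can be made concrete with a small simulation. The following Python code is an added example, not part of the paper or of the TOISE design methodology: it models a single leaking S-box lookup of a 4-bit cipher (the public PRESENT S-box is used as a stand-in) under a Hamming-weight power model plus Gaussian noise, runs a correlation power analysis (CPA) over the 16 key hypotheses, and reports whether the key nibble is recovered and by what margin. It then repeats the attack against a first-order Boolean-masked implementation, where the same number of traces yields no usable correlation. The S-box, the noise level, the trace count and the leakage model are assumptions of the example; a real assessment replaces the simulated samples with measured power or EM traces of the SoC.

```python
import math
import random

# 4-bit S-box of the PRESENT cipher (a public constant), standing in for the
# leaking non-linear operation of the meter's cipher; the AES S-box works the same way.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def simulate_traces(key_nibble, n_traces, noise_sigma, rng, masked=False):
    """Constructed leakage: one sample per encryption, equal to the Hamming weight of
    the S-box output (or of its masked copy) plus Gaussian measurement noise."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(16)
        y = SBOX[p ^ key_nibble]
        if masked:
            # First-order Boolean masking: the device only ever handles y ^ m for a
            # fresh random m, so the sample is statistically independent of y.
            y ^= rng.randrange(16)
        plaintexts.append(p)
        traces.append(hamming_weight(y) + rng.gauss(0.0, noise_sigma))
    return plaintexts, traces


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)


def cpa_scores(plaintexts, traces) -> dict:
    """CPA distinguisher: for each of the 16 key hypotheses, correlate the predicted
    Hamming weight of the S-box output with the measured samples."""
    return {k: abs(pearson([hamming_weight(SBOX[p ^ k]) for p in plaintexts], traces))
            for k in range(16)}


def assess(key_nibble, n_traces=1000, noise_sigma=0.5, masked=False, seed=7) -> dict:
    """Runs the attack on simulated traces and reports the recovered key hypothesis,
    the score of the true key and the margin over the runner-up hypothesis."""
    rng = random.Random(seed)
    pts, trs = simulate_traces(key_nibble, n_traces, noise_sigma, rng, masked)
    scores = cpa_scores(pts, trs)
    ranking = sorted(scores, key=scores.get, reverse=True)
    return {
        "recovered": ranking[0],
        "correct_score": scores[key_nibble],
        "margin": scores[ranking[0]] - scores[ranking[1]],
    }


if __name__ == "__main__":
    print("unprotected:", assess(0xB))
    print("masked:     ", assess(0xB, masked=True))
```

The margin between the best and the second-best hypothesis, tracked as a function of the number of traces, is the kind of quantitative robustness figure a design methodology has to produce for the SoC. Masking only removes first-order leakage; a real evaluation also runs higher-order variants of the same test, and the fault-injection class mentioned above needs a separate assessment (typically redundant computation with a consistency check before any ciphertext leaves the device).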
Since the capabilities of attackers are in constant evolution, we cannot rely on the sensors alone, and the physical security of the SoC can be an added value for the overall security of the meter. Our analysis will assess the coherence between the demonstrator (the SoC) and the results of the design methodology developed in simulation.

In Table 2 we report the actors/assets relationships for the home gateway scenario. The ESP/DSO could be an actor in the home gateway scenario; currently, however, there is no evidence that multimedia content distribution over the power line will be achieved in the short term. Hence, we focus on multimedia distribution inside a household. The main threats are:
• violation of the FC's privacy, which is a traditional issue requiring the CIA (confidentiality, integrity, authenticity) properties;
• modification of the home gateway software stack, with a risk of economic losses according to well-defined business models. To avoid this, measures for the integrity and authenticity of the software/firmware are necessary.

Table 2 From Actors/Assets to Security Tools in Home Gateway

| Actors    | Assets                                                                                                                                                     | Threats                                                                                                                                                                                 | Risks                                               | Security Requirements                    | Security Tools                                            |
|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|------------------------------------------|-----------------------------------------------------------|
| ESP & DSO | (today no, or not yet, multimedia contents at this wide extension are realistic: only pilot cases exist for multimedia content transmission over the electric smart grid) |                                                                                                                                                                                         |                                                     |                                          |                                                           |
| FC        | multimedia data                                                                                                                                            | unauthorized access to or spoofing of private or copyrighted material                                                                                                                   | user privacy violation; economic loss; manipulation | confidentiality, integrity, authenticity | symmetric crypto, hash, MAC etc.; asymmetric crypto (PKI) |
| HG *      | software                                                                                                                                                   | viruses, Trojans, etc.                                                                                                                                                                  | economic loss or fraud; user privacy violation      |                                          | malware detection software                                |
| HG *      | software                                                                                                                                                   | modification of gateway functionality by the user to substitute the firmware with that of a more expensive model, inject "home brewed" software or bypass usage restrictions such as DRM | economic loss or fraud                              | integrity, authenticity                  | secure boot                                               |

* possibly connected to the SM (smart meter) through ZigBee

To limit the threats listed in Table 2, we have two types of security tools. For the CIA properties the use of encryption algorithms is mandatory; this can be partially found in the HomePlug standard or in the SSL/TLS specification for application-level security. For protection against software modification, we will rely mainly on secure boot techniques.

The Home Gateway scenario paves the way for more complex application cases such as electric cars. This is a generalization of the smart metering scenario. Vehicles with an electric engine and battery are recharged at home or in a parking area, and the vehicle or its owner is automatically billed. The E-car scenario has all the services of smart metering. In addition, some services are designed for vehicle concentration areas (e.g., parking lots or car rental stations) to manage their internal power reserve. All of these can in fact act as power consumers, on a larger scale than a home, as well as power producers.

A second application of the smart metering scenario is Multimedia Streaming. It consists of locally storing and distributing copyrighted multimedia data by means of the power grid, e.g. in a house or in a building, and possibly of downloading data by means of the power grid as an alternative to a traditional data network, e.g. the global Internet. Hence application data also have to be considered. Multimedia streaming has all the services of smart metering, e.g. billing the consumer. Furthermore it is data intensive, and the data may need to be fully protected.
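Secure boot, named above as the main protection against modification of the home gateway software stack, can be illustrated with the following added Python example (not code from the paper or from the TOISE project). It models a boot chain in which the ROM holds only the SHA-256 digest of the first-stage image, and each image carries in its header the digest of the image it is allowed to hand control to; the digest of every stage covers that header field together with the code, so a user can neither patch a stage nor re-point it at home-brewed firmware without breaking the chain at the preceding, still-trusted stage. The image layout and the stage contents are constructed for the example; a production design anchors the chain in a signature-verification public key (or its hash) in ROM/OTP rather than in a code digest, so that signed firmware updates do not require rewriting the one-time-programmable anchor.

```python
import hashlib
import hmac

DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_image(code: bytes, next_digest: bytes = b"\0" * DIGEST_LEN) -> bytes:
    """Hypothetical image format: 32-byte 'digest of the next stage' header, then the
    stage code. The last stage carries an all-zero header."""
    assert len(next_digest) == DIGEST_LEN
    return next_digest + code


def build_chain(stage_codes: list) -> tuple:
    """Builds the images back to front so each one can embed the digest of its successor.
    Returns (rom_anchor, images); rom_anchor is what gets burned into ROM/OTP."""
    images = []
    next_digest = b"\0" * DIGEST_LEN
    for code in reversed(stage_codes):
        img = make_image(code, next_digest)
        images.insert(0, img)
        next_digest = sha256(img)
    return next_digest, images


def secure_boot(rom_anchor: bytes, images: list) -> tuple:
    """Boot ROM logic: verify each image against the digest the previous trusted stage
    vouched for, and halt at the first mismatch. Returns (stages executed, status)."""
    expected = rom_anchor
    executed = []
    for index, img in enumerate(images):
        if not hmac.compare_digest(sha256(img), expected):
            return executed, f"halt: stage {index + 1} failed verification"
        expected, code = img[:DIGEST_LEN], img[DIGEST_LEN:]
        executed.append(code.decode())   # stand-in for jumping into the stage
    return executed, "ok"


# Constructed three-stage gateway firmware (the names stand in for real binaries).
ROM_ANCHOR, IMAGES = build_chain([b"bootloader", b"kernel", b"media-server"])


def boot_genuine() -> tuple:
    return secure_boot(ROM_ANCHOR, IMAGES)


def boot_patched_kernel() -> tuple:
    """The user flashes a modified second stage (say, with the DRM checks removed)."""
    tampered = list(IMAGES)
    tampered[1] = make_image(b"kernel-no-drm", IMAGES[1][:DIGEST_LEN])
    return secure_boot(ROM_ANCHOR, tampered)


def boot_repointed_bootloader() -> tuple:
    """The user keeps the genuine bootloader code but rewrites its header to vouch for
    home-brewed firmware; the ROM anchor covers the header, so stage 1 itself fails."""
    homebrew = make_image(b"homebrew-kernel")
    tampered = [make_image(b"bootloader", sha256(homebrew)), homebrew]
    return secure_boot(ROM_ANCHOR, tampered)


if __name__ == "__main__":
    for name, fn in [("genuine", boot_genuine), ("patched kernel", boot_patched_kernel),
                     ("re-pointed bootloader", boot_repointed_bootloader)]:
        print(f"{name}: {fn()}")
```

The example stops at integrity: the chain proves that what runs is exactly what the anchor vouches for, and halts otherwise. Authenticity of updates, the second requirement listed in Table 2, is what the public-key variant adds, because a new image can then be accepted on the strength of a signature rather than of a digest fixed at manufacturing time.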

5 Concluding remarks

We have presented the application scenarios and the basic hardware architectures being developed in the context of the TOISE project. We presented the principles of the approach in previous work [10] and are currently implementing security services within the demonstrator.

Acknowledgments. This work has been performed in the ENIAC JU project "TOISE". We wish to thank all the partners for ideas and discussion.

6 References

1. TOISE project, http://www.tst-sistemas.es/en/rd/toise/
2. EU Commission Task Force for Smart Grids (European Commission Energy): EG1, Functionalities of smart grids and smart meters; EG2, Regulatory recommendations for data safety, data handling and data protection; EG3, Roles and responsibilities of actors involved in the Smart Grids deployment; EG4, Smart Grid aspects related to Gas. [On line] http://ec.europa.eu/energy/gas_electricity/smartgrids/taskforce_en.htm (last access: July 2011)
3. Federal Office for Information Security (BSI), Protection Profile for the Gateway of a Smart Metering System. [On line] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/SmartMeter/PPSmartMeter.pdf?__blob=publicationFile (last access: July 2011)
4. IEEE, Smart Grid Initiative. [On line] http://smartgrid.ieee.org/
5. IEEE Standards Association, IEEE P2030 Draft Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), and End-Use Applications and Loads. [On line] http://grouper.ieee.org/groups/scc21/2030/2030_index.html (last access: July 2011)
6. IDIS Association, Interoperability specifications. [On line] http://www.idisassociation.com/ (last access: July 2011)
7. The Smart Grid Interoperability Panel – Cyber Security Working Group, NISTIR 7628, Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements; Vol. 2, Privacy and the Smart Grid; Vol. 3, Supportive Analyses and References. National Institute of Standards and Technology (NIST), US Department of Commerce, August 2010.
8. ZigBee Alliance, ZigBee Smart Energy. [On line] http://www.zigbee.org/
9. PoweRline Intelligent Metering Evolution (PRIME) Alliance, Draft Standard for PoweRline Intelligent Metering Evolution. [On line] http://www.primealliance.org/portals/0/specs/PRIMESpec_v1%203%20E_201005.pdf (last access: July 2011)
10. S. Song, H. Moustafa, H. Afifi, A Survey on Personalized TV and NGN Services through Context-Awareness. ACM Comput. Surv. 44(1), Article 4, January 2012.
11. A. Barenghi, G.M. Bertoni, L. Breveglieri, M. Fugini, G. Pelosi, "Smart Metering in Power Grids: Application Scenarios and Security", 1st IEEE PES Innovative Smart Grid Technologies (ISGT) Asia Conf., Perth, November 13-16, 2011.