IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008
A Security Mechanism of Web Services-Based Communication for Wind Power Plants
Nian Liu, Jianhua Zhang, Member, IEEE, and Wenxia Liu
Abstract—The IEC 61400-25 standard has defined the mapping of the wind power-plant information model to web services (WS). Ensuring the security of WS-based communication for wind power plants is an unsolved problem. WS-Security is a standard used to deal with the security requirements in applications of web services, while the username/password and X.509 certificates are the security tokens most commonly used in electric power utilities. We propose a security mechanism that deals with the requirements of authentication, integrity, nonrepudiation, and confidentiality across the communication process based on WS-Security and the two security tokens. The security mechanism is implemented by an extension of the simple object-access protocol message, the design of the security agent, and the related security message-processing algorithm. An instance is modeled based on IEC 61400-25 to demonstrate the security-enhanced remote control of wind power plants. The result supports the usefulness of the security mechanism for WS-based wind power plant communication.
Index Terms—Communication system, cybersecurity, IEC 61400-25, web services (WS), wind power plant.
I. INTRODUCTION
Manuscript received December 6, 2007; revised January 20, 2008. First published July 9, 2008; current version published September 24, 2008. Paper no. TPWRD-00791-2007. The authors are with the Key Laboratory of Power System Protection and Dynamic Security Monitoring and Control Under Ministry of Education, North China Electric Power University, Beijing 102206, China (e-mail: nian_liu@163.com). Digital Object Identifier 10.1109/TPWRD.2008.923521
THE multi-megawatt (MW) wind power plants are increasingly and actively participating in the operation of transmission systems, and wind power generation has a great influence on power system operation due to such issues as frequency and voltage variations [1]–[3]. In this case, the monitoring and control of wind power plants have become a vital part of power system operation [4]–[7]. Furthermore, the strategically distributed nature of wind power presents unique challenges. Generation is not centralized and is generally remote, sometimes offshore, and often covers large geographic areas [8]. These factors usually require a variety of networked interconnections and telecommunication technologies for monitoring and control of wind power plants [8], [9]. Therefore, efficient and reliable communication is important for wind power plants. As a consequence, IEC 61400-25 is proposed to provide a uniform communication basis for the monitoring and control of wind power plants [10]–[13]. The major communication mapping defined in IEC 61400-25 is based on WS. The simple object-access protocol (SOAP) is used to transfer the data. This ensures that different clients and environments can be used. Object-oriented data structures can make the engineering and handling of large amounts of information provided by wind power plants less time-consuming and more efficient. The use of information technologies provides the benefits of low implementation cost and ease of interoperability, but also introduces the potential for cybersecurity vulnerabilities [8], [10], [12], [14]. The cybersecurity intrusion of a power system is not merely a tale; it has come true in the real world. According to the study on cyber vulnerabilities of control systems to unauthorized access in [15], [16], there have been tens of events that resulted in damage in electric power control systems for transmission, distribution, and generation. Research needs and requirements related to the cybersecurity of power utilities and control systems have been widely discussed, and some practical methods are reported [16]–[24]. Security requirements of communication for wind power plants are specified in IEC 61400-25-3, but how they are handled specifically is completely up to the individual supplier and implemented with the communication protocols [12]. However, web services (WS)-based communication for wind power plants is a newly emerging technology, for which few security studies have been conducted. In IEC 61400-25-4, a simple security mechanism based on username/password is introduced, but this method is weak in the security level, and cannot provide additional protections of confidentiality, integrity, and nonrepudiation [13]. A common way of achieving security is relying on a secure transport layer or network layer, which typically includes secure socket layer (SSL), transport layer security (TLS), and IP security (IPSec). In particular, TLS is recommended to secure TCP/IP-based communication for supervisory control and data acquisition (SCADA) and telecontrol in IEC 62351-3 [25].
Apart from the fact that these techniques provide security only in a secure channel (and not in files or databases), they do not correspond with the WS architecture, in which the intermediaries can manipulate the messages on their way. Once a secure transport layer is used, intermediaries are not able to control the messages [26], [27]. For the same reason, IEC 62351-3 also specifies that security must follow progress and update to better solutions when available [25]. The WS-Security standard for web services was ratified by Advancing Open Standards for the Information Society (OASIS) in 2004. The standard describes enhancements for the SOAP message in order to provide a security foundation for applications based on WS [28]. The security mechanisms of some existing applications, such as the digital factory, e-mail system, enterprise services system, trust management, etc., are developed in accordance with WS-Security, but cannot be applied directly to wind power plants’ communication [29]–[32].
0885-8977/$25.00 © 2008 IEEE
LIU et al.: SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS
In this paper, we propose a security mechanism based on IEC 61400-25 and WS-Security to secure the WS-based communication for wind power plants. The content of this paper is organized as follows. Section II analyzes the WS-based communication model for wind power plants and the related security requirements. Section III briefly describes the WS-Security standard and security tokens commonly used in electric power utilities. Section IV presents designing principles of the security mechanism. In Section V, two schemes of the security mechanism are designed based on different security tokens and WS-Security. Section VI provides the implementation method, including the security extension of SOAP message, design of security agent, and algorithms for security information processing. In Section VII, a control instance for the wind turbine of a wind power plant is modeled and analyzed to demonstrate the efficiency of the security mechanism. Finally, conclusions are given in Section VIII.
II. ANALYSIS OF COMMUNICATION MODEL AND SECURITY REQUIREMENTS
A. Communication Model
IEC 61400-25 defines a communication model for monitoring and control of wind power plants. The modeling structure is similar to IEC 61850 and comprises three separately defined parts (see Fig. 1): the wind power-plant information model [11], the information-exchange model [12], and the mapping of the wind power-plant information model and the information-exchange model to standard communication profiles [13]. For mapping to WS, the information exchange between SCADA and wind power plants is based on SOAP messages. In the mapping process, the services defined in the abstract communication service interface (ACSI) [33] are associated with EXtensible Markup Language (XML) elements in the SOAP body.
Fig. 1. Communication model for wind power plants defined in IEC 61400-25.
B. Security Requirements
The information-exchange model provides services that are grouped as operational functions and management functions. The security requirements of these two functions include [12]:
1) authentication: determining the identity of the user/client;
2) authorization and access control: ensuring that the entity has the proper access;
3) integrity: messages and the computer infrastructure are protected against unauthorized modification or destruction;
4) confidentiality: objects of the wind power-plant information model are protected and only disclosed to appropriate users/clients;
5) nonrepudiation: preventing a user/client involved in a data exchange from denying that it participated in the exchange;
6) prevention of denial of service: preventing a client/server from blocking access to authorized users.
Among the aforementioned requirements, authorization and access control can be solved by the privilege management and access-control model; the methods introduced in [21] and [22] are useful for IEC 61400-25-related devices of wind power plants. The prevention of denial of service needs suitable defensive measures deployed on crucial access points of communication. Efficient products for this have been developed in the cybersecurity domain. Other requirements, including authentication, integrity, confidentiality, and nonrepudiation, should be individually designed in combination with the communication process and WS. In Fig. 1, the communication process of wind power plants can be divided into three steps:
Step 1) associate;
Step 2) data exchange;
Step 3) release.
Each step has different security requirements, listed in Table I.
TABLE I SECURITY REQUIREMENTS OF DIFFERENT COMMUNICATION STEPS
III. WS-SECURITY AND THE SECURITY TOKEN
A. WS-Security
According to the security requirements of web services, WS-Security defines the security extension method for SOAP message exchange. The standard is published by OASIS and provides the security foundation for applications of WS [28].
B. Commonly Used Security Tokens for Electric Power Utilities
A security token represents a collection (one or more) of claims. It is the basic element for authentication, encryption/decryption, integrity, and nonrepudiation. The security tokens most commonly used in electric power utilities include:
TABLE II SYMBOLS USED BY THE SECURITY MECHANISM AND RELATED EXPLANATIONS
Fig. 2. Designing principles of the security mechanism of communication for wind power plants.
1) username/password: a widely used, basic authentication function for almost all information systems, but the degree of security is weak, with insecurity risks when directly used;
2) X.509 certificates: solve the authentication, integrity, confidentiality, and nonrepudiation based on the technology of public-key cryptography. The disadvantage is that the applications must be deployed with the support of the public key infrastructure (PKI), which needs more investment.
IV. DESIGNING PRINCIPLES FOR THE PROPOSED SECURITY MECHANISM
Based on the aforementioned presentation and analysis, the designing principles are outlined as follows (see Fig. 2).
1) They can satisfy the requirements with the communication process, including authentication, integrity, confidentiality, and nonrepudiation.
2) Integration with the mapping to WS, without any changes to standard SOAP messages.
3) They should be in conformance with the WS-Security standard.
4) The security tokens commonly used in electric power utilities are important and must be taken into consideration.
V. DESIGN OF THE SECURITY MECHANISM
Considering the security tokens commonly used in electric power utilities, the security mechanism is divided into two schemes based on the username/password and X.509 certificate, respectively. In scheme I, symmetric cryptographic algorithm and message authentication code (MAC) are introduced to mitigate the weakness of the username/password token on the degree of security. In scheme II, the symmetric cryptography is used for encryption and decryption of sensitive contents in messages, public-key cryptography is used for delivering the symmetric session key and signing the messages. The symbols used for security mechanism and the related explanations are presented in Table II.
A. Scheme I—Security Mechanism Based on Username/Password
1) Associate:
• associate request
• associate response
In the beginning, initializes an associate request to , and then authenticates the identity of from the request message. The security token based on username/password is formulated as
(1)
where and are the additional elements to resist against the replay attack; is a 128-b randomized value, which is used for the derivation of the symmetric key on signature and encryption/decryption; is the digest value of , calculated by
(2)
is the original message of the associate request. To ensure the integrity and nonrepudiation, generates a signature for , represented as
(3)
is derived from and has a length of 160 b, as follows:
(4)
is also used for encryption and decryption in data-exchange steps; the key length of the selected symmetric cryptography should be lower than 160 b (e.g., AES-128). After receiving the from , retrieves the corresponding by from the local database, then calculates the by (2), and compares it with , authenticates ’s identity as being equal or not. Furthermore, is calculated by (4) to verify the validity of signature, ensuring the message is sent from authorized user and without unauthorized modification or destruction. After verification, sends an associate response message to , including a signature of to ensure the integrity and nonrepudiation
(5)
2) Data Exchange:
• request
• response
In this step, the mechanism needs to deal with the requirements of integrity, confidentiality, and nonrepudiation. Due to the wide and various types of services, to introduce the problem universality, and are used for formal representation of services. To protect against the replay attack, the contents of the signature should include original messages and the time stamps, while the contents of encryption only include the first one. The signature algorithm is same as (5), and the encryption/decryption algorithm is AES-128
(6)
3) Release:
• release request
• release response
It is important to ensure integrity and nonrepudiation in the release step. The signature contents include and the time stamps.
B. Scheme II—Security Mechanism Based on X.509 Certificate
1) Associate:
• Associate request
• Associate response
is the X.509 certificate of C
(7)
The signature algorithm is , represented as
(8)
is encrypted by ’s public key, and is represented as
(9)
After receiving the associate request, checks to authenticate ’s identity, and then verifies the integrity, nonrepudiation and freshness of the request message. Finally, uses private key to decrypt , which is prepared for encryption and decryption in data-exchange steps. If all of the verifications are passed, sends an associate response to , which includes a signature of and time stamp, as (8).
2) Data Exchange and Release: The message structures of these two steps are consistent with scheme I, but the signature algorithm is the same as (8). For example, the signature of can be represented as
(10)
Furthermore, the encryption algorithm is same as (6).
C. Comparison of the Two Schemes
The comparison between the two schemes is shown in Table III. To deal with the security requirements, Scheme I realizes encryption and signature functions based on username/password and can be easily applied. Scheme II can provide much stronger protection for communication, but the related computation demand on system resources is much higher due to the computation complexity of public-key algorithms. Therefore, the two schemes should be carefully selected according to the application environment.
TABLE III COMPARISON OF THE TWO SCHEMES
The communication for wind power plants has some performance requirements on data transfer. According to IEC 61400-25, the concrete time demands should follow the type of applications. As a comparison with the communication of substation automation system, the message types of communication for wind power plants belong to type 2, 3, 5, and 7, which are defined in IEC 61850-5 [34]. From the former analysis [21], it is obvious that the algorithms used in this paper can meet the real-time requirements.
Fig. 3. Structure of security-extended SOAP message.
VI. IMPLEMENTATION OF THE SECURITY MECHANISM
A. Message Extension Based on WS-Security
The structure of the original SOAP message for wind power plants is not enough to handle the security token and other security properties. The extension principle is to add security elements without any changes to the service mappings defined in IEC 61400-25-4. According to WS-Security, the element is inserted into the SOAP header to provide additional security information. The structure of the extended SOAP message is shown in Fig. 3.
1) SecurityToken. The element is used for authentication, along with the resource for encryption/decryption and signature/verification, including Username/Password and the X.509 certificate.
2) Signature. Provides integrity and nonrepudiation for messages based on MAC or public-key signature algorithms.
3) EncryptedKey. Encryption of the symmetric key for data-exchange steps, only applied in scheme II.
4) EncryptedData. Encryption of the monitoring or control data for wind power plants used in data-exchange steps.
B. Design of Security Agent
To implement the security mechanism, the security agent (SA), with functions of XML encryption, signature, and processing of security attributes and authentication information, is designed and set on both communication sides. The structure and functions of SA are shown in Fig. 4.
1) Process of authentication information. Add security token in element or authenticate the sender’s identity by received security token.
2) Process of additional security attributes. For the purpose of protecting against replay attack and man-in-the-middle attack, generate and verify the security factors including time stamp, randomized value, etc.
3) Encryption/decryption. Encrypt or decrypt the request/response messages based on XML encryption [35].
4) Signature/verification. Sign or verify request/response messages based on the XML signature [36].
Fig. 4. Structure and functions of the security agent.
C. Processing Algorithm of Security-Extended SOAP Message
1) SA of sender’s side
a) Insert a element to the SOAP header of the original message generated by the sender, and prepare the additional security attributes for the following related steps.
b) Processing authentication information for associate step: generate by (1), or by (7) according to user’s security token type, then insert it into the element.
c) Processing encryption for the data exchange or associate step: if using scheme I, generate element by (4); otherwise, generate and by (9) and (6), respectively.
d) Processing signature for messages in all steps: if using scheme I, generate element by (3); otherwise, by (8) or (10).
2) SA of receiver’s side
a) Receiving the security message from the SA of the sender’s side, check whether the message includes the element or not.
b) Processing authentication information for the associate step: verify the validity of security token in or by the scheme type.
c) Processing verification for messages in all steps: check whether the message is sent from a valid user and without any unauthorized modification or destruction.
d) Processing decryption in data exchange or associate steps: decrypt monitoring or control data from .
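The receiver-side checks of scheme I (token authentication, freshness, replay rejection, and signature verification) can be sketched as follows. This is an added example, not the authors' code: equations (1)–(4) did not survive on this page, so the password digest follows the WS-Security UsernameToken convention Base64(SHA-1(nonce + created + password)), while the HMAC-SHA1 key derivation, the 5-minute freshness window, the dictionary message layout and all function names are assumptions. The user name and password are those of the LogonRequest in the Appendix.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # assumed freshness window for time stamps
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # time-stamp layout seen in the Appendix messages

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken digest: Base64(SHA-1(nonce + created + password))."""
    return b64(hashlib.sha1(nonce + created.encode() + password.encode()).digest())

def derive_key(password: str, nonce: bytes) -> bytes:
    """Assumed derivation: 160-bit HMAC-SHA1 of the nonce, keyed by the password."""
    return hmac.new(password.encode(), nonce, hashlib.sha1).digest()

def mac_signature(key: bytes, body: bytes, created: str) -> str:
    """MAC over the original message plus its time stamp."""
    return b64(hmac.new(key, body + created.encode(), hashlib.sha1).digest())

def build_associate_request(user: str, password: str, body: bytes, now: datetime) -> dict:
    """Sender-side SA: attach token fields and signature to the original message."""
    nonce = os.urandom(16)                      # 128-bit randomized value
    created = now.strftime(TS_FORMAT)
    return {
        "Username": user,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": b64(nonce),
        "Created": created,
        "Signature": mac_signature(derive_key(password, nonce), body, created),
        "Body": body,
    }

class ReceiverAgent:
    """Receiver-side SA for scheme I; user_db maps username -> password."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self.seen = {}                          # nonce -> time stamp of accepted request

    def verify(self, req: dict, now: datetime) -> str:
        try:
            created_s = req["Created"]
            created = datetime.strptime(created_s, TS_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(req["Nonce"], validate=True)
            user, body = req["Username"], req["Body"]
            digest, signature = req["PasswordDigest"].encode(), req["Signature"].encode()
            if not isinstance(user, str) or not isinstance(body, bytes):
                raise TypeError("wrong field type")
        except (KeyError, ValueError, TypeError, AttributeError):
            return "malformed"
        # Forget nonces that the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if abs(now - created) > MAX_SKEW:
            return "stale"
        if nonce in self.seen:
            return "replayed"
        password = self.user_db.get(user)
        if password is None:
            return "unknown-user"
        expected = password_digest(nonce, created_s, password).encode()
        if not hmac.compare_digest(expected, digest):
            return "bad-password"
        key = derive_key(password, nonce)
        if not hmac.compare_digest(mac_signature(key, body, created_s).encode(), signature):
            return "bad-signature"
        self.seen[nonce] = created              # remember only authenticated nonces
        return "ok"

def demo() -> list:
    """Constructed scenario using the Appendix credentials (Keld / whatelse)."""
    t0 = datetime(2007, 11, 16, 1, 24, 32, tzinfo=timezone.utc)
    agent = ReceiverAgent({"Keld": "whatelse"})
    good = build_associate_request("Keld", "whatelse", b"<LogonRequest/>", t0)
    tampered = dict(build_associate_request("Keld", "whatelse", b"<LogonRequest/>", t0),
                    Body=b"<OperateRequest/>")
    wrong = build_associate_request("Keld", "guess", b"<LogonRequest/>", t0)
    late = build_associate_request("Keld", "whatelse", b"<LogonRequest/>", t0)
    return [
        agent.verify(good, t0),                           # first delivery
        agent.verify(good, t0 + timedelta(seconds=30)),   # same message resent
        agent.verify(tampered, t0),                       # body changed in transit
        agent.verify(wrong, t0),                          # wrong password
        agent.verify(late, t0 + timedelta(minutes=10)),   # delivered too late
    ]
```
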
VII. CASE STUDY
An application example of the remote control of wind turbines is modeled to explain the usefulness of the security mechanism. In Fig. 5, a wind turbine wt1 of wind power plant WPP1 is modeled based on IEC 61400-25. The logical node wt1WTUR represents general information of wt1. The control is operated by setting the attributes of the data object SetTurOp to start or stop wind turbines. For example, setCm represents the setting state of control commands (e.g., ON, OFF, or AUTO), actStt represents the current operation state of wind turbine, and is the time stamp of the current state. From associate to release, the control process of a wind turbine includes four steps, shown in Table IV. The control model is SBO control with normal security [15].
Fig. 5. Modeling of the instance system.
TABLE IV WIND TURBINE REMOTE CONTROL STEPS OF THE INSTANCE SYSTEM
Fig. 6. Security-enhanced communication for wind turbine control of the instance system.
The security mechanism for each control step is executed from side to side. When a request message is issued from client C, SAc processes it and resends it in the security-extended type to SAs; SAs then processes it to obtain the original request message and finally delivers the message to S. The response from S to C is the inverse procedure of the request. In Fig. 6, the messages exchanged between C and SAc and between SAs and S are the standard type defined in IEC 61400-25-4. In contrast, the messages exchanged from SAc to SAs are of the security-extended type. The messages of step 1 to 8 are formulated as follows, as shown in the equation at the bottom of the previous page. Messages 1 and 2 belong to the associate step, and the security token that is used in the associate request is . Messages 3 to 6 belong to the data-exchange step. First, the “Select” service selects the object data “WPP1\wt1WTUR\SetTurOp” in messages 3 and 4. Second, the “Operate” service sets the attribute “setCm=on” of the selected data object to start the wind turbine. Messages 7 and 8 belong to the release step; the control process is finished after release.
VIII. CONCLUSION
In this paper, a security mechanism based on the WS-Security standard and two types of commonly used security tokens is proposed to ensure the security of communication for wind power plants. Through the extension of the SOAP message for security properties and the deployment of security agents on both communication sides, the security mechanism is implemented without any changes in the original SOAP messages defined in IEC 61400-25-4. The security requirements are derived from IEC 61400-25, and the design is consistent with existing applications of electric power utilities and an information security standard. Consequently, the security mechanism is applicable for monitoring and controlling communication for wind power plants.
APPENDIX
Typical SOAP messages of the case study are presented as follows.
1) LogonRequest. “Keld” “whatelse”
2) message 1-security extension of LogonRequest. Keld weYI3n. . . WScqanj. . . 2007-11-16T01:24:32Z AscwfqtP. . . LyLsF0Pi4wPU ...
DJbchm5gK. . .
khn5s1aFs. . .
x3PxP/hj. . .
3) OperateRequest.
PtH3jMVes. . .BQh00y4
“WPP1.wt1WTUR.SetTurOp” “setCm=on” “t=2007-11-16T01:28:15Z”
4) Message 5—security extension of OperateRequest.
REFERENCES
[1] J. Smith, M. Milligan, E. EeMeo, and B. Parsons, “Utility wind integration and operating impact state of the art,” IEEE Trans. Power Syst., vol. 22, no. 3, pp. 900–908, Aug. 2007.
[2] C. Chompoo-inwai, W. Lee, P. Fuangfoo, M. Williams, and J. Liao, “System impact study for the interconnection of wind generation and utility system,” IEEE Trans. Ind. Appl., vol. 41, no. 1, pp. 163–168, Jan./Feb. 2005.
[3] E. Denny and M. O’Malley, “Quantifying the total net benefits of grid integrated wind,” IEEE Trans. Power Syst., vol. 22, no. 2, pp. 605–615, May 2007.
[4] N. Kodama and T. Matsuzaka, “Web-based data acquisition system of wind conditions and its application to power output variation analysis for wind turbine generation,” in Proc. SICE-ICASE Int. Joint Conf., Bexco, Korea, Oct. 18–21, 2006, pp. 3747–3750.
[5] Z. Lubosny and J. Bialek, “Supervisory control of a wind farm,” IEEE Trans. Power Syst., vol. 22, no. 3, pp. 985–994, Aug. 2007.
[6] J. Nilsson and L. Bertling, “Maintenance management of wind power systems using condition monitoring systems—Life cycle cost analysis for two case studies,” IEEE Trans. Energy Convers., vol. 22, no. 1, pp. 223–229, Mar. 2007.
[7] Y. Amirat, M. Benbouzid, B. Bensaker, and R. Wamkeue, “Condition monitoring and fault diagnosis in wind energy conversion systems: A review,” in Proc. IEEE Int. Electric Machines Drives Conf., Antalya, Turkey, May 3–5, 2007, pp. 1434–1439.
[8] W. Young, J. Stamp, and J. Dillinger, “Communication vulnerabilities and mitigations in wind power SCADA systems,” presented at the American Wind Energy Assoc. WINDPOWER Conf., May 18–21, 2003.
[9] O. Anaya-Lara, N. Jenkins, and J. McDonald, “Communications requirements and technology for wind farm operation and maintenance,” in Proc. 1st Int. Conf. Ind. Inf. Syst., Sri Lanka, Aug. 8–11, 2006, pp. 173–178.
[10] Wind Turbines—Part 25-1: Communications for Monitoring and Control of Wind Power Plants—Overall Description of Principles and Models, IEC 61400-25-1, Dec. 2006.
[11] Wind Turbines—Part 25-2: Communications for Monitoring and Control of Wind Power Plants—Information Models, IEC 61400-25-2, Dec. 2006.
[12] Wind Turbines—Part 25-3: Communications for Monitoring and Control of Wind Power Plants—Information Exchange Models, IEC 61400-25-3, Dec. 2006.
[13] Wind Turbines—Part 25-3: Communications for Monitoring and Control of Wind Power Plants—Mapping to Communication Profile (In Progress), IEC 61400-25-4, 2007.
[14] A. Olsen, B. Osdil, B. Poulsen, and K. Pedersen, “Prototype of generic server for wind power plants using IEC 61400-25 standard,” presented at the 2nd Int. Conf. Integration Renewable and Distributed Energy Resources, Napa, CA, Dec. 4–8, 2006.
[15] National Energy Technology Laboratory, A System View of the Modern Grid v2.0, Appendix A3: Resists Attack v2.0 2007. [Online]. Available: http://www.netl.doe.gov/moderngrid/resources.html.
[16] D. Dzung, M. Naedele, T. Von hoff, and M. Crevatin, “Security for industrial communication systems,” Proc. IEEE, vol. 93, no. 6, pp. 1152–1177, Jun. 2005.
[17] F. Cleveland, “IEC TC57 security standards for the power system’s information infrastructure—beyond simple Encryption,” in Proc. IEEE Power Eng. Soc. Transm. Distrib., May 21–24, 2006, pp. 1079–1087.
[18] S. Sheng, W. Chan, K. Li, D. Xianzhong, and Z. Xiangjun, “Context information-based cyber security defense of protection system,” IEEE Trans. Power Del., vol. 22, no. 3, pp. 1477–1481, Jul. 2007.
[19] G. Ericsson and A. Torkilseng, “Management of information security for an electric power utility—On security domains and use of ISO/IEC 17799 standard,” IEEE Trans. Power Del., vol. 20, no. 2, pt. 1, pp. 683–690, Apr. 2005.
[20] G. Ericsson, “Toward a framework for managing information security for an electric power utility—CIGRE experiences,” IEEE Trans. Power Del., vol. 22, no. 3, pp. 1461–1469, Jul. 2007.
[21] N. Liu, B. Duan, J. Wang, and S. Huang, “Study on PMI based access control of substation automation system,” presented at the IEEE Power Eng. Soc. General Meeting, Montreal, QC, Canada, Jun. 18–22, 2006.
[22] B. Duan and B. Liu, “Design of security state machine of access control for control object based on IEC 61850,” presented at the IEEE Power Eng. Soc. General Meeting, Montreal, QC, Canada, Jun. 18–22, 2006.
[23] “Electric power systems cyber security: Power substation case study,” in European Workshop on Industrial Computer Systems, 2006. [Online]. Available: www.ewics.org/attach-m ents/security-subgroup-bps/.
[24] L. Wang, T. Mander, H. Cheung, F. Nabhani, and R. Cheung, “Security operation modes for enhancement of utility computer network cybersecurity,” presented at the IEEE Power Eng. Soc. General Meeting Tampa, FL, Jun. 24–28, 2007.
[25] Power Systems Management and Associated Information Exchange—Data and Communications Security—Part 3: Communication Network and System Security—Profiles Including TCP/IP, IEC TS 62351-3, Jun. 2007.
[26] J. Viega and J. Epstein, “Why applying standards to web services is not enough,” IEEE Security Privacy, vol. 4, no. 4, pp. 25–31, Jul./Aug. 2006.
[27] E. Kleiner and A. Roscoe, “On the relationship between web services security and traditional protocols,” Electron. Notes Theoretical Comput. Sci., vol. 155, pp. 583–603, 2006.
[28] A. Nadalin, C. Kaler, R. Monzillo, and P. Hallam-Baker, Web Services Security: SOAP Message Security 1.1 OASIS Std. Specif., 2006.
[29] J. Woerner and H. Woern, “A security architecture integrated co-operative engineering platform for organized model exchange in a digital factory environment,” Comput. Ind., vol. 56, no. 4, pp. 347–360, May 2005.
[30] Z. Wu and A. Weaver, “Using web services to exchange security tokens for federated trust management,” in Proc. IEEE Int. Conf. Web Services, Salt Lake City, UT, Jul. 9–13, 2007, pp. 1176–1178.
[31] M. Anlauff, D. Pavlovic, and A. Suenbuel, “Deriving secure network protocols for enterprise services architectures,” in Proc. IEEE Int. Conf. Comm., Istanbul, Turkey, Jun. 2006, pp. 2283–2287.
[32] L. Liao and J. Schwenk, “Secure emails in XML format using web services,” in Proc. 5th Eur. Conf. Web Services, Halle, Germany, Nov. 26–28, 2007, pp. 129–136.
[33] Communication Networks and Systems in Substation-Part 7-2: Basic Communication Structure for Substation and Feeder Equipment—Abstract Communication Service Interface (ACSI), IEC 61850-7-2, 2003.
[34] Communication Networks and Systems in Substations—Part 5: Communication Requirements for Functions and Device Models, IEC 61850-5, 2003.
[35] M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon, Signature Syntax and Processing 2002. [Online]. Available: http://www.w3.org/TR/xmldsig-core/.
[36] T. Imamura, B. Dillaway, and E. Simon, XML Encryption Syntax and Processing 2002. [Online]. Available: http://www.w3.org/TR/xmlenccore/.
Nian Liu was born in Anhui, China, in 1981. He received the B.S. and M.S. degrees in electric engineering from Xiangtan University, Hunan, China, in 2003 and 2006, respectively, and is currently pursuing the Ph.D. degree at North China Electrical Power University, Beijing, China. His research interests are monitoring and control for wind power plants, communication system of substation automation, and information security.
Jianhua Zhang (M’04) was born in Beijing, China, in 1952. He received the M.S. degree in electrical engineering from North China Electric Power University, Beijing, China, in 1984. He was a Visiting Scholar with the Queen’s University, Belfast, U.K., from 1991 to 1992, and was a Multimedia Engineer of Electric Power Training with CORYS T.E.S.S., France, from 1997 to 1998. Currently, he is a Professor and Head of the Transmission and Distribution Research Institute, North China Electric Power University, Beijing. He is also the Consultant Expert of National “973” Planning of the Ministry of Science and Technology. His research interests are in power system security assessment, operation and planning, and emergency management. Mr. Zhang is an IET Fellow and a member of several technical committees.
Wenxia Liu received the M. S. degree in electric engineering from Northeast Dianli University, Jilin, China, in 1995. Currently, she is an Assistant Professor at North China Electrical Power University, Beijing, China. Her research interests are in planning and operation of distribution system and power system communication.