Network Coding Based Encryption System for Advanced Metering ...

Network Coding Based Encryption System for Advanced Metering Infrastructure Hasen Nicanfar† , Amr Alasaad‡ , Peyman TalebiFard† , Victor C.M. Leung†

† Department

of Electrical and Computer Engineering, The University of British Columbia, Vancouver, BC ‡ King Abdulaziz City for Science and Technology, Riyadh, Saudi Arabia Emails: [email protected], [email protected], [email protected], [email protected]

Abstract—In a smart grid system, the metering data collected by smart meters (SMs) and transferred via an Advanced Metering Infrastructure to the utility for billing purposes, and to the demand-response system to achieve cost effective resource allocation. The collected data at the SMs are sent to aggregators (AGRs), which in turn forward these data to a higher layer data collection system using secured communications. However, metering data are typically transferred between SMs and AGRs over wireless multi-hop communication networks. Due to the broadcast nature of wireless transmissions, the communications between a SM and AGR are susceptible to many security attacks. We argue that advanced network coding (NC) technology can be utilized to address this problem. We propose a novel system that supports data collection security at AGR by encrypting metering data transmitted between SMs and AGR using NC technology. Our innovative scheme eliminates the use of previously specified public key encryption system between SMs and AGR, which consequently makes our system very efficient. Analyses show that our proposed scheme enhances robustness and throughput of data routing in the wireless multi-hop network between SMs and AGR while maintaining a strong security. Index Terms—Encryption System; Network Coding; AMI; Security; Smart Grid.

Fig. 1: Communications Architecture in AMI

I. I NTRODUCTION Smart Grid (SG) aims at improving different aspects of the power grid [1]. In order to achieve the SG objectives, cooperation between stakeholders of the grid including consumers, service providers and the utility is required [2]. Advanced Metering Infrastructure (AMI) and different systems (e.g., Demand-Response) are defined for the SG [3]. In such systems, metering information and predicted (planned) consumer demand are the key elements. To collect the power consumption data, a smart meter (SM) is used at the customerend (e.g., home area network (HAN)). Specific nodes in the SG called aggregators (AGRs) are used to collect metering information from SMs. For example, SMs of the HANs gather power metering data of homes in a neighbourhood and send these data to the AGR located in that neighbourhood [4]. Every period of time, the metering data collected by an SM are transferred via AMI to the utility for billing purposes [5]. Different communication technologies using power lines, wireless channels, and optical fibres [6] have been proposed for transferring data between SMs and AGRs. Advances in wireless multi-hop communication technologies such as wireless mesh networks (WMNs) motivate developers of SG to use them for communications between SMs and AGRs,

particularly in neighbourhood area networks (NANs) [7]. In this case, SMs in a neighbourhood use the wireless NANs to connect together to form a WMN and collaborate to forward each other’s traffic [8], [9]. A typical architecture for communication in a SG is shown in Fig. 1. The broadcasting nature of the wireless transmissions makes the SG communications vulnerable to various security attacks. These attacks can cause many issues such as black-out or debilitating short circuits if the metering data were changed by the adversary. For this reason, aspects like confidentiality and privacy of the clients have gained more attention in the last few years. Thus, effective security measures are mandatory to make SG ready for implementation [1], [2], [10]. The traffic encoding feature of network coding (NC) has been used to improve data delivery and reliability in communication networks. However, other inherent features of NC can be used for other purposes such as privacy [11] and security. Our main contribution in the paper is the proposal of network coding based encryption (NCbE), a novel and efficient encryption scheme for metering data traffic in the SG that enables secured data collection at AGRs using advanced NC technology, which eliminates the cost of heavy computational

978-1-4673-5775-3/13/$31.00 ©2013 IEEE

operations required in Public Key Encryption (PKE) specified for SG. In Section II, we review the related work. Section III presents our proposed NCbE, which is analyzed in Section IV. Section V concludes the paper. II. BACKGROUND AND R ELATED W ORK A. Background In general, there are two kinds of security keys along with appropriate schemes for encrypting and decrypting data packets: symmetric keys and asymmetric keys. In the symmetric key (a.k.a private key encryption (PrKE)) system, the sender and receiver of a packet use the same key for encryption and decryption. In the asymmetric key (a.k.a PKE) system, every communicating node has a public key and a private key. The public key of the receiver, which is publicly known by others, is used by the sender to encrypt the packet. The receiver uses its own private key to decrypt the encrypted packet and obtains the original packet. 1) Authentication: Authentication is defined as binding an identity (ID) to a subject or principal, normally by showing that the subject (a) is capable of, e.g., performing a digital signature, (b) knows, e.g., a password, (c) possesses, e.g., a smart card, and (d) has biometrically, e.g., fingerprints. In order to establish a certain level of trust in a networking environment, it is necessary that network nodes perform a mutual authentication [1]. One of the well-known authentication protocol is Secure Remote Password (SRP) [12], which authenticates entities and constructs a session key over an insecure communication channel. In SRP, verifiers are stored instead of the passwords in the server in order to decrease the harm of the server compromising attack. In this case, a one-way (hash) function is used to compute the verifier out of both the password and another value called salt [12]. The client password is initially introduced to the server prior to starting the authentication protocol, and the server saves the verifier (and its salt) along with the client ID (e.g. Fig. 2). 2) Network Coding: NC is mainly used in multicast routing, wherein intermediate nodes encode the contents of the incoming packets, e.g., by using an operation involving coefficients. Although it has been shown that NC improves the robustness and throughput, the advantages is beyond what NC has been originally proposed for. The simplest coding scheme is linear coding [13], which treats a block of data as a vector over a certain base field of coefficients. Each intermediate node performs a linear transformation to obtain a linear combination of the incoming edges before transmitting them to the next node(s). This process is performed using a coefficient (Local Encoding Vector or LEV) at each node in order to obtain a Global Encoding Vector (GEV) between source(s) and destination(s). Consider a finite Field Fq where q = pn , p is called the characteristic of the field and is a prime number, and n is the length of a code word. Each coded data packet is a linear combination of data chunks with coefficients from Fq . Similar to the definition of generation in the field theory, the

result of the linear combination carried over a set of original packets is called a generation of the original packet. This operation generates a primitive element in the field. Secure NC and requirements for the field size is investigated in [14]. According to the results of this work, it is sufficient that the ˜ where E ˜ is all the possible subsets of links field size q > |E|, that can be available to the eavesdropper. Therefore, NC can be represented by a state space description consisting of the coupling at the source and destination as well as the adjacency matrix of the graph as shown in the following standard form. Z = F X + BU,

(1)

Y = T X,

(2)

where Z denotes the intermediate random processes, F is the adjacency matrix for the graph of the network, B describes the coupling between the source nodes and the network, and A describes the coupling between the system and the sink nodes. The global transfer matrix T for the system can be written as (3): (3) T = A(I − F )−1 B T where I is an identity matrix with the size of |E| × |E| [15]. By obtaining the transfer matrix of the network (T ), receivers can use (4) to extract the original X out of received Y . X = T −1 Y

(4)

Matrix T , which is based on the coefficients of the nodes and topology/graph, should be invertible. Indeed, this can be assured by using random coefficients [16]. Since T is not fixed due to dynamic and randomness of the coefficients, the receiver is required to calculate T −1 each time. B. Related Work PKE is proposed by the National Institute of Standard and Technology (NIST) in the United States for SG communications [17]. Different solutions have been proposed in the literature to efficiently implement PKE, including our previous solutions in [9]. However, PKE is costly in terms of the use of computational resource. In this paper, we propose to replace PKE by NCbE as the method to maintain data confidentiality between SMs and AGRs. NCbE utilizes advances of NC technology to encrypt the metering data. Furthermore, NCbE system eliminates forwarding the coefficients (LEVs) of the nodes to the receiver in order to decode the received encoded data. The inherent features of NC such as shaping, buffering, and mixing traffic allow for source authentication, and creates the possibility of protecting packets from traffic analysis and flow tracing. However, NC is vulnerable to several security attacks (e.g., pollution attack and entropy attack). Therefore, some solutions have been proposed to address security issues in NC. The proposed schemes mainly focus on detecting or filtering out polluted messages in cryptography based solutions including homomorphic hashing [18]. The scheme in [19] is proposed to address Byzantine adversaries with different attack capabilities. In [20], NC is used for security and privacy

preserving in multi-hop wireless networks [20]. However, little attention has been paid to explore the ability of NC to support data confidentiality and security. To the best of our knowledge, we are the first to propose a practical NC-based scheme to encrypt metering data in the SG in order to provide security for the collection of metering data. Y. Phulpin et al. present a set of strategies to exploit NC technology in SG [21]. In particular, the impact of NC on the reliability of multicast channels for control messages was addressed. The most related work to ours is Secure Practical NC (SPOC) [22]. SPOC is a security scheme for data confidentiality using Random Linear NC (RLNC), which provides a simple yet powerful way to exploit the inherent security of RLNC in order to reduce the number of cryptographic operations required for confidential communications. The scheme locks the source coefficients required to decode the linearly encoded data, while allowing intermediate nodes to run their NC operations. Authors proved that the unlocked coefficients do not compromise the hidden (secured) data. However, the scheme considers one source only and does not scale well with an increasing number of sources in the network. In [23], authors focused on data integrity in content distribution via NC, by using the homomorphic concept. However, this work mainly targets scenarios with one source and multi destinations, wherein the data integrity values (signatures) issued by the source is proposed to be verified by the intermediate nodes at each step. The presented solution in [24] efficiency delivers the messages from the sources to the receivers in an untrusted NC-enabled system with low bandwidth cost, but requires having a separate (secure) channel between the sources. Although they considered multi-source system, having the separate communication network between the sources is not applicable in the SG since all nodes (i.e., SMs) act as source as well as intermediate node. Sang Kim introduced and defined the concept of trust as the probability of receiving the data by the receivers [25]. The author showed that this probability decreases exponentially with the number of combined packets in the intermediates nodes when a random based NC-enabled system is used. As per his results, and also according to the results of other work in this area, it is recommended to route the traffic over the shortest distance (hops) between the source and sink, or using the sub-graphing technique [11]. In the system design presented in this paper, we divide the network topology into different segments at the NAN level, which is practical in the SG context, and focus on the segment between SMs and the AGRs in a single NAN. However, using NC in the WMN has some side effects such as vulnerability to epidemic attacks. Li and Lui proposed an algorithm for detecting and identifying epidemic attacks in a NC-enabled WMN [18]. Since SMs in our network model are intermediate nodes as well as the sources of the metering data, this attack is less likely to occur. However, an algorithm such as the one proposed by Li and Lui can be easily added to our proposed system.

III. S YSTEM D ESIGN In this section, we first explain our assumptions and describe the system model and architecture. We then present our proposed NCbE mechanism for encrypting and decrypting metering data transmitted from the SMs to the AGRs. A. Assumptions and System Setup Referring to [1], [9], our assumptions are as follows: • The network topology is segmented, and there is an AGR in each segment. Since the locations of the SMs and AGR are fixed, the network topology is also static. • Nodes within a segment are connected using a WMN, and unicast routing is used to deliver traffic between nodes in the segments over the WMN. • Each node has a unique ID, which can be manually assigned to the node. • AGR periodically collects and aggregates metering data from SMs, and sends them to the higher layer in SG. • AGR has the required information about its segment such as ID of the nodes (SMs) and topology of the segment. • Each SM has an initial secret password pwsm loaded at the time of installation for authentication purposes. The AGR of the segment is also informed about the new SM and its information, such as IDsm and pwsm . • Each node is initially loaded with the H(.) function and g & p values to be used in the SRP-based algorithm [12]. • There is a reasonable level of trust between SMs. In each segment, the responsible AGR picks a saltsm and calculates the appropriate verification value versm as in (5), and saves the ID of the SM (IDsm ) along with the saltsm & versm values in its database. versm = g H(pwsm ,saltsm ) mod p

(5)

B. Initialization: Mutual Authentication As shown in Fig. 2, SM and AGR mutually authenticates each other via four steps using an SRP-6a based [12] scheme.

Fig. 2: SM and AGR Mutual Authentication

The two parties construct a symmetric key Ksm that is used during the third and fourth steps. Furthermore, the SM receives system information such as number of neighbours, their IDs and labels (1, ..., msm ) as well as the required function FC (.), which are described in Section III-C. Lastly, the SM sends to 0 ) along with a nonce ncsm the AGR its first packet (P cksm received in the system parameters in the previous step, all encrypted by Ksm , to acknowledge receiving the parameters. Note: We use the original SRP-6a mechanism and modify it by reducing the steps and transferring the required parameters, e.g. FC (.), via the exchanging packets of the steps, similar to the proposed mechanism in [9]. C. Network Coding based Encryption Referring to Section II-A2, the receiver (AGR in this case) requires the LEVs in order to compute the GEV followed by the transfer matrix of the graph/network. Moreover, an LEV is a function of the coefficient factors [26]. Without going to more detail, we can assume:

Fig. 4: Process steps of a SM

T ransf er M atrix = F unction(LEV s or GEV ) In the NCbE system, we implement RLNC in a static topology. Therefore, in order to compute the transfer matrix for decoding the packets, an AGR requires the coefficient factors of the SMs. Beside, to be an invertible transfer matrix, the coefficient should be as random as possible. So, we introduce the coefficient vector C i (i = 1, 2, ...) of a node/SM to be the product (FC (.)) of the received packets in the previous i−1 ), number of the incoming links (msm ) and iteration (P cksm Gsm used in the authentication scheme, as per (6)  i−1 , Gsm , msm ) (6) C i = ci0 , ci1 , ..., cim  = FC (P cksm i S.t. cj = 0 , ∀j = 1, 2, ..., msm & ∀i = 1, 2, ...

Ksm key constructed by AGR. 0 as a seed value), II. SM sends its first packet (with P cksm encrypted with Ksm , to AGR directly during the fourth step of the authentication scheme (Fig. 2). III. SM computes the coefficient vector Ci (C1 in the first iteration) utilizing its own sent packet in the previous 0 in the first iteration), via (6). iteration (P cksm IV. SM receives the encoded packets from its neighbours. V. SM calculates its output packet piout from the packets received from its downstream neighbours (Pin = {pjin |j = i , as follows: 1, 2, ..., msm }) and its own packet P cksm

Note: Gsm is based on modulo p of a true random number Rsm (Fig. 2), as Gsm = g Rsm mod p. To transfer the randomness to the coefficient, we consider a large p value to have Gsm randomly out of a large range to increase probability of the matrix to be invertible [16].

(7)

i i piout = C i  (P cksm , Pin )

VI. SM sends the encoded packet piout to the upstream neighbours to be transferred to the AGR. For instance, if we assume the NC operation “” in (7) is the dot product of the vectors, piout can be calculated as per (8): i i T i , Pin ) = ci0 .P cksm + piout = C i .(P cksm

m sm  j=1

Fig. 3: SM and AGR connections To present and explain NCbE, we concentrate on a SM and an AGR as shown in Fig. 3. 1) Operations of the smart meter: An overview of the algorithm that operates in the SM is presented in Fig. 4. Each step of the algorithm is explained in detail below. I. SM sends initialization request to AGR and performs mutual authentication as in Section III-B, and receives

(cij .pjin )

(8)

SM repeats steps “III − V I” of the above SM algorithm for the transfer of subsequent packets, as shown in Fig. 4. 2) Operations of the aggregator: The overall algorithm that shows duty of the AGR is presented in Fig. 5. I. AGR responds to the initialization request sent by the SM, and performs the mutual authentication as presented in Fig 2. AGR sends the required information to the SM, such as topology as well as labels (number) of each link between the SM and its downstream neighbours that the SM receives the packet from. Note: The link number/label is used in the NC task, to pick the appropriate coefficient from the coefficient vector Ci in each iteration. SM and AGR should be synchronized in this regard under control of the AGR.

A. Security analysis

Fig. 5: Process steps of an AGR 0 II. AGR receives the first packet from the SM (P cksm ) in the fourth step of the authentication scheme (Section III-B). III. AGR decrypts the received packet using the session symmetric key Ksm , and saves the packet in its dataset for the next iteration. IV. In iteration “i”, AGR computes coefficient vector Ci s for all the SMs in its segment utilizing their received packets during iteration “i − 1”. V. Then, AGR calculates the transfer matrix of the segment that it is covering, and the inverse of this matrix. VI. AGR receives the encoded packets from its neighboring SMs. Note that, AGR should stay in this step till it has received sufficient encoded data to solve the coding problem. VII. AGR decodes the received encoded data in this iteration. VIII. AGR aggregates the received data and forwards them to the higher layer in the SG network. Note: This communication, which can be e.g., a unicast communication via a channel secured by PKE, is outside the scope of this paper. IX. AGR updates its data-set with the decoded packets of this iteration (i) to be used in the next iteration (i + 1). Note that AGR repeats steps “IV − IX”, as shown in Fig. 5, for the following iterations.

IV. A NALYSIS In this section, we analyze our proposed NCbE system from the security and performance points of view.

We follow the well-known Dolev-Yao approach [27] and provide an adversary analysis. Dolev-Yao assumes all the packets are delivered to and received from an adversary that is capable of recording, deleting, re-playing, re-routing, reordering and re-scheduling the packets. We investigate two scenarios for the adversary including internal and external adversaries. 1) External adversary model: In this scenario, our adversary is an external party who does not have control on any of the nodes of the segment such as AGR or any SM. Objectives: The adversary wants to gain passive or active access to the metering information of the customers and possibly modify them. Initial capabilities: The detail information about our proposed scheme and topology are known by the adversary. Also, he has enough knowledge and is well-equipped to be able to wire-tap the channel. Capabilities during the attack: The adversary gains access to the packets arriving to and departing from each SM. Indeed, the data that he can receive is encoded data (by the downstream (relay) SMs). Discussion: Since the adversary does not have the coefficient vectors of the SMs, he cannot decode the messages. The coefficient vector of a SM is the function of the previous packet of the SM as well as a random number that SM has generated at the time of authenticating itself to the AGR. Therefore and in a general situation, he cannot obtain access to the data. If he receives the data of a leaf SM, the data at least is encrypted/encoded by multiplying the plain packet to a secret coefficient (msm = 1 in (6)), but he does not have the coefficient of the victim SM. The last situation that we need to examine is that the adversary intercepts the communications between AGR and its neighbours over the last hop. Although it may appear that he can cause the most issue in this situation by destroying the data, since the AGR receives the encoded packets from different neighbours via different paths, it has a good chance to solve the NC problem and obtain the right information. However, the is not able to gain access to the data or modify them since he does not have the full matrix of transportation. 2) Internal adversary model: In this model, we assume the adversary has full control on one (or more) malicious SM(s). Objectives: The adversary’s aim is to (i) passively gain access to the packets of other SMs, and (ii) actively modify the packets of others. Initial capabilities: Similarly, he has full knowledge about the topology and our scheme. Beside, he has access to the symmetric keys of the SM and its neighbours, e.g. the AGR of the segment. Capabilities during the attack: Having full control on a SM makes the adversary one of the relay/intermediate nodes for other traffic that crosses the SM. Discussion: In this case, even if the malicious SM is the last hop (one hop before the AGR), the adversary cannot gain access to other SMs, and he is at the same situation as the

external adversary from this point of view. However, with a low probability, he can prevent the AGR from receiving (i.e., destroy) some packets as explained below. If the malicious SM is one hop after a victim leaf SM, and the malicious SM is the only path to the AGR that the victim SM has, he can drop, or destroy, the packets of the victim. However, if the packets of the victim SM are transferred via several SMs (the leaf SM is connected to more than one neighbours), the chance of destroying the victim packets is still low. Note that, he cannot modify the packets since the packets are at least encrypted/encoded with the coefficient value of the victim (ci0 ). Moreover, if the malicious SM is in the middle of the network, the only information that he receives is the packets of its neighbour. Since the neighbours’ packets are being transferred via other nodes (SMs) as well, the AGR will notice that the packets are modified/destroyed, just in case. This information can be forwarded by the AGR and used by system administrator to fix the issue. Meanwhile, the malicious SM can be ignored in communications, and AGR can modify the topology (graph) to address this issue. B. Communication and network performance analysis NC is proposed to be used in communication targeted at maximizing throughput, minimizing energy per bit and minimizing delay [26]. Therefore in this section, we only analyze network performance related to NCbE, in terms of the cost of the security operations. In order to provide a comparison, we consider a reference model with RLNC employed for data transport robustness and PKE for data security. We also assume the cost of the authentication steps (“I −II” in Fig. 4 and “I −III” in Fig. 5) are negligible compared to the data delivery steps (“III −V I” in Fig. 4 and “IV − IX” in Fig. 5), since they are part of a transition state. The differences are as follows: ScnI. Using PKE system: • Each SM randomly selects its coefficient at each iteration. • Each SM encrypts its packet at each iteration. • Each SM sends LEV to the AGR at each iteration. • The AGR decrypts the packets after decoding them. • All parties need to have the appropriate public/private key pairs as well as a mechanism to refresh the keys. ScnII. Using NCbE system: • Each SM runs the coefficient function generator FC (.) per each iteration. • The AGR runs FC (.) per each SM to calculate LEV of the SM per each iteration. • Each SM needs to keep one (last) packet, of its own. • The AGR needs to keep one (last) packet per SM. Note that, we only consider the metering data collection traffic. An appropriate encryption system can be used for other data traffic, e.g., SG controlling packets, which is not part of our comparison, since they exist in both scenarios. TABLE I presents a summary of the aforementioned requirements, improvement or drawback, in the communication

TABLE I: Summary of Performance Comparisons Item/Parameter TRNG Bandwidth (data and coefficient) Encryption/decryption process time Encryption/decryption resource consumption Storage for saving the key vs. packet Key refreshment process

Improvement or Replaced by 2 times PRNG 50% 100% 100% 33.33% Eliminated

and resource consumption, which are further described as follows: Random number: As above comparison shows, we have replaced running a true random number generator (TRNG) with two pseudo random number generators (PRNGs). Since running a TRNG is a heavy task, it is not even feasible for a SM to perform this task in each iteration. On the other hand, running PRNG is a low cost task and the required resource is much less than running the TRNG. Encryption/decryption: Performing the encryption and decryption tasks in the ScnI scenario are completely eliminated by our system in the ScnII scenario. For instance if we assume the time for encryption and decryption are the same as t0 , in a segment consists of m0 number of SMs, we needs 2 × t0 × m0 less time for the packet handling. Required bandwidth: Referring to Section III-C, since the coefficients of the SMs are known by the AGR via (6) in each iteration, the coefficients do not need to be transfered to the AGR. Consequently, the required bandwidth to transfer the coefficient information (LEV) is completely eliminated in our system. If we assume that the size of a packet that contains LEV is the same as that of the metering data packet, a good estimate is that we are saving 50% of the bandwidth. Required storage: Each SM needs to save its own private key as well as public key of the AGR in ScnI, which is replaced by one of its packet in ScnII. If we assume that the size of the keys and data packets are the same, each SM requires 50% less storage in ScnII. Furthermore, the AGR should saves its own private key as well as the public key of each SMs in ScnI that is replaced by one (data) packet per each SM in ScnII. Similarly, if we assume that the size of the packet and the key are the same, the required storage RS(.) in the AGR is the same in both scenarios. To compare the storage, in a segment consisting of m0 SMs, and with p0 representing the size of a packet as well as a key, (9) and (10) shows the required storage by ScnI and ScnII, respectively. RS(ScnI) = m0 × (2 × p0 ) + (1 + m0 ) × p0 = (1 + 3 × m0 ) × p0 ≈ 3.m0 .p0

(9)

RS(ScnII) = m0 × p0 + m0 × p0 = 2.m0 .p0 (10) Consequently, ScnII needs 33.33% less storage. Key refreshment: The required key refreshment process as part of the PKE key management is eliminated in ScnII. 1) Impact of the control packets: We have only considered collecting the metering data from multiple sources, which are also relay node, at a single receiver. Referring to our previous discussion, there are other data, like SG control packets, which

still may use a PKE, or a PrKE. To perform a fair analysis, let us assume our solution saves α% resource consumption per packet. Also, β% of the data are the metering data. The total of improvement is: Improvement = 1−

(1 − β) + ((1 − α) × β) = α×β (11) (1 − β) + β

Generally speaking, (11) shows that our improvement is directly related to the values of α and β. Indeed, (11) shows that as the percentage of the metering data increases, the system becomes more efficient. Furthermore, since α is normally close to one, the improvement is roughly equal to the value of β. V. C ONCLUSION In this paper, we have proposed an efficient scheme for security and confidentiality in the SG communication system. In particular, our proposed scheme utilizes the traffic encryption feature of the NC mechanism in order to enable security for the metering data collected from SMs at the AGRs. Our analysis and evaluation results show that our proposed scheme provides robust and efficient performance for the SG communications from both security and system point of views. Our scheme does not use the PKE mechanism previously specified for secured communications in SG. Instead, we have developed an innovative NC-based encryption scheme for data security that significantly reduces the network overhead for secure communications as well as the computation cost (i.e., the number of computational operations required at the SMs). In the future work, we shall extend our scheme to address security of data collection at the Phasor Measurement Units (PMUs). Furthermore, we shall take advantage of the crowded topologies by employing a sub-graph approach to further improve the performance of the proposed scheme. Also, we shall carefully design the FC (.) function in such a way that increases the probability of the transmission matrix to be invertible in order to enhance the robustness of SG communications. ACKNOWLEDGEMENT This work was supported in part by the Natural Sciences and Engineering Research Council (NSERC) of Canada through grant STPGP 396838. R EFERENCES [1] NIST Smart Grid, Cyber Security Working Group, “Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security,” Guideline, Sep. 2010. [Online]. Available: www.nist.gov/smartgrid [2] T. M. Chen, “Survey of cyber security issues in smart grids,” Cyber Security, Situation Management, and Impact Assessment II; and Visual Analytics for Homeland Defense and Security II (part of SPIE DSS 2010), pp. 77 090D–1, 2010. [3] A. Rossello-Busquet, “G. hnem for AMI and DR,” in International Conference on Computing, Networking and Communications (ICNC). IEEE, 2012, pp. 111–115. [4] F. Bouhafs and M. Merabti, “Managing communications complexity in the smart grid using data aggregation,” in 7th IWCMC, 2011, pp. 1315– 1320. [5] P. Kulkarni, S. Gormus, Z. Fan, and F. Ramos, “Ami mesh networksa practical solution and its performance evaluation,” IEEE Transactions on Smart Grid, vol. 3, no. 3, pp. 1469–1481, 2012.

[6] Z. Fan, P. Kulkarni, S. Gormus, C. Efthymiou, G. Kalogridis, M. Sooriyabandara, Z. Zhu, S. Lambotharan, and W. H. Chin, “Smart Grid Communications: Overview of Research Challenges, Solutions, and Standardization Activities,” IEEE Commun. Surveys & Tutorials, vol. 15, no. 1, pp. 21–38, 2013. [7] D. Geelen, G. van Kempen, F. van Hoogstraten, and A. Liotta, “A wireless mesh communication protocol for smart-metering,” in ICNC, 2012, pp. 343–349. [8] H. Gharavi and B. Hu, “Multigate communication network for smart grid,” Proceedings of the IEEE, vol. 99, no. 6, pp. 1028–1045, 2011. [9] H. Nicanfar, P. Jokar, K. Beznosov, and V. C. M. Leung, “Efficient Authentication and Key Management Mechanisms for Smart Grid Communications,” accepted for publication in IEEE Systems Journal, Jan. 2013. [10] H. Khurana, M. Hadley, N. Lu, and D. Frincke, “Smart-grid security issues,” IEEE Security & Privacy, vol. 8, no. 1, pp. 81–85, 2010. [11] H. Nicanfar, P. TalebiFard, A. Alasaad, and V. C. Leung, “PrivacyPreserving Scheme in Smart Grid Communication Using Enhanced Network Coding,” in will be presented at IEEE ICC, Budapest, Hungary, Jun. 2013. [12] T. Wu et al., “SRP-6: Improvements and Refinements to the Secure Remote Password Protocol,” P1363.2 working group,. [13] S. Li, R. Yeung, and N. Cai, “Linear network coding,” IEEE Transactions on Information Theory, vol. 49, no. 2, pp. 371–381, 2003. [14] J. Feldman, T. Malkin, C. Stein, and R. Servedio, “On the capacity of secure network coding,” in 42nd Annual Allerton Conf. on Commun., Control, and Computing, 2004. [15] R. Koetter and M. M´edard, “An algebraic approach to network coding,” IEEE/ACM Transactions on Networking, vol. 11, no. 5, pp. 782–795, 2003. [16] P. TalebiFard and V. Leung, “A content centric approach to dissemination of information in vehicular networks,” in Proceedings of the second ACM international symposium on Design and analysis of intelligent vehicular networks and applications. ACM, 2012, pp. 17–24. [17] NIST Smart Grid, Cyber Security Working Group, “Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements,” Guideline, Aug. 2010. [Online]. Available: www.nist.gov/smartgrid [18] Y. Li and J. Lui, “Epidemic attacks in network-coding enabled wireless mesh networks: Detection, identification and evaluation,” 2012. [19] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Medrad, and M. Effros, “Resilient network coding in the presence of Byzantine adversaries,” IEEE Transactions Information Theory, vol. 54, no. 5, pp. 2569–2603, 2008. [20] Y. Fan, Y. Jiang, H. Zhu, J. Chen, and X. S. Shen, “Network coding based privacy preservation against traffic analysis in multi-hop wireless networks,” IEEE Transactions on Wireless Communications, vol. 10, no. 3, pp. 834–843, 2011. [21] Y. Phulpin, J. Barros, and D. Lucani, “Network coding in Smart Grids,” in IEEE SmartGridComm. Brussels, Belgium: IEEE, 2011. [22] J. P. Vilela, L. Lima, and J. Barros, “Lightweight Security for Network Coding,” in IEEE ICC. Beijing, China: IEEE, 2008. [23] Q. Li, J. C. Lui, and D.-M. Chiu, “On the security and efficiency of content distribution via network coding,” Dependable and Secure Computing, IEEE Transactions on, vol. 9, no. 2, pp. 211–221, 2012. [24] Y. Buyukalp, G. Maatouk, V. M. Prabhakaran, and C. Fragouli, “Untrusting network coding,” in Network Coding (NetCod), 2012 International Symposium on. IEEE, 2012, pp. 79–84. [25] S. W. Kim, “Trustworthiness of Random Network Coded Information in Untrustworthy Networks,” in IEEE ICC, Ottawa, ON, Jun. 2012, pp. 4579–4583. [26] P. A. Chou and Y. Wu, “Network coding for the internet and wireless networks,” IEEE Signal Processing Magazine, vol. 24, no. 5, pp. 77–85, 2007. [27] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.