IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011
Security Framework for Wireless Communications in Smart Distribution Grid
Xudong Wang, Senior Member, IEEE, and Ping Yi
Abstract—Communication networks play a critical role in smart grid, as the intelligence of smart grid is built based on information exchange across the power grid. In power transmission segments of smart grid, wired communications are usually adopted to ensure robustness of the backbone power network. In contrast, for a power distribution grid, wireless communications provide many benefits such as low-cost high-speed links, easy setup of connections among different devices/appliances, and so on. Connecting power equipment, devices, and appliances through wireless networks is indispensable for a smart distribution grid (SDG). However, wireless communications are usually more vulnerable to security attacks than wired ones. Developing appropriate wireless communication architecture and its security measures is extremely important for an SDG. Thus, these two problems are investigated in this paper. Firstly, a wireless communication architecture is proposed for an SDG based on wireless mesh networks (WMNs). The security framework under this communication architecture is then analyzed. More specifically, potential security attacks and possible counter-attack measures are studied. Within the security framework, a new intrusion detection and response scheme, called smart tracking firewall, is developed to meet the special requirements of SDG wireless communications. Performance results show that the smart tracking firewall can quickly detect and respond to security attacks and is thus suitable for real-time operation of an SDG.
Index Terms—Security, smart distribution grid, smart grid, wireless mesh networks.
I. INTRODUCTION
AS COMPARED TO traditional power grid, smart grid is distinguished by several features. Smart grid is robust to load fluctuations, and the supply-demand balance can be properly maintained via intelligent real-time dispatching mechanisms, large-capacity high-performance battery, distributed energy, and close customer-grid interactions. Smart grid is also resilient to equipment failure, which prevents a single failure from developing into power outage or blackout. Smart
Manuscript received October 15, 2010; revised April 21, 2011; accepted June 05, 2011. Date of publication October 25, 2011; date of current version November 23, 2011. This work was supported by Program for New Century Excellent Talents in University under Grant NCET-10-0552, by Pujiang Talent Program under Grant 10PJ1406100, and by Shanghai Municipal Natural Science Foundation under Grant 09ZR1414900. Paper no. TSG-00182-2010. X. Wang is with the University of Michigan-Shanghai Jiao Tong University Joint Institute, Shanghai Jiao Tong University, Shanghai, China (e-mail: [email protected]). P. Yi is with the School of Information Security, Shanghai Jiao Tong University. Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TSG.2011.2167354
grid makes a power system more sustainable and more environmentally friendly by integrating renewable energy sources (e.g., solar power and wind power) into the same grid. In smart grid, energy can be utilized efficiently through well-maintained balance between supply and demand. Smart grid can bring various benefits to customers. For example, customers can reduce the amount of power bill by matching the operation time of different electric appliances to the period with the best price; they can even get profit by selling power to the grid. Moreover, smart grid significantly improves power availability and quality. Many core technologies need to be developed to enable the above features of smart grid. Among them, one critical technology is real-time monitoring and control of a large scale power network, which demands a sophisticated communication network across the grid to fulfill two tasks: 1) exchange information acquired by distributed sensing; 2) disseminate management and control messages to electric equipment and appliances. Thus, developing novel communication technologies that meet the special requirements of a power network plays a critical role in smart grid [1], [2]. In different segments of a power grid, different communication technologies are applied to meet their unique specific requirements. In a power transmission network that involves bulk power generation and power transmission, wired communications over power lines or optical cables are adopted to ensure robustness of the power backbone. However, in power distribution networks that provide power directly to customers, both wired and wireless communications should be considered. For example, from substations to pole-mounted transformers, power-line communications can be employed for monitoring and control of various equipments. In a substation, optical communications can be applied to monitor or control certain mission critical devices. 
However, in power distribution networks, wireless communications are preferred by many application scenarios, such as: 1) when many parameters in a substation need to be monitored, optical or power-line communications can result in a costly and complicated system architecture; 2) power-line communications cannot easily bypass transformers in a power distribution network; 3) wired communications cannot provide peer-to-peer communications among electric devices in a flexible manner. In order to achieve cost-effective and flexible monitoring and control of end devices, efficient dispatching of power to customers, and dynamic integration of distributed energy resources with power grid, wireless communication and networking functionalities must be embedded into various electric equipments such as circuit breakers, power inverters, power meters, and so on. Capability of wireless networking among various electric
equipments is one of the key technologies that drive the evolution of a conventional power distribution network into a smart distribution grid (SDG). Different types of wireless networks are available, but which one is the best fit for an SDG depends on the system architecture of the SDG and varieties of communication modules and wireless connections. In an SDG, multihop wireless networking is definitely necessary, as electric equipments out of communication range of each other need to exchange information. To simplify network organization and maintenance, the entire network needs to be self-organized. Moreover, communication modules in an SDG may pertain heterogeneous properties in terms of communication range, computing power, and power efficiency. For example, some communication modules are for wireless sensing or for control running at a low duty-cycle, but other communication modules may need to constantly forward data traffic. In an SDG, communication modules associated with electric devices are usually stationary, but mobile connections need to be supported at the customer side or on some handheld devices. The aforementioned requirements of SDG communications lie in the advantages of wireless mesh network (WMNs) [4], so WMNs are well suited for wireless networking in an SDG. In fact, some companies have started to consider mesh links for wireless communications in a power distribution network. For example, a company called Tropos Networks has started to use WMNs to connect smart grid. In NIST’s recent document on cyber security of smart grid [5], WMNs are also considered important networking links for smart grid. In recent years, many innovations have been made to improve performance of WMNs. However, when WMNs are applied to build wireless communication infrastructure for an SDG, a few challenging issues still remain. Among them, the most critical concern is what security level can be achieved by WMNs for an SDG. 
Without effective measures to prevent security attacks, the privacy of customers and confidentiality of grid information cannot be guaranteed. In the worst case, power outage can be triggered by security attacks. Thus, this paper studies the security framework for WMN-based wireless communications in an SDG. In particular, security vulnerabilities are investigated under the scenario of SDG wireless communications. Corresponding to each category of security issues, existing solutions are discussed and potential improvements are also proposed for the specific applications of SDG. In particular, detailed research results are presented for an effective security measure for SDG wireless communications. This security solution is developed based on a novel mechanism of smart tracking firewall, which can dynamically track a security attacker and respond to attacks in a timely manner.
The rest of the paper is organized as follows. In Section II, wireless communication architecture based on WMNs is proposed. Under this architecture, security framework for WMN-based SDG communications is investigated in Section III. A new security protocol called smart tracking firewall is developed in Section IV. The paper is concluded in Section V.
II. WIRELESS COMMUNICATION ARCHITECTURE FOR SDG
A smart distribution grid (SDG) holds several distinct characteristics, e.g., 1) it is integrated with distributed energy sources
such as solar cells, wind turbines, or electric vehicles (EVs); 2) power flows do not necessarily follow a single direction from a generator to an end device; instead, the distributed energy source can send power directly to customers or even to power grid, which results in multidirectional power flows; 3) electric devices and power meters become much more intelligent to enable dynamic power dispatching; 4) dynamic pricing becomes a feasible measure of controlling power load, stability, and quality.
To fully support the intelligent capabilities of an SDG, a reliable and cost-effective communication network is necessary to connect electric modules such as inverters, smart meters, and intelligent electric appliances. Wired communication technologies are available, but they are not suitable for SDG communications. For example, optical communications are reliable, but deploying optical fibers to connect all end devices is too expensive to be feasible. Power line communications (PLCs) [3] are constrained by several shortcomings: 1) they are not flexible enough to support peer-to-peer communications among electric devices; 2) throughput may not be sufficient for frequent data exchange in an SDG; 3) high-speed communication signals cannot pass through transformers. Consequently, wireless technologies become an indispensable option for SDG communications.
There exist several choices of wireless communications for connecting monitoring, control, and consumer electric devices. However, most of them (e.g., wireless local area networks (WLANs) or wireless sensor networks (WSNs)) are not directly applicable to an SDG due to several issues. The first one is the flexibility in topology formation. In an SDG, various electric devices need to have peer-to-peer communications, so mesh networking capability is a viable option. However, a WLAN can only support one-hop point-to-multipoint (PMP) communications.
Usually a WSN like a Zigbee network is also a PMP network unless mesh networking capability is added into Zigbee nodes. The second issue is that rate-distance performance is not scalable for SDG wireless communications. For example, a WLAN can support a communication rate of tens of Mbps, but it can only reliably reach a distance of tens of meters. Moreover, to achieve reasonable throughput-delay trade-off, the number of nodes that can be supported within the same WLAN needs to be small. Thus, one WLAN is obviously not enough for an SDG. In theory, multiple WLANs can be adopted to support a large scale SDG. However, communications and coordination among different WLANs become difficult to manage. The better solution is to build WMNs based on WLAN technologies. The third issue is that SDG wireless communications need to support different types of wireless applications. For example, some electric nodes only need to send control or measurement information at a low frequency, so the communication capability like WSN is sufficient. However, some other nodes, like the gateway node in a home or for an entire community, definitely demand a much higher communication rate and a larger communication distance. In this case, communication technologies based on WiFi with high-gain antenna may be necessary. As a result, SDG wireless networks must be capable of integrating heterogeneous wireless networks. Furthermore, in an SDG there exist PLCs that shall be utilized as much as possible, particularly to enhance reliability
Fig. 1. Wireless communication architecture based on WMNs in smart distribution grid.
and security. As pointed out in [4], wired communications can be easily integrated into WMNs. Although a cellular network like 3G can provide satisfying rate-distance performance, its network capacity may not be enough to allow SDG wireless communications as an additional service, because emerging cell phone services are currently overloading 3G networks. Moreover, coupling power supply services with telecom services downgrades reliability and complicates management of an SDG. In contrast, a wireless mesh network (WMN) [4] does not have the afore-mentioned issues. It can be deployed and managed proprietarily by a utility company. In addition, the mesh networking capability of WMNs provides more flexible interconnection among various electric devices than a cellular network can do. In short, WMNs can easily integrate heterogeneous networks to fulfill different functions such as sensing, monitoring, data collection, control, pricing, and so on. The system architecture that merges WMNs and power distribution networks is depicted in Fig. 1. An SDG below the level of substations consists of multiple microgrids. Typically, a microgrid, managed by a micro control center, contains a few picogrids, several sets of power equipment such as transformers, breakers, and capacitors, and distributed energy sources like solar cells, EVs, or wind turbines. A picogrid is usually formed by electric devices in a home or building, and it may also include some distributed energy sources like EVs or solar cells. To form WMNs in an SDG, a communication module with mesh networking capability needs to be added into each electric equipment or device. According
to Fig. 1, a hierarchical communication architecture, which is typical in WMNs, can be formed. In this architecture, different communication networks are integrated in the same WMN. At the lower level of the hierarchy, PLC networks and local area mesh networks in a home, building, or factory are merged. The local area mesh networks interconnect electric appliances, smart meters, and grid-tied inverters through mesh links of WSNs or WiFi networks. At the upper level, all local area mesh networks are connected to each other through mesh routers to form a larger scale WMN. The mesh routers also provide connections to transformers, shunt capacitors, control centers, and substations. To ensure satisfactory rate-distance performance, some mesh routers are more powerful in terms of transmit power and antenna gain. It should be noted that a mesh node at the lower level of the hierarchy is a mesh client of a mesh router at the upper level, although a group of such nodes can also form a mesh network themselves.
III. SECURITY FRAMEWORK FOR WMN-BASED SDG
To ensure proper operation of an SDG, a number of critical services must be supported by a secure communication network. Several typical scenarios are listed below.
1) Collect power usage information from smart power meters for the purpose of billing, power dispatching, and grid optimization. This function has already existed in some power distribution grids, especially for billing purpose, via PLCs. However, higher communication throughput and
more flexible networking interfaces are desired due to frequent interactions among grid, customers, smart meters, inverters, and renewable energy sources.
2) Monitor the status of electric equipment. For example, the grid-tied inverters, transformers, switches, and so on need to be monitored by measuring parameters such as voltage, current, and phase. Such information needs to be sent back to a control center for maintaining grid stability and power quality.
3) Send control messages from a control center to electric devices. For example, when a number of grid-tied inverters are connected to an SDG, their operations need to be coordinated and controlled such that the renewable energy sources and the grid work collaboratively.
4) Send pricing information to customers. Pricing is the key strategy to control power usage at the customer side. Via dynamic pricing, customers can be guided to use less power during peak-demand period and save power in battery (e.g., charging EVs) during valley-demand period.
The above services of an SDG need to be protected; otherwise, the SDG will malfunction. For a WMN-based SDG, security measures developed for WMNs can be adopted. However, existing solutions are insufficient for an SDG, because there exist several challenging requirements specific to SDG. Firstly, how the communication network and the power network interact with each other remains an open research problem of cyber-physical systems. In other words, the performance metrics that need to be delivered by WMNs for an SDG are not clear yet. As a result, it is unknown if the performance of existing security measures of WMNs can meet the needs of an SDG. Secondly, a security attack on a WMN of an SDG is much more harmful than one on a conventional WMN. For example, information loss caused by security attacks in a conventional WMN may not be so detrimental. However, for a WMN in an SDG, such information loss can lead to a disastrous result like power outage in the entire SDG.
To enhance security in WMNs for an SDG, cross-layer design is highly preferred, and all protocol layers need to work together to ensure highest security. Thirdly, the latency of existing security measures of WMNs may not satisfy the need of an SDG. For example, when a security attack causes malfunction in an electric device, its impact can be propagated to other electric devices of the entire SDG quickly, as the propagation speed is basically equal to the speed of electromagnetic waves in cables. Thus, the intrusion detection and response scheme must be fast enough such that a security attack can be terminated before it becomes effective [2], [6]. Fourthly, the communication network of an SDG will always involve PLCs, which can potentially improve the security of WMNs. However, existing security solutions of WMNs do not take into account the role of wired networks. Considering the above challenging requirements, a new security framework needs to be developed for a WMN-based SDG. More specifically, several key research tasks are necessary: 1) investigate new secure system architecture for a WMN-based SDG; 2) reevaluate and enhance existing security measures of WMNs considering the new requirements of an SDG; 3) develop new security measures to cover the scenarios that do not exist in a conventional WMN.
A. Reliable Security Architecture for WMN-Based SDG
To achieve a robust, reliable, and secure WMN for an SDG, a comprehensive security framework is proposed by following several design rules: 1) security measures must be considered in all protocol layers, and cross-layer design is adopted whenever possible; 2) time critical messages must be protected by a security mechanism with quick response time; 3) all available wired communication paths must be leveraged to strengthen the security in WMNs. In addition, information messages must be differentiated through different security levels according to two criteria: delay and loss. Messages with strict constraint in both delay and loss hold the highest security level. Messages that are only sensitive to delay or loss have medium level of security, while messages without delay or loss constraint hold the lowest security level. Dedicated resources (in time, frequency, etc.) must be allocated to messages with the highest security level. Wired communications may be integrated into WMNs to support extremely critical messages.
B. Security Vulnerabilities and Attacks in WMN-Based SDG
As explained in [5], smart grid security involves nearly all function blocks of a power system. As far as communications are concerned, the security vulnerabilities are subject to many factors [2], [6], [7]. This section is focused on the security vulnerabilities and attacks in SDG communications based on WMNs. According to how security of SDG wireless communications is compromised, the security issues can be classified into the following categories:
• Jamming. In this case, a malicious node intentionally generates wireless signals in the same frequency band used by WMNs of an SDG. This type of security attacks can be easily captured through signal detection.
• Eavesdropping by nodes outside WMNs. A malicious node can steal information from a WMN without being authorized to access the network.
It can eavesdrop packets sent by mesh nodes in a WMN, and then either try to decrypt the packets or just analyze the traffic pattern of mesh nodes. Since the malicious node can work totally in the receiving mode without emitting any signals, it is extremely challenging to capture such security attacks. A promising approach to this problem is to develop physical layer security techniques [9], [10]. With physical layer security enabled in a WMN, an eavesdropper cannot figure out any useful information even at the bit level, no matter how much computation power it possesses.
• Eavesdropping by malicious nodes inside WMNs. Such nodes may be the legitimate mesh nodes that do not follow the security rules or illegitimate nodes that have bypassed the authentication procedure of WMNs. When they get access to the network, they do not conduct active security attacks, but just eavesdrop packets in a passive way. There are two scenarios with this type of eavesdropping. In the first scenario, the malicious node overhears packets or signals from other nodes. The physical layer security can be applied so that the malicious node cannot decode signals from other mesh nodes. In this scenario, data encryption can also help protect the confidentiality of information
flowing in an SDG. In the second scenario, the malicious node tries to masquerade as a legitimate mesh node and then receive packets from other mesh nodes. It is difficult to protect information security in this scenario, because the node has been considered as a legitimate node. However, it might be possible to analyze the malicious node's behavior based on the patterns of receiving data from other nodes.
• Launching security attacks by nodes inside WMNs. The node launching security attacks can be either a legitimate or an illegitimate mesh node. To launch security attacks, a malicious node needs to be actively involved in networking protocols. Since a WMN is generally a multihop wireless network, the malicious node can easily participate in both MAC and routing protocols. As a result, it can launch a large number of different attacks, e.g., dropping packets, redirecting packets, changing contents of a packet, disabling routing messages or MAC layer ACKs.
C. Security Measures for WMN-Based SDG
To avoid security vulnerabilities and counter security attacks, multiple security measures need to be implemented. Firstly, WMNs need to cooperate with available wired networks to deliver critical messages via the most secure and reliable path within the shortest time. Designing a hybrid secure communication system by integrating both WMNs and wired networks (e.g., power-line communications or optical networks) is highly desired by a smart distribution grid. To the best of our knowledge, no research results have been reported. Solutions to this problem are subject to future research. Secondly, all categories of security issues described in Section III-B need to be addressed properly.
1) Anti-jamming techniques. Both passive and active schemes can be developed. In active schemes, physical layer techniques that are tolerant to jamming are adopted for wireless communications.
For example, spread spectrum (either frequency hopping or direct sequence) techniques can be applied to reduce the impact by intentional jamming signals. The passive schemes are based on monitoring electromagnetic emissions in the frequency band of WMNs for an SDG. If abnormal jamming signals are detected, the next key step is to locate the jamming source. In this way, a security attacker can be captured. 2) Physical layer security to disable eavesdropping. Eavesdropping can be conducted by a node outside WMNs or a node authorized to access WMNs. Data encryption makes eavesdropping a hard task for malicious node. However, as computation power is constantly increasing, decrypting packets is becoming more and more feasible for security attackers. Moreover, the security attack can be based on analyzing traffic patterns or accessing packets (e.g., some broadcast messages) without being encrypted. Thus, security level provided by data encryption may not be sufficient to satisfy the security requirements of an SDG, because an information network in power grid usually demands much tighter security than the well known Internet. In order to totally block eavesdropping in SDG wireless communications, techniques of physical layer security [9], [10] can be
applied. Applying physical layer security to SDG wireless communications is a long term research effort instead of a short-term solution, for two reasons. Firstly, to date physical layer security still lacks mature techniques that can be implemented practically in a realistic system. Secondly, how to carry out cross-layer design between MAC/routing protocols and physical layer security algorithms for SDG wireless communications still demands enormous research efforts. However, physical layer security is a promising approach that can provide nearly perfect security in the physical layer for wireless communications. This distinct feature is highly favored by power grid. 3) Effective authentication schemes to block network access by malicious nodes. As explained in Section III-B, as long as an illegitimate node passes authentication and becomes an insider of a network, security issues associated with this node become very difficult to resolve. Thus, authentication in SDG wireless communications must be conducted in a much stricter process than that is done in other wireless networks. Particularly, hierarchical authentication [8] needs to be enforced from an SDG macro control center to micro control centers. The state-of-the-art key management schemes [8], [11]–[17] for WMNs can be employed to further enhance the effectiveness of authentication. 4) Secure protocols to prevent inside attackers. When a malicious node is authenticated, whether it is legitimate or not, it becomes an inside security attacker. Two security measures can be applied to reduce security threat by such a node: 1) secure communication protocols; 2) intrusion detection and response schemes. • In WMNs for an SDG, the most critical communication protocols are MAC and routing protocols. Thus, mechanisms to achieve secure MAC and routing protocols must be adopted. 
To date, a number of secure MAC protocols [18], [19] and secure routing protocols [20]–[22] have been developed for WMNs or mobile ad hoc networks. However, how these protocols perform in an SDG needs further investigation. Moreover, cross-layer design is necessary to fulfill security of the entire communication architecture of SDG wireless communications. To this end, several rules shall be followed to achieve secure cross-layer design: 1) secure MAC and routing protocols must take into account the hierarchical authentication and key management schemes; 2) secure MAC and routing protocols must be designed together with physical layer security measures; 3) secure MAC and routing protocols need to take advantage of the wired communications available in an SDG to enhance security in protocols.
• Security attacks can still occur even though secure MAC or routing protocols are adopted. Thus, it is indispensable to detect possible intruders and respond to these intrusions in a timely manner. The performance metrics of intrusion detection include accuracy and response time. The latter one is especially critical for an SDG, due to real-time operation of power systems. Since WMNs are employed for SDG communications, intrusion detection is a distributed process instead of a centralized
one. In [23], [24], distributed and collaborative intrusion detection schemes were developed for mobile ad hoc networks. However, for WMN-based SDG communications, mobility of mesh routers is minimal. Such a feature can be utilized to improve the accuracy of intrusion detection and reduce the complexity of the entire intrusion detection system. Once intrusion detection captures security attacks, the other critical task is to respond to such attacks in a timely and effective way. So far researchers pay more attention to intrusion detection than to intrusion response. For example, in [23] intrusion response is conducted by simply restarting the authentication process. Such simple schemes cannot quickly capture further security attacks and result in slow intrusion response. In Section IV, a smart tracking firewall is developed to track a detected intruding node such that its security attacks can be quickly captured and blocked wherever it moves in an SDG wireless network.
IV. SMART TRACKING FIREWALL
No matter how secure the communication protocols can be in WMNs, security attacks can still happen. Thus, intrusion detection and response is an important security measure to protect WMNs. When an SDG is considered, the intrusion detection and response process must be quick enough to ensure real-time operation of an SDG. In this section, a new intrusion detection and response scheme, called smart tracking firewall, is developed. It adopts the concept of secure firewall, but more importantly the firewall is adaptively mobile to track an intruder.
A. Key Mechanisms of the Smart Tracking Firewall
In a WMN-based SDG, unwanted traffic flowing into WMNs cannot be filtered out by a traditional firewall, because the attacker in an SDG wireless network may not be always attached to the same network interface. In addition, a node within the network could become an intruder, so attack traffic could originate from within the network itself.
Consequently, the traditional mechanism of firewall is not suitable for SDG communications. To develop a new firewall for SDG communications, it is necessary to consider several requirements: 1) the malicious traffic from outside of the mesh network needs to be filtered, as implemented in a traditional firewall; 2) the security attacks from insiders need to be blocked; 3) security attacks from a mobile node need to be quickly located and blocked; 4) overhead for implementing the firewall shall be minimized. It is a challenging problem to meet these requirements as SDG wireless communications are characterized by multihop wireless networks. In this paper, a smart tracking firewall is proposed to solve this problem. It is based on several key mechanisms:
• Each mesh node (mesh client or mesh router) contains a module of smart tracking firewall, in which two security agents are implemented: an intrusion detection agent and an intrusion response agent. Moreover, each mesh node maintains two node lists: blacklist and graylist. The blacklist contains the nodes that are determined to be malicious nodes by the intrusion detection agent. A mesh node cannot send any message to or receive any message from a node in
the blacklist. The graylist of a mesh node contains the malicious nodes that are determined by neighbors of the mesh node. When a malicious node in the graylist moves into the communication range of the mesh node, it is immediately considered as a security attacking node and is thus moved into the blacklist. Since the nodes in the graylist of a mesh node are not within the communication range of the mesh node, direct security attacks to the mesh node cannot be launched. • When a mesh client detects an security attack from an malicious node, it cuts off the communications with the malicious node by dropping packets from/to the malicious node. In addition, it reports the intruder (i.e., the detected malicious node) to its neighbors by sending a prealarm message. A neighbor receiving this message will record the intruder as a node in the graylist. In our design, mesh clients associated with the same mesh router are considered to be in the same cluster, so each mesh router is the cluster head of several mesh clients. Two neighboring clusters can be linked through either mesh routers or mesh clients in the overlapping area of clusters. When a mesh router of a cluster receives a prealarm message, it also includes the intruder into the graylist. However, if the mesh router receives such a message from more than a certain number of mesh clients (i.e., the prealarm threshold), it moves the intruder from the graylist to the blacklist, and then broadcast its blacklist to all mesh clients in the same cluster as well as to mesh routers in neighboring clusters. Since the mesh router can determine whether an intruder shall be included into the blacklist, it is also called a decision node. • As the intruder moves from one mesh cluster to another, it will be included into the blacklist or the graylist in a new group of mesh nodes. The mesh nodes with the intruder in their blacklist block security attacks launched by the intruder, so they form a defense zone to confine the intruder. 
The mesh nodes with the intruder in their graylist form a prealarm zone, because they can quickly detect the intruder once it moves into their communication range and thus respond to security attacks in a timely fashion. As a result, when an intruder moves, both the defense zone and the prealarm zone track its moving path and actively block its attacks. In this way, a malicious node is always under the control of a smart tracking firewall; as a result, it has no time to launch effective security attacks. It should be noted that the above mechanisms are mainly focused on the process of intrusion response. How to effectively detect intrusion is not the focus of this paper, but schemes in [23], [24] can be adopted as a function block of the smart tracking firewall. The smart tracking firewall have two distinct advantages: • Security attacks to any node by an intruder can be quickly blocked by mesh nodes, no matter where the intruder launches attacks. Such a fast response to security attacks is desired by smart grid. • A prealarm message is broadcast only when a mesh node includes an intruder into the backlist, so its propagation will be quickly stopped at mesh nodes where the intruder is only added into the graylist. In other words, prealarm
WANG AND YI: SECURITY FRAMEWORK FOR WIRELESS COMMUNICATIONS IN SMART DISTRIBUTION GRID
Fig. 2. An example of smart tracking firewall: Steps 1 and 2. (a) Step 1: Nodes B and C have detected attacks from Node W and put it in their blacklists. (b) Step 2: Node A receives enough prealarm messages from Nodes B and C and thus decides to put Node W in its blacklist.
messages are confined within the neighboring clusters. As a result, signaling overhead of this protocol is significantly reduced as compared to other schemes based on message flooding. B. An Example of the Smart Tracking Firewall An example is presented in this section to further illustrate the detailed procedures of the smart tracking firewall. The mesh nodes of an SDG are shown in Figs. 2, 3, 4, where two mesh routers A and F work as the cluster heads and the decision nodes. Nodes A, B, C, D, and E form the first cluster, while Nodes F, G, H, I, J form another cluster. Node W is a malicious node. In Fig. 2(a), the malicious node W launches attacks. Both Node B and Node C are under such attacks. Through self intrusion detection, they detect Node W as a malicious node and record it in their blacklist. At the same time, they broadcast a prealarm message to inform their decision node A. In Fig. 2(b), Node E cannot overhear prealarm messages from either Node B or C, so it does not know anything about Node W. However, decision node A receives two prealarm messages from its mesh clients. Since the prealarm threshold in this example is set into two, it concludes that the malicious node W has entered into its cluster. As a result, the decision node A records Node W in its blacklist and conducts a blacklist broadcast. As a result, in Fig. 3(a), after receiving the blacklist broadcast from Node A, Nodes D and E record the Node W into their blacklist, and broadcast a prealarm message to inform their neigh-
815
Fig. 3. An example of smart tracking firewall: Steps 3 and 4. (a) Step 3: Node A broadcasts its blacklist to all mesh nodes in its cluster and to other mesh routers like Node F. All nodes in the cluster of Node A put Node W into their blacklists. (b) Step 4: Both Node D and Node E send a prealarm message. Such a message is received by Nodes G and I, so these two nodes put Node W into their graylists. When Node F receives the blackist message from Node A, it only records Node W in its graylist. A prealarm zone is formed in this step.
bors. Currently, the nodes surrounding Node W all record it in their blacklists. Thus, the defense zone of the firewall is formed to block attacks from Node W. In Fig. 3(b), Nodes G and I receive a prealarm message from Node D, they record Node W in their graylists. When Node F receives the blacklist message from Node A, it records Node W in its graylist instead of blacklist, because Node F decides blacklist by itself; messages from Node A only provide a warning to Node F. By now, a prealarm zone is formed as a second layer of firewall to protect mesh nodes from being attacked by Node W. In Fig. 4(a), as Node W approaches Node I, it lies in the communication range of Node I. Thus, Node I moves Node W from its graylist into the blacklist. As a result, Node I not only defends the network from attacks by Node W but also broadcasts a prealarm message. When Node H receives such a message, it puts Node W in its graylist. Since the number of received prealarm messages in Node F is only one and does not exceed the threshold (i.e., two), the decision node F cannot proceed to put Node W in the blacklist. Thus, Node F does not broadcast a message about its blacklist. As the malicious node W further moves into the cluster as shown in Fig. 4(b), Node F detects a strong signal strength that confirms Node W is really in the cluster. Thus, Node F moves Node W from the graylist to the blacklist and also conducts a one-hop broadcast of the blacklist. As a result, all mesh clients in the second cluster record Node W
Fig. 4. An example of smart tracking firewall: Steps 5 and 6. (a) Step 5: Node W is very close to Node I, so Node I moves Node W from the graylist to the blacklist, and then sends a prealarm message. When this message is received by Node H, Node W is put into the graylist of Node H. In this step, Node F receives only one prealarm message, so no action is necessary. (b) Step 6: Node F detects Node W is close enough and decides to move Node W from the graylist to the blacklist. Node F also informs all mesh nodes of its blacklist. As a result, all nodes in the cluster of Node F put Node W into the blacklist.
Fig. 5. The network topology of a mesh network.
in their blacklist. Thus, when Node W moves inside the cluster of Node F, it is tightly controlled by a new firewall. In Fig. 4(a) and 4(b), some nodes are not included in the defense zone, even if they have put Node W in their blacklists. The reason is that these nodes are too far away from Node W. These nodes can either keep Node W in their blacklists or eliminate Node W; either way, the performance of the smart tracking firewall is not affected.
C. Performance Results
Simulations are conducted to evaluate the performance of the proposed mechanism of smart tracking firewall. Within an area of 1000 m × 1000 m, 34 mesh clients are randomly distributed, while 16 mesh routers are regularly placed. The distance between two mesh routers is 240 m, and the closest distance from a mesh router to the area boundary is 140 m. The network topology is shown in Fig. 5, where mesh nodes 0–15 are mesh routers, and all other nodes are mesh clients. All mesh nodes follow the IEEE 802.11 MAC protocol, and the link capacity of each mesh node is assumed to be 4096 Kbps. The routing path between any two communicating nodes within this mesh network is determined by a dynamic source routing (DSR) protocol. After simulation starts, 30 end-to-end data flows between mesh clients are
initiated randomly within 10 s. To simulate security attacks, one mesh client is selected as the security attacker. It initiates attacks at 50 s after simulation starts and floods 100 packets per second to the mesh network. The security attacker can move freely in the simulation area at a constant speed of 10 m/s. In addition to the smart tracking firewall proposed in this paper, two other scenarios are also simulated. The first one is No Detection, which means that no intrusion detection and response system is available in the network. The second one is Individual Response, which includes a threshold-based intrusion detection scheme but does not track the mobile security attacker, i.e., intrusion response is done by each mesh node individually. The performance of these three scenarios is compared using different metrics. The results of packet delivery ratio, packet delay, and throughput are shown in Figs. 6, 7, and 8, respectively. As illustrated by these results, when security attacks start at 50 s, the network performance is severely impacted. If no effective security measure is available, the system performance stays constantly low. If intrusion detection is applied but the attacker is not tracked (as shown in the scenario of Individual Response), the network performance can be improved after attacks are detected. However, the network cannot be recovered and work properly, because the new attacks launched by the mobile intruder cannot be quickly blocked. With smart tracking firewall, this issue is effectively resolved. As shown in the results of all the performance metrics, the network can quickly roll back to the normal state, because the mobile intruder is constantly tracked by mesh nodes and its new security attacks can be captured in a timely manner. For SDG wireless communications, the response time to security attacks is a critical parameter. If security attacks can be detected within the shortest time interval, then the impact on the power grid will be minimal.
Otherwise, security attacks may lead to system failure or even power outage. To illustrate the quick response time of the smart tracking firewall, the delay of detecting security attacks in each mesh router is shown in Table I. The results show that all mesh routers except one do not need to spend time on detecting security attacks. Once Mesh Router 0 detects the intruder, all other mesh routers can launch counter-attacks once the intruder moves into the defense zone. In contrast, the Individual Response scheme is slow in responding to security attacks, because each mesh router has to take a few seconds to detect new attacks by the same intruder.
TABLE I COMPARISONS OF DETECTION DELAYS
Fig. 6. Packet delivery ratio of different security measures.
Fig. 7. Packet delay of different security measures.
Fig. 8. Throughput of different security measures.
V. CONCLUSION
In this paper a WMN-based wireless communication architecture was proposed for an SDG. The security framework for this architecture was studied comprehensively. In order to demonstrate the effectiveness of the security framework, a smart tracking firewall was developed to address the intrusion detection and response issue in a WMN-based SDG system. Simulation results showed that the smart tracking firewall could detect and respond to security attacks in a timely manner, which suits the real-time operation of smart grid. To further improve security of WMN-based SDG wireless communications, several challenging issues still remain. In the short term, effective hierarchical authentication and key management schemes need to be designed for the microgrid/picogrid hierarchical system architecture of an SDG. In addition, secure MAC and routing protocols shall be developed through cross-layer design with the physical layer techniques. Moreover, how to integrate wired communications, especially power line communications, with WMNs is important to improve security of an SDG. In the long term, it is necessary to develop practical physical layer security schemes for SDG wireless communications.
ACKNOWLEDGMENT
The authors would like to thank the Program for New Century Excellent Talents in University, the Pujiang Talent Program, and the Shanghai Municipal Natural Science Foundation for their generous support.
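The blacklist/graylist rules of Section IV-A, replayed on the two-cluster scenario of Section IV-B, as an added example that is not the authors' implementation. The radio links, the class and method names, the use of `>=` for the prealarm threshold, and treating every other mesh router as a neighboring cluster are assumptions made for this illustration.

```python
# Added illustration of the Section IV list rules; not the authors' code.
from collections import defaultdict

PREALARM_THRESHOLD = 2   # value used in the Section IV-B example

class Mesh:
    def __init__(self, clusters, links):
        self.clusters = clusters              # router (decision node) -> its clients
        self.nbrs = defaultdict(set)          # radio neighbours of each node
        for a, b in links:
            self.nbrs[a].add(b)
            self.nbrs[b].add(a)
        self.black = defaultdict(set)         # node -> blacklisted intruders
        self.gray = defaultdict(set)          # node -> graylisted intruders
        self.alarms = defaultdict(set)        # (router, intruder) -> prealarm senders

    def _blacklist(self, node, intruder):
        """Blacklist intruder at node; announce only when the entry is new."""
        if intruder in self.black[node]:
            return
        self.gray[node].discard(intruder)
        self.black[node].add(intruder)
        if node in self.clusters:             # decision node: blacklist broadcast
            for client in self.clusters[node]:
                self._blacklist(client, intruder)
            for router in self.clusters:      # assumption: all routers are neighbours
                if intruder not in self.black[router]:
                    self.gray[router].add(intruder)   # a warning only
        else:                                 # mesh client: one-hop prealarm
            for n in sorted(self.nbrs[node]):
                self._on_prealarm(n, node, intruder)

    def _on_prealarm(self, node, sender, intruder):
        if intruder in self.black[node]:
            return                            # already blocking, nothing to relay
        self.gray[node].add(intruder)         # graylist entries are never relayed
        if node in self.clusters:
            self.alarms[node, intruder].add(sender)
            # Assumption: ">=" as in the Fig. 2(b) step (two reports, threshold two).
            if len(self.alarms[node, intruder]) >= PREALARM_THRESHOLD:
                self._blacklist(node, intruder)

    def detect(self, node, intruder):
        """The node's own intrusion detection agent flags the intruder."""
        self._blacklist(node, intruder)

    def in_range(self, node, intruder):
        """A graylisted intruder enters the node's communication range."""
        if intruder in self.gray[node]:
            self._blacklist(node, intruder)

    def holders(self, intruder):
        """Return (nodes blacklisting, nodes graylisting) the intruder."""
        nodes = sorted(set(self.nbrs) | set(self.clusters))
        return ("".join(n for n in nodes if intruder in self.black[n]),
                "".join(n for n in nodes if intruder in self.gray[n]))

def replay_section_iv_b():
    clusters = {"A": ["B", "C", "D", "E"], "F": ["G", "H", "I", "J"]}
    # Constructed radio links chosen to match the narrative of Figs. 2-4.
    links = "AB AC AD AE BC DG DI EI FG FH FI FJ HI".split()
    mesh = Mesh(clusters, links)
    mesh.detect("B", "W")                     # steps 1-4: B and C detect W
    mesh.detect("C", "W")
    steps = [mesh.holders("W")]
    mesh.in_range("I", "W")                   # step 5: W approaches I
    steps.append(mesh.holders("W"))
    mesh.in_range("F", "W")                   # step 6: F sees W inside its cluster
    steps.append(mesh.holders("W"))
    return steps
```

Each tuple returned by `replay_section_iv_b()` lists the nodes holding W in their blacklist and in their graylist after steps 1–4, step 5 and step 6; prealarm messages stop at the first graylist-only node, which is why Node F never reaches the threshold in step 5.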
REFERENCES
[1] C. W. Gellings, The Smart Grid: Enabling Energy Efficiency and Demand Response. Boca Raton, FL: CRC, Aug. 2009.
[2] G. N. Ericsson, “Cyber security and power system communication—Essential parts of a smart grid infrastructure,” IEEE Trans. Power Del., vol. 25, no. 3, pp. 1501–1507, Jul. 2010.
[3] IEEE Standard for Broadband over Power Line Networks: Medium Access Control and Physical Layer Specifications, IEEE P1901, Dec. 2010.
[4] I. F. Akyildiz and X. Wang, “Wireless mesh networks: A survey,” Comput. Netw., vol. 47, no. 4, pp. 445–487, Mar. 2005.
[5] NIST Smart Grid Cyber Security Working Group, “Guidelines for smart grid cyber security: Vol. 3, Supportive analyses and references,” NISTIR 7628, Aug. 2010.
[6] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,” IEEE Security Privacy, vol. 7, no. 3, pp. 75–77, May–Jun. 2009.
[7] A. R. Metke and E. L. Ekl, “Security technology for smart grid network,” IEEE Trans. Smart Grid, vol. 1, no. 1, pp. 99–107, Jun. 2010.
[8] IEEE 802.11 WLAN Standards: Mesh Networking, IEEE 802.11 Standard Group, 2010, Draft standard of IEEE 802.11s.
[9] S. Goel and R. Negi, “Guaranteeing secrecy using artificial noise,” IEEE Trans Wirel. Commun., vol. 7, no. 6, pp. 2180–2189, 2009.
[10] E. Tekin and A. Yener, “The general Gaussian multiple-access and two-way wiretap channels: Achievable rates and cooperative jamming,” IEEE Trans Inf. Theory, vol. 54, no. 6, pp. 2735–2751, June 2006.
[11] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Netw. (Special Issue on Network Security), vol. 13, no. 6, pp. 24–30, Nov./Dec. 1999.
[12] R. Ostrovsky and M. Yung, “How to withstand mobile virus attacks,” in Proc. 10th ACM Symp. Principles Distrib. Comput., 1991, pp. 51–59.
[13] S. Yi and R. Kravets, “MOCA: Mobile certificate authority for wireless ad hoc networks,” in Proc. 2nd Annu. PKI Res. Workshop Program (PKI), Apr. 2003.
[14] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robust and ubiquitous security support for mobile ad-hoc networks,” in Proc. IEEE 9th Int. Conf. Netw. Protocols (ICNP’01), pp. 251–260.
[15] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “Self-securing ad hoc wireless networks,” in Proc. 7th IEEE Symp. Comput. Commun. (ISCC’02), pp. 567–574.
[16] J.-P. Hubaux, L. Buttyan, and S. Capkun, “The quest for security in mobile ad hoc networks,” in Proc. 2001 ACM Int. Symp. Mobile Ad Hoc Netw. Comput., pp. 146–155.
[17] S. Capkun, L. Buttyan, and J.-P. Hubaux, “Self-organized public-key management for mobile ad hoc networks,” IEEE Trans. Mobile Comput., vol. 2, no. 1, pp. 52–64, Jan.–Mar. 2003.
[18] N. B. Salem and J.-P. Hubaux, “Securing wireless mesh networks,” IEEE Wirel. Commun., vol. 13, no. 2, pp. 50–55, 2006.
[19] Y. Zhang and Y. Fang, “ARSA: An attack-resilient security architecture for multihop wireless mesh networks,” IEEE J. Sel. Areas Commun., vol. 24, no. 10, pp. 1916–1928, 2006.
[20] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” in Proc. MobiCom, Sep. 2002, pp. 23–28.
[21] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, “A secure routing protocol for ad hoc networks,” in Proc. IEEE Int. Conf. Netw. Protocols (ICNP), Nov. 2002.
[22] M. G. Zapata, “Secure ad hoc on-demand distance vector routing,” ACM Mobile Comput. Commun. Rev. (MC2R), vol. 6, no. 3, pp. 106–107, Jul. 2002.
[23] Y. Zhang and W. Lee, “Intrusion detection techniques for mobile wireless networks,” Mobile Netw. Appl., vol. 9, no. 5, pp. 545–556, 2003.
[24] O. Kachirski and R. Guha, “Intrusion detection using mobile agents in wireless ad hoc networks,” in Proc. IEEE Workshop Knowl. Media Netw. (KMN02), 2002, pp. 153–158.
Xudong Wang (S’00–M’03–SM’08) received the B.E. degree in electric engineering and his first Ph.D. degree in automatic control from Shanghai Jiao Tong University, Shanghai, China, in 1992 and 1997, respectively. He received his second Ph.D. degree in Electrical and Computer Engineering from Georgia Institute of Technology, Atlanta, in 2003. Since 2003, he has been working as a Senior Research Engineer, Senior Network Architect, and R&D Manager in several companies. He is currently with UM-SJTU Joint Institute, Shanghai Jiao Tong University, Shanghai, China. He is also an Affiliate Faculty Member with the Electrical Engineering Department at the University of Washington, Seattle. He has been actively involved in R&D, technology transfer, and commercialization of various wireless networking technologies. His research interests include low-power radio architecture and protocol suite, deep-space network architecture and protocols, cognitive/software radios, LTE-A, wireless mesh networks, cross-layer design, wireless sensor networks, and ultra-wideband networks. He holds several patents on wireless networking technologies and most of his inventions have been successfully transferred to products. Dr. Wang is an editor for Elsevier’s Ad Hoc Networks and ACM/Kluwer’s Wireless Networks. He was also a guest editor for several journals. He was the demo cochair of the ACM International Symposium on Mobile Ad Hoc Networking and Computing (ACM MOBIHOC 2006), a technical program cochair of Wireless Internet Conference (WICON) 2007, and a general cochair of WICON 2008. He has been a technical committee member of many international conferences and a technical reviewer for numerous international journals and conferences. He was a voting member of the IEEE 802.11 and 802.15 Standard Committees.
Ping Yi received the Ph.D. degree from the Department of Computing and Information Technology, Fudan University, China. He is an Associate Professor in the School of Information Security Engineering, Shanghai Jiao Tong University, Shanghai, China. His research interests include mobile computing and ad hoc network security. Dr. Yi is a member of IEEE Communications and Information Security Technical Committee, Associate Editor for Wiley’s Security and Communication Networks (SCN) Journal, Editor for Journal of Security and Telecommunications, and a Technical Program Committee (TPC) member for the ICC’11 CISS and Globecom’10 CCNS.