4 research outputs found

    Experimental Comparison of Multicast Authentication for Wide Area Monitoring Systems

    Multicast is proposed as a preferred communication mechanism for many power grid applications. One of the biggest challenges for multicast in smart grid is ensuring source authentication without violating the stringent time requirement. The research community and standardization bodies have proposed several authentication mechanisms for smart grid multicast applications. In this paper, we evaluate different authentication schemes and identify the best candidates for phasor data communication in wide area monitoring systems (WAMS). We first do an extensive literature review of existing solutions and establish a short list of schemes to evaluate. Second, we make an experimental comparison of the chosen schemes in an operational smart grid pilot and evaluate the performance of these schemes by using the following metrics: computation, communication and key management overheads. The best candidates we consider are two variants of ECDSA, TV-HORS and three variants of Incomplete-key-set. We find ECDSA without pre-computed tokens and all the Incomplete-key-set variants are inapplicable for WAMS due to their high computation overhead. The ECDSA variant that uses pre-computed tokens and TV-HORS perform well in all metrics; however, TV-HORS has potential drawbacks due to a large key management overhead as a result of the frequent distribution of a large public key per source.

    Optimal Software Patching Plan for PMUs

    Phasor measurement units (PMUs) deployed to monitor the state of an electrical grid need to be patched from time to time to prevent attacks that exploit vulnerabilities in the software. Applying some of these patches requires a PMU reboot, which takes the PMU offline for some time. If the PMU placement provides enough redundancy, it is possible to patch a set of PMUs at a time while maintaining full system observability. The challenge is then to find a patching plan that guarantees that the patch is rolled out to all PMUs in the smallest number of rounds possible while full system observability is maintained at all times. We show that this problem can be formulated as a sensor patching problem, which we demonstrate to be NP-complete. However, if the grid forms a tree, we show that the minimum number of rounds is two and we provide a polynomial-time algorithm that finds an optimal patching plan. For the non-tree case, we formulate the problem as a binary integer linear programming problem (BILP) and solve it using an ILP-solver. We also propose a heuristic algorithm to find an approximate solution to the patching problem for grids that are too large to be solved by an ILP-solver. Through simulation, we compare the performance of the ILP-solver and the heuristic algorithm over different bus systems.

    Security Vulnerabilities of the Cisco IOS Implementation of the MPLS Transport Profile

    We are interested in the security of the MPLS Transport Profile (MPLS-TP), in the context of smart-grid communication networks. The security guidelines of the MPLS-TP standards are written in a complex and indirect way, which led us to hypothesize that vendor solutions might not implement them satisfactorily. To test this hypothesis, we investigated the Cisco implementation of two MPLS-TP OAM (Operations, Administration, and Maintenance) protocols: bidirectional forwarding detection (BFD), used to detect failures in label-switched paths (LSPs), and protection state coordination (PSC), used to coordinate protection switching. Critical smart grid applications, such as protection and control, rely on the protection switching feature controlled by BFD and PSC. We did find security issues with this implementation. We implemented a testbed with eight nodes that run the MPLS-TP enabled Cisco IOS; we demonstrated that an attacker who has access to only one cable (for two attacks) or two cables (for one attack) is able to harm the network at several points (e.g., disabling both working and protection LSPs). This occurred in spite of us implementing the security guidelines that are available from Cisco for IOS and MPLS-TP. The attacks use forged BFD or PSC messages, which induce a label-edge router (LER) into believing false information about an LSP. In one attack, the LER disables the operational LSP; in another attack, the LER continues to believe that a physically destroyed LSP is up and running; in yet another attack, both operational and backup LSPs are brought down. Our findings suggest that the MPLS-TP standard should be more explicit when it comes to security. For example, to thwart the attacks revealed here, it should mandate either hop-by-hop authentication (such as MACSec) at every node, or an ad-hoc authentication mechanism for BFD and PSC.

    Integration of IEEE C37.118 and publish/subscribe communication

    IEEE C37.118 is the current standard for synchrophasor measurements in power systems. It defines the measurement method and communication protocols for the entities in a synchrophasor network. The standard offers two different modes for client-server communication, but cannot be used unchanged over publish/subscribe communication architectures, whose major advantage is simplified and incremental integration of new applications. This work reviews the communication part of IEEE C37.118, and provides an adapter-based solution to easily connect and integrate entities in a synchrophasor network over a publish/subscribe communication architecture. The proposed adapters offer standard-compliant communication between the synchrophasor measurement network entities to facilitate the exchange of measurement data.