
EDIC RESEARCH PROPOSAL

Smart Grid Security: Challenges and Solutions

Teklemariam Tsegay Tesfay, I&C, EPFL

Abstract: State estimation is an important power system tool used to best estimate the system state through analysis of remotely collected sensor measurements and the power system topology. The reliability of the estimated output depends on the quality of the input measurements. Therefore, grid operators use Bad Data Detection (BDD) techniques to filter out grossly erroneous measurements from the state estimator's calculations. However, an attacker with knowledge of the power system model can corrupt a carefully selected set of measurements to introduce arbitrary errors into certain state variables while bypassing existing BDD techniques. A possible defense against such attacks is to ensure end-to-end secure delivery of the sensor measurements by enforcing message authentication and integrity checks at the application layer. Implementing such defense mechanisms requires designing an efficient key management scheme that provides the foundation for the secure generation, storage, and distribution of cryptographic keys. The effectiveness of the defense mechanisms also depends on the level of protection afforded to the cryptographic keys. One solution to protect cryptographic keys is to adopt tamper-proof hardware tokens such as the Trusted Platform Module (TPM). However, the security properties of a TPM can also be exploited by an attacker for malicious purposes unless the security credentials that are used to authorize TPM functionalities are safely handled.

Index Terms: Smart Grid, Substation Automation, Active Distribution Network, State Estimation, Bad Data Detection, Authentication, Integrity, Key Management, TPM

Proposal submitted to committee: September 6th, 2012; Candidacy exam date: September 13th, 2012; Candidacy exam committee: Jean-Pierre Hubaux, Jean-Yves Le Boudec, Mario Paolone.
This research plan has been approved:
Date:
Doctoral candidate: (name and signature)
Thesis director: (name and signature)
Thesis co-director: (if applicable) (name and signature)
Doct. prog. director: (R. Urbanke) (signature)

I. INTRODUCTION

The smart grid is comprised of two main aspects: the power and the communication infrastructures. The latter plays a key role for a utility's Supervisory Control and Data Acquisition (SCADA) system to remotely collect vast amounts of real-time process measurements gathered at important grid locations such as substations. One of the main functions of a SCADA system is to remotely monitor the physical process of the grid using power system state estimation [3]. State estimation techniques provide a best estimate of the system state through analysis of the telemetered data and the power system model. A reliable and timely estimate of the power system state is used by many energy management applications to ensure proper system operation. Given an accurate system model (a system of equations relating the expected measurements to the power system's physical state), a state estimator is expected to give a good estimate of the actual system state. Unfortunately, if some of the measurements are corrupted with abnormally gross errors, the estimated system state is expected to deviate significantly from the true state. Therefore, grid operators use statistical tests, called Bad Data Detectors (BDD), to detect, identify and remove such erroneous measurements from the state estimator's calculations, so as to provide the control center operator with the best possible state estimate. In order to ensure high system availability, a redundant set of measurement data is collected by the SCADA systems. Hence state estimation is usually possible even if a fraction of the measurements are found to be erroneous and are removed by the BDD.

In spite of the presence of various bad data detection techniques, Liu et al. [9] have shown that an intelligent adversary with knowledge of the power system model can corrupt a carefully selected set of measurements to introduce arbitrary errors in the estimates of certain state variables without triggering an alarm from the BDD. Such an attack involves an adversary tampering with the measurements by compromising either the meters or the communication between the meters and the control center.

The aforementioned attack scenario highlights the importance of deploying security mechanisms to ensure end-to-end secure delivery of measurement data. A power system operator can prevent an attacker from compromising a meter by implementing security measures such as user access control, security logging and hardware hardening. Moreover, the operator can enforce message authentication and integrity checks at the application layer to protect against, or identify, any kind of modification of the measurement data while in transit. Although security solutions for message authentication and integrity checks are available for most communication protocols, implementing such solutions in the smart grid is not straightforward because of the overhead of managing cryptographic keys [3]. Designing a secure and scalable key management solution for a smart grid network characterized by a large number of communicating devices is regarded as a challenging problem. NISTIR 7628, the foundation document for the architecture of the US Smart Grid, mentions key management as one of the most important research areas in smart grid security. Fuloria et al. [5] proposed symmetric-key and public-key protocols for key management to secure communications within a substation, and between substations and the network control center (master station).

An important requirement for any efficient key management scheme is providing protection for keying material. All cryptographic keys need to be protected against any modification by an adversary, and secret and private keys need to be protected against unauthorized disclosure. Within the context of the smart grid, this requirement becomes of great importance since a large number of field devices are physically exposed (e.g. IEDs deployed next to pole-mounted transformers). An efficient solution to provide the required level of protection for keying material within such devices is to use a FIPS 140-validated tamper-resistant, special-purpose cryptographic module such as the Trusted Platform Module (TPM). A Trusted Platform Module (TPM) is a secure crypto-processor that offers functionalities for secure generation and storage of cryptographic keys. TPM functionalities, like the ability to load and use cryptographic keys stored in the TPM, are authorized by entering secret credentials called AuthData. Dunn et al. [4] have shown that an attacker who has access to the AuthData can use a TPM, along with late launch processor mechanisms, to conceal sensitive sub-computations of a malware from an analyst.
Therefore, the AuthData for a TPM need to be protected from being snooped in order for the TPM to serve its intended purpose.

The rest of this report is organized as follows. Section II provides an overview of power system state estimation. It also demonstrates a vulnerability in current BDD techniques that can be exploited by an attacker who wishes to modify measurement data and introduce arbitrary errors in a state estimator's output without causing any bad data detection alarm. Section III discusses the communication architecture for substation automation systems. Different key management schemes for communications within a substation, and between a substation and a master station, are also discussed there. In Section IV-A, we demonstrate how a malware developer can exploit TPM security functionalities for malicious purposes. Future research plans are discussed in Section V. Finally, Section VI concludes the paper.

II. OVERVIEW OF STATE ESTIMATION

The static state of a power system is defined as the voltage magnitudes and phases at all the system buses. Power system operators use state estimation to determine the most likely state of a power system through analysis of redundant, remotely collected measurements and the power system model. A reliable estimate of the current state of a power system is used by utilities to plan for any contingencies and to take corrective control actions if necessary. The measurement model for state estimators is defined as [11]:

$z = h(x) + e$ (1)

where $z = (z_1, z_2, \ldots, z_m)^T$ is an m-dimensional measurement vector; $x = (x_1, x_2, \ldots, x_n)^T$ is an n-dimensional (n < m) state vector; and $e = (e_1, e_2, \ldots, e_m)^T$ is an m-dimensional random measurement error vector. The measurement errors are assumed to be independent, zero-mean Gaussian variables with a known covariance matrix W. W is a diagonal matrix with values $\sigma_i^2$, where $\sigma_i$ is the standard deviation of the error associated with measurement i.
$h(x) = (h_1(x), h_2(x), \ldots, h_m(x))^T$ is a vector of functions relating error-free measurements to the state variables. Given the imperfect set of measurements z, the purpose of a state estimator is to determine an optimal estimate $\hat{x}$ of the system state that best fits the measurement model. A state estimator can be formulated as a weighted least squares (WLS) problem [11]:

$\min_{x \in \mathbb{R}^n} J(x) = \frac{1}{2}\,(z - h(x))^T W (z - h(x))$ (2)

An optimal estimate of the system state is a vector $\hat{x}$ that minimizes the above objective function. Although state estimation using the AC power flow model is more accurate, it can be computationally expensive and may not always converge to a solution. Therefore, power system engineers use the DC power flow model, which is a simplification and linearization of the AC power flow model. In the DC power flow model, the measurement model is represented by the following linear regression model [9]:

$z = Hx + e$ (3)

where H is an $m \times n$ full-rank matrix that reflects the configuration of the system. For the DC power flow model, the optimization problem in (2) admits the following solution for the estimates of the state variables:

$\hat{x} = (H^T W H)^{-1} H^T W z$ (4)

given that $G = H^T W H$ is invertible, i.e., full rank.

A. Bad data detection

In addition to the small random errors in the measurement model, some meter measurements can be corrupted by gross errors due to reasons such as incorrect configuration or failure of meters, malfunction in the communication system, or deliberate attacks. Given an accurate system model, measurements carrying only the small additive errors usually give a good estimate of the actual system state, while measurements with abnormally gross errors are expected to force the estimated state away from the true system state. Therefore, grid operators use statistical tests, called bad data detectors (BDD), to detect, identify and remove measurements with gross errors from the estimator's calculations.
The most commonly used approach to detect the presence of bad measurements in power systems is based on the $L_2$-norm of the measurement residuals [11], [2]. A measurement residual is defined as the difference between the vector of observed measurements and the vector of estimated measurements, i.e., $z - H\hat{x}$. In this approach, the presence of bad measurements is detected if the following condition is violated:

$\|z - H\hat{x}\| \le \tau$ (5)

where $\hat{x}$ is the estimate of x, and $\tau$ is the detection threshold.

B. False data injection attacks on state estimation [9]

False data injection attacks on state estimation are those in which an attacker manipulates the meter measurements to induce an arbitrary change in the estimated value of state variables without being detected by the bad data detection algorithm [2]. Liu et al. [9] present this kind of attack on state estimators that use DC power flow models. In what follows, we summarize the basic attack principle, attack scenarios and goals from an attacker's perspective.

1) Basic attack principle: If we denote by $a = (a_1, a_2, \ldots, a_m)^T$ a nonzero attack vector representing the malicious data added to the original measurement vector $z = (z_1, z_2, \ldots, z_m)^T$, then the resulting modified measurement vector can be represented as $z_a = z + a$. Let $\hat{x}_{bad}$ and $\hat{x}$ represent the estimates of x when using the manipulated measurements $z_a$ and the original measurements z, respectively. Then $\hat{x}_{bad}$ can be represented as $\hat{x} + c$, where c is the estimation error introduced by the attacker. If the original measurement z can pass the bad data detection condition described in (5), a manipulated measurement $z_a = z + a$ can also pass it if the attacker systematically chooses an attack vector a which is a linear combination of the column vectors of H (i.e. $a = Hc$).
This can be proven as follows: if $a = Hc$ and $\|z - H\hat{x}\| \le \tau$, the $L_2$-norm of the measurement residual with the manipulated data is

$\|z_a - H\hat{x}_{bad}\| = \|z + a - H(\hat{x} + c)\| = \|z - H\hat{x} + (a - Hc)\| = \|z - H\hat{x}\| \le \tau$

2) Attack scenarios and goals: The following assumptions are made while demonstrating the false data injection attacks: the attacker has access to the matrix H of the target system, which is determined by the power network topology and line impedances; and the attacker is able to manipulate the measurements by compromising either the meters or the communication between the meters and the control center. The capability of an attacker to manipulate a set of meter measurements is constrained by the following two realistic scenarios:

Scenario I: An attacker is constrained to accessing only specific meters, i.e., some meters are beyond the reach of the attacker, either due to physical protection or other reasons.

Scenario II: An attacker can compromise any meter but has only limited resources, sufficient to compromise only a limited number, say k, out of all meters.

For both scenarios, an attacker can have the following two possible attack goals:

i. Random attack: the attacker aims to find any attack vector as long as it can result in a wrong estimation of state variables.

ii. Targeted attack: the attacker aims to find an attack vector that can inject specific errors into certain state variables. Two cases are considered for the targeted attack: constrained and unconstrained. In the constrained case, the attacker aims to find an attack vector that injects specific errors into the estimates of specific state variables but does not pollute the estimates of other state variables. In the unconstrained case, the adversary has no such concerns regarding polluting other state variables.

In the following, we discuss how an attacker can systematically and efficiently construct attack vectors in both scenarios with both attack goals.

a. Scenario I - Random false data injection attack: The conditions for this attack are to find an attack vector $a = (a_1, a_2, \ldots, a_m)^T = Hc$ with $a_i = 0$ for $i \notin I_m$, where $I_m$ is the set of indices of the compromised meters, and $a \neq 0$. To build the attack vector a, the first step is to transform $a = Hc$ into an equivalent form $Ba = 0$ with $B = H(H^T H)^{-1} H^T - I$, where I is the identity matrix. The next step is for the attacker to find a nonzero attack vector a such that $Ba = 0$ and $a_i = 0$ for $i \notin I_m$. It is possible that an attack vector may not exist if the number of meters to be compromised (k) is too small. However, if an attacker can compromise k specific meters, for $k \ge m - n + 1$, it can be shown that there always exist attack vectors $a = Hc$ such that $a \neq 0$ and $a_i = 0$ for $i \notin I_m$.

b. Scenario I - Targeted false data injection attack: The conditions for this attack are to find a nonzero attack vector $a = Hc$ with $a_i = 0$ for $i \notin I_m$, such that the resulting estimate is $\hat{x}_{bad} = \hat{x} + c$, where $c_i$ for $i \in I_v$ is the specific error the attacker has chosen to inject into $\hat{x}_i$ and $I_v$ is the set of indices of the target state variables. In the constrained case, $c_i = 0$ for $i \notin I_v$. Hence the value of every element of the vector c is known. Therefore, an attacker can substitute c back into $a = Hc$ and check whether $a_i = 0$ for $i \notin I_m$. If yes, the attacker succeeds in constructing the only attack vector a. Otherwise, the attack is impossible. For the unconstrained case, there is no restriction on the value of $c_i$ for $i \notin I_v$. To generate an attack vector a, the attacker can first transform $a = Hc$ into an equivalent form that does not contain c, and then solve for a from the equivalent form. It can be shown that $a = Hc \Leftrightarrow B_s a = y$, where $B_s = H_s (H_s^T H_s)^{-1} H_s^T - I$, $H_s$ is the submatrix of H containing the columns whose indices are not in $I_v$, $b = \sum_{j \in I_v} h_j c_j$, and $y = B_s b$.
Once the transformation from $a = Hc$ to $B_s a = y$ is made, an attacker can determine a nonzero attack vector a that satisfies the relation $B_s a = y$. The existence of such a vector depends on how the attacker chooses the specific errors $c_j$ for $j \in I_v$. Details of how the specific values for $c_j$ should be selected so that an attack vector can be successfully constructed are discussed in [9].

c. Scenario II - Random false data injection attack: There is no restriction on which meters to compromise in this attack. The condition is to find any nonzero k-sparse attack vector a (i.e. a has at most k non-zero elements) which satisfies the relation $a = Hc$. An attacker can find an attack vector a using a brute force approach by trying all possible a's consisting of k unknown elements and $m - k$ zero elements. For each such candidate a, the attacker checks whether there exists a nonzero solution a such that $Ba = 0$. Since the brute force approach to finding an attack vector can be time consuming, a more efficient heuristic method based on column transformation of H is also proposed in [9].

d. Scenario II - Targeted false data injection attack: In this attack the aim is to find a k-sparse, nonzero attack vector $a = (a_1, \ldots, a_m)^T$ which satisfies the relation $a = Hc$, where $c_i$ for $i \in I_v$ is the specific error chosen by the attacker. In the constrained case, all elements of c are fixed, so the attacker can substitute c into the relation $a = Hc$. If the resulting a is a k-sparse vector, the attacker succeeds in constructing the only attack vector. Otherwise, the attacker fails. For the unconstrained case, in order to construct a k-sparse attack vector, the first step is to transform the relation $a = Hc$ to $B_s a = y$ (similar to the transformation discussed in Scenario I). After this transformation, the attacker has to find a k-sparse attack vector a that satisfies the relation $B_s a = y$. This problem is the same as the Minimum Weight Solution for Linear Equations problem, which is NP-hard. Therefore, an attacker can use one of the many heuristic algorithms proposed for such problems to generate the attack vector.

C. Protection against false data injection attacks

Bobba et al. [2] have pointed out that protecting a carefully chosen subset of meter measurements (a minimum set of measurements which is sufficient to ensure full observability of the power system network) is a necessary and sufficient condition to thwart undetectable false data injection attacks.
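As an added illustration (not part of the proposal, nor code from [9] or [2]), the following Python runs the DC-model estimator of eq. (4) and the residual test of eq. (5) on a constructed 3-bus network: a single gross error trips the detector, an attack vector $a = Hc$ shifts the estimate by exactly c while leaving the residual unchanged, and the last function checks the Bobba et al. condition that a protected set of meters whose rows of H have full column rank leaves no such vector. The network, noise values and threshold are assumptions of the example.

```python
"""Added example (not from the proposal): the DC-model WLS estimator of eq. (4),
the residual-norm detector of eq. (5), the a = Hc blind spot of Liu et al. [9]
and the protected-meter condition of Bobba et al. [2]. Standard library only;
the 3-bus network, noise and threshold below are constructed for illustration."""
import math

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*B)] for row in A]

def matvec(A, v):
    return [sum(x * y for x, y in zip(row, v)) for row in A]

def solve(A, b):
    """Solve the square, nonsingular system A x = b by Gauss-Jordan elimination."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))   # partial pivoting
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def rank(A, eps=1e-9):
    """Number of linearly independent rows of A (row reduction with pivoting)."""
    M = [row[:] for row in A]
    r = 0
    for c in range(len(M[0])):
        if r == len(M):
            break
        p = max(range(r, len(M)), key=lambda i: abs(M[i][c]))
        if abs(M[p][c]) < eps:
            continue
        M[r], M[p] = M[p], M[r]
        for i in range(len(M)):
            if i != r:
                f = M[i][c] / M[r][c]
                M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
    return r

def wls_estimate(H, W, z):
    """Eq. (4): x_hat = (H^T W H)^-1 H^T W z, via the normal equations G x = H^T W z."""
    HtW = matmul(transpose(H), W)
    return solve(matmul(HtW, H), matvec(HtW, z))

def residual_norm(H, W, z):
    """L2 norm of the measurement residual z - H x_hat, the statistic of eq. (5)."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, wls_estimate(H, W, z)))]
    return math.sqrt(sum(ri * ri for ri in r))

def bdd_alarm(H, W, z, tau):
    """Bad data detector: alarm when ||z - H x_hat|| > tau."""
    return residual_norm(H, W, z) > tau

def stealthy_attack_possible(H, protected):
    """Bobba et al.: a nonzero a = Hc with a_i = 0 on every protected meter exists
    iff the protected rows of H have rank < n, i.e. they are not a basic
    measurement set. Protecting a full-rank subset closes the blind spot."""
    rows = [H[i] for i in sorted(protected)]
    return len(rows) == 0 or rank(rows) < len(H[0])

# Constructed 3-bus DC model: bus 1 is the angle reference, x = (theta_2, theta_3),
# all line reactances 1 p.u. Meters: flows P12, P13, P23 and injections P2, P3.
H = [[-1, 0], [0, -1], [1, -1], [2, -1], [-1, 2]]                     # m = 5, n = 2
W = [[1.0 if i == j else 0.0 for j in range(5)] for i in range(5)]   # sigma_i = 1
X_TRUE = [0.2, -0.1]
NOISE = [0.01, -0.02, 0.005, 0.0, 0.015]                              # constructed errors e
Z = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
TAU = 0.1

def demo():
    """Clean data passes, a gross error is caught, a = Hc passes undetected."""
    z_gross = Z[:]
    z_gross[0] += 1.0                        # one meter off by a gross error
    c = [0.5, 0.0]                           # error the attacker wants in theta_2
    z_attack = [zi + ai for zi, ai in zip(Z, matvec(H, c))]   # z_a = z + Hc
    x_clean, x_bad = wls_estimate(H, W, Z), wls_estimate(H, W, z_attack)
    return {
        "clean_alarm": bdd_alarm(H, W, Z, TAU),
        "gross_alarm": bdd_alarm(H, W, z_gross, TAU),
        "attack_alarm": bdd_alarm(H, W, z_attack, TAU),
        "clean_residual": residual_norm(H, W, Z),
        "attack_residual": residual_norm(H, W, z_attack),
        "estimate_shift": [b - a for a, b in zip(x_clean, x_bad)],   # equals c
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    # With k >= m - n + 1 = 4 meters compromised, at most one meter stays protected
    # (rank 1 < 2), so an undetectable attack always exists; protecting two
    # independent meters, e.g. P12 and P13, rules it out.
    print(stealthy_attack_possible(H, {0}), stealthy_attack_possible(H, {0, 1}))
```

The detector is blind to the attack only because the residual is unchanged; `stealthy_attack_possible` is the check an operator would run on a candidate set of protected meters before relying on eq. (5).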
Protecting the measurements entails protecting meters from any unauthorized access and ensuring the authenticity and integrity of the received measurements at the control center. Although a utility can enforce message authentication and integrity checks at the application layer to protect against, or identify, any kind of modification of the measurement data while in transit, implementing such solutions is not straightforward because of the overhead of managing the cryptographic keys. Therefore, designing an efficient key management scheme that provides the foundation for the secure generation, storage, distribution, and destruction of cryptographic keys is important. There is a general consensus that a Public Key Infrastructure (PKI) is a viable key management scheme for smart grid networks characterized by a large number of communicating devices [10], [1]. In what follows, we discuss symmetric and asymmetric cryptographic protocols for key management in substations, both for the communication within substations, and between substations and the network control center.

III. KEY MANAGEMENT FOR SUBSTATION NETWORKS [5]

Although the layout of substations can vary greatly depending on the functions they perform, most of them generally have equipment for switching, protection, control operations and voltage regulation [6]. A typical substation has two main levels: the station level (station room) and the bay level. The station room consists of a substation controller, a workstation through which engineers access the controller, and a Human-Machine Interface (HMI) comprised of displays. The bay level contains several Intelligent Electronic Devices (IEDs): microprocessor-based power system equipment with the capability to receive data from sensors and to issue commands to actuators.
The substation controller in the station room communicates with the IEDs at the bay level and uses the information it receives to monitor the processes and health of the substation. The substation controller also communicates with a higher-level network control center (master station) and possibly with other substation controllers. In addition to communicating sensor data and status information with the substation controller, IEDs can issue control commands, such as tripping circuit breakers if they sense voltage, current, or frequency anomalies, or raising/lowering voltage levels in order to maintain the desired voltage profile. Moreover, an IED can also multicast messages to other IEDs in the same VLAN to inform them about an important event, for example, a trip [6].

Fig. 1. Substation communication architecture

Communication between the different devices in a substation is governed by a communication protocol. IEC is a new communication protocol which provides flexible and interoperable communication for substation automation systems. The IEC standard defines several kinds of messages for data exchange between nodes in the substation area. Sample Measured Value (SMV) and General Object Oriented Substation Event (GOOSE) are two types of messages defined in the IEC standard which have very stringent performance requirements. GOOSE and SMV are multicast messaging protocols designed to meet the ultra-low latency requirement of 4 ms for peer-to-peer communication between intelligent controllers (IEDs) in a VLAN. An SMV message delivers sampled signals from transducers such as current transformers (CTs) and voltage transformers (VTs) to IEDs. GOOSE messages are used for fast transmission of substation events such as commands, alarms and indications. Upon detecting an event, an IED multicasts GOOSE messages to notify other IEDs of the event and cause an actuator to take protective action [8].

IEC does not come with security features of its own. The IEC series of technical specifications was the first step toward designing security mechanisms for IEC-based substation communication. The IEC standard suggests that the wide area communication between the substation controller and the network control center (master station) should be secured by a public-key based standard protocol like TLS. IEC aims to build security into communications within the substation network, mandating that a digitally signed message authentication code (MAC) for GOOSE and SMV messages be used for ensuring message integrity and authenticity. However, given the stringent time requirement of these messages, digitally signing the MAC is infeasible. Therefore, Fuloria et al. [5] suggested a message authentication code with a shared secret key as a solution for ensuring message integrity and authenticity within a substation. Designing authentication into the GOOSE and SMV messages is just one part of communication security. Much of the hard work lies in the key management. This can be achieved using either symmetric or asymmetric cryptographic mechanisms.

A. Using symmetric keys

In this scheme, each IED to be installed in a substation network is assumed to be loaded with a symmetric key (ignition key) m at the time of manufacture. The ignition key is also printed on the device's packaging. This key is then manually written to the substation controller's key database during installation of the IED, so that it serves as a shared secret between the IED and the substation controller. This shared secret serves to set up other secret keys as follows:

$Y \to C : E_m(Y, N)$
$C \to Y : E_m(N, Y, K_Y, K_N)$
$Y \to C : E_{K_N}(N)$

where $E_k(msg)$ indicates a message msg encrypted using symmetric key k. Y and C represent the IED's and the controller's ID, respectively. N is a random challenge that lets the IED verify that the controller's response is not a replayed message.
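As an added example (not from the proposal, nor code from Fuloria et al. [5]), the following Python models both the IED and the controller in the three-message exchange above, then authenticates a GOOSE-style multicast frame with the resulting network key $K_N$ (written KY and KN in the code). The device IDs, the frame contents, the stand-in cipher behind $E_k$ and the rule that the controller tries each stored ignition key against the first message are assumptions of the example.

```python
"""Added example (not from the proposal or from Fuloria et al. [5]): both sides of
the three-message ignition-key exchange of Section III-A, then K_N-keyed
authentication of a GOOSE-style multicast frame. Standard library only; E_k() is a
stand-in authenticated cipher (HMAC-SHA256 keystream plus tag) so the exchange runs
offline, since the scheme itself does not prescribe a cipher."""
import hashlib, hmac, os, struct

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def E(key, msg):
    """E_k(msg): fresh nonce, encrypt, then tag nonce||ciphertext (stand-in cipher)."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, msg)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    """Inverse of E; raises ValueError unless the tag verifies under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def pack(*fields):
    """Length-prefixed fields, so (Y, N) and (N, Y, K_Y, K_N) parse unambiguously."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack(blob):
    fields, pos = [], 0
    while pos < len(blob):
        n = struct.unpack(">H", blob[pos:pos + 2])[0]
        fields.append(blob[pos + 2:pos + 2 + n])
        pos += 2 + n
    return fields

class IED:
    def __init__(self, dev_id, ignition_key):
        self.Y, self.m, self.KY, self.KN = dev_id, ignition_key, None, None
    def msg1(self):
        """Y -> C : E_m(Y, N) with a fresh random challenge N."""
        self.N = os.urandom(16)
        return E(self.m, pack(self.Y, self.N))
    def msg3(self, blob):
        """Check C -> Y : E_m(N, Y, K_Y, K_N), keep the keys, answer Y -> C : E_KN(N)."""
        N, Y, KY, KN = unpack(D(self.m, blob))
        if N != self.N or Y != self.Y:       # replayed or misdirected response
            raise ValueError("challenge mismatch")
        self.KY, self.KN = KY, KN
        return E(self.KN, N)

class Controller:
    def __init__(self):
        self.keydb = {}                      # Y -> m, written by the installer
        self.KN, self.KY, self.pending = os.urandom(32), {}, {}   # network key, device keys, open challenges
    def msg2(self, blob):
        """Assumption: msg1 carries no cleartext Y, so the controller tries each
        ignition key in its database until one authenticates the message."""
        for Y, m in self.keydb.items():
            try:
                Y_msg, N = unpack(D(m, blob))
            except ValueError:
                continue                     # not this device's key
            if Y_msg == Y:
                self.KY[Y], self.pending[Y] = os.urandom(32), N
                return E(m, pack(N, Y, self.KY[Y], self.KN))
        raise ValueError("no ignition key in the database authenticates this device")
    def confirm(self, Y, blob):
        """Y -> C : E_KN(N) shows the IED holds K_N and echoes the right N."""
        return D(self.KN, blob) == self.pending.pop(Y)

def goose_tag(KN, frame):
    """Shared-key MAC on a multicast frame, the alternative to signing that [5] suggests."""
    return frame + hmac.new(KN, frame, hashlib.sha256).digest()[:16]

def goose_verify(KN, tagged):
    frame, tag = tagged[:-16], tagged[-16:]
    return hmac.compare_digest(hmac.new(KN, frame, hashlib.sha256).digest()[:16], tag)

def run_exchange():
    m = os.urandom(32)                       # ignition key loaded at manufacture
    ied, ctl = IED(b"IED-7", m), Controller()
    ctl.keydb[b"IED-7"] = m                  # installer copies m from the packaging
    confirmed = ctl.confirm(b"IED-7", ied.msg3(ctl.msg2(ied.msg1())))
    tagged = goose_tag(ied.KN, b"GOOSE trip CB-12")      # constructed event frame
    flipped = bytearray(tagged); flipped[6] ^= 1          # one bit changed in transit
    try:                                     # device whose ignition key was never installed
        ctl.msg2(IED(b"IED-9", os.urandom(32)).msg1()); rogue_rejected = False
    except ValueError:
        rogue_rejected = True
    return {"confirmed": confirmed, "keys_match": ied.KN == ctl.KN,
            "goose_ok": goose_verify(ctl.KN, tagged),
            "tampered_rejected": not goose_verify(ctl.KN, bytes(flipped)),
            "rogue_rejected": rogue_rejected}
```

Note that the rogue device is rejected here only because its ignition key is absent from the database; a device whose key an installer wrote in would be accepted, which is the trust-in-the-installer weakness discussed next.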
$K_Y$ is a device-specific secret key used to secure communication between the IED and the controller, whereas $K_N$ is a network secret key shared by all IEDs in the same VLAN and the controller, and is used to secure multicast messages (GOOSE and SMV) in the VLAN. Notice that the security of this scheme depends on the unrealistic assumption that all installation engineers are trustworthy. Moreover, this scheme ignores the possibility of a rogue device getting installed in a substation network. The asymmetric-key based scheme described below is an alternative solution that can address these issues.

B. Using asymmetric key mechanisms

This scheme requires an IED and the substation controller to be provided with public-private key pairs and associated digital certificates signed by either the vendor or the utility. As stated above, digital signatures cannot be used for ensuring message authentication and integrity due to the stringent time requirements of substation multicast messages. Therefore, the IED and the controller use public-key based standard protocols such as TLS to transition from the public-key domain to a symmetric-key domain. During the handshake stage of the TLS protocol, the controller and the IED authenticate each other by verifying their certificates and establish a device-specific shared session key $K_Y$. The network key $K_N$ is then sent to the IED as data encrypted using the session key $K_Y$ during the record stage of the TLS protocol. In this scheme, the installation engineer does not need to have any direct access to sensitive information such as the private key of the certified key pairs. Besides, the IED and the controller verify the authenticity of each other's certificates before any communication starts. Hence, a rogue device cannot be installed in the network, since the certificate verification process will fail.

C. Secure credential storage

A major assumption in any key management scheme is that the cryptographic keys are stored in a secure location where an adversary cannot delete or modify them. However, the physical protection of IEDs at the bay level, or of those deployed next to pole-mounted transformers in some remote location, may not be secure enough. Unless there are very strong measures to protect sensitive data within these IEDs from probing, one can assume that any cryptographic secret that the devices contain has been, or could easily be, compromised. Software-based protection mechanisms, such as file system permissions, can be bypassed, especially if an attacker has physical access to the device. An alternative and more efficient solution to protect sensitive information, like cryptographic keys, within such devices is to use tamper-proof, special-purpose hardware tokens such as the Trusted Platform Module (TPM). In the following section, we describe what functionalities a TPM consists of and how an attacker can utilize them for malicious purposes.

IV. TRUSTED PLATFORM MODULE (TPM)

A Trusted Platform Module (TPM) is a secure hardware chip that stores cryptographic keys and other sensitive information in a shielded location. Furthermore, a TPM also has a built-in cryptographic co-processor that performs asymmetric encryption/decryption, hashing, key generation, and random number generation [7]. The asymmetric cryptographic function can be used for both signing and encrypting sensitive data stored outside of the TPM's non-volatile memory. In addition to serving as tamper-proof storage for sensitive data, like cryptographic keys and digital certificates, [10] discusses additional security benefits of using TPMs for smart grid devices. The benefits include secure software upgrade, high assurance booting, dynamic attestation of running software and device attestation.

Fig. 2. Trusted Platform Module (TPM) architecture

A. Exploiting TPM for malicious purposes [4]

The set of functionalities provided by a TPM in order to increase platform security can also be exploited by an attacker for malicious purposes. An attacker who wants to infect a TPM-fitted machine with a malware can exploit the security properties of a TPM to conceal a sensitive portion of the malware so that it cannot be observed or modified by a security analyst. This is achieved by combining late launch processor mechanisms and TPM security functionalities. Late launch is a hardware-enforced secure environment where a program runs without any other concurrently executing software, including the operating system. Therefore, late launch is an ideal environment for an attacker to run any sensitive sub-computation of a malware that the attacker wants to be unobservable to a security analyst. Late launch computation is privileged and can only be started by code that runs at the OS privilege level. Thus, we assume that the attacker has found a compromise in the operating system that results in kernel-level privileges. The attacker uses this compromise to force the infected platform to run in a late launch environment when it executes the sensitive sub-computation. Further, the attacker is also assumed to know the security credentials (AuthData) that are required to authorize TPM capabilities, like the ability to read, write, and use objects stored in the TPM and to execute TPM commands.

1) Attack protocol: Here we discuss how an attacker (a malware developer) can use a TPM along with late launch processor capabilities to implement a cloaked (hidden) sub-computation of a malware. To this end, the attacker must first design the malware such that its computations are split into sensitive (cloaked) and non-sensitive (observable) sub-computations. The sensitive sub-computation may contain valuable information that a security analyst can utilize to stop widespread effects of the malware. Therefore, an attacker does not want this portion of the malware to appear unencrypted in the infected machine. In order to prevent a security analyst from having access to the sensitive sub-computation, the attacker splits the malware into two pieces: the Infection Program, which contains the non-sensitive sub-computation, and the payload, which implements the sensitive sub-computation that needs to be protected. After splitting the malware, the attacker infects the target machine with the Infection Program and stores the payload in a secure location called the Malware Distribution Platform (MDP) that is remote to the infected machine. The purpose of the Malware Distribution Platform (MDP) is to get the payload to the infected machine in encrypted form. The Infection Program in the infected machine is capable of kernel-level exploitation and is responsible for coordinating the attack.

Fig. 3. Overall flow of an attack that exploits TPM functionalities for concealing sensitive portions of a malware [4]

As shown in Figure 3, the attack protocol runs between the Infection Program, which is on the infected machine, and the Malware Distribution Platform (MDP), which contains the payload. When the attack is launched, the Infection Program requests the payload from the MDP. The MDP transfers the payload to the infected platform in an encrypted form. The Infection Program decrypts and executes the payload in an environment that is not observable to an analyst. There are two important issues that need to be addressed to accomplish the attack protocol described above. First, the Infection Program needs to put the infected platform in some known non-analyzable state. Second, the Infection Program has to restrict the payload decryption to the non-analyzable state only.
Putting a platform in a non-analyzable state is accomplished by a processor mechanism known as late launch. The Infection Program uses late launch to suspend all system software and other software currently running on the infected platform, to allow decryption and execution of the malicious payload without observation by an analyst. After suspending all system operations, late launch transfers control to a separate module called the Infection Payload Loader (IPL) and records a hash of the IPL in a particular TPM Platform Configuration Register (PCR), specifically PCR18. The Infection Payload Loader (IPL) is responsible for decryption and execution of the payload in the late launch environment. Restricting payload decryption to a non-analyzable environment is achieved by using the TPM's capability to securely store private keys. A TPM controls the usage of the private keys of the key pairs it generates, i.e., a TPM can deny usage of a private key unless certain conditions are satisfied. In this case, the TPM releases the private key needed to decrypt the payload only if the value stored in PCR18 is equal to the hash of the IPL code. The complete attack protocol flow is depicted briefly in Figure 4. The protocol is a two-phase procedure by which the Infection Program proves to the MDP that the key pair used to encrypt and decrypt the payload (also called the binding key (PK, SK)_bind) is generated by a legitimate TPM and that the key is only usable, and the payload only decryptable, in the

late launch environment. In Phase I, the Infection Program establishes a proof to the MDP that it is using a legitimate TPM. Each TPM is shipped with a uniquely identifying public/private key pair built into the hardware, called the Endorsement Key (EK). The public part of the EK (PK_EK) is certified by the manufacturer. The MDP verifies the legitimacy of the TPM by checking the Endorsement Key's certificate using the manufacturer's public key PK_manuf. Once the MDP has verified the legitimacy of the TPM, the Infection Program could use the TPM's EK to sign messages that are sent to the MDP. However, the anonymity of the TPM (the platform) can be breached by correlating different transactions signed by the same EK, because every TPM has a unique EK. Therefore, the Infection Program cannot directly use the TPM's EK, but it can generate an Attestation Identity Key (AIK) that serves as an alias for the EK and provides anonymity. After generating the AIK (inside the TPM), the Infection Program informs the MDP about the mapping between the EK and the AIK. Note that knowledge of the owner AuthData is required to generate an AIK. After receiving the mapping between the EK and the AIK, the MDP replies to the Infection Program with a challenge cred encrypted using the EK. This challenge is posed by the MDP to prove that the AIK and the EK are indeed linked to the same TPM. At the end of the first phase, the Infection Program recovers cred from the encrypted message with the help of the TPM. The AIK is also activated to be used for signing messages sent to the MDP. The second phase is executed to prove that the binding key (PK, SK)_bind that is used to encrypt the malicious sub-computation (payload) is actually from the TPM that has the endorsement key EK. This is accomplished as follows.
First, the Infection Program uses the TPM to generate the binding key together with a key use constraint that restricts the private part of the binding key to be used for decryption only in the late launch environment. More specifically, the key use constraint is satisfied if the value of PCR18 is equal to the hash of the Infection Payload Loader (IPL) code. The encryption key PK_bind and the key use constraint, signed using the AIK, are then sent to the MDP together with cred. After the MDP verifies cred, the key use constraint, and the signature, it encrypts the malicious payload using PK_bind and sends it to the Infection Program. Once the Infection Program receives the encrypted payload, it initiates late launch by exploiting the kernel-level compromise. Late launch transfers control to the Infection Payload Loader (IPL) and records a hash of the IPL in PCR18. Now that the key use constraint for the binding key is satisfied, the TPM allows the Infection Payload Loader (IPL) to use the private part of the binding key SK_bind to decrypt the payload and execute it.

Fig. 4. The cloaked malware protocol

B. Defense mechanisms

A possible defense mechanism against the threat of using a TPM for concealing the malicious sub-computation of a malware is one that requires a TPM manufacturer's intervention. A manufacturer can generate and certify an Endorsement Key (EK) that is not assigned to any TPM and give it to an analyst. The analyst can then use this EK to break any legitimate TPM protocol that a malware developer uses to protect the malicious sub-computation. However, leakage of such an EK can compromise the TPM security properties. Therefore, an alternative solution is for the manufacturer not to reveal the EK to an analyst, but to generate a fake AIK whenever an analyst requests one, and to use the EK to activate the fake AIKs and to produce the challenge credential cred in step (5) of Figure 4.
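The PCR-gated binding key of Phase II, as an added software model (not code from the proposal or from Dunn et al. [4]): it implements PCR extension, a late launch that measures the loaded code into PCR18, and a binding key whose private half the TPM uses only while PCR18 holds the expected value. The class and function names, the toy RSA parameters, and the IPL and payload byte strings are all constructed for this example; the model shows why a loader that an analyst has modified, or a platform that never performed a late launch, gets no access to SK_bind, which is the property the manufacturer-assisted defense above has to work around.

```python
from __future__ import annotations

import hashlib

PCR_COUNT = 24
LATE_LAUNCH_PCR = 18   # the register late launch records the loaded code into (PCR18 in the text)

# Constructed toy RSA pair standing in for the TPM-generated binding key (PK, SK)_bind:
# n = 61 * 53 = 3233, e = 17, d = 2753 (e * d = 1 mod phi(n) = 3120). Illustration only.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rsa_encrypt(pk: tuple[int, int], data: bytes) -> list[int]:
    """MDP side: encrypt the payload byte by byte using only the public half PK_bind."""
    n, e = pk
    return [pow(b, e, n) for b in data]


class KeyUseDenied(Exception):
    """Raised when the TPM refuses to use a private key whose use constraint is not met."""


class ModelTPM:
    """Software model of the two TPM properties the protocol depends on: PCRs that can
    only be extended (never written directly), and private keys gated on a PCR value."""

    def __init__(self) -> None:
        self.pcr = [bytes(32)] * PCR_COUNT
        self._keys: dict[int, tuple[int, int, tuple[int, bytes]]] = {}

    def extend(self, index: int, measurement: bytes) -> None:
        # PCR_new = H(PCR_old || H(measurement)) is the only way a PCR changes.
        self.pcr[index] = sha256(self.pcr[index] + sha256(measurement))

    def late_launch(self, code: bytes) -> None:
        """Model of the processor's late launch: the dynamic PCR is reset to zero and
        the launched code (the IPL in the protocol) is measured into it."""
        self.pcr[LATE_LAUNCH_PCR] = bytes(32)
        self.extend(LATE_LAUNCH_PCR, code)

    def create_binding_key(self, pcr_index: int, required_value: bytes):
        """Generate (PK, SK)_bind with a key use constraint; only PK_bind leaves the TPM."""
        handle = len(self._keys)
        self._keys[handle] = (TOY_N, TOY_D, (pcr_index, required_value))
        return handle, (TOY_N, TOY_E)

    def unbind(self, handle: int, ciphertext: list[int]) -> bytes:
        """Decrypt with SK_bind, but only while the constrained PCR holds the required value."""
        n, d, (index, required) = self._keys[handle]
        if self.pcr[index] != required:
            raise KeyUseDenied(f"PCR{index} does not match the key use constraint")
        return bytes(pow(c, d, n) for c in ciphertext)


def expected_pcr_after_late_launch(code: bytes) -> bytes:
    """PCR18 value the key use constraint is set to: H(0^32 || H(IPL))."""
    return sha256(bytes(32) + sha256(code))


# Constructed stand-ins; no real loader or payload is involved.
IPL_CODE = b"constructed IPL: unbind payload, then run it"
PAYLOAD = b"constructed sensitive sub-computation"


def run_scenario(launched_code: bytes | None) -> bytes | None:
    """Run Phase II in the model and return the recovered payload, or None when the TPM
    denies use of SK_bind. launched_code=None means no late launch was performed."""
    tpm = ModelTPM()
    constraint = expected_pcr_after_late_launch(IPL_CODE)
    handle, pk_bind = tpm.create_binding_key(LATE_LAUNCH_PCR, constraint)
    blob = rsa_encrypt(pk_bind, PAYLOAD)      # what the MDP sends back
    if launched_code is not None:
        tpm.late_launch(launched_code)
    try:
        return tpm.unbind(handle, blob)
    except KeyUseDenied:
        return None


if __name__ == "__main__":
    print(run_scenario(IPL_CODE) == PAYLOAD)                        # True: unmodified IPL in late launch
    print(run_scenario(IPL_CODE + b" + analyst instrumentation"))   # None: modified IPL, key use denied
    print(run_scenario(None))                                       # None: no late launch, PCR18 is zero
```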
The constraint with this scheme is that the manufacturer needs to be online to respond to requests by an analyst to activate a fake AIK. The manufacturer will also have to do some background check to verify that the requesting analyst is a legitimate analyst.

V. RESEARCH PROPOSAL

Conventional distribution networks are passive and are considered to be stable, with unidirectional power flows that require only a minimal level of system monitoring and control. However, the large-scale integration of renewable and distributed energy resources and the introduction of distributed energy storage are paving the way for the emergence of Active Distribution Networks (ADNs). An ADN is a subset of a distribution network with distributed energy generation capability and local storage devices, and it is characterized by bidirectional power flows whose direction depends on the amount of local generation and local energy demand. ADNs are expected to have autonomous local monitoring and control systems to perform power flow control and voltage and frequency regulation. Local monitoring and control capabilities enable an ADN to perform intentional islanding in the presence of faults in the upstream network, and back-synchronization once

the faults are resolved. These sophisticated monitoring and control operations are realized by deploying a large number of electronic automation and communication devices, such as Phasor Measurement Units (PMUs) and Intelligent Electronic Devices (IEDs), and a reliable two-way communication infrastructure that facilitates the transfer of sensor data and control signals. However, the increasing reliance on networking and electronic automation for system monitoring and control comes with the risk of cyber attacks through the communication network. Therefore, the implementation of a secure and reliable communication network that is resilient to insider and outsider attacks, natural disasters, and other failures is crucial. A utility can strive to implement perfect security solutions to thwart all kinds of anticipated attacks. However, such security solutions usually come at the cost of usability. Therefore, any security solution for an ADN should strike a balance between security and usability.

As a first step towards building a secure communication network for ADNs, we intend to implement state-of-the-art security solutions in a real microgrid facility that will be available at EPFL. The security solutions will include enforcing a centralized access control strategy for all devices in the network, and implementing a secure event logging mechanism that maintains a record of system events and user activities for each device in the network. Event logs will be used to hold malicious insiders accountable for security violations, to detect intrusions by outsiders, and to identify problems. We will also implement a PKI-based key management scheme that provides the foundation for the secure generation, storage, distribution, and destruction of the cryptographic keys that will be used to create a secure communication channel for all message exchanges, including measurement data and control signals.
Furthermore, we plan to verify the effectiveness of the deployed security mechanisms in thwarting attacks from a malicious insider. We will consider cases where an ADN is operating in islanded mode and an operator wants to replace some failed devices or to install a software update on some devices in the network. We will look for vulnerabilities in the deployed security solutions that a malicious field engineer, taking advantage of the crisis situation, may exploit either to introduce a rogue device into the network or to install malicious software on some devices. Finally, we expect that advanced measurement and control devices, such as PMUs and IEDs, will be fitted with a hardware cryptographic module, such as a TPM, during manufacturing. Field engineers (some potentially malicious) who install these devices will be entrusted with the security credentials (AuthData) that are required to authorize TPM security functionalities. The work in [4] demonstrated that a malware developer who has access to the AuthData can use a TPM to cloak sensitive sub-computations of a malware from an analyst. Given that a malicious field engineer will also have access to the AuthData of the TPMs in the power system devices, we plan to investigate potential security attacks similar to those proposed in [4], but in the context of smart grid networks.

VI. CONCLUSION

This work highlighted the importance of deploying advanced security mechanisms adjusted to the needs of the emerging smart grid. A vulnerability in current bad data detection techniques was presented as an example to demonstrate a possible attack on power system state estimation. The vulnerability allows an attacker to corrupt a carefully selected set of sensor measurements to introduce arbitrary errors into the estimator's output without triggering any alarm from the bad data detector. Possible defense strategies that implement message authentication and integrity checking mechanisms are proposed to counter such attacks.
Such defense mechanisms require designing a secure and scalable key management solution, which is particularly difficult for smart grid networks due to the large number of communicating devices. Adopting a tamper-resistant cryptographic module, such as the Trusted Platform Module (TPM), is proposed as a solution to enhance the protection of sensitive data, such as cryptographic keys, in smart grid field devices that are physically exposed. However, the need for safe handling of the TPM's authorization credentials is also highlighted by demonstrating a scenario where an attacker with knowledge of the security credentials can use a TPM for cloaking the malicious sub-computation of a malware.

REFERENCES

[1] T. Baumeister. Adapting PKI for the smart grid. In Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on, Oct.
[2] Rakesh B. Bobba, Katherine M. Rogers, Qiyan Wang, Himanshu Khurana, Klara Nahrstedt, and Thomas J. Overbye. Detecting false data injection attacks on DC state estimation. In Proceedings of the First Workshop on Secure Control Systems (SCS'10).
[3] György Dán, Henrik Sandberg, Mathias Ekstedt, and Gunnar Björkman. Challenges in power system information security. IEEE Security & Privacy, 10(4):62-70, July-Aug.
[4] Alan M. Dunn, Owen S. Hofmann, Brent Waters, and Emmett Witchel. Cloaking malware with the trusted platform module. In Proceedings of the 20th USENIX Conference on Security (SEC'11), pages 26-26, Berkeley, CA, USA. USENIX Association. citation.cfm?id=
[5] S. Fuloria, R. Anderson, F. Alvarez, and K. McGrath. Key management for substations: Symmetric keys, public keys or no keys? In Power Systems Conference and Exposition (PSCE), 2011 IEEE/PES, pages 1-6, March.
[6] Shailendra Fuloria. Robust security for the electricity network. PhD Thesis.
[7] David Grawrock. Dynamics of a Trusted Platform: A Building Block Approach. Intel Press.
[8] Sugwon Hong, Dae-Yong Shin, and Myongho Lee. Evaluating security algorithms in the substation communication architecture. In Scalable Computing and Communications; Eighth International Conference on Embedded Computing (SCALCOM-EMBEDDEDCOM'09), Sept.
[9] Yao Liu, Peng Ning, and Michael K. Reiter. False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur., 14(1):13:1-13:33, June.
[10] A.R. Metke and R.L. Ekl. Security technology for smart grid networks. IEEE Transactions on Smart Grid, 1(1):99-107, June.
[11] A. Monticelli and A. Garcia. Reliable bad data processing for real-time state estimation. IEEE Transactions on Power Apparatus and Systems, PAS-102(5), May 1983.


SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below

More information

Understanding Layer 2 Encryption

Understanding Layer 2 Encryption Understanding Layer 2 Encryption TECHNICAL WHITEPAPER Benefits of Layer 2 Encryption Lowest cost of ownership Better bandwith efficiency (up to 50%) Minimal ongoing maintenance routing updates transparent

More information

A Review on Security in Smart Grids

A Review on Security in Smart Grids International Journal of Allied Practice, Research and Review Website: www.ijaprr.com (ISSN 2350-1294) A Review on Security in Smart Grids Jeetu Sharma, Partha Pratim Bhattacharya and V K Jain College

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of

More information

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security

More information

OVAL + The Trusted Platform Module

OVAL + The Trusted Platform Module OVAL + The Trusted Platform Module Charles Schmidt June 14, 2010 Overview OVAL Can assess a vast diversity of system state Usually software based software attacks can compromise Trusted Platform Module

More information

Deploying Digital Substations: Experience with a Digital Substation Pilot in North America. Harsh Vardhan, R Ramlachan GE Grid Solutions, USA

Deploying Digital Substations: Experience with a Digital Substation Pilot in North America. Harsh Vardhan, R Ramlachan GE Grid Solutions, USA Deploying Digital Substations: Experience with a Digital Substation Pilot in North America Harsh Vardhan, R Ramlachan GE Grid Solutions, USA Wojciech Szela, Edward Gdowik PECO, USA SUMMARY Though IEC 61850

More information

Detecting Insider Attacks on Databases using Blockchains

Detecting Insider Attacks on Databases using Blockchains Detecting Insider Attacks on Databases using Blockchains Shubham Sharma, Rahul Gupta, Shubham Sahai Srivastava and Sandeep K. Shukla Department of Computer Science and Engineering Indian Institute of Technology,

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE SESSION ID: TECH-F03 TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE Tom Dodson Supply Chain Security Architect Intel Corporation/Business Client Products Monty Wiseman Security

More information

PrecisionAccess Trusted Access Control

PrecisionAccess Trusted Access Control Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised

More information

Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region Securing IoT devices with STM32 & STSAFE Products family Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region 2 The leading provider of products and solutions for Smart Driving and

More information

A Security Infrastructure for Trusted Devices

A Security Infrastructure for Trusted Devices Infrastructure () A Security Infrastructure for Trusted Devices Mahalingam Ramkumar Mississippi State University, MS Nasir Memon Polytechnic University, Brooklyn, NY January 31, 2005 Infrastructure ()

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

M2MD Communications Gateway: fast, secure, efficient

M2MD Communications Gateway: fast, secure, efficient Solution Brief M2MD Communications Gateway: fast, secure, efficient G+D Mobile Security and M2MD enable automakers to improve user experience through fast, secure and efficient cellular automotive connectivity.

More information

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers Xerox FreeFlow Print Server Security White Paper Secure solutions for you and your customers Executive Summary Why is security more important than ever? New government regulations have been implemented

More information

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric Elli Androulaki Staff member, IBM Research, Zurich Workshop on cryptocurrencies Athens, 06.03.2016 Blockchain systems

More information

Distributed ID-based Signature Using Tamper-Resistant Module

Distributed ID-based Signature Using Tamper-Resistant Module , pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,

More information

Trusted Computing: Introduction & Applications

Trusted Computing: Introduction & Applications Trusted Computing: Introduction & Applications Lecture 5: Remote Attestation, Direct Anonymous Attestation Dr. Andreas U. Schmidt Fraunhofer Institute for Secure Information Technology SIT, Darmstadt,

More information

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1. Securing the Smart Grid Understanding the BIG Picture The Power Grid The electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change

More information

SECURING DEVICES IN THE INTERNET OF THINGS

SECURING DEVICES IN THE INTERNET OF THINGS SECURING DEVICES IN THE INTERNET OF THINGS WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including

More information

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing 1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Summer Term 2015 Roadmap: Trusted Computing Motivation Notion of trust

More information

White Paper for Wacom: Cryptography in the STU-541 Tablet

White Paper for Wacom: Cryptography in the STU-541 Tablet Issue 0.2 Commercial In Confidence 1 White Paper for Wacom: Cryptography in the STU-541 Tablet Matthew Dodd matthew@cryptocraft.co.uk Cryptocraft Ltd. Chapel Cottage Broadchalke Salisbury Wiltshire SP5

More information

Securing Smart Meters with MULTOS Technical Overview

Securing Smart Meters with MULTOS Technical Overview Securing Smart Meters with MULTOS Technical Overview Introduction This paper is written for those involved in the specification, procuring and design of smart metering infrastructure at a technical level.

More information

Cryptographic Component Identification: Enabler for Secure Vehicles

Cryptographic Component Identification: Enabler for Secure Vehicles Cryptographic Component Identification: Enabler for Secure Vehicles André Weimerskirch, Christof Paar and Marko Wolf escrypt Embedded Security GmbH D-44801 Bochum, Germany {aweimerskirch, cpaar, mwolf}@escrypt.com

More information

Key establishment in sensor networks

Key establishment in sensor networks Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ key types; establishment of link keys using a shortterm master key; random key predistribution: - the basic scheme, and - some improvements;

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

Ali Abur Northeastern University Department of Electrical and Computer Engineering Boston, MA 02115

Ali Abur Northeastern University Department of Electrical and Computer Engineering Boston, MA 02115 Enhanced State t Estimation Ali Abur Northeastern University Department of Electrical and Computer Engineering Boston, MA 02115 GCEP Workshop: Advanced Electricity Infrastructure Frances Arriallaga Alumni

More information

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability

More information

Resilient Smart Grids

Resilient Smart Grids Resilient Smart Grids André Teixeira Kaveh Paridari, Henrik Sandberg KTH Royal Institute of Technology, Sweden SPARKS 2nd Stakeholder Workshop Cork, Ireland March 25th, 2015 Legacy Distribution Grids Main

More information

Flicker: An Execution Infrastructure for TCB Minimization

Flicker: An Execution Infrastructure for TCB Minimization Flicker: An Execution Infrastructure for TCB Minimization Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Hiroshi Isozaki (EuroSys 08) Presented by: Tianyuan Liu Oct 31, 2017 Outline Motivation

More information

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE Cryptographic Appliances with Integrated Level 3+ Hardware Security Module The BlackVault hardware security platform keeps cryptographic material

More information

PREEMPTIVE PREventivE Methodology and Tools to protect utilities

PREEMPTIVE PREventivE Methodology and Tools to protect utilities PREEMPTIVE PREventivE Methodology and Tools to protect utilities 2014 2017 1 With the financial support of FP7 Seventh Framework Programme Grant agreement no: 607093 Preemptive goal The main goal of PREEMPTIVE

More information

CyberFence Protection for DNP3

CyberFence Protection for DNP3 CyberFence Protection for DNP3 August 2015 Ultra Electronics, 3eTI 2015 DNP3 Issues and Vulnerabilities DNP3 is one of the most widely used communications protocols within the utility space for the purpose

More information

SECURITY OF CPS: SECURE EMBEDDED SYSTEMS AS A BASIS

SECURITY OF CPS: SECURE EMBEDDED SYSTEMS AS A BASIS SECURITY OF CPS: SECURE EMBEDDED SYSTEMS AS A BASIS Christoph Krauß, christoph.krauss@aisec.fraunhofer.de Dagstuhl Seminar 11441: Science and Engineering of CPS, November 2011 Overview Introduction Securing

More information

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis

More information

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security. Trusted Intermediaries CSC/ECE 574 Computer and Network Security Topic 7. Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center () Representative solution:

More information

An Improved Measurement Placement Algorithm for Network Observability

An Improved Measurement Placement Algorithm for Network Observability IEEE TRANSACTIONS ON POWER SYSTEMS, VOL. 16, NO. 4, NOVEMBER 2001 819 An Improved Measurement Placement Algorithm for Network Observability Bei Gou and Ali Abur, Senior Member, IEEE Abstract This paper

More information

This Security Policy describes how this module complies with the eleven sections of the Standard:

This Security Policy describes how this module complies with the eleven sections of the Standard: Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24 th, 2012 2011 Vormetric Inc. All rights

More information

False Data Injection Attacks against State Estimation in Electric Power Grids

False Data Injection Attacks against State Estimation in Electric Power Grids False Data Injection Attacks against State Estimation in Electric Power Grids Yao Liu, Peng Ning Department of Computer Science North Carolina State University yliu20@ncsu.edu, pning@ncsu.edu Michael K.

More information

ARM Security Solutions and Numonyx Authenticated Flash

ARM Security Solutions and Numonyx Authenticated Flash ARM Security Solutions and Numonyx Authenticated Flash How to integrate Numonyx Authenticated Flash with ARM TrustZone* for maximum system protection Introduction Through a combination of integrated hardware

More information

Introduction and Statement of the Problem

Introduction and Statement of the Problem Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network

More information

SECURING DEVICES IN THE INTERNET OF THINGS

SECURING DEVICES IN THE INTERNET OF THINGS SECURING DEVICES IN THE INTERNET OF THINGS EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including steep financial losses, damage

More information