GridStat Middleware Communication Framework: Management Security and Trust
Schweitzer Engineering Laboratories, Inc.
It is generally recognized that a high-bandwidth and highly available networked communication system should overlie the transmission system topology to enable new types of control and protection applications that will make the grid more efficient and reliable. Those applications will make use of data originating at many locations in the grid, which may be under the control of operators with various levels of competency and motivation, or even under the control of attackers. The research in this activity addressed two aspects of cyber security in that emerging environment. The first is that of message origin authentication when the data delivery model is multicast. That is a challenging technical problem for which various solutions already existed, all of which involved trade-offs among multiple quality-of-service dimensions, leaving no universally best solution. The second aspect concerns how to make control decisions using information from sources whose trustworthiness is unknown a priori. We observe that in any system of the power grid’s size, involving thousands of participating entities, security will necessarily be imperfect and uncertain. The work pursued here attempted to use trustworthiness assessment in combination with decision theory to make good control decisions, even in the face of uncertainty about the trustworthiness of some inputs. Specifically, we made several multicast authentication protocols available in the GridStat framework, allowing application designers to choose a protocol that best meets the application’s needs. We improved the performance of the Time-Valid One-Time Signature (TV-OTS) multicast authentication protocol, which offers tunable security at relatively low computational and latency cost compared to competing methods for multicast message authentication. Based on our evaluation of trade-offs among choices in the TV-OTS implementation, such as signature size, number of chains, epoch length, and the resistance of the protocol to brute-force attacks, we implemented TV-OTS as a fully supported authentication mechanism in the GridStat framework. We also developed ProFokus, a secure key storage repository that makes the system more resilient against attacks on its management infrastructure by splitting secret key material across several servers and requiring k out of n servers to collaborate in revealing the secrets for use. Finally, we have assessed various protocols for their susceptibility to false data injection and denial of service attacks when used on highly-regular data streams such as those from PMUs.
Presentation from 2014 Industry Workshop:
K-Time Signatures for Smartgrid Multicast. Presented by Kelsey Cairns, Washington State University, at the 2014 TCIPG Industry Workshop held November 12-13, 2014 at the iHotel and Conference Center in Illinois. Slides for this presentation may be downloaded from the workshop archives.
Data Injection Attacks and Prevention: Presented by Kelsey Cairns, Washington State University, at the TCIPG Industry Workshop in November 2014.
Download PDF of Fact Sheet
Download PDFs of Research Posters (2014 Industry Workshop)
K-Time Signature Deployment: A Practical Framework
Security Implications of Transport-Layer Protocols in Power Grid Synchrophasor Data Communication
Download PDFs of Research Posters (2013 Industry Workshop)
Flexible Data Authentication Evaluated for the Smart Grid
Resilience of State Estimation using Hybrid SCADA and PMU Data
Download PDFs of Research Posters (2012 Industry Workshop)
Evidence-Based Trust for Critical-Infrastructure Decision-Making
Focused Targeting in Fractal Hash Sequences
ProFocus: A Fault-Tolerant Key Storage Service with Proactive Recovery
Download PDFs of Research Posters (2011 Industry Workshop)
Evidence-based Trust for Critical-Infrastructure Decision-Making
Tradeoffs Between Latency and Security in Multi-cast Message Authentication Protocols