Secure Communications in the Smart Grid
Jeff Naruchitparames and Mehmet Hadi Güneş
Department of Computer Science and Engineering
University of Nevada, Reno
jnaruchit@acm.org, mgunes@cse.unr.edu

Cansin Yaman Evrenosoglu
Department of Electrical and Biomedical Engineering
University of Nevada, Reno
cevrenosoglu@unr.edu

Abstract—This paper focuses on deployment of smart meters in the power distribution systems to enhance the operation infrastructure. An important challenge in establishing a communication paradigm between the utilities and the customers is that customers are susceptible to privacy concerns. In this paper, we present a model to ensure the privacy and integrity of communicating parties within the smart grid by using smart meters as a gateway between intra- and inter-network communications. In particular, we utilize the smart meter as a firewall to manage incoming and outgoing traffic and mediate household devices based on the instructions from the electric utility. Moreover, third parties are introduced in our model such as service providers so that they can monitor and manage the contracted customers by using the existing communication infrastructure.

I. INTRODUCTION

Proliferation of renewable energy-based electric power production to decrease dependence on foreign oil, increased use of electric vehicles and upgrading the aging electricity infrastructure for more efficient grid operations are only viable with smarter monitoring, control and consumption of electrical energy. It is not possible to achieve the nationwide visions if the current control, monitoring and consumption practices are not significantly changed. In addition, a smarter grid equipped with intelligent electronic devices cannot survive if the communications infrastructure is insecure and vulnerable to cyber attacks.

Currently, smart grid research focuses on high voltage interconnected transmission grids and medium/low voltage distribution level applications. At the transmission level, smarter monitoring and control applications for large regionally connected networks are proposed. The implementation of smart grid applications is much more prevalent at the distribution level. Distribution applications deal with the utilities and the consumers (i.e., residential, industrial, and governmental entities) at a local level. The proposed smart grid applications at the utility level primarily focus on the use of smarter meters that can have two-way communications with the utility. The smart meters can report the type of the electricity usage at the consumer side and can also receive messages from the utility on a continuous basis.

One security issue with current implementations is the deployment of commercial off-the-shelf products instead of proprietary technologies [1]. Although it is desirable to comply with an open platform, the lack of standardization introduces several new threats and attack vectors. Further, even though these traditional systems have been refined for many years to account for the increase in security requirements such as detecting anomalous events, notifying actors within the system, maintaining smooth operation, and logging events, several critical cybersecurity requirements are not present in the current model [2], [3]. In particular, the lack of a standardized encryption scheme between system components opens the door to integrity concerns and insider threats [2]. It is important to consider a standardized communications protocol both on the HAN and WAN levels. In this direction, organizations such as the GridWise Alliance aim at standardizing the security protocols in the smart grid [4]. GridWise focuses on enhancing smart grid solutions while complying with IEEE standards [5], [6].

Researchers have proposed hybrid wireless-broadband over power line (W-BPL) communications to address security issues in smart meter communication [7]. They mainly conceal messages using encryption but do not address the integrity issues of smart meters, which can be modified to generate attacks on the electric utility. Moreover, [8], [9] utilize Intel's Universal Plug-n-Play platform and consider the use of symmetric key cryptography. A key issue is the ability to reliably exchange secret keys over WAN.

A key issue that must be addressed is the balance between the benefits of enhanced communications in the smart grid and the privacy of homeowners. As household devices become more intelligent and electric utilities become more involved in household power consumption, the privacy of homeowners may be invaded. We solve this issue by applying trusted computing concepts to this considerably static environment and create a symbiotic relationship between all actors within this architecture [10]. We focus on providing privacy to the user and ensuring the integrity of the communication to protect both the electric utility and the user. This is achieved by establishing a trust relation between the electric utility and the smart meter. Additionally, we try to prevent adversaries such as malicious users and outsiders attempting cyber attacks.

In this paper we propose a system model envisioning the use of smart meters that can communicate with not only power system operators, but also with related vendors (i.e., service providers). The paper is organized as follows: Section 2 presents the overall system model, Section 3 discusses communication issues, and Section 4 concludes the paper.

II. SYSTEM MODEL

In this section, we present our conceptual model which focuses on the essential security components to ensure privacy enhanced secure communications in the smart grid. A smart meter provides the separation between intra- and inter-network communications. An intra-network (i.e., home area network) consists of communications among household devices whereas an inter-network (i.e., wide area network) consists of communications among households, utilities, and system operators.

A. System Components

1) Smart Meter: The smart meter will act as the gateway between internal and external entities and protect user privacy by hiding individual components from the electric utility. Instead of the electric utility directly controlling individual household devices, the electric utility will request the smart meter to reduce overall power consumption and the smart meter will determine which devices to shut down or limit. Consumers will prioritize their devices. Moreover, the electric utility may request a shift in power cycle which generally depends on HVAC.

Further, the smart meter will be used to communicate with service providers which are contracted to maintain specific electrical devices. That is, the smart meter will register and pair a service provider with relevant devices in order to establish a communication path between the service provider and the device. The smart meter will provide messaging only between contracted service providers and the devices they are responsible for. For instance, an electrical car may transmit error messages to a specified and authenticated mechanic through the smart meter.

The smart meter will also contain properties similar to that of firewalls in that it will manage incoming and outgoing messages. It will determine the authenticity of senders on both the HAN and WAN levels and ensure the integrity of messages before forwarding them to the corresponding entity.

In terms of hardware, the smart meter will provide Power-Line [11], ZigBee [11], or WiFi [8] based communication within the HAN and GPRS based communication within the WAN [4], [8]. These technologies may be substituted with the state-of-the-art if better communication technologies arise.

Moreover, the smart meter will contain a tamper-resistant cryptoprocessor to securely process information and run computations without interference from third parties. The cryptoprocessor will provide cryptographic primitives such as cryptographic hash functions (e.g., MD5, SHA1), symmetric-key algorithms (e.g., AES, 3DES), and public-key algorithms (e.g., RSA, DH) [12]. As the identities and communication keys will be stored in the smart meter, having a tamper-resistant cryptoprocessor enables greater security for stored data [13], [14]. With the use of a tamper-resistant cryptoprocessor, it becomes considerably more difficult for malicious users and external attackers to compromise the smart meter, thus maintaining the integrity of the messages for both the electric utility and the smart meter.

Fig. 1. Wide Area Network

2) Electric Utility: The electric utility will send consumption related instructions to smart meters and collect sub-hourly power usage reports and emergency/error notifications using GPRS technology. Further, the electric utility will interact with smart meters in regulating power consumption. For instance, during on-peak hours to shave the peak loads, the electric utility will instruct smart meters to limit their usages by providing incentives. It will then be up to the smart meter to regulate its household devices. This approach hides individual devices from the electric utility and protects privacy of users.

3) Service Providers: In our model, users will be able to establish contracts with service providers for individual electrical devices and use the smart meter to relay messages between internal devices and the service provider. In order to be able to serve users, service providers will register with the electric utility and obtain digital certificates for their identities and public keys. Then, they will be able to establish contracts with individual users for devices that they support. The smart meter will limit communication to only contracted service providers whose certificates are valid.

4) Electrical Household Devices: In our model, we assume both smart devices that can communicate with the smart meter and legacy devices which do not have communication capabilities. The smart meter will instruct smart devices using HAN and actively manage their power consumption. For legacy devices, the smart meter will cut their power when necessary.

B. Networks

1) Wide Area Network (WAN): In our model, WAN consists of three actors: the electric utility, service providers, and the smart meter as in Figure 1. As a firewall, the smart meter will shield unnecessary information from outside entities and ensure identities in the communication.

The electric utility will manage the power distribution within the smart grid and collect sub-hourly power usage from smart meters. However, the electric utility will not have an omniscient view of the power consuming devices within a house but only access electric consumption and delivery related issues such as overall power usage and emergency notifications. The smart meter will be a gateway between external commands from the electric utility and internal power consumption of electrical devices.

Moreover, household devices will communicate with dedicated service providers through the smart meter. Upon receiving a message from a device through HAN, the smart meter will determine the corresponding service provider and relay the message after ensuring identities.

The communication between these remote parties will be through GPRS [15]. GPRS is a best-effort, packet-oriented mobile data service that utilizes 2G and 3G cellular communications. We propose the use of GPRS as it offers internetworking services such as broadcast, multicast, and unicast transmissions [16]. These group communication mechanisms will be useful in our secure communications protocol as described in Section II-D.

Fig. 2. Home Area Network

2) Home Area Network (HAN): We define HAN to consist of two actors: the smart meter and a set of smart and legacy devices within the household. At this level, the smart meter will be the only authoritative entity and manage household devices. Smart devices will register with the smart meter exchanging identities and public keys, if available, and only communicate with the smart meter.

C. Security Issues

1) Identity and Key Management: Every communicating entity at both the WAN and HAN levels will have unique identities. These identities will be used to ensure messages are sent to and received from a legitimate trusted entity. Moreover, the smart meter, electric utility, service providers, and some of the smart devices will have certificates for their public keys whose private key pair will always be kept confidential. The electric utility will be the authoritative certification agent in providing certificates for WAN entities. The certificate of the electric utility will be stored in every smart meter before installation and the certificates for smart meters and service providers will be signed by the electric utility. After a contract agreement between a smart meter and a service provider is established, both entities will exchange signed certificates to ensure identity and legitimacy of public keys. Similarly, the smart meter will be the authoritative entity in handling certificates in the HAN. If needed, certificates for smart devices will be signed by the smart meter and used in communication with service providers.

In order to reduce processing overhead in encryption/decryption of messages, communicating systems may use session keys, which are agreed upon using public key cryptography. As public key cryptosystems are considerably slower than symmetric key cryptosystems, session keys will be devised to exchange bulk of messages [17]. Additionally, since actors within the WAN are not very dynamic, session keys can be utilized for long durations [2].

2) Privacy Assurance: Once the smart meter successfully attests to the identity of a remote party, it can then establish a secure communication channel using stored keys to encrypt/decrypt transmitted messages. It is important to limit the amount of information that can be gathered from the household to a “need to know” basis. The primary concern for privacy resides in the WAN domain where external entities may gather device/usage information.

We propose the smart meter to contain properties similar to that of firewalls and mediate all incoming and outgoing messages. In particular, the smart meter will shield all device-specific information from the electric utility and report/negotiate overall power consumption. Similarly, the smart meter will provide device-specific information only to contracted service providers responsible for that particular device. Essentially, the smart meter will only provide sufficient data for the remote entity to do their job.

3) Integrity Assurance: Since the smart meter will act as a gateway between the HAN and WAN and serve as a firewall for the HAN, it is important for the smart meter to have high integrity assurance. The smart meter should be equipped with components that will prevent tampering both from the software and hardware perspectives. The cryptoprocessor and its memory should be tamper-resistant similar to the Trusted Platform Module chips used in trusted computing [18]. Establishing a trust relationship with the smart meter provides better assurances to both external and internal entities. Such a tamper-resistant system especially protects the electric utility and service providers from attacks generated by malicious smart meters. Furthermore, a user would need to develop service contracts with established service providers, which are trusted for their businesses.

Having a root of trust in the tamper-resistant chip, a smart meter can perform integrity checks using fingerprints of its code [19]. Fingerprints of a code can be generated using hash functions. The electric utility or a service provider would then identify a faulty/malicious smart meter by comparing stored fingerprints and reported hash values. Moreover, data integrity will be provided using hash values of messages.

D. Packet Format

Packets transmitted between the smart meter and other system entities must be standardized for enhanced processing. The system uses three communication schemes: (1) unicast for direct communication between any two entities, (2) multicast for messaging from the electric utility or a service provider to a group of smart meters, and (3) broadcast for announcing instructions from the electric utility to all smart meters.

Fig. 3. Packet Format

Figure 3 presents our generic transport-level packet format for all communication schemes. Except Sender and Receiver, the message is encrypted with the relevant encryption scheme as detailed below. In the packet, Receiver is the intended recipient of the message and it can be a multicast group or broadcast, Sender is the producer of the message, Type is the message type which will indicate the application responsible for handling the message, Time is message generation time to protect against replay attacks, Length is the message length in terms of bytes, Message is the actual message being transmitted, and Hash is the hash of every field as a plaintext.

E. Encryption-Decryption

Encryption involves public/private keys of communicating parties unless they have agreed upon a session key. If a session key is determined, Sender can encrypt its message to the recipient using the shared session key. The receiver can then simply decrypt the packet and ensure packet integrity by comparing computed and reported hash values. On the other hand, when public key cryptography is used we have different cases based on the communication scheme.

In a unicast communication, the sender will encrypt its message using its private key (i.e., $EP^{Sndr}_{riv}$) and then the receiver public key (i.e., $EP^{Rcvr}_{ub}$), to obtain ciphertext as follows:

$$EP^{Rcvr}_{ub}(EP^{Sndr}_{riv}(Type|Time|Length|Message|Hash))$$

Encryption with $EP^{Sndr}_{riv}$ ensures the sender of the message and $EP^{Rcvr}_{ub}$ ensures only the intended receiver will be able to recover the plaintext of the message. To obtain the plaintext of Type, Time, Length, Message, and Hash, the receiver will first decrypt with its private key (i.e., $DP^{Rcvr}_{riv}$) then with sender public key (i.e., $DP^{Sndr}_{ub}$) as follows:

$$DP^{Rcvr}_{riv}(DP^{Sndr}_{ub}(Ciphertext))$$

In both multicast and broadcast communications, the sender will encrypt the message with its private key (i.e., $EP^{Sndr}_{riv}$). As multiple recipients will receive the message, use of receiver public keys is not practical. Hence, Sender will encrypt the message as follows:

$$EP^{Sndr}_{riv}(Type|Time|Length|Message|Hash)$$

and recipients of the packet will recover the plaintext as follows:

$$DP^{Sndr}_{ub}(Ciphertext)$$

Finally, in multicast and broadcast, the use of session keys is not a good approach. As multiple entities will know the shared key, anyone can fabricate messages on behalf of another entity.

III. SECURE COMMUNICATION MECHANISMS

In order to provide a secure communication infrastructure, it is essential to analyze all transmission methods, i.e., unicast, multicast, and broadcast, at both the WAN and the HAN levels. In this section, we discuss communication issues regarding the smart meter with respect to the electric utility, service providers, and household smart devices.

A. Electric Utility–Smart Meter Communications

The electric utility will aggregate timely usage information from smart meters to manage the smart grid. Every smart meter will provide continuous reports of its power usage intervals to the electric utility. Furthermore, the interval and frequency of these report messages may be configured by the electric utility. Additionally, the electric utility can collect daily usage reports such as minimum, average, and maximum power consumption of users. Smart meter reporting intervals will be scheduled by the electric utility so that packet collisions and congestion are minimized. Communications between these two parties will be done via unicast only after having established and authenticated identities of both parties.

In the event of an irregularity in power consumption or an issue in power delivery, the smart meter will generate urgent messages to the electric utility. These messages will trigger corresponding alarms so that necessary precautions and actions are taken by the electric utility. For example, should a smart meter report the urgency of a household fire to the electric utility, it would be the responsibility of the electric utility to send a broadcast or multicast signal to smart meters within the vicinity of the reported urgency. However, in a large-scale event such as a power outage, every smart meter will be generating urgent error reports towards the electric utility, further consuming power and causing congestion in the communication system. Hence, based on event type, the electric utility can determine thresholds for the number of received errors, and then generate a control broadcast message to suppress smart meters. Suppression messages can increase the limits for error reporting or block certain types of messages until a new control broadcast message is sent to reset the parameters.

To enhance user privacy the smart meter will manage household devices while trying to comply with instructions of the electric utility. For example, during on-peak hours to shave the peak loads, the electric utility will request the smart meter to reduce overall power consumption and the smart meter will determine which devices to shut down or limit.

B. Smart Meter–Device Communications

At the HAN level, security requirements in communications are less strict than the WAN level. Although it is important to provide defense in depth, we must find a balance between usability and security. As the communications at HAN level use power-line, WiFi, or ZigBee, we can rely on the security component of these technologies in choosing a standardized implementation [12].

The smart meter will be the centralized authoritative entity in the HAN and provide certificates to smart devices if needed.
When a smart device is introduced into the system, it will be registered with the smart meter. The smart meter will keep track of device identities and maintain the integrity of these devices.

The smart meter may instruct individual smart devices to power off or change power cycle. Similarly, smart devices will send usage reports and any error messages to the smart meter. If an error message is received from a contracted device, the smart meter will send a service request message to the corresponding service provider as detailed below.

In the event that a smart meter must take an authoritative stance and instruct devices to alter their power settings, the smart meter has complete control in prioritizing devices. This prioritization can be configured by a user if they believe a device to be more important than another. For example, a refrigerator can take precedence over a washer or dryer since the refrigerator would be capable of actively monitoring humidity and maintaining water filtering whereas a washer and dryer would be used more sparingly in comparison to the refrigerator [20], [21].

Although it is important to limit as many forms of physical tampering of the smart device as possible, it is still important for a user to have some control of their household. By allowing users to reconfigure the priority of their household devices through the smart meter, users can acquire this minimal, needed control of their household.

C. Service Provider–Smart Meter Communications

In our model, service providers may monitor and maintain electrical household devices through the smart meter. Each service provider that wants to join the system must first register with the electric utility and then develop contracts with individual users for specific devices. Contracted devices may generate usage reports or error messages that will be forwarded by the smart meter to the corresponding service provider. The smart meter becomes a proxy between contracted devices and contracted service providers.

By allowing a service provider limited access to a house-

communicating parties and use smart meters as a gateway between Home Area Network and Wide Area Network. We aim to enhance the capabilities of smart meters and increase their utilization through mediated interaction between household devices and the electric utility and service providers. In particular, smart meters will be used to notify service providers of devices in need of repair and maintenance where the electric utility will maintain a list of authorized service providers for consumers. Further, smart meters will be used in overall power consumption reporting, disaster management, emergency situations, and compliance with instructions of the electric utility. The addition of an enhanced, tamper-resistant smart meter to act as a gateway to the outside world on behalf of the household provides improved services for home users.

REFERENCES

[1] G. Ericsson, “Cyber security and power system communication - essential parts of a smart grid infrastructure,” in IEEE Transactions of Power Delivery, vol. 25, no. 3, Jul 2010.
[2] I. T. L. at the National Institute of Standards and Technology, “Smart grid cyber security strategy and requirements,” 2010.
[3] ——, “Accelerating smart grid standards adoption,” 2009.
[4] N.-K. C. Nair and L. Zhang, “Smartgrid: Future networks for New Zealand power systems incorporating distributed generation,” in Science Direct: Energy Policy, Mar 2009.
[5] IEEE, “IEEE standard communication delivery time performance requirements for electric power substation automation,” IEEE Std 1646-2004, pp. 1–24, 2005.
[6] ——, “IEEE standard for substation intelligent electronic devices (IEDs) cyber security capabilities,” IEEE Std 1686-2007, pp. c1–15, Feb. 2008.
[7] A. M. Sarafi, G. I. Tsiropoulos, and P. G. Cottis, “Hybrid wireless-broadband over power lines: A promising broadband solution in rural areas,” in IEEE Communications Magazine, Nov 2009.
[8] M. P. Anastasopoulos, A. C. Voulkidis, A. V. Vasilakos, and P. G. Cottis, “A secure network management protocol for smartgrid BPL networks: Design, implementation and experimental results,” in Science Direct: Computer Communications, Jun 2008.
[9] Intel and U. Forum, “UPnP device architecture 1.0,” Dec 2003.
[10] “Trusted execution technology architectural overview.” [Online]. Available: http://www.intel.com/technology/security
[11] A. E. Power, Avista, Centerpoint, C. Energy, D. Energy, E. de France, F. P. & Light, Oncor, P. G. & Electric, R. Energy, S. D. G. & Electric, and S. C. Edison, “Smart grid standards adoption - utility industry perspective,” 2009.
[12] C. P. Pfleeger and S. L. Pfleeger, Security in Computing, 4th ed. Prentice
                                                                          Hall, Oct 2006.
hold device information, some privacy is compromised. This           [13] “IBM            cryptographic          coprocessors,”         http://www-
compromise can be minimized by providing only sufficient                  03.ibm.com/security/cryptocards/. [Online]. Available: http://www-
information so that the service provider can perform its job.             03.ibm.com/security/cryptocards/
                                                                     [14] E. Cesena, G. Ramunno, and D. Vernizzi, “Secure storage using a
It is important to note that service providers may gain more              sealing proxy,” in Proceedings of the 1st European Workshop on System
information about specific household devices than the electric            Security. New York, NY, USA: ACM, 2008, pp. 27–34.
utility. Hence, when establishing service contracts users should     [15] F. A. Phiri and M. B. Murthy, “Wlan-gprs tight coupling based
                                                                          interworking architecture with vertical handoff support,” Wirel. Pers.
prefer established providers with a good track record.                    Commun., vol. 40, no. 2, pp. 137–144, 2007.
   Moreover, a user may configure smart meter to obtain              [16] K. S. Xavier de Foy, “Machine to machine communication for smart
instruction from certain service providers. For instance, service         meters using optimized 3gpp systems.”
                                                                     [17] W. Diffie, “The first 10 years of public-key cryptography,” 1988.
providers might be able to upgrade certain software compo-           [18] “TCG         architecture      overview,”       Aug       2007.       [On-
nents of smart devices. This is particularly useful as software           line].     Available:     https://www.trustedcomputinggroup.org/groups/
bugs are identified in code of smart device or a more efficient           TCG 1 4 Architecture Overview.pdf
                                                                     [19] M. H. Gunes and C. Y. Evrenosoglu, “Blind processing: Securing data
algorithm is developed for its tasks.                                     against system administrators,” in FIP/IEEE International Workshop on
                                                                          Management of Smart Grids, Apr 2010.
                       IV. C ONCLUSION                               [20] “creative living! - activesmart refrigerators,” Feb 2010.
                                                                     [21] P. Communications, “Smart homes,” 2010. [Online]. Available:
   Deployment of smart meters, which continuously report to               http://www.powerlinecommunications.net/smarthomes.htm
the electric utility, raises privacy concerns for household users.
In this paper, we present a model to ensure integrity of