ANALYSIS OF CELLULAR DATA COMMUNICATION FOR NEIGHBORHOOD AREA NETWORK FOR SMART GRID
Harish Maiya B.E., Visveswaraiah Technological University, Karnataka, India, 2006
PROJECT
Submitted in partial satisfaction of the requirements for the degree of
MASTER OF SCIENCE
in
COMPUTER ENGINEERING
at
CALIFORNIA STATE UNIVERSITY, SACRAMENTO
SPRING 2011
ANALYSIS OF CELLULAR DATA COMMUNICATION FOR NEIGHBORHOOD AREA NETWORK FOR SMART GRID
A Project
by
Harish Maiya
Approved by:
______, Committee Chair Isaac Ghansah, Ph.D.
______, Second Reader Fethi Belkhouche, Ph.D.
______Date
Student: Harish Maiya
I certify that this student has met the requirements for format contained in the University
format manual, and that this project is suitable for shelving in the Library and credit is to
be awarded for the Project.
______, Graduate Coordinator Suresh Vadhva, Ph.D.
______ Date
Department of Computer Engineering
Abstract
of
ANALYSIS OF CELLULAR DATA COMMUNICATION FOR NEIGHBORHOOD AREA NETWORK FOR SMART GRID
by
Harish Maiya
The infrastructure of a Smart Grid system relies on communication between the electricity producer and consumer domains. The consumer domain consists of the Neighborhood Area Network, which connects the smart meters installed at consumers' homes or businesses, and the Home Area Network, which connects all appliances at home, to the Utility AMI Network on the producer side. A few of the candidates or protocols considered for implementing the Neighborhood Area Network (NAN) are cellular communication, IEEE 802.11, 802.16, 802.15.4, optical fiber networks and power line networks.
The project aims to provide an analysis of the cellular data communication protocol, considering its different standards, implementation details, advantages, disadvantages, security issues, reliability, time-critical communication, maintenance, power, and cost factors. Studies are conducted on cellular communication standards such as CDMA and GSM (2G), UMTS and WCDMA (3G) and 4G protocols, gauging the factors of bandwidth, coverage, and resource usage, in order to identify an effective and efficient way to implement the NAN. An analysis of the Short Message Service (SMS), which is the preferred mode of communication in the NAN, is carried out. The project intends to identify potential issues which affect the confidentiality, integrity, and availability of the information flowing through the cellular communication channel when it is implemented in the Smart Grid.
Investigations are carried out on the application of information security best practices to the NAN in the Smart Grid and on the extent to which they are applied. Comparisons are made between the different candidate protocols for the NAN, a few recommendations are made, and a few research areas and open issues, if any, are identified.
______, Committee Chair Isaac Ghansah Ph.D.
______Date
DEDICATION
To my parents, teachers and friends
ACKNOWLEDGEMENT
I am grateful to all the people who have helped and guided me in the successful completion of my Master's Project.
My sincere thanks to the project supervisor Dr. Isaac Ghansah, for providing me the opportunity to work on Smart Grid and guiding me throughout the project. My heartfelt thanks to Dr. Kwai-Ting Lan for being second reader and providing me with invaluable inputs on revising my report. I am thankful to Dr. Suresh Vadhva for his invaluable support throughout my graduate program.
Special thanks to my friends Arti Arora and Adithya Shreyas for helping me with their ideas and by reviewing my project report. I would like to thank my seniors and all my friends who have been there for me throughout this graduate program. I would take this opportunity to acknowledge and appreciate the efforts of California State University, Sacramento for providing the facilities and environment conducive for students to nurture their career.
Most importantly I would like to thank my parents Suryanarayana, Radha, my sister Sowmya, and bro-in-law Vinay for their true love and moral support.
TABLE OF CONTENTS
Page
Dedication ...... vi
Acknowledgement ...... vii
List of Tables ...... x
List of Figures ...... xi
Chapter
1. INTRODUCTION ...... 1
1.1. Traditional Grid ...... 1
1.2. Need for Smart Grid ...... 3
1.3. Smart Grid ...... 5
1.4. Neighborhood Area Network ...... 8
1.5. Scope of the Project ...... 11
2. REQUIREMENTS FOR NEIGHBORHOOD AREA NETWORK ...... 12
3. CELLULAR COMMUNICATION ...... 19
3.1 Features and Standards ...... 19
3.2 Candidates for Implementing NAN ...... 22
3.2.1 Global System for Mobile Communications (GSM) ...... 22
3.2.2 GSM Core Network ...... 26
3.2.3 CDMA One or IS-95 ...... 40
3.2.4 3G Systems and UMTS (Universal Mobile Telecommunications System) ...... 42
3.2.5 W-CDMA ...... 46
3.2.6 4G-LTE Advanced ...... 47
4. SHORT MESSAGE SERVICE (SMS) IN CELLULAR COMMUNICATION ...... 50
4.1 Implementation Details ...... 50
4.2 Vulnerability and Example Attacks ...... 54
4.3 Counter Measures, Solutions ...... 56
5. GENERATION IN CELLULAR WIRELESS STANDARDS ...... 59
5.1 1G, 2G, 3G, 4G ...... 59
5.1.1 Overview of Standards ...... 60
5.2 Evaluation of Parameters of Cellular Standards ...... 61
5.3 Security Issues and Mechanisms in Cellular Standards ...... 63
5.4 Wireless Application Protocol (WAP) ...... 72
6. COMPARISON OF CANDIDATE NETWORK PROTOCOLS FOR NAN ...... 77
6.1 Introduction ...... 77
6.2 IEEE 802.11 ...... 78
6.3 IEEE 802.16 ...... 83
6.4 IEEE 802.15.4 ...... 87
6.5 Power Line Communication ...... 90
6.6 Optical Fiber Communication ...... 92
6.7 Wireless Mesh Networks ...... 93
6.8 Cellular Network Over Other Candidates ...... 95
7. CONCLUSION ...... 102
7.1 Project Results ...... 102
7.2 Challenges and Outstanding Works ...... 104
7.3 Future Works and Potential Research Topics ...... 104
Appendix Glossary ...... 105
References ...... 109
LIST OF TABLES
Page
Table 1: Network Types, Coverage and Bandwidth ...... 16
Table 2: IEEE 802.11 Standards and its Variations ...... 79
Table 3: Summary of Technologies for NAN ...... 101
LIST OF FIGURES
Page
Figure 1: Traditional Grid ...... 2
Figure 2: Smart Grid ...... 5
Figure 3: Smart Grid ...... 7
Figure 4: Customer Domain: NAN, gateway and HAN ...... 13
Figure 5: Smart Grid Building Blocks ...... 14
Figure 6: Hierarchical Organization of Communication Networks ...... 17
Figure 7: Operation of Cells in Network. Frequency (F) reuse factor or pattern 1/4 ...... 21
Figure 8: Structure of GSM network [9] ...... 23
Figure 9: GSM Core Network Architecture ...... 27
Figure 10: Authentication and Key agreement ...... 33
Figure 11: Radio Link Encryption ...... 36
Figure 12: Temporary ID management ...... 38
Figure 13: Structure of UMTS network ...... 44
Figure 14: High Level description of SMS delivery in an SS7 network ...... 51
Figure 15: Overview of SMS delivery on the wireless interface ...... 52
Figure 16: Signaling Data Integrity Mechanism ...... 70
Figure 17: Air Interface Confidentiality Mechanism ...... 71
Figure 18: KASUMI Block Cipher ...... 72
Figure 19: WAP1, WAP 2 Protocol Stack ...... 73
Figure 20: Generic Data Frame ...... 80
Figure 21: Frame Control field ...... 81
Figure 22: IP based WiMAX Network Architecture ...... 85
Figure 23: Wireless Mesh Network [28] ...... 94
Chapter 1
INTRODUCTION
1.1. Traditional Grid
The traditional power grid, which was designed several decades ago, performed satisfactorily in supplying electricity to the nation until the recent past. However, the system appears ill equipped on several fronts to meet present and future needs. The reliability of the grid has declined over the last few years. A large number of outages have affected numerous consumers, causing inconvenience and loss of revenue [3]. Modernization of the current electric grid is imperative to national efforts to increase energy efficiency, transition to renewable sources of energy, reduce greenhouse gas emissions and build a sustainable economy that ensures prosperity for current and future generations.
Figure 1 [2] shows the traditional power grid, which has a unidirectional flow of energy from the electricity generation and transmission units to the end user. The grid consists of the transmission system, which includes power generation plants, step-up transformers, high voltage power lines and substations. The distribution system consists of substations, step-down transformers, pole-top transformers, and medium voltage power lines. The power plants generate electricity and step up the voltage for long distance transmission using step-up transformers. The electricity is then transmitted across the high power transmission lines over long distances to substations, where the voltage is stepped down before being transmitted over the medium voltage power lines to the customer premises. The pole-top transformers further step down the voltage to suit residential and commercial specifications.
Figure 1: Traditional Grid
The existing power grid infrastructure is largely analog and electromechanical, and it is built on a producer-controlled model where power flows in one direction. With significant advancements in computer systems, electronic devices, the internet and communications, there exists a vast disparity between the traditional grid infrastructure and these advanced technologies. The electricity supply for the present generation relies on infrastructure which has aged out. Whether or not there is a need for power supply to a region or consumer, the utility supplies a scheduled amount of power to the regions under its coverage. This lack of communication, to inform the utilities about the demand for power and for the utilities to respond appropriately to the consumer, is the missing component in the current grid.
As the demand for power is on the increase, it is very important that there be effective communication between the consumers and the utilities, so that power is supplied based on customer needs.
1.2. Need for Smart Grid
The Smart Grid is an infrastructure which intends to provide electricity to consumers based on their demand; there is two-way communication between the producer or utilities and the consumers. Utilizing the latest technical advancements in the areas of computer systems, the internet, communication and electronic devices, the Smart Grid envisages providing efficient, reliable and secure electricity supply to consumers. Below are the benefits of implementing the Smart Grid.
RELIABILITY
The present electricity grid architecture lacks an outage management system, which directly affects the reliability of the grid. The utilities are informed of blackouts or outages if and only if a customer rings them up to notify them of an outage. These blackouts result in billions of dollars of losses to households and businesses [3]. An intelligent grid like the Smart Grid, with an effective communications infrastructure, detects an outage immediately and notifies the utility office about it; outages could also be avoided when power is redirected to the place where the outage is predicted. To achieve improved reliability, a smarter grid is the need of the hour.
RENEWABLE ENERGY
The use of renewable energy sources is gaining momentum at present; the reasons are to reduce carbon emissions and dependency on oil and to lower the cost of electricity over the longer run. Power from renewable energy sources like solar, wind, geothermal and tidal is low power and intermittent when compared to traditional power generation. These intermittent sources need distributed generation to harness the power and sell it to the utility offices close by. To handle both distributed and intermittent power sources, we need a smarter grid.
SECURITY
One of the aspects of security in systems is availability. The current centralized grid is vulnerable in the sense that, in case of attacks, there could be a significant outage, and reconstruction of such a huge electricity infrastructure would take too long. In case of attacks, a significant area is affected by lack of power supply. Having the power generation distributed would help reduce the devastating effect of terror attacks or natural disasters. [5]
1.3. Smart Grid
Figure 2 [2] shows the infrastructure of the Smart Grid; we can see that there is an integration of information technology, communication and electronic devices with the power grid to deliver a two-way flow of information in the system.
Figure 2: Smart Grid
The Smart Grid is an electricity infrastructure which consists of devices installed at homes and businesses throughout the electricity distribution grid for the purpose of energy monitoring; the system utilizes computer, networking and communications technologies all the way from the generation, transmission and distribution of electricity to consumer appliances and equipment. This set-up provides consumers the ability to monitor and control energy consumption comprehensively in real time across the smart communication network. Consumers that generate energy from sources such as solar, wind or other systems can also do business with the utilities by selling the surplus energy that they generate.
As seen in the Figure 3 [4], the sensors detect the variations and fluctuations in the electricity and send information signals to the demand management systems. At the demand management system, decision signals are generated, so as to increase or decrease the electricity generation and these signals are sent out to the processors. The processors, without any need for human intervention, would execute these instructions and take appropriate actions instantaneously.
Figure 3: Smart Grid
The Smart Grid, as an intelligent system, is capable of sensing system overload and rerouting power to prevent outages, and of resolving conditions faster than a user could respond. It is efficient as it meets the user's increasing demand without adding infrastructure. It is accommodating as the user can do business with the utilities by pumping energy back to the utilities from renewable sources like wind, solar and others. The consumer has the ease of choosing the energy consumption profile and customizing it according to his/her preferences. This, along with the real-time communication between the customer and the utilities, makes the Smart Grid motivating to use. It is capable of delivering power free of spikes, disturbances and interrupts, which is the main requirement for data centers, and could be termed a quality-focused power supply infrastructure. Since the Smart Grid's deployment would be distributed and not centralized, it becomes secure and provides resistance to natural disasters and terror attacks. All these features make the Smart Grid intelligent, efficient, accommodating, motivating, opportunistic, quality-focused, resilient and lastly “green”, as carbon emissions are lowered with increased efficiency. [5]
1.4. Neighborhood Area Network
The efficiency of Smart Grid greatly depends on communication networks.
Communication in the customer domain consists of the Neighborhood Area Network, which connects the utility to the smart meters installed in the homes of the consumers, the gateway, and finally the Home Area Network, which connects all the appliances at the consumers’ home. In the Smart Grid, the NAN has a role to play in HOME-to-HOME or HOME-to-GRID communication. Neighborhood Area Networks [NAN] are a type of packet switched mobile data network whose geographical coverage area could be anywhere from that of a LAN (Local Area Network), which is a few meters, to a MAN (Metropolitan Area Network), to a WAN (Wide Area Network), which extends up to several miles.
Communication in NAN can be broadly classified into two types:
DATA COMMUNICATION
The utility offices collect the electricity usage information from consumers on a timely basis to build future demand statistics. Example: a smart device which is part of a room heater sends its usage or power consumption information every minute, in kilowatt hour [kWh] units, to the smart meter, and the smart meter in turn sends the information back to the utility office.
CONTROL COMMUNICATION
Real-time signals to control the devices at consumer or business premises are part of control communication. An example of this would be turning off the room heaters for a certain period of time, on request from the consumer, during the peak hours when the price per unit of usage is high.
To explain this better, we consider the example of the IEEE 802.15.4 standard, where the communication could be between three main entities: reduced functional devices, fully functional devices and the utility offices. Reduced functional devices are devices that carry limited functionality to lower cost and complexity. Fully functional devices support all IEEE 802.15.4 functions and features specified by the standard. Further, the data communication could be between the reduced functional devices [RFD] (smart devices installed in homes like heaters, refrigerators, air conditioners etc.) and the fully functional devices [FFD] (say smart meters), and between the FFDs and the utility office.
Similarly, the control communication would be from the utility office to the FFDs and from the FFDs to the RFDs.
The communication between the RFDs and the FFDs installed at home and business premises is part of the Home Area Network [HAN], and the communication between the FFDs and the utility offices is part of the Neighborhood Area Network. A set of FFDs (say smart meters from a group of houses) would communicate with a device on a pole, and this device would in turn communicate with the utility offices over the neighborhood area network. Each such device on a pole is interconnected with the others, thereby forming a mesh-like network constituting a neighborhood area network.
Neighborhood Area Networks [NAN] are flexible packet switched mobile data networks whose geographical coverage area could be anywhere from that of a LAN, to a MAN, to a WAN. The order of the day in networking is to provide complete ubiquity, i.e., every device location is connected to millions of locations and across tens of thousands of square miles. The solution for complete ubiquity is the wireless neighborhood area network [WNAN] [5]. The ubiquitous network requirements for the Smart Grid are identified as: reliable, secure, power efficient, low latency, low cost, diverse path, scalable technology, and the ability to support bursty, asynchronous upstream traffic, to name a few.
In this report we mainly focus on the communication sector of the Smart Grid; in particular, an analysis of communication protocols for the neighborhood area network of the Smart Grid is carried out.
1.5. Scope of the Project
The aim of this project is to provide insight into the cellular communication protocol, which is a leading candidate for implementing the neighborhood area network for the Smart Grid. A study of the various standards, modes of communication (in particular SMS), security concerns and different generations of protocols is carried out, followed by comparisons with other candidate networks. Chapter 2 acquaints us with the neighborhood area network, its requirements for the Smart Grid and its significance in the Smart Grid. Chapter 3 emphasizes the various standards of cellular communication such as GSM, CDMA, UMTS, WCDMA and LTE Advanced. Chapter 4 discusses Short Message Service (SMS) operations and its issues. Following this is the discussion of the different generations of cellular wireless standards in Chapter 5. Chapter 6 presents a comparison and overview of the other candidates for implementing the neighborhood area network; Chapter 7 identifies research areas in the neighborhood area network as part of the customer domain for the Smart Grid. Finally we arrive at the conclusion of this project in Chapter 8.
Chapter 2
REQUIREMENTS FOR NEIGHBORHOOD AREA NETWORK
The building blocks of the Smart Grid include an automated distribution and control system, power quality monitoring and substation automation, and a communication infrastructure which implements the utilities' interaction with devices in the customer domain and with distributed power generation and storage facilities [7]. As shown in Figure 4 [8], the customer domain consists of a Neighborhood Area Network, which connects the utility to the smart meter installed in the home of the consumer, the gateway, and then the Home Area Network, which connects all the appliances at home.
Figure 4: Customer Domain: NAN, gateway and HAN
Smart Grid utilities should be capable of supporting multiple communication networks such as the Home Area Network [HAN], Neighborhood Area Network [NAN] and Wide Area Network [WAN] for various applications like consumer energy efficiency, advanced metering and distribution automation [see Figure 5] [4].
Figure 5: Smart Grid Building Blocks
The building blocks of the Smart Grid are shown in Figure 5 [4]; they comprise the Power System Layer, Control Layer, Communications Layer, Security Layer, IT Infrastructure Layer and the Application Layer. The Communications Layer is further divided into three sub divisions. They are:
• Home Area Network [HAN], part of the customer domain; it involves the communication between the devices installed at residential or commercial premises and their respective Smart Meters.
• Neighborhood Area Network [NAN], the communication network that provides communication between the utilities and the Smart Meters installed at the customer stations.
• Wide Area Network [WAN], the communication network responsible for the backhaul communications.
The Smart Grid communication requirements at a high level are described below [9]:
SECURE
Privacy, integrity and confidentiality are the three main focus areas in communication across the network. Hence, end-to-end security must be provided to protect user information and to protect the network from unauthorized access.
RELIABLE
The network has to provide maximum availability by incorporating fault tolerance mechanisms and self-healing failover at each tier of the network. It must provide “always-on” communication as part of the electric grid.
FLEXIBLE
The coverage has to be consistent over smaller rural regions to larger urban areas. The communication network has to have the flexibility to cover the same disparate territories as the grid itself.
SCALABLE
The network needs to be scalable to meet current and future requirements. It should be capable of supporting the changing requirements over time, from the current simple meter reading to the future multi-application use that spans from demand-side management to distribution automation. It should also be upgradeable and interoperable to ensure a future-proof solution.
COST-EFFECTIVE
The capital and operational expenses of a communication network need to be within the potential savings.
The typical characteristics of different communication network layers could be summarized as shown below in Table 1.
Network Type                   | Scale of Coverage  | Bandwidth           | Example for Required Communication Technologies
Home Area Network              | 1000s of Sq. Feet  | 1-10 Kbps           | ZigBee
Neighborhood Area Network      | 1 – 10 Sq. Miles   | 10-100 Kbps         | 900 MHz
Distribution/Wide Area Network | 1000s Sq. Miles    | 500 Kbps – 10 Mbps  | 3G/802.11/WiMAX
Core                           |                    | 10 – 100 Mbps       | Fiber
Table 1: Network Types, Coverage and Bandwidth
A representation of the information in the table above is shown in Figure 6 [4].
Figure 6: Hierarchical Organization of Communication Networks
The scope of our discussion is the Neighborhood Area Network [NAN], which requires higher bandwidths, ranging anywhere from 10 Kbps to 100 Kbps, to support meter reading, demand response and remote disconnect over a coverage area of 1-10 sq miles. The focus is then on the implementation of the Neighborhood Area Network, choosing a technology which meets all the requirements of the NAN and satisfies the aspects of security, scalability, reliability and cost. Cellular data communication has been very successful in bringing voice and data communication to millions of consumers and businesses worldwide; it is cost effective, reachable and scalable, and more research, innovation and upgrades happen every year in the field of cellular communication. Cellular communication as the implementation technology for the Neighborhood Area Network in the Smart Grid is therefore considered and evaluated for various parameters and issues.
The following chapters focus extensively on cellular communication: its operational details, the various standards involved, modes of communication, the various generations of protocols, performance and security issues.
Chapter 3
CELLULAR COMMUNICATION
3.1 Features and Standards
Introduction:
Cellular networks and technology have been highly successful in providing voice and data communication for millions of users worldwide. Cellular service is ubiquitous, convenient to use, easy to install and incurs low maintenance cost. Cellular coverage is excellent because it directly corresponds to the population concentration, which is proportional to the number of users of power and its distribution. Cellular communication is already established and has 95% coverage extended to consumers, and hence no additional installation efforts are required. Continuous advances and research in cellular technology (2G, 3G, to the recent 4G standards and bandwidths) and competitive pricing among carriers create an ideal environment for implementing the Neighborhood Area Network of the Smart Grid.
Features:
A cellular network is a radio network distributed over land areas called cells, each served by at least one fixed-location transceiver known as a cell site or base station. When joined together these cells provide radio coverage over a wide geographic area. This enables a large number of portable transceivers (e.g., mobile phones, pagers, etc.) to communicate with each other and with fixed transceivers and telephones anywhere in the network, via base stations, even if some of the transceivers are moving through more than one cell during transmission.
As seen in Figure 9 [9], in a cellular radio system a land area to be supplied with radio service is divided into regular shaped cells, which can be hexagonal, square, circular or some other irregular shape, although hexagonal cells are conventional. Each of these cells is assigned multiple frequencies (f1 - f6) which have corresponding radio base stations. The group of frequencies can be reused in other cells, provided that the same frequencies are not reused in adjacent neighboring cells, as that would cause co-channel interference.
The increased capacity in a cellular network, compared with a network with a single transmitter, comes from the fact that the same radio frequency can be reused in a different area for a completely different transmission. If there is a single plain transmitter, only one transmission can be used on any given frequency. Unfortunately, there is inevitably some level of interference from the signal from the other cells which use the same frequency. This means that, in a standard FDMA system, there must be at least a one cell gap between cells which reuse the same frequency.
Figure 7: Operation of Cells in Network. Frequency (F) reuse factor or pattern 1/4
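As an added worked example, not taken from the original project, the following Python code plans frequency groups on a hexagonal cell grid so that no two adjacent cells share a group, which is the constraint the text above states. It generalizes the 1/4 pattern of Figure 7 to any reuse cluster given by the shift parameters (i, j), for which the cluster size is N = i² + ij + j² and the co-channel reuse distance is D = sqrt(3N) R. These formulas, the axial hex-coordinate representation and the function names are standard cellular-planning conventions assumed by the example and are not on the page. It also shows why a cluster of one (every cell using the same frequencies) fails the adjacency check, and that the classic 7-cell cluster passes it.

```python
# Added example (not from the original project): hexagonal frequency-reuse
# planning, generalising the 1/4 pattern of Figure 7 to any reuse cluster.
import math
from fractions import Fraction

# Axial hex coordinates (q, r); the six neighbours of a cell differ by one of these.
NEIGHBOUR_OFFSETS = [(1, 0), (-1, 0), (0, 1), (0, -1), (1, -1), (-1, 1)]


def reuse_factor(i, j):
    """Cluster size N for shift parameters (i, j): N = i^2 + i*j + j^2 (assumed formula)."""
    return i * i + i * j + j * j


def reuse_distance(i, j):
    """Co-channel reuse distance in units of cell radius R: D/R = sqrt(3N) (assumed formula)."""
    return math.sqrt(3 * reuse_factor(i, j))


def _rotate60(v):
    q, r = v
    return (-r, q + r)


def _canonical(cell, i, j):
    """Reduce a cell modulo the co-channel lattice spanned by (i, j) and its
    60-degree rotation; two cells share a frequency group exactly when they
    reduce to the same representative."""
    v1 = (i, j)
    v2 = _rotate60(v1)
    det = v1[0] * v2[1] - v1[1] * v2[0]          # equals N, always > 0
    q, r = cell
    a = Fraction(q * v2[1] - r * v2[0], det)      # Cramer's rule, exact arithmetic
    b = Fraction(v1[0] * r - v1[1] * q, det)
    fa, fb = math.floor(a), math.floor(b)
    return (q - fa * v1[0] - fb * v2[0], r - fa * v1[1] - fb * v2[1])


def hex_region(radius):
    """All cells within the given hex distance of the origin."""
    return [(q, r) for q in range(-radius, radius + 1)
            for r in range(-radius, radius + 1)
            if max(abs(q), abs(r), abs(q + r)) <= radius]


def plan_frequencies(radius, i, j):
    """Assign a frequency group 0..N-1 to every cell in the region."""
    reps, plan = {}, {}
    for cell in hex_region(radius):
        rep = _canonical(cell, i, j)
        plan[cell] = reps.setdefault(rep, len(reps))
    return plan


def has_adjacent_reuse(plan):
    """True if any two neighbouring cells received the same group, i.e. the
    co-channel interference the text warns about with no cell gap."""
    for (q, r), group in plan.items():
        for dq, dr in NEIGHBOUR_OFFSETS:
            neighbour = (q + dq, r + dr)
            if neighbour in plan and plan[neighbour] == group:
                return True
    return False


if __name__ == "__main__":
    plan = plan_frequencies(2, 2, 0)          # the 1/4 pattern of Figure 7
    print(f"N = {reuse_factor(2, 0)}, D/R = {reuse_distance(2, 0):.2f}")
    for (q, r), group in sorted(plan.items()):
        print(f"cell ({q:+d},{r:+d}) -> frequency group f{group + 1}")
    print("adjacent co-channel cells:", has_adjacent_reuse(plan))
```

`has_adjacent_reuse` is the check a planner runs after assignment; for (i, j) = (2, 0) it passes with four groups, for (1, 0) it fails because N = 1 puts the same frequencies in every cell.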
Cell signal encoding:
To distinguish signals from several different transmitters, frequency division multiple access (FDMA) and code division multiple access (CDMA) were developed.
With FDMA, the transmitting and receiving frequencies used in each cell are different from the frequencies used in each neighboring cell.
In the next sections we discuss the major cellular communication standards, such as GSM and CDMA-One from the 2nd Generation (2G) and UMTS and WCDMA from the 3rd Generation (3G).
3.2 Candidates for Implementing NAN
3.2.1 Global System for Mobile Communications (GSM)
GSM is the world's most popular standard for mobile telephony; both signaling and speech channels are digital, and it falls under the second generation (2G) of mobile phone systems.
In a GSM cellular network, mobile phones connect to base stations by searching for cells in the immediate vicinity. The horizontal radius of a cell varies from a couple of hundred meters to several tens of miles, depending on antenna height, antenna gain and propagation conditions.
GSM networks operate in a number of different carrier frequency ranges (separated into GSM frequency ranges for 2G and UMTS frequency bands for 3G), with most 2G GSM networks in Canada and the United States operating in the 850 MHz or 1900 MHz bands. Carriers in the US using GSM are AT&T and T-Mobile. Enhanced Data GSM Environment (EDGE), which is a faster GSM service, can deliver data rates up to 384 kbps.
The GSM network, as seen in Figure 10 [9], is structured into a number of discrete sections:
• The Base Station Subsystem (the base stations and their controllers).
• The Network and Switching Subsystem (the part of the network most similar to a fixed network). This is sometimes also just called the core network.
• The GPRS Core Network (optional part which allows packet based Internet connections).
• The Operations Support System (OSS) for maintenance of the network.
Figure 8: Structure of GSM network [9]
Subscriber Identity Module (SIM):
One of the key features of GSM is the Subscriber Identity Module, commonly known as a SIM card. The SIM is a detachable smart card containing the user's subscription information and phone book. This allows the user to retain his or her information after switching handsets. Alternatively, the user can also change operators while retaining the handset simply by changing the SIM. Some operators will block this by allowing the phone to use only a single SIM, or only a SIM issued by them; this practice is known as SIM locking.
When GSM is chosen to implement NAN systems in the Smart Grid, SIM cards could be inserted in smart meters and devices, which would transmit meter data from homes to utility offices and producer sites over the existing cellular network. The carrier for a particular locality can be chosen based on signal coverage, cost and the bandwidth of the data transmitted.
GSM service security:
GSM was designed with a moderate level of service security. The system authenticates the subscriber using a pre-shared key and challenge-response. Communications between the subscriber and the base station can be encrypted. GSM only authenticates the user to the network and not vice versa. The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no non-repudiation.
GSM Security Features:
• Secure access: the operator can authenticate user identity for billing and to prevent fraudulent calls by masqueraders.
• Control and data signal confidentiality: protects voice, data, and control information (e.g., dialed telephone numbers) from eavesdropping.
• Anonymity: prevents attackers from using known information (e.g., the IMSI) to track the user's location or identify the user's calls.
SUBSCRIBER IDENTITY CONFIDENTIALITY: The Temporary Mobile Subscriber Identity [TMSI] is used to ensure subscriber identity confidentiality. The TMSI is a pseudo-random number generated and issued by the Visitor Location Register [VLR], and a TMSI is valid only in the area in which it was issued.
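The following Python model, added here as an illustration and not part of the original project, walks through the two mechanisms just described: challenge-response authentication of the subscriber with the pre-shared key Ki, and subscriber identity confidentiality through a TMSI issued by the VLR and resolvable only in the issuing area. The derivation of SRES and Kc uses an HMAC-SHA256 stand-in for the operator's A3/A8 algorithms (an assumption; the real algorithms are not on the page and differ), the IMSI value is constructed, and the class and function names are the example's own.

```python
# Added example (not the project's code): simplified model of GSM subscriber
# authentication (pre-shared key Ki, challenge-response) and TMSI allocation
# by a Visitor Location Register. HMAC-SHA256 stands in for the operator's
# A3/A8 algorithms, which are an assumption here and not the real ones.
import hashlib
import hmac
import secrets


def a3_a8_model(ki: bytes, rand: bytes):
    """Return (SRES, Kc) for challenge RAND under subscriber key Ki.

    Stand-in for A3 (authentication) and A8 (key agreement): a 32-bit
    response and a 64-bit cipher key taken from one HMAC-SHA256 digest."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Holds IMSI and Ki and answers whatever RAND it is sent; nothing in the
    exchange lets it verify who issued the challenge, which is the one-way
    authentication property noted in the text."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki
        self.kc = None                            # cipher key from the last run

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8_model(self.ki, rand)
        return sres


class AuthCentre:
    """AuC: the only network element holding Ki; it hands out
    (RAND, expected SRES, Kc) triplets so the VLR never sees Ki."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, ki: bytes):
        self._keys[imsi] = ki

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)
        sres, kc = a3_a8_model(self._keys[imsi], rand)
        return rand, sres, kc


class VisitorLocationRegister:
    """VLR for one location area: runs the challenge-response and, on success,
    issues a pseudo-random TMSI whose mapping to the IMSI is known only here."""

    def __init__(self, area: str, auc: AuthCentre):
        self.area, self._auc = area, auc
        self._tmsi_to_imsi = {}

    def authenticate(self, claimed_imsi: str, sim: Sim):
        rand, expected_sres, kc = self._auc.triplet(claimed_imsi)
        sres = sim.respond(rand)                  # carried over the air in reality
        if not hmac.compare_digest(sres, expected_sres):
            return None                           # reject: Ki does not match
        tmsi = self._fresh_tmsi()
        self._tmsi_to_imsi[tmsi] = claimed_imsi
        return tmsi, kc

    def _fresh_tmsi(self) -> bytes:
        while True:
            tmsi = secrets.token_bytes(4)         # 32-bit TMSI, unique within the area
            if tmsi not in self._tmsi_to_imsi:
                return tmsi

    def resolve(self, tmsi: bytes):
        return self._tmsi_to_imsi.get(tmsi)       # None if not issued by this VLR


def demo():
    """Constructed scenario: a genuine SIM, an impostor that knows the IMSI but
    not Ki, and the genuine TMSI presented in a different location area."""
    auc = AuthCentre()
    imsi, ki = "001010123456789", secrets.token_bytes(16)   # constructed subscriber
    auc.provision(imsi, ki)
    vlr_a = VisitorLocationRegister("area-A", auc)
    vlr_b = VisitorLocationRegister("area-B", auc)
    genuine = Sim(imsi, ki)
    impostor = Sim(imsi, secrets.token_bytes(16))

    tmsi, kc_network = vlr_a.authenticate(imsi, genuine)
    return {
        "genuine_accepted": tmsi is not None,
        "kc_agreed": genuine.kc == kc_network,
        "impostor_accepted": vlr_a.authenticate(imsi, impostor) is not None,
        "tmsi_resolves_in_issuing_area": vlr_a.resolve(tmsi) == imsi,
        "tmsi_resolves_in_other_area": vlr_b.resolve(tmsi) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the genuine SIM accepted with both sides holding the same Kc, the impostor rejected, and the TMSI meaningful only to the VLR that issued it; after the first exchange the mobile would identify itself by TMSI, so the IMSI need not be sent over the air again.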
GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real time with a ciphertext-only attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow table attack. [10] The system supports multiple algorithms so operators may replace that cipher with a stronger one.
In 2010 a report stated that a group of cryptographers had developed an attack that broke KASUMI, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enabled attackers to recover a full key by using a tactic known as a related-key attack. [11]
3.2.2 GSM Core Network
The GSM core network is the component of a GSM system that carries out call switching and mobility management functions for mobile phones roaming on the network of base stations. It is owned and deployed by mobile phone operators and allows mobile devices to communicate with each other and with telephones in the wider Public Switched Telephone Network (PSTN). The architecture contains specific features and functions which are needed because the phones are not fixed in one location. Figure 9 [12] shows a schematic of the GSM Core Network Architecture.
Figure 9: GSM Core Network Architecture. MS: Mobile Station; SIM: Subscriber Identity Module; MSC: Mobile Switching Centre; VLR: Visitor Location Register; HLR: Home Location Register; AuC: Authentication Centre.
Mobile switching center (MSC):
The mobile switching center (MSC) is the primary service delivery node for
GSM/CDMA, responsible for routing voice calls and SMS as well as other services (such as conference calls, FAX and circuit switched data).
The MSC sets up and releases the end-to-end connection, handles mobility and hand-over
requirements during the call and takes care of charging and real time pre-paid account monitoring.
In the GSM mobile phone system, in contrast with earlier analogue services, fax and data information is sent to the MSC in digitally encoded form. Only at the MSC is it re-coded into an "analogue" signal (although in practice this almost certainly means sound encoded digitally as a PCM signal in a 64-kbit/s timeslot, known as a DS0 in America).
The gateway MSC (G-MSC) is the MSC that determines in which visited MSC the called subscriber is currently located. It also interfaces with the PSTN. All mobile-to-mobile calls and PSTN-to-mobile calls are routed through a G-MSC. The term is only valid in the context of one call, since any MSC may provide both the gateway function and the visited MSC function; however, some manufacturers design dedicated high-capacity MSCs which do not have any BSSs connected to them. These MSCs will then be the gateway MSC for many of the calls they handle.
The visited MSC (V-MSC) is the MSC where a customer is currently located. The VLR associated with this MSC will have the subscriber's data in it.
The anchor MSC is the MSC from which a handover has been initiated. The target MSC is the MSC toward which a Handover should take place.
Mobile switching centre server (MSCS):
The mobile switching centre server (MSS) is a soft-switch variant of the mobile switching centre which provides circuit-switched calling, mobility management and GSM services to the mobile phones roaming within the area that it serves. The MSS splits the control plane (signaling) from the user plane (the bearer, which is handled by a separate network element called the media gateway, MGW), which allows each to be placed where it fits best within the network.
The MSS and MGW together make it possible to cross-connect circuit-switched calls carried over IP, ATM AAL2 and TDM.
Other GSM core network elements connected to the MSC:
• The home location register (HLR) for obtaining data about the SIM and mobile
services ISDN number (MSISDN; i.e., the telephone number).
• The base station subsystem which handles the radio communication with 2G and
2.5G mobile phones.
• The UMTS terrestrial radio access network (UTRAN) which handles the radio
communication with 3G mobile phones.
• The visitor location register (VLR) for determining where other mobile
subscribers are located.
• Other MSCs for procedures such as handover.
Procedures implemented
Tasks of the MSC include:
• Delivering calls to subscribers as they arrive based on information from the VLR.
• Connecting outgoing calls to other mobile subscribers or the PSTN.
• Delivering SMSs from subscribers to the short message service centre (SMSC)
and vice versa.
• Arranging handovers from BSC to BSC.
• Carrying out handovers from this MSC to another.
• Supporting supplementary services such as conference calls or call hold.
• Generating billing information.
Home locations register (HLR):
The home location register (HLR) is a central database that contains details of each
mobile phone subscriber that is authorized to use the GSM core network. There can be
several logical, and physical, HLRs per public land mobile network (PLMN), though one
international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only
one logical HLR (which can span several physical nodes) at a time.
The HLRs store details of every SIM card issued by the mobile phone operator. Each
SIM has a unique identifier called an IMSI which is the primary key to each HLR record.
The next important items of data associated with the SIM are the MSISDNs, which are the telephone numbers used by mobile phones to make and receive calls. The primary
MSISDN is the number used for making and receiving voice calls and SMS, but it is possible for a SIM to have other secondary MSISDNs associated with it for fax and data
calls. Each MSISDN is also a primary key to the HLR record. The HLR data is stored for
as long as a subscriber remains with the mobile phone operator. [14]
Examples of other data stored in the HLR against an IMSI record are:
• GSM services that the subscriber has requested or been given.
• GPRS settings to allow the subscriber to access packet services.
• Current location of subscriber (VLR and serving GPRS support node/SGSN).
• Call diverts settings applicable for each associated MSISDN.
The HLR is a system which directly receives and processes MAP transactions and
messages from elements in the GSM network, for example, the location update messages
received as mobile phones roam around.
Other GSM core network elements connected to the HLR
The HLR connects to the following elements:
• The G-MSC for handling incoming calls
• The VLR for handling requests from mobile phones to attach to the network
• The SMSC for handling incoming SMs
• The voice mail system for delivering notifications to the mobile phone that a message is waiting
• The AUC for authentication and ciphering and exchange of data (triplets)
Procedures implemented
The main function of the HLR is to cope with the fact that SIMs and phones move around a lot. The following procedures are implemented to deal with this:
• Manage the mobility of subscribers by updating their position in administrative areas called location areas, each identified by a location area code (LAC). A user moving from one location area to another triggers a location area update procedure that the HLR records.
• Send the subscriber data to a VLR or SGSN when a subscriber first roams there.
• Broker between the G-MSC or SMSC and the subscriber's current VLR in order to allow incoming calls or text messages to be delivered.
• Remove subscriber data from the previous VLR when a subscriber has roamed away from it.
Authentication centre (AUC):
Figure 10 [12] shows schematic of Authentication and Key agreement
Figure 10: Authentication and Key agreement
Description
The authentication centre (AUC) is a function to authenticate each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.
If the authentication fails, then no services are possible from that particular combination of SIM card and mobile phone operator attempted. There is an additional form of
identification check performed on the serial number of the mobile phone described in the
EIR section below, but this is not relevant to the AUC processing.
Proper implementation of security in and around the AUC is a key part of an operator's strategy to avoid SIM cloning.
The AUC does not engage directly in the authentication process, but instead generates data known as triplets for the MSC to use during the procedure. The security of the process depends upon a shared secret between the AUC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AUC. The Ki is never transmitted between the AUC and SIM; instead it is combined with a random challenge (RAND) to produce the signed response used to identify the SIM and the encryption key Kc used for over-the-air communications. (The AUC record is looked up by IMSI, but the IMSI itself plays no part in the computation.)
Other GSM core network elements connected to the AUC
The AUC connects to the following elements: the MSC which requests a new batch of triplet data for an IMSI after the previous data have been used. This ensures that same keys and challenge responses are not used twice for a particular mobile.
Procedures implemented:
The AUC stores the following data for each IMSI:
• the Ki
• Algorithm id. (The standard algorithms are called A3 or A8, but an operator may
choose a proprietary one).
When the MSC asks the AUC for a new set of triplets for a particular IMSI, the AUC first generates a random number known as RAND. This RAND is then combined with the Ki to produce two numbers as follows:
• The Ki and RAND are fed into the A3 algorithm and the signed response (SRES)
is calculated.
• The Ki and RAND are fed into the A8 algorithm and a session key called Kc is
calculated.
The numbers (RAND, SRES, Kc) form the triplet sent back to the MSC; RAND is 128 bits, SRES 32 bits and Kc 64 bits. When a particular IMSI requests access to the GSM core network, the MSC sends the RAND part of the triplet to the SIM. The SIM feeds this number and the Ki (which is burned onto the SIM) into the A3 algorithm, and the resulting SRES is sent back to the MSC. If this SRES matches the SRES in the triplet (which it should if it is a valid SIM), then the mobile is allowed to attach and proceed with GSM services. Note that only the SIM proves anything in this exchange: the network never demonstrates knowledge of Ki, so the SIM cannot tell a genuine network from a false base station that sends it an arbitrary RAND.
After successful authentication, the MSC sends the encryption key Kc to the base station controller (BSC) so that all communications can be encrypted and decrypted. The mobile phone can generate the Kc itself by feeding the same RAND supplied during authentication and the Ki into the A8 algorithm.
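The triplet exchange just described, worked through in Python. This is an example added to the discussion, not code from the project report or from any operator: A3 and A8 are operator-chosen, so HMAC-SHA256 constructions stand in for them here (an assumption; real SIMs commonly run COMP128), while the 128-bit RAND, 32-bit SRES and 64-bit Kc widths are GSM's own. The IMSI, Ki and batch size are made up. The last function shows the one-way property: a challenger that holds no Ki at all still gets a valid SRES/Kc pair back from the SIM.

```python
"""GSM challenge-response with (RAND, SRES, Kc) triplets.

Added example; not code from the project report or from any operator.
A3/A8 are operator-chosen, so the HMAC-SHA256 functions below are
stand-ins (an assumption), not COMP128. The widths are GSM's:
128-bit RAND, 32-bit SRES, 64-bit Kc. IMSI and Ki values are made up.
"""
import hmac
import os
from hashlib import sha256


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: the 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: the 64-bit ciphering key Kc handed to the BSC."""
    return hmac.new(ki, b"A8" + rand, sha256).digest()[:8]


class AuC:
    """Authentication centre: keeps Ki per IMSI and issues triplets."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki                     # Ki never leaves AuC or SIM

    def triplets(self, imsi, n=5):
        ki = self._ki[imsi]
        out = []
        for _ in range(n):
            rand = os.urandom(16)               # fresh challenge per triplet
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out


class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        # The SIM answers ANY RAND: GSM gives it no way to check who sent
        # the challenge, which is the one-way authentication weakness.
        return a3(self._ki, rand), a8(self._ki, rand)


class MSC:
    """Visited MSC/VLR: consumes one triplet per authentication attempt."""

    def __init__(self, auc):
        self.auc, self._unused = auc, {}

    def authenticate(self, sim):
        """Return (accepted, rand, kc); kc is None when SRES does not match."""
        queue = self._unused.setdefault(sim.imsi, [])
        if not queue:                           # ask the AuC for a new batch
            queue.extend(self.auc.triplets(sim.imsi))
        rand, xres, kc = queue.pop(0)           # each triplet is used once
        sres, _ = sim.run_gsm_algorithm(rand)
        if hmac.compare_digest(sres, xres):
            return True, rand, kc               # Kc goes to the BSC for A5
        return False, rand, None


def demo():
    """Genuine SIM passes, a clone with the wrong Ki fails, and the phone
    derives the same Kc as the network; returns the three outcomes."""
    imsi, ki = "262011234567890", os.urandom(16)    # made-up subscriber
    auc = AuC()
    auc.provision(imsi, ki)
    msc = MSC(auc)
    genuine, clone = SIM(imsi, ki), SIM(imsi, os.urandom(16))
    ok, rand, kc = msc.authenticate(genuine)
    _, phone_kc = genuine.run_gsm_algorithm(rand)
    rejected = not msc.authenticate(clone)[0]
    return ok, rejected, phone_kc == kc


def rogue_network_challenge(sim):
    """A false base station with no Ki still gets an SRES/Kc pair back,
    because nothing in the GSM exchange authenticates the network."""
    sres, kc = sim.run_gsm_algorithm(os.urandom(16))
    return len(sres) == 4 and len(kc) == 8
```

The MSC pops one triplet per attempt and refills from the AUC only when the batch is exhausted, which is the "new batch of triplet data" behaviour described above; reusing a triplet would let an eavesdropper replay a captured SRES and reuse a known Kc.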
The AUC is usually collocated with the HLR, although this is not necessary. Whilst the procedure is adequate for most everyday use, it is by no means crack-proof: authentication is one-way, and the widely deployed COMP128-1 implementation of A3/A8 leaks Ki to an attacker who can present chosen challenges to the SIM, which is the basis of SIM cloning. Therefore a new set of security methods was designed for 3G phones. [16]
Figure 11 [14] shows schematic of encryption using A5 algorithm.
Figure 11: Radio Link Encryption
Visitor locations register (VLR):
Description
The visitor location register is a database of the subscribers who have roamed into the jurisdiction of the MSC (Mobile Switching Center) which it serves. Each base station in the network is served by exactly one VLR; hence a subscriber cannot be present in more than one VLR at a time.
The data stored in the VLR has either been received from the HLR, or collected from the
MS (Mobile station). In practice, for performance reasons, most vendors integrate the
VLR directly to the V-MSC and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary interface. Whenever an MSC detects a new MS in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location of that MS. If VLR data is corrupted it can lead to serious issues with text messaging and call services.
Figure 12 [14] shows schematic of Temporary ID management using VLR
Figure 12: Temporary ID management
Data stored include:
• IMSI (the subscriber's identity number).
• Authentication data.
• MSISDN (the subscriber's phone number).
• GSM services that the subscriber is allowed to access.
• access point (GPRS) subscribed.
• The HLR address of the subscriber.
Other GSM core network elements connected to the VLR
The VLR connects to the following elements:
• The V-MSC to pass required data for its procedures; e.g., authentication or call setup.
• The HLR to request data for mobile phones attached to its serving area.
• Other VLRs to transfer temporary data concerning the mobile when it roams into a new VLR area; for example, the temporary mobile subscriber identity (TMSI).
Procedures implemented
The primary functions of the VLR are:
• To inform the HLR that a subscriber has arrived in the particular area covered by
the VLR.
• To track where the subscriber is within the VLR area (location area) when no call
is ongoing.
• To allow or disallow which services the subscriber may use.
• To allocate roaming numbers during the processing of incoming calls.
• To purge the subscriber record if a subscriber becomes inactive whilst in the area
of a VLR. The VLR deletes the subscriber's data after a fixed time period of
inactivity and informs the HLR (e.g., when the phone has been switched off and
left off or when the subscriber has moved to an area with no coverage for a long
time).
• To delete the subscriber record when a subscriber explicitly moves to another VLR, as instructed by the HLR.
Equipment identities register (EIR):
The equipment identity register is often integrated with the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. In theory all data about stolen mobile phones should be distributed to all EIRs in the world through a Central EIR; in practice there are countries where this is not in operation. The EIR data does not have to change in real time, which means that this function can be less distributed than that of the HLR. The EIR thus prevents calls from stolen, unauthorized or defective mobile stations. Some EIRs can also log handset registration attempts to a log file. Note that the IMEI check identifies the handset, not the subscriber, and an IMEI is not a secret, so it complements rather than replaces the Ki-based authentication above.
3.2.3 CDMA One or IS-95
CDMA One is a second generation mobile telecommunications standard that uses
CDMA, which is a multiple access scheme for digital radio, to send voice, data and signaling data between mobile telephones and cell sites.
CDMA, "code division multiple access", uses a digital modulation called spread spectrum which spreads the voice data over a very wide channel in pseudorandom fashion using a user- or cell-specific pseudorandom code. The receiver undoes the randomization to collect the bits together and produce the original data. As the codes are pseudorandom and selected in such a way as to cause minimal interference to one another, multiple users can talk at the same time and multiple cells can share the same frequency. Each additional user appears as added noise to the others, forcing all users to use more power, which in turn decreases cell range and battery life.
If cdmaOne is chosen to implement the Neighborhood Area Network of the Smart Grid, the smart meters and smart devices of the NAN will carry CDMA radio modules tied to a particular cellular carrier (by ESN and carrier lock; see the disadvantages below).
In the USA, CDMA service providers include Verizon and Sprint, operating in the 800 MHz cellular and 1900 MHz PCS bands. cdmaOne itself is a narrowband-data technology: IS-95A circuit-switched data runs at 14.4 kbit/s (the figure used in the UMTS comparison in Section 3.2.4), and IS-95B raised this to tens of kbit/s; rates of a few hundred kbit/s belong to its 3G successor CDMA2000.
Below are advantages of using CDMAOne/IS-95
1) Capacity is IS-95's biggest asset; it can accommodate more users per MHz of
bandwidth than any other technology.
2) Has no built-in limit to the number of concurrent users.
3) Uses precise clocks that do not limit the distance a tower can cover.
4) Consumes less power and covers large areas so cell size in IS-95 is larger.
5) Able to produce a reasonable call with lower signal (cell phone reception) levels.
6) CDMAOne uses soft handoff, reducing the likelihood of dropped calls.
7) IS-95's variable rate voice coders reduce the rate being transmitted when speaker
is not talking, which allows the channel to be packed more efficiently.
8) Has a well-defined path to higher data rates.
Below are disadvantages of using CDMAOne/IS-95
1) Most technologies are patented and must be licensed from Qualcomm.
2) Breathing of base stations, where coverage area shrinks under load. As the
number of subscribers using a particular site goes up, the range of that site goes
down.
3) Because IS-95 towers interfere with each other, they are normally installed on
much shorter towers. Because of this, IS-95 may not perform well in hilly terrain.
4) Even barring subsidy locks, CDMA phones are linked by ESN to a specific
network, thus phones are typically not portable across providers.
3.2.4 3G Systems and UMTS (Universal Mobile Telecommunications System)
3G Systems were developed to provide global mobility with wide range of services which includes telephony, paging, messaging, Internet and broadband data. International
Telecommunication Union (ITU) is the organization which defined the standard for third generation systems, referred to as International Mobile Telecommunications 2000 (IMT-2000). The Third Generation Partnership Project (3GPP) was formed to perform the technical specification work and technical development of 3G technology.
Universal Mobile Telecommunications System (UMTS) is one of the third-generation
(3G) mobile telecommunications technologies which is specified by 3GPP and is part of
the global ITU IMT-2000 standard.
UMTS, as specified by 3GPP, supports maximum data transfer rates of about 42 Mbit/s (with HSPA+),[12] although at the moment users in deployed networks can expect a transfer rate of up to 384 kbit/s for R99 handsets and 7.2 Mbit/s for HSDPA handsets in the downlink. This is still much greater than the 9.6 kbit/s of a single GSM error-corrected circuit-switched data channel and the 14.4 kbit/s of cdmaOne.
UMTS Architecture
A UMTS network consists of three interacting domains; Core Network (CN), UMTS
Terrestrial Radio Access Network (UTRAN) and User Equipment (UE). The main
function of the core network is to provide switching, routing and transit for user traffic.
Core network also contains the databases and network management functions.
The basic Core Network architecture for UMTS as seen in Figure 13 [18] is based on
GSM network with GPRS. All equipment has to be modified for UMTS operation and
services. The UTRAN provides the air interface access method for User Equipment. The base station is referred to as the Node-B and the control equipment for Node-Bs is called the Radio Network Controller (RNC).
Figure 13: Structure of UMTS network
UMTS provides several different terrestrial air interfaces, called UMTS Terrestrial Radio
Access (UTRA). [14] All air interface options are part of ITU's IMT-2000. In the currently most popular variant for cellular mobile telephones, W-CDMA (IMT Direct
Spread) is used.
UMTS has enhanced security features compared to 2G protocols such as GSM and CDMA. The security features implemented in UMTS are as follows.
Entity authentication:
UMTS provides mutual authentication between the UMTS subscriber, represented by a smart card application known as the USIM (Universal Subscriber Identity Module), and the network, in the following sense. Subscriber authentication: the serving network corroborates the identity of the subscriber. Network authentication: the subscriber corroborates that he is connected to a serving network that is authorized, by the subscriber's home network, to provide him with services. This is the property GSM lacks: in UMTS the challenge carries an authentication token (AUTN) computed with the subscriber's secret key and a sequence number, so a false base station cannot produce a challenge the USIM will accept.
Signaling data integrity and origin authentication:
Integrity algorithm agreement: the mobile station and the serving network can securely negotiate the integrity algorithm that they use.
Integrity key agreement: the mobile and the network agree on an integrity key (IK) that they may use subsequently; because a signaling message that passes the integrity check can only have come from a party holding IK, this also provides entity authentication for subsequent signaling.
User traffic confidentiality:
Ciphering algorithm agreement: the mobile and the serving network can securely negotiate the ciphering algorithm that they use.
Cipher key agreement: the mobile and the serving network agree on a cipher key (CK) that they may use.
Confidentiality of user and signaling data: neither user data nor sensitive signaling data can be overheard on the radio access interface.
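The mutual authentication and key agreement described under "Entity authentication" and the key-agreement items above, worked through in Python. This is an added example, not code from the project report or from 3GPP: the MILENAGE functions f1 to f5 are replaced by HMAC-SHA256 stand-ins (an assumption), while the message layout, RAND plus AUTN = (SQN xor AK) || AMF || MAC, and the USIM's MAC and sequence-number checks follow the TS 33.102 procedure. Sequence-number handling is simplified to "strictly increasing"; real USIMs keep an acceptance window and a resynchronisation procedure. The demo shows the three outcomes that matter: a genuine run agrees CK and IK, a rogue network without K fails the MAC check, and a replayed genuine vector fails the SQN check.

```python
"""UMTS AKA: mutual authentication and CK/IK agreement.

Added example, not code from the report or from 3GPP. MILENAGE's
f1..f5 are replaced by HMAC-SHA256 stand-ins (an assumption); the
RAND/AUTN layout, AUTN = (SQN xor AK) || AMF || MAC, and the USIM's
MAC and sequence-number checks follow TS 33.102. SQN handling is
simplified to "strictly increasing" (real USIMs keep a window and run
a resynchronisation procedure).
"""
import hmac
import os
from hashlib import sha256


def f(k, tag, data, n):
    """Stand-in for MILENAGE f1..f5: keyed by K, truncated to n bytes."""
    return hmac.new(k, tag + data, sha256).digest()[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeAuC:
    """HLR/AuC of the home network: issues authentication vectors."""

    def __init__(self, k, amf=b"\x80\x00"):
        self.k, self.amf, self.sqn = k, amf, 0

    def vector(self):
        self.sqn += 1                                   # fresh 48-bit SQN
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f(self.k, b"f1", sqn + rand + self.amf, 8)  # proves K, binds SQN
        ak = f(self.k, b"f5", rand, 6)                  # anonymity key hides SQN
        return {
            "rand": rand,
            "xres": f(self.k, b"f2", rand, 8),
            "ck": f(self.k, b"f3", rand, 16),
            "ik": f(self.k, b"f4", rand, 16),
            "autn": xor(sqn, ak) + self.amf + mac,
        }


class USIM:
    def __init__(self, k):
        self.k, self.sqn_highest = k, 0

    def challenge(self, rand, autn):
        """Return (RES, CK, IK); raise if the network fails to prove itself."""
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        ak = f(self.k, b"f5", rand, 6)
        sqn_bytes = xor(sqn_ak, ak)
        xmac = f(self.k, b"f1", sqn_bytes + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):
            raise ValueError("MAC failure: challenger does not hold K")
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn_highest:
            raise ValueError("synchronisation failure: replayed vector")
        self.sqn_highest = sqn
        return (f(self.k, b"f2", rand, 8),
                f(self.k, b"f3", rand, 16), f(self.k, b"f4", rand, 16))


class ServingNetwork:
    """VLR/SGSN of the visited network; never sees K, only the vector."""

    def __init__(self, home):
        self.home = home

    def authenticate(self, usim):
        av = self.home.vector()                         # fetched over MAP
        res, ck, ik = usim.challenge(av["rand"], av["autn"])
        if not hmac.compare_digest(res, av["xres"]):
            return None
        return ck, ik                                   # agreed cipher/integrity keys


def demo():
    """Genuine run succeeds; a rogue network without K fails the MAC check;
    replaying a captured genuine vector fails the SQN check."""
    k = os.urandom(16)                                  # made-up subscriber key
    home, usim = HomeAuC(k), USIM(k)
    keys = ServingNetwork(home).authenticate(usim)

    def rejected(av, reason):
        try:
            usim.challenge(av["rand"], av["autn"])
            return False
        except ValueError as e:
            return reason in str(e)

    rogue = rejected(HomeAuC(os.urandom(16)).vector(), "MAC")
    captured = home.vector()
    usim.challenge(captured["rand"], captured["autn"])   # first use is fine
    replay = rejected(captured, "replayed")
    return keys is not None, rogue, replay
```

The serving network holds only the vector, never K, which is what lets a roaming partner authenticate the subscriber without being trusted with the long-term secret; the home network's AUTN is what the GSM triplet never had.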
Network domain security:
The term 'network domain security' in 3G covers security of the communication between network elements. In particular, the mobile station is not affected by network domain security. The two communicating network elements may both be in the same network administered by a mobile operator or they may belong to two different networks. [13]
3.2.5 W-CDMA
W-CDMA (Wideband Code Division Multiple Access) is an air interface in 3G mobile
telecommunications networks, the most-commonly used member of the UMTS family.
W-CDMA uses the DS-CDMA channel access method with a pair of 5 MHz wide
channels.
It utilizes the DS-CDMA channel access method and the FDD duplexing method to
achieve higher speeds and support more users compared to most time division multiple
access (TDMA) schemes used.
DS-CDMA: direct-sequence spread spectrum (DSSS) CDMA
DSSS phase-modulates a sine wave pseudorandomly with a continuous string of pseudo-noise (PN) code symbols called 'chips', each of which has a much shorter duration than an information bit. That is, each information bit is modulated by a sequence of much faster chips. Therefore, the chip rate is much higher than the information signal bit rate.
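A miniature direct-sequence CDMA link in Python, serving both the cdmaOne description in Section 3.2.3 (several users sharing one frequency, the receiver "undoing the randomization") and the DSSS chip description above. This is an added example, not code from the report or from any CDMA standard: each user's bits are spread with a Walsh (orthogonal) code, the chip streams are summed as the air would sum them, and the receiver correlates with one code to recover one user. The code length (8 chips per bit), the user names and the bit patterns are chosen for readability and are not IS-95 or W-CDMA parameters; a non-orthogonal PN code generator is included to show where the "added noise" of real CDMA uplinks comes from.

```python
"""Direct-sequence CDMA in miniature: several users on one channel.

Added example, not code from the report. Each user's bits are spread
with a Walsh (orthogonal) code, the chip streams are summed as the air
sums them, and the receiver correlates with one code to recover one
user. Code length (8 chips per bit), user names and bit patterns are
chosen for readability and are not IS-95 or W-CDMA parameters.
"""
import random


def walsh(n):
    """Walsh-Hadamard codes of length n (a power of two) as +1/-1 lists."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-x for x in r] for r in h]
    return h


def pn_code(seed, n):
    """A non-orthogonal pseudorandom code, as cells use on the uplink."""
    rng = random.Random(seed)
    return [rng.choice((1, -1)) for _ in range(n)]


def cross_correlation(code_a, code_b):
    """0 for orthogonal codes; any residue is the 'added noise' of CDMA."""
    return sum(a * b for a, b in zip(code_a, code_b))


def spread(bits, code):
    """Each information bit (0/1) becomes len(code) chips: +code or -code."""
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in code)
    return chips


def channel(*streams):
    """The air adds everyone's chips (equal power, chip-synchronous)."""
    return [sum(chips) for chips in zip(*streams)]


def despread(rx, code):
    """Correlate each bit period with the wanted code; the sign is the bit."""
    n, bits = len(code), []
    for i in range(0, len(rx), n):
        bits.append(1 if sum(r * c for r, c in zip(rx[i:i + n], code)) > 0 else 0)
    return bits


def share_channel(bits_per_user, codes):
    """Spread every user with its own code, sum, then recover each user."""
    users = list(bits_per_user)
    rx = channel(*(spread(bits_per_user[u], codes[u]) for u in users))
    return {u: despread(rx, codes[u]) for u in users}


def demo():
    """Three meters share a 'cell' with orthogonal codes: all bits recover."""
    w = walsh(8)                        # w[0] is all ones (the pilot); skip it
    data = {"meter_a": [1, 0, 1, 1],    # constructed sample bits
            "meter_b": [0, 0, 1, 0],
            "meter_c": [1, 1, 0, 0]}
    codes = {"meter_a": w[1], "meter_b": w[2], "meter_c": w[3]}
    return share_channel(data, codes) == data
```

With Walsh codes and chip-synchronous users the cross-correlation is exactly zero, so every bit is recovered; with the PN codes real uplinks must use (users are not chip-aligned) the cross-correlation is small but non-zero, which is the interference that makes each extra user cost the others transmit power and range.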
Key technical features of W-CDMA are as below:
• Radio channels are 5 MHz wide.
• Chip rate of 3.84 Mcps.
• Supported modes of duplex: frequency division (FDD) and time division (TDD).
• Employs coherent detection on both the uplink and downlink based on the use of pilot symbols and channels [14].
• Supports inter-cell asynchronous operation.
• Variable-rate transmission on a 10 ms frame basis.
3.2.6 4G-LTE Advanced
4G cellular standards is a successor to the 3G and 2G families of standards. The ITU-R
organization specified the IMT-Advanced (International Mobile Telecommunications
Advanced) requirements for 4G standards, setting peak speed requirements for 4G
service at 100 Megabits per second for high mobility communication (such as from trains
and cars) and 1 Gbps for low mobility communication (stationary users).
A 4G system is expected to provide a comprehensive and secure all-IP based mobile
broadband solution to laptop computer wireless modems, smart phones, and other mobile
devices. Facilities such as ultra-broadband Internet access, IP telephony, gaming services,
and streamed multimedia may be provided to users.
LTE:
The LTE specification provides downlink peak rates of at least 100 Mbps, an uplink of at
least 50 Mbps and RAN round-trip times of less than 10 ms. LTE supports scalable
carrier bandwidths, from 1.4 MHz to 20 MHz and supports both frequency division
duplexing (FDD) and time division duplexing (TDD).
Part of the LTE standard is the System Architecture Evolution, a flat IP-based network architecture designed to replace the GPRS Core Network and ensure support for, and mobility between, some legacy or non-3GPP systems, for example GPRS and WiMAX respectively.[15]
The main advantages of LTE are high throughput, low latency, plug and play, FDD and TDD in the same platform, an improved end-user experience and a simple architecture resulting in low operating costs. LTE will also support seamless handover to cell towers with older network technology such as GSM, cdmaOne, UMTS and CDMA2000. [9]
LTE Advanced:
LTE Advanced is essentially an enhancement to LTE. It is not a new technology but rather an improvement on the existing LTE network. This upgrade path makes it more cost-effective for vendors to offer LTE and then upgrade to LTE Advanced, much as WCDMA was upgraded to HSPA. LTE and LTE Advanced will also make use of additional spectrum and multiplexing to achieve higher data speeds.
Coordinated multi-point transmission will also allow more system capacity to help handle the enhanced data speeds. Release 10 of LTE is expected to achieve the LTE Advanced speeds. Release 8 currently supports up to 300 Mbit/s download speeds, which is still short of the IMT-Advanced requirements.[15]
Data speeds of LTE Advanced:
Peak download: 1 Gbit/s
Peak upload: 500 Mbit/s
Chapter 4
SHORT MESSAGE SERVICE (SMS) IN CELLULAR COMMUNICATION
4.1 Implementation Details
Short Message Service (SMS) is considered as a suitable mode of data transfer when cellular network is chosen to implement Neighborhood Area Network of Smart Grid.
Communication between smart devices and smart meters in the Neighborhood Area Network (NAN) and utility offices can happen through the exchange of SMS messages containing data and control information.
Below is a high-level view of the text delivery mechanism in a cellular network. Figures 14 and 15 [16] illustrate the process of SMS communication in a cellular network.
Figure 14: High Level description of SMS delivery in an SS7 network
Figure 15: Overview of SMS delivery on the wireless interface.
1) Message Insertion:
Messages may be submitted into the system from cell phones operating within the system or from external sources. An Internet-originated SMS message can be generated by any one of a number of External Short Messaging Entities (ESMEs). ESMEs include devices and interfaces ranging from email and web-based messaging portals to service provider websites and voicemail services, and can be attached to telecommunications networks either by dedicated connection or over the Internet. When a message is injected into the network, it is delivered to the Short Messaging Service Center (SMSC). These servers are responsible for the execution of a "store-and-forward" protocol that eventually delivers text messages to their intended destination. The contents and destination information from the message are examined by the SMSC and are then copied into a properly formatted packet. At this point, messages originating in the Internet and those created in the network itself become indistinguishable. Formatted text messages are then placed in an egress queue in the SMSC and await service.
2) Message Routing:
Before an SMSC can forward a text message to a targeted mobile device, it must first determine the location of that device. To accomplish this, the SMSC queries a database known as the Home Location Register (HLR). The HLR is responsible for storing subscriber data including availability, billing information, available services and current location. With the help of other elements in the network, the HLR determines the routing information for the targeted device. If the desired phone is not available, the SMSC stores the message for subsequent retransmission at a later time. Otherwise, the SMSC receives the address of the Mobile Switching Center (MSC) currently providing service to the target device. The MSC delivers the text message over the wireless interface through attached Base Stations (BS).
3) Wireless Delivery:
An area of coverage in a wireless network is called a cell. Each cell is typically partitioned into multiple (usually three) sectors; the system is characterized on a per-sector basis in what follows. The air interface, or radio portion of the network, is traditionally divided into two classes of logical channels: the Control Channels (CCHs) and Traffic Channels (TCHs). TCHs carry voice traffic after call setup has occurred. CCHs, which transport information about the network and assist in call setup and SMS delivery, are sub-classified further. In order to alert a targeted device that a call or text message is available, a message is broadcast on the Paging Channel (PCH). Note that multiple base stations broadcast this page in an attempt to quickly determine the sector in which the targeted recipient is located. Upon hearing its temporary identifier (TMSI) on the PCH, an available device informs the network of its readiness to accept incoming communications using the slotted ALOHA-based Random Access Channel (RACH) uplink. The device is then assigned a Standalone Dedicated Control Channel (SDCCH) by listening to the Access Grant Channel (AGCH). If a text message is available, the base station authenticates the device, enables encryption, and then delivers the contents of the message over the assigned SDCCH. If instead a call is incoming for the device, the SDCCH is used to authenticate the device and negotiate a TCH for voice communications.
4.2 Vulnerability and Example Attacks
The vulnerability in GSM cellular networks that allows for targeted text message attacks is the result of bandwidth allocation on the air interface. Under normal conditions, the small ratio of bandwidth allocated to control versus traffic data is sufficient to deliver all messages with a low probability of blocking. However, because text messages use the same control channels as voice call setup (the SDCCHs), contention for resources occurs when SMS traffic is elevated. Given a sufficient number of SMS messages, each of which requires on average four seconds for delivery, arriving voice calls will be blocked for lack of available resources.
Sending text messages to every possible phone number is not an effective means of attacking a network. Haphazard submission of messages is in fact more likely to overwhelm the gateways between the Internet and cellular networks than to disrupt cellular service. An adversary must efficiently blanket only the targeted area with messages, so as not to waste them on less effective collateral damage elsewhere. The information needed to achieve this, however, is readily available. Using tools including NPA-NXX area code databases, search engines and even feedback from provider websites, an attacker can construct a "hit-list" of potential targets. Given this information, an adversary can then begin exploiting the bandwidth vulnerability.
The exploit itself involves saturating sectors to their SDCCH capacity for some period of time. In so doing, the majority of attempts to establish voice calls are blocked. For all of Manhattan, which would typically be provisioned with 12 SDCCHs per sector, a perfectly executed attack would require the injection of only 165 messages per second, or approximately 3 messages per sector per second (12 SDCCHs each held for about 4 seconds).
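The capacity arithmetic behind the figures above, as a small Erlang-B model in Python. This is an added example, not an analysis from the report or from the cited paper: a sector has a fixed number of SDCCHs, every SMS delivery or call set-up occupies one for its holding time (4 s for an SMS, the figure given above; 2 s for a call set-up is an assumption), offered load is arrival rate times holding time in erlangs, and Erlang B gives the probability that an arriving request finds every SDCCH busy. The quiet-sector arrival rates are assumptions, and the 55-sector count is simply what 165 messages per second at 3 per sector per second implies, not a measured figure.

```python
"""SDCCH exhaustion as an Erlang-B blocking model.

Added example, not from the report. A sector has `sdcch` control
channels; each SMS delivery or call set-up occupies one for its holding
time (4 s for an SMS, from Section 4.2; 2 s per call set-up is an
assumption). Offered load is arrival rate x holding time in erlangs;
Erlang B gives the probability an arriving request finds no free SDCCH.
The 55-sector figure is what 165 msg/s at 3 msg/sector/s implies.
"""


def erlang_b(servers, load):
    """Blocking probability for `load` erlangs offered to `servers` channels."""
    b = 1.0
    for n in range(1, servers + 1):
        b = load * b / (n + load * b)       # stable recursion, no factorials
    return b


def sdcch_blocking(sdcch, call_rate, sms_rate, call_hold=2.0, sms_hold=4.0):
    """Blocking seen by any request (voice or SMS) on one sector."""
    return erlang_b(sdcch, call_rate * call_hold + sms_rate * sms_hold)


def saturation_rate(sdcch=12, sms_hold=4.0, sectors=1):
    """SMS/s that keeps every SDCCH busy: one message per channel per hold."""
    return sectors * sdcch / sms_hold


def demo():
    """Quiet sector versus one receiving the per-sector attack rate.

    Returns (quiet blocking, attacked blocking, city-wide SMS/s needed)."""
    quiet = sdcch_blocking(12, call_rate=0.5, sms_rate=0.1)   # assumed rates
    per_sector = saturation_rate(12, 4.0)                     # 3.0 msg/s
    attacked = sdcch_blocking(12, call_rate=0.5, sms_rate=per_sector)
    return quiet, attacked, saturation_rate(12, 4.0, sectors=55)
```

Erlang B assumes a blocked request is simply dropped, so it understates a sustained flood: an attacker who keeps injecting above the saturation rate holds the pool busy continuously, and the blocking for new call set-ups approaches one rather than the steady-state value the formula returns. That gap is why the queue-management defences in Section 4.3 act on the SDCCH pool itself rather than on the arrival rate.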
4.3 Counter Measures, Solutions
Cellular providers have introduced a number of mitigation solutions into phone networks to combat the SMS-based DoS attacks. These solutions focus on limiting the source of the messages and are ineffective against all but the least sophisticated adversary. To illustrate, the primary countermeasure discovered was a per-source volume restriction at the SMS gateway. Such restrictions would, for example, allow only 50 messages from a single IP address. The ability to spoof IP addresses and the existence of zombie networks render this solution impotent.
Another popular deployed solution filters SMS traffic based on the textual content.
Similar to SPAM filtering, this approach is effective in eliminating undesirable traffic only if the content is predictable. However, an adversary can bypass this countermeasure by generating legitimate looking SMS traffic from randomly generated simple texts, e.g.,
“Remember to buy milk on your way home from the office. -Alice”
Note that these and the overwhelming majority of other solutions deployed in response to the SMS vulnerability can be classified as edge solutions. Ineffective by construction because of their lack of context, such solutions try to regulate the traffic flowing from the
Internet into the provider network at its edge.
Limiting the total traffic coming across all interfaces simply reduces income under normal operating conditions. For example, a total of 1000 email-generated text messages per second distributed across a nation causes no ill effects to the network and generates significant revenue; however, the figures above show that such a volume targeted at one region is more than sufficient to paralyze the network. Rate limitation is largely unattractive even within the core network. The distributed nature of Short Messaging
Service Centers (SMSCs), through which all text messages flow makes it difficult to
coordinate real-time filtering in response to targeted attacks. Moreover, because provider
networks cover huge geographic areas and consist many thousands of network elements,
any compromised element can be a conduit for malicious traffic. Left unregulated, the
connections between provider networks can also be exploited to inject SMS traffic.
Therefore, for the purposes of this discussion, we assume that an adversary is able to
successfully submit a large number of text messages into a cellular network. The defenses
below are dedicated to protecting the resource that is being exploited in the SMS attack—
the bandwidth constrained SDCCHs. Note that the Internet faces a similar conundrum:
once dominant perimeter defenses are failing in the face of dissolving network borders,
e.g., as caused by wireless connectivity and larger and more geographically distributed
networks. As is true in the Internet, we must look to techniques providing “defense in
depth” to protect telecommunications networks.
Below are traffic-management techniques for mitigating such attacks on cellular communication:
Queue Management Techniques
1) Weighted Fair Queuing: Because we cannot rely on rate limitation at the source of messages, we now explore network-based solutions. Fair Queuing is a scheduling algorithm that separates flows into individual queues and then apportions bandwidth equally between them. Designed to emulate bit-wise interleaving, Fair Queuing services queues in a round-robin fashion. Packets are transmitted when their calculated interleaved finishing time is the shortest. Building priority into such a system is a simple task of assigning weights to flows. Known as Weighted Fair Queuing (WFQ), this technique can be used to give incoming voice calls priority over SMS.
2) Weighted Random Early Detection: Active queue management has received a great deal of attention as a congestion avoidance mechanism in the Internet. Random Early Detection (RED), one of the better-known techniques from this field, is a particularly effective means of coping with potentially damaging quantities of text messages.
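The two queue-management techniques above, applied to the SDCCH request queue they are meant to protect, as an added example (not code from the thesis or from any operator). WFQ is modelled in its self-clocked (SCFQ) approximation and RED as the textbook EWMA/linear-drop policy; the flow names, weights, thresholds and bursts are assumed values chosen for illustration.

```python
"""WFQ and RED applied to an SDCCH request queue shared by voice setups and SMS.
Added example, not code from the thesis or any operator. WFQ is the self-clocked
(SCFQ) approximation; RED is the textbook EWMA/linear-drop policy. Flow names,
weights, thresholds and the bursts below are constructed values for illustration.
"""
import heapq
import random
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass(order=True)
class Request:
    finish_tag: float                     # virtual finish time; smallest is served first
    seq: int                              # arrival order, used only as a tie-breaker
    flow: str = field(compare=False)

class WeightedFairQueue:
    """A flow's finish tag advances by length / weight, so weight 4 is served about
    four times as often as weight 1 while both are backlogged."""

    def __init__(self, weights: Dict[str, float]) -> None:
        self.weights = weights
        self.last_finish = {flow: 0.0 for flow in weights}
        self.heap: List[Request] = []
        self.seq = 0
        self.virtual_time = 0.0           # SCFQ: finish tag of the request last served

    def enqueue(self, flow: str, length: float = 1.0) -> None:
        start = max(self.virtual_time, self.last_finish[flow])
        finish = start + length / self.weights[flow]
        self.last_finish[flow] = finish
        self.seq += 1
        heapq.heappush(self.heap, Request(finish, self.seq, flow))

    def dequeue(self) -> Request:
        req = heapq.heappop(self.heap)
        self.virtual_time = req.finish_tag
        return req

def voice_wait_under_sms_backlog(backlog: int, weights: Dict[str, float]) -> int:
    """Constructed scenario: `backlog` SMS are queued and two have been served when one
    voice setup arrives. Returns how many SMS are served ahead of it (FIFO: backlog - 2)."""
    wfq = WeightedFairQueue(weights)
    for _ in range(backlog):
        wfq.enqueue("sms")
    wfq.dequeue()
    wfq.dequeue()
    wfq.enqueue("voice")
    served_first = 0
    while wfq.dequeue().flow != "voice":
        served_first += 1
    return served_first

class RedQueue:
    """RED: drop probability rises linearly from 0 at min_th to max_p at max_th on the
    EWMA queue length and is 1 above max_th, shedding a flood before the pool fills."""

    def __init__(self, min_th: float, max_th: float, max_p: float, ewma_w: float = 0.2) -> None:
        self.min_th, self.max_th, self.max_p, self.ewma_w = min_th, max_th, max_p, ewma_w
        self.avg = 0.0
        self.queue: List[str] = []

    def drop_probability(self, avg: float) -> float:
        if avg < self.min_th:
            return 0.0
        if avg >= self.max_th:
            return 1.0
        return self.max_p * (avg - self.min_th) / (self.max_th - self.min_th)

    def offer(self, flow: str, u: float) -> bool:
        """Admit or drop one arrival. `u` is a uniform [0, 1) draw supplied by the caller
        so decisions are testable. Returns True if admitted."""
        self.avg = (1 - self.ewma_w) * self.avg + self.ewma_w * len(self.queue)
        if u < self.drop_probability(self.avg):
            return False
        self.queue.append(flow)
        return True

    def serve(self) -> None:
        if self.queue:
            self.queue.pop(0)

def simulate_sms_flood(arrivals_per_tick: int, service_per_tick: int, ticks: int = 20,
                       seed: int = 1) -> Dict[str, int]:
    """Constructed flood: SMS arrive in bursts each tick against a server that clears
    `service_per_tick` per tick. Returns admitted/dropped counts and final queue depth."""
    rng = random.Random(seed)
    red = RedQueue(min_th=5, max_th=15, max_p=0.1)
    admitted = dropped = 0
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            if red.offer("sms", rng.random()):
                admitted += 1
            else:
                dropped += 1
        for _ in range(service_per_tick):
            red.serve()
    return {"admitted": admitted, "dropped": dropped, "final_queue": len(red.queue)}
```

With weights voice=4, sms=1 the voice setup is served next despite 28 queued SMS; with equal weights it waits behind one SMS, and a FIFO queue would make it wait behind all 28.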
Chapter 5
GENERATION IN CELLULAR WIRELESS STANDARDS
5.1 1G, 2G, 3G, 4G
Cellular communication has become an important part of daily life. Besides using cell phones for voice communication, we are now able to access the Internet, conduct monetary transactions, send text messages, etc., and new services continue to be added. However, the wireless medium has certain limitations such as open access, limited bandwidth and system complexity. These limitations make it difficult, although possible, to provide security features such as authentication, integrity and confidentiality. In this section we discuss the various generations of cellular communication standards that have evolved over time, provide an overview of their functions and properties, and discuss security issues and mechanisms in cellular standards.
5.1.1 Overview of Standards
First generation (1G) networks were the first cellular networks, introduced in the 1980s. They were only capable of transmitting voice, at speeds of about 9.6 kbps at most. In the US the system was known as Advanced Mobile Phone System (AMPS) and in Europe as Nordic Mobile Telephony (NMT). Both technologies used analog modulation to transmit data as a continuously varying waveform.
1G systems had limitations such as no support for encryption, poor sound quality and inefficient use of the spectrum due to their analog nature. Second generation (2G) cellular networks, also known as personal communication services (PCS), introduced the concept of digital modulation, meaning that voice was converted into digital code and then into analog (radio) signals. Being digital, they overcame certain limitations of 1G systems. Various 2G technologies have been deployed around the world: Code Division Multiple Access (CDMA), North American Time Division Multiple Access (NA-TDMA) and digital AMPS (D-AMPS) in the US, Global System for Mobile communication (GSM) in Europe and the USA, and Personal Digital Cellular (PDC) in Japan.
Although 2G systems were a great improvement over 1G, they were only used for voice communication.
The third generation (3G) standard provides services such as fast Internet surfing, advanced value-added services and video telephony. Three main technologies are being applied: in the US CDMA2000, in Europe Wideband CDMA (W-CDMA) and in China Time Division-Synchronous Code Division Multiple Access (TD-SCDMA).
The fourth generation (4G) technology, currently being designed and developed, is to have data rates of up to 20Mbps. It will support the next generation Internet (IPv6, QoS and Mo-IP), lower system cost and high capacity, and will be capable of supporting communication in vehicles moving at speeds up to 250 km/hr.
5.2 Evaluation of Parameters of Cellular Standards
1G:
The first generation of public wireless telecom.
Analog. Voice only. Since 1980s. Examples: AMPS, NMT, TACS. Frequency: various,
150MHz+
2G:
The second generation of public wireless telecom.
Digital, encrypted. Digital data transmission, voice as data; slow data services (SMS text messages). TDMA: GSM, PDC (Japan), iDEN, D-AMPS (IS-136). CDMA: CdmaOne
(IS-95). In US, 2G is also called PCS (Personal Communications Service). Higher
capacity. 800-2000MHz.
2.x G:
Data service separated from voice; commonly used for WAP, SMS/MMS, and Internet (email, browsing).
GSM: GPRS (56-115kbps); EDGE/EGPRS (236.8kbps) with 8PSK encoding in GSM timeslot.
CDMA2000: 1xRTT (144kbps [80-100kbps]).
3G:
ITU’s IMT-2000: requires data rate > 200kbps. Circuit-switch and packet-switch in parallel.
3GPP’s UMTS (since 2001), coexists with GSM
UMTS W-CDMA: CDMA/FDD, 384kbps down/up
HSDPA+HSUPA: 14.4Mbps/5.76Mbps
TD-SCDMA (China only)
HSPA+: CDMA/FDD/MIMO, 56Mbps/22Mbps
3GPP2’s CDMA2000 (since 2002), coexists with CdmaOne. EV-DO: CDMA/FDD, completely packet-switched network. EV-DO and voice cannot be used simultaneously.
EV-DO Rev 0, or 1xEV-DO, or just EV-DO: 2.4Mbps down, 153kbps up
EV-DO Rev A: theoretic 3.1Mbps down/1.8Mbps up; actual 500-1000kbps up
EV-DO Rev B: theoretic 14.7Mbps down
3.x G:
Pre-4G (often branded as “4G”). Phones still use 2G GSM/CDMA for voice.
3GPP’s LTE: 100Mbps down, 50Mbps up. OFDMA. Radio interface: E-UTRA (Evolved UMTS Terrestrial Radio Access, previously called HSOPA)
3GPP2: UMB (formerly EV-DO Rev. C): 275Mbps down, 75Mbps up. Qualcomm abandoned development.
IEEE: Mobile WiMAX (802.16e): 128Mbps down and 56Mbps up. OFDMA.
4G:
ITU’s IMT-Advanced: 1Gbps stationary; 100Mbps mobile. Radio technology: OFDMA;
core network: all-IP packet-switched
3GPP: LTE Advanced
IEEE: WiMAX 2 (based on 802.16m)
5.3 Security Issues and Mechanisms in Cellular Standards
The infrastructure of cellular networks is massive and complex, with multiple entities coordinating together, such as the IP Internet coordinating with the core network. It is therefore a challenge for the network to provide security on every possible communication path.
Limitations of Cellular Networks:
Compared to Wired Networks, Wireless Cellular Networks have a lot of limitations.
1. Open Wireless Access Medium: Since the communication is on the wireless
channel, there is no physical barrier that can separate an attacker from the
network.
2. Limited Bandwidth: Although wireless bandwidth is increasing continuously,
because of channel contention everyone has to share the medium.
3. System Complexity: Wireless systems are more complex due to the need to
support mobility and making use of the channel effectively. By adding more
complexity to systems, potentially new security vulnerabilities can be introduced.
4. Limited Power: Wireless systems consume a lot of power and therefore have a
limited time battery life.
5. Limited Processing Power: The processors installed on the wireless devices are
increasing in power, but still they are not powerful enough to carry out intensive
processing.
6. Relatively Unreliable Network Connection: The wireless medium is an unreliable
medium with a high rate of errors compared to a wired network.
There are several security issues that have to be taken into consideration when deploying a cellular infrastructure.
1. Authentication: Cellular networks have a large number of subscribers, and each has to be authenticated to ensure the right people are using the network. Since the purpose of 3G is to enable people to communicate from anywhere in the world, cross-region and cross-provider authentication becomes an issue.
2. Integrity: With services such as SMS, chat and file transfer, it is important that the
data arrives without any modifications.
3. Confidentiality: With the increased use of cellular phones in sensitive
communication, there is a need for a secure channel in order to transmit
information.
4. Access Control: The Cellular device may have files that need to have restricted
access to them. The device might access a database where some sort of role based
access control is necessary.
5. Operating Systems in Mobile Devices: Cellular Phones have evolved from low
processing power, ad-hoc supervisors to high power processors and fully fledged
operating systems. Some phones may use a Java Based system; others use
Microsoft Windows CE and have the same capabilities as a desktop computer.
Issues may arise in the OS which might open security holes that can be exploited.
6. Web Services: A Web Service is a component that provides functionality accessible through the web using the standard HTTP protocol. This opens the cellular device to a variety of security issues such as viruses, buffer overflows, denial of service attacks etc. [19]
7. Location Detection: The actual location of a cellular device needs to be kept
hidden for reasons of privacy of the user. With the move to IP based networks, the
issue arises that a user may be associated with an access point and therefore their
location might be compromised.
8. Viruses and Malware: With the increased functionality provided in cellular systems, problems prevalent in larger systems, such as viruses and malware, arise. The first virus that appeared on cellular devices was Liberty. An affected device can also be used to attack the cellular network infrastructure by becoming part of a large-scale denial of service attack.
9. Downloaded Contents: Spyware or Adware might be downloaded causing
security issues. Another problem is that of digital rights management. Users might
download unauthorized copies of music, videos, wallpapers and games.
10. Device Security: If a device is lost or stolen, it needs to be protected from
unauthorized use so that potential sensitive information such as emails,
documents, phone numbers etc. cannot be accessed.
Types of Attacks:
Due to the massive architecture of a cellular network, there are a variety of attacks that the infrastructure is open to.
1. Denial of Service (DOS): This is probably the most potent attack that can bring
down the entire network infrastructure. This is caused by sending excessive data
to the network, more than the network can handle, resulting in users being unable
to access network resources.
2. Channel Jamming: Channel jamming is a technique used by attackers to jam the
wireless channel and therefore deny access to any legitimate users in the network.
3. Unauthorized Access: If a proper method of authentication is not deployed then
an attacker can gain free access to a network and then can use it for services that
he might not be authorized for.
4. Eavesdropping: If the traffic on the wireless link is not encrypted then an attacker
can eavesdrop and intercept sensitive communication such as confidential calls,
sensitive documents etc.
5. Message Forgery: If the communication channel is not secure, then an attacker
can intercept messages in both directions and change the content without the users
ever knowing.
6. Message Replay: Even if communication channel is secure, an attacker can
intercept an encrypted message and then replay it back at a later time and the user
might not know that the packet received is not the right one.
7. Man in The Middle Attack: An attacker can sit in between a cell phone and an
access station and intercept messages in between them and change them.
8. Session Hijacking: A malicious user can hijack an already established session and act as a legitimate base station.
Security Mechanisms in 3G – UMTS:
3G UMTS is the most popular of the architectures. It is built upon the security features of 2G systems, so that some of the robust features of 2G systems are retained. The aim of the 3G security architecture is to improve on the security of 2G systems: any holes present in the 2G systems are to be addressed and fixed. Also, since many new services have been added to 3G systems, the security architecture needs to provide security for these services.
3G Security Architecture:
There are five different sets of features that are part of the architecture:
1. Network Access Security: This feature enables users to securely access services
provided by the 3G network. This feature is responsible for providing identity
confidentiality, authentication of users, confidentiality, integrity and mobile
equipment authentication. User Identity confidentiality is obtained by using a
temporary identity called the International Mobile User Identity. Authentication is
achieved using a challenge response method using a secret key. Confidentiality is
obtained by means of a secret Cipher Key (CK) which is exchanged as part of the
Authentication and Key Agreement Process (AKA). Integrity is provided using an
integrity algorithm and an integrity key (IK). Equipment identification is achieved
using the International Mobile Equipment Identifier (IMEI).
2. Network Domain Security: This feature enables nodes in the provider domain to
securely exchange signaling data, and prevent attacks on the wired network.
3. User Domain Security: This feature enables a user to securely connect to mobile
stations.
4. Application Security: This feature enables applications in the user domain and the
provider domain to securely exchange messages.
5. Visibility and Configurability of Security: This feature allows users to enquire
what security features are available.
The UMTS Authentication and Key Agreement (UMTS AKA) mechanism is responsible for providing authentication and key agreement using the challenge/response mechanism.
Challenge/Response is a mechanism where one entity in the network proves to another entity that it knows the password without revealing it. There are several instances when this protocol is invoked: when the user first registers with the network, when the network receives a service request, when a location update is sent, on an attach/detach request and on connection reestablishment. The current recommendation by 3GPP for AKA algorithms is MILENAGE. MILENAGE is based on the popular shared secret key algorithm called AES or Rijndael. Readers interested in the AES algorithm are encouraged to look at [Imai06]. AKA provides mutual authentication for the user and the network. Also, the user and the network agree upon a cipher key (CK) and integrity key (IK) which are used until they expire.
Control signaling communication between the mobile station and the network is sensitive and therefore its integrity must be protected. This is done using the UMTS Integrity Algorithm (UIA), which is implemented both in the mobile station and the RNC. This is known as the f9 algorithm. Figure 16 [18] shows the application of this algorithm. First, the f9 algorithm in the user equipment calculates a 32-bit MAC-I for data integrity using the signaling message as an input parameter. This, along with the original signaling message, is sent to the RNC, where the XMAC-I is calculated and then compared to the MAC-I. If both are the same, then we know that the integrity of the message has not been compromised.
Figure 16: Signaling Data Integrity Mechanism
The confidentiality algorithm is known as f8 and it operates on the signaling data as well as the user data. Figure 17 [18] shows the application of this algorithm. The user's device uses a Cipher Key CK and some other information and calculates an output bit stream. This output stream is then XORed bit by bit with the data stream to generate a cipher stream. This stream is transmitted to the RNC, where the RNC uses the same CK and input as the user's device and the f8 algorithm to calculate the output stream. This is then XORed with the cipher stream to recover the original data stream. [18]
Figure 17: Air Interface Confidentiality Mechanism
KASUMI, the block cipher on which f8 and f9 are built, has eight rounds of processing, with the plain text (which can be any form of data) as input to the first round and the cipher text as the result after the last round. An encryption key is used to generate round keys (KLi, KOi, KIi) for each round i. Each round calculates a separate function since the round keys are different. The same algorithm is used for encryption and decryption. The KASUMI cipher is based on the MISTY1 cipher, which was chosen by 3GPP due to its proven security against many advanced cipher-breaking techniques. It has been optimized for hardware implementation, which is important given the hardware constraints of cellular devices, such as limited power and limited memory. As shown in Figure 18 [20], the round function f consists of sub-functions FLi and FOi. FL is a simple function consisting of shifts and logical operations. The FO function is much more complicated; it is itself based on the Feistel structure and consists of three rounds. [20]
Figure 18: KASUMI Block Cipher
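The f9 and f8 mechanisms described above, as an added example that is not code from the thesis or from 3GPP. KASUMI itself is not implemented: HMAC-SHA256 stands in for both the keystream generator and the MAC so that the block runs with the standard library. What follows the text is the structure (MAC-I over the signaling message with IK, a CK-derived keystream XORed with the data, XMAC-I recomputed and compared at the RNC); the input names COUNT, BEARER, DIRECTION and FRESH are those of the 3GPP f8/f9 interfaces, and the key and message values are constructed. It also shows why both algorithms are needed: a keystream XOR alone cannot tell the RNC that a frame was altered in transit, the MAC-I/XMAC-I comparison can.

```python
"""UMTS f9 (integrity) and f8 (confidentiality) as described in the text.
Added example, not code from the thesis or from 3GPP. KASUMI is not implemented:
HMAC-SHA256 stands in for the keystream generator and for the MAC. The input names
COUNT, BEARER, DIRECTION and FRESH are the real f8/f9 interface names; the key and
message values below are constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

def f8_stand_in(ck: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stream-cipher shape of f8: keystream = F(CK, COUNT, BEARER, DIRECTION);
    output = data XOR keystream. Encryption and decryption are the same call."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        # Stand-in generator: HMAC-SHA256 in counter mode over the f8 inputs.
        header = (count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1])
                  + block.to_bytes(4, "big"))
        stream += hmac.new(ck, header, hashlib.sha256).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, stream))

def f9_stand_in(ik: bytes, count: int, fresh: int, direction: int, message: bytes) -> bytes:
    """MAC shape of f9: 32-bit MAC-I over COUNT || FRESH || MESSAGE || DIRECTION under IK."""
    body = count.to_bytes(4, "big") + fresh.to_bytes(4, "big") + message + bytes([direction & 1])
    return hmac.new(ik, body, hashlib.sha256).digest()[:4]

def ue_protect(ck: bytes, ik: bytes, count: int, bearer: int, direction: int, fresh: int,
               message: bytes) -> Tuple[bytes, bytes]:
    """User equipment side: MAC-I over the plaintext signaling message, then f8 encryption."""
    mac_i = f9_stand_in(ik, count, fresh, direction, message)
    ciphertext = f8_stand_in(ck, count, bearer, direction, message)
    return ciphertext, mac_i

def rnc_receive(ck: bytes, ik: bytes, count: int, bearer: int, direction: int, fresh: int,
                ciphertext: bytes, mac_i: bytes) -> Tuple[bytes, bool]:
    """RNC side: f8 decryption, then XMAC-I recomputation and constant-time comparison."""
    plaintext = f8_stand_in(ck, count, bearer, direction, ciphertext)
    xmac_i = f9_stand_in(ik, count, fresh, direction, plaintext)
    return plaintext, hmac.compare_digest(xmac_i, mac_i)

# Constructed sample values (128-bit CK and IK as in UMTS; the message text is made up).
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
MESSAGE = b"LOCATION UPDATING REQUEST lac=0x1234"

def demo() -> Dict[str, bool]:
    """An intact frame passes. A frame with one bit corrupted on the air interface
    decrypts to a message that differs in exactly that bit, which f8 alone cannot
    notice but f9 rejects. A valid frame presented under a later COUNT also fails,
    since COUNT feeds both algorithms."""
    count, bearer, direction, fresh = 7, 3, 0, 0x5EED
    ct, mac_i = ue_protect(CK, IK, count, bearer, direction, fresh, MESSAGE)
    pt, ok = rnc_receive(CK, IK, count, bearer, direction, fresh, ct, mac_i)
    corrupted = bytearray(ct)
    corrupted[-1] ^= 0x01
    pt2, ok2 = rnc_receive(CK, IK, count, bearer, direction, fresh, bytes(corrupted), mac_i)
    _, ok3 = rnc_receive(CK, IK, count + 1, bearer, direction, fresh, ct, mac_i)
    return {
        "intact_accepted": ok and pt == MESSAGE,
        "corruption_detected": (not ok2) and pt2[:-1] == MESSAGE[:-1] and pt2 != MESSAGE,
        "stale_count_rejected": not ok3,
    }
```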
5.4 Wireless Application Protocol (WAP)
Since one of the most important services provided by 3G systems is access to the Internet, it is important to understand the security mechanisms of the protocol used to access the Internet. WAP is an open specification which enables mobile users to access the Internet. This protocol is independent of the underlying network, e.g. WCDMA, CDMA2000 etc., and also independent of the underlying operating system, e.g. Windows CE, Palm OS etc. The first generation is known as WAP1, which was released in 1998. WAP1 assumes that the mobile devices are low on power and other resources, and therefore that the devices can be simple while sharing the security responsibilities with the gateway devices. The second generation is known as WAP2 and was released in 2002. WAP2 assumes that the mobile devices are powerful and can therefore directly communicate with the servers. Figure 19 [18] shows the protocol stack for WAP1 and WAP2.
Figure 19: WAP1, WAP2 Protocol Stack
A brief description of each layer is as follows:
1. Wireless Application Environment (WAE): This provides an environment for
running web applications or other WAP applications.
2. Wireless Session Protocol (WSP): This is similar to the HTTP protocol and
provides data transmissions with small sizes so that WAP1 clients can process the
data with less complexity.
3. Wireless Transaction Protocol (WTP): This is responsible for providing
reliability.
4. Wireless Transport Layer Security (WTLS): This is responsible for providing
security features such as authentication, confidentiality, integrity etc. between a
WAP1 client and the WAP gateway.
5. Wireless Datagram Protocol (WDP): This provides the underlying transport
service.
6. Hypertext Transfer Protocol (HTTP): A standard protocol used to transmit web
pages.
7. Transport Layer Security (TLS): This layer provides security features such as
authentication, confidentiality, integrity etc. In WAP1, this is between the WAP1
gateway and the server. In WAP2 this is between the WAP2 client and the server.
8. Transport Control Protocol (TCP): Standard transport protocol used to provide
reliability over IP.
9. Internet Protocol (IP): Protocol used to route data in a network.
10. Bearer Protocol: This is the lowest level protocol and can be any wireless
technique such as GSM, CDMA etc.
Cipher Suite in WTLS: This suite provides a key-establishment protocol, a bulk encryption algorithm and a MAC algorithm. In SSL/TLS these are used together, in
WTLS each can be used independently.
Key Exchange Suite: This protocol is responsible for establishing a secret key between a client and the server. An example is the RSA key suite, which consists of the following steps: the WAP gateway sends a certificate consisting of the gateway's RSA public key, signed by the certification authority's private key. The client checks the validity of the certificate authority's signature. If invalid, the communication is aborted. If valid, the user generates a secret value and encrypts it with the gateway's public key. Both sides can then calculate their common keys using the secret value.
Bulk Encryption and MAC Suite: Bulk encryption is used for data confidentiality and the
MAC is used for integrity. The common key that we calculated in the key exchange suite can be used for both purposes. For bulk encryption, algorithms such as DES, 3DES,
IDEA and RC5 are used. For integrity WTLS uses the HMAC algorithm which uses either SHA-1 or MD5 twice.
WAP-Profiled TLS: WAP2 uses the WAP-profiled TLS, which consists of a cipher suite, an authentication suite, tunneling capability, and session identification and session resume. The cipher suite consists of key establishment (e.g. RSA), encryption (e.g. DES) and integrity (SHA-1 for MAC calculation). A session identifier is chosen by the server to identify a particular session with the client. Server and client authentication is done using certificates, similar to WTLS. Tunneling is a mechanism set up between the client and the server so that they can communicate even if the underlying network layers are different.
WAP Identity Module: WIM (WAP Identity Module) is a method of identification in WAP. It enables the device to separate its identification from WAP, so a device can be updated without any changes to the telephone number or billing information. WIM provides operations such as key generation, random numbers, signing, decryption, key exchange, storing certificates etc.
A Look at Security in 4G:
4G is the next generation after 3G. Some of the 4G services talked about are incorporating quality of service (QoS) and mobility. There is also a concept of "always best connected", which means that the terminal will always select the best possible access available. 4G will also make use of the IPv6 address scheme. This might make it possible for each cell device to have its own IP address. Currently, the problem of security is solved by using multiple layers of encryption in the protocol stack. There are disadvantages in this scheme such as wasted power, wasted energy and a larger transmission delay. In 4G there will be a concept of interlayer security where only one layer will be configured to do encryption on data. [21]
Chapter 6
COMPARISON OF CANDIDATE NETWORK PROTOCOLS FOR NAN
6.1 Introduction
When we consider the network protocols in contention for implementing the Neighborhood Area Network, they can be classified by type of connectivity into wired and wireless networks. Cellular networks, which fall under the category of wireless networks, are relatively cheaper to implement, scalable, have a wider coverage area, have no cables hanging around as wired networks do, and are easy to set up without a great deal of networking experience. Cellular and other wireless networks have many other advantages over wired networks: mobility, more flexibility, easier use, and economical deployment and maintenance. On the downside, they are not as reliable and secure as wired networks. They are also subject to radio interference due to obstacles, weather and other wireless devices. For wireless networks the medium of transmission is electromagnetic radiation, and wireless devices are constrained to operate in a certain frequency band. Each band has an associated bandwidth, which is simply the amount of frequency space in the band. Advantages of wired networks include reliability, quality of service, security, cost effectiveness and speed, while the disadvantages include difficulty of installation, scalability slowing down the network, and disorganized cables requiring more maintenance. Let us first consider the players in the wireless category of communication protocols for Smart Grid.
For Smart Grid, a careful choice has to be made in selecting a protocol for the data and control information exchanges. This information exchange involves highly confidential consumer information, so customer privacy has to be protected. As far as the control information is concerned, security is the highest priority: if misused, it would lead to financial loss and could sometimes prove to be fatal.
With the above discussed points in consideration, we could consider the following
protocols that could find a place in the communication arena of Smart Grid. They
are IEEE 802.11, 802.15.4 and 802.16, ANSI C12.22, 3G, Mesh Networks,
optical fiber communication, and power line communication.
6.2 IEEE 802.11
IEEE 802.11 is the set of standards defining wireless local area network communications operating in the 2.4GHz, 3.6GHz or 5GHz frequency bands. These are defined and updated by the IEEE LAN/MAN standards committee. IEEE 802.11 includes Wi-Fi [Wireless Fidelity] and its faster cousin IEEE 802.11g. The current version is IEEE 802.11-2007, and the other common and most implemented versions are IEEE 802.11a, b, g and n. IEEE 802.11 uses the radio wave physical layer. The bands of operation of these protocols are set by the ITU [International Telecommunication Union] for radio communication. The ISM [Industrial, Scientific and Medical] bands are usually license-free provided that the devices are low-power. IEEE 802.11b/g operates at 2.4GHz, while IEEE 802.11a operates at 5GHz.
A summary of each standard, its associated speed and its frequency band is reported in Table 2.

IEEE Standard   Speed                 Frequency Band
802.11          1 Mbps, 2 Mbps        2.4 GHz
802.11a         Up to 54 Mbps         5 GHz
802.11b         5.5 Mbps, 11 Mbps     2.4 GHz
802.11g         Up to 54 Mbps         2.4 GHz
802.11n         Up to 300 Mbps        2.4/5 GHz

Table 2: IEEE 802.11 Standards and their Variations
IEEE 802.11 adds a number of management features that differentiate it from wired networks. Stations have a 48-bit MAC [Media Access Control] address and look like Ethernet network interface cards. These addresses are from the same address pool as Ethernet, to maintain uniqueness and compatibility when wireless networks are deployed alongside wired networks.
802.11 FRAMING
Framing in wireless is not as simple as in the wired case, since it involves several management features. There are three types of frames, namely:
DATA FRAMES
Data frames can be of different types depending on the network and function; they carry data from station to station. One type is data used for contention-based or contention-free service. Another type carries frames that perform management functions. A generic data frame format is shown in Figure 20 [22].
Figure 20: Generic Data Frame
As shown in Figure 20 [22], the data frame contains frame control, sequence control and FCS [Frame Check Sequence] fields. The FCS field is referred to as the cyclic redundancy check because of the underlying mathematical operations. The Sequence Control field is a 16-bit field used for defragmentation and for discarding duplicate frames. It has two parts: a four-bit Fragment Number and a 12-bit Sequence Number [See Figure 20] [22]. The Frame Control field has many other components, as shown in Figure 21.
Figure 21: Frame Control field
The Protocol Version field indicates the version of the 802.11 MAC contained in the frame. The Type and Subtype fields indicate the type and subtype of the frame. ToDS and FromDS indicate whether the frame is destined for a distribution system. The Power Management field indicates whether the sender will be in power-saving mode after the exchange of the current frame. The Protected Frame field indicates whether protection is enabled by the link layer. The Order bit indicates whether strict ordering delivery is implemented.
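A parser for the fields just described (Frame Control, Sequence Control and FCS of a generic data frame), as an added example that is not from the thesis or from any 802.11 implementation. It assumes the IEEE 802.11 MAC header bit layout (little-endian 16-bit fields) and that the FCS is the same CRC-32 as Ethernet, which zlib.crc32 computes; the addresses and frames are constructed. The last function is a defender's use of the Protected Frame bit: on a WLAN that requires WPA, a data frame without it is an anomaly worth logging.

```python
"""Parser for 802.11 data frame fields: Frame Control, Sequence Control and FCS.
Added example, not from the thesis or any 802.11 stack. Bit positions follow the IEEE
802.11 MAC header (16-bit little-endian: Protocol Version b0-1, Type b2-3, Subtype
b4-7, ToDS b8, FromDS b9, Power Mgmt b12, Protected Frame b14, Order b15). The FCS
is the Ethernet CRC-32 that zlib.crc32 computes. Sample frames are constructed.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class FrameControl:
    protocol_version: int
    frame_type: int            # 0 management, 1 control, 2 data
    subtype: int
    to_ds: bool
    from_ds: bool
    power_management: bool
    protected_frame: bool
    order: bool

def parse_frame_control(raw: bytes) -> FrameControl:
    (fc,) = struct.unpack("<H", raw[:2])
    return FrameControl(
        protocol_version=fc & 0x3, frame_type=(fc >> 2) & 0x3, subtype=(fc >> 4) & 0xF,
        to_ds=bool(fc & 0x0100), from_ds=bool(fc & 0x0200),
        power_management=bool(fc & 0x1000), protected_frame=bool(fc & 0x4000),
        order=bool(fc & 0x8000))

def parse_sequence_control(raw: bytes) -> Tuple[int, int]:
    """Returns (fragment_number, sequence_number): low 4 bits and high 12 bits."""
    (sc,) = struct.unpack("<H", raw[:2])
    return sc & 0xF, sc >> 4

def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

@dataclass
class DataFrame:
    fc: FrameControl
    duration: int
    addr1: str
    addr2: str
    addr3: str
    addr4: Optional[str]
    fragment_number: int
    sequence_number: int
    body: bytes
    fcs_ok: bool

def parse_data_frame(frame: bytes) -> DataFrame:
    """Splits header, body and FCS. The FCS only detects transmission errors: anyone
    can recompute a CRC, so it is no substitute for the MIC that WPA adds."""
    if len(frame) < 28 or parse_frame_control(frame[:2]).frame_type != 2:
        raise ValueError("not a complete 802.11 data frame")
    fc = parse_frame_control(frame[:2])
    (duration,) = struct.unpack("<H", frame[2:4])
    frag, seq = parse_sequence_control(frame[22:24])
    offset, addr4 = 24, None
    if fc.to_ds and fc.from_ds:          # fourth address only in bridged (WDS) frames
        addr4, offset = mac_str(frame[24:30]), 30
    body, fcs = frame[offset:-4], frame[-4:]
    fcs_ok = struct.unpack("<I", fcs)[0] == zlib.crc32(frame[:-4])
    return DataFrame(fc, duration, mac_str(frame[4:10]), mac_str(frame[10:16]),
                     mac_str(frame[16:22]), addr4, frag, seq, body, fcs_ok)

def build_data_frame(fc_value: int, duration: int, addr1: bytes, addr2: bytes, addr3: bytes,
                     fragment: int, sequence: int, body: bytes) -> bytes:
    """Assembles a three-address data frame and appends a correct FCS (test helper)."""
    header = struct.pack("<HH", fc_value, duration) + addr1 + addr2 + addr3
    header += struct.pack("<H", ((sequence & 0xFFF) << 4) | (fragment & 0xF))
    payload = header + body
    return payload + struct.pack("<I", zlib.crc32(payload))

def unprotected_data_frames(frames: List[bytes]) -> List[str]:
    """Returns Address 2 (transmitter) of valid data frames whose Protected Frame bit is clear."""
    flagged = []
    for raw in frames:
        try:
            parsed = parse_data_frame(raw)
        except ValueError:
            continue
        if parsed.fcs_ok and not parsed.fc.protected_frame:
            flagged.append(parsed.addr2)
    return flagged

# Constructed sample addresses and frames (locally administered MAC prefix 02:...).
AP = bytes.fromhex("02aabbccdd01")
STA_OK = bytes.fromhex("02aabbccdd02")
STA_BAD = bytes.fromhex("02aabbccdd03")
FC_DATA_TODS_PROTECTED = 0x4108   # type=data, ToDS, Protected Frame set
FC_DATA_TODS_PLAIN = 0x0108       # type=data, ToDS, no protection
SAMPLE_FRAMES = [
    build_data_frame(FC_DATA_TODS_PROTECTED, 44, AP, STA_OK, AP, 0, 100, b"\x17" * 24),
    build_data_frame(FC_DATA_TODS_PLAIN, 44, AP, STA_BAD, AP, 0, 7, b"\xaa\xaa\x03" + b"\x00" * 21),
]
```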
CONTROL FRAMES: These perform area-clearing operations, channel acquisition, positive acknowledgement and carrier-sensing maintenance functions. They use the same fields as the Frame Control field [See Figure 21] [22].
MANAGEMENT FRAMES: These perform the functions that take care of joining and leaving networks and of moving association from one access point to another. This is done by splitting the procedure into three parts. First, the mobile station must locate a compatible wireless network to use for access. Next, it must be authenticated with the network to get itself identified and connect to the network. Finally, a mobile station will be associated with a network to gain access.
802.11 SECURITY ARCHITECTURE
One of the major features of wireless networks is the ease of connection. This is because
802.11 networks announce their existence with the aid of beacon frames. To protect
against unauthorized access to the network we have to apply access control. It could be
done at various steps as follows:
STATION AUTHENTICATION: Before joining an 802.11 network, station authentication is performed using shared key authentication or sometimes using MAC address filtering to filter out unauthorized clients by MAC address.
LINK LAYER SECURITY: Link-layer authentication is transparent to network
protocols, and will work for any network protocol chosen. Networks are increasingly
homogenous and are based on IP. Link-layer authentication can be used to secure both IP
and IPX. Link Layer Security has a very small foot print and can be easily integrated with
the network interface cards, access point devices and mobile devices. WPA is an industry
standard for providing strong link layer security to WLANs, and supports two
authenticated key management protocols using the Extensible Authentication Protocol
[EAP]. WPA also requires data frame encryption using TKIP [Temporal Key Integrity
Protocol] and message integrity using a Message Integrity Check [MIC].
NETWORK OR TRANSPORT LAYER SECURITY: Network layer security provides end-to-end security across a routed network and can provide authentication, data integrity, and encryption services. These services are provided for IP traffic only. IPSec is a standard network layer security protocol which provides a standard and extensible method of securing the network layer (IP) and upper layer protocols such as TCP and UDP. It can also be used between routers or IPSec gateways. Firewalls can be used to isolate untrusted networks and authenticate users. Also, VPN termination devices can supply encryption over untrusted networks. [5]
6.3 IEEE 802.16
WiMAX [Worldwide Interoperability for Microwave Access] is a trade name for the IEEE 802.16 standard. WiMAX provides wireless transmission of data in a variety of modes, including point-to-multipoint links. It is also called the Last Mile Connectivity of Broadband Wireless Access [BWA], with a range of around 30 miles and a data transfer rate of up to 280Mbps, with the ability to support data, voice and video. Its operating range is anywhere from 2GHz to 66GHz. It does not require LOS [Line Of Sight]. A version of IEEE 802.16, IEEE 802.16e, adds mobility features operating in the 2-11 GHz licensed bands. Hence it allows fixed and mobile Non Line of Sight [NLOS] applications, primarily to enhance OFDMA [Orthogonal Frequency Division Multiple Access]. To summarize, the salient features of WiMAX are:
• It enhances Orthogonal Frequency Division Multiple Access [OFDMA] by allowing fixed and mobile Non Line of Sight [NLOS] applications.
• QUALITY OF SERVICE [QoS]
• HIGH DATA RATES: Multiple Input and Multiple Output [MIMO] along with flexible sub-channelization schemes, coding and adaptive modulation help mobile WiMAX technology to support downlink [DL] data rates up to 128 Mbps per sector and peak uplink [UL] data rates up to 56Mbps per sector in 20MHz bandwidth.
• SCALABILITY: Mobile WiMAX has the capability of operating in scalable bandwidths from 1.25 to 20MHz by utilizing Scalable OFDMA [SOFDMA].
• SECURITY: The most advanced security features include Extensible Authentication Protocol [EAP], Advanced Encryption Standard [AES], Cipher-Based Message Authentication Code [CMAC] and Hashed Message Authentication Code [HMAC].
A WiMAX system has two major components:
• BASE STATION: high speed electronics on a tower similar to a cell-phone tower. A base station provides coverage over an area called a cell, with a radius of up to 30 miles.
• RECEIVER: an antenna, a stand-alone box or a PCMCIA [Personal Computer Memory Card International Association] card in a computer; also referred to as Customer Premise Equipment [CPE].
IEEE 802.16e only defines the air interface. The end-to-end WiMAX network is defined by the WiMAX Forum's Network Working Group [NWG], which develops the requirements, architecture and protocols for WiMAX using IEEE 802.16e-2005 as the air interface.
IP BASED WIMAX NETWORK ARCHITECTURE:
The overall network [See Figure 22] [23] could be divided into the following logical parts
for an IP based WiMAX Network Architecture:
• MOBILE STATIONS [MS]: used by end users to access the network.
• BASE STATIONS [BS]: provide the air interface to the mobile stations and are also responsible for key management, session management and acting as Dynamic Host Configuration Protocol [DHCP] proxy.
Figure 22: IP based WiMAX Network Architecture
• ACCESS SERVICE NETWORK [ASN]: one or more base stations together with one or more ASN gateways form the Radio Access Network [RAN]. The ASN gateway handles intra-ASN location management and paging, radio resource management and admission control, caching of subscriber profiles and encryption keys, establishment and management of the mobility tunnel to the base stations, Quality of Service [QoS] and policy enforcement, and routing to the selected Connectivity Service Network [CSN].
• CONNECTIVITY SERVICE NETWORK [CSN]: provides connectivity to the internet, public networks and corporate networks, and handles per-user policy, security and IP address management.
The WiMAX network is based on the following principles [23]:
• SPECTRUM: can be deployed in both licensed and unlicensed spectrum.
• TOPOLOGY: supports a range of Radio Access Network [RAN] topologies.
• INTERNETWORKING: enables internetworking with Wi-Fi and 3GPP networks (3GPP, the 3rd Generation Partnership Project, is responsible for the specification, maintenance and development of the Global System for Mobile communication [GSM] and its successors).
• IP CONNECTIVITY: supports IPv4 and IPv6 interconnects in clients and application servers.
• MOBILITY MANAGEMENT: supports both fixed and mobile access and delivery of broadband multimedia services.
WIMAX SECURITY:
Security is handled by the Privacy Sublayer of the WiMAX MAC. Its primary features are:
• PRIVACY: Traffic is encrypted with Advanced Encryption Standard [AES] or 3DES [Triple Data Encryption Standard]. The 128-bit and 256-bit keys from which the cipher keys are derived are established during the authentication phase and are refreshed periodically.
• AUTHENTICATION: To prevent unauthorized access, subscriber stations and users are authenticated with a flexible mechanism based on the Internet Engineering Task Force [IETF] Extensible Authentication Protocol [EAP], which supports credentials such as username and password, X.509 digital certificates (binding the subscriber identity and MAC address) and smart cards.
• KEY MANAGEMENT: Keys are transferred securely from the base station to the mobile station using the Privacy and Key Management Protocol version 2 [PKMv2], which periodically reauthorizes the station and refreshes the keys.
• INTEGRITY: Control messages are protected with a keyed message digest, either AES-based CMAC [Cipher-based Message Authentication Code] or SHA-1-based HMAC [Hashed Message Authentication Code]. [23]
6.4 IEEE 802.15.4
The IEEE 802.15.4 wireless networking standard has emerged as a key to robust, reliable and secure Home Area Network [HAN] deployments. One of the major players in the HAN for Smart Grid is ZigBee, which is built on IEEE 802.15.4. IEEE 802.15.4 defines the physical and medium access control layers for low data rate, short range wireless communication. Operation is defined in both the sub-1 GHz and the 2.4 GHz frequency bands using Direct Sequence Spread Spectrum [DSSS] signaling, with a raw data rate of up to 250 kbps. Links are point to point, with a range anywhere from tens to hundreds of meters depending on the output power and receive sensitivity of the transceiver. Applications of IEEE 802.15.4 include light control systems, environmental and agricultural monitoring, consumer electronics, energy management and comfort functions, automatic meter reading systems, industrial applications, and alarm and security systems.
IEEE 802.15.4 DEVICES
An IEEE 802.15.4 network has exactly one personal area network [PAN] coordinator. The specification describes two types of device that communicate to form the different network topologies: the full function device [FFD] and the reduced function device [RFD]. An FFD implements the complete protocol set and is capable of operating as a coordinator. An RFD runs a minimal implementation of the protocol; it can associate only with an FFD, whereas an FFD can communicate with both FFDs and RFDs. The PAN coordinator is the main controller of the network and can initiate or terminate associations.
IEEE 802.15.4 SECURITY [24]
IEEE 802.15.4 supports both a secure and a non-secure mode. In secure mode, devices use AES to implement the following services:
• ACCESS CONTROL: Each device keeps an access control list and accepts frames only from sources on that list.
• DATA ENCRYPTION: The payloads of beacon, data and command frames are encrypted with the AES algorithm using the network key.
• FRAME INTEGRITY: A Message Integrity Code [MIC] of 32, 64 or 128 bits, computed with AES over the frame using the network key, is appended to beacon, data and command frames. The receiver recomputes the MIC with its own copy of the key; a frame from an untrusted node that does not hold the key, or a frame modified in transit, produces a different MIC and is discarded. The MIC is a message authentication code and should not be confused with the MAC (medium access control) sublayer.
• SEQUENTIAL FRESHNESS: Every frame carries a frame counter. The receiver rejects a frame whose counter is equal to or less than the last counter it accepted from that source, which prevents replay attacks.
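The four services above as receive-side logic, in an added example written for this report (it is not code from the standard or from any ZigBee stack): the receiver keeps an access control list, recomputes the truncated MIC with the shared network key, and enforces the "equal or less is rejected" frame counter rule. The MIC check is the same keyed-digest verification the WiMAX section applies to control messages with CMAC or HMAC. The frame layout is simplified, and HMAC-SHA256 stands in for the AES-CCM* MIC the standard specifies (an assumption noted in the code); the key and frame bytes are constructed for the demonstration.

```python
"""Receive-side checks of an IEEE 802.15.4 secure-mode frame: access control
list, truncated Message Integrity Code (MIC-32/64/128) and sequential
freshness via the frame counter. Added example; not code from any 802.15.4
or ZigBee stack."""
import hashlib
import hmac
import struct

# Security level field of the auxiliary security header -> MIC length in bytes
# (32, 64 or 128 bits). Levels 1-3 are MIC only; levels 4-7 add encryption,
# which this example does not model.
SEC_LEVEL_MIC_LEN = {1: 4, 2: 8, 3: 16}
# Simplified header: source short address, 32-bit frame counter, security level.
HDR = struct.Struct(">HIB")


def compute_mic(key, src, counter, level, payload):
    """MIC over the fields a receiver must authenticate, truncated to the
    level's MIC length. ASSUMPTION: the standard derives the MIC with AES in
    CCM* mode; HMAC-SHA256 stands in here so the code runs on the standard
    library alone. The truncation and verification logic is unchanged."""
    mic_len = SEC_LEVEL_MIC_LEN[level]
    data = HDR.pack(src, counter, level) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:mic_len]


def build_frame(key, src, counter, level, payload):
    """Sender side: header || payload || MIC."""
    return HDR.pack(src, counter, level) + payload + compute_mic(
        key, src, counter, level, payload)


class Receiver:
    """One PAN device holding the network key and its per-source replay state."""

    def __init__(self, network_key, acl):
        self.key = network_key
        self.acl = set(acl)        # ACCESS CONTROL: addresses allowed to send to us
        self.last_counter = {}     # SEQUENTIAL FRESHNESS: last accepted counter per source

    def accept(self, frame):
        """Return (accepted, detail); detail is 'ok' or the reason for rejection."""
        if len(frame) < HDR.size + min(SEC_LEVEL_MIC_LEN.values()):
            return False, "malformed: frame too short"
        src, counter, level = HDR.unpack_from(frame)
        if src not in self.acl:
            return False, "access control: source not in ACL"
        if level not in SEC_LEVEL_MIC_LEN:
            return False, "unsupported security level %d" % level
        mic_len = SEC_LEVEL_MIC_LEN[level]
        payload, mic = frame[HDR.size:-mic_len], frame[-mic_len:]
        # Freshness is checked first (cheap, and a stale frame needs no crypto),
        # but the stored counter is advanced only after the MIC verifies;
        # otherwise a forged frame carrying a huge counter could lock out the
        # genuine sender.
        if counter <= self.last_counter.get(src, -1):
            return False, "freshness: counter %d not above last accepted" % counter
        expected = compute_mic(self.key, src, counter, level, payload)
        if not hmac.compare_digest(mic, expected):
            return False, "integrity: MIC mismatch"
        self.last_counter[src] = counter
        return True, "ok"


def demo():
    """Constructed traffic that exercises each check; returns the verdicts."""
    key = bytes(range(16))                     # constructed 128-bit network key
    rx = Receiver(key, acl=[0x0001, 0x0002])
    good = build_frame(key, 0x0001, 10, 2, b"kWh=42")
    rogue = build_frame(key, 0x0003, 11, 2, b"kWh=0")         # sender not on the ACL
    tampered = bytearray(build_frame(key, 0x0001, 11, 2, b"kWh=42"))
    tampered[HDR.size] ^= 0x01                                 # flip one payload byte
    stale = build_frame(key, 0x0001, 5, 2, b"kWh=41")          # counter went backwards
    enc_only = HDR.pack(0x0002, 1, 4) + b"x" + bytes(8)        # ENC level, no MIC
    next_good = build_frame(key, 0x0001, 11, 2, b"kWh=43")     # 11 still usable
    frames = [good, rogue, bytes(tampered), stale, good, enc_only, next_good]
    return [rx.accept(f) for f in frames]


if __name__ == "__main__":
    for accepted, detail in demo():
        print("ACCEPT" if accepted else "REJECT", detail)
```

The order of the checks matters in practice: the freshness test is done before the MIC so that replayed frames cost no cryptographic work, but the per-source counter is only stored once the MIC has verified. If the counter were advanced on the unverified value, a single forged frame with a high counter would make every later genuine frame look stale.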
6.5 Power Line Communication
Power line communication [PLC] uses the existing power lines, from the utility office to the home and within a home or building, to transmit data from one device to another. With good power line solutions one can communicate over the existing wiring without rewiring or modification, which makes PLC a cost effective means of networking devices. The signal, however, has to be carried at frequencies far above the 50 Hz to 400 Hz mains waveform the lines were designed for, and at those frequencies the lines are noisy and unreliable; legal restrictions on the usable frequency bands further limit the data rates. Power loss on the lines is proportional to the square of the current and to the line length. Earlier protocols such as X10, CEBus and LonWorks were used, but poor bandwidth utilization, low data rates (60 bps to 10 kbps) and frequency band restrictions made them unsuitable. HomePlug 1.0 was introduced to mitigate the unpredictable noise and provides an Ethernet-class network over the existing power lines at data rates of 1 to 14 Mbps. Research is under way to reach data rates of up to 100 Mbps, as needed for applications such as HDTV. The quality of the transmitted signal depends on the number of devices (air conditioners, televisions, hair dryers) switched on at a particular time, on the wiring architecture, and on the distance between transmitter and receiver. The key characteristics used to evaluate the performance of power line communication are:
1) Total number of components to complete a communication device and the cost
associated with it. This includes the cost of implementing an appropriate power supply.
2) The frequency spectrum it uses for communication and its compliance with regulations.
3) Communication performance in the presence of noisy devices like televisions, computers and hair dryers, whose distortion sometimes makes it impossible for the receiver to decode the transmitted signal.
The applications of power line communication could be as follows:
1) HOME AUTOMATION: PLC can connect home devices that have an Ethernet port through Powerline adapters. An adapter plugs into a wall outlet and connects to the home router over a CAT5 cable. Each receiver in the system has an address and can be individually commanded by signals transmitted over the household wiring and decoded at the receiver.
2) INTERNET ACCESS (Broadband over Power Line [BPL]): BPL is internet over power lines and has several advantages over DSL or cable internet, the most obvious being the already existing, ubiquitous wiring. Reusing it avoids the cost of running Ethernet cable in buildings and avoids the weaknesses of wireless networks: security, limited maximum throughput and the inability to power devices over the link.
3) AUTOMOTIVE: Power line technology enables an in-vehicle network that carries data, voice, music and video digitally over the direct current [DC] battery power line.
The major disadvantages of PLC are signal errors due to interference and attenuation. Interference from nearby devices degrades the signal, and devices in the signal path such as transformers, DC-DC converters and relays attenuate it. This can corrupt the data and control signals between the utility office and the customer. [25]
6.6 Optical Fiber Communication
Optical Fiber Communication [OFC] sends data from one place to another as light pulses through an optical fiber. The light acts as the carrier wave that is modulated to carry the information signal. Transmission involves creating an optical signal carrying the information at the transmitter, relaying the signal over the fiber, ensuring the signal does not weaken too much before it reaches the destination, and receiving the light and converting it back to an electrical signal at the destination.
Optical fiber offers lower attenuation and interference than electrical transmission, which is its advantage over long distances. OFC is used for telecommunication, television and internet signal transmission. Its disadvantage is that the required infrastructure is complex and expensive to install. OFC is chosen when the system requires high bandwidth and long distance communication; it can replace thousands of electrical links with a single higher bandwidth fiber, and its extremely low loss and effectively zero crosstalk are its major advantages over electrical transmission lines.
Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) are multiplexing WAN protocols that carry multiple digital bit streams over the same optical fiber using Light Emitting Diodes (LEDs) or lasers. SONET and SDH are closely related, circuit-mode protocols. They let several ISPs share the same fiber simultaneously without interfering with each other's traffic. They are physical layer protocols that offer continuous connections without packet-mode communication and are classified as time division multiplexing (TDM) protocols. Optical carrier levels are designated OC-x, where the rate is x times the OC-1 rate of 51.84 Mbps; OC-768, for example, runs at about 40 Gbit/s. [26]
6.7 Wireless Mesh Networks
Wireless Mesh Networks [WMN] are multi-hop wireless networks formed by mesh routers and mesh clients [See Figure 23]. Wireless mesh networking has emerged as a promising concept for meeting the challenges of next-generation wireless networks, providing a flexible, adaptive and reconfigurable architecture while offering cost-effective solutions to service providers.
Figure 23: Wireless Mesh Network [28]
The core nodes are the mesh routers, which form a wireless mesh backbone. The rich radio connectivity among mesh routers significantly reduces the up-front deployment cost and the subsequent maintenance cost. Mesh routers have limited mobility and forward the packets received from clients to the gateway router, which is connected to the backhaul network or internet. In addition to conventional router functions, mesh routers enable mesh networking and carry multiple interfaces of the same or different communication technologies as the deployment requires. They achieve more coverage for the same transmission power by using multi-hop communication through other mesh routers.
The physical layer in a WMN uses techniques such as orthogonal frequency division multiplexing [OFDM], ultra wide band [UWB], Multiple-Input Multiple-Output [MIMO] and smart antennas to improve capacity. Medium Access Control protocols for wireless networks operate over a single hop, while the routing protocols provide the multi-hop communication. WMN MAC protocols are categorized as single-channel and multi-channel MAC. [28]
Single-channel MAC protocols use variations of contention based access: a plain contention based protocol, a contention based protocol with a reservation mechanism, and/or a contention based protocol with a scheduling mechanism.
A multi-channel MAC protocol is a link layer protocol in which each node has only one radio interface but, to gain the advantage of multi-channel communication, the interface switches among channels automatically [29].
Wireless mesh networks are considered for a wide range of applications such as backhaul connectivity for cellular radio access networking, building automation, intelligent transport system networks, defense systems and surveillance systems.
The existing wireless networking technologies such as IEEE 802.11, IEEE 802.15 and
IEEE 802.16 are used to implement WMNs.
6.8 Cellular Network Over Other candidates
In order to achieve an efficient, scalable and cost effective implementation of the Neighborhood Area Network, Cellular communication is the best choice, since it fares well against its competitors on the criteria compared below.
Wi-Fi vs. Cellular:
As discussed in previous sections, IEEE 802.11/Wi-Fi in the smart devices and meters of the Smart Grid gives a satisfactory data transfer rate and security and is cost effective. Its coverage, however, is very small: a range of only up to half a mile is possible. This is unacceptable for NAN implementation, since smart devices and meters across consumer homes and businesses must be reachable over tens of miles to communicate with the utility offices serving the neighborhood. Cellular communication, on the other hand, has a huge infrastructure providing excellent coverage, and with the 3G and 4G standards it can provide high bandwidth data transfer over several miles.
Wi-Max vs. Cellular:
IEEE 802.16/WiMAX overcomes the coverage limitation of Wi-Fi. It has a range of up to 30-40 miles, can provide IP based communication, and offers satisfactory data transfer rates (30 Mbps) for implementing NAN. It is a strong contender and competes closely with Cellular networks. The only downside of WiMAX seems to be its high installation and maintenance cost: WiMAX equipment is expensive and not yet mass produced, unlike Cellular network devices, which are widely used and cheap. With 4G, the Cellular network can also provide IP based communication with higher security and bandwidth, which makes it a perfect match for NAN. [30]
IEEE 802.15.4 vs. Cellular:
IEEE 802.15.4 has the advantages of low power consumption and low cost of operation, but it cannot provide the wide coverage and high data transfer rate that NAN demands.
Optical Fiber vs. Cellular:
Optical fiber links provide sufficient data transfer rate, wide coverage and strong security mechanisms, but they fail to match Cellular networks on the cost of installation and maintenance. Optical fiber requires dedicated lines installed for the sole purpose of NAN, at high initial cost and with high recurring maintenance costs. Implementing NAN over Cellular networks, on the other hand, requires no dedicated lines or paths: an agreement with existing cellular carriers and a few additions or upgrades to infrastructure that is already built will bring communication between the smart devices and meters and the utilities. [5]
Power lines vs. Cellular:
Adding communication devices to the existing power grid to enable two way communication between smart devices, meters and the utility offices would require a complete remodeling of the existing infrastructure and the installation of brand new devices across the network. The devices would be expensive, since they would be custom made, and the time needed to complete such a project is untested and uncertain. With so many downsides, power lines can hardly match the low cost, easy integration and proven technology of Cellular communication.
Wireless Mesh vs. Cellular:
Wireless/RF Mesh seems to qualify for most of the NAN requirements, such as data transfer rate, coverage area, security and flexibility. But it suffers setbacks: mesh networks are not as widely used and popular as Cellular networks, RF Mesh would require the installation of brand new and expensive devices for NAN, and it does not enjoy the huge infrastructure that various carriers already have in place. [5]
Cellular Network wins:
With many advantages on its side, such as cost effectiveness, high transfer rate, wide coverage area, an existing huge infrastructure, security, scalability and reliability, the Cellular network is the ideal candidate for implementing the NAN that connects the smart devices and meters to the utilities and the grid. As discussed in Chapter 4, SMS would be the selected mode of communication.
Certain aspects need attention and improvement during implementation, such as the selection of cellular service providers based on technology (AT&T and T-Mobile for GSM and UMTS; Verizon and Sprint for CDMA and LTE). The selection can be based on cost, integration, mode of communication, coverage, security, devices and so on. Integration with the existing infrastructure, the security mechanism, and the smart devices and meters are the areas that need care during the implementation of NAN.
Table 3 summarizes the technologies discussed above that were considered for implementing the neighborhood area network for the Smart Grid. [5]
IEEE 802.11 (Wi-Fi)
Features: Data transfer rate 22 Mbps to 128 Mbps; Range up to 1/2 mile; Operating frequency 2.4 GHz to 5 GHz; Applications: Meters (AMI), Distribution Automation [DA]
Advantages: Low device cost; suitable for mesh topology; low latency
Disadvantages: Not yet proven for Smart Grid deployment

IEEE 802.16 (WiMAX)
Features: Data transfer rate 30 Mbps; Range up to 50 km; Operating frequency 2 GHz to 3 GHz; Applications: Meters (AMI), DA, mobile workforce management
Advantages: Low latency; high bandwidth
Disadvantages: High equipment or device cost; not yet proven for Smart Grid deployment

IEEE 802.15.4
Features: Data transfer rate 250 kbps; Range 100+ meters; Operating frequency sub-1 GHz and 2.4 GHz; Applications: Meters (AMI), HAN
Advantages: Suitable for mesh topology; low power consumption
Disadvantages: Lower data rates; short range coverage

Cellular
Features: Range up to 50 km; Operating frequency 900 MHz to 2.4 GHz; Applications: Meters (AMI), DA, mobile workforce management
Advantages: Uses existing networks; low capital investment; short time-to-market; low module cost
Disadvantages: No direct utility control over the network; moderate performance

Leased Lines (e.g. SONET)
Features: Data transfer rate 1.5 Mbps to 155 Mbps; Range variable; Operating frequency: wired (fiber or copper cables); Applications: Substations, DA
Advantages: High performance; robust
Disadvantages: High recurring cost; no direct utility control; not available at all sites

Broadband over Power Lines
Features: Data transfer rate 256 kbps to 10 Mbps; Range variable; Operating frequency 1.8 to 80 MHz (electric carrier); Applications: Substations, DA
Advantages: Low recurring cost; robust
Disadvantages: High initial investment; expensive devices; not widely implemented; not reliable

RF Mesh
Features: Data transfer rate up to 1 Mbps; Range variable; Operating frequency variable; Applications: Meters (AMI), DA
Advantages: Customizable to specific needs; self healing and self organizing; low cost
Disadvantages: Proprietary; expensive devices; unpredictable latencies
Table 3: Summary of Technologies for NAN
Chapter 7
CONCLUSION
7.1 Project Results
This project focused on the implementation of the Neighborhood Area Network [NAN], which carries Home-to-Home and Home-to-Grid communication in the Smart Grid. The requirements and characteristics of a NAN were identified, and Cellular communication was studied as an implementation candidate.
Protocols and standards in Cellular communication, GSM and CDMA from the 2nd Generation, UMTS and WCDMA from the 3rd Generation, and LTE from 4G, were discussed. The security architecture and the issues associated with each protocol were examined. The 4G protocols were found to have enhanced security features, bandwidth, data transfer rate and technical advancements compared with previous generations, so when Cellular communication is chosen for NAN implementation, 4G would be the ideal choice.
Short Message Service (SMS), the mode of communication chosen between the smart devices and meters and the utility offices and grid, was discussed: its implementation details and operation, its vulnerabilities, and examples of attacks and defenses. SMS is an ideal choice for NAN communication in the Smart Grid mainly because only data, and no voice, is exchanged between the devices involved; this also saves bandwidth, since no voice communication takes place over the NAN. It is concluded that SMS communication, with security best practices followed, would give an efficient NAN implementation in the Smart Grid.
Advancements and enhancements in cellular technology over generations (2G, 3G, and
4G) are discussed.
The comparison of Cellular networks with the other candidates for NAN implementation was carried out, listing factors such as reliability, coverage, security, power efficiency, cost and scalability of the contending protocols. An effective choice of implementation protocol should be made on parameters such as cost of implementation, security, coverage area and integration with different technologies and standards, as detailed in this report. Where a combination of technologies is chosen to implement subdivisions of the NAN, this report serves as a reference document or guide for the implementation. It is finally concluded that the Cellular network is the ideal match for NAN implementation, being cost effective, wide in coverage, high in transfer rate, secure, scalable and flexible.
7.2 Challenges and Outstanding Works
The project has covered various areas of Cellular communication and the SMS mode of communication. The networking concepts and the protocols involved were initially a challenge to understand and took considerable time to study. The security aspects, and the list of attacks and defenses, were interesting to learn and discuss.
7.3 Future Works and Potential Research Topics
There is potential research in areas such as the 4G protocols, where most of the innovation and advancement in the cellular domain is happening. IP based networks, with their dynamic routing and bandwidth sharing properties, are another research area to examine before deciding on their use for the NAN in the Smart Grid. Security best practices to follow when implementing the networks discussed above remain to be worked out.
APPENDIX
Glossary
AES Advanced Encryption Standard
AMI Advanced Metering Infrastructure
AMR Automatic Meter Reading
ANSI American National Standards Institute
AP Access Point
BPL Broadband over Power Line
BPSK Binary Phase Shift Keying
BS Base Station
CDMA Code Division Multiple Access
CMAC Cipher-based Message Authentication Code
CRC Cyclic Redundancy Check
CSN Connectivity Service Network
DC Direct Current
DL Downlink
DoS Denial of Service
DSSS Direct Sequence Spread Spectrum
FCS Frame Check Sequence
FDD Frequency Division Duplexing
FFD Full Function Device
FHSS Frequency Hopping Spread Spectrum
GSM Global System for Mobile communication
HAN Home Area Network
HSDPA High Speed Downlink Packet Access
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
ITU International Telecommunication Union
LAN Local Area Network
LLC Logical Link Control
LoS Line of Sight
MAC Medium Access Control
MAN Metropolitan Area Network
MIC Message Integrity Code
MS Mobile Station
NAN Neighborhood Area Network
NIST National Institute of Standards and Technology
NLoS Non Line of Sight
NWG Network Working Group
OFC Optical Fiber Communication
PHY Physical Layer
PKM Privacy and Key Management
PLC Power Line Communication
QoS Quality of Service
RAN Radio Access Network
RFD Reduced Function Device
SAP Service Access Point
SIM Subscriber Identity Module
SMS Short Message Service
TCP Transmission Control Protocol
TDD Time Division Duplexing
TDM Time Division Multiplexing
TMSI Temporary Mobile Subscriber Identity
UL Uplink
UMTS Universal Mobile Telecommunications System
VLR Visitor Location Register
WEP Wired Equivalent Privacy
Wi-Fi Wireless Fidelity
WiMAX Worldwide Interoperability for Microwave Access
WMN Wireless Mesh Network
WNAN Wireless Neighborhood Area Network
WPA Wi-Fi Protected Access
REFERENCES
[1] National Institute of Standards and Technology, US Dept of Commerce, "NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0". [Online]. Available: http://www.nist.gov/public_affairs/releases/smartgrid_interoperability.pdf
[2] Dean Prochaska, National Coordinator for Smart Grid Conformance, National Institute of Standards and Technology, "NIST Smart Grid Updates", September 16, 2009. [Online]. Available: http://trade.gov/td/energy/Smart%20Grid%20NIST.pdf
[3] Office of Electricity Delivery and Energy Reliability, US Department of Energy, "The Smart Grid: An Introduction". [Online]. Available: http://www.oe.energy.gov/DocumentsandMedia/DOE_SG_Book_Single_Pages.pdf
[4] Consumer Energy Report, Smart Grid image. [Online]. Available: http://www.consumerenergyreport.com/wp-content/uploads/2010/04/smartgrid.jpg
[5] "Analysis of Communication Protocols for Neighborhood Area Network for Smart Grid". [Online]. Available: http://csus-dspace.calstate.edu/xmlui/browse?value=Ghansah%2C+Isaac&type=thesisAdvisor
[6] "Residential Energy Gateway System in Smart Grid". [Online]. Available: http://csus-dspace.calstate.edu/xmlui/browse?value=Ghansah%2C+Isaac&type=thesisAdvisor
[7] Tropos GridCom, "A Wireless Distribution Area Network for Smart Grids", white paper. [Online]. Available: http://www.smartgridnews.com/artman/uploads/1/distribution_automation_tropos_maybe.pdf
[8] [Online]. Available: http://www.sensorsmag.com/files/sensor/nodes/2008/1526/Figure2.jpg
[9] Wikipedia, "Cellular network". [Online]. Available: http://en.wikipedia.org/wiki/Cellular_network
[10] Brian Krebs, "Security Fix: Research May Hasten Death of Mobile Privacy Standard", blog.washingtonpost.com. [Online]. Available: http://blog.washingtonpost.com/securityfix/2008/02/research_may_spell_end_of_mobi.html
[11] "A Second GSM Cipher Falls", Threatpost. [Online]. Available: http://threatpost.com/en_us/blogs/second-gsm-cipher-falls-011110
[12] Suzanne Tindal, "Telstra boosts Next G to 21Mbps", ZDNet Australia, 8 December 2008. [Online]. Available: http://www.zdnet.com.au/news/communications/soa/Telstra-boosts-Next-G-to-21Mbps/0,130061791,339293706,00.htm. Retrieved 2009-03-16.
[13] Wikipedia, "UMTS security". [Online]. Available: http://en.wikipedia.org/wiki/UMTS_security
[14] [Online]: Common Pilot Channel
[15] Ericsson, "LTE – an introduction", 2009. [Online]. Available: http://www.ericsson.com/res/docs/whitepapers/lte_overview.pdf
[16] "Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks", IEEE/ACM Transactions on Networking, vol. 17, no. 1, February 2009.
[17] [Online]. Available: http://www1.cse.wustl.edu/~jain/cse574-06/ftp/cellular_security/index.html#gen
[18] H. Imai et al., "Wireless Communications Security", Boston: Artech House, 2006.
[19] E. Fernandez et al., "Some Security Issues of Wireless Systems", Advanced Distributed Systems: 5th International School and Symposium, ISSADS 2005, Guadalajara, Mexico, January 24-28, 2005, Revised Selected Papers. [Online]. Available: http://www1.cse.fau.edu/%7Eed/Fernandez_ISSADS2005Final.pdf
[20] T. Balderas-Contreras et al., "Security Architecture in UMTS Third Generation Cellular Networks", Coordinación de Ciencias Computacionales, INAOE, Technical Report CCC-04-002, 27 February 2004. [Online]. Available: http://ccc.inaoep.mx/Reportes/CCC-04-002.pdf
[21] G. Carneiro, "Cross-Layer Design in 4G Wireless Terminals", IEEE Wireless Communications, 2004. [Online]. Available: http://paginas.fe.up.pt/~mricardo/doc/journals/crossLayerDesign.pdf
[22] Matthew Gast, "802.11 Wireless Networks: The Definitive Guide", O'Reilly, ISBN 0-596-10052-3.
[23] [Online]. Available: http://www.tutorialspoint.com/WiMAX/WiMAX_technology.htm
[24] [Online]. Available: http://en.wikipedia.org/wiki/Visitors_Location_Register#Visitor_location_register_.28VLR.29
[25] [Online]. Available: http://en.wikipedia.org/wiki/Power_line_communication
[26] [Online]. Available: http://en.wikipedia.org/wiki/Fiber-optic_communication
[27] A. Geriks, J. Purcell, "A Survey of Wireless Mesh Networking Security Technology and Threats", SANS Institute, September 2006.
[28] [Online]. Available: http://www.nicta.com.au/research/project_list/completed_projects/smart_applications_for_emergencies/networks/mesh
[29] Yan Zhang, Jun Zheng, Honglin Hu, "Security in Wireless Mesh Networks", CRC Press, 2009.
[30] [Online]. Available: http://en.wikipedia.org/wiki/WiMAX