ANALYSIS OF CELLULAR DATA FOR NEIGHBORHOOD AREA NETWORK FOR SMART GRID

Harish Maiya B.E., Visveswaraiah Technological University, Karnataka, India, 2006

PROJECT

Submitted in partial satisfaction of the requirements for the degree of

MASTER OF SCIENCE

in

COMPUTER ENGINEERING

at

CALIFORNIA UNIVERSITY, SACRAMENTO

SPRING 2011

ANALYSIS OF CELLULAR FOR NEIGHBORHOOD AREA NETWORK FOR SMART GRID

A Project

by

Harish Maiya

Approved by:

______, Committee Chair Isaac Ghansah, Ph.D.

______, Second Reader Fethi Belkhouche, Ph.D.

______Date


Student: Harish Maiya

I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the and credit is to be awarded for the Project.

______, Graduate Coordinator ______Suresh Vadhva, Ph.D. Date

Department of Engineering


Abstract

of

ANALYSIS OF CELLULAR DATA COMMUNICATION FOR NEIGHBORHOOD AREA NETWORK FOR SMART GRID

by

Harish Maiya

The infrastructure of a Smart Grid system relies on communication between the electricity producer and consumer domains. The consumer domain consists of the Neighborhood Area Network, which connects the smart meters installed at consumers' homes or businesses, and the Home Area Network, which connects all appliances at home, to the Utility AMI Network (on the producer side). A few candidate protocols considered for implementing the Neighborhood Area Network (NAN) are cellular communication, IEEE 802.11, 802.16, 802.15.4, optical fiber networks and power line networks.

The project aims to provide an analysis of cellular data considering its different standards, details, advantages, disadvantages, security issues, reliability, time-critical communication, maintenance, power and cost factors. Studies are conducted on standards in cellular communication such as CDMA, GSM, () UMTS, WCDMA () and protocols, gauging factors of , coverage and resource usage, in order to identify an effective and efficient way to implement a NAN. An analysis of Short Message Service (SMS), which is the preferred mode of communication in a NAN, is carried out. The project intends to identify potential issues which affect the confidentiality, integrity and availability of flow through cellular when it is implemented in the Smart Grid.

Investigations are carried out on the application of best practice(s) to NAN in Smart Grid and on the extent to which they are applied. Comparisons are made between the different candidate protocols for NAN, a few recommendations are made, and research areas and open issues, if any, are identified.

______, Committee Chair Isaac Ghansah Ph.D.

______Date


DEDICATION

To my parents, teachers and friends


ACKNOWLEDGEMENT

I am grateful to all the people who have helped and guided me in the successful completion of my Master's Project.

My sincere thanks to the project supervisor Dr. Isaac Ghansah, for providing me the opportunity to work on Smart Grid and guiding me throughout the project. My heartfelt thanks to Dr. Kwai-Ting Lan for being second reader and providing me with invaluable inputs on revising my report. I am thankful to Dr. Suresh Vadhva for his invaluable support throughout my graduate program.

Special thanks to my friends Arti Arora and Adithya Shreyas for helping me with their ideas and by reviewing my project report. I would like to thank my seniors and all my friends who have been there for me throughout this graduate program. I would take this opportunity to acknowledge and appreciate the efforts of California State University, Sacramento for providing the facilities and environment conducive for students to nurture their career.

Most importantly I would like to thank my parents Suryanarayana, Radha, my sister Sowmya, and bro-in-law Vinay for their true love and moral support.


TABLE OF CONTENTS

Page
Dedication ...... vi
Acknowledgement ...... vii
List of Tables ...... x
List of Figures ...... xi
Chapter
1. INTRODUCTION ...... 1
1.1. Traditional Grid ...... 1
1.2. Need for Smart Grid ...... 3
1.3. Smart Grid ...... 5
1.4. Neighborhood Area Network ...... 8
1.5. Scope of the Project ...... 11
2. REQUIREMENTS FOR NEIGHBORHOOD AREA NETWORK ...... 12
3. CELLULAR COMMUNICATION ...... 19
3.1 Features and Standards ...... 19
3.2 Candidates for Implementing NAN ...... 22
3.2.1 Global System for Mobile (GSM) ...... 22
3.2.2 GSM Core Network ...... 26
3.2.3 CDMA One or IS-95 ...... 40
3.2.4 3G Systems and UMTS (Universal Mobile System) ...... 42
3.2.5 W-CDMA ...... 46
3.2.6 4G-LTE Advanced ...... 47
4. SHORT MESSAGE SERVICE (SMS) IN CELLULAR COMMUNICATION ...... 50
4.1 Implementation Details ...... 50
4.2 Vulnerability and Example Attacks ...... 54
4.3 Counter Measures, Solutions ...... 56
5. GENERATION IN CELLULAR STANDARDS ...... 59
5.1 , 2G, 3G, 4G ...... 59
5.1.1 Overview of Standards ...... 60
5.2 Evaluation of Parameters of Cellular Standards ...... 61
5.3 Security Issues and Mechanisms in Cellular Standards ...... 63
5.4 Wireless Application Protocol (WAP) ...... 72
6. COMPARISON OF CANDIDATE NETWORK PROTOCOLS FOR NAN ...... 77
6.1 Introduction ...... 77
6.2 IEEE 802.11 ...... 78
6.3 IEEE 802.16 ...... 83
6.4 IEEE 802.15.4 ...... 87
6.5 Power Line Communication ...... 90
6.6 Communication ...... 92
6.7 Wireless Mesh Networks ...... 93
6.8 Over Other Candidates ...... 95
7. CONCLUSION ...... 102
7.1 Project Results ...... 102
7.2 Challenges and Outstanding Works ...... 104
7.3 Future Works and Potential Research Topics ...... 104
Appendix Glossary ...... 105
References ...... 109


LIST OF TABLES

Page

Table 1: Network Types, Coverage and Bandwidth ...... 16
Table 2: IEEE 802.11 Standards and its Variations ...... 79
Table 3: Summary of Technologies for NAN ...... 101


LIST OF FIGURES

Page

Figure 1: Traditional Grid ...... 2
Figure 2: Smart Grid ...... 5
Figure 3: Smart Grid ...... 7
Figure 4: Customer Domain: NAN, gateway and HAN ...... 13
Figure 5: Smart Grid Building Blocks ...... 14
Figure 6: Hierarchical Organization of Communication Networks ...... 17
Figure 7: Operation of Cells in Network. Frequency (F) reuse factor or pattern 1/4 ...... 21
Figure 8: Structure of GSM network [9] ...... 23
Figure 9: GSM Core ...... 27
Figure 10: Authentication and Key agreement ...... 33
Figure 11: Link Encryption ...... 36
Figure 12: Temporary ID management ...... 38
Figure 13: Structure of UMTS network ...... 44
Figure 14: High Level description of SMS delivery in an SS7 network ...... 51
Figure 15: Overview of SMS delivery on the wireless interface ...... 52
Figure 16: Signaling Data Integrity Mechanism ...... 70
Figure 17: Confidentiality Mechanism ...... 71
Figure 18: KASUMI Block Cipher ...... 72
Figure 19: WAP1, WAP 2 ...... 73
Figure 20: Generic Data Frame ...... 80
Figure 21: Frame Control field ...... 81
Figure 22: IP based WiMAX Network Architecture ...... 85
Figure 23: Wireless Mesh Network [28] ...... 94


Chapter 1

INTRODUCTION

1.1. Traditional Grid

The traditional power grid, designed several decades ago, performed satisfactorily in delivering electricity to the nation until the recent past. However, the system appears ill equipped on several fronts to meet present and future requirements. The reliability of the grid has declined over the last few years. A large number of outages have affected numerous consumers, causing inconvenience and loss of revenue [3]. Modernization of the current electric grid is imperative to national efforts to increase energy efficiency, transition to renewable sources of energy, reduce greenhouse gas emissions and build a sustainable economy that ensures prosperity for current and future generations.

Figure 1 [2] shows the traditional power grid, which has a unidirectional flow of energy from the electricity generation and transmission units to the end user. The grid consists of the transmission system, which includes power generation plants, step-up transformers, high-voltage power lines and substations, and the distribution system, which consists of substations, step-down transformers, pole-top transformers and medium-voltage power lines. The power plants generate electricity and step up the voltage for long-distance transmission using step-up transformers. Electricity is then transmitted across the high-voltage transmission lines over long distances to substations, where the voltage is stepped down before being transmitted over the medium-voltage power lines to the customer premises. The pole-top transformers further step down the voltage to suit residential and commercial specifications.

Figure 1: Traditional Grid

The existing power grid infrastructure is largely analog and electromechanical, built on a producer-controlled model in which power flows in one direction. With the significant advancements in computer systems, electronic devices and communications, there is a vast disparity between the traditional grid infrastructure and these advanced technologies. Electricity supply for the present generation relies on infrastructure that has aged out. Whether or not a region or consumer needs the power, the utility supplies the scheduled amount of power to the regions under its coverage. This lack of communication, both to inform the utilities about the demand for power and for the utilities to respond appropriately to the consumer, is the missing component in the current grid.

As the demand for power is on the increase, it is very important that there be effective communication between consumers and utilities so that power can be supplied based on customer needs.

1.2. Need for Smart Grid

Smart Grid is an infrastructure that intends to provide electricity to consumers based on their demand, with two-way communication between the producers or utilities and the consumers. Utilizing the latest technical advancements in computer systems, the internet, communications and electronic devices, Smart Grid envisages providing efficient, reliable and secure electricity supply to consumers. Below are the benefits of implementing the Smart Grid.

RELIABILITY

The present electricity grid architecture lacks an outage management system, which directly affects the reliability of the grid. The utilities are informed of blackouts or outages if and only if a customer rings them up to report an outage. These blackouts result in billions of dollars of losses to households and businesses [3]. An intelligent grid like Smart Grid, with an effective communications infrastructure, detects an outage immediately and notifies the utility office about it; outages could also be avoided when power is redirected to the place where an outage is predicted. To achieve improved reliability, a smarter grid is the need of the hour.

RENEWABLE ENERGY

Use of renewable energy sources is gaining momentum at present; the reasons are to reduce carbon emissions and dependency on oil and to lower the cost of electricity over the longer run. Power from renewable sources like solar, wind, geothermal and tidal is low-power and intermittent when compared to traditional power generation. These intermittent sources need distributed generation to harness the power and sell it to the nearby utility offices. To handle both distributed and intermittent power sources, we need a smarter grid.

SECURITY

One of the aspects of security in systems is availability. The current centralized grid is vulnerable in the sense that, in case of attacks, there could be a significant outage, and reconstruction of such a huge electricity infrastructure would take too long. In case of attacks, a significant area is left without power supply. Having the power generation distributed would help reduce the devastating effect of terror attacks or natural disasters [5].


1.3. Smart Grid

Figure 2 [2] shows the infrastructure of Smart Grid; we can see an integration of information technology, communications and electronic devices with the power grid to deliver a two-way flow of information in the system.

Figure 2: Smart Grid

Smart Grid is an electricity infrastructure consisting of devices installed at homes and businesses throughout the electricity distribution grid for the purpose of energy monitoring; the system utilizes computer, networking and communications technologies all the way from the generation, transmission and distribution of electricity to consumer appliances and equipment. This setup gives consumers the ability to monitor and control energy consumption comprehensively in real time across the smart communication network. Consumers who generate energy from sources such as solar, wind or other systems can also do business with the utilities by selling the surplus energy they generate.

As seen in Figure 3 [4], the sensors detect variations and fluctuations in the electricity and send information signals to the demand management systems. At the demand management system, decision signals are generated to increase or decrease electricity generation, and these signals are sent out to the processors. The processors, without any need for human intervention, execute these instructions and take appropriate actions instantaneously.


Figure 3: Smart Grid

Smart Grid, as an intelligent system, is capable of sensing system overload and rerouting power to prevent outages, resolving conditions faster than a user could respond. It is efficient, as it meets the user's increasing demand without adding infrastructure. It is accommodating, as the user can do business with the utilities by pumping energy back to the utilities from renewable sources like wind, solar and others. The consumer has the ease of choosing an energy consumption profile and customizing it according to his/her preferences. This, along with the real-time communication between the customer and the utilities, makes Smart Grid motivating to use. It is capable of delivering power free of spikes, disturbances and interruptions, which is the main requirement of data centers, and could be termed a quality-focused power supply infrastructure. Since Smart Grid's deployment would be distributed and not centralized, it becomes secure and provides resistance to natural disasters and terror attacks. All these features make Smart Grid intelligent, efficient, accommodating, motivating, opportunistic, quality-focused, resilient and lastly "green", as carbon emissions are lowered with increased efficiency [5].

1.4. Neighborhood Area Network

The efficiency of Smart Grid greatly depends on communication networks.

Communication in the customer domain consists of the Neighborhood Area Network, which connects the utility to the smart meters installed in consumers' homes, the gateway, and finally the Home Area Network, which connects all the appliances in a consumer's home. In Smart Grid, NAN has a role to play in HOME-to-HOME or HOME-to-GRID communication. Neighborhood Area Networks [NAN] are a type of packet-switched mobile data network whose geographical coverage area could be anywhere from that of a LAN (Local Area Network), which is a few meters, to a MAN (Metropolitan Area Network), to a WAN (Wide Area Network), which spans up to several miles.


Communication in NAN can be broadly classified into two types:

DATA COMMUNICATION

The utility offices collect electricity usage information from consumers on a timely basis to build a future demand . Example: a smart device that is part of a room heater sends its usage or power consumption information every minute to the in kilowatt-hour [kWh] units, and the smart meters in turn send the information back to the utility office.

CONTROL COMMUNICATION

Real-time signals to control the devices at consumer or business premises are part of control communication. An example could be turning off the room heaters for a certain period of time, on request from the consumer, during peak hours when the price per unit of usage is high.

To explain this better, consider the example of the IEEE 802.15.4 standard, where communication could be between three main entities: reduced functional devices, fully functional devices and the utility offices. Reduced functional devices carry limited functionality to lower cost and complexity. Fully functional devices support all IEEE 802.15.4 functions and features specified by the standard. Further, the data communication could be between the reduced functional devices [RFD] (smart devices installed in homes like heaters, refrigerators, air conditioners etc.) and the fully functional devices [FFD] (say smart meters), and between the FFDs and the utility office. Similarly, the control communication would be from the utility office to the FFDs and from the FFDs to the RFDs.

The communication between the RFDs and the FFDs installed at home and business premises is part of the Home Area Network [HAN], and the communication between the FFDs and the utility offices is part of the Neighborhood Area Network. A set of FFDs (say smart meters from a group of houses) would communicate with a device on a pole, and this device would in turn communicate with the utility offices over the neighborhood area network. Each such device on a pole is interconnected with the others, forming a mesh-like network that constitutes a neighborhood area network.

Neighborhood Area Networks [NAN] are flexible packet-switched mobile data networks whose geographical coverage area could be anywhere from that of a LAN, to a MAN, to a WAN. The order of the day in networking is to provide complete ubiquity, i.e., every device location is connected to millions of locations across tens of thousands of square miles. The solution for complete ubiquity is the wireless neighborhood area network [WNAN] [5]. The ubiquitous network requirements for Smart Grid are identified as: reliable, secure, power efficient, low latency, low cost, diverse path, scalable technology and the ability to support bursty, asynchronous upstream traffic, to name a few.


In this report, we mainly focus on the communication sector of Smart Grid, where an analysis of communication protocols for the neighborhood area network of Smart Grid in particular is carried out.

1.5. Scope of the Project

The aim of this project is to provide an insight into the cellular communication protocol, which is a leading candidate for implementing the neighborhood area network for Smart Grid. A study of the various standards, modes of communication (in particular SMS), security concerns and different generations of protocols, and finally comparisons with other candidate networks, are carried out. Chapter 2 acquaints us with the neighborhood area network, its requirements for Smart Grid and its significance in Smart Grid. Chapter 3 emphasizes the various standards of cellular communication such as GSM, CDMA, UMTS, WCDMA and LTE Advanced. Chapter 4 discusses Short Message Service (SMS) operations and its issues. Following this is a discussion of the different generations of the cellular wireless standard as part of Chapter 5. Chapter 6 contains a comparison and overview of the other candidates for implementing the neighborhood area network; Chapter 7 identifies research areas in the neighborhood area network as part of the customer domain for Smart Grid. Finally, we arrive at the conclusion of this project in Chapter 8.


Chapter 2

REQUIREMENTS FOR NEIGHBORHOOD AREA NETWORK

The building blocks of Smart Grid include an automated distribution and control system, power quality monitoring and substation automation, and a communication infrastructure that implements the utilities' interaction with devices in the customer domain and with distributed power generation and storage facilities [7]. As in Figure 4 [8], the customer domain consists of a Neighborhood Area Network, which connects the utility to the smart meter installed in the consumer's home, the gateway, and then the Home Area Network, which connects all the appliances at home.


Figure 4: Customer Domain: NAN, gateway and HAN

Smart Grid utilities should be capable of supporting multiple communication networks such as the Home Area Network [HAN], Neighborhood Area Network [NAN] and Wide Area Network [WAN] for various applications like consumer energy efficiency, advanced metering and distribution automation [see Figure 5] [4].


Figure 5: Smart Grid Building Blocks

The building blocks of Smart Grid are shown in Figure 5 [4]; it comprises the Power System Layer, Control Layer, Communications Layer, Security Layer, IT Infrastructure Layer and the . The Communications Layer is further divided into three subdivisions. They are:

Part of the customer domain is the Home Area Network [HAN]; it involves the communication between the devices installed at residential or commercial premises and their respective Smart Meters.


Neighborhood Area Network [NAN] is the communication network that brings about communication between the utilities and the Smart Meters installed at the customer premises.

Wide Area Network [WAN] is the communication network responsible for the backhaul communications.

The Smart Grid communication requirements, at a high level, are described below [9]:

SECURE

Privacy, integrity and confidentiality are the three main focus areas for communication across the network. Hence, end-to-end security must be provided to protect user information and to protect the network from unauthorized access.

RELIABLE

The network has to provide maximum availability by incorporating fault tolerance mechanisms and self-healing failover at each tier of the network. It must provide "always-on" communication as part of the electric grid.

FLEXIBLE

The coverage has to be consistent from smaller rural regions to larger urban areas. The communication network has to have the flexibility to cover the same disparate territories as the grid itself.


SCALABLE

The network needs to be scalable to meet current and future requirements. It should be capable of supporting the changing requirements over time, from today's simple meter reading to the future multi-application use that spans from demand-side management to distribution automation. Also, it should be upgradeable and interoperable to ensure a future-proof solution.

COST-EFFECTIVE

The capital and operational expenses of a communication network need to be within the potential savings.

The typical characteristics of different communication network layers could be summarized as shown below in Table 1.

Network Type                   | Scale of Coverage | Bandwidth          | Example for Required Communication Technologies
Home Area Network              | 1000s of Sq. Feet | 1-10 Kbps          | ZigBee
Neighborhood Area Network      | 1 – 10 Sq. Miles  | 10-100 Kbps        | 900 MHz
Distribution/Wide Area Network | 1000s Sq. Miles   | 500 Kbps – 10 Mbps | 3G/802.11/WiMAX
Core                           |                   | 10 – 100 Mbps      | Fiber

Table 1: Network Types, Coverage and Bandwidth


A representation of the information in the above table is shown in Figure 6 [4].

Figure 6: Hierarchical Organization of Communication Networks

The scope of our discussion lies in the Neighborhood Area Network [NAN], which requires higher bandwidths, ranging anywhere from 10 Kbps to 100 Kbps, to suffice for meter reading, demand response and remote disconnect, and a coverage area of 1-10 sq miles. Further focus is placed on the implementation of the Neighborhood Area Network, choosing a technology that meets all the requirements of NAN and satisfies the aspects of security, , reliability and cost. Cellular data communication has been very successful in bringing voice and data communication to millions of consumers and businesses worldwide, being cost effective, reachable and scalable; there also happen to be more research, innovations and upgrades every year in the field of cellular communication. Cellular communication as the implementation technology for the Neighborhood Area Network in Smart Grid is considered and evaluated for various parameters and issues.


Further chapters focus extensively on cellular communication: its operational details, the various standards involved, modes of communication, the various generations of protocols, performance and security issues.


Chapter 3

CELLULAR COMMUNICATION

3.1 Features and Standards

Introduction:

Cellular networks and technology have been highly successful in providing voice and data communication for millions of users worldwide. They are ubiquitous, convenient to use, easy to install and incur low maintenance costs for their services. Cellular coverage is excellent because it directly corresponds to the population concentration and is proportional to the number of users of power and its distribution. Cellular communication is already established and has 95% coverage extended to consumers, and hence no additional installation efforts are required. Continuous advances and research in cellular technology (2G, 3G, to the recent 4G standards and bandwidths) and competitive pricing among carriers create an ideal environment for implementing the Neighborhood Area Network of Smart Grid.

Features:

A cellular network is distributed over land areas called cells, each served by at least one fixed-location transceiver known as a cell site or . When joined together, these cells provide radio coverage over a wide geographic area. This enables a large number of portable transceivers (e.g., mobile phones, , etc.) to communicate with each other and with fixed transceivers and anywhere in the network, via base stations, even if some of the transceivers are moving through more than one cell during transmission.

As seen in Figure 9 [9], in a cellular radio system a land area to be supplied with radio service is divided into regular-shaped cells, which can be hexagonal, square, circular or some other irregular shape, although hexagonal cells are conventional. Each of these cells is assigned multiple frequencies (f1 - f6), which have corresponding radio base stations. The group of frequencies can be reused in other cells, provided that the same frequencies are not reused in adjacent neighboring cells, as that would cause co-channel interference.

The increased capacity in a cellular network, compared with a network with a single , comes from the fact that the same can be reused in a different area for a completely different transmission. If there is a single plain transmitter, only one transmission can be used on any given frequency. Unfortunately, there is inevitably some level of interference from the other cells which use the same frequency. This means that, in a standard FDMA system, there must be at least a one-cell gap between cells which reuse the same frequency.


Figure 7: Operation of Cells in Network. Frequency (F) reuses factor or pattern 1/4

Cell signal encoding:

To distinguish signals from several different , frequency division multiple access (FDMA) and code division multiple access (CDMA) were developed.

With FDMA, the transmitting and receiving frequencies used in each cell are different from the frequencies used in each neighboring cell.
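The reuse rule described above (a frequency group may be reused only in non-adjacent cells, the 1/4 pattern of Figure 7 being one instance) worked through as an added example that is not from the report: it assigns frequency groups on a hexagonal cell grid for cluster sizes 3, 4 and 7, checks that no two neighbouring cells share a group, and compares the resulting co-channel reuse distance with the textbook D/R = sqrt(3N). The colouring formulas and the deliberately careless `naive_group` plan are constructed for this example.

```python
"""Hex-cell frequency-reuse planner: assign frequency groups so that no two
adjacent cells share one, and measure the resulting co-channel reuse distance."""
import math

# Axial hex coordinates (q, r); the six neighbour offsets of any cell.
NEIGHBOUR_OFFSETS = [(1, 0), (0, 1), (-1, 1), (-1, 0), (0, -1), (1, -1)]


def frequency_group(q: int, r: int, n: int) -> int:
    """Frequency group (0..n-1) for cell (q, r) under an n-cell reuse cluster.

    n=4 is the 1/4 pattern of Figure 7; 3 and 7 are the other classic clusters.
    Each formula is a proper n-colouring of the hex lattice, so adjacent cells
    always land in different groups (constructed for this example).
    """
    if n == 3:
        return (q - r) % 3
    if n == 4:
        return (q % 2) + 2 * (r % 2)
    if n == 7:
        return (q + 3 * r) % 7
    raise ValueError("cluster size must be 3, 4 or 7 in this example")


def naive_group(q: int, r: int) -> int:
    """A careless two-group plan that ignores the diagonal neighbours."""
    return (q + r) % 2


def hex_distance(q: int, r: int) -> int:
    """Number of cell hops from the origin to (q, r)."""
    return (abs(q) + abs(r) + abs(q + r)) // 2


def build_grid(radius: int) -> list:
    """All cells within `radius` hops of the origin."""
    return [(q, r) for q in range(-radius, radius + 1)
            for r in range(-radius, radius + 1) if hex_distance(q, r) <= radius]


def centre(q: int, r: int) -> tuple:
    """Cell centre in units of the cell radius R (adjacent centres are sqrt(3) R apart)."""
    return math.sqrt(3) * (q + r / 2), 1.5 * r


def adjacent_reuse_violations(grid, group_of) -> list:
    """Pairs of adjacent cells that reuse the same group, i.e. co-channel interference."""
    cells = set(grid)
    bad = []
    for q, r in grid:
        for dq, dr in NEIGHBOUR_OFFSETS:
            nb = (q + dq, r + dr)
            if nb in cells and (q, r) < nb and group_of(q, r) == group_of(*nb):
                bad.append(((q, r), nb))
    return bad


def min_reuse_distance(grid, group_of) -> float:
    """Smallest centre-to-centre distance (in R) between two cells sharing a group."""
    best = math.inf
    for i, (q1, r1) in enumerate(grid):
        x1, y1 = centre(q1, r1)
        for q2, r2 in grid[i + 1:]:
            if group_of(q1, r1) == group_of(q2, r2):
                x2, y2 = centre(q2, r2)
                best = min(best, math.hypot(x1 - x2, y1 - y2))
    return best


def theoretical_reuse_distance(n: int) -> float:
    """Textbook D/R = sqrt(3N) for an N-cell cluster on a hexagonal layout."""
    return math.sqrt(3 * n)


def plan_report(n: int, radius: int = 4) -> dict:
    """Violations and achieved vs. expected reuse distance for cluster size n."""
    grid = build_grid(radius)
    group_of = lambda q, r: frequency_group(q, r, n)
    return {
        "cluster": n,
        "violations": len(adjacent_reuse_violations(grid, group_of)),
        "min_reuse_distance": round(min_reuse_distance(grid, group_of), 3),
        "expected": round(theoretical_reuse_distance(n), 3),
    }


if __name__ == "__main__":
    for n in (3, 4, 7):
        print(plan_report(n))
    print("naive plan violations:",
          len(adjacent_reuse_violations(build_grid(4), naive_group)))
```

A larger cluster buys more separation between co-channel cells (less interference) at the price of fewer channels per cell, which is the capacity trade-off behind the choice of reuse pattern.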

In the next sections we discuss the major cellular communication standards such as GSM and CDMA-One from the 2nd generation (2G) and UMTS and WCDMA from the 3rd generation (3G).


3.2 Candidates for Implementing NAN

3.2.1 Global System for Mobile Communications (GSM)

GSM is the world's most popular standard for mobile , in which both signaling and speech channels are digital, and falls under the second generation (2G) of systems.

In a GSM cellular network, mobile phones connect to base stations by searching for cells in the immediate vicinity. The horizontal radius of a cell varies from a couple of hundred meters to several tens of miles, depending on antenna height, antenna gain and propagation conditions.

GSM networks operate in a number of different carrier frequency ranges (separated into GSM frequency ranges for 2G and UMTS frequency bands for 3G), with most 2G GSM networks in Canada and the United States operating in the 850 MHz or 19800 MHz bands. Carriers in the US using GSM are AT&T and T-Mobile. Enhanced Data GSM Environment (EDGE), which is a faster GSM service, can deliver data rates of up to 384 kbps on a broadband.

The GSM network, as seen in Figure 10 [9], is structured into a number of discrete sections:

• The Base Station Subsystem (the base stations and their controllers).

• The Network and Switching Subsystem (the part of the network most similar to a fixed network). This is sometimes also just called the core network.

• The GPRS Core Network (an optional part which allows packet-based Internet connections).

• The Operations Support System (OSS) for maintenance of the network.

Figure 8: Structure of GSM network [9]


Subscriber Identity Module (SIM):

One of the key features of GSM is the Subscriber Identity Module, commonly known as a SIM card. The SIM is a detachable containing the user's subscription information and phone book. This allows the user to retain his or her information after switching handsets. Alternatively, the user can change operators while retaining the handset simply by changing the SIM. Some operators block this by allowing the phone to use only a single SIM, or only a SIM issued by them; this practice is known as SIM locking.

When GSM is chosen to implement NAN systems in Smart Grid, SIM cards could be inserted in the smart meters and devices, which would transmit meter data from homes to the utility offices and producer sites over the built-in . The carrier for a particular locality can be chosen based on signal coverage, cost and the bandwidth of the data transmitted.

GSM service security:

GSM was designed with a moderate level of service security. The system authenticates the subscriber using a pre-shared key and challenge-response. Communications between the subscriber and the base station can be encrypted. GSM only authenticates the user to the network and not vice versa. The security model therefore offers confidentiality and authentication, but limited authorization capabilities and no non-repudiation.

GSM Security Features:


• Secure access: The operator can authenticate the user's identity for billing and for preventing fraudulent calls by masqueraders.

• Control and data signal confidentiality: Protect voice, data and control information (e.g., dialed telephone numbers) from eavesdropping.

• Anonymity: Prevent attackers from using known information (e.g., the IMSI) to track the user's location or identify the user's calls.

SUBSCRIBER IDENTITY CONFIDENTIALITY: The Temporary Mobile Subscriber Identity [TMSI] is used to ensure subscriber identity confidentiality. The TMSI is a pseudo-random number generated and issued by the Visitor Location Register [VLR], and it is valid only in the area in which it was issued.
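The challenge-response authentication, Kc derivation and TMSI issue described above, modelled as an added example that is not from the report or from any GSM implementation. HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms (an assumption so that the code runs offline; real networks use their own, e.g. COMP128). For contrast, `USIM` adds the network-side proof that GSM lacks and that the 3G AKA mechanism discussed later in the report provides: an AUTN token the subscriber verifies before answering. The IMSI is a constructed test-range value.

```python
"""Toy model of GSM subscriber authentication and TMSI issue, plus the
network-side proof that 3G AKA adds. HMAC-SHA256 stands in for the
operator-specific A3/A8/f1 algorithms (an assumption, not the real ciphers)."""
import hashlib
import hmac
import secrets


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Signed response (32 bits) the SIM returns for challenge RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Session key Kc (64 bits) that feeds the A5 link cipher."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Home network: holds each IMSI's secret Ki and mints (RAND, SRES, Kc) triplets."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers            # IMSI -> Ki

    def triplet(self, imsi: str):
        ki = self.subscribers[imsi]
        rand = secrets.token_bytes(16)
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class SIM:
    """Subscriber side: Ki never leaves the card, only SRES and Kc derived from it."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand: bytes):
        # GSM gives the SIM no way to tell who sent RAND; it answers any challenge.
        return a3_sres(self.ki, rand), a8_kc(self.ki, rand)


class VLR:
    """Visited network: checks SRES against the triplet, then hands out a TMSI."""

    def __init__(self, auc: AuC):
        self.auc = auc
        self.tmsi_table = {}                      # TMSI -> IMSI, valid in this VLR area only

    def attach(self, sim: SIM):
        rand, sres_expected, kc = self.auc.triplet(sim.imsi)
        sres, _kc_ms = sim.respond(rand)
        if not hmac.compare_digest(sres, sres_expected):
            return None                           # subscriber rejected
        tmsi = secrets.token_bytes(4)             # pseudo-random temporary identity
        self.tmsi_table[tmsi] = sim.imsi          # IMSI need not cross the air again
        return tmsi, kc


# What GSM lacks, in the style of 3G AKA: the network proves it knows Ki with a
# MAC over RAND and a sequence number SQN, and the USIM refuses a bad MAC or a
# replayed SQN. (Real AKA also conceals SQN with an anonymity key; omitted here.)
def autn(ki: bytes, rand: bytes, sqn: int) -> bytes:
    sqn_bytes = sqn.to_bytes(6, "big")
    mac = hmac.new(ki, b"f1" + sqn_bytes + rand, hashlib.sha256).digest()[:8]
    return sqn_bytes + mac


class USIM(SIM):
    def __init__(self, imsi: str, ki: bytes):
        super().__init__(imsi, ki)
        self.last_sqn = -1

    def respond(self, rand: bytes, autn_value: bytes = b""):
        sqn = int.from_bytes(autn_value[:6], "big")
        fresh = sqn > self.last_sqn
        genuine = hmac.compare_digest(autn_value, autn(self.ki, rand, sqn))
        if not (fresh and genuine):
            raise ValueError("network failed to authenticate")   # rogue or replayed
        self.last_sqn = sqn
        return super().respond(rand)


if __name__ == "__main__":
    ki = secrets.token_bytes(16)
    imsi = "001010123456789"                      # constructed test-range IMSI
    vlr = VLR(AuC({imsi: ki}))
    tmsi, kc = vlr.attach(SIM(imsi, ki))
    print("attached, TMSI", tmsi.hex(), "Kc", kc.hex())
```

For a smart meter this matters because the meter, unlike a phone user, cannot notice that it has attached to the wrong network; a 3G/4G subscription with mutual authentication closes that gap at the access layer.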

GSM uses several cryptographic for security. The A5/1 and A5/2 stream ciphers are used to ensure over-the-air voice privacy. A5/1 was developed first and is the stronger , used within Europe and the United States. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real time with a ciphertext-only attack, and in February 2008, Pico , Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow table attack [10]. The system supports multiple algorithms, so operators may replace that cipher with a stronger one.

In 2010, a report stated that a group of cryptographers had developed an attack that broke KASUMI, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enabled attackers to recover a full key using a tactic known as a related-key attack [11].

3.2.2 GSM Core Network

The GSM core network is the component of a GSM system that carries out call switching and functions for mobile phones on the network of base stations. It is owned and deployed by mobile phone operators and allows mobile devices to communicate with each other and with telephones in the wider Public Switched Telephone Network (PSTN). The architecture contains specific features and functions which are needed because the phones are not fixed in one location. Figure 9 [12] shows a schematic of the GSM core network architecture.

27

Figure 9: GSM Core Network Architecture MS: Mobile Station; SIM: Subscriber Identity Module; MSC: Mobile Switching Centre

VLR: Visitor Location Register; HLR: Home Location Register; AuC: Authentication

Centre

Mobile switching center (MSC):

The mobile switching center (MSC) is the primary service delivery for GSM/CDMA, responsible for routing voice calls and SMS as well as other services (such as conference calls, and ).

The MSC sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call, and takes care of charging and real-time pre-paid account monitoring.

In the GSM mobile phone system, in contrast with earlier analogue services, fax and data information is sent directly, digitally encoded, to the MSC. Only at the MSC is this re-coded into an "analogue" signal (although actually this will almost certainly mean sound encoded digitally as a PCM signal in a 64-kbit/s timeslot, known as a DS0 in America).

The gateway MSC (G-MSC) is the MSC that determines in which visited MSC the subscriber who is being called is currently located. It also interfaces with the PSTN. All mobile-to-mobile calls and PSTN-to-mobile calls are routed through a G-MSC. The term is only valid in the context of one call, since any MSC may provide both the gateway function and the visited MSC function; however, some manufacturers design dedicated high-capacity MSCs which do not have any BSSs connected to them. These MSCs will then be the gateway MSC for many of the calls they handle.

The visited MSC (V-MSC) is the MSC where a customer is currently located. The VLR associated with this MSC will have the subscriber's data in it.

The anchor MSC is the MSC from which a handover has been initiated. The target MSC is the MSC toward which a handover should take place.

Mobile switching centre server (MSCS):

The mobile switching centre server is a soft-switch variant of the mobile switching centre, which provides circuit-switched calling, mobility management, and GSM services to the mobile phones roaming within the area that it serves. MSS functionality enables a split between the control plane (signaling) and the user plane (bearer, in a network element called the media gateway, MGW), which guarantees better placement of network elements within the network.

The MSS and the MGW media gateway make it possible to cross-connect circuit-switched calls switched by using IP, ATM AAL2 as well as TDM.

Other GSM core network elements connected to the MSC:

• The home location register (HLR) for obtaining data about the SIM and mobile services ISDN number (MSISDN; i.e., the telephone number).

• The base station subsystem which handles the radio communication with 2G and 2.5G mobile phones.

• The UMTS terrestrial radio access network (UTRAN) which handles the radio communication with 3G mobile phones.

• The visitor location register (VLR) for determining where other mobile subscribers are located.

• Other MSCs for procedures such as handover.

Procedures implemented

Tasks of the MSC include:

• Delivering calls to subscribers as they arrive, based on information from the VLR.

• Connecting outgoing calls to other mobile subscribers or the PSTN.

• Delivering messages from subscribers to the short message service centre (SMSC) and vice versa.

• Arranging handovers from BSC to BSC.

• Carrying out handovers from this MSC to another.

• Supporting supplementary services such as conference calls or call hold.

• Generating billing information.

Home location register (HLR):

The home location register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time.

The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is the primary key to each HLR record.

The next important items of data associated with the SIM are the MSISDNs, which are the telephone numbers used by mobile phones to make and receive calls. The primary MSISDN is the number used for making and receiving voice calls and SMS, but it is possible for a SIM to have other secondary MSISDNs associated with it for fax and data calls. Each MSISDN is also a primary key to the HLR record. The HLR data is stored for as long as a subscriber remains with the mobile phone operator. [14]

Examples of other data stored in the HLR against an IMSI record are:

• GSM services that the subscriber has requested or been given.

• GPRS settings to allow the subscriber to access packet services.

• Current location of the subscriber (VLR and serving GPRS support node/SGSN).

• Call divert settings applicable for each associated MSISDN.

The HLR is a system which directly receives and processes MAP transactions and messages from elements in the GSM network, for example the location update messages received as mobile phones roam around.

Other GSM core network elements connected to the HLR

The HLR connects to the following elements:

• The G-MSC for handling incoming calls.

• The VLR for handling requests from mobile phones to attach to the network.

• The SMSC for handling incoming SMs.

• The voice mail system for delivering notifications to the mobile phone that a message is waiting.

• The AUC for authentication and ciphering and exchange of data (triplets).

Procedures implemented

The main function of the HLR is to manage the fact that SIMs and phones move around a lot. The following procedures are implemented to deal with this:

• Manage the mobility of subscribers by means of updating their position in administrative areas called 'location areas', which are identified with a LAC. The action of a user moving from one LA to another is followed by the HLR with a location area update procedure.

• Send the subscriber data to a VLR or SGSN when a subscriber first roams there.

• Broker between the G-MSC or SMSC and the subscriber's current VLR in order to allow incoming calls or text messages to be delivered.

• Remove subscriber data from the previous VLR when a subscriber has roamed away from it.

Authentication centre (AUC):

Figure 10 [12] shows a schematic of authentication and key agreement.

Figure 10: Authentication and Key agreement

Description

The authentication centre (AUC) is a function to authenticate each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and the services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.

If the authentication fails, then no services are possible from that particular combination of SIM card and mobile phone operator. There is an additional form of identification check performed on the IMEI of the mobile phone, described in the EIR section below, but this is not relevant to the AUC processing.

Proper implementation of security in and around the AUC is a key part of an operator's strategy to avoid SIM cloning.

The AUC does not engage directly in the authentication procedure, but instead generates data known as triplets for the MSC to use during the procedure. The security of the process depends upon a shared secret between the AUC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AUC. This Ki is never transmitted between the AUC and SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key called Kc for use in over-the-air communications.

Other GSM core network elements connected to the AUC

The AUC connects to the following element: the MSC, which requests a new batch of triplet data for an IMSI after the previous data have been used. This ensures that the same keys and challenge responses are not used twice for a particular mobile.

Procedures implemented:

The AUC stores the following data for each IMSI:

• the Ki

• Algorithm id. (The standard algorithms are called A3 or A8, but an operator may choose a proprietary one.)

When the MSC asks the AUC for a new set of triplets for a particular IMSI, the AUC first generates a random number known as RAND. This RAND is then combined with the Ki to produce two numbers as follows:

• The Ki and RAND are fed into the A3 algorithm and the signed response (SRES) is calculated.

• The Ki and RAND are fed into the A8 algorithm and a session key called Kc is calculated.

The numbers (RAND, SRES, Kc) form the triplet sent back to the MSC. When a particular IMSI requests access to the GSM core network, the MSC sends the RAND part of the triplet to the SIM. The SIM then feeds this number and the Ki (which is burned onto the SIM) into the A3 algorithm, and an SRES is calculated and sent back to the MSC. If this SRES matches the SRES in the triplet (which it should if it is a valid SIM), then the mobile is allowed to attach and proceed with GSM services.

After successful authentication, the MSC sends the encryption key Kc to the base station controller (BSC) so that all communications can be encrypted and decrypted. Of course, the mobile phone can generate the Kc itself by feeding the same RAND supplied during authentication and the Ki into the A8 algorithm.

The AUC is usually collocated with the HLR, although this is not necessary. Whilst the procedure is secure for most everyday use, it is by no means crack-proof. Therefore a new set of security methods was designed for 3G phones. [16]

Figure 11 [14] shows a schematic of encryption using the A5 algorithm.

Figure 11: Radio Link Encryption

Visitor location register (VLR):

Description

The visitor location register is a database of the subscribers who have roamed into the jurisdiction of the MSC (Mobile Switching Center) which it serves. Each base station in the network is served by exactly one VLR; hence a subscriber cannot be present in more than one VLR at a time.

The data stored in the VLR has either been received from the HLR or collected from the MS (mobile station). In practice, for performance reasons, most vendors integrate the VLR directly into the V-MSC and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary interface. Whenever an MSC detects a new MS in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location of that MS. If VLR data is corrupted, it can lead to serious issues with and call services.

Figure 12 [14] shows a schematic of temporary ID management using the VLR.

Figure 12: Temporary ID management

Data stored include:

• IMSI (the subscriber's identity number).

• Authentication data.

• MSISDN (the subscriber's phone number).

• GSM services that the subscriber is allowed to access.

• Access point (GPRS) subscribed.

• The HLR address of the subscriber.

Other GSM core network elements connected to the VLR

The VLR connects to the following elements:

• The V-MSC, to pass required data for its procedures; e.g., authentication or call setup.

• The HLR, to request data for mobile phones attached to its serving area.

• Other VLRs, to transfer temporary data concerning the mobile when it roams into new VLR areas; for example, the temporary mobile subscriber identity (TMSI).

Procedures implemented

The primary functions of the VLR are:

• To inform the HLR that a subscriber has arrived in the particular area covered by the VLR.

• To track where the subscriber is within the VLR area (location area) when no call is ongoing.

• To allow or disallow which services the subscriber may use.

• To allocate roaming numbers during the processing of incoming calls.

• To purge the subscriber record if a subscriber becomes inactive whilst in the area of a VLR. The VLR deletes the subscriber's data after a fixed time period of inactivity and informs the HLR (e.g., when the phone has been switched off and left off, or when the subscriber has moved to an area with no coverage for a long time).

• To delete the subscriber record when a subscriber explicitly moves to another VLR area, as instructed by the HLR.

Equipment identity register (EIR):

The equipment identity register is often integrated into the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. In theory, all data about all stolen mobile phones should be distributed to all EIRs in the world through a central EIR. It is clear, however, that there are some countries where this is not in operation. The EIR data does not have to change in real time, which means that this function can be less distributed than the function of the HLR. The EIR is a database that contains information about the identity of the mobile equipment, and it prevents calls from stolen, unauthorized or defective mobile stations. Some EIRs also have the capability to log handset attempts and store them in a log file.

3.2.3 CDMAOne or IS-95

CDMAOne is a second-generation mobile telecommunications standard that uses CDMA, which is a multiple access scheme for digital radio, to send voice, data and signaling data between mobile telephones and cell sites.

CDMA, "code division multiple access", uses a digital called which spreads the voice data over a very wide channel in pseudorandom fashion using a user- or cell-specific pseudorandom code. The receiver undoes the randomization to collect the bits together and produce the original data. As the codes are pseudorandom and selected in such a way as to cause minimal interference to one another, multiple users can talk at the same time and multiple cells can share the same frequency. This causes added signal noise, forcing all users to use more power, which in exchange decreases cell range and battery life.

When CDMAOne technology is chosen to implement the Neighborhood Area Network of the Smart Grid, the smart devices and smart meters of the NAN will use CDMA locks and IC chips, and will be linked to particular cellular carriers.

In the USA, CDMA service providers include Verizon and Sprint, operating in frequency bands below 3000 MHz. CDMA can provide up to 0.384 Mbit/s of uplink and downlink capacity.

Below are advantages of using CDMAOne/IS-95:

1) Capacity is IS-95's biggest asset; it can accommodate more users per MHz of bandwidth than any other technology.

2) It has no built-in limit to the number of concurrent users.

3) It uses precise clocks that do not limit the distance a tower can cover.

4) It consumes less power and covers large areas, so the cell size in IS-95 is larger.

5) It is able to produce a reasonable call with lower signal (cell phone reception) levels.

6) CDMAOne uses soft handoff, reducing the likelihood of dropped calls.

7) IS-95's variable-rate voice coders reduce the rate being transmitted when the speaker is not talking, which allows the channel to be packed more efficiently.

8) It has a well-defined path to higher data rates.

Below are disadvantages of using CDMAOne/IS-95:

1) Most technologies are patented and must be licensed from .

2) Breathing of base stations, where the coverage area shrinks under load. As the number of subscribers using a particular site goes up, the range of that site goes down.

3) Because IS-95 towers interfere with each other, they are normally installed on much shorter towers. Because of this, IS-95 may not perform well in hilly terrain.

4) Even barring subsidy locks, CDMA phones are linked by ESN to a specific network, thus phones are typically not portable across providers.

3.2.4 3G Systems and UMTS (Universal Mobile Telecommunications System)

3G systems were developed to provide global mobility with a wide range of services which includes , paging, messaging, Internet and broadband data. The International Telecommunication Union (ITU) is the organization which defined the standard for third generation systems, referred to as International Mobile Telecommunications 2000 (IMT-2000). The Third Generation Partnership Project (3GPP), which was formed for this purpose, performs the technical specification work and technical development of 3G technology.

Universal Mobile Telecommunications System (UMTS) is one of the third-generation (3G) mobile telecommunications technologies; it is specified by 3GPP and is part of the global ITU IMT-2000 standard.

UMTS, using 3GPP, can support maximum data transfer rates of up to 45 Mbit/s (with HSPA+), [12] although at the moment users in deployed networks can expect a transfer rate of up to 384 kbit/s for R99 handsets, and 7.2 Mbit/s for HSDPA handsets in the downlink connection. This is still much greater than the 9.6 kbit/s of a single GSM error-corrected circuit-switched data channel and the 14.4 kbit/s of CDMAOne.

UMTS Architecture

A UMTS network consists of three interacting domains: Core Network (CN), UMTS Terrestrial Radio Access Network (UTRAN) and User Equipment (UE). The main function of the core network is to provide switching, routing and transit for user traffic. The core network also contains the and network management functions.

The basic core network architecture for UMTS, as seen in Figure 13 [18], is based on the GSM network with GPRS. All equipment has to be modified for UMTS operation and services. The UTRAN provides the air interface access method for User Equipment. The base station is referred to as Node-B and the control equipment for Node-Bs is called the Radio Network Controller (RNC).

Figure 13: Structure of UMTS network

UMTS provides several different terrestrial air interfaces, called UMTS Terrestrial Radio Access (UTRA). [14] All air interface options are part of ITU's IMT-2000. In the currently most popular variant for cellular mobile telephones, W-CDMA (IMT Direct Spread) is used.

UMTS has enhanced security features compared to 2G protocols such as GSM and CDMA. Below are the security features implemented in UMTS.

Entity authentication:

UMTS provides mutual authentication between the UMTS subscriber, represented by a smart card application known as the USIM (Universal Subscriber Identity Module), and the network, in the following sense. 'Subscriber authentication': the serving network corroborates the identity of the subscriber. 'Network authentication': the subscriber corroborates that he is connected to a serving network that is authorized, by the subscriber's home network, to provide him with services.

Signaling data integrity and origin authentication:

Integrity algorithm agreement: the mobile station and the serving network can securely negotiate the integrity algorithm that they use.

Integrity key agreement: the mobile and the network agree on an integrity key that they may use subsequently; this provides entity authentication.

User traffic confidentiality:

Ciphering algorithm agreement: the mobile and the station can securely negotiate the ciphering algorithm that they use.

Cipher key agreement: the mobile and the station agree on a cipher key that they may use.

Confidentiality of user and signaling data: neither user data nor sensitive signaling data can be overheard on the radio access interface.

Network domain security:

The term 'network domain security' in 3G covers security of the communication between network elements. In particular, the mobile station is not affected by network domain security. The two communicating network elements may both be in the same network administrated by a mobile operator, or they may belong to two different networks. [13]
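The GSM triplet procedure of 3.2.2 (AUC, MSC, SIM) and the UMTS mutual authentication described above, modelled side by side as an added example that is not code from this project or from 3GPP. A3/A8 and the UMTS f1 to f5 functions are replaced by labelled HMAC-SHA256 stand-ins, the USIM's sequence-number window is simplified to "strictly increasing", and every function and class name (auc_gsm_triplet, USIM, compare_unknown_network, ...) is hypothetical; the point shown is that a SIM answers any RAND, while a USIM rejects an AUTN that was not computed with K or that is replayed.

```python
"""Model of GSM triplet authentication (AUC -> MSC -> SIM) next to the UMTS AKA
quintet with AUTN. Constructed example; A3/A8 and the UMTS f1..f5 functions are
replaced by HMAC-SHA256 stand-ins, so nothing here interoperates with real SIMs."""
import hmac
import hashlib
import secrets


def prf(key, label, data):
    """Keyed stand-in for the operator-specific A3/A8 (GSM) and f1..f5 (UMTS)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


# ----- GSM (2G): triplets, the network authenticates the SIM only -----

def auc_gsm_triplet(ki, rand=None):
    """AUC side: fresh RAND -> (RAND, SRES, Kc); SRES from 'A3', Kc from 'A8'."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    sres = prf(ki, b"A3", rand)[:4]   # 32-bit signed response
    kc = prf(ki, b"A8", rand)[:8]     # 64-bit cipher key handed to the BSC for A5
    return rand, sres, kc


def sim_gsm_answer(ki, rand):
    """SIM side: recompute SRES and Kc from RAND and the burned-in Ki.
    Nothing in RAND lets the SIM tell whether it came from its own operator."""
    return prf(ki, b"A3", rand)[:4], prf(ki, b"A8", rand)[:8]


def msc_gsm_check(triplet, sres_from_sim):
    """MSC side: compare the SIM's SRES with the AUC's SRES in constant time."""
    return hmac.compare_digest(triplet[1], sres_from_sim)


# ----- UMTS (3G) AKA: quintets, mutual authentication via AUTN -----

AMF = b"\x00\x00"   # authentication management field (kept fixed here)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def auc_umts_quintet(k, sqn, rand=None):
    """AUC/HLR side: (RAND, XRES, CK, IK, AUTN) for sequence number sqn.
    AUTN = (SQN xor AK) || AMF || MAC with MAC = f1(K, SQN || AMF || RAND)."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = prf(k, b"f1", sqn_b + AMF + rand)[:8]
    xres = prf(k, b"f2", rand)[:8]
    ck = prf(k, b"f3", rand)[:16]
    ik = prf(k, b"f4", rand)[:16]
    ak = prf(k, b"f5", rand)[:6]
    return rand, xres, ck, ik, _xor(sqn_b, ak) + AMF + mac


class USIM:
    """USIM side; the SQN acceptance window is simplified to 'strictly increasing'."""

    def __init__(self, k):
        self.k = k
        self.sqn_highest = -1

    def authenticate(self, rand, autn):
        """Return ('ok', (RES, CK, IK)), ('mac_failure', None) or ('sync_failure', None)."""
        ak = prf(self.k, b"f5", rand)[:6]
        sqn_b = _xor(autn[:6], ak)
        amf, mac = autn[6:8], autn[8:16]
        expected_mac = prf(self.k, b"f1", sqn_b + amf + rand)[:8]
        if not hmac.compare_digest(mac, expected_mac):
            return "mac_failure", None      # sender did not know K: not our network
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_highest:
            return "sync_failure", None     # stale or replayed authentication vector
        self.sqn_highest = sqn
        res = prf(self.k, b"f2", rand)[:8]
        ck = prf(self.k, b"f3", rand)[:16]
        ik = prf(self.k, b"f4", rand)[:16]
        return "ok", (res, ck, ik)


def vlr_umts_check(quintet, res_from_usim):
    """Serving network side: RES must equal the XRES received from the home network."""
    return hmac.compare_digest(quintet[1], res_from_usim)


def compare_unknown_network(ki):
    """A challenger that does not hold Ki/K sends a RAND to both card types.
    Returns (gsm_sim_answered, umts_usim_status)."""
    rand = secrets.token_bytes(16)
    sres, _kc = sim_gsm_answer(ki, rand)                      # GSM SIM answers regardless
    status, _ = USIM(ki).authenticate(rand, secrets.token_bytes(16))  # AUTN without K
    return len(sres) == 4, status
```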

3.2.5 W-CDMA

W-CDMA (Wideband Code Division Multiple Access) is an air interface in 3G mobile telecommunications networks, the most commonly used member of the UMTS family. W-CDMA uses the DS-CDMA channel access method with a pair of 5 MHz wide channels.

It utilizes the DS-CDMA channel access method and the FDD duplexing method to achieve higher speeds and support more users compared to most time division multiple access (TDMA) schemes in use.

DS-CDMA: direct-sequence spread spectrum (DSSS) CDMA

DSSS phase-modulates a sine wave pseudo-randomly with a continuous string of pseudo-noise (PN) code symbols called 'chips', each of which has a much shorter duration than an information bit. That is, each information bit is modulated by a sequence of much faster chips. Therefore, the chip rate is much higher than the information signal bit rate.

Key technical features of W-CDMA are as below:

• Radio channels are 5 MHz wide.

• Chip rate of 3.84 MHz.

• Supported modes of duplex: frequency division (FDD), time division (TDD).

• Employs coherent detection on both the uplink and downlink based on the use of pilot symbols and channels [14].

• Supports inter-cell asynchronous operation.

• Variable mission on a 10 ms frame basis.

3.2.6 4G-LTE Advanced

The 4G cellular standards are the successors to the 3G and 2G families of standards. The ITU-R organization specified the IMT-Advanced (International Mobile Telecommunications Advanced) requirements for 4G standards, setting peak speed requirements for 4G service at 100 megabits per second for high-mobility communication (such as from trains and cars) and 1 Gbps for low-mobility communication (stationary users).

A 4G system is expected to provide a comprehensive and secure all-IP based mobile broadband solution to laptop computer wireless , smart phones, and other mobile devices. Facilities such as ultra-broadband , IP telephony, gaming services, and streamed multimedia may be provided to users.

LTE:

The LTE specification provides downlink peak rates of at least 100 Mbps, an uplink of at least 50 Mbps and RAN round-trip times of less than 10 ms. LTE supports scalable carrier bandwidths, from 1.4 MHz to 20 MHz, and supports both frequency division duplexing (FDD) and time division duplexing (TDD).

Part of the LTE standard is the System Architecture Evolution, a flat IP-based network architecture designed to replace the GPRS core network and ensure support for, and mobility between, some legacy or non-3GPP systems, for example GPRS and WiMax respectively. [15]

The main advantages of LTE are high throughput, low latency, plug and play, FDD and TDD in the same platform, an improved end-user experience and a simple architecture resulting in low operating costs. LTE will also support seamless passing to cell towers with older network technology such as GSM, CDMAOne, UMTS, and CDMA2000. [9]

LTE Advanced:

LTE Advanced is essentially an enhancement to LTE. It is not a new technology but rather an improvement on the existing LTE network. This upgrade path makes it more cost-effective for vendors to offer LTE and then upgrade to LTE Advanced, which is similar to the upgrade from WCDMA to HSPA. LTE and LTE Advanced will also make use of additional spectrum and to allow it to achieve higher data speeds.

Coordinated Multi-point Transmission will also allow more system capacity to help handle the enhanced data speeds. Release 10 of LTE is expected to achieve the LTE Advanced speeds. Release 8 currently supports up to 300 Mbit/s download speeds, which is still short of the IMT-Advanced standards. [15]

Data speeds of LTE Advanced:

Peak download: 1 Gbit/s
Peak upload: 500 Mbit/s

Chapter 4

SHORT MESSAGE SERVICE (SMS) IN CELLULAR COMMUNICATION

4.1 Implementation Details

Short Message Service (SMS) is considered a suitable mode of data transfer when a cellular network is chosen to implement the Neighborhood Area Network of the Smart Grid. Communication between smart devices and smart meters in the Neighborhood Area Network (NAN), and utility offices can happen through exchange of SMSes containing data and control information.

Below is a high-level view of the text delivery mechanism in a cellular communication network. Figs. 14 and 15 [16] illustrate the process of SMS communication in a cellular network.

Figure 14: High Level description of SMS delivery in an SS7 network

Figure 15: Overview of SMS delivery on the wireless interface.

1) Message Insertion:

Messages may be submitted into the system from cell phones operating within the system or from external sources. An Internet-originated SMS message can be generated by any one of a number of External Short Messaging Entities (ESMEs). ESMEs include devices and interfaces ranging from email and web-based messaging portals to service provider websites and voicemail services, and can be attached to telecommunications networks either by dedicated connection or through the Internet. When a message is injected into the network, it is delivered to the Short Messaging Service Center (SMSC). These servers are responsible for the execution of a "store-and-forward" protocol that eventually delivers text messages to their intended destination. The contents and destination information from the message are examined by the SMSC and are then copied into a properly formatted packet. At this point, messages originating in the Internet and those created in the network itself become indistinguishable. Formatted text messages are then placed in an egress queue in the SMSC and await service.

2) Message Routing:

Before an SMSC can forward a text message to a targeted mobile device, it must first determine the location of that device. To accomplish this, the SMSC queries a database known as the Home Location Register (HLR). The HLR is responsible for storing subscriber data including availability, billing information, available services and current location. With the help of other elements in the network, the HLR determines the routing information for the targeted device. If the desired phone is not available, the SMSC stores the message until a later time for subsequent retransmission. Otherwise, the SMSC receives the address of the Mobile Switching Center (MSC) currently providing service to the target device. The MSC delivers the text message over the wireless interface through attached Base Stations (BS).

3) Wireless Delivery:

An area of coverage in a wireless network is called a cell. Each cell is typically partitioned into multiple (usually three) sectors. We characterize the system on a per-sector basis throughout the paper. The air interface, or radio portion of the network, is traditionally divided into two classes of logical channels: the Control Channels (CCHs) and Traffic Channels (TCHs). TCHs carry voice traffic after call setup has occurred. CCHs, which transport information about the network and assist in call setup/SMS delivery, are sub-classified further. In order to alert a targeted device that a call or text message is available, a message is broadcast on the Paging Channel (PCH). Note that multiple base stations broadcast this page in an attempt to quickly determine the sector in which the targeted recipient is located. Upon hearing its temporary identifier on the PCH, available devices inform the network of their readiness to accept incoming communications using the slotted ALOHA-based Random Access Channel (RACH) uplink. A device is then assigned a Standalone Dedicated Control Channel (SDCCH) by listening to the Access Grant Channel (AGCH). If a text message is available, the base station authenticates the device, enables encryption, and then delivers the contents of the message over the assigned SDCCH. If instead a call is incoming for the device, the SDCCH is used to authenticate the device and negotiate a TCH for voice communications.

4.2 Vulnerability and Example Attacks

The vulnerability in GSM cellular networks that allows targeted text message attacks to occur is the result of bandwidth allocation on the air interface. Under normal conditions, the small ratio of bandwidth allocated to control versus traffic data is sufficient to deliver all messages with a low probability of blocking. However, because text messages use the same control channels as voice calls (SDCCHs), contention for resources occurs when SMS traffic is elevated. Given a sufficient number of SMS messages, each of which requires on average four seconds for delivery, arriving voice calls will be blocked for lack of available resources.

Sending text messages to every possible phone number is not an effective means of attacking a network. The haphazard submission of messages is in fact more likely to overwhelm gateways between the Internet and cellular networks than to disrupt cellular service. An adversary must efficiently blanket only the targeted area with messages so as to reduce the probability of less effective collateral damage. The information to achieve such a goal, however, is readily available. Using tools including NPA-NXX Area Code Databases, search engines and even feedback from provider websites, an attacker can construct a "hit-list" of potential targets. Given this information, an adversary can then begin exploiting the bandwidth vulnerability.

The exploit itself involves saturating sectors to their SDCCH capacity for some period of time. In so doing, the majority of attempts to establish voice calls are blocked. For all of Manhattan, which would typically be provisioned with 12 SDCCHs per sector, a perfectly executed attack would require the injection of only 165 messages per second, or approximately 3 messages/sector/second.

4.3 Counter Measures, Solutions

Cellular providers have introduced a number of mitigation solutions into phone networks to combat the SMS-based DoS attacks. These solutions focus on limiting the source of the messages and are ineffective against all but the least sophisticated adversary. To illustrate, the primary countermeasure discovered was a per-source volume restriction at the SMS gateway. Such restrictions would, for example, allow only 50 messages from a single IP address. The ability to spoof IP addresses and the existence of zombie networks render this solution impotent.

Another popular deployed solution filters SMS traffic based on the textual content.

Similar to SPAM filtering, this approach is effective in eliminating undesirable traffic only if the content is predictable. However, an adversary can bypass this countermeasure by generating legitimate looking SMS traffic from randomly generated simple texts, e.g.,

“Remember to buy milk on your way home from the office. -Alice”

Note that these and the overwhelming majority of other solutions deployed in response to the SMS vulnerability can be classified as edge solutions. Ineffective by construction because of their lack of context, such solutions try to regulate the traffic flowing from the

Internet into the provider network at its edge.

Limiting the total traffic coming across all interfaces results simply in reduced income under normal operating conditions. For example, a total of 1000 email-generated text messages per second distributed across a nation causes no ill effects to the network and generates significant revenue; however, statistics show that such a volume targeted at one region is more than sufficient to paralyze the network. Rate limitation is largely unattractive even within the core network. The distributed nature of Short Messaging Service Centers (SMSCs), through which all text messages flow, makes it difficult to coordinate real-time filtering in response to targeted attacks. Moreover, because provider networks cover huge geographic areas and consist of many thousands of network elements, any compromised element can be a conduit for malicious traffic. Left unregulated, the connections between provider networks can also be exploited to inject SMS traffic.

Therefore, for the purposes of this discussion, we assume that an adversary is able to successfully submit a large number of text messages into a cellular network. The defenses below are dedicated to protecting the resource that is being exploited in the SMS attack—the bandwidth-constrained SDCCHs. Note that the Internet faces a similar conundrum: once-dominant perimeter defenses are failing in the face of dissolving network borders, e.g., as caused by wireless connectivity and larger and more geographically distributed networks. As is true in the Internet, we must look to techniques providing “defense in depth” to protect telecommunications networks.

Below are traffic analysis techniques to prevent attacks on cellular communication.

Queue Management Techniques

1) Weighted Fair Queuing: Because we cannot rely on rate limitation at the source of messages, we now explore network-based solutions. Fair Queuing is an algorithm that separates flows into individual queues and then apportions bandwidth equally between them. Designed to emulate bit-wise interleaving, Fair Queuing services queues in a round-robin fashion. Packets are transmitted when their calculated interleaved finishing time is the shortest. Building priority into such a system is a simple task of assigning weights to flows. Known as Weighted Fair Queuing (WFQ), this technique can be used to give incoming voice calls priority over SMS.

2) Weighted Random Early Detection: Active queue management has received a great deal of attention as a congestion avoidance mechanism in the Internet. Random Early Detection (RED), one of the better known techniques from this field, is a particularly effective means of coping with potentially damaging quantities of text messages.
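As an added illustration of the two queue management techniques above (not code from the original project), the scheduler below applies WFQ finish-time ordering to a backlog of SDCCH requests and includes the Weighted RED drop-probability ramp. It assumes each request occupies one channel slot and uses constructed traffic labels and weights.

```python
"""Added example, not part of the original project: Weighted Fair Queuing (WFQ)
over SDCCH requests and the Weighted RED drop ramp, on constructed traffic."""
from fractions import Fraction


def wfq_schedule(queues, weights):
    """Order backlogged requests by WFQ virtual finish time.

    queues:  {flow: [request, ...]} in arrival order
    weights: {flow: weight}; a larger weight gets a larger share of the channel
    Assumes every request occupies one SDCCH slot, so a flow's finish time
    advances by 1/weight per request. Returns a list of (flow, request).
    """
    finish = {flow: Fraction(0) for flow in queues}
    tagged = []
    for flow, items in queues.items():
        for item in items:
            finish[flow] += Fraction(1, weights[flow])
            # Exact fractions keep ties exact; the heavier flow wins a tie
            tagged.append((finish[flow], -weights[flow], flow, item))
    tagged.sort(key=lambda t: t[:2])  # stable sort keeps per-flow arrival order
    return [(flow, item) for _, _, flow, item in tagged]


def fifo_schedule(arrivals):
    """Plain FIFO for comparison: requests are served strictly in arrival order."""
    return list(arrivals)


def first_service_slot(order, flow):
    """0-based position at which the first request of `flow` reaches a channel."""
    return next(i for i, (f, _) in enumerate(order) if f == flow)


def wred_drop_probability(avg_len, min_th, max_th, max_p):
    """Weighted RED: no drops below min_th, a linear ramp to max_p at max_th and
    certain drop above it. Giving the SMS class lower thresholds than voice
    makes text messages the first traffic shed as the SDCCH queue grows."""
    if avg_len < min_th:
        return 0.0
    if avg_len >= max_th:
        return 1.0
    return max_p * (avg_len - min_th) / (max_th - min_th)


# Constructed scenario: a burst of 12 SMS deliveries reaches the SDCCH queue
# just ahead of 6 voice call setups.
SMS_BURST = [f"sms-{i}" for i in range(12)]
VOICE_CALLS = [f"voice-{i}" for i in range(6)]
ARRIVALS = [("sms", s) for s in SMS_BURST] + [("voice", v) for v in VOICE_CALLS]
WEIGHTS = {"sms": 1, "voice": 3}  # voice gets three slots for every SMS slot


def demo():
    fifo = fifo_schedule(ARRIVALS)
    wfq = wfq_schedule({"sms": SMS_BURST, "voice": VOICE_CALLS}, WEIGHTS)
    return {
        "fifo_first_voice_slot": first_service_slot(fifo, "voice"),
        "wfq_first_voice_slot": first_service_slot(wfq, "voice"),
        "wfq_first_8": [flow for flow, _ in wfq[:8]],
    }


if __name__ == "__main__":
    print(demo())
    for q in (5, 20, 30):
        print("avg queue", q, "-> SMS drop probability", wred_drop_probability(q, 10, 30, 0.2))
```

Under FIFO the first call setup waits behind the whole SMS burst; under WFQ with a 3:1 weight it is served first and three call setups go out for every text message.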


Chapter 5

GENERATION IN CELLULAR WIRELESS STANDARDS

5.1 1G, 2G, 3G, 4G

Cellular communication has become an important part of communication in daily life. Besides using cell phones for voice communication, we are now able to access the Internet, conduct monetary transactions, send text messages etc. using our cell phones, and new services continue to be added. However, the wireless medium has certain limitations such as open access, limited bandwidth and system complexity. These limitations make it difficult, although possible, to provide security features such as authentication, integrity and confidentiality. In this section we discuss the various generations of cellular communication standards which have evolved over time, provide an overview of their functions and properties, and discuss security issues and mechanisms in cellular standards.

5.1.1 Overview of Standards

First generation (1G) networks were the first cellular networks, introduced in the 1980s. They were only capable of transmitting voice at speeds of about 9.6 kbps. In the US, the system was known as the Advanced Mobile Phone System (AMPS) and in Europe, the Nordic Mobile Telephony (NMT). Both these technologies used analog modulation to transmit data as a continuously varying waveform.

1G systems had some limitations such as no support for encryption, poor sound quality and inefficient use of the spectrum due to their analog nature. Second generation (2G) cellular networks, also known as personal communication services (PCS), introduced the concept of digital modulation, meaning that voice was converted into digital code and then into analog (radio) signals. Being digital, they overcame certain limitations of 1G systems. Various 2G technologies have been deployed around the world. Code Division Multiple Access (CDMA), North American Time Division Multiple Access (NA-TDMA) and digital AMPS (D-AMPS) have been deployed in the US, whereas Global System for Mobile communication (GSM) has been deployed in Europe and the USA, and Personal Digital Cellular (PDC) has been deployed in Japan.

Although 2G systems were a great improvement over 1G, they were only used for voice communication.

The Third generation (3G) standard provides services such as fast Internet surfing, advanced value added services and video telephony. There are three main technologies that are being applied: in the US CDMA2000, in Europe Wideband CDMA (W-CDMA) and in China Time Division-Synchronous Code Division Multiple Access (TD-SCDMA).

The fourth generation (4G) technology, which is currently being designed and developed, is to have data rates of up to 20 Mbps. It will support next generation Internet features such as IPv6, QoS and Mo-IP, lower system cost and high capacity, and will be capable of supporting communication in moving vehicles with speed up to 250 km/hr.

5.2 Evaluation of Parameters of Cellular Standards

1G:

The first generation of public wireless telecom. Analog. Voice only. Since 1980s. Examples: AMPS, NMT, TACS. Frequency: various, 150MHz+

2G:

The second generation of public wireless telecom. Digital, encrypted. Digital data transmission, voice as data; slow data services (SMS text messages). TDMA: GSM, PDC (Japan), iDEN, D-AMPS (IS-136). CDMA: CdmaOne (IS-95). In US, 2G is also called PCS (Personal Communications Service). Higher capacity. 800-2000MHz.

2.x G:

Data service separated from voice; commonly used for WAP, SMS/MMS, and Internet (email, browsing).

GSM: GPRS (56-115kbps); EDGE/EGPRS (236.8kbps) with 8PSK encoding in GSM timeslot.

CDMA2000: 1xRTT (144kbps [80-100kbps]).

3G:

ITU’s IMT-2000: requires data rate > 200kbps. Circuit-switched and packet-switched in parallel.

3GPP’s UMTS (since 2001), coexists with GSM:

UMTS W-CDMA: CDMA/FDD, 384kbps down/up

HSDPA+HSUPA: 14.4Mbps/5.76Mbps

TD-SCDMA (China only)

HSPA+: CDMA/FDD/MIMO, 56Mbps/22Mbps

3GPP2’s CDMA2000 (since 2002), coexists with CdmaOne. EV-DO: CDMA/FDD, completely packet-switched network. EV-DO and voice cannot be used simultaneously.

EV-DO Rev 0, or 1xEV-DO, or just EV-DO: 2.4Mbps down, 153kbps up

EV-DO Rev A: theoretical 3.1Mbps down/1.8Mbps up; actual 500-1000kbps up

EV-DO Rev B: theoretical 14.7Mbps down

3.x G:

Pre-4G (often branded as “4G”). Phones still use 2G GSM/CDMA for voice.

3GPP’s LTE: 100Mbps down, 50Mbps up. OFDMA. Radio interface: E-UTRA (Evolved UMTS Terrestrial Radio Access, previously called HSOPA)

3GPP2: UMB (formerly EV-DO Rev. C): 275Mbps down, 75Mbps up. Qualcomm abandoned development.

IEEE: Mobile WiMAX (802.16e): 128Mbps down and 56Mbps up. OFDMA.

4G:

ITU’s IMT-Advanced: 1Gbps stationary; 100Mbps mobile. Radio technology: OFDMA; core network: all-IP packet-switched

3GPP: LTE Advanced

IEEE: WiMAX 2 (based on 802.16m)

5.3 Security Issues and Mechanisms in Cellular Standards

The infrastructure for cellular networks is massive and complex, with multiple entities coordinating together, such as the IP Internet coordinating with the core network. It therefore presents a challenge for the network to provide security at every possible communication path.

Limitations of Cellular Networks:

Compared to wired networks, wireless cellular networks have a lot of limitations.

1. Open Wireless Access Medium: Since the communication is on the wireless channel, there is no physical barrier that can separate an attacker from the network.

2. Limited Bandwidth: Although wireless bandwidth is increasing continuously, because of channel contention everyone has to share the medium.

3. System Complexity: Wireless systems are more complex due to the need to support mobility and make effective use of the channel. By adding more complexity to systems, new security vulnerabilities can potentially be introduced.

4. Limited Power: Wireless systems consume a lot of power and therefore have a limited battery life.

5. Limited Processing Power: The processors installed on wireless devices are increasing in power, but they are still not powerful enough to carry out intensive processing.

6. Relatively Unreliable Network Connection: The wireless medium is an unreliable medium with a high rate of errors compared to a wired network.

There are several security issues that have to be taken into consideration when deploying a cellular infrastructure.

1. Authentication: Cellular networks have a large number of subscribers, and each has to be authenticated to ensure the right people are using the network. Since the purpose of 3G is to enable people to communicate from anywhere in the world, cross-region and cross-provider authentication becomes an issue.

2. Integrity: With services such as SMS, chat and file transfer, it is important that the data arrives without any modifications.

3. Confidentiality: With the increased use of cellular phones in sensitive communication, there is a need for a secure channel in order to transmit information.

4. Access Control: The cellular device may have files that need restricted access. The device might access a database where some sort of role-based access control is necessary.

5. Operating Systems in Mobile Devices: Cellular phones have evolved from low processing power, ad-hoc supervisors to high power processors and fully fledged operating systems. Some phones may use a Java-based system; others use Microsoft Windows CE and have the same capabilities as a desktop computer. Issues may arise in the OS which might open security holes that can be exploited.

6. Web Services: A web service is a component that provides functionality accessible through the web using the standard HTTP protocol. This opens the cellular device to a variety of security issues such as viruses, buffer overflows, denial of service attacks etc. [19]

7. Location Detection: The actual location of a cellular device needs to be kept hidden for reasons of user privacy. With the move to IP based networks, the issue arises that a user may be associated with an access point and therefore their location might be compromised.

8. Viruses and Malware: With the increased functionality provided in cellular systems, problems prevalent in larger systems such as viruses and malware arise. The first virus that appeared on cellular devices was Liberty. An affected device can also be used to attack the cellular network infrastructure by becoming part of a large-scale denial of service attack.

9. Downloaded Contents: Spyware or adware might be downloaded, causing security issues. Another problem is that of digital rights management. Users might download unauthorized copies of music, videos, wallpapers and games.

10. Device Security: If a device is lost or stolen, it needs to be protected from unauthorized use so that potentially sensitive information such as emails, documents, phone numbers etc. cannot be accessed.

Types of Attacks:

Due to the massive architecture of a cellular network, there are a variety of attacks that the infrastructure is open to.

1. Denial of Service (DoS): This is probably the most potent attack that can bring down the entire network infrastructure. It is caused by sending excessive data to the network, more than the network can handle, resulting in users being unable to access network resources.

2. Channel Jamming: Channel jamming is a technique used by attackers to jam the wireless channel and therefore deny access to any legitimate users in the network.

3. Unauthorized Access: If a proper method of authentication is not deployed then an attacker can gain free access to a network and then use it for services that he might not be authorized for.

4. Eavesdropping: If the traffic on the wireless link is not encrypted then an attacker can eavesdrop and intercept sensitive communication such as confidential calls, sensitive documents etc.

5. Message Forgery: If the communication channel is not secure, then an attacker can intercept messages in both directions and change the content without the users ever knowing.

6. Message Replay: Even if the communication channel is secure, an attacker can intercept an encrypted message and then replay it back at a later time, and the user might not know that the packet received is not the right one.

7. Man in the Middle Attack: An attacker can sit in between a cell phone and an access station, intercept messages between them and change them.

8. Session Hijacking: A malicious user can hijack an already established session and act as a legitimate base station.

Security Mechanisms In 3G – UMTS:

3G-UMTS is the most popular of the architectures. It is built upon the security features of 2G systems so that some of the robust features of 2G systems are retained. The aim of the 3G security architecture is to improve on the security of 2G systems. Any holes present in the 2G systems are to be addressed and fixed. Also, since many new services have been added to 3G systems, the security architecture needs to provide security for these services.

3G Security Architecture:

There are five different sets of features that are part of the architecture:

1. Network Access Security: This feature enables users to securely access services provided by the 3G network. This feature is responsible for providing identity confidentiality, authentication of users, confidentiality, integrity and mobile equipment authentication. User identity confidentiality is obtained by using a temporary identity called the International Mobile User Identity. Authentication is achieved using a challenge response method using a secret key. Confidentiality is obtained by means of a secret Cipher Key (CK) which is exchanged as part of the Authentication and Key Agreement (AKA) process. Integrity is provided using an integrity algorithm and an integrity key (IK). Equipment identification is achieved using the International Mobile Equipment Identifier (IMEI).

2. Network Domain Security: This feature enables nodes in the provider domain to securely exchange signaling data, and prevents attacks on the wired network.

3. User Domain Security: This feature enables a user to securely connect to mobile stations.

4. : This feature enables applications in the user domain and the provider domain to securely exchange messages.

5. Visibility and Configurability of Security: This feature allows users to enquire what security features are available.

The UMTS Authentication and Key Agreement (UMTS AKA) mechanism is responsible for providing authentication and key agreement using the challenge/response mechanism. Challenge/response is a mechanism where one entity in the network proves to another entity that it knows the password without revealing it. There are several instances when this protocol is invoked: when the user first registers with the network, when the network receives a service request, when a location update is sent, on an attach/detach request and on connection re-establishment. The current recommendation by 3GPP for AKA algorithms is MILENAGE. MILENAGE is based on the popular shared secret key algorithm called AES or Rijndael. Readers interested in the AES algorithm are encouraged to look at [Imai06]. AKA provides mutual authentication for the user and the network. Also, the user and the network agree upon a cipher key (CK) and integrity key (IK) which are used until their time expires.
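The challenge/response exchange just described, as an added example that is not the project's code: the authentication centre issues RAND and AUTN, the USIM authenticates the network from AUTN before answering with RES, and both sides end up with CK and IK. HMAC-SHA256 is used here as a stand-in for the MILENAGE functions f1 to f5 (real USIMs run MILENAGE, which is AES based and needs the operator constant OP); the key K and AMF value are constructed.

```python
"""Added example, not the project's code: the UMTS AKA challenge/response exchange.
HMAC-SHA256 stands in for the MILENAGE functions f1..f5 (MILENAGE itself is AES
based and needs the operator constant OP, omitted here)."""
import hashlib
import hmac
import os


def _f(tag, key, *parts, n):
    """Stand-in for one MILENAGE function: domain-separated HMAC truncated to n bytes."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AuthCentre:
    """HLR/AuC: holds the subscriber's long-term key K and the sequence number SQN."""

    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn
        self.amf = b"\x80\x00"  # Authentication Management Field (constructed value)

    def authentication_vector(self, rand=None):
        """Build the quintet (RAND, XRES, CK, IK, AUTN) sent to the serving network."""
        rand = rand or os.urandom(16)
        self.sqn += 1  # fresh SQN per vector: the USIM rejects stale ones
        sqn = self.sqn.to_bytes(6, "big")
        mac = _f(b"f1", self.k, sqn, rand, self.amf, n=8)  # proves the network knows K
        xres = _f(b"f2", self.k, rand, n=8)                 # expected subscriber response
        ck = _f(b"f3", self.k, rand, n=16)                  # cipher key
        ik = _f(b"f4", self.k, rand, n=16)                  # integrity key
        ak = _f(b"f5", self.k, rand, n=6)                   # anonymity key conceals SQN
        autn = _xor(sqn, ak) + self.amf + mac
        return rand, xres, ck, ik, autn


class USIM:
    """Subscriber side: same K; remembers the highest SQN accepted so far."""

    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def respond(self, rand, autn):
        """Verify AUTN (authenticates the network), then derive RES, CK and IK."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_bytes = _xor(sqn_xor_ak, _f(b"f5", self.k, rand, n=6))
        xmac = _f(b"f1", self.k, sqn_bytes, rand, amf, n=8)
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC failure: challenge not from a network holding K")
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:
            raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
        self.sqn = sqn
        return (_f(b"f2", self.k, rand, n=8),
                _f(b"f3", self.k, rand, n=16),
                _f(b"f4", self.k, rand, n=16))


def run_aka(auc, usim, rand=None):
    """Serving network (VLR/SGSN) role: challenge with RAND||AUTN, compare RES to XRES.
    On success both sides hold the same CK and IK; K never leaves the USIM or AuC."""
    rand, xres, ck, ik, autn = auc.authentication_vector(rand)
    res, ck_u, ik_u = usim.respond(rand, autn)
    if not hmac.compare_digest(res, xres):
        raise ValueError("RES mismatch: subscriber not authenticated")
    if (ck, ik) != (ck_u, ik_u):
        raise ValueError("key agreement failed")
    return ck, ik


def challenge_accepted(usim, rand, autn):
    """True if the USIM accepts the challenge, False if it reports a failure."""
    try:
        usim.respond(rand, autn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    K = bytes(range(16))  # constructed 128-bit subscriber key
    auc, usim = AuthCentre(K), USIM(K)
    ck, ik = run_aka(auc, usim)
    print("CK", ck.hex(), "IK", ik.hex())
    rand, _, _, _, autn = auc.authentication_vector()
    print("first use accepted:", challenge_accepted(usim, rand, autn))
    print("replay accepted:", challenge_accepted(usim, rand, autn))
```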

Control signaling communication between the mobile station and the network is sensitive and therefore its integrity must be protected. This is done using the UMTS Integrity Algorithm (UIA), which is implemented both in the mobile station and the RNC. This is known as the f9 algorithm. Figure 16 [18] shows the application of this algorithm. First, the f9 algorithm in the user equipment calculates a 32 bit MAC-I for data integrity using the signaling message as an input parameter. This, along with the original signaling message, is sent to the RNC, where the XMAC-I is calculated and then compared to the MAC-I. If both are the same, then we know that the integrity of the message has not been compromised.

Figure 16: Signaling Data Integrity Mechanism

The confidentiality algorithm is known as f8 and it operates on the signaling data as well as the user data. Figure 17 [18] shows the application of this algorithm. The user's device uses a Cipher Key CK and some other information and calculates an output bit stream. Then this output stream is XORed bit by bit with the data stream to generate a cipher stream. This stream is then transmitted to the RNC, where the RNC uses the same CK and input as the user's device and the f8 algorithm to calculate the output stream. This is then XORed with the cipher stream to get the original data stream. [18]
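The f9 integrity check and the f8 keystream XOR described above, as an added example that is not the project's code: the UE computes MAC-I, the RNC recomputes XMAC-I and rejects a modified or out-of-sequence message, and the same keystream applied twice restores the user data. HMAC-SHA256 stands in for KASUMI (on which the real UEA1/UIA1 algorithms are built); the keys, COUNT, FRESH and BEARER values are constructed.

```python
"""Added example, not the project's code: the f9 integrity check (MAC-I / XMAC-I)
and the f8 keystream XOR. HMAC-SHA256 stands in for KASUMI, on which the real
UEA1 (f8) and UIA1 (f9) algorithms are built."""
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1


def f8_keystream(ck, count_c, bearer, direction, length):
    """Keystream from CK and the per-frame inputs COUNT-C, BEARER and DIRECTION.
    Block i is PRF(CK, inputs || i). Both ends feed in the same values, and
    COUNT-C must never repeat under one CK or two frames share a keystream."""
    inputs = struct.pack(">IBB", count_c, bearer, direction)
    stream = b""
    for i in range((length + 31) // 32):
        stream += hmac.new(ck, inputs + struct.pack(">I", i), hashlib.sha256).digest()
    return stream[:length]


def f8(ck, count_c, bearer, direction, data):
    """Encrypt or decrypt: XOR the data stream bit by bit with the keystream.
    Applying it twice with the same inputs restores the original data."""
    keystream = f8_keystream(ck, count_c, bearer, direction, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def f9(ik, count_i, fresh, direction, message):
    """32-bit MAC-I over a signalling message, bound to COUNT-I, FRESH and DIRECTION
    so a captured message cannot be replayed into a later slot."""
    inputs = struct.pack(">IIB", count_i, fresh, direction)
    return hmac.new(ik, inputs + message, hashlib.sha256).digest()[:4]


def rnc_verify(ik, count_i, fresh, direction, message, mac_i):
    """RNC side: recompute XMAC-I and compare it with the received MAC-I."""
    xmac_i = f9(ik, count_i, fresh, direction, message)
    return hmac.compare_digest(xmac_i, mac_i)


def demo():
    ck = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed CK
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed IK
    msg = b"RRC CONNECTION SETUP COMPLETE"  # constructed signalling message
    fresh = 0xC0FFEE  # network-chosen nonce for this connection (constructed)

    # Integrity: the UE sends msg || MAC-I; the RNC recomputes XMAC-I.
    mac_i = f9(ik, 7, fresh, UPLINK, msg)
    ok = rnc_verify(ik, 7, fresh, UPLINK, msg, mac_i)
    tampered = msg.replace(b"SETUP", b"REJECT")
    tamper_caught = not rnc_verify(ik, 7, fresh, UPLINK, tampered, mac_i)
    replay_caught = not rnc_verify(ik, 8, fresh, UPLINK, msg, mac_i)  # COUNT-I moved on

    # Confidentiality: same CK, COUNT-C, BEARER and DIRECTION on both sides.
    user_data = b"smart meter reading: 1234 kWh"  # constructed user-plane payload
    cipher = f8(ck, 42, 5, UPLINK, user_data)
    plain = f8(ck, 42, 5, UPLINK, cipher)
    return {"integrity_ok": ok, "tamper_caught": tamper_caught,
            "replay_caught": replay_caught, "cipher_differs": cipher != user_data,
            "decrypted": plain}


if __name__ == "__main__":
    print(demo())
```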


Figure 17: Air Interface Confidentiality Mechanism

KASUMI has eight rounds of processing, with the plaintext (which can be any form of data) as input to the first round and the ciphertext as the result after the last round. An encryption key is used to generate round keys (KLi, KOi, KIi) for each round i. Each round calculates a separate function since the round keys are different. The same algorithm is used for encryption and decryption. The KASUMI cipher is based on the MISTY1 cipher, which was chosen by 3GPP due to its proven security against many advanced cipher breaking techniques. It has been optimized for hardware implementation, which is important considering the hardware constraints of cellular devices, such as limited power and limited memory. As shown in Figure 18 [20], the round function f consists of the sub-functions FLi and FOi. FL is a simple function consisting of shifts and logical operations. The FO function is much more complicated; it is itself based on the Feistel structure and consists of three rounds. [20]

Figure 18: KASUMI Block Cipher

5.4 Wireless Application Protocol (WAP)

Since one of the most important services provided by 3G systems is access to the Internet, it is important to understand the security mechanisms of the protocol used to access the Internet. WAP is an open specification which enables mobile users to access the Internet. This protocol is independent of the underlying network, e.g. WCDMA, CDMA2000 etc., and also independent of the underlying operating system, e.g. Windows CE, PALM OS etc. The first generation is known as WAP1, which was released in 1998. WAP1 assumes that the mobile devices are low on power and other resources, and therefore the devices can be simple while sharing the security responsibilities with the gateway devices. The second generation is known as WAP2 and was released in 2002. WAP2 assumes that the mobile devices are powerful and can therefore directly communicate with the servers. Figure 19 [18] shows the protocol stack for WAP1 and WAP2.

Figure 19: WAP1, WAP 2 Protocol Stack

A brief description of each layer is as follows:

1. Wireless Application Environment (WAE): This provides an environment for running web applications or other WAP applications.

2. Wireless Session Protocol (WSP): This is similar to the HTTP protocol and provides data transmissions with small sizes so that WAP1 clients can process the data with less complexity.

3. Wireless Transaction Protocol (WTP): This is responsible for providing reliability.

4. Wireless Security (WTLS): This is responsible for providing security features such as authentication, confidentiality, integrity etc. between a WAP1 client and the WAP gateway.

5. Wireless Protocol (WDP): This provides the underlying transport service.

6. Hypertext Transfer Protocol (HTTP): A standard protocol used to transmit web pages.

7. (TLS): This layer provides security features such as authentication, confidentiality, integrity etc. In WAP1, this is between the WAP1 gateway and the server. In WAP2 this is between the WAP2 client and the server.

8. Transport Control Protocol (TCP): Standard transport protocol used to provide reliability over IP.

9. (IP): Protocol used to route data in a network.

10. Bearer Protocol: This is the lowest level protocol and can be any wireless technique such as GSM, CDMA etc.

Cipher Suite in WTLS: This suite provides a key-establishment protocol, a bulk encryption algorithm and a MAC algorithm. In SSL/TLS these are used together; in WTLS each can be used independently.

Key Exchange Suite: This protocol is responsible for establishing a secret key between a client and the server. An example is the RSA key suite, which consists of the following steps: the WAP gateway sends a certificate consisting of the gateway's RSA public key and signed by the certification authority's private key. The client checks the validity of the certificate authority's signature. If invalid, the communication is aborted. If valid, the user generates a secret value and encrypts it with the gateway's public key. Both sides can then calculate their common keys using the secret value.

Bulk Encryption and MAC Suite: Bulk encryption is used for data confidentiality and the MAC is used for integrity. The common key that we calculated in the key exchange suite can be used for both purposes. For bulk encryption, algorithms such as DES, 3DES, IDEA and RC5 are used. For integrity WTLS uses the HMAC algorithm, which uses either SHA-1 or MD5 twice.

WAP-Profiled TLS: WAP2 uses the WAP profiled TLS, which consists of a cipher suite, authentication suite, tunneling capability and session identification and session resume. The cipher suite consists of key establishment (e.g. RSA), encryption (e.g. DES) and integrity (SHA-1 for MAC calculation). A session identifier is chosen by the server to identify a particular session with the client. Server and client authentication is done using certificates similar to WTLS. Tunneling is a mechanism set up between the client and the server so that they can communicate even if the underlying network layers are different.

WAP Identity Module: WIM (WAP Identity Module) is a method of identification in WAP. This enables the device to separate its identification from WAP, so a device can be updated without any changes made to the telephone number or billing information. WIM provides operations such as key generation, random numbers, signing, decryption, key exchange, storing certificates etc.

A Look at Security in 4G:

4G is the next generation after 3G. Some of the 4G services talked about are incorporating quality of service (QoS) and mobility. There is also a concept of always best connected, which means that the terminal will always select the best possible access available. 4G will also make use of the IPv6 address scheme. This might make it possible for each cell device to have its own IP address. Currently, the problem of security is solved by using multiple layers of encryption in the protocol stack. There are disadvantages in this scheme such as wasted power, wasted energy and a larger transmission delay. In 4G there will be a concept of interlayer security where only one layer will be configured to do encryption on data. [21]

Chapter 6

COMPARISON OF CANDIDATE NETWORK PROTOCOLS FOR NAN

6.1 Introduction

When we consider the network protocols which are in contention for implementing the Neighborhood Area Network, they can be classified, based on the type of connectivity, as wired and wireless networks. Cellular networks, which fall under the category of wireless networks, are relatively cheaper to implement, scalable, have a wider coverage area, and there are no cables hanging around as with wired networks; set up is easy and does not require a great deal of networking experience. Cellular and wireless networks have many other advantages over wired networks: mobility, being more flexible, easier to use and economical to deploy and maintain. On the downside they are not as reliable and secure as wired networks. They also have potential radio interference due to obstacles, weather and other wireless devices. For wireless networks the medium of transmission is electromagnetic radiation, and wireless devices are constrained to operate in a certain frequency band. Each band has an associated bandwidth, which is simply the amount of frequency space in the band. Advantages of wired networks include reliability, quality of service, security, cost effectiveness and speed, while the disadvantages include difficulty in installation, scalability slowing down the network, and disorganized cables requiring more maintenance. Let us first consider the players in the wireless category for communication protocols for Smart Grid.

For Smart Grid, a careful choice has to be made in selecting a protocol for the data and control information exchanges. This information exchange involves highly confidential consumer information, so customer privacy has to be protected. As far as the control information is concerned, security is the highest priority; if misused, it would lead to financial loss and could sometimes prove fatal.

With the above discussed points in consideration, we could consider the following protocols that could find a place in the communication of Smart Grid. They are IEEE 802.11, 802.15.4 and 802.16, ANSI C12.22, 3G, Mesh Networks, optical fiber communication, and power line communication.

6.2 IEEE 802.11

IEEE 802.11 is the set of standards defining wireless communications operating in the 2.4GHz, 3.6GHz or 5GHz frequency bands. These are defined and updated by the IEEE LAN/MAN standards committee. IEEE 802.11 includes Wi-Fi [Wireless Fidelity] and its faster cousin IEEE 802.11g. The current version is IEEE 802.11-2007 and other common and most implemented versions are IEEE 802.11a, b, g and n. IEEE 802.11 uses the radio wave. The bands of operation of these protocols are set by the ITU [International Union] for radio communication. The ISM [Industry, Scientific and Medical] bands are usually license-free provided that the devices are low-power. IEEE 802.11b/g operates at 2.4GHz, while IEEE 802.11a operates at 5GHz.

A summary of the standard, speed associated and the frequency band is reported in 1

IEEE Standard   Speed               Frequency Band
802.11          1 Mbps, 2 Mbps      2.4 GHz
802.11a         Up to 54 Mbps       5 GHz
802.11b         5.5 Mbps, 11 Mbps   2.4 GHz
802.11g         Up to 54 Mbps       2.4 GHz
802.11n         Up to 300 Mbps      2.4/5 GHz

Table 2: IEEE 802.11 Standards and its Variations

IEEE 802.11 adds a number of management features to differentiate it from wired networks. They have a 48 bit MAC [Media Access Control] address and they look like the network interface cards. These addresses are from the same address pool as that of Ethernet, to maintain uniqueness and compatibility when wireless networks are deployed in networks which also contain a wired network.

802.11 FRAMING

Framing in wireless is not as simple as in the wired case since it involves several management features. There are three types of frames, namely:

DATA FRAMES

Data frames could be of different types depending on the network and function, and they carry data from station to station. One type could be data used for contention-based service or contention-free service. The other type could be one which carries frames that perform management functions. A generic data frame format is shown in Figure 20 [22].

Figure 20: Generic Data Frame

As shown in Figure 20 [22], the data frame contains frame control, sequence control and FCS fields. The FCS field is referred to as the cyclic redundancy check because of the underlying mathematical operations. The Sequence Control field is a 16 bit field which is used for defragmentation and disregarding duplicate frames. The Sequence Control field has two parts: a four bit field is the fragment number and the remaining 12 bits are the sequence number [See Figure 20] [22]. The Frame Control field has many other components, as shown in Figure 21.

Figure 21: Frame Control field

The Protocol Version field indicates the version of the 802.11 MAC contained in the frame. The Type and Sub Type fields indicate the type and subtype of the frame. ToDS and FromDS indicate whether the frame is destined for a distribution system. The Power Management field indicates whether the station will be in a power saving mode or not after the exchange of the current frame. The Protected Frame field indicates whether protection is enabled or not. The Order bit indicates whether strict ordering delivery is implemented or not.
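To make the field layout above concrete, here is an added example (not from the original project) that decodes the Frame Control and Sequence Control fields of a generic data frame and checks its FCS as a CRC-32, so that a corrupted or unprotected frame is reported rather than silently accepted. The frame bytes and addresses are constructed, and the FCS byte order follows what packet captures show.

```python
"""Added example, not from the original project: decode the 802.11 Frame Control
and Sequence Control fields of a generic data frame and verify its FCS (CRC-32)."""
import struct
import zlib

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def parse_frame_control(fc):
    """Frame Control is 16 bits sent little-endian: version, type, subtype, flags."""
    b0, b1 = fc[0], fc[1]
    return {
        "protocol_version": b0 & 0x03,
        "type": TYPE_NAMES[(b0 >> 2) & 0x03],
        "subtype": (b0 >> 4) & 0x0F,
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_fragments": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "power_management": bool(b1 & 0x10),
        "more_data": bool(b1 & 0x20),
        "protected_frame": bool(b1 & 0x40),
        "order": bool(b1 & 0x80),
    }


def parse_sequence_control(sc):
    """16-bit field: low 4 bits are the fragment number, high 12 bits the sequence number."""
    value, = struct.unpack("<H", sc)
    return {"fragment_number": value & 0x0F, "sequence_number": value >> 4}


def build_data_frame(fc, duration, addr1, addr2, addr3, seq, frag, body):
    """Assemble header || body || FCS. The FCS is CRC-32 over everything before it,
    appended least-significant byte first (the order seen in packet captures)."""
    header = fc + struct.pack("<H", duration) + addr1 + addr2 + addr3
    header += struct.pack("<H", (seq << 4) | frag)
    frame = header + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def parse_data_frame(frame):
    """Split a generic data frame (24-byte header) and verify its FCS."""
    if len(frame) < 28:
        raise ValueError("frame shorter than 24-byte header plus 4-byte FCS")
    fc = parse_frame_control(frame[0:2])
    duration, = struct.unpack("<H", frame[2:4])
    addrs = [frame[i:i + 6].hex(":") for i in (4, 10, 16)]
    seq = parse_sequence_control(frame[22:24])
    body, fcs = frame[24:-4], frame[-4:]
    expected = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return {**fc, "duration": duration,
            "addr1": addrs[0], "addr2": addrs[1], "addr3": addrs[2],
            **seq, "body": body, "fcs_ok": fcs == expected}


# Constructed sample: a protected data frame from a station towards the DS
# (ToDS=1, Protected Frame=1); addresses are locally administered test values.
SAMPLE = build_data_frame(
    fc=bytes([0x08, 0x41]), duration=44,
    addr1=bytes.fromhex("020000000001"),
    addr2=bytes.fromhex("020000000002"),
    addr3=bytes.fromhex("020000000003"),
    seq=291, frag=10, body=b"\x00" * 8 + b"opaque payload")


def demo():
    """Parse the sample, then the same frame with one body bit flipped in transit."""
    good = parse_data_frame(SAMPLE)
    damaged = bytearray(SAMPLE)
    damaged[30] ^= 0x01
    return good, parse_data_frame(bytes(damaged))


if __name__ == "__main__":
    good, bad = demo()
    print({k: v for k, v in good.items() if k != "body"})
    print("damaged frame FCS ok:", bad["fcs_ok"])
```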

CONTROL FRAMES: These perform area-clearing operations, channel acquisition, positive acknowledgement and carrier sensing maintenance functions. They use the same fields as the frame control field [See Figure 21] [22].

MANAGEMENT FRAMES: These perform functions which take care of joining and leaving the networks and moving the association from access point to access point. This is done by splitting the procedure into three parts. First, the mobile station must locate a compatible wireless network to use for access. Next, it must be authenticated with the network to get itself identified and connect to the network. Finally, a mobile station will be associated with a network to gain access.

802.11 SECURITY ARCHITECTURE

One of the major features of wireless networks is the ease of connection. This is because 802.11 networks announce their existence with the aid of frames. To protect against unauthorized access to the network we have to apply access control. It could be done at various steps as follows:

STATION AUTHENTICATION: Before joining an 802.11 network, station authentication is performed using shared key authentication or sometimes using MAC address filtering to filter out unauthorized clients by MAC address.

LINK LAYER SECURITY: Link-layer authentication is transparent to network protocols, and will work for any network protocol chosen. Networks are increasingly homogenous and are based on IP. Link-layer authentication can be used to secure both IP and IPX. Link layer security has a very small footprint and can be easily integrated with the network interface cards, access point devices and mobile devices. WPA is an industry standard for providing strong link layer security to WLANs, and supports two authenticated key management protocols using the Extensible Authentication Protocol [EAP]. WPA also requires data frame encryption using TKIP [Temporal Key Integrity Protocol] and message integrity using a Message Integrity Check [MIC].

NETWORK OR TRANSPORT LAYER SECURITY: Network layer security provides end-to-end security across a routed network and can provide authentication, data integrity, and encryption services. These services are provided for IP traffic only. IPSec is a standard network layer security protocol which provides a standard and extensible method to secure the network layer (IP) and upper layer protocols such as TCP and UDP. It can also be used between routers or IPSec gateways. Firewalls can be used to isolate untrusted networks and authenticate users. Also, VPN termination devices can supply encryption over untrusted networks. [5]

6.3 IEEE 802.16

WiMAX [Worldwide for Access] is a trade name for IEEE

802.16 standard. WiMAX provides wireless transmission of data in variety of modes from a point to multi-point links. It is also called as the Connectivity of

Broadband Wireless Access [BWA] with a range of around 30 miles and a data transfer rate of up to 280Mbps with the ability to support data, voice and video. Its operating range is anywhere from 2GHz to 66GHz. It does not require LOS [Line Of Sight]. A version of IEEE 802.16 which is IEEE 802.16e adds mobility features operating in the range of 2-11 GHz license bands. Hence it allows fixed and mobile non Line of Sight

[NLOS] applications primarily to enhance OFDMA [Orthogonal Frequency Division

Multiple Access]. To summarize the salient feature of WiMAX are:

• It enhances orthogonal Frequency Division Multiple Access [OFDMA] by allowing fixed and mobile Non Line of Sight [NLOS] applications.

• QUALITY OF SERVICE [QoS]

• HIGH DATA RATES: Multiple Input and Multiple Output [MIMO] along with flexible sub-channelization schemes, coding and adaptive modulation help mobile WiMAX technology to support downlink [DL] data rates up to 128 Mbps per sector and peak uplink [UL] data rates up to 56Mbps per sector in 20MHz bandwidth.

• SCALABILITY: Mobile WiMAX has the capability of operating in scalable bandwidths from 1.25 to 20MHz by utilizing Scalable OFDMA [SOFDMA].

• SECURITY: The most advanced security features include Extensible Authentication Protocol [EAP], Advanced Encryption Standard [AES], Cipher Based Message Authentication Code [CMAC] and Hashed Message Authentication Code [HMAC].

A WiMAX system has two major components:

• BASE STATION: consists of high speed electronics and a tower like a cell-phone tower. The base station provides coverage over an area called a cell, which has a maximum radius of up to 30 miles.

• RECEIVER: could be an antenna, a stand-alone box or a PCMCIA [Personal Computer Memory Card International Association] card in a computer. This is also referred to as Customer Premise Equipment [CPE].

IEEE 802.16e just provides an air interface, but the end-to-end WiMAX network is defined by the WiMAX Forum's Network Working Group [NWG], which is responsible for developing requirements, architecture and protocols for WiMAX using IEEE 802.16e-2005 as the air interface.

IP BASED WIMAX NETWORK ARCHITECTURE:

The overall network [See Figure 22] [23] could be divided into the following logical parts for an IP based WiMAX Network Architecture:

• MOBILE STATIONS [MS]: used by end users to access the network.

• BASE STATIONS [BS]: responsible for providing the air interface to the mobile stations. Also responsible for features like key management, session management and Dynamic Host Configuration Protocol [DHCP] proxy.

Figure 22: IP based WiMAX Network Architecture

• ACCESS SERVICE NETWORK [ASN]: comprises more than one base station and more than one access service network gateway, which together form the radio access network [RAN]. Functions of the Access Service Network gateway include intra-ASN location management and paging, radio resource management and admission control, caching of subscriber profiles and encryption keys, establishment and management of mobility tunnels with base stations, Quality of Service [QoS] and policy enforcement, and routing to the selected connectivity service network [CSN].

• CONNECTIVITY SERVICE NETWORK [CSN]: provides connectivity to the internet, public networks and corporate networks. It also handles per-user policy management, security and IP address management.

WiMAX network is based on the following principles [23]:

• SPECTRUM: allows WiMAX network to be deployed in both licensed and unlicensed spectra.

• TOPOLOGY: supports Radio Access Network [RAN] topologies.

• Enables internetworking with WiFi and 3GPP [3rd Generation Partnership Project, which is responsible for the specification, maintenance and development of the Global System for Mobile Communication [GSM]].

• IP CONNECTIVITY: supports IPv4 and IPv6 network interconnects in clients and application servers.

• MOBILITY MANAGEMENT: supports both fixed and mobile access and broadband multimedia services delivery.

WIMAX SECURITY:

Security is handled by the Privacy Sublayer of the WiMAX MAC. The primary features of WiMAX security are as follows:

• PRIVACY: The most advanced encryption standards, such as Advanced Encryption Standard [AES] and 3DES [Triple Data Encryption Standard], are supported. In addition, 128 bit and 256 bit keys are used for deriving the cipher during the authentication phase, and these are periodically refreshed.

• AUTHENTICATION: To prevent unauthorized access, a flexible means for authenticating the subscriber stations and users is provided. This authentication is based on the Internet Engineering Task Force [IETF] Extensible Authentication Protocol [EAP], which supports different types of credentials such as username and password, digital certificates like X.509 (which carry the username and MAC address) and smart cards.

• KEY MANAGEMENT: The keys are transferred securely from the base stations to the mobile stations using the Privacy and Key Management Protocol version 2 [PKMv2], which involves periodic reauthorization and refreshing of the keys.

• INTEGRITY: The integrity of the control messages is protected using different message digest schemes like AES-based CMAC [Cipher Based Message Authentication Code] or MD5-based HMAC [Hashed Message Authentication Code]. [23]

6.4 IEEE 802.15.4

The IEEE 802.15.4 based wireless networking standard has emerged as a key to robust, reliable and secure Home Area Network [HAN] deployments. One of the major players in HAN for Smart Grid is ZigBee, which is based on the IEEE 802.15.4 standard. IEEE 802.15.4 defines the physical and medium access control [MAC] layers for low data rate, short range wireless communication. Operation is defined in both the sub 1GHz and 2.4 GHz frequency bands, supporting Direct Sequence Spread Spectrum [DSSS] signaling with a raw data throughput of 250Kbps, and devices can transmit point to point over ranges anywhere from tens to hundreds of meters depending on the output power and receive sensitivity of the transceiver. Applications of IEEE 802.15.4 include light control systems, environmental and agricultural monitoring, energy management and comfort functions, automatic meter reading systems, industrial applications, and alarm and security systems.

IEEE 802.15.4 DEVICES

An IEEE 802.15.4 network has only one personal area network [PAN] coordinator. There are two types of devices described in the specification that communicate together to form different network topologies: the full function device [FFD] and the reduced function device [RFD]. An FFD is a device capable of operating as a coordinator and implementing the complete protocol set. An RFD is a device operating with a minimal implementation of the IEEE 802.15.4 protocol. An RFD can connect only to an FFD, whereas an FFD can connect to both FFDs and RFDs. The PAN coordinator is the main controller of the network and can initiate or terminate a connection.

IEEE 802.15.4 SECURITY [24]

IEEE 802.15.4 supports both a secure and a non-secure mode. Secure mode devices use AES to implement the following services:

• ACCESS CONTROL: This enables the device to accept frames from authentic sources only.

• DATA INTEGRITY: The beacon, data, and command frames are encrypted using the AES encryption algorithm. The AES algorithm is used not only for encryption but also to validate the data sent. This is achieved using a Message Integrity Code [MIC], also called a Message Authentication Code [MAC]. The MAC can be of different sizes: 32, 64 and 128 bits. This MAC is created by encrypting parts of the MAC frame using the key of the network, so if a message is received from a non-trusted node, the MAC carried in the sent message does not correspond to the one that would be generated over the message with the current secret key, and the message is discarded.

• FRAME INTEGRITY: Ensures that the frames are received from a device that has the key and that the data is protected from modification without the key. Frame integrity is provided to the beacon, data and command payload using a message integrity code [MIC].

• SEQUENTIAL FRESHNESS: This prevents replay attacks using a replay counter; a frame whose counter value is equal to or less than the previously received counter value is rejected.


6.5 Power Line Communication

Power line communication [PLC] uses the existing power lines from the utility office to the home, and within a home/building, to transmit data from one device to another. With better power line solutions, one can communicate using the existing wiring infrastructure without rewiring or modifications, which makes it a cost effective means of networking devices. One of the requirements of PLC is that it requires high frequency. The current lines are designed at 50Hz to 400Hz and are noisy and unreliable. The legal restrictions on the frequency band limit the data rates. There are quite a few challenges associated with communicating over the power lines. Power loss on these lines is directly proportional to the square of the current and to distance. Different protocols like the X10 protocol, CE protocol and LonWorks protocol were used, but poor bandwidth utilization, low data rates (60 bps to 10 Kbps) and frequency band restrictions made them unqualified for implementation. HomePlug 1.0 was introduced to mitigate the unpredictable noise and provides an Ethernet class network on the existing power lines with a data rate in the range of 1 to 14 Mbps. Currently research is carried out to achieve higher data rates up to 100 Mbps, which are necessary for applications like HDTV. The quality of the transmitted signal depends on the number of devices (air conditioner, hair dryer) that are switched on at a particular time. The quality of the signal may also depend on the wiring architecture and the distance between the receiver and the transmitter. The key characteristics that are considered to evaluate the performance of power line communications are:

1) Total number of components to complete a communication device and the cost associated with it. This includes the cost of implementing an appropriate power supply.

2) The frequency spectrum it uses for communication and its compliance with regulations.

3) Communication performance in the presence of noisy devices like hair dryers, which sometimes make it impossible for the receivers to decode the transmitted signal due to high signal distortion.

The applications of power line communication could be as follows:

1) HOME AUTOMATION: PLC could be used to connect home devices that have an Ethernet port using Powerline adapters. The Powerline adapters plug into the wall outlet and then are connected using CAT5 cables to the home routers. All the devices would have a receiver system and each receiver in the system has an address that can be individually commanded by the signals transmitted over the household wiring and decoded at the receiver.

2) INTERNET ACCESS (Broadband over Power Line [BPL]): BPL is internet over power lines and has many advantages over DSL or cable internet. The most obvious is the already existing ubiquitous wiring architecture. The wiring architecture reduces the cost of running Ethernet cables in buildings and overcomes the disadvantages of wireless networks, which are security, limited maximum throughput and inability to power devices efficiently.

3) AUTOMOTIVE: Power-line technology enables in-vehicle communication network of data, voice, music and video signals by digital means over direct current [DC] battery power-line.

Major disadvantages of PLC are signal errors due to interference and attenuation. Interference from nearby devices causes signal degradation, and active devices like transformers and DC-DC converters and passive devices like relays and transistors cause signal attenuation. This might corrupt the data and/or control signals between the utility offices and the customers. [25]

6.6 Optical Fiber Communication

Optical Fiber Communication [OFC] is a technique of sending data or information from one place to another by sending light pulses through an optical fiber. The light acts as the carrier which is modulated to carry the information signal. The transmission of information involves these basic steps: creating an optical signal to carry the information using a transmitter, relaying the signal over the optical fiber, ensuring the signal does not weaken before it reaches the destination, and receiving the data and converting it to an electrical signal at the destination.

Optical fiber communication offers lower attenuation and interference and hence has an advantage over electrical transmission for long distances. OFC finds its application in telecommunication, television and internet signal transmissions. However, the disadvantage of OFC is that it is very complex and expensive to install the required infrastructure. OFC is chosen when the system requirements are high bandwidth and long distance communication. OFC can replace thousands of electrical links with a single higher bandwidth fiber. OFC has extremely low loss and effectively no crosstalk, which are its major advantages over electrical transmission lines.

Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) are multiplexing WAN protocols which enable the transport of multiple digital bit streams across the same optical fiber by using Light Emitting Diodes (LEDs) or lasers. SONET and SDH are closely related protocols that are based on circuit mode communication.

SONET/SDH enables various ISPs to share the same optical fiber simultaneously without interrupting each other's traffic load. They are physical layer protocols which offer continuous connections without involving packet mode communication, and are classed as time division multiplexing (TDM) protocols. Optical Carriers are typically known by their OC-x number, where x is a multiple of the OC-1 rate of 51.84 Mbps; the OC-768 rate is 40Gbits/s. [26]

6.7 Wireless Mesh Networks

Wireless Mesh Networks [WMN] are multi-hop wireless networks formed by mesh routers and mesh clients [See Figure 23]. Wireless mesh networking has emerged as a promising concept to meet the challenges in next-generation wireless networks, such as providing a flexible, adaptive and reconfigurable architecture while offering cost-effective solutions to service providers.

Figure 23: Wireless Mesh Network [28]

The core nodes are the mesh routers, which form a wireless mesh backbone among the nodes. The mesh routers provide rich radio mesh connectivity, which significantly reduces the up-front deployment cost and subsequent maintenance cost. They have limited mobility and forward the packets received from the clients to the gateway router, which is connected to the backhaul network/internet. In addition to the conventional router functions, mesh routers enable mesh networking and have multiple interfaces of the same or different communications technologies based on the requirement. They achieve more coverage with the same transmission power by using multi-hop communication through other mesh routers.

The physical layer in a WMN uses techniques like orthogonal frequency division multiplexing [OFDM], ultra wide band [UWB], Multiple-input Multiple-output [MIMO] and Smart Antenna technologies to improve the capacity of the WMN. The Medium Access Control [MAC] protocols for wireless networks are limited to single-hop communication, while the routing protocols use multi-hop communication. Hence, the MAC protocols are categorized as single channel and multi channel MAC. [28]

The single channel MAC protocols make use of a few variations of contention based protocols: a general contention based protocol, a contention based protocol with a reservation mechanism, and/or a contention based protocol with a scheduling mechanism.

Multi-channel MAC protocol is a link layer protocol where each node is provided with only one interface, but to utilize the advantage of multi-channel communication, the interface switches among different channels automatically [29].

Wireless mesh networks are considered for a wide range of applications such as backhaul connectivity for cellular radio access networking, building automation, intelligent transport system networks, defense systems and surveillance systems.

The existing wireless networking technologies such as IEEE 802.11, IEEE 802.15 and IEEE 802.16 are used to implement WMNs.

6.8 Cellular Network Over Other candidates

In order to achieve an efficient, scalable and cost effective implementation of Neighborhood Area Network, Cellular communication would be the best choice since it fares well against its competitors.

Wi-Fi vs. Cellular:

As discussed in previous sections, when IEEE 802.11/Wi-Fi is applied to the smart devices and meters of Smart Grid, it gives a satisfactory data transfer rate and security and provides a cost effective solution. But it has a very small coverage area; a range of only up to half a mile is possible with WiFi. This is unacceptable for NAN implementation, since smart devices and meters across consumer homes and businesses have to support a minimum of tens of miles of coverage to communicate with utility offices in the neighborhood. Cellular communication, on the upside, has a giant infrastructure to provide an excellent coverage area, and with 3G and 4G standards it can provide high bandwidth data transfer for several miles.

Wi-Max vs. Cellular:

IEEE 802.16/Wi-Max tries to overcome the downside of Wi-Fi in terms of coverage area. It has a range of up to 30-40 miles, can provide IP based communication, and offers satisfactory data transfer rates (30Mbps) for implementing NAN. This is indeed a strong contender and competes closely with the Cellular network. The only downside of Wi-Max seems to be high installation and maintenance costs. The equipment and devices of the WiMax infrastructure are expensive and still not mass produced, unlike Cellular network communication devices, which are widely used and available cheaply. With the application of the 4G network, the cellular network is able to provide IP based communication with higher security and bandwidth, which makes it a perfect match to implement NAN. [30]

IEEE 802.15.4 has the advantages of low power consumption and cost of operation, but suffers heavily in providing the wide coverage and high data transfer rate which NAN demands.

Optical Fiber vs. Cellular:

Optical fiber links/lines provide a sufficient data transfer rate, a wide range of coverage and optimal security mechanisms. But they fail to match Cellular networks when it comes to cost of installation and maintenance. Optical fiber links require high costs to install dedicated lines for the sole purpose of implementing NAN, and high recurring costs of maintenance. On the other hand, implementation of NAN through Cellular networks requires no dedicated lines or paths. Association with existing cellular carriers and a few additions or upgrades to the already built infrastructure will bring communication between the smart devices and meters and the utilities. [5]

Power lines vs. Cellular:

Addition of communication devices to the existing, in-place power grid to enable two way communications between the smart devices, meters and the utility offices would require a complete re-model of the existing infrastructure and installation of brand new devices all over the network. Also, the devices are expensive since they would be custom made, and the time to successful completion of this project is yet to be experimented and uncertain. With many downsides on its side, Power lines would hardly match the low cost, easy to integrate and already proven technology of Cellular communications.

Wireless Mesh vs. Cellular:

Wireless/RF Mesh seems to qualify for most of the requirements of NAN implementation, such as data transfer rate, coverage area, security and flexibility. But it suffers setbacks since Mesh networks are not as widely used and popular as Cellular networks. RF Mesh would also require installation of brand new and expensive devices for NAN implementation, and does not enjoy the huge infrastructure from various carriers which is already in place. [5]

Cellular Network wins:

With many advantages on its side, such as being cost effective, high transfer rate, wide coverage area, an existing huge infrastructure, and being secure, scalable and reliable, the Cellular network seems to be an ideal candidate for implementing NAN, connecting the Smart devices and meters to the utilities and grid. As discussed in Chapter 4, SMS would be the selected mode of communication.

There are certain aspects which need attention and improvements during the implementation, such as selection of cellular service providers based on technology: AT&T and T-Mobile for GSM and UMTS, and Verizon and Sprint for CDMA and LTE. Selection can be based on cost, integration, mode of communication, coverage, security, devices, etc.

Integration with the existing infrastructure, the security mechanism and the smart devices and meters would be the areas which need to be taken care of during the implementation of NAN.

Table 3 summarizes the technologies discussed above which are considered for implementation of the neighborhood area network for Smart Grid. [5]

Technology: IEEE 802.11 (Wi-Fi)
Features: Data Transfer Rate: 22 Mbps – 128 Mbps; Range: up to ½ mile; Operating Frequency: 2.4 GHz to 5 GHz; Applications: Meters (AMI), Distribution Automation [DA]
Advantages: Low device cost; Suitable to Mesh topology; Low latency
Disadvantages: Not yet proven for Smart Grid deployment

Technology: IEEE 802.16 (Wi-Max)
Features: Data Transfer Rate: 30Mbps; Range: up to 50 km; Operating Frequency: 2 GHz to 3 GHz; Applications: Meters (AMI), DA, Mobile workforce management
Advantages: Low latency; High bandwidth
Disadvantages: High equipment or device cost; Not yet proven for Smart Grid deployment

Technology: IEEE 802.15.4
Features: Data Transfer Rate: 250 Kbps; Range: 100+ meters; Operating Frequency: 1 GHz to 2.4 GHz; Applications: Meters (AMI), HAN
Advantages: Suitable for Mesh topology; Low power consumption
Disadvantages: Lesser data rates; Short range coverage

Technology: Cellular
Features: Range: up to 50 km; Operating Frequency: 900 MHz to 2.4 GHz; Applications: Meters (AMI), DA, Mobile workforce management
Advantages: Uses existing networks; Low capital investment; Short time-to-market; Low module cost
Disadvantages: No direct utility control over the network; Moderate performance

Technology: Leased Lines (e.g. SONET)
Features: Data Transfer Rate: 1.5 Mbps – 155 Mbps; Range: Variable; Operating Frequency: Wired (Fiber or copper cables); Applications: Substations, DA
Advantages: High performance; Robust
Disadvantages: High recurring cost; No direct utility control; Not available at all sites

Technology: Broadband over power lines
Features: Data Transfer Rate: 256 Kbps – 10 Mbps; Range: Variable; Operating Frequency: 1.8 to 80 MHz (electric carrier); Applications: Substations, DA
Advantages: Low recurring cost; Robust
Disadvantages: High initial investment; Expensive devices; Not widely implemented; Not reliable

Technology: RF Mesh
Features: Data Transfer Rate: up to 1 Mbps; Range: Variable; Operating Frequency: variable; Applications: Meters (AMI), DA
Advantages: Customizable based on specific need; Self healing and organizing; Low cost
Disadvantages: Proprietary; Expensive devices; Unpredictable latencies

Table 3: Summary of Technologies for NAN

Chapter 7

CONCLUSION

7.1 Project Results

This research focused on Neighborhood Area Networks [NAN] implementation, which is used for Home-to-Home and Home-to-Grid communication in Smart Grid. Requirements and characteristics of NAN are identified, and Cellular communication as an implementation candidate was studied.

Protocols and standards in Cellular communication such as GSM and CDMA from the 2nd Generation, UMTS and WCDMA from the 3rd Generation, and also LTE from 4G are discussed. The security architecture and issues associated with each of the protocols were examined. It was found that 4G protocols had enhanced security features, bandwidth, data transfer rate and technical advancements when compared to previous generations of protocols. When Cellular communication is chosen for NAN implementation, 4G would be an ideal choice.

Short Message Service (SMS) in Cellular communication, which would be the mode of communication between the Smart Devices, Meters and Utility offices and Grid, was discussed. Implementation details and the working of SMS, its vulnerabilities, and examples of attacks and defenses were studied in this project. SMS would be an ideal choice for NAN communication in Smart Grid mainly because there is data communication between the involved devices and no voice involved. This also saves bandwidth since there is no voice communication happening over NAN. It is concluded that SMS communication, with security best practices followed, would bring an efficient NAN implementation in Smart Grid.

Advancements and enhancements in cellular technology over generations (2G, 3G, and 4G) are discussed.

Comparison of Cellular networks with other candidates in contention for NAN implementation was carried out in the project. Various factors such as reliability, coverage, security, power efficiency, cost, scalability of contender protocols were listed.

An effective and wise choice of the implementing protocol should be made on parameters such as cost of implementation, security, coverage area of the network and integration with different technologies and standards, which is detailed in the report. In case a combination of various technologies is chosen to implement sub divisions of NAN, this report serves as a reference document or guide for the implementation. It is finally concluded that the Cellular communication network would be an ideal match for NAN implementation since it is cost effective, has a wide coverage area and a high transfer rate, and is secure, scalable, and flexible.

7.2 Challenges and Outstanding Works

The project has covered various areas of Cellular communication and the SMS mode of communication. Details of networking concepts and the protocols involved were initially a challenge to understand and took more time to study. Also, the security aspects and the list of attacks and defenses were interesting to learn about and discuss.

7.3 Future Works and Potential Research Topics

There is potential research work in areas such as 4G protocols, where more innovations and advancements are happening in the cellular domain. IP based networks, which have dynamic routing abilities and bandwidth sharing properties, are another research area to look into, and also to decide on their implementation for NAN in Smart Grid. Security best practices to follow when implementing the networks discussed above remain to be worked out.

APPENDIX

Glossary

AES Advanced Encryption Standard

AMI Advanced Metering Infrastructure

AMR Advanced Meter Reading

ANSI American National Standards Institute

AP Access Point

BPL Broadband over Power Line

BPSK Binary Phase Shift Keying

BS Base Station

CDMA Code Division Multiple Access

CMAC Cipher Based Message Authentication Code

CRC Cyclic Redundancy Check

CSN Connectivity Service Network

DC Direct Current

DL Downlink

DoS Denial of Service

DSSS Direct Sequence Spread Spectrum

FCS Frame Check Sequence

FDD Frequency Division Duplexing


FFD Full Function Device

FHSS Frequency Hopping Spread Spectrum

GSM Global System for Mobile Communication

HAN Home Area Network

HSDPA High Speed Downlink Packet Access

IEEE Institute of Electrical and Electronics Engineers

IP Internet Protocol

ITU International Telecommunication Union

LAN Local Area Network

LLC Link Layer Control

LoS Line of Sight

MAC Medium Access Control

MAN Metropolitan Area Network

MIC Message Integrity Code

MS Mobile Station

NAN Neighborhood Area Network

NIST National Institute for Standards and Technology

NLoS Non Line of Sight

NWG Network Working Group

OFC Optical Fiber Communication

PHY Physical Layer


PKM Privacy and Key Management

PLC Power Line Communication

QoS Quality of Service

RAN Radio Access Network

RFD Reduced Function Device

SAP Service Access Point

SIM Subscriber Identity Module

SMS Short Message Service

TCP Transmission Control Protocol

TDD Time Division Duplexing

TDM Time Division Multiplexing

TMSI Temporary Mobile Subscriber Identity

UL Uplink

UMTS Universal Mobile Telecommunication Systems

VLR Visitor Location Register

WAN Wide Area Network

WEP Wired Equivalent Privacy

Wi-Fi Wireless Fidelity

WiMAX Worldwide Interoperability for Microwave Access

WMN Wireless Mesh Network

WNAN Wireless Neighborhood Area Network


WPA Wi-Fi Protected Access


REFERENCES

[1] National Institute of Standards and Technology, US Dept of Commerce, “NIST Framework and Roadmap for Smart Grid Interoperability Standards release 1.0”, [Online] Available: http://www.nist.gov/public_affairs/releases/smartgrid_interoperability.pdf

[2] Dean Prochaska, National Coordinator for Smart Grid Conformance National Institute of Standards and Technology, September 16, 2009,” NIST Smart Grid Updates” [Online] Available: http://trade.gov/td/energy/Smart%20Grid%20NIST.pdf

[3] Office of Electricity Delivery and Energy Reliability, “The Smart Grid, An Introduction”, US Department of Energy. Available: http://www.oe.energy.gov/DocumentsandMedia/DOE_SG_Book_Single_Pages.pdf

[4] Consumer Energy Report, Smart Grid Image, [Online]. Available: http://www.consumerenergyreport.com/wp-content/uploads/2010/04/smartgrid.jpg

[5] Analysis of communication protocols for Neighborhood area Network for Smart Grid. Available: http://csus-dspace.calstate.edu/xmlui/browse?value=Ghansah%2C+Isaac&type=thesisAdvisor

[6] Residential energy gateway system in smart grid. Available: http://csus-dspace.calstate.edu/xmlui/browse?value=Ghansah%2C+Isaac&type=thesisAdvisor

[7] Tropos GridCom, “A Wireless Distribution Area Network for Smart Grids”, White Paper, [Online]. Available: http://www.smartgridnews.com/artman/uploads/1/distribution_automation_tropos_maybe.pdf

[8] Available: http://www.sensorsmag.com/files/sensor/nodes/2008/1526/Figure2.jpg [online]

[9] Wikipedia, “Cellular network”, [Online]. Available: http://en.wikipedia.org/wiki/Cellular_network

[10] Krebs, Brian. "Security Fix - Research May Hasten Death of Mobile Privacy Standard". Blog.washingtonpost.com. Available: http://blog.washingtonpost.com/securityfix/2008/02/research_may_spell_end_of_mobi.html

[11] Online: "A Second GSM Cipher Falls". http://threatpost.com/en_us/blogs/second- -cipher-falls-011110.

[12] Online: Tindal, Suzanne (8 December 2008). "Telstra boosts Next G to 21Mbps". ZDNet Australia. http://www.zdnet.com.au/news/communications/soa/Telstra-boosts-Next-G-to-21Mbps/0,130061791,339293706,00.htm. Retrieved 2009-03-16.

[13] Online: http://en.wikipedia.org/wiki/UMTS_security

[14] Online: Common Pilot Channel

[15] LTE – an introduction. Ericsson. 2009. Available: http://www.ericsson.com/res/docs/whitepapers/lte_overview.pdf.

[16] Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Available: IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 1, FEBRUARY 2009

[17] Online: http://www1.cse.wustl.edu/~jain/cse574-06/ftp/cellular_security/index.html#gen

[18] Imai, H., et al., "Wireless communications security," Boston: Artech, 2006

[19] [Fernandez05-2] Fernandez, E., et al., "Some security issues of wireless systems," Advanced Distributed Systems: 5th International School and Symposium, ISSADS 2005, Guadalajara, Mexico, January 24-28, 2005, Revised Selected Papers. http://www1.cse.fau.edu/%7Eed/Fernandez_ISSADS2005Final.pdf

[20] [Balderas04]Balderas-Contreras, T., et. al., "Security Architecture in UMTS Third Generation Cellular Networks," Coordinación de Ciencias Computacionales INAOE, Reporte Técnico No. CCC-04-002 27 de febrero de 2004 http://ccc.inaoep.mx/Reportes/CCC-04-002.pdf

[21] [Carneiro04] Carneiro, G., "Cross-Layer Design In 4G Wireless Terminals," IEEE Wireless Communications, 2004. http://paginas.fe.up.pt/~mricardo/doc/journals/crossLayerDesign.pdf

[22] Matthew Gast, “802.11 Wireless Networks: The Definitive Guide”, O'Reilly, ISBN 0-596-10052-3

[23] Available: http://www.tutorialspoint.com/WiMAX/WiMAX_technology.htm

[24] Online: http://en.wikipedia.org/wiki/Visitors_Location_Register#Visitor_location_register_.28VLR.29

[25] Available: http://en.wikipedia.org/wiki/Power_line_communication

[26] Available: http://en.wikipedia.org/wiki/Fiber-optic_communication

[27] A. Geriks, J. Purcell, A Survey of Wireless Mesh Networking Security Technology and Threats, SANS Institute, September 2006.

[28] Available: http://www.nicta.com.au/research/project_list/completed_projects/smart_applications_for_emergencies/networks/mesh

[29] Available: Yan Zhang, Jun Zheng, Honglin Hu, Security in Wireless Mesh Networks, CRC Press, 2009

[30] http://en.wikipedia.org/wiki/WiMAX