University of Nevada, Reno

Secure Communications in the Smart Grid

A thesis submitted in partial fulfillment of the

requirements for the degree of Master of Science in

Computer Science and Engineering

by

Hayreddin Ceker

Dr. Mehmet H. Gunes/Thesis Advisor

Aug 2013

Copyright

by

Hayreddin Ceker

2013

UNIVERSITY OF NEVADA RENO

THE GRADUATE SCHOOL

We recommend that the thesis prepared under our supervision by

HAYREDDIN CEKER

entitled

Secure Communications in the Smart Grid

be accepted in partial fulfillment of the requirements for the degree of

MASTER OF SCIENCE

Mehmet H Gunes, Ph.D., Advisor

Murat Yuksel, Ph.D., Committee Member

Yantao Shen, Ph.D., Graduate School Representative

Marsha H. Read, Ph.D., Dean, Graduate School

August, 2013

Secure Communications in the Smart Grid Hayreddin Ceker University of Nevada, Reno, 2013

Supervisor: Mehmet Hadi Gunes

Abstract

Smart grid has diverse stakeholders that often require varying levels of access to grid state and measurements. At the distribution level (i.e., MAN), smart grid provides two-way communication between households and utilities. At the transmission level (i.e., WAN), multiple organizations need to share the transmission lines and cooperate with participants in their region. Efficient and reliable operation of the grid depends on accurate state measurements and secure data transfer to operation centers. These tasks are complicated by the vast amount of data from diverse sources that are owned by multiple entities that impose physical, economic, market, and political constraints on the data sharing. However, to protect against grid-wide failures and defend against coordinated attacks, power grid operators need to increase data sharing.

In this thesis, we propose secure communication and computation services for smart grid to transform the current “closed communication channel” to an “open communication channel”. In order to ensure the privacy and integrity of communicating parties at the distribution level, we propose to utilize the smart meters as a gateway between intra-network (i.e., HAN) and inter-network (i.e., WAN) communications, and manage incoming and outgoing traffic and mediate household devices based on the instructions from the electric utility or contracted service providers. Moreover, third parties such as service providers can monitor and manage the contracted customers by using the existing communication infrastructure.

To enhance data sharing between operators at the transmission level, we propose an open communication architecture that utilizes blind processing service, which allows information exchange between dedicated system components with protection mechanisms against everyone else. Traditionally, security mechanisms are deployed to protect the transmission channel and the computation environment from third parties based on security requirements of the data. Our goal with blind processing is to establish a secure communication channel between trusted processes, which are concealed from the rest of the system including the root processes (and hence system administrators). Blind processing particularly tries to eliminate interference from the root processes, the system administrators, and careless/malicious users internal or external to the system at all stages of the communication and computation. Shielding the information prevents competitors from accessing the sensitive data while providing a complete picture of the whole grid in computations at operation centers.

Acknowledgments

I would like to express my sincere gratitude for my adviser Dr. Mehmet H. Gunes, whose guidance, inspiration, understanding, patience, and encouragement contributed considerably to my graduate experience. I would like to thank Dr. Murat Yuksel and Dr. Yantao Shen for agreeing to be on my thesis committee despite their extremely busy schedule.

I would like to thank my colleagues and friends at the Computer Networking Laboratory for brightening my days and making my time as a graduate student enjoyable.

I would also like to thank my family for the support they provided me through my entire life.

Hayreddin Ceker

University of Nevada, Reno

Aug 2013

Contents

Abstract

Acknowledgments

List of Figures

Chapter 1 Introduction
  1.1 Objective
  1.2 Contributions

Chapter 2 Background
  2.1 Transmission Level
  2.2 Distribution Level
    2.2.1 Smart Meter
    2.2.2 Electric Utility
    2.2.3 Service Providers
    2.2.4 Electrical Household Devices
  2.3 Cryptography
    2.3.1 Public Key Infrastructure (PKI)
    2.3.2 Symmetric Key Encryption
    2.3.3 Hash Functions
  2.4 Trusted Computing

Chapter 3 Power Grid Communications
  3.1 Wide Area Network (WAN) Communications
    3.1.1 Inter-ISO
  3.2 Metropolitan Area Network (MAN) Communications
    3.2.1 Electric Utility–Smart Meter
    3.2.2 Service Provider–Smart Meter
  3.3 Home Area Network (HAN) Communications
    3.3.1 Smart Meter–Device
    3.3.2 Owner–Device

Chapter 4 Blind Processing for Open Communications
  4.1 Prototype
  4.2 System Sub-Structures
  4.3 Trusted Platform Module
  4.4 Security Kernel
  4.5 Chain of Trust
  4.6 Trusted Software Stack: System Domain
  4.7 Virtualization
  4.8 Trusted Software Stack: User Domain
  4.9 Trusted Platform Module Dependencies
  4.10 Privacy Assurance
  4.11 Remote System Authentication
  4.12 Communication Protocol
  4.13 Integrity Assurance

Chapter 5 Evaluations of Performance Impact

Chapter 6 Attack Vectors and Vulnerabilities
  6.1 Man-in-the-Middle
  6.2 Session Injection
  6.3 Cold Boot, Physical and Side Channel Attacks

Chapter 7 Related Work
  7.1 Transmission Level
  7.2 Distribution Level

Chapter 8 Conclusions and Future Work

Bibliography

List of Figures

1.1 Smart Grid Conceptual Model for Data Communication by NIST (modified from [16])

2.1 US Electric Power Markets (courtesy of Federal Energy Regulatory Commission)
2.2 Current structure with communication links
2.3 Public Key Infrastructure

3.1 Metropolitan Area Network (Distribution Level)
3.2 Home Area Network

4.1 Intra- vs Inter-domain communication
4.2 A Trusted Platform Module (TPM) chip
4.3 TPM memory hierarchy
4.4 Secure system model
4.5 Chain of trusted boot process with corresponding PCRs [70]
4.6 TPM dependencies
4.7 Dependencies
4.8 CA Hierarchy

5.1 Timing Overhead
5.2 Data Seal Timing

Chapter 1

Introduction

Automated management of large-scale infrastructure systems is a challenging problem faced by scientists and engineers in a wide variety of applications including: power grids, transportation networks, and telecommunication networks. The problem requires (i) data collection, (ii) secure data transfer to processing centers, (iii) efficient data processing, and (iv) timely decision making and control actions. These tasks are complicated by the vast amount of data, the distributed sources, and the need for efficient data communication. Such large-scale systems are often subdivided into separately owned subsystems which impose physical, economic, market, and political constraints on data transfer. These challenges are emphasized for large-scale infrastructure systems where seamless operation is crucial. In addition, potential coordinated attacks on these systems require the infrastructures to be more automated and self-healing [63].

Power grid is one of the infrastructures crucial for public health, safety and welfare. Proliferation of renewable energy-based electric power production, increased use of electric vehicles and upgrading the aging electricity infrastructure for more efficient grid operations are only viable with smarter monitoring, control and consumption of the electrical energy. It is not possible to achieve the nationwide visions for a smarter grid, if the current control, monitoring and consumption practices are not significantly changed in high voltage transmission and medium/low voltage distribution level. A smarter grid equipped with intelligent electronic devices cannot survive if its communications infrastructure is insecure and vulnerable to cyber attacks [10, 46].

[Figure 1.1: Smart Grid Conceptual Model for Data Communication by NIST (modified from [16]). Domains shown: Operations, Markets, Service Provider, Bulk Generation, Transmission, Distribution, Customer. Legend: Electric Flows, Secure Communication, Domain.]

Smart grid consists of multiple entities in different domains as shown in Figure 1.1. A key factor of the power infrastructure is its multi-owner property at the transmission level of high-voltage interconnected grids. The power transmission networks are physically inter-connected; however, the electrical and financial energy markets are governed by Independent System Operators (ISOs) in different markets. Each ISO monitors (i.e., operations domain) and controls (i.e., service provider domain) its own region and only provides power flow information on tie-lines between other transmission regions. The existing cyber-architecture in the power grid provides limited information exchange among domain owners and ISOs due to energy market constraints and trust boundaries. This “closed” communication architecture leaves the power grid vulnerable to cascading events, makes it difficult to detect potential problems, and can lead to catastrophic failures [69]. As emphasized in the North American Electric Reliability Council (NERC) report [31], one of the primary weaknesses in need of attention is “communications within the ISO and with its neighboring control areas and reliability coordinators”. However, such inter- and intra-ISO communication capabilities necessitate mechanisms to securely and efficiently exchange sensitive data for system modeling and monitoring.
The implementation of smart grid applications is much more prevalent at the distribution level of medium/low voltage. Distribution applications deal with the utilities and the customers (e.g., residential, industrial, and governmental entities) at a local level. Research at the distribution level primarily focuses on the use of smart meters that can have two-way communications with the utility. Smart metering encompasses periodic energy management, frequent power and power quality measurements, real-time pricing, time-of-use pricing, and critical peak pricing features for billing and demand response applications. The smart meters can report the type of the electricity usage at the consumer side and receive messages from the utility on a continuous basis. Additionally, device manufacturers or service providers may communicate with smart devices to perform software upgrade or maintenance tasks. Finally, users may remotely manage household devices. Having such a complex system automatically introduces challenges in establishing secure communication between the components of the smart grid while the customers are particularly concerned with their privacy.

Additionally, the large number of stakeholders, highly time-sensitive operational requirements, the lack of a standardized communications protocol, and deployment of commercial off-the-shelf products introduce an expansive range of attack vectors and potential vulnerabilities into the smart grids [36]. Even though smart meters have been refined to account for the increase in security requirements such as detecting anomalous events, notifying actors within the system, maintaining smooth operation, and logging events, several critical cyber-security requirements are not present in the current model [15, 16]. In particular, the lack of a standardized encryption scheme between system components opens the door to integrity concerns and insider threats [16].
It is desirable to have standardized communication protocols both in the Home Area Network (HAN) of smart meters and smart devices and in the Metropolitan Area Network (MAN) of utilities, service providers, and smart meters. In this direction, organizations such as the GridWise Alliance aim at standardizing the security protocols in the smart grid [64] while complying with IEEE standards [47, 48]. Similarly, the National Institute of Standards and Technology (NIST)’s current efforts to standardize communication are crucial for inter-operability of growing smart grid technologies.

1.1 Objective

A key issue that must be addressed is the balance between the benefits of enhanced communications in the smart grid and the privacy of homeowners. As household devices become more intelligent and electric utilities become more involved in the household power consumption, the privacy of homeowners may be invaded. We need to enhance the privacy of the user and ensure the integrity of the communication to protect both the electric utility and the user against adversaries including malicious users or external cyber attackers.

We propose a system model that creates a symbiotic relationship between all actors within the power grid [66]. In order to enhance data communications and promote information sharing, we develop blind processing service that provides authentication, privacy, and integrity assurances [42]. Traditionally, security mechanisms are deployed to protect the transmission channel and the execution environment from third parties based on the security requirements of the data. The goal in blind processing is to establish a secure channel between trusted processes which are concealed from the rest of the system, including the root processes. In order to transform the processing environment of a system to a blindly processing environment that does not look at the data while in transit or in execution, we develop the following security services:

• Privacy: The communication infrastructure allows information exchange between trusted processes with protection mechanisms against anyone else, including the system administrators.

• Authentication: The communication system provides an identity based network where system components and users will prove their identity using a distributed authentication mechanism.

• Integrity: The integrity of a remote system, its processes, and transmitted data is ensured using attestation mechanisms.

It is important to include cyber security as a core element for all system components including measurement devices [10, 46]. Moreover, as each component’s security requirement is unique, we need to develop domain specific multi-level security mechanisms for the smart grid deployments [36]. We propose to adapt the blind processing mechanisms for the cyber-security issues in transmission and distribution levels of smart grid communications.

At the distribution level, we aim to revolutionize the relationship between the utility and customers via privacy protecting smart meters. The utility will be able to monitor the electricity consumption of the customer in a more detailed manner while the customers can be well informed of the cost and the amount of energy they are consuming. Secure communication can also help the utilities to inform their customers of price changes during peak consumption times. Moreover, power generated at home (by solar panels, wind turbines, etc.) will be better integrated into the system.

At the transmission level, blind processing will enable the advantages of additional information exchange while respecting electrical energy market constraints and trust boundaries over the operation of the power grid infrastructure. Shielding information prevents access to sensitive data while providing a more accurate and up-to-date picture of the power transmission grid. Furthermore, as the power grid becomes more dynamic with renewable resources that provide intermittent energy, accurate monitoring and reporting is required. The increased information sharing will thus enhance the adaptability of the power transmission grid with the proliferation of distributed renewable energy generation.

1.2 Contributions

Our major contributions in this thesis are:

• Open Communication Architecture: A new architectural approach for the communication of multi-owner large-scale infrastructure systems through smart networked substructures.

• Blind processing: A secure communication channel where sensitive data is transmitted through the shielded channel to be used in computations whose outcome is rendered only to a dedicated user/process by concealing the data from other parties including root processes and human operators.

• A prototype of blind processing for the smart grid.

Chapter 2

Background

In this section, we present communication issues in transmission and distribution level of the power grid along with communication networks at transmission and distribution levels. Also, we give brief information about cryptography and trusted computing which are used in this thesis.

2.1 Transmission Level

The electric power industry in the US was initially designed in the form of “vertically integrated” local systems where the generation, transmission and distribution were owned by one entity. Gradually the demand for electricity of “higher quality” increased and the local systems were interconnected to provide uninterrupted power, stable voltage and stable frequency. However, the failure of investment in the network to keep up with continued increase in demand resulted in network congestion and vulnerability.

[Figure 2.1: US Electric Power Markets (courtesy of Federal Energy Regulatory Commission).]

In response, the competitive market system was introduced where the electrical and financial energy markets are governed by Independent System Operators (ISOs) or Regional Transmission Organizations (RTOs), as shown in Figure 2.1. ISOs are non-profit organizations that comply with the Federal Energy Regulatory Commission (FERC) regulations but are responsible to their shareholders and market participants. The market participants are the power generation owners, transmission line owners, facility owners and financial entities. In some regions there are no competitive markets and the power system operations with bilateral transactions are coordinated by Regional Transmission Organizations (RTOs) or pools. The complexity of the competitive market system arises from the enormous financial interests of the market participants.

The blackout in August 2003, which was initiated in the Midwest and later affected more than 25 million people in the Northeast, was a direct result of operator error and insufficient information exchange between Midwest ISO (MISO) and Pennsylvania-Jersey-Maryland Interconnection (PJM) [38]. New York ISO, which suffered the blackout, reported that “The NYISO had received no notifications or advisories from other control areas and thus, had no awareness of the precursors to the blackout.” [68] [69]

As emphasized in North American Reliability Council’s report in 2004 [31], the primary weaknesses in need of attention were:

• Reliability Tools: Faster and more accurate topology processors, power system state estimators and real-time contingency analysis tools.

• Visualization Tools: Fast and efficient visualization mechanisms which provide the system status and failures of key lines, generators, or equipment, as well as a high-level voltage profile of the network.

• Communications within the ISO and with its neighboring control areas and reliability coordinators.

The limited information exchange among the operators resembles the traffic signal system of two adjacent cities with interacting traffic flows but limited or no communication between traffic managers. This can result in traffic jams that could be avoided by efficient and optimum coordination between the two systems. The constraints introduced by the market system are obscured by the financial gains, lucrative auctions in markets and opaqueness of the operation and information exchange related to power systems.

Power system operators are unwilling to share their data with other operators due to market constraints. With measurement information from all system components, however, computing systems can independently monitor the health of the power grid and react to events. Using blind processing service proposed in this thesis, secured systems can gather information from different ISO’s measurement devices while hiding sensitive information from human operators. Additional information sharing will greatly enhance the efficiency, robustness, and the resiliency of the power grid as computing systems will have a better picture of the power grid and more accurately detect and mitigate disturbances.

[Figure 2.2: Current structure with communication links. Elements shown: Region 1 to Region 4, Node/Bus, Substation, Transmission Line, ISO – SCADA center, Load, Generation, Communication link.]

As shown in Figure 2.2, each region is governed by an ISO equipped with a Supervisory Control and Data Acquisition System (SCADA) that collects information (network topology) and data (measurements) from the network and provides it to the Energy Management Systems (EMS). The measurements from substations include magnitude of node voltage, active and reactive power/current flows along a transmission line. Data is then transmitted via wireless Remote Terminal Units (RTUs) to the central SCADA system in the system operator control room.

Each ISO monitors and controls its own region and is only provided with the power flow on the “tie” lines connecting it to other regions. Information exchange is necessary for modeling, simulation and decision making within each region. This limited information exchange and centralized control with one SCADA system for each system operator makes the system more vulnerable to physical and cyber attacks as well as cascading events. Even though the power system infrastructure is well equipped with automated protective devices to safeguard expensive equipment (generators, transformers, transmission lines, etc.), system operators make the final decision for operating and controlling the system. The extensive human decision making also introduces another degree of complexity. Moreover, EMS analyze and monitor the grid with the following functions:

• Power flow analysis and state estimation to determine system state subject to transmission line thermal limits and bus voltage upper/lower limits [56].

• Optimal power flow analysis to determine cost of energy subject to the cost of generation, the transmission line thermal limits, the bus voltage upper/lower limits [17].

• Unit commitment to commit the plants for next day’s generation respecting costs [53].

• Contingency analysis to determine the power system state (i.e., possible voltage or flow violations) of the network for a preselected set of contingencies [24].

• Security constrained unit commitment to find unit commitment subject to contingency analysis results [41].

• Security constrained optimal power flow to determine the optimal power flow subject to contingency analysis results [20].

ISOs operate independently with minimum information about activities in other regions. The only information they acquire from other regions is the power flow on the lines connected to a neighboring region as this piece of information is necessary for EMS modeling and decision making within each region. Limited information exchange between and among regions makes the system vulnerable to cascading and in some cases catastrophic events. The necessary information that must be fully exchanged between the operators can be classified as follows:

• Network connectivity (transmission lines)

• Power flows along the transmission lines within the region

• Power generation information (active plants)

2.2 Distribution Level

Smart grid applications, particularly smart metering at residences, enable the potential for a more intelligent infrastructure. Smart metering encompasses periodic energy management, frequent power and power quality measurements, real-time pricing, and critical peak pricing features for billing and demand response applications. The proposed smart grid applications at the utility level so far focus on the use of smarter meters that can have two-way communications with the utility. The smart meters can report the type of the electricity usage at the consumer side and can also receive messages from the utility on a continuous basis.

Even though smart meters have been developed to account for the increase in security requirements such as detecting anomalous events, notifying actors within the system, maintaining smooth operation, and logging events, several critical cyber-security requirements are not currently present [15, 16]. In particular, the lack of a standardized encryption scheme between system components opens the door to integrity concerns and insider threats. In this direction, organizations such as the GridWise Alliance aim at standardizing the security protocols in the smart grid [64] while complying with IEEE standards [47, 48]. Similarly, the National Institute of Standards and Technology (NIST)’s current efforts to standardize communication are crucial for inter-operability of growing smart grid technologies.

A key issue that must be addressed is the balance between the benefits of enhanced communications in the smart grid and the privacy of homeowners. As household devices become more intelligent and electric utilities become more involved in household power consumption, the privacy of homeowners may be invaded. We propose to address this issue by utilizing blind processing and creating a symbiotic relationship between all actors within this architecture [66].
In the following, we overview smart grid components and their roles in the distribution level communications.

2.2.1 Smart Meter

The smart meter will act as the gateway between internal and external entities and protect user privacy. Instead of the electric utility directly controlling individual household devices, which is the current practice, the electric utility will request the smart meter to reduce overall power consumption. The smart meter will then determine which devices to shut down or limit based on consumer prioritization of the devices. This approach hides individual devices from the electric utility and protects privacy of users.

The smart meter will also be used to communicate with service providers that are contracted to maintain specific electrical devices. Additionally, users will be able to remotely monitor and manage household devices and power consumption over the Internet.

The smart meter will contain properties similar to that of firewalls in that it will manage incoming and outgoing messages. It will determine the authenticity of senders on both the HAN (Home Area Network) and MAN (Metropolitan Area Network) levels and ensure the integrity of messages before forwarding them to the corresponding entity. The smart meter will contain a tamper-resistant crypto-processor to securely process information and communicate with other parties. This enhances protection of the smart meter against malicious users and external attackers.

In terms of communication capabilities, the smart meter may provide PowerLine [75], ZigBee [75], Ethernet or WiFi [11] based communication within the HAN and Ethernet, Fiber, WiFi, GPRS [74] or WiMAX [13] based communication within the MAN [11, 64]. These technologies may be substituted with the state-of-the-art if better link-layer communication technologies arise.

Addressing security at the software level is insufficient, since smart meters generally reside outside of a residence and are subject to adverse weather conditions or physical tampering (e.g., side channel attacks). Hence, security must be addressed at the hardware level with TPM (Trusted Platform Module)-like chips. The use of TPM chips will enable smart meters to provide trusted computing functionality. In particular, this will allow smart meters to remotely attest to electric utilities, service providers, and household devices. That is, smart meters will manage attestation identity keys (AIK) and endorsement keys (EK) for each entity. Additionally, the smart meter will contain trusted boot functionality so electric utilities and service providers can verify the integrity of their consumers. Each key may be created using the TPM’s standard PKI where a 2048-bit RSA public-private key pair is used for communication.

As smart meters will be considered as the trusted authority in the HAN, their goal is to ensure privacy between the household and entities in the MAN. However, within MAN less rigorous security mechanisms are required to communicate with smart devices. This will greatly reduce the amount of code necessary to support virtualization mechanisms and will result in a smaller code footprint. Hence, a security may be sufficient for a smart meter.

2.2.2 Electric Utility

The electric utility will send consumption related instructions to smart meters and collect sub-hourly power usage reports and emergency/error notifications. Further, instead of the electric utility directly controlling individual household devices, which is the current practice, the electric utility will interact with the smart meter in regulating power consumption. For instance, during on-peak hours to shave the peak loads, the electric utility will instruct smart meters to limit their usage by providing incentives or hard limits. The smart meter will then determine which devices to shut down or limit based on consumer prioritization of devices. This approach hides individual devices from the electric utility and protects privacy of users. The electric utility may also request a shift in the power consumption cycle.

2.2.3 Service Providers

Users will be able to establish contracts with service providers for individual electrical devices and use the smart meter to relay messages between internal devices and the service provider. In order to be able to securely communicate with users, service providers will register with the electric utility and obtain digital certificates for their identities and public keys. Then, they will be able to establish contracts with individual users for devices that they support. The smart meter will provide messaging only between contracted service providers whose certificates are valid and the devices they are responsible for. For instance, an electrical car may transmit error messages or status reports to an authenticated mechanic or obtain software upgrades through the smart meter.

2.2.4 Electrical Household Devices

We assume both smart electrical devices that can communicate with the smart meter and legacy devices which do not have communication capabilities. The smart meter will instruct smart devices and actively manage their power consumption. For legacy devices, the smart meter will cut their power when necessary. The users will also be able to monitor and manage devices online. Devices that wish to communicate with the smart meter must contain the necessary mechanisms to do so. Further, in order to benefit from the capabilities of smart meters, such as power management, notification, and identity management, electrical devices need to be more intelligent where they contain the necessary secure communication logic (i.e., software) to use the smart meter.
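The gateway role described in Sections 2.2.1 to 2.2.4, as an added sketch that is not the thesis prototype's code: the meter sheds load by consumer priority (limiting smart devices, cutting legacy ones), reports only aggregates to the utility, and relays provider messages only for contracted devices. The class and field names, the sample household and the provider id are hypothetical, and certificate validation is reduced to a lookup in a set of already-validated provider ids.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    name: str
    watts: int                      # current draw in watts
    priority: int                   # set by the consumer; lowest value is shed first
    smart: bool                     # smart devices can be limited, legacy ones only cut
    min_watts: int = 0              # floor a smart device can be limited to
    provider: Optional[str] = None  # contracted service provider id, if any


class SmartMeter:
    def __init__(self, devices, valid_certs):
        self.devices = {d.name: d for d in devices}
        # Assumption: provider ids whose utility-issued certificate currently
        # validates; the signature and chain checks themselves are out of scope.
        self.valid_certs = set(valid_certs)
        self.han_log = []    # per-device actions, never leaves the household
        self.delivered = []  # (device, payload) pairs forwarded into the HAN

    def total_watts(self):
        return sum(d.watts for d in self.devices.values())

    def handle_reduction_request(self, max_total_watts):
        """Utility asks the household to stay at or below max_total_watts."""
        excess = self.total_watts() - max_total_watts
        for d in sorted(self.devices.values(), key=lambda d: d.priority):
            if excess <= 0:
                break
            if d.smart:
                new_watts = max(d.min_watts, d.watts - excess)  # limit
            else:
                new_watts = 0                                   # cut power
            if new_watts == d.watts:
                continue
            excess -= d.watts - new_watts
            self.han_log.append((d.name, d.watts, new_watts))
            d.watts = new_watts
        total = self.total_watts()
        # Only aggregates go back to the utility: no device names or counts.
        return {"limit_w": max_total_watts, "total_w": total,
                "met": total <= max_total_watts}

    def relay(self, provider_id, device_name, payload):
        """Forward a MAN-side message only for a contracted, certified provider."""
        device = self.devices.get(device_name)
        if device is None or device.provider != provider_id:
            return False  # no contract covering this device
        if provider_id not in self.valid_certs:
            return False  # certificate missing, expired or revoked
        self.delivered.append((device_name, payload))
        return True


def demo_household():
    # Constructed sample household; names and wattages are illustrative.
    return SmartMeter(
        devices=[
            Device("fridge", 150, priority=9, smart=True, min_watts=100),
            Device("ev_charger", 3000, priority=2, smart=True, min_watts=1000,
                   provider="mechanic-co"),
            Device("water_heater", 2000, priority=4, smart=False),
            Device("lamp", 60, priority=5, smart=False),
        ],
        valid_certs={"mechanic-co"},
    )


if __name__ == "__main__":
    meter = demo_household()
    print(meter.handle_reduction_request(2500))
    print(meter.han_log)
    print(meter.relay("mechanic-co", "ev_charger", b"status?"))
    print(meter.relay("mechanic-co", "fridge", b"status?"))
```

Because legacy devices can only be cut, the household may end up well below the requested limit; the utility still sees only the aggregate figure.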

2.3 Cryptography

Cryptography is the practice and study of methods to protect secret information from adversaries and malicious attackers within a system. The secret data is encrypted by the source and transformed into an unreadable format that we call “cipher text”. The receiver end decrypts the cipher text to a readable format if it has the correct credentials. Cryptography methods are commonly used in various places such as online banking, certificate authorities, cloud computing, and finally smart grid.

2.3.1 Public Key Infrastructure (PKI)

In PKI, there are two different but mathematically related keys for the encryption and decryption process. The public key, as its name implies, is a publicly shared key and is used for encryption when the sender wants the cipher text to be readable only by the owner of that public key. The private key is paired with the public key and known only by the receiver side. It is used for decryption of the encrypted text. The mathematical relation could be in many different formats. RSA, for example, one of the algorithms generally used for key generation, is based on factorization of large numbers, modulo and prime numbers.

To be able to discover other public keys, Certificate Authorities (CA) are used to issue digital certificates for communicating parties to ensure identities. Figure 2.3 shows the diagram of PKI. CAs associate the ownership of a public key with the certificate and provide a medium for different domains to authenticate systems from other domains. The certificate guarantees that the public key that will be used for the communication belongs to the person, organization, or entity documented in the certificate. In this thesis, we make use of the PKI for domains to authenticate each other when a domain initializes the communication with another domain.

Figure 2.3: Public Key Infrastructure

2.3.2 Symmetric Key Encryption

Symmetric Key Encryption is a technique in which the sender and the destination both share a common secret key used for encryption and decryption. A secret key could be a series of random numbers and letters. In this thesis, symmetric key encryption is used for setting a common session key between different domains of the smart grid after the domains authenticate each other with a Certificate Authority (CA) as depicted in Figure 2.3. Since symmetric key performance is much better than PKI, we utilize this functionality for frequently made authentications. PKI tends to be much slower and more computationally expensive. This makes it difficult to send large amounts of data using the public key encryption.

2.3.3 Hash Functions

Hash functions take a message as an input and generate a fixed-length hash value as a shortened summary of the original data. Good hash functions are supposed to have a very low likelihood of collisions, in that finding two messages that have the same hash value is exponentially hard. In this way, any modification on the data will change the hash value and let the communicating parties know the message was modified on the route. Another important property of hash functions is that the hash value is irreversible, i.e., it is infeasible to generate a message from a generated hash. In this thesis, we use the well-known SHA-1 as the hash function to verify the integrity of the transmitted files and messages.

2.4 Trusted Computing

The Trusted Computing Group (TCG) is an industry-led initiative to provide a set of security primitives that can be utilized to establish trust relationships between systems or components of a system [1]. A core component, Trusted Platform Module (TPM), serves as the root of trust to provide trust mechanisms for both local and networked applications. TPM is a tamper-resistant crypto-processor whose computations and data are protected from external software attacks and physical theft. The chip essentially provides cryptographic primitives, integrity measurement to ascertain the system state, sealing of sensitive data to a certain system state, and globally unique identity for its host system. Cryptographic keys generated by TPM can be utilized to exchange information between trusted processes that shield its data. Accordingly, the Intel’s Trusted Execution Technology [2] and the Microsoft’s Next-Generation Secure Computing Base [71] are aimed at developing core hardware architectures and components for trusted computing, respectively.

Several techniques such as secure boot [14], authenticated boot [35], and independent auditing [86] have been developed to provide a trustworthy root in a system. Trusted computing incorporates these techniques and has a potential to provide mechanisms for the blind processing service [42,65]. TCG develops standards to enhance security of the computing environment and provides increased assurance of trust [5]. Trusted computing incorporates the following concepts:

• Root of trust for measurement: A secure root process that reliably measures, verifies, and records the state of a host system.

• Root of trust for reporting: Platform attestation mechanisms that reliably report the state of a host system.

• Root of trust for storage: Protected storage that provides confidentiality and integrity protection for sensitive data.

• Software isolation: Process isolation that prevents interference from other processes running on the same system.

Trusted functionality of a system is furnished by a TPM, a tamper-resistant cryptoprocessor, where the TPM serves as the root of trust that an operating system and higher level applications can build upon. TPM extends conventional PC architectures to manage cryptographic keys, authenticate configuration of a platform (i.e., attestation), and cryptographically bind confidential data to a certain system configuration (i.e., sealing). The internal cryptoprocessor allows asymmetric key generation, encryption, decryption, signing, random number generation, and hashing while the internal memory provides storage for sensitive keys. An important aspect of the TPM is that it shields internal data structures and its computations cannot be subverted by the host system or the system administrator. Hence, TPM can provide assurance of conformed operation of the host system to both local and networked applications. Using a secure communication protocol, a remote system can request measurement results to inspect system state and to detect modifications in the system.

In this thesis, we present a prototype of our blind processing system with foundations derived from trusted computing and virtualization. Our prototype establishes a trusted computing base by using a TPM chip and Trusted Software Stack (TSS). The TPM chip enables the system to verify and measure the integrity of each stage of its boot process so that any inconsistency is detected. Subsequent software layers are added to establish a chain of trust with a trusted BIOS, a trusted bootloader, and a hypervisor. The hypervisor provides privileged and guest domains in the user space. The privileged domain contains a module to interact with the physical TPM chip on behalf of the guest domains. This mechanism allows for flexibility in developing security-critical applications with different requirements.

Chapter 3

Power Grid Communications

Smart substations of the power grid are interconnected through a communication network “integrated” with the power system infrastructure. In order to provide a secure communication infrastructure, it is essential to analyze all levels of the power grid. Learning from the errors in the development of the Internet, it is crucial to consider challenges such as management of a distributed system, providing unique ID for each element, management of keys used in data integrity, and easy integration of wired and wireless communications [29].

3.1 Wide Area Network (WAN) Communications

WAN (Wide Area Network) consists of ISOs (Independent Service Operator) whose operation centers are interconnected as in Figure 2.2. Through blind processing, we will basically transform offline communication between human operators into online communication between SCADA (Supervisory Control And Data Acquisition) systems. This additional communication network will greatly enhance the overall health and resiliency of the power grid.

3.1.1 Inter-ISO

Each utility is abstracted as a set of substations interconnected with substations of other utilities. This constitutes a mesh topology rather than a strictly tree topology where substations will exchange data and use it for potentially autonomous decisions. The major goals of this integrated network include (i) in-network aggregation of intra-ISO measurements and (ii) timely and efficient delivery of important event data to the relevant ISOs or substations.

Reliable Delivery of Critical Infrastructure State Information: The Internet has been a communication medium for power operators [3]. Similarly, to prevent blackouts, the Department of Energy has proposed to build a real-time transmission monitoring system that utilizes the Internet [4]. However, the Internet is not inherently secure as its initial design assumed trusted users [55]. Critical infrastructures like the power grid have specific service requirements such as timely delivery and minimum bandwidth that are not guaranteed by the Internet. We propose to utilize an overlay network with adaptive QoS approaches that will sustain communication requirements of the power networks with grid events. Moreover, it is important to develop protocols that help with reducing the power transients particularly with the intermittent renewable energy sources. Finally, the SCADA systems have been under attack generated through the Internet [40,49,59]; and having a secured overlay network will significantly limit attackers’ capability.

In-Network Aggregation and Filtering of Intra-ISO State: Data aggregation has extensively been analyzed in sensor networks [78], which aims to minimize the transmission power consumption due to the limited sensor power. However, energy is not a major constraint in power networks. Hence, there can be alternative data aggregation algorithms that will minimize traffic and reduce computation at substations.
Such data processing functions are crucial at the substations located on the ISO boundaries. The purpose is to filter some of the critical proprietary information and aggregate large amounts of intra-ISO state information before sending it to other ISO domains. Such aggregation at the ISP borders will enable ISOs to selectively hide or expose data generated from internal substations. Neighbor ISOs can further filter the incoming data at their borders to assure security as well as reduce the size of the incoming data to the levels they need to operate on.

Importance-Based Routing and Data Dissemination: Due to the large size of power networks, disseminating all the state data sensed at substations is impractical, and routing based on importance of the data is mostly necessary. Previous research studied priority/value-based forwarding [85,93] (with support from intermediate router queues), but did not consider a routing scheme explicitly accounting for importance of data on an end-to-end basis (i.e., without requiring router support). We propose a two-staged data dissemination architecture for realizing importance-based routing: proactive flooding of the minimum state data required (e.g., voltage and current levels of major power transmission lines) to detect risk of an important event (e.g., failure of a power transmission line), and reactive on-demand transfer of detailed state data following detection of a risk of a major event. Though the amount of data to transfer will be small in the proactive stage, the reactive stage must cope with huge amounts of data transfers being requested almost simultaneously. This is standard practice since an event will trigger many operators and substations to ask for detailed information about the topology around that event. This flash crowd [89] phenomenon exists in many networked systems (e.g., peer-to-peer) as the demand profile is quite conceivably heavy-tailed.
The complexity of the problem is higher as the set of substations/operators interested will be different for each event. Thus, this reactive transfer stage can be supported with multicast.

3.2 Metropolitan Area Network (MAN) Communications

In our model, MAN consists of four actors: the electric utility, service providers, home owners and the smart meter as in Figure 3.1. As a firewall, the smart meter will shield unnecessary information from outside entities and ensure identities in the communication. The electric utility will manage the power distribution within the smart grid and collect sub-hourly power usage from smart meters. However, the electric utility will not have an omniscient view of the power consuming devices within a house but only access electric consumption and delivery related issues such as overall power usage and emergency notifications. The smart meter will be a gateway between external commands from the electric utility and internal power consumption of electrical devices. Moreover, household devices will communicate with dedicated service providers through the smart meter. Upon receiving a message from a device through HAN, the smart meter will determine the corresponding service provider and relay the message after ensuring identities. Similarly, the smart meter will ensure identity when a homeowner accesses the system through the Internet.

Figure 3.1: Metropolitan Area Network (Distribution Level) [diagram key: Customer, Smart Meter, Service Provider, Electric Utility]

3.2.1 Electric Utility–Smart Meter

The electric utility will aggregate timely usage information from smart meters to manage the smart grid. Smart meters will provide periodic reports of power usage to the electric utility. The interval and frequency of these report messages may be configured by the electric utility. The electric utility can also collect daily usage reports such as minimum, average, and maximum power consumption of users. Smart meter reporting intervals will be scheduled by the electric utility so that packet collisions and congestion are minimized. Communications between these two parties will be done via unicast only after having established and authenticated identities of both parties.

To enhance user privacy, the smart meter will manage household devices while trying to comply with instructions of the electric utility. For example, during on-peak hours to shave the peak loads, the electric utility will request the smart meter to reduce overall power consumption and the smart meter will determine which devices to shut down or limit based on priorities determined by the home owner.

In the event of an irregularity in power consumption or an issue in power delivery, the smart meter will generate urgent control messages to the electric utility. These messages will trigger corresponding alarms so that necessary precautions and actions are taken by the electric utility. For example, should a smart meter report the urgency of a household fire to the electric utility, it would be the responsibility of the electric utility to send a broadcast or multicast signal to smart meters within the vicinity of the reported urgency. However, in a large-scale event such as power outage, every smart meter will be generating urgent error reports towards the electric utility, further consuming power and causing congestion in the communication system.
Hence, based on event type, the electric utility can determine thresholds for the number of received errors, and then generate a control broadcast message to suppress smart meters. Suppression messages can increase the limits for error reporting or block certain types of messages until a new control broadcast message is sent to reset the parameters.

Data aggregation: Providing GPRS/WiMAX capability for every smart meter is not cost-effective as WiFi technology is much cheaper to operate than GPRS/WiMAX. Hence, it is beneficial to aggregate data from clustered smart meters as in [43]. Ad-hoc networks can be optimized to aggregate measurement data from smart meters and broadcast messages from the utility provider. Moreover, as researchers have indicated that TCP is not ideal for smart-meter communications [81], transmission level communication services should be provided over UDP or SCTP.

3.2.2 Service Provider–Smart Meter

In our model, service providers may monitor and maintain electrical household devices through the smart meter. Each service provider must first register with the electric utility and then develop contracts with individual users for specific devices. Contracted devices may generate usage reports or error messages that will be forwarded by the smart meter to the corresponding service provider. The smart meter becomes a proxy between contracted devices and contracted service providers. By allowing a service provider limited access to a household device's information, some privacy is compromised. This compromise can be minimized by providing only sufficient information so that the service provider can perform its job. It is important to note that service providers may gain more information about specific household devices than the electric utility. Moreover, a user may configure the smart meter to obtain instructions from certain service providers. For instance, service providers might be able to upgrade certain software components of smart devices [18]. This is particularly useful as software bugs are identified in the code of smart devices and more efficient algorithms are developed for their tasks.
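The relay rule described above (only contracted providers with valid certificates, and only the information the provider needs) can be expressed as a small gateway policy. This is an added example, not code from the thesis; the class and field names, the issuer string and the sample devices are assumptions, and certificates are modeled as plain records whose signature is assumed to be verified already.

```python
from dataclasses import dataclass

UTILITY = "electric-utility-ca"   # constructed issuer name (assumption)


@dataclass(frozen=True)
class ProviderCert:
    """Stand-in for a provider certificate issued by the electric utility."""
    provider_id: str
    issuer: str
    not_before: int   # validity window, epoch seconds
    not_after: int
    revoked: bool = False


@dataclass(frozen=True)
class Contract:
    provider_id: str
    allowed_fields: frozenset   # report fields the provider needs for its job


class SmartMeterGateway:
    """Hypothetical smart meter proxy between devices and service providers."""

    def __init__(self, trusted_issuer):
        self.trusted_issuer = trusted_issuer
        self.certs = {}       # provider_id -> ProviderCert
        self.contracts = {}   # device_id -> Contract

    def register_provider(self, cert):
        self.certs[cert.provider_id] = cert

    def add_contract(self, device_id, provider_id, allowed_fields):
        self.contracts[device_id] = Contract(provider_id, frozenset(allowed_fields))

    def _cert_valid(self, provider_id, now):
        cert = self.certs.get(provider_id)
        return (cert is not None
                and cert.issuer == self.trusted_issuer
                and not cert.revoked
                and cert.not_before <= now <= cert.not_after)

    def relay_from_device(self, device_id, report, now):
        """Return (provider_id, filtered_report), or None if the message is dropped."""
        contract = self.contracts.get(device_id)
        if contract is None or not self._cert_valid(contract.provider_id, now):
            return None
        # Forward only the fields named in the contract; everything else stays home.
        filtered = {k: v for k, v in report.items() if k in contract.allowed_fields}
        return contract.provider_id, filtered

    def relay_from_provider(self, provider_id, device_id, now):
        """A provider may reach only the device it is contracted for."""
        contract = self.contracts.get(device_id)
        return (contract is not None
                and contract.provider_id == provider_id
                and self._cert_valid(provider_id, now))


def demo_gateway():
    """Constructed household: one valid provider, one with an untrusted issuer."""
    gw = SmartMeterGateway(UTILITY)
    gw.register_provider(ProviderCert("car-mechanic", UTILITY, 1000, 2000))
    gw.register_provider(ProviderCert("hvac-service", "unknown-ca", 1000, 2000))
    gw.add_contract("electric-car", "car-mechanic", {"error_code", "firmware"})
    gw.add_contract("heat-pump", "hvac-service", {"error_code"})
    return gw
```
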

3.3 Home Area Network (HAN) Communications

HAN consists of three types of actors: home owners, the smart meter and a set of smart and legacy devices within the household as in Figure 3.2. At this network, the smart meter will be the authoritative entity while home owners may actively manage household devices. Smart devices will register with the smart meter by exchanging identities and public keys, if available.

Figure 3.2: Home Area Network

3.3.1 Smart Meter–Device

At the HAN level, security requirements in communications are less strict than at the WAN level. Although it is important to provide defense in depth, we must find a balance between usability and security. As the communications at HAN level use power-line, WiFi, Ethernet or ZigBee, we can rely on the security component of these technologies in choosing a standardized implementation [73]. The smart meter will be the centralized authoritative entity in the HAN and provide certificates to smart devices if needed.

When a smart device is introduced into the system, it will be registered with the smart meter. The smart meter will keep track of device identities and monitor the integrity of these devices. The smart meter may instruct individual smart devices to power off or change power cycle. Similarly, smart devices will send usage reports and error messages to the smart meter. If an error message is received from a contracted device, the smart meter will send a service request message to the corresponding service provider. In the event that a smart meter must reduce power usage, the smart meter may shut down devices based on priorities set by the homeowner [7,30]. For example, a refrigerator can take precedence over a washer or dryer. Although it is important to limit as many forms of physical tampering of the smart device as possible, a home owner should have control of their household devices. By allowing users to reconfigure the priority of their household devices through the smart meter, users can acquire this minimal, needed control of their household.

3.3.2 Owner–Device

In our model, we allow owners to be able to remotely monitor and manage household devices and power usage. For the building automation, addressing will be provided by the utility and users will be authorized through the smart meter.

Chapter 4

Blind Processing for Open Communications

This section presents our blind processing system prototype to address privacy concerns in the smart grid. In the following, we present technical details pertaining to the blind processing system prototype. Then, we assess its overhead and related security issues.

In providing blind processing service, we need to make sure that the remote system can be trusted not to reveal transmitted messages to anyone except the designated process whose execution is well-known. This requires security mechanisms that will ensure integrity of a remote system and provide proof that the designated processes are not tampered with and are isolated from the rest of the system. It is difficult to address the issue of a malicious host when communicating with a remote system [39]. A host identity certificate does not guarantee that its administrators are not interfering with the execution of the code or monitoring its data. The software itself cannot be directly trusted as it might have been modified to intercept or modify messages. Similarly, the kernel itself is not trustworthy as we need an immutable root to trust. Hence, it is desirable to place the trust on hardware as it is more difficult to compromise than others [12].

In this thesis, we utilize TPM (Trusted Platform Module) chips to encrypt messages between processes and attest a remote system so that the messages are accessed only by the trusted process whose code is well-known. We have developed a prototype using a Dell Latitude E6400 laptop with a Broadcom TPM-1.2 chip using modified Linux 2.6.32.32 kernel with TrustedGRUB on Xen 4.1 hypervisor to demonstrate proof of concepts for blind processing through TrouSerS API. Secure root processes provide interaction mechanisms with TPM hardware and prevent external processes from accessing protected memory. We use security kernels to set up an isolated execution environment for the process whose memory and storage will be protected from the rest of the system.
We ensure an appropriate trust chain is built with a remote system starting with the TPM at its core. Before communication, we ensure that a remote peer has correct hardware (i.e., known devices, CPU, and TPM), trusted computing base (i.e., secure-kernel providing process isolation), correct credentials (i.e., keys and certificates), and trustworthy state (i.e., unaltered processes whose behavior is well-known).

4.1 Prototype

The design of our architecture is geared towards the development of a prototype in the smart grid domain. We begin development at the system level, where we first deal with low-level details. Our prototype uses Dell Latitude E6400 laptops with a Broadcom TPM-1.2 chip and a modified Linux 2.6.32.32 kernel with the TrustedGRUB on the Xen 4.1 hypervisor that provides blind processing through the TrouSerS API. A laptop was chosen as the prototype device mainly for its mobility. The prototype may easily be deployed on other machines assuming they contain the same TPM compliant chip.

The TPM chip serves as the foundation for establishing our trusted software stack. Secure root processes provide interaction mechanisms with TPM hardware and prevent external processes from accessing protected memory. We use security kernels to set up an isolated execution environment for the process whose memory and storage will be protected from the rest of the system. We ensure an appropriate trust chain is built with a remote system starting with the TPM at its core. Before communication, we ensure that a remote peer has correct hardware (i.e., known devices, CPU, and TPM), trusted computing base (i.e., secure-kernel providing process isolation), correct credentials (i.e., keys and certificates), and trustworthy state (i.e., unaltered processes whose behavior is well-known).

We assume that systems at WAN (Wide Area Network) and MAN (Metropolitan Area Network) will have TPM-like chips but not necessarily all devices at HAN (Home Area Network). TPM chips will encrypt messages between processes and attest a remote system so that the messages will only be accessed by the trusted process whose code is well-known. Security kernels also set up an isolated execution environment for the process whose memory and storage will be protected from the rest of the system.

4.2 System Sub-Structures

Figure 4.1 presents a conceptual model of blind communication between two domains where we consider a multi-owner networked system to be composed of competitors.

Figure 4.1: Intra- vs Inter-domain communication [diagram: Domain A (VM-A1, VM-A2) and Domain B (VM-B1, VM-B2); legend: Blind Communication, Secure Comm., Smart Subsystems, Legacy Systems]

There are different types of sub-structure in the model:

• Type-1 Virtual Machines (VM-A1, VM-B1): VMs of this type are used for setting a common session key with competitors. The session key becomes the group key when distributed to the sub-structures in the same domain. They provide a communication channel with the other domains to send and receive data for the sake of overall system viability.

• Type-2 Virtual Machines (VM-A2, VM-B2): Type-2 VMs are intermediary sub-structures between the gate to the outside world and the inside system. They collect data from the subsystems inside the domain and process it to create reports for other components in the smart grid. The filtered data to be sent to other domains is redirected to Type-1 VMs.

• Smart Subsystems are smart devices that need not establish a channel and use a protocol to share a common key to communicate with other domains. Instead, they can either send the collected data to a Type-2 VM or communicate with other domains with the group key distributed by Type-1 VMs. That is, they are able to communicate directly with other domains’ Type-1 VMs without having set a session key as long as the group key which the domain is authenticated with is still valid and not revoked.

• Legacy Systems are outdated devices that are being used as part of the system and still generate data for the overall health of the system. In this model, they can communicate only with Type-2 VMs and transfer data to them. In case the data generated by legacy devices needs to be sent to the other domains, the data transfer is made step by step, first from Type-2 VMs to Type-1 VMs and then from Type-1 VMs to other domains.

4.3 Trusted Platform Module

The TPM chips provide a hardware-based root of trust for our prototype. In particular, these chips are capable of measuring hardware configuration and software components during the boot process; storing measurements; authenticating users; creation, sealing, storage, signing, and migration of keys; and remote attestation [6].

A TPM consists of several components which are partitioned into three primary domains: cryptographic processor, persistent memory, and versatile memory as in Figure 4.2. The cryptographic processor contains an RSA key generator used to create 2048-bit RSA key pairs along with a random number generator. A key component of the cryptographic processor is the encryption-decryption engine, which provides essential capabilities for TPM chips to perform encryption/decryption of data and sign Platform Configuration Register (PCR) values. The Secure Hash Algorithm 1 (SHA-1) generator is used to hash values stored into the PCR.

Figure 4.2: A Trusted Platform Module (TPM) chip [diagram: Secure I/O, Cryptographic processor, Persistent memory, Versatile memory]

Persistent memory is comprised of the storage root key and endorsement key (EK) as shown in Figure 4.3. The EK is a 2048-bit RSA key pair generated by the manufacturer upon creation. Essentially, when the chip is made, an immutable and non-migratable key pair is created. The private EK is used to uniquely identify that computer. This key allows for executions of secure transactions and is only viewable to the TPM. The storage root key (SRK) is a 2048-bit RSA key generated when a user takes ownership of the TPM. Similar to the EK, the SRK is immutable, non-migratable, and is not viewable to components outside the TPM. As memory space inside the TPM is limited, storage keys created inside the TPM are encrypted with the SRK’s public key, thus allowing expansion of the storage keys in a hierarchy to protect larger volumes of data.

Versatile memory is used to store measurements and public/private key pairs that help with remote attestation. This domain contains migratable and non-migratable storage and attestation keys. Measurements are stored within PCRs and may only be changed by an extend operation, which recomputes the SHA-1 of system state.

Figure 4.3: TPM memory hierarchy [diagram: persistent memory (storage root key, endorsement key); versatile memory (migratable storage key, non-migratable storage key, attestation key; signing and encryption keys); legend: Protected by TPM, Unprotected]

4.4 Security Kernel

In general purpose computing, kernels should support security functions such as address space layout randomization (ASLR), non-executable memory, and pointer obfuscation. These three security functions in particular relate to providing safeguards against stack/heap overflow attacks and return to libc attacks, which is when an attack overwrites libc function pointers during runtime. By having ASLR, positions of key areas in memory are randomly arranged such that it is difficult for an attacker to predict a target address. In addition to these lower level security functions, kernels should support higher level security functions depending on their application’s purpose. For instance, a security kernel as a foundation for a web server may need to support password hashing, port blocking, and prevention of module loading. Particularly for our model, it is imperative that the kernel have paravirtualization capabilities.

Research in kernel security advances in two directions: general purpose (i.e., functional) kernels and verifiable (i.e., application-specific, high-performance) kernels. The primary argument in favor of general purpose kernels is derived from flexibility, functionality, and absence of configuration. This argument is also better known as convention over configuration, a software design paradigm which aims to reduce the number of decisions developers need to make, supporting simplicity. Verifiable kernels, i.e., microkernels, consist of the minimal amount of code necessary to provide basic mechanisms to implement an operating system. Microkernels are typically deployed for a particular device or application, such as in embedded devices [22]. Microkernels typically tend to be around 10,000 lines of code, while kernels longer than 20,000 lines of code are not considered to be microkernels. By having a tiny kernel, it is far easier to formally verify the microkernel compared to a regular kernel.
Furthermore, development of microkernels was popular due to limitations (i.e., speed and capacity) in hardware. However, this is no longer the case as powerful hardware can be obtained at fairly low cost. Instead, microkernels are now geared towards embedded devices and domain-specific applications.

The goals of security kernels are to implement some specific security policy, define verifiable protection behavior, and comply with the security model’s design. At the lowest level, kernels must comply with the processor architecture on which they reside. For example, a kernel that runs on Intel’s x86 architecture typically will not run on other processors without modification. Designing a microkernel with minimal size requires a compromise in portability and flexibility. However, if a microkernel is designed specifically to support one architecture with a specific configuration it would typically perform better than a general purpose kernel. In addition to choosing an architecture, kernels require device drivers, modules, and other components necessary to support an operating system. In our case, we must support paravirtualization and potentially many guest operating systems, especially since our system uses virtualization as an additional mechanism in providing enhanced security. Moreover, VM migration and management must be supported alongside basic security functionality and trusted computing functionality. The complexity in application domains (such as smart grid, healthcare and cloud), even though they are application-specific, is very demanding of the kernel. Each additional requirement will entail more code to be added to the kernel. Additionally, a small kernel will have problems supporting hardware, i.e., the hardware it resides on must be very specific. This is an important issue as technology advances and hardware quickly becomes legacy. Finally, microkernels cannot be deployed for general purpose systems such as cloud environments.
A key benefit of microkernels compared to general purpose kernels is that microkernels are more easily verified. For example, NICTA’s seL4 microkernel implementation is a security-oriented kernel that has achieved complete formal verification [19,45,67]. It was possible to mathematically prove that this kernel’s implementation was consistent with its formal specification. It would be far more difficult to formally verify general purpose kernels as their code extends into the millions of lines. However, in dealing with convention over configuration, we believe the benefits of generality will outweigh performance and verification. Even though we believe in using a minimal kernel with the necessary capabilities to support its intended application domain, we cannot consider the use of microkernels as the application domain may be complex. Moreover, developing highly specific microkernels is very costly, such that mass adoption for different applications would be highly unlikely. All of the reasons presented in this section lead us to decide on utilizing a general purpose kernel, which we customized to suit our domain-specific needs. By whitelisting the specific mechanisms we need for our application, we additionally limited the attack vectors and potential vulnerabilities that may be introduced into our system.

4.5 Chain of Trust

Trusted computing provides remote attestation functionality that enables verification of a machine’s boot process and secure storage of integrity measurements within TPM chips. If correctly deployed, trusted computing can assure the behavior of system components by iteratively verifying individual components during the boot process and detecting undesired or unexpected changes in the environment during runtime. Unexpected changes in any of the components invalidate the chain of trust, in which case an interrupt is signaled. It is important to note that trusting a system does not mean it is completely safeguarded against attacks or is bug free. Trusted systems are understood as having a behavior that is known and predictable such that their integrity has not been compromised.

In trusted computing, chain of trust may be understood at two different levels: system and network. Trusted systems obtain this characterization by ensuring the integrity of all their system components. Each component is iteratively verified during the boot process. For example, in a system with TPM capabilities, the system might first measure and verify the Core Root of Trust for Measurement (CRTM). This component iteratively measures the BIOS, the boot loader, hypervisor/kernel, operating system(s), and applications. The CRTM begins with the BIOS boot block code that cannot be changed during the lifetime of the system. In particular, the CRTM first instantiates the boot process and appends its corresponding value into a PCR before passing control to the next item in the stack. Each item in the stack is measured, verified, and then has its corresponding values appended into the PCR. A compromise in the system would result in unmatched PCR values, which would invalidate the entire system. Once measurements are completed, control is transferred to the trusted software stack (TSS).
At the network level, TPM-capable systems enable remote attestation where a series of information exchanges must take place before machines can establish a trusted connection. This establishment would be valid only at that particular state of the remote system. That is, if the system state at the remote location changes to a non-trusted state, the connection should be terminated as the privacy of communication might be compromised.

4.6 Trusted Software Stack: System Domain

The main purpose of the TSS is to provide the necessary interaction capabilities to ensure a particular machine is trustworthy. Note that a machine being trustworthy does not necessarily imply the machine is free from bugs or vulnerabilities. Rather, a trusted machine guarantees its integrity is not compromised by ensuring its behavior is well-known, predictable, and as originally determined. We accomplish this by first establishing a trusted boot procedure. Next, we enable the system to measure and store system state for integrity verification. Finally, we provide secure communication channels between remote entities in which each system may remotely attest the other.

[Figure 4.4: Secure system model. Components shown: three guest OSes, each with a vTPM; vTPM Manager; Privileged OS; Hypervisor; TPM Driver; TPM Hardware.]

Figure 4.4 presents a high-level portrayal of our TSS. This architecture establishes the chain of trust beginning from hardware, since it is more difficult to subvert than software. As the system boots, each component in the chain of trust would be iteratively measured and verified. Any change in any of the components will result in different PCR values. It would then be up to the developer to decide on an implementation to account for this situation, such as raising a flag, signaling an interrupt, or both. The intuition behind combining the two approaches is to prevent the system from proceeding any further in its boot process and to notify users of the recent compromise/tampering. Our system currently implements flags, where we notify the developer of any change in the PCR values as the system boots.

Figure 4.5 presents the primary components of the trusted boot process along with their associated PCRs. There are a total of 24 PCRs in the TPM chip which are responsible for holding measurement values regarding the integrity of the system state. These PCRs enable trusted booting of our system. The validation of the entire system is performed at the application level in user space once the hashes of all components have been appended to PCRs. It is important to note that the system will continue the boot process even if one of the components’ values is invalid. It is therefore important for user-level applications or processes to verify the PCR measurements or for a developer to implement a flagging or interrupt mechanism as described.

[Figure 4.5: Chain of trusted boot process with corresponding PCRs [70]. Layers, from bottom to top: CRTM, BIOS, Devices, Trusted Bootloader, Paravirtualized Security Kernel. PCR assignments shown in the figure:]

PCR 0: Core BIOS
PCR 1: BIOS Configuration
PCR 2: ROM BIOS
PCR 3: ROM Configuration
PCR 4: MBR & Stage 1
PCR 5: IPL Configuration
PCR 6: State Transaction
PCR 7: (Reserved for OEM)
PCR 8: Bootloader Stage 2, part 1
PCR 9: Bootloader Stage 2, part 2
PCR 10-11: (not used)
PCR 12: Bootloader parameters
PCR 13: (not used)
PCR 14: Kernel, modules
PCR 15-23: TPM user extend

At the lowest level of Figure 4.5, the CRTM occupies PCR 0 and PCR 1, which are the core BIOS and BIOS configuration measurements, respectively. After the CRTM integrity check is performed, the boot process continues with the rest of the BIOS where PCRs 2 through 6 are measured. Measurements in this area include the stage 1 bootloader and initial program load, which collectively refer to where the BIOS should look for the rest of the bootloader. This expansion is necessary since BIOS generally provides a 466 byte space. This space is insufficient in encompassing all of the bootloader’s logic.

Once the BIOS is measured, control will be passed to the trusted bootloader layer. This layer is primarily responsible for measuring and loading the bootloader, which would consequently be used to load the operating system security kernel. PCRs 8 and 9 contain the measurement of this stage as they are responsible for the bootloader stage 2. This portion of the bootloader contains all of the logic necessary for a bootloader to load the operating system kernel. PCR 14 is responsible for the kernel and its modules.

4.7 Virtualization

To support multiple users over the same system, we benefit from virtualization, a useful technology in dynamic computing environments. Virtualization enables multiple user environments to be managed by a single entity (i.e., virtual machine monitor; VMM) on the same system [50]. In virtualized environments, a hypervisor manages the virtual machines. As the hypervisor is a critical component of system integrity, it is important that the hypervisor is trustworthy along with the rest of the system.

Software virtualization refers to an operating system having capabilities to host multiple virtualized environments, which may consist of other operating systems. Virtualization also allows multiple operating systems to reside on the same hardware and thus centralize administrative tasks while enhancing scalability and resource management.

Hardware virtualization (or platform virtualization) provides virtual machines that behave analogous to real computers with operating systems. Software executed within these virtual machines is separated from underlying hardware resources. Hardware virtualization can be further divided into three categories: full virtualization, partial virtualization, and paravirtualization. Full virtualization enables near complete simulation of hardware to allow guests to run unmodified. Partial virtualization refers to the need for some modification of a guest operating system before it can be run on hardware. In paravirtualization, hardware is not simulated, but guests run within their own isolated domains, appearing as if they are on separate systems.

Since our hypervisor already supports various virtualization techniques, namely paravirtualization and full virtualization, we had to ensure our kernel supported these techniques as well. Having paravirtualization and full virtualization support at the kernel level is necessary because the kernel is responsible for serving as a foundation for resident OSes.
The virtualization requirement was achieved by modifying a Linux 2.6.32.32 kernel to replace non-virtualizable instructions with hypercalls that communicate directly with the hypervisor. The modules are responsible for VM communication, memory storage, and network communications among others. In our prototype, we support paravirtualization of resident virtual machines. For this, we modified the Xen 4.1 hypervisor to support blind processing requirements. A primary function of the hypervisor is booting virtual machines (also referred to as operating systems or domains). Most importantly, the hypervisor boots the privileged virtual machine before booting guest virtual machines. There are two types of virtual machines: privileged (i.e., Dom0) and guest (i.e., DomU), which is less privileged.

A daemon, namely xend, that runs within the privileged domain is responsible for handling requests issued from the privileged domain. Requests may also include creation or deletion of a guest domain.

We use a compartmentalization approach for the modeled healthcare system. Compartmentalization refers to the technique of separating various parts of the system to prevent malfunctions. Every domain, i.e., privileged and guest, runs in a paravirtualized environment where a hospital is considered as the privileged domain. The guest domains are conceptualized as being the variety of medical disciplines that work in the hospital. The confidential patient information is stored in a shared memory location among all domains in the system. However, guest domains require permission from the privileged domain to read or write data.

A guest domain must send a request along with its credentials over the hypervisor’s event channel, implemented by the xen-evtchn.ko module, where an interrupt will be produced inside the privileged domain. The privileged domain verifies the contents of a particular guest domain’s vTPM’s PCRs and sends the response back over the hypervisor’s event channel. If a read request of a guest domain is granted by the privileged domain, the privileged domain accesses the data at the specified memory location and passes the data through the event channel to the corresponding guest domain.

Communication over the hypervisor’s event channel is possible through the blktap.ko and blkfront.ko modules. These modules provide user-level disk I/O interfaces to the privileged and guest domains, respectively. All I/O requests from each virtual machine are passed through the libaio.ko module and O_DIRECT-based calls, which implement mechanisms for file access.

The intuition behind this approach is derived from the existence of an overseeing privileged entity, such as the privileged domain.
For example, in a hospital setting, several stakeholders such as various medical professionals are typically partitioned into various disciplines. Each of these disciplines generally has its own set of data. However, there may be times where one medical discipline requires data from another discipline. From the technical perspective, each medical discipline has its own paravirtualized guest domain. If data from another discipline is required, the DomU can request data from another DomU by asking the Dom0 for permission. The Dom0 in this case may therefore be understood as the entire hospital. The Dom0 adds an additional level of access control where DomUs may access data from other DomUs if granted by the Dom0. This enhances privacy of confidential patient information as the data is presented on a need-to-know basis.

Our prototype can be expanded to support full virtualization when it is not desirable (or logical) for virtual machines to share data, as in competitive or cloud environments. Full virtualization of guest domains provides isolated sandboxes for each domain that are independently managed. In such a case, the privileged domain would ensure trusted operation of the whole system.

4.8 Trusted Software Stack: User Domain

In our prototype, the privileged domain consists of two components: a virtual TPM (vTPM) manager and essential TPM drivers to communicate with the physical TPM. The TPM drivers are within the kernel space and are responsible for interfacing with the physical TPM. The drivers may optionally be loaded as kernel modules. We have tested both methods and found no empirical difference between the two approaches. The only difference is that, during the boot process, the TPM drivers are loaded at different times. The benefit of using TPM drivers as kernel modules is the capability for developers to unload them during runtime. Since our system typically does not need to change at this level, we compiled them into the kernel.

If the necessary TPM drivers are not present, it is not possible to provide TPM support to higher-level components in the stack, such as privileged and guest operating systems. We added TPM-capable modules to our Linux 2.6.32.32 kernel on top of the modules already present in supporting the Xen hypervisor and paravirtualization.

In addition to TCG (Trusted Computing Group)-compliant TPM and virtualization support, our security kernel provides trusted bootloaders and general security mechanisms. The modules enabled in our kernel to support TPM interaction along with the time it took to retrieve information. Furthermore, our security kernel is not as large as the main Linux kernel as our system requires only a subset of the mechanisms provided by the main Linux kernel. We were unable to use a microkernel because our application domains, although relatively specific, are still fairly complex such that many mechanisms are required. Finally, we were able to achieve flexibility in our kernel where we may use the same kernel for Linux-based operating systems in our infrastructure. A major benefit of using a minimal security kernel is that it is easier to verify and manage a single generic kernel that can be deployed in different infrastructures.
The vTPM manager is a service that allows creation, deletion, and management of virtual TPMs (vTPM). The vTPMs emulate the functionality pertaining to the physical TPM and reside within each guest domain. Every guest domain has its own vTPM. Since the physical TPM is a highly security-critical device and guest domains are considered to be less privileged than the privileged domain, it is natural to employ a mechanism that abstracts the physical TPM in these environments. Guest domains, thus, interact with the physical TPM indirectly through their vTPM. As depicted earlier in Figure 4.4, the vTPM then communicates with the vTPM manager located within the privileged domain. From the privileged domain, the vTPM manager communicates with the relevant TPM driver, which then queries the physical TPM regarding the original request by the guest domain.

All operating systems in our system use a trusted bootloader to prepare the system to load the operating system security kernel before booting into the operating system environment. Our prototype implements TrustedGRUB, software that extends the traditional GRUB bootloader to have TCG-compliant characteristics. TrustedGRUB continues the integrity measurement process in verifying the chain of trust by measuring stage 2 of the bootloader and the operating system security kernel. If this step complies with the security requirements of our system, the boot process passes control on to the next step and loads the operating system. Loading the operating system may be understood as the final step in verifying the chain of trust at the system level.

Our prototype currently consists of Dom0 and DomU domains running Linux, particularly the Ubuntu 10.04 distribution. However, we may optionally substitute Gentoo for Ubuntu. The primary benefit of using Gentoo is that it generally has a smaller code footprint and most of Gentoo’s configuration and kernel module compilation is done manually by the developer.
A primary reason for not using Gentoo is the complexity in maintaining a stable system for production environments. Once the operating systems (either Dom0 or DomUs) are loaded, public-facing applications or processes are typically present. The applications may be placed in the privileged domain or the guest domain depending on the security requirements of the application. Interfacing with the TPM is enabled at this level through various TPM dependencies.

[Figure 4.6: TPM dependencies. Layers, from top to bottom: User Space (User Applications; TrouSerS API and tpm-tools; TPM Daemons; TPM Libraries), Kernel Space (TPM Drivers), Hardware (TPM).]

4.9 Trusted Platform Module Dependencies

Interfacing with the TPM chip requires a variety of components derived primarily from software. Applications or processes requiring communication with the physical TPM hinge on a series of TPM dependencies. Figure 4.6 presents an overview of TPM dependencies in our architecture. At the highest level are user applications or processes which may require interaction with the physical TPM. We utilize the TrouSerS API, a trusted computing service interface, that provides an interface to the TPM mechanisms. In particular, TrouSerS contains the tpm-tools package, which allows a user to take ownership of the TPM, clear the TPM, set TPM tokens, seal data to PCRs, create public-private endorsement keys, and sign/verify keys. However, the TrouSerS suite is not functional if there does not exist a daemon process to handle a connection with the physical TPM. For this purpose, our prototype uses the tcsd daemon, which handles connections to the physical TPM. The daemons depend on low-level TPM libraries to function properly, which consequently depend on the proper TPM drivers.

The privileged domain and other guest domains manage their TPM dependencies using the components listed in Figure 4.6. Guest domains use the higher-level TPM dependencies to interact with a vTPM. Each guest domain’s vTPM is connected to the vTPM manager, which resides inside the privileged domain. From there, the vTPM manager communicates with the physical TPM via its own TPM drivers.

4.10 Privacy Assurance

In blind processing, we propose to use TPM chips to encrypt messages transmitted to both local and competitor systems. This prevents eavesdropping at the host system as well as the communication channel. The current version of the TPM provides a cryptoprocessor with a random number generator, an RSA key generator, an SHA-1 hash generator, as well as encryption/decryption and signature engines. We propose to utilize such cryptographic mechanisms to perform symmetric and asymmetric key encryption approaches in data communication. To provide a secure execution environment to trusted processes, the remote system will prevent external processes from accessing protected memory locations. More importantly, human operators/administrators will not be able to access the plain-text of messages from other domains as their decryption keys will be concealed in the TPM.

Micro-kernels provide necessary mechanisms to support an operating system with minimal code and are typically developed for an embedded device or a domain-specific application [22]. It is far easier to optimize and formally verify a micro-kernel compared to a regular kernel. Moreover, security kernels implement specific security policies, define verifiable protection behavior of the system, and comply with the security model to control underlying hardware resources [33]. For example, NICTA’s seL4 micro-kernel implementation is a security-oriented kernel with a formally verified functionality [45].

In order to provide process isolation for communicating systems, we developed a prototype with a security kernel to prove the concepts. The Xen 4.1 hypervisor (available at http://www.xen.org/) in our configuration provides an abstract interface to the underlying hardware resources while enforcing access control rules on multiple guest operating systems. The privileged domain operating system extends the interfaces of the underlying services while ensuring isolation of applications. For this, we customized the Intel TXT BIOS, the TrustedGRUB and the Linux kernel v2.6.32.32 as shown in Figure 4.4. In this hierarchy, only the privileged domain can directly interact with the hardware. Figure 4.7 presents the chain of application interactions through the TrouSerS API.

[Figure 4.7: Dependencies. Layers, from top to bottom: User Space (User Applications; TPM tools and TrouSerS API; TPM daemons; TPM Libraries), Kernel Space (TPM Drivers), Hardware (TPM).]

Using a security kernel, i.e., the privileged operating system in our prototype, ensures that dedicated processes providing blind execution are executed in a sandbox safe from tampering. Any stored data is encrypted using storage keys shielded in the TPM, similar to mechanisms proposed in [25]. The Storage Root Key (SRK) is used to develop a key chain by encrypting individual storage keys whose private part is not exposed to the host system. The storage keys then may seal potentially unlimited data on any medium. Sensitive data is sealed to a certain system state and bound to processes involved in blind execution. Sealed storage protects private information by binding it to its platform’s configuration, which encompasses both hardware and software. The data is deciphered with an authorization code only if the Platform Configuration Registers (PCR) have the same values as the ones during sealing.

PCRs securely store integrity measurements of system state until system reboot and are used as the root of trust for reporting during platform attestation. A set of PCRs, embedded in the TPM, store cryptographic checksums of several executables with two basic operations, namely extend and quote. The extend operation uses the Secure Hash Algorithm (SHA) to compute a hash of the register content along with an input value, which is usually a measurement result. This operation builds a hash chain that measures the sequence of code loads in the system. The quote operation uses protected Attestation Identity Keys (AIK) to sign the content of the register. This operation sends authenticated hash chains to remote parties that need to validate the integrity of the code running at the host system.

The keys will be active only if the TPM evaluates the system state to be at the desired state. The system state is measured by the Core Root of Trust for Measurement (CRTM) from system boot and includes measurements of the BIOS, the master boot record, the security kernel, O/S processes, and isolated processes involved in the blind processing. Each component measures the integrity of its successor before loading it and stores the hash value in the PCR. The CRTM can be utilized to establish a desired platform environment through secure boot, which allows loading only a known set of applications [14], or authenticated boot, which allows loading any code while securely recording measurement status [35]. In either case, rogue software cannot hide its presence since binary codes are measured and recorded before their execution. These measurements help verify any alteration in the system state and prevent the TPM from decrypting any sealed data when there is a modification to the underlying system or dedicated processes.

Other important issues in blind processing are how to develop trustworthy software to process data and how to establish mechanisms to verify the integrity of corresponding processes. Any code involved in blind processing needs to be verified to have no security issues. Hence, we need mechanisms to identify processes involved in blind processing and verify their integrity (details are discussed in Section 4.13).

An important challenge for our proposed blind processing is how to provide investigative access without negatively affecting the blind processing service. Investigative access is important to ensure proper operation of the entire system and prevent malicious behavior. A system is not able to know the messages it is receiving from another domain. Hence, a malicious system may inject faulty data into the communication to affect the operation of a competitor. To prevent this, operators may use anonymized auditing, which provides mechanisms to verify the integrity of data without accessing the actual data [8, 94].

4.11 Remote System Authentication

When communicating with a remote process, a system needs to establish its identity to prevent unauthorized access. Key distribution and verification is a central issue in any networked system [52]. In our case, the communication system is an identity based network, i.e., all devices and users at any of the levels have unique identities. These identities will be used to ensure messages are sent to and received from a legitimate trusted entity, as in a public key infrastructure (PKI) [62].

At the WAN level (i.e., inter-ISO), each domain needs its own Certification Authority (CA) independent of other domains since Endorsement Keys (EKs) need to be private to each domain. EKs of a TPM are permanent and cannot be revoked in case one is deciphered. Similarly at the MAN and HAN levels, the smart meter, electric utility, service providers, and some of the smart devices will have certificates. The electric utility will be the authoritative certification agent in providing certificates for MAN entities. The certificate of the electric utility will be stored in smart meters during installation, and the certificates for smart meters and service providers will be signed by the electric utility. After a contract agreement between a smart meter and a service provider is established, both entities will exchange certificates to ensure identity and legitimacy of public keys. Similarly, the smart meter will be the authoritative entity in handling certificates in the HAN. If needed, certificates for smart devices will be signed by the smart meter and used in communication with service providers.

In order to reduce processing overhead in encryption/decryption, communicating systems use session keys, which are agreed upon using public key cryptography. As public key cryptosystems are considerably slower than symmetric key cryptosystems, session keys will be devised to exchange the bulk of the messages [34]. Session keys can be utilized for longer durations as actors within the WAN are not very dynamic [16].

4.12 Communication Protocol

Figure 4.8 shows the authentication mechanism between the subsystems of different domains step by step. (1) VM-A1 uses its EK and credentials to obtain a signature from the CA for an AIK it generated. (2) The CA then signs the generated AIK for inter-domain and intra-domain communication. (3) Virtual machines exchange information to set a common session key. In this case, VM-A1 sends a request to VM-B1 to set a common session key. (4) VM-B1 responds to agree on the session key to be used for communication with each other. We call the session key a group key, since VM-A1 will share the group key, $K_g$, (5) with the approved smart subsystems inside Domain A to allow them to communicate directly with Domain B. As for approval of the entities, the subsystems in Domain A request (purple 1) VM-A1 to register them in the $K_g$ distribution list so that $K_g$ is shared with them once the key is set with Domain B. VM-A1 replies with the approval decision to the requesting subsystem (purple 2). However, the purple steps will be taken only during the initialization process and for re-authorization in case of a denial of access from Domain B.

1. $(Cr_{A1}, EK_{A1}, AIK_{A1})$

2. $Enc_{Priv}^{CA}(Time, Cr_{A1}, AIK_{A1})$

3. $Enc_{Pub}^{B1}(Enc_{Priv}^{AIK_{A1}}(n_1, K_g))$

4. $Enc_{Pub}^{A1}(Enc_{Priv}^{AIK_{B1}}(n_1 + 1, K_g))$

5. $Enc_{Pub}^{A1}(Enc_{Priv}^{AIK_{Subsystem}}(K_g))$

4.13 Integrity Assurance

All data communication systems at WAN and MAN levels need to have integrity assurances as they might belong to different organizations. Additionally, as the smart meter will act as a gateway between the HAN and MAN and serve as a firewall for the HAN, it is important for the smart meter to be equipped with components that will prevent hardware/software tampering. Establishing a trust relationship with the smart meter provides assurances to both external and internal entities. A tamper-resistant system, for instance, protects the electric utility and service providers from attacks generated by malicious smart meters.

[Figure 4.8: CA Hierarchy. Shows the Certificate Authority, Domain A with VM-A1 and Domain B with VM-B1, their smart subsystems, and the numbered message arrows between them. Legend: EKs, AIKs, Session Keys, Smart Subsystems.]

Preventing a tamper attempt requires a secure package with minimal and carefully engineered access to the outer world. Moreover, the TPM mounted on a host system may be designed to quickly erase its secrets in response to tamper detection such as penetration attempts, temperature extremes, voltage variation, and radiation [35]. The following are the defense aspects [91]: (1) tamper detection to have the device able to sense when tampering is occurring; (2) tamper evidence to ensure that tampering causes some observable consequence; (3) tamper resistance to make it hard to tamper with the device; and (4) tamper response to have the device take some appropriate countermeasure. Below, we discuss integrity of a system, a process (ally or competitor), and data (generated or collected).

System integrity: System integrity indicates whether the system has a trustworthy execution environment. All parties in blind processing will challenge peers to ensure that the remote system conforms to TCG specifications with (1) a TPM providing root of trust, (2) a security kernel providing an isolated execution environment for trusted processes whose computations and memory are safe from tampering, (3) a cryptographically protected storage for sensitive data decipherable only by the dedicated process, and (4) shielded communication channels with remote processes.

Process integrity: The integrity of a process essentially depends on the genuineness of its code. It is important not only to detect changes in software but also to ensure that newly developed code is trustworthy.
When communicating with an ally or competitor process both parties will assure the integrity of each other by comparing stored fingerprints with reported PCR values before transmitting any data. To enforce process integrity, we may utilize software engineering techniques that enhance software security including safe software architecture and compilation techniques for intrusion prevention [54], security specification and management [88], software quality assurance throughout software lifecycle, and security testing [76]. Data integrity: Verifying the genuineness of data depends on whether the data is collected or generated. Collected data is primitive data given to a process and its integrity is application specific. Some techniques to ensure integrity of col- 61 lected data are semantic check (i.e., integration of logic into the process to verify data semantics), certificate (i.e., signatures from trusted central authorities), and trusted path (i.e., ensuring that the data come from an authenticated user or sens- ing device) [83]. Generated data integrity depends on genuineness of the process and collected data. Overall, data integrity requires a chain of trust in original data, communication channel, and data processers. We will utilize secure root processes of the TPM to develop authenticators that will ensure integrity of processes using the CRTM as in [9]. Moreover, as CRTM per- forms integrity measurement at load-time, run-time vulnerabilities of critical systems can be detected using run-time attestation [83] and verifiable code execution [82]. To ensure the integrity of a system, a remote challenger will request measurements of the communicating process before sending any data. Integrity measurement of a complete interactive system is a challenging task, as thousands of measurements and knowledge of their fingerprints may be required for various software [61,90]. 
In our case, we are interested in the integrity of a known set of processes loaded in a deterministic order. Using a security kernel, a system will ensure integrity of the TPM, the BIOS, the security kernel and a well-known set of processes providing blind processing. 62

Chapter 5

Evaluations of Performance Impact

In evaluating the performance impact of blind processing on our system, we measured the boot time, the startup time for two applications (a communication-oriented one and a computation-oriented one), and the performance of some important functions: the TPM (Trusted Platform Module) Seal function, the Triple DES cryptographic function, and the SHA-1 hash function.

First, we measured the timing overhead of blind processing mechanisms on the system in Figure 5.1. The table presents boot timing of different components with blind processing mechanisms, i.e., TPM and TSS (Trusted Software Stack), in place or not. The numbers are averages of 50 trials. The application boot times were measured in idle environments where no process excessively consumes the CPU, memory or network bandwidth. Results show negligible difference in application boot times. However, in the case of system boot time, there is a considerable slowdown. This is due to the TPM measurements and iterative state verification at boot time. The TPM unseals data using the storage root key and stores hashes into the Platform Configuration Registers (PCRs) as it ensures the chain of trust.

Figure 5.1: Timing Overhead

In addition to measuring the startup performance of the system, we analyzed the sealing, encryption and hashing performance of the system. Since these functions are very frequently used in our prototype, we wanted to measure the performance overhead they bring. Using tpm seal to seal a file with the storage root key, we performed 50 tests of each function where we sealed files with different sizes, varying from 100K up to 10G as presented in Table 5.2. The overhead is negligible for reasonable sizes of data that will be transferred between the system components. For example, it takes less than 1 second for 10M for all functions to operate. Even for 100M, it takes only 1.60 seconds for the sealing operation, 0.45 seconds for the hashing operation and 5.80 seconds for triple DES. We added the simulation results for 1G and 10G, too, to see the performance. However, data files are not typically that large, so we think no function will take more than 10 seconds to operate except in very rare cases such as a 1G or 10G transfer.

Figure 5.2: Data Seal Timing

Chapter 6

Attack Vectors and Vulnerabilities

This section presents an overview of important attack vectors and potential vulnerabilities our architecture inherently safeguards against. In particular, each section presents basic information regarding the attack, followed by the vulnerability or possible point of entry within our architecture, and finally how our architecture addresses these security risks.

For application attacks (such as web browser, mobile code, and web service), wireless technology attacks (such as Wi-Fi and Cellular), social engineering attacks, and physical attacks, we need secondary defence mechanisms to protect the utility from these attacks, which are discussed in [37]. For instance, one of the biggest weaknesses in infrastructures, particularly security-critical ones, is people who are vulnerable to social engineering. Unfortunately, there is no sound computational mechanism to safeguard against these types of attacks. Instead, a good approach in addressing this risk is educating all stakeholders in the system regarding the potential issues.

6.1 Man-in-the-Middle

Man-in-the-middle attacks are a form of eavesdropping where an attacker intervenes between two communicating parties, e.g. Alice and Bob. The attacker creates independent connections at each communication end, i.e. Alice and Bob, making each end believe they are talking directly to each other. However, as the attacker is intercepting the messages, the attacker may steal or manipulate information transmitted over the communication channel. The attacker may additionally inject new messages into the stream intended for either end point.

In our system, an attacker may create a machine which complies with the trusted architecture and attempts a man-in-the-middle attack. However, a successful man-in-the-middle attack requires the attacker's machine to be verified through the trusted authority. If this is not possible, an attacker may also attempt to represent a trusted authority and attempt to remotely attest to a machine within the trusted infrastructure. However, given the constraint of 2048-bit private identity and endorsement keys being created during the device manufacturing and viewable only inside the TPMs, it would be impossible to successfully launch this attack. An attacker may attempt to brute force the 2048-bit key, but it would be infeasible to penetrate in a reasonable amount of time.

A malicious entity may try to break the chain of trust by having a process intervene between one of the trust layers. For example, an attacker may try to subvert the guest domain, privileged domain, or the hypervisor. However, PCRs within the TPM would change and therefore invalidate the system state. In such violations, the system may simply flag for invalidation, halt the system, or restore the system to a known and verifiable secure state. Another option would be to combine the two methods where the system would retain its integrity but additionally notify administrators/users of a vulnerability that requires a fix.
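The fingerprint comparison described earlier under process integrity, and the PCR change that exposes a subverted trust layer described above, can be worked through as follows. This is an added example, not code from the thesis prototype: the component names and images are constructed, the extend operation follows TPM 1.2 (SHA-1), and the AIK-signed quote that would carry the PCR value in a real attestation is omitted.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def measure(image: bytes) -> bytes:
    """Fingerprint of a component: SHA-1 over its code image."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay(log):
    """Fold a measurement log into the PCR value it must produce."""
    pcr = bytes(PCR_SIZE)  # PCRs are all zeroes after reset
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


# Constructed reference data: the known set of processes, in load order.
BOOT_ORDER = ["bios", "security-kernel", "blind-processing"]
GOOD_IMAGES = {
    "bios": b"constructed BIOS image v1",
    "security-kernel": b"constructed security kernel image v1",
    "blind-processing": b"constructed blind processing service v1",
}
# Fingerprints the challenger stores ahead of time.
REFERENCE = {name: measure(img) for name, img in GOOD_IMAGES.items()}


def boot(images, order=BOOT_ORDER):
    """Simulate the platform: measure each component before loading it."""
    log = [(name, measure(images[name])) for name in order]
    return replay(log), log


def verify(reported_pcr, log):
    """Challenger-side check; returns (trusted, reason)."""
    # 1. The log must reproduce the PCR, otherwise the log was edited.
    if not hmac.compare_digest(replay(log), reported_pcr):
        return False, "log does not reproduce reported PCR"
    # 2. Same components, loaded in the same deterministic order.
    if [name for name, _ in log] != BOOT_ORDER:
        return False, "unexpected load order or component set"
    # 3. Every reported fingerprint must match the stored one.
    for name, digest in log:
        if not hmac.compare_digest(digest, REFERENCE[name]):
            return False, "fingerprint mismatch: " + name
    return True, "trusted"


if __name__ == "__main__":
    pcr, log = boot(GOOD_IMAGES)
    print("clean boot:", verify(pcr, log))

    # A subverted layer changes its fingerprint and every later PCR value.
    tampered = dict(GOOD_IMAGES, **{"security-kernel": b"patched kernel"})
    bad_pcr, bad_log = boot(tampered)
    print("subverted kernel:", verify(bad_pcr, bad_log))

    # Presenting the clean log with the tampered PCR does not help either.
    print("doctored log:", verify(bad_pcr, log))
```

Because the extend operation is a hash chain, the check is sensitive to order as well as content, which is why restricting attestation to a known set of processes loaded in a deterministic order keeps the reference data to a single expected value.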

6.2 Session Injection

Injection attacks are similar to man-in-the-middle attacks in that a third party intervenes in the communication. In our case, injection refers to data injection where an attacker exploits a vulnerability that causes processing of invalid data. This is a major area of concern as an attacker may discover a vulnerability in the system and exploit it to cause an unintended behavior. It is difficult to predict these types of attacks since systems and software are developed by humans, who are prone to errors.

In order to prevent these types of attacks, our system isolates memory resources by using virtual machines. According to the Open Web Application Security Project, application-level attacks were the most popular means of entry into a system [77]. Application-level attacks target databases and web applications that often are publicly accessed by external users. Our system employs access control where the security requirements of applications dictate which domain (privileged or guest) they may run on. Authorization and access control is further handled at the user level within the applications. Fundamental security mechanisms are also enabled within the customized kernel to support features such as ASLR, pointer obfuscation, and non-executable memory.

Similarly, session hijacking refers to the exploitation of a valid session where an attacker gains some identifiable information, e.g. session key, to gain unauthorized access. In our system, we focus on protection of the machine's private Attestation Identity Key (AIK), which is received after being authorized by a trusted authority, as with the private AIK the attacker can remotely attest to other machines in the network. This implies the attacker was able to circumvent the 2048-bit RSA-generated AIK or successfully masquerade as such, which is not possible due to the public key cryptosystem that protects the private key and securely distributes the public key. Furthermore, machines in our architecture are able to ask other machines for their Endorsement Key (EK), which contains details regarding platform credentials from the Platform Configuration Register (PCR), endorsement credentials, and conformance credentials, which may be used at either end to re-verify the attestation.

6.3 Cold Boot, Physical and Side Channel Attacks

These types of attacks refer to an attacker gaining physical access to a machine. An attacker may retrieve crucial keys after using a cold boot to restart the machine from a completely off state [44]. These types of attacks rely on data remanence within memory, which may still be readable up to a few minutes after the machine has been powered off. Fortunately, these types of attacks are very intricate and require astounding esoteric knowledge to perform. In addition to being technically difficult to perform, the success rate is also not fully guaranteed. However, these types of attacks have been demonstrated to be effective against full disk encryption schemes, even when TPM chips or secure coprocessors are employed. This is a security risk of the hardware, rather than the software, requiring better tamper-resistant chip production.

Mitigating these types of attacks at the software level is very difficult as additional protection software may be unreliable or ineffective. To address this security risk at the software level, systems may re-encrypt encryption keys upon disk unmount or use two-factor authentication where a pre-boot PIN or removable USB would be required alongside the TPM to boot.

In order to mitigate these types of attacks, it is important for the hardware, i.e. TPM devices or secure co-processors, to be tamper-resistant as discussed in Section 4.13. For example, any physical tampering of the device could result in the device short-circuiting. Moreover, a system may utilize advanced power management, such that when a system powers off or goes into sleep mode, all sensitive information is intentionally wiped from the memory. TCG specifies compliance for trusted systems whereby the BIOS must overwrite memory during POST if the system has not shut down cleanly. Finally, a trusted third party, e.g., a government agency or independent auditors, may perform verification checks at random intervals so that an owner does not tamper with the TPM to gain competitive advantage.

Chapter 7

Related Work

In this section, we briefly present earlier studies that tackled smart grid communication security at transmission and distribution levels.

7.1 Transmission Level

Research at the transmission level deals with a more efficient and faster monitoring of the grid. Control applications and systems to allow more data exchange among different system operators for large regionally connected networks are proposed.

Metke et al. [62] proposed a mechanism where trusted computing and PKI (Public Key Infrastructure) are combined to provide a secure and reliable solution for smart grid. Smart grid will contain millions of nodes and hundreds of organizations, so there should be a robust and scalable key exchange mechanism to maintain the security of the grid. In the solution, they build the key infrastructure by including only PKI standards, automated trust anchor security, certificate attributes and smart grid PKI tools to reduce the complexity significantly. In terms of trusted computing, they strictly require both the general purpose computers and embedded systems that run only the code signed by an authority. Also, since smart grid will contain critical components manufactured by different vendors, there should be a trust management framework that establishes a set of criteria for these vendors to meet before the installation.

The studies to preserve the privacy in transmission level mostly deal with the secure key distribution between the utilities to authenticate each other by a third party organization. A trusted communication channel is established securely and the interactions are made through this channel. PBES (Policy Based Encryption System) [21] uses a key distribution center to obtain encryption/decryption keys with a data and key encapsulation mechanism to share sensitive information with other utilities. The data owner sets a policy for the data and generates a data object to be shared with other utilities. Based on their ability to satisfy the policy that is set between the sender and the recipient, the utilities access the shared data determined by the policy. Once the recipient obtains the encrypted data object, it contacts the key distribution channel to decrypt it.

In [92], the authors address the key management issues and the attack vectors in the smart grid. First, they show that a recently proposed key management scheme, in which Kerberos was used for authentication, is vulnerable to man-in-the-middle attack. Then they propose their solutions by using a trust anchor to manage the secret keys of the smart meter and service provider, and show that their scheme is protected against many cyber attacks.

In [80], the authors propose a "competitive privacy" concept to express the conflict between sharing of data for viability of the grid and withholding of data for economic reasons. They present a linear measurement model for the competitive privacy problem regarding the privacy leakage stemming from shared measurements. In this model, the measurements at each RTO (Regional Transmission Operator) are included in a linear combination of all the sources to view the power system state by using the perturbed function of the measurements. They formulated the trade-off between sharing data to ensure network reliability and hiding data to ensure privacy in a way that state estimation is done accurately while keeping the privacy leakage limited.

7.2 Distribution Level

Research at the distribution level communication focuses on mechanisms to preserve consumer's privacy from electric utilities and service providers.

A privacy-preserving protocol between the utility and the smart meter is proposed in [79]. In this protocol, the smart meters do not disclose the fine-grained usage details to the electricity utility. Only computations based on the readings are transmitted, which allows the utility to make calculations for the billing while trying to preserve the privacy between the user and the provider. A similar study is conducted in [72] where anonymity is provided for the customers toward the utility. Reporting the electricity consumption to the utility is done periodically in a way that the utility or service providers cannot monitor customers' habits. An anonymous credential architecture under the principle of blind signature is suggested in [27] to preserve users' private information from third parties as well as the utilities. The customer-generated credentials are sent to a control center to be signed blindly. The signed credentials are used as a proof of identity while requesting power from the utility anonymously, and the utility does not know who this request belongs to. Similarly, LSM (Load Signature Moderation) [51], SEG (Smart Energy Gateway) [84], and PASS (Privacy-preserving Authentication Scheme) [28] architectures propose mechanisms to preserve the privacy between the customer and the utility in the smart grid.

Aggregation methods using homomorphic encryption are suggested by [32,57,60] to protect personal habits, behaviors, and life style of the customer from the electricity suppliers. The aggregation approach is generally incremental, in which data aggregation is performed in all smart meters from the source meter toward the gateway or the collector unit. In this process, readability of the carried data is prevented from the meters on the route.
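The incremental aggregation described above can be illustrated with an additively homomorphic scheme. The following is an added example, not code from the thesis or from the cited papers: it uses Paillier encryption as a representative scheme, with toy fixed primes and constructed meter readings as assumptions, to show each meter on the route folding its reading into a running ciphertext that only the collector can decrypt.

```python
import math
import secrets

# Toy parameters (assumption): two known Mersenne primes. A real deployment
# needs a modulus of at least 2048 bits built from randomly generated primes.
P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q):
    """Return (n, private_key) for Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # decryption constant; this form holds for g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """E(m) = (1 + n)^m * r^n mod n^2, with fresh randomness r per call."""
    if not 0 <= m < n:
        raise ValueError("reading out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (1 + n)^m mod n^2 equals 1 + m*n by the binomial theorem.
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, private_key, c):
    """Collector side: m = L(c^lam mod n^2) * mu mod n, with L(u) = (u-1)//n."""
    lam, mu = private_key
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add_reading(n, running, reading):
    """What each meter on the route does: multiply the running ciphertext by
    the encryption of its own reading. Only the public modulus n is needed,
    so the meter cannot read what earlier meters contributed."""
    return running * encrypt(n, reading) % (n * n)


def aggregate_route(n, readings):
    """Pass a ciphertext from the source meter toward the collector."""
    running = encrypt(n, 0)
    for reading in readings:
        running = add_reading(n, running, reading)
    return running


if __name__ == "__main__":
    n, private_key = keygen()
    readings_wh = [412, 1380, 95, 760]  # constructed readings, watt-hours
    total = decrypt(n, private_key, aggregate_route(n, readings_wh))
    print("collector sees total only:", total)
```

The collector recovers only the sum of the readings; individual contributions are hidden from it as well as from the meters on the route, provided it never receives a ciphertext that covers a single meter.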
Regarding the privacy issues of the TPMs (Trusted Platform Module), Direct Anonymous Attestation (DAA) [23] is suggested by the Trusted Computing Group as the method to allow attestation remotely while preserving the privacy of the user. DAA eliminates the need to authenticate the user with a third party, i.e. certificate authority. It also detects the corrupted TPMs by using a group signature scheme. However, Smyth et al. [87] have shown that DAA places an unnecessarily large burden on the TPM chip and this weakness opens a way for corrupt administrators to violate the privacy.

In [58], access control is introduced as an important element in the smart grid to eliminate potential security threats as there are numerous types of users in this complex structure such as operators, engineers, technicians, and managers. Similarly, Cheung et al. [26] suggested smart-grid role-based access control as a derivative of the RBAC (Role Based Access Control) model. In this study, access control is maintained by WANs (Wide Area Network) and each WAN determines the security policy for the communication with other WANs as well as with HANs (Home Area Network). Security policy management is done via XML to simplify power-grid network security administration.

On one hand, the studies to preserve the privacy in transmission level mostly deal with the secure key distribution between the utilities. After the authentication of the parties, only some part of the collected data is shared in a secure channel either on demand or event based. As a result of the suggested mechanisms, the shared data is left open at the other end to human operators such as system administrators and privileged users. On the other hand, the studies involving trusted computing in their solution mostly address the privacy concerns of the customers with respect to electric utilities and service providers. These studies propose a solution on how to anonymize or consolidate the data in a way that the utilities or service providers do not gather information about consumers' habits.

We included the most recent studies in this field and presented a brief overview of the suggested mechanisms. However, the above analysis is not intended to conclude that the existing approaches cannot be adapted to smart grid. Some of them might even have real applications in the smart grid that are currently in use. Instead, this thesis seeks a solution in which the barriers against data sharing are removed and full access to the data is granted to the reliable parties' trusted systems in a way that none of the communicating parties are aware of the processed data. Therefore, we propose "Blind Processing" to preserve privacy with an all-the-time open communication channel without having any party be aware of the transactions.

Chapter 8

Conclusions and Future Work

In this thesis, an "open" and "blind" communication between the intra- and inter-domain smart substructures of smart grid was proposed to increase information exchange, minimize human intervention, and mitigate cascading events. At the transmission level, enhanced security services will enable the advantages of additional information exchange between independent system operators in different regions while respecting electrical energy market constraints and trust boundaries over the operation of the power grid infrastructure. At the distribution level, the proposed research aims at revolutionizing the relationship between the utility and customers to protect user privacy.

Through blind processing service, remote parties can exchange sensitive data between isolated processes whose execution environment and data is shielded from the rest of the system including the root. For this service, we utilize trusted computing technology to provide underlying secure communication mechanisms between isolated processes whose behavior is well-known. In blind processing, we ensure that a peer has correct hardware (i.e., known devices, CPU, and TPM), trusted computing base (i.e., secure-kernel providing process isolation), correct credentials (i.e., keys and certificates), and trustworthy state (i.e., unaltered processes whose behavior is well-known). Also, we investigated security mechanisms to enhance privacy and integrity of sensitive data by ensuring that only trusted processes of a remote system access the data.

Due to growing information exchange and increasing security threats, security solutions should identify sensitive data to be protected and reduce the susceptibility by making critical components inaccessible to threats. Traditionally, security mechanisms are deployed to protect the transmission channel and the execution environment from third parties based on security requirements of the data. Our goal with blind processing was to establish a secure communication channel between trusted processes, which are concealed from the rest of the system including the root processes (and hence system administrators). Sensitive data is transmitted through the secured channel and used in computations running in an isolated environment while the outcome is rendered only to a dedicated user or process. The increased information sharing will also enhance the adaptability of the power transmission grid with the proliferation of distributed renewable energy generation that provides intermittent energy.

As future work, our prototype can be expanded into other multi-owner systems and cloud environments. Moreover, as we utilized off-the-shelf components, an optimized design can be developed. Similarly, even though we did not observe considerable performance degradation in our prototype, we might need to optimize the system for large scale deployment and processing.

Bibliography

[1] Trusted computing group. http://www.trustedcomputinggroup.org.

[2] Trusted execution technology architectural overview. http://www.intel.com/technology/security.

[3] Cryptographic protection of scada communications. American Gas Association, Mar 2006.

[4] Steps to establish a real-time transmission monitoring system for transmission owners and operators within the eastern and western interconnections. U.S. Department of Energy & Federal Energy Regulatory Commission, Feb 2006. http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf.

[5] TCG architecture overview, August 2007. https://www.trustedcomputinggroup.org/groups/ TCG 1 4 Architecture Overview.pdf.

[6] TCG architecture overview, Aug 2007.

[7] creative living! - activesmart refrigerators, Feb 2010.

[8] R. Agrawal and R. Srikant. Privacy-preserving data mining. pages 439–450. ACM Press, 2000.

[9] M. Alam, X. Zhang, M. Nauman, T. Ali, and J.-P. Seifert. Model-based behavioral attestation. In SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologies, pages 175–184, New York, NY, USA, 2008. ACM.

[10] M. Amin. Security challenges for the electricity infrastructure (supplement to computer magazine). Computer, 35(4):8–10, 2002.

[11] M. P. Anastasopoulos, A. C. Voulkidis, A. V. Vasilakos, and P. G. Cottis. A secure network management protocol for smartgrid bpl networks: Design, implementation and experimental results. In Science Direct: Computer Communications, Jun 2008.

[12] R. Anderson, M. Bond, J. Clulow, and S. Skorobogatov. Cryptographic processors-a survey. Proceedings of the IEEE, 94(2):357–369, February 2006.

[13] J. G. Andrews, A. Ghosh, and R. Muhamed. Fundamentals of WiMAX: Understanding Broadband Wireless Networking (Prentice Hall Communications Engineering and Emerging Technologies Series). Prentice Hall PTR, Upper Saddle River, NJ, USA, 2007.

[14] W. A. Arbaugh, D. J. Farber, and J. M. Smith. A secure and reliable bootstrap architecture. In IEEE Symposium on Security and Privacy, page 65. IEEE Computer Society, 1997.

[15] I. T. L. at the National Institute of Standards and Technology. Accelerating smart grid standards adoption. 2009.

[16] I. T. L. at the National Institute of Standards and Technology. Smart grid cyber security strategy and requirements. 2010.

[17] R. Baldick, B. H. Kim, C. Chase, and Y. Luo. A fast distributed implementation of optimal power flow. IEEE Trans. On Power Sys., 14(3):858, August 1999.

[18] J. Benoit, S. Gagnon, and L. Tetreault. Securing distribution automation. Cooper Power Systems, Technical report, Mar 2010.

[19] S. Biemueller. Hardware-supported virtualization for the l4 microkernel, Sept. 29 2006.

[20] P. N. Biskas and A. G. Bakirtzis. Decentralised security constrained dc-opf of interconnected power systems. IEE Proc. Gener. Transm. Distrib., 151(6):747, November 2004.

[21] R. Bobba, H. Khurana, M. AlTurki, and F. Ashraf. Pbes: a policy based encryption system with application to data sharing in the power grid. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pages 262–275. ACM, 2009.

[22] J. Brakensiek, A. Dröge, M. Botteck, H. Härtig, and A. Lackorzynski. Virtualization as an enabler for security in mobile devices. In Proceedings of the 1st workshop on Isolation and integration in embedded systems, IIES '08, pages 17–22, New York, NY, USA, 2008. ACM.

[23] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In Proceedings of the 11th ACM conference on Computer and communications security, CCS '04, pages 132–145, New York, NY, USA, 2004. ACM.

[24] F. Capitanescu, M. Glavic, D. Ernst, and L. Wehenkel. Contingency filtering techniques for preventive security-constrained optimal power flow. IEEE Trans. On Power Sys., 22(4):1690, November 2007.

[25] E. Cesena, G. Ramunno, and D. Vernizzi. Secure storage using a sealing proxy. In Proceedings of the 1st European Workshop on System Security, pages 27–34, New York, NY, USA, 2008. ACM.

[26] H. Cheung, A. Hamlyn, T. Mander, C. Yang, and R. Cheung. Role-based model security access control for smart power-grids computer networks. In Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the 21st Century, 2008 IEEE, pages 1–7. IEEE, 2008.

[27] J. C. Cheung, T. Chim, S. Yiu, L. C. Hui, and V. O. Li. Credential-based privacy-preserving power request scheme for smart grid network. In Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE, pages 1–5. IEEE, 2011.

[28] T. Chim, S. Yiu, L. C. Hui, and V. O. Li. Pass: Privacy-preserving authentication scheme for smart grid network. In Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on, pages 196–201. IEEE, 2011.

[29] Cisco. Securing the smart grid. White paper, 2009.

[30] P. Communications. Smart homes, 2010.

[31] N. A. E. R. Council. Technical analysis of the august 14, 2003, blackout: what happened, why and what did we learn? Technical report, NERC, Princeton, NJ, July 2004.

[32] P. Deng and L. Yang. A secure and privacy-preserving communication scheme for advanced metering infrastructure. In Innovative Smart Grid Technologies (ISGT), 2012 IEEE PES, pages 1–5. IEEE, 2012.

[33] P. Derrin, K. Elphinstone, G. Klein, D. Cock, and M. M. T. Chakravarty. Running the manual: an approach to high-assurance microkernel development. In Haskell '06: Proceedings of the 2006 ACM SIGPLAN workshop on Haskell, pages 60–71, New York, NY, USA, 2006. ACM.

[34] W. Diffie. The first 10 years of public-key cryptography. 1988.

[35] J. G. Dyer, M. Lindemann, R. Perez, R. Sailer, L. van Doorn, S. W. Smith, and S. Weingart. Building the IBM 4758 secure coprocessor. Computer, 34(10):57–66, October 2001.

[36] G. Ericsson. Cyber security and power system communication - essential parts of a smart grid infrastructure. In IEEE Transactions of Power Delivery, volume 25, Jul 2010.

[37] T. Flick and J. Morehouse. Securing the smart grid: next generation power grid security. Syngress, 2010.

[38] U.-C. P. S. O. T. Force. Final report on the august 14, 2003, blackout in the united states and canada: Causes and recommendations. Technical report, U.S. Department of Energy, Washington, D.C., April 2004.

[39] E. Gallery and C. J. Mitchell. Trusted computing: Security and applications. Cryptologia. (to appear).

[40] A. Greenberg. Hackers cut cities’ power. Forbes, Jan 2008.

[41] X. Guan, S. Guo, and Q. Zhai. The conditions for obtaining feasible solutions to security-constrained unit commitment problems. IEEE Trans. On Power Sys., 20(4):1746, November 2005.

[42] M. H. Gunes and C. Y. Evrenosoglu. Blind processing: Securing data against system administrators. In FIP/IEEE International Workshop on Management of Smart Grids, Apr 2010.

[43] V. C. Gungor and F. C. Lambert. A survey on communication networks for electric system automation. Comput. Netw., 50:877–897, May 2006.

[44] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: cold-boot attacks on encryption keys. Commun. ACM, 52(5):91–98, May 2009.

[45] G. Heiser, K. Elphinstone, I. Kuz, G. Klein, and S. M. Petters. Towards trustworthy computing systems: taking microkernels to the next level. SIGOPS Oper. Syst. Rev., 41(4):3–11, 2007.

[46] S. Hurd, R. Smith, and G. Leischner. Tutorial: Security in electric utility control systems. In Protective Relay Engineers, 2008 61st Annual Conference for, pages 304–309, April 2008.

[47] IEEE. IEEE standard communication delivery time performance requirements for electric power substation automation. IEEE Std 1646-2004, pages 1–24, 2005.

[48] IEEE. IEEE standard for substation intelligent electronic devices (IEDs) cyber security capabilities. IEEE Std 1686-2007, pages c1–15, Feb. 2008.

[49] V. M. Igure, S. A. Laughter, and R. D. Williams. Security issues in scada networks. Computers & Security, 25(7):498–506, 2006.

[50] M. S. K. Scarfone and P. Hoffman. Guide to security for full virtualization technologies. NIST Special Publication, 2011. 800-125.

[51] G. Kalogridis, C. Efthymiou, S. Z. Denic, T. A. Lewis, and R. Cepeda. Privacy for smart meters: Towards undetectable appliance load signatures. In Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on, pages 232–237. IEEE, 2010.

[52] C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World. Prentice Hall, 2nd edition, May 2002.

[53] R. H. Kerr, J. L. Scheidt, A. J. Fontanna, and J. K. Wiley. Unit commitment. IEEE Trans. On Power Apparatus and Systems, PAS-85(5):417, May 1966.

[54] D. Kirovski, M. Drinić, and M. Potkonjak. Enabling trusted software integrity. In ASPLOS-X: Proceedings of the 10th international conference on Architectural support for programming languages and operating systems, pages 108–120, New York, NY, USA, 2002. ACM.

[55] C. E. Landwehr, David, and M. Goldschlag. Security issues in networks with Internet access. In IEEE, volume 85, pages 2034–2051, 1997.

[56] R. E. Larson, W. F. Tinney, L. P. Hajdu, and D. S. Piercy. State estimation in power systems part 2: implementation and applications. IEEE Trans. On Power Apparatus and Systems, page 353, 1970.

[57] F. Li, B. Luo, and P. Liu. Secure information aggregation for smart grids using homomorphic encryption. In First IEEE International Conference on Smart Grid Communications (SmartGridComm), pages 327–332, 2010.

[58] X. Li, X. Liang, R. Lu, X. Shen, X. Lin, and H. Zhu. Securing smart grid: cyber attacks, countermeasures, and challenges. Communications Magazine, IEEE, 50(8):38–45, 2012.

[59] J. Linder, K. Harris, B. J. Louisiana, L. S. California, E. J. Markey, K. B. Meek, L. S. California, and E. J. Markey. SCADA systems and the terrorist threat: Protecting the nation’s critical control systems. Committee on Homeland Security, Oct 2005.

[60] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen. Eppa: An efficient and privacy-preserving aggregation scheme for secure smart grid communications. Parallel and Distributed Systems, IEEE Transactions on, 23(9):1621–1631, 2012.

[61] J. M. McCune, A. Perrig, A. Seshadri, and L. van Doorn. Turtles all the way down: research challenges in user-based attestation. In HOTSEC’07: Proceedings of the 2nd USENIX workshop on Hot topics in security, pages 1–5, Berkeley, CA, USA, 2007. USENIX Association.

[62] A. Metke and R. Ekl. Security technology for smart grid networks. Smart Grid, IEEE Transactions on, 1(1):99–107, June 2010.

[63] J. Miller. Research on the characteristics of a modern grid: Operates resiliently against attack and natural disaster. Energy Pulse, 4(3), February 2009.

[64] N.-K. C. Nair and L. Zhang. Smartgrid: Future networks for new zealand power systems incorporating distributed generation. In Science Direct: Energy Policy, Mar 2009.

[65] J. Naruchitparames, M. H. Gunes, and C. Y. Evrenosoglu. Secure communications in the smart grid.

[66] J. Naruchitparames and M. H. Gunes. Enhancing data privacy and integrity in the cloud. In International Workshop on Security and Performance in Cloud Computing, July 2011.

[67] NICTA. Secure microkernel project.

[68] N. Y. I. S. Operator. Interim report on august 14, 2003 blackout. Technical report, NYISO, Albany, NY, January 2004.

[69] N. Y. I. S. Operator. Blackout august 14, 2003 final report. Technical report, NYISO, Albany, NY, February 2005.

[70] S. Pearson. Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, Upper Saddle River, NJ, USA, 2002.

[71] M. Peinado, Y. Chen, P. Engl, and J. Manferdelli. NGSCB: A trusted open system. In 9th Australasian Conference on Information Security and Privacy, pages 86–97. Springer, 2004.

[72] R. Petrlic. A privacy-preserving concept for smart grids. Sicherheit in vernetzten Systemen, 18:B1–B14, 2010.

[73] C. P. Pfleeger and S. L. Pfleeger. Security in Computing. Prentice Hall, 4th edition, Oct 2006.

[74] F. A. Phiri and M. B. Murthy. Wlan-gprs tight coupling based interworking architecture with vertical handoff support. Wirel. Pers. Commun., 40(2):137–144, 2007.

[75] A. E. Power, Avista, Centerpoint, C. Energy, D. Energy, E. de France, F. P. . Light, Oncor, P. G. . Electric, R. Energy, S. D. G. . Electric, and S. C. Edison. Smart grid standards adoption - utility industry perspective. 2009.

[76] R. S. Pressman. Software Engineering: A Practitioner’s Approach. McGraw Hill, 7th edition, 2010.

[77] O. W. A. S. Project. Owasp top 10, 2010.

[78] R. Rajagopalan and P. K. Varshney. Data aggregation techniques in sensor networks: A survey. Communications Surveys & Tutorials, IEEE, 8:48–63, 2006.

[79] A. Rial and G. Danezis. Privacy-preserving smart metering. In Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, WPES ’11, pages 49–60, New York, NY, USA, 2011. ACM.

[80] L. Sankar, S. Kar, R. Tandon, and H. V. Poor. Competitive privacy in the smart grid: An information-theoretic approach. In Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on, pages 220–225. IEEE, 2011.

[81] T. Sauter and M. Lobashov. End-to-end communication architecture for smart grids. Industrial Electronics, IEEE Transactions on, 58(4):1218–1228, April 2011.

[82] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms. In ACM Symposium on Operating Systems Principles, pages 1–15, Oct. 2005.

[83] E. Shi and A. Perrig. Bind: A fine-grained attestation service for secure distributed systems. In IEEE Symposium on Security and Privacy, pages 154–168, 2005.

[84] H. Simo Fhom, N. Kuntze, C. Rudolph, M. Cupelli, J. Liu, and A. Monti. A user-centric privacy manager for future energy systems. In Power System Technology (POWERCON), 2010 International Conference on, pages 1–7. IEEE, 2010.

[85] M. E. Sisselman and W. Whitt. Value-based routing and preference-based routing in customer contact centers. Production and Operations Management, 16(3):277–291, 2007.

[86] S. W. Smith. Outbound authentication for programmable secure coprocessors. International Journal of Information Security, 3(1):28–41, October 2004.

[87] B. Smyth and L. Chen. L.: Direct anonymous attestation (daa): Ensuring privacy with corrupt administrators. In ESAS07: 4th European Workshop on Security and Privacy in Ad hoc and Sensor Networks, LNCS, pages 218–231. Springer-Verlag, 2007.

[88] I. Sommerville. Software Engineering. Addison-Wesley, 8th edition, 2007.

[89] T. Stading, P. Maniatis, and M. Baker. Peer-to-peer caching schemes to address flash crowds. In Proceedings of the Workshop on Peer-to-Peer Systems (IPTPS), 2002.

[90] F. Stumpf, A. Fuchs, S. Katzenbeisser, and C. Eckert. Improving the scalability of platform attestation. In STC ’08: Proceedings of the 3rd ACM workshop on Scalable trusted computing, pages 1–10, New York, NY, USA, 2008. ACM.

[91] S. H. Weingart. Physical security devices for computer subsystems: A survey of attacks and defences. In CHES ’00: Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, pages 302–317, London, UK, 2000. Springer-Verlag.

[92] J. Xia and Y. Wang. Secure key distribution for the smart grid. Smart Grid, IEEE Transactions on, 3(3):1437–1443, 2012.

[93] H. Zhang and D. Ferrari. Rate-controlled static-priority queueing. In Proceedings of IEEE INFOCOM, 1993.

[94] J. Zhang, N. Borisov, and W. Yurcik. Outsourcing security analysis with anonymized logs. In Securecomm and Workshops, 2006, pages 1–9, September 2006.