Application-Aware Secure Multicast for Power Grid Communications Jianqing Zhang* and Carl A. Gunter University of Illinois at Urbana-Champaign * Now working.

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

Engineering, Architecture, Construction, Environmental and Consulting Solutions © 2011 Burns & McDonnell Missouri Public Service Commission.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Applying the SOA RA Utah Public Safety ESB Project Utah Department of Technology Services April 10, 2008 Prepared by Robert Woolley.

Understanding the IEC Standard 李嘉凱指導教授：柯開維.

Research Seminar on Telecommunications Business IPSEC BUSINESS Henri Ossi.

IEC Substation Configuration Language and Its Impact on the Engineering of Distribution Substation Systems Notes Dr. Alexander Apostolov.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Mobile Agents: A Key for Effective Pervasive Computing Roberto Speicys Cardoso & Fabio Kon University of São Paulo - Brazil.

Ch 12 Distributed Systems Architectures

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Internet Protocol Security (IPSec)

«Computer-Aided Design System for Digital Substation based on open standards IEC 61850, 61131, 61499» T. Gorelik, O. Kiriyenko LLC EPSA RUSSIA.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Greenbench: A Benchmark for Observing Power Grid Vulnerability Under Data-Centric Threats Mingkui Wei, Wenye Wang Department of Electrical and Computer.

INTEROPERABILITY Tests IOP11/ IEC Interoperability with IEC IEC INTEROPERABILITY BETWEEN ABB, ALSTOM and SIEMENS STATUS REVIEW.

Communication Networks and Systems In Substations

Substation Automation

Towards a Distributed, Service-Oriented Control Infrastructure for Smart Grid ASU - Cyber Physical Systems Lab Professor G. Fainekos Presenter: Ramtin.

Join Us Now at: Enabling Interoperability for the Utility Enterprise And TESTING.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Chapter 6 High-Speed LANs Chapter 6 High-Speed LANs.

Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Chapter 1:Introduction Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus

Cryptography and Network Security

Eng. Wafaa Kanakri Second Semester 1435 CRYPTOGRAPHY & NETWORK SECURITY Chapter 1:Introduction Eng. Wafaa Kanakri UMM AL-QURA UNIVERSITY

Event Stream Processing for Intrusion Detection in ZigBee Home Area Networks Sandra Pogarcic, Samujjwal Bhandari, Kedar Hippalgaonkar, and Susan Urban.

Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois.

College of Engineering and Architecture Using Information to Increase Power Reliability and Reduce Vulnerability Anjan Bose Washington State University.

AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY INFO 232: DATABASE SYSTEMS CHAPTER 1 DATABASE SYSTEMS (Cont’d) Instructor Ms. Arwa Binsaleh.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Security for the Optimized Link- State Routing Protocol for Wireless Ad Hoc Networks Stephen Asherson Computer Science MSc Student DNA Lab 1.

#ConnWeekSanta Clara, CA May 22-24, OpenADR 2.0 Signaling over Tropos Network  Architecture, Communications and Security May Jim Compton.

A Transport Framework for Distributed Brokering Systems Shrideep Pallickara, Geoffrey Fox, John Yin, Gurhan Gunduz, Hongbin Liu, Ahmet Uyar, Mustafa Varank.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

DR Software: Essential Foundational Elements and Platform Components UCLA Smart Grid Energy Research Center (SMERC) Industry Partners Program (IPP) Meeting.

1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.

The Grid System Design Liu Xiangrui Beijing Institute of Technology.

GridStat on GENI: Simulating a Smart Power Grid Infrastructure over GENI Divya Giri, Ruma Paul, Haiqin Liu, Victor Valgenti, Carl Hauser and Min Sik Kim.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

1 Integrating security in a quality aware multimedia delivery platform Paul Koster 21 november 2001.

Enhanced Storage Architecture

1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.

Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.

Enabling the Future Service-Oriented Internet (EFSOI 2008) Supporting end-to-end resource virtualization for Web 2.0 applications using Service Oriented.

Chapter 3 - VLANs. VLANs Logical grouping of devices or users Configuration done at switch via software Not standardized – proprietary software from vendor.

Introduction to Grids By: Fetahi Z. Wuhib [CSD2004-Team19]

HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.

Towards a Software Architecture for DRM Joint work with Kristof Verslype, Wouter Joosen, and Bart De Decker DistriNet research.

COSC573 Instructor: Professor Anvari Student:Shen Zhong ID#: Summer semester,1999 Washington.D.C.

Computer Science and Engineering 1 Mobile Computing and Security.

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

Goals The DNP3 protocol is widely used in electrical power systems as a means of communicating observed sensor state information back to a control center.

Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.

Euro-Par, HASTE: An Adaptive Middleware for Supporting Time-Critical Event Handling in Distributed Environments ICAC 2008 Conference June 2 nd,

By Marwan Al-Namari & Hafezah Ben Othman Author: William Stallings College of Computer Science at Al-Qunfudah Umm Al-Qura University, KSA, Makkah 1.

Fault Tolerant Routing in Mobile Ad hoc Networks Yuan Xue and Klara Nahrstedt Computer Science Department University of Illinois.

1. Introduction and Background Network Performance and Quality of Service.

Securing Access to Data Using IPsec Josh Jones Cosc352.

Dynamo: A Runtime Codesign Environment

NOX: Towards an Operating System for Networks

Model-Driven Analysis Frameworks for Embedded Systems

Majid Alshammari and Khaled Elleithy

PLANNING A SECURE BASELINE INSTALLATION

Presentation transcript:

Application-Aware Secure Multicast for Power Grid Communications Jianqing Zhang* and Carl A. Gunter University of Illinois at Urbana-Champaign * Now working at Energy Systems Research Lab, Intel Labs

Motivation Introduction Formal Model for Multicast – Data Model and Publish-Subscribe Model – Multicast Configuration Anomaly Implementation: SecureSCL Performance Analysis of IPsec Based Multicast Conclusion Outline 2

Multicast in Power Grid Systems Substation Networks PMU: Phasor Measurement Unit PMUs DNP3 3

IEC Substation Network * Based on Baigent, D. et. al. IEC Communication Networks and Systems in Substations: An Overview for Users Generic Object Oriented Substation Event (GOOSE) Sampled Measured Value (SMV) Data objects model Communication protocols suite Link layer multicast Substation Configuration Language (SCL) IEC: International Electrotechnical Commission HMI: Human Machine Interface PMU: Phasor Measurement Unit Abstract Communication Service Interface (ACSI) Substation Bus Process Bus Ethernet * 4

Cyber Security Threats to Substation Networks Integrity – Tampered power grid status data – Faked control commands Confidentiality – Valuable raw data Availability – Data packets flood Cryptographically Secured Protocols? 5

Challenges: Manageable Configuration Complex and error-prone configuration for current systems – Intricate system designs – Changing specifications during design phases – Large and hardly auditable configuration files TVA Bradley Substation: 7.4Mbytes and 98K lines XML files – Proprietary configuration tools from multiple vendors – Complexity of current off-the-shelf security protocols and tools Security vulnerabilities due to incorrect system configuration 6

Timing requirements for real-time operations* – PMU: 30 times per second – Substation: event notification for protection e.g. GOOSE, 2-10ms Challenges: Latency Requirements * IEEE Std. 1646: Communication Delivery Time Performance Requirements for Electric Power Substation Automation VT: Volt Transformer CT: Current Transformer 7

Integration with power grid systems – How to partition multicast groups in a particular domain, like a power substation? – What’s the role of each control device in a group? – How to distribute group keys? Standardized security protocols – How to integrate group key management with secure multicast protocols? Challenges: Efficient Group Key Management & Configuration 8

Derive group membership by application data dependency in system functional configurations – Observation: data dependency determines publish- subscribe relationships and group memberships Approach: Application-Aware Secure Multicast 9

… … … … … 01-0C-CD … Data Dependency in Substation Configuration Language (SCL) Trip command 10

Derive group membership by application data dependency in system functional configuration Detect inconsistent configurations automatically Configure group key management system based on the derived group memberships and extended configuration files Raise the link layer multicast to the network layer and secure multicast traffic using IPsec Approach: Application-Aware Secure Multicast 11

D, the set of data objects E, the entities which have relationships with data objects – O, the set of data owners – C, the set of data consumer – P, the set of publishers – S, the set of subscribers G, the set of group controllers A Formal Multicast Model: Components 12

A Formal Multicast Model: Publish-Subscribe Model 13

Publish-Subscribe Model in SCL: Ownership & Publication 14

... Publish-Subscribe Model in SCL: Consumption & Subscription 15

Multicast Configuration Anomaly: Publication Anomaly 16

Multicast Configuration Anomaly: Subscription Anomaly 17

Architecture of SecureSCL 18

Preserves a variety of security properties, proved by a degree of formal analysis Supports wide area multicast, important to inter- substation communications and PMU networks Obtains strong support from security communities Capable of addressing latency constraints in medium scale networks Benefits of IPsec Based Multicast in Power Grid Networks 19

Test Bed Setup – Hardware Deterlab: 8, 16, 32, 64-node scenarios Xeon Quad 3.00GHz PCs – Software Platform: Ubuntu 8.04 Process Control Emulation System* – Measure round trip latency Performance Analysis of IPsec Based Multicast * Credits to Chris Grier and Sam King 20

Performance of IPsec Multicast 21

Application-aware secure multicast is an efficient solution for multicast in power grid systems – Automate group configuration and minimize errors – Integrate security configurations with functional configurations IPsec is a promising solution for secure multicast in power grid systems Future work – WAN or Inter-substation network multicast communication and configuration – Dynamic group management Conclusion 22

Questions? Dr. Jianqing Zhang Intel Labs, RNB Mission College Blvd. Santa Clara, CA Tel: (408) Professor Carl A. Gunter 4304 Siebel Center for Computer Science 201 N. Goodwin Ave. Urbana, IL Tel: (217)

1.Propose a formal multicast data model and a publish- subscribe model depicting the publish-subscribe relationships 2.Classify a number of configuration anomalies in multicast systems 3.Design algorithms detecting the anomalies 4.Design a multicast and group key management architecture 5.Develop a prototype system, SecureSCL 6.Provide a case study of secure GOOSE in IEC substations 7.Evaluate the performance of IPsec based multicast Contributions 24

IEC 62351: sign each GOOSE frame using RSA Gjermundrod, H. et al. GridStat: A Flexible QoS-Managed Data Dissemination Framework for the Power Grid, IEEE Transactions on Power Delivery, Jan Ehab S. et al. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004 Related Work Header Authentication Value GOOSE PDU Length CRC 25

System Working Phases 26

Group Domain of Interpretation (GDOI, RFC 3547): IKEv1 based group key management protocol for IPsec multicast GDOI Based Group Key Management Architecture 1.IKEv1 Phase1: Reg. SA 2.Phase 2 GROUPKEY-PULL: (first) Rekey SA and Data SA 3.GROUPKEY-PUSH: subsequent Rekey SAs and Data SAs 27