Policy enforcement system for secure interoperable control in distributed Smart Grid systems
Introduction
We have witnessed enormous progress in the different Smart Grid domains in recent years (Fang et al., 2012, Wang et al., 2011, NIST, 2012). Control systems, (power generation, transmission and distribution) substations, service providers, markets and customers together make up a whole that enables the exchange of information and optimises power production according to the true demand. The information is forwarded through complex and dynamic communication infrastructures with the capacity to connect multiple and heterogeneous systems (Kyusakov et al., 2012, Gungor et al., 2011), ranging from small local networks to large communication systems with full access to control objects (e.g., smart meters, sensors, charging points, RTUs (Remote Terminal Units), gateways, etc.) that are generally installed in distant locations and close to the critical infrastructures. However, when the proposal consists of interconnecting technologies belonging to different owners, manufacturers or vendors, each with its own types of access and security policies, interoperability issues can arise (Kyusakov et al., 2012, NIST, 2012, Alcaraz and Lopez, 2012, Farhangi, 2010).
Any security breach, format conflict or operational delay caused by the heterogeneity of systems can trigger integrity and availability problems in the control, complicating the interpretation of the data itself or the execution of commands. This may even affect the safety of the entire power grid, and even its stability (Alcaraz and Lopez, 2012). For this reason, our aim is not only to interconnect several control infrastructures but also to protect their monitoring and supervision tasks. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently reported in NCCIC (2014) the vulnerabilities received for control systems in 2013 (181 incidents in total). According to this report, authentication flaws head the list, being the most common vulnerability in 2013 and accounting for 58% of the total. In light of this, security has to encompass a set of requirements, amongst them access control and security policy management, because (i) any unauthorised access to restricted devices may become a threat, and (ii) authorised access under differing security policies may hamper the supervision tasks.
One way of ensuring secure and interoperable communication between systems belonging to different organisations is through intermediary policy enforcement systems with support for dynamic handling of access and security policies. Through them it becomes possible to block unknown access and to filter operations in the field, resulting in a decision-making system with the capability to adapt the access to the type of context. For example, Kapsalis et al. (2006) presented a dynamic context-aware access control architecture for the provision of e-services where the system can authenticate and authorise access according to the context, and even learn from said context. This functional feature has also been tailored to the proposal described in this paper together with a Role-Based Access Control (RBAC)-based least privilege scheme defined by the IEC-62351 standard (IEC-62351-8, 2011, International Electrotechnical Commission). Specifically, the approach is based on a decision engine driven by a rule-based expert system capable of validating the access according to a set of factors: (i) the roles and permissions assigned to the subject; (ii) the type of context and the criticality of such a context; (iii) the type of action to be executed on an object (the destination node); and (iv) its accessibility degree.
IEC-62351-8 is part of the IEC-62351 series (IEC-62351 Parts 1–8) that establishes end-to-end security in power systems and the protection of the communication channels. Through IEC-62351-8, RBAC is recognised as a potentially efficient mechanism for wide use in power systems and distributed services: only authorised users and automated agents can gain access to restricted data objects (e.g., IEC-61850 objects) such as measurements, status variables or parameters. Moreover, through RBAC it is possible to reallocate system controls and their security as defined by the organisation policy, where the purpose is (i) to introduce authorisation aspects under the category of subject-roles-rights; (ii) to boost role-based access control in power system management; and (iii) to enable heterogeneity and interoperability between different elements of a system. In addition, Li et al. (2012) underline that the RBAC technique in Smart Grids can enhance the reliability of the connections and their survivability with a greater level of granularity. This analysis is also supported by Majdalawieh et al. (2007) through their generalised RBAC model for SCADA (Supervisory Control and Data Acquisition) systems. Similarly, Cheung et al. (2008) define an XML (eXtensible Markup Language)-based role model for establishing trust and role assignments to users belonging to different microgrid domains under the coordination of their respective central systems. This way of subdividing Smart Grid areas into regions is also considered by Rosic et al. (2013) to propose an RBAC-based access control mechanism dependent on the area of responsibility. Regarding policy enforcement and interoperability in Smart Grid environments, Kuntze et al. (2011) propose the use of smart energy gateways to establish trust relationships between parties (the energy grid, the control system and the customer side) using asymmetric key cryptography and cryptographic hash functions.
Similarly, Veichtlbauer et al. (2013) provide a middleware architecture based on RBAC and policy decision and enforcement points to collect data streams from multiple sources connected to the Advanced Metering Infrastructure (AMI) in a standardised format. Beyond this, however, more investigation is still necessary to expand functionalities and offer more automated solutions.
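The decision engine sketched above evaluates a request against four factors (subject roles and permissions, context criticality, the action requested on the destination node, and that node's accessibility degree). The following Python is an added illustration, not the paper's implementation: a minimal rule-based Policy Decision Point in which each factor is one rule, rules are evaluated in order with first match winning, and anything that falls through is denied. The role and right names are loosely modelled on the predefined roles of IEC 62351-8, but the concrete role-to-right mapping, the action-to-right table, the "no reconfiguration in a critical context" rule and the accessibility thresholds are all assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Criticality(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Role -> rights. Names are modelled loosely on IEC 62351-8's predefined roles;
# the exact mapping is an assumption of this example, not the standard's table.
ROLE_RIGHTS = {
    "VIEWER":   {"view"},
    "OPERATOR": {"view", "read", "control"},
    "ENGINEER": {"view", "read", "config", "settinggroup"},
    "SECADM":   {"view", "security"},
}

# Field operation -> right it needs (assumed table).
ACTION_RIGHT = {
    "read_measurement": "read",
    "write_setpoint": "control",
    "change_config": "config",
    "update_policy": "security",
}

# Rights that reconfigure the object. Denied while the context is critical so an
# emergency cannot be used as cover for pushing configuration changes (assumption).
RECONFIG_RIGHTS = {"config", "settinggroup", "security"}

# Minimum accessibility degree of the target (0.0 unreachable .. 1.0 fully
# reachable) per right: commands need a well-connected target, reads tolerate a
# weakly connected one (assumed thresholds).
MIN_ACCESSIBILITY = {"view": 0.0, "read": 0.2, "control": 0.6,
                     "config": 0.8, "settinggroup": 0.8, "security": 0.8}


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    action: str
    target: str
    criticality: Criticality
    accessibility: float


@dataclass(frozen=True)
class Decision:
    permit: bool
    rule: str   # rule that produced the decision, for the audit trail


def required_right(req):
    return ACTION_RIGHT.get(req.action)


def granted_rights(req):
    # Union of the rights of every role the subject holds; unknown roles grant nothing.
    return set().union(*(ROLE_RIGHTS.get(r, set()) for r in req.roles))


# Each rule returns True (permit), False (deny) or None (not applicable).
def rule_known_action(req):
    return None if required_right(req) else False


def rule_rbac(req):
    return None if required_right(req) in granted_rights(req) else False


def rule_critical_context(req):
    if req.criticality is Criticality.HIGH and required_right(req) in RECONFIG_RIGHTS:
        return False
    return None


def rule_accessibility(req):
    return None if req.accessibility >= MIN_ACCESSIBILITY[required_right(req)] else False


def rule_permit(req):
    return True


RULES = [
    ("unknown-action", rule_known_action),
    ("rbac", rule_rbac),
    ("critical-context", rule_critical_context),
    ("accessibility", rule_accessibility),
    ("permit", rule_permit),
]


def decide(req, rules=RULES):
    """First applicable rule wins; if no rule fires the default is deny."""
    for name, rule in rules:
        verdict = rule(req)
        if verdict is not None:
            return Decision(verdict, name)
    return Decision(False, "default-deny")


if __name__ == "__main__":
    req = Request("eng-1", frozenset({"ENGINEER"}), "change_config", "rtu-7",
                  Criticality.HIGH, 0.9)
    print(decide(req))   # denied by the critical-context rule
```

The returned `Decision.rule` tells an auditor which factor blocked a request, which matters in practice: a denial caused by a poorly reachable target is an availability signal to the operations team, whereas a denial caused by the RBAC rule is a potential misuse signal for the security team.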
In order to illustrate monitoring scenarios, our research centres on studies based on graph theory. The deployment of networks relies on graph-theoretical interpretations in which control is based on the structural controllability theory introduced by Lin (1974) and on the concept of power domination defined by Haynes et al. (2002). For the interconnection of these graphs, a decentralised architecture based on the concept of the supernode is also adapted to identify the Policy Decision Points (PDPs) within the control structure and to provide an attractive way to distribute and filter operational activities. Once the networks are modelled, our main contributions concentrate on addressing interoperability through an expert system capable of understanding the IEC-62351-8 standard and the criticality degree of a context. The analysis carried out in this paper therefore follows an incremental structure based on three fundamental parts: (i) the logical modelling of virtual control networks (through graph theory, structural controllability and power domination); (ii) the theoretical construction of a decentralised network architecture (through supernode theory); and (iii) automated interoperability of networks through Policy Enforcement Points (PEPs) and an expert system.
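Power domination is the notion that decides how many monitoring points a control network needs before every node is observed. As an added example that is not part of the paper, the Python below implements the two observation rules of Haynes et al.'s definition on a small constructed topology (the graph, the vertex names and the gateway role are assumptions made for illustration): a dominating vertex observes itself and its neighbours, and an observed vertex with exactly one unobserved neighbour forces that neighbour to become observed. It also reports the blind spots left when only the gateway monitors, and finds a minimum power dominating set by exhaustive search, which is acceptable only for toy graphs since the general problem is NP-hard.

```python
from itertools import combinations

# Constructed sample topology (an assumption of this example, not a network
# from the paper): gateway 'G' and eight field devices a..h.
SAMPLE_EDGES = [
    ("G", "a"), ("G", "b"), ("a", "c"), ("a", "d"),
    ("b", "e"), ("d", "f"), ("e", "f"), ("f", "g"), ("g", "h"),
]


def build_adjacency(edges):
    """Undirected adjacency map {vertex: set(neighbours)} from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def observed_set(adj, dominating):
    """Vertices observed from the candidate set `dominating`.

    Domination rule: a dominating vertex observes itself and all its neighbours.
    Propagation rule: once an observed vertex has exactly one unobserved
    neighbour, that neighbour becomes observed too. Repeats to a fixed point.
    """
    observed = set()
    for v in dominating:
        observed.add(v)
        observed |= adj.get(v, set())
    changed = True
    while changed:
        changed = False
        for v in list(observed):
            unobserved = adj.get(v, set()) - observed
            if len(unobserved) == 1:
                observed |= unobserved
                changed = True
    return observed


def is_power_dominating(adj, dominating):
    """True when every vertex of the graph is observed from `dominating`."""
    return observed_set(adj, dominating) == set(adj)


def blind_spots(adj, dominating):
    """Vertices whose state could change unnoticed if only `dominating` monitored."""
    return set(adj) - observed_set(adj, dominating)


def minimum_power_dominating_set(adj):
    """Smallest power dominating set by exhaustive search over vertex subsets.
    Exponential in the graph size; real deployments use heuristics instead."""
    vertices = sorted(adj)
    for k in range(1, len(vertices) + 1):
        for candidate in combinations(vertices, k):
            if is_power_dominating(adj, candidate):
                return set(candidate)
    return set(vertices)


if __name__ == "__main__":
    adj = build_adjacency(SAMPLE_EDGES)
    print("observed from the gateway alone:", sorted(observed_set(adj, {"G"})))
    print("blind spots with the gateway alone:", sorted(blind_spots(adj, {"G"})))
    print("minimum power dominating set:", minimum_power_dominating_set(adj))
```

On the sample graph the gateway by itself leaves four devices unobserved, while a single well-placed monitor suffices; that gap between "the gateway sees the network" and "the network is power dominated" is exactly what the observation rules make visible.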
The remainder of this paper is structured in five sections. Section 2 describes the network architecture and the conditions for control, whereas the policy enforcement architecture is presented in Section 3 together with its building blocks related to authentication, authorisation, security policy management and context. This architecture is later analysed using a case study in Section 4 to validate and discuss practical authorisation behaviours. Finally, our conclusions together with future work are presented in Section 5.
General architecture for complex, dynamic and heterogeneous networks
So as to model control networks from a conceptual standpoint but approximated to real applications, the network architecture proposed here is based on the concept of the supernode (Samuel et al., 2011). A supernode system is a decentralised architecture composed of fixed nodes with the computational capacities for acting as proxies and offering peer-to-peer connection via the Internet. Through these proxies it is possible to connect different types of networks, the connection of which is also
Policy enforcement for structural controllability protection
With the network architecture proposed in Section 2 in mind, this section establishes the means by which control objects can be protected from external access. A control object is a necessary element for supervision and data acquisition, and it represents either a (e.g., gateways, base stations, servers, RTUs, etc.) or an element (e.g., sensors, actuators, smart meters, etc.) under the ‘observation’ of, at least, one ; i.e., an RTU a sensor. These elements have to be protected
Case study: power dominance in heterogeneous control domains
The network architecture proposed in Section 2 and the policy enforcement approach presented in Section 3 have been implemented in Matlab and Java, respectively. The first part contains the implementation of Algorithm 2.1 with the two power-law distributions (PLOD with α=0.1, 0.2 and BA with α=3). This part also achieves the power domination by performing OR1 and OR2. The result is a compendium of sub-graphs holding an implicit hierarchy with respect to their gateways, and a sub-set of
Conclusions and future work
Connectivity of heterogeneous networks belonging to Smart Grid environments with connections coming from anywhere, at any time and in anyway, involves the provision of specialised policy enforcement mechanisms that transparently help protect the monitoring elements from unauthenticated and/or unauthorised entities. For this reason, a policy enforcement system based on the context and driven by the least privilege defined by IEC-62351-8 through RBAC has been proposed in this paper, where the
Acknowledgements
The research led by C. Alcaraz has received funding from the Marie-Curie COFUND programme U-Mobility (GA No. 246550), co-financed by the University of Málaga, the EC FP7 under GA no. 246550 and the Spanish Ministerio de Economía y Competitividad (COFUND2013-40259). This work has also been partially supported by the research projects PISCIS (P10-TIC-06334) and PERSIST (TIN2013-41739-R).
References
- et al. Analysis of requirements for critical control systems. Int J Crit Infrastruct Prot (2012)
- et al. Critical infrastructure protection: requirements and challenges for the 21st century (2015)
- et al. A dynamic context-aware access control architecture for e-services. Comput Secur (2006)
- et al. Parameterised power domination complexity. Inf Process Lett (2006)
- et al. Securing smart grid: cyber attacks, countermeasures, and challenges. IEEE Commun Mag (2012)
- et al. The power grid as a complex network: a survey. Phys A: Stat Mech Appl (2013)
- et al. A survey on the communication architectures in smart grid. Comput Netw (2011)
- et al. Connected dominating sets in wireless ad hoc and sensor networks: a comprehensive survey. Comput Commun (2013)
- et al. Statistical mechanics of complex networks. Rev Mod Phys (2002)
- Alcaraz C, Wolthusen S. Recovery of structural controllability for control systems. In: The eighth IFIP WG 11.10...
- Critical control system protection in the 21st century: threats and solutions. IEEE Comput
- Survey of clustering schemes in mobile ad hoc networks. Commun Netw
- Towards a theory of domination in graphs. Networks
- Parameterised complexity. Monographs in Computer Science
- Smart grid: the new and improved power grid: a survey. IEEE Commun Surv Tutor
- The path of the smart grid. IEEE Power Energy Mag
- Approximation algorithms for connected dominating sets. Algorithmica
- Smart grid technologies: communication technologies and standards. IEEE Trans Ind Inf
- Domination in graphs applied to electric power networks. SIAM J Discret Math