Wireless AMI Application and Security for Controlled Home Area ...

More documents

Recommendations

Info

4example, consider the case of a home surveillance system. It isin the interests of the customer that the network functionsproperly as intended. The customer must correct anyunintended behavior of the network.The WHAN-SM scenario has the additional dynamic ofthere being two parties with interests in the network. If theWHAN-SM does not function properly, it could preventcontrolled appliances from operating at request. Similarly, amisbehaving network could take away the ability to manageload based on the utility requirements.Further, the distributed control that exists between the twoconcerned parties could allow a third party to threaten thesecurity of the network by impersonating one or the otherparty, or both. It should be noted that capturing shared secretsis easier when more than one party is involved.B. Security ObjectivesOut of the typical security concerns in a wireless network[23], the following five main objectives were identified toensure a secure WHAN-SM:Confidentiality: The goal of confidentiality is to ensure thatany sensitive data is not disclosed to parties other than thoseinvolved in the communication process. In the WHAN-SMscenario this could mean that apart from the customer andutility, no other party gets access to the appliance usagebehavior of the customer. Further, the customer would preferthe utility to have only an aggregate view of power consumed.Integrity: This requirement is to ensure that a receivedmessage is not altered from the way it was transmitted by thesender. In the WHAN-SM scenario, this is important to allowtimely and accurate control. If an attacker manages to changethe source of the request, it could happen that the AMI ends upcommunicating and controlling the wrong appliance.Authentication: Authentication is used by one node toidentify another node or verify the source of origin of data inthe network. Authentication is important for administrativetasks like association, beaconing, and identifier collision. Thisis critical in the WHAN-SM scenario to ensure that a customeris sure of the authenticity of an AMI with which its applianceis communicating, and for the AMI to ensure that it iscommunicating only with the assigned customer’s appliance.Availability: This property is to ensure that network servicesare available and will survive possible attacks or failures thatcould occur. In the WHAN-SM scenario, resource depletion istypically not a concern when it comes to a resource likeenergy which both the AMI and appliances are assumed tohave access to through power outlets. But computationcapabilities and memory constraints could be exploited bykeeping these resources fully loaded, affecting the ability ofthe network to function as desired. Equipment failures mayalso be more common, especially with the low cost ofWHAN-SM radios.Time Sensitivity: Any message delayed over a specifictolerable time frame may be of no use. A network must ensurerelevance of communication by enforcing latency constraints.In the WHAN-SM scenario, a customer request for applianceoperation must reach AMI in a timely manner; similarly,control commands from AMI to appliances must be timely toensure scheduling practices of the utility.Security objectives such as fairness, which are common tomore general wireless networks, are not applicable in WHAN-SM scenario, as all appliances that compete for access to themedium belong to the same customer. Further, the WHAN-SM network is expected to be used mainly as a controlnetwork and is not expected to be highly loaded in terms ofbandwidth, thus providing no incentives for selfish behaviorby nodes.C. Attacks and Misbehavior Scenarios for WHAN-SMFigure 3 shows possible attacks on a WHAN-SM. Theseattacks are classified as local or remote attacks. The scope ofthis work is limited to local attacks within the HAN where allappliances communicate to their AMIs using a one-hopnetwork from their power outlets. Remote attacks, whichtypically exploit weaknesses in the routing mechanisms andmulti-hop nature of networks, will not occur in the WHAN-SM scenario.Figure 3: List of attacks on Wireless HAN scenario.Various attack scenarios are considered with the followingassumptions:(i) The customer is provided with a password by the utilityfor authentication. A common authentication procedure,outlined in Section IV, is assumed for appliances to jointhe network and prevent unauthorized access.(ii) The available encryption level is strong. This is a standardassumption, and could be based on a stronger encryptionsuite present in technologies like ZigBee.As a result of these precautions and assumptions anyauthentication and snooping type of attacks from Figure 3 canbe ruled out. Local denial-of-services are typically based onde-authentication attacks that force appliances to repeatedlyre-authenticate instead of using the network for usefulpurposes. Instead of considering such denial-of-serviceattacks, this work focuses on the stronger attack of jamminglater in this section.Physical device tampering with the AMI, appliance, orpower outlet are not considered in this work. The AMI couldbe made tamper proof by periodic communication with the
5control center that allows adequate monitoring of itsoperations. The case of customer appliance and power outlettampering would be handled in the attack category of “deviceimpersonation,” discussed later in this section.The rest of this section describes the attacks which arerelevant to WHAN_SM in Figure 3 in more detail. Theseattacks are a representative set of attacks possible in theWHAN-SM scenario.1) Jamming Attacks: In these attacks, an adversary disruptscommunications in a wireless network by sendingdeliberate signals on the shared medium. In a wirelessnetwork, packet communication is successful only if areceiver is able to successfully decode the sender’spacket. If the medium is jammed by an adversary, thesender cannot begin communicating (if it senses themedium to be busy beforehand) or its transmitted packetwill be corrupted by the adversary’s signal when received.Jamming can be carried out by sending a continuous orintermittent busy tone on the channel used forcommunication. A simpler form of jamming is for anadversary to send a continuous stream of packets usingthe same wireless technology, but at a much higher datarate, possibly after tampering with the medium accesscontrol protocol to gain an unfair advantage [25]. Basedon the investigation carried out for a six node scenariousing the NS-2 simulator [26] it was found that a jammercould reduce each node’s packet delivery ratio from 80-90% to about 40% by just using a data rate 10 times thatof an average node with a data rate of 100 kbps on a 2Mbps channel.It is fairly simple for an adversary to use a signal analyzeror similar device based on common off the shelfcomponents to determine the channel used in a network.Such attacks are the most difficult to defend against andcould cripple a HAN based on a wireless architecture.2) Appliance Impersonation: Based on the customer-utilityagreement, the customer agrees to let the utility control agroup of their appliances. However, there could beinstances where the customer would want to renege onthis agreement and not relinquish control. This couldoccur, for example, when a customer tries to control theair conditioning for better comfort.Under the customer-utility agreement, the utility controlsappliances from only a certain subset of classes, typicallythose that consume a lot of power. The customer couldtherefore exploit this fact and have a high powerconsuming appliance impersonate an appliance fromanother non-controlled class. For the utility, an inability tocontrol the appliance could result in demand exceedingsupply, possibly resulting in a blackout in parts of thegrid.The details of the attack are shown in Figure 4 where acustomer masquerades their air-conditioner as atelevision. This attack is one example of vulnerabilitiesarising out of the two party dynamic where one partymight try to cheat the other.3) Replay Attack: A neighbor could capture an appliancerequest made at some other time by a customer and replayit another time when no actual request was made. Theneighbor does not gain any benefit, but it can hurt thecustomer, and could even be a safety hazard. Such fakerequests could overload the AMI and have repercussionson the whole grid due to overloading if not handledproperly.4) Non-repudiation: Non-repudiation is a concept wherebyno party can refute some aspect of their participation inthe communication process. Specific to the WHAN-SMscenario, the customer cannot later refute having receivedcertain control messages from the AMI to operate theirappliance. Alternately, an AMI cannot later deny how ittried to control a customer appliance.Figure 4: Example of an Appliance Impersonation AttackIV. SECURITY SOLUTIONSTo ensure a reliable WHAN-SM, security attacks must beprevented. This work focuses on developing solutions to thesesecurity attacks based on the operating conditions of theelectric power system at the residential level, and conventionalwireless local area network applications.Solutions developed by the authors to overcome each of theattacks identified in the previous section are presented in thissection. An authentication procedure that will form the basisof the solution to all attacks is presented first.A. Authentication ProcedureTo ensure strong authentication the following key distributionalgorithm is assumed:1. The AMI is installed by the utility at the customerpremises. The customer is given a password to bemanually supplied to the power outlet through which anyappliance is supplied. This password can be used togenerate a public-private key pair for encryptionpurposes.2. The power outlet for any appliance that connects to thenetwork for the first time is challenged by the AMI for thepassword. A correct response authenticates the applianceto the AMI and sets up the required bi-directional controlbetween the AMI and the power outlet. The
Page 2 and 3: 2unavailable when the home electric
Page 6 and 7: 6communication in this step can use
Page 8: 8solutions to these attacks were de

Wireless AMI Application and Security for Controlled Home Area ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?