cyber-physical device authentication for smart grid ev ecosystem
DESCRIPTION
Entity authentication and related key management is an active research topic in bothcomputer and smart grid security alike. But existing works seem to have overlooked thesignificance that the smart grid is a cyber-physical system, which entails more considerationsin the integration of its cyber and physical domains. Ignoring this could possiblyundermine the security of the smart grid since the effects of cyber authorizationare usually extended into the physical domains. The substitution attack, a kind of themain-in-the-middle attack, has been demonstrated using this gap. This paper proposesa two-factor cyber-physical device authentication protocol to defend against coordinatedcyber-physical attacks to the smart grid. The idea is to combine a novel contextual factorbased on physical connectivity in the power grid with the conventional authenticationfactor in the challenge-response protocol, widely and commonly used in cybersecurity.The resulting protocol provides assurance on not only the digital identity of a device, butalso the controllability of the device in the physical domain. While the design is in thecontext of electric vehicle ecosystem, the framework could be readily extended to othersmart grid subsystems.TRANSCRIPT
Cyber-Physical Device Authentication for
Smart Grid Electric Vehicle Ecosystem
Aldar C-F. Chan and Jianying Zhou
October 23, 2013
Abstract
Entity authentication and related key management is an active research topic in both
computer and smart grid security alike. But existing works seem to have overlooked the
significance that the smart grid is a cyber-physical system,which entails more consid-
erations in the integration of its cyber and physical domains. Ignoring this could pos-
sibly undermine the security of the smart grid since the effects of cyber authorization
are usually extended into the physical domains. The substitution attack, a kind of the
main-in-the-middle attack, has been demonstrated using this gap. This paper proposes
a two-factor cyber-physical device authentication protocol to defend against coordinated
cyber-physical attacks to the smart grid. The idea is to combine a novel contextual fac-
tor based on physical connectivity in the power grid with theconventional authentication
factor in the challenge-response protocol, widely and commonly used in cybersecurity.
The resulting protocol provides assurance on not only the digital identity of a device, but
also the controllability of the device in the physical domain. While the design is in the
context of electric vehicle ecosystem, the framework couldbe readily extended to other
smart grid subsystems.
Keywords: multi-factor authentication, coordinated cyber-physical attacks, challenge-
response protocol, IEC 61851.
1
1 Introduction
Secure smart grid communication requires mutual authentication of the communicating en-
tities. Entity authentication refers to the security primitive which corroborates the identity
of an entity, be it a person or a device, as it accesses certainresources entailing autho-
rization. It should be distinguished from message authentication [8] which protects the in-
tegrity of a message and corroborates its origin. Entity authentication has been widely stud-
ied in computer security as in authenticated key exchange and/or multi-factor authentication
[2, 3, 6, 14, 15, 23–25, 30]. The handshake in the widely used Transport Layer Security (TLS)
protocol [13] is an example of entity authentication. Entity authentication in the smart grid
is also a significant research problem actively considered in the literature [5,9–11,16,22,30].
A research report published by Gartner [29] also states thatan electric vehicle as a roaming
appliance has to be identified and located whenever it is connected to the power grid. How-
ever, there are salient features in smart grid communication, making entity authentication still
challenging. Some subtle issues have not been adequately addressed by the existing works.
First, one key feature of the smart gird is that it will ultimately facilitate fully automated
management of energy devices and systems without human intervention. Device authentica-
tion would be the primary form of authentication in the smartgrid. In other words, machine-to-
machine (M2M) communication will be the most common mode of smart grid communication
in the future. This poses a particular challenge for entity authentication in the smart grid con-
text because most of the existing approaches [2, 3, 6, 14, 15,24] are not designed to support
unattended operation. To provide a strong assurance of digital identities in an unattended,
fully automated environment demands a strong protection ofthe private key in most of the ex-
isting entity authentication protocols. That is, some formof a trusted computing base (TCB)
or secure element is inevitable, which is now a widely presumed assumption in entity authen-
tication and key management for the smart grid [5, 9–11, 16, 22, 30]. Paverd and Martin [22]
proposes a hardware security architecture to provide such atrusted computing platform for
2
device authentication in the smart grid. This paper gives analternative instantiation.
Second, all the existing protocols [5, 9–11, 16, 22, 30] provide security assurance up to
within the cyber domain only, overlooking the significance that the smart grid is a cyber-
physical system in nature. This indeed undermines smart grid security and has serious implica-
tions to typical smart grid applications such as demand response and vehicle-to-grid (V2G) [7].
The study of coordinated cyber-physical attacks is also regarded as an area of high priority in
the widely cited NIST Framework and Roadmap for Smart Grid Interoperability Standards,
Release 2.0 [18].
The core concept of the smart grid is that, through the use of advanced digital communica-
tion for instrumentation and control, different subsystems of the power grid can be coordinated
for optimized and automated operation to increase the reliability of power supply and mini-
mize waste due to spinning reserve, while supporting the integration of new appliances such
as electric vehicles and renewable energy sources. There are two paths between devices in
the smart grid — a two-way (cyber) communication channel anda (physical) power network
supporting two-way power flow [18]. When a device is authenticated in the cyber domain, the
resulting authorization actually extends beyond the cyberdomain into the physical domain.
In fact, most of the cyber commands are effected as certain operations in the power network,
like closing a circuit breaker, or turning on/off of a relay.That is, a device successfully au-
thenticated in the cyber domain is actually granted access and authorization to act freely in
the physical domain. Consequently, the power grid reliability may be at risk if entity authen-
tication provides little assurance that a cyber-authenticated device will be responsive to cyber
commands and act accordingly to effect changes in the physical power network.
Chan and Zhou [7] actually shows, using the electric vehicle(EV) ecosystem as an exam-
ple, that an EV passing the typical challenge-response authentication using a TCB (which is
deemed as secure in any cybersecurity standards) may not be the device which is physically
connected to the power grid. Rather, it could be a malicious load connecting to the power grid,
3
thus risking the reliability of the power grid. For instance, the malicious load could be irre-
sponsive to the demand-response commands requesting the EVto curtail its power consump-
tion when there is a shortfall of power supply.1 Such an attack also has serious repercussions
in other smart grid applications: undermining V2G when battery profiling is used [27], and
eroding utility’s revenue in flat-rate charging subscription plan.
This paper proposes a new two-factor cyber-physical authentication protocol for the smart
grid EV ecosystem using a novel contextual factor, namely, physical connectivity of the charg-
ing cable. It is basically a challenge-response protocol with two challenges — one sent over
the standard cyber path (cyber challenge) and the other sentover the charging cable of the
electric vehicle (physical challenge).This is the first design of cyber-physical authentication
for the smart grid in the literature.A proof-of-concept design is given with experiment.
The contribution is two-fold. First, a novel cyber-physical device authentication protocol
for electric vehicles is presented. The protocol has a number of desirable properties: unlike
IEC 15118 [27], it does not require any modifications on the EV, thus readily deployable;
besides, the protocol provides a strong binding between thecyber and physical parts of an EV,
assuring that the EV passing the authentication knows the needed secret key (in the tamper
resistant device or TCB) and is physically connected to the specified point of the power grid
(as given in the digital data); in addition, it also providesa means to verify the controllability of
the EV in the physical domain. It should be emphasized that, while the protocol is specifically
designed for the EV ecosystem, the idea of two-factor cyber-physical authentication could be
widely applicable in the smart grid to secure switchgears, trippers, etc.. The key is to find
a relevant contextual factor. This paper gives a basic framework for designing new protocols
with new smart grid contextual factors. Second, a hardware mechanism for binding an onboard
1Circuit breakers are ineffective in this case. The allowable current range is 6-80A in typical charging ac-
cording to IEC61851, meaning the circuit breaker will only breaker at 80A or above. There is a potential gap of
74A between the supply and demand side in the worst case for demand response, whereas, a typical household
would usually draw no more than 30A.
4
unit (OBU) and an EV is proposed. The basic idea is that once the device is deployed —
plugged in to the Control Area Network (CAN) bus of an EV, it isin a particular state such
that unplugging it would disable its CAN bus interface. The design could find application in
other scenarios such as vehicular telemetry and location-based electronic road pricing.
The paper is organized as follows. The coordinated cyber-physical attack called the sub-
stitution attack [7] is explained in the next section. The proposed cyber-physical device au-
thentication protocol is given in Section 3. Section 4 present the prototype implementation
with details of tailoring and optimizations adopted. Section 5 and 6 discuss the security of
the proposed protocol and the experimental results. Related work is discussed in Section 7,
followed by a conclusion in Section 8.
2 Substitution Attack
The substitution attack [7] can be viewed as a special type ofthe Man-in-the-Middle (MitM)
attack. The following discussion assumes that each EV is installed with an onboard unit
called the Intelligent Electronics Device (IED). The IED, with tamper resistant storage of a
secret key, serves as a token to assure the identity of the EV.Only the grid operator would
have access to this secret key. Even the EV owner himself would not have access to it.
Though with unique advantage of ready deployment, the IED model is just one of the
instantiations of providing digital identity assurance for EVs. In IEC15118 [27], the secret
key is pre-installed in the EV itself, say, in one of its Electronics Control Units (ECUs). It is
assumed that the IED is bound to the EV at installation, say, through the CAN bus security
mechanism presented in Section 4.2. The crux is that the IED is inseparable from the EV once
installed. It is also assumed that a conventional challenge-response protocol [1] based on the
stored secret in the IED is used for authentication.
In the desirable situation, when the IED passes the authentication, it means that the EV has
a valid registration and is eligible for charging if the useridentity and billing account also pass
5
IED’IED
Challenge
Response
IED’
STOLEN
IED
Smart CardAccess Control
Figure 1: Substitution Attack against EV Device Authentication
verification. Imagine that an EV has been stolen. With its registration and certificate revoked
(as possibly initiated by its original owner), it should notbe able to gain access to the power
grid for charging, even though the car-thief uses his own user account to pay the charging
cost. To charge a stolen car, the car-thief has to replace itsIED — equivalent to changing its
identity. This is the main security objective of device authentication.
However, consider the substitution attack as depicted in Figure 1. When the authentication
is conducted through a wireless channel, which is widely accepted as the default means of
communication for the EV ecosystem. Now the car-thief can use the IED of another EV with
a valid certificate and registration to run the challenge-response authentication protocol over
the wireless link, while plugging in the stolen EV to the charging station. Since the keys and
certificates of IED’ in the second EV are still valid, they will pass the device authentication
test. If the car-thief’s billing account also has sufficientfund, then a charging session would
start to charge the stolen EV, rather than the second EV. Charging of a stolen EV would go
undetected in this way, which might have serious repercussions, such as irresponsive loads in
demand response. It should be emphasized that, depending onthe wireless channel in use,
cooperation from the second EV is not necessary. That is, thesecond EV could be innocently
and unconsciously helping the stolen EV to pass the authentication.
Linking or binding a user’s identity with his EV’s identity may not work either since the
second EV could be owned by the car-thief who has a valid user identity linked to the EV’s
identity. Instead, it causes inconvenience to EV owners. For the same reason, the require-
6
ment to tap a smart card at the charging station for verification would not work either. This
substitution attack applies to all existing charging stations using wireless authentication pro-
tocols. Indeed this problem is not entirely new. For instance, a remote computer, storing valid
credentials, could log into a legitimate user’s bank account, but the user behind the computer
may not be the account owner. Including physical features isthe key to thwarting this kind of
attacks.
While the stolen car scenario is used as an example for illustration, the impact of such
an access control breach could potentially be far more serious regarding the power grid reli-
ability. For instance, malicious actions can be carried outin the physical domain in demand
response [7] or V2G. A mis-representation of situation or connectivity in the physical domain
by the cyber domain information could lead to power supply shortfall in these core smart
grid applications. Was such breach occurring, the controllability of the electric vehicle (or
more precisely the malicious load) remains a big security concern to the utility. In fact, the
new release of the NIST 1108 report [18] places study on coordinated cyber-physical attacks
as one of the key themes for revising the widely-cite NISTIR 7628 cybersecurity guidelines,
bespeaking the significance of addressing cyber-physical attacks like the substitution attack.
3 Cyber-Physical Device Authentication
3.1 Communication Settings
Depicted in Figure 2 is the communication setting for the cyber-physical device authentication
protocol. The IED onboard of the EV and the charging station have direct communication with
the utility’s backend server. The communication link between the IED and the charging station
is merely a logical link.The server could be seen as the verifier for the EV identity andissue
commands to the charging station to grant access to the EV.That is, a direct communication
channel between the IED and the charging station is not necessary. The IED onboard of the
7
IED on EV
Onboard
charger
Cyber
connection
Challenge sent over
the charging cable
Cyber
connection
Servers at utility
company
Figure 2: The Communication Setting for Cyber-Physical Device Authentication
EV is connected to the CAN bus of the EV, through the OBD-II diagnosis port commonly
adopted in nearly all automobiles. The charging cable is assumed to follow the SAE J1772
standard, which is adopted in all EV models for level 2 charging. That is, the charging cable
has a control pilot pin using IEC 61851 signaling. This assumption is fairly reasonable and
the resulting protocol covers almost all EV models.
3.2 Security Assumptions
The main security assumption of the proposed protocol is theIED’s tamper resistance which
is a common assumption in the smart grid literature. As argued by [22], this assumption is
inevitable to support the fully automated M2M smart grid communication. As a corollary to
such an assumption, we can assume that it is hard for an attacker to modify the IED’s firmware
without being detected. Remote code attestation may also beregularly used to check the code
integrity of the IED.
3.3 Protocol Design of Cyber-Physical Device Authentication
The cyber-physical authentication protocol aims to corroborate the following: 1) the IED on-
board of the EV stores the secret key corresponding to the digital identity of a valid EV; 2) the
EV is physically connected to the claimed charging station.The proposed protocol is a typ-
8
ical challenge-response protocol [1], except that part of the challenge could only be received
through a particularly designated physical medium, which is the charging cable. Details of
how the second challenge is embedded in the signaling of the charging cable are given in
Section 4.1.
A conventional challenge-response protocol involves two parties — a prover and a verifier.
The purpose of the protocol is for the verifier to check whether the prover knows a particular
secret, which is usually a cryptographic key. The verifier sends the prover a random bit string
as a challenge, and in response, the prover could sign on the challenge using its private key.
Then the verifier could verify the signature to see whether the prover really knows the private
key in question. In the case with a symmetric key shared between the prover and verifier, the
prover could decrypt the challenge or generate a MAC (Message Authentication Code) [12]
for the challenge, in place of the signature. In this paper, the most generalized form of response
computation, namely, a pseudorandom functionPRFK(·) — with secret keyK — is used in
the discussion. It should be noted that thePRF could be instantiated by any of the preceding
primitives (digital signatures, MAC, decryption). HMAC [12] is used to instantiate the PRF
in the prototype implementation (Section 4) and experiment(Section 6) in this paper.
In the cyber-physical authentication, there are two parts of a challenge, namely, a cyber
challengeCcyber and a physical challengeCphysical. Ccyber is received over the wireless chan-
nel, whereas,Cphysical is received over the charging cable. Both challenges are originated from
the server. The response is then computed as:
r = PRFK(Ccyber||Cphysical),
whereK could be the secret key stored inside the IED or a session key derived from it, de-
pending on the actual implementation which is out of the scope of this paper.
The server (knowingK) could verify whether the response is a correct one. This protocol
is a two-factor authenticationscheme: while the secret keyK shared between the server and
the IED is one factor (the ’what-you-know’ factor), the physical challengeCphysical is another.
9
Cphysical is a novel factor which combines its numerical value and the dedicated channel for
its delivery (the charging cable and its signaling). It is obvious that the underlying security
guarantees of these two factors are based on very different means. While the first factor is
a conventional one, the second one iscontextual, similar the notion of [2]. In addition, the
contextual factor provides an assurance that the EV is actually physically connected to the
charging station, and the digital information it provides to the server truly reflects the situation
of the physical domain.
Figure 3 shows the execution of the protocol. The charging station and the IED onboard of
the EV are denoted byCS andIED(EV ) respectively. Step 1 is a typical TLS handshake to
establish a session keyK which is used to secure the channel betweenServer andIED(EV )
. A similar TLS handshake is executed to establish a secure channel betweenServer andCS
with another session keyK ′. It should be noted that, from Step 2 onwards, all communication
betweenServer andCS is secured against eavesdropping and message modification.The
same also applies to communication betweenServer andIED(EV ). Step 2 shows that the
EV sends a request to initiate a new charging session to access the power grid. The execution
of the cyber-physical device authentication protocol starts at Step 3, with details as follows:
3. When a new charging session is requested,Server randomly picks a bit sequenceCcyber
as the cyber challenge and then sends it toIED(EV ) through the secure channel. The
challenge should be at least 80 bits long.2 Server storesCcyber for later verification.
4. At the same time,Server randomly picks another independent bit sequenceCphysical
as the physical challenge and then sends it to theCS via another secure channel. The
challenge should be of similar length withCcyber (but not necessarily strictly enforced3)
2A 64-bit sequence is also acceptable because the protocol isexecuted in real time and an attacker cannot
repeatedly fail the test. In other words, the offline brute force attack is inapplicable. Once a test is failed, a new
random sequence is used in the next test.3Since HMAC is used, the input toPRF could be arbitrary in length. Consequently, the two challenges need
not be equally long.
10
Note thatCphysical is kept secret fromIED(EV ). Server storesCphysical for later
verification.
Note that step 3 and 4 could be placed in reverse sequence without affecting the opera-
tion of the protocol.
5. Upon receiving the encrypted challenge fromServer, CS decrypts it to get backCphysical.
A parity check code is computed and appended toCphysical. An 8-bit parity check code
should be sufficient. CS then embeds the challengeCphysical with the parity bits in the
PWM (Pulse Width Modulation) signal of the control pilot pinof the charging cable.
More specifically, using a lookup table, CS maps the bit sequence ofCphysical and the
parity bits into a sequence of duty cycle or pulse width values, which are effected on
the control pilot pin. According to IEC61851, these duty cycle values inform an EV to
adjust its maximum charging current. The resulting maximumcurrent values could be
read from the CAN bus of the EV.
As Cphysical is sent over the control pilot pin, the maximum allowable current the EV
takes in is also changing accordingly, based on IEC61851. The original purpose of the
PWM pulses is to inform the EV the maximum allowable chargingcurrent. This paper
uses them to embed the bit sequenceCphysical. That is, the PWM pulses are seen as a
sequence of symbols embeddingCphysical. While Cphysical is being sent, the charging
current consumed by the EV is also measured atCS at an interval corresponding to
each symbol and compared with the maximum allowable currentset forth by the corre-
sponding PWM pulse duty cycle. If the measured current is larger than the maximum
allowable current, it is consider as a failure for that symbol. At the end of transmitting
Cphysical, the percentage of failures is computed and sent toServer. If this percentage
exceeds a certain predefined threshold, the authenticationis considered as failed.
6. The IED(EV ) reads the sequence of maximum current values from the CAN bus,
11
and looks up from a table the corresponding bit sequence of the challengeCphysical.
The parity bits are checked. If the verification fails, theIED(EV ) requestsCS to
resendCphysical (which is ideally a new value). A request of using a quantization
scheme with coarser granularity on the duty cycles could be sent. IED(EV ) then
uses the established session keyK shared withServer to generate the responser =
PRFK(Ccyber||Cphysical) and sends it toServer. BothCphysical andK, corresponding
to the two authentication factors, are needed for generating a correctr to passServer’s
verification.
7. Upon receivingr from theIED(EV ), Server computesPRFK(Ccyber||Cphysical) to
verify whetherr is a correct response. Equality would mean IED(EV) has the correct
keyK and correctCphysical (implying that the EV is connected to the specifiedCS as
IED(EV ) claims). If the verification of IEC61851 compliance (performed in the last
step) also passes, the server then sends an ”AuthenticationOK” to CS to inform it to
start the charging session and grant access to the EV.
If the verification fails,Server would informCS to repeat Steps 3-6 again, possibly with
longer symbol duration for the PWM pulses. The probability of a verification failure should
be practically negligible. After a predefined number of authentication failures,Server could
informCS to terminate the charging session setup.
4 Prototype Implementation
A full proof-of-concept prototype is implemented to demonstrate the two-factor cyber-physical
device authentication. The NXP-ATOP platform [20], a system-on-chip module including two
ARM7 and one ARM9 processors, is used to implement the IED andthe controller for the
charging station. The power part of the charging station is also constructed. The backend
server is also implemented, running the Ubuntu OS. The IED and charging station communi-
12
IED(EV) CSServer
Secure channel established
between Server and CS with
session key K’
TLS Handshake
Secure channel established
between Server and IED(EV)
with session key K
ID(CS)
Random Challenge Cphysical
Random Challenge sent over the charging cable
Response
Authentication OK
1. IED(EV) connects to
the server.
2. EV arrives at a CS and
IED(EV) sends the
identity of CS to the
server to initiate a
charging session.
5. CS decrypts to get
the challenge
Cphysical and embeds
it in the PWM signal
of the control pilot
pin of the charging
cable and sends it to
EV. Simultaneously,
CS checks IEC61851
compliance of the EV
and return the result
at the end of sending
Cphysical.
6. IED(EV) computes the
response:
r = PRFK(Ccyber || Cphysical)
7. Server computes
PRFK(Ccyber || Cphysical), and
compares it with the received
response r. Equality passes
the first verification. When
IEC61851 compliance check
is also OK, Server sends
“Authentication OK” to CS.
Otherwise, steps 356 are
repeated.
8. Charging starts
Random Challenge
Ccyber
3. Server chooses a random bit
sequence Ccyber as the cyber challenge
and encrypts it and sends it to
IED(EV). Server stores Ccyber.
4. Server chooses a random bit
sequence Cphysical as the physical
challenge and encrypts it and sends
it to CS. Server stores Cphysical.
IEC61851 Compliance
Check Result
Figure 3: Detailed Execution of the Cyber-Physical Device Authentication Protocol
13
Figure 4: PWM Pulses over the Control Pilot Pin of SAE J1772
cate with the server using GPRS (General Packet Radio Service) provided in the NXP-ATOP.
The prototype include a number of optimizations, includingthe coding method to embed the
physical challenge bit sequence into the PWM pulses of the control pilot pin of the SAE J1772
standard, and a specially designed CAN locker or secure hardware interface, which ensures
the binding between the IED and the EV. SAE J1772 is the most widely adopted charging
cable standard.
4.1 Mapping the Physical Challenge into the PWM Signal of theSAE
J1772 Control Pilot Pin
An encoding scheme is designed to achieve that no synchronization between the IED and
charging station is needed when sending the physical challenge which is embedded in the
duty cycles of the PWM pulses. In an IEC62196 or SAE J1772 plug, square pulses are sent
from the charging station to the EV over the control pilot pinof the charging cable, as shown
in Figure 4. By changing the duty cycle of these pulses, the charging station can request the
EV to adjust the maximum charging current. This protocol is defined in IEC 61851, which is
adopted by IEC62196 and SAE J1772.
The physical challenge is sent as a sequence of different duty cycle values over the control
pilot pin. The duty cycle values of the PWM signal are in essence a set of symbols. The EV
treats this sequence as a challenge and generates a responseaccordingly. Note that what can
be read from the CAN bus is the maximum negotiated charging current rather than the duty
14
cycle. A lookup table is created to covert the current value back to the duty cycle.
4.1.1 Table Creation
To create the lookup table, the following procedure is adopted:
1. Set the minimum duty cycle valueTMIN to the minimum allowable value in IEC61851.
Determine the maximum duty cycle valueTMAX based on the power rating of the charg-
ing station.
2. Divide [TMIN , TMAX ] into partitions of equal length:T1, T2, . . . , Ti, . . . , TN . The num-
ber of bits for eachTi is thenn = ⌊log2N⌋ − 1.
3. For eachn-bit string rj, randomly pick 2 elementsi1, i2 ∈ [1, N ] and compute the
minimum current valuesIMINi1
, IMINi2
of those 2 partitions,Ti1 , Ti2, based on IEC61851.
4. Create the first table TableCS as follows: for eachrj, create two rows, filling the first
with rj and the mid-value ofTi1 and the second withrj and the mid-value ofTi2 . That
is, eachrj is mapped to two duty cycle values.
5. Create the second table TableEV as follows: for eachrj , create two rows, filling the
first with rj andIMINi1
, and the second withrj andIMINi2
; sort the table in ascending
order ofIMINi .
These two tables (TableCS and TableEV) are pre-stored in both the charging station
and IED. Note thatrj corresponds to the physical challenge bit sequence and eachbit string
rj is mapped to two different duty cycle values. The purpose is to eliminate the need of
synchronization between the charging station and IED. Whentwo consecutive symbols both
take on the same bit stringrj, it would be difficult for the IED to decide whether there is one
or two symbols ifrj always maps to the same symbol. This implies that time synchronization
may be necessary to tell when to sample the duty cycle values.Yet, this paper intentionally
15
maps eachrj to two different duty cycle values, so that, when two consecutive symbols take on
the samerj, two distinct duty cycle values would always be transmittedfor the two symbols
although the two duty cycle values map back to the samerj . In summary, with this encoding,
adjacent symbols used to send the physical challenge alwaysdiffer. Two symbols will never
be mistaken as one symbol.
There could be multiple mappings with differentn or, equivalently, partition size to support
different levels of granularity. When the channel seems notvery reliable, a mapping for a
smallern could be used to ensure reliable delivery of the physical challenge.
4.1.2 Table Lookup
TableCS is used in the charging station to look up from a random bit string to a duty cycle
value. Upon receiving the binary string of the physical challengeCphysical, the charging station
divides the string inton-bit sub-strings. For each sub-string, the charging station looks up from
TableCS the corresponding duty cycle value. This forms a sequenceof duty cycle values. The
charging station varies the duty cycle of the PWM signal on the control pilot pin according to
this sequence.
TableEV is used in the IED onboard of the EV to look up from the maximum negotiated
current values to a binary string in order to recover the physical challenge and its parity check
bits. For each negotiated current valueICAN read from the CAN bus of the EV, the IED
looks up from TableEV the maximumIMINi which is still smaller thanICAN and append the
bit string rj to the previously decoded values to form the physical challenge (and its parity
bits). Then the IED checks the physical challenge using the parity bits to detect any error in
transmission.
16
4.2 CAN Interface Security
A tailored security mechanism is designed to ensure the binding of the IED and the EV such
that the secret key inside the IED can be seen as a proof of identity for the EV.
Through the tamper-resistant storage of the IED and the TLS protocol used to establish
the secure session, the server and the charging station could be assured that it is the specified
IED which runs the protocol. The knowledge of the physical challenge would further infer
to a reasonably high level of confidence that this specified IED is somehow connected to the
charging station via the charging cable. If the attacker could remove the IED from a valid car
and plug it into the stolen car, this would pass the verification. A mechanism is thus designed
to ensure that each IED can be plugged in once only. Subsequent removals and plug-in’s
would disable the CAN bus interface of the IED. This assures that only the IED installed by
the authority could function properly.
The purpose of this mechanism is to ensure that an IED could only be plugged in to an
EV by an authorized party, after which unplugging and re-plugging the IED to the OBD-II
socket will render the IED’s CAN bus interface disabled. Thebasic idea of this protection
mechanism is that different states are defined for the IED to operate at. Details of the state
definitions can be found in Figure 5. The states are defined based on the number of reboots,
and whether the CAN bus interface has been unplugged and re-plugged. It is assumed that
a trusted computing base (TCB) is available, which is provided by the secure element of the
NXP-ATOP in this paper. The current state of the IED is signedby the TCB with a digital
signature appended. In other words, the TCB is purely used togenerate a digital signature for
the current state of the IED. The need of the TCB could bewaivedif the IED has no backup
battery and draws its power only from the ODB-II socket. In other words, the requirement of
having a TCB in the IED is not mandatory in the design.
17
State 0
State 1
State 2A State 2B
State 3
HALT
reboot
1st
bootup
V+ removal
V+ removal
CAN removal
CAN removal
reboot
rebootreboot
reboot
Figure 5: State Diagram for Secure CAN Bus Interface in the IED
4.2.1 IED Bootup Sequence
When the IED is rebooted, whether the CAN bus interface is enabled depends on the signed
state denoted ascurrentstate. The IED bootup sequence is as follows:
1. Verify the signature ofcurrent state.
2. If (current state =State0 ) and the signature verification is OK, do:
(a) Enable the CAN bus interface.
(b) Generate a digital signature forState1.
(c) Updatecurrent state toState1.
3. Else, do:
(a) Disable the CAN bus interface.
The bootup sequence is designed in such a way that, after the first enabling of the CAN
bus interface by the authorized party, the IED will transit into a state (State 1) which disallows
18
GND CAN_H
CAN_L V+
Figure 6: OBD-II socket of the EV and Signal Level of CAN Bus
Figure 7: Glue Logic for the State Transition Signals
enabling of the CAN bus interface upon subsequent reboots. Enabling the CAN bus interface
is allowed only in State 0. In other words, after the authorized party first boots up the IED and
installs it in the EV, the attacker should not have the digital signature for a state which allows
enabling of the CAN bus interface. As can be seen, all states except State 0 will not allow
the enabling of the CAN bus interface upon reboot. This thus can prevent the attacker from
unplugging the IED and using it on the stolen EV. Remote code attestation protocol could also
be used to verify the integrity of the software if necessary.
4.2.2 State Transition Signals and Glue Logic
Shown in Fig 6 is the OBD-II socket of the EV, through which theIED is connected to the
CAN bus of the EV. The signals V+, CANH, CAN L are used, through some glue logic, to
trigger state transition in the IED.4
4It should be noted that, in the simplest case, using these state transition signals may not be compulsory. They
are included in the design for finer granularity of control and later expansion.
19
Depicted in Figure 7 is the glue logic for the state transition signals. The output signals
V+ REMOVAL and CAN REMOVAL are fed as input to two edge-sensitive GPIO (General
Purpose Input Output) of the NXP-ATOP. A downward transition of any of these two signals
triggers an ISR (Interrupt Service Routine) to update the current state of the IED. When V+
is removed, there will be a downward transition of the signallevel at V+. This downward
moving edge of V+ can be used to trigger the transition from State 1 to State 2A. In normal
situations, CANL and CAN H would move in opposite direction. However, when the plug
is removed, both CANL and CAN H will go downward in voltage level simultaneously. A
downward transition at both CANL and CAN H could be used to trigger the state transition
from State 1 to State 2B. The two ISRs are as follows.
Subroutine V plus removal
1. Verify the signature ofcurrent state.
2. If (current state =State1) and the signature verification is OK, do:
(a) Generate a digital signature forState2A.
(b) Updatecurrent state toState2A.
3. If (current state =State2B) and the signature verification is OK, do:
(a) Generate a digital signature forState3.
(b) Updatecurrent state toState3.
End V plus removal
Subroutine CAN removal
1. Verify the signature ofcurrent state.
2. If (current state =State1) and the signature verification is OK, do:
20
(a) Generate a digital signature forState2B.
(b) Updatecurrent state toState2B.
3. If (current state =State2A) and the signature verification is OK, do:
(a) Generate a digital signature forState3.
(b) Updatecurrent state toState3.
End CAN removal
5 Security Analysis
5.1 Security of Cyber-Physical Device Authentication Protocol
The cyber-physical device authentication protocol could withhold most attacks, except sophis-
ticated tampering of the charging cable, which involves relatively deeper technical know-how
difficult for most adversaries. Simple tapping or tamperingof the charging cable would give
a wrong impedance value and should fail the verification of IEC61851. Even for those more
sophisticated attacks, the protocol still can assure that the malicious load is acontrollableone
which is responsive to the load curtailing requests made through the control pilot pin signaling.
That is, a car may be plugged in with the wrong identity using asophisticated tampering at-
tack, but passing the authentication protocol in this case means that this illegitimate car would
still follow the grid’s instructions when demanded.
The security analysis of the cyber-physical device authentication protocol is similar to
that of a typical challenge-response authentication protocol, a formal proof of which might
not be available. In order to compute a correct response thatcan pass the verification by the
server, the IED needs to have the knowledge of the secret keyK and all the inputs (Ccyber and
Cphysical) to thePRF . This is based on the unpredictability assumption of the PRFwhich in
turn is a result of the well-known indistinguishability assumption of PRFs. While an attacker
21
might use a second car with a validK, he has to plug in that car, rather than the malicious
load, in order to obtainCphysical as well.
The key of the security against the substitution attack [7] hinges on the access toCphysical.
There should be no other way than tapping onto the control pilot pin of the charging cable to
obtainCphysical as the encryption used between the charging station and the server is assumed
to be secure. Simple tampering of the charging cable fails the IEC 61851 protocol verification.
In order to launch the relay attack posed by [28] successfully, the protocol proposed in this
paper makes physical access to the second EV a necessity. While the first EV, which is the
malicious one in our consideration so far, can obtainCphysical, it has to passCphysical to the
second EV through a certain channel. Unless the attacker could modify the IED firmware of
the second EV —- which is difficult in general due to the tamperresistance discussed — the
IED firmware of the second EV has to acceptCphysical through the CAN bus. Feeding another
input to the IED’s CAN interface is highly unlikely due to theCAN security implemented.
The only possible means to feedCphysical to the IED of the second EV is through its charging
cable again. In other words, the attacker has to launch the relay attack over the charging cable,
and IEC61851 has safe-guarded simple tampering techniques.
For the more sophisticated cable tampering attacks, we should distinguish between two
cases: that the second EV is cooperative in the attack, and that the second EV is innocent and
unaware of its involvement in the attack. In both case, physical access to the second EV is
inevitable, which already imposes an additional layer of difficulty to the attacker in the latter
case, making a massive attack unlikely. For the former case with a cooperative EV, a complete
defeat of the attack might be impossible. Even the distance bounding protocol [4, 28] might
not work well. Imagine the relay attack to access a car as in [28]: if the car owner holding
the key cooperates with the attacker, how can defence to suchan attack be possible? This
is the same for the case of substitution attack, if the attacker builds sophisticated tampering
devices to relay the charging cable signals. Nevertheless,the cyber-physical authentication
22
protocol still gives a better protection guarantee for the power grid reliability in this case.
First, even the malicious car would be responsive to load curtailing commands as it is verified
to be compliant to IEC61851 in the cyber-physical authentication protocol. Second, the task
of relaying is made more difficult to average attackers.
It should be noted that the distance bounding protocol over the charging cable might not
be able to withhold the substitution attack with a cooperative second EV. First, the delay
difference between the two cars could be too small to obtain aclear resolution with high
confidence. Second, the delay could be tampered as physical access to the two cars is assured.
Besides, the equipment required makes it impractical.
5.2 Analysis of CAN Interface Security
The only state which allows the IED to boot up with the CAN bus interface enabled is State
0. Once an IED is deployed, it would never have a signed state for State 0. The signature for
State 0 would be immediately erased after the first installation by the authorized dealer. In
State 1, the IED could operate normally with the CAN bus interface enabled. However, once
rebooted, the CAN bus interface will be disabled at the next bootup. Since the attacker has no
knowledge of a valid signature for State 0, this check cannotbe bypassed in the next bootup.
It is possible that the attacker could obtain a new IED from the manufacturer but this new
IED does not have the necessary credentials (including the secret key and certificates) pre-
stored. In other words, the attacker could only get an IED with CAN bus interface enabled
but without the needed credentials or an IED with proper credentials but with the CAN bus
interface disabled.
23
6 Experiment Results
A number of experiments, including demand response on a realEV, the substitution attack,
how the cyber-physical authentication protocol withholdsthe substitution attack and detects
a malicious load, and an execution of the cyber-physical authentication protocol on an EV
emulator. We have built our own charging station as shown in Figure 8 and implemented a
basic demand response application. When carrying out the substitution attack, the malicious
loads including a water kettle and hairdryer are plugged in,instead of the EV. The normal
challenge-response protocol is passed without detecting any anomaly and the charging station
supplies power to the kettle and dryer. When a load curtailing command is issued, these loads
are irresponsive. We then tested the cyber-physical authentication on the same attack setting
and the system is now able to detect the malicious loads and deny the access at the start. On
average the time needed to complete the cyber-physical authentication protocol ranges from
40s to 100s. Since the authentication could be done automatically after plugging in without
demanding active human attention, the latency of the protocol could be reasonably practical.
The following discussion will focus on the execution of the protocol on the EV emulator.
The EV emulator is built on an 8051 microcontroller from SiLab. The experiment setup is
shown in Figure 8, which also depicts how the physical challenge is embedded in the PWM
signal of the control pilot pin.
7 Related Work
Man-in-the-middle (MitM) attacks are not an entirely new problem in security engineering.
Anderson has a fairly comprehensive discussion in his book [1]. This paper takes the specific
context of the smart grid into consideration to illustrate the potential impact of such an attack.
The discussion of MitM attacks could be found in various contexts including web browsers
[2,15] and physical access control [4].
24
Change in
duty cycle
Figure 8: Experiment Setup
Multi-factor entity authentication has also been addressed in different applications [2,3,6,
14, 15, 23–25, 30]. Besides the existing forms of typical authentication factors, namely, what
the prover has, what the prover knows, and what the prover is,we introduce a new factor
of authentication based on where the prover is or where the prover is physically connected
in the smart grid. This shares some similarity with [15] yet different. The main difference
lies in that human involvement is avoided in the current context, which is desirable. While
the distance bounding protocol [4, 28] could partly solve the problem of substitution attacks,
it poses stringent requirements on the physical channel forrunning it. Besides, there is still
chance that physical proximity may not guarantee physical connectivity. On the contrary,
the proposed method in this paper assures that the EV passingthe authentication is the one
plugged in. Of course, it is possible that the attacker tailors a special charging cable to bypass
the protocol. But it requires deep technical expertise. Similarly, using RFID tags on electric
vehicles may not provide the desired strength of binding between the RFID tag and the electric
vehicle.
It is fair to say most research in smart grid security focuseson cyber mechanisms. For
instance, [26] develops a secure Intelligent Electronics Device (IED) which is safe to connect
to the Internet. Entity authentication and key management in the smart grid is also actively
25
studied [5, 9–11, 16, 22, 30]. However, nearly all of the existing works only consider purely
cybersecurity issues and it is unsure whether such approaches could defend coordinated cyber-
physical attacks in the real deployment scenario. It is truethat combined cyber-physical con-
siderations have to take specific details of the contexts or application scenarios, say, what
equipment is being secure and where it is connected to the power grid, into account, which
might limit the range of applications of the resulting schemes. However, considering specific
contexts would also mean optimized performance in the targeted application. There is tradeoff
between generality and optimization. More importantly, a generic design might not be able
to withhold even the simplest form of coordinated cyber-physical attacks. It is important that
coordinated cyber-physical attacks be considered early onin smart grid security designs.
8 Conclusion
In this paper, we illustrate the potential risks of a specifictype of coordinated cyber-physical
man-in-the-middle attack, called the substitution attack, to the smart grid. We also propose a
cyber-physical device authentication protocol to withhold the substitution attack, and a CAN
security mechanism to provide a strong binding between the IED and the electric vehicle. A
proof-of-concept prototype is implemented to demonstratethe strength of combined cyber-
physical approach to defend the man-in-the-middle attack in the smart grid. This idea could
be extended to other equipments in the smart grid. By taking specific details of the context
of the EV ecosystem into consideration, the prototype achieves an advantage that no intrusive
modifications to electric vehicles is necessary. The advantages of our design over NFC (Near
Field Communication)/RFID and IEC15118 are shown in the following table.
26
Table 1: Comparison of Different Approaches
Physical Minimum Demand
Connectivity Modification Response
Assurance On EV Compliance
NFC/RFID NO YES NO
IEC15118 YES NO NO
Our Approach YES YES YES
Acknowledgment
The authors would like to thank Energy Market Authority (EMA) of Singapore for providing
funding support.
References
[1] R. J. Anderson,Security Engineering: A Guide to Building Dependale Distributed System,
2nd ed. Wiley, 2008.
[2] A. Ben-David, O. Berkman, Y. Matias, S. Patel, C. Paya, and M. Yung, “Contextual
OTP: Mitigating Emerging Man-in-the-Middle Attacks with Wireless Hardware Tokens,”
in F. Bao, P. Samarati and J. Zhou (Eds.): ACNS’12, Springer LNCS, vol. 7341, p. 30-47,
2012.
[3] J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung, “Fourth-Factor Authentica-
tion: Somebody You Know,” inACM CCS’06, p.168-178, 2006.
[4] S. Brands, and D. Chaum, “Distance-Bounding Protocol,”in Eurocrypt’93, 1993.
27
[5] T. Baumeister, “Adapting PKI for the Smart Grid,” inIEEE SmartGridComm’11, p.249-
254, 2011.
[6] X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, “Secure Remote Authentication
using Biometric Data,” inR. Cramer (Ed.): Eurocrypt’05, LNCS, vol. 3494, p.147-163,
2005.
[7] A. C-F. Chan, and J. Zhou, “On Smart Grid Cybersecurity Standardization: Issues of
Designing with NISTIR 7628,”IEEE Communications Magazine51(1), p.58-65, January,
2013.
[8] M. M. Fouda, Z. M. Fadlullah, N. Kato, R. Lu, and X. Shen, “ALightweight Message
Authentication Scheme for Smart Grid Communications,”IEEE Trans. on Smart Grid,
vol. 2, no. 4, p.675-685, December, 2011.
[9] H. Khurana, R. Bobba, T. Yardley, P. Agarwal, and E. Heine, “Design Principles for Power
Grid Cyber-Infrastructure Authentication Protocols,” inHICSS’10, January, 2010.
[10] N. Kuntze, C. Rudolph, I. Bente, J. Vieweg, and J. von Helden, “Interoperable Device
Identification in Smart-Grid Environments,” inIEEE PES General Meeting, p.1-7, July,
2011.
[11] S. Lakshminarayanan, “Authentication and Authorization for Smart Grid Application
Interfaces,” inIEEE/PES PSCE’11, March, 2011.
[12] IETF, RFC 2104 — HMAC: Keyed-hashing for Message Authentication.
[13] IETF, RFC 5246 — The Transport Layer Security (TLS) Protocol, version 1.2.
[14] M. S. Mannan, and P. C. van Oorschot, “Using a Personal Device to Strengthen Password
Authentication from an Untrusted Computer,” inS. Dietrich, R. Dhamija (Eds.): FC’07,
Springer LNCS vol. 4886, p.88-103, 2007.
28
[15] J. M. McCune, A. Perrig, and M. K. Reiter, “Seeing-is-believing: Using Camera Phones
for Human-verifiable Authentication,” inIEEE Symposium on Security and Privacy,
p.110-124, 2005.
[16] H. Nicanfar, P. Jokar, K. Beznosov, and V. C. M. Leung, “Efficient Authentication and
Key Management Mechanisms for Smart Grid Communications,”to appear inIEEE Sys-
tem Journal, 2013.
[17] NIST, NISTIR 7628: Guidelines for Smart Grid Cyber Security, vol.1-3, August, 2010.
[18] NIST, NIST SP1108: Framework and Roadmap for Smart Grid Interoperability Stan-
dards, Release 1.0 (January, 2010), Release 2.0 (February, 2012).
[19] NERC,Critical Infrastructure Protection (CIP-001 to CIP-009).
[20] NXP, ATOP datasheet, accessed athttp://www.nxp.com/documents/
leaflet/939775016910.pdf.
[21] SGIP-CSWG,Standard Review Report on “Security Assessment of SAE J2847-1: Com-
munication between Plug-in Vehicles and the Utility Grid,”November, 2010.
[22] A. J. Paverd, and A. P. Martin, “Hardware Security for Device Authentication in the
Smart Grid,” inJ. Cuellar (Ed.): SmartGridSec’12, Springer LNCS vol. 7823, p. 72-84,
2013.
[23] D. Pointcheval, and S. Zimmer, “Multi-factor Authenticated Key Exchange,” in
S. M. Bellovin, R. Gennaro, A. D. Keromytis, and M. Yung (Eds.): ACNS’08, Springer
LNCS, vol. 5037, p.277-295, 2008.
[24] B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell, “Stronger Password Authen-
tication using Browser Extensions” inUSENIX Security’05, p.17-32, 2005.
29
[25] B. Schneier, “Two-factor Authentication: Too Little,Too Late,” Communications of the
ACM 4(4), 2005.
[26] J. Zhang, C. Grier, S. T. King, and C. A. Gunter, “Secure Intelligent Electronic Devices,”
accessed athttp://tcipg.org.
[27] ISO/IEC, ISO/IEC 15118-2: Vehicle-to-Grid Communication Interface — Part 2: Net-
work and Application Protocol Requirements (Draft International Standard), 2012.
[28] A. Francillon, B. Danev, S. Capjun, “Relay Attacks on Passive Keyless Entry and Start
Systems in Modern Cars,” inNDSS’11, February, 2011.
[29] Z. Sumic,Gartner Research Report: Hype Cycle for Smart Grid Technologies, 2012,
July, 2012.
[30] F. Zhao, Y. Hanatani, Y. Komano, B. Smyth, S. Ito, and T. Kambayashi, “Secure Authen-
ticated Key Exchange with Revocation for Smart Grid,” inIEEE ISGT’12, 2012.
30