
Cyber-Physical Device Authentication for Smart Grid Electric Vehicle Ecosystem


Aldar C-F. Chan and Jianying Zhou
October 23, 2013

Abstract
Entity authentication and related key management is an active research topic in both computer and smart grid security alike. But existing works seem to have overlooked the significance that the smart grid is a cyber-physical system, which entails more considerations in the integration of its cyber and physical domains. Ignoring this could possibly undermine the security of the smart grid since the effects of cyber authorization are usually extended into the physical domains. The substitution attack, a kind of man-in-the-middle attack, has been demonstrated using this gap. This paper proposes a two-factor cyber-physical device authentication protocol to defend against coordinated cyber-physical attacks on the smart grid. The idea is to combine a novel contextual factor based on physical connectivity in the power grid with the conventional authentication factor in the challenge-response protocol, widely and commonly used in cybersecurity. The resulting protocol provides assurance on not only the digital identity of a device, but also the controllability of the device in the physical domain. While the design is in the context of the electric vehicle ecosystem, the framework could be readily extended to other smart grid subsystems.
Keywords: multi-factor authentication, coordinated cyber-physical attacks, challenge-response protocol, IEC 61851.

1 Introduction
Secure smart grid communication requires mutual authentication of the communicating entities. Entity authentication refers to the security primitive which corroborates the identity of an entity, be it a person or a device, as it accesses certain resources entailing authorization. It should be distinguished from message authentication [8], which protects the integrity of a message and corroborates its origin. Entity authentication has been widely studied in computer security, as in authenticated key exchange and/or multi-factor authentication [2, 3, 6, 14, 15, 23–25, 30]. The handshake in the widely used Transport Layer Security (TLS) protocol [13] is an example of entity authentication. Entity authentication in the smart grid is also a significant research problem actively considered in the literature [5, 9–11, 16, 22, 30]. A research report published by Gartner [29] also states that an electric vehicle as a roaming appliance has to be identified and located whenever it is connected to the power grid. However, there are salient features in smart grid communication that make entity authentication still challenging. Some subtle issues have not been adequately addressed by the existing works.
First, one key feature of the smart grid is that it will ultimately facilitate fully automated management of energy devices and systems without human intervention. Device authentication would be the primary form of authentication in the smart grid. In other words, machine-to-machine (M2M) communication will be the most common mode of smart grid communication in the future. This poses a particular challenge for entity authentication in the smart grid context because most of the existing approaches [2, 3, 6, 14, 15, 24] are not designed to support unattended operation. Providing a strong assurance of digital identities in an unattended, fully automated environment demands strong protection of the private key in most of the existing entity authentication protocols. That is, some form of a trusted computing base (TCB) or secure element is inevitable, which is now a widely presumed assumption in entity authentication and key management for the smart grid [5, 9–11, 16, 22, 30]. Paverd and Martin [22] propose a hardware security architecture to provide such a trusted computing platform for device authentication in the smart grid. This paper gives an alternative instantiation.
Second, all the existing protocols [5, 9–11, 16, 22, 30] provide security assurance only within the cyber domain, overlooking the significance that the smart grid is a cyber-physical system in nature. This indeed undermines smart grid security and has serious implications for typical smart grid applications such as demand response and vehicle-to-grid (V2G) [7]. The study of coordinated cyber-physical attacks is also regarded as an area of high priority in the widely cited NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 [18].
The core concept of the smart grid is that, through the use of advanced digital communication for instrumentation and control, different subsystems of the power grid can be coordinated for optimized and automated operation to increase the reliability of power supply and minimize waste due to spinning reserve, while supporting the integration of new appliances such as electric vehicles and renewable energy sources. There are two paths between devices in the smart grid: a two-way (cyber) communication channel and a (physical) power network supporting two-way power flow [18]. When a device is authenticated in the cyber domain, the resulting authorization actually extends beyond the cyber domain into the physical domain. In fact, most cyber commands are effected as certain operations in the power network, like closing a circuit breaker, or turning a relay on or off. That is, a device successfully authenticated in the cyber domain is actually granted access and authorization to act freely in the physical domain. Consequently, the power grid reliability may be at risk if entity authentication provides little assurance that a cyber-authenticated device will be responsive to cyber commands and act accordingly to effect changes in the physical power network.
Chan and Zhou [7] actually show, using the electric vehicle (EV) ecosystem as an example, that an EV passing the typical challenge-response authentication using a TCB (which is deemed secure in any cybersecurity standard) may not be the device which is physically connected to the power grid. Rather, it could be a malicious load connecting to the power grid, thus risking the reliability of the power grid. For instance, the malicious load could be irresponsive to the demand-response commands requesting the EV to curtail its power consumption when there is a shortfall of power supply.¹ Such an attack also has serious repercussions in other smart grid applications: undermining V2G when battery profiling is used [27], and eroding the utility's revenue in flat-rate charging subscription plans.
This paper proposes a new two-factor cyber-physical authentication protocol for the smart grid EV ecosystem using a novel contextual factor, namely, physical connectivity of the charging cable. It is basically a challenge-response protocol with two challenges: one sent over the standard cyber path (cyber challenge) and the other sent over the charging cable of the electric vehicle (physical challenge). This is the first design of cyber-physical authentication for the smart grid in the literature. A proof-of-concept design is given with experiment.
The contribution is two-fold. First, a novel cyber-physical device authentication protocol for electric vehicles is presented. The protocol has a number of desirable properties: unlike IEC 15118 [27], it does not require any modifications on the EV and is thus readily deployable; besides, the protocol provides a strong binding between the cyber and physical parts of an EV, assuring that the EV passing the authentication knows the needed secret key (in the tamper resistant device or TCB) and is physically connected to the specified point of the power grid (as given in the digital data); in addition, it also provides a means to verify the controllability of the EV in the physical domain. It should be emphasized that, while the protocol is specifically designed for the EV ecosystem, the idea of two-factor cyber-physical authentication could be widely applicable in the smart grid to secure switchgears, trippers, etc. The key is to find a relevant contextual factor. This paper gives a basic framework for designing new protocols with new smart grid contextual factors. Second, a hardware mechanism for binding an onboard unit (OBU) and an EV is proposed. The basic idea is that once the device is deployed (plugged in to the Controller Area Network (CAN) bus of an EV), it is in a particular state such that unplugging it would disable its CAN bus interface. The design could find application in other scenarios such as vehicular telemetry and location-based electronic road pricing.

¹ Circuit breakers are ineffective in this case. The allowable current range is 6–80A in typical charging according to IEC61851, meaning the circuit breaker will only break at 80A or above. There is a potential gap of 74A between the supply and demand side in the worst case for demand response, whereas a typical household would usually draw no more than 30A.
The paper is organized as follows. The coordinated cyber-physical attack called the substitution attack [7] is explained in the next section. The proposed cyber-physical device authentication protocol is given in Section 3. Section 4 presents the prototype implementation with details of the tailoring and optimizations adopted. Sections 5 and 6 discuss the security of the proposed protocol and the experimental results. Related work is discussed in Section 7, followed by a conclusion in Section 8.

2 Substitution Attack
The substitution attack [7] can be viewed as a special type of the Man-in-the-Middle (MitM)
attack. The following discussion assumes that each EV is installed with an onboard unit
called the Intelligent Electronics Device (IED). The IED, with tamper resistant storage of a
secret key, serves as a token to assure the identity of the EV. Only the grid operator would
have access to this secret key. Even the EV owner himself would not have access to it.
Though it has the unique advantage of ready deployment, the IED model is just one of the instantiations of providing digital identity assurance for EVs. In IEC15118 [27], the secret key is pre-installed in the EV itself, say, in one of its Electronic Control Units (ECUs). It is assumed that the IED is bound to the EV at installation, say, through the CAN bus security mechanism presented in Section 4.2. The crux is that the IED is inseparable from the EV once installed. It is also assumed that a conventional challenge-response protocol [1] based on the stored secret in the IED is used for authentication.
[Figure 1: Substitution Attack against EV Device Authentication. Labels in the figure: Challenge, Response, IED, IED (STOLEN), Smart Card Access Control.]

In the desirable situation, when the IED passes the authentication, it means that the EV has a valid registration and is eligible for charging if the user identity and billing account also pass verification. Imagine that an EV has been stolen. With its registration and certificate revoked
(as possibly initiated by its original owner), it should not be able to gain access to the power
grid for charging, even though the car-thief uses his own user account to pay the charging
cost. To charge a stolen car, the car-thief has to replace its IED equivalent to changing its
identity. This is the main security objective of device authentication.
However, consider the substitution attack as depicted in Figure 1. Suppose the authentication is conducted through a wireless channel, which is widely accepted as the default means of communication for the EV ecosystem. Now the car-thief can use the IED of another EV with a valid certificate and registration to run the challenge-response authentication protocol over the wireless link, while plugging the stolen EV in to the charging station. Since the keys and certificates of the IED in the second EV are still valid, they will pass the device authentication test. If the car-thief's billing account also has sufficient funds, then a charging session would start to charge the stolen EV, rather than the second EV. Charging of a stolen EV would go undetected in this way, which might have serious repercussions, such as irresponsive loads in demand response. It should be emphasized that, depending on the wireless channel in use, cooperation from the second EV is not necessary. That is, the second EV could be innocently and unconsciously helping the stolen EV to pass the authentication.
Linking or binding a user's identity with his EV's identity may not work either since the second EV could be owned by the car-thief, who has a valid user identity linked to the EV's identity. Instead, it causes inconvenience to EV owners. For the same reason, the requirement to tap a smart card at the charging station for verification would not work either. This substitution attack applies to all existing charging stations using wireless authentication protocols. Indeed this problem is not entirely new. For instance, a remote computer, storing valid credentials, could log into a legitimate user's bank account, but the user behind the computer may not be the account owner. Including physical features is the key to thwarting this kind of attack.
While the stolen car scenario is used as an example for illustration, the impact of such an access control breach could potentially be far more serious regarding power grid reliability. For instance, malicious actions can be carried out in the physical domain in demand response [7] or V2G. A misrepresentation of the situation or connectivity in the physical domain by the cyber domain information could lead to a power supply shortfall in these core smart grid applications. Were such a breach to occur, the controllability of the electric vehicle (or more precisely the malicious load) would remain a big security concern to the utility. In fact, the new release of the NIST 1108 report [18] places the study of coordinated cyber-physical attacks as one of the key themes for revising the widely-cited NISTIR 7628 cybersecurity guidelines, bespeaking the significance of addressing cyber-physical attacks like the substitution attack.

3 Cyber-Physical Device Authentication


3.1 Communication Settings
Depicted in Figure 2 is the communication setting for the cyber-physical device authentication protocol. The IED onboard of the EV and the charging station have direct communication with the utility's backend server. The communication link between the IED and the charging station is merely a logical link. The server could be seen as the verifier for the EV identity and issues commands to the charging station to grant access to the EV. That is, a direct communication channel between the IED and the charging station is not necessary.

[Figure 2: The Communication Setting for Cyber-Physical Device Authentication. Servers at the utility company have a cyber connection to the IED on the EV and a cyber connection to the charging station; the challenge is sent over the charging cable to the onboard charger.]

The IED onboard of the EV is connected to the CAN bus of the EV through the OBD-II diagnostic port commonly
adopted in nearly all automobiles. The charging cable is assumed to follow the SAE J1772
standard, which is adopted in all EV models for level 2 charging. That is, the charging cable
has a control pilot pin using IEC 61851 signaling. This assumption is fairly reasonable and
the resulting protocol covers almost all EV models.

3.2 Security Assumptions


The main security assumption of the proposed protocol is the IED's tamper resistance, which is a common assumption in the smart grid literature. As argued by [22], this assumption is inevitable to support the fully automated M2M smart grid communication. As a corollary to such an assumption, we can assume that it is hard for an attacker to modify the IED's firmware without being detected. Remote code attestation may also be regularly used to check the code integrity of the IED.

3.3 Protocol Design of Cyber-Physical Device Authentication


The cyber-physical authentication protocol aims to corroborate the following: 1) the IED onboard of the EV stores the secret key corresponding to the digital identity of a valid EV; 2) the EV is physically connected to the claimed charging station. The proposed protocol is a typical challenge-response protocol [1], except that part of the challenge could only be received through a particularly designated physical medium, which is the charging cable. Details of how the second challenge is embedded in the signaling of the charging cable are given in Section 4.1.
A conventional challenge-response protocol involves two parties: a prover and a verifier. The purpose of the protocol is for the verifier to check whether the prover knows a particular secret, which is usually a cryptographic key. The verifier sends the prover a random bit string as a challenge, and in response, the prover could sign the challenge using its private key. Then the verifier could verify the signature to see whether the prover really knows the private key in question. In the case with a symmetric key shared between the prover and verifier, the prover could decrypt the challenge or generate a MAC (Message Authentication Code) [12] for the challenge, in place of the signature. In this paper, the most generalized form of response computation, namely, a pseudorandom function PRF_K(·) with secret key K, is used in the discussion. It should be noted that the PRF could be instantiated by any of the preceding primitives (digital signatures, MAC, decryption). HMAC [12] is used to instantiate the PRF in the prototype implementation (Section 4) and experiment (Section 6) in this paper.
In the cyber-physical authentication, there are two parts of a challenge, namely, a cyber challenge Ccyber and a physical challenge Cphysical. Ccyber is received over the wireless channel, whereas Cphysical is received over the charging cable. Both challenges originate from the server. The response is then computed as:
r = PRF_K(Ccyber || Cphysical),
where K could be the secret key stored inside the IED or a session key derived from it, depending on the actual implementation, which is out of the scope of this paper.
The server (knowing K) could verify whether the response is a correct one. This protocol is a two-factor authentication scheme: while the secret key K shared between the server and the IED is one factor (the what-you-know factor), the physical challenge Cphysical is another. Cphysical is a novel factor which combines its numerical value and the dedicated channel for its delivery (the charging cable and its signaling). It is obvious that the underlying security guarantees of these two factors are based on very different means. While the first factor is a conventional one, the second one is contextual, similar to the notion of [2]. In addition, the contextual factor provides an assurance that the EV is actually physically connected to the charging station, and that the digital information it provides to the server truly reflects the situation of the physical domain.
Figure 3 shows the execution of the protocol. The charging station and the IED onboard of the EV are denoted by CS and IED(EV) respectively. Step 1 is a typical TLS handshake to establish a session key K which is used to secure the channel between Server and IED(EV). A similar TLS handshake is executed to establish a secure channel between Server and CS with another session key K′. It should be noted that, from Step 2 onwards, all communication between Server and CS is secured against eavesdropping and message modification. The same also applies to communication between Server and IED(EV). Step 2 shows that the EV sends a request to initiate a new charging session to access the power grid. The execution of the cyber-physical device authentication protocol starts at Step 3, with details as follows:
3. When a new charging session is requested, Server randomly picks a bit sequence Ccyber as the cyber challenge and then sends it to IED(EV) through the secure channel. The challenge should be at least 80 bits long.² Server stores Ccyber for later verification.
4. At the same time, Server randomly picks another independent bit sequence Cphysical as the physical challenge and then sends it to the CS via another secure channel. The challenge should be of similar length to Ccyber (but this is not necessarily strictly enforced³). Note that Cphysical is kept secret from IED(EV). Server stores Cphysical for later verification.
Note that steps 3 and 4 could be placed in reverse sequence without affecting the operation of the protocol.
5. Upon receiving the encrypted challenge from Server, CS decrypts it to get back Cphysical. A parity check code is computed and appended to Cphysical. An 8-bit parity check code should be sufficient. CS then embeds the challenge Cphysical with the parity bits in the PWM (Pulse Width Modulation) signal of the control pilot pin of the charging cable. More specifically, using a lookup table, CS maps the bit sequence of Cphysical and the parity bits into a sequence of duty cycle or pulse width values, which are effected on the control pilot pin. According to IEC61851, these duty cycle values inform an EV to adjust its maximum charging current. The resulting maximum current values could be read from the CAN bus of the EV.
As Cphysical is sent over the control pilot pin, the maximum allowable current the EV takes in also changes accordingly, based on IEC61851. The original purpose of the PWM pulses is to inform the EV of the maximum allowable charging current. This paper uses them to embed the bit sequence Cphysical. That is, the PWM pulses are seen as a sequence of symbols embedding Cphysical. While Cphysical is being sent, the charging current consumed by the EV is also measured at CS at an interval corresponding to each symbol and compared with the maximum allowable current set forth by the corresponding PWM pulse duty cycle. If the measured current is larger than the maximum allowable current, it is considered a failure for that symbol. At the end of transmitting Cphysical, the percentage of failures is computed and sent to Server. If this percentage exceeds a certain predefined threshold, the authentication is considered failed.
6. IED(EV) reads the sequence of maximum current values from the CAN bus, and looks up from a table the corresponding bit sequence of the challenge Cphysical. The parity bits are checked. If the verification fails, IED(EV) requests CS to resend Cphysical (which is ideally a new value). A request to use a quantization scheme with coarser granularity on the duty cycles could be sent. IED(EV) then uses the established session key K shared with Server to generate the response r = PRF_K(Ccyber || Cphysical) and sends it to Server. Both Cphysical and K, corresponding to the two authentication factors, are needed for generating a correct r to pass Server's verification.
7. Upon receiving r from IED(EV), Server computes PRF_K(Ccyber || Cphysical) to verify whether r is a correct response. Equality would mean IED(EV) has the correct key K and the correct Cphysical (implying that the EV is connected to the specified CS as IED(EV) claims). If the verification of IEC61851 compliance (performed in the last step) also passes, the server then sends an Authentication OK to CS to inform it to start the charging session and grant access to the EV.
If the verification fails, Server would inform CS to repeat Steps 3–6 again, possibly with a longer symbol duration for the PWM pulses. The probability of a verification failure should be practically negligible. After a predefined number of authentication failures, Server could inform CS to terminate the charging session setup.

² A 64-bit sequence is also acceptable because the protocol is executed in real time and an attacker cannot repeatedly fail the test. In other words, the offline brute force attack is inapplicable. Once a test is failed, a new random sequence is used in the next test.
³ Since HMAC is used, the input to PRF could be arbitrary in length. Consequently, the two challenges need not be equally long.
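The following is an added example, not code from the paper or its prototype, that runs Steps 3 to 7 above with HMAC-SHA256 as the PRF (as in the prototype) and a constructed model of the compliance check. The per-symbol current limits, the 10% failure threshold and the 32 A draw of the non-compliant load are assumptions of the example; the PWM coding of Cphysical is replaced by direct delivery to whichever EV is on the cable.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's prototype code: r = PRF_K(Ccyber || Cphysical)
# with HMAC-SHA256 as the PRF, plus the server decision that combines the
# response check with the IEC 61851 compliance percentage reported by CS.
# The PWM coding of Cphysical (Section 4.1) is replaced by direct delivery.

CHALLENGE_BYTES = 10        # 80-bit challenges, the length the paper recommends
FAILURE_THRESHOLD = 0.10    # assumed threshold on the failure percentage


def prf(key: bytes, c_cyber: bytes, c_physical: bytes) -> bytes:
    """PRF_K(Ccyber || Cphysical), instantiated with HMAC-SHA256 as in the prototype."""
    return hmac.new(key, c_cyber + c_physical, hashlib.sha256).digest()


class Server:
    """Verifier: holds the session key K shared with IED(EV)."""
    def __init__(self, key: bytes):
        self.key, self.c_cyber, self.c_physical = key, None, None

    def new_session(self):
        # Steps 3 and 4: two independent random challenges, both stored.
        self.c_cyber = secrets.token_bytes(CHALLENGE_BYTES)
        self.c_physical = secrets.token_bytes(CHALLENGE_BYTES)
        return self.c_cyber, self.c_physical

    def verify(self, response: bytes, failure_pct: float) -> bool:
        # Step 7: constant-time response comparison AND compliance check.
        expected = prf(self.key, self.c_cyber, self.c_physical)
        return hmac.compare_digest(expected, response) and failure_pct <= FAILURE_THRESHOLD


class ChargingStation:
    """CS: relays Cphysical over the cable and measures IEC 61851 compliance."""
    def __init__(self):
        self.failures = self.symbols = 0

    def send_physical(self, c_physical: bytes, plugged_in_ev):
        # Step 5 (constructed model): each symbol sets a maximum current; the CS
        # measures the draw and counts the symbols where the EV exceeds it.
        for byte in c_physical:
            limit_amps = 6 + (byte % 10) * 2            # constructed limit per symbol
            self.symbols += 1
            if plugged_in_ev.draw_current(limit_amps) > limit_amps:
                self.failures += 1
        plugged_in_ev.cable_challenge = c_physical      # only the plugged-in EV sees it

    def failure_percentage(self) -> float:
        return self.failures / self.symbols if self.symbols else 1.0


class IED:
    def __init__(self, key: bytes, compliant: bool = True):
        self.key, self.compliant = key, compliant
        self.cable_challenge = None     # set only if this EV is on the cable

    def draw_current(self, limit_amps: float) -> float:
        # A compliant EV respects the limit; a malicious load ignores it.
        return limit_amps if self.compliant else 32.0

    def respond(self, c_cyber: bytes) -> bytes:
        # Step 6: both factors are needed; an IED not on the cable lacks Cphysical.
        return prf(self.key, c_cyber, self.cable_challenge or b"")


def run_session(server, cs, ev_on_cable, ied_on_radio) -> bool:
    """ev_on_cable: the EV actually plugged in; ied_on_radio: the IED answering Ccyber."""
    c_cyber, c_physical = server.new_session()
    cs.send_physical(c_physical, ev_on_cable)
    r = ied_on_radio.respond(c_cyber)
    return server.verify(r, cs.failure_percentage())


def honest_case() -> bool:
    k = secrets.token_bytes(32)
    ied = IED(k)
    return run_session(Server(k), ChargingStation(), ied, ied)


def substitution_case() -> bool:
    # A valid IED answers over the air while a different (stolen) EV is on the cable.
    k = secrets.token_bytes(32)
    return run_session(Server(k), ChargingStation(), IED(secrets.token_bytes(32)), IED(k))


def noncompliant_load_case() -> bool:
    # Correct key and cable, but the load ignores the PWM current limits.
    k = secrets.token_bytes(32)
    ied = IED(k, compliant=False)
    return run_session(Server(k), ChargingStation(), ied, ied)
```

The substitution case fails on the response because the IED that answers Ccyber never received Cphysical, and the non-compliant case fails on the compliance percentage even though both factors are correct.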

4 Prototype Implementation
A full proof-of-concept prototype is implemented to demonstrate the two-factor cyber-physical
device authentication. The NXP-ATOP platform [20], a system-on-chip module including two
ARM7 and one ARM9 processors, is used to implement the IED and the controller for the
charging station. The power part of the charging station is also constructed. The backend
server is also implemented, running the Ubuntu OS. The IED and charging station communicate with the server using GPRS (General Packet Radio Service) provided in the NXP-ATOP. The prototype includes a number of optimizations, including the coding method to embed the physical challenge bit sequence into the PWM pulses of the control pilot pin of the SAE J1772 standard, and a specially designed CAN locker or secure hardware interface, which ensures the binding between the IED and the EV. SAE J1772 is the most widely adopted charging cable standard.

[Figure 3: Detailed Execution of the Cyber-Physical Device Authentication Protocol. Participants: IED(EV), Server, CS.
1. IED(EV) connects to the server. TLS handshake: a secure channel is established between Server and IED(EV) with session key K; a secure channel is likewise established between Server and CS with session key K′.
2. EV arrives at a CS and IED(EV) sends the identity of CS, ID(CS), to the server to initiate a charging session.
3. Server chooses a random bit sequence Ccyber as the cyber challenge, encrypts it and sends it to IED(EV). Server stores Ccyber.
4. Server chooses a random bit sequence Cphysical as the physical challenge, encrypts it and sends it to CS. Server stores Cphysical.
5. CS decrypts to get the challenge Cphysical, embeds it in the PWM signal of the control pilot pin of the charging cable and sends it to the EV. Simultaneously, CS checks IEC61851 compliance of the EV and returns the result to Server at the end of sending Cphysical.
6. IED(EV) computes the response r = PRF_K(Ccyber || Cphysical) and sends it to Server.
7. Server computes PRF_K(Ccyber || Cphysical) and compares it with the received response r. Equality passes the first verification. When the IEC61851 compliance check is also OK, Server sends Authentication OK to CS. Otherwise, steps 3–6 are repeated.
8. Charging starts.]

[Figure 4: PWM Pulses over the Control Pilot Pin of SAE J1772]

4.1 Mapping the Physical Challenge into the PWM Signal of the SAE
J1772 Control Pilot Pin
An encoding scheme is designed so that no synchronization between the IED and the charging station is needed when sending the physical challenge, which is embedded in the duty cycles of the PWM pulses. In an IEC62196 or SAE J1772 plug, square pulses are sent from the charging station to the EV over the control pilot pin of the charging cable, as shown in Figure 4. By changing the duty cycle of these pulses, the charging station can request the EV to adjust the maximum charging current. This protocol is defined in IEC 61851, which is adopted by IEC62196 and SAE J1772.
The physical challenge is sent as a sequence of different duty cycle values over the control pilot pin. The duty cycle values of the PWM signal are in essence a set of symbols. The EV treats this sequence as a challenge and generates a response accordingly. Note that what can be read from the CAN bus is the maximum negotiated charging current rather than the duty cycle. A lookup table is created to convert the current value back to the duty cycle.

4.1.1 Table Creation


To create the lookup table, the following procedure is adopted:
1. Set the minimum duty cycle value T_MIN to the minimum allowable value in IEC61851. Determine the maximum duty cycle value T_MAX based on the power rating of the charging station.
2. Divide [T_MIN, T_MAX] into partitions of equal length: T_1, T_2, ..., T_i, ..., T_N. The number of bits for each T_i is then n = log_2 N − 1.
3. For each n-bit string r_j, randomly pick 2 elements i_1, i_2 ∈ [1, N] and compute the minimum current values I_{i_1}^MIN, I_{i_2}^MIN of those 2 partitions, T_{i_1}, T_{i_2}, based on IEC61851.
4. Create the first table, Table CS, as follows: for each r_j, create two rows, filling the first with r_j and the mid-value of T_{i_1} and the second with r_j and the mid-value of T_{i_2}. That is, each r_j is mapped to two duty cycle values.
5. Create the second table, Table EV, as follows: for each r_j, create two rows, filling the first with r_j and I_{i_1}^MIN, and the second with r_j and I_{i_2}^MIN; sort the table in ascending order of I_i^MIN.
These two tables (Table CS and Table EV) are pre-stored in both the charging station and IED. Note that r_j corresponds to the physical challenge bit sequence and each bit string r_j is mapped to two different duty cycle values. The purpose is to eliminate the need for synchronization between the charging station and IED. When two consecutive symbols both take on the same bit string r_j, it would be difficult for the IED to decide whether there is one or two symbols if r_j always mapped to the same symbol. This implies that time synchronization may be necessary to tell when to sample the duty cycle values. Yet, this paper intentionally maps each r_j to two different duty cycle values, so that, when two consecutive symbols take on the same r_j, two distinct duty cycle values would always be transmitted for the two symbols although the two duty cycle values map back to the same r_j. In summary, with this encoding, adjacent symbols used to send the physical challenge always differ. Two symbols will never be mistaken as one symbol.
There could be multiple mappings with different n or, equivalently, partition size to support different levels of granularity. When the channel seems not very reliable, a mapping for a smaller n could be used to ensure reliable delivery of the physical challenge.

4.1.2 Table Lookup


Table CS is used in the charging station to look up from a random bit string to a duty cycle
value. Upon receiving the binary string of the physical challenge Cphysical , the charging station
divides the string into n-bit sub-strings. For each sub-string, the charging station looks up from
Table CS the corresponding duty cycle value. This forms a sequence of duty cycle values. The
charging station varies the duty cycle of the PWM signal on the control pilot pin according to
this sequence.
Table EV is used in the IED onboard of the EV to look up from the maximum negotiated current values to a binary string in order to recover the physical challenge and its parity check bits. For each negotiated current value I_CAN read from the CAN bus of the EV, the IED looks up from Table EV the maximum I_i^MIN which is still smaller than I_CAN and appends the bit string r_j to the previously decoded values to form the physical challenge (and its parity bits). Then the IED checks the physical challenge using the parity bits to detect any error in transmission.
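The following added example (not the paper's prototype code) implements the table creation of Section 4.1.1 and the lookups of Section 4.1.2 end to end: Table CS and Table EV are built for N = 16 partitions (n = 3), the physical challenge plus an 8-bit parity byte is encoded so that adjacent duty cycles always differ, and the IED recovers it from a stream of negotiated current readings without any symbol clock. The duty-to-current rule is the IEC 61851 / SAE J1772 formula for the 10% to 85% range (I = duty × 0.6 A); T_MAX = 70%, the XOR parity byte, the 0.1 A reading resolution and zero-padding to a multiple of n are assumptions of the example.

```python
import random
from bisect import bisect_left

# Added example, not the paper's prototype code. It builds Table CS and
# Table EV as in Section 4.1.1, encodes a physical challenge (plus parity)
# into a duty cycle sequence, and decodes it from the negotiated current
# values the IED would read from the CAN bus (Section 4.1.2).

T_MIN = 10.0   # % duty cycle, the IEC 61851 minimum (corresponds to 6 A)
T_MAX = 70.0   # % duty cycle, assumed here for a 42 A charging station
N = 16         # partitions, so n = log2(N) - 1 = 3 bits per symbol
n = N.bit_length() - 2


def duty_to_current(duty: float) -> float:
    """IEC 61851 / SAE J1772 rule for 10%-85% duty: I = duty * 0.6 A.
    The 0.1 A rounding models the resolution of the CAN bus reading (assumed)."""
    return round(duty * 0.6, 1)


def build_tables(seed: int = 1):
    """Table CS: r_j -> two duty cycle mid-values (one per partition).
    Table EV: list of (I_MIN, r_j) sorted by I_MIN, I_MIN from IEC 61851."""
    width = (T_MAX - T_MIN) / N
    partitions = list(range(N))
    random.Random(seed).shuffle(partitions)   # random pick, each partition used once
    table_cs, table_ev = {}, []
    for j in range(2 ** n):
        r_j = format(j, f"0{n}b")
        table_cs[r_j] = []
        for i in (partitions[2 * j], partitions[2 * j + 1]):
            low = T_MIN + i * width
            table_cs[r_j].append(low + width / 2)
            table_ev.append((duty_to_current(low), r_j))
    table_ev.sort()
    return table_cs, table_ev


def parity8(data: bytes) -> int:
    """8-bit parity check code, taken here to be the XOR of all bytes (assumed)."""
    p = 0
    for b in data:
        p ^= b
    return p


def encode(c_physical: bytes, table_cs: dict) -> list:
    """CS side: bits -> duty cycles, never repeating the previous duty value,
    so two equal consecutive symbols still appear as two distinct values."""
    bits = "".join(format(b, "08b") for b in c_physical + bytes([parity8(c_physical)]))
    bits += "0" * (-len(bits) % n)                 # zero-pad to a multiple of n (assumed)
    duties, last = [], None
    for k in range(0, len(bits), n):
        first, second = table_cs[bits[k:k + n]]
        last = second if first == last else first
        duties.append(last)
    return duties


def decode(can_samples: list, table_ev: list, challenge_len: int):
    """IED side: negotiated current readings -> (challenge, parity_ok).
    A new symbol starts whenever the reading changes, so no clock sync is needed."""
    imins = [imin for imin, _ in table_ev]
    bits, last = "", None
    for i_can in can_samples:
        if i_can == last:
            continue                                # still the same symbol
        last = i_can
        idx = bisect_left(imins, i_can) - 1         # largest I_MIN still below I_CAN
        bits += table_ev[idx][1]
    total = (challenge_len + 1) * 8                 # challenge plus one parity byte
    raw = bytes(int(bits[k:k + 8], 2) for k in range(0, total, 8))
    return raw[:-1], raw[-1] == parity8(raw[:-1])


def cable(duties: list, samples_per_symbol: int = 4) -> list:
    """Constructed channel: the EV polls the negotiated current several times per symbol."""
    return [duty_to_current(d) for d in duties for _ in range(samples_per_symbol)]


def roundtrip(c_physical: bytes):
    """Full path CS -> cable -> IED; returns (recovered challenge, parity_ok, duties)."""
    table_cs, table_ev = build_tables()
    duties = encode(c_physical, table_cs)
    recovered, ok = decode(cable(duties), table_ev, len(c_physical))
    return recovered, ok, duties
```

An all-zero challenge is the worst case for synchronization (every symbol is the same r_j); with the two-value mapping the transmitted duty cycles still alternate, so the repeated CAN readings collapse to the right number of symbols.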


4.2 CAN Interface Security


A tailored security mechanism is designed to ensure the binding of the IED and the EV such
that the secret key inside the IED can be seen as a proof of identity for the EV.
Through the tamper-resistant storage of the IED and the TLS protocol used to establish the secure session, the server and the charging station could be assured that it is the specified IED which runs the protocol. Knowledge of the physical challenge would further imply, with a reasonably high level of confidence, that this specified IED is somehow connected to the charging station via the charging cable. If the attacker could remove the IED from a valid car and plug it into the stolen car, this would pass the verification. A mechanism is thus designed to ensure that each IED can be plugged in once only. Subsequent removals and plug-ins would disable the CAN bus interface of the IED. This assures that only the IED installed by the authority could function properly.
The purpose of this mechanism is to ensure that an IED could only be plugged in to an EV by an authorized party, after which unplugging and re-plugging the IED to the OBD-II socket will render the IED's CAN bus interface disabled. The basic idea of this protection mechanism is that different states are defined for the IED to operate in. Details of the state definitions can be found in Figure 5. The states are defined based on the number of reboots, and whether the CAN bus interface has been unplugged and re-plugged. It is assumed that a trusted computing base (TCB) is available, which is provided by the secure element of the NXP-ATOP in this paper. The current state of the IED is signed by the TCB with a digital signature appended. In other words, the TCB is purely used to generate a digital signature for the current state of the IED. The need for the TCB could be waived if the IED has no backup battery and draws its power only from the OBD-II socket. In other words, the requirement of having a TCB in the IED is not mandatory in the design.


[Figure 5: State Diagram for Secure CAN Bus Interface in the IED. Transitions shown in the
diagram: State 0 --(1st bootup)--> State 1; State 1 --(V+ removal)--> State 2A;
State 1 --(CAN removal)--> State 2B; State 2A --(CAN removal)--> State 3;
State 2B --(V+ removal)--> State 3; a reboot from State 1, 2A, 2B or 3 leads to HALT.]

Figure 5: State Diagram for Secure CAN Bus Interface in the IED

4.2.1 IED Bootup Sequence

When the IED is rebooted, whether the CAN bus interface is enabled depends on the signed
state denoted as current state. The IED bootup sequence is as follows:
1. Verify the signature of current state.
2. If (current state = State 0) and the signature verification is OK, do:
   (a) Enable the CAN bus interface.
   (b) Generate a digital signature for State 1.
   (c) Update current state to State 1.
3. Else, do:
   (a) Disable the CAN bus interface.
The bootup sequence is designed in such a way that, after the first enabling of the CAN
bus interface by the authorized party, the IED will transit into a state (State 1) which disallows
enabling of the CAN bus interface upon subsequent reboots. Enabling the CAN bus interface
is allowed only in State 0. In other words, after the authorized party first boots up the IED and
installs it in the EV, the attacker should not have the digital signature for a state which allows
enabling of the CAN bus interface. As can be seen, all states except State 0 will not allow
the enabling of the CAN bus interface upon reboot. This thus can prevent the attacker from
unplugging the IED and using it on the stolen EV. A remote code attestation protocol could also
be used to verify the integrity of the software if necessary.

[Figure 6 shows the OBD-II socket with the pins GND, CAN_H, CAN_L and V+.]

Figure 6: OBD-II socket of the EV and Signal Level of CAN Bus

Figure 7: Glue Logic for the State Transition Signals

4.2.2 State Transition Signals and Glue Logic


Shown in Figure 6 is the OBD-II socket of the EV, through which the IED is connected to the
CAN bus of the EV. The signals V+, CAN_H, CAN_L are used, through some glue logic, to
trigger state transitions in the IED.^4

^4 It should be noted that, in the simplest case, using these state transition signals may not be compulsory. They
are included in the design for finer granularity of control and later expansion.


Depicted in Figure 7 is the glue logic for the state transition signals. The output signals
V+_REMOVAL and CAN_REMOVAL are fed as input to two edge-sensitive GPIO (General
Purpose Input Output) pins of the NXP-ATOP. A downward transition of either of these two signals
triggers an ISR (Interrupt Service Routine) to update the current state of the IED. When V+
is removed, there will be a downward transition of the signal level at V+. This falling
edge of V+ can be used to trigger the transition from State 1 to State 2A. In normal
situations, CAN_L and CAN_H would move in opposite directions. However, when the plug
is removed, both CAN_L and CAN_H will go downward in voltage level simultaneously. A
downward transition at both CAN_L and CAN_H can be used to trigger the state transition
from State 1 to State 2B. The two ISRs are as follows.
Subroutine V_plus_removal
1. Verify the signature of current state.
2. If (current state = State 1) and the signature verification is OK, do:
   (a) Generate a digital signature for State 2A.
   (b) Update current state to State 2A.
3. If (current state = State 2B) and the signature verification is OK, do:
   (a) Generate a digital signature for State 3.
   (b) Update current state to State 3.
End V_plus_removal

Subroutine CAN_removal
1. Verify the signature of current state.
2. If (current state = State 1) and the signature verification is OK, do:
   (a) Generate a digital signature for State 2B.
   (b) Update current state to State 2B.
3. If (current state = State 2A) and the signature verification is OK, do:
   (a) Generate a digital signature for State 3.
   (b) Update current state to State 3.
End CAN_removal
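The bootup sequence of 4.2.1 and the two ISRs above, as an added example that is not the paper's code. It stands in for the TCB's digital signature with an HMAC under a key held only by the TCB (an assumption; any unforgeable signature scheme fits), and the reinstallation scenario at the end is constructed.

```python
# Added example (not the paper's code): the signed-state machine gating the IED's
# CAN bus interface. Assumption: the TCB's digital signature is replaced by an
# HMAC-SHA256 under a key only the TCB holds; any unforgeable signature would do.
import hmac
import hashlib

TCB_KEY = b"constructed-tcb-key-for-illustration-only"   # constructed value
STATE0, STATE1, STATE2A, STATE2B, STATE3 = "0", "1", "2A", "2B", "3"

def tcb_sign(state):
    """TCB: signature over the state label (stand-in for the paper's signature)."""
    return hmac.new(TCB_KEY, state.encode(), hashlib.sha256).digest()

def tcb_verify(state, sig):
    return hmac.compare_digest(tcb_sign(state), sig)

class IED:
    def __init__(self):
        # Provisioning by the authorized party: the only moment a signed State 0 exists.
        self.current_state = (STATE0, tcb_sign(STATE0))
        self.can_enabled = False

    def _transition(self, new_state):
        """Generate a signature for new_state and replace current state with it."""
        self.current_state = (new_state, tcb_sign(new_state))

    def bootup(self):
        """Bootup sequence (4.2.1): CAN is enabled only from a validly signed State 0."""
        state, sig = self.current_state
        if state == STATE0 and tcb_verify(state, sig):
            self.can_enabled = True
            self._transition(STATE1)   # the signed State 0 is overwritten here
        else:
            self.can_enabled = False
        return self.can_enabled

    def isr_v_plus_removal(self):
        """ISR on the falling edge of V+_REMOVAL: 1 -> 2A, 2B -> 3."""
        state, sig = self.current_state
        if not tcb_verify(state, sig):
            return
        if state == STATE1:
            self._transition(STATE2A)
        elif state == STATE2B:
            self._transition(STATE3)

    def isr_can_removal(self):
        """ISR on the falling edge of CAN_REMOVAL: 1 -> 2B, 2A -> 3."""
        state, sig = self.current_state
        if not tcb_verify(state, sig):
            return
        if state == STATE1:
            self._transition(STATE2B)
        elif state == STATE2A:
            self._transition(STATE3)

def reinstall_scenario():
    """Constructed scenario: install, unplug (V+ drops first, then the CAN pair),
    try to restore a 'State 0' label with a stale signature, and reboot.
    Returns (first_boot_can, state_after_unplug, forged_boot_can)."""
    ied = IED()
    first = ied.bootup()
    ied.isr_v_plus_removal()
    ied.isr_can_removal()
    after = ied.current_state[0]
    ied.current_state = (STATE0, ied.current_state[1])   # label forged, sig stale
    return first, after, ied.bootup()
```

Note that a plain reboot from State 1, with no unplugging at all, already disables the interface; the ISRs only add finer-grained state for diagnostics and later expansion, as the footnote above says.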

5 Security Analysis
5.1 Security of Cyber-Physical Device Authentication Protocol
The cyber-physical device authentication protocol can withstand most attacks, except sophisticated tampering of the charging cable, which involves relatively deep technical know-how
that is difficult for most adversaries. Simple tapping or tampering of the charging cable would give
a wrong impedance value and should fail the IEC 61851 verification. Even for those more
sophisticated attacks, the protocol can still assure that the malicious load is a controllable one
which is responsive to the load curtailing requests made through the control pilot pin signaling.
That is, a car may be plugged in with the wrong identity using a sophisticated tampering attack, but passing the authentication protocol in this case means that this illegitimate car would
still follow the grid's instructions when demanded.
The security analysis of the cyber-physical device authentication protocol is similar to
that of a typical challenge-response authentication protocol, a formal proof of which might
not be available. In order to compute a correct response that can pass the verification by the
server, the IED needs to have knowledge of the secret key K and all the inputs ($C_{cyber}$ and
$C_{physical}$) to the PRF. This is based on the unpredictability assumption of the PRF, which in
turn is a result of the well-known indistinguishability assumption of PRFs. While an attacker

might use a second car with a valid K, he has to plug in that car, rather than the malicious
load, in order to obtain $C_{physical}$ as well.
The security against the substitution attack [7] hinges on access to $C_{physical}$.
There should be no other way than tapping onto the control pilot pin of the charging cable to
obtain $C_{physical}$, as the encryption used between the charging station and the server is assumed
to be secure. Simple tampering of the charging cable fails the IEC 61851 protocol verification.
In order to launch the relay attack posed by [28] successfully, the protocol proposed in this
paper makes physical access to the second EV a necessity. While the first EV, which is the
malicious one in our consideration so far, can obtain $C_{physical}$, it has to pass $C_{physical}$ to the
second EV through a certain channel. Unless the attacker could modify the IED firmware of
the second EV, which is difficult in general due to the tamper resistance discussed, the
IED firmware of the second EV has to accept $C_{physical}$ through the CAN bus. Feeding another
input to the IED's CAN interface is highly unlikely due to the CAN security implemented.
The only possible means to feed $C_{physical}$ to the IED of the second EV is through its charging
cable again. In other words, the attacker has to launch the relay attack over the charging cable,
and IEC 61851 safeguards against simple tampering techniques.
For the more sophisticated cable tampering attacks, we should distinguish between two
cases: that the second EV is cooperative in the attack, and that the second EV is innocent and
unaware of its involvement in the attack. In both cases, physical access to the second EV is
inevitable, which already imposes an additional layer of difficulty on the attacker in the latter
case, making a massive attack unlikely. For the former case with a cooperative EV, a complete
defeat of the attack might be impossible. Even the distance bounding protocol [4, 28] might
not work well. Imagine the relay attack to access a car as in [28]: if the car owner holding
the key cooperates with the attacker, how can a defence against such an attack be possible? This
is the same for the case of the substitution attack, if the attacker builds sophisticated tampering
devices to relay the charging cable signals. Nevertheless, the cyber-physical authentication


protocol still gives a better protection guarantee for the power grid reliability in this case.
First, even the malicious car would be responsive to load curtailing commands as it is verified
to be compliant to IEC61851 in the cyber-physical authentication protocol. Second, the task
of relaying is made more difficult to average attackers.
It should be noted that the distance bounding protocol over the charging cable might not
be able to withstand the substitution attack with a cooperative second EV. First, the delay
difference between the two cars could be too small to obtain a clear resolution with high
confidence. Second, the delay could be tampered with, as physical access to the two cars is assured.
Besides, the equipment required makes it impractical.

5.2 Analysis of CAN Interface Security


The only state which allows the IED to boot up with the CAN bus interface enabled is State
0. Once an IED is deployed, it would never have a signed state for State 0. The signature for
State 0 would be immediately erased after the first installation by the authorized dealer. In
State 1, the IED could operate normally with the CAN bus interface enabled. However, once
rebooted, the CAN bus interface will be disabled at the next bootup. Since the attacker has no
knowledge of a valid signature for State 0, this check cannot be bypassed in the next bootup.
It is possible that the attacker could obtain a new IED from the manufacturer but this new
IED does not have the necessary credentials (including the secret key and certificates) prestored. In other words, the attacker could only get an IED with CAN bus interface enabled
but without the needed credentials or an IED with proper credentials but with the CAN bus
interface disabled.


6 Experiment Results
A number of experiments were carried out, including demand response on a real EV, the substitution attack,
how the cyber-physical authentication protocol withstands the substitution attack and detects
a malicious load, and an execution of the cyber-physical authentication protocol on an EV
emulator. We have built our own charging station, as shown in Figure 8, and implemented a
basic demand response application. When carrying out the substitution attack, malicious
loads including a water kettle and a hairdryer are plugged in instead of the EV. The normal
challenge-response protocol is passed without detecting any anomaly and the charging station
supplies power to the kettle and dryer. When a load curtailing command is issued, these loads
are unresponsive. We then tested the cyber-physical authentication in the same attack setting
and the system is now able to detect the malicious loads and deny access at the start. On
average the time needed to complete the cyber-physical authentication protocol ranges from
40s to 100s. Since the authentication could be done automatically after plugging in without
demanding active human attention, the latency of the protocol could be reasonably practical.
The following discussion will focus on the execution of the protocol on the EV emulator.
The EV emulator is built on an 8051 microcontroller from SiLab. The experiment setup is
shown in Figure 8, which also depicts how the physical challenge is embedded in the PWM
signal of the control pilot pin.

7 Related Work
Man-in-the-middle (MitM) attacks are not an entirely new problem in security engineering.
Anderson has a fairly comprehensive discussion in his book [1]. This paper takes the specific
context of the smart grid into consideration to illustrate the potential impact of such an attack.
The discussion of MitM attacks could be found in various contexts including web browsers
[2, 15] and physical access control [4].


[Figure 8 shows the experiment setup, with the change in duty cycle of the control pilot PWM signal annotated.]

Figure 8: Experiment Setup


Multi-factor entity authentication has also been addressed in different applications [2, 3, 6,
14, 15, 23-25, 30]. Besides the existing forms of typical authentication factors, namely, what
the prover has, what the prover knows, and what the prover is, we introduce a new factor
of authentication based on where the prover is, or where the prover is physically connected
in the smart grid. This shares some similarity with [15] yet differs from it. The main difference
lies in that human involvement is avoided in the current context, which is desirable. While
the distance bounding protocol [4, 28] could partly solve the problem of substitution attacks,
it poses stringent requirements on the physical channel for running it. Besides, there is still a
chance that physical proximity may not guarantee physical connectivity. In contrast,
the proposed method in this paper assures that the EV passing the authentication is the one
plugged in. Of course, it is possible that the attacker tailors a special charging cable to bypass
the protocol. But it requires deep technical expertise. Similarly, using RFID tags on electric
vehicles may not provide the desired strength of binding between the RFID tag and the electric
vehicle.
It is fair to say most research in smart grid security focuses on cyber mechanisms. For
instance, [26] develops a secure Intelligent Electronic Device (IED) which is safe to connect
to the Internet. Entity authentication and key management in the smart grid is also actively
studied [5, 9-11, 16, 22, 30]. However, nearly all of the existing works only consider purely
cybersecurity issues and it is unsure whether such approaches could defend against coordinated cyber-physical attacks in a real deployment scenario. It is true that combined cyber-physical considerations have to take specific details of the contexts or application scenarios, say, what
equipment is being secured and where it is connected to the power grid, into account, which
might limit the range of applications of the resulting schemes. However, considering specific
contexts would also mean optimized performance in the targeted application. There is a tradeoff
between generality and optimization. More importantly, a generic design might not be able
to withstand even the simplest form of coordinated cyber-physical attacks. It is important that
coordinated cyber-physical attacks be considered early on in smart grid security designs.

8 Conclusion
In this paper, we illustrate the potential risks of a specific type of coordinated cyber-physical
man-in-the-middle attack, called the substitution attack, to the smart grid. We also propose a
cyber-physical device authentication protocol to withstand the substitution attack, and a CAN
security mechanism to provide a strong binding between the IED and the electric vehicle. A
proof-of-concept prototype is implemented to demonstrate the strength of the combined cyber-physical approach to defend against the man-in-the-middle attack in the smart grid. This idea could
be extended to other equipment in the smart grid. By taking specific details of the context
of the EV ecosystem into consideration, the prototype achieves the advantage that no intrusive
modifications to electric vehicles are necessary. The advantages of our design over NFC (Near
Field Communication)/RFID and IEC 15118 are shown in Table 1.


Table 1: Comparison of Different Approaches

Approach      | Physical Connectivity Assurance | Minimum Modification On EV | Demand Response Compliance
--------------|---------------------------------|----------------------------|---------------------------
NFC/RFID      | NO                              | YES                        | NO
IEC15118      | YES                             | NO                         | NO
Our Approach  | YES                             | YES                        | YES


Acknowledgment
The authors would like to thank Energy Market Authority (EMA) of Singapore for providing
funding support.

References
[1] R. J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems,
2nd ed. Wiley, 2008.
[2] A. Ben-David, O. Berkman, Y. Matias, S. Patel, C. Paya, and M. Yung, Contextual
OTP: Mitigating Emerging Man-in-the-Middle Attacks with Wireless Hardware Tokens,
in F. Bao, P. Samarati and J. Zhou (Eds.): ACNS'12, Springer LNCS, vol. 7341, p.30-47,
2012.
[3] J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung, Fourth-Factor Authentication:
Somebody You Know, in ACM CCS'06, p.168-178, 2006.
[4] S. Brands, and D. Chaum, Distance-Bounding Protocol, in Eurocrypt'93, 1993.
[5] T. Baumeister, Adapting PKI for the Smart Grid, in IEEE SmartGridComm'11, p.249-254, 2011.
[6] X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, Secure Remote Authentication
using Biometric Data, in R. Cramer (Ed.): Eurocrypt'05, LNCS, vol. 3494, p.147-163,
2005.
[7] A. C-F. Chan, and J. Zhou, On Smart Grid Cybersecurity Standardization: Issues of
Designing with NISTIR 7628, IEEE Communications Magazine 51(1), p.58-65, January,
2013.
[8] M. M. Fouda, Z. M. Fadlullah, N. Kato, R. Lu, and X. Shen, A Lightweight Message
Authentication Scheme for Smart Grid Communications, IEEE Trans. on Smart Grid,
vol. 2, no. 4, p.675-685, December, 2011.
[9] H. Khurana, R. Bobba, T. Yardley, P. Agarwal, and E. Heine, Design Principles for Power
Grid Cyber-Infrastructure Authentication Protocols, in HICSS'10, January, 2010.
[10] N. Kuntze, C. Rudolph, I. Bente, J. Vieweg, and J. von Helden, Interoperable Device
Identification in Smart-Grid Environments, in IEEE PES General Meeting, p.1-7, July,
2011.
[11] S. Lakshminarayanan, Authentication and Authorization for Smart Grid Application
Interfaces, in IEEE/PES PSCE'11, March, 2011.
[12] IETF, RFC 2104 HMAC: Keyed-hashing for Message Authentication.
[13] IETF, RFC 5246 The Transport Layer Security (TLS) Protocol, version 1.2.
[14] M. S. Mannan, and P. C. van Oorschot, Using a Personal Device to Strengthen Password
Authentication from an Untrusted Computer, in S. Dietrich, R. Dhamija (Eds.): FC'07,
Springer LNCS vol. 4886, p.88-103, 2007.
[15] J. M. McCune, A. Perrig, and M. K. Reiter, Seeing-is-believing: Using Camera Phones
for Human-verifiable Authentication, in IEEE Symposium on Security and Privacy,
p.110-124, 2005.
[16] H. Nicanfar, P. Jokar, K. Beznosov, and V. C. M. Leung, Efficient Authentication and
Key Management Mechanisms for Smart Grid Communications, to appear in IEEE Systems Journal, 2013.
[17] NIST, NISTIR 7628: Guidelines for Smart Grid Cyber Security, vol. 1-3, August, 2010.
[18] NIST, NIST SP1108: Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (January, 2010), Release 2.0 (February, 2012).
[19] NERC, Critical Infrastructure Protection (CIP-001 to CIP-009).
[20] NXP, ATOP datasheet, accessed at http://www.nxp.com/documents/leaflet/939775016910.pdf.
[21] SGIP-CSWG, Standard Review Report on Security Assessment of SAE J2847-1: Communication between Plug-in Vehicles and the Utility Grid, November, 2010.
[22] A. J. Paverd, and A. P. Martin, Hardware Security for Device Authentication in the
Smart Grid, in J. Cuellar (Ed.): SmartGridSec'12, Springer LNCS vol. 7823, p.72-84,
2013.
[23] D. Pointcheval, and S. Zimmer, Multi-factor Authenticated Key Exchange, in
S. M. Bellovin, R. Gennaro, A. D. Keromytis, and M. Yung (Eds.): ACNS'08, Springer
LNCS, vol. 5037, p.277-295, 2008.
[24] B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell, Stronger Password Authentication using Browser Extensions, in USENIX Security'05, p.17-32, 2005.
[25] B. Schneier, Two-factor Authentication: Too Little, Too Late, Communications of the
ACM 48(4), 2005.
[26] J. Zhang, C. Grier, S. T. King, and C. A. Gunter, Secure Intelligent Electronic Devices,
accessed at http://tcipg.org.
[27] ISO/IEC, ISO/IEC 15118-2: Vehicle-to-Grid Communication Interface Part 2: Network and Application Protocol Requirements (Draft International Standard), 2012.
[28] A. Francillon, B. Danev, S. Capkun, Relay Attacks on Passive Keyless Entry and Start
Systems in Modern Cars, in NDSS'11, February, 2011.
[29] Z. Sumic, Gartner Research Report: Hype Cycle for Smart Grid Technologies, 2012,
July, 2012.
[30] F. Zhao, Y. Hanatani, Y. Komano, B. Smyth, S. Ito, and T. Kambayashi, Secure Authenticated Key Exchange with Revocation for Smart Grid, in IEEE ISGT'12, 2012.
