Security analysis of handover key management in 4 g ltesae networks

IEEE SYSTEMS JOURNAL, VOL. 8, NO. 2, JUNE 2014 641

Toward Unified Security and Privacy Protection forSmart Meter Networks

Georgios Kalogridis, Mahesh Sooriyabandara, Zhong Fan, and Mustafa A. Mustafa

Abstract—The management of security and privacy protectionmechanisms is one fundamental issue of future smart grid (SG)and metering networks. Designing effective and economical mea-sures is a nontrivial task due to the following: 1) the large numberof system requirements; and 2) the uncertainty over how thesystem functionalities are going to be specified and to evolve. Thispaper explores a unified approach for addressing security andprivacy of smart metering (SM) systems. In the process, we presenta unified framework that entails the analysis and synthesis ofsecurity solutions associated with closely interrelated componentsof a typical SM system. Ultimately, the proposed framework canbe used as a guideline for embedding cross-domain security andprivacy solutions into SG communication systems.

Index Terms—Privacy, risk assessment, security, smart grid(SG), smart metering (SM).

I. INTRODUCTION

SMART METERING (SM) is an important and essentialcomponent of the upcoming energy network, coined smart

grid (SG). SM can be defined as the communication systemand associated data management system which allow collec-tion, processing, and distribution of information between smartmeters, customers, and utility companies [1]. The importanceof SM is that it interconnects SG components and functionswithin a two-way communication network. The objective isto support an economically efficient sustainable power systemwith high quality and security of supply. To achieve this ob-jective, advanced SM functions might include automated meterreadings (AMRs), distributed energy storage (e.g., of electricvehicles or EVs), distributed energy resource (DER) manage-ment (e.g., from renewable resources), as well as further energyefficiency mechanisms such as incentive-based direct load con-trol and real-time optimizations for load shifting/scheduling.Ultimately, SM will help SG stakeholders to innovate andimprove grid operations and services [2].

It emerges that SG and SM systems are underpinned bythe utilization of information and communication technologies(ICTs). This exemplifies the increasing dependence of thesociety on complex systems combining power and automated

Manuscript received April 15, 2012; accepted January 23, 2013. Date ofpublication July 9, 2013; date of current version May 22, 2014.

G. Kalogridis, M. Sooriyabandara, and Z. Fan are with the Telecommu-nications Research Laboratory, Toshiba Research Europe Limited, BristolBS1 4ND, U.K. (e-mail: [email protected]; [email protected];[email protected]).

M. A. Mustafa is with the School of Computer Science, The University ofManchester, Manchester M13 9PL, U.K. (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/JSYST.2013.2260940

control systems, communication networks, and computer appli-cations. However, while SG systems provide clear advantages,the dependence on ICT gives rise to vulnerabilities and cyberattacks with potentially devastating results [3].

Risk analysis and impact assessment is a step toward secur-ing (or upgrading the security of) any system. The applicationof such a process is nontrivial in an SM network, consideringits architectural complexity and interfacing with cyber-physicalSG functionalities, and the scale of the potential damagescaused by attacks. For example, protection against unauthorizedaccess and repudiation is a vital requirement for the AMR datato be trusted by both the utility providers and the customers.This requires end-to-end communication security, tamper-proofhardware (HW), trusted software (SW), and complex accesscontrol.

Data privacy concerns the security of data that are linkedwith, or infer information related to, the life of individuals.The problem of privacy protection is intrinsic in SM be-cause frequent data collection from smart meters reveals awealth of information about residential appliance usage [4].Information proliferation and lax controls combined with gran-ular smart meter data collection create a risk of privacyinvasions.

Our Contribution: In this paper, we introduce a unifiedsecurity and privacy protection (USaPP) framework that helpsanalyze fundamental problems of SM security and privacy, andsearch the solution space of security controls in a methodi-cal and holistic manner. Providing a comprehensive securityanalysis of SM from different stakeholders’ point of view isnot the objective of this paper. Instead, this paper providesan overview of user-related problems and solutions as thebasis for suggesting a unified approach. To this end, the mainobjective of this paper is to support the premise that the USaPPapproach is vital for sustainable cyber-physical security andprivacy management of SM systems, and, more generally,SG systems and similar complex critical infrastructures. Asan example application, we study the security and privacyof an EV dynamic charging use case and apply the USaPPmethodology.

We organize our material as follows. Section II describes atypical SM system architecture. Section III makes an overviewof SM security and privacy problems. Section IV supports therationale of USaPP benefits and introduces the USaPP frame-work. Section V analyzes further the subclasses of USaPP classelements and maps them with security controls. Section VI inte-grates USaPP with a system-level security analysis framework.Section VII applies USaPP to an EV charging scenario, andSection VIII concludes this paper.

1932-8184 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

642 IEEE SYSTEMS JOURNAL, VOL. 8, NO. 2, JUNE 2014

Fig. 1. Typical SM architecture.

II. SM SYSTEM DESCRIPTION

We consider an SM communication system that consistsof the following components: a smart meter which primarilymeasures energy consumption, a home area network (HAN)which is used for home appliances and devices to communicate,a wide or neighborhood area network (WAN/NAN) which con-nects HAN to control centers (head-ends) and interested parties,and a gateway which interconnects HAN with WAN/NAN.Fig. 1 shows the typical SM architecture that is being reflectedin different USA and European standards such as ZigBee andETSI machine to machine [5].

Optionally, home automation, e.g., a home building en-ergy system (HBES) or a home energy management system(HEMS), may also interface with the smart meter or thegateway within the HAN. An in-home display, often calledas customer display unit, is a special device that provides avisualization of data received from the smart meter and optionalsubmeters attached to specific appliances. Ultimately, a numberof home sensors and actuators can be brought together tocontrol and optimize energy consumption. This functionalitymay further be used to optimize renewable power generationand to reach carbon saving targets.

There are a number of options available for the communi-cations outside the home, e.g., between the metering gatewayand the power distribution network, utility, or operators. Theseinclude cellular technologies, wireless mesh/sensor networks(WMN/WSN), and various home broadband solutions. How-ever, it remains to be seen if utilities and grid operators willbe willing to trust the reliability and independence of somenetworks. It is likely that SM systems will use a mixture ofICTs. For example, data concentrators/aggregators may collectdata from home gateways via WMNs and then send them to theutilities through fixed line communications.

A common SG functionality, which may utilize SM, con-cerns “demand, generation, and storage flexibility.” One suchflexibility program, known as demand response (DR), aims to

reduce energy costs, to reduce peak loads, and to adapt thevariability of renewable power generation. DR involves director indirect control of customer demand and consumption (e.g.,remote control of home appliances) in order to apply peakdemand shaving. An alternative program, known as demandside management (DSM), involves giving customers financialincentives to shift demands (that can be elastic) as required bythe utilities. Both DR and DSM can effectively be implementedby collecting and analyzing customer energy data, makingenergy saving suggestions, and applying real-time pricing. Thekeen reader can find a good overview of DR/DSM functionsin [6].

III. SECURITY AND PRIVACY ISSUES

A. Related Work

While the focus of this paper is not an exhaustive surveyof various security and privacy mechanisms of SG, we brieflymention in the following discussion some of the related work.

An early work discussing important security and privacychallenges of an SG is found in [7], while a more compre-hensive review of related issues and solutions is found in [8].The National Institute of Standards and Technology (NIST)document [9] provides a list of security requirements of SGand lays out a path toward the standardization of securitysolutions. The authors of [10] discuss several key technologiesof SG, particularly public key infrastructures (PKIs) and trustedcomputing tailored specifically to SG networks. A reliabilityperspective of SG is elaborated in [11], where a systematic andarchitectural approach is advocated for integrating the diverseICTs to realize a reliable, secure, and smart power grid. This,in fact, coincides with the motivation of this paper in which weaim to provide a holistic framework for security and privacyof SM systems and, in advance, interrelated cyber-physicalsystems of the SG.

KALOGRIDIS et al.: TOWARD USAPP FOR SMART METER NETWORKS 643

B. Fundamental Security Problems

SG/SM cyber threats, such as the Stuxnet worm [9], have thepotential to breach national security, economic stability, andeven physical security. Power stations and supervisory controland data acquisition (SCADA) systems have always been targe-ted by hackers; the move from closed communication systemsto open IP networks opens up a new range of vulnerabilities.As previously stated, the study of SM/SG security is out ofthe scope of this paper. The keen reader may refer to the NISTguidelines for SG cyber security [9]; these provide a good start-ing point and a foundation for SG security analysis, includingsecurity attacks, vulnerabilities, risks, requirements, solutions,and research problems. Also, a comprehensive specification ofSM security requirements has been published by OpenSG [1].

This paper focuses on the information security of the homeSM system as described in Section II. The SM system maybe attacked from many different entry points. For example,data integrity and authentication may be compromised throughnetwork attacks such as man-in-the-middle spoofing, imperson-ation, or denial of service (DoS) attacks. Similarly, data secu-rity may be compromised by sabotage/insider attacks such asviruses and trojan horses. The later threat becomes significantconsidering the distributed and shared nature of the SM systemand its interconnections with different networks such as NANsand the Internet.

Once an entry point is found, it becomes easier for theattacker to cascade an attack along the SM system. For exam-ple, compromising the real-time pricing channel may result inenergy theft or malicious remote control of appliances. Hence,rigorous HW/SW security is required to ensure the validity ofdifferent communicating parties such as head-ends and smartmeters. For example, consider an attacker takes over the head-end and sends all meters a DR control message to interruptsupply. The interruption can be made permanent by also com-manding all meters to change their crypto keys to some newvalue only known to the attacker [12]. The impact can be enor-mous: millions of homes could be left without power until theyare locally replaced or reflashed with authentic keys, people’slivelihood could be affected, health and safety could be jeopar-dized, and businesses could lose millions. SM security needs toperform the following: 1) prevent such attacks from happening;and 2) provide a recovery/survivability mechanism in case of(successful) attack.

The communication infrastructures are not the only source ofvulnerabilities. HW and SW used for building SM componentsare at risk of being tampered even before they are installed.Rogue code including the so-called “logic bombs” which causesudden malfunctions can be inserted into SW while it is beingdeveloped. As for HW, remotely operated “kill switches” andhidden “backdoors” can be written into the computer chips,allowing outsiders to manipulate the system.

C. Fundamental Privacy Problems

The notion of privacy is complex and is perceived anddefined in different ways in different countries and cultures.Privacy is associated with the notion of personally identifiable

information (PII) that may be contained in or linked with certaindata. In this direction, we would like to use the notion privacyin the context of the following two notions.

1) Anonymity is a property of how sufficiently the identityof a user associated with a message is hidden (rather thanthe message itself).

2) Undetectability is a property of how a particular item ofinterest (IOI) associated with a message is sufficientlydistinguished by whether it exists or not.

The SM privacy problem stems from the potential of a smartmeter to measure energy consumption in much more detail thana conventional meter. Smart meters are expected to provideaccurate readings automatically at requested time intervals(e.g., every few minutes) to the utility company, electricity dis-tribution network, or wider SG to facilitate optimizations suchas DSM and DR. Such detailed energy usage can be used todeduce detailed information about appliance usage and lifestylepatterns, as discussed in [4]. Quinn [4] also teaches that vagueassurances of privacy (by the government) are undesirable asthey often lead to regulatory capture and irrecoverable datamisuse damages.

The importance of SM privacy and compliance withdata privacy regulations has recently been highlighted inThe Netherlands, in 2009, where the consumers’ groups forcedthe government to postpone smart meter roll outs until afterdata privacy issues are resolved. According to the Dutch model,SM privacy requires technical specifications and justificationfor SM data collection and handling and provision of explicit,informed, and voluntary consent [13]. Further standardizationactivities in the U.S. and EU involve the development oflegal and regulatory consumer privacy regimes that promoteconsumer choice and control over third party use of theirenergy data.

IV. USAPP FRAMEWORK

A. Rationale

Complex critical infrastructure systems which interconnect anumber of independent subsystems to realize new functionality,services, and business models could lead to unforeseeable andunanticipated security, safety, and reliability-related vulnerabil-ities. Currently, a number of international efforts are underwayto assess and implement guidelines and methodologies forsecurity and resilience of ICT systems for SG. However, SGis not the first complex system to utilize ICT systems. Thereare many different example applications in retail and financialsectors which have a wealth of experience in utilizing ICT incomplex systems. The observation and experience from thesesectors indicate that security related to complex cyber-physicalsystems has been moving away from conventional layeredsecurity concepts toward more system approaches [14].

There are many drivers behind holistic system security ap-proaches: some technical and others policy and regulation re-lated. On the technical side, intradomain security measures arenot sufficient to address system-level threats. This often raisesthe need for a unified approach to analyzing, implementing,and managing security at system level. Such unified approach


provides many benefits during various stages of the life cycleof the system: from planning to design and to implementationand operation. In the planning and design stage, organizationsoften have to consider legislative, standard-related, regulatory,and system/application details, including other guidelines andbest information security and privacy practices. When devel-oping system security and privacy by design specifications, adecision has to be made about using one or more of domain-specific security techniques in isolation or in combination todevelop a solution addressing identified system and stakeholderrequirements.

A unified framework such as the one discussed in this paperwill help streamline security compliance as well as assist ineffectively utilizing the overall space of security solutions. Forexample, eliminating the use of security schemes which over-lap in the solution space can help improve the manageabilityand reduce complexity without compromising efficiency orsecurity. Furthermore, during system operation stages, unifiedsecurity solutions can help strengthen security and resilience asfollows.

1) Preparedness and prevention: the USaPP approach pro-vides a systematic way of mapping risk and impactassessment results to solutions to (preemptively) protectsecurity and privacy by design.

2) Detection and response: the USaPP framework can im-prove traceability by embedding in its core design handlesfor the use of standardized anomaly detection techniques.

3) Mitigation and recovery: the USaPP framework providesa mapping of SG/SM information assets and processes tosecurity controls, which helps segregate safe assets frompotentially affected/infected ones, mitigate the cascadingattacks due to interdependences, and pinpoint actions forfaster recovery.

4) Coordination and cooperation: the USaPP approach canprovide a common platform for international incidencereporting and cooperation.

We note that the four security and resilience elements listedpreviously are broadly known as the pillars of a critical infor-mation infrastructure protection (CIIP) system in the field ofICT [3].

A unified system’s approach to SM security is key to me-thodically addressing the emerging challenges. This becomesclearer if, momentarily, we consider a nonunified approach. Wesuppose, for example, that a level of SM security preparednessis required to protect against unknown or obscure vulnerabili-ties and threats. The lack of a unified security framework meansthat the results of a threat dependence analysis might not becredible as these will be subject to particular methodologiesemployed in different parts of the SM system. On the otherhand, a unified system approach helps consistently analyzethreats that need complex solutions, including security inter-connections among domains, traceability, and data handling.

With regard to customer privacy protection, we consider thepremise that regulations are not a panacea [4]. Instead, weconsider that a holistic approach and application of privacy bydesign solutions is a sine qua non for broad acceptance andsuccess of SGs.

B. Principles

We consider the USaPP framework to be an integratedholistic approach to deal with the SM/SG security and privacyproblems. A unified approach is necessary to study the impactof SM/SG attacks. This is because SM/SG is a complex cyber-physical system where vulnerability in one subsystem cascadesin vulnerabilities in other subsystems. In nonintegrated securitysystems, complex attacks are typically dealt with by retrofittingsecurity updates. Such problem-solving approaches have beenproven to be obscure and ineffective. For example, ICT systemshave long suffered from vulnerable security SW. Such a laxapproach is not prudent for SM networks which is likely to bepart of a critical energy infrastructure such as the SG. Instead,a unified approach should be considered from the design stageand should be applied systematically using open and standardsolutions.

From a user perspective, unification facilitates the integra-tion of conflicting SM functionalities and system control athome. For example, energy management and related data flowrelationships could be simultaneously applied from differentdomains such as user, utility, and third party energy opti-mization agents. Such relationships become more complexas microgeneration and EVs are integrated in home SM net-works. Furthermore, USaPP considers new market and businessmodels where users could change energy supplier, tariffing,energy management contracts, or even control SW on a frequentbasis (i.e., daily or less). In such case, both users and otherstakeholders will need to have a unified way of ensuring thatsecurity and privacy is maintained during a “hand-off” from one(validated) component or stakeholder to another.

The integration of security and privacy is also essential.This is because privacy depends on security services such asconfidentiality and access control. Hence, retrofitting privacyprotection mechanisms is susceptible to attacks if securityservices are not designed with privacy in mind.

In general, as heterogeneous communication systems con-verge, SM communications will integrate with ad hoc networks,the Internet, cloud services, and etc. For example, a roaming SGcustomer may wish to initiate an authenticated flow of infor-mation between his home gateway and a remote device. Suchdata could, for example, be used to authorize access to remotefacilities. If privacy is required, the customer may also wishto maintain anonymity. The extrapolation and combination ofmultidomain information such as energy consumption data,location information, lifestyle information, and other personalinformation increase the potential both for richer applicationsand services as well as security threats and damages. Futureintegration of systems and services requires transparent USaPPby design more than any other time.

The evolution of SM systems also requires scalable andfuture proof architectures. For example, consider the casewhere the collection frequency of smart meter data and controlfunctionality change. This change may increase the risk of dataprivacy infringements and remote attacks such as impersonatedcontrol messages. A scalable security system should be pre-pared to respond to such changes, e.g., by providing customeralerts and handles that help adjust protection levels as required.


Fig. 2. USaPP framework for home SM systems.

C. Framework Elements

Given the system requirements outlined in previous sections,in this section, we propose a USaPP framework with an empha-sis on home solutions, as illustrated in Fig. 2. However, we alsoconsider that the proposed framework can be adopted for usewithin the scope of a broader SM/SG security system, such asthe EV charging use case discussed in Section VII.

We organize SM USaPP solutions in the following threeclasses.

1) Communication security. This class involves two distinctcommunication systems: a) in-home HAN, HEMS, andHBES and b) WAN/NAN, including WMN/WSN.

2) Secure computing. This class involves the HW and SWsecurity systems integrated in different SM componentsthat can operate SM system functions such as energy andcyber system control, including communications.

3) System control. This class involves the SM functionsand the variables (user input, rules, policies, or decision-making algorithms) that drive computing or communi-cation USaPP operations. This class is responsible fordeciding what security services are needed for differentfunctions and where/how different data are protected andcommunicated. That is, this class is responsible for con-figuring home SM operations and resolving conflictingrequirements (e.g., energy saving versus privacy versususer overrides versus SG overrides).

Each one of the aforementioned three classes integrates bothsecurity and privacy protection measures and comprises threesubclasses, which are described immediately in the followingdiscussion.

V. MAP OF USAPP SOLUTIONS

In this section, we discuss in further detail the components ofthe USaPP framework in Fig. 2.

A. Communication Security

1) Cryptosystem: Remote access and control within an SMsystem, such as DR functionality, may involve the following:1) heterogeneous private or public networks, such as the TCP/IP-based networks (Internet), Clouds, and WMNs; 2) many dif-ferent devices, such as sensors, access points, and smart meters;and 3) different actors, such as utilities, grid operators, andcustomers. Communication security for such systems entailskey management in different security domains. However, allNAN/WAN sensors and smart meters of a city may all needto be integrated in a single security cryptosystem involvingmaintenance of possibly millions of cryptographic keys andother credentials. Hence, SM communication security needs tocombine large-scale economical key management and cryptog-raphy that can be carried out effectively on devices with limitedprocessing power.

The design of an SM key management system is an activearea of research. This could, for example, be based on existingsystems such as PKI and identity-based encryption (IBE). IBE,in particular, is a strong candidate cryptosystem being deployedin SG/SM systems as it allows devices with low computationpower to start sending messages without a need to contact a keyserver.

In general, a mixture of hierarchical, decentralized, dele-gated, or hybrid security schemes may be feasible. Preferably,


a candidate scheme should include secure bootstrapping pro-tocols, i.e., it should provide effective means to initialize newdevices. Furthermore, critical security operations, such as keyupdates, should preferably employ group key managementtechniques, such as “defense in depth” techniques used innuclear or military control systems, to mitigate the impact ofcompromised head-ends (or trusted people) [12].

2) Routing Security: Network routing architecture has animpact on security. For example, consider a NAN implementedusing WSN in which a number of intermediate wireless nodesaggregate traffic to optimize bandwidth usage and increasenetwork reliability. Assuming an end-to-end encryption, aggre-gation might be as simple as concatenation of encrypted data.Alternatively, secure aggregation might use additive privacyhomomorphism protocols [15]. End-to-end security ensuresthat data security services are resilient to compromised or rogueaggregators. Furthermore, a multilayer and/or cross-layer ap-proach to security (including physical layer (or PHY), mediumaccess control (or MAC), and network layer or multihop pro-tocol) may be required to protect against DoS attacks such asflooding attacks. For example, the security of the IPv6 over Lowpower Wireless Personal Area Networks (6LoWPAN) protocolmay provide integrity and authentication.

3) Network Privacy: Privacy protection requires standardsecurity services such as confidentiality, authentication, andaccess control. Such security services need to be employed atdifferent SM layers, including communications, storage, andcomputing platforms. However, that kind of measures may notsuffice. For example, end-to-end communication security mayonly guarantee message payload protection. Private informationmay still be exposed from “shallow packet inspection” (e.g.,analysis of IP addresses), which is feasible in WMNs suchas 6LoWPAN. That is, network privacy also requires networkanonymity, as defined in Section III-C. In such cases, possibleprotection mechanisms include network mixes such as onionrouting [16].

In a broader SM network system, different levels of SMdata anonymity may be achieved as SM data are cascaded indownstream systems. This can be engineered by effectivelyremoving different degrees of privacy information from SMdata in intermediate systems/aggregators. We note that anSM aggregator may also offer undetectability (as defined inSection III-C). For example, the aggregation of the meteredload signatures of (sufficiently) large blocks of homes willeffectively reduce the probability in detecting a particular IOIsuch as the operation of a TV set [4].

B. Secure Computing

1) HW and SW Security: Secure computing solutions in-volve the protection of programmable HW components,including SW and firmware. Security holes such as backdoorsand SW bugs may allow hackers to compromise standard cybersecurity solutions such as cryptographic protocols offeringauthentication, access control, and accountability (AAA).

SM systems may include small- (e.g., embedded) to large-scale (e.g., server type) computing platforms. Such devicesneed to employ well-designed operating system kernel security

architectures such as firewalls to protect against both malwareand poor user practices, such as poor storage of importantcryptographic keys, poor user/system trust and password man-agement, and social engineering.

The SM system should be resilient to both insider and incom-ing attacks from open interfaces while providing access permis-sions to authorized parties as appropriate. For example, accessrights may be managed by a digital rights management system.Also, applications may communicate on complex distributedprogramming platforms such as mobile agents; this requiressuitable mobile code security measures. Finally, the systemshould undergo continuous exhaustive penetration testing, bugfixing, and updating.

Certification and accreditation are critical processes in guar-anteeing HW and SW security. Common criteria, FIPS 140,and PCI PTS are generic certification schemes. Additionally,ISA 99 standardizes security controls for embedded systems.However, extensions will be required to include security pro-files for SM/SG, similar to those related to the smart cardindustry. Alternative, and quicker, tests include “white-box”and code audits, employed by the U.S. national SCADA testbed program. Certification governance may also consider anadaptation of the ISO 27K series of standards as it occurredwith the telecommunication security.

2) Cyber-Physical Security Analysis: A holistic approachshould be taken to analyze USaPP of the SM system. For ex-ample, SM communication security vulnerabilities can directlycompromise billing, HEMS and DR functionalities, and gridstability. Hence, SM security should be integrated to addressproblems in both the cyber and energy domains. It is particu-larly important to design a unified intrusion detection systemthat will monitor and analyze both cyber and energy events,such as potential attacks and impacts. For example, intrusiondetection checks may include key management and routingprotocol operations, packet headers and payloads, security logs,traffic statistics, wireless signals, and system and data integrity.Additionally, honeypots may be used to isolate and analyzeattacks [17].

In such complex computing, communications, and energymanagement environment, it is important to simulate risksof the broader SM/SG system. That is, cascaded risk shouldbe evaluated, whereby compromise of one system leads tocompromise of a downstream system. A risk analysis modelis often recommended for the SG [3] as it will help proactivelyand reactively identify system anomalies and take appropriateprotection measures, including system security alerts.

3) Reliability and Availability: The reliability and avail-ability of energy, in the physical sense, probably form themost critical security requirements. However, it is wrong toconsider data integrity and confidentiality less important, assuch security services may be cross-correlated. For example,lack of data integrity may yield unreliable billing. Even worse,compromised AAA may allow intruders to manipulate SMappliances and even cause physical damages (e.g., one couldforce the gas heaters to operate on full power), let alone poten-tial greater SG threats such as substation sabotages leading tosystem breakdown and widespread energy blackouts (which wedo not study here).


Fig. 3. Redundant measurement system to verify the integrity of the reportedmeasurements.

Reliability can be induced by means of redundancy. One suchexample is depicted in Fig. 3, where the integrity of gatheredbilling data X can be verified if an integrity check Y = f(X) isfed back to be compared with X . Sending back Y instead of Xincreases the level of security when Y is sent over an untrustednetwork.

We note that the simple integrity check scheme in Fig. 3may also be used for privacy-friendly computations using zero-knowledge proofs, in which case X may represent encryptedSM data that cannot be decrypted by the utility and Y =f(X) may represent the outcome of an encrypted functionthat calculates, for example, the bill [15]. Reusing architecturaland protocol components for different reliability, security, orprivacy services again highlights the need for a unified systemdesign approach.

Survivability functionality also needs to be in place to handleemergency situations when critical security services fail. So-lutions may involve the addition of system redundancy func-tionalities such as different ways to access system components.For example, a home gateway may be simultaneously accessedthrough different communication networks. Also, critical de-vices may be accessed by more than one gateway or accesspoint. Finally, multiple parties, such as delegates and escrowservices, may be used to add diversity in AAA services. In suchcases, critical devices may need to maintain multiple (backup)crypto keys. This is discussed further in Section V-C2.

C. System Control

1) Private Data Handling: Secure data handling requirestransparent policies, trust management, and compliance en-forcement mechanisms. Architectural solutions for data han-dling include privacy-enhancing technologies (PETs), whichmay employ a variety of cryptographic or anonymity protocols.For example, PETs may be based on standard “privacy princi-ples” such as notice and purpose, choice and consent, collec-tion and scope, use and retention, access, disclosure to thirdparties and limited use, security for privacy, quality, and mon-itoring and enforcement [18]. Access to data should be con-trolled with cryptographic protocols.

PETs could also be used to assess privacy risks and moderateSM data communication and handling. SM privacy risk maybe quantified by analyzing the leakage or exposure of PII to

different parties. Privacy protection risk assessment depends onprivacy parameters such as the following: 1) the value of thedata; 2) the ownership of the data; 3) the data access and usagepermissions given to different parties; and 4) the degree the dataowner trusts other parties with the data [18].

Harmonizing privacy regulations across different legal sys-tems and cultures is not straightforward. For example, in theUSA, there are 51 different standards for privacy: one for eachone of the 50 states plus one federal standard. Regarding dataownership, each state has different rules: in some states, it is theindividual; in some others, it is the electrical company; and inothers, it is a third party.

We also support the premise that trusting stakeholders forcomplying with regulations is not a panacea for protectingprivacy. This is because regulations are often equivocal andnot easily enforced. History (e.g., of the Internet) teaches that“legitimate” data mining and exploitation techniques evolvequickly when there are financial incentives. To overcome thisproblem, it is desirable to define a common unified languagein order to design validated contractual customer-stakeholderrelationships in a structural manner.

2) Spheres of Control: Spheres of control are useful tomitigate vulnerabilities by giving different levels of control todifferent trusted parties for different data or functionality. Forexample, as a generalization of the work in [19], we suggest thatprivate data could be segregated into the following categories.

1) Customer data: these could be low-frequency attributabledata such as data used for billing.

2) Technical data: these could be high-frequency SM datasuch as data supporting DR/DSM.

3) Strictly personal data: these could be per unit data sam-pled at the highest frequency used for personal or privatebusiness purposes.

The difference between the aforementioned categories ofdata is that each data set contains different amounts of infor-mation. That is, customer data will have a low information con-tent, while strictly personal data will have a high informationcontent. Thus, the leakage of the latter will pose a greater riskto customer privacy.

It becomes clear that empowering the user to control accessto granular SM data, including giving consent for access toSM/SG stakeholders, is key to implementing a hierarchicalaccess control system for privacy preservation. For example,the Expert Group 2 of the European Smart Grids Task Force(SGTF), set up by the European Commission (EC), has recom-mended in [20] that technical SM data should be anonymizedwith means of data aggregation, as previously discussed inSection V-A3.

Apart from using aggregation, data privacy and control maybe further advocated with the introduction of trusted thirdparties, such as escrows. The benefit here is that an independentescrow service allows secure end-to-end aggregation of SMdata payloads in a very scalable manner.

The escrow-based anonymization scheme proposed in [19]introduces a structural difference to a smart meter within whichtwo separate IDs are embedded, as depicted in Fig. 4: oneanonymous high-frequency ID (HFID) and one attributable


Fig. 4. Smart meter HW architecture containing the following: 1) a personallyidentifiable SM (PISM) profile and 2) an anonymous SM (ANSM) profile. Eachprofile contains a certificate (CERT), corresponding HW ID, public key, privatekey (PRIV), and root certifying authority (CA) data. The two profiles are usedto create or update a client data profile (CDP) and an anonymous data profile(ADP).

Fig. 5. Battery is discharged/recharged with power pB(t) in order to “dis-guise” a given consumption load p(t). The smart meter records a power tracepi = p− pB − pL, where pL(t) is the power lost within the battery.

low-frequency ID (LFID). The idea is to use HFID to sendtechnical data and LFID to send customer data. The key to thisidea is that HFID will never be known to the utility; however,the utility can verify the integrity and authenticity of associatedmessages with the help of the escrow.

We note that multiple-ID HW architectures, as in Fig. 4,may support the following: 1) escrow anonymization discussedhere; 2) group key management protocols for attack impactmitigation discussed in Section V-A1; or 3) backup keys trustfor emergency HW control discussed in Section V-B3. Such po-tential multipurpose use of cryptographic keys again illustratesthe importance for having a USaPP design.

3) Secure Energy Management: The concept of privacy viaundetectability discussed in Section III-C adopts the fundamen-tal assumption that hiding home appliance usage patterns isa matter of “privacy of personal behavior,” i.e., “the right ofindividuals to keep any knowledge of their activities, and theirchoices, from being shared with others” [18]. In this context,SM privacy can be studied as an undetectability property ofappliance load signatures [21]. Undetectability can effectivelybe enforced by controlling the energy flow within a home sothat a portion of a consumption demand runs off a rechargeablebattery, rather than directly off the grid, as shown in Fig. 5.The battery system may manage energy flow in a manneradvantageous to customer privacy by masking load signaturesin a way that makes it harder to detect appliance usage patterns.

The problem of energy or SM data perturbation (e.g., bymeans of battery) can further be approached from an infor-mation theoretic perspective, as a tradeoff problem betweenprivacy preservation versus loss of benefit (utility) [22].

From the aforementioned discussion, it becomes clear thatHEMS decision-making algorithms can effectively impact SMdata privacy. However, the degree to which this is true dependson deployed spheres of control discussed in Section V-C2.

It should be clarified that private energy management mayconflict with other SM functionality such as DR/DSM or energypricing arbitrage and is bounded by the physical limitationsof the battery. For example, pB(t) in Fig. 5 might containloads that 1) have been shifted in an undesirable mannerand/or 2) reveal some appliance (and battery) usage patterns.The development of optimal privacy preservation and/or costminimization algorithms by using a rechargeable battery is aproblem of future research.

VI. SECURITY ANALYSIS

A. SM/SG Risk Assessment

The process of evaluating the security of a system typicallyinvolves the specification of (baseline or increased level) secu-rity requirements, the identification and analysis of applicablethreats and vulnerabilities, and the application of appropriatesecurity controls, such as the ones discussed in Section V.Threat analysis, in particular, can be performed following dif-ferent approaches as follows.

1) Top-down approach: threats and vulnerabilities are iden-tified for specific scenarios.

2) Bottom-up approach: “common” security requirements(such as integrity, confidentiality, authentication, ac-countability, availability, and anonymity) are analyzed forthe various system components and functions.

The security analysis of complex systems, such as SM/SG,is commonly directed by regulatory frameworks for critical in-frastructure protection (CIP) and CIIP. One of the key elementsof such CIP/CIIP is the application of risk assessment methodo-logies, including dependability and interdependence analysis.

Current risk assessments used by distribution system oper-ators are not good to deal with the very distributed nature ofSG/SM systems [3]. This challenge has been recognized by theEC SGTF and Mandate M/490 Smart Grid Coordination Groupand Smart Grid Information Security (SGIS) Working Groups,which are currently developing a risk assessment toolkit [2].

We note that, even though the USaPP framework uses prin-ciples of risk assessment, it does not specify nor it dependson particular processes a risk assessment may entail. Instead,the purpose of USaPP is to standardize and unify a processof methodically identifying security controls within the USaPPclassified solution space. This process will, in retrospect, fa-cilitate systematic risk assessment as it is underpinned byassumptions regarding existing security controls.

B. System Integration and Benefits

As previously discussed, the USaPP framework helps mapsecurity analysis results (e.g., prioritized security system designor update requirements) to security controls and solutions. Atsystem level, the integration of USaPP with standard informa-tion security management processes can be seen in Fig. 6. This


Fig. 6. USaPP system integration.

system’s approach of a holistic security management consistsof the following processes.

1) Stakeholder analysis: this involves a stock taking ofSG/SM stakeholders’ development drivers and critical re-quirements, including policy-driven rulebases, standards’compliance, market sustainability, and customer satisfac-tion. This analysis helps formulate a minimal set of high-level security and privacy goals.

2) Functionality and use cases: functional requirements andspecific use cases have their custom security and pri-vacy requirements. These custom requirements becomemore specific by mapping the corresponding functionsand operations into a reference system architecture. Fur-thermore, the importance of these requirements may befiltered by linking them with the high-level goals obtainedfrom the stakeholder analysis.

3) Risk assessment: the reference architecture can be furtherused as a basis to identify potential use case threats andvulnerabilities and to assess their potential impact to thesystem. This helps identify the set of security weaknessesthat pose high risk and that will need to be addressed.

4) USaPP solution space: this involves using the USaPPframework to help identify security controls in a unifiedand systematic manner. This process will be further ana-lyzed later on in this section.

5) Update mechanism: assuming that a (chosen) securitymeasure is implemented and, thus, the reference archi-tecture is updated, the risk assessment and USaPP appli-cation could be performed iteratively to make sure thatthreats to security and privacy pose a low risk. Addition-ally, the process is reiterated when a new use case or func-tionality is inserted or when the stakeholder goals change.

We note that the USaPP process in Fig. 6 is based onrisk analysis principles used by the EC SGIS [2], com-bined with the Dutch methodology for specifying SM privacyrequirements [13].

The process of using USaPP to help organize the searchof required solutions is given in greater detail in Fig. 7. Thisoperational methodology comprises the following steps.

1) The system security (and privacy) requirements are iden-tified and grouped for each separate use case.

2) Given a security requirement, security interdependencesare identified across different domains. In SM systemsand in this example implementation, we consider thefollowing four distinct domains: house, DER/EV, distri-bution, and retail. Each one of these domains is furtherorganized in two orthogonal categories. The first one isthe physical domain, which concerns the security of HWcomponents, and the second one is the cyber domain,which concerns the set of (secure virtual) entities that areallowed to access and actuate on the reference domain(and potentially irrespective of their physical location).

3) Given a certain location in the horizontal plane of Fig. 7,which corresponds to a use case requirement for a certaindomain category, a designer is expected to search thepool of USaPP solutions, which are grouped into threetop-level classes and further second-level subclasses, asshown in Fig. 2.

4) The application of each USaPP (subclass) solution isfurther broken down into five layers: business, func-tion, information, network, and component layers. Thebusiness layer corresponds to solutions that involve or-ganizational or regulatory aspects. The function layercorresponds to solutions that involve services and logicalprocesses. The information layer corresponds to solu-tions for data models and credentials. The network layerrepresents solutions for mechanisms and protocols thatsupport data communications. Finally, the componentlayer corresponds to solutions that help protect platformsthat host functions, information, and network elements.This layered classification is similar to the layers of theEuropean SG architectural model [2].


Fig. 7. USaPP operational methodology.

5) Given that a security requirement for a domain can beaddressed by employing a solution in an interdependentlayer of the SG, the systematic reduction of the searchspace facilitates a rigorous and efficient search.

Given the aforementioned methodology, it becomes clearerthat the benefit of USaPP is that it helps eradicate fragmentationin the application of security measures, which has traditionallybeen based on the insightful considerations of security experts.The proposed USaPP classification helps specify a minimumset of standards and regulatory mechanisms by mitigating du-plicated security services of overlaying security controls. Aminimum set of standards will concern a common/unified refer-ence architecture and common security management processes.This helps justify the premise that USaPP is advantageous ascompared to standard security risk analysis and solution map-ping methods as it improves interoperability and standardizessuch security processes. At large scale, USaPP could furtherprovide a common platform for national coordination, e.g.,through computer emergency response teams (CERTs), whichcould play a role in SG incident management [3].

VII. CASE STUDY: EV CHARGING SECURITY

This section presents an EV charging case study to demon-strate how the USaPP framework can be applied to address thesecurity and privacy issues in an SM/SG system.

A. Controlled EV Charging

EVs are envisioned to be an integral part of the future SG.This is because, in addition to functioning as vehicles, theycan also be used as the following: 1) storage facilities for anysurplus electricity (e.g., electricity generated by intermittentrenewable sources) and 2) DERs when they discharge theirbatteries and feed electricity back to the grid [23].

However, letting users to recharge their EVs in an uncon-trolled manner could endanger the stability of the grid [24]. Toprevent this or to reduce the chance of destabilizing the grid, EVcharging should be done in a controlled (coordinated) manner

[6]. For example, EVs should be recharged when the grid islightly loaded and/or when there is surplus electricity. In orderto influence the times when users recharge their EVs, a price-driven incentive-based DR mechanism could be put in place,e.g., adaptive electricity pricing that changes depending on thecurrent state of the grid; examples of such pricing mechanismsinclude real-time pricing, time of use, critical peak pricing, etc.

In addition, grid operators would offer payments for provid-ing ancillary services to the grid (e.g., frequency regulation,DR, spinning reserve, etc.) [23]. EVs are suitable for offeringsuch services due to their fast reaction capabilities. However,to be eligible, an ancillary service provider has to be able tooffer at least a certain amount of flexible demand. As an EVtypically has a limited battery capacity, there is a need for a newentity, EV AGGregator (EVAGG), to be created. EVAGG willaggregate the batteries of a number of EVs and will representtheir users in the electricity market, i.e., it will act as a mid-dleman between users and grid operators. Fig. 8 illustrates thenecessary interactions among entities involved. More precisely,if an EV user agrees to offer ancillary services to the grid, theEV’s battery will be added to the EVAGG’s aggregated load.With this flexible load, the EVAGG could bid in the electricitymarket for offering ancillary services. If the bid is accepted, theEVAGG will receive instructions from the grid operators to ad-just its load. To comply with the instructions, the EVAGG maychange the charging process of some of the EVs (e.g., adjustrecharging levels, terminate recharging, commence discharg-ing, etc.) by sending control signals (CSs) to some of the EVs.In return, for the load provided, the grid operators will pay theEVAGG which will, in turn, pass some of the payment to the EVusers. This is another mechanism to incentivize users to chargetheir EVs in a way that it would bring benefits to all partiesconcerned.

B. Exemplar EV Charging Scenario

Fig. 9 illustrates one of several possible EV charging sce-narios. Here, it is assumed that user B (Ub) visits user A’s(Ua) home and charges his EV (EVb) on the premises of Ua.


Fig. 8. EV used as an ancillary service provider via EVAGG.

Fig. 9. Roaming EV user at a typical home of the future.

Ua and Ub have contracts for electricity supply with utilitycompanies, utility A (Uta) and utility B (Utb), respectively. Ubalso has contract with EVAGG for offering ancillary services.It is assumed that Ua has a renewable energy source (RES) onher premises.

Depending on the amount of electricity generated from RES,during recharging, EVb may just get electricity supplied by theRES (if RES has sufficient stock), by the grid (if RES has zerostock), or by both RES and the grid (if RES has some stock butnot sufficient for EVb’s demand). Depending on these differentsituations, the payee of Ub’s payment and the amount payableto the payee may vary as well. In other words, Ub may need topay for the electricity to Ua, to Uta, or to both of them.

Similarly, if EVb is discharging, depending on the Ua’scurrent demand for electricity, the electricity fed by the EVbcould be used by Ua’s home appliances and could be fed backto the grid, or some could be used by Ua’s appliances, and somecould be fed back to the grid. Depending on the different cases,

Ub may be paid by Ua, by Uta, or by both of them. In addition,Ub may also receive payment from EVAGG for any ancillaryservices provided by the EVb to the grid.

Moreover, the time, level, and continuance of the chargingmay also depend on the following: 1) the user’s preferences;2) the available electricity generated by the local RES; 3) thecurrent price signal; 4) the state of the distribution networks;and 5) any CSs sent by EVAGG, etc.

C. Addressing Security and Privacy Issues Using USaPP

In the aforementioned example, the charging of EVs requiresthe involvement of multiple entities and potentially complexinteractions. For example, Uta would need to deliver the cur-rent electricity price to Ua and would also access her meterreadings (for billing purposes), EVAGG would need to havereal-time communication with EVb to obtain data about itsbattery’s current status (to be able to use EVb as an ancillary


TABLE IEV CHARGING SECURITY ISSUES

provider), distribution network operators would need to accessmeter readings of Ua (to be informed about the grid’s overalldemand), etc. Such a complex process not only introduces alarge number of security and privacy concerns but also dictatesthat the approach to the security and privacy concerns shouldbe structured, integrated, and unified.

For example, adversaries may try to impersonate differententities (e.g., Uta, Utb, EVAGG, etc.), eavesdrop, and/or tamperwith the messages (e.g., pricing signal, CSs, etc.) communi-cated in EV charging sessions in an attempt to destabilize thegrid. This could lead to disruptions of electricity supplies andcould even threaten the national security of a country. From theprivacy point of view, knowing an EV’s identity, its location,and its user’s identity may be sufficient for a perpetrator toprofile an EV user or to prepare for a further attack in the nameof the user.

To analyze these threats, we need to identify the interactionsand entities involved, thus addressing the key managementissues ensuring the right keys are shared only among authorizedentities (within the framework of a cryptosystem based, forexample, on a PKI or IBE). In addition, we also need to considerrouting security and to secure data aggregation to corroboratethe confidentiality of SM data. Furthermore, EVb electricityconsumption data measured at the EV supply equipment wouldbe communicated to Utb and EVAGG (for billing purposes),and EVAGG would be sending CSs to EVb. As these dataare directly related with the current charging session, secureend-to-end and peer-to-peer communication would be moreappropriate. If Ub wishes to preserve his location privacy, i.e.,wishes to hide the fact that he has ever visited Ua’s home, thennetwork privacy techniques should be considered, such as mixnetworks, onion routing, or anonymizers.

Other types of threats to EV charging include legitimate butnot genuine data or commands sent by different entities. Forexample, incorrectly executed optimization of EVs’ chargingschedules could trigger an EV to start recharging at peak timescausing financial losses to its user.

Furthermore, protecting EV users’ privacy is a challengingissue. There can be the following privacy-related scenarios:1) Ua may not want to reveal to Uta that there is an EV (inour case EVb) using the charging facility; 2) Ub may not wantto reveal his identity or EVb’s identity and EVb’s electricityconsumption to Uta or unauthorized eavesdroppers; and 3) Ubmay not want to reveal identity and EVb’s identity to EVAGG

but still acts as ancillary provider and gets payments for offeringthis service.

To address these privacy issues, different methods can beemployed. For example, in the first scenario, a secure energymanagement mechanism can be deployed by managing EVb’srecharging process in a way that it mimics electricity usage ofstandard home appliances. In such a way, Uta would not beable to detect the presence of any EV charging processes. In thesecond scenario, Ub’s anonymity can be provided by employingtrusted third parties or pseudonyms. However, anonymity maynot be sufficient to prevent adversaries from linking togetherEVb’s multiple charging sessions. The nonlinkability propertycan be achieved by assigning a dynamic identifier to each of thecharging sessions performed by Ub. Of course, a controlled andauthorized linkage of Ub’s multiple charging sessions shouldbe supported to ensure accountability and traceability in theevent of a dispute or security incident. In such a way, EVAGGwould only need to know the anonymous Ub’s contracted utilitycompany (Utb) in order to make payments to Ub (via Utb) andrequest Ub’s real ID revelation in case of disputes (solution forscenario three).

Table I lists some potential EV charging security issues andcategorizes them into the classes of the USaPP framework.

D. Importance of USaPP

From the aforementioned EV charging scenario analysis, itwould appear that the USaPP framework is useful in providinga systematic way to identify and classify a number of securityand privacy issues as in Table I. Such a classification wouldhelp designers to explore better the pool of existing solutions.For example, the false CS, false price signal, and false networkstatus signal issues could be addressed by the same or similarsolutions.

Without applying USaPP, it is likely that designers wouldprovide solutions to different issues, and these solutions maynot integrate with each other. Therefore, new solutions shouldbe planned and designed in a way that they do not overlap orconflict with solutions that address security and privacy issuesbelonging to different classes.

Using this systematic way of tackling different subcasescould increase the efficiency and reliability of the entire designand could launch a cycle of products related to the EV charging


application as well as the operation and management of thesystem.

We note that a detailed presentation of how the USaPPprocess methodology and solution mapping may be used, in theEV charging scenario, to systematically analyze, design, andmaintain a level of security and privacy under a range of attacksis not within the scope of this paper. This is left for future work.

VIII. CONCLUSION

The interconnection of cross-disciplinary systems (such asHEMS, HAN, and WSN/WAN) with sufficient support of theirinterdependences (such as collection, aggregation, and analysisof SM data, real-time pricing, DR/DSM programs, etc.) andthe involvement of multiple SG stakeholders (e.g., consumers,utilities, grid operators, and third-party service providers) makeSM systems highly complex. Equally complex is the analysisof security and privacy attacks that may cascade from one SMsystem domain into another SM/SG domain.

In this paper, we have presented the case for a unified ap-proach that attempts to address home SM security and privacyrequirements by fusing different solutions and mapping them toa number of tightly interrelated system components. In particu-lar, by classifying discussed solutions into three logical groups,namely, communications, computing, and system control (as inFig. 2), and orthogonal domains and layers (as in Fig. 7), theproposed USaPP framework helps address SM network securityand privacy issues, occurring in different cyber-physical parts ofthe system, for different use cases, in a systematic and holisticmanner.

We believe that the proposed USaPP framework can beused as a guideline for SM and SG security designers andresearchers. Future work may be motivated by many of thetechnical problems and solutions embedded in different areasof the framework.

ACKNOWLEDGMENT

The authors would like to thank the Directors of the ToshibaTelecommunications Research Laboratory for their support, aswell as Dr. T. Farnham for his invaluable comments.

REFERENCES

[1] B. Brown, B. Singletary, B. Willke, C. Bennett, D. Highfill, D. Houseman,F. Cleveland, H. Lipson, J. Ivers, J. Gooding, J. McDonald, N. Greenfield,and S. Li, AMI System Security Requirements, UCAIUG, Raleigh, NC,USA, AMI-SEC TF. [Online]. Available: http://osgug.ucaiug.org

[2] CEN/CENELEC/ETSI. (2011, May). Final Report of the CEN/CENELEC/ETSI Joint Working Group on Standards for Smart Grids,Brussels, Belgium. [Online]. Available: http://www.etsi.org/WebSite/document/Report_CENCLCETSI_Standards_Smart%20Grids.pdf

[3] ENISA. (2012, Jul.). Smart Grid Security: Recommendationsfor Europe and Member States, Heraklion, Greece. [Online].Available: http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/smart-grids-and-smart-metering/ENISA-smart-grid-security-recommendations

[4] E. L. Quinn, Privacy and the New Energy Infrastructure, University Col-orado Law School, Boulder, CO, USA. [Online]. Available: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1370731

[5] ETSI. (2010, May). Machine-to-Machine Communications (M2M);Smart Metering Use Cases, Cedex, France, TR 102 691, v1.1.1. [Online].

Available: http://www.etsi.org/deliver/etsi_tr/102600_102699/102691/01.01.01_60/tr_102691v010101p.pdf

[6] E. Lu, D. Reicher, C. Spirakis, and B. Weihl, “Demand dispatch,” IEEEPower Energy Mag., vol. 8, no. 3, pp. 20–29, May/Jun. 2010.

[7] P. McDaniel and S. McLaughlin, “Security and privacy challenges in thesmart grid,” IEEE Sec. Privacy, vol. 7, no. 3, pp. 75–77, May/Jun. 2009.

[8] J. Liu, Y. Xiao, S. Li, W. Liang, and C. L. P. Chen, “Cyber security andprivacy issues in smart grids,” IEEE Commun. Surv. Tuts., vol. 14, no. 4,pp. 981–997, 2012.

[9] NIST. (2010, August). Guidelines for Smart Grid Cyber Security:Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-LevelRequirements, Gaithersburg, MD, USA, NISTIR 7628. [Online]. Avail-able: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf

[10] A. R. Metke and R. L. Ekl, “Security technology for smart grid networks,”IEEE Trans. Smart Grid, vol. 1, no. 1, pp. 99–107, Jun. 2010.

[11] K. Moslehi and R. Kumar, “A reliability perspective of the smart grid,”IEEE Trans. Smart Grid, vol. 1, no. 1, pp. 57–64, Jun. 2010.

[12] R. Anderson and S. Fuloria, “Who controls the off switch?” in Proc. 1stIEEE Int. Conf. SmartGridComm, Gaithersburg, MD, USA, Oct. 2010,pp. 96–101.

[13] Dutch Smart Meter Requirements, Netbeheer Nederland, The Hague, TheNetherlands, Apr. 22, 2011.

[14] R. Rajkumar, I. Lee, L. Sha, and J. Stankovic, “Cyber-physicalsystems: The next computing revolution,” in Proc. 47th ACM DAC, 2010,pp. 731–736.

[15] A. Rial and G. Danezis, “Privacy-preserving smart metering,” in Proc.10th Annu. ACM WPES, 2011, pp. 49–60.

[16] M. G. Reed, P. F. Syverson, and D. M. Goldschlag, “Anonymous con-nections and onion routing,” IEEE J. Sel. Areas Commun., vol. 16, no. 4,pp. 482–494, May 1998.

[17] T. Flick and J. Morehouse, Securing the Smart Grid: Next GenerationPower Grid Security. Waltham, MA, USA: Syngress, 2010.

[18] NIST. (2010, Aug.). Guidelines for Smart Grid Cyber Security: Vol.2, Privacy and the Smart Grid, Gaithersburg, MD, USA, NISTIR7628. [Online]. Available: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf

[19] C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymizationof smart metering data,” in Proc. 1st IEEE Int. Conf. SmartGridComm,Gaithersburg, MD, USA, October 2010, pp. 238–243.

[20] Task Force Smart Grids. (2010, December). Expert Group 2: Regula-tory Recommendations for Data Safety, Data Handling and Data Protec-tion, Brussels, Belgium. [Online]. Available: http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/expert_group2.pdf

[21] G. Kalogridis, R. Cepeda, S. Z. Denic, T. Lewis, and C. Efthymiou,“Elecprivacy: Evaluating the privacy protection of electricity manage-ment algorithms,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 750–758,Dec. 2011.

[22] L. Sankar, S. Kar, R. Tandon, and H. V. Poor, “Competitive privacyin the smart grid: An information-theoretic approach,” in Proc. 2ndIEEE Int. Conf. SmartGridComm, Brussels, Belgium, Oct. 17–20, 2011,pp. 220–225.

[23] W. Kempton and J. Tomic, “Vehicle-to-grid power fundamentals: Calcu-lating capacity and net revenue,” J. Power Sourc., vol. 144, no. 1, pp. 268–279, Jun. 2005.

[24] K. Clement-Nyns, E. Haesen, and J. Driesen, “The impact of vehicle-to-grid on the distribution grid,” Elect. Power Syst. Res., vol. 81, no. 1,pp. 185–192, Jan. 2011.

Georgios Kalogridis received the Diploma in elec-trical and computer engineering from the Universityof Patras, Patras, Greece, in 2000, the M.Sc. de-gree in advanced computing from the University ofBristol, Bristol, U.K., in 2001, and the Ph.D. degreein mathematics from Royal Holloway, University ofLondon, London, U.K., in 2011.

He is a Senior Research Engineer at Toshiba Re-search Europe Limited, Bristol, where he has beenworking since 2001. His research has spanned theareas of information security and privacy, distributed

trust, network reliability, and smart grid communications. In these areas, hehas authored papers, invented patents, developed prototypes, and contributedto European information and communication technology research projects andEuropean Telecommunications Standards Institute standards.


Mahesh Sooriyabandara received the B.Sc.Eng.(Hons.) from the University of Peradeniya,Peradeniya, Sri Lanka, and the Ph.D. degree fromthe University of Aberdeen, Aberdeen, U.K.

In 2004, he joined the TelecommunicationsResearch Laboratory, Toshiba Research EuropeLimited, Bristol, U.K., where he is currently the As-sociate Managing Director. Prior to this, he was a Re-search Fellow with the Electronics Research Group,University of Aberdeen. His main areas of researchinterest are wireless networks, Internet engineering,

smart grid communications, and machine-to-machine communications.Dr. Sooriyabandara is a Senior Member of the Association for Computing

Machinery and a Chartered Engineer.

Zhong Fan received the B.S. and M.S. degreesin electronic engineering from Tsinghua University,Beijing, China, and the Ph.D. degree in telecom-munication networks from Durham University,Durham, U.K.

He is a Chief Research Fellow at Toshiba ResearchEurope, Bristol, U.K. Prior to joining Toshiba, heworked as a Research Fellow at Cambridge Uni-versity, Cambridge, U.K., a Lecturer at BirminghamUniversity, Birmingham, U.K., and a Researcherat Marconi Labs, Cambridge, U.K. He was also

awarded a BT Short-Term Fellowship to work at BT Labs. His research interestsare wireless networks, IP networks, and machine-to-machine and smart gridcommunications.

Mustafa A. Mustafa received the B.Sc. degree incommunications equipment and technologies fromthe Technical University of Varna, Varna, Bulgaria,in 2007 and the M.Sc. degree in communicationsand signal processing from Newcastle University,Newcastle upon Tyne, U.K., in 2010. He is currentlyworking toward the Ph.D. degree in the School ofComputer Science, The University of Manchester,Manchester, U.K.

His research interests include information securityand privacy, and smart grid communications.

Education

Security analysis of handover key management in 4 g ltesae networks