Cyber Security

In the domain of smart grids, our work deals with various aspects of security. Below are some of the representative works in this direction.

Security Framework for an Active Distribution Network

We have put security mechanisms into place to ensure that the ICT infrastructure is resilient to insider and outsider cyber-attacks. The security mechanisms we implement guarantee that access to all devices in the ADN is limited only to authorized personnel. Each authorized personnel is assigned separate user credentials; everyone is held accountable for their activities in the network. Accountability is enforced by implementing a logging mechanism to record each and every activity a user performs and by analyzing the log data to identify suspicious activities.

We have also implemented network access control mechanisms to prevent an rogue device from gaining access to the ADN communication infrastructure. All devices directly connected to the ADN are authenticated using their credentials (digital certificates) before they start any sort of communication with any device in the network. The digital certificates are also used to secure communication between the field devices (PMU’s) and the PDC. DTLS (Datagram Transport Layer Security) is used to guarantee end-to-end security for Phasor and control data communication. Moreover, we are currently implementing MACSec for hop-by-hop security in order to ensure that bogus traffic injected by a rogue device is discarded at the next switch. This prevents DoS attacks because such traffic does not propagate beyond the first link where the traffic is injected.

The ADN’s communication infrastructure is also physically separate from the rest of the campus’ public communication infrastructure. There is only minimal communication with the public network in order to publish the synchrophasor data, as well as the SE output for public access for research purposes. A proxy server at the DMZ (Demilitarized Zone) that censors any incoming and outgoing traffic serves as the only interface between private smart grid network and the outside world. The DMZ with the help of the firewalls and the proxy server serves as a protective barrier by effectively shielding the smart grid from any incoming attacks from the public network.

You can find more details about this work in the below paper

T. T. Tesfay, J.-P. Hubaux, J.-Y. Le Boudec and P. Oechslin, “Cyber-secure Communication Architecture for Active Power Distribution Networks,” 29th ACM Symposium on Applied Computing, Gyeongju, South Korea, Mar. 24-28, 2014.

Multicast Authentication for Wide Area Monitoring Systems

Multicast is proposed as a preferred communication mechanism for many power grid applications. One of the biggest challenges for multicast in smart grid is ensuring source authentication without violating the stringent time requirement. The research community and standardization bodies have proposed several authentication mechanisms for smart grid multicast applications. We evaluate different authentication schemes and identify the best candidates for phasor data communication in wide area monitoring systems (WAMS). We do an extensive literature review of existing solutions and establish a short list of schemes to evaluate. We make an experimental comparison of the chosen schemes in an operational smart grid pilot and evaluate the performance of these schemes by using the following metrics: computation, communication and key management overheads. The best candidates we consider are two variants of ECDSA, TV-HORS and three variants of Incomplete-key-set. We find ECDSA without pre-computed tokens and all the Incomplete-key-set variants are inapplicable for WAMS due to their high computation overhead. The ECDSA variant that uses pre-computed tokens and TV-HORS perform well in all metrics; however, TV-HORS has potential drawbacks due to a large key management overhead as a result of the frequent distribution of a large public key per source.

You can find more details about this work in the below paper

T. T. Tesfay and J.-Y. Le Boudec, “Experimental Comparison of Multicast Authentication for Wide Area Monitoring Systems,” IEEE Transactions on Smart Grid, 2017.

Optimal Software Patching Plan for PMUs

Phasor measurement units (PMUs) deployed to monitor the state of an electrical grid need to be patched from time to time to prevent attacks that exploit vulnerabilities in the software. Applying some of these patches requires a PMU reboot, which takes the PMU offline for some time. If the PMU placement provides enough redundancy, it is possible to patch a set of PMUs at a time while maintaining full system observability. The challenge is then to find a patching plan that guarantees that the patch is rolled out to all PMUs in the smallest number of rounds possible while full system observability is maintained at all times. We show that this problem can be formulated as a sensor patching problem, which we demonstrate to be NP-complete. However, if the grid forms a tree, we show that the minimum number of rounds is two and we provide a polynomial-time algorithm that finds an optimal patching plan. For the non-tree case, we formulate the problem as a binary integer linear programming problem (BILP) and solve it using an ILP-solver. We also propose a heuristic algorithm to find an approximate solution to the patching problem for grids that are too large to be solved by an ILP-solver. Through simulation, we compare the performance of the ILP-solver and the heuristic algorithm over different bus systems.

You can find more details about this work in the below paper

T. T. Tesfay, J.-Y. Le Boudec and O. N. A. Svensson, “Optimal Software Patching Plan for PMUs,” IEEE Transactions on Smart Grid, 2017.

Security of MPLS-TP

Wide-area smart grids require an upgrade in the communication infrastructure of power utilities. The use of IP based protocols reduces cost and increases robustness but introduces specific security vulnerabilities, the solution of which may conflict with the strict timing constraints of power-utility networks. We propose to formally verify the security properties of such networks, analyze whether they conflict with delay constraints and if necessary, propose modifications.


The MPLS Transport Profile (MPLS-TP) is one of the proposed communication technologies for smart grids. The security guidelines of the MPLS-TP standards are written in a complex and indirect way, which led us to pose as hypothesis that vendor solutions might not implement them satisfactorily. In [1], we investigate the security implementation of MPLS-TP OAM (Operations, Administration, and Maintenance) protocols such as bidirectional forwarding detection (BFD) and protection state coordination (PSC). The former is used to detect failures in label-switched paths (LSPs) while the latter is used to coordinate protection switching (fast reroute).

1. Jayasinghe, U., Barreto, S., Popovic, M., Tesfay, T.T., and Le Boudec, J.Y., “Security Vulnerabilities of the Cisco IOS Implementation of the MPLS Transport Profile”, Smart Energy Grid Security Workshop (SEGS) in conjunction with 21st ACM Conference on Computer and Communications Security, Scottsdale, USA, November 3 – 7, 2014.