A Security Mechanism of Web Services-based Communication for Wind Power Plants - Complet

 Documents

 18 views
of 9

Please download to get full document.

View again

All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Description
1930 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008 A Security Mechanism of Web Services-Based Communication for Wind Power Plants Nian Liu, Jianhua Zhang, Member, IEEE, and Wenxia Liu Abstract—The IEC 61400-25 standard has defined the mapping of wind power-plant information model to web services (WS). Ensuring the security of WS-based communication for wind power plants is an unsolved problem. WS-Security is a standard used to deal with the security requirements in applicati
Share
Tags
Transcript
  1930 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008 A Security Mechanism of Web Services-BasedCommunication for Wind Power Plants Nian Liu, Jianhua Zhang  , Member, IEEE  , and Wenxia Liu  Abstract— The IEC 61400-25 standard has defined the mappingof wind power-plant information model to web services (WS). En-suring the security of WS-based communication for wind powerplants is an unsolved problem. WS-Security is a standard usedto deal with the security requirements in applications of web ser-vices, while the username/password and X.509 certificates are se-curity tokens most commonly used in electric power utilities. Wepropose a security mechanism that deals with the requirements of authentication, integrity,nonreputation, and confidentiality acrossthe communication process based on WS-Security and the two se-curitytokens.Thesecuritymechanismisimplementedbyanexten-sionofsimpleobject-accessprotocolmessage,designofthesecurityagent, and the related security message-processing algorithm. Aninstance is modeling based on IEC 61400-25 to demonstrate the se-curity-enhanced remote control of wind power plants. The resultsupports the usefulness of the security mechanism for WS-basedwind power plants communication.  Index Terms— Communication system, cybersecurity, IEC61400-25, web services (WS), wind power plant. I. I NTRODUCTION T HE multi-megawatt (MW) wind power plants are increas-ingly and actively participating in the operation of trans-mission systems, and wind power generation has a great in-fluence on power system operation due to such issues as fre-quency and voltage variations [1]–[3]. In this case, the moni-toring and control of wind power plants have become a vitalpart of power system operation [4]–[7]. Furthermore, the strate-gically distributed nature of wind power presents unique chal-lenges. Generation is not centralized and is generally remote,sometimes offshore, and often covers large geographic areas[8]. These factors usually require a variety of networked in-terconnections and telecommunication technologies for moni-toring and control of wind power plants [8], [9]. Therefore, ef-ficient and reliable communication is important for wind powerplants. As a consequence, IEC 61400-25 is proposed to pro-vide a uniform communication basis for the monitoring andcontrol of wind power plants [10]–[13]. The major communi-cation mapping defined in IEC 61400-25 is based on WS. Thesimple object-access protocol (SOAP) is used to transfer thedata. Thisensuresthatdifferent clients and environmentscan beused. Object-oriented data structures can make the engineering Manuscript received December 6, 2007; revised January 20, 2008. First pub-lished July 9, 2008; current version published September 24, 2008. Paper no.TPWRD-00791-2007.The authors are with the Key Laboratory of Power System Protection andDynamic Security Monitoring and Control Under Ministry of Education, NorthChinaElectricPowerUniversity,Beijing102206,China(e-mail:nian_liu@163.com).Digital Object Identifier 10.1109/TPWRD.2008.923521 and handling of large amounts of information provided by windpower plants less time-consuming and more efficient. The useof the a information technologies provides the benefits of lowimplementation cost and ease of interoperability, but also intro-duces the potential for cybersecurity vulnerabilities [8], [10],[12], [14].The cybersecurity intrusion of a power system is not a talebut also comes true in the real world. According to the study oncyber vulnerabilities of control systems to unauthorized accessby[15],[16],therehavebeentensofeventsthatresultindamageoccurring in electric power control systems for transmission,distribution, and generation. Research needs and requirementsrelated to the cybersecurity of power utilities and control sys-tems have been widely discussed, and some practical methodsare reported [16]–[24]. Security requirements of communica-tion for wind power plants are specified in IEC 61400-25-3,but how they are handled specifically is completely up to theindividual supplier and implemented with the communicationprotocols [12]. However, web services (WS)-based communi-cation for wind power plants is a new emerging technology,in which few studies have been conducted for security. In IEC61400-25-4, a simple security mechanism based on username/ password is introduced, but this method is weak in the secu-rity level, and cannot provide additional protections of confi-dentiality, integrity, and nonreputation [13]. A common way of achieving security is relying on a secure transport layer or net-work layer, which typically includes secure socket layer (SSL),transport layer security (TLS), and IP security (IPSec). Espe-cially, TLS is recommended to secure TCP/IP-based commu-nication for supervisory control and data acquisition (SCADA)and telecontrol in IEC 62351-3 [25]. Apart from the fact thatthese techniques provide security only in a secure channel (andnot in files or databases), it does not correspond with the WS ar-chitecture in which the intermediaries can manipulate the mes-sages on their way. Once using a secure transport layer, in-termediaries are not able to control the messages [26], [27].For the same reason, IEC 62351-3 also specifies that securitymust follow progress and update to better solutions when avail-able [25]. The WS-Security standard for web services was rati-fied by Advancing Open Standards for the Information Society(OASIS) in 2004. The standard describes enhancements for theSOAP message in order to provide security foundation for ap-plications based on WS [28]. The security mechanisms of someexisting applications, such as the digital factory, e-mail system,enterprise services system, trust management, etc., are devel-oped in accordance with WS-Security, but cannot be applied di-rectly to wind power plants’ communication [29]–[32]. 0885-8977/$25.00 © 2008 IEEE  LIU et al. : SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS 1931 Fig. 1. Communication model for windpower plants defined in IEC 61400-25. In this paper, we propose a security mechanism based onIEC 61400-25 and WS-Security to secure the WS-based com-munication for wind power plants. The content of this paper isorganized as follows. Section II analyzes the WS-based com-munication model for wind power plants and the related se-curity requirements. Section III briefly describes the WS-Se-curity standard and security tokens commonly used in elec-tric power utilities. Section IV presents designing principles of the security mechanism. In Section V, two schemes of the se-curity mechanism are designed based on different security to-kens and WS-Security. Section VI provides the implementationmethod, including the security extension of SOAP message, de-sign of security agent, and algorithms for security informationprocessing. In Section VII, a control instance for the wind tur-bine of a wind power plant is modeled and analyzed to demon-strate the efficiency of the security mechanism. Finally, conclu-sions are given in Section VIII.II. A NALYSIS OF C OMMUNICATION M ODELAND S ECURITY R EQUIREMENTS  A. Communication Model IEC 61400-25 defines a communication model for moni-toring and control of wind power plants, the modeling structureis similar to IEC 61850, which comprises three separatelydefined parts (see Fig. 1): wind power-plant information model[11], information-exchange model [12], and mapping the windpower-plant information model and the information exchangemodel to standard communication profiles [13].For mapping to WS, the information exchange betweenSCADA and wind power plants is based on SOAP message.The mapping process is that the services defined in abstractcommunication service interface (ACSI) [33] associated withEXtensible Markup Language (XML) elements in SOAP body. TABLE IS ECURITY R EQUIREMENTS OF D IFFERENT C OMMUNICATION S TEPS  B. Security Requirements The information-exchange model provides services that aregrouped as operational functions and management functions.The security requirements of these two functions include [12]:1) authentication: determining the identity of the user/client;2) authorization and access control: ensure that the entity hasthe correct proper access;3) integrity: messages and the computer infrastructure areprotected against unauthorized modification or destruc-tion;4) confidentiality: objects of the wind power-plant informa-tion model are protected and only disclosed to appropriateusers/clients;5) nonrepudiation: preventing a user/client involved in a dataexchangefromdenyingthatitparticipatedintheexchange;6) prevention of denial of service: preventing a client/serverfrom blocking access to authorized users.In the aforementioned requirements, authorization and ac-cess control can be solved by the privilege management and ac-cess–controlmodel,themethods introducedin[21] and [22]areuseful for IEC 61400-25-related devices of wind power plants.The prevention of denial-of-service needs to deploy suitable de-fensive measures on a crucial access point of communication.There have been efficient products developed on the cybersecu-rity domain. Other requirements, including authentication, in-tegrity, confidentiality, and nonrepudiation, should be individu-ally designed combined with communication process and WS.In Fig. 1, the communication process of wind power plantscan be divided into three steps:Step 1) associate;Step 2) data exchange;Step 3) release.Each step has different security requirements, listed in Table I.III. WS-S ECURITY AND THE S ECURITY T OKEN  A. WS–Security According to security requirements of web services, WS-Se-curity defined the security expanding method for SOAP mes-sageexchange.ThestandardispublishedbyOASIS,whichpro-vides the security foundation for applications of WS [28].  B. Commonly Used Security Tokens for Electric Power Utilities A security token represents a collection (one or more) of claims. It is the basic element for authentication, encryption/ decryption, integrity, and nonrepudiation. The security tokensmost commonly used in electric power utilities include:  1932 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008 Fig. 2. Designing principles of the security mechanism of communication forwind power plants. 1) username/password: a widely used, basic authenticationfunction for almost all information systems, but the de-greeofsecurityisweak,withinsecurityriskswhendirectlyused;2) X.509 certificates: solve the authentication, integrity, con-fidentiality, and nonrepudiation basedon thetechnologyof public-key cryptography. The disadvantage is that the ap-plications must be deployed on the support of the publickey infrastructure (PKI) which needs more investments.IV. D ESIGNING P RINCIPLES FOR THE P ROPOSED S ECURITY M ECHANISM For aforementioned presentation and analysis, the designingprinciples are outlined as follows (see Fig. 2).1) They can satisfy the requirements with the communicationprocess,includingauthentication,integrity,confidentiality,and no-repudiation.2) Integration with the mapping to WS, without any changesto standard SOAP messages.3) TheyshouldbeinconformancewiththeWS-Securitystan-dard.4) The security tokens commonly used in electric power util-ities are important and must be taken into consideration.V. D ESIGN OF THE S ECURITY M ECHANISM Considering the security tokens commonly used in elec-tric power utilities, the security mechanism is divided into twoschemesbasedontheusername/passwordandX.509certificate,respectively. In scheme I, symmetric cryptographic algorithmand message authentication code (MAC) are introduced tomitigate the weakness of the username/password token on thedegree of security. In scheme II, the symmetric cryptographyis used for encryption and decryption of sensitive contents inmessages, public-key cryptography is used for delivering thesymmetric session key and signing the messages. The symbolsused for security mechanism and the related explanations arepresented in Table II. TABLE IIS YMBOLS U SED BY THE S ECURITY M ECHANISM AND R ELATED E XPLANATIONS  A. Scheme I—Security Mechanism Based onUsername/Password 1) Associate: ã associate requestã associate responseIn the beginning, initializes an associate request to , andthen authenticatestheidentityof from therequestmessage.The security token based on username/password is formu-lated as(1)where and are the additional elements to re-sist against the reply attack; is a 128-b randomized value,which is used for the deviation of the symmetric key on signa-ture and encryption/decryption; is the digestvalue of , calculated by(2)is the srcinal message of the associate re-quest. To ensure the integrity and no-reputation, generates asignature for , represented as(3)  LIU et al. : SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS 1933 is derived from and has alength of 160 b, as follows:(4)is also used for encryption and decryption in data-ex-change steps, the key length of the selected symmetric cryptog-raphy should be lower than 160 b (e.g., AES-128).After receiving the from , retrieves theby corresponding from the local data-base, then calculates the by (2), and com-pares it with , authenticates ’s identity asbeing equal or not.Furthermore, is calculated by (4) to verify the validityof signature, ensuring the message is sent from authorized userand without unauthorized modification or destruction.After verification, sends an associate response message to, including a signature of to ensure the integrityand nonreputation(5) 2) Data Exchange: ã requestã responseIn this step, the mechanism needs to deal with the require-mentsofintegrity,confidentiality,andnonreputation.Duetothewideandvarioustypesofservices,tointroducetheproblemuni-versality, and are used for formal represen-tation of services.To protect against the reply attack, the contents of the signa-ture should include original messages andthe time stamps, while the contents of encryption only includethe first one.The signature algorithm is same as (5), and the encryption/ decryption algorithm is AES-128(6) 3) Release: ã release requestã release responseIt is important to ensure integrity and nonreputa-tion in the release step. The signature contents includeand the time stamps.  B. Scheme II—Security Mechanism Based on X.509 Certificate1) Associate: ã Associate requestã Associate responseis the X.509 certificate of C(7)The signature algorithm is , represented as(8)is encrypted by , and ’s public key is repre-sented as(9)After receiving the associate request, checks to au-thenticate ’s identity, and then verifies the integrity, nonrep-utation and freshness of the request message. Finally, usesprivate key to decrypt , which is prepared for encryp-tion and decryption in data-exchange steps.If all of the verifications are passed, sends an associate re-sponse to , which includes a signature of andtime stamp, as (8). 2) Data Exchange and Release: The message structures of these two steps are consistent with scheme I, but the signa-ture algorithm is the same as (8). For example, the signature of can be represented as(10)Furthermore, the encryption algorithm is same as (6). C. Comparison of the Two Schemes The comparison between the two schemes is shown inTable III. To deal with the security requirements, Scheme Iactualizes encryption and signature functions, which basedon username/password, can also be easily applied. SchemeII can provide much stronger protection for communication,but the related computation demand of the system resource ismuch higher due to the computation complexity of public-keyalgorithms. Therefore, the two schemes should be carefullyselected according to the application environment.
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks