Berthier receives award for work on detecting security breaches in utility communications

4/8/2015 5:26:00 AM ITI Staff

ITI researcher Robin Berthier recently received a Best Paper Award at the 2014 IEEE International Conference on Smart Grid Communications for his collaborative work on a project that aims to help utilities monitor encrypted network communications for intrusions.

Berthier, along with eight other researchers from Fujitsu Laboratories of America, the University of Texas at Dallas, Honeywell Labs and former ITI researcher Rakesh Bobba (now an assistant professor at Oregon State University), published the paper, titled "On the Practicality of Detecting Anomalies with Encrypted Traffic in AMI," which looks at four different approaches to reconciling the goals of confidentiality and monitoring in advanced metering infrastructure (AMI). The group has been working together over the past few years on cybersecurity for metering infrastructure and has published four papers together during that time.

Nationwide, utilities are replacing meters that require a person to read them each month with a new generation of smart meters that connect remotely to the utility network and report usage automatically.

"Utilities are deploying these new meters because they have a lot of value, such as detecting outages much more precisely," Berthier said. "With this real-time consumption information, we can better predict and assess the load on the grid."

Those qualities let utilities run demand response applications, which allow consumers to save money and utilities to reduce their peak load. But because the meters are connected to other entities within the grid, they also create security concerns.

"You don't want anyone to get access to the communication network and to attempt to compromise meters," Berthier said. "Utilities, vendors, government and researchers are working on solutions to prevent that and to build a resilient infrastructure."

Berthier and the rest of the team are trying to help utility companies monitor what is happening in their networks and be alerted when an intrusion attempt occurs. The key is to design an intrusion detection system (IDS) that can observe the network traffic and detect attacks.

This image represents a communication network where each of the white dots is a meter and the blue lines are communication traces between meters and the utility. The picture enables Berthier and the team to visualize the entire network and better understand communication patterns.
"Utilities have two different goals, which are to encrypt communications to protect sensitive information, and also to be able to monitor communications to detect any malicious activities," Berthier said. "If the communications are all encrypted, IDSes can't monitor the messages, but you lose privacy protection if you don't encrypt the messages. We are designing a solution to reconcile those two goals."

Using communication data from an industry partner, Berthier and his colleagues applied each technique to the recorded traffic to measure how effective it is at detecting suspicious activity without decrypting anything. They studied four approaches: monitoring the periodicity of meter communications; detecting rogue devices through passive fingerprinting; tracking unknown flows by baselining the network connectivity graph; and identifying traffic patterns and outliers through unsupervised clustering.

Their conclusion is that no single technique satisfies all the needs of a utility company; rather, several techniques need to run in parallel.

"These techniques mostly rely on each meter following a specific pattern for communication," Berthier said. "The key is if you have something malicious, it will disturb the regularity of the patterns. We wanted to show which technique identifies the attacks most clearly with the fewest false positives or false negatives."
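To make the idea concrete, here is an added example (not code from the award-winning paper or from ITI) that runs two of the four approaches named above, periodicity monitoring and connectivity-graph baselining, over a constructed set of flow records. Only metadata (timestamp, source, destination, size) is used, standing in for traffic whose payload is encrypted. The device names, the head-end name, the 15-minute reporting period, the training window and the 20% tolerance are all assumptions chosen for the illustration.

```python
"""Metadata-only anomaly detection over encrypted AMI traffic.

Added example; not code from the paper the article describes or from ITI.
It demonstrates two of the four approaches the article names:
  1. monitoring the periodicity of each meter's reports, and
  2. baselining the network connectivity graph and flagging unknown flows.
Payloads are assumed encrypted and are never inspected: every decision uses
only (timestamp, source, destination, size). The flow records, device names,
15-minute period and 20% tolerance are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

HEADEND = "headend"   # assumed name of the utility's collector
PERIOD = 900          # assumed reporting interval in seconds (15 minutes)


def make_flows():
    """Constructed sample: three honest meters, one beaconing meter, one rogue device."""
    flows = []
    # Honest behaviour: each meter reports to the head-end every PERIOD seconds
    # with a little clock jitter, for two hours (8 reports each).
    for meter, jitter in (("meter-01", 0), ("meter-02", 3), ("meter-03", 2)):
        for k in range(8):
            flows.append((k * PERIOD + jitter, meter, HEADEND, 120))
    # Anomaly A (periodicity): after the first hour meter-02 also sends a report
    # every 60 s, the kind of regularity break a replay or beacon would cause.
    for t in range(3600, 7200, 60):
        flows.append((t, "meter-02", HEADEND, 120))
    # Anomaly B (connectivity): a device absent from the baseline talks to meter-03.
    flows.append((5000, "rogue-99", "meter-03", 512))
    flows.sort()
    return flows


def learn_baseline(flows, train_end):
    """From flows before train_end, learn the allowed edge set and each edge's median period."""
    edges = set()
    times = defaultdict(list)
    for t, src, dst, _size in flows:
        if t >= train_end:
            break                      # flows are sorted by time
        edges.add((src, dst))
        times[(src, dst)].append(t)
    periods = {}
    for edge, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if gaps:
            periods[edge] = median(gaps)
    return edges, periods


def detect(flows, train_end, tolerance=0.2):
    """Replay flows after train_end against the baseline.

    Returns (kind, t, src, dst, detail) tuples: 'unknown_flow' for an edge that
    was never in the baseline graph, 'period_deviation' when the gap since the
    previous report on an edge differs from its learned period by more than
    tolerance * period.
    """
    edges, periods = learn_baseline(flows, train_end)
    alerts = []
    last_seen = {}
    for t, src, dst, _size in flows:
        edge = (src, dst)
        if t < train_end:
            last_seen[edge] = t        # remember the last training report per edge
            continue
        if edge not in edges:
            alerts.append(("unknown_flow", t, src, dst, None))
        elif edge in periods:
            gap = t - last_seen[edge]
            if abs(gap - periods[edge]) > tolerance * periods[edge]:
                alerts.append(("period_deviation", t, src, dst, gap))
        last_seen[edge] = t
    return alerts


def summarize(alerts):
    """Map each alert kind to the set of (src, dst) edges that raised it."""
    summary = defaultdict(set)
    for kind, _t, src, dst, _detail in alerts:
        summary[kind].add((src, dst))
    return dict(summary)


if __name__ == "__main__":
    found = detect(make_flows(), train_end=3600)
    for alert in found:
        print(alert)
    print(summarize(found))
```

Run stand-alone, the script learns the graph and periods from the first hour, then flags only the rogue edge and the beaconing meter; the two honest meters never alert. The size field is deliberately carried but unused here: it is the hook where the passive-fingerprinting and clustering approaches from the article would attach, since report sizes and timing distributions are still visible when the payload is not.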

Berthier anticipates their future research will work to figure out which combination of techniques works best.

"The fact that we are a team with a variety of expertise enables us to look at the problem through different angles," Berthier said. "It's hard for a single researcher to have this large of scope. Through this collaboration, we were able to break down the problem into smaller pieces and improve the resulting contribution of the study."

This story was published April 8, 2015.