Home // International Journal On Advances in Security, volume 13, numbers 1 and 2, 2020 // View article
Authors:
Steffen Fries
Rainer Falk
Keywords: security; device authentication; end-to-end security; multi-hop security; IEC 62351; Publish/Subscribe
Abstract:
End-to-end security is often a requirement for interacting systems, including energy automation systems. As the term can be interpreted on different layers of the Open System Interconnection (OSI) reference model, it is necessary to clearly define the end points that need to provide or rely on the exchanged data. Connecting client and server applications directly via a transport connection allows the usage of existing security protocols directly, as known from classical Web applications. Typically, Transport Layer Security (TLS) is applied to protect the communication link end-to-end. This approach is utilized in substation automation of energy grids to protect the Transmission Control Protocol (TCP/IP)-based communication between a substation controller and a protection relay applying mutual authentication of the end points. Here, the communicating end points on the application layer terminate in the same entity as the transport layer end points, which essentially provides end-to-end security on a component level. If a direct communication link is not available, communication is realized over an intermediary system. Providing end-to-end security over multiple communication hops, including mutual endpoint authentication (client and a destination application service) as well as integrity and confidentiality of communicated data, deserves specific attention, even if the communication hops with the intermediary are protected hop-by-hop by security protocols like TLS. In power system automation, this kind of communication involving an intermediary is used with publish subscribe protocols, e.g., when integrating Decentralized Energy Resources (DER) or when integrating smart meters in the German Smart Meter Gateway architecture. This paper investigates existing solutions and specifically analyses the end-to-end security approach defined for power system automation within the International Electrotechnical Commission (IEC). A broader application of end-to-end security using session-based communication over intermediaries is desired.
Pages: 76 to 87
Copyright: Copyright (c) to authors, 2020. Used with permission.
Publication date: June 30, 2020
Published in: journal
ISSN: 1942-2636