
Impact factor 1.472

“International Journal for Science and Emerging Technologies with Latest Trends” 18(1): 12-21 (2014)

ISSN No. (Online): 2250-3641

ISSN No. (Print): 2277-8136

Analysis of Security Issues in Cloud based Smart Grid

Sandeep Mehmi*, Harsh K Verma** and A L Sangal***

*Department of Computer Science and Engineering, Punjab Technical University

**, ***Department of Computer Science and Engineering, Dr. B.R Ambedkar National Institute of Technology, Jalandhar, Punjab, India

(Received 27 August 2014 Accepted 28 September 2014)

Abstract- Smart grid is the maximum optimization of energy management, achieved through transmission and distribution automation, efficient use of the existing network and integration of smart devices. Owing to its own characteristics, the electric power system cannot store energy on a large scale; therefore electricity generation, transmission, distribution and usage operations must be completed simultaneously. Because of its unprecedented advantages such as on-demand self-service, ubiquitous computing, a pay-per-use model and scalable resources, cloud computing has become a promising model that can be integrated with the smart grid to resolve this issue. Although the advantages of cloud computing have revolutionized the IT industry, they have also brought inherent cloud-specific security issues. Outsourcing, multitenancy, massive data storage and intense computation abilities have posed challenges to network and web applications, availability, reliability, integrity, confidentiality, virtualization, privacy, authorization, authentication, accountability and legal and regulatory compliance. This article focuses on security issues and countermeasures in smart grid and smart grid cloud.

Keywords- Cloud computing, Smart grid, Availability, Integrity, Confidentiality, Privacy, Repudiation of information.

1. INTRODUCTION

The objective of making the traditional grid infrastructure efficient, robust, intelligent and automated, by encouraging active supply-side and demand-side participation and promoting innovative business practices and regulatory environments across the entire value chain, has facilitated the emergence of the smart grid (SG). SG is composed of a power grid and a communication network atop the power grid for data retrieval to fully facilitate its functionality [1]. The smart devices in the communication network send continuous feedback to the SG cloud for data analysis and decision making. The cloud fulfills the infrastructure demand of analytic tools and of control and optimization algorithms for self-healing, fault tolerance, load balancing, demand response and optimal power flow features. Moreover, it also caters to the requirement for design and deployment tools for real-time consumption patterns, flexible tariffs and online bill payment web applications. Strong dependence between the power grid, SG communication networks and SG cloud induces new threats on this cyber-physical system, as adversaries may exploit the vulnerabilities to disrupt the operations of the SG by paralyzing or manipulating the system. SGs are a major resource to the national defense, and any form of attack on these can cause havoc. The remainder of the paper is organized as follows: Section 2 describes SG and its components. Cloud computing and its types are reviewed in Section 3. In Section 4 and Section 5 we describe the security issues/vulnerabilities and countermeasures in SG and SG cloud respectively. Finally, we conclude in Section 6.

2. SMART GRID

SG can be defined as an interconnected system of information communication technologies and control systems used to interact with automation and business processes across the entire power sector, encompassing electricity generation, transmission, distribution and the consumer [2]. The SG is considered critical information infrastructure (CII), the incapacitation or destruction of which would have a debilitating impact on national security, economy, public health or safety. SG is the next-generation electricity grid which, in contrast to the traditional electricity system, provides a two-way flow of electricity and information to create an automated distribution and transmission network. NIST has divided the SG into seven domains: customers, markets, service providers, operations, bulk generation, transmission and distribution, where each domain comprises actors and applications. The key components of SG include advanced metering infrastructure (AMI), supervisory control and data acquisition (SCADA), smart monitoring sensors and powerline communications (PLC).

3. CLOUD COMPUTING

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [3]. It is the realization of the dream of delivering computing as a utility, which has emerged from advances in the fields of hardware (e.g. virtualization), internet technologies (e.g. service-oriented architecture), distributed computing (e.g. utility computing) and system management (e.g. autonomic computing). The cloud computing stack consists of 3 layers, each representing one service model. Infrastructure-as-a-Service (IaaS), offered in the bottom layer, is responsible for resource aggregation, physical management (e.g., Emulab) or virtual management (e.g., Amazon EC2), and service delivery in the form of storage (e.g., GoogleFS), network (e.g., Openflow), or computational capability (e.g., Hadoop MapReduce). The middle layer, Platform-as-a-Service (PaaS), provides the consumer with the capability to deploy onto the cloud infrastructure acquired or consumer-created applications using programming languages, libraries, mashup editors, frameworks, services, and tools supported by the provider (e.g. Django, Google App Engine). Software-as-a-Service (SaaS) is located in the top layer, in which a cloud provider further confines client flexibility by merely offering software applications as a service [4]. In March 2009, Gartner [5] forecasted that the worldwide cloud service market was expected to reach $150.1 billion in 2013. Countries throughout the world, realizing the remarkable benefits and importance of this field, are investing in research and development of cloud computing models. The major efforts taken by countries include the US's Federal Cloud Computing Strategy in February 2011, Germany's establishment of Europe's largest cloud computing centre in Magdeburg for implementation of cloud computing through a satellite program, and the National Knowledge Network Cloud project in India. The cloud provides the ability to store and process the enormous amount of heterogeneous data generated by SG and hence can facilitate the simultaneous execution of transmission, distribution and usage operations.

4. SECURITY ISSUES IN SMART GRID

SG, like other well-developed IT and telecommunication systems, will be a potential target for malicious, well-equipped, and well-motivated adversaries. In October 2013 National Geographic released a docudrama titled "American Blackout", which dealt with a large-scale cyber attack on the US electrical grid and its consequences. Many organizations are currently involved with the development of SG security requirements, including NERC CIP (North American Electrical Reliability Corporation – Critical Infrastructure Protection), ISA (International Society of Automation), NIPP (National Infrastructure Protection Plan), IEEE (1402), and NIST-CSCTG (Cyber Security Coordination Task Group) [6]. The security issues in SG can be categorized into:


4.1. Legacy Systems and Equipment

Most legacy systems and equipment were designed and installed without cyber security in mind and hence are often integrated with other systems through relatively unsecured modes, which gives attackers the opportunity to exploit those loopholes. In certain cases compatibility issues may also be encountered during integration [2]. Current power systems are usually proprietary systems that provide specific performance and functionality but not security [7]. Avoiding early obsolescence is essential in SG security development. The possible solution includes maximizing the life-cycle of assets through cooperation among relevant operators and enabling backward compatibility [6].

4.2. Device Issues

Devices like AMIs, Programmable Logic Controllers, RTUs, and IEDs are widely deployed in power delivery systems to allow administrators to perform maintenance or to dispatch functionalities from a remote location [7]. This arrangement gives attackers avenues to manipulate the device (e.g. meter inversion) and disrupt normal operations of the grid, such as shutting down running devices (switching off meters), causing blackouts. Mohammadi et al. [8] proposed a combined anomaly and signature-based IDS solution to monitor the smart metering communication network by considering various attacks targeting physical, MAC, transport, and network layers. The IEEE 1686-2007 standard defines the functions and features to be provided in substation intelligent electronic devices (IEDs) to accommodate critical infrastructure protection programs [9]. Plug-in hybrid electric vehicles (PHEVs) can be charged at different locations. Inaccurate billing or unwarranted service can disrupt operations of the market [6]. Electric vehicle standards need to be established to overcome this issue.

4.3. Vulnerability in SCADA Systems

The paradigm shift from proprietary technologies to open standards and the increase in web interfaces to SCADA systems have made SCADA systems more vulnerable to various types of network attacks. In April 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack issued a Critical Infrastructures Report which found that SCADA systems are extremely vulnerable to an EMP event. In June 2010, anti-virus security company VirusBlokAda reported the first detection of malware called Stuxnet attacking SCADA systems (Siemens' WinCC/PCS 7 systems) running on Windows OS; it first installs a rootkit, logs into the SCADA's database and steals design and control files, and then hides the changes [10]. Distribution control commands and access logs are critical for SCADA systems. Intercepting, tampering with or forging data damages the grid [6] [7]. Distinct and improper SCADA models may also lead to compatibility issues and mislead operator actions [6]. Synchronizing time-tagged data over wide areas is also essential for the reliability of SCADA. The measures to overcome the mentioned issues include ensuring that all commands and log files are accurate and secure, use of a common time reference (GPS time stamped) for time synchronization [6], and multi-layer intrusion detection system implementation [7].

4.4. Vulnerability in Customer Interfaces

Vulnerability in customer interfaces can also cause security problems in SG. Smart home appliances interact with service providers or other AMI devices through the home area network (HAN). Once manipulated by malicious intruders, they could be unsafe factors in residential areas [6]. Also, energy-related information can be revealed on IEDs or on the Internet. Unwarranted data may misguide users' decisions [6]. The possible solution to these issues includes providing access control to all customer interfaces, validation of notified information, and security improvement of hardware and software upgrades [6].

4.5. Networking Issues

Potential security problems of networking in SGs mainly concern the Internet, wireless networks, and sensor networks. Just as on the Internet, multiple networking technologies [11] (fiber optics, land mobile radio (LMR), 3G/4G (WiMax), RS-232/RS-485 serial links, WiFi) and protocols [7] (ModBus, ModBus+, ProfiBus (Process Field Bus), ICCP (Inter-control Center Communication Protocol), DNP3, etc.) can be utilized for the SG. But most of them were designed for connectivity without cyber security. Wireless networks utilizing radio waves can prove to be an unprotected physical medium if unauthorized users access the data, causing privacy invasion. The topological features, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) play an important role in determining the network robustness in the event of a cyber attack on the SG communication network. The possible solutions include adoption of TCP/IP and the 802.11i standard, VPN (IPSec), SSH, SSL/TLS and Advanced Encryption Standard (AES) for SG networks [6].

5. SECURITY ISSUES IN SG CLOUD

As enterprise boundaries have been extended to the cloud, traditional security mechanisms are no longer suitable for applications and data in the cloud. Wikipedia defines cloud computing security as follows: “Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.” Gartner's survey in 2009 found that more than 70% of CTOs believed that the primary reason not to use cloud computing services is data security and privacy concerns. According to Gartner, before making a choice of cloud vendors, cloud service users (CSU) should ask the vendors about seven specific safety issues: privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support and long-term viability [12]. The Cloud Security Alliance (CSA) has identified thirteen domains of concern on cloud computing security and is gathering solution providers, non-profits and individuals to enter into discussion about the current and future best practices for information assurance in the cloud [13]. The main security issues in SG cloud include:

5.1. Availability & Reliability

The availability feature ensures that applications or resources in the cloud remain functional even in case of intrusion. The system should be resilient to any attack and should not completely shut down in such an event. Events like a Denial of Service (DoS) or Distributed DoS (DDoS) attack can make the information unavailable when it is needed the most. One way to achieve high availability is to apply redundancy techniques. Redundancy can be classified into hardware redundancy, software redundancy and time redundancy. Although the system could receive more capabilities by the use of redundancy techniques, there will be a significant effect on the system related to performance, size, power consumption, etc. [14]. One approach is triple modular redundancy (TMR), a hardware redundancy technique where three identical modules/hardware execute the same task in parallel [14]. Also, in the event of bankruptcy or mergers and acquisitions, long-term viability of data should be ensured in the SLA. The other concern is reliability. An unreliable system is a liability rather than an asset for a service provider, as users are reluctant to deploy their data or applications on it. The cloud service provider (CSP) must deploy IDS and IPS. Potential failure of the internet backbone is also an issue to be addressed by the CSP, and the SLA must define the maximum time for which the network resources or applications will not be available for use by the consumer in such an event.

5.2. Integrity

The cloud performs analysis and decision operations on the huge amount of data collected from various sensors installed in the SG. Any unauthorized modification or insertion of false data can lead to serious malfunction of the SG cloud. An example is the data breach that occurred in 2009 in Google Docs, which triggered the Electronic Privacy Information Centre for the Federal Trade Commission to open an investigation into Google's cloud computing services [15]. Another breach of integrity occurred when the Amazon S3 cloud service was disrupted for 4 days; the answering service Quora, news services Reddit, Hootsuite and the location web site tracking service Foursquare were all affected, and users suffered from data corruption [15]. Integrity can be classified into data integrity, hardware integrity, personal integrity and software integrity. A server with outdated or misconfigured policies, or one which was previously attacked with a rootkit, can act in an unfaithful manner by providing incorrect results for submitted computations [16]. Computation integrity can be ensured by re-computation, replication and auditing methods. The authors in [17] proposed a third-party auditing system to ensure the integrity of outsourced data. The other solutions to integrity requirements include service level agreement (SLA) based, multi-model based, and VM based approaches [18]. Moreover, trusted virtual data center (TVDC) technology can be deployed to address the need for strong isolation and integrity in virtualized environments [19].

5.3. Confidentiality

Data pertaining to customers and grid equipment must be secured from unauthorized access to prevent misuse. While a cloud provider may have deployed security controls within its premises and at the edge, it doesn't mean that some other customer who shares the platform cannot get access to a competitor's information by means of Virtual Machine (VM) tunneling/exploitation [20]. The “Sony data break event” in April 2011 became the largest-ever data breach in history when account information including names, birth dates, email addresses and log-in information was compromised. The common solution for data confidentiality is data encryption. The CSP must consider the processing speed and computational efficiency of encrypting large amounts of data. Today numerous efficient partially homomorphic cryptosystems (unpadded RSA, ElGamal, Goldwasser-Micali, Boneh–Goh–Nissim) and less efficient fully homomorphic encryption (FHE) schemes (Gentry's HE scheme, DGHV and RLWE) exist [21]. The CSP should also provide virtualization and logical isolation between users, and basic track record and log functions, to ensure confidentiality.
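
To make "partially homomorphic" concrete, the following added example (not code from the paper) uses ElGamal with the reading placed in the exponent, so that multiplying ciphertexts adds the underlying smart meter readings and the cloud can total them without decrypting any single one. It goes slightly beyond the text, since textbook ElGamal is multiplicatively homomorphic; the toy 12-bit group (far too small for real use), the function names and the sample readings are assumptions of this example.

```python
import secrets
from functools import reduce

# Toy group (assumption, far too small for real use): P = 2*Q + 1 with P and Q
# prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2579, 1289, 4


def keygen():
    """Utility's key pair: private x in [1, Q-1], public h = G^x mod P."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def encrypt(pub, reading):
    """Meter side: encrypt an integer reading as (G^r, G^reading * pub^r)."""
    if not 0 <= reading < Q:
        raise ValueError("reading outside the toy message space")
    r = 1 + secrets.randbelow(Q - 1)          # fresh randomness per ciphertext
    return pow(G, r, P), (pow(G, reading, P) * pow(pub, r, P)) % P


def add_encrypted(a, b):
    """Cloud side: multiplying ciphertexts component-wise adds the plaintexts."""
    return (a[0] * b[0]) % P, (a[1] * b[1]) % P


def aggregate(ciphertexts):
    """Cloud side: encrypted total of all readings, computed without the private key."""
    return reduce(add_encrypted, ciphertexts)


def decrypt_total(priv, ct, max_total=Q - 1):
    """Utility side: strip the mask to get G^total, then search the small range."""
    mask = pow(ct[0], priv, P)
    g_total = (ct[1] * pow(mask, -1, P)) % P
    acc = 1
    for total in range(max_total + 1):
        if acc == g_total:
            return total
        acc = (acc * G) % P
    raise ValueError("total outside the searched range")


def demo():
    """Five meters encrypt, the cloud aggregates, the utility decrypts the sum."""
    readings = [120, 75, 230, 98, 310]        # constructed watt-hour readings
    priv, pub = keygen()
    encrypted = [encrypt(pub, r) for r in readings]
    return decrypt_total(priv, aggregate(encrypted))


if __name__ == "__main__":
    print(demo())
```

Totals wrap modulo Q, so the message space has to exceed the largest sum the aggregator can produce.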

5.4. Network Attacks

Most network attacks belong to the Denial of Service (DoS) category. They are generally performed by broadcasting covert malicious code in the form of messages/email to internet users, luring the victims to download and run it. The technical issues regarding these DDoS attacks are polymorphism and evasion. Multiple attack vectors are sent to the victim infrastructure to enhance the efficiency of the DoS in terms of delay and probability of success. The most common vectors are HTTP GET flood, SYN flood, TCP connection flood on port 80 and UDP flood attacks [22]. Evasion techniques enable attackers to bypass preventive and reactive security mechanisms. They fall into four categories: packet splitting, duplicate insertion, payload mutation and shellcode mutation [23]. An economic denial of sustainability (EDoS) attack is a fraudulent resource consumption (FRC) attack that manipulates the utility pricing model and causes unmanageable costs for cloud customers. One of the countermeasures is to deploy a DoS avoidance strategy called service migration [24]. The strategy dedicates an agent outside the cloud which constantly monitors the applications to detect any bandwidth starvation. If such a case is encountered, the application execution on the current resources is temporarily stopped, shifted to another subnet of which the attacker is unaware, and then operation is resumed.

5.5. Application Level Attacks

Security flaws in web applications create a vulnerability in the SaaS application that has a devastating impact on all of the customers using the cloud. Verizon Business, in its ‘Verizon Business 2008 Data Breach Investigation Report’ [25], reported that 59% of the breaches involve hacking. Application/service layer attacks account for 39%, OS/platform layer attacks for 23%, exploitation of known vulnerabilities for 18%, exploitation of unknown vulnerabilities for 5% and use of backdoors for 5% of hacking breaches. The Open Web Application Security Project has identified the Top 10 security risks faced by web applications. Those threats are: injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery (CSRF), using known vulnerable components and unvalidated redirects and forwards [26]. One key fact that has been noticed based on the security surveys is that application-level attacks are, by far, more bandwidth-efficient than network-level attacks. This is mainly because, at the application level, attackers often use script injection tools rather than flooding tools. In addition, security weaknesses in the APIs available to CSUs are crucial, since cloud provisioning, management, orchestration, and monitoring are all performed using these interfaces. Integration of security in the software development lifecycle (SDLC) is one of the measures to protect web applications.

5.6. Vulnerability in Virtualization

Some vulnerabilities have been found in all virtualization software which can be exploited by malicious local users to bypass certain security restrictions or gain privileges [26]. A serious security vulnerability in the Mac version of VMware virtualization software was exposed in May 2009. Microsoft's Azure cloud computing platform also suffered a serious outage for about 22 hours [27]. Perfection of properties like isolation, inspection and interposition is yet to be completely achieved in VMMs.

5.7. Privacy

The co-residence of the business logic and data of one customer among distrusted cloud servers poses a risk that personal information (e.g., personal profile) is disclosed to the public or to business competitors. Privacy is associated with the collection, use, disclosure, storage, and destruction of personal data. Identification of private information depends upon the specific application scenario and the law. The solutions to enhance privacy include the use of cloud-based malware scanners and personal data isolation techniques. Privacy is best protected if no personally identifiable information (PII) is stored, processed or transferred to or from the cloud platform, but the biggest challenge in privacy protection is to share data while protecting personal information. Shamir introduced a secret sharing algorithm [28] as a solution for the privacy issue.

5.8. Authentication, Authorisation and Accountability

Data authentication assures that the returned data is the same as the stored data. Garfinkel claims that instead of following Amazon's advice that organizations encrypt data before storing them in Amazon S3, organizations should use HMAC [29] technology or a digital signature to ensure data is not modified by Amazon S3.
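
The HMAC check described above can be sketched as follows (an added example, not code from the paper or from Amazon): the data owner keeps the HMAC key outside the cloud, tags each object before upload and verifies the tag on download. The in-memory `UntrustedStore`, the object names, and binding the tag to the object name and a locally tracked version number are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


class IntegrityError(Exception):
    """Raised when a downloaded object fails verification."""


def make_tag(key, object_key, version, data):
    """HMAC-SHA256 over a length-prefixed encoding of (name, version, data)."""
    name = object_key.encode("utf-8")
    msg = struct.pack(">I", len(name)) + name + struct.pack(">Q", version) + data
    return hmac.new(key, msg, hashlib.sha256).digest()


class UntrustedStore:
    """Stand-in for a cloud bucket (constructed for this example)."""

    def __init__(self):
        self.blobs = {}

    def put(self, object_key, blob):
        self.blobs[object_key] = blob

    def get(self, object_key):
        return self.blobs[object_key]


class IntegrityClient:
    """Data owner's side: the HMAC key and the version table never leave it."""

    def __init__(self, store, key):
        self.store = store
        self.key = key
        self.latest = {}          # object name -> last version uploaded

    def upload(self, object_key, data):
        version = self.latest.get(object_key, 0) + 1
        tag = make_tag(self.key, object_key, version, data)
        self.store.put(object_key, struct.pack(">Q", version) + tag + data)
        self.latest[object_key] = version

    def download(self, object_key):
        blob = self.store.get(object_key)
        if len(blob) < 8 + TAG_LEN:
            raise IntegrityError("truncated object")
        version = struct.unpack(">Q", blob[:8])[0]
        tag, data = blob[8:8 + TAG_LEN], blob[8 + TAG_LEN:]
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, make_tag(self.key, object_key, version, data)):
            raise IntegrityError("tag mismatch")
        if version != self.latest.get(object_key):
            raise IntegrityError("stale version")
        return data


def status(client, object_key):
    """Return 'ok' or the reason verification failed."""
    try:
        client.download(object_key)
        return "ok"
    except IntegrityError as exc:
        return str(exc)


def demo():
    """Constructed scenario: what the owner sees when the store misbehaves."""
    store = UntrustedStore()
    client = IntegrityClient(store, secrets.token_bytes(32))
    readings, tariff = "meters/feeder-7.csv", "tariffs/current.json"
    client.upload(readings, b"meter_id,kwh\n42,13.7\n")
    client.upload(tariff, b'{"peak": 7.5}')
    results = {"untouched": status(client, readings)}

    v1 = store.get(readings)
    store.put(readings, v1[:-1] + bytes([v1[-1] ^ 1]))   # one bit changed in storage
    results["modified"] = status(client, readings)

    store.put(readings, store.get(tariff))               # a different object is served
    results["swapped"] = status(client, readings)

    store.put(readings, v1)
    client.upload(readings, b"meter_id,kwh\n42,14.1\n")  # owner writes version 2
    store.put(readings, v1)                              # version 1 is served again
    results["rolled_back"] = status(client, readings)
    return results
```

An HMAC alone only proves that the key holder produced the bytes; including the object name and a version kept by the owner is what lets the check also catch a substituted or outdated object.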

Authorisation is the level of privileges assigned to a requesting entity, depending upon its roles defined in the system. The SaaS administrator can define roles in the web servers, whereas the user company should have an administrator defining roles in the workflows and backend database objects. NIST recommends Extensible Access Control Mark-up Language (XACML) and Security Assertion Mark-up Language (SAML) as the mechanisms for authentication and authorisation decision making between any two cooperating entities. Further, guest accounts or stray accounts should be strictly prohibited. Given that the underlying systems are owned and managed by the CSP, technically they are the ones responsible for any event like corruption/loss of data, performance degradation, service unavailability or attack on an application. One of the solutions to this issue is that the security procedures of the hosting framework should be co-designed by the user company and the cloud provider. The agreement between the CSP and the user company should be based on risk assessment and impact analysis. The accountabilities should be documented very clearly such that there are no conflicts during incident management.

5.9. Repudiation of Information

As data in the cloud is transmitted through various physical and logical networks/links and is possibly exposed to an inquisitive audience, the problem of information repudiation is amplified in the cloud environment. To prevent repudiation, the cloud provider has to ensure that a non-repudiation enabled protocol [30] or handshake is deployed, whereby the engaging parties cannot deny their participation in a disputed transaction. The authors in [31] used a mechanism to reveal the visitor's information and made it difficult to deceive about their identity information. Another solution is the multi-party non-repudiation (MPNR) protocol [32], which provides a fair non-repudiation storage cloud and also prevents roll-back attacks.

5.10. Loss of Data

Serious security incidents can even lead to the collapse of cloud computing vendors. As administrators' misuse led to the loss of 45% of user data, cloud storage vendor LinkUp was forced to close [27]. Further, the CSUs should get insurance about business continuity and the minimum mandatory core services available in the event of security breaches and disasters. The policy to use redundant systems and recovery procedures should also be clearly addressed by the CSP [22].

5.11. Service Hijacking

Service hijacking allows hackers/attackers to compromise services like communication streams, sessions, ecommerce transactions and email transactions, thereby launching malicious attacks such as phishing, fraud, and exploitation of known vulnerabilities [33]. To mitigate this risk, the Defence-in-Depth technique should be employed in order to have security controls implemented at various layers throughout the cloud access path as well as within the consumer and provider networks. Sharing of account credentials between users and services must be prohibited [33]. In addition, the CSP should deploy strong authentication and consequent authorization for legitimate consumer sessions. A Host Intrusion Prevention System (HIPS) at consumer endpoints can also provide resistance to zero-day attacks and attack attempts.

5.12. Legal, Regulatory and Compliance Issues

As of today, while security standards are well developed and defined for on-premise deployments, current cloud computing services still lack comprehensive and well-established management and legal constraints. Compliance environments which can support and sustain privacy and integrity of consumer data include: Statement on Auditing Standards 70: Service Organizations (SAS 70), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standards (PCI DSS). Ristov et al. [34] proposed a new ISO 27001:2005 control objective, virtualization management, with two controls covering virtualization and virtual machines control for cloud. Moreover, different countries have their own laws governing data protection and privacy: United Kingdom (UK Data Protection Act 1998), France (Processing, Data Files and Individual Liberties Act, as amended (the “DP Act”)), Germany (Federal Data Protection Act of 2001), European Union (European Union Data Protection Directive of 1998, EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)), United States (US Patriot Act), Canada (The Privacy Act - July 1985, Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6)), Japan (PPI Act), India (Information Technology Act of 2000), etc. [35], but international cyber law and policies must progress or be designed to help resolve the problems of multi-jurisdiction investigations. Due to the absence of any single governing body to define a concrete standard for cloud, many organizations and individuals are reluctant to shift their operations to the cloud.

5.13. Security Verification in case of VM Migration

VM migration during hardware maintenance, load balancing and disaster recovery may give rise to inconsistency issues. Jarraya et al. [36] proposed a formal framework based on cloud calculus for the specification of virtual machine migration and security policy updates that can verify that the global security policy after the migration is consistently preserved with respect to the initial one.

5.14. Attack on Hypervisor

Hypervisors are special-purpose operating systems that are vulnerable to DDoS, zero-day attacks, viruses, malware, trojans, buffer overflows and covert channels. The Secure Hypervisor (sHype) is a hypervisor security architecture developed by IBM Research, in various stages of implementation in several hypervisors [37]. Szefer et al. [38] presented the complete design, implementation and evaluation of a working NoHype system on today's commodity hardware, which removes the attack surface of the hypervisor and thus eliminates the vector by which VMs can exploit vulnerabilities.

6. CONCLUSION

SG is a promising model to provide improved service quality, enhanced reliability, reduced costs and wide customer satisfaction. However, this model is marked by some security issues pertaining to equipment, SCADA, network and customer interfaces, which have been explored along with their countermeasures. On the other hand, SG can leverage the strengths of the cloud computing model: on-demand self-service, ubiquitous computing, scalability, pay-per-use and location-independent pooling of resources. The vulnerabilities relating to availability, integrity, confidentiality, privacy, authorization, authentication, accountability and virtualization, legal and compliance issues, as well as attacks on applications and networks, are also discussed. The present countermeasures to these vulnerabilities still need further research from academia and industry to accomplish a secure cloud-based SG.

REFERENCES

[1] Pin-Yu Chen; Shin-Ming Cheng; Kwang-Cheng Chen, "Smart attacks in smart grid communication networks," Communications Magazine, IEEE, vol.50, no.8, pp.24,29, August 2012.

[2] FICCI, India Smart Grid Day, India Smart Grid. [Online]. Available: http://indiasmartgrid.org/en/Documents/Context%20of%20Smart%20Grids%20in%20India%20%20Knowledge%20Paper%20of%20India%20Smart%20Grid%20Day%202013.pdf [Accessed 04 Jan. 2014].

[3] H. Takabi, J.B.D. Joshi and G.-J. Ahn, "Security and Privacy Challenges in Cloud Computing Environments," IEEE Security & Privacy, vol.8, no.6, 2010, pp. 24-31.

[4] A. Lenk, M. Klems, J. Nimis, S. Tai, and T. Sandholm, “What’s inside the Cloud? An architectural map of the Cloud landscape,” in Proc. CLOUD '09. ICSE Workshop on Software Engineering Challenges of Cloud Computing, 2009, pp. 23-31.


[5] Gartner, Gartner (2009) Worldwide Cloud service revenue will grow 21.3 percent in 2009, Gartner, 26 Mar. 2009. [Online]. Available: http://www.gartner.com/newsroom/id/920712 [Accessed 04 Jan. 2014].

[6] U.S. NIST, “Guidelines for smart grid cyber security (vol. 1 to 3),” NIST IR-7628, Aug. 2010, available at: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628.

[7] D. Wei, Y. Lu, M. Jafari, P. Skare, and K. Rohde, “An integrated security system of protecting smart grid against cyber attacks,” in: Innovative Smart Grid Technologies (ISGT 2010), Gaithersburg, MD, Jan. 2010, pp. 1-7.

[8] Beigi Mohammadi, N., Mišić, J., Mišić, V. B. and Khazaei, H. (2014), A framework for intrusion detection system in advanced metering infrastructure. Security Comm. Networks, 7: 195-205. doi: 10.1002/sec.690

[9] J. Liu and Y. Xiao, S. Li, W. Liang and C. L. P. Chen, “Cyber Security and Privacy Issues in Smart Grids,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, 2012, pp. 981-997.

[10] Wikipedia, SCADA, Wikipedia, 2013. [Online]. Available: http://en.wikipedia.org/wiki/SCADA [Accessed 11 Jan. 2014].

[11] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks on smart grid state estimation: attack strategies and countermeasures,” in: Proc. 1st IEEE SmartGridComm 2010, Gaithersburg, MD, Oct. 2010, pp. 220-225.

[12] Gartner, Gartner: Seven cloud-computing security risks, InfoWorld, 02 Jul. 2008. [Online]. Available: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853 [Accessed 04 Jan. 2014].

[13] Cloud Security Alliance, Cloud Security Alliance [CSA] 2009 Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 2009 [Ebook]. Available: Cloud Security Alliance, https://cloudsecurityalliance.org/research/security-guidance/ [Accessed 04 Jan. 2014].

[14] B. W. Johnson, An introduction to the design and analysis of fault-tolerant systems, Upper Saddle River, New Jersey: Prentice Hall, 1995, pp. 1-84.

[15] C. Cachin, I. Keidar and A. Shraer, "Trusting the cloud," ACM SIGACT News, vol.40, no.2, Jun. 2009, pp. 81-86.

[16] Z. Xiao and Y. Xiao, “Security and Privacy in Cloud Computing,” IEEE Comm. Surveys & Tutorials, Vol.15, no.2, Jul. 2012, pp. 843-859.

[17] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-Preserving Public Auditing for Storage Security in Cloud Computing,” Proc. IEEE INFOCOM ’10, Mar. 2010.

[18] I. Iankoulova and M. Daneva, “Cloud Computing Security Requirements: a Systematic Review,” in Proc. Sixth International Conference on Research Challenges in Information Science (RCIS), 2012, pp. 1-7.

[19] S. Berger, R. Caceres, K. Goldman, D. Pendarakis, R. Perez, J.R. Rao, E. Rom, R. Sailer, W. Schildhauer, D. Srinivasan, S. Tal, and E. Valdez, “Security for the cloud infrastructure: Trusted virtual data center implementation,” IBM Journal of Research and Development, vol. 53, no. 4, 2009.

[20] A. Nayyar, “Private Virtual Infrastructure (PVI) Model for Cloud Computing,” International Journal of Software Engineering Research & Practices, vol.1, no. 1, Jan. 2011.

[21] Wikipedia, Homomorphic encryption, Wikipedia, 2013. [Online]. Available: http://en.wikipedia.org/wiki/Homomorphic_encryption [Accessed 04 Jan. 2014].

[22] M. Hamdi, “Security of Cloud Computing, Storage, and Networking,” in Proc. 2012 International Conference on Collaboration Technologies and Systems (CTS), 2012, pp. 1-5.

[23] T-H. Cheng, Y-D. Lin, Y-C. Lai and P-C. Lin, “Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems,” IEEE Communications Surveys and Tutorials, vol.14, no.4, 2012, pp. 1011-1020.

[24] H. Liu, “A New Form of DOS Attack in a Cloud and Its Avoidance Mechanism”, in Proc. Cloud Computing Security Workshop, 2010, pp. 65-76.

[25] H.B. Wade, C.D. Hylender and J.A. Valentine, Verizon Business 2008 data breach investigation report, Verizon Enterprises, 2008. [Online]. Available: http://www.verizonbusiness.com/resources/security/databreachreport.pdf [Accessed 04 Jan. 2014].

[26] OWASP, OWASP Top 10 - 2013, The Ten most critical web application security risks, [Online]. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project [Accessed 04 Jan. 2014].

[27] D. Chen, “Data Security and Privacy Protection Issues in Cloud Computing,” in Proc. 2012 International Conference on Computer Science and Electronics Engineering (ICCSEE), 2012, pp. 647-651.

[28] A. Shamir, How to share a secret, Commun, ACM, 22th Ed., 1979, pp. 612-613.

[29] H. Krawczyk, M. Bellare and R. Canetti, "HMAC: Keyed-hashing for message authentication," Citeseer, 1997, pp. 1-11.

[30] O. Markowitch and S. Kremer, “A Multi-Party Optimistic Non-repudiation Protocol,” in Proc. International Conference on Information Security and Cryptology, 2000, pp. 109-122.

[31] Z. Shen and Q. Tong, “The security of cloud computing system enabled by trusted computing technology,” in Proc. 2nd International Conference on Signal Processing Systems (ICSPS), vol.2, 2010, pp. V211-V215.

[32] J. Feng, Y. Chen and D.H. Summerville, "A fair multi-party non-repudiation scheme for storage clouds," in Proc. 2011 International Conference Collaboration Technologies and Systems (CTS), 2011, pp. 457-465.

[33] Wikipedia, Cloud computing security, Wikipedia, 2013. [Online]. Available: http://en.wikipedia.org/wiki/Cloud_computing_security [Accessed: 04 Jan. 2014].

[34] S. Ristov, M. Gusev, and M. Kostoska, “A New Methodology for Security Evaluation in Cloud Computing,” in Proc. 35th International Convention MIPRO, 2012, pp. 1484-1489.

[35] Information Shield, International Privacy Laws, Information Shield. [Online]. Available: http://www.informationshield.com/intprivacylaws.html [Accessed 04 Jan. 2014].

[36] Y. Jarraya, A. Eghtesadi, and M. Debbabi, “Cloud Calculus: Security Verification in Elastic Cloud Computing Platform,” in Proc. International Conference on Collaboration Technologies and Systems (CTS), 2012, pp. 447-454.

[37] IBM, Secure Hypervisor, IBM. [Online]. Available: http://researcher.watson.ibm.com/researcher/view_project.php?id=2849 [Accessed 11 Jan. 2014].

[38] J. Szefer, E. Keller, R.B. Lee and J. Rexford, “Eliminating the Hypervisor Attack Surface for a More Secure Cloud,” in Proc. CCS '11 Proceedings of the 18th ACM conference on Computer and communications security, 2011, pp. 401-412.
