analysis of security issues in cloud based smart grid3).pdf · analysis of security issues in cloud...
TRANSCRIPT
Impact factor 1.472
“International Journal for Science and Emerging ISSN No. (Online):2250-3641
Technologies with Latest Trends” 18(1): 12- 21(2014) ISSN No. (Print): 2277-8136
Analysis of Security Issues in Cloud based Smart Grid Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
*Department Of Computer Science And Engineering, Punjab Technical University
**, ***Department Of Computer Science and Engineering, Dr. B.R Ambedkar National Institute of
Technology, Jalandhar, Punjab, India
(Received 27 August 2014 Accepted 28 September 2014)
Abstract-Smart grid is maximum optimization of energy management achieved through transmission
and distribution automation, efficient use of existing network and integration of smart devices. Due to
electric power system’s own characteristics, it cannot store energy in a large scale therefore electric
generation, transmission, distribution and usage operations must be completed simultaneously. Due to
its unprecedented advantages like on demand self-service, ubiquitous computing, pay-per-use model
and scalable resources, cloud computing has become a promising model that can be integrated with
smart grid to resolve this issue. Though the advantages of cloud computing have revolutionized the IT
industry but they have also brought inherent cloud-specific security issues. Outsourcing, multitenancy
and massive data storage and intense computation abilities have posed challenges to network & web
application, availability reliability, integrity, confidentiality, virtualization, privacy, authorization,
authentication, accountability and legal & regulatory compliance. This article focuses on security
issues and countermeasures in smart grid and smart grid cloud.
Keywords- Cloud computing, Smart grid, Availability, Integrity, Confidentiality, Privacy, Repudiation
of information.
1. INTRODUCTION
The objective to make the traditional grid
infrastructure efficient, robust, intelligent
and automated by encouraging active
supply-side and demand-side participation,
promoting innovative business practices
and regulatory environments across the
entire value chain has facilitated the
emergence of Smart grid (SG). SG is
composed of a power grid and a
communication network atop the power
grid for data retrieval to fully facilitate its
functionality [1]. The smart devices in the
communication network send continuous
feedback to the SG cloud for data analysis
and decision making. The cloud fulfills the
infrastructure demand of analytic tools and
control and optimization algorithms for
self-healing, fault tolerance, load balancing,
demand response and optimal power flow
features. Moreover it also caters the
designing and deployment tools
requirement for real-time consumption
patterns, flexible tariffs and online bill
payment web applications. Strong
dependence between the power grid, SG
communication networks and SG cloud
induce new threats on this cyber-physical
system, as the adversaries may exploit the
vulnerabilities to disrupt the operations of
the SG by paralyzing or manipulating the
system. SGs are a major resource to the
national defense, and any form of attack on
these can cause havoc. The remainder of
paper is organized as follows: Section 2
mentions SG and its components. The
cloud computing and its types are reviewed
in Section 3. In Section 4 and Section 5 we
have described the security
issues/vulnerabilities and countermeasures
in SG and SG cloud respectively. Finally,
we conclude in Section 6.
2. SMART GRID
SG can be defined as an interconnected
system of information communication
technologies and control systems used to
interact with automation and business
processes across the entire power sector
encompassing electricity generation,
transmission, distribution and the consumer
Impact factor 1.472
[2]. The SG is considered as critical
information infrastructure (CII) the
incapacitation or destruction of which, shall
have debilitating impact on national
security, economy, public health or safety.
SG is the next generation electricity grid
which in contrast to traditional electricity
system provides two-way flow of electricity
and information to create an automated
distribution and transmission network.
NIST has divided the SG into seven
domains: customers, markets, service
providers, operations, bulk generation,
transmission and distribution where each
domain comprises of actors and
applications. The key components of SG
include advanced metering infrastructure
(AMI), supervisory control and data
acquisition (SCADA), smart monitoring
sensors and powerline communications
(PLC).
3. CLOUD COMPUTING
Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network
access to a shared pool of configurable
computing resources (e.g. networks,
servers, storage, applications, and services)
that can be rapidly provisioned and released
with minimal management effort or service
provider interaction [3]. It is the realization
of dream of delivering the computing as a
utility which has emerged from the
advances in field of hardware (e.g.
virtualization), internet technologies (e.g.
service-oriented architecture), distributed
computing (e.g. utility computing) and
system management (e.g. autonomic
computing). The cloud computing stack
consists of 3 layers, each representing one
service model. Infrastructure-as-a-Service
(IaaS) offered in the bottom layer is
responsible for resource aggregation,
physical management (e.g., Emulab) or
virtual management (e.g., Amazon EC2),
and service delivery in form of storage
(e.g., GoogleFS), network (e.g., Openflow),
or computational capability (e.g., Hadoop
MapReduce). The middle layer Platform-
as-a- Service (PaaS) provides capability to
the consumer to deploy onto the cloud
infrastructure acquired or consumer-created
applications using programming languages,
libraries, Mashup editors, Frameworks,
services, and tools supported by the
provider (e.g. Django, Google App Engine).
Software as a Service (SaaS) locates in the
top layer, in which a cloud provider further
confines client flexibility by merely
offering software applications as a service
[4]. In March 2009, Gartner [5] forecasted
that the worldwide cloud service market
was expected to reach $150.1 billion in
2013. Countries throughout the world
realizing the remarkable benefits and
importance of this field, are investing in
research and development of cloud
computing models. The major efforts taken
by countries include US’s Federal Cloud
Computing Strategy in February 2011,
Germany’s establishment of Europe’s
largest cloud computing centre in
Magdeburg for implementation of cloud
computing through a satellite program and
National Knowledge Network Cloud
project in India. The cloud provides the
ability to store/process enormous amount of
heterogeneous type of data generated by SG
hence can facilitate the simultaneous
execution of transmission, distribution and
usage operations.
4. SECURITY ISSUES IN SMART
GRID
SG like other well developed IT and
telecommunication systems, will be a
potential target for malicious, well-
equipped, and well-motivated adversaries.
In October 2013 National Geographic
released a docudrama titled, "American
Blackout" which dealt with a large scale
cyber attack and consequences on US’s
electrical grid. Many organizations are
currently involved with the development of
SG security requirements, including NERC
CIP (North American Electrical Reliability
Corporation – Critical Infrastructure
Protection), ISA (International Society of
Automation), NIPP (National Infrastructure
Protection Plan), IEEE (1402), and NIST-
CSCTG (Cyber Security Coordination
Task Group) [6]. The security issues in SG
can be categorized into:
13. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
4.1. Legacy Systems and Equipment
Most of the legacy systems and equipments
are installed and designed without cyber
security in mind and hence are often
integrated with other systems through
relatively unsecured modes that provides
opportunity to the attackers to exploit those
loopholes. In certain cases compatibility
issues may also be encountered during
integration [2]. Current power systems are
usually proprietary systems that provide
specific performances and functionalities
but not security [7]. Avoiding early
obsolescence is essential in SG security
development. The possible solution
includes maximizing the life-cycle of assets
through cooperation among relevant
operators and enabling backward
compatibility [6].
4.2. Device Issues
Devices like AMIs, Programmable Logical
Controllers, RTUs, and IEDs are widely
deployed in power delivery systems to
allow administrators to perform
maintenance or to dispatch functionalities
from a remote location [7]. This
arrangement provides avenues to attackers
to manipulate the device (e.g. meter
inversion) and disrupt normal operations of
the grid, such as shutting down running
devices (switching off meters) causing
blackouts. Mohammadi et al. [8] proposed a
combined anomaly and signature-based
IDS solution to monitor the smart metering
communication network by considering
various attacks targeting physical, MAC,
transport, and network layers. IEEE 1686-
2007 standard defines the functions and
features to be provided in substation
intelligent electronic devices (IEDs) to
accommodate critical infrastructure
protection programs [9]. Plug-in hybrid
electric vehicle (PHEV) can be charged at
different locations. Inaccurate billing or
unwarranted service can disrupt operations
of the market [6]. Electric vehicle standards
need to be established to overcome this
issue.
4.3. Vulnerability in SCADA Systems
The paradigm shift from proprietary
technologies to open standards and
increased web interfaces to SCADA
systems has made SCADA systems more
vulnerable to various types of network
attacks. In April 2008, the Commission to
assess the threat to the United States from
electromagnetic pulse (EMP) attack issued
a Critical Infrastructures Report which
found that SCADA systems are extremely
vulnerable to EMP event. In June 2010,
anti-virus security company VirusBlokAda
reported the first detection of malware
called Stuxnet attacking SCADA systems
(Siemens' WinCC/PCS 7 systems) running
on Windows OS that first installs a rootkit,
logs into the SCADA's database and steals
design and control files and then hides the
changes [10]. Distribution control
commands and access logs are critical for
SCADA systems. Intercepting, tampering
or forging of data damages the grid [6] [7].
Distinct and improper SCADA models may
also lead to compatibility issues and
mislead operator actions [6]. Synchronizing
time-tagged data in wide areas is also
essential for reliability of the SCADA. The
measures to overcome the mentioned issues
include ensuring all commands and log files
to be accurate and secure, use of common
time reference (GPS time stamped) for time
synchronization [6], and multi-layer
intrusion detection system implementation
[7].
4.4. Vulnerability in Customer
Interfaces
Vulnerability in customer interfaces can
also cause security problems in SG. Smart
home appliances interact with service
providers or other AMI devices through
Home area network (HAN). Once
manipulated by malicious intruders, they
could be unsafe factors in residential areas
[6]. Also energy-related information can be
revealed on IEDs or on the Internet.
Unwarranted data may misguide users
decisions [6]. The possible solution to these
issues includes providing access control to
all customer interfaces, validation of
14. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
notified information and security
improvement of hardware and software
upgrades [6].
4.5. Networking Issues
Potential security problems of networking
in SGs mainly focus on issues of the
Internet, wireless networks, and sensor
networks. Just like the Internet, multiple
networking technologies [11] (fiber optics,
land mobile radio (LMR), 3G/4G (WiMax),
RS-232/RS-485 serial links, WiFi) and
protocols [7] (ModBus, ModBus+,
ProfiBus (Process Field Bus) , ICCP (Inter-
control Center Communication Protocol),
DNP3, etc) can be utilized for the SG. But
most of them were designed for
connectivity without cyber security.
Wireless networks utilizing radio waves can
prove to be unprotected physical medium if
unauthorized users access the data causing
privacy invasion. The topological features,
Intrusion Detection System (IDS) &
Intrusion Prevention System (IPS) play an
important role in determining the network
robustness in event of cyber attack on SG
communication network. The possible
solutions include adoption of TCP/IP and
802.11i standard, VPN (IPSec), SSH,
SSL/TLS and Advanced Encryption
Standard (AES) for SG networks [6].
5. SECURITY ISSUES IN SG
CLOUD
As enterprise boundaries have been
extended to the cloud, traditional security
mechanisms are no longer suitable for
applications and data in cloud. Wikipedia
defines Cloud Computing Security as
“Cloud computing security (sometimes
referred to simply as "cloud security") is an
evolving sub-domain of computer security,
network security, and, more broadly,
information security. It refers to a broad set
of policies, technologies, and controls
deployed to protect data, applications, and
the associated infrastructure of cloud
computing.” Garter’s survey in 2009 found
that more than 70% CTOs believed that the
primary reason not to use cloud computing
services is that there are data security and
privacy concerns. According to Gartner,
before making a choice of cloud vendors,
cloud service users (CSU) should ask the
vendors for seven specific safety issues:
Privileged user access, regulatory
compliance, data location, data segregation,
recovery, investigative support and long-
term viability [12]. The Cloud Security
Alliance (CSA) has identified thirteen
domains of concerns on cloud computing
security and is gathering solution providers,
non-profits and individuals to enter into
discussion about the current and future best
practices for information assurance in the
cloud [13]. The main Security Issues in SG
Cloud include:
5.1. Availability & Reliability
The availability feature ensures that
applications or resources in cloud remains
functional even in case of intrusion. The
system should be resilient to any attack and
doesn’t completely shut down in such
event. The events like Denial of Service
(DoS) or Distributed DoS (DDoS) attack
can make the information unavailable when
it is needed the most. One way to achieve
high availability is to apply redundancy
techniques. Redundancy can be classified
into hardware redundancy, software
redundancy and time redundancy. Although
the system could receive more capabilities
by the use of redundancy technique, there
will be significant effect on the system
related to performance, size, power
consumption, etc [14]. One of approach is
triple modular redundancy (TMR) approach
which is a hardware redundancy where
three identical modules/hardware execute
the same task in parallel [14]. Also in event
of bankruptcy or Merger and Acquisitions
long-term viability of data should be
ensured in SLA. The other concern is
reliability. An unreliable system is a
liability rather than an asset for a service
provider as users are reluctant to deploy
their data or applications on it. Cloud
service provider (CSP) must deploy IDS
and IPS. Potential failure of internet
backbone is also an issue to be addressed
by the CSP and SLA must define maximum
time for which the network resources or
15. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
applications will not be available for use by
the consumer in such event.
5.2. Integrity
The cloud performs the analysis and
decision operations on huge amount of data
collected from various sensors installed in
SG. Any unauthorized modification or
insertion of false data can lead to serious
malfunction of the SG cloud. The examples
of data breach occurred in 2009 in Google
Docs, which triggered the Electronic
Privacy Information Centre for the Federal
Trade Commission to open an investigation
into Google’s cloud computing services
[15]. Another breach of integrity occurred
when Amazon S3 cloud service was
disrupted for 4 days including answering
service Quora, news services Reddit, Hoot
suite and location web site tracking service
Four Square were all affected and users
suffered from data corruption [15].
Integrity can be classified into data
integrity, hardware integrity, personal
integrity and software integrity. Server with
outdated/ misconfigured policies or which
was attacked previously with a rootkit can
act in unfaithful manner by providing
incorrect results for submitted computations
[16]. The computation integrity can be
ensured by re-computation, replication and
auditing methods. The authors in [17]
proposed a third-party auditing system to
ensure the integrity of outsourced data. The
other solutions to integrity requirements
include service level agreements (SLA)
based, multi-model based, and VM based
[18]. Moreover trusted virtual data center
(TVDC) technology can be deployed to
address the need for strong isolation and
integrity in virtualized environments [19].
5.3. Confidentiality
Data pertaining to customers and grid
equipments must be secured from
unauthorized access to prevent misuse.
While, a cloud provider may have deployed
security controls within its premises and at
the edge, it doesn’t mean that some other
customer who has a shared platform cannot
get access to competitor’s information by
means of Virtual Machine (VM)
tunneling/exploitation [20]. “Sony data
break event” in April 2011 became the
largest-ever data breach in history when
account information including names, birth
dates, email addresses and log-in
information, was compromised. The
common solution for data confidentiality is
data encryption. The CSP must consider
processing speed and computational
efficiency of encrypting large amounts of
data. Today numerous efficient partially
homomorphic cryptosystems (unpadded
RSA, ElGamal, Goldwasser-Micali,
Boneh–Goh–Nissim) and fully
homomorphic encryption (FHE) but less
efficient schemes (Gentry’s HE scheme,
DGHV and RLWE) exist [21]. CSP should
also prepare/provide virtualization and
logical isolation between/among users,
basic track record and log function to
ensure confidentiality.
5.4. Network Attacks
Most of the network attacks belong to the
Denial of Service (DoS) category. They are
generally performed by broadcasting covert
malicious codes in form of messages/email
to the internet users which lure the victims
to download and run them. The technical
issues regarding these DDoS attacks are
polymorphism and evasion. Multiple
attacks vectors are sent to the victim
infrastructures to enhance the efficiency of
the DoS in terms of delay and probability of
success. The most common vectors are
HTTP Get flood attack, SYN flood attack,
TCP connection flood on port 80 and UDP
flood attack [22]. Evasion techniques
facilitate the attackers to bypass preventive
and reactive security mechanisms. They
break into four categories packet splitting,
duplicate insertion, payload mutation,
shellcode mutation [23]. Economic denial
of sustainability (EDoS) attack is fraudulent
resource consumption (FRC) attack that
manipulates the utility pricing model and
causes unmanageable costs for cloud
customers. One of the counter measures is
to deploy DoS avoidance strategy called
service migration [24]. The strategy
dedicates an agent outside the cloud which
constantly monitors the applications to
16. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
detect any bandwidth starvation. If such
case is encountered, the application
execution on the current resources is
temporarily stopped, shifted to another
subnet of which the attacker is unaware and
then operation is resumed.
5.5. Application Level Attacks
Security flaws in the web applications
create a vulnerability to the SaaS
application that has devastating impact on
all of the customers using the cloud.
Verizon Business in their ‘Verizon
Business 2008 Data Breach Investigation
Report’ [25] reported 59% of the breaches
involve hacking. Application/service layer
attacks account for 39%, OS/platform layer
account for 23%, exploitation of known
vulnerability account for 18%, exploitation
of unknown vulnerability account for 5%
and use of backdoor account for 5% of
hacking breaches. The Open Web
Application Security Project has identified
Top 10 security risks faced by web
applications. Those threats are: injection,
broken authentication and session
management, cross-site scripting (XSS),
insecure direct object references, security
misconfiguration, sensitive data exposure,
missing function level access control, cross-
site request forgery (CSRF), using known
vulnerable components and unvalidated
redirects and forwards [26]. One key fact
that have been noticed based on the security
surveys is that application-level attacks are,
by far, more bandwidth-efficient than
network-level attacks. This is mainly
because, at the application level, attackers
often use script injection tools rather
flooding tools. In addition to it, security
weaknesses at the APIs available to CSU
are crucial since cloud provisioning,
management, orchestration, and monitoring
are all performed using these interfaces.
Integration of security in the software
development lifecycle (SDLC) is one of the
measure to protect the web applications.
5.6. Vulnerability in Virtualization
Some vulnerability has been found in all
virtualization software which can be
exploited by malicious, local users to
bypass certain security restrictions or gain
privileges [26]. It was exposed that there
was serious security vulnerability in
VMware virtualization software for Mac
version in May 2009. Microsoft's Azure
cloud computing platform also suffered a
serious outage accident for about 22 hours
[27]. A perfection of properties like
isolation, inspection and interposition is yet
to be completely achieved in VMMs.
5.7. Privacy
The co-residence of business logic and data
of one customer among distrusted cloud
servers poses a risk that personal
information (e.g., personal profile) is
disclosed to public or business competitors.
Privacy is associated with the collection,
use, disclosure, storage, and destruction of
personal data. Identification of private
information depends upon the specific
application scenario and the law. The
solutions to enhance privacy include the use
of cloud-based malware scanners and
personal data isolation techniques. Privacy
is best protected if no personal identifiable
information (PII) is stored, processed and
transferred to or from the cloud platform
but the biggest challenge in privacy
protection is to share data while protecting
personal information. Shamir introduced
secret sharing algorithm [28] as a solution
for the privacy issue.
5.8. Authentication, Authorisation
and Accountability
Data authentication assures that the
returned data is the same as the stored data.
Garfinkel claims that instead of following
Amazon’s advice that organizations encrypt
data before storing them in Amazon S3,
organizations should use HMAC [29]
technology or a digital signature to ensure
data is not modified by Amazon S3.
Authorisation is the level of privileges
assigned to a requesting entity, depending
upon its roles defined in the system. The
SaaS administrator can define roles in the
web servers, whereas the user company
should have an administrator defining roles
in the workflows and backend database
17. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
objects. NIST recommends Extensible
Access Control Mark-up Language
(XACML) and Security Assertion Mark-up
Language (SAML) as the mechanisms for
authentication and authorisation decision
making between any two cooperating
entities. Further guest accounts or stray
accounts should be strictly prohibited.
Given that the underlying systems are
owned and managed by the CSP,
technically they are the ones responsible for
any event like corruption/loss of data,
performance degradation, service
unavailability or attack on application. One
of the solutions to this issue is that the
security procedures of the hosting
framework should be co-designed by the
user company and the cloud provider. The
agreement between the CSP and the user
company should be based on the risk
assessment and impact analysis. The
accountabilities should be documented very
clearly such that there are no conflicts
during incident management.
5.9. Repudiation of Information
As data in cloud is transmitted through
various physical, logical networks/links and
is possibly exposed to inquisitive audience,
therefore the problem of information
repudiation is amplified in cloud
environment. To prevent the issue of
repudiation, the cloud provider has to
ensure that a non-repudiation enabled
protocol [30] or handshake is deployed
whereby, the engaging parties cannot
dismiss their participation in an argued
transaction. The authors in [31] used a
mechanism to reveal the visitor’s
information and made it difficult to deceive
about their identity information. Another
solution is the multi-party non-repudiation
(MPNR) protocol [32], which provide a fair
non-repudiation storage cloud and also
prevent roll-back attacks.
5.10. Loss of Data
Serious security incidents even lead to
collapse of cloud computing vendors. As
administrators’ misuse leading to loss of
45% user data, cloud storage vendor
LinkUp had been forced to close [27].
Further the CSUs should get insurance
about the business continuity and minimum
mandatory core services available in event
of security breaches and disasters. The
policy to use redundant systems and
recovery procedures should also be clearly
addressed by CSP [22].
5.11. Service Hijacking
Service hijacking allows hackers/attackers
to compromise the services like
communication streams, sessions,
ecommerce transactions and email
transactions thereby launching malicious
attacks such as phishing, fraud, and
exploitation of known vulnerabilities [33].
To mitigate this risk Defence-in-Depth
technique should be employed in order to
have security controls implemented at
various layers throughout the cloud access
path as well as within the consumer and
provider network. Sharing of account
credentials between users and services must
be prohibited [33]. In addition to it, CSP
should deploy strong authentication and
consequent authorization for legit consumer
session. Host Intrusion Prevention System
(HIPS) at consumer endpoints can also
provide resistance to zero day attacks and
attack attempts.
5.12. Legal, Regulatory and
Compliance Issues
As of today, while security standards are
well developed and defined for on premise
deployments still current cloud computing
services lack comprehensive and well
established management and legal
constraints. Compliance environments
which can support and sustain privacy and
integrity of consumer data include:
Statement on Auditing Standards 70:
Service Organizations (SAS 70), Health
Insurance Portability and Accountability
Act (HIPAA) and Payment Card Industry
Data Security Standards (PCI DSS). Ristov
et al. [34] proposed a new ISO 27001:2005
control objective, virtualization
management, with two controls covering
virtualization and virtual machines control
for cloud. Moreover different countries
18. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
have their own laws governing Data
Protection and Privacy: United Kingdom
(UK Data Protection Act 1998), France
(Processing, Data Files and Individual
Liberties Act , as amended (the “DP Act”)),
Germany(Federal Data Protection Act of
2001), European Union(European Union
Data Protection Directive of 1998, EU
Internet Privacy Law of 2002 (DIRECTIVE
2002/58/EC), United States (US Patriot
Act), Canada(The Privacy Act - July
1985 Personal Information Protection and
Electronic Data Act (PIPEDA) of 2000
(Bill C-6)), Japan(PPI Act), India
(Information Technology Act of 2000)
etc.[35] ,but international cyber law and
policies must progress/designed to help
resolve problems to multi-jurisdiction
investigations. Due to absence of any single
governing body to define a concrete
standard for cloud, many organizations and
individuals are reluctant to shift their
operations on cloud.
5.13. Security Verification in case of
VM Migration
VM Migration during hardware
maintenance, load balancing and disaster
recovery may give rise to inconsistency
issues. Jarraya et al. [36] proposed a formal
framework based on cloud calculus for the
specification of virtual machines migration
and security policies updates that can verify
that the global security policy after the
migration is consistently preserved with
respect to the initial one.
5.14. Attack on Hypervisor
Hypervisors are special purpose operating
systems that are vulnerable to the DDOS,
zero day attacks, viruses, malware, trojans,
buffer overflow and covert channels. The
Secure Hypervisor (sHype) is a hypervisor
security architecture developed by IBM
Research, in various stages of
implementation in several hypervisors [37].
Szefer et al. [38] presented the complete
design, implementation and evaluation of a
working NoHype system on today’s
commodity hardware which removes the
attack surface of the hypervisor and thus
eliminates the vector by which VMs can
exploit vulnerabilities.
6. CONCLUSION
SG is a promising model to provide
improved service quality, enhanced
reliability, reduced costs and wide customer
satisfaction. However this model is marked
with some security issues pertaining to
equipments, SCADA, network and
customer interfaces that have been explored
with description to their counter measures.
On the other hand SG can leverage the
strengths of cloud computing model: on
demand self-service, ubiquitous computing,
scalable, pay-per-use and location
independent pooling of resources.The
vulnerabilities to availability, integrity,
confidentiality, privacy, authorization,
authentication, accountability,
virtualization; legal and compliance issues
as well as attacks on applications and
networks is also discussed. The present
counter measures to these vulnerabilities
still needs further research from academia
and industry for accomplishing secure
cloud based SG.
REFERENCES
[1] Pin-Yu Chen; Shin-Ming Cheng; Kwang-
Cheng Chen, "Smart attacks in smart grid
communication networks,"Communications
Magazine, IEEE , vol.50, no.8, pp.24,29,
August 2012.
[2] FICCI, India Smart Grid Day, India Smart
Grid. [Online]. Available:
http://indiasmartgrid.org/en/Documents/Co
ntext%20of%20Smart%20Grids%20in%20
India%20%20Knowledge%20Paper%20of
%20India%20Smart%20Grid%20Day%
202013.pdf [Accessed 04 Jan. 2014].
[3] H. Takabi, J.B.D. Joshi and G.-J. Ahn,
"Security and Privacy Challenges in Cloud
Computing Environments," IEEE Security
& Privacy, vol.8, no.6, 2010, pp. 24-31.
[4] A. Lenk, M. Klems, J. Nimis, S. Tai, and T.
Sandholm, “What’s inside the Cloud? An
architectural map of the Cloud landscape,”
in Proc. CLOUD '09. ICSE Workshop on
Software Engineering Challenges of Cloud
Computing, 2009, pp. 23-31.
19. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
[5] Gartner, Gartner (2009) Worldwide Cloud
service revenue will grow 21.3 percent in
2009, Gartner, 26 Mar. 2009. [Online].
Available :
http://www.gartner.com/newsroom/id/9207
12 [Accessed 04 Jan. 2014]
[6] U.S. NIST, “Guidelines for smart grid
cyber security (vol. 1 to 3),” NIST IR-7628,
Aug. 2010, available at:
http://csrc.nist.gov/publications/PubsNISTI
Rs.html#NIST-IR-7628.
[7] D. Wei, Y. Lu, M. Jafari, P. Skare, and K.
Rohde, “An integrated security system of
protecting smart grid against cyber
attacks,” in: Innovative Smart Grid
Technologies (ISGT 2010), Gaithersburg,
MD,Jan. 2010, pp. 1-7.
[8] Beigi Mohammadi, N., Mišić, J., Mišić, V.
B. and Khazaei, H. (2014), A framework
for intrusion detection system in advanced
metering infrastructure. Security Comm.
Networks, 7: 195–205.
doi: 10.1002/sec.690
[9] J. Liu and Y. Xiao, S. Li, W. Liang and C.
L. P. Chen,“Cyber Security and Privacy
Issues in Smart Grids,” IEEE
Communications Surveys & Tutorials, vol.
14 , no. 4, 2012, pp.981 – 997.
[10] Wikipedia, SCADA , Wikipedia , 2013.
[Online]. Available:
http://en.wikipedia.org/wiki/SCADA
[Accessed 11 Jan. 2014].
[11] O. Kosut, L. Jia, R. J. Thomas, and L.
Tong, “Malicious data attacks on smart grid
state estimation: attack strategies and
countermeasures,” in:Proc. 1st IEEE
SmartGridComm 2010, Gaithersburg, MD,
Oct. 2010, pp. 220-225.
[12] Gartner, Gartner : Seven cloud-computing
security risks, InfoWorld, 02 Jul. 2008.
[Online]. Available :
http://www.infoworld.com/d/security-
central/gartner-seven-cloud-computing-
security-risks-853 [Accessed 04 Jan. 2014].
[13] Cloud Security Alliance , Cloud Security
Alliance [CSA] 2009 Security Guidance for
Critical Areas of Focus in Cloud
Computing V2.1 , 2009
[Ebook].Available:CloudSecurityAlliance,h
ttps://cloudsecurityalliance.org/research/sec
urity-guidance/ [Accessed 04 Jan. 2014].
[14] B. W. Johnson, An introduction to the
design and analysis of fault-tolerant
systems, Upper Saddle River, New Jersey:
Prentice Hall, 1995, pp. 1-84.
[15] C. Cachin, I. Keidar and A. Shraer,
"Trusting the cloud," ACM SIGACT News,
vol.40, no.2, Jun. 2009, pp. 81-86.
[16] Z. Xiao and Y. Xiao, “Security and Privacy
in Cloud Computing,” IEEE Comm.
Surveys & Tutorials, Vol.15 , no.2, Jul.
2012, pp. 843-859.
[17] C. Wang, Q. Wang, K. Ren, and W. Lou,
“Privacy-Preserving Public Auditing for
Storage Security in Cloud Computing,”
Proc.IEEE INFOCOM ’10, Mar. 2010.
[18] I. Iankoulova and M. Daneva, “Cloud
Computing Security Requirements: a
Systematic Review,” in Proc. Sixth
International Conference on Research
Challenges in Information Science (RCIS),
2012 , pp. 1-7.
[19] S. Berger, R. Caceres, K. Goldman, D.
Pendarakis, R. Perez, J.R. Rao, E. Rom, R.
Sailer, W. Schildhauer, D. Srinivasan, S.
Tal, and E. Valdez, “Security for the cloud
infrastructure: Trusted virtual data center
implementation,” IBM Journal of Research
and Development, vol. 53, no. 4, 2009.
[20] A. Nayyar, “Private Virtual Infrastructure
(PVI) Model for Cloud Computing,”
International Journal of Software
Engineering Research & Practices, vol.1,
no. 1, Jan. 2011.
[21] Wikipedia, Homomorphic encryption,
Wikipedia , 2013. [Online]. Available:
http://en.wikipedia.org/wiki/Homomorphic
_encryption [Accessed 04 Jan. 2014].
[22] M. Hamdi, “Security of Cloud Computing,
Storage, and Networking,” in Proc. 2012
International Conference on Collaboration
Technologies and Systems (CTS), 2012, pp
1-5.
[23] T-H. Cheng, Y-D. Lin, Y-C. Lai and P-C.
Lin, “Evasion Techniques: Sneaking
through Your Intrusion
Detection/Prevention Systems,” IEEE
Communications Surveys and Tutorials,
vol.14, no.4, 2012, pp. 1011-1020.
[24] H. Liu, “A New Form of DOS Attack in a
Cloud and Its Avoidance Mechanism”, in
Proc. Cloud Computing Security
Workshop, 2010, pp. 65-76.
[25] H.B. Wade ,C.D. Hylender and J.A.
Valentine, Verizon Business 2008 data
20. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***
Impact factor 1.472
breach investigation report, Verizon
Enterprises ,2008. [Online].
Available:http://www.verizonbusiness.com/
resources/security/databreachreport.pdf
[Accessed 04 Jan. 2014].
[26] OWASP, OWASP Top 10 -2013, The Ten
most critical web application
securityrisks,[Online].Availablehttps://ww
w.owasp.org/index.php/Category:OWASP_
Top_Ten_Project [Accessed 04 Jan. 2014] .
[27] D. Chen, “Data Security and Privacy
Protection Issues in Cloud Computing,” in
Proc. 2012 International Conference on
Computer Science and Electronics
Engineering (ICCSEE), 2012, pp. 647-651.
[28] A. Shamir, How to share a secret,
Commun, ACM, 22th Ed.,1979, pp. 612-
613
[29] H. Krawczyk, M. Bellare and R. Canetti,
"HMAC: Keyed-hashing for message
authentication," Citeseer, 1997, pp. 1-11.
[30] O. Markowitch and S. Kremer, “A Multi-
Party Optimistic Non-repudiation
Protocol,” in Proc. International
Conference on Information Security and
Cryptology, 2000, pp 109—122.
[31] Z. Shen and Q. Tong, “The security of
cloud computing system enabled by trusted
computing technology,” in Proc. 2nd
International Conference on Signal
Processing Systems (ICSPS), vol.2, 2010,
pp. V211-V215.
[32] J. Feng, Y. Chen and D.H. Summerville, "A
fair multi-party non-repudiation scheme for
storage clouds," in Proc. 2011
International Conference Collaboration
Technologies and Systems (CTS), 2011 , pp
457 - 465
[33] Wikipedia, Cloud computing security ,
Wikipedia , 2013. [Online]. Available:
http://en.wikipedia.org/wiki/Cloud_comput
ing_security [Accessed: 04 Jan. 2014].
[34] S.Ristov, M. Gusev, and M. Kostoska, “A
New Methodology for Security Evaluation
in Cloud Computing,” in Proc. 35th
International Convention MIPRO, 2012 ,
pp. 1484 - 1489 .
[35] Information Shield, International Privacy
Laws, Information Shield.[Online].
Available:
http://www.informationshield.com/intpriva
cylaws.html [Accessed 04 Jan. 2014].
[36] Y. Jarraya, A. Eghtesadi, and M. Debbabi ,
“Cloud Calculus: Security Verification in
Elastic Cloud Computing Platform,” in
Proc. International Conference on
Collaboration Technologies and Systems
(CTS), 2012, pp. 447 – 454.
[37] IBM, Secure Hypervisor, IBM. [Online].
Available;
http://researcher.watson.ibm.com/researche
r/view_project.php?id=2849 [Accessed 11
Jan. 2014].
[38] J. Szefer, E. Keller, R.B. Lee and J.
Rexford, “Eliminating the Hypervisor
Attack Surface for a More Secure Cloud,”
in Proc. CCS '11 Proceedings of the 18th
ACM conference on Computer and
communications security, 2011, pp.401-
412.
21. Sandeep Mehmi*, Harsh K Verma** and A L Sangal***