Smarter leveraging of the power grid to substantially improve security of distributed systems via a control plane data communication network over the smart power grid

US 8,918,639 B2
Filed: 12/19/2013
Issued: 12/23/2014
Est. Priority Date: 06/01/2009
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating instructions sent to a control plane of a real-time monitoring or control system, comprising the steps of:

receiving via a regular or usual in-band communication network, an instruction at a control plane entity to modify an operating parameter of a facility or a system;

issuing by the control plane entity, a challenge to the source that sent the instruction to modify the operating parameter, to prove that the source is at a pre-designated safe location authorized to issue instructions to modify the operating parameter, in response to the challenge, furnishing by the source, a location certificate from a Power Grid Location Server (PGLS);

relaying the instruction and the operating parameter before and after the requested modification, to one of a plurality of Human-Authorization-Detector (HAD) devices, wherein the HAD device is located at the pre-designated safe location;

displaying on the HAD device at least some data associated with either the instruction, the operating parameter, or both, and requesting an input to accept or deny a location certificate request, wherein the input can be given only by physically interacting with the HAD device;

receiving the input at the HAD device, and in the case of an input to accept, generating by the HAD device, at least one cryptographically secure unique token to be bound to the location certificate request and relaying the location certificate request and the operating parameter along with timestamps and the secure unique token to one of a plurality of electric power meter located at the same structure the HAD device is located;

cryptographically verifying, by the electric power meter, the secure unique token using a secret seed and key values it shares with the HAD device, and appending a plurality of timestamps, identifiers, credentials and cryptographic authentication tokens, all of which are owned by the electric power meter;

transmitting, by the electric power meter, the location certificate request to the PGLS over an out-of-band communication channel that spans at least some portion of a electric power grid connected to the electric power meter on an upstream side;

verifying, by the PGLS, a out-of-band path including the location of the electric power meter then constructing a digitally signed location certificate for the location certificate requested which includes the instruction and the operating parameter it seeks to modify, in plain or encrypted format;

sending at least two copies of the digitally signed location certificate, each copy being sent via two distinct paths, wherein, the first path traverses a forward path through the HAD device, the electric power meter, and at least some portion of the upstream side and wherein the second path traverses a reverse direction path back through the at least some portion of the electric power grid, to the electric power meter, to the HAD device, to the source of the request, which then sends the digitally signed location certificate to the control plane entity that issued the challenge and wherein the second path does not include the at least some portion of the upstream side, the electric power meter and the HAD device that are included in the first path; and

causing, by the control plane entity, the operating parameter to be modified, only after verifying the digitally signed location certificate and confirming that the two copies of the digitally signed location certificates received via the first and second paths match and are consistent with the original instruction.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure communications and location authorization system using a power line or a portion thereof as a side-channel that mitigates man-in-the-middle attacks on communications networks and devices connected to those networks. The system includes a power grid server associated with a substation, or curb-side distribution structure such as a transformer, an electric meter associated with a structure having electric service and able to communicate with the power grid server, a human authorization detector input device connected to the electric meter and the power grid server. The human authorization detector is able to receive an input from a user physically located at the structure and capable of communicating with the power grid server via the electric meter. The user'"'"'s physical input into the device causing a request to be sent to the power grid server that then generates a location certificate for the user. Without the location certificate, access to the communications network and devices connected to those networks can be denied.

Citations

20 Claims

1. A method for authenticating instructions sent to a control plane of a real-time monitoring or control system, comprising the steps of:
- receiving via a regular or usual in-band communication network, an instruction at a control plane entity to modify an operating parameter of a facility or a system;
  
  issuing by the control plane entity, a challenge to the source that sent the instruction to modify the operating parameter, to prove that the source is at a pre-designated safe location authorized to issue instructions to modify the operating parameter, in response to the challenge, furnishing by the source, a location certificate from a Power Grid Location Server (PGLS);
  
  relaying the instruction and the operating parameter before and after the requested modification, to one of a plurality of Human-Authorization-Detector (HAD) devices, wherein the HAD device is located at the pre-designated safe location;
  
  displaying on the HAD device at least some data associated with either the instruction, the operating parameter, or both, and requesting an input to accept or deny a location certificate request, wherein the input can be given only by physically interacting with the HAD device;
  
  receiving the input at the HAD device, and in the case of an input to accept, generating by the HAD device, at least one cryptographically secure unique token to be bound to the location certificate request and relaying the location certificate request and the operating parameter along with timestamps and the secure unique token to one of a plurality of electric power meter located at the same structure the HAD device is located;
  
  cryptographically verifying, by the electric power meter, the secure unique token using a secret seed and key values it shares with the HAD device, and appending a plurality of timestamps, identifiers, credentials and cryptographic authentication tokens, all of which are owned by the electric power meter;
  
  transmitting, by the electric power meter, the location certificate request to the PGLS over an out-of-band communication channel that spans at least some portion of a electric power grid connected to the electric power meter on an upstream side;
  
  verifying, by the PGLS, a out-of-band path including the location of the electric power meter then constructing a digitally signed location certificate for the location certificate requested which includes the instruction and the operating parameter it seeks to modify, in plain or encrypted format;
  
  sending at least two copies of the digitally signed location certificate, each copy being sent via two distinct paths, wherein, the first path traverses a forward path through the HAD device, the electric power meter, and at least some portion of the upstream side and wherein the second path traverses a reverse direction path back through the at least some portion of the electric power grid, to the electric power meter, to the HAD device, to the source of the request, which then sends the digitally signed location certificate to the control plane entity that issued the challenge and wherein the second path does not include the at least some portion of the upstream side, the electric power meter and the HAD device that are included in the first path; and
  
  causing, by the control plane entity, the operating parameter to be modified, only after verifying the digitally signed location certificate and confirming that the two copies of the digitally signed location certificates received via the first and second paths match and are consistent with the original instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the out-of-band communication network is physically and logically separate/distinct from the in-band communication network.
  - 3. The method of claim 1, wherein the operating parameter is a value specifying one of a physical, chemical, electrical, electronic, acoustic, and magnetic state of a device and photonic/optical and acoustic and thermodynamic/energy/entropy state, location, electric charge, energy, momentum, intensity, polarization, position, angle, temperature, rate, linear or angular velocity, acceleration or pressure of a device.
  - 4. The method of claim 1, wherein the location certificate request includes at least some data associated with either the instruction, the parameter, or both in plain or encrypted form.
  - 5. The method of claim 1, wherein the input to the HAD device can be given only by operating a switch or a button or selecting from an on-screen menu or entering an instruction into the HAD device via physical switches and keys or keyboards or touch-pads and touch-pens in the HAD device.
  - 6. The method of claim 1, wherein, the same physical interaction with the HAD device that gives it the input, together with the case when the input to accept is entered, activates or triggers an entity to generate a non nonce/token value by executing a cryptographically secure method or algorithm using secret initial or seed values that the HAD device shares only with the at least one electric power meter.
  - 7. The method of claim 6 where the entity that generates the nonce/token value is implemented in hardware and is incorporated within the HAD device.
  - 8. The method of claim 6 where the entity that generates the nonce/token value is implemented in hardware but outside the HAD device.
  - 9. The method of claim 6 where the entity that generates nonce/token value is implemented in software.
  - 10. The method of claim 1, wherein the secret or seed values that generate a unique sequence of tokens or values using cryptographic algorithms are set or stored in the electric power meter as well as the HAD device at install time or during maintenance or upgrade.
  - 11. The method of claim 10, wherein optionally the only way to change the secret seed values is by physical interaction with the meter or the HAD device via dedicated physical interfaces to the meter or the HAD device.
  - 12. The method of claim 1, further comprising the step of, if the user accepts the request, saving, at the HAD device, at least some data associated with either the instructions, the parameters, or both, for a time period for later display on the HAD device.
  - 13. The method of claim 1, wherein, the HAD device optionally stores or outputs to a printer or a storage device, the details of each location certificate request for billing or forensic analysis purposes.
  - 14. The method of claim 1, wherein, the at least one electric power meter stores or outputs to a printer or a storage device, details of each location certificate request, for billing purposes or for a potential forensic analysis.
  - 15. The method of claim 12, wherein, optionally, the HAD device verifies portions of the location certificate to verify that the instruction and parameter values in the certificate match those in the copy it temporarily stores.
  - 16. The method of claim 1, where the HAD device after verification of the integrity of the location certificate optionally performs the following steps:
    - (i) presents the results on its display; and
      
      (ii) requests the user to indicate accept or deny decision to relay the certificate to the control-plane entity that issued the challenge.
  - 17. The method in claim 1, where the electric power meter issues a location certificate.
  - 18. The method of claim 17, wherein the power meter generates only one copy of the location certificate which is sent to the control plane entity simply by reversing the forward path.
  - 19. The method in claim 1, wherein, if a “
    - human in the loop”
      
      test is not required in some application scenario, then skipping all interactions with the HAD device, so that the location certificate request is relayed from the source of the original request directly to the at least one electric power meter co-located in the same structure where the source of the original instruction is located; and
      
      the location certificate is directly relayed by the power meter to the source since there is no HAD device in the particular application scenario.
  - 20. The method of claim 1, wherein all the messages are encrypted on each hop.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dhananjay S. Phatak
Original Assignee
Dhananjay S. Phatak
Inventors
Phatak, Dhananjay S.
Primary Examiner(s)
SHAW, PETER C

Application Number

US14/134,471
Publication Number

US 20140108789A1
Time in Patent Office

369 Days
Field of Search

713/156
US Class Current

713/156
CPC Class Codes

G01D 4/002   Remote reading of utility m...

G06F 21/30   Authentication, i.e. establ...

G06F 21/34   involving the use of extern...

G06F 21/40   by quorum, i.e. whereby two...

G06F 2221/2111   Location-sensitive, e.g. ge...

G08B 25/00   Alarm systems in which the ...

G08B 25/06   using power transmission lines

G08B 29/16   Security signalling or alar...

H04B 2203/5445   Local network

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 63/107   wherein the security polici...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/3273   for mutual authentication n...

Y02B 90/20 : Smart grids as enabling tec...

Y04S 20/30 : Smart metering, e.g. specia...

Y04S 40/20 : Information technology spec...

View All

Smarter leveraging of the power grid to substantially improve security of distributed systems via a control plane data communication network over the smart power grid

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Smarter leveraging of the power grid to substantially improve security of distributed systems via a control plane data communication network over the smart power grid

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links