Smarter leveraging of the power grid to substantially improve security of distributed systems via a control plane data communication network over the smart power grid
First Claim
1. A method for authenticating instructions sent to a control plane of a real-time monitoring or control system, comprising the steps of:
receiving via a regular or usual in-band communication network, an instruction at a control plane entity to modify an operating parameter of a facility or a system;
issuing by the control plane entity, a challenge to the source that sent the instruction to modify the operating parameter, to prove that the source is at a pre-designated safe location authorized to issue instructions to modify the operating parameter; in response to the challenge, furnishing by the source, a location certificate from a Power Grid Location Server (PGLS);
relaying the instruction and the operating parameter before and after the requested modification, to one of a plurality of Human-Authorization-Detector (HAD) devices, wherein the HAD device is located at the pre-designated safe location;
displaying on the HAD device at least some data associated with either the instruction, the operating parameter, or both, and requesting an input to accept or deny a location certificate request, wherein the input can be given only by physically interacting with the HAD device;
receiving the input at the HAD device, and in the case of an input to accept, generating by the HAD device, at least one cryptographically secure unique token to be bound to the location certificate request and relaying the location certificate request and the operating parameter along with timestamps and the secure unique token to one of a plurality of electric power meters located at the same structure as the HAD device;
cryptographically verifying, by the electric power meter, the secure unique token using a secret seed and key values it shares with the HAD device, and appending a plurality of timestamps, identifiers, credentials and cryptographic authentication tokens, all of which are owned by the electric power meter;
transmitting, by the electric power meter, the location certificate request to the PGLS over an out-of-band communication channel that spans at least some portion of an electric power grid connected to the electric power meter on an upstream side;
verifying, by the PGLS, an out-of-band path including the location of the electric power meter, then constructing a digitally signed location certificate for the location certificate request, which includes the instruction and the operating parameter it seeks to modify, in plain or encrypted format;
sending at least two copies of the digitally signed location certificate, each copy being sent via two distinct paths, wherein the first path traverses a forward path through the HAD device, the electric power meter, and at least some portion of the upstream side and wherein the second path traverses a reverse direction path back through the at least some portion of the electric power grid, to the electric power meter, to the HAD device, to the source of the request, which then sends the digitally signed location certificate to the control plane entity that issued the challenge and wherein the second path does not include the at least some portion of the upstream side, the electric power meter and the HAD device that are included in the first path; and
causing, by the control plane entity, the operating parameter to be modified, only after verifying the digitally signed location certificate and confirming that the two copies of the digitally signed location certificates received via the first and second paths match and are consistent with the original instruction.
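The claim above describes a chain of checks: the HAD binds a token to the accepted request, the meter verifies that token with a key it shares with the HAD, the PGLS checks the meter's grid path and signs a certificate naming the instruction, and the control plane acts only when the two copies it receives agree and match the original instruction. The following Python is an added example of that exchange and is not code from the patent or its assignee; the keys, meter identifier, premises location and instruction are constructed, and an HMAC stands in for the PGLS digital signature so the block runs without a key-management stack.

```python
import hashlib, hmac, json

def canon(obj) -> bytes:
    """Canonical JSON so every party hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def had_accept(had_meter_key: bytes, instruction: dict, before: str, after: str, ts: int) -> dict:
    """HAD step: after the physical accept input, bind a unique token to the request."""
    req = {"instruction": instruction, "before": before, "after": after, "ts": ts}
    token = hmac.new(had_meter_key, canon(req), hashlib.sha256).hexdigest()
    return {"req": req, "had_token": token}

def meter_forward(had_meter_key: bytes, meter_id: str, msg: dict) -> dict:
    """Meter step: verify the HAD token with the shared key, then append the meter's own identity."""
    expected = hmac.new(had_meter_key, canon(msg["req"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["had_token"]):
        raise ValueError("HAD token does not verify; request dropped at meter")
    return {**msg, "meter_id": meter_id, "meter_ts": msg["req"]["ts"] + 1}

def pgls_issue(pgls_key: bytes, known_meters: dict, msg: dict) -> dict:
    """PGLS step: confirm the meter sits on a verified grid path, then sign a location certificate."""
    location = known_meters.get(msg["meter_id"])
    if location is None:
        raise ValueError("meter not on any verified out-of-band path")
    body = {"location": location, "instruction": msg["req"]["instruction"],
            "before": msg["req"]["before"], "after": msg["req"]["after"], "ts": msg["req"]["ts"]}
    # HMAC stands in for the PGLS signature in this constructed example.
    return {"body": body, "sig": hmac.new(pgls_key, canon(body), hashlib.sha256).hexdigest()}

def control_plane_accepts(pgls_key: bytes, instruction: dict, cert_forward: dict, cert_reverse: dict) -> bool:
    """Modify only if both copies match, the signature verifies, and the body names the original instruction."""
    if canon(cert_forward) != canon(cert_reverse):
        return False
    sig = hmac.new(pgls_key, canon(cert_forward["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, cert_forward["sig"]):
        return False
    return cert_forward["body"]["instruction"] == instruction

def demo() -> tuple:
    had_meter_key, pgls_key = b"had-meter-shared-seed", b"pgls-signing-key"  # constructed keys
    known_meters = {"meter-0042": "substation-7/feeder-3/premises-18"}  # constructed grid path
    instruction = {"target": "breaker-12", "op": "set_trip_threshold"}
    msg = had_accept(had_meter_key, instruction, "400A", "450A", ts=1_700_000_000)
    cert = pgls_issue(pgls_key, known_meters, meter_forward(had_meter_key, "meter-0042", msg))
    honest = control_plane_accepts(pgls_key, instruction, cert, cert)
    # A copy altered on the in-band return path no longer matches the grid-side copy and is refused.
    altered = json.loads(json.dumps(cert)); altered["body"]["after"] = "900A"
    return honest, control_plane_accepts(pgls_key, instruction, cert, altered)
```

The comparison of the two copies is what makes the in-band path untrusted: an attacker who controls only that path cannot produce a certificate that also arrives intact over the grid-side path.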
Abstract
A secure communications and location authorization system using a power line or a portion thereof as a side-channel that mitigates man-in-the-middle attacks on communications networks and devices connected to those networks. The system includes a power grid server associated with a substation, or curb-side distribution structure such as a transformer, an electric meter associated with a structure having electric service and able to communicate with the power grid server, a human authorization detector input device connected to the electric meter and the power grid server. The human authorization detector is able to receive an input from a user physically located at the structure and capable of communicating with the power grid server via the electric meter. The user's physical input into the device causes a request to be sent to the power grid server, which then generates a location certificate for the user. Without the location certificate, access to the communications network and devices connected to those networks can be denied.
20 Claims
Specification