Security Framework for Wireless Communications In

IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011 809

Security Framework for Wireless Communications inSmart Distribution GridXudong Wang, Senior Member, IEEE, and Ping Yi

Abstract—Communication networks play a critical role in smartgrid, as the intelligence of smart grid is built based on informationexchange across the power grid. In power transmission segmentsof smart grid, wired communications are usually adopted to en-sure robustness of the backbone power network. In contrast, fora power distribution grid, wireless communications provide manybenefits such as low cost high speed links, easy setup of connectionsamong different devices/appliances, and so on. Connecting powerequipment, devices, and appliances through wireless networks isindispensable for a smart distribution grid (SDG). However, wire-less communications are usually more vulnerable to security at-tacks than wired ones. Developing appropriate wireless communi-cation architecture and its security measures is extremely impor-tant for an SDG. Thus, these two problems are investigated in thispaper. Firstly, a wireless communication architecture is proposedfor an SDG based on wireless mesh networks (WMNs). The se-curity framework under this communication architecture is thenanalyzed. More specifically, potential security attacks and possiblecounter-attack measures are studied. Within the security frame-work, a new intrusion detection and response scheme, called smarttracking firewall, is developed to meet the special requirements ofSDG wireless communications. Performance results show that thesmart tracking firewall can quickly detect and respond to securityattacks and is thus suitable for real-time operation of an SDG.

Index Terms— Security, smart distirbution grid, smart grid,wireless mesh networks.

I. INTRODUCTION

A S COMPARED TO traditional power grid, smart grid isdistinguished by several features. Smart grid is robust

to load fluctuations, and the supply-demand balance can beproperly maintained via intelligent real-time dispatching mech-anisms, large-capacity high-performance battery, distributedenergy, and close customer-grid interactions. Smart grid isalso resilient to equipment failure, which prevents a singlefailure from developing into power outage or blackout. Smart

Manuscript received October 15, 2010; revised April 21, 2011; acceptedJune 05, 2011. Date of publication October 25, 2011; date of current versionNovember 23, 2011. This work was supported by Program for New CenturyExcellent Talents in University under Grant NCET-10-0552), by PujiangTalent Program under Grant 10PJ1406100, and by Shanghai Municipal NaturalScience Foundation under Grant 09ZR1414900). Paper no. TSG-00182-2010.X. Wang is with the University of Michigan-Shanghai Jiao Tong University

Joint Institute, Shanghai Jiao Tong University, Shanghai, China (e-mail: [email protected]).P. Yi is with the School of Information Security, Shanghai Jiao Tong Univer-

sity.Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TSG.2011.2167354

grid makes a power system more sustainable and more envi-ronmentally friendly by integrating renewable energy sources(e.g., solar power and wind power) into the same grid. In smartgrid, energy can be utilized efficiently through well-maintainedbalance between supply and demand. Smart grid can bringvarious benefits to customers. For example, customers canreduce the amount of power bill by matching the operationtime of different electric appliances to the period with the bestprice; they can even get profit by selling power to the grid.Moreover, smart grid significantly improves power availabilityand quality.Many core technologies need to be developed to enable

the above features of smart grid. Among them, one criticaltechnology is real-time monitoring and control of a large scalepower network, which demands a sophisticated communica-tion network across the grid to fulfill two tasks: 1) exchangeinformation acquired by distributed sensing; 2) disseminatemanagement and control messages to electric equipment andappliances. Thus, developing novel communication technolo-gies that meet the special requirements of a power networkplays a critical role in smart grid [1], [2].In different segments of a power grid, different communi-

cation technologies are applied to meet their unique specificrequirements. In a power transmission network that involvesbulk power generation and power transmission, wired commu-nications over power lines or optical cables are adopted to en-sure robustness of the power backbone. However, in power dis-tribution networks that provide power directly to customers,both wired and wireless communications should be considered.For example, from substations to pole-mounted transformers,power-line communications can be employed for monitoringand control of various equipments. In a substation, optical com-munications can be applied tomonitor or control certainmissioncritical devices. However, in power distribution networks, wire-less communications are preferred by many application sce-narios, such as: 1) when many parameters in a substation need tobe monitored, optical or power-line communications can resultin a costly and complicated system architecture; 2) power-linecommunications cannot easily bypass transformers in a powerdistribution network; 3) wired communications cannot providepeer-to-peer communications among electric devices in a flex-ible manner.In order to achieve cost-effective and flexible monitoring and

control of end devices, efficient dispatching of power to cus-tomers, and dynamic integration of distributed energy resourceswith power grid, wireless communication and networking func-tionalities must be embedded into various electric equipmentssuch as circuit breakers, power inverters, power meters, and soon. Capability of wireless networking among various electric

1949-3053/$26.00 © 2011 IEEE

810 IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011

equipments is one of the key technologies that drive the evolu-tion of a conventional power distribution network into a smartdistribution grid (SDG).Different types of wireless networks are available, but which

one is the best fit for an SDG depends on the system archi-tecture of the SDG and varieties of communication modulesand wireless connections. In an SDG, multihop wireless net-working is definitely necessary, as electric equipments out ofcommunication range of each other need to exchange informa-tion. To simplify network organization and maintenance, the en-tire network needs to be self-organized. Moreover, communica-tion modules in an SDG may pertain heterogeneous propertiesin terms of communication range, computing power, and powerefficiency. For example, some communication modules are forwireless sensing or for control running at a low duty-cycle, butother communication modules may need to constantly forwarddata traffic. In an SDG, communicationmodules associated withelectric devices are usually stationary, but mobile connectionsneed to be supported at the customer side or on some handhelddevices. The aforementioned requirements of SDG communica-tions lie in the advantages of wireless mesh network (WMNs)[4], so WMNs are well suited for wireless networking in anSDG. In fact, some companies have started to consider meshlinks for wireless communications in a power distribution net-work. For example, a company called Tropos Networks hasstarted to use WMNs to connect smart grid. In NIST’s recentdocument on cyber security of smart grid [5], WMNs are alsoconsidered important networking links for smart grid.In recent years, many innovations have beenmade to improve

performance of WMNs. However, when WMNs are applied tobuild wireless communication infrastructure for an SDG, a fewchallenging issues still remain. Among them, the most criticalconcern is what security level can be achieved by WMNs for anSDG. Without effective measures to prevent security attacks,the privacy of customers and confidentiality of grid informa-tion cannot be guaranteed. In the worst case, power outage canbe triggered by security attacks. Thus, this paper studies the se-curity framework for WMN-based wireless communications inan SDG. In particular, security vulnerabilities are investigatedunder the scenario of SDG wireless communications. Corre-sponding to each category of security issues, existing solutionsare discussed and potential improvements are also proposed forthe specific applications of SDG. In particular, detailed researchresults are presented for an effective security measure for SDGwireless communications. This security solution is developedbased on a novel mechanism of smart tracking firewall, whichcan dynamically track a security attacker and respond to attacksin a timely manner.The rest of the paper is organized as follows. In Section II,

wireless communication architecture based on WMNs is pro-posed. Under this architecture, security framework for WMN-based SDG communications is investigated in Section III. Anew security protocol called smart tracking firewall is devel-oped in Section IV. The paper is concluded in Section V.

II. WIRELESS COMMUNICATION ARCHITECTURE FOR SDG

A smart distribution grid (SDG) holds several distinct charac-teristics, e.g., 1) it is integrated with distributed energy sources

such as solar cells, wind turbines, or electric vehicles (EVs); 2)power flows do not necessarily follow a single direction froma generator to an end device; instead, the distributed energysource can send power directly to customers or even to powergrid, which results in multidirectional power flows; 3) elec-tric devices and power meters become much more intelligentto enable dynamic power dispatching; 4) dynamic pricing be-comes a feasible measure of controlling power load, stability,and quality.To fully support the intelligent capabilities of an SDG, a re-

liable and cost-effective communication network is necessaryto connect electric modules such as inverters, smart meters, andintelligent electric appliances. Wired communication technolo-gies are available, but they are not suitable for SDG communi-cations. For example, optical communications are reliable, butdeploying optical fibers to connect all end devices are too ex-pensive to be feasible. Power line communications (PLCs) [3]are constrained by several shortcomings: 1) it is not flexible tosupport peer-to-peer communications among electric devices;2) throughput may not be sufficient for frequent data exchangein an SDG; 3) high speed communications signals cannot passthrough transformers. Consequently, wireless technologies be-comes an indispensable option for SDG communications.There exist several choices of wireless communications for

connecting monitoring, control, and consumer electric devices.However, most of them (e.g., wireless local area networks(WLANs) or wireless sensor networks (WSNs)) are not di-rectly applicable to an SDG due to several issues. The first oneis the flexibility in topology formation. In an SDG, variouseletric devices need to have peer to peer communications, somesh networking capability is a viable option. However, aWLAN can only support one-hop point-to-multipoint (PMP)communications. Usually a WSN like a Zigbee network isalso a PMP network unless mesh networking capability isadded into Zigbee nodes. The second issue is that rate-distanceperformance is not scalable for SDG wireless communications.For example, a WLAN can support a communication rate oftens of Mbps, but it can only reliably reach a distance of tensof meters. Moreover, to achieve reasonable throughput delaytrade-off, the number of nodes that can be supported within thesame WLAN needs to be small. Thus, one WLAN is obviouslynot enough for an SDG. In theory, multiple WLANs can beadopted to support a large scale SDG. However, communi-cations and coordination among different WLANs becomedifficult to manage. The better solution is to build WMNs basedon WLAN technologies. The third issue is that SDG wirelesscommunications need to support different types of wirelessapplications. For example, some eletric nodes only need to sendcontrol or measurement information in a low frequency, so thecommunication capability like WSN is sufficient. However, forsome other nodes like the gateway node in a home or for anentire community definitely demand a much higher communi-cation rate and a larger communication distance. In this case,communication technologies based on WiFi with high-gainantenna may be necessary. As a result, SDG wireless networksmust be capable of integrating heterogeneous wireless net-works. Furthermore, in an SDG there exist PLCs that shall beutilized as much as possible, particularly to enhance reliability

WANG AND YI: SECURITY FRAMEWORK FOR WIRELESS COMMUNICATIONS IN SMART DISTRIBUTION GRID 811

Fig. 1. Wireless communication architecture based on WMNs in smart distribution grid.

and security. As pointed out in [4], wired communications canbe easily integrated into WMNs.Although a cellular network like 3G can provide satisfying

rate-distance performance, its network capacity may not beenough to allow SDG wireless communications as an additionalservice, because emerging cell phone services are currentlyoverloading 3G networks. Moreover, coupling power supplyservices with telecom services downgrades reliability andcomplicates management of an SDG. In contrast, a wirelessmesh network (WMN) [4] does not have the afore-mentionedissues. It can be deployed and managed proprietarily by autility company. In addition, the mesh networking capability ofWMNs provides more flexible interconnection among variouselectric devices than a cellular network can do.In short, WMNs can easily integrate heterogeneous networks

to fulfill different functions such as sensing, monitoring, datacollection, control, pricing, and so on. The system architecturethat merges WMNs and power distribution networks is depictedin Fig. 1. An SDG below the level of substations consists of mul-tiple microgrids. Typically, a microgrid, managed by a microcontrol center, contains a few picogrids, several sets of powerequipment such as transformers, breakers, and capacitors, anddistributed energy sources like solar cells, EVs, or wind tur-bines. A picogrid is usually formed by electric devices in a homeor building, and it may also include some distributed energysources like EVs or solar cells. To form WMNs in an SDG, acommunication module with mesh networking capability needsto be added into each electric equipment or device. According

to Fig. 1, a hierarchical communication architecture, which istypical in WMNs, can be formed. In this architecture, differentcommunication networks are integrated in the same WMN. Atthe lower level of the hierarchy, PLC networks and local areamesh networks in a home, building, or factory are merged. Thelocal areamesh networks interconnect electric appliances, smartmeters, and grid-tied inverters through mesh links of WSNs orWiFi networks. At the upper level, all local area mesh networksare connected to each other through mesh routers to form alarger scale WMN. The mesh routers also provide connectionsto transformers, shunt capacitors, control centers, and substa-tions. To ensure satisfactory rate-distance performance, somemesh routers are more powerful in terms of transmit power andantenna gain. It should be noted a mesh node at the lower levelof the hierarchy is a mesh client of a mesh router at the upperlevel, although a group of such nodes can also form a mesh net-work themselves.

III. SECURITY FRAMEWORK FOR WMN-BASED SDG

To ensure proper operation of an SDG, a number of criticalservices must be supported by a secure communication network.Several typical scenarios are listed below.1) Collect power usage information from smart power me-ters for the purpose of billing, power dispatching, and gridoptimization. This function has already existed in somepower distribution grids, especially for billing purpose,via PLCs. However, higher communication throughput and


more flexible networking interfaces are desired due to fre-quent interactions among grid, customers, smart meters, in-verters, and renewable energy sources.

2) Monitor the status of electric equipments. For example, thegrid-tied inverters, transformers, switches, and so on needto be monitored by measuring parameters such as voltage,current, and phase. Such information needs to be sent backto a control center for maintaining grid stability and powerquality.

3) Send control messages from a control center to electric de-vices. For example, when a number of grid-tied invertersare connected to an SDG, their operations need to be co-ordinated and controlled such that the renewable energysources and the grid work collaboratively.

4) Send pricing information to customers. Pricing is the keystrategy to control power usage at the customer side. Viadynamic pricing, customers can be guided to use lesspower during peak-demand period and save power inbattery (e.g., charging EVs) during valley-demand period.

The above services of an SDG need to be protected; other-wise, the SDG will malfunction. For a WMN-based SDG, se-curity measures developed for WMNs can be adopted. How-ever, existing solutions are insufficient for an SDG, becausethere exsit several challenging requirements specific to SDG.Firstly, how the communication network and the power networkinteract with each other remains an open research problem ofcyber-physical systems. In other words, the performance met-rics that need to be delivered by WMNs for an SDG are notclear yet. As a result, it is unknown if the performance of ex-isting security measures of WMNs can meet the needs of anSDG. Secondly, a security attack to a WMN of an SDG is muchmore harmful than it does to a conventional WMN. For ex-ample, information loss caused by security attacks in a conven-tional WMN may not be so detrimental. However, for a WMNin an SDG, such information loss can lead to disastrous resultlike power outage in the entire SDG. To enhance security inWMNs for an SDG, cross-layer design is highly preferred, andall protocol layers need to work together to ensure highest secu-rity. Thirdly, the latency of existing security measures ofWMNsmay not satisfy the need of an SDG. For example, when a secu-rity attack causes malfunction in an electric device, its impactcan be propagated to other electric devices of the entire SDGquickly, as the propagation speed is basically equal to the speedof electromagnetic waves in cables. Thus, the intrusion detec-tion and response scheme must be fast enough such that a se-curity attack can be terminated before it becomes effective [2],[6]. Fourthly, the communication network of an SDG will al-ways involve PLCs, which can potentially improve the securityof WMNs. However, existing security solutions of WMNs donot take into account the role of wired networks.Considering the above challenging requirements, a new secu-

rity framework needs to be developed for a WMN-based SDG.More specifically, several key research tasks are necessary: 1)investigate new secure system architecture for a WMN-basedSDG; 2) reevaluate and enhance existing security measures ofWMNs considering the new requirements of an SDG; 3) de-velop new security measures to cover the scenarios that do notexist in a conventional WMN.

A. Reliable Security Architecture for WMN-Based SDG

To achieve a robust, reliable, and secure WMN for an SDG,a comprehensive security framework is proposed by followingseveral design rules: 1) security measures must be consideredin all protocol layers, and cross-layer design is adopted when-ever possible; 2) time critical messages must be protected by asecurity mechanism with quick response time; 3) all availablewired communication paths must be leveraged to strengthen thesecurity in WMNs. In addition, information messages must bedifferentiated through different security levels according to twocriteria: delay and loss. Messages with strict constraint in bothdelay and loss hold the highest security level. Messages thatare only sensitive to delay or loss have medium level of secu-rity, while messages without delay or loss constraint hold thelowest security level. Dedicated resources (in time, frequency,etc.) must be allocated to messages with the highest securitylevel. Wired communications may be integrated into WMNs tosupport extremely critical messages.

B. Security Vulnerabilities and Attacks in WMN-Based SDG

As explained in [5], smart grid security involves nearly allfunction blocks of a power system. As far as communicationsare concerned, the security vulnerabilities are subject to manyfactors [2], [6], [7]. This section is focused on the securityvulnerabilities and attacks in SDG communications based onWMNs.According to how security of SDG wireless communications

is compromised, the security issues can be classified into thefollowing categories:• Jamming. In this case, a malicious node intentionally gen-erates wireless signals in the same frequency band used byWMNs of an SDG. This type of security attacks can beeasily captured through signal detection.

• Eavesdropping by nodes outside WMNs. A maliciousnode can steal information from aWMNwithout being au-thorized to access the network. It can eavesdrop packetssent by mesh nodes in a WMN, and then either tries to de-crypt the packets or just analyze the traffic pattern of meshnodes. Since the malicious node can work totally in the re-ceiving mode without emitting any signals, it is extremelychallenging to capture such security attacks. A promisingapproach to this problem is to develop physical layer secu-rity techniques [9], [10]. With physical layer security en-abled in a WMN, an eavesdropper cannot figure out anyuseful information even at the bit level, no matter how-much computation power it possesses.

• Eavesdropping by malicious nodes inside WMNs. Suchnodes may be the legitimate mesh nodes that do not followthe security rules or illegitimate nodes that have bypassedthe authentication procedure of WMNs. When they getaccess to the network, they do not conduct active secu-rity attacks, but just eavesdrop packets in a passive way.There are two scenarios with this type of eavesdropping. Inthe first scenario, the malicious node overhears packets orsignals from other nodes. The physical layer security canbe applied so that the malicious node cannot decode sig-nals from other mesh nodes. In this scenario, data encryp-tion can also help protect the confidentiality of information


flowing in an SDG. In the second scenario, the maliciousnode tries to masquerade as a legitimate mesh node andthen receive packets from other mesh nodes. It is difficultto protect information security in this scenario, because thenode has been considered as a legitimate node. However, itmight be possible to analyze the malicious node’s behaviorbased on the patterns of receiving data from other nodes.

• Launching security attacks by nodes insideWMNs. Thenode launching security attacks can be either legitimate orillegitimate mesh nodes. To launch security attacks, a ma-licious node needs to be actively involved in networkingprotocols. Since a WMN is generally a multihop wirelessnetwork, the malicious node can easily participate in bothMAC and routing protocols. As a result, it can launch alarge number of different attacks, e.g., dropping packets,redirecting packets, changing contents of a packet, dis-abling routing messages or MAC layer ACKs.

C. Security Measures for WMN-Based SDG

To avoid security vulnerabilities and counter security attacks,multiple security measures need to be implemented.Firstly, WMNs need to cooperate with available wired net-

works to deliver critical messages via the most secure and re-liable path within the shortest time. Designing a hybrid securecommunication systems by integrating both WMNs and wirednetworks (e.g., power-line communications or optical networks)is highly desired by a smart distribution grid. To the best of ourknowledge, no research results have been reported. Solutions tothis problem are subject to future research.Secondly, all categories of security issues described in Sec-

tion III-B need to be addressed properly.1) Anti-jamming techniques. Both passive and active schemescan be developed. In active schemes, physical layer tech-niques that are tolerable to jamming schemes are adoptedfor wireless communications. For example, spread spec-trum (either frequency hopping or direct sequence) tech-niques can be applied to reduce the impact by intentionaljamming signals. The passive schemes are based on moni-toring electromagnetic emissions in the frequency band ofWMNs for an SDG. If abnormal jamming signals are de-tected, the next key step is to locate the jamming source.In this way, a security attacker can be captured.

2) Physical layer security to disable eavesdropping. Eaves-dropping can be conducted by a node outside WMNs or anode authorized to access WMNs. Data encryption makeseavesdropping a hard task for malicious node. However,as computation power is constantly increasing, decryptingpackets is becoming more and more feasible for securityattackers. Moreover, the security attack can be based onanalyzing traffic patterns or accessing packets (e.g., somebroadcast messages) without being encrypted. Thus, secu-rity level provided by data encryption may not be sufficientto satisfy the security requirements of an SDG, because aninformation network in power grid usually demands muchtighter security than the well known Internet. In order tototally block eavesdropping in SDG wireless communica-tions, techniques of physical layer security [9], [10] can be

applied. Applying physical layer security to SDG wirelesscommunications is a long term research effort instead of ashort-term solution, for two reasons. Firstly, to date phys-ical layer security still lacks mature techniques that canbe implemented practically in a realistic system. Secondly,how to carry out cross-layer design between MAC/routingprotocols and physical layer security algorithms for SDGwireless communications still demands enormous researchefforts. However, physical layer security is a promising ap-proach that can provide nearly perfect security in the phys-ical layer for wireless communications. This distinct fea-ture is highly favored by power grid.

3) Effective authentication schemes to block network accessby malicious nodes. As explained in Section III-B, as longas an illegitimate node passes authentication and becomesan insider of a network, security issues associated with thisnode become very difficult to resolve. Thus, authentica-tion in SDG wireless communications must be conductedin a much stricter process than that is done in other wire-less networks. Particularly, hierarchical authentication [8]needs to be enforced from an SDG macro control centerto micro control centers. The state-of-the-art key manage-ment schemes [8], [11]–[17] for WMNs can be employedto further enhance the effectiveness of authentication.

4) Secure protocols to prevent inside attackers. When a mali-cious node is authenticated, whether it is legitimate or not,it becomes an inside security attacker. Two security mea-sures can be applied to reduce security threat by such anode: 1) secure communication protocols; 2) intrusion de-tection and response schemes.• In WMNs for an SDG, the most critical communica-tion protocols are MAC and routing protocols. Thus,mechanisms to achieve secure MAC and routing pro-tocols must be adopted. To date, a number of secureMAC protocols [18], [19] and secure routing protocols[20]–[22] have been developed for WMNs or mobile adhoc networks. However, how these protocols performin an SDG needs further investigation. Moreover, cross-layer design is necessary to fulfill security of the entirecommunication architecture of SDG wireless commu-nications. To this end, several rules shall be followedto achieve secure cross-layer design: 1) secure MACand routing protocols must take into account the hierar-chical authentication and key management schemes; 2)secure MAC and routing protocols must be designed to-gether with physical layer security measures; 3) secureMAC and routing protocols need to take advantage ofthe wired communications available in an SDG to en-hance security in protocols.

• Security attacks can still occur even though secureMACor routing protocols are adopted. Thus, it is indispens-able to detect possible intruders and respond to theseintrusions in a timely manner. The performance met-rics of intrusion detection include accuracy and responsetime. The latter one is especially critical for an SDG, dueto real-time operation of power systems. Since WMNsare employed for SDG communications, intrusion de-tection is a distributed process instead of a centralized


one. In [23], [24], distributed and collaborative intru-sion detection schemes were developed for mobile adhoc networks. However, for WMN-based SDG commu-nications, mobility of mesh routers is minimal. Such afeature can be utilized to improve the accuracy of in-trusion detection and reduce the complexity of the en-tire intrusion detection system. Once intrusion detectioncaptures security attacks, the other critical task is to re-spond to such attacks in a timely and effective way. Sofar researchers pay more attention to intrusion detectionthan to intrusion response. For example, in [23] intrusionresponse is conducted by simply restarting the authen-tication process. Such simple schemes cannot quicklycapture further security attacks and result in slow intru-sion response. In Section IV, a smart tracking firewall isdeveloped to track a detected intruding node such thatits security attacks can be quickly captured and blockedwherever it moves in an SDG wireless network.

IV. SMART TRACKING FIREWALL

No matter how secure the communication protocols can bein WMNs, security attacks can still happen. Thus, intrusion de-tection and response is an important security measure to protectWMNs.When an SDG is considered, the intrusion detection andresponse process must be quick enough to ensure real-time op-eration of an SDG. In this section, a new intrusion detection andresponse scheme, called smart tracking firewall, is developed. Itadopts the concept of secure firewall, but more importantly thefirewall is adaptively mobile to track an intruder.

A. Key Mechanisms of the Smart Tracking Firewall

In a WMN-based SDG, unwanted traffic flowing into WMNscannot be filtered out by a traditional firewall, because the at-tacker in an SDG wireless network may not be always attachedto the same network interface. In addition, a node within the net-work could become an intruder, so attack traffic could originatefrom within the network itself. Consequently, the traditionalmechanism of firewall is not suitable for SDG communications.To develop a new firewall for SDG communications, it is nec-essary to consider several requirements: 1) the malicious trafficfrom outside of the mesh network needs to be filtered, as im-plemented in a traditional firewall; 2) the security attacks frominsiders need to be blocked; 3) security attacks from a mobilenode need to be quickly located and blocked; 4) overhead forimplementing the firewall shall be minimized. It is a challengingproblem to meet these requirements as SDG wireless commu-nications are characterized by multihop wireless networks. Inthis paper, a smart tracking firewall is proposed to solve thisproblem. It is based on several key mechanisms:• Each mesh node (mesh client or mesh router) contains amodule of smart tracking firewall, in which two securityagents are implemented: an intrusion detection agent andan intrusion response agent. Moreover, each mesh nodemaintains two node lists: blacklist and graylist. The back-list contains the nodes that are determined to be maliciousnodes by the intrusion detection agent. Amesh node cannotsend any message to or receive any message from a node in

the blacklist. The graylist of a mesh node contains the ma-licious nodes that are determined by neighbors of the meshnode. When a malicious node in the graylist moves into thecommunication range of the mesh node, it is immediatelyconsidered as a security attacking node and is thus movedinto the blacklist. Since the nodes in the graylist of a meshnode are not within the communication range of the meshnode, direct security attacks to the mesh node cannot belaunched.

• When a mesh client detects an security attack from an ma-licious node, it cuts off the communications with the ma-licious node by dropping packets from/to the maliciousnode. In addition, it reports the intruder (i.e., the detectedmalicious node) to its neighbors by sending a prealarmmessage. A neighbor receiving this message will recordthe intruder as a node in the graylist. In our design, meshclients associated with the samemesh router are consideredto be in the same cluster, so each mesh router is the clusterhead of several mesh clients. Two neighboring clusters canbe linked through either mesh routers or mesh clients inthe overlapping area of clusters. When a mesh router ofa cluster receives a prealarm message, it also includes theintruder into the graylist. However, if the mesh router re-ceives such a message from more than a certain number ofmesh clients (i.e., the prealarm threshold), it moves the in-truder from the graylist to the blacklist, and then broadcastits blacklist to all mesh clients in the same cluster as wellas to mesh routers in neighboring clusters. Since the meshrouter can determine whether an intruder shall be includedinto the blacklist, it is also called a decision node.

• As the intruder moves from one mesh cluster to another,it will be included into the blacklist or the graylist in anew group of mesh nodes. The mesh nodes with the in-truder in their blacklist block security attacks launched bythe intruder, so they form a defense zone to confine the in-truder. The mesh nodes with the intruder in their graylistform a prealarm zone, because they can quickly detect theintruder once it moves into their communication range andthus respond to security attacks in a timely fashion. As aresult, when an intruder moves, both the defense zone andthe prealarm zone track its moving path and actively blockits attacks. In this way, a malicious node is always underthe control of a smart tracking firewall; as a result, it hasno time to launch effective security attacks.

It should be noted that the above mechanisms are mainlyfocused on the process of intrusion response. How to effec-tively detect intrusion is not the focus of this paper, but schemesin [23], [24] can be adopted as a function block of the smarttracking firewall.The smart tracking firewall have two distinct advantages:• Security attacks to any node by an intruder can be quicklyblocked by mesh nodes, no matter where the intruderlaunches attacks. Such a fast response to security attacksis desired by smart grid.

• A prealarm message is broadcast only when a mesh nodeincludes an intruder into the backlist, so its propagationwill be quickly stopped at mesh nodes where the intruderis only added into the graylist. In other words, prealarm


Fig. 2. An example of smart tracking firewall: Steps 1 and 2. (a) Step 1: NodesB and C have detected attacks from Node W and put it in their blacklists. (b)Step 2: Node A receives enough prealarm messages from Nodes B and C andthus decides to put Node W in its blacklist.

messages are confined within the neighboring clusters. Asa result, signaling overhead of this protocol is significantlyreduced as compared to other schemes based on messageflooding.

B. An Example of the Smart Tracking Firewall

An example is presented in this section to further illustratethe detailed procedures of the smart tracking firewall.The mesh nodes of an SDG are shown in Figs. 2, 3, 4, where

two mesh routers A and F work as the cluster heads and thedecision nodes. Nodes A, B, C, D, and E form the first cluster,while Nodes F, G, H, I, J form another cluster. Node W is amalicious node.In Fig. 2(a), the malicious node W launches attacks. Both

Node B and Node C are under such attacks. Through self in-trusion detection, they detect Node W as a malicious node andrecord it in their blacklist. At the same time, they broadcast aprealarm message to inform their decision node A.In Fig. 2(b), Node E cannot overhear prealarmmessages from

either Node B or C, so it does not know anything about NodeW. However, decision node A receives two prealarm messagesfrom its mesh clients. Since the prealarm threshold in this ex-ample is set into two, it concludes that the malicious nodeW hasentered into its cluster. As a result, the decision node A recordsNode W in its blacklist and conducts a blacklist broadcast. As aresult, in Fig. 3(a), after receiving the blacklist broadcast fromNode A, Nodes D and E record the Node W into their black-list, and broadcast a prealarm message to inform their neigh-

Fig. 3. An example of smart tracking firewall: Steps 3 and 4. (a) Step 3: Node Abroadcasts its blacklist to all mesh nodes in its cluster and to other mesh routerslike Node F. All nodes in the cluster of Node A put NodeW into their blacklists.(b) Step 4: Both Node D and Node E send a prealarm message. Such a messageis received by Nodes G and I, so these two nodes put NodeW into their graylists.When Node F receives the blackist message from Node A, it only records NodeW in its graylist. A prealarm zone is formed in this step.

bors. Currently, the nodes surrounding Node W all record it intheir blacklists. Thus, the defense zone of the firewall is formedto block attacks from Node W.In Fig. 3(b), Nodes G and I receive a prealarm message from

Node D, they record Node W in their graylists. When Node Freceives the blacklist message from Node A, it records Node Win its graylist instead of blacklist, because Node F decides black-list by itself; messages from Node A only provide a warning toNode F. By now, a prealarm zone is formed as a second layer offirewall to protect mesh nodes from being attacked by Node W.In Fig. 4(a), as Node W approaches Node I, it lies in the com-

munication range of Node I. Thus, Node I moves Node W fromits graylist into the blacklist. As a result, Node I not only de-fends the network from attacks by Node W but also broadcastsa prealarm message. When Node H receives such a message, itputs Node W in its graylist. Since the number of received pre-alarm messages in Node F is only one and does not exceed thethreshold (i.e., two), the decision node F cannot proceed to putNodeW in the blacklist. Thus, Node F does not broadcast a mes-sage about its blacklist. As the malicious node W further movesinto the cluster as shown in Fig. 4(b), Node F detects a strongsignal strength that confirms Node W is really in the cluster.Thus, Node F moves Node W from the graylist to the black-list and also conducts a one-hop broadcast of the blacklist. Asa result, all mesh clients in the second cluster record Node W


Fig. 4. An example of smart tracking firewall: Steps 5 and 6. (a) Step 5: NodeW is very close to Node I, so Node I moves Node W from the graylist to theblacklist, and then sends a prealarm message. When this message is received byNode H, NodeW is put into the gray list of Node H. In this step, Node F receivesonly one prealarm message, so no action is necessary.(b) Step 6: Node F detectsNode W is close enough and decides to move Node W from the graylist to theblacklist. Node F also informs all mesh nodes of its blacklist. As a result, allnodes in the cluster of Node F put Node W into the blacklist.

in their blacklist. Thus, when Node W moves inside the clusterof Node F, it is tightly controlled by a new firewall. In Fig. 4(a)and 4(b), some nodes are not included in the defense zone, evenif they have put Node W in their blacklists. The reason is thatthese nodes are too far away from Node W. These nodes caneither keep Node W in their blacklists or eliminate Node W,whichever way will not impact the performance of the smarttracking firewall.

C. Performance Results

Simulations are conducted to evaluate the performance of theproposed mechanism of smart tracking firewall. Within an areaof 1000 m 1000 m, 34 mesh clients are randomly distributed,but 16 mesh routers are regularly placed. The distance betweentwo mesh routers is 240 m, and the closest distance from a meshrouter to the area boundary is 140 m. The network topologyis shown in Fig. 5, where mesh nodes 0–15 are mesh routers,and all other nodes are mesh clients. All mesh nodes follow theIEEE 802.11 MAC protocol, and the link capacity of each meshnode is assumed to be 4096 Kbps. Routing path between anytwo communication nodes within this mesh network is deter-mined by a dynamic source routing (DSR) protocol. After sim-ulation starts, 30 end-to-end data flows between mesh clients are

Fig. 5. The network topology of a mesh network.

initiated randomly within 10 s. To simulate security attacks, onemesh client is selected as the security attacker. It initiates attacksat 50 s after simulation starts and floods 100 packets per secondto the mesh network. The security attacker can move freely inthe simulation area at a constant speed of 10 m/s.In addition to the smart tracking firewall proposed in this

paper, two other scenarios are also simulated. The first one isNoDetection, whichmeans that no intrusion detection and responsesystem is available in the network. The second one is IndividualResponse, which includes a threshold-based intrusion detectionscheme but does not track the mobile security attacker, i.e., in-trusion response is done by each mesh node individually. Per-formance of these three scenarios are compared using differentmetrics. The results of packet delivery ratio, packet delay, andthroughput are shown in Figs. 6, 7, and 8, respectively. As il-lustrated by these results, when security attacks start at 50 s, thenetwork performance is severely impacted. If no effective se-curity measure is available, the system performance stays con-stantly low. If intrusion detection is applied but the attacker isnot tracked (as shown in the scenario of Individual Response),the network performance can be improved after attacks are de-tected. However, the network cannot be recovered and workproperly, because the new attacks launched by the mobile in-truder cannot be quickly blocked. With smart tracking firewall,this issue is effectively resolved. As shown in the results ofall the performance metrics, the network can quickly roll backto the normal state, because the mobile intruder is constantlytracked by mesh nodes and its new security attacks can be cap-tured in a timely manner.For SDG wireless communications, the response time to se-

curity attacks is a critical parameter. If security attacks can bedetected within the shortest time interval, then the power gridwill get minimal impact. Otherwise, security attacks may lead tosystem failure or even power outage. To illustrate the quick re-sponse time of the smart tracking firewall, the delay of detectingsecurity attacks in each mesh router is shown in Table I. The re-sults show that all mesh routers except one do not need to spend


Fig. 6. Packet delivery ratio of different security measures.

Fig. 7. Packet delay of different security measures.

Fig. 8. Throughput of different security measures.

time on detecting security attacks. Once Mesh Router 0 detectsthe intruder, all other mesh routers can launch counter-attacksonce the intruder moves into the defense zone. In contrast, theIndividual Response scheme is slow in responding to securityattacks, because each mesh router has to take a few seconds todetect new attacks by the same intruder.

TABLE ICOMPARISONS OF DETECTION DELAYS

V. CONCLUSION

In this paper a WMN-based wireless communication archi-tecture was proposed for an SDG. The security frameworkfor this architecture was studied comprehensively. In orderto demonstrate the effectiveness of the security framework, asmart tracking firewall was developed to address the intrusiondetection and response issue in a WMN-based SDG system.Simulation results showed that the smart tracking firewallcould detect and respond to security attacks in a timely manner,which suits the real-time operation of smart grid.To further improve security of WMN-based SDG wireless

communications, several challenging issues still remain. Inthe short term, effective hierarchical authentication and keymanagement schemes need to be designed for the micro-grid/picogrid hierarchical system architecture of an SDG. Inaddition, secure MAC and routing protocols shall be developedthrough cross-layer design with the physical layer techniques.Moreover, how to integrate wired communications, especiallypower line communications, with WMNs is important to im-prove security of an SDG. In the long term, it is necessaryto develop practical physical layer security schemes for SDGwireless communications.

ACKNOWLEDGMENT

The authors would like to thank the Program for NewCenturyExcellent Talents in University, the Pujiang Talent Program, andthe Shanghai Municipal Natural Science Foundation for theirgenerous support.

REFERENCES

[1] C. W. Gellings, The Smart Grid: Enabling Energy Efficiency and De-mand Response. Boca Raton, FL: CRC, Aug. 2009.

[2] G. N. Ericsson, “Cyber security and power system communica-tion—Essential parts of a smart grid infrastructure,” IEEE Trans.Power Del., vol. 25, no. 3, pp. 1501–1507, Jul. 2010.

[3] IEEE Standard for Broadband over Power Line Networks: MediumAccess Control and Physical Layer Specifications, , IEEE P1901, Dec.2010.

[4] I. F. Akyildiz and X. Wang, “Wireless mesh networks: A survey,”Comput. Netw., vol. 47, no. 4, pp. 445–487, Mar. 2005.


[5] NIST Smart Grid Cyber Security Working Group, “Guidelines forsmart grid cyber security: Vol. 3, Supportive analyses and references,”NISTIR 7628, Aug. 2010.

[6] P. McDaniel and S. McLaughlin, “Security and privacy challengesin the smart grid,” IEEE Security Privacy, vol. 7, no. 3, pp. 75–77,May–Jun. 2009.

[7] A. R. Metke and E. L. Ekl, “Security technology for smart grid net-work,” IEEE Trans. Smart Grid, vol. 1, no. 1, pp. 99–107, Jun. 2010.

[8] IEEE 802.11 WLAN Standards: Mesh Networking, , IEEE 802.11 Stan-dard Group, 2010, Draft standard of IEEE 802.11s.

[9] S. Goel and R. Negi, “Guaranteeing secrecy using artificial noise,”IEEE Trans Wirel. Commun., vol. 7, no. 6, pp. 2180–2189, 2009.

[10] E. Tekin and A. Yener, “The general gaussian multiple-access andtwo-way wiretap channels: Achievable rates and cooperative jam-ming,” IEEE Trans Inf. Theory, vol. 54, no. 6, pp. 2735–2751, June2006.

[11] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Netw. (Spe-cial Issue on Network Security), vol. 13, no. 6, pp. 24–30, Nov./Dec.1999.

[12] R. Ostrovsky andM. Yung, “How to withstandmobile virus attacks,” inProc. 10th ACM Symp. Principles Distrib. Comput., 1991, pp. 51–59.

[13] S. Yi and R. Kravets, “MOCA:Mobile certificate authority for wirelessad hoc networks,” in Proc. 2nd Annu. PKI Res. Workshop Program(PKI), Apr. 2003.

[14] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robustand ubiquitous security support for mobile ad-hoc networks,” in Proc.IEEE 9th Int. Conf. Netw. Protocols (ICNP’01), pp. 251–260.

[15] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “Self-securing adhoc wireless networks,” in Proc. 7th IEEE Symp. Comput. Commun.(ISCC’02), pp. 567–574.

[16] J.-P. Hubaux, L. Buttyan, and S. Capkun, “The quest for security inmobile ad hoc networks,” in Proc. 2001 ACM Int. Symp. Mobile AdHoc Netw. Comput., pp. 146–155.

[17] S. Capkun, L. Nuttyan, and J.-P. Hubaux, “Self-organized public-keymanagement for mobile ad hoc networks,” IEEE Trans. MobileComput., vol. 2, no. 1, pp. 52–64, Jan.–Mar. 2003.

[18] N. B. Salem and J.-P. Hubaux, “Securing wireless mesh networks,”IEEE Wirel. Commun., vol. 13, no. 2, pp. 50–55, 2006.

[19] Y. Zhang and Y. Fang, “ARSA: An attack-resilient security archi-tecture for multihop wireless mesh networks,” IEEE J. Sel. AreasCommun., vol. 24, no. 10, pp. 1916–1928, 2006.

[20] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure on-demandrouting protocol for ad hoc networks,” in Proc. MobiCom, Sep. 2002,pp. 23–28.

[21] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, “A secure routing protocol for ad hoc networks,” in Proc. IEEEInt. Conf. Netw. Protocols (ICNP), Nov. 2002.

[22] M. G. Zapata, “Secure ad hoc on-demand distance vector routing,”ACM Mobile Comput. Commun. Rev. (MC2R), vol. 6, no. 3, pp.106–107, Jul. 2002.

[23] Y. Zhang andW. Lee, “Intrusion detection techniques for mobile wire-less networks,” Mobile Netw. Appl., vol. 9, no. 5, pp. 545–556, 2003.

[24] O. Kachirski and R. Guha, “Intrusion detection using mobile agentsin wireless ad hoc networks,” in Proc. IEEE Workshop Knowl. MediaNetw. (KMN02), 2002, pp. 153–158.

Xudong Wang (S’00–M’03–SM’08) received theB.E. degree in electric engineering and his firstPh.D. degree in automatic control from ShanghaiJiao Tong University, Shanghai, China, in 1992 and1997, respectively. He received his second Ph.D.degree in Electrical and Computer Engineering fromGeorgia Institute of Technology, Atlanta, in 2003.Since 2003, he has been working as a Senior

Research Engineer, Senior Network Architect, andR&D Manager in several companies. He is currentlywith UM-SJTU Joint Institute, Shanghai Jiao Tong

University, Shanghai, China. He is also an Affiliate Faculty Member with theElectrical Engineering Department at the University of Washington, Seattle.He has been actively involved in R&D, technology transfer, and commercial-ization of various wireless networking technologies. His research interestsinclude low-power radio architecture and protocol suite, deep-space networkarchitecture and protocols, cognitive/software radios, LTE-A, wireless meshnetworks, cross-layer design, wireless sensor networks, and ultra-widebandnetworks. He holds several patents on wireless networking technologies andmost of his inventions have been successfully transferred to products.Dr. Wang is an editor for Elsevier’s Ad Hoc Networks and ACM/Kluwer’s

Wireless Networks. He was also a guest editor for several journals. He wasthe demo cochair of the ACM International Symposium on Mobile Ad HocNetworking and Computing (ACM MOBIHOC 2006), a technical programcochair of Wireless Internet Conference (WICON) 2007, and a general cochairof WICON 2008. He has been a technical committee member of many interna-tional conferences and a technical reviewer for numerous international journalsand conferences. He was was a voting member of the IEEE 802.11 and 802.15Standard Committees.

Ping Yi received the Ph.D degree from the depart-ment of Computing and Information Technology,Fudan University, China.He is an Associate Professor in the School of In-

formation Security Engineering, Shanghai Jiao TongUniversity, Shanghai, China. His research interestsinclude mobile computing and ad hoc network secu-rity.Dr. Yi is a member of IEEE Communications and

Information Security Technical Committee, Asso-ciate Editor for Wiley’s Security and Communication

Networks (SCN) Journal, Editor for Journal of Security and Telecommunica-tions, and a Technical Program Committee (TPC) for the ICC’11 CISS andGlobecom’10 CCNS.

Documents

Security Framework for Wireless Communications In