Securing embedded system nodes on any networking platform requires a standard interface for communication, which in turn requires that all nodes speak the same "language" and supply data in the same format.
The emerging smart grid standards could provide those standard data and communication formats. But such a standard raises a larger question: who or what keeps anyone listening on the network from understanding the data and using it for their own purposes?
On a smart grid network today, each node or network of nodes may talk to its neighbors over a different medium, and the systems may differ in processing power, storage, operating system (or lack of one), and application software. Some of these systems use strong encryption algorithms and verification schemes to ensure that communications are unaltered. Each node may be so different from the next that the largest security factor is simply the obscurity of the systems themselves.
Standardizing communications across the entire smart grid makes the whole network act, or appear to act, as one giant system made of many pieces (nodes). The entire system now shares the same root security issues and concerns.
The largest vulnerability is that breaking into one node and extracting its keys would hand an attacker the keys to communicate with any and all of the other nodes. The obscurity of the individual nodes is gone once an attacker can interpret all of the communications and impersonate a node (or a group of nodes).
Managing keys inside each node therefore becomes the basis for securing the entire networked system. Keys should never be stored in unsecured memory on any node. Keys should be rotated often, so that a key more than a few seconds old is no longer accepted for communication between the system's nodes.
Nodes should be authenticated before they participate on the network. Each change of a limited-use key should re-authenticate the lower-level network node. All authentication and key exchange data should be validated by the nodes on both ends. There also needs to be a way to authenticate session encryption and PKI operations by controlling the seeds that feed them.
Overall, the networked system needs to provide key management capability which is incorporated into all nodes at every level. This key management needs to be repeatable on each node without saving key values to memory.
The overall network system should have a key management strategy built on tiered secrets: internal (root) secrets that never leave a hardware layer, internal derived secrets that likewise never leave the hardware, and working secrets that are produced for use as keys and seeds for the node's cryptographic operations.
The nodes need the ability to hold multiple derived secrets and to re-create those derived secrets from the root secret at setup and whenever required. Each node would contain a self-setup or initialization process that presents its credentials to higher nodes in a securely seeded session. As part of this self-initialization the node is authenticated and locked to its place on the network by secrets provided from the higher nodes.
To accomplish such a key management strategy, a cryptographic security IC should be incorporated into each node on the network (Figure 1, below). The key management IC stores multiple internal root and derived secrets that cannot be extracted by any of the system's software components. Such cryptographic devices use these internal secrets only as seed values to produce digests, and those digests serve as the keys for the node (and the network).
Figure 1. Key management ICs should be able to store multiple internal root and derived secrets that are un-extractable by any of the system's software components.
This fulfills the requirement that no keys are saved in memory on any node. The keys are instead reproduced each time they are needed for encryption, authentication, seeding sessions, and so on. Keys can be produced and reproduced by all nodes containing the same cryptographic IC if, and only if, those nodes have been authenticated to the proper segment of the network.
The cryptographic IC on a new smart grid device (such as a meter or a household appliance) would contain root secrets that identify the manufacturer of the device, model information, regional information, licensing or access requirements, and so on.
On initial communication, the device authenticates with its factory-programmed secret by using it to seed a session with the higher network. The network above the new device passes the device's credentials up to a trusted node or credential server. The new device (Figure 2, below) then receives a generated seed based on its own factory-programmed secrets and on the network it is located on, and from that seed creates a derived internal secret, which it saves in reserved key slots.
From then on, the new node uses this derived secret to produce all of its network communication keys. The credential server can verify that each node is enrolled only once, based on the unique serial number of its cryptographic IC.
Figure 2. A cryptographic IC for smart grid use should be able to take a generated seed based on its own factory-programmed secrets and the network it is located on, and create a derived internal secret to save in reserved key slots.
After the initial setup of a node, the local network manages all of its communications: re-authenticating nodes after extended periods of inactivity, producing keys for encrypted traffic (AES keys, etc.), performing key exchanges for new encryption keys on a preset interval, and locking packets of personal identification information for transport to trusted upstream nodes.
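The tiered-secret scheme (root secret, derived secret, working keys), the enrollment exchange with the credential server, and the rotating session keys described above, as an added example in Python that is not code from the original article or from any particular vendor's IC. A simulated key-management IC keeps its secrets in slots that no method returns; HMAC-SHA256 stands in for the IC's (unnamed) digest function; the per-serial diversification of a manufacturer master secret, the slot layout, the message fields, and the network identifier "grid-seg-7" are all assumptions of this example.

```python
import hashlib
import hmac
import json
import os


def kdf(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts. Assumed construction standing in
    for the IC's digest function; parts are length-prefixed so that ("ab","c")
    and ("a","bc") cannot collide."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class CryptoIC:
    """Simulated key-management IC. Slot 0 holds the factory-programmed root
    secret; other slots hold derived secrets. No method returns slot contents;
    software only ever sees digests computed from them."""

    def __init__(self, serial: bytes, root_secret: bytes, info: dict):
        self.serial = serial            # public, unique per IC
        self.info = dict(info)          # manufacturer / model / region, public
        self._slots = {0: root_secret}  # never leaves the object

    def derive_into_slot(self, slot: int, src_slot: int, seed: bytes) -> None:
        """Derived internal secret: computed from another slot plus a seed and
        stored only inside the IC (re-creatable at any time from the same inputs)."""
        self._slots[slot] = kdf(self._slots[src_slot], b"derive", seed)

    def digest(self, slot: int, *msg: bytes) -> bytes:
        """Working key or authenticator, recomputed on demand from a slot."""
        return kdf(self._slots[slot], b"work", *msg)


class CredentialServer:
    """Trusted upstream node. Its own IC holds the manufacturer master secret;
    device secrets are recomputed from serial + seed rather than stored."""

    def __init__(self, master: bytes, network_id: bytes):
        self._master = CryptoIC(b"server", master, {})
        self.network_id = network_id
        self.enrolled = {}  # serial -> network seed; a serial is placed only once

    def device_image(self, serial: bytes) -> CryptoIC:
        """Re-create the device's key state from the master: root in slot 0,
        and the network-derived secret in slot 1 if the device is enrolled."""
        img = CryptoIC(serial, self._master.digest(0, b"root", serial), {})
        if serial in self.enrolled:
            img.derive_into_slot(1, 0, self.enrolled[serial] + self.network_id)
        return img

    def enroll(self, req: dict):
        """Verify the factory credential, issue a network seed, bind it to the serial."""
        serial = req["serial"]
        if serial in self.enrolled:
            return None  # duplicate placement of the same IC is refused
        img = self.device_image(serial)
        expected = img.digest(0, b"enroll", serial, req["info"], req["nonce"])
        if not hmac.compare_digest(expected, req["auth"]):
            return None  # unknown root secret: not a genuine factory-provisioned IC
        seed = os.urandom(16)
        self.enrolled[serial] = seed
        # Server-side authenticator lets the device verify the seed came from a
        # party that knows its root secret (mutual authentication, bound to nonce).
        return {"seed": seed,
                "auth": img.digest(0, b"seed", req["nonce"], seed, self.network_id)}


def device_enroll(ic: CryptoIC, server: CredentialServer) -> bool:
    """Self-initialization: present factory credential, receive seed, derive slot 1."""
    nonce = os.urandom(16)
    info = json.dumps(ic.info, sort_keys=True).encode()
    req = {"serial": ic.serial, "info": info, "nonce": nonce,
           "auth": ic.digest(0, b"enroll", ic.serial, info, nonce)}
    reply = server.enroll(req)
    if reply is None:
        return False
    check = ic.digest(0, b"seed", nonce, reply["seed"], server.network_id)
    if not hmac.compare_digest(check, reply["auth"]):
        return False  # seed not authenticated by an upstream node we trust
    ic.derive_into_slot(1, 0, reply["seed"] + server.network_id)
    return True


def session_key(ic: CryptoIC, network_id: bytes, interval: int) -> bytes:
    """Working AES-256 key for one rotation interval, regenerated by both ends
    from the derived secret and never stored; interval n+1 yields a new key."""
    return ic.digest(1, b"session", network_id, interval.to_bytes(8, "big"))


def demo() -> dict:
    """Constructed scenario: one genuine meter, one rogue device, two key intervals."""
    master = os.urandom(32)  # manufacturer master, provisioned into factory and server ICs
    factory = CryptoIC(b"factory", master, {})
    meter = CryptoIC(b"SN-0001", factory.digest(0, b"root", b"SN-0001"),
                     {"mfr": "ExampleCo", "model": "M1", "region": "US-CO"})
    rogue = CryptoIC(b"SN-0002", os.urandom(32),  # cloned serial format, wrong root
                     {"mfr": "ExampleCo", "model": "M1", "region": "US-CO"})
    server = CredentialServer(master, b"grid-seg-7")
    result = {
        "enrolled": device_enroll(meter, server),
        "duplicate": device_enroll(meter, server),  # same serial again: refused
        "rogue": device_enroll(rogue, server),      # no valid root secret: refused
    }
    result["dev_k1"] = session_key(meter, server.network_id, 1)
    result["srv_k1"] = session_key(server.device_image(meter.serial), server.network_id, 1)
    result["dev_k2"] = session_key(meter, server.network_id, 2)
    return result


if __name__ == "__main__":
    r = demo()
    print("enrolled:", r["enrolled"], "duplicate:", r["duplicate"], "rogue:", r["rogue"])
    print("interval-1 keys agree:", r["dev_k1"] == r["srv_k1"])
```

Note how the server never keeps the device's root or derived secret on disk: it keeps only the public seed and rebuilds the device's key state from its own IC when needed, which is the "repeatable on each node without saving key values" property the article calls for. The rotation interval is passed explicitly here; a deployment would take it from a clock or sequence counter agreed by both ends.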
All cryptographic functionality rests on seeds, keys, and secrets that must be maintained securely. If they are compromised, the network can be compromised with them. Managing this information is therefore the most important aspect of securing an overall network of nodes, or a network of networks.
The smart grid effort will consist of exactly this, and it will be the groundwork for an ever-growing network of networks. Addressing it from the ground up requires a secret key management strategy that stores no keys on any node, authenticates each node, verifies communications, and uses temporary communication keys that are rotated often.
Christopher Gorog, PMP, a graduate of Colorado Technical University with a BSCE degree in Computer Engineering, is crypto solutions applications manager at