This is not strictly related to control system security, but it is related to control systems in general and is personally exciting to me. The solar decathlon project at DOE challenges universities to develop solar-powered houses which are all assembled on the Capitol lawn in DC the first week of October and judged according to various criteria. They must power an electric car, wash and dry clothes, run a PC and TV all day, etc. The full details of the competition are available here: http://www.solardecathlon.org/. For a description of the philosophy of our team, you can read the description on that site: http://www.solardecathlon.org/2007/team_illinois.html. The team also has a full website (http://www.solardecathlon.org/), and even received a little coverage on one of my favorite blogs: http://www.treehugger.com/files/2007/07/solar_decathlon_5.php.



I played a small role in the design and construction of this house, but it was the fulfillment of a longtime dream to play any part in a project like this (I've always been interested in alternative construction techniques and advanced environmental tech.). I was responsible for installing an electrical submeter that TrendPoint (http://www.trendpoint.com) generously donated to the team. It is a single compact unit that is capable of monitoring up to 42 circuits simultaneously in the configuration we received, and reporting those measurements (active and reactive power and energy) over a ModBus serial interface. We are only actually monitoring 24 circuits. The measurements are recorded by a Linux application that TrendPoint also donated. The software graphically depicts a circuit breaker panel that can be labeled with human-friendly names for each circuit. It can also associate each breaker with a particular region of a floorplan that can be loaded into the software from a standard image file, as can be seen in the following image:



The software is running on Linux inside a virtual machine. One of the unique challenges of this particular installation was transporting the data between the meter, mounted in the electrical closet, and the PC, located at the other end of the house. I ended up using two DB9-to-RJ45 adapters to route the signals over standard CAT-5 cable, which runs over 80 feet. The meter itself is mounted in a PVC junction box screwed into the wall of the electrical closet. The current transformers are attached to individual breakers in the breaker panel beneath the meter, and are routed through a hole in the meter box. The meter is connected to a voltage transformer mounted inside the breaker panel, as well as a DIN-mountable power supply that is also hardwired into the breaker panel. DOE installed their own metering solution in an adjacent plexiglass box, prominently visible in the following image:



Their metering solution was apparently far more expensive (I haven't confirmed the actual price), monitors less breakers, requires significantly more wiring, space, and data connectivity, and doesn't provide any additional information as far as I know! I'm sure it has some advantages, though. It definitely looks prettier, and perhaps the data can be downloaded at shorter time intervals.

Overall, this was a fun project, and I certainly hope our team takes home the gold!

Michael LeMay from the Attested Metering project at the Illinois Security Lab will be presenting the attested metering threat model and security architecture in Session 3F on Wednesday, Oct. 3 at the AMRA Autovation symposium in Reno, NV (http://www.amra-intl.org/autovation/). My talk is entitled "An Incremental Approach to Improved AMI Security." If any of you blog readers will be at my talk and would like to meet in person afterwards, please send me an email! (lemaymd .@t. lemaymd .d0t. com)

The Attested Metering team is pleased to announce that we will be presenting a paper on intelligent demand-response at the Hawai'i International Conference on System Sciences (HICSS) this January. I have included the paper's abstract here to pique your interest and hopefully convince you to read the full paper:


In the competitive electricity structure, demand response programs enable customers to react dynamically to changes in electricity prices. The implementation of such programs may reduce energy costs and increase reliability. To fully harness such benefits, existing load controllers and appliances need around-the-clock price information. Advances in the development and deployment of Advanced Meter Infrastructures (AMIs), Building Automation Systems (BASs), and various dedicated embedded control systems provide the capability to effectively address this requirement. In this paper we introduce a Meter Gateway Architecture (MGA) to serve as a foundation for integrated control of loads by energy aggregators, facility hubs, and intelligent appliances. We discuss the requirements that motivate the architecture, describe its design, and illustrate its application to a small system with an intelligent appliance and a legacy appliance using a prototype implementation of an intelligent hub for the MGA and ZigBee wireless communications.


The full paper can be downloaded from our website: http://seclab.uiuc.edu/pubs/LeMayNGG08.pdf.

The ANSI C12.19 meter data table standard includes simple security mechanisms. I decided that it might be interesting to provide a condensed introduction to those mechanisms here, with some commentary on how effectively they can be expected to perform. If you wish to read about the mechanisms in the draft standard itself, you can find them starting on pp.93.

The standard defines tables for transferring both passwords and encryption/authentication keys. One thing that can be immediately noted from this description is that passwords may be stored verbatim and the meter will still comply with the standard, since it only specifies how data should be transferred, not how it should be stored. In standard computer security systems, passwords are salted and hashed (often repeatedly) before being stored in the device that will perform the password verification. This is to prevent the password from being revealed if the password file is compromised. Since this precaution is not necessarily taken on C12-compliant meters, it may be possible to retrieve the password itself from a compromised meter. This may be important if the meter data management agency (MDMA) reuses passwords between meters, which would allow an attacker that compromises one meter to access the others with less difficulty. However, the standard itself shouldn't be faulted for this omission, since it is a standard systems security consideration.

Different meters can support differing amounts of storage for passwords and keys. It is possible to support from 0 to 255 passwords and 0 to 255 keys. If a meter supports password storage, it can set a limit on maximum password length from 1 to 20 characters. No minimum length can be configured. It would be beneficial to support such a lower limit, to prevent the usage of short passwords. Each meter can also set a limit on the key size, from 0 to 255 octets. This means that up to 2040-bit keys are supported, which is sufficient for all common symmetric and asymmetric cryptography algorithms. However, it is difficult to imagine a scenario in which a 0-bit key could be useful.

Regardless of their security, the stated purpose of these credentials is to establish group access permissions. Access permissions can limit access to the other data tables on the meter. Just like permissions in UNIX filesystems, the permissions can restrict read, write, and execute permissions on arbitrary tables, including procedural tables.

Up to eight groups can be defined on each meter. When a remote user logs into the meter, the key or password that they use determines which groups will be activated for them. Then, these groups determine what permissions will be granted to the user.

Default permissions must be defined for all tables on the meter that are not explicitly access-controlled. It is possible to allow read and write access to all tables by default, which provides a very simple way for meter administrators to make their meters convenient to access, but also very insecure.

Access to individual tables can also be controlled by creating entries in a special access control table that specifically identify the table they control and which groups are allowed to read and/or write to that table.

I hope that this summary is informative!

---
Many thanks to Ed Beroset for providing corrections to this summary.

The EPAct of 2005 is the first major piece of legislation to address our national energy problems since the EPAct of 1992. It has a number of provisions that are related to advanced metering, which we discuss below. For a full description of the bill, the wikipedia article is quite useful.

The Energy Policy Act of 2005 includes several provisions related to automated meter reading that will undoubtedly spur further deployments across the nation. Page 8 of the ``Energy Efficiency'' section sets a deadline of Oct. 1, 2012 for fitting all federal buildings with electric meters that are capable of metering energy usage with at least hourly resolution, and that report those measurements at least daily. It is explicitly stated that preference should be given to ``advanced meters.'' It is also specified that federal facilities managers will be given access to that data, via the existing federal energy management system.

In a separate document dedicated to electricity, the Secretary of Energy is directed to establish a ``comprehensive research, development, demonstration, and commercial application program to promote improved reliability and efficiency of electrical transmission and distribution systems'' which must include, among many other things, ``advanced metering, load management, and control technologies.''

On page 67 of the same document, utilities are required to provide net metering capabilities to any customer that requests such a provision. Manual net metering devices are available, but net metering is typically associated with advanced meters.

Even more significantly, page 70 of the ``Electricity'' document contains a large section dedicated to ``Smart Metering.'' This section discusses a number of advanced technologies that can only be provided by automated metering systems. The first item to be discussed is time-based metering. Within 18 months of the passage of the bill, all utilities must offer all their customers with a time-based rate schedule, which can then be voluntarily adopted by customers. There are several different types of rate schedules that may be offered to customers, including the following:

• Time-of-use: Prices are set in advance and typically don't change more than twice per year. This sort of schedule allows customers to anticipate periods of high prices and adjust their behavior accordingly to minimize their costs.
  
• Real-time pricing: Prices are set in advance, but may change as often as hourly.
  

The utility is required to provide the customer with both the rate schedule and a meter capable of using the schedule. Electric resellers are also required to provide this service and the equipment required to use it. However, provisions made later in the document appear to allow individual states to decide whether to enforce these requirements. Finally, the Secretary of Energy has been tasked with educating customers on the availability and benefits of advanced metering.

Section 1287 of the ``Electricity'' document deals with the related issue of customer privacy. However, the bill only states that the FTC is permitted to issue rules to prevent electric service providers from disseminating customer information. This weak protection may not be adequate, and is unlikely to inspire trust among the public.

One final interesting provision in Section 1287 prohibits ``cramming,'' by which an electric customer is forced to pay for unsolicited services. Thus, developers of AMR applications must be very careful in how they deploy their applications to avoid prosecution under this provision.

The EP Act of 2005 provides AMR researchers with valuable research opportunities. The ``Studies and Program Support'' document explicitly provides support for a program to ``improve energy efficiency of high power density facilities, including data centers, server farms, and telecommunications facilities.'' More specifically, the program must investigate technologies ``that provide significant improvement in thermal controls, metering, load management, peak load reduction, or the efficient cooling of electronics.'' Programs will also be established to investigate residential usage of combined heat and power generators to reduce residential load and possibly contribute power back to the grid, which is an excellent application for advanced meters.

We can reasonably predict that the outcomes from these intiatives will be increased adoption of AMR technologies, and more research in the field.

Welcome to the new ADA blog! I intend to update this blog whenever I spot items of interest to the advanced distribution automation community. If you are new to the area and would like to understand ADA more fully, please refer to the Intelligrid use cases on the subject. Please also visit my academic website for more information on a number of topics.