2007 IEEE Canada Electrical Power Conference
Network Security Management and Authentication
of Actions for Smart Grids Operations
Alexander Hamlyn, Helen Cheung, Todd Mander, Lin Wang, Cungang Yang, Richard Cheung

Abstract
Operations of electricity power systems have recently become more intricate due to development of microgrids, execution of open access competition, and use of network-controlled devices, etc. The computer network has therefore become a key integral part of modern power-grid operations. This paper proposes a new utility computer network security management and authentication for actions / commands requests in smart-grid operations. This management covers multiple security domains in a new security architecture designed for smart power grids. This paper presents the strategy and procedure of security checks and authentications of commands requests for operations in the host area electric power system (AEPS) and interconnected multiple neighboring AEPS. Case studies of the new security management and authentication for smart grids operations are presented.

Index Terms -- Computer network security, Computer network management, Power system communication, Microgrids, [...] grids

I. INTRODUCTION
Recently increased use of network-controlled devices, government-imposed open access competition and deregulation, and rapid development of microgrids have made computer networks a key integral part of modern power grid operations. The International Electrotechnical Commission (IEC) has lately published a substation automation system communication standard - IEC61850 [1]. Its working group IEC TC57 WG15 is currently addressing the security and reliability of information infrastructure for power system operations [2]. Concurrently, research has been underway for enhancing the computer network security of distribution systems with distributed generations (DGs) from renewable energy resources [3] [4]. As a key contribution towards power-grid computer network security, this paper proposes a new utility computer network security management and authentication of actions/commands requests for carrying out smart grids operations.
For implementation of government-imposed deregulation policy, it is almost unavoidable to allow fairly open access to the computer networks of the distribution system from external communication networks for inter-power-system operations and electricity business transactions. Consequently, it is inevitable to have a substantial increase of users who are permitted to access the utility computer network through external specific or general-purpose networks or even through the Internet, whereas not long ago, only trained utility staff had access to the utility computer network. This has considerably aggravated the risks for proper power system operations due to potential cyber-attacks [4]. Therefore, security and reliability concerns of computer networks in the electricity power systems have been rising rapidly and therefore demands for secure computer-controlled power system automation have been increasing tremendously. With increasing use of intelligent electronic devices (IEDs) with autonomous [...] the power-grid computer networks, the power system can be operated efficiently if all network communications are correct, but the power system operations can be endangered if there is any network error. There are many potential threats to the power-grid computer network formed within utility assets, such as indiscretions by employees, authorization violation, etc.
Increasing power-grid computer network security management and authentication that supports the power-grid operations has become critical to the reliability of the electricity power industry. Network outages due to inadvertent errors, deliberate sabotages, authorization violations, network management disruptions, authentication faults, etc. could have serious impacts on many aspects of the electricity power industry. For example, in a physical aspect such as in the electric power circuit, a short delay in transmitting protection data to operate equipment due to network errors could result in equipment failure. In an economical aspect such as in the electricity market, jeopardizing the delivery of a tiny amount of information for a short time by the competitor could turn our winning bid into a losing one.
Traditionally, the focus of the electricity power industry has been exclusively on selecting, designing, or implementing equipment to keep the power system in reliable service. Until recently, data transmission in the power-grid computer network that supports power system protection, control and monitoring has been considered of tangential importance. The cascading failures in the August 14, 2003 blackout, with the exception of the initial physical (equipment, tree and line clearance) problems, were almost exclusively due to problems in providing the right information to the right place within the right time. Recently, the importance of power-grid information infrastructure and management has been drawing steadily increasing attention in the electricity power industry [2].
This paper presents a new utility computer network security management and authentication for actions or commands requests in smart-grid operations. This new control covers security management for multiple security domains in a new network security architecture. This paper discusses the strategy and procedure for security checks and authentications for command requests of operations in both Host-AEPS and interconnecting Foreign-AEPS that will be defined in the paper. Case studies of the new security management and authentication for smart grids operations are presented.
_____________________________
A. Hamlyn, H. Cheung, L. Wang, C. Yang, and R. Cheung are with Ryerson University, Canada.
T. Mander is with University of Teesside, UK, and Ryerson University.
1-4244-1445-8/07/$25.00 2007 IEEE
Authorized licensed use limited to: Politecnico di Torino. Downloaded on July 16,2010 at 12:05:15 UTC from IEEE Xplore. Restrictions apply.
II. SECURITY MANAGEMENT ARCHITECTURE
Fig. 1 shows the security management architecture designed
for power-grid computer networks. This security management
is comprised of one Host-AEPS (area electric power system)
domain and multiple Foreign-AEPS domains. Each AEPS
domain contains one network control center and several local
EPS domains, and each local domain may be a microgrid
containing one or more distributed resources. This
classification of domains is consistent with that of area electric
power systems in the IEEE-1547 standard for interconnecting
distributed resources with electric power systems [5].
Fig. 1. Power Grid Security Management Architecture

Role Hierarchy in Host-AEPS Domain
In the proposed Host-AEPS domain shown in Fig. 1, the network control center is designed to have the authority and facilities to structure the Host-AEPS domain role hierarchy. This design allows the control center computer network to have full capability to structure the network access and management according to the real power system environment in that AEPS, and to adapt to the changes in live operating conditions such as reconfiguration of power grids, outage of equipments, etc. The AEPS network hierarchy can be comprised of multiple local-domain role hierarchies.
A role hierarchy is established to represent inheritance of authority, responsibility, and privilege among the roles in the AEPS. The role hierarchy design can be shown using Fig. 1. For example, if role H points to role J, that is H -> J, then H inherits all privileges of J. The role H is called a direct parent role of J. On the other hand, J is called a direct child role of H. The inheritance relationship is transitive. For example, if H -> J and J -> G, then H ->-> G, where the role H is an indirect parent role of G and G is an indirect child role of H. A user of the power-grid computer network can be assigned with a number of roles, either parent roles or child roles, that can be changed from time to time according to the user's responsibility and authority in the electricity utility. A role in a local EPS domain may take on some tasks belonging to another local EPS domain. Fig. 1 shows an example of role hierarchies in local domains 1 and 2 of the Host-AEPS domain, where role H in local domain 2 is assigned to access role A in local domain 1. Role H is then called an extended parent role of A, and A is called an extended child role of H. The management of the roles in the Host-AEPS is discussed in the following section.
Role Hierarchy with Foreign-AEPS Domain
Fig. 1 illustrates that the architecture of multiple domains
designed in this research extends the capability of the
conventional role-based control to cover the connections of
the host domain and the foreign domains. In this design,
privileges can be given to users from the foreign domains.
These users are called the foreign domain users, e.g. as shown
in Fig. 1 the users of role 5 in local EPS domain F22 of
Foreign-AEPS domain F2. In order to deal with the access
control of users from the foreign domains, it is required to
establish a foreign-user network access policy to verify the
trust relationship between users of host domain and those of
foreign domains. The management of the access policy is
discussed in the following section.
Host-AEPS Domain
The network control center in one AEPS domain operates
as an administrator of all its local EPS domains and
communicates with users in other AEPS domains. The main
function of each AEPS network domain in the proposed
security management architecture is as follows. The control
center administrator defines and maintains the security policy
for all local domains, as well as defines and maintains the
security policy for connections with the foreign AEPS
domains and authorizes privileges of access to foreign domain
users according to the defined foreign domain security policy.
Each local EPS domain implements its security policy
instrumented by the control center administrator. The local
domain security officer authorizes privileges of access to its
own local domain users and the users from other
interconnected local domains.
Roles and Privileges
Fig. 1 shows that each local security domain has a number
of roles, each of which is represented by one circle [3][6]. A
role is defined as a collection of privileges that can be
executed by the authorized users of certain job positions in the
area electric power system. A role can take on a number of privileges according to its functions and authorities. A privilege [...] substation equipments, etc.
III. SMART GRID ROLE-BASED SECURITY MANAGEMENT
This section discusses the role-based security management designed in this paper for the smart (defined in this paper as intelligent computer-network control integrated) power grids.
Role management within a local EPS domain
A user can be assigned with a number of roles according to the user's responsibility and authority in the electricity utility. For example, a professional engineer Mary is working in a local EPS and has experiences of substation operation, design and monitoring. Then she may be assigned with several roles such as role of operator, role of designer, and role of analyst.
Fig.2 can be used to illustrate the role assignment for Mary. It is assumed that the Host-AEPS domain administrator has defined the following role functions for Local EPS Domain 1: A is a supervising role, B is a monitoring role, C is a power-flow controlling role, D is a substation designing role, E is an analyzing role, F is a substation operating role, etc. Then, it would be sufficient to assign Mary with two roles D and F.
Fig.2 Role Hierarchy for Host-AEPS Domain

Role management with inter-local domain requirements
Fig.2 can be used to illustrate the role management with inter-local EPS domain requirements. For example, John is working as a power-flow controller in Local EPS Domain 1 and his control software requires power-flow data from Local EPS Domain 2. It is assumed that role C is a power-flow controlling role in Domain 1 and role G is the power-flow monitoring role in Domain 2, and that role C has limited access privileges to role G. Then, John is assigned to role C in order to execute the power-flow control operation.
Role management with inter-AEPS domains requirements
A practical power system operation in one AEPS domain may require, from time to time, data from other AEPS domains. The design proposed in this paper supports this requirement, as illustrated in Fig.3.

Fig.3 Role Hierarchy for Inter AEPS Domains

In this design, privileges of access to a local domain in the Host-AEPS can be given to a specially arranged user from a foreign domain. As shown in Fig.3, role 5 in Local EPS Domain F22 of Foreign-AEPS Domain F2 is given an access privilege to role B in Local EPS Domain 1 of Host-AEPS Domain. This can represent a practical power system operating condition such as, for execution of power flow control in one area EPS, its controller (role 5) requires data from a substation monitor (role B) of another EPS.

IV. SMART GRID ROLE-BASED AUTHENTICATION
This section describes the computer network role-based security authentication for actions/commands requests in smart-grid operations.
Authentication w. r. t. Role Constraints
The network controller is responsible for carrying out an authentication evaluation for constraints to the role operations defined with required qualifications. The role constraints can be grouped into three types: cardinality constraints, separation-of-duty constraints and prerequisite constraints.
Cardinality constraint. This constraint includes that a role may be allowed to have a limited number of users, a user may be allowed to execute a limited number of roles, the number of roles that can be linked may be limited, etc. For example, in a typical electricity substation, the role of circuit breaker operator usually can be assigned to three users: first the substation operator on duty, second the substation supervisor, and third the control center operator, in order to identify responsibility for actions in case of emergency system events.
Separation-of-duty constraint. This constraint is managed by the network controller to enforce conflict-of-interest prevention policy. Conflict of interest may arise as a result of the simultaneous assignment of two mutually exclusive roles to the same user. For example, a role of electricity transaction monitor and a role of power flow controller cannot be assigned to the same user in order to avoid the conflict of interest in power enterprise systems.
Prerequisite constraint. This constraint for a specific network access is checked to ensure that a user can perform a prerequisite operation if and only if the user has already been a member of the prerequisite role. For example, a role with a privilege to initiate a tripping command to the substation bus-tie breaker is a role that has a prerequisite constraint. The constraint is determined by the control center, such as the role must be a substation operator with a specific training and operating experience. A user can execute this role if and only if the user already has a role of substation operators.
Moreover, there exist many other role constraints, for instance a time constraint that defines how long the role can be activated, which may be changed from time to time according to the live power-grid operating environment.
Authentication w. r. t. Foreign Domain Interfacing
In order to deal with the access control of users from the foreign domains, it is required to establish a foreign-user network access policy to verify the trust relationship between users of host domain and those of foreign domains.
Digital credentials can be used to manage the trust establishment efficiently. The design in this paper uses the digital credential to verify the network access request to the power-grid computer networks. This credential verification is particularly important for maintaining the network security
when the network is open to the foreign users. Digital credentials signed by CA issuers are the online counterparts of paper credentials that people use in their daily lives. There are multiple subject properties and their values for each type of credential. For example, the digital credential of a substation circuit-breaker operator has several typical subject properties including the user's profession credential, required training, specific equipment operating experiences, etc. The control center network administrator (software) automatically assigns a digital value to each subject property; for example, a minimum of 5 years of professional engineering experience is represented with npe5, substation training level-1 experience with ntl1, training level-2 experience with ntl2, etc.
Trust establishment using the digital credential is applicable whenever a foreign user requests to engage in a sensitive transaction without sufficient pre-established trust, and such a request involves essentially every aspect of the e-commerce in the power systems. An enterprise's network access policy may allow foreign users to access certain data files, but such access may be limited to the authorized users.
In this design, a foreign-interfacing role in the host computer network domain can be viewed as a collection of privileges that can be performed by a foreign user who holds the required digital credentials. The Host-AEPS control centre defines a security policy for the foreign-interfacing role such that it can only be authorized to foreign computer network domain users who hold the required credentials.
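The following Python sketch is an added example, not code from the paper: it applies the three role constraints of Section IV and the credential requirement for a foreign-interfacing role at role-assignment time. All role names, limits, the issuer name and its key are constructed, the property labels follow the paper's npe5-style values, and an HMAC stands in for the CA signature.

```python
import hashlib
import hmac

# Constructed policy: every name, limit and key below is an assumption.
MAX_USERS = {"breaker_operator": 3}                        # cardinality: users per role
MAX_ROLES_PER_USER = 3                                     # cardinality: roles per user
EXCLUSIVE = [{"transaction_monitor", "power_flow_controller"}]  # separation of duty
PREREQUISITE = {"bus_tie_trip": "substation_operator"}     # role -> role already held
FOREIGN_REQUIRED = {"foreign_monitor_reader": {"npe5", "ntl1"}}  # credential properties
ISSUER_KEYS = {"CA-F2": b"constructed-demo-key"}           # trusted credential issuers


def credential_tag(key, subject, properties):
    """Stand-in for a CA signature: HMAC-SHA256 over subject and sorted properties."""
    message = (subject + "|" + ",".join(sorted(properties))).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check_credential(role, cred):
    """Return None when the credential satisfies the role, else a reason string."""
    key = ISSUER_KEYS.get(cred.get("issuer"))
    if key is None:
        return "credential: issuer not trusted"
    expected = credential_tag(key, cred["subject"], cred["properties"])
    if not hmac.compare_digest(expected, cred.get("signature", "")):
        return "credential: signature mismatch"
    missing = FOREIGN_REQUIRED[role] - set(cred["properties"])
    if missing:
        return "credential: missing " + ",".join(sorted(missing))
    return None


def can_assign(assignments, user, role, cred=None):
    """Decide whether `role` may be added to `user`; returns (allowed, reason).
    `assignments` maps each user to the set of roles already held."""
    held = assignments.get(user, set())
    holders = sum(1 for roles in assignments.values() if role in roles)
    if role in MAX_USERS and holders >= MAX_USERS[role]:
        return False, "cardinality: role already has %d users" % holders
    if len(held) >= MAX_ROLES_PER_USER:
        return False, "cardinality: user role limit reached"
    for group in EXCLUSIVE:
        if role in group and held & (group - {role}):
            return False, "separation of duty"
    needed = PREREQUISITE.get(role)
    if needed and needed not in held:
        return False, "prerequisite: " + needed
    if role in FOREIGN_REQUIRED:
        if cred is None or cred.get("subject") != user:
            return False, "credential: none presented for this user"
        problem = check_credential(role, cred)
        if problem:
            return False, problem
    return True, "ok"


def assign(assignments, user, role, cred=None):
    """Apply the decision: the role is recorded only when every check passes."""
    allowed, reason = can_assign(assignments, user, role, cred)
    if allowed:
        assignments.setdefault(user, set()).add(role)
    return allowed, reason


def run_demo():
    """Replay constructed assignment requests and collect each decision."""
    a, results = {}, []
    for user in ("operator_on_duty", "supervisor", "center_operator", "trainee"):
        results.append(assign(a, user, "breaker_operator"))      # fourth user is refused
    results.append(assign(a, "u1", "transaction_monitor"))
    results.append(assign(a, "u1", "power_flow_controller"))     # conflicts with monitor
    results.append(assign(a, "u2", "bus_tie_trip"))              # lacks prerequisite role
    assign(a, "u2", "substation_operator")
    results.append(assign(a, "u2", "bus_tie_trip"))
    key = ISSUER_KEYS["CA-F2"]
    good = {"issuer": "CA-F2", "subject": "f22_user", "properties": ["npe5", "ntl1"],
            "signature": credential_tag(key, "f22_user", ["npe5", "ntl1"])}
    forged = dict(good, properties=["npe5", "ntl1", "ntl2"])     # edited after signing
    weak = {"issuer": "CA-F2", "subject": "f22_user", "properties": ["npe5"],
            "signature": credential_tag(key, "f22_user", ["npe5"])}
    for cred in (forged, weak, good):
        results.append(assign(a, "f22_user", "foreign_monitor_reader", cred))
    return results


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

A deployment would replace the HMAC stand-in with verification of the issuing CA's public-key signature; the order of the checks is otherwise unchanged.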
V. TYPICAL PROCEDURES FOR SECURITY MANAGEMENT AND
AUTHENTICATION
The following describes typical procedures of security management and authentication for actions / commands requests in smart grids operations.
* A procedure handles the user access to its own local domain. This procedure represents the most frequent network accesses, in which utility staff use the computer network to carry out their daily tasks, for example the use of the computer network to obtain monitoring data of substation bus voltage and current, feeder voltage and current, breaker status, etc.
* A procedure handles the user access to another local domain. This procedure represents the specific network accesses in which some utility staff use another local network to carry out specific tasks, for example the use of the computer network to obtain monitoring data of neighboring substation power flow, breaker status on the high voltage transmission system, etc.
* A procedure handles the foreign user access to the host AEPS domain. This procedure represents occasional / infrequent network accesses in which staff of other AEPS or personnel access the host domain to carry out some tasks such as request for transfer of power, sequence of events records, power flow data, etc.
Security Management for Procedures Pre-execution
Prior to executing appropriate procedures for allowing users to gain access to the smart-grid computer network for carrying out their duty, the network administrator has defined functions of all roles. For convenience of illustrating typical procedures, the functions of some roles in Fig.3 are given below.
Role A is a supervising role, role B is a monitoring role, role C is a power-flow controlling role, role D is a substation designing role, role E is an analyzing role, role F is a substation operating role, role G is a power-flow monitoring role, role 2 is a controlling role, role 4 is a bus-voltage analyzing role, etc.
Also it is assumed that the network administrator has assigned User X with role C and role F.
Illustration of Security Authentication of User Requests
Request 1: User X makes a request to the smart-grid computer
network to reduce the power flow in Domain 1 of the host area
electric power system.
Security Execution: Request is accepted, because User X has
role C that can directly implement the control of power flow in
Domain 1 of Host AEPS.
Request 2: User X makes a request to analyze bus voltage
fluctuation in Domain 1 of the host area electric power system.
Security Execution: Request is denied, because all the roles
that User X has cannot reach role E that is responsible for
substation analysis in Domain 1 of Host AEPS.
Request 3: User X makes a request to obtain bus voltage data
in Domain F21 of the neighboring area electric power system.
Security Execution: Request is accepted, because User X has
role C that is granted with access privilege to role 2 of Domain
F21, and role 2 is a parent role of role 4 in Domain F21 (as
shown in Fig.3), and role 4 is responsible for analyzing the bus
voltage in Domain F21 of Foreign-AEPS Domain F2.
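The following Python sketch is an added example, not code from the paper: it replays Requests 1 to 3 as a search over the role hierarchy and returns the inheritance chain that justifies each accepted request. It contains only the role relations stated in the text (the other edges of Fig.3 are not reproduced); the domain labels D1 and D2 and the action names are constructed.

```python
from collections import deque

# Roles are (domain, role) pairs. An edge parent -> child means the parent
# inherits the child's privileges. D1/D2 are the host local EPS domains 1 and 2.
INHERITS = {
    ("D1", "C"): {("D2", "G"), ("F21", "2")},  # C: limited access to G, granted access to role 2
    ("F21", "2"): {("F21", "4")},              # role 2 is a parent role of role 4
    ("F22", "5"): {("D1", "B")},               # foreign role 5 may use monitoring role B
}

# Role responsible for each (action, domain). Action names are constructed.
RESPONSIBLE = {
    ("control_power_flow", "D1"): ("D1", "C"),
    ("analyze_bus_voltage", "D1"): ("D1", "E"),
    ("read_bus_voltage", "F21"): ("F21", "4"),
}

# User X holds role C and role F, as assumed in the text.
USER_ROLES = {"X": {("D1", "C"), ("D1", "F")}}


def inheritance_chain(held, target, inherits):
    """Breadth-first search from the roles a user holds to the target role.
    Returns the shortest chain of roles, or None when the target is unreachable."""
    queue = deque([role] for role in sorted(held))
    seen = set(held)
    while queue:
        chain = queue.popleft()
        if chain[-1] == target:
            return chain
        for child in sorted(inherits.get(chain[-1], ())):
            if child not in seen:          # also guards against cycles in the policy
                seen.add(child)
                queue.append(chain + [child])
    return None


def authorize(user, action, domain, inherits=INHERITS):
    """Return (accepted, chain). Unknown users and unknown actions are denied."""
    required = RESPONSIBLE.get((action, domain))
    held = USER_ROLES.get(user)
    if required is None or not held:
        return False, None
    chain = inheritance_chain(held, required, inherits)
    return chain is not None, chain


if __name__ == "__main__":
    requests = [("control_power_flow", "D1"),    # Request 1
                ("analyze_bus_voltage", "D1"),   # Request 2
                ("read_bus_voltage", "F21")]     # Request 3
    for action, domain in requests:
        accepted, chain = authorize("X", action, domain)
        print(action, domain, "accepted" if accepted else "denied", chain)
```

Passing a copy of `INHERITS` with the grant from role C to role 2 removed makes Request 3 fail, which shows that the cross-domain grant is the only path to role 4.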
VI. CASE STUDIES OF SECURITY AUTHENTICATION FOR
SMART-GRID STABILITY CONTROL
This section presents typical case studies of computer network security authentication for requests of actions for smart-grid stability control.
The basic strategy proposed in this paper for enhancement of smart grids stability is first to continuously evaluate the power-grid real-time performance, particularly regarding any contingencies that have occurred, using state-of-the-art digital signal processing and computer networking technologies, and second, to carry out corrective actions to restore a sufficient margin whenever the power system stability margin is reduced due to contingencies. The actions include increase of spinning reserve, reschedule of generation, decrease of allowed power transfer, shedding of non-critical loads, etc. These actions have associated costs that are, however, negligible compared to a widespread power outage or even a blackout due to serious voltage collapse if the actions are not taken.
This strategy deals with four fronts: monitoring stability margins, restoring sufficient stability margins, detecting developing instability, and counteracting instability. The evaluation of instant stability margins and the detection of potential or developing instability conditions need data of operating states in the distribution circuit and the connecting transmission line equipment, which requires a reliable high-speed computer network for real-time data acquisition. Implementation of restoring stability margins and execution of stability corrective actions also require a network to realize the reliable high-speed commands transmission.
Security Authentication for Stability Control
Stability control is one of the most important operations in the electricity power system. Prior to executing any requests of actions for restoring stability margins or correcting instability conditions, all action requests must go through strict security checks for examining not only the reliability of the requests but also the trustworthiness of the issuers of the requests. The security management and authentication strategy and procedures designed in this paper are applied for the smart-grid stability control.
The IEEE 123 node circuit shown in Fig.4 [7] is utilized to illustrate the application of the security management and authentication proposed in this paper for the control of smart grid security. It is assumed that the IEEE circuit is connected with a transmission system at two places, Nodes 150 and 451, and that the IEEE circuit is fed by two local generators at Nodes 251 and 195.

Fig.4: IEEE 123 network fed by transmission-level and distribution-level generations

Formulation of AEPS Domains
In the security management architecture (Fig. 1) designed in this paper, the computer network for the power grid is divided into AEPS network domains. Fig.5 shows the IEEE network is divided into four AEPS domains: AEPS-1, AEPS-2, AEPS-3, and AEPS-4. This division is based on the configuration of the IEEE circuit as each domain can be physically isolated by opening disconnects around that domain, or on the other hand [...]

Fig.5 [...]

Formulation of Local EPS Domains
Each AEPS domain is subdivided into several local domains. The following uses AEPS-1 domain to illustrate the subdivision. Fig.6 shows the AEPS-1 is divided into [...] local domains. This division is based on two aspects, the [...] according to the following guidelines:
1. In order to make the best use of the off-the-shelf [...] hardware, [...]
2. Each local domain monitors those circuits that are located [...]
3. Each local domain should include circuits that are critical from the monitoring point of view, if physically feasible.
4. For cost-effective implementation, the number of local domains should be minimized.

Fig.6 Local domains defined for [...]

A brief description of the seven local domains is given below.
LD1 monitors five node circuits, where Node [...] disconnect fed by a local generation and Node-25 regulator are its critical elements.
LD2 monitors five node circuits.
LD3 monitors seven node circuits, where Node 18 [...] connecting to AEPS-2 is its critical element.
LD4 monitors four node circuits, where Node-9 regulator is its critical element.
LD5 monitors seven node circuits, where Node-149 disconnect fed by a transmission line is its critical element.
LD6 monitors four node circuits.
LD7 monitors four node circuits, where [...] disconnect connecting to AEPS-3 is its critical element.
In the following case studies, it is assumed that there occurs a contingence that makes the transmission line TL1A unavailable, when AEPS-1 is operating [...] with the two disconnects at Nodes 13 and [...] open, as shown in Fig.6. The contingence can trigger [...] short-term or long-term dynamic instability. [...]
1) Case studies for short-term stability controls
The contingence that makes TL1A unavailable can excite the short-term dynamics of the local generator LG-1 (including its turbine, governor, and excitation system), VAR compensators, induction-motor loads, etc. in AEPS-1. These dynamics may trigger angle instability and voltage instability. The angle instability results from the loss of synchronism between the local generator LG1 and the transmission line TIB. The voltage instability is linked to fast load recovery.
Corrective actions are requested to restore sufficient stability margins in AEPS-1 as the margins are reduced due to this contingency. Prior to executing any requests of actions for restoring stability margins or correcting instability conditions,
all action requests must go through strict security checks for
examining not only the reliability of the requests but also the
trustworthiness of the issuers of the requests. Two typical
cases are studied below.
Case 1: Authentication for Generator Excitation Adjustment
This case assumes that user-Y (an operator or software controller) requests to adjust the excitation of the local generator LG-1. As shown in Fig.6, LG-1 is located at Node 22 in the local domain LD1 of AEPS-1; user-Y must have a role of LG1 excitation controller in LD1 or its parent role in order to adjust LG1 generator excitation.
Case 2: Authentication for VAR Compensation
This case assumes that user-Y requests to switch in a reactive compensator VAR-1. As shown in Fig.6, VAR-1 is located in the local domain LD3 in AEPS-1; user-Y must have a role of VAR-1 controller in LD3 or its parent role in order to switch on/off the VAR-1 compensator.
2) Case studies for long-term stability controls
The contingence that makes TL1A unavailable reduces the maximum power deliverable to loads in AEPS-1 and can trigger the long-term instability. This instability is associated with slower dynamics involving operations such as load tap changers (LTCs) and over-excitation limiters (OELs). Corrective actions (including LTCs, increase of spinning reserve, reschedule of generation, decrease of allowed power transfer, shedding of non-critical loads, etc.) can be used to control the long-term stability in AEPS-1. Two typical cases are studied below.
Case 3: Authentication for LTC Adjustment
This case assumes that user-Y requests to correct the low voltage condition at Node 11. As shown in Fig.6, the voltage of Node 11 can be improved by adjusting the regulator at Node 9. In order to correct Node-11 voltage, user-Y must have a role of Node 9 regulator controller or its parent role.
Case 4: Authentication for Shedding of Non-Critical Load
This case assumes that user-Y requests to support the voltage of the critical load at Node 3 by shedding of a non-critical load. As shown in Fig.6, the Node-3 critical load is located in the local domain LD6 and a non-critical load at Node 6 is located in the same local domain. User-Y must have a role of Node-6 non-critical load shedding controller or its parent role in order to carry out the load shedding.

VII. CONCLUSION
This paper has proposed a new utility computer network security management and authentication for actions or commands requests in smart-grid operations. This management covers multiple security domains in a new security architecture designed for smart power grids. This paper has presented the strategy and procedure of security checks and authentications of commands requests for operations in the host AEPS and interconnected multiple neighboring AEPS. Case studies of the new security management and authentication for smart grids operations for improvement of stability conditions due to contingencies are presented.

VIII. REFERENCES
[1] IEC Standards 61850, "Communication Networks and Systems in Substations," 2005.
[2] F. Cleveland, "Enhancing the Reliability and Security of the Information Infrastructure Used to Manage the Power System," IEEE PES General Meeting, Tampa, Florida, USA, June 24-28, 2007.
[3] L. Wang, C. Li, H. Cheung, C. Yang, R. Cheung, "PRAC: A Novel Security Access Model for Power Distribution System Computer Networks," 07GM0843, IEEE PES General Meeting, Tampa, Florida, USA, June 24-28, 2007.
[4] T. Mander, F. Nabhani, L. Wang, R. Cheung, "Open-Access-Compatibility Security Layer for Enhanced Protection Data Transmission," 07GM0458, IEEE PES General Meeting, Tampa, Florida, USA, June 24-28, 2007.
[5] IEEE Standards 1547, "IEEE Standard for Interconnecting Distributed Resources with Electric Power Systems," July, 2003.
[6] S. Osborn, R. Sandhu, and Q. Munawer, "Configuring Role-based Access Control to Enforce Mandatory and Discretionary Access Control Policies," ACM Transactions on Information and System Security, Vol. 3, No. 2, 2000, pages 85-106.
[7] "IEEE 123 Node Test Feeder," Distribution System Analysis Subcommittee, IEEE Power Engineering Society.

IX. BIOGRAPHIES
Alexander Hamlyn received his B.Eng. from Ryerson University and is currently a M.A.Sc. student at Ryerson. He worked as NSERC USRA and Research Assistant in Ryerson WAN and LEDAR labs.
Helen Cheung received her B.Eng. from Ryerson University and is currently a M.A.Sc. student at Ryerson. She has worked as Research Assistant in Ryerson LEDAR Lab and Engineer in RC Power Conversions Inc.
Todd Mander received his B.Eng. degree from Ryerson University. He is currently working on his doctorate degree in power system computer networks at the University of Teesside through Ryerson University.
Lin Wang received her B.Eng., M.Eng., and Ph.D. degrees from Huazhong University of Science and Technology, where she was an Associate Professor. She is currently conducting research at Ryerson University.
Cungang Yang received his Ph.D. degree from University of Regina. He is currently an Assistant Professor at Ryerson University. His research areas include security and privacy, enhanced role-based access control model, information flow control, web security, and multimedia security.
Richard Cheung received his B.A.Sc., M.A.Sc., and Ph.D. degrees from the University of Toronto. He was a Research Engineer in Ontario Hydro. Currently he is a Professor at Ryerson University, and he is an active Power Engineering consultant and is the President of RC Power Conversions Inc.