Cyber-Security in Smart Grid: Survey and Challenges

Z. Elmrabet1, H. Elghazi1, N. Kaabouch2, H. Elghazi1
1 STRS Lab, INPT, Rabat, Morocco
2 Electrical Engineering Department, UND, USA

Abstract--- Smart grid uses the power of information technology to intelligently deliver energy to customers by using two-way communication, and to meet environmental requirements by facilitating the integration of green technologies. Although smart grid addresses several problems of the traditional grid, it faces a number of security challenges. Because communication, with its inherent weaknesses, has been incorporated into the electrical power system, the system is exposed to numerous risks. Several research papers have discussed these problems. However, most of them classified attacks based on confidentiality, integrity, and availability, and they excluded attacks which compromise other security criteria such as accountability. In addition, the existing security countermeasures focus on countering some specific attacks or protecting some specific components, but there is no global approach which combines these solutions to secure the entire system. The purpose of this paper is to provide a comprehensive overview of the relevant published works. First, we review the security requirements. Then, we investigate in depth a number of important cyber-attacks in smart grid to diagnose the potential vulnerabilities along with their impact. In addition, we propose a cyber security strategy as a solution to address breaches, counter attacks, and deploy appropriate countermeasures. Finally, we provide some future research directions.

Index Terms— Smart grid, cyber-attacks, vulnerabilities, confidentiality, availability, integrity, accountability, IDS, cryptography, network security.

I. INTRODUCTION

Traditional electrical distribution systems are used to transport electrical energy generated at a central power plant by increasing voltage levels and then delivering it to the end users by reducing voltage levels gradually. However, this electricity grid has major shortcomings, including the inability to include diverse generation sources such as green energy, high cost and expensive assets, time-consuming demand response, high carbon emissions, and blackouts. For example, a study conducted by researchers at the Berkeley National Laboratory in 2004 showed that power interruptions cost the American economy approximately $80 billion per year; other estimates indicate a higher cost of $150 billion per year [1]. It is evident that these critical problems cannot be addressed with the existing electricity grid. Smart grid promises to provide flexibility and reliability by facilitating the integration of new power resources (such as renewable energy, wind, and solar energy), enabling corrective capabilities when failures occur, reducing the carbon footprint, and reducing energy losses within the grid.

Smart grid is a system based on communication and information technology in the generation, delivery, and consumption of electrical energy. It uses a two-way flow of information to create an automated and widely distributed system that has new functionalities such as real-time control, operational efficiency, grid resilience, and better integration of renewable technology, which will decrease the carbon footprint. However, risks can still exist in smart grid. Any interruption in power generation could disturb smart grid stability and could potentially have large socio-economic impacts. In addition, as valuable data are exchanged among smart grid systems, theft or alteration of these data could violate consumer privacy. Because of these weaknesses, smart grid has become the primary target of attackers [2], which has attracted the attention of government, industry, and academia.

Several research papers have been published that provide an overview of the prevailing problems related to cyber security in smart grid infrastructure [3, 7]. In [3], Rawat et al. presented a study of the challenges present in smart grid security. They classified attacks based upon the type of network, namely home area network (HAN), neighborhood area network (NAN), and wide area network (WAN). In addition, they presented the impact of each attack on the information security criteria: confidentiality, integrity, and availability (CIA). In [4], Shapsough et al. discussed security challenges in smart grid systems, especially those related to connectivity, trust, customer privacy, and software vulnerabilities. The authors also provided an overview of the existing security solutions, particularly network security, data security, key management, network security protocols, and compliance checks. Another study, focusing on public networks, was conducted by Liang et al. in [5]. The paper describes a protection framework for smart grid based on a public network. This framework was composed of three layers: main station,
communication network, and terminals. In [6], Dari et al. discussed the security requirements and possible threats on smart grid. These threats were classified into three categories: people and policy, platform, and network threats. In [7], Wang et al. also classified attacks based on the CIA requirements, and they described several countermeasures, including network security, cryptography, secure protocols, and secure architecture.

While these survey papers provide various classifications of attacks on smart grid, most of them are based upon confidentiality, integrity, or availability. However, blended and sophisticated attacks such as Stuxnet, Duqu, and Flame [8] can compromise all of the security parameters at the same time. Therefore, such attacks are usually excluded from these classification systems. Furthermore, countermeasures and security solutions were presented individually for each smart grid component, and there is no global approach or process to combine all security mechanisms in order to ensure security for the entire system.

This paper provides a summary of the current status and future expectations of smart grid cyber security. The remainder of this paper is organized as follows. First, we review cyber security objectives in smart grid. Next, we present a new classification system of cyber-attacks based on the method used by hackers or penetration testers. This method allows one to better understand the process used by a hacker to compromise smart grid security [9]. Then, we summarize and recommend a number of countermeasures. Some challenges and future directions are discussed in the last section.

II. SMART GRID OVERVIEW

A. Smart grid's features

The main benefits expected from the smart grid are increasing grid resilience and improving environmental performance. Resilience indicates the capability of a given entity to resist unexpected events and recover quickly thereafter [1]. Today, grid resilience as a feature has become nonnegotiable, especially when power interruptions can potentially impact the economy. Smart grid promises to provide flexibility and reliability by enabling additional dispersed power supply, facilitating the integration of new resources into the grid, and enabling corrective capabilities when failures occur. Moreover, smart grid systems are expected to enable electric vehicles as replacements for conventional vehicles, reducing energy used by customers and reducing energy losses within the grid [10].

B. Smart grid's conceptual model

According to the National Institute of Standards and Technology (NIST) [2], a smart grid is composed of seven logical domains: bulk generation, transmission, distribution, customer, markets, service provider, and operations, each of which includes both actors and applications. Actors are programs, devices, and systems, whereas applications are tasks performed by one or more actors in each domain. Fig. 1 shows the conceptual model of smart grid and the interaction of actors from different domains via a secure channel.

Within the customer domain, the main actor is the end user. Generally, there are three types of customers: home, commercial/building, and industrial. In addition to consuming electricity, these actors may also generate, store, and manage the use of energy. This domain is electrically connected to the distribution domain and communicates with the distribution, operations, service provider, and market domains [2, 11].

Fig. 1. Smart grid's conceptual model based on NIST.

In the market domain, actors are the operators and participants in the electricity markets. This domain maintains the balance between electrical supply and demand. In order to match production with demand, the market domain communicates with the energy supply domains, which include the bulk generation domain and distributed energy resources (DER) [2, 11]. The service provider domain includes the organizations that provide services to both electrical customers and utilities. These organizations manage services such as billing, customer accounts, and use of energy. The service provider interacts with the operations domain for situational awareness and system control, and also communicates with the customer and market domains to develop smart services such as enabling customer interaction with the market and energy generation at home [2, 11]. The operations domain's actors are the managers of the movement of electricity. This domain maintains efficient and optimal operations in transmission and distribution. In transmission, it uses energy management systems (EMS), whereas in distribution it uses distribution management systems (DMS) [2, 11]. Actors in the bulk generation domain include generators of electricity in bulk quantities. Energy generation is the first step in the process of delivering electricity to the end user. Energy is generated using resources like oil, flowing water, coal, nuclear fission, and solar radiation. The bulk generation domain is electrically connected to the transmission domain and communicates
through an interface with the market domain, transmission domain, and operations domain [2, 11]. In the transmission domain, generated electrical power is carried over long distances from the generation domain to the distribution domain through multiple substations. This domain may also store and generate electricity. The transmission network is monitored and controlled via a SCADA system, which is composed of a communication network, control devices, and monitoring devices [2, 11]. The distribution domain includes the distributors of electricity to and from the end user. Electrical distribution systems have different structures such as radial, looped, or meshed. In addition to distribution, this domain may also support energy generation and storage. This domain is connected to the transmission domain, the customer domain, and the metering points for consumption [2, 11].

C. Smart grid's systems

Smart grid is composed of several distributed and heterogeneous applications, including advanced metering infrastructure (AMI) [12], substation automation [13], demand response [13], supervisory control and data acquisition (SCADA), electric vehicles (EV) [14], and home energy management (HEM) [13]. In this section we discuss three critical and vulnerable applications in the smart grid: AMI, SCADA, and substation automation [1, 8, 12, 13, 15, 16, 17]. The other applications were discussed in detail in [12, 13].

Advanced metering infrastructure (AMI) is responsible for collecting, measuring and analyzing energy, water and gas usage. It allows two-way communication between the user and the utility. It is composed of three components: the smart meter, the AMI headend, and the communication network [18]. Smart meters are digital meters, consisting of microprocessors and a local memory; they are responsible first for monitoring and collecting the power usage of home appliances, and also for transmitting data in real time to the AMI headend on the utility side. An AMI headend is an AMI server that consists of a meter data management system (MDMS) [12]. The communication between the smart meters, the home appliances, and the AMI headend is defined through several communication protocols such as Z-Wave and ZigBee [18].

Supervisory control and data acquisition (SCADA) is a system that measures, monitors and controls the electrical power grid. It is typically used for large-scale environments. It consists of three elements: the remote terminal unit (RTU), the master terminal unit (MTU), and the human–machine interface (HMI) [19]. The RTU is a device composed of three components: the first one used for data acquisition, the second one responsible for executing instructions coming from the MTU, and the third one designed for communication. The MTU is a device responsible for controlling the RTU. The HMI is a graphical interface for the SCADA system operator [19]. The communication within a SCADA system is based on many industrial protocols, including distributed network protocol v3.0 (DNP3) and IEC 61850 [20].

The substation is a key element in the power grid network. It performs several functions, including receiving power from the generating facility, regulating distribution, and limiting power surges [13]. It contains devices that regulate and distribute electrical energy, such as a remote terminal unit (RTU), global positioning system (GPS), human–machine interface (HMI), and intelligent electronic devices (IEDs) [21]. The substation sends operation data to the SCADA system for controlling the power system. Many operations are automated within the substation in order to increase the reliability of the power grid [1]. The communication between the substation automation and other devices in transmission and distribution is defined by the standard IEC 61850 [22].

D. Smart grid's network protocols

Distributed and heterogeneous applications in smart grid require different communication protocols. Fig. 2 illustrates the smart grid network architecture and the protocol used within each network. In the home area network (HAN), home appliances use the ZigBee and Z-Wave protocols [18]. In the neighborhood area network (NAN), devices are usually connected via the IEEE 802.11, IEEE 802.15.4, or IEEE 802.16 standards [18]. In the wide area network (WAN) and in supervisory control and data acquisition (SCADA) applications, several industrial protocols are used, especially distributed network protocol 3.0 (DNP3) and Modicon communication bus (Modbus) [20]. Within substation automation, the IEC 61850 protocol is used [7]. In this section we discuss two widely used yet vulnerable protocols in smart grid [22-25]: Modbus and DNP3. Bluetooth, Z-Wave, ZigBee, 6LoWPAN, WiMAX, the IEC 61850 protocol, and power line communication are discussed in depth in [12, 14, 22].

Modicon communication bus (Modbus) is an application layer (layer 7) protocol of the OSI model; it was designed in 1979 to enable process controllers to communicate in real time with computers. There are three types of Modbus: Modbus ASCII, Modbus RTU, and Modbus/TCP. In the first one, messages are coded in hexadecimal. Though it is slow, it is ideal for radio links and telephone communications. In the second one, the messages are coded in binary and it is used over RS232. In the third one, the masters and slaves use IP addresses for communication [23]. In a SCADA system, Modbus is a master-slave protocol responsible for exchanging instructions between one master, a remote terminal unit (RTU) or master terminal unit (MTU), and several slave devices, such as sensors, drivers, and PLCs [23]. On one hand, Modbus is widely used in industrial architectures because of its relative ease of use, communicating raw data without the restriction of authentication, encryption, or any excessive overhead [26]. On the other hand, these same features make it vulnerable and easily exploitable [23, 25].
Fig. 2. Illustration of smart grid network architecture

Distributed network protocol v3.0 (DNP3) is another widely used communication protocol for critical infrastructure, more specifically in the electricity industry [24]. It was initiated in 1990 as a serial protocol to manage communication between "master stations" and slave stations called "outstations" [26]. In electrical stations, DNP3 was used for connecting master stations, such as RTUs, with outstations, such as intelligent electronic devices (IEDs) [23]. In 1998, DNP3 was extended to work over IP networks through encapsulation in TCP or UDP packets. DNP3 uses several standardized data formats and supports time-stamped (time-synchronized) data, making the data transmission reliable and efficient [26]. At first DNP3 did not provide any security mechanism such as encryption or authentication, but this problem was fixed with the secure version of DNP3, called DNP3 Secure [7].

III. SECURITY REQUIREMENTS OF SMART GRID

The National Institute of Standards and Technology (NIST) has defined three criteria required to maintain the security of information in the smart grid and keep it protected, specifically confidentiality, integrity, and availability [10]. According to [27], accountability is another important security criterion. The description of each criterion is given below.

A. Confidentiality

In general, confidentiality preserves authorized restrictions on information access and disclosure. In other words, the confidentiality criterion requires protecting both personal privacy and proprietary information from being accessed or disclosed by unauthorized entities, individuals, or processes. Once an unauthorized disclosure of information occurs, confidentiality is lost. For instance, information such as control of a meter, metering usage, and billing information that is sent between a customer and various entities must be confidential and protected; otherwise the customer's information could be manipulated, modified, or used for other malicious purposes [10].

B. Availability

Availability is defined as ensuring timely and reliable access to and use of information. It is considered the most important security criterion in smart grid because the loss of availability means disruption of access to information in a smart grid [10]. For example, loss of availability can disturb the operation of the control system by blocking the flow of information through the network, and therefore denying the system's operators the availability of the network to control the system.

C. Integrity

Integrity in smart grid means protecting against improper modification or destruction of information. A loss of integrity is an unauthorized alteration, modification, or destruction of data in an undetected manner [10]. For example, power injection is a malicious attack launched by an adversary who intelligently modifies the measurements from the power injection meters and power flow meters and relays them to the state estimator. Both nonrepudiation and authenticity of information are required to maintain integrity. Nonrepudiation means that individuals, entities or organizations are unable to perform a particular action and then deny it later; authenticity is the fact that data originated from a legitimate source.

D. Accountability

Accountability means ensuring traceability of the system, such that every action performed by a person, device, or even a public authority is recordable so that no one can deny his/her action. This recorded information can be presented as evidence within a court of law in order to determine the attacker [28]. An example of an accountability problem would be the monthly electricity bills of customers. Generally, smart meters could determine the cost of electricity in real time or day-to-day. However, if these meters are under attack, this information is no longer reliable because it has been
altered. As a result, the customer will have two different electric bills, one from the smart meter and the other from the utility [27].

IV. SECURITY PROBLEMS AND COUNTERMEASURES IN SMART GRID

A. Smart grid attacks

In general, and as shown in Fig. 3, there are four steps used by malicious hackers to attack and gain control over a system, namely reconnaissance, scanning, exploitation, and maintaining access [9]. During the first step, reconnaissance, the attacker gathers and collects information about the target. In the second step, scanning, the attacker tries to identify the system's vulnerabilities. These activities aim to identify the open ports and to discover the service running on each port along with its weaknesses. During the exploitation step, he/she tries to compromise and gain full control of the target. Once the attacker has administrative access on the target, he/she proceeds to the final step, which is maintaining access. This step is achieved by installing a stealthy and undetectable program; thus he/she can easily get back to the target system later.

Fig. 3. Attacking cycle followed by hackers to get control over a system.

In smart grid, the same steps are followed by attackers to compromise the security criteria [1]. During each step, they use different techniques to compromise a particular system in the grid. Thus, attacks can be classified based on these steps. Fig. 4 illustrates the types of attacks during each step. As one can see, numerous types of attacks can happen during the exploitation step. The malicious activities and attacks during each step are described below.

1) Reconnaissance

The first phase, reconnaissance, includes two attacks: social engineering and traffic analysis. Social engineering (SE) relies on social skills and human interaction rather than technical skills. An attacker uses communication and persuasion to win the trust of a legitimate user and get credentials and confidential information such as passwords or PIN numbers to log on to a particular system. For example, phishing [29] and password pilfering attacks [30] are well-known techniques used in SE. The traffic analysis attack is used to listen to the traffic and analyze it in order to determine the devices and hosts connected to the network along with their IP addresses. Social engineering and traffic analysis compromise mainly the confidentiality of the information.

2) Scanning

The scanning attack is the next step, used to discover all the devices and hosts alive on the network. There are four types of scans: IP, port, service, and vulnerability scans [9]. Generally, an attacker starts with an IP scan to identify all the hosts connected to the network along with their IP addresses. Next, he or she goes deeper by scanning the ports in order to determine which ports are open. This scan is executed on each discovered host on the network. The attacker then moves on to the service scan in order to find out the service or system running behind each open port. For instance, if port 102 is detected open on a particular system, the hacker could infer that this system is a substation automation control or messaging system. If port 4713 is open, the target system is a Phasor Measurement Unit (PMU) [1]. The final step, the vulnerability scan, aims to identify the weaknesses and vulnerabilities related to each service on the target machine in order to exploit them afterward.

Modbus and DNP3 are two industrial protocols vulnerable to scanning attacks. Given that Modbus/TCP was designed for communication rather than for security purposes, it can be compromised by an attack called Modbus network scanning [31]. This attack consists of sending a benign message to all devices connected to the network to gather information about these devices [31]. Modscan is a SCADA Modbus network scanner designed to detect open Modbus/TCP and identify device slave IDs along with their IP addresses [25]. Nicolas R. et al. have proposed an algorithm to scan the DNP3 protocol and discover hosts, specifically the slaves, their DNP3 addresses, and their corresponding master [24]. As one can see, these attacks target mainly the confidentiality of the smart grid.

3) Exploitation

The third step, exploitation, includes malicious activities that attempt to exploit the smart grid component's vulnerabilities and gain control over it. These activities include viruses, worms, Trojan horses, denial of service (DOS) attacks, man-in-the-middle (MITM) attacks, replay attacks, jamming channels, popping the human machine interface (HMI), integrity violations, and privacy violations. A virus is a program used to infect a specific device or system in smart grid [1, 32]. A worm is a self-replicating program. It uses the network to spread, to copy itself, and to infect other devices and systems [1, 32]. A Trojan horse is a program that appears to perform a legitimate task on the target system. However, it runs malicious code in the background. An attacker uses this type of malware to upload a virus or worm onto the target system [1, 32]. In June 2010, Roel Schouwenberg, a senior researcher at Kaspersky Lab, detected Stuxnet, the first worm targeting supervisory control and data acquisition (SCADA) systems [8]. This is regarded as the first cyber attack against a physical industrial control system.
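As an added example (not code from the paper or from any of the cited tools), the following Python monitor shows what a defender can do about the two Modbus properties discussed in Sections II.D and IV.A.2 above: the protocol carries no authentication, and a scanner discovers devices by probing unit identifiers across the network. It parses the Modbus/TCP MBAP header, flags write function codes from any host not on an allow-list of known masters, and flags one source probing many unit IDs within a short window. The IP addresses, thresholds, allow-list and sample capture are constructed for the example.

```python
"""Defender-side Modbus/TCP monitor (added example; constructed addresses and frames)."""
import struct
from collections import defaultdict

# Function codes that change device state. Assumption: the subset a monitor
# should treat as writes; the full Modbus function code list is longer.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the MBAP header and the function code; raise ValueError if malformed."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus (0)")
    if length != len(payload) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": payload[MBAP_LEN],
            "pdu": payload[MBAP_LEN + 1:]}


def monitor(frames, allowed_masters, sweep_threshold=8, window_s=5.0):
    """Scan (timestamp, src, dst, payload) tuples; return a list of (alert, src, detail).

    Two detections: a write function code from a host that is not an allowed
    master, and one source probing >= sweep_threshold distinct unit ids within
    window_s seconds (the Modbus network scanning pattern described above).
    """
    alerts = []
    probes = defaultdict(list)  # src -> [(timestamp, unit id), ...]
    for ts, src, dst, payload in frames:
        try:
            f = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(("MALFORMED", src, str(exc)))
            continue
        if f["function"] in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append(("WRITE_FROM_UNKNOWN_MASTER", src,
                           f"function 0x{f['function']:02X} to {dst} unit {f['unit']}"))
        recent = [(t, u) for t, u in probes[src] if ts - t <= window_s]
        recent.append((ts, f["unit"]))
        distinct = {u for _, u in recent}
        if len(distinct) >= sweep_threshold:
            alerts.append(("UNIT_ID_SWEEP", src, f"{len(distinct)} unit ids within {window_s}s"))
            recent = []  # one alert per sweep
        probes[src] = recent
    return alerts


def read_holding_registers(tid, unit, start=0, count=1) -> bytes:
    """Build a function 0x03 request (used only to construct sample traffic)."""
    pdu = struct.pack(">BHH", 0x03, start, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single_register(tid, unit, addr, value) -> bytes:
    """Build a function 0x06 request (used only to construct sample traffic)."""
    pdu = struct.pack(">BHH", 0x06, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: the known master polls and writes, an unknown host writes
# a register, a third host sweeps unit ids 1..10 and then sends a truncated frame.
ALLOWED_MASTERS = {"10.0.0.10"}
SAMPLE_FRAMES = (
    [(0.0, "10.0.0.10", "10.0.0.20", read_holding_registers(1, 1)),
     (0.5, "10.0.0.10", "10.0.0.20", write_single_register(2, 1, 100, 7)),
     (1.0, "10.0.0.77", "10.0.0.20", write_single_register(9, 1, 100, 0))]
    + [(2.0 + i * 0.1, "10.0.0.99", "10.0.0.20", read_holding_registers(100 + i, i))
       for i in range(1, 11)]
    + [(4.0, "10.0.0.99", "10.0.0.20", b"\x00\x01\x00\x00")]
)


def run_sample():
    return monitor(SAMPLE_FRAMES, ALLOWED_MASTERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The allow-list is the only thing that distinguishes a legitimate master from any other host on port 502, because Modbus/TCP itself gives the monitor nothing to check; the sweep threshold and window are tuning parameters that a real deployment would set from a baseline of normal polling.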
Fig. 4. Cyber attacks classification in smart grid based on the attacking cycle

Stuxnet, a worm of 500 kilobytes, exploited many zero-days, which are software vulnerabilities that have not yet been disclosed by the software owner. It infected at least 14 industrial sites based in Iran, including a uranium-enrichment plant. More than one year later, two more worms that targeted industrial control systems were discovered, Duqu and Flame. Unlike Stuxnet, Duqu was designed to gather and steal information about industrial control systems. Flame, on the other hand, was created to be used in cyber espionage in industrial networks. It has been found in Iran and other Middle East countries [1, 8, 33]. Viruses and worms can compromise availability, as Stuxnet did, confidentiality, as Duqu did, or a combination of the security parameters.

In denial of service (DOS) attacks, several methods are used, particularly SYN attacks, buffer overflow, teardrop attacks, and smurf attacks [1, 32], the puppet attack [15], the time-delay-switch (TDS) attack [34], and the time synchronization attack (TSA) [35]. A SYN attack exploits the three-way handshake (SYN, SYN-ACK, ACK) used to establish a TCP session. The attacker floods a target system with connection requests without responding to the replies, forcing the system to crash. The Modbus/TCP protocol is vulnerable to these attacks since it operates over TCP [26].

In buffer overflow, the attacker sends a huge amount of data to a specific system, thereby exhausting its resources. For example, the ping-of-death is considered a buffer overflow attack as it exploits the internet control message protocol (ICMP) by sending more than 65K octets of data. It then makes the system crash.

In a teardrop attack, an attacker alters and modifies the length and the fragmentation offset fields in sequential IP packets. Once the target system receives these packets, it crashes because the instructions on how the fragments are offset within these packets are contradictory.

In a smurf attack, the attacker targets not only a specific system, but can saturate and congest the traffic of an entire network. It consists of three elements: the source site, the bounce site, and the target site. From the source site, the adversary sends spoofed packets to the broadcast address of the bounce site. These packets contain the IP address of the target system. Once the bounce site receives the forged packets, it broadcasts them to all hosts connected to the network, causing these hosts to reply and saturating the target system [1, 32].

The puppet attack [15] targets the advanced metering infrastructure (AMI) network by exploiting a vulnerability in the dynamic source routing (DSR) protocol and then exhausting the communication network bandwidth. Due to this attack, packet delivery drops between 10% and 20%.

The time-delay-switch (TDS) attack [34] consists of introducing a delay in the control system, creating instability in the smart grid system.

The time synchronization attack (TSA) [35] targets mainly the timing information in smart grid. Because power grid operations such as fault detection and event location estimation depend highly on precise time information, and also most of the measurement devices in smart grid are equipped with global positioning system (GPS) receivers, an attack such as TSA, which spoofs the GPS information, could have a high impact on the system. DOS represents a significant threat to the smart grid system because communication and control messages in such a system are time critical [11], and a delay of a few seconds could compromise the system's availability.

The man-in-the-middle (MITM) attack is performed when an attacker inserts itself between two legitimate devices and listens, performs an injection, or intercepts the traffic between them. The attacker is connected to both devices and relays the tra ffic between them. These legitimate devices appear to communicate directly when in fact they are communicating via a third device [1]. For example, an attacker could conduct a MITM attack by placing himself on an Ethernet network to alter or misrepresent I/O values to the human machine interface (HMI) and programmable logic controllers (PLC). The MITM attack could also be used to intercept TCP/IP communication between the substation gateway and the transmission SCADA server [1]. Peter M. et al. have conducted several experiments, including the MITM attack, to compromise the integrity of the SCADA communication. They demonstrated the impact of such an attack on the SCADA servers [17]. Ihab D. et al. [36] highlighted the vulnerability of the DNP3 protocol operating in SCADA, and they conducted an experiment of a MITM attack with two scenarios showing that it is easy to intercept the messages exchanged between the master station and the outstations, modify the packet's content, and inject it into the network.

Intercept/alter attack is another type of MITM attack. It
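The teardrop and ping-of-death descriptions above both come down to fragment sets that cannot be reassembled consistently. The following Python is an added example, not part of the paper, of the validation a hardened reassembler or IDS preprocessor applies before accepting a fragment set: offsets must tile the datagram without overlap, non-final fragments must be multiples of 8 octets, and the reassembled size must stay within the 65535-octet IPv4 limit. The fragment tuples and the 20-octet header assumption are constructed.

```python
"""Fragment-set validation against teardrop and ping-of-death (added example)."""
MAX_DATAGRAM = 65535   # IPv4 total length limit in octets
IPV4_HEADER = 20       # assumption: no IP options in the reassembled header


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled consistently."""


def check_fragments(frags):
    """Validate a complete fragment set; return the reassembled payload length.

    frags: iterable of (offset_units, payload_len, more_fragments), where
    offset_units is the IP fragment offset field (in 8-octet units).
    Raises FragmentError on overlap (teardrop), a gap (missing fragment),
    oversize (ping-of-death) or a missing final fragment.
    """
    ordered = sorted(frags, key=lambda f: f[0])
    expected_start = 0
    final_seen = False
    for offset_units, length, more in ordered:
        if final_seen:
            raise FragmentError("data after the final fragment")
        start = offset_units * 8
        if start < expected_start:
            raise FragmentError(f"overlap: fragment at {start} inside data ending at {expected_start}")
        if start > expected_start:
            raise FragmentError(f"gap: expected offset {expected_start}, got {start}")
        if more and length % 8 != 0:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        end = start + length
        if end + IPV4_HEADER > MAX_DATAGRAM:
            raise FragmentError(f"reassembled datagram would be {end + IPV4_HEADER} octets")
        expected_start = end
        if not more:
            final_seen = True
    if not final_seen:
        raise FragmentError("no final fragment")
    return expected_start


# Constructed fragment sets: (offset in 8-octet units, payload length, MF flag).
SAMPLES = {
    "normal": [(0, 1480, True), (185, 520, False)],
    "teardrop": [(0, 1480, True), (100, 800, False)],           # starts at 800 < 1480
    "ping_of_death": [(i * 185, 1480, True) for i in range(44)]
                     + [(44 * 185, 420, False)],                 # 65540 + 20 > 65535
    "incomplete": [(0, 1480, True)],
}


def audit(samples=SAMPLES):
    """Return {name: 'ok:<len>' or 'reject:<reason>'} for each sample set."""
    verdicts = {}
    for name, frags in samples.items():
        try:
            verdicts[name] = f"ok:{check_fragments(frags)}"
        except FragmentError as exc:
            verdicts[name] = f"reject:{exc}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14s} {verdict}")
```

A real stack sees fragments arrive over time, so a gap only means "not complete yet" until a reassembly timer expires; the check here is written for a complete set, which is the point at which overlap and oversize are decided.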
attempts to intercept, alter, and modify data either transmitted across the network or stored in a particular device [33]. For example, in order to intercept a private communication in advanced metering infrastructure (AMI), an attacker uses an electromagnetic/radio-frequency interception attack. The eavesdropping attack is another type of MITM attack, where the attacker intercepts private communications between two legitimate devices [33]. All these MITM attacks attempt to compromise the confidentiality, the integrity, and the accountability.

In a replay attack, as the industrial control traffic is transmitted in plain text, an attacker could maliciously capture packets, inject a specific packet, and replay them to the legitimate destinations [1], thereby compromising the communication's integrity. An intelligent electronic device (IED), which is a device designed for controlling and communicating with the SCADA system [7], could be targeted by replay attacks so that false measurements are injected in a specific register [1]. A replay attack could also be used to alter the behavior of programmable logic controllers (PLC) [1]. In AMI, where an authentication scheme is used between smart meters, a replay attack involves a malicious host intercepting authentication packets sent from a smart meter and re-sending them at a later point in time, expecting to authenticate and gain unauthorised entry into the network [37].

In the jamming channel attack, an adversary exploits the shared nature of the wireless network and sends a random or continuous flow of packets in order to keep the channel busy and thus prevent legitimate devices from communicating and exchanging data [38]. Due to its time-critical nature, smart grid requires a highly available network to meet the quality of service requirements, and such an attack can severely degrade its performance [38]. Keke G. et al. [16] proposed a jamming attack named maximum attacking strategy using spoofing and jamming (MAS-SJ) that targets mainly the cognitive radio

an attack and gain full control of the target system [1]. The availability, integrity, confidentiality, and accountability may be compromised based on the attacker's objective and motivation.

In the masquerade attack, a malicious person may pretend to be a legitimate user in order to gain access to a system or gain greater privileges to perform unauthorized actions. This attack could tamper with the programmable communicating thermostat (PCT), which is used to reduce electric power at a residential site. It compromises the availability, integrity, confidentiality, and accountability of the system [33].

Integrity violation attacks aim to violate the integrity and/or the accountability of the smart grid by altering, intentionally or unintentionally, the data stored in a given device in the network. For instance, a customer could perform this attack to alter the smart meter data in order to reduce his electricity bill. This attack could also be used to target a remote terminal unit (RTU), so that wrong data will be reported to the control center, resulting in an increased outage time. The false data injection (FDI) attack [40] is a type of integrity violation. It aims to introduce arbitrary errors and corrupt some devices' measurements, affecting the accuracy of the state estimate (SE). Since the SE is important for system monitoring to ensure reliable operation of the power system, and for the energy management system (EMS) to process the real-time data collected by the SCADA system, an FDI attack could compromise the SE's integrity, leading to instability of the smart grid system [40]. A detailed study on the impact of the FDI attack on power system stability was conducted by Adnan A. et al. in [41].

Privacy violation attack aims to violate privacy by collecting private information about customers [28]. For example, as smart meters collect electricity usage many times per hour, information about the user's electricity consumption could be obtained. Thus, if a meter does not show electricity
network (CRN) in the wireless smart grid network (WSGN). usage for a period of time, that commonly indicates that the
Because WSGN is important for monitoring power grid in the house is empty. This information could then be used to
smart grid with the PMU that plays a key component by conduct a physical attack like burglary [28]. Depeng L. et al.
providing time-synchronized data of power system operating showed that the demand response programs and smart meters
states [39], attacks like MAS-SJ can disturb the operation of generate high-resolution data about the customers’ privacy.
the system or even make it unavailable. This data could be exploited leading to the loss of customer’s
Popping the HMI is an attack that exploits a known device’s information and disclosure of activity patterns [42].
vulnerability, especially device’s software or OS 4) Maintaining access
vulnerabilities, and then installs a remote shell, allowing the In the final step, maintaining access, the attacker uses a
attacker to connect remotely to the server from his computer special type of attack to gain permanent access to the target,
to get unauthorized access in order to monitor and control the especially backdoors, viruses, and Trojan horses. A backdoor
compromised system [1]. SCADA systems, substations, or any is an undetectable program, stealthy installed on the target to
system running an operation system with a console interface is get back later easily and quickly [32]. If the attacker succeeds
considered as a potential target of this attack. Even given the in embedding a backdoor into the servers of the control center
potential impact of such an attack, it does not require of the SCADA, he or she can launch several attacks against
advanced networking skills or significant experience in the system which can cause a severe impact on the power
security and industrial control system to perform. Since the system [43].
devices’ vulnerabilities documentation are publicly available, In IT network, security’s parameters are classified based on
a hacker or the so-called script-kiddies may simply use open their importance in the following order: confidentiality,
source tools such as Metasploit and meterpreter to launch such integrity, accountability, and availability. Whereas in smart
8

grid, they are classified: availability, integrity, accountability, composed of three phases: pre-attack, under attack, and post-
and confidentiality [10, 28]. Thus, we can say that attacks attack. As follows, and for each phase, relevant published
which compromise the availability of the smart grid systems solutions in terms of security protocols, security technology,
have a high severity, while those targeting confidentiality have cryptography, and other cyber-attack countermeasures are
a low severity. In addition to the level of severity, each attack described.
has a level of likelihood to be performed. For instance, attacks 1) Pre-attack
such as Stuxnet and Duqu [8], has a high severity because they During this first phase, pre-attack, various published
are able to vandalize the industrial control system and bypass solutions are recommended to enhance the smart grid’s
all the security boundaries; but, they are complex and security and to be prepared for any potential attack. Security
sophisticated. So, these viruses have high severity, but their countermeasures commonly fall into three categories, namely
likelihood to be performed is low. Another example is the network security, cryptography, and device security. We will
HMI popping attack. It has a high severity and it does not discuss technologies and secure protocols such as IDS, SIEM,
require advanced networking skills or significant experience in DLP and secure DNP3 [1, 18, 46] for the network security.
security and industrial control system to perform it. Since the Encryption, authentication, and key management [4, 7, 32, 47]
devices’ vulnerabilities documentation are publicly available, for the data security. Finally, Host IDS, compliance checks,
a hacker or the so-called script-kiddies may simply use open and diversity technique for the device security.
source tools such as Metasploit and meterpreter to launch such
an attack [1]. Therefore, this attack has high severity and it is a) Network security
very likely to be performed. Table II shows the likelihood of The network is the backbone of a smart grid. So, network
each attack to be performed and its associated level of security plays a significant role in securing the entire system.
severity. Using firewalls supplemented with other monitoring and
inspection technologies is recommended [1] to secure the
smart grid network. A firewall is intended to allow or deny
B. Smart grid countermeasures
network connections based on specific rules and policies. But
A number of attack detection and countermeasure an unknown or an advanced attack technique can easily bypass
techniques are proposed in the literature to counter cyber many firewall techniques. Therefore, firewalls should be
attacks. For instance, Özçelik I. et al in [44] proposed a associated with other security technologies such as intrusion
solution for distributed denial of service (DDos). In [38], Lu detection system (IDS), security information and event
Z. et al. proposed a technique to detect jamming channel management systems (SIEM), and network data loss
attacks. In [45] Rawat D. et al. proposed a technique to detect prevention (DLP) [1, 18, 46]. IDS is a system developed for
False detection injection (FDI) attacks. Though these security detecting malicious activity either on a network or on a
solutions contribute to the smart grid’s security, they are specific host [32]. SIEMS are information management
insufficient to face sophisticated and blended attacks [1]. systems that collect and gather information such as operating
Moreover, Stuxnet [8] showed that strategy like “Defense in- system logs, application logs, and network flow from all
depth” or “security by obscurity” [1] are no longer considered devices in the network. Then the collected information will be
as valid solutions. We believe that security cannot be achieved analyzed and processed by a centralized server in order to
through one specific solution, but by deploying several detect any potential threat or a malicious activity in the
techniques incorporated into a global strategy. In this section, network. Network DLP is a system responsible for preventing
and as Fig. 5 shows, we propose a cyber security strategy the loss or the theft of the data across the network [1].
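The FDI attack described above corrupts measurements before they reach the state estimator, and the residual check an EMS runs after each estimation cycle is one of the detection inputs in the spirit of the FDI detection work cited as [45]. What follows is an added example, not code from the survey or from [45]: a constructed 3-bus DC model (assumed unit line susceptances, 0.01 p.u. measurement noise, constructed angles and noise values) showing how a corrupted RTU report produces an outsized normalized residual and is localized to the offending measurement.

```python
"""Residual-based bad data detection for a small DC state estimator.

Added example (not from the survey). Model and values are constructed:
a 3-bus network, bus 1 is the angle reference, all line susceptances are
1.0 p.u., and the measurement noise is 0.01 p.u. (all assumptions).
"""

# Rows of H: flows P12, P13, P23 and net injections P2, P3, expressed in the
# unknown bus angles [theta2, theta3] (DC power flow, theta1 = 0).
MEASUREMENT_NAMES = ["P12", "P13", "P23", "P2", "P3"]
H = [
    [-1.0, 0.0],
    [0.0, -1.0],
    [1.0, -1.0],
    [2.0, -1.0],
    [-1.0, 2.0],
]
SIGMA = 0.01       # assumed measurement noise standard deviation (p.u.)
THRESHOLD = 3.0    # flag a normalized residual larger than 3 sigma

TRUE_STATE = [-0.1, -0.2]                        # constructed bus angles (rad)
NOISE = [0.001, -0.002, 0.0015, -0.001, 0.002]   # constructed noise sample


def transpose(m):
    return [list(col) for col in zip(*m)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def solve(a, b):
    """Solve a x = b for a small square system by Gauss-Jordan elimination."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def estimate_state(h, z):
    """Least-squares state estimate x = (H^T H)^-1 H^T z (unit weights)."""
    ht = transpose(h)
    return solve(matmul(ht, h), matvec(ht, z))


def bad_data_check(h, z, sigma=SIGMA, threshold=THRESHOLD):
    """Return (estimate, residuals, suspect index or None).

    The suspect is the measurement with the largest normalized residual
    when that residual exceeds the threshold: the classical
    largest-normalized-residual test run after each SE cycle.
    """
    x_hat = estimate_state(h, z)
    residual = [zi - hi for zi, hi in zip(z, matvec(h, x_hat))]
    normalized = [abs(r) / sigma for r in residual]
    worst = max(range(len(z)), key=lambda i: normalized[i])
    suspect = worst if normalized[worst] > threshold else None
    return x_hat, residual, suspect


def clean_measurements():
    """Honest telemetry: H * true state plus the constructed noise."""
    return [v + n for v, n in zip(matvec(H, TRUE_STATE), NOISE)]


def corrupted_measurements(index=2, error=0.15):
    """Telemetry where one RTU report (P23 by default) carries a 0.15 p.u. error."""
    z = clean_measurements()
    z[index] += error
    return z


if __name__ == "__main__":
    for label, z in (("clean", clean_measurements()),
                     ("corrupted", corrupted_measurements())):
        x_hat, residual, suspect = bad_data_check(H, z)
        name = MEASUREMENT_NAMES[suspect] if suspect is not None else "none"
        print(f"{label}: estimate={x_hat}, suspect={name}")
```

The clean set estimates the angles to within the noise and raises no flag, while the single corrupted report leaves a residual of about 0.125 p.u. on P23, more than twelve times sigma, and is flagged.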

TABLE I: LIKELIHOOD OF THE ATTACK TO BE PERFORMED AND ITS ASSOCIATED SEVERITY.
(rows: likelihood of the attack to be performed; columns: severity of the attack)

Likelihood \ Severity | Low | Medium | High
High | Traffic analysis [29, 30, 33]; Privacy violation [28] | - | Virus, worms, Trojan horse [8]; DOS [15, 35]; Backdoor [43]; Jamming channel [16, 38]
Medium | Social engineering [1, 29]; Scanning [25, 28] | MITM [17, 36]; Masquerade attack [33]; Replay attack [1, 34]; Integrity violation [1, 41, 46] | -
Low | - | - | Popping the HMI [1]
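The replay attack on plain-text control traffic discussed above succeeds because nothing binds a captured frame to a session or to a point in time. The following is an added example, not code from the survey and not an implementation of the DNP3 Secure Authentication specification: a minimal authentication layer placed between transport and application (HMAC over sequence number, timestamp and payload; key, clock values and payloads are constructed) that rejects a replayed, tampered or stale frame while accepting the next fresh one.

```python
"""Replay-resistant authentication layer for control traffic (added example).

This is not the DNP3 Secure Authentication specification; it is a minimal
model of what such a layer adds between transport and application: a keyed
MAC over a sequence number, a timestamp and the payload. Key, clock values
and payloads below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
HEADER = struct.Struct(">IQ")           # 32-bit sequence number, 64-bit unix time
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
MAX_SKEW_S = 5                          # freshness window in seconds (assumption)


def seal(key, seq, timestamp, payload):
    """Sender side: frame = header || payload || HMAC(header || payload)."""
    header = HEADER.pack(seq, timestamp)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies MAC, monotonic sequence and freshness before handing the
    payload to the application (for instance a register write on an IED)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1   # per-session counter; reset only on re-keying

    def accept(self, frame, now):
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated frame"
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False, "bad mac"
        seq, ts = HEADER.unpack(header)
        if seq <= self.last_seq:                      # a captured frame re-sent
            return False, "replayed or reordered sequence"
        if abs(now - ts) > MAX_SKEW_S:                # captured and sent much later
            return False, "stale timestamp"
        self.last_seq = seq
        return True, payload


def demo():
    """Exercise the receiver with a legitimate frame, its replay and a tampered copy."""
    rx = Receiver(KEY)
    t0 = 1_700_000_000                           # constructed clock value
    command = b"WRITE register=7 value=0.95"     # constructed application payload
    frame = seal(KEY, seq=1, timestamp=t0, payload=command)
    results = {}
    results["original"] = rx.accept(frame, now=t0 + 1)
    results["replay"] = rx.accept(frame, now=t0 + 2)          # same seq again
    tampered = frame[:HEADER.size] + b"WRITE register=7 value=0.00" + frame[-TAG_LEN:]
    results["tampered"] = rx.accept(tampered, now=t0 + 3)     # payload changed
    late = seal(KEY, seq=2, timestamp=t0, payload=command)
    results["stale"] = rx.accept(late, now=t0 + 60)           # valid MAC, old clock
    fresh = seal(KEY, seq=2, timestamp=t0 + 4, payload=command)
    results["next"] = rx.accept(fresh, now=t0 + 4)            # next legitimate frame
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:9s} -> {'ACCEPT' if ok else 'REJECT'}: {detail!r}")
```

The counter and the shared key are the session state a key management scheme has to establish and refresh; without authentication of the header the sequence check alone would be trivially bypassed.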
In addition to these security systems, secure network protocols such as IPsec, transport layer security (TLS), secure sockets layer (SSL), and secure DNP3 can also be used to enhance security in the network. DNP3 is an industrial protocol widely used in smart grid [24]. Initially, the DNP3 protocol came without any security mechanisms. In other words, messages are exchanged in plain text across the network and can be easily intercepted. In recent years, the increased number of cyber-attacks targeting industrial and power systems has attracted the attention of a number of researchers in both industry and academia. Consequently, a secured variant of the DNP3 protocol has been released, named secure DNP3. This secured version adds a secure layer for encryption and authentication between the TCP/IP and application layers. Using such a protocol, several attacks can be avoided; for example, the authentication mechanism can protect against MITM attacks, whereas encryption reduces eavesdropping and replay attacks. Secure DNP3 is discussed further in [7].

Fig. 5. Cyber security strategy for smart grid

b) Cryptography for data security
Encryption mechanisms aim to ensure data confidentiality, integrity, and nonrepudiation. There are two types of key encryption: symmetric and asymmetric. In symmetric key encryption, or single-key encryption, one key is used both to encrypt and to decrypt data. The most used algorithms employing symmetric encryption are the advanced encryption standard (AES) and the data encryption standard (DES). Asymmetric key encryption, on the other hand, uses two keys to encrypt and decrypt data: a private key and a public key. RSA (Rivest, Shamir and Adleman) is a widely used asymmetric algorithm [32]. In smart grid, various components with different computational capabilities co-exist. Therefore, both symmetric and asymmetric key encryption can be used, and the selection depends on several factors, including data criticality, time constraints, and computational resources [4].

Authentication is defined as the act of verifying that an object's identity is valid, such as through the use of a password [32]. An object could be a user, a smart device, or any component connected to the smart grid network. Multicast authentication is a particular type of authentication and its applications are widely used in smart grid [47]. In [4], Shapsough et al. proposed three methods to achieve authentication for multicast applications: secret-info asymmetry, time asymmetry, and hybrid asymmetry.

Key management is a crucial approach for encryption and authentication. Public key management (PKI), or shared secret key management, can be used to ensure authenticity for communication across networks. In a PKI infrastructure, the identities of two parties are verified by a certificate delivered by a third party called the certificate authority (CA). This mechanism is carried out before establishing any connection between the two parties. In shared secret key management, four steps are used to maintain communication security: key generation, key distribution, key storage, and key update [4]. Due to the distributed nature of smart grid, some specific requirements should be considered to design a cryptographic key management scheme; W. Wang et al. in [7] present several basic yet relevant requirements of the key management scheme, particularly efficiency, evolve-ability, scalability, and secure management. In addition, several key management frameworks have been proposed specifically for the power system: single-key, key establishment scheme for SCADA systems (SKE), key management architecture for SCADA systems (SKMA), advanced key management architecture for SCADA systems (ASKMA), ASKMA+, and scalable method of cryptographic key management (SMOCK), to name a few. The choice of a framework relies on different criteria, including scalability, computational resource capability, and support for multicast. The authors conducted a comparison between the key management schemes listed above. The comparison was based on scalability, support for multicast, robustness to key compromise, and power system application. ASKMA+ and SMOCK show interesting results. ASKMA+ is an efficient key management scheme and it supports multicast, but it still suffers from scalability. SMOCK, on the other hand, shows good scalability; however, it has some weaknesses such as no support for multicast and low computational efficiency.

c) Device security
Device protection is the third crucial element in the supply chain of smart grid security. Many research papers and recommendation reports have been published contributing to security assurance for endpoints. In [1], several security technologies have been recommended, particularly host IDS, anti-virus, and host data loss prevention (DLP). Additionally, Kammerstetter et al. [48] recommended using an automated security compliance check. Such a tool performs a check against all smart grid components to verify that each device's configuration is up to date, especially the device's firmware and the current configuration file. As the smart grid components are highly connected and a weakness in one component can expose the entire system to risk, a compliance check is a crucial tool. In [49], McLaughlin et al. proposed a diversity technique for smart meter firmware to limit large-scale attacks. Using such a technique, an attacker can exploit a vulnerability of one device's firmware, but he or she cannot exploit the same vulnerability on other devices.

2) Under attack
This step is divided into two tasks: attack detection and attack mitigation. Several approaches and technologies can be used during each task, to detect the malicious activity and then deploy the appropriate countermeasures.

During attack detection, all the deployed security technologies are recommended, including SIEMs, DLP, and IDS [1, 18, 46]. But some of these solutions have a number of limitations and need improvements, particularly IDS. IDS is a widely used security system in IT networks, and it is also used in smart grid networks; but it has many performance limitations, especially reporting a high rate of false positives. Thus, many research papers have been published to improve IDS performance in the smart grid context [46, 50, 51]. Y. Kwon et al. [50] proposed an IDS-based approach for the IEC 61850 protocol. They used both statistical analysis and specification-based metrics. The experimental results showed that their approach could detect anomalies in large networks with low false positives. In [51], U. K. Premaratne et al. proposed an IDS for IEC 61850 automated substations. This rule-based IDS was developed by collecting data from simulated attacks on an IED. The result of the experiment showed that the IEC 61850 IDS was capable of detecting many attacks such as a DOS attack, a password cracking attack, and an ARP packet sniffer attack. Faisal M. et al. [18] proposed an IDS architecture for AMI based on stream mining algorithms. They conducted an experiment to compare seven existing state-of-the-art data stream mining algorithms: Accuracy Updated Ensemble, Active Classifier, Leveraging Bagging, Limited Attribute Classifier, Bagging using ADWIN, Bagging using Adaptive Size Hoeffding Tree, and Single Classifier Drift. Their comparison was based on several metrics including execution time, detection accuracy, and memory consumption. For the assessment they used an original version of the KDD Cup 1999 data set [52] and an improved version of it. The results showed that some algorithms do not require advanced computational resources, so they are suitable for an IDS in devices such as smart meters. Other algorithms have a high accuracy and require more computational resources; these algorithms can be used for the IDS in a data concentrator or in AMI headends [18]. Zhang Y. et al. [46] proposed a distributed intrusion detection system for smart grids (SGDIDS) based on an intelligent model. This model can be used at every level of the smart grid: home area network (HAN), neighborhood area network (NAN), and wide area network (WAN). The proposed IDS was based on data mining algorithms: support vector machine (SVM) and artificial immune system (AIS). To evaluate the efficiency of their solution, they used a simplified and improved version of the KDD Cup 1999 data set called NSL-KDD [53]. The combination of the two classifiers, SVM and AIS, produced satisfactory results in terms of detecting malicious traffic [46].

Once the attack is detected, mitigation can be executed using the following methods. S. Shapsough et al. [4] surveyed and summarized several methods used to mitigate DOS attacks, especially the pushback and reconfiguration methods. In pushback, the router is configured to block all the traffic coming from the attacker's IP address. In the reconfiguration method, the network topology is changed to isolate the attacker. For jamming attacks, Lu et al. [38] discussed anti-jamming schemes such as frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS) to mitigate attacks. Other mitigation techniques for buffer overflow, man-in-the-middle, CPU exhaustion, replay attacks, distributed denial of service (DDoS), and false data injection (FDI) were discussed in detail in [3, 27, 44].

3) Post-attack
When an attack is not detected, such as in the case of Stuxnet [8], the post-attack period is an important step. First, it is critical to identify the entity involved in the attack. Then, the IDS signatures, anti-virus database and security policies must be kept up to date by learning from attacks, in order to protect the smart grid against similar attacks in the future. Forensic analysis is the primary technique used during the post-attack phase. Smart grid forensic studies collect, analyze, and intercept digital data in order to identify the entity involved in the event. They are also useful to determine and address cyber and physical vulnerabilities of the smart grid in order to anticipate potential attacks. In addition, forensic analysis in smart grid plays an important role in the investigation of cyber-crimes such as hacking, viruses, digital espionage, cyber terrorism, manipulating the operation of the smart grid, violating the consumer's privacy, and stealing valuable information including intellectual property and state secrets [54].

Table II shows a summary of the cyber attacks in smart grid based upon the four steps: reconnaissance, scanning, exploitation, and maintaining access. Each step includes attack categories, attack examples, the component in the smart grid compromised by each attack, the impact of each attack, and the appropriate countermeasures. As we can see, most attacks can be avoided by using secure network protocols such as secure DNP3, and also by enabling encryption and authentication mechanisms.

V. CHALLENGES AND FUTURE DIRECTION
In heterogeneous systems such as smart grid, different devices coexist and communicate through various network protocols. This heterogeneity represents a great challenge and a potential threat for smart grid security. The communication between devices requires aggregation of data and translation between protocols. However, this aggregation can enable accidental breaches and vulnerabilities simply because a feature in one protocol could not be translated properly into another [4].
TABLE II: CYBER ATTACKS IN SMART GRID, THEIR IMPACTS AND COUNTERMEASURES

Attacking cycle step | Attack category | Attack example | Compromised application/protocol in smart grid | Compromised security parameter | Possible countermeasures
Reconnaissance | Social engineering | Traffic analysis [33]; Phishing [29]; Password pilfering [30] | Modbus protocol, DNP3 protocol | Confidentiality | Secure DNP3, PKI (SKMA, SMOCK), TLS, SSL, encryption, authentication [1, 7]
Scanning | Scanning (IP, port, service, vulnerabilities) | Modbus network scanning [25]; DNP3 network scanning [24] | Modbus protocol; DNP3 protocol | Confidentiality | IDS, SIEM [1]; automated security compliance checks [48]
Exploitation | Virus, worms, Trojan horse | Stuxnet [8]; Duqu [8] | SCADA, PMU, control device; SCADA | Confidentiality, integrity, availability, accountability | DLP, IDS, SIEM, anti-virus [1]; diversity technique [49]
Exploitation | Denial of service (DOS) | Puppet attack [15]; TDS [34]; TSA [35] | AMI; smart grid systems; PMU, smart grid equipment's GPS | Availability (instability of smart grid systems) | SIEM, IDS [1]; flow entropy, signal strength, sensing time measurement, transmission failure count, pushback, reconfiguration methods [4, 44]
Exploitation | Man-in-the-middle (MITM) | Eavesdropping attack [1, 33]; [17]; [36]; Intercept/alter [33] | HMI, PLC; SCADA; DNP3, SCADA; AMI | Confidentiality, integrity | Secure DNP3, PKI (SKMA, SMOCK) [7], TLS, SSL, encryption, authentication [1]
Exploitation | Replay attack | [1]; [33] | IED, SCADA, PLC; authentication scheme in AMI | Confidentiality, integrity | Secure DNP3, TLS, SSL, encryption, authentication [1], PKI (SKMA, SMOCK) [7]
Exploitation | Jamming channel | [38]; MAS-SJ [16] | PMU; CRN in WSGN | Availability | JADE, anti-jamming (FHSS, DSSS) [38]
Exploitation | Popping the HMI | [1] | SCADA, EMS, substations | Confidentiality, integrity, availability, accountability | DLP, IDS, SIEM, anti-virus [1]; automated security compliance checks [48]
Exploitation | Masquerade attack | [33] | PLC | Confidentiality, integrity, availability, accountability | DLP, IDS, SIEM, secure DNP3, TLS, SSL, encryption, authentication [1], PKI (SKMA, SMOCK) [7]
Exploitation | Integrity violation | [1]; FDI [40], [41] | Smart meter, RTU; EMS, SCADA, AMI | Integrity, availability | DLP, IDS, SIEM, secure DNP3, TLS, SSL, encryption, authentication [1], PKI (SKMA, SMOCK) [7, 45]
Exploitation | Privacy violation | [28], [42] | Demand response program, smart meters | Confidentiality | Secure DNP3, PKI (SKMA, SMOCK) [7], TLS, SSL, encryption, authentication [1]
Maintaining access | Backdoor | [43] | SCADA | Confidentiality, integrity, availability, accountability | IDS, SIEM, anti-virus [1]; diversity technique [49]

Furthermore, the majority of industrial network protocols used in smart grid, such as DNP3, ICCP, Modbus, and Profibus, were designed for connectivity and not for security purposes. Thus, these protocols not only cannot ensure a secure communication channel, but they may also be used as an attack surface. Though secure versions of some industrial protocols exist, such as secure DNP3, the problem with these new versions is their incompatibility with legacy installations [26].

In addition to network protocols, operating systems and physical equipment in smart grid may be vulnerable and expose the system to a wide variety of attacks. Since operating systems in automation control components are designed for control, they lack security features. Moreover, most of the physical devices are obsolete, whereas others have insufficient memory space and limited computational capacity, so they cannot support advanced security mechanisms. For instance, smart meters have limited memory and computational resources because they are designed for low power consumption, so they cannot support some important security mechanisms such as proper random number generators and cryptographic accelerators [55]. Although these components have less impact on smart grid operation, if they are compromised they represent a potential vector to compromise the whole system.

Security solutions such as IDS, firewalls, and encryption methods play a significant role in securing conventional networks. However, these mechanisms have many limitations and they are inappropriate for a distributed environment with different application requirements such as latency and bandwidth [13]. In addition, these solutions are unable to counter the newest types of cyber-attacks. Since cyber-attacks are becoming more blended, sophisticated, and complex, they are able to target multiple layers of a communication system at the same time. For example, as previously mentioned, Stuxnet [8] was able to vandalize an industrial control system by bypassing all the security boundaries, demonstrating that the security solutions deployed in those scenarios are unable to detect such an effective virus.

Furthermore, because there are several logical domains in smart grid (generation, transmission, distribution, markets, customer, and service provider), security requirements necessarily differ from one domain to another. For instance, in the generation domain denial of service (DOS) attacks need fast detection, which is not the case for the market domain, customer domain, or service provider domain. In addition, the transmission domain requires delay-efficient key management, whereas the market domain requires large-scale key management [7].

Therefore, rather than applying a simple security approach or deploying a specific security technology, we believe that smart grid cyber-attacks may be mitigated more effectively by combining several security mechanisms through a cyber security strategy. Such a strategy has several benefits, including addressing the system's vulnerabilities, detecting a number of cyber-attacks, deploying the appropriate countermeasures, and identifying the involved entity.

VI. CONCLUSION
Smart grid is a system composed of distributed and heterogeneous components to intelligently deliver electricity and easily integrate renewable technologies. However, this critical system suffers from a number of security weaknesses. In this paper, we provide a comprehensive overview of cyber-security in smart grid and investigate in depth the main cyber-attacks threatening its infrastructure, its network protocols, and its applications. In addition, we propose a strategy composed of several tools and mechanisms designed to address potential component vulnerabilities, detect malicious activities, enhance communication security in the network, and protect the customer's privacy.

REFERENCES
[1] E. D. Knapp and R. Samani, Applied cyber security and the smart grid: implementing security controls into the modern power infrastructure. Amsterdam: Elsevier, Syngress, 2013.
[2] N. Framework, "Roadmap for Smart Grid Interoperability Standards, Release 2.0 (2012)," NIST Special Publication, vol. 1108.
[3] D. B. Rawat and C. Bajracharya, "Cyber security for smart grid systems: Status, challenges and perspectives," in SoutheastCon 2015, pp. 1–6.
[4] S. Shapsough, F. Qatan, R. Aburukba, F. Aloul, and A. Al Ali, "Smart grid cyber security: Challenges and solutions," in International Conference on Smart Grid and Clean Energy Technologies (ICSGCE), 2015, pp. 170–175.
[5] X. Liang, K. Gao, X. Zheng, and T. Zhao, "A Study on Cyber Security of Smart Grid on Public Networks," in IEEE Green Technologies Conference, 2013, pp. 301–308.
[6] M. Essaaidi and others, "An overview of smart grid cyber-security state of the art study," in 3rd International Renewable and Sustainable Energy Conference (IRSEC), 2015, pp. 1–7.
[7] W. Wang and Z. Lu, "Cyber security in the Smart Grid: Survey and challenges," Computer Networks, vol. 57, no. 5, pp. 1344–1371, 2013.
[8] D. Kushner, "The real story of stuxnet," IEEE Spectrum, vol. 50, no. 3, pp. 48–53, Mar. 2013.
[9] P. Engebretson, The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier, 2013.
[10] S. G. I. Panel, "Guidelines for smart grid cyber security: Vol. 1, smart grid cyber security strategy, architecture, and high-level requirements, and Vol. 2, privacy and the smart grid, National Institute of Standards and Technology (NIST)," Interagency Rep, vol. 7628, 2010.
[11] W. Wang, Y. Xu, and M. Khanna, "A survey on the communication architectures in smart grid," Computer Networks, vol. 55, no. 15, pp. 3604–3629, 2011.
[12] A. Usman and S. H. Shami, "Evolution of communication technologies for smart grid applications," Renewable and Sustainable Energy Reviews, vol. 19, pp. 191–199, 2013.
[13] V. C. Gungor et al., "A survey on smart grid potential applications and communication requirements," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 28–42, 2013.
[14] A. Mahmood, N. Javaid, and S. Razzaq, "A review of wireless communications for smart grid," Renewable and Sustainable Energy Reviews, vol. 41, pp. 248–260, Jan. 2015.
[15] P. Yi, T. Zhu, Q. Zhang, Y. Wu, and J. Li, "A denial of service attack in advanced metering infrastructure network," in IEEE International Conference on Communications (ICC), 2014, pp. 1029–1034.
[16] K. Gai, M. Qiu, Z. Ming, H. Zhao, and L. Qiu, "Spoofing-Jamming Attack Strategy Using Optimal Power Distributions in Wireless Smart Grid Networks," IEEE Transactions on Smart Grid, pp. 1–1, 2017.
[17] P. Maynard, K. McLaughlin, and B. Haberler, "Towards Understanding Man-In-The-Middle Attacks on IEC 60870-5-104 SCADA Networks," in Proceedings of the 2nd International Symposium on ICS & SCADA Cyber Security Research 2014, pp. 30–42.
[18] M. A. Faisal, Z. Aung, J. R. Williams, and A. Sanchez, "Data-stream-based intrusion detection system for advanced metering infrastructure in smart grid: A feasibility study," IEEE Systems Journal, vol. 9, no. 1, pp. 31–44, 2015.
[19] D. Choi, S. Lee, D. Won, and S. Kim, "Efficient secure group communications for SCADA," IEEE Transactions on Power Delivery, vol. 25, no. 2, pp. 714–722, 2010.
[20] R. Radvanovsky and J. Brodsky, Handbook of SCADA/control systems security. CRC Press, 2013.
[21] D. Wei, Y. Lu, M. Jafari, P. M. Skare, and K. Rohde, "Protecting smart grid automation systems against cyberattacks," IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 782–795, 2011.
[22] V. C. Gungor et al., "Smart Grid Technologies: Communication Technologies and Standards," IEEE Transactions on Industrial Informatics, vol. 7, no. 4, pp. 529–539, Nov. 2011.
[23] R. Al-Dalky, O. Abduljaleel, K. Salah, H. Otrok, and M. Al-Qutayri, "A Modbus traffic generator for evaluating the security of SCADA systems," in 9th International Symposium on Communication Systems, Networks Digital Sign (CSNDSP), 2014, pp. 809–814.
[24] N. R. Rodofile, K. Radke, and E. Foo, "DNP3 Network Scanning and Reconnaissance for Critical Infrastructure," in Proceedings of the Australasian Computer Science Week Multiconference, New York, NY, USA, 2016, pp. 39:1–39:10.
[25] M. Bristow, "ModScan: a SCADA Modbus network scanner," in DefCon-16 Conf., Las Vegas, NV, 2008.
[26] E. D. Knapp and J. T. Langill, Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress, 2014.
[27] J. Liu, Y. Xiao, and J. Gao, "Achieving accountability in smart grid," IEEE Systems Journal, vol. 8, no. 2, pp. 493–508, 2014.
[28] J. Liu, Y. Xiao, S. Li, W. Liang, and C. P. Chen, "Cyber security and privacy issues in smart grids," IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 981–997, 2012.
[29] H. Holm, W. R. Flores, and G. Ericsson, "Cyber security for a Smart
[41] A. Anwar, A. N. Mahmood, and Z. Tari, "Identification of vulnerable node clusters against false data injection attack in an AMI based Smart Grid," Information Systems, vol. 53, pp. 201–212, Oct. 2015.
[42] Depeng Li, Zeyar Aung, J. Williams, and A. Sanchez, "P2DR: Privacy-Preserving Demand Response system in smart grids," in International Conference on Computing, Networking and Communications (ICNC), 2014, pp. 41–47.
[43] Y. Zhang, L. Wang, and Y. Xiang, "Power System Reliability Analysis With Intrusion Tolerance in SCADA Systems," IEEE Transactions on Smart Grid, vol. 7, no. 2, pp. 669–683, Mar. 2016.
[44] İ. Özçelik and R. R. Brooks, "Cusum - entropy: an efficient method for DDoS attack detection," in 4th International Istanbul Smart Grid Congress and Fair (ICSG), 2016, pp. 1–5.
[45] D. B. Rawat and C. Bajracharya, "Detection of False Data Injection Attacks in Smart Grid Communication Systems," IEEE Signal Processing Letters, vol. 22, no. 10, pp. 1652–1656, Oct. 2015.
[46] Y. Zhang, L. Wang, W. Sun, R. C. Green II, and M. Alam, "Distributed intrusion detection system in a multi-layer network architecture of smart grids," IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 796–808, 2011.
[47] Q. Li and G. Cao, "Multicast authentication in the smart grid with one-time signature," IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 686–696, 2011.
[48] M. Kammerstetter, L. Langer, F. Skopik, and W. Kastner, "Architecture-driven smart grid security management," in Proceedings of the 2nd ACM workshop on Information hiding and multimedia security, 2014, pp. 153–158.
[49] S. E. McLaughlin, D. Podkuiko, A. Delozier, S. Miadzvezhanka, and P. McDaniel, "Embedded Firmware Diversity for Smart Electric Meters," in HotSec, 2010.
[50] Y. Kwon, H. K. Kim, Y. H. Lim, and J. I. Lim, "A behavior-based intrusion detection technique for smart grid infrastructure," in IEEE PowerTech, 2015, pp. 1–6.
[51] U. K. Premaratne, J. Samarabandu, T. S. Sidhu, R. Beresh, and J.-C. Tan, "An intrusion detection system for IEC61850 automated substations," IEEE Transactions on Power Delivery, vol. 25, no. 4, pp.
Grid-What about phishing?,” in IEEE PES ISGT Europe, 2013, pp. 1–5. 2376–2383, 2010.
[30] Y. Yang, T. Littler, S. Sezer, K. McLaughlin, and H. F. Wang, “Impact [52] The KDD99 dataset available at :
of cyber-security issues on Smart Grid,” in 2nd IEEE PES International https://kdd.ics.uci.edu/databases/kddcup99/task.html
Conference and Exhibition on Innovative Smart Grid Technologies [53] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed
(ISGT Europe), 2011, pp. 1–7. analysis of the KDD CUP 99 data set,” in IEEE Symposium on
[31] F. Aloul, A. R. Al-Ali, R. Al-Dalky, M. Al-Mardini, and W. El-Hajj, Computational Intelligence for Security and Defense Applications .
“Smart grid security: Threats, vulnerabilities and solutions,” (CISDA), 2009, pp. 1–6.
International Journal of Smart Grid and Clean Energy, vol. 1, no. 1, pp. [54] M. Erol-Kantarci and H. T. Mouftah, “Smart grid forensic science:
1–6, 2012. applications, challenges, and open issues,” IEEE Communications
[32] E. Cole, Network security bible, vol. 768. John Wiley & Sons, 2011. Magazine, vol. 51, no. 1, pp. 68–74, 2013.
[33] F. M. Cleveland, “Cyber security issues for Advanced Metering [55] A. P. Fournaris, P. Kitsos, and N. Sklavos, “Security and Cryptographic
Infrasttructure (AMI),” in Power and Energy Society General Meeting- Engineering in Embedded Systems,” in Embedded Computing Systems:
Conversion and Delivery of Electrical Energy in the 21st Century, Applications, Optimization, and Advanced Design, IGI Global, 2013, pp.
2008, pp. 1–5. 420–438.
[34] A. Sargolzaei, K. Yen, and M. Abdelghani, “Delayed inputs attack on
load frequency control in smart grid,” in ISGT, 2014, pp. 1–5.
[35] Z. Zhang, S. Gong, A. D. Dimitrovski, and H. Li, “Time
Synchronization Attack in Smart Grid: Impact and Analysis,” IEEE
Transactions on Smart Grid, vol. 4, no. 1, pp. 87–98, Mar. 2013.
[36] I. Darwish, O. Igbe, O. Celebi, T. Saadawi, and J. Soryal, “Smart Grid
DNP3 Vulnerability Analysis and Experimentation,” in IEEE 2nd
International Conference on Cyber Security and Cloud Computing
(CSCloud), 2015, pp. 141–147.
[37] B. Alohali, K. Kifayat, Q. Shi, and W. Hurst, “Replay Attack Impact on
Advanced Metering Infrastructure (AMI),” in Smart Grid Inspired
Future Technologies, vol. 175, Springer International Publishing, 2017,
pp. 52–59.
[38] Z. Lu, W. Wang, and C. Wang, “From jammer to gambler: Modeling
and detection of jamming attacks against time-critical traffic,” in
Proceedings IEEE INFOCOM, 2011, pp. 1871–1879.
[39] M. Qiu, W. Gao, M. Chen, J.-W. Niu, and L. Zhang, “Energy Efficient
Security Algorithm for Power Grid Wide Area Monitoring System,”
IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 715–723, Dec.
2011.
[40] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against
state estimation in electric power grids,” ACM Transactions on
Information and System Security (TISSEC), vol. 14, no. 1, p. 13, 2011.

You might also like