J. Bryan Lyles Jason Carter ORNL/Cyber and Information Security Research Cliques – CRL-less Revocation and (Anonymous) Authentication for the Smart Grid Cybersecurity for Energy Delivery Systems Peer Review December 7-9, 2016

Summary: Project Title Objective Fast revocation of certificate- based authorizations in pub/sub - Open Field Message Bus (OpenFMB) - controlled micro-grids Schedule June 2016 to Sept 30, 2017 Design approach document Dec 31, 2016 TBD demonstration developed in conjunction with Duke Energy August 2017 Insert Image Performer: ORNL Partners: Duke Energy, Infineon Federal Cost: $385K Cost Share: Total Value of Award: $ $385K Funds Expended to Date: % 13

Advancing the State of the Art (SOA) Current state of the art is single certificate combining both identity and authorization. Revocation is via Certificate Revocation Lists (CRL/rfc2459/rfc5280) or the Online Certificate Status Protocol (OCSP/rfc2560/rfc6960) Certificate revocation via these mechanisms imposes high network overheads, is poorly supported, and is subject to denial of service attacks. Cliques separates node identity (“serial number”) from the attestation of a node’s authorized actions. This allows long-lived identity certificates to be installed at depot while ensuring that authorizations can be rapidly changed. Cliques is investigating the use of two techniques for authorization and authorization revocation: very short lived certificates and short group signatures. The research questions are related to assessment of these established technologies against network overhead, latency and application domain constraints.

Advancing the State of the Art (SOA) Asset owners will be able to securely and rapidly revoke authorizations of multiple devices in short time windows. They will also be able to rapidly and securely provision service changes requiring modification of authorizations. Assessment of approaches is being done in the context of bandwidth constraints associated with cellular backhaul. Cryptography is one of the foundations of cybersecurity. Whether in the Internet, the data center, or in the electrical grid managing the keys is the subject of ongoing research. See the discussions at conferences such as USENIX Enigma for illustrations.

Challenges to Success OpenFMB standard security proposals are evolving with the IIoT and control system requirements Coordination with Duke Energy’s team interfacing with standards community. ORNL’s ongoing effort in Grid Modernization has OpenFMB contact. Various proposals exist regarding the appropriate layer to standardize security Use emphasis on interoperability of vendor products and on the ability to evolve installations to inform discussions. Required cryptography may be too computationally intensive for embedded processor Use partnership to ensure that it is possible to build cheap, secure cryptographic chips capable of handing computational load.

Progress to Date Major Accomplishments Project started June 2016 Engagement with partners during summer and fall. Currently engaged in technology review and selection of candidate approaches in preparation for end of December milestone.

Collaboration/Technology Transfer Plans to transfer technology/knowledge to end user Duke Energy, Emerging Technology Office is providing grounding in use cases and is deeply involved in the OpenFMB standard. We will provide the technical material needed for Duke Energy to evaluate the proposed approach and present it to relevant standards bodies. Infineon is a leading manufacturer of highly secure cryptographic chips. They provide the cryptographic hardware for most of the set top boxes in the world – a market where a security breach would cost content owners 100s of millions of dollars. Given project budget constraints and standards committee reality, we expect that our partners will utilize their existing activities and contacts to drive incorporation into industrial practice. Demonstration of technology approach on Duke Energy Mt Holly microgrid simulator.

Next Steps for this Project Approach for the next year or to the end of project Complete study of potential cryptographic approaches, gain Duke Energy agreement on approach, verify longer term implementation considerations with Infineon, and document concept of operation by end of December 2016. Develop plan for concept demonstration on Duke Energy Mt. Holly facility breadboard by end of February 2017. Complete and demonstrate concept August 2017. Document project Sept 2017. Provide documentation to Duke Energy for potential standards engagement as requested.

Problem Statement Duke Energy and others are basing grid and microgrid management system architectures on a publish/subscribe paradigm, a many-to-many architecture. In these architectures keys for symmetrical cryptography are deeply vulnerable due to potentially wide distribution. Public key systems are significantly less vulnerable but require that invalid or compromised keys be revoked, a technical and implementation area that is of deep concern in the current Internet. Nodes in a microgrid could potentially have multiple roles and authorizations. Moreover, while node mobility is rare to non- existent, roles and authorization may change and node compromise is always a possibility. Field provisioning of certificates by technicians is undesirable. Within these constraints, how do we “quickly” and securely provision and revoke public key based authorizations.