IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO.
4, DECEMBER 2011
An Early Warning System Based on Reputation for
Energy Control Systems
Cristina Alcaraz, Member, IEEE, Carmen Fernandez-Gago, and Javier Lopez, Member, IEEE
AbstractMost of energy control or Supervisory Control and
Data Acquisition (SCADA) systems are very dependent on ad-
vanced technologies and on traditional security mechanisms for
protecting the a system against anomalous events. Security mech-
anisms are not enough to be used in critical systems, since they
can only detect anomalous events occurring at a certain moment
in time. For this reason it becomes of paramount importance
the usage of intelligent systems with capability for preventing
anomalous situations and reacting against them on time. This type
of systems are, for example, early warning systems (EWS). In this
paper, we propose an EWS based on Wireless Sensor Networks
(WSNs) (under the ISA100.11a standard) and reputation for con-
troling network behavior. The WSN are organized into clusters
where a cluster head (CH) is designated. This CH will contain a
Reputation Manager Module. The usability of this approach is also
analyzed considering a smart grid scenario.
Index TermsEarly warning systems, reputation, SCADA sys-
tems, smart grid, wireless sensor networks.
I. INTRODUCTION
A CCORDING to the conceptual model described by NIST
in [1], part of the functionality of a smart grid is associ-
ated to the remote control of power substations that ensure an
efficient energy generation and distribution to residential com-
plexes. The control is basically managed by a centralized system
known as Supervisory Control and Data Acquisition (SCADA)
system. Although this control form a unique entity, it has a spe-
cial influence on the rest of domains by supervising operational
activities and residential complexes.
However, this type of interaction among domains could
trigger in serious consequences when part of the control and
substations are disrupted. Then it is crucial to address problems
of the current SCADA systems to strengthen its architecture,
and thus to ensure a reliable and survivable smart grid. In fact,
most of the security mechanisms applied in SCADA systems
are not based so far on dynamic and autonomous procedures
where different entities with different complexities are inte-
grated in the same context. It is necessary to provide advanced
security mechanisms to individually protect domains, and thus
Manuscript received October 14, 2010; revised April 01, 2011; accepted
June 05, 2011. Date of publication November 09, 2011; date of current version
November 23, 2011. This work was supported in part by ARES under Project
CSD2007-00004, in part by SPRINT under Project TIN2009-09237), the
latter also cofunded by FEDER and the EU under the Information and Com-
munication Technologies (ICT) theme of the 7th Framework Programme for
R&D FP7) under Project NESSoS (FP7 256890). The work of C. Alcaraz was
supported by the Spanish FPI (Formacion de Personal Investigador) Research
Programme. Paper no. TSG-00161-2010.
The authors are with the Computer Science Department, University
of Malaga, 29071 Malaga, Spain (e-mail: [email protected]; mc-
[email protected]; [email protected]).
Digital Object Identifier 10.1109/TSG.2011.2161498
1949-3053/$26.00 2011 IEEE
827
protect the rest of the system as a whole. We agree with [2]
that part of this security must be focused on the prevention of
anomalous events and the preview of any significant change
that can cause a cascading effect over other domains of the
smart grid or over other critical infrastructures (CIs) [3]. For
this reason, we propose an intelligent early warning systems
(EWS) able to protect the substations as independent subdo-
mains, but indirectly protecting the rest of domains of a smart
grid when serious failures occur.
Unfortunately, up to date there are not specialized EWSs
for critical environments and therefore researching in this new
area is very much needed in order to protect the system against
anomalous events, failures or threats. The approach we present
in this paper tries to fill this lack. We introduce a model of
an EWS that covers this security aspect for energy control
systems. The approach is based on wireless sensor networks
(WSNs), able to perceive the real state of the infrastructure, on
reputation to control the real behavior of the control network
and on the ISA100.11a standard [4] for an efficient alarm
management. Moreover, the approach is able to detect specific
anomalous behaviors from sensor nodes, and in particular be-
haviors associated to compromised situations, such as a replay
or a delay attack.
The paper is organized as follows. Section II analyzes the
need of EWSs in highly critical energy scenarios and it identi-
fies the main components of them. Section III provides a back-
ground about WSN and reputation systems in WSNs and crit-
ical infrastructures. Section IV presents the general architec-
ture of our model, which includes a set of components, together
with their respective modules and functionalities. In Section V
our model is analyzed in a critical application context, such as
a smart grid, and in Section VI implementation details of the
model are given. Finally, Section VII concludes the paper and
outlines the future work.
II. EARLY WARNING SYSTEMS IN THE CASCADING
EFFECT CONTROL
The protection of critical infrastructures in our society such
as energy generation and distribution systems has been proven
of paramount importance. Some national and international ac-
tion plans and initiatives have already been proposed in order
to discuss some security issues related to critical infrastructures
protection (CIP). Even though modeling and simulation tech-
niques are feasible mechanisms to visualize the connectivity
among systems and assess risks, they are not enough to ensure
an effective control of a cascading effect. It would be desirable
to predict and anticipate anomalous situations, even before they
happen in order to react against them, reducing as much as pos-
sible risks and efforts in recuperation processes. These can be
solved with early warning systems (EWSs), specialized security
828
mechanisms that aid the protection of highly critical environ-
ments in early stages.
Unfortunately, EWSs are not yet considered by todays con-
trol industry. Its security currently depends on security policies,
access control mechanisms, security applications, and specific
detection systems, such as firewalls or intrusion detection sys-
tems (IDSs). At this point, we may think that an EWS is appar-
ently a security mechanism similar to an IDS, since both of them
can detect anomalous situations through patterns/rules. How-
ever, there is an important difference between them. An IDS is
only able to detect existing anomalous events, whereas an EWS
is able to predict and warn about them. An EWS consists of
an advanced monitoring component based on integrated tech-
niques that analyze and interpret data streams from distributed
sensors in remote energy substations. These techniques also in-
clude decision making procedures to avoid or reduce the prop-
agation of a possible effect originated by an anomalous event
[5]. To be more precise, the idea is not to precisely detect an ex-
isting failure/threat and subsequently correct it. The success of
an EWS depends on the ability to anticipate an event sequence,
as well as facing an anomalous situation to control the effect
over the system or systems.
Four main components constitute any EWS: i) a detection
component represented by sensorial nodes; ii) a reaction com-
ponent; iii) an information recollection component to store ev-
idences; and iv) an alarm management component. The reac-
tion component includes a process of decision making whose
determination will depend on the type of threat, the criticality
of the affected environment, the interaction with other involved
elements, the associated risk and the damage-cost relationship.
In any case, all of these components have to be active before,
during and after a failure/threat appears in the system. Before
in order to anticipate and warn about a set of suspected actions,
during in order to avoid that an effect starts to propagate itself
in the system, and after in order to control that such effect can
be propagated towards other systems.
III. BACKGROUND AND STATE OF THE ART
A. WSN, a Control, Reaction, and Warning Component
As mentioned earlier, an EWS has four essential components
associated to control/detection, reaction, recollection, and
warning tasks. A technology capable of offering all of these
services is precisely a WSN. Its nodes (called sensor nodes)
are able to monitor, detect, track, and alert anomalous situa-
tions thanks to its adhered sensors capable of sensing physical
events from their surroundings, as well as its computational
capabilities. They can also collaborate among them in order to
achieve a common goal (e.g., control of energy generators),
in addition to being self-configurable, self-healing, and smart
devices. This type of self-configurability allows sensor nodes to
adapt by themselves in the network and react against failures,
whereas self-healing provides them with capabilities for facing
unexpected network events.
WSN is currently considered as one of the most demanded
wireless technologies by the control industry and smart grid,
since it guarantees the same control services as a remote ter-
minal unit (RTU) but to a low installation and maintenance
cost [6]. Even this demand has implied the recent standarization
IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011
of their comunications with ZigBee PRO [7], WirelessHART
[8], and ISA100.11a. In this paper we will mainly focus on
ISA100.11a, since it is an extended version of WirelessHART
and it improves some of its services [6].
ISA100.11a allows both mesh and star topologies using: i)
sensor nodes (working at 26 MHz, RAM 96 KB, 128 KB Flash
Memory and 80 KB ROM); ii) routers; iii) gateways (one or
several working at 533 MHz, 64 MB RAM, and 8 MB Flash
memory) to establish redundant connection with the SCADA
center; iv) backbone routers to provide connectivity to other
networks; and v) two special managers: a system manager and
a security manager. The system manager is in charge of allo-
cating resources and providing communication, whereas the
security manager affords key management services. Moreover,
ISA100.11a is based on the IEEE 802.15.4-2006 standard,
which specifies the physical (PHY) and media access control
(MAC) layers for wireless personal area networks (WPANs),
providing it with security mechanisms based on AES-128 bits,
message authentication codes (MAC) and an access control
list (ACL) to authenticate any received message. In addition,
the standard provides security at link and transport level using
message integrity codes, and unique symmetric keys of 128
bits for solving confidential issues.
Lastly, ISA100.11a offers a set of services for guaranteeing
reliability of communications, diagnosis, and alert and priority
management. Specially, this priority management depends on
four subcategories (a device diagnostic, a communication diag-
nostic, a security alert, and a process alarm) and on five priority
levels (journal [02], low [35], medium [68], high [911], and
urgent [1215])). With respect to the dissemination from sensors
is managed through objects using Device Management Appli-
cation Process (DMAP). DMAP is a class individually installed
in each network device that includes a set of objects used for
configuring, supervising, and requesting parameters belonging
to sensor nodes. More precisely, DMAP contemplates the alert
reporting management object (ARMO) class for managing, at
first level, alerts and generating reports through an AlertReport
service to an alert receiving object (ARO). ARO is a class con-
figured in a unique device in the network (the gateway in our
case). All of these alert management objects will be discussed
in more detail throughout this paper given that they play an im-
portant role in our proposal.
B. Reputation and Trust Management for WSNs
Reputation and trust are related concepts, however they have
different meanings. Reputation is defined by the Concise Oxford
Dictionary as what is generally said or believed about a person
or the character or standing of a thing while trust is defined
as the firm belief in the reliability or truth or strength of an
entity. From these definitions we can infer that the concept of
reputation is more objective compared to the concept of trust.
For assuring a successful collaboration, a node should be able
to discover which neighboring nodes are more likely of accom-
plishing a certain task. If a node knows in advance how the dif-
ferent elements of the network will react in any situation, then
it will be able to make a flawless decision. However, in a WSN
the outcome of a certain situation cannot be clearly established
or assured. That is, we need to take uncertainty into account.
Trust and reputation systems aid dealing with the problem of
ALCARAZ et al.: AN EARLY WARNING SYSTEM BASED ON REPUTATION FOR ENERGY CONTROL SYSTEMS 829

uncertainty. In a collaborative environment such as WSN by

determining which is the best node to collaborate with becomes
very important. It is then when reputation plays a key role. By
knowing the reputation of nodes in their neighborhood and their
actual behavior, it is possible for the nodes to choose a suitable
course of action when making operational decisions (knowing
which is the best partner for starting a collaboration or in ex-
treme situations, e.g., malfunctioning nodes).
The development of trust and reputation management sys-
tems for WSN is in a very early stage of research although
growing rapidly in the past few years. Most of the existing works
are proper of ad hoc and P2P networks [9]. However, these sys-
tems do not fit all the requirements and features required by
WSN. As mentioned, this research area is becoming very active
and several surveys have been produced [10]. Still, many of the
solutions are designed with the purpose of solving very specific
problems and most of them do not deal with all the features that
a trust management system for WSN should provide although
they have been outlined in [11]. When designing a trust or rep- Fig. 1. General architecture of the model.
utation system for WSN important aspects that should be taken
into account are the sources of information and the way of com-
puting and modelling reputation or trust.
Reputation provides some interesting benefits to trust man-
agement systems (e.g., better management of aspects such as
aging). Some authors have proposed reputation-based frame-
works where nodes maintain reputation for other nodes and use
it in order to evaluate their trustworthiness. Probabilistic func-
tions are widely used as it is the case for [12].
The approach we are going to consider for the design of a
reputation system for EWS is the use of clusters. In fact, some
sensor networks group their nodes into clusters for various rea-
sons (e.g., better energy management or use of more powerful
nodes to execute complex tasks). The cluster head (CH) is in
charge of gathering and analyzing reputation values of the nodes
in its cluster and making event decisions. This is the case, for
example, of TIBFIT [13], a protocol that aims at detecting arbi-
trary node failures in an event-driven WSN where the nodes are
organized into clusters. Still, not all cluster-based systems place
the trust entity only in the CH, such as for example [14].
Fig. 2. Architecture of the cluster head.
IV. AN EARLY WARNING SYSTEM MODEL BASED ON
REPUTATION to include the reputation manager (RM in the following, see
Fig. 2). The RM will provide the gateway with information
A. The Architecture of the Model about the nodes in the EWS. The gateway contains an alarm
EWS could provide a good support for SCADA systems, as manager (AM in the following). This manager is in charge of
the actions of the latter might be influenced by the information dealing with the alerts received from the CH about nodes in the
provided by the EWS. Therefore, it is desirable to provide EWS EWS in order to determine the level of criticality of such an
with techniques that lead towards a good performance of the alarms. The AM sends to the SCADA center a SCADA alert in
SCADA systems. Our intention is to provide a reputation mech- order to be properly treated and registered (accounting), while
anism within the EWS in such a way that facilitates the deci- the most suitable operator in the affected area is also being lo-
sion making process once a warning (i.e., a SCADA alert) has cated. When the incidence has been finally treated by the se-
reached the SCADA system. lected operator, he/she has to send a report to the gateway to be
The general architecture of our model can be seen in Fig. 1. later on re-sent to the corresponding CH. Depending on the re-
Due to the energy and resource constraints of sensors in general, port, this last one will update the reputation of the sensor node
organizing sensor networks into clusters is a good approach for accordingly.
managing the existing resources. This hierarchical configura-
tion will allow us to select a cluster head (CH) in every cluster, B. The Cluster and Its Components
which will be a trustworthy node with enough resources to take Fig. 2 represents the components integrated into the CH
up essential functionalities of the EWS. In particular, it is going needed for implementing our EWS. At first, nodes, , in the
830
cluster send their messages [ (e.g., voltage streams) and
(e.g., anomalous events)] to the CH which first operates the
message normalization component to combine and represent
different data inputs in a same generic format. The result of
such a normalization is then sent to the pattern association
component in order to verify the nature of such a message.
This component must be based on simple patterns due to high
constraints of the networks devices, such as for instance values
(readings) out/in of a specific threshold (e.g., minimum and
maximum values for voltage ( ), as well as delayed
messages circulating in the network and/or replay attacks. Note
that lost messages that come from the same node can also mean
a possible delay attack. All of these situations and any alert
generated by a sensor node (such as circuit break, stresses,
strong fluctuations, routing, etc.) have to go through the RM
in order to aid the whole system to verify the real state of the
affected area.
These components have been integrated into the CH because
of three main reasons. Firstly, the control in these types of sub-
networks is generally simplified to a small number of nodes in
order to reduce the memory storage with information associated
to the subnetwork. Secondly, we believe that if traditional sen-
sors (working at 48 MHz, 416 KB RAM and 48128 KB flash
memory) are able to work as CHs, our CHs with higher capa-
bilities (working at 26 MHz, 96 kB RAM, 128 KB serial flash
memory, and 80 KB ROM) are equally feasible to process, cal-
culate and store information. Finally, part of the processing is
straightforward, since the approach has been designed for spe-
cific situations using basic behavior patterns and the calculation
of the reputations values is simple. Lastly, and given the dimen-
sion of our approach, we assume that the entire process of key
management and agreement between peers properly work using
the security mechanisms offered by the ISA100.11a. as well as
authentication and integrity services.
In the following we will concentrate on the functionalities
of two of the main components: the pattern association and the
reputation manager.
1) Pattern Association Component: The validation process
of a normalized message basically consists of checking if the re-
ceived message is really unique and recent. In order to achieve
this, a cache memory is needed (see Fig. 2). This memory
allows the system to check if a new message received from a
sensor node, was already received recently. In order to carry
out an efficient search in the cache the entries have to be ordered
by a specific and unique data, such as for instance the timestamp
corresponding to the received messages. It would also be desir-
able that the data stored in the cache memory are relevant and
simple information, at least, the identification of the node
, the timestamp of the message and the value associated to
the message (i.e., a , or ).
Another important task of the pattern association component
is also to verify that the messages were received in a valid time
period, i.e., in an expected time according to their timestamp.
This time is calculated as the difference between the real time
of the CH and the timestamp of the message, such
that the result a configurable value ac-
cording to its security policies. In case where is within
the expected time interval, the component has to check in the
cache memory if other recent message was already received
IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011
from the same node . The cache memory is ordered by the
timestamps what makes more efficient the search as it can be
achieved by tracking it using as primary identifiers the time-
stamp and the . For example, when the timestamp of the
message is greater than the timestamp of an entry in memory,
the search can be stopped in order to reduce computational over-
head.
The next step is to verify the message nature or sus-
pect actions such as lost of messages, delay attacks or
replay attacks. For the analysis, the new alert will have to
include, at least, the , the type of the alert and its pri-
ority, as well as the type of detected event, which could be
categorized as follows: event alert (any received from
a ), event reading out threshold (a ]),
event lost message, event delay attack, event replay attack,
and event discard node.
In order to control delay attacks, for each entry in the cache
memory a new column is also included storing in it two pos-
sible labels: event lost message/not event lost message. When
the component receives a lost message from an , it checks
in cache if such a node did not send another lost message re-
cently by using the label event lost message. This label is in-
cluded in the memory for the first time when a specific message
is detected as a lost message. On the contrary, when the compo-
nent receives an alert or a valid (i.e., ])
the component must also store them in the cache using the label
not event lost message for future queries. In the particular case
where a reading is valid, it must be filtered and aggregated by
the data aggregation component to be sent it to the gateway later
on. This last action is the main task of a CH. In the following,
we will formally describe by means of a pseudocode our model,
previously defining the functions used.
Obtain Normalized Message: it obtains normalized mes-
sages from the message normalization component.
Obtain Node: it obtains the .
Exist Memory: it tracks the cache in order to find an ex-
isting entry.
Exist Memory LostMessage: it tracks the cache to check
if an corresponding to a node already sent an
event lost message.
Send : it sends the normalized message to the RM in
order to validate the state of the node and the type of de-
tected event.
TReading: it verifies if the message is a .
TAlert: it verifies if the message is an .
Store Cache: it stores the messages in the cache and their
corresponding label (i.e., either not_event_lost_message or
event_lost_message).
Send Message DataAggregation: it filters and aggregates
data streams to be sent to the gateway.
Confirmation : it confirms the reception of the
message to the with an ACK (acknowledge packet).
Then,
;
;
if then
ALCARAZ et al.: AN EARLY WARNING SYSTEM BASED ON REPUTATION FOR ENERGY CONTROL SYSTEMS 831

. Part of this
if (Exist_Memory(message)) then //An expected time, information (such as or and type of event) is
; // a possible obtained from the information passed by the pattern associ-
replay attack ation component. is acquired from a simple reputation
else database. Concerning the parameter the most interesting
information contained in it (e.g., alert type, alert category, and
if ( AND
) then alert priority) for reputation purposes is the alert priority (low,
medium, high, urgent, etc.). In contrast, is the reputation
parameter of a node at time , and it is calculated by a
; reputation engine inside the RM. The entries that this engine
else takes into account in order to calculate reputation values are
; initial reputation, observations gathered by neighbor nodes and
secondhand information obtained from different iterations. The
;
parameter is a timestamp representing the cycle of time that
; passes by in between the node emitted an alert (and reported
if then it to the RM) until the reputation of the node is updated (see
//storage of alert, ACK and its transfer to the RM
Section IV-D).
Initially, all the nodes in a cluster behave in a trustworthy
;
way and therefore their initial value of reputation is the highest
else possible value. After the first iteration, when nodes come into
// storage of a reading, ACK and aggregation play, the RM can update the reputation values for each of them.
The RM generates a new alert using the ARMO class defined
;
by the ISA100.11a standard in order to send to the gateway the
end , the type of occurred event, its priority and the timestamp
end . It is important to highlight that depending on the type of
end event, the RM has to determine the criticality of it. In particular,
events associated to an undesirable minimum reputation value
else
(it corresponds to an event discard node, see Section IV-D),
//The message was received in an unexpected time. a out of the threshold (an event reading out threshold) and
//This may mean: (i) a lost message or (ii) a possible delay. a compromised node in the network (an event replay attack
;
or an event delay attack) must be labeled as an urgent alert,
since these cases represent serious situations that have to be at-
if ( then
tended on time. Furthermore, as the events event replay attack,
; event delay attack, and event discard node are associated to
else compromised behaviors of sensor nodes, a replace/reconfigu-
ration procedure of affected nodes is required in the network.
;
Only two of them are really managed by the RM. They are
; event alert and event reading out threshold. A register or
end warning of anomalous situations is needed for the rest of the
end events.
Four situations may arise in our critical context: 1) false pos-
The effectiveness of this approach for detecting delay and re- itive if the analyzed event by a node is innocuous, but it is clas-
play attacks will depend on the size of the cache. In addition, sified as a threat (failure/compromised node); 2) true positive,
the control of delayed or resent messages from a compromised if the analyzed event is properly classified as a threat (failure/
node simplifies the computational cost inverted in the aggrega- compromised node); false negative, if the analyzed event is a
tion tasks. This means that the CH is able to filter and aggregate threat (failure/compromised node) but the node classified it as
data streams from different nodes, but not repeated packets from normal/innocuous; and true negative, if the analyzed event is
a unique node. correctly classified as normal/innocuous. The levels of impor-
2) Reputation Manager: In this section we will introduce tance of these cases will serve as a basis for updating reputation
how reputation can be included as an input for the decision values by the RM (see Section IV-D).
making process for a WSN, part of an EWS. Our intention is
to design a reputation manager (RM) for aiding the CH deter- C. The Gateway and Its Components
mining which nodes in its cluster are not functioning properly The next step of our model is to analyze any type of alert re-
or are acting in a compromised way in order to leave them out of ceived from CHs. The analysis must be managed by the ARO
the network for certain actions. The CH is responsible of main- class which is configured in the gateway and uses an organized
taining the RM. queue ordered by priorities [4], and for each priority is used
After the information has gone through the message nor- a buffer with a maximum size (see Fig. 3). Depending on the
malization and the pattern association components (see queue and its priorities, two tasks can concurrently be executed:
Fig. 2), the following parameters are required by the RM: i) to send the alert to the SCADA central system; ii) to activate
832 IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011

report this fact to the gateway. The gateway will inform the
RM which then will increase the reputation of the node.
The operator determines that the type of alert priority that
the node initially reported is not as high as the node esti-
mated or it was even higher than the node estimated. Then,
this report is sent back to the RM which will decrease the
reputation of the node.
An important issue is how to decrease or increase the reputa-
tion values of a certain node, . This will depend on the alert
type priority the node reported and what the operator, who is
treating the alerts, determined about this alert.
When the reputation of a node reaches a certain threshold set
by the system as the minimum possible reputation value, the
node is discarded as useless for the cluster purposes. Let this
Fig. 3. Architecture of the ISA100.11a gateway. minimum threshold be denoted by . If for any node
in the cluster, then the node is discarded from
the operator location component when an alert is really crit- the cluster and no readings coming from it will be taken into
ical. The former task involves registering and occurred in consideration any longer.
the system, since they must be stored by the SCADA central The algorithm for updating reputation values for nodes is as
system. As the information has to be transmitted to the SCADA follows.
system through specific SCADA protocols under TCP/IP (e.g., Let us assume the number of nodes in the cluster is and
Modbus/TCP, DNP3, or IEC-104), the gateway must also act as is a sensor node in it, where . Let the alert priority re-
a special interface with capability for understanding and trans- ported by the node be denoted by and the alert priority
lating messages between different systems. For instance, IEEE reported by the operated be (see Section III-A for the
802.15.4 messages to Modbus/TCP messages and viceversa. In priority levels schema).
contrast, the latter task involves treating any type of critical in- At the initial time, is the maximum possible rep-
cidence (i.e., high/urgent ) and react against them on time. It utation to be given by the RM.
also involves location and warning to the closest field operator For at time the RM has received a report
so that he/she can approach the affected area and check the real back from the gateway stating how accurate the alert esti-
nature of the situation as soon as possible. To this end, the oper- mated by the node was. Then,
ator must previously know the and its localization, , If and then
in the area as well as the occurred event by using a handheld a false positive is produced and the RM decreases the
device. as , where is a weight that de-
As ISA100.11a defines statical networks, the can be pends on the . If then the
obtained from a simple and local database configured in the used weight should produce a reputation value that is
gateway. Note that this database must store, at least, the decreased with respect to the previous value. In case
and the . This type of design does not only allow locating that the , i.e., it is medium, the rep-
the node in the affected area in a short time, but also reducing utation value should decrease more than in the case
computational and memory overhead in CHs as well as com- where . For the other two cases where
munication overhead if was maintained by clusters. The or then the reputation value is
location of operators is outside of the scope of this paper. How- decreased more respectively.
ever, some attempts have been made in order to find the most If but then as
suitable operator in [15] based on reputation. it happened in the previous case the reputation of the
node is decreased by applying a weight . In this
case if a false negative is produced
D. Updating Reputation
and therefore the reputation of the node should decrease
After the alerts with types event alert and more by using an appropriate weight than the one used
event reading out threshold are treated by the AM, a when where a false positive is pro-
report is sent back to the RM regarding how accurate the duced.
estimation of the type of alert priority given by a node was. If is in the same interval of level priority than
This report will be used in order to update reputation. When then the reputation is increased by choosing
an alert reaches the SCADA center and an operator deals with an appthe weight should be chosen in such a way
it, he can deliver a report about the behavior of the node. The that the resulting reputation value increases.
operator is who determines the real priority of the alert. Let If the is journal, low or medium at time
the priority of the alert given by the operator, . Then, no action is taken but the RM keeps this record in a
two cases arise. temporal buffer. If at consecutive instances in time, i.e.,
The operator considers that the type of the alert priority was , the same node keeps producing
as critical as the node determined. This means the node the same type of alerts then a new message is generated
behaved in the right way and therefore, the operator will by the RM that informs about this situation and it is sent
ALCARAZ et al.: AN EARLY WARNING SYSTEM BASED ON REPUTATION FOR ENERGY CONTROL SYSTEMS
to ARMO. The kind of message sent will inform the
operator that the alert produced by node should be
checked. The operator then will determine whether the
alert is a false negative or a false positive and then the
RM will act as in the previous cases.
The process continues until . Then, the
node is discarded. In order to warn about this situa-
tion, the RM has to generate another new alert of type
event discard node with urgent priority.
V. AN APPLICATION CASE SCENARIO: SMART GRID
Given that an energy control system is part of a smart grid,
we can apply our approach to such a scenario. The idea is to an-
ticipate a response against a possible anomalous event in order
to reduce as much as possible its negative effect over the other
parts of the system as a whole. To this end, let us assume that
the model presented in Section IV is integrated into an electrical
remote substation, which is the main unit responsible for super-
vising, at first level, the energy generation and its distribution to
large residential complexes. The cluster heads, , are able to
identify five different cases.
1) Case 1: A receives an alert from a sensor, . For
example, a neighbor is not forwarding packages inter-
rupting thus the communication within the network.
2) Case 2: A receives a of voltage with value , from
and .
3) Case 3: A receives a with value , from a and
. At present, we are implementing our model using the de
4) Case 4: A receives the same message from a sev-
eral times given that this node is a compromised node
trying to carry out a replay attack. Note that a delay attack
is very similar to this particular case.
5) Case 5: A receives a message after from a .
This means that the message was lost in the network and it
was received in an unexpected time.
We will next analyze the above cases and the behavior of the
components involved in the EWS.
1) Cases 1 and 2. These cases correspond to an alert and a
normal situation, respectively. Here, the pattern associa-
tion component analyzes if the message delivered by is
a unique and recent message. Otherwise, the component
will have to validate if this unique message is an alert or a
valid reading. We will see the differences in between these
two cases next.
If the message is an alert then the pattern association com-
ponent performs as described in Section IV-B1 and send
it to the RM, which realizes the operations detailed in
Section IV-B2.
If the message is a correct measure of voltage then the As-
sociation Pattern component has to: i) store it in the cache
memory for recent and future analysis of events and ii)
send such a reading to the aggregation component in order
to aggregate a set of readings to the gateway.
2) Case 3. An anomalous situation happens: the association
pattern component analyzes if the voltage reading is a
unique and recent information from a by using the
information stored in the cache memory. In this case as
then the system determines that the
833
anomalous situation is possibly a circuit break. All these
information is forwarded to the RM in order to validate
the alert in an appropriate way. Then, a new alert of type
event reading out threshold is generated by the RM and
set as urgent. Again, as in the previous cases, the repu-
tation of nodes is updated as described in Section IV-D.
3) Cases 4 and 5. These two cases correspond to replay at-
tacks and lost of messages in the network, respectively.
The pattern association component analyzes that the mes-
sages are unique and recent (Case 4) and that the time-
stamp of the message is not over (Case 5). If the
message is not unique then it is forwarded to the RM in
order to generate a new alert of type event replay attack
with urgent priority. In contrast, Case 5 is associated to
finding an entry in the cache memory with the and a
label event lost message. If it is not found, it must be stored
in cache with label event lost message by the pattern as-
sociation component. Then, it is transferred to the RM in
such a way that a new alert of type event lost message with
low priority is generated. As this case is not really crit-
ical, this type of situation does not require a reputation up-
date process, but a register process in the SCADA central
system for future auditing or maintenance procedures. In
case that this action is repeated several times, a field oper-
ator will have to replace/reconfigure the node.
VI. IMPLEMENTATION DETAILS AND EXPECTED RESULTS
facto standard operative system for sensor nodes called TinyOS,
which provides limited support for network and protocol simu-
lations. For this reason, we are going to extend the simulations
to a proprietary testbed architecture with support for NesC
(component-based C-dialect [16]) and Java. This will allow
us to provide several experiments considering diverse (either
extreme or nonextreme) situations.
Although, we expect to obtain tangible results in the very near
future, we believe that a first approximation of the results will
be as follows.
1) Fast response and protection to the rest of domains of a
smart grid. A hierarchical configuration allows the system
to quickly locate an affected area and respond on time.
2) Safety and security. Safety in the control of the cascading
effect. This control is based on a detection and reputation
mechanism and on the use of a smart AM. With respect to
security, the system is able to identify compromised nodes
by means of reputation values.
3) Performance. The EWS ensures performance since part of
its logic is configured in the cluster heads and the gateway,
both of them with enough resources to carry out their tasks
of detection and alarm management, respectively.
4) Adaptability. Our model can equally work in an
ISA10011.a, a ZigBee PRO, and a WirelessHART
network, since all of them share certain topological,
structural, and functional characteristics.
5) Auditing and maintenance. The system is able to ensure
maintenance by identifying compromised nodes, in addi-
tion to offering relevant information to carry out efficient
auditing procedures.
834
VII. CONCLUSIONS AND FUTURE WORK
We have proposed an early warning system based on WSNs
using the ISA100.11a standard for alarm management and repu-
tation for controlling behaviors. This model consists of different
components that have been presented and their functionalities
have also been analyzed being the main ones the pattern associ-
ation component and the reputation manager.
Although different cases have been analyzed for a smart grid
scenario, the main idea of the proposed solution has been to pro-
tect the operational control domains to indirectly protect the en-
tire grid as a whole. Thanks to these analysis we have concluded
that WSNs playing as EWS are perfect candidates for offering
future solutions of EWSs. They provide the required ingredi-
ents for detecting, tracking, and alerting about evidences that
can produce a negative effect on the performance of a domain
with an impact on the entire grid, if they are not treated properly
in advance.
We are at an initial development phase but our intention is to
provide a complete implementation that shows its feasibility in
a real and critical context. Lastly and as future work, we intend
to research how to directly include all the logic of this approach
within sensor nodes. However, this will obviously depend on
the computational capabilities and resources offered by them,
which are still constrained. Likewise, a security analysis of the
approach will have to be performed in order to evaluate its in-
tegrity against existing and future faults.
REFERENCES
[1] NIST Framework and Roadmap for Smart Grid Interoperability Stan-
dards, Release 1.0, Jan. 2010, NIST Special Publication 1108.
[2] SIGiP, the Smart Grid Interoperability Panel. Introduction to NISTIR
7628 Guidelines for Smart Grid Cyber Security. Cyber Security
Working Group Sep. 2010 [Online]. Available: http://csrc.nist.gov/
publications/PubsNISTIRs.html, retrieved in Mar. 2011
[3] P. Peerenboom and R. Fisher, Analyzing cross-sector interdependen-
cies, in Proc. 40th Annu. Hawaii Int. Conf. Syst. Sci. (HICCS), 2007,
pp. 112119, IEEE Computer Society.
[4] Wireless Systems for Industrial Automation: Process Control and Re-
lated Applications, ISA100.11a. ISA-100.11a-2009.
[5] K. Walter and E. Nash, Coupling wireless sensor networks and the
sensor observation serviceBridging the interoperability gap, in
Proc. 12th Agile Int. Conf. Geographic Inf. Sci., 2009.
[6] C. Alcaraz and J. Lopez, A security analysis for wireless sensor mesh
networks in highly critical systems, IEEE Trans. Syst., Man, Cybern.
C, Appl. Rev., vol. 40, no. 4, pp. 419428, Jul. 2010.
[7] ZigBee ZigBee Technology, Sep. 2010 [Online]. Available:
http://www.zigbee.org/
[8] WirelessHART WirelessHART, Sep. 2010 [Online]. Available: http://
WirelessHART.hartcomm.org/
[9] M. Mejia, N. Pea, J. L. Muoz, and O. Esparza, A review of trust mod-
eling in ad hoc networks, Internet Res., vol. 19, pp. 88104, 2009.
[10] R. Roman, M. C. Fernandez-Gago, J. Lopez, and H.-H. Chen, Chapter
trust and reputation systems for wireless sensor networks, in On Secu-
rity and Privacy in Mobile and Wireless Networking. Leicester, U.K.:
Troubador, 2009.
IEEE TRANSACTIONS ON SMART GRID, VOL. 2, NO. 4, DECEMBER 2011
[11] R. Roman, C. Fernandez-Gago, and J. Lopez, Featuring trust and
reputation management systems for constrained hardware devices,
in Proc. 1st Int. Conf. Auton. Comput. Commun. Syst. (Autonomics
2007), Rome, Italy, Oct. 2007, vol. 302.
[12] F. Li, A. Srinivasan, and J. Wu, A novel CDS-based reputation mon-
itoring system for wireless sensor networks, in Proc. 28th Int. Conf.
Distrib. Comput. Syst. Workshops (ICDCS), Beijing, China, Jun. 2008.
[13] M. Krasniewski and B. Rabeler, TIBFIT: Trust index based fault tol-
erance for arbitrary data faults in sensor networks, in Proc. Int. Conf.
Dependable Syst. Netw. (DSN05), Washington, DC, pp. 672681.
[14] T. A. Zia, Reputation-based trust management in wireless sensor net-
works, in Proc. Intell. Sensors, Sensor Netw. Inf. Process. (ISSNIP),
Dec. 2008, pp. 163166.
[15] C. Alcaraz, I. Agudo, C. Fernandez-Gago, R. Roman, G. Fernandez,
and J. Lopez, Adaptive dispatching of incidences based on reputation
for SCADA systems, in Proc. 6th Int. Conf. Trust, Privacy and Secu-
rity Digital Business (TrustBus), Sep. 2009, vol. 5695, Lecture Notes
on Computer Science, pp. 8694.
[16] E. Brewer, D. Culler, D. Gay, P. Levis, R. Behren, and M. Welsh,
NesC: A programming language for deeply networked systems, 2004
[Online]. Available: http://nescc.sourceforge.net/, retrieved on March
2011
Cristina Alcaraz (M07) received the M.Sc.
and Ph.D. degrees in computer science from the
University of Malaga, Spain, in 2006 and 2011,
respectively.
Her research activities are mainly focused on crit-
ical information infrastructure protection, and more
precisely on secure monitoring of critical infrastruc-
tures, security of SCADA systems and smart grids, as
well as the use of wireless sensor networks for pro-
tection of critical systems.
Carmen Fernandez-Gago received the Ph.D.
degree in computer science from the University of
Liverpool, U.K., in 2004.
She was with the University of Liverpool as a
Researcher. She is currently a Postdoctoral Research
Assistant in the Security Division of the Depart-
ment of Computer Science at the University of
Malaga, Spain. Her main research interests are the
development of trust and reputation models and its
applications. She has published several research
papers in this area and is also organizing some
international events on this topic.
Javier Lopez (M96) is a Full Professor in the Com-
puter Science Department, University of Malaga,
Spain, and Head of the Network, Information and
Security (NICS) Laboratory. His activities are
mainly focused on network security and critical
information infrastructures protection, leading
a number of national and international research
projects in those areas, including projects in FP5,
FP6, and FP7 Framework Programmes. Prof. Lopez
is the Co-Editor-in-Chief of International Journal
of Information Security (IJIS) and Spanish repre-
sentative in the IFIP Technical Committee 11 on Security and Protection in
Information Systems. He is a member of the Editorial Board of, among others,
Computers & Security, Wireless Communications and Mobile Computing,
Computer Communications, Journal of Network and Computer Applications,
and International Journal of Communication Systems.