1930

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008

A Security Mechanism of Web Services-Based Communication for Wind Power Plants

Nian Liu, Jianhua Zhang, Member, IEEE, and Wenxia Liu
AbstractThe IEC 61400-25 standard has dened the mapping of wind power-plant information model to web services (WS). Ensuring the security of WS-based communication for wind power plants is an unsolved problem. WS-Security is a standard used to deal with the security requirements in applications of web services, while the username/password and X.509 certicates are security tokens most commonly used in electric power utilities. We propose a security mechanism that deals with the requirements of authentication, integrity, nonreputation, and condentiality across the communication process based on WS-Security and the two security tokens. The security mechanism is implemented by an extension of simple object-access protocol message, design of the security agent, and the related security message-processing algorithm. An instance is modeling based on IEC 61400-25 to demonstrate the security-enhanced remote control of wind power plants. The result supports the usefulness of the security mechanism for WS-based wind power plants communication. Index TermsCommunication system, cybersecurity, IEC 61400-25, web services (WS), wind power plant.

I. INTRODUCTION HE multi-megawatt (MW) wind power plants are increasingly and actively participating in the operation of transmission systems, and wind power generation has a great inuence on power system operation due to such issues as frequency and voltage variations [1][3]. In this case, the monitoring and control of wind power plants have become a vital part of power system operation [4][7]. Furthermore, the strategically distributed nature of wind power presents unique challenges. Generation is not centralized and is generally remote, sometimes offshore, and often covers large geographic areas [8]. These factors usually require a variety of networked interconnections and telecommunication technologies for monitoring and control of wind power plants [8], [9]. Therefore, efcient and reliable communication is important for wind power plants. As a consequence, IEC 61400-25 is proposed to provide a uniform communication basis for the monitoring and control of wind power plants [10][13]. The major communication mapping dened in IEC 61400-25 is based on WS. The simple object-access protocol (SOAP) is used to transfer the data. This ensures that different clients and environments can be used. Object-oriented data structures can make the engineering
Manuscript received December 6, 2007; revised January 20, 2008. First published July 9, 2008; current version published September 24, 2008. Paper no. TPWRD-00791-2007. The authors are with the Key Laboratory of Power System Protection and Dynamic Security Monitoring and Control Under Ministry of Education, North China Electric Power University, Beijing 102206, China (e-mail: nian_liu@163. com). Digital Object Identier 10.1109/TPWRD.2008.923521

and handling of large amounts of information provided by wind power plants less time-consuming and more efcient. The use of the a information technologies provides the benets of low implementation cost and ease of interoperability, but also introduces the potential for cybersecurity vulnerabilities [8], [10], [12], [14]. The cybersecurity intrusion of a power system is not a tale but also comes true in the real world. According to the study on cyber vulnerabilities of control systems to unauthorized access by [15], [16], there have been tens of events that result in damage occurring in electric power control systems for transmission, distribution, and generation. Research needs and requirements related to the cybersecurity of power utilities and control systems have been widely discussed, and some practical methods are reported [16][24]. Security requirements of communication for wind power plants are specied in IEC 61400-25-3, but how they are handled specically is completely up to the individual supplier and implemented with the communication protocols [12]. However, web services (WS)-based communication for wind power plants is a new emerging technology, in which few studies have been conducted for security. In IEC 61400-25-4, a simple security mechanism based on username/ password is introduced, but this method is weak in the security level, and cannot provide additional protections of condentiality, integrity, and nonreputation [13]. A common way of achieving security is relying on a secure transport layer or network layer, which typically includes secure socket layer (SSL), transport layer security (TLS), and IP security (IPSec). Especially, TLS is recommended to secure TCP/IP-based communication for supervisory control and data acquisition (SCADA) and telecontrol in IEC 62351-3 [25]. Apart from the fact that these techniques provide security only in a secure channel (and not in les or databases), it does not correspond with the WS architecture in which the intermediaries can manipulate the messages on their way. Once using a secure transport layer, intermediaries are not able to control the messages [26], [27]. For the same reason, IEC 62351-3 also species that security must follow progress and update to better solutions when available [25]. The WS-Security standard for web services was ratied by Advancing Open Standards for the Information Society (OASIS) in 2004. The standard describes enhancements for the SOAP message in order to provide security foundation for applications based on WS [28]. The security mechanisms of some existing applications, such as the digital factory, e-mail system, enterprise services system, trust management, etc., are developed in accordance with WS-Security, but cannot be applied directly to wind power plants communication [29][32].

0885-8977/$25.00 2008 IEEE

LIU et al.: SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS

1931

TABLE I SECURITY REQUIREMENTS OF DIFFERENT COMMUNICATION STEPS

B. Security Requirements The information-exchange model provides services that are grouped as operational functions and management functions. The security requirements of these two functions include [12]: 1) authentication: determining the identity of the user/client; 2) authorization and access control: ensure that the entity has the correct proper access; 3) integrity: messages and the computer infrastructure are protected against unauthorized modication or destruction; 4) condentiality: objects of the wind power-plant information model are protected and only disclosed to appropriate users/clients; 5) nonrepudiation: preventing a user/client involved in a data exchange from denying that it participated in the exchange; 6) prevention of denial of service: preventing a client/server from blocking access to authorized users. In the aforementioned requirements, authorization and access control can be solved by the privilege management and accesscontrol model, the methods introduced in [21] and [22] are useful for IEC 61400-25-related devices of wind power plants. The prevention of denial-of-service needs to deploy suitable defensive measures on a crucial access point of communication. There have been efcient products developed on the cybersecurity domain. Other requirements, including authentication, integrity, condentiality, and nonrepudiation, should be individually designed combined with communication process and WS. In Fig. 1, the communication process of wind power plants can be divided into three steps: Step 1) associate; Step 2) data exchange; Step 3) release. Each step has different security requirements, listed in Table I. III. WS-SECURITY AND THE SECURITY TOKEN A. WSSecurity According to security requirements of web services, WS-Security dened the security expanding method for SOAP message exchange. The standard is published by OASIS, which provides the security foundation for applications of WS [28]. B. Commonly Used Security Tokens for Electric Power Utilities A security token represents a collection (one or more) of claims. It is the basic element for authentication, encryption/ decryption, integrity, and nonrepudiation. The security tokens most commonly used in electric power utilities include:

Fig. 1. Communication model for wind power plants dened in IEC 61400-25.

In this paper, we propose a security mechanism based on IEC 61400-25 and WS-Security to secure the WS-based communication for wind power plants. The content of this paper is organized as follows. Section II analyzes the WS-based communication model for wind power plants and the related security requirements. Section III briey describes the WS-Security standard and security tokens commonly used in electric power utilities. Section IV presents designing principles of the security mechanism. In Section V, two schemes of the security mechanism are designed based on different security tokens and WS-Security. Section VI provides the implementation method, including the security extension of SOAP message, design of security agent, and algorithms for security information processing. In Section VII, a control instance for the wind turbine of a wind power plant is modeled and analyzed to demonstrate the efciency of the security mechanism. Finally, conclusions are given in Section VIII.

II. ANALYSIS OF COMMUNICATION MODEL AND SECURITY REQUIREMENTS A. Communication Model IEC 61400-25 denes a communication model for monitoring and control of wind power plants, the modeling structure is similar to IEC 61850, which comprises three separately dened parts (see Fig. 1): wind power-plant information model [11], information-exchange model [12], and mapping the wind power-plant information model and the information exchange model to standard communication proles [13]. For mapping to WS, the information exchange between SCADA and wind power plants is based on SOAP message. The mapping process is that the services dened in abstract communication service interface (ACSI) [33] associated with EXtensible Markup Language (XML) elements in SOAP body.

1932

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008

TABLE II SYMBOLS USED BY THE SECURITY MECHANISM AND RELATED EXPLANATIONS

Fig. 2. Designing principles of the security mechanism of communication for wind power plants.

1) username/password: a widely used, basic authentication function for almost all information systems, but the degree of security is weak, with insecurity risks when directly used; 2) X.509 certicates: solve the authentication, integrity, condentiality, and nonrepudiation based on the technology of public-key cryptography. The disadvantage is that the applications must be deployed on the support of the public key infrastructure (PKI) which needs more investments. IV. DESIGNING PRINCIPLES FOR THE PROPOSED SECURITY MECHANISM For aforementioned presentation and analysis, the designing principles are outlined as follows (see Fig. 2). 1) They can satisfy the requirements with the communication process, including authentication, integrity, condentiality, and no-repudiation. 2) Integration with the mapping to WS, without any changes to standard SOAP messages. 3) They should be in conformance with the WS-Security standard. 4) The security tokens commonly used in electric power utilities are important and must be taken into consideration.

A. Scheme ISecurity Mechanism Based on Username/Password 1) Associate: associate request

associate response

In the beginning, initializes an associate request to , and then authenticates the identity of from the request message. The security token based on username/password is formulated as

V. DESIGN OF THE SECURITY MECHANISM Considering the security tokens commonly used in electric power utilities, the security mechanism is divided into two schemes based on the username/password and X.509 certicate, respectively. In scheme I, symmetric cryptographic algorithm and message authentication code (MAC) are introduced to mitigate the weakness of the username/password token on the degree of security. In scheme II, the symmetric cryptography is used for encryption and decryption of sensitive contents in messages, public-key cryptography is used for delivering the symmetric session key and signing the messages. The symbols used for security mechanism and the related explanations are presented in Table II.

(1) where and are the additional elements to resist against the reply attack; is a 128-b randomized value, which is used for the deviation of the symmetric key on signature and encryption/decryption; is the digest value of , calculated by

(2) is the original message of the associate request. To ensure the integrity and no-reputation, generates a signature for , represented as (3)

LIU et al.: SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS

1933

is derived from length of 160 b, as follows:

and

has a

It is important to ensure integrity and nonreputation in the release step. The signature contents include and the time stamps. B. Scheme IISecurity Mechanism Based on X.509 Certicate 1) Associate: Associate request

(4) is also used for encryption and decryption in data-exchange steps, the key length of the selected symmetric cryptography should be lower than 160 b (e.g., AES-128). from , retrieves the After receiving the by corresponding from the local databy (2), and combase, then calculates the , authenticates s identity as pares it with being equal or not. is calculated by (4) to verify the validity Furthermore, of signature, ensuring the message is sent from authorized user and without unauthorized modication or destruction. After verication, sends an associate response message to , including a signature of to ensure the integrity and nonreputation (5) 2) Data Exchange: request Associate response

is the X.509 certicate of C (7) The signature algorithm is , represented as

(8) is encrypted by sented as , and s public key is repre-

(9) to auAfter receiving the associate request, checks thenticate s identity, and then veries the integrity, nonreputation and freshness of the request message. Finally, uses private key to decrypt , which is prepared for encryption and decryption in data-exchange steps. If all of the verications are passed, sends an associate response to , which includes a signature of and time stamp, as (8). 2) Data Exchange and Release: The message structures of these two steps are consistent with scheme I, but the signature algorithm is the same as (8). For example, the signature of can be represented as

response

In this step, the mechanism needs to deal with the requirements of integrity, condentiality, and nonreputation. Due to the wide and various types of services, to introduce the problem uniand are used for formal represenversality, tation of services. To protect against the reply attack, the contents of the signature should include original messages and the time stamps, while the contents of encryption only include the rst one. The signature algorithm is same as (5), and the encryption/ decryption algorithm is AES-128 (6) 3) Release: release request

(10) Furthermore, the encryption algorithm is same as (6). C. Comparison of the Two Schemes The comparison between the two schemes is shown in Table III. To deal with the security requirements, Scheme I actualizes encryption and signature functions, which based on username/password, can also be easily applied. Scheme II can provide much stronger protection for communication, but the related computation demand of the system resource is much higher due to the computation complexity of public-key algorithms. Therefore, the two schemes should be carefully selected according to the application environment.

release response

1934

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008

TABLE III COMPARISON OF THE TWO SCHEMES

The communication for wind power plants has some performance requirements on data transfer. According to IEC 61400-25, the concrete time demands should follow the type of applications. As a comparison with the communication of substation automation system, the message types of communication for wind power plants belong to type 2, 3, 5, and 7, which are dened in IEC 61850-5 [34]. From the former analysis [21], it is obvious that the algorithms used in this paper can meet the real-time requirements. VI. IMPLEMENTATION OF THE SECURITY MECHANISM A. Message Extension Based on WS-Security Structure of original SOAP message for wind power plants is not enough to handle security token and other security properties. The extension principle is to add security elements without any changes of services mappings dened in IEC 61400-25-4. According to WS-Security, the <Security> element is inserted into SOAP head to provide additional security information. The structure of the extended SOAP message is shown in Fig. 3. 1) SecurityToken. The element is used for authentication, along with the resource for encryption/decryption and signature/verication, including Username/Password and the X.509 certicate. 2) Signature. Provide integrity and nonreputation for messages based on MAC or public-key signature algorithms. 3) EncryptedKey. Encryption of symmetric key for data exchange steps, only applied in scheme II. 4) EncryptedData. Encryption of the monitoring or control data for wind power plants used in data-exchange steps. B. Design of Security Agent To implement the security mechanism, the security agent (SA) with functions of XML encryption, signature, process of security attributes and authentication information are designed, and sets on both communication sides. The structure and functions of SA are shown in Fig. 4. 1) Process of authentication information. Add security token in <security> element or authenticate the senders identity by received security token. 2) Process of additional security attributes. For the purpose of protecting against reply attack, man-in-the-middle attack, generate and verify the security factors including time stamp, randomized value, etc.

Fig. 3. Structure of security-extended SOAP message.

Fig. 4. Structure and functions of the security agent.

3) Encryption/decryption. Encrypt or decrypt the request/response messages based on XML encryption [35]. 4) Signature/verication. Sign or verify request/response messages based on the XML signature [36]. C. Processing Algorithm of Security-Extended SOAP Message 1) SA of senders side a) Insert a <security> element to SOAP head of original message generated by the sender, and prepare the additional security attributes for the following related steps. b) Processing authentication information for associate step: generate <UsernameToken> by (1), or <BinarySecurity Token> by (7) according to users security token type, then insert it into the <security> element.

LIU et al.: SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS

1935

Processing encryption for the data exchange or associate step: if using scheme I, generate <EncryptedData> element by (4); otherwise, generate <EncryptedKey> and <EncryptedData> by (9) and (6), respectively. d) Processing signature for messages in all steps: if using scheme I, generate <Signature> element by (3); otherwise, by (8) or (10). 2) SA of receivers side a) Receiving the security message from the SA of the senders side, check the message including <Security> element or not. b) Processing authentication information for the associate step: verify the validity of security token in <UsernameToken> or <BinarySecurityToken> by the scheme type. c) Processing verication for messages in all steps: check the message if it is sent from the validity user and without any unauthorized modication or destruction. d) Processing decryption in data exchange or associate steps: decrypt monitoring or control data from <Encrypted Data>. VII. CASE STUDY An application example of the remote control of wind turbines is modeling to explain the usefulness of the security mechanism. In Fig. 5, a wind turbine wt1 of wind power plant WPP1 is modeled based on IEC 61400-25. The logical node

c)

Fig. 5. Modeling of the instance system.

TABLE IV WIND TURBINE REMOTE CONTROL STEPS OF THE INSTANCE SYSTEM

wt1WTUR represents general information of wt1. The control is operated by setting the attributes of the data object SetTurOp to start or stop wind turbines. For example, setCm represents the setting state of control commands (e.g., ON, OFF, or AUTO), actStt represents the current operation state of wind turbine, and is the time stamp of the current state. From associate to release, the control process of a wind turbine includes four steps, shown in Table IV. The control model is SBO control with normal security [15].

1936

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008

1) LogonRequest. <S11:Envelope xmlns:S11=. . . xmlns:m=http://www.iec.ch/61400-25/2004> <S11:Body> <m:LogonRequest> <m:Username>Keld<m:Username/> <m:Password>whatelse <m:Password/> </m:LogonRequest> </S11:Body> </S11:Envelope> Fig. 6. Security-enhanced communication for wind turbine control of the instance system. 2) message 1-security extension of LogonRequest. <S11:Envelope xmlns:S11=. . . xmlns:wsse=. . . xmlns:wsse11=. . . xmlns:wsu=. . . xmlns:ds=. . .> <S11:Header> <wsse:Security> <wsse:UsernameToken wsu:Id=UT001> <wsse:Username> Keld </wsse:Username> <wsse:Password Type=. . .#PasswordDigest wsu:Id=PW001> weYI3n. . . </wsse:Password> <wsse:Nonce>WScqanj. . .</wsse:Nonce> <wsu:Created>2007-11-16T01:24:32Z</wsu:Created> <wsse11:Salt> AscwfqtP. . .</wsse11:Salt> </wsse:UsernameToken> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm=http://www.w3.org/2001/10/ xml-exc-c14n#/> <ds:SignatureMethod Algorithm=http://www.w3.org/2000/09/ xmldsig#hmac-sha1/> <ds:Reference URI=# SB001> <ds:DigestMethod Algorithm=http://www. w3.org/2000/09/xmldsig#sha1/> <ds:DigestValue>LyLsF0Pi4wPU
...

The security mechanism for each control step is executed from side to side. As the request message issued from client C, SAc processes and resends it on the security extended type to SAs, and then SAs is obligated to process it and obtain the original request message; nally, deliver the message to S. The response from S to C is an inverse procedure of request. In Fig. 6, the messages exchanged between C to SAc and SAs to S are the standard type dened in IEC 61400-25-4. In contrast, the messages exchanged from SAc to SAs are on the security extended type. The messages of step 1 to 8 are formulated as follows, as shown in the equation at the bottom of the previous page. Messages 1 and 2 belong to the associate step, and the security . token that is used in the associate request is Messages 3 to 6 belong to the data-exchange step. First, Select service selects the object data WPP1\wt1WTUR\SetTurOp in message 3 and 4. Second, Operate service sets the attribute setCm=on of selected data object to start the wind turbine. Messages 7 and 8 belong to the release step; the control process is nished after release. VIII. CONCLUSION In this paper, a security mechanism based on the WS-Security standard and two types of commonly used security tokens are proposed to ensure the security of communication for wind power plants. On the extension of the SOAP message for security properties and deployment of security agents on both communication sides, the security mechanism is implemented without any changes in the original SOAP messages dened in IEC 61400-25-4. The security requirements are derived from IEC 61400-25, and the design is consistent with existing applications of electric power utilities and an information security standard. Consequently, the security mechanism is applicable for monitoring and controlling communication for wind power plants. APPENDIX Typical SOAP messages of the case study are presented as follows.

</ds:DigestValue>

</ds:Reference> </ds:SignedInfo>

LIU et al.: SECURITY MECHANISM OF WS-BASED COMMUNICATION FOR WIND POWER PLANTS

1937

<ds:SignatureValue>DJbchm5gK. . .</ds: SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI=# UT001/> </wsse:SecurityTokenReference>

<ds:SignedInfo> <ds:CanonicalizationMethod Algorithm=http://www.w3.org/2001/ 10/xml-exc-c14n#/> <ds:SignatureMethod Algorithm=http://www.w3.org/2000/09/ xmldsig#hmac-sha1/> <ds:Reference URI=# SB003>

</ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id=SB001> <m:LogonRequest> <m:Username=Keld/> <m:Password> <wsse:Reference URI=# PW001/> </ds:Signature> </m:Password> </m:LogonRequest> </S11:Body> </S11: Envelope> 3) OperateRequest. <S11:Envelope xmlns:S11=. . . xmlns:m=http://www.iec.ch/61400-25/2004> <S11:Body> <m:OperateRequest> <m:Reference>WPP1.wt1WTUR.SetTurOp <m:Reference/> <m:Value>setCm=on<m:Value/> <m:T>t=2007-11-16T01:28:15Z<m:Value/> </m:OperateRequest> </wsse:Security> </S11:Header> <S11:Body wsu:Id=SB003> <m:OperateRequest> <xenc:EncryptedData> <xenc:CipherData> <xenc:CipherValue> PtH3jMVes. . .BQh00y4</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </m:OperateRequest> </S11:Body> </S11: Envelope> <ds:DigestMethod Algorithm=http://www.w3.org/ 2000/09/xmldsig#sha1/> <ds:DigestValue> khn5s1aFs. . .</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> x3PxP/hj. . .</ds:SignatureValue>

REFERENCES
</S11:Body> </S11:Envelope> 4) Message 5security extension of OperateRequest. <S11:Envelope xmlns:S11=. . . xmlns:wsse=. . . xmlns:wsse11=. . . xmlns:wsu=. . . xmlns:ds=. . .> <S11:Header> <wsse:Security> <ds:Signature> [1] J. Smith, M. Milligan, E. EeMeo, and B. Parsons, Utility wind integration and operating impact state of the art, IEEE Trans. Power Syst., vol. 22, no. 3, pp. 900908, Aug. 2007. [2] C. Chompoo-inwai, W. Lee, P. Fuangfoo, M. Williams, and J. Liao, System impact study for the interconnection of wind generation and utility system, IEEE Trans. Ind. Appl., vol. 41, no. 1, pp. 163168, Jan./Feb. 2005. [3] E. Denny and M. OMalley, Quantifying the total net benets of grid integrated wind, IEEE Trans. Power Syst., vol. 22, no. 2, pp. 605615, May 2007. [4] N. Kodama and T. Matsuzaka, Web-based data acquisition system of wind conditions and its application to power output variation analysis for wind turbine generation, in Proc. SICE-ICASE Int. Joint Conf., Bexco, Korea, Oct. 1821, 2006, pp. 37473750. [5] Z. Lubosny and J. Bialek, Supervisory control of a wind farm, IEEE Trans. Power Syst., vol. 22, no. 3, pp. 985994, Aug. 2007.

1938

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23, NO. 4, OCTOBER 2008

[6] J. Nilsson and L. Bertling, Maintenance management of wind power systems using condition monitoring systemsLife cycle cost analysis for two case studies, IEEE Trans. Energy Convers., vol. 22, no. 1, pp. 223229, Mar. 2007. [7] Y. Amirat, M. Benbouzid, B. Bensaker, and R. Wamkeue, Condition monitoring and fault diagnosis in wind energy conversion systems: A review, in Proc. IEEE Int. Electric Machines Drives Conf., Antalya, Turkey, May 35, 2007, pp. 14341439. [8] W. Young, J. Stamp, and J. Dillinger, Communication vulnerabilities and mitigations in wind power SCADA systems, presented at the American Wind Energy Assoc. WINDPOWER Conf., May 1821, 2003. [9] O. Anaya-Lara, N. Jenkins, and J. McDonald, Communications requirements and technology for wind farm operation and maintenance, in Proc. 1st Int. Conf. Ind. Inf. Syst., Sri Lanka, Aug. 811, 2006, pp. 173178. [10] Wind TurbinesPart 25-1: Communications for Monitoring and Control of Wind Power PlantsOverall Description of Principles and Models, IEC 61400-25-1, Dec. 2006. [11] Wind TurbinesPart 25-2: Communications for Monitoring and Control of Wind Power PlantsInformation Models, IEC 61400-25-2, Dec. 2006. [12] Wind TurbinesPart 25-3: Communications for Monitoring and Control of Wind Power PlantsInformation Exchange Models, IEC 61400-25-3, Dec. 2006. [13] Wind TurbinesPart 25-3: Communications for Monitoring and Control of Wind Power PlantsMapping to Communication Prole (In Progress), IEC 61400-25-4, 2007. [14] A. Olsen, B. Osdil, B. Poulsen, and K. Pedersen, Prototype of generic server for wind power plants using IEC 61400-25 standard, presented at the 2nd Int. Conf. Integration Renewable and Distributed Energy Resources, Napa, CA, Dec. 48, 2006. [15] National Energy Technology Laboratory, A System View of the Modern Grid v2.0, Appendix A3: Resists Attack v2.0 2007. [Online]. Available: http://www.netl.doe.gov/moderngrid/resources.html. [16] D. Dzung, M. Naedele, T. Von hoff, and M. Crevatin, Security for industrial communication systems, Proc. IEEE, vol. 93, no. 6, pp. 11521177, Jun. 2005. [17] F. Cleveland, IEC TC57 security standards for the power systems information infrastructurebeyond simple Encryption, in Proc. IEEE Power Eng. Soc. Transm. Distrib., May 2124, 2006, pp. 10791087. [18] S. Sheng, W. Chan, K. Li, D. Xianzhong, and Z. Xiangjun, Context information-based cyber security defense of protection system, IEEE Trans. Power Del., vol. 22, no. 3, pp. 14771481, Jul. 2007. [19] G. Ericsson and A. Torkilseng, Management of information security for an electric power utilityOn security domains and use of ISO/IEC 17799 standard, IEEE Trans. Power Del., vol. 20, no. 2, pt. 1, pp. 683690, Apr. 2005. [20] G. Ericsson, Toward a framework for managing information security for an electric power utilityCIGRE experiences, IEEE Trans. Power Del., vol. 22, no. 3, pp. 14611469, Jul. 2007. [21] N. Liu, B. Duan, J. Wang, and S. Huang, Study on PMI based access control of substation automation system, presented at the IEEE Power Eng. Soc. General Meeting, Montreal, QC, Canada, Jun. 1822, 2006. [22] B. Duan and B. Liu, Design of security state machine of access control for control object based on IEC 61850, presented at the IEEE Power Eng. Soc. General Meeting, Montreal, QC, Canada, Jun. 1822, 2006. [23] Electric power systems cyber security: Power substation case study, in European Workshop on Industrial Computer Systems, 2006. [Online]. Available: www.ewics.org/attach-m ents/security-subgroup-bps/. [24] L. Wang, T. Mander, H. Cheung, F. Nabhani, and R. Cheung, Security operation modes for enhancement of utility computer network cybersecurity, presented at the IEEE Power Eng. Soc. General Meeting Tampa, FL, Jun. 2428, 2007. [25] Power Systems Management and Associated Information ExchangeData and Communications SecurityPart 3: Communication Network and System SecurityProles Including TCP/IP, IEC TS 62351-3, Jun. 2007.

[26] J. Viega and J. Epstein, Why applying standards to web services is not enough, IEEE Security Privacy, vol. 4, no. 4, pp. 2531, Jul./Aug. 2006. [27] E. Kleiner and A. Roscoe, On the relationship between web services security and traditional protocols, Electron. Notes Theoretical Comput. Sci., vol. 155, pp. 583603, 2006. [28] A. Nadalin, C. Kaler, R. Monzillo, and P. Hallam-Baker, Web Services Security: SOAP Message Security 1.1 OASIS Std. Specif., 2006. [29] J. Woerner and H. Woern, A security architecture integrated co-operative engineering platform for organized model exchange in a digital factory environment, Comput. Ind., vol. 56, no. 4, pp. 347360, May 2005. [30] Z. Wu and A. Weaver, Using web services to exchange security tokens for federated trust management, in Proc. IEEE Int. Conf. Web Services, Salt Lake City, UT, Jul. 913, 2007, pp. 11761178. [31] M. Anlauff, D. Pavlovic, and A. Suenbuel, Deriving secure network protocols for enterprise services architectures, in Proc. IEEE Int. Conf. Comm., Istanbul, Turkey, Jun. 2006, pp. 22832287. [32] L. Liao and J. Schwenk, Secure emails in XML format using web services, in Proc. 5th Eur. Conf. Web Services, Halle, Germany, Nov. 2628, 2007, pp. 129136. [33] Communication Networks and Systems in Substation-Part 7-2: Basic Communication Structure for Substation and Feeder EquipmentAbstract Communication Service Interface (ACSI), IEC 61850-7-2, 2003. [34] Communication Networks and Systems in SubstationsPart 5: Communication Requirements for Functions and Device Models, IEC 61850-5, 2003. [35] M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon, Signature Syntax and Processing 2002. [Online]. Available: http://www.w3.org/TR/xmldsig-core/. [36] T. Imamura, B. Dillaway, and E. Simon, XML Encryption Syntax and Processing 2002. [Online]. Available: http://www.w3.org/TR/xmlenccore/.

Nian Liu was born in Anhui, China, in 1981. He received the B.S. and M.S. degrees in electric engineering from Xiangtan University, Hunan, China, in 2003 and 2006, respectively. and is currently pursuing the Ph.D. degree at North China Electrical Power University, Beijing, China. His research interests are monitoring and control for wind power plants, communication system of substation automation, and information security.

Jianhua Zhang (M04) was born in Beijing, China, in 1952. He received the M.S. degree in electrical engineering from North China Electric Power University, Beijing, China, in 1984. He was a Visiting Scholar with the Queens University, Belfast, U.K., from 1991 to 1992, and was a Multimedia Engineer of Electric Power Training with CORYS T.E.S.S., France, from 1997 to 1998. Currently, he is a Professor and Head of the Transmission and Distribution Research Institute, North China Electric Power University, Beijing. He is also the Consultant Expert of National 973 Planning of the Ministry of Science and Technology. His research interests are in power system security assessment, operation and planning, and emergency management. Mr. Zhang is an IET Fellow and a member of several technical committees.

Wenxia Liu received the M. S. degree in electric engineering from Northeast Dianli University, Jilin, China, in 1995. Currently, she is an Assistant Professor at North China Electrical Power University, Beijing, China. Her research interests are in planning and operation of distribution system and power system communication.