1

Camouflage Traffic: Minimizing Message Delayfor Smart Grid Applications under JammingZhuo Lu, Student Member, IEEE, Wenye Wang, Senior Member, IEEE, and Cliff Wang, Senior

Member, IEEE

Abstract—Smart grid is a cyber-physical system that integrates power infrastructures with information technologies. To facilitate

efficient information exchange, wireless networks have been proposed to be widely used in the smart grid. However, the jamming attack

that constantly broadcasts radio interference is a primary security threat to prevent the deployment of wireless networks in the smart

grid. Hence, spread spectrum systems, which provide jamming resilience via multiple frequency and code channels, must be adapted

to the smart grid for secure wireless communications, while at the same time providing latency guarantee for control messages. An

open question is how to minimize message delay for timely smart grid communication under any potential jamming attack. To address

this issue, we provide a paradigm shift from the case-by-case methodology, which is widely used in existing works to investigate well-

adopted attack models, to the worst-case methodology, which offers delay performance guarantee for smart grid applications under any

attack. We first define a generic jamming process that characterizes a wide range of existing attack models. Then, we show that in

all strategies under the generic process, the worst-case message delay is a U-shaped function of network traffic load. This indicates

that, interestingly, increasing a fair amount of traffic can in fact improve the worst-case delay performance. As a result, we demonstrate

a lightweight yet promising system, TACT (transmitting adaptive camouflage traffic), to combat jamming attacks. TACT minimizes the

message delay by generating extra traffic called camouflage to balance the network load at the optimum. Experiments show that TACT

can decrease the probability that a message is not delivered on time in order of magnitude.

Index Terms—Smart grid; wireless applications; performance modeling; worst-case analysis; message delay; jamming attacks

F

1 INTRODUCTION

Smart grid is an emerging cyber-physical system thatincorporates networked control mechanisms (e.g, ad-vanced metering and demand response) into conven-tional power infrastructures [1]. To facilitate informationdelivery for such mechanisms, wireless networks thatprovide flexible and untethered network access havebeen proposed and designed for a variety of smartgrid applications [2]–[5], such as substation automation[2], [4] and home metering [5]. As a result, wirelessnetworks have become an essential integration to thecommunication infrastructure for the smart grid.

However, the use of wireless networks introduces po-tential security vulnerabilities due to the shared natureof wireless channels. Indeed, it has been pointed outin [1], [6] that the jamming attack, which uses radiointerference to disrupt wireless communications [7]–[9],can result in network performance degradation and evendenial-of-service in power applications, thereby being aprimary security threat to prevent the deployment ofwireless networks for the smart grid. How to defendagainst jamming attacks is of critical importance to se-cure wireless communications in the smart grid.

• Zhuo Lu and Wenye Wang are with the Department of Electrical andComputer Engineering, North Carolina State University, Raleigh NC. E-mails: {zlu3,wwang}@ncsu.edu. Cliff Wang is with Army Research Office,Research Triangle Park, NC. Email: cliff.wang@us.army.mil.

Part of the work was presented in the 31st IEEE Conference on ComputerCommunication (INFOCOM ’12).

There have been extensive works on designing spreadspectrum based communication schemes, which providejamming resilience to conventional wireless networks byusing multiple orthogonal frequency [8], [10] or code[9], [11] channels. Interesting enough, most efforts adopta case-by-case (or model-by-model) methodology to in-vestigate how a message can be sent to its destination.In other words, based on commonly-adopted jammingattack models (e.g., periodic, memoryless, and reactivemodels [12]), existing works focus on designing anti-jamming communication schemes for message deliveryin conventional wireless networks

However, the NIST has recently imposed a strongrequirement for smart grid security: power system oper-ations must be able to continue during any security attack orcompromise (as much as possible) [1]. This means that thewidely-used case-by-case methodology cannot be readilyadapted to wireless smart grid applications, because itis not able to guarantee reliable communication underany potential jamming attack. To provide such a guar-antee, securing wireless smart grid applications requiresa paradigm shift from the case-by-case methodology toa new worst-case methodology that offers performanceassurance under any attack scenario. On the other hand,it has been shown that the message delay performancecan be substantially worsen and even violate the timingrequirement of control applications under inappropriatesecurity design. For example, in an experimental sub-station network [13], if a RSA-based scheme is usedfor authenticating trip protection messages, 40% messages

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE APR 2014 2. REPORT TYPE

3. DATES COVERED 00-00-2014 to 00-00-2014

4. TITLE AND SUBTITLE Camouflage Traffic: Minimizing Message Delay for Smart GridApplications under Jamming

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) North Carolina State University,Department of Electrical and Computer Engineering,,Raleigh,NC,27695

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited

13. SUPPLEMENTARY NOTES to appear in IEEE Transactions on Dependable and Secure Communications (TDSC), April 2014.

14. ABSTRACT Smart grid is a cyber-physical system that integrates power infrastructures with information technologies.To facilitate efficient information exchange, wireless networks have been proposed to be widely used in thesmart grid. However, the jamming attack that constantly broadcasts radio interference is a primarysecurity threat to prevent the deployment of wireless networks in the smart grid. Hence, spread spectrumsystems, which provide jamming resilience via multiple frequency and code channels, must be adapted tothe smart grid for secure wireless communications, while at the same time providing latency guarantee forcontrol messages. An open question is how to minimize message delay for timely smart grid communicationunder any potential jamming attack. To address this issue, we provide a paradigm shift from thecase-by-case methodology, which is widely used in existing works to investigate welladopted attack models,to the worst-case methodology, which offers delay performance guarantee for smart grid applicationsunder any attack. We first define a generic jamming process that characterizes a wide range of existingattack models. Then, we show that in all strategies under the generic process, the worst-case message delayis a U-shaped function of network traffic load. This indicates that, interestingly, increasing a fair amount oftraffic can in fact improve the worst-case delay performance. As a result, we demonstrate a lightweight yetpromising system, TACT (transmitting adaptive camouflage traffic), to combat jamming attacks. TACTminimizes the message delay by generating extra traffic called camouflage to balance the network load atthe optimum. Experiments show that TACT can decrease the probability that a message is not delivered ontime in order of magnitude.

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as

Report (SAR)

18. NUMBEROF PAGES

14

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

2

cannot be delivered and verified under the timing re-quirement of 3 ms. This show that in addition to thenecessity of using the worst-case methodology, securitydesign for the smart grid should also attempt to min-imize the message delay such that it always meets thetiming requirement. As a result, in this paper, we aimat solving a fundamental yet open question for wirelesssmart grid applications: how to minimize the messagedelay under worst-case jamming attacks. The answer to thisquestion can not only help us design network strategiesagainst worst-case jamming attacks in wireless smartgrid applications, but also offer general guidance intojamming defense strategies in cyber-physical systems.

In this paper, we address this issue by consideringa wireless network that uses multiple frequency andcode channels to provide jamming resilience for smartgrid applications. We consider two general jamming-resilient communication modes for smart grid applica-tions: coordinated and uncoordinated modes [8]–[10].In coordinated mode, the sender and receiver share acommon secret or key (e.g., code-frequency channel as-signment), which is unknown to attackers. Accordingly,an attacker has to choose its own strategy to disruptthe communication between the transmitter and receiver.Coordinated communication is a conventional modelin spread spectrum systems. However, the transmitterand receiver may not share a common secret initially(e.g., a node joins a network and attempts to establisha secret with others). Uncoordinated communication istherefore used to help establish such an initial key. Inuncoordinated communication, the sender and receiverrandomly choose a frequency-code channel to transmitand receive, respectively. A message can be deliveredfrom the sender to the receiver only if they both resideat the same channel, and at the same time the jammerdoes not disrupt the transmission on the channel.

As power applications are time-critical with stricttiming requirements (e.g. 3ms and 10ms in substationtrip protection [14]), message delivery becomes invalidas long as its delay D is greater than the delay thresh-old σ. Therefore, different from existing metrics (e.g.throughput or packet delivery ratio [7]) to evaluatethe jamming impact in conventional wireless networks,we use the message invalidation probability P(D > σ),which directly reflects timing requirements of powerapplications, to measure the jamming impact in thesmart grid. Our goal is to minimize P(D>σ) under theworst-case jamming attack. To this end, we first define ageneric jamming process that includes a wide range ofexisting jamming models. Then, we use both theoreticalanalysis and experimental study to derive P(D>σ) andaccordingly design a solution to minimize P(D > σ)under jamming attacks. We highlight our major findingsas follows.

1) We propose to study the worst-case performanceunder a generic (rather than specific) jamming pro-cess. We show, through mathematical derivations,that the worst-case performance in terms of mes-

sage invalidation probability exhibits a U-shaped1

response to aggregated network traffic load. Inorder words, the message invalidation probabilityis a first-decreasing, then-increasing function ofnetwork traffic load.

2) Based on this U-shape effect, we propose a TACT(transmitting adaptive camouflage traffic) systemthat uses “camouflage traffic” to achieve the opti-mal aggregated network traffic load to minimizethe message invalidation ratio.

The underlying explanation behind the U-shape phe-nomenon and the TACT anti-jamming strategy is thatusing camouflage traffic (i.e., redundant traffic transmit-ted by TACT) is the over-provision of bandwidth in asmart grid network, where time-critical traffic rate issmaller than the network bandwidth. By sending moresuch camouflage traffic (mixed with smart grid controltraffic) to the network, we can force a jammer to “waste”enough jamming capability on the camouflage traffic(because the jammer has no way to tell the camouflagetraffic from the real smart grid traffic), so that the jammercannot find the real traffic quickly enough. Therefore,the message invalidation ratio decreases when we sendcamouflage traffic into the network under jamming.However, if the rate of sending camouflage traffic keepsincreasing and approaches the network bandwidth, morenetwork collisions will happen in the network, therebydegrading the network performance (i.e., increasing themessage invalidation ratio). As a result, there exists anoptimal rate to send camouflage traffic and TACT is usedto adaptively find this rate.

Because our strategy is based on the worst-casemethodology, the U-shape property and the global min-imum of the message invalidation probability are in-dependent with a particular jamming strategy, thus of-fering performance guarantee for a wireless smart gridapplication under jamming attacks.

The rest of this paper is organized as follows. InSection 2, we introduce preliminaries and models. InSections 3, 4, and 5, we derive the theoretical results,design the method of TACT, then implement TACT inour experimental smart grid system, Green Hub, respec-tively. Finally, we conclude in Section 6.

2 MODELS AND PROBLEM FORMULATION

In this section, we first introduce backgrounds on wire-less networks for the smart grid, then present networkand jamming models, finally formulate the problem.

2.1 Backgrounds: Smart Grid over Wireless

Wireless networks are in general used for local-areasmart grid applications, such as substation automationand distributed energy management [2], [3]. The wirelessnetwork for a local-area power system consists of a

1. Mathematically, a function is said to be U-shaped if it is first-decreasing, then-increasing.

3

number of intelligent electronic devices (IEDs) and thegateway node. IEDs are devices installed on infrastruc-tures to fulfill power management procedures by com-municating with each other. The gateway is connected tothe smart grid backbone network. Local-area messagescan be forwarded via the gateway to outside networks.

Due to the broadcast nature of wireless channels, wire-less networks for the smart grid are inevitably exposedto jamming attacks, which transmit radio interference toprevent legitimate messages from being received [7]–[9].It has already been pointed out that jamming attacks, bydisrupting communication between power equipments,can possibly result in grid operation instability or evenregional blackout [15]. Therefore, wireless networks forthe smart grid must have the ability to combat jammingattacks. There are two widely-used spread spectrumtechniques [8], [9], [11], [16] to defend against jammingattacks in the literature. (i) Frequency hopping spreadspectrum (FHSS): the sender and receiver switch a fre-quency channel among a pool of candidate channelsfrom time to time. The jammer can only jam a transmis-sion when it is on the same channel. (ii) Direct sequencespread spectrum (DSSS): the sender multiplies the orig-inal data with a pseudo-noise (PN) sequence (called acode channel). The receiver uses a correlator with thesame PN sequence to recover the original message. Itis difficult for a jammer to disrupt the communicationunless it knows the PN sequence used by the channel.

Both FHSS and DSSS have been proposed and usedfor power applications [3], [15], [17], [18]. For example,a DSSS based system is demonstrated in [17] for localsubstation automation. Since FHSS and DSSS providejamming resilience by using multiple orthogonal fre-quency and code channels, a trivial solution for de-creasing the message delay is to increase the number offrequency or code channels. Then, a jammer will have alower chance to transmit jamming signals on the samechannel used by a transmit-receive pair. However, it isquite undesirable in practice because of the large cost ofnetwork spectrum resources. Therefore, we attempt tominimize the message delay in a wireless network withfixed numbers of frequency and code channels.

2.2 Network Model

We consider a wireless local-area network N (m,Nf , Nc),where m is the number of nodes (including IEDs and thegateway) in the network, Nf and Nc are the numbersof frequency and code channels, respectively. There aretwo major types of traffic flows in the network: 1) Localtraffic, which is generated from one node to another forlocal monitoring or protection; 2) Outside traffic, whichis between a node and an outside node via the smartgrid backbone network.

For a message going outside, it will be delivered firstfrom an IED to the gateway via the local-area network(local delivery), then to the destination network via thesmart grid backbone network. If there exists a jammer,

it can affect the delay performance of both local andoutside traffic types. For outside traffic, the delay com-ponent for the first local delivery can dominate in theoverall end-to-end delay, since the smart grid backbonenetwork is always of high bandwidth. Therefore, wefocus on the message delay of local traffic in the network.

It is worth noting that in the smart grid, a largeamount of network traffic features a constant trafficmodel for continuous monitoring and control of powerequipments [3], [14], [19]. In addition, nodes can havedistinct network traffic loads for different applications.For example, merging-unit IEDs in a substation can senddata of sampled power signal quality at various rates of960–4800 messages/, dependent on configuration [19].Thus, we assume that there are heterogeneous trafficloads in network N (m,Nf , Nc); i.e., node i has a constanttraffic load of λi messages/s (i ∈ {1, 2, · · · ,m}) in thenetwork.

2.3 Communication and Interference Models

2.3.1 Protocol Processing

In the smart grid, to ensure in-time monitoring andcontrol of power devices, a large amount of commu-nication messages have stringent timing requirements.For example, substation applications have 3ms–500msdelay constraints for message delivery [14]. We referto such messages as time-critical messages. The natureof time-critical messages indicates that they should beimmediately transmitted and avoid being buffered. Forexample, time-critical messaging in substation commu-nications [14] features a simple transmission mechanismat the application layer: bypass TCP and retransmit thesame message multiple times to ensure timely deliveryand reliability. Thus, we also adopt such a mechanismat the application layer of each node.

When a message is passed from the application layerto the MAC layer, traditionally, CSMA/CA is used tosense the channel activity before sending the message.However, CSMA/CA is primarily designed for one-channel networks, and may not be efficient in spreadspectrum systems. In network N (m,Nf , Nc), the wire-less channel is separated into Nf frequency and Nc codechannels. Such channels can be considered orthogonalto each other [20]. Even if there are multiple wirelesstransmissions over the same frequency channel, they willbe successfully decoded at receivers as long as they usedistinct code channels. CSMA/CA, which defers a trans-mission after sensing activity on a frequency channel,may unintentionally degrade the delay performance.

Thus, we assume that when the MAC layer receives amessage from upper layers, it will directly transmit themessage on a frequency-code channel pair, denoted asthe (i, j)-th channel shown in Fig. 1. Since the applicationlayer will retransmit the message multiple times, theMAC layer will assign a distinct frequency-code channelto each retransmission.

4

code

frequency1 2 nf

nc

1

2

...

...

select (i,j)

Fig. 1. Nf frequency and Nc code channels available.

To correctly decode the message, the receiver mustreside on the same frequency-code channel used by thesender. However, the receiver may or may not have theinformation of the sender’s channel assignment, whichleads to distinct communication modes between thesender and receiver. In what follows, we will considerextensively-used models in the literature.

2.3.2 Secret Communications and Key Establishment

As mentioned previously, two communicators may ormay not share a common secret channel assignment (thekey) with each other. If they do share a key, receivercan synchronize with the sender’s frequency-code chan-nel switching, which is called coordinated communicationmode. In this mode, we assume that for a sender-receiverpair, each channel assignment is uniformly distributedover all NfNc selections such that the chance of potentialchannel collision among legitimate nodes is minimized.

Coordinated communication happens only when twocommunicators share a secret unknown to others. How-ever, they initially may not have such a secret. In fact, itis commonly adopted (e.g., [8], [10], [11]) that they shareno secret key before they attempt to communicate. Then,how to establish a key before they use it to communicatecoordinatedly? To solve the question, a wide-adopted so-lution (e.g., [8], [10], [11]) is uncoordinated communicationmode, which is shown as follows.

First, assume that the two communicators can alwaysverify each other’s authenticity (e.g., their public keysare open to everyone). Every packet transmitted by thesender is digitally signed by the sender’s private key.Then, the receiver can use the sender’s public key toverify if a packet is indeed sent by the real sender.

Second, the sender keeps sending the key informationto a randomly selected frequency/code channel. Theinformation is encrypted (e.g., using the receiver’s publickey) such that it is only decodable to the real receiver. Atthe same time, the receiver randomly chooses a channelto listen on. When the sender and receiver reside on thesame channel, the key information can be successfullydelivered, thereby finishing the key establishment.

After the key establishment, the sender and receiverhave shared a common secret key, so they can use thekey to communicate. We can see that although unco-ordinated communication looks less efficient, it is stillessential to achieve coordinated communication. As aresult, both uncoordinated and coordinated modes are

vital for securing jamming-resilient communications.Since channel selection is random in the uncoordi-

nated mode, we adopt the uniform selection strategy[21], in which both sender and receiver uniformly choosechannels to transmit and receive, respectively.

2.3.3 Interference Model

In coordinated mode, the sender and receiver have thecommon knowledge of the secret channel assignment,and can synchronize with each other. The transmissionon a channel fails only when it is disrupted by jammingor other transmissions at the same channel. Thus, we as-sume that for coordinated communication, the messagedelivery on the (i, j)-th channel fails when at least oneof the following two events holds: 1) at least a portion ρ(0 < ρ < 1) of the transmission is disrupted by jammingon the (i, j)-th channel; 2) at least a portion ρ of thetransmission collides with other legitimate traffic on the(i, j)-th channel.

For uncoordinated mode, message delivery failure canbe caused by not only jamming or other transmissionson the same channel, but also the channel selectionmismatch between the sender and receiver. Therefore,we assume that the message delivery with durationTL on the (i, j)-th channel fails if at least one of thefollowing holds: 1) at least a portion ρ of the transmissionis disrupted by jamming on the (i, j)-th channel; 2) atleast a portion ρ of the transmission collides with otherlegitimate traffic on the (i, j)-th channel; 3) During themessage transmission, the receiver resides on the (i, j)-thchannel for a time duration smaller than (1−ρ)TL.

Note that the value of ρ varies in practice, dependingon error correction coding. For example, the standard(255,223) Reed-Solomon code is used in the transmission,it is capable of correcting up to 16 bit errors among every223 information bits [9], resulting in ρ ≈ 7.1%.

2.4 Generic Jamming Model

The objective of a jammer is to broadcast interferenceto disrupt messages as many as possible in networkN (m,Nf , Nc). As the network has multiple channels,the jammer can adopt a wide range of strategies. In theliterature, there are two major jamming types in terms ofjamming behavior: non-reactive and reactive models [7]–[11]. Non-reactive jammers transmit radio interferenceby following their own strategies. Reactive jammerstransmit interference only when they sense any activityon a wireless channel. In addition, a jammer can eithertarget a single frequency-code channel or have the abilityto attack multiple channels at the same time. In thispaper, we assume that the jammer has the knowledgeof the pool of candidate channels used in the network,and attempt to choose the best strategy to attack one orsome of the channels and lead the worst-case attack. Inorder to adopt varying strategies the jammer can use,we define a generic process to accommodate variousjamming behaviors and models in the literature.

5

Definition 1 (Generic Jamming Process): A jamming at-tack can be represented as a Markov-renewal process

((F , C), X) = {(Fk, Ck), Xk|k = 1, 2, · · · },

where Xk is the renewal interval representing the jam-ming duration at the k-th state, denoted by (Fk, Ck) ={(Fk,i, Ck,i)}i∈[1,s], the set of frequency and code chan-nels targeted by the jammer, (Fk,i, Ck,i) is a particu-lar frequency and code channel, and s is the num-ber of channels the jammer can attack simultaneously.The embedded transition matrices associated with states(Fk, Ck) are denoted as Qf and Qc, respectively. Whenthe jamming is non-reactive, ((F , C), X) is assumed tobe a continuous Markov process. When the jamming isreactive, Xk = τ+Sk1A

2, where τ is the constant channelsensing time, Sk is the duration of the jamming signal, Adenotes the event that at least one channel in set (Fk, Ck)is sensed busy.

1

2

4

3

(a) Constant jam-ming

1

2

4

3

(b) Sweepingjamming

1

2

4

3

(c) Uniformlydistributedjamming

Fig. 2. Jamming strategies due to state transitions.

Remark 1: The generic jamming process can character-ize both non-reactive and reactive jamming behaviors.In addition, it also models jammers that can attack s ≥ 1frequency-code channels at the same time. Thus, thegeneric model defined in Definition 1 can represent awide range of existing jamming models and strategiesin the literature. For example, consider a simple networkwith 4 frequency channels in the presence of a jammerthat can attack only one frequency channel at the sametime. If the jammer’s transition matrix Qf is the 4 × 4identity matrix with state transitions shown in Fig. 2(a),every state is an absorbing state and the process rep-resents continuous jamming on a particular channel [7].Similarly, Figs. 2(b) and 2(c) represent sweeping jamming[22] and uniformly-distributed jamming, respectively.

As we can see in the Markov-renewal model, {Xk}and {(Fk, Ck)} can directly reflect when a certain set ofchannels is affected by the jamming attack, and matricesQf and Qc can model what the jamming strategy is.

2.5 Problem Formulation

The primary goal of smart grid communication is toachieve timely monitoring and control for power controlapplications. Therefore, the delay performance is of criti-cal importance in the smart grid. A time-critical messagebecomes invalid as long as its message delay D is greater

2. 1A denotes the indicator function, which has the value 1 for A

and the value 0 for Ac.

than its delay constraint σ. As a result, we focus onhow to minimize the message invalidation probabilityP(D > σ) in network N (m,Nf , Nc) under the genericjamming process ((F , C), X).

It is worth noting that there are two opposites inthe network: the network operator always attempts tominimize the message delay; in contrast, the jammer al-ways intends to maximize the message delay. The lowestbound of the message delay is always achieved whenthere exists no jammer or a naive jammer. As the NISTrequires smart grid operations must continue under anypotential attack, we adopt a worst-case methodology tostudy the problem of minimizing message delay in thesmart grid under jamming attacks.

1) In wireless local-area network N (m,Nf , Nc), fora time-critical application with delay threshold σ,what is the worst-case delay performance P(D>σ)under the generic jamming process ((F , C), X).

2) Given the worst-case scenario in Step 1, how tominimize P(D>σ).

There has been existing work addressing denial-of-service attacks on multimedia traffic (e.g., [23], [24]).We note that the differences between smart grid trafficand multimedia traffic are: 1) smart grid traffic is moretime-critical (e.g, 3 ms requirement in GOOSE comparedwith around 100 ms requirement for multimedia), 2)time-critical traffic is periodical, unsaturated (i.e., thetraffic load smaller than the network bandwidth) in thesmart grid, and multimedia traffic is usually saturatedand requires adequate congestion control. As a result,the smart grid traffic features a simpler retransmissionmechanism without congestion control. In addition, wewill show that we can take advantage of the unsaturatednature of smart grid traffic to design countermeasures.

Next, we use theoretical analysis to show the worst-case delay performance under jamming attacks.

3 THEORETICAL ANALYSIS

In this section, we theoretically analyze the worst-casedelay performance for wireless smart grid applicationsunder the generic jamming model. We first considerthe worst case in coordinated communication, then theworst case in uncoordinated communication. Finally, wepropose a method to minimize the worst-case delay forboth coordinated and uncoordinated modes.

3.1 Jamming against Coordinated Mode

Our goal is to find the jamming attack that maximizesP(D > σ) such that we can identify the worst-caseattack targeting wireless smart grid applications. As ourgeneric jamming process characterizes both non-reactiveand reactive jammers, we provide analytical results oftheir impacts on P(D>σ), respectively.

Lemma 1 (Non-Reactive Jamming): In wireless local-area network N (m,Nf , Nc) in the presence of anon-reactive jamming process {(F , C), X} with ability

6

to attack s channels simultaneously, the message delayDk of a time-critical application at node k satisfies

P(Dk>σ)≤

(

1−

(

1−1

NfNc

)2TL(1−ρ)γk(

1−(1− ρ)s

ρNfNc

)

)σ/TL

,

(1)where TL is the message transmission duration, σ is themessage delay threshold, γk =

∑mj=1,j 6=k λj , and λj is the

traffic rate at node j.Proof: Without loss of generality, assume that node 1

transmits a message with delay threshold σ and durationTL. The application layer can transmit the message atmost ⌊σ/TL⌋ times (for the sake of simplicity, we in thefollowing assume that σ/TL is an integer, i.e., ⌊σ/TL⌋ =σ/TL, which does not affect the derivation of our mainresults). Among all σ/TL transmission attempts, the i-thone uses the (ui, vi)-th channel (1 ≤ i ≤ σ/TL).

The message invalidation probability P(D1 > σ) isequal to the probability that all σ/TL transmission at-tempts are disrupted by either collision or jamming, i.e.,

P(D1 > σ) = P

(

∩σ/TL

i=1 (Ji ∪ Ci))

, (2)

where Ci and Ji denote the events that the i-th transmis-sion is disrupted by collision and jamming, respectively.

First, we derive the collision probability P(Ci). Sup-pose that node 1’s i-th transmission starts at time 0, acollision that can successfully disrupt node 1’s trans-mission will happen if another node makes a transmis-sion attempt during period [(ρ−1)TL, (1−ρ)TL] and atthe same time uses the same channel. Since all nodeshave constant traffic rates, there are 2(1 − ρ)TL

∑mj=2 λj

transmissions at other nodes that can possibly disruptnode 1’s transmission. As the frequency-code channel foreach transmission in the network is uniformly assignedamong all NfNc selections, the collision probability isequal to the probability that there is at least one othertransmission colliding with node 1’s i-th transmission,which can be written as

P(Ci) = 1− (1− 1/(NfNc))2(1−ρ)TLγ1 , (3)

where γ1 =∑m

j=2 λj .Then, we compute the jamming probability P(Ji). The

jamming process {(F , C), X} has renewal intervals {Xl}.Let Ni represent how many times the jammer makes astate transition, and we have Ni = supn∈N

{∑n

l=1 Xl <(1 − ρ)TL}, N = {0, 1, 2, · · · }, where X1, · · · , XNi

arejamming intervals during the i-th transmission. In orderto disrupt the i-th transmission (i.e., Ji holds), the sum ofjamming intervals on the (i, j)-th channel must be largerthan the threshold ρTL. Letting Bl be the event that thel-th interval with length Xl hits the (ui, vi)’th channel(i.e., Bl = {ui ∈ Fl, vi ∈ Cl}), we obtain

P(Ji|ui, vi) = P

(

Ni∑

l=1

Xl1Bl≥ρTL

)

≤E(

Ni∑

l=1

Xl1Bl)/(ρTL)

= E(Ni)E(Xl)P(Bl)/(ρTL), (4)

where the last equality and inequality follows fromWald’s equation and Markov’s inequality respectively,

E(Ni) = (1 − ρ)TL/E(Xl) and P(Bl) denotes the proba-bility that the jamming hits the (ui, vi)-th channel. Since(ui, vi) is uniformly assigned, it follows from (4) that

P(Ji) ≤

Nf∑

p=1

Nc∑

q=1

E(Ni)E(Xl)P(Bl)/(ρTL)/(NfNc)

≤(1− ρ)TL

E(Xl)E(Xl)

s

NfNc

1

ρTL=

(1− ρ)s

ρNfNc. (5)

Finally, combining (2), (3) and (5) finishes the proof. �

Next, we present our results on reactive jamming.

Lemma 2 (Reactive Jamming): In wireless local-area net-work N (m,Nf , Nc) in the presence of a reactive jammer{(F , C), X} that has sensing time τ and can attack schannels simultaneously, for a time-critical applicationat node k, its message delivery delay Dk satisfies

P(Dk>σ)≤

(

1−

(

1−1

NfNc

)2TL(1−ρ)γk

(

1−sT

L

τNfNc

1−ρ +ρT 2Lγk

))σ/TL

,

(6)where TL is the message transmission duration, σ is themessage delay threshold, γk =

∑mj=1,j 6=k λj , and λj is the

traffic rate at node j.

Proof: Similar to the proof for Lemma 1, assume thatnode 1 transmits a message with delay threshold σ. Thetransmission resides at the (ui, vi)-th channel for the i-thattempt. To find P(D1>σ), we first need to compute bothcollision and jamming probabilities, P(Ci) and P(Ji). AsP(Ci) is given in (3), we in the following compute P(Ji).

For the sake of simplicity, assume that the i-th trans-mission starts at time 0. Define a renewal processNi(t) = supn∈N

{∑n

l=1 Xl < t}, N = {0, 1, 2, · · · }. ThenX1, X2, · · · , XNi(t) are renewal intervals during period[0, t]. Different from non-reactive jamming, reactive jam-ming has renewal intervals Xl = τ + Sl1A, where A de-notes the event that a channel is sensed with activity, andSl is the jamming duration. To maximize its damage tothe network, the reactive jammer should always set thejamming duration Sl to be ρTL. This means that whenthe jammer senses a transmission, it always choosesthe minimum effective jamming duration to disrupt thetransmission such that it can immediately move on tosense and jam other channels. Thus, we choose Sl = ρTL.

In order to successfully disrupt the i-th transmission(e.g., Ji holds), the reactive jammer must switch to the(ui, vi)-th channel at least once during [0, (1−ρ)TL−τ ].Let event Bl = {ui ∈ Fl vi ∈ Cl}. Then, P(Ji|ui, vi) =

P

(

∑Ni((1−ρ)TL−τ)l=1 1Bl

≥ 1)

. Using similar procedures in

(4) and (5), we have

P(Ji) ≤ E(Ni((1 − ρ)TL − τ)s/(NfNc). (7)

To obtain E(Ni((1 − ρ)TL − τ), we first have from theelementary renewal theorem

limt→∞

E(Ni(t))/t = 1/E(Xl), (8)

where E(Xl) = τ + ρTLP(A), P(A) is the probabilitythat a channel is sensed busy and P(A) = 1 − (1 −1/(NfNc))

(1−ρ)TLγ1 . Then, it is reasonable to assume that

7

sensing time τ ≪ TL and renewal interval E(Xl) ≪ TL

since power networks always have unsaturated trafficloads [3], [14] for timely monitoring and control. Thus,from (8), E(Ni((1−ρ)TL−τ) can be approximated as

E(Ni((1−ρ)TL−τ)) ≈(1 − ρ)TL − τ

E(Xl)≈

(1− ρ)TL

E(Xl)

=(1− ρ)TL

τ+ρTL−ρTL

(

1− 1NfNc

)(1−ρ)TLγ1

≈(1− ρ)TL

τ+ρ(1−ρ)T 2

Lγ1

NfNc

. (9)

The last approximation follows from the fact that (1−x)a ≈ 1−ax for small x. From (7) and (9), we obtain

P(Ji) ≤(1− ρ)sTL

τNfNc + ρ(1− ρ)T 2Lγ1

. (10)

Combining (2), (3) and (10) completes the proof. �

Based on Lemmas 1 and 2, we then show that reactivejamming in general leads to the worst-case delay perfor-mance, thereby maximizing the damage to the network.

Theorem 1 (Worst-Case Delay in Coordinated Mode):For wireless local-area network N (m,Nf , Nc) undercoordinated communication, the worst-case delayperformance at node k is induced by reactive jammingwith sensing time τ sufficiently small. Specifically, themessage delay Dk satisfies

P(Dk>σ)≤

(

1−

(

1−1

NfNc

)2TL(1−ρ)γk

(

1−sT

L

τNfNc

1−ρ +ρT 2Lγk

))σ/TL

,

(11)where TL is the message transmission duration, σ is themessage delay threshold, γk =

∑mj=1,j 6=k λj , and λj is the

traffic rate at node j.Proof: Comparing (1) with (6), it suffices to show

(1− ρ)sTL

τNfNc+ρ(1− ρ)T 2Lγk≥

s

ρNfNc, (12)

which is equivalent to

τ ≤ ρTL − ρ(1− ρ)T 2Lγk/(NfNc) (13)

In order for (13) to hold for τ sufficiently small, itsuffices to show that the right-hand side of (13) is largerthan 0, i.e., ρTL− ρ(1− ρ)T 2

Lγk/(NfNc) > 0. Let γ̂ bethe overall message rate in the network and B be themaximum bit rate supported by each sub-channel. Then,a single message includes TLB bits, and the overallnetwork traffic rate (in terms of bits/s) can be writ-ten as r̂ = TLBγ̂, which is smaller than the overallchannel bandwidth NfNcB. In other words, we haver̂ = TLBγ̂ ≤ NfNcB, i.e., TLγ̂ ≤ NfNc. Since it alwaysholds that γk ≤ γ̂, we have TLγk ≤ NfNc and

ρTL−(ρ(1−ρ)T2Lγk)/(NfNc)≥ρTL−ρ(1−ρ)TL> 0, (14)

which finishes the proof. �

Remark 2: Theorem 1 shows that reactive jammingwith sensing time τ sufficiently small will induce theworst-case performance. Theoretically, we can alwaysassume that τ is arbitrarily small and consider reactivejamming as the worst case. Will reactive jamming do soin practice? The essence of the question is how small τcan be for a practical jammer. Taking a closer look at (13),

0 20 40 60 80 10010

−4

10−3

10−2

10−1

100

Aggregate Traffic [Kilo−Messages per Second]

Wors

t−C

ase P

erf

orm

ance

reactive

jamming

3 ms

6 ms

non−reactive

jamming

10 ms

Fig. 3. Coordinated communication: worst-case delay

performance P(Dk > σ) versus aggregate traffic γk atnode k for time-critical applications with delay thresholds

of 3–9ms. (Nf=Nc=10, TL=1ms, ρ=0.1, and τ=1µs.)

we find that the right-hand side can be approximatedas ρTL when the pool of channel selections is large(i.e., NfNc is large), which is true for an effective anti-jamming system. This indicates that reactive jammingis more harmful than non-reactive jamming when τ issmaller than the minimum jamming duration ρTL. Ithas been shown that τ can be designed very small,depending on implementation; while ρTL should bekept relatively large to effectively disrupt a transmission.For example, a software-defined radio based jammer[25] needs 20µs to sense an 802.15.4 transmission andsend jamming signals for at least 26µs to disrupt thetransmission. Such a sensing time can be further shortenwith a hardware implementation instead of a softwareimplementation, which demonstrates that τ is indeedsmaller than ρTL in practice. Therefore, it is reasonableto consider reactive jamming as the worst case boththeoretically and practically.

Fig. 3 shows an example of the worst-case messageinvalidation probabilities induced by both non-reactive(1) and reactive jamming (6) for time-critical applicationsat node k. We can see that reactive jamming always leadsto worse delay performance than non-reactive jamming,and that the delay performance at node k also dependson the aggregate traffic load γk. An interesting obser-vation from Fig. 3 is that in the reactive-jamming case,the message invalidation probability is not minimizedat γ∗

k=0. Instead, it is minimized at a fairly large valueγ∗k ≈ 38 kilo-messages/s.Fig. 3 illustrates that, interestingly, the worst-case de-

lay (caused by reactive jamming) is in fact a U-shaped(first-decreasing then-increasing) function of traffic loadγk. This is due to the sensing and reacting nature ofreactive jamming. Consider a simple example: Fig. 4(a)shows two transmissions of a message by node 1 withtwo-channel frequency-hopping. If there is no other traf-fic, by scanning the two channels alternately, a reactivejammer can always sense and jam both transmissions.

8

1st jammed 2nd delivered1st jammed 2nd jammed

Node 2 jammed

(a) (b)

sensing

Fig. 4. Message delivery under reactive jamming.

If node 2 is also transmitting as shown in Fig. 4(b), thejammer can also sense and attempt to disrupt node 2’stransmission. Then, there is a chance that node 1’smessage can be delivered during the time that thejammer is jamming node 2’s transmission. Thus, fairlyincreasing network traffic load can in fact improve thedelay performance under reactive jamming. On the otherhand, the over-increase of traffic will surely decrease theperformance since transmissions have a high probabilityto collide with each other. Hence, there should be anoptimal traffic load such that the worst-case messagedelay can be minimized.

In the following, we show theoretically that there ex-ists a traffic load γ∗

k to minimize the worst-case messageinvalidation probability for node k in the network.

Theorem 2 (Optimal Load in Coordinated Mode): Inwireless network N (m,Nf , Nc), node k’s worse-casemessage invalidation probability (11) in coordinatedcommunication is minimized at

γ∗k =

1

ρ(1−ρ)T 2L

(

c1c2 −√

c21c22 − 4c1c2ρTL

2c1− τNfNc

)

,

where c1 = 2 ln(1− 1/(NfNc)) and c2 = (1− ρ)TL.Proof: It is equivalent to show that γ∗

k maximizes thefollowing function.

f(γk)=

(

1−1

NfNc

)2TL(1−ρ)γk

(

1−(1−ρ)T

L

τNfNc+ρ(1−ρ)T 2Lγk

)

.

(15)Letting ∇γ∗

kf(γ∗

k) = 0 results in a quadratic equation

c1w2 − c1c2w + c2ρTL = 0, (16)

where c1 = 2 ln(1− 1/(NfNc)), c2 = (1− ρ)TL, and

w = τNfNc+ρ(1−ρ)T 2Lγ

∗k. (17)

Solving equation (16) for w yields

w = (c1c2 −√

c21c22 − 4c1c2ρTL)/(2c1). (18)

Combining (17) with (18) completes the proof. �

Remark 3: Theorem 2 shows that there indeed existsa unique traffic load γ∗

k for node k to minimize itsworst-case delay, and that γ∗

k is independent of the delaythreshold σ, which can be also observed in Fig. 3. Thus,the delay of messages with different delay thresholdscan be all minimized at the same optimal traffic load.

3.2 Jamming against Uncoordinated Mode

So far, we have derived the theoretical results of theworst-case jamming impact on coordinated communica-tion, which is used for IED communication in normal

operations in the smart grid. We show that, interestingly,there indeed exists a unique traffic load for a nodeto minimize its worst-case delay. In the following, wepresent the theoretical results on uncoordinated com-munication, which can be used for key establishmentbetween IEDs. Similar to Section 3.1, our goal is tofind out the worst case performance, P(D > σ), foruncoordinated communication under both non-reactiveand reactive jamming attacks.

Theorem 3 (Worst Case Delay in Uncoordinated Mode):For wireless local-area network N (m,Nf , Nc) underuncoordinated communication, the worst-case delayperformance at node k is induced by the reactivejamming with sensing time τ sufficiently small.Specifically, the message delay Dk satisfies

P(Dk>σ)≤

(

1−(NfNc−1)

2TL(1−ρ)γk

(NfNc)2T

L(1−ρ)γk+1

(

1−sT

L

τNfNc

1−ρ +ρT 2Lγk

))σ/TL

,

(19)where TL is the message transmission duration, σ is themessage delay threshold, γk =

∑mj=1,j 6=k λj , and λj is the

traffic rate at node j.

Proof: Without loss if generality, assume that node 1 at-tempts to transmit a message with duration TL to node 2using the uncoordinated mode, in which nodes 1 and 2uniformly choose a frequency-code channel to transmitand receive, respectively. They switch channels fromtime to time. For the sake of simplicity, the time ispartitioned into time slots with length TL. The senderand receiver switch their channels at the beginning ofeach time slot. Assume that for the i-th delivery attempt(1 ≤ i ≤ σ/TL), nodes 1 and 2 reside at the (ui, vi)-thchannel and the (di, ei)-th channel, respectively.

The message invalidation probability is written as

P(D1 > σ) = P

(

∩σ/TL

i=1 (Ci ∪ Ji ∪Mi))

, (20)

where Ci and Ji denote the events that the i-th transmis-sion is disrupted by collision and jamming, respectively;and Mi denotes the event that there is a channel mis-match between the sender and receiver, i.e., Mi = {ui 6=di} ∪ {vi 6= ei}.

To find P(D1 > σ), we need to compute the collisionprobability P (Ci), jamming probability P (Ji), and themismatch probability P (Mi), respectively. Since we havealready obtained P (Ci) in (3), as well as P (Ji) in (5) and(10) under non-reactive and reactive jamming attacks, wein the following derive P (Mi), which is the probabilitythat node 1 does not reside at the same channel asnode 2, i.e., either ui 6= di or vi 6= ei. We have

P(Mi) = P ({ui 6= di} ∪ {vi 6= ei}) = 1−1/(NfNc). (21)

With (20), (21), (3), (5) and (10), using similar proce-dures in Theorem 1, we get P(D>σ) satisfies (19). �

Fig. 5 shows an example of the worst-case messageinvalidation probabilities for a time-critical applicationin both coordinated and uncoordinated modes. It isobserved that similar to coordinated communication,the worst-case message invalidation probability in un-

9

0 10 20 30 40 5010

−2

10−1

100

Aggregate Traffic [Kilo−Messages per Second]

Wors

t−C

ase P

erf

orm

ance

30 ms10 ms

Fig. 5. Uncoordinated communication: worst-case

P(Dk > σ) versus γk with delay thresholds of 10ms and

30ms. (Nf=10, Nc=2, TL=1ms, ρ=0.1, and τ=1µs.)

coordinated communication exhibits U-shaped curves inFig. 5, indicating that the delay performance in uncoor-dinated communication also depends on the aggregatetraffic load γk, and can be minimized by optimizingγk. However, the delay performance in uncoordinatedcommunication is substantially worse than that in coor-dinated communication. This is due to the opportunisticnature of uncoordinated communication: the sender andreceiver have to randomly select channels to transmitand receive, respectively. Fig. 5 implies that in general,uncoordinated communication should not be used fortime-critical message delivery.

Another observation in Fig. 5 is that the messageinvalidation probability is always minimized at the sametraffic load regardless of communication modes. For ex-ample, we can see that the probabilities for all four casesin Fig. 5 are all minimized at γk≈19 kilo-messages/s.This shows that if we have the same setups in a wirelessnetwork, there exists one optimal traffic load for a nodeto minimize its message invalidation probability in bothcoordinated and uncoordinated communications, whichis formally proved in the following.

Theorem 4 (Optimal Load in Uncoordinated Mode): In anetwork with setups stated in Theorem 2, the optimalload γ∗

k in coordinated mode also minimizes the messageinvalidation probability in uncoordinated mode.

Proof: For uncoordinated communication, in order tominimize (19) (as a function of γk), it is equivalent tofind the value of γk to maximize function

g(γk)=(NfNc−1)

TL(1−ρ)γk

(NfNc)TL(1−ρ)γk+1

(

1−(1−ρ)sT

L

τNfNc+ρ(1−ρ)T 2Lγk

)

= f(γk)/(NfNc), (22)

where f(γk) is given in (15), which is the objectivefunction in the coordinated mode. Hence, finding γ∗

k thatmaximizes g(γk) is equivalent to finding γ∗

k that maxi-mizes f(γk). Therefore, γ∗

k also minimizes the messageinvalidation probabilities in uncoordinated mode. �

Remark 4: Despite the evident performance differencebetween coordinated and uncoordinated communica-tions, Theorem. 4 illustrates that their delay performance

can be optimized at the same time by choosing oneoptimum traffic load in the network. In the smart grid, anode’s traffic load is usually static and quite unsaturatedfor real-time power management. For example, wirelessmonitoring for substation transformers only needs totransmit a message every second [2]. This indicates thatin general, we should intentionally increase a certainamount of redundant traffic to obtain the optimal trafficload. Then, legitimate messages can have a chance to besuccessfully delivered during the period that jammingattacks attempt to disrupt redundant traffic. We namesuch traffic as camouflage traffic since it serves as camou-flage to “hide” legitimate traffic from attacks.

4 TACT SYSTEM

We have shown that for both coordinated and unco-ordinated communications in wireless smart grid ap-plications, the delay performance is sensitive to thenetwork traffic load under jamming attacks. As a result,generating camouflage traffic is promising to improvethe worst-case delay performance. In this section, wepresent our adaptive method that generates camouflagetraffic to minimize the message delivery delay in wire-less networks for smart grid applications.

4.1 Motivation and Method Design

Our objective is to design a feasible method to minimizethe worst case delay performance for practical wirelesssmart grid applications under jamming attacks. We firstdescribe the general idea of our method, which can beused for both coordinated and uncoordinated commu-nication modes. Notice that Theorem 2 shows that theoptimal load γ∗

k is a function of message transmissiontime TL, which depends on message length L. If allnodes’ messages have the same length, the optimal loadfor every node will be the same, i.e., γ∗

1=γ∗2=· · ·=γ∗

m.However, in the smart grid, a node has different messagetypes with distinct lengths. For example, monitoring andcontrol messages in substations can have lengths of 98and 16 bytes [19], respectively. Thus, it is impossibleto use one optimal load to minimize the delay forall message types. A reasonable choice is to generatecamouflage traffic at the optimal point to minimize thedelay for the most time-critical messages, since suchmessages are of the most importance and generallyused for protection procedures [14], [19]. Therefore, toobtain the optimal traffic load γ∗

k , TL is chosen to bethe transmission time of the most time-critical messages.Then, we have γ∗

1=γ∗2=· · ·=γ∗

m.It is also worthy of mention that the optimal traffic

load γ∗k is a function of the jammer’s sensing time τ . As τ

varies in practice, it is difficult to pre-configure networksetups to generate camouflage traffic at the optimal load.An appropriate strategy is to adaptively generate trafficat each node into the network such that the overallnetwork traffic load can be balanced around the opti-mum. Thus, we design the TACT method (transmitting

10

Algorithm 1 : TACT at Each Node.

Given: L,Lmin,Lmax,∆inc,∆dec. Init: Mprev=0,L=Lmin

repeatTransmit probing messages in observation period.Measure the number of ACKs, Mnow.if Performance not degraded (Mnow ≥Mprev) then

Increase the traffic load: L← min(L+∆inc, Lmax).else

Decrease the traffic load: L← max(L−∆dec, Lmin).end ifRecord history: Mprev ←Mnow.

until TACT is disabled.

adaptive camouflage traffic). The intuition behind TACTis two-fold. 1) TACT should avoid node coordination.Admittedly, node coordination can further help improvethe delay performance. However, it introduces an addi-tional security issue of coordination message deliveryunder jamming. Thus, TACT should be of distributednature, inducing the minimum complexity and nodecoordination. 2) Since the worst-case message delay isminimized at a positive traffic load, TACT should alwaysattempt to increase the traffic load. If the performance isdegraded after the increase, it can reduce the load.

Accordingly, we propose to implement the TACTmethod at every node in a wireless network for the smartgrid. As shown in Algorithm 1, TACT measures the de-livery results of probing messages to adjust the amountof camouflage messages in the network. Each camou-flage message is transmitted on a randomly selectedfrequency/code channel. When TACT is deployed, thereare three major traffic types in the network: i) routinetraffic for power monitoring and control, which cannot bechanged as it is coupled with setups of power devices, ii)probing traffic for performance measurement, its messagetransmission time equals to TL, iii) camouflage traffic tobalance the overall network traffic load. Fig. 6 showsan example of traffic dynamics caused by TACT: in thefirst observation period, two probing messages are bothACKed, meaning that current traffic load is not harmful.Then, TACT sends one more camouflage message inthe next observation period. The traffic load will keepbeing increased until it reaches the optimum, and finallyfluctuate around the optimum.

time

......routine

message

probing

messagecamouflage

message

two probing

messages acked

increase one more

camouflage message

Fig. 6. How TACT balances the network traffic.

4.2 Uniform Optimum

When TACT is deployed at node k, it starts to in-crease node k’s traffic load λk. However, increasing λk

cannot improve node k’s own delay performance since

P(Dk > σ) is not a function of λk but a function ofγk =

∑mj=1,j 6=k λj . By transmitting more traffic into the

network, node k in fact improves the network trafficloads γi (i 6= k) observed at other nodes. At thesame time, node k is expecting others to do the sameto help itself. Thus, the efficiency of TACT relies onsuch homogenous behavior in all nodes, which howevercannot be guaranteed when nodes have evidently het-erogenous traffic rates. Consider an extreme case: thereare two nodes (nodes 1 and 2) with routine traffic ratesof 1 and 1000 messages/s, respectively. The optimalloads γ∗

1 = γ∗2 = 1000 under a reactive jammer. Initially,

γ1 =∑2

j=1,j 6=1 λj = 1000 and γ2 =∑2

j=1,j 6=2 λj = 1.When TACT starts, node 2 is far from the optimumand keeps increasing its traffic load. In contrast, node 1immediately reaches the optimum and never generatesmore traffic to help node 2.

Therefore, in order to ensure uniform optimum overall nodes, a solution is to mandate every node have thesame minimum traffic load, regardless of their differentroutine traffic rates. This can be achieved by assigningdifferent minimum camouflage traffic loads Lmin (asgiven in Algorithm 1) to different nodes. Specifically, letnode k’s minimum camouflage traffic load Lmin(k) =max1≤i≤m αi − αk, where αi denotes the (fixed) routinetraffic load at node i. Thus, the minimum overall trafficload must be transmitted by every node is uniformlyequal to max1≤i≤m αi. In the previous example, we canassign Lmin = 999 and 0 to nodes 1 and 2, respectively.Then, both nodes can have the optimal traffic load whenTACT starts. If the optimal load is 1500 messages/s,both nodes will increase their camouflage traffic loadsuntil reaching the optimum. In the next section, we useexperiments to show the effectiveness of TACT.

4.3 TACT in Coordinated and Uncoordinated Modes

So far, we have presented the fundamentals of TACTto minimize the worst-case message delay under jam-ming attacks. Although we have shown that uncoor-dinated w communication is not appropriate for time-critical applications, it is still essential to establish thesecret key for coordinated communication. As a result,both communication modes are indispensable to fullysecure communications for time-critical applications inthe smart grid. Specifically, uncoordinated mode is usedfor key establishment and update. After the secret keyis established or updated, the two communicators canuse coordinated mode to exchange information basedon the secret key. Hence, to substantially improve theperformance of a wireless smart grid application withjamming resilience, TACT should be adapted to bothcoordinated and uncoordinated communications. Thismeans that TACT must be enabled as long as a node isactive, regardless of the mode on which it operates. Ac-cordingly, we summarize the complete jamming-resilientcommunication scheme with TACT in Algorithm 2.

In Algorithm 2, all the keys of a node is obtained fromthe gateway via uncoordinated communication. If two

11

Algorithm 2 : Communication Scheme with TACT.

Initialization: Enable TACT.repeat

Mode ← Uncoordinated mode.Obtain key K and period TK from gateway.Mode ← Coordinated mode.Use K for a period of TK .

until The node leaves the network.

nodes want to communicate with each other, they alsoneed to request the key for such communication from thegateway. Hence, the gateway can be considered as a keymanagement center in the network. It is worthy of notethat in Algorithm 2, every node operates on either unco-ordinated or coordinated mode. The gateway, however,is required to operate on both modes simultaneously.Unlike IEDs that are embedded computers on powerinfrastructures, the gateway is usually a computer serverequipped with powerful computing and communicationabilities [5]; thus, it is reasonable to assume that thegateway is capable of operating on both modes.

4.4 Discussion on Improving TACT

In Algorithm 2, we can see that when an IED joinsthe network, it starts to adaptively transmit camouflagetraffic until it observes performance degradation at acertain load, then remains approximately at the load.This inevitably leads to a fair amount of redundant trafficand a waste of energy used to transmit such traffic evenwhen there is no attack. Although we know that in thiscase, the delay is still upper bounded by the guaranteedperformance given in Theorem 1, it is quite desirable toavoid such traffic in normal system operations. To thisend, we can deploy a reactive jamming detector [26]in each IED, TACT is triggered and starts to transmitcamouflage traffic only when an attack is detected.

It is worth noting that the distributed nature of TACTrequires the minimum node coordination, in which eachnode sends camouflage traffic on randomly selectedchannels. Such traffic may collide with legitimate one;thus, node coordination may further improve the ef-ficiency of TACT, which can be achieved by lettingthe gateway node assign carefully-designed transmissionpatterns for camouflage traffic at each node.

5 SMART GRID ANTI-ISLANDING: SECURE

KEY ESTABLISHMENT AND COMMUNICATION

We have found that there exists an optimal traffic loadto minimize the worst-case message delay, and carefullydesigned the distributed TACT method to achieve theoptimal load. In this section, we aim at implementing apractical TACT based system to optimize the delay per-formance of an important smart grid application, anti-islanding, under jamming attacks in our experimentalmicro smart grid, Green Hub.

5.1 Anti-Islanding for A Micro Smart Grid

Our goal is to use real-world experiments to show the ef-fectiveness of TACT to improve the delay performance ofa wireless application in the smart grid under jammingattacks. In the following, we first introduce the smartgrid system used in the experiments. North CarolinaState University has established a micro smart grid,Green Hub, to test key smart grid components, such assolid-state transformer (SST), wireless networking, anddynamic spectrum access [27] for the smart grid. GreenHub includes two solar-array based photovoltaic (PV)systems as distributed energy resources.

An important protection procedure for distributedenergy resources is anti-islanding. In power engineering,islanding [28] refers to the condition in which distributedenergy resources continue power supply even thoughthe electric utility is disconnected. Unintentional island-ing can cause many problems, such as damaging cus-tomers’ loads and harming distributed energy resources[28]. Thus, anti-islanding procedures must be deployedin power systems to prevent any unintentional islanding.

PVSST

utility

supply

islanding

deteted message: stop producing power

customer’s

load

Fig. 7. Anti-islanding procedure in Green Hub.

Fig. 7 shows an anti-island procedure in Green Hub:when the utility supply is disconnected, the SST detectsthe islanding and sends an anti-islanding message to thePV system to make the system stop generating power.The delay threshold of such a message is 150–300ms [3].

5.2 System Setups

Network setup: There have been several wireless testingnetworks for anti-islanding in the power engineeringcommunity [3], [28]. In this work, we use universalsoftware radio peripheral (USRP) devices with GNURadio to set up a frequency-hopping based wireless net-work to provide jamming resilience for the anti-islandingapplication. Green Hub has two PV-SST pairs for anti-islanding protection. Each device is connected to an IEDfor communication. Thus, the network consists of fourIEDs and a gateway for centralized management. EachIED’s routine traffic is one message of status update tothe gateway every second. Both IEDs and the gatewaysuse USRPs to communicate with each other.Spread spectrum systems: The network uses eight fre-quency hopping channels at the 2.4GHz band, eachof which uses BPSK modulation and has a bandwidthof 125KHz, resulting in a total network bandwidthof 1MHz. The length of an anti-islanding message is400 bytes, thereby leading to a transmission time of(400*8)/125=25.6ms. The delay threshold is set to be150ms. The application layer at each IED transmitsone message 4 times. Thus, the secret key shared by

12

each transmit-receive pair is a frequency-hopping pat-tern with 4 hops. For TACT, the lengths of probingand camouflage messages are set to be 400 and 1000bytes, respectively. Note that we choose long camouflagemessages to increase the chance that a reactive jammersenses and jams such messages.Jamming attacks: We also set up a USRP-based jammerwith operational bandwidth of 125KHz. When it is non-reactive, it keeps broadcasting jamming pulses, each ofwhich is sent on a randomly selected channel. Whenit is reactive, it uses an energy detector to scan all 8hopping channels one by one, and jams any on-goingtransmission as long as it senses energy activity. Thejamming pulse duration is set to be 1ms.

... ...gateway

SST1 PV1

SST2 PV2jammer

Fig. 8. Attack scenario in the anti-islanding network.

Attack scenario: The attack scenario is illustrated inFig. 8: all IEDs (SST1, PV1, SST2, and PV2) inform thegateway of their status every second. If SST1 or SST2detects an islanding, it will send to its counterpart ananti-islanding message. The jammer targets SST2 andattempts to disrupt SST2’s messages to PV2.

5.3 Experimental Results

When the network is set up, all IEDs first communicateuncoordinatedly with the gateway to obtain their secretkeys of channel assignments, then use the keys to com-municate in a coordinated manner. As a result, we firstconsider the uncoordinated case; i.e., we first evaluatehow TACT can improve the delay performance of keyestablishment, and then move on to the coordinated case.

5.3.1 Key Establishment

We consider key establishment based on uncoordinatedcommunication: every node keeps sending key requeststo the gateway on uniformly selected frequency chan-nels. At the same time, the gateway uniformly choosesa frequency channel to receive. A message is deliveredonly when a node and the gateway reside on the samechannel. We define the delay of the key establishmentfor a node is the time duration from the instant that thenode sends the first key request to the instant that thenode receives the reply from the gateway.

Fig. 9 illustrates the mean delay of key establishmentas a function of the network traffic load under both non-reactive jamming and reactive jamming. We can observefrom Fig. 9 that reactive jamming always induces largerkey establishment delay than non-reactive jamming foruncoordinate communication, which indicates that weshould always consider the reactive jamming as theworst-case scenario for uncoordinate communication.

Note that Fig. 9 exhibits a U-shaped curve for the de-lay performance under reactive jamming, showing thatunder reactive jamming, there always exists a traffic loadto minimize the average key establishment delay. As aresult, TACT that is primarily designed to counter-attackreactive jamming by achieving the optimal traffic load,should be useful to substantially decrease the key estab-lishment delay in the wireless anti-islanding scenario.

TABLE 1

Average delay in uncoordinated communication.

Setups: TACT off TACT on BaselineDelay : 24.2 s 5.61 s 0.814 s

Next, we enable TACT at every node and evaluate theeffectiveness of TACT on uncoordinated communicationunder reactive jamming. During experiments, we set thefollowing TACT parameters: Lmin=0, Lmax=30, ∆inc=2,∆dec=2, and ten probing messages are sent every second.Table 1 illustrates the average key establishment delayunder three scenarios: i) frequency hopping under reac-tive jamming (TACT is off), ii) frequency hopping withcamouflage traffic (TACT is on), iii) baseline performance(no jamming, no TACT). It is observed from Table 1that uncoordinated communication based key establish-ment incurs fairly large delay even for the baseline (no-jamming case) performance that have the average delayof 814ms. This is due to the opportunistic nature ofuncoordinated communication. Under reactive jamming,we can see that the key establishment delay increasesto 24.2s. However, when TACT is enabled, the delaydecreases dramatically to 5.61s, as shown in Table 1.Therefore, TACT is very effective to improve the delayperformance for key establishment in the smart grid.

5.3.2 Jamming-Resilient Communication

Next, we consider the coordinated mode after the keyis established. We evaluate the impact of both reactiveand non-reactive jammers on the anti-island application.We generate camouflage messages at rates of 0–30 mes-sages/s. Fig. 10 shows that the message invalidationprobability as a function of the camouflage traffic rate ofeach IED. We can see from Fig. 10 that reactive jammingalways leads to worse performance than non-reactivejamming, indicating that reactive jamming should beconsidered as the worst-case scenario. Thus, in the fol-lowing, we will only consider reactive jamming. Fig. 10also shows that the message invalidation probabilityinduced by reactive jamming is a U-shaped function ofthe traffic load. We can see that the message invalidationprobability decreases from 41.2% to 0.82% as the camou-flage traffic load goes from 0 to 15 messages/s.

Then, we consider the delay performance with dif-ferent delay thresholds of 150, 190, and 230ms underreactive jamming. If the delay threshold becomes larger,we can transmit the same message more times to ensuremore reliability. Thus, the transmissions have 5, 6, and7 hops (transmission attempts) for messages with delay

13

0 10 20 3010

0

101

102

Traffic Load (Messages per Second)

Avera

ge D

ela

y (

Second)

Reactive Jamming

Non−Reactive Jamming

Fig. 9. Uncoordinated: Average key

establishment delay versus per-node

network traffic load.

0 10 20 3010

−3

10−2

10−1

100

Traffic Load (Messages per Second)

Message Invalid

ation P

robabili

ty

Reactive Jamming

Non−Reactive Jamming

Fig. 10. Coordinated: Message inval-

idation probability versus traffic load.

0 10 20 30

10−3

10−2

10−1

Traffic Load (Messages per Second)

Message Invalid

ation P

robabili

ty

Worst−case Bound

Experiments

150ms

190ms

230ms

Fig. 11. Coordinated: Message inval-

idation probability with different delay

thresholds.

thresholds of 150, 190, and 230ms, respectively. Fig. 11shows that the message invalidation probabilities fordifferent delay thresholds. In addition, we also comparethe worst-case bounds in Theorem 2 with the experi-mental results, as shown in Fig. 11. Although we cansee that that there exists a small and non-uniform gapbetween the worst-case bound and the experimentalmeasurement for each delay threshold, the performancetrends shown by the experimental results do matchthe theoretical predication and the U-shape phenomena,which indicates that the worst-case bound in Theorem 2is tight to predict realistic jamming impacts.

TABLE 2Message invalidation in coordinated communication.

Setups: TACT off TACT on BaselineDelay : 41.2% 0.9076% 0.0532%

Next, we evaluate the effectiveness of TACT againstreactive jamming in coordinated communication. We usethe same setups in Table 1. Table 2 illustrates messageinvalidation probabilities in three scenarios: i) frequencyhopping under reactive jamming (TACT is off), ii) fre-quency hopping with camouflage traffic (TACT is on),iii) baseline performance (no jamming, no TACT). It isobserved from Table 2 that TACT decreases the mes-sage invalidation probability from 41.2% to 0.9076%.Although TACT does not achieve the minimum prob-ability of 0.82% shown in Fig. 10, it still improves thedelay performance in order of magnitude under reactivejamming. Note that the baseline performance in Table 2shows a positive message invalidation probability. Thisis because error correction is not used in our experimentsin order to reduce the GNU Radio processing delay.

TABLE 3

Message invalidation vs number of hopping channels.

Number of Channels (Nf ): 6 8 10 12

TACT off: 92.3% 68.1% 41.2% 10.1%TACT on: 15.1% 6.01% 0.831% 0.212%

Table 3 shows the message invalidation probability asa function of the number of frequency-hopping channels

Nf under reactive jamming. It is known that increasingNf can reduce the message delay for spread spectrumcommunication, as more spectrum resources are used.Table 3 illustrates that when Nf goes from 6 to 12,the message invalidation probability in the frequency-hopping-only (no TACT) scenario decreases from 92.3%to 10.1%; while TACT can further reduce the probabilityfrom 10.1% to 0.21%. As a result, TACT is a promisingmechanism that offers a new dimension to improve thedelay performance for smart grid communication.

5.4 Discussions

In our experiments, both IEDs and jammer have lowoperational bandwidth of 125KHz, which is due to thelimit processing capability of the USRP-to-PC architec-ture. Thus, our goal is not to design a commercial anti-islanding system, but to demonstrate a proof-of-conceptapplication of TACT in the smart grid.

We observed that TACT achieved nearly-optimal per-formance. It is challenging to design an adaptive methodthat always works at the optimal load. However, theconcept of transmitting camouflage traffic can lead tomore TACT-like methods to further improve the delayperformance for wireless smart grid applications.

Currently, both legitimate and camouflage traffic isblind to all legitimate receivers and attackers, which isthe simplest setup for the attackers to have no ability toidentity legitimate traffic from camouflage traffic, whichon the other hand causes collisions between legitimateand camouflage traffic transmissions. We will exploresmart ways to avoid such collisions in the future work.

We also emphasize that our methodology in this paperis to optimize the worst-case performance to offer perfor-mance guarantee for smart grid applications. Therefore,our worst-case optimization does not necessarily meansa uniformly optimal solution to all cases. This indicatesthat when a jammer constantly changes its jamming be-havior, our countermeasure may not keep providing op-timal solutions against each behavior. However, despitethe jammer’s varying strategies, its induced performanceis always bounded by the worst case. Therefore, as long

14

as we design our countermeasures based on the worstcase, we can always provide performance guaranteeunder any attack behavior, which is our goal and alsoessential for smart grid applications.

6 CONCLUSION

In this paper, we provided a comprehensive study onminimizing the message delay for smart grid applica-tions under jamming attacks. By defining a generic jam-ming process, we showed that the worst-case messagedelay is a U-shaped function of network traffic load.We designed a distributed method, TACT, to generatecamouflage traffic to balance the network load at theoptimal point. We showed that TACT is a promisingmethod to significantly improve the delay performancein the smart grid under jamming attacks.

REFERENCES

[1] NIST Smart Grid Cyber Security Working Group, “Guidelines forsmart grid cyber security,” NIST IR-7628, vol. 1-3, Aug. 2010.

[2] F. Cleveland, “Uses of wireless communications to enhance powersystem reliability,” in Proc. of IEEE PES General Meeting, June 2007.

[3] P. M. Kanabar, M. G. Kanabar, W. El-Khattam, T. S. Sidhu, andA. Shami, “Evaluation of communication technologies for IEC61850 based distribution automation system with distributedenergy resources,” in Proc. of IEEE PES General Meeting, 2009.

[4] B. Akyol, H. Kirkham, S. Clements, and M. Hadley, “A survey ofwireless communications for the electric power system,” in Tech.Report, Pacific Northwest National Laboratory, Jan. 2010.

[5] W. Wang, Y. Xu, and M. Khanna, “A survey on the communicationarchitectures in smart grid,” Computer Networks, 2011.

[6] S. Mohagheghi, J. Stoupis, and Z. Wang, “Communication proto-cols and networks for power systems - current status and futuretrends,” in Proc. of Power Systems Conference & Exposition, 2009.

[7] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility oflaunching and detecting jamming attacks in wireless networks,”in Proc. of ACM MobiHoc ’05, 2005, pp. 46–57.

[8] M. Strasser, S. Capkun, C. Popper, and M. Cagalj, “Jamming-resistant key establishment using uncoordinated frequency hop-ping,” in Proc. of IEEE S&P, May 2008, pp. 64–78.

[9] Y. Liu, P. Ning, H. Dai, and A. Liu, “Randomized differentialDSSS: Jamming-resistant wireless broadcast communication,” inProc. of IEEE INFOCOM ’10, Mar. 2010.

[10] M. Strasser, C. Popper, and S. Capkun, “Efficient uncoordinatedFHSS anti-jamming communication,” in Proc. of ACM MobiHoc,2009.

[11] C. Popper, M. Strasser, and S. Capkun, “Jamming-resistant broad-cast communication without shared keys,” in Proc. of USENIXSecurity Symposium (Security ’09), Aug. 2009.

[12] E. Bayraktaroglu, C. King, X. Liu, G. Noubir, R. Rajaraman, andB. Thapa, “On the performance of IEEE 802.11 under jamming,”in Proc. of IEEE INFOCOM ’08, Apr. 2008, pp. 1265–1273.

[13] X. Lu, W. Wang, and J. Ma, “Authentication and integrity inthe smart grid: An empirical study in substation automationsystems,” International J. Distributed Sensor Networks, Apr. 2012.

[14] IEC Standard, “IEC 61850: Communication networks and systemsin substations,” 2003.

[15] H. Li, L. Lai, and R. C. Qiu, “A denial-of-service jamming gamefor remote state monitoring in smart grid,” in Proc. of 45th AnnualConference on Information Sciences and Systems (CISS), Mar. 2011.

[16] J. T. Chiang and Y.-C. Hu, “Dynamic jamming mitigation forwireless broadcast networks,” in Proc. of IEEE INFOCOM, 2008.

[17] F. Cleveland, “Enhancing the reliability and security of the infor-mation infrastructure used to manage the power system,” in Proc.of IEEE PES General Meeting, June 2007.

[18] J. Gardner, “Spread spectrum communications for SCADA sys-tems,” Pipeline and Gas Journal, vol. 238, Feb. 2011.

[19] T. S. Sidhu and Y. Yin, “Modelling and simulation for perfor-mance evaluation of IEC61850-based substation communicationsystems,” IEEE Trans. Power Delivery, vol. 22, no. 3, July 2007.

[20] A. Goldsmith, Wireless Communications. Cambridge University,2005.

[21] C. Popper, M. Strasser, and S. Capkun, “Anti-jamming broad-cast communication using uncoordinated spread spectrum tech-niques,” in IEEE J. Selected Areas in Communications, 2010.

[22] S. G. Glisic, A. Mammela, V.-P. Kaasila, and M. D. Pajkovic,“Rejection of frequency sweeping signal in DS spread spectrumsystems using complex adaptive filters,” IEEE Trans. Commun.,vol. 43, no. 1, pp. 136–145, Jan. 1995.

[23] B. Zhao, C. Chi, W. Gao, S. Zhu, and G. Cao, “A chain reactionDoS attack on 3G networks: Analysis and defenses,” in IEEEINFOCOM 2009, 2009.

[24] M. Brinkmeier, G. Schafer, and T. Strufe, “Optimally DoS resistantP2P topologies for live multimedia streaming,” IEEE Trans. Paralleland Distributed Systems, vol. 20, June 2009.

[25] M. Wilhelm, I. Martinovic, J. B. Schmitt, and V. Lenders, “Shortpaper: reactive jamming in wireless networks: how realistic is thethreat?” in Proc. of ACM WiSec, 2011.

[26] M. Strasser, B. Danev, and S. Capkun, “Detection of reactivejamming in sensor networks,” ACM Trans. Sensor Networks, vol. 7,no. 2, 2010.

[27] L. Sun and W. Wang, “On distribution and limits of informationdissemination latency and speed in mobile cognitive radio net-works,” in Proc. of IEEE INFOCOM, 2011.

[28] W. El-Khattam, T. S. Sidhu, and R. Seethapathy, “Evaluationof two anti-islanding schemes for a radial distribution systemequipped with self-excited induction generator wind turbines,”IEEE Trans. Energy Conversion, vol. 25, Mar. 2010.

Zhuo Lu received his Ph.D. degree in the De-partment of Electrical and Computer Engineer-ing, North Carolina State University, Raleigh NC,in 2013. He is now a research scientist at Intelli-gent Automation Inc, Rockville MD. His researchinterests include network and mobile security,cyber-physical system security.

Wenye Wang received the M.S.E.E and Ph.D.degrees from the Georgia Institute of Technol-ogy, in 1999 and 2002, respectively. She is aProfessor with the Department of Electrical andComputer Engineering, North Carolina StateUniversity. Her research interests include cyber-physical systems, mobile and cloud computing,and cyber security. Dr. Wang has been a Mem-ber of the Association for Computing Machinery(ACM) since 1998, and a Member of the EtaKappa Nu and Gamma Beta Phi honorary so-

cieties since 2001. She is a recipient of the NSF CAREER Award 2006and the co-recipient of the 2006 IEEE GLOBECOM Best Student PaperAward and the 2004 IEEE ICCCN Best Student Paper Award.

Cliff Wang graduated from North Carolina StateUniversity with a PhD degree in computer en-gineering in 1996. He is currently the divisionchief for the Army Research Office’s computersciences program and manages a large portfo-lio of advanced information assurance researchprojects. He is also appointed as an adjunct fac-ulty member of computer science in the Collegeof Engineering at North Carolina State Univer-sity. Dr. Wang has been carrying out researchin the area of computer vision, medical imaging,

high speed networks, and most recently information security.