Abstract
Cybersecurity is an important component for any electric utility network device. PMI devices such as the Cell Guardian, Revolution, and Boomerang (Figure 1) generate data from raw voltage and current measurements. This data is sent to cloud-based PQ Canvass, Canvass, or PC-based ProVision using a complex, multilayered communications network that includes several types of channels. Cybersecurity is ensured with different mechanisms of authentication and encryption, providing an end-to-end secure link. The RF link is unique in the chain due to the cell standards requirements and physical layer transport. Here the cybersecurity features of the RF cellular link between the device and the cell tower are reviewed in detail.
Figure 1. Cell enabled Guardian, Revolution, and Boomerang family
Authentication
The complete link system between a cell device and the utility and/or Canvass/PQ Canvass networks is shown in Figure 2. Traditional TCP/IP networking exists between the cell tower and the rest of the network, using Virtual Private Networking and encrypted tunnels to secure data. This is described in the whitepaper End-to-End Boomerang Cybersecurity. The connection from the device’s internal cell modem to the tower is quite different. The physical layer is the RF link, and layered over that are packet structures, authentication, and encryption that are required as part of the cell standards themselves.
Figure 2. Communication channels from device, through cell tower, to utility network and Canvass/PQ Canvass
There are two important security phases in establishing the link between the modem inside the device and the carrier cell tower. First, an authentication phase ensures that both sides are who they claim to be: the tower authenticates that the cell module is a valid device certified on that network, that its identity matches the MEID or ESN (Electronic Serial Number) it claims, and that its assigned phone number also matches. In parallel, this authentication is also used for billing and roaming purposes inside the carrier system.
The process is known as Authentication and Key Agreement (AKA). This algorithm uses a shared secret known as the A-Key. This key, contained in each cell module, is private and specific to each carrier and device. The initial Over the Air Service Provisioning (OTASP) that gives the module cell service also sends a fresh A-Key for future authentication. The A-Key is combined with the modem’s ESN and a randomly generated number in a complex mathematical algorithm to generate “shared secret data” (SSD). The SSD is then combined with a sequence number and other information to create an “Authentication Vector” (AV). Both sides (cell module and tower) perform this process and send their AVs to each other in an encrypted fashion, as shown in Figure 3. Only a system with the modem’s A-Key can deconstruct the AV, thus establishing that each side knows the secret and is who it says it is. The sequence number and other details help detect and prevent cloned devices from successfully authenticating. These principles are the same methods behind IPsec and other tunneling protocols, which start with authenticating both sides before proceeding.
Figure 3. CDMA Authentication Procedure (from “CDMA Authentication”, CDG Document 138)
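The AKA exchange described above, modelled as an added illustration that is not PMI's code and not the real CAVE algorithm: HMAC-SHA256 stands in for the SSD and AV computations, and the `Party` class, the `mutual_auth` helper and the 16-byte random challenge are assumptions. It also shows why the sequence number matters: a module holding the same A-Key but presenting a stale counter is rejected.

```python
import hashlib
import hmac
import os

def derive_ssd(a_key: bytes, esn: str, rand: bytes) -> bytes:
    """Shared Secret Data: mixes the A-Key, the module's ESN and a random
    challenge. The real network uses the CAVE algorithm; HMAC stands in."""
    return hmac.new(a_key, esn.encode() + rand, hashlib.sha256).digest()

def make_auth_vector(ssd: bytes, seq: int, esn: str) -> bytes:
    """Authentication Vector: binds the SSD to a sequence number so that a
    replayed or cloned exchange carrying a stale counter is rejected."""
    msg = seq.to_bytes(4, "big") + esn.encode()
    return hmac.new(ssd, msg, hashlib.sha256).digest()

class Party:
    """Either the cell module or the carrier's authentication centre; both
    hold the same A-Key and track the last accepted sequence number."""

    def __init__(self, esn: str, a_key: bytes):
        self.esn, self.a_key, self.seq = esn, a_key, 0

    def respond(self, rand: bytes) -> tuple[int, bytes]:
        """Answer the peer's random challenge with (sequence number, AV)."""
        self.seq += 1
        ssd = derive_ssd(self.a_key, self.esn, rand)
        return self.seq, make_auth_vector(ssd, self.seq, self.esn)

    def verify(self, rand: bytes, seq: int, av: bytes) -> bool:
        """Recompute the AV locally; only a holder of the A-Key can match it."""
        if seq <= self.seq:  # stale counter: a replay or a cloned module
            return False
        ssd = derive_ssd(self.a_key, self.esn, rand)
        if not hmac.compare_digest(make_auth_vector(ssd, seq, self.esn), av):
            return False
        self.seq = seq
        return True

def mutual_auth(module: Party, tower: Party) -> bool:
    """Each side challenges the other; the link comes up only if both pass."""
    rand_t, rand_m = os.urandom(16), os.urandom(16)
    module_ok = tower.verify(rand_t, *module.respond(rand_t))
    tower_ok = module.verify(rand_m, *tower.respond(rand_m))
    return module_ok and tower_ok
```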
Encryption
Once a mutual authentication phase has succeeded, a data link is established. The encryption protocol for CDMA networks uses a second SSD value (again computed from the A-Key, module ESN, and a random number) to act as an ad-hoc session encryption key. Both sides may compute this SSD, eliminating the need to send the session key over the air. The actual algorithm uses a complex series of binary linear feedback shift registers to implement data scrambling and encryption using the session key.
After any loss of cell connection, or long idle time, the entire process is begun again, as the cell modem re-attaches to the tower. There are also special considerations for device “handoff”, when it’s transferred from one tower to another (which happens occasionally even for a stationary cell device).
Once the RF link’s data stream is secured as described above, there is a separate authentication process that is used at the data layer. The data layer connection that provides IP packet-based transport to the networking stack in the device is based on the Point-to-Point Protocol (PPP). This protocol includes a separate authentication process known as CHAP that verifies the mutual identities of the modem and the cell tower. The data link is not presented to the device firmware until this authentication is successful. This is a last check to make sure the device is not communicating with a spoofed cell system.
RF Spread Spectrum Modulation
In addition to the algorithms above, there is a property of the CDMA RF signaling itself that makes eavesdropping very difficult. The physical RF layer in CDMA uses spread spectrum modulation techniques, specifically Direct Sequence Modulation. In this protocol, the original RF low-level data stream is combined with a much faster pseudo-random noise (PN) sequence. The PN sequence is unique for each connected device, and is a very long string of essentially random bits. This has the RF property of “spreading” the signal over a larger bandwidth, and allows multiple devices to operate simultaneously in that band. A secondary benefit is that only a receiver that knows the encoding PN sequence can decode the RF to recover the original data. This is a physical layer mechanism operating on the raw RF signal, whereas the authentication and encryption described above are at a logical data layer which rides on the RF signal. Apart from any other authentication or encryption involved, this PN data scrambling with a continuously changing code makes it very difficult to intercept or jam the raw data stream.
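The spreading and despreading described above, as an added toy model that is not PMI's code: a constructed 32-chip PN code from a seeded PRNG stands in for the real per-device long code, and the `shared_channel` helper is an assumed noise-free air interface. It shows both properties the paragraph names: two devices sharing the band are each recovered with their own code, and a receiver with the wrong code gets only noise.

```python
import random

CHIPS = 32  # chips per data bit (spreading factor); real CDMA codes are far longer

def pn_sequence(seed: int, length: int) -> list[int]:
    """Constructed PN code of +1/-1 chips from a seeded PRNG; stands in for
    the real long-code generator, which is unique per connected device."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]

def spread(bits: list[int], pn: list[int]) -> list[int]:
    """Map each data bit 0/1 to -1/+1 and multiply it by CHIPS successive PN
    chips, so one slow bit becomes CHIPS fast chips over a wider bandwidth."""
    out = []
    for i, bit in enumerate(bits):
        symbol = 1 if bit else -1
        out.extend(symbol * chip for chip in pn[i * CHIPS:(i + 1) * CHIPS])
    return out

def correlations(chips: list[int], pn: list[int]) -> list[int]:
    """Per-bit correlation with the receiver's copy of the PN code: exactly
    +-CHIPS when the code matches, a small random sum when it does not."""
    return [sum(c * p for c, p in zip(chips[i:i + CHIPS], pn[i:i + CHIPS]))
            for i in range(0, len(chips) - CHIPS + 1, CHIPS)]

def despread(chips: list[int], pn: list[int]) -> list[int]:
    """Recover each bit from the sign of its correlation."""
    return [1 if corr > 0 else 0 for corr in correlations(chips, pn)]

def shared_channel(*signals: list[int]) -> list[int]:
    """Chip-wise sum of several spread signals occupying the same band
    (constructed, noise-free air interface)."""
    return [sum(group) for group in zip(*signals)]
```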
Conclusion
After this link has been established up through the PPP layer, the device firmware has a secure tower data link. Data from the tower back through the cell carrier network is generally transported via a private segregated network, which prevents interception or access from outside devices. The security details of the links from that point forward are described in the whitepaper End-to-End Boomerang Cybersecurity. There are separate cybersecurity issues for web-based data access; these are outlined for the cloud side in Canvass and Cybersecurity, and for the user’s web browser side in Browser Security and Performance with Canvass.
Further reading:
Verizon whitepaper on CDMA Network Security
Qualcomm CDMA 1xRTT Security Overview
Chris Mullins
VP of Engineering and Operations
cmullins@powermonitors.com
https://www.powermonitors.com
(800) 296-4120