Zin Kyaw, System Applications Engineer
Texas Instruments, San Diego, CA, USA
Agenda
•   Introduction
•   ZigBee Smart Energy 101
•   Joining a ZigBee Smart Energy Network
•   Establishing an Application Link Key
•   Security Maintenance Policies
•   Commissioning Considerations
•   Example SE HAN Network
Introduction
• Paradigm shift towards appliances in the home being able to
  intelligently save us money and energy
• Smart appliances must be able to communicate with the
  utility back haul network via a device in the home called the
  Energy Service Portal (ESP)
• This communications link must not only be robust, but also
  secure
• In-depth look at the security model for the ZigBee Smart
  Energy Profile
• Device commissioning and network installation procedures
  are examined
• Discussion of example eco-system
ZigBee Smart Energy 101
• ZigBee Smart Energy is a ZigBee Alliance public
  application profile that defines commands (or
  clusters) and attributes for the following device
  types:
   – Energy Service Portal (ESP) – The ESP is the device that
     provides a gateway into the home and manages the
     ZigBee Smart Energy HAN
   – In-Premise Display (IPD) – The IPD is a device that will
     present energy consumption data and price information to
     the end user either by text or graphical means
   – Metering Device – These are typically metering devices
     such as gas, water, and heat meters
ZigBee Smart Energy 101 (cont.)
• Programmable Communicating Thermostat (PCT) – Device
  used to control the cooling and heating systems of the home
• Load Control Device – A device such as a pool pump or water
  heater that is capable of receiving demand response and load
  control events from the utility head end
• Smart Appliance – Like a load control device, a smart
  appliance could be a washer, dryer, oven that is capable of
  receiving demand response or pricing events from the utility
  head end
• Range Extender – A range extender has no other purpose
  than to be a router device for other devices in the HAN
ZigBee Smart Energy 101 (cont.)
• A cluster is a ZigBee term for a collection of
  commands and attributes specific to a particular
  behavior
• In ZigBee Smart Energy, the following clusters are
  supported:
   – Price – Provides functionality to convey price information
     from the utility head end
   – Demand Response and Load Control (DRLC) - Provides
     functionality for devices such as thermostats and other
     devices that perform load control
   – Simple Metering - Provides functionality to retrieve usage
     data from electric, gas, water metering devices
ZigBee Smart Energy 101 (cont.)
• Message – Provides functionality to deliver text messages
• Time – Provides functionality to synchronize time between
  the time server (ESP) and other devices. UTC is used as the
  common time base
• Key Establishment – Provides functionality for establishing a
  link key for secure application level communication between
  pairs of devices
Joining a ZigBee Smart Energy Network
• Typically, the ESP is also the ZigBee Coordinator and Trust Center, and
  acts as the gatekeeper for all joining devices
• Device joins by using a Pre-configured Trust Center Link Key
• Pre-configured Trust Center Link Key is programmed at manufacturing, or
  via an installation code using the process outlined in section 5.4.8.1 of [1]
• The Pre-configured Trust Center Link Key is used to encrypt the APS
  transport command containing the network key
• Network key is NOT sent to the joining device in the clear
• Message sequence between the Trust Center/Coordinator/ESP and the SE
  Device (diagram):
   – BeaconRequest
   – BeaconResponse
   – AssociationRequest
   – AssociationResponse
   – APS TransportKey (encrypted with Trust Center Link Key)
   – EndDeviceAnnounce
Establishing an Application Link Key
• After joining the network, the device establishes a link key with the ESP in
  order to exchange SE application data
• The procedure is called Certificate Based Key Establishment, or CBKE for
  short
• Trust is established by commissioning a Certificate Authority (CA) root key
  (public key paired with the CA’s private key) and a digital certificate for
  each device
• Upon successful completion of CBKE, both devices:
    –   Share the same link key
    –   Have authenticated each other
    –   Have confirmed that the other device actually computed the same key correctly
    –   Hold a shared link key that is unique to the session
• The trust center then updates the pre-configured trust center link key of
  the joining device
Establishing an Application Link Key (cont.)
• CBKE message sequence between the Trust Center/Coordinator/ESP and the
  SE Device (diagram):
   – InitiateKeyEstablishmentRequest
   – InitiateKeyEstablishmentResponse
   – EphemeralDataRequest
   – EphemeralDataResponse
   – ConfirmKeyRequest
   – ConfirmKeyResponse
   – APS ACK
Security Maintenance Policies

• The ZigBee SE system should have policies in place for
  managing network key and link key updates

• Updating the network key
   – Changing the network key periodically is good practice as it helps
     reduce the chance of brute force attacks at the network level
   – How often the network key gets updated is a network wide policy
   – The core ZigBee specification provides primitives for the trust center
     to update the network key and instruct devices to start using the new
     network key
   – If any device misses the network key update it will try to rejoin the
     network using the “unsecured rejoin” procedure specified in the core
     ZigBee specification
   – The transport key message used to deliver the network key is
     encrypted with the link key previously obtained via the CBKE process
Security Maintenance Policies (cont.)
• Updating the link key
   – The trust center policy for updating the link key could be more
     selective, as the established link key is for each pair of devices
   – When it is time for the trust center to update the link key, it will mark
     it as stale, and can initiate the CBKE procedure to establish a new link
     key
   – Once the new link key is established, the trust center will then clear
     the stale status for that key
   – The trust center must mark the link key as stale rather than delete
     it, since the link key is used to deliver the current network key
     per the unsecured rejoin process
   – Other devices may delete the link key prior to establishing a new link
     key
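
The stale-versus-delete rule above, as an added simulation that is not code from the slides or from Z-Stack. All class, function and device names are hypothetical, random bytes stand in for keys agreed via CBKE, and HMAC-SHA256 stands in for ZigBee's AES-CCM* so the block needs only the standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def seal(link_key, payload):
    """Stand-in for APS encryption of a Transport Key command (payload <= 32 bytes)."""
    nonce = os.urandom(8)
    pad = hmac.new(link_key, b"enc" + nonce, hashlib.sha256).digest()
    body = bytes(p ^ k for p, k in zip(payload, pad))
    tag = hmac.new(link_key, b"mac" + nonce + body, hashlib.sha256).digest()[:8]
    return nonce + body + tag


def open_sealed(link_key, blob):
    """Verify and decrypt; fails unless the sender used the same link key."""
    nonce, body, tag = blob[:8], blob[8:-8], blob[-8:]
    want = hmac.new(link_key, b"mac" + nonce + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, want):
        raise ValueError("transport key not protected with our link key")
    pad = hmac.new(link_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(body, pad))


@dataclass
class LinkKeyEntry:
    key: bytes
    stale: bool = False


class TrustCenter:
    def __init__(self, delete_on_update=False):
        self.delete_on_update = delete_on_update  # the policy the slide rules out
        self.link_keys = {}
        self.network_key, self.key_seq = os.urandom(16), 0

    def register(self, addr, link_key):
        self.link_keys[addr] = LinkKeyEntry(link_key)

    def transport_key(self, addr):
        """Network key wrapped with the device's link key, stale or not."""
        entry = self.link_keys.get(addr)
        if entry is None:
            return None                           # nothing to protect the key with
        return self.key_seq, seal(entry.key, self.network_key)

    def begin_link_key_update(self, addr):
        if self.delete_on_update:
            del self.link_keys[addr]
        else:
            self.link_keys[addr].stale = True     # keep the key usable for rejoins

    def complete_cbke(self, addr, new_key):
        self.link_keys[addr] = LinkKeyEntry(new_key, stale=False)

    def rotate_network_key(self, reachable):
        self.network_key, self.key_seq = os.urandom(16), self.key_seq + 1
        return {addr: self.transport_key(addr) for addr in reachable}

    def unsecured_rejoin(self, addr):
        return self.transport_key(addr)


class Device:
    def __init__(self, link_key):
        self.link_key, self.network_key, self.key_seq = link_key, None, None

    def accept(self, message):
        if message is None:
            return False                          # trust center refused the rejoin
        seq, blob = message
        self.network_key, self.key_seq = open_sealed(self.link_key, blob), seq
        return True


def run_scenario(delete_on_update):
    """Return (recovered_network_key, stale_flag_after_cbke)."""
    tc = TrustCenter(delete_on_update)
    link_key = os.urandom(16)            # stands in for a key agreed via CBKE
    tc.register("ipd", link_key)
    ipd = Device(link_key)
    ipd.accept(tc.transport_key("ipd"))  # initial join: IPD holds network key 0

    tc.begin_link_key_update("ipd")      # link key refresh is due
    tc.rotate_network_key(reachable=[])  # IPD is asleep and misses the update
    recovered = (ipd.accept(tc.unsecured_rejoin("ipd"))
                 and ipd.network_key == tc.network_key)
    if not recovered:
        return False, None               # no link key left: IPD is locked out

    new_key = os.urandom(16)             # CBKE completes; both sides switch keys
    tc.complete_cbke("ipd", new_key)
    ipd.link_key = new_key
    return True, tc.link_keys["ipd"].stale


if __name__ == "__main__":
    print("mark stale :", run_scenario(delete_on_update=False))
    print("delete key :", run_scenario(delete_on_update=True))
```

With the stale policy the display recovers the rotated network key over the unsecured rejoin; with deletion the trust center has no key left to wrap it with and the device stays off the HAN until it is recommissioned.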
Commissioning Considerations
• Typically the ESP (E-meter) would be the device that is installed first,
  followed by other metering devices such as the gas meter
• It is expected that these devices would be installed by a service
  professional
• However, the homeowner could be expected to install a device such as an
  in-premise display that has been approved for use by their utility
• The Pre-Configured Trust Center Link Key for the HAN device should be
  commissioned at manufacturing or configured at installation
• In a typical install scenario, the user would have to:
    – Enable permit joining of the ZigBee SE HAN for a period of time via an out of
      band mechanism. Part of this procedure may require the user to enter the
      install code found on the device through a customer portal
    – Press a button on the in-home display to tell it to join. The display would
      provide the user feedback throughout the device registration process
Example SE HAN Network
• All communication with the ESP (e-meter) is secured at the application
  layer with the link key established via CBKE
• Devices in the example network (diagram):
   – ESP (E-Meter)
   – In-Premise Display (IPD) – shows consumption, price signals and
     text messages from ESP
   – Programmable Communicating Thermostat (PCT) – ESP sends PCT Load
     Control Event to control HVAC
   – Simple Metering Device (Gas, Water, Heat) – reports Current
     Summation Delivered attribute periodically
Conclusion
• Provided an overview of the ZigBee Smart Energy
  application profile and described its security model
• The procedures of secure joining and establishing
  application link keys were discussed
• Maintenance policies for updating the network and
  application link keys were discussed
• ZigBee Smart Energy and ZigBee core specifications
  provide all the services and tools for robust security
References
• ZigBee Smart Energy Profile Specification,
  075356r15ZB_AMI_PTG-AMI_Profile
  Specification.pdf, ZigBee Alliance
• ZigBee Specification, 053474r17ZB_TSC-ZigBee-Specification.pdf,
  ZigBee Alliance
• Z-Stack Smart Energy Developer’s Guide,
  SWRA216, Texas Instruments

ZigBee Smart Energy Security Securing The HAN Network
